Solved: While the discussion of drops - Page 2

ramatoulaye.hane1 · ‎05-19-2015

Dear Support,

I have some slowness in my network for outbound Internet. When I cheched the interface connected to outside, I see many packets dropped. what I can do to solve it . Below the interface detail.

Thank in advance for your support!

       92152990 packets input, 82476010121 bytes, 0 no buffer
       Received 952 broadcasts, 0 runts, 0 giants
       9163 input errors, 0 CRC, 0 frame, 9163 overrun, 0 ignored, 0 abort
       0 L2 decode drops
       66751232 packets output, 25866291828 bytes, 11459 underruns
       0 pause output, 0 resume output
       3598 output errors, 3308486 collisions, 3 interface resets
       1650813 late collisions, 16954694 deferred
       0 input reset drops, 269 output reset drops, 1 tx hangs
       input queue (blocks free curr/low): hardware (255/230)
       output queue (blocks free curr/low): hardware (255/0)
Traffic Statistics for "outside":
       92146526 packets input, 80788829477 bytes
       68417472 packets output, 26568578588 bytes
       8155198 packets dropped
     1 minute input rate 2580 pkts/sec, 2641904 bytes/sec
     1 minute output rate 1750 pkts/sec, 414450 bytes/sec
     1 minute drop rate, 160 pkts/sec
     5 minute input rate 2129 pkts/sec, 1940579 bytes/sec
     5 minute output rate 1984 pkts/sec, 446397 bytes/sec
     5 minute drop rate, 159 pkts/sec
Control Point Interface States:
       Interface number is 3
       Interface config status is active
       Interface state is active

ramatoulaye.hane1 · ‎05-22-2015

Hi Seb,

Thank for your reply.

I will segment the network as you tell me and give you the result.

But when I put the interface mode to full duplex, the packets loss have decreased.

Thanks!

ramatoulaye.hane1 · ‎05-20-2015

hi Seb,

When I try these 2 commands, I get nothing:

ASA# sh capture asp | inc Drop
ASA# sh capture asp | inc sp-security-failed
ASA#

At this moment, I don't have support contract with Cisco but I will do it in next days.

The next router is our internet Gateway and it belongs to us.

Thanks!

Richard Burts · ‎05-21-2015

While the discussion of drops from policy is interesting I do not believe that it is the fundamental problem. I believe that the fundamental problem is a mismatch of duplex settings. Looking at the output from the ASA the number of collisions and especially of late collisions suggests that the ASA is operating in half duplex mode.

3598 output errors, 3308486 collisions, 3 interface resets
1650813 late collisions, 16954694 deferred

There is not anything in the output that specifically identifies the duplex setting of the ASA but I would guess that the ASA is set for the default which is to negotiate duplex. The output from the Border router is quite clear that negotiation is disabled and the router is operating in full duplex. When the ASA attempts to negotiate duplex but the router does not negotiate then the result is that the ASA would operate in half duplex mode. In half duplex mode there are lots of collisions and late collisions all of which are partial frames that were discarded and had to be re-transmitted and that can have significant impact on throughput.

My suggestion is to hard code duplex on the ASA. Give it a try and let us know if performance improves.

HTH

Rick

HTH

Rick

Interface Cisco asa