Packet loss between ASA 5506 and Cat 3650

I am getting packet loss between switch and firewall and wanted to see if anyone had any further ideas on what to look for. Basically we have 2 5506 and 2 3650, from a /28 it is set up so each f/w has an IP as well as the SVI on both switches, which is also HSRP. The firewalls point to the HSRP IP as the default gateway.

We are getting loss when pinging between the active firewall and the VLAN on the switch it is connected to. If I try from the standby firewall to the switch it is connected to we don’t get any loss. All counters on the firewall and switch interface don’t show any drops and the usage on the firewall or switch isn’t high. Therefore I failed over the firewalls and unexpectedly the problem just moved onto the new active firewall, and the old active firewall now doesn’t have any packet loss between switch and itself.

This at least ruled out switch ports and cables, but as the usage on the switch or firewall isn’t high it doesn’t really add up. I did some packet captures on the firewall outside interface and SPAN on the VLAN at the same time whilst generating pings in each direction. During the pings when packets were dropped I got the following results:

Ping FW to SW: Firewall sends request, this can be seen going over to the switch and the switch responding, but this packet never makes it back to the firewall as it isn't seen on its capture.

Ping SW to FW: Switch sends the request but it never reaches the firewall as it isn't seen on the firewall's capture.

My understanding of packet captures on an ASA is that it is before any processing, so as I can see the packets on the wire I should be getting them at the firewall. Everything in the ICMP request such as MACs and IPs is correct. As it doesn’t even arrive at the firewall it makes me think it is something on the switch. However I can't find anything wrong, and was curious if anyone had experienced a similar problem. The code being used is:

S-C3560X-48       12.2(55)SE5
ASA5506        9.3(2)2





1 Reply

Hello Stephen,

I am also working with 3650 switches, in the video domain. To sum up, I also have packet loss between the Cisco and the server. I did the test by adding several monitoring tools (VTS500). I have incoming packets to the Cisco that are not forwarded to my server, it seems they are lost in the switch (or routed somewhere else?). And as for you, all counters on the switch don't show any drops, CPU is not high, which makes me reach the same conclusion as you.


Did you have any progress since the time you created this post? Or any answer from Cisco maybe?




