As the title says, a switch is receiving pause frames, but the ASA is still getting overrun errors.  We have played with the settings for flowcontrol, but nothing seems to stop these errors.  I have performed troubleshooting as per this document:   https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115985-asa-overrun-product-tech-note-00.html#anc6   There does not seem to be any significant resource hogs, Is there a misconfiguration on one of the devices?  I am trying to find out what will fix the overrun issue.  What else should I try?   Console output of the two connected interfaces: *ASA 5525x* - Version ASA 9.4(2)11 ASA1# sho int gi 0/1 Interface GigabitEthernet0/1 "Inside", is up, line protocol is up Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps) Input flow control is unsupported, output flow control is on MAC address 0078.8847.87f3, MTU 1500 IP address 10.75.251.2, subnet mask 255.255.255.0 96959814285 packets input, 20072810163568 bytes, 0 no buffer Received 279155 broadcasts, 0 runts, 0 giants 3967982 input errors, 0 CRC, 0 frame, 3967982 overrun, 0 ignored, 0 abort 0 pause input, 0 resume input 0 L2 decode drops 195761529692 packets output, 228626395757828 bytes, 424459 underruns 1611 pause output, 339 resume output 0 output errors, 0 collisions, 20 interface resets 0 late collisions, 0 deferred 511 input reset drops, 79 output reset drops input queue (blocks free curr/low): hardware (496/362) output queue (blocks free curr/low): hardware (468/0) Traffic Statistics for "Inside": 96955623491 packets input, 18217124488226 bytes 195761954647 packets output, 225071328596014 bytes 168532556 packets dropped 1 minute input rate 18647 pkts/sec, 3674933 bytes/sec 1 minute output rate 39880 pkts/sec, 45959787 bytes/sec 1 minute drop rate, 39 pkts/sec 5 minute input rate 17684 pkts/sec, 3429228 bytes/sec 5 minute output rate 46221 pkts/sec, 54987848 bytes/sec 5 minute drop rate, 32 pkts/sec ASA1# sho run int gi 0/1 ! interface GigabitEthernet0/1 flowcontrol send on 16 20 26624 nameif Inside security-level 100 ip address 10.75.251.2 255.255.255.0 ASA1#   *C6824-X-LE-40G* - Version 15.2(02)SY [Rel 1.0] C6824#sho int te 1/1/24 TenGigabitEthernet1/1/24 is up, line protocol is up (connected) Hardware is C6k 10000Mb 802.3, address is 706b.b99a.b988 (bia 706b.b99a.b988) Description: TO_ASA MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec, reliability 255/255, txload 7/255, rxload 99/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full-duplex, 1000Mb/s, media type is 10/100/1000BaseT input flow-control is on, output flow-control is off Clock mode is auto ARP type: ARPA, ARP Timeout 04:00:00 Last input never, output never, output hang never Last clearing of "show interface" counters never Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 390797000 bits/sec, 41416 packets/sec 5 minute output rate 30701000 bits/sec, 17646 packets/sec 134005935676 packets input, 154259099562516 bytes, 0 no buffer Received 412337 broadcasts (409808 multicasts) 1 runts, 0 giants, 0 throttles 1 input errors, 1 CRC, 0 frame, 0 overrun, 0 ignored 0 watchdog, 0 multicast, 1950 pause input 0 input packets with dribble condition detected 64911682697 packets output, 16586145887747 bytes, 0 underruns 0 output errors, 0 collisions, 3 interface resets 0 unknown protocol drops 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 pause output 0 output buffer failures, 0 output buffers swapped out C6824#sho run int te 1/1/24 Building configuration... Current configuration : 191 bytes ! interface TenGigabitEthernet1/1/24 description TO_ASA switchport switchport mode access switchport access vlan 998 flowcontrol receive on spanning-tree portfast edge end C6824#     ... View more

I have a 2960 that has high CPU utilization.  I know the " Hulc LED Process" processor usage is caused by a glitch, but what about the spanning tree CPU usage?  There are 176 VLANs running on this switch, and it is running Rapid PVST+.  Is that typical CPU usage for this kind of switch running that many instances of spanning-tree?   The CPU utilization is as follows: XXXXXXXX#sh proc cpu sorted | ex 0.00 CPU utilization for five seconds: 81%/2%; one minute: 77%; five minutes: 77% PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 220 1041510985 88802676 11728 41.27% 35.86% 35.65% 0 Spanning Tree  162 627025960 43046544 14566 16.86% 19.63% 20.17% 0 Hulc LED Process 357 13330467 6354260 2097 3.98% 1.07% 0.65% 0 SNMP ENGINE 131 27388549 2603493 10519 0.93% 1.00% 1.00% 0 hpm counter proc 7 8194435 649655 12613 0.35% 0.24% 0.25% 0 Check heaps 173 8247868 513962 16047 0.29% 0.27% 0.28% 0 HQM Stack Proces 93 5424095 61881041 87 0.17% 0.14% 0.16% 0 RedEarth Rx Mana 194 3267192 2240256 1458 0.17% 0.11% 0.11% 0 CDP Protocol 236 3685301 2534533 1454 0.11% 0.12% 0.12% 0 PI MATM Aging Pr 207 1054175 6843668 154 0.11% 0.13% 0.08% 0 IP Input 355 3839010 12702559 302 0.11% 0.27% 0.22% 0 IP SNMP ... View more

I am working on a ISR4431 that is running Cisco IOS XE Software, Version 16.03.06.  For some reason, SSH version 2 will not activate on it.    I get an error message stating that I need to generate keys greater than 768 bytes for SSH version 2 to work.  I have generated keys that are 4096 bytes in length.  There are definitely keys in the key store, but for some reason they are not used.  Am I not generating the correct type of key?  What is the command looking for?    # show crypto key mypubkey all % Key pair was generated at: 23:51:41 EST May 11 2018 Key name: CISCO_IDEVID_SUDI Key type: RSA KEYS On Cryptographic Device: act2 (label=act2, key index=24) Usage: General Purpose Key Key is not exportable. Key Data: <REMOVED> % Key pair was generated at: 13:54:26 EST Aug 2 2018 Key name: XXXXXXXXXXXXXXXXX.XXXX.org Key type: RSA KEYS Storage Device: not specified Usage: Encryption Key Key is not exportable. Redundancy enabled. Key Data: <REMOVED> % Key pair was generated at: 13:56:34 EST Aug 2 2018 Key name: XXXXXXXXXXXXXXXXX.XXXX.org.server Key type: RSA KEYS Storage Device: not specified Usage: Encryption Key Key is not exportable. Redundancy enabled. Key Data: <REMOVED>           ... View more

I am looking at my options for dealing with bursty traffic on a trunk link.  I am looking at a switched trunk link between a Nexus 9K and a  3560 that has a (now) port channeled interface (bundled two gigabit ethernet links) that currently is dropping an unacceptable amount of outbound packets.  I verified that this really is bursty traffic by looking at traffic and buffer statistics, as well as looking at a packet capture.     I significantly lowered the amount of output discards by adding another gigabit interface and making the trunk a port channel.  But the output discards are still at an unacceptable level.   The links seem to be able to handle the load, except for the traffic bursts.  Do I have any options to remedy this aside from upgrading the links?  Can I modify the buffers on the interfaces to accommodate the bursts? ... View more