
Cisco ASA 9.1 crypto ipsec stats system capacity failures

dharrisonpaahi
Level 1

Hello,

I'm trying to research some performance issues on a centralized ASA and some VPN site end-points. I'm already addressing fragmentation bits and flow control that look to resolve some of the performance issues, but I came across something that I can't seem to identify to understand what it's telling me.

I can't seem to find any documentation that explains what triggers the counter for "System capacity failures" on the show crypto ipsec stats command:

# sho crypto ipsec stats 

IPsec Global Statistics
-----------------------
Active tunnels: 41
Previous tunnels: 8999
Inbound
    Bytes: 8292491846127
    Decompressed bytes: 8292491846127
    Packets: 25115896849
    Dropped packets: 1291637
    Replay failures: 220
    Authentications: 25114592561
    Authentication failures: 0
    Decryptions: 25114592564
    Decryption failures: 0
    TFC Packets: 12836
    Decapsulated fragments needing reassembly: 17418535
    Valid ICMP Errors rcvd: 0
    Invalid ICMP Errors rcvd: 0
Outbound
    Bytes: 37818073925334
    Uncompressed bytes: 37818837785556
    Packets: 38014583887
    Dropped packets: 2413164
    Authentications: 38020189281
    Authentication failures: 0
    Encryptions: 38020191839
    Encryption failures: 0
    TFC Packets: 0
    Fragmentation successes: 7763651
        Pre-fragmentation successses: 7763651
        Post-fragmentation successes: 0
    Fragmentation failures: 267158
        Pre-fragmentation failures: 267158
        Post-fragmentation failures: 0
    Fragments created: 15527302
    PMTUs sent: 267158
    PMTUs rcvd: 185
Protocol failures: 0
Missing SA failures: 255102
System capacity failures: 3167258

Does anyone have any knowledge of what this is referring to specifically?

 

Cheers,  Dale

1 Accepted Solution

nkarthikeyan
Level 7

Hi,

What model of ASA do you have, and how many VPN sessions do you get on average during peak hours?

Capacity failure occurs when it runs out of hardware capacity or from over-utilization.

Regards

Karthik

Sorry Karthik, I was away on vacation and just checking back in with this again.

It is an ASA5510 and as you can see we average about 40 to 50 tunnels.

The outside link is a 100Mb and the inside is 1Gb. The DMZ is a 100Mb.

The actual performance metrics evidenced on this don't show any real buffer drops or steady high-interface utilization to be just throughput performance (of course there may be some spikes I'm not seeing in our sampling).

I'm just curious to see exactly what triggers that counter, and if I can figure that out, I can focus on something to prove any requirement to upgrade this model if required.

Cheers,

Dale.
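
Added example, not part of the thread or of any Cisco tooling: the thread leaves open what triggers the counter, so one practical check is to diff two polls of `show crypto ipsec stats` and see whether "System capacity failures" is still climbing and how that compares with packets handled in the same interval. The first snapshot is an excerpt of the output posted above, the second is constructed, and the function names and the failures-per-million-packets figure are assumptions of this example rather than Cisco definitions.

```python
import re

# SNAP1: excerpt of the output posted above. SNAP2: constructed values
# standing in for a later poll of the same command.
SNAP1 = """\
IPsec Global Statistics
-----------------------
Active tunnels: 41
Inbound
    Packets: 25115896849
Outbound
    Packets: 38014583887
    Fragmentation failures: 267158
        Pre-fragmentation failures: 267158
Missing SA failures: 255102
System capacity failures: 3167258
"""
SNAP2 = SNAP1.replace("25115896849", "25115996849").replace(
    "38014583887", "38014683887").replace("3167258", "3167358")

def parse_stats(text):
    """Return {'Inbound/Packets': int, ..., 'System capacity failures': int}."""
    stats, section = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\s*)([^:]+?):\s*(\d+)\s*$", line)
        if m:
            indent, name, value = m.groups()
            # Indented counters belong to the last Inbound/Outbound header;
            # unindented ones (e.g. the failure totals) are global.
            key = f"{section}/{name}" if indent and section else name
            stats[key] = int(value)
        elif line.strip() in ("Inbound", "Outbound"):
            section = line.strip()
    return stats

def deltas(before, after):
    """Counter growth between two polls; only counters that moved."""
    return {k: after[k] - before[k] for k in before
            if k in after and after[k] != before[k]}

def capacity_failures_per_million(before, after):
    """New system capacity failures per million packets in the interval."""
    d = deltas(before, after)
    pkts = d.get("Inbound/Packets", 0) + d.get("Outbound/Packets", 0)
    fails = d.get("System capacity failures", 0)
    return fails * 1_000_000 / pkts if pkts else 0.0

if __name__ == "__main__":
    a, b = parse_stats(SNAP1), parse_stats(SNAP2)
    print(deltas(a, b), capacity_failures_per_million(a, b))
```

Polling at a short, fixed interval and logging the deltas next to interface and CPU samples makes it possible to line up counter jumps with the traffic spikes that coarse sampling misses.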