Cisco ASA 5585X Internal-Data0/1 interface errors
I have noticed the interface error counters going up on a Cisco ASA 5585 (SSP-20), especially overrun, but so far we haven't seen any production impact or issue. The error rate is low, so it's not noticeable, but I would like to track down what the issue could be.
asa/pri/act# show int detail | b Internal-Data0/1
Interface Internal-Data0/1 "", is up, line protocol is up
Hardware is i82599_xaui rev01, BW 10000 Mbps, DLY 10 usec
(Full-duplex), (10000 Mbps)
Input flow control is on, output flow control is off
MAC address 0000.0001.0002, MTU not set
IP address unassigned
1647603170965 packets input, 997527140937135 bytes, 0 no buffer
Received 864639959 broadcasts, 0 runts, 0 giants
16931212 input errors, 0 CRC, 0 frame, 16931212 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops, 0 demux drops
1384367635589 packets output, 843565440564127 bytes, 111 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
0 output decode drops
0 input reset drops, 0 output reset drops
Queue Stats:
RX[00]: 422029984108 packets, 255396173038299 bytes, 15836342 overrun
Blocks free curr/low: 511/112
RX[01]: 407016123288 packets, 245899431598039 bytes, 269316 overrun
Blocks free curr/low: 511/168
RX[02]: 413500421902 packets, 253352037908193 bytes, 566063 overrun
Blocks free curr/low: 511/264
RX[03]: 405056641781 packets, 242879498449889 bytes, 259491 overrun
Blocks free curr/low: 511/189
TX[00]: 330190721654 packets, 199847247773742 bytes, 0 underruns
Blocks free curr/low: 508/121
TX[01]: 338943972803 packets, 207641035134472 bytes, 0 underruns
Blocks free curr/low: 511/116
TX[02]: 351032018606 packets, 213654237791772 bytes, 0 underruns
Blocks free curr/low: 510/250
TX[03]: 334102657656 packets, 196810495181007 bytes, 0 underruns
Blocks free curr/low: 510/90
TX[04]: 0 packets, 0 bytes, 0 underruns
Blocks free curr/low: 511/511
Used by GigabitEthernet0/5
TX[05]: 4 packets, 528 bytes, 0 underruns
Blocks free curr/low: 511/509
Used by TenGigabitEthernet0/9
TX[06]: 4 packets, 528 bytes, 0 underruns
Blocks free curr/low: 511/510
Used by TenGigabitEthernet0/8
TX[07]: 30112705950 packets, 25621895258706 bytes, 111 underruns
Blocks free curr/low: 511/0
Used by GigabitEthernet0/6
TX[08]: 21 packets, 1180 bytes, 0 underruns
Blocks free curr/low: 511/510
Used by GigabitEthernet0/7
Topology Information:
This interface, a SSP Embedded NIC Port, is connected
with Internal-Data0/3, a SSP Switch Uplink Port.
Control Point Interface States:
Interface number is 3
Interface config status is active
Interface state is active
I did basic troubleshooting like cpu-hog etc., but I'm not seeing any massive hog. Currently the max conn count is around ~40k, with a 400 Mbps traffic rate at 75 kpps.
Interface error rate graph
cisco cisco-asa firewall interface packet-loss
asked Apr 9 at 1:41
Satish
Basically, you are running services that take too much time so that the input queue cannot be serviced with the amount of traffic it is receiving, and packets are dropped because the queue is full. The more services you run, the lower the actual throughput. This happens from time-to-time as traffic spikes, and it is only important if it is negatively affecting you, at which point you must upgrade or replace the device.
– Ron Maupin♦
Apr 9 at 13:34
I have updated my answer with troubleshooting information and graphs you can make yourself to see what is going on.
– Cown
Apr 9 at 13:45
2 Answers
From Cisco tech note:
The ASA interface error counter "overrun" tracks the number of times
that a packet was received on the network interface, but there was no
available space in the interface FIFO queue to store the packet. Thus,
the packet was dropped. The value of this counter can be seen with the
show interface command.
answered Apr 9 at 3:24
Ron Trunk
Looks like you might have hit the limit of what your current setup with SSP20 is capable of. We've recently had the same issues, where according to the Cisco datasheet and online specifications, it shouldn't have hit the limit.
Cisco TAC, on the other hand, advised us that with the setup we had, the limit was 2 Gbit/s with full inspection, application control (AVC) and URL/malware filtering. We could've upgraded our firewalls to SSP60, but comparing prices and service with the new Next Generation Firewalls, that would economically be a bad idea.
It ended up with us upgrading to NGFW 4120, which can do 10 Gbit/s full inspection with URL and malware filtering.
The ASA5585X is a really great all-round firewall, but it's old and that reflects a lot on the hardware it's based on.
I have been unable to find the document Cisco TAC sent us online, so I've uploaded the version they sent us to my own page; you can download it below. Here's a screenshot:
Another screenshot from Cisco Live 2015 and the material I have:
Download: http://mooo.dk/Cisco_ASA_Datasheet_2015.pdf
Here are a few screenshots from Cisco TAC troubleshooting and finding out what the problem was:
Interface peaking at 2 Gbit/s
Interface error counter and show interface outside
edited Apr 9 at 13:43
answered Apr 9 at 8:14
Cown
I'm using this firewall for basic ACLs to isolate subnets; I am not using it for any IPS/AVC or any other kind of feature. We have 30 users for AnyConnect VPN, so the question is how do I find out whether it has reached max capacity, because I'm not seeing it even using 2 Gbps anywhere. Is the 2 Gbps cap calculated across all interface bandwidth?
– Satish
Apr 9 at 12:13
@Satish Sorry, I've edited my answer to assume this could be the problem. Calculation is per interface or virtual group.
– Cown
Apr 9 at 13:32
@Satish Your drop rate looks exactly like ours did. I would suggest opening a Cisco TAC case. I have added some screenshots from the Cisco TAC troubleshooting session.
– Cown
Apr 9 at 13:43
Thanks for the details. Tell me one thing: is the interface graph you posted for one specific interface, or is it an aggregated graph of all interfaces? I really want to find out where I am hitting the 2 Gbps limit. We don't have TAC support for this specific device.
– Satish
Apr 9 at 15:56
@Satish Says on the picture. Interface Outside. Just above the graph.
– Cown
Apr 9 at 16:27
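One way to turn the cumulative counters from the question into numbers that can be tracked, as an added example that is not part of the original thread: it parses `show int detail` text, checks that the per-queue RX overruns add up to the interface total, and reports each RX queue's share of the drops plus any queue whose free-block low-water mark reached 0. The function names are hypothetical, and the sample is an excerpt of the output posted in the question.

```python
import re

# Excerpt of the `show int detail` output posted in the question
# (only the lines the parser needs; most TX queues are omitted).
SAMPLE = """\
Interface Internal-Data0/1 "", is up, line protocol is up
1647603170965 packets input, 997527140937135 bytes, 0 no buffer
16931212 input errors, 0 CRC, 0 frame, 16931212 overrun, 0 ignored, 0 abort
1384367635589 packets output, 843565440564127 bytes, 111 underruns
Queue Stats:
RX[00]: 422029984108 packets, 255396173038299 bytes, 15836342 overrun
Blocks free curr/low: 511/112
RX[01]: 407016123288 packets, 245899431598039 bytes, 269316 overrun
Blocks free curr/low: 511/168
RX[02]: 413500421902 packets, 253352037908193 bytes, 566063 overrun
Blocks free curr/low: 511/264
RX[03]: 405056641781 packets, 242879498449889 bytes, 259491 overrun
Blocks free curr/low: 511/189
TX[00]: 330190721654 packets, 199847247773742 bytes, 0 underruns
Blocks free curr/low: 508/121
TX[07]: 30112705950 packets, 25621895258706 bytes, 111 underruns
Blocks free curr/low: 511/0
Used by GigabitEthernet0/6
"""

INPUT_RE = re.compile(r"\s*(\d+) packets input")
IFACE_OVERRUN_RE = re.compile(r"\s*\d+ input errors,.*?(\d+) overrun")
QUEUE_RE = re.compile(
    r"\s*(RX|TX)\[(\d+)\]:\s+(\d+) packets, (\d+) bytes, (\d+) (?:overrun|underruns)"
)
BLOCKS_RE = re.compile(r"\s*Blocks free curr/low:\s+(\d+)/(\d+)")


def parse_show_interface(text):
    """Extract interface-level and per-queue counters from one snapshot."""
    stats = {"packets_input": None, "overrun": None, "queues": []}
    for line in text.splitlines():
        if m := INPUT_RE.match(line):
            stats["packets_input"] = int(m.group(1))
        elif m := IFACE_OVERRUN_RE.match(line):
            stats["overrun"] = int(m.group(1))
        elif m := QUEUE_RE.match(line):
            kind, idx, pkts, _nbytes, drops = m.groups()
            stats["queues"].append({
                "name": f"{kind}[{idx}]", "kind": kind,
                "packets": int(pkts), "drops": int(drops),
                "free_curr": None, "free_low": None,
            })
        elif (m := BLOCKS_RE.match(line)) and stats["queues"]:
            # The "Blocks free" line belongs to the queue printed just above it.
            stats["queues"][-1]["free_curr"] = int(m.group(1))
            stats["queues"][-1]["free_low"] = int(m.group(2))
    return stats


def analyze(stats):
    """Summarise one snapshot: drop ratio, per-queue share, exhausted queues."""
    rx = [q for q in stats["queues"] if q["kind"] == "RX"]
    rx_sum = sum(q["drops"] for q in rx)
    pkts = stats["packets_input"]
    return {
        # Overruns per received packet since the counters were last cleared.
        "overrun_ratio": stats["overrun"] / pkts if pkts else None,
        # Sanity check: interface overrun should equal the RX queue total.
        "rx_sum_matches": rx_sum == stats["overrun"],
        "rx_share": {q["name"]: q["drops"] / rx_sum for q in rx} if rx_sum else {},
        # Queues whose free-block low-water mark hit 0 at some point.
        "exhausted": [q["name"] for q in stats["queues"] if q["free_low"] == 0],
    }


def overrun_rate(prev, curr, seconds):
    """Overruns per second between two snapshots taken `seconds` apart.

    Returns None when the counter went backwards (cleared or reloaded),
    because a rate computed across a reset is meaningless.
    """
    delta = curr["overrun"] - prev["overrun"]
    if seconds <= 0 or delta < 0:
        return None
    return delta / seconds


if __name__ == "__main__":
    snapshot = parse_show_interface(SAMPLE)
    report = analyze(snapshot)
    print(f"overrun ratio: {report['overrun_ratio']:.2e}")
    for name, share in report["rx_share"].items():
        print(f"{name}: {share:.1%} of RX overruns")
    print("queues that ran out of free blocks:", report["exhausted"])
```

The counters are cumulative, so a single snapshot only gives a lifetime ratio; feeding two snapshots to `overrun_rate` at a fixed interval gives the series to graph against interface throughput.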
Basically, you are running services that take too much time so that the input queue cannot be serviced with the amount of traffic it is receiving, and packets are dropped because the queue is full. The more services you run, the lower the actual throughput. This happens from time to time as traffic spikes, and it is only important if it is negatively affecting you, at which point you must upgrade or replace the device.
– Ron Maupin♦
Apr 9 at 13:34
I have updated my answer with troubleshooting information and graphs you can make yourself to see what is going on.
– Cown
Apr 9 at 13:45
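An added example, not part of the thread and not Cisco tooling: the comments above discuss a per-interface 2 Gbit/s peak and drops that occur as traffic spikes, so this sketch computes per-interface rates from cumulative counter samples and compares the whole-window average with the per-interval peak. The sample values, the tuple layout and the 64-bit counter width are constructed assumptions, not real device output.

```python
from collections import defaultdict

WRAP = 2 ** 64  # assumption: counters are 64-bit and wrap to zero

# Constructed samples, not real device output:
# (seconds, interface, cumulative bytes, cumulative overrun drops)
SAMPLES = [
    (0, "outside", 0, 0),
    (10, "outside", 250_000_000, 0),
    (20, "outside", 500_000_000, 0),
    (30, "outside", 3_000_000_000, 1200),  # short burst with drops
    (40, "outside", 3_250_000_000, 1200),
    (50, "outside", 3_500_000_000, 1200),
    (60, "outside", 3_750_000_000, 1200),
    (0, "inside", 0, 0),
    (30, "inside", 375_000_000, 0),
    (60, "inside", 750_000_000, 0),
]


def interval_rates(samples):
    """Per interface: list of (start, end, bits_per_second, new_drops)."""
    series = defaultdict(list)
    for t, ifname, octets, drops in sorted(samples):
        series[ifname].append((t, octets, drops))
    rates = {}
    for ifname, points in series.items():
        rates[ifname] = [
            (t0, t1, ((b1 - b0) % WRAP) * 8 / (t1 - t0), (d1 - d0) % WRAP)
            for (t0, b0, d0), (t1, b1, d1) in zip(points, points[1:])
        ]
    return rates


def summarize(samples, limit_bps=2e9):
    """Compare the whole-window average with the per-interval peak."""
    report = {}
    for ifname, rows in interval_rates(samples).items():
        span = rows[-1][1] - rows[0][0]
        total_bits = sum(bps * (t1 - t0) for t0, t1, bps, _ in rows)
        report[ifname] = {
            "average_bps": total_bits / span,
            "peak_bps": max(bps for _, _, bps, _ in rows),
            "drop_intervals": [(t0, t1, bps) for t0, t1, bps, d in rows if d > 0],
            "at_limit": [(t0, t1) for t0, t1, bps, _ in rows if bps >= limit_bps],
        }
    return report
```

With these constructed samples, `summarize(SAMPLES)` reports a 60-second average of 0.5 Gbit/s on `outside` while the single 10-second interval that carries the new drops runs at 2 Gbit/s, which is why shorter polling intervals matter when looking for the limit.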