Cisco ASA 5585X Internal-Data0/1 interface errors The 2019 Stack Overflow Developer Survey Results Are In Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)Output Drops on Serial interface: Better queueing or Output queue size?ASA IPS issue: routing and management interfaceHow can I reasonably verify my QoS configuration is working?Output drops on serial interface when service-policy appliedDifference between CRC and input errors - show interfaceInterface on ASA 5525 cannot turn up/upASA unable to pass ICMP and RDP through internal interfacesCisco 3560 interface counters, are the counters reset automatically?How to assign a second available Public ip for NAT (Dynamic PAT) to Inside Network Cisco ASA 5516-XTrunk on the outside ASA interface
Keeping a retro style to sci-fi spaceships?
Why is superheterodyning better than direct conversion?
How to stretch delimiters to envolve matrices inside of a kbordermatrix?
Single author papers against my advisor's will?
How many people can fit inside Mordenkainen's Magnificent Mansion?
Difference between "generating set" and free product?
Python - Fishing Simulator
He got a vote 80% that of Emmanuel Macron’s
Simulating Exploding Dice
Is this wall load bearing? Blueprints and photos attached
How to test the equality of two Pearson correlation coefficients computed from the same sample?
What information about me do stores get via my credit card?
Cooking pasta in a water boiler
Do warforged have souls?
Simulation of a banking system with an Account class in C++
Make it rain characters
Hiding Certain Lines on Table
How did the audience guess the pentatonic scale in Bobby McFerrin's presentation?
does high air pressure throw off wheel balance?
How do you keep chess fun when your opponent constantly beats you?
Can smartphones with the same camera sensor have different image quality?
Why does this iterative way of solving of equation work?
Semisimplicity of the category of coherent sheaves?
Finding the path in a graph from A to B then back to A with a minimum of shared edges
Cisco ASA 5585X Internal-Data0/1 interface errors
The 2019 Stack Overflow Developer Survey Results Are In
Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)Output Drops on Serial interface: Better queueing or Output queue size?ASA IPS issue: routing and management interfaceHow can I reasonably verify my QoS configuration is working?Output drops on serial interface when service-policy appliedDifference between CRC and input errors - show interfaceInterface on ASA 5525 cannot turn up/upASA unable to pass ICMP and RDP through internal interfacesCisco 3560 interface counters, are the counters reset automatically?How to assign a second available Public ip for NAT (Dynamic PAT) to Inside Network Cisco ASA 5516-XTrunk on the outside ASA interface
I have noticed on Cisco ASA 5585 (SSP-20) interface error counter going up specially overrun but so far we haven't seen any production impact or issue, error rate is low so its not noticable but would like to track it down what could be the issue.
asa/pri/act# show int detail | b Internal-Data0/1
Interface Internal-Data0/1 "", is up, line protocol is up
Hardware is i82599_xaui rev01, BW 10000 Mbps, DLY 10 usec
(Full-duplex), (10000 Mbps)
Input flow control is on, output flow control is off
MAC address 0000.0001.0002, MTU not set
IP address unassigned
1647603170965 packets input, 997527140937135 bytes, 0 no buffer
Received 864639959 broadcasts, 0 runts, 0 giants
16931212 input errors, 0 CRC, 0 frame, 16931212 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops, 0 demux drops
1384367635589 packets output, 843565440564127 bytes, 111 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
0 output decode drops
0 input reset drops, 0 output reset drops
Queue Stats:
RX[00]: 422029984108 packets, 255396173038299 bytes, 15836342 overrun
Blocks free curr/low: 511/112
RX[01]: 407016123288 packets, 245899431598039 bytes, 269316 overrun
Blocks free curr/low: 511/168
RX[02]: 413500421902 packets, 253352037908193 bytes, 566063 overrun
Blocks free curr/low: 511/264
RX[03]: 405056641781 packets, 242879498449889 bytes, 259491 overrun
Blocks free curr/low: 511/189
TX[00]: 330190721654 packets, 199847247773742 bytes, 0 underruns
Blocks free curr/low: 508/121
TX[01]: 338943972803 packets, 207641035134472 bytes, 0 underruns
Blocks free curr/low: 511/116
TX[02]: 351032018606 packets, 213654237791772 bytes, 0 underruns
Blocks free curr/low: 510/250
TX[03]: 334102657656 packets, 196810495181007 bytes, 0 underruns
Blocks free curr/low: 510/90
TX[04]: 0 packets, 0 bytes, 0 underruns
Blocks free curr/low: 511/511
Used by GigabitEthernet0/5
TX[05]: 4 packets, 528 bytes, 0 underruns
Blocks free curr/low: 511/509
Used by TenGigabitEthernet0/9
TX[06]: 4 packets, 528 bytes, 0 underruns
Blocks free curr/low: 511/510
Used by TenGigabitEthernet0/8
TX[07]: 30112705950 packets, 25621895258706 bytes, 111 underruns
Blocks free curr/low: 511/0
Used by GigabitEthernet0/6
TX[08]: 21 packets, 1180 bytes, 0 underruns
Blocks free curr/low: 511/510
Used by GigabitEthernet0/7
Topology Information:
This interface, a SSP Embedded NIC Port, is connected
with Internal-Data0/3, a SSP Switch Uplink Port.
Control Point Interface States:
Interface number is 3
Interface config status is active
Interface state is active
I did basic troubleshooting like cpu-hog etc but not seeing any massive hog etc.
currently max conn count is ~40k around and 400mbps traffic rate with 75kpps rate.
Interface error rate graph
cisco cisco-asa firewall interface packet-loss
asked Apr 9 at 1:41
SatishSatish
1,81012361
add a comment |
I have noticed on Cisco ASA 5585 (SSP-20) interface error counter going up specially overrun but so far we haven't seen any production impact or issue, error rate is low so its not noticable but would like to track it down what could be the issue.
asa/pri/act# show int detail | b Internal-Data0/1
Interface Internal-Data0/1 "", is up, line protocol is up
Hardware is i82599_xaui rev01, BW 10000 Mbps, DLY 10 usec
(Full-duplex), (10000 Mbps)
Input flow control is on, output flow control is off
MAC address 0000.0001.0002, MTU not set
IP address unassigned
1647603170965 packets input, 997527140937135 bytes, 0 no buffer
Received 864639959 broadcasts, 0 runts, 0 giants
16931212 input errors, 0 CRC, 0 frame, 16931212 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops, 0 demux drops
1384367635589 packets output, 843565440564127 bytes, 111 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
0 output decode drops
0 input reset drops, 0 output reset drops
Queue Stats:
RX[00]: 422029984108 packets, 255396173038299 bytes, 15836342 overrun
Blocks free curr/low: 511/112
RX[01]: 407016123288 packets, 245899431598039 bytes, 269316 overrun
Blocks free curr/low: 511/168
RX[02]: 413500421902 packets, 253352037908193 bytes, 566063 overrun
Blocks free curr/low: 511/264
RX[03]: 405056641781 packets, 242879498449889 bytes, 259491 overrun
Blocks free curr/low: 511/189
TX[00]: 330190721654 packets, 199847247773742 bytes, 0 underruns
Blocks free curr/low: 508/121
TX[01]: 338943972803 packets, 207641035134472 bytes, 0 underruns
Blocks free curr/low: 511/116
TX[02]: 351032018606 packets, 213654237791772 bytes, 0 underruns
Blocks free curr/low: 510/250
TX[03]: 334102657656 packets, 196810495181007 bytes, 0 underruns
Blocks free curr/low: 510/90
TX[04]: 0 packets, 0 bytes, 0 underruns
Blocks free curr/low: 511/511
Used by GigabitEthernet0/5
TX[05]: 4 packets, 528 bytes, 0 underruns
Blocks free curr/low: 511/509
Used by TenGigabitEthernet0/9
TX[06]: 4 packets, 528 bytes, 0 underruns
Blocks free curr/low: 511/510
Used by TenGigabitEthernet0/8
TX[07]: 30112705950 packets, 25621895258706 bytes, 111 underruns
Blocks free curr/low: 511/0
Used by GigabitEthernet0/6
TX[08]: 21 packets, 1180 bytes, 0 underruns
Blocks free curr/low: 511/510
Used by GigabitEthernet0/7
Topology Information:
This interface, a SSP Embedded NIC Port, is connected
with Internal-Data0/3, a SSP Switch Uplink Port.
Control Point Interface States:
Interface number is 3
Interface config status is active
Interface state is active
I did basic troubleshooting like cpu-hog etc but not seeing any massive hog etc.
currently max conn count is ~40k around and 400mbps traffic rate with 75kpps rate.
Interface error rate graph
cisco cisco-asa firewall interface packet-loss
asked Apr 9 at 1:41
SatishSatish
1,81012361
Basically, you are running services that take too much time so that the input queue cannot be serviced with the amount of traffic it is receiving, and packets are dropped because the queue is full. The more services you run, the lower the actual throughput. This happens from time-to-time as traffic spikes, and it is only important if it is negatively affecting you, at which point you must upgrade or replace the device.
– Ron Maupin♦
Apr 9 at 13:34
I have updated my answer with troubleshooting information and graphs you can make yourself to see what is going on.
– Cown
Apr 9 at 13:45
add a comment |
I have noticed on Cisco ASA 5585 (SSP-20) interface error counter going up specially overrun but so far we haven't seen any production impact or issue, error rate is low so its not noticable but would like to track it down what could be the issue.
asa/pri/act# show int detail | b Internal-Data0/1
Interface Internal-Data0/1 "", is up, line protocol is up
Hardware is i82599_xaui rev01, BW 10000 Mbps, DLY 10 usec
(Full-duplex), (10000 Mbps)
Input flow control is on, output flow control is off
MAC address 0000.0001.0002, MTU not set
IP address unassigned
1647603170965 packets input, 997527140937135 bytes, 0 no buffer
Received 864639959 broadcasts, 0 runts, 0 giants
16931212 input errors, 0 CRC, 0 frame, 16931212 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops, 0 demux drops
1384367635589 packets output, 843565440564127 bytes, 111 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
0 output decode drops
0 input reset drops, 0 output reset drops
Queue Stats:
RX[00]: 422029984108 packets, 255396173038299 bytes, 15836342 overrun
Blocks free curr/low: 511/112
RX[01]: 407016123288 packets, 245899431598039 bytes, 269316 overrun
Blocks free curr/low: 511/168
RX[02]: 413500421902 packets, 253352037908193 bytes, 566063 overrun
Blocks free curr/low: 511/264
RX[03]: 405056641781 packets, 242879498449889 bytes, 259491 overrun
Blocks free curr/low: 511/189
TX[00]: 330190721654 packets, 199847247773742 bytes, 0 underruns
Blocks free curr/low: 508/121
TX[01]: 338943972803 packets, 207641035134472 bytes, 0 underruns
Blocks free curr/low: 511/116
TX[02]: 351032018606 packets, 213654237791772 bytes, 0 underruns
Blocks free curr/low: 510/250
TX[03]: 334102657656 packets, 196810495181007 bytes, 0 underruns
Blocks free curr/low: 510/90
TX[04]: 0 packets, 0 bytes, 0 underruns
Blocks free curr/low: 511/511
Used by GigabitEthernet0/5
TX[05]: 4 packets, 528 bytes, 0 underruns
Blocks free curr/low: 511/509
Used by TenGigabitEthernet0/9
TX[06]: 4 packets, 528 bytes, 0 underruns
Blocks free curr/low: 511/510
Used by TenGigabitEthernet0/8
TX[07]: 30112705950 packets, 25621895258706 bytes, 111 underruns
Blocks free curr/low: 511/0
Used by GigabitEthernet0/6
TX[08]: 21 packets, 1180 bytes, 0 underruns
Blocks free curr/low: 511/510
Used by GigabitEthernet0/7
Topology Information:
This interface, a SSP Embedded NIC Port, is connected
with Internal-Data0/3, a SSP Switch Uplink Port.
Control Point Interface States:
Interface number is 3
Interface config status is active
Interface state is active
I did basic troubleshooting like cpu-hog etc but not seeing any massive hog etc.
currently max conn count is ~40k around and 400mbps traffic rate with 75kpps rate.
Interface error rate graph
cisco cisco-asa firewall interface packet-loss
asked Apr 9 at 1:41
SatishSatish
1,81012361
I have noticed on Cisco ASA 5585 (SSP-20) interface error counter going up specially overrun but so far we haven't seen any production impact or issue, error rate is low so its not noticable but would like to track it down what could be the issue.
asa/pri/act# show int detail | b Internal-Data0/1
Interface Internal-Data0/1 "", is up, line protocol is up
Hardware is i82599_xaui rev01, BW 10000 Mbps, DLY 10 usec
(Full-duplex), (10000 Mbps)
Input flow control is on, output flow control is off
MAC address 0000.0001.0002, MTU not set
IP address unassigned
1647603170965 packets input, 997527140937135 bytes, 0 no buffer
Received 864639959 broadcasts, 0 runts, 0 giants
16931212 input errors, 0 CRC, 0 frame, 16931212 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops, 0 demux drops
1384367635589 packets output, 843565440564127 bytes, 111 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
0 output decode drops
0 input reset drops, 0 output reset drops
Queue Stats:
RX[00]: 422029984108 packets, 255396173038299 bytes, 15836342 overrun
Blocks free curr/low: 511/112
RX[01]: 407016123288 packets, 245899431598039 bytes, 269316 overrun
Blocks free curr/low: 511/168
RX[02]: 413500421902 packets, 253352037908193 bytes, 566063 overrun
Blocks free curr/low: 511/264
RX[03]: 405056641781 packets, 242879498449889 bytes, 259491 overrun
Blocks free curr/low: 511/189
TX[00]: 330190721654 packets, 199847247773742 bytes, 0 underruns
Blocks free curr/low: 508/121
TX[01]: 338943972803 packets, 207641035134472 bytes, 0 underruns
Blocks free curr/low: 511/116
TX[02]: 351032018606 packets, 213654237791772 bytes, 0 underruns
Blocks free curr/low: 510/250
TX[03]: 334102657656 packets, 196810495181007 bytes, 0 underruns
Blocks free curr/low: 510/90
TX[04]: 0 packets, 0 bytes, 0 underruns
Blocks free curr/low: 511/511
Used by GigabitEthernet0/5
TX[05]: 4 packets, 528 bytes, 0 underruns
Blocks free curr/low: 511/509
Used by TenGigabitEthernet0/9
TX[06]: 4 packets, 528 bytes, 0 underruns
Blocks free curr/low: 511/510
Used by TenGigabitEthernet0/8
TX[07]: 30112705950 packets, 25621895258706 bytes, 111 underruns
Blocks free curr/low: 511/0
Used by GigabitEthernet0/6
TX[08]: 21 packets, 1180 bytes, 0 underruns
Blocks free curr/low: 511/510
Used by GigabitEthernet0/7
Topology Information:
This interface, a SSP Embedded NIC Port, is connected
with Internal-Data0/3, a SSP Switch Uplink Port.
Control Point Interface States:
Interface number is 3
Interface config status is active
Interface state is active
I did basic troubleshooting like cpu-hog etc but not seeing any massive hog etc.
currently max conn count is ~40k around and 400mbps traffic rate with 75kpps rate.
Interface error rate graph
cisco cisco-asa firewall interface packet-loss
cisco cisco-asa firewall interface packet-loss
asked Apr 9 at 1:41
SatishSatish
1,81012361
asked Apr 9 at 1:41
SatishSatish
1,81012361
asked Apr 9 at 1:41
SatishSatish
1,81012361
asked Apr 9 at 1:41
SatishSatish
1,81012361
asked Apr 9 at 1:41
SatishSatish
1,81012361
1,81012361
Basically, you are running services that take too much time so that the input queue cannot be serviced with the amount of traffic it is receiving, and packets are dropped because the queue is full. The more services you run, the lower the actual throughput. This happens from time-to-time as traffic spikes, and it is only important if it is negatively affecting you, at which point you must upgrade or replace the device.
– Ron Maupin♦
Apr 9 at 13:34
I have updated my answer with troubleshooting information and graphs you can make yourself to see what is going on.
– Cown
Apr 9 at 13:45
add a comment |
Basically, you are running services that take too much time so that the input queue cannot be serviced with the amount of traffic it is receiving, and packets are dropped because the queue is full. The more services you run, the lower the actual throughput. This happens from time-to-time as traffic spikes, and it is only important if it is negatively affecting you, at which point you must upgrade or replace the device.
– Ron Maupin♦
Apr 9 at 13:34
I have updated my answer with troubleshooting information and graphs you can make yourself to see what is going on.
– Cown
Apr 9 at 13:45
Basically, you are running services that take too much time so that the input queue cannot be serviced with the amount of traffic it is receiving, and packets are dropped because the queue is full. The more services you run, the lower the actual throughput. This happens from time-to-time as traffic spikes, and it is only important if it is negatively affecting you, at which point you must upgrade or replace the device.
– Ron Maupin♦
Apr 9 at 13:34
Basically, you are running services that take too much time so that the input queue cannot be serviced with the amount of traffic it is receiving, and packets are dropped because the queue is full. The more services you run, the lower the actual throughput. This happens from time-to-time as traffic spikes, and it is only important if it is negatively affecting you, at which point you must upgrade or replace the device.
– Ron Maupin♦
Apr 9 at 13:34
I have updated my answer with troubleshooting information and graphs you can make yourself to see what is going on.
– Cown
Apr 9 at 13:45
I have updated my answer with troubleshooting information and graphs you can make yourself to see what is going on.
– Cown
Apr 9 at 13:45
add a comment |
2 Answers
2
active
oldest
votes
From Cisco tech note:
The ASA interface error counter "overrun" tracks the number of times
that a packet was received on the network interface, but there was no
available space in the interface FIFO queue to store the packet. Thus,
the packet was dropped. The value of this counter can be seen with the
show interface command.
answered Apr 9 at 3:24
Ron TrunkRon Trunk
39.8k33781
add a comment |
Looks like you might have hit the limit of what your current setup with SSP20 is capable off. We've recently had the same issues, where according to the Cisco datasheet and online specifications, it shouldn't have hit the limit.
Cisco TAC on the other had advised us, that with the setup we had, the limit was 2 Gbit/s with full inspection, application control (AVC) and url/malware filtering. We could've upgraded our firewalls to SSP60, but comparing prices and service with the new Next Generation Firewalls, that would economically be a bad idea.
It ended up with us upgrading to NGFW 4120, which can do 10 Gbit/s full inspection with url and malware filtering.
The ASA5585X is a really great all round firewall, but it's old and that reflects a lot on the hardware it's based on.
I have been unable to find the document Cisco TAC sent us online, so i've uploaded the version they sent us to my own page, you can download it below. Here's a screen shot:
Another screenshot from Cisco Live 2015 and the material i have:
Download: http://mooo.dk/Cisco_ASA_Datasheet_2015.pdf
Here are a few screenshots from Cisco TAC troubleshooting and finding out what the problem was:
Interface peaking at 2 Gbit/s
Interface error counter and show interface outside
answered Apr 9 at 8:14
CownCown
6,99131031
I'm using this firewall for basic ACL to isolate subnets, I am not using for any IPS/AVC or any kind of other feature. We have 30 users for any connect VPN, so question is how do I find out it reached to Max capacity because I'm not seeing it's even using 2gbps anywhere. Does 2 Gbps cap calculate by all interface bandwidth ?
– Satish
Apr 9 at 12:13
@Satish Sorry, i've edited my answer to assuming this could be the problem. Calculation is per interface or virtual group.
– Cown
Apr 9 at 13:32
@Satish Your drop rate looks exactly how ours looked like. I would suggest opening a Cisco TAC case. I have added some screenshots from Cisco TAC troubleshooting session.
– Cown
Apr 9 at 13:43
Thanks for details, tell me one thing in interface graph you posted that is one specific interface graph or aggregated graph of all interface? I really want to find out where i am hitting 2Gbps limit. We don't have TAC support for this specific device.
– Satish
Apr 9 at 15:56
@Satish Says on the picture. Interface Outside. Just above the graph.
– Cown
Apr 9 at 16:27
|
show 1 more comment
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "496"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f58316%2fcisco-asa-5585x-internal-data0-1-interface-errors%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
From Cisco tech note:
The ASA interface error counter "overrun" tracks the number of times
that a packet was received on the network interface, but there was no
available space in the interface FIFO queue to store the packet. Thus,
the packet was dropped. The value of this counter can be seen with the
show interface command.
answered Apr 9 at 3:24
Ron TrunkRon Trunk
39.8k33781
add a comment |
From Cisco tech note:
The ASA interface error counter "overrun" tracks the number of times
that a packet was received on the network interface, but there was no
available space in the interface FIFO queue to store the packet. Thus,
the packet was dropped. The value of this counter can be seen with the
show interface command.
answered Apr 9 at 3:24
Ron TrunkRon Trunk
39.8k33781
add a comment |
From Cisco tech note:
The ASA interface error counter "overrun" tracks the number of times
that a packet was received on the network interface, but there was no
available space in the interface FIFO queue to store the packet. Thus,
the packet was dropped. The value of this counter can be seen with the
show interface command.
answered Apr 9 at 3:24
Ron TrunkRon Trunk
39.8k33781
From Cisco tech note:
The ASA interface error counter "overrun" tracks the number of times
that a packet was received on the network interface, but there was no
available space in the interface FIFO queue to store the packet. Thus,
the packet was dropped. The value of this counter can be seen with the
show interface command.
answered Apr 9 at 3:24
Ron TrunkRon Trunk
39.8k33781
answered Apr 9 at 3:24
Ron TrunkRon Trunk
39.8k33781
answered Apr 9 at 3:24
Ron TrunkRon Trunk
39.8k33781
answered Apr 9 at 3:24
Ron TrunkRon Trunk
39.8k33781
39.8k33781
add a comment |
add a comment |
Looks like you might have hit the limit of what your current setup with SSP20 is capable off. We've recently had the same issues, where according to the Cisco datasheet and online specifications, it shouldn't have hit the limit.
Cisco TAC on the other had advised us, that with the setup we had, the limit was 2 Gbit/s with full inspection, application control (AVC) and url/malware filtering. We could've upgraded our firewalls to SSP60, but comparing prices and service with the new Next Generation Firewalls, that would economically be a bad idea.
It ended up with us upgrading to NGFW 4120, which can do 10 Gbit/s full inspection with url and malware filtering.
The ASA5585X is a really great all round firewall, but it's old and that reflects a lot on the hardware it's based on.
I have been unable to find the document Cisco TAC sent us online, so i've uploaded the version they sent us to my own page, you can download it below. Here's a screen shot:
Another screenshot from Cisco Live 2015 and the material i have:
Download: http://mooo.dk/Cisco_ASA_Datasheet_2015.pdf
Here are a few screenshots from Cisco TAC troubleshooting and finding out what the problem was:
Interface peaking at 2 Gbit/s
Interface error counter and show interface outside
answered Apr 9 at 8:14
CownCown
6,99131031
I'm using this firewall for basic ACL to isolate subnets, I am not using for any IPS/AVC or any kind of other feature. We have 30 users for any connect VPN, so question is how do I find out it reached to Max capacity because I'm not seeing it's even using 2gbps anywhere. Does 2 Gbps cap calculate by all interface bandwidth ?
– Satish
Apr 9 at 12:13
@Satish Sorry, i've edited my answer to assuming this could be the problem. Calculation is per interface or virtual group.
– Cown
Apr 9 at 13:32
@Satish Your drop rate looks exactly how ours looked like. I would suggest opening a Cisco TAC case. I have added some screenshots from Cisco TAC troubleshooting session.
– Cown
Apr 9 at 13:43
Thanks for details, tell me one thing in interface graph you posted that is one specific interface graph or aggregated graph of all interface? I really want to find out where i am hitting 2Gbps limit. We don't have TAC support for this specific device.
– Satish
Apr 9 at 15:56
@Satish Says on the picture. Interface Outside. Just above the graph.
– Cown
Apr 9 at 16:27
|
show 1 more comment
Looks like you might have hit the limit of what your current setup with SSP20 is capable off. We've recently had the same issues, where according to the Cisco datasheet and online specifications, it shouldn't have hit the limit.
Cisco TAC on the other had advised us, that with the setup we had, the limit was 2 Gbit/s with full inspection, application control (AVC) and url/malware filtering. We could've upgraded our firewalls to SSP60, but comparing prices and service with the new Next Generation Firewalls, that would economically be a bad idea.
It ended up with us upgrading to NGFW 4120, which can do 10 Gbit/s full inspection with url and malware filtering.
The ASA5585X is a really great all round firewall, but it's old and that reflects a lot on the hardware it's based on.
I have been unable to find the document Cisco TAC sent us online, so i've uploaded the version they sent us to my own page, you can download it below. Here's a screen shot:
Another screenshot from Cisco Live 2015 and the material i have:
Download: http://mooo.dk/Cisco_ASA_Datasheet_2015.pdf
Here are a few screenshots from Cisco TAC troubleshooting and finding out what the problem was:
Interface peaking at 2 Gbit/s
Interface error counter and show interface outside
answered Apr 9 at 8:14
CownCown
6,99131031
I'm using this firewall for basic ACL to isolate subnets, I am not using for any IPS/AVC or any kind of other feature. We have 30 users for any connect VPN, so question is how do I find out it reached to Max capacity because I'm not seeing it's even using 2gbps anywhere. Does 2 Gbps cap calculate by all interface bandwidth ?
– Satish
Apr 9 at 12:13
@Satish Sorry, i've edited my answer to assuming this could be the problem. Calculation is per interface or virtual group.
– Cown
Apr 9 at 13:32
@Satish Your drop rate looks exactly how ours looked like. I would suggest opening a Cisco TAC case. I have added some screenshots from Cisco TAC troubleshooting session.
– Cown
Apr 9 at 13:43
Thanks for details, tell me one thing in interface graph you posted that is one specific interface graph or aggregated graph of all interface? I really want to find out where i am hitting 2Gbps limit. We don't have TAC support for this specific device.
– Satish
Apr 9 at 15:56
@Satish Says on the picture. Interface Outside. Just above the graph.
– Cown
Apr 9 at 16:27
|
show 1 more comment
Looks like you might have hit the limit of what your current setup with SSP20 is capable off. We've recently had the same issues, where according to the Cisco datasheet and online specifications, it shouldn't have hit the limit.
Cisco TAC on the other had advised us, that with the setup we had, the limit was 2 Gbit/s with full inspection, application control (AVC) and url/malware filtering. We could've upgraded our firewalls to SSP60, but comparing prices and service with the new Next Generation Firewalls, that would economically be a bad idea.
It ended up with us upgrading to NGFW 4120, which can do 10 Gbit/s full inspection with url and malware filtering.
The ASA5585X is a really great all round firewall, but it's old and that reflects a lot on the hardware it's based on.
I have been unable to find the document Cisco TAC sent us online, so i've uploaded the version they sent us to my own page, you can download it below. Here's a screen shot:
Another screenshot from Cisco Live 2015 and the material i have:
Download: http://mooo.dk/Cisco_ASA_Datasheet_2015.pdf
Here are a few screenshots from Cisco TAC troubleshooting and finding out what the problem was:
Interface peaking at 2 Gbit/s
Interface error counter and show interface outside
answered Apr 9 at 8:14
CownCown
6,99131031
Looks like you might have hit the limit of what your current setup with SSP20 is capable off. We've recently had the same issues, where according to the Cisco datasheet and online specifications, it shouldn't have hit the limit.
Cisco TAC on the other had advised us, that with the setup we had, the limit was 2 Gbit/s with full inspection, application control (AVC) and url/malware filtering. We could've upgraded our firewalls to SSP60, but comparing prices and service with the new Next Generation Firewalls, that would economically be a bad idea.
It ended up with us upgrading to NGFW 4120, which can do 10 Gbit/s full inspection with url and malware filtering.
The ASA5585X is a really great all round firewall, but it's old and that reflects a lot on the hardware it's based on.
I have been unable to find the document Cisco TAC sent us online, so i've uploaded the version they sent us to my own page, you can download it below. Here's a screen shot:
Another screenshot from Cisco Live 2015 and the material i have:
Download: http://mooo.dk/Cisco_ASA_Datasheet_2015.pdf
Here are a few screenshots from Cisco TAC troubleshooting and finding out what the problem was:
Interface peaking at 2 Gbit/s
Interface error counter and show interface outside
answered Apr 9 at 8:14
CownCown
6,99131031
edited Apr 9 at 13:43
answered Apr 9 at 8:14
CownCown
6,99131031
answered Apr 9 at 8:14
CownCown
6,99131031
answered Apr 9 at 8:14
CownCown
6,99131031
6,99131031
I'm using this firewall for basic ACL to isolate subnets, I am not using for any IPS/AVC or any kind of other feature. We have 30 users for any connect VPN, so question is how do I find out it reached to Max capacity because I'm not seeing it's even using 2gbps anywhere. Does 2 Gbps cap calculate by all interface bandwidth ?
– Satish
Apr 9 at 12:13
@Satish Sorry, i've edited my answer to assuming this could be the problem. Calculation is per interface or virtual group.
– Cown
Apr 9 at 13:32
@Satish Your drop rate looks exactly how ours looked like. I would suggest opening a Cisco TAC case. I have added some screenshots from Cisco TAC troubleshooting session.
– Cown
Apr 9 at 13:43
Thanks for details, tell me one thing in interface graph you posted that is one specific interface graph or aggregated graph of all interface? I really want to find out where i am hitting 2Gbps limit. We don't have TAC support for this specific device.
– Satish
Apr 9 at 15:56
@Satish Says on the picture. Interface Outside. Just above the graph.
– Cown
Apr 9 at 16:27
|
show 1 more comment
I'm using this firewall for basic ACL to isolate subnets, I am not using for any IPS/AVC or any kind of other feature. We have 30 users for any connect VPN, so question is how do I find out it reached to Max capacity because I'm not seeing it's even using 2gbps anywhere. Does 2 Gbps cap calculate by all interface bandwidth ?
– Satish
Apr 9 at 12:13
@Satish Sorry, i've edited my answer to assuming this could be the problem. Calculation is per interface or virtual group.
– Cown
Apr 9 at 13:32
@Satish Your drop rate looks exactly how ours looked like. I would suggest opening a Cisco TAC case. I have added some screenshots from Cisco TAC troubleshooting session.
– Cown
Apr 9 at 13:43
Thanks for details, tell me one thing in interface graph you posted that is one specific interface graph or aggregated graph of all interface? I really want to find out where i am hitting 2Gbps limit. We don't have TAC support for this specific device.
– Satish
Apr 9 at 15:56
@Satish Says on the picture. Interface Outside. Just above the graph.
– Cown
Apr 9 at 16:27
I'm using this firewall for basic ACL to isolate subnets, I am not using for any IPS/AVC or any kind of other feature. We have 30 users for any connect VPN, so question is how do I find out it reached to Max capacity because I'm not seeing it's even using 2gbps anywhere. Does 2 Gbps cap calculate by all interface bandwidth ?
– Satish
Apr 9 at 12:13
I'm using this firewall for basic ACL to isolate subnets, I am not using for any IPS/AVC or any kind of other feature. We have 30 users for any connect VPN, so question is how do I find out it reached to Max capacity because I'm not seeing it's even using 2gbps anywhere. Does 2 Gbps cap calculate by all interface bandwidth ?
– Satish
Apr 9 at 12:13
@Satish Sorry, i've edited my answer to assuming this could be the problem. Calculation is per interface or virtual group.
– Cown
Apr 9 at 13:32
@Satish Sorry, i've edited my answer to assuming this could be the problem. Calculation is per interface or virtual group.
– Cown
Apr 9 at 13:32
@Satish Your drop rate looks exactly how ours looked like. I would suggest opening a Cisco TAC case. I have added some screenshots from Cisco TAC troubleshooting session.
– Cown
Apr 9 at 13:43
@Satish Your drop rate looks exactly how ours looked like. I would suggest opening a Cisco TAC case. I have added some screenshots from Cisco TAC troubleshooting session.
– Cown
Apr 9 at 13:43
Thanks for details, tell me one thing in interface graph you posted that is one specific interface graph or aggregated graph of all interface? I really want to find out where i am hitting 2Gbps limit. We don't have TAC support for this specific device.
– Satish
Apr 9 at 15:56
Thanks for details, tell me one thing in interface graph you posted that is one specific interface graph or aggregated graph of all interface? I really want to find out where i am hitting 2Gbps limit. We don't have TAC support for this specific device.
– Satish
Apr 9 at 15:56
@Satish Says on the picture. Interface Outside. Just above the graph.
– Cown
Apr 9 at 16:27
@Satish Says on the picture. Interface Outside. Just above the graph.
– Cown
Apr 9 at 16:27
|
show 1 more comment
Thanks for contributing an answer to Network Engineering Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f58316%2fcisco-asa-5585x-internal-data0-1-interface-errors%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Basically, you are running services that take too much time so that the input queue cannot be serviced with the amount of traffic it is receiving, and packets are dropped because the queue is full. The more services you run, the lower the actual throughput. This happens from time-to-time as traffic spikes, and it is only important if it is negatively affecting you, at which point you must upgrade or replace the device.
– Ron Maupin♦
Apr 9 at 13:34
I have updated my answer with troubleshooting information and graphs you can make yourself to see what is going on.
– Cown
Apr 9 at 13:45