09-17-2007 04:37 PM - edited 02-21-2020 01:41 AM
Hi all,
I have an ASA5505 connected to a Dlink DI-624 switch through LAN ports (using straight through). Several times a day, if there is no activity coming from the Dlink, the traffic stops flowing. When I look at counters on each side (ASA and Dlink), I notice that the Dlink is no longer transmitting.
My immediate reaction was to think there was a bug with the firmware on the Dlink but when I replaced it with a Linksys switch, I got the same results.
I am concerned about the increasing number of drops due to switch ingress policy drops.
ASA5505(config)# sh int e0/3
Interface Ethernet0/3 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Description: To User VLAN
Available but not configured via nameif
MAC address 001b.0c0f.861b, MTU not set
IP address unassigned
157466 packets input, 18858798 bytes, 0 no buffer
Received 3248 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
96 switch ingress policy drops
180918 packets output, 55570322 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Here is an extract from the documentation:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The security appliance is connected to another Cisco device that has Ethernet keepalives. For example, Cisco IOS software uses Ethernet loopback packets to ensure interface health. This packet is not intended to be received by any other device; the health is ensured just by being able to send the packet. These types of packets are dropped at the switch port, and the counter increments.
[How do I turn off this feature on either side?]
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
To fix the issue, I must either reboot the Dlink or ping the ASA from the Dlink console.
My ASA is running code 7.2(3) but code 8.0(2) does the same thing:
ASA5505(config)# sh run int
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan105
nameif OUTSIDE
security-level 0
pppoe client vpdn group PPPOE_AUTH
ip address pppoe setroute
!
interface Vlan115
nameif DMZ
security-level 50
ip address 192.168.115.1 255.255.255.0
!
interface Vlan120
nameif VPN_USERS
security-level 70
ip address 192.168.120.1 255.255.255.0
!
interface Vlan125
nameif WIRELESS
security-level 80
ip address 192.168.0.1 255.255.255.0
!
interface Vlan135
nameif USERS
security-level 90
ip address 192.168.135.1 255.255.255.0
!
interface Vlan145
nameif SERVERS
security-level 100
ip address 192.168.145.1 255.255.255.0
!
interface Ethernet0/0
description To OUTSIDE
switchport access vlan 105
!
interface Ethernet0/1
description To DMZ
switchport access vlan 115
!
interface Ethernet0/2
description To Wireless LAN
switchport access vlan 125
shutdown
!
interface Ethernet0/3
description To User VLAN
switchport access vlan 135
!
interface Ethernet0/4
description To Server VLAN
switchport access vlan 145
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
Martin
09-21-2007 02:22 PM
This drop is usually seen when a port is not configured correctly. This drop is incremented when a packet cannot be successfully forwarded within switch ports as a result of the default or user configured switch port settings. The following configurations are the likely reasons for this drop:
a) The nameif command was not configured on the VLAN interface.
Note: For interfaces in the same VLAN, even if the nameif command was not configured, switching within the VLAN is successful, and this counter does not increment.
b) The VLAN is shut down.
c) An access port received an 802.1Q-tagged packet.
d) A trunk port received a tag that is not allowed or an untagged packet.
In your case there seems to be no problem on the ASA. The problem may be because the VLAN traffic is not defined properly.
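Conditions (a) and (b) above can be checked mechanically against the running config, and the counter from "show interface" can be read the same way for trending. The following is an added example, not code from the thread or from Cisco; the config excerpt is a constructed sample in the format quoted above, and the function names are hypothetical.

```python
import re

# Constructed excerpt in the format of the "sh run int" output quoted above.
ASA_CONFIG = """
interface Vlan1
 no nameif
!
interface Vlan135
 nameif USERS
 ip address 192.168.135.1 255.255.255.0
!
interface Ethernet0/3
 switchport access vlan 135
!
interface Ethernet0/5
 switchport access vlan 1
"""

def parse_interfaces(config):
    """Split an ASA running-config into {interface name: [config lines]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current and line and line != "!":
            blocks[current].append(line)
    return blocks

def ingress_drop_risks(config):
    """List (port, vlan, reason) for active switch ports whose VLAN interface
    cannot forward: (a) no nameif configured, or (b) VLAN interface shut down."""
    blocks, risks = parse_interfaces(config), []
    for name, lines in blocks.items():
        if not name.startswith("Ethernet") or "shutdown" in lines:
            continue  # a shut-down access port receives nothing to drop
        m = re.search(r"switchport access vlan (\d+)", "\n".join(lines))
        vlan = int(m.group(1)) if m else 1  # ASA 5505 ports default to VLAN 1
        vlan_cfg = blocks.get(f"Vlan{vlan}", [])
        if "shutdown" in vlan_cfg:
            risks.append((name, vlan, "VLAN interface is shut down"))
        elif not any(l.startswith("nameif ") for l in vlan_cfg):
            risks.append((name, vlan, "no nameif on VLAN interface"))
    return risks

def ingress_policy_drops(show_int):
    """Read the 'switch ingress policy drops' counter from 'show interface' output."""
    m = re.search(r"(\d+) switch ingress policy drops", show_int)
    return int(m.group(1)) if m else None
```

Running ingress_drop_risks over the sample flags only Ethernet0/5, whose VLAN 1 has no nameif; feeding two "show interface" snapshots to ingress_policy_drops and comparing the values shows whether the counter is still climbing.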
09-25-2007 09:21 PM
Is this a proxy-arp issue? The "timing" part of your note is intriguing.
Not sure if any of this relates, but . . .
http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K93807342
FWIW,
cm
09-26-2007 12:01 PM
Hi,
I implemented sysopt noproxyarp and it appears to have fixed the issue.
Thanks for your help!
Martin