ASA dropping packets

martin.roy
Level 1

Hi all,

I have an ASA5505 connected to a Dlink DI-624 switch through LAN ports (using straight through). Several times a day, if there is no activity coming from the Dlink, the traffic stops flowing. When I look at counters on each side (ASA and Dlink), I notice that the Dlink is no longer transmitting.

My immediate reaction was to think there was a bug with the firmware on the Dlink but when I replaced it with a Linksys switch, I got the same results.

I am concerned about the increasing number of drops due to switch ingress policy drops.

ASA5505(config)# sh int e0/3
Interface Ethernet0/3 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Description: To User VLAN
        Available but not configured via nameif
        MAC address 001b.0c0f.861b, MTU not set
        IP address unassigned
        157466 packets input, 18858798 bytes, 0 no buffer
        Received 3248 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        96 switch ingress policy drops
        180918 packets output, 55570322 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        0 rate limit drops
        0 switch egress policy drops

Here is an extract from the documentation:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The security appliance is connected to another Cisco device that has Ethernet keepalives. For example, Cisco IOS software uses Ethernet loopback packets to ensure interface health. This packet is not intended to be received by any other device; the health is ensured just by being able to send the packet. These types of packets are dropped at the switch port, and the counter increments.

[How do I turn off this feature on either side?]

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

To fix the issue, I must either reboot the Dlink or ping the ASA from the Dlink console.

My ASA is running code 7.2(3) but code 8.0(2) does the same thing:

ASA5505(config)# sh run int
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan105
 nameif OUTSIDE
 security-level 0
 pppoe client vpdn group PPPOE_AUTH
 ip address pppoe setroute
!
interface Vlan115
 nameif DMZ
 security-level 50
 ip address 192.168.115.1 255.255.255.0
!
interface Vlan120
 nameif VPN_USERS
 security-level 70
 ip address 192.168.120.1 255.255.255.0
!
interface Vlan125
 nameif WIRELESS
 security-level 80
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan135
 nameif USERS
 security-level 90
 ip address 192.168.135.1 255.255.255.0
!
interface Vlan145
 nameif SERVERS
 security-level 100
 ip address 192.168.145.1 255.255.255.0
!
interface Ethernet0/0
 description To OUTSIDE
 switchport access vlan 105
!
interface Ethernet0/1
 description To DMZ
 switchport access vlan 115
!
interface Ethernet0/2
 description To Wireless LAN
 switchport access vlan 125
 shutdown
!
interface Ethernet0/3
 description To User VLAN
 switchport access vlan 135
!
interface Ethernet0/4
 description To Server VLAN
 switchport access vlan 145
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown

Martin

3 Replies

tstanik
Level 5

This drop is usually seen when a port is not configured correctly. This drop is incremented when a packet cannot be successfully forwarded within switch ports as a result of the default or user configured switch port settings. The following configurations are the likely reasons for this drop:

a) The nameif command was not configured on the VLAN interface.

Note: For interfaces in the same VLAN, even if the nameif command was not configured, switching within the VLAN is successful, and this counter does not increment.

b) The VLAN is shut down.

c) An access port received an 802.1Q-tagged packet.

d) A trunk port received a tag that is not allowed or an untagged packet.

In your case there seems to be no problem on ASA. The problem may be because of VLAN traffic not defined properly.

Is this a proxy-arp issue? The "timing" part of your note is intriguing.

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a008009402f.shtml

Not sure if any of this relates, but . . .

http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K93807342

FWIW,

cm
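A small configuration check for causes (a) and (b) from the reply above, run over a constructed "show run interface" in the shape of the one posted. This is added example code, not from the thread or from Cisco; treating a port with no "switchport access vlan" line as a member of VLAN 1 is an assumption about the ASA5505 default.

```python
# Constructed sample in the shape of the thread's "show run interface":
# Vlan1 has no nameif, and Ethernet0/5 is left in the default VLAN 1.
SAMPLE_RUN = """\
interface Vlan1
 no nameif
!
interface Vlan135
 nameif USERS
 ip address 192.168.135.1 255.255.255.0
!
interface Ethernet0/3
 description To User VLAN
 switchport access vlan 135
!
interface Ethernet0/5
!
interface Ethernet0/6
 shutdown
"""

def parse_interfaces(run_cfg):
    """Map each 'interface X' stanza to its stripped config lines."""
    ifaces, current = {}, None
    for raw in run_cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif current and line and line != "!":
            ifaces[current].append(line)
    return ifaces

def audit_switchports(run_cfg):
    """Flag active access ports whose VLAN interface has no nameif or is
    shut down (causes a and b above). A port with no 'switchport access
    vlan' line is assumed to sit in VLAN 1, the ASA5505 default."""
    ifaces = parse_interfaces(run_cfg)
    findings = []
    for name, lines in ifaces.items():
        if not name.startswith("Ethernet") or "shutdown" in lines:
            continue  # a shut-down port cannot receive traffic
        vlan = next((l.split()[-1] for l in lines
                     if l.startswith("switchport access vlan ")), "1")
        vcfg = ifaces.get("Vlan" + vlan, [])
        if not any(l.startswith("nameif ") for l in vcfg):
            findings.append((name, vlan, "VLAN interface has no nameif"))
        if "shutdown" in vcfg:
            findings.append((name, vlan, "VLAN interface is shut down"))
    return findings
```

Running audit_switchports(SAMPLE_RUN) reports only Ethernet0/5, the active port whose VLAN has no nameif; Ethernet0/6 is skipped because it is shut down.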

Hi,

I implemented sysopt noproxyarp and it appears to have fixed the issue.

Thanks for your help!

Martin
