ASA 5550 - Interface Problems

Unanswered Question
Mar 14th, 2008

Hi guys,


I have 2 ASA5550 firewalls in failover mode. The data sheet says that the maximum throughput is 1.2G, but when the outside firewall traffic comes up to 750Mb, I start to have a lot of problems, like packet drops. When the traffic reaches 800Mb, the firewall stops processing the outside failover packets and drops all packets on the outside interface.


Here is the show interface command output:


Interface GigabitEthernet0/0 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps
Full-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
MAC address 001a.e2ea.e674, MTU 1500
IP address xxx.xxx.xxx.xxx, subnet mask xxx.xxx.xxx.xxx
47486821698 packets input, 3893958800868 bytes, 19892367 no buffer
Received 16876 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 62954747 overrun, 0 ignored, 0 abort
0 L2 decode drops
81891090643 packets output, 108809258427982 bytes, 3695 underruns
0 output errors, 0 collisions
0 late collisions, 0 deferred
input queue (curr/max blocks): hardware (0/0) software (0/0)
output queue (curr/max blocks): hardware (1/511) software (0/0)
Traffic Statistics for "outside":
47485878509 packets input, 2841926097278 bytes
81891094335 packets output, 107330895810065 bytes
89951783 packets dropped
1 minute input rate 17131 pkts/sec, 1077743 bytes/sec
1 minute output rate 29928 pkts/sec, 38704909 bytes/sec
1 minute drop rate, 36 pkts/sec
5 minute input rate 17847 pkts/sec, 1059781 bytes/sec
5 minute output rate 31439 pkts/sec, 41073382 bytes/sec
5 minute drop rate, 36 pkts/sec


The overrun and no buffer counters are too high. Is it possible that the ASA5550 has a real maximum throughput of less than 800Mb?




allanc_16 Fri, 03/14/2008 - 15:24

Usually, overrun packets mean that the interface is handling more traffic than it can, so it is getting overwhelmed with traffic.

jojuarez Sat, 03/15/2008 - 19:33

Hi,


Overruns just mean that the interface is receiving more traffic than it can handle, so you should take a look at the device connected to that interface.


On the other hand, did you clear the counters before getting those outputs? Otherwise, those counters cover the whole time since the firewall came up.


In addition to the above, drops are not synonymous with issues. Drops can also be caused by policies you have in the configuration, such as ACLs, inspections, etc.
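
An added example, not part of the thread: a small Python script that parses the counter lines posted above, converts the 1-minute rates to Mbps, expresses overrun and no buffer as a share of input packets, and computes per-second counter growth between two snapshots, which is what clearing the counters before a measurement achieves. The function names are hypothetical and the sample is constructed from the posted output.

```python
import re

# Constructed sample: counter lines copied from the "outside" output in the thread.
SAMPLE = """\
47486821698 packets input, 3893958800868 bytes, 19892367 no buffer
0 input errors, 0 CRC, 0 frame, 62954747 overrun, 0 ignored, 0 abort
81891090643 packets output, 108809258427982 bytes, 3695 underruns
1 minute input rate 17131 pkts/sec, 1077743 bytes/sec
1 minute output rate 29928 pkts/sec, 38704909 bytes/sec
1 minute drop rate, 36 pkts/sec
"""

PATTERNS = {
    "pkts_in": r"(\d+) packets input, \d+ bytes, \d+ no buffer",
    "no_buffer": r"(\d+) no buffer",
    "overrun": r"(\d+) overrun",
    "underruns": r"(\d+) underruns",
    "in_Bps": r"1 minute input rate \d+ pkts/sec, (\d+) bytes/sec",
    "out_Bps": r"1 minute output rate \d+ pkts/sec, (\d+) bytes/sec",
}

def parse(text):
    out = {}
    for name, pat in PATTERNS.items():
        m = re.search(pat, text)
        if m is None:  # truncated paste or a different output format
            raise ValueError(f"counter not found: {name}")
        out[name] = int(m.group(1))
    return out

def summarize(c):
    """Rates in Mbps and lifetime error counters as a percentage of input packets."""
    return {
        "in_mbps": c["in_Bps"] * 8 / 1e6,
        "out_mbps": c["out_Bps"] * 8 / 1e6,
        "overrun_pct": 100 * c["overrun"] / c["pkts_in"],
        "no_buffer_pct": 100 * c["no_buffer"] / c["pkts_in"],
    }

def delta(before, after, seconds):
    """Per-second growth of the cumulative counters between two snapshots."""
    rates = {}
    for k in ("pkts_in", "no_buffer", "overrun", "underruns"):
        d = after[k] - before[k]
        if d < 0 or seconds <= 0:  # counters were cleared or the unit reloaded
            raise ValueError(f"snapshots not comparable: {k}")
        rates[k] = d / seconds
    return rates
```

Taking two snapshots a known interval apart during a busy period and passing them to `delta` shows whether overruns are still growing at that load, which the lifetime totals alone cannot show.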
