Nothing :(

SW#sh int gi 1/0/1

GigabitEthernet1/0/1 is up, line protocol is up (connected)

Hardware is Gigabit Ethernet, address is 001f.9e38.5201 (bia 001f.9e38.5201)

Description: FIREWALL

MTU 9198 bytes, BW 1000000 Kbit, DLY 10 usec,

reliability 255/255, txload 1/255, rxload 3/255

Encapsulation ARPA, loopback not set

Keepalive set (10 sec)

Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX

input flow-control is off, output flow-control is unsupported

ARP type: ARPA, ARP Timeout 04:00:00

Last input never, output 00:00:00, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue: 0/40 (size/max)

30 second input rate 16593000 bits/sec, 1516 packets/sec

30 second output rate 738000 bits/sec, 801 packets/sec

14472553827 packets input, 16025120050533 bytes, 0 no buffer

Received 1552528 broadcasts (0 multicasts)

0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

0 watchdog, 0 multicast, 0 pause input

0 input packets with dribble condition detected

10855667028 packets output, 5824823801669 bytes, 0 underruns

0 output errors, 0 collisions, 1 interface resets

0 babbles, 0 late collision, 0 deferred

0 lost carrier, 0 no carrier, 0 PAUSE output

0 output buffer failures, 0 output buffers swapped out

The switch is a C3750E and the fw is a ASA5520. MTU on each ASA subinterface is 8192. All servers have MTU 8192.

I would do sh int count errors rather than just sh int. If not already done, I would also replace the patch cable.

I already did this. This is the third factory made 50cm ethernet cable. Looking to my second ASA box is discover the same thing:

Interface GigabitEthernet0/0 "outside", is up, line protocol is up

Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec

Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)

Description: Internet

MAC address 001a.e2ea.f76c, MTU 1500

IP address 1.1.2.5, subnet mask 255.255.255.0

233335600 packets input, 131866082681 bytes, 1199 no buffer

Received 36690 broadcasts, 0 runts, 0 giants

171 input errors, 0 CRC, 0 frame, 171 overrun, 0 ignored, 0 abort

0 L2 decode drops

... and ...

Interface GigabitEthernet0/1 "", is up, line protocol is up

Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec

Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)

Available but not configured via nameif

MAC address 001a.e2ea.f76d, MTU not set

IP address unassigned

273084633 packets input, 261669211975 bytes, 0 no buffer

Received 6278 broadcasts, 0 runts, 0 giants

19 input errors, 0 CRC, 0 frame, 19 overrun, 0 ignored, 0 abort

0 L2 decode drops

It appears to be related to traffic speed. When traffic rise around 60Mbps this "errors" begin to appear. Both boxes are light loaded (cpu < 10%), no VPN on them, no inspections, no NAT, only blocked ports.

I am suspecting the MTU settings as a possible cause of the problem. Your switchport is set at a higher MTU than the ASA interface MTU.

Please read this from the output interpreter:

WARNING: There have been 171 'overruns' reported.

This shows the number of times that the receiver hardware was incapable of handling

received data to a hardware buffer because the input rate exceeded the receiver's

capability to handle the data. If the overruns are equal to input errors and

there are no CRC errors then at one point the ASA/PIX received packets faster

than it can handle. This is not a cause of concern and can be ignored.

TRY THIS: Verify that speed and duplex settings are hard-coded on the ASA/PIX

and on the other directly connected devices.