ASA Interface Input errors - overrun

simonecapp
Level 1

Hello,

Does anyone know why packet overruns are incrementing on the ASA even when I have only 40Mbps of throughput traffic?

All interfaces are 1000-FullDuplex, both on the ASA and on the Catalyst 3750.

I've tested the ASA5540 by generating HTTP GETs, about 40Mbit of traffic.

When I use one ingress interface and one egress interface, the interface input overrun counter is zero.

When I use the same traffic with 3 ingress interfaces (slot0) and 3 egress interfaces (slot1), the interface input overrun counter increases (60k overruns in only 2 minutes).

Does anyone have any ideas?

Thanks in advance

Simone

5 Replies

Panos Kampanakis
Cisco Employee

Even though the interface is 100Mbps, 40Mbps could spike overruns depending on the traffic burstiness. So even though you don't exceed the average there are bursts that the transmitter cannot transmit and loses.

I hope it makes sense.

PK

Hi, thanks for your reply.

Yes, it makes sense. Is there another reason I can investigate, or can I be sure that the counter increases only because there is too much traffic on the interface?

Thanks

Simone

Royal Frazier
Level 1

We saw this on a 100Mb connection to our DMZ.

So we used that same logic, must be too much traffic spiking.

We even lowered the handful of servers in the DMZ to 100Full -- no change.

So now we have a 5540 with gig connections. No difference, still getting thousands and thousands of overruns.

Now we even see overruns on outside and a few on inside.

I see this on multiple customers, multiple ASA & PIX configs.

I'm not sure if it is an obscure accounting issue - for instance the ASA reports an SNMP discarded packet for every DENY. So suddenly you'll have millions of discards on your ethernet port which have nothing to do with ethernet discards but are Layer 3 to Layer 7 discards. The ethernet packet was accepted as a valid packet. This is the first firewall to report denies as SNMP-reported interface discards.

If it is a performance issue it is something low level and TAC was not able to help us determine what was wrong. We got the same explanation about exceeding the port. The 100 Mb NIC was receiving traffic from the 100Mb switchport faster than allowed (by the hardware installed in the firewall). We aren't exceeding 100Mb--just exceeding the capability of the hardware Cisco chose for their NICs & firewall.

The theory is bursts.  The theory always seems to be it is bursts.

Hi,

There are other reasons for overruns on an interface as well.

For traffic to be taken off the wire and put back on to the wire, blocks of size 1550 are used. These blocks are used by other services as well, such as Web Filtering. Depletion of these blocks because of long queues for Web Filtering, or because of other processes which use 1550 blocks, can also cause overruns to happen.

The value of "low" for 1550 blocks in "show block" output, if 0, would indicate depletion of 1550 blocks at some time.

Secondly, even if the value is not 0 but low, fragmentation of memory could cause blocks of 1550 to be unavailable for allocation.

I shall try to list further reasons for overruns if I come across them.

Hope this helps.

-Shrikant

eyalhezi77
Level 1

Hi,

If the input errors are the same as the overruns then try this one:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115985-asa-overrun-product-tech-note-00.html

Eyal
