ASA Dropped packets at switch

Unanswered Question
Jan 7th, 2010

I have two ASA 5510s in a failover configuration.  The external interfaces are both plugged into an HP Procurve.  The failover unit's interface shows up, no errors.  On the switch, no errors, but all received packets are dropped.  The only traffic at this time from that interface is keepalives with the primary unit.

I have no idea why the switch is dropping the packets.  I have swapped cables, and switched ports on the Procurve.  Again, no CRC errors, no framing errors, no runts, etc...  just RX Drops.

Spanning tree is disabled, port security is not on...

Any ideas?

~rick

Kureli Sankar Thu, 01/07/2010 - 16:48

Could you pls. provide the following?

Pls. clear the interface, then collect the following after a few seconds.

sh int (from both the ASA and the switch side)

sh run int (from both the ASA and the switch). I don't know the equivalent of these commands for the HP Procurve.

-KS

Dileep Sivadas ... Fri, 01/08/2010 - 05:10

Hi,

1. Is it A/A or A/S?

2. What about the cable, is it straight or cross?

3. Which interfaces are terminated on the HP switch? Can you please post the topology?

4. What about the speed and duplex settings?

0rsnaric Fri, 01/08/2010 - 09:43

Hi Dileep,

Hi,

1. Is it A/A or A/S ? 

Sorry, not sure what you mean?

2. What about the cable , is it straight or cross?

Straight through cable

3. Which interfaces are terminated on HP switch, can you please post the topology ?

There are four interfaces ETH0/0, ETH0/1, ETH0/2, and MGMT, all plugged into an HP Procurve. ETH0/0, ETH0/2, and MGMT are all monitored for failover.  ETH0/1 is the LAN failover interface.  ETH0/0 shows a status of failed.  The other two monitored interfaces show normal.

4. What about speed and duplex setting?

They are all set to auto.  I have tried forcing the settings, setting both the switch and the ASA to 100full, 1000full, and 10full.  Same results.

~rick

0rsnaric Fri, 01/08/2010 - 09:34


SHOW INT ASA -

FIREWALL-A# sh int eth0/0
Interface Ethernet0/0 "external", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Full-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Description: External - Internet facing
        MAC address 001d.45d9.a6e6, MTU 1500
        IP address X.X.X.185, subnet mask 255.255.255.192
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        3 packets output, 378 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max packets): hardware (0/0) software (0/0)
        output queue (curr/max packets): hardware (0/1) software (0/0)
  Traffic Statistics for "external":
        0 packets input, 0 bytes
        3 packets output, 324 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec

SHOW RUN INT ASA -

FIREWALL-A# sh run int eth0/0
!
interface Ethernet0/0
 description External - Internet facing
 duplex full
 nameif external
 security-level 0
 ip address X.X.X.184 255.255.255.192 standby X.X.X.185

SHOW INT HP -

SWITCH-B# sh int 7
Status and Counters - Port Counters for port 7
  Name  : Internet B
  Link Status     : Up
  Bytes Rx        : 1386                Bytes Tx        : 161
  Unicast Rx      : 11                  Unicast Tx      : 0
  Bcast/Mcast Rx  : 0                   Bcast/Mcast Tx  : 1
  FCS Rx          : 0                   Drops Rx        : 11
  Alignment Rx    : 0                   Collisions Tx   : 0
  Runts Rx        : 0                   Late Colln Tx   : 0
  Giants Rx       : 0                   Excessive Colln : 0
  Total Rx Errors : 0                   Deferred Tx     : 0

SHOW INT BRIEF HP -

SWITCH-B# show int brief 7
Status and Counters - Port Status
                    | Intrusion                           MDI   Flow  Bcast
  Port    Type      | Alert     Enabled Status Mode       Mode  Ctrl  Limit
  ------- --------- + --------- ------- ------ ---------- ----- ----- ------
  7       100/1000T | No        Yes     Up     1000FDx    MDI   off   0

SHOW INT CONFIG -

Port Settings
Port    Type      | Enabled Mode         Flow Ctrl MDI
------- --------- + ------- ------------ --------- ----
1       100/1000T | No      Auto         Disable   Auto
2       100/1000T | Yes     Auto         Disable   Auto
3       100/1000T | Yes     Auto         Disable   Auto
4       100/1000T | Yes     Auto         Disable   Auto
5       100/1000T | No      Auto         Disable   Auto
6       100/1000T | No      Auto         Disable   Auto

Dileep Sivadas ... Fri, 01/08/2010 - 20:59

Hi Rick,

I mean, are you using

A/A - Active/Active failover

A/S - Active/Standby failover

As I understand it, the eth0 interfaces (of both ASAs) are connected to the external router through the HP switch. And the sh run int eth0 output shows that you hard-coded the duplex setting on the ASA side; this will cause the auto-negotiation process to fail.

You can either set Auto on both sides or hard-code the settings on both sides. And what about the cable that is going to the external router from your HP switch, is it cross or straight? If it is straight, can you change it to cross and check it out.

Also post show failover command output.

Dileep
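The check Dileep is describing (one side of the link forced, the other left on Auto) and the symptom Rick posted (Rx drops on the switch port with every error counter at zero) can both be pulled out of the CLI output mechanically. The following Python is an added example, not code from this thread or from Cisco or HP; the sample text it parses is constructed here, modelled on the outputs posted above, and the column layouts it assumes are those shown in the thread.

```python
import re

# Constructed samples, modelled on the ASA and HP Procurve output in this thread.
ASA_RUN_INT = """interface Ethernet0/0
 description External - Internet facing
 duplex full
 nameif external
 security-level 0
 ip address X.X.X.184 255.255.255.192 standby X.X.X.185
"""

HP_PORT_SETTINGS = """Port    Type      | Enabled Mode         Flow Ctrl MDI
------- --------- + ------- ------------ --------- ----
6       100/1000T | No      Auto         Disable   Auto
7       100/1000T | Yes     Auto         Disable   Auto
"""

HP_PORT_COUNTERS = """  Bytes Rx        : 1386                Bytes Tx        : 161
  Unicast Rx      : 11                  Unicast Tx      : 0
  FCS Rx          : 0                   Drops Rx        : 11
  Total Rx Errors : 0                   Deferred Tx     : 0
"""


def asa_negotiation(run_int):
    """'forced' if the ASA interface pins speed or duplex, else 'auto'.

    An ASA interface auto-negotiates unless a 'speed' or 'duplex' line is
    present; an explicit 'speed auto' / 'duplex auto' still counts as auto.
    """
    for line in run_int.splitlines():
        m = re.match(r"\s*(speed|duplex)\s+(\S+)", line)
        if m and m.group(2).lower() != "auto":
            return "forced"
    return "auto"


def hp_negotiation(port_settings, port):
    """'auto' or 'forced' for one port of the HP 'Port Settings' table.

    Columns are: Port, Type, |, Enabled, Mode, ...; None if the port is absent.
    """
    for line in port_settings.splitlines():
        m = re.match(r"\s*(\d+)\s+\S+\s*\|\s*(\S+)\s+(\S+)", line)
        if m and m.group(1) == str(port):
            return "auto" if m.group(3).lower() == "auto" else "forced"
    return None


def hp_counters(text):
    """Parse the two-column 'Name : value' port counter layout into ints."""
    return {name.strip(): int(value)
            for name, value in re.findall(r"([A-Za-z/ ]+?)\s*:\s*(\d+)", text)}


def diagnose(run_int, port_settings, port, counters_text):
    """Return a list of findings for one ASA interface / switch port pair."""
    findings = []
    asa, sw = asa_negotiation(run_int), hp_negotiation(port_settings, port)
    if sw is None:
        findings.append(f"switch port {port} not found in port settings")
    elif asa != sw:
        findings.append(f"negotiation mismatch: ASA={asa}, switch port {port}={sw}")
    c = hp_counters(counters_text)
    # Drops with zero Rx errors means the frames arrived intact and were then
    # discarded by the switch, which is a forwarding/negotiation problem, not a
    # cabling problem.
    if c.get("Drops Rx", 0) > 0 and c.get("Total Rx Errors", 0) == 0:
        findings.append(f"switch port {port}: {c['Drops Rx']} Rx drops "
                        f"with 0 Rx errors (valid frames discarded)")
    return findings


if __name__ == "__main__":
    for f in diagnose(ASA_RUN_INT, HP_PORT_SETTINGS, 7, HP_PORT_COUNTERS):
        print(f)
```

Run against the sample data it reports both of the thread's findings: the ASA side is forced (duplex full, no speed line) while port 7 is on Auto, and port 7 has 11 Rx drops with 0 Rx errors.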

0rsnaric Thu, 01/14/2010 - 10:47

The firewalls are in A/A.


PRDDMZFW-A# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: heartbeat Ethernet0/1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 02:19:51 PST Jan 6 2010
    This host: Secondary - Failed
        Active time: 0 (sec)
        slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
          Interface external (69.90.97.185): Failed (Waiting)
          Interface DMZ (172.17.184.3): Normal
          Interface management (172.17.190.21): Normal
        slot 1: empty
    Other host: Primary - Active
        Active time: 718573 (sec)
        slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
          Interface external (69.90.97.184): Normal (Waiting)
          Interface DMZ (172.17.184.1): Normal
          Interface management (172.17.190.20): Normal
        slot 1: empty

Stateful Failover Logical Update Statistics
<--- More --->
              
     Link : heartbeat Ethernet0/1 (up)
    Stateful Obj     xmit       xerr       rcv        rerr     
    General        95652      0          32393180   17       
    sys cmd      95652      0          95652      0        
    up time      0          0          0          0        
    RPC services      0          0          0          0        
    TCP conn     0          0          31023337   0        
    UDP conn     0          0          506848     0        
    ARP tbl      0          0          767343     17       
    Xlate_Timeout      0          0          0          0        
    VPN IKE upd     0          0          0          0        
    VPN IPSEC upd     0          0          0          0        
    VPN CTCP upd     0          0          0          0        
    VPN SDI upd     0          0          0          0        
    VPN DHCP upd     0          0          0          0        
    SIP Session     0          0          0          0        

    Logical Update Queue Information
              Cur     Max     Total
    Recv Q:     0     7     33110626
    Xmit Q:     0     1     95652

PRDDMZFW-A# exit
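To see at a glance why the secondary unit reports itself Failed, the show failover output can be parsed per host and compared against the Interface Policy line (the number of failed monitored interfaces that marks the unit as failed). This Python is an added example, not code from the thread or from Cisco; the sample text is a constructed, trimmed copy of the output above with the public addresses replaced by the 192.0.2.0/24 documentation range.

```python
import re

# Constructed sample, trimmed from the show failover output in this thread.
SHOW_FAILOVER = """Failover On
Failover unit Secondary
Failover LAN Interface: heartbeat Ethernet0/1 (up)
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
    This host: Secondary - Failed
        Active time: 0 (sec)
        slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
          Interface external (192.0.2.185): Failed (Waiting)
          Interface DMZ (172.17.184.3): Normal
          Interface management (172.17.190.21): Normal
    Other host: Primary - Active
        Active time: 718573 (sec)
          Interface external (192.0.2.184): Normal (Waiting)
          Interface DMZ (172.17.184.1): Normal
          Interface management (172.17.190.20): Normal
"""

HOST_RE = re.compile(r"^\s*(This host|Other host):\s*(\w+)\s*-\s*(\w+)")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]+)\):\s*(\w+)(?:\s*\((\w+)\))?")


def parse_failover(text):
    """Map 'This host' / 'Other host' to role, unit state and monitored interfaces."""
    units, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"role": m.group(2), "state": m.group(3), "interfaces": {}}
            units[m.group(1)] = current
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            # group(4) is the parenthesised detail, e.g. 'Waiting'; kept as-is.
            current["interfaces"][m.group(1)] = {
                "ip": m.group(2), "state": m.group(3), "detail": m.group(4)}
    return units


def unhealthy_interfaces(units):
    """(host, role, interface, state) for every monitored interface not Normal."""
    return [(host, info["role"], name, iface["state"])
            for host, info in units.items()
            for name, iface in info["interfaces"].items()
            if iface["state"] != "Normal"]


def policy_check(text, units):
    """Per host: (failed interface count, policy threshold, threshold reached)."""
    m = re.search(r"Interface Policy (\d+)", text)
    threshold = int(m.group(1)) if m else None
    result = {}
    for host, info in units.items():
        failed = sum(1 for i in info["interfaces"].values() if i["state"] == "Failed")
        result[host] = (failed, threshold, threshold is not None and failed >= threshold)
    return result


if __name__ == "__main__":
    units = parse_failover(SHOW_FAILOVER)
    for entry in unhealthy_interfaces(units):
        print("unhealthy:", entry)
    for host, (failed, threshold, tripped) in policy_check(SHOW_FAILOVER, units).items():
        print(f"{host}: {failed} failed of policy {threshold} -> tripped={tripped}")
```

On the sample it lists a single unhealthy interface, external on the secondary, and shows that with Interface Policy 1 that one failure is enough to put the whole unit into the Failed state the output reports.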

Kureli Sankar Thu, 01/14/2010 - 11:05

Active/Standby configuration:

I see that the secondary unit is reporting that the external interface failed.

   Interface external (69.90.97.185): Failed (Waiting)

Is this interface showing up on the firewall?

sh int external?

What does the HP switch end show? Does it show up as well?

On the ASA, if you do "cap capexternal interface external", then issue "ping 69.90.97.184", and then issue "sh cap capexternal", do you see any packets leaving the interface or coming back?

Try moving this interface to another port on the switch.

-KS
