Interface error for ASA

Unanswered Question
May 2nd, 2010

Hi,


Could anyone say how to avoid the following interface errors?


727 L2 decode drops


949 overrun






------------------ show interface ------------------

Interface Ethernet0/0 "XXX", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
MAC address ------------------------, MTU 1500
IP address ----------------, subnet mask -----------------------
199271110 packets input, 173249048166 bytes, 0 no buffer
Received 364372 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
72 L2 decode drops
227606275 packets output, 40972840816 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (0/33)
output queue (curr/max packets): hardware (0/62)
  Traffic Statistics for "XXXX":
199270983 packets input, 169457978669 bytes
227606275 packets output, 36279281149 bytes
1106057 packets dropped
      1 minute input rate 4 pkts/sec,  231 bytes/sec
      1 minute output rate 79 pkts/sec,  13406 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 1 pkts/sec,  75 bytes/sec
      5 minute output rate 72 pkts/sec,  12160 bytes/sec
      5 minute drop rate, 0 pkts/sec
  Control Point Interface States:
Interface number is 1
Interface config status is active
Interface state is active
Interface Ethernet0/1 "YYY", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
MAC address 0023.ebf6.0a3b, MTU 1500
IP address -----------------, subnet mask -------------------------
391819711 packets input, 174950996874 bytes, 1017 no buffer
Received 6987425 broadcasts, 0 runts, 0 giants
949 input errors, 0 CRC, 0 frame, 949 overrun, 0 ignored, 0 abort
727 L2 decode drops
382284361 packets output, 235447444332 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (2/33)
output queue (curr/max packets): hardware (0/141)
  Traffic Statistics for "YYY":
390446633 packets input, 165192813611 bytes
382284361 packets output, 228022683822 bytes
17739785 packets dropped
      1 minute input rate 81 pkts/sec,  8145 bytes/sec
      1 minute output rate 85 pkts/sec,  30643 bytes/sec
      1 minute drop rate, 10 pkts/sec
      5 minute input rate 119 pkts/sec,  13361 bytes/sec
      5 minute output rate 148 pkts/sec,  66682 bytes/sec
      5 minute drop rate, 8 pkts/sec
  Control Point Interface States:
Interface number is 2
Interface config status is active
Interface state is active

Jennifer Halim Sun, 05/02/2010 - 21:28

Based on the Cisco Output Interpreter tool, here is what it says:


SHOW INTERFACES (ASA/PIX) NOTIFICATIONS (if any)

Interface XXX - Ethernet0/0 (up/up)
 
WARNING: There are 72 L2 decode drops under the interface .
  L2 decode drops counter increases when the name is not configured (nameif command)
  or a frame with an invalid VLAN id is received. If this counter increments quickly
  it indicates that the connected switch is sending incorrect packets to ASA.
  TRY THIS: Check the switch configuration and network traffic. Also note that currently
  Dynamic Trunking Protocol (DTP) is not supported in ASA.


Interface YYY - Ethernet0/1 (up/up)
 
WARNING: There have been 949 'overruns' reported.
  This shows the number of times that the receiver hardware was incapable of handling
  received data to a hardware buffer because the input rate exceeded the receiver's
  capability to handle the data. If the overruns are equal to input errors and
  there are no CRC errors then at one point the ASA/PIX received packets faster
  than it can handle. This is not a cause of concern and can be ignored.
  TRY THIS: Verify that speed and duplex settings are hard-coded on the ASA/PIX
  and on the other directly connected devices. Use show blocks ASA/PIX command.
  A zero in the LOW column indicates a previous event where memory exhausted. A
  zero in the CNT column means memory is exhausted now. If the memory is continuously
  exhausted and traffic is not moving, then consider upgrading the interface to
  Gigabit or the ASA/PIX to a higher model. If this is DMZ interface, you can use
  other unused interfaces by splitting your current DMZ into 2 networks. If very
  large object-groups or large access-lists are used on ASA/PIX then use object-group-search
  keyword in the access-list ASA/PIX command to specify that access-list search
  is performed on object groups that are contained in access-list instead of searching
  the entire expanded access-list.
 
  WARNING: There are 727 L2 decode drops under the interface .
  L2 decode drops counter increases when the name is not configured (nameif command)
  or a frame with an invalid VLAN id is received. If this counter increments quickly
  it indicates that the connected switch is sending incorrect packets to ASA.
  TRY THIS: Check the switch configuration and network traffic. Also note that currently
  Dynamic Trunking Protocol (DTP) is not supported in ASA.

Richard.Jeff Mon, 05/03/2010 - 01:32

I do get the value zero in LOW



------------------ show blocks ------------------

  SIZE    MAX    LOW    CNT
     4    300    294    299
    80    100     75    100
   256   2612   2553   2612
  1550   9246   7571   7714
  2048    100     99    100
  2560      1      0      1
  4096      1      0      1
  8192      1      0      1
16384      2      0      2



Should I go for an upgrade of the ASA model, or what is the remedy?



Thanks

Richard
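
The checks quoted from the Output Interpreter above (overruns equal to input errors with no CRC errors, L2 decode drops, and a zero in the LOW or CNT column of `show blocks`) can be applied to saved CLI output. This is an added example, not part of any post in this thread and not Cisco's tool; the function names and finding strings are assumptions, and the sample text is constructed from the output quoted here.

```python
import re

# Constructed sample input, trimmed from the output quoted in this thread.
SHOW_INTERFACE = """Interface Ethernet0/1 "YYY", is up, line protocol is up
949 input errors, 0 CRC, 0 frame, 949 overrun, 0 ignored, 0 abort
727 L2 decode drops
"""
SHOW_BLOCKS = """  SIZE    MAX    LOW    CNT
  1550   9246   7571   7714
  2560      1      0      1
"""
COUNTERS = re.compile(r"(\d+) (input errors|CRC|overrun|L2 decode drops)")

def parse_interfaces(text):
    """Map interface name -> the counters the Output Interpreter text comments on."""
    result, current = {}, None
    for line in text.splitlines():
        m = re.match(r'\s*Interface (\S+) "', line)  # header line carries the quoted nameif
        if m:
            current = result.setdefault(m.group(1), {})
        elif current is not None:
            current.update((k, int(v)) for v, k in COUNTERS.findall(line))
    return result

def parse_blocks(text):
    """Return (size, max, low, cnt) tuples from 'show blocks' rows, skipping the header."""
    rows = (line.split() for line in text.splitlines())
    return [tuple(map(int, r)) for r in rows if len(r) == 4 and all(f.isdigit() for f in r)]

def triage(if_text, blocks_text):
    """Apply the quoted rules; returns a list of human-readable findings."""
    findings = []
    for name, c in parse_interfaces(if_text).items():
        overrun, errors, crc = c.get("overrun", 0), c.get("input errors", 0), c.get("CRC", 0)
        if overrun and overrun == errors and crc == 0:
            findings.append(f"{name}: {overrun} overruns equal input errors, no CRC")
        elif overrun:
            findings.append(f"{name}: {overrun} overruns alongside other input errors")
        if c.get("L2 decode drops"):
            findings.append(f"{name}: {c['L2 decode drops']} L2 decode drops")
    for size, _max, low, cnt in parse_blocks(blocks_text):
        if cnt == 0:
            findings.append(f"blocks {size}: exhausted now (CNT=0)")
        elif low == 0:
            findings.append(f"blocks {size}: exhausted earlier (LOW=0)")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(SHOW_INTERFACE, SHOW_BLOCKS)))
```

Running it on two captures taken some minutes apart shows whether the counters are still incrementing or only record a past event.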

Jennifer Halim Mon, 05/03/2010 - 04:33

You might want to upgrade the ASA to the latest version 7.2.x --> 7.2.4(33)

Or, alternatively, upgrade to version 8.0.5.
