I've got an issue with my ASA 5550. I am unable to get the inside and outside connections to negotiate at full duplex. Both interfaces always autonegotiate at half. Whenever I try to manually set the configs to full 100 or 1000, the interfaces drop and show down.
The ASA connects to Cisco 3825s on both sides. Suggestions?
By default, the Cisco ASA automatically negotiates the inside interface speed. If autonegotiate is not an option for the Switch interface, set the speed to either 10 or 100 Mbps half duplex. Do not set the interface to full duplex; this causes a duplex mismatch that significantly impacts the total throughput capabilities of the interface.
The key to this is understanding two things. There is a protocol for autonegotiation that is something like IEEE 802.3u.
There is a default in which most devices will go to half-duplex if there is no autonegotiation.
What makes this fit together is when you hard code one end to either full or half duplex, the protocol is disabled.
Therefore, the other end will not see the protocol and default to half-duplex. This is a problem only when the hard coded end is set to full duplex.
A couple of notes on this. There are cases that CDP will lie to you.
For example, if it is passed through an L2 device blindly that has a valid half-duplex connection to one device and a full-duplex connection to another. More modern switches also seem to overcome this sometimes/somehow. The other point that most people don't usually get about full duplex is that it is simpler from a hardware standpoint. Basically, when you switch to full duplex, you are simply disabling collision detection, as it is unnecessary. There cannot be collisions on a full-duplex connection because one transmit pair is directly connected to one receive pair.
The case may be CDP being passed through an L2 device that doesn't know about CDP.
For example, if you use an ASA as a switch (it is a switch, and the firewall is between VLANs), it doesn't speak CDP. You can connect one router to port A with a valid half-duplex connection and another router to port B with a valid full-duplex connection. It must see CDP frames as normal traffic and pass them through. The routers look like they are directly connected with a "show cdp neighbors". Since one has a half-duplex connection and the other has a full-duplex connection, you see the mismatch error.
The security appliance is preconfigured to autodetect the speed and duplex settings on an interface. However, several situations exist that can cause the autonegotiation process to fail, which results in either speed or duplex mismatches (and performance issues). For mission-critical network infrastructure, Cisco manually hardcodes the speed and duplex on each interface so there is no chance for error. These devices generally do not move around, so if you configure them properly, you should not need to change them.
On any network device, link speed can be sensed, but duplex must be negotiated.
If two network devices are configured to autonegotiate speed and duplex, they exchange frames (called Fast Link Pulses, or FLPs) that advertise their speed and duplex capabilities.
To a link partner that is not aware, these pulses are similar to regular 10 Mbps frames. To a link partner that can decode the pulses, the FLPs contain all the speed and duplex settings that the link partner can provide. The station that receives the FLPs acknowledges the frames, and the devices mutually agree on the highest speed and duplex settings that each can achieve. If one device does not support autonegotiation, the other device receives no FLPs and transitions to parallel detection mode. In order to sense the speed of the partner, the device listens to the length of pulses, and then sets the speed accordingly. The problem arises with the duplex setting. Since duplex must be negotiated, the device that is set to autonegotiate cannot determine the settings on the other device, so it defaults to half-duplex, as stated in the IEEE 802.3u standard.
For example, if you configure the ASA interface for autonegotiation and connect it to a switch that is hardcoded for 100 Mbps and full-duplex, the ASA sends out FLPs. However, the switch does not respond because it is hardcoded for speed and duplex and does not participate in autonegotiation. Because it receives no response from the switch, the ASA transitions into parallel detection mode and senses the length of the pulses in the frames that the switch sends out. That is, the ASA senses that the switch is set to 100 Mbps, so it sets the interface speed accordingly. However, because the switch does not exchange FLPs, the ASA cannot detect whether the switch can run full-duplex, so the ASA sets the interface duplex to half-duplex, as stated in the IEEE 802.3u standard.
Since the switch is hardcoded to 100 Mbps and full-duplex, and the ASA has just autonegotiated to 100 Mbps and half-duplex (as it should), the result is a duplex mismatch that can cause severe performance problems.
A speed or duplex mismatch is most frequently revealed when error counters on the interfaces in question increase.
The most common errors are frame, cyclic redundancy checks (CRCs), and runts.
If these values increment on your interface, either a speed/duplex mismatch or a cabling issue exists.
You must resolve this issue before you continue.
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 00d0.b78f.d579
IP address 192.168.1.1, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit half duplex
7594 packets input, 2683406 bytes, 0 no buffer
Received 83 broadcasts, 153 runts, 0 giants
378 input errors, 106 CRC, 272 frame, 0 overrun, 0 ignored, 0 abort
2997 packets output, 817123 bytes, 0 underruns
0 output errors, 251 collisions, 0 interface resets
0 babbles, 150 late collisions, 110 deferred
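As an added example (not code from this thread or from Cisco), the following Python script models the autonegotiation outcomes described in the answers above (auto/auto, auto against a hardcoded partner with parallel detection falling back to half duplex, hardcoded/hardcoded) and then runs a symptom check over the "show interface" output posted above. The negotiation model is a simplification that assumes both sides support full duplex at any speed they advertise and that parallel detection only senses 10 and 100 Mbps; the PortConfig, negotiate, parse_counters and mismatch_indicators names are my own, and the interface output is the sample from the post, embedded verbatim so the script runs offline.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PortConfig:
    """One end of the link: autonegotiating, or hardcoded to speed/duplex.
    Hypothetical model, not a Cisco data structure."""
    auto: bool = True
    speed: int = 100            # used only when auto is False
    duplex: str = "full"        # used only when auto is False
    capabilities: tuple = (10, 100)  # speeds advertised in FLPs when auto


@dataclass(frozen=True)
class LinkResult:
    a: tuple  # (speed, duplex) that side A ends up running
    b: tuple  # (speed, duplex) that side B ends up running

    @property
    def duplex_mismatch(self) -> bool:
        return self.a[1] != self.b[1]

    @property
    def speed_mismatch(self) -> bool:
        return self.a[0] != self.b[0]


def negotiate(a: PortConfig, b: PortConfig) -> LinkResult:
    """Resolve the link per the IEEE 802.3u behaviour described in the thread.
    Assumption: an auto/auto pair can always reach full duplex at the
    highest speed both advertise."""
    if a.auto and b.auto:
        # FLPs exchanged both ways: pick the highest common speed, full duplex.
        speed = max(set(a.capabilities) & set(b.capabilities))
        return LinkResult((speed, "full"), (speed, "full"))
    if a.auto != b.auto:
        forced = b if a.auto else a
        if forced.speed not in (10, 100):
            raise ValueError("parallel detection only senses 10/100 Mbps")
        # Parallel detection: the auto side senses speed from pulse timing
        # but cannot learn duplex, so it falls back to half duplex.
        sensed = (forced.speed, "half")
        fixed = (forced.speed, forced.duplex)
        return LinkResult(fixed, sensed) if forced is a else LinkResult(sensed, fixed)
    # Both hardcoded: each side simply runs what it was told to.
    return LinkResult((a.speed, a.duplex), (b.speed, b.duplex))


# The "show interface" sample from the post above, used as constructed input.
SHOW_INTERFACE = """interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 00d0.b78f.d579
IP address 192.168.1.1, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit half duplex
7594 packets input, 2683406 bytes, 0 no buffer
Received 83 broadcasts, 153 runts, 0 giants
378 input errors, 106 CRC, 272 frame, 0 overrun, 0 ignored, 0 abort
2997 packets output, 817123 bytes, 0 underruns
0 output errors, 251 collisions, 0 interface resets
0 babbles, 150 late collisions, 110 deferred
"""

_PATTERNS = {
    "duplex": r"Kbit (half|full) duplex",
    "runts": r"(\d+) runts",
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "frame": r"(\d+) frame",
    "collisions": r"(\d+) collisions",        # "150 late collisions" does not match
    "late_collisions": r"(\d+) late collisions",
    "deferred": r"(\d+) deferred",
}


def parse_counters(show_output: str) -> dict:
    """Pull the duplex setting and the error counters out of show interface text."""
    counters = {}
    for key, pattern in _PATTERNS.items():
        match = re.search(pattern, show_output)
        if match is None:
            raise ValueError(f"field {key!r} not found in output")
        counters[key] = match.group(1) if key == "duplex" else int(match.group(1))
    return counters


def mismatch_indicators(c: dict) -> list:
    """Return the symptoms of a duplex mismatch (or cabling fault) found in the counters."""
    findings = []
    if c["duplex"] == "half" and c["late_collisions"] > 0:
        findings.append("late collisions on a half-duplex interface: partner is likely full duplex")
    if c["duplex"] == "full" and (c["collisions"] > 0 or c["late_collisions"] > 0):
        findings.append("collisions on a full-duplex interface: partner is likely half duplex")
    if c["crc"] > 0 or c["frame"] > 0 or c["runts"] > 0:
        findings.append("CRC/frame/runt errors: duplex mismatch or cabling problem")
    return findings


if __name__ == "__main__":
    asa = PortConfig()                                   # autonegotiate
    switch = PortConfig(auto=False, speed=100, duplex="full")  # hardcoded 100/full
    result = negotiate(asa, switch)
    print("ASA runs", result.a, "/ switch runs", result.b,
          "/ duplex mismatch:", result.duplex_mismatch)
    for finding in mismatch_indicators(parse_counters(SHOW_INTERFACE)):
        print("-", finding)
```

Run it as-is and the first line reports the thread's scenario (the auto ASA lands on 100/half against a 100/full switch); the check over the posted counters flags both the late collisions on the half-duplex side and the CRC/frame/runt errors, which is the evidence the last answer says to look for before changing anything else.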