Cisco ASA Half-Duplex problem

urbinat_r
Level 1

Hello,

I've got an issue with my ASA 5550.  I am unable to get the inside and outside connections to negotiate at full duplex.  Both interfaces always autonegotiate at half.  Whenever I try and manually set the configs to full 100 or 1000, the interfaces drop and show down.

The ASA connects to Cisco 3825s on both sides.  Suggestions?

1 Accepted Solution

Accepted Solutions

sachinga.hcl
Level 4

Hi Tim,

By default, the Cisco ASA automatically negotiates the inside interface speed. If autonegotiate is not an option for the Switch interface, set the speed to either 10 or 100 Mbps half duplex. Do not set the interface to full duplex; this causes a duplex mismatch that significantly impacts the total throughput capabilities of the interface.

The key to this is understanding two things. There is a protocol for autonegotiation that is something like IEEE 802.3u.

There is a default in which most devices will go to half-duplex if there is no autonegotiation.

What makes this fit together is when you hard code one end to either full or half duplex, the protocol is disabled.

Therefore, the other end will not see the protocol and default to half-duplex. This is a problem only when the hard coded end is set to full duplex.

A couple of notes on this. There are cases that CDP will lie to you.

For example, if it is passed through an L2 device blindly that has a valid half-duplex connection to one device and a full-duplex connection to another. More modern switches also seem to overcome this sometimes/somehow. The other point that most people don't usually get about full duplex is that it is simpler from a hardware standpoint. Basically when you switch to full duplex, you are simply disabling collision detection as it is unnecessary. There cannot be collisions on a FD connection because one transmit pair is directly connected to one receive pair.

The case may be CDP being passed through an L2 device that doesn't know about CDP.

For example, if you use an ASA as a switch (it is a switch and the firewall is between VLANs) it doesn't speak CDP. You can connect one router to port A with a valid half-duplex connection and another router to port B with a valid full-duplex connection. It must see CDP frames as normal traffic and pass them through. The routers look like they are directly connected with a "show cdp neighbors". Since one has a half-duplex connection and the other has a full-duplex connection, you see the mismatch error.

The security appliance is preconfigured to autodetect the speed and duplex settings on an interface. However, several situations exist that can cause the autonegotiation process to fail, which results in either speed or duplex mismatches (and performance issues). For mission-critical network infrastructure, Cisco manually hardcodes the speed and duplex on each interface so there is no chance for error. These devices generally do not move around, so if you configure them properly, you should not need to change them.

On any network device, link speed can be sensed, but duplex must be negotiated.

If two network devices are configured to autonegotiate speed and duplex, they exchange frames (called Fast Link Pulses, or FLPs) that advertise their speed and duplex capabilities.

To a link partner that is not aware, these pulses are similar to regular 10 Mbps frames. To a link partner that can decode the pulses, the FLPs contain all the speed and duplex settings that the link partner can provide. The station that receives the FLPs acknowledges the frames, and the devices mutually agree on the highest speed and duplex settings that each can achieve. If one device does not support autonegotiation, the other device receives the FLPs and transitions to parallel detection mode. In order to sense the speed of the partner, the device listens to the length of pulses, and then sets the speed accordingly. The problem arises with the duplex setting. Since duplex must be negotiated, the device that is set to autonegotiate cannot determine the settings on the other device, so it defaults to half-duplex, as stated in the IEEE 802.3u standard.

For example, if you configure the ASA interface for autonegotiation and connect it to a switch that is hardcoded for 100 Mbps and full-duplex, the ASA sends out FLPs. However, the switch does not respond because it is hardcoded for speed and duplex and does not participate in autonegotiation. Because it receives no response from the switch, the ASA transitions into parallel detection mode and senses the length of the pulses in the frames that the switch sends out. That is, the ASA senses that the switch is set to 100 Mbps, so it sets the interface speed accordingly. However, because the switch does not exchange FLPs, the ASA cannot detect if the switch can run full-duplex, so the ASA sets the interface duplex to half-duplex, as stated in the IEEE 802.3u standard.

Since the switch is hardcoded to 100 Mbps and full-duplex, and the ASA has just autonegotiated to 100 Mbps and half-duplex (as it should), the result is a duplex mismatch that can cause severe performance problems.

A speed or duplex mismatch is most frequently revealed when error counters on the interfaces in question increase.

The most common errors are frame, cyclic redundancy checks (CRCs), and runts.

If these values increment on your interface, either a speed/duplex mismatch or a cabling issue occurs.

You must resolve this issue before you continue.

Example
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 00d0.b78f.d579
  IP address 192.168.1.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit half duplex
        7594 packets input, 2683406 bytes, 0 no buffer
        Received 83 broadcasts, 153 runts, 0 giants
        378 input errors, 106 CRC, 272 frame, 0 overrun, 0 ignored, 0 abort
        2997 packets output, 817123 bytes, 0 underruns
        0 output errors, 251 collisions, 0 interface resets
        0 babbles, 150 late collisions, 110 deferred

HTH

Sachin Garg

Message was edited by: sachinga.hcl

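As an added example (not code from the thread, from Cisco, or from any poster), the following Python models the negotiation rules sachinga.hcl describes (both ends auto: best common mode; one end hard-coded: the auto end senses speed by parallel detection but falls back to half duplex) and then reads the counters the answer names as mismatch symptoms (runts, CRC, frame errors, collisions, late collisions) out of "show interface" text. The function names, the Port model and the rule that late collisions on a half-duplex port point at a full-duplex far end are my own assumptions; the two sample outputs are trimmed copies of the ASA ethernet0 example above and the inside 3825 Gi0/1 output posted later in the thread.

```python
"""Duplex-mismatch model and 'show interface' counter check (added example)."""
import re
from dataclasses import dataclass, field

# A mode is (speed_mbps, full_duplex); True sorts above False, so max() prefers full.
Mode = tuple[int, bool]


@dataclass(frozen=True)
class Port:
    auto: bool                                           # True: sends FLPs; False: hard-coded
    modes: frozenset = field(default_factory=frozenset)  # advertised modes, or the one forced mode


def forced(speed: int, full: bool) -> Port:
    return Port(auto=False, modes=frozenset({(speed, full)}))


def auto(*modes: Mode) -> Port:
    return Port(auto=True, modes=frozenset(modes))


def negotiate(a: Port, b: Port) -> tuple[Mode, Mode]:
    """Return the (speed, full_duplex) each end settles on.

    Both auto: highest mode both advertise.  One side forced: it sends no FLPs,
    so the auto side parallel-detects the speed from pulse timing but, unable to
    negotiate duplex, defaults to half (IEEE 802.3u) while the forced side runs
    what it was told.  Both forced: each simply runs its own setting.
    """
    if a.auto and b.auto:
        common = a.modes & b.modes
        if not common:
            raise ValueError("no common advertised mode")
        best = max(common)
        return best, best
    if a.auto:
        speed, full = next(iter(b.modes))
        return (speed, False), (speed, full)
    if b.auto:
        speed, full = next(iter(a.modes))
        return (speed, full), (speed, False)
    return next(iter(a.modes)), next(iter(b.modes))


def duplex_mismatch(a: Port, b: Port) -> bool:
    ra, rb = negotiate(a, b)
    return ra[1] != rb[1]


# Counters the accepted answer lists as mismatch symptoms, matched against both
# ASA ("150 late collisions") and IOS ("1282 late collision") wording.
COUNTER_PATTERNS = {
    "runts": r"(\d+) runts",
    "crc": r"(\d+) CRC",
    "frame": r"(\d+) frame",
    "collisions": r"(\d+) collisions",
    "late_collisions": r"(\d+) late collisions?",
}


def parse_interface(output: str) -> dict:
    """Pull duplex and error counters out of 'show interface' text."""
    info = {"duplex": None}
    m = re.search(r"(half|full)[ -]duplex", output, re.IGNORECASE)
    if m:
        info["duplex"] = m.group(1).lower()
    for name, pattern in COUNTER_PATTERNS.items():
        m = re.search(pattern, output)
        info[name] = int(m.group(1)) if m else 0
    return info


def mismatch_findings(info: dict) -> list[str]:
    """Apply the thread's symptom rules; returns an empty list for a clean port."""
    findings = []
    if info["duplex"] == "half" and info["late_collisions"] > 0:
        findings.append("late collisions on a half-duplex port: far end is likely full duplex")
    if info["crc"] or info["frame"] or info["runts"]:
        findings.append("CRC/frame/runt errors: speed/duplex mismatch or cabling fault")
    return findings


# Constructed from the outputs quoted in the thread, trimmed to the relevant lines.
ASA_SAMPLE = """\
interface ethernet0 "outside" is up, line protocol is up
  MTU 1500 bytes, BW 100000 Kbit half duplex
        Received 83 broadcasts, 153 runts, 0 giants
        378 input errors, 106 CRC, 272 frame, 0 overrun, 0 ignored, 0 abort
        0 output errors, 251 collisions, 0 interface resets
        0 babbles, 150 late collisions, 110 deferred
"""

ROUTER_SAMPLE = """\
GigabitEthernet0/1 is up, line protocol is up
  Half-duplex, 100Mb/s, media type is RJ45
     Received 0 broadcasts, 4 runts, 0 giants, 0 throttles
     15 input errors, 7 CRC, 0 frame, 0 overrun, 0 ignored
     21 output errors, 3261 collisions, 8 interface resets
     0 babbles, 1282 late collision, 0 deferred
"""

if __name__ == "__main__":
    for label, sample in (("ASA ethernet0", ASA_SAMPLE), ("3825 Gi0/1", ROUTER_SAMPLE)):
        info = parse_interface(sample)
        print(label, info, mismatch_findings(info))
    # The scenario from the answer: auto ASA against a port forced to 100/full.
    print(negotiate(auto((100, True), (100, False)), forced(100, True)))
```

Running it on the two samples flags both ports; the router side's 1282 late collisions on a half-duplex link are the tell that something on the path (here, the in-line IPS sensor the OP later found) was running full duplex against it.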

14 Replies

Panos Kampanakis
Cisco Employee

Please have a look at the settings the switch interfaces have. Are they auto?

Also are you using crossover or straight-through cables?

PK

Both router interfaces are set for auto along with ASA.

Both cables are straight through.  Do I need crossover cables?

Hi Tim,

What speed do the devices autonegotiate when the duplex is half?

* Seems like a NIC issue.

Please try to manually set speed 100 Mbps and duplex half and let me know if the link comes up.

Thanks

Manish

We should be able to auto-sense.

Please try a crossover though, just as a test.

PK

Tried crossover cables with autonegotiate and the results were the same.  Link comes up, but always at 100 half duplex.

Whenever I try and manually set for 100 full or 1000 full, the link drops and won't come up.

I did discover there is a passive McAfee Intrushield 2700 on both sides of the ASA (inside and outside) wired in between the Cisco 3825's.  Would these make a difference somehow, even though it's supposed to be a pass-through device?

Links come up and work just fine half duplex, but not full.

Can you please post the "sh interface x 0/0" of the 3825 router and also the IOS that you are running on the 3825.

Thanks

Manish

Inside router:

GigabitEthernet0/1 is up, line protocol is up
  Hardware is BCM1125 Internal MAC, address is 0017.5a37.6b11 (bia 0017.5a37.6b11)
  Description: conn-to-ASA
  Internet address is x.x.x.x/24
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 100Mb/s, media type is RJ45
  output flow-control is XON, input flow-control is XON
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 01:07:30, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 9481
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 9000 bits/sec, 1 packets/sec
  5 minute output rate 1000 bits/sec, 1 packets/sec
     125397140 packets input, 1860939135 bytes, 0 no buffer
     Received 0 broadcasts, 4 runts, 0 giants, 0 throttles
     15 input errors, 7 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 76 multicast, 0 pause input
     4 input packets with dribble condition detected
     72474900 packets output, 3172491195 bytes, 0 underruns
     21 output errors, 3261 collisions, 8 interface resets
     0 babbles, 1282 late collision, 0 deferred
     21 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

Outside Router:

GigabitEthernet0/0 is up, line protocol is up
  Hardware is BCM1125 Internal MAC, address is 0016.c81c.33c0 (bia 0016.c81c.33c0)
  Description: connection to ASA
  Internet address is x.x.x.x/28
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 100Mb/s, media type is RJ45
  output flow-control is XON, input flow-control is XON
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 7
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 1000 bits/sec, 3 packets/sec
  5 minute output rate 2000 bits/sec, 2 packets/sec
     44893805 packets input, 1799144468 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     3 input errors, 2 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 99 multicast, 0 pause input
     1 input packets with dribble condition detected
     74038109 packets output, 3921252200 bytes, 0 underruns
     21 output errors, 12424 collisions, 9 interface resets
     0 babbles, 9962 late collision, 0 deferred
     21 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

Both Devices are running IOS :  12.4(15)T3

Can you also post the output of "sh run int x 0/0" on the router side?

Thanks

Manish

Those configs were from the router side / interfaces to the ASA.

They were "sh int" output, need "sh run int" output : ) . I think you are hitting a bug and would really like you upgrading the IOS on the router to the latest one which is 12.4.24 t3 something. I don't know if you have CCO or not ... anyways I have been looking through these :-

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsc04961

Also, check this out for RJ45 (1000 Mbps) settings :-

http://www.cisco.com/en/US/customer/prod/collateral/routers/ps5855/prod_qas0900aecd8016a953.html

hope it helps

Thanks

Manish

Outside Router:

interface GigabitEthernet0/0
description connection to ASA
ip address x.x.x.x 255.255.255.240
duplex auto
speed auto
media-type rj45
ipv6 address x:x:x:x:x:x:x:x/64
ipv6 enable
ipv6 nd ra suppress

Inside Router:

interface GigabitEthernet0/1
description conn-to-ASA
ip address x.x.x.x 255.255.255.0
duplex auto
speed auto
media-type rj45
ipv6 address x:x:x:x:x:x:x:x/64
ipv6 enable
ipv6 nd ra suppress
ipv6 ospf 500 area 0

Yes, I have a CCO account.  I'll upgrade IOS when I get a chance to see if it makes a difference.  Thanks for the help!

Hello,

What kind of cable are you using? Can you try a new CAT5e or CAT6 cable and see if that makes a difference? Sometimes the cable you are using may not support the speed settings on the NIC, forcing the NIC to fall back to half duplex. Another thing to try would be to use a switch in between the devices. That would eliminate any NIC compatibility issues.

Regards,

NT

Problem solved.  Turned out to be a non-Cisco issue.  I changed the monitoring interface settings on the McAfee Intrushield 2700 to autonegotiate and the links came up Full Duplex.

Thanks for everyone's help.  Lots of good info.

