
4-Port Gigabit Ethernet Security Services Module (4GE SSM) for ASA 5510

gnaveen
Level 1

Backplane of an ASA 5510 is a GB and the total throughput of an ASA 5510 is 300 MB.

The inside interface of an ASA 5510 is connected to a GB 3750 switch.

How can I increase the ASA 5510 throughput?

I am looking to increase the throughput and performance of my ASA 5510 to support 1 GB. I want to make sure before I order a 4GE SSM. If I add a 4-Port Gigabit Ethernet Security Services Module (4GE SSM) I will get 1 GB throughput. Is my understanding correct?

-NG

14 Replies

Jennifer Halim
Cisco Employee

No, with ASA 5510, you will only get a maximum throughput of 300Mbps. The 4-Port Gigabit Ethernet Security Services Module (4GE SSM) is to provide you with extra 4 gig ethernet ports, and has nothing to do with the maximum throughput of the appliance itself.

If you would like to get a maximum throughput of 1Gbps, then you would need to purchase ASA 5550.

Here is the ASA model comparison for your reference for throughput of up to 1Gbps:

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html#~mid-range

For higher than 1 Gbps throughput, here are the models:

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html#~high-end

Hope that helps.

Please, help me explain this a little bit .. ASA 5510 - inside interface speed is 10Mbps.

The problem is that we have this ASA 5510 inside interface connected to a Gigabit 3750 switchport.

We are seeing lot of packet drops on this Gigabit 3750 switchport and I am looking for all the possibilities.

Not sure if it makes sense as I am very new to Cisco ASAs.

-NG

Packet drops are normally due to speed or duplex mismatch between the ASA interface and the switch interface.

Check to make sure that the speed and duplex on that particular port matches between the ASA and the switch port.

NG,

If you do not need additional ports then, there is no reason to order an SSM 4GE card to get GIG speed.

On the ASA5510 as I mentioned in this link: https://supportforums.cisco.com/thread/2003543

GIG interface support for ASA5510 which was introduced with 7.2 code upgrade.

ASA 7.2 release notes:

http://www.cisco.com/en/US/docs/security/asa/asa72/release/notes/asarn723.html#wp272663

ASA 5510 Security Plus License Allows Gigabit Ethernet for Port 0 and 1

The ASA 5510 adaptive security appliance now has the security plus
license to enable GE (Gigabit Ethernet) for port 0 and 1. If you upgrade
the license from base to security plus, the capacity of the external
port Ethernet0/0 and Ethernet0/1 increases from the original FE (Fast
Ethernet) (100 Mbps) to GE (1000 Mbps). The interface names will remain
Ethernet 0/0 and Ethernet 0/1. Use the speed command to change the speed
on the interface and use the show interface command to see what speed is
currently configured for each interface.

Now, you mentioned that the ports are at 10 MB speed.  Why is that?
Do you see this reduced speed when you issue "sh int e0/0" if so, the speed
duplex is not negotiated properly.

Make sure to hardcode both the ASA and the switch end of 100 FULL.

-KS

Thanks KS! Good to know this.

As I see on my ASA 5510

Ethernet0/0 - 1000 Mbps

Ethernet0/1 -  100 Mbps

Ethernet0/3 -  100 Mbps

Interface Ethernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
    Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)

Interface Ethernet0/1 "", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
    Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

     Interface Ethernet0/1.11 "inside", is up, line protocol is up
       Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec

     Interface Ethernet0/1.12 "LISTENER", is up, line protocol is up
       Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec

     Interface Ethernet0/1.13 "WEB", is up, line protocol is up
       Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec

Interface Ethernet0/3 "LANFAIL", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
    Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

- I don't see "speed 1000" command configured under ASA 5510 Ethernet0/0 interface?

- Can a sub-interface Ethernet0/1 also be configured as 1000 Mbps?

- If yes, do you configure speed under the main interface or sub-interface?

- Can Ethernet0/3 failover interface be configured as 1000 Mbps?

- Can you configure "speed 1000" and "duplex full" on the fly? Will it affect anything - I mean affect traffic flow?

NG
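
The speed check discussed in this thread, as an added example (not part of any post and not Cisco code): it parses "show interface" text and flags links negotiated below the hardware BW or at half duplex. The sample lines are copied from the output posted above; the function names are hypothetical, and only the Auto-Duplex/Auto-Speed form shown in the thread is parsed.

```python
import re

# Sample input: lines from the "show interface" output posted in this thread (trimmed).
SHOW_INTERFACE = """\
Interface Ethernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
    Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Interface Ethernet0/1 "", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
    Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
     Interface Ethernet0/1.11 "inside", is up, line protocol is up
       Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Interface Ethernet0/3 "LANFAIL", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
    Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
"""

IFACE = re.compile(r'^\s*Interface (\S+) "([^"]*)"')
BW = re.compile(r"BW (\d+) Mbps")
# Only the auto-negotiated form shown in the thread is handled (assumption).
LINK = re.compile(r"Auto-Duplex\(([^)]+)\), Auto-Speed\((\d+) Mbps\)")

def parse(text):
    """Map interface name -> nameif, hardware BW, negotiated speed and duplex."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        if m := IFACE.match(line):
            cur = ifaces.setdefault(m.group(1), {"nameif": m.group(2)})
        elif cur is not None:
            if m := BW.search(line):
                cur["bw"] = int(m.group(1))
            if m := LINK.search(line):
                cur["duplex"], cur["speed"] = m.group(1), int(m.group(2))
    return ifaces

def findings(ifaces):
    """Flag links negotiated below hardware BW or at half duplex."""
    out = []
    for name, i in ifaces.items():
        # Subinterfaces print no speed line; they ride the parent's physical link.
        parent = ifaces.get(name.split(".")[0], {})
        speed = i.get("speed", parent.get("speed"))
        duplex = i.get("duplex", parent.get("duplex", ""))
        if speed is not None and "bw" in i and speed < i["bw"]:
            out.append((name, i["nameif"], f"linked at {speed} Mbps, BW {i['bw']} Mbps"))
        if "half" in duplex.lower():
            out.append((name, i["nameif"], "half duplex"))
    return out

if __name__ == "__main__":
    for row in findings(parse(SHOW_INTERFACE)):
        print(*row, sep=" | ")
```

On the sample, Ethernet0/1 and its subinterface Ethernet0/1.11 are flagged; Ethernet0/3 is not, because its hardware BW is itself 100 Mbps.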

Answers inline...

- I don't see "speed 1000" command configured under ASA 5510 Ethernet0/0 interface?

I'd leave it at auto. I see that it is negotiated for 1GB.

- Can a sub-interface Ethernet0/1 also be configured as 1000 Mbps?

No

- If yes, do you configure speed under the main interface or sub-interface?

Only on the main interface and for gig interface, pls leave at auto on both the ASA and the switch end. Make sure the switch can support gig speed.

- Can Ethernet0/3 failover interface be configured as 1000 Mbps?

No.

- Can you configure "speed 1000" and "duplex full" on the fly? Will it affect anything - I mean affect traffic flow?

From what I have heard for 1GB - you configure it as auto/auto on both sides.

-KS

As suggested, we configured auto/auto on our ASA. It is connected to a Cisco 3750-48PS-S Gig switch which is also configured for auto/auto, but the ASA interfaces are still showing as 100Mbps.

The ASA version is 8.0(5) and it has Security Plus license.

Cisco Adaptive Security Appliance Software Version 8.0(5)

System image file is "disk0:/asa805-k8.bin"

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 100      
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled  
VPN-3DES-AES                 : Enabled  
Security Contexts            : 2        
GTP/GPRS                     : Disabled 
VPN Peers                    : 250      
WebVPN Peers                 : 2        
AnyConnect for Mobile        : Disabled 
AnyConnect for Linksys phone : Disabled 
Advanced Endpoint Assessment : Disabled 
UC Proxy Sessions            : 2      

This platform has an ASA 5510 Security Plus license.

-NG

Not sure, but, can a Cisco CSE confirm this for us?

-NG

Please kindly be advised that ASA5510 with Security Plus license only has the following default physical interfaces:

2 x 10/100/1000 interfaces

3 x 10/100 interfaces

Please check out the integrated ports section for ASA 5510 (security plus - in red):

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html#~mid-range

The following are the corresponding speed for the interfaces:

Ethernet 0/0 and 0/1: Gigabit Ethernet

Ethernet 0/2, 0/3, and 0/4: Fast Ethernet

So only ethernet 0/0 and 0/1 can be configured as GIG interfaces (1000 Mbps), the remainder of the interfaces (0/2, 0/3 and 0/4) will only have a maximum of 100 Mbps.

Are you saying that both E0/0 and E0/1 are connected to two diff. ports on the same switch Cisco 3750-48PS-S, and E0/0 shows Gig speed but E0/1 only shows 100 MB?

If so, could you pls. swap the ports and see if E0/1 now shows Gig and E0/0 shows 100 MB?

-KS

Looking at the ASA inside, outside, LISTENER, WEB interfaces:

outside - 16 MB

inside - 12 MB

LISTENER - 8 MB

WEB - 10 MB

!
interface Ethernet0/0
 nameif outside
!
interface Ethernet0/1
!
interface Ethernet0/1.11
 nameif inside
!
interface Ethernet0/1.12
 nameif LISTENER
!
interface Ethernet0/1.13
 nameif WEB
!

Does it mean that the total throughput of my ASA is 16 MB + 12 MB + 8 MB + 10 MB = 46 MB?

-NG

The ASA 5510 adaptive security appliance now has the security plus license to enable GE (Gigabit Ethernet) for port 0 and 1.

How can I connect an ASA 5510 Ethernet0/0 port to a SFP-based Gigabit Ethernet port?

Is there a converter which can help me to achieve this?

-NG

You would connect it like you would if it were just E0/0. Embedded ports do not support SFP.

-KS

Throughput is not the aggregate of all the ports. Throughput is the speed that you get between two hosts on either side of the firewall.

-KS
