
Network Degraded

Mero Cisco
Level 1

Hi,

I have just replaced the PIX with an ASA, but I am experiencing a network performance degradation after the change and I am looking for the cause. I have got 4 gig ports on the ASA and I have passed the trunk from my switch port to 3 gig ports so that I have six logical ports. Now, in total I have got seven ports and configured it accordingly. All the system is working fine but the network is quite slow. Please help me to find out the reason and solution of this one.

I have not given the MAC for the sub interfaces and also not set the speed for this one. Is this the problem?

Please help.

Yours,

Mero

3 Accepted Solutions

upendraardi
Level 1

Hi Mero

Could you please verify the duplex and MTU settings on the ASA interfaces?

Duplex full needs to be set on both interface fa0/2 of your switch and interface Gi0/1 of your ASA. i.e., both ends of that link.

From the output you provided, speed autonegotiation to 100 Mbps appears to have worked. However, it would not hurt to set speed 100 at both ends.


Since you have both devices configured correctly and the ASA continues to report "duplex half" I would suspect a hardware or Layer 1 issue.

Just to confirm, you are trying to set ASA interface settings to "duplex full" on interface GigabitEthernet0/1 as shown in this example. Note the link should not operate properly until both the ASA and the switch interfaces have their manual "duplex full" settings completed.

The only thing other than a TAC case I can think of is to try replacing that one Cat 5 cable.

17 Replies

upendraardi
Level 1

Hi Mero

Could you please verify the duplex and MTU settings on the ASA interfaces?

Hi,

Duplex is set to auto and MTU is 1500.

- Mero

Can you please post the interface configurations from your ASA and switch? You lost me with your description of 4, 3, 6, and 7 ports above.

Dear Marvin,

Please look at the following:

SWITCH
=======
interface FastEthernet0/1
 description *****connected to port0 *****
interface FastEthernet0/2
 description *****connected to port1 *****
 switchport trunk allowed vlan 2,3
 switchport mode trunk
interface FastEthernet0/3
 description *****connected to port2 *****
 switchport trunk allowed vlan 4,5
 switchport mode trunk
interface FastEthernet0/4
 description *****connected to port3 *****
 switchport trunk allowed vlan 6,7
 switchport mode trunk

ASA
=======
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address
interface GigabitEthernet0/1
 no ip address
interface GigabitEthernet0/1.2
 vlan 2
 nameif inside
 security-level 100
 ip address
interface GigabitEthernet0/1.3
 vlan 3
 nameif inside
 security-level 30
 ip address
interface GigabitEthernet0/2
 no ip address
interface GigabitEthernet0/2.4
 vlan 4
 no shutdown
 nameif intf400
 security-level 40
 ip address
interface GigabitEthernet0/2.5
 vlan 5
 no shutdown
 nameif intf500
 security-level 50
 ip address
interface GigabitEthernet0/3
 no shutdown
 no ip address
interface GigabitEthernet0/3.6
 vlan 6
 no shutdown
 nameif intf600
 security-level 60
 ip address
interface GigabitEthernet0/3.7
 vlan 7
 no shutdown
 nameif intf700
 security-level 70
 ip address

- Mero

Mero,

Thanks - that's clearer now. What model and version of ASA software are you using?

Can you provide "show interface status" for each of your four switch ports connected to the ASA? Also "show interface  | i Speed" from the ASA.

Thanks Mr. Marvin,

I will write more after a few hours.

- Mero

Hi,

I am using a Cisco ASA 5520 and Software Version 7.2(4).

Sorry, the duplex was set to auto, half-duplex. Can I set it to full? Will this drop my packets? I am getting confused about single mode. I pasted some output of show interface, please have a look.

Interface GigabitEthernet0/0 "outside", is up, line protocol is up
  Hardware is xxxx rev03, BW 1000 Mbps
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        MAC address xxxx.xxxx.xxxx, MTU 1500
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 output errors, 0 collisions, 4 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        input queue (curr/max packets): hardware (2/25) software (0/0)
        output queue (curr/max packets): hardware (0/50) software (0/0)
  Traffic Statistics for "outside":
        98140245 packets input, 118773026302 bytes
        71538920 packets output, 6580023518 bytes
        241680 packets dropped
Interface GigabitEthernet0/1 "", is up, line protocol is up
  Hardware is xxxx rev03, BW 1000 Mbps
        Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
        Available but not configured via nameif
        MAC address xxxx.xxxx.xxxx, MTU not set
        IP address unassigned
        222553951 packets input, 110898015593 bytes, 0 no buffer
        Received 323205 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        190477421 packets output, 93155281167 bytes, 0 underruns
        0 output errors, 2802847 collisions, 1 interface resets
        4946391 late collisions, 10976732 deferred
        0 input reset drops, 13 output reset drops
        input queue (curr/max packets): hardware (0/33) software (0/0)
        output queue (curr/max packets): hardware (0/185) software (0/0)
Interface GigabitEthernet0/1.2 "intf200", is up, line protocol is up
        VLAN identifier 2
        MAC address xxxx.xxxx.xxxx, MTU 1500
        IP address xxxx, subnet mask xxxx
  Traffic Statistics for "intf200":
        152134764 packets input, 26686067503 bytes
        141153651 packets output, 79907226008 bytes
        21314472 packets dropped
Interface GigabitEthernet0/1.3 "intf300", is up, line protocol is up
        VLAN identifier 3
        MAC address xxxx.xxxx.xxxx, MTU 1500
        IP address xxxx, subnet mask xxxx
  Traffic Statistics for "intf300":
        70400873 packets input, 78921800729 bytes
        54270216 packets output, 15286952393 bytes
        180516 packets dropped

Waiting for your help,

- Mero

Your ASA 5520 has four Gigabit Ethernet interfaces (plus the Fast Ethernet management port). Normal practice would be to run all the connected ports at their rated 1 Gbps speed and full duplex. Normally auto speed and duplex settings at the ASA and switch would take care of that automatically.

Unless... is your switch on the inside only Fast Ethernet capable? Running at half duplex 100 Mbps is certainly not normal. Assuming your switch is capable, the ports should all be full duplex 1000 Mbps. That's why I asked for "show interface status" from the relevant switch ports. On a Cisco switch that will show me their speed and duplex settings and whether they are auto or manually set.

What were you saying about single mode? Is there a fiber optic connection somewhere?

Also, I see a large number of packets dropped. One would not normally expect to see drops of that number. The abnormal duplex setting could be contributing to that.

Dear Marvin,

Please go through the show inter status

Port      Name        Status       Vlan       Duplex  Speed Type
Fa0/1     *****       connected    1          a-full  a-100 10/100BaseTX
Fa0/2     *****       connected    trunk      full    100   10/100BaseTX
Fa0/3     *****       connected    trunk      full    100   10/100BaseTX

About the single mode, I was talking about the context, however I am not using context over here. No fiber connection.

Please write me the steps one by one to speed up my network.

With best regards,

- Mero

upendraardi
Level 1

I would suggest removing auto and setting "full duplex" on the switch and the ASA; that will solve the problem.

The trunk should definitely be running at full duplex. Right now your switch port Fa0/2 says "full" and your ASA interface Gi0/1 says "half". They should both be "full". Autonegotiation should take care of that but for whatever reason it is not.

So, on each device go into interface-config and set "duplex full" for those affected interfaces.
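The symptom discussed in the reply above (one end at half duplex, with late collisions accumulating) can be checked mechanically. This is an added example, not part of the original thread: it parses an excerpt of the `show interface` output posted earlier and flags ports showing those signs. The regular expressions are assumptions based only on the output format visible in this thread.

```python
import re

# Excerpt of the "show interface" output posted in this thread (counters as posted).
SHOW_INTERFACE = """\
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        0 late collisions, 0 deferred
Interface GigabitEthernet0/1 "", is up, line protocol is up
        Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
        4946391 late collisions, 10976732 deferred
"""

HEADER = re.compile(r'^Interface (\S+) "')
DUPLEX = re.compile(r"(\w+)-Duplex\((\w+)-duplex\)")  # configured(operational)
LATE = re.compile(r"(\d+) late collisions")

def parse_interfaces(text):
    """Map interface name -> configured/operational duplex and late-collision count."""
    interfaces, current = {}, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = interfaces[header.group(1)] = {
                "configured": None, "operational": None, "late_collisions": 0}
            continue
        if current is None:
            continue  # ignore anything before the first interface header
        duplex = DUPLEX.search(line)
        if duplex:
            current["configured"] = duplex.group(1).lower()
            current["operational"] = duplex.group(2).lower()
        late = LATE.search(line)
        if late:
            current["late_collisions"] = int(late.group(1))
    return interfaces

def duplex_suspects(text):
    """Return (interface, reasons) for ports showing duplex-mismatch symptoms."""
    suspects = []
    for name, info in parse_interfaces(text).items():
        reasons = []
        if info["operational"] == "half":
            reasons.append("operating at half duplex")
        if info["late_collisions"] > 0:
            reasons.append(f"{info['late_collisions']} late collisions")
        if reasons:
            suspects.append((name, reasons))
    return suspects
```

Calling `duplex_suspects(SHOW_INTERFACE)` reports only GigabitEthernet0/1, the trunk port whose switch side shows "full" in the `show interface status` output.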

Dear Mr. Marvin,

Thanks for your kind support.

I tried to set the affected interfaces to duplex full. On one interface it works well, but when I tried to change my network to duplex full, it fails and hangs. Do I have to give the command from the console or from another network?

The switch port interface maximum speed is 100 Mbps and the ASA speed is 1000 Mbps. Do I have to set the ASA interface speed to 100 Mbps or not?

With best regards,

Mero

Duplex full needs to be set on both interface fa0/2 of your switch and interface Gi0/1 of your ASA. i.e., both ends of that link.

From the output you provided, speed autonegotiation to 100 Mbps appears to have worked. However, it would not hurt to set speed 100 at both ends.

Dear Mr. Marvin,

I configured the duplex mode to full on the interfaces of the switch, and no problem was seen. After that, I configured the duplex mode to full on the ASA interfaces. The first one gives no problem and works well. But when I configure the duplex mode to full on my network (ASA port), the whole network breaks down. What would be the problem? Why does the network break? Do I have to configure from another network or do I have to configure from the console port?

Please help.

With best regards,

Mero
