New Member

Network Degraded

Hi,

I have just replaced the PIX with an ASA, but I am experiencing network performance degradation after the change and I am looking for the cause. I have got 4 gig ports on the ASA and I have passed the trunk from my switch port to 3 gig ports so that I have six logical ports. Now, in total I have got seven ports and have configured them accordingly. The whole system is working fine but the network is quite slow. Please help me find the reason and a solution.

I have not set the MAC for the subinterfaces and have also not set the speed. Is this the problem?

Please help.

Yours,

Mero

New Member

Re: Network Degraded

Hi Mero

Could you please verify the duplex and MTU settings on the ASA interfaces?

New Member

Re: Network Degraded

Hi,

Duplex is set to auto and MTU is 1500.

- Mero

Hall of Fame Super Silver

Network Degraded

Can you please post the interface configurations from your ASA and switch? You lost me with your description of 4, 3, 6, and 7 ports above.

New Member

Re: Network Degraded

Dear Marvin,

Please look at the following:

SWITCH
=======
interface FastEthernet0/1
 description *****connected to port0 *****
interface FastEthernet0/2
 description *****connected to port1 *****
 switchport trunk allowed vlan 2,3
 switchport mode trunk
interface FastEthernet0/3
 description *****connected to port2 *****
 switchport trunk allowed vlan 4,5
 switchport mode trunk
interface FastEthernet0/4
 description *****connected to port3 *****
 switchport trunk allowed vlan 6,7
 switchport mode trunk

ASA
=======
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address
interface GigabitEthernet0/1
 no ip address
interface GigabitEthernet0/1.2
 vlan 2
 nameif inside
 security-level 100
 ip address
interface GigabitEthernet0/1.3
 vlan 3
 nameif inside
 security-level 30
 ip address
interface GigabitEthernet0/2
 no ip address
interface GigabitEthernet0/2.4
 vlan 4
 no shutdown
 nameif intf400
 security-level 40
 ip address
interface GigabitEthernet0/2.5
 vlan 5
 no shutdown
 nameif intf500
 security-level 50
 ip address
interface GigabitEthernet0/3
 no shutdown
 no ip address
interface GigabitEthernet0/3.6
 vlan 6
 no shutdown
 nameif intf600
 security-level 60
 ip address
interface GigabitEthernet0/3.7
 vlan 7
 no shutdown
 nameif intf700
 security-level 70
 ip address

- Mero

Hall of Fame Super Silver

Re: Network Degraded

Mero,

Thanks - that's clearer now. What model and version of ASA software are you using?

Can you provide "show interface status" for each of your four switch ports connected to the ASA? Also "show interface  | i Speed" from the ASA.

New Member

Re: Network Degraded

Thanks Mr. Marvin,

I will write more after a few hours.

- Mero

New Member

Re: Network Degraded

Hi,

I am using a Cisco ASA 5520 and Software Version 7.2(4).

Sorry, the duplex was set to auto, half-duplex. Can I set it to full? Will this drop my packets? I am confused about single mode. I have pasted some output of show interface; please have a look.

Interface GigabitEthernet0/0 "outside", is up, line protocol is up
  Hardware is xxxx rev03, BW 1000 Mbps
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        MAC address xxxx.xxxx.xxxx, MTU 1500
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 output errors, 0 collisions, 4 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        input queue (curr/max packets): hardware (2/25) software (0/0)
        output queue (curr/max packets): hardware (0/50) software (0/0)
  Traffic Statistics for "outside":
        98140245 packets input, 118773026302 bytes
        71538920 packets output, 6580023518 bytes
        241680 packets dropped
Interface GigabitEthernet0/1 "", is up, line protocol is up
  Hardware is xxxx rev03, BW 1000 Mbps
        Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
        Available but not configured via nameif
        MAC address xxxx.xxxx.xxxx, MTU not set
        IP address unassigned
        222553951 packets input, 110898015593 bytes, 0 no buffer
        Received 323205 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        190477421 packets output, 93155281167 bytes, 0 underruns
        0 output errors, 2802847 collisions, 1 interface resets
        4946391 late collisions, 10976732 deferred
        0 input reset drops, 13 output reset drops
        input queue (curr/max packets): hardware (0/33) software (0/0)
        output queue (curr/max packets): hardware (0/185) software (0/0)
Interface GigabitEthernet0/1.2 "intf200", is up, line protocol is up
        VLAN identifier 2
        MAC address xxxx.xxxx.xxxx, MTU 1500
        IP address xxxx, subnet mask xxxx
  Traffic Statistics for "intf200":
        152134764 packets input, 26686067503 bytes
        141153651 packets output, 79907226008 bytes
        21314472 packets dropped
Interface GigabitEthernet0/1.3 "intf300", is up, line protocol is up
        VLAN identifier 3
        MAC address xxxx.xxxx.xxxx, MTU 1500
        IP address xxxx, subnet mask xxxx
  Traffic Statistics for "intf300":
        70400873 packets input, 78921800729 bytes
        54270216 packets output, 15286952393 bytes
        180516 packets dropped

Waiting for your help,

- Mero

Hall of Fame Super Silver

Network Degraded

Your ASA 5520 has four Gigabit Ethernet interfaces (plus the Fast Ethernet management port). Normal practice would be to run all the connected ports at their rated 1 Gbps speed and full duplex. Normally auto speed and duplex settings at the ASA and switch would take care of that automatically.

Unless... is your switch on the inside only Fast Ethernet capable? Running at half duplex 100 Mbps is certainly not normal. Assuming your switch is capable, the ports should all be full duplex 1000 Mbps. That's why I asked for "show interface status" from the relevant switch ports. On a Cisco switch that will show me their speed and duplex settings and whether they are auto or manually set.

What were you saying about single mode? Is there a fiber optic connection somewhere?

Also, I see a large number of packets dropped. One would not normally expect to see drops of that number. The abnormal duplex setting could be contributing to that.

New Member

Network Degraded

Dear Marvin,

Please go through the show inter status:

Port      Name   Status     Vlan   Duplex  Speed  Type
Fa0/1     *****  connected  1      a-full  a-100  10/100BaseTX
Fa0/2     *****  connected  trunk  full    100    10/100BaseTX
Fa0/3     *****  connected  trunk  full    100    10/100BaseTX

About the single mode, I was talking about the context; however, I am not using context over here. No fiber connection.

Please write me the steps one by one to speed up my network.

with best regards,

- Mero

New Member

Network Degraded

I would suggest that removing auto and setting "full duplex" on the switch and ASA will solve the problem.

Hall of Fame Super Silver

Network Degraded

The trunk should definitely be running at full duplex. Right now your switch port Fa0/2 says "full" and your ASA interface Gi0/1 says "half". They should both be "full". Autonegotiation should take care of that but for whatever reason it is not.

So, on each device go into interface-config and set "duplex full" for those affected interfaces.

New Member

Network Degraded

Dear Mr. Marvin,

Thanks for your kind support.

I tried to set the affected interfaces to duplex full. On one interface it works well, but when I tried to change to duplex full on my network, it fails and hangs. Do I have to give the command from the console or from another network?

The switch port interface maximum speed is 100 Mbps and the ASA speed is 1000 Mbps. Do I have to set the ASA interface speed to 100 Mbps or not?

With best regards,

Mero

Hall of Fame Super Silver

Network Degraded

Duplex full needs to be set on both interface fa0/2 of your switch and interface Gi0/1 of your ASA. i.e., both ends of that link.

From the output you provided, speed autonegotiation to 100 Mbps appears to have worked. However, it would not hurt to set speed 100 at both ends.

New Member

Network Degraded

Dear Mr. Marvin,

I configured the duplex mode to full on the interfaces of the switch; no problem seen. After that, I configured the duplex mode to full on the ASA interfaces. The first one gives no problem and works well. But when I configure the duplex mode to full on my network (ASA port), the whole network breaks down. What would be the problem? Why does the network break? Do I have to configure from another network or do I have to configure from the console port?

Please help.

With best regards,

Mero

Hall of Fame Super Silver

Network Degraded

Are you sure there is no device (like a hub) between your ASA and the switch? Either you have a physical layer problem (cable or physical interface) or I've misunderstood the description you provided of your connectivity.

What type of switch are you using? Please provide "show version" from the switch as well as "show run int fa0/2" and "show interface fa0/2" from the same switch. Please confirm that the cable from fa0/2 is copper Cat 5 plugged directly into ASA Gi0/1.

(Note ASA ports are numbered right to left - see Figure 1-4 on this document - so ASA interface Gi0/1 is second from the right.)

New Member

Network Degraded

Dear Mr. Marvin,

I am sure that there is not any kind of device between the ASA and the switch. The ASA is directly connected to the switch. I have got a C2960 switch with the c2960-lanbase-mz.122-25.FX/c2960-lanbase-mz.122-25.FX.bin image.

The switch amber light is blinking, showing an error on the trunk ports. I guess this is due to the duplex mismatch. Yes, I have connected a CAT 5 cable.

I just restarted the switch and ASA, as the network breaks down when I configure the duplex mode to full on the ASA of my network.

Please go through this one:

show run int fa0/2

interface FastEthernet0/2
 switchport trunk allowed vlan 4,5
 switchport mode trunk
 speed 100
 duplex full

show int fa0/2

FastEthernet0/2 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is xxxx
  Description: ***
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 253/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 488000 bits/sec, 103 packets/sec
  5 minute output rate 588000 bits/sec, 148 packets/sec
     31404208 packets input, 2039432585 bytes, 0 no buffer
     Received 0 broadcasts (0 multicast)
     0 runts, 0 giants, 0 throttles
     1291273 input errors, 1291273 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     36097925 packets output, 1357406095 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

Show version

Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 12-Oct-05 22:05 by yenanh
ROM: Bootstrap program is C2960 boot loader
BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)SEE1, RELEASE SOFTWARE (fc1)
NOC-SWITCH uptime is 1 day, 8 hours, 31 minutes
System returned to ROM by power-on
System image file is "flash:c2960-lanbase-mz.122-25.FX/c2960-lanbase-mz.122-25.FX.bin"
cisco WS-C2960-48TT-L (PowerPC405) processor (revision B0) with 61440K/4088K bytes of memory.
Processor board ID xxx
Last reset from power-on
1 Virtual Ethernet interface
48 FastEthernet interfaces
2 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
64K bytes of flash-simulated non-volatile configuration memory.


Waiting for your kind response,

Mero

Hall of Fame Super Silver

Network Degraded

Since you have both devices configured correctly and the ASA continues to report "duplex half" I would suspect a hardware or Layer 1 issue.

Just to confirm, you are trying to set ASA interface settings to "duplex full" on interface GigabitEthernet0/1 as shown in this example. Note the link should not operate properly until both the ASA and the switch interfaces have their manual "duplex full" settings completed.

The only thing other than a TAC case I can think of is to try replacing that one Cat 5 cable.
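
The counters posted in this thread show the two-sided signature of a duplex mismatch: late collisions on the half-duplex ASA interface and CRC errors on the full-duplex switch port. The Python script below is an added example, not part of the original thread or any Cisco tool; it parses trimmed copies of those outputs and reports the signs. The function names `parse_interface` and `diagnose` and the "A"/"B" end labels are hypothetical.

```python
import re
# Constructed samples: lines trimmed from the "show interface" output posted in this thread.
ASA_GI0_1 = """\
Interface GigabitEthernet0/1 "", is up, line protocol is up
  Hardware is xxxx rev03, BW 1000 Mbps
        Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 output errors, 2802847 collisions, 1 interface resets
        4946391 late collisions, 10976732 deferred
"""
SWITCH_FA0_2 = """\
FastEthernet0/2 is up, line protocol is up (connected)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
     1291273 input errors, 1291273 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

def parse_interface(text):
    """Pull duplex, speed and the duplex-relevant error counters from one interface."""
    def counter(label):
        m = re.search(r"(\d+)\s+" + label, text)
        return int(m.group(1)) if m else 0
    duplex = re.search(r"\b(half|full)-duplex", text, re.I)
    # ASA prints "Auto-Speed(100 Mbps)", IOS prints "Full-duplex, 100Mb/s"; BW is ignored.
    speed = re.search(r"(?:speed\(|duplex,\s*)(\d+)\s*Mb", text, re.I)
    return {
        "duplex": duplex.group(1).lower() if duplex else None,
        "speed": int(speed.group(1)) if speed else None,
        "crc": counter("CRC"),
        "collisions": counter("collisions"),
        "late": counter("late collisions?"),
    }

def diagnose(a, b):
    """Compare both ends of one link and list the signs of a duplex mismatch."""
    findings = []
    if a["duplex"] != b["duplex"]:
        findings.append(f"duplex mismatch: {a['duplex']} vs {b['duplex']}")
    if a["speed"] != b["speed"]:
        findings.append(f"speed mismatch: {a['speed']} vs {b['speed']}")
    for name, side in (("A", a), ("B", b)):
        if side["duplex"] == "half" and side["late"]:
            findings.append(f"{name}: {side['late']} late collisions on half-duplex end")
        if side["duplex"] == "full" and side["crc"]:
            findings.append(f"{name}: {side['crc']} CRC errors on full-duplex end")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(parse_interface(ASA_GI0_1), parse_interface(SWITCH_FA0_2))))
```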
