We installed an ASA 5520 firewall which is connected to the Internet with NAT/PAT enabled, but we started receiving complaints about slow browsing. On checking the inside interface of the firewall it displays an enormous number of packet drops!!!! Although the 5min input/output rate shows traffic of not more than 500Kbits/sec.
I've cleared the interface to see the rate of drops. The rate of drops seems to be increasing exponentially.
Has anyone come across such a problem? Please advise...
Did you check the speed and duplex mode of the switch port on which the ASA's interface is attached?
It may be a problem regarding the speed and duplex mode.
Is any software installed for syslogs? If not, then I would advise you to install Firewall Log Analyzer from Adventnet, and it would be easy to judge where the traffic is coming from.
Can you post your network diagram? Then it would be easy to troubleshoot it.
I would be doing that tomorrow morning; meanwhile, just to give you an idea of the setup:
ASA Outside IP address: 212.76.x.x
ASA inside IP address: 10.0.5.1
Routes are added to the ASA firewall for reachability to subnets behind the Inside interface.
Default route is added to the core switch -> 0 0 10.0.5.1
Core switch SVI: 10.0.5.252
Server vlan 10.0.0.0/24... where these IP's are static NATed on asa firewall
Server vlan SVI: 10.0.10.252/24
10.0.0.2 <-> 212.x.y.a - exchange
10.0.0.3 <-> 212.x.y.b - owa
PAT enabled with interface ip
10.0.0.6 <-> 212.x.y.c - proxy
10.0.0.8 <-> 212.x.y.c - blackberry
User VLANs are VLANs 3,4,6,7,8,9,10 with corresponding SVIs configured on the core.
Now the traffic source for the ASA firewall is basically the servers specified, and I have observed that these interfaces don't have a high volume of traffic, in fact less than 1 Mb each, and the ASA VLAN doesn't have any other end user except the access switches with management IPs only!!
Aaahh!!! I'm not sure why these packet drops are occurring.....
I'll see if any valuable inputs come in from users from netpro community.
There could be a number of reasons for packet drops, but if you can, post the complete output of show interface inside to see what your other interface stats are. Are they clean, such as the outside interface etc.? How about the switchport the ASA inside interface is connected to? Can you post the output of show interface from the switch side?
Even though you have hardcoded both sides, that does not rule out the possibility of a bad cable. Any CRCs, runts, giants on the switchport side?
You may also issue show asp drop on the firewall.
see table 25-2 for specs on this command
show service-policy output to rule out any service policy that may be causing drops,
last but not least, go through the normal performance checklist here: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml
Continuing with the packet drops issue... See the number of underruns on the interface:
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Description: *****Connected to Core switch*****
MAC address 001e.be79.7957, MTU 1500
IP address 10.0.5.1, subnet mask 255.255.254.0
4114739 packets input, 1292642813 bytes, 0 no buffer
Received 2514 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
4016064 packets output, 3095325439 bytes, 1805 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (0/25) software (0/0)
output queue (curr/max packets): hardware (0/255) software (0/0)
Traffic Statistics for "inside":
4114739 packets input, 1207986967 bytes
4017869 packets output, 3017572869 bytes
78650 packets dropped
1 minute input rate 101 pkts/sec, 15968 bytes/sec
1 minute output rate 156 pkts/sec, 23251 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 31 pkts/sec, 3199 bytes/sec
5 minute output rate 30 pkts/sec, 29771 bytes/sec
5 minute drop rate, 0 pkts/sec
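As an added example (not part of the thread, and not Cisco's or anyone's posted code), the following Python script turns the checklist given earlier (CRC/runts/giants, duplex, show asp drop) into a parser for the show interface output posted above. The input string is the inside interface output from this thread; the counter names, the regular expressions and the "physical-layer counter" grouping are the script's own assumptions, and the findings it prints are pointers for the next command to run, not a diagnosis.

```python
import re

# Sample input: the `show interface inside` output posted in the thread.
SHOW_INTERFACE_INSIDE = """\
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Description: *****Connected to Core switch*****
IP address 10.0.5.1, subnet mask 255.255.254.0
4114739 packets input, 1292642813 bytes, 0 no buffer
Received 2514 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
4016064 packets output, 3095325439 bytes, 1805 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
Traffic Statistics for "inside":
4114739 packets input, 1207986967 bytes
4017869 packets output, 3017572869 bytes
78650 packets dropped
5 minute input rate 31 pkts/sec, 3199 bytes/sec
5 minute output rate 30 pkts/sec, 29771 bytes/sec
5 minute drop rate, 0 pkts/sec
"""

# Counter names and regexes are this script's own choice (assumption), not ASA terms.
COUNTER_PATTERNS = {
    "packets_input": r"(\d+) packets input",
    "packets_output": r"(\d+) packets output",
    "packets_dropped": r"(\d+) packets dropped",
    "underruns": r"(\d+) underruns",
    "no_buffer": r"(\d+) no buffer",
    "runts": r"(\d+) runts",
    "giants": r"(\d+) giants",
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "frame": r"(\d+) frame",
    "overrun": r"(\d+) overrun",
    "l2_decode_drops": r"(\d+) L2 decode drops",
    "output_errors": r"(\d+) output errors",
    "collisions": r"(\d+) collisions",          # "0 late collisions" does not match this
    "late_collisions": r"(\d+) late collisions",
}

# Counters that point at cabling or a speed/duplex mismatch rather than at the firewall itself.
PHYSICAL_COUNTERS = ("runts", "giants", "input_errors", "crc", "frame",
                     "output_errors", "collisions", "late_collisions")


def parse_show_interface(text):
    """Return the counters as a dict. The first match wins, so packets input/output
    come from the hardware section; the Traffic Statistics block repeats them."""
    counters = {}
    for name, pattern in COUNTER_PATTERNS.items():
        m = re.search(pattern, text)
        if m:
            counters[name] = int(m.group(1))
    m = re.search(r"(\w+)-Duplex\((\w+)-duplex\), (\w+)-Speed\((\d+) Mbps\)", text)
    if m:
        counters["duplex_negotiation"] = m.group(1)   # "Auto" or a forced setting
        counters["duplex"] = m.group(2).lower()       # "full" or "half"
        counters["speed_mbps"] = int(m.group(4))
    return counters


def assess(counters):
    """Turn the counters into a drop percentage and a list of next-step findings."""
    findings = []
    packets_in = counters.get("packets_input", 0)
    dropped = counters.get("packets_dropped", 0)
    drop_pct = round(100.0 * dropped / packets_in, 2) if packets_in else 0.0
    if dropped:
        findings.append(f"{dropped} packets dropped ({drop_pct}% of input): "
                        "run 'show asp drop' for the per-reason breakdown")
    physical = {k: counters.get(k, 0) for k in PHYSICAL_COUNTERS if counters.get(k, 0)}
    if physical:
        findings.append(f"physical-layer errors {physical}: check the cable and the "
                        "speed/duplex setting on both the ASA and the switch port")
    elif counters.get("duplex") == "half":
        findings.append("interface is running half duplex: compare with the switch port setting")
    if counters.get("underruns"):
        note = ("with clean CRC/runt/collision counters this is a transmit-side symptom, "
                "not a cabling one" if not physical else "physical errors are also present")
        findings.append(f"{counters['underruns']} underruns: {note}; correlate with "
                        "'show asp drop' and the switch-side interface counters")
    if counters.get("no_buffer") or counters.get("overrun"):
        findings.append("no-buffer/overrun counts: the receive path is being outpaced")
    return {"drop_pct": drop_pct, "findings": findings}


if __name__ == "__main__":
    result = assess(parse_show_interface(SHOW_INTERFACE_INSIDE))
    print(f"drop rate: {result['drop_pct']}%")
    for f in result["findings"]:
        print(" -", f)
```

Because the regexes take the first match, the hardware-section counters win over the Traffic Statistics repeat; on the output above the physical-layer counters are all zero and the link is auto-negotiated 1000/full, so the script points at show asp drop and the switch-side counters rather than at cabling or duplex.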