Cisco Support Community

IPS Speed & Duplex settings

I have a 4240 inline between an ASA and a Switch, and am experiencing errors on the switch indicating receive discards.

The devices are directly connected like this, ASA --- IPS --- SWITCH. The ASA and Switch have the speed/duplex fixed to 100/Full, but the IPS is auto negotiate. Both ports have negotiated to 100/Half, which I believe is causing the issue (open to alternative suggestions); however, if I change to fixed parameters I lose connectivity. How should these connections be configured to remove the errors?

Community Member

Re: IPS Speed & Duplex settings

I am having a similar problem, but with the Management0/0 interface on a 4260. It is connected to a 6509 switch that is fixed to 100/FDX. When I have the IPS set to auto negotiate, it always ends up on 100/HDX. Is this a bug?

Same issue is occurring whereby I am unable to maintain network connectivity when the device is in this state.

Cisco Employee

Re: IPS Speed & Duplex settings

Network Interfaces do not support fixed configuration of speed and duplex on one device and auto negotiate on the other device.

The device set to auto negotiate will send out negotiation queries to the other device, but because the other device is fixed it will not respond to the queries. The device with the fixed speed and duplex does Not respond with the fixed speed and duplex, and instead just simply does not respond at all to the auto negotiation queries.

So the device with auto negotiation is not able to determine the settings for the other device, and will set its own speed and duplex to the default settings for that NIC. On most 10/100 and 10/100/1000 copper interfaces the default will be 100 Half Duplex.

So for auto negotiation to work properly you Must set Both devices to auto negotiation.

If you will fix speed and duplex on one device, then you must also fix speed and duplex on the other device.

The other thing to keep in mind is the type of cable connecting the 2 devices.

For 10/100 interfaces you have to be very careful of the type of cable being used. When connecting the sensor to a switch it must be a standard cable. BUT when connecting the sensor to a Firewall, Router, or PC, then it likely needs to be a CrossOver cable. (The switch has built in the equivalent of crossover directly within its ports, but firewalls, routers, etc... generally do not)

If you are using 10/100/1000 interfaces on both devices, and have both devices set to auto negotiate; then in most cases the type of cable will not matter. When auto negotiate begins they will determine the cable type and one of the 2 will automatically do a sort of internal crossover if needed, and will then auto negotiate to 1000 Full.

HOWEVER, if you fix the speed and duplex then just like with 10/100 interfaces you have to be very careful that you are using the right type of cable. There will not be any negotiation and so your cable choice must be very specific. In most instances you will need to use a crossover cable when connecting the sensor to a Firewall or Router, but use a standard cable when connecting to a switch.

So be sure to set speed and duplex the same on both devices. Either both devices with fixed speed and duplex, or both devices with auto negotiated speed and duplex.

And be sure you are using the right type of cable for your particular connections.
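The rules in the reply above, modelled as a link check over a port inventory; this is an added example, not part of the original thread or any Cisco tool. The `Port` record, the function names and the sample ports are hypothetical, and the 100 half-duplex fallback is the default the reply names for most copper interfaces.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Mode = Tuple[int, str]                    # (speed in Mb/s, "full" or "half")
NIC_DEFAULT: Mode = (100, "half")         # assumption: default named in the reply

@dataclass
class Port:                               # hypothetical inventory record
    kind: str                             # "sensor", "switch", "firewall", "router", "pc"
    max_speed: int                        # 100 for 10/100, 1000 for 10/100/1000
    fixed: Optional[Mode] = None          # None means auto negotiate

def operating_mode(port: Port, peer: Port) -> Mode:
    """Mode this port ends up in, following the reply's description."""
    if port.fixed:
        return port.fixed
    if peer.fixed:                        # fixed peer never answers, so fall back
        return NIC_DEFAULT
    return (min(port.max_speed, peer.max_speed), "full")

def required_cable(a: Port, b: Port) -> str:
    """Cable for a sensor link; 'any' when both ends auto negotiate at gigabit."""
    if not a.fixed and not b.fixed and min(a.max_speed, b.max_speed) == 1000:
        return "any"
    return "straight" if "switch" in (a.kind, b.kind) else "crossover"

def audit_link(a: Port, b: Port, cable: str) -> List[str]:
    """List every problem the reply warns about for one sensor link."""
    findings = []
    mode_a, mode_b = operating_mode(a, b), operating_mode(b, a)
    if (a.fixed is None) != (b.fixed is None):
        findings.append("one end fixed, other end auto negotiate")
    if mode_a[0] != mode_b[0]:
        findings.append(f"speed mismatch: {mode_a[0]} vs {mode_b[0]}")
    if mode_a[1] != mode_b[1]:
        findings.append(f"duplex mismatch: {mode_a[1]} vs {mode_b[1]}")
    need = required_cable(a, b)
    if need != "any" and cable != need:
        findings.append(f"cable should be {need}, found {cable}")
    return findings

# Constructed sample modelled on the thread: ASA --- IPS --- SWITCH
asa = Port("firewall", 1000, fixed=(100, "full"))
switch = Port("switch", 1000, fixed=(100, "full"))
ips = Port("sensor", 1000)                # auto negotiate, as in the question

if __name__ == "__main__":
    for peer, cable in ((asa, "crossover"), (switch, "straight")):
        print(peer.kind, audit_link(ips, peer, cable))
```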

Re: IPS Speed & Duplex settings

Adding to Marco's excellent explanation, please see figure 12 (table) on the following link:

It illustrates which combinations work (partially/completely) and which don't work at all (no network connectivity i.e. link fail)


