Cisco ASA 9.1 crypto ipsec stats system capacity failures

Hello,

I'm trying to research some performance issues on a centralized ASA and some VPN site end-points.  I'm already addressing fragmentation bits and flow control that looks to resolve some of the performance issues, but I came across something that I can't seem to identify to understand what it's telling me.

I can't seem to find any documentation that explains what triggers the counter for "System capacity failures" on the show crypto ipsec stats command:

# sho crypto ipsec stats 

IPsec Global Statistics
-----------------------
Active tunnels: 41
Previous tunnels: 8999
Inbound
    Bytes: 8292491846127
    Decompressed bytes: 8292491846127
    Packets: 25115896849
    Dropped packets: 1291637
    Replay failures: 220
    Authentications: 25114592561
    Authentication failures: 0
    Decryptions: 25114592564
    Decryption failures: 0
    TFC Packets: 12836
    Decapsulated fragments needing reassembly: 17418535
    Valid ICMP Errors rcvd: 0
    Invalid ICMP Errors rcvd: 0
Outbound
    Bytes: 37818073925334
    Uncompressed bytes: 37818837785556
    Packets: 38014583887
    Dropped packets: 2413164
    Authentications: 38020189281
    Authentication failures: 0
    Encryptions: 38020191839
    Encryption failures: 0
    TFC Packets: 0
    Fragmentation successes: 7763651
        Pre-fragmentation successses: 7763651
        Post-fragmentation successes: 0
    Fragmentation failures: 267158
        Pre-fragmentation failures: 267158
        Post-fragmentation failures: 0
    Fragments created: 15527302
    PMTUs sent: 267158
    PMTUs rcvd: 185
Protocol failures: 0
Missing SA failures: 255102
System capacity failures: 3167258

Does anyone have any knowledge of what this is referring to specifically?

 

Cheers,  Dale

Accepted Solutions

Hi,

What is the model of ASA you have, and how many VPN sessions do you get on average during the peak hours?

 

Capacity failure occurs when it runs out of capacity of the hardware or over utilization.

 

Regards

Karthik

Sorry Karthik, I was away on vacation and just checking back in with this again.

It is an ASA5510 and as you can see we average about 40 to 50 tunnels.

The outside link is a 100Mb and the inside is 1Gb. The DMZ is a 100Mb.

The actual performance metrics evidenced on this don't show any real buffer drops or steady high-interface utilization to be just throughput performance (of course there may be some spikes I'm not seeing in our sampling).

I'm just curious to see exactly what triggers that counter and if I can figure that out, I can focus on something to prove any requirement to upgrade this model if required.

 

Cheers,

Dale.
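
An added example, not part of the thread and not Cisco tooling: a Python sketch that parses two polls of the `show crypto ipsec stats` output and reports which counters grew and by how much per million outbound packets, so growth in "System capacity failures" can be lined up with traffic intervals. It assumes the counters are running totals; the first sample reuses values from the output posted above, the second is constructed, and the function names are hypothetical.

```python
import re

# Subset of the output posted in the question (same layout and values).
SNAPSHOT_1 = """\
# sho crypto ipsec stats
IPsec Global Statistics
-----------------------
Active tunnels: 41
Inbound
    Packets: 25115896849
Outbound
    Packets: 38014583887
    Dropped packets: 2413164
    Fragmentation failures: 267158
        Pre-fragmentation failures: 267158
Missing SA failures: 255102
System capacity failures: 3167258
"""
# Constructed second poll: two counters changed to simulate a later sample.
SNAPSHOT_2 = (SNAPSHOT_1.replace("38014583887", "38014683887")
                        .replace("3167258", "3167958"))

LINE = re.compile(r"^(\s*)([A-Za-z][^:]*?)(?::\s*(\d+))?\s*$")

def parse_ipsec_stats(text):
    """Map 'Section.Counter' paths to ints; indentation defines the nesting."""
    stats, stack = {}, []            # stack: (indent, name) of enclosing lines
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:                    # blank lines, the prompt line, the dashed rule
            continue
        indent, name, value = len(m.group(1)), m.group(2), m.group(3)
        while stack and stack[-1][0] >= indent:
            stack.pop()              # leave sections that are not parents of this line
        if value is not None:
            stats[".".join([n for _, n in stack] + [name])] = int(value)
        stack.append((indent, name))
    return stats

def counter_growth(before, after):
    """Counters that increased between two polls, with the size of the increase."""
    return {k: after[k] - before[k] for k in after
            if k in before and after[k] > before[k]}

def per_million_outbound(growth):
    """Growth of each counter per million outbound packets in the same interval."""
    pkts = growth.get("Outbound.Packets", 0)
    return {k: round(v * 1_000_000 / pkts, 1) for k, v in growth.items()
            if pkts and k != "Outbound.Packets"}
```

Polling at a fixed interval and feeding consecutive outputs to `counter_growth` shows whether the failures accumulate steadily or only during particular periods.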
