Solved: Cisco 5505 Dropping Packets

ashley_dew · ‎08-19-2010

Hi,

I have a Cisco 5505, and I am having problem pinging the gateway on the outside. If was working fine when i just installed it and then stopped after a few hours.

I can see large number of 1334 switch ingress policy drops now.

The outside interface is connected to a Cisco Catalyst 2960G, with a vlan created between the gateway and the asa outside interface.

Gio/1 -vlan34 ---> service provider

gi0/2 -vlan 34 ---> asa 5505 outside e0/0 interface.

Gi0/3 -vlan 34 --> router

gi0/4 - vlan 34 --> PIX

The pix and router can ping the sp gateway with no problem.

Here is the interface configuration on the asa 5505

interface Vlan1
nameif inside
security-level 100
ip address 10.102.246.71 255.255.255.240
!
interface Vlan2
nameif outside
security-level 0
ip address xxxxxx 255.255.255.248

interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1

FW# sh int e0/0
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Available but not configured via nameif
        MAC address 0025.45fd.e466, MTU not set
        IP address unassigned
        1910 packets input, 141491 bytes, 0 no buffer
        Received 56 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        1334 switch ingress policy drops
        4 packets output, 256 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        0 rate limit drops
        0 switch egress policy drops
FW-#

I have checked there is no port security on the switch or the port is err-disabled on the switch.

Both ports on switch and asa are auto sensing and there is no problem of mismatch since there are no CRC.

Please help.

Thanks,

Ashley

manish arora · ‎08-19-2010

Hi ,

can you change the VLAN 2 on the asa to Vlan 34 as i can see the port on the switch is configured as VLAN 34. also , hardcode the speed and duplex on both of the devices ( switch & asa - full/100mbps).

Thanks

Manish

View solution in original post

Nagaraja Thanthry · ‎08-19-2010

Hello,

Can you please post the running configuration from the firewall here?

Regards,

NT

ashley_dew · ‎08-19-2010

Here is the running config

Nagaraja Thanthry · ‎08-19-2010

Hello,

Where are you trying to ping from? If you are trying to ping from the ASA,

it should work fine. However, if you try to ping from an internal client, it

may not work as you are missing the NAT configurations.

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

Please try the above configuration if you are trying to ping from inside

clients.

Hope this helps.

Regards,

NT

ashley_dew · ‎08-19-2010

Hi,

I was pinging from the ASA itself from console. with the outside and it is not working.

Thx,

Ashley

Nagaraja Thanthry · ‎08-19-2010

Hello,

What kind of cable you are using between the ASA and the switch? Can you use

a crossover cable and see if that helps?

Regards,

NT

manish arora · ‎08-19-2010

Hi ,

can you change the VLAN 2 on the asa to Vlan 34 as i can see the port on the switch is configured as VLAN 34. also , hardcode the speed and duplex on both of the devices ( switch & asa - full/100mbps).

Thanks

Manish

ashley_dew · ‎08-19-2010

Hi,

I did not try the duplex/speed hard coding on both sides, same thing. As you mentioned, there is a problem with the tagging.

I could have tried that.

Finally what i did, is to invert the vlans meaning vlan 1 - outside vlan 2 -- inside, so tagging on the outside and it works fine.

I will try your solution later and anyway thanks very much for your help guys.

Cheers,

Ashley

Nagaraja Thanthry · ‎08-20-2010

Hello,

How is the port connected to ASA5505 configured? Trunk or access port?

Regards,

NT

ashley_dew · ‎08-20-2010

Hi,

I am having the same problem on the inside interface when i have inter-changed.

The asa e0/1 -inside is connected to the switch with vlan 34 in access mode but still switch

48578 switch ingress policy drops

Ashley

ashley_dew · ‎08-19-2010

Hi,

Its a straight cable. I could change to cross but the catalyst is MDIX capable.

I think the problem is with vlan tagging or some sort. I have inserted the configuration vlan 1 is not oustside and vlan 2 is inside it works.

Weird.

Thanks,

Ashley

manish arora · ‎08-20-2010

Hi ash !

i would recommend you to hardcode the speed and duplex on the asa and upstream switch as i have seen some issues with asa 5505 connecting to higher speed interfaces where it shows that the auto negotiation at full + 100 mbps but it drops packets because of higher speed interface on the other end. test it with using ping rep 1000 , if you see drops than should hardcode the speed duplex on both ends.

thanks

Manish

ashley_dew · ‎08-20-2010

Hi, I have hard coded on both sides 100 full on asa and switch. Same problem.

I am running of ideas ...Any ideas.

Nagaraja Thanthry · ‎08-20-2010

Hello,

If I understand your topology correctly, you have a 2960 connecting to a

router, a PIX, and the ASA. Are there any address conflicts? Can you make

sure that on ASA5505, only one port is connected to 2960 (no physical

loops)? Can you try to ping ASA from one of the other devices and check the

MAC address assigned for that IP?

Regards,

NT

manish arora · ‎08-20-2010

The reason for switch ingress packet drops are :-

1> The port is not configured properly and the drops are incremented when a packet cannot be successfully forwarded within switch ports as a result these setting.

2> The namefi command was not configured on the vlan interface. if name if isnt configured , switching with the same vlan is still successful.

3> the vlan is shutdown.

4> an access port recieved an 802.1q tagged packet.

5> a trunk port recieved a tag that is not allowed or an untagged packet.

6> asa is connected to a cisco device or any other device that has ethernet keepalive.

7> The vlan only has one physical interface , but the dest of the packet does not match the mac add of the vlan and it is not the broadcast address.

thanks

manish