essexboy80
asked on
Cisco - VPN and Fragmented Packets
Hi,
When I am trying to copy a file across to a server that is on the other end of a VPN Tunnel the copy keeps dropping out (the file is only 164MB).
Is there some way to find out why this is happening?
Also is there a setting to allow fragmented packets?
Thanks
ASKER
Hi,
I have followed through the document and made the appropriate changes, yet I am still experiencing these issues.
It happens if I try and copy files from HQ to Branch Office and also HQ to DR Site.
Does anyone have any additional suggestions as to what could be causing this issue?
Thanks
Paul
On the PIX, can you run 'show interface detail' and post the results please?
Also a 'show fragment outside', and there are a few 'show vpdn ?' for some more details on the VPN traffic.
ASKER
Here are the requested details
SHOW INTERFACE DETAIL
Interface Ethernet0/0 "inside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
Description: LAN
MAC address 0021.d871.8aaa, MTU 1500
IP address 192.168.100.254, subnet mask 255.255.252.0
1575589404 packets input, 658818951576 bytes, 357 no buffer
Received 210524347 broadcasts, 0 runts, 0 giants
29921343 input errors, 29920161 CRC, 0 frame, 1182 overrun, 0 ignored, 0 abort
0 L2 decode drops
2055639042 packets output, 1119573624138 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (5/33) software (0/0)
output queue (curr/max packets): hardware (0/113) software (0/0)
Traffic Statistics for "inside":
1575383153 packets input, 624753756410 bytes
2055639042 packets output, 1081550968635 bytes
226420539 packets dropped
1 minute input rate 1370 pkts/sec, 272981 bytes/sec
1 minute output rate 1855 pkts/sec, 580759 bytes/sec
1 minute drop rate, 326 pkts/sec
5 minute input rate 1460 pkts/sec, 345497 bytes/sec
5 minute output rate 1895 pkts/sec, 581194 bytes/sec
5 minute drop rate, 368 pkts/sec
Control Point Interface States:
Interface number is 2
Interface config status is active
Interface state is active
Interface Ethernet0/1 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
Description: Easynet Internet Line
MAC address 0021.d871.8aab, MTU 1260
IP address 217.x.x.x, subnet mask 255.255.255.248
429754547 packets input, 169116775322 bytes, 0 no buffer
Received 5428 broadcasts, 0 runts, 0 giants
814570 input errors, 814570 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
563623971 packets output, 467534907262 bytes, 0 underruns
0 output errors, 0 collisions, 7 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (0/25) software (0/0)
output queue (curr/max packets): hardware (0/27) software (0/0)
Traffic Statistics for "outside":
429791613 packets input, 161177674932 bytes
563624071 packets output, 457070219504 bytes
969745 packets dropped
1 minute input rate 195 pkts/sec, 77434 bytes/sec
1 minute output rate 197 pkts/sec, 88623 bytes/sec
1 minute drop rate, 1 pkts/sec
5 minute input rate 270 pkts/sec, 118041 bytes/sec
5 minute output rate 289 pkts/sec, 126875 bytes/sec
5 minute drop rate, 1 pkts/sec
Control Point Interface States:
Interface number is 3
Interface config status is active
Interface state is active
Interface Ethernet0/2 "backup", is administratively down, line protocol is down
Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
MAC address 0021.d871.8aac, MTU 1500
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (0/0) software (0/0)
output queue (curr/max packets): hardware (0/0) software (0/0)
Traffic Statistics for "backup":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Control Point Interface States:
Interface number is 4
Interface config status is not active
Interface state is not active
Interface Ethernet0/3 "", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 0022.55cf.59b9, MTU not set
IP address unassigned
1643549540 packets input, 1000548477098 bytes, 0 no buffer
Received 142470 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
905865889 packets output, 95309103871 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (1/29) software (0/0)
output queue (curr/max packets): hardware (0/127) software (0/0)
Control Point Interface States:
Interface number is 5
Interface config status is active
Interface state is active
Interface Ethernet0/3.10 "bloomberg", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
VLAN identifier 10
Description: Bloomberg DMZ
MAC address 0021.d871.8aad, MTU 1500
IP address 192.168.10.1, subnet mask 255.255.255.248
Traffic Statistics for "bloomberg":
888820750 packets input, 163270500608 bytes
482411558 packets output, 20662435577 bytes
160865 packets dropped
Control Point Interface States:
Interface number is 12
Interface config status is active
Interface state is active
Control Point Vlan10 States:
Interface vlan config status is active
Interface vlan state is UP
Interface Ethernet0/3.20 "reuters", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
VLAN identifier 20
Description: Reuters DMZ
MAC address 0021.d871.8aad, MTU 1500
IP address 192.168.20.1, subnet mask 255.255.255.0
Traffic Statistics for "reuters":
472955515 packets input, 467283162630 bytes
258954169 packets output, 10519960553 bytes
21283 packets dropped
Control Point Interface States:
Interface number is 11
Interface config status is active
Interface state is active
Control Point Vlan20 States:
Interface vlan config status is active
Interface vlan state is UP
Interface Ethernet0/3.30 "dmz", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
VLAN identifier 30
Description: DMZ
MAC address 0021.d871.8aad, MTU 1500
IP address 192.168.30.1, subnet mask 255.255.255.0
Traffic Statistics for "dmz":
281133915 packets input, 333674073980 bytes
163586494 packets output, 41427363910 bytes
33227 packets dropped
Control Point Interface States:
Interface number is 10
Interface config status is active
Interface state is active
Control Point Vlan30 States:
Interface vlan config status is active
Interface vlan state is UP
Interface Ethernet0/3.40 "wifi", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
VLAN identifier 40
MAC address 0021.d871.8aad, MTU 1500
IP address 192.168.40.1, subnet mask 255.255.255.0
Traffic Statistics for "wifi":
639676 packets input, 53270401 bytes
913872 packets output, 1099731624 bytes
69809 packets dropped
Control Point Interface States:
Interface number is 9
Interface config status is active
Interface state is active
Control Point Vlan40 States:
Interface vlan config status is active
Interface vlan state is UP
Interface Ethernet0/3.50 "fix", is administratively down, line protocol is down
Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
VLAN identifier 50
MAC address 0021.d871.8aad, MTU 1500
IP address 192.168.50.1, subnet mask 255.255.255.0
Traffic Statistics for "fix":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
Control Point Interface States:
Interface number is 8
Interface config status is not active
Interface state is not active
Control Point Vlan50 States:
Interface vlan config status is not active
Interface vlan state is DOWN
Interface Management0/0 "failover", is up, line protocol is up
Hardware is i82557, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Description: LAN Failover Interface
MAC address 0022.55cf.59ba, MTU 1500
IP address 192.168.1.2, subnet mask 255.255.255.248
2765426 packets input, 242885180 bytes, 0 no buffer
Received 47 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
2765858 packets output, 252071092 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
7 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (0/1) software (0/13)
output queue (curr/max packets): hardware (0/9) software (0/1)
Traffic Statistics for "failover":
2765986 packets input, 204124376 bytes
2766162 packets output, 213330288 bytes
0 packets dropped
1 minute input rate 1 pkts/sec, 105 bytes/sec
1 minute output rate 1 pkts/sec, 109 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 1 pkts/sec, 106 bytes/sec
5 minute output rate 1 pkts/sec, 111 bytes/sec
5 minute drop rate, 0 pkts/sec
Control Point Interface States:
Interface number is 6
Interface config status is active
Interface state is active
Interface Virtual254 "", is up, line protocol is up
Hardware is Virtual Available but not configured via nameif
MAC address 0000.0000.0000, MTU not set
IP address unassigned
Control Point Interface States:
Interface number is 7
Interface config status is active
Interface state is active
SHOW FRAGMENT OUTSIDE
Interface: outside
Size: 200, Chain: 24, Timeout: 5, Reassembly: virtual
Queue: 0, Assembled: 341, Fail: 5975, Overflow: 0
Looks like the outside had several interface resets. Can you try the copy again to verify if this counter increases?
You may have an issue with the last mile link on the outside interface.
What is it connected to?
Interface Ethernet0/1 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
Description: Easynet Internet Line
MAC address 0021.d871.8aab, MTU 1260
IP address 217.x.x.x, subnet mask 255.255.255.248
429754547 packets input, 169116775322 bytes, 0 no buffer
Received 5428 broadcasts, 0 runts, 0 giants
814570 input errors, 814570 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
563623971 packets output, 467534907262 bytes, 0 underruns
0 output errors, 0 collisions, 7 interface resets
There are a large number of failures in reassembly of fragments. Have you enough memory? Is it always increasing, or were you attacked once off?
ASKER
Hi,
Please see at the bottom another copy of the output.
When you say the last mile link, which segment of the connection are you referring to?
The ASA is connected directly to our ISP-provided Cisco 1841 router. I am running a failover pair of ASAs that monitor both the inside and outside interface. Could this be causing an issue?
Not sure regarding the memory; what is the best thing to check?
Thanks
Interface Ethernet0/1 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
Description: Easynet Internet Line
MAC address 0021.d871.8aab, MTU 1260
IP address 217.206.142.234, subnet mask 255.255.255.248
453832295 packets input, 176207104286 bytes, 0 no buffer
Received 5603 broadcasts, 0 runts, 0 giants
895900 input errors, 895900 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
608541832 packets output, 499878216162 bytes, 0 underruns
0 output errors, 0 collisions, 7 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (0/25) software (0/0)
output queue (curr/max packets): hardware (0/29) software (0/0)
That's right, the segment: 217.x.x.x
or 217.206.142.234...
It does increase the points of failure; however, it shouldn't be an issue in its own right.
'show memory' will show you the memory usage.
It's a common issue where the fragments fail to get reassembled due to a lack of memory.
Or could also be an inject attack that happened at one time. Try resetting the fragment counters to monitor it.
Do you have SNMP logging, or even a syslog?
ASKER
Hi,
I have got a syslog server set up. What sort of thing should I look out for?
I have never experienced this issue before, but this is the first time I have used Cisco Firewalls.
Used to use Sonicwalls.
In the syslog server, you should have seen periods where large numbers of fragment rebuilds failed. Or they occur occasionally, which indicates another type of fault.
Are you up to date with the firmware?
What PIX is it? And what connection does it have?
ASKER
Hi,
Yeah latest Firmware and ASDM.
Cisco ASA 5510, with a 10MB Uncontended Service.
Couldn't it be the servers are timing out, or even lacking resources?
ASKER
When you say servers are you talking about my internal dns servers?
Whatever server you're downloading from...
Have you done the fragmentation test?
Any results?
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081e621.shtml
You're welcome to the points, but for my part, could you let me know what the resolution was please?
Did you do the fragmentation test? If not, why? Lack of instructions? Difficulty level? Environment? Permissions?
ASKER
Hi,
The issue was caused by the switch connected to my inside interface not having a hard coded speed/duplex setting.
Once I set this, everything functioned perfectly. I was seeing a very high number of CRC errors on this interface, but since the change none.
Paul
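The counters this thread ends up pointing at (CRC input errors per interface, interface resets, and the fragment Assembled/Fail totals) can be ranked mechanically instead of read by eye. The following is an added example, not code from any post in the thread; it parses an excerpt of the output posted above, and the function names and the 0.1% CRC threshold are assumptions.

```python
import re

# Excerpt of the 'show interface detail' output posted in the thread
# (header, duplex and counter lines only).
SAMPLE = """\
Interface Ethernet0/0 "inside", is up, line protocol is up
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
1575589404 packets input, 658818951576 bytes, 357 no buffer
29921343 input errors, 29920161 CRC, 0 frame, 1182 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 0 interface resets
Interface Ethernet0/1 "outside", is up, line protocol is up
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
429754547 packets input, 169116775322 bytes, 0 no buffer
814570 input errors, 814570 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 7 interface resets
Interface Management0/0 "failover", is up, line protocol is up
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
2765426 packets input, 242885180 bytes, 0 no buffer
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 0 interface resets
"""
# The 'show fragment outside' counter line from the same post.
FRAGMENT_LINE = "Queue: 0, Assembled: 341, Fail: 5975, Overflow: 0"

HEADER = re.compile(r'^\s*Interface (\S+) "([^"]*)", is ')
DUPLEX = re.compile(r'^\s*(Auto|Full|Half)-Duplex')
PKTS_IN = re.compile(r'^\s*(\d+) packets input')
CRC = re.compile(r'^\s*\d+ input errors, (\d+) CRC')
RESETS = re.compile(r'(\d+) interface resets')
FRAG = re.compile(r'Assembled: (\d+), Fail: (\d+)')


def parse_interfaces(text):
    """Return one dict of counters per 'Interface ...' block."""
    interfaces, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"port": m.group(1), "nameif": m.group(2),
                   "duplex_cfg": None, "packets_in": None,
                   "crc": 0, "resets": 0}
            interfaces.append(cur)
            continue
        if cur is None:
            continue
        if (m := DUPLEX.match(line)):
            # Word before '-Duplex' is the configured setting; the value
            # in parentheses on that line is the operational one.
            cur["duplex_cfg"] = m.group(1)
        elif (m := PKTS_IN.match(line)) and cur["packets_in"] is None:
            # First match is the hardware counter; the later
            # 'Traffic Statistics' line is ignored.
            cur["packets_in"] = int(m.group(1))
        elif (m := CRC.match(line)):
            cur["crc"] = int(m.group(1))
        elif (m := RESETS.search(line)):
            cur["resets"] = int(m.group(1))
    return interfaces


def crc_findings(text, threshold=0.001):
    """Interfaces whose CRC errors per input packet meet the threshold
    (assumed default: 0.1%), worst first."""
    findings = []
    for i in parse_interfaces(text):
        if not i["packets_in"]:
            continue
        rate = i["crc"] / i["packets_in"]
        if rate >= threshold:
            findings.append({
                "nameif": i["nameif"], "crc_rate": rate,
                "resets": i["resets"],
                # Speed/duplex forced on this end: the far end must be
                # forced to the same values or the pair can mismatch.
                "forced": i["duplex_cfg"] not in (None, "Auto"),
            })
    return sorted(findings, key=lambda f: f["crc_rate"], reverse=True)


def fragment_fail_ratio(line):
    """Share of reassembly attempts that failed: Fail / (Assembled + Fail)."""
    m = FRAG.search(line)
    if not m:
        raise ValueError("no Assembled/Fail counters in line")
    assembled, failed = int(m.group(1)), int(m.group(2))
    total = assembled + failed
    return failed / total if total else 0.0


if __name__ == "__main__":
    for f in crc_findings(SAMPLE):
        print(f"{f['nameif']}: CRC {f['crc_rate']:.3%}, "
              f"resets {f['resets']}, forced duplex {f['forced']}")
    print(f"fragment failures: {fragment_fail_ratio(FRAGMENT_LINE):.1%}")
```

On the thread's numbers this ranks inside (about 1.9% CRC per input packet) above outside (about 0.19%), and the fragment failure ratio comes out near 95%.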
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081e621.shtml
Do the fragmentation test; you may need to adjust your MTU.