Aeroquinn

asked on

Packets dropped on VLAN interfaces on Cisco ASA


Our Cisco ASA is showing a large number of packets dropped on both VLAN interfaces (inside and outside), but the physical interfaces are not reporting the same. What would cause this issue?

fmg-fw# sh int
Interface Vlan1 "inside", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
        MAC address c84c.7561.2509, MTU 1500
        IP address 192.168.1.1, subnet mask 255.255.255.0
  Traffic Statistics for "inside":
        882431847 packets input, 341832925500 bytes
        978670216 packets output, 973828835219 bytes
        23959504 packets dropped
      1 minute input rate 453 pkts/sec,  226367 bytes/sec
      1 minute output rate 499 pkts/sec,  521565 bytes/sec
      1 minute drop rate, 3 pkts/sec
      5 minute input rate 429 pkts/sec,  227337 bytes/sec
      5 minute output rate 501 pkts/sec,  527221 bytes/sec
      5 minute drop rate, 3 pkts/sec
Interface Vlan2 "outside", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
        MAC address c84c.7561.2509, MTU 1500
        IP address 66.49.55.74, subnet mask 255.255.255.248
  Traffic Statistics for "outside":
        981700317 packets input, 974118544047 bytes
        832667112 packets output, 335521137359 bytes
        6049933 packets dropped
      1 minute input rate 515 pkts/sec,  525824 bytes/sec
      1 minute output rate 449 pkts/sec,  225330 bytes/sec
      1 minute drop rate, 17 pkts/sec
      5 minute input rate 516 pkts/sec,  530941 bytes/sec
      5 minute output rate 425 pkts/sec,  226324 bytes/sec
      5 minute drop rate, 15 pkts/sec
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Input flow control is unsupported, output flow control is unsupported
        Available but not configured via nameif
        MAC address c84c.7561.2501, MTU not set
        IP address unassigned
        983060731 packets input, 992444474940 bytes, 0 no buffer
        Received 11 broadcasts, 0 runts, 0 giants
        2 input errors, 1 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        1330437 switch ingress policy drops
        832669170 packets output, 352310490094 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        0 rate limit drops
        0 switch egress policy drops
Interface Ethernet0/1 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Auto-Duplex, Auto-Speed
        Input flow control is unsupported, output flow control is unsupported
        Available but not configured via nameif
        MAC address c84c.7561.2502, MTU not set
        IP address unassigned
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 switch ingress policy drops
        0 packets output, 0 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        0 rate limit drops
        0 switch egress policy drops
Interface Ethernet0/2 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Input flow control is unsupported, output flow control is unsupported
        Available but not configured via nameif
        MAC address c84c.7561.2503, MTU not set
        IP address unassigned
        918970464 packets input, 373128011969 bytes, 0 no buffer
        Received 48511413 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        18539411 switch ingress policy drops
        978672288 packets output, 991975125448 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        0 rate limit drops
        0 switch egress policy drops
Interface Ethernet0/3 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Auto-Duplex, Auto-Speed
        Input flow control is unsupported, output flow control is unsupported
        Available but not configured via nameif
        MAC address c84c.7561.2504, MTU not set
        IP address unassigned
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 switch ingress policy drops
<--- More --->
ASKER CERTIFIED SOLUTION
Justin Ellenbecker
Aeroquinn

ASKER

So, this has nothing to do with interface configurations? I know most of the time I will see CRC or interface errors.
Yup, if there are no CRCs it usually just means you have something that is broadcasting or hammering an IP that is not answering anymore. The VLAN is dropping it instead of flooding all of the other machines on that VLAN.

You could crank up debugging and see if it shows you where the packets are coming from; you should be able to see every drop if you crank it high enough, but fair warning: turning debugging up too high can crash the system. There is sometimes too much output for it to parse.

If you think it may be an ACL, you can add log to the end of the ACL line and that will log it for you to see how many are being hit. I had this happen on my home router; my ISP called me and said I was pinging the crap out of something. I installed an ACL allow rule for ICMP with log and found it was actually my AV software pinging all the update servers. Poorly written software caused me hours of headaches; hope this helps save you some.

Odds are, though, like I said, because it is in the VLAN and not the interfaces, you are fine. Offer still stands to go over it though if you like.
Also I did the math:

0.0061627086140586425011819569372717

That's if it was only dropping input packets on your "outside". 0.6% of all packets coming in are dropped; that's not a bad number for an outside interface.

Your inside is about 2% doing it the same way, input packets only. Without the whole config it's hard to know exactly where it is, but with that number of packets I wouldn't be concerned unless you are seeing issues with connectivity or performance.
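The arithmetic above (packets dropped divided by packets input, per interface) is easy to get wrong by hand across a long `show interface` listing, and the same listing also carries the CRC/input-error counters the asker mentioned and the "switch ingress policy drops" counters on the physical ports. The following is an added example, not code from the thread or from Cisco: a small parser that reads ASA `show interface` text, computes the drop ratio for each interface the same way the reply does, and flags SVIs above a threshold plus any physical port with input errors or policy drops. The sample text is constructed from the counters posted in the question (trimmed to the lines the parser uses), and the 1% SVI threshold is an arbitrary assumption for illustration, not a Cisco recommendation.

```python
"""Parse Cisco ASA `show interface` output and compute per-interface drop ratios.

Added example: not part of the original thread. The SAMPLE text is constructed
from the counters the asker posted; the 1% threshold in assess() is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: counters copied from the thread's `show interface` output,
# keeping only the lines this parser reads.
SAMPLE = """\
Interface Vlan1 "inside", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
  Traffic Statistics for "inside":
        882431847 packets input, 341832925500 bytes
        978670216 packets output, 973828835219 bytes
        23959504 packets dropped
Interface Vlan2 "outside", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
  Traffic Statistics for "outside":
        981700317 packets input, 974118544047 bytes
        832667112 packets output, 335521137359 bytes
        6049933 packets dropped
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        983060731 packets input, 992444474940 bytes, 0 no buffer
        2 input errors, 1 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        1330437 switch ingress policy drops
        832669170 packets output, 352310490094 bytes, 0 underruns
Interface Ethernet0/2 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        918970464 packets input, 373128011969 bytes, 0 no buffer
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        18539411 switch ingress policy drops
        978672288 packets output, 991975125448 bytes, 0 underruns
"""


@dataclass
class IfaceStats:
    name: str            # e.g. "Vlan1" or "Ethernet0/0"
    nameif: str          # the configured nameif, "" if none
    status: str          # "up" / "down"
    hardware: str = ""   # "EtherSVI" for VLAN interfaces, chip name for ports
    packets_input: int = 0
    packets_output: int = 0
    packets_dropped: int = 0
    input_errors: int = 0
    crc: int = 0
    ingress_policy_drops: int = 0


_HEADER = re.compile(r'^Interface (\S+) "([^"]*)", is (\w+), line protocol is (\w+)')
_HW = re.compile(r"^\s*Hardware is (\S+),")
_ERRORS = re.compile(r"^\s*(\d+) input errors, (\d+) CRC")
_FIELDS = [
    ("packets_input", re.compile(r"^\s*(\d+) packets input")),
    ("packets_output", re.compile(r"^\s*(\d+) packets output")),
    ("packets_dropped", re.compile(r"^\s*(\d+) packets dropped")),
    ("ingress_policy_drops", re.compile(r"^\s*(\d+) switch ingress policy drops")),
]


def parse_show_interface(text: str) -> Dict[str, IfaceStats]:
    """Split the listing into one IfaceStats per 'Interface ...' block."""
    ifaces: Dict[str, IfaceStats] = {}
    cur: Optional[IfaceStats] = None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            cur = IfaceStats(name=m.group(1), nameif=m.group(2), status=m.group(3))
            ifaces[cur.name] = cur
            continue
        if cur is None:
            continue  # skip anything before the first interface block
        m = _HW.match(line)
        if m:
            cur.hardware = m.group(1)
            continue
        m = _ERRORS.match(line)
        if m:
            cur.input_errors, cur.crc = int(m.group(1)), int(m.group(2))
            continue
        for attr, rx in _FIELDS:
            m = rx.match(line)
            if m:
                setattr(cur, attr, int(m.group(1)))
                break
    return ifaces


def drop_ratio(s: IfaceStats) -> float:
    """Drops as a fraction of packets input, the same arithmetic the reply uses.
    This is an approximation: the ASA 'packets dropped' counter is not strictly
    a subset of the input counter, but it is the ratio the thread discusses."""
    return s.packets_dropped / s.packets_input if s.packets_input else 0.0


def assess(ifaces: Dict[str, IfaceStats], svi_threshold: float = 0.01) -> List[Tuple[str, str, float]]:
    """Return (interface, finding, value) triples worth a closer look.
    svi_threshold (1% by default) is an assumed cut-off for this example."""
    findings: List[Tuple[str, str, float]] = []
    for s in ifaces.values():
        if s.hardware == "EtherSVI" and drop_ratio(s) > svi_threshold:
            findings.append((s.name, "vlan_drop_ratio", drop_ratio(s)))
        if s.input_errors or s.crc:
            findings.append((s.name, "input_errors", s.input_errors))
        if s.ingress_policy_drops:
            findings.append((s.name, "ingress_policy_drops", s.ingress_policy_drops))
    return findings


if __name__ == "__main__":
    stats = parse_show_interface(SAMPLE)
    for s in stats.values():
        print(f"{s.name:12} {s.nameif or '-':8} drop ratio {drop_ratio(s):.4%}")
    for name, kind, value in assess(stats):
        print(f"FLAG {name}: {kind} = {value}")
```

Run against the live box with `show interface` piped into a file and fed to `parse_show_interface()`; the point of separating `assess()` from the parser is that the threshold and the set of counters you care about are policy, and can be tuned without touching the parsing. Counting drops against input only mirrors the thread's arithmetic; if you want a per-direction view you need `show asp drop`, which this example does not parse.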
Thanks for your input.
No problem. One quick follow-up: I just ran the same thing on my PIX and we are very similar on the numbers. Here are mine from a PIX in production.


Traffic Statistics for "external":
        300668882 packets input, 229126775724 bytes
        271074084 packets output, 66678062622 bytes
        6304378 packets dropped