90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!
High discard transmit count and TCP Out-of-order issue
I noticed in my monitoring software (Solarwinds NPM) the other day that the interface connecting our main switch stack and our router has over 20 million (million!) transmit discards and climbing. My network has about 150-200 devices on it, this discard amount seems ridiculously high to me. We aren't having any noticeable network slowness, and had I not looked at this particular screen in the monitor software I wouldn't have known there was an issue at all. That being said, it was time to investigate.
I ran a "sh int" on my switch stack interface (gig speed) on my stack of 4 Cisco 3750 switches. Nothing looked unusual. Ran the same command on my core router (Cisco 2821) inside interface (gig speed). One thing stood out: 1237956 unknown protocol drops and rising. It's not 20 million but it's a good start.
Tracked down this article: https://supportforums.cisco.com/docs/DOC-15490 and made sure DTP, CDP, LLDP, VTP are not applied/enable on either where applicable. Checked, protocol drop count was still going up.
SPAN’d (mirrored) the switch port we're having problems with to sniff the traffic with Wireshark. Results show I’m getting a lot of “TCP Retransmission” “TCP Out-of-order” and “TCP Dup ACK”. From my research these errors show a bottle neck somewhere, I'm unsure of where that bottleneck is as everything is gigabit speed leading from the PC out to the internet. PC <--gig--> Switch <--gig--> Router <--gig--> Firewall.
My question: where do I go from here as far as figuring out where this bottleneck is? Or alternatively if it's not a bottleneck, what settings need to be changed to fix the unknown protocol drops?
I ran a "sh int" on my switch stack interface (gig speed) on my stack of 4 Cisco 3750 switches. Nothing looked unusual. Ran the same command on my core router (Cisco 2821) inside interface (gig speed). One thing stood out: 1237956 unknown protocol drops and rising. It's not 20 million but it's a good start.
Tracked down this article: https://supportforums.cisco.com/docs/DOC-15490 and made sure DTP, CDP, LLDP, VTP are not applied/enable on either where applicable. Checked, protocol drop count was still going up.
SPAN’d (mirrored) the switch port we're having problems with to sniff the traffic with Wireshark. Results show I’m getting a lot of “TCP Retransmission” “TCP Out-of-order” and “TCP Dup ACK”. From my research these errors show a bottle neck somewhere, I'm unsure of where that bottleneck is as everything is gigabit speed leading from the PC out to the internet. PC <--gig--> Switch <--gig--> Router <--gig--> Firewall.
My question: where do I go from here as far as figuring out where this bottleneck is? Or alternatively if it's not a bottleneck, what settings need to be changed to fix the unknown protocol drops?
Asked:
-
4
2
1 Solution
LVL 13
Most of them are collisions I would bet. I would check your frame sizes and duplex settings on devices.
How would check to see if it was collisions or not? How would I determine what the optimal frame size and duplex settings are?
You would have to do this app by app and device by device. Inventory all your gear and start reading recommended settings. Most could be solved by setting duplex to x-full instead of auto-negotiate.
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
Join & Write a Comment Already a member? Login.
Featured Post
As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!
Tackle projects and never again get stuck behind a technical roadblock.
Join Now