Solved

input errors/overruns on inside interface of Cisco ASA5520 (Version 8.2.5)

Posted on 2014-12-15
Last Modified: 2015-01-28
I have an ASA5520 running version 8.2.5. I am receiving a lot of input errors, which are all overruns. It doesn't seem to be affecting performance, but I would like to fix it. To help troubleshoot the problem I configured NetFlow on the ASA and have it send information to my SolarWinds NetFlow collector. I have a 100Mbps internet circuit, and over the last month I've only hit 50Mbps once, so it can't be an oversubscription issue as I have lots of bandwidth to spare. Usually I'm well below 50Mbps. Now I'm getting the overruns on the inside interface. It is configured at 1GB and the switch that connects to it is also 1GB (Cisco 3560G). I'm reading that it could be bursts of traffic. How do I find out where these bursts of traffic are coming from and begin to troubleshoot? I could enable flow control, but doesn't that just put a bandage on the problem? I would really like to know what is happening. Cisco TAC's solution was to enable flow control; they wouldn't really go farther than that, and basically said they will do no more troubleshooting until flow control is enabled. Is this a viable solution? Any suggestions or advice from someone who has had a similar problem would be greatly appreciated. Thanks!
0
Question by:denver218
4 Comments
 

Expert Comment

by:asavener
ID: 40501459
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115985-asa-overrun-product-tech-note-00.html

Causes of Interface Overruns

Interface overrun errors are usually caused by a combination of these factors:

    Software level - The ASA software does not pull the packets off of the interface FIFO queue fast enough. This causes the FIFO queue to fill up and new packets to be dropped.

    Hardware level - The rate at which packets come into the interface is too fast, which causes the FIFO queue to fill before the ASA software can pull the packets off. Usually, a burst of packets causes the FIFO queue to fill up to maximum capacity in a short amount of time.


Personally, I'm not sure what you're wanting from this forum if you already have a TAC case open.
0
 

Author Comment

by:denver218
ID: 40502473
I'm not having any luck with TAC, which is why I posted this question to see if anyone has experienced the same problem.  I still have the case open and am working with them.
0
 

Accepted Solution

by:
asavener earned 500 total points
ID: 40502519
It's not uncommon for bursts of traffic to hit the inside interface, get dropped due to bandwidth limitations, and then slowly ramp back up.  Especially when you're using the IPS module.

I've seen several times where putting a router in line with the ASA, then configuring QoS on the router, would improve throughput on the firewall.  Usually, though, it's just cheaper and easier to buy more bandwidth.  QoS needs to be tweaked, bandwidth/policing settings must be correct, WRED settings must be correct, etc. for the in-line router solution to work correctly.

(Bottom line is that the ASA is a firewall, and does firewall tasks very well.  It will just drop traffic, though, and I've found that configuring QoS on the firewall has not been rewarding.)
0
 

Author Comment

by:denver218
ID: 40502542
I've had NetFlow configured on the device for a couple weeks now and bandwidth on the outside and inside interface has been very minimal. I do have an IPS module (AIP-SSM-20). I'm getting some overruns right now on the inside interface and the bandwidth on the outside interface is 9.956Mbps and the bandwidth on the inside interface is 9.662Mbps.
0
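
The situation in this thread, overruns on an interface whose NetFlow average is about 10 Mbps, can be reproduced with a toy model of the interface FIFO described in the quoted Cisco note. This is an added example, not part of the original posts; the FIFO depth, drain rate, packet size and 1 ms tick are assumptions chosen for illustration, not ASA5520 specifications.

```python
# Toy FIFO model: the same one-second average rate, delivered smoothly vs. as a
# line-rate burst. All constants are illustrative assumptions, not ASA values.
PKT_BYTES = 1500          # assumed packet size
TICKS = 1000              # 1000 ticks of 1 ms = one averaging second
LINE_RATE_PKTS = 83       # ~1 Gbps of 1500-byte packets per 1 ms tick
FIFO_DEPTH = 256          # assumed receive FIFO size, in packets
DRAIN_PER_TICK = 20       # assumed packets the software pulls per 1 ms tick
TOTAL_PKTS = 833          # ~10 Mbps worth of packets in one second


def simulate(arrivals, drain=DRAIN_PER_TICK, depth_limit=FIFO_DEPTH):
    """Return (overruns, peak_depth) for a list of per-tick packet arrivals."""
    depth = overruns = peak = 0
    for arriving in arrivals:
        accepted = min(arriving, depth_limit - depth)
        overruns += arriving - accepted      # FIFO full: packet is dropped
        depth += accepted
        peak = max(peak, depth)
        depth -= min(depth, drain)           # software empties part of the FIFO
    return overruns, peak


def average_mbps(arrivals):
    """Average rate over the whole window, which is what a flow report shows."""
    seconds = len(arrivals) / 1000
    return sum(arrivals) * PKT_BYTES * 8 / 1e6 / seconds


def smooth_pattern():
    """TOTAL_PKTS spread evenly: 0 or 1 packet per tick."""
    return [(i + 1) * TOTAL_PKTS // TICKS - i * TOTAL_PKTS // TICKS
            for i in range(TICKS)]


def burst_pattern():
    """The same TOTAL_PKTS arriving back to back at line rate, then silence."""
    full, rest = divmod(TOTAL_PKTS, LINE_RATE_PKTS)
    burst = [LINE_RATE_PKTS] * full + [rest]
    return burst + [0] * (TICKS - len(burst))


if __name__ == "__main__":
    for name, pattern in (("smooth", smooth_pattern()), ("burst", burst_pattern())):
        overruns, peak = simulate(pattern)
        print(f"{name:6s} avg={average_mbps(pattern):.3f} Mbps "
              f"overruns={overruns} peak_fifo={peak}")
```

Both patterns report the same average rate, but only the burst fills the FIFO and produces overruns, which is why per-minute bandwidth graphs do not rule bursts out.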
