Solved

input errors/overruns on inside interface of Cisco ASA5520 (Version 8.2.5)

Posted on 2014-12-15
Last Modified: 2015-01-28
I have an ASA5520 running version 8.2.5. I am receiving a lot of input errors, which are all overruns. It doesn't seem to be affecting performance, but I would like to fix it. To help troubleshoot the problem I configured NetFlow on the ASA and have it send information to my SolarWinds NetFlow collector. I have a 100Mbps internet circuit, and over the last month, I've only hit 50Mbps once, so it can't be an oversubscription issue as I have lots of bandwidth to spare. Usually I'm well below 50Mbps. Now I'm getting the overruns on the inside interface. It is configured at 1GB and the switch that connects to it is also 1GB (Cisco 3560G). I'm reading that it could be bursts of traffic. How do I find out where these bursts of traffic are coming from and begin to troubleshoot? I could enable flow control, but doesn't that just put a bandage on the problem? I would really like to know what is happening. Cisco TAC's solution was to enable flow control; they wouldn't really go farther than that, and basically said they will do no more troubleshooting until flow control is enabled. Is this a viable solution? Any suggestions or advice from someone who has had a similar problem would be greatly appreciated. Thanks!
Question by:denver218
4 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 40501459
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115985-asa-overrun-product-tech-note-00.html

Causes of Interface Overruns

Interface overrun errors are usually caused by a combination of these factors:

    Software level - The ASA software does not pull the packets off of the interface FIFO queue fast enough. This causes the FIFO queue to fill up and new packets to be dropped.

    Hardware level - The rate at which packets come into the interface is too fast, which causes the FIFO queue to fill before the ASA software can pull the packets off. Usually, a burst of packets causes the FIFO queue to fill up to maximum capacity in a short amount of time.


Personally, I'm not sure what you're wanting from this forum if you already have a TAC case open.
0
 
LVL 4

Author Comment

by:denver218
ID: 40502473
I'm not having any luck with TAC, which is why I posted this question to see if anyone has experienced the same problem.  I still have the case open and am working with them.
0
 
LVL 28

Accepted Solution

by:
asavener earned 2000 total points
ID: 40502519
It's not uncommon for bursts of traffic to hit the inside interface, get dropped due to bandwidth limitations, and then slowly ramp back up.  Especially when you're using the IPS module.

I've seen several times where putting a router in line with the ASA, then configuring QoS on the router, would improve throughput on the firewall.  Usually, though, it's just cheaper and easier to buy more bandwidth.  QoS needs to be tweaked, bandwidth/policing settings must be correct, WRED settings must be correct, etc. for the in-line router solution to work correctly.

(Bottom line is that the ASA is a firewall, and does firewall tasks very well.  It will just drop traffic, though, and I've found that configuring QoS on the firewall has not been rewarding.)
0
 
LVL 4

Author Comment

by:denver218
ID: 40502542
I've had netflow configured on the device for a couple weeks now and bandwidth on the outside and inside interface has been very minimal.  I do have an IPS module (AIP-SSM-20).  I'm getting some overruns right now on the inside interface and the bandwidth on the outside interface is 9.956Mbps and the bandwidth on the inside interface is 9.662Mbps.
0
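
The FIFO behaviour quoted from the Cisco tech note, and the flow control option raised in the question, as an added example that is not part of the thread or of Cisco's documentation. It is a simplified model in which the ring size, drain rate, line rate and pause threshold are all constructed values; it compares evenly spread traffic with bursty traffic of the same 1% average load.

```python
# Simplified model of one receive FIFO. All numbers are constructed for
# illustration; they are not ASA5520 hardware values.
LINE_RATE = 100   # most packets the wire can deliver in one tick
RING_SIZE = 256   # slots in the receive FIFO
DRAIN = 20        # packets the software pulls off the FIFO per tick


def smooth(ticks):
    """1 packet every tick: 1% of line rate, evenly spread."""
    return [1] * ticks


def bursty(ticks, period=1000, burst_ticks=10):
    """Same 1% average, sent as line-rate bursts of burst_ticks ticks."""
    return [LINE_RATE if t % period < burst_ticks else 0 for t in range(ticks)]


def simulate(arrivals, pause_at=None):
    """Return (overruns, peak_fifo_depth, peak_sender_backlog).

    pause_at=None: no flow control, packets hit the wire as they arrive.
    pause_at=N: the sender holds packets in its own buffer whenever the
    FIFO depth is at or above N (a stand-in for pause frames).
    """
    depth = overruns = peak = backlog = peak_backlog = 0
    for n in arrivals:
        backlog += n
        paused = pause_at is not None and depth >= pause_at
        sent = 0 if paused else min(backlog, LINE_RATE)
        backlog -= sent
        accepted = min(sent, RING_SIZE - depth)   # FIFO full => overrun
        overruns += sent - accepted
        depth += accepted
        peak = max(peak, depth)
        peak_backlog = max(peak_backlog, backlog)
        depth = max(0, depth - DRAIN)             # software drains the FIFO
    return overruns, peak, peak_backlog


if __name__ == "__main__":
    for label, traffic, mark in (("smooth", smooth(10_000), None),
                                 ("bursty", bursty(10_000), None),
                                 ("bursty + pause", bursty(10_000), 128)):
        print(label, sum(traffic), "pkts ->", simulate(traffic, mark))
```

In this model an averaged rate, which is what a NetFlow graph shows, is identical for both patterns, yet only the bursty one overruns. The pause threshold removes the overruns by holding the backlog in the sender's buffer; the burst itself is unchanged.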

Question has a verified solution.