input errors/overruns on inside interface of Cisco ASA5520 (Version 8.2.5)

I have an ASA5520 running version 8.2.5.  I am receiving a lot of input errors which are all overruns.  Its doesn't seem to be affecting performance, but I would like to fix it.  To help troubleshoot the problem I configured netflow on the ASA and have it send information to my solarwinds netflow collector.  I have a 100Mbps internet circuit, and over the last month, I've only hit 50Mbps once, so it can't be an over subscription issue as I have lots of bandwidth to spare.  Usually I'm well below 50Mbps.  Now I'm getting the overruns on the inside interface.  It is configured at 1GB and the switch that connects to it is also 1GB (Cisco 3560G).  I'm reading that it could be bursts of traffic.  How do I find out where these bursts of traffic are coming from and begin to troubleshoot?  I could enable flow control, but doesn't that just put a bandage on the problem?  I would really like to know what is happening.  Cisco TAC's solution was to enable flow control, they wouldn't really go farther than that, and basically said they will do not more troubleshooting until flow control is enabled.  Is this a  viable solution?  Any Suggestions or advice from some who has had a similar problem would be  greatly appreciated.  Thanks!
LVL 4
denver218Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

asavenerCommented:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115985-asa-overrun-product-tech-note-00.html

Causes of Interface Overruns

Interface overrun errors are usually caused by a combination of these factors:

    Software level - The ASA software does not pull the packets off of the interface FIFO queue fast enough. This causes the FIFO queue to fill up and new packets to be dropped.

    Hardware level - The rate at which packets come into the interface is too fast, which causes the FIFO queue to fill before the ASA software can pull the packets off. Usually, a burst of packets causes the FIFOqueue to fill up to maximum capacity in a short amount of time.


Personally, I'm not sure what you're wanting from this forum if you already have a TAC case open.
0
denver218Author Commented:
I'm not having any luck with TAC, which is why I posted this question to see if anyone has experienced the same problem.  I still have the case open and am working with them.
0
asavenerCommented:
It's not uncommon for bursts of traffic to hit the inside interface, get dropped due to bandwidth limitations, and then slowly ramp back up.  Especially when you're using the IPS module.

I've seen several times where putting a router in line with the ASA, then configuring QoS on the router, would improve throughput on the firewall.  Usually, though, it's just cheaper and easier to buy more bandwidth.  QoS needs to be tweaked, bandwidth/policing settings must be correct, WRED settings must be correct, etc. for the in-line router solution to work correctly.

(Bottom line is that the ASA is a firewall, and does firewall tasks very well.  It will just drop traffic, though, and I've found that configuring QoS on the firewall has not been rewarding.)
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
denver218Author Commented:
I've had netflow configured on the device for a couple weeks now and bandwidth on the outside and inside interface has been very minimal.  I do have an IPS module (AIP-SSM-20).  I'm getting some overruns right now on the inside interface and the bandwidth on the outside interface is 9.956Mbps and the bandwidth on the inside interface is 9.662Mbps.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.