input errors/overruns on inside interface of Cisco ASA5520 (Version 8.2.5)

Posted on 2014-12-15
Medium Priority
Last Modified: 2015-01-28
I have an ASA5520 running version 8.2.5. I am receiving a lot of input errors which are all overruns. It doesn't seem to be affecting performance, but I would like to fix it. To help troubleshoot the problem I configured netflow on the ASA and have it send information to my solarwinds netflow collector. I have a 100Mbps internet circuit, and over the last month, I've only hit 50Mbps once, so it can't be an over subscription issue as I have lots of bandwidth to spare. Usually I'm well below 50Mbps. Now I'm getting the overruns on the inside interface. It is configured at 1GB and the switch that connects to it is also 1GB (Cisco 3560G). I'm reading that it could be bursts of traffic. How do I find out where these bursts of traffic are coming from and begin to troubleshoot? I could enable flow control, but doesn't that just put a bandage on the problem? I would really like to know what is happening. Cisco TAC's solution was to enable flow control; they wouldn't really go farther than that, and basically said they will do no more troubleshooting until flow control is enabled. Is this a viable solution? Any suggestions or advice from someone who has had a similar problem would be greatly appreciated. Thanks!
Question by: denver218

Expert Comment

ID: 40501459

Causes of Interface Overruns

Interface overrun errors are usually caused by a combination of these factors:

    Software level - The ASA software does not pull the packets off of the interface FIFO queue fast enough. This causes the FIFO queue to fill up and new packets to be dropped.

    Hardware level - The rate at which packets come into the interface is too fast, which causes the FIFO queue to fill before the ASA software can pull the packets off. Usually, a burst of packets causes the FIFO queue to fill up to maximum capacity in a short amount of time.

Personally, I'm not sure what you're wanting from this forum if you already have a TAC case open.
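The question asks how to find out when the bursts happen, and the comment above explains that the overrun counter grows whenever the interface FIFO fills faster than the ASA drains it. Because the 1-minute input rate in `show interface` is an average, a low average with a rising overrun counter is itself the signature of sub-second bursts. The following script is an added example (not from this thread or from Cisco): it parses repeated `show interface` snapshots, reports how many new overruns each polling interval added alongside the average rate for that interval, and returns the intervals worth lining up against NetFlow records for the same window. The snapshot text is constructed sample data; the line layout it expects (`1 minute input rate N pkts/sec, N bytes/sec` and `... N overrun ...`) is the usual ASA 8.x format and is assumed here rather than taken from the page.

```python
"""Added example: detect polling intervals in which an ASA interface's
'overrun' counter increased, so they can be correlated with NetFlow data.
The snapshots are constructed sample text; the 'show interface' line
format is assumed (ASA 8.x style), not quoted from the thread."""
import re
from dataclasses import dataclass

# Constructed sample: three 'show interface inside' snapshots one minute apart.
# Only the lines the parser needs are reproduced.
SNAPSHOTS = [
    ("12:00", 'Interface GigabitEthernet0/1 "inside", is up, line protocol is up\n'
              '  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec\n'
              '        1 minute input rate 300 pkts/sec,  37500 bytes/sec\n'
              '        0 input errors, 0 CRC, 0 frame, 30487 overrun, 0 ignored, 0 abort\n'),
    ("12:01", 'Interface GigabitEthernet0/1 "inside", is up, line protocol is up\n'
              '        1 minute input rate 420 pkts/sec,  52500 bytes/sec\n'
              '        0 input errors, 0 CRC, 0 frame, 30487 overrun, 0 ignored, 0 abort\n'),
    ("12:02", 'Interface GigabitEthernet0/1 "inside", is up, line protocol is up\n'
              '        1 minute input rate 9800 pkts/sec,  1207750 bytes/sec\n'
              '        0 input errors, 0 CRC, 0 frame, 31210 overrun, 0 ignored, 0 abort\n'),
]

OVERRUN_RE = re.compile(r"(\d+) overrun")
RATE_RE = re.compile(r"1 minute input rate (\d+) pkts/sec,\s*(\d+) bytes/sec")


@dataclass
class Sample:
    when: str
    overruns: int       # cumulative 'overrun' counter at poll time
    pps: int            # 1-minute average input packets/sec
    bytes_per_sec: int  # 1-minute average input bytes/sec

    @property
    def mbps(self) -> float:
        # Average input rate in Mbit/s, rounded to match the precision the ASA reports.
        return round(self.bytes_per_sec * 8 / 1_000_000, 3)


def parse_snapshot(when: str, text: str) -> Sample:
    """Pull the overrun counter and 1-minute input rate out of one snapshot."""
    ov = OVERRUN_RE.search(text)
    rate = RATE_RE.search(text)
    if not ov or not rate:
        raise ValueError(f"snapshot at {when} lacks an overrun or input-rate line")
    return Sample(when, int(ov.group(1)), int(rate.group(1)), int(rate.group(2)))


def overrun_deltas(samples):
    """For each consecutive pair of polls, report new overruns and the average rate."""
    out = []
    for prev, cur in zip(samples, samples[1:]):
        delta = cur.overruns - prev.overruns
        if delta < 0:
            # Counter went backwards: it was cleared or the box reloaded between
            # polls, so everything counted since then is new.
            delta = cur.overruns
        out.append({"start": prev.when, "end": cur.when, "new_overruns": delta,
                    "avg_pps": cur.pps, "avg_mbps": cur.mbps})
    return out


def burst_intervals(samples):
    """Intervals where the FIFO overflowed at least once; check NetFlow for these."""
    return [d for d in overrun_deltas(samples) if d["new_overruns"] > 0]


SAMPLES = [parse_snapshot(t, text) for t, text in SNAPSHOTS]

if __name__ == "__main__":
    for d in overrun_deltas(SAMPLES):
        flag = "  <-- burst: correlate with NetFlow" if d["new_overruns"] else ""
        print(f"{d['start']}-{d['end']}: +{d['new_overruns']} overruns, "
              f"avg {d['avg_mbps']} Mbps / {d['avg_pps']} pps{flag}")
```

In practice the snapshots come from polling `show interface` (or the equivalent SNMP counters) on a fixed schedule; the value of the script is that it turns a lifetime counter into per-interval deltas, which is what you need to match a burst to the NetFlow flows that were active in the same minute. Note that even in the flagged interval the average is under 10 Mbps, which is consistent with the poster's observation that overruns appear while average utilisation stays low.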

Author Comment

ID: 40502473
I'm not having any luck with TAC, which is why I posted this question to see if anyone has experienced the same problem.  I still have the case open and am working with them.

Accepted Solution

asavener earned 2000 total points
ID: 40502519
It's not uncommon for bursts of traffic to hit the inside interface, get dropped due to bandwidth limitations, and then slowly ramp back up.  Especially when you're using the IPS module.

I've seen several times where putting a router in line with the ASA, then configuring QoS on the router, would improve throughput on the firewall.  Usually, though, it's just cheaper and easier to buy more bandwidth.  QoS needs to be tweaked, bandwidth/policing settings must be correct, WRED settings must be correct, etc. for the in-line router solution to work correctly.

(Bottom line is that the ASA is a firewall, and does firewall tasks very well.  It will just drop traffic, though, and I've found that configuring QoS on the firewall has not been rewarding.)

Author Comment

ID: 40502542
I've had netflow configured on the device for a couple weeks now and bandwidth on the outside and inside interface has been very minimal.  I do have an IPS module (AIP-SSM-20).  I'm getting some overruns right now on the inside interface and the bandwidth on the outside interface is 9.956Mbps and the bandwidth on the inside interface is 9.662Mbps.
