

input errors/overruns on inside interface of Cisco ASA5520 (Version 8.2.5)

Posted on 2014-12-15
Medium Priority
Last Modified: 2015-01-28
I have an ASA5520 running version 8.2.5. I am receiving a lot of input errors which are all overruns. It doesn't seem to be affecting performance, but I would like to fix it. To help troubleshoot the problem I configured netflow on the ASA and have it send information to my solarwinds netflow collector. I have a 100Mbps internet circuit, and over the last month, I've only hit 50Mbps once, so it can't be an over-subscription issue as I have lots of bandwidth to spare. Usually I'm well below 50Mbps. Now I'm getting the overruns on the inside interface. It is configured at 1GB and the switch that connects to it is also 1GB (Cisco 3560G). I'm reading that it could be bursts of traffic. How do I find out where these bursts of traffic are coming from and begin to troubleshoot? I could enable flow control, but doesn't that just put a bandage on the problem? I would really like to know what is happening. Cisco TAC's solution was to enable flow control; they wouldn't really go farther than that, and basically said they will do no more troubleshooting until flow control is enabled. Is this a viable solution? Any suggestions or advice from someone who has had a similar problem would be greatly appreciated. Thanks!
Question by:denver218
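As an added example (editor's code, not from any poster in this thread or from Cisco): the question is how to locate bursts when the collector's averages look low. The Python below does two things. First, it takes the delta of the overrun counter between two constructed `show interface` snapshots, because only the rate of growth says whether drops are ongoing and what fraction of arriving packets they represent. Second, it re-buckets constructed NetFlow-style records into one-second bins per source, so a burst that a per-minute average flattens becomes visible and is attributed to a host. The snapshot text, flow records, IP addresses, 60-second interval and the 1 Gbps link speed are all constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample: two `show interface` snapshots for the ASA "inside"
# interface taken 60 seconds apart. Only the lines the parser needs are kept;
# the counter names follow the ASA's "N input errors, N CRC, ..., N overrun" line.
SNAPSHOT_T0 = """\
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
        1834021 packets input, 1472099233 bytes, 0 no buffer
        Received 4 broadcasts, 0 runts, 0 giants
        152 input errors, 0 CRC, 0 frame, 152 overrun, 0 ignored, 0 abort
        1790112 packets output, 1320044100 bytes, 0 underruns
"""
SNAPSHOT_T1 = """\
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
        1901377 packets input, 1534900801 bytes, 0 no buffer
        Received 6 broadcasts, 0 runts, 0 giants
        197 input errors, 0 CRC, 0 frame, 197 overrun, 0 ignored, 0 abort
        1851403 packets output, 1377210044 bytes, 0 underruns
"""
SAMPLE_INTERVAL_S = 60  # constructed: seconds between the two snapshots

COUNTER_RE = re.compile(r"(\d+) (packets input|bytes|input errors|overrun)\b")

def parse_input_counters(text):
    """Pick the input-side counters out of `show interface` text.

    `bytes` appears on both the input and output lines; setdefault keeps the
    first match, which is the input line in this output layout.
    """
    counters = {}
    for value, name in COUNTER_RE.findall(text):
        counters.setdefault(name, int(value))
    return counters

def overrun_delta(before, after, interval_s):
    """Overruns per second and the fraction of arriving packets lost to overruns
    between two snapshots (deltas, not lifetime totals, are what matter)."""
    d_over = after["overrun"] - before["overrun"]
    d_pkts = after["packets input"] - before["packets input"]
    arrived = d_pkts + d_over          # dropped packets never count as input
    loss = d_over / arrived if arrived else 0.0
    return d_over / interval_s, loss

# Constructed NetFlow-style records as a collector would receive them:
# (flow start in seconds, source IP, destination IP, bytes). Addresses are
# placeholders, not from the original thread.
FLOWS = [
    (100, "10.1.1.23", "10.1.1.1", 80_000_000),   # e.g. a backup job bursting
    (100, "10.1.1.50", "10.1.1.1", 12_000),
    (101, "10.1.1.23", "10.1.1.1", 200_000),
    (102, "10.1.1.77", "10.1.1.1", 3_000_000),
    (130, "10.1.1.50", "10.1.1.1", 8_000),
]

def average_bps(flows, window_s):
    """The smoothed figure a collector graph shows: total bits over the window."""
    return sum(f[3] for f in flows) * 8 / window_s

def burst_report(flows, link_bps=1_000_000_000, bucket_s=1):
    """Bytes per source per `bucket_s`-second bucket, largest bucket first, with
    that bucket's utilization of the link. One-second buckets expose bursts
    that a per-minute average hides."""
    per_bucket = defaultdict(int)
    for start, src, _dst, nbytes in flows:
        per_bucket[(start // bucket_s, src)] += nbytes
    rows = [
        {"bucket": b, "src": s, "bytes": n,
         "utilization": n * 8 / (link_bps * bucket_s)}
        for (b, s), n in per_bucket.items()
    ]
    return sorted(rows, key=lambda r: r["bytes"], reverse=True)

if __name__ == "__main__":
    rate, loss = overrun_delta(parse_input_counters(SNAPSHOT_T0),
                               parse_input_counters(SNAPSHOT_T1),
                               SAMPLE_INTERVAL_S)
    print(f"overruns/s: {rate:.2f}, input loss: {loss:.4%}")
    print(f"60 s average: {average_bps(FLOWS, 60) / 1e6:.1f} Mbps")
    for row in burst_report(FLOWS)[:3]:
        print(f"t={row['bucket']} {row['src']} {row['bytes']} B "
              f"({row['utilization']:.0%} of line rate)")
```

In this constructed sample the 60-second average is about 11 Mbps, yet one host pushes a single second at 64% of line rate; that is exactly the kind of source a collector's default per-minute graph will not show. Sampling the overrun counter at a fixed interval and lining the deltas up against the flow buckets for the same seconds is the check to run before deciding whether flow control is merely a bandage.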
LVL 28

Expert Comment

ID: 40501459

Causes of Interface Overruns

Interface overrun errors are usually caused by a combination of these factors:

    Software level - The ASA software does not pull the packets off of the interface FIFO queue fast enough. This causes the FIFO queue to fill up and new packets to be dropped.

    Hardware level - The rate at which packets come into the interface is too fast, which causes the FIFO queue to fill before the ASA software can pull the packets off. Usually, a burst of packets causes the FIFO queue to fill up to maximum capacity in a short amount of time.

Personally, I'm not sure what you're wanting from this forum if you already have a TAC case open.

Author Comment

ID: 40502473
I'm not having any luck with TAC, which is why I posted this question to see if anyone has experienced the same problem.  I still have the case open and am working with them.
LVL 28

Accepted Solution

asavener earned 2000 total points
ID: 40502519
It's not uncommon for bursts of traffic to hit the inside interface, get dropped due to bandwidth limitations, and then slowly ramp back up.  Especially when you're using the IPS module.

I've seen several times where putting a router in line with the ASA, then configuring QoS on the router, would improve throughput on the firewall.  Usually, though, it's just cheaper and easier to buy more bandwidth.  QoS needs to be tweaked, bandwidth/policing settings must be correct, WRED settings must be correct, etc. for the in-line router solution to work correctly.

(Bottom line is that the ASA is a firewall, and does firewall tasks very well.  It will just drop traffic, though, and I've found that configuring QoS on the firewall has not been rewarding.)

Author Comment

ID: 40502542
I've had netflow configured on the device for a couple weeks now and bandwidth on the outside and inside interface has been very minimal.  I do have an IPS module (AIP-SSM-20).  I'm getting some overruns right now on the inside interface and the bandwidth on the outside interface is 9.956Mbps and the bandwidth on the inside interface is 9.662Mbps.
