broccolini


Identify Output Discards Catalyst 9300

Hello,

There seems to be a lot of discards happening on an interface of my Catalyst 9300. Here are some images to validate what is happening.
[User generated images]
This port on the switch goes to a Fortigate 300E. Would I be able to identify these discarded packets with Wireshark and spanning the port like so:
monitor session 1 source interface TwoGigabitEthernet1/0/8
monitor session 1 destination interface tenGigabitEthernet 1/0/45 encapsulation replicate

 I ended up trying it with Wireshark and got this, but not sure if it's my problem.
[User generated images]
atlas_shuddered

You won't see the discards in Wireshark regardless of where you put your SPAN.  What you will see are the resets, retrans and duplicate packets.

If I am copying those numbers correctly, you are running at nearly 50% loss, maybe a little over.  The interface itself isn't showing errors, only drops.  This would tend to indicate that you are saturating the interface.  Have you checked utilization?  Looking at the data on the interface, you could also be seeing the effect of bursting traffic.  You may be able to address the problem by working on the queuing of that interface.
broccolini

ASKER

I don't think the numbers are right because I'm guessing we would notice network performance issues if this was accurate, but we don't.  I followed this guide and uploaded the picture above of the results. https://www.cisco.com/c/en/us/support/docs/lan-switching/switched-port-analyzer-span/116260-technote-wireshark-00.html
Maybe, maybe not.  If the drops are from bursting traffic, it could be less noticeable.  I'd still SPAN the interface and look for retrans, etc.
I notice re-transmissions from our SAN File Server on port 445 when I filter for tcp-retransmissions. If this was the problem, how could I dig deeper to find out why packets are getting dropped?
Look at the buffer queues.  See what's going on with them.
Responded to last input from asker but have seen nothing further from them.  If the problem persists, then helpful to respond with findings.
@atlas_shuddered

Could you help me figure out how to take a look at the buffer queues on the switch? I'm not sure what commands are required to do that.

Thank you!
To find your drops in Wireshark - look for Retrans.

Looking at the data above, it looks like you have a lot of bursty traffic.  Looks like the uplink is 1G.  What are the access interfaces below it rated at?
Thank you for the links!

The 9300 switch is connected 1G to all our servers. There is one 10G port going to a stack switch that is what all the hosts on the network are connected to. The connection between the 9300 and stack interface is the only one that is 10G
Okay, so what is connected to gig1/0/8 then?  What is the likelihood that it just has too many servers trying to talk to it or that it is trying to talk with too many other servers?
This is very possible. 1/0/8 is for a subnet with all our servers.
So 1/0/8 connects to a switch then?
1/0/8 connects to a firewall/router.


User generated image
We are going to eliminate the 192.168.1.0/24 subnet and eventually put everything on the 172. This will probably fix the issue since we won't have to go through the firewall anymore. Everyone (Workstations & Servers) will be on the same subnet (172)
Okay, so you are using the firewall to route between the subnets then?
Yes, exactly.
ASKER CERTIFIED SOLUTION
atlas_shuddered