Hi, I'm having some trouble with a Cisco ASA 5505. It is performing very badly and I'm wondering if switch ingress policy drops can have this impact on performance? The topology is quite simple.
Cisco ASA 5505 - RAD tiny bridge - SDH network - RAD tiny bridge - Cisco Catalyst 3560-X - Cisco ASA 5510

So basically it's a leased line kind of setup, the tiny bridges convert the signal to Ethernet. I had to hardcode these to 10 Mbit full duplex since they don't handle auto negotiation very well. This is the configuration from the Catalyst switch and packet counters.

sh run int gi0/18
Building configuration...

Current configuration : 335 bytes
!
interface GigabitEthernet0/18
 description removed
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 172
 switchport mode trunk
 speed 10
 duplex full
 no cdp enable
 spanning-tree portfast trunk
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
end

sh int gi0/18
GigabitEthernet0/18 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is d0d0.fd24.bd12 (bia d0d0.fd24.bd12)
  Description: removed
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 4/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 10Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 20:34:32, output 00:00:02, output hang never
  Last clearing of "show interface" counters 19:08:04
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 185000 bits/sec, 21 packets/sec
  5 minute output rate 11000 bits/sec, 16 packets/sec
     1580989 packets input, 1543636799 bytes, 0 no buffer
     Received 3 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     1078549 packets output, 101138920 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

The leased line is at 512 kbit/s and you can see that we almost never use more than half of that. The port on the Catalyst looks clean. Then we have the other end that is a Cisco ASA 5505, this is the configuration and port stats from there:

sh run int e0/0
!
interface Ethernet0/0
 description removed
 switchport trunk allowed vlan 172
 switchport mode trunk
 speed 10
 duplex full

sh int e0/0
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Full-Duplex(Full-duplex), 10 Mbps(10 Mbps)
        Input flow control is unsupported, output flow control is unsupported
        Description: removed
        Available but not configured via nameif
        MAC address c84c.7541.33b2, MTU not set
        IP address unassigned
        906935 packets input, 85622211 bytes, 0 no buffer
        Received 2 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        7705 switch ingress policy drops
        1333081 packets output, 1313122660 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        0 rate limit drops
        0 switch egress policy drops

sh run int vlan 172
!
interface Vlan172
 nameif removed
 security-level 50
 ip address 172.16.1.4 255.255.255.248

You can see that there are 7705 switch ingress policy drops out of 906935 packets in total, so roughly 0.85% of packets are being dropped. My first question is if you think this can affect performance? We have issues with high latency and some packet loss. The other question is, how do I debug this? According to Cisco they describe switch ingress policy drops like this:

This drop is usually seen when a port is not configured correctly. This drop is incremented when a packet cannot be successfully forwarded within switch ports as a result of the default or user configured switch port settings.
The following configurations are the likely reasons for this drop:

- The nameif command was not configured on the VLAN interface. Note: For interfaces in the same VLAN, even if the nameif command was not configured, switching within the VLAN is successful, and this counter does not increment.
- The VLAN is shut down.
- An access port received an 802.1Q-tagged packet.
- A trunk port received a tag that is not allowed or an untagged packet.
- The security appliance is connected to another Cisco device that has Ethernet keepalives. For example, Cisco IOS software uses Ethernet loopback packets to ensure interface health. This packet is not intended to be received by any other device; the health is ensured just by being able to send the packet. These types of packets are dropped at the switch port, and the counter increments.
- The VLAN only has one physical interface, but the DEST of the packet does not match the MAC address of the VLAN, and it is not the broadcast address.

Nameif is set so it can't be that, VLAN is not shut down. It is not an access port. Trunk that receives a tag not allowed, not impossible but not likely. Could it be the Catalyst sending keepalives? The final reason I don't think applies here. So either something funky is going on with the tagging or it's keepalives that are being sent, could this affect performance?

Thanks for your time.

/Daniel

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
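One way to start the debugging the post asks about, as an added example that is not from Daniel's post or from Cisco: a small Python script that parses the quoted ASA counters and checks the quoted port, VLAN and peer output against each cause in Cisco's list, reporting which causes the configuration cannot rule out. The sample text is constructed by trimming the output above; the cause list is the one quoted in the post.

```python
import re

# Constructed samples, trimmed from the ASA 5505 and Catalyst output quoted in the post.
ASA_SHOW_INT = """Interface Ethernet0/0 "", is up, line protocol is up
        906935 packets input, 85622211 bytes, 0 no buffer
        0 L2 decode drops
        7705 switch ingress policy drops
        0 switch egress policy drops"""
ASA_PORT_CFG = """interface Ethernet0/0
 switchport trunk allowed vlan 172
 switchport mode trunk
 speed 10
 duplex full"""
ASA_VLAN_CFG = """interface Vlan172
 nameif removed
 security-level 50
 ip address 172.16.1.4 255.255.255.248"""
CAT_SHOW_INT = """GigabitEthernet0/18 is up, line protocol is up (connected)
  Keepalive set (10 sec)
  Full-duplex, 10Mb/s, media type is 10/100/1000BaseTX"""

def parse_counters(text):
    """Pull the packet and policy-drop counters out of ASA 'show interface' output."""
    patterns = {
        "packets_input": r"(\d+) packets input",
        "ingress_policy_drops": r"(\d+) switch ingress policy drops",
        "egress_policy_drops": r"(\d+) switch egress policy drops",
    }
    return {k: int(m.group(1)) for k, p in patterns.items() if (m := re.search(p, text))}

def ingress_drop_ratio(counters):
    """Share of received frames that hit the switch ingress policy drop counter."""
    return counters["ingress_policy_drops"] / counters["packets_input"]

def open_causes(port_cfg, vlan_cfg, peer_show_int):
    """Causes from Cisco's list that the configuration and peer output do not rule out."""
    causes = []
    if not re.search(r"^\s*nameif\s+\S+", vlan_cfg, re.M):
        causes.append("nameif not configured on the VLAN interface")
    if re.search(r"^\s*shutdown\s*$", vlan_cfg, re.M):
        causes.append("VLAN interface is shut down")
    if re.search(r"^\s*switchport mode trunk", port_cfg, re.M):
        causes.append("trunk received a tag outside the allowed list or an untagged frame")
    else:
        causes.append("access port received an 802.1Q-tagged frame")
    if re.search(r"^\s*Keepalive set", peer_show_int, re.M):
        causes.append("peer has Ethernet keepalives enabled (IOS loopback frames)")
    causes.append("unicast destination MAC differs from the VLAN MAC (single-port VLAN)")
    return causes
```

Feed it the live `show interface` and `show run` text from both ends to track the drop ratio over time and see which causes remain after each configuration change.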