Cisco Security :: ASA5540 Interface Input Errors - Overrun
Nov 16, 2009
Why are packet overruns incrementing on the ASA even when I have only 40Mbps of throughput traffic? All interfaces are 1000-Full Duplex, both on the ASA and on the Catalyst 3750. I've tested the ASA5540 generating GET HTTP, about 40Mbit of traffic. When I use one ingress interface and one egress interface, the interface input overrun counter is zero. When I use the same traffic with 3 ingress interfaces (slot0) and 3 egress interfaces (slot1), the interface input overrun counter increases (60k overruns in only 2 minutes).
Feb 26, 2013
My expertise with Cisco ASA is very limited. I have observed input errors on a couple of interfaces on a Cisco ASA 5540 firewall. [code] I need to clear the input errors on this particular interface. Will clear interface GigabitEthernet 0/0 work?
Nov 4, 2011
I use an 1841 router as an internet facing firewall with a 10MB MetroE connection. Lately users started reporting slow internet download speeds and web pages timing out. Bandwidth reports do not show the link as being saturated so I looked at the interfaces on the 1841. The interface connected to the provider shows OK as far as errors but the LAN side of the router shows steadily increasing input errors. It doesn't show any other errors, no CRC, frame, runts, giants or overruns, just generic input errors. What type of errors are those? Nothing is being logged on the console.
I moved the connection to another switch port and the errors continue. I switched it down to 10MB and also changed the switch and the errors slow down but don't stop. Interestingly, the switch side never shows any errors. What can I do here? I guess it can be a bad interface but that is such a rare thing that I am hesitant to replace the router.
Apr 16, 2013
For the past month we have been seeing input errors on many interfaces of our two Cisco WS-C3750G-12S switches; data transfer or ping (ICMP) increases the input errors. It is not only port 1; many interfaces have the same issue. I changed to a new IOS but the issue remained, and I once erased the startup config but we still faced the same issue. Finally I replaced it with a new switch of the same model with the same IOS and it's working fine (c3750-ipservicesk9-mz.122-55.SE4.bin). [code]
Feb 22, 2012
I have this output from show interfaces command for the fastethernet interface on a 2811 router.
find the causes of the crc and the ignored input errors on the interface?
The interface configuration is:
interface FastEthernet0/0
description VLANS_CHILE
no ip address
[Code]....
May 10, 2012
I have an issue with input errors, overruns, and input reset drops on the inside interface of a 5580-40 (v8.2.5: Transparent mode). The box is not stressed at all according to the 'show' commands in the Cisco troubleshooting performance document for PIX/ASA v8.2.5. Nothing stands out because it is pretty much normal, nothing (processes, RAM, blocks, IO...) really being highly utilized. I have replaced the 10Gig card and that seemed to work because the rate of errors has gone down tremendously. The next step is to RMA the whole box. My question is what would be the cause of the inside interface to stop processing traffic (I say that because the syslog server stops receiving messages) for some periods of 30 seconds periodically throughout the day and clients lose their connections (i.e. Outlook, IBM Sametime, Oracle, MSSQL, etc.). Can the issue be somewhere related to the overruns and input errors?
Oct 21, 2012
I have been making an effort to solve frequent input errors on a module interface (WS-X4548-GB-RJ45) in our Backbone Switch (Cat4506). Let me show you the show interface information. The Rx-No-pkt-buff value increases continuously even though the traffic rate of the interfaces is lower than 20Mbps. We have two Backbone Switches which are operated in HA via HSRP. What brings buffer shortage to our network? [code]
Feb 23, 2011
Recently our network experienced an internal DoS attack. One internal server (the network/security team doesn't have any access to the administration of this server) started to send a lot of bogus DNS requests to some DNS servers on the Internet. With sh conn detail we saw the IP of this server and blocked it with an ACL on the internal ASA 5520 interface. After that, the server team disconnected the server and did their job cleaning the infected device. Everything went back to normal....
Today, the same server started again with the same problem, but a lot worse than the first time. The ASA started to drop packets on the internal interface, the overruns were increasing dramatically (like 10000 per second), the asp-drop table showed the same amount of traffic as the interface overruns in the ACL-Drop line, and the CNT for the 16xxx blocks in sh blocks was at zero. The sh access-list INSIDE output shows nearly 9 million hits on the line that denies the DNS requests from the server to the Internet. Again, we disconnected the server and the problem was solved by the server team.
It seems that our ASA can't handle on its internal interface the amount of traffic that this server sends outbound. Is there any way to raise the blocks in the firewall? What is the best way to deny the server's connections (ACL, MPF, or threat detection maybe) and avoid the ASA interface overruns even when the server sends this large amount of requests?
May 11, 2011
My router, a Cisco 7204 with NPE 300, is experiencing output drops and input errors on a fastethernet interface. I have a 100Mbps connection with less than 15Mbps utilization at peak times.
FastEthernet1/0 is up, line protocol is up
Hardware is DEC21140, address is 0014.a985.1a1c (bia 0014.a985.1a1c)
Internet address is 38.102.66.134/30
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 3/255, rxload 1/255
[Code]....
Oct 21, 2012
I ran into a problem a few weeks ago and am still trying to figure out why either the 3560 switch or our Cacti syslog server did not alert us when one of our ports was experiencing heavy CRC and Input errors.
I had upgraded the IOS to 12.2(55)SE6 and rebooted the switch. About a week later, someone was troubleshooting why print jobs were having problems printing to a high speed printer. When I looked at the interface it showed a few thousand CRC and Input errors. I cleared the counters and had them print again and watched as the CRC and Input errors went up. When I did a "show log" there were no error messages. Looking at our Cacti Syslog there were also no errors present for the past 6 months.
We found that the device on the port was set to auto speed and duplex and the switch port was at 100/Full. Once we got them to match the problem was resolved, but we were left wondering why we never got any alerts.
We also have some 3548 and 3550 model switches that Cacti picks up %LINK-4-ERROR for any ports that show CRC and Input errors. I did some research and it appears that the 3560 switches do not have the LINK facility code. I believe it has been replaced with a PHY link code but I'm not sure. We do have some "%PHY-4-EXCESSIVE_ERRORS: Excessive FCS, data, or idle word errors found" but they are all for 3750 switches. I could not find any 3560 that had alerted for that error or the LINK error.
I also tripped port security on the 3560 switch just to make sure that it was reporting correctly to Cacti and that alert did show up.
My question is how do I get a 3560 switch to alert in the logging buffer for CRC/Input/FCS errors? Also, how can I generate CRC and Input errors on purpose for testing? I tried mismatching the speed/duplex/Auto and only got collisions, no CRC or Input errors.
Jul 1, 2012
I am not sure why the CRC and input errors are increasing on the FastEthernet port. This port is used as an intradomain cross connect to the Data Center service provider for LAN extension between two Data Centers in different locations. The link is 100 MB. The switch port is directly connected to the patch panel of the DC provider and I believe they have some L3 switch or some other device that is providing LAN extension.
#sh interfaces fastEthernet 0/23
FastEthernet0/23 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is 0019.3050.1497 (bia 0019.3050.1497)
Description: ASA_VPN_TO
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
[code]....
Dec 5, 2011
I'm using a Cisco 1812 to route traffic from a small location with 10 users. Users are complaining about packet loss, and programs with live database connections are freezing. On the router I've checked one of the FastEthernet interfaces, and I can see that the input errors are increasing constantly. [code]
Oct 2, 2012
I am not sure why the CRC and input errors are increasing on the FastEthernet port. This port is used as an intradomain cross connect to the Data Center service provider for LAN extension between two Data Centers in different locations. The link is 100 MB. The switch port is directly connected to the patch panel of the DC provider and I believe they have some L3 switch or some other device that is providing LAN extension.
#sh interfaces fastEthernet 0/23
FastEthernet0/23 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is 0019.3050.1497 (bia 0019.3050.1497)
[Code].....
Mar 15, 2013
I have an ASR 1002x connected to a 6513. The connection is from an ASR Gig Copper SFP to a 6513 Copper 10/100/1000 port. The ASR is receiving runt and input errors. I have removed the negotiation auto command on both boxes and hard coded the speed etc. and the errors still occur. I have also added negotiation auto to both devices and also removed it without hard coding the speed, with the same results. Every time I have seen these errors it has been due to collisions caused by a duplex mismatch.
Mar 11, 2013
I have an odd situation where I cannot get a device connected to a built-in switchport without input and CRC errors. When connecting to a GLC-T SFP it works fine. Here is my test layout:
Outdoor wireless AP --- 10' of cat6 cable --- Gigabit POE injector --- 10' Cat6 cable --- 3560G port 48. (input and crc errors)
When I do this there are input and CRC errors on the switch port. This has been confirmed on three different switches and three different outdoor APs. We thought at first it was the injector, but when we run the same setup and instead connect the device to port 49 with a GLC-T SFP there are no errors.
Outdoor wireless AP --- 10' of cat6 cable --- Gigabit POE injector --- 10' Cat6 cable --- 3560G port 49 (GLC-T). (No errors)
I have upgraded the 3560G to the latest IOS and it still has the same problem. If I run the same setup to a 2960 there are no errors at all.
Outdoor wireless AP --- 10' of cat6 cable --- Gigabit POE injector --- 10' Cat6 cable --- 2960 port g0/1 (No errors)
I have also tried manually setting the speed on the 3560G with no success.
May 28, 2013
We have a Cisco ASA 5540 running Cisco Adaptive Security Appliance Software Version 8.0(5)23. At a certain time daily we are facing latency and packet drops, and when I checked the ASA interface it shows "Input Errors" on the outside interface. Can anyone tell me what causes input errors on a Cisco ASA outside interface?
Jun 17, 2011
I am trying to log every connection (Build, deny, etc). But for some reason I don't see them in sh log.
[Code]...
Dec 13, 2011
One of my clients wants to upgrade its already installed ASA5540-bun-k9 by adding a CSC-20 module. As per the link below, CSC-20 is supported with the ASA5540, but for some reason the ASA5540 bundle option with the CSC module is not available, which creates confusion. Will the CSC-20 module work with ASA5540-bun-k9? [URL]
May 9, 2011
How does one allow /31 mask for an management interface on an ASA5540 using version 8.3(1)?
I need to configure a 192.168.x.y /31 on the management 0/0 interface of an ASA5540 and it is providing me with the following error: ERROR: /31 mask is not allowed
Dec 11, 2011
I have a requirement received from one of my customers. The part number given is ASA5540-AIP40-K8, and at the same time they are requesting the addition of another 4-port GE module (I believe it's the SSM-4GE module). Is there any option to add this module to the above specified model (ASA5540-AIP40-K8)?
As per my understanding the ASA5540 has the option to add 1 additional module only, so with the AIP-SSM module we don't have any free slot left to add another SSM-4GE module in the firewall.
I am not even getting the option to add SSM-4GE in the ASA5540-AIP40-K8.
Apr 28, 2013
I need to monitor with ping the inside sub-interface of my ASA5540, is that possible? I get the ICMP requests but no replies going out from the box.
I need to ping the 192.168.10.250 from the 192.168.5.55:
ASA Version 8.0(5)
interface GigabitEthernet0/1
nameif inside
[Code].....
Jul 5, 2012
I have an ASA5540 firewall set up with an interface MTU of 1500.
I suspect that we are receiving packets with a larger MTU but have not found an easy way of confirming this. Any command that can be run on the firewall to display the MTU packet size being received on an interface?
We are also running Solar Winds so could query an OID if such a variable exists.
Mar 25, 2012
Running Vista. When I pull up my list of possible wireless signals to try and connect, I normally get asked to input a security key. NOW the screen will simply close after I press the Enter key. Right clicking and trying to connect, I am also having the same issue. MY wireless signal for MY Comcast account connects perfectly.
Dec 4, 2011
No data is showing in the TOP-N Interface Errors portlet in LMS 4.1, but data for TOP-N Interface Utilization is displayed as expected. The Interface Errors poller shows active (without errors) with the same instances as Interface Utilization.
Jul 27, 2011
Using AnyConnect Secure Mobility Client, logging into ASA5540. After I put my credentials in, I get the banner message (from group policies). After I accept that, I get another pop message stating: It looks like a pre-set message. Where can I disable and/or edit this message?
Mar 25, 2013
I have a 2911 router connected to two different ISPs. Is it possible to route traffic based on which interface the traffic came in on first? Let's say I have the default route set to use interface gig0/0 (ISP1), but a certain IP packet reaches the router by interface gig0/1 (ISP2). Is there any way (if possible without using source NAT) that I could route traffic back to that IP address using interface gig0/1? The source IP addresses are not fixed, so I cannot use Policy Based Routing.
Dec 6, 2011
Vlan interface would be dropping packets on the input queue? Refer to the drops/flushes below. This is from a 6500 with a Sup720, there are a number of vlans on it. This 6500 and its HSRP partner are exhibiting the same symptoms on all the vlans I bothered to check. This particular vlan is quite lightly used, there are only about fifteen user PCs (each with 100 Mb interfaces) on it.
There is a bit of information on input queue drops on Cisco, but this is focused on physical interfaces where I can understand some packets being dropped. I would think that Vlan interfaces would have different issues. I note the "no buffer" errors as well, that also concerns me, especially as that counter is quite close to the "flushes".
Vlan123 is up, line protocol is up
Hardware is EtherSVI, address is 00d0.04fd.6000 (bia 00d0.04fd.6000)
Description: Vlan123
Internet address is 10.123.123.7/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
ARP type: ARPA, ARP Timeout 04:00:00
[Code] .......
Dec 14, 2011
I have a PIX 535 connected through OFC to Cisco 2960 Switch.
PIX end - G0 (SC type Connector) - Switch End - Gi1/0/28 (LC type connector)
When I am pinging from either side, I am getting packet drops. CRC error is increasing at PIX interface.
Speed settings, tried with
auto - auto
auto - nonegotiate
nonegotiate - auto
nonegotiate - nonegotiate
But no improvements. When it's connected with SC - SC connector, it's working fine.
Switch also working fine when connected LC - LC. Switch OS is 15.x version.
Cisco PIX Security Appliance Software Version 7.0(4) <system>
Device Manager Version 5.0(4)
Nov 1, 2011
I have to bridge 1400 series which in the virtual interface has CRC errors. I don't know the reason; maybe the link (point-point bridge) is misaligned.
Jan 20, 2013
Our customer has the problem that the switch always counts the 5-minute input/output rate of connected traffic interfaces as ZERO. The problem only occurs on the module 3, 4 and 5 interfaces; module 2 has no problems.
-------------------------------------------------------------------------------------------------
Catalyst 4506E
12.2(52)SG
Chassis Type : WS-C4506-E
Power consumed by backplane : 0 Watts
Mod Ports Card Type                              Model              Serial No.
---+-----+--------------------------------------+------------------+-----------
  1     6 Sup 6-E 10GE (X2), 1000BaseX (SFP)     WS-X45-SUP6-E
  2    48 10/100/1000BaseT (RJ45)                WS-X4548-GB-RJ45
  3    48 10/100/1000BaseT (RJ45)                WS-X4648-RJ45-E
  4    48 10/100/1000BaseT (RJ45)                WS-X4648-RJ45-E
  5    48 10/100/1000BaseT (RJ45)                WS-X4648-RJ45-E
[code]....+
Nov 6, 2011
I have a 2921 connected to a Catalyst 3560. My router interface shows quite a lot of input queue drops. Load is not too much, max 5/255.
May 15, 2012
My issue occurs on ALL of my home computers (MacBook and iMac using wi-fi) and ALL of my browsers (Safari, Firefox, Chrome). The problem:
- Security Certificates: They pop up daily for Facebook mostly, but also Twitter. I will click Continue, which takes me to...
- 404 Error/Page Not Found Error: After the Certificate error mentioned above, this happens. Mostly to YouTube. It will stay like this for a few hours. I've cleared cache, rebooted, etc. etc. Nothing works.
- Images turn into little blue boxes with a question mark in them. **When this happens, it's an indication that a Certificate box will pop up out of the blue.
- Even on Google.com, it will say: Invalid URL. The requested URL "/", is invalid. Reference #9.df260e6b.1336506889.420cf4f
So what can I do? It happens on both my Macbook Pro and iMac - both connected wirelessly to a Linksys router/cable modem. The router is Wireless-N Broadband Router WRT160Nv3 with Firmware Version: v3.0.02.
Sep 13, 2011
I have an AIR-AP1121G-A-K9 running c1100-k9w7-tar.123-7.JA2 (Autonomous). We have monitoring set up with Orion NPM and we consistently see output errors, transmit discards and big buffer errors. The users at the site have not reported any issues, but I was wondering how to prevent these, or are these normal? What causes the output errors on the wireless radio? How to troubleshoot further?
Radio0-802.11G
Total Output Errors 0 47749
Small Buffer Misses
4 misses
139 misses
[code]....