Packets dropped at encryption stage.

I am truly struggling with the changes after 8.21.
I am trying to get a VPN up between two sites. This is the B end; I am sure there are a bunch of problems at the other end too, e.g. the tunnel NAT does not have the right priority 1.
When I establish the tunnel I get this:
3    Sep 01 2008    11:23:37                        Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= outside_map.  Map Sequence Number = 1.
# packet-tracer input inside tcp 10.2.32.11 80 10.1.1.10 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static 101_Net 101_Net destination static ServerNet ServerNet
Additional Information:
Static translate 10.2.32.11/80 to 10.2.32.11/80
Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Here is the config...
ASA Version 8.4(1)
hostname ma
names
name 14.1.1.1 HQ_peer
name 10.2.32.0 Ma_Net
interface Vlan1
nameif outside
security-level 0
pppoe client vpdn group NETF
ip address pppoe setroute
interface Vlan2
nameif inside
security-level 100
ip address 10.2.32.254 255.255.255.0
interface Vlan3
nameif av
security-level 99
ip address 192.168.1.254 255.255.255.0
interface Ethernet0/0
interface Ethernet0/1
description Airport Extreme
switchport access vlan 2
interface Ethernet0/2
description to PowerLine rest of network
switchport access vlan 2
interface Ethernet0/3
switchport access vlan 2
interface Ethernet0/4
switchport access vlan 2
interface Ethernet0/5
description TO AVNET switch
switchport access vlan 3
interface Ethernet0/6
switchport access vlan 2
shutdown
interface Ethernet0/7
switchport access vlan 2
shutdown
boot system disk0:/asa841-k8.bin
ftp mode passive
object network 101_Net
subnet 10.2.32.0 255.255.255.0
object network HS_ServerNet
subnet 10.1.1.0 255.255.255.128
object network AV_Net
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_10.2.32.0_24
subnet 10.2.32.0 255.255.255.0
access-list outisde_1_cryptomap extended permit ip object 101_Net object HS_ServerNet
access-list outside_cryptomap extended permit ip 10.2.32.0 255.255.255.0 object HS_ServerNet
pager lines 24
logging enable
logging buffered notifications
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu av 1500
ip local pool VPNNET 10.2.9.1-10.2.9.30 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static 101_Net 101_Net destination static HS_ServerNet HS_ServerNet
nat (inside,outside) source dynamic any interface
nat (av,outside) source dynamic any interface
nat (inside,outside) source static NETWORK_OBJ_10.2.32.0_24 NETWORK_OBJ_10.2.32.0_24 destination static HS_ServerNet HS_ServerNet
route outside 0.0.0.0 0.0.0.0 9.9.9.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Ma_Net 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 av
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer HansHQ_peer
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn HS-ma.HS.internal
subject-name CN=HS-ma
crl configure
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.2.8.0 255.255.255.0 inside
telnet Ma_Net 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 av
telnet timeout 1440
ssh timeout 5
console timeout 0
management-access av
vpdn group NETF request dialout pppoe
vpdn group NETF localname *******************
vpdn group NETF ppp authentication pap
vpdn username ************* password *****
dhcpd address 10.2.32.10-10.2.32.40 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
dhcpd address 192.168.1.10-192.168.1.40 av
dhcpd dns 8.8.8.8 interface av
dhcpd enable av
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.1.1.1
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
group-policy GroupPolicy_14.1.1.1 internal
group-policy GroupPolicy_14.1.1.1 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_MaResidence internal
group-policy GroupPolicy_MaResidence attributes
wins-server none
dns-server value 8.8.8.8
default-domain value HS.internal
tunnel-group 14.1.1.1 type ipsec-l2l
tunnel-group 14.1.1.1 general-attributes
default-group-policy GroupPolicy_14.1.1.1
tunnel-group 14.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

Try to permit ESP and UDP ports 500 and 4500 in your crypto ACL and see if that helps.
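
An added example, not part of the original thread: a small Python parser for packet-tracer output in the layout pasted in the question, reporting the first phase that did not return ALLOW together with the drop reason from the final summary. The sample trace is constructed (abbreviated from the post's output), and the function names are hypothetical.

```python
import re

# Constructed sample: abbreviated from the packet-tracer output in the post.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static 101_Net 101_Net destination static ServerNet ServerNet
Additional Information:
Static translate 10.2.32.11/80 to 10.2.32.11/80
Phase: 3
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Split packet-tracer output into per-phase dicts plus the final summary."""
    phases, summary = [], {}
    current = None       # phase currently being filled
    section = None       # "config" or "info" once inside a free-text section
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
            continue
        if line == "Result:":            # a bare "Result:" opens the summary
            in_summary, current = True, None
            continue
        if in_summary:
            key, sep, value = line.partition(":")
            if sep:
                summary[key.strip().lower()] = value.strip()
            continue
        if current is None:              # command echo before the first phase
            continue
        if line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section is None:
            m = re.match(r"(Type|Subtype|Result):\s*(.*)$", line)
            if m:
                current[m.group(1).lower()] = m.group(2).strip()
        else:                            # free text belongs to the open section
            current[section].append(line)
    return phases, summary


def explain_drop(text):
    """Return details of the first non-ALLOW phase, or None if all phases pass."""
    phases, summary = parse_packet_tracer(text)
    dropped = next((p for p in phases if p["result"].upper() != "ALLOW"), None)
    if dropped is None:
        return None
    m = re.match(r"\(([\w-]+)\)\s*(.*)", summary.get("drop-reason", ""))
    return {
        "phase": dropped["phase"],
        "stage": "/".join(x for x in (dropped["type"], dropped["subtype"]) if x),
        "drop_code": m.group(1) if m else "",
        "drop_text": m.group(2) if m else "",
        "egress": summary.get("output-interface", ""),
        # NAT rules that matched before the drop: compare against the crypto ACL
        "nat_rules": [c for p in phases if p["type"] == "NAT" for c in p["config"]],
    }


if __name__ == "__main__":
    print(explain_drop(SAMPLE_TRACE))
```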

Similar Messages

  • Input packet drops on uplink port-profile

    Hi,
    I'm using Nexus 1000v and vSphere 5.1;
    I just migrated some physical servers to VM, and I have some weird reporting issues;
    Just to make sure it wasn't a network issue they asked me to verify if anything was overlooked on the Nexus side of things;
    Everything checked out, but I'm seeing a lot of input packet drops on the physical ports of the system uplink port-profile. I double-checked the configs on the VSM and the Catalyst stack and all is configured properly;
    Should I be concerned about these input packet drops that I'm seeing on the VSM on the physical interfaces of my uplink port-profile? If so, could it be the NICs in the ESX host that could be the issue?
    Any feedback would be appreciated;
    Thanks.

    I have the same symptoms on 3 different Nexus 1000v. All 3 run the same version - 4.2(1)SV2(1.1). VMware is 5.0 sp1 and the hardware for ESXi hosts is more or less the same (at least server blade model and CNA).
    We have tried to use vempkt to capture traffic but no traffic is captured if we filter on drops even though the counters on the port-channel and member Ethernet interfaces increase. On the hosts where we tried vempkt we see about 20 drops per second. Here is some info. I have removed some irrelevant stuff.
    NRK-VSM-001# show int po 14
    port-channel14 is up
    Members in this channel: Eth6/3, Eth6/4
    6172 input packet drops <- Increases
    NRK-VSM-001# show mod 6
    Mod  Sw                  Hw     
    6    4.2(1)SV2(1.1)      VMware ESXi 5.0.0 Releasebuild-1024429 (3.0)    
    Mod  Server-IP        Server-UUID                           Server-Name
    6    10.16.1.12       4c4c4544-0034-3010-8036-b4c04f33354a  nrk-vi01-h07.nt.se
    FROM The ESXi
    ~ # vemcmd show port
      LTL   VSM Port  Admin Link  State  PC-LTL  SGID  Vem Port  Type
       19     Eth6/3     UP   UP    F/B*    305     0    vmnic2 
       20     Eth6/4     UP   UP    F/B*    305     0    vmnic3 
    ~ # vempkt show capture info
    Stage : Drop
         LTL : 305
        VLAN : Unspecified
        Filter : Unspecified
    Even if we let the capture run for several minutes we see no drops. I set it to capture 31 packets.
    ~ # vempkt show info
                     Enabled  : Yes
        Total Packet Entries  : 0       <-  Never increases even if the capture is running filtered like above
      Wrapped Packet Entries  : 0
         Lost Packet Entries  : 0
      Skipped Packet Entries  : 560145
    Available Packet Entries  : 14169
         Packet Capture Size  : 88
         Packet Capture Mode  : Un Reliable
    Stop After Packet Entry  : 31
    In our case, could the input drops depend on that we allow vlans from the upstream hardware switch to the VEM that do not exist on the N1000v and that this is the reason we can not capture the dropped packets?
    Any ideas?
    PS: We see drops on uplinks on all VEMs       

  • Customer packet drops issue

    Hi,
    Our customer took a 30Mbps metro link from us. Even at 17Mbps link utilization they are facing packet drops. On our side a policer is implemented for 30Mbps. There are no errors on the customer's or our interfaces, but I can see exceed packets under 'show policy-map interface'. Used maximum Bc. Is the customer required to implement shaping at his end with the same CIR and Bc?
    Regards
    Siva K

    Hi Siva,
    It is not a mandatory rule that the customer should also have the same CIR configured with shaping.
    When the customer has a 30 Mbps circuit SLA with the service provider, he may be able to pump at line rate from the CE side. But on the PE side, it will be policed and excess traffic will be dropped.
    To avoid the customer's traffic getting dropped at the PE, it is advisable to configure shaping at the CE side so that the traffic SLA will be maintained with no or less packet loss.
    Can you post your config and show policy-map interface output with traffic?
    Regards,
    Nagendra

  • Packet drop when clients moving from one Access point to another

    Hi all,
    I am new to wireless. I am using the WS-SVC-WISM-1-K9 WiSM module and 5 access points. When my clients move from one access point to another we get packet drops.
    Could anyone kindly suggest what configuration I need to verify on the controller for proper client roaming so that I can resolve my issues?
    Please let me know if any explanation is required.
    Thanks in advance!
    Regards
    Angus

    For radius authenticated SSIDs, you need WPA2-aes or wpa1-tkip-CCKM. It depends on what the client supports.
    For pre-shared key, any WPA should be decent enough for roaming speed.
    If you're on WEP ... no comment.
    If you covered the above point, check if it's not a coverage problem. If the 2 APs coverage zone are not overlapping there will be a hole where you don't have signal and logically will have packet drops.

  • Wireless AP 1262 getting packet drops while buffering videos for 18 users.

    Hi Team,
    Please help with this issue.
    We have the 1262 access point model and we are getting packet drops when 20 users are connected and the users do video streaming and buffering online.
    Even our AD IP address gets packet drops while the users are connected and using YouTube or some other video sites.
    Please help with this issue.
    Best regards,
    Arun

    Well if you have 802.11n enabled and also have 802.11n capable devices, then you would have max of 144mbps on the 2.4ghz and up to 300mbps on the 5ghz with 40 MHz channels. If you are using 20mhz on the 5ghz you will have the same as the 2.4ghz which is again 144mbps.
    So if you have clients working fine on the 5ghz and its set to 20mhz, then I would look at interference on the 2.4ghz. See if your SNR is low as that will identify a poor 2.4ghz spectrum.
    Sent from Cisco Technical Support iPhone App

  • N7000 : details of packets dropped by COPP policy (class-default) ?

    Hi,
    On one of our N7K, we have some packets dropped by the COPP policy in the class-default class-map. :
    Partial results of "show policy-map interface control-plane" not so long after clearing the counters :
    class-map class-default (match-any)
          set cos 0
          police cir 100 kbps , bc 250 ms
          module 1 :
            conformed 12210790 bytes; action: transmit
            violated 201870 bytes; action: drop
          module 2 :
            conformed 8399646 bytes; action: transmit
            violated 0 bytes; action: drop
          module 3 :
            conformed 34518233 bytes; action: transmit
            violated 6186895 bytes; action: drop
    What would be the best way to figure out what traffic is dropped by the policy ? Is there any logging possible ?
    Thanks,
    Laurent

    There is still no logging possible.
    What can be done is piping the class-default-traffic to some port and then analyze it with wireshark or some similar tool. But as far as I know, this still cannot be done by default - at least with NX-OS 4.2(4) we had to reprogram the module with assistance from TAC. I suggest you contact your support partner in this matter.

  • EEM -automatic shut down or switch over of WAN link in OSPF when packet drop increase

    Hi,
    Need help..
    can any one help me how can EEM help for automatic shut down or switch over of WAN link in OSPF when packet drop increase a predefined level.
    I have a set up different branches connected together...OSPF is the routing protocol and need to communicate with two branches via hub locations.
    need to shut or switch some percent of traffic from primary to back up when packet drop in the link.

    I am not sure EEM can do what you want.
    Another option could be to use SLA tracking/monitoring. But you will fall back to the new route when you lose some percentage of pings; you can't switch only part of the traffic.
    I hope it helps.
    PK

  • Signature 1330 causes packet drops

    Hello Members,
    I see in my IPS-NME module a high number of packet drops because of the following signatures:
    1330-17: TCP segment out of state order
    1330-12: TCP segment is out of order.
    The targets and the attackers are internal hosts.
    Are these signatures triggered because of not properly configured policies, or is this an indicator of problems in the internal network?
    Thanks for your input.
    regards
    alex

    Hello Sid,
    Thanks for your answer. I learned that most of the packets where Signature 1330 triggers are packets from the IPS module to the IPS Express Manager. I added a Wireshark dump to the case.
    That's really odd; I ran a traceroute from the IPS Manager to the IPS Module and vice versa and the flow looks OK to me.
    Trace from the IPS module to the IPS Manager
    # trace 10.0.128.5
    traceroute to 10.0.128.5 (10.0.128.5), 4 hops max, 40 byte packets
    1  172.16.1.9 (172.16.1.9)  1.479 ms  1.327 ms  1.275 ms
    2  172.16.1.1 (172.16.1.1)  3.616 ms  2.952 ms  1.907 ms
    3  10.89.27.10 (10.89.27.10)  2.288 ms  2.044 ms  2.136 ms
    4  10.89.27.21 (10.89.27.21)  8.106 ms  9.148 ms  8.266 ms
    return path
    C:\Users\Administrator.NOS-POC>tracert 172.16.1.11
    Tracing route to 172.16.1.11 over a maximum of 30 hops
      1    <1 ms    <1 ms    <1 ms  10.0.128.1
      2     2 ms     3 ms     2 ms  172.16.2.1
      3     1 ms     1 ms     1 ms  10.89.27.22
      4     9 ms     9 ms     9 ms  10.89.27.9
      5     8 ms     8 ms     8 ms  172.16.1.6
      6     8 ms     8 ms     8 ms  172.16.1.11
    Trace complete.
    trace from the IPS module's gateway
    #traceroute vrf CENTRAL 10.0.128.5 source 172.16.1.9
    Type escape sequence to abort.
    Tracing the route to 10.0.128.5
      1 172.16.1.1 0 msec 0 msec 0 msec
      2 10.89.27.10 0 msec 0 msec 4 msec
      3 10.89.27.21 8 msec 8 msec 8 msec
      4 172.16.2.6 8 msec 8 msec 4 msec
      5 10.0.128.5 4 msec 4 msec 4 msec
    What makes me wonder is that the IPS module doesn't show hops further than 4 hops.
    regards
    alex

  • Monitoring dscp ef packet drops

    Looking for some guidance please.
    I have been tasked by our network team to find a solution to monitor voice traffic specifically for packet drops in dscp ef traffic.
    Thinking of using my cacti box as my first port of call but need to know exactly which OIDs i need to be pulling in.  I have looked at the various mib sets related to qos cos etc.... but to be honest, they are bit daunting for someone who is not familiar in this area.
    Any other options for this would be greatly appreciated - could rmon fulfill this task?
    cheers

    You can troubleshoot the output drops occurring with priority queuing by following the suggestions made in http://www.cisco.com/en/US/tech/tk39/tk51/technologies_tech_note09186a0080103e8a.shtml

  • Packet drops on v490 production server..help us

    Hello...
    We have v490 server with ce0 interface configured.. It gets down frequently & after some packet drops it makes itself up...
    Can anybody tell me what could be the reason behind this problem...
    I have checked switch & router by changing interface cables, still problem persists...no message on /var/adm/messages.
    Thanks in advance
    gmraj

    try a "snoop -d ce0" and verify messages
    also, perhaps the NIC is broken
    also, perhaps the duplex/speed of the NIC isn't set correctly (autoneg, forced, fullduplex, halfduplex etc.) and you have to define it with a "ndd -set "

  • High packet drop over FCoE setup

    We have a Nexus 5k switch connected to a storage array through an FCoE 10GB interface, and a blade chassis that supports FCoE. We are facing huge latency on the traffic flow between the server and the storage. Can someone help me to solve this issue? Also, do we need to set up jumbo frames and modify the MTU size?
    Sent from Cisco Technical Support iPad App

    Aymen,
    MTU should not be an issue.  No need to modify the MTU for regular ethernet traffic, unless you're using IP storage such as iSCSI. 
    Let's narrow down the problem first. 
    1. Do you see packet loss/performance issues on other servers connected to the same N5K(s)?
    2. Are you seeing any packet drops on the N5K interfaces or GATOs ASIC? 
    show interface e1/20 counters errors
    show interface e1/20 flowcontrol
    show interface e1/20 priority-flow-control
    show system internal ethpm errors | egrep Ethernet1/20
    show hardware internal gatos port ethernet 1/20| egrep -i err
    I would check these counters on both the host-facing and array-facing interfaces.
    3. What is the exact array that is FCoE attached?
    4. Do you have a topology diagram?
    5. What are the server side adapters, firmware and driver versions being used (include the OS on the host).
    Regards,
    Robert

  • ASA packet drop

    Hi,
    I want to ask: my ASA5520 is constantly generating some packet drops and we have some problems with a server application, where processing of tasks from client to server takes a long time (sometimes about 15 seconds). Our client application accesses a server through an IPSec VPN tunnel terminated on two ASAs. Our connectivity is about 20Mbit/s to the internet, responses to ping are about 5 ms and our internet load is about 20% on both sides, so I think these parameters are not bad. MTU is configured for 1500 on all interfaces. If this application is on the local network it works with no problems. Long responses occur only through the VPN tunnel.
    Can someone help me with where to search for possible reasons? Is a drop rate of about 2-4 pkts/sec normal behavior on the Outside and Inside interfaces?
    Outside:
            received (in 3089.110 secs):
                    1440158 packets 1318512125 bytes
                    466 pkts/sec    426825 bytes/sec
            transmitted (in 3089.110 secs):
                    1189541 packets 449651676 bytes
                    385 pkts/sec    145560 bytes/sec
          1 minute input rate 660 pkts/sec,  569735 bytes/sec
          1 minute output rate 543 pkts/sec,  194757 bytes/sec
          1 minute drop rate, 2 pkts/sec
          5 minute input rate 541 pkts/sec,  494752 bytes/sec
          5 minute output rate 418 pkts/sec,  115924 bytes/sec
          5 minute drop rate, 2 pkts/sec
    Inside:
            received (in 998799.294 secs):
                    1207809993 packets      733339825912 bytes
                    1002 pkts/sec   734002 bytes/sec
            transmitted (in 998799.294 secs):
                    1200125098 packets      882901742659 bytes
                    1003 pkts/sec   883004 bytes/sec
          1 minute input rate 502 pkts/sec,  179984 bytes/sec
          1 minute output rate 614 pkts/sec,  564726 bytes/sec
          1 minute drop rate, 4 pkts/sec
          5 minute input rate 391 pkts/sec,  108899 bytes/sec
          5 minute output rate 508 pkts/sec,  490840 bytes/sec
          5 minute drop rate, 4 pkts/sec
    DMZ:
            received (in 998799.984 secs):
                    58298524 packets        44825759311 bytes
                    2 pkts/sec      44002 bytes/sec
            transmitted (in 998799.984 secs):
                    46530732 packets        12940381278 bytes
                    3 pkts/sec      12001 bytes/sec
          1 minute input rate 53 pkts/sec,  13049 bytes/sec
          1 minute output rate 49 pkts/sec,  3004 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 36 pkts/sec,  5570 bytes/sec
          5 minute output rate 33 pkts/sec,  1755 bytes/sec
          5 minute drop rate, 0 pkts/sec
    Aggregated Traffic on Physical Interface
    GigabitEthernet0/0:
            received (in 3089.870 secs):
                    1440885 packets 1346005546 bytes
                    466 pkts/sec    435618 bytes/sec
            transmitted (in 3089.870 secs):
                    1190187 packets 474475065 bytes
                    385 pkts/sec    153558 bytes/sec
          1 minute input rate 660 pkts/sec,  582256 bytes/sec
          1 minute output rate 543 pkts/sec,  206077 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 541 pkts/sec,  504955 bytes/sec
          5 minute output rate 418 pkts/sec,  124804 bytes/sec
          5 minute drop rate, 0 pkts/sec
    GigabitEthernet0/1:
            received (in 998800.164 secs):
                    1207813930 packets      757321051733 bytes
                    1002 pkts/sec   758002 bytes/sec
            transmitted (in 998800.164 secs):
                    1200125732 packets      906238831947 bytes
                    1003 pkts/sec   907000 bytes/sec
          1 minute input rate 502 pkts/sec,  190546 bytes/sec
          1 minute output rate 614 pkts/sec,  576442 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 391 pkts/sec,  117300 bytes/sec
          5 minute output rate 508 pkts/sec,  500487 bytes/sec
          5 minute drop rate, 0 pkts/sec
    GigabitEthernet0/2:
            received (in 998800.224 secs):
                    58298526 packets        45904344202 bytes
                    2 pkts/sec      45000 bytes/sec
            transmitted (in 998800.224 secs):
                    46530733 packets        13855555976 bytes
                    3 pkts/sec      13003 bytes/sec
          1 minute input rate 53 pkts/sec,  14097 bytes/sec
          1 minute output rate 49 pkts/sec,  4018 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 36 pkts/sec,  6271 bytes/sec
          5 minute output rate 33 pkts/sec,  2437 bytes/sec
          5 minute drop rate, 0 pkts/sec
    GigabitEthernet0/3:
            received (in 998800.364 secs):
                    0 packets       0 bytes
                    0 pkts/sec      0 bytes/sec
            transmitted (in 998800.364 secs):
                    0 packets       0 bytes
                    0 pkts/sec      0 bytes/sec
          1 minute input rate 0 pkts/sec,  0 bytes/sec
          1 minute output rate 0 pkts/sec,  0 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  0 bytes/sec
          5 minute output rate 0 pkts/sec,  0 bytes/sec
          5 minute drop rate, 0 pkts/sec

    Hi,
    There is no UDP flow limit configured on this firewall:
    asa-hvac# sh local-host router-bacnet
    Interface inside: 3 active, 8 maximum active, 0 denied
    local host: ,
    TCP flow count/limit = 0/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 2/unlimited
    Conn:
    UDP out ctrl-delta-maniwaki:47808 in router-bacnet:47808 idle 0:00:15 flags -
    UDP out ctrl-delta-laurentienne:47808 in router-bacnet:47808 idle 0:00:00 flags -
    Interface outside: 15 active, 33 maximum active, 0 denied
    To answer your second question, when the problem appear, there is the same 2 flows when I issue the "show local-host bacnet-router" command.

  • Packet drop in L2L VPN tunnel

    Hi,
    My ASA5540 has 40 L2L IPsec VPN tunnels to other sites. One of the tunnels often has packet drops (but the tunnel remains up). I called the ISP and confirmed it's not an ISP issue. Is there any method to troubleshoot the issue? What should I look at in the configuration? Any help will be appreciated.
    Thanks

    Verify that the ACL and NAT configurations are correct. Sometimes they may also block the traffic.
    Most Common L2L and Remote Access IPSec VPN Troubleshooting Solutions
    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

  • 4500-packets drop - IOS 12.2.25SG Sup2+

    Q.1. ' sho plat cpu packet stat' output shows Packets were dropped for the reason 'NoFloodPorts'. What does that mean ??
    Packets Dropped In Processing by Reason
    Reason Total 5 sec avg 1 min avg 5 min avg 1 hour avg
    L2DstDrop 3 0 0 0 0
    NoFloodPorts 539467
    Q.2. PacketRaw Buffer is 100% allocated and used. Should I increase it ??
    kbytes % in use kbytes % in use
    PacketBufRaw 20355.00 100% 20355.00 100%

    The NoFloodPorts counter is similar to Color Blocking Logic (CBL) drops on the 6500, which are expected if spanning tree is blocking for a VLAN on a port etc. For example, broadcast, multicast, or unknown unicast might still be received on a blocked port. It is normal to see this counter increment.

  • Packet drops and High CPU on Cisco 3845 Switch

    Hello Experts,
    We are facing a lot of packet drops in our LAN.
    When we try to ping one of the access switches from the CE router, we get the following output:
    pdel1799#ping 10.132.136.17 so 10.132.164.1 si 100 re 500
    Type escape  sequence to abort.
    Sending 500, 100-byte ICMP Echos to 10.132.136.17, timeout  is 2 seconds:
    Packet sent with a source address of  10.132.164.1
    Success  rate is 98 percent (491/500), round-trip min/avg/max = 1/9/44  ms
    pdel1799#
    I have attached some command outputs and the show tech of all switches from the customer.
    I have also attached a diagram, but only the router's IP address is correct in the diagram, while the IP addresses of the switches in the diagram are incorrect. Here are the correct IPs of the switches:
    Core Switch : 10.132.139.2
    Access Switches:
    10.132.136.17
    10.132.136.18
    10.132.136.29
    Apart from packet drops on VLAN 1 we are seeing  high CPU utilization on core switch
    ingur-msl-coresw#sh processes cpu sorted | ex 0.0
    Core 0: CPU utilization for five seconds: 61%; one minute: 45%;  five minutes: 47%
    Core 1: CPU utilization for five seconds: 63%; one minute: 46%;  five minutes: 56%
    Core 2: CPU utilization for five seconds: 36%; one minute: 74%;  five minutes: 69%
    Core 3: CPU utilization for five seconds: 85%; one minute: 69%;  five minutes: 65%
    PID    Runtime(ms) Invoked  uSecs  5Sec     1Min     5Min     TTY   Process
    5638   2374911     23863975 131    52.03    52.24    52.58    1088  fed               
    9227   43623       21191441 182    8.36     5.53     5.71     0     iosd              
    6146   1437288     13888905 56     0.95     0.68     0.70     0     pdsd              
    5639   1292905     86276135 11     0.13     0.13     0.11     0     platform_mgr      
    6161   2831440     20952285 955    0.13     0.12     0.10     0     cpumemd    
    I can get more details required to resolve this, please help!!

    Hi,
    I can see several MAC flaps in the logs provided, i.e. on int gi 1/1/3. Have you verified you don't have any bridging loop occurring on the network?
    Regards,
    Yaseen
