I am getting frequent reports about RDP traffic dropping for 10-20 seconds at a time. Upon inspecting port traffic on our ASA, this is what I found:
*Note: outside int is a single gigabit interface to an L3 switch
*Note: gi0/5 is a single gigabit interface trunking to a core L2 switch
*Note: The above-mentioned switches show no port errors
ASA5515# sh int out det
Interface GigabitEthernet0/0 "Outside", is up, line protocol is up
Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
MTU 1500
1386271557 packets input, 1514697309849 bytes, 0 no buffer
Received 570510 broadcasts, 0 runts, 0 giants
52686 input errors, 0 CRC, 0 frame, 52686 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
603785584 packets output, 221632398587 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (492/362)
output queue (blocks free curr/low): hardware (454/203)
Traffic Statistics for "Outside":
1386196774 packets input, 1489545780829 bytes
603785584 packets output, 210319081779 bytes
20903033 packets dropped
1 minute input rate 3342 pkts/sec, 2478208 bytes/sec
1 minute output rate 3356 pkts/sec, 2252799 bytes/sec
1 minute drop rate, 5 pkts/sec
5 minute input rate 6668 pkts/sec, 7657228 bytes/sec
5 minute output rate 2866 pkts/sec, 1354408 bytes/sec
5 minute drop rate, 5 pkts/sec
Control Point Interface States:
Interface number is 3
Interface config status is active
Interface state is active
ASA5515# sh int gi0/5 | i L2 | error
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
11444613 L2 decode drops
0 output errors, 0 collisions, 0 interface resets
CPU and Memory both seem to be doing fine:
ASA5515# sh cpu
CPU utilization for 5 seconds = 9%; 1 minute: 11%; 5 minutes: 11%
ASA5515# sh memory
Free memory: 3427174896 bytes (80%)
Used memory: 867792400 bytes (20%)
------------- ------------------
Total memory: 4294967296 bytes (100%)
I'm not very familiar with some of the more advanced features of the ASA, so my current plan of action is to create an EtherChannel group on the WAN interface to address the overruns. I'm not even sure what to do about the L2 decode drops; I'm going to start with an audit of our VLANs and make sure that only relevant ones are being sent over that interface.
Am I on the right track?