I have a moderately complex network topology between my external firewall and the internet, as shown below.
Every so often – I haven't found a pattern yet – we're getting a significant degree of packet loss, around 25%. Most of the time it's under .5%. As far as I can tell the only commonality is that all of the dropped traffic is crossing the interface from vpn server Cisco ASA 5505 to gateway router, Cisco 2901.
Edit
In addition to pure dropped packets I'm also looking at response times. Any traffic from gateway router to vpn server or fiber uplink is adding exactly 200 milliseconds compared to a ping that stops one step short.
Since high ping response times are a common indicator of the CPU being maxed out I checked show process cpu, but it only shows about 40% utilization.
Any thoughts?
End Edit
Assuming that the problem does reside on the interface between the ASA and the 2901 I cleared the interface statistics on both devices.
Since then we've had a couple of the periods of increased packet loss. The interface statistics are below, but don't show anything out of the ordinary from my perspective – no malformed or dropped packets, interface resets, etc. The duplex and speed settings match.
What am I missing? All of this hardware is in building, with at least 100 mbps connectivity.
gateway router
show interfaces GigabitEthernet 0/0
GigabitEthernet0/0 is up, line protocol is up
Hardware is CN Gigabit Ethernet, address is a493.4ccc.b218 (bia a493.4ccc.b218)
Internet address is xx.xx.xx.105/28
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 14/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full Duplex, 100Mbps, media type is RJ45
output flow-control is unsupported, input flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters 00:15:51
Input queue: 0/75/0/6427 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 511000 bits/sec, 401 packets/sec
5 minute output rate 5526000 bits/sec, 590 packets/sec
413812 packets input, 83711483 bytes, 0 no buffer
Received 5 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
600299 packets output, 695003736 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
vpn server
show interface ethernet 0/1
Interface Ethernet0/1 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 001e.f76a.a441, MTU not set
IP address unassigned
215073 packets input, 247716476 bytes, 0 no buffer
Received 7 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
39 switch ingress policy drops
148763 packets output, 21509818 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Best Answer
Turned out to be a bad interface on the 5505 vpn server. We recabled and things have been rock solid ever since.