Cisco Cisco Web Security Appliance S670 Troubleshooting Guide

Contributed by Cisco TAC Engineers.
Aug 12, 2014

Why is the interface at Half−Duplex even though both sides are set to Full−Duplex?

Both the switch and appliance are set to use Full−Duplex, but the appliance shows Half−Duplex when
viewing etherconfig −> media.

For example:

1. Data 1 (100baseTX full−duplex: <100baseTX half−duplex>) 00:0f:1f:6a:ed:7a

Cisco Email Security Appliance (ESA), Web Security Appliance (WSA), Security Management Appliance
(SMA), and all versions of AsyncOS.

This will happen if Full−Duplex cannot be negotiated in a timely manner and the network card on the
appliance falls back to half−duplex. Even when you set your email/web security appliance to use
Full−Duplex, it must still "confirm" that it can communicate in Full−Duplex mode with the Ethernet card it is
connected to on the switch. Despite disabling Autonegotiate, if either side cannot confirm the setting, it will
always fall back to the slower, though more universally acceptable "Half−Duplex" setting.

In most cases, a reboot of the appliance will bring it back to Full−Duplex. If the switch is a Cisco Catalyst,
use Autoselect so that a longer negotiation can take place and successfully bring you to Full−Duplex every
time the system comes up.

Refer to Troubleshooting Cisco Catalyst Switches to NIC Compatibility Issues for more information.

We have seen Autoselect work more reliably with some other network devices as well.

Updated: Aug 12, 2014

Document ID: 118225