Cisco ASA for Nexus 1000V Series Switch Troubleshooting Guide

Traffic Profile Processed Periodically Oversubscribes the ASA
Depending on the traffic profile, the traffic that flows through the ASA might be more than
it can handle, and overruns might occur.
The traffic profile consists of (among other aspects):
 - Packet size
 - Inter-packet gap (packet rate)
 - Protocol - some packets are subjected to application inspection on the ASA and require more
   processing than other packets
These ASA features can be used in order to identify the traffic profile on the ASA:
 - the ASA can be configured to export NetFlow version 9 records to a NetFlow
collector. This data can then be analyzed to understand more about the traffic profile.
connection rates, and translation rates. The information can then be analyzed in order to
understand the traffic pattern and how it changes over time. Try to determine if there is a spike
in traffic rates that correlates to an increase in the overruns, and the cause of that traffic spike.
There have been cases in the TAC where devices on the network misbehave (due to
misconfiguration or virus infection) and generate a flood of traffic periodically.
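
The correlation check described above, as an added example (not from the original guide): it turns periodic snapshots of interface counters into per-interval packet rates and overrun deltas, then labels each interval in which overruns grew. The sample data is constructed, the counter line layout is assumed to match `show interface` output, and the 2x-median spike threshold is an arbitrary assumption.

```python
import re
from statistics import median

PKTS_RE = re.compile(r"(\d+) packets input")
OVERRUN_RE = re.compile(r"(\d+) overrun")

def _sample(pkts, overruns):
    """Build a constructed excerpt shaped like the input-counter lines."""
    return (f"\t{pkts} packets input, {pkts * 500} bytes, 0 no buffer\n"
            f"\t{overruns} input errors, 0 CRC, 0 frame, {overruns} overrun, "
            "0 ignored, 0 abort\n")

# Constructed data: (seconds since first poll, counter excerpt), polled every 60 s.
SAMPLES = [(0, _sample(1_000_000, 0)), (60, _sample(1_600_000, 0)),
           (120, _sample(2_200_000, 0)), (180, _sample(5_200_000, 1200)),
           (240, _sample(5_800_000, 1200)), (300, _sample(6_400_000, 1235))]

def parse_counters(text):
    """Return (packets_input, overruns) from one counter excerpt."""
    pkts, ovr = PKTS_RE.search(text), OVERRUN_RE.search(text)
    if not pkts or not ovr:
        raise ValueError("input counters not found in sample")
    return int(pkts.group(1)), int(ovr.group(1))

def intervals(samples):
    """Convert cumulative snapshots into per-interval rate and overrun growth."""
    rows = []
    for (t0, s0), (t1, s1) in zip(samples, samples[1:]):
        (p0, o0), (p1, o1) = parse_counters(s0), parse_counters(s1)
        if t1 <= t0 or p1 < p0 or o1 < o0:
            continue  # counters were cleared or the device reloaded: skip
        rows.append({"start": t0, "end": t1,
                     "pps": (p1 - p0) / (t1 - t0), "overruns": o1 - o0})
    return rows

def classify(rows, spike_factor=2.0):
    """Label intervals where overruns grew: 'spike' if the average packet rate
    is at least spike_factor x the median rate, otherwise 'no-spike' (a burst
    shorter than the poll interval is averaged out and will not show here)."""
    if not rows:
        return []
    base = median(r["pps"] for r in rows)
    return [(r["start"], r["end"], r["overruns"],
             "spike" if r["pps"] >= spike_factor * base else "no-spike")
            for r in rows if r["overruns"] > 0]

if __name__ == "__main__":
    for start, end, grown, label in classify(intervals(SAMPLES)):
        print(f"{start:>4}-{end:<4}s overruns +{grown:<5} {label}")
```
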
Intermittent Packet Bursts Oversubscribe the ASA Interface FIFO Queue
A burst of packets that arrive on the NIC could cause the FIFO to become filled before the CPU
can pull the packets off of it. There usually is not much that can be done in order to solve this
problem, but it can be mitigated by the use of QoS in the network to smooth out the traffic bursts,
or flow control on the ASA and the adjacent switchports.
Flow control is a feature that allows the ASA's interface to send a message to the adjacent device
(a switchport for example) in order to instruct it to stop sending traffic for a short amount of time. It
does this when the FIFO reaches a certain high water mark. Once the FIFO has been freed up
some amount, the ASA NIC sends a resume frame, and the switchport continues to send traffic.
This approach works well because the adjacent switchports usually have more buffer space and
can do a better job buffering packets on transmit than the ASA does in the receive direction.
You can try to enable captures on the ASA to detect the traffic micro-bursts, but usually this is not
helpful since the packets are dropped before they can get processed by the ASA and added to the
capture in memory. An external sniffer can be used to capture and identify the traffic burst, but
sometimes the external sniffer can be overwhelmed by the burst as well.
Enable Flow Control to Mitigate Interface Overruns
The flow control feature was added to the ASA in version 8.2(2) and later for 10GE interfaces, and
version 8.2(5) and later for 1GE interfaces. The ability to enable flow control on ASA interfaces
that experience overruns proves to be an effective technique to prevent packet drop occurrences.
Refer to the 
 for more
information.