Cisco ASA 5540 Adaptive Security Appliance Troubleshooting Guide

TCP stream coalescing is a technical consideration specific to this problem because, when you
engage certain features on the ASA, the firewall fully coalesces the TCP stream that passes
through it.
 
For example, if the ASA discovers a missing packet on the network (since it is not received at the
ASA), it sends an ACK on behalf of the other TCP endpoint for the missing data. This scenario is
most common. If the ASA discovers packets that arrive out of order, the ASA reorders the packets
and passes them to the receiver in the proper order. If there are no network drops or packet
reordering, there are no side effects to enabling this feature. If all the packets sent by either TCP
endpoint successfully passed through the network and the ASA, you would not know this feature is
enabled since it does not take action on the packet flows. Only when there is trouble with the TCP
connection on the network will enabling this feature further slow down network traffic. The act of
coalescing the TCP stream is very resource intensive for the ASA. For every packet dropped on
the network, the ASA must not only send a TCP packet to request the retransmission of that packet,
but it must also buffer the packets that the sender continued to send after the packet went missing.
 
 
Common Problems
 
Misconfigured Speed and Duplex Values on Interface that Connects ASA to Adjacent Device
 
This issue often occurs when a device is replaced by an ASA. If the speed and duplex values on
the ASA interface are not the same as the values on the adjacent device, packet drops occur on
that interface. Check the speed and duplex values on the ASA interface as well as the adjacent
interface.
 
Check the show interface output of the ASA for obvious errors that are symptoms of this problem:
 
Interface Ethernet0/0 "Outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps
        Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
        MAC address 0019.2f58.c324, MTU 1500
        IP address 192.168.222.122, subnet mask 255.255.255.252
        124047996 packets input, 35340918453 bytes, 0 no buffer
        Received 3 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        156918660 packets output, 40931551514 bytes, 0 underruns
        1 output errors, 4286634 collisions, 0 interface resets
        0 babbles, 123332 late collisions, 4752834 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (0/0) software (0/0)
        output queue (curr/max blocks): hardware (0/245) software (0/0)
  Traffic Statistics for "Outside":
        124047995 packets input, 33107957301 bytes
        157041993 packets output, 38195084709 bytes
        103480 packets dropped
      1 minute input rate 2140 pkts/sec,  477200 bytes/sec
      1 minute output rate 2630 pkts/sec,  396763 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 2152 pkts/sec,  525496 bytes/sec
      5 minute output rate 2701 pkts/sec,  421215 bytes/sec
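
The check on the show interface output can be scripted across many interfaces. The following Python is an added example, not Cisco code and not part of the original guide; the function names, the finding rules and the 1% collision threshold are assumptions, and the sample text is abridged from the output shown above.

```python
import re

# Constructed sample: lines abridged from the "show interface" output above.
SAMPLE = '''Interface Ethernet0/0 "Outside", is up, line protocol is up
        Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
        156918660 packets output, 40931551514 bytes, 0 underruns
        1 output errors, 4286634 collisions, 0 interface resets
        0 babbles, 123332 late collisions, 4752834 deferred
'''

COUNTERS = ("packets output", "collisions", "late collisions", "deferred")


def parse_interface(text):
    """Pull the duplex setting and collision-related counters out of the text."""
    info = {name: 0 for name in COUNTERS}
    m = re.search(r"(\w+)-Duplex\((\w+)-duplex\)", text)
    info["configured"] = m.group(1).lower() if m else None   # "auto" here
    info["operating"] = m.group(2).lower() if m else None    # "half" here
    for name in COUNTERS:
        # Anchor on line start or a comma so "collisions" does not also
        # pick up the number that belongs to "late collisions".
        m = re.search(r"(?:^|,)\s*(\d+) " + re.escape(name) + r"\b", text, re.M)
        if m:
            info[name] = int(m.group(1))
    return info


def duplex_findings(info):
    """Return readable symptoms; the rules are this example's assumptions."""
    findings = []
    if info["configured"] == "auto" and info["operating"] == "half":
        findings.append("auto-negotiation settled on half duplex; "
                        "compare with the adjacent device")
    if info["late collisions"]:
        findings.append(f"{info['late collisions']} late collisions")
    if info["operating"] == "full" and info["collisions"]:
        findings.append("collisions counted on a full-duplex interface")
    if info["packets output"]:
        pct = 100 * info["collisions"] / info["packets output"]
        if pct >= 1.0:  # assumed threshold, not a Cisco figure
            findings.append(f"collisions are {pct:.2f}% of packets output")
    return findings


if __name__ == "__main__":
    for line in duplex_findings(parse_interface(SAMPLE)):
        print("WARN:", line)
```

The counters are cumulative, so compare two runs taken some minutes apart to confirm that collisions are still increasing.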