[c-nsp] ASA5520 latency & OSPF drops

John Kougoulos john.kougoulos at gmail.com
Sat Feb 1 16:30:24 EST 2014


Hi,

Since you don't lose the OSPF session between 5520 and 2921, I would say
that this is not related to ASA CPU, DoS from Internet etc.

This would also suggest that 2950G in general works ok. The vlan that
connects 3750 to 5520 exists only in 2950G and only these 2 devices are
connected? Would it be possible that there is some kind of spanning tree
instability issue in this VLAN that causes this?

Other than this, I would watch the ASA logs carefully, possibly upgrade to
the latest 8.2 in case there is a bug that could lead to some kind of
blocking of the input queue.

Also I think there is a "show memory xxx" command that allows you to see
how much memory is allocated / freed per process since boot. This might
give you a hint on which process allocates these few megabytes when the
issue occurs.


Regards,
John



On Sat, Feb 1, 2014 at 8:39 PM, Adam Greene <maillist at webjogger.net> wrote:

> Octavio,
>
> > What about pings from the external world to the ASA?
>
> These appear normal, since the ASA5520---2921 OSPF session is not dropping.
>
> > Also, I'd increase logging verbosity to a Syslog server with an interface
> > connected to each side of the ASA.
>
> Good idea.
>
> > And I'd also be prepared to do a packet capture on both sides of the ASA
> > for the next time it happens.
>
> Tough since they occur so sporadically, and up to now have been relatively
> brief. I wonder if there is some way to trigger a capture upon a specific
> event occurring. Or maybe we will just have to keep tons of logs which roll
> over, and hope we catch something. We generally have about 40Mbps pumping
> through the unit. That's a lot of data, and a fast rollover.
>
> > You mention spares (I assume cold spares) but also OSPF, do you have your
> > devices HA?
>
> Yes, cold spares. Devices are not HA. I have seen posts about OSPF failing
> in 8.2 when the active host of a failover pair fails, due to a bug, but
> that doesn't seem to be our case here as far as I can tell.
>
> Any other ideas welcome.
>
> Sounds like people's thoughts are tending toward DoS ...
>
> Thanks,
> Adam
>
>
> -----Original Message-----
> From: Octavio Alvarez [mailto:alvarezp at alvarezp.ods.org]
> Sent: Saturday, February 01, 2014 1:24 PM
> To: Adam Greene
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] ASA5520 latency & OSPF drops
>
> On 02/01/2014 08:27 AM, Adam Greene wrote:
>
> > Every so often (it started three months ago, about once per month, now
> > it's about once per week, but it's not regular), we're getting very
> > high latency on pings from our Internal Network to the ASA5520, and
> > the OSPF adjacency between the 3750 and the ASA5520 is dropping. The
> > issue was lasting about 60 seconds each time up to this morning, when it
> > lasted about 3 hours. Ugh!
> >
> > Pings from the Internal Network to the 3750 and 2950G are fine.
>
> What about pings from the external world to the ASA?
>
> Also, I'd increase logging verbosity to a Syslog server with an interface
> connected to each side of the ASA.
>
> And I'd also be prepared to do a packet capture on both sides of the ASA
> for the next time it happens.
>
> You mention spares (I assume cold spares) but also OSPF, do you have your
> devices HA?
>

