HellAll, Just to spread the solution...
It was neither cables nor network speed as I knew. When the problem is network speed the errors increase instead. The problem was with the firmware throughtput configuration. This Firewall is under a tons of traffic and a parameter have been changed to solve. I saw that the dropped packets that appears on "ifconfig" was the same as rx_fw_discard statistic of "ethtool -S" command. It happens when the firmware cannot handle all the packets that is receiving. However, the physical device and the kernel can handle more, but to do that a parameter needs to be changed. The default is low because it increase the memory consuption and 99% of the linux instalations does not need more. But, in my case it is a huge firewall. Running the command "ethtool -g" it is possible to see what is the maximum supported and what is actually configured. I'm talking about RX Ring Parameters. My interface was configured with 100. I changed to 1020 (max.). The command to change is "ethtool -G". Be careful, because when I changed it has flipped the active Firewall and reseted the counters,so I think it restarted my interface. I flipped back the Firewall and waited to see what is going on. Bingo! No more dropped packets. Bye! - Allan Klaus On Fri, May 8, 2009 at 10:04 AM, Pierre Lamy <[email protected]> wrote: > It depends on what OS you're using, and the line rate you should be > measuring is in pps rather than speed in mb. > > Make sure that the system is well tuned, there are many documents on SK > related to this. For example SecureXL - fwaccel stat/stats/stats -s > > Pierre > > > Allan Zeidler wrote: > >> Yes, I opened a change request to replace the cables and force the network >> speed. >> >> It will be done tonight. >> - >> Allan Klaus >> >> >> On Thu, May 7, 2009 at 11:33 AM, M. N. <[email protected]> wrote: >> >> >> >>> Hi Allan, >>> Would it possible for you to force it down to 100 mbit at both ends and >>> see >>> if you experience any packet loss? >>> >>> >>> >>> >>> -----Original Message----- >>> From: Mailing list for discussion of Firewall-1 >>> [mailto:[email protected]] On Behalf Of Allan >>> Zeidler >>> Sent: May-07-09 10:10 AM >>> To: [email protected] >>> Subject: [FW-1] Interface dropped packets increasing >>> >>> Hello, >>> >>> I'm having a problem with dropped packets in the interface. My network is >>> 1Gbps for both Switch port and FW NIC. The switch load is running around >>> 10% >>> of the network load. Is there a way to know which packets are being >>> dropped? >>> It is a lot per second, like 300 packets dropped per second, out of >>> control. >>> >>> I thought it could be auto-negotiation, but when it is the problem is >>> different...it increases the errors statistics. >>> >>> Thank you. >>> >>> - >>> Allan Klaus >>> >>> ================================================= >>> To set vacation, Out-Of-Office, or away messages, >>> send an email to [email protected] >>> in the BODY of the email add: >>> set fw-1-mailinglist nomail >>> ================================================= >>> To unsubscribe from this mailing list, >>> please see the instructions at >>> http://www.checkpoint.com/services/mailing.html >>> ================================================= >>> If you have any questions on how to change your >>> subscription options, email >>> [email protected] >>> ================================================= >>> >>> >>> Scanned by Check Point Total Security Gateway. >>> >>> ================================================= >>> To set vacation, Out-Of-Office, or away messages, >>> send an email to [email protected] >>> in the BODY of the email add: >>> set fw-1-mailinglist nomail >>> ================================================= >>> To unsubscribe from this mailing list, >>> please see the instructions at >>> http://www.checkpoint.com/services/mailing.html >>> ================================================= >>> If you have any questions on how to change your >>> subscription options, email >>> [email protected] >>> ================================================= >>> >>> >>> >> >> ================================================= >> To set vacation, Out-Of-Office, or away messages, >> send an email to [email protected] >> in the BODY of the email add: >> set fw-1-mailinglist nomail >> ================================================= >> To unsubscribe from this mailing list, >> please see the instructions at >> http://www.checkpoint.com/services/mailing.html >> ================================================= >> If you have any questions on how to change your >> subscription options, email >> [email protected] >> ================================================= >> >> > > Scanned by Check Point Total Security Gateway. > > ================================================= > To set vacation, Out-Of-Office, or away messages, > send an email to [email protected] > in the BODY of the email add: > set fw-1-mailinglist nomail > ================================================= > To unsubscribe from this mailing list, > please see the instructions at > http://www.checkpoint.com/services/mailing.html > ================================================= > If you have any questions on how to change your > subscription options, email > [email protected] > ================================================= > ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [email protected] =================================================
