Applies To:

Show Versions Show Versions

sol10191: Troubleshooting packet drops
TroubleshootingTroubleshooting

Original Publication Date: 07/15/2009
Updated Date: 04/29/2014

When administering network devices, such as switches or routers, it is important to understand the causes of packet drops. Not all devices drop packets for the same reason, and drops are not always indicative of an issue with the device; in some cases, packet drops may be expected behavior. For example, the BIG-IP system may intentionally drop packets in certain situations, such as when a BIG-IP interface receives a frame that contains an invalid VLAN ID. However, in other instances, packet drops may indicate an issue with the configuration or the device itself. For example, a BIG-IP interface drops packets that contain frame check sequence (FCS) errors. A high ratio of FCS errors may be a sign of a configuration issue, such as a duplex mismatch.

In addition, packet drops may occur at various stages of processing on the BIG-IP system; packets can be dropped by the BIG-IP interface or discarded by the Traffic Management Microkernel (TMM). For example, when a packet arrives at a BIG-IP interface containing an invalid VLAN ID, the switch chip drops the packet and the system increments the drop counter for the interface. When a packet arrives at the BIG-IP system with the destination IP address matching a virtual server, but containing a non-matching service port, the switch chip accepts the packet but the TMM discards the packet.

Packets dropped by the interface

You can use command line utilities to monitor packets dropped by a BIG-IP interface; however, the command output does not indicate a reason for the drops. The following commands report the total numbers of packets dropped by the interface:

  • tmsh show /net interface (11.x)
  • bigpipe interface show all (9.x - 10.x) 

An understanding of how packets flow through the switch chip is helpful when discussing packets dropped by the interface. Packets flow through the BIG-IP switch chip in the following sequence:

  • Ingress

    The ingress logic determines how a packet is processed when it is received by the device. The ingress logic accepts the packet, determines the egress port to which the packet will be sent, and passes the packet to the memory management unit (MMU) for processing.

  • MMU

    The MMU manages the internal/external packet buffering for the switch and schedules the packet for transmission.

  • Egress

    The egress logic requests packets from the MMU and transmits to the egress port.

Ingress Drops

In general, when an ingress packet arrives at a BIG-IP interface, the switch chip must determine whether to buffer the packet, drop the packet, or drop another packet to make room.

The BIG-IP command line utilities include an input drop counter that reports when a frame is dropped by the switch chip. The following table lists some of the reasons why a packet can be dropped at the switch chip:

Drop reason Description Possible cause
VLAN ID The interface drop counter increments when an ingress packet is dropped due to an invalid VLAN ID. Frames contain a VLAN tag that is not configured on the port.
Unknown packet The interface drop counter increments when an ingress packet is dropped due to an unknown traffic type.
A network device is sending unknown packets.
FCS When an ingress packet contains a frame check sequence (FCS) error, the interface will drop the packet. Corrupt frames exist.
A duplex mismatch exists.
Port flooding The BIG-IP switchboard will drop a frame if the dynamic forwarding database (FDB) indicates that the egress port for the frame is the same as the ingress port. For example, if the switchboard receives a frame on port 1.1, destined for MAC address 02:10:01:f5:f5:f5, and the switchboard has already learned that MAC address 02:10:01:f5:f5:f5 resides on port 1.1, it will drop the frame.
The upstream switch receives a frame destined for a MAC address not in its address table and subsequently floods the frame out all of its ports.

In BIG-IP 9.x, in addition to the above drops, the bigpipe interface command input drop counter also reports buffer exhaustion drops.

Egress Drops

In BIG-IP 9.4.7 and later, the bigpipe interface (9.x - 10.x) and tmsh show /net interface (11.x) commands output drop counter reports packets dropped due to buffer exhaustion:

Drop reason Description Possible cause
Buffer exhaustion Egress ports have an HOL (head-of-line) register that defines total buffer space that the port can consume before entering an HOL condition. The interface drop counter increments when the egress port buffer is full and the switch tells the ingress port(s) to drop packets destined for the egress port. The link is oversubscribed.

In BIG-IP 9.x, the bigpipe interface command output drop counter is always zero, since the BIG-IP system does not drop packets on transmission.

Packets dropped by the TMM

Once the packet is passed to the TMM, the TMM must decide whether to process the packet or drop the packet. You can view packets dropped by the TMM by using the following commands:

  • tmsh show /sys ip-stat, or tmsh show /sys tmm-traffic  (11.x)
  • bigpipe ip, or bigpipe tmm (9.x - 10.x)

The following table lists some of the reasons that packets can be dropped by the TMM:

IP drop reason Description Possible cause
Virtual server match A packet arriving at the BIG-IP system with the destination IP address matching a virtual server, but containing a non-matching service port, will be dropped by the IP filter and the bigpipe ip drop counter will increment. For more information, refer to SOL13151: Configuring the rate at which the BIG-IP system issues TCP RSTs or ICMP unreachable packets (11.x). Misconfigured client
IP version number The IP drop counter increments when a packet contains an incorrect or invalid IP version number and the IP filter drops packet. Corrupt packet
Checksum The IP drop counter increments when a packet contains an invalid L3 checksum and the IP filter drops the packet. Corrupt packet
IP option The IP drop counter increments when a packet contains an IP option. If the TM.AcceptIPOptions BigDB key is set to enable, the system accept IPv4 packets with IP options. Client performing debug, security test
Length The IP drop counter increments when a packet contains an invalid L3 length field. Corrupt packet
Protocol The IP drop counter increments when a packet contains an invalid L3 protocol field. Corrupt packet
Maintenance The IP drop counter increments when a new request arrives for a traffic management object and the IP filter drops the packet because the system is in maintenance mode. Maintenance mode is enabled on the BIG-IP system
Connection limit The IP drop counter increments when a new request arrives for a virtual server and the IP filter drops the packet because the connection limit was reached. A connection limit is enabled for the virtual server
License The IP drop counter increments when a new request arrives for a virtual server and the IP filter drops the packet because of a licensing issue. The license is not activated or installed

 

Known issues

BIG-IP packet drops may be the result of a known issue. For more information, refer to the following table:

Article Description
SOL5682 The dropped packet counter behavior is different on some BIG-IP platforms.
SOL9203 A trunk interface drops a small number of frames during link recovery.
SOL9792 BIG-IP platforms containing a Packet Velocity ASIC chip show packet loss on the internal links.
SOL9797 The bigpipe interface command does not include HOL packet drops.
SOL8894 The BIG-IP drops TCP RST packets with sequence numbers that do not match the last acknowledged sequence number.
SOL10290 The BIG-IP system drops packets containing double 802.1q VLAN tags.
SOL9317 The BIG-IP system may drop packets when more than eight different MAC masquerade addresses are defined.
SOL11096 The BIG-IP system may incorrectly drop a RST packet for an established flow when the system is holding a pending ACK.
SOL12375 Running the tcpdump command on an interface may cause the BIG-IP system to drop STP BPDU frames.

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)