...
All egress packets on all port-channel interfaces are silently dropped when the priority-queue command is applied to even a single port-channel interface:

firewall# show nameif
Interface                Name                     Security
Management1/1            management               100
Port-channel2            inside                   10
Port-channel3            outside                  0

firewall# show run | i priority
priority-queue inside

One or more of the following symptoms are observed:

1. The Tail Drops counter in the output of the show priority-queue statistics command eventually increases, while Packets Transmit stays far below Packets Enqueued and the queue remains full:

firewall# show priority-queue statistics
Priority-Queue Statistics interface inside

(Uplink statistics is displayed for all TenGigabitEthernet interfaces)
  Queue Type         = BE
  Tail Drops         = 241786   <===
  Reset Drops        = 0
  Packets Transmit   = 184
  Packets Enqueued   = 4800
  Current Q Length   = 4800
  Max Q Length       = 0

(Uplink statistics is displayed for all TenGigabitEthernet interfaces)
  Queue Type         = LLQ
  Tail Drops         = 0
  Reset Drops        = 0
  Packets Transmit   = 0
  Packets Enqueued   = 0
  Current Q Length   = 0
  Max Q Length       = 0

2. Egress packets are visible in the data plane (Lina) data interface captures, but are not visible in the internal switch uplink interface packet captures. Refer to https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/218105-configure-and-verify-secure-firewall-and.html#anc33 for packet capture configuration on the internal interfaces.

3. In a high availability (HA) configuration, interface testing for monitored interfaces runs continuously, the interface status becomes Undetermined and/or Passed, and failover communication with the peer unit is periodically lost:

May 29 2023 06:44:19: %ASA-1-105008: (Secondary) Testing Interface inside
May 29 2023 06:44:24: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface outside
May 29 2023 06:44:24: %ASA-1-105008: (Secondary) Testing Interface outside
May 29 2023 06:44:24: %ASA-1-105009: (Secondary) Testing on interface outside Passed
May 29 2023 06:44:26: %ASA-1-105009: (Secondary) Testing on interface inside Status Undetermined
May 29 2023 06:44:39: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface outside
May 29 2023 06:44:39: %ASA-1-105008: (Secondary) Testing Interface outside
May 29 2023 06:44:39: %ASA-1-105009: (Secondary) Testing on interface outside Passed
May 29 2023 06:44:54: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface outside
May 29 2023 06:44:54: %ASA-1-105008: (Secondary) Testing Interface outside
May 29 2023 06:44:54: %ASA-1-105009: (Secondary) Testing on interface outside Passed
May 29 2023 06:45:04: %ASA-1-105008: (Secondary) Testing Interface inside
May 29 2023 06:45:09: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface outside
May 29 2023 06:45:09: %ASA-1-105008: (Secondary) Testing Interface outside
First seen when all of the following conditions are met:

- Secure Firewall 3100 running ASA 9.19.1 in HA, with port-channel interfaces.
- The priority-queue command is configured for one or more port-channel interfaces.
- The firewall originates packets from the data path engine (Lina), for example NTP or Syslog packets.
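The following script is an added triage helper, not part of this bug entry or of any Cisco tool. It takes the text of show nameif, show run | i priority and show priority-queue statistics (here constructed samples modelled on the output above) and flags the two things that together indicate this defect: priority-queue applied to a nameif that maps to a Port-channel, and a queue whose Tail Drops grow while Current Q Length stays at Packets Enqueued (nothing drains). The "stalled queue" test and the 105005 syslog counter are heuristics chosen for this example, not thresholds published by Cisco.

```python
import re
from collections import Counter

# Constructed sample output, modelled on the bug entry (not captured from a real device).
SHOW_NAMEIF = """\
Interface                Name                     Security
Management1/1            management               100
Port-channel2            inside                   10
Port-channel3            outside                  0
"""

SHOW_RUN_PRIORITY = "priority-queue inside\n"

SHOW_PQ_STATS = """\
Priority-Queue Statistics interface inside

(Uplink statistics is displayed for all TenGigabitEthernet interfaces)
  Queue Type         = BE
  Tail Drops         = 241786
  Reset Drops        = 0
  Packets Transmit   = 184
  Packets Enqueued   = 4800
  Current Q Length   = 4800
  Max Q Length       = 0

(Uplink statistics is displayed for all TenGigabitEthernet interfaces)
  Queue Type         = LLQ
  Tail Drops         = 0
  Reset Drops        = 0
  Packets Transmit   = 0
  Packets Enqueued   = 0
  Current Q Length   = 0
  Max Q Length       = 0
"""

# Constructed failover syslog sample (three 105005 events, 15 s apart, as on the page).
SYSLOG = """\
May 29 2023 06:44:24: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface outside
May 29 2023 06:44:39: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface outside
May 29 2023 06:44:54: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface outside
May 29 2023 06:45:04: %ASA-1-105008: (Secondary) Testing Interface inside
"""


def parse_nameif(text):
    """Map nameif -> interface from 'show nameif' (header line skipped)."""
    mapping = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 3:
            mapping[parts[1]] = parts[0]
    return mapping


def parse_priority_queue(text):
    """Return the set of nameifs that have 'priority-queue <nameif>' configured."""
    return set(re.findall(r"^priority-queue\s+(\S+)", text, re.M))


def parse_pq_stats(text):
    """Return {interface: {queue_type: {counter_name: int}}} from 'show priority-queue statistics'."""
    stats, iface, queue = {}, None, None
    for line in text.splitlines():
        m = re.match(r"Priority-Queue Statistics interface (\S+)", line)
        if m:
            iface, queue = m.group(1), None
            stats[iface] = {}
            continue
        m = re.match(r"\s*(.+?)\s*=\s*(\S+)", line)
        if not m or iface is None:
            continue
        key, val = m.group(1), m.group(2)
        if key == "Queue Type":
            queue = val
            stats[iface][queue] = {}
        elif queue is not None:
            stats[iface][queue][key] = int(val)
    return stats


def pq_on_port_channel(nameif_text, run_text):
    """Nameifs with priority-queue that sit on a Port-channel: the trigger for this defect."""
    nameif = parse_nameif(nameif_text)
    return sorted(n for n in parse_priority_queue(run_text)
                  if nameif.get(n, "").startswith("Port-channel"))


def stalled_queues(stats_text):
    """Queues with tail drops whose current length equals everything ever enqueued (heuristic)."""
    found = []
    for iface, queues in parse_pq_stats(stats_text).items():
        for qtype, c in queues.items():
            drops, enq, cur = c.get("Tail Drops", 0), c.get("Packets Enqueued", 0), c.get("Current Q Length", 0)
            if drops > 0 and enq > 0 and cur >= enq:
                found.append((iface, qtype))
    return found


def lost_failover_counts(syslog_text):
    """Count %ASA-1-105005 events per interface; a steady stream points at the egress drop."""
    pat = re.compile(r"%ASA-1-105005: .*on interface (\S+)")
    return Counter(m.group(1) for m in map(pat.search, syslog_text.splitlines()) if m)


if __name__ == "__main__":
    print("priority-queue on port-channel nameifs:", pq_on_port_channel(SHOW_NAMEIF, SHOW_RUN_PRIORITY))
    print("stalled queues:", stalled_queues(SHOW_PQ_STATS))
    print("105005 per interface:", dict(lost_failover_counts(SYSLOG)))
```

Run it against saved command output from the unit; a non-empty result from pq_on_port_channel together with a stalled BE queue on the same nameif matches the symptom and conditions above, and the next step is the workaround below.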
Workaround: remove the priority-queue command from the affected interface:

firewall(config)# show run | i prio
priority-queue inside
firewall(config)# no priority-queue inside
The fix of this defect removes the priority-queue command from the Secure Firewall Threat Defense (FTD). Refer to the documentation defect CSCwi60122 and the enhancement request CSCvf10507.