Can someone explain to me what this mean?

[cciesec2006]

Why ethtool and mii-tool shows different duplex on the interface?
Which one has correct value besides logging into the switchport
and confirm?

[Expert@SPLATGW2]# uname -a
Linux SPLATGW2 2.4.9-42cp #1 Wed Nov 19 19:54:48 GMT 2003 i686 unknown
[Expert@SPLATGW2]# fw ver
This is Check Point VPN-1(TM) & FireWall-1(R) NG with Application Intelligence (R55) HFA_17, Hotfix 670 - Build 005
[Expert@SPLATGW2]#
[Expert@SPLATGW2]# /sbin/ethtool -s eth0 speed 100 duplex full autoneg off
[Expert@SPLATGW2]# /sbin/ethtool -s eth1 speed 100 duplex full autoneg off
[Expert@SPLATGW2]# /sbin/ethtool -s eth2 speed 100 duplex full autoneg off
[Expert@SPLATGW2]# mii-tool
eth0: 100 Mbit, full duplex, link ok
eth1: 100 Mbit, full duplex, link ok
eth2: 100 Mbit, full duplex, link ok
[Expert@SPLATGW2]# ethtool eth0
Settings for eth0:
Supported ports: [ TP MII ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Advertised auto-negotiation: No
Speed: 100Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 1
Transceiver: internal
Auto-negotiation: off
Supports Wake-on: d
Wake-on: d
Link detected: yes
[Expert@SPLATGW2]# ethtool eth1
Settings for eth1:
Supported ports: [ TP MII ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Advertised auto-negotiation: No
Speed: 100Mb/s
Duplex: Half
Port: Twisted Pair
PHYAD: 1
Transceiver: internal
Auto-negotiation: off
Supports Wake-on: d
Wake-on: d
Link detected: yes
[Expert@SPLATGW2]# ethtool eth2
Settings for eth2:
Supported ports: [ TP MII ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Advertised auto-negotiation: No
Speed: 100Mb/s
Duplex: Half
Port: Twisted Pair
PHYAD: 1
Transceiver: internal
Auto-negotiation: off
Supports Wake-on: d
Wake-on: d
Link detected: yes
[Expert@SPLATGW2]#

[cciesec2006]

Additional info:

On Catalyst 2960:

C2960#sh int g0/10
GigabitEthernet0/10 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is 0019.551b.d60a (bia 0019.551b.d60a)
Description: NGx R65 GW1 eth0
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:09, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 1000 bits/sec, 2 packets/sec
5 minute output rate 44000 bits/sec, 83 packets/sec
3774114 packets input, 1979043574 bytes, 0 no buffer
Received 1920095 broadcasts (0 multicast)
0 runts, 0 giants, 0 throttles
198 input errors, 198 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 1454975 multicast, 0 pause input
0 input packets with dribble condition detected
21580765 packets output, 4155483573 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
C2960#sh mac address-table interface g0/10
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
2 0000.0000.fe00 DYNAMIC Gi0/10
2 00a0.c90d.2a1d DYNAMIC Gi0/10
Total Mac Addresses for this criterion: 2
C2960#


On the SPLAT box:

[Expert@NGx-gw1]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:A0:C9:0D:2A:1D
inet addr:192.168.1.201 Bcast:192.168.1.255 Mask:255.255.255.192
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:12922065 errors:0 dropped:0 overruns:0 frame:0
TX packets:3249038 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3328380246 (3174.1 Mb) TX bytes:1921831063 (1832.8 Mb)
Interrupt:11 Base address:0xdec0 Memory:f8001000-f8001038

[Expert@NGx-gw1]# ethtool eth0
Settings for eth0:
Supported ports: [ TP MII ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Advertised auto-negotiation: No
Speed: 100Mb/s
Duplex: Half
Port: Twisted Pair
PHYAD: 1
Transceiver: internal
Auto-negotiation: off
Supports Wake-on: d
Wake-on: d
Link detected: yes
[Expert@NGx-gw1]#

[Thorpuse]

I've always found with Catalysts and SPLAT, it's a very good idea to not rely on autoneg and hard code the interfaces to 100f. Give that a shot and see what it comes back with - that should tell you who is not giving you the right info.

[cciesec2006]

This is what I did in the first place.I used this command on SPLAT:

[Expert@NGx-gw1]# /sbin/ethtool -s eth0 speed 100 duplex full autoneg off

I used this command on Catalyst 2960:

C2960#sh run int g0/10
Building configuration...

Current configuration : 141 bytes
!
interface GigabitEthernet0/10
description NGx R65 GW1 eth0
switchport access vlan 2
speed 100
duplex full
spanning-tree portfast
end

C2960#

The SPLAT interface still shows as "half":

[Expert@NGx-gw1]# /sbin/ethtool eth0
Settings for eth0:
Supported ports: [ TP MII ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Advertised auto-negotiation: No
Speed: 100Mb/s
Duplex: Half
Port: Twisted Pair
PHYAD: 1
Transceiver: internal
Auto-negotiation: off
Supports Wake-on: d
Wake-on: d
Link detected: yes
[Expert@NGx-gw1]#


Anymore ideas?

[eduardw]

Do you have the web gui enable, you could try to set speed and duplex setting of the interface using this web gui.
You also could try the eth_set command on the command line of the system.
I also would like to recommend trying auto neg on both the switch and fw, but after applying autoneg always check speed and duplex setting on the switch and the fw.

Eduard

[cciesec2006]

"Do you have the web gui enable, you could try to set speed and duplex setting of the interface using this web gui."

I thought it is always a BAD idea to set speed/duplex via the web GUI.
Furthermore, there is a bug in R65 HFA_02 that these setting will NOT be
retained after a reboot. Maybe our senior member Ray can confirm this.

"also would like to recommend trying auto neg on both the switch and fw, but after applying autoneg always check speed and duplex setting on the switch and the fw."

Another bad idea, IMHO. Cisco and other vendors ALWAYS recommend that
devices should always be hard code with speed/duplex and that the same
thing go with the switchport as well, except when you have copper Gig
interface. For Fast Ethernet interface, always hard code the speed/duplex
on both the firewall devices and switchport.

[eduardw]

cciesec2006, you wrote that you have problems with the speed settings, so it couldn’t get any worse to try autoneg.
I've also seen more the a few server switch connection with big performance issues, while both server and switch were configured for 100mb full and also reporting that speed and duplex settings. when both the server and the switch were configured for autoneg, the link came up with a-100 a-full and the performance jumped with more then 300%.
I've also read a few documents for sun, in which they advocate the use of autoneg, but you always have to use it on both side of the connection.

I did not know about the possible hfa2 bug.

But we also have had our problems getting the speed and dupplex setting correct on using different versions of splat especially after reboots.

Eduard

[cciesec2006]

"you wrote that you have problems with the speed settings, so it couldn’t get any worse to try autoneg."

It is not matter of try this, try that. I am trying to get to a bottom of the
problem. I can try what you suggested but I don't think I want to use that
as a permanent solution.

Thanks.

[chuachongchee]

Quote:

Originally Posted by cciesec2006

I thought it is always a BAD idea to set speed/duplex via the web GUI.
Furthermore, there is a bug in R65 HFA_02 that these setting will NOT be
retained after a reboot. Maybe our senior member Ray can confirm this.

Hmm... DOFH! I have seen this on UTM-1 on R65, but i have not seen this on "traditional" SPLAT (Maybe i didnt really notice that)... There are fixes for the problem, on usercenter, it claims that its a problem with cisco catalyst switches, but have tried the fixes, it still doesn't work

[RayPesek]

Quote:

Originally Posted by cciesec2006

Furthermore, there is a bug in R65 HFA_02 that these setting will NOT beretained after a reboot. Maybe our senior member Ray can confirm this.

Yes, it's broke and there is no hotfix. CP acknowledged it on their forums a couple of months ago. I just deployed a couple of R65 HFA02 SPLAT firewalls and had to use ethtool. However ethtool and mii-tool matched when I checked. I know mii-tool does not work on all NICs and ethtool is supposed to work on all. Maybe that's the difference you're seeing?

Ray