Hi, Thanks for your answer. HCP doesn't complain about the SFP on both member of the cluster:

| System/Hardware/Transceivers Support
|
+-----------------------------------------------------------------------------------------------------------------
-------------------+
| Result: SUCCESS
|
|
|
| Description: This test checks that all installed transceivers are supported
|
|
|
| Summary:All transceivers are approved

Great the remaining aspect is the speed / multirate issue and if the SFP supports it (refer sk92755).

Hi,

Thank you all for your feedback, I’m waiting to get the proper 1 GbE SFP for the gateways to see if it fixes the issue.

Meanwhile, to give you more context, I’m trying to upgrade our links because I’ve noticed some TX-DRP on one of the interfaces of our bonding:

[Expert@Firewall1:0]# netstat -ni

Kernel Interface table

Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg

Mgmt       1500   0 16778174      0      0      0 78205393      0      0      0 BMRU

bond1      1500   0 5697476654      0      0      0 5549913947      0  21368      0 BMmRU

eth1       1500   0 3480924870      0      0      0 2919267926      0      0      0 BMsRU

eth2       1500   0 2216551784      0      0      0 2630646021      0  21368      0 BMsRU

lo        65536   0 39523309      0      0      0 39523309      0      0      0 ALMNORU

[Expert@Firewall1:0]# ifconfig eth2

eth2        Link encap:Ethernet  HWaddr 00:1C:7F:C9:26:D5 

            UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1

            RX packets:2216576196 errors:0 dropped:0 overruns:0 frame:0

            TX packets:2630672317 errors:0 dropped:21368 overruns:0 carrier:0

            collisions:0 txqueuelen:2048

            RX bytes:1499929022177 (1.3 TiB)  TX bytes:1996154942442 (1.8 TiB)

What’s troubling is the output of the ethtool below:

[Expert@Firewall1:0]# ethtool -S eth2 | grep 21368

     ife_oqdrops: 21368

Anyone know what “ife_oqdrops” could be referring to ?
Thank you.

Edit: I'll add that the gateway is a new 9100 appliance running UPPAK, replacing a 5600 appliance which didn't had any of those drops, with the same traffic going through them. 

Im sure @Timothy_Hall would give you way better explanation than I can, but to me, that sounds like its attempting to send/transmit way more data than what buffer would allow.

Seeing errors on the TX side in the output of netstat -ni is a strong indicator that UPPAK is active, since TX-side errors were extremely rare in KPPAK mode.  To my understanding, that counter indicates that packets were pushed into the TX ring buffer faster than they could be transferred to the NIC, and some were lost.  However, the eth2 interface is part of a bond. If it leads to a transit VLAN, ensure your Transmit Hash Policy for that bond is L3+4, not the default L2 XOR, as the qdrops may have been caused by improper balancing of traffic between the bond interfaces.  Please see my Be your Own TAC: Part Deux presentation for more information about this issue.

Thank you for your feedback, and your presentation, which is helpful.

We did change the Hash Policy on the gateway after noticing a load-balancing issue with the bond and the TX drops, but the other end (an old 4500 router) doesn’t support a similar load-balancing method, so it doesn’t help. Thus, now we’ll configure the bond to use Gigabit interfaces on the router to see if it help with the drops.

Setting the Transmit Hash Policy to L3+4 should still help with your TX errors.  As long as you are not seeing RX problems, the Transmit Hash Policy on the 4500 does not need to match, although you may see RX traffic imbalances on the firewall interfaces.

If you do ifconfig and show interfaces from clish, does it show as up in both places?