防火墙和上行链路之间有数据包丢失？

我的外部防火墙和互联网之间有一个中等复杂的网络拓扑，如下所示。

时不时地——我还没有发现规律——我们会遇到相当严重的数据包丢失，大约 25%。大多数时候，丢失率低于 0.5%。据我所知，唯一的共同点是所有丢失的流量都通过从vpn serverCisco ASA 5505 到gateway routerCisco 2901 的接口。

编辑

除了纯粹的丢包之外，我还在关注响应时间。任何来自gateway router或vpn server的流量fiber uplink都会增加确切地与差一步就停止的 ping 相比，这需要 200 毫秒。

由于较高的 ping 响应时间是 CPU 达到最大限度的常见指标，因此我进行了检查show process cpu，但它只显示约 40% 的利用率。

有什么想法吗？

结束编辑

假设问题确实出在 ASA 和 2901 之间的接口上，我清除了两个设备上的接口统计信息。

从那时起，我们经历了几次丢包率增加的时期。接口统计数据如下，但在我看来，没有显示任何异常 - 没有畸形或丢失的数据包、接口重置等。双工和速度设置匹配。

我遗漏了什么？所有这些硬件都在建设中，连接速度至少为 100 mbps。

网关路由器

show interfaces GigabitEthernet 0/0
GigabitEthernet0/0 is up, line protocol is up
  Hardware is CN Gigabit Ethernet, address is a493.4ccc.b218 (bia a493.4ccc.b218)
  Internet address is xx.xx.xx.105/28
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 14/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full Duplex, 100Mbps, media type is RJ45
  output flow-control is unsupported, input flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 00:15:51
  Input queue: 0/75/0/6427 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 511000 bits/sec, 401 packets/sec
  5 minute output rate 5526000 bits/sec, 590 packets/sec
     413812 packets input, 83711483 bytes, 0 no buffer
     Received 5 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     600299 packets output, 695003736 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

VPN 服务器

show interface ethernet 0/1
Interface Ethernet0/1 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Available but not configured via nameif
        MAC address 001e.f76a.a441, MTU not set
        IP address unassigned
        215073 packets input, 247716476 bytes, 0 no buffer
        Received 7 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        39 switch ingress policy drops
        148763 packets output, 21509818 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        0 rate limit drops
        0 switch egress policy drops