ASA Packet Dropped problem

Unanswered Question
Mar 15th, 2007

Hi, my customer is complaining that every once in a while his browsing gets really slow and he needs to reboot his ASA to resolve the issue. I cannot find anything wrong with the ASA apart from the packet drops indicated here:

Interface Ethernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps
  Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
  MAC address 0015.c695.d70c, MTU 1500
  IP address 59.x.x.6, subnet mask 255.255.255.252
  87915 packets input, 58923662 bytes, 0 no buffer
  Received 0 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  0 L2 decode drops
  87045 packets output, 44806355 bytes, 0 underruns
  0 output errors, 0 collisions
  0 late collisions, 0 deferred
  input queue (curr/max blocks): hardware (0/25) software (0/0)
  output queue (curr/max blocks): hardware (0/223) software (0/0)
Traffic Statistics for "outside":
  87915 packets input, 57214791 bytes
  87045 packets output, 43065295 bytes
  4853 packets dropped

This drop counter is constantly increasing and I cannot find the reason why. I suspect this could be the key to my problem. The setup is LAN - ASA - carrier CAT3750 - Internet. We did previously see errors on the carrier switch. Every once in a while the link would become extremely slow and the LED on the 3750 would blink amber; removing and replacing the CAT5 between the ASA and the 3750 would solve the problem until the next time. Any ideas? Thanks, Michael.

kenfulmer Fri, 03/16/2007 - 08:10

Try the command: "show asp drop"

That will tell you why the ASA is dropping packets. One thing to check is MSS Exceeded.

abinjola Fri, 03/16/2007 - 10:19

Send me:

1) sh asp drop
2) sh run pol
3) sh run | inc url
4) sh ver

As of now, the above output should be enough to at least start with...

michael.orshansky Sun, 03/18/2007 - 00:54

show asp drop:

Result of the command: "show asp drop"

Frame drop:
  Invalid tcp length 314
  Invalid udp length 364
  No valid adjacency 498
  No route to host 301
  Reverse-path verify failed 35871
  Flow is denied by access rule 23629600
  First TCP packet not SYN 990684
  Bad TCP flags 116790
  Bad option length in TCP 526
  TCP MSS was too large 39790
  TCP Window scale on non-SYN 602
  Bad TCP SACK ALLOW option 7642
  TCP Dual open denied 217
  TCP data send after FIN 16
  TCP failed 3 way handshake 69239
  TCP RST/FIN out of order 443766
  TCP SEQ in SYN/SYNACK invalid 494
  TCP ACK in SYNACK invalid 3
  TCP SYNACK on established conn 482
  TCP packet SEQ past window 112317
  TCP invalid ACK 944724
  TCP packet out of order 7
  TCP packet buffer full 1069976
  TCP RST/SYN in window 197135
  TCP DUP and has been ACKed 4398494
  TCP packet failed PAWS test 106837
  Early security checks failed 9
  Slowpath security checks failed 289357
  ICMP Error Inspect no existing conn 30
  ICMP Error Inspect different embedded conn 157639
  DNS Inspect invalid packet 208
  DNS Inspect invalid domain label 251064
  DNS Inspect packet too long 123545
  DNS Inspect id not matched 71052
  Interface is down 4
  Invalid ASDP packet received from SSM card 1702
  Service module is down 113

Flow drop:
  NAT failed 67792
  NAT reverse path failed 6
  Inspection failure 330070
  Service module failed 6

show run pol:

Result of the command: "show run pol"

!
policy-map global_policy
 class inspection_default
  inspect h323 ras
  inspect sqlnet
  inspect xdmcp
  inspect tftp
  inspect rtsp
  inspect sunrpc
  inspect netbios
  inspect sip
  inspect pptp
  inspect http
  inspect rsh
  inspect ftp
  inspect h323 h225
  inspect dns maximum-length 512
  inspect skinny
 class csc_inside
  csc fail-open
 class csc_DMZ
  csc fail-open
!

show run | i url:

None
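The counters posted above are cumulative since boot (or since the last `clear asp drop`), so a single snapshot cannot say which reasons are still climbing while the browsing is slow. As an added example (not code from the thread, from Cisco, or from the poster), the Python script below parses two `show asp drop` snapshots taken some seconds apart and ranks the reasons by rate of increase. The first snapshot is a subset of the output posted above; the second snapshot, the 300 s interval, and the troubleshooting categories are constructed for illustration and are not an official Cisco grouping.

```python
"""Rank `show asp drop` counters by how fast they are still climbing.

Added example for this thread, not code from Cisco or from the poster.
SNAPSHOT_1 is a subset of the 7.1(1) output posted in the thread;
SNAPSHOT_2 and the 300 s interval are constructed to show a delta.
"""
import re

# One counter line: reason text, an optional "(short-tag)" that later ASA
# releases append (absent in the 7.1 output above), then the count.
LINE_RE = re.compile(r"^(?P<reason>.+?)(?:\s+\((?P<tag>[\w-]+)\))?\s+(?P<count>\d+)$")


def parse_asp_drop(text):
    """Return {(section, reason): count}; section is 'Frame drop' or 'Flow drop'."""
    counters = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("drop:"):          # "Frame drop:" / "Flow drop:" headers
            section = line[:-1]
            continue
        m = LINE_RE.match(line)
        if m and section:
            counters[(section, m.group("reason"))] = int(m.group("count"))
    return counters


def categorize(reason):
    """Rough troubleshooting bucket for a reason name (my grouping, not Cisco's)."""
    r = reason.lower()
    if "inspect" in r:
        return "inspection"
    if "access rule" in r or "security checks" in r or "reverse-path" in r:
        return "policy"
    if re.search(r"\bnat\b|\broute\b|adjacency", r):
        return "routing/nat"
    if "service module" in r or "ssm" in r or "interface is down" in r:
        return "platform"
    if "tcp" in r:
        return "tcp-normalizer"   # SYN/flag/window/MSS checks on existing flows
    return "other"


def climbing(before, after, interval_s):
    """(rate per s, increase, section, reason, category) per counter, fastest first.

    A counter that is lower than before was reset by `clear asp drop` in
    between, so its current value is taken as the increase since the clear."""
    rows = []
    for key, now in after.items():
        prev = before.get(key, 0)
        inc = now - prev if now >= prev else now
        if inc > 0:
            rows.append((inc / interval_s, inc, key[0], key[1], categorize(key[1])))
    rows.sort(reverse=True)
    return rows


# Subset of the thread's posted output, used as snapshot 1.
SNAPSHOT_1 = """\
Frame drop:
  Reverse-path verify failed 35871
  Flow is denied by access rule 23629600
  First TCP packet not SYN 990684
  TCP MSS was too large 39790
  TCP failed 3 way handshake 69239
  DNS Inspect invalid domain label 251064
  Interface is down 4
Flow drop:
  NAT failed 67792
  Inspection failure 330070
"""

# Constructed snapshot 2, as if taken 300 s later during a slowdown.
SNAPSHOT_2 = """\
Frame drop:
  Reverse-path verify failed 35871
  Flow is denied by access rule 23629900
  First TCP packet not SYN 990744
  TCP MSS was too large 39790
  TCP failed 3 way handshake 69239
  DNS Inspect invalid domain label 251070
  Interface is down 4
Flow drop:
  NAT failed 67800
  Inspection failure 330070
"""
INTERVAL_S = 300


def report(snap1=SNAPSHOT_1, snap2=SNAPSHOT_2, interval_s=INTERVAL_S):
    """Print and return the climbing counters for two snapshots."""
    rows = climbing(parse_asp_drop(snap1), parse_asp_drop(snap2), interval_s)
    for rate, inc, section, reason, cat in rows:
        print(f"{rate:8.3f}/s  +{inc:<8d} {cat:14s} {section}: {reason}")
    return rows


if __name__ == "__main__":
    report()
```

Paste each snapshot into the two string constants (or read them from two files) and run the script; a reason whose rate stays near zero between snapshots is historical noise, while one that keeps climbing during the slow period is where to look next. In the constructed sample only the access-rule, first-packet-not-SYN, NAT and DNS-inspect counters move, which is what a firewall doing its normal job looks like.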

michael.orshansky Sun, 03/18/2007 - 00:55

show ver:

Result of the command: "sh ver"

Cisco Adaptive Security Appliance Software Version 7.1(1)
Device Manager Version 5.1(1)

Compiled on Thu 19-Jan-06 15:02 by builders
System image file is "disk0:/asa711-k8.bin"
Config file at boot was "startup-config"

HMLXFW up 5 days 4 hours

Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 64MB
BIOS Flash AT49LW080: @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
  Boot microcode : CNlite-MC-Boot-Cisco-1.2
  SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
  IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
 0: Ext: Ethernet0/0 : address is 0015.c695.d70c, irq 9
 1: Ext: Ethernet0/1 : address is 0015.c695.d70d, irq 9
 2: Ext: Ethernet0/2 : address is 0015.c695.d70e, irq 9
 3: Ext: Not licensed : irq 9
 4: Ext: Management0/0 : address is 0015.c695.d710, irq 11
 5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
 6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5

Licensed features for this platform:
Maximum Physical Interfaces : 4
Maximum VLANs : 10
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : 250
WebVPN Peers : 2

This platform has a Base license.

Serial Number: JMX1014K0GK
Running Activation Key: xxx
Configuration register is 0x1
Configuration last modified by Admin at 14:55:46.659 EDT Fri Mar 16 2007

michael.orshansky Sun, 03/18/2007 - 01:06

Thanks everyone, I realised what it is: it just shows how many packets are dropped due to access-lists and other security policies.

Thanks.
