03-15-2007 09:37 PM - edited 03-11-2019 02:47 AM
Hi, my customer is complaining that every once in a while his browsing gets real slow and he needed a reboot of his ASA to resolve the issue. I cannot find anything wrong with the ASA apart from packet drops indicated here:
Interface Ethernet0/0 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
MAC address 0015.c695.d70c, MTU 1500
IP address 59.x.x.6, subnet mask 255.255.255.252
87915 packets input, 58923662 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
87045 packets output, 44806355 bytes, 0 underruns
0 output errors, 0 collisions
0 late collisions, 0 deferred
input queue (curr/max blocks): hardware (0/25) software (0/0)
output queue (curr/max blocks): hardware (0/223) software (0/0)
Traffic Statistics for "outside":
87915 packets input, 57214791 bytes
87045 packets output, 43065295 bytes
4853 packets dropped
This drop is constant and I cannot find the reason why. I suspect this could be the key to my problem. The setup is LAN-ASA-Carrier CAT3750-Internet. We did see errors on the carrier switch previously. Every once in a while the link would become extremely slow and the LED on the 3750 would blink amber; removing and replacing the CAT5 between the ASA and the 3750 would solve the problem until next time. Any ideas? Thanks, Michael.
03-16-2007 08:10 AM
Try the command: "show asp drop"
That will tell you why the ASA is dropping packets. One thing to check is MSS Exceeded.
03-16-2007 10:19 AM
send me
1)sh asp drop
2)sh run pol
3)sh run | inc url
4)sh ver
As of now the above output should be enough to at least start with...
03-18-2007 12:54 AM
show asp drop:
Result of the command: "show asp drop"
Frame drop:
Invalid tcp length 314
Invalid udp length 364
No valid adjacency 498
No route to host 301
Reverse-path verify failed 35871
Flow is denied by access rule 23629600
First TCP packet not SYN 990684
Bad TCP flags 116790
Bad option length in TCP 526
TCP MSS was too large 39790
TCP Window scale on non-SYN 602
Bad TCP SACK ALLOW option 7642
TCP Dual open denied 217
TCP data send after FIN 16
TCP failed 3 way handshake 69239
TCP RST/FIN out of order 443766
TCP SEQ in SYN/SYNACK invalid 494
TCP ACK in SYNACK invalid 3
TCP SYNACK on established conn 482
TCP packet SEQ past window 112317
TCP invalid ACK 944724
TCP packet out of order 7
TCP packet buffer full 1069976
TCP RST/SYN in window 197135
TCP DUP and has been ACKed 4398494
TCP packet failed PAWS test 106837
Early security checks failed 9
Slowpath security checks failed 289357
ICMP Error Inspect no existing conn 30
ICMP Error Inspect different embedded conn 157639
DNS Inspect invalid packet 208
DNS Inspect invalid domain label 251064
DNS Inspect packet too long 123545
DNS Inspect id not matched 71052
Interface is down 4
Invalid ASDP packet received from SSM card 1702
Service module is down 113
Flow drop:
NAT failed 67792
NAT reverse path failed 6
Inspection failure 330070
Service module failed 6
show run pol:
Result of the command: "show run pol"
!
policy-map global_policy
class inspection_default
inspect h323 ras
inspect sqlnet
inspect xdmcp
inspect tftp
inspect rtsp
inspect sunrpc
inspect netbios
inspect sip
inspect pptp
inspect http
inspect rsh
inspect ftp
inspect h323 h225
inspect dns maximum-length 512
inspect skinny
class csc_inside
csc fail-open
class csc_DMZ
csc fail-open
!
show run | i url:
None
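The drop counters posted above are cumulative since boot, so a single snapshot cannot tell a steady stream of expected ACL denies apart from a counter that is climbing during a slowdown. The following is an added example (my code, not from the thread or from Cisco) that parses the `show asp drop` text layout, takes two snapshots and reports only the reasons that grew, tagging each as policy-driven or worth investigating. The first snapshot reuses a few of the values posted above; the second snapshot and the category tables are my own constructions and assumptions.

```python
"""Triage helper for Cisco ASA ``show asp drop`` output (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the "show asp drop" layout; the counter values are
# copied from the output posted in this thread, abbreviated to a few reasons.
SNAPSHOT_1 = """\
Result of the command: "show asp drop"
Frame drop:
Reverse-path verify failed 35871
Flow is denied by access rule 23629600
First TCP packet not SYN 990684
TCP MSS was too large 39790
TCP packet buffer full 1069976
TCP DUP and has been ACKed 4398494
Flow drop:
NAT failed 67792
Inspection failure 330070
"""

# Constructed second snapshot, as if taken while browsing was slow:
# only two counters have moved.
SNAPSHOT_2 = """\
Frame drop:
Reverse-path verify failed 35871
Flow is denied by access rule 23630100
First TCP packet not SYN 990684
TCP MSS was too large 41290
TCP packet buffer full 1069976
TCP DUP and has been ACKed 4398494
Flow drop:
NAT failed 67792
Inspection failure 330070
"""

# Assumed categorisation: these reasons normally mean the firewall is
# enforcing configured policy, so growth here is expected.
POLICY_REASONS = {
    "Flow is denied by access rule",
    "Slowpath security checks failed",
}
# Assumed categorisation: growth here during a slowdown points at
# MSS/MTU mismatch, asymmetric routing or buffer pressure and deserves a look.
SUSPECT_REASONS = {
    "TCP MSS was too large",
    "Reverse-path verify failed",
    "First TCP packet not SYN",
    "TCP packet buffer full",
}

Counters = Dict[str, int]
_LINE = re.compile(r"^(?P<reason>.*\S)\s+(?P<count>\d+)$")


def parse_asp_drop(text: str) -> Dict[str, Counters]:
    """Parse into {section: {reason: count}}; lines that are neither a
    'Something:' section header nor 'reason <count>' are skipped."""
    sections: Dict[str, Counters] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            current = line[:-1]
            sections.setdefault(current, {})
            continue
        m = _LINE.match(line)
        if m and current is not None:
            sections[current][m.group("reason")] = int(m.group("count"))
    return sections


def flatten(sections: Dict[str, Counters]) -> Counters:
    """Merge the per-section tables; reason names are unique across sections."""
    flat: Counters = {}
    for counters in sections.values():
        flat.update(counters)
    return flat


def classify(reason: str) -> str:
    if reason in POLICY_REASONS:
        return "policy"
    if reason in SUSPECT_REASONS:
        return "suspect"
    return "other"


def delta(before: Dict[str, Counters], after: Dict[str, Counters]) -> Counters:
    """Per-reason increase between two snapshots; unchanged reasons are dropped."""
    b, a = flatten(before), flatten(after)
    return {r: a[r] - b.get(r, 0) for r in a if a[r] - b.get(r, 0) > 0}


def triage(before_text: str, after_text: str) -> List[Tuple[str, int, str]]:
    """Reasons that grew between the snapshots, largest increase first."""
    growth = delta(parse_asp_drop(before_text), parse_asp_drop(after_text))
    return sorted(((r, n, classify(r)) for r, n in growth.items()),
                  key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for reason, grew, cat in triage(SNAPSHOT_1, SNAPSHOT_2):
        print(f"{cat:8} +{grew:<8} {reason}")
```

Run against the two constructed snapshots it reports the MSS counter as the only suspect reason that moved; in practice you would take the two samples a few minutes apart while the user is experiencing the slowdown.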
03-18-2007 12:55 AM
show ver:
Result of the command: "sh ver"
Cisco Adaptive Security Appliance Software Version 7.1(1)
Device Manager Version 5.1(1)
Compiled on Thu 19-Jan-06 15:02 by builders
System image file is "disk0:/asa711-k8.bin"
Config file at boot was "startup-config"
HMLXFW up 5 days 4 hours
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 64MB
BIOS Flash AT49LW080: @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is 0015.c695.d70c, irq 9
1: Ext: Ethernet0/1 : address is 0015.c695.d70d, irq 9
2: Ext: Ethernet0/2 : address is 0015.c695.d70e, irq 9
3: Ext: Not licensed : irq 9
4: Ext: Management0/0 : address is 0015.c695.d710, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : 4
Maximum VLANs : 10
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : 250
WebVPN Peers : 2
This platform has a Base license.
Serial Number: JMX1014K0GK
Running Activation Key: xxx
Configuration register is 0x1
Configuration last modified by Admin at 14:55:46.659 EDT Fri Mar 16 2007
03-18-2007 01:06 AM
Thanks everyone, I realised what it is; it just shows how many packets are dropped due to access-lists and other security policies.
Thanks.