ASA Dropped Packets

Unanswered Question
May 9th, 2007

How do you troubleshoot dropped packets on the ASA? What could be the cause?

ciscoasa# show interface inside
Interface GigabitEthernet0/0.100 "inside", is up, line protocol is up
  VLAN identifier 100
  MAC address 0018.73d6.eb96, MTU 1500
  IP address 192.x.x.219, subnet mask
  Traffic Statistics for "inside":
    130368043 packets input, 31024111730 bytes
    149620357 packets output, 118858910520 bytes
    14532019 packets dropped

p-allen Wed, 05/09/2007 - 05:48

Thanks. What does this tell me might be the issue?

show asp drop

Frame drop:
  Punt rate limit exceeded                    33396
  Invalid encapsulation                       122
  Invalid TCP Length                          1
  Invalid UDP Length                          18
  No valid adjacency                          33397
  No route to host                            28
  Flow is denied by configured rule           2043650
  Flow denied due to resource limitation      1878
  Invalid SPI                                 65
  NAT-T keepalive message                     214
  First TCP packet not SYN                    318758
  Bad TCP flags                               2
  TCP data exceeded MSS                       818
  TCP failed 3 way handshake                  15408
  TCP RST/FIN out of order                    89306
  TCP SEQ in SYN/SYNACK invalid               5
  TCP SYNACK on established conn              136
  TCP packet SEQ past window                  7620
  TCP invalid ACK                             11271152
  TCP replicated flow pak drop                546
  TCP Out-of-Order packet buffer full         93419
  TCP Out-of-Order packet buffer timeout      25409
  TCP RST/SYN in window                       1516
  TCP DUP and has been ACKed                  1572503
  TCP packet failed PAWS test                 380711
  IPSEC tunnel is down                        207
  Slowpath security checks failed             1675491
  Dropped by standby unit                     2
  Expired flow                                54224
  ICMP Error Inspect different embedded conn  7801
  DNS Inspect id not matched                  15
  IPS Module requested drop                   1
  FP L2 rule drop                             465522
  Interface is down                           582

Flow drop:
  Flow is denied by access rule               192
  Flow terminated by IPS                      2
  NAT failed                                  32356
  NAT reverse path failed                     5176
  Need to start IKE negotiation               15932
  Inspection failure                          536

p-allen Wed, 05/09/2007 - 07:27

So I am thinking this is what we need to do, but I am still unsure of the syntax to add this to the ASA.


TCP data exceeded MSS

This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with a data length greater than the MSS advertised by the peer TCP endpoint.

Recommendation: To allow such TCP packets, use the exceed-mss command.

System log messages: 4419001

p-allen Wed, 05/09/2007 - 07:58

The highest counters seem to be coming from tcp-invalid-ack, but there is no fix or recommendation.


TCP invalid ACK

This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with an acknowledgement number greater than the data sent by the peer TCP endpoint.

Recommendation: None.

System log messages: None.
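
Added example, not part of the thread and not Cisco tooling: a small Python parser that ranks the counters in pasted `show asp drop` text and diffs two snapshots, since the counters are cumulative and only their growth shows what is being dropped now. The function names are hypothetical, the sample lines are copied from the output posted above, and the optional "(drop-code)" column is handled on the assumption that later ASA releases print it.

```python
import re

# Sample lines copied from the "show asp drop" output posted in this thread.
SAMPLE = """\
Frame drop:
  Flow is denied by configured rule 2043650
  First TCP packet not SYN 318758
  TCP invalid ACK 11271152
  TCP DUP and has been ACKed 1572503
  TCP failed 3 way handshake 15408
  Slowpath security checks failed 1675491

Flow drop:
  NAT failed 32356
  Need to start IKE negotiation 15932
"""

SECTION = re.compile(r"^(Frame|Flow) drop:\s*$")
# Reason text, an optional "(drop-code)" (assumed newer format), then the counter.
COUNTER = re.compile(r"^(?P<reason>.+?)\s*(?:\((?P<code>[\w-]+)\))?\s+(?P<count>\d+)$")

def parse_asp_drop(text):
    """Return {"frame": {reason: count}, "flow": {...}} from pasted output."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current = sections.setdefault(m.group(1).lower(), {})
            continue
        m = COUNTER.match(line)
        if m and current is not None:
            current[m.group("reason")] = int(m.group("count"))
    return sections

def top_reasons(counters, n=3):
    """Rank drop reasons by count, with each one's share of the section total."""
    total = sum(counters.values()) or 1
    ranked = sorted(counters.items(), key=lambda kv: kv[1], reverse=True)
    return [(r, c, round(100 * c / total, 1)) for r, c in ranked[:n]]

def delta(before, after):
    """Reasons whose counter grew between two snapshots, with the increase."""
    return {r: after[r] - before.get(r, 0) for r in after if after[r] > before.get(r, 0)}

if __name__ == "__main__":
    for reason, count, share in top_reasons(parse_asp_drop(SAMPLE)["frame"]):
        print(f"{reason:<40}{count:>12}  {share}%")
```

Run it on two captures of the full output taken some minutes apart and pass both parsed sections to `delta()` to see which reasons are still incrementing.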

acomiskey Wed, 05/09/2007 - 08:22

The ASA is doing exactly what it should do with those packets. Packets with invalid ack numbers may come about if a network delivers an old packet or an attacker attempts to hijack a connection.

p-allen Wed, 05/09/2007 - 09:15

Thanks. Just another question: what would cause an old packet to be delivered, and how would we track down a hijack attempt if that was the case? I know my boss would want to know that information if available.

