05-09-2007 05:40 AM - edited 03-11-2019 03:11 AM
How do you troubleshoot dropped packets on the ASA? What could be the cause?
ciscoasa# show interface inside
Interface GigabitEthernet0/0.100 "inside", is up, line protocol is up
VLAN identifier 100
MAC address 0018.73d6.eb96, MTU 1500
IP address 192.x.x.219, subnet mask 255.255.255.0
Traffic Statistics for "inside":
130368043 packets input, 31024111730 bytes
149620357 packets output, 118858910520 bytes
14532019 packets dropped
05-09-2007 05:43 AM
#show asp drop
05-09-2007 05:48 AM
Thanks. What does this tell me might be the issue?
show asp drop
Frame drop:
Punt rate limit exceeded 33396
Invalid encapsulation 122
Invalid TCP Length 1
Invalid UDP Length 18
No valid adjacency 33397
No route to host 28
Flow is denied by configured rule 2043650
Flow denied due to resource limitation 1878
Invalid SPI 65
NAT-T keepalive message 214
First TCP packet not SYN 318758
Bad TCP flags 2
TCP data exceeded MSS 818
TCP failed 3 way handshake 15408
TCP RST/FIN out of order 89306
TCP SEQ in SYN/SYNACK invalid 5
TCP SYNACK on established conn 136
TCP packet SEQ past window 7620
TCP invalid ACK 11271152
TCP replicated flow pak drop 546
TCP Out-of-Order packet buffer full 93419
TCP Out-of-Order packet buffer timeout 25409
TCP RST/SYN in window 1516
TCP DUP and has been ACKed 1572503
TCP packet failed PAWS test 380711
IPSEC tunnel is down 207
Slowpath security checks failed 1675491
Dropped by standby unit 2
Expired flow 54224
ICMP Error Inspect different embedded conn 7801
DNS Inspect id not matched 15
IPS Module requested drop 1
FP L2 rule drop 465522
Interface is down 582
Flow drop:
Flow is denied by access rule 192
Flow terminated by IPS 2
NAT failed 32356
NAT reverse path failed 5176
Need to start IKE negotiation 15932
Inspection failure 536
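An added example, not code from the thread: a small Python parser for the "show asp drop" output above. It ranks drop reasons by count and, because these counters accumulate until cleared, computes the increase between two snapshots, which is what actually points at a current problem. The sample text is an abbreviated copy of the output posted above.

```python
import re

# Abbreviated copy of the 'show asp drop' output posted in this thread.
SAMPLE = """\
Frame drop:
Punt rate limit exceeded 33396
Flow is denied by configured rule 2043650
TCP data exceeded MSS 818
TCP invalid ACK 11271152
TCP DUP and has been ACKed 1572503
Slowpath security checks failed 1675491
Flow drop:
Flow is denied by access rule 192
NAT failed 32356
"""

# A counter line is a free-text reason followed by an integer.
COUNTER_RE = re.compile(r"^(?P<name>.+?)\s+(?P<count>\d+)\s*$")

def parse_asp_drop(text):
    """Return {section: {reason: count}} from 'show asp drop' text."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":"):          # "Frame drop:" / "Flow drop:" headers
            current = line[:-1]
            sections[current] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            sections[current][m.group("name")] = int(m.group("count"))
    return sections

def top_reasons(sections, n=3):
    """Rank reasons across all sections by count, highest first."""
    rows = [(sec, reason, cnt) for sec, d in sections.items()
            for reason, cnt in d.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)[:n]

def delta(before, after):
    """Counters are cumulative; only the increase between snapshots matters."""
    out = {}
    for sec, d in after.items():
        prev = before.get(sec, {})
        for reason, cnt in d.items():
            diff = cnt - prev.get(reason, 0)
            if diff > 0:
                out.setdefault(sec, {})[reason] = diff
    return out
```

Take two captures a few minutes apart and feed both to delta(); a reason with a large total but no growth is history, not the current fault.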
05-09-2007 07:06 AM
Check Table 25-1 in the link below; it explains all the values and provides recommendations.
http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/s2_711.html#wp1116367
Please rate these if they help.
05-09-2007 07:27 AM
So I am thinking this is what we need to do, but I am still unsure of the syntax to add this to the ASA.
tcp-mss-exceeded
TCP data exceeded MSS
This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with a data length greater than the MSS advertised by the peer TCP endpoint.
Recommendation: To allow such TCP packets, use the exceed-mss command.
System log messages: 4419001
05-09-2007 07:40 AM
tcp-map mss-map
exceed-mss allow
This may be what you're looking for...
http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml
05-09-2007 07:58 AM
The highest counters seem to be coming from tcp-invalid-ack, but there is no fix or recommendation.
tcp-invalid-ack
TCP invalid ACK
This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with an acknowledgement number greater than the data sent by the peer TCP endpoint.
Recommendation: None.
System log messages: None.
05-09-2007 08:22 AM
The ASA is doing exactly what it should do with those packets. Packets with invalid ACK numbers may come about if a network delivers an old packet or an attacker attempts to hijack a connection.
05-09-2007 09:15 AM
Thanks. Just another question: what would cause an old packet to be delivered, and how would we track down a hijack attempt if that was the case? I know my boss would want to know that information if available.
05-12-2007 06:29 PM
After looking at your asp drop output, it looks like you're running into bug CSCsc16014.
Please rate if you are satisfied.
Cheers!