ASA 5540 drops a lot of packets

Unanswered Question

Hi,


I do "show int g0/0" and see a lot of packets dropped on the outside interface of my ASA 5540. The CPU and memory utilization is low. Below are the outputs of "show int g0/0" and "show asp drop".

I would like to know the reasons for the packet drops. I would really appreciate any tips or information on how to troubleshoot this problem.


PH



DC-ASA1# sh int g0/0

Interface GigabitEthernet0/0 "Outside", is up, line protocol is up

Hardware is i82546GB rev03, BW 1000 Mbps

Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

MAC address 0015.0000.0001, MTU 1500

IP address 10.86.1.10, subnet mask 255.255.255.0

1368864031 packets input, 809290865746 bytes, 0 no buffer

Received 3332954 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 ab

0 L2 decode drops

1104869394 packets output, 397716238864 bytes, 0 underruns

0 output errors, 0 collisions

0 late collisions, 0 deferred

input queue (curr/max blocks): hardware (3/0) software (0/

output queue (curr/max blocks): hardware (0/89) software (

Traffic Statistics for "Outside":

1368269553 packets input, 782318450328 bytes

1104869394 packets output, 375237662195 bytes

15039401 packets dropped

1 minute input rate 1277 pkts/sec, 963778 bytes/sec

1 minute output rate 982 pkts/sec, 191620 bytes/sec

1 minute drop rate, 38 pkts/sec

5 minute input rate 1232 pkts/sec, 942837 bytes/sec

5 minute output rate 971 pkts/sec, 243686 bytes/sec

5 minute drop rate, 34 pkts/sec

DC-ASA1# sh asp drop


Frame drop:

Invalid TCP Length 63

Reverse-path verify failed 1

Flow is denied by configured rule 17302314

First TCP packet not SYN 1014203

Bad TCP flags 451

Bad option length in TCP 14

TCP data exceeded MSS 26

TCP failed 3 way handshake 46287

TCP RST/FIN out of order 22312

TCP SEQ in SYN/SYNACK invalid 11350

TCP SYNACK on established conn 2914

TCP packet SEQ past window 81626

TCP invalid ACK 12444

TCP ACK in 3 way handshake invalid 4

TCP Out-of-Order packet buffer full 771232

TCP Out-of-Order packet buffer timeout 115991

TCP RST/SYN in window 15515

TCP DUP and has been ACKed 6238552

TCP packet failed PAWS test 1009

Slowpath security checks failed 1

ICMP Inspect seq num not matched 1305

DNS Inspect id not matched 4907


Flow drop:

NAT failed 2092

Inspection failure 270

DC-ASA1#




stalin_cisco Fri, 02/04/2011 - 00:21

Dear Expert,


Recently we removed all the routing from the ASA to make it an L2 device. After this operation we are getting packet drops on both interfaces (incoming/outgoing).


I believe the ACL is not causing the issue because we have only an ip any any access-list, and also there is no problem in layer 1 (cable) because we don't see packet drops in the Layer 3 setup.


Please find the attached screenshot and help me to fix this case.



Regards,

STALIN P

Jitendriya Athavale Tue, 02/22/2011 - 00:59

stalin,


Can you please clear the counters, wait for some time and collect the output again?


You can clear the counters with


clear asp table counter


show asp table counter


Also please attach the output of "show interface".


The major drops are out-of-order packets. Depending on the placement of this firewall, please investigate why we are seeing so many out-of-order packets, as they are not good; it could be the ISP too if this is a perimeter device.


The other one is host-move-pkt, which usually comes when you move a host from one interface to another. If you see these counters incrementing very rapidly, it could suggest some kind of looping.


I would suggest you look for the explanation of what each of these counters means and try to find the cause depending on how relevant they are for your network. Some drops may be harmless, but some might suggest a problem.


http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/s2_711.html#wp1116466



You can find the packets which are dropped by applying asp-drop captures:


ASA# capture asp type asp-drop ?


  acl-drop                                    Flow is denied by configured rule
  all                                         All packet drop reasons
  bad-crypto                                  Bad crypto return in packet
  bad-ipsec-natt                              Bad IPSEC NATT packet
  bad-ipsec-prot                              IPSEC not AH or ESP
  bad-ipsec-udp                               Bad IPSEC UDP packet
  bad-tcp-cksum                               Bad TCP checksum




You can use each type of asp drop to capture the dropped traffic and investigate the cause.


show capture


will show you the output of the capture.


http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807c35e7.shtml



Also, you can look at the syslog server if you have one to see what is going on.


Mainly look out for layer 2 issues, since you tell us that the drops started after converting this from layer 3 to layer 2, and I believe this would have led to some network topology change too.
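The "clear the counters, wait, collect again" step above is about finding which drop reasons are actually moving, not which have the largest lifetime totals. The script below is an added example, not part of this thread and not a Cisco tool: it parses two "show asp drop" snapshots taken some seconds apart and ranks the counters by delta and per-second rate. The counter names are taken from the output in the original post; the two snapshots and the 300-second interval are constructed for illustration, and counters that went down between snapshots (someone ran a clear in between) are treated as starting from zero. Once the top mover is known, the matching "capture <name> type asp-drop <reason>" from the reply above is the next step.

```python
"""Rank 'show asp drop' counters by how fast they are incrementing.

Added example for the thread above; the two snapshots are constructed
(counter names from the original post, values made up), 300 s apart.
"""
import re
from typing import Dict, List, Tuple

# Constructed snapshot taken first.
SNAPSHOT_T0 = """\
Frame drop:
  Flow is denied by configured rule 17302314
  First TCP packet not SYN 1014203
  TCP failed 3 way handshake 46287
  TCP Out-of-Order packet buffer full 771232
  TCP DUP and has been ACKed 6238552
  DNS Inspect id not matched 4907

Flow drop:
  NAT failed 2092
  Inspection failure 270
"""

# Constructed snapshot taken 300 seconds later.
SNAPSHOT_T1 = """\
Frame drop:
  Flow is denied by configured rule 17302914
  First TCP packet not SYN 1014503
  TCP failed 3 way handshake 46287
  TCP Out-of-Order packet buffer full 780232
  TCP DUP and has been ACKed 6238852
  DNS Inspect id not matched 4907

Flow drop:
  NAT failed 2122
  Inspection failure 270
"""
INTERVAL_SECONDS = 300

# A counter line is free text (may contain digits and slashes) followed by the count.
COUNTER_RE = re.compile(r"^\s*(?P<name>\S.*?)\s+(?P<count>\d+)\s*$")

Key = Tuple[str, str]  # (section such as "Frame drop", counter name)


def parse_asp_drop(text: str) -> Dict[Key, int]:
    """Parse 'show asp drop' output into {(section, counter name): count}."""
    counters: Dict[Key, int] = {}
    section = ""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("Last clearing"):
            continue  # blank line or the 'Last clearing: ...' timestamp line
        if stripped.endswith("drop:"):
            section = stripped[:-1]  # "Frame drop:" -> "Frame drop"
            continue
        m = COUNTER_RE.match(line)
        if m:
            counters[(section, m.group("name"))] = int(m.group("count"))
    return counters


def counter_deltas(before: Dict[Key, int], after: Dict[Key, int],
                   seconds: float) -> Dict[Key, Tuple[int, float]]:
    """Return {key: (delta, drops per second)} for every counter that moved."""
    rates: Dict[Key, Tuple[int, float]] = {}
    for key, end in after.items():
        start = before.get(key, 0)  # counter absent earlier: it started at 0
        delta = end - start
        if delta < 0:
            delta = end  # counters were cleared between snapshots
        if delta:
            rates[key] = (delta, delta / seconds)
    return rates


def top_movers(before_text: str, after_text: str, seconds: float,
               n: int = 5) -> List[Tuple[str, str, int, float]]:
    """(section, name, delta, rate) for the n fastest-growing counters."""
    deltas = counter_deltas(parse_asp_drop(before_text),
                            parse_asp_drop(after_text), seconds)
    ranked = sorted(deltas.items(), key=lambda kv: (-kv[1][0], kv[0]))
    return [(sec, name, d, r) for (sec, name), (d, r) in ranked[:n]]


if __name__ == "__main__":
    for section, name, delta, rate in top_movers(SNAPSHOT_T0, SNAPSHOT_T1,
                                                 INTERVAL_SECONDS):
        print(f"{rate:8.2f}/s  +{delta:<8d} {section}: {name}")
```

In the constructed data the out-of-order buffer counter accounts for almost all of the roughly 34 drops per second, which is the kind of signal that the lifetime totals alone (where "Flow is denied by configured rule" dominates) would hide.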
