08-24-2007 03:42 AM - edited 03-11-2019 04:02 AM
Hi
I have an ASA 5520 running version 8.
I noticed in a sho int that packets are being dropped on an interface and there are overruns.
I have checked the sho int again after a period of time and the overruns are not increasing, but the packet drops are.
There are no CRC or collision errors. (I have included the sho int below.)
My question is: are the packet drops due to denied packets or something else?
Interface GigabitEthernet0/2 "X", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Description: LOCAL LAN
MAC address 0018.73d7.0f06, MTU 1500
IP address x.x.x.x subnet mask x.x.x.x
425900047 packets input, 175660341830 bytes, 16 no buffer
Received 113 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 715396 overrun, 0 ignored, 0 abort
0 L2 decode drops
331813766 packets output, 122952124630 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (1/33) software (0/0)
output queue (curr/max packets): hardware (0/75) software (0/0)
Traffic Statistics for "Longford-LAN":
425891541 packets input, 167577995460 bytes
331813766 packets output, 116281711092 bytes
308924 packets dropped
1 minute input rate 606 pkts/sec, 43234 bytes/sec
1 minute output rate 526 pkts/sec, 128487 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 609 pkts/sec, 51994 bytes/sec
5 minute output rate 521 pkts/sec, 111727 bytes/sec
5 minute drop rate, 0 pkts/sec
08-24-2007 04:28 AM
See if the "show asp drop" command gives you any useful output.
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s2_72.html#wp1174636
08-24-2007 05:06 AM
Here is the output
Frame drop:
Invalid IP header 1
No valid adjacency 231
No route to host 34
Flow is denied by configured rule 76107
First TCP packet not SYN 62169
Bad option length in TCP 137
TCP data exceeded MSS 132
TCP failed 3 way handshake 53062
TCP RST/FIN out of order 3
TCP packet SEQ past window 13128
TCP RST/SYN in window 11
TCP DUP and has been ACKed 246414
IPSEC Spoof detected 2
IPSEC tunnel is down 580274
ICMP Inspect seq num not matched 65
DNS Inspect id not matched 6
FP L2 rule drop 400047
Interface is down 891
Dropped pending packets in a closed socket 9227
Flow drop:
NAT failed 35014
NAT reverse path failed 6
Need to start IKE negotiation 1340
Inspection failure 62
SSL received close alert 8
08-24-2007 07:00 AM
I noticed there were a lot of packets dropped for IPSEC tunnel down.
IPSEC tunnel is down 580274
Checked the Syslog and the firewall was set to 86400 secs but the responder was setting 3600.
I changed the SA on the far side and haven't seen any drops "yet" for IPSEC tunnel down.
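An added example, not part of any post in this thread: the posters compare counters by eye between two runs of a command, and this Python sketch does the same for two "show asp drop" captures, listing the drop reasons that grew. The function names are hypothetical, the line format is assumed to be the one in the output posted above (reason text followed by a counter), and the second snapshot is constructed.

```python
import re

# Assumed format: the last integer on a line is the counter, the rest is the reason.
LINE = re.compile(r"^\s*(.+?)\s+(\d+)\s*$")

def parse_asp_drop(text):
    """Parse 'show asp drop' text into {(section, reason): count}."""
    counters, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):            # "Frame drop:" / "Flow drop:"
            section = line[:-1]
            continue
        m = LINE.match(line)
        if m and section:
            counters[(section, m.group(1))] = int(m.group(2))
    return counters

def growing(before, after):
    """Return [(section, reason, delta)] for counters that increased, largest first."""
    deltas = []
    for key, count in after.items():
        prev = before.get(key, 0)
        # A lower value than before means the counter was reset between snapshots.
        delta = count - prev if count >= prev else count
        if delta > 0:
            deltas.append((key[0], key[1], delta))
    return sorted(deltas, key=lambda d: d[2], reverse=True)

# First snapshot: a few counters from the thread. Second snapshot: constructed values.
SNAP_1 = """Frame drop:
Flow is denied by configured rule 76107
TCP failed 3 way handshake 53062
IPSEC tunnel is down 580274
FP L2 rule drop 400047
Flow drop:
NAT failed 35014
"""
SNAP_2 = """Frame drop:
Flow is denied by configured rule 76150
TCP failed 3 way handshake 53062
IPSEC tunnel is down 580274
FP L2 rule drop 400310
Flow drop:
NAT failed 35020
"""

if __name__ == "__main__":
    for section, reason, delta in growing(parse_asp_drop(SNAP_1), parse_asp_drop(SNAP_2)):
        print(f"{section:10} {reason:40} +{delta}")
```

Counters that stay flat between captures, such as "IPSEC tunnel is down" in the constructed second snapshot, are left out, so only the reasons still dropping packets remain.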