asa5520/ASDM constant dropped packet value

Unanswered Question
May 1st, 2008

In the course of troubleshooting a fault I noticed that the 10 sec Drop Packet graph under monitoring/interfaces/outside/drop packet count on the ASDM was giving the same total every 10 seconds (+/- 1 or 2 every now and then). I searched for specifics on what this monitors, and other than 'dropped pkts' I've drawn a blank.

I've checked 3 different customer ASAs (2x5510s and a 5520) and they're all the same - the total is different but the variation is the same.

I can understand the drops occurring but why it is constant is not so clear - can anyone shed some light on the what and why?

didyap Wed, 05/07/2008 - 13:17

When the ASP drops packets, it increments counters that match the reason that the ASP dropped the packet. You can view the counter values by issuing show asp drop but this will show you the cumulative counters. Issue the command clear asp drop then show asp drop to get a baseline of the drops so far, then send the traffic that is not making it through the firewall and then issue show asp drop again, and check which counters are incrementing.

capture capture_name type asp-drop drop-code all packet-length 1518. You can specify a drop code of "all" or specify the particular drop code that you want to watch. The problem is that usually you don't know why the pix is dropping the packet, so you don't know the particular drop code yet. In that case, capture all the dropped packets. If you do not specify a drop-code, then the pix will not capture any packets.

Use the 'show service-policy flow' command and specify the flow that is failing to determine if it is subjected to a fixup.
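The baseline-then-compare step described in the reply above can be scripted; this is an added example, not part of the original thread. It assumes `show asp drop` prints "description (drop-code) count" lines under "Frame drop:" and "Flow drop:" headings, and the two snapshots are constructed sample text, not output from a real device.

```python
import re

# Counter line, e.g. "  First TCP packet not SYN (tcp-not-syn)      47"
COUNTER_RE = re.compile(r"^\s+(?P<desc>.+?)\s+\((?P<code>[\w-]+)\)\s+(?P<count>\d+)\s*$")
SECTION_RE = re.compile(r"^(?P<section>Frame|Flow) drop:\s*$")


def parse_asp_drop(text):
    """Return {(section, drop_code): count} from 'show asp drop' output."""
    counters, section = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section").lower()
            continue
        m = COUNTER_RE.match(line)
        if m and section:
            counters[(section, m.group("code"))] = int(m.group("count"))
    return counters


def incrementing(before, after):
    """Counters that grew between two snapshots, largest increase first."""
    old, new = parse_asp_drop(before), parse_asp_drop(after)
    # A counter absent from the baseline (e.g. after 'clear asp drop') counts from 0.
    deltas = {k: v - old.get(k, 0) for k, v in new.items() if v > old.get(k, 0)}
    return sorted(deltas.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample snapshots (assumed layout, not captured from a device).
BASELINE = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                 12
  First TCP packet not SYN (tcp-not-syn)                        3

Last clearing: 10:15:02 UTC May 7 2008 by enable_15
"""
AFTER_TEST = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                 12
  First TCP packet not SYN (tcp-not-syn)                       47
  Slowpath security checks failed (sp-security-failed)          5

Last clearing: 10:15:02 UTC May 7 2008 by enable_15
"""

if __name__ == "__main__":
    for (section, code), delta in incrementing(BASELINE, AFTER_TEST):
        print(f"{section:5} {code:20} +{delta}")
```

The drop codes it reports as growing are the ones to pass to the `drop-code` argument of the asp-drop capture instead of `all`.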

