Packet Drops after Implementation of FWSM?

Unanswered Question
Sep 16th, 2008

Hi guys ,

I am facing some packet drops in the LAN after implementation of an FWSM context. Please let me know if there is any configuration that needs to be done to avoid this?

Please suggest... thanks in advance.

felixjai Wed, 09/17/2008 - 08:32

You need to find out what is being dropped. Is it really the FWSM, or is something else dropping the packets? If your environment didn't have a firewall before and you are introducing the FWSM to it, some applications might not be firewall-friendly, such as in-house built software. If you want to find out whether your FWSM is dropping the packets, do "show asp drop" from the CLI, and use "capture capture_name type asp-drop" to capture any dropped packets.

manik.palekar Thu, 09/18/2008 - 01:49

Thanks, friend... Here is the output:

FWSM/Infra# sh capture noc
0 packet seen, 0 captured
0 packet shown

FWSMPRI/Infra# sh asp drop

Frame drop:
No route to host 85151
Bad TCP flags 22
TCP failed 3 way handshake 7
TCP RST/FIN out of order 258
TCP packet SEQ past window 1625
TCP invalid ACK 7866937105
TCP packet buffer full 64556
TCP DUP and has been ACKed 548228
TCP packet failed PAWS test 414366
Packet hit an invalid connection 105
Invalid connection address in delete indication 2783892

Flow drop:

I have not observed any drops in the capture.
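As an added example (my own triage script, not part of the thread and not Cisco tooling), here is a small Python parser for the "show asp drop" output posted above. It splits the output into its sections, ranks the reasons by count, groups them into rough categories, and diffs two snapshots. The category mapping is my own assumption for triage purposes, not an FWSM classification; the counters are cumulative, so the useful signal when chasing a live problem is which ones are still growing between two snapshots taken a few minutes apart.

```python
import re
from collections import OrderedDict

# "show asp drop" output as posted in the thread, embedded as a string so the
# script runs offline. The counters are the thread's own values.
SHOW_ASP_DROP = """\
Frame drop:
No route to host 85151
Bad TCP flags 22
TCP failed 3 way handshake 7
TCP RST/FIN out of order 258
TCP packet SEQ past window 1625
TCP invalid ACK 7866937105
TCP packet buffer full 64556
TCP DUP and has been ACKed 548228
TCP packet failed PAWS test 414366
Packet hit an invalid connection 105
Invalid connection address in delete indication 2783892
Flow drop:
"""

# Rough grouping of drop reasons, assumed here for triage only (not an FWSM
# classification). "tcp_normalizer" reasons are the firewall enforcing TCP
# state checks; "routing" reasons point at the path rather than at policy.
CATEGORIES = {
    "routing": ("No route to host",),
    "tcp_normalizer": (
        "Bad TCP flags", "TCP failed 3 way handshake", "TCP RST/FIN out of order",
        "TCP packet SEQ past window", "TCP invalid ACK", "TCP DUP and has been ACKed",
        "TCP packet failed PAWS test",
    ),
    "resource": ("TCP packet buffer full",),
    "connection_table": (
        "Packet hit an invalid connection",
        "Invalid connection address in delete indication",
    ),
}

# A counter line is free-text reason followed by an integer at end of line.
LINE_RE = re.compile(r"^(?P<reason>.+?)\s+(?P<count>\d+)\s*$")


def parse_asp_drop(text):
    """Return {section_name: {reason: count}} from 'show asp drop' output."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("drop:"):          # "Frame drop:" / "Flow drop:" headers
            current = line[:-1]
            sections[current] = OrderedDict()
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            sections[current][m.group("reason")] = int(m.group("count"))
    return sections


def categorize(reason):
    """Map a reason string onto one of the assumed triage categories."""
    for cat, prefixes in CATEGORIES.items():
        if any(reason.startswith(p) for p in prefixes):
            return cat
    return "other"


def summarize(sections):
    """Per-category totals and all reasons ranked by count, across sections."""
    totals = {}
    ranked = []
    for sec in sections.values():
        for reason, count in sec.items():
            cat = categorize(reason)
            totals[cat] = totals.get(cat, 0) + count
            ranked.append((count, reason))
    ranked.sort(reverse=True)
    return totals, ranked


def diff_counters(before, after):
    """Counters that grew between two snapshots of the same section.
    Because the totals are cumulative, only growing reasons are live problems."""
    deltas = OrderedDict()
    for reason, count in after.items():
        grew = count - before.get(reason, 0)
        if grew > 0:
            deltas[reason] = grew
    return deltas


if __name__ == "__main__":
    parsed = parse_asp_drop(SHOW_ASP_DROP)
    totals, ranked = summarize(parsed)
    print("per-category totals:", totals)
    print("top reasons:", ranked[:3])
    # Second snapshot would come from the CLI later; here a constructed one.
    earlier = {"No route to host": 85000}
    print("grew since earlier snapshot:", diff_counters(earlier, parsed["Frame drop"]))
```

Run it once against a saved copy of the first snapshot and again after the problem reproduces; the reasons that appear in the diff are the ones worth pairing with a "type asp-drop" capture.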

manik.palekar Thu, 09/18/2008 - 01:51


I'm getting the below response intermittently. Please let me know what the issue could be... Thanks


Reply from 172.17.117.24: bytes=32 time<1ms TTL=126
Reply from 172.17.117.24: bytes=32 time<1ms TTL=126
Reply from 172.17.117.24: bytes=32 time<1ms TTL=126
Reply from 172.17.117.24: bytes=32 time<1ms TTL=126
Reply from 172.17.10.25: Destination host unreachable.
Reply from 172.17.10.25: Destination host unreachable.
Reply from 172.17.10.25: Destination host unreachable.
Reply from 172.17.10.25: Destination host unreachable.
Reply from 172.17.10.25: Destination host unreachable.
Reply from 172.17.117.24: bytes=32 time=1ms TTL=126
Reply from 172.17.117.24: bytes=32 time<1ms TTL=126
Reply from 172.17.117.24: bytes=32 time<1ms TTL=126
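As an added example (mine, not from the thread), a Python script that reads the ping output above and characterizes the loss: whether the failures are a contiguous burst or scattered, and whether the "unreachable" replies come from the target itself or from some other address in the path. The second point matters for troubleshooting because a "Destination host unreachable" sourced from an address other than the target is generated by a hop along the way, so the place to look is that hop's routing or ARP state rather than the end host. The burst/scattered heuristic is my own assumption for this illustration.

```python
import re

# Ping replies exactly as posted above, embedded as the sample input.
PING_OUTPUT = """\
Reply from 172.17.117.24: bytes=32 time<1ms TTL=126
Reply from 172.17.117.24: bytes=32 time<1ms TTL=126
Reply from 172.17.117.24: bytes=32 time<1ms TTL=126
Reply from 172.17.117.24: bytes=32 time<1ms TTL=126
Reply from 172.17.10.25: Destination host unreachable.
Reply from 172.17.10.25: Destination host unreachable.
Reply from 172.17.10.25: Destination host unreachable.
Reply from 172.17.10.25: Destination host unreachable.
Reply from 172.17.10.25: Destination host unreachable.
Reply from 172.17.117.24: bytes=32 time=1ms TTL=126
Reply from 172.17.117.24: bytes=32 time<1ms TTL=126
Reply from 172.17.117.24: bytes=32 time<1ms TTL=126
"""

REPLY_RE = re.compile(r"^Reply from (?P<src>\d+\.\d+\.\d+\.\d+): (?P<body>.*)$")
TTL_RE = re.compile(r"TTL=(\d+)")


def parse_replies(text):
    """One dict per reply line: which address answered, whether it was a real
    echo reply (body starts with 'bytes='), and the TTL when present."""
    replies = []
    for line in text.splitlines():
        m = REPLY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        ttl = TTL_RE.search(body)
        replies.append({
            "src": m.group("src"),
            "ok": body.startswith("bytes="),
            "ttl": int(ttl.group(1)) if ttl else None,
        })
    return replies


def analyze(replies, target):
    """Summarize the loss pattern and who generated the failure replies."""
    streaks = []   # (index of first failure, streak length, address that answered)
    start = None
    # A trailing synthetic 'ok' entry closes a streak still open at end of input.
    for i, r in enumerate(replies + [{"src": None, "ok": True, "ttl": None}]):
        if not r["ok"] and start is None:
            start = i
        elif r["ok"] and start is not None:
            streaks.append((start, i - start, replies[start]["src"]))
            start = None
    failed = [r for r in replies if not r["ok"]]
    # Failure replies from an address other than the target were generated by
    # an intermediate hop, so that hop (not the end host) is where to look.
    failure_sources = sorted({r["src"] for r in failed} - {target})
    # Heuristic (assumed): all streaks longer than one packet -> "burst",
    # any single-packet streak -> "scattered".
    if not streaks:
        pattern = "none"
    elif all(length > 1 for _, length, _ in streaks):
        pattern = "burst"
    else:
        pattern = "scattered"
    return {
        "total": len(replies),
        "failed": len(failed),
        "streaks": streaks,
        "failure_sources": failure_sources,
        "ttls": sorted({r["ttl"] for r in replies if r["ttl"] is not None}),
        "pattern": pattern,
    }


if __name__ == "__main__":
    result = analyze(parse_replies(PING_OUTPUT), target="172.17.117.24")
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the posted output this reports a single burst of five failures, all answered by 172.17.10.25 rather than the ping target, and a constant TTL of 126 on the good replies.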

Farrukh Haroon Thu, 09/18/2008 - 01:53
User Badges:
  • Red, 2250 points or more

Is it random packets or ALL packets going to a VLAN? The FWSM needs an ACL to pass traffic even on the highest security level (100) interfaces. This is different from PIX/ASA. If it's random, you already got the answer from the original responder (show asp drop etc.).


Also check the syslogs for any deny/discards/drops etc.

Regards

Farrukh

manik.palekar Thu, 09/18/2008 - 02:31

This is an initial setup, and I have given full access from outside to inside and vice versa.

robertson.michael Thu, 09/18/2008 - 06:13
User Badges:
  • Silver, 250 points or more

Hi Manik,


I would recommend that you start by setting up a SPAN session for both VLANs on either side of the FWSM. Depending on what version of FWSM code you are running (and this would be helpful to know as well), captures taken directly on the firewall can be unreliable. The SPAN captures will give you a fairly good indication of what is going on and how the FWSM is affecting the traffic flow, or at least where to start your troubleshooting.


-Mike
