Packet Drops after Implementation of FWSM ..?

manik.palekar
Level 1

Hi guys ,

I am facing some packet drops in the LAN after implementation of an FWSM context. Please let me know if there is any configuration that needs to be done to avoid this?

Please suggest. Thanks in advance.

6 Replies

felixjai
Level 1

You need to find out what is being dropped. Is it really the FWSM, or is something else dropping the packets? If your environment didn't have a firewall before and you are introducing the FWSM to it, some applications might not be firewall-friendly, such as in-house built software. If you want to find out if your FWSM is dropping the packets, do "show asp drop" from the CLI. And use "capture capture_name type asp-drop" to capture any dropped packets.

Thanks, friend. Here is the output:

FWSM/Infra# sh capture noc
0 packet seen, 0 captured
0 packet shown

FWSMPRI/Infra# sh asp drop
Frame drop:
No route to host 85151
Bad TCP flags 22
TCP failed 3 way handshake 7
TCP RST/FIN out of order 258
TCP packet SEQ past window 1625
TCP invalid ACK 7866937105
TCP packet buffer full 64556
TCP DUP and has been ACKed 548228
TCP packet failed PAWS test 414366
Packet hit an invalid connection 105
Invalid connection address in delete indication 2783892
Flow drop:

I have not observed any drops in the capture.

I am getting the below response intermittently. Please let me know what the issue could be. Thanks.

Reply from 172.17.117.24: bytes=32 time<1ms TTL=126
Reply from 172.17.117.24: bytes=32 time<1ms TTL=126
Reply from 172.17.117.24: bytes=32 time<1ms TTL=126
Reply from 172.17.117.24: bytes=32 time<1ms TTL=126
Reply from 172.17.10.25: Destination host unreachable.
Reply from 172.17.10.25: Destination host unreachable.
Reply from 172.17.10.25: Destination host unreachable.
Reply from 172.17.10.25: Destination host unreachable.
Reply from 172.17.10.25: Destination host unreachable.
Reply from 172.17.117.24: bytes=32 time=1ms TTL=126
Reply from 172.17.117.24: bytes=32 time<1ms TTL=126
Reply from 172.17.117.24: bytes=32 time<1ms TTL=126
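The asp-drop counters in the dump above are cumulative, so on their own they do not say which reason is still active; what helps is a second "show asp drop" taken while the pings fail and a comparison of the two. As an added example (not code from this thread), here is a small Python parser that reads such a dump and lists the counters that rose between two snapshots. The second snapshot is constructed, with two counters bumped to show the idea.

```python
import re
# Constructed sample: the "show asp drop" dump posted above, as snapshot 1.
# Counters are cumulative, so only their growth between snapshots is telling.
SNAP_BEFORE = """\
Frame drop:
No route to host 85151
Bad TCP flags 22
TCP failed 3 way handshake 7
TCP RST/FIN out of order 258
TCP packet SEQ past window 1625
TCP invalid ACK 7866937105
TCP packet buffer full 64556
TCP DUP and has been ACKed 548228
TCP packet failed PAWS test 414366
Packet hit an invalid connection 105
Invalid connection address in delete indication 2783892
Flow drop:
"""
# Constructed snapshot 2: only two counters have moved in the meantime.
SNAP_AFTER = (SNAP_BEFORE
              .replace("No route to host 85151", "No route to host 85163")
              .replace("TCP DUP and has been ACKed 548228", "TCP DUP and has been ACKed 548301"))
LINE = re.compile(r"^(?P<reason>.+?)\s+(?P<count>\d+)$")

def parse_asp_drop(text):
    """Map each section ('Frame drop', 'Flow drop') to {reason: count}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):            # section header line
            current = line[:-1]
            sections[current] = {}
            continue
        m = LINE.match(line)
        if m and current is not None:
            sections[current][m.group("reason")] = int(m.group("count"))
    return sections

def counter_delta(before, after):
    """Reasons whose counters rose between two snapshots, largest rise first."""
    deltas = []
    for sec, reasons in after.items():
        for reason, count in reasons.items():
            rise = count - before.get(sec, {}).get(reason, 0)
            if rise > 0:
                deltas.append((sec, reason, rise))
    return sorted(deltas, key=lambda d: d[2], reverse=True)
```

Counters that do not move during the failure window (however large) can be set aside; the ones that do are where to aim the asp-drop capture or the syslog review.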

Farrukh Haroon
VIP Alumni

Is it random packets or ALL packets going to a VLAN? The FWSM needs an ACL to pass traffic even on highest security level (100) interfaces. This is different from PIX/ASA. If it's random, you already got the answer from the original responder (show asp drop etc.).

Also check the syslogs for any deny/discards/drops etc.

Regards

Farrukh

This is an initial setup, and I have given full access from outside to inside and vice versa.

Hi Manik,

I would recommend that you start by setting up a SPAN session for both VLANs on either side of the FWSM. Depending on what version of FWSM code you are running (and this would be helpful to know as well), captures taken directly on the firewall can be unreliable. The SPAN captures will give you a fairly good indication of what is going on and how the FWSM is affecting the traffic flow, or at least where to start your troubleshooting.

-Mike
