Firewall interface traffic statistics

Unanswered Question
May 15th, 2009

More of a sanity check question than anything else:

Does the "packets dropped" counter on an ASA firewall interface include just interface drops or does it include ACL rule drops in the count?

Ex: Traffic Statistics for "int foo":

576675535 packets input, 128101040719 bytes

731241996 packets output, 636870913964 bytes

22115790 packets dropped

Collin Clark Fri, 05/15/2009 - 08:37

Good question! According to the documentation,

Typically this counter increments for packets dropped on the accelerated security path (ASP), for example, if a packet is dropped due to an access list deny.

See the show asp drop command for reasons for potential drops on an interface.

Collin Clark Fri, 05/15/2009 - 08:40

Check out that show asp drop command!

sh asp drop

Frame drop:
  Invalid encapsulation (invalid-encap)                                        8
  Invalid TCP Length (invalid-tcp-hdr-length)                                 13
  Invalid UDP Length (invalid-udp-length)                                      3
  No valid adjacency (no-adjacency)                                          432
  No route to host (no-route)                                                854
  Flow is denied by configured rule (acl-drop)                           5917343
  Flow denied due to resource limitation (unable-to-create-flow)            3717
  Invalid SPI (np-sp-invalid-spi)                                            827
  NAT-T keepalive message (natt-keepalive)                                738148
  First TCP packet not SYN (tcp-not-syn)                                  466773
  Bad TCP flags (bad-tcp-flags)                                              204
  TCP Dual open denied (tcp-dual-open)                                         3
  TCP failed 3 way handshake (tcp-3whs-failed)                              6351
  TCP RST/FIN out of order (tcp-rstfin-ooo)                                13965
  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                           963
  TCP SYNACK on established conn (tcp-synack-ooo)                            375
  TCP packet SEQ past window (tcp-seq-past-win)                            10975
  TCP invalid ACK (tcp-invalid-ack)                                         1580
  TCP ACK in 3 way handshake invalid (tcp-discarded-ooo)                     107
  TCP Out-of-Order packet buffer full (tcp-buffer-full)                   438460
  TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout)             318081
  TCP RST/SYN in window (tcp-rst-syn-in-win)                                8434
  TCP packet failed PAWS test (tcp-paws-fail)                               4202
  IPSEC tunnel is down (ipsec-tun-down)                                     1789
  Early security checks failed (security-failed)                             182
  Slowpath security checks failed (sp-security-failed)                     38761
  IP option drop (invalid-ip-option)                                         118
  Expired flow (flow-expired)                                               4691
  ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn)   10
  DNS Inspect invalid packet (inspect-dns-invalid-pak)                        12
  DNS Inspect id not matched (inspect-dns-id-not-matched)                   3306
  FP L2 rule drop (l2_acl)                                                 52939
  Interface is down (interface-down)                                           3
  Dropped pending packets in a closed socket (np-socket-closed)            24834
  SVC Module does not have a session (mp-svc-no-session)                      79

Last clearing: Never

Flow drop:
  Need to start IKE negotiation (need-ike)                                    98
  Inspection failure (inspect-fail)                                       120188
  SSL received close alert (ssl-received-close-alert)                          6

Last clearing: Never
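The output above is only useful once you rank it and, because "Last clearing: Never" means every counter is cumulative since boot, once you diff two snapshots taken some minutes apart. The following is an added example, not code from the thread or from Cisco: a small parser for "show asp drop" text that splits the Frame drop and Flow drop sections, ranks reasons by count, reports what share of frame drops a given reason (such as acl-drop) accounts for, and computes the delta between two snapshots. The SAMPLE text is a constructed excerpt modelled on the posted output, not a live capture; the function names are this example's own.

```python
import re

# Constructed sample, shortened from the "show asp drop" output posted above.
# Column widths are irrelevant to the parser; only "desc (code)  count" matters.
SAMPLE = """\
Frame drop:
  Invalid encapsulation (invalid-encap)                                        8
  No route to host (no-route)                                                854
  Flow is denied by configured rule (acl-drop)                           5917343
  First TCP packet not SYN (tcp-not-syn)                                  466773
  TCP packet failed PAWS test (tcp-paws-fail)                               4202
  FP L2 rule drop (l2_acl)                                                 52939

Last clearing: Never

Flow drop:
  Need to start IKE negotiation (need-ike)                                    98
  Inspection failure (inspect-fail)                                       120188

Last clearing: Never
"""

# Section headers look like "Frame drop:" / "Flow drop:".
SECTION_RE = re.compile(r"^(\S.*?) drop:\s*$")
# Counter lines: "  <description> (<drop-code>)   <count>"; codes may contain "-" or "_".
COUNTER_RE = re.compile(r"^\s+(?P<desc>.+?)\s+\((?P<code>[\w-]+)\)\s+(?P<count>\d+)\s*$")


def parse_asp_drop(text):
    """Return {'frame': {code: count}, 'flow': {code: count}} from show asp drop text."""
    sections = {}
    current = None
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1).lower()
            sections[current] = {}
            continue
        if current is None:
            continue  # skip anything before the first section header
        m = COUNTER_RE.match(line)
        if m:
            sections[current][m.group("code")] = int(m.group("count"))
    return sections


def top_reasons(sections, section="frame", n=5):
    """Highest-count drop codes in a section, largest first."""
    counts = sections.get(section, {})
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)[:n]


def share(sections, code, section="frame"):
    """Fraction of a section's total drops attributed to one drop code."""
    counts = sections.get(section, {})
    total = sum(counts.values())
    return counts.get(code, 0) / total if total else 0.0


def delta(before, after):
    """Per-code increase between two snapshots (counters are cumulative since boot)."""
    out = {}
    for section, counts in after.items():
        prev = before.get(section, {})
        out[section] = {code: n - prev.get(code, 0) for code, n in counts.items()}
    return out


if __name__ == "__main__":
    snap = parse_asp_drop(SAMPLE)
    for code, n in top_reasons(snap, "frame", 3):
        print(f"{code:<20} {n:>10} ({share(snap, code):.1%} of frame drops)")
```

Feed it two captures of the real command a few minutes apart and look at delta() rather than the raw totals; a large acl-drop figure since boot is normal, a large acl-drop delta during the window of a reported outage is the lead. Note that "show asp drop" is box-wide, so its totals will exceed the "packets dropped" figure of any single interface.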
