05-15-2009 07:40 AM - edited 03-11-2019 08:32 AM
More of a sanity check question than anything else:
Does the "packets dropped" counter on an ASA firewall interface include just interface drops or does it include ACL rule drops in the count?
Ex: Traffic Statistics for "int foo":
576675535 packets input, 128101040719 bytes
731241996 packets output, 636870913964 bytes
22115790 packets dropped
05-15-2009 08:37 AM
Good question! According to the documentation,
Typically this counter increments for packets dropped on the accelerated security path (ASP), for example, if a packet is dropped due to an access list deny.
See the show asp drop command for reasons for potential drops on an interface.
http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/s3.html#wp1421795
05-15-2009 08:40 AM
Check out that show asp drop command!
sh asp drop

Frame drop:
  Invalid encapsulation (invalid-encap) 8
  Invalid TCP Length (invalid-tcp-hdr-length) 13
  Invalid UDP Length (invalid-udp-length) 3
  No valid adjacency (no-adjacency) 432
  No route to host (no-route) 854
  Flow is denied by configured rule (acl-drop) 5917343
  Flow denied due to resource limitation (unable-to-create-flow) 3717
  Invalid SPI (np-sp-invalid-spi) 827
  NAT-T keepalive message (natt-keepalive) 738148
  First TCP packet not SYN (tcp-not-syn) 466773
  Bad TCP flags (bad-tcp-flags) 204
  TCP Dual open denied (tcp-dual-open) 3
  TCP failed 3 way handshake (tcp-3whs-failed) 6351
  TCP RST/FIN out of order (tcp-rstfin-ooo) 13965
  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 963
  TCP SYNACK on established conn (tcp-synack-ooo) 375
  TCP packet SEQ past window (tcp-seq-past-win) 10975
  TCP invalid ACK (tcp-invalid-ack) 1580
  TCP ACK in 3 way handshake invalid (tcp-discarded-ooo) 107
  TCP Out-of-Order packet buffer full (tcp-buffer-full) 438460
  TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 318081
  TCP RST/SYN in window (tcp-rst-syn-in-win) 8434
  TCP packet failed PAWS test (tcp-paws-fail) 4202
  IPSEC tunnel is down (ipsec-tun-down) 1789
  Early security checks failed (security-failed) 182
  Slowpath security checks failed (sp-security-failed) 38761
  IP option drop (invalid-ip-option) 118
  Expired flow (flow-expired) 4691
  ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn) 10
  DNS Inspect invalid packet (inspect-dns-invalid-pak) 12
  DNS Inspect id not matched (inspect-dns-id-not-matched) 3306
  FP L2 rule drop (l2_acl) 52939
  Interface is down (interface-down) 3
  Dropped pending packets in a closed socket (np-socket-closed) 24834
  SVC Module does not have a session (mp-svc-no-session) 79
  Last clearing: Never

Flow drop:
  Need to start IKE negotiation (need-ike) 98
  Inspection failure (inspect-fail) 120188
  SSL received close alert (ssl-received-close-alert) 6
  Last clearing: Never
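Since the interface "packets dropped" counter is a single cumulative number, the useful follow-up is to break it down by reason and watch how the reasons grow over time rather than reading the totals once. The script below is an added example and is not part of the thread or of Cisco's tooling: it parses "show asp drop" output into per-reason counters, computes the increment between two snapshots (treating a counter that went backwards as a "clear asp drop" in between), and flags the reasons a firewall operator usually cares about for security reasons (acl-drop for policy denies, tcp-not-syn for mid-stream packets from asymmetric routing or ACK scans, unable-to-create-flow for connection-table exhaustion). The first snapshot is an abbreviated copy of the output posted above; the second snapshot, the alert thresholds and the timestamp are constructed for the example.

```python
"""Parse Cisco ASA 'show asp drop' output and compute per-reason deltas between
two snapshots.  Example code, not from the thread; the samples are labelled."""
import re

# Abbreviated copy of the 'show asp drop' output posted in the thread (snapshot 1).
ASP_DROP_T0 = """\
Frame drop:
  Invalid encapsulation (invalid-encap)                         8
  No route to host (no-route)                                 854
  Flow is denied by configured rule (acl-drop)            5917343
  First TCP packet not SYN (tcp-not-syn)                   466773
  TCP Out-of-Order packet buffer full (tcp-buffer-full)    438460
  FP L2 rule drop (l2_acl)                                  52939
  Last clearing: Never

Flow drop:
  Need to start IKE negotiation (need-ike)                     98
  Inspection failure (inspect-fail)                        120188
  Last clearing: Never
"""

# Constructed second snapshot (hypothetical, a few minutes later): acl-drop and
# tcp-not-syn have grown, and the flow-drop counters were cleared in between.
ASP_DROP_T1 = """\
Frame drop:
  Invalid encapsulation (invalid-encap)                         8
  No route to host (no-route)                                 860
  Flow is denied by configured rule (acl-drop)            5980000
  First TCP packet not SYN (tcp-not-syn)                   470000
  TCP Out-of-Order packet buffer full (tcp-buffer-full)    438470
  FP L2 rule drop (l2_acl)                                  52939
  Last clearing: Never

Flow drop:
  Need to start IKE negotiation (need-ike)                      2
  Inspection failure (inspect-fail)                            40
  Last clearing: 14:05:12 UTC May 15 2009
"""

SECTION_RE = re.compile(r"^(Frame|Flow) drop:$")
# "<description> (<short-name>) <count>"; the short name is the stable key.
REASON_RE = re.compile(r"^\s*.+?\s+\((?P<name>[\w-]+)\)\s+(?P<count>\d+)\s*$")

# Per-interval increments worth paging on.  Thresholds are hypothetical; tune
# them to the box's normal rate before trusting them.
ALERT_THRESHOLDS = {
    "acl-drop": 50000,           # policy denies: scan, misconfig, new blocked host
    "tcp-not-syn": 1000,         # mid-stream packets: asymmetric routing, ACK scan
    "unable-to-create-flow": 1,  # conn-table exhaustion: flood or DoS
}


def parse_asp_drop(text):
    """Return {"Frame drop": {reason: count}, "Flow drop": {reason: count}}."""
    drops, section = {}, None
    for line in text.splitlines():
        if SECTION_RE.match(line.strip()):
            section = line.strip()[:-1]          # drop the trailing colon
            drops[section] = {}
            continue
        m = REASON_RE.match(line)
        if m and section is not None:
            drops[section][m.group("name")] = int(m.group("count"))
    return drops


def drop_deltas(before, after):
    """Per-reason increment between snapshots.  Counters are cumulative and only
    reset by 'clear asp drop'; a value lower than before therefore means a clear
    happened in between, and the post-clear value is the best available estimate."""
    deltas = {}
    for section, reasons in after.items():
        prev = before.get(section, {})
        deltas[section] = {name: count - prev.get(name, 0) if count >= prev.get(name, 0) else count
                           for name, count in reasons.items()}
    return deltas


def top_reasons(deltas, n=3):
    """The n reasons that grew the most, as (section, reason, increment)."""
    flat = [(sec, name, inc) for sec, r in deltas.items() for name, inc in r.items()]
    return sorted(flat, key=lambda t: t[2], reverse=True)[:n]


def alerts(deltas):
    """[(reason, increment)] for frame-drop reasons whose increment crossed threshold."""
    frame = deltas.get("Frame drop", {})
    return [(name, frame[name]) for name, limit in ALERT_THRESHOLDS.items()
            if frame.get(name, 0) >= limit]


def interface_share(iface_dropped, drops):
    """Ratio of one interface's 'packets dropped' counter to the box-wide frame-drop
    total.  Only a sanity check: the interface counter is per-interface, 'show asp
    drop' is global, and the two may have been cleared at different times."""
    total = sum(drops.get("Frame drop", {}).values())
    return iface_dropped / total if total else float("inf")


if __name__ == "__main__":
    t0, t1 = parse_asp_drop(ASP_DROP_T0), parse_asp_drop(ASP_DROP_T1)
    deltas = drop_deltas(t0, t1)
    for sec, name, inc in top_reasons(deltas):
        print(f"{sec:10} {name:20} +{inc}")
    for name, inc in alerts(deltas):
        print(f"ALERT {name} grew by {inc} in the interval")
```

In the figures posted above, the interface counter (22115790) is larger than the sum of every frame-drop reason in the global output (8058542), so the interface counter and the ASP counters do not reconcile as an accounting identity; treat the interface number as the trigger and the per-reason deltas as the explanation. Once a reason such as acl-drop stands out, "capture <name> type asp-drop acl-drop" on the ASA captures the actual dropped packets for that reason, which is the quickest way to see which source is being denied.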