Cisco Support Community

I have many "Conns Drop". Is this a problem?

Hi all,

I have two ACEs operating in HA. At the moment I have one service through the ACE, which is a proxy service. The topology is in one-arm mode, therefore I am using SNAT on the ACE.

Although the service has worked correctly until now, I can see many "conns drop" in the output of "sh service-policy summary".

You can see:

ACE-CC/Contexto_A# sh service-policy summ

service-policy: LB-VIP
Class                                          VIP             Prot          Port        VLAN          State       Curr Conns   Hit Count   Conns Drop
VIP_ISA_SERVER             tcp           any         1,10           IN-SRVC         797          396935     12537

My question is whether this could be a problem in the future. Is this behavior normal?

Could I see the details of the "Conns Drop"?



Re: I have many "Conns Drop". Is this a problem?

Connections drop normally due to incomplete TCP handshakes.

Incomplete handshakes could result from various causes, such as the real server selected by the ACE being down or all reals in the serverfarm being down.

"show serverfarm detail" can give you the failed connections on per rserver basis.

"show stats loadbalance" can give you reasons for failed connections.

"show stat connection" can give you overall connection statistics.


Re: I have many "Conns Drop". Is this a problem?


I reviewed the statistics you mentioned and can't see more detail.

It seems strange, the high number of CONN DROP; it will be a normal behavior. The clients with access to the Internet through the ISA SERVER have not reported problems; I just want to know more detail.

Is the behavior of incomplete TCP handshakes normal? If so, I should not worry any more.

Thanks and regards,


Cisco Employee

Re: I have many "Conns Drop". Is this a problem?

You have 10k drops out of 400k connections.

That's 2.5%

The reason for the drop is usually that the server did not respond, the server responded with a RST, or no servers were active.

It might not be detectable, because a browser will usually retry immediately if it does not get a response.

So, you might not receive complaints.

You need to capture your traffic with a sniffer trace and wait for the counter to increment.

Once you have a trace and you know the counter incremented during that time, check for any RST or unanswered SYN.

You can then see where the problem comes from.

Or you can just ignore it since this is only 2.5% of drops.
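
The check described in the reply above (look for RSTs and unanswered SYNs in a trace taken while the counter increments), as an added example that is not part of the original thread. The packet tuples, the VIP address 10.0.0.100:8080 and the client addresses are constructed; a real capture would first be exported from the sniffer into this form.

```python
from collections import Counter

# Constructed sample trace, not taken from the thread:
# (time_s, src_ip, src_port, dst_ip, dst_port, tcp_flags)
# 10.0.0.100:8080 is a hypothetical VIP; 192.0.2.x are hypothetical clients.
TRACE = [
    (0.00, "192.0.2.10", 40001, "10.0.0.100", 8080, "S"),
    (0.01, "10.0.0.100", 8080, "192.0.2.10", 40001, "SA"),
    (0.02, "192.0.2.10", 40001, "10.0.0.100", 8080, "A"),
    (1.00, "192.0.2.11", 40002, "10.0.0.100", 8080, "S"),
    (1.01, "10.0.0.100", 8080, "192.0.2.11", 40002, "RA"),  # SYN answered by RST
    (2.00, "192.0.2.12", 40003, "10.0.0.100", 8080, "S"),
    (5.00, "192.0.2.12", 40003, "10.0.0.100", 8080, "S"),   # SYN retransmit, no reply
]

def classify_handshakes(trace):
    """Map each client-initiated flow to [verdict, syn_count]."""
    flows = {}
    for _, src, sport, dst, dport, flags in sorted(trace):
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "S":
            # New or retransmitted SYN from the client side.
            flows.setdefault(fwd, ["unanswered_syn", 0])[1] += 1
        elif rev in flows and flows[rev][0] == "unanswered_syn":
            # First reply to a pending SYN decides the outcome.
            if "R" in flags:
                flows[rev][0] = "reset"
            elif flags == "SA":
                flows[rev][0] = "synack_seen"
        elif fwd in flows and flows[fwd][0] == "synack_seen" and "A" in flags:
            flows[fwd][0] = "established"
    return flows

def failed_clients(flows):
    """Clients whose handshake never completed, with the reason."""
    return {flow[0]: verdict for flow, (verdict, _) in flows.items()
            if verdict in ("unanswered_syn", "reset")}

def summarize(trace):
    """Count flows per handshake verdict."""
    return Counter(v for v, _ in classify_handshakes(trace).values())

if __name__ == "__main__":
    print(dict(summarize(TRACE)))
    print(failed_clients(classify_handshakes(TRACE)))
```

Grouping the failed flows by client address or VLAN shows whether the drops are spread evenly or concentrated on one segment.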


Re: I have many "Conns Drop". Is this a problem?

Thanks Gilles.

I understand that I should not worry.

Thanks for your help.



Re: I have many "Conns Drop". Is this a problem?

Hi all,

At the moment I have reports from our client of connection problems for their users. I reviewed the statistics and can see many conn drops.

ACE-CC/Contexto_A# sh service-policy summary

service-policy: LB-VIP
Class                            VIP             Prot  Port        VLAN          State    Curr Conns   Hit Count  Conns Drop
VIP_ISA_SERVER             tcp   any         1,10           IN-SRVC        1071       96066      54336

It is more than 50%.

Other statistics are:

ACE-CC/Contexto_A# sh serverfarm ISA_SERVER
serverfarm     : ISA_SERVER, type: HOST
total rservers : 2
       real                  weight state        current    total      failures
   rserver: achs-isa01          8      OPERATIONAL  539        3113479    601898
   rserver: achs-isa02          8      OPERATIONAL  555        3279904    428178

ACE-CC/Contexto_A# sh stats connection

+------- Connection statistics ------------+
Total Connections Created  : 17797953
Total Connections Current  : 2128
Total Connections Destroyed: 16236630
Total Connections Timed-out: 1364700
Total Connections Failed   : 194495

ACE-CC/Contexto_A# sh stats loadbalance

+------- Loadbalance statistics -----------+
Total version mismatch                       : 0
Total Layer4 decisions                       : 7432007
Total Layer4 rejections                      : 101061
Total Layer7 decisions                       : 0
Total Layer7 rejections                      : 0
Total Layer4 LB policy misses                : 0
Total Layer7 LB policy misses                : 0
Total times rserver was unavailable          : 1
Total ACL denied                             : 0
Total IDMap Lookup Failures                  : 0
Total Cipher Lookup Failures                 : 0
Total Msg sent to Optimization               : 0
Total Direct Msg received from Optimization  : 0
Total Indirect Msg received from Optimization: 0
Total Optimization Msg sent to Real Servers  : 0



Cisco Employee

Re: I have many "Conns Drop". Is this a problem?

You will need to capture a sniffer trace filtering on those client ip addresses.


Re: I have many "Conns Drop". Is this a problem?

Hi Gilles,

The client moved the users who reported problems from VLAN 1 to a new VLAN. This implementation is working in one-arm mode.

Is there a problem in the ACE for customers who belong to VLAN 1?

All users with problems were moved off VLAN 1 and the problem was solved.

I don't understand this behavior.

Thanks and regards.


Re: I have many "Conns Drop". Is this a problem?


I have another question:

The client informs me that their internet browsing has been very slow since we installed the ACE. The ACE is balancing two ISA servers (proxy).

We are using one-arm mode and performing SNAT.

I attached the settings for the ACE and some statistics obtained.

The problem of slow browsing could be due to the large number of conn drops, but I still do not understand why this happens.

Thanks for your help.



Cisco Employee

Re: I have many "Conns Drop". Is this a problem?

I'm sorry but I can't work without a sniffer trace of the problem.



Re: I have many "Conns Drop". Is this a problem?


VLAN 1 cannot be used on the ACE.  See the following thread for details and possible work-arounds, such as physically bridging VLAN 1 with another VLAN that can be configured on the ACE.

Note that this likely has nothing to do with your most recent query about a performance issue.  As Gilles indicated, those types of issues need to be looked at on the wire.