Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

ASA packet drops

Hi

I have an ASA 5520 running version 8.

I noticed in a sho int, that packets are being dropped on an interfaces and there are overruns.

I have checked the sho int again after a period of time and the overruns are not increasig but the packet drops are.

There are no CRC's or collisons errors.( I have included the sho int below.

My question is are the packet drops due to denied packets or something else.

Interface GigabitEthernet0/2 "X", is up, line protocol is up

Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec

Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)

Description: LOCAL LAN

MAC address 0018.73d7.0f06, MTU 1500

IP address x.x.x.x subnet mask x.x.x.x

425900047 packets input, 175660341830 bytes, 16 no buffer

Received 113 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 715396 overrun, 0 ignored, 0 abort

0 L2 decode drops

331813766 packets output, 122952124630 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 late collisions, 0 deferred

0 input reset drops, 0 output reset drops

input queue (curr/max packets): hardware (1/33) software (0/0)

output queue (curr/max packets): hardware (0/75) software (0/0)

Traffic Statistics for "Longford-LAN":

425891541 packets input, 167577995460 bytes

331813766 packets output, 116281711092 bytes

308924 packets dropped

1 minute input rate 606 pkts/sec, 43234 bytes/sec

1 minute output rate 526 pkts/sec, 128487 bytes/sec

1 minute drop rate, 0 pkts/sec

5 minute input rate 609 pkts/sec, 51994 bytes/sec

5 minute output rate 521 pkts/sec, 111727 bytes/sec

5 minute drop rate, 0 pkts/sec

3 REPLIES
Gold

Re: ASA packet drops

See if the "show asp drop" command gives you any useful output.

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s2_72.html#wp1174636

Community Member

Re: ASA packet drops

Here is the output

Frame drop:

Invalid IP header 1

No valid adjacency 231

No route to host 34

Flow is denied by configured rule 76107

First TCP packet not SYN 62169

Bad option length in TCP 137

TCP data exceeded MSS 132

TCP failed 3 way handshake 53062

TCP RST/FIN out of order 3

TCP packet SEQ past window 13128

TCP RST/SYN in window 11

TCP DUP and has been ACKed 246414

IPSEC Spoof detected 2

IPSEC tunnel is down 580274

ICMP Inspect seq num not matched 65

DNS Inspect id not matched 6

FP L2 rule drop 400047

Interface is down 891

Dropped pending packets in a closed socket 9227

Flow drop:

NAT failed 35014

NAT reverse path failed 6

Need to start IKE negotiation 1340

Inspection failure 62

SSL received close alert 8

Community Member

Re: ASA packet drops

I noticed there was a lot of packets dropped for IPSEC tunnel down.

IPSEC tunnel is down 580274

Check the Syslog and the firewall was set to 86400 secs but the responder was setting 3600

I changed the SA on the far side and havent seen any drops "yet" for IPSEC tunnel down

2784
Views
0
Helpful
3
Replies
CreatePlease to create content