Cisco Support Community
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

dropped packet when ping from fwsm

Hi, I am troubleshooting an issue where we see intermittant packet loss within our infrastructure.  The setuip looks like this.

webserver = vlan120

webcache = vlan120

vlan120 is a dmz with fwsm as Layer3 gateway

fwsm svi is on vlan 119

ace module is frontend vlan 119 backend vlan 120


webserver( --> webcache(

we will see comms errors on the servers causing a session to timeout, we experience approx 30 per night causing clients to recieve a 500 error.

I have tried pinging between the boxes using the following command but cannot reproduce the issue.

ping -c 10000 -s 1300 -i 0

10000 packets transmitted, 10000 received, 0% packet loss, time 12490ms

rtt min/avg/max/mdev = 0.908/1.179/11.445/0.718 ms, ipg/ewma 1.249/1.091 ms

Now if we do the same ping from the fwsm to the webserver with the following command we lose between 5 - 10 packets every 10000.

ping size 1300 repeat 10000

Success rate is 99 percent (9994/10000), round-trip min/avg/max = 1/1/10 ms

This is the only way to reliably 'lose' packets.  A tcpdump on the destination however reveals it receives 10000 icmp request packets and transmits 10000 icmp reply packets but the fwsm reports a loss.

Not sure what is going on here!

My questions are:

1) is the fwsm ping test valid?

2) where are my packets going?

3) how do i troubleshoot the (possibly 2) issues further

Everyone's tags (4)

dropped packet when ping from fwsm

Hi Bro

Please do correct me if I'm wrong. Your FWSM connects to Cisco ACE and then connects to Web Server/Web Cache, am I right? Hence, between your FWSM and Web Server/Web Cache is Cisco ACE? You have VLAN 119 and VLAN 120 having the same network address, being bridged by the Cisco ACE?

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
Community Member

dropped packet when ping from fwsm

Hi yeah, you are correct the ace is bridging between the fwsm and webserver.

CreatePlease to create content