Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Firewall interface traffic statistics

More of a sanity check question than anything else:

Does the "packets dropped" counter on an ASA firewall interface include just interface drops or does it include ACL rule drops in the count?

Ex: Traffic Statistics for "int foo":

576675535 packets input, 128101040719 bytes

731241996 packets output, 636870913964 bytes

22115790 packets dropped


Re: Firewall interface traffic statistics

Good question! According to the documentation,

Typically this counter increments for packets dropped on the accelerated security path (ASP), for example, if a packet is dropped due to an access list deny.

See the show asp drop command for reasons for potential drops on an interface.

Re: Firewall interface traffic statistics

Check out that show asp drop command!

sh asp drop

Frame drop:

Invalid encapsulation (invalid-encap) 8

Invalid TCP Length (invalid-tcp-hdr-length) 13

Invalid UDP Length (invalid-udp-length) 3

No valid adjacency (no-adjacency) 432

No route to host (no-route) 854

Flow is denied by configured rule (acl-drop) 5917343

Flow denied due to resource limitation (unable-to-create-flow) 3717

Invalid SPI (np-sp-invalid-spi) 827

NAT-T keepalive message (natt-keepalive) 738148

First TCP packet not SYN (tcp-not-syn) 466773

Bad TCP flags (bad-tcp-flags) 204

TCP Dual open denied (tcp-dual-open) 3

TCP failed 3 way handshake (tcp-3whs-failed) 6351

TCP RST/FIN out of order (tcp-rstfin-ooo) 13965

TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 963

TCP SYNACK on established conn (tcp-synack-ooo) 375

TCP packet SEQ past window (tcp-seq-past-win) 10975

TCP invalid ACK (tcp-invalid-ack) 1580

TCP ACK in 3 way handshake invalid (tcp-discarded-ooo) 107

TCP Out-of-Order packet buffer full (tcp-buffer-full) 438460

TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 318081

TCP RST/SYN in window (tcp-rst-syn-in-win) 8434

TCP packet failed PAWS test (tcp-paws-fail) 4202

IPSEC tunnel is down (ipsec-tun-down) 1789

Early security checks failed (security-failed) 182

Slowpath security checks failed (sp-security-failed) 38761

IP option drop (invalid-ip-option) 118

Expired flow (flow-expired) 4691

ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn) 10

DNS Inspect invalid packet (inspect-dns-invalid-pak) 12

DNS Inspect id not matched (inspect-dns-id-not-matched) 3306

FP L2 rule drop (l2_acl) 52939

Interface is down (interface-down) 3

Dropped pending packets in a closed socket (np-socket-closed) 24834

SVC Module does not have a session (mp-svc-no-session) 79

Last clearing: Never

Flow drop:

Need to start IKE negotiation (need-ike) 98

Inspection failure (inspect-fail) 120188

SSL received close alert (ssl-received-close-alert) 6

Last clearing: Never