Cisco Support Community
Community Member

FWSM Dropped Packet

Hi everyone,

My client has a 6509 switch with nearly 20 VLANs routed on the MSFC. I put in an FWSM to separate all the VLANs and applied an access-list with permit ip any any on the interfaces.

Almost everything works right, except for one problem between the IPCC and the CAD Agent.

I can see that some packets are dropped on the interfaces.

For example,

Interface Vlan2 "SERVIDORES", is up, line protocol is up
MAC address 0018.7474.2280, MTU 1500
IP address X.X.X.X, subnet mask 255.255.255.0
Traffic Statistics for "SERVIDORES":
473436062 packets input, 617714037302 bytes
192611712 packets output, 57413127227 bytes
128775 packets dropped

I'd like to know if there is a way to see which packets are dropped on the interfaces and send this information to a syslog server, for example.

Thanks in advance

Andre Lomonaco

Accepted Solution
Cisco Employee

Re: FWSM Dropped Packet

Unfortunately, it doesn't look like we document this well on cisco.com. I've filed bug CSCsi35389 to address this. The release note will be available via Bug Toolkit tomorrow. In the meantime, I'll include the release note below for your reference.

Sincerely,

David.

########################################

The Command Reference for the "show interface" command describes what all the counters in the "show interface" output mean. However, the meaning of the "dropped" counter is incorrect.

On the FWSM, the dropped counter will increment when the FWSM receives a packet that is not destined for it (the Destination MAC address in the packet is not the FWSM's MAC address). This can happen when the switch floods packets because of CAM table misses. Additionally, the counter will be incremented for CDP and VTP packets (as the FWSM does not support these protocols), and other multicast packets (assuming multicast is not configured on the FWSM). Also, IP broadcast packets will be counted here.
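The release note above gives a checklist of what lands in the "dropped" counter. The following is an added example, not Cisco code or anything from this thread, that applies those rules to a handful of constructed frames so the counter's make-up can be reasoned about before treating it as a security signal. The FWSM MAC is the one from the "show interface" output above; the destination addresses in the sample frames are made up, and the well-known CDP/VTP multicast MAC 01:00:0c:cc:cc:cc is the only other real constant.

```python
"""Classify frames by the FWSM 'dropped' counter rule (added example, not Cisco code).

Rules from the release note: a frame is counted as 'dropped' when its destination
MAC is not the FWSM's own MAC (switch flooding on a CAM miss), when it is CDP/VTP,
when it is multicast and multicast is not configured on the FWSM, or when it is
an IP broadcast. Frames the note does not cover are reported as such rather than
guessed at.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

CDP_VTP_MAC = "01:00:0c:cc:cc:cc"      # well-known Cisco multicast MAC used by CDP and VTP
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    dst_mac: str                       # Cisco dotted or colon form, see normalize_mac()
    ip_dst: Optional[str] = None       # None for non-IP frames such as CDP


def normalize_mac(mac: str) -> str:
    """Accept Cisco dotted (0018.7474.2280) or colon form and return aa:bb:cc:dd:ee:ff."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_group_address(mac: str) -> bool:
    """The I/G bit (least significant bit of the first octet) marks multicast and broadcast MACs."""
    return int(mac[:2], 16) & 1 == 1


def classify(frame: Frame, fwsm_mac: str, multicast_enabled: bool = False) -> str:
    """Return why (or whether) the FWSM would count this frame as 'dropped'."""
    dst = normalize_mac(frame.dst_mac)
    if dst == CDP_VTP_MAC:
        return "dropped:cdp-vtp"                    # FWSM does not run CDP or VTP
    if dst == BROADCAST_MAC:
        if frame.ip_dst:
            return "dropped:ip-broadcast"           # explicitly listed in the release note
        return "not-covered-by-release-note"        # e.g. ARP requests; the note says nothing about them
    if is_group_address(dst):
        return "processed" if multicast_enabled else "dropped:multicast"
    if dst != normalize_mac(fwsm_mac):
        return "dropped:not-for-fwsm"               # unicast flooded to the FWSM on a CAM miss
    return "processed"


def summarize(frames: List[Frame], fwsm_mac: str, multicast_enabled: bool = False) -> Dict[str, int]:
    """Count frames per classification, the view you want before worrying about the counter."""
    return dict(Counter(classify(f, fwsm_mac, multicast_enabled) for f in frames))


def sample_frames() -> List[Frame]:
    """Constructed frames for the example; addresses are made up except the CDP/VTP MAC."""
    return [
        Frame("0018.7474.2280", "192.0.2.10"),        # unicast to the FWSM itself
        Frame("0011.2233.4455", "192.0.2.20"),        # unicast to another host, flooded by the switch
        Frame("0100.0ccc.cccc"),                      # CDP/VTP
        Frame("0100.5e00.00fb", "224.0.0.251"),       # IP multicast (mDNS group)
        Frame("ffff.ffff.ffff", "192.0.2.255"),       # directed subnet broadcast
        Frame("ffff.ffff.ffff", "255.255.255.255"),   # limited broadcast
    ]


if __name__ == "__main__":
    for category, count in sorted(summarize(sample_frames(), "0018.7474.2280").items()):
        print(f"{count:3d}  {category}")
```

Only one of the six constructed frames is actually for the FWSM; the other five all land in the counter without any policy decision having been made, which is the point of David's reply.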

4 REPLIES
Cisco Employee

Re: FWSM Dropped Packet

The 'dropped' counter there isn't anything to worry about. Those are packets that the switch forwarded to the FWSM but that are not destined for the FWSM.

You are taking the correct troubleshooting approach, however. First check the syslogs to see if you see the connection built and teardown messages. Also, you can check the conn table (show conn) to see the state of the connection once it has been attempted.

David.
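David's reply suggests checking the built and teardown syslogs for the flow. The following is an added example, not Cisco code or anything posted in this thread, that pairs those messages by connection id so you can see whether the FWSM permitted the IPCC to CAD agent flow and how each connection ended. The log lines are constructed samples in the shape of the FWSM 302013 (built) and 302014 (teardown) TCP messages; the interface names, addresses, ports and connection ids are made up.

```python
"""Correlate FWSM TCP built/teardown syslogs by connection id (added example, not Cisco code).

A connection that appears in a 302013 'Built' message was permitted by the policy;
the matching 302014 'Teardown' message says how long it lived, how many bytes it
carried and why it ended. A teardown with zero bytes or a SYN timeout means the
firewall allowed the connection but the peer never completed the handshake, which
is a different problem from a policy drop.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample lines in the shape of FWSM 302013/302014 messages (all values made up).
SAMPLE_SYSLOG = """\
%FWSM-6-302013: Built outbound TCP connection 1001 for SERVIDORES:192.0.2.10/42513 (192.0.2.10/42513) to AGENTES:198.51.100.7/42027 (198.51.100.7/42027)
%FWSM-6-302014: Teardown TCP connection 1001 for SERVIDORES:192.0.2.10/42513 to AGENTES:198.51.100.7/42027 duration 0:00:03 bytes 812 TCP FINs
%FWSM-6-302013: Built outbound TCP connection 1002 for SERVIDORES:192.0.2.10/42514 (192.0.2.10/42514) to AGENTES:198.51.100.7/42027 (198.51.100.7/42027)
%FWSM-6-302014: Teardown TCP connection 1002 for SERVIDORES:192.0.2.10/42514 to AGENTES:198.51.100.7/42027 duration 0:01:00 bytes 0 SYN Timeout
%FWSM-6-302013: Built inbound TCP connection 1003 for AGENTES:198.51.100.7/51001 (198.51.100.7/51001) to SERVIDORES:192.0.2.10/42027 (192.0.2.10/42027)
"""

BUILT_RE = re.compile(
    r"302013: Built (?P<direction>inbound|outbound) TCP connection (?P<cid>\d+) "
    r"for (?P<src_if>\S+):(?P<src>[\d.]+)/(?P<sport>\d+) \(\S+\) "
    r"to (?P<dst_if>\S+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
TEARDOWN_RE = re.compile(
    r"302014: Teardown TCP connection (?P<cid>\d+) for \S+ to \S+ "
    r"duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<nbytes>\d+)(?: (?P<reason>.+))?$"
)


@dataclass
class Conn:
    cid: str
    direction: str
    src: str                          # "interface:ip/port" as logged
    dst: str
    duration: Optional[str] = None    # filled in by the teardown message
    nbytes: Optional[int] = None
    reason: Optional[str] = None      # teardown reason; None while the connection is still open


def correlate(lines: Iterable[str]) -> Dict[str, Conn]:
    """Build a table of connections keyed by FWSM connection id from built/teardown lines."""
    conns: Dict[str, Conn] = {}
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            conns[m["cid"]] = Conn(
                cid=m["cid"],
                direction=m["direction"],
                src=f"{m['src_if']}:{m['src']}/{m['sport']}",
                dst=f"{m['dst_if']}:{m['dst']}/{m['dport']}",
            )
            continue
        m = TEARDOWN_RE.search(line)
        if m and m["cid"] in conns:
            c = conns[m["cid"]]
            c.duration, c.nbytes, c.reason = m["duration"], int(m["nbytes"]), m["reason"]
    return conns


def half_open_ids(conns: Dict[str, Conn]) -> List[str]:
    """Permitted connections whose handshake never completed (no data or SYN timeout)."""
    return sorted(c.cid for c in conns.values() if c.reason == "SYN Timeout" or c.nbytes == 0)


def still_open_ids(conns: Dict[str, Conn]) -> List[str]:
    """Connections built but not yet torn down; these should also show up in 'show conn'."""
    return sorted(c.cid for c in conns.values() if c.reason is None and c.nbytes is None)


if __name__ == "__main__":
    table = correlate(SAMPLE_SYSLOG.splitlines())
    for c in table.values():
        print(f"{c.cid} {c.direction:8s} {c.src} -> {c.dst} bytes={c.nbytes} reason={c.reason}")
    print("half-open:", half_open_ids(table))
    print("still open:", still_open_ids(table))
```

Run against a real syslog export, the half-open list is the first thing to look at for the IPCC/CAD problem: the FWSM built those connections, so the access-list is not the cause, and attention moves to the far end or to the return path through the MSFC.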

Community Member

Re: FWSM Dropped Packet

Hi David, I have the exact same observation in my customer's network. Do you know any reference on cisco.com to support your first paragraph? Thanks.

Community Member

Re: FWSM Dropped Packet

Thanks David! Your reply is very helpful.
