Cisco Support Community
New Member

Packet Drops after Implementation of FWSM ..?

Hi guys,

I am facing some packet drops in the LAN after implementation of an FWSM context. Please let me know whether any configuration needs to be done to avoid this.

Please suggest. Thanks in advance.

6 REPLIES
New Member

Re: Packet Drops after Implementation of FWSM ..?

You need to find out what is being dropped. Is it really the FWSM, or is something else dropping the packets? If your environment didn't have a firewall before and you are introducing the FWSM to it, some applications might not be firewall-friendly, such as in-house built software. If you want to find out whether your FWSM is dropping the packets, do "show asp drop" from the CLI, and use "capture capture_name type asp-drop" to capture any dropped packets.

New Member

Re: Packet Drops after Implementation of FWSM ..?

Thanks, friend. Here is the output:

FWSM/Infra# sh capture noc

0 packet seen, 0 captured

0 packet shown

FWSMPRI/Infra# sh asp drop

Frame drop:

No route to host 85151

Bad TCP flags 22

TCP failed 3 way handshake 7

TCP RST/FIN out of order 258

TCP packet SEQ past window 1625

TCP invalid ACK 7866937105

TCP packet buffer full 64556

TCP DUP and has been ACKed 548228

TCP packet failed PAWS test 414366

Packet hit an invalid connection 105

Invalid connection address in delete indication 2783892

Flow drop:

I have not observed any drops in the capture.
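
An added example (not part of the thread and not any poster's code): the counters in "show asp drop" are running totals, so a single listing like the one above does not show which drop reasons are growing while the problem is happening. This Python code parses two listings and ranks the counters that increased between them; the first sample reuses some counters from the post above, the second sample is constructed, and the function names are hypothetical.

```python
import re

# A counter line is free text followed by an integer; section headers end in "drop:".
COUNTER = re.compile(r"^\s*(?P<reason>.+?)\s+(?P<count>\d+)\s*$")
SECTION = re.compile(r"^\s*(?P<name>[A-Za-z ]+drop):\s*$")


def parse_asp_drop(text):
    """Return {section: {reason: count}} parsed from 'show asp drop' text."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            current = sections.setdefault(m.group("name"), {})
            continue
        m = COUNTER.match(line)
        if m and current is not None:  # ignore prompts and text before a header
            current[m.group("reason")] = int(m.group("count"))
    return sections


def growing_counters(before, after, section="Frame drop"):
    """Counters that increased between two snapshots, largest delta first."""
    old, new = before.get(section, {}), after.get(section, {})
    deltas = {r: c - old.get(r, 0) for r, c in new.items() if c > old.get(r, 0)}
    return sorted(deltas.items(), key=lambda kv: kv[1], reverse=True)


# Snapshot 1: some counters as posted in the thread. Snapshot 2: constructed values.
SNAPSHOT_1 = """\
Frame drop:
  No route to host 85151
  Bad TCP flags 22
  TCP packet buffer full 64556
  TCP packet failed PAWS test 414366
Flow drop:
"""
SNAPSHOT_2 = """\
Frame drop:
  No route to host 85390
  Bad TCP flags 22
  TCP packet buffer full 64556
  TCP packet failed PAWS test 414371
Flow drop:
"""

if __name__ == "__main__":
    for reason, delta in growing_counters(parse_asp_drop(SNAPSHOT_1), parse_asp_drop(SNAPSHOT_2)):
        print(f"{delta:>8}  {reason}")
```

Take the two listings a known interval apart while the intermittent loss is occurring; counters that stay flat are history, not the current fault.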

New Member

Re: Packet Drops after Implementation of FWSM ..?

I'm getting the below response intermittently. Please let me know what could be the issue. Thanks.

Reply from 172.17.117.24: bytes=32 time<1ms TTL=126

Reply from 172.17.117.24: bytes=32 time<1ms TTL=126

Reply from 172.17.117.24: bytes=32 time<1ms TTL=126

Reply from 172.17.117.24: bytes=32 time<1ms TTL=126

Reply from 172.17.10.25: Destination host unreachable.

Reply from 172.17.10.25: Destination host unreachable.

Reply from 172.17.10.25: Destination host unreachable.

Reply from 172.17.10.25: Destination host unreachable.

Reply from 172.17.10.25: Destination host unreachable.

Reply from 172.17.117.24: bytes=32 time=1ms TTL=126

Reply from 172.17.117.24: bytes=32 time<1ms TTL=126

Reply from 172.17.117.24: bytes=32 time<1ms TTL=126

Re: Packet Drops after Implementation of FWSM ..?

Is it random packets or ALL packets going to a VLAN? The FWSM needs an ACL to pass traffic even on highest security level (100) interfaces. This is different from PIX/ASA. If it's random, you already got the answer from the original responder (show asp drop etc.).

Also check the syslogs for any deny/discards/drops etc.

Regards

Farrukh

New Member

Re: Packet Drops after Implementation of FWSM ..?

This is an initial setup, and I have given full access from outside to inside and vice versa.

Re: Packet Drops after Implementation of FWSM ..?

Hi Manik,

I would recommend that you start by setting up a SPAN session for both VLANs on either side of the FWSM. Depending on what version of FWSM code you are running (and this would be helpful to know as well), captures taken directly on the firewall can be unreliable. The SPAN captures will give you a fairly good indication of what is going on and how the FWSM is affecting the traffic flow, or at least where to start your troubleshooting.

-Mike
