Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

packet drops on ASA firewall

We installed ASA 5520 firewall which is connected to the Internet with NAT/PAT enabled but we started receiving complains about slow browsing. On checking the inside interface of the firewall it displays enormous number of packet drops!!!! Although the 5min input/output ratio shows a traffic not more than 500Kbits/sec.

I've cleared the interface to see the rate of drops. the rate of drops seems to be increasing exponentially.

Have anyone came across such a problem? Pls advise...




Re: packet drops on ASA firewall


Did you check the speed and duplex mode of the switch port on which the ASA's interface is attached?

It may be a problem regarding the speed and duplex mode.

Best regards.


Community Member

Re: packet drops on ASA firewall

It is 1000Mbps full-duplex on both sides, ASA firewall as well as core switch..

Community Member

Re: packet drops on ASA firewall

Is any software installed for syslogs, if not then I would advice you install it Firewall Log Analyzer of Adventnet and it would be easy to judge where the traffic is coming from.

Can you post your Network Diagram then it would be easy to troubleshoot it.

Community Member

Re: packet drops on ASA firewall

I would be doing that tomorrow morning, meanwhile just to give u an idea of the setup.

ASA Outside IP address: 212.76.x.x

ASA inside IP address:

Routes are added to the ASA firewall for reachability tp subnets behind Inside interface.

Default route is added to the core switch -> 0 0

Core switch SVI:

Server vlan where these IP's are static NATed on asa firewall

Server vlan SVI: <-> 212.x.y.a - exchange <-> 212.x.y.b - owa

PAT enabled with interface ip <-> 212.x.y.c - proxy <-> 212.x.y.c - blackberry

User vlan are vlan 3,4,6,7,8,9,10 with corresponding svi's configured on the core.

Now the traffic source for ASA firewall is basically from the servers specified and I have observed that these interface doesn't have high volume of traffic infact less than 1 mb each, and the ASA vlan doesn't have any other end user except the access switches with managment ip's only!!

Aaahh!!! I'm not sure why these packet drops are occuring.....

I'll see if any valuable inputs come in from users from netpro community.

Community Member

Re: packet drops on ASA firewall

What is a version of ASA OS. If you are using an old version then I would advice you to upgrade it into 8.04 the latest one.

Re: packet drops on ASA firewall

there could be a number of reasons for packet drops, but if you can you post complete output of show interface inside to see, what are your other interfaces stats are they clean such as outside interface etc.., how about the switchport the ASA interface inside is connected to, can u post output of show interface from switch side?

even though you have hardcoded both sides does not rule out the posibility of a bad

cable, any CRCs, runs, giants on switchport side?

u may also issue show asp drop in firewall

see table 25-2 for specs on this command

show service-pilicy output to rule out any service policy may be causing drops,

last but not least go through the normal performance check list here


Community Member

Re: packet drops on ASA firewall

Continuing with the packet drops issue... See the number of underruns on the interfaces

Interface GigabitEthernet0/1 "inside", is up, line protocol is up

Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec

Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)

Description: *****Connected to Core switch*****

MAC address 001e.be79.7957, MTU 1500

IP address, subnet mask

4114739 packets input, 1292642813 bytes, 0 no buffer

Received 2514 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 L2 decode drops

4016064 packets output, 3095325439 bytes, 1805 underruns

0 output errors, 0 collisions, 0 interface resets

0 late collisions, 0 deferred

0 input reset drops, 0 output reset drops

input queue (curr/max packets): hardware (0/25) software (0/0)

output queue (curr/max packets): hardware (0/255) software (0/0)

Traffic Statistics for "inside":

4114739 packets input, 1207986967 bytes

4017869 packets output, 3017572869 bytes

78650 packets dropped

1 minute input rate 101 pkts/sec, 15968 bytes/sec

1 minute output rate 156 pkts/sec, 23251 bytes/sec

1 minute drop rate, 0 pkts/sec

5 minute input rate 31 pkts/sec, 3199 bytes/sec

5 minute output rate 30 pkts/sec, 29771 bytes/sec

5 minute drop rate, 0 pkts/sec

Re: packet drops on ASA firewall

Can you post output from asa

show asp drop

show service-policy

Community Member

Re: packet drops on ASA firewall

Have you checked your appliance memory usage?

show memory

show processes memory

CreatePlease to create content