07-23-2013 07:11 AM - edited 03-11-2019 07:15 PM
Hi Everyone,
I ran the command below
show asp drop
Frame drop:
No valid adjacency (no-adjacency) 11542
Flow is denied by configured rule (acl-drop) 210306934
Invalid SPI (np-sp-invalid-spi) 2223
First TCP packet not SYN (tcp-not-syn) 4407216
Bad TCP flags (bad-tcp-flags) 14
TCP data send after FIN (tcp-data-past-fin) 1
TCP failed 3 way handshake (tcp-3whs-failed) 403158
TCP RST/FIN out of order (tcp-rstfin-ooo) 2552491
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 822
TCP SYNACK on established conn (tcp-synack-ooo) 7
TCP packet SEQ past window (tcp-seq-past-win) 95277
TCP invalid ACK (tcp-invalid-ack) 1535
TCP ACK in 3 way handshake invalid (tcp-discarded-ooo) 24
TCP Out-of-Order packet buffer full (tcp-buffer-full) 546435
TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 100898
TCP RST/SYN in window (tcp-rst-syn-in-win) 3757
TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 333974
TCP packet failed PAWS test (tcp-paws-fail) 56148
IPSEC tunnel is down (ipsec-tun-down) 359
Slowpath security checks failed (sp-security-failed) 33779
DNS Inspect invalid domain label (inspect-dns-invalid-domain-label) 1934
DNS Inspect id not matched (inspect-dns-id-not-matched) 12436
Interface is down (interface-down) 2134
Dropped pending packets in a closed socket (np-socket-closed) 98567
Last clearing: Never
Flow drop:
Flow is denied by access rule (acl-drop) 2073154
NAT failed (nat-failed) 150494
NAT reverse path failed (nat-rpf-failed) 32566
Need to start IKE negotiation (need-ike) 63354
Inspection failure (inspect-fail) 66
SSL handshake failed (ssl-handshake-failed) 22
SSL received close alert (ssl-received-close-alert) 6
Last clearing: Never
Need to make sure all the drops above are normal?
Is there a command to clear the counters?
Regards
MAhesh
07-23-2013 08:53 AM
Hi,
I believe it depends on your definition of normal or not. You can refer to the following link from Cisco for detailed information on each drop: show asp drop
What you see up there actually depends on your ASA configuration or what you use your ASA for. For example, on my ASA I don't see that many flow or frame drops:
FW# show asp drop
Frame drop:
No valid adjacency (no-adjacency) 18
Flow is denied by configured rule (acl-drop) 26447
First TCP packet not SYN (tcp-not-syn) 8015
TCP failed 3 way handshake (tcp-3whs-failed) 5
TCP RST/FIN out of order (tcp-rstfin-ooo) 2400
TCP SYNACK on established conn (tcp-synack-ooo) 10
TCP packet SEQ past window (tcp-seq-past-win) 1
TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 1
TCP RST/SYN in window (tcp-rst-syn-in-win) 1
TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 8
TCP packet failed PAWS test (tcp-paws-fail) 85
Slowpath security checks failed (sp-security-failed) 3257
ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched) 5
DNS Inspect id not matched (inspect-dns-id-not-matched) 1
Interface is down (interface-down) 52
Dropped pending packets in a closed socket (np-socket-closed) 311
Last clearing: Never
Flow drop:
NAT reverse path failed (nat-rpf-failed) 4
Inspection failure (inspect-fail) 15238
SSL bad record detected (ssl-bad-record-detect) 3
SSL handshake failed (ssl-handshake-failed) 1
Last clearing: Never
FW#
UPDATE:
To clear those drops, you can use the clear asp drop command. If you want to clear the flow drops, use the clear asp drop flow command; the same goes for frame drops.
HTH,
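The counters in both outputs above are cumulative ("Last clearing: Never"), so one way to judge them is by how much each grows between two captures rather than by the totals. The following is an added example, not code from any post in this thread: it parses `show asp drop` output and ranks the increases. The function names are hypothetical and the second capture's values are constructed.

```python
import re

# One counter line looks like: "<description> (<drop-reason>) <count>"
LINE_RE = re.compile(r"^\s*.+?\s+\((?P<reason>[a-z0-9-]+)\)\s+(?P<count>\d+)\s*$")

def parse_asp_drop(text):
    """Parse output into {'frame': {...}, 'flow': {...}}; acl-drop is in both."""
    sections, current = {"frame": {}, "flow": {}}, None
    for line in text.splitlines():
        head = line.strip().lower()
        if head.startswith("frame drop"):
            current = "frame"
        elif head.startswith("flow drop"):
            current = "flow"
        elif current and (m := LINE_RE.match(line)):
            sections[current][m["reason"]] = int(m["count"])
    return sections

def drop_deltas(before, after):
    """Return (section, reason, increase) tuples, largest increase first."""
    rows = []
    for section, counters in after.items():
        for reason, count in counters.items():
            prev = before[section].get(reason, 0)
            # A lower value than before means the counters were cleared
            # (or the unit reloaded) in between, so count from zero.
            inc = count - prev if count >= prev else count
            if inc > 0:
                rows.append((section, reason, inc))
    return sorted(rows, key=lambda r: r[2], reverse=True)

# First capture: lines copied from the output posted in the question.
SNAPSHOT_1 = """Frame drop:
Flow is denied by configured rule (acl-drop) 210306934
First TCP packet not SYN (tcp-not-syn) 4407216
Last clearing: Never
Flow drop:
Flow is denied by access rule (acl-drop) 2073154
NAT failed (nat-failed) 150494"""
# Second capture: constructed values, for illustration only.
SNAPSHOT_2 = """Frame drop:
Flow is denied by configured rule (acl-drop) 210307934
First TCP packet not SYN (tcp-not-syn) 4407216
Last clearing: Never
Flow drop:
Flow is denied by access rule (acl-drop) 2073164
NAT failed (nat-failed) 155494"""

if __name__ == "__main__":
    print(drop_deltas(parse_asp_drop(SNAPSHOT_1), parse_asp_drop(SNAPSHOT_2)))
```
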
07-23-2013 10:09 AM
Hi Rudy,
Regards
MAhesh