show asp drop output

Hi Everyone,

I ran the command below

show asp drop

Frame drop:
  No valid adjacency (no-adjacency)                                        11542
  Flow is denied by configured rule (acl-drop)                         210306934
  Invalid SPI (np-sp-invalid-spi)                                           2223
  First TCP packet not SYN (tcp-not-syn)                                 4407216
  Bad TCP flags (bad-tcp-flags)                                               14
  TCP data send after FIN (tcp-data-past-fin)                                  1
  TCP failed 3 way handshake (tcp-3whs-failed)                            403158
  TCP RST/FIN out of order (tcp-rstfin-ooo)                              2552491
  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                           822
  TCP SYNACK on established conn (tcp-synack-ooo)                              7
  TCP packet SEQ past window (tcp-seq-past-win)                            95277
  TCP invalid ACK (tcp-invalid-ack)                                         1535
  TCP ACK in 3 way handshake invalid (tcp-discarded-ooo)                      24
  TCP Out-of-Order packet buffer full (tcp-buffer-full)                   546435
  TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout)             100898
  TCP RST/SYN in window (tcp-rst-syn-in-win)                                3757
  TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue)              333974
  TCP packet failed PAWS test (tcp-paws-fail)                              56148
  IPSEC tunnel is down (ipsec-tun-down)                                      359
  Slowpath security checks failed (sp-security-failed)                     33779
  DNS Inspect invalid domain label (inspect-dns-invalid-domain-label)       1934
  DNS Inspect id not matched (inspect-dns-id-not-matched)                  12436
  Interface is down (interface-down)                                        2134
  Dropped pending packets in a closed socket (np-socket-closed)            98567

Last clearing: Never

Flow drop:
  Flow is denied by access rule (acl-drop)                               2073154
  NAT failed (nat-failed)                                                 150494
  NAT reverse path failed (nat-rpf-failed)                                 32566
  Need to start IKE negotiation (need-ike)                                 63354
  Inspection failure (inspect-fail)                                           66
  SSL handshake failed (ssl-handshake-failed)                                 22
  SSL received close alert (ssl-received-close-alert)                          6

Last clearing: Never

Need to make sure all the drops above are normal?

Is there a command to clear the counters?

Regards

MAhesh

Accepted Solutions

Re: show asp drop output

Hi,

I believe it depends on your definition of normal or not; you can refer to the following link from Cisco for detailed information on each drop: show asp drop

What you see up there actually depends on your ASA configuration or what you use your ASA for. For example, on my ASA I don't see that many flow or frame drops:

FW# show asp drop

Frame drop:
  No valid adjacency (no-adjacency)                                           18
  Flow is denied by configured rule (acl-drop)                             26447
  First TCP packet not SYN (tcp-not-syn)                                    8015
  TCP failed 3 way handshake (tcp-3whs-failed)                                 5
  TCP RST/FIN out of order (tcp-rstfin-ooo)                                 2400
  TCP SYNACK on established conn (tcp-synack-ooo)                             10
  TCP packet SEQ past window (tcp-seq-past-win)                                1
  TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout)                  1
  TCP RST/SYN in window (tcp-rst-syn-in-win)                                   1
  TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue)                   8
  TCP packet failed PAWS test (tcp-paws-fail)                                 85
  Slowpath security checks failed (sp-security-failed)                      3257
  ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched)          5
  DNS Inspect id not matched (inspect-dns-id-not-matched)                      1
  Interface is down (interface-down)                                          52
  Dropped pending packets in a closed socket (np-socket-closed)              311

Last clearing: Never

Flow drop:
  NAT reverse path failed (nat-rpf-failed)                                     4
  Inspection failure (inspect-fail)                                        15238
  SSL bad record detected (ssl-bad-record-detect)                              3
  SSL handshake failed (ssl-handshake-failed)                                  1

Last clearing: Never

FW#

UPDATE:

To clear those drops, you can use the clear asp drop command. If you want to clear the flow drops, use the clear asp drop flow command; the same for frame drops.

HTH,
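
Both outputs above show "Last clearing: Never", so the totals are cumulative and say little on their own; comparing two snapshots shows which drop reasons are growing now. The sketch below is an added example, not part of the original thread or of any Cisco tool: the function names are made up here, SNAP_1 copies a few lines from the question, and SNAP_2 holds constructed values.

```python
import re

SECTION = re.compile(r"^(Frame|Flow) drop:$")            # "Frame drop:" / "Flow drop:"
COUNTER = re.compile(r"^(.+?) \(([a-z0-9-]+)\)\s+(\d+)$")  # "Description (drop-id)   1234"

def parse_asp_drop(text):
    """Parse 'show asp drop' text into {"frame": {id: n}, "flow": {id: n}}."""
    result, section = {"frame": {}, "flow": {}}, None
    for line in map(str.strip, text.splitlines()):
        if m := SECTION.match(line):
            section = m.group(1).lower()
        elif section and (m := COUNTER.match(line)):
            # acl-drop exists in both sections, so counters are keyed by section too.
            result[section][m.group(2)] = int(m.group(3))
    return result

def drop_deltas(before, after):
    """Counters that grew between two snapshots, largest increase first."""
    rows = []
    for section, counters in after.items():
        for drop_id, count in counters.items():
            delta = count - before[section].get(drop_id, 0)
            if delta < 0:  # counters were cleared (or the unit reloaded) in between
                delta = count
            if delta:
                rows.append((section, drop_id, delta))
    return sorted(rows, key=lambda r: r[2], reverse=True)

# SNAP_1: lines copied from the output posted in the question.
SNAP_1 = """Frame drop:
  Flow is denied by configured rule (acl-drop)                         210306934
  First TCP packet not SYN (tcp-not-syn)                                 4407216
  TCP Out-of-Order packet buffer full (tcp-buffer-full)                   546435
Last clearing: Never
Flow drop:
  Flow is denied by access rule (acl-drop)                               2073154
  NAT failed (nat-failed)                                                 150494
"""
# SNAP_2: constructed values, as if the command were run again some minutes later.
SNAP_2 = """Frame drop:
  Flow is denied by configured rule (acl-drop)                         210307134
  First TCP packet not SYN (tcp-not-syn)                                 4407216
  TCP Out-of-Order packet buffer full (tcp-buffer-full)                   548935
Flow drop:
  Flow is denied by access rule (acl-drop)                               2073154
  NAT failed (nat-failed)                                                 150506
"""
if __name__ == "__main__":
    for section, drop_id, delta in drop_deltas(parse_asp_drop(SNAP_1), parse_asp_drop(SNAP_2)):
        print(f"{section:5} {drop_id:20} +{delta}")
```
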

show asp drop output

Hi Rudy,

Regards

MAhesh
