Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Show ASP Drop


I want help for below issue, does it mean i have problem with my isp, because my customer complain from disconnecting in service or no service ?

ASA-E#  show asp drop

Frame drop:

  Invalid TCP Length (invalid-tcp-hdr-length)                                226

  Invalid UDP Length (invalid-udp-length)                                     26

  No valid adjacency (no-adjacency)                                      1132921

  Flow is denied by configured rule (acl-drop)                          25221865

  Flow denied due to resource limitation (unable-to-create-flow)        30315574

  First TCP packet not SYN (tcp-not-syn)                                 7566521

  Bad TCP flags (bad-tcp-flags)                                            14877

  TCP data send after FIN (tcp-data-past-fin)                                157

  TCP failed 3 way handshake (tcp-3whs-failed)                             60984

  TCP RST/FIN out of order (tcp-rstfin-ooo)                              1619633

  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                        401073

  TCP ACK in SYNACK invalid (tcp-ack-syn-diff)                                 5

  TCP SYNACK on established conn (tcp-synack-ooo)                          42298

  TCP packet SEQ past window (tcp-seq-past-win)                           268890

  TCP invalid ACK (tcp-invalid-ack)                                       675430

  TCP replicated flow pak drop (tcp-fo-drop)                               19295

  TCP ACK in 3 way handshake invalid (tcp-discarded-ooo)                     491

  TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout)                 66

  TCP RST/SYN in window (tcp-rst-syn-in-win)                               10480

  TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue)                 997

  TCP packet failed PAWS test (tcp-paws-fail)                              50690

  Connection limit reached (conn-limit)                                        1

  Slowpath security checks failed (sp-security-failed)                     46497

  Expired flow (flow-expired)                                                  1

  ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn)                                    51

  DNS Inspect invalid packet (inspect-dns-invalid-pak)                       141

  DNS Inspect invalid domain label (inspect-dns-invalid-domain-label)       1629

  DNS Inspect packet too long (inspect-dns-pak-too-long)                     156

  DNS Inspect id not matched (inspect-dns-id-not-matched)                 127234

  Unable to obtain connection lock (connection-lock)                           4

  Interface is down (interface-down)                                         447

  RM connection limit reached (rm-conn-limit)                           14027404

Last clearing: Never

Flow drop:

  Flow is denied by access rule (acl-drop)                                  3002

  NAT failed (nat-failed)                                               19624370

  NAT reverse path failed (nat-rpf-failed)                                   240

  Inspection failure (inspect-fail)                                       605102

Last clearing: Never


Show ASP Drop

Hi Mustafa,

The output of "show asp drop" is cumulative. So you need to clear the counters "clear asp drop" then try to observe a baseline and any abnormally increasing counters.

I suggest that you collect the ASP drop captures and match them to the reported failure:

capture aspcap type asp-drop all

capture aspcap  buffer 32000000

show captue aspcap


Mashal Shboul

------------------ Mashal Shboul
CreatePlease login to create content