08-11-2006 06:32 AM - edited 03-09-2019 03:52 PM
kssnchqfwi1# sh service-policy
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: ftp, packet 327242, drop 0, reset-drop 5
      Inspect: pptp, packet 443, drop 0, reset-drop 0
      Inspect: sqlnet, packet 12, drop 0, reset-drop 0
      Inspect: tftp, packet 14252, drop 0, reset-drop 0
      Inspect: h323 h225, packet 174, drop 0, reset-drop 0
      Inspect: h323 ras, packet 3, drop 2, reset-drop 0
      Inspect: icmp error, packet 49820, drop 315, reset-drop 0
      Inspect: dns maximum-length 1500, packet 5595126, drop 5873, reset-drop 0
    Class-map: DUC-timeout
      Set connection policy:
      Set connection timeout policy:
        tcp 72:00:00
    Class-map: IPS-traffic
      IPS: card status Up, mode inline fail-open
        packet input 328461042, packet output 328465066, drop 13547, reset-drop 0
      Set connection policy:
      Set connection advanced-options: TCP-queue
        Retransmission drops: 0       TCP checksum drops : 0
        Exceeded MSS drops  : 60      SYN with data drops: 0
        Out-of-order packets: 295553  No buffer drops    : 41688
        Reserved bit cleared: 0       Reserved bit drops : 0
        IP TTL modified     : 0       Urgent flag cleared: 4
        Window varied resets: 0
        TCP-options:
          Selective ACK cleared: 11   Timestamp cleared  : 0
          Window scale cleared : 0
          Other options cleared: 0
          Other options drops: 0
kssnchqfwi1#
I'm showing a lot of "No buffer drops" when sending traffic to our IPS module. The module is running 5.1(2)S244, and only about 20 signatures are tuned. The IPS isn't overloaded as we're just testing it now, so only about 20 users behind it. CPU is very low on both the ASA and IPS module.
08-14-2006 12:50 AM
Hi,
The "no buffer drops" counter as shown relates to the out-of-order packets counter - by default this is set to zero, but can be modified with the "queue-limit" command. It looks like you've set this to some value - but not high enough, as the ASA is still dropping out-of-order packets due to shortage of buffer space.
Try increasing the queue and see if that makes a difference (or, if you can, try eliminating the out-of-order packets)
HTH
Andrew.
08-14-2006 06:31 AM
Thanks for the input. I figured they were due to OOO packets, and I've been messing around with the queue-limit to try and get the packets normalized correctly. I am currently setting a queue-limit of 25.
!
tcp-map TCP-queue
queue-limit 25
!
I've tried cranking it up to 250 (the max), but I still get a large number of OOO packets and "no buffer drops". Is there anything else I need to be doing to properly normalize the traffic before sending it to the IPS?
Thanks again.
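The reply above ties "No buffer drops" to "Out-of-order packets" and the tcp-map queue-limit, and the follow-up asks how to tell whether the queue is still the problem after raising it. The script below is an added example for this thread (not Cisco code and not posted by either participant): it parses the TCP-normalizer counters and the IPS module line out of `show service-policy` text and reports how many out-of-order segments were dropped for lack of queue space. The counter layout (one or two "label : value" pairs per line under "Set connection advanced-options:") is assumed from the output posted at the top of the thread, the embedded sample reproduces that IPS-traffic class, and the queue-limit ceiling of 250 is taken from the follow-up post rather than from any documentation.

```python
"""Parse TCP-normalizer counters from ASA `show service-policy` output and
say whether the per-flow out-of-order queue (tcp-map queue-limit) filled up.

Added example for this thread, not Cisco code.  SAMPLE_OUTPUT reproduces the
IPS-traffic class from the post above; the "label : value" layout under
"Set connection advanced-options:" is assumed from that output.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Sample input copied from the posted `sh service-policy` output (IPS-traffic class only).
SAMPLE_OUTPUT = """\
    Class-map: IPS-traffic
      IPS: card status Up, mode inline fail-open
        packet input 328461042, packet output 328465066, drop 13547, reset-drop 0
      Set connection policy:
      Set connection advanced-options: TCP-queue
        Retransmission drops: 0       TCP checksum drops : 0
        Exceeded MSS drops  : 60      SYN with data drops: 0
        Out-of-order packets: 295553  No buffer drops    : 41688
        Reserved bit cleared: 0       Reserved bit drops : 0
        IP TTL modified     : 0       Urgent flag cleared: 4
        Window varied resets: 0
        TCP-options:
          Selective ACK cleared: 11   Timestamp cleared  : 0
          Window scale cleared : 0
          Other options cleared: 0
          Other options drops: 0
"""

# "label : value" pairs; labels may contain spaces and hyphens ("Out-of-order packets").
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z -]*?)\s*:\s*(\d+)")
IPS_RE = re.compile(
    r"IPS: card status (\w+), mode ([^\n]+)\n\s*packet input (\d+), "
    r"packet output (\d+), drop (\d+), reset-drop (\d+)"
)
# Everything from the advanced-options line up to the next Class-map (or end of text).
ADV_RE = re.compile(
    r"Set connection advanced-options: (\S+)\n(.*?)(?=\n\s*Class-map:|\Z)", re.S
)

QUEUE_LIMIT_MAX = 250  # assumption: the "250 (the max)" quoted in the thread


@dataclass
class IpsStatus:
    status: str
    mode: str
    packet_input: int
    packet_output: int
    drop: int
    reset_drop: int


@dataclass
class Normalizer:
    tcp_map: str
    counters: Dict[str, int] = field(default_factory=dict)


def parse_ips_status(output: str) -> IpsStatus:
    m = IPS_RE.search(output)
    if not m:
        raise ValueError("no IPS module line found")
    return IpsStatus(m.group(1), m.group(2).strip(), *map(int, m.groups()[2:]))


def parse_normalizer(output: str) -> Normalizer:
    m = ADV_RE.search(output)
    if not m:
        raise ValueError("no 'Set connection advanced-options' block found")
    counters = {k.strip(): int(v) for k, v in COUNTER_RE.findall(m.group(2))}
    return Normalizer(m.group(1), counters)


def nonzero_counters(norm: Normalizer) -> List[Tuple[str, int]]:
    """Counters worth a look, largest first."""
    return sorted(((k, v) for k, v in norm.counters.items() if v), key=lambda kv: -kv[1])


def assess_queue(norm: Normalizer) -> Dict[str, object]:
    """Relate 'No buffer drops' to 'Out-of-order packets' as the reply explains:
    a non-zero no-buffer count means the OOO queue bounded by queue-limit was full."""
    ooo = norm.counters.get("Out-of-order packets", 0)
    nobuf = norm.counters.get("No buffer drops", 0)
    ratio = nobuf / ooo if ooo else 0.0
    if nobuf == 0:
        hint = "queue-limit is large enough for the reordering seen"
    else:
        hint = (f"{nobuf} of {ooo} out-of-order segments dropped for lack of queue "
                f"space; raise queue-limit (max {QUEUE_LIMIT_MAX}) or remove the "
                "reordering upstream")
    return {"out_of_order": ooo, "no_buffer_drops": nobuf, "drop_ratio": ratio,
            "queue_exhausted": nobuf > 0, "hint": hint}


if __name__ == "__main__":
    ips = parse_ips_status(SAMPLE_OUTPUT)
    norm = parse_normalizer(SAMPLE_OUTPUT)
    print(f"IPS {ips.status}, {ips.mode}, drop {ips.drop}")
    print(f"tcp-map {norm.tcp_map}: non-zero counters")
    for label, value in nonzero_counters(norm):
        print(f"  {label}: {value}")
    print(assess_queue(norm)["hint"])
```

Run it twice with the real output, a few minutes apart, and compare the two "No buffer drops" values rather than the absolute count: the counters are cumulative, so only the delta tells you whether a queue-limit change actually helped, and a delta of zero with out-of-order packets still climbing means the remaining reordering fits in the queue.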