Cisco Support Community

What are "No buffer drops" under show service-policy?

kssnchqfwi1# sh service-policy

Global policy:

Service-policy: global_policy

Class-map: inspection_default

Inspect: ftp, packet 327242, drop 0, reset-drop 5

Inspect: pptp, packet 443, drop 0, reset-drop 0

Inspect: sqlnet, packet 12, drop 0, reset-drop 0

Inspect: tftp, packet 14252, drop 0, reset-drop 0

Inspect: h323 h225, packet 174, drop 0, reset-drop 0

Inspect: h323 ras, packet 3, drop 2, reset-drop 0

Inspect: icmp error, packet 49820, drop 315, reset-drop 0

Inspect: dns maximum-length 1500, packet 5595126, drop 5873, reset-drop 0

Class-map: DUC-timeout

Set connection policy:

Set connection timeout policy:

tcp 72:00:00

Class-map: IPS-traffic

IPS: card status Up, mode inline fail-open

packet input 328461042, packet output 328465066, drop 13547, reset-drop 0

Set connection policy:

Set connection advanced-options: TCP-queue

Retransmission drops: 0 TCP checksum drops : 0

Exceeded MSS drops : 60 SYN with data drops: 0

Out-of-order packets: 295553 No buffer drops : 41688

Reserved bit cleared: 0 Reserved bit drops : 0

IP TTL modified : 0 Urgent flag cleared: 4

Window varied resets: 0

TCP-options:

Selective ACK cleared: 11 Timestamp cleared : 0

Window scale cleared : 0

Other options cleared: 0

Other options drops: 0

kssnchqfwi1#

I'm showing a lot of "No buffer drops" when sending traffic to our IPS module. The module is running 5.1(2)S244, and only about 20 signatures are tuned. The IPS isn't overloaded as we're just testing it now, so only about 20 users behind it. CPU is very low on both the ASA and IPS module.

2 REPLIES

Re: What are "No buffer drops" under show service-policy?

Hi,

The "no buffer drops" counter as shown relates to the out-of-order packets counter - by default this is set to zero, but can be modified with the "queue-limit" command. It looks like you've set this to some value - but not high enough, as the ASA is still dropping out-of-order packets due to shortage of buffer space.

Try increasing the queue and see if that makes a difference (or, if you can, try eliminating the out-of-order packets).

HTH

Andrew.


Re: What are "No buffer drops" under show service-policy?

Thanks for the input. I figured they were due to OOO packets, and I've been messing around with the queue-limit to try and get the packets normalized correctly. I currently am setting a queue-limit of 25.

!

tcp-map TCP-queue

queue-limit 25

!

I've tried cranking it up to 250 (the max), but I still get a large number of OOO packets and "no buffer drops". Is there anything else I need to be doing to properly normalize the traffic before sending it to the IPS?

Thanks again.

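Added example (not part of the thread, and not Cisco code): one way to check whether a queue-limit change actually helps is to parse the TCP normalizer counters from two "show service-policy" captures and compare the growth in "No buffer drops" against the growth in "Out-of-order packets". It assumes the counters are cumulative since the last clear; BEFORE reuses the counter lines posted above, AFTER is a constructed sample, and the function names are hypothetical.

```python
import re

# Two "name : value" counters share one line in the pasted output and the
# spacing before the colon varies, so match lazily up to each colon.
COUNTER = re.compile(r"([A-Za-z][A-Za-z \-]*?)\s*:\s*(\d+)\b")

# Counter lines as posted in the thread.
BEFORE = """\
Retransmission drops: 0 TCP checksum drops : 0
Exceeded MSS drops : 60 SYN with data drops: 0
Out-of-order packets: 295553 No buffer drops : 41688
"""

# Constructed sample: a later capture taken after changing queue-limit.
AFTER = """\
Retransmission drops: 0 TCP checksum drops : 0
Exceeded MSS drops : 60 SYN with data drops: 0
Out-of-order packets: 300553 No buffer drops : 42188
"""

def parse_counters(text):
    """Return {counter name: int} for every 'name: number' pair in the output."""
    counters = {}
    for line in text.splitlines():
        for name, value in COUNTER.findall(line):
            counters[name.strip()] = int(value)
    return counters

def no_buffer_ratio(before, after):
    """Ratio of new 'No buffer drops' to new 'Out-of-order packets' between
    two captures. Returns None when no out-of-order packets arrived."""
    ooo = after["Out-of-order packets"] - before["Out-of-order packets"]
    dropped = after["No buffer drops"] - before["No buffer drops"]
    if ooo <= 0:
        return None
    return dropped / ooo

if __name__ == "__main__":
    b, a = parse_counters(BEFORE), parse_counters(AFTER)
    ratio = no_buffer_ratio(b, a)
    print("no-buffer drops per out-of-order packet since last capture:", ratio)
```

Comparing this ratio across captures taken at different queue-limit values shows whether the larger queue is reducing drops, which the raw cumulative totals hide.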