topic ASA packet drops in Network Security

ASA packet drops

johnroche_2 — Mon, 11 Mar 2019 11:02:13 GMT

I have an ASA 5520 running version 8.

I noticed in a sho int, that packets are being dropped on an interfaces and there are overruns.

I have checked the sho int again after a period of time and the overruns are not increasig but the packet drops are.

There are no CRC's or collisons errors.( I have included the sho int below.

My question is are the packet drops due to denied packets or something else.

Interface GigabitEthernet0/2 "X", is up, line protocol is up

Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec

Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)

Description: LOCAL LAN

MAC address 0018.73d7.0f06, MTU 1500

IP address x.x.x.x subnet mask x.x.x.x

425900047 packets input, 175660341830 bytes, 16 no buffer

Received 113 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 715396 overrun, 0 ignored, 0 abort

0 L2 decode drops

331813766 packets output, 122952124630 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 late collisions, 0 deferred

0 input reset drops, 0 output reset drops

input queue (curr/max packets): hardware (1/33) software (0/0)

output queue (curr/max packets): hardware (0/75) software (0/0)

Traffic Statistics for "Longford-LAN":

425891541 packets input, 167577995460 bytes

331813766 packets output, 116281711092 bytes

308924 packets dropped

1 minute input rate 606 pkts/sec, 43234 bytes/sec

1 minute output rate 526 pkts/sec, 128487 bytes/sec

1 minute drop rate, 0 pkts/sec

5 minute input rate 609 pkts/sec, 51994 bytes/sec

5 minute output rate 521 pkts/sec, 111727 bytes/sec

5 minute drop rate, 0 pkts/sec

Re: ASA packet drops

srue — Fri, 24 Aug 2007 11:28:55 GMT

See if the "show asp drop" command gives you any useful output.

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s2_72.html#wp1174636

Re: ASA packet drops

johnroche_2 — Fri, 24 Aug 2007 12:06:53 GMT

Here is the output

Frame drop:

Invalid IP header 1

No valid adjacency 231

No route to host 34

Flow is denied by configured rule 76107

First TCP packet not SYN 62169

Bad option length in TCP 137

TCP data exceeded MSS 132

TCP failed 3 way handshake 53062

TCP RST/FIN out of order 3

TCP packet SEQ past window 13128

TCP RST/SYN in window 11

TCP DUP and has been ACKed 246414

IPSEC Spoof detected 2

IPSEC tunnel is down 580274

ICMP Inspect seq num not matched 65

DNS Inspect id not matched 6

FP L2 rule drop 400047

Interface is down 891

Dropped pending packets in a closed socket 9227

Flow drop:

NAT failed 35014

NAT reverse path failed 6

Need to start IKE negotiation 1340

Inspection failure 62

SSL received close alert 8

Re: ASA packet drops

johnroche_2 — Fri, 24 Aug 2007 14:00:56 GMT

I noticed there was a lot of packets dropped for IPSEC tunnel down.

IPSEC tunnel is down 580274

Check the Syslog and the firewall was set to 86400 secs but the responder was setting 3600

I changed the SA on the far side and havent seen any drops "yet" for IPSEC tunnel down