topic Re: Getting packet drop in ASP-drop in Network Security

Getting packet drop in ASP-drop

Chandresh — Thu, 06 Oct 2022 11:52:14 GMT

I am seeing asp packet drop on FTD in my captured logs for one of the website which user is trying to access on https. It is a intermittent issue where couple of time website is not opening or opening slow.

1: 23:07:25.774770 802.1Q vlan#2926 P0 14X.XX.XX.XX:443 > 10X.XX.XX.XX:59411: . ack 2225558804 win 24567 Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055656c83116f flow (NA)/NA

Note: On firewall rule is allowed and packet tracer also hitting the correct rule.

Thanks in advance.

Re: Getting packet drop in ASP-drop

MHM Cisco World — Thu, 06 Oct 2022 12:39:36 GMT

can you share the packet tracer

Re: Getting packet drop in ASP-drop

Aref Alsouqi — Thu, 06 Oct 2022 12:58:26 GMT

Are you using the website IP address or the FQDN on the access list?

Re: Getting packet drop in ASP-drop

Chandresh — Thu, 06 Oct 2022 15:38:44 GMT

Using the website ip address.

Re: Getting packet drop in ASP-drop

Chandresh — Thu, 06 Oct 2022 15:44:40 GMT

Like i said earlier there is no issue in the packet tracer output.As it is everytime showing showing allowed and taking the expected rule.

The problem here is the intermittent issue and very difficult to catch exactly.Out of 10 times i would say 7 or 8times we are able to access the website ip address without any issue but couple of times it is getting loaded slowly or failed to load.

Re: Getting packet drop in ASP-drop

Aref Alsouqi — Sun, 09 Oct 2022 09:42:01 GMT

Not sure what would cause this issue in this case. Another thought I have could be related to the rules if they are using the app IDs instead of the service ports?! sometimes when using the app IDs the firewall needs to see more traffic before it can understand what app ID is inside the payload, that could potentially cause some temp drops.