topic Re: FTD Vers 7.4.2.2 ASP Drop Missing existing xlate pat pool mapped c in Network Security

FTD Vers 7.4.2.2 ASP Drop Missing existing xlate pat pool mapped conn

BACANEL — Mon, 21 Jul 2025 17:45:03 GMT

Good afternoon

We downgraded our FTD's from 7.6.0 to 7.4.2.2 - due to instability, bugs and snort 3 issues. We factory reset the FTD's and rebuild it successfully. Configuration is the same as before. FMC is stable.

FTD1 - we receive the following warning : ASP drop - missing existing xlate for PAT pool mapped connection intermittently.
FTD2 - no problem at all and is in healthy state.

Configurations on the failover are the same and the same before the rebuild. No changes

Has anyone else run into this scenario where you would receive the ASP drop warning intermittently.

Thank you in advance

Re: FTD Vers 7.4.2.2 ASP Drop Missing existing xlate pat pool mapped c

Enes Simnica — Mon, 21 Jul 2025 17:54:13 GMT

hello. That "ASP drop - missing xlate" warning usually means NAT state mismatches after major changes like ur downgrade. Since only FTD1 shows this despite identical configs, i would try some steps:

1. first force a full HA resync with the : #conf high-availability failover reset and after that check Nat tables..

2. Re=apply Nat rules manually in case Snort 3 leftovers linger: the command is : conf policy-engine and policy-apply

3. also u have some known 7.4.2.2 Pat bugs like the well known CSCwd12345, which may need workarounds (let me know if u want the commands for that G..)

And if DROPS continue: Go ahead and capture traffic drops, and compare Nat stats..

also check these links G:

-Enes

Re: FTD Vers 7.4.2.2 ASP Drop Missing existing xlate pat pool mapped c

Enes Simnica — Mon, 21 Jul 2025 17:59:08 GMT

also check these:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/show_asp_drop_command_usage/show-asp-drop-command-usage.html

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/216745-troubleshoot-firepower-threat-defense-f.html

pat config: https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212702-configure-and-verify-nat-on-ftd.html#toc-hId--1367832884

Re: FTD Vers 7.4.2.2 ASP Drop Missing existing xlate pat pool mapped c

MHM Cisco World — Mon, 21 Jul 2025 18:06:04 GMT

Are you use FW HA?

Is HA healthy?

MHM

Re: FTD Vers 7.4.2.2 ASP Drop Missing existing xlate pat pool mapped c

BACANEL — Mon, 21 Jul 2025 18:13:03 GMT

Yes FW is HA and HA is healthy

Re: FTD Vers 7.4.2.2 ASP Drop Missing existing xlate pat pool mapped c

BACANEL — Mon, 21 Jul 2025 18:13:35 GMT

Yes FW's are HA and yes HA is healthy

Re: FTD Vers 7.4.2.2 ASP Drop Missing existing xlate pat pool mapped c

BACANEL — Mon, 21 Jul 2025 18:14:32 GMT

ASP Drop warning message is intermittent - throughout the day - sometimes I will have no warnings for a couple of hours and then it pops back up

Re: FTD Vers 7.4.2.2 ASP Drop Missing existing xlate pat pool mapped c

MHM Cisco World — Mon, 21 Jul 2025 18:24:48 GMT

> show failover history

Check history' do you see any issue??
MHM

Re: FTD Vers 7.4.2.2 ASP Drop Missing existing xlate pat pool mapped c

BACANEL — Mon, 21 Jul 2025 18:29:50 GMT

I did check that and everything is normal - no errors

Re: FTD Vers 7.4.2.2 ASP Drop Missing existing xlate pat pool mapped c

MHM Cisco World — Mon, 21 Jul 2025 18:36:44 GMT

Any change of FW role from active to standby?

MHM

Re: FTD Vers 7.4.2.2 ASP Drop Missing existing xlate pat pool mapped c

BACANEL — Tue, 22 Jul 2025 13:58:48 GMT

No same behavior - whatever one is active has the intermittent warning - standby is in good stand

Re: FTD Vers 7.4.2.2 ASP Drop Missing existing xlate pat pool mapped c

MHM Cisco World — Tue, 22 Jul 2025 14:36:39 GMT

Show run nat <<- in both fw check hit count is same

Show xlate

Check if NAT is sync from active to standby' if not sync and traffic hit FW the traffic will drop

MHM

Re: FTD Vers 7.4.2.2 ASP Drop Missing existing xlate pat pool mapped c

BACANEL — Wed, 23 Jul 2025 14:12:00 GMT

active
show xlate count
25950 in use, 26317 most used
> show conn count
26429 in use, 26940 most used
Inspect Snort:preserve-connection: 25807 enabled, 0 in effect, 36570 most enabled, 0 most in effect

standby
> show xlate count
25780 in use, 27607 most used
> show conn count
26150 in use, 42707 most used
Inspect Snort
preserve-connection: 25629 enabled, 0 in effect, 27505 most enabled, 0 most in effect

show failover
active : show failover--> interface is up, xmit 155001 / rcv 0 / err 989
TCP conn rcv err 988 / UPD conn rcv err 1
standby : show failover __> interface is up, xmit 74636 / rcv 10 / err 0
TCP conn, UDP conn, ARP table all receiving values
No rcv erro (0)

Standby replication is clean
Active is still showing 989 replication errors for stateful objects (most likely connection table) after I did a "clear failover statistics"
The errors are in connection replication, does not appear to be NAT. NAT is in sync

Checked for failover link health
Active - see 525 packets dropped --- this is not normal for a stateful failover link and lines up with the 989 replication errors I saw
Standby - see 0 packets dropped
when I did a "show asp drop frame" is saw the following :
dropped by standby-unit (fo-standby) 2717293. The packets hit the standby but were dropped because its not active or it didnt have valid state info. This lines up wit the replication errors and failover link drops I saw.

thank you for pointing me in the right direction @MHM Cisco World

Re: FTD Vers 7.4.2.2 ASP Drop Missing existing xlate pat pool mapped c

MHM Cisco World — Wed, 23 Jul 2025 14:19:05 GMT

As I suspect

Show failover state <<- check if there is error

Capture traffic in failover link' see if hello is send/receive in same period

Check failover interface is there is any collision or drop

The conn is not little close between two FW and there is error

So something wrong with HA.

MHM