topic Sh asp drop output. in Network Security

Sh asp drop output.

bryanrobh — Tue, 12 Mar 2019 03:29:05 GMT

I am new to the world of ASA's and I am trying to figure out when I do a sh asp drop I get this output

Frame drop:
Invalid UDP Length (invalid-udp-length)                                      1
Flow is denied by configured rule (acl-drop)                             40954
Flow denied due to resource limitation (unable-to-create-flow)              27
Invalid SPI (np-sp-invalid-spi)                                              1
First TCP packet not SYN (tcp-not-syn)                                       4
TCP failed 3 way handshake (tcp-3whs-failed)                               360
IPSEC tunnel is down (ipsec-tun-down)                                        4
Slowpath security checks failed (sp-security-failed)                     33585
Interface is down (interface-down)                                           2
Non-IP packet received in routed mode (non-ip-pkt-in-routed-mode)            1

Last clearing: Never

Flow drop:
Need to start IKE negotiation (need-ike) 680

I am trying to figure out what frames were dropped due to ACL's the biggest number up there?

Re: Sh asp drop output.

Julio Carvajal — Mon, 13 Jan 2014 18:33:58 GMT

Hello Bryan,

Remember that there is a default deny ip any any at the bootom of each ACL so it's expected to see a LOT of ACL drops even more if the ASA sits on the edge of the network so no need to worry about it.

That being said if you want to see that you could enable logging on the FW and then look for the Message ID

106023.

Remember to add the keyword log to the implicit deny at the end of each ACL as it does not log anything by default

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.co

Sh asp drop output.

Jouni Forss — Mon, 13 Jan 2014 18:34:26 GMT

Hi,

I can't give you an 100% answer but to my understanding in the following conditions atleast the counter above increases

Traffic dropped by "security-level" check when not using ACLs on the interface (traffic from lower to higher denied)
Traffic is dropped by interface "access-list" attached with "access-group" command
Traffic is dropped by having the interfaces "security-level" equal and have not used "same-security-traffic " to enable it. (Even if ACLs are configured you will need this

As I said I can't say this for 100% certainty but the above situation sure do end with a ACL drop when you are testing with "packet-tracer". Unless I have remembered something wrong.

I'd assume that most of these ACL drop result in traffic hitting your ASAs external interface connected to Internet. There is usually constant scanning traffic day by day that increases the counter.

- Jouni

Re: Sh asp drop output.

bryanrobh — Mon, 13 Jan 2014 18:47:09 GMT

I added the log keyword on to the ACL line that I want to verify the traffic is passing from. I am just trying to make sure traffic from a specific IP is getting through.

Re: Sh asp drop output.

Julio Carvajal — Mon, 13 Jan 2014 18:51:21 GMT

Hello Bryan,

You could do

show logging | include x.x.x.x (IP address of the Host)

Or even better and more Advanced

cap asp type asp-drop all circular-buffer

Then try to connect via the host that you want to test if it's allowed through the firewall

and then

show cap asp | include x.x.x.x (IP of the host)

If you see any output there then those packets shown in the capture are being dropped by the ASA.

If u do not see any FW is letting that traffic to go through

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Sh asp drop output.

bryanrobh — Mon, 13 Jan 2014 18:57:39 GMT

Thanks for this command I will try it out now. This should have no effects on my traffic or slow it down correct?

Sh asp drop output.

Julio Carvajal — Mon, 13 Jan 2014 19:00:29 GMT

Hello,

It wil capture a bunch of traffic but no, I have not see it cause any issues in my entire TAC experience so no worries.

After the test do:

no cap asp

That's all and by the way Bryan Remember to rate all of the helpful posts such as the ones I provided in this posts

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com