topic ASA dropping packets in Network Security

ASA dropping packets

mahesh18 — Tue, 12 Mar 2019 00:28:14 GMT

Hi all,

I see this in ASA logs

ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 22 per second, max configured rate is 5; Cumulative total count is 13472

after this i did sh asp drop and then clear asp drops

sh asp drop

Frame drop:
Flow is denied by configured rule (acl-drop)                              8295
First TCP packet not SYN (tcp-not-syn)                                     165
TCP failed 3 way handshake (tcp-3whs-failed)                                 4
TCP RST/FIN out of order (tcp-rstfin-ooo)                                  140
TCP packet SEQ past window (tcp-seq-past-win)                              101
TCP Out-of-Order packet buffer full (tcp-buffer-full)                       48
TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout)                  7
TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue)                  77
TCP packet failed PAWS test (tcp-paws-fail)                                 21

Last clearing: 20:46:35 UTC Nov 26 2012 by cc4708n

Flow drop:
Flow is denied by access rule (acl-drop) 168
NAT reverse path failed (nat-rpf-failed) 44

Here it shows frames drop due to ACL .

is there any may i can see which ACL is this and whether it is inbound or outbound?

Thanks

mahesh

ASA dropping packets

cadet alain — Tue, 27 Nov 2012 08:44:35 GMT

Hi,

sh access-list should give you the hit counts.

Regards.

Alain

Don't forget to rate helpful posts.

ASA dropping packets

mahesh18 — Tue, 27 Nov 2012 15:58:50 GMT

Hi Alain,

I did sh access-list.

It shows me quite a few hit counts.

Should i look for hit count with exact number like 8295

or does i have to find all hit counts and see that sum matches with current ASP drop?

Thanks

MAhesh

ASA dropping packets

cadet alain — Tue, 27 Nov 2012 18:07:09 GMT

Hi,

I took a closer lokk at the doc concerning asp drop and it can be lots of stuff so I don't think that the show access-list will be enough to troubleshoot the issue, I'll leave firewall experts help you.

Regards.

Alain

Don't forget to rate helpful posts.

ASA dropping packets

julomban — Tue, 27 Nov 2012 19:02:35 GMT

Hello Mahesh,

Well the log you are seeing is related to threat detection feature with scanning enable.

Threat detection basically collects information such as access list, ports, protocol, etc and creates a “database”. The log just indicates the burst threshold rate or average threshold rate has exceeded.

now, the show asp drop command shows the packets or connections dropped by the ASA and the “flow is denied by configured rule (acl-drop)” counter is incremented when a drop rule is hit by the packet and gets dropped (99% by implicit deny on the outside interface), when an acl is applied to interface or any other feature etc. Apart from default rule drops, a packet could be dropped because of:

ACL configured on an interface

ACL configured for AAA and AAA denied the user

Thru-box traffic arriving at management-only ifc

Unencrypted traffic arriving on a ipsec-enabled interface

If you want to look at which ACL is dropping packets there is no detailed information on the asp drop output, most likely it’s going to generate 106023, 106100, 106004 if one of ACLs listed below are fired.

I hope it helps.

Juan Lombana

Please rate helpful posts.

ASA dropping packets

mahesh18 — Wed, 28 Nov 2012 19:46:07 GMT

Hi Juan,

Thanks for reply.

So these are just informational messages?

They have no impact on the performance of ASA ?

Is there way i can get rid of these logs?

Thanks

Mahesh

ASA dropping packets

julomban — Wed, 28 Nov 2012 20:29:58 GMT

Mahesh,

Correct, they do not impact on the ASA performance. You can stop the log from been generated, so you won’t see it on the syslog server or ASDM. You can run the following command:

no logging message 733100

At the beginning of the syslog you can see the ID:

ASA-4-733100:

I hope it helps

Juan Lombana

Please rate helpful posts.

ASA dropping packets

mahesh18 — Wed, 28 Nov 2012 22:00:30 GMT

Many thanks Alain & Juan

Regards

Mahesh