https://community.cisco.com/t5/network-security/firewall-interface-traffic-statistics/m-p/1205670#M841075 <P>More of a sanity check question than anything else:</P><P></P><P>Does the "packets dropped" counter on an ASA firewall interface include just interface drops or does it include ACL rule drops in the count?</P><P></P><P>Ex: Traffic Statistics for "int foo":</P><P> 576675535 packets input, 128101040719 bytes</P><P> 731241996 packets output, 636870913964 bytes</P><P> 22115790 packets dropped</P> Mon, 11 Mar 2019 15:32:53 GMT haxworthy 2019-03-11T15:32:53Z https://community.cisco.com/t5/network-security/firewall-interface-traffic-statistics/m-p/1205670#M841075 <P>More of a sanity check question than anything else:</P><P></P><P>Does the "packets dropped" counter on an ASA firewall interface include just interface drops or does it include ACL rule drops in the count?</P><P></P><P>Ex: Traffic Statistics for "int foo":</P><P> 576675535 packets input, 128101040719 bytes</P><P> 731241996 packets output, 636870913964 bytes</P><P> 22115790 packets dropped</P> Mon, 11 Mar 2019 15:32:53 GMT https://community.cisco.com/t5/network-security/firewall-interface-traffic-statistics/m-p/1205670#M841075 haxworthy 2019-03-11T15:32:53Z https://community.cisco.com/t5/network-security/firewall-interface-traffic-statistics/m-p/1205671#M841076 <HTML><HEAD></HEAD><BODY><P>Good question! According to the documentation,</P><P></P><P><I>Typically this counter increments for packets dropped on the accelerated security path (ASP), for example, if a packet is dropped due to an access list deny.</I></P><P></P><P>See the show asp drop command for reasons for potential drops on an interface. </P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/s3.html#wp1421795" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/s3.html#wp1421795</A></P></BODY></HTML> Fri, 15 May 2009 15:37:15 GMT https://community.cisco.com/t5/network-security/firewall-interface-traffic-statistics/m-p/1205671#M841076 Collin Clark 2009-05-15T15:37:15Z https://community.cisco.com/t5/network-security/firewall-interface-traffic-statistics/m-p/1205672#M841077 <HTML><HEAD></HEAD><BODY><P>Check out that <B>show asp drop</B> command!</P><P></P><P><CODE><FONT size="2">sh asp drop</FONT></CODE></P><P></P><P>Frame drop:</P><P> Invalid encapsulation (invalid-encap) 8</P><P> Invalid TCP Length (invalid-tcp-hdr-length) 13</P><P> Invalid UDP Length (invalid-udp-length) 3</P><P> No valid adjacency (no-adjacency) 432</P><P> No route to host (no-route) 854</P><P> Flow is denied by configured rule (acl-drop) 5917343</P><P> Flow denied due to resource limitation (unable-to-create-flow) 3717</P><P> Invalid SPI (np-sp-invalid-spi) 827</P><P> NAT-T keepalive message (natt-keepalive) 738148</P><P> First TCP packet not SYN (tcp-not-syn) 466773</P><P> Bad TCP flags (bad-tcp-flags) 204</P><P> TCP Dual open denied (tcp-dual-open) 3</P><P> TCP failed 3 way handshake (tcp-3whs-failed) 6351</P><P> TCP RST/FIN out of order (tcp-rstfin-ooo) 13965</P><P> TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 963</P><P> TCP SYNACK on established conn (tcp-synack-ooo) 375</P><P> TCP packet SEQ past window (tcp-seq-past-win) 10975</P><P> TCP invalid ACK (tcp-invalid-ack) 1580</P><P> TCP ACK in 3 way handshake invalid (tcp-discarded-ooo) 107</P><P> TCP Out-of-Order packet buffer full (tcp-buffer-full) 438460</P><P> TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 318081</P><P> TCP RST/SYN in window (tcp-rst-syn-in-win) 8434</P><P> TCP packet failed PAWS test (tcp-paws-fail) 4202</P><P> IPSEC tunnel is down (ipsec-tun-down) 1789</P><P> Early security checks failed (security-failed) 182</P><P> Slowpath security checks failed (sp-security-failed) 38761</P><P> IP option drop (invalid-ip-option) 118</P><P> Expired flow (flow-expired) 4691</P><P> ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn) 10</P><P> DNS Inspect invalid packet (inspect-dns-invalid-pak) 12</P><P> DNS Inspect id not matched (inspect-dns-id-not-matched) 3306</P><P> FP L2 rule drop (l2_acl) 52939</P><P> Interface is down (interface-down) 3</P><P> Dropped pending packets in a closed socket (np-socket-closed) 24834</P><P> SVC Module does not have a session (mp-svc-no-session) 79</P><P></P><P>Last clearing: Never</P><P></P><P>Flow drop:</P><P> Need to start IKE negotiation (need-ike) 98</P><P> Inspection failure (inspect-fail) 120188</P><P> SSL received close alert (ssl-received-close-alert) 6</P><P></P><P>Last clearing: Never </P></BODY></HTML> Fri, 15 May 2009 15:40:24 GMT https://community.cisco.com/t5/network-security/firewall-interface-traffic-statistics/m-p/1205672#M841077 Collin Clark 2009-05-15T15:40:24Z