topic Re: Packet Drops after Implemention of FWSM ..? in Network Security

Packet Drops after Implemention of FWSM ..?

manik.palekar — Mon, 11 Mar 2019 13:45:17 GMT

Hi guys ,

I am facing some packet drops in LAN after implementation of FWSM context .Please let me know is there any configuration need to be done to avoid this ?

Please suggest ..thanks in advance

Re: Packet Drops after Implemention of FWSM ..?

felixjai — Wed, 17 Sep 2008 15:32:19 GMT

You need to find out what is being dropped. Is it really the FWSM or somewhere else dropping the packets. If your environment didn't have firewall before, and you are introducing FWSM to it. Some applications might not be firewall-friendly, such as in-house built software. If you want to find out if your FWSM is dropping the packets, do "show asp drop" from the CLI. And use "capture capture_name type asp-drop" to capture any dropped packets.

Re: Packet Drops after Implemention of FWSM ..?

manik.palekar — Thu, 18 Sep 2008 08:49:49 GMT

Thx frd...Here is the output

FWSM/Infra# sh capture noc

0 packet seen, 0 captured

0 packet shown

FWSMPRI/Infra# sh asp drop

Frame drop:

No route to host 85151

Bad TCP flags 22

TCP failed 3 way handshake 7

TCP RST/FIN out of order 258

TCP packet SEQ past window 1625

TCP invalid ACK 7866937105

TCP packet buffer full 64556

TCP DUP and has been ACKed 548228

TCP packet failed PAWS test 414366

Packet hit an invalid connection 105

Invalid connection address in delete indication 2783892

Flow drop:

I have not observed any drops in capture

Re: Packet Drops after Implemention of FWSM ..?

manik.palekar — Thu, 18 Sep 2008 08:51:33 GMT

M getting below respose intermittently,Please let me know what could be issue...Thanks

Reply from 172.17.117.24: bytes=32 time<1ms TTL=126

Reply from 172.17.10.25: Destination host unreachable.

Reply from 172.17.117.24: bytes=32 time=1ms TTL=126

Reply from 172.17.117.24: bytes=32 time<1ms TTL=126

Re: Packet Drops after Implemention of FWSM ..?

Farrukh Haroon — Thu, 18 Sep 2008 08:53:05 GMT

Is it random packets or ALL packets going to a VLAN? The FWSM needs an ACL to pass traffic even on highest security level (100) interfaces. This is different from PIX/ASA. If its random you already got the answer from the orignal responder (show asp drop etc.)

Also check the syslogs for any deny/discards/drops etc.

Regards

Farrukh

Re: Packet Drops after Implemention of FWSM ..?

manik.palekar — Thu, 18 Sep 2008 09:31:04 GMT

This is an intial setup ,& I have given full access from outside to inside & vice-versa.

Re: Packet Drops after Implemention of FWSM ..?

robertson.michael — Thu, 18 Sep 2008 13:13:18 GMT

Hi Manik,

I would recommend that you start by setting up a SPAN session for both VLANs on either side of the FWSM. Depending on what version of FWSM code you are running (and this would be helpful to know as well), captures taken directly on the firewall can be unreliable. The SPAN captures will give you a fairly good indication of what is going on and how the FWSM is affecting the traffic flow, or at least where to start your troubleshooting.

-Mike