https://community.cisco.com/t5/network-security/asa-dropped-packets/m-p/784552#M981307 <HTML><HEAD></HEAD><BODY><P>tcp-map mss-map</P><P> exceed-mss allow</P><P></P><P>This may be what you're looking for...</P><P></P><P><A class="jive-link-custom" href="http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml" target="_blank">http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml</A></P></BODY></HTML> Wed, 09 May 2007 14:40:32 GMT acomiskey 2007-05-09T14:40:32Z https://community.cisco.com/t5/network-security/asa-dropped-packets/m-p/784547#M981302 <P>How do you troubleshoot drop packets on the asa. What could be the cause?</P><P></P><P>ciscoasa# show interface inside</P><P>Interface GigabitEthernet0/0.100 "inside", is up, line protocol is up</P><P> VLAN identifier 100</P><P> MAC address 0018.73d6.eb96, MTU 1500</P><P> IP address 192.x.x.219, subnet mask 255.255.255.0</P><P> Traffic Statistics for "inside":</P><P> 130368043 packets input, 31024111730 bytes</P><P> 149620357 packets output, 118858910520 bytes</P><P> 14532019 packets dropped</P><P></P> Mon, 11 Mar 2019 10:11:21 GMT https://community.cisco.com/t5/network-security/asa-dropped-packets/m-p/784547#M981302 p-allen 2019-03-11T10:11:21Z https://community.cisco.com/t5/network-security/asa-dropped-packets/m-p/784548#M981303 <HTML><HEAD></HEAD><BODY><P>#show asp drop</P></BODY></HTML> Wed, 09 May 2007 12:43:49 GMT https://community.cisco.com/t5/network-security/asa-dropped-packets/m-p/784548#M981303 acomiskey 2007-05-09T12:43:49Z https://community.cisco.com/t5/network-security/asa-dropped-packets/m-p/784549#M981304 <HTML><HEAD></HEAD><BODY><P>Thanks. What does this tell me might be the issue?</P><P>show asp drop</P><P></P><P>Frame drop:</P><P> Punt rate limit exceeded 33396</P><P> Invalid encapsulation 122</P><P> Invalid TCP Length 1</P><P> Invalid UDP Length 18</P><P> No valid adjacency 33397</P><P> No route to host 28</P><P> Flow is denied by configured rule 2043650</P><P> Flow denied due to resource limitation 1878</P><P> Invalid SPI 65</P><P> NAT-T keepalive message 214</P><P> First TCP packet not SYN 318758</P><P> Bad TCP flags 2</P><P> TCP data exceeded MSS 818</P><P> TCP failed 3 way handshake 15408</P><P> TCP RST/FIN out of order 89306</P><P> TCP SEQ in SYN/SYNACK invalid 5</P><P> TCP SYNACK on established conn 136</P><P> TCP packet SEQ past window 7620</P><P> TCP invalid ACK 11271152</P><P> TCP replicated flow pak drop 546</P><P> TCP Out-of-0rder packet buffer full 93419</P><P> TCP Out-of-Order packet buffer timeout 25409</P><P> TCP RST/SYN in window 1516</P><P> TCP DUP and has been ACKed 1572503</P><P> TCP packet failed PAWS test 380711</P><P> IPSEC tunnel is down 207</P><P> Slowpath security checks failed 1675491</P><P> Dropped by standby unit 2</P><P> Expired flow 54224</P><P> ICMP Error Inspect different embedded conn 7801</P><P> DNS Inspect id not matched 15</P><P> IPS Module requested drop 1</P><P> FP L2 rule drop 465522</P><P> Interface is down 582</P><P></P><P>Flow drop:</P><P> Flow is denied by access rule 192</P><P> Flow terminated by IPS 2</P><P> NAT failed 32356</P><P> NAT reverse path failed 5176</P><P> Need to start IKE negotiation 15932</P><P> Inspection failure 536</P><P></P></BODY></HTML> Wed, 09 May 2007 12:48:19 GMT https://community.cisco.com/t5/network-security/asa-dropped-packets/m-p/784549#M981304 p-allen 2007-05-09T12:48:19Z https://community.cisco.com/t5/network-security/asa-dropped-packets/m-p/784550#M981305 <HTML><HEAD></HEAD><BODY><P>Check Table 25-1 in link below, it explains all values and provides recommendations.</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/s2_711.html#wp1116367" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/s2_711.html#wp1116367</A></P><P></P><P>Please rate these if they help.</P></BODY></HTML> Wed, 09 May 2007 14:06:06 GMT https://community.cisco.com/t5/network-security/asa-dropped-packets/m-p/784550#M981305 acomiskey 2007-05-09T14:06:06Z https://community.cisco.com/t5/network-security/asa-dropped-packets/m-p/784551#M981306 <HTML><HEAD></HEAD><BODY><P>So I am thinking this is what we need to do but I am still unsure of the syntax to add this to the asa</P><P></P><P></P><P>tcp-mss-exceeded </P><P> TCP data exceeded MSS </P><P> This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with a data length greater than the MSS advertised by the peer TCP endpoint. </P><P></P><P>Recommendation: To allow such TCP packets, use the exceed-mss command. </P><P></P><P>System log messages: 4419001 </P><P> </P></BODY></HTML> Wed, 09 May 2007 14:27:58 GMT https://community.cisco.com/t5/network-security/asa-dropped-packets/m-p/784551#M981306 p-allen 2007-05-09T14:27:58Z https://community.cisco.com/t5/network-security/asa-dropped-packets/m-p/784552#M981307 <HTML><HEAD></HEAD><BODY><P>tcp-map mss-map</P><P> exceed-mss allow</P><P></P><P>This may be what you're looking for...</P><P></P><P><A class="jive-link-custom" href="http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml" target="_blank">http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml</A></P></BODY></HTML> Wed, 09 May 2007 14:40:32 GMT https://community.cisco.com/t5/network-security/asa-dropped-packets/m-p/784552#M981307 acomiskey 2007-05-09T14:40:32Z https://community.cisco.com/t5/network-security/asa-dropped-packets/m-p/784553#M981308 <HTML><HEAD></HEAD><BODY><P>the highest counters seem to be coming from tcp-invalid-ack but there is no fix or recommendtion</P><P></P><P></P><P>tcp-invalid-ack </P><P> TCP invalid ACK </P><P> This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with an acknowledgement number greater than the data sent by the peer TCP endpoint. </P><P></P><P>Recommendation: None. </P><P></P><P>System log messages: None. </P><P> </P></BODY></HTML> Wed, 09 May 2007 14:58:54 GMT https://community.cisco.com/t5/network-security/asa-dropped-packets/m-p/784553#M981308 p-allen 2007-05-09T14:58:54Z https://community.cisco.com/t5/network-security/asa-dropped-packets/m-p/784554#M981309 <HTML><HEAD></HEAD><BODY><P>The ASA is doing exactly what it should do with those packets. Packets with invalid ack numbers may come about if a network delivers an old packet or an attacker attempts to hijack a connection</P></BODY></HTML> Wed, 09 May 2007 15:22:44 GMT https://community.cisco.com/t5/network-security/asa-dropped-packets/m-p/784554#M981309 acomiskey 2007-05-09T15:22:44Z https://community.cisco.com/t5/network-security/asa-dropped-packets/m-p/784555#M981310 <HTML><HEAD></HEAD><BODY><P>thanks. just another question. What would cause an old packet being delivered and how would we track down a hijack attemt if that was the case. I know my boss would want to know that information if available.</P></BODY></HTML> Wed, 09 May 2007 16:15:34 GMT https://community.cisco.com/t5/network-security/asa-dropped-packets/m-p/784555#M981310 p-allen 2007-05-09T16:15:34Z https://community.cisco.com/t5/network-security/asa-dropped-packets/m-p/784556#M981311 <HTML><HEAD></HEAD><BODY><P>After looking at your asp drop output, it looks like your running into bug CSCsc16014</P><P></P><P><A class="jive-link-custom" href="http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsc16014" target="_blank">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsc16014</A></P><P></P><P></P><P>Please rate if you are satisfied.</P><P></P><P>Cheers!</P></BODY></HTML> Sun, 13 May 2007 01:29:10 GMT https://community.cisco.com/t5/network-security/asa-dropped-packets/m-p/784556#M981311 joshua.walton 2007-05-13T01:29:10Z