ASA dropping packets

mahesh18
Level 6

Hi all,

I see this in the ASA logs:

ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 22 per second, max configured rate is 5; Cumulative total count is 13472

After this I did sh asp drop and then clear asp drops:

    sh asp drop

Frame drop:
  Flow is denied by configured rule (acl-drop)                              8295
  First TCP packet not SYN (tcp-not-syn)                                     165
  TCP failed 3 way handshake (tcp-3whs-failed)                                 4
  TCP RST/FIN out of order (tcp-rstfin-ooo)                                  140
  TCP packet SEQ past window (tcp-seq-past-win)                              101
  TCP Out-of-Order packet buffer full (tcp-buffer-full)                       48
  TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout)                  7
  TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue)                  77
  TCP packet failed PAWS test (tcp-paws-fail)                                 21

Last clearing: 20:46:35 UTC Nov 26 2012 by cc4708n

Flow drop:
  Flow is denied by access rule (acl-drop)                                   168
  NAT reverse path failed (nat-rpf-failed)                                    44

Here it shows frames dropped due to ACL.

Is there any way I can see which ACL this is and whether it is inbound or outbound?

Thanks

mahesh


7 Replies

cadet alain
VIP Alumni

Hi,

sh access-list should give you the hit counts.

Regards.

Alain

Don't forget to rate helpful posts.

Hi Alain,

I did sh access-list.

It shows me quite a few hit counts.

Should I look for a hit count with the exact number, like 8295,

or do I have to find all hit counts and see whether the sum matches the current ASP drop?

Thanks

Mahesh

Hi,

I took a closer look at the doc concerning asp drop and it can be lots of stuff, so I don't think that the show access-list will be enough to troubleshoot the issue. I'll leave the firewall experts to help you.

Regards.

Alain

Don't forget to rate helpful posts.

julomban
Level 3

Hello Mahesh,

Well, the log you are seeing is related to the threat detection feature with scanning enabled.

Threat detection basically collects information such as access list, ports, protocol, etc. and creates a “database”. The log just indicates that the burst threshold rate or average threshold rate has been exceeded.

Now, the show asp drop command shows the packets or connections dropped by the ASA, and the “flow is denied by configured rule (acl-drop)” counter is incremented when a drop rule is hit by the packet and it gets dropped (99% by implicit deny on the outside interface), when an acl is applied to an interface or any other feature etc. Apart from default rule drops, a packet could be dropped because of:

ACL configured on an interface

ACL configured for AAA and AAA denied the user

Thru-box traffic arriving at management-only ifc

Unencrypted traffic arriving on a ipsec-enabled interface

If you want to look at which ACL is dropping packets, there is no detailed information in the asp drop output; most likely it’s going to generate 106023, 106100, 106004 if one of the ACLs listed below is fired.

I hope it helps.

Juan Lombana

Please rate helpful posts.
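Juan's point above is that the asp drop counter is only a total, and the ACL name shows up in the 106023/106100 syslogs instead. As an added illustration (not code from the thread or from Cisco), this Python script parses the show asp drop output Mahesh posted into per-section counters and tallies denies per ACL name and arriving interface from constructed 106023 and 106100 lines; the ACL names and addresses in those lines are made up.

```python
import re
from collections import Counter

# "show asp drop" output as posted in the thread (abridged).
ASP_DROP = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                              8295
  First TCP packet not SYN (tcp-not-syn)                                     165
Last clearing: 20:46:35 UTC Nov 26 2012 by cc4708n
Flow drop:
  Flow is denied by access rule (acl-drop)                                   168
  NAT reverse path failed (nat-rpf-failed)                                    44
"""

# Constructed syslog lines in the 106023 and 106100 formats (ACL names/addresses are made up).
SYSLOG = """\
%ASA-4-106023: Deny tcp src outside:198.51.100.7/41022 dst inside:10.0.0.5/445 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:198.51.100.9/5353 dst inside:10.0.0.5/5353 by access-group "outside_access_in" [0x0, 0x0]
%ASA-6-106100: access-list inside_access_in denied tcp inside/10.0.0.8(50122) -> outside/203.0.113.2(23) hit-cnt 1 first hit [0x0, 0x0]
%ASA-6-106100: access-list inside_access_in permitted tcp inside/10.0.0.8(50123) -> outside/203.0.113.2(443) hit-cnt 1 first hit [0x0, 0x0]
"""

COUNTER_RE = re.compile(r"^\s+(.+?) \(([\w-]+)\)\s+(\d+)\s*$")
DENY_106023 = re.compile(r'106023: Deny (\w+) src ([^:]+):\S+ dst ([^:]+):\S+ by access-group "([^"]+)"')
HIT_106100 = re.compile(r"106100: access-list (\S+) (permitted|denied|est-allowed) (\w+) ([^/]+)/\S+ -> ([^/]+)/\S+")

def parse_asp_drop(text):
    """Return {section: {reason_tag: count}} from 'show asp drop' output."""
    sections, current = {}, None
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if line.endswith("drop:"):          # "Frame drop:" / "Flow drop:" section headers
            current = line[:-1]
            sections[current] = {}
        elif m and current:                 # counter line inside the current section
            sections[current][m.group(2)] = int(m.group(3))
    return sections

def acl_deny_summary(text):
    """Count denies per (ACL name, interface the packet arrived on) from 106023/106100 lines."""
    hits = Counter()
    for line in text.splitlines():
        d, h = DENY_106023.search(line), HIT_106100.search(line)
        if d:                               # 106023: src side names the arriving interface
            hits[(d.group(4), d.group(2))] += 1
        elif h and h.group(2) == "denied":  # 106100: only count denies, not permits
            hits[(h.group(1), h.group(4))] += 1
    return hits
```

Running acl_deny_summary over a day of exported syslog gives the per-ACL deny counts that the acl-drop total alone cannot, so the 8295 need not be matched against any single access-list hit count.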

Hi Juan,

Thanks  for reply.

So these are just  informational messages?

They have no impact on the performance of ASA ?

Is there way  i can get rid of these logs?

Thanks

Mahesh

Mahesh,

Correct, they do not impact the ASA performance. You can stop the log from being generated, so you won’t see it on the syslog server or ASDM. You can run the following command:

no logging message 733100

At the beginning of the syslog you can see the ID:

ASA-4-733100:

I hope it helps

Juan Lombana

Please rate helpful posts.

Many thanks Alain & Juan

Regards

Mahesh
