09-05-2012 09:06 AM - edited 03-11-2019 04:50 PM
I have a 5510 FW in multi-context mode that is showing a high drop count on the Management interface in the Admin context, as shown below:
MAN1-5510-1/admin# sh int
Interface Management0/0 "", is up, line protocol is up
# Attention: This interface is located in a PCI-e x0 slot. For #
# optimal throughput, install the interface in a PCI-e x11 slot #
# if one is available. Refer to 'show controller slot'. #
Available but not configured via nameif
Interface Management0/0.2 "ESMGMT", is up, line protocol is up
# Attention: This interface is located in a PCI-e x0 slot. For #
# optimal throughput, install the interface in a PCI-e x11 slot #
# if one is available. Refer to 'show controller slot'. #
MAC address 1200.0002.0100, MTU 1500
IP address 57.31.207.182, subnet mask 255.255.255.224
Traffic Statistics for "ESMGMT":
32554 packets input, 1720860 bytes
10303 packets output, 820936 bytes
24408 packets dropped
The software version is 8.2.5. The interface is set to 100/full, there are no frame errors (e.g., CRC) when I do "sh int" in System space, and there is little traffic on the LAN. Here is the interface config in Admin context:
interface Management0/0.2
nameif ESMGMT
security-level 100
ip address 57.31.207.182 255.255.255.224 standby 57.31.207.183
management-only
When I do a capture of this interface, I get the following:
1: 13:56:05.128136 802.1Q vlan#2 P0 57.31.207.162.1985 > 224.0.0.2.1985: udp 20 Drop-reason: (acl-drop) Flow is denied by configured rule
2: 13:56:06.181265 802.1Q vlan#2 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
3: 13:56:06.764837 802.1Q vlan#2 P0 57.31.207.163.1985 > 224.0.0.2.1985: udp 20 Drop-reason: (acl-drop) Flow is denied by configured rule
4: 13:56:08.129311 802.1Q vlan#2 P0 57.31.207.162.1985 > 224.0.0.2.1985: udp 20 Drop-reason: (acl-drop) Flow is denied by configured rule
5: 13:56:08.194981 802.1Q vlan#2 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
6: 13:56:09.765524 802.1Q vlan#2 P0 57.31.207.163.1985 > 224.0.0.2.1985: udp 20 Drop-reason: (acl-drop) Flow is denied by configured rule
7: 13:56:10.208714 802.1Q vlan#2 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
Yet there are no L2 or L3 ACLs configured on the FW. In the above it appears that the FW is receiving and processing multicast packets like HSRP, and therefore drops them. But in my lab, I have the same setup and I do not see a high drop count nor do the HSRP packets appear in the captures.
Does anyone know what's going on here? Is it possible that the interface is set to promiscuous mode and is there a way to disable this?
09-09-2012 05:43 AM
In your case, I think what you do see is very normal. That counter includes everything that is dropped by the ASA on that interface, such as:
L2 broadcasts
packets that are not destined to the ASA (multicast).
Looks like you have an HSRP setup that is in the same layer 2 segment for the management interface.
HTH.
Mohammad.
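Added example, not from the original posts and not a Cisco tool: a small Python triage script that parses capture lines in the form quoted above (with the Drop-reason suffix) together with the "Traffic Statistics" block from show interface, and splits the drop counter into traffic that was never addressed to the ASA (HSRP hellos to 224.0.0.2 UDP/1985, L2-only frames) versus dropped unicast flows that would deserve a closer look. The sample input is constructed from the lines posted in the thread; the regular expressions, field names and classification labels are my own assumptions about the output format.

```python
import re
from collections import Counter

# Constructed sample input in the format of the ASA capture lines quoted in the thread
# (addresses and timestamps as posted there; not output from a live device).
SAMPLE_CAPTURE = """\
1: 13:56:05.128136 802.1Q vlan#2 P0 57.31.207.162.1985 > 224.0.0.2.1985: udp 20 Drop-reason: (acl-drop) Flow is denied by configured rule
2: 13:56:06.181265 802.1Q vlan#2 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
3: 13:56:06.764837 802.1Q vlan#2 P0 57.31.207.163.1985 > 224.0.0.2.1985: udp 20 Drop-reason: (acl-drop) Flow is denied by configured rule
4: 13:56:08.129311 802.1Q vlan#2 P0 57.31.207.162.1985 > 224.0.0.2.1985: udp 20 Drop-reason: (acl-drop) Flow is denied by configured rule
5: 13:56:08.194981 802.1Q vlan#2 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
6: 13:56:09.765524 802.1Q vlan#2 P0 57.31.207.163.1985 > 224.0.0.2.1985: udp 20 Drop-reason: (acl-drop) Flow is denied by configured rule
7: 13:56:10.208714 802.1Q vlan#2 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
"""

# Constructed sample of the "Traffic Statistics" block from "show interface", as posted.
SAMPLE_SHOW_INT = """\
Traffic Statistics for "ESMGMT":
32554 packets input, 1720860 bytes
10303 packets output, 820936 bytes
24408 packets dropped
"""

# Assumed line layout: "<n>: <hh:mm:ss.usec> [802.1Q vlan#<id> P<prio>] <body> [Drop-reason: (<code>) <text>]"
CAPTURE_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:802\.1Q vlan#(?P<vlan>\d+)\s+P(?P<prio>\d)\s+)?"
    r"(?P<body>.*?)"
    r"(?:\s+Drop-reason:\s+\((?P<reason>[^)]+)\)\s*(?P<detail>.*))?$"
)
# Assumed flow layout inside the body: "<src>.<sport> > <dst>.<dport>: <proto> ..."
FLOW_RE = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<proto>\w+)"
)


def is_multicast(ip):
    """True for IPv4 addresses in 224.0.0.0/4."""
    return 224 <= int(ip.split(".")[0]) <= 239


def parse_capture(text):
    """Turn capture lines into dicts; lines that do not match the assumed layout are skipped."""
    records = []
    for line in text.splitlines():
        m = CAPTURE_RE.match(line)
        if not m:
            continue
        rec = {"num": int(m.group("num")), "vlan": m.group("vlan"), "reason": m.group("reason"),
               "src": None, "dst": None, "dport": None, "proto": None, "l2_only": False}
        flow = FLOW_RE.match(m.group("body"))
        if flow:
            rec.update(src=flow.group("src"), dst=flow.group("dst"),
                       dport=int(flow.group("dport")), proto=flow.group("proto"))
        else:
            rec["l2_only"] = True  # no IP header decoded, e.g. "802.3 encap packet"
        records.append(rec)
    return records


def classify(rec):
    """Bucket a record by whether the drop is expected background noise or worth investigating."""
    if rec["reason"] is None:
        return "forwarded"
    if rec["l2_only"]:
        return "l2_noise"
    if is_multicast(rec["dst"]) or rec["dst"] == "255.255.255.255":
        return "not_addressed_to_asa"  # subnet-directed broadcasts need the mask; not handled here
    return "unicast_dropped"


def summarize(records):
    classes = Counter(classify(r) for r in records)
    reasons = Counter(r["reason"] for r in records if r["reason"])
    # HSRPv1 hellos go to 224.0.0.2 UDP/1985; each source is a router speaking HSRP on this segment.
    hsrp = Counter(r["src"] for r in records
                   if r["dst"] == "224.0.0.2" and r["dport"] == 1985 and r["proto"] == "udp")
    return {"classes": dict(classes), "reasons": dict(reasons),
            "hsrp_speakers": dict(hsrp), "needs_investigation": classes["unicast_dropped"]}


def parse_traffic_stats(text):
    """Pull the packet counters out of a 'Traffic Statistics' block and compute the drop ratio."""
    stats = {}
    for key, pat in (("input", r"(\d+) packets input"), ("output", r"(\d+) packets output"),
                     ("dropped", r"(\d+) packets dropped")):
        m = re.search(pat, text)
        stats[key] = int(m.group(1)) if m else 0
    stats["drop_ratio"] = stats["dropped"] / stats["input"] if stats["input"] else 0.0
    return stats


if __name__ == "__main__":
    print(summarize(parse_capture(SAMPLE_CAPTURE)))
    print(parse_traffic_stats(SAMPLE_SHOW_INT))
```

On the posted sample every dropped packet lands in the "not addressed to the ASA" or "L2 noise" buckets, with two HSRP speakers (57.31.207.162 and .163) producing the acl-drop entries, which is the picture the answer above describes; a non-zero "needs_investigation" count on a real capture is the signal that something other than segment chatter is being dropped on the management subinterface.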