Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1399
Views
0
Helpful
5
Replies

ASA ASP Drops

vishaw jasrotia
Level 1
Level 1

‎03-25-2020 02:41 AM

Hi,


In my setup I am using


>capture cap type asp-drop all buffer <> match tcp host x.x.x.x host y.y.y.y eq 443

 

to find the ASP drops specific to matched IP.

But Still capture showing me all asp capture. Please check if this command is ok or I need to add any thing else.

My Requirement is to see the asp drop for the specific IPs.


Thanks

.

0 Helpful
5 Replies 5

Cristian Matei
VIP Alumni
VIP Alumni

‎03-25-2020 03:48 AM

Hi,

 

    Per the config, you should capture all packets dropped because of ASP-DROP (regardless of the reason), only for traffic between x.x.x. and y.y.y.y. Still try using the following instead: "capture cap type asp-drop all buffer <> match ip host x.x.x.x host y.y.y.y".  If it doesn't work, upgrade to a more stable ASA version, like  9.8.4 or 9.12.3.

 

Regards,

Cristian Matei.

0 Helpful

vishaw jasrotia
Level 1
Level 1
In response to Cristian Matei

‎03-25-2020 04:39 AM

Thanks Cristian for your reply.

 

Yes we are using 9.5 and this wont work here. But I found the the required log.

 

One More clarity required from you. I want to check crypto free and used memory in my ASA. I am not able to find the command  to check that.  if possible please help me in this regard.

0 Helpful

Cristian Matei
VIP Alumni
VIP Alumni
In response to vishaw jasrotia

‎03-25-2020 07:30 AM

Hi,

 

    I'm not aware of an exact command to show you the memory/CPU impact for crypto-traffic. The only useful one  can think of is "show memory webvpn".

 

Regards,

Cristian Matei.

0 Helpful

vishaw jasrotia
Level 1
Level 1
In response to Cristian Matei

‎03-25-2020 09:37 PM

Hi Cristian

 

here's  my requirement.

 

! am facing some VPM(ssl/tls) connection failure issue. I want to debug the memory status of the ASA. Please help me in finding the command to get crypto free and used memory stats.

 

I am getting the asp drop counter against ctm-error.

 

CTM returned error:
This counter will increment when the appliance attempts to perform a crypto operation on a packet and the crypto operation fails. This is not a normal condition and could indicate possible software or hardware problems with the appliance.

 

As per the details available this would be possibly due to memory issue. Please help me in finding crypto free and used memory stats.

 

Thanks

 

0 Helpful

Cristian Matei
VIP Alumni
VIP Alumni
In response to vishaw jasrotia

‎03-26-2020 04:56 AM

Hi,

 

   I already answered you in the other thread: https://community.cisco.com/t5/network-security/anny-connect-connection-failuer-ctm-error/m-p/4052752#M1068256

 

Regards,

Cristian Matei.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card