
ASA - High bps In on outside interface

esa_fresa
Level 1

A couple of days ago the receiving interface utilization on our ASA's outside interface spiked to over 100 times what's normal. Below are some show commands I ran. I'm not great with firewalls, so any help at all is appreciated.

 

# show traffic
inside:
        received (in 157419.900 secs):
                392718 packets  79601094 bytes
                2 pkts/sec      14 bytes/sec
        transmitted (in 157419.900 secs):
                218752 packets  21963534 bytes
                1 pkts/sec      3 bytes/sec
      1 minute input rate 2 pkts/sec,  240 bytes/sec
      1 minute output rate 1 pkts/sec,  103 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 5 pkts/sec,  1137 bytes/sec
      5 minute output rate 3 pkts/sec,  332 bytes/sec
      5 minute drop rate, 1 pkts/sec

outside:
        received (in 157419.930 secs):
                204561925 packets       9440820414 bytes
                1026 pkts/sec   59017 bytes/sec
        transmitted (in 157419.930 secs):
                278947 packets  94372148 bytes
                1 pkts/sec      26 bytes/sec
      1 minute input rate 732 pkts/sec,  33832 bytes/sec
      1 minute output rate 1 pkts/sec,  234 bytes/sec
      1 minute drop rate, 319 pkts/sec
      5 minute input rate 937 pkts/sec,  43566 bytes/sec
      5 minute output rate 4 pkts/sec,  1320 bytes/sec
      5 minute drop rate, 474 pkts/sec

 

# show resource usage
Resource              Current         Peak      Limit        Denied Context
SSH                         3            3          5             0 System
Syslogs [rate]              1         3081        N/A             0 System
Conns                      39           67      10000             0 System
Xlates                      8            8        N/A             0 System
Hosts                      12           14        N/A             0 System

 

 

# show inter out det
Interface Vlan2 "outside", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
        MAC address c471.fe4a.2062, MTU 1500
        IP address 74.213.161.150, subnet mask 255.255.255.240
  Traffic Statistics for "outside":
        203719444 packets input, 9401777193 bytes
        275162 packets output, 93454007 bytes
        119693306 packets dropped
      1 minute input rate 716 pkts/sec,  33133 bytes/sec
      1 minute output rate 1 pkts/sec,  271 bytes/sec
      1 minute drop rate, 302 pkts/sec
      5 minute input rate 803 pkts/sec,  37282 bytes/sec
      5 minute output rate 3 pkts/sec,  1046 bytes/sec
      5 minute drop rate, 340 pkts/sec
  Control Point Interface States:
        Interface number is 16
        Interface config status is active
        Interface state is active

 

# show asp drop

Frame drop:
  Punt rate limit exceeded (punt-rate-limit)                           119827225
  Flow is denied by configured rule (acl-drop)                             14638
  Invalid SPI (np-sp-invalid-spi)                                            180
  First TCP packet not SYN (tcp-not-syn)                                     114
  TCP RST/FIN out of order (tcp-rstfin-ooo)                                    8
  TCP RST/SYN in window (tcp-rst-syn-in-win)                                   3
  IPSEC tunnel is down (ipsec-tun-down)                                      109
  Slowpath security checks failed (sp-security-failed)                     64076
  Interface is down (interface-down)                                           2
  Non-IP packet received in routed mode (non-ip-pkt-in-routed-mode)            1
  Dropped pending packets in a closed socket (np-socket-closed)               13

Last clearing: Never

Flow drop:
  Need to start IKE negotiation (need-ike)                                    56
  Inspection failure (inspect-fail)                                         3072

Last clearing: Never

1 Reply

Harvey
Level 1

Hello,

 

You can enable threat detection from ASDM and enable the top 10 sources/destinations; this will give you the IP addresses that are sending most of the traffic through the ASA:

 

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/asdm64/configuration_guide/asdm_64_config/protect_threat.html#wp1104293

 

Also, it would be good to see the stats for the outside physical interface; if it's an ASA5505 you can do "show interface fa 0/0".

 

Maybe check any new traffic that could be passing through the ASA.

 

Regards,

Harvey
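
A triage sketch for the output posted in the question, added here as an example and not part of either post: it ranks the `show asp drop` counters and computes the outside interface's drop ratio, so the dominant drop reason is known before looking for top talkers. The sample text is excerpted from the question; the function names are this example's own.

```python
import re
# Excerpt of the `show asp drop` output posted in the question.
ASP_DROP = """\
Frame drop:
  Punt rate limit exceeded (punt-rate-limit)                           119827225
  Flow is denied by configured rule (acl-drop)                             14638
  Slowpath security checks failed (sp-security-failed)                     64076
  Non-IP packet received in routed mode (non-ip-pkt-in-routed-mode)            1

Flow drop:
  Need to start IKE negotiation (need-ike)                                    56
  Inspection failure (inspect-fail)                                         3072
"""
# Excerpt of the `show inter out det` output posted in the question.
INTERFACE = """\
        203719444 packets input, 9401777193 bytes
        275162 packets output, 93454007 bytes
        119693306 packets dropped
"""
COUNTER = re.compile(r"^\s+(?P<desc>.+?) \((?P<code>[a-z0-9-]+)\)\s+(?P<count>\d+)\s*$")

def parse_asp_drop(text):
    """Return (section, code, description, count) tuples, largest count first."""
    section, rows = None, []
    for line in text.splitlines():
        if line.rstrip().endswith("drop:"):      # "Frame drop:" / "Flow drop:"
            section = line.strip().rstrip(":")
        elif section and (m := COUNTER.match(line)):
            rows.append((section, m["code"], m["desc"], int(m["count"])))
    return sorted(rows, key=lambda r: r[3], reverse=True)

def dominant_reason(rows):
    """Return (code, share of all counted drops) for the largest counter."""
    total = sum(r[3] for r in rows)
    return (rows[0][1], rows[0][3] / total) if total else (None, 0.0)

def interface_drop_ratio(text):
    """Fraction of received packets that the interface counters show as dropped."""
    rx = re.search(r"(\d+) packets input", text)
    dropped = re.search(r"(\d+) packets dropped", text)
    if not rx or not dropped or int(rx[1]) == 0:
        return None
    return int(dropped[1]) / int(rx[1])

if __name__ == "__main__":
    rows = parse_asp_drop(ASP_DROP)
    code, share = dominant_reason(rows)
    print(f"dominant drop reason: {code} ({share:.2%} of counted drops)")
    print(f"outside drop ratio: {interface_drop_ratio(INTERFACE):.1%}")
```

Both counters in the post show "Last clearing: Never", so the figures are totals since boot; comparing two captures taken a few minutes apart gives the current rate per drop reason.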

 
