
ASA ICMP Packets

Oscar Cardiel
Level 1

Hi Guys,

Actually we have two ASA 5520s in active/passive. We are losing random ICMP packets between hosts located on different ASA interfaces or zones; random ICMP packets are lost when they cross the firewalls.

asa# sh interface | i errors
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 output errors, 0 collisions, 2 interface resets
        94 input errors, 0 CRC, 0 frame, 94 overrun, 0 ignored, 0 abort
        0 output errors, 0 collisions, 2 interface resets
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 output errors, 0 collisions, 2 interface resets
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 output errors, 0 collisions, 2 interface resets
        2 input errors, 0 CRC, 0 frame, 2 overrun, 0 ignored, 0 abort
        0 output errors, 0 collisions, 0 interface resets

asa# show conn count
7924 in use, 7934 most used

asa# show resource usage
Resource              Current         Peak      Limit        Denied Context
SSH                         2            2          5             0 System
ASDM                        1            3          5             0 System
Syslogs [rate]            444         1295        N/A             0 System
Conns                    7284         8000     280000             0 System
Xlates                   2728         3063        N/A             0 System
Hosts                    3155         3403        N/A             0 System
Conns [rate]              195          946        N/A             0 System
Inspects [rate]            20          280        N/A             0 System

asa# sh processes cpu-usage non-zero
PC         Thread       5Sec     1Min     5Min   Process
081a86c4   c91afa08    56.9%    45.1%    37.5%   Dispatch Unit
08c15df6   c91a93a8     1.3%     1.3%     1.2%   Logger
08190627   c91a4ec0     0.0%     0.1%     0.0%   tmatch compile thread
084b6fa1   c91a40f8     0.3%     0.6%     0.6%   IKE Daemon
083ccbfc   c91a17a0     0.1%     0.1%     0.1%   fover_health_monitoring_thread
08405637   c91a13b0     0.0%     0.1%     0.1%   ha_trans_data_tx
085345ae   c91a09d8     0.5%     0.3%     0.3%   ARP Thread
088c038d   c918f248     2.3%     2.2%     2.3%   Unicorn Admin Handler
08bde96c   c9189ba8     0.2%     0.4%     0.2%   ssh

2 Accepted Solutions


Hello Oscar,

Thanks for the information.

I think our best suggestion here would be to create captures on both interfaces on the ASA involved in this communication and then check all the packets captured on both interfaces.

Also do an ASP capture that will show us all the packets being dropped by the ASA algorithm (Accelerated Security Path). We will need to see the ICMP packets in this list in order to make sure the ASA is the device causing the problem.

Regards,

Do rate all the helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

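Added example, not part of the original thread and not Cisco tooling: one way to do the comparison suggested above is to save the text of the ingress, egress and ASP-drop captures and sort every ICMP echo seen on ingress by where it ended up. The line layout (an `id` field as printed by `show capture <name> detail`), the host addresses and the sample captures are assumptions constructed for illustration, and the matching assumes no NAT between the two hosts.

```python
import re

# ICMP echo as printed in capture text: "A > B: icmp: echo request (ttl 128, id 100)".
# This line layout is an assumption about "show capture <name> detail" output.
ICMP_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): icmp: (echo request|echo reply)"
    r"[^\n]*?\bid (\d+)"
)

def parse_capture(text):
    """Return (src, dst, kind, ip_id) for every ICMP echo line, in capture order."""
    return [(m[1], m[2], m[3], int(m[4])) for m in ICMP_RE.finditer(text)]

def classify(ingress, egress, asp_drop):
    """Sort each packet seen on the ingress interface into one of three buckets.

    Assumes no NAT between the two hosts, so addresses match on both sides.
    """
    sent_on = set(parse_capture(egress))
    dropped = set(parse_capture(asp_drop))
    result = {"forwarded": [], "asp_drop": [], "unaccounted": []}
    for pkt in parse_capture(ingress):
        if pkt in sent_on:
            result["forwarded"].append(pkt[3])
        elif pkt in dropped:
            result["asp_drop"].append(pkt[3])   # the ASA itself dropped it
        else:
            result["unaccounted"].append(pkt[3])  # in neither capture: dig further
    return result

# Constructed sample captures (hypothetical hosts 10.1.1.10 and 10.2.2.20).
INSIDE = """\
   1: 10:00:01.000100 10.1.1.10 > 10.2.2.20: icmp: echo request (ttl 128, id 100)
   2: 10:00:02.000100 10.1.1.10 > 10.2.2.20: icmp: echo request (ttl 128, id 101)
   3: 10:00:03.000100 10.1.1.10 > 10.2.2.20: icmp: echo request (ttl 128, id 102)
   4: 10:00:04.000100 10.1.1.10 > 10.2.2.20: icmp: echo request (ttl 128, id 103)
"""
OUTSIDE = """\
   1: 10:00:01.000300 10.1.1.10 > 10.2.2.20: icmp: echo request (ttl 128, id 100)
   2: 10:00:03.000300 10.1.1.10 > 10.2.2.20: icmp: echo request (ttl 128, id 102)
"""
ASP_DROP = """\
   1: 10:00:02.000200 10.1.1.10 > 10.2.2.20: icmp: echo request (ttl 128, id 101)
"""

if __name__ == "__main__":
    print(classify(INSIDE, OUTSIDE, ASP_DROP))
```

A request the sending host reports as lost that is also absent from the ingress capture never reached the capture point, so it falls outside all three buckets.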