07-31-2013 10:48 AM - edited 03-11-2019 07:19 PM
This is a vague question but I guess I need to start somewhere.
In a smaller sized environment, I see the following counters on a 5510 w/ a CSC module...
Frame drop:
SVC Module does not have a session (mp-svc-no-session) 1
Unsupported IP version (unsupported-ip-version) 1
No route to host (no-route) 223
Reverse-path verify failed (rpf-violated) 88
Flow is denied by configured rule (acl-drop) 73233
First TCP packet not SYN (tcp-not-syn) 44862
TCP failed 3 way handshake (tcp-3whs-failed) 8883
TCP RST/FIN out of order (tcp-rstfin-ooo) 34487
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 1
TCP packet SEQ past window (tcp-seq-past-win) 348
TCP invalid ACK (tcp-invalid-ack) 4
TCP ACK in 3 way handshake invalid (tcp-discarded-ooo) 1
TCP RST/SYN in window (tcp-rst-syn-in-win) 40
TCP packet failed PAWS test (tcp-paws-fail) 717
Output QoS rate exceeded (rate-exceeded) 33810
Early security checks failed (security-failed) 44
Slowpath security checks failed (sp-security-failed) 39152
ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn) 67
DNS Inspect invalid packet (inspect-dns-invalid-pak) 1
DNS Inspect invalid domain label (inspect-dns-invalid-domain-label) 1
DNS Inspect id not matched (inspect-dns-id-not-matched) 107
FP L2 rule drop (l2_acl) 138157
Packet shunned (shunned) 329
Dropped pending packets in a closed socket (np-socket-closed) 349
Invalid ASDP packet received from SSM card (ssm-asdp-invalid) 2
Service module is down (ssm-app-fail) 71
Inspection failure (inspect-fail) 2050
DTLS hello processed and closed (dtls-hello-close) 3
Last clearing: 10:24:52 CDT Jul 30 2013 by root
I'm bothered by the sp-security failed and first not syn counters particularly. Do these values look normal?
Thank you
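Raw "show asp drop" counters cannot say on their own whether a box is healthy: what a practitioner compares is each reason's share of all drops and its rate since the last clearing, which becomes the baseline for "normal" on this particular ASA. The script below is an added example, not code from the thread or from Cisco; it parses the frame-drop output quoted above, ranks the reasons, and reports the two counters Daron asked about. It assumes the counters were read at the time of the opening post (SAMPLED_AT), since the ASA output records only when they were cleared.

```python
import re
from datetime import datetime

# The "Frame drop" section of "show asp drop" exactly as quoted in the
# opening post, embedded so the script runs offline without an ASA.
SHOW_ASP_DROP = """\
Frame drop:
  SVC Module does not have a session (mp-svc-no-session)                        1
  Unsupported IP version (unsupported-ip-version)                               1
  No route to host (no-route)                                                 223
  Reverse-path verify failed (rpf-violated)                                    88
  Flow is denied by configured rule (acl-drop)                              73233
  First TCP packet not SYN (tcp-not-syn)                                    44862
  TCP failed 3 way handshake (tcp-3whs-failed)                               8883
  TCP RST/FIN out of order (tcp-rstfin-ooo)                                 34487
  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                              1
  TCP packet SEQ past window (tcp-seq-past-win)                               348
  TCP invalid ACK (tcp-invalid-ack)                                             4
  TCP ACK in 3 way handshake invalid (tcp-discarded-ooo)                        1
  TCP RST/SYN in window (tcp-rst-syn-in-win)                                   40
  TCP packet failed PAWS test (tcp-paws-fail)                                 717
  Output QoS rate exceeded (rate-exceeded)                                  33810
  Early security checks failed (security-failed)                               44
  Slowpath security checks failed (sp-security-failed)                      39152
  ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn)    67
  DNS Inspect invalid packet (inspect-dns-invalid-pak)                          1
  DNS Inspect invalid domain label (inspect-dns-invalid-domain-label)           1
  DNS Inspect id not matched (inspect-dns-id-not-matched)                     107
  FP L2 rule drop (l2_acl)                                                 138157
  Packet shunned (shunned)                                                    329
  Dropped pending packets in a closed socket (np-socket-closed)               349
  Invalid ASDP packet received from SSM card (ssm-asdp-invalid)                 2
  Service module is down (ssm-app-fail)                                        71
  Inspection failure (inspect-fail)                                          2050
  DTLS hello processed and closed (dtls-hello-close)                            3
Last clearing: 10:24:52 CDT Jul 30 2013 by root
"""

# Assumption: the counters were read when the opening post was written
# (07-31-2013 10:48 local time); the ASA output does not record that itself.
SAMPLED_AT = datetime(2013, 7, 31, 10, 48, 0)

# "<description> (<reason-keyword>) <count>" -- one counter per line.
LINE_RE = re.compile(r"^\s*(?P<desc>.+?)\s+\((?P<reason>[\w-]+)\)\s+(?P<count>\d+)\s*$")
# "Last clearing: HH:MM:SS <tz> Mon DD YYYY by <who>"; the zone is ignored.
CLEAR_RE = re.compile(r"Last clearing:\s+(\d{2}:\d{2}:\d{2})\s+\S+\s+([A-Za-z]{3} \d{1,2} \d{4})")


def parse_asp_drop(text):
    """Return {reason: (description, count)} in the order the ASA printed them."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[m.group("reason")] = (m.group("desc").strip(), int(m.group("count")))
    return counters


def parse_last_clearing(text):
    """Return the 'Last clearing' timestamp as a naive datetime, or None."""
    m = CLEAR_RE.search(text)
    if not m:
        return None
    return datetime.strptime(m.group(1) + " " + m.group(2), "%H:%M:%S %b %d %Y")


def total_drops(counters):
    return sum(count for _, count in counters.values())


def rank_drops(counters, top=5):
    """Top reasons as (reason, count, percent of all drops), largest first."""
    total = total_drops(counters)
    ordered = sorted(counters.items(), key=lambda item: item[1][1], reverse=True)
    return [(reason, count, 100.0 * count / total) for reason, (_, count) in ordered[:top]]


def rates_per_hour(counters, cleared_at, sampled_at):
    """Drops per hour for every reason over the interval since the last clearing."""
    hours = (sampled_at - cleared_at).total_seconds() / 3600.0
    if hours <= 0:
        raise ValueError("sampled_at must be after the last counter clearing")
    return {reason: count / hours for reason, (_, count) in counters.items()}


def watchlist(counters, reasons):
    """(reason, count, percent) for the reasons you want to keep an eye on."""
    total = total_drops(counters)
    return [(r, counters.get(r, ("", 0))[1], 100.0 * counters.get(r, ("", 0))[1] / total)
            for r in reasons]


def main():
    counters = parse_asp_drop(SHOW_ASP_DROP)
    cleared = parse_last_clearing(SHOW_ASP_DROP)
    rates = rates_per_hour(counters, cleared, SAMPLED_AT)
    print(f"{len(counters)} drop reasons, {total_drops(counters)} frames since {cleared}")
    for reason, count, pct in rank_drops(counters):
        print(f"  {reason:<22} {count:>8}  {pct:5.1f}%  {rates[reason]:8.1f}/h")
    print("watched counters:")
    for reason, count, pct in watchlist(counters, ["sp-security-failed", "tcp-not-syn"]):
        print(f"  {reason:<22} {count:>8}  {pct:5.1f}%  {rates[reason]:8.1f}/h")


if __name__ == "__main__":
    main()
```

Run it as a script and it prints the five largest reasons with their share and hourly rate, then the two watched counters. The share tells you which reason to point an asp-drop capture at first; the hourly rate is what to re-check after clearing the counters and changing one thing, since an absolute count of 39152 means something different over a day than over a week.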
07-31-2013 11:10 AM
Hello Daron,
Well that's a really odd question to answer, as it will require deep troubleshooting of the network.
For an ASA that's on the border of the network, I would say it would be expected to see a lot of those drops, as the ASA might be required to drop offending packets.
If you want to know what packets are being dropped, you can do it via the command
cap asp type-asp drop all (you could filter the capture to just capture certain drops)
For Networking Posts check my blog at http://www.laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
07-31-2013 12:48 PM
Indeed, I suppose a really odd question...
What I'm looking for is a "normally you don't see any counters for inspect fail unless there's a problem with ******, so you might want to look into ******"
I have an exceptionally noisy network here with hit-and-miss internet performance issues. Not entirely sure where to start, other than asking whether any values on these counters could be abnormal. I'm familiar with the ASA, just not that familiar with it...
Thank you......
07-31-2013 01:59 PM
Hello Daron,
Start with the captures,
That would be my recommendation.
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura