Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
752
Views
0
Helpful
1
Replies

ASA Service-Policy: drop count

cpaquet
Level 1
Level 1

‎05-24-2016 03:09 PM - edited ‎03-12-2019 12:47 AM

1. With Modular Policy Framework, what is the meaning of the drop count?  See below output of a SFR policy.

2. Does it represent packets that were dropped by the ASA prior to being punted to SFR?

3. If the ASA is dropping those packet, what would be the cause? tcp normalisation? IP option inspection? congestion?

HQ-ASA# show service-policy sfr

Interface inside:
  Service-policy: asasfr_policy
    Class-map: class-default
      SFR: card status Up, mode fail-close
        packet input 252138, packet output 234665, drop 21592, reset-drop 8

Interface dmz:
  Service-policy: asasfr_policy
    Class-map: class-default
      SFR: card status Up, mode fail-close
        packet input 133754, packet output 133646, drop 4831, reset-drop 0
HQ-ASA#

I looked at the ASA Command Reference guide,but it doesn't mention what the drop packet count represent.

Would appreciate if anyone could shed light on this counter.

Thanks.

Cath.

1 person had this problem
Labels:
0 Helpful
1 Reply 1

Kornelia Gutierrez
Level 1
Level 1

‎05-24-2016 04:45 PM

Hello Cath, 

From the output shown it seems that is the SFR that is dropping the packets, you should check the sourcefire module and check the policies to verify which of them is triggering and droping the packets.

Best regards.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card