1. With Modular Policy Framework, what is the meaning of the drop count? See the output of an SFR policy below.
2. Does it represent packets that were dropped by the ASA prior to being punted to SFR?
3. If the ASA is dropping those packets, what would be the cause? TCP normalisation? IP option inspection? Congestion?
HQ-ASA# show service-policy sfr
Interface inside:
  Service-policy: asasfr_policy
    Class-map: class-default
      SFR: card status Up, mode fail-close
        packet input 252138, packet output 234665, drop 21592, reset-drop 8
Interface dmz:
  Service-policy: asasfr_policy
    Class-map: class-default
      SFR: card status Up, mode fail-close
        packet input 133754, packet output 133646, drop 4831, reset-drop 0
HQ-ASA#
I looked at the ASA Command Reference guide, but it doesn't mention what the drop packet count represents.
Would appreciate if anyone could shed light on this counter.
Thanks.
Cath.