
Cisco ASA Switch Ingress Policy Drops

Can someone explain the Switch Ingress Policy Drops in the show interface command?

sho interface e0/0
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Input flow control is unsupported, output flow control is unsupported
        Available but not configured via nameif
        MAC address 5087.899f.e6ac, MTU not set
        IP address unassigned
        1360550 packets input, 1086603489 bytes, 0 no buffer
        Received 309 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        84 switch ingress policy drops
        1059504 packets output, 186211777 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 rate limit drops
        0 switch egress policy drops
        0 input reset drops, 0 output reset drops


Vibhor Amrodia
Cisco Employee

Hi,

These are the documented possible reasons for this drop:

switch ingress policy drops

This drop is usually seen when a port is not configured correctly. This drop is incremented when a packet cannot be successfully forwarded within switch ports as a result of the default or user configured switch port settings. The following configurations are the likely reasons for this drop:

  • The nameif command was not configured on the VLAN interface.

Note: For interfaces in the same VLAN, even if the nameif command was not configured, switching within the VLAN is successful, and this counter does not increment.

  • The VLAN is shut down.
  • An access port received an 802.1Q-tagged packet.
  • A trunk port received a tag that is not allowed or an untagged packet.
  • The ASA is connected to another Cisco device that has Ethernet keepalives. For example, Cisco IOS software uses Ethernet loopback packets to ensure interface health. This packet is not intended to be received by any other device; the health is ensured just by being able to send the packet. These types of packets are dropped at the switch port, and the counter increments.

Can you share the "show run interface" from the ASA device?

Thanks and Regards,

Vibhor Amrodia

interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
!
interface Ethernet0/7
 description **Connection for FioS**
 switchport access vlan 3
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
!
interface Vlan3
 description ***FIOS***
 nameif FiOS
 security-level 0
 ip address x.x.x.x 255.255.255.0
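As an added example (not from the thread, and not Cisco's code), a small Python triage script that pulls the "switch ingress policy drops" counter out of "show interface" output and cross-checks "show run interface" for the two documented causes that are visible in configuration: the port's access VLAN has no nameif, or that VLAN is shut down. The sample inputs are constructed (trimmed from the thread, plus a hypothetical Ethernet0/5 in an unconfigured VLAN 5), and the rule that a port with no "switchport access vlan" line sits in VLAN 1 is an assumption of mine.

```python
import re
# Constructed samples trimmed from the thread's output, plus a hypothetical Ethernet0/5 whose
# access VLAN 5 has no "interface Vlan5" stanza, hence no nameif (one documented cause).
SHOW_INTERFACE = """\
Interface Ethernet0/0 "", is up, line protocol is up
        84 switch ingress policy drops
"""
SHOW_RUN = """\
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/5
 switchport access vlan 5
interface Vlan2
 nameif outside
"""

def ingress_policy_drops(text):
    """Map interface -> 'switch ingress policy drops' counter from show interface output."""
    drops, port = {}, None
    for line in text.splitlines():
        if line.startswith("Interface "):
            port = line.split()[1]
        elif port and (m := re.match(r"\s*(\d+) switch ingress policy drops", line)):
            drops[port] = int(m.group(1))
    return drops

def parse_run(text):
    """Map interface -> its indented config lines from show run interface ("!" lines are ignored)."""
    stanzas, cur = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            stanzas[cur] = []
        elif cur and line.startswith(" "):
            stanzas[cur].append(line.strip())
    return stanzas

def config_causes(stanzas, default_vlan="1"):
    """Per active switch port, the documented causes visible in config: its access VLAN has
    no nameif, or is shut down. Assumption: a port with no access-vlan line sits in VLAN 1."""
    out = {}
    for port, lines in stanzas.items():
        if not port.startswith("Ethernet") or "shutdown" in lines:
            continue  # a shut-down switch port receives nothing, so nothing to flag
        vlan = next((l.split()[-1] for l in lines if l.startswith("switchport access vlan")), default_vlan)
        svi = stanzas.get("Vlan" + vlan, [])
        reasons = [] if any(l.startswith("nameif") for l in svi) else ["Vlan%s has no nameif" % vlan]
        if "shutdown" in svi:
            reasons.append("Vlan%s is shut down" % vlan)
        if reasons:
            out[port] = reasons
    return out
```

Run against the thread's own config the check returns nothing, which matches Vibhor's "this seems to be okay" and leaves the remaining causes (tagged frames on an access port, Ethernet keepalives from a neighbour) to be confirmed with the ASP drop capture.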

Hi,

This seems to be okay. Would you be able to check the connected trunk port on the switch and see if that is forwarding any unused VLANs on the ASA device?

You can apply the ASP captures and see if the ASA device is receiving any malformed or unwanted VLANs on the ASA device.

capture asp type asp-drop all buffer 3333333

Check the content using show capture asp

Thanks and Regards,

Vibhor Amrodia

There are no trunks on the ASA or the switch.

Hi,

Did you check the captures on the ASA device?

Also, share the output of "show asp drop".

Thanks and Regards,

Vibhor Amrodia
