05-01-2013 06:07 AM - last edited on 03-25-2019 05:50 PM by ciscomoderator
Hi All,
Hope that some guru in the ASA can assist me with this. I am having an issue where the ASA is dropping packets on the VLAN interfaces. I have it as a dedicated router/firewall for a 100 Mb connection.
Vlan1 is the internal network
Vlan2 is the network to cable modem
Eth 0/1 is connected to a 2960G switch with hard-coded 100 Mb full duplex at each end; this is the inside interface. Eth 0/0 is the connection to the cable modem; this is the outside interface, set to auto at both ends.
I'm getting, on the VLANs, e.g. 51253 packets dropped; however, network traffic isn't impacted and everything runs fine. I'm also seeing 46532 switch ingress policy drops.
Here are some stats; any ideas would be appreciated.
Example:
ciscoasa# sh int vlan1
Interface Vlan1 "inside", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
MAC address 70ca.9b36.ab80, MTU 1500
IP address 10.x.x.x, subnet mask 255.255.255.0
Traffic Statistics for "inside":
43250588 packets input, 9953472733 bytes
64963367 packets output, 79657701404 bytes
577921 packets dropped
1 minute input rate 63 pkts/sec, 3633 bytes/sec
1 minute output rate 111 pkts/sec, 152006 bytes/sec
1 minute drop rate, 1 pkts/sec
5 minute input rate 74 pkts/sec, 5628 bytes/sec
5 minute output rate 124 pkts/sec, 160594 bytes/sec
5 minute drop rate, 1 pkts/sec
ciscoasa# sh int vlan2
Interface Vlan2 "outside", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
MAC address 70ca.9b36.ab80, MTU 1500
IP address x.x.x.x, subnet mask 255.255.240.0
Traffic Statistics for "outside":
64241157 packets input, 79695011938 bytes
41703323 packets output, 9887249949 bytes
51253 packets dropped
1 minute input rate 134 pkts/sec, 146796 bytes/sec
1 minute output rate 114 pkts/sec, 83763 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 148 pkts/sec, 165549 bytes/sec
5 minute output rate 120 pkts/sec, 78676 bytes/sec
5 minute drop rate, 0 pkts/sec
ciscoasa# sh int eth 0/1
Interface Ethernet0/1 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Description: **Connection to Cisco Switch**
Available but not configured via nameif
MAC address 70ca.9b36.ab79, MTU not set
IP address unassigned
43637406 packets input, 10980603707 bytes, 0 no buffer
Received 203893 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
46532 switch ingress policy drops
65414010 packets output, 81362776944 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Description: **Connection to Cable Modem**
Available but not configured via nameif
MAC address 70ca.9b36.ab78, MTU not set
IP address unassigned
64311932 packets input, 80946004143 bytes, 0 no buffer
Received 606564 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 switch ingress policy drops
41762296 packets output, 10719199183 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
ciscoasa# show asp drop
Frame drop:
Punt rate limit exceeded (punt-rate-limit) 225370
Invalid encapsulation (invalid-encap) 88
No valid adjacency (no-adjacency) 39
No route to host (no-route) 46416
Flow is denied by configured rule (acl-drop) 77914
First TCP packet not SYN (tcp-not-syn) 7151
Bad TCP flags (bad-tcp-flags) 54
TCP failed 3 way handshake (tcp-3whs-failed) 2747
TCP RST/FIN out of order (tcp-rstfin-ooo) 19856
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 6
TCP SYNACK on established conn (tcp-synack-ooo) 5
TCP packet SEQ past window (tcp-seq-past-win) 16
TCP RST/SYN in window (tcp-rst-syn-in-win) 2
TCP packet failed PAWS test (tcp-paws-fail) 12345
FP L2 rule drop (l2_acl) 240171
Interface is down (interface-down) 1
Non-IP packet received in routed mode (non-ip-pkt-in-routed-mode) 1
Dropped pending packets in a closed socket (np-socket-closed) 226
Last clearing: Never
Flow drop:
Inspection failure (inspect-fail) 8
05-01-2013 06:15 PM
Hello,
The "packets dropped" counter in the show interface command output from the Adaptive Security Appliance (ASA) represents all dropped packets on the interface. This counter includes all security-related packet drops. It is expected that this counter will always increment on a production ASA. Again, it is normal and expected for the "packets dropped" counter to increase on a regular basis.
http://www.cisco.com/image/gif/paws/113680/pdc-show-output.pdf
Regards,
Felipe,
Security Team.
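As an added example (not part of the thread, and not Cisco's own tooling): the interface "packets dropped" counter Felipe describes is an aggregate, and the breakdown lives in `show asp drop`. Since the ASP counters are cumulative ("Last clearing: Never" in the post), the absolute numbers say little; what matters is which reasons grow, and how fast, between two snapshots. The script below parses the `show asp drop` output from the post, groups reasons into categories (the grouping is my own assumption, not a Cisco taxonomy), and diffs it against a second, constructed snapshot to show what actually moved.

```python
import re
from collections import OrderedDict

# `show asp drop` output as posted in the thread above (cumulative counters,
# "Last clearing: Never"); trimmed to the lines the parser needs to demonstrate.
SNAPSHOT_T0 = """\
Frame drop:
  Punt rate limit exceeded (punt-rate-limit)                       225370
  Invalid encapsulation (invalid-encap)                                88
  No valid adjacency (no-adjacency)                                    39
  No route to host (no-route)                                       46416
  Flow is denied by configured rule (acl-drop)                      77914
  First TCP packet not SYN (tcp-not-syn)                             7151
  Bad TCP flags (bad-tcp-flags)                                        54
  TCP failed 3 way handshake (tcp-3whs-failed)                       2747
  TCP RST/FIN out of order (tcp-rstfin-ooo)                         19856
  TCP packet failed PAWS test (tcp-paws-fail)                       12345
  FP L2 rule drop (l2_acl)                                         240171
  Last clearing: Never

Flow drop:
  Inspection failure (inspect-fail)                                     8
"""

# A constructed second snapshot (NOT from the post): the same device some minutes
# later, with acl-drop, tcp-not-syn and punt-rate-limit having moved.
SNAPSHOT_T1 = (SNAPSHOT_T0
               .replace("77914", "79114")     # acl-drop      +1200
               .replace("7151", "7901")       # tcp-not-syn   +750
               .replace("225370", "225470"))  # punt-rate-limit +100

SECTION_RE = re.compile(r"^\s*(?P<section>Frame drop|Flow drop):\s*$")
LINE_RE = re.compile(r"^\s*(?P<desc>.+?)\s+\((?P<reason>[\w-]+)\)\s+(?P<count>\d+)\s*$")

# Assumed grouping so a triage run separates "the firewall enforced policy"
# from "forwarding or control-plane trouble". Anything unmapped lands in "other".
CATEGORY = {
    "acl-drop": "policy", "l2_acl": "policy", "inspect-fail": "policy",
    "tcp-not-syn": "tcp-state", "bad-tcp-flags": "tcp-state",
    "tcp-3whs-failed": "tcp-state", "tcp-rstfin-ooo": "tcp-state",
    "tcp-paws-fail": "tcp-state", "tcp-seq-past-win": "tcp-state",
    "no-route": "routing", "no-adjacency": "routing",
    "punt-rate-limit": "control-plane",
}


def parse_asp_drop(text):
    """Return {section: {reason: count}} from `show asp drop` output."""
    drops = OrderedDict()
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            drops.setdefault(section, OrderedDict())
            continue
        m = LINE_RE.match(line)
        if m and section is not None:
            drops[section][m.group("reason")] = int(m.group("count"))
    return drops


def flatten(drops):
    """Merge the frame-drop and flow-drop sections into one {reason: count} map."""
    out = {}
    for reasons in drops.values():
        out.update(reasons)
    return out


def by_category(counts):
    """Sum per-reason counts into the assumed categories above."""
    totals = {}
    for reason, n in counts.items():
        cat = CATEGORY.get(reason, "other")
        totals[cat] = totals.get(cat, 0) + n
    return totals


def delta(before, after):
    """Per-reason growth between two snapshots; reasons that did not grow are omitted."""
    return {r: after[r] - before.get(r, 0) for r in after if after[r] - before.get(r, 0) > 0}


def top_reasons(counts, n=3):
    """The n largest entries of a {reason: count} map, largest first."""
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    t0 = flatten(parse_asp_drop(SNAPSHOT_T0))
    t1 = flatten(parse_asp_drop(SNAPSHOT_T1))
    print("cumulative by category:", by_category(t0))
    print("grew since last snapshot:", top_reasons(delta(t0, t1)))
```

In practice you would capture `show asp drop` twice a few minutes apart (or `clear asp drop` first and capture once) and feed both captures to `delta()`; a reason that is large but static is history, while one that climbs steadily under normal load, especially acl-drop or the tcp-state group, is worth a `capture ... type asp-drop` to see which hosts are generating it.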