Firepower 4120 with Port-channel dropping lots of packets

erer
Level 1

I have one firewall cluster (two Firepower 4120) with a port-channel configuration to a Cisco Nexus 7K with vPC.

There are lots of drops on the Firepower Port-channel2.86 interface and no drops on the Cisco Nexus 7K vPC interface.

Here is the output of the Port-channel2.86 interface:

Interface Port-channel2.86 "Zone2", is up, line protocol is up
Hardware is EtherSVI, BW 20000 Mbps, DLY 1000 usec
VLAN identifier 86
MAC address 70db.9818.f47e, MTU 1500
IP address 10.2.17.129, subnet mask 255.255.255.248
Traffic Statistics for "Zone2":
7236805478 packets input, 5650848586624 bytes
4859489033 packets output, 779832135681 bytes
25438209 packets dropped
Control Point Interface States:
Interface number is 6
Interface config status is active
Interface state is active
Control Point Vlan86 States:
Interface vlan config status is active
Interface vlan state is UP

And after 10 seconds again:

Interface Port-channel2.86 "Zone2", is up, line protocol is up
Hardware is EtherSVI, BW 20000 Mbps, DLY 1000 usec
VLAN identifier 86
MAC address 70db.9818.f47e, MTU 1500
IP address 10.2.17.129, subnet mask 255.255.255.248
Traffic Statistics for "Zone2":
7237310145 packets input, 5651241935177 bytes
4859825036 packets output, 779883200691 bytes
25440285 packets dropped
Control Point Interface States:
Interface number is 6
Interface config status is active
Interface state is active
Control Point Vlan86 States:
Interface vlan config status is active
Interface vlan state is UP

After these 10 seconds:

packets input changed: +504667 packets

packets dropped: +2076

Which is 0.41% packets dropped.

Does "packets dropped" mean errors, or let's say packets that have been denied by an access rule?

Thank you

Petr


2 Replies

mikael.lahtela
Level 4
Hi,

The number of packets dropped. Typically this counter increments for packets dropped on the accelerated security path (ASP), for example, if a packet is dropped due to an access list deny.
See the show asp drop command for reasons for potential drops on an interface.

https://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/s_5.html

br, Micke

Go to the FP CLI and issue the clear asp drops command. Then issue the show asp drops
command 5 times and see which drop type is increasing drastically.
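As an added illustration (not code from the thread or from Cisco) of the two checks suggested above: the interface counters quoted in the question are diffed to get the drop percentage, and two constructed "show asp drop" samples (their layout only approximates the real command output) are diffed to find which drop reason is growing.

```python
import re
from typing import Dict, List, Tuple

# Counters quoted in the original post (two "show interface" samples, ~10 s apart).
IFACE_T0 = """Traffic Statistics for "Zone2":
7236805478 packets input, 5650848586624 bytes
4859489033 packets output, 779832135681 bytes
25438209 packets dropped"""
IFACE_T1 = """Traffic Statistics for "Zone2":
7237310145 packets input, 5651241935177 bytes
4859825036 packets output, 779883200691 bytes
25440285 packets dropped"""

# Constructed "show asp drop" samples (layout approximates the real output).
ASP_T0 = """Frame drop:
  Flow is denied by configured rule (acl-drop)                  1500
  No valid adjacency (no-adjacency)                               12"""
ASP_T1 = """Frame drop:
  Flow is denied by configured rule (acl-drop)                  3500
  No valid adjacency (no-adjacency)                               12
  First TCP packet not SYN (tcp-not-syn)                          40"""

STAT_RE = re.compile(r"^\s*(\d+) packets (input|output|dropped)", re.MULTILINE)
ASP_RE = re.compile(r"^\s*.+? \((\S+)\)\s+(\d+)\s*$", re.MULTILINE)

def parse_traffic_stats(text: str) -> Dict[str, int]:
    """Pull the input/output/dropped packet counters out of show interface text."""
    return {kind: int(count) for count, kind in STAT_RE.findall(text)}

def drop_rate(before: Dict[str, int], after: Dict[str, int]) -> Tuple[int, int, float]:
    """Return (packets received, packets dropped, drop %) between two samples."""
    received = after["input"] - before["input"]
    dropped = after["dropped"] - before["dropped"]
    pct = 100.0 * dropped / received if received else 0.0
    return received, dropped, pct

def parse_asp_drop(text: str) -> Dict[str, int]:
    """Map each ASP drop tag (e.g. acl-drop) to its counter value."""
    return {tag: int(count) for tag, count in ASP_RE.findall(text)}

def growing_reasons(before: Dict[str, int], after: Dict[str, int]) -> List[Tuple[int, str]]:
    """Drop reasons whose counter grew between samples, largest increase first."""
    deltas = ((after[tag] - before.get(tag, 0), tag) for tag in after)
    return sorted(((d, tag) for d, tag in deltas if d > 0), reverse=True)

if __name__ == "__main__":
    rx, drops, pct = drop_rate(parse_traffic_stats(IFACE_T0), parse_traffic_stats(IFACE_T1))
    print(f"{drops} of {rx} packets dropped ({pct:.2f}%)")
    for delta, tag in growing_reasons(parse_asp_drop(ASP_T0), parse_asp_drop(ASP_T1)):
        print(f"{tag}: +{delta}")
```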