
FPR 2130: Troubleshooting ASP Drops

Nikolaos Milas
Level 1

Hello, 

We have an FPR-2130 pair (Active - Standby) and I recently see increased ASP Drops (see attached image). 

It is supposed to be "Flow Denied by access rule, Flow Denied by configured rule".

We need to understand better what this is about.

How can I examine further these drops? How do I see the related traffic and understand exactly why/how it is being dropped?

Also, how could I capture specifically ASP-related traffic using FMC (Web GUI)?

Please advise. 

Thanks in advance,
Nick

Accepted Solution

The easiest way to check those specific drops would be to connect to your FTD via CLI and then move to the Lina engine by issuing the command "system support diagnostic-cli", then typing "enable" and hitting enter with no password. This will take you to the Lina engine, which is basically the ASA engine CLI. From there you can run a packet capture specifically for the ACL drops.

capture ASP-ACL-DROPS type asp-drop acl-drop
show capture ASP-ACL-DROPS

The output should show you the flows that are getting denied by the ACLs.

Remember to remove the capture once you finish with the command "no capture ASP-ACL-DROPS".

If you want to see the holistic drops you can use the command "sh asp drop"; this will show you all the ASP drop counters. You can also filter by adding the pipe and the keyword you are looking for, for example "show asp drop | include acl" or "show asp drop | include conn".
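A single "show asp drop" listing only tells you the totals since the last clear; what usually matters is which counters are still climbing. The script below is an added example (not code from the thread or from Cisco) that diffs two snapshots of the command's output and ranks the counters by how much they grew. It assumes counter lines have the shape Lina prints, `<description> (<counter-name>) <count>`, under a `Frame drop:` or `Flow drop:` heading; the two snapshots are constructed for illustration, and the counter names other than acl-drop are placeholders.

```python
"""Diff two ``show asp drop`` snapshots to see which counters are climbing.

Added example, not code from the thread or from Cisco. Assumes counter
lines look like ``<description> (<name>) <count>`` under a section heading
``Frame drop:`` or ``Flow drop:``. Both snapshots below are constructed.
"""
import re

# "  Flow is denied by configured rule (acl-drop)     120400"
COUNTER_RE = re.compile(r"^\s*(?P<desc>.+?)\s+\((?P<name>[\w-]+)\)\s+(?P<count>\d+)\s*$")
SECTION_RE = re.compile(r"^(?P<section>Frame drop|Flow drop):\s*$")

SNAPSHOT_T0 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                              120400
  First TCP packet not SYN (tcp-not-syn)                                      3301
  Invalid TCP Length (invalid-tcp-hdr-length)                                   12

Last clearing: Never

Flow drop:
  Flow is denied by access rule (acl-drop)                                   88010
"""

# Constructed second snapshot, taken 60 seconds later.
SNAPSHOT_T1 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                              145900
  First TCP packet not SYN (tcp-not-syn)                                      3310
  Invalid TCP Length (invalid-tcp-hdr-length)                                   12

Last clearing: Never

Flow drop:
  Flow is denied by access rule (acl-drop)                                   88012
"""


def parse_asp_drop(text):
    """Return {(section, counter-name): (description, count)}.

    The same counter name (acl-drop) appears under both Frame drop and
    Flow drop, so the section is part of the key.
    """
    counters, section = {}, "unknown"
    for line in text.splitlines():
        s = SECTION_RE.match(line)
        if s:
            section = s.group("section")
            continue
        m = COUNTER_RE.match(line)
        if m:
            counters[(section, m.group("name"))] = (m.group("desc"), int(m.group("count")))
    return counters


def counter_deltas(before, after, interval_s=None):
    """List counters that grew between two snapshots, largest increase first.

    A counter that went down (someone ran ``clear asp drop`` in between) or
    did not move is left out of the report.
    """
    rows = []
    for key, (desc, now) in after.items():
        prev = before.get(key, (desc, 0))[1]
        inc = now - prev
        if inc <= 0:
            continue
        row = {"section": key[0], "name": key[1], "description": desc, "increase": inc}
        if interval_s:
            row["per_second"] = round(inc / interval_s, 2)
        rows.append(row)
    rows.sort(key=lambda r: r["increase"], reverse=True)
    return rows


if __name__ == "__main__":
    report = counter_deltas(parse_asp_drop(SNAPSHOT_T0), parse_asp_drop(SNAPSHOT_T1), interval_s=60)
    for r in report:
        print(f"{r['section']:<10} {r['name']:<22} +{r['increase']:>8} ({r['per_second']}/s)  {r['description']}")
```

Run "show asp drop" twice a known interval apart, paste each output into a file, and feed the two files to `parse_asp_drop`; a counter with a high per-second rate is the one worth capturing with `capture ... type asp-drop <counter-name>`.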


Nikolaos Milas
Level 1

Thank you for your prompt reply; I have been able to get data. 

I see large numbers of flows from the same IP Address (obfuscated below as abc.def.ghi.jkl because it's public) like: 

...
416: 13:33:23.149238 802.1Q vlan#40 P0 abc.def.ghi.jkl.60463 > 255.255.255.255.21001: udp 1224 Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000000aaad3d7e20 flow (NA)/NA
417: 13:33:23.149345 802.1Q vlan#40 P0 abc.def.ghi.jkl.60463 > 255.255.255.255.21001: udp 357 Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000000aaad3d7e20 flow (NA)/NA
418: 13:33:23.255769 802.1Q vlan#40 P0 abc.def.ghi.jkl.60463 > 255.255.255.255.21001: udp 1224 Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000000aaad3d7e20 flow (NA)/NA
419: 13:33:23.255891 802.1Q vlan#40 P0 abc.def.ghi.jkl.60463 > 255.255.255.255.21001: udp 1224 Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000000aaad3d7e20 flow (NA)/NA
...

What does this UDP traffic to 255.255.255.255 port 21001 likely mean?

Could this be a sign that host abc.def.ghi.jkl is probably compromised and attempts offensive local connections?

Thanks a lot,
Nick

Hi Nick, good question, I'm not really sure what port 21001/udp would be used for. However, the 255.255.255.255 IP address used in the destination is a broadcast address that will be used to send traffic to any host on the local network. An example of this would be a broadcast DHCP request from a client over the local network looking for a local DHCP server, but obviously that is not the case because from the capture you provided it seems the broadcast traffic is destined to port udp/21001. Maybe something you could do to try to better understand what that host is trying to do is to check the running applications on that host. On the other hand, the drops you are seeing for this traffic are expected as the firewall wouldn't forward/route that broadcast traffic.
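A capture like the one Nick pasted can run to thousands of lines, and the question is always the same: which sources, destinations and ports account for the drops, and are the destinations ones the firewall would never forward anyway (limited broadcast, multicast)? The script below is an added example, not code from the thread or from Cisco; it parses "show capture" lines of the format quoted above and groups them by source, destination, destination port, protocol and drop reason. The sample capture is constructed to mirror that format, using documentation addresses rather than real hosts, and the TCP line layout (flags and sequence numbers in place of a protocol keyword) is assumed from how Lina prints TCP packets.

```python
"""Summarise ``show capture`` output from an ``asp-drop`` capture.

Added example, not from the original thread. Groups dropped packets by
(src, dst, dport, proto, reason) so noisy sources stand out, and flags
destinations that are the limited broadcast or a multicast address, which
the firewall is expected to drop regardless of policy. Sample lines are
constructed; addresses are documentation ranges, not real hosts.
"""
import re
from collections import Counter
from ipaddress import ip_address

# "<n>: <hh:mm:ss.usec> [802.1Q vlan#N P0 ]<src>.<sport> > <dst>.<dport>: <detail> Drop-reason: (<reason>) ..."
LINE_RE = re.compile(
    r"^(?P<idx>\d+):\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:802\.1Q vlan#(?P<vlan>\d+) P\d+\s+)?"
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<detail>.*?)\s*Drop-reason:\s+\((?P<reason>[\w-]+)\)"
)

# Constructed sample: one chatty UDP broadcaster, two TCP attempts from another host, one mDNS packet.
SAMPLE_CAPTURE = """\
...
416: 13:33:23.149238 802.1Q vlan#40 P0 198.51.100.23.60463 > 255.255.255.255.21001: udp 1224 Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000000aaad3d7e20 flow (NA)/NA
417: 13:33:23.149345 802.1Q vlan#40 P0 198.51.100.23.60463 > 255.255.255.255.21001: udp 357 Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000000aaad3d7e20 flow (NA)/NA
418: 13:33:23.255769 802.1Q vlan#40 P0 198.51.100.23.60463 > 255.255.255.255.21001: udp 1224 Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000000aaad3d7e20 flow (NA)/NA
419: 13:33:23.255891 802.1Q vlan#40 P0 198.51.100.23.60463 > 255.255.255.255.21001: udp 1224 Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000000aaad3d7e20 flow (NA)/NA
420: 13:33:24.010001 802.1Q vlan#40 P0 198.51.100.23.60463 > 255.255.255.255.21001: udp 1224 Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000000aaad3d7e20 flow (NA)/NA
421: 13:33:24.120004 192.0.2.10.51234 > 203.0.113.7.443: S 1234567890:1234567890(0) win 64240 Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000000aaad3d7e20 flow (NA)/NA
422: 13:33:24.130009 192.0.2.10.51235 > 203.0.113.7.443: S 1234567891:1234567891(0) win 64240 Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000000aaad3d7e20 flow (NA)/NA
423: 13:33:24.140015 192.0.2.11.5353 > 224.0.0.251.5353: udp 120 Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000000aaad3d7e20 flow (NA)/NA
...
"""


def is_non_unicast(dst):
    """True for the limited broadcast address or any multicast destination."""
    try:
        addr = ip_address(dst)
    except ValueError:
        return False  # obfuscated placeholders such as abc.def.ghi.jkl
    return addr == ip_address("255.255.255.255") or addr.is_multicast


def parse_capture(text):
    """Return one dict per parseable capture line; '...' and headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        first = d["detail"].split()[0].lower() if d["detail"] else ""
        # Lina prints "udp <len>" / "icmp ..." but TCP flags instead of a keyword.
        d["proto"] = first if first in ("udp", "icmp") else "tcp"
        rows.append(d)
    return rows


def summarize(text, top=10):
    """Busiest (src, dst, dport, proto, reason) tuples first, with a non-unicast flag."""
    counts = Counter(
        (r["src"], r["dst"], r["dport"], r["proto"], r["reason"]) for r in parse_capture(text)
    )
    return [
        {"src": src, "dst": dst, "dport": int(dport), "proto": proto, "reason": reason,
         "packets": n, "non_unicast_dst": is_non_unicast(dst)}
        for (src, dst, dport, proto, reason), n in counts.most_common(top)
    ]


if __name__ == "__main__":
    for r in summarize(SAMPLE_CAPTURE):
        tag = "broadcast/multicast" if r["non_unicast_dst"] else "unicast"
        print(f"{r['packets']:>5} {r['proto']:<4} {r['src']} -> {r['dst']}:{r['dport']} "
              f"[{r['reason']}] {tag}")
```

Flows flagged as broadcast or multicast are the ones the reply above describes as expected drops; the unicast rows are where a real policy or host question remains, and the top of the list tells you which host to look at first.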
