
Getting packet drop in ASP-drop

Chandresh
Level 1

I am seeing ASP packet drops on FTD in my captured logs for one of the websites which a user is trying to access over HTTPS. It is an intermittent issue where a couple of times the website is not opening or is opening slowly.

1: 23:07:25.774770 802.1Q vlan#2926 P0 14X.XX.XX.XX:443 > 10X.XX.XX.XX:59411: . ack 2225558804 win 24567 Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055656c83116f flow (NA)/NA

Note: On the firewall the rule is allowed, and packet tracer is also hitting the correct rule.

Thanks in advance.

5 Replies

Can you share the packet tracer?

Like I said earlier, there is no issue in the packet tracer output, as every time it is showing allowed and taking the expected rule.

The problem here is that the issue is intermittent and very difficult to catch exactly. Out of 10 times, I would say 7 or 8 times we are able to access the website IP address without any issue, but a couple of times it is getting loaded slowly or failed to load.

Are you using the website IP address or the FQDN on the access list?

Using the website IP address.

Not sure what would cause this issue in this case. Another thought I have is that it could be related to the rules, if they are using the app IDs instead of the service ports. Sometimes when using the app IDs the firewall needs to see more traffic before it can understand what app ID is inside the payload; that could potentially cause some temp drops.
