High Input Packet Discard in Firewall ASA interfaces in trunk

damasoalcazar
Level 1

I have a Cisco ASA 5515 with the following version:

Cisco Adaptive Security Appliance Software Version 9.1(4)

My interface configuration is the following:

PortChannel5 made with Interface GigabitEthernet 0/2 + Interface GigabitEthernet 0/3

Subinterfaces in PortChannel5

Nagios graphs show:

- many input discards in the virtual subinterfaces
- many output discards in interfaces Gi0/2 and Gi0/3
- PortChannel5 output discards are the sum of the discards in interfaces Gi0/2 and Gi0/3

If I run the snmpwalk command against the ASA, the following results were obtained:

Interface description

[user@FIREWALL01 ~]$ snmpwalk -v 2c -c XXXXXXX 10.255.16.1 | grep ifDescr
IF-MIB::ifDescr.2 = STRING: Adaptive Security Appliance 'asa_mgmt_plane' interface
IF-MIB::ifDescr.3 = STRING: Adaptive Security Appliance 'Internet' interface
IF-MIB::ifDescr.4 = STRING: Adaptive Security Appliance 'LAN_MPLS' interface
IF-MIB::ifDescr.5 = STRING: Adaptive Security Appliance 'GigabitEthernet0/2' interface
IF-MIB::ifDescr.6 = STRING: Adaptive Security Appliance 'GigabitEthernet0/3' interface
IF-MIB::ifDescr.7 = STRING: Adaptive Security Appliance 'stateifha' interface
IF-MIB::ifDescr.8 = STRING: Adaptive Security Appliance 'statelink' interface
IF-MIB::ifDescr.9 = STRING: Adaptive Security Appliance 'Internal-Data0/1' interface
IF-MIB::ifDescr.10 = STRING: Adaptive Security Appliance 'cplane' interface
IF-MIB::ifDescr.11 = STRING: Adaptive Security Appliance 'mgmt_plane_int_tap' interface
IF-MIB::ifDescr.12 = STRING: Adaptive Security Appliance 'management' interface
IF-MIB::ifDescr.13 = STRING: Adaptive Security Appliance 'Virtual254' interface
IF-MIB::ifDescr.14 = STRING: Adaptive Security Appliance 'Port-channel5' interface
IF-MIB::ifDescr.15 = STRING: Adaptive Security Appliance 'VLAN_USGLB_OOB' interface
IF-MIB::ifDescr.16 = STRING: Adaptive Security Appliance 'VLAN_USGLBHSTHYP_MGNT' interface
IF-MIB::ifDescr.17 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_OM' interface
IF-MIB::ifDescr.18 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_MGNTOM' interface
IF-MIB::ifDescr.19 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_MGNT' interface
IF-MIB::ifDescr.20 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_SRVF' interface
IF-MIB::ifDescr.21 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_SRVB' interface
IF-MIB::ifDescr.22 = STRING: Adaptive Security Appliance 'VLAN_USGLB_DMZ' interface


Input discards

[user@FIREWALL01 ~]$ snmpwalk -v 2c -c xxxxxxxxxx 10.255.16.1 | grep ifInDiscards
IF-MIB::ifInDiscards.2 = Counter32: 0
IF-MIB::ifInDiscards.3 = Counter32: 0
IF-MIB::ifInDiscards.4 = Counter32: 0
IF-MIB::ifInDiscards.5 = Counter32: 0
IF-MIB::ifInDiscards.6 = Counter32: 0
IF-MIB::ifInDiscards.7 = Counter32: 0
IF-MIB::ifInDiscards.8 = Counter32: 0
IF-MIB::ifInDiscards.9 = Counter32: 0
IF-MIB::ifInDiscards.10 = Counter32: 0
IF-MIB::ifInDiscards.11 = Counter32: 0
IF-MIB::ifInDiscards.12 = Counter32: 0
IF-MIB::ifInDiscards.13 = Counter32: 0
IF-MIB::ifInDiscards.14 = Counter32: 0
IF-MIB::ifInDiscards.15 = Counter32: 12481926
IF-MIB::ifInDiscards.16 = Counter32: 9927941
IF-MIB::ifInDiscards.17 = Counter32: 134120211
IF-MIB::ifInDiscards.18 = Counter32: 124695686
IF-MIB::ifInDiscards.19 = Counter32: 27081148
IF-MIB::ifInDiscards.20 = Counter32: 2941537222
IF-MIB::ifInDiscards.21 = Counter32: 32714719
IF-MIB::ifInDiscards.22 = Counter32: 4008856


Output discards

[user@FIREWALL01 ~]$ snmpwalk -v 2c -c xxxxxxxxxxxx 10.255.16.1 | grep ifOutDiscards
IF-MIB::ifOutDiscards.2 = Counter32: 0
IF-MIB::ifOutDiscards.3 = Counter32: 0
IF-MIB::ifOutDiscards.4 = Counter32: 0
IF-MIB::ifOutDiscards.5 = Counter32: 3635696
IF-MIB::ifOutDiscards.6 = Counter32: 119099
IF-MIB::ifOutDiscards.7 = Counter32: 0
IF-MIB::ifOutDiscards.8 = Counter32: 0
IF-MIB::ifOutDiscards.9 = Counter32: 0
IF-MIB::ifOutDiscards.10 = Counter32: 0
IF-MIB::ifOutDiscards.11 = Counter32: 0
IF-MIB::ifOutDiscards.12 = Counter32: 0
IF-MIB::ifOutDiscards.13 = Counter32: 0
IF-MIB::ifOutDiscards.14 = Counter32: 3754795
IF-MIB::ifOutDiscards.15 = Counter32: 0
IF-MIB::ifOutDiscards.16 = Counter32: 0
IF-MIB::ifOutDiscards.17 = Counter32: 0
IF-MIB::ifOutDiscards.18 = Counter32: 0
IF-MIB::ifOutDiscards.19 = Counter32: 0
IF-MIB::ifOutDiscards.20 = Counter32: 0
IF-MIB::ifOutDiscards.21 = Counter32: 0
IF-MIB::ifOutDiscards.22 = Counter32: 0


Output discards may be normal, but I don't understand the input discards in the virtual subinterfaces of PortChannel5.

On the other hand, the show interface command on the subinterfaces doesn't show errors or discarded packets:

FIREWALL01/pri/act#    sh interface VLAN_USGLBVRM_SRVB detail 
Interface Port-channel5.1020 "VLAN_USGLBVRM_SRVB", is up, line protocol is up
  Hardware is EtherChannel/LACP, BW 2000 Mbps, DLY 10 usec
        VLAN identifier 1020
        Description: VLAN_USGLBVRM_SRVB
        MAC address 6073.5c69.0917, MTU 1500
        IP address 10.255.19.65, subnet mask 255.255.255.192
  Traffic Statistics for "VLAN_USGLBVRM_SRVB":
        42067433644 packets input, 45125599467459 bytes
        28153119062 packets output, 8866514693262 bytes
        32715765 packets dropped
  Control Point Interface States:
        Interface number is 21
        Interface config status is active
        Interface state is active
  Control Point Vlan1020 States:
        Interface vlan config status is active
        Interface vlan state is UP

FIREWALL01/pri/act#    sh interface VLAN_USGLBVRM_SRVF detail 
Interface Port-channel5.1019 "VLAN_USGLBVRM_SRVF", is up, line protocol is up
  Hardware is EtherChannel/LACP, BW 2000 Mbps, DLY 10 usec
        VLAN identifier 1019
        Description: VLAN_USGLBVRM_SRVF
        MAC address 6073.5c69.0917, MTU 1500
        IP address 10.255.19.1, subnet mask 255.255.255.192
  Traffic Statistics for "VLAN_USGLBVRM_SRVF":
        30475814698 packets input, 14615432248013 bytes
        27472348465 packets output, 20872697455933 bytes
        2941588838 packets dropped
  Control Point Interface States:
        Interface number is 20
        Interface config status is active
        Interface state is active
  Control Point Vlan1019 States:
        Interface vlan config status is active
        Interface vlan state is UP

FIREWALL01/pri/act#

Can anyone explain why so many input errors appear in the subinterfaces?


Thanks in advance!
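As an added example (not from the thread), the following Python joins the two outputs above on ifIndex and checks the relation the numbers already show: the "packets dropped" counter in show interface detail for each subinterface is the same counter SNMP reports as ifInDiscards (the CLI's "Interface number" matches the SNMP ifIndex here), and Port-channel5's ifOutDiscards equals the sum of its two members'. It also handles the Counter32 wrap a graphing poller must expect at these magnitudes; the sample text is copied from the outputs above, and the tolerance used for matching is my assumption.

```python
"""Join IF-MIB discard counters (snmpwalk) with `show interface <nameif> detail`
on ifIndex: in this thread the CLI's "Interface number is N" is the SNMP ifIndex.
The sample text below is copied from the thread's own outputs."""
import re

SNMPWALK = """\
IF-MIB::ifDescr.20 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_SRVF' interface
IF-MIB::ifDescr.21 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_SRVB' interface
IF-MIB::ifInDiscards.20 = Counter32: 2941537222
IF-MIB::ifInDiscards.21 = Counter32: 32714719
IF-MIB::ifOutDiscards.5 = Counter32: 3635696
IF-MIB::ifOutDiscards.6 = Counter32: 119099
IF-MIB::ifOutDiscards.14 = Counter32: 3754795
"""
SHOW_INTERFACE = """\
Interface Port-channel5.1020 "VLAN_USGLBVRM_SRVB", is up, line protocol is up
  Traffic Statistics for "VLAN_USGLBVRM_SRVB":
        32715765 packets dropped
  Control Point Interface States:
        Interface number is 21
Interface Port-channel5.1019 "VLAN_USGLBVRM_SRVF", is up, line protocol is up
  Traffic Statistics for "VLAN_USGLBVRM_SRVF":
        2941588838 packets dropped
  Control Point Interface States:
        Interface number is 20
"""
SNMP_LINE = re.compile(r"IF-MIB::(\w+)\.(\d+) = (?:STRING|Counter32): (.*)")
COUNTER32_MAX = 2 ** 32  # IF-MIB has no 64-bit (HC) variant of the discard counters

def parse_snmpwalk(text):
    """Map ifIndex -> {column: value}; ifDescr is reduced to the quoted nameif."""
    table = {}
    for line in text.splitlines():
        if not (m := SNMP_LINE.match(line)):
            continue
        col, idx, val = m.groups()
        if col == "ifDescr":
            q = re.search(r"'([^']+)'", val)
            val = q.group(1) if q else val
        else:
            val = int(val)
        table.setdefault(int(idx), {})[col] = val
    return table

def parse_show_interface(text):
    """Map nameif -> {'dropped': n, 'ifindex': n} from `show interface ... detail`."""
    out, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r'Interface \S+ "([^"]+)"', line):
            cur = m.group(1)
            out[cur] = {}
        elif cur and (m := re.match(r"\s*(\d+) packets dropped", line)):
            out[cur]["dropped"] = int(m.group(1))
        elif cur and (m := re.match(r"\s*Interface number is (\d+)", line)):
            out[cur]["ifindex"] = int(m.group(1))
    return out

def counter32_delta(prev, cur):
    """Increment between two polls, correcting for one Counter32 wrap
    (ifInDiscards.20 above is already at 2.9e9 of a 4.29e9 range)."""
    return (cur - prev) % COUNTER32_MAX

def correlate(snmp, cli, tolerance=0.001):
    """Compare each subinterface's CLI 'packets dropped' with the SNMP ifInDiscards
    at the same ifIndex; the outputs were taken at different moments, hence `tolerance`."""
    rows = []
    for name, info in cli.items():
        entry = snmp.get(info["ifindex"], {})
        snmp_in = entry.get("ifInDiscards")
        ok = (entry.get("ifDescr") == name and snmp_in is not None
              and abs(snmp_in - info["dropped"]) <= tolerance * info["dropped"])
        rows.append({"nameif": name, "ifindex": info["ifindex"], "snmp": snmp_in,
                     "cli": info["dropped"], "match": ok})
    return rows

def portchannel_out_discards(snmp, po_index, member_indexes):
    """Return (Port-channel ifOutDiscards, sum of the members' ifOutDiscards)."""
    return (snmp[po_index]["ifOutDiscards"],
            sum(snmp[i]["ifOutDiscards"] for i in member_indexes))
```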



6 Replies

How much traffic do you have traversing the Gig0/2 and Gig0/3 interfaces?

Could you issue the commands

show int Gig0/2

show int Gig0/3

show int po5

show cpu usage

show blocks

and post the outputs here please

--

Please remember to select a correct answer and rate helpful posts

Thanks for answering, Marius.

On special occasions the interfaces carry 500 Mbps of traffic, and sometimes 200 Mbps is sustained.

Interface Gi0/2

Interface Gi0/3

The output from the commands you requested is:


FIREWALL01/pri/act# show int Gig0/2
Interface GigabitEthernet0/2 "", is up, line protocol is up
  Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is off
        Description: USGLBHSTLSW01_Te_1_0_12_Redes_Internas
        Active member of Port-channel5
        MAC address 6073.5c69.0917, MTU not set
        IP address unassigned
        178710915166 packets input, 178541289399642 bytes, 0 no buffer
        Received 187201112 broadcasts, 0 runts, 0 giants
        118028 input errors, 0 CRC, 0 frame, 118028 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        208486454561 packets output, 212811416855624 bytes, 3638684 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        input queue (blocks free curr/low): hardware (488/362)
        output queue (blocks free curr/low): hardware (461/0)


FIREWALL01/pri/act# show int Gig0/3
Interface GigabitEthernet0/3 "", is up, line protocol is up
  Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is off
        Description: USGLBHSTLSW01_Te_1_0_22_Redes_Internas
        Active member of Port-channel5
        MAC address 6073.5c69.0914, MTU not set
        IP address unassigned
        165919279164 packets input, 163593124051029 bytes, 0 no buffer
        Received 190662133 broadcasts, 0 runts, 0 giants
        36061 input errors, 0 CRC, 0 frame, 36061 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        134001721425 packets output, 128036039088512 bytes, 119099 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        input queue (blocks free curr/low): hardware (466/362)
        output queue (blocks free curr/low): hardware (472/0)


FIREWALL01/pri/act# show int po5
Interface Port-channel5 "", is up, line protocol is up
  Hardware is EtherChannel/LACP, BW 2000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is off
        Description: Redes_internas
        Available but not configured via nameif
        MAC address 6073.5c69.0917, MTU not set
        IP address unassigned
  Members in this channel:
      Active:   Gi0/2 Gi0/3 


FIREWALL01/pri/act# show cpu usage
CPU utilization for 5 seconds = 8%; 1 minute: 7%; 5 minutes: 7%


FIREWALL01/pri/act# show blocks
  SIZE    MAX    LOW    CNT
     0   1450   1386   1450
     4    248    246    247
    80   1400   1293   1400
   256   5560   5351   5541
  1550   8427   8045   8342
  2048   1600   1580   1600
  2560   1476   1454   1476
  4096    170      0    169
  8192    100     99    100
  9344    100    100    100
 16384    126    126    126
 65536     16     16     16


Looks like something is causing a low memory condition

4096    170      0    169

Could you also issue the following commands and post the outputs here.

show proc cpu-hog

show blocks interface

show blocks queue history

show asp drop

--

Please remember to select a correct answer and rate helpful posts


The output from the commands you requested is:


FIREWALL01/pri/act# show proc cpu-hog

Process:      tmatch compile thread, NUMHOG: 11, MAXHOG: 2, LASTHOG: 2
LASTHOG At:   15:55:36 UTC Jan 28 2015
PC:           0x000000000042ae2e (suspend)
Call stack:   0x000000000065b1c2  0x000000000064d53d  0x0000000000644600
              0x0000000000644600  0x0000000000644600  0x0000000000644600
              0x0000000000644600  0x0000000000644600  0x0000000000644600
              0x0000000000644ee4  0x0000000000644600  0x000000000064f4eb
              0x0000000000666108  0x000000000065bee9

Process:      tmatch compile thread, NUMHOG: 5, MAXHOG: 2, LASTHOG: 2
LASTHOG At:   16:01:37 UTC Jan 28 2015
PC:           0x000000000042ae2e (suspend)
Call stack:   0x000000000065799d  0x000000000064429e  0x0000000000644600
              0x0000000000644600  0x0000000000644600  0x0000000000648361
              0x0000000000649bab  0x0000000000644600  0x0000000000644600
              0x0000000000644ee4  0x0000000000644600  0x000000000064f4eb
              0x0000000000666108  0x000000000065bee9

Process:      tmatch compile thread, NUMHOG: 9, MAXHOG: 2, LASTHOG: 2
LASTHOG At:   16:01:37 UTC Jan 28 2015
PC:           0x000000000042ae2e (suspend)
Call stack:   0x000000000065799d  0x000000000064efe6  0x000000000064f2f0
              0x0000000000666108  0x000000000065bee9  0x0000000000428d45
            
              
Process:      tmatch compile thread, NUMHOG: 3, MAXHOG: 2, LASTHOG: 2
LASTHOG At:   16:01:37 UTC Jan 28 2015
PC:           0x000000000042ae2e (suspend)
Call stack:   0x000000000065799d  0x0000000000641b91  0x0000000000641bc3
              0x0000000000641c13  0x0000000000641c13  0x000000000064f4bf
              0x0000000000666108  0x000000000065bee9  0x0000000000428d45
            

Process:      snmp, PROC_PC_TOTAL: 1, MAXHOG: 2, LASTHOG: 2
LASTHOG At:   16:02:18 UTC Jan 28 2015
PC:           0x00000000014d38cc (suspend)

Process:      snmp, NUMHOG: 1, MAXHOG: 2, LASTHOG: 2
LASTHOG At:   16:02:18 UTC Jan 28 2015
PC:           0x00000000014d38cc (suspend)
Call stack:   0x00000000014d38cc  0x00000000014d251a  0x00000000014cf2da
              0x00000000014d20d7  0x00000000014ac3ca  0x00000000014aab3a
              0x0000000000428d45

Process:      tmatch compile thread, PROC_PC_TOTAL: 256877, MAXHOG: 4, LASTHOG: 2
LASTHOG At:   16:04:22 UTC Jan 28 2015
PC:           0x000000000042ae2e (suspend)

Process:      tmatch compile thread, NUMHOG: 9, MAXHOG: 2, LASTHOG: 2
LASTHOG At:   16:04:22 UTC Jan 28 2015
PC:           0x000000000042ae2e (suspend)
Call stack:   0x000000000065799d  0x000000000064429e  0x0000000000644ee4
              0x0000000000644600  0x0000000000644600  0x0000000000644600
              0x0000000000644ee4  0x000000000064903f  0x0000000000649bab
              0x000000000064f4eb  0x0000000000666108  0x000000000065bee9
              0x0000000000428d45

Process:      CP ARP Processing, PROC_PC_TOTAL: 80, MAXHOG: 2, LASTHOG: 1
LASTHOG At:   16:04:41 UTC Jan 28 2015
PC:           0x0000000000799f8a (suspend)

Process:      CP ARP Processing, NUMHOG: 80, MAXHOG: 2, LASTHOG: 1
LASTHOG At:   16:04:41 UTC Jan 28 2015
PC:           0x0000000000799f8a (suspend)
Call stack:   0x0000000000799f8a  0x0000000000428d45

Process:      CP HA Processing, PROC_PC_TOTAL: 86, MAXHOG: 2, LASTHOG: 2
LASTHOG At:   16:05:20 UTC Jan 28 2015
PC:           0x00000000007999af (suspend)

Process:      CP HA Processing, NUMHOG: 86, MAXHOG: 2, LASTHOG: 2
LASTHOG At:   16:05:20 UTC Jan 28 2015
PC:           0x00000000007999af (suspend)
Call stack:   0x00000000007999af  0x0000000000428d45

Process:      CP Crypto Result Processing, PROC_PC_TOTAL: 193, MAXHOG: 2, LASTHOG: 1
LASTHOG At:   16:05:29 UTC Jan 28 2015
PC:           0x00000000007998b2 (suspend)

Process:      CP Crypto Result Processing, NUMHOG: 193, MAXHOG: 2, LASTHOG: 1
LASTHOG At:   16:05:29 UTC Jan 28 2015
PC:           0x00000000007998b2 (suspend)
Call stack:   0x00000000007998b2  0x0000000000428d45

Process:      CP Midpath Processing, PROC_PC_TOTAL: 251, MAXHOG: 2, LASTHOG: 2
LASTHOG At:   16:06:36 UTC Jan 28 2015
PC:           0x0000000000799bc8 (suspend)

Process:      CP Midpath Processing, NUMHOG: 251, MAXHOG: 2, LASTHOG: 2
LASTHOG At:   16:06:36 UTC Jan 28 2015
PC:           0x0000000000799bc8 (suspend)
Call stack:   0x0000000000799bc8  0x0000000000428d45

Process:      ssh_init, PROC_PC_TOTAL: 1, MAXHOG: 1, LASTHOG: 1
LASTHOG At:   16:06:53 UTC Jan 28 2015
PC:           0x000000000042aec0 (suspend)
              
Process:      ssh_init, NUMHOG: 1, MAXHOG: 1, LASTHOG: 1
LASTHOG At:   16:06:53 UTC Jan 28 2015
PC:           0x000000000042aec0 (suspend)
Call stack:   0x000000000042aec0  0x00000000005654f9  0x0000000001c65b07
              0x00007fff2ee71800

Process:      SRTP Processing, PROC_PC_TOTAL: 167, MAXHOG: 2, LASTHOG: 1
LASTHOG At:   16:07:00 UTC Jan 28 2015
PC:           0x0000000000799aaa (suspend)

Process:      SRTP Processing, NUMHOG: 167, MAXHOG: 2, LASTHOG: 1
LASTHOG At:   16:07:00 UTC Jan 28 2015
PC:           0x0000000000799aaa (suspend)
Call stack:   0x0000000000799aaa  0x0000000000428d45

Process:      CP Processing, PROC_PC_TOTAL: 4246, MAXHOG: 2, LASTHOG: 1
LASTHOG At:   16:07:04 UTC Jan 28 2015
PC:           0x0000000000799d98 (suspend)

Process:      CP Processing, NUMHOG: 4246, MAXHOG: 2, LASTHOG: 1
LASTHOG At:   16:07:04 UTC Jan 28 2015
PC:           0x0000000000799d98 (suspend)
Call stack:   0x0000000000799d98  0x0000000000428d45
              
Process:      snmp, PROC_PC_TOTAL: 114629, MAXHOG: 16, LASTHOG: 12
LASTHOG At:   16:07:05 UTC Jan 28 2015
PC:           0x00000000014d3c87 (suspend)

Process:      snmp, NUMHOG: 114623, MAXHOG: 16, LASTHOG: 12
LASTHOG At:   16:07:05 UTC Jan 28 2015
PC:           0x00000000014d3c87 (suspend)
Call stack:   0x00000000014d3c87  0x00000000014d2653  0x00000000014cf2da
              0x00000000014d20d7  0x00000000014ac3ca  0x00000000014aab3a
              0x0000000000428d45

Process:      CP Threat-Detection Processing, PROC_PC_TOTAL: 261, MAXHOG: 2, LASTHOG: 1
LASTHOG At:   16:07:12 UTC Jan 28 2015
PC:           0x000000000079a06f (suspend)

Process:      CP Threat-Detection Processing, NUMHOG: 261, MAXHOG: 2, LASTHOG: 1
LASTHOG At:   16:07:12 UTC Jan 28 2015
PC:           0x000000000079a06f (suspend)
Call stack:   0x000000000079a06f  0x0000000000428d45

Process:      CP DP CXSC Event Processing, PROC_PC_TOTAL: 72, MAXHOG: 2, LASTHOG: 2
LASTHOG At:   16:07:16 UTC Jan 28 2015
PC:           0x0000000000799e97 (suspend)
              
Process:      CP DP CXSC Event Processing, NUMHOG: 72, MAXHOG: 2, LASTHOG: 2
LASTHOG At:   16:07:16 UTC Jan 28 2015
PC:           0x0000000000799e97 (suspend)
Call stack:   0x0000000000799e97  0x0000000000428d45

Process:      tmatch compile thread, PROC_PC_TOTAL: 560915, MAXHOG: 4, LASTHOG: 1
LASTHOG At:   16:07:21 UTC Jan 28 2015
PC:           0x000000000065b2c1 (suspend)

Process:      tmatch compile thread, NUMHOG: 484306, MAXHOG: 4, LASTHOG: 1
LASTHOG At:   16:07:21 UTC Jan 28 2015
PC:           0x000000000065b2c1 (suspend)
Call stack:   0x000000000065b2c1  0x0000000000428d45

Process:      DATAPATH-0-1152, PROC_PC_TOTAL: 2164902, MAXHOG: 44, LASTHOG: 2
LASTHOG At:   16:07:32 UTC Jan 28 2015
PC:           0x0000000000000000 (suspend)

Process:      DATAPATH-0-1152, NUMHOG: 2162817, MAXHOG: 44, LASTHOG: 2
LASTHOG At:   16:07:32 UTC Jan 28 2015
PC:           0x0000000000000000 (suspend)
Call stack:   0x000000000041a19e  0x000000000041a373  0x000000000069774b
              0x000000000135906f  0x0000000001363fcd  0x0000000001369613
              0x00007ffffeccef3a

CPU hog threshold (msec):  1.542
Last cleared: None
FIREWALL01/pri/act#              
FIREWALL01/pri/act# 
FIREWALL01/pri/act# 
FIREWALL01/pri/act# 
FIREWALL01/pri/act# 
FIREWALL01/pri/act# show blocks interface
 Memory Pool  SIZE  LIMIT/MAX     LOW     CNT  GLB:HELD     GLB:TOTAL
       DMA    2048       4032    4032       0         0             0
   Cache pool statistics:
    Queue          LIMIT/MAX     LOW     CNT
    Core 0              2016    2015    2016
    Global              2016    2016    2016

 Memory Pool  SIZE  LIMIT/MAX     LOW     CNT  GLB:HELD     GLB:TOTAL
       DMA    1550       8704    4285    4285         0             0
   Cache pool statistics:
    Queue          LIMIT/MAX     LOW     CNT
    Core 0              1024       0     792
    Global              1024       0       0

FIREWALL01/pri/act# show blocks queue history
History buffer memory usage: 3744 bytes (default)
History analysis time limit: 100 msec
Each Summary for User and Queue_type is followed by its top 5 individual queues
Blocks shown below are used blocks

Analysis elapsed time: 197 usec
Snapshot created at 02:34:13 UTC Dec 16 2014
Block Size: 4096
  Blk_cnt Last_Op Queue_Type             Id/Interface User         Context
      100 get     <alloc_pc 0x9609d0>    <na>         <na>         

Please see 'show blocks exhaustion snapshot' for more information
FIREWALL01/pri/act# show asp drop

Frame drop:
  NAT-T keepalive message (natt-keepalive)                                 27690
  IPSEC tunnel is down (ipsec-tun-down)                                   801309
  SVC Module does not have a channel for reinjection (mp-svc-no-channel)                                     1573
  SVC Module does not have a session (mp-svc-no-session)                     893
  SVC Module is in flow control (mp-svc-flow-control)                     360863
  SVC Module unable to fragment packet (mp-svc-no-fragment)                   17
  VPN reclassify failed (vpn-reclassify-failed)                             5093
  Flow is being freed (flow-being-freed)                                       4
  Invalid TCP Length (invalid-tcp-hdr-length)                                  2
  Invalid UDP Length (invalid-udp-length)                                      1
  No route to host (no-route)                                              92872
  Reverse-path verify failed (rpf-violated)                               230390
  Flow is denied by configured rule (acl-drop)                          42100526
  Invalid SPI (np-sp-invalid-spi)                                         982633
  First TCP packet not SYN (tcp-not-syn)                                 9362786
  Bad TCP checksum (bad-tcp-cksum)                                             9
  TCP failed 3 way handshake (tcp-3whs-failed)                           2835203
  TCP RST/FIN out of order (tcp-rstfin-ooo)                              1505578
  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                           342
  TCP SYNACK on established conn (tcp-synack-ooo)                              1
  TCP packet SEQ past window (tcp-seq-past-win)                            94929
  TCP invalid ACK (tcp-invalid-ack)                                           56
  TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout)                  2
  TCP RST/SYN in window (tcp-rst-syn-in-win)                                1453
  TCP packet failed PAWS test (tcp-paws-fail)                                174
  CTM returned error (ctm-error)                                              24
  Early security checks failed (security-failed)                             828
  Slowpath security checks failed (sp-security-failed)                 300444641
  IP option drop (invalid-ip-option)                                         589
  Expired flow (flow-expired)                                                  3
  ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched)        364
  ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn)                                  7202
  DNS Inspect invalid packet (inspect-dns-invalid-pak)                     71037
  DNS Inspect invalid domain label (inspect-dns-invalid-domain-label)        187
  DNS Inspect packet too long (inspect-dns-pak-too-long)                    1742
  DNS Inspect id not matched (inspect-dns-id-not-matched)                2214063
  FP L2 rule drop (l2_acl)                                            3201556335
  Interface is down (interface-down)                                          11
  Dropped pending packets in a closed socket (np-socket-closed)            86460
  IKE new SA limit exceeded (ike-sa-rate-limit)                           378207
  NAT failed (nat-xlate-failed)                                             1437
  Connection to PAT address without pre-existing xlate (nat-no-xlate-to-pat-pool)                              74

Last clearing: Never

Flow drop:
  Tunnel has been torn down (tunnel-torn-down)                             10008
  Tunnel being brought up or torn down (tunnel-pending)                      178
  Need to start IKE negotiation (need-ike)                                948130
  VPN handle not found (vpn-handle-not-found)                                130
  SVC replacement connection established (svc-replacement-conn)              968
  Expired VPN context (vpn-context-expired)                                   12
  VPN overlap conflict (vpn-overlap-conflict)                                 50
  Flow is denied by access rule (acl-drop)                                118948
  Inspection failure (inspect-fail)                                     11165664
  SSL bad record detected (ssl-bad-record-detect)                            100
  SSL handshake failed (ssl-handshake-failed)                             250460
  DTLS hello processed and closed (dtls-hello-close)                         856
  SSL malloc error (ssl-malloc-error)                                         24
  SVC inner policy mismatch failure (svc-selector-failure)                   104

Last clearing: Never
FIREWALL01/pri/act# exit
FIREWALL01/pri/act#

Hi, sorry for the very late reply.

There are a lot of overruns on your interface and there are a lot of drops on the slow path security check and the l2-acl drop in the show asp drop output.

Have you verified that the traffic going through the ASA is legitimate and that you are not subject to an attack?

Check the output of show local-host, show local-host all and show local-host detail. You could also use the command show conn detail and check if you are under a SYN attack. Look for flags that are set to saA. You can use the following link to decode the flags:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113602-ptn-113602.html

--

Please remember to select a correct answer and rate helpful posts
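An added helper for the show conn detail check (mine, not Marius's or Cisco's): it parses conn entries, picks out TCP connections whose flags contain the saA combination (the handshake never completed), and ranks the sources and destinations behind them so a flood against one server or from a few sources stands out. The conn lines are a constructed sample in the two-line show conn detail layout with documentation-range outside addresses, and the thresholds in looks_like_syn_flood are illustrative assumptions.

```python
"""Triage `show conn detail` output for embryonic TCP connections (flags
containing s, a and A: awaiting SYN / ACK-to-SYN, never reached 'U' for up),
as a first check for the SYN-attack pattern described in the reply above.
SAMPLE_CONNS is a constructed sample, not captured from the firewall."""
import re
from collections import Counter

SAMPLE_CONNS = """\
TCP outside: 203.0.113.45/51234 inside: 10.255.19.10/443,
    flags saA, idle 2s, uptime 2s, timeout 30s, bytes 0
TCP outside: 203.0.113.45/51235 inside: 10.255.19.10/443,
    flags saA, idle 1s, uptime 1s, timeout 30s, bytes 0
TCP outside: 198.51.100.7/40001 inside: 10.255.19.10/443,
    flags saA, idle 3s, uptime 3s, timeout 30s, bytes 0
TCP outside: 198.51.100.7/40002 inside: 10.255.19.11/443,
    flags saAB, idle 0s, uptime 0s, timeout 30s, bytes 0
TCP outside: 203.0.113.9/55000 inside: 10.255.19.10/443,
    flags UIO, idle 0s, uptime 4m12s, timeout 1h0m, bytes 18320
UDP outside: 203.0.113.9/53 inside: 10.255.19.20/5353,
    flags -, idle 5s, uptime 5s, timeout 2m0s, bytes 240
"""

HEADER = re.compile(r"^(TCP|UDP)\s+(\w+):\s*([\d.]+)/(\d+)\s+(\w+):\s*([\d.]+)/(\d+)")
FLAGS = re.compile(r"\bflags\s+(\S+?),")
EMBRYONIC = set("saA")  # the flag combination Marius points to


def parse_show_conn(text):
    """Return one dict per connection, pairing each header line with its detail line."""
    conns, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            proto, ifa, ipa, porta, ifb, ipb, portb = m.groups()
            cur = {"proto": proto, "src_if": ifa, "src": ipa, "sport": int(porta),
                   "dst_if": ifb, "dst": ipb, "dport": int(portb), "flags": ""}
            conns.append(cur)
        elif cur and (m := FLAGS.search(line)):
            cur["flags"] = m.group(1)
    return conns


def is_embryonic(conn):
    return conn["proto"] == "TCP" and EMBRYONIC <= set(conn["flags"]) and "U" not in conn["flags"]


def summarize(conns, top=3):
    """Count embryonic TCP conns overall and by source / destination."""
    emb = [c for c in conns if is_embryonic(c)]
    tcp = sum(1 for c in conns if c["proto"] == "TCP")
    return {
        "tcp_total": tcp,
        "embryonic": len(emb),
        "embryonic_ratio": len(emb) / tcp if tcp else 0.0,
        "top_sources": Counter(c["src"] for c in emb).most_common(top),
        "top_destinations": Counter(f'{c["dst"]}:{c["dport"]}' for c in emb).most_common(top),
    }


def looks_like_syn_flood(summary, min_embryonic=50, min_ratio=0.5):
    """Heuristic trigger: many embryonic conns AND they dominate the TCP table.
    Thresholds are illustrative; tune them to the box's normal baseline."""
    return summary["embryonic"] >= min_embryonic and summary["embryonic_ratio"] >= min_ratio
```

On a real box the same functions run over the saved output of show conn detail; a large embryonic share concentrated on one destination is the case to investigate before concluding the ASA is simply out of capacity.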


If the traffic that is passing through the ASA is legitimate then your ASA is about to reach (if not already reached) its throughput limit and needs to be upgraded.

--

Please remember to select a correct answer and rate helpful posts
