09-16-2008 08:41 PM - edited 03-11-2019 06:45 AM
Hi guys,
I am facing some packet drops in the LAN after implementation of the FWSM context. Please let me know whether any configuration needs to be done to avoid this?
Please suggest... thanks in advance
09-17-2008 08:32 AM
You need to find out what is being dropped. Is it really the FWSM, or is something else dropping the packets? If your environment didn't have a firewall before and you are introducing the FWSM to it, some applications might not be firewall-friendly, such as in-house built software. If you want to find out if your FWSM is dropping the packets, do "show asp drop" from the CLI. And use "capture capture_name type asp-drop" to capture any dropped packets.
09-18-2008 01:49 AM
Thanks, friend... Here is the output
FWSM/Infra# sh capture noc
0 packet seen, 0 captured
0 packet shown
FWSMPRI/Infra# sh asp drop
Frame drop:
No route to host 85151
Bad TCP flags 22
TCP failed 3 way handshake 7
TCP RST/FIN out of order 258
TCP packet SEQ past window 1625
TCP invalid ACK 7866937105
TCP packet buffer full 64556
TCP DUP and has been ACKed 548228
TCP packet failed PAWS test 414366
Packet hit an invalid connection 105
Invalid connection address in delete indication 2783892
Flow drop:
I have not observed any drops in capture
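The "show asp drop" counters posted above are lifetime totals since boot, so a single reading cannot show whether the FWSM is dropping anything right now; what matters is how much each counter grows over an interval. The following is an added example (not from this thread or from Cisco) that parses two snapshots in that output format and ranks the reasons by their increase. The snapshot text is constructed to match the format shown in the thread; the counter values are illustrative.

```python
import re
from typing import Dict, List, Tuple

# Constructed "show asp drop" snapshots, shaped like the output in the thread.
# Counters are cumulative since boot; the values here are made up.
SNAPSHOT_T0 = """\
Frame drop:
  No route to host                                     85151
  TCP invalid ACK                                 7866937105
  TCP packet buffer full                               64556
Flow drop:
"""
SNAPSHOT_T1 = """\
Frame drop:
  No route to host                                     85900
  TCP invalid ACK                                 7866937130
  TCP packet buffer full                               64556
  Bad TCP flags                                            3
Flow drop:
"""

SECTION_RE = re.compile(r"^(\S.*?):\s*$")          # e.g. "Frame drop:"
COUNTER_RE = re.compile(r"^\s*(.+?)\s+(\d+)\s*$")  # "<reason>   <count>"

def parse_asp_drop(text: str) -> Dict[str, Dict[str, int]]:
    """Parse 'show asp drop' text into {section: {reason: cumulative_count}}."""
    sections: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1).strip()] = int(m.group(2))
    return sections

def drop_deltas(before: str, after: str) -> List[Tuple[str, str, int]]:
    """(section, reason, increase) for every counter that grew between two
    snapshots, largest increase first. Unchanged counters are omitted and a
    reason that only appears in the second snapshot counts from zero."""
    old, new = parse_asp_drop(before), parse_asp_drop(after)
    deltas = []
    for section, reasons in new.items():
        for reason, count in reasons.items():
            delta = count - old.get(section, {}).get(reason, 0)
            if delta > 0:
                deltas.append((section, reason, delta))
    return sorted(deltas, key=lambda d: d[2], reverse=True)

if __name__ == "__main__":
    for section, reason, delta in drop_deltas(SNAPSHOT_T0, SNAPSHOT_T1):
        print(f"{section:11s} {reason:40s} +{delta}")
```

Take the first snapshot, reproduce the ping failures, take the second, and the reasons at the top of the list are the ones worth matching against a "capture ... type asp-drop" run.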
09-18-2008 01:51 AM
I am getting the below response intermittently. Please let me know what could be the issue... Thanks
Reply from 172.17.117.24: bytes=32 time<1ms TTL=126
Reply from 172.17.117.24: bytes=32 time<1ms TTL=126
Reply from 172.17.117.24: bytes=32 time<1ms TTL=126
Reply from 172.17.117.24: bytes=32 time<1ms TTL=126
Reply from 172.17.10.25: Destination host unreachable.
Reply from 172.17.10.25: Destination host unreachable.
Reply from 172.17.10.25: Destination host unreachable.
Reply from 172.17.10.25: Destination host unreachable.
Reply from 172.17.10.25: Destination host unreachable.
Reply from 172.17.117.24: bytes=32 time=1ms TTL=126
Reply from 172.17.117.24: bytes=32 time<1ms TTL=126
Reply from 172.17.117.24: bytes=32 time<1ms TTL=126
09-18-2008 01:53 AM
Is it random packets or ALL packets going to a VLAN? The FWSM needs an ACL to pass traffic even on highest security level (100) interfaces. This is different from PIX/ASA. If it's random, you already got the answer from the original responder (show asp drop etc.)
Also check the syslogs for any deny/discards/drops etc.
Regards
Farrukh
09-18-2008 02:31 AM
This is an initial setup, and I have given full access from outside to inside and vice versa.
09-18-2008 06:13 AM
Hi Manik,
I would recommend that you start by setting up a SPAN session for both VLANs on either side of the FWSM. Depending on what version of FWSM code you are running (and this would be helpful to know as well), captures taken directly on the firewall can be unreliable. The SPAN captures will give you a fairly good indication of what is going on and how the FWSM is affecting the traffic flow, or at least where to start your troubleshooting.
-Mike