05-11-2017 12:32 PM - edited 03-12-2019 02:20 AM
I have a permitted rule on my ASA 5585 appliance.
When I run the packet trace on a permitted rule I get the following output:
Type: Route Lookup Action Allow
Info Found next hop...
Access List, Type: Access List, Action: DROP
Config Implicit Rule
Result: the packet is dropped
Input/output interfaces are both UP
Info: (acl drop) flow is denied by configured rule
Not sure why this is occurring. Other permitted rules packet trace out just fine.
05-11-2017 01:04 PM
Could you paste the ACL line and the complete packet-tracer command and output?
05-16-2017 05:42 AM
I recently upgraded my Cisco ASA 5585 from ASA 9.1(4) to 9.6(3)1, and ASDM 7.1(5) to 7.6.2(150).
Once I did that there have been some packets dropped on some of the interface traffic.
This traffic is on port channels. Is upgrading the software and firmware going to affect this?
The interfaces are all up and up. The traffic is hitting the access rules that are in place and did not change prior to the upgrade, and I do not see any denies.
I see traffic build from src to dest, but then I see the traffic teardown from the initiator on the dest IP, and the closure codes vary. I see TCP FINs (success), SYN TIMEOUT (awaiting 3 way handshake) and TCP-Reset-O (outside). Do you think me upgrading the software and firmware could have affected this traffic?
I see NO denied traffic. Just when I do a show interface on the CLI, I see packets input and packets output, and I also see packets dropped, and they are increasing.
The customer states that they are receiving about 52% of the traffic, so that is probably where I am seeing the TCP FIN traffic.
I asked the customer to check their system. They said nothing has changed; they do have dynamic_client_socket_connection_error, but they state they have had those for years.
Do you think upgrading the ASA and ASDM affected the traffic?
05-16-2017 05:47 AM
I ran these commands with the output below:
show interface port channel 1: link and line protocol are both up, hardware is Etherchannel/LACP, BW 20000 Mbps, DLY 10 usec. Traffic stats: 26929959 packets input, 1468209948 bytes, 170513415 packets output, 25527561290 bytes, 255076 packets dropped
show interface port channel 2: link and line protocol are both up, hardware is Etherchannel/LACP, BW 20000 Mbps, DLY 10 usec. Traffic stats: 255495 packets input, 12773046 bytes, 427 packets output, 1956 bytes, 255069 packets dropped
show interface port channel 3: link and line protocol are both up, hardware is Etherchannel/LACP, BW 20000 Mbps, DLY 10 usec. Traffic stats: 173449466 packets input, 258648257421 bytes, 490765064 packets output, 118882860252 bytes, 310068 packets dropped
show cpu: 5 seconds: 1%; 1 minute: 1%; 5 minutes: 1%
show mem: Free memory 72%, Used memory 22%, total 100%
show conn count: 27 in use, 42 most used
show block SIZE MAX LOW CNT
0 7450 7449 7450
4 1700 1699 1699
80 9000 8991 9000
256 9676 9610 9660
1550 36274 36145 36259
2048 20000 19811 20000
2560 8192 8192 8192
4096 100 100 100
8192 100 100 100
9344 100 100 100
16384 300 300 300
65536 16 16 16
So upgrading the firmware code from 9.1 to 9.6 and ASDM from 7.1 to 7.6 should not have affected the traffic flow at all?
My history troubleshooting with customers is that SYN Timeout and TCP Reset-O are system level errors.
The customer stated that they started to not receive all of their traffic once I rebooted the firewall.
Do you think doing a shut/no shut on one of the interfaces in the port channel may fix the issue?
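An added helper, not code from the thread or from Cisco, to put the interface counters quoted above into proportion: it parses a constructed "show interface" style summary laid out the way the ASA prints it (nameif and the other per-interface lines omitted), works out dropped packets as a share of packets input for each interface, and flags any interface at or above a threshold.

```python
import re

# Constructed sample, not pasted from the thread: the three port-channel
# summaries reported above, laid out in the multi-line form "show interface"
# prints on an ASA (nameif and the remaining per-interface lines omitted).
SAMPLE_SHOW_INTERFACE = """\
Interface Port-channel1, is up, line protocol is up
        26929959 packets input, 1468209948 bytes
        170513415 packets output, 25527561290 bytes
        255076 packets dropped
Interface Port-channel2, is up, line protocol is up
        255495 packets input, 12773046 bytes
        427 packets output, 1956 bytes
        255069 packets dropped
Interface Port-channel3, is up, line protocol is up
        173449466 packets input, 258648257421 bytes
        490765064 packets output, 118882860252 bytes
        310068 packets dropped
"""

# Header line: the interface name stops at whitespace, a comma or the nameif quote.
HEADER = re.compile(r'^Interface ([^\s,"]+)')
# Counter lines: "<n> packets input|output|dropped"
COUNTER = re.compile(r'(\d+) packets (input|output|dropped)')


def parse_show_interface(text):
    """Map each interface to its input/output/dropped packet counters."""
    stats = {}
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            stats[current] = {"input": 0, "output": 0, "dropped": 0}
            continue
        if current is None:
            continue  # text before the first interface header
        for value, kind in COUNTER.findall(line):
            stats[current][kind] = int(value)
    return stats


def drop_ratio(counters):
    """Dropped packets as a share of packets input (0.0 if nothing received)."""
    received = counters["input"]
    return counters["dropped"] / received if received else 0.0


def flag_lossy_interfaces(text, threshold=0.01):
    """Interfaces whose drop ratio is at or above the threshold (default 1%)."""
    return [name for name, c in parse_show_interface(text).items()
            if drop_ratio(c) >= threshold]
```

On the numbers posted, only Port-channel2 crosses the 1% line, and it has dropped almost every packet it received, so that is the interface to compare against the packet-tracer and ASP drop counters first.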