Solved: Packets drops due to tcp-fo-drop

nur fahmi hamdika · ‎04-18-2016

Hi All,

I have problems with cisco ASA using 8.3(1) Software Version, the symptoms indicates to this bug CSCsg09419 but with different version of OS. below is output from show asp drop command :

7: 10:44:13.240176 x.x.x.x.4427 > 1x.x.x.x.449: S 3127442769:3127442769(0) win 65535 <mss 1380,nop,nop,sackOK> Drop-reason: (tcp-fo-drop) TCP replicated flow pak drop

53: 10:44:40.383921 x.x.x.x.4517 > x.x.x.x.449: S 4030465714:4030465714(0) win 65535 <mss 1380,nop,nop,sackOK>
71: 10:44:46.315901 x.x.x.x.4517 > x.x.x.x.449: S 4030465714:4030465714(0) win 65535 <mss 1380,nop,nop,sackOK>
194: 10:45:37.507938 x.x.x.x.22570 > x.x.x.x.449: S 4274859623:4274859623(0) win 64240 <mss 1380,nop,nop,sackOK>

any suggestion about this problems?

i need help soon as possible...thanks.

Best Regards,

Fahmi

Marius Gunnerud · ‎04-21-2016

If this is related to the bug then an upgrade is the only solution.

drop explanation from Cisco doc http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/s2.html

Name: tcp-fo-drop

TCP replicated flow pak drop:

    This counter is incremented and the packet is dropped when appliance receives a TCP 
packet with control flag like SYN, FIN or RST on an established connection just after the 
appliance has taken over as active unit.

Recommendations:

    None

Syslogs:

    None

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

Philip D'Ath · ‎04-21-2016

8.3(1) is getting pretty old. Are you able to upgrade?

Marius Gunnerud · ‎04-21-2016

If this is related to the bug then an upgrade is the only solution.

drop explanation from Cisco doc http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/s2.html

Name: tcp-fo-drop

TCP replicated flow pak drop:

    This counter is incremented and the packet is dropped when appliance receives a TCP 
packet with control flag like SYN, FIN or RST on an established connection just after the 
appliance has taken over as active unit.

Recommendations:

    None

Syslogs:

    None

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

nur fahmi hamdika · ‎05-03-2016

Hi marius,

The issue is resolved by clearing the connections.

found that the timeout is 00:00:00 which is unreasonable value so we changed it to the recommended (1:00:00)

also we've plan to upgrade the software...

Thank you for your response.

rgds

NFH