08-16-2011 09:07 AM - edited 03-11-2019 02:12 PM
Hello everyone,
We have a PIX 515E with 7.2(4) software on it. I am trying to identify why we get drops on the outside interface. Here are some statistics:
Interface Ethernet0 "outside", is up, line protocol is up
Hardware is i82559, BW 100 Mbps
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
MAC address 0014.a8ad.e9d2, MTU 1500
IP address XXXX, subnet mask 255.255.255.248
10428 packets input, 13266457 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
5949 packets output, 576926 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (0/1) software (0/6)
output queue (curr/max packets): hardware (0/7) software (0/1)
Traffic Statistics for "outside":
490771 packets input, 253026296 bytes
358591 packets output, 105524027 bytes
920 packets dropped
1 minute input rate 72 pkts/sec, 73946 bytes/sec
1 minute output rate 52 pkts/sec, 6123 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 38 pkts/sec, 26052 bytes/sec
5 minute output rate 34 pkts/sec, 6933 bytes/sec
5 minute drop rate, 0 pkts/sec
Priority-Queue Statistics interface outside
Queue Type = BE
Tail Drops = 0
Reset Drops = 0
Packets Transmit = 137921
Packets Enqueued = 0
Current Q Length = 0
Max Q Length = 0
Queue Type = LLQ
Tail Drops = 0
Reset Drops = 0
Packets Transmit = 0
Packets Enqueued = 0
Current Q Length = 0
Max Q Length = 0
CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%
It's a 10 Mbit sync link. There is no high traffic load, and it seems that the buffers are not getting filled up. The number of drops is small, but it is increasing constantly.
I understand that the interface statistics do not include the packets dropped by the ACL. Or do they? In any case, the ACL deny hit count is three times higher than the dropped packets count on the interface.
I am sure I must be missing something. So any advice is welcome. Thanks in advance.
Andri
08-16-2011 09:17 AM
One more thing:
The 'packets dropped' counter is really the number of packets dropped in the asp on a per-interface basis. So, if you add up all the dropped packets in the 'show asp drop' output, it should equal the sum of all the per-interface 'packets dropped'.
Hope this makes it better
-Varun
08-16-2011 09:12 AM
Hi,
I am not sure if you should worry about it, because these are the packets that were dropped for any damn reason on the PIX, be it ACL drop, overruns, out-of-order packets etc. So this would not point towards anything specific. I do not see any errors on the PIX, so it shouldn't be a matter of concern as long as everything is working fine. If you want to dig more, you can check "show asp drop" on the PIX; this would tell you more info.
Hope this resolves your query.
-Varun
08-18-2011 05:40 AM
Hi Varun, many thanks for this.
I have just cleared the counters. Here is what I have after about 6 minutes:
sh asp drop
Frame drop:
Flow is denied by configured rule (acl-drop) 427
First TCP packet not SYN (tcp-not-syn) 6
TCP failed 3 way handshake (tcp-3whs-failed) 1
TCP packet failed PAWS test (tcp-paws-fail) 11
Traffic Statistics for "outside":
22995 packets input, 8918668 bytes
21699 packets output, 5988119 bytes
444 packets dropped
1 minute input rate 40 pkts/sec, 13826 bytes/sec
1 minute output rate 42 pkts/sec, 10227 bytes/sec
1 minute drop rate, 1 pkts/sec
5 minute input rate 53 pkts/sec, 22286 bytes/sec
5 minute output rate 47 pkts/sec, 12775 bytes/sec
5 minute drop rate, 0 pkts/sec
Traffic Statistics for "inside":
22772 packets input, 5991151 bytes
24759 packets output, 10118003 bytes
3 packets dropped
1 minute input rate 44 pkts/sec, 10056 bytes/sec
1 minute output rate 43 pkts/sec, 12740 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 46 pkts/sec, 12509 bytes/sec
5 minute output rate 53 pkts/sec, 21301 bytes/sec
5 minute drop rate, 0 pkts/sec
Traffic Statistics for "dmz":
59 packets input, 6679 bytes
59 packets output, 9393 bytes
12 packets dropped
1 minute input rate 0 pkts/sec, 13 bytes/sec
1 minute output rate 0 pkts/sec, 17 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 13 bytes/sec
5 minute output rate 0 pkts/sec, 18 bytes/sec
5 minute drop rate, 0 pkts/sec
So the asp drops seem to be in the same range as the interface drops. It's just not clear why the hit count on the 'deny ip any any' ACL line is much greater.
Thanks.
Andri
08-18-2011 05:49 AM
Yup, that's what the counter means: the total sum of "show asp drop" should be approximately equal to the sum of packet drops on all interfaces.
Now coming to your next question: there might be a lot of denied traffic hitting the firewall on the outside interface. If you really want to monitor it, enable the log option for the deny ACL and check in the logs which IPs are being denied. Another way would be to enable the log option on the ACL, go to ASDM, go to the access rule and right-click --> Show Log; this opens the log viewer, where you can see what logs are generated.
The config for acl would be:
access-list
Let me know if this helps you.
Thanks,
Varun
Please rate helpful posts.
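The reconciliation Varun describes (the sum of "show asp drop" counters should roughly equal the sum of the per-interface "packets dropped" counters) can be checked with a small script rather than by hand. The following is an added example, not code from this thread or from Cisco; the sample output is constructed from the figures Andri posted, and the parser assumes the PIX 7.2 line formats shown above (reason codes in parentheses, a quoted interface name in each "Traffic Statistics" header). A small gap is expected because the two commands sample the counters at different moments, so the check uses a tolerance instead of demanding equality.

```python
"""Reconcile 'show asp drop' against per-interface 'packets dropped' counters.

Added example, not from the thread. The sample output is constructed from the
figures posted above; line formats are assumed to match PIX 7.2 output.
"""
import re
from typing import Dict

# Constructed sample of 'show asp drop' output (figures from the thread).
ASP_DROP_OUTPUT = """\
Frame drop:
Flow is denied by configured rule (acl-drop) 427
First TCP packet not SYN (tcp-not-syn) 6
TCP failed 3 way handshake (tcp-3whs-failed) 1
TCP packet failed PAWS test (tcp-paws-fail) 11
"""

# Constructed sample of 'show traffic' output (figures from the thread, trimmed).
TRAFFIC_OUTPUT = """\
Traffic Statistics for "outside":
22995 packets input, 8918668 bytes
21699 packets output, 5988119 bytes
444 packets dropped
Traffic Statistics for "inside":
22772 packets input, 5991151 bytes
24759 packets output, 10118003 bytes
3 packets dropped
Traffic Statistics for "dmz":
59 packets input, 6679 bytes
59 packets output, 9393 bytes
12 packets dropped
"""

# "<description> (<reason-code>) <count>" lines only; headers like "Frame drop:" are skipped.
ASP_LINE = re.compile(r"^(?P<desc>.+?)\s+\((?P<reason>[a-z0-9-]+)\)\s+(?P<count>\d+)\s*$")
IFACE_HDR = re.compile(r'^Traffic Statistics for "(?P<name>[^"]+)":')
IFACE_DROP = re.compile(r"^(?P<count>\d+) packets dropped")


def parse_asp_drops(text: str) -> Dict[str, int]:
    """Map each asp drop reason code (e.g. 'acl-drop') to its counter."""
    drops = {}
    for line in text.splitlines():
        m = ASP_LINE.match(line.strip())
        if m:
            drops[m.group("reason")] = int(m.group("count"))
    return drops


def parse_interface_drops(text: str) -> Dict[str, int]:
    """Map each interface name to its 'packets dropped' counter."""
    drops = {}
    current = None
    for line in text.splitlines():
        h = IFACE_HDR.match(line.strip())
        if h:
            current = h.group("name")
            continue
        d = IFACE_DROP.match(line.strip())
        if d and current:
            drops[current] = int(d.group("count"))
    return drops


def reconcile(asp_text: str, traffic_text: str, tolerance: float = 0.05) -> dict:
    """Compare the asp total with the per-interface total.

    The two commands sample counters at slightly different moments, so a small
    gap is normal; a gap above 'tolerance' (fraction of the larger total) is
    flagged for a closer look. Also reports the dominant drop reason.
    """
    asp = parse_asp_drops(asp_text)
    ifaces = parse_interface_drops(traffic_text)
    asp_total = sum(asp.values())
    iface_total = sum(ifaces.values())
    gap = abs(asp_total - iface_total)
    top = max(asp.items(), key=lambda kv: kv[1]) if asp else (None, 0)
    return {
        "asp_total": asp_total,
        "iface_total": iface_total,
        "gap": gap,
        "consistent": gap <= tolerance * max(asp_total, iface_total, 1),
        "top_reason": top[0],
        "top_share": round(top[1] / asp_total, 3) if asp_total else 0.0,
    }


if __name__ == "__main__":
    r = reconcile(ASP_DROP_OUTPUT, TRAFFIC_OUTPUT)
    print(f"asp total {r['asp_total']} vs interface total {r['iface_total']} "
          f"(gap {r['gap']}, consistent={r['consistent']})")
    print(f"largest reason: {r['top_reason']} ({r['top_share']:.0%} of asp drops)")
```

On the thread's figures this gives 445 asp drops against 459 interface drops, which is within tolerance, and shows that acl-drop accounts for about 96% of the asp drops; the remaining tcp-not-syn, tcp-3whs-failed and tcp-paws-fail counts are the stateful-inspection drops that the ACL hit counter never sees.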
08-23-2011 04:49 AM
Hi Varun, thanks for your answer. Apologies for the delay, I just couldn't find time for this earlier.
I have logged those denied packets as you suggested, and it appears that these are just random packets from various IP addresses in the US and China, with random source and destination ports, i.e. 10557, 33436, etc.
Do you know why there would be so many packets like these hitting the outside interface?
Many thanks.
Andri
08-23-2011 05:05 AM
Hi,
Thanks for getting back on this. Well, those packets, if not from trusted hosts, could be anything from anywhere, trying to access your internal resources. Packets might be dropped due to incomplete TCP handshakes or out-of-order packets, so it is very difficult to analyse each packet. But if you notice a large number of packets being dropped from a single IP or range, then you might want to consider investigating them.
-Varun
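Once the deny ACL has the log option enabled, the firewall emits one 106023 syslog message per denied packet, and Varun's advice is to look for a single source or range that stands out from the random background. The script below is an added example, not code from this thread or from Cisco: it parses 106023 lines, counts denies per source host and per /24, and flags sources that both repeat and touch several destination ports. The log lines are constructed (addresses from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) and are assumed to follow the documented "%PIX-4-106023: Deny proto src if:ip/port dst if:ip/port by access-group "name"" layout; the thresholds in flag_noisy are illustrative, not Cisco defaults.

```python
"""Summarise ACL deny syslog (106023) entries by source so that a noisy host
or range stands out from background scanning noise.

Added example, not from the thread. Log lines are constructed and assumed to
follow the documented PIX/ASA 106023 layout; thresholds are illustrative.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample log lines (documentation address ranges, made-up ports).
SAMPLE_LOGS = """\
%PIX-4-106023: Deny tcp src outside:198.51.100.7/10557 dst inside:203.0.113.2/445 by access-group "outside_in" [0x0, 0x0]
%PIX-4-106023: Deny tcp src outside:198.51.100.7/33436 dst inside:203.0.113.2/139 by access-group "outside_in" [0x0, 0x0]
%PIX-4-106023: Deny tcp src outside:198.51.100.7/33437 dst inside:203.0.113.2/135 by access-group "outside_in" [0x0, 0x0]
%PIX-4-106023: Deny udp src outside:192.0.2.44/53 dst inside:203.0.113.9/1025 by access-group "outside_in" [0x0, 0x0]
%PIX-4-106023: Deny tcp src outside:192.0.2.91/4123 dst inside:203.0.113.2/80 by access-group "outside_in" [0x0, 0x0]
%PIX-4-106023: Deny tcp src outside:198.51.100.8/2222 dst inside:203.0.113.3/22 by access-group "outside_in" [0x0, 0x0]
%PIX-6-302013: Built inbound TCP connection 1234 for outside:198.51.100.9/4000 (198.51.100.9/4000) to inside:203.0.113.2/80 (203.0.113.2/80)
"""

# Fields of a 106023 deny message; other message IDs will not match and are ignored.
DENY_RE = re.compile(
    r"%(?:PIX|ASA)-4-106023: Deny (?P<proto>\w+) src "
    r"(?P<src_if>[^:]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) dst "
    r"(?P<dst_if>[^:]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_denies(text: str) -> List[dict]:
    """Extract the fields of every 106023 line; non-deny lines are skipped."""
    out = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            d = m.groupdict()
            d["src_port"] = int(d["src_port"])
            d["dst_port"] = int(d["dst_port"])
            out.append(d)
    return out


def top_sources(denies: List[dict], prefix_len: int = 24) -> Tuple[Counter, Counter]:
    """Count denies per source host and per source /prefix_len network."""
    hosts = Counter(d["src_ip"] for d in denies)
    nets = Counter(
        str(ipaddress.ip_network(f"{d['src_ip']}/{prefix_len}", strict=False))
        for d in denies
    )
    return hosts, nets


def flag_noisy(denies: List[dict], min_hits: int = 3, min_ports: int = 3) -> Dict[str, dict]:
    """Flag sources that both repeat and touch several destination ports.

    A single denied packet from a random address is background noise; one
    source hitting many ports is the pattern worth a closer look.
    """
    per_src: Dict[str, set] = {}
    for d in denies:
        per_src.setdefault(d["src_ip"], set()).add(d["dst_port"])
    hits = Counter(d["src_ip"] for d in denies)
    return {
        ip: {"hits": hits[ip], "dst_ports": sorted(ports)}
        for ip, ports in per_src.items()
        if hits[ip] >= min_hits and len(ports) >= min_ports
    }


if __name__ == "__main__":
    denies = parse_denies(SAMPLE_LOGS)
    hosts, nets = top_sources(denies)
    print("denies by host:", hosts.most_common(3))
    print("denies by /24:", nets.most_common(3))
    print("worth a look:", flag_noisy(denies))
```

Feed it the output of the ASDM log viewer or a syslog server export instead of SAMPLE_LOGS; grouping by /24 as well as by host is what makes a scan spread across a range visible when no single address crosses the host threshold on its own.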
08-29-2011 06:26 AM
Many thanks Varun!
Cheers,
Andri