cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3210
Views
15
Helpful
7
Replies

PIX dropped packets

kyiver_voip
Level 1
Level 1

Hello everyone,

We have PIX 515E with 7.2(4) software on it. I am trying to identify why do we get drops on the outside interface. Here are some statisctics:

Interface Ethernet0 "outside", is up, line protocol is up

  Hardware is i82559, BW 100 Mbps

Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)

MAC address 0014.a8ad.e9d2, MTU 1500

IP address XXXX, subnet mask 255.255.255.248

10428 packets input, 13266457 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 L2 decode drops

5949 packets output, 576926 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

input queue (curr/max packets): hardware (0/1) software (0/6)

output queue (curr/max packets): hardware (0/7) software (0/1)

  Traffic Statistics for "outside":

490771 packets input, 253026296 bytes

358591 packets output, 105524027 bytes

920 packets dropped

      1 minute input rate 72 pkts/sec,  73946 bytes/sec

      1 minute output rate 52 pkts/sec,  6123 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 38 pkts/sec,  26052 bytes/sec

      5 minute output rate 34 pkts/sec,  6933 bytes/sec

      5 minute drop rate, 0 pkts/sec

Priority-Queue Statistics interface outside

Queue Type         = BE

Tail Drops         = 0

Reset Drops        = 0

Packets Transmit   = 137921

Packets Enqueued   = 0

Current Q Length   = 0

Max Q Length       = 0

Queue Type         = LLQ

Tail Drops         = 0

Reset Drops        = 0

Packets Transmit   = 0

Packets Enqueued   = 0

Current Q Length   = 0

Max Q Length       = 0

CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%

It's 10 Mbit sync link. There is no high traffic load, and it seems that buffers are not getting filled up. The drops number is small, but they are increasing constantly.

I understand that the statistic on the interface does not include the dropped packets by the ACL. Or does it? In any case, the ACL deny hits count is three times higher than the dropped packets count on the interface.

I am sure I must be missing something. So any advice is welcome. Thanks in advance.

Andri

1 Accepted Solution

Accepted Solutions

One more thing:

The 'packets dropped' counter is really the number of packets dropped in the asp on a per-interface basis.  So, if you add up all the dropped packets in the 'show asp drop' output, it should equal the sum of all the per-interface 'packets dropped'.

Hope this makes it better

-Varun

Thanks,
Varun Rao

View solution in original post

7 Replies 7

varrao
Level 10
Level 10

Hi,

I am not sure if you should worry about it, bcause these are the packets that were dropped for any damn reason on the PIX, be it, ACL drop, overruns, out-of-order packets etc. So this would not point towards anything specific. I do not see any errors on the PIX, so it shouldn't be a matter of concern as far as everything is working fine. If you want to dig more, you can check "show asp drop" on PIX, this would tell you more info.

Hope this resolves your query.

-Varun

Thanks,
Varun Rao

One more thing:

The 'packets dropped' counter is really the number of packets dropped in the asp on a per-interface basis.  So, if you add up all the dropped packets in the 'show asp drop' output, it should equal the sum of all the per-interface 'packets dropped'.

Hope this makes it better

-Varun

Thanks,
Varun Rao

Hi Varun, many thanks for this.

I have just cleared the counters. Here is what I have after about 6 minutes:

sh asp drop

Frame drop:

  Flow is denied by configured rule (acl-drop)                               427

  First TCP packet not SYN (tcp-not-syn)                                       6

  TCP failed 3 way handshake (tcp-3whs-failed)                                 1

  TCP packet failed PAWS test (tcp-paws-fail)                                 11

Traffic Statistics for "outside":

22995 packets input, 8918668 bytes

21699 packets output, 5988119 bytes

444 packets dropped

      1 minute input rate 40 pkts/sec,  13826 bytes/sec

      1 minute output rate 42 pkts/sec,  10227 bytes/sec

      1 minute drop rate, 1 pkts/sec

      5 minute input rate 53 pkts/sec,  22286 bytes/sec

      5 minute output rate 47 pkts/sec,  12775 bytes/sec

      5 minute drop rate, 0 pkts/sec

Traffic Statistics for "inside":

22772 packets input, 5991151 bytes

24759 packets output, 10118003 bytes

3 packets dropped

      1 minute input rate 44 pkts/sec,  10056 bytes/sec

      1 minute output rate 43 pkts/sec,  12740 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 46 pkts/sec,  12509 bytes/sec

      5 minute output rate 53 pkts/sec,  21301 bytes/sec

      5 minute drop rate, 0 pkts/sec

Traffic Statistics for "dmz":

59 packets input, 6679 bytes

59 packets output, 9393 bytes

12 packets dropped

      1 minute input rate 0 pkts/sec,  13 bytes/sec

      1 minute output rate 0 pkts/sec,  17 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 0 pkts/sec,  13 bytes/sec

      5 minute output rate 0 pkts/sec,  18 bytes/sec

      5 minute drop rate, 0 pkts/sec

So the asp drops seems to be in the same range as the interfaces drops. it's just not clear why the hitcounts in acl dyny ip any any string is much greater?

Thanks.

Andri

Yup, thats what the counter means, total sum of "show asp drop" should be approx. equal to the sum of packet drops on all interfaces.

Now coming onto your next question, there might be a lot of denied traffic hitting the firewall on the outside interface, if you really want to monitor it, enable the log option for the deny acl and check it in the logs, which IP's are being denied. Another way would, enable the log option after the acl and go to ASDM, go to the access-rule and right click--> show logg, this would open the log viewer, you can see what logs are generated.

The config for acl would be:

access-list deny ip any any log interval 1

Let me know if this helps you.

Thanks,

Varun

Please rate helpful posts.

Thanks,
Varun Rao

Hi Varun, thanks for your answer. Apologies for the delay, I just couldn't find time for this earlier.

I have logged those denied packets as you suggested. And it appears that these are just random packets from various IP addresses in US and Chine, with random source and destination ports, i.e. 10557, 33436, etc.

Do you know why there would be so many packets like these hitting the outside interface?

Many thanks.

Andri

Hi,

Thanks for getting back on this, well those packets if not from trusted hosts, could be anything from anywhere, trying to access your internal resources. Packets might be dropped due to incomplete TCP hanshakes, or out of order packets, so very difficult to analyse each packet. But if you just notice large amount of packets being dropped from a single ip or range, then you might want to consider investiagting them.

-Varun

Thanks,
Varun Rao

Many thanks Varun!

Cheers,

Andri

Review Cisco Networking for a $25 gift card