Scanning log messages.

Russell Pearson
Level 1

Hey There,

Can you guys look at these log messages and let me know what you think? Looks like my network is being scanned big time.

What's the best way to address this issue? Is there a way to find out if my ASA/company is being targeted?

Dec 10 2010 11:50:28: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 12 per second, max configured rate is 5; Cumulative total count is 7315
Dec 10 2010 11:50:48: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 12 per second, max configured rate is 5; Cumulative total count is 7303
Dec 10 2010 11:51:08: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 12 per second, max configured rate is 5; Cumulative total count is 7299
Dec 10 2010 11:51:28: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 2 per second, max configured rate is 10; Current average rate is 11 per second, max configured rate is 5; Cumulative total count is 7160
Dec 10 2010 11:51:48: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 11 per second, max configured rate is 5; Cumulative total count is 7090
Dec 10 2010 11:52:08: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 10 per second, max configured rate is 5; Cumulative total count is 6147
Dec 10 2010 11:52:28: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 8 per second, max configured rate is 5; Cumulative total count is 4962
Dec 10 2010 11:52:48: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4567

Thank you.
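Before deciding whether the ASA is "being scanned big time", it helps to read what the %ASA-4-733100 lines actually say: each one reports a burst rate and an average rate against their configured thresholds, and in the lines above only the average threshold (5/s) is being exceeded while the burst threshold (10/s) never is, and the average is falling from 12/s to 7/s over 140 seconds. The parser below is an added example, not code from the thread or from Cisco; it embeds the eight lines from the post as constructed sample input and pulls out exactly those numbers so the trend can be checked rather than eyeballed.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample input: the eight %ASA-4-733100 lines quoted in the post,
# copied here so the parser runs offline.
SAMPLE_LOG = """\
Dec 10 2010 11:50:28: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 12 per second, max configured rate is 5; Cumulative total count is 7315
Dec 10 2010 11:50:48: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 12 per second, max configured rate is 5; Cumulative total count is 7303
Dec 10 2010 11:51:08: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 12 per second, max configured rate is 5; Cumulative total count is 7299
Dec 10 2010 11:51:28: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 2 per second, max configured rate is 10; Current average rate is 11 per second, max configured rate is 5; Cumulative total count is 7160
Dec 10 2010 11:51:48: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 11 per second, max configured rate is 5; Cumulative total count is 7090
Dec 10 2010 11:52:08: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 10 per second, max configured rate is 5; Cumulative total count is 6147
Dec 10 2010 11:52:28: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 8 per second, max configured rate is 5; Cumulative total count is 4962
Dec 10 2010 11:52:48: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4567
"""

# One regex for the whole message; the named groups capture every number the
# ASA reports (burst rate and its threshold, average rate and its threshold).
THREAT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<severity>\d)-(?P<msgid>\d{6}): "
    r"\[\s*(?P<category>[^\]]+?)\s*\] drop rate-(?P<rate_id>\d+) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, "
    r"max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, "
    r"max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)$"
)


def parse_threat_log(text: str) -> List[Dict]:
    """Return one dict per parseable %ASA-4-733100 line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = THREAT_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%b %d %Y %H:%M:%S")
        for key in ("severity", "rate_id", "burst", "burst_max", "avg", "avg_max", "total"):
            e[key] = int(e[key])
        events.append(e)
    return events


def summarize(events: List[Dict]) -> Dict:
    """Answer what a defender asks first: which threshold is tripping, how hard,
    and whether the rate is still climbing or already tailing off."""
    if not events:
        return {"events": 0}
    avgs = [e["avg"] for e in events]
    return {
        "events": len(events),
        "categories": sorted({e["category"] for e in events}),
        "avg_exceeded": sum(1 for e in events if e["avg"] > e["avg_max"]),
        "burst_exceeded": sum(1 for e in events if e["burst"] > e["burst_max"]),
        "peak_avg": max(avgs),
        "latest_avg": avgs[-1],
        "subsiding": avgs[-1] < avgs[0],
        "span_seconds": int((events[-1]["ts"] - events[0]["ts"]).total_seconds()),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_threat_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The summary only tells you the threat-detection counter is tripping, not who is responsible; the message carries no source address, which is why the replies below point at `show asp drop` and ASP drop captures for attribution.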

7 Replies

mirober2
Cisco Employee

Hello,

I responded to your first post here:

https://supportforums.cisco.com/message/3240840

Were you able to identify the traffic using 'show asp drop' and the ASP drop captures that I suggested? These captures will show you which packets are being dropped so you can identify the legitimacy of the traffic and find out where it's sourced from.

The ASA is already dropping the traffic, so if you want to stop it from reaching the ASA you would need to do this upstream or engage your ISP. If the traffic is legitimate, you can tweak the threat-detection thresholds.

-Mike

Here's the sh asp drop output.

ACU-ASA# sh asp drop

Frame drop:
  Invalid encapsulation (invalid-encap)                                       84
  No valid adjacency (no-adjacency)                                           21
  Flow is denied by configured rule (acl-drop)                             91444
  Invalid SPI (np-sp-invalid-spi)                                             54
  NAT-T keepalive message (natt-keepalive)                                 32581
  First TCP packet not SYN (tcp-not-syn)                                   15251
  Bad TCP checksum (bad-tcp-cksum)                                             1
  Bad TCP flags (bad-tcp-flags)                                                8
  TCP data send after FIN (tcp-data-past-fin)                                324
  TCP failed 3 way handshake (tcp-3whs-failed)                             31498
  TCP RST/FIN out of order (tcp-rstfin-ooo)                                24942
  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                            30
  TCP packet SEQ past window (tcp-seq-past-win)                             1024
  TCP invalid ACK (tcp-invalid-ack)                                         1422
  TCP Out-of-Order packet buffer full (tcp-buffer-full)                    19315
  TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout)              10338
  TCP RST/SYN in window (tcp-rst-syn-in-win)                                  40
  TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue)              626151
  TCP packet failed PAWS test (tcp-paws-fail)                               2334
  IPSEC tunnel is down (ipsec-tun-down)                                      175
  ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched)          6
  ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn)                                    25
  DNS Inspect id not matched (inspect-dns-id-not-matched)                     25
  Dropped pending packets in a closed socket (np-socket-closed)              293
  Invalid ASDP packet received from SSM card (ssm-asdp-invalid)              104
  Service module is down (ssm-app-fail)                                        3
             
Last clearing: 15:08:21 PST Dec 8 2010 by enable_15
             
Flow drop:   
  Flow closed by inspection (closed-by-inspection)                             4
  NAT failed (nat-failed)                                                      6
  Need to start IKE negotiation (need-ike)                                 20442
  Inspection failure (inspect-fail)                                          224
  SSL bad record detected (ssl-bad-record-detect)                            192
  SSL handshake failed (ssl-handshake-failed)                                191
  SSL malloc error (ssl-malloc-error)                                          1
  SSL received close alert (ssl-received-close-alert)                         12
             
Last clearing: 15:08:21 PST Dec 8 2010 by enable_15
ACU-ASA#

So once I do the ACU-ASA# capture drop type asp-drop all command, then I do a 'show asp drop' and 'show capture drop'. What command do I use to stop the capture?

cadet alain
VIP Alumni

Hi,

take a look here: http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml#sol6

Regards.

Don't forget to rate helpful posts.

Hello russeeeeccna,

The TCP failed 3 way handshake (tcp-3whs-failed) counter is pretty high. You need to issue "clear asp drop" and then immediately issue "sh asp drop" to see which counter in particular is increasing, and then gather captures for that particular counter.

For example:

cap capasp type asp-drop tcp-3whs-failed

sh cap capasp

This will provide you with source IP address details. With this you can reach out to your ISP and ask them to block this if it is coming from the outside, or address the host(s) if it is within your network.

-KS
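KS's procedure is "clear the counters, take a fresh snapshot, see which reason is still climbing, then capture on that reason". Doing the comparison by hand on a long `show asp drop` listing is error-prone, so here is an added example (not code from the thread or from Cisco) that parses two snapshots in the same layout as the output quoted above, ranks the reasons by how much they grew, and builds the `capture <name> type asp-drop <reason>` command for the top one. Both snapshots and their numbers are constructed for the example; the capture name `capasp` is the one KS uses.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample snapshots in the layout of the 'show asp drop' output
# quoted earlier in this thread (the numbers are made up for the example).
# BEFORE is taken right after 'clear asp drop', AFTER about half a minute later.
BEFORE = """\
ACU-ASA# show asp drop

Frame drop:
  Flow is denied by configured rule (acl-drop)                                12
  First TCP packet not SYN (tcp-not-syn)                                       3
  TCP failed 3 way handshake (tcp-3whs-failed)                                 9

Last clearing: 11:50:00 PST Dec 10 2010 by enable_15

Flow drop:
  Need to start IKE negotiation (need-ike)                                     1

Last clearing: 11:50:00 PST Dec 10 2010 by enable_15
"""

AFTER = """\
ACU-ASA# show asp drop

Frame drop:
  Flow is denied by configured rule (acl-drop)                                40
  First TCP packet not SYN (tcp-not-syn)                                       5
  TCP failed 3 way handshake (tcp-3whs-failed)                               351

Last clearing: 11:50:00 PST Dec 10 2010 by enable_15

Flow drop:
  Need to start IKE negotiation (need-ike)                                     2

Last clearing: 11:50:00 PST Dec 10 2010 by enable_15
"""

# A counter line is indented, ends with the short reason in parentheses and a
# count. Section headers, the prompt and 'Last clearing' lines do not match.
COUNTER_RE = re.compile(r"^\s+(?P<desc>.+?) \((?P<reason>[\w-]+)\)\s+(?P<count>\d+)\s*$")


def parse_asp_drop(text: str) -> Dict[str, int]:
    """Map each drop reason (the short name in parentheses) to its counter."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group("reason")] = int(m.group("count"))
    return counters


def rising_counters(before: Dict[str, int], after: Dict[str, int]) -> List[Tuple[str, int]]:
    """Reasons whose counter grew between the snapshots, largest delta first.
    A reason absent from the earlier snapshot is treated as starting at zero."""
    deltas = []
    for reason, count in after.items():
        delta = count - before.get(reason, 0)
        if delta > 0:
            deltas.append((reason, delta))
    deltas.sort(key=lambda item: (-item[1], item[0]))
    return deltas


def capture_command(rising: List[Tuple[str, int]], name: str = "capasp") -> str:
    """Build the ASA capture command for the fastest-growing reason, which is
    the next step KS describes (the capture then reveals the source addresses)."""
    if not rising:
        return ""
    return f"capture {name} type asp-drop {rising[0][0]}"


if __name__ == "__main__":
    rising = rising_counters(parse_asp_drop(BEFORE), parse_asp_drop(AFTER))
    for reason, delta in rising:
        print(f"{reason:<24} +{delta}")
    print(capture_command(rising))
```

Paste the two real `show asp drop` outputs into `BEFORE` and `AFTER` and the ranking tells you which single reason is worth capturing on; capturing on one reason rather than `all` keeps the 256K default buffer from filling with unrelated drops.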

How long does the capture run and what command stops it?

Capture will run until the default buffer size 256K is full and will not collect any more packets once the buffer is full unless you issue "clear cap capasp".

You can issue "sh cap capasp" and see what IP addresses show. Once you are done, you can remove the capture with the command "no cap capasp".

-KS
