Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2102
Views
35
Helpful
6
Replies

Sh asp drop output.

bryanrobh
Level 1
Level 1

‎01-13-2014 10:24 AM - edited ‎03-11-2019 08:29 PM

                   I am new to the world of ASA's and I am trying to figure out when I do a sh asp drop I get this output

Frame drop:
  Invalid UDP Length (invalid-udp-length)                                      1
  Flow is denied by configured rule (acl-drop)                             40954
  Flow denied due to resource limitation (unable-to-create-flow)              27
  Invalid SPI (np-sp-invalid-spi)                                              1
  First TCP packet not SYN (tcp-not-syn)                                       4
  TCP failed 3 way handshake (tcp-3whs-failed)                               360
  IPSEC tunnel is down (ipsec-tun-down)                                        4
  Slowpath security checks failed (sp-security-failed)                     33585
  Interface is down (interface-down)                                           2
  Non-IP packet received in routed mode (non-ip-pkt-in-routed-mode)            1

Last clearing: Never

Flow drop:
  Need to start IKE negotiation (need-ike)                                   680

I am trying to figure out what frames were dropped due to ACL's the biggest number up there?

Labels:
0 Helpful
6 Replies 6

Julio Carvajal
VIP Alumni
VIP Alumni

‎01-13-2014 10:33 AM

Hello Bryan,

Remember that there is a default deny ip any any at the bootom of each ACL so it's expected to see a LOT of ACL drops even more if the ASA sits on the edge of the network so no need to worry about it.

That being said if you want to see that you could enable logging on the FW and then look for the Message ID

106023.

Remember to add the keyword log to the implicit deny at the end of each ACL as it does not log anything by default

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.co

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

bryanrobh
Level 1
Level 1
In response to Julio Carvajal

‎01-13-2014 10:47 AM

I added the log keyword on to the ACL line that I want to verify the traffic is passing from.  I am just trying to make sure traffic from a specific IP is getting through.

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to bryanrobh

‎01-13-2014 10:51 AM

Hello Bryan,

You could do

show logging | include x.x.x.x (IP address of the Host)

Or even better and more Advanced

cap asp type asp-drop all circular-buffer

Then try to connect via the host that you want to test if it's allowed through the firewall

and then

show cap asp | include x.x.x.x (IP of the host)

If you see any output there then those packets shown in the capture are being dropped by the ASA.

If u do not see any FW is letting that traffic to go through

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

bryanrobh
Level 1
Level 1
In response to bryanrobh

‎01-13-2014 10:57 AM

Thanks for this command I will try it out now.  This should have no effects on my traffic or slow it down correct? 

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to bryanrobh

‎01-13-2014 11:00 AM

Hello,

It wil capture a bunch of traffic but no, I have not see it cause any issues in my entire TAC experience so no worries.

After the test do:

no cap asp

That's all and by the way Bryan Remember to rate all of the helpful posts such as the ones I provided in this posts

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Jouni Forss
VIP Alumni
VIP Alumni

‎01-13-2014 10:34 AM

Hi,

I can't give you an 100% answer but to my understanding in the following conditions atleast the counter above increases

  • Traffic dropped by "security-level" check when not using ACLs on the interface (traffic from lower to higher denied)
  • Traffic is dropped by interface "access-list" attached with "access-group" command
  • Traffic is dropped by having the interfaces "security-level" equal and have not used "same-security-traffic " to enable it. (Even if ACLs are configured you will need this

As I said I can't say this for 100% certainty but the above situation sure do end with a ACL drop when you are testing with "packet-tracer". Unless I have remembered something wrong.

I'd assume that most of these ACL drop result in traffic hitting your ASAs external interface connected to Internet. There is usually constant scanning traffic day by day that increases the counter.

- Jouni

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card