cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1280
Views
0
Helpful
2
Replies
Highlighted
Frequent Contributor

slow, intermittent Internet access with ASA

Users are reporting lots of problem with the Internet at my office.  Mostly slow speeds and pages that do not fully load.  I did a "sho asp drop" on the ASA and got the info below.  Not sure what is OK or not but the large amount of out-of-order buffer full errors worry me.  Would appreciates comments and/or suggestions.

Thanks,

Diego

 

Frame drop:

  Invalid TCP Length (invalid-tcp-hdr-length)                                 39

  Invalid UDP Length (invalid-udp-length)                                     18

  No valid adjacency (no-adjacency)                                       124426

  No route to host (no-route)                                             326260

  Flow is denied by configured rule (acl-drop)                          30027270

  First TCP packet not SYN (tcp-not-syn)                                 4720710

  Bad TCP flags (bad-tcp-flags)                                               54

  TCP Dual open denied (tcp-dual-open)                                      3154

  TCP data send after FIN (tcp-data-past-fin)                                 54

  TCP failed 3 way handshake (tcp-3whs-failed)                            563461

  TCP RST/FIN out of order (tcp-rstfin-ooo)                                25702

  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                          1039

  TCP SYNACK on established conn (tcp-synack-ooo)                            789

  TCP packet SEQ past window (tcp-seq-past-win)                            28464

  TCP invalid ACK (tcp-invalid-ack)                                          212

  TCP Out-of-Order packet buffer full (tcp-buffer-full)                185256835

  TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout)            1934908

  TCP RST/SYN in window (tcp-rst-syn-in-win)                               32239

  TCP packet failed PAWS test (tcp-paws-fail)                              79193

  ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched)         86

  ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn)                                    21

  DNS Inspect invalid packet (inspect-dns-invalid-pak)                     11359

  DNS Inspect invalid domain label (inspect-dns-invalid-domain-label)        514

  DNS Inspect id not matched (inspect-dns-id-not-matched)                  91686

  Interface is down (interface-down)                                           3

2 REPLIES 2
Highlighted

Hello Diego,

Can you share the following:

-show service-policy

-sh interface | include errors

Regards,

Julio

Rate all the posts that help

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Highlighted

HTH,

Global policy:

  Service-policy: global_policy

    Class-map: inspection_default

      Inspect: dns preset_dns_map, packet 52062477, drop 103719, reset-drop 0

      Inspect: ftp, packet 10673793, drop 0, reset-drop 0

      Inspect: h323 h225 _default_h323_map, packet 30, drop 0, reset-drop 0

               tcp-proxy: bytes in buffer 0, bytes dropped 0

      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0

      Inspect: netbios, packet 613535, drop 0, reset-drop 0

      Inspect: rsh, packet 0, drop 0, reset-drop 0

      Inspect: rtsp, packet 7899930, drop 0, reset-drop 0

               tcp-proxy: bytes in buffer 0, bytes dropped 0

      Inspect: skinny , packet 321194, drop 0, reset-drop 0

               tcp-proxy: bytes in buffer 0, bytes dropped 50

      Inspect: esmtp _default_esmtp_map, packet 28879288, drop 213, reset-drop 0

      Inspect: sqlnet, packet 6, drop 0, reset-drop 0

               tcp-proxy: bytes in buffer 0, bytes dropped 0

      Inspect: sunrpc, packet 0, drop 0, reset-drop 0

               tcp-proxy: bytes in buffer 0, bytes dropped 0

      Inspect: tftp, packet 20157, drop 0, reset-drop 0

      Inspect: sip , packet 10513, drop 0, reset-drop 0

               tcp-proxy: bytes in buffer 0, bytes dropped 0

      Inspect: xdmcp, packet 0, drop 0, reset-drop 0

      Inspect: http, packet 3977754678, drop 0, reset-drop 0

    Class-map: class_ftp

      Inspect: ftp, packet 0, drop 0, reset-drop 0

Asa#

Asa#

Asa# show interface | include errors

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 output errors, 0 collisions, 2 interface resets

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 output errors, 7997 collisions, 0 interface resets

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 output errors, 0 collisions, 0 interface resets

        225 input errors, 0 CRC, 0 frame, 225 overrun, 0 ignored, 0 abort

        0 output errors, 0 collisions, 5 interface resets

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 output errors, 0 collisions, 0

Thank you,

Diego

Content for Community-Ad