VDI traffic issues

prashantrecon
Level 1

Hi All,

We are facing a problem while accessing a virtual machine with Citrix clients.

It works properly when we disable the IPS.

As soon as the IPS is enabled it hangs. As checked with captures, we found the packets were out of order.

So we increased our queue limit to 250 on the firewall for that traffic. Even so, it is not working.

Are there any particular signatures we need to disable for this?

7 Replies

Julio Carvajal
VIP Alumni

Hello Prashant Kumar,

Can you go to the IPS and check the event store to see if a signature was triggered while you attempt to connect:

show statistics virtual-sensor

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi ,

Thanks for reply

I am checking with the Cisco IME real-time log viewer and I am not seeing any alert for that source IP.

Regards,

Prashant

Hello Prashant,

Okay, so no alerts.

Do you see any hits on the show command I gave you (you should see all the signatures being triggered and the number of times they have been triggered)?

Also, OOO packets are not expected on a network with a FW or IPS, due to how the normalizer engine works. In this case the firewall will gather all the OOO packets and place them into a queue until all packets reach the box; then they will be ordered, and afterwards they will be sent to the IPS (this is where latency comes in). Then the IPS normalizer is really strict with TCP flows, so the same will happen there.

How many OOO are you seeing?

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

Below is the output of sh asp drop:

asa# sh asp drop

Frame drop:
  Invalid TCP Length (invalid-tcp-hdr-length)                               2739
  Invalid UDP Length (invalid-udp-length)                                  17566
  No valid adjacency (no-adjacency)                                       653905
  No route to host (no-route)                                             345270
  Reverse-path verify failed (rpf-violated)                            388748876
  Flow is denied by configured rule (acl-drop)                          36060607
  Flow denied due to resource limitation (unable-to-create-flow)         6791470
  Invalid SPI (np-sp-invalid-spi)                                          12834
  NAT-T keepalive message (natt-keepalive)                               2554723
  First TCP packet not SYN (tcp-not-syn)                                17005256
  Bad TCP flags (bad-tcp-flags)                                           225404
  TCP data send after FIN (tcp-data-past-fin)                                401
  TCP failed 3 way handshake (tcp-3whs-failed)                           1195674
  TCP RST/FIN out of order (tcp-rstfin-ooo)                              9044823
  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                        139054
  TCP ACK in SYNACK invalid (tcp-ack-syn-diff)                                 2
  TCP SYNACK on established conn (tcp-synack-ooo)                          49477
  TCP packet SEQ past window (tcp-seq-past-win)                          1591164
  TCP invalid ACK (tcp-invalid-ack)                                        81679
  TCP replicated flow pak drop (tcp-fo-drop)                                1729
  TCP ACK in 3 way handshake invalid (tcp-discarded-ooo)                    2235
  TCP Out-of-Order packet buffer full (tcp-buffer-full)                  5059051
  TCP global Out-of-Order packet buffer full (tcp-global-buffer-full)         20
  TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout)            4861218
  TCP RST/SYN in window (tcp-rst-syn-in-win)                              380728
  TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue)            35381750
  TCP packet failed PAWS test (tcp-paws-fail)                             429340
  IPSEC tunnel is down (ipsec-tun-down)                                    10495
  Early security checks failed (security-failed)                          108781
  Slowpath security checks failed (sp-security-failed)                    139185
  IP option drop (invalid-ip-option)                                       11991
  Expired flow (flow-expired)                                              31251
  ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched)         49
  ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn)                                 22232
  DNS Inspect invalid packet (inspect-dns-invalid-pak)                        30
  DNS Inspect invalid domain label (inspect-dns-invalid-domain-label)        191
  DNS Inspect packet too long (inspect-dns-pak-too-long)                  993166
  DNS Inspect id not matched (inspect-dns-id-not-matched)                 114282
  IPS Module requested drop (ips-request)                                 658857
  FP L2 rule drop (l2_acl)                                             108072704
  Interface is down (interface-down)                                       24066
  Dropped pending packets in a closed socket (np-socket-closed)            14775

Last clearing: Never

Flow drop:
  Flow is denied by access rule (acl-drop)                                 67336
  Flow terminated by IPS (ips-request)                                     11290
  NAT failed (nat-failed)                                                  52090
  NAT reverse path failed (nat-rpf-failed)                                 41358
  Tunnel being brought up or torn down (tunnel-pending)                        2
  Need to start IKE negotiation (need-ike)                                 47678
  Inspection failure (inspect-fail)                                       685750
  SSL received close alert (ssl-received-close-alert)                         40
  IPSec inner policy mismatch failure (ipsec-selector-failure)               126

I am having some doubt about the ISP. I have changed the ISP to the secondary one and from now on performance is stable.

Is it possible that, even though I am not getting any event on Cisco IME, the IPS could cause such a problem?

Regards,

Prashant
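To make a counter dump like the one above quicker to read, here is an added Python triage script. It is not code from the thread or from Cisco: it parses show asp drop output into its Frame drop and Flow drop sections, totals the drop reasons tied to the ASA's TCP out-of-order (OOO) reassembly queue, and puts them next to the IPS-requested drops so the two explanations discussed in this thread can be compared from one output. Which reason codes are treated as OOO-related is the script's own grouping (an assumption, not an ASA-defined list), and the embedded sample is an excerpt of the output posted above with the counts unchanged.

```python
"""Triage helper for Cisco ASA `show asp drop` output.

Added example (not from the thread): it parses the Frame drop / Flow drop
sections and totals the counters the ASA TCP normalizer increments when a
flow cannot be reordered, so an operator can tell whether out-of-order
(OOO) handling, rather than an IPS signature, is what discards VDI traffic.
"""
import re

# Reason codes as the ASA prints them in parentheses. Treating this set as
# "OOO-queue related" is this script's own grouping, not an ASA-defined list.
OOO_REASONS = frozenset({
    "tcp-rstfin-ooo",          # RST/FIN arrived out of order
    "tcp-synack-ooo",          # SYN/ACK seen on an established connection
    "tcp-discarded-ooo",       # ACK in the 3-way handshake discarded
    "tcp-buffer-full",         # per-flow OOO queue (queue-limit) exhausted
    "tcp-global-buffer-full",  # box-wide OOO buffer exhausted
    "tcp-buffer-timeout",      # queued segments aged out before the gap filled
    "tcp-dup-in-queue",        # retransmission of a segment already queued
})

# Matches "  <description> (<reason-code>)   <count>"
COUNTER_RE = re.compile(r"^\s*(?P<desc>.+?)\s+\((?P<code>[\w-]+)\)\s+(?P<count>\d+)\s*$")


def parse_asp_drop(text):
    """Map each section ("Frame drop", "Flow drop") to {reason_code: count}."""
    sections = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("drop:"):          # "Frame drop:" / "Flow drop:"
            current = stripped[:-1]
            sections[current] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            sections[current][m.group("code")] = int(m.group("count"))
    return sections


def ooo_summary(sections):
    """Total the OOO-related frame drops and set them beside the IPS drops."""
    frame = sections.get("Frame drop", {})
    flow = sections.get("Flow drop", {})
    ooo = {code: n for code, n in frame.items() if code in OOO_REASONS}
    frame_total = sum(frame.values())
    ooo_total = sum(ooo.values())
    return {
        "ooo_counters": ooo,
        "ooo_total": ooo_total,
        "frame_total": frame_total,
        "ooo_share": ooo_total / frame_total if frame_total else 0.0,
        "ips_frame_drops": frame.get("ips-request", 0),  # packets the IPS asked to drop
        "ips_flow_drops": flow.get("ips-request", 0),    # flows the IPS terminated
    }


def top_reasons(sections, section="Frame drop", n=5):
    """Reason codes with the highest counts in one section, largest first."""
    counters = sections.get(section, {})
    return sorted(counters.items(), key=lambda kv: kv[1], reverse=True)[:n]


# Excerpt of the output posted in the thread (a subset of lines; counts unchanged).
SAMPLE = """\
asa# sh asp drop

Frame drop:
  Invalid TCP Length (invalid-tcp-hdr-length)                               2739
  First TCP packet not SYN (tcp-not-syn)                                17005256
  TCP RST/FIN out of order (tcp-rstfin-ooo)                              9044823
  TCP SYNACK on established conn (tcp-synack-ooo)                          49477
  TCP ACK in 3 way handshake invalid (tcp-discarded-ooo)                    2235
  TCP Out-of-Order packet buffer full (tcp-buffer-full)                  5059051
  TCP global Out-of-Order packet buffer full (tcp-global-buffer-full)         20
  TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout)            4861218
  TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue)            35381750
  IPS Module requested drop (ips-request)                                 658857

Last clearing: Never

Flow drop:
  Flow is denied by access rule (acl-drop)                                 67336
  Flow terminated by IPS (ips-request)                                     11290
"""

if __name__ == "__main__":
    parsed = parse_asp_drop(SAMPLE)
    summary = ooo_summary(parsed)
    print("Top frame-drop reasons:")
    for code, count in top_reasons(parsed):
        print(f"  {code:28s} {count:>12,d}")
    print(f"OOO-related frame drops: {summary['ooo_total']:,d} "
          f"({summary['ooo_share']:.1%} of {summary['frame_total']:,d})")
    print(f"IPS-requested drops: {summary['ips_frame_drops']:,d} packets, "
          f"{summary['ips_flow_drops']:,d} flows")
```

Run it as a script, or paste a full show asp drop capture into parse_asp_drop(). The per-flow queue that tcp-buffer-full and tcp-buffer-timeout report on is the queue-limit of an ASA tcp-map (0 to 250 packets, with an optional timeout), applied through set connection advanced-options under the relevant class in the policy-map; 250 is therefore already the ceiling the original post raised it to, so a tcp-buffer-full count that keeps climbing at that setting means the segments are being reordered on the path before the firewall sees them, which is consistent with the thread's conclusion that the ISP link, not a signature, was the cause.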

Hello Prashant,

There is a huge amount of drops due to OOO packets in your network.

Before the ASA can send the traffic to the IPS it must be normalized, so yes, if traffic can't be normalized it will be dropped.

Glad to see it is good at the moment.

Do you have any other question?

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi

I am not able to conclude whether the problem was solved by changing the ISP or shutting down the IPS.

As of now the IPS is on. So did the problem occur due to the ISP as well?

Exactly,

The traffic patterns that you were receiving from the IPS were harming the network (OOO traffic), which causes several performance problems.

Regards

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC