Interface Cisco asa

Dear Support,

I have some slowness in my network for outbound Internet. When I checked the interface connected to outside, I see many packets dropped. What can I do to solve it? Below is the interface detail.

Thanks in advance for your support!

 

       92152990 packets input, 82476010121 bytes, 0 no buffer
       Received 952 broadcasts, 0 runts, 0 giants
       9163 input errors, 0 CRC, 0 frame, 9163 overrun, 0 ignored, 0 abort
       0 L2 decode drops
       66751232 packets output, 25866291828 bytes, 11459 underruns
       0 pause output, 0 resume output
       3598 output errors, 3308486 collisions, 3 interface resets
       1650813 late collisions, 16954694 deferred
       0 input reset drops, 269 output reset drops, 1 tx hangs
       input queue (blocks free curr/low): hardware (255/230)
       output queue (blocks free curr/low): hardware (255/0)
 Traffic Statistics for "outside":
       92146526 packets input, 80788829477 bytes
       68417472 packets output, 26568578588 bytes
       8155198 packets dropped
     1 minute input rate 2580 pkts/sec,  2641904 bytes/sec
     1 minute output rate 1750 pkts/sec,  414450 bytes/sec
     1 minute drop rate, 160 pkts/sec
     5 minute input rate 2129 pkts/sec,  1940579 bytes/sec
     5 minute output rate 1984 pkts/sec,  446397 bytes/sec
     5 minute drop rate, 159 pkts/sec
 Control Point Interface States:
       Interface number is 3
       Interface config status is active
       Interface state is active

Accepted Solution

While the discussion of drops from policy is interesting I do not believe that it is the fundamental problem. I believe that the fundamental problem is a mismatch of duplex settings. Looking at the output from the ASA the number of collisions and especially of late collisions suggests that the ASA is operating in half duplex mode.

3598 output errors, 3308486 collisions, 3 interface resets
       1650813 late collisions, 16954694 deferred

 

There is not anything in the output that specifically identifies the duplex setting of the ASA but I would guess that the ASA is set for the default which is to negotiate duplex. The output from the Border router is quite clear that negotiation is disabled and the router is operating in full duplex. When the ASA attempts to negotiate duplex but the router does not negotiate then the result is that the ASA would operate in half duplex mode. In half duplex mode there are lots of collisions and late collisions all of which are partial frames that were discarded and had to be re-transmitted and that can have significant impact on throughput.

 

My suggestion is to hard code duplex on the ASA. Give it a try and let us know if performance improves.

 

HTH

 

Rick

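The diagnosis above rests on reading the collision counters by eye. As an added example (not Cisco's code and not from any poster in this thread), the Python below parses the counter block pasted in the original question and applies the same reasoning mechanically: a full-duplex port never detects collisions, so any late collisions, together with collisions above a small fraction of output frames, point to a half-duplex port. The one-percent threshold is an assumed heuristic, not an ASA documented value.

```python
"""Flag a likely duplex mismatch from Cisco ASA 'show interface' counters.

Added example for this thread (not Cisco's code or a poster's). The sample
text is the counter block pasted in the original question; the thresholds
are assumed heuristics, not ASA documentation values.
"""
from __future__ import annotations

import re

# Counter block as pasted in the question (verbatim, so the numbers are real).
SAMPLE_SHOW_INTERFACE = """\
       92152990 packets input, 82476010121 bytes, 0 no buffer
       Received 952 broadcasts, 0 runts, 0 giants
       9163 input errors, 0 CRC, 0 frame, 9163 overrun, 0 ignored, 0 abort
       0 L2 decode drops
       66751232 packets output, 25866291828 bytes, 11459 underruns
       0 pause output, 0 resume output
       3598 output errors, 3308486 collisions, 3 interface resets
       1650813 late collisions, 16954694 deferred
       0 input reset drops, 269 output reset drops, 1 tx hangs
"""

# Each pattern captures the number that precedes a counter label.
# The lookbehind keeps "collisions" from matching inside "late collisions".
_PATTERNS = {
    "packets_input": r"(\d+) packets input",
    "packets_output": r"(\d+) packets output",
    "input_errors": r"(\d+) input errors",
    "overrun": r"(\d+) overrun",
    "output_errors": r"(\d+) output errors",
    "collisions": r"(?<!late )(\d+) collisions",
    "late_collisions": r"(\d+) late collisions",
    "deferred": r"(\d+) deferred",
    "underruns": r"(\d+) underruns",
}


def parse_counters(text: str) -> dict[str, int]:
    """Extract the named counters; a counter absent from the text is reported as 0."""
    counters = {}
    for name, pattern in _PATTERNS.items():
        m = re.search(pattern, text)
        counters[name] = int(m.group(1)) if m else 0
    return counters


def diagnose(counters: dict[str, int]) -> dict:
    """Return collision ratios, a list of findings and a half-duplex verdict.

    Heuristic (assumed, not official): late collisions on a link that should be
    full duplex are always abnormal; a collision ratio above 1% of transmitted
    frames makes a duplex mismatch the leading explanation for throughput loss.
    """
    out = max(counters["packets_output"], 1)  # avoid division by zero on an idle port
    collision_ratio = counters["collisions"] / out
    deferred_ratio = counters["deferred"] / out
    findings = []
    if counters["late_collisions"] > 0:
        findings.append("late collisions present: the peer transmitted while we were "
                        "sending, which only happens on a half-duplex segment")
    if collision_ratio > 0.01:
        findings.append(f"collisions are {collision_ratio:.1%} of output frames")
    if counters["overrun"] > 0:
        findings.append(f"{counters['overrun']} overruns: the NIC could not drain its "
                        "receive FIFO in time")
    return {
        "collision_ratio": collision_ratio,
        "deferred_ratio": deferred_ratio,
        "half_duplex_suspected": counters["late_collisions"] > 0 and collision_ratio > 0.01,
        "findings": findings,
    }


if __name__ == "__main__":
    counters = parse_counters(SAMPLE_SHOW_INTERFACE)
    verdict = diagnose(counters)
    for finding in verdict["findings"]:
        print("-", finding)
    print("half-duplex suspected:", verdict["half_duplex_suspected"])
```

Run it against your own `show interface` paste; a port that is genuinely full duplex should produce no late-collision finding at all, and the collision ratio tells you how much of the transmit budget is being burned on retransmission rather than on traffic.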

17 Replies

Seb Rupik
VIP Alumni

Hi there,

You would expect to see interface drops on your outside interface; this is your firewall policy at work:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113680-pdc-show-output.html

 

With regard to the slowness of internet-bound traffic, if you ran a series of traceroutes to an outside internet IP address, does the latency always increase once the traffic is past the ASA?

 

Looking at your input/output rates (bytes/sec) you are nowhere near the lowest-spec ASA's maximum throughput. What model are you running? Were these interface stats taken at roughly peak time?

 

cheers,

Seb.

Hi Seb,

 

thanks for your reply.

I ran a ping to the internet (8.8.8.8) from the outside interface and a traceroute to www.google.com; below is the result, taken when there was no peak time.

ASA# ping outside 8.8.8.8 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!?!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
?!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!?!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!?!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!?!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!?!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!?!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!?!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!?!!!!!!!!!!!!!?!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!?!!!!!!!!!?!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 98 percent (988/1000), round-trip min/avg/max = 60/66/140 ms

ASA# traceroute www.google.com source outside

Type escape sequence to abort.
Tracing the route to 216.58.208.4

 1  X.X.X.X 10 msec 0 msec 0 msec
 2  lis2-br1-posch1.cprm.net (195.8.10.89) 60 msec 70 msec 60 msec
 3  lis2-cr1-te0-0-13.cprm.net (195.8.1.53) 70 msec 60 msec 70 msec
 4  googlept2.cprm.net (195.8.10.102) 70 msec 70 msec 70 msec
 5  216.239.49.127 60 msec 70 msec 60 msec
 6  www.google.com (216.58.208.4) 70 msec 60 msec 70 msec

 

ASA# sh asp drop

Frame drop:
  Invalid encapsulation (invalid-encap)                                    16054
  Invalid TCP Length (invalid-tcp-hdr-length)                                  3
  Invalid UDP Length (invalid-udp-length)                                      4
  No valid adjacency (no-adjacency)                                         1072
  No route to host (no-route)                                              37412
  Flow is denied by configured rule (acl-drop)                          11023385
  First TCP packet not SYN (tcp-not-syn)                                  146291
  Bad TCP flags (bad-tcp-flags)                                             1101
  TCP Dual open denied (tcp-dual-open)                                      3689
  TCP data send after FIN (tcp-data-past-fin)                                  4
  TCP failed 3 way handshake (tcp-3whs-failed)                             26285
  TCP RST/FIN out of order (tcp-rstfin-ooo)                                72274
  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                          3553
  TCP SYNACK on established conn (tcp-synack-ooo)                           1271
  TCP packet SEQ past window (tcp-seq-past-win)                              749
  TCP invalid ACK (tcp-invalid-ack)                                         1362
  TCP ACK in 3 way handshake invalid (tcp-discarded-ooo)                       1
  TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout)                  6
  TCP RST/SYN in window (tcp-rst-syn-in-win)                                2468
  TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue)               11276
  TCP packet failed PAWS test (tcp-paws-fail)                               1671
  CTM returned error (ctm-error)                                               1
  IPSEC tunnel is down (ipsec-tun-down)                                       44
  Early security checks failed (security-failed)                           29517
  Slowpath security checks failed (sp-security-failed)                2130928896
  IP option drop (invalid-ip-option)                                          57
  ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched)      16878
  DNS Inspect invalid packet (inspect-dns-invalid-pak)                        65
  DNS Inspect invalid domain label (inspect-dns-invalid-domain-label)        109
  DNS Inspect packet too long (inspect-dns-pak-too-long)                       1
  DNS Inspect id not matched (inspect-dns-id-not-matched)                   1331
  FP L2 rule drop (l2_acl)                                                   889
  Interface is down (interface-down)                                           5
  Dropped pending packets in a closed socket (np-socket-closed)             1846
  SVC Module does not have a session (mp-svc-no-session)                     600
  SVC Module is in flow control (mp-svc-flow-control)                        577
  SVC Module unable to fragment packet (mp-svc-no-fragment)                    1

Last clearing: Never

Flow drop:
  NAT failed (nat-failed)                                                 151030
  NAT reverse path failed (nat-rpf-failed)                                    20
  Need to start IKE negotiation (need-ike)                                 58836
  Inspection failure (inspect-fail)                                         1858
  SSL bad record detected (ssl-bad-record-detect)                            199
  SSL handshake failed (ssl-handshake-failed)                                732
  SSL malloc error (ssl-malloc-error)                                          1
  SSL received close alert (ssl-received-close-alert)                         98
  IPSec inner policy mismatch failure (ipsec-selector-failure)              4760
  SVC replacement connection established (svc-replacement-conn)               55

Last clearing: Never
 

Hi Seb,

My ASA version is:

Cisco Adaptive Security Appliance Software Version 8.3(1)
Device Manager Version 6.3(1)

Compiled on Thu 04-Mar-10 16:56 by builders
System image file is "disk0:/asa831-k8.bin"
Config file at boot was "startup-config"

vpnserver up 1 day 4 hours

Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06

Hello again,

Focusing on your slow outbound internet connection, my attention is drawn to the huge increase in latency between your first and second hops. Do you own the first hop router, or is your ASA directly connected to your ISP? I would suggest that the link between the first and second hop routers is the source of congestion.

 

Also of interest is that in 28 hours of uptime you have accumulated so many slow path security failures, disproportionate to any other drops. Details on the causes can be found here:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s3.html#pgfId-1509661

You could attempt to capture some of the traffic to analyse the traffic in question:

asa# capture asp-drop type asp-drop all

asa# sh capture asp-drop

 

...looking for the 'sp-security-failed' items.

 

Of concern is that you are running a version of code that has had an EOL notice put on it and has not received any updates since 2010! I would suggest you upgrade to 9.1.5ED .

 

cheers,

Seb.

Hi Seb,

Thanks for your reply,

The result of command:

2264: 08:49:24.151466 192.168.180.100.137 > 192.168.183.255.137:  udp 50
2265: 08:49:24.180273 41.74.173.145.45605 > 41.219.0.149.22041:  udp 20
2266: 08:49:24.180883 41.74.173.145.51190 > 41.219.0.149.22041: S 2752962352:275
2962352(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
2267: 08:49:24.181692 31.24.247.172.59239 > 41.219.0.149.37505:  udp 103
2268: 08:49:24.184469 195.154.112.239.34164 > 41.219.0.149.50297: S 1072726133:1
072726133(0) win 7300 <mss 1460,sackOK,timestamp 1418868848 0,nop,wscale 0>
2269: 08:49:24.216541 109.29.213.105.24874 > 41.219.0.149.60090:  udp 30
2270: 08:49:24.219760 82.66.29.63.59095 > 41.219.0.149.54862: S 2778699863:27786
99863(0) win 65535 <mss 1460,nop,wscale 4,nop,nop,timestamp 393502071 0,sackOK,e
ol>
2271: 08:49:24.219867 94.23.253.33.42721 > 41.219.0.149.22041: S 3884965240:3884
965240(0) win 14600 <mss 1460,sackOK,timestamp 113703367 0,nop,wscale 7>
2272: 08:49:24.307814 94.23.227.43.41653 > 41.219.0.149.22041: S 3222299925:3222
299925(0) win 14600 <mss 1460,sackOK,timestamp 113716844 0,nop,wscale 7>
2273: 08:49:24.329771 2.8.174.66.62099 > 41.219.0.149.18780: . ack 2850470406 wi
n 258
2274: 08:49:24.336042 83.204.240.151.26993 > 41.219.0.149.60090:  udp 103
2275: 08:49:24.345654 78.249.178.183 > 41.219.0.149: icmp: host 78.249.178.183 u
nreachable
2276: 08:49:24.345715 78.249.178.183 > 41.219.0.149: icmp: host 78.249.178.183 u
nreachable
2277: 08:49:24.347073 83.204.240.151.62288 > 41.219.0.149.60090: S 3609742567:36
09742567(0) win 8192 <mss 1452,nop,wscale 8,nop,nop,sackOK>
2278: 08:49:24.354611 83.204.240.151.26993 > 41.219.0.149.60090:  udp 20
2279: 08:49:24.374141 90.35.135.67.56348 > 41.219.0.149.22041:  udp 103
2280: 08:49:24.398065 190.203.211.12.49601 > 41.219.0.149.60090: S 2459221343:24
59221343(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
2281: 08:49:24.418679 85.169.124.59.51413 > 41.219.0.149.37505:  udp 30
2282: 08:49:24.444785 88.169.120.140.49659 > 41.219.0.149.32557: S 2704948494:27
04948494(0) win 8192 <mss 1460,nop,nop,sackOK>
2283: 08:49:24.478338 186.19.159.121.53489 > 41.219.0.149.60090: S 3923075105:39
23075105(0) win 8192 <mss 1460,nop,nop,sackOK>
2284: 08:49:24.482549 217.171.85.20 > 41.219.0.149: icmp: 217.171.85.20 udp port
 11182 unreachable
2285: 08:49:24.483526 82.238.73.67 > 41.219.0.149: icmp: host 82.238.73.67 unrea
chable
2286: 08:49:24.483953 82.238.73.67 > 41.219.0.149: icmp: host 82.238.73.67 unrea
chable
2287: 08:49:24.512623 41.214.137.18 > 41.219.0.149: icmp: 41.214.137.18 udp port
 12703 unreachable
2288: 08:49:24.523227 109.89.59.89.50120 > 41.219.0.149.22041: S 3505614288:3505
614288(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
2289: 08:49:24.526324 196.206.236.66.42214 > 41.219.0.149.60090:  udp 20
2290: 08:49:24.531924 91.121.133.35.55561 > 41.219.0.149.60090: S 436309326:4363
09326(0) win 7300 <mss 1460,sackOK,timestamp 3981886962 0,nop,wscale 0>
2291: 08:49:24.543093 80.248.71.109.28478 > 41.219.0.149.22041:  udp 103
2292: 08:49:24.545137 192.168.180.242.137 > 192.168.180.255.137:  udp 50
2293: 08:49:24.570679 83.157.60.192.62909 > 41.219.0.149.22041: S 681224652:6812
24652(0) win 8192 <mss 1460,nop,nop,sackOK>
2294: 08:49:24.618467 90.28.48.40.65093 > 41.219.0.149.54830: S 1710163262:17101
63262(0) win 8192 <mss 1452,nop,nop,sackOK>
2295: 08:49:24.667079 196.2.8.135 > 41.219.0.149: icmp: 196.2.8.135 udp port 165
08 unreachable
2296: 08:49:24.685465 80.248.71.109.28478 > 41.219.0.149.22041:  udp 20
2297: 08:49:24.685816 80.248.71.109.56229 > 41.219.0.149.22041: S 1468693683:146
8693683(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
2298: 08:49:24.701700 66.220.158.19.443 > 41.219.0.149.46405: FP 2973371564:2973
371640(76) ack 1080905535 win 70 <nop,nop,timestamp 917435722 1013758>
2299: 08:49:24.730507 92.11.68.8.53186 > 41.219.0.149.37505: S 3136990187:313699
0187(0) win 8192 <mss 1460,nop,wscale 2,sackOK,timestamp 46167513 0>
2300: 08:49:24.733452 109.236.152.178.59207 > 41.219.0.149.22041: S 3793560658:3
793560658(0) win 64240 <mss 1460,nop,nop,nop,nop,nop,nop,nop,nop>
2301: 08:49:24.747153 103.17.45.192.54535 > 41.219.0.149.22041: S 2086557526:208
6557526(0) win 8192 <mss 1452,nop,wscale 8,nop,nop,sackOK>
2302: 08:49:24.772771 162.40.22.156.56001 > 41.219.0.149.60090:  udp 103
2303: 08:49:24.787923 176.185.4.88.59205 > 41.219.0.149.22041:  udp 20
2304: 08:49:24.789677 31.36.180.185.1024 > 41.219.0.149.22041:  udp 103
2305: 08:49:24.824542 88.186.171.74.17015 > 41.219.0.149.37505:  udp 20
2306: 08:49:24.825320 195.24.205.68 > 41.219.0.149: icmp: 195.24.205.68 udp port
 32320 unreachable
2307: 08:49:24.852739 92.11.68.8.33693 > 41.219.0.149.37505:  udp 20
2308: 08:49:24.860047 213.55.40.10.55742 > 41.219.0.149.32557: S 3304147706:3304
147706(0) win 8192 <mss 1452,nop,wscale 2,nop,nop,sackOK>
2309: 08:49:24.860429 192.168.180.231.137 > 192.168.180.255.137:  udp 50
2310: 08:49:24.881088 81.66.55.121.52276 > 41.219.0.149.60090:  udp 103
2311: 08:49:24.883316 83.154.136.169.62400 > 41.219.0.149.60090: S 1466617632:14
66617632(0) win 65535 <mss 1460,nop,wscale 4,nop,nop,timestamp 1178373186 0,sack
OK,eol>
2312: 08:49:24.890533 88.127.5.99.13658 > 41.219.0.149.22041:  udp 103
2313: 08:49:24.904295 81.66.55.121.52276 > 41.219.0.149.60090:  udp 20
2314: 08:49:24.908583 81.66.55.121.60512 > 41.219.0.149.60090: S 2336178608:2336
178608(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
2315: 08:49:24.910048 83.157.60.192.62275 > 41.219.0.149.22041:  udp 20
2316: 08:49:24.912962 192.168.180.100.137 > 192.168.183.255.137:  udp 50
2317: 08:49:24.915266 109.89.59.89.36952 > 41.219.0.149.22041:  udp 20
2318: 08:49:24.927427 82.249.157.118.63659 > 41.219.0.149.22041: S 2198148055:21
98148055(0) win 8192 <mss 1412,nop,wscale 2,nop,nop,sackOK>
2319: 08:49:24.929135 176.183.193.182.56092 > 41.219.0.149.22041: S 2926422456:2
926422456(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
2320: 08:49:24.929257 176.183.193.182.64335 > 41.219.0.149.22041:  udp 20
2321: 08:49:24.973567 82.231.164.152.51824 > 41.219.0.149.37505: S 2121692109:21
21692109(0) win 29200 <mss 1460,sackOK,timestamp 129866140 0,nop,wscale 6>
2322: 08:49:24.978327 90.47.208.243.35061 > 41.219.0.149.60090:  udp 20
2323: 08:49:24.980204 82.228.140.174.56544 > 41.219.0.149.37505: S 3483115964:34
83115964(0) win 8192 <mss 1460,nop,nop,sackOK>
2324: 08:49:24.994089 41.82.154.76.33727 > 41.219.0.149.60090:  udp 103
2325: 08:49:25.045209 92.138.175.213.1148 > 41.219.0.149.10865:  udp 11
2326: 08:49:25.050915 41.92.205.157 > 41.219.0.149: icmp: 41.92.205.157 udp port
 11400 unreachable
2327: 08:49:25.072536 154.66.163.211.50819 > 41.219.0.149.60090: S 3060317020:30
60317020(0) win 8192 <mss 1452,nop,wscale 8,nop,nop,sackOK>
2328: 08:49:25.072765 78.129.77.162.42696 > 41.219.0.149.22041:  udp 103
2329: 08:49:25.098734 196.2.8.64 > 41.219.0.149: icmp: 196.2.8.64 udp port 16508
 unreachable
2330: 08:49:25.105814 93.31.98.183.52216 > 41.219.0.149.60090: S 933746014:93374
6014(0) win 8192 <mss 1460,nop,nop,sackOK>
2331: 08:49:25.116769 83.110.74.36.54618 > 41.219.0.149.22041: S 2434871502:2434
871502(0) win 8192 <mss 1452,nop,nop,sackOK>
2332: 08:49:25.135536 88.169.120.140.27884 > 41.219.0.149.32557:  udp 20
2333: 08:49:25.174887 103.17.45.192.55436 > 41.219.0.149.22041:  udp 20
2334: 08:49:25.174978 81.218.177.154.62442 > 41.219.0.149.60090:  udp 103
2335: 08:49:25.201527 197.0.63.14.10374 > 41.219.0.149.60090:  udp 103
2336: 08:49:25.207112 81.218.177.154.62442 > 41.219.0.149.60090:  udp 20
2337: 08:49:25.209507 78.222.235.134.62045 > 41.219.0.149.60090: S 3918001036:39
18001036(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
2338: 08:49:25.210178 81.218.177.154.53648 > 41.219.0.149.60090: S 2446910290:24
46910290(0) win 8192 <mss 1340,nop,wscale 2,nop,nop,sackOK>
2339: 08:49:25.215687 92.90.33.182.57066 > 41.219.0.149.22041: S 2853466296:2853
466296(0) win 65535 <mss 1460,nop,nop,sackOK>
2340: 08:49:25.222659 77.130.86.174.50399 > 41.219.0.149.22041:  udp 103
2341: 08:49:25.238513 41.200.37.230.62777 > 41.219.0.149.60090: S 353381025:3533
81025(0) win 8192 <mss 1412,nop,nop,sackOK>
2342: 08:49:25.243029 196.200.92.138.49742 > 41.219.0.149.37505:  udp 103
2343: 08:49:25.250643 192.168.180.151.33415 > 255.255.255.255.34569:  udp 20
2344: 08:49:25.251222 192.168.180.151.52286 > 255.255.255.255.34569:  udp 430
2345: 08:49:25.265657 118.179.245.182.61542 > 41.219.0.149.32557: S 3739984645:3
739984645(0) win 8192 <mss 1452,nop,nop,sackOK>
2346: 08:49:25.266801 78.129.122.64.64696 > 41.219.0.149.60090:  udp 20
2347: 08:49:25.266923 154.66.163.211.12682 > 41.219.0.149.60090:  udp 20
2348: 08:49:25.292663 192.168.180.242.137 > 192.168.180.255.137:  udp 50
2349: 08:49:25.303298 192.168.180.155.137 > 192.168.180.255.137:  udp 50
2350: 08:49:25.313567 195.8.10.89 > 41.219.0.149: icmp: time exceeded in-transit

2351: 08:49:25.320128 88.186.5.101.57739 > 41.219.0.149.22041: S 698706913:69870
6913(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
2352: 08:49:25.336377 82.66.29.63.59095 > 41.219.0.149.54862: S 2778699863:27786
99863(0) win 65535 <mss 1460,nop,wscale 4,nop,nop,timestamp 393503091 0,sackOK,e
ol>
2353: 08:49:25.340802 92.90.33.182.48552 > 41.219.0.149.22041:  udp 20
2354: 08:49:25.388071 192.168.180.212.51110 > 255.255.255.255.34569:  udp 549
2355: 08:49:25.409341 52.0.230.167 > 41.219.0.149: icmp: 52.0.230.167 udp port 5
4347 unreachable
2356: 08:49:25.415368 52.0.220.32 > 41.219.0.149: icmp: 52.0.220.32 udp port 562
65 unreachable
2357: 08:49:25.420510 188.165.238.74.45967 > 41.219.0.149.22041: S 3146719297:31
46719297(0) win 14600 <mss 1460,sackOK,timestamp 113682704 0,nop,wscale 7>
2358: 08:49:25.436455 88.10.130.136 > 41.219.0.149: icmp: 88.10.130.136 udp port
 35652 unreachable
2359: 08:49:25.446601 78.211.191.80.50392 > 41.219.0.149.54825: S 1358618645:135
8618645(0) win 8192 <mss 1460,nop,nop,sackOK>
2360: 08:49:25.497090 105.99.191.44.52262 > 41.219.0.149.32557:  udp 20
2361: 08:49:25.506916 93.31.98.183.14205 > 41.219.0.149.60090:  udp 20
2362: 08:49:25.521472 41.200.37.230.56641 > 41.219.0.149.60090:  udp 20
2363: 08:49:25.559816 91.178.151.15.49976 > 41.219.0.149.22041:  udp 20
2364: 08:49:25.560945 91.178.151.15.53114 > 41.219.0.149.22041: S 1966322166:196
6322166(0) win 8192 <mss 1448,nop,wscale 2,nop,nop,sackOK>
2365: 08:49:25.590530 109.29.213.105.17420 > 41.219.0.149.60090: S 2031332331:20
31332331(0) win 65535 <mss 1460,sackOK,eol>
2366: 08:49:25.594650 78.222.235.134.14948 > 41.219.0.149.60090:  udp 20
2367: 08:49:25.611800 194.125.224.89 > 41.219.0.149: icmp: 194.125.224.89 udp po
rt 27423 unreachable
2368: 08:49:25.613417 118.179.224.73.64752 > 41.219.0.149.32557: S 3739678963:37
39678963(0) win 8192 <mss 1452,nop,nop,sackOK>
2369: 08:49:25.624845 192.168.180.231.137 > 192.168.180.255.137:  udp 50
2370: 08:49:25.647320 190.23.171.37.18147 > 41.219.0.149.61346: R 0:0(0) ack 221
7778587 win 0
2371: 08:49:25.672770 192.168.180.160.49059 > 255.255.255.255.34569:  udp 549
2372: 08:49:25.677439 192.168.180.100.137 > 192.168.183.255.137:  udp 50
2373: 08:49:25.737739 2.11.212.216.18141 > 41.219.0.149.22041:  udp 103
2374: 08:49:25.742301 83.110.74.36.1492 > 41.219.0.149.22041:  udp 20
2375: 08:49:25.795521 66.220.158.19.443 > 41.219.0.149.15516: . 2074859345:20748
59409(64) ack 3469464365 win 60
2376: 08:49:25.803715 185.34.3.201.3372 > 41.219.0.149.37505:  udp 58
2377: 08:49:25.807895 41.202.219.182.41544 > 41.219.0.149.60090: S 2097105366:20
97105366(0) win 8192 <mss 1200,nop,wscale 8,nop,nop,sackOK>
2378: 08:49:25.808704 41.202.219.182.41549 > 41.219.0.149.60090:  udp 20
2379: 08:49:25.815265 90.56.156.248.56297 > 41.219.0.149.22041: S 921191500:9211
91500(0) win 8192 <mss 1452,nop,wscale 8,nop,nop,sackOK>
2380: 08:49:25.863663 41.82.165.19.62848 > 41.219.0.149.60090: S 1587338987:1587
338987(0) win 8192 <mss 1452,nop,wscale 8,nop,nop,sackOK>
2381: 08:49:25.863923 41.82.165.19.59028 > 41.219.0.149.60090:  udp 20
2382: 08:49:25.889144 192.168.180.178.59330 > 255.255.255.255.34569:  udp 558
2383: 08:49:25.892470 81.53.150.110.58484 > 41.219.0.149.22041: S 1815880144:181
5880144(0) win 8192 <mss 1452,nop,nop,sackOK>
2384: 08:49:25.914274 185.21.216.186 > 41.219.0.149: icmp: 185.21.216.186 udp po
rt 55736 unreachable
2385: 08:49:25.917249 95.18.199.94 > 41.219.0.149: icmp: 95.18.199.94 udp port 1
026 unreachable
2386: 08:49:25.923154 171.106.199.211.41217 > 41.219.0.149.11641:  udp 115
2387: 08:49:25.935803 103.28.220.77 > 41.219.0.149: icmp: 103.28.220.77 udp port
 5808 unreachable
2388: 08:49:25.952083 118.179.224.73.15290 > 41.219.0.149.32557:  udp 20
2389: 08:49:26.017409 41.190.227.110.11971 > 41.219.0.149.60090:  udp 67
2390: 08:49:26.020430 80.8.164.36.55419 > 41.219.0.149.43571: S 3712582558:37125
82558(0) win 8192 <mss 1452,nop,nop,sackOK>
2391: 08:49:26.026228 83.154.136.169.62400 > 41.219.0.149.60090: S 1466617632:14
66617632(0) win 65535 <mss 1460,nop,wscale 4,nop,nop,timestamp 1178374278 0,sack
OK,eol>
2392: 08:49:26.033018 82.232.166.106.63937 > 41.219.0.149.22041:  udp 20
2393: 08:49:26.035184 82.232.166.106.64534 > 41.219.0.149.22041: S 1376071515:13
76071515(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
2394: 08:49:26.042554 192.168.180.242.137 > 192.168.180.255.137:  udp 50
2395: 08:49:26.054913 192.168.180.155.137 > 192.168.180.255.137:  udp 50
2396: 08:49:26.070202 109.190.75.190.63253 > 41.219.0.149.37505:  udp 20
2397: 08:49:26.072460 109.213.105.18.54215 > 41.219.0.149.22041: S 3983839771:39
83839771(0) win 8192 <mss 1452,nop,nop,sackOK>
2398: 08:49:26.086329 77.207.144.160.47495 > 41.219.0.149.15239: . ack 140186709
6 win 0
2399: 08:49:26.097864 197.243.45.249 > 41.219.0.149: icmp: time exceeded in-tran
sit
2400: 08:49:26.161444 80.8.164.36.60580 > 41.219.0.149.43571:  udp 20
2401: 08:49:26.170843 109.21.240.71.2802 > 41.219.0.149.54873: S 672261857:67226
1857(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
2402: 08:49:26.194417 90.56.156.248.45811 > 41.219.0.149.22041:  udp 20
2403: 08:49:26.200856 115.126.163.92.53846 > 41.219.0.149.22041:  udp 20
2404: 08:49:26.202000 115.126.163.92.61000 > 41.219.0.149.22041: S 2293047420:22
93047420(0) win 8192 <mss 1452,nop,wscale 8,nop,nop,sackOK>
2405: 08:49:26.223865 94.23.253.33.42721 > 41.219.0.149.22041: S 3884965240:3884
965240(0) win 14600 <mss 1460,sackOK,timestamp 113703868 0,nop,wscale 7>
2406: 08:49:26.263475 192.168.180.231 > 203.205.136.100: icmp: echo reply
2407: 08:49:26.263765 118.179.254.12.57878 > 41.219.0.149.22041: S 1503945458:15
03945458(0) win 8192 <mss 1452,nop,wscale 2,sackOK,timestamp 2501181 0>
2408: 08:49:26.264039 197.243.45.254 > 41.219.0.149: icmp: time exceeded in-tran
sit
2409: 08:49:26.284454 65.55.83.123.443 > 192.168.183.174.49564: R 2214795413:221
4795413(0) ack 3081907405 win 0
2410: 08:49:26.293838 78.247.177.68.57891 > 41.219.0.149.22041: S 805684308:8056
84308(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
2411: 08:49:26.312453 78.247.177.68.37227 > 41.219.0.149.22041:  udp 20
2412: 08:49:26.318053 63.245.217.115.443 > 192.168.177.190.56954: R 1247976956:1
247976956(0) win 0
2413: 08:49:26.350857 213.223.47.238.53182 > 41.219.0.149.22041: S 2909938059:29
09938059(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
2414: 08:49:26.376002 41.86.235.111.56612 > 41.219.0.149.22041: S 2663588869:266
3588869(0) win 8192 <mss 1460,nop,nop,sackOK>
2415: 08:49:26.386347 85.26.123.60.43514 > 41.219.0.149.32557:  udp 20
2416: 08:49:26.386668 85.26.123.60.61634 > 41.219.0.149.32557: S 2323956869:2323
956869(0) win 8192 <mss 1460,nop,nop,sackOK>
2417: 08:49:26.394861 196.12.130.12 > 41.219.0.149: icmp: 196.12.130.12 udp port
 18694 unreachable
2418: 08:49:26.418237 88.188.33.76.63039 > 41.219.0.149.22041: S 10877401:108774
01(0) win 8192 <mss 1460,nop,nop,sackOK>
2419: 08:49:26.448661 192.168.190.72.52720 > 195.8.11.144.443: R 290639612:29063
9612(0) win 0
2420: 08:49:26.458029 105.97.248.52.11220 > 41.219.0.149.32557:  udp 20
2421: 08:49:26.460120 82.66.29.63.59095 > 41.219.0.149.54862: S 2778699863:27786
99863(0) win 65535 <mss 1460,nop,wscale 4,nop,nop,timestamp 393504117 0,sackOK,e
ol>
2422: 08:49:26.490453 109.213.105.18.13666 > 41.219.0.149.22041:  udp 20
2423: 08:49:26.499531 41.66.46.125.59147 > 41.219.0.149.60090: S 3474074600:3474
074600(0) win 8192 <mss 1452,nop,wscale 2,nop,nop,sackOK>
2424: 08:49:26.506901 54.192.62.211.80 > 41.219.0.149.23179: F 3970320360:397032
0360(0) ack 1895179505 win 115
2425: 08:49:26.577789 41.86.235.111.21861 > 41.219.0.149.22041:  udp 20
2426: 08:49:26.605361 84.55.161.8.35009 > 41.219.0.149.22041: S 873000726:873000
726(0) win 8192 <mss 1380,nop,nop,sackOK>
2427: 08:49:26.622114 88.123.217.48.63061 > 41.219.0.149.32557: S 379439898:3794
39898(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
2428: 08:49:26.623991 88.123.217.48.41794 > 41.219.0.149.32557:  udp 20
2429: 08:49:26.627058 66.220.158.19.443 > 41.219.0.149.46405: FP 2973371564:2973
371640(76) ack 1080905535 win 70 <nop,nop,timestamp 917437648 1013758>
2430: 08:49:26.656521 81.50.48.206.50150 > 41.219.0.149.22041: S 654525171:65452
5171(0) win 8192 <mss 1452,nop,nop,sackOK>
2431: 08:49:26.659694 23.103.189.125.443 > 192.168.180.100.54541: R 2011513555:2
011513555(0) ack 3800887460 win 0
2432: 08:49:26.668163 118.179.254.12.63268 > 41.219.0.149.22041:  udp 20
2433: 08:49:26.672572 93.4.8.156.24283 > 41.219.0.149.37505:  udp 103
2434: 08:49:26.717324 81.53.36.97.49509 > 41.219.0.149.32557:  udp 103
2435: 08:49:26.724617 90.18.14.227.44209 > 41.219.0.149.22041:  udp 20
2436: 08:49:26.727745 90.18.14.227.59828 > 41.219.0.149.22041: S 4175939826:4175
939826(0) win 8192 <mss 1452,nop,wscale 8,nop,nop,sackOK>
2437: 08:49:26.747382 41.189.32.73.33480 > 41.219.0.149.50694: P 2004020860:2004
021593(733) ack 3924015619 win 195
2438: 08:49:26.761725 88.188.33.76.56581 > 41.219.0.149.22041:  udp 20
2439: 08:49:26.795536 192.168.180.231.137 > 192.168.180.255.137:  udp 50
2440: 08:49:26.801655 192.168.190.97.49197 > 41.219.0.149.80: S 4227499300:42274
99300(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
2441: 08:49:26.802113 79.88.232.116.57433 > 41.219.0.149.60090: S 3487818821:348
7818821(0) win 8192 <mss 1452,nop,wscale 2,nop,nop,sackOK>
2442: 08:49:26.803303 192.168.180.155.137 > 192.168.180.255.137:  udp 50
2443: 08:49:26.804050 79.88.232.116.1025 > 41.219.0.149.60090:  udp 20
2444: 08:49:26.853395 201.141.74.215.20195 > 41.219.0.149.60090: S 1285326797:12
85326797(0) win 8192 <mss 1460,nop,nop,sackOK>
2445: 08:49:26.893203 46.103.176.158.51060 > 41.219.0.149.11641:  udp 106
2446: 08:49:26.907347 84.102.118.29.33275 > 41.219.0.149.32557:  udp 103
2447: 08:49:26.953594 194.60.241.218.60927 > 41.219.0.149.53546: S 4161651952:41
61651952(0) win 8192 <mss 1380,nop,nop,sackOK>
2448: 08:49:26.957866 194.60.241.218.49203 > 41.219.0.149.53546:  udp 20
2449: 08:49:26.971690 77.145.190.26.56046 > 41.219.0.149.22041: S 3822389873:382
2389873(0) win 8192 <mss 1460,nop,nop,sackOK>
2450: 08:49:26.994760 192.168.180.242.137 > 192.168.180.255.137:  udp 50
2451: 08:49:27.017439 81.50.48.206.49199 > 41.219.0.149.22041:  udp 20
2452: 08:49:27.031980 79.41.185.198.51688 > 41.219.0.149.54872: S 4082022290:408
2022290(0) win 8192 <mss 1452,nop,wscale 2,nop,nop,sackOK>
2453: 08:49:27.042417 23.103.189.125.443 > 192.168.190.24.52930: R 105712129:105
712129(0) ack 3958034640 win 0
2454: 08:49:27.051770 220.245.3.211.15070 > 41.219.0.149.22041:  udp 103
2454 packets shown
ASA#

 

Also, how to upgrade to 9.1.5ED?

Thanks in advance!

Can you run the capture again, but this time use this command:

 

sh capture asp | inc Drop

 

...if that gives you lots of output try:

sh capture asp | inc sp-security-failed

 

Do you have a support contract for your ASA with a supplier? That would be your ideal method. If not then you can request software via TAC:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150310-ssl

...check the section:

Obtaining Fixed Software -> Customers without Service Contracts. Your version of ASA code is vulnerable to this exploit.

 

...I've never tried this method myself but it should work.

 

Going back a few posts, you never said if the first hop router belongs to you?

 

cheers,

Seb.

Sorry that should read:

sh capture asp-drop | inc Drop

...and

sh capture asp-drop | inc sp-security-failed

..and don't forget to:

no capture asp-drop
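As an added example (not Cisco's code and not posted by anyone in this thread), the Python below takes the output of that `sh capture asp-drop | inc Drop` command and tallies drops by reason and, for acl-drop, by protocol and destination port, which is what you want in front of you before deciding whether a rule is doing its job or quietly eating legitimate traffic. The sample text is copied from the capture lines pasted elsewhere in the thread; it keeps the ASA terminal's 80-column wrapping, so the parser rejoins each record before matching, and it stops at the trailing "packets shown" line.

```python
"""Summarise 'show capture asp-drop | inc Drop' output by reason and destination.

Added example for this thread, not Cisco's code or a poster's. The sample
lines are copied from the capture excerpt pasted in the thread and keep the
80-column wrapping the ASA terminal applied, so one packet can span lines.
"""
import re
from collections import Counter

SAMPLE_CAPTURE = """\
   1: 08:48:52.618574 78.250.190.4.37407 > 41.219.0.149.22041: S 3942277819:3942
277819(0) win 8192 <mss 1300,nop,nop,sackOK> Drop-reason: (acl-drop) Flow is den
ied by configured rule
   3: 08:48:52.691965 31.187.94.187 > 41.219.0.149: icmp: 31.187.94.187 udp port
 61407 unreachable Drop-reason: (acl-drop) Flow is denied by configured rule
   4: 08:48:52.705285 41.248.51.244.1024 > 41.219.0.149.22041:  udp 20 Drop-reas
on: (acl-drop) Flow is denied by configured rule
   7: 08:48:52.729088 105.155.206.91.62802 > 41.219.0.149.60090: S 143243904:143
243904(0) win 8192 <mss 1452,nop,wscale 8,sackOK,timestamp 21976358 0> Drop-reas
on: (acl-drop) Flow is denied by configured rule
  12: 08:48:52.781941 192.168.180.240.137 > 192.168.183.255.137:  udp 50 Drop-re
ason: (sp-security-failed) Slowpath security checks failed
  14: 08:48:52.808628 192.168.190.85.22041 > 41.219.0.149.22041:  udp 20 Drop-re
ason: (acl-drop) Flow is denied by configured rule
2454 packets shown
"""

_RECORD_START = re.compile(r"^\s*\d+: ")          # "   1: 08:48:52..." opens a record
_TRAILER = re.compile(r"^\s*\d+ packets shown")   # end-of-capture summary line
_RECORD = re.compile(
    r"^\s*(?P<num>\d+): (?P<ts>\S+) (?P<src>\S+) > (?P<dst>[^:\s]+):\s*"
    r"(?P<body>.*?)Drop-reason: \((?P<reason>[\w-]+)\)"
)


def unwrap(text: str) -> list:
    """Rejoin records the terminal wrapped mid-token (so join with no separator)."""
    records = []
    for line in text.splitlines():
        if _TRAILER.match(line):
            break
        if _RECORD_START.match(line):
            records.append(line)
        elif records:
            records[-1] += line
    return records


def split_endpoint(endpoint: str):
    """'a.b.c.d.port' -> ('a.b.c.d', port); a bare address (ICMP) has no port."""
    parts = endpoint.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return endpoint, None


def parse_record(line: str):
    """Return a dict for one unwrapped record, or None if it carries no Drop-reason."""
    m = _RECORD.match(line)
    if not m:
        return None
    body = m.group("body")
    proto = "udp" if body.startswith("udp") else "icmp" if body.startswith("icmp") else "tcp"
    src_ip, sport = split_endpoint(m.group("src"))
    dst_ip, dport = split_endpoint(m.group("dst"))
    return {"num": int(m.group("num")), "proto": proto, "src": src_ip, "sport": sport,
            "dst": dst_ip, "dport": dport, "reason": m.group("reason")}


def summarise(text: str) -> dict:
    """Tally drops by reason, acl-drops by (proto, dport), and RFC 1918 sources seen."""
    parsed = [r for r in map(parse_record, unwrap(text)) if r]
    by_reason = Counter(r["reason"] for r in parsed)
    by_dport = Counter((r["proto"], r["dport"]) for r in parsed
                       if r["reason"] == "acl-drop" and r["dport"] is not None)
    internal_sources = Counter(r["src"] for r in parsed if r["src"].startswith("192.168."))
    return {"records": len(parsed), "by_reason": by_reason,
            "by_dport": by_dport, "internal_sources": internal_sources}


if __name__ == "__main__":
    s = summarise(SAMPLE_CAPTURE)
    print(s["records"], "dropped packets")
    for reason, n in s["by_reason"].most_common():
        print(f"{n:6d}  {reason}")
    for (proto, port), n in s["by_dport"].most_common(5):
        print(f"{n:6d}  acl-drop {proto}/{port}")
```

The two tables answer different questions: the reason tally tells you whether the drops are policy (acl-drop, expected on an outside interface) or something else such as sp-security-failed, and the per-port tally for acl-drop shows which unsolicited inbound ports are absorbing the most rule hits. Internal (192.168.x) sources appearing in the outside capture, as record 12 does, are worth a second look on their own, since that traffic should not normally be reaching the outside interface at all.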

 

 

Hi Seb,

ASA# sh capture asp-drop | inc Drop
   1: 08:48:52.618574 78.250.190.4.37407 > 41.219.0.149.22041: S 3942277819:3942
277819(0) win 8192 <mss 1300,nop,nop,sackOK> Drop-reason: (acl-drop) Flow is den
ied by configured rule
   2: 08:48:52.640698 192.168.180.231 > 113.99.136.16: icmp: echo reply Drop-rea
son: (acl-drop) Flow is denied by configured rule
   3: 08:48:52.691965 31.187.94.187 > 41.219.0.149: icmp: 31.187.94.187 udp port
 61407 unreachable Drop-reason: (acl-drop) Flow is denied by configured rule
   4: 08:48:52.705285 41.248.51.244.1024 > 41.219.0.149.22041:  udp 20 Drop-reas
on: (acl-drop) Flow is denied by configured rule
   5: 08:48:52.708551 41.248.51.244.52179 > 41.219.0.149.22041: S 343740652:3437
40652(0) win 63443 <mss 1452,nop,wscale 6,nop,nop,sackOK> Drop-reason: (acl-drop
) Flow is denied by configured rule
   6: 08:48:52.728004 195.132.148.55.52894 > 41.219.0.149.22041:  udp 20 Drop-re
ason: (acl-drop) Flow is denied by configured rule
   7: 08:48:52.729088 105.155.206.91.62802 > 41.219.0.149.60090: S 143243904:143
243904(0) win 8192 <mss 1452,nop,wscale 8,sackOK,timestamp 21976358 0> Drop-reas
on: (acl-drop) Flow is denied by configured rule
   8: 08:48:52.733085 94.159.211.190.1032 > 41.219.0.149.60090:  udp 20 Drop-rea
son: (acl-drop) Flow is denied by configured rule
   9: 08:48:52.756552 83.153.157.196.40191 > 41.219.0.149.22041:  udp 20 Drop-re
ason: (acl-drop) Flow is denied by configured rule
  10: 08:48:52.777517 176.183.248.229.57795 > 41.219.0.149.22041: S 4134876376:4
134876376(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> Drop-reason: (acl-d
rop) Flow is denied by configured rule
  11: 08:48:52.777776 176.183.248.229.54664 > 41.219.0.149.22041:  udp 20 Drop-r
eason: (acl-drop) Flow is denied by configured rule
  12: 08:48:52.781941 192.168.180.240.137 > 192.168.183.255.137:  udp 50 Drop-re
ason: (sp-security-failed) Slowpath security checks failed
  13: 08:48:52.786290 41.188.97.195.63598 > 41.219.0.149.22041: S 2631491026:263
1491026(0) win 8192 <mss 1360,nop,nop,sackOK> Drop-reason: (acl-drop) Flow is de
nied by configured rule
  14: 08:48:52.808628 192.168.190.85.22041 > 41.219.0.149.22041:  udp 20 Drop-re
ason: (acl-drop) Flow is denied by configured rule
  15: 08:48:52.808704 192.168.190.85.51745 > 41.219.0.149.22041: S 2940881481:29
40881481(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> Drop-reason: (acl-dr
op) Flow is denied by configured rule
  16: 08:48:52.826556 78.250.190.4.37873 > 41.219.0.149.22041:  udp 20 Drop-reas
on: (acl-drop) Flow is denied by configured rule
  17: 08:48:52.827212 78.250.190.4.37873 > 41.219.0.149.22041:  udp 20 Drop-reas
on: (acl-drop) Flow is denied by configured rule
  18: 08:48:52.846208 101.127.73.46.55814 > 41.219.0.149.51535: S 2504585702:250
4585702(0) win 8192 <mss 1460,nop,wscale 0,nop,nop,timestamp 844937613 0,sackOK,
eol> Drop-reason: (acl-drop) Flow is denied by configured rule
  19: 08:48:52.872391 31.201.185.71.52245 > 41.219.0.149.51535:  udp 30 Drop-rea
son: (acl-drop) Flow is denied by configured rule
  20: 08:48:52.873703 88.178.244.69.43611 > 41.219.0.149.22041:  udp 30 Drop-rea
son: (acl-drop) Flow is denied by configured rule
  21: 08:48:52.889236 105.154.118.233.50874 > 41.219.0.149.22041:  udp 20 Drop-r
eason: (acl-drop) Flow is denied by configured rule
  22: 08:48:52.948681 78.239.160.166.1024 > 41.219.0.149.22041:  udp 30 Drop-rea
son: (acl-drop) Flow is denied by configured rule
  23: 08:48:52.959835 91.182.149.40.63786 > 41.219.0.149.60090: S 2359075449:235
9075449(0) win 65535 <mss 1448,nop,wscale 5,nop,nop,timestamp 1525792520 0,sackO
K,eol> Drop-reason: (acl-drop) Flow is denied by configured rule
  24: 08:48:52.980128 90.28.48.40.64962 > 41.219.0.149.54725: S 2103529500:21035
29500(0) win 8192 <mss 1452,nop,wscale 8,nop,nop,sackOK> Drop-reason: (acl-drop)
 Flow is denied by configured rule
  26: 08:48:52.993051 83.153.164.231.49260 > 41.219.0.149.54727: S 1971320503:19
71320503(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> Drop-reason: (acl-dr
op) Flow is denied by configured rule
  28: 08:48:53.011962 142.167.200.221.64186 > 41.219.0.149.60090: S 1712685326:1
712685326(0) win 8192 <mss 1452,nop,wscale 8,nop,nop,sackOK> Drop-reason: (acl-d
rop) Flow is denied by configured rule
  29: 08:48:53.023451 41.82.84.162.57461 > 41.219.0.149.60090: S 3484403587:3484
403587(0) win 8192 <mss 1452,nop,nop,sackOK> Drop-reason: (acl-drop) Flow is den
ied by configured rule
  30: 08:48:53.028334 79.41.185.198.51479 > 41.219.0.149.54722: S 3852500677:385
2500677(0) win 8192 <mss 1452,nop,wscale 2,nop,nop,sackOK> Drop-reason: (acl-dro
p) Flow is denied by configured rule
  31: 08:48:53.054883 105.155.206.91.13529 > 41.219.0.149.60090:  udp 20 Drop-re
ason: (acl-drop) Flow is denied by configured rule
  32: 08:48:53.081203 41.188.97.195.47201 > 41.219.0.149.22041:  udp 20 Drop-rea
son: (acl-drop) Flow is denied by configured rule
  33: 08:48:53.108255 82.228.27.78.1026 > 41.219.0.149.22041:  udp 103 Drop-reas
on: (acl-drop) Flow is denied by configured rule
  34: 08:48:53.111139 77.144.201.111.27043 > 41.219.0.149.60090:  udp 20 Drop-re
ason: (acl-drop) Flow is denied by configured rule
  35: 08:48:53.111856 77.144.201.111.56533 > 41.219.0.149.60090: S 1940976985:19
40976985(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> Drop-reason: (acl-dr
op) Flow is denied by configured rule
  36: 08:48:53.146385 82.228.27.78.1026 > 41.219.0.149.22041:  udp 20 Drop-reaso
n: (acl-drop) Flow is denied by configured rule
  37: 08:48:53.147377 80.119.172.141.62413 > 41.219.0.149.60090: S 3026040254:30
26040254(0) win 8192 <mss 1452,nop,wscale 2,nop,nop,sackOK> Drop-reason: (acl-dr
op) Flow is denied by configured rule
  38: 08:48:53.189489 154.72.112.170.1025 > 41.219.0.149.51535:  udp 20 Drop-rea
son: (acl-drop) Flow is denied by configured rule
  39: 08:48:53.192586 70.29.145.241.63670 > 41.219.0.149.22041: S 497371817:4973
71817(0) win 8192 <mss 1452,nop,wscale 2,nop,nop,sackOK> Drop-reason: (acl-drop)
 Flow is denied by configured rule
  40: 08:48:53.208607 142.167.200.221.58938 > 41.219.0.149.60090:  udp 20 Drop-r
eason: (acl-drop) Flow is denied by configured rule
  41: 08:48:53.214207 41.77.223.118.50489 > 41.219.0.149.22041:  udp 20 Drop-rea
son: (acl-drop) Flow is denied by configured rule
  42: 08:48:53.224765 41.77.223.118.40077 > 41.219.0.149.22041: S 64848302:64848
302(0) win 8192 <mss 1392,nop,wscale 8,nop,nop,sackOK> Drop-reason: (acl-drop) F
low is denied by configured rule
  43: 08:48:53.248354 109.13.53.130.43611 > 41.219.0.149.37505:  udp 67 Drop-rea
son: (acl-drop) Flow is denied by configured rule
  44: 08:48:53.248507 192.168.180.151.35077 > 255.255.255.255.34569:  udp 20 Dro
p-reason: (acl-drop) Flow is denied by configured rule
  46: 08:48:53.256548 41.98.156.80.39753 > 41.219.0.149.22041:  udp 20 Drop-reas
on: (acl-drop) Flow is denied by configured rule
  47: 08:48:53.266358 192.168.180.239.52424 > 84.53.132.171.443: R 2087605003:20
87605003(0) win 0 Drop-reason: (tcp-rstfin-ooo) TCP RST/FIN out of order
  48: 08:48:53.323088 80.119.172.141.46044 > 41.219.0.149.60090:  udp 20 Drop-re
ason: (acl-drop) Flow is denied by configured rule
  49: 08:48:53.326521 195.24.205.68.2834 > 41.219.0.149.60090:  udp 20 Drop-reas
on: (acl-drop) Flow is denied by configured rule
  50: 08:48:53.327284 195.24.205.68.55022 > 41.219.0.149.60090: S 1051822367:105
1822367(0) win 8192 <mss 1452,nop,wscale 2,nop,nop,sackOK> Drop-reason: (acl-dro
p) Flow is denied by configured rule
ASA#   sh capture asp-drop | inc sp-security-failed
  12: 08:48:52.781941 192.168.180.240.137 > 192.168.183.255.137:  udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed

ASA#

It is hard to ascertain much from that output. Your one sp-security-failed item has been caused by a broadcast packet which was prevented from being forwarded through the ASA. From the documentation:

 

1) In routed mode receives a through-the-box:

- L2 broadcast packet

...in this particular case it was 137/UDP (NetBIOS)...and I am guessing the size of the subnet ID is 192.168.180.0/22 so there is probably a lot of broadcast traffic of various types hitting the ASA and incrementing this counter.

But it is hard to attribute all hits on that counter (sp-security-failed) to that one subnet and single ASA interface based on such a small capture!

 

I am still adamant your issue lies with your border gateway router.

What does the sh int output for its outside and ASA connected interfaces look like?

 

cheers,

Seb.
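Reading a longer asp-drop capture by eye is tedious, so here is an added Python parser (not from this thread, and not a Cisco tool) that re-joins the entries the ASA console hard-wraps at 80 columns and tallies them by drop reason and by destination service, which is the quickest way to see whether the sp-security-failed and acl-drop hits come from one subnet or one port. The sample input is constructed to mirror the capture format shown above, with RFC 5737 documentation addresses in place of the real ones; the broadcast flag is a heuristic on the IP destination, not a check of the Layer 2 frame.

```python
import re
from collections import Counter

# Constructed sample of "show capture asp-drop" output, wrapped at the
# terminal width the way the ASA console prints it. Addresses are RFC 5737
# documentation addresses, not the ones from the thread.
SAMPLE = """\
   1: 08:48:52.618574 203.0.113.4.37407 > 192.0.2.149.22041: S 3942277819:3942
277819(0) win 8192 <mss 1300,nop,nop,sackOK> Drop-reason: (acl-drop) Flow is den
ied by configured rule
   2: 08:48:52.640698 192.168.180.231 > 203.0.113.16: icmp: echo reply Drop-rea
son: (acl-drop) Flow is denied by configured rule
   3: 08:48:52.705285 203.0.113.244.1024 > 192.0.2.149.22041:  udp 20 Drop-reas
on: (acl-drop) Flow is denied by configured rule
   4: 08:48:52.781941 192.168.180.240.137 > 192.168.183.255.137:  udp 50 Drop-re
ason: (sp-security-failed) Slowpath security checks failed
   5: 08:48:53.266358 192.168.180.239.52424 > 203.0.113.171.443: R 2087605003:20
87605003(0) win 0 Drop-reason: (tcp-rstfin-ooo) TCP RST/FIN out of order
"""

ENTRY_START = re.compile(r"^\s*\d+: ")
ENTRY = re.compile(
    r"^\s*(?P<idx>\d+): (?P<ts>\S+) (?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$"
)
REASON = re.compile(r"Drop-reason: \((?P<code>[^)]+)\) (?P<text>.*)$")


def reassemble(text):
    """Re-join entries that the console hard-wrapped.

    A continuation line never starts with 'N: ', and the wrap splits words
    without inserting a space ('Drop-rea' / 'son:'), so continuation lines
    are concatenated directly onto the current entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if ENTRY_START.match(line):
            entries.append(line)
        elif entries:
            entries[-1] += line
    return entries


def parse_entry(entry):
    """Split one re-joined capture entry into its fields."""
    m = ENTRY.match(entry)
    if not m:
        raise ValueError("unrecognised capture line: %r" % entry)
    rest = m.group("rest").lstrip()
    if rest.startswith("udp"):
        proto = "udp"
    elif rest.startswith("icmp"):
        proto = "icmp"
    else:
        proto = "tcp"  # tcpdump-style flag field (S, R, F, P, .)
    dst = m.group("dst")
    dport = None
    if proto != "icmp":
        dst, port = dst.rsplit(".", 1)
        dport = int(port)
    r = REASON.search(rest)
    return {
        "index": int(m.group("idx")),
        "src": m.group("src"),
        "dst": dst,
        "proto": proto,
        "dport": dport,
        "reason": r.group("code") if r else None,
        "reason_text": r.group("text") if r else None,
        # Heuristic only: limited or directed broadcast as seen at L3.
        "likely_broadcast": dst == "255.255.255.255" or dst.endswith(".255"),
    }


def summarize(text):
    """Tally a capture by drop reason and by destination service."""
    entries = [parse_entry(e) for e in reassemble(text)]
    by_reason = Counter(e["reason"] for e in entries)
    by_service = Counter(
        e["proto"] if e["dport"] is None else "%s/%d" % (e["proto"], e["dport"])
        for e in entries
    )
    broadcasts = [e["index"] for e in entries if e["likely_broadcast"]]
    return {"entries": entries, "by_reason": by_reason,
            "by_service": by_service, "broadcast_indexes": broadcasts}


if __name__ == "__main__":
    s = summarize(SAMPLE)
    for code, n in s["by_reason"].most_common():
        print("%-22s %d" % (code, n))
    for svc, n in s["by_service"].most_common():
        print("%-22s %d" % (svc, n))
    print("likely broadcast entries:", s["broadcast_indexes"])
```

Feed it the whole `show capture asp-drop` output (for example redirected from a terminal session to a file) rather than the `| inc` filtered view, since the filter loses the continuation lines that carry the second half of each entry.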

Hi Seb,

My subnet ID is :192.168.176.0/21.

My Internet border gateway router is a Huawei router. Below is the detail of the interface connected to my ASA:

 

     internet-ne40 FE 2/01/2 connect cisco-asa:

<NE40>disp interface ethe 2/0/12
Ethernet2/0/12 current state: up
Line protocol current state: up
  Hardware is WAN-FastEthernet,
  Address is 00e0-fc66-4ac4
  Description: to_CISCO-ASA
  Internet address is X.X.X.X/30 Is-Primary
  The Maximum Transmit Unit is 1500 bytes, the BandWidth is 100000 Kbits
  Send-frame-type is Ethernet_II, loopback not set
  Negotiation disabled, full-duplex, 100Mbps, urpf disabled
  This port works as a Router
 Statistics last cleared: never
  Traffic statistics:
    Last 5 minutes input rate 579921 bytes/sec, 4982 packets/sec
    Last 5 minutes output rate 5980858 bytes/sec, 4867 packets/sec
    1594087376 packets input, 550144592224 bytes
    1998070148 packets output, 1753023254632 bytes
    Input:  0 shorts, 657 jumbos, 0 giants, 0 pauses
            1389092686 unicasts, 5071 multicasts, 19412 broadcasts
            0 MulticastOctets, 0 MulticastPkts
            0 InvalidVlanOctets, 0 InvalidVlanPkts
            0 input fragments, 0 jabbers
            204970207 CRC, 0 errors, 0 overruns
    Output: 0 shorts, 0 jumbos, 0 giants
            1997564429 unicasts, 738 multicasts, 504981 broadcasts
            0 MulticastOctets, 0 MulticastPkts
            0 InvalidVlanOctets, 0 InvalidVlanPkts
            0 runts, 0 jabbers, 0 CRC
            0 deferrals, 0 underruns, 0 aborts
            0 collisions, 0 lates, 0 singles
            0 multiples, 0 excessives

 

If I try to create VLAN on my network, you think it should resolve my issue?

I've never laid eyes on Huawei output, so I'm not sure how you'd diagnose it further.

A /21 is a big subnet and would generate a lot of broadcast traffic!

The biggest I usually deploy is a /22.

 

From a topology point of view you should have point-to-point links /31's or /30's from your ASA interfaces to a router/ switch.

If you only have a single core switch, then you should create different VRFs for each of the security groups you have configured on the ASA. For instance your 'inside' (security level 100) could reside on the default VRF. If you have a DMZ, then create a VRF for that. Each VRF would need a separate physical link from the core router/switch to the ASA.

 

This topology would certainly lower the drop count on your ASA as it wouldn't be hit by so much Layer 2 traffic.

 

With regard to the original issue of slow internet, this problem I still believe resides with your Huawei router since that is where your latency markedly increases...but I have no experience with those I'm afraid!

 

cheers,

Seb.

Hi Seb,

Thanks for your reply.

What's a VRF?

Yes, it is a point to point link between the ASA and the Internet router.

I will reduce the network to a /22 and create VLANs to reduce broadcast packets.

Thanks!

Hi Richard Burts,

Thanks for your reply.

 

I set the interface to full duplex mode.

Now, when I ping 8.8.8.8 from outside, the interface connected to border router, the packet loss had decreased. Before I had :

ASA# ping outside 8.8.8.8 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!?!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!?!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!?!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!?!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!?!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!?!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!?!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!?!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!?!!!!!!!!!!!!!?!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!?!!!!!!!!!?!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 98 percent (988/1000), round-trip min/avg/max = 60/66/140 ms

Now I have:

ASA# ping outside 8.8.8.8 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!?!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
?!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!?!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (997/1000), round-trip min/avg/max = 60/65/140 ms

A VRF is a Virtual Routing and Forwarding table:

http://ciscodreamer.blogspot.co.uk/2009/06/vrf-basics.html

... you would be configuring VRF-lite which in a nutshell allows you to have two separate routing tables on one device.

 

Attached is a diagram of how I think you would implement it.

I've also attached some configuration showing roughly how you'd implement it using a pair of routers. You'll need to use your imagination to convert it to work on an ASA and switch. The config is from a working GNS3 sim I put together for you, so you should be able to paste it straight in to GNS3 if you have it installed to try it out. The connections are:

ASA fa0/0 -> coreswitch fa0/0

ASA fa0/1 -> coreswitch fa0/1

 

cheers,

Seb.
