ASA 5510 High Drop Count on Mgmt Interface

xzevallos (Level 1)

I have a 5510 FW in multi-context mode that is showing a high drop count on the Management interface in the Admin context, as shown below:

MAN1-5510-1/admin# sh int
Interface Management0/0 "", is up, line protocol is up
# Attention: This interface is located in a PCI-e x0 slot. For #
# optimal throughput, install the interface in a PCI-e x11 slot #
# if one is available. Refer to 'show controller slot'.        #
        Available but not configured via nameif
Interface Management0/0.2 "ESMGMT", is up, line protocol is up
# Attention: This interface is located in a PCI-e x0 slot. For #
# optimal throughput, install the interface in a PCI-e x11 slot #
# if one is available. Refer to 'show controller slot'.        #
        MAC address 1200.0002.0100, MTU 1500
        IP address 57.31.207.182, subnet mask 255.255.255.224
  Traffic Statistics for "ESMGMT":
        32554 packets input, 1720860 bytes
        10303 packets output, 820936 bytes
        24408 packets dropped

The software version is 8.2.5.  The interface is set to 100/full, there are no frame errors (e.g., CRC) when I do "sh int" in System space, and there is little traffic on the LAN.  Here is the interface config in Admin context:

interface Management0/0.2
 nameif ESMGMT
 security-level 100
 ip address 57.31.207.182 255.255.255.224 standby 57.31.207.183
 management-only

When I do a capture of this interface, I get the following:

1: 13:56:05.128136 802.1Q vlan#2 P0 57.31.207.162.1985 > 224.0.0.2.1985: udp 20 Drop-reason: (acl-drop) Flow is denied by configured rule
2: 13:56:06.181265 802.1Q vlan#2 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
3: 13:56:06.764837 802.1Q vlan#2 P0 57.31.207.163.1985 > 224.0.0.2.1985: udp 20 Drop-reason: (acl-drop) Flow is denied by configured rule
4: 13:56:08.129311 802.1Q vlan#2 P0 57.31.207.162.1985 > 224.0.0.2.1985: udp 20 Drop-reason: (acl-drop) Flow is denied by configured rule
5: 13:56:08.194981 802.1Q vlan#2 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
6: 13:56:09.765524 802.1Q vlan#2 P0 57.31.207.163.1985 > 224.0.0.2.1985: udp 20 Drop-reason: (acl-drop) Flow is denied by configured rule
7: 13:56:10.208714 802.1Q vlan#2 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

Yet there are no L2 or L3 ACLs configured on the FW.  In the above it appears that the FW is receiving and processing multicast packets like HSRP, and therefore drops them.  But in my lab, I have the same setup and I do not see a high drop count, nor do the HSRP packets appear in the captures.

Does anyone know what's going on here?  Is it possible that the interface is set to promiscuous mode, and is there a way to disable this?

1 Reply

Mohammad Alhyari (Cisco Employee)

In your case, I think what you see is very normal. That counter includes everything that is dropped by the ASA on that interface, such as:

L2 broadcasts

packets that are not destined to the ASA (multicast).

Looks like you have an HSRP setup that is in the same layer 2 segment as the management interface.

HTH.

Mohammad.
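The answer above explains what the interface drop counter lumps together: L2 broadcasts and multicast that was never addressed to the ASA, plus anything the ASA itself refused. A quick way to confirm that reading against a capture is to bucket each "Drop-reason" line by whether the ASA was ever an intended receiver. The script below is an added example, not code from the thread or from Cisco; it parses the capture lines quoted in the question (embedded here as constructed sample input), treats UDP/1985 to 224.0.0.2 as HSRP, and uses the ESMGMT address 57.31.207.182 from the posted config as the "traffic to the ASA" test. The line format it expects is the 8.2-era one shown above; other releases may format capture lines differently.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample: the seven capture lines quoted in the question above.
SAMPLE_CAPTURE = """\
1: 13:56:05.128136 802.1Q vlan#2 P0 57.31.207.162.1985 > 224.0.0.2.1985: udp 20 Drop-reason: (acl-drop) Flow is denied by configured rule
2: 13:56:06.181265 802.1Q vlan#2 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
3: 13:56:06.764837 802.1Q vlan#2 P0 57.31.207.163.1985 > 224.0.0.2.1985: udp 20 Drop-reason: (acl-drop) Flow is denied by configured rule
4: 13:56:08.129311 802.1Q vlan#2 P0 57.31.207.162.1985 > 224.0.0.2.1985: udp 20 Drop-reason: (acl-drop) Flow is denied by configured rule
5: 13:56:08.194981 802.1Q vlan#2 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
6: 13:56:09.765524 802.1Q vlan#2 P0 57.31.207.163.1985 > 224.0.0.2.1985: udp 20 Drop-reason: (acl-drop) Flow is denied by configured rule
7: 13:56:10.208714 802.1Q vlan#2 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
"""

# Field patterns for the capture line format quoted in the question (assumption:
# later ASA releases may print these lines slightly differently).
_IP_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<proto>\w+)"
)
_DROP_RE = re.compile(r"Drop-reason: \((?P<code>[^)]+)\)\s*(?P<text>.*)$")

HSRP_V1_GROUP = "224.0.0.2"   # HSRPv1 hellos go to this group on UDP 1985
HSRP_PORT = 1985


def parse_line(line):
    """Return a dict for one capture line, or None if the line carries no drop reason."""
    drop = _DROP_RE.search(line)
    if not drop:
        return None
    rec = {"code": drop.group("code"), "text": drop.group("text").strip(),
           "src": None, "dst": None, "sport": None, "dport": None, "proto": None,
           "l2_only": "802.3 encap" in line}
    ip = _IP_RE.search(line)
    if ip:
        rec.update(src=ip["src"], dst=ip["dst"], sport=int(ip["sport"]),
                   dport=int(ip["dport"]), proto=ip["proto"])
    return rec


def classify(rec, interface_ip):
    """Bucket a dropped packet by whether the ASA was ever an intended receiver."""
    if rec["dst"] is None:
        # Raw 802.3 frame with no IP header: L2 traffic the ASA is not a party to.
        return "l2-non-ip" if rec["l2_only"] else "unparsed"
    dst = ip_address(rec["dst"])
    if dst.is_multicast:
        if rec["dst"] == HSRP_V1_GROUP and rec["proto"] == "udp" and rec["dport"] == HSRP_PORT:
            return "hsrp"
        return "multicast-other"
    if rec["dst"] == interface_ip:
        # Unicast aimed at the management address itself: the bucket worth a closer look.
        return "unicast-to-asa"
    return "unicast-other"


def summarize(capture_text, interface_ip):
    """Count drops by traffic class and by ASA drop-reason code."""
    by_class, by_reason = Counter(), Counter()
    for line in capture_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_class[classify(rec, interface_ip)] += 1
        by_reason[rec["code"]] += 1
    return dict(by_class), dict(by_reason)


if __name__ == "__main__":
    classes, reasons = summarize(SAMPLE_CAPTURE, "57.31.207.182")
    print("by traffic class:", classes)
    print("by drop reason:", reasons)
    not_for_asa = sum(v for k, v in classes.items() if k in ("hsrp", "multicast-other", "l2-non-ip"))
    print(f"{not_for_asa}/{sum(classes.values())} drops were never addressed to the ASA")
```

On the sample every drop lands in the "hsrp" or "l2-non-ip" bucket, which is the pattern the answer describes. The bucket to watch on a real capture is "unicast-to-asa": drops there are packets that were actually aimed at the management address and were refused, which is a different question from a counter inflated by neighbouring HSRP hellos.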
