Cisco Firewall ASP Drop
Joe Renwick
joe at gonetforward.com
Sun Apr 24 00:45:00 UTC 2011
So my firewall seems to be dropping an oddly large number of packets on the
INSIDE interface:
asa1(config)# sh int RACK
Interface GigabitEthernet0/1 "RACK", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
MAC address 0024.14d0.4521, MTU 1500
IP address 64.22.76.97, subnet mask 255.255.255.240
28128158809 packets input, 162066888025865 bytes, 4 no buffer
Received 186502879 broadcasts, 0 runts, 0 giants
5089 input errors, 0 CRC, 0 frame, 5089 overrun, 0 ignored, 0 abort
0 L2 decode drops
27235942172 packets output, 18181322825213 bytes, 237 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (1/33)
output queue (curr/max packets): hardware (0/511)
Traffic Statistics for "RACK":
144406450470 packets input, 159422361828279 bytes
103754084999 packets output, 16098663171295 bytes
6934615576 packets dropped
1 minute input rate 2056 pkts/sec, 2053935 bytes/sec
1 minute output rate 1678 pkts/sec, 418581 bytes/sec
1 minute drop rate, 270 pkts/sec
5 minute input rate 2519 pkts/sec, 2676286 bytes/sec
5 minute output rate 1887 pkts/sec, 469578 bytes/sec
5 minute drop rate, 283 pkts/sec
Looking at the ASP drop data, they are mostly coming from "TCP packet SEQ past
window (tcp-seq-past-win)":
asa1(config)# sh asp drop
Frame drop:
  Invalid TCP Length (invalid-tcp-hdr-length)                                   31
  No valid adjacency (no-adjacency)                                             88
  No route to host (no-route)                                                 1728
  Flow is denied by configured rule (acl-drop)                              203110
  Flow denied due to resource limitation (unable-to-create-flow)            556419
  First TCP packet not SYN (tcp-not-syn)                                   4080584
  Bad TCP flags (bad-tcp-flags)                                                 38
  Bad option length in TCP (tcp-bad-option-len)                                 54
  TCP data exceeded MSS (tcp-mss-exceeded)                                     910
  TCP failed 3 way handshake (tcp-3whs-failed)                              724043
  TCP RST/FIN out of order (tcp-rstfin-ooo)                               21011574
  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                           19758
  TCP SYNACK on established conn (tcp-synack-ooo)                                6
  TCP packet SEQ past window (tcp-seq-past-win)                          156938345
  TCP invalid ACK (tcp-invalid-ack)                                          15360
  TCP ACK in 3 way handshake invalid (tcp-discarded-ooo)                         9
  TCP Out-of-Order packet buffer full (tcp-buffer-full)                         41
  TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout)                  343
  TCP RST/SYN in window (tcp-rst-syn-in-win)                                 13323
  TCP DUP and has been ACKed (tcp-acked)                                    379384
  TCP packet failed PAWS test (tcp-paws-fail)                                84304
  IP option drop (invalid-ip-option)                                            12
  ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn)     16
  DNS Inspect invalid packet (inspect-dns-invalid-pak)                          53
  DNS Inspect invalid domain label (inspect-dns-invalid-domain-label)           50
  DNS Inspect packet too long (inspect-dns-pak-too-long)                   5353783
  DNS Inspect id not matched (inspect-dns-id-not-matched)                     5275
Anybody seen this before? Would be nice to see if there is a command to
show offending packets but I cannot seem to find it.
Thanks for the time.
Cheers,
--
Joe Renwick
IP Network Consultant, CCIE #16465
GO NETFORWARD!
Direct: 619-800-2055, Emergency Support: 800-719-0504
Is your network moving you forward?
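Editor's added example, not part of Joe's post and not Cisco tooling: a small Python script that parses `show asp drop` output, ranks the drop reasons by their share of all frame drops, and prints the ASA `capture <name> type asp-drop <reason>` commands that capture the packets hitting the top reasons, which is the "show me the offending packets" step the post asks about. The embedded sample is a constructed subset of the counters quoted above, the capture names (`drop1`, `drop2`, ...) and the thresholds are the script's own choices, and the `capture ... type asp-drop` syntax is the editor's recollection of the ASA CLI; check it against the documentation for your software release before pasting it in.

```python
import re

# Constructed sample: a subset of the `show asp drop` counters from the post,
# laid out the way the ASA prints them (description, code in parentheses, count).
SAMPLE_SHOW_ASP_DROP = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                        203110
  Flow denied due to resource limitation (unable-to-create-flow)      556419
  First TCP packet not SYN (tcp-not-syn)                             4080584
  TCP failed 3 way handshake (tcp-3whs-failed)                        724043
  TCP RST/FIN out of order (tcp-rstfin-ooo)                         21011574
  TCP packet SEQ past window (tcp-seq-past-win)                    156938345
  TCP DUP and has been ACKed (tcp-acked)                              379384
  TCP packet failed PAWS test (tcp-paws-fail)                          84304
  DNS Inspect packet too long (inspect-dns-pak-too-long)             5353783
"""

# One counter line: free-text description, (drop-code), integer count.
LINE_RE = re.compile(r"^\s*(?P<desc>.+?)\s+\((?P<code>[a-z0-9-]+)\)\s+(?P<count>\d+)\s*$")


def parse_asp_drop(text):
    """Return {drop_code: (description, count)} from `show asp drop` output.

    Header lines such as "Frame drop:" do not match the pattern and are skipped.
    """
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[m.group("code")] = (m.group("desc"), int(m.group("count")))
    return counters


def rank_drops(counters):
    """Return [(code, description, count, share_of_total)] sorted by count, descending."""
    total = sum(count for _, count in counters.values())
    rows = [(code, desc, count, count / total if total else 0.0)
            for code, (desc, count) in counters.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def capture_commands(counters, top=3, min_share=0.01, prefix="drop"):
    """Build ASA capture commands for the dominant drop reasons.

    Assumed CLI form (editor's recollection, verify on your release):
        capture <name> type asp-drop <drop-code>
    Only reasons that account for at least `min_share` of all frame drops get a
    capture, so a handful of noise counters do not produce a handful of captures.
    """
    cmds = []
    for n, (code, _desc, _count, share) in enumerate(rank_drops(counters)[:top], start=1):
        if share < min_share:
            break
        cmds.append(f"capture {prefix}{n} type asp-drop {code}")
    return cmds


if __name__ == "__main__":
    counters = parse_asp_drop(SAMPLE_SHOW_ASP_DROP)
    for code, desc, count, share in rank_drops(counters):
        print(f"{share:6.1%}  {count:>12}  {desc} ({code})")
    print()
    print("! Candidate captures; inspect each with: show capture <name>")
    for cmd in capture_commands(counters):
        print(cmd)
```

Run it against the output of `show asp drop` saved from the box. The ranking makes the point visually: in the sample, `tcp-seq-past-win` is roughly 83% of all frame drops, so it is the one capture worth opening first. After enabling a capture, `show capture drop1` lists the captured packets, and `clear asp drop` resets the counters so a second `show asp drop` a few minutes later gives a clean rate for the current traffic instead of the lifetime totals the interface has accumulated.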