Cisco Firewall ASP Drop

Joe Renwick joe at gonetforward.com
Sun Apr 24 00:45:00 UTC 2011


So my firewall seems to be dropping an oddly large number of packets on the
INSIDE interface:

asa1(config)# sh int RACK
Interface GigabitEthernet0/1 "RACK", is up, line protocol is up
        Hardware is i82546GB rev03, BW 1000 Mbps
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        MAC address 0024.14d0.4521, MTU 1500
        IP address 64.22.76.97, subnet mask 255.255.255.240
        28128158809 packets input, 162066888025865 bytes, 4 no buffer
        Received 186502879 broadcasts, 0 runts, 0 giants
        5089 input errors, 0 CRC, 0 frame, 5089 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        27235942172 packets output, 18181322825213 bytes, 237 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        input queue (curr/max packets): hardware (1/33)
        output queue (curr/max packets): hardware (0/511)
  Traffic Statistics for "RACK":
        144406450470 packets input, 159422361828279 bytes
        103754084999 packets output, 16098663171295 bytes
        6934615576 packets dropped
      1 minute input rate 2056 pkts/sec,  2053935 bytes/sec
      1 minute output rate 1678 pkts/sec,  418581 bytes/sec
      1 minute drop rate, 270 pkts/sec
      5 minute input rate 2519 pkts/sec,  2676286 bytes/sec
      5 minute output rate 1887 pkts/sec,  469578 bytes/sec
      5 minute drop rate, 283 pkts/sec

Looking at the ASP drop data, they are mostly coming from "TCP packet SEQ past
window (tcp-seq-past-win)":

asa1(config)# sh asp drop

Frame drop:
  Invalid TCP Length (invalid-tcp-hdr-length)                                   31
  No valid adjacency (no-adjacency)                                             88
  No route to host (no-route)                                                 1728
  Flow is denied by configured rule (acl-drop)                              203110
  Flow denied due to resource limitation (unable-to-create-flow)            556419
  First TCP packet not SYN (tcp-not-syn)                                   4080584
  Bad TCP flags (bad-tcp-flags)                                                 38
  Bad option length in TCP (tcp-bad-option-len)                                 54
  TCP data exceeded MSS (tcp-mss-exceeded)                                     910
  TCP failed 3 way handshake (tcp-3whs-failed)                              724043
  TCP RST/FIN out of order (tcp-rstfin-ooo)                               21011574
  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                           19758
  TCP SYNACK on established conn (tcp-synack-ooo)                                6
  TCP packet SEQ past window (tcp-seq-past-win)                          156938345
  TCP invalid ACK (tcp-invalid-ack)                                          15360
  TCP ACK in 3 way handshake invalid (tcp-discarded-ooo)                         9
  TCP Out-of-Order packet buffer full (tcp-buffer-full)                         41
  TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout)                  343
  TCP RST/SYN in window (tcp-rst-syn-in-win)                                 13323
  TCP DUP and has been ACKed (tcp-acked)                                    379384
  TCP packet failed PAWS test (tcp-paws-fail)                                84304
  IP option drop (invalid-ip-option)                                            12
  ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn)     16
  DNS Inspect invalid packet (inspect-dns-invalid-pak)                          53
  DNS Inspect invalid domain label (inspect-dns-invalid-domain-label)           50
  DNS Inspect packet too long (inspect-dns-pak-too-long)                   5353783
  DNS Inspect id not matched (inspect-dns-id-not-matched)                     5275

Anybody seen this before?  Would be nice to see if there is a command to
show offending packets but I cannot seem to find it.

Thanks for the time.

Cheers,

-- 
Joe Renwick
IP Network Consultant, CCIE #16465
GO NETFORWARD!
Direct: 619-800-2055, Emergency Support: 800-719-0504
Is your network moving you forward?
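A small parser that turns the `show asp drop` output quoted above into a ranked list of drop reasons, so the dominant counter stands out without reading the whole dump. This is an added example, not part of the original post or of Cisco's tooling; `SAMPLE` is a constructed subset of the counters quoted in the post, including the line-wrapped layout that mail archives produce.

```python
"""Rank Cisco ASA 'show asp drop' counters.  Added example, not from the
post; SAMPLE is a constructed subset of the counters quoted in the post."""
import re

# One counter: description, parenthesised drop code, optional count.  In the
# native CLI layout the count is on the same line; mail archives often wrap
# it onto the next line, which the parser also accepts.
_ROW = re.compile(r"^\s*(?P<desc>.+?)\s*\((?P<code>[a-z0-9-]+)\)\s*(?P<n>\d+)?\s*$")
_NUM = re.compile(r"^\s*(\d+)\s*$")

SAMPLE = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                  203110
  First TCP packet not SYN (tcp-not-syn)                       4080584
  TCP RST/FIN out of order (tcp-rstfin-ooo)
 21011574
  TCP packet SEQ past window (tcp-seq-past-win)
 156938345
  DNS Inspect packet too long (inspect-dns-pak-too-long)       5353783
"""


def parse_asp_drop(text):
    """Return {drop_code: count} for every counter in the dump."""
    counts, pending = {}, None
    for line in text.splitlines():
        row = _ROW.match(line)
        if row:
            if row.group("n") is not None:
                counts[row.group("code")] = int(row.group("n"))
                pending = None
            else:                      # count wrapped onto the next line
                pending = row.group("code")
            continue
        num = _NUM.match(line)
        if num and pending:
            counts[pending] = int(num.group(1))
            pending = None
    return counts


def rank_drops(counts, top=5):
    """Return [(code, count, percent_of_total)] sorted by count, descending."""
    total = sum(counts.values()) or 1
    ranked = sorted(counts.items(), key=lambda kv: kv[1], reverse=True)[:top]
    return [(code, n, round(100.0 * n / total, 1)) for code, n in ranked]


if __name__ == "__main__":
    for code, n, pct in rank_drops(parse_asp_drop(SAMPLE)):
        print(f"{code:32} {n:>12} {pct:5.1f}%")
```

Run it twice against snapshots taken a known interval apart and diff the dictionaries to get a per-reason drop rate to compare with the interface's aggregate "drop rate". On the ASA itself, `capture <name> type asp-drop <drop-code>` (for example `tcp-seq-past-win`) records the packets dropped for one reason, which is the kind of view the post is asking for.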
