Cisco ASA Packet Drop Troubleshooting (2024)

Table of Contents
Connection State Interface drops Syslog ASP drops Packet Capture ASP Drops Capture FAQs

Lesson Contents

As a firewall, the Cisco ASA drops packets. That’s great until it drops packets that you want to permit, and you have no idea what is going on. Fortunately, the ASA supports different tools to show you why and what packets it drops.

In this lesson, we’ll cover the following tools:

  • Connection State
  • Interface Drops
  • Syslog
  • ASP Drops
  • Packet Capture
  • Packet Tracer
  • Service Policy
  • Conclusion

Here is the topology I use:

Cisco ASA Packet Drop Troubleshooting (1)

We use a simple topology:

  • Two “host” devices:
    • These are routers with ip routing disabled, and they use ASA1 as their default gateway.
    • An HTTP server is enabled on both devices.
  • ASA1 runs ASAv Version 9.9(2) and has two interfaces:
    • INSIDE: security level 100
    • OUTSIDE: security level 0

In this topology, H1 will be able to initiate a connection to H2. H2 won’t be able to initiate a connection to H1 because we go from a low-security level (0) to a high-security level (100).

Configurations

See Also
Network Traffic Monitor - Analyze & Optimize Traffic | SolarWindsCisco ASA Firewall: Packet Flow/Mode of OperationCommand to check IPSEC tunnel on ASA 5520Fixing Packet Loss in Gaming

Want to take a look for yourself? Here you will find the startup configuration of each device.

ASA1

hostname ASA1!interface GigabitEthernet0/0 nameif INSIDE security-level 100 ip address 192.168.1.254 255.255.255.0 !interface GigabitEthernet0/1 nameif OUTSIDE security-level 0 ip address 192.168.2.254 255.255.255.0!class-map inspection_default match default-inspection-traffic!policy-map global_policy class inspection_default inspect ip-options inspect netbios inspect rtsp inspect sunrpc inspect tftp inspect xdmcp inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect esmtp inspect sqlnet inspect sip inspect skinny !service-policy global_policy global!: end

H1

hostname H1!no ip routing! interface GigabitEthernet0/1 ip address 192.168.1.1 255.255.255.0!ip default-gateway 192.168.1.254!ip http serverno ip http secure-server!end

H2

hostname H2!no ip routing! interface GigabitEthernet0/1 ip address 192.168.2.2 255.255.255.0!ip default-gateway 192.168.2.254!ip http serverno ip http secure-server!end

Let’s get started!

Connection State

The ASA keeps track of all existing connections and their state. Let’s see what this looks like. First, we connect from H1 to H2:

H1#telnet 192.168.2.2 80Trying 192.168.2.2, 80 ... Open

Now look at the connections with the show conn command:

ASA1# show conn 1 in use, 1 most usedTCP OUTSIDE 192.168.2.2:80 INSIDE 192.168.1.1:50195, idle 0:00:00, bytes 0, flags U

You can see the flags if you add the detail parameter:

See Also
Traffic Logs In ASA

ASA1# show conn detail 0 in use, 1 most usedFlags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN, B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media, c - cluster centralized, D - DNS, d - dump, E - outside back connection, e - semi-distributed, F - outside FIN, f - inside FIN, G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data, i - incomplete, J - GTP, j - GTP data, K - GTP t3-response k - Skinny media, L - LISP triggered flow owner mobility l - local director/backup stub flow M - SMTP data, m - SIP media, n - GUP N - inspected by Snort O - outbound data, o - offloaded, P - inside back connection, Q - Diameter, q - SQL*Net data, R - outside acknowledged FIN, R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN, s - awaiting outside SYN, T - SIP, t - SIP transient, U - up, u - STUN, V - VPN orphan, v - M3UA W - WAAS, w - secondary domain backup, X - inspected by service module, x - per session, Y - director stub flow, y - backup stub flow, Z - Scansafe redirection, z - forwarding stub flow

Let’s try to connect from H2 to H1:

H2#telnet 192.168.1.1 80Trying 192.168.1.1, 80 ... % Connection timed out; remote host not responding

This connection fails, so it doesn’t show up in the connection overview:

ASA1# show conn0 in use, 1 most used

At least we know something is going on.

Interface drops

The ASA keeps track of drops on the interface. Here’s where you find this:

ASA1# show interface GigabitEthernet 0/1 | include packets dropped 10 packets dropped

We see the ASA drops packets on the interface, but we have no idea what.You can use clear interface to reset this counter.

Syslog

Syslog is one of the best tools to figure out what is going on with your packet drops. The ASA has over 2000 unique syslog messages. You can send syslog messages to different locations. For debugging, the console works fine. Let’s see how we can use this.

First, you need to enable logging up to the debug level:

ASA1(config)# logging enableASA1(config)# logging buffered debugging

Optionally, you can increase the buffer size so you can store more syslog messages. For this example, I’m disabling the timestamps so that the messages are easier to look at:

ASA1(config)# logging buffer-size 1000000ASA1(config)# no logging timestamp

Let’s try to connect from H2 to H1 on TCP port 80:

H2#telnet 192.168.1.1 80Trying 192.168.1.1, 80 ... % Connection timed out; remote host not responding

Now check out your log with the show logging command:

ASA1(config)# show loggingSyslog logging: enabled Facility: 20 Timestamp logging: disabled Hide Username logging: enabled Standby logging: disabled Debug-trace logging: disabled Console logging: disabled Monitor logging: disabled Buffer logging: level debugging, 11 messages logged Trap logging: disabled Permit-hostdown logging: disabled History logging: disabled Device ID: disabled Mail logging: disabled ASDM logging: disabled%ASA-5-111008: User 'enable_15' executed the 'logging buffer-size 1000000' command.%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'logging buffer-size 1000000'%ASA-5-111008: User 'enable_15' executed the 'no logging timestamp' command.%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'no logging timestamp'%ASA-7-111009: User 'enable_15' executed cmd: show logging%ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/13279 to 192.168.1.1/80 flags SYN on interface OUTSIDE%ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/13279 to 192.168.1.1/80 flags SYN on interface OUTSIDE%ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/13279 to 192.168.1.1/80 flags SYN on interface OUTSIDE%ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/13279 to 192.168.1.1/80 flags SYN on interface OUTSIDE

Above, we see the syslog messages and the code. If you want to know what each message means, you have to check the Cisco ASA Series Syslog Messages. In this case, we see message code 106001. Here is the explanation for this message, taken directly from Cisco.com:

Explanation An attempt was made to connect to an inside address is denied by the security policy that is defined for the specified traffic type. The IP address displayed is the real IP address instead of the IP address that appears through NAT. Possible tcp_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the ASA, and it was dropped. The tcp_flags in this packet are FIN and ACK.

When there is much traffic going on, you’ll need to filter these messages. You can either use include to filter the message:

ASA1(config)# show logging | include 106001%ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/13279 to 192.168.1.1/80 flags SYN on interface OUTSIDE%ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/13279 to 192.168.1.1/80 flags SYN on interface OUTSIDE%ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/13279 to 192.168.1.1/80 flags SYN on interface OUTSIDE%ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/13279 to 192.168.1.1/80 flags SYN on interface OUTSIDE

Or get rid of what you don’t need with exclude:

ASA1(config)# show logging | exclude 111008|111009|111010|302010Syslog logging: enabled Facility: 20 Timestamp logging: disabled Hide Username logging: enabled Standby logging: disabled Debug-trace logging: disabled Console logging: disabled Monitor logging: disabled Buffer logging: level debugging, 19 messages logged Trap logging: disabled Permit-hostdown logging: disabled History logging: disabled Device ID: disabled Mail logging: disabled ASDM logging: disabled%ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/13279 to 192.168.1.1/80 flags SYN on interface OUTSIDE%ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/13279 to 192.168.1.1/80 flags SYN on interface OUTSIDE%ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/13279 to 192.168.1.1/80 flags SYN on interface OUTSIDE%ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/13279 to 192.168.1.1/80 flags SYN on interface OUTSIDE

These syslog messages are handy to figure out what is going on.

ASP drops

Another useful tool is to check the Accelerated Security Path (ASP) drops with the show asp drop command. This command gives an overview of packets that the ASA drops with a reason. Let’s have a look:

ASA1# show asp dropFrame drop: Flow is denied by configured rule (acl-drop) 3Last clearing: 12:12:46 UTC Apr 24 2020 by enable_15Flow drop:Last clearing: 12:12:46 UTC Apr 24 2020 by enable_15

Above, we see 3 hits because of “acl-drop”. You can reset this counter with the clear asp drop command if needed. There is a huge list of reasons, which you can find on the Cisco “show asp drop” command reference page.

Packet Capture

We can also capture packets to take a closer look. There are two options:

  • Capture ASP dropped packets
  • Capture any packets you want.

Let’s check both options.

ASP Drops Capture

The show asp drop command tells us why something is dropped with a counter, but that’s it. It doesn’t tell us exactly what is dropped. Let’s capture some packets so we can see them. We do this with the capture command:

ASA1(config)# capture ASP_DROPS type asp-drop acl-drop

The command above supports some extra parameters. For example, you could capture only specific protocol numbers (AH, ESP, GRE, etc.) or add an access-list. If you have a lot of traffic, you probably want a specific capture, but in my case, this is fine.

Let’s generate some more traffic from H2 to H1:

H2#telnet 192.168.1.1 80Trying 192.168.1.1, 80 ... % Connection timed out; remote host not responding

Here are the packets we captured:

ASA1(config)# show capture ASP_DROPS4 packets captured 1: 12:16:18.018919 192.168.2.2.30833 > 192.168.1.1.80: S 178607441:178607441(0) win 4128 Drop-reason: (acl-drop) Flow is denied by configured rule 2: 12:16:20.021666 192.168.2.2.30833 > 192.168.1.1.80: S 178607441:178607441(0) win 4128 Drop-reason: (acl-drop) Flow is denied by configured rule 3: 12:16:24.028456 192.168.2.2.30833 > 192.168.1.1.80: S 178607441:178607441(0) win 4128 Drop-reason: (acl-drop) Flow is denied by configured rule 4: 12:16:32.034986 192.168.2.2.30833 > 192.168.1.1.80: S 178607441:178607441(0) win 4128 Drop-reason: (acl-drop) Flow is denied by configured rule4 packets shown

The above output is interesting. This output tells us which packets get dropped with the reason. When you are finished, don’t forget to get rid of the capture:

Cisco ASA Packet Drop Troubleshooting (2024)

FAQs

How to troubleshoot packet drop issues on Cisco? ›

Use the show hardware rate-limit command to determine if packets are being dropped because of a rate limit. Use the show policy-map interface control-plane command to determine if packets are being dropped because of CoPP.

Read On
How to check packet loss on Cisco ASA? ›

You can use the show asp drop command to see more specific reasons for these packet drops. Do not confuse the packets dropped counter with the interface error counters. The counter is only displayed for named interfaces, since it does not represent a physical error counter, but an ASA policy drop counter.

Discover More Details
How do I stop ASA packet capture? ›

The ASA now begins to capture the traffic flow between the interfaces. In order to stop the capture at anytime, enter the no capture command followed by the capture name.

Continue Reading
How do you diagnose packet drops? ›

Detecting packet loss may be as simple as pinging the remote endpoint and seeing how many pings come back.

See Details
What's causing my packet loss? ›

The causes of packet loss include inadequate signal strength at the destination, natural or human-made interference, excessive system noise, software corruption or overburdened network nodes. Often more than one of these factors is involved. Additional causes include the following: Network congestion.

Find Out More
How do I check my CPU on Cisco ASA? ›

Cisco Adaptive Security Device Manager (ASDM) also provides a graph on the Monitoring tab that allows you to view the CPU usage of the ASA over time. You can use this graph in order to determine the load on your ASA. The show cpu usage command can be used to display CPU utilization statistics.

Tell Me More
How do I check my ASA firewall logs? ›

If you just want to look at local logs, type the command show log asdm. ASDM logs are typically not very large so you may have them going to a syslog.

Show Me More
How to debug dropped packets? ›

This can be done by using tools such as ping, traceroute, and packet capture to test the connectivity and performance of different segments of the network. Ping can measure the round-trip time and success rate of sending and receiving packets between two endpoints.

Explore More
Does a VPN fix packet loss? ›

VPNs can contribute to reducing packet loss by optimizing the route that data takes from the user's device to its destination. Most importantly, VPNs allow you to bypass your ISP. Some VPN providers have a network of servers strategically located around the world.

Continue Reading
How to detect packet loss in TCP? ›

The first method is TCP retransmission analysis.

By examining the TCP retransmission packets, we can gain insights into packet loss occurrences. These tools offer detailed packet-level information, including sequence numbers, timestamps, and other metrics, aiding in troubleshooting efforts.

Show Me More

Which command is used to capture packets on ASA? ›

Use the show capture command or real time capture command. Use 'no capture' command to stop it.

Read The Full Story
What is packet Tracer command in Asa? ›

The packet-tracer command provides detailed information about the packets and how they are processed by the ASA. packet-tracer allows a firewall administrator to inject a virtual packet into the security appliance and track the flow from ingress to egress.

See Details
What is the difference between packet tracer and packet capture in ASA? ›

Packet trace options are available for devices that support the packet trace feature. Devices, such as the Core Controller and the SSL do not support packet trace. A traffic capture file contains one or more packets captured by a device on a single segment or multiple segments.

Get More Info Here
Which two conditions would cause a router to drop a packet? ›

If you are a network administrator, you may encounter a situation where your router drops packets, causing network performance issues or connectivity problems. Packet loss can have various causes, such as faulty hardware, misconfigured settings, network congestion, or security attacks.

Continue Reading
What causes output drops on a Cisco switch? ›

Total output drops: The number of packets dropped because the output queue is full. A common cause of this might be traffic from a high bandwidth link being switched to a lower bandwidth link or traffic from multiple inbound links being switched to a single outbound link.

View More
How to check output drops in Cisco switch? ›

The show platform hardware fed switch active qos queue stats interface < interface> command allows you to see per-queue statistics on an interface, which includes how many bytes were enqueued into the buffers, and how many bytes were dropped due to lack of available buffers.

View Details
Top Articles
Cash Composition - principlesofaccounting.com
Pi Price Prediction 2023-2030: Can PI reach $100?
Amazing deals for Ralphs on Goodshop!
7Th Ave And Osborn Safeway
Latest Posts
Linux: Find Out What Is Using TCP Port 80
Netflix's Vacation Policy: They Don't Track Time Off?
Article information

Author: Melvina Ondricka

Last Updated:

Views: 5599

Rating: 4.8 / 5 (48 voted)

Reviews: 95% of readers found this page helpful

Author information

Name: Melvina Ondricka

Birthday: 2000-12-23

Address: Suite 382 139 Shaniqua Locks, Paulaborough, UT 90498

Phone: +636383657021

Job: Dynamic Government Specialist

Hobby: Kite flying, Watching movies, Knitting, Model building, Reading, Wood carving, Paintball

Introduction: My name is Melvina Ondricka, I am a helpful, fancy, friendly, innocent, outstanding, courageous, thoughtful person who loves writing and wants to share my knowledge and understanding with you.