What is ASP and how do I troubleshoot ASP drops on an ASA ? - Fir3net (2024)

What is the Accelerated Security Path ?

The Accelerated Security Path (ASP) on the ASA appliance comprises two components: the Session Management Path and the Fast Path. Alongside the ASP there is also the Control Plane Path, which is covered below as well.

The Session Management Path

When the first packet of a new connection reaches the ASA it is sent to the “Session Management Path”. This path is responsible for:

* Performing the access list checks
* Performing route lookups
* Allocating NAT translations (xlates)
* Establishing sessions in the “fast path”

The Fast Path

If the connection is already established, the security appliance does not need to re-check the packets against the policy and they are sent to the Fast Path instead. The Fast Path is responsible for the following tasks:

* IP checksum verification
* Session lookup
* TCP sequence number check
* NAT translations based on existing sessions
* Layer 3 and Layer 4 header adjustments

For UDP and other connectionless protocols the security appliance still creates connection state information, so that subsequent packets can use the Fast Path too.

Some packets belonging to established sessions must nevertheless continue to go through the Session Management Path or the Control Plane Path. Packets that go through the Session Management Path include HTTP packets that require inspection or content filtering. Packets that go through the Control Plane Path include the control packets of protocols that require Layer 7 inspection; the data packets of those same protocols can still use the Fast Path.

The Control Plane Path

Packets that need adjustments to their headers at Layer 7, or that belong to protocols whose Layer 7 inspection engine must track dynamically negotiated ports (FTP, H.323 and similar), are passed to the Control Plane Path.

How do I Debug ASP Drops ?

There are three main ways to confirm whether your ASA appliance has dropped packets at the ASP stage. These are:

1. Viewing the ASP statistics
2. Viewing the ASA Logs
3. Running an ASP Drop packet capture

Viewing the ASP statistics

In order to view the ASP drop statistics run the command “sh asp drop” (short for “show asp drop”).

asa-firewall# sh asp drop

Frame drop:
  Invalid TCP Length (invalid-tcp-hdr-length)                   20
  First TCP packet not SYN (tcp-not-syn)                    902518
  Bad TCP flags (bad-tcp-flags)                                 39

Last clearing: 19:45:39 UTC Jan 18 2010 by user

Flow drop:
  NAT failed (nat-failed)                                      218
  Inspection failure (inspect-fail)                          29170
  SSL received close alert (ssl-received-close-alert)            4

Last clearing: 19:45:39 UTC Jan 18 2010 by user

This gives an overview of the types of drop being encountered and how often, but not the source and destination hosts involved, so on its own it cannot isolate a particular flow. The counters are cumulative since the last clearing, so take two readings a few minutes apart and look at which counters are moving rather than at the absolute values. A large tcp-not-syn count in particular is normal on most firewalls (asymmetric routing, or packets arriving for connections that have already timed out) and is rarely the problem you are looking for.

You can clear the counters with the “clear asp drop” command, and limit the output to one category with “show asp drop frame” or “show asp drop flow”.
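Because the counters are cumulative, the useful question is which ones moved between two readings. The following Python script is an added example and not part of the original article: it parses two constructed “show asp drop” snapshots (the counter names and layout follow the output above; the numbers in the second snapshot are made up) and reports the counters that increased, flagging any counter that went down because that means someone ran “clear asp drop” in between.

```python
import re

# Constructed sample: two "show asp drop" snapshots taken a few minutes apart.
# Counter names match the article's output; the "after" values are invented.
SNAPSHOT_BEFORE = """\
Frame drop:
  Invalid TCP Length (invalid-tcp-hdr-length)                   20
  First TCP packet not SYN (tcp-not-syn)                    902518
  Bad TCP flags (bad-tcp-flags)                                 39

Last clearing: 19:45:39 UTC Jan 18 2010 by user

Flow drop:
  NAT failed (nat-failed)                                      218
  Inspection failure (inspect-fail)                          29170
  SSL received close alert (ssl-received-close-alert)            4

Last clearing: 19:45:39 UTC Jan 18 2010 by user
"""

SNAPSHOT_AFTER = """\
Frame drop:
  Invalid TCP Length (invalid-tcp-hdr-length)                   20
  First TCP packet not SYN (tcp-not-syn)                    903101
  Bad TCP flags (bad-tcp-flags)                                 41
  Flow is denied by configured rule (acl-drop)                 517

Last clearing: 19:45:39 UTC Jan 18 2010 by user

Flow drop:
  NAT failed (nat-failed)                                      220
  Inspection failure (inspect-fail)                          29170
  SSL received close alert (ssl-received-close-alert)            4

Last clearing: 19:45:39 UTC Jan 18 2010 by user
"""

# One counter line: "<description> (<short-name>)   <count>"
COUNTER_RE = re.compile(r"^\s*(?P<desc>.+?)\s+\((?P<name>[a-z0-9-]+)\)\s+(?P<count>\d+)\s*$")
# Section headers separate the frame-level and flow-level drop reasons.
SECTION_RE = re.compile(r"^(?P<section>Frame|Flow) drop:")


def parse_asp_drop(text):
    """Map (section, short-name) -> (description, count) for one snapshot."""
    counters = {}
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = COUNTER_RE.match(line)
        if m and section:
            counters[(section, m.group("name"))] = (m.group("desc"), int(m.group("count")))
    return counters


def drop_delta(before, after):
    """Counters that changed between two snapshots, largest increase first.

    A counter missing from 'before' is treated as starting at zero. A counter
    that went down means the counters were cleared in between; the 'after'
    value is reported as-is and the row is flagged with cleared=True.
    """
    b = parse_asp_drop(before)
    a = parse_asp_drop(after)
    rows = []
    for (section, name), (desc, count_after) in a.items():
        count_before = b.get((section, name), (desc, 0))[1]
        if count_after < count_before:
            rows.append({"section": section, "name": name, "desc": desc,
                         "delta": count_after, "cleared": True})
        elif count_after > count_before:
            rows.append({"section": section, "name": name, "desc": desc,
                         "delta": count_after - count_before, "cleared": False})
    rows.sort(key=lambda r: r["delta"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in drop_delta(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        flag = " (counters cleared in between)" if row["cleared"] else ""
        print(f"{row['section']:5} {row['name']:<28} +{row['delta']:<8} {row['desc']}{flag}")
```

Feed it the real output captured from two SSH sessions (or from a scheduled job) and the rows at the top of the report are the drop reasons worth chasing with the capture described later on this page.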

Viewing the ASA Logs

Via your syslog server you will be able to view the logs showing the dropped packets. These provide the reason along with the source and destination addresses and interfaces, which is what the counters lack. An example is shown below for an MSS Exceeded ASP drop:

%ASA-4-419001: Dropping TCP packet from outside:192.168.9.2/80 to inside:192.168.9.30/1025, reason: MSS exceeded, MSS 460, data 1440

Bear in mind that not every ASP drop reason produces a syslog message, and that a message may be generated at a severity your logging configuration filters out, so a quiet log does not mean nothing is being dropped. If the counters are climbing but the logs are silent, go to the capture below.

Running an ASP drop packet capture

This is, in my opinion, the most concise and efficient way of troubleshooting your ASP-dropped traffic: the capture records the dropped packets themselves, so you get the headers and the drop reason in one place.
To enable a packet capture of every packet dropped by ASP, regardless of reason, use the following command:

asa-firewall# capture asp-drop type asp-drop all

On a busy firewall “all” fills the capture buffer quickly and tcp-not-syn noise can bury the drops you care about, so it is usually better to capture a single reason, using the short name shown in parentheses by “show asp drop”, for example:

asa-firewall# capture asp-drop type asp-drop acl-drop

The buffer size can be raised with the “buffer” keyword and made to wrap with “circular-buffer”. Use “clear capture asp-drop” to empty the buffer and “no capture asp-drop” to remove the capture when you are finished.

To see the buffer for the asp-drop capture run the following command. The Drop-reason field at the end of each line gives the reason for the drop: the short name in parentheses, followed by its description. Pipe the output through “include” (for example “sh capture asp-drop | include 10.70.0.162”) to narrow it down to one host.

asa-firewall# sh capture asp-drop

2 packets captured
1: 15:15:00.682154 197.2.1.29.2616 > 87.200.42.101.443: S 1239395083:1239395083(0) win 65535 <mss 1260,nop,nop,sackOK> Drop-reason: (acl-drop) Flow is denied by configured rule
4: 15:15:00.750830 10.70.0.162.3812 > 168.252.3.41.15: S 3523756300:3523756300(0) win 65535 <mss 1360,nop,nop,sackOK> Drop-reason: (rpf-violated) Reverse-path verify failed
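Both the syslog message shown earlier and the capture output above carry the two things the counters lack, the hosts and the reason, so the natural next step is to aggregate them by reason and by source/destination pair to see who is being dropped most. The script below is an added example, not part of the original article. It parses constructed “show capture asp-drop” output (the first two lines are the ones from this page, the rest are invented) and constructed %ASA-4-419001 syslog lines, then ranks the (reason, source, destination, destination port) combinations. The capture regex stops the description at the first comma, so it also copes if a release appends further comma-separated fields after the drop reason.

```python
import re
from collections import Counter

# Constructed "show capture asp-drop" output. Lines 1 and 2 are from the article;
# lines 3-5 are invented to give the aggregation something to work with.
CAPTURE_OUTPUT = """\
5 packets captured
   1: 15:15:00.682154 197.2.1.29.2616 > 87.200.42.101.443: S 1239395083:1239395083(0) win 65535 <mss 1260,nop,nop,sackOK> Drop-reason: (acl-drop) Flow is denied by configured rule
   2: 15:15:00.750830 10.70.0.162.3812 > 168.252.3.41.15: S 3523756300:3523756300(0) win 65535 <mss 1360,nop,nop,sackOK> Drop-reason: (rpf-violated) Reverse-path verify failed
   3: 15:15:01.104211 197.2.1.29.2617 > 87.200.42.101.443: S 1239395084:1239395084(0) win 65535 <mss 1260,nop,nop,sackOK> Drop-reason: (acl-drop) Flow is denied by configured rule
   4: 15:15:01.552903 197.2.1.29.2618 > 87.200.42.101.443: S 1239395085:1239395085(0) win 65535 <mss 1260,nop,nop,sackOK> Drop-reason: (acl-drop) Flow is denied by configured rule
   5: 15:15:02.003117 10.20.30.40.51000 > 10.20.30.1.22: . ack 1 win 65535 Drop-reason: (tcp-not-syn) First TCP packet not SYN
5 packets shown
"""

# Constructed syslog lines; the message text follows the %ASA-4-419001 example above.
SYSLOG_LINES = [
    "Jan 18 2010 19:50:01 asa-firewall : %ASA-4-419001: Dropping TCP packet from outside:192.168.9.2/80 to inside:192.168.9.30/1025, reason: MSS exceeded, MSS 460, data 1440",
    "Jan 18 2010 19:50:03 asa-firewall : %ASA-4-419001: Dropping TCP packet from outside:192.168.9.2/80 to inside:192.168.9.30/1025, reason: MSS exceeded, MSS 460, data 1440",
    "Jan 18 2010 19:50:04 asa-firewall : %ASA-6-302013: Built inbound TCP connection 12345 for outside:1.2.3.4/40000 (1.2.3.4/40000) to inside:10.0.0.5/443 (10.0.0.5/443)",
]

# "<n>: <time> <src>.<sport> > <dst>.<dport>: <tcp detail> Drop-reason: (<name>) <description>[, ...]"
CAPTURE_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<time>\S+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+"
    r"(?P<detail>.*?)\s*Drop-reason:\s+\((?P<reason>[a-z0-9-]+)\)\s*(?P<desc>[^,]*)"
)

# Only 419001 is parsed here; other message IDs are ignored rather than guessed at.
SYSLOG_RE = re.compile(
    r"%ASA-\d-419001: Dropping (?P<proto>\S+) packet from "
    r"(?P<sif>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dif>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+), reason: (?P<reason>[^,]+)"
)


def parse_capture(text):
    """Return one record per dropped packet in 'show capture asp-drop' output."""
    records = []
    for line in text.splitlines():
        m = CAPTURE_RE.match(line)
        if m:
            records.append({"reason": m.group("reason"), "desc": m.group("desc").strip(),
                            "src": m.group("src"), "sport": int(m.group("sport")),
                            "dst": m.group("dst"), "dport": int(m.group("dport"))})
    return records


def parse_syslog(lines):
    """Return one record per %ASA-4-419001 message; other messages are skipped."""
    records = []
    for line in lines:
        m = SYSLOG_RE.search(line)
        if m:
            records.append({"reason": m.group("reason").strip(), "desc": m.group("reason").strip(),
                            "src": m.group("src"), "sport": int(m.group("sport")),
                            "dst": m.group("dst"), "dport": int(m.group("dport")),
                            "src_if": m.group("sif"), "dst_if": m.group("dif")})
    return records


def summarize(records, top=10):
    """Rank (reason, src, dst, dport) tuples by how many drops they account for."""
    counts = Counter((r["reason"], r["src"], r["dst"], r["dport"]) for r in records)
    return counts.most_common(top)


if __name__ == "__main__":
    for source, recs in (("capture", parse_capture(CAPTURE_OUTPUT)),
                         ("syslog", parse_syslog(SYSLOG_LINES))):
        print(f"--- top drops from {source} ---")
        for (reason, src, dst, dport), n in summarize(recs):
            print(f"{n:5}  {reason:<14} {src} -> {dst}:{dport}")
```

Run it against the real buffer (for example the output of “sh capture asp-drop” saved to a file) and the top row tells you which rule, route or NAT statement to look at first; the source port is deliberately left out of the key so that retries on ephemeral ports group together.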


Rick Donato is a Network Automation Architect/Evangelist and the founder of Packet Coders.
