Viewing dropped packets on ASA

show asp drop is a great troubleshooting command for the ASA.

ASA5505#show asp drop

Frame drop:
Invalid encapsulation (invalid-encap) 8
Invalid TCP Length (invalid-tcp-hdr-length) 13
Invalid UDP Length (invalid-udp-length) 3
No valid adjacency (no-adjacency) 432
No route to host (no-route) 854
Flow is denied by configured rule (acl-drop) 5917343
Flow denied due to resource limitation (unable-to-create-flow) 3717
Invalid SPI (np-sp-invalid-spi) 827
NAT-T keepalive message (natt-keepalive) 738148
First TCP packet not SYN (tcp-not-syn) 466773
Bad TCP flags (bad-tcp-flags) 204
TCP Dual open denied (tcp-dual-open) 3
TCP failed 3 way handshake (tcp-3whs-failed) 6351
TCP RST/FIN out of order (tcp-rstfin-ooo) 13965
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 963
TCP SYNACK on established conn (tcp-synack-ooo) 375
TCP packet SEQ past window (tcp-seq-past-win) 10975
TCP invalid ACK (tcp-invalid-ack) 1580
TCP ACK in 3 way handshake invalid (tcp-discarded-ooo) 107
TCP Out-of-Order packet buffer full (tcp-buffer-full) 438460
TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 318081
TCP RST/SYN in window (tcp-rst-syn-in-win) 8434
TCP packet failed PAWS test (tcp-paws-fail) 4202
IPSEC tunnel is down (ipsec-tun-down) 1789
Early security checks failed (security-failed) 182
Slowpath security checks failed (sp-security-failed) 38761
IP option drop (invalid-ip-option) 118
Expired flow (flow-expired) 4691
ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn) 10
DNS Inspect invalid packet (inspect-dns-invalid-pak) 12
DNS Inspect id not matched (inspect-dns-id-not-matched) 3306
FP L2 rule drop (l2_acl) 52939
Interface is down (interface-down) 3
Dropped pending packets in a closed socket (np-socket-closed) 24834
SVC Module does not have a session (mp-svc-no-session) 79

Last clearing: Never

Flow drop:
Need to start IKE negotiation (need-ike) 98
Inspection failure (inspect-fail) 120188
SSL received close alert (ssl-received-close-alert) 6

Last clearing: Never


You can clear the ASP table with 

clear asp table

One Comment on “Viewing dropped packets on ASA”

  1. Pingback: Judi Togel

Leave a Reply

Your email address will not be published. Required fields are marked *