packet tracer

I have a permitted rule on my ASA 5585 appliance. 

When I run the packet trace on a permitted rule I get the following output:

Type: Route Lookup, Action: Allow
Info: Found next hop...
Access List, Type: Access List, Action: DROP
Config: Implicit Rule
Result: the packet is dropped
Input/output interfaces are both UP
Info: (acl drop) flow is denied by configured rule

Not sure why this is occurring. Other permitted rules packet-trace out just fine.
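One way to pin down which phase is dropping, as an added example that is not code from the post or from Cisco: a small Python parser over constructed packet-tracer output in the ASA phase format, reporting the first DROP phase, whether it landed on the implicit rule (no explicit ACE matched on the interface named in the trace) and the final Drop-reason. The sample trace, addresses and interface names are made up; packet-tracer evaluates the ACL of the ingress interface you give it, so a trace run against the wrong interface or direction hits the implicit deny even though a permit rule exists.

```python
import re
# Constructed ASA-style packet-tracer output (not from the post): route lookup
# ALLOW, then ACCESS-LIST DROP on the implicit rule. Addresses are made up.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Additional Information:
found next-hop 10.0.0.1 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule

Result:
input-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
FIELD = re.compile(r"^([\w -]+):\s*(.*)$")  # a "Key: value" line

def parse_trace(trace):
    """(phases, summary) as dicts; non-'Key:' lines append to the previous key."""
    blocks = []
    for block in re.split(r"\n\s*\n", trace.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                key, val = m.groups()
                fields[key] = val.strip()
            elif key and line.strip():  # e.g. the ACE printed under Config:
                fields[key] = (fields[key] + " " + line.strip()).strip()
        blocks.append(fields)
    phases = [b for b in blocks if "Phase" in b]
    summary = next((b for b in blocks if "Phase" not in b and "Action" in b), {})
    return phases, summary

def find_drop(trace):
    """First DROP phase joined with the final Drop-reason; 'implicit' means no
    explicit ACE matched on the ingress interface given to the trace."""
    phases, summary = parse_trace(trace)
    for p in phases:
        if p.get("Result") == "DROP":
            cfg = p.get("Config", "")
            return {"phase": int(p["Phase"]), "type": p.get("Type", ""), "config": cfg,
                    "implicit": cfg.lower().startswith("implicit rule"),
                    "ingress": summary.get("input-interface", ""),
                    "reason": summary.get("Drop-reason", "")}
    return None  # no DROP phase: the trace was allowed end to end
```

A result with `implicit` set and an unexpected `ingress` usually means the trace was run from the wrong interface, which is worth ruling out before touching the ACL.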

3 Replies

Rahul Govindan (VIP Alumni)

Could you paste the ACL line and the complete packet-tracer command and output?

I recently upgraded my Cisco ASA 5585 from ASA 9.1(4) to 9.6(3)1 and ASDM 7.1(5) to 7.6.2(150).

Once I did that, there have been some packets dropped on some of the interface traffic.

This traffic is on port channels. Is upgrading the software and firmware going to affect this?

The interfaces are all up/up. The traffic is hitting the access rules that are in place and did not change prior to the upgrade, and I do not see any denies.

I see traffic build from src to dest, but then I see the traffic teardown from the initiator on the dest IP, and the closure codes vary. I see TCP FINs (success), SYN Timeout (awaiting 3-way handshake) and TCP Reset-O (outside). Do you think my upgrading the software and firmware could have affected this traffic?

I see NO denied traffic. It's just that when I do a show interface on the CLI, I see packets input and packets output, and I also see packets dropped, and they are increasing.

The customer states that they are receiving about 52% of the traffic, so that is probably where I am seeing the TCP FIN traffic.

I asked the customer to check their system. They said nothing has changed; they do have dynamic_client_socket_connection_error, but they state they have had those for years.

Do you think upgrading the ASA and ASDM affected the traffic?

I ran these commands with the output below:

show interface port-channel 1: link and line protocol are both up, hardware is EtherChannel/LACP, BW 20000 Mbps, DLY 10 usec; traffic stats: 26929959 packets input, 1468209948 bytes, 170513415 packets output, 25527561290 bytes, 255076 packets dropped

show interface port-channel 2: link and line protocol are both up, hardware is EtherChannel/LACP, BW 20000 Mbps, DLY 10 usec; traffic stats: 255495 packets input, 12773046 bytes, 427 packets output, 1956 bytes, 255069 packets dropped

show interface port-channel 3: link and line protocol are both up, hardware is EtherChannel/LACP, BW 20000 Mbps, DLY 10 usec; traffic stats: 173449466 packets input, 258648257421 bytes, 490765064 packets output, 118882860252 bytes, 310068 packets dropped

show cpu: 5 seconds: 1%; 1 minute: 1%; 5 minutes: 1%

show mem: free memory 72%, used memory 22%, total 100%

show conn count: 27 in use, 42 most used

show blocks:
 SIZE    MAX     LOW     CNT
    0    7450    7449    7450
    4    1700    1699    1699
   80    9000    8991    9000
  256    9676    9610    9660
 1550   36274   36145   36259
 2048   20000   19811   20000
 2560    8192    8192    8192
 4096     100     100     100
 8192     100     100     100
 9344     100     100     100
16384     300     300     300
65536      16      16      16

So upgrading the firmware code from 9.1 to 9.6 and ASDM from 7.1 to 7.6 should not have affected the traffic flow at all?

My history troubleshooting with customers is that SYN Timeout and TCP Reset-O are system-level errors.

The customer stated that they started to not receive all of their traffic once I rebooted the firewall.

Do you think doing a shut/no shut on one of the interfaces in the port channel may fix the issue?
