cisco asa 5505 asp drop

theklap
I have an MPLS network connecting 5 sites. All internet traffic is funneled through one site, which has a Cisco ASA 5505 as the firewall. So it goes:

Public Internet->Cisco-Public Side(ISP router)->Cisco ASA 5505->Cisco-Private Side(ISP Router)->MPLS
I also have a switch for that local subnet plugged into the ASA.
In the ISP Cisco the ISP has set it to hand off all internet traffic to my ASA. And in my ASA I created static routes back to the MPLS router for the remote MPLS networks.

All services are working, except I am getting weird numbers in the asp drop.
Frame drop:
  Reverse-path verify failed (rpf-violated)                                   11
  Flow is denied by configured rule (acl-drop)                            119819
  First TCP packet not SYN (tcp-not-syn)                                   22131
  TCP failed 3 way handshake (tcp-3whs-failed)                              2166
  TCP RST/FIN out of order (tcp-rstfin-ooo)                                 2116
  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                            25
  TCP SYNACK on established conn (tcp-synack-ooo)                             34
  TCP packet SEQ past window (tcp-seq-past-win)                               49
  TCP RST/SYN in window (tcp-rst-syn-in-win)                                 223
  TCP packet failed PAWS test (tcp-paws-fail)                               2135
  ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn)                                     1
  DNS Inspect packet too long (inspect-dns-pak-too-long)                      48
  Dropped pending packets in a closed socket (np-socket-closed)              111

Last clearing: 23:23:54 CST Jan 26 2010 by enable_15

Flow drop:
  NAT failed (nat-failed)                                                   1122
  Inspection failure (inspect-fail)                                            8

Last clearing: 23:23:54 CST Jan 26 2010 by enable_15

I know for a fact every time the Outlook Web Access is hit by HTTPS or ActiveSync cell phones the ASA generates 2-5 tcp-not-syn for the inside interface and sometimes generates it for the outside interface. It generates other tcp-not-syn for random web browsing. I do not know when the other drops are generated.

Any suggestions?
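As an added example (not part of this thread), a small Python parser for the `show asp drop` output quoted above. The counters are cumulative since the last clearing, so the useful check is the delta between two captures; the second snapshot below is constructed to show which reasons are still firing.

```python
import re

# First snapshot: an excerpt of the counters quoted in the question.
SNAPSHOT_1 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                            119819
  First TCP packet not SYN (tcp-not-syn)                                   22131
  TCP failed 3 way handshake (tcp-3whs-failed)                              2166

Flow drop:
  NAT failed (nat-failed)                                                   1122
  Inspection failure (inspect-fail)                                            8
"""

# Second snapshot: constructed values, as if captured a few minutes later.
SNAPSHOT_2 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                            120403
  First TCP packet not SYN (tcp-not-syn)                                   22390
  TCP failed 3 way handshake (tcp-3whs-failed)                              2170
Flow drop:
  NAT failed (nat-failed)                                                   1122
  Inspection failure (inspect-fail)                                            8
"""

# Counter lines: indented description, "(reason-name)", then the count.
LINE_RE = re.compile(r"^\s+(?P<desc>.+?)\s+\((?P<reason>[\w-]+)\)\s+(?P<count>\d+)\s*$")


def parse_asp_drop(text):
    """Return {(section, reason): (description, count)} for every counter line."""
    counters, section = {}, None
    for line in text.splitlines():
        if line.endswith("drop:"):          # "Frame drop:" / "Flow drop:"
            section = line[:-1]
            continue
        m = LINE_RE.match(line)
        if m and section:
            counters[(section, m["reason"])] = (m["desc"], int(m["count"]))
    return counters


def drop_deltas(before, after):
    """(reason, section, increase) for counters that grew, largest first."""
    a, b = parse_asp_drop(before), parse_asp_drop(after)
    deltas = []
    for key, (desc, count_after) in b.items():
        increase = count_after - a.get(key, (desc, 0))[1]
        if increase > 0:
            deltas.append((key[1], key[0], increase))
    return sorted(deltas, key=lambda d: d[2], reverse=True)
```

Running `drop_deltas(SNAPSHOT_1, SNAPSHOT_2)` lists only the reasons that moved between captures, which is what to cross-check against the syslog entries for the same window.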
I would suggest the possibility that the ASA is seeing inside traffic on the outside interface and outside traffic on the inside interface.

Is the ISP router connected to both the inside and outside interfaces of your ASA?

Author

Commented:
Yes the ISP router has 2 ports on it.  One is the public side and one is the private side/MPLS.
 
Matt

Not sure what the problem is, looks like your ASA is doing a good job inspecting flows outside to inside and filtering traffic it does not expect to receive, which numbers are you having problems with? Is the problem that you do not expect to receive these drops at all?

harbor235 ;}

I'd set up logging to a syslog server.  Then you can search the log for packet drops, and determine why the drops are happening.

Author

Commented:
Ok so the syslog has helped me clean up 2 problems. But I still have a question about a TCP-NOT-SYN being generated.
I have a flow from an OWA session attached.
It appears the ASA closes the connection and then milliseconds after that the client is sending RST ACK which is being denied. Is this normal? It looks like the client sends the reset initially, then sends the reset again and it is denied and a TCP-NOT-SYN is generated. What can I do to fix this, or should I just live with it since the ASA is doing its job?
Matt

flow.txt


I would take a look at the FW TCP idle timeout values and compare them to the servers'. I bet the TCP sessions are going idle and the FW is clearing them out too quickly, then the FW receives additional traffic for a flow already terminated. It could also be a different idle timeout on the device that is outside the FW.

Hard one to troubleshoot without looking at the flow tables.

harbor235 ;}

Author

Commented:
Helped me find some problems with the config.
