• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 862
  • Last Modified:

Cisco ASA dropping clients

I have a Cisco ASA 5505 with the unlimited client license. Under normal circumstances all clients (about 50 total) on the LAN can access the Internet and ping the router's private interface.

We've been experiencing frequent Internet problems on the clients. The clients (Windows PCs) will lose Internet access and are no longer able to ping the router's private interface (but they can ping and connect to other Internal PCs); however it will be one or two clients at a time i.e. other clients and servers can still access the Internet. The problem occurs up to 4 or 5 times an hour for some people.

The "outage" lasts for between 30 seconds and 3 minutes usually. It's almost as if the router is choosing to block certain IPs for no apparent reason; I don't see anything in the logs, anti-spoofing is turned on, and anti-scanning protection was been turned off.

I'm not an expert with ASAs, so I'm hoping someone can point me towards the answer here.
  • 2
1 Solution
Ernie BeekExpertCommented:
I'd almost think that there isn't an unlimited license on the ASA. Perhaps asking the obvious, but did you check to see if the license really is unlimited (and not limited at 50)?

If a client is dropped, can you ping it from the ASA (and/or does it show anything in the log then)?
lion147Author Commented:
We used to have the license problem, but then we got the unlimited license. This is the output of show activation:

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 20             DMZ Unrestricted
Dual ISPs                         : Enabled        perpetual
VLAN Trunk Ports                  : 8              perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Standby perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual

I will try pinging from the router when it goes down again.
Feroz AhmedSenior Network EngineerCommented:

I can make out from above configuration Failover is configured on ASA Firewall.Can you run command as below on ASA.

ASA#sh asp drop .

It will give you brief description of where the packets are dropping is it on asa or on inside router .So,plz try the above command and check for your self.
lion147Author Commented:
I tried the ping from the router to the dropped client and the router gets no response, however the router does get a response from other clients on the same LAN.

Here's the output of sh asp drop:

Frame drop:
  Invalid encapsulation (invalid-encap)                                    10107
  No valid adjacency (no-adjacency)                                           18
  Reverse-path verify failed (rpf-violated)                                 2257
  Flow is denied by configured rule (acl-drop)                             46724
  First TCP packet not SYN (tcp-not-syn)                                   23010
  Bad TCP flags (bad-tcp-flags)                                                3
  TCP failed 3 way handshake (tcp-3whs-failed)                              2619
  TCP RST/FIN out of order (tcp-rstfin-ooo)                                 4204
  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                             2
  TCP SYNACK on established conn (tcp-synack-ooo)                              1
  TCP packet SEQ past window (tcp-seq-past-win)                               20
  TCP invalid ACK (tcp-invalid-ack)                                           24
  TCP Out-of-Order packet buffer full (tcp-buffer-full)                   250787
  TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout)               4372
  TCP RST/SYN in window (tcp-rst-syn-in-win)                                  97
  TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue)             1207959
  TCP packet failed PAWS test (tcp-paws-fail)                                 90
  Slowpath security checks failed (sp-security-failed)                    198939
  FP L2 rule drop (l2_acl)                                                  3276
  Interface is down (interface-down)                                           5
  Non-IP packet received in routed mode (non-ip-pkt-in-routed-mode)            1
  Dropped pending packets in a closed socket (np-socket-closed)              124

Last clearing: Never

Flow drop:
  Inspection failure (inspect-fail)                                            2

Last clearing: Never

Although we don't actually use the failover feature, but we do have dual WAN connections.

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now