Cisco ASA dropping clients

Posted on 2012-08-21
Last Modified: 2013-11-04
I have a Cisco ASA 5505 with the unlimited client license. Under normal circumstances all clients (about 50 total) on the LAN can access the Internet and ping the router's private interface.

We've been experiencing frequent Internet problems on the clients. The clients (Windows PCs) will lose Internet access and are no longer able to ping the router's private interface (but they can ping and connect to other Internal PCs); however it will be one or two clients at a time i.e. other clients and servers can still access the Internet. The problem occurs up to 4 or 5 times an hour for some people.

The "outage" lasts for between 30 seconds and 3 minutes usually. It's almost as if the router is choosing to block certain IPs for no apparent reason; I don't see anything in the logs, anti-spoofing is turned on, and anti-scanning protection has been turned off.

I'm not an expert with ASAs, so I'm hoping someone can point me towards the answer here.
Question by: lion147

    Accepted Solution

    I'd almost think that there isn't an unlimited license on the ASA. Perhaps asking the obvious, but did you check to see if the license really is unlimited (and not limited at 50)?

    If a client is dropped, can you ping it from the ASA (and/or does it show anything in the log then)?

    Author Comment

    We used to have the license problem, but then we got the unlimited license. This is the output of show activation:

    Licensed features for this platform:
    Maximum Physical Interfaces       : 8              perpetual
    VLANs                             : 20             DMZ Unrestricted
    Dual ISPs                         : Enabled        perpetual
    VLAN Trunk Ports                  : 8              perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Standby perpetual
    VPN-DES                           : Enabled        perpetual
    VPN-3DES-AES                      : Enabled        perpetual

    I will try pinging from the router when it goes down again.

    Expert Comment

    by: Feroz Ahmed

    I can make out from the above configuration that failover is configured on the ASA firewall. Can you run the command below on the ASA?

    ASA# sh asp drop

    It will give you a brief description of where the packets are dropping, whether on the ASA or on the inside router. So please try the above command and check for yourself.

    Author Comment

    I tried the ping from the router to the dropped client and the router gets no response, however the router does get a response from other clients on the same LAN.

    Here's the output of sh asp drop:

    Frame drop:
      Invalid encapsulation (invalid-encap)                                    10107
      No valid adjacency (no-adjacency)                                           18
      Reverse-path verify failed (rpf-violated)                                 2257
      Flow is denied by configured rule (acl-drop)                             46724
      First TCP packet not SYN (tcp-not-syn)                                   23010
      Bad TCP flags (bad-tcp-flags)                                                3
      TCP failed 3 way handshake (tcp-3whs-failed)                              2619
      TCP RST/FIN out of order (tcp-rstfin-ooo)                                 4204
      TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                             2
      TCP SYNACK on established conn (tcp-synack-ooo)                              1
      TCP packet SEQ past window (tcp-seq-past-win)                               20
      TCP invalid ACK (tcp-invalid-ack)                                           24
      TCP Out-of-Order packet buffer full (tcp-buffer-full)                   250787
      TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout)               4372
      TCP RST/SYN in window (tcp-rst-syn-in-win)                                  97
      TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue)             1207959
      TCP packet failed PAWS test (tcp-paws-fail)                                 90
      Slowpath security checks failed (sp-security-failed)                    198939
      FP L2 rule drop (l2_acl)                                                  3276
      Interface is down (interface-down)                                           5
      Non-IP packet received in routed mode (non-ip-pkt-in-routed-mode)            1
      Dropped pending packets in a closed socket (np-socket-closed)              124

    Last clearing: Never

    Flow drop:
      Inspection failure (inspect-fail)                                            2

    Last clearing: Never

    We don't actually use the failover feature, but we do have dual WAN connections.
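    The counters in that output are cumulative since the box was booted (both sections say "Last clearing: Never"), so a single dump cannot tell which drop reason, if any, fired during a 30-second outage for one host. The script below is an added example, not part of this thread, that parses two "show asp drop" snapshots and ranks the reasons by how much each counter moved between them. Snapshot A is the output above trimmed to a few lines; snapshot B is a constructed second reading, not real device output. The parser, the snapshot names and the delta function are all mine.

```python
import re
from typing import Dict, List, Tuple

# Snapshot A: the "show asp drop" output posted in the thread, trimmed to a
# few counters. Snapshot B: a constructed second snapshot a few minutes later,
# not real device output; only three counters have moved.
SNAPSHOT_A = """\
Frame drop:
  Invalid encapsulation (invalid-encap)                                    10107
  Reverse-path verify failed (rpf-violated)                                 2257
  Flow is denied by configured rule (acl-drop)                             46724
  First TCP packet not SYN (tcp-not-syn)                                   23010
  TCP Out-of-Order packet buffer full (tcp-buffer-full)                   250787
  TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue)             1207959
  Slowpath security checks failed (sp-security-failed)                    198939
  FP L2 rule drop (l2_acl)                                                  3276

Last clearing: Never

Flow drop:
  Inspection failure (inspect-fail)                                            2

Last clearing: Never
"""

SNAPSHOT_B = """\
Frame drop:
  Invalid encapsulation (invalid-encap)                                    10107
  No valid adjacency (no-adjacency)                                            3
  Reverse-path verify failed (rpf-violated)                                 2297
  Flow is denied by configured rule (acl-drop)                             46724
  First TCP packet not SYN (tcp-not-syn)                                   23022
  TCP Out-of-Order packet buffer full (tcp-buffer-full)                   250787
  TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue)             1207959
  Slowpath security checks failed (sp-security-failed)                    198939
  FP L2 rule drop (l2_acl)                                                  3276

Last clearing: Never

Flow drop:
  Inspection failure (inspect-fail)                                            2

Last clearing: Never
"""

# One counter line: indented description, "(reason-name)", then the count.
COUNTER_RE = re.compile(r"^\s+(?P<desc>.+?)\s+\((?P<name>[\w-]+)\)\s+(?P<count>\d+)\s*$")

Counters = Dict[str, Dict[str, int]]  # section -> reason name -> count


def parse_asp_drop(text: str) -> Counters:
    """Parse 'show asp drop' output into {section: {reason: count}}."""
    counters: Counters = {}
    section = None
    for line in text.splitlines():
        if not line.strip():
            continue
        # Section headers ("Frame drop:", "Flow drop:") are unindented and end in ':'.
        if not line[0].isspace() and line.endswith(":"):
            section = line[:-1]
            counters.setdefault(section, {})
            continue
        m = COUNTER_RE.match(line)
        if m and section is not None:
            counters[section][m.group("name")] = int(m.group("count"))
        # "Last clearing: Never" and anything else unrecognised is skipped.
    return counters


def drop_delta(before: Counters, after: Counters) -> List[Tuple[Tuple[str, str], int]]:
    """Return ((section, reason), increase) pairs between two snapshots, largest first.

    Counters that did not move are omitted. A reason that is new in 'after', or
    whose counter went down (someone ran 'clear asp drop' in between), is
    reported as its full 'after' value.
    """
    deltas = []
    for section, reasons in after.items():
        for name, count in reasons.items():
            prev = before.get(section, {}).get(name, 0)
            inc = count - prev if count >= prev else count
            if inc > 0:
                deltas.append(((section, name), inc))
    deltas.sort(key=lambda item: (-item[1], item[0]))
    return deltas


if __name__ == "__main__":
    for (section, name), inc in drop_delta(parse_asp_drop(SNAPSHOT_A), parse_asp_drop(SNAPSHOT_B)):
        print(f"{section:10s} {name:20s} +{inc}")
```

    Run "clear asp drop" on the ASA before a known-bad window, take the second snapshot while a client is out, and only the reasons that moved matter; in the constructed data that is rpf-violated (the anti-spoofing check the question mentions) and tcp-not-syn. If a client loses pings to the inside interface while no counter moves at all, the drop is happening before the ASA's packet path and the ARP table and switch side are the next place to look.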
