Guest

Cisco ASA 5500-X Series Next-Generation Firewalls

Packet dropped counter in the show interface command output

Document ID: 113680

Updated: Aug 31, 2012

Contributed by Brendan Quinn, Cisco TAC Engineer.

   Print

Introduction

This document provides information why the packets dropped counter in the show interface command output increases.

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Q. I see the packets dropped counter in the show interface command output increasing. How do I troubleshoot what causes this counter to increment?

A. The packets dropped counter in the show interface command output from the Adaptive Security Appliance (ASA) represents all dropped packets on the interface. This counter includes all security related packet drops. It is expected that this counter will always increment on a production ASA. Again, it is normal and expected for the packet dropped counter to increase on a regular basis.

ciscoasa(config)# show interface ethernet 0/0
Interface Ethernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
    Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
    Input flow control is unsupported, output flow control is off
    MAC address 001b.d454.c092, MTU 1500
    IP address 10.36.109.93, subnet mask 255.255.0.0
    23990802 packets input, 1619288894 bytes, 0 no buffer
    Received 22034675 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 pause input, 0 resume input
    58006 L2 decode drops
    912400 packets output, 58393600 bytes, 0 underruns
    0 pause output, 0 resume output
    0 output errors, 0 collisions, 25 interface resets
    0 late collisions, 0 deferred
    40 input reset drops, 0 output reset drops, 0 tx hangs
    input queue (blocks free curr/low): hardware (255/241)
    output queue (blocks free curr/low): hardware (255/253)
  Traffic Statistics for "outside":
    23932752 packets input, 1184782039 bytes
    912408 packets output, 25547424 bytes
    1785822 packets dropped
      1 minute input rate 8 pkts/sec,  429 bytes/sec
      1 minute output rate 0 pkts/sec,  7 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 8 pkts/sec,  395 bytes/sec
      5 minute output rate 0 pkts/sec,  7 bytes/sec
      5 minute drop rate, 0 pkts/sec
ciscoasa(config)#

You can use the show asp drop command to see more specific reasons for these packet drops. Do not confuse the packets dropped counter with the interface error counters. Any input or output errors are the result of dropped packets due to utilization.

Related Information

Updated: Aug 31, 2012
Document ID: 113680