Introduction
This document describes how to troubleshoot dropped counters in the show interface command output.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Q. I see the packets dropped counter in the show interface
command output increasing. How do I troubleshoot what causes this counter to increment?
A. The packets dropped counter in the show interface
command output from the Adaptive Security Appliance (ASA) represents all dropped packets on the interface. This counter includes all security related packet drops. It is expected that this counter always increments on a production ASA. Again, it is normal and expected for the packet dropped counter to increase on a regular basis.
ciscoasa(config)# show interface ethernet 0/0
Interface Ethernet0/0 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 001b.d454.c092, MTU 1500
IP address 10.36.109.93, subnet mask 255.255.0.0
23990802 packets input, 1619288894 bytes, 0 no buffer
Received 22034675 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
58006 L2 decode drops
912400 packets output, 58393600 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 25 interface resets
0 late collisions, 0 deferred
40 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/241)
output queue (blocks free curr/low): hardware (255/253)
Traffic Statistics for "outside":
23932752 packets input, 1184782039 bytes
912408 packets output, 25547424 bytes
1785822 packets dropped
1 minute input rate 8 pkts/sec, 429 bytes/sec
1 minute output rate 0 pkts/sec, 7 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 8 pkts/sec, 395 bytes/sec
5 minute output rate 0 pkts/sec, 7 bytes/sec
5 minute drop rate, 0 pkts/sec
ciscoasa(config)#
You can use the show asp drop
command to see more specific reasons for these packet drops. Do not confuse the packets dropped counter with the interface error counters.
The counter is only displayed for named interfaces, since it does not represent a physical error counter, but an ASA policy drop counter. If you make the TenGig interface a named interface (with nameif x
command) the drop counter shows up for that interface in the output of show interface
command but if that interface is only a member of a port-channel, it does not.
To get this counter value for each interface via SNMP, use this OID: .1.3.6.1.2.1.2.2.1.13.
Related Information