Table 25-1 Frame Drop Reasons
Columns: Frame Drop Reason Keyword, Frame Drop Reason Display, Description

Keyword: acl-drop
Display: Flow is denied by access rule
Description: This counter is incremented when a packet is denied by the security appliance. The deny rule could be a default rule created when the security appliance comes up, when various features are turned on or off, when an access list is applied to an interface, or any other feature. Apart from default rule drops, a flow could be denied because of:
• An access list configured on an interface
• An access list configured for AAA, and AAA denied the user
• Through traffic arriving at a management-only interface
• Unencrypted traffic arriving on an IPSec-enabled interface
Recommendation: Check the access lists referenced by the following system log messages: 106023, 106100, and 106004.

Keyword: bad-crypto
Display: Bad crypto return in packet
Description: This counter will increment when the security appliance attempts to perform a crypto operation on a packet and the crypto operation fails. This is not a normal condition and could indicate possible software or hardware problems with the security appliance.
Recommendation: If you are receiving many bad crypto indications, your security appliance may need servicing. You should enable system log message 402123 to determine whether the crypto errors are hardware or software errors. You can also check the error counter in the global IPSec statistics with the show ipsec stats command. If the IPSec SA that is triggering these errors is known, the SA statistics from the show ipsec sa detail command will also be useful in diagnosing the problem.

Keyword: bad-ipsec-natt
Display: Bad IPSEC NATT packet
Description: This counter will increment when the security appliance receives a packet on an IPSec connection that has negotiated NAT-T, but the packet is not addressed to the NAT-T UDP destination port of 4500 or has an invalid payload length.
Recommendation: Analyze your network traffic to determine the source of the NAT-T traffic.
System log messages: None.

Keyword: bad-ipsec-prot
Display: IPSEC not AH or ESP
Description: This counter will increment when the security appliance receives a packet on an IPSec connection that is not an AH or ESP protocol packet. This is not a normal condition.
Recommendation: If you are receiving many IPSec not AH or ESP indications on your security appliance, analyze your network traffic to determine the source of the traffic.
System log messages: 402115

Keyword: bad-ipsec-udp
Display: Bad IPSEC UDP packet
Description: This counter will increment when the security appliance receives a packet on an IPSec connection that has negotiated IPSec over UDP, but the packet has an invalid payload length.
Recommendation: Analyze your network traffic to determine the source of the NAT-T traffic.
System log messages: None.

Keyword: bad-tcp-cksum
Display: Bad TCP checksum
Description: This counter is incremented and the packet is dropped when the security appliance receives a TCP packet whose computed TCP checksum does not match the recorded checksum in the TCP header.
Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a TCP endpoint is sending corrupted packets and an attack is in progress. Use the packet capture feature to learn more about the origin of the packet. To allow packets with an incorrect TCP checksum, disable the checksum-verification feature.
System log messages: None.

Keyword: bad-tcp-flags
Display: Bad TCP flags
Description: This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with invalid TCP flags in the TCP header. For example, a packet with both the SYN and FIN TCP flags set will be dropped.
Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a TCP endpoint is sending corrupted packets and an attack is in progress. Use the packet capture feature to learn more about the origin of the packet.
System log messages: None.

Keyword: conn-limit
Display: Connection limit reached
Description: This reason is given for dropping a packet when the connection limit or host connection limit has been exceeded. If the packet is a TCP packet dropped during the TCP connection establishment phase because of the connection limit, the drop reason "TCP connection limit reached" is also reported.
Recommendation: If this counter is incrementing rapidly, check the system log messages to determine which host's connection limit is being reached. The connection limit may need to be increased if the traffic is normal, or the host may be under attack.
System log messages: 201011

Keyword: ctm-error
Display: CTM returned error
Description: This counter will increment when the security appliance attempts to perform a crypto operation on a packet and the crypto operation fails. This is not a normal condition and could indicate possible software or hardware problems with the security appliance.
Recommendation: If you are receiving many bad crypto indications, your security appliance may need servicing. You should enable system log message 402123 to determine whether the crypto errors are hardware or software errors. You can also check the error counter in the global IPSec statistics with the show ipsec stats command. If the IPSec SA that is triggering these errors is known, the SA statistics from the show ipsec sa detail command will also be useful in diagnosing the problem.
System log messages: 402123

Keyword: dns-guard-id-not-matched
Display: DNS Guard id not matched
Description: This counter will increment when the identification of a DNS response message does not match any DNS query that passed across the appliance earlier on the same connection. This counter is incremented by the DNS Guard function.
Recommendation: No action required if it is an intermittent event. If the cause is an attack, you can deny the host using the access lists.
System log messages: None.

Keyword: dns-guard-out-of-app-id
Display: DNS Guard out of app id
Description: This counter will increment when the DNS Guard function fails to allocate a data structure to store the identification of the DNS message.
Recommendation: Check the system memory usage. This event normally happens when the system runs short of memory.
System log messages: None.

Keyword: dst-l2_lookup-fail
Display: Dst MAC L2 Lookup Failed
Description: This counter will increment when the security appliance is configured for transparent mode and a Layer 2 destination MAC address lookup fails. Upon the lookup failure, the security appliance begins the destination MAC discovery process and attempts to find the location of the host via ARP and/or ICMP messages.
Recommendation: This is a normal condition when the security appliance is configured for transparent mode. You can also execute the show mac-address-table command to list the L2 MAC address locations currently discovered by the security appliance.
System log messages: None.

Keyword: flow-expired
Display: Expired flow
Description: This counter is incremented when the security appliance tries to inject a new or cached packet belonging to a flow that has already expired. It is also incremented when the security appliance attempts to send an RST on a TCP flow that has already expired, or when a packet returns from the AIP SSM but the flow has already expired. The packet is dropped.
Recommendation: If valid applications are getting preempted, investigate whether a longer timeout is needed.
System log messages: None.

Keyword: fo-standby
Display: Dropped by standby unit
Description: If a through-the-box packet arrives at a security appliance or context in the standby state and a flow is created, the packet is dropped and the flow removed. This counter will increment each time a packet is dropped in this manner.
Recommendation: This counter should never increment on the active security appliance or context. However, it is normal to see it increment on the standby security appliance or context.
System log messages: 302014, 302016, 302018

Keyword: fragment-reassembly-failed
Display: Fragment reassembly failed
Description: This counter is incremented when the security appliance fails to reassemble a chain of fragmented packets into a single packet. All the fragment packets in the chain are dropped. This is probably because of a failure while allocating memory for the reassembled packet.
Recommendation: Use the show blocks command to monitor the current block memory.
System log messages: None.

Keyword: host-move-pkt
Display: FP host move packet
Description: This counter will increment when the security appliance or context is configured for transparent mode and a known Layer 2 MAC address is detected as the source of a frame on an interface other than the one it was learned on.
Recommendation: This indicates that a host has been moved from one interface (that is, LAN segment) to another. This condition is normal in transparent mode if the host has in fact been moved. However, if the host move toggles back and forth between interfaces, a network loop may be present.
System log messages: 412001, 412002, 322001

Keyword: ifc-classify
Display: Virtual firewall classification failed
Description: A packet arrived on a shared interface but failed to classify to any specific context interface.
Recommendation: Use the global or static command to specify the IPv4 addresses that belong to each context interface.
System log messages: None.

Keyword: inspect-dns-id-not-matched
Display: DNS Inspect id not matched
Description: This counter will increment when the identification of a DNS response message does not match any DNS query that passed across the security appliance earlier on the same connection.
Recommendation: No action required if it is an intermittent event. If the cause is an attack, you can deny the host using the access lists.
System log messages: None.

Keyword: inspect-dns-invalid-domain-label
Display: DNS Inspect invalid domain label
Description: This counter will increment when the security appliance detects an invalid DNS domain name or label. DNS domain names and labels are checked per RFC 1035.
Recommendation: None.
System log messages: None.

Keyword: inspect-dns-invalid-pak
Display: DNS Inspect invalid packet
Description: This counter will increment when the security appliance detects an invalid DNS packet, for example, a DNS packet with no DNS header, or a packet in which the number of DNS resource records does not match the counts in the header.
Recommendation: None.
System log messages: None.

Keyword: inspect-dns-out-of-app-id
Display: DNS Inspect out of app id
Description: This counter will increment when the DNS inspection engine fails to allocate a data structure to store the identification of the DNS message.
Recommendation: Check the system memory usage. This event normally happens when the system runs short of memory.
System log messages: None.

Keyword: inspect-dns-pak-too-long
Display: DNS Inspect packet too long
Description: This counter is incremented when the length of the DNS message exceeds the configured maximum allowed value.
Recommendation: No action required. If DNS message length checking is not desired, enable DNS inspection without the inspect dns maximum-length option.
System log messages: 410001

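The identification matching that the dns-guard-* and inspect-dns-* rows describe, plus the incomplete-header case that the invalid-app-length row attributes to DNS Guard, as an added illustration (not Cisco code): one object tracks the query IDs seen on a UDP connection and returns the table's drop-reason keyword, or None when the packet is forwarded. The outstanding-ID limit standing in for the appliance's memory limit and the 512-byte maximum standing in for a configured inspect dns maximum-length are both assumed values.

```python
"""Model of the DNS Guard / DNS inspection ID checks from Table 25-1.

Illustration only, not Cisco code. max_outstanding and max_length are
assumed values; the table only says that allocation can fail and that
the maximum length is configured.
"""
import struct

DNS_HEADER_LEN = 12
QR_BIT = 0x8000   # flags bit that marks a response


class DnsConnection:
    """Per-UDP-connection state: which query IDs still await a response."""

    def __init__(self, max_outstanding=64, max_length=512):
        self.max_outstanding = max_outstanding   # assumed app-id table size
        self.max_length = max_length             # assumed maximum-length setting
        self.outstanding = set()

    def inspect(self, udp_payload: bytes):
        """Return a drop-reason keyword from the table, or None to forward."""
        if len(udp_payload) > self.max_length:
            return "inspect-dns-pak-too-long"
        if len(udp_payload) < DNS_HEADER_LEN:
            return "invalid-app-length"           # incomplete DNS header
        dns_id, flags = struct.unpack("!HH", udp_payload[:4])
        if not (flags & QR_BIT):                  # a query
            if dns_id in self.outstanding:
                return None                       # retransmission, already tracked
            if len(self.outstanding) >= self.max_outstanding:
                return "dns-guard-out-of-app-id"  # no room to record the ID
            self.outstanding.add(dns_id)
            return None
        if dns_id not in self.outstanding:        # response with no matching query
            return "dns-guard-id-not-matched"
        self.outstanding.discard(dns_id)          # first matching response closes the ID
        return None


def make_dns_query(dns_id, name=b"\x03www\x07example\x03com\x00"):
    """Constructed A query: header with QDCOUNT=1, then the question."""
    header = struct.pack("!HHHHHH", dns_id, 0x0100, 1, 0, 0, 0)
    return header + name + struct.pack("!HH", 1, 1)


def make_dns_response(dns_id, name=b"\x03www\x07example\x03com\x00"):
    """Constructed response: QR set, ANCOUNT=1, question, one A record."""
    header = struct.pack("!HHHHHH", dns_id, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    return header + name + struct.pack("!HH", 1, 1) + answer
```
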
Keyword: inspect-icmp-error-different-embedded-conn
Display: ICMP Error Inspect different embedded conn
Description: This counter will increment when the frame embedded in an ICMP error message does not match the established connection that was identified when the ICMP connection was created.
Recommendation: No action required if it is an intermittent event. If the cause is an attack, you can deny the host using the access lists.
System log messages: 313005

Keyword: inspect-icmp-error-no-existing-conn
Display: ICMP Error Inspect no existing conn
Description: This counter will increment when the security appliance is not able to find any established connection related to the frame embedded in an ICMP error message.
Recommendation: No action required if it is an intermittent event. If the cause is an attack, you can deny the host using the access lists.
System log messages: 313005

Keyword: inspect-icmp-out-of-app-id
Display: ICMP Inspect out of app id
Description: This counter will increment when the ICMP inspection engine fails to allocate an App ID data structure. The structure is used to store the sequence number of the ICMP packet.
Recommendation: Check the system memory usage. This event normally happens when the system runs short of memory.
System log messages: None.

Keyword: inspect-icmp-seq-num-not-matched
Display: ICMP Inspect seq num not matched
Description: This counter will increment when the sequence number in an ICMP echo reply message does not match any ICMP echo message that passed across the security appliance earlier on the same connection.
Recommendation: No action required if it is an intermittent event. If the cause is an attack, you can deny the host using the access lists.
System log messages: 313004

Keyword: inspect-icmpv6-error-invalid-pak
Display: ICMPv6 Error Inspect invalid packet
Description: This counter will increment when the security appliance detects an invalid frame embedded in an ICMPv6 packet. This check is the same as the one applied to IPv6 packets, for example, an incomplete IPv6 header or a malformed IPv6 Next Header.
Recommendation: None.
System log messages: None.

Keyword: inspect-icmpv6-error-no-existing-conn
Display: ICMPv6 Error Inspect no existing conn
Description: This counter will increment when the security appliance is not able to find any established connection related to the frame embedded in an ICMPv6 error message.
Recommendation: No action required if it is an intermittent event. If the cause is an attack, you can deny the host using the access lists.
System log messages: 313005

Keyword: inspect-rtcp-invalid-length
Display: Invalid RTCP Packet length
Description: This counter will increment when the UDP packet length is less than the size of the RTCP header.
Recommendation: No action required. A capture can be used to determine which RTP source is sending the incorrect packets, and you can deny the host using the access lists.
System log messages: None.

Keyword: inspect-rtcp-invalid-payload-type
Display: Invalid RTCP Payload type field
Description: This counter will increment when the RTCP payload type field does not contain a value from 200 to 204.
Recommendation: The RTP source should be validated to see why it is sending payload types outside the range recommended by RFC 1889.
System log messages: 431002

Keyword: inspect-rtcp-invalid-version
Display: Invalid RTCP Version field
Description: This counter will increment when the RTCP version field contains a version other than 2.
Recommendation: The RTP source in your network does not seem to be sending RTCP packets that conform to RFC 1889. The reason for this has to be identified, and you can deny the host using access lists if required.
System log messages: 431002

Keyword: inspect-rtp-invalid-length
Display: Invalid RTP Packet length
Description: This counter will increment when the UDP packet length is less than the size of the RTP header.
Recommendation: No action required. A capture can be used to determine which RTP source is sending the incorrect packets, and you can deny the host using the access lists.
System log messages: None.

Keyword: inspect-rtp-invalid-payload-type
Display: Invalid RTP Payload type field
Description: This counter will increment when the RTP payload type field does not contain an audio payload type although the signalling channel negotiated an audio media type for this RTP secondary connection. The counter increments similarly for the video payload type.
Recommendation: The RTP source in your network is using the audio RTP secondary connection to send video, or vice versa. If you wish to prevent this, you can deny the host using access lists.
System log messages: 431001

Keyword: inspect-rtp-invalid-version
Display: Invalid RTP Version field
Description: This counter will increment when the RTP version field contains a version other than 2.
Recommendation: The RTP source in your network does not seem to be sending RTP packets that conform to RFC 1889. The reason for this has to be identified, and you can deny the host using access lists if required.
System log messages: 431001

Keyword: inspect-rtp-max-outofseq-paks-probation
Display: RTP out of sequence packets in probation period
Description: This counter will increment when the number of out-of-sequence packets received while the RTP source is being validated exceeds 20. During the probation period, the inspection engine looks for 5 in-sequence packets before it considers the source validated.
Recommendation: Check the RTP source to see why the first few packets do not arrive in sequence, and correct it.
System log messages: 431001

Keyword: inspect-rtp-sequence-num-outofrange
Display: RTP Sequence number out of range
Description: This counter will increment when the RTP sequence number in the packet is not in the range expected by the inspection engine.
Recommendation: No action is required, because the inspection engine tries to recover and start tracking from a new sequence number after a lapse in the sequence numbers from the RTP source.
System log messages: 431001

Keyword: inspect-rtp-ssrc-mismatch
Display: Invalid RTP Synchronization Source field
Description: This counter will increment when the RTP SSRC field in the packet does not match the SSRC that the inspection engine has been seeing from this RTP source in all previous RTP packets.
Recommendation: This could be because the RTP source in your network is rebooting and hence changing its SSRC, or because another host on your network is trying to use the opened secondary RTP connections on the firewall to send RTP packets. This should be investigated further to confirm whether there is a problem.
System log messages: 431001

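The RTCP and RTP checks in the inspect-rtcp-* and inspect-rtp-* rows above, as an added illustration (not Cisco code): each check returns the table's drop-reason keyword, or None when the packet is forwarded, and the RTP tracker carries the 20-packet probation limit, the 5 in-sequence packets needed for validation, and the SSRC pinning from the table. Assumptions the table does not state: a 12-byte RTP fixed header and an 8-byte RTCP common header as the minimum sizes, static payload types 0 to 23 treated as audio and 24 to 34 as video (RFC 1889), and a 1024-packet window as the "expected range" once a source is validated.

```python
"""Model of the RTP/RTCP inspection checks from Table 25-1.

Illustration only, not Cisco code. Header sizes, the audio/video split of
static payload types and SEQ_WINDOW are assumptions; the probation values
(20 out-of-sequence, 5 in-sequence) are from the table.
"""
import struct

RTP_MIN_HDR = 12                 # assumed: RFC 1889 fixed RTP header
RTCP_MIN_HDR = 8                 # assumed: RTCP common header plus sender SSRC
RTCP_PT_RANGE = range(200, 205)  # 200..204, from the table
MAX_OUT_OF_SEQ_PROBATION = 20    # from the table
IN_SEQ_TO_VALIDATE = 5           # from the table
SEQ_WINDOW = 1024                # assumed "expected range" once validated


def inspect_rtcp(udp_payload: bytes):
    """Apply the three RTCP checks; return a drop keyword or None."""
    if len(udp_payload) < RTCP_MIN_HDR:
        return "inspect-rtcp-invalid-length"
    if udp_payload[0] >> 6 != 2:                 # V field is the top two bits
        return "inspect-rtcp-invalid-version"
    if udp_payload[1] not in RTCP_PT_RANGE:      # PT occupies the whole second byte
        return "inspect-rtcp-invalid-payload-type"
    return None


class RtpSource:
    """State the inspection engine keeps for one RTP secondary connection."""

    def __init__(self, expected_media):
        self.expected_media = expected_media     # "audio" or "video", from signalling
        self.ssrc = None
        self.last_seq = None
        self.in_seq = 0
        self.out_of_seq = 0
        self.validated = False

    def inspect(self, udp_payload: bytes):
        """Return a drop-reason keyword from the table, or None to forward."""
        if len(udp_payload) < RTP_MIN_HDR:
            return "inspect-rtp-invalid-length"
        if udp_payload[0] >> 6 != 2:
            return "inspect-rtp-invalid-version"
        pt = udp_payload[1] & 0x7F               # strip the marker bit
        seq, ssrc = struct.unpack("!H4xI", udp_payload[2:12])  # skip the timestamp
        if pt < 96:  # static types only; dynamic types 96-127 are not classified here
            media = "audio" if pt <= 23 else "video"
            if media != self.expected_media:
                return "inspect-rtp-invalid-payload-type"
        if self.ssrc is None:
            self.ssrc = ssrc                     # pin the SSRC to the first packet seen
        elif ssrc != self.ssrc:
            return "inspect-rtp-ssrc-mismatch"
        if self.last_seq is None:
            self.last_seq, self.in_seq = seq, 1
            return None
        expected = (self.last_seq + 1) & 0xFFFF
        if seq == expected:
            self.last_seq = seq
            self.in_seq += 1
            if self.in_seq >= IN_SEQ_TO_VALIDATE:
                self.validated = True
            return None
        if not self.validated:
            # Probation: count the gap and restart the in-sequence run here.
            self.out_of_seq += 1
            self.last_seq, self.in_seq = seq, 1
            if self.out_of_seq > MAX_OUT_OF_SEQ_PROBATION:
                return "inspect-rtp-max-outofseq-paks-probation"
            return None
        ahead = (seq - expected) & 0xFFFF
        behind = (expected - seq) & 0xFFFF
        if ahead < SEQ_WINDOW:                   # small loss: resync to the new number
            self.last_seq = seq
            return None
        if behind < SEQ_WINDOW:                  # late or reordered: forward, keep state
            return None
        # Large lapse: drop this packet and restart tracking from the new number.
        self.last_seq = seq
        return "inspect-rtp-sequence-num-outofrange"


def make_rtp(pt, seq, ssrc, version=2, payload=b"\x00" * 8):
    """Constructed RTP packet: V/P/X/CC byte, M/PT byte, seq, timestamp, SSRC."""
    return bytes([version << 6, pt]) + struct.pack("!HII", seq, 0, ssrc) + payload


def make_rtcp(pt, version=2):
    """Constructed minimal RTCP packet: first header word plus sender SSRC."""
    return bytes([version << 6, pt]) + struct.pack("!HI", 1, 0x11223344)
```
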
Keyword: intercept-unexpected
Display: Intercept unexpected packet
Description: The security appliance either received data from a client while waiting for a SYN-ACK from a server, or it received a packet that cannot be handled in a particular state of TCP intercept.
Recommendation: If this drop is causing the connection to fail, take a sniffer trace of the client and server sides of the connection when reporting the issue. The security appliance could be under attack, and the sniffer traces or capture would help narrow down the culprit.
System log messages: None.

Keyword: interface-down
Display: Interface is down
Description: This counter will increment for each packet received on an interface that is shut down using the shutdown command. For ingress traffic, the packet is dropped after security context classification if the interface associated with the context is shut down. For egress traffic, the packet is dropped when the egress interface is shut down.
Recommendation: None.
System log messages: None.

Keyword: invalid-app-length
Display: Invalid app length
Description: This counter will increment when the security appliance detects an invalid length of the Layer 7 payload in the packet. Currently, it counts drops by the DNS Guard function only, for example, an incomplete DNS header.
Recommendation: None.
System log messages: None.

Keyword: invalid-encap
Display: Invalid encapsulation
Description: This counter is incremented when the security appliance receives a frame belonging to an unsupported link-level protocol, or when the L3 type specified in the frame is not supported by the security appliance. The packet is dropped.
Recommendation: Verify that directly connected hosts have proper link-level protocol settings.
System log messages: None.

Keyword: invalid-ethertype
Display: Invalid ethertype
Description: This counter is incremented when the fragmentation module on the security appliance receives or tries to send a fragmented packet that does not belong to IP version 4 or version 6. The packet is dropped.
Recommendation: Verify the MTU of the security appliance and other devices on the connected network to determine why the security appliance is processing such fragments.
System log messages: None.

Keyword: invalid-ip-header
Display: Invalid IP header
Description: This counter is incremented and the packet is dropped when the security appliance receives an IP packet whose computed IP header checksum does not match the recorded checksum in the header.
Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a peer is sending corrupted packets and an attack is in progress. Use the packet capture feature to learn more about the origin of the packet.
System log messages: None.

Keyword: invalid-ip-length
Display: Invalid IP length
Description: This counter is incremented when the security appliance receives an IPv4 or IPv6 packet in which the header length or total length fields in the IP header are not valid or do not conform to the received packet length.
Recommendation: None.
System log messages: None.

Keyword: invalid-ip-option
Display: IP option configured drop
Description: This counter is incremented when the security appliance receives a unicast packet with IP options, or a multicast packet with IP options that have not been configured to be accepted. The packet is dropped.
Recommendation: Investigate why a packet with IP options is being sent by the sender.
System log messages: None.

Keyword: invalid-tcp-hdr-length
Display: Invalid tcp length
Description: This counter is incremented when the security appliance receives a TCP packet whose size is smaller than the minimum allowed header length or does not conform to the received packet length.
Recommendation: The invalid packet could be a bogus packet being sent by an attacker. Investigate the traffic from the source reported in the system log message.
System log messages: 500003

Keyword: invalid-udp-length
Display: Invalid udp length
Description: This counter is incremented when the security appliance receives a UDP packet whose size as calculated from the fields in the header differs from the measured size of the packet as received from the network.
Recommendation: The invalid packet could be a bogus packet being sent by an attacker.
System log messages: None.

Keyword: ipsec-clearpkt-notun
Display: IPSEC Clear Pkt w/no tunnel
Description: This counter will increment when the security appliance receives a packet that should have been encrypted but was not. The packet matched the inner header security policy check of a configured and established IPSec connection on the security appliance but was received unencrypted. This is a security issue.
Recommendation: Analyze your network traffic to determine the source of the spoofed IPSec traffic.
System log messages: 402117

Keyword: ipsec-ipv6
Display: IPSEC via IPV6
Description: This counter will increment when the security appliance receives an IPSec ESP packet, IPSec NAT-T ESP packet, or IPSec over UDP ESP packet encapsulated in an IPv6 header. The security appliance does not currently support any IPSec sessions encapsulated in IPv6.
Recommendation: None.
System log messages: None.

Keyword: ipsec-need-sa
Display: IPSEC SA Not negotiated yet
Description: This counter will increment when the security appliance receives a packet that requires encryption but has no established IPSec security association. This is generally a normal condition for LAN-to-LAN IPSec configurations. This indication causes the security appliance to begin ISAKMP negotiations with the destination peer.
Recommendation: If you have configured IPSec LAN-to-LAN on your security appliance, this indication is normal and does not indicate a problem. However, if this counter increments rapidly, it may indicate a crypto configuration error or a network error preventing the ISAKMP negotiation from completing. Verify that you can communicate with the destination peer, and verify your crypto configuration using the show running-config command.
System log messages: None.

Keyword: ipsec-spoof
Display: IPSEC Spoof detected
Description: This counter will increment when the security appliance receives a packet that should have been encrypted but was not. The packet matched the inner header security policy check of a configured and established IPSec connection on the security appliance but was received unencrypted. This is a security issue.
Recommendation: Analyze your network traffic to determine the source of the spoofed IPSec traffic.
System log messages: 402117

Keyword: ipsec-tun-down
Display: IPSEC tunnel is down
Description: This counter will increment when the security appliance receives a packet associated with an IPSec connection that is in the process of being deleted.
Recommendation: This is a normal condition when the IPSec tunnel is torn down for any reason.
System log messages: None.

Keyword: ipsecudp-keepalive
Display: IPSEC/UDP keepalive message
Description: This counter will increment when the security appliance receives an IPSec over UDP keepalive message. IPSec over UDP keepalive messages are sent from the IPSec peer to the security appliance to keep NAT/PAT flow information current in the network devices between the IPSec over UDP peer and the security appliance.
Note: These are not the industry-standard NAT-T keepalive messages, which are also carried over UDP but are addressed to UDP port 4500.
Recommendation: If you have configured IPSec over UDP on your security appliance, this indication is normal and does not indicate a problem. If IPSec over UDP is not configured on your security appliance, analyze your network traffic to determine the source of the IPSec over UDP traffic.
System log messages: None.

Keyword: ips-fail-close
Display: IPS card is down
Description: This counter is incremented and the packet is dropped when the AIP SSM is down and the fail-close option was used in IPS inspection.
Recommendation: Check and bring up the AIP SSM.
System log messages: 420001

Keyword: ips-request
Display: IPS Module requested drop
Description: This counter is incremented and the packet is dropped as requested by the AIP SSM when the packet matches a signature on the IPS engine.
Recommendation: Check the system log messages and alerts on the AIP SSM.
System log messages: 420002

Keyword: ipv6_sp-security-failed
Display: IPv6 slowpath security checks failed
Description: This counter is incremented and the packet is dropped for one of the following reasons:
• An IPv6 through-the-box packet has identical source and destination addresses.
• An IPv6 through-the-box packet has a link-local source or destination address.
• An IPv6 through-the-box packet has a multicast destination address.
Recommendation: These packets could indicate malicious activity, or could be the result of a misconfigured IPv6 host. Use the packet capture feature to capture the dropped packets (capture type asp-drop), and use the source MAC address to identify the source.
System log messages: For identical source and destination addresses, system log message 106016.

Keyword: l2_acl
Display: FP L2 rule drop
Description: This counter increments when the security appliance denies a packet because of an EtherType access list. The transparent mode security appliance permits the following traffic by default:
• IPv4 traffic is allowed through the transparent firewall automatically from a higher security interface to a lower security interface, without an access list.
Note: For Layer 3 traffic travelling from a low to a high security interface, an extended access list is required on the low security interface.
• ARPs are allowed through the transparent firewall in both directions without an access list. ARP traffic can be controlled by ARP inspection.
In routed mode, some types of traffic cannot pass through the security appliance even if you allow them in an access list. The transparent firewall, however, can allow almost any traffic through using either an extended access list (for IP traffic) or an EtherType access list (for non-IP traffic).
Note: The transparent mode security appliance does not pass CDP packets or IPv6 packets, or any packets that do not have a valid EtherType greater than or equal to 0x600. For example, you cannot pass IS-IS packets. An exception is made for BPDUs, which are supported.
Packets permitted by EtherType access lists might still be dropped by an extended access list.
The EtherType access list only supports EtherTypes, not Layer 2 destination MAC addresses.
The following destination MAC addresses are allowed through the transparent firewall. Any MAC address not on this list is dropped.
• TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF
• IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF
• BPDU multicast address equal to 0100.0CCC.CCCD
• AppleTalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF
Recommendation: If your non-IP packets are dropped by the security appliance, you can configure an EtherType access list to permit the Layer 2 traffic.
System log messages: 106026, 106027

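The transparent-mode Layer 2 admission rules from the l2_acl row above, as an added illustration (not Cisco code): a frame needs a valid EtherType of 0x600 or more (BPDUs excepted), IPv6 is not passed, group destination MACs must fall in one of the listed ranges, IPv4 and ARP pass without an EtherType access list, and any other EtherType needs one. Two assumptions go beyond the row: unicast destinations are handed to the normal MAC lookup rather than checked against the list, and a BPDU is recognised by its destination MAC alone.

```python
"""Model of the transparent-mode L2 checks behind the l2_acl drop reason.

Illustration only, not Cisco code. Unicast handling and BPDU recognition
by destination MAC are simplifying assumptions. Forwarded IP traffic would
still be subject to the extended access list, which is not modelled.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD


def mac_to_int(mac: str) -> int:
    """Accept Cisco dotted (0100.5e00.0000), colon or dash notation."""
    return int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)


BPDU_MAC = mac_to_int("0100.0CCC.CCCD")

# Group (broadcast/multicast) destination MACs the table says are passed.
ALLOWED_GROUP_DST = [
    ("broadcast", mac_to_int("FFFF.FFFF.FFFF"), mac_to_int("FFFF.FFFF.FFFF")),
    ("ipv4-multicast", mac_to_int("0100.5E00.0000"), mac_to_int("0100.5EFE.FFFF")),
    ("bpdu", BPDU_MAC, BPDU_MAC),
    ("appletalk-multicast", mac_to_int("0900.0700.0000"), mac_to_int("0900.07FF.FFFF")),
]


def allowed_group_name(dst: int):
    """Name of the allowed range containing dst, or None if it is not listed."""
    for name, low, high in ALLOWED_GROUP_DST:
        if low <= dst <= high:
            return name
    return None


def classify_frame(frame: bytes, ethertype_acl=frozenset()):
    """Return ("forward", why) or ("drop", reason) for one Ethernet frame.

    ethertype_acl holds the EtherType values permitted by a configured
    EtherType access list; IPv4 and ARP need no entry.
    """
    if len(frame) < 14:
        return ("drop", "invalid-encap")          # too short for an Ethernet header
    dst = int.from_bytes(frame[0:6], "big")
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    is_group = bool((dst >> 40) & 0x01)           # I/G bit of the first octet
    if is_group and allowed_group_name(dst) is None:
        return ("drop", "l2_acl: destination MAC not on the allowed list")
    if type_or_len < 0x600:
        # An 802.3 length field, so no EtherType: CDP and IS-IS land here.
        if dst == BPDU_MAC:
            return ("forward", "bpdu")
        return ("drop", "l2_acl: no valid EtherType >= 0x600")
    if type_or_len == ETHERTYPE_IPV6:
        return ("drop", "l2_acl: IPv6 is not passed in transparent mode")
    if type_or_len == ETHERTYPE_IPV4:
        return ("forward", "ipv4 (extended access list applies)")
    if type_or_len == ETHERTYPE_ARP:
        return ("forward", "arp (ARP inspection may apply)")
    if type_or_len in ethertype_acl:
        return ("forward", "ethertype 0x%04x permitted" % type_or_len)
    return ("drop", "l2_acl: EtherType 0x%04x not permitted" % type_or_len)


def build_frame(dst_mac: str, src_mac: str, type_or_len: int, payload=bytes(46)):
    """Constructed Ethernet frame for exercising the classifier."""
    return (mac_to_int(dst_mac).to_bytes(6, "big")
            + mac_to_int(src_mac).to_bytes(6, "big")
            + struct.pack("!H", type_or_len) + payload)
```
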
l2_same-lan-port
|
L2 Src/Dst same LAN port
|
This counter will increment when the security appliance or context is configured for transparent mode, and the security appliance determines that the destination interface's L2 MAC address is the same as its ingress interface.
Recommendation: This is a normal condition when the security appliance or context is configured for transparent mode. Since the security appliance interface is operating in promiscuous mode, the security appliance or context receives all packets on the local LAN segment.
System log messages: None.
|
loopback-buffer-full
|
Loopback buffer full
|
This counter is incremented and the packet is dropped when packets are sent from one context of the security appliance to another context through a shared interface, and there is no buffer space in the loopback queue.
Recommendation: Check the system CPU to make sure it is not overloaded.
System log messages: None.
|
lu-invalid-pkt
|
Invalid LU packet
|
The standby unit received a corrupted Logical Update packet.
Recommendation: The packet corruption could be caused by a bad cable, interface card, line noise, or software defect. If the interface appears to be functioning properly, then report the problem to Cisco TAC.
System log messages: None.
|
mp-pf-queue-full
|
Port Forwarding Queue Is Full
|
This counter is incremented when the Port Forwarding application's internal queue is full and it receives another packet for transmission.
Recommendation: This indicates that a software error should be reported to the Cisco TAC.
System log messages: None.
|
mp-svc-addr-renew-response
|
SVC Module received address renew response data frame
|
This counter will increment when the security appliance receives an Address Renew Response message from an SVC. The SVC should not be sending this message.
Recommendation: This indicates that an SVC software error should be reported to the Cisco TAC.
System log messages: None.
|
mp-svc-bad-framing
|
SVC Module received badly framed data
|
This counter will increment when the security appliance receives a packet from an SVC or the control software that it is unable to decode.
Recommendation: This indicates that a software error should be reported to the Cisco TAC. The SVC or security appliance could be at fault.
System log messages: 722037 (Only for SVC received data).
|
mp-svc-bad-length
|
SVC Module received bad data length
|
This counter will increment when the security appliance receives a packet from an SVC or the control software where the calculated and specified lengths do not match.
Recommendation: This indicates that a software error should be reported to the Cisco TAC. The SVC or security appliance could be at fault.
System log messages: 722037 (Only for SVC received data).
|
mp-svc-compress-error
|
SVC Module compression error
|
This counter will increment when the security appliance encounters an error during compression of data to an SVC.
Recommendation: This indicates that a software error should be reported to the Cisco TAC. The SVC or security appliance could be at fault.
System log messages: 722037
|
mp-svc-decompres-error
|
SVC Module decompression error
|
This counter will increment when the security appliance encounters an error during decompression of data from an SVC.
Recommendation: This indicates that a software error should be reported to the Cisco TAC. The SVC or security appliance could be at fault.
System log messages: 722037
|
mp-svc-delete-in-progress
|
SVC Module received data while connection was being deleted
|
This counter will increment when the security appliance receives a packet associated with an SVC connection that is in the process of being deleted.
Recommendation: This is a normal condition when the SVC connection is torn down for any reason. If this error occurs repeatedly or in large numbers, it could indicate that clients are having network connectivity issues.
System log messages: None.
|
mp-svc-flow-control
|
SVC Session is in flow control
|
This counter will increment when the security appliance needs to drop data because an SVC is temporarily not accepting any more data.
Recommendation: This indicates that the client is unable to accept more data. The client should reduce the amount of traffic it is attempting to receive.
System log messages: None.
|
mp-svc-invalid-mac
|
SVC Module found invalid L2 data in the frame
|
This counter will increment when the security appliance finds an invalid L2 MAC header attached to data received from an SVC.
Recommendation: This indicates that a software error should be reported to the Cisco TAC.
System log messages: None.
|
mp-svc-invalid-mac-len
|
SVC Module found invalid L2 data length in the frame
|
This counter will increment when the security appliance finds an invalid L2 MAC length attached to data received from an SVC.
Recommendation: This indicates that a software error should be reported to the Cisco TAC.
System log messages: None.
|
mp-svc-no-channel
|
SVC Module does not have a channel for reinjection
|
This counter will increment when the interface that the encrypted data was received upon cannot be found in order to inject the decrypted data.
Recommendation: If an interface is shut down during a connection, this could happen; re-enable/check the interface. Otherwise, this indicates that a software error should be reported to the Cisco TAC.
System log messages: None.
|
mp-svc-no-mac
|
SVC Module unable to find L2 data for frame
|
This counter will increment when the security appliance is unable to find an L2 MAC header for data received from an SVC.
Recommendation: This indicates that a software error should be reported to the Cisco TAC.
System log messages: None.
|
mp-svc-no-prepend
|
SVC Module does not have enough space to insert header
|
This counter will increment when there is not enough space before the packet data to prepend a MAC header in order to put the packet onto the network.
Recommendation: This indicates that a software error should be reported to the Cisco TAC.
System log messages: None.
|
mp-svc-no-session
|
SVC Module does not have a session
|
This counter will increment when the security appliance cannot determine the SVC session that this data should be transmitted over.
Recommendation: This indicates that a software error should be reported to the Cisco TAC.
System log messages: None.
|
mp-svc-unknown-type
|
SVC Module received unknown data frame
|
This counter will increment when the security appliance receives a packet from an SVC where the data type is unknown.
Recommendation: Validate that the SVC being used by the client is compatible with the version of security appliance software.
System log messages: None.
|
natt-keepalive
|
NAT-T keepalive message
|
This counter will increment when the security appliance receives an IPSec NAT-T keepalive message. NAT-T keepalive messages are sent from the IPSec peer to the security appliance to keep NAT/PAT flow information current in network devices between the NAT-T IPSec peer and the security appliance.
Recommendation: If you have configured IPSec NAT-T on your security appliance, this indication is normal and does not indicate a problem. If NAT-T is not configured on your security appliance, analyze your network traffic to determine the source of the NAT-T traffic.
System log messages: None
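The recommendation above (and the bad-ipsec-natt entry earlier in this table) comes down to telling apart the three things that legitimately arrive on UDP 4500: a NAT-T keepalive, UDP-encapsulated ESP, and IKE behind a non-ESP marker. The following Python is an added example, not Cisco code: it classifies a UDP/4500 payload by the layout in RFC 3948 (a keepalive is a single 0xFF octet, four zero bytes mark IKE, any other non-zero first word is an ESP SPI) and tallies senders so an unexpected NAT-T source can be found. The payloads, addresses and function names are constructed for illustration.

```python
import struct
from collections import Counter, defaultdict
from typing import Dict, Iterable, Tuple

# Constructed UDP/4500 payloads (the bytes after the UDP header); none are from a real capture.
NATT_KEEPALIVE = b"\xff"                                        # RFC 3948 2.3: a single 0xFF octet
IKE_IN_UDP = b"\x00" * 4 + bytes(range(28))                     # 4-byte non-ESP marker + 28-byte IKE header
ESP_IN_UDP = struct.pack("!II", 0x0001F2AB, 7) + b"\xaa" * 40   # SPI, sequence number, ciphertext
BAD_PAYLOAD = b"\x00\x00"                                       # too short to be IKE, ESP or a keepalive


def classify_natt_payload(payload: bytes) -> str:
    """Classify the payload of a UDP datagram addressed to port 4500 (RFC 3948).

    Returns 'natt-keepalive', 'ike', 'esp' or 'invalid'.
    """
    if payload == NATT_KEEPALIVE:
        return "natt-keepalive"
    if len(payload) < 4:
        return "invalid"
    first_word = struct.unpack("!I", payload[:4])[0]
    if first_word == 0:
        # A zero non-ESP marker means IKE follows; the IKE header alone is 28 bytes.
        return "ike" if len(payload) >= 4 + 28 else "invalid"
    # SPI 0 is never assigned, so a non-zero first word is an ESP SPI;
    # SPI plus sequence number is 8 bytes and must be followed by ciphertext.
    return "esp" if len(payload) > 8 else "invalid"


def natt_sources(packets: Iterable[Tuple[str, int, bytes]],
                 natt_configured: bool) -> Dict[str, Counter]:
    """Tally UDP/4500 traffic per source address so an unexpected NAT-T sender can be located.

    packets: (src_ip, udp_dst_port, payload) tuples.  When NAT-T is configured on the
    appliance, keepalives are normal (per the recommendation) and are left out of the tally.
    """
    seen: Dict[str, Counter] = defaultdict(Counter)
    for src, dport, payload in packets:
        if dport != 4500:
            continue
        kind = classify_natt_payload(payload)
        if kind == "natt-keepalive" and natt_configured:
            continue
        seen[src][kind] += 1
    return dict(seen)


if __name__ == "__main__":
    # Constructed sample: two peers on 4500, one IKE packet on plain 500 that is ignored.
    sample = [("203.0.113.10", 4500, NATT_KEEPALIVE), ("203.0.113.10", 4500, ESP_IN_UDP),
              ("198.51.100.7", 4500, BAD_PAYLOAD), ("198.51.100.7", 4500, IKE_IN_UDP),
              ("192.0.2.3", 500, IKE_IN_UDP)]
    for src, kinds in natt_sources(sample, natt_configured=False).items():
        print(src, dict(kinds))
```

Run against the output of a capture on the outside interface, a source that shows only keepalives and invalid payloads on a box where NAT-T is not configured is the one to chase.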
|
no-adjacency
|
No valid adjacency
|
This counter is incremented when the security appliance has tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.
Recommendation: Configure a capture for this drop reason and check if a host with the specified destination address exists on the connected network or is routable from the security appliance.
System log messages: None.
|
no-mcast-entry
|
FP no mcast entry
|
This counter increments because of one of the following reasons:
• A packet has arrived that matches a multicast flow, but the multicast service is no longer enabled, or was re-enabled after the flow was built.
Recommendation: Reenable multicast if it is disabled.
System log messages: None.
• A multicast entry change has been detected after a packet was punted to the CP, and the NP can no longer forward the packet since no entry is present.
Recommendation: None.
System log messages: None.
|
no-mcast-intrf
|
FP no mcast output intrf
|
This counter increments because of one of the following reasons:
• All output interfaces have been removed from the multicast entry.
Recommendation: Verify that there are no longer any receivers for this group.
System log messages: None.
• The multicast packet could not be forwarded.
Recommendation: Verify that a flow exists for this packet.
System log messages: None.
|
non-ip-pkt-in-routed-mode
|
Non-IP packet received in routed mode
|
This counter will increment when the security appliance receives a packet that is not an IPv4, IPv6, or ARP packet, and the security appliance or context is configured for routed mode. In normal operation such packets should be dropped.
Recommendation: This indicates that a software error should be reported to the Cisco TAC.
System log messages: 106026, 106027
|
no-route
|
No route to host
|
This counter is incremented when the security appliance tries to send a packet out of an interface and does not find a route for it in the routing table.
Recommendation: Verify that a route exists for the destination address obtained from the generated system message.
System log messages: 110001
|
np-socket-closed
|
Dropped pending packets in a closed socket
|
If a socket is abruptly closed, by the user or software, then any pending packets in the pipeline for that socket are also dropped. This counter is incremented for each packet in the pipeline that is dropped.
Recommendation: It is common to see this counter increment as part of normal operation. However, if the counter is rapidly incrementing and there is a major malfunction of socket-based applications, then this may be caused by a software defect. Contact the Cisco TAC to investigate the issue further.
System log messages: None.
|
np-sp-invalid-spi
|
Invalid SPI
|
This counter increments when the security appliance receives an IPSec ESP packet addressed to the security appliance that specifies an SPI (security parameter index) not currently known by the security appliance.
Recommendation: Occasional invalid SPI indications are common, especially during rekey processing. Many invalid SPI indications may suggest a problem or DoS attack. If you are experiencing a high rate of invalid SPI indications, analyze your network traffic to determine the source of the ESP traffic.
System log messages: 402114
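The recommendation above turns on the rate at which the counter grows, which a single show asp drop does not show. The following Python is an added example, not Cisco code: it parses two snapshots of the Frame drop section taken a known interval apart, computes the per-second increase of each counter, and flags the ones that this table ties to an attack (invalid SPI, RPF, the security checks, ARP punt limits) or to a software error (the mp-svc-* counters that are not normal tear-down or flow-control drops). The snapshots are constructed, the thresholds are an assumption to be tuned per appliance, and the function names are mine.

```python
import re
from typing import Dict, List, Tuple

# Constructed 'show asp drop' snapshots taken 60 s apart; the numbers are made up.
SNAP_T0 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                        123456
  Invalid SPI (np-sp-invalid-spi)                                         40
  Reverse-path verify failed (rpf-violated)                                0
  TCP DUP and has been ACKed (tcp-acked)                                9001
  NAT-T keepalive message (natt-keepalive)                              5000

Last clearing: Never

Flow drop:
  Flow is denied by access rule (acl-drop)                               210
"""

SNAP_T1 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                        123999
  Invalid SPI (np-sp-invalid-spi)                                       4040
  Reverse-path verify failed (rpf-violated)                               12
  TCP DUP and has been ACKed (tcp-acked)                                9100
  NAT-T keepalive message (natt-keepalive)                              5030
  SVC Module received bad data length (mp-svc-bad-length)                  3

Last clearing: Never

Flow drop:
  Flow is denied by access rule (acl-drop)                               214
"""

# "  <display text> (<reason keyword>)   <count>"
ASP_LINE = re.compile(r"^\s+(?P<desc>.+?)\s+\((?P<reason>[\w-]+)\)\s+(?P<count>\d+)\s*$")


def parse_asp_drop(text: str, section: str = "Frame drop") -> Dict[str, int]:
    """Return {reason keyword: count} for one section ('Frame drop' or 'Flow drop') of the output."""
    counters: Dict[str, int] = {}
    in_section = False
    for line in text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            in_section = line.startswith(section)   # section headers sit at column 0
            continue
        m = ASP_LINE.match(line) if in_section else None
        if m:
            counters[m.group("reason")] = int(m.group("count"))
    return counters


# Per-second thresholds and the follow-up this table recommends. The numbers are an
# assumption for illustration; tune them to the normal drop rate of your own appliance.
WATCH: Dict[str, Tuple[float, str]] = {
    "np-sp-invalid-spi":  (50.0, "possible DoS or peers with stale SAs: capture ESP and find the source (syslog 402114)"),
    "rpf-violated":       (1.0,  "spoofed source addresses: trace the source IP in syslog 106021"),
    "sp-security-failed": (1.0,  "bogus source/destination addresses: syslog 106016/106017, capture type asp"),
    "security-failed":    (1.0,  "teardrop fragments or IP audit hits: syslog 106020 / 400xx"),
    "punt-rate-limit":    (1.0,  "ARP rate above 500/s on an interface: syslog 322002/322003"),
    "tcp-bad-option-len": (10.0, "corrupt or crafted TCP options: capture to locate the sender"),
}
# mp-svc-* counters the table treats as normal tear-down, client back-pressure or version skew.
SVC_BENIGN = {"mp-svc-delete-in-progress", "mp-svc-flow-control", "mp-svc-unknown-type"}


def triage(before: Dict[str, int], after: Dict[str, int],
           interval_s: float) -> List[Tuple[str, float, str]]:
    """Compare two snapshots; return (reason, drops per second, action), highest rate first."""
    findings: List[Tuple[str, float, str]] = []
    for reason, count in after.items():
        delta = count - before.get(reason, 0)
        if delta < 0:                       # counters were cleared between the snapshots
            delta = count
        rate = delta / interval_s
        if reason in WATCH and rate >= WATCH[reason][0]:
            findings.append((reason, rate, WATCH[reason][1]))
        elif reason.startswith("mp-svc-") and delta > 0 and reason not in SVC_BENIGN:
            findings.append((reason, rate, "software error per this table: open a TAC case"))
    return sorted(findings, key=lambda f: f[1], reverse=True)


if __name__ == "__main__":
    for reason, rate, action in triage(parse_asp_drop(SNAP_T0), parse_asp_drop(SNAP_T1), 60):
        print(f"{reason:22s} {rate:8.2f}/s  {action}")
```

Feed it the two captures of show asp drop you already take when investigating, and add rows to WATCH for whichever counters matter on your deployment; the second column of each WATCH entry is just the table's recommendation in one line.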
|
punt-rate-limit
|
Punt rate limit exceeded
|
This counter will increment when the security appliance attempts to forward a Layer 2 packet to a rate-limited control point service routine and the per-second rate limit for that routine is exceeded. Currently, the only Layer 2 packets destined for a control point service routine that are rate limited are ARP packets. The ARP packet rate limit is 500 ARPs per second per interface.
Recommendation: Analyze your network traffic to determine the reason behind the high rate of ARP packets.
System log messages: 322002, 322003
|
queue-removed
|
Queued packet dropped
|
When the QoS configuration is changed or removed, the existing packets in the output queues awaiting transmission are dropped and this counter is incremented.
Recommendation: Under normal conditions, this may be seen when the QoS configuration has been changed by the user. If this occurs when no changes to the QoS configuration were performed, please contact Cisco TAC.
System log messages: None.
|
rate-exceeded
|
QoS rate exceeded
|
This counter is incremented when rate-limiting (policing) is configured on an egress/ingress interface, and the egress/ingress traffic rate exceeds the burst rate configured. The counter is incremented for each packet dropped.
Recommendation: Investigate and determine why the rate of traffic leaving the interface is higher than the configured rate. This may be normal, or could be an indication of virus or attempted attack.
System log messages: None.
|
rm-conn-limit
|
RM connection limit reached
|
This counter is incremented when the maximum number of connections for a context or the system has been reached, and a new connection is attempted.
Recommendation: The device administrator can use the commands show resource usage and show resource usage system to view context and system resource limits and "Denied" counts and adjust resource limits if desired.
System log messages: 321001
|
rm-conn-rate-limit
|
RM connection rate limit reached
|
This counter is incremented when the maximum connection rate for a context or the system has been reached and a new connection is attempted.
Recommendation: The device administrator can use the commands show resource usage and show resource usage system to view context and system resource limits and "Denied" counts and adjust resource limits if desired.
System log messages: 321002
|
rpf-violated
|
Reverse-path verify failed
|
This counter is incremented when ip verify reverse-path is configured on an interface and the security appliance receives a packet for which the route lookup of the source IP did not yield the same interface as the one on which the packet was received.
Recommendation: Trace the source of traffic based on the source IP printed in the system message below, and investigate why it is sending spoofed traffic.
System log messages: 106021
|
security-failed
|
Early security checks failed
|
This counter is incremented and the packet is dropped when the security appliance:
• Receives an IPv4 multicast packet when the packet multicast MAC address does not match the packet multicast destination IP address
• Receives an IPv6 or IPv4 teardrop fragment containing either small offset or fragment overlapping
• Receives an IPv4 packet that matches an IP audit signature
Recommendation: Contact the remote peer administrator or escalate this issue according to your security policy. For detailed description and System log messages for IP audit attack checks please refer the ip audit signature command.
System log messages: 106020, 400xx in case of IP audit checks
|
send-ctm-error
|
Send to CTM returned error
|
This counter is obsolete in the security appliance and should never increment.
Recommendation: None.
System log messages: None.
|
sp-security-failed
|
Slowpath security checks failed
|
This counter is incremented and the packet is dropped when the security appliance:
• Is in routed mode and receives a through-the-box:
– L2 broadcast packet
– IPv4 packet with destination IP address equal to 0.0.0.0
– IPv4 packet with source IP address equal to 0.0.0.0
Recommendation: Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.
System log messages: 106016
• Is in routed or transparent mode and receives a through-the-box IPv4 packet with:
– The first octet of the source IP address is equal to zero
– The source IP address is equal to the loopback IP address
– Network part of the source IP address is equal to all 0s
– The network part of the source IP address is equal to all 1s
– The source IP address host part is equal to all 0s or all 1s
Recommendation: Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.
System log messages: 106016
• Is in routed or transparent mode and receives an IPv4 or IPv6 packet with the same source and destination IP addresses
Recommendation: If this message counter is incrementing rapidly, an attack may be in progress. Use the packet capture feature to capture type asp packets, and check the source MAC address in the packet to see where they are coming from.
System log messages: 106017
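The multicast MAC/IP test under security-failed above and the IPv4 source-address tests under sp-security-failed are precise enough to write down, which makes it easy to reproduce a given drop offline from a capture. The following Python is an added example and not Cisco code. It assumes that "network part" and "host part" are split on the address class (A/8, B/16, C/24), which the table does not state, and uses the RFC 1112 mapping (01:00:5e plus the low 23 bits of the group) for the multicast MAC check; the function names and sample addresses are mine.

```python
import ipaddress
from typing import Optional, Tuple

Verdict = Optional[Tuple[str, str]]   # (drop reason, syslog message id) or None when the packet passes


def ipv4_multicast_mac(group: str) -> bytes:
    """RFC 1112 mapping: 01:00:5e followed by the low 23 bits of the group address."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return b"\x01\x00\x5e" + low23.to_bytes(3, "big")


def early_security_check(dst_mac: bytes, dst_ip: str) -> Verdict:
    """security-failed: IPv4 multicast packet whose L2 destination does not match its group."""
    if ipaddress.IPv4Address(dst_ip).is_multicast and dst_mac != ipv4_multicast_mac(dst_ip):
        return ("security-failed", "106020")
    return None


def classful_prefix(addr: int) -> Optional[int]:
    """Assumption: the network/host split is taken from the address class (A/8, B/16, C/24)."""
    if addr >> 31 == 0:
        return 8
    if addr >> 30 == 0b10:
        return 16
    if addr >> 29 == 0b110:
        return 24
    return None   # class D/E: no network/host split to test


def slowpath_security_check(src_ip: str, dst_ip: str, routed_mode: bool = True,
                            l2_broadcast: bool = False) -> Verdict:
    """sp-security-failed tests for a through-the-box IPv4 packet, in the order the table lists them."""
    src = int(ipaddress.IPv4Address(src_ip))
    dst = int(ipaddress.IPv4Address(dst_ip))

    # Routed mode only: L2 broadcast, or 0.0.0.0 as source or destination.
    if routed_mode and (l2_broadcast or src == 0 or dst == 0):
        return ("sp-security-failed", "106016")

    # Routed or transparent mode: bogus source addresses.
    if src >> 24 == 0 or src >> 24 == 127:             # first octet zero, or loopback
        return ("sp-security-failed", "106016")
    plen = classful_prefix(src)
    if plen is not None:
        host_bits = 32 - plen
        net, host = src >> host_bits, src & ((1 << host_bits) - 1)
        if net in (0, (1 << plen) - 1):                 # network part all 0s or all 1s
            return ("sp-security-failed", "106016")
        if host in (0, (1 << host_bits) - 1):           # host part all 0s or all 1s
            return ("sp-security-failed", "106016")

    # Routed or transparent mode: same source and destination address.
    if src == dst:
        return ("sp-security-failed", "106017")
    return None


if __name__ == "__main__":
    # Constructed cases; addresses are documentation ranges.
    for args in [("0.0.0.0", "198.51.100.1"), ("127.0.0.1", "198.51.100.1"),
                 ("10.0.0.0", "198.51.100.1"), ("192.168.1.255", "198.51.100.1"),
                 ("198.51.100.7", "198.51.100.7"), ("198.51.100.7", "203.0.113.9")]:
        print(args, "->", slowpath_security_check(*args))
    print("mcast mismatch ->", early_security_check(b"\xff" * 6, "224.0.0.251"))
```

When the counter is rising, run the source/destination pairs from a capture through slowpath_security_check to see which bullet is firing; a steady stream of 106017 hits from one source MAC is the land-attack pattern the table's last recommendation refers to.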
|
ssm-app-fail
|
Service module is down
|
This counter only applies to the ASA 5500 series adaptive security appliance. It is incremented when a packet to be inspected by the SSM is dropped because the SSM has become unavailable. Some examples of this are: software or hardware failure, software or signature upgrade, or the module being shut down.
Recommendation: The SSM manager process running in the security appliance control plane would have issued system messages and CLI warning to inform you of the failure. Please consult the documentation that comes with the SSM to troubleshoot the SSM failure. Contact Cisco TAC if needed.
System log messages: None.
|
ssm-app-request
|
Service module requested drop
|
This counter only applies to the ASA 5500 series adaptive security appliance. It is incremented when the application running on the SSM requests the security appliance to drop a packet.
Recommendation: More information could be obtained by querying the incident report or system messages generated by the SSM itself. Please consult the documentation that comes with your SSM for instructions.
System log messages: None.
|
ssm-asdp-invalid
|
Invalid ASDP packet received from SSM card
|
This counter only applies to the ASA 5500 series adaptive security appliance. It is incremented when the security appliance receives an ASA SSM Dataplane Protocol (ASDP) packet from the internal data plane interface, but the driver encountered a problem when parsing the packet. ASDP is the protocol the security appliance uses to communicate with certain types of SSMs, such as the CSC SSM. This can happen for several reasons:
• The ASDP protocol version is not compatible between the security appliance and the SSM; in this case the SSM manager process in the control plane issues system messages and CLI warnings to tell you which image versions must be installed.
• The ASDP packet belongs to a connection that has already been terminated on the security appliance.
• The security appliance has switched to the standby state (if failover is enabled), in which case it can no longer pass traffic.
• The driver found an unexpected value while parsing the ASDP header or payload.
Recommendation: The counter is usually 0 or a very small number. But you should not be concerned if the counter slowly increases over time, especially when there has been a failover, or you have manually cleared connections on the security appliance via the CLI. If the counter increases drastically during normal operation, please contact Cisco TAC.
System log messages: 421003, 421004
|
ssm-dpp-invalid
|
Invalid packet received from SSM card
|
This counter only applies to the ASA 5500 series adaptive security appliance. It is incremented when the security appliance receives a packet from the internal data plane interface but could not find the proper driver to parse it.
Recommendation: The data plane driver is dynamically registered depending on the type of SSM installed in the system, so this can happen if data plane packets arrive before the security appliance is fully initialized. This counter is usually 0, and a few drops are not a concern. However, if this counter keeps rising while the system is up and running, it may indicate a problem. Please contact Cisco TAC if you suspect it affects the normal operation of your security appliance.
System log messages: None.
|
tcp_xmit_partial
|
TCP retransmission partial
|
This counter is incremented and the packet is dropped when the check-retransmission feature is enabled, and a partial TCP retransmission was received.
Recommendation: None.
System log messages: None.
|
tcp-3whs-failed
|
TCP failed 3 way handshake
|
This counter is incremented and the packet is dropped when the security appliance receives an invalid TCP packet during the three-way handshake. For example, a SYN-ACK sent by the client (which should be sending the SYN) is dropped for this reason.
Recommendation: None.
System log messages: None.
|
tcp-acked
|
TCP DUP and has been ACKed
|
This counter is incremented and the packet is dropped when the security appliance receives a retransmitted data packet and the data has been acknowledged by the peer TCP endpoint.
Recommendation: None.
System log messages: None.
|
tcp-ack-syn-diff
|
TCP ACK in SYNACK invalid
|
This counter is incremented and the packet is dropped when the security appliance receives a SYN-ACK packet during the three-way handshake with an incorrect TCP acknowledgement number.
Recommendation: None.
System log messages: None.
|
tcp-bad-option-len
|
Bad option length in TCP
|
This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with a TCP option set, but the option length does not match the length defined for that option in the TCP RFC.
Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a TCP endpoint is sending corrupted packets and an attack is in progress. Please use the packet capture feature to learn more about the origin of the packet.
System log messages: None.
|
tcp-bad-option-list
|
TCP option list invalid
|
This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with a non-standard TCP header option.
Recommendation: To allow such TCP packets or clear non-standard TCP header options and then allow the packet, use the tcp-options command.
System log messages: None.
|
tcp-bad-sack-allow
|
Bad TCP SACK ALLOW option
|
This counter is incremented and the packet is dropped when the appliance receives a TCP packet with the selective acknowledgement option, but the SYN flag is not set.
Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a TCP endpoint is sending corrupted packets and an attack is in progress. Please use the packet capture feature to learn more about the origin of the packet.
System log messages: None.
|
tcp-bad-winscale
|
Bad TCP window scale value
|
This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with the window-scale option greater than 14.
Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a TCP endpoint is sending corrupted packets and an attack is in progress. Please use the packet capture feature to learn more about the origin of the packet.
System log messages: None.
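The four TCP option drop reasons above (tcp-bad-option-len, tcp-bad-option-list, tcp-bad-sack-allow, tcp-bad-winscale) all come out of one walk over the option area, and the recommendation in three of them is to capture the packet and look at it. The following Python is an added example, not Cisco's normalizer: it parses a raw TCP header, walks the options with the RFC lengths (MSS 4, window scale 3, SACK-permitted 2, timestamps 10, SACK 2 + 8 per block), and returns the first drop reason the table would assign. Which option kinds count as "standard" for tcp-bad-option-list is an assumption here, as are the function names and the constructed segments.

```python
import struct
from typing import List, Optional, Tuple

# Option kinds this checker treats as standard (an assumption about what the appliance's
# default option list allows) and the fixed lengths the TCP RFCs give them.
FIXED_LEN = {2: 4, 3: 3, 4: 2, 8: 10}        # MSS, window scale, SACK-permitted, timestamps
SACK = 5                                     # variable length: 2 + 8 * blocks, 1..4 blocks
STANDARD_KINDS = {0, 1, SACK} | set(FIXED_LEN)   # EOL, NOP, SACK plus the fixed-length ones

Result = Tuple[Optional[str], List[Tuple[int, bytes]]]   # (drop reason or None, parsed options)


def check_tcp_options(opts: bytes, syn: bool) -> Result:
    """Walk the option area the way the drop reasons above describe; stop at the first fault."""
    parsed: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                    # EOL: the rest is padding
            break
        if kind == 1:                                    # NOP: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):                           # kind byte with no length byte
            return "tcp-bad-option-len", parsed
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):         # length runs past the option area
            return "tcp-bad-option-len", parsed
        if kind not in STANDARD_KINDS:
            return "tcp-bad-option-list", parsed
        if kind in FIXED_LEN and length != FIXED_LEN[kind]:
            return "tcp-bad-option-len", parsed
        if kind == SACK and (length < 10 or length > 34 or (length - 2) % 8):
            return "tcp-bad-option-len", parsed
        data = opts[i + 2:i + length]
        if kind == 3 and data[0] > 14:                   # shift count above the RFC 7323 maximum
            return "tcp-bad-winscale", parsed
        if kind == 4 and not syn:                        # SACK-permitted only belongs on SYNs
            return "tcp-bad-sack-allow", parsed
        parsed.append((kind, data))
        i += length
    return None, parsed


def check_tcp_segment(segment: bytes) -> Result:
    """Parse a raw TCP header, pull out the SYN flag and the option bytes, and check them."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    off_flags = struct.unpack("!HHIIH", segment[:14])[4]
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    syn = bool(off_flags & 0x02)
    return check_tcp_options(segment[20:data_offset], syn)


def build_segment(options: bytes, syn: bool) -> bytes:
    """Constructed TCP header (ports and sequence numbers are placeholders) carrying the options."""
    options += b"\x00" * ((-len(options)) % 4)           # pad the option area to a 32-bit boundary
    data_offset = (20 + len(options)) // 4
    flags = 0x02 if syn else 0x10                        # SYN, or a plain ACK
    header = struct.pack("!HHIIHHHH", 40000, 443, 1, 0, (data_offset << 12) | flags, 65535, 0, 0)
    return header + options


if __name__ == "__main__":
    # Constructed segments: a clean SYN, then one for each drop reason above.
    cases = {
        "clean SYN":       build_segment(b"\x02\x04\x05\xb4\x01\x03\x03\x07\x04\x02", syn=True),
        "winscale 15":     build_segment(b"\x03\x03\x0f", syn=True),
        "SACK-perm on ACK": build_segment(b"\x04\x02", syn=False),
        "MSS length 3":    build_segment(b"\x02\x03\x05", syn=True),
        "unknown kind 30": build_segment(b"\x1e\x04\x00\x00", syn=True),
    }
    for name, seg in cases.items():
        print(f"{name:17s} -> {check_tcp_segment(seg)[0]}")
```

Point check_tcp_segment at the TCP header bytes from a capture taken on the ingress interface; if it returns tcp-bad-option-list for a kind you actually need to pass, that is the case for the tcp-options command mentioned above rather than for a capture hunt.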
|
tcp-buffer-full
|
TCP packet buffer full
|
This counter is incremented and the packet is dropped when the security appliance receives an out-of-order TCP packet on a connection, and there is no buffer space to store this packet. Typically TCP packets are put into order on connections that are inspected by the security appliance or when packets are sent to an SSM for inspection. There is a default queue size, and when packets in excess of this default queue size are received they will be dropped.
Recommendation: On ASA platforms the queue size could be increased using the queue-limit command.
System log messages: None.
|
tcp-conn-limit
|
TCP Connection limit reached
|
This reason is given for dropping a TCP packet during the TCP connection establishment phase when the connection limit has been exceeded. The connection limit is configured using the set connection conn-max command.
Recommendation: If this is incrementing rapidly, check the System log messages to determine which host's connection limit is reached. The connection limit may need to be increased if the traffic is normal, or the host may be under attack.
System log messages: 201011
|
tcp-data-past-fin
|
TCP data send after FIN
|
This counter is incremented and the packet is dropped when the security appliance receives a new TCP data packet from an endpoint which had sent a FIN to close the connection.
Recommendation: None.
System log messages: None.
|
tcp-discarded-ooo
|
TCP ACK in 3 way handshake invalid
|
This counter is incremented and the packet is dropped when the security appliance receives a TCP ACK packet from a client during the three-way-handshake and the sequence number is not the next expected sequence number.
Recommendation: None.
System log messages: None.
|
tcp-dual-open
|
TCP Dual open denied
|
This counter is incremented and the packet is dropped when the security appliance receives a TCP SYN packet from the server and an embryonic TCP connection is already open.
Recommendation: None.
System log messages: None.
|
tcp-fo-drop
|
TCP replicated flow pak drop
|
This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with a control flag like SYN, FIN, or RST on an established connection just after the security appliance has taken over as active unit.
Recommendation: None.
System log messages: None.
|
tcp-invalid-ack
|
TCP invalid ACK
|
This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with an acknowledgement number greater than the data sent by the peer TCP endpoint.
Recommendation: None.
System log messages: None.
|
tcp-mss-exceeded
|
TCP data exceeded MSS
|
This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with a data length greater than the MSS advertised by the peer TCP endpoint.
Recommendation: To allow such TCP packets, use the exceed-mss command.
System log messages: 419001
|
tcpnorm-rexmit-bad
|
TCP bad retransmission
|
This counter is incremented and the packet is dropped when the check-retransmission feature is enabled, and a TCP retransmission with different data from the original packet was received.
|