Guest

Cisco PIX 500 Series Security Appliances

PIX/ASA 7.X Issue: MSS Exceeded - HTTP Clients Cannot Browse to Some Web Sites

Hierarchical Navigation

Document ID: 65436

Updated: Aug 03, 2011

   Download PDF
   Print

Introduction

This document addresses the problem when some websites are not accessible through a PIX or Adaptive Security Appliance (ASA) that runs 7.0 or later code. The 7.0 release introduces several new security enhancements, one of which is a check for TCP endpoints which adhere to the advertised Maximum Segment Size (MSS). In a normal TCP session, the client sends a SYN packet to the server, with the MSS included within the TCP options of the SYN packet. The server, upon receipt of the SYN packet, should recognize the MSS value sent by the client and then send its own MSS value in the SYN-ACK packet. Once both the client and the server are aware of each other's MSS, neither peer should send a packet to the other that is greater than that peer's MSS. A discovery has been made that there are a few HTTP servers on the Internet that do not honor the MSS that the client advertises. Subsequently, the HTTP server sends data packets to the client that are larger than the advertised MSS. Before release 7.0, these packets were allowed through the PIX Security Appliance. With the security enhancement included in the 7.0 software release, these packets are dropped by default. This document is designed to assist the PIX/ASA Security Appliance administrator in the diagnosis of this problem and the implementation of a workaround to allow the packets that exceed the MSS.

Refer to ASA 8.3 Issue: MSS Exceeded - HTTP Clients Cannot Browse to Some Websites for more information on identical configuration using Adaptive Security Device Manager (ASDM) with Cisco ASA with version 8.3 and later.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on a Cisco PIX 525 Security Appliance that runs 7.0.1 software.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Related Products

You can also use this document with these hardware and software versions:

  • All other Cisco PIX Security Appliance platforms that can run the 7.0 release. These platforms include the 515, 515E, and 535.

  • All Cisco ASA platforms. These platforms include the 5510, 5520, and 5540.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Configure

This section presents you with the information to configure the features this document describes.

Note: Use the Command Lookup Tool (registered customers only) to find additional information on the commands this document uses.

Network Diagram

This document uses this network setup:

/image/gif/paws/65436/pix-asa-70-browse-1.gif

PIX Security Appliance 7.0 Configuration

These configuration commands are added to a PIX 7.0 default configuration to allow the HTTP client to communicate with the HTTP server.

PIX 7.0.1 Configuration 
pixfirewall(config)#interface Ethernet0
pixfirewall(config-if)#speed 100
pixfirewall(config-if)#duplex full
pixfirewall(config-if)#nameif outside
pixfirewall(config-if)#security-level 0
pixfirewall(config-if)#ip address 192.168.9.30 255.255.255.0
pixfirewall(config-if)#exit 
pixfirewall(config)#interface Ethernet1
pixfirewall(config-if)#speed 100
pixfirewall(config-if)#duplex full
pixfirewall(config-if)#nameif inside
pixfirewall(config-if)#security-level 100
pixfirewall(config-if)#ip address 10.0.0.1 255.255.255.0 
pixfirewall(config-if)#exit 
pixfirewall(config)#global (outside) 1 interface
pixfirewall(config)#nat (inside) 1 10.0.0.0 255.0.0.0
pixfirewall(config)#route outside 0.0.0.0 0.0.0.0 192.168.9.2 1

Troubleshoot

If a particular website is not accessible through the PIX/ASA Security Appliance, complete these steps to troubleshoot. You first need to capture the packets from the HTTP connection. In order to collect the packets, the relevant IP addresses of the HTTP server and client need to be known, as well as the IP address that the client is translated to when it traverses the PIX Security Appliance. In the example network, the HTTP server is addressed at 192.168.9.2, the HTTP client is addressed at 10.0.0.2, and the HTTP client addresses is translated to 192.168.9.30 as packets leave the outside interface. You can use the capture feature of the PIX/ASA Security Appliance to collect the packets, or you can utilize an external packet capture. If you intend to use the capture feature, the administrator can also utilize a new capture feature included in the 7.0 release that allows the administrator to capture packets that are dropped due to a TCP anomaly.

Note: Some of the commands in these tables are wrapped to a second line due to spatial reasons.

  1. Define a pair of access-lists which identify the packets as they ingress and egress the outside and inside interfaces.

    Access-list Configuration for Packet Capture 
    pixfirewall(config)#access-list capture-list-in line 1 permitip host 10.0.0.2 host 192.168.9.2  

pixfirewall(config)#access-list capture-list-in line 2 permit ip host 192.168.9.2 host 10.0.0.2 

pixfirewall(config)#access-list capture-list-out line 1 permit ip host 192.168.9.30 host 192.168.9.2  

pixfirewall(config)#access-list capture-list-out line 2 permit ip host 192.168.9.2 host 192.168.9.30

  2. Enable the capture feature for both the inside and outside interface. Also enable the capture for TCP-specific MSS-exceeded packets.

    Capture Configuration for Packet Capture 
    pixfirewall(config)#capture capture-outside access-list capture-list-out packet-length 1518 interface outside

pixfirewall(config)#capture capture-inside access-list capture-list-in packet-length 1518 interface inside

pixfirewall(config)#capture mss-capture type asp-drop tcp-mss-exceeded packet-length 1518

  3. Clear the Accelerated Security Path (ASP) counters on the PIX Security Appliance.

    Clear ASP Drop Statistics 
    pixfirewall(config)#clear asp drop

  4. Enable trap syslogging at the debug level sent to a host on the network.

    Enable Trap Logging 
    pixfirewall(config)#logging on
pixfirewall(config)#logging host inside 10.0.0.2
pixfirewall(config)#logging trap debug

  5. Initiate an HTTP session from the HTTP client to the problematic HTTP server.

    Collect the syslog output and the output from these commands after the connection fails.

    • show capture capture-inside

    • show capture capture-outside

    • show capture mss-capture

    • show asp drop

    Syslogs from a Failed Connection 
    %PIX-6-609001: Built local-host inside:10.0.0.2
%PIX-6-609001: Built local-host outside:192.168.9.2
%PIX-6-305011: Built dynamic TCP translation from inside:10.0.0.2/58565 to 
outside:192.168.9.30/1024
%PIX-6-302013: Built outbound TCP connection 3 for outside:192.168.9.2/80 
(192.168.9.2/80) to inside:10.0.0.2/58565 (192.168.9.30/1024)
%PIX-5-304001: 10.0.0.2 Accessed URL 192.168.9.2:/
 

!--- Under normal circumstances, you expect 
!--- to see the TCP connection torn down immediately 
!--- after the retrieval of the web content from 
!--- the HTTP server.  When the problem occurs, the 
!--- data packets from the HTTP server are dropped on 
!--- the outside interface and the connection  
!--- remains until either side resets the connection 
!--  or the PIX Security Appliance connection idle 
!--- timer expires.  Therefore, you do not immediately
!--- see the 302014 syslog message (TCP teardown).

 

 

!--- In PIX release 7.0.2 and later, the PIX 
!--- Security Appliance issues a syslog when it receives
!--- a packet that exceeds the advertised MSS.  The syslog, 
!--- which defaults to warning level, has this format: 


%PIX-4-419001: Dropping TCP packet from outside:192.168.9.2/80 to 
inside:192.168.9.30/1025, reason: MSS exceeded, MSS 460, data 1440




!--- In ASA release 7.0.2 and later, the ASA
!--- Security Appliance issues a syslog when it receives
!--- a packet that exceeds the advertised MSS.  The syslog, 
!--- which defaults to warning level, has this format:


%ASA-4-419001: Dropping TCP packet from outside:192.168.9.2/80 to 
inside:192.168.9.30/1025, reason: MSS exceeded, MSS 460, data 1440

    Note: Refer to System Log Message 419001 for more information about this error message.

    Output from show Commands from a Failed Connection 
    pixfirewall#show capture capture-inside
6 packets captured
   1: 08:59:59.362301 10.0.0.2.58565 > 192.168.9.2.80: 
      S 3965932251:3965932251(0) win 1840 < mss 460,sackOK,timestamp 
      110211948 0,nop,wscale 0>
 

!--- The advertised MSS of the client is 460 in packet #1.

 
   2: 08:59:59.552156 192.168.9.2.80 > 10.0.0.2.58565: 
      S 1460644203:1460644203(0) ack 3965932252 win 8192 <mss 1380>
   3: 08:59:59.552354 10.0.0.2.58565 > 192.168.9.2.80: . ack 1460644204 win 1840
   4: 08:59:59.552629 10.0.0.2.58565 > 192.168.9.2.80: 
      P 3965932252:3965932351(99) ack 1460644204 win 1840
   5: 08:59:59.725960 192.168.9.2.80 > 10.0.0.2.58565: . ack 3965932351 win 8192
   6: 08:59:59.726189 192.168.9.2.80 > 10.0.0.2.58565: . ack 3965932351 win 65340
6 packets shown
pixfirewall# 
pixfirewall# 
pixfirewall#show capture capture-outside
16 packets captured
   1: 08:59:59.362636 192.168.9.30.1024 > 192.168.9.2.80: 
      S 473738107:473738107(0) win 1840 <mss 460,sackOK,timestamp 
      110211948 0,nop,wscale 0>
 

!--- The advertised MSS of the client is 460 in packet #1.

 
   2: 08:59:59.552110 192.168.9.2.80 > 192.168.9.30.1024: 
      S 314834194:314834194(0) ack 473738108 win 8192 <mss 1460>
   3: 08:59:59.552370 192.168.9.30.1024 > 192.168.9.2.80: . ack 314834195 win 1840
   4: 08:59:59.552675 192.168.9.30.1024 > 192.168.9.2.80: 
      P 473738108:473738207(99) ack 314834195 win 1840
   5: 08:59:59.725945 192.168.9.2.80 > 192.168.9.30.1024: . ack 473738207 win 8192
   6: 08:59:59.726173 192.168.9.2.80 > 192.168.9.30.1024: . ack 473738207 win 65340
 

!--- In packets 7 through 14, the length of the packet exceeds 460.
!--- Packets 7 through 14 are not observed on the capture-inside trace.
!--- This means that they were dropped by the PIX Security Appliance.
!--- Packets 7 through 14 are also represented in the output of the 
!--- show capture mss-capture command.

 
   7: 08:59:59.734199 192.168.9.2.80 > 192.168.9.30.1024: 
      . 314834195:314835647(1452) ack 473738207 win 65340
   8: 08:59:59.742072 192.168.9.2.80 > 192.168.9.30.1024: 
      P 314835647:314837099(1452) ack 473738207 win 65340
   9: 08:59:59.757986 192.168.9.2.80 > 192.168.9.30.1024: 
      . 314837099:314838551(1452) ack 473738207 win 65340
  10: 08:59:59.765661 192.168.9.2.80 > 192.168.9.30.1024: 
      P 314838551:314840003(1452) ack 473738207 win 65340
  11: 08:59:59.771276 192.168.9.2.80 > 192.168.9.30.1024: 
      P 314840003:314841035(1032) ack 473738207 win 65340
  12: 09:00:02.377604 192.168.9.2.80 > 192.168.9.30.1024: 
      P 314834195:314835647(1452) ack 473738207 win 65340
  13: 09:00:07.452643 192.168.9.2.80 > 192.168.9.30.1024: 
      P 314834195:314835647(1452) ack 473738207 win 65340
  14: 09:00:17.680049 192.168.9.2.80 > 192.168.9.30.1024: 
      P 314834195:314835647(1452) ack 473738207 win 65340
  15: 09:00:29.670680 192.168.9.2.80 > 192.168.9.30.1024: 
      F 314841035:314841035(0) ack 473738207 win 65340
  16: 09:00:29.670711 192.168.9.30.1024 > 192.168.9.2.80: 
      P ack 314834195 win 1840
16 packets shown
pixfirewall# 
pixfirewall# 
pixfirewall(config)#show capture mss-capture
8 packets captured
   1: 08:59:59.734214 192.168.9.2.80 > 192.168.9.30.1024: 
      . 314834195:314835647(1452) ack 473738207 win 65340
   2: 08:59:59.742086 192.168.9.2.80 > 192.168.9.30.1024: 
      P 314835647:314837099(1452) ack 473738207 win 65340
   3: 08:59:59.758000 192.168.9.2.80 > 192.168.9.30.1024: 
      . 314837099:314838551(1452) ack 473738207 win 65340
   4: 08:59:59.765673 192.168.9.2.80 > 192.168.9.30.1024: 
      P 314838551:314840003(1452) ack 473738207 win 65340
   5: 08:59:59.771291 192.168.9.2.80 > 192.168.9.30.1024: 
      P 314840003:314841035(1032) ack 473738207 win 65340
   6: 09:00:02.377619 192.168.9.2.80 > 192.168.9.30.1024: 
      P 314834195:314835647(1452) ack 473738207 win 65340
   7: 09:00:07.452658 192.168.9.2.80 > 192.168.9.30.1024: 
      P 314834195:314835647(1452) ack 473738207 win 65340
   8: 09:00:17.680063 192.168.9.2.80 > 192.168.9.30.1024: 
      P 314834195:314835647(1452) ack 473738207 win 65340
8 packets shown
pixfirewall# 
pixfirewall# 
pixfirewall#show asp drop
 
Frame drop:
  TCP MSS was too large 8
 
Flow drop:
pixfirewall#
 

!--- The show asp drop command reports 
!--- that eight packets were dropped because the
!--- TCP MSS is to large. This corroborates the information derived from
!--- the packet captures.

Workaround

Implement a workaround now that you know that the PIX/ASA Security Appliance drops the packets that exceed the MSS value advertised by the client. Keep in mind that you might not want to allow these packets to reach the client because of a potential buffer overrun on the client. If you choose to allow these packets through the PIX/ASA Security Appliance, proceed with this workaround procedure. A new feature in the 7.0 release called the Modular Policy Framework (MPF) is used to allow these packets through the PIX Security Appliance. This document is not designed to fully detail the MPF, but rather suggests the configuration entities used to work around the problem. Refer to the PIX 7.0 Configuration Guide and the PIX 7.0 Command Reference Manual for more information on MPF and any of the commands listed in this section.

An overview to the workaround includes the identification of the HTTP client and servers via an access-list. Once the access-list is defined, a class-map is created and the access-list is assigned to the class-map. Then a tcp-map is configured and the option to allow packets that exceed the MSS is enabled. Once the tcp-map and class-map are defined, you can add them to a new or an existing policy-map. A policy-map is then assigned to a security-policy. Use the service-policy command in configuration mode to activate a policy map on an interface/globally. These configuration parameters are added to the PIX 7.0 Configuration list. After you create a policy map named http-map1, this sample configuration adds the class-map to this policy-map.

Specific Interface: MPF Configuration to Allow Packets that Exceed MSS 
pixfirewall(config)#access-list http-list2 permit tcp any host 192.168.9.2
pixfirewall(config)#
pixfirewall#configure terminal
pixfirewall(config)# 
pixfirewall(config)#class-map http-map1
pixfirewall(config-cmap)#match access-list http-list2    
pixfirewall(config-cmap)#exit
pixfirewall(config)#tcp-map mss-map
pixfirewall(config-tcp-map)#exceed-mss allow
pixfirewall(config-tcp-map)#exit
pixfirewall(config)#policy-map http-map1
pixfirewall(config-pmap)#class http-map1
pixfirewall(config-pmap-c)#set connection advanced-options mss-map
pixfirewall(config-pmap-c)#exit
pixfirewall(config-pmap)#exit
pixfirewall(config)#service-policy http-map1 interface outside
pixfirewall#

Once these configuration parameters are in place, packets from 192.168.9.2 that exceed the MSS advertised by the client are allowed through the PIX Security Appliance. It is important to note that the access-list used in the class-map is designed to identify outbound traffic to 192.168.9.2. The outbound traffic is examined to allow the inspection engine to extract the MSS from the outgoing SYN packet. Therefore, it is imperative to configure the access-list with the direction of the SYN in mind. If a more pervasive rule is required, you can replace the access-list statement in this section with an access-list which permits everything, such as access-list http-list2 permit ip any any or access-list http-list2 permit tcp any any. Also remember that the VPN tunnel can be slow if a large value of TCP MSS is used. You can reduce TCP MSS to improve the performance.

This example helps to configure globally Inbound/outbound traffic in ASA/PIX:

Global Configuration: MPF Configuration to Allow Packets that Exceed MSS 
pixfirewall(config)#access-list http-list2 permit tcp any host 192.168.9.2
pixfirewall(config)#
pixfirewall#configure terminal
pixfirewall(config)# 
pixfirewall(config)#class-map http-map1
pixfirewall(config-cmap)#match any    
pixfirewall(config-cmap)#exit
pixfirewall(config)#tcp-map mss-map
pixfirewall(config-tcp-map)#exceed-mss allow
pixfirewall(config-tcp-map)#exit
pixfirewall(config)#policy-map http-map1
pixfirewall(config-pmap)#class http-map1
pixfirewall(config-pmap-c)#set connection advanced-options mss-map
pixfirewall(config-pmap-c)#exit
pixfirewall(config-pmap)#exit
pixfirewall(config)#service-policy http-map1 global
pixfirewall#

Verify

This section provides information you can use to confirm your configuration works properly.

Repeat the steps in the Troubleshoot section to verify that the configuration changes do what they are designed to do.

Syslogs from a Successful Connection 
%PIX-6-609001: Built local-host inside:10.0.0.2
%PIX-6-609001: Built local-host outside:192.168.9.2
%PIX-6-305011: Built dynamic TCP translation from inside:10.0.0.2/58798 
               to outside:192.168.9.30/1025
%PIX-6-302013: Built outbound TCP connection 13 for outside:192.168.9.2/80 
               (192.168.9.2/80) to inside:10.0.0.2/58798 (192.168.9.30/1025)
%PIX-5-304001: 10.0.0.2 Accessed URL 192.168.9.2:/

%PIX-6-302014: Teardown TCP connection 13 for outside:192.168.9.2/80 to 
               inside:10.0.0.2/58798 duration 0:00:01 bytes 6938 TCP FINs
 

!--- The connection is built and immediately torn down
!--- when the web content is retrieved.

Output from show Commands from a Successful Connection 
pixfirewall# 
pixfirewall#show capture capture-inside
21 packets captured
   1: 09:16:50.972392 10.0.0.2.58769 > 192.168.9.2.80: S 751781751:751781751(0) 
   win 1840 <mss 460,sackOK,timestamp 110313116 0,nop,wscale 0>
 

!--- The advertised MSS of the client is 460 in packet #1.
!--- However, with the workaround in place, packets 7, 9, 11, 13,
!--- and 15 appear on the inside trace, despite the MSS>460.

 
   2: 09:16:51.098536 192.168.9.2.80 > 10.0.0.2.58769: S 1305880751:1305880751(0) ack 751781752 win 8192 <mss 1380>
   3: 09:16:51.098734 10.0.0.2.58769 > 192.168.9.2.80: . ack 1305880752 win 1840
   4: 09:16:51.099009 10.0.0.2.58769 > 192.168.9.2.80: P 751781752:751781851(99) ack 1305880752 win 1840
   5: 09:16:51.228412 192.168.9.2.80 > 10.0.0.2.58769: . ack 751781851 win 8192
   6: 09:16:51.228641 192.168.9.2.80 > 10.0.0.2.58769: . ack 751781851 win 25840
   7: 09:16:51.236254 192.168.9.2.80 > 10.0.0.2.58769: . 1305880752:1305882112(1360) ack 751781851 win 25840
   8: 09:16:51.237704 10.0.0.2.58769 > 192.168.9.2.80: . ack 1305882112 win 4080
   9: 09:16:51.243593 192.168.9.2.80 > 10.0.0.2.58769: P 1305882112:1305883472(1360) ack 751781851 win 25840
  10: 09:16:51.243990 10.0.0.2.58769 > 192.168.9.2.80: . ack 1305883472 win 6800
  11: 09:16:51.251009 192.168.9.2.80 > 10.0.0.2.58769: . 1305883472:1305884832(1360) ack 751781851 win 25840
  12: 09:16:51.252428 10.0.0.2.58769 > 192.168.9.2.80: . ack 1305884832 win 9520
  13: 09:16:51.258440 192.168.9.2.80 > 10.0.0.2.58769: P 1305884832:1305886192(1360) ack 751781851 win 25840
  14: 09:16:51.258806 10.0.0.2.58769 > 192.168.9.2.80: . ack 1305886192 win 12240
  15: 09:16:51.266130 192.168.9.2.80 > 10.0.0.2.58769: . 1305886192:1305887552(1360) ack 751781851 win 25840
  16: 09:16:51.266145 192.168.9.2.80 > 10.0.0.2.58769: P 1305887552:1305887593(41) ack 751781851 win 25840
  17: 09:16:51.266511 10.0.0.2.58769 > 192.168.9.2.80: . ack 1305887552 win 14960
  18: 09:16:51.266542 10.0.0.2.58769 > 192.168.9.2.80: . ack 1305887593 win 14960
  19: 09:16:51.267320 10.0.0.2.58769 > 192.168.9.2.80: F 751781851:751781851(0) ack 1305887593 win 14960
  20: 09:16:51.411370 192.168.9.2.80 > 10.0.0.2.58769: F 1305887593:1305887593(0) ack 751781852 win 8192
  21: 09:16:51.411554 10.0.0.2.58769 > 192.168.9.2.80: . ack 1305887594 win 14960
21 packets shown
pixfirewall# 
pixfirewall# 
pixfirewall#show capture capture-outside
21 packets captured
   1: 09:16:50.972834 192.168.9.30.1024 > 192.168.9.2.80: 
      S 1465558595:1465558595(0) win 1840 <mss 460,sackOK,timestamp 110313116 0,nop,wscale 0>
   2: 09:16:51.098505 192.168.9.2.80 > 192.168.9.30.1024: 
      S 466908058:466908058(0) ack 1465558596 win 8192 <mss 1460>
   3: 09:16:51.098749 192.168.9.30.1024 > 192.168.9.2.80: . ack 466908059 win 1840
   4: 09:16:51.099070 192.168.9.30.1024 > 192.168.9.2.80: P 1465558596:1465558695(99) ack 466908059 win 1840
   5: 09:16:51.228397 192.168.9.2.80 > 192.168.9.30.1024: . ack 1465558695 win 8192
   6: 09:16:51.228625 192.168.9.2.80 > 192.168.9.30.1024: . ack 1465558695 win 25840
   7: 09:16:51.236224 192.168.9.2.80 > 192.168.9.30.1024: . 466908059:466909419(1360) ack 1465558695 win 25840
   8: 09:16:51.237719 192.168.9.30.1024 > 192.168.9.2.80: . ack 466909419 win 4080
   9: 09:16:51.243578 192.168.9.2.80 > 192.168.9.30.1024: P 466909419:466910779(1360) ack 1465558695 win 25840
  10: 09:16:51.244005 192.168.9.30.1024 > 192.168.9.2.80: . ack 466910779 win 6800
  11: 09:16:51.250978 192.168.9.2.80 > 192.168.9.30.1024: . 466910779:466912139(1360) ack 1465558695 win 25840
  12: 09:16:51.252443 192.168.9.30.1024 > 192.168.9.2.80: . ack 466912139 win 9520
  13: 09:16:51.258424 192.168.9.2.80 > 192.168.9.30.1024: P 466912139:466913499(1360) ack 1465558695 win 25840
  14: 09:16:51.258485 192.168.9.2.80 > 192.168.9.30.1024: P 466914859:466914900(41) ack 1465558695 win 25840
  15: 09:16:51.258821 192.168.9.30.1024 > 192.168.9.2.80: . ack 466913499 win 12240
  16: 09:16:51.266099 192.168.9.2.80 > 192.168.9.30.1024: . 466913499:466914859(1360) ack 1465558695 win 25840
  17: 09:16:51.266526 192.168.9.30.1024 > 192.168.9.2.80: . ack 466914859 win 14960
  18: 09:16:51.266557 192.168.9.30.1024 > 192.168.9.2.80: . ack 466914900 win 14960
  19: 09:16:51.267335 192.168.9.30.1024 > 192.168.9.2.80: F 1465558695:1465558695(0) ack 466914900 win 14960
  20: 09:16:51.411340 192.168.9.2.80 > 192.168.9.30.1024: F 466914900:466914900(0) ack 1465558696 win 8192
  21: 09:16:51.411569 192.168.9.30.1024 > 192.168.9.2.80: . ack 466914901 win 14960
21 packets shown
pixfirewall#
pixfirewall(config)#show capture mss-capture
0 packets captured
0 packets shown
pixfirewall#
pixfirewall#show asp drop
 
Frame drop:
 
Flow drop:
pixfirewall#
 

!--- Both the show capture mss-capture 
!--- and the show asp drop reveal that no packets are dropped.

Related Information

Updated: Aug 03, 2011
Document ID: 65436