So my firewall seems to be dropping an oddly large number of packets on the INSIDE interface:

asa1(config)# sh int RACK
Interface GigabitEthernet0/1 "RACK", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        MAC address 0024.14d0.4521, MTU 1500
        IP address 64.22.76.97, subnet mask 255.255.255.240
        28128158809 packets input, 162066888025865 bytes, 4 no buffer
        Received 186502879 broadcasts, 0 runts, 0 giants
        5089 input errors, 0 CRC, 0 frame, 5089 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        27235942172 packets output, 18181322825213 bytes, 237 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        input queue (curr/max packets): hardware (1/33)
        output queue (curr/max packets): hardware (0/511)
  Traffic Statistics for "RACK":
        144406450470 packets input, 159422361828279 bytes
        103754084999 packets output, 16098663171295 bytes
        6934615576 packets dropped
      1 minute input rate 2056 pkts/sec,  2053935 bytes/sec
      1 minute output rate 1678 pkts/sec,  418581 bytes/sec
      1 minute drop rate, 270 pkts/sec
      5 minute input rate 2519 pkts/sec,  2676286 bytes/sec
      5 minute output rate 1887 pkts/sec,  469578 bytes/sec
      5 minute drop rate, 283 pkts/sec

Looking at ASP drop data, they are mostly coming from "TCP packet SEQ past window (tcp-seq-past-win)":

asa1(config)# sh asp drop
Frame drop:
  Invalid TCP Length (invalid-tcp-hdr-length)                                    31
  No valid adjacency (no-adjacency)                                              88
  No route to host (no-route)                                                  1728
  Flow is denied by configured rule (acl-drop)                               203110
  Flow denied due to resource limitation (unable-to-create-flow)             556419
  First TCP packet not SYN (tcp-not-syn)                                    4080584
  Bad TCP flags (bad-tcp-flags)                                                  38
  Bad option length in TCP (tcp-bad-option-len)                                  54
  TCP data exceeded MSS (tcp-mss-exceeded)                                      910
  TCP failed 3 way handshake (tcp-3whs-failed)                               724043
  TCP RST/FIN out of order (tcp-rstfin-ooo)                                21011574
  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                            19758
  TCP SYNACK on established conn (tcp-synack-ooo)                                 6
  TCP packet SEQ past window (tcp-seq-past-win)                           156938345
  TCP invalid ACK (tcp-invalid-ack)                                           15360
  TCP ACK in 3 way handshake invalid (tcp-discarded-ooo)                          9
  TCP Out-of-Order packet buffer full (tcp-buffer-full)                          41
  TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout)                   343
  TCP RST/SYN in window (tcp-rst-syn-in-win)                                  13323
  TCP DUP and has been ACKed (tcp-acked)                                     379384
  TCP packet failed PAWS test (tcp-paws-fail)                                 84304
  IP option drop (invalid-ip-option)                                             12
  ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn)      16
  DNS Inspect invalid packet (inspect-dns-invalid-pak)                           53
  DNS Inspect invalid domain label (inspect-dns-invalid-domain-label)            50
  DNS Inspect packet too long (inspect-dns-pak-too-long)                    5353783
  DNS Inspect id not matched (inspect-dns-id-not-matched)                      5275

Anybody seen this before? Would be nice to see if there is a command to show offending packets, but I cannot seem to find it.

Thanks for the time.

Cheers,

--
Joe Renwick
IP Network Consultant, CCIE #16465
GO NETFORWARD!
Direct: 619-800-2055, Emergency Support: 800-719-0504
Is your network moving you forward?
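The counters in "show asp drop" are cumulative since boot (or since the last "clear asp drop"), so a big number alone does not say whether a drop reason is still active; what matters is how fast each counter moves between two readings. As an added example (not part of the original post), the Python below parses that output format, ranks reasons by their share of all drops, and diffs two snapshots into per-second rates. The first snapshot is assembled from the counters quoted above; the second is a constructed reading assumed to have been taken 300 seconds later, with only a few counters moved.

```python
import re
from typing import Dict, List, Tuple

DropTable = Dict[str, Tuple[str, int]]  # drop-code -> (description, cumulative count)

# One "show asp drop" counter line: "  <description> (<drop-code>)   <count>"
DROP_LINE = re.compile(r"^\s*(?P<desc>.+?)\s+\((?P<code>[a-z0-9-]+)\)\s+(?P<count>\d+)\s*$")

# Snapshot built from the counters in the post above (subset, same values).
SNAPSHOT_T0 = """\
Frame drop:
  Invalid TCP Length (invalid-tcp-hdr-length)                               31
  No valid adjacency (no-adjacency)                                          88
  No route to host (no-route)                                              1728
  Flow is denied by configured rule (acl-drop)                           203110
  Flow denied due to resource limitation (unable-to-create-flow)         556419
  First TCP packet not SYN (tcp-not-syn)                                4080584
  TCP failed 3 way handshake (tcp-3whs-failed)                           724043
  TCP RST/FIN out of order (tcp-rstfin-ooo)                            21011574
  TCP packet SEQ past window (tcp-seq-past-win)                       156938345
  TCP DUP and has been ACKed (tcp-acked)                                 379384
  TCP packet failed PAWS test (tcp-paws-fail)                             84304
  DNS Inspect packet too long (inspect-dns-pak-too-long)                5353783
"""

# Constructed second reading, assumed 300 s later: tcp-seq-past-win grew by
# 81000, tcp-rstfin-ooo by 2000, and tcp-invalid-ack appears for the first time.
SNAPSHOT_T1 = """\
Frame drop:
  Invalid TCP Length (invalid-tcp-hdr-length)                               31
  No valid adjacency (no-adjacency)                                          88
  No route to host (no-route)                                              1728
  Flow is denied by configured rule (acl-drop)                           203110
  Flow denied due to resource limitation (unable-to-create-flow)         556419
  First TCP packet not SYN (tcp-not-syn)                                4080584
  TCP failed 3 way handshake (tcp-3whs-failed)                           724043
  TCP RST/FIN out of order (tcp-rstfin-ooo)                            21013574
  TCP packet SEQ past window (tcp-seq-past-win)                       157019345
  TCP invalid ACK (tcp-invalid-ack)                                       15360
  TCP DUP and has been ACKed (tcp-acked)                                 379384
  TCP packet failed PAWS test (tcp-paws-fail)                             84304
  DNS Inspect packet too long (inspect-dns-pak-too-long)                5353783
"""


def parse_asp_drop(text: str) -> DropTable:
    """Parse 'show asp drop' output into {code: (description, count)}.
    Section headers such as 'Frame drop:' and blank lines do not match and are skipped."""
    table: DropTable = {}
    for line in text.splitlines():
        m = DROP_LINE.match(line)
        if m:
            table[m.group("code")] = (m.group("desc"), int(m.group("count")))
    return table


def top_reasons(table: DropTable, n: int = 3) -> List[Tuple[str, int, float]]:
    """Return the n largest counters as (code, count, share_of_all_drops)."""
    total = sum(count for _, count in table.values()) or 1
    ranked = sorted(table.items(), key=lambda kv: kv[1][1], reverse=True)
    return [(code, count, count / total) for code, (_, count) in ranked[:n]]


def diff_snapshots(before: DropTable, after: DropTable) -> Dict[str, int]:
    """Per-code increase between two readings. A code absent from 'before'
    (the ASA only lists non-zero counters) counts from zero; unchanged codes are omitted."""
    deltas: Dict[str, int] = {}
    for code, (_, after_count) in after.items():
        before_count = before.get(code, ("", 0))[1]
        if after_count > before_count:
            deltas[code] = after_count - before_count
    return deltas


def drop_rates(before: DropTable, after: DropTable, seconds: float) -> Dict[str, float]:
    """Packets per second for each drop reason that moved between the readings."""
    return {code: delta / seconds for code, delta in diff_snapshots(before, after).items()}


if __name__ == "__main__":
    t0, t1 = parse_asp_drop(SNAPSHOT_T0), parse_asp_drop(SNAPSHOT_T1)
    for code, count, share in top_reasons(t0):
        print(f"{code:<28} {count:>12}  {share:6.1%} of all drops")
    for code, rate in sorted(drop_rates(t0, t1, 300).items(), key=lambda kv: -kv[1]):
        print(f"{code:<28} {rate:8.1f} pkts/sec")
```

With the post's figures, tcp-seq-past-win is about 83% of everything the box has ever dropped, and the constructed delta works out to 270 pkts/sec, the same order as the interface's "1 minute drop rate". Once a single reason dominates like this, the ASA can capture the frames it drops for that reason with "capture <name> type asp-drop <drop-code>" (for instance "tcp-seq-past-win") and "show capture <name>", which is the closest thing to a "show offending packets" command; pairing that with "clear asp drop" before the second reading keeps the rate calculation honest.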