Packet dropped: Cache Entry is Deleted - Drop Code explanation

03/26/2020 104 20680

DESCRIPTION:

This article explains drop code Cache Entry Deleted 

RESOLUTION:

The drops related to "Packet dropped - cache entry is deleted" are dropped because the connection cache entry had already been removed, thus its not an active connection. In other words, this is a packet received after the firewall identified the connection was closed, so the new incoming packet was dropped since the tuple does not match an open connection in the cache.

This type of drop is not indicative of a problem. It just means a host continued to communicate after the connection was closed, so the firewall dropped those packets since they are not part of an active connection. It is expected behavior and should have no effect on the connection itself since it was closed by either of the two hosts prior to the firewall dropping packets.

The drop code "entry cache is deleted" simply means one host continued to send traffic using the same connection, which the firewall already purged from its connection table.

Example:

A and B are communicating over a connection XXXXX src port (12345) to YY dst port (TCP/80). For simplicity, let's say its a basic HTTP connection for a very basic text-only page. When the connection is torn down, you'll see the connection come to a close with FIN ACKs and RSTs. If a host continued to communicate with the remote host after the firewall detected the end of the connection and purged the entry from it's connection table, the firewall will see an incoming packet with an invalid flag/connection. It isn't a SYN, so its not trying to establish a new connection, and if its a RST or anything else then its not seen as a packet associated with any current connections.

 In other words, two parties on a phone call have hung up, but one of the hosts continues talking while the line is dead.