Wednesday, January 27, 2010

ASA 5505: switch ingress policy drops shows a large number of packets dropped

This is what Cisco says about this counter:

This drop is usually seen when a port is not configured correctly. This drop is incremented when a packet cannot be successfully forwarded within switch ports as a result of the default or user configured switch port settings. The following configurations are the likely reasons for this drop:

1. The nameif command was not configured on the VLAN interface.

   Note: For interfaces in the same VLAN, even if the nameif command was not configured, switching within the VLAN is successful, and this counter does not increment.

2. The VLAN is shut down.

3. An access port received an 802.1Q-tagged packet.

4. A trunk port received a tag that is not allowed or an untagged packet.

5. The security appliance is connected to another Cisco device that has Ethernet keepalives. For example, Cisco IOS software uses Ethernet loopback packets to ensure interface health. This packet is not intended to be received by any other device; the health is ensured just by being able to send the packet. These types of packets are dropped at the switch port, and the counter increments.

6. The VLAN only has one physical interface, but the DEST of the packet does not match the MAC address of the VLAN, and it is not the broadcast address.

In my case the reason was #5, a second Cisco device.

Source: http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s3_72.html#wp1283345
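As an added example (not from this post or from Cisco), a small Python script that diffs two `show asp drop` snapshots taken a known number of seconds apart and reports how fast the switch ingress policy counter is growing. A slow, steady trickle is what a neighbour's Ethernet keepalives (reason 5) look like; a fast climb is worth checking against reasons 1 to 4 and 6. The sample output below is constructed to resemble the counter lines, and the 1 packet/second keepalive threshold is an assumption.

```python
import re

# Constructed sample text in the shape of two `show asp drop` snapshots
# taken about 60 seconds apart (not real device output).
SNAPSHOT_T0 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                     120
  Switch ingress policy drops (switch-ingress-policy)            48210
"""
SNAPSHOT_T1 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                     121
  Switch ingress policy drops (switch-ingress-policy)            48216
"""

# One counter line: description, reason name in parentheses, count.
LINE_RE = re.compile(r"^\s+(?P<desc>.+?) \((?P<name>[\w-]+)\)\s+(?P<count>\d+)\s*$")


def parse_asp_drop(text):
    """Return {drop-reason-name: count} from a `show asp drop` snapshot."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[m.group("name")] = int(m.group("count"))
    return counters


def drop_rate(before, after, seconds, name="switch-ingress-policy"):
    """Packets per second for one drop reason between two snapshots."""
    delta = parse_asp_drop(after).get(name, 0) - parse_asp_drop(before).get(name, 0)
    return delta / seconds


def classify(rate, keepalive_max_pps=1.0):
    """Map a growth rate to a rough diagnosis.

    keepalive_max_pps is an assumed ceiling: IOS keepalives arrive every
    few seconds per neighbour, so a trickle under ~1 pps is consistent with
    reason 5; anything faster points at a port or VLAN misconfiguration.
    """
    if rate <= 0:
        return "idle"
    if rate <= keepalive_max_pps:
        return "keepalive-trickle"
    return "investigate-port-config"


if __name__ == "__main__":
    r = drop_rate(SNAPSHOT_T0, SNAPSHOT_T1, 60)
    print(f"switch-ingress-policy: {r:.2f} pps -> {classify(r)}")
```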