17-23
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 17 ASA CX Module
Monitoring the ASA CX Module
Class-map: bypass
CXSC: card status Up, mode fail-open, auth-proxy disabled
packet input 2626422041, packet output 2626877967, drop 0, reset-drop 0, proxied 0
The following is sample output from the show service-policy command showing the ASA CX policy and the current statistics as well as the module status when the authentication proxy is enabled; in this case, the proxied counters also increment:
hostname# show service-policy cxsc
Global policy:
Service-policy: pmap
Class-map: class-default
Default Queueing Set connection policy: random-sequence-number disable
drop 0
CXSC: card status Up, mode fail-open, auth-proxy enabled
packet input 7724, packet output 7701, drop 0, reset-drop 0, proxied 10
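One way to check this output automatically, as an added example that is not part of the Cisco guide: a Python parser for show service-policy cxsc text that reports a card status other than Up, non-zero drop or reset-drop counters, and an enabled auth-proxy whose proxied counter is still 0. The function names and the second class-map in the sample (including its "Down" status) are constructed for illustration.

```python
import re

# First class-map is the guide's sample output; the second is constructed
# (status "Down" and its counter values are assumed) to exercise the checks.
SAMPLE = """\
Global policy:
  Service-policy: pmap
    Class-map: class-default
      Default Queueing Set connection policy: random-sequence-number disable
        drop 0
      CXSC: card status Up, mode fail-open, auth-proxy enabled
        packet input 7724, packet output 7701, drop 0, reset-drop 0, proxied 10
    Class-map: constructed-degraded
      CXSC: card status Down, mode fail-close, auth-proxy enabled
        packet input 100, packet output 90, drop 7, reset-drop 3, proxied 0
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s*(\S+)")
CXSC_RE = re.compile(r"^\s*CXSC: card status (\S+), mode (\S+), auth-proxy (\S+)")
COUNTER_RE = re.compile(r"(packet input|packet output|reset-drop|drop|proxied) (\d+)")

def parse_cxsc(output):
    """Return one dict per CXSC entry, with its class-map and counters."""
    records, class_map, current = [], None, None
    for line in output.splitlines():
        if m := CLASS_RE.match(line):
            class_map, current = m.group(1), None
        elif m := CXSC_RE.match(line):
            current = {"class_map": class_map, "status": m.group(1),
                       "mode": m.group(2), "auth_proxy": m.group(3) == "enabled"}
            records.append(current)
        elif current is not None and line.strip().startswith("packet input"):
            # Counters belong to the CXSC line just above, not the policy's own "drop 0".
            for name, value in COUNTER_RE.findall(line):
                current[re.sub(r"[ -]", "_", name)] = int(value)
            current = None
    return records

def findings(records):
    """List the conditions an operator would want to look at."""
    out = []
    for r in records:
        cm = r["class_map"]
        if r["status"] != "Up":
            out.append(f"{cm}: card status {r['status']} (mode {r['mode']})")
        out += [f"{cm}: {k} = {r[k]}" for k in ("drop", "reset_drop") if r.get(k, 0) > 0]
        if r["auth_proxy"] and r.get("proxied", 0) == 0:
            out.append(f"{cm}: auth-proxy enabled, proxied = 0")
    return out
```

Calling findings(parse_cxsc(SAMPLE)) returns four findings, all for the constructed class-map; the guide's own sample produces none.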
Monitoring Module Connections
To show connections through the ASA CX module, enter one of the following commands:
• show asp table classify domain cxsc
Shows the NP rules created to send traffic to the ASA CX module.
• show asp table classify domain cxsc-auth-proxy
Shows the NP rules created for the authentication proxy for the ASA CX module. In the following sample output, which shows one rule, the destination “port=2000” is the auth-proxy port configured by the cxsc auth-proxy port 2000 command, and the destination “ip/id=192.168.0.100” is the ASA interface IP address.
hostname# show asp table classify domain cxsc-auth-proxy
Input Table
in id=0x7ffed86cc470, priority=121, domain=cxsc-auth-proxy, deny=false
hits=0, user_data=0x7ffed86ca220, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=192.168.0.100, mask=255.255.255.255, port=2000, dscp=0x0
input_ifc=inside, output_ifc=identity
• show asp drop
Shows dropped packets. The drop types are explained below.
• show asp event dp-cp cxsc-msg
This output shows how many ASA CX module messages are on the dp-cp queue. Only VPN queries from the ASA CX module are sent to dp-cp.
• show conn
Shows if a connection is being forwarded to a module by displaying the ‘X - inspected by service module’ flag.
The show asp drop command can include the following drop reasons related to the ASA CX module.
Frame Drops:
• cxsc-bad-tlv-received—This occurs when the ASA receives a packet from CXSC without a Policy ID TLV. This TLV must be present in non-control packets if it does not have the Standby Active bit set in the actions field.