Monitoring module connections – Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 59 Configuring the ASA CX Module

Monitoring the ASA CX Module

Monitoring Module Connections

To show connections through the ASA CX module, enter one of the following commands:

Command
    Purpose

show asp table classify domain cxsc
    Shows the NP rules created to send traffic to the ASA CX module.

show asp table classify domain cxsc-auth-proxy
    Shows the NP rules created for the authentication proxy for the ASA CX
    module.

show asp drop
    Shows dropped packets. The following drop types are used:

    Frame Drops:

    - cxsc-bad-tlv-received: This occurs when the ASA receives a packet
      from CXSC without a Policy ID TLV. This TLV must be present in
      non-control packets if the packet does not have the Standby Active
      bit set in the actions field.

    - cxsc-request: The frame was requested to be dropped by CXSC due to
      a policy on CXSC whereby CXSC would set the actions to Deny
      Source, Deny Destination, or Deny Pkt.

    - cxsc-fail-close: The packet is dropped because the card is not up and
      the policy configured was 'fail-close' (rather than 'fail-open', which
      allows packets through even if the card is down).

    - cxsc-fail: The CXSC configuration was removed for an existing
      flow and the ASA is not able to process it through CXSC, so it is
      dropped. This should be very unlikely.

    - cxsc-malformed-packet: The packet from CXSC contains an invalid
      header. For instance, the header length may not be correct.

    Flow Drops:

    - cxsc-request: The CXSC requested to terminate the flow. The
      actions bit 0 is set.

    - reset-by-cxsc: The CXSC requested to terminate and reset the flow.
      The actions bit 1 is set.

    - cxsc-fail-close: The flow was terminated because the card is down
      and the configured policy was 'fail-close'.

show asp event dp-cp cxsc-msg
    This output shows how many ASA CX module messages are on the dp-cp
    queue. Currently, only VPN queries from the ASA CX module are sent to
    dp-cp.

show conn
    This command already shows if a connection is being forwarded to a
    module by displaying the ‘X - inspected by service module’ flag.
    Connections being forwarded to the ASA CX module will also display the
    ‘X’ flag.

Examples

The following is sample output from the show asp table classify domain cxsc command:

hostname# show asp table classify domain cxsc

Input Table
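One way to monitor the show asp drop counters described above, as an added example that is not part of the Cisco guide: the Python code below parses two polls of the output and reports growth in the counters that indicate a module or datapath fault rather than a policy decision. It assumes each counter line ends in "(drop-name) count" under a "Frame drop:" or "Flow drop:" heading; the sample text and the function names are constructed for illustration.

```python
import re

# Drop names from the table above, with the meaning the guide gives each one.
MEANING = {
    "cxsc-fail-close": "module down and policy is fail-close",
    "cxsc-fail": "CXSC configuration removed for an existing flow",
    "cxsc-bad-tlv-received": "packet from CXSC without a Policy ID TLV",
    "cxsc-malformed-packet": "packet from CXSC with an invalid header",
    "cxsc-request": "CXSC policy asked for the drop",
    "reset-by-cxsc": "CXSC asked to terminate and reset the flow",
}
# Counters that indicate a module or datapath fault rather than a policy verdict.
FAULTS = set(MEANING) - {"cxsc-request", "reset-by-cxsc"}
SECTION = re.compile(r"^\s*(frame|flow) drops?:", re.I)
COUNTER = re.compile(r"\(([a-z0-9-]+)\)\s+(\d+)\s*$")

def parse_cxsc_drops(text):
    """Return {(section, drop_name): count}; names repeat across sections."""
    section, counts = None, {}
    for line in text.splitlines():
        head = SECTION.match(line)
        if head:
            section = head.group(1).lower()
            continue
        hit = COUNTER.search(line)
        if hit and section and hit.group(1) in MEANING:
            counts[(section, hit.group(1))] = int(hit.group(2))
    return counts

def fault_deltas(previous, current):
    """Counters are cumulative: report growth of fault counters between polls."""
    alerts = []
    for (section, name), count in sorted(current.items()):
        base = previous.get((section, name), 0)
        if count < base:          # counter was cleared between polls
            base = 0
        if name in FAULTS and count > base:
            alerts.append((section, name, count - base, MEANING[name]))
    return alerts

# Constructed sample text; the "(name)  count" layout is an assumption.
SAMPLE = """Frame drop:
  CXSC requested drop (cxsc-request)     12
  CXSC fail-close (cxsc-fail-close)      {fc}
Flow drop:
  CXSC requested drop (cxsc-request)     3
  CXSC fail-close (cxsc-fail-close)      {flow_fc}
"""
POLL_1, POLL_2 = SAMPLE.format(fc=0, flow_fc=0), SAMPLE.format(fc=40, flow_fc=2)
```

Rising cxsc-fail-close counts mean traffic is being dropped because the module is down, which is an availability event to investigate separately from cxsc-request drops that reflect CXSC policy.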
