Cisco Systems ASA 5585-X User Manual
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 30 Configuring the ASA CX Module
Monitoring the ASA CX Module
The following is sample output from the show service-policy command showing the ASA CX policy
and the current statistics as well as the module status when the authentication proxy is enabled; in this
case, the proxied counters also increment:
hostname# show service-policy cxsc
Global policy:
Service-policy: pmap
Class-map: class-default
Default Queueing Set connection policy: random-sequence-number disable
drop 0
CXSC: card status Up, mode fail-open, auth-proxy enabled
packet input 7724, packet output 7701, drop 0, reset-drop 0, proxied 10
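The following added example, which is not part of the Cisco guide, parses the CXSC lines of the output above and compares two samples to report a card that is not Up and growth in the drop counters. The indentation in SAMPLE and the function names are assumptions; the page shows only the status Up, so any other status is treated as not Up.

```python
import re

# Constructed sample: the CXSC portion of the output above, indentation assumed.
SAMPLE = """\
Global policy:
  Service-policy: pmap
    Class-map: class-default
      CXSC: card status Up, mode fail-open, auth-proxy enabled
        packet input 7724, packet output 7701, drop 0, reset-drop 0, proxied 10
"""

STATUS_RE = re.compile(
    r"CXSC:\s*card status (?P<status>[^,]+),\s*mode (?P<mode>fail-open|fail-close)"
    r"(?:,\s*auth-proxy (?P<auth_proxy>\w+))?")
COUNTER_RE = re.compile(r"(packet input|packet output|reset-drop|drop|proxied) (\d+)")


def parse_cxsc(text):
    """Return one dict per CXSC block: status, mode, auth_proxy and counters."""
    blocks, current = [], None
    for line in text.splitlines():
        m = STATUS_RE.search(line)
        if m:
            current = {**m.groupdict(), "counters": {}}
            blocks.append(current)
        elif current is not None and line.strip().startswith("packet input"):
            current["counters"] = {k: int(v) for k, v in COUNTER_RE.findall(line)}
            current = None
    return blocks


def assess(prev, curr):
    """Compare two parsed samples of the same class and list what needs attention."""
    findings = []
    up = curr["status"].strip().lower() == "up"
    if not up and curr["mode"] == "fail-open":
        findings.append("card not Up with fail-open: traffic passes without CX inspection")
    if not up and curr["mode"] == "fail-close":
        findings.append("card not Up with fail-close: matching traffic is dropped")
    for name in ("drop", "reset-drop"):
        delta = curr["counters"].get(name, 0) - prev["counters"].get(name, 0)
        if delta > 0:  # a negative delta means the counters were cleared; ignore it
            findings.append(f"{name} increased by {delta}")
    return findings


if __name__ == "__main__":
    sample = parse_cxsc(SAMPLE)[0]
    print(assess(sample, sample) or "no findings")
```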
Monitoring Module Connections
To show connections through the ASA CX module, enter one of the following commands:
Command
Purpose
show asp table classify domain cxsc
Shows the NP rules created to send traffic to the ASA CX module.
show asp table classify domain cxsc-auth-proxy
Shows the NP rules created for the authentication proxy for the ASA CX module.
show asp drop
Shows dropped packets. The following drop types are used:
Frame Drops:
• cxsc-bad-tlv-received—This occurs when the ASA receives a packet from CXSC without a Policy ID TLV. This TLV must be present in non-control packets if it does not have the Standby Active bit set in the actions field.
• cxsc-request—The frame was requested to be dropped by CXSC due to a policy on CXSC whereby CXSC would set the actions to Deny Source, Deny Destination, or Deny Pkt.
• cxsc-fail-close—The packet is dropped because the card is not up and the policy configured was 'fail-close' (rather than 'fail-open', which allows packets through even if the card was down).
• cxsc-fail—The CXSC configuration was removed for an existing flow and we are not able to process it through CXSC, so it will be dropped. This should be very unlikely.
• cxsc-malformed-packet—The packet from CXSC contains an invalid header. For instance, the header length may not be correct.
Flow Drops:
• cxsc-request—The CXSC requested to terminate the flow. The actions bit 0 is set.
• reset-by-cxsc—The CXSC requested to terminate and reset the flow. The actions bit 1 is set.
• cxsc-fail-close—The flow was terminated because the card is down and the configured policy was 'fail-close'.