[c-nsp] PIX/ASA "show counters" command

Antonio Soares amsoares at netcabo.pt
Thu Feb 25 11:57:02 EST 2010


Group,

I need help with the PIX/ASA "show counters" command:

http://www.cisco.com/en/US/partner/docs/security/asa/asa80/command/reference/s2.html#wp1358086

As you can see, the command reference doesn't give many details about the command.

The CLI "show counters description" command gives us additional information, for example:

++++++++++++++++++++++++++++++++++++++++++
PIX1# show counters description | inc TCP
IP           TO_TCP                         Packets delivered to TCP stack
TCP          IN_PKTS                        Packets received
TCP          OUT_PKTS                       Packets transmitted
TCP          RCV_GOOD                       Received good packets
TCP          IN_BAD_CXT                     Packets received with invalid environment data (ifc, ctx, etc.)
TCP          IN_NO_PRIV                     Packets dropped due to no TCB
TCP          BD_CKSUM                       Packets received with a bad checksum
TCP          BD_LEN                         Packets received with a bad length
TCP          NOT_ALLWD                      Packets dropped due to security level
TCP          INV_HOST                       Packets dropped invalid host and least secured interface
TCP          NO_APP                         Packets dropped no one listening
TCP          DROP_NRST                      Packets dropped no one listening - no reset sent
TCP          SESS_CLSD                      Packets dropped session closed
TCP          SESS_CTOD                      Packets dropped session slosed due to timeout
TCP          DRP_LIS_RST                    Packets dropped Listen state received reset
TCP          DRP_LIS_BAD                    Packets dropped Listen state received packet with invalid flags
TCP          SYNS_RST                       Packets dropped SynSent state received reset
TCP          SYNS_BAD                       Packets dropped SynSent state received packet with invalid flags
TCP          CONN_RST1                      Packets dropped Est, Fin1, Fin2, CloseWait state connection reset
TCP          CONN_RST2                      Packets dropped Closing, LastAck, TimeWait state connection reset
TCP          CONN_RST3                      Packets dropped Est, Fin1, Fin2, CloseWait, Closed, LastAck, TimeWait state received syn
TCP          CONN_REFD                      Packets dropped SynRcvd state conn refused
TCP          BAD_FLAG                       Packets dropped invalid flag for state
TCP          NACK1                          Packets dropped Est, CloseWait state received ack - not established
TCP          NACK2                          Packets dropped Fin1 state received ack - not established
TCP          NACK3                          Packets dropped Fin2 state received ack - not established
TCP          NACK4                          Packets dropped Closing state received ack - not established
TCP          DROP_UNACC                     Packets dropped do not save or rearrange segments
TCP          DROP_IGNORE1                   Packets dropped Closing state received ack - ignored
TCP          DROP_IGNORE2                   Packets dropped LastAck state received non fin/ack - ignored
TCP          DROP_IGNORE3                   Packets dropped TimeWait state received non remote fin/ack - ignored
TCP          DROP_IGNORE4                   Packets dropped CloseWait, Closing, LastAck, TimeWait state received non remote fin/ack - data ignored
TCP          DROP_IGNORE5                   Packets dropped Closed, Listen, SynSent state received fin/ack - ignored
TCP          DROP_IGNORE6                   Packets dropped CloseWait, Closing, LastAck, TimeWait state received fin/ack - ignored
TCP          DROP_IGNORE7                   Packets dropped Estab state & receiving data but no blocks are available - ignored
TCP          OUT_CLSD                       Packets out dropped Conn Closed
TCP          OUT_BAD_CXT                    Packets out packets dropped due to invalid environment data (ifc, ctx, etc.)
TCP          OUT_NO_BLKS                    Packets out no blocks
TCP          OUT_NO_PRIV                    Packets out due to no TCB
TCP          OUT_CONNRDY                    Packets out dropped connection not ready
TCP          HASH_ADD                       User hash add
TCP          HASH_ADD_DUP                   User hash add dup
TCP          HASH_MISS                      User srch hash miss
TCP          HASH_HIT                       User srch hash hit
TCP          HASH_DEL                       User hash delete
TCP          HASH_DMISS                     User hash delete miss
TCP          MOVE_FAILED                    Move listener failed
TCP          NO_USER_MEM                    Alloc user failed
TCP          FORCE_FREE                     Users Forcefully removed due to context deletion
TCP          SND_SYN                        send syn
TCP          SND_RST                        send rst
TCP          SND_ACK                        send ack
TCP          RCV_ACK                        receive ack
TCP          RCV_ACK_NEST                   receive ack not established
NPSHIM       IOCTL_TCPFIP_FAIL              Ioctl TCPFIP Fail
PIX1#
++++++++++++++++++++++++++++++++++++++++++

Now, taking TCP as an example: are these counters related to TCP sessions that traverse the PIX/ASA, to sessions to/from the PIX/ASA itself, or to both?

I have a customer swearing that these counters are related to TCP sessions to/from the PIX/ASA, and I found that very strange. Why would we need so many details about that? These counters make sense for connections traversing the PIX/ASA. By the way, that is what the customer was looking for.

I don't have access to real gear right now, and under dynamips/pemu I don't see anything...


Thanks.

Regards,
 
Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt
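One way to settle the through-the-box versus to-the-box question empirically, once real gear is available, is to snapshot "show counters" before and after a single test connection and see which counters move. The script below is an added example, not part of the original post or of any Cisco tooling: it parses two snapshots plus the "show counters description" text, reports the counters that changed, and glues e-mail-wrapped description lines (like the "- data ignored" continuation in the post) back onto their counter. The four-column "Protocol / Counter / Value / Context" layout of "show counters" is assumed from the command's documented output, and every value in the embedded samples is invented to exercise the parser, not measured on a device.

```python
"""Diff two PIX/ASA "show counters" snapshots and annotate the counters that
changed with the text from "show counters description".

Added example, not from the original post.  Sample output below is
constructed (invented values) purely to demonstrate the parsing and the
before/after diff; it says nothing about what the real counters mean.
"""
import re

# Assumed column layout of "show counters": Protocol Counter Value Context.
VALUE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")
# "show counters description": Protocol Counter <free-text description>.
DESC_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S.*)$")

# Constructed sample of "show counters description", including one line
# wrapped by an e-mail client exactly as in the post.
DESCRIPTION_OUTPUT = """\
PIX1# show counters description | inc TCP
IP           TO_TCP                         Packets delivered to TCP stack
TCP          IN_PKTS                        Packets received
TCP          OUT_PKTS                       Packets transmitted
TCP          DROP_IGNORE4                   Packets dropped CloseWait, Closing, LastAck, TimeWait state received non remote fin/ack
- data ignored
TCP          SND_RST                        send rst
PIX1#
"""

# Constructed snapshots (values invented).  SND_RST only appears in the
# second one, as happens when the output was filtered with "| inc".
BEFORE = """\
Protocol   Counter      Value   Context
IP         TO_TCP       100     Summary
TCP        IN_PKTS      100     Summary
TCP        OUT_PKTS     90      Summary
TCP        SND_ACK      40      Summary
"""
AFTER = """\
Protocol   Counter      Value   Context
IP         TO_TCP       104     Summary
TCP        IN_PKTS      104     Summary
TCP        OUT_PKTS     93      Summary
TCP        SND_ACK      40      Summary
TCP        SND_RST      1       Summary
"""


def parse_descriptions(text):
    """Map (protocol, counter) -> description, re-joining wrapped lines."""
    out, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = DESC_RE.match(line)
        # A real row starts with an alphanumeric protocol token; the header
        # row (if present) has the literal word "Counter" in column two.
        if m and m.group(1).isalnum() and m.group(2) != "Counter":
            proto, name, desc = m.groups()
            last = (proto, name)
            out[last] = desc
        elif last is not None and line and not line.endswith("#"):
            # Continuation of the previous description (e-mail/terminal wrap).
            out[last] += " " + line
    return out


def parse_counters(text):
    """Map (protocol, counter, context) -> integer value."""
    out = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:  # header, prompt and echo lines simply do not match
            proto, name, value, ctx = m.groups()
            out[(proto, name, ctx)] = int(value)
    return out


def counter_deltas(before, after):
    """Counters whose value differs between snapshots, as (old, new, delta).
    A counter present in only one snapshot gets None for the missing side
    and None for the delta, so it is flagged rather than silently dropped."""
    deltas = {}
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key), after.get(key)
        if b != a:
            deltas[key] = (b, a, None if b is None or a is None else a - b)
    return deltas


def report(before_text, after_text, desc_text):
    """Human-readable lines: proto counter context old -> new (+n) description."""
    descs = parse_descriptions(desc_text)
    lines = []
    for (proto, name, ctx), (b, a, d) in counter_deltas(
            parse_counters(before_text), parse_counters(after_text)).items():
        change = "?" if d is None else f"{d:+d}"
        desc = descs.get((proto, name), "(no description)")
        lines.append(f"{proto:<8}{name:<16}{ctx:<10}{b} -> {a} ({change})  {desc}")
    return lines


if __name__ == "__main__":
    for line in report(BEFORE, AFTER, DESCRIPTION_OUTPUT):
        print(line)
```

To use it against real output, capture "show counters protocol tcp" (or the unfiltered command) to a file before and after the test connection, capture "show counters description" once, and feed the three texts to report(). Run the test twice, once with a connection through the firewall and once with a connection terminated on it (SSH/ASDM to an interface), and the counters that move in each run answer the question directly.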
