[c-nsp] PIX/ASA "show counters" command
Antonio Soares
amsoares at netcabo.pt
Thu Feb 25 15:17:27 EST 2010
David/Andrew,
Thank you very much for clarifying this. Well, the customer was looking for something like this but for TCP sessions traversing the
PIX/ASA. For example, how many SYN packets were sent to the systems protected by the unit, how many SYN/ACKs were sent from those
systems, how many reached the established state and so on. Do we have any options here? I'm now investigating whether the
CISCO-UNIFIED-MIB can help:
ftp://ftp.cisco.com/pub/mibs/v2/CISCO-UNIFIED-FIREWALL-MIB.my
Regards,
Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt
-----Original Message-----
From: David White, Jr. (dwhitejr) [mailto:dwhitejr at cisco.com]
Sent: Thursday, 25 February 2010 18:35
To: Antonio Soares
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] PIX/ASA "show counters" command
Hi Antonio,
Please see inline..
Antonio Soares wrote:
> Group,
>
> I need help with the PIX/ASA "show counters" command:
>
> http://www.cisco.com/en/US/partner/docs/security/asa/asa80/command/reference/s2.html#wp1358086
>
> As you can see, the command reference doesn't give too much details about the command.
>
> The CLI "show counters description" command gives us additional information, for example:
>
> ++++++++++++++++++++++++++++++++++++++++++
> PIX1# show counters description | inc TCP
> IP TO_TCP Packets delivered to TCP stack
> TCP IN_PKTS Packets received
> TCP OUT_PKTS Packets transmitted
> TCP RCV_GOOD Received good packets
> TCP IN_BAD_CXT Packets received with invalid environment data (ifc, ctx, etc.)
> TCP IN_NO_PRIV Packets dropped due to no TCB
> TCP BD_CKSUM Packets received with a bad checksum
> TCP BD_LEN Packets received with a bad length
> TCP NOT_ALLWD Packets dropped due to security level
> TCP INV_HOST Packets dropped invalid host and least secured interface
> TCP NO_APP Packets dropped no one listening
> TCP DROP_NRST Packets dropped no one listening - no reset sent
> TCP SESS_CLSD Packets dropped session closed
> TCP SESS_CTOD Packets dropped session slosed due to timeout
> TCP DRP_LIS_RST Packets dropped Listen state received reset
> TCP DRP_LIS_BAD Packets dropped Listen state received packet with invalid flags
> TCP SYNS_RST Packets dropped SynSent state received reset
> TCP SYNS_BAD Packets dropped SynSent state received packet with invalid flags
> TCP CONN_RST1 Packets dropped Est, Fin1, Fin2, CloseWait state connection reset
> TCP CONN_RST2 Packets dropped Closing, LastAck, TimeWait state connection reset
> TCP CONN_RST3 Packets dropped Est, Fin1, Fin2, CloseWait, Closed, LastAck, TimeWait state received syn
> TCP CONN_REFD Packets dropped SynRcvd state conn refused
> TCP BAD_FLAG Packets dropped invalid flag for state
> TCP NACK1 Packets dropped Est, CloseWait state received ack - not established
> TCP NACK2 Packets dropped Fin1 state received ack - not established
> TCP NACK3 Packets dropped Fin2 state received ack - not established
> TCP NACK4 Packets dropped Closing state received ack - not established
> TCP DROP_UNACC Packets dropped do not save or rearrange segments
> TCP DROP_IGNORE1 Packets dropped Closing state received ack - ignored
> TCP DROP_IGNORE2 Packets dropped LastAck state received non fin/ack - ignored
> TCP DROP_IGNORE3 Packets dropped TimeWait state received non remote fin/ack - ignored
> TCP DROP_IGNORE4 Packets dropped CloseWait, Closing, LastAck, TimeWait state received non remote fin/ack - data ignored
> TCP DROP_IGNORE5 Packets dropped Closed, Listen, SynSent state received fin/ack - ignored
> TCP DROP_IGNORE6 Packets dropped CloseWait, Closing, LastAck, TimeWait state received fin/ack - ignored
> TCP DROP_IGNORE7 Packets dropped Estab state & receiving data but no blocks are available - ignored
> TCP OUT_CLSD Packets out dropped Conn Closed
> TCP OUT_BAD_CXT Packets out packets dropped due to invalid environment data (ifc, ctx, etc.)
> TCP OUT_NO_BLKS Packets out no blocks
> TCP OUT_NO_PRIV Packets out due to no TCB
> TCP OUT_CONNRDY Packets out dropped connection not ready
> TCP HASH_ADD User hash add
> TCP HASH_ADD_DUP User hash add dup
> TCP HASH_MISS User srch hash miss
> TCP HASH_HIT User srch hash hit
> TCP HASH_DEL User hash delete
> TCP HASH_DMISS User hash delete miss
> TCP MOVE_FAILED Move listener failed
> TCP NO_USER_MEM Alloc user failed
> TCP FORCE_FREE Users Forcefully removed due to context deletion
> TCP SND_SYN send syn
> TCP SND_RST send rst
> TCP SND_ACK send ack
> TCP RCV_ACK receive ack
> TCP RCV_ACK_NEST receive ack not established
> NPSHIM IOCTL_TCPFIP_FAIL Ioctl TCPFIP Fail
> PIX1#
> ++++++++++++++++++++++++++++++++++++++++++
>
> Now, for example for TCP, are these counters related to TCP sessions that traverse the PIX/ASA, sessions to/from the PIX/ASA, or
> both?
>
They are for packets to/from the PIX/ASA's stack.
> I have a customer swearing that these counters are related to TCP sessions to/from the PIX/ASA and I found it very strange. Why
> would we need so many details about that? These counters make sense for connections traversing the PIX/ASA. By the way, this was
> what the customer was looking for.
>
With clientless WebVPN, and other sessions that terminate on the box, it
is yet another way to debug/troubleshoot some issues :-)
Sincerely,
David.
> I don't have access to real gear right now and under dynamips/pemu, I don't see anything...
>
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt
>
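As an added example (not from the thread or from Cisco), here is a small parser for the "show counters description" output format quoted above, paired with a helper that picks out the drop counters that actually moved. Since David's answer places these counters on the box's own stack, the helper is meant for troubleshooting sessions that terminate on the PIX/ASA itself; the counter values are constructed, and the dict of values stands in for a "show counters" snapshot whose exact layout is not shown on the page.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a subset of the "show counters description | inc TCP"
# lines quoted in the thread, including the prompt lines the parser must skip.
DESCRIPTION_OUTPUT = """\
PIX1# show counters description | inc TCP
IP TO_TCP Packets delivered to TCP stack
TCP IN_PKTS Packets received
TCP OUT_PKTS Packets transmitted
TCP RCV_GOOD Received good packets
TCP IN_NO_PRIV Packets dropped due to no TCB
TCP BD_CKSUM Packets received with a bad checksum
TCP NOT_ALLWD Packets dropped due to security level
TCP CONN_REFD Packets dropped SynRcvd state conn refused
TCP SND_SYN send syn
TCP SND_RST send rst
NPSHIM IOCTL_TCPFIP_FAIL Ioctl TCPFIP Fail
PIX1#
"""

# PROTOCOL COUNTER_NAME free-text description; the prompt "PIX1#" never matches.
LINE_RE = re.compile(r"^([A-Z]+)\s+([A-Z0-9_]+)\s+(.+?)\s*$")

def parse_descriptions(text: str) -> Dict[Tuple[str, str], str]:
    """Map (protocol, counter) -> description, skipping prompt and blank lines."""
    out: Dict[Tuple[str, str], str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out[(m.group(1), m.group(2))] = m.group(3)
    return out

def nonzero_drops(desc: Dict[Tuple[str, str], str],
                  values: Dict[Tuple[str, str], int]) -> List[Tuple[str, str, int, str]]:
    """Return (proto, counter, value, description) for drop counters with a
    non-zero value, largest first, so the stack-local failures stand out."""
    hits = [(k[0], k[1], v, desc.get(k, ""))
            for k, v in values.items()
            if v > 0 and "dropped" in desc.get(k, "").lower()]
    hits.sort(key=lambda h: h[2], reverse=True)
    return hits

# Constructed snapshot of counter values (hypothetical numbers, not from the thread).
SAMPLE_VALUES = {
    ("TCP", "IN_PKTS"): 1200,
    ("TCP", "NOT_ALLWD"): 37,
    ("TCP", "CONN_REFD"): 4,
    ("TCP", "BD_CKSUM"): 0,
    ("TCP", "SND_RST"): 41,
}

if __name__ == "__main__":
    for proto, name, value, text in nonzero_drops(parse_descriptions(DESCRIPTION_OUTPUT), SAMPLE_VALUES):
        print(f"{proto} {name:<12} {value:>6}  {text}")
```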