[c-nsp] PIX/ASA "show counters" command

Antonio Soares amsoares at netcabo.pt
Thu Feb 25 15:17:27 EST 2010


David/Andrew,

Thank you very much for clarifying this. Well, the customer was looking for something like this but for TCP sessions traversing the
PIX/ASA. For example, how many SYN packets were sent to the systems protected by the unit, how many SYN/ACK were sent from those
systems, how many reached the established state and so on. Do we have any options here? I'm now investigating if the
CISCO-UNIFIED-MIB can help:

ftp://ftp.cisco.com/pub/mibs/v2/CISCO-UNIFIED-FIREWALL-MIB.my


Regards,
 
Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

-----Original Message-----
From: David White, Jr. (dwhitejr) [mailto:dwhitejr at cisco.com] 
Sent: Thursday, 25 February 2010 18:35
To: Antonio Soares
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] PIX/ASA "show counters" command

Hi Antonio,

Please see inline..

Antonio Soares wrote:
> Group,
>
> I need help with the PIX/ASA "show counters" command:
>
> http://www.cisco.com/en/US/partner/docs/security/asa/asa80/command/reference/s2.html#wp1358086
>
> As you can see, the command reference doesn't give too much details about the command.
>
> The CLI "show counters description" command gives us additional information, for example:
>
> ++++++++++++++++++++++++++++++++++++++++++
> PIX1# show counters description | inc TCP
> IP           TO_TCP                         Packets delivered to TCP stack
> TCP          IN_PKTS                        Packets received
> TCP          OUT_PKTS                       Packets transmitted
> TCP          RCV_GOOD                       Received good packets
> TCP          IN_BAD_CXT                     Packets received with invalid environment data (ifc, ctx, etc.)
> TCP          IN_NO_PRIV                     Packets dropped due to no TCB
> TCP          BD_CKSUM                       Packets received with a bad checksum
> TCP          BD_LEN                         Packets received with a bad length
> TCP          NOT_ALLWD                      Packets dropped due to security level
> TCP          INV_HOST                       Packets dropped invalid host and least secured interface
> TCP          NO_APP                         Packets dropped no one listening
> TCP          DROP_NRST                      Packets dropped no one listening - no reset sent
> TCP          SESS_CLSD                      Packets dropped session closed
> TCP          SESS_CTOD                      Packets dropped session slosed due to timeout
> TCP          DRP_LIS_RST                    Packets dropped Listen state received reset
> TCP          DRP_LIS_BAD                    Packets dropped Listen state received packet with invalid flags
> TCP          SYNS_RST                       Packets dropped SynSent state received reset
> TCP          SYNS_BAD                       Packets dropped SynSent state received packet with invalid flags
> TCP          CONN_RST1                      Packets dropped Est, Fin1, Fin2, CloseWait state connection reset
> TCP          CONN_RST2                      Packets dropped Closing, LastAck, TimeWait state connection reset
> TCP          CONN_RST3                      Packets dropped Est, Fin1, Fin2, CloseWait, Closed, LastAck, TimeWait state received syn
> TCP          CONN_REFD                      Packets dropped SynRcvd state conn refused
> TCP          BAD_FLAG                       Packets dropped invalid flag for state
> TCP          NACK1                          Packets dropped Est, CloseWait state received ack - not established
> TCP          NACK2                          Packets dropped Fin1 state received ack - not established
> TCP          NACK3                          Packets dropped Fin2 state received ack - not established
> TCP          NACK4                          Packets dropped Closing state received ack - not established
> TCP          DROP_UNACC                     Packets dropped do not save or rearrange segments
> TCP          DROP_IGNORE1                   Packets dropped Closing state received ack - ignored
> TCP          DROP_IGNORE2                   Packets dropped LastAck state received non fin/ack - ignored
> TCP          DROP_IGNORE3                   Packets dropped TimeWait state received non remote fin/ack - ignored
> TCP          DROP_IGNORE4                   Packets dropped CloseWait, Closing, LastAck, TimeWait state received non remote fin/ack - data ignored
> TCP          DROP_IGNORE5                   Packets dropped Closed, Listen, SynSent state received fin/ack - ignored
> TCP          DROP_IGNORE6                   Packets dropped CloseWait, Closing, LastAck, TimeWait state received fin/ack - ignored
> TCP          DROP_IGNORE7                   Packets dropped Estab state & receiving data but no blocks are available - ignored
> TCP          OUT_CLSD                       Packets out dropped Conn Closed
> TCP          OUT_BAD_CXT                    Packets out packets dropped due to invalid environment data (ifc, ctx, etc.)
> TCP          OUT_NO_BLKS                    Packets out no blocks
> TCP          OUT_NO_PRIV                    Packets out due to no TCB
> TCP          OUT_CONNRDY                    Packets out dropped connection not ready
> TCP          HASH_ADD                       User hash add
> TCP          HASH_ADD_DUP                   User hash add dup
> TCP          HASH_MISS                      User srch hash miss
> TCP          HASH_HIT                       User srch hash hit
> TCP          HASH_DEL                       User hash delete
> TCP          HASH_DMISS                     User hash delete miss
> TCP          MOVE_FAILED                    Move listener failed
> TCP          NO_USER_MEM                    Alloc user failed
> TCP          FORCE_FREE                     Users Forcefully removed due to context deletion
> TCP          SND_SYN                        send syn
> TCP          SND_RST                        send rst
> TCP          SND_ACK                        send ack
> TCP          RCV_ACK                        receive ack
> TCP          RCV_ACK_NEST                   receive ack not established
> NPSHIM       IOCTL_TCPFIP_FAIL              Ioctl TCPFIP Fail
> PIX1#
> ++++++++++++++++++++++++++++++++++++++++++
>
> Now, for example for TCP, are these counters related to TCP sessions that traverse the PIX/ASA, sessions to/from the PIX/ASA or
> both?
>   

They are for packets to/from the PIX/ASA's stack.

> I have a customer swearing that these counters are related to TCP sessions to/from the PIX/ASA and I found it very strange. Why
> would we need so many details about that? These counters make sense for connections traversing the PIX/ASA. By the way, this was
> what the customer was looking for.
>   

With clientless WebVPN, and other sessions that terminate on the box, it
is yet another way to debug/troubleshoot some issues :-)

Sincerely,

David.
> I don't have access to real gear right now and under dynamips/pemu, I don't see anything...
>
>
> Thanks.
>
> Regards,
>  
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>   
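An added example, not part of the thread: a small Python parser for the `show counters description` table quoted above, plus a helper that compares two polls of the box-stack counter values and reports which drop counters moved, with the device's own description attached. The poll dicts stand in for values parsed from successive `show counters` runs; their shape and the sample values are assumptions, not Cisco output.

```python
import re

# Constructed sample: a subset of the "show counters description | inc TCP"
# output quoted in the thread, including the CLI prompt lines around it.
DESCRIPTION_OUTPUT = """\
PIX1# show counters description | inc TCP
IP           TO_TCP                         Packets delivered to TCP stack
TCP          IN_PKTS                        Packets received
TCP          BD_CKSUM                       Packets received with a bad checksum
TCP          NO_APP                         Packets dropped no one listening
TCP          CONN_REFD                      Packets dropped SynRcvd state conn refused
TCP          SND_RST                        send rst
PIX1#
"""

PROMPT_RE = re.compile(r"^\S+#")                    # "PIX1#" or "PIX1# show ..."
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.+?)\s*$")  # protocol, counter, description


def parse_descriptions(text):
    """Return {(protocol, counter): description} from the CLI output."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or PROMPT_RE.match(line):
            continue  # blank line or CLI prompt, not a table row
        m = ROW_RE.match(line)
        if m:
            proto, name, desc = m.groups()
            table[(proto, name)] = desc
    return table


def drop_counters(table, proto="TCP"):
    """Counters of one protocol whose description says the packet was dropped."""
    return sorted(name for (p, name), desc in table.items()
                  if p == proto and "dropped" in desc.lower())


def drop_deltas(table, before, after, proto="TCP"):
    """Hypothetical poll dicts {(proto, counter): int}; return (counter, increase,
    description) for every drop counter that grew between the two polls."""
    out = []
    for name in drop_counters(table, proto):
        key = (proto, name)
        delta = after.get(key, 0) - before.get(key, 0)
        if delta > 0:
            out.append((name, delta, table[key]))
    return out


if __name__ == "__main__":
    t = parse_descriptions(DESCRIPTION_OUTPUT)
    before = {("TCP", "NO_APP"): 2, ("TCP", "SND_RST"): 2}      # constructed polls
    after = {("TCP", "NO_APP"): 250, ("TCP", "SND_RST"): 250}
    print(drop_deltas(t, before, after))
```

Because these counters cover the ASA's own stack (as David notes), a jump in NO_APP between polls points at traffic aimed at the box itself rather than at hosts behind it.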
