[c-nsp] PIX/ASA "show counters" command

Andrew Yourtchenko ayourtch at cisco.com
Thu Feb 25 16:40:32 EST 2010


Antonio,

On Thu, 25 Feb 2010, Antonio Soares wrote:

> David/Andrew,
>
> Thank you very much for clarifying this. Well, the customer was looking for something like this but for TCP sessions traversing the
> PIX/ASA. For example, how many SYN packets were sent to the systems protected by the unit, how many SYN/ACK were sent from those
> systems, how many arrived to the established state and so on. Do we have any options here ? I'm now investigating if the
> CISCO-UNIFIED-MIB can help:
>
> ftp://ftp.cisco.com/pub/mibs/v2/CISCO-UNIFIED-FIREWALL-MIB.my


You can take a look at the output of "show snmp-server oidlist" to see 
what's queryable. (We've a bug filed to get this command documented)

An output close to what they could be looking for is "show perfmon"; 
the "detail" keyword adds the setup rates at the end of its output:

# sh perfmon detail

PERFMON STATS:                     Current      Average
Xlates                                0/s          0/s
Connections                           0/s          0/s
TCP Conns                             0/s          0/s
UDP Conns                             0/s          0/s
URL Access                            0/s          0/s
URL Server Req                        0/s          0/s
TCP Fixup                             0/s          0/s
TCP Intercept Established Conns       0/s          0/s
TCP Intercept Attempts                9/s          0/s
TCP Embryonic Conns Timeout           0/s          0/s
HTTP Fixup                            0/s          0/s
FTP Fixup                             0/s          0/s
AAA Authen                            0/s          0/s
AAA Author                            0/s          0/s
AAA Account                           0/s          0/s

VALID CONNS RATE in TCP INTERCEPT:    Current      Average
                                         0.00%          0.00%

SETUP RATES:
Connections for 1 minute = 0/s; 5 minutes = 0/s
TCP Conns for 1 minute = 0/s; 5 minutes = 0/s
UDP Conns for 1 minute = 0/s; 5 minutes = 0/s


If you want the more detailed stats, you can configure the 
"threat-detection statistics" - 
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html#wp1058499

But that of course comes at the cost of a very noticeable amount of memory to 
store these stats.

In the case of spoofed TCP SYNs once the embryonic 
limit is reached, the reaction to them is stateless, so there are no 
per-host statistics kept by default.

cheers,
andrew


>
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt
>
> -----Original Message-----
> From: David White, Jr. (dwhitejr) [mailto:dwhitejr at cisco.com]
> Sent: Thursday, 25 February 2010 18:35
> To: Antonio Soares
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] PIX/ASA "show counters" command
>
> Hi Antonio,
>
> Please see inline..
>
> Antonio Soares wrote:
>> Group,
>>
>> I need help with the PIX/ASA "show counters" command:
>>
>> http://www.cisco.com/en/US/partner/docs/security/asa/asa80/command/reference/s2.html#wp1358086
>>
>> As you can see, the command reference doesn't give too much details about the command.
>>
>> The CLI "show counters description" command gives us additional information, for example:
>>
>> ++++++++++++++++++++++++++++++++++++++++++
>> PIX1# show counters description | inc TCP
>> IP           TO_TCP                         Packets delivered to TCP stack
>> TCP          IN_PKTS                        Packets received
>> TCP          OUT_PKTS                       Packets transmitted
>> TCP          RCV_GOOD                       Received good packets
>> TCP          IN_BAD_CXT                     Packets received with invalid environment data (ifc, ctx, etc.)
>> TCP          IN_NO_PRIV                     Packets dropped due to no TCB
>> TCP          BD_CKSUM                       Packets received with a bad checksum
>> TCP          BD_LEN                         Packets received with a bad length
>> TCP          NOT_ALLWD                      Packets dropped due to security level
>> TCP          INV_HOST                       Packets dropped invalid host and least secured interface
>> TCP          NO_APP                         Packets dropped no one listening
>> TCP          DROP_NRST                      Packets dropped no one listening - no reset sent
>> TCP          SESS_CLSD                      Packets dropped session closed
>> TCP          SESS_CTOD                      Packets dropped session slosed due to timeout
>> TCP          DRP_LIS_RST                    Packets dropped Listen state received reset
>> TCP          DRP_LIS_BAD                    Packets dropped Listen state received packet with invalid flags
>> TCP          SYNS_RST                       Packets dropped SynSent state received reset
>> TCP          SYNS_BAD                       Packets dropped SynSent state received packet with invalid flags
>> TCP          CONN_RST1                      Packets dropped Est, Fin1, Fin2, CloseWait state connection reset
>> TCP          CONN_RST2                      Packets dropped Closing, LastAck, TimeWait state connection reset
>> TCP          CONN_RST3                      Packets dropped Est, Fin1, Fin2, CloseWait, Closed, LastAck, TimeWait state received syn
>> TCP          CONN_REFD                      Packets dropped SynRcvd state conn refused
>> TCP          BAD_FLAG                       Packets dropped invalid flag for state
>> TCP          NACK1                          Packets dropped Est, CloseWait state received ack - not established
>> TCP          NACK2                          Packets dropped Fin1 state received ack - not established
>> TCP          NACK3                          Packets dropped Fin2 state received ack - not established
>> TCP          NACK4                          Packets dropped Closing state received ack - not established
>> TCP          DROP_UNACC                     Packets dropped do not save or rearrange segments
>> TCP          DROP_IGNORE1                   Packets dropped Closing state received ack - ignored
>> TCP          DROP_IGNORE2                   Packets dropped LastAck state received non fin/ack - ignored
>> TCP          DROP_IGNORE3                   Packets dropped TimeWait state received non remote fin/ack - ignored
>> TCP          DROP_IGNORE4                   Packets dropped CloseWait, Closing, LastAck, TimeWait state received non remote fin/ack - data ignored
>> TCP          DROP_IGNORE5                   Packets dropped Closed, Listen, SynSent state received fin/ack - ignored
>> TCP          DROP_IGNORE6                   Packets dropped CloseWait, Closing, LastAck, TimeWait state received fin/ack - ignored
>> TCP          DROP_IGNORE7                   Packets dropped Estab state & receiving data but no blocks are available - ignored
>> TCP          OUT_CLSD                       Packets out dropped Conn Closed
>> TCP          OUT_BAD_CXT                    Packets out packets dropped due to invalid environment data (ifc, ctx, etc.)
>> TCP          OUT_NO_BLKS                    Packets out no blocks
>> TCP          OUT_NO_PRIV                    Packets out due to no TCB
>> TCP          OUT_CONNRDY                    Packets out dropped connection not ready
>> TCP          HASH_ADD                       User hash add
>> TCP          HASH_ADD_DUP                   User hash add dup
>> TCP          HASH_MISS                      User srch hash miss
>> TCP          HASH_HIT                       User srch hash hit
>> TCP          HASH_DEL                       User hash delete
>> TCP          HASH_DMISS                     User hash delete miss
>> TCP          MOVE_FAILED                    Move listener failed
>> TCP          NO_USER_MEM                    Alloc user failed
>> TCP          FORCE_FREE                     Users Forcefully removed due to context deletion
>> TCP          SND_SYN                        send syn
>> TCP          SND_RST                        send rst
>> TCP          SND_ACK                        send ack
>> TCP          RCV_ACK                        receive ack
>> TCP          RCV_ACK_NEST                   receive ack not established
>> NPSHIM       IOCTL_TCPFIP_FAIL              Ioctl TCPFIP Fail
>> PIX1#
>> ++++++++++++++++++++++++++++++++++++++++++
>>
>> Now, for example for TCP, are these counters related to TCP sessions that traverse the PIX/ASA, sessions to/from the PIX/ASA, or
>> both?
>>
>
> They are for packets to/from the PIX/ASA's stack.
>
>> I have a customer swearing that these counters are related to TCP sessions to/from the PIX/ASA and I found it very strange. Why
>> would we need so many details about that? These counters make sense for connections traversing the PIX/ASA. By the way, this was
>> what the customer was looking for.
>>
>
> With clientless WebVPN, and other sessions that terminate on the box, it
> is yet another way to debug/troubleshoot some issues :-)
>
> Sincerely,
>
> David.
>> I don't have access to real gear right now and under dynamips/pemu, I don't see anything...
>>
>>
>> Thanks.
>>
>> Regards,
>>
>> Antonio Soares, CCIE #18473 (R&S/SP)
>> amsoares at netcabo.pt
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
>

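As an added example (not part of this thread and not Cisco's own tooling), here is a parser for the "show perfmon detail" output Andrew pasted above. It pulls out the per-second rates, the "VALID CONNS RATE in TCP INTERCEPT" percentage and the setup rates, and applies a simple heuristic for the situation he describes: TCP intercept attempts ticking up while almost none of the intercepted handshakes complete. The sample text is Andrew's output; the threshold values are assumptions chosen for illustration. Keep in mind his caveat that the intercept path only reacts once the embryonic limit is reached, so a unit with no embryonic limit in effect will show zeros here even under a SYN flood, which is worth checking before trusting a "quiet" reading.

```python
import re
from dataclasses import dataclass, field

# "show perfmon detail" output as posted in the thread above (an otherwise idle
# unit with a few spoofed SYNs landing in TCP intercept). Used as sample input.
SAMPLE = """\
PERFMON STATS:                     Current      Average
Xlates                                0/s          0/s
Connections                           0/s          0/s
TCP Conns                             0/s          0/s
UDP Conns                             0/s          0/s
URL Access                            0/s          0/s
URL Server Req                        0/s          0/s
TCP Fixup                             0/s          0/s
TCP Intercept Established Conns       0/s          0/s
TCP Intercept Attempts                9/s          0/s
TCP Embryonic Conns Timeout           0/s          0/s
HTTP Fixup                            0/s          0/s
FTP Fixup                             0/s          0/s
AAA Authen                            0/s          0/s
AAA Author                            0/s          0/s
AAA Account                           0/s          0/s

VALID CONNS RATE in TCP INTERCEPT:    Current      Average
                                         0.00%          0.00%

SETUP RATES:
Connections for 1 minute = 0/s; 5 minutes = 0/s
TCP Conns for 1 minute = 0/s; 5 minutes = 0/s
UDP Conns for 1 minute = 0/s; 5 minutes = 0/s
"""

# One counter row: "<name>   <current>/s   <average>/s"
RATE_LINE = re.compile(
    r"^(?P<name>\S.*?)\s+(?P<cur>\d+(?:\.\d+)?)/s\s+(?P<avg>\d+(?:\.\d+)?)/s\s*$")
# The percentage row under "VALID CONNS RATE in TCP INTERCEPT"
PCT_LINE = re.compile(r"^\s*(?P<cur>\d+\.\d+)%\s+(?P<avg>\d+\.\d+)%\s*$")
# One setup-rate row: "<name> for 1 minute = N/s; 5 minutes = N/s"
SETUP_LINE = re.compile(
    r"^(?P<name>.+?) for 1 minute = (?P<m1>\d+)/s; 5 minutes = (?P<m5>\d+)/s\s*$")


@dataclass
class Perfmon:
    stats: dict = field(default_factory=dict)        # name -> (current, average)
    valid_conns_rate: tuple = (None, None)           # (current %, average %)
    setup_rates: dict = field(default_factory=dict)  # name -> (1 min, 5 min)


def parse_perfmon(text):
    """Parse the three sections of "show perfmon detail" into a Perfmon."""
    p = Perfmon()
    section = None
    for line in text.splitlines():
        if line.startswith("PERFMON STATS:"):
            section = "stats"
            continue
        if line.startswith("VALID CONNS RATE"):
            section = "valid"
            continue
        if line.startswith("SETUP RATES:"):
            section = "setup"
            continue
        if section == "stats":
            m = RATE_LINE.match(line)
            if m:
                p.stats[m["name"].strip()] = (float(m["cur"]), float(m["avg"]))
        elif section == "valid":
            m = PCT_LINE.match(line)
            if m:
                p.valid_conns_rate = (float(m["cur"]), float(m["avg"]))
        elif section == "setup":
            m = SETUP_LINE.match(line)
            if m:
                p.setup_rates[m["name"].strip()] = (float(m["m1"]), float(m["m5"]))
    return p


def syn_flood_indicator(p, min_attempts_per_s=5.0, max_valid_pct=10.0):
    """Heuristic (thresholds are assumed, not Cisco guidance): intercept is
    being exercised while almost none of the intercepted handshakes complete,
    which is what spoofed SYNs look like once the embryonic limit is hit."""
    attempts = p.stats.get("TCP Intercept Attempts", (0.0, 0.0))[0]
    established = p.stats.get("TCP Intercept Established Conns", (0.0, 0.0))[0]
    valid_pct = p.valid_conns_rate[0] if p.valid_conns_rate[0] is not None else 100.0
    suspicious = attempts >= min_attempts_per_s and valid_pct <= max_valid_pct
    return {"attempts_per_s": attempts, "established_per_s": established,
            "valid_pct": valid_pct, "suspicious": suspicious}


if __name__ == "__main__":
    print(syn_flood_indicator(parse_perfmon(SAMPLE)))
```

Feed it the output of `show perfmon detail` collected on a schedule and the "suspicious" flag gives a cheap first-order signal without enabling "threat-detection statistics" and paying its memory cost; if you do need per-host detail, that is still the place to get it.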