[c-nsp] PIX/ASA "show counters" command
Antonio Soares
amsoares at netcabo.pt
Thu Feb 25 19:01:42 EST 2010
Thanks Andrew, I will investigate the options you mentioned.
Regards,
Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt
-----Original Message-----
From: Andrew Yourtchenko [mailto:ayourtch at cisco.com]
Sent: quinta-feira, 25 de Fevereiro de 2010 21:41
To: Antonio Soares
Cc: dwhitejr at cisco.com; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] PIX/ASA "show counters" command
Antonio,
On Thu, 25 Feb 2010, Antonio Soares wrote:
> David/Andrew,
>
> Thank you very much for clarifying this. Well, the customer was looking for something like this but for TCP sessions traversing the
> PIX/ASA. For example, how many SYN packets were sent to the systems protected by the unit, how many SYN/ACK were sent from those
> systems, how many arrived at the established state and so on. Do we have any options here? I'm now investigating if the
> CISCO-UNIFIED-MIB can help:
>
> ftp://ftp.cisco.com/pub/mibs/v2/CISCO-UNIFIED-FIREWALL-MIB.my
You can take a look at the output of "show snmp-server oidlist" to see
what's queryable. (We've a bug filed to get this command documented)
An output close to what they could be looking for is "show perfmon";
"detail" keyword adds the setup rates in the end of its output:
# sh perfmon detail
PERFMON STATS:                        Current      Average
Xlates                                    0/s          0/s
Connections                               0/s          0/s
TCP Conns                                 0/s          0/s
UDP Conns                                 0/s          0/s
URL Access                                0/s          0/s
URL Server Req                            0/s          0/s
TCP Fixup                                 0/s          0/s
TCP Intercept Established Conns           0/s          0/s
TCP Intercept Attempts                    9/s          0/s
TCP Embryonic Conns Timeout               0/s          0/s
HTTP Fixup                                0/s          0/s
FTP Fixup                                 0/s          0/s
AAA Authen                                0/s          0/s
AAA Author                                0/s          0/s
AAA Account                               0/s          0/s
VALID CONNS RATE in TCP INTERCEPT:    Current      Average
                                        0.00%        0.00%
SETUP RATES:
Connections for 1 minute = 0/s; 5 minutes = 0/s
TCP Conns   for 1 minute = 0/s; 5 minutes = 0/s
UDP Conns   for 1 minute = 0/s; 5 minutes = 0/s
If you want more detailed stats, you can configure
"threat-detection statistics" -
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html#wp1058499
But that of course comes at the cost of a very noticeable amount of memory to store
these stats.
In the case of spoofed TCP SYNs once the embryonic
limit is reached, the reaction to them is stateless, so there are no
per-host statistics kept by default.
cheers,
andrew
>
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt
>
> -----Original Message-----
> From: David White, Jr. (dwhitejr) [mailto:dwhitejr at cisco.com]
> Sent: quinta-feira, 25 de Fevereiro de 2010 18:35
> To: Antonio Soares
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] PIX/ASA "show counters" command
>
> Hi Antonio,
>
> Please see inline..
>
> Antonio Soares wrote:
>> Group,
>>
>> I need help with the PIX/ASA "show counters" command:
>>
>> http://www.cisco.com/en/US/partner/docs/security/asa/asa80/command/reference/s2.html#wp1358086
>>
>> As you can see, the command reference doesn't give too much details about the command.
>>
>> The CLI "show counters description" command gives us additional information, for example:
>>
>> ++++++++++++++++++++++++++++++++++++++++++
>> PIX1# show counters description | inc TCP
>> IP      TO_TCP             Packets delivered to TCP stack
>> TCP     IN_PKTS            Packets received
>> TCP     OUT_PKTS           Packets transmitted
>> TCP     RCV_GOOD           Received good packets
>> TCP     IN_BAD_CXT         Packets received with invalid environment data (ifc, ctx, etc.)
>> TCP     IN_NO_PRIV         Packets dropped due to no TCB
>> TCP     BD_CKSUM           Packets received with a bad checksum
>> TCP     BD_LEN             Packets received with a bad length
>> TCP     NOT_ALLWD          Packets dropped due to security level
>> TCP     INV_HOST           Packets dropped invalid host and least secured interface
>> TCP     NO_APP             Packets dropped no one listening
>> TCP     DROP_NRST          Packets dropped no one listening - no reset sent
>> TCP     SESS_CLSD          Packets dropped session closed
>> TCP     SESS_CTOD          Packets dropped session slosed due to timeout
>> TCP     DRP_LIS_RST        Packets dropped Listen state received reset
>> TCP     DRP_LIS_BAD        Packets dropped Listen state received packet with invalid flags
>> TCP     SYNS_RST           Packets dropped SynSent state received reset
>> TCP     SYNS_BAD           Packets dropped SynSent state received packet with invalid flags
>> TCP     CONN_RST1          Packets dropped Est, Fin1, Fin2, CloseWait state connection reset
>> TCP     CONN_RST2          Packets dropped Closing, LastAck, TimeWait state connection reset
>> TCP     CONN_RST3          Packets dropped Est, Fin1, Fin2, CloseWait, Closed, LastAck, TimeWait state received syn
>> TCP     CONN_REFD          Packets dropped SynRcvd state conn refused
>> TCP     BAD_FLAG           Packets dropped invalid flag for state
>> TCP     NACK1              Packets dropped Est, CloseWait state received ack - not established
>> TCP     NACK2              Packets dropped Fin1 state received ack - not established
>> TCP     NACK3              Packets dropped Fin2 state received ack - not established
>> TCP     NACK4              Packets dropped Closing state received ack - not established
>> TCP     DROP_UNACC         Packets dropped do not save or rearrange segments
>> TCP     DROP_IGNORE1       Packets dropped Closing state received ack - ignored
>> TCP     DROP_IGNORE2       Packets dropped LastAck state received non fin/ack - ignored
>> TCP     DROP_IGNORE3       Packets dropped TimeWait state received non remote fin/ack - ignored
>> TCP     DROP_IGNORE4       Packets dropped CloseWait, Closing, LastAck, TimeWait state received non remote fin/ack - data ignored
>> TCP     DROP_IGNORE5       Packets dropped Closed, Listen, SynSent state received fin/ack - ignored
>> TCP     DROP_IGNORE6       Packets dropped CloseWait, Closing, LastAck, TimeWait state received fin/ack - ignored
>> TCP     DROP_IGNORE7       Packets dropped Estab state & receiving data but no blocks are available - ignored
>> TCP     OUT_CLSD           Packets out dropped Conn Closed
>> TCP     OUT_BAD_CXT        Packets out packets dropped due to invalid environment data (ifc, ctx, etc.)
>> TCP     OUT_NO_BLKS        Packets out no blocks
>> TCP     OUT_NO_PRIV        Packets out due to no TCB
>> TCP     OUT_CONNRDY        Packets out dropped connection not ready
>> TCP     HASH_ADD           User hash add
>> TCP     HASH_ADD_DUP       User hash add dup
>> TCP     HASH_MISS          User srch hash miss
>> TCP     HASH_HIT           User srch hash hit
>> TCP     HASH_DEL           User hash delete
>> TCP     HASH_DMISS         User hash delete miss
>> TCP     MOVE_FAILED        Move listener failed
>> TCP     NO_USER_MEM        Alloc user failed
>> TCP     FORCE_FREE         Users Forcefully removed due to context deletion
>> TCP     SND_SYN            send syn
>> TCP     SND_RST            send rst
>> TCP     SND_ACK            send ack
>> TCP     RCV_ACK            receive ack
>> TCP     RCV_ACK_NEST       receive ack not established
>> NPSHIM  IOCTL_TCPFIP_FAIL  Ioctl TCPFIP Fail
>> PIX1#
>> ++++++++++++++++++++++++++++++++++++++++++
>>
>> Now, for example for TCP, are these counters related to TCP sessions that traverse the PIX/ASA, sessions to/from the PIX/ASA or
>> both?
>>
>
> They are for packets to/from the PIX/ASA's stack.
>
>> I have a customer swearing that these counters are related to TCP sessions to/from the PIX/ASA and I found it very strange. Why
>> would we need so many details about that? These counters make sense for connections traversing the PIX/ASA. By the way, this was
>> what the customer was looking for.
>>
>
> With clientless WebVPN, and other sessions that terminate on the box, it
> is yet another way to debug/troubleshoot some issues :-)
>
> Sincerely,
>
> David.
>> I don't have access to real gear right now and under dynamips/pemu, I don't see anything...
>>
>>
>> Thanks.
>>
>> Regards,
>>
>> Antonio Soares, CCIE #18473 (R&S/SP)
>> amsoares at netcabo.pt
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
>
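The following is an added example, not part of the thread and not Cisco code: a small Python parser for the "show perfmon detail" output Andrew quotes, plus a check that reads the TCP intercept rows the way an operator would during a suspected SYN flood (many "TCP Intercept Attempts" but a low "VALID CONNS RATE", and embryonic timeouts outrunning intercept-established connections). The two sample outputs are constructed to match the format shown above, with invented numbers; the function names and the thresholds in syn_flood_indicators() are illustrative assumptions, not Cisco guidance.

```python
#!/usr/bin/env python3
"""Parse PIX/ASA `show perfmon detail` output and flag the SYN-flood signature
it exposes: a high "TCP Intercept Attempts" rate next to a low "VALID CONNS
RATE". Added example; samples are constructed and thresholds are assumptions."""
import re
import sys

# Constructed sample modelled on the output format quoted in the thread; the
# numbers are invented to show a unit that is intercepting a SYN flood.
SAMPLE_FLOOD = """\
PERFMON STATS:                        Current      Average
Xlates                                   12/s          9/s
Connections                             870/s        410/s
TCP Conns                               860/s        400/s
UDP Conns                                10/s         10/s
URL Access                                0/s          0/s
URL Server Req                            0/s          0/s
TCP Fixup                                 0/s          0/s
TCP Intercept Established Conns          25/s         40/s
TCP Intercept Attempts                  845/s        300/s
TCP Embryonic Conns Timeout             790/s        250/s
HTTP Fixup                                0/s          0/s
FTP Fixup                                 0/s          0/s
AAA Authen                                0/s          0/s
AAA Author                                0/s          0/s
AAA Account                               0/s          0/s
VALID CONNS RATE in TCP INTERCEPT:    Current      Average
                                        2.96%       13.33%
SETUP RATES:
Connections for 1 minute = 860/s; 5 minutes = 405/s
TCP Conns for 1 minute = 850/s; 5 minutes = 395/s
UDP Conns for 1 minute = 10/s; 5 minutes = 10/s
"""

# Constructed idle baseline (same shape, everything at zero).
SAMPLE_QUIET = """\
PERFMON STATS:                        Current      Average
Xlates                                    0/s          0/s
Connections                               0/s          0/s
TCP Conns                                 0/s          0/s
UDP Conns                                 0/s          0/s
TCP Intercept Established Conns           0/s          0/s
TCP Intercept Attempts                    0/s          0/s
TCP Embryonic Conns Timeout               0/s          0/s
VALID CONNS RATE in TCP INTERCEPT:    Current      Average
                                        0.00%        0.00%
SETUP RATES:
Connections for 1 minute = 0/s; 5 minutes = 0/s
TCP Conns for 1 minute = 0/s; 5 minutes = 0/s
UDP Conns for 1 minute = 0/s; 5 minutes = 0/s
"""

# "<name>   <n>/s   <n>/s" rows of the PERFMON STATS table.
RATE_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z ]*?)\s+(?P<cur>\d+)/s\s+(?P<avg>\d+)/s$")
# The percentage row that follows the VALID CONNS RATE header.
PCT_RE = re.compile(r"^(?P<cur>\d+(?:\.\d+)?)%\s+(?P<avg>\d+(?:\.\d+)?)%$")
# SETUP RATES rows.
SETUP_RE = re.compile(
    r"^(?P<name>[A-Za-z ]+?) for 1 minute = (?P<m1>\d+)/s; 5 minutes = (?P<m5>\d+)/s$")


def parse_perfmon(text):
    """Return {'rates': {name: (current, average)},
               'setup': {name: (1min, 5min)},
               'valid_pct': (current, average) or None}."""
    stats = {"rates": {}, "setup": {}, "valid_pct": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = SETUP_RE.match(line)
        if m:
            stats["setup"][m["name"].strip()] = (int(m["m1"]), int(m["m5"]))
            continue
        m = RATE_RE.match(line)
        if m:
            stats["rates"][m["name"].strip()] = (int(m["cur"]), int(m["avg"]))
            continue
        m = PCT_RE.match(line)
        if m:
            stats["valid_pct"] = (float(m["cur"]), float(m["avg"]))
    return stats


def syn_flood_indicators(stats, min_attempts=100, max_valid_pct=20.0):
    """Findings from one snapshot; an empty list means nothing notable.
    min_attempts / max_valid_pct are illustrative thresholds (assumptions)."""
    rates = stats["rates"]
    attempts = rates.get("TCP Intercept Attempts", (0, 0))[0]
    established = rates.get("TCP Intercept Established Conns", (0, 0))[0]
    timeouts = rates.get("TCP Embryonic Conns Timeout", (0, 0))[0]
    valid_cur = stats["valid_pct"][0] if stats["valid_pct"] else None
    findings = []
    if attempts >= min_attempts and valid_cur is not None and valid_cur < max_valid_pct:
        findings.append("TCP intercept busy: %d/s attempts, only %.2f%% reach established"
                        % (attempts, valid_cur))
    if timeouts > established:
        findings.append("embryonic timeouts (%d/s) exceed intercept-established conns (%d/s)"
                        % (timeouts, established))
    return findings


if __name__ == "__main__":
    # Pass a file of captured `show perfmon detail` output, or run without
    # arguments to evaluate the constructed flood sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FLOOD
    for finding in syn_flood_indicators(parse_perfmon(text)) or ["no SYN-flood indicators"]:
        print(finding)
```

Two caveats when using this against real gear: the TCP Intercept rows only move once an embryonic connection limit is configured for the traffic and that limit is reached, so a unit with no limit set shows 0/s here even under a flood; and, as Andrew notes, once intercept engages the response to spoofed SYNs is stateless, so this gives a box-wide rate, not the per-host SYN / SYN-ACK / established breakdown the customer asked for.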