
Cisco ASA 5506-X Configuration Manual page 393


Chapter 17
ASA CX Module
    Class-map: bypass
      CXSC: card status Up, mode fail-open, auth-proxy disabled
        packet input 2626422041, packet output 2626877967, drop 0, reset-drop 0, proxied 0

The following is sample output from the show service-policy command showing the ASA CX policy and the current statistics, as well as the module status, when the authentication proxy is enabled; in this case, the proxied counters also increment:

hostname# show service-policy cxsc
Global policy:
  Service-policy: pmap
    Class-map: class-default
      Default Queueing      Set connection policy: random-sequence-number disable
        drop 0
      CXSC: card status Up, mode fail-open, auth-proxy enabled
        packet input 7724, packet output 7701, drop 0, reset-drop 0, proxied 10

Monitoring Module Connections

To show connections through the ASA CX module, enter one of the following commands:

show asp table classify domain cxsc
    Shows the NP rules created to send traffic to the ASA CX module.

show asp table classify domain cxsc-auth-proxy
    Shows the NP rules created for the authentication proxy for the ASA CX module. The following is sample output, which shows one rule. The destination "port=2000" is the auth-proxy port configured by the cxsc auth-proxy port 2000 command, and the destination "ip/id=192.168.0.100" is the ASA interface IP address.

    hostname# show asp table classify domain cxsc-auth-proxy
    Input Table
    in  id=0x7ffed86cc470, priority=121, domain=cxsc-auth-proxy, deny=false
        hits=0, user_data=0x7ffed86ca220, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=192.168.0.100, mask=255.255.255.255, port=2000, dscp=0x0
        input_ifc=inside, output_ifc=identity

show asp drop
    Shows dropped packets. The drop types are explained below.

show asp event dp-cp cxsc-msg
    This output shows how many ASA CX module messages are on the dp-cp queue. Only VPN queries from the ASA CX module are sent to dp-cp.

show conn
    Shows if a connection is being forwarded to a module by displaying the 'X - inspected by service module' flag.

The show asp drop command can include the following drop reasons related to the ASA CX module.

Frame Drops:

cxsc-bad-tlv-received—This occurs when ASA receives a packet from CXSC without a Policy ID TLV. This TLV must be present in non-control packets if it does not have the Standby Active bit set in the actions field.
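
The show service-policy cxsc output above can be checked mechanically when monitoring the module. The following is an added example, not part of the Cisco guide: it parses the per-class CXSC status line and counters and flags states worth an operator's attention. The function names, the sample text (the two class-map blocks from this page joined into one output) and the three checks are assumptions of this example.

```python
import re

# Constructed sample: the two class-map blocks shown on this page, joined into one output.
SAMPLE = """\
Global policy:
  Service-policy: pmap
    Class-map: bypass
      CXSC: card status Up, mode fail-open, auth-proxy disabled
        packet input 2626422041, packet output 2626877967, drop 0, reset-drop 0, proxied 0
    Class-map: class-default
      Default Queueing      Set connection policy: random-sequence-number disable
        drop 0
      CXSC: card status Up, mode fail-open, auth-proxy enabled
        packet input 7724, packet output 7701, drop 0, reset-drop 0, proxied 10
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s*(\S+)")
CXSC_RE = re.compile(r"CXSC: card status (\S+), mode (\S+), auth-proxy (\S+)")
COUNTER_RE = re.compile(r"(packet input|packet output|reset-drop|drop|proxied) (\d+)")


def parse_cxsc(text):
    """Return one dict per class-map that has a CXSC line, with its counters."""
    classes, current, cname = [], None, None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            cname, current = m.group(1), None
        elif m := CXSC_RE.search(line):
            current = {"class": cname, "status": m.group(1),
                       "mode": m.group(2), "auth_proxy": m.group(3)}
            classes.append(current)
        elif current is not None and "packet input" in line:
            for key, val in COUNTER_RE.findall(line):
                current[key.replace(" ", "_").replace("-", "_")] = int(val)
    return classes


def findings(classes):
    """Flag states an operator should look at; the checks are this example's choice."""
    out = []
    for c in classes:
        if c["status"] != "Up" and c["mode"] == "fail-open":
            out.append((c["class"], "module not Up in fail-open: traffic passes uninspected"))
        if c.get("drop", 0) or c.get("reset_drop", 0):
            out.append((c["class"], "module is dropping or resetting traffic"))
        if c["auth_proxy"] == "disabled" and c.get("proxied", 0):
            out.append((c["class"], "proxied counter nonzero with auth-proxy disabled"))
    return out
```

The "drop 0" line under Default Queueing is deliberately ignored, since it is a queueing counter rather than one of the CXSC counters.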
Cisco ASA Series Firewall CLI Configuration Guide
Monitoring the ASA CX Module
17-23
