Cisco ASA 5506-X Configuration Manual page 394
Cli
Hide thumbs
Also See for ASA 5506-X:
- Installation manual (46 pages) ,
- Hardware installation manual (26 pages) ,
- Quick start manual (14 pages)
Advertisement
Troubleshooting Problems with the Authentication Proxy
•
•
•
•
Flow Drops:
•
•
•
Troubleshooting Problems with the Authentication Proxy
If you are having a problem using the authentication proxy feature, follow these steps to troubleshoot
your configuration and connections.
If you have a connection between hosts on two ASA interfaces, and the ASA CX service policy is only
Note
configured for one of the interfaces, then all traffic between these hosts is sent to the ASA CX module,
including traffic originating on the non-ASA CX interface (the feature is bidirectional). However, the
ASA only performs the authentication proxy on the interface to which the service policy is applied,
because this feature is ingress-only.
Procedure
Step 1
Check your configurations.
•
•
Check the output of the show service-policy cxsc command to see if any packets were proxied.
Step 2
Perform a packet capture on the backplane (capture name interface asa_dataplane), and check to see
Step 3
if traffic is being redirected on the correct configured port.You can check the configured port using the
show running-config cxsc command or the show asp table classify domain cxsc-auth-proxy
command.
Cisco ASA Series Firewall CLI Configuration Guide
17-24
cxsc-request—The frame was requested to be dropped by CXSC due a policy on CXSC whereby
CXSC would set the actions to Deny Source, Deny Destination, or Deny Pkt.
cxsc-fail-close—The packet is dropped because the card is not up and the policy configured was
'fail-close' (rather than 'fail-open' which allows packets through even if the card was down).
cxsc-fail—The CXSC configuration was removed for an existing flow and we are not able to process
it through CXSC; it will be dropped. This should be very unlikely.
cxsc-malformed-packet—The packet from CXSC contains an invalid header. For instance, the
header length may not be correct.
cxsc-request—The CXSC requested to terminate the flow. The actions bit 0 is set.
reset-by-cxsc—The CXSC requested to terminate and reset the flow. The actions bit 1 is set.
cxsc-fail-close—The flow was terminated because the card is down and the configured policy was
'fail-close.'
On the ASA, check the output of the show asp table classify domain cxsc-auth-proxy command
and make sure there are rules installed and that they are correct.
In PRSM, ensure the directory realm is created with the correct credentials and test the connection
to make sure you can reach the authentication server; also ensure that a policy object or objects are
configured for authentication.
Chapter 17
ASA CX Module
- Quick Links:
- Table of Contents
Hide quick links:
Advertisement
