Troubleshooting; Monitoring Packets Matched To An Acp - HP 7102dl - ProCurve Secure Router Configuration Manual

ProCurve# show ip policy-stats
Global 0 current sessions (255300 max)
Policy-class "Inside":
121 current sessions (85100 max)
Entry 1 - allow list MatchAll
1424221 in bytes, 14222323 out bytes, 123 hits
Policy-class "Outside":
554 current sessions (85100 max)
Entry 1 - allow list Region
2345352 in bytes, 56363536 out bytes, 554 hits
Entry 2 - allow list InWeb
0 in bytes, 0 out bytes, 0 hits
Entry 2 - discard list MatchAll
0 in bytes, 0 out bytes, 0 hits
Figure 6-8. Displaying IP Policy-Stats

Troubleshooting

In addition to using show commands to view information about ACLs and
ACPs and to verify that your configuration is correct, you can use these
commands for troubleshooting. For example, suppose that several users call
you, complaining that they cannot send traffic to the Internet. However, the
PPP 1 interface, which provides the Internet connection, is up, and other users
are successfully sending traffic across the interface. You can use the show ip
policy-sessions command to determine whether or not the traffic is being
blocked by an ACP. You can then change the appropriate ACP as required.

Monitoring Packets Matched to an ACP

The Secure Router OS firewall tracks the number of connections made using
each ACP configured on the router. By default, the firewall generates a log
message after it creates 100 sessions (connections) using an ACP.
You can customize the number of connections made before a log message is
generated. For example, you may want to be notified when 50 connections
are made. If you have a large network, on the other hand, you may want to be
notified when 200 connections are made. To change the default setting, move
to the global configuration mode context and enter:
Syntax: ip firewall policy-log threshold <connections>
You can specify a number between 0 and 4294967295.
Configuring Network Address Translation
Troubleshooting
6-21