Applying Access Control to Router Interfaces
Troubleshooting
show Commands
In addition to using show commands to view information about ACLs and
ACPs and to verify that your configuration is correct, you can use these
commands for troubleshooting. For example, suppose that several users call
you, complaining that they cannot send traffic to a remote site. However, the
PPP 1 interface, which provides the connection to that site, is up, and other
users are successfully sending traffic across the interface. You can use the
show ip policy-sessions command to determine whether or not the traffic
is being blocked by an ACP. You can then change the appropriate ACP as
required.
Monitoring Packets Matched to an ACP
The Secure Router OS firewall tracks the number of sessions established using
each ACP that is configured on the router. By default, the firewall generates
a log message after it creates 100 sessions (connections) for an ACP.
You can customize the number of connections made before a log message is
generated. For example, you may want to be notified after 50 connections have
been made. If you have a large network, on the other hand, you may want to
be notified when 200 sessions have been established. To change the default
setting, move to the global configuration mode context and enter:
Syntax: ip firewall policy-log threshold <sessions>
You can specify a number between 0 and 4294967295.
Clearing Existing Policy Sessions
Whenever you change your ACP configurations, you are prompted to clear the
existing sessions. This enables you to apply your new configurations. Otherwise,
an existing session that violates an ACP that you just configured will
remain active.
To clear all of the policy sessions on the router, move to the enable mode
context and enter:
ProCurve# clear ip policy-sessions
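The two behaviours this section relies on, a session-count log threshold and existing sessions surviving an ACP change until they are cleared, are easy to misjudge when reading a show ip policy-sessions listing. The following Python model is an added illustration, not Secure Router OS code or output: it keeps a session table the way a stateful firewall does, counts new sessions against a configurable threshold, and shows that a flow admitted under the old ACP keeps being forwarded after a stricter ACP is applied unless the sessions are cleared. The rule actions "allow" and "discard", the implicit discard at the end of the list, and the addresses and ports used are all assumptions made for the example.

```python
"""Model of a stateful firewall's policy-session table (added illustration,
not Secure Router OS code): a session-count log threshold and stale
sessions that outlive an ACP change until they are cleared."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    """One connection, keyed the way a session table keys it (assumed)."""
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    """One ACP entry. 'allow'/'discard' are assumed action names."""
    action: str
    src_net: str
    dst_net: str
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src) in ip_network(self.src_net)
                and ip_address(flow.dst) in ip_network(self.dst_net)
                and (self.dport is None or self.dport == flow.dport))


class PolicySessionTable:
    """Sessions plus the ACP that admits new ones; default threshold 100."""

    def __init__(self, rules: List[Rule], log_threshold: int = 100):
        self.rules = list(rules)
        self.log_threshold = log_threshold   # 'ip firewall policy-log threshold'
        self.sessions = set()                # what 'show ip policy-sessions' lists
        self.created = 0                     # sessions created so far
        self.log: List[str] = []

    def apply_acp(self, rules: List[Rule], clear_sessions: bool = False) -> None:
        """Replace the ACP. Sessions stay unless cleared (the manual's warning)."""
        self.rules = list(rules)
        if clear_sessions:
            self.clear_sessions()

    def clear_sessions(self) -> None:
        """Model of 'clear ip policy-sessions'."""
        self.sessions.clear()

    def forward(self, flow: Flow) -> str:
        """Return the verdict for one packet of the given flow."""
        if flow in self.sessions:
            # Established session: the ACP is not consulted again.
            return "forwarded (existing session)"
        for rule in self.rules:
            if rule.matches(flow):
                if rule.action != "allow":
                    return "discarded by ACP"
                self.sessions.add(flow)
                self.created += 1
                # A threshold of 0 is treated as 'never log' in this model (assumption).
                if self.log_threshold and self.created % self.log_threshold == 0:
                    self.log.append(f"policy-log: {self.created} sessions created")
                return "forwarded (new session)"
        return "discarded (no matching entry)"   # implicit discard, assumed


def demo() -> dict:
    """Walk through the scenario of the section; returns each verdict."""
    table = PolicySessionTable(
        [Rule("allow", "10.1.1.0/24", "192.168.5.0/24")], log_threshold=2)
    web = Flow("10.1.1.7", "192.168.5.10", 80)          # constructed sample flow
    results = {"first": table.forward(web)}
    # A stricter ACP is applied, but the prompt to clear sessions is declined.
    table.apply_acp([Rule("discard", "10.1.1.7/32", "192.168.5.0/24"),
                     Rule("allow", "10.1.1.0/24", "192.168.5.0/24")])
    results["stale"] = table.forward(web)                # still forwarded
    results["new"] = table.forward(Flow("10.1.1.7", "192.168.5.10", 443))
    table.clear_sessions()                               # 'clear ip policy-sessions'
    results["after_clear"] = table.forward(web)
    return results


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step:12s} {verdict}")
```

When several users on an interface that is up report they cannot reach a site, the same listing that shows their flows being discarded will also show other users' sessions still forwarded: those were admitted before the ACP changed, which is exactly why the router prompts you to clear sessions after every ACP edit.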