Cisco Systems ASA 5510 Network Router User Manual


Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 63 Configuring the ASA CX Module
Monitoring the ASA CX Module
Default Queueing Set connection policy: random-sequence-number disable
drop 0
CXSC: card status Up, mode fail-open, auth-proxy enabled
packet input 7724, packet output 7701, drop 0, reset-drop 0, proxied 10
Monitoring Module Connections
To show connections through the ASA CX module, enter one of the following commands:
Command: show asp table classify domain cxsc
Purpose: Shows the NP rules created to send traffic to the ASA CX module.

Command: show asp table classify domain cxsc-auth-proxy
Purpose: Shows the NP rules created for the authentication proxy for the ASA CX module.

Command: show asp drop
Purpose: Shows dropped packets. The following drop types are used:

Frame Drops:
  cxsc-bad-tlv-received—This occurs when the ASA receives a packet from CXSC without a Policy ID TLV. This TLV must be present in non-control packets if the packet does not have the Standby Active bit set in the actions field.
  cxsc-request—The frame was requested to be dropped by CXSC due to a policy on CXSC whereby CXSC would set the actions to Deny Source, Deny Destination, or Deny Pkt.
  cxsc-fail-close—The packet is dropped because the card is not up and the policy configured was 'fail-close' (rather than 'fail-open', which allows packets through even if the card was down).
  cxsc-fail—The CXSC configuration was removed for an existing flow and we are not able to process it through CXSC, so it will be dropped. This should be very unlikely.
  cxsc-malformed-packet—The packet from CXSC contains an invalid header. For instance, the header length may not be correct.

Flow Drops:
  cxsc-request—The CXSC requested to terminate the flow. The actions bit 0 is set.
  reset-by-cxsc—The CXSC requested to terminate and reset the flow. The actions bit 1 is set.
  cxsc-fail-close—The flow was terminated because the card is down and the configured policy was 'fail-close'.

Command: show asp event dp-cp cxsc-msg
Purpose: This output shows how many ASA CX module messages are on the dp-cp queue. Currently, only VPN queries from the ASA CX module are sent to dp-cp.

Command: show conn
Purpose: This command already shows if a connection is being forwarded to a module by displaying the ‘X - inspected by service module’ flag. Connections being forwarded to the ASA CX module will also display the ‘X’ flag.
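
The drop types listed for show asp drop above can be pulled out of captured output and separated into drops the CX policy asked for and drops that point at a module or data-path fault. The following Python is an added example, not code from the Cisco guide; the counter line layout (description, counter name in parentheses, count), the sample output and the policy/fault grouping are assumptions made for illustration.

```python
import re

# Drop types from the table above, keyed by (section, counter name).
REASONS = {
    ("frame", "cxsc-bad-tlv-received"): "packet from CXSC lacked a Policy ID TLV",
    ("frame", "cxsc-request"): "CXSC policy set Deny Source, Deny Destination or Deny Pkt",
    ("frame", "cxsc-fail-close"): "card not up and policy is fail-close",
    ("frame", "cxsc-fail"): "CXSC configuration removed for an existing flow",
    ("frame", "cxsc-malformed-packet"): "packet from CXSC had an invalid header",
    ("flow", "cxsc-request"): "CXSC requested flow termination (actions bit 0)",
    ("flow", "reset-by-cxsc"): "CXSC requested terminate and reset (actions bit 1)",
    ("flow", "cxsc-fail-close"): "card down and policy is fail-close",
}
# This example's own grouping: counters that are not a CX policy decision.
FAULTS = {"cxsc-bad-tlv-received", "cxsc-fail-close", "cxsc-fail", "cxsc-malformed-packet"}

# Assumed layout: a "Frame drop:" / "Flow drop:" header, then "text (name)  count".
SECTION = re.compile(r"^\s*(frame|flow) drops?:", re.I)
COUNTER = re.compile(r"\(([a-z0-9-]+)\)\s+(\d+)\s*$")

def cxsc_drops(output):
    """Return [(section, counter, count, reason, is_fault)] for CXSC counters only."""
    section, rows = None, []
    for line in output.splitlines():
        m = SECTION.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = COUNTER.search(line)
        if m and (section, m.group(1)) in REASONS:
            name = m.group(1)
            rows.append((section, name, int(m.group(2)), REASONS[(section, name)], name in FAULTS))
    return rows

# Constructed sample output; descriptions and counts are illustrative, not captured.
SAMPLE = """\
Frame drop:
  Invalid encapsulation (invalid-encap)                          12
  CXSC requested drop (cxsc-request)                             40
  CXSC fail-close (cxsc-fail-close)                               3

Flow drop:
  CXSC requested flow terminate (cxsc-request)                    5
  CXSC requested flow reset (reset-by-cxsc)                       2
"""

if __name__ == "__main__":
    for section, name, count, reason, fault in cxsc_drops(SAMPLE):
        print(f"{'FAULT ' if fault else 'policy'} {section:5} {name:22} {count:6}  {reason}")
```

A non-zero fault row such as cxsc-fail-close is the cue to check the card status and fail-open/fail-close mode before treating the drops as policy enforcement.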