Cisco Systems ASA 5555-X Network Router User Manual


63-20
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 63 Configuring the ASA CX Module
Troubleshooting the ASA CX Module
3. Perform a packet capture on the backplane, and check to see if traffic is being redirected on the
correctly configured port. See the “Capturing Module Traffic” section on page 63-17. You can check
the configured port using the show running-config cxsc command or the show asp table classify
domain cxsc-auth-proxy command.
Note: If you have a connection between hosts on two ASA interfaces, and the ASA CX service policy is only
configured for one of the interfaces, then all traffic between these hosts is sent to the ASA CX module,
including traffic originating on the non-ASA CX interface (the feature is bidirectional). However, the
ASA only performs the authentication proxy on the interface to which the service policy is applied,
because this feature is ingress-only.
Example 63-1 Make sure port 2000 is used consistently:
1. Check the authentication proxy port:
hostname# show running-config cxsc
cxsc auth-proxy port 2000
2. Check the authentication proxy rules:
hostname# show asp table classify domain cxsc-auth-proxy
Input Table
in id=0x7ffed86cc470, priority=121, domain=cxsc-auth-proxy, deny=false
hits=0, user_data=0x7ffed86ca220, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=192.168.0.100, mask=255.255.255.255, port=2000, dscp=0x0
input_ifc=inside, output_ifc=identity
3. In the packet captures, the redirect request should be going to destination port 2000.
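An added example, not part of the Cisco guide: a Python check that compares the port from the show running-config cxsc output with the destination port of each cxsc-auth-proxy classify rule. The sample text is the output shown in Example 63-1, and the function names are this example's own.

```python
import re

# Sample input: the command output shown in Example 63-1 above.
RUNNING_CONFIG = """\
hostname# show running-config cxsc
cxsc auth-proxy port 2000
"""
ASP_TABLE = """\
hostname# show asp table classify domain cxsc-auth-proxy
Input Table
in id=0x7ffed86cc470, priority=121, domain=cxsc-auth-proxy, deny=false
hits=0, user_data=0x7ffed86ca220, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=192.168.0.100, mask=255.255.255.255, port=2000, dscp=0x0
input_ifc=inside, output_ifc=identity
"""

def configured_port(running_config):
    """Return the port from 'cxsc auth-proxy port N', or None if absent."""
    m = re.search(r"^\s*cxsc auth-proxy port (\d+)\s*$", running_config, re.M)
    return int(m.group(1)) if m else None

def classify_rules(asp_table):
    """Parse each 'in id=...' entry into a dict of the fields checked here."""
    rules = []
    for block in re.split(r"^\s*in\s+(?=id=)", asp_table, flags=re.M)[1:]:
        # Anchor on the dst line so the 'port=0' of the src line is ignored.
        dst = re.search(r"dst ip/id=([^,\s]+), mask=[^,\s]+, port=(\d+)", block)
        hits = re.search(r"hits=(\d+)", block)
        ifc = re.search(r"input_ifc=([^,\s]+)", block)
        if dst and hits and ifc:
            rules.append({"dst": dst.group(1), "port": int(dst.group(2)),
                          "hits": int(hits.group(1)), "input_ifc": ifc.group(1)})
    return rules

def check_consistency(running_config, asp_table):
    """Return a list of findings; an empty list means the port is consistent."""
    port = configured_port(running_config)
    if port is None:
        return ["no 'cxsc auth-proxy port' line in running config"]
    rules = classify_rules(asp_table)
    if not rules:
        return ["no cxsc-auth-proxy classify rules installed"]
    return [f"rule on {r['input_ifc']} ({r['dst']}) uses port {r['port']}, "
            f"config says {port}" for r in rules if r["port"] != port]

if __name__ == "__main__":
    print(check_consistency(RUNNING_CONFIG, ASP_TABLE) or "auth-proxy port consistent")
```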