Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 30 Configuring the ASA CX Module
Monitoring the ASA CX Module
Examples
The following is sample output from the show asp table classify domain cxsc command:
ciscoasa# show asp table classify domain cxsc
Input Table
in id=0x7ffedb4acf40, priority=50, domain=cxsc, deny=false
    hits=15485658, user_data=0x7ffedb4ac840, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    input_ifc=outside, output_ifc=any
in id=0x7ffedb4ad4a0, priority=50, domain=cxsc, deny=false
    hits=992053, user_data=0x7ffedb4ac840, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    input_ifc=inside, output_ifc=any
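The following parser for the output format shown above is an added example, not part of the Cisco guide or of any Cisco tool. It extracts the hit count of each cxsc classify rule per input interface and lists expected interfaces that show no hits. The function names and the dmz interface name are hypothetical, and reading zero hits as "no traffic is being redirected on that interface" is an assumption.

```python
import re

# Sample output copied from the example above, including the wrapped line.
SAMPLE = """\
Input Table
in id=0x7ffedb4acf40, priority=50, domain=cxsc, deny=false
hits=15485658, user_data=0x7ffedb4ac840, cs_id=0x0, use_real_addr, flags=0x0,
protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
in id=0x7ffedb4ad4a0, priority=50, domain=cxsc, deny=false
hits=992053, user_data=0x7ffedb4ac840, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
"""

# key=value pairs; the lookbehind skips the "id" in "src ip/id=" so that it
# cannot be confused with the rule id on the first line of each rule.
FIELD = re.compile(r"(?<![/\w])([a-z_]+)=([^,\s]+)")

def parse_classify_table(text):
    """Return one dict per rule; a rule starts at a line beginning 'in id='."""
    rules, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if re.match(r"(in|out)\s+id=", line):
            current = {"direction": line.split()[0]}
            rules.append(current)
        if current is None:          # header lines such as "Input Table"
            continue
        for key, value in FIELD.findall(line):
            current.setdefault(key, value)   # first occurrence wins
    return rules

def cxsc_hits_by_interface(text):
    """Sum hits of permit (deny=false) cxsc rules per input interface."""
    hits = {}
    for rule in parse_classify_table(text):
        if rule.get("domain") == "cxsc" and rule.get("deny") == "false":
            ifc = rule["input_ifc"]
            hits[ifc] = hits.get(ifc, 0) + int(rule["hits"])
    return hits

def interfaces_without_redirect(text, expected):
    """Expected interfaces that have no cxsc rule or a rule with zero hits."""
    hits = cxsc_hits_by_interface(text)
    return sorted(i for i in expected if hits.get(i, 0) == 0)
```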
Command: show asp drop
Purpose: Shows dropped packets. The following drop types are used:
Frame Drops:
• cxsc-bad-tlv-received—This occurs when the ASA receives a packet
from CXSC without a Policy ID TLV. This TLV must be present in
non-control packets that do not have the Standby Active bit set in the
actions field.
• cxsc-request—CXSC requested that the frame be dropped due to
a policy on CXSC whereby CXSC would set the actions to Deny
Source, Deny Destination, or Deny Pkt.
• cxsc-fail-close—The packet is dropped because the card is not up and
the configured policy was 'fail-close' (rather than 'fail-open', which
allows packets through even if the card is down).
• cxsc-fail—The CXSC configuration was removed for an existing
flow. Because the flow can no longer be processed through CXSC, it is
dropped. This should be very unlikely.
• cxsc-malformed-packet—The packet from CXSC contains an invalid
header. For instance, the header length may not be correct.
Flow Drops:
• cxsc-request—The CXSC requested to terminate the flow. The
actions bit 0 is set.
• reset-by-cxsc—The CXSC requested to terminate and reset the flow.
The actions bit 1 is set.
• cxsc-fail-close—The flow was terminated because the card is down
and the configured policy was 'fail-close'.

Command: show asp event dp-cp cxsc-msg
Purpose: This output shows how many ASA CX module messages are on the
dp-cp queue. Currently, only VPN queries from the ASA CX module are sent
to dp-cp.

Command: show conn
Purpose: This command already shows if a connection is being forwarded to a
module by displaying the ‘X - inspected by service module’ flag.
Connections being forwarded to the ASA CX module will also display the
‘X’ flag.