How to know what policy is dropping a packet via CLI

Hi all:

I would like to know if there is a tool, command or whatever (not ASDM) in order to know if the FWSM is dropping a packet.

I tried the capture command with the type acl-drop all option, but the appliance doesn't show anything, even after creating a specific access-list that drops my connections.

The normal capture doesn't show whether a packet is being dropped either; it only shows the packet but no more information. Through ASDM it is impossible to see anything with real monitoring or buffer and filtering by my IP; although it must show my dropped packets, it doesn't.

Thanks a lot,

Francisco

4 Replies

Panos Kampanakis
Cisco Employee

Francisco,

The FWSM doesn't have a packet tracer feature like the ASA.

Also, the ASP drop captures are only for control traffic.

The existing conns' packets are processed in hardware, so the functionality is not the same and the CPU cannot give you an answer with one command.

Your best bet is syslogs at level 7.

I hope it helps.

PK

sh np all stats | e : 0

Will give you quite a bit of output.  Note the "space" after the ":".  If you sent 1000 pings with timeout 0 from a host, you can use the output to see if any counter went up by a thousand.

You can clear the counter by issuing "clear np all stats".

-KS
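
The comparison described in the reply above, as an added example that is not part of the original thread: a Python sketch that diffs two saved snapshots of the counter output and reports the counters that rose by the number of probes sent. The `name : value` line layout, the section headers and the counter names in the sample are constructed assumptions, not real FWSM output.

```python
import re

# Generic "<counter name> : <integer>" line; the exact FWSM layout is an assumption.
COUNTER_RE = re.compile(r"^\s*(?P<name>.+?)\s*:\s*(?P<value>\d+)\s*$")

def parse_counters(text):
    """Return {counter name: value}; a line without a value becomes the section prefix."""
    counters, section = {}, ""
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[f"{section}{m['name']}"] = int(m["value"])
        elif line.strip():
            section = line.strip().strip("-= ") + " / "
    return counters

def counters_matching_probe(before, after, probes, tolerance=0):
    """Counters whose increase between snapshots is within `tolerance` of `probes`."""
    old, new = parse_counters(before), parse_counters(after)
    hits = {}
    for name, value in new.items():
        # A counter missing from the first snapshot was zero (hidden by "| e : 0").
        delta = value - old.get(name, 0)
        if abs(delta - probes) <= tolerance:
            hits[name] = delta
    return hits

# Constructed sample snapshots, taken before and after sending 1000 pings.
BEFORE = """\
---- NP 1 ----
example forwarded packets : 48210
example drop counter A : 17
---- NP 2 ----
example forwarded packets : 90321
"""
AFTER = """\
---- NP 1 ----
example forwarded packets : 53977
example drop counter A : 1017
example drop counter B : 3
---- NP 2 ----
example forwarded packets : 95102
"""

if __name__ == "__main__":
    for name, delta in counters_matching_probe(BEFORE, AFTER, probes=1000).items():
        print(f"{name}: +{delta}")
```

Diffing two snapshots instead of clearing the counters keeps background traffic from hiding the probe: busy counters move by arbitrary amounts, while the one the probe hits moves by the probe count.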

PK, what do you mean by syslog at level 7?

-KS, there is a huge amount of traffic passing through the FWSM. I tried the command you said, but it's very difficult to know if the interesting traffic is being dropped.

Thanks for your replies,

Francisco

Level 7 is the debugging level.

PK
