08-13-2010 06:20 AM - edited 03-11-2019 11:25 AM
The short of my issue:
I have configured a service policy that watches web traffic to a web server, limiting the maximum connections to the server (over TCP 80) to 'n' simultaneous connections (set connection per-client-max n). I need to see the service policy in action, but the only way I know to do it is to watch the drops in "show service policy" output increment or watch the logging buffer (no syslog server available yet). I would really like to debug this action. Is it possible, and most importantly, what is the debug command to do it?
08-13-2010 08:24 AM
Antonio,
show local-host IP.ADD.RE.SS det
is what you need to "debug" connection counts etc.
HTH,
Marcin
08-13-2010 09:12 AM
Thanks for your reply. This was useful info.
But what I'm looking for is a way to run a debug that shows when the 'per-client-max' setting has been invoked.
08-13-2010 10:33 AM
sh service-pol flow tcp host x.x.x.x host y.y.y.y eq 80
sh service-pol flow tcp host x.x.x.x host y.y.y.y eq 443
-KS
08-24-2010 05:41 AM
FYI,
For anyone attempting to see on-screen when this service policy is invoked, I've found a simple workaround. In lieu of a direct debug command, what you can do is configure 'logging monitor errors' and then 'terminal monitor'. Whenever the 'set connection per-client-max n' rule is invoked, you will get a log that looks like this:
Aug 17 2010 10:16:48: %ASA-3-201013: Per-client connection limit exceeded 20/20 for input packet from 192.168.2.26/38602 to 172.16.34.8/80 on interface outside
Hope you find this useful.
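As an added example (not from the thread or from Cisco), here is a small Python parser for the %ASA-3-201013 message shown above, so the per-client-max hits can be counted per client once the messages are collected from the terminal or a syslog server. The sample log lines are constructed; the first two mirror the format quoted in the thread.

```python
import re
from collections import Counter

# Pattern for the ASA 201013 message: "Per-client connection limit exceeded
# <current>/<limit> for input|output packet from <ip>/<port> to <ip>/<port>
# on interface <name>". Field names are this example's own choice.
ASA_201013 = re.compile(
    r"%ASA-\d-201013: Per-client connection limit exceeded "
    r"(?P<current>\d+)/(?P<limit>\d+) for (?P<direction>input|output) packet from "
    r"(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to (?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"on interface (?P<iface>\S+)"
)


def parse_201013(line):
    """Return a dict of the 201013 fields, or None if the line is a different message."""
    m = ASA_201013.search(line)
    if not m:
        return None
    event = m.groupdict()
    for key in ("current", "limit", "src_port", "dst_port"):
        event[key] = int(event[key])
    return event


def limit_hits_per_client(lines):
    """Count 201013 events per (client IP, server IP:port) so noisy clients stand out."""
    hits = Counter()
    for line in lines:
        event = parse_201013(line)
        if event:
            hits[(event["src_ip"], f'{event["dst_ip"]}:{event["dst_port"]}')] += 1
    return hits


# Constructed sample: two limit hits from one client, plus an unrelated 302013 line.
SAMPLE_LOG = [
    "Aug 17 2010 10:16:48: %ASA-3-201013: Per-client connection limit exceeded 20/20 "
    "for input packet from 192.168.2.26/38602 to 172.16.34.8/80 on interface outside",
    "Aug 17 2010 10:16:49: %ASA-3-201013: Per-client connection limit exceeded 20/20 "
    "for input packet from 192.168.2.26/38603 to 172.16.34.8/80 on interface outside",
    "Aug 17 2010 10:16:50: %ASA-6-302013: Built inbound TCP connection 12345 for "
    "outside:10.0.0.5/51000 (10.0.0.5/51000) to inside:172.16.34.8/80 (172.16.34.8/80)",
]

if __name__ == "__main__":
    for client, count in limit_hits_per_client(SAMPLE_LOG).items():
        print(f"{client[0]} hit the per-client limit {count} time(s) toward {client[1]}")
```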