Service policy debugging???

Antonio Knox
Level 7

The short of my issue:

I have configured a service policy that watches web traffic to a web server, limiting the maximum connections to the server (over TCP 80) to 'n' amount of simultaneous connections (set connection per-client-max n).  I need to see the service policy in action, but the only way I know to do it is to watch the drops in "show service policy" output increment or watch the logging buffer (no syslog server available yet).  I would really like to debug this action.  Is it possible, and most importantly, what is the debug command to do it?

4 Replies

Marcin Latosiewicz
Cisco Employee

Antonio,

show local-host IP.ADD.RE.SS det

is what you need to "debug" connection counts etc.

HTH,

Marcin

Thanks for your reply.  This was useful info.

But what I'm looking for is a way to run a debug that shows when the 'per-client-max' setting has been invoked?

sh service-pol flow tcp host x.x.x.x host y.y.y.y eq 80

sh service-pol flow tcp host x.x.x.x host y.y.y.y eq 443

-KS

FYI,

For anyone attempting to see on-screen when this service policy is invoked, I've found a simple workaround.  In lieu of a direct debug command, what you can do is configure 'logging monitor errors' and then 'terminal monitoring'.  Whenever the 'set connection per-client-max n' rule is invoked, you will get a log that looks like this:

Aug 17 2010 10:16:48: %ASA-3-201013: Per-client connection limit exceeded 20/20 for input packet from 192.168.2.26/38602 to 172.16.34.8/80 on interface outside

Hope you find this useful.
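As an added example (not posted by anyone in this thread), a small Python parser for the %ASA-3-201013 message quoted above, so per-client-max hits can be counted per client from a logging buffer or syslog capture rather than watched on the terminal. The regex group names, the event fields and the extra sample lines are my own construction.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Pattern for the %ASA-3-201013 line quoted in the thread; group names are my own choice.
ASA_201013 = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-3-201013: "
    r"Per-client connection limit exceeded (?P<cur>\d+)/(?P<max>\d+) "
    r"for (?P<dir>input|output) packet from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) on interface (?P<iface>\S+)$"
)

@dataclass(frozen=True)
class PerClientLimitEvent:
    timestamp: str
    current: int       # connections the client already holds
    limit: int         # configured per-client-max
    direction: str     # "input" or "output"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    interface: str

def parse_201013(line: str):
    """Return a PerClientLimitEvent for a 201013 line, or None for any other message."""
    m = ASA_201013.match(line.strip())
    if m is None:
        return None
    return PerClientLimitEvent(m["ts"], int(m["cur"]), int(m["max"]), m["dir"], m["src"],
                               int(m["sport"]), m["dst"], int(m["dport"]), m["iface"])

def clients_hitting_limit(lines, threshold=1):
    """Count limit hits per (client, server, port) and keep those at or above threshold."""
    counts = Counter()
    for line in lines:
        ev = parse_201013(line)
        if ev is not None:
            counts[(ev.src_ip, ev.dst_ip, ev.dst_port)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample buffer: the line quoted in the thread, two made-up repeats, one unrelated message.
SAMPLE_LOG = [
    "Aug 17 2010 10:16:48: %ASA-3-201013: Per-client connection limit exceeded 20/20 for input packet from 192.168.2.26/38602 to 172.16.34.8/80 on interface outside",
    "Aug 17 2010 10:16:49: %ASA-3-201013: Per-client connection limit exceeded 20/20 for input packet from 192.168.2.26/38603 to 172.16.34.8/80 on interface outside",
    "Aug 17 2010 10:16:49: %ASA-3-201013: Per-client connection limit exceeded 20/20 for input packet from 192.168.2.40/51002 to 172.16.34.8/80 on interface outside",
    "Aug 17 2010 10:16:50: %ASA-6-302013: Built inbound TCP connection (constructed filler line, not a limit event)",
]
```

A client that shows up repeatedly in `clients_hitting_limit` output is the one the per-client-max rule is actually throttling, which is the same information the terminal monitor shows, but aggregated.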
