Cisco ASA 5505 - 2 internal Networks

Hi, I'm new to ASAs,

Been trying to get the following setup working for ages but can't see what I am missing:

image.jpg

(Got image from another post but exactly what I want but cannot get working)

I can ping between subnets but nothing else, and LAN 2 cannot get to the internet.

The resolution for this guy was the following, I believe (from his config he has ASA v8.2):

same-security-traffic permit intra-interface
access-list NONAT permit ip 192.168.50.0 255.255.255.0 10.0.50.0 255.255.255.0
access-list NONAT permit ip 10.0.50.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT

I have tried this, but I have ASA v8.4 and whilst commands 1-3 work, command 4 doesn't.

I get a message about the command being deprecated. I couldn't find a new version I could understand.

Hopefully it's nothing stupid and simple, but any help greatly appreciated.

BTW, I have reset my ASA back to defaults (except that internet access and the internet LAN are working) as I made so many changes I feared one might conflict with the other.

Many thanks for any views or help.

1 ACCEPTED SOLUTION


Re: Cisco ASA 5505 - 2 internal Networks

OK, TCP bypass is done for TCP traffic only, and the document states that configuring this option avoids any type of inspection. This was mainly created for design issues where you receive traffic through the ASA without it going through the TCP 3-way handshake.

U-turning was also added for non-VPN traffic, based on the need to re-route traffic out the same interface on which you receive a packet, but it has limitations.

Inspect ICMP to maintain control over ICMP sessions: one request, one reply.

Most of these issues are caused by incorrect routing, so to avoid over-complication just change the routing.

This is a document created for the PIX, but it explains a little of what is happening.

Q. I recently added an inside router to connect a second inside network to my Cisco Secure PIX Firewall. Users between the Cisco Secure PIX Firewall and inside router can successfully get to the Internet, but they cannot talk to this new, inside network. Users on the new network are unable to get past the inside router. What is wrong?

    A. You must enter a specific route inside statement into the PIX for this new network through the new router. You can also enter a specific route inside statement for the major network through this router, which allows for future growth.

    For example, if your existing network is 192.168.1.0/24 and your new network is 192.168.2.0/24, the Ethernet port of your internal router is 192.168.1.2. The route configuration of the PIX appears similar to this:

        route inside 192.168.2.0 255.255.255.0 192.168.1.2 1

    or (the major network):

        route inside 192.168.0.0 255.255.0.0 192.168.1.2 1

    Workstations between the Cisco Secure PIX Firewall and router should have their gateway point to the router, not the PIX. Even though they are directly connected, they have problems accessing the new internal network if their gateway does not point to the router. The router should have a default gateway that directs all unknown traffic to the inside interface of the Cisco Secure PIX Firewall. The installation of a route for this new network in the PIX does not work either. The PIX does not route or redirect off the interface it received the packet. Unlike a router, the PIX cannot route packets back through the same interface where the packet was initially received. Also, make sure your nat statement includes the new network or the major net you are adding.


Cisco ASA 5505 - 2 internal Networks

Hi,

For communication between 10.0.50.0 and 192.168.1.0 you are using the router, and the devices on the 192.168.1.0 network are attached to switchports on the ASA, so they are switched, not routed, and so you don't need any of these commands to make it work. Just simply add a static route inside for 10.0.50.0 pointing towards 192.168.1.252 and NAT 192.168.1.0 and 10.0.50.0 from inside to outside.

Regards

Alain

Don't forget to rate helpful posts.


Re: Cisco ASA 5505 - 2 internal Networks

Hi Alain,

thanks for the reply.

I tried to do as you have suggested above but still have no connectivity, but I think this is more to do with what I am doing..... although I have to add I spent a few weeks / months with assistance from a guy from Experts Exchange with the same issue and still couldn't get it working, so I am beginning to feel it just isn't possible with my ASA. Could that be the case?

I added a static route and while I can ping the ASA from the PC on the 10.0.50.0 lan I can ping nothing else on the 192.168.1.0 lan.

From the 192.168.1.0 I can ping the router but nothing else on the 10.0.50.0 lan.

I am afraid that I really fell down on the NAT part. I tried to do it through the GUI and didn't see any different results, so I presume I am not selecting the correct options.

I wiped the ASA again to keep things fresh and not conflicting with each other and when I setup the internet access again just to try something different I setup EIGRP on the router and the ASA and get the same ping connectivity above.

Are you able to guide me further?

Many thanks

Richard

Re: Cisco ASA 5505 - 2 internal Networks

Let's try to tackle things in pieces:

I added a static route and while I can ping the ASA from the PC on the 10.0.50.0 lan I can ping nothing else on the 192.168.1.0 lan.


What static route did you add?

What is the gateway of the machines on the 192.168.1.0 LAN? Is it the ASA?

From the 192.168.1.0 I can ping the router but nothing else on the 10.0.50.0 lan.

This would also point to your gateway being the ASA.

Have you added a static route on the LAN 1 PC to route traffic for LAN2 through the router?

Or, you can set your gateway to the router.

Can you try one of these and see if you can ping between the test host on LAN1 and LAN2?


Re: Cisco ASA 5505 - 2 internal Networks

Hi Robert,

Thanks for the reply.

I have progress :-) and in the right direction :-)

Def G of PC's on 192.168.1.0 LAN is the ASA

Def G of PC's on 10.0.50.0 LAN is 1841 router.

added static route on ASA of : route inside 10.0.50.0 255.255.255.0 192.168.1.252 1

Still no connectivity.

Then added:

same-security-traffic permit intra-interface

And hurrah... ping from 192 to 10 from clients as well :-)

Question is......

ASA says:

  inter-interface  Permit communication between different interfaces with the
                   same security level
  intra-interface  Permit communication between peers connected to the same
                   interface

Where am I misunderstanding...

I did "inter-interface" first, thinking the devices are on different physical interfaces but the same security level (inside), but it was intra-interface that got the ping working, but .... they are on different physical interfaces??? I am confused?

Or is it a case that it looks at the inside and outside VLANs as the interfaces in this scenario?

Only have ping connectivity though so is NAT the next step?

Have always struggled with this bit, so if it is the next step please could I ask for guidance here thanks.

Thanks again

Richard

P.S. Thanks for the advice of tackling it in pieces; I all too often try too much....


Re: Cisco ASA 5505 - 2 internal Networks

Hi,

Had another look at this today.

Noticed that I was getting the following messages in the ASDM syslog:

Teardown TCP connection 12657 for inside:xx.xx.xx.xx/4658 to inside:xx.xx.xx.xx/139 duration 0:00:00 bytes 0 TCP Reset-O
Deny TCP (no connection) from xx.xx.xx.xx/4654 to xx.xx.xx.xx/445 flags RST  on interface inside

When I investigated I found a website that mentioned asymmetrical routing, presumably my problem, where the 1841 was routing directly back to the host instead of through the ASA?? Not something I have heard of before!

This mentioned using TCP state bypass; I found the following config at:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html#wp1087434

CONFIG AS PER BELOW:

hostname(config)# access-list tcp_bypass extended permit tcp 10.1.1.0 255.255.255.224 any
hostname(config)# class-map tcp_bypass
hostname(config-cmap)# description "TCP traffic that bypasses stateful firewall"
hostname(config-cmap)# match access-list tcp_bypass
hostname(config-cmap)# policy-map tcp_bypass_policy
hostname(config-pmap)# class tcp_bypass
hostname(config-pmap-c)# set connection advanced-options tcp-state-bypass
hostname(config-pmap-c)# service-policy tcp_bypass_policy outside

Once the commands were entered..... HURRAH, it works!!!

I can now RDP to PC's in the 10 network :-)

After months I have made progress :-)

But..... is there any security risk with this? or anything else I should be concerned with?

I have run an nmap port scan on my external IP and that doesn't report any open ports so all good I hope??

Presuming bypassing the TCP state inspection is not the preferred method for proper resolution what is?

Only thing left now (unless you experts advise me to change this setup) is to get internet access from the 10 range PCs.

will DNS resolution pass through the ASA?

Thanks again, apologies for the length!
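The two syslog lines above are the classic asymmetric-routing signature that Robert describes in the next reply: the ASA sees only one half of a TCP conversation, tears the connection down by reset with zero bytes, or denies a segment for which it holds no connection. As an added example, not code from the thread, the Python below parses constructed log lines in that shape (the addresses are made up; the originals were masked as xx.xx.xx.xx) and reports the host pairs that keep tripping the pattern, so the condition can be spotted in the ASDM syslog rather than by trial and error.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the two messages quoted in the post.
# Addresses are made up. The "%ASA-6-..." prefixes are the standard message IDs for
# these texts; the regexes use search() so any prefix (or none) is tolerated.
SAMPLE_LOG = """\
%ASA-6-302014: Teardown TCP connection 12657 for inside:192.168.1.10/4658 to inside:10.0.50.20/139 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 192.168.1.10/4654 to 10.0.50.20/445 flags RST  on interface inside
%ASA-6-302014: Teardown TCP connection 12660 for inside:192.168.1.10/4701 to outside:93.184.216.34/443 duration 0:01:12 bytes 48213 TCP FINs
%ASA-6-106015: Deny TCP (no connection) from 192.168.1.10/4655 to 10.0.50.20/445 flags RST  on interface inside
%ASA-6-302013: Built inbound TCP connection 12661 for inside:192.168.1.11/50022 (192.168.1.11/50022) to inside:10.0.50.21/3389 (10.0.50.21/3389)
"""

TEARDOWN_RE = re.compile(
    r"Teardown TCP connection \d+ for (?P<src_if>\w+):(?P<src>[\d.]+)/\d+ "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) duration (?P<dur>[\d:]+) "
    r"bytes (?P<bytes>\d+) (?P<reason>.+)$")
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/\d+ to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[\w ]+?) +on interface (?P<iface>\w+)$")


def parse_events(text):
    """Turn raw syslog text into dicts; lines that are neither message type are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = TEARDOWN_RE.search(line)
        if m:
            d = m.groupdict()
            events.append({"kind": "teardown", "src": d["src"], "dst": d["dst"],
                           "dport": int(d["dport"]),
                           "same_iface": d["src_if"] == d["dst_if"],      # inside -> inside
                           "empty": d["dur"] == "0:00:00" and d["bytes"] == "0",
                           "reset": d["reason"].startswith("TCP Reset")})
            continue
        m = DENY_RE.search(line)
        if m:
            d = m.groupdict()
            events.append({"kind": "deny_noconn", "src": d["src"], "dst": d["dst"],
                           "dport": int(d["dport"]), "flags": d["flags"].split(),
                           "iface": d["iface"]})
    return events


def suspect_asymmetric_pairs(events, min_events=2):
    """Host pairs that repeatedly show the asymmetric-routing signature: same-interface
    connections torn down by a reset with zero bytes, plus RSTs arriving for connections
    the ASA has no state for. Returns sorted (src, dst) pairs seen at least min_events times."""
    counts = Counter()
    for e in events:
        if e["kind"] == "teardown" and e["same_iface"] and e["empty"] and e["reset"]:
            counts[(e["src"], e["dst"])] += 1
        elif e["kind"] == "deny_noconn" and "RST" in e["flags"]:
            counts[(e["src"], e["dst"])] += 1
    return sorted(pair for pair, n in counts.items() if n >= min_events)


if __name__ == "__main__":
    for pair in suspect_asymmetric_pairs(parse_events(SAMPLE_LOG)):
        print("possible asymmetric routing between", *pair)
```

The healthy internet connection in the sample (outside interface, FINs, non-zero bytes) is parsed but never counted, which is the point: the signature is same-interface plus reset plus zero bytes, not "teardown" on its own.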

Re: Cisco ASA 5505 - 2 internal Networks

TCP bypass is meant for asymmetric traffic, which is what you have here. LAN2 can send directly to LAN1, but LAN1 must go through the firewall. The response from LAN2 to LAN1 will not pass through the ASA, which is what generated the log messages and kept the connection from working.

You should probably restrict the tcp bypass ACL more than you've done. It's bypassing everything, not just between your internal subnets. Instead of any, define the destination as your LAN1 network. You don't want to do TCP bypass on traffic from LAN2 to the internet.

Do you have an internal DNS server?

Can you post your current NAT configuration?

Re: Cisco ASA 5505 - 2 internal Networks

Question is......

ASA says:

  inter-interface  Permit communication between different interfaces with the
                   same security level
  intra-interface  Permit communication between peers connected to the same
                   interface

Where am I misunderstanding...

I did "inter-interface" first, thinking the devices are on different physical interfaces but the same security level (inside), but it was intra-interface that got the ping working, but .... they are on different physical interfaces??? I am confused?

Or is it a case that it looks at the inside and outside VLANs as the interfaces in this scenario?

The devices/endpoints are accessed through the same interface, the inside interface. It doesn't matter that they are on different VLANs.

Intra-interface basically allows the ASA to redirect traffic out the same interface that it entered on. In the past, the ASA couldn't actually do this type of redirection, only forward between interfaces.

This command is also very useful if you have remote access VPN sessions inbound that need to access resources over a L2L VPN tunnel. The traffic from the VPN sessions enters and leaves on the same interface, usually the outside.

Inter-interface is used if you have multiple interfaces with the same security level, maybe DMZs as an example. It's unlikely that you'll need this on a 5505 but it does happen in environments where there might be many more DMZs or extranets.


Re: Cisco ASA 5505 - 2 internal Networks

Thanks for the info in both posts, Robert, and the explanation.

Never thought of it that way!

I have restricted the access list to be from the 192 network to the 10 network, although I might restrict it down even further. I am surprised the access lists on the ASAs use subnet masks but those on Cisco routers etc. use wildcard masks! I understand that the ASAs were not originally a Cisco design but from another company that was bought out, so perhaps that is why the difference, unless I misunderstood what the person telling me was saying.

I don't currently have a DNS server but in due course might set one up on a VMware box, I have been using openDNS.

I have copied the NAT lines out of the show version below; is this enough info?

nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface nat

Thanks also for the explanation of inter and intra. I suppose this is where I need to make sure that I keep my head straight on logical and physical interfaces; presumably I was thinking in physical interfaces and the ASA was thinking logical for the inside and outside interfaces.

thanks again for your assistance with this.
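Two things in the exchange above are easy to get wrong in the tcp_bypass ACL: how broad `any` really is, and that the ASA takes subnet masks where IOS ACLs take wildcard masks. The Python below is an added example (not config from the thread or from Cisco) that evaluates a flow against ACL entries written in the ASA's network/subnet-mask notation, shows that an `any` destination also exempts internet-bound traffic from state tracking while the narrowed LAN1-to-LAN2 entry does not, and converts between the two mask styles. The ACL contents and the flow addresses are constructed.

```python
import ipaddress

# Constructed ACLs in the ASA's (network, subnet-mask) notation. Each entry is
# (action, protocol, src_net, src_mask, dst_net, dst_mask); "any" is 0.0.0.0 0.0.0.0.
ANY = ("0.0.0.0", "0.0.0.0")
WIDE_BYPASS_ACL = [("permit", "tcp", "192.168.1.0", "255.255.255.0", *ANY)]
NARROW_BYPASS_ACL = [("permit", "tcp", "192.168.1.0", "255.255.255.0",
                      "10.0.50.0", "255.255.255.0")]
# Constructed flows: LAN1 -> LAN2, LAN1 -> a public resolver, LAN2 -> LAN1.
SAMPLE_FLOWS = [("192.168.1.10", "10.0.50.20"),
                ("192.168.1.10", "8.8.8.8"),
                ("10.0.50.20", "192.168.1.10")]


def in_subnet(ip, network, mask):
    """ASA/PIX style match: ip lies inside network/mask, where mask is a real subnet mask.
    (Python's ipaddress would also accept a wildcard here; the ASA itself does not, so
    wildcard masks are converted explicitly with wildcard_to_mask before use.)"""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{network}/{mask}", strict=False)


def mask_to_wildcard(mask):
    """IOS ACLs use wildcard masks, the bitwise inverse of the subnet mask the ASA expects."""
    return str(ipaddress.ip_address(int(ipaddress.ip_address(mask)) ^ 0xFFFFFFFF))


def wildcard_to_mask(wildcard):
    return mask_to_wildcard(wildcard)   # the inversion is its own inverse


def acl_action(acl, proto, src, dst):
    """First matching entry wins; every ASA ACL ends with an implicit deny."""
    for action, p, snet, smask, dnet, dmask in acl:
        if p in (proto, "ip") and in_subnet(src, snet, smask) and in_subnet(dst, dnet, dmask):
            return action
    return "deny"


def bypassed(acl, src, dst):
    """True when a TCP flow would be exempted from state tracking by this tcp_bypass ACL."""
    return acl_action(acl, "tcp", src, dst) == "permit"


def bypass_leaks(acl, flows):
    """Flows the ACL bypasses even though the destination is not a private (internal) address,
    i.e. internet traffic that would lose stateful inspection."""
    return [(s, d) for s, d in flows
            if bypassed(acl, s, d) and not ipaddress.ip_address(d).is_private]


if __name__ == "__main__":
    print("wide ACL leaks:  ", bypass_leaks(WIDE_BYPASS_ACL, SAMPLE_FLOWS))
    print("narrow ACL leaks:", bypass_leaks(NARROW_BYPASS_ACL, SAMPLE_FLOWS))
    print("255.255.255.224 as IOS wildcard:", mask_to_wildcard("255.255.255.224"))
```

The narrow ACL is the one Richard ended up with (192.168.1.0/24 to 10.0.50.0/24); the reverse direction is not listed, which is deliberate, since it is the LAN1-initiated connections whose replies the ASA never sees.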

Cisco ASA 5505 - 2 internal Networks

The ASA line was preceded by the PIX line of firewalls, which was purchased back in the 90s. Cisco did not initially develop it.

Can you include your network objects also? You need to make sure that each LAN has been configured for NAT.


Cisco ASA 5505 - 2 internal Networks

Hi Robert,

Apologies for the delay, I suddenly had to do a lovely 600-mile round trip to Land's End.

I hope I haven't misunderstood what you have asked for but is the following what you are looking for:

object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any
 nat (inside,outside) dynamic interface

These are the only 2 network object entries I can see in the running config.

Am I right in thinking that the network object is like a label to make it easier to identify an object and add it to a ACL or NAT or other configuration?

Thanks again for your assistance.


Cisco ASA 5505 - 2 internal Networks

Wrong forum, post in "Security - firewalling". You can move your posting with the Actions panel on the right.


Cisco ASA 5505 - 2 internal Networks

Thanks, sorry, it was in the wrong place.

Cisco ASA 5505 - 2 internal Networks

An object group is just that, a grouping of stuff that makes ACLs easier to manage. Instead of applying things to an individual item, you apply them to the group. Then you just add items to the group and they have the necessary policy applied. Like a security group in Active Directory.

This is basically saying 'all networks'

object network obj_any
 subnet 0.0.0.0 0.0.0.0

This says the group defined should have NAT applied to all subnets and make them appear externally to be sourced from the outside interface of the ASA.

object network obj_any
 nat (inside,outside) dynamic interface

These look fine for both subnets to access the internet. What ACLs are applied to the interfaces?


Cisco ASA 5505 - 2 internal Networks

Thanks again, Robert.

I have had another look and am not sure if I am getting confused between access control lists and access rules but I have copied the screen showing the Access Rules which is attached.

I have had a look through the running config and did a show access-list, and all I could see was the following:

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list tcp_bypass; 1 elements; name hash: 0xce18d5d2
access-list tcp_bypass line 1 extended permit tcp 192.168.1.0 255.255.255.0 10.0.50.0 255.255.255.0 (hitcnt=0) 0x63dba9fc

Is there something I am missing?

To me it all looks fine, and so I am thinking if I add DNS then it should be fine?

Thanks

Cisco ASA 5505 - 2 internal Networks

Can both subnets access the internet or is LAN2 failing?


Re: Cisco ASA 5505 - 2 internal Networks

Only the 192 subnet can access the internet.

I added the ISP's DNS entries to the PC on the 10 subnet and still no internet access.

I was going to try and enable ICMP on the ASA to allow ping through to be able to test further from the 10 subnet.

I looked at the logs on the ASA whilst trying to access the internet and strangely couldn't see anything from the 10 subnet which made me wonder if it was actually getting through or if there was a problem on the router between the 10 and the 192 but going to check that too.

(Wrote the above this morning but couldn't post as the forum kept giving errors... happy it's working now though :-) ..

I have enabled ping and can ping the ASA from the 10 subnet but can't ping 8.8.8.8 for example I get request timed out.

I have tried to trace route but it gives the 10 subnet router but then nothing. I have a static route on the router to route out the 192 interface.

But still don't get internet.

Oh and for some reason the 192 PC's and servers have stopped responding to ping....

When I enabled ICMP inspect to allow ping I also enabled inspect icmp error, and that is what stopped the pings from the 10 subnet to the 192 subnet, so I have disabled it and it is now working.

Should I have inspect icmp error enabled? It said it enabled NAT, but I am confused about the word "error" and NAT?

Many thanks


Cisco ASA 5505 - 2 internal Networks

First of all, can you get me a show tech? Second, if you are talking about the two networks that are behind the inside interface of the ASA 5505, you can configure hairpinning or TCP bypass, but this is just a network design flaw that can be corrected without having to change things on the ASA, as that over-complicates things.

Things that I need to know before hand to help you out would be:

The internal router: what is the default gateway of that device? If it is the ASA, all we need is for the 192.168.1.0/24 hosts to point to the router; that way we would avoid configuring a U-turn or TCP bypass, and traffic would be routed by the internal router for internal communication, with anything else sent to the ASA.

If you get me the configuration I can tell you what you need to add to be able to NAT or PAT out to the Internet.

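Jumora's point here, the PIX Q&A in the accepted solution and Robert's asymmetric-routing explanation all come down to which path a packet and its reply take. The Python below is an added example, not code from the thread, that models the diagram as hosts, an internal router and a stateful ASA, and traces both directions of a flow. With the LAN1 PCs pointing at the ASA, LAN1-to-LAN2 traffic is dropped until intra-interface traffic is permitted, and then becomes asymmetric (the ASA sees only the forward path); with the PCs pointing at the router, LAN-to-LAN traffic never touches the ASA, and internet flows from either LAN pass through it symmetrically. Only the router's 192.168.1.252 address comes from the thread; the ASA inside IP 192.168.1.1, the router's 10.0.50.1, the 203.0.113.0/24 ISP side and the host addresses are assumptions.

```python
import ipaddress


def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


class Host:
    def __init__(self, name, ip, subnet, gateway):
        self.name, self.ip, self.subnet, self.gateway = name, ip, net(subnet), gateway


class L3Device:
    """Router or firewall. interfaces: {name: (own IP, CIDR)}; routes: [(CIDR, next hop)];
    default: next-hop IP for 0.0.0.0/0. A stateful device models the ASA, which refuses to
    send a packet back out its ingress interface unless intra_interface is True
    (same-security-traffic permit intra-interface)."""
    def __init__(self, name, interfaces, routes=(), default=None, stateful=False, intra_interface=False):
        self.name = name
        self.interfaces = {ifn: (ip, net(cidr)) for ifn, (ip, cidr) in interfaces.items()}
        self.routes = [(net(cidr), nh) for cidr, nh in routes]
        self.default, self.stateful, self.intra_interface = default, stateful, intra_interface

    def iface_for(self, ip):
        """Interface whose connected network contains ip, or None."""
        addr = ipaddress.ip_address(ip)
        return next((ifn for ifn, (_, n) in self.interfaces.items() if addr in n), None)

    def next_hop(self, dst):
        """(egress interface, next-hop IP): connected first, then longest-prefix static, then default."""
        if self.iface_for(dst):
            return self.iface_for(dst), dst
        addr = ipaddress.ip_address(dst)
        matches = [(n, nh) for n, nh in self.routes if addr in n]
        if matches:
            _, nh = max(matches, key=lambda m: m[0].prefixlen)
            return self.iface_for(nh), nh
        if self.default:
            return self.iface_for(self.default), self.default
        return None, None


class Topology:
    def __init__(self, hosts, devices):
        self.hosts = {h.name: h for h in hosts}
        self.by_ip = {h.ip: h for h in hosts}
        for d in devices:
            for ip, _ in d.interfaces.values():
                self.by_ip[ip] = d

    def trace(self, src_name, dst_ip):
        """Names of the nodes a packet visits, ending at a host or at a DROP marker."""
        node = self.hosts[src_name]
        prev_ip, path = node.ip, [node.name]
        for _ in range(16):                                   # hop limit catches routing loops
            if isinstance(node, Host):
                nh = dst_ip if ipaddress.ip_address(dst_ip) in node.subnet else node.gateway
            else:
                ingress = node.iface_for(prev_ip)
                egress, nh = node.next_hop(dst_ip)
                if nh is None or egress is None:
                    return path + [f"DROP:{node.name}:no-route"]
                if node.stateful and egress == ingress and not node.intra_interface:
                    return path + [f"DROP:{node.name}:intra-interface-not-permitted"]
                prev_ip = node.interfaces[egress][0]
            node = self.by_ip.get(nh)
            if node is None:
                return path + [f"DROP:unknown-next-hop:{nh}"]
            path.append(node.name)
            if isinstance(node, Host):
                return path
        return path + ["DROP:hop-limit"]


def build(lan1_gateway, intra_interface=False):
    """Constructed topology in the shape of the thread's diagram (addresses are assumptions,
    except the router's 192.168.1.252). lan1_gateway is what the LAN1 PCs point at."""
    asa = L3Device("ASA", {"inside": ("192.168.1.1", "192.168.1.0/24"),
                           "outside": ("203.0.113.2", "203.0.113.0/24")},
                   routes=[("10.0.50.0/24", "192.168.1.252")], default="203.0.113.1",
                   stateful=True, intra_interface=intra_interface)
    router = L3Device("ROUTER", {"fa0/0": ("192.168.1.252", "192.168.1.0/24"),
                                 "fa0/1": ("10.0.50.1", "10.0.50.0/24")}, default="192.168.1.1")
    hosts = [Host("LAN1-PC", "192.168.1.10", "192.168.1.0/24", lan1_gateway),
             Host("LAN2-PC", "10.0.50.20", "10.0.50.0/24", "10.0.50.1"),
             Host("INTERNET", "203.0.113.1", "203.0.113.0/24", "203.0.113.2")]  # stub for the ISP and beyond
    return Topology(hosts, [asa, router])


def flow_report(topo, client, server, firewall="ASA"):
    """Forward and return paths for a pair of hosts, and whether the firewall sees only one of them."""
    fwd = topo.trace(client, topo.hosts[server].ip)
    rev = topo.trace(server, topo.hosts[client].ip)
    return {"forward": fwd, "reverse": rev,
            "asymmetric": (firewall in fwd) != (firewall in rev),
            "dropped": any(hop.startswith("DROP") for hop in fwd + rev)}


if __name__ == "__main__":
    for gw, intra in (("192.168.1.1", False), ("192.168.1.1", True), ("192.168.1.252", False)):
        print(f"LAN1 gateway {gw}, intra-interface {intra}:", flow_report(build(gw, intra), "LAN1-PC", "LAN2-PC"))
```

Run directly, the first scenario stops at the ASA with an intra-interface marker, the second reaches LAN2 but reports the flow as asymmetric, and the third keeps the ASA out of LAN-to-LAN traffic altogether, which is the routing change the accepted answer recommends.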

Cisco ASA 5505 - 2 internal Networks

Hi Jumora,

Thanks for the reply.

The 192 network behind the ASA can access the internet but the 10 network past the 1841 router can't.

I have setup tcp bypass already as that got me at least remote access to the PC's on the 10 network from the 192 network.

I had the 1841 router set to use the interface on the 192 subnet as the route to the 0.0.0.0 0.0.0.0 network, but I couldn't get out. I have just changed this to go to the inside interface of the ASA and can now ping 8.8.8.8, for example, but still no internet access.

Also I have found that the ASA seems to occasionally (when it feels like it) block pings from the 10 subnet to devices in the 192 subnet...... annoying for testing! But I can still access shares even though the ping fails.

e.g. as per above yesterday it stopped when I enabled icmp error inspection but when I switched that off it worked again. Then suddenly again today with no changes it has stopped working again, drives me nuts the inconsistency!

I couldn't find an attach option for the show tech so it has made this post massive.... apologies for that....

ASA5505# show tech

Cisco Adaptive Security Appliance Software Version 8.4(4)1

Device Manager Version 6.4(9)

Compiled on Thu 14-Jun-12 11:20 by builders

System image file is "disk0:/asa844-1-k8.bin"

Config file at boot was "startup-config"

ASA5505 up 8 days 23 hours

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz

Internal ATA Compact Flash, 128MB

BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)

                             Boot microcode   : CN1000-MC-BOOT-2.00

                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03

                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06

                             Number of accelerators: 1

0: Int: Internal-Data0/0    : address is 4403.a7a2.e7c7, irq 11

1: Ext: Ethernet0/0         : address is 4403.a7a2.e7bf, irq 255

2: Ext: Ethernet0/1         : address is 4403.a7a2.e7c0, irq 255

3: Ext: Ethernet0/2         : address is 4403.a7a2.e7c1, irq 255

4: Ext: Ethernet0/3         : address is 4403.a7a2.e7c2, irq 255

5: Ext: Ethernet0/4         : address is 4403.a7a2.e7c3, irq 255

6: Ext: Ethernet0/5         : address is 4403.a7a2.e7c4, irq 255

7: Ext: Ethernet0/6         : address is 4403.a7a2.e7c5, irq 255

8: Ext: Ethernet0/7         : address is 4403.a7a2.e7c6, irq 255

9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255

10: Int: Not used            : irq 255

11: Int: Not used            : irq 255

Licensed features for this platform:

Maximum Physical Interfaces       : 8              perpetual

VLANs                             : 3              DMZ Restricted

Dual ISPs                         : Disabled       perpetual

VLAN Trunk Ports                  : 0              perpetual

Inside Hosts                      : 50             perpetual

Failover                          : Disabled       perpetual

VPN-DES                           : Enabled        perpetual

VPN-3DES-AES                      : Enabled        perpetual

AnyConnect Premium Peers          : 2              perpetual

AnyConnect Essentials             : Disabled       perpetual

Other VPN Peers                   : 10             perpetual

Total VPN Peers                   : 12             perpetual

Shared License                    : Disabled       perpetual

AnyConnect for Mobile             : Disabled       perpetual

AnyConnect for Cisco VPN Phone    : Disabled       perpetual

Advanced Endpoint Assessment      : Disabled       perpetual

UC Phone Proxy Sessions           : 2              perpetual

Total UC Proxy Sessions           : 2              perpetual

Botnet Traffic Filter             : Disabled       perpetual

Intercompany Media Engine         : Disabled       perpetual

This platform has a Base license.

Serial Number: JMX3434343T

Running Permanent Activation Key: 0x8509ef7f 0x2cff5895 0xa4675895 0x7989798 0xc1323132

Configuration register is 0x1

Configuration last modified by enable_15 at 16:21:28.863 UTC Wed Oct 23 2013

------------------ show disk0: controller ------------------

Flash Model: SMART CF

------------------ show clock ------------------

04:43:59.822 UTC Thu Oct 24 2013

------------------ show crashinfo ------------------

No crash file found.

------------------ show module ------------------

Mod Card Type                                    Model              Serial No.

--- -------------------------------------------- ------------------ -----------

  0 ASA 5505 Adaptive Security Appliance         ASA5505            JMX3434343T

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version    

--- --------------------------------- ------------ ------------ ---------------

  0 1255.a3a4.e3bf to 1233.a4a4.e4c4  0.1          1.0(12)13    8.4(4)1

Mod SSC Application Name           Status           SSC Application Version

--- ------------------------------ ---------------- --------------------------

Mod Status             Data Plane Status     Compatibility

--- ------------------ --------------------- -------------

  0 Up Sys             Not Applicable        

------------------ show memory ------------------

Free memory:         283382600 bytes (53%)

Used memory:         253488312 bytes (47%)

-------------     ------------------

Total memory:        536870912 bytes (100%)

------------------ show conn count ------------------

76 in use, 704 most used

------------------ show xlate count ------------------

80 in use, 814 most used

------------------ show vpn-sessiondb summary ------------------

No sessions to display.

------------------ show blocks ------------------

  SIZE    MAX    LOW    CNT

     0    400    399    400

4    100     99     99

    80    347    332    347

   256    200    192    195

  1550   6374   6306   6371

  2048   1200   1199   1200

  2560    264    264    264

  4096    100     99    100

  8192    100     99    100

16384    100     99    100

65536     16     15     16

CORE  LIMIT  ALLOC   HIGH    CNT       FAILED

   0  24576     26     26     25            0

------------------ show blocks queue history detail ------------------

History buffer memory usage: 2832 bytes (default)

History analysis time limit: 100 msec

Please see 'show blocks exhaustion snapshot' for more information

------------------ show interface ------------------

Interface Ethernet0/0 "", is up, line protocol is up

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

Input flow control is unsupported, output flow control is unsupported

Available but not configured via nameif

MAC address 4403.a7a2.e7bf, MTU not set

IP address unassigned

8257648 packets input, 9051289473 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 pause input, 0 resume input

0 L2 decode drops

6222 switch ingress policy drops

6399241 packets output, 1011134108 bytes, 0 underruns

0 pause output, 0 resume output

0 output errors, 0 collisions, 0 interface resets

0 late collisions, 0 deferred

0 rate limit drops

0 switch egress policy drops

0 input reset drops, 0 output reset drops

  Control Point Interface States:

Interface number is 3

Interface config status is active

Interface state is active

Interface Ethernet0/1 "", is up, line protocol is up

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

Input flow control is unsupported, output flow control is unsupported

Available but not configured via nameif

MAC address 4403.a7a2.e7c0, MTU not set

IP address unassigned

1330699 packets input, 312264395 bytes, 0 no buffer

Received 63097 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 pause input, 0 resume input

0 L2 decode drops

0 switch ingress policy drops

1738131 packets output, 637935280 bytes, 0 underruns

0 pause output, 0 resume output

0 output errors, 0 collisions, 0 interface resets

0 late collisions, 0 deferred

0 rate limit drops

0 switch egress policy drops

0 input reset drops, 0 output reset drops

  Control Point Interface States:

Interface number is 4

Interface config status is active

Interface state is active

Interface Ethernet0/2 "", is up, line protocol is up

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

Input flow control is unsupported, output flow control is unsupported

Available but not configured via nameif

MAC address 4403.a7a2.e7c1, MTU not set

IP address unassigned

5028958 packets input, 693527818 bytes, 0 no buffer

Received 28835 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 pause input, 0 resume input

0 L2 decode drops

1 switch ingress policy drops

7782140 packets output, 8316018900 bytes, 0 underruns

0 pause output, 0 resume output

0 output errors, 0 collisions, 0 interface resets

0 late collisions, 0 deferred

0 rate limit drops

0 switch egress policy drops

0 input reset drops, 0 output reset drops

  Control Point Interface States:

Interface number is 5

Interface config status is active

Interface state is active

Interface Ethernet0/3 "", is up, line protocol is up

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

Input flow control is unsupported, output flow control is unsupported

Available but not configured via nameif

MAC address 4403.a7a2.e7c2, MTU not set

IP address unassigned

17048409 packets input, 21350059442 bytes, 0 no buffer

Received 75081 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 pause input, 0 resume input

0 L2 decode drops

18 switch ingress policy drops

8319277 packets output, 5138543287 bytes, 0 underruns

0 pause output, 0 resume output

0 output errors, 0 collisions, 0 interface resets

0 late collisions, 0 deferred

0 rate limit drops

0 switch egress policy drops

0 input reset drops, 0 output reset drops

  Control Point Interface States:

Interface number is 6

Interface config status is active

Interface state is active

Interface Ethernet0/4 "", is down, line protocol is down

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

Auto-Duplex, Auto-Speed

Input flow control is unsupported, output flow control is unsupported

Available but not configured via nameif

MAC address 4403.a7a2.e7c3, MTU not set

IP address unassigned

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 pause input, 0 resume input

0 L2 decode drops

0 switch ingress policy drops

0 packets output, 0 bytes, 0 underruns

0 pause output, 0 resume output

0 output errors, 0 collisions, 0 interface resets

0 late collisions, 0 deferred

0 rate limit drops

0 switch egress policy drops

0 input reset drops, 0 output reset drops

  Control Point Interface States:

Interface number is 7

Interface config status is not active

Interface state is active

Interface Ethernet0/5 "", is down, line protocol is down

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

Auto-Duplex, Auto-Speed

Input flow control is unsupported, output flow control is unsupported

Available but not configured via nameif

MAC address 4403.a7a2.e7c4, MTU not set

IP address unassigned

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 pause input, 0 resume input

0 L2 decode drops

0 switch ingress policy drops

0 packets output, 0 bytes, 0 underruns

0 pause output, 0 resume output

0 output errors, 0 collisions, 0 interface resets

0 late collisions, 0 deferred

0 rate limit drops

0 switch egress policy drops

0 input reset drops, 0 output reset drops

  Control Point Interface States:

Interface number is 8

Interface config status is not active

Interface state is active

Interface Ethernet0/6 "", is down, line protocol is down

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

Auto-Duplex, Auto-Speed

Input flow control is unsupported, output flow control is unsupported

Available but not configured via nameif

MAC address 4403.a7a2.e7c5, MTU not set

IP address unassigned

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 pause input, 0 resume input

0 L2 decode drops

0 switch ingress policy drops

0 packets output, 0 bytes, 0 underruns

0 pause output, 0 resume output

0 output errors, 0 collisions, 0 interface resets

0 late collisions, 0 deferred

0 rate limit drops

0 switch egress policy drops

0 input reset drops, 0 output reset drops

  Control Point Interface States:

Interface number is 9

Interface config status is not active

Interface state is active

Interface Ethernet0/7 "", is up, line protocol is up

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

Input flow control is unsupported, output flow control is unsupported

Available but not configured via nameif

MAC address 4403.a7a2.e7c6, MTU not set

IP address unassigned

7293552 packets input, 4521902362 bytes, 0 no buffer

Received 6520 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 pause input, 0 resume input

0 L2 decode drops

0 switch ingress policy drops

16232858 packets output, 21234947011 bytes, 0 underruns

0 pause output, 0 resume output

0 output errors, 0 collisions, 0 interface resets

0 late collisions, 0 deferred

0 rate limit drops

0 switch egress policy drops

0 input reset drops, 0 output reset drops

  Control Point Interface States:

Interface number is 10

Interface config status is active

Interface state is active

Interface Internal-Data0/0 "", is up, line protocol is up

  Hardware is y88acs06, BW 1000 Mbps, DLY 10 usec

(Full-duplex), (1000 Mbps)

Input flow control is unsupported, output flow control is unsupported

MAC address 4403.a2a2.e2c2, MTU not set

IP address unassigned

15222257 packets input, 10134321711 bytes, 0 no buffer

Received 173531 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 pause input, 0 resume input

0 L2 decode drops, 0 demux drops

15128507 packets output, 10256870512 bytes, 0 underruns

0 pause output, 0 resume output

0 output errors, 0 collisions, 0 interface resets

0 late collisions, 0 deferred

0 input reset drops, 0 output reset drops, 0 tx hangs

input queue (blocks free curr/low): hardware (512/487)

output queue (blocks free curr/low): hardware (512/450)

  Control Point Interface States:

Interface number is 2

Interface config status is active

Interface state is active

Interface Internal-Data0/1 "", is up, line protocol is up

  Hardware is 88E6095, BW 1000 Mbps, DLY 10 usec

(Full-duplex), (1000 Mbps)

Input flow control is unsupported, output flow control is unsupported

MAC address 0000.0003.0002, MTU not set

IP address unassigned

15128465 packets input, 10256855882 bytes, 0 no buffer

Received 1967 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 pause input, 0 resume input

0 switch ingress policy drops

15222217 packets output, 10134318430 bytes, 0 underruns

0 pause output, 0 resume output

0 output errors, 0 collisions, 0 interface resets

0 late collisions, 0 deferred

0 switch egress policy drops

0 input reset drops, 0 output reset drops

  Control Point Interface States:

Interface number is 11

Interface config status is active

Interface state is active

Interface Vlan1 "inside", is up, line protocol is up

  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec

MAC address 4403.a7a2.e7c7, MTU 1500

IP address 192.168.1.1, subnet mask 255.255.255.0

  Traffic Statistics for "inside":

4183727 packets input, 523675346 bytes

5702790 packets output, 5851485425 bytes

142576 packets dropped

      1 minute input rate 22 pkts/sec,  2839 bytes/sec

      1 minute output rate 30 pkts/sec,  22751 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 33 pkts/sec,  3746 bytes/sec

      5 minute output rate 46 pkts/sec,  20906 bytes/sec

      5 minute drop rate, 1 pkts/sec

  Control Point Interface States:

Interface number is 14

Interface config status is active

Interface state is active

Interface Vlan2 "outside", is up, line protocol is up

  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec

MAC address 4403.a7a2.e7c7, MTU 1492

IP address 98.22.77.33, subnet mask 255.255.255.255

  Traffic Statistics for "outside":

10541983 packets input, 11433817622 bytes

3793777 packets output, 526586888 bytes

13654 packets dropped

      1 minute input rate 47 pkts/sec,  41657 bytes/sec

      1 minute output rate 18 pkts/sec,  2802 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 80 pkts/sec,  38519 bytes/sec

      5 minute output rate 29 pkts/sec,  3749 bytes/sec

      5 minute drop rate, 0 pkts/sec

  Control Point Interface States:

Interface number is 15

Interface config status is active

Interface state is active

Interface Virtual0 "_internal_loopback", is up, line protocol is up

  Hardware is Virtual          MAC address 0000.0000.0000, MTU 1500

IP address 127.0.0.1, subnet mask 255.255.255.0

  Traffic Statistics for "_internal_loopback":

1 packets input, 28 bytes

1 packets output, 28 bytes

1 packets dropped

      1 minute input rate 0 pkts/sec,  0 bytes/sec

      1 minute output rate 0 pkts/sec,  0 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 0 pkts/sec,  0 bytes/sec

      5 minute output rate 0 pkts/sec,  0 bytes/sec

      5 minute drop rate, 0 pkts/sec

  Control Point Interface States:

Interface number is 12

Interface config status is active

Interface state is active

------------------ show cpu usage ------------------

CPU utilization for 5 seconds = 12%; 1 minute: 8%; 5 minutes: 8%

------------------ show cpu hogging process ------------------

Process:      Unicorn Admin Handler, PROC_PC_TOTAL: 1, MAXHOG: 23, LASTHOG: 23

LASTHOG At:   06:01:57 UTC Oct 15 2013

PC:           0x0853e1f4 (suspend)

Process:      Unicorn Admin Handler, NUMHOG: 1, MAXHOG: 23, LASTHOG: 23

LASTHOG At:   06:01:57 UTC Oct 15 2013

PC:           0x0853e1f4 (suspend)

Call stack:   0x0853e1f4  0x0853ec36  0x0854182c  0x0869cc4b  0x08415ae7  0x0840ae40  0x0806e6cf

              0x08aade2b  0x0806e6cf  0x084a0a44  0x0849986d  0x08499aac  0x08499dd6  0x084a0909

Process:      Unicorn Admin Handler, PROC_PC_TOTAL: 2, MAXHOG: 18, LASTHOG: 18

LASTHOG At:   06:01:57 UTC Oct 15 2013

PC:           0x0853fb48 (suspend)

Process:      Unicorn Admin Handler, NUMHOG: 2, MAXHOG: 18, LASTHOG: 18

LASTHOG At:   06:01:57 UTC Oct 15 2013

PC:           0x0853fb48 (suspend)

Call stack:   0x0853fb48  0x0853fd1d  0x0853e1bc  0x0853ec36  0x0854182c  0x0869cc4b  0x08415ae7

      0x0840ae40  0x0806e6cf  0x08aade2b  0x0806e6cf  0x084a0a44  0x0849986d  0x08499aac

Process:      Unicorn Admin Handler, PROC_PC_TOTAL: 2, MAXHOG: 24, LASTHOG: 24

LASTHOG At:   06:01:57 UTC Oct 15 2013

PC:           0x084167d2 (suspend)

Process:      Unicorn Admin Handler, NUMHOG: 2, MAXHOG: 24, LASTHOG: 24

LASTHOG At:   06:01:57 UTC Oct 15 2013

PC:           0x084167d2 (suspend)

Call stack:   0x08538afd  0x0853fa3a  0x0853fd1d  0x0853e1bc  0x0853ec36  0x0854182c  0x0869cc4b

              0x08415ae7  0x0840ae40  0x0806e6cf  0x08aade2b  0x0806e6cf  0x084a0a44  0x0849986d

Process:      Unicorn Admin Handler, PROC_PC_TOTAL: 1, MAXHOG: 12, LASTHOG: 12

LASTHOG At:   06:01:57 UTC Oct 15 2013

PC:           0x08ee9b4e (suspend)

Process:      Unicorn Admin Handler, NUMHOG: 1, MAXHOG: 12, LASTHOG: 12

LASTHOG At:   06:01:57 UTC Oct 15 2013

PC:           0x08ee9b4e (suspend)

Call stack:   0x08ee9e12  0x084a1032  0x0849986d  0x08499aac  0x08499dd6  0x084a0909  0x080689bc

Process:      Dispatch Unit, PROC_PC_TOTAL: 2, MAXHOG: 12, LASTHOG: 12

LASTHOG At:   06:01:57 UTC Oct 15 2013

PC:           0x081e208a (suspend)

Process:      Dispatch Unit, NUMHOG: 2, MAXHOG: 12, LASTHOG: 12

LASTHOG At:   06:01:57 UTC Oct 15 2013

PC:           0x081e208a (suspend)

Call stack:   0x081e208a  0x080689bc

Process:      Unicorn Admin Handler, NUMHOG: 1, MAXHOG: 180, LASTHOG: 180

LASTHOG At:   07:24:33 UTC Oct 19 2013

PC:           0x0806a8c2 (suspend)

Call stack:   0x0806a8c2  0x08a8ebd7  0x08a8f7c8  0x08a914fa  0x080ddd6f  0x080df9db  0x080f4132

              0x080f5b16  0x080dd956  0x080de0ef  0x080de876  0x080dea37  0xdd6e6c1c  0xdd6e71b5

Process:      rtcli async executor process, NUMHOG: 14, MAXHOG: 94, LASTHOG: 82

LASTHOG At:   07:28:06 UTC Oct 19 2013

PC:           0x08f262e3 (suspend)

Call stack:   0x0806a881  0x08f262e3  0x08f432a2  0x09064ba8  0x0903dfa9  0x0904f88d  0x0903ed70

              0x09036221  0x0903d29b  0x0903d49f  0x09035ffa  0x09055321  0x0903dfa9  0x0904f88d

Process:      rtcli async executor process, PROC_PC_TOTAL: 27, MAXHOG: 319, LASTHOG: 88

LASTHOG At:   07:28:06 UTC Oct 19 2013

PC:           0x08f4212d (suspend)

Process:      rtcli async executor process, NUMHOG: 27, MAXHOG: 319, LASTHOG: 88

LASTHOG At:   07:28:06 UTC Oct 19 2013

PC:           0x08f4212d (suspend)

Call stack:   0x08069faa  0x08f4212d  0x08f260b6  0x08f27b85  0x08f27c35  0xcb147b98

Process:      rtcli async executor process, PROC_PC_TOTAL: 12, MAXHOG: 45, LASTHOG: 10

LASTHOG At:   07:28:14 UTC Oct 19 2013

PC:           0x08f2594b (suspend)

Process:      rtcli async executor process, NUMHOG: 12, MAXHOG: 45, LASTHOG: 10

LASTHOG At:   07:28:14 UTC Oct 19 2013

PC:           0x08f2594b (suspend)

Call stack:   0x0806a881  0x08f2594b  0x08f27b85  0x08f27c35  0xcb147b98

Process:      Unicorn Admin Handler, NUMHOG: 4, MAXHOG: 11, LASTHOG: 11

LASTHOG At:   07:28:14 UTC Oct 19 2013

PC:           0x0806a8c2 (suspend)

Call stack:   0x0806a8c2  0x08a8ebd7  0x08b9aa46  0x08b9ad0e  0x080dc76f  0xdd6e6961  0xdd6e71b5

              0xdd6e7b07  0xdd6e8d5c  0xdd6e138d  0xdd6e247a  0x080dcb22  0x0849f899  0x084981c7

Process:      rtcli async executor process, PROC_PC_TOTAL: 83, MAXHOG: 298, LASTHOG: 119

LASTHOG At:   07:28:16 UTC Oct 19 2013

PC:           0x08f262e3 (suspend)

Process:      rtcli async executor process, NUMHOG: 47, MAXHOG: 298, LASTHOG: 119

LASTHOG At:   07:28:16 UTC Oct 19 2013

PC:           0x08f262e3 (suspend)

Call stack:   0x0806a881  0x08f262e3  0x08f38fad  0x08f3acc0  0x0905a29e  0x0905b2ba  0x0903dfa9

              0x0903ecb5  0x0904f6f5  0x0903ed70  0x09036221  0x0903d29b  0x0903d49f  0x09035ffa

Process:      Unicorn Admin Handler, NUMHOG: 3, MAXHOG: 180, LASTHOG: 180

LASTHOG At:   07:28:16 UTC Oct 19 2013

PC:           0x0806a8c2 (suspend)

Call stack:   0x0806a881  0x0806a8c2  0x0816261b  0x095302a7  0x0954abef  0x0954acc3  0x0815aabe

              0x08134da6  0x08c64632  0x08ea8079  0x08ea8481  0x08ea85f7  0x08f41adc  0x0806e6cf

Process:      Unicorn Admin Handler, NUMHOG: 3, MAXHOG: 15, LASTHOG: 15

LASTHOG At:   07:28:20 UTC Oct 19 2013

PC:           0x0806a8c2 (suspend)

Call stack:   0x0806a881  0x0806a8c2  0x0947a399  0x0946d24d  0x0946d364  0x08c2b0e6  0x08c38f65

              0x08ea810b  0x08ea8481  0x08ea85f7  0x08f41adc  0x0806e6cf  0x08f3cc48  0x092afca6

Process:      Unicorn Admin Handler, NUMHOG: 3, MAXHOG: 64, LASTHOG: 64

LASTHOG At:   07:28:20 UTC Oct 19 2013

PC:           0x0806a8c2 (suspend)

Call stack:   0x0806a881  0x0806a8c2  0x0947a3e4  0x09479cf9  0x094750eb  0x08c3f645  0x08c3fcab

              0x08c2b235  0x08c38f65  0x08ea810b  0x08ea8481  0x08ea85f7  0x08f41adc  0x0806e6cf

Process:      IP Thread, NUMHOG: 4, MAXHOG: 14, LASTHOG: 14

LASTHOG At:   07:28:24 UTC Oct 19 2013

PC:           0x0806a8c2 (suspend)

Call stack:   0x0806a8c2  0x0947a399  0x0946d24d  0x0946d364  0x08c2b0e6  0x08c38f65  0x08ea810b

              0x08ea8481  0x08ea85f7  0x08ea5f86  0x090e086e  0x090e0b6e  0x090b9a99  0x090b6b00

Process:      Unicorn Admin Handler, PROC_PC_TOTAL: 22, MAXHOG: 180, LASTHOG: 64

LASTHOG At:   07:28:24 UTC Oct 19 2013

PC:           0x0806a8c2 (suspend)

Process:      IP Thread, NUMHOG: 4, MAXHOG: 64, LASTHOG: 64

LASTHOG At:   07:28:24 UTC Oct 19 2013

PC:           0x0806a8c2 (suspend)

Call stack:   0x0806a8c2  0x0947a3e4  0x09479cf9  0x094750eb  0x08c3f645  0x08c3fcab  0x08c2b235

              0x08c38f65  0x08ea810b  0x08ea8481  0x08ea85f7  0x08ea5f86  0x090e086e  0x090e0b6e

CPU hog threshold (msec): 10.240

Last cleared: None

------------------ show process ------------------

    PC       SP       STATE       Runtime    SBASE     Stack Process

Lwe 0x08058ba4 0xc82baf84 0x0a345788          0 0xc82b7078 15760/16384 block_diag

Mrd 0x081e1e11 0xc82ed54c 0x0a346144     430188 0xc82cd6e0 120548/131072 Dispatch Unit

Msi 0x087509a4 0xc82fdcb4 0x0a3458b0        713 0xc82f9da8 15688/16384 WebVPN KCD Process

Msi 0x09200c7b 0xc839b3d4 0x0a3458b0       3466 0xc83974c8 15688/16384 y88acs06 OneSec Thread

Mwe 0x080718dd 0xc83a3804 0x0a3458b0          0 0xc839f948 15808/16384 Reload Control Thread

Mwe 0x080849b9 0xc83ae79c 0x0a346e2c          0 0xc83aabe0 15256/16384 aaa

Mwe 0x08f4212d 0xc8d3d1e4 0x0a3458b0          9 0xc83aed78 15056/16384 UserFromCert Thread

Mwe 0x08f4212d 0xc9003fe4 0x0a3458b0         14 0xc83b2f50 14528/16384 aaa_shim_thread

Mwe 0x080b477c 0xc83bfa1c 0x0a347eb4          0 0xc83bbb20 15760/16384 CMGR Server Process

Mwe 0x080b6ded 0xc83c3b64 0x0a3458b0          0 0xc83bfcb8 15832/16384 CMGR Timer Process

Lwe 0x081e0474 0xc83d83bc 0x0a3568e0          0 0xc83d44b0 15488/16384 dbgtrace

Mwe 0x084de0ed 0xc83ef574 0x0a3458b0          0 0xc83e76d8 31680/32768 idfw_proc

Mwe 0x084ea35b 0xc83f75b4 0x0a3458b0          0 0xc83ef708 32216/32768 idfw_service

Mwe 0x084f5fc5 0xc83fb70c 0x0a3458b0          0 0xc83f78a0 15524/16384 idfw_adagent

Mwe 0x085351b5 0xc84038dc 0x0a3458b0         89 0xc83ffbd0 11568/16384 eswilp_svi_init

Mwe 0x08f4212d 0xc8770564 0x0a3458b0          0 0xc8433aa0 15280/16384 netfs_thread_init

Mwe 0x09576795 0xc844c10c 0x0a3458b0          0 0xc8448290 15848/16384 Chunk Manager

Msi 0x08ae10be 0xc84508ac 0x0a3458b0       3523 0xc844c9c0 15656/16384 PIX Garbage Collector

Mwe 0x08ac328a 0xc8461a0c 0x0a1d5d24          0 0xc845db00 16104/16384 IP Address Assign

Mwe 0x08d0477a 0xc85f7534 0x0a251838          0 0xc85f3628 16104/16384 QoS Support Module

Mwe 0x08b5c32a 0xc85fb70c 0x0a1d6c88          0 0xc85f7800 16104/16384 Client Update Task

Lwe 0x095d54f5 0xc860009c 0x0a3458b0     109750 0xc85fc1f0 14448/16384 Checkheaps

Mwe 0x08d093ed 0xc861080c 0x0a3458b0        454 0xc86089a0 19328/32768 Quack process

Mwe 0x08d8569d 0xc86189c4 0x0a3458b0        533 0xc8610b38 31952/32768 Session Manager

Mwe 0x08ed964d 0xc8620cd4 0xcadf5b08          8 0xc861ce68 15464/16384 uauth

Mwe 0x08e66621 0xc8624f0c 0x0a264a10          0 0xc8621000 15632/16384 Uauth_Proxy

Msp 0x08ea87de 0xc86313d4 0x0a3458b0        561 0xc862d4c8 15688/16384 SSL

Mwe 0x08ed72d4 0xc863554c 0x0a26bc14          0 0xc8631660 15708/16384 SMTP

Mwe 0x08ed170c 0xc86396a4 0x0a26af38      23255 0xc86357f8 13608/16384 Logger

Mwe 0x08ecfd1d 0xc863d80c 0x0a3458b0          0 0xc8639990 15784/16384  Syslog Retry Thread

Mwe 0x08ecadf5 0xc86419d4 0x0a3458b0          0 0xc863db28 15600/16384 Thread Logger

Mwe 0x08ed50b4 0xc866457c 0x0a26b5e0          0 0xc8660680 15464/16384 syslogd

Mwe 0x09132032 0xc8681094 0x0a2a5688          0 0xc867d1a8 15328/16384 vpnlb_thread

Mwe 0x092037ec 0xc86916c4 0x0a2aa9e8          0 0xc868d808 16024/16384 pci_nt_bridge

Mwe 0x082beb95 0xc8756e44 0x0a3458b0          0 0xc8752fb8 15864/16384 TLS Proxy Inspector

Msi 0x08da221c 0xc87d44a4 0x0a3458b0       2749 0xc87d0598 15688/16384 emweb/cifs_timer

Mwe 0x08852cc4 0xc88291f4 0x0a1c4c44          0 0xc88252f8 15712/16384 netfs_mount_handler

Msi 0x086b4248 0xc8316454 0x0a3458b0      27304 0xc8312568 15312/16384 arp_timer

Mwe 0x086bc58e 0xc8447fb4 0x0a371110          0 0xc84440f8 16024/16384 arp_forward_thread

Mwe 0x08eddb77 0xc8f2e27c 0x0a26c680          0 0xc8f2a380 15672/16384 tcp_fast

Mwe 0x08ee69a8 0xc8f3229c 0x0a26c680          0 0xc8f2e3b0 15656/16384 tcp_slow

Mwe 0x08f1df34 0xc8f42fac 0x0a2745d0          0 0xc8f3f0b0 16000/16384 udp_timer

Mwe 0x0814110d 0xc8fb133c 0xc83ca8d0          4 0xc8fad4a0 15664/16384 IPsec message handler

Mwe 0x087515c6 0xc8fdc834 0x0a376060          1 0xc8fd8958 16056/16384 Lic TMR

Mwe 0x087513bc 0xc8fe0884 0x0a1c0ea0        242 0xc8fdc988 16088/16384 Lic HA

Msi 0x08153267 0xc84270dc 0x0a3458b0      54986 0xc8423440 13872/16384 CTM message handler

Mwe 0x0811bd2d 0xc843bb8c 0x0a3458b0          0 0xc8437ce0 15832/16384 CTCP Timer process

Mwe 0x090d3d95 0xc843fbac 0x0a3458b0          0 0xc843bd10 15816/16384 L2TP data daemon

Mwe 0x090d6605 0xc9b5b24c 0x0a3458b0          0 0xc9b573b0 15816/16384 L2TP mgmt daemon

Mwe 0x090c2b27 0xc9b9339c 0x0a29a3ec       2228 0xc9b8f4e0 15480/16384 ppp_timer_thread

Msi 0x0913239d 0xc9b973ec 0x0a3458b0       4093 0xc9b93510 15640/16384 vpnlb_timer_thread

Mwe 0x081c7708 0xc9c67c84 0x0a13ef88       2899 0xc9c47f18 118548/131072 tmatch compile thread

Mwe 0x08d38b2d 0xcac940cc 0x0a3458b0          0 0xcac90210 15848/16384 ICMP event handler

Mwe 0x0908081d 0xcac98254 0x0a3458b0          0 0xcac943a8 15832/16384 Dynamic Filter VC Housekeeper

Mwe 0x08a1b612 0xcacc47f4 0x0a3458b0        819 0xcacc0938 13860/16384 IP Background

Mwe 0x08c26e63 0xcaed904c 0x0a3458b0          0 0xcaed51a0 15832/16384 Crypto CA

Mwe 0x08c60c18 0xcaedd1e4 0x0a3458b0          0 0xcaed9338 15896/16384 CERT API

Mwe 0x08c257d5 0xcaee6e24 0x0a3458b0          0 0xcaee2f58 15928/16384 Crypto PKI RECV

Mwe 0x0878dd85 0xc862d1cc 0x0a3458b0        187 0xc8629330 15272/16384 ESW_MRVL switch interrupt service

Mwe 0x08cae62c 0xc866c89c 0x0a1ea7e0          0 0xc86689b0 15832/16384 lina_int

Mrd 0x0959948b 0xc8684f1c 0x0a346144   28493079 0xc8681340 13824/16384 esw_stats

Lsi 0x08af3199 0xc86958bc 0x0a3458b0        152 0xc86919a0 15704/16384 uauth_urlb clean

Lwe 0x08acbd76 0xc83ff8b4 0x0a3458b0       4432 0xc83fba38 14308/16384 pm_timer_thread

Mwe 0x08555f8d 0xc8418b0c 0x0a3458b0          0 0xc8414c60 15832/16384 IKE Common thread

Mwe 0x0858cecd 0xcaf8688c 0x0a3458b0          0 0xcaf82a60 15704/16384 IKE Timekeeper

Mwe 0x0857bad1 0xcaf8ccc4 0x0a1bc678          1 0xcaf890e8 12116/16384 IKE Daemon

Mwe 0x08629eb3 0xcaf90c64 0x0a3458b0        964 0xcaf8d118 14744/16384 IKEv2 Daemon

Mwe 0x08628e7c 0xcaf94ff4 0x0a3458b0       1095 0xcaf91148 15640/16384 IKEv2 DPD Client Process

Mwe 0x08e7d2e4 0xcafafd7c 0x0a2690f4          0 0xcafabe90 16072/16384 RADIUS Proxy Event Daemon

Mwe 0x08e41f35 0xcafb3d74 0xcb07e358          7 0xcafb0028 14912/16384 RADIUS Proxy Listener

Mwe 0x08e7ca0d 0xcafb806c 0x0a3458b0          0 0xcafb41c0 15832/16384 RADIUS Proxy Time Keeper

Mwe 0x086a1e44 0xcafbc184 0x0a3710c8          0 0xcafb8358 15264/16384 Integrity FW Task

Mrd 0x082c923a 0xcaffce54 0x0a346144          0 0xcaff8f98 14552/16384 CP Threat-Detection Processing

Mwe 0x081fb74e 0xcb0cc4bc 0x09c4a8bc       2497 0xcb0acd60 122448/131072 ci/console

Msi 0x08b0ea8c 0xcb0d0e14 0x0a3458b0     217583 0xcb0ccef8 14004/16384 update_cpu_usage

Mwe 0x08ef5ff5 0xcb0d4ecc 0x0a3458b0         77 0xcb0d1090 15360/16384 npshim_thread

Msi 0x08b0eb14 0xcb0e1224 0x0a3458b0          0 0xcb0dd428 13104/16384 NIC status poll

Mwe 0x08dd5f2c 0xcb0e54bc 0x0a259ec8        228 0xcb0e15c0 15540/16384 SNMP Notify Thread

Mwe 0x086aba0e 0xcb12ebe4 0x0a37170c     235813 0xcb126d08 25428/32768 IP Thread

Mwe 0x086b31fe 0xcb132d9c 0x0a371100       9150 0xcb12eea0 9700/16384 ARP Thread

Mwe 0x084be3ae 0xcb136f8c 0x0a3716c8       1743 0xcb1331b0 12696/16384 icmp_thread

Mwe 0x08f1f443 0xcb13b1e4 0x0a3458b0        158 0xcb137348 15728/16384 udp_thread

Mwe 0x08ee0f44 0xcb13f0bc 0x0a37178c          0 0xcb13b4e0 15288/16384 tcp_thread

Mwe 0x08f4212d 0xcb1bccd4 0x0a3458b0      12848 0xcb13fd70 26600/32768 rtcli async executor process

Mwe 0x090e408d 0xcb4dff64 0x0a3458b0          0 0xcb4dc0a8 14608/16384 PPPOE background daemon

Mwe 0x090e53c4 0xcb4e3fb4 0x0a29aa4c          1 0xcb4e00d8 14656/16384 PPPOE CLI daemon

Mwe 0x0824ff45 0xcb501e4c 0x0a3458b0        258 0xcb4fdf90 15624/16384 Timekeeper

Mwe 0x08e41f35 0xcb89a6d4 0xcb89eb10          7 0xcb896998 15392/16384 EAPoUDP-sock

Mwe 0x0822323d 0xcb89e544 0x0a3458b0          0 0xcb89a9c8 15016/16384 EAPoUDP

Mwe 0x08204371 0xcb3df9dc 0x0a3458b0        149 0xcb3dbb20 15168/16384 DHCPD Timer

Mwe 0x082066a1 0xcb3e6404 0x0a3458b0       1286 0xcb3e25a8 7172/16384 dhcp_daemon

Mwe 0x0910dfd4 0xcbc3b4e4 0x0a2a5380          0 0xcbc335e8 32472/32768 vpnfol_thread_msg

Msi 0x09116252 0xcbc3fac4 0x0a3458b0       2657 0xcbc3bbd8 15656/16384 vpnfol_thread_timer

Mwe 0x09114882 0xcbc44074 0x0a2a53c0          0 0xcbc401c8 16008/16384 vpnfol_thread_sync

Msi 0x09115fdc 0xcbc486b4 0x0a3458b0      11061 0xcbc447b8 15672/16384 vpnfol_thread_unsent

Mwe 0x0869e365 0xc8689384 0x0a3458b0          0 0xc86854d8 15832/16384 Integrity Fw Timer Thread

Msi 0x08852fd6 0xc868d55c 0x0a3458b0        206 0xc8689670 15656/16384 netfs_vnode_reclaim

Mwe 0x08f4212d 0xcb2a1914 0x0a3458b0       1277 0xcbd38510 15008/16384 Unicorn Proxy Thread

Mwe 0x0825afcb 0xcbc61254 0x0a3458b0        335 0xcbc5d788 14272/16384 emweb/https

Mwe 0x08eef828 0xcbd4dd0c 0xcbd4fd7c          0 0xcbd49fd0 14888/16384 listen/telnet

Mwe 0x08aac530 0xcbdbd754 0xcbd6c9fc        102 0xcbd9def8 127432/131072 Unicorn Admin Handler

Mwe 0x08aab345 0xcbddd644 0x0a3458b0        105 0xcbdbdf28 123712/131072 Unicorn Admin Handler

Mwe 0x08cd7c6f 0xcaf358cc 0x0a49edc8          0 0xcaf31bb0 15384/16384 qos_metric_daemon

Mwe 0x08218c82 0xcb2693fc 0x0a3458b0          3 0xcb265560 13248/16384 DHCP Client

Mwe 0x08f1d929 0xcb4bb0fc 0xc8f3ece4          0 0xcb4b3300 31552/32768 DHCPC Receiver

M*  0x08a86f55 0xdcc1df2c 0x0a346144        274 0xcb34deb8 19696/32768 telnet/ci

-           -          -          -          0          -      -      DATAPATH-0-455

-           -          -          -  744377118          -      -      scheduler

-           -          -          -  774156778          -      -      total elapsed

------------------ show kernel process ------------------

PID PPID PRI NI      VSIZE      RSS      WCHAN STAT  RUNTIME COMMAND

  1    0  20  0    2080768      616 3725686580    S      630 init

  2    0  15 -5          0        0 3725738556    S        0 kthreadd

  3    2  15 -5          0        0 3725692956    S        0 ksoftirqd/0

  4    2  15 -5          0        0 3725728656    S        0 events/0

  5    2  15 -5          0        0 3725728656    S        0 khelper

50    2  15 -5          0        0 3725728656    S        0 kblockd/0

53    2  15 -5          0        0 3726777703    S        0 kseriod

99    2  20  0          0        0 3725848262    S        0 pdflush

100    2  20  0          0        0 3725848262    S        0 pdflush

101    2  15 -5          0        0 3725861131    S        0 kswapd0

102    2  15 -5          0        0 3725728656    S        0 aio/0

103    2  15 -5          0        0 3725728656    S        0 nfsiod

214    2  15 -5          0        0 3725728656    S        0 hid_compat

215    2  15 -5          0        0 3725728656    S        0 rpciod/0

240    1  16 -4    1789952      600 3725997327    S        4 udevd

272  240  18 -2    1785856      564 3725997327    S        0 udevd

277  240  18 -2    1785856      552 3725997327    S        0 udevd

421    1  20  0    5201920     1600 4294967295    S       11 lwsmd

423  421  20  0   16736256     3600 4294967295    S      102 lwregd

448    1  20  0    2084864      512 3725686580    S        1 sh

449  448  20  0   10186752      528 4294967295    S        2 lina_monitor

451  449   0 -20  440270848    53000 4294967295    S 77713055 lina

------------------ show kernel cgroup-controller detail ------------------

memory controller:

-----------------

memory.limit_in_bytes: unlimited

memory.usage_in_bytes: 61665280   (11%)

memory.max_usage_in_bytes: 64245760   (12%)

memory.failcnt: 0

tasks:

group "normal"

  memory.limit_in_bytes: unlimited

  memory.usage_in_bytes: 77824   (0%)

  memory.max_usage_in_bytes: 544768   (0%)

  memory.failcnt: 0

  tasks:

       PID         RSS COMMAND                      

         1      630784 init                         

         2           0 kthreadd                     

         3           0 ksoftirqd/0                  

         4           0 events/0                     

         5           0 khelper                      

        50           0 kblockd/0                    

        53           0 kseriod                      

        99           0 pdflush                      

       100           0 pdflush                      

       101           0 kswapd0                      

       102           0 aio/0                        

       103           0 nfsiod                       

       214           0 hid_compat                   

       215           0 rpciod/0                     

       240      614400 udevd                        

       272      577536 udevd                        

       277      565248 udevd                        

       448      524288 sh                           

group "privileged"

  memory.limit_in_bytes: unlimited

  memory.usage_in_bytes: 22327296   (4%)

  memory.max_usage_in_bytes: 22515712   (4%)

  memory.failcnt: 0

  tasks:

       PID         RSS COMMAND                      

       449      540672 lina_monitor                 

       450           0 lina_monitor                 

       451    54280192 lina                         

       452           0 lina                         

       453           0 lina                         

       454           0 lina                         

       455           0 lina                         

group "restricted"

  memory.limit_in_bytes: 23068672   (4%)

  memory.usage_in_bytes: 1724416   (0%)

  memory.max_usage_in_bytes: 1900544   (0%)

  memory.failcnt: 0

  tasks:

       PID         RSS COMMAND                      

       421     1638400 lwsmd                        

       422           0 lwsmd                        

       423     3686400 lwregd                       

       425           0 lwregd                       

       426           0 lwregd                       

       427           0 lwregd                       

       428           0 lwregd                       

       429           0 lwregd                       

       430           0 lwsmd                        

       431           0 lwsmd                        

       432           0 lwsmd                        

       433           0 lwsmd                        

       434           0 lwsmd                        

cpu controller:

---------------

cpu.shares: 1024

cpuacct.usage: 777015353084076

tasks:

group "normal"

  cpu.shares: 1024

  cpuacct.usage: 53525955783   (0%)

tasks:

       PID         RSS COMMAND                      

         1      630784 init                         

         2           0 kthreadd                     

         3           0 ksoftirqd/0                  

         4           0 events/0                     

         5           0 khelper                      

        50           0 kblockd/0                    

        53           0 kseriod                      

        99           0 pdflush                      

       100           0 pdflush                      

       101           0 kswapd0                      

       102           0 aio/0                        

       103           0 nfsiod                       

       214           0 hid_compat                   

       215           0 rpciod/0                     

       240      614400 udevd                        

       272      577536 udevd                        

       277      565248 udevd                        

       448      524288 sh                           

       449      540672 lina_monitor                 

       450           0 lina_monitor                 

       451    54280192 lina                         

       452           0 lina                         

       453           0 lina                         

       454           0 lina                         

group "privileged"

  cpu.shares: 16384

  cpuacct.usage: 776952528547140   (100%)

  tasks:

       PID         RSS COMMAND                      

       455           0 lina                         

group "restricted"

  cpu.shares: 1024

  cpuacct.usage: 1291957168   (0%)

  tasks:

       PID         RSS COMMAND                      

       421     1638400 lwsmd                        

       422           0 lwsmd                        

       423     3686400 lwregd                       

       425           0 lwregd                       

       426           0 lwregd                       

       427           0 lwregd                       

       428           0 lwregd                       

       429           0 lwregd                       

       430           0 lwsmd                        

       431           0 lwsmd                        

       432           0 lwsmd                        

       433           0 lwsmd                        

       434           0 lwsmd                        

------------------ show traffic ------------------

inside:

received (in 422169.300 secs):

4183910 packets          523687951 bytes

9 pkts/sec          1006 bytes/sec

transmitted (in 422169.300 secs):

5702974 packets          5851550584 bytes

3 pkts/sec          13006 bytes/sec

      1 minute input rate 22 pkts/sec,  2839 bytes/sec

      1 minute output rate 30 pkts/sec,  22751 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 33 pkts/sec,  3746 bytes/sec

      5 minute output rate 46 pkts/sec,  20906 bytes/sec

      5 minute drop rate, 1 pkts/sec

outside:

received (in 422169.300 secs):

10542135 packets          11433861540 bytes

4 pkts/sec          27002 bytes/sec

transmitted (in 422169.300 secs):

3793870 packets          526596330 bytes

8 pkts/sec          1003 bytes/sec

      1 minute input rate 47 pkts/sec,  41657 bytes/sec

      1 minute output rate 18 pkts/sec,  2802 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 80 pkts/sec,  38519 bytes/sec

      5 minute output rate 29 pkts/sec,  3749 bytes/sec

      5 minute drop rate, 0 pkts/sec

_internal_loopback:

received (in 422168.950 secs):

0 packets          0 bytes

0 pkts/sec          0 bytes/sec

transmitted (in 422168.950 secs):

0 packets          0 bytes

0 pkts/sec          0 bytes/sec

      1 minute input rate 0 pkts/sec,  0 bytes/sec

      1 minute output rate 0 pkts/sec,  0 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 0 pkts/sec,  0 bytes/sec

      5 minute output rate 0 pkts/sec,  0 bytes/sec

      5 minute drop rate, 0 pkts/sec

----------------------------------------

Aggregated Traffic on Physical Interface

----------------------------------------

Ethernet0/0:

received (in 776992.730 secs):

8257731 packets          9051312645 bytes

5 pkts/sec          11002 bytes/sec

transmitted (in 776992.730 secs):

6399342 packets          1011145708 bytes

2 pkts/sec          1002 bytes/sec

      1 minute input rate 26 pkts/sec,  24481 bytes/sec

      1 minute output rate 20 pkts/sec,  3472 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 40 pkts/sec,  20147 bytes/sec

      5 minute output rate 29 pkts/sec,  4280 bytes/sec

      5 minute drop rate, 0 pkts/sec

Ethernet0/1:

received (in 776992.730 secs):

1330771 packets          312271947 bytes

1 pkts/sec          3 bytes/sec

transmitted (in 776992.730 secs):

1738316 packets          638003030 bytes

2 pkts/sec          3 bytes/sec

      1 minute input rate 4 pkts/sec,  405 bytes/sec

      1 minute output rate 11 pkts/sec,  3333 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 7 pkts/sec,  735 bytes/sec

      5 minute output rate 13 pkts/sec,  4410 bytes/sec

      5 minute drop rate, 0 pkts/sec

Ethernet0/2:

received (in 776993.220 secs):

5028958 packets          693527818 bytes

0 pkts/sec          2 bytes/sec

transmitted (in 776993.220 secs):

7782202 packets          8316039741 bytes

4 pkts/sec          10000 bytes/sec

      1 minute input rate 1 pkts/sec,  153 bytes/sec

      1 minute output rate 2 pkts/sec,  391 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 1 pkts/sec,  187 bytes/sec

      5 minute output rate 3 pkts/sec,  1011 bytes/sec

      5 minute drop rate, 0 pkts/sec

Ethernet0/3:

received (in 776993.220 secs):

17219822 packets          21609826615 bytes

0 pkts/sec          27005 bytes/sec

transmitted (in 776993.220 secs):

8373382 packets          5142266559 bytes

5 pkts/sec          6004 bytes/sec

      1 minute input rate 8384 pkts/sec,  12695156 bytes/sec

      1 minute output rate 2657 pkts/sec,  203156 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 8010 pkts/sec,  12112337 bytes/sec

      5 minute output rate 2525 pkts/sec,  188122 bytes/sec

      5 minute drop rate, 0 pkts/sec

Ethernet0/4:

received (in 776993.680 secs):

0 packets          0 bytes

0 pkts/sec          0 bytes/sec

transmitted (in 776993.680 secs):

0 packets          0 bytes

0 pkts/sec          0 bytes/sec

      1 minute input rate 0 pkts/sec,  0 bytes/sec

      1 minute output rate 0 pkts/sec,  0 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 0 pkts/sec,  0 bytes/sec

      5 minute output rate 0 pkts/sec,  0 bytes/sec

      5 minute drop rate, 0 pkts/sec

Ethernet0/5:

received (in 776993.690 secs):

0 packets          0 bytes

0 pkts/sec          0 bytes/sec

transmitted (in 776993.690 secs):

<--- More --->

0 packets          0 bytes

0 pkts/sec          0 bytes/sec

      1 minute input rate 0 pkts/sec,  0 bytes/sec

      1 minute output rate 0 pkts/sec,  0 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 0 pkts/sec,  0 bytes/sec

      5 minute output rate 0 pkts/sec,  0 bytes/sec

      5 minute drop rate, 0 pkts/sec

Ethernet0/6:

received (in 776994.140 secs):

0 packets          0 bytes

0 pkts/sec          0 bytes/sec

transmitted (in 776994.140 secs):

0 packets          0 bytes

0 pkts/sec          0 bytes/sec

      1 minute input rate 0 pkts/sec,  0 bytes/sec

      1 minute output rate 0 pkts/sec,  0 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 0 pkts/sec,  0 bytes/sec

      5 minute output rate 0 pkts/sec,  0 bytes/sec

      5 minute drop rate, 0 pkts/sec

Ethernet0/7:

received (in 776994.140 secs):

7328915 packets          4524298170 bytes

<--- More --->

3 pkts/sec          5004 bytes/sec

transmitted (in 776994.140 secs):

16345245 packets          21405489647 bytes

4 pkts/sec          27001 bytes/sec

      1 minute input rate 2330 pkts/sec,  158045 bytes/sec

      1 minute output rate 7422 pkts/sec,  11264540 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 2481 pkts/sec,  168427 bytes/sec

      5 minute output rate 7977 pkts/sec,  12105867 bytes/sec

      5 minute drop rate, 0 pkts/sec

Internal-Data0/0:

received (in 776994.640 secs):

15222548 packets          10134365294 bytes

3 pkts/sec          13004 bytes/sec

transmitted (in 776994.640 secs):

15128813 packets          10256961010 bytes

2 pkts/sec          13001 bytes/sec

      1 minute input rate 45 pkts/sec,  24860 bytes/sec

      1 minute output rate 49 pkts/sec,  26647 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 73 pkts/sec,  24918 bytes/sec

      5 minute output rate 75 pkts/sec,  26334 bytes/sec

      5 minute drop rate, 0 pkts/sec

Internal-Data0/1:

<--- More --->

received (in 776994.640 secs):

15128721 packets          10256943282 bytes

2 pkts/sec          13001 bytes/sec

transmitted (in 776994.640 secs):

15222455 packets          10134357062 bytes

3 pkts/sec          13004 bytes/sec

      1 minute input rate 48 pkts/sec,  26530 bytes/sec

      1 minute output rate 45 pkts/sec,  24826 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 75 pkts/sec,  26323 bytes/sec

      5 minute output rate 73 pkts/sec,  24908 bytes/sec

      5 minute drop rate, 0 pkts/sec

------------------ show perfmon ------------------

PERFMON STATS:                     Current      Average

Xlates                                0/s          0/s

Connections                           0/s          0/s

TCP Conns                             0/s          0/s

UDP Conns                             0/s          0/s

URL Access                            0/s          0/s

URL Server Req                        0/s          0/s

TCP Fixup                             0/s          0/s

<--- More --->

TCP Intercept Established Conns       0/s          0/s

TCP Intercept Attempts                0/s          0/s

TCP Embryonic Conns Timeout           0/s          0/s

HTTP Fixup                            0/s          0/s

FTP Fixup                             0/s          0/s

AAA Authen                            0/s          0/s

AAA Author                            0/s          0/s

AAA Account                           0/s          0/s

VALID CONNS RATE in TCP INTERCEPT:    Current      Average

                                       N/A         100.00%

------------------ show counters ------------------

Protocol     Counter                             Value   Context

IP           IN_PKTS                           8416058   Summary

IP           OUT_PKTS                            32836   Summary

IP           TO_ARP                             133654   Summary

IP           TO_UDP                               6018   Summary

IP           TO_ICMP                             24920   Summary

UDP          IN_PKTS                              6018   Summary

UDP          OUT_PKTS                             6045   Summary

ICMP         IN_PKTS                             24920   Summary

ICMP         OUT_PKTS                            24783   Summary

ICMP         DROP_IGNORE                             1   Summary

ICMP         PORT_UNREACH                            5   Summary

SSLERR       BAD_PROTOCOL_VERSION_NUMBER             8   Summary

SSLERR       BAD_SIGNATURE                           6   Summary

SSLALERT     RX_CLOSE_NOTIFY                        12   Summary

SSLALERT     RX_WARNING_ALERT                       12   Summary

SSLALERT     TX_CLOSE_NOTIFY                       576   Summary

SSLALERT     TX_WARNING_ALERT                      576   Summary

SSLDEV       NEW_CTX                                 5   Summary

SSLNP        OPEN_CONN                               5   Summary

SSLNP        HANDSHAKE_START                       611   Summary

SSLNP        HANDSHAKE_DONE                        611   Summary

SSLNP        DOWNSTREAM_CLOSE                     2474   Summary

SSLNP        DOWNSTREAM_CLOSE_NEXT                 613   Summary

SSLNP        UPSTREAM_CLOSE                        625   Summary

SSLNP        UPSTREAM_CLOSE_NEXT                   613   Summary

SSLNP        FREE_CONN                             613   Summary

SSLNP        NEW_CONN_SERVER                       611   Summary

SSLNP        EXTRACT_VIA_DUPB                        6   Summary

SSLNP        IN_PKTS_RX                           3447   Summary

SSLNP        IN_PKTS_TX                            702   Summary

SSLNP        OUT_PKTS_RX                        401121   Summary

SSLNP        OUT_PKTS_TX                        402919   Summary

SSLNP        SESSIONS_CLEARED                      332   Summary

NPSHIM       CTX_ALLOC                             640   Summary

NPSHIM       CTX_FREE                              635   Summary

NPSHIM       WRITE_UNBLOCKED                      1338   Summary

NPSHIM       PUT_REQUEST                            10   Summary

NPSHIM       PUT_XMT                                10   Summary

NPSHIM       READ_RECV                            3255   Summary

VPIF         BAD_VALUE                               4   Summary

VPIF         NOT_FOUND                          205696   Summary

SSLENC       CONTEXT_CREATED                       611   Summary

SSLENC       CONTEXT_UPDATED                       611   Summary

SSLENC       CONTEXT_DESTROYED                     609   Summary

CRYPTO       INVALID_INPUT_PARAM                   613   Summary

------------------ show service-policy ------------------

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 153877, drop 384, reset-drop 0
        message-length maximum client auto, drop 0
        message-length maximum 512, drop 0
        dns-guard, count 28208
        protocol-enforcement, drop 0
        nat-rewrite, count 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
        h245-tunnel-block drops 0 connection
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
        h245-tunnel-block drops 0 connection
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
        mask-banner, count 0
        match cmd line length gt 512
          drop-connection log, packet 0
        match cmd RCPT count gt 100
          drop-connection log, packet 0
        match body line length gt 998
          log, packet 0
        match header line length gt 998
          drop-connection log, packet 0
        match sender-address length gt 320
          drop-connection log, packet 0
        match MIME filename length gt 255
          drop-connection log, packet 0
        match ehlo-reply-parameter others
          mask, packet 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: skinny , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0
      Inspect: sip , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: netbios, packet 7406, drop 0, reset-drop 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0
        Router Alert:  allow 0, clear 0
      Inspect: icmp, packet 12288, drop 0, reset-drop 0

Interface inside:
  Service-policy: tcp_bypass_policy
    Class-map: tcp_bypass
      Set connection policy:         drop 0
      Set connection advanced-options: tcp-state-bypass

------------------ show history ------------------

  en

------------------ show firewall ------------------

Firewall mode: Router

------------------ show running-config ------------------

: Saved
:
ASA Version 8.4(4)1
!
hostname ASA5505
enable password
passwd
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group BT_PPOE
ip address pppoe setroute
!
ftp mode passive
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list tcp_bypass extended permit tcp 192.168.1.0 255.255.255.0 10.0.50.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
route inside 10.0.50.0 255.255.255.0 192.168.1.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group BT_PPOE request dialout pppoe
vpdn group BT_PPOE localname bthomehub
vpdn group BT_PPOE ppp authentication chap
vpdn username bthomehub@btbroadband.com password *****
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.130 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
class-map tcp_bypass
description "TCP traffic that bypasses stateful firewall"
match access-list tcp_bypass
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
policy-map tcp_bypass_policy
class tcp_bypass
  set connection advanced-options tcp-state-bypass
!
service-policy global_policy global
service-policy tcp_bypass_policy interface inside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e9e2ef60912ff6b127643a620f0d6b0c
: end

Cannot open disk0:/csco_config/97/bookmarks/index.ini

------------------ more disk0:/sdesktop/data.xml ------------------

------------------ show startup-config errors ------------------

              Reading from flash...
!

------------------ console logs ------------------


Licensed Message #37 : features for this platform:
Message #38 : Maximum Physical Interfaces       : 8              perpetual
Message #39 : VLANs                             : 3              DMZ Restricted
Message #40 : Dual ISPs                         : Disabled       perpetual
Message #41 : VLAN Trunk Ports                  : 0              perpetual
Message #42 : Inside Hosts                      : 50             perpetual
Message #43 : Failover                          : Disabled       perpetual
Message #44 : VPN-DES                           : Enabled        perpetual
Message #45 : VPN-3DES-AES                      : Enabled        perpetual
Message #46 : AnyConnect Premium Peers          : 2              perpetual
Message #47 : AnyConnect Essentials             : Disabled       perpetual
Message #48 : Other VPN Peers                   : 10             perpetual
Message #49 : Total VPN Peers                   : 12             perpetual
Message #50 : Shared License                    : Disabled       perpetual
Message #51 : AnyConnect for Mobile             : Disabled       perpetual
Message #52 : AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Message #53 : Advanced Endpoint Assessment      : Disabled       perpetual
Message #54 : UC Phone Proxy Sessions           : 2              perpetual
Message #55 : Total UC Proxy Sessions           : 2              perpetual
Message #56 : Botnet Traffic Filter             : Disabled       perpetual
Message #57 : Intercompany Media Engine         : Disabled       perpetual
Message #58 :
This platform has a Base license.
Message #59 :
Message #60 :
Cisco Adaptive Security Appliance Software Version 8.4(4)1


ASA5505#

Cisco ASA 5505 - 2 internal Networks

Do you have ASDM access to this firewall? If so, you can use it to look at the logs of what's happening with NAT.

Monitoring-Logging-View

Run a test from LAN2 and filter by the IP address of the machine you are testing from. It should give you a good idea what's happening.

Also you could test with the following, which splits up the LAN network objects:

object network LAN_1
subnet 192.168.1.0 255.255.255.0
object network LAN_2
subnet 10.0.50.0 255.255.255.0
object network LAN_1
nat (inside,outside) dynamic interface
object network LAN_2
nat (inside,outside) dynamic interface

New Member

Cisco ASA 5505 - 2 internal Networks

Hi,

Well I have good and annoying news......

Good news is I appear to have full access from the 10 subnet to the 192 subnet and internet access.

It looks like the problem could have been a silly typo mistake where I entered the static route on the 1841 router to the network address 192.168.1.0 instead of the specific IP of the ASA, once corrected internet access worked.... :-)

Thanks for all the assistance..

The annoying...

I configured the devices and I could ping devices from the 10 subnet to the 192 subnet, specifically a .20 device.... To check the reliability of the config I rebooted the router and ASA, and when they came back up I couldn't....!

Is there a solution to this or could it be a bug of some sort as I had the same yesterday that one minute it worked and the next it didn't even without any config changes?

Any clues / thoughts would be very welcome!!

Cisco ASA 5505 - 2 internal Networks

Did you save the configs before rebooting?

Is there a chance there could be a duplicate address on LAN1 with the fa0/0 interface of the router?

Silver

Cisco ASA 5505 - 2 internal Networks

OK, need to get this straight.

What is the current default gateway of the 1841 router?

What is the default gateway of the 192.168.1.0/24 network?

Do you still have the static route on the ASA to reach the 10.0.50.0/24?

Do you still have the PAT configuration in place so that both networks can surf out to the Internet?

This is what I would have as a setup:

1)  10.0.50.0/24 default gateway pointing to the 1841 router.

2)  192.168.1.0/24 default gateway pointing to the 1841 router

3) 1841 router default gateway pointing to the ASA 192.168.1.X address

4) PAT configuration defined for both networks on individual rules, or a rule that covers both networks.

FYI: asa844-1-k8.bin is not my favorite version for any ASA.

Value our effort and rate the assistance!
New Member

Re: Cisco ASA 5505 - 2 internal Networks

Hi jumora, in reply to your questions:

OK, need to get this straight.

What is the current default gateway of the 1841 router? default network 0.0.0.0 point to 192.168.1.1

What is the default gateway of the 192.168.1.0/24 network? 192.168.1.1

Do you still have the static route on the ASA to reach the 10.0.50.0/24? yes

Do you still have the PAT configuration in place so that both networks can surf out to the Internet? yes

This is what I would have as a setup:

1)  10.0.50.0/24 default gateway pointing to the 1841 router. - Yes

2)  192.168.1.0/24 default gateway pointing to the 1841 router - No this points to the ASA

3) 1841 router default gateway pointing to the ASA 192.168.1.X address - yes

4) PAT configuration defined for both networks on individual rules, or a rule that covers both networks. - err, how would I do this?

FYI: asa844-1-k8.bin is not my favorite version for any ASA. - sadly I have no Cisco contract and the company I work for doesn't use much Cisco... I am looking for Cisco related jobs at present; is there any way I might be able to get an upgrade considering this?

Thanks very much for your assistance.

Silver

Re: Cisco ASA 5505 - 2 internal Networks

Please add the following lines to the ASA configuration:

enable

config t

dhcpd option 3 ip 192.168.1.254

This will correct your routing issues for the 192.168.1.0/24 network that routes through the ASA. What it does is change the gateway handed out to the 192.168.1.0/24 network you are providing DHCP for, so that it points to the router. TCP bypass and U-turning will not be needed and you won't have issues.

Try that and then let me know if you still have issues with ICMP. Maybe you can send me an email to juanmh84@hotmail.com and I can take a look later today if you have some sort of web terminal where I can remote in and help you out.

Value our effort and rate the assistance!
New Member

Re: Cisco ASA 5505 - 2 internal Networks

Sorry jumora I missed this message last night.

and thanks for the help.

My hope / plan was to be able to switch off the router if required elsewhere, as the extra network was more to be used for testing purposes so that additional networks could be added beyond it for different scenarios, but leave the ASA to provide internet access to the main network. I hope that makes sense.

You are right though, I have just changed the default gateway on the main server I was trying to access and ping does now work :-)

I am going to verify Robert's question of whether I saved the config just in case I have made a stupid mistake. I am pretty sure I did but.... I want to make sure, and I thought I could test it with rebooting between different commands to see if I can ascertain which command might cause the problem.

Could there be anything else that might be causing it to work at one time then not at others?

Other than setting the default gateway to the router is the other option that would result in a technically correct setup to set the extra network as the DMZ with internal access? I suppose then my only issue would be no internet access as I presume that as I only have the base license I would only be able to access the outside or the inside LAN and not both?

My issue there would be I wouldn't be able to access that kit from the main network which I could do with for internal testing.

Sorry this has become so long and a huge thank you to both of you for your assistance, I have learnt a huge amount.

New Member

Re: Cisco ASA 5505 - 2 internal Networks

Hi,

Yes I did remember to save the configs first, I have made that mistake before but I am happy to say not this time :-)

The odd thing is as before I can ping one address but not others. I can still access the windows file shares on the device but I don't understand why the ping is suddenly not working.

Sent from Cisco Technical Support iPad App

New Member

Re: Cisco ASA 5505 - 2 internal Networks

It is the ICMP inspection that is stopping it!

But only after the reboot of the ASA; if I just turn the ICMP inspection off again the ping works straight away.

I have found the following page to enable ICMP through access lists as well as ICMP inspection. Would this be OK or a security risk?

http://jklogic.net/cisco-asa-and-icmp-configurations/

Obviously I now have what I am looking for working which is fantastic as I have been scratching my head with this for ages so a huge thanks to Robert and jumora.

But... final question.....

What is the technically correct way of doing what I have set up? Is there a "Cisco" way that this should have been completed, or is it not the sort of thing that is usually done in a live environment?

Sorry for the extra question above but am studying for the CCNA Security and want to get as much understanding as I can.

Thanks again

Silver

Re: Cisco ASA 5505 - 2 internal Networks

OK, tcp-bypass is done for TCP traffic only, and the document states that configuring this option avoids any type of inspection. This was mainly created for design issues where you receive traffic through the ASA without going through the TCP 3-way handshake.

U-turning was also added for non-VPN traffic, based on the need to re-route traffic out of the same interface on which you received a packet, but it has limitations.

Inspect ICMP to maintain control over ICMP sessions: one request, one reply.

Most of these issues are caused by incorrect routing, so to avoid over-complication just change the routing.

This is a document created for PIX but explains a little of what is happening.

Q. I recently added an inside router to connect a second inside network to my Cisco Secure PIX Firewall. Users between the Cisco Secure PIX Firewall and inside router can successfully get to the Internet, but they cannot talk to this new, inside network. Users on the new network are unable to get past the inside router. What is wrong?

    A. You must enter a specific route inside statement into the PIX for this new network through the new router. You can also enter a specific route inside statement for the major network through this router, which allows for future growth.

    For example, if your existing network is 192.168.1.0/24 and your new network is 192.168.2.0/24, the Ethernet port of your internal router is 192.168.1.2. The route configuration of the PIX appears similar to this:

        route inside 192.168.2.0 255.255.255.0 192.168.1.2 1

    or (the major network):

        route inside 192.168.0.0 255.255.0.0 192.168.1.2 1

    Work stations between the Cisco Secure PIX Firewall and router should have their gateway point to the router, not the PIX. Even though they are directly connected, they have problems accessing the new internal network if their gateway does not point to the router. The router should have a default gateway that directs all unknown traffic to the inside interface of the Cisco Secure PIX Firewall. The installation of a route for this new network in the PIX does not work either. The PIX does not route or redirect off the interface it received the packet. Unlike a router, the PIX cannot route packets back through the same interface where the packet was initially received. Also, make sure your nat statement includes the new network or the major net you are adding.

Value our effort and rate the assistance!
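As an added example (not from the thread or from Cisco), the following Python script audits an ASA 8.4 running-config for the three things jumora's answer turns on: clients that use the ASA as gateway for a subnet that actually sits behind the inside router (the hairpin), a tcp-state-bypass workaround left in place, and an inside subnet that no NAT rule covers. The config excerpt is constructed from the one posted above with indentation restored; the finding labels are mine, and it assumes the ASA hands DHCP clients its own interface address as gateway unless `dhcpd option 3` is set.

```python
"""Audit an ASA 8.4 running-config for the pitfalls discussed in this thread: a second
inside subnet behind a router on the inside segment while DHCP clients still use the
ASA as gateway (hairpin), a tcp-state-bypass workaround, and a subnet no NAT covers."""
import ipaddress
import re

# Constructed excerpt of the running-config posted in the thread (indentation restored).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any
 nat (inside,outside) dynamic interface
nat (inside,outside) after-auto source dynamic any interface
route inside 10.0.50.0 255.255.255.0 192.168.1.254 1
dhcpd address 192.168.1.100-192.168.1.130 inside
dhcpd enable inside
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
service-policy tcp_bypass_policy interface inside
"""

def parse_config(text):
    """Pull out interfaces, routes, network objects, NAT, DHCP and bypass settings."""
    cfg = {"interfaces": {}, "routes": [], "objects": {}, "object_nat": [],
           "twice_nat_any": False, "dhcpd_ifaces": set(), "dhcpd_router": None,
           "tcp_state_bypass": False}
    block = None  # (kind, name) of the indented block we are inside
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("!"):
            continue
        if not line.startswith(" "):  # top-level command
            block = None
            if s.startswith("interface "):
                block = ("interface", s.split()[1])
                cfg["interfaces"][block[1]] = {}
            elif s.startswith("object network "):
                block = ("object", s.split()[2])
                cfg["objects"].setdefault(block[1], None)
            elif (m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", s)):
                cfg["routes"].append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}"),
                                      ipaddress.ip_address(m[4])))
            elif (m := re.match(r"dhcpd address \S+ (\S+)", s)):
                cfg["dhcpd_ifaces"].add(m[1])
            elif (m := re.match(r"dhcpd option 3 ip (\S+)", s)):
                cfg["dhcpd_router"] = ipaddress.ip_address(m[1])
            elif re.match(r"nat \(\S+\) (after-auto )?source dynamic any ", s):
                cfg["twice_nat_any"] = True  # twice NAT whose source is 'any'
            continue
        kind, name = block or (None, None)
        if kind == "interface":
            if s.startswith("nameif "):
                cfg["interfaces"][name]["nameif"] = s.split()[1]
            elif (m := re.match(r"ip address (\d[\d.]*) (\d[\d.]*)", s)):
                cfg["interfaces"][name]["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif kind == "object":
            if (m := re.match(r"(subnet|host) (\S+) ?(\S*)", s)):
                cfg["objects"][name] = ipaddress.ip_network(f"{m[2]}/{m[3]}" if m[3] else m[2])
            elif s.startswith("nat ("):  # object NAT attached to this object
                cfg["object_nat"].append(name)
        elif s == "set connection advanced-options tcp-state-bypass":
            cfg["tcp_state_bypass"] = True
    return cfg

def nat_covers(cfg, net):
    """True if some NAT rule translates sources in `net` (object NAT or twice NAT 'any')."""
    if cfg["twice_nat_any"]:
        return True
    return any(cfg["objects"].get(o) is not None and net.subnet_of(cfg["objects"][o])
               for o in cfg["object_nat"])

def audit(text):
    """Return a list of finding strings; empty means none of the checked issues is present."""
    cfg = parse_config(text)
    by_name = {d["nameif"]: d for d in cfg["interfaces"].values() if "nameif" in d and "net" in d}
    findings = []
    for ifname, dest, nexthop in cfg["routes"]:
        iface = by_name.get(ifname)
        if iface is None or nexthop not in iface["net"].network:
            continue  # only routes via a router on that interface's own segment matter here
        # Assumption: DHCP clients get the ASA as gateway unless option 3 says otherwise, so their
        # traffic for `dest` enters and must leave the same ASA interface (static hosts: check by hand).
        if ifname in cfg["dhcpd_ifaces"] and cfg["dhcpd_router"] != nexthop:
            findings.append(f"HAIRPIN: {dest} is behind {nexthop} on '{ifname}' but DHCP clients "
                            f"get the ASA ({iface['net'].ip}) as gateway; fix: dhcpd option 3 ip {nexthop}")
        if not nat_covers(cfg, dest):
            findings.append(f"NO-NAT: no NAT rule covers {dest}, so it cannot reach the Internet")
    if cfg["tcp_state_bypass"]:
        findings.append("TCP-STATE-BYPASS: stateful inspection is off for the matched TCP flows; "
                        "remove once routing is fixed")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the hairpin and the bypass policy but no NAT gap, because the posted config's `obj_any` and after-auto rules already cover 10.0.50.0/24; adding `dhcpd option 3 ip 192.168.1.254` clears the hairpin finding.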
New Member

Re: Cisco ASA 5505 - 2 internal Networks

Hi Jumora,

A huge thank you again for the reply.

I will take the hint and change the routing to how you have described above, as that is clearly the technically correct way!

I have purchased a couple of extra routers off eBay to allow for practice and to allow the current 1841 to remain and be used for the setup above.

Thanks again for your time and patience.
