I have configured a service policy that watches web traffic to a web server, limiting the maximum connections to the server (over TCP 80) to 'n' simultaneous connections (set connection per-client-max n). I need to see the service policy in action, but the only way I know to do it is to watch the drops in "show service-policy" output increment or watch the logging buffer (no syslog server available yet). I would really like to debug this action. Is it possible, and most importantly, what is the debug command to do it?
For anyone attempting to see on-screen when this service policy is invoked, I've found a simple workaround. In lieu of a direct debug command, what you can do is configure 'logging monitor errors' and then 'terminal monitoring'; whenever the 'set connection per-client-max n' rule is invoked, you will get a log that looks like this:
Aug 17 2010 10:16:48: %ASA-3-201013: Per-client connection limit exceeded 20/20 for input packet from 192.168.2.26/38602 to 172.16.34.8/80 on interface outside
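Since the %ASA-3-201013 message above is the only visible signal that the per-client limit has actually dropped a connection, it is worth being able to pick it out of a logging buffer dump and count which clients are hitting the limit. The following is an added example, not code from the original post or from Cisco: a small parser for that message plus a per-client tally, run over a few sample lines. The field layout in the regex is taken from the single line shown in the post above; treating it as fixed for every 201013 message is an assumption, and all sample lines except the first are constructed for this example.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Pattern built from the %ASA-3-201013 line shown in the post.
# Assumption: "current/limit", "from src/port to dst/port" and
# "on interface X" always appear in this order for this message ID.
MSG_201013 = re.compile(
    r"%ASA-(?P<severity>\d)-201013: Per-client connection limit exceeded "
    r"(?P<current>\d+)/(?P<limit>\d+) for input packet from "
    r"(?P<src_ip>[0-9a-fA-F:.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_ip>[0-9a-fA-F:.]+)/(?P<dst_port>\d+) on interface (?P<iface>\S+)"
)


def parse_201013(line: str) -> Optional[dict]:
    """Return the fields of a 201013 message, or None for any other syslog line."""
    m = MSG_201013.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("severity", "current", "limit", "src_port", "dst_port"):
        rec[key] = int(rec[key])
    return rec


def offenders(lines: Iterable[str], threshold: int = 1) -> Dict[str, int]:
    """Count 201013 hits per source IP; return clients at or above threshold.

    Each hit corresponds to one dropped packet, i.e. one increment of the
    drop counter you would otherwise watch in 'show service-policy'.
    """
    hits: Counter = Counter()
    for line in lines:
        rec = parse_201013(line)
        if rec is not None:
            hits[rec["src_ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


# Constructed sample buffer: the first line is the one from the post,
# the rest are made up for this example (one more hit from the same
# client, one from a second client, and an unrelated message that
# must be ignored).
SAMPLE_LOG = [
    "Aug 17 2010 10:16:48: %ASA-3-201013: Per-client connection limit exceeded "
    "20/20 for input packet from 192.168.2.26/38602 to 172.16.34.8/80 on interface outside",
    "Aug 17 2010 10:16:49: %ASA-3-201013: Per-client connection limit exceeded "
    "20/20 for input packet from 192.168.2.26/38603 to 172.16.34.8/80 on interface outside",
    "Aug 17 2010 10:16:50: %ASA-3-201013: Per-client connection limit exceeded "
    "20/20 for input packet from 192.168.2.77/51000 to 172.16.34.8/80 on interface outside",
    "Aug 17 2010 10:16:51: %ASA-6-302013: Built inbound TCP connection 12345 for "
    "outside:192.168.2.90/4000 (192.168.2.90/4000) to inside:172.16.34.8/80 (172.16.34.8/80)",
]


if __name__ == "__main__":
    for ip, n in sorted(offenders(SAMPLE_LOG).items()):
        print(f"{ip}: {n} connection(s) dropped by per-client-max")
```

With 'logging monitor errors' in place the same lines arrive on the terminal, so the parser can be fed from a captured session as easily as from 'show logging'. Because severity 3 messages are only emitted once the limit is already exceeded, a client that stays at exactly n connections never appears here; raising the threshold in offenders() separates a single burst from a client that is repeatedly bouncing off the limit.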
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...