Service policy debugging???

Antonio Knox · ‎08-13-2010

The short of my issue:

I have configured a service policy that watches web traffic to a web server, limiting the maximum connections to the server (over TCP 80) to 'n' amount of simultaneous connections (set connection per-client-max n). I need to see the pervice policy in action, but the only way I know to do it is to watch the drops in "show service policy" output increment or watch the logging buffer (no syslog server available yet). I would really like to debug this action. Is it possible, and most importantly, what is the debug command to do it?

Marcin Latosiewicz · ‎08-13-2010

Antonio,

show local-host IP.ADD.RE.SS det

is what you need to "debug" connection counts etc.

HTH,

Marcin

Antonio Knox · ‎08-13-2010

Thanks for your reply. This was useful info.

But what I'm looking for is a way to run a debug that shows when the 'per-client-max' setting has been invoked?

Kureli Sankar · ‎08-13-2010

sh service-pol flow tcp host x.x.x.x host y.y.y.y eq 80

sh service-pol flow tcp host x.x.x.x host y.y.y.y eq 443

-KS

Antonio Knox · ‎08-24-2010

FYI,

For anyone attempting to see on-screen when this service policy is invoked, I've found a simple workaround. In lieu of a direct debug command, what you can do is configure 'logging monitor errors' and then 'terminal monitoring' whenever the 'set connection per-client-max n' rule is invoked, you will get a log that looks like this:

Aug 17 2010 10:16:48: %ASA-3-201013: Per-client connection limit exceeded 20/20 for input packet from 192.168.2.26/38602 to 172.16.34.8/80 on interface outside

Hope you find this useful.