Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)

Service policy debugging???

The short of my issue:

I have configured a service policy that watches web traffic to a web server, limiting the maximum connections to the server (over TCP 80) to 'n' amount of simultaneous connections (set connection per-client-max n).  I need to see the pervice policy in action, but the only way I know to do it is to watch the drops in "show service policy" output increment or watch the logging buffer (no syslog server available yet).  I would really like to debug this action.  Is it possible, and most importantly, what is the debug command to do it?

Cisco Employee

Re: Service policy debugging???


show local-host IP.ADD.RE.SS det

is what you need to "debug" connection counts etc.



Re: Service policy debugging???

Thanks for your reply.  This was useful info.

But what I'm looking for is a way to run a debug that shows when the 'per-client-max' setting has been invoked?

Cisco Employee

Re: Service policy debugging???

sh service-pol flow tcp host x.x.x.x host y.y.y.y eq 80

sh service-pol flow tcp host x.x.x.x host y.y.y.y eq 443


Re: Service policy debugging???


For anyone attempting to see on-screen when this service policy is invoked, I've found a simple workaround.  In lieu of a direct debug command, what you can do is configure 'logging monitor errors' and then 'terminal monitoring'  whenever the 'set connection per-client-max n' rule is invoked, you will get a log that looks like this:

Aug 17 2010 10:16:48: %ASA-3-201013: Per-client connection limit exceeded 20/20 for input packet from to on interface outside

Hope you find this useful.

CreatePlease to create content