
Service policy debugging???

The short of my issue:

I have configured a service policy that watches web traffic to a web server, limiting the maximum connections to the server (over TCP 80) to 'n' amount of simultaneous connections (set connection per-client-max n).  I need to see the service policy in action, but the only way I know to do it is to watch the drops in "show service policy" output increment or watch the logging buffer (no syslog server available yet).  I would really like to debug this action.  Is it possible, and most importantly, what is the debug command to do it?

4 REPLIES
Cisco Employee

Re: Service policy debugging???

Antonio,

show local-host IP.ADD.RE.SS det

is what you need to "debug" connection counts etc.

HTH,

Marcin

Re: Service policy debugging???

Thanks for your reply.  This was useful info.

But what I'm looking for is a way to run a debug that shows when the 'per-client-max' setting has been invoked?

Cisco Employee

Re: Service policy debugging???

sh service-pol flow tcp host x.x.x.x host y.y.y.y eq 80

sh service-pol flow tcp host x.x.x.x host y.y.y.y eq 443

-KS

Re: Service policy debugging???

FYI,

For anyone attempting to see on-screen when this service policy is invoked, I've found a simple workaround.  In lieu of a direct debug command, what you can do is configure 'logging monitor errors' and then 'terminal monitoring'.  Whenever the 'set connection per-client-max n' rule is invoked, you will get a log that looks like this:

Aug 17 2010 10:16:48: %ASA-3-201013: Per-client connection limit exceeded 20/20 for input packet from 192.168.2.26/38602 to 172.16.34.8/80 on interface outside

Hope you find this useful.
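The %ASA-3-201013 message quoted in the post above is the only on-box evidence that the per-client limit fired, so once a syslog server does exist, that message is what to key detection on. The following is an added example (not code from the thread or from Cisco) that parses that message format, skips unrelated ASA lines, and counts how often each client tripped the limit against each server. The sample log is constructed for this example: the first line is the one posted above, the rest are made up to exercise the logic; the function and field names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Pattern for the %ASA-3-201013 message exactly as shown in the thread.
# The "Mon DD YYYY hh:mm:ss: " prefix is optional because it only appears
# when the ASA is configured with 'logging timestamp'.
LIMIT_RE = re.compile(
    r"^(?:(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): )?"
    r"%ASA-(?P<sev>\d)-201013: Per-client connection limit exceeded "
    r"(?P<current>\d+)/(?P<limit>\d+) for input packet from "
    r"(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) on interface (?P<iface>\S+)$"
)


@dataclass(frozen=True)
class LimitEvent:
    """One per-client-max violation reported by the firewall."""
    timestamp: str
    current: int      # connections the client currently holds
    limit: int        # the configured per-client-max value
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    interface: str


def parse_limit_event(line: str) -> Optional[LimitEvent]:
    """Return a LimitEvent for a %ASA-3-201013 line, or None for any other line."""
    m = LIMIT_RE.match(line.strip())
    if not m:
        return None
    return LimitEvent(
        timestamp=m.group("ts") or "",
        current=int(m.group("current")),
        limit=int(m.group("limit")),
        src_ip=m.group("src_ip"),
        src_port=int(m.group("src_port")),
        dst_ip=m.group("dst_ip"),
        dst_port=int(m.group("dst_port")),
        interface=m.group("iface"),
    )


def summarize(lines: Iterable[str]) -> Counter:
    """Count limit violations per (client, server, server port) tuple."""
    hits: Counter = Counter()
    for line in lines:
        ev = parse_limit_event(line)
        if ev is not None:
            hits[(ev.src_ip, ev.dst_ip, ev.dst_port)] += 1
    return hits


def noisy_clients(lines: Iterable[str], threshold: int = 3) -> List[str]:
    """Clients that hit the limit at least `threshold` times, most frequent first."""
    per_client: Counter = Counter()
    for (src_ip, _dst_ip, _dst_port), n in summarize(lines).items():
        per_client[src_ip] += n
    return [ip for ip, n in per_client.most_common() if n >= threshold]


# Constructed sample log for this example. Line 0 is the message posted in
# the thread; the remaining lines are made up to exercise the parser.
SAMPLE_LOG = [
    "Aug 17 2010 10:16:48: %ASA-3-201013: Per-client connection limit exceeded 20/20 for input packet from 192.168.2.26/38602 to 172.16.34.8/80 on interface outside",
    "Aug 17 2010 10:16:49: %ASA-3-201013: Per-client connection limit exceeded 20/20 for input packet from 192.168.2.26/38603 to 172.16.34.8/80 on interface outside",
    "Aug 17 2010 10:16:50: %ASA-3-201013: Per-client connection limit exceeded 20/20 for input packet from 192.168.2.26/38604 to 172.16.34.8/80 on interface outside",
    "Aug 17 2010 10:17:02: %ASA-3-201013: Per-client connection limit exceeded 20/20 for input packet from 10.0.0.7/51000 to 172.16.34.8/80 on interface outside",
    # An unrelated (constructed) connection teardown line that must be ignored.
    "Aug 17 2010 10:17:03: %ASA-6-302014: Teardown TCP connection 4711 for outside:10.0.0.7/51000 to inside:172.16.34.8/80 duration 0:00:01 bytes 812 TCP FINs",
]

if __name__ == "__main__":
    for key, count in summarize(SAMPLE_LOG).items():
        print(f"{key[0]} -> {key[1]}:{key[2]}  limit hit {count}x")
    print("clients over threshold:", noisy_clients(SAMPLE_LOG, threshold=2))
```

Because the message carries both the current count and the configured limit ("20/20"), the same parser also tells you which value of 'n' was in force when the drop happened, which is handy when the policy has been retuned and old drops need to be interpreted.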
