Cisco Support Community
New Member

Monitoring half open connections on a CBAC firewall

Monitoring CBAC firewall

We’ve got a CBAC firewall running on a 7505 (enterprise FW feature set IOS).

I’d like to be able to monitor how many half open connections there are on the firewall. This will let me see how close I am to the maximum number, before the firewall starts closing connections.

I’ve looked at SNMP and there is a CISCO-FIREWALL-MIB which has the right options, but this doesn’t seem to be supported on the FW IOS. Is there another way to get this information so we can graph it with something like mrtg?

sh ip inspect sessions lists all the sessions; this gives an instantaneous value but doesn’t really lend itself to long term monitoring.

Taken from MIB:

ConnectionStat ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "This textual convention is used to describe various
        connections statistics.
        other           : A generic connection event.
        totalOpen       : Total open connections since reboot.
        currentOpen     : The number of connections currently open.
        currentClosing  : The number of connections currently closing.
        currentHalfOpen : The number of connections currently half-open.
        currentInUse    : The number of connections currently in use.
        high            : The highest number of connections in use at
                          any one time since system startup."
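Since the MIB counters are not available here, one workable route is to poll the router, parse the instantaneous output of sh ip inspect sessions, and hand the half-open count to MRTG as an external script. The following is an added example, not code from the thread or from Cisco; it assumes the classic CBAC output layout (Established Sessions / Half-open Sessions headings, session lines ending in SIS_OPENING, SIS_OPEN or SIS_CLOSING), and the sample output embedded in it is constructed, not a real capture. The 500 threshold is the IOS default for ip inspect max-incomplete high; substitute your configured value.

```python
import re
from collections import Counter

# Assumed CBAC states: SIS_OPENING = half-open (handshake incomplete),
# SIS_OPEN = established, SIS_CLOSING = tearing down. These map onto the
# MIB's currentHalfOpen, currentOpen and currentClosing counters above.
SESSION_RE = re.compile(
    r"^\s*Session\s+\S+\s+\((?P<src>[^)]+)\)=>\((?P<dst>[^)]+)\)\s+"
    r"(?P<proto>\S+)\s+(?P<state>SIS_\w+)"
)

def count_states(show_output: str) -> Counter:
    """Count session lines by state, e.g. {'SIS_OPEN': 2, 'SIS_OPENING': 3}."""
    counts = Counter()
    for line in show_output.splitlines():
        m = SESSION_RE.match(line)
        if m:
            counts[m.group("state")] += 1
    return counts

def half_open_summary(show_output: str, max_incomplete_high: int = 500) -> dict:
    """Half-open, established and closing counts plus the half-open count
    as a percentage of the 'ip inspect max-incomplete high' threshold."""
    c = count_states(show_output)
    half_open = c["SIS_OPENING"]
    return {
        "half_open": half_open,
        "established": c["SIS_OPEN"],
        "closing": c["SIS_CLOSING"],
        "pct_of_max": round(100.0 * half_open / max_incomplete_high, 1),
    }

def mrtg_lines(show_output: str, target: str = "cbac") -> str:
    """MRTG external-script format: value 1, value 2, uptime (left empty), name."""
    s = half_open_summary(show_output)
    return "\n".join([str(s["half_open"]), str(s["established"]), "", target])

# Constructed sample of 'show ip inspect sessions' output (not a real capture).
SAMPLE = """\
Established Sessions
 Session 65A5D5E4 (10.1.1.2:1030)=>(192.168.1.1:23) tcp SIS_OPEN
 Session 65A5D6A0 (10.1.1.4:1040)=>(192.168.1.1:21) ftp SIS_OPEN
Half-open Sessions
 Session 65A5D7B0 (10.1.1.3:1031)=>(192.168.1.1:80) tcp SIS_OPENING
 Session 65A5D7C8 (10.1.1.3:1032)=>(192.168.1.1:80) tcp SIS_OPENING
 Session 65A5D7E0 (10.1.1.5:1033)=>(192.168.1.2:25) tcp SIS_OPENING
"""

if __name__ == "__main__":
    print(mrtg_lines(SAMPLE))
```

Polled every few minutes, the half_open value graphed over a week gives the baseline needed to set max-incomplete high and low with some headroom rather than at the defaults.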

2 REPLIES
Blue

Re: Monitoring half open connections on a CBAC firewall

I believe that the CISCO-FIREWALL-MIB is only supported by PIX running PIX software.

New Member

Re: Monitoring half open connections on a CBAC firewall

That seems to be the view I was coming to as well.

Can you suggest another approach to the problem of monitoring this counter? We are trying to understand where the baseline is for our network so we can set the maximum threshold accordingly.
