How to take the drop counters for ZBFW configured in CSR 1000v with multi-tenancy

manoghos
Cisco Employee

Hi Experts

Currently, I am working on a ZBFW configuration which is applied using two zones: one zone is a VT interface and the other is the Cisco CSR Gig2 interface for outside traffic.

Using AnyConnect Client a FlexVPN tunnel is configured on VT interface and hence a Virtual-Access interface is formed.

Now, to take ZBFW counters for dropped packets, which would be the ideal CLI (A or B)?

A. show interface virtual-access 1 and get the total output drops

Virtual-Access1 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of Loopback1 (10.0.6.254)
  MTU 9922 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 255/255, rxload 1/255
  Encapsulation TUNNEL
  Tunnel vaccess, cloned from AAA, Virtual-Template2
  Vaccess status 0x4, loopback not set
  Keepalive not set
  Tunnel linestate evaluation up
  Tunnel source 192.171.8.114, destination 192.171.8.44
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1422 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "AC-9VGTO5D2")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 00:13:46
  Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 3753
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 252000 bits/sec, 19 packets/sec
     23333 packets input, 1575899 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     34158 packets output, 48016602 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

or B. using the show CLI below and summing all the listed counters:

show platform hardware qfp active feature firewall drop vrf name 9VGTO5D2

Drops stats for VRF:(id=2:name=9VGTO5D2)
-------------------------------------------------------------------------------
Drop Reason                                                          Packets
-------------------------------------------------------------------------------
Invalid TCP initiator                                                    214
TCP out of window                                                        123
Stray Segment                                                            379
ICMP Unreach pkt exceeds lmt                                               8
Zone-pair without policy                                                 388

As per my understanding, the latter should be fine when there is a factor of stability and a number of VAs are present.

Please suggest.

2 Replies

Hi manoghos,
Does the following command give you what you want: "show policy-firewall stats all"

...just filter for drops; this will identify in which class/policy-map the drops occurred.

HTH

Thanks, RJI.

But on CSR 16.08 I have only the options below:

99d0155b-744b-4d50-88b4-0d7fe1f620bb#show policy-firewall stats ?
  global    Global statistics
  platform  Firewall Platform Information
  vrf       vrf statistics
  zone      zone statistics

I tried the vrf option (VRF name: 9VGTO5D2), on which my FlexVPN tunnel + ZBFW was configured, but I didn't understand the show counters:

99d0155b-744b-4d50-88b4-0d7fe1f620bb#show policy-firewall stats vrf 9VGTO5D2
VRF: 9VGTO5D2, Parameter-Map: vrf-default
Interface reference count: 4
Total Session Count(estab + half-open): 3, Exceed: 0
Total Session Aggressive Aging Period Off, Event Count: 0

Half Open
Protocol  Session Cnt  Exceed
--------  -----------  ------
All                 0       0
UDP                 0       0
ICMP                0       0
TCP                 0       0

TCP Syn Flood Half Open Count: 0, Exceed: 0
Half Open Aggressive Aging Period Off, Event Count: 0

 

My other observation regarding the original post, where I initially took the drop counters:

VA interface 'Total output drops' for a VRF is always > 'sum of all counters' of show platform hardware qfp active feature firewall drop vrf name <vrf>

That's why the question of which one gives a more realistic drop counter with respect to ZBFW is my concern.

 

Thanks and regards

Manoj
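As an added illustration (not code from this thread or from Cisco), the Python below parses the two outputs quoted above, sums the per-reason QFP firewall drops (CLI B) and measures how far the Virtual-Access 'Total output drops' (CLI A) exceeds that sum; the sample output is constructed from the values quoted in the thread.

```python
import re
# Constructed sample output, modelled on the two show commands quoted in this thread.
SHOW_INTERFACE = """\
Virtual-Access1 is up, line protocol is up
  Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 3753
"""
QFP_FIREWALL_DROPS = """\
Drops stats for VRF:(id=2:name=9VGTO5D2)
-------------------------------------------------------------------------------
Drop Reason                                                          Packets
-------------------------------------------------------------------------------
Invalid TCP initiator                                                    214
TCP out of window                                                        123
Stray Segment                                                            379
ICMP Unreach pkt exceeds lmt                                               8
Zone-pair without policy                                                 388
"""

def interface_output_drops(text: str) -> int:
    """Return the interface-wide 'Total output drops' counter (CLI A)."""
    m = re.search(r"Total output drops:\s*(\d+)", text)
    if not m:
        raise ValueError("no 'Total output drops' counter found")
    return int(m.group(1))

def firewall_drop_reasons(text: str) -> dict[str, int]:
    """Parse the per-reason table of the QFP firewall drop command (CLI B)."""
    reasons: dict[str, int] = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("Drop Reason"):
            in_table = True  # column header; data rows follow the dashed rule
            continue
        if not in_table or set(line.strip()) <= {"-"}:
            continue         # skip the VRF preamble, dashed rules and blank lines
        m = re.match(r"^(.*?)\s+(\d+)\s*$", line)
        if m:
            reasons[m.group(1).strip()] = int(m.group(2))
    return reasons

def compare_drop_counters(intf_text: str, fw_text: str) -> dict:
    """Sum the ZBFW drop reasons and measure the gap to the interface counter.
    'Total output drops' counts every drop on the interface, whatever the cause, so it
    is only an upper bound on ZBFW drops; the gap is what CLI A counts beyond CLI B."""
    reasons = firewall_drop_reasons(fw_text)
    total = interface_output_drops(intf_text)
    fw_sum = sum(reasons.values())
    return {"interface_total_output_drops": total, "firewall_drop_sum": fw_sum,
            "gap": total - fw_sum, "reasons": reasons}
```

Sorting `reasons` by value also gives the per-reason breakdown (which class of firewall drop dominates) that the interface counter cannot provide.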
