Negative counters in ASA "show service-policy"

alberx
Level 1

Hi everybody,

In my Cisco ASA 5510 on release 8.2, I have a strange behavior in the output of the "show service-policy" command. The issue is that I created a class-map to limit traffic on one of the ASA interfaces and applied it in a service policy. This is the configuration:

access-list ACL-Limitada extended permit ip host srv-proxy any
access-list ACL-Limitada extended permit ip any host srv-proxy
access-list ACL-Limitada extended permit tcp 192.168.10.0 255.255.255.0 any eq ftp-data
access-list ACL-Limitada extended permit tcp 192.168.10.0 255.255.255.0 any eq ftp
access-list ACL-Limitada extended permit tcp any 192.168.10.0 255.255.255.0 eq ftp-data
access-list ACL-Limitada extended permit tcp any 192.168.10.0 255.255.255.0 eq ftp
class-map Limit-Trafico-DMZ
 description "Limitar el ancho de banda de trafico de internet DMZ"
 match access-list ACL-Limitada-DMZ
policy-map global_policy_DMZ
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ftp
  inspect pptp
  inspect icmp
  inspect dns preset_dns_map
  inspect ip-options
  inspect esmtp
 class Limit-Trafico-DMZ
  set connection per-client-max 100 per-client-embryonic-max 30
  police output 2000000
  police input 2000000
service-policy global_policy_DMZ interface dmz

Everything seems to be working correctly, but the output of "show service-policy" shows me a very big number of current connections as a negative value:

Interface dmz:
  Service-policy: global_policy_DMZ
    Class-map: inspection_default
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: http, packet 2534891, drop 0, reset-drop 0
      Inspect: netbios, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: skinny , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: sip , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: pptp, packet 0, drop 0, reset-drop 0
      Inspect: icmp, packet 0, drop 0, reset-drop 0
      Inspect: dns preset_dns_map, packet 15700, drop 3, reset-drop 0
      Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0
    Class-map: Limit-Trafico-DMZ
      Set connection policy: per-client-max 100 per-client-embryonic-max 30
        current conns -22077, drop 18270
      Output police Interface dmz:
        cir 2000000 bps, bc 62500 bytes
        conformed 33185594 packets, 2963990821 bytes; actions: transmit
        exceeded 0 packets, 0 bytes; actions: drop
        conformed 41432 bps, exceed 0 bps
      Input police Interface dmz:
        cir 2000000 bps, bc 62500 bytes
        conformed 42439891 packets, 50791684448 bytes; actions: transmit
        exceeded 1595688 packets, 2261211961 bytes; actions: drop
        conformed 446136 bps, exceed 0 bps

I couldn't find information about that behavior. Does anybody have experience with an issue like that?

Thanks everybody
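An added example, not part of the thread: a small Python check that parses "show service-policy" output and flags any class-map whose "current conns" counter has gone negative, which is the symptom both posters describe. The sample text is constructed from the outputs quoted in the thread (class-map names other than Limit-Trafico-DMZ are made up), and the parser handles both the single-counter line and the form that also carries "current embryonic conns".

```python
import re

# Constructed sample modelled on the thread's outputs, not a live capture.
SAMPLE = """\
Interface dmz:
  Service-policy: global_policy_DMZ
    Class-map: inspection_default
      Inspect: http, packet 2534891, drop 0, reset-drop 0
    Class-map: Limit-Trafico-DMZ
      Set connection policy: per-client-max 100 per-client-embryonic-max 30
        current conns -22077, drop 18270
    Class-map: HTTP_example
      Set connection policy: conn-max 3000 embryonic-conn-max 50 per-client-max 20 per-client-embryonic-max 10
        current embryonic conns 0, current conns -72, drop 50770
    Class-map: Healthy
      Set connection policy: conn-max 500
        current embryonic conns 3, current conns 120, drop 0
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s*(\S+)")
# Counter names exactly as the ASA prints them; values may be negative.
COUNTER_RE = re.compile(r"(current embryonic conns|current conns|drop)\s+(-?\d+)")


def parse_conn_counters(text):
    """Return {class_map: {counter_name: value}} for each class-map that has
    a 'set connection' counter line; inspect-only class-maps are skipped."""
    result = {}
    current = None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current and "current conns" in line:
            result[current] = {k: int(v) for k, v in COUNTER_RE.findall(line)}
    return result


def negative_counters(text):
    """Names of class-maps whose 'current conns' is below zero, sorted.
    A negative value can only be a counter defect, so treat it as an alert."""
    return sorted(name for name, c in parse_conn_counters(text).items()
                  if c.get("current conns", 0) < 0)


if __name__ == "__main__":
    for name in negative_counters(SAMPLE):
        print("negative current conns in class-map", name)
```

Feed it the saved output of "show service-policy" from a monitoring job; an empty result from negative_counters() means no counter has wrapped.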

2 Accepted Solutions

7 Replies

Maykol Rojas
Cisco Employee

Hi,

Well, you put "per-client-max". That means that each client (local host) will be able to make 100 connections, which means that you will be able to make around 25000 connections (since you have a class "C" network defined in the ACL that matches the class-map).

If you just want to limit it to 100 overall, you can use "conn-max" instead of per-client-max.

Hope this helps.

Mike


Hello,

Well, but the real question was about the negative connections number. What does it mean?

I also had a negative connection number shown in "show service-policy", and it seems that the ASA was dropping all the connections. After removing and re-applying the class-map, the traffic was OK:

    Class-map: HTTP_www.bnr.ro
      Set connection policy: conn-max 3000 embryonic-conn-max 50 per-client-max 20 per-client-embryonic-max 10
        current embryonic conns 0, current conns -72, drop 50770

alberx
Level 1

I don't know what it means. In fact, only you seem to be having the same issue.

Hello,

Either that (we are the only two people affected by this) or the others ignored this issue.

Thanks,

Bogdan

Shaoqin Li
Level 3

CSCtl23397 ASA may log negative values for Per-client conn limit exceeded messg

Sent from Cisco Technical Support iPad App

Hello,

Thank you for pointing out that bug ID, I will make a fast upgrade to the last interim of 8.2.5 (I am currently running official version 8.2.5).

BR,

Bogdan

alberx
Level 1

Thanks Shaoqin Li,

after more than one year, somebody answered with the exact issue.
