FWSM class-map monitor

pnavratil · ‎04-04-2011

Hi, I will setup connection limits on FWSM (version 4.1) with nat bypass so I am going to use service policy for this. Customer wants to look after the current connection count.

Example: I will limit conection to some server with:

access-list SERVER_LIMIT_ACL permit ip any host 10.10.10.10

class-map SERVER_LIMIT_CMAP

match access-list SERVER_LIMIT_ACL

policy-map LIMIT_PMAP

class SERVER_LIMIT_CMAP

set connection max 1000

This will be aplied to proper interface. So the result will be the 1001-st request to server 10.10.10.10 will be denied. I need to watch current status to be able to set some alarm when number of connections goes over some limit - say 800 connections. Is there any way, how to monitor current connection counter of class-map?

Thank you for any help

Regards

Pavel

mirober2 · ‎04-04-2011

Hi Pavel,

You can monitor the output of 'show service-policy set connection' and 'show local-host' to find out how close you are to hitting the connection limits you configured:

show service-policy:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/command/reference/s7.html#wp2751053

show local-host:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/command/reference/s4.html#wp2826903

When you do meet the connection limit, the FWSM will generate a %FWSM-3-202011 syslog message:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/system/message/logmsgs_external_docbase_0900e4b18059d73b_4container_external_docbase_0900e4b180ef4f45.html#wp2232717

Hope that helps.

-Mike