04-04-2011 03:27 AM - edited 03-11-2019 01:16 PM
Hi, I will set up connection limits on an FWSM (version 4.1) with NAT bypass, so I am going to use a service policy for this. The customer wants to keep track of the current connection count.
Example: I will limit connections to some server with:
access-list SERVER_LIMIT_ACL permit ip any host 10.10.10.10
class-map SERVER_LIMIT_CMAP
  match access-list SERVER_LIMIT_ACL
policy-map LIMIT_PMAP
  class SERVER_LIMIT_CMAP
    set connection max 1000
This will be applied to the proper interface. So the result will be that the 1001st connection request to server 10.10.10.10 will be denied. I need to watch the current status to be able to set an alarm when the number of connections goes over some limit, say 800 connections. Is there any way to monitor the current connection counter of the class-map?
Thank you for any help
Regards
Pavel
04-04-2011 06:07 AM
Hi Pavel,
You can monitor the output of 'show service-policy set connection' and 'show local-host' to find out how close you are to hitting the connection limits you configured:
show service-policy:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/command/reference/s7.html#wp2751053
show local-host:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/command/reference/s4.html#wp2826903
When you do meet the connection limit, the FWSM will generate a %FWSM-3-202011 syslog message:
Hope that helps.
-Mike
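The alarm Pavel asked for can be built on top of the 'show service-policy set connection' output Mike points at: poll the command, parse the per-class counters, and alert when a class is within a configurable fraction of its conn-max (800 of 1000 in the original question) or when the drops counter grows between polls, which means the limit is actually being hit. The following is an added example, not code from the thread or from Cisco; the sample output is constructed and its exact layout (the "Class-map:", "conn-max" and "current conns N, drops M" lines) is an assumption modelled on the ASA/FWSM format, so check it against the real output of your device before relying on the regexes. Fetching the output (SSH session, expect script, or however you already collect from the FWSM) is left to the caller; only the parsing and threshold logic is shown.

```python
"""Parse FWSM 'show service-policy set connection' output and raise alarms.

Added example, not from the original thread. The output layout assumed here
is modelled on the ASA/FWSM 'show service-policy' format and must be verified
against your own device.
"""
import re
from typing import Dict, List, Optional

# Constructed sample output (assumed layout): two classes, one close to limit.
SAMPLE_OUTPUT = """\
Interface inside:
  Service-policy: LIMIT_PMAP
    Class-map: SERVER_LIMIT_CMAP
      Set connection policy: conn-max 1000
        current conns 812, drops 3
    Class-map: OTHER_CMAP
      Set connection policy: conn-max 500
        current conns 12, drops 0
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)")
MAX_RE = re.compile(r"conn-max\s+(\d+)")
CURR_RE = re.compile(r"current conns\s+(\d+),\s+drops\s+(\d+)")


def parse_set_connection(text: str) -> Dict[str, dict]:
    """Return {class_map: {"conn_max": int|None, "current": int, "drops": int}}.

    Counters are attributed to the most recently seen 'Class-map:' line;
    lines before the first class-map (interface/policy headers) are skipped.
    """
    stats: Dict[str, dict] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            stats[current] = {"conn_max": None, "current": 0, "drops": 0}
            continue
        if current is None:
            continue
        m = MAX_RE.search(line)
        if m:
            stats[current]["conn_max"] = int(m.group(1))
        m = CURR_RE.search(line)
        if m:
            stats[current]["current"] = int(m.group(1))
            stats[current]["drops"] = int(m.group(2))
    return stats


def check_thresholds(stats: Dict[str, dict], warn_ratio: float,
                     prev_drops: Optional[Dict[str, int]] = None) -> List[str]:
    """Return alarm strings for classes near their limit or actively dropping.

    warn_ratio is the fraction of conn-max at which to warn (0.8 -> 800 of 1000).
    prev_drops maps class-map -> drops counter seen at the previous poll; a
    higher value now means the limit was reached since then.
    """
    alarms: List[str] = []
    for name, s in stats.items():
        if s["conn_max"] is not None:
            threshold = int(s["conn_max"] * warn_ratio)
            if s["current"] >= threshold:
                alarms.append(f"{name}: {s['current']}/{s['conn_max']} "
                              f"connections (warning threshold {threshold})")
        if prev_drops is not None and s["drops"] > prev_drops.get(name, 0):
            alarms.append(f"{name}: drops rose to {s['drops']} (limit hit)")
    return alarms


if __name__ == "__main__":
    parsed = parse_set_connection(SAMPLE_OUTPUT)
    for msg in check_thresholds(parsed, 0.8, prev_drops={"SERVER_LIMIT_CMAP": 1}):
        print("ALARM", msg)
```

On the constructed sample this reports SERVER_LIMIT_CMAP at 812/1000 (over the 800 warning threshold) and its drops counter rising from 1 to 3, while OTHER_CMAP stays quiet. Keep the previous poll's drops per class between runs (a small state file is enough) so that a limit that was hit and then relaxed is still noticed.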
04-10-2011 05:14 AM
Thank you for the tips. Can I get the values for current connections and drops, which I can see in 'show service-policy set connection', via SNMP?
I cannot find them.
Regards
Pavel