04-30-2019 12:46 PM - edited 04-30-2019 12:49 PM
Hi Experts
Currently, I am working on a ZBFW configuration which is applied using 2 zones. One zone is a VT interface and the other is the Cisco CSR gig2 interface for outside traffic.
Using the AnyConnect client, a FlexVPN tunnel is configured on the VT interface, and hence a Virtual-Access interface is formed.
Now, to take ZBFW counters for dropped packets, which should be the ideal CLI (A or B)?
A. show interface virtual-access 1 and get the total output drops
Virtual-Access1 is up, line protocol is up
Hardware is Virtual Access interface
Interface is unnumbered. Using address of Loopback1 (10.0.6.254)
MTU 9922 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 255/255, rxload 1/255
Encapsulation TUNNEL
Tunnel vaccess, cloned from AAA, Virtual-Template2
Vaccess status 0x4, loopback not set
Keepalive not set
Tunnel linestate evaluation up
Tunnel source 192.171.8.114, destination 192.171.8.44
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Tunnel transport MTU 1422 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "AC-9VGTO5D2")
Last input never, output never, output hang never
Last clearing of "show interface" counters 00:13:46
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 3753
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 252000 bits/sec, 19 packets/sec
23333 packets input, 1575899 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
34158 packets output, 48016602 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
or B. Using the below show CLI and the sum of all the listed counters:
Drops stats for VRF:(id=2:name=9VGTO5D2)
-------------------------------------------------------------------------------
Drop Reason                                    Packets
-------------------------------------------------------------------------------
Invalid TCP initiator                          214
TCP out of window                              123
Stray Segment                                  379
ICMP Unreach pkt exceeds lmt                   8
Zone-pair without policy                       388
As per my understanding, the latter should be fine when there is a factor of stability and a number of VAs are present.
Please suggest.
04-30-2019 01:28 PM
04-30-2019 09:06 PM
Thanks, RJI.
But on CSR 16.08 I have the below options only:
99d0155b-744b-4d50-88b4-0d7fe1f620bb#show policy-firewall stats ?
global Global statistics
platform Firewall Platform Information
vrf vrf statistics
zone zone statistics
I tried with the vrf option (VRF name: 9VGTO5D2), on which my FlexVPN tunnel + ZBFW was configured, but I didn't understand the show counters:
99d0155b-744b-4d50-88b4-0d7fe1f620bb#show policy-firewall stats vrf 9VGTO5D2
VRF: 9VGTO5D2, Parameter-Map: vrf-default
Interface reference count: 4
Total Session Count(estab + half-open): 3, Exceed: 0
Total Session Aggressive Aging Period Off, Event Count: 0
Half Open
Protocol   Session Cnt   Exceed
--------   -----------   ------
All        0             0
UDP        0             0
ICMP       0             0
TCP        0             0
TCP Syn Flood Half Open Count: 0, Exceed: 0
Half Open Aggressive Aging Period Off, Event Count: 0
My other observation regarding the original post, where initially I am taking the drop counters:
The VA interface 'Total output drops' for a VRF is always > the 'sum of all counters' of show platform hardware qfp active feature firewall drop vrf name <vrf>.
That's why which one gives a more realistic drop counter w.r.t. ZBFW is the matter of concern.
Thanks and regards
Manoj
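Added example (not part of the thread and not Cisco code): a small Python parser that reads constructed copies of the two outputs quoted above, sums the per-reason firewall drop table and subtracts that sum from the VA interface's 'Total output drops'. The remainder is what the interface counter records for reasons other than the ZBFW feature, which is consistent with the observation that the interface counter is always the larger number; the parser assumes the 'Drop Reason ... Packets' column layout shown in the post.

```python
import re

# Constructed sample, trimmed to the lines the parser needs; the counter
# values are the ones from the "show interface virtual-access 1" output above.
SHOW_INTERFACE_VA = """\
Virtual-Access1 is up, line protocol is up
Last clearing of "show interface" counters 00:13:46
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 3753
34158 packets output, 48016602 bytes, 0 underruns
"""

# Constructed sample of the per-VRF QFP firewall drop table from the thread.
SHOW_FW_DROP_VRF = """\
Drops stats for VRF:(id=2:name=9VGTO5D2)
-------------------------------------------------------------------------------
Drop Reason                                    Packets
-------------------------------------------------------------------------------
Invalid TCP initiator                          214
TCP out of window                              123
Stray Segment                                  379
ICMP Unreach pkt exceeds lmt                   8
Zone-pair without policy                       388
"""

def parse_total_output_drops(text):
    """Return the interface-level 'Total output drops' counter."""
    m = re.search(r"Total output drops:\s*(\d+)", text)
    if m is None:
        raise ValueError("no 'Total output drops' counter in output")
    return int(m.group(1))

def parse_firewall_drops(text):
    """Return {drop reason: packets} from the QFP firewall drop table."""
    drops, in_table = {}, False
    for line in text.splitlines():
        if line.startswith("Drop Reason"):      # column header: rows follow it
            in_table = True
        elif in_table and line.strip() and not line.startswith("-"):
            reason, _, count = line.rstrip().rpartition(" ")   # last field is the count
            drops[reason.strip()] = int(count)
    return drops

def compare_drops(va_output, fw_output):
    """Split the VA interface's output drops into ZBFW drops and everything else."""
    by_reason = parse_firewall_drops(fw_output)
    zbfw_total = sum(by_reason.values())
    va_total = parse_total_output_drops(va_output)
    return {"va_total_output_drops": va_total, "zbfw_drop_total": zbfw_total,
            "non_zbfw_output_drops": va_total - zbfw_total, "by_reason": by_reason}
```

Running compare_drops on the two samples gives a ZBFW total of 1112 against 3753 interface drops, so 2641 of the interface drops have nothing to do with the firewall feature.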