
sh resource usage

lkadlik
Level 1

Could someone please explain to me what the following output me


xxx# sh resource usage
Resource              Current         Peak      Limit        Denied Context
SSH                         1            2          5             0 System
Syslogs [rate]             42         3764        N/A             0 System
Conns                    3060         4944     280000             0 System
Xlates                    515         5195        N/A             0 System
Hosts                    1089         2495        N/A             0 System
Conns [rate]               13         7601        N/A             0 System
Inspects [rate]            23         7586        N/A             0 System

What is the time frame for the above command? (i.e., are these averages per second, and if so, over how many seconds?)

What is the difference between the "Conns" and "Conns [rate]"?

Thank you.

5 Replies

IAN WHITMORE
Level 4

Table 5-1     Resource Names and Limits

| Resource Name | Rate or Concurrent | Minimum and Maximum Number per Context | System Limit | Description |
|---|---|---|---|---|
| mac-addresses | Concurrent | N/A | 65,535 | For transparent firewall mode, the number of MAC addresses allowed in the MAC address table. |
| conns | Concurrent or Rate | N/A | Concurrent connections: See the "Supported Platforms and Feature Licenses" section on page A-1 for the connection limit for your platform. Rate: N/A | TCP or UDP connections between any two hosts, including connections between one host and multiple other hosts. |
| inspects | Rate | N/A | N/A | Application inspections. |
| hosts | Concurrent | N/A | N/A | Hosts that can connect through the adaptive security appliance. |
| asdm | Concurrent | 1 minimum, 5 maximum | 32 | ASDM management sessions. Note: ASDM sessions use two HTTPS connections: one for monitoring that is always present, and one for making configuration changes that is present only when you make changes. For example, the system limit of 32 ASDM sessions represents a limit of 64 HTTPS sessions. |
| ssh | Concurrent | 1 minimum, 5 maximum | 100 | SSH sessions. |
| syslogs | Rate | N/A | N/A | System log messages. |
| telnet | Concurrent | 1 minimum, 5 maximum | 100 | Telnet sessions. |
| xlates | Concurrent | N/A | N/A | Address translations. |

Source:

http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/mngcntxt.html#wp1113880

HTH,

Ian

Hi,

Thank you for the information but I think I am still confused.


What is the difference between

Resource              Current         Peak      Limit        Denied Context

Conns                    2242         4944     280000             0 System

and

Conns [rate]               18         7601        N/A             0 System
?

Thank you.

Hello,

The Conns resource is a measure of the number of conns currently in use on the firewall. The Conns [rate] resource measures the number of conns being built per second.

In the output you posted, your firewall was building conns at a rate of 18 per second and had 2242 conns established at that time.

Hope that helps.

-Mike
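
The concurrent-versus-rate distinction from the reply above, applied to the output posted in the question, as an added example that is not part of the original thread: a Python parser that labels each row as concurrent or rate and flags denied requests or a peak close to the configured limit. The function names and the 0.8 threshold are assumptions chosen for illustration.

```python
import re

# Output posted in the question above, embedded so the example runs offline.
SAMPLE = """\
Resource              Current         Peak      Limit        Denied Context
SSH                         1            2          5             0 System
Syslogs [rate]             42         3764        N/A             0 System
Conns                    3060         4944     280000             0 System
Xlates                    515         5195        N/A             0 System
Hosts                    1089         2495        N/A             0 System
Conns [rate]               13         7601        N/A             0 System
Inspects [rate]            23         7586        N/A             0 System
"""

ROW = re.compile(
    r"^(?P<name>.+?)\s+(?P<current>\d+)\s+(?P<peak>\d+)\s+"
    r"(?P<limit>\S+)\s+(?P<denied>\d+)\s+(?P<context>\S+)\s*$"
)

def parse_resource_usage(text):
    """Return one dict per resource row; header and prompt lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        is_rate = m["name"].endswith("[rate]")  # per-second rate, not a count
        rows.append({
            "resource": m["name"].removesuffix("[rate]").strip(),
            "kind": "rate" if is_rate else "concurrent",
            "current": int(m["current"]),
            "peak": int(m["peak"]),
            "limit": int(m["limit"]) if m["limit"].isdigit() else None,  # N/A -> None
            "denied": int(m["denied"]),
            "context": m["context"],
        })
    return rows

def findings(rows, threshold=0.8):
    """Flag denied requests and resources whose peak neared the limit (assumed 80%)."""
    out = []
    for r in rows:
        label = f'{r["resource"]} ({r["kind"]}, context {r["context"]})'
        if r["denied"] > 0:
            out.append(f'{label}: {r["denied"]} denied')
        if r["limit"] and r["peak"] / r["limit"] >= threshold:
            out.append(f'{label}: peak {r["peak"]} of limit {r["limit"]}')
    return out
```

On the posted output `findings(parse_resource_usage(SAMPLE))` returns an empty list: nothing was denied, and the SSH and Conns peaks are well below their limits.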

Hi Mike,


That helps a lot.  Do you happen to know the default time interval it uses to determine the Peak rate?

I would think, and please correct me if I am wrong, that based on the output the peak Conns [rate] of 7601 is that in one second interval the firewall saw 7601 connections being built.

As far as the peak rate for the Conns though, why is that different?  What is used to calculate that number?

Thank you.


Lynne

Hi Lynne,

I agree those numbers don't make sense. I can't think of a scenario where the peak conn rate would ever be higher than the peak number of conns. In other words, if you have a peak conn rate of, say, 1000, the peak conn count should never be less than 1000 (could certainly be more though).

What version of ASA code are you running?

It would probably be worth opening a TAC case for this issue to see if this is a bug. At the very least, we might need to adjust the documentation to reflect the differences. I wasn't able to find any known defects that would explain this output.

-Mike
