Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 59 Configuring the ASA CX Module
Monitoring the ASA CX Module
Monitoring Module Connections
To show connections through the ASA CX module, enter one of the following commands:
Command
    Purpose

show asp table classify domain cxsc
    Shows the NP rules created to send traffic to the ASA CX module.

show asp table classify domain cxsc-auth-proxy
    Shows the NP rules created for the authentication proxy for the ASA CX module.

show asp drop
    Shows dropped packets. The following drop types are used:

    Frame Drops:

    cxsc-bad-tlv-received—This occurs when the ASA receives a packet from CXSC without a Policy ID TLV. This TLV must be present in non-control packets if the packet does not have the Standby Active bit set in the actions field.

    cxsc-request—The frame was requested to be dropped by CXSC due to a policy on CXSC whereby CXSC would set the actions to Deny Source, Deny Destination, or Deny Pkt.

    cxsc-fail-close—The packet is dropped because the card is not up and the policy configured was 'fail-close' (rather than 'fail-open', which allows packets through even if the card was down).

    cxsc-fail—The CXSC configuration was removed for an existing flow; because the ASA is not able to process the flow through CXSC, it will be dropped. This should be very unlikely.

    cxsc-malformed-packet—The packet from CXSC contains an invalid header. For instance, the header length may not be correct.

    Flow Drops:

    cxsc-request—The CXSC requested to terminate the flow. The actions bit 0 is set.

    reset-by-cxsc—The CXSC requested to terminate and reset the flow. The actions bit 1 is set.

    cxsc-fail-close—The flow was terminated because the card is down and the configured policy was 'fail-close'.

show asp event dp-cp cxsc-msg
    Shows how many ASA CX module messages are on the dp-cp queue. Currently, only VPN queries from the ASA CX module are sent to dp-cp.

show conn
    This command already shows if a connection is being forwarded to a module by displaying the ‘X - inspected by service module’ flag. Connections being forwarded to the ASA CX module will also display the ‘X’ flag.

Examples

The following is sample output from the show asp table classify domain cxsc command:

hostname# show asp table classify domain cxsc
Input Table
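The CXSC drop types listed above for show asp drop can be pulled out of captured command output and grouped for triage, so that fail-close drops (module down) are not lost among drops the CX policy asked for. This is an added example, not part of the Cisco guide: the function names, the triage grouping and the sample output are constructed, and it assumes counter lines of the form "description (drop-name) count" under "Frame drop:" and "Flow drop:" headings.

```python
import re

# Drop names per section, taken from the table; the same name can appear in both.
CXSC = {
    "frame": {"cxsc-bad-tlv-received", "cxsc-request", "cxsc-fail-close",
              "cxsc-fail", "cxsc-malformed-packet"},
    "flow": {"cxsc-request", "reset-by-cxsc", "cxsc-fail-close"},
}
# Triage grouping is this example's assumption, not a Cisco-defined ranking.
POLICY = {"cxsc-request", "reset-by-cxsc"}
SECTION = re.compile(r"^\s*(frame|flow) drops?:", re.I)
COUNTER = re.compile(r"\(([\w-]+)\)\s+(\d+)\s*$")

def parse_cxsc_drops(text):
    """Return {(section, drop_name): count} for CXSC drop types only."""
    section, counts = None, {}
    for line in text.splitlines():
        if m := SECTION.match(line):
            section = m.group(1).lower()
        elif (m := COUNTER.search(line)) and section and m.group(1) in CXSC[section]:
            counts[(section, m.group(1))] = int(m.group(2))
    return counts

def triage(counts):
    """Group non-zero counters so module outages stand apart from policy drops."""
    out = {}
    for (section, name), n in counts.items():
        if n == 0:
            continue
        cat = ("module-down" if name == "cxsc-fail-close"
               else "policy" if name in POLICY else "investigate")
        out.setdefault(cat, []).append((section, name, n))
    return out

# Constructed sample output; the text left of each (name) is placeholder wording.
SAMPLE = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)          12
  placeholder description (cxsc-request)                40
  placeholder description (cxsc-fail-close)              7
  placeholder description (cxsc-malformed-packet)        0
Last clearing: Never

Flow drop:
  placeholder description (cxsc-request)                 5
  placeholder description (reset-by-cxsc)                2
"""

if __name__ == "__main__":
    print(triage(parse_cxsc_drops(SAMPLE)))
```

Counters are keyed by section as well as name because cxsc-request and cxsc-fail-close exist as both frame and flow drops.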