Table Of Contents

show asp drop through show curpriv Commands

show asp drop

show asp load-balance per-packet

show asp multiprocessor accelerated-features

show asp table arp

show asp table classify

show asp table interfaces

show asp table routing

show asp table socket

show asp table vpn-context

show blocks

show blocks core

show blocks interface

show bootvar

show capture

show chardrop

show checkheaps

show checksum

show chunkstat

show class

show clock

show compression svc

show configuration

show conn

show console-output

show context

show controller

show counters

show cpu

show crashinfo

show crashinfo console

show crypto accelerator statistics

show crypto ca certificates

show crypto ca crls

show crypto ca server

show crypto ca server cert-db

show crypto ca server certificate

show crypto ca server crl

show crypto ca server user-db

show crypto ipsec df-bit

show crypto ipsec fragmentation

show crypto ipsec sa

show crypto ipsec stats

show crypto isakmp stats

show crypto isakmp sa

show crypto isakmp stats

show crypto protocol statistics

show csc node-count

show ctiqbe

show curpriv

show asp drop through show curpriv Commands

---

show asp drop

To debug the accelerated security path dropped packets or connections, use the show asp drop command in privileged EXEC mode.

show asp drop [flow [flow_drop_reason] | frame [frame_drop_reason]]

Syntax Description

flow [flow_drop_reason]	(Optional) Shows the dropped flows (connections). You can specify a particular reason by using the flow_drop_reason argument. Valid values for the flow_drop_reason argument are listed in the "Usage Guidelines" section, below.
frame [frame_drop_reason]	(Optional) Shows the dropped packets. You can specify a particular reason by using the frame_drop_reason argument. Valid values for the frame_drop_reason argument are listed in the "Usage Guidelines" section, below.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
7.0(1)	This command was introduced.
7.1(1)	Additional drop reasons were added.
7.2(1)	Additional drop reasons were added.
7.2(4)	Added a timestamp indicating when the last time the asp drop counters were cleared. It also displays the capture asp-drop type keywords next to the descriptions it displays.
8.0(2)	Additional drop reasons were added.
8.1(1)	Additional drop reasons were added.
7.0(8)/7.2(4)/8.0(4)/8.1(1)	Output now includes a timestamp indicating when the counters were last cleared (see the clear asp drop command). It also displays the drop reason keywords next to the description, so you can easily use the capture asp-drop command using the keyword.

Usage Guidelines

The show asp drop command shows the packets or connections dropped by the accelerated security path, which might help you troubleshoot a problem. See the Cisco Security Appliance Command Line Configuration Guide for more information about the accelerated security path. This information is used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Table 25-1 lists valid values for the frame_drop_reason argument for dropped frames. Table 25-2 lists valid values for the flow_drop_reason argument for dropped flows.

Table 25-1 Frame Drop Reasons 

Frame Drop Reason Keyword	Frame Drop Reason Display	Description
acl-drop	Flow is denied by access rule	This counter is incremented when a packet is denied by the security appliance. The deny rule could be a default rule created when the security appliance comes up, when various features are turned on or off, when an access list is applied to an interface, or any other feature. Apart from default rule drops, a flow could be denied because of: •An access list configured on an interface •An access list configured for AAA, and AAA denied the user •Through traffic arriving at a management-only interface •Unencrypted traffic arriving on a IPSec-enabled interface Recommendation: Check the access lists referenced by the following syslog messages. Syslog messages: 106023, 106100, 106004
bad-crypto	Bad crypto return in packet	This counter will increment when the security appliance attempts to perform a crypto operation on a packet, and the crypto operation fails. This is not a normal condition and could indicate possible software or hardware problems with the security appliance. Recommendation: If you are receiving many bad crypto indications, your security appliance may need servicing. You should enable system message 402123 to determine whether the crypto errors are hardware or software errors. You can also check the error counter in the global IPSec statistics with the show ipsec stats command. If the IPSec SA that is triggering these errors is known, the SA statistics from the show ipsec sa detail command will also be useful in diagnosing the problem. Syslog messages: 402123
bad-ipsec-natt	Bad IPSEC NATT packet	This counter will increment when the security appliance receives a packet on an IPSec connection that has negotiated NAT-T, but the packet is not addressed to the NAT-T UDP destination port of 4500 or had an invalid payload length. Recommendation: Analyze your network traffic to determine the source of the NAT-T traffic. Syslog messages: None.
bad-ipsec-prot	IPSEC not AH or ESP	This counter will increment when the security appliance receives a packet on an IPSec connection that is not an AH or ESP protocol packet. This is not a normal condition. Recommendation: If you are receiving many IPSec not AH or ESP indications on your security appliance, analyze your network traffic to determine the source of the traffic. Syslog messages: 402115
bad-ipsec-udp	Bad IPSEC UDP packet	This counter will increment when the security appliance receives a packet on an IPSec connection that has negotiated IPSec over UDP, but the packet has an invalid payload length. Recommendation: Analyze your network traffic to determine the source of the NAT-T traffic. Syslog messages: None.
bad-tcp-cksum	Bad TCP checksum	This counter is incremented and the packet is dropped when the security appliance receives a TCP packet whose computed TCP checksum does not match the recorded checksum in TCP header. Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a TCP endpoint is sending corrupted packets, and an attack is in progress. Please use the packet capture feature to learn more about the origin of the packet. To allow packets with an incorrect TCP checksum, disable the checksum-verification feature. Syslog messages: None
bad-tcp-flags	Bad TCP flags	This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with invalid TCP flags in the TCP header. For example, a packet with both SYN and FIN TCP flags set will be dropped. Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a TCP endpoint is sending corrupted packets and an attack is in progress. Please use the packet capture feature to learn more about the origin of the packet. Syslog messages: None.
channel-closed	Data path channel closed	This counter is incremented when the data path channel has been closed before the packet attempts to be sent out through this channel. Recommendation: It is normal in a multi-processor system when one processor closes the channel (for example, using the CLI), and another processor tries to send a packet through the channel. Syslog messages: None
connection-lock	Connection locking failed	While the packet was waiting for processing, the flow that was going to be usedwas destroyed. Recommendation: This message could occur if a user issued a command to remove the connection in a security appliance that is actively processing a packet. Otherwise, investigate the flow drop counter. This message might occur if the flow is force-dropped from error. Syslog messages: None.
conn-limit	Connection limit reached	This reason is given for dropping a packet when the connection limit or host connection limit has been exceeded. If this is a TCP packet which is dropped during TCP connection establishment phase due to connection limit, the drop reason "TCP connection limit reached" is also reported. Recommendation: If this is incrementing rapidly, check the syslog messages to determine which host's connection limit is reached. The connection limit may need to be increased if the traffic is normal, or the host may be under attack. Syslog messages: 201011
cp-event-queue-error	CP event queue error	This counter is incremented when a control point event queue enqueue attempt has failed due to queue length exceeded. This queue is used by the data path to punt packets to the control point for additional processing. This condition is only possible in a multi-processor enviroment. The module that attempted to enqueue the packet may issue its own packet-specific drop in response to this error. Recommendation: While this error does indicate a failure to completely process a packet, it may not adversely affect the connection. If the condition persists or connections are adversely affected contact Cisco TAC. Syslog messages: None.
cp-syslog-event-queue-error	CP syslog event queue error	This counter is incremented when a control point syslog event queue enqueue attempt has failed due to queue length exceeded. This queue is used by the data path to punt logging events to the control point when logging destinations other than to a UDP server are configured. This condition is only possible in a multi-processor environment. Recommendation: While this error does indicate a failure to completely process a logging event, logging to UDP servers should not be affected. If the condition persists, consider lowering the logging level and/or removing logging destinations or contact Cisco TAC. Syslog messages: None.
ctm-error	CTM returned error	This counter will increment when the security appliance attempts to perform a crypto operation on a packet and the crypto operation fails. This is not a normal condition and could indicate possible software or hardware problems with the security appliance. Recommendation: If you are receiving many bad crypto indications, your security appliance may need servicing. You should enable system message 402123 to determine whether the crypto errors are hardware or software errors. You can also check the error counter in the global IPSec statistics with the show ipsec stats command. If the IPSec SA that is triggering these errors is known, the SA statistics from the show ipsec sa detail command will also be useful in diagnosing the problem. Syslog messages: 402123
dispatch-block-alloc	Dispatch block unavailable	This counter is incremented and the packet is dropped when the security appliance could not allocate a core local block to process the packet that was received by the interface driver. Recommendation: This may be due to packets being queued for later processing or a block leak. Core local blocks may also not be available if they are not replenished on time by the free resource rebalancing logic. Please use the show blocks core command to further diagnose the problem. Syslog messages: None
dispatch-decode-err	Dispatch decode error	This counter is incremented when the packet dispatch module finds an error when decoding the frame. An example is an unsupported packet frame. Recommendation: Verify the packet format with a capture tool. Syslog messages: None
dispatch-queue-limit	Dispatch queue limit reached	The security appliance has are 32 K load-balancer queues that a packet can be hashed to. Each queue has a limit of 40 packets. When more packets are attempted, tail drop occurs, and this counter is incremented. Recommendation: If this happens excessively, find out which queues are affected and the connections hashing to that queue. Send this information to Cisco TAC. Syslog messages: None.
dns-guard-id-not-matched	DNS Guard id not matched	This counter will increment when the identification of the DNS response message does not match any DNS queries that passed across the appliance earlier on the same connection. This counter will increment by the DNS Guard function. Recommendation: No action required if it is an intermittent event. If the cause is an attack, you can deny the host using the access lists. Syslog messages: None.
dns-guard-out-of-app-id	DNS Guard out of app id	This counter will increment when the DNS Guard function fails to allocate a data structure to store the identification of the DNS message. Recommendation: Check the system memory usage. This event normally happens when the system runs short of memory. Syslog messages: None.
dst-l2_lookup-fail	Dst MAC L2 Lookup Failed	This counter will increment when the security appliance is configured for transparent mode, and the security appliance does a Layer 2 destination MAC address lookup that fails. Upon the lookup failure, the security appliance will begin the destination MAC discovery process and attempt to find the location of the host via ARP and/or ICMP messages. Recommendation: This is a normal condition when the security appliance is configured for transparent mode. You can also execute the show mac-address-table command to list the L2 MAC address locations currently discovered by the security appliance. Syslog messages: None.
flow-being-freed	Flow is being freed	This counter is incremented when the flow is being freed and all packets queued for inspection are dropped. Recommendation: No action needs to be taken. Syslog messages: None.
flow-expired	Expired flow	This counter is incremented when the security appliance tries to inject a new or cached packet belonging to a flow that has already expired. It is also incremented when the security appliance attempts to send an RST on a TCP flow that has already expired, or when a packet returns from the AIP SSM but the flow had already expired. The packet is dropped. Recommendation: If valid applications are getting preempted, investigate if a longer timeout is needed. Syslog messages: None.
fo-standby	Dropped by standby unit	If a through-the-box packet arrives at security appliance or context in a standby state, and a flow is created, then the packet is dropped and the flow removed. This counter will increment each time a packet is dropped in this manner. Recommendation: This counter should never be incrementing on the active security appliance or context. However, it is normal to see it increment on the standby appliance or security appliance. Syslog messages: 302014, 302016, 302018
fragment-reassembly-failed	Fragment reassembly failed	This counter is incremented when the security appliance fails to reassemble a chain of fragmented packets into a single packet. All the fragment packets in the chain are dropped. This is probably because of a failure while allocating memory for the reassembled packet. Recommendation: Use the show blocks command to monitor the current block memory. Syslog messages: None.
host-move-pkt	FP host move packet	This counter will increment when the security appliance or context is configured for transparent mode, and the source interface of a known Layer 2 MAC address is detected on a different interface. Recommendation: This indicates that a host has been moved from one interface (i.e. LAN segment) to another. This condition is normal while in transparent mode if the host has in fact been moved. However, if the host move toggles back and forth between interfaces, a network loop may be present. Syslog messages: 412001, 412002, 322001
ifc-classify	Virtual firewall classification failed	A packet arrived on a shared interface, but failed to classify to any specific context interface. Recommendation: Use the global or static command to specify the IPv4 addresses that belong to each context interface. Syslog messages: None.
inspect-dns-id-not-matched	DNS Inspect id not matched	This counter will increment when the identification of the DNS response message does not match any DNS queries that passed across the security appliance earlier on the same connection. Recommendation: No action required if it is an intermittent event. If the cause is an attack, you can deny the host using the access lists. Syslog messages: None.
inspect-dns-invalid-domain- label	DNS Inspect invalid domain label	This counter will increment when the security appliance detects an invalid DNS domain name or label. DNS domain name and label is checked per RFC 1035. Recommendation: None. Syslog messages: None.
inspect-dns-invalid-pak	DNS Inspect invalid packet	This counter will increment when the security appliance detects an invalid DNS packet. For example, a DNS packet with no DNS header, the number of DNS resource records not matching the counter in the header, etc. Recommendation: None. Syslog messages: None.
inspect-dns-out-of-app-id	DNS Inspect out of app id	This counter will increment when the DNS inspection engine fails to allocate a data structure to store the identification of the DNS message. Recommendation: Check the system memory usage. This event normally happens when the system runs short of memory. Syslog messages: None.
inspect-dns-pak-too-long	DNS Inspect packet too long	This counter is incremented when the length of the DNS message exceeds the configured maximum allowed value. Recommendation: No action required. If DNS message length checking is not desired, enable DNS inspection without the inspect dns maximum-length option. Syslog messages: 410001
inspect-icmp-error-different- embedded-conn	ICMP Error Inspect different embedded conn	This counter will increment when the frame embedded in the ICMP error message does not match the established connection that has been identified when the ICMP connection is created. Recommendation: No action required if it is an intermittent event. If the cause is an attack, you can deny the host using the access lists. Syslog messages: 313005
inspect-icmp-error-no-existing- conn	ICMP Error Inspect no existing conn	This counter will increment when the security appliance is not able to find any established connection related to the frame embedded in the ICMP error message. Recommendation: No action required if it is an intermittent event. If the cause is an attack, you can deny the host using the access lists. Syslog messages: 313005
inspect-icmp-out-of-app-id	ICMP Inspect out of app id	This counter will increment when the ICMP inspection engine fails to allocate an App ID data structure. The structure is used to store the sequence number of the ICMP packet. Recommendation: Check the system memory usage. This event normally happens when the system runs short of memory. Syslog messages: None.
inspect-icmp-seq-num-not- matched	ICMP Inspect seq num not matched	This counter will increment when the sequence number in the ICMP echo reply message does not match any ICMP echo message that passed across the security appliance earlier on the same connection. Recommendation: No action required if it is an intermittent event. If the cause is an attack, you can deny the host using the access lists. Syslog messages: 313004
inspect-icmpv6-error-invalid- pak	ICMPv6 Error Inspect invalid packet	This counter will increment when the security appliance detects an invalid frame embedded in the ICMPv6 packet. This check is the same as that on IPv6 packets. For example, an incomplete IPv6 header, a malformed IPv6 Next Header, etc. Recommendation: None. Syslog messages: None.
inspect-icmpv6-error-no- existing-conn	ICMPv6 Error Inspect no existing conn	This counter will increment when the security appliance is not able to find any established connection related to the frame embedded in the ICMPv6 error message. Recommendation: No action required if it is an intermittent event. If the cause is an attack, you can deny the host using the access lists. Syslog messages: 313005
inspect-rtcp-invalid-length	Invalid RTCP Packet length	This counter will increment when the UDP packet length is less than the size of the RTCP header. Recommendation: No action required. A capture can be used to figure out which RTP source is sending the incorrect packets and you can deny the host using the access lists. Syslog messages: None.
inspect-rtcp-invalid-payload-type	Invalid RTCP Payload type field	This counter will increment when the RTCP payload type field does not contain the values 200 to 204. Recommendation: The RTP source should be validated to see why it is sending payload types outside of the range recommended by the RFC 1889. Syslog messages: 431002
inspect-rtcp-invalid-version	Invalid RTCP Version field	This counter will increment when the RTCP version field contains a version other than 2. Recommendation: The RTP source in your network does not seem to be sending RTCP packets conformant with the RFC 1889. The reason for this has to be identified and you can deny the host using access lists if required. Syslog messages: 431002.
inspect-rtp-invalid-length	Invalid RTP Packet length	This counter will increment when the UDP packet length is less than the size of the RTP header. Recommendation: No action required. A capture can be used to figure out which RTP source is sending the incorrect packets and you can deny the host using the access lists. Syslog messages: None.
inspect-rtp-invalid-payload- type	Invalid RTP Payload type field	This counter will increment when the RTP payload type field does not contain an audio payload type when the signalling channel negotiated an audio media type for this RTP secondary connection. The counter increments similarly for the video payload type. Recommendation: The RTP source in your network is using the audio RTP secondary connection to send video or vice versa. If you wish to prevent this you can deny the host using access lists. Syslog messages: 431001
inspect-rtp-invalid-version	Invalid RTP Version field	This counter will increment when the RTP version field contains a version other than 2. Recommendation: The RTP source in your network does not seem to be sending RTP packets conformant with the RFC 1889. The reason for this has to be identified and you can deny the host using access lists if required. Syslog messages: 431001
inspect-rtp-max-outofseq-paks- probation	RTP out of sequence packets in probation period	This counter will increment when the out of sequence packets when the RTP source is being validated exceeds 20. During the probation period, the inspect looks for 5 in-sequence packets to consider the source validated. Recommendation: Check the RTP source to see why the first few packets do not come in sequence and correct it. Syslog messages: 431001
inspect-rtp-sequence-num- outofrange	RTP Sequence number out of range	This counter will increment when the RTP sequence number in the packet is not in the range expected by the inspect. Recommendation: No action is required because the inspect tries to recover and start tracking from a new sequence number after a lapse in the sequence numbers from the RTP source. Syslog messages: 431001
inspect-rtp-ssrc-mismatch	Invalid RTP Synchronization Source field	This counter will increment when the RTP SSRC field in the packet does not match the SSRC which the inspect has been seeing from this RTP source in all the RTP packets. Recommendation: This could be because the RTP source in your network is rebooting and hence changing the SSRC or it could be because of another host on your network trying to use the opened secondary RTP connections on the firewall to send RTP packets. This should be investigated further to confirm if there is a problem. Syslog messages: 431001
intercept-unexpected	Intercept unexpected packet	The security appliance either received data from a client while waiting for a SYNACK from a server, or it received a packet that cannot be handled in a particular state of TCP intercept. Recommendation: If this drop is causing the connection to fail, please have a sniffer trace of the client- and server-side of the connection while reporting the issue. The security appliance could be under attack, and the sniffer traces or capture would help narrow down the culprit. Syslog messages: None.
interface-down	Interface is down	This counter will increment for each packet received on an interface that is shutdown using the shutdown command. For ingress traffic, the packet is dropped after security context classification and if the interface associated with the context is shut down. For egress traffic, the packet is dropped when the egress interface is shut down. Recommendation: None. Syslog messages: None.
invalid-app-length	Invalid app length	This counter will increment when the security appliance detects an invalid length of the Layer 7 payload in the packet. Currently, it counts the drops by the DNS Guard function only. For example, an incomplete DNS header. Recommendation: None. Syslog messages: None.
invalid-encap	Invalid encapsulation	This counter is incremented when the security appliance receives a frame belonging to an unsupported link-level protocol or if the L3 type specified in the frame is not supported by the security appliance. The packet is dropped. Recommendation: Verify that directly-connected hosts have proper link-level protocol settings. Syslog messages: None.
invalid-ethertype	Invalid ethertype	This counter is incremented when the fragmentation module on the security appliance receives or tries to send a fragmented packet that does not belong to IP version 4 or version 6. The packet is dropped. Recommendation: Verify the MTU of the security appliance and other devices on the connected network to determine why the security appliance is processing such fragments. Syslog messages: None.
invalid-ip-header	Invalid IP header	This counter is incremented and the packet is dropped when the security appliance receives an IP packet whose computed checksum of the IP header does not match the recorded checksum in the header. Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a peer is sending corrupted packets and an attack is in progress. Please use the packet capture feature to learn more about the origin of the packet. Syslog messages: None
invalid-ip-length	Invalid IP length	This counter is incremented when the security appliance receives an IPv4 or IPv6 packet in which the header length or total length fields in the IP header are not valid or do not conform to the received packet length. Recommendation: None. Syslog messages: None.
invalid-ip-option	IP option configured drop	This counter is incremented when any unicast packet with IP options or a multicast packet with IP options that have not been configured to be accepted, is received by the security appliance. The packet is dropped. Recommendation: Investigate why a packet with IP options is being sent by the sender. Syslog messages: None.
invalid-tcp-hdr-length	Invalid tcp length	This counter is incremented when the security appliance receives a TCP packet whose size is smaller than the minimum-allowed header length or does not conform to the received packet length. Recommendation: The invalid packet could be a bogus packet being sent by an attacker. Investigate the traffic from the source in the following system message. Syslog messages: 500003.
invalid-udp-length	Invalid udp length	This counter is incremented when the security appliance receives a UDP packet whose size as calculated from the fields in the header is different from the measured size of the packet as received from the network. Recommendation: The invalid packet could be a bogus packet being sent by an attacker. Syslog messages: None.
ipsec-clearpkt-notun	IPSEC Clear Pkt w/no tunnel	This counter will increment when the security appliance receives a packet that should have been encrypted but was not. The packet matched the inner header security policy check of a configured and established IPSec connection on the security appliance but was received unencrypted. This is a security issue. Recommendation: Analyze your network traffic to determine the source of the spoofed IPSec traffic. Syslog messages: 402117
ipsec-ipv6	IPSEC via IPV6	This counter will increment when the security appliance receives an IPSec ESP packet, IPSec NAT-T ESP packet, or an IPSec over UDP ESP packet encapsulated in an IPv6 header. The security appliance does not currently support any IPSec sessions encapsulated in IPv6. Recommendation: None. Syslog messages: None.
ipsec-lock-error	IPSec locking error	This counter is incremented when an IPSec operation is attempted but fails due to an internal locking error. Recommendation: This condition should never be encountered during normal operation and may indicate a software problem with the security appliance. Contact Cisco TAC if this error occurs. Syslog messages: None.
ipsec-need-sa	IPSEC SA Not negotiated yet	This counter will increment when the security appliance receives a packet that requires encryption but has no established IPSec security association. This is generally a normal condition for LAN-to-LAN IPSec configurations. This indication will cause the security appliance to begin ISAKMP negotiations with the destination peer. Recommendation: If you have configured IPSec LAN-to-LAN on your security appliance, this indication is normal and does not indicate a problem. However, if this counter increments rapidly it may indicate a crypto configuration error or network error preventing the ISAKMP negotiation from completing. Verify that you can communicate with the destination peer and verify your crypto configuration using the show running-config command. Syslog messages: None.
ipsec-spoof	IPSEC Spoof detected	This counter will increment when the security appliance receives a packet which should have been encrypted but was not. The packet matched the inner header security policy check of a configured and established IPSec connection on the security appliance but was received unencrypted. This is a security issue. Recommendation: Analyze your network traffic to determine the source of the spoofed IPSec traffic. Syslog messages: 402117
ipsec-tun-down	IPSEC tunnel is down	This counter will increment when the security appliance receives a packet associated with an IPSec connection which is in the process of being deleted. Recommendation: This is a normal condition when the IPSec tunnel is torn down for any reason. Syslog messages: None.
ipsecudp-keepalive	IPSEC/UDP keepalive message	This counter will increment when the security appliance receives an IPSec over UDP keepalive message. IPSec over UDP keepalive messages are sent from the IPSec peer to the security appliance to keep NAT/PAT flow information current in network devices between the IPSec over UDP peer and the security appliance. Note These are not industry-standard NAT-T keepalive messages that are also carried over UDP and addressed to UDP port 4500. Recommendation: If you have configured IPSec over UDP on your security appliance, this indication is normal and does not indicate a problem. If IPSec over UDP is not configured on your security appliance, analyze your network traffic to determine the source of the IPSec over UDP traffic. Syslog messages: None.
ips-fail-close	IPS card is down	This counter is incremented and the packet is dropped when the AIP SSM is down and the fail-close option was used in IPS inspection. Recommendation: Check and bring up the AIP SSM. Syslog messages: 420001
ips-request	IPS Module requested drop	This counter is incremented and the packet is dropped as requested by the AIP SSM when the packet matches a signature on the IPS engine. Recommendation: Check syslog messages and alerts on the AIP SSM. Syslog messages: 420002
ipv6_sp-security-failed	IPv6 slowpath security checks failed	This counter is incremented and the packet is dropped for one of the following reasons: •An IPv6 through-the-box packet has the identical source and destination address. •An IPv6 through-the-box packet has a linklocal source or destination address. •An IPv6 through-the-box packet has a multicast destination address. Recommendation: These packets could indicate malicious activity, or could be the result of a misconfigured IPv6 host. Use the packet capture feature to capture type asp packets, and use the source MAC address to identify the source. Syslog messages: For identical source and destination address, system message 106016.
l2_acl	FP L2 rule drop	This counter increments when the security appliance denies a packet due to an EtherType access list. The transparent mode security appliance permits the following traffic by default: •IPv4 traffic is allowed through the transparent firewall automatically from a higher security interface to a lower security interface, without an access list. Note For Layer 3 traffic travelling from a low to a high security interface, an extended access list is required on the low security interface. •ARPs are allowed through the transparent firewall in both directions without an access list. ARP traffic can be controlled by ARP inspection. In routed mode, some types of traffic cannot pass through the security appliance even if you allow it in an access list. The transparent firewall, however, can allow almost any traffic through using either an extended access list (for IP traffic) or an EtherType access list (for non-IP traffic). Note The transparent mode security appliance does not pass CDP packets or IPv6 packets, or any packets that do not have a valid EtherType greater than or equal to 0x600. For example, you cannot pass IS-IS packets. An exception is made for BPDUs, which are supported. Packets permitted by EtherType access lists might still be dropped by an extended access list. The EtherType access list only supports EtherTypes and not Layer 2 destination MAC addresses. The following destination MAC addresses are allowed through the transparent firewall. Any MAC address not on this list is dropped. •TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF •IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF •BPDU multicast address equal to 0100.0CCC.CCCD •Appletalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF Recommendation: If your non-IP packets are dropped by the security appliance, you can configure an EtherType access list to permit the Layer 2 traffic. Syslog messages: 106026, 106027
l2_same-lan-port	L2 Src/Dst same LAN port	This counter will increment when the security appliance or context is configured for transparent mode, and the security appliance determines that the destination interface's L2 MAC address is the same as its ingress interface. Recommendation: This is a normal condition when the security appliance or context is configured for transparent mode. Since the security appliance interface is operating in promiscuous mode, the security appliance or context receives all packets on the local LAN segment. Syslog messages: None.
loopback-buffer-full	Loopback buffer full	This counter is incremented and the packet is dropped when packets are sent from one context of the security appliance to another context through a shared interface, and there is no buffer space in the loopback queue. Recommendation: Check the system CPU to make sure it is not overloaded. Syslog messages: None.
lu-invalid-pkt	Invalid LU packet	The standby unit received a corrupted Logical Update packet. Recommendation: The packet corruption could be caused by a bad cable, interface card, line noise, or software defect. If the interface appears to be functioning properly, then report the problem to Cisco TAC. Syslog messages: None.
mp-pf-queue-full	Port Forwarding Queue Is Full	This counter is incremented when the Port Forwarding application's internal queue is full and it receives another packet for transmission. Recommendation: This indicates that a software error should be reported to the Cisco TAC. Syslog messages: None.
mp-svc-addr-renew-response	SVC Module received address renew response data frame	This counter will increment when the security appliance receives an Address Renew Response message from an SVC. The SVC should not be sending this message. Recommendation: This indicates that an SVC software error should be reported to the Cisco TAC. Syslog messages: None.
mp-svc-bad-framing	SVC Module received badly framed data	This counter will increment when the security appliance receives a packet from an SVC or the control software that it is unable to decode. Recommendation: This indicates that a software error should be reported to the Cisco TAC. The SVC or security appliance could be at fault. Syslog messages: 722037 (Only for SVC received data).
mp-svc-bad-length	SVC Module received bad data length	This counter will increment when the security appliance receives a packet from an SVC or the control software where the calculated and specified lengths do not match. Recommendation: This indicates that a software error should be reported to the Cisco TAC. The SVC or security appliance could be at fault. Syslog messages: 722037 (Only for SVC received data).
mp-svc-compress-error	SVC Module compression error	This counter will increment when the security appliance encounters an error during compression of data to an SVC. Recommendation: This indicates that a software error should be reported to the Cisco TAC. The SVC or security appliance could be at fault. Syslog messages: 722037
mp-svc-decompres-error	SVC Module decompression error	This counter will increment when the security appliance encounters an error during decompression of data from an SVC. Recommendation: This indicates that a software error should be reported to the Cisco TAC. The SVC or security appliance could be at fault. Syslog messages: 722037
mp-svc-delete-in-progress	SVC Module received data while connection was being deleted	This counter will increment when the security appliance receives a packet associated with an SVC connection that is in the process of being deleted. Recommendation: This is a normal condition when the SVC connection is torn down for any reason. If this error occurs repeatedly or in large numbers, it could indicate that clients are having network connectivity issues. Syslog messages: None.
mp-svc-flow-control	SVC Session is in flow control	This counter will increment when the security appliance needs to drop data because an SVC is temporarily not accepting any more data. Recommendation: This indicates that the client is unable to accept more data. The client should reduce the amount of traffic it is attempting to receive. Syslog messages: None.
mp-svc-invalid-mac	SVC Module found invalid L2 data in the frame	This counter will increment when the security appliance is finds an invalid L2 MAC header attached to data received from an SVC. Recommendation: This indicates that a software error should be reported to the Cisco TAC. Syslog messages: None.
mp-svc-invalid-mac-len	SVC Module found invalid L2 data length in the frame	This counter will increment when the security appliance is finds an invalid L2 MAC length attached to data received from an SVC. Recommendation: This indicates that a software error should be reported to the Cisco TAC. Syslog messages: None.
mp-svc-no-channel	SVC Module does not have a channel for reinjection	This counter will increment when the interface that the encrypted data was received upon cannot be found in order to inject the decrypted data. Recommendation: If an interface is shut down during a connection, this could happen; re-enable/check the interface. Otherwise, this indicates that a software error should be reported to the Cisco TAC. Syslog messages: None.
mp-svc-no-fragment	SVC Module unable to fragment packet:	This counter is incremented when a packet to be sent to the SVC is not permitted to be fragmented or when there are not enough data buffers to fragment the packet. Recommendation: Increase the MTU of the SVC to reduce fragmentation. Avoid using applications that do not permit fragmentation. Decrease the load on the device to increase available data buffers. Syslog messages: None.
mp-svc-no-mac	SVC Module unable to find L2 data for frame	This counter will increment when the security appliance is unable to find an L2 MAC header for data received from an SVC. Recommendation: This indicates that a software error should be reported to the Cisco TAC. Syslog messages: None.
mp-svc-no-prepend	SVC Module does not have enough space to insert header	This counter will increment when there is not enough space before the packet data to prepend a MAC header in order to put the packet onto the network. Recommendation: This indicates that a software error should be reported to the Cisco TAC. Syslog messages: None.
mp-svc-no-session	SVC Module does not have a session	This counter will increment when the security appliance cannot determine the SVC session that this data should be transmitted over. Recommendation: This indicates that a software error should be reported to the Cisco TAC. Syslog messages: None.
mp-svc-unknown-type	SVC Module received unknown data frame	This counter will increment when the security appliance receives a packet from an SVC where the data type is unknown. Recommendation: Validate that the SVC being used by the client is compatible with the version of security appliance software. Syslog messages: None.
natt-keepalive	NAT-T keepalive message	This counter will increment when the security appliance receives an IPSec NAT-T keepalive message. NAT-T keepalive messages are sent from the IPSec peer to the security appliance to keep NAT/PAT flow information current in network devices between the NAT-T IPSec peer and the security appliance. Recommendation: If you have configured IPSec NAT-T on your security appliance, this indication is normal and does not indicate a problem. If NAT-T is not configured on your security appliance, analyze your network traffic to determine the source of the NAT-T traffic. Syslog messages: None
no-adjacency	No valid adjacency	This counter is incremented when the security appliance has tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped. Recommendation: Configure a capture for this drop reason and check if a host with the specified destination address exists on the connected network or is routable from the security appliance. Syslog messages: None.
no-mcast-entry	FP no mcast entry	This counter increments because of one of the following reasons: •A packet has arrived that matches a multicast flow, but the multicast service is no longer enabled, or was re-enabled after the flow was built. Recommendation: Reenable multicast if it is disabled. Syslog messages: None. •A multicast entry change has been detected after a packet was punted to the CP, and the NP can no longer forward the packet since no entry is present. Recommendation: None. Syslog messages: None.
no-mcast-intrf	FP no mcast output intrf	This counter increments because of one of the following reasons: •All output interfaces have been removed from the multicast entry. Recommendation: Verify that there are no longer any receivers for this group. Syslog messages: None. •The multicast packet could not be forwarded. Recommendation: Verify that a flow exists for this packet. Syslog messages: None.
non-ip-pkt-in-routed-mode	Non-IP packet received in routed mode	This counter will increment when the security appliance receives a packet that is not an IPv4, IPv6, or ARP packet, and the security appliance or context is configured for routed mode. In normal operation such packets should be dropped. Recommendation: This indicates that a software error should be reported to the Cisco TAC. Syslog messages: 106026, 106027
no-route	No route to host	This counter is incremented when the security appliance tries to send a packet out of an interface and does not find a route for it in the routing table. Recommendation: Verify that a route exists for the destination address obtained from the generated system message. Syslog messages: 110001
np-socket-closed	Dropped pending packets in a closed socket	If a socket is abruptly closed, by the user or software, then any pending packets in the pipeline for that socket are also dropped. This counter is incremented for each packet in the pipeline that is dropped. Recommendation: It is common to see this counter increment as part of normal operation. However, if the counter is rapidly incrementing and there is a major malfunction of socket-based applications, then this may be caused by a software defect. Contact the Cisco TAC to investigate the issue further. Syslog messages: None.
np-sp-invalid-spi	Invalid SPI	This counter increments when the security appliance receives an IPSec ESP packet addressed to the security appliance that specifies an SPI (security parameter index) not currently known by the security appliance. Recommendation: Occasional invalid SPI indications are common, especially during rekey processing. Many invalid SPI indications may suggest a problem or DoS attack. If you are experiencing a high rate of invalid SPI indications, analyze your network traffic to determine the source of the ESP traffic. Syslog messages: 402114
punt-no-mem	Punt no memory	This counter is incremented and the packet is dropped when there is no memory to create data structure for punting a packet to control point. Recommendation: No action needs to be taken if this condition is transient. If this condition persists due to low memory, then a system upgrade might be necessary. Syslog messages: None.
punt-queue-limit	Punt queue limit exceeded	This counter is incremented and the packet is dropped when the punt queue limit is exceeded, an indication that a bottle-neck is forming at the control point. Recommendation: No action needs to be taken. This is a design limitation. Syslog messages: None.
punt-rate-limit	Punt rate limit exceeded	This counter will increment when the security appliance attempts to forward a Layer 2 packet to a rate-limited control point service routine, and the rate limit (per/second) is now being exceeded. Currently, the only Layer 2 packets destined for a control point service routine that are rate limited are ARP packets. The ARP packet rate limit is 500 ARPs per second per interface. Recommendation: Analyze your network traffic to determine the reason behind the high rate of ARP packets. Syslog messages: 322002, 322003
queue-removed	Queued packet dropped	When the QoS configuration is changed or removed, the existing packets in the output queues awaiting transmission are dropped and this counter is incremented. Recommendation: Under normal conditions, this may be seen when the QoS configuration has been changed by the user. If this occurs when no changes to the QoS configuration were performed, please contact Cisco TAC. Syslog messages: None.
rate-exceeded	QoS rate exceeded	This counter is incremented when rate-limiting (policing) is configured on an egress/ingress interface, and the egress/ingress traffic rate exceeds the burst rate configured. The counter is incremented for each packet dropped. Recommendation: Investigate and determine why the rate of traffic leaving the interface is higher than the configured rate. This may be normal, or could be an indication of virus or attempted attack. Syslog messages: None.
rm-conn-limit	RM connection limit reached	This counter is incremented when the maximum number of connections for a context or the system has been reached, and a new connection is attempted. Recommendation: The device administrator can use the commands show resource usage and show resource usage system to view context and system resource limits and "Denied" counts and adjust resource limits if desired. Syslog messages: 321001
rm-conn-rate-limit	RM connection rate limit reached	This counter is incremented when the maximum connection rate for a context or the system has been reached and a new connection is attempted. Recommendation: The device administrator can use the commands show resource usage and show resource usage system to view context and system resource limits and "Denied" counts and adjust resource limits if desired. Syslog messages: 321002
rpf-violated	Reverse-path verify failed	This counter is incremented when ip verify reverse-path is configured on an interface and the security appliance receives a packet for which the route lookup of the source IP did not yield the same interface as the one on which the packet was received. Recommendation: Trace the source of traffic based on the source IP printed in the system message below, and investigate why it is sending spoofed traffic. Syslog messages: 106021
security-failed	Early security checks failed	This counter is incremented and the packet is dropped when the security appliance: •Receives an IPv4 multicast packet when the packet multicast MAC address does not match the packet multicast destination IP address •Receives an IPv6 or IPv4 teardrop fragment containing either small offset or fragment overlapping •Receives an IPv4 packet that matches an IP audit signature Recommendation: Contact the remote peer administrator or escalate this issue according to your security policy. For detailed description and syslog messages for IP audit attack checks please refer the ip audit signature command. Syslog messages: 106020, 400xx in case of IP audit checks
send-ctm-error	Send to CTM returned error	This counter is obsolete in the security appliance and should never increment. Recommendation: None. Syslog messages: None.
sp-security-failed	Slowpath security checks failed	This counter is incremented and the packet is dropped when the security appliance: •Is in routed mode and receives a through-the-box: –L2 broadcast packet –IPv4 packet with destination IP address equal to 0.0.0.0 –IPv4 packet with source IP address equal to 0.0.0.0 Recommendation: Determine if an external user is trying to compromise the protected network. Check for misconfigured clients. Syslog messages: 106016 •Is in routed or transparent mode and receives a through-the-box IPv4 packet with: –The first octet of the source IP address is equal to zero –The source IP address is equal to the loopback IP address –Network part of the source IP address is equal to all 0s –The network part of the source IP address is equal to all 1s –The source IP address host part is equal to all 0s or all 1s Recommendation: Determine if an external user is trying to compromise the protected network. Check for misconfigured clients. Syslog messages: 106016 •In routed or transparent mode and receives an IPv4 or IPv6 packet with the same source and destination IP addresses Recommendation: If this message counter is incrementing rapidly, an attack may be in progress. Use the packet capture feature to capture type asp packets, and check the source MAC address in the packet to see where they are coming from. Syslog messages: 106017
ssm-app-fail	Service module is down	This counter only applies to the ASA 5500 series adaptive security appliance. It is incremented when a packet to be inspected by the SSM is dropped because the SSM has become unavailable. Some examples of this are: software or hardware failure, software or signature upgrade, or the module being shut down. Recommendation: The SSM manager process running in the security appliance control plane would have issued system messages and CLI warning to inform you of the failure. Please consult the documentation that comes with the SSM to troubleshoot the SSM failure. Contact Cisco TAC if needed. Syslog messages: None.
ssm-app-request	Service module requested drop	This counter only applies to the ASA 5500 series adaptive security appliance. It is incremented when the application running on the SSM requests the security appliance to drop a packet. Recommendation: More information could be obtained by querying the incident report or system messages generated by the SSM itself. Please consult the documentation that comes with your SSM for instructions. Syslog messages: None.
ssm-asdp-invalid	Invalid ASDP packet received from SSM card	This counter only applies to the ASA 5500 series adaptive security appliance. It is incremented when the security appliance receives an ASA SSM Dataplane Protocol (ASDP) packet from the internal data plane interface, but the driver encountered a problem when parsing the packet. ASDP is a protocol used by the security appliance to communicate with certain types of SSMs, like the CSC SSM. This could happen for various reasons, for example: the ASDP protocol version is not compatible between the security appliance and the SSM, in which case the SSM manager process in the control plane issues system messages and CLI warnings to inform you of the proper version of images that needs to be installed; the ASDP packet belongs to a connection that has already been terminated on the security appliance; the security appliance has switched to the standby state (if failover is enabled) in which case it can no longer pass traffic; or any unexpected value when parsing the ASDP header and payload. Recommendation: The counter is usually 0 or a very small number. But you should not be concerned if the counter slowly increases over time, especially when there has been a failover, or you have manually cleared connections on the security appliance via the CLI. If the counter increases drastically during normal operation, please contact Cisco TAC. Syslog messages: 421003, 421004
ssm-dpp-invalid	Invalid packet received from SSM card	This counter only applies to the ASA 5500 series adaptive security appliance. It is incremented when the security appliance receives a packet from the internal data plane interface but could not find the proper driver to parse it. Recommendation: The data plane driver is dynamically registered depending on the type of SSM installed in the system. So this could happen if data plane packets arrive before the security appliance is fully initialized. This counter is usually 0. You should not be concerned if there are a few drops. However, if this counter keeps rising when system is up and running, it may indicate a problem. Please contact Cisco TAC if you suspect it affects the normal operation of your the security appliance. Syslog messages: None.
tcp_xmit_partial	TCP retransmission partial	This counter is incremented and the packet is dropped when the check-retransmission feature is enabled, and a partial TCP retransmission was received. Recommendation: None. Syslog messages: None.
tcp-3whs-failed	TCP failed 3 way handshake	This counter is incremented and the packet is dropped when security appliance receives an invalid TCP packet during the three-way handshake. For example, the SYN-ACK from a client will be dropped for this reason. Recommendation: None. Syslog messages: None.
tcp-acked	TCP DUP and has been ACKed	This counter is incremented and the packet is dropped when the security appliance receives a retransmitted data packet and the data has been acknowledged by the peer TCP endpoint. Recommendation: None. Syslog messages: None.
tcp-ack-syn-diff	TCP ACK in SYNACK invalid	This counter is incremented and the packet is dropped when the security appliance receives a SYN-ACK packet during the three-way handshake with an incorrect TCP acknowledgement number. Recommendation: None. Syslog messages: None.
tcp-bad-option-len	Bad option length in TCP	This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with a TCP option set, but the option length does not match the length defined for that option in the TCP RFC. Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a TCP endpoint is sending corrupted packets and an attack is in progress. Please use the packet capture feature to learn more about the origin of the packet. Syslog messages: None.
tcp-bad-option-list	TCP option list invalid	This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with a non-standard TCP header option. Recommendation: To allow such TCP packets or clear non-standard TCP header options and then allow the packet, use the tcp-options command. Syslog messages: None.
tcp-bad-sack-allow	Bad TCP SACK ALLOW option	This counter is incremented and the packet is dropped when the appliance receives a TCP packet with the selective acknowledgement option, but the SYN flag is not set. Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a TCP endpoint is sending corrupted packets and an attack is in progress. Please use the packet capture feature to learn more about the origin of the packet. Syslog messages: None.
tcp-bad-winscale	Bad TCP window scale value	This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with the window-scale option greater than 14. Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a TCP endpoint is sending corrupted packets and an attack is in progress. Please use the packet capture feature to learn more about the origin of the packet. Syslog messages: None.
tcp-buffer-full	TCP packet buffer full	This counter is incremented and the packet is dropped when the security appliance receives an out-of-order TCP packet on a connection, and there is no buffer space to store this packet. Typically TCP packets are put into order on connections that are inspected by the security appliance or when packets are sent to an SSM for inspection. There is a default queue size, and when packets in excess of this default queue size are received they will be dropped. Recommendation: On ASA platforms the queue size could be increased using the queue-limit command. Syslog messages: None.
tcp-conn-limit	TCP Connection limit reached	This reason is given for dropping a TCP packet during the TCP connection establishment phase when the connection limit has been exceeded. The connection limit is configured using the set connection conn-max command. Recommendation: If this is incrementing rapidly, check the syslog messages to determine which host's connection limit is reached. The connection limit may need to be increased if the traffic is normal, or the host may be under attack. Syslog messages: 201011
tcp-data-past-fin	TCP data send after FIN	This counter is incremented and the packet is dropped when the security appliance receives new a TCP data packet from an endpoint which had sent a FIN to close the connection. Recommendation: None. Syslog messages: None.
tcp-discarded-ooo	TCP ACK in 3 way handshake invalid	This counter is incremented and the packet is dropped when the security appliance receives a TCP ACK packet from a client during the three-way-handshake and the sequence number is not the next expected sequence number. Recommendation: None. Syslog messages: None.
tcp-dual-open	TCP Dual open denied	This counter is incremented and the packet is dropped when the security appliance receives a TCP SYN packet from the server and an embryonic TCP connection is already open. Recommendation: None. Syslog messages: None.
tcp-fo-drop	TCP replicated flow pak drop	This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with a control flag like SYN, FIN, or RST on an established connection just after the security appliance has taken over as active unit. Recommendation: None. Syslog messages: None.
tcp-invalid-ack	TCP invalid ACK	This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with an acknowledgement number greater than the data sent by the peer TCP endpoint. Recommendation: None. Syslog messages: None.
tcp-mss-exceeded	TCP data exceeded MSS	This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with a data length greater than the MSS advertised by the peer TCP endpoint. Recommendation: To allow such TCP packets, use the exceed-mss command. Syslog messages: 4419001
tcpnorm-rexmit-bad	TCP bad retransmission	This counter is incremented and the packet is dropped when the check-retransmission feature is enabled, and a TCP retransmission with different data from the original packet was received. Recommendation: None. Syslog messages: None.
tcpnorm-win-variation	TCP unexpected window size variation	This counter is incremented and the packet is dropped when the window size advertised by the TCP endpoint is drastically changed without accepting that much data. Recommendation: To allow such packet, use the window-variation command. Syslog messages: None.
tcp-not-syn	First TCP packet not SYN	The security appliance received a non-SYN packet as the first packet of a non-intercepted and non-nailed connection. Recommendation: Under normal conditions, this may be seen when the security appliance has already closed a connection, and the client or server still believe the connection is open, and continue to transmit data. Some examples where this may occur is just after a clear local-host or clear xlate command is issued. Also, if connections have not been recently removed, and the counter is incrementing rapidly, the security appliance may be under attack. Capture a sniffer trace to help isolate the cause. Syslog messages: 6106015
tcp-paws-fail	TCP packet failed PAWS test	This counter is incremented and the packet is dropped when a TCP packet with a timestamp header option fails the PAWS (Protect Against Wrapped Sequences) test. Recommendation: To allow such connections to proceed, use the tcp-options command to clear the timestamp option. Syslog messages: None.
tcp-reserved-set	TCP reserved flags set	This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with reserved flags set in TCP header. Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a TCP endpoint is sending corrupted packets and an attack is in progress. Please use the packet capture feature to learn more about the origin of the packet. To allow such TCP packets or clear reserved flags and then pass the packet, use the reserved-bits command. Syslog messages: None
tcp-rstfin-ooo	TCP RST/FIN out of order	This counter is incremented and the packet is dropped when the security appliance receives a RST or a FIN packet with the incorrect TCP sequence number. Recommendation: None. Syslog messages: None.
tcp-rst-syn-in-win	TCP RST/SYN in window	This counter is incremented and the packet is dropped when the security appliance receives a TCP SYN or TCP RST packet on an established connection with a sequence number within the window, but not as the next expected sequence number. Recommendation: None. Syslog messages: None.
tcp-seq-past-win	TCP packet SEQ past window	This counter is incremented and the packet is dropped when the security appliance receives a TCP data packet with a sequence number beyond the window allowed by the peer TCP endpoint. Recommendation: None. Syslog messages: None.
tcp-seq-syn-diff	TCP SEQ in SYN/SYNACK invalid	This counter is incremented and the packet is dropped when the security appliance receives a SYN or SYN-ACK packet during the three-way handshake with an incorrect TCP sequence number. Recommendation: None. Syslog messages: None.
tcp-synack-data	TCP SYNACK with data	This counter is incremented and the packet is dropped when the security appliance receives a TCP SYN-ACK packet with data. Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a TCP endpoint is sending corrupted packets and an attack is in progress. Please use the packet capture feature to learn more about the origin of the packet. Syslog messages: None.
tcp-synack-ooo	TCP SYNACK on established conn	This counter is incremented and the packet is dropped when the security appliance receives a TCP SYN-ACK packet on an established TCP connection. Recommendation: None. Syslog messages: None.
tcp-syn-data	TCP SYN with data	This counter is incremented and the packet is dropped when the security appliance receives a TCP SYN packet with data. Recommendation: To allow such TCP packets use the syn-data command. Syslog messages: None.
tcp-syn-ooo	TCP SYN on established conn	This counter is incremented and the packet is dropped when the security appliance receives a TCP SYN packet on an established TCP connection. Recommendation: None. Syslog messages: None.
tcp-winscale-no-syn	TCP Window scale on non-SYN	This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with the window-scale TCP option without SYN flag set. Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a TCP endpoint is sending corrupted packets and an attack is in progress. Please use the packet capture feature to learn more about the origin of the packet. Syslog messages: None.
telnet-not-permitted	Telnet not permitted on least secure interface	This counter is incremented and packet is dropped when the appliance receives a TCP SYN packet attempting to establish a TELNET session to the appliance and that packet was received on the least secure interface. Recommendation: To establish a TELNET session to the appliance via the least secure interface, first establish an IPSec tunnel to that interface and then connect the TELNET session over that tunnel. Syslog messages: 402117
tfw-no-mgmt-ip-config	No management IP address configured for TFW	This counter is incremented when the security appliance receives an IP packet in transparent mode and has no management IP address defined. The packet is dropped. Recommendation: Configure the security appliance with a management IP address and mask values. Syslog messages: 322004
unable-to-add-flow	Flow hash full	This counter is incremented when a newly created flow is inserted into the flow hash table, and the insertion failed because the hash table was full. The flow and the packet are dropped. This is different from the counter that increments when the maximum connection limit is reached. Recommendation: This message signifies a lack of resources on the security appliance to support an operation that should have been successful. Please check if the connections in the show conn output have exceeded their configured idle timeout values. If so, contact Cisco TAC. Syslog messages: None.
unable-to-create-flow	Flow denied due to resource limitation	This counter is incremented and the packet is dropped when flow creation fails due to a system resource limitation. The resource limit may be either: •System memory •Packet block extension memory •System connection limit The first two causes occur simultaneously with flow drop reason "No memory to complete flow." Recommendation: •Observe if free system memory is low. •Observe if flow drop reason "No memory to complete flow" occurs. •Observe if the connection count reaches the system connection limit using the show resource usage command. Syslog messages: None.
unexpected-packet	Unexpected packet	This counter is incremented when the security appliance in transparent mode receives a non-IP packet destined to its MAC address, but there is no corresponding service running on the security appliance to process the packet. Recommendation: Verify if the security appliance is under attack. If there are no suspicious packets, or the security appliance is not in transparent mode, this counter is most likely being incremented due to a software error. Attempt to capture the traffic that is causing the counter to increment and contact the Cisco TAC. Syslog messages: None.
unsupported-ip-version	Unsupported IP version	This counter is incremented when the security appliance receives an IP packet that has an unsupported version in the version field of the IP header. Specifically, if the packet does not belong to version 4 or version 6, the packet is dropped. Recommendation: Verify that other devices on the connected network are configured to send IP packets belonging to versions 4 or 6 only. Syslog messages: None.
unsupport-ipv6-hdr	Unsupported IPV6 header	This counter is incremented and the packet is dropped if an IPv6 packet is received with an unsupported IPv6 extension header. The supported IPv6 extension headers are: TCP, UDP, ICMPv6, ESP, AH, Hop Options, Destination Options, and Fragment. The IPv6 routing extension header is not supported, and any extension header not listed above is not supported. IPv6 ESP and AH headers are supported only if the packet is through-the-box. To-the-box IPv6 ESP and AH packets are not supported and will be dropped. Recommendation: This error may be due to a misconfigured host. If this error occurs repeatedly or in large numbers, it could also indicate spurious or malicious activity such as an attempted DoS attack. Syslog messages: None.
vpn-context-expired	Expired VPN context	This counter will increment when the security appliance receives a packet that requires encryption or decryption, and the ASP VPN context required to perform the operation is no longer valid. Recommendation: This indicates that a software error should be reported to the Cisco TAC. Syslog messages: None
vpn-lock-error	IPSec locking error	This counter is incremented when a VPN flow cannot be created due to an internal locking error. Recommendation: This condition should never be encountered during normal operation and may indicate a software problem with the security appliance . Contact Cisco TAC if this error occurs. Syslog messages: None.
wccp-redirect-no-route	No route to Cache Engine	This counter is incremented when the security appliance tries to redirect a packet and does not find a route to the Cache Engine. Recommendation: Verify that a route exists for Cache Engine. Syslog messages: None
wccp-return-no-route	No route to host for WCCP returned packet	This counter is incremented when a packet is returned from the Cache Engine and the security appliance does not find a route for the original source of the packet. Recommendation: Verify that a route exists for the source IP address of the packet returned from Cache Engine. Syslog messages: None

Table 25-2 lists valid values for the flow_drop_reason argument for dropped flows.

Table 25-2 Flow Drop Reasons 

Flow Drop Reason Keyword	Flow Drop Reason Display	Description
acl-drop	Flow is denied by access rule	This counter is incremented when a packet is denied by the security appliance, and flow creation is denied. The deny rule could be a default rule created when the security appliance comes up, when various features are turned on or off, when an access list is applied to an interface, or any other feature. Apart from default rule drops, a flow could be denied because of: •An access list configured on an interface •An access list configured for AAA, and AAA denied the user •Through traffic arriving at a management-only interface •Unencrypted traffic arriving on a IPSec-enabled interface •Implicit deny at the end of an access list Recommendation: Observe if one of syslog messages related to packet drop display. Flow drop results in the corresponding packet drop that would trigger the requisite system message. Syslog messages: None.
audit-failure	Audit failure	A flow was freed after matching an ip audit signature that had reset as the associated action. Recommendation: If removing the flow is not the desired outcome of matching this signature, then remove the reset action from the ip audit command. Syslog messages: None.
closed-by-inspection	Flow closed by inspection	This reason is given for closing a flow due to an error detected during application inspection. For example, if an error is detected during inspecting an H323 message, the corresponding H323 flow is closed with this reason. Recommendation: None. Syslog messages: None.
conn-limit-exceeded	Connection limit exceeded	This reason is given for closing a flow when the connection limit has been exceeded. The connection limit is configured using the set connection conn-max command. Recommendation: None. Syslog messages: 201011
ctm-crypto-request-error	CTM crypto request error	This counter is incremented each time CTM cannot accept our crypto request. This usually means the crypto hardware request queue is full. Recommendation: Issue the show crypto protocol statistics ssl command and contact the Cisco TAC with this information. Syslog messages: None.
fin-timeout	FIN Timeout	This reason is given for closing a TCP flow due to expiry of half-closed timer. Recommendation: If these are valid sessions which take longer to close a TCP flow, increase the half-closed timeout. Syslog messages: 302014
flow-reclaimed	Non-tcp/udp flow reclaimed for new request	This counter is incremented when a reclaimable flow is removed to make room for a new flow. This occurs only when the number of flows through the security appliance equals the maximum number permitted by the software imposed limit, and a new flow request is received. When this occurs, if the number of reclaimable flows exceeds the number of VPN tunnels permitted by the security appliance, then the oldest reclaimable flow is removed to make room for the new flow. All flows except the following are deemed to be reclaimable: •TCP, UDP, GRE and failover flows •ICMP flows if ICMP stateful inspection is enabled •ESP flows to the security appliance Recommendation: No action is required if this counter is incrementing slowly. If this counter is incrementing rapidly, it could mean that the security appliance is under attack and the security appliance is spending more time reclaiming and rebuilding flows. Syslog messages: 302021
fo_rep_err	Standby flow replication error	The standby unit failed to replicate a flow. Recommendation: If the security appliance is processing VPN traffic, then this counter could be constantly increasing on the standby unit because the flow could be replicated before the IKE SA information. No action is required in this case. If the appliance is not processing VPN traffic, then this indicates a software detect; turn on the debug fover fail command on the standby unit, collect the debug output, and report the problem to Cisco TAC. Syslog messages: 302014, 302016, 302018
fo-primary-closed	Failover primary closed	The standby unit received a flow delete message from the active unit and terminated the flow. Recommendation: If the security appliance is running stateful failover, then this counter should increment for every replicated connection that is torn down on the standby appliance. Syslog messages: 302014, 302016, 302018
fo-standby	Flow closed by failover standby	If a through-the-box packet arrives at the security appliance or a context that is in a standby state, then a flow is created, the packet is dropped, and the flow removed. This counter will increment each time a flow is removed in this manner. Recommendation: This counter should never be incrementing on the active security appliance or context. However, it is normal to see it increment on the standby security appliance or context. Syslog messages: 302014, 302016, 302018
host-removed	Host is removed	The flow was removed in response to the clear local-host command. Recommendation: This is an information counter. Syslog messages: 302014, 302016, 302018, 302021, 305010, 305012, 609002
inspect-fail	Inspection failure	This counter will increment when the security appliance fails to enable protocol inspection carried out by the NP for the connection. The cause could be memory allocation failure, or for ICMP error message, the security appliance not being able to find any established connection related to the frame embedded in the ICMP error message. Recommendation: Check system memory usage. For the ICMP error message, if the cause is an attack, you can deny the host using the access lists. Syslog messages: 313004 for ICMP error.
ipsec-selector-failure	IPSec VPN inner policy selector mismatch detected	This counter is incremented when an IPsec packet is received with an inner IP header that does not match the configured policy for the tunnel. Recommendation: Verify that the crypto access lists for the tunnel are correct and that all acceptable packets are included in the tunnel identity. Verify that the security appliance is not under attack if this message is repeatedly seen. Syslog messages: 402116
ipsec-spoof-detect	IPsec spoof packet detected	This counter will increment when the security appliance receives a packet that should have been encrypted but was not. The packet matched the inner header security policy check of a configured and established IPSec connection on the security appliance but was received unencrypted. This is a security issue. Recommendation: Analyze your network traffic to determine the source of the spoofed IPSec traffic. Syslog messages: 402117
ips-fail-close	IPS fail-close	This reason is given for terminating a flow because the AIP SSM is down and the fail-close option was used with IPS inspection. Recommendation: Check and bring up the AIP SSM. Syslog messages: 420001
ips-request	Flow terminated by IPS	This reason is given for terminating a flow as requested by the AIP SSM. Recommendation: Check syslog messages and alerts on the AIP SSM. Syslog messages: 420002
loopback	Flow is a loopback	This reason is given for closing a flow due to the following conditions: •U-turn traffic is present on the flow. •same-security-traffic permit intra-interface is not configured. Recommendation: To allow U-turn traffic on an interface, configure the interface with the same-security-traffic permit intra-interface command. Syslog messages: None.
mcast-entry-removed	Multicast entry removed	This reason is given for one of the following cases: •A packet has arrived that matches a multicast flow, but the multicast service is no longer enabled, or was re-enabled after the flow was built. Recommendation: Reenable multicast if it is disabled. Syslog messages: None. •The multicast entry has been deleted so the flow is being cleaned up, but the packet will be reinjected into the data path. Recommendation: None. Syslog messages: None.
mcast-intrf-removed	Multicast interface removed	This reason is given for one of the following cases: •An output interface has been removed from the multicast entry. Recommendation: None. Syslog messages: None. •All output interfaces have been removed from the multicast entry. Recommendation: Verify that there are no longer any receivers for this group. Syslog messages: None.
nat-failed	NAT failed	Failed to create an xlate to translate an IP or transport header. Recommendation: If NAT is not desired, disable nat-control. Otherwise, use the static, nat, or global command to configure NAT policy for the dropped flow. For dynamic NAT, ensure that each nat command is paired with at least one global command. Use show running-config nat and debug pix process to verify NAT rules. Syslog messages: 305005, 305006, 305009, 305010, 305011, 305012
nat-rpf-failed	NAT reverse path failed	Rejected attempt to connect to a mapped host using the mapped host's real address. Recommendation: When not on the same interface as the host undergoing NAT, use the mapped address instead of the real address to connect to the host. Also, enable the appropriate inspect command if the application embeds the IP address. Syslog messages: 305005
need-ike	Need to start IKE negotiation	This counter will increment when the security appliance receives a packet that requires encryption but has no established IPSec security association. This is generally a normal condition for LAN-to-LAN IPSec configurations. This indication will cause the security appliance to begin ISAKMP negotiations with the destination peer. Recommendation: If you have configured IPSec LAN-to-LANs on your security appliance, this indication is normal and does not indicate a problem. However, if this counter increments rapidly, it may indicate a crypto configuration error or network error preventing the ISAKMP negotiation from completing. Verify that you can communicate with the destination peer and verify your crypto configuration using the show running-config command. Syslog messages: None.
no-inspect	Failed to allocate inspection	This counter will increment when the security appliance fails to allocate a run-time inspection data structure upon connection creation. The connection will be dropped. Recommendation: This error condition is caused when the security appliance runs out of system memory. Please check the current available free memory by executing the show memory command. Syslog messages: None.
no-ipv6-ipsec	IPsec over IPv6 unsupported	This counter will increment when the security appliance receives an IPSec ESP packet, IPSec NAT-T ESP packet, or an IPSec over UDP ESP packet encapsulated in an IPv6 header. The security appliance does not currently support any IPSec sessions encapsulated in IPv6. Recommendation: None. Syslog messages: None.
non_tcp_syn	non-syn TCP	This reason is given for terminating a TCP flow when the first packet is not a SYN packet. Recommendation: None. Syslog messages: None.
np-context-removed	NP virtual context removed	This counter is incremented when the security context with which the flow is going to be associated has been removed. This could happen in a multi-core environment when one CPU core is in the process of destroying the context, and another CPU core tries to create a flow in the context. Recommendation: No action is required. Syslog messages: None.
np-midpath-cp-event-failure	NP midpath CP event failure	This is a counter for critical midpath events that could not be sent to the control point. Recommendation: This indicates that a software error should be reported to Cisco TAC. Syslog messages: None.
np-midpath-service-failure	NP midpath service failure	This is a general counter for critical midpath service errors. Recommendation: This indicates that a software error should be reported to Cisco TAC. Syslog messages: None.
np-socket-block-conv-failure	NP socket block conversion failure	This counter is incremented for socket block conversion failures. Recommendation: This indicates that a software error should be reported to the Cisco TAC. Syslog messages: None.
np-socket-conn-not-accepted	A new socket connection was not accepted	This counter is incremented for each new socket connection that is not accepted by the security appliance. Recommendation: It is possible to see this counter increment as part of normal operation. However, if the counter is rapidly incrementing and there is a major malfunction of socket-based applications, then this may be caused by a software defect. Contact the Cisco TAC to investigate the issue further. Syslog messages: None.
np-socket-data-move-failure	NP socket data movement failure	This counter is incremented for socket data movement errors. Recommendation: This indicates that a software error should be reported to the Cisco TAC. Syslog messages: None.
np-socket-failure	NP socket failure	This is a general counter for critical socket processing errors. Recommendation: This indicates that a software error should be reported to the Cisco TAC. Syslog messages: None.
np-socket-new-conn-failure	NP socket new connection failure	This counter is incremented for new socket connection failures. Recommendation: This indicates that a software error should be reported to the Cisco TAC. Syslog messages: None.
np-socket-transport-closed	NP socket transport closed	This counter is incremented when the transport attached to the socket is abruptly closed. Recommendation: It is possible to see this counter increment as part of normal operation. However, if the counter is rapidly incrementing and there is a major malfunction of socket-based applications, then this may be caused by a software defect. Contact the Cisco TAC to investigate the issue further. Syslog messages: None.
out-of-memory	No memory to complete flow	This counter is incremented when the security appliance is unable to create a flow because of insufficient memory. Recommendation: Verify that the security appliance is not under attack by checking the current connections. Also verify if the configured timeout values are too large resulting in idle flows residing in memory longer. Check the free memory available by issuing the show memory command. If free memory is low, issue the show processes memory command to determine which processes are utilizing most of the memory. Syslog messages: None.
parent-closed	Parent flow is closed	When the parent flow of a subordinating flow is closed, the subordinating flow is also closed. For example, an FTP data flow (subordinating flow) will be closed with this specific reason when its control flow (parent flow) is terminated. This reason is also given when a secondary flow (pin-hole) is closed by its controlling application. For example, when the BYE messaged is received, the SIP inspection engine (controlling application) will close the corresponding SIP RTP flows (secondary flow). Recommendation: None. Syslog messages: None.
pinhole-timeout	Pinhole timeout	This counter is incremented to report that the security appliance opened a secondary flow, but no packets passed through this flow within the timeout interval, and hence it was removed. An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel. Recommendation: None. Syslog messages: 302014, 302016
recurse	Close recursive flow	A flow was recursively freed. This reason applies to pair flows, multicast slave flows, and syslog flows to prevent syslog messages being issued for each of these subordinate flows. Recommendation: None. Syslog messages: None.
reinject-punt	Flow terminated by punt action	This counter is incremented when a packet is punted to the exception path for processing by one of the enhanced services such as inspection or AAA. The servicing routine, having detected a violation in the traffic flowing on the flow, requests that the flow be dropped. The flow is immediately dropped. Recommendation: Please watch for syslog messages triggered by a servicing routine. Flow drop terminates the corresponding connection. Syslog messages: None.
reset-by-ips	Flow reset by IPS	This reason is given for terminating a TCP flow as requested by the AIP SSM. Recommendation: Check syslog messages and alerts on the AIP SSM. Syslog messages: 420003
reset-in	TCP Reset-I	This reason is given for closing an outbound flow (from a low-security interface to a same- or high-security interface) when a TCP reset is received on the flow. Recommendation: None. Syslog messages: 302014
reset-out	TCP Reset-O	This reason is given for closing an inbound flow (from a high-security interface to low-security interface) when a TCP reset is received on the flow. Recommendation: None. Syslog messages: 302014
rm-host-limit	RM host limit reached	This counter is incremented when the maximum number of hosts for a context or the system has been reached and a new connection is attempted. Recommendation: The device administrator can use the commands show resource usage and show resource usage system to view context and system resource limits and "Denied" counts and adjust resource limits if desired. Syslog messages: 321001
rm-inspect-rate-limit	RM inspect rate limit reached	This counter is incremented when the maximum inspection rate for a context or the system has been reached and a new connection is attempted. Recommendation: The device administrator can use the commands show resource usage and show resource usage system to view context and system resource limits and "Denied" counts and adjust resource limits if desired. Syslog messages: 321002
rm-xlate-limit	RM xlate limit reached	This counter is incremented when the maximum number of xlates for a context or the system has been reached and a new connection is attempted. Recommendation: The device administrator can use the commands show resource usage and show resource usage system to view context and system resource limits and "Denied" counts and adjust resource limits if desired. Syslog messages: 321001
shunned	Flow shunned	This counter will increment when a packet is received that has a source IP address that matches a host in the shun database. When a shun command is applied, it will be incremented for each existing flow that matches the shun command. Recommendation: None. Syslog messages: 401004
ssl-bad-record-detect	SSL bad record detected	This counter is incremented for each unknown SSL record type received from the remote peer. Any unknown record type received from the peer is treated as a fatal error and the SSL connections that encounter this error must be terminated. Recommendation: It is not normal to see this counter increment at any time. If this counter is incremented, it usually means that the SSL protocol state is out of sync with the client software. The most likely cause of this problem is a software defect in the client software. Contact the Cisco TAC with the client software or web browser version and provide a network trace of the SSL data exchange to troubleshoot this problem. Syslog messages: None.
ssl-handshake-failed	SSL handshake failed	This counter is incremented when the TCP connection is dropped because the SSL handshake failed. Recommendation: This is to indicate that the TCP connection is dropped because the SSL handshake failed. If the problem cannot be resolved based on the syslog messages information generated by the handshake failure condition, please include the related syslog messages information when contacting the Cisco TAC. Syslog messages: 725006, 725014
ssl-malloc-error	SSL malloc error	This counter is incremented for each malloc failure that occurs in the SSL lib. This is to indicate that SSL encountered a low memory condition where it can't allocate a memory buffer or packet block. Recommendation: Check the security appliance memory and packet block condition and contact Cisco the TAC with this memory information. Syslog messages: None.
ssl-received-close-alert	SSL received close alert	This counter is incremented each time the security appliance receives a close alert from the remote client. This indicates that the client has notified us they are going to drop the connection. It is part of the normal disconnect process. Recommendation: None. Syslog messages: 725007.
ssl-record-decrypt-error	SSL record decryption failed	This counter is incremented when a decryption error occurs during SSL data receive. This usually means that there is a bug in the SSL code of the ASA or peer, or an attacker may be modifying the data stream. The SSL connection has been closed. Recommendation: Investigate the SSL data streams to and from your ASA. If there is no attacker, then this indicates a software error that should be reported to the Cisco TAC. Syslog messages: None.
ssm-app-fail	Service module failed	This counter only applies to the ASA 5500 series adaptive security appliance. It is incremented when a connection that is being inspected by the SSM is terminated because the SSM has failed. Recommendation: The card manager process running in the security appliance control plane issued system messages and CLI warning to inform you of the failure. Please consult the documentation that comes with the SSM to trouble shoot the SSM failure. Contact Cisco TAC if needed. Syslog messages: 421001
ssm-app-incompetent	Service module incompetent	This counter only applies to the ASA 5500 series adaptive security appliance. It is incremented when a connection is supposed to be inspected by the SSM, but the SSM is not able to inspect it. This counter is reserved for future use. It should always be 0 in the current release. Recommendation: None. Syslog messages: None.
ssm-app-request	Flow terminated by service module	This counter only applies to the ASA 5500 series adaptive security appliance. It is incremented when the application running on the SSM requests the security appliance to terminate a connection. Recommendation: You can obtain more information by querying the incident report or system messages generated by the SSM itself. Please consult the documentation that comes with comes with the SSM for instructions. Syslog messages: None.
svc-failover	An SVC socket connection is being disconnected on the standby unit	This counter is incremented for each new SVC socket connection that is disconnected when the active unit is transitioning into standby state as part of a failover transition. Recommendation: None. This is part of a normal cleanup of a SVC connection when the current device is transitioning from active to standby. Existing SVC connections on the device are no longer valid and need to be removed. Syslog messages: None.
svc-replacement-conn	SVC replacement connection established	This counter is incremented when an SVC connection is replaced by a new connection. Recommendation: None. This may indicate that users are having difficulty maintaining connections to the security appliance. Users should evaluate the quality of their home network and Internet connection. Syslog messages: 722032
svc-spoof-detect	SVC spoof packet detected	This counter will increment when the security appliance receives a packet which should have been encrypted but was not. The packet matched the inner header security policy check of a configured and established SVC connection on the security appliance but was received unencrypted. This is a security issue. Recommendation: Analyze your network traffic to determine the source of the spoofed SVC traffic. Syslog messages: None.
syn-timeout	SYN Timeout	This reason is given for closing a TCP flow due to expiry of embryonic timer. Recommendation: If these are valid sessions that take longer to establish a connection, then increase the embryonic timeout. Syslog messages: 302014
tcp-fins	TCP FINs	This reason is given for closing a TCP flow when TCP FIN packets are received. Recommendation: This counter will increment for each TCP connection that is terminated normally with FINs. Syslog messages: 302014
tcp-intercept-kill	Flow terminated by TCP Intercept	TCP intercept tore down the connection for the following reasons: 1. This is the first SYN 2. A connection is created for the SYN 3. TCP intercept replied with a SYN cookie; or TCP intercept sends a SYN to the server and the server replies with a RST after seeing a valid ACK from the client. Recommendation: TCP intercept normally does not create a connection for the first SYN, except when there are nailed rules, the packet comes over a VPN tunnel, or the next hop gateway address to reach the client is not resolved. So for the first SYN, this indicates that a connection was created. When TCP intercept receives a RST from server, it is likely that the corresponding port is closed on the server. Syslog messages: None.
tcp-intercept-no-response	TCP intercept server no respond	SYN retransmission timeout after trying three times, once every second. Server unreachable, tearing down connection. Recommendation: Check if the server is reachable from the security appliance. Syslog messages: None.
tcp-intercept-unexpected	TCP intercept unexpected state	Logic error in the TCP intercept module; this should never happen. Recommendation: Indicates memory corruption or some other logic error in the TCP intercept module. Syslog messages: None.
tcpmod-connect-clash	TCP module port collision between client and server	A TCP connect socket clashes with an existing listen connection. This is an internal system error. Recommendation: Contact TAC. Syslog messages: None.
tcpnorm-invalid-syn	TCP invalid SYN	This reason is given for closing a TCP flow when the SYN packet is invalid. Recommendation: The SYN packet could be invalid for a number of reasons, such as an invalid checksum or an invalid TCP header. Please use the packet capture feature to understand why the SYN packet is invalid. If you would like to allow these connections, use the tcp-map configuration to bypass checks. Syslog messages: 302014
tcpnorm-rexmit-bad	TCP bad retransmission	This reason is given for closing a TCP flow when the check-retransmission feature is enabled, and the TCP endpoint sent a retransmission with different data from the original packet. Recommendation: The TCP endpoint may be attacking by sending different data in TCP retransmits. Please use the packet capture feature to learn more about the origin of the packet. Syslog messages: 302014
tcpnorm-win-variation	TCP unexpected window size variation	This reason is given for closing a TCP flow when the window size advertised by the TCP endpoint is drastically changed without accepting that much data. Recommendation: In order to allow this connection, use the window-variation command. Syslog messages: 302014
timeout	Conn-timeout	This counter is incremented when a flow is closed because of the expiration of its inactivity timer. Recommendation: None. Syslog messages: 302014, 302016, 302018, 302021
tracer-flow	Packet-tracer traced flow drop	This counter is internally used by packet-tracer for flow freed once tracing is complete. Recommendation: None. Syslog messages: None.
tunnel-pending	Tunnel being brought up or torn down	This counter will increment when the security appliance receives a packet matching an entry in the security policy database (i.e. crypto map) but the security association is in the process of being negotiated; its not complete yet. This counter will also increment when the security appliance receives a packet matching an entry in the security policy database but the security association has been or is in the process of being deleted. The difference between this indication and the "'Tunnel has been torn down" indication is that the "Tunnel has been torn down" indication is for established flows. Recommendation: This is a normal condition when the IPSec tunnel is in the process of being negotiated or deleted. Syslog messages: None.
tunnel-torn-down	Tunnel has been torn down	This counter will increment when the security appliance receives a packet associated with an established flow whose IPSec security association is in the process of being deleted. Recommendation: This is a normal condition when the IPSec tunnel is torn down for any reason. Syslog messages: None
vpn-handle-error	VPN handle Error	This counter is incremented when the security appliance is unable to create a VPN handle because the VPN handle already exists. Recommendation: It is possible to see this counter increment as part of normal operation. However, if the counter is rapidly incrementing and there is a major malfunction of VPN-based applications, then this may be caused by a software defect. Use the following commands to gather more information about this counter and contact the Cisco TAC to investigate the issue further: capture name type asp-drop vpn-handle-error show asp table classify crypto show asp table vpn-context detail Syslog messages: None
vpn-handle-not-found	VPN handle not found	This counter is incremented when a datagram hits an encrypt or decrypt rule, and no VPN handle is found for the flow the datagram is on. Recommendation: It is possible to see this counter increment as part of normal operation. However, if the counter is rapidly incrementing and there is a major malfunction of VPN-based applications, then this may be caused by a software defect. Use the following commands to gather more information about this counter and contact Cisco TAC to investigate the issue further. capture name type asp-drop vpn-handle-not-found show asp table classify crypto show asp table vpn-context detail Syslog messages: None.
xlate-removed	Xlate Clear	The flow was removed in response to the clear xlate command or clear local-host command. Recommendation: This is an information counter. Syslog messages: 302014, 302016, 302018, 302021, 305010, 305012, 609002

Examples

The following is sample output from the show asp drop command, with the timestamp indicating when the last time the counters were cleared:

hostname# show asp drop

Frame drop:

  Flow is denied by configured rule (acl-drop)                                 3

  Dst MAC L2 Lookup Failed (dst-l2_lookup-fail)                             4110

  L2 Src/Dst same LAN port (l2_same-lan-port)                                760

  Expired flow (flow-expired)                                                  1

Last clearing: Never

Flow drop:

  Flow is denied by access rule (acl-drop)                                    24

  NAT failed (nat-failed)                                                  28739

  NAT reverse path failed (nat-rpf-failed)                                 22266

  Inspection failure (inspect-fail)                                        19433

Last clearing: 17:02:12 UTC Jan 17 2008 by enable_15

Related Commands

Command	Description
capture	Captures packets, including the option to capture packets based on an asp drop code.
clear asp drop	Clears drop statistics for the accelerated security path.
show conn	Shows information about connections.

show asp load-balance per-packet

To debug the accelerated security path dispatch-unit, use the show asp load-balance per-packet command in privileged EXEC mode. Use the no form of this command to remove the specified behavior for the security appliance.

show asp load-balance per-packet

[no] asp load-balance per-packet

Syntax Description

detail

(Optional) Shows detailed dispatch unit information.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	—	•

Command History

Release	Modification
8.1(1)	This command was introduced.

Usage Guidelines

The show asp load-balance per-packet command shows detailed dispatch unit information, which might help you troubleshoot a problem. See the Cisco Security Appliance Command Line Configuration Guide for more information about the accelerated security path. This information is used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp load-balance per-packet command:

hostname# show asp load-balance per-packet 

Histogram of 'ASP load balancer queue sizes'

  64 buckets sampling from 1 to 65 (1 per bucket)

  0 samples within range (average=0)

<no data for 'ASP load balancer queue sizes' histogram>

show asp load-balance per-packet 

Histogram of 'ASP load balancer queue sizes'

  64 buckets sampling from 1 to 65 (1 per bucket)

  6 samples within range (average=6)

                     ASP load balancer queue sizes                     

  100 +                                                                

      |                                                                

      |                                                                

      |                                                                

S     |                                                                

a     |                                                                

m     |                                                                

p     |                                                                

l  10 +                                                                

e     |                                                                

s     |                                                                

      |                                                                

      |                                                                

      |                                                                

      | #### #          #                                              

      | #### #          #                                              

      +---------+---------+---------+---------+---------+---------+----

                10        20        30        40        50        60   

Related Commands # of queued jobs per queue > ASP load balancer queue sizes

Command	Description
show blocks	Shows the system buffer utilization.

show asp multiprocessor accelerated-features

To debug the accelerated security path multiprocessor accelerate, use the show asp multiprocessor accelerated-features command in privileged EXEC mode.

show asp multiprocessor accelerated-features

Syntax Description

multiprocessor accelerated-features

Lists features accelerated for multiprocessors.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
8.1(1)	This command was introduced.

Usage Guidelines

The show asp multiprocessor accelerated-features command shows the lists of features accelerated for multiprocessors, which might help you troubleshoot a performance problem. See the Cisco Security Appliance Command Line Configuration Guide for more information about the accelerated security path. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp multiprocessor accelerated-features command:

hostname# show asp multiprocessor accelerated-features

MultiProcessor accelerated feature list:

        Access Lists

        DNS Guard

        Failover Stateful Updates

        Flow Operations(create, update, and tear-down)

        Inspect HTTP URL Logging

        Inspect HTTP (AIC)

        Inspect IPSec Pass through

        Inspect ICMP and ICMP error

        Inspect RTP/RTCP

        IP Audit

        IP Fragmentation & Re-assembly

        MPF L2-L4 Classify

        Multicast forwarding

        NAT/PAT

        Netflow using UDP transport

        Non-AIC Inspect DNS

        Packet Capture

        QOS

        Resource Management

        Routing Lookup

        Shun

        Syslogging using UDP transport

        TCP Intercept

        TCP Security Engine

        Threat Detection

        Unicast RPF

        WCCP Re-direct

Above list applies to routed, transparent, single and multi mode.

Related Commands

Command	Description
show cpu core	Shows CPU usage information.
cpu profile activate	Activates the cpu profile.
show asp event dp-cp	Shows the asp event dp-cp.
show logging queue	Shows the logging queue.
show blocks	Shows the system buffer utilization.
show asp dispatch-unit detail	Shows the dispatch-unit information
show interface	Shows the interface status information

show asp table arp

To debug the accelerated security path ARP tables, use the show asp table arp command in privileged EXEC mode.

show asp table arp [interface interface_name] [address ip_address [netmask mask]]

Syntax Description

address ip_address	(Optional) Identifies an IP address for which you want to view ARP table entries.
interface interface_name	(Optional) Identifies a specific interface for which you want to view the ARP table.
netmask mask	(Optional) Sets the subnet mask for the IP address.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

The show arp command shows the contents of the control plane, while the show asp table arp command shows the contents of the accelerated security path, which might help you troubleshoot a problem. See the Cisco Security Appliance Command Line Configuration Guide for more information about the accelerated security path. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp table arp command:

hostname# show asp table arp

Context: single_vf, Interface: inside

  10.86.194.50                            Active   000f.66ce.5d46 hits 0

  10.86.194.1                             Active   00b0.64ea.91a2 hits 638

  10.86.194.172                           Active   0001.03cf.9e79 hits 0

  10.86.194.204                           Active   000f.66ce.5d3c hits 0

  10.86.194.188                           Active   000f.904b.80d7 hits 0

Context: single_vf, Interface: identity

  ::                                      Active   0000.0000.0000 hits 0

  0.0.0.0                                 Active   0000.0000.0000 hits 50208

Related Commands

Command	Description
show arp	Shows the ARP table.
show arp statistics	Shows ARP statistics.

show asp table classify

To debug the accelerated security path classifier tables, use the show asp table classify command in privileged EXEC mode. The classifier examines properties of incoming packets, such as protocol, and source and destination address, to match each packet to an appropriate classification rule. Each rule is labeled with a classification domain that determines what types of actions are performed, such as dropping a packet or allowing it through.

show asp table classify [hit | crypto | domain domain_name | interface interface_name]

Syntax Description

domain domain_name	(Optional) Shows entries for a specific classifier domain. See "Usage Guidelines" for a list of domains.
hits	(Optional) Shows classifier entries which have non-zero hits values
interface interface_name	(Optional) Identifies a specific interface for which you want to view the classifier table.
crypto	(Optional) Shows the encrypt, decrypt, and ipsec tunnel flow domains only.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
7.0(1)	This command was introduced.
7.2(4)	Added the hits option, and the timestamp indicating when the last time the asp table counters were cleared.
8.0(2)	A new counter was added to show the number of times a tmatch compilation was aborted. This counter is shown only if the value is greater than 0.

Usage Guidelines

The show asp table classifier command shows the classifier contents of the accelerated security path, which might help you troubleshoot a problem. See the Cisco Security Appliance Command Line Configuration Guide for more information about the accelerated security path. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Classifier domains include the following:

aaa-acct

aaa-auth

aaa-user

accounting

arp

capture

capture

conn-nailed

conn-set

ctcp

decrypt

encrypt

established

filter-activex

filter-ftp

filter-https

filter-java

filter-url

host

ids

inspect

inspect-ctiqbe

inspect-dns

inspect-dns-ids

inspect-ftp

inspect-ftp-data

inspect-gtp

inspect-h323

inspect-http

inspect-icmp

inspect-icmp-error

inspect-ils

inspect-mgcp

inspect-netbios

inspect-pptp

inspect-rsh

inspect-rtsp

inspect-sip

inspect-skinny

inspect-smtp

inspect-snmp

inspect-sqlnet

inspect-sqlnet-plus

inspect-sunrpc

inspect-tftp

inspect-xdmcp

ipsec-natt

ipsec-tunnel-flow

ipsec-user

limits

lu

mac-permit

mgmt-lockdown

mgmt-tcp-intercept

multicast

nat

nat-exempt

nat-exempt-reverse

nat-reverse

null

permit

permit-ip-option

permit-log

pim

ppp

priority-q

punt

punt-l2

punt-root

qos

qos-per-class

qos-per-dest

qos-per-flow

qos-per-source

shun

tcp-intercept

Examples

The following is sample output from the show asp table classify command:

hostname# show asp table classify

Interface test:

No. of aborted compiles for input action table 0x33b3d70: 29

in  id=0x36f3800, priority=10, domain=punt, deny=false

        hits=0, user_data=0x0, flags=0x0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=10.86.194.60, mask=255.255.255.255, port=0

in  id=0x33d3508, priority=99, domain=inspect, deny=false

        hits=0, user_data=0x0, use_real_addr, flags=0x0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0

in  id=0x33d3978, priority=99, domain=inspect, deny=false

        hits=0, user_data=0x0, use_real_addr, flags=0x0

        src ip=0.0.0.0, mask=0.0.0.0, port=53

        dst ip=0.0.0.0, mask=0.0.0.0, port=0

...

The following is sample output from the show asp table classify hits command with a record of the last clearing hits counters:

Interface mgmt: 

in id=0x494cd88, priority=210, domain=permit, deny=true 

hits=54, user_data=0x1, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, 
mask=0.0.0.0, port=0 dst ip=255.255.255.255, mask=255.255.255.255, port=0, 
dscp=0x0 

in id=0x494d1b8, priority=112, domain=permit, deny=false 

hits=1, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1 src ip=0.0.0.0, 
mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 

Interface inside: 

in id=0x48f1580, priority=210, domain=permit, deny=true 

hits=54, user_data=0x1, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, 
mask=0.0.0.0, port=0 dst ip=255.255.255.255, mask=255.255.255.255, port=0, 
dscp=0x0 

in id=0x48f09e0, priority=1, domain=permit, deny=false 

hits=101, user_data=0x0, cs_id=0x0, l3_type=0x608 src mac=0000.0000.0000, 
mask=0000.0000.0000 dst mac=0000.0000.0000, mask=0000.0000.0000 

Interface outside: 

in id=0x48c0970, priority=210, domain=permit, deny=true 

hits=54, user_data=0x1, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, 
mask=0.0.0.0, port=0 dst ip=255.255.255.255, mask=255.255.255.255, port=0, 
dscp=0x0 

Related Commands

Command	Description
show asp drop	Shows the accelerated security path counters for dropped packets.

show asp table interfaces

To debug the accelerated security path interface tables, use the show asp table interfaces command in privileged EXEC mode.

show asp table interfaces

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

The show asp table interfaces command shows the interface table contents of the accelerated security path, which might help you troubleshoot a problem. See the Cisco Security Appliance Command Line Configuration Guide for more information about the accelerated security path. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp table interfaces command:

hostname# show asp table interfaces

** Flags: 0x0001-DHCP, 0x0002-VMAC, 0x0010-Ident Ifc, 0x0020-HDB Initd,

   0x0040-RPF Enabled

Soft-np interface 'dmz' is up

    context single_vf, nicnum 0, mtu 1500

        vlan 300, Not shared, seclvl 50

        0 packets input, 1 packets output

        flags 0x20

Soft-np interface 'foo' is down

    context single_vf, nicnum 2, mtu 1500

        vlan <None>, Not shared, seclvl 0

        0 packets input, 0 packets output

        flags 0x20

Soft-np interface 'outside' is down

    context single_vf, nicnum 1, mtu 1500

        vlan <None>, Not shared, seclvl 50

        0 packets input, 0 packets output

        flags 0x20

Soft-np interface 'inside' is up

    context single_vf, nicnum 0, mtu 1500

        vlan <None>, Not shared, seclvl 100

        680277 packets input, 92501 packets output

        flags 0x20

...

Related Commands

Command	Description
interface	Configures an interface and enters interface configuration mode.
show interface	Displays the runtime status and statistics of interfaces.

show asp table routing

To debug the accelerated security path routing tables, use the show asp table routing command in privileged EXEC mode. This command supports IPv4 and IPv6 addresses.

show asp table routing [input | output] [address ip_address [netmask mask] | interface interface_name]

Syntax Description

address ip_address	Sets the IP address for which you want to view routing entries. For IPv6 addresses, you can include the subnet mask as a slash (/) followed by the prefix (0 to 128). For example, enter the following: fe80::2e0:b6ff:fe01:3b7a/128
input	Shows the entries from the input route table.
interface interface_name	(Optional) Identifies a specific interface for which you want to view the routing table.
netmask mask	For IPv4 addresses, specifies the subnet mask.
output	Shows the entries from the output route table.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

The show asp table routing command shows the routing table contents of the accelerated security path, which might help you troubleshoot a problem. See the Cisco Security Appliance Command Line Configuration Guide for more information about the accelerated security path. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp table routing command:

hostname# show asp table routing

in   255.255.255.255 255.255.255.255 identity

in   224.0.0.9       255.255.255.255 identity

in   10.86.194.60    255.255.255.255 identity

in   10.86.195.255   255.255.255.255 identity

in   10.86.194.0     255.255.255.255 identity

in   209.165.202.159 255.255.255.255 identity

in   209.165.202.255 255.255.255.255 identity

in   209.165.201.30  255.255.255.255 identity

in   209.165.201.0   255.255.255.255 identity

in   10.86.194.0     255.255.254.0   inside

in   224.0.0.0       240.0.0.0       identity

in   0.0.0.0         0.0.0.0         inside

out  255.255.255.255 255.255.255.255 foo

out  224.0.0.0       240.0.0.0       foo

out  255.255.255.255 255.255.255.255 test

out  224.0.0.0       240.0.0.0       test

out  255.255.255.255 255.255.255.255 inside

out  10.86.194.0     255.255.254.0   inside

out  224.0.0.0       240.0.0.0       inside

out  0.0.0.0         0.0.0.0         via 10.86.194.1, inside

out  0.0.0.0         0.0.0.0         via 0.0.0.0, identity

out  ::              ::              via 0.0.0.0, identity

Related Commands

Command	Description
show route	Shows the routing table in the control plane.

show asp table socket

To debug the accelerated security path socket information, use the show asp table socket command in privileged EXEC mode.

show asp table socket

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
8.0(1)	This command was introduced.

Usage Guidelines

The show asp table socket command lets you debug the accelerated security path socket information.

Examples

This is an example of the the show asp table socket command:

Protocol  Socket    Local Address               Foreign Address         State

TCP       00012bac  10.86.194.224:23            0.0.0.0:*               LISTEN

TCP       0001c124  10.86.194.224:22            0.0.0.0:*               LISTEN

SSL       00023b84  10.86.194.224:443           0.0.0.0:*               LISTEN

SSL       0002d01c  192.168.1.1:443             0.0.0.0:*               LISTEN

DTLS      00032b1c  10.86.194.224:443           0.0.0.0:*               LISTEN

SSL       0003a3d4  0.0.0.0:443                 0.0.0.0:*               LISTEN

DTLS      00046074  0.0.0.0:443                 0.0.0.0:*               LISTEN

TCP       02c08aec  10.86.194.224:22            171.69.137.139:4190     ESTAB

Related CommandsProtocol Socket Local Address Foreign Address State

Related CommandsTCP 00012bac 10.86.194.224:23 0.0.0.0:* LISTEN

Related CommandsTCP 0001c124 10.86.194.224:22 0.0.0.0:* LISTEN

Related CommandsSSL 00023b84 10.86.194.224:443 0.0.0.0:* LISTEN

Related CommandsSSL 0002d01c 192.168.1.1:443 0.0.0.0:* LISTEN

Related CommandsDTLS 00032b1c 10.86.194.224:443 0.0.0.0:* LISTEN

Related CommandsSSL 0003a3d4 0.0.0.0:443 0.0.0.0:* LISTEN

Related CommandsDTLS 00046074 0.0.0.0:443 0.0.0.0:* LISTEN

Related CommandsTCP 02c08aec 10.86.194.224:22 171.69.137.139:4190 ESTAB

Related Commands

Command	Description
show asp table vpn-context	Debugs the accelerated security path VPN context tables.

show asp table vpn-context

To debug the accelerated security path VPN context tables, use the show asp table vpn-context command in privileged EXEC mode.

show asp table vpn-context [detail]

Syntax Description

detail

(Optional) Shows additional detail for the VPN context tables.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

The show asp table vpn-context command shows the VPN context contents of the accelerated security path, which might help you troubleshoot a problem. See the Cisco Security Appliance Command Line Configuration Guide for more information about the accelerated security path. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp table vpn-context command:

hostname# show asp table vpn-context

VPN ID=0058070576, DECR+ESP, UP, pk=0000000000, rk=0000000000, gc=0

VPN ID=0058193920, ENCR+ESP, UP, pk=0000000000, rk=0000000000, gc=0

VPN ID=0058168568, DECR+ESP, UP, pk=0000299627, rk=0000000061, gc=2

VPN ID=0058161168, ENCR+ESP, UP, pk=0000305043, rk=0000000061, gc=1

VPN ID=0058153728, DECR+ESP, UP, pk=0000271432, rk=0000000061, gc=2

VPN ID=0058150440, ENCR+ESP, UP, pk=0000285328, rk=0000000061, gc=1

VPN ID=0058102088, DECR+ESP, UP, pk=0000268550, rk=0000000061, gc=2

VPN ID=0058134088, ENCR+ESP, UP, pk=0000274673, rk=0000000061, gc=1

VPN ID=0058103216, DECR+ESP, UP, pk=0000252854, rk=0000000061, gc=2

...

The following is sample output from the show asp table vpn-context detail command:

hostname# show asp table vpn-context detail

VPN Ctx  = 0058070576 [0x03761630]

State    = UP

Flags    = DECR+ESP

SA       = 0x037928F0

SPI      = 0xEA0F21F0

Group    = 0

Pkts     = 0

Bad Pkts = 0

Bad SPI  = 0

Spoof    = 0

Bad Crypto = 0

Rekey Pkt  = 0

Rekey Call = 0

VPN Ctx  = 0058193920 [0x0377F800]

State    = UP

Flags    = ENCR+ESP

SA       = 0x037B4B70

SPI      = 0x900FDC32

Group    = 0

Pkts     = 0

Bad Pkts = 0

Bad SPI  = 0

Spoof    = 0

Bad Crypto = 0

Rekey Pkt  = 0

Rekey Call = 0

...

Related Commands

Command	Description
show asp drop	Shows the accelerated security path counters for dropped packets.

show blocks

To show the packet buffer utilization, use the show blocks command in privileged EXEC mode.

show blocks [core | interface]

show blocks [{address hex | all | assigned| free| old | pool size [summary]}] [diagnostics | dump | header | packet]

show blocks old core-local [core_number] [diagnostics |dump | header | packet]

show blocks queue history [detail]

show blocks queue history core-local [core_number] [detail]

Syntax Description

address hex	(Optional) Shows a block corresponding to this address, in hexadecimal.
all	(Optional) Shows all blocks.
assigned	(Optional) Shows blocks that are assigned and in use by an application.
core	(Optional) Shows usage on buffers attached to cores.
detail	(Optional) Shows a portion (128 bytes) of the first block for each unique queue type.
dump	(Optional) Shows the entire block contents, including the header and packet information. The difference between dump and packet is that dump includes additional information between the header and the packet.
diagnostics	(Optional) Shows block diagnostics.
free	(Optional) Shows blocks that are available for use.
header	(Optional) Shows the header of the block.
interface	(Optional) Shows usage on buffers attached to interfaces.
old	(Optional) Shows blocks that were assigned more than a minute ago.
packet	(Optional) Shows the header of the block as well as the packet contents.
pool size	(Optional) Shows blocks of a specific size.
queue history	(Optional) Shows where blocks are assigned when the security appliance runs out of blocks. Sometimes, a block is allocated from the pool but never assigned to a queue. In that case, the location is the code address that allocated the block.
summary	(Optional) Shows detailed information about block usage sorted by the program addresses of applications that allocated blocks in this class, program addresses of applications that released blocks in this class, and the queues to which valid blocks in this class belong.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
7.0(1)	The pool summary option was added.
8.0(2)	The dupb block uses 0 length blocks now instead of 4 byte blocks. An additional line was added for 0 byte blocks.
8.1	The core and interface options were added.

Usage Guidelines

The show blocks command helps you determine if the security appliance is overloaded. This command lists preallocated system buffer utilization. A full memory condition is not a problem as long as traffic is moving through the security appliance. You can use the show conn command to see if traffic is moving. If traffic is not moving and the memory is full, there may be a problem.

You can also view this information using SNMP.

The information shown in a security context includes the system-wide information as well as context-specific information about the blocks in use and the high water mark for block usage.

See the "Examples" section for a description of the display output.

Examples

The following is sample output from the show blocks command in single mode:

hostname# show blocks

  SIZE    MAX    LOW    CNT

     0    100     99    100

     4   1600   1598   1599

    80    400    398    399

   256   3600   3540   3542

  1550   4716   3177   3184

 16384     10     10     10

  2048   1000   1000   1000

Table 25-3 shows each field description.

Table 25-3 show blocks Fields 

Field	Description
SIZE	Size, in bytes, of the block pool. Each size represents a particular type. Examples are shown below.
0	Used by dupb blocks.
4	Duplicates existing blocks in applications such as DNS, ISAKMP, URL filtering, uauth, TFTP, and TCP modules. Also, this sized block can be used normally by code to send packets to drivers, etc.
80	Used in TCP intercept to generate acknowledgment packets and for failover hello messages.
256	Used for Stateful Failover updates, syslogging, and other TCP functions. These blocks are mainly used for Stateful Failover messages. The active security appliance generates and sends packets to the standby security appliance to update the translation and connection table. In bursty traffic, where high rates of connections are created or torn down, the number of available blocks might drop to 0. This situation indicates that one or more connections were not updated to the standby security appliance. The Stateful Failover protocol catches the missing translation or connection the next time. If the CNT column for 256-byte blocks stays at or near 0 for extended periods of time, then the security appliance is having trouble keeping the translation and connection tables synchronized because of the number of connections per second that the security appliance is processing. Syslog messages sent out from the security appliance also use the 256-byte blocks, but they are generally not released in such quantity to cause a depletion of the 256-byte block pool. If the CNT column shows that the number of 256-byte blocks is near 0, ensure that you are not logging at Debugging (level 7) to the syslog server. This is indicated by the logging trap line in the security appliance configuration. We recommend that you set logging at Notification (level 5) or lower, unless you require additional information for debugging purposes.
1550	Used to store Ethernet packets for processing through the security appliance. When a packet enters a security appliance interface, it is placed on the input interface queue, passed up to the operating system, and placed in a block. The security appliance determines whether the packet should be permitted or denied based on the security policy and processes the packet through to the output queue on the outbound interface. If the security appliance is having trouble keeping up with the traffic load, the number of available blocks will hover close to 0 (as shown in the CNT column of the command output). When the CNT column is zero, the security appliance attempts to allocate more blocks, up to a maximum of 8192. If no more blocks are available, the security appliance drops the packet.
16384	This sized blocks are used by the 1 Gbps NIC driver when jumbo frame support is enabled.
9216	This is used by 10GE NIC driver when jumbo frame is enabled.
2048	Control or guided frames used for control updates.
MAX	Maximum number of blocks available for the specified byte block pool. The maximum number of blocks are carved out of memory at bootup. Typically, the maximum number of blocks does not change. The exception is for the 256- and 1550-byte blocks, where the security appliance can dynamically create more when needed, up to a maximum of 8192.
LOW	Low-water mark. This number indicates the lowest number of this size blocks available since the security appliance was powered up, or since the last clearing of the blocks (with the clear blocks command). A zero in the LOW column indicates a previous event where memory was full.
CNT	Current number of blocks available for that specific size block pool. A zero in the CNT column means memory is full now.

The following is sample output from the show blocks all command:

hostname# show blocks all

Class 0, size 4

     Block   allocd_by    freed_by  data size    alloccnt     dup_cnt  oper location

0x01799940  0x00000000  0x00101603          0           0           0 alloc not_specified

0x01798e80  0x00000000  0x00101603          0           0           0 alloc not_specified

0x017983c0  0x00000000  0x00101603          0           0           0 alloc not_specified

...

    Found 1000 of 1000 blocks

    Displaying 1000 of 1000 blocks

Table 25-4 shows each field description.

Table 25-4 show blocks all Fields

Field	Description
Block	The block address.
allocd_by	The program address of the application that last used the block (0 if not used).
freed_by	The program address of the application that last released the block.
data size	The size of the application buffer/packet data that is inside the block.
alloccnt	The number of times this block has been used since the block came into existence.
dup_cnt	The current number of references to this block if used: 0 means 1 reference, 1 means 2 references.
oper	One of the four operations that was last performed on the block: alloc, get, put, or free.
location	The application that uses the block, or the program address of the application that last allocated the block (same as the allocd_by field).

The following is sample output from the show blocks command in a context:

hostname/contexta# show blocks

  SIZE    MAX    LOW    CNT  INUSE   HIGH

     4   1600   1599   1599      0      0

    80    400    400    400      0      0

   256   3600   3538   3540      0      1

  1550   4616   3077   3085      0      0

The following is sample output from the show blocks queue history command:

hostname# show blocks queue history

Each Summary for User and Queue_type is followed its top 5 individual queues

Block Size: 4

Summary for User "http", Queue "tcp_unp_c_in", Blocks 1595, Queues 1396

Blk_cnt Q_cnt Last_Op Queue_Type        User      Context

    186     1 put                                 contexta

     15     1 put                                 contexta

      1     1 put                                 contexta

      1     1 put                                 contextb

      1     1 put                                 contextc

Summary for User "aaa", Queue "tcp_unp_c_in", Blocks 220, Queues 200

Blk_cnt Q_cnt Last_Op Queue_Type        User      Context

     21     1 put                                 contexta

      1     1 put                                 contexta

      1     1 put                                 contexta

      1     1 put                                 contextb

      1     1 put                                 contextc

Blk_cnt Q_cnt Last_Op Queue_Type        User      Context

    200     1 alloc   ip_rx             tcp       contexta

    108     1 get     ip_rx             udp       contexta

     85     1 free    fixup             h323_ras  contextb

     42     1 put     fixup             skinny    contextb

Block Size: 1550

Summary for User "http", Queue "tcp_unp_c_in", Blocks 1595, Queues 1000

Blk_cnt Q_cnt Last_Op Queue_Type        User      Context

    186     1 put                                 contexta

     15     1 put                                 contexta

      1     1 put                                 contexta

      1     1 put                                 contextb

      1     1 put                                 contextc

...

The following is sample output from the show blocks queue history detail command:

hostname# show blocks queue history detail

History buffer memory usage: 2136 bytes (default)

Each Summary for User and Queue type is followed its top 5 individual queues

Block Size: 4

Summary for User "http", Queue_Type "tcp_unp_c_in", Blocks 1595, Queues 1396

Blk_cnt Q_cnt Last_Op Queue_Type        User      Context

    186     1 put                                 contexta

     15     1 put                                 contexta

      1     1 put                                 contexta

      1     1 put                                 contextb

      1     1 put                                 contextc

 First Block information for Block at 0x.....

  dup_count 0, flags 0x8000000, alloc_pc 0x43ea2a,

  start_addr 0xefb1074, read_addr 0xefb118c, write_addr 0xefb1193

  urgent_addr 0xefb118c, end_addr 0xefb17b2

  0efb1150: 00 00 00 03 47 c5 61 c5 00 05 9a 38 76 80 a3 00  |  ....G.a....8v...

  0efb1160: 00 0a 08 00 45 00 05 dc 9b c9 00 00 ff 06 f8 f3  |  ....E...........

  0efb1170: 0a 07 0d 01 0a 07 00 50 00 17 cb 3d c7 e5 60 62  |  .......P...=..`b

  0efb1180: 7e 73 55 82 50 18 10 00 45 ca 00 00 2d 2d 20 49  |  ~sU.P...E...-- I

  0efb1190: 50 20 2d 2d 0d 0a 31 30 2e 37 2e 31 33 2e 31 09  |  P --..10.7.13.1.

  0efb11a0: 3d 3d 3e 09 31 30 2e 37 2e 30 2e 38 30 0d 0a 0d  |  ==>.10.7.0.80...

Summary for User "aaa", Queue "tcp_unp_c_in", Blocks 220, Queues 200

Blk_cnt Q_cnt Last_Op Queue_Type        User      Context

     21     1 put                                 contexta

      1     1 put                                 contexta

      1     1 put                                 contexta

      1     1 put                                 contextb

      1     1 put                                 contextc

 First Block information for Block at 0x.....

  dup_count 0, flags 0x8000000, alloc_pc 0x43ea2a,

  start_addr 0xefb1074, read_addr 0xefb118c, write_addr 0xefb1193

  urgent_addr 0xefb118c, end_addr 0xefb17b2

  0efb1150: 00 00 00 03 47 c5 61 c5 00 05 9a 38 76 80 a3 00  |  ....G.a....8v...

  0efb1160: 00 0a 08 00 45 00 05 dc 9b c9 00 00 ff 06 f8 f3  |  ....E...........

  0efb1170: 0a 07 0d 01 0a 07 00 50 00 17 cb 3d c7 e5 60 62  |  .......P...=..`b

  0efb1180: 7e 73 55 82 50 18 10 00 45 ca 00 00 2d 2d 20 49  |  ~sU.P...E...-- I

  0efb1190: 50 20 2d 2d 0d 0a 31 30 2e 37 2e 31 33 2e 31 09  |  P --..10.7.13.1.

  0efb11a0: 3d 3d 3e 09 31 30 2e 37 2e 30 2e 38 30 0d 0a 0d  |  ==>.10.7.0.80...

...

total_count: total buffers in this class

The following is sample output from the show blocks pool summary command:

hostname# show blocks pool 1550 summary

Class 3, size 1550

=================================================

         total_count=1531    miss_count=0

Alloc_pc        valid_cnt       invalid_cnt

0x3b0a18        00000256        00000000

         0x01ad0760 0x01acfe00 0x01acf4a0 0x01aceb40 00000000 0x00000000

0x3a8f6b        00001275        00000012

         0x05006aa0 0x05006140 0x050057e0 0x05004520 00000000 

0x00000000

=================================================

         total_count=9716    miss_count=0

Freed_pc        valid_cnt       invalid_cnt

0x9a81f3        00000104        00000007

         0x05006140 0x05000380 0x04fffa20 0x04ffde00 00000000 0x00000000

0x9a0326        00000053        00000033

         0x05006aa0 0x050057e0 0x05004e80 0x05003260 00000000 0x00000000

0x4605a2        00000005        00000000

         0x04ff5ac0 0x01e8e2e0 0x01e2eac0 0x01e17d20 00000000 0x00000000

...

=================================================

         total_count=1531    miss_count=0

Queue   valid_cnt       invalid_cnt

0x3b0a18        00000256        00000000  Invalid Bad qtype

         0x01ad0760 0x01acfe00 0x01acf4a0 0x01aceb40 00000000 0x00000000

0x3a8f6b        00001275        00000000  Invalid Bad qtype

         0x05006aa0 0x05006140 0x050057e0 0x05004520 00000000 

0x00000000

=================================================

free_cnt=8185  fails=0  actual_free=8185  hash_miss=0

   03a8d3e0  03a8b7c0  03a7fc40  03a6ff20  03a6f5c0  03a6ec60 kao-f1#

Table 25-5 shows each field description.

Table 25-5 show blocks pool summary Fields

Field	Description
total_count	The number of blocks for a given class.
miss_count	The number of blocks not reported in the specified category due to technical reasons.
Freed_pc	The program addresses of applications that released blocks in this class.
Alloc_pc	The program addresses of applications that allocated blocks in this class.
Queue	The queues to which valid blocks in this class belong.
valid_cnt	The number of blocks that are currently allocated.
invalid_cnt	The number of blocks that are not currently allocated.
Invalid Bad qtype	Either this queue has been freed and the contents are invalid or this queue was never initialized.
Valid tcp_usr_conn_inp	The queue is valid.

The following is sample output from the show blocks core command:

CORE  LIMIT  ALLOC   HIGH    CNT       FAILED

   0  24576   3816   5538      3            0

   1  24576   1246   1246    728            0

   2  24576    145    145   1745            0

   3  24576     13     13   2744            0

Table 25-6 shows each field description.

Table 25-6 show blocks core Fields

Field	Description
CORE	core number
LIMIT	system limit for this core
ALLCO	Number of entries currently allocated (similar to MAX column in show blocks), will dynamically grow and shrink, buffers need initialization.
HIGH	High watermark for AllCO
CNT	Entries currently in cache, ready to go buffers.
FAILED	Number of attempts a block cannot be allocated due to reaching LIMIT

The following is sample output from the show blocks interface command:

Interface    SIZE  LIMIT/MAX     LOW     CNT  GLB:HELD     GLB:TOTAL

     Gi3/0    1550       1024     512     543         0             0

     Gi3/1    1550       1024     450     510         0             0

     Gi3/2    1550       1024     513     531         0             0

     Gi3/3    1550       1024     513     539         0             0

Table 25-7 shows each field description.

Table 25-7 show blocks interface Fields

Field	Description
Interface, GLB:HELD GLB:TOTAL	These indicate the number of blocks currently borrowed from the global pool and the cumulative total of blocks borrowed respectively. Note The global pool is the one displayed by the show blocks command.
SIZE	Size of the block used by the driver for this interface.
LIMIT	system limit for this interface.
LOW	Low-water mark. This number indicates the lowest number of this size blocks available since the security appliance was powered up, or since the last clearing of the blocks (with the clear blocks command). A zero in the LOW column indicates a previous event where memory was full.
CNT	Current number of blocks available in this pool for this interface.

---

Note This CLI will be available in both single and multiprocessor platforms.

---

Related Commands.

Command	Description
blocks	Increases the memory assigned to block diagnostics
clear blocks	Clears the system buffer statistics.
show conn	Shows active connections.
block queue history enable [size]	Jumbo-frame reservation.

show blocks core

To display the CPU usage on a per block basis, use the show blocks core command in privileged EXEC mode.

show blocks core

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
8.1(1)	This command was introduced.

Usage Guidelines

You can use the show blocks core command to show core limts on a per block basis. Information includes core limits, maximum number of entries allowed, entries currently in the cache, and the number of failed attempts that a block cannot be reached becasue the block has reached the limit.

Examples

The following example shows how to display the CPU utilization in single or muliple context mode:

hostname# show blocks core

CORE 	LIMIT 		ALLOC HIGH CNT FAILED

0 	 4096 		1024 	 400 1009 0

1 	 4096 		2048 	 3220 124 0

2 	 4096 		3076 	 4096 548 1000

3 	 4096 		4096 	 4096 500 0

4 	 4096 		4096 	 4096 0 0

Related Commands

Command	Description
show blocks interface	Displays the information of the block pool per interface.

show blocks interface

To display the CPU usage on a per interface basis, use the show blocks interface command in privileged EXEC mode.

show blocks interface

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
8.1(1)	This command was introduced.

Usage Guidelines

You can use the show blocks interface command to show core limts on a per interface basis. Information includes the specific interfaces and their limits. If there is no interface for a particular pool, the system will use a public or global pool.

Examples

The following example shows how to display the block interface information in single or muliple context mode:

hostname# show blocks interface

Interface    SIZE  LIMIT/MAX     LOW     CNT  GLB:HELD     GLB:TOTAL

     Ma0/0     n/a          -       -       -         -             -

     Ma0/1     n/a          -       -       -         -             -

     Gi3/0    1550       1024     512     559         0             0

     Gi3/1    1550       1024     447     474         0             0

     Gi3/2    1550       1024     512     523         0             0

     Gi3/3    1550       1024     511     551         0             0

     Gi7/0    1550       1024     513     513         0             0

     Gi7/1    1550       1024     513     513         0             0

     Gi7/2    1550       1024     513     513         0             0

     Gi7/3    1550       1024     513     513         0             0

4 	 4096 		4096 	 4096 0 0

Related Commands

Command	Description
show blocks core	Displays the the CPU usage on a per block basis.

show bootvar

To show the boot file and configuration properties, use the show bootvar command in privileged EXEC mode.

show bootvar

Syntax Description

show bootvar

Displays the system boot properties.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

The BOOT variable specifies a list of bootable images on various devices. The CONFIG_FILE variable specifies the configuration file used during system initialization. Set these variables with the boot system and boot config commands, respectively.

Examples

In the following example, the BOOT variable contains disk0:/f1_image, which is the image that is booted when the system reloads. The current value of BOOT is disk0:/f1_image; disk0:/f1_backupimage, which means the BOOT variable has been modified with the boot system command; however, the running configuration has not been saved with the write memory command. When the running configuration is saved, the BOOT variable and current BOOT variable will both have the values of disk0:/f1_image; disk0:/f1_backupimage. If the running configuration is saved, the boot loader attempts to load the contents of the BOOT variable, starting with disk0:/f1image. If the BOOT variable is not present or invalid, the boot loader attempts to boot disk0:1/f1_backupimage.

The CONFIG_FILE variable points to the system startup configuration. In this example it is not set, so the startup configuration file is the default specified with the boot config command. The current CONFIG_FILE variable may be modified with the boot config command and saved with the write memory command.

hostname# show bootvar

BOOT variable = disk0:/f1_image

Current BOOT variable = disk0:/f1_image; disk0:/f1_backupimage

CONFIG_FILE variable = 

Current CONFIG_FILE variable = 

hostname# 

Related Commands

Command	Description
boot	Specifies the configuration file or image file used at startup.

show capture

To display the capture configuration when no options are specified, use the show capture command.

show capture [capture_name] [access-list access_list_name] [count number] [decode] [detail] [dump] [packet-number number]

Syntax Description

capture_name	(Optional) Name of the packet capture.
access-list access_list_name	(Optional) Displays information for packets that are based on IP or higher fields for the specific access list identification.
count number	(Optional) Displays the number of packets specified data.
decode	This option is useful when a capture of type isakmp is applied to an interface. All isakmp data flowing through that interface will be captured after decryption and shown with more information after decoding the fields.
detail	(Optional) Displays additional protocol information for each packet.
dump	(Optional) Displays a hexadecimal dump of the packets that are transported over the data link transport.
packet-number number	Starts the display at the specified packet number.

Defaults

This command has no default settings.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	·	·	·	·	·

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

If you specify the capture_name, then the capture buffer contents for that capture are displayed.

The dump keyword does not display MAC information in the hexadecimal dump.

The decoded output of the packets depend on the protocol of the packet. In Table 25-8, the bracketed output is displayed when you specify the detail keyword.

Table 25-8 Packet Capture Output Formats 

Packet Type	Capture Output Format
802.1Q	HH:MM:SS.ms [ether-hdr] VLAN-info encap-ether-packet
ARP	HH:MM:SS.ms [ether-hdr] arp-type arp-info
IP/ICMP	HH:MM:SS.ms [ether-hdr] ip-source > ip-destination: icmp: icmp-type icmp-code [checksum-failure]
IP/UDP	HH:MM:SS.ms [ether-hdr] src-addr.src-port dest-addr.dst-port: [checksum-info] udp payload-len
IP/TCP	HH:MM:SS.ms [ether-hdr] src-addr.src-port dest-addr.dst-port: tcp-flags [header-check] [checksum-info] sequence-number ack-number tcp-window urgent-info tcp-options
IP/Other	HH:MM:SS.ms [ether-hdr] src-addr dest-addr: ip-protocol ip-length
Other	HH:MM:SS.ms ether-hdr: hex-dump

Examples

This example shows how to display the capture configuration:

hostname(config)# show capture

capture arp ethernet-type arp interface outside

capture http access-list http packet-length 74 interface inside

This example shows how to display the packets that are captured by an ARP capture:

hostname(config)# show capture arp

2 packets captured

19:12:23.478429 arp who-has 171.69.38.89 tell 171.69.38.10

19:12:26.784294 arp who-has 171.69.38.89 tell 171.69.38.10

2 packets shown

Related Commands

Command	Description
capture	Enables packet capture capabilities for packet sniffing and network fault isolation.
clear capture	Clears the capture buffer.
copy capture	Copies a capture file to a server.

show chardrop

To display the count of characters dropped from the serial console, use the show chardrop command in privileged EXEC mode.

show chardrop

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
7.0(1)	This command was introduced.

Examples

The following is sample output from the show chardrop command:

hostname# show chardrop

Chars dropped pre-TxTimeouts: 0, post-TxTimeouts: 0

Related Commands

Command	Description
show running-config	Shows the current operating configuration.

show checkheaps

To show the checkheaps statistics, use the show checkheaps command in privileged EXEC mode. Checkheaps is a periodic process that verifies the sanity of the heap memory buffers (dynamic memory is allocated from the system heap memory region) and the integrity of the code region.

show checkheaps

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	—	•

Command History

Release	Modification
7.0(1)	This command was introduced.

Examples

The following is sample output from the show checkheaps command:

hostname# show checkheaps

Checkheaps stats from buffer validation runs

--------------------------------------------

Time elapsed since last run     : 42 secs

Duration of last run            : 0 millisecs

Number of buffers created       : 8082

Number of buffers allocated     : 7808

Number of buffers free          : 274

Total memory in use             : 43570344 bytes

Total memory in free buffers    : 87000 bytes

Total number of runs            : 310

Related Commands

Command	Description
checkheaps	Sets the checkheap verification intervals.

show checksum

To display the configuration checksum, use the show checksum command in privileged EXEC mode.

show checksum

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	·	·	·	·

Command History

Release	Modification
7.0(1)	Support for this command was introduced on the security appliance.

Usage Guidelines

The show checksum command allows you to display four groups of hexadecimal numbers that act as a digital summary of the configuration contents. This checksum is calculated only when you store the configuration in Flash memory.

If a dot (".") appears before the checksum in the show config or show checksum command output, the output indicates a normal configuration load or write mode indicator (when loading from or writing to the security appliance Flash partition). The "." shows that the security appliance is preoccupied with the operation but is not "hung up." This message is similar to a "system processing, please wait" message.

Examples

This example shows how to display the configuration or the checksum:

hostname(config)# show checksum

Cryptochecksum: 1a2833c0 129ac70b 1a88df85 650dbb81

show chunkstat

To display the chunk statistics, use the show chunkstat command in privileged EXEC mode.

show chunkstat

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	—	•

Command History

Release	Modification
Preexisting	This command was preexisting.

Examples

This example shows how to display the chunk statistics:

hostname# show chunkstat

Global chunk statistics: created 181, destroyed 34, siblings created 94, siblings 
destroyed 34

Per-chunk statistics: siblings created 0, siblings trimmed 0

Dump of chunk at 01edb4cc, name "Managed Chunk Queue Elements", data start @ 01edbd24, end 
@ 01eddc54

next: 01eddc8c, next_sibling: 00000000, prev_sibling: 00000000

flags 00000001

maximum chunk elt's: 499, elt size: 16, index first free 498

# chunks in use: 1, HWM of total used: 1, alignment: 0

Per-chunk statistics: siblings created 0, siblings trimmed 0

Dump of chunk at 01eddc8c, name "Registry Function List", data start @ 01eddea4, end @ 
01ede348

next: 01ede37c, next_sibling: 00000000, prev_sibling: 00000000

flags 00000001

maximum chunk elt's: 99, elt size: 12, index first free 42

# chunks in use: 57, HWM of total used: 57, alignment: 0

Related Commands

Command	Description
show counters	Displays the protocol stack counters.
show cpu	Displays the CPU utilization information.

show class

To show the contexts assigned to a class, use the show class command in privileged EXEC mode.

show class name

Syntax Description

name	Specifies the name as a string up to 20 characters long. To show the default class, enter default for the name.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	—	—	•

Command History

Release	Modification
7.2(1)	This command was introduced.

Examples

The following is sample output from the show class default command:

hostname# show class default

Class Name           Members    ID   Flags

default                All       1    0001

Related Commands

Command	Description
class	Configures a resource class.
clear configure class	Clears the class configuration.
context	Configures a security context.
limit-resource	Sets the resource limit for a class.
member	Assigns a context to a resource class.

show clock

To view the time on the security appliance, use the show clock command in user EXEC mode.

show clock [detail]

Syntax Description

detail

(Optional) Indicates the clock source (NTP or user configuration) and the current summer-time setting (if any).

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
User EXEC	•	•	•	•	•

Command History

Release	Modification
Preexisting	This command was preexisting.

Examples

The following is sample output from the show clock command:

hostname> show clock

12:35:45.205 EDT Tue Jul 27 2004

The following is sample output from the show clock detail command:

hostname> show clock detail

12:35:45.205 EDT Tue Jul 27 2004

Time source is user configuration

Summer time starts 02:00:00 EST Sun Apr 4 2004

Summer time ends 02:00:00 EDT Sun Oct 31 2004

Related Commands

Command	Description
clock set	Manually sets the clock on the security appliance.
clock summer-time	Sets the date range to show daylight saving time.
clock timezone	Sets the time zone.
ntp server	Identifies an NTP server.
show ntp status	Shows the status of the NTP association.

show compression svc

To view compression statistics for SVC connections on the security appliance, use the show compression svc command from privileged EXEC mode:

show compression svc

Defaults

There is no default behavior for this command.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	—	•	—	—

Command History

Release	Modification
7.1(1)	This command was introduced.

Examples

The following example shows the output of the show compression svc command:

hostname# show compression svc

Compression SVC Sessions                            1

Compressed Frames                              249756

Compressed Data In (bytes) 												 0048042

Compressed Data Out (bytes)    												 4859704

Expanded Frames 							 							1

Compression Errors 														0

Compression Resets 														0

Compression Output Buf Too Small   														0

Compression Ratio													 2.06

Decompressed Frames					 								876687

Decompressed Data In                      												279300233

Related Commands

Command	Description
compression	Enables compression for all SVC and WebVPN connections.
svc compression	Enables compression of http data over an SVC connection for a specific group or user.

show configuration

To display the configuration that is saved in flash memory on the security appliance, use the show configuration command in privileged EXEC mode.

show configuration

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
Preexisting	This command was modified.

Usage Guidelines

The show configuration command displays the saved configuration in flash memory on the security appliance. Unlike the show running-config command, the show configuration command does not use many CPU resources to run.

To display the active configuration in memory (including saved configuration changes) on the security appliance, use the show running-config command.

Examples

This example shows how to display the configuration that is saved in flash memory on the security appliance:

hostname# show configuration

: enable password 8Ry2YjIyt7RRXU24 encrypted

names

dns-guard

!

interface Ethernet0/0

 nameif inside

 security-level 100

 ip address 192.168.2.5 255.255.255.0

!

interface Ethernet0/1

 nameif outside

 security-level 0

 ip address 10.132.12.6 255.255.255.0

!

interface Ethernet0/2

 nameif dmz

 security-level 50

 ip address 40.0.0.5 255.0.0.0

!

interface Ethernet0/3

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Management0/0

 nameif management

 security-level 100

 ip address 192.168.1.1 255.255.255.0

 management-only

!

passwd 2KFQnbNIdI.2KYOU encrypted

boot system disk0:/newImage

ftp mode passive

access-list acl1 extended permit ip any any

access-list mgcpacl extended permit udp any any eq 2727

access-list mgcpacl extended permit udp any any eq 2427

access-list mgcpacl extended permit udp any any eq tftp

access-list mgcpacl extended permit udp any any eq 1719

access-list permitIp extended permit ip any any

pager lines 25

logging enable

logging console debugging

logging buffered debugging

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

icmp permit any dmz

asdm image disk0:/pdm

no asdm history enable

arp timeout 14400

global (outside) 1 10.132.12.50-10.132.12.52

global (outside) 1 interface

global (dmz) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

access-group permitIp in interface inside

access-group permitIp in interface outside

access-group mgcpacl in interface dmz

!

router ospf 1

 network 40.0.0.0 255.0.0.0 area 192.168.2.0

 network 192.168.2.0 255.255.255.0 area 192.168.2.0

 log-adj-changes

 redistribute static subnets

 default-information originate

!

route outside 0.0.0.0 0.0.0.0 10.132.12.1 1

route outside 10.129.0.0 255.255.0.0 10.132.12.1 1

route outside 88.0.0.0 255.0.0.0 10.132.12.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 10.132.12.0 255.255.255.0 outside

http 192.168.2.0 255.255.255.0 inside

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet 192.168.2.0 255.255.255.0 inside

telnet 10.132.12.0 255.255.255.0 outside

telnet timeout 5

ssh 192.168.2.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect mgcp

policy-map type inspect mgcp mgcpapp

 parameters

  call-agent 150.0.0.210 101

  gateway 50.0.0.201 101

  gateway 100.0.0.201 101

  command-queue 150

!

service-policy global_policy global

webvpn

 memory-size percent 25

 enable inside

 internal-password enable

 onscreen-keyboard logon

username snoopy password /JcYsjvxHfBHc4ZK encrypted

prompt hostname context

Cryptochecksum:62bf8f5de9466cdb64fe758079594635: 

end

Related Commands

Command	Description
configure terminal	Configures the security appliance from the terminal.

show conn

To display the connection state for the designated connection type, use the show conn command in privileged EXEC mode. This command supports IPv4 and IPv6 addresses.

show conn [count | [all] [detail] [long] [state state_type] [protocol {tcp | udp}] [address src_ip[-src_ip] [netmask mask]] [port src_port[-src_port]] [address dest_ip[-dest_ip] [netmask mask]] [port dest_port[-dest_port]]]

Syntax Description

address	(Optional) Displays connections with the specified source or destination IP address.
all	(Optional) Displays connections that are to the device or from the device, in addition to through-traffic connections.
count	(Optional) Displays the number of active connections.
dest_ip	(Optional) Specifies the destination IP address (IPv4 or IPv6). To specify a range, separate the IP addresses with a dash (-), For example: 10.1.1.1-10.1.1.5
dest_port	(Optional) Specifies the destination port number. To specify a range, separate the port numbers with a dash (-), For example: 1000-2000
detail	(Optional) Displays connections in detail, including translation type and interface information.
long	(Optional) Displays connections in long format.
netmask mask	(Optional) Specifies a subnet mask for use with the given IP address.
port	(Optional) Displays connections with the specified source or destination port.
protocol {tcp | udp}	(Optional) Specifies the connection protocol, tcp or udp.
src_ip	(Optional) Specifies the source IP address (IPv4 or IPv6). To specify a range, separate the IP addresses with a dash (-), For example: 10.1.1.1-10.1.1.5
src_port	(Optional) Specifies the source port number. To specify a range, separate the port numbers with a dash (-), For example: 1000-2000
state state_type	(Optional) Specifies the connection state type. See Table 25-9 for a list of the keywords available for connection state types.

Defaults

All through connections are shown by default. You need to use the all keyword to also view management connections to the device.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	—

Command History

Release	Modification
7.0(8)/7.2(4)/8.0(4)/8.1(1)	The syntax was simplified to use source and destination concepts instead of "local" and "foreign." In the new syntax, the source address is the first address entered and the destination is the second address. The old syntax used keywords like foreign and fport to determine the destination address and port.

Usage Guidelines

The show conn command displays the number of active TCP and UDP connections, and provides information about connections of various types. Use the show conn all command to see the entire table of connections.

---

Note When the security appliance creates a pinhole to allow secondary connections, this is shown as an incomplete conn by the show conn command. To clear this incomplete conn use the clear conn command.

---

The connection types that you can specify using the show conn state command are defined in Table 25-9. When specifying multiple connection types, use commas without spaces to separate the keywords.

Table 25-9 Connection State Types 

Keyword	Connection Type Displayed
up	Connections in the up state.
conn_inbound	Inbound connections.
ctiqbe	CTIQBE connections
data_in	Inbound data connections.
data_out	Outbound data connections.
finin	FIN inbound connections.
finout	FIN outbound connections.
h225	H.225 connections
h323	H.323 connections
http_get	HTTP get connections.
mgcp	MGCP connections.
nojava	Connections that deny access to Java applets.
rpc	RPC connections.
service_module	Connections being scanned by an SSM.
sip	SIP connections.
skinny	SCCP connections.
smtp_data	SMTP mail data connections.
sqlnet_fixup_data	SQL*Net data inspection engine connections.

When you use the detail option, the system displays information about the translation type and interface information using the connection flags defined in Table 25-10.

Table 25-10 Connection Flags 

Flag	Description
a	awaiting outside ACK to SYN
A	awaiting inside ACK to SYN
B	initial SYN from outside
C	Computer Telephony Interface Quick Buffer Encoding (CTIQBE) media connection
d	dump
D	DNS
E	outside back connection
f	inside FIN
F	outside FIN
g	Media Gateway Control Protocol (MGCP) connection
G	connection is part of a group1
h	H.225
H	H.323
i	incomplete TCP or UDP connection
I	inbound data
k	Skinny Client Control Protocol (SCCP) media connection
K	GTP t3-response
m	SIP media connection
M	SMTP data
O	outbound data
p	replicated (unused)
P	inside back connection
q	SQL*Net data
r	inside acknowledged FIN
R	outside acknowledged FIN for TCP connection
R	UDP RPC2
s	awaiting outside SYN
S	awaiting inside SYN
t	SIP transient connection3
T	SIP connection4
U	up
X	Inspected by the service module, such as a CSC SSM.

1 The G flag indicates the connection is part of a group. It is set by the GRE and FTP Strict fixups to designate the control connection and all its associated secondary connections. If the control connection terminates, then all associated secondary connections are also terminated. 2 Because each row of show conn command output represents one connection (TCP or UDP ), there will be only one R flag per row. 3 For UDP connections, the value t indicates that it will timeout after one minute. 4 For UDP connections, the value T indicates that the connection will timeout according to the value specified using the timeout sip command.

---

Note For connections using a DNS server, the source port of the connection may be replaced by the IP address of DNS server in the show conn command output.

---

A single connection is created for multiple DNS sessions, as long as they are between the same two hosts, and the sessions have the same 5-tuple (source/destination IP address, source/destination port, and protocol). DNS identification is tracked by app_id, and the idle timer for each app_id runs independently.

Because the app_id expires independently, a legitimate DNS response can only pass through the security appliance within a limited period of time and there is no resource build-up. However, when you enter the show conn command, you will see the idle timer of a DNS connection being reset by a new DNS session. This is due to the nature of the shared DNS connection and is by design.

---

Note When there is no TCP traffic for the period of inactivity defined by the timeout tcp command (by default, 1:00:00), the connection is closed and the corresponding conn flag entries are no longer displayed.

---

Examples

When specifying multiple connection types, use commas without spaces to separate the keywords. The following example displays information about RPC, H.323, and SIP connections in the Up state:

hostname# show conn state up,rpc,h323,sip

The following is sample output from the show conn count command:

hostname# show conn count

29 in use, 63 most used

The following is sample output from the show conn command. This example shows a TCP session connection from inside host 10.1.1.15 to the outside Telnet server at 10.10.49.10. Because there is no B flag, the connection is initiated from the inside. The "U", "I", and "O" flags denote that the connection is active and has received inbound and outbound data.

hostname# show conn

29 in use, 63 most used

TCP out 10.10.49.10:23 in 10.1.1.15:1026 idle 0:00:22 bytes 1774 flags UIO

UDP out 10.10.49.10:31649 in 10.1.1.15:1028 idle 0:00:14 bytes 0 flags D-

UDP out 10.132.64.109:31807 in 10.130.64.182:0 idle 0:01:05 bytes 0 flags Ci

UDP out 10.132.64.109:31806 in 10.130.64.182:4472 idle 0:00:00 bytes 567084 flags C

TCP out 10.132.64.25:2748 in 10.130.64.182:4471 idle 0:00:00 bytes 5750 flags UIO

UDP out 10.132.64.179:1719 in 10.130.64.182:4470 idle 0:01:28 bytes 133 flags H-

UDP out 10.68.226.120:53 in 10.130.64.21:47349 idle 0:00:04 bytes 45 flags -

UDP out 10.68.226.120:53 in 10.130.64.21:47346 idle 0:00:19 bytes 90 flags -

UDP out 10.68.226.120:53 in 10.130.64.21:47344 idle 0:00:39 bytes 90 flags -

UDP out 10.68.226.120:53 in 10.130.64.21:47342 idle 0:00:52 bytes 43 flags -

UDP out 10.68.226.120:53 in 10.130.64.21:47340 idle 0:00:59 bytes 90 flags -

UDP out 10.68.226.120:53 in 10.130.64.21:47338 idle 0:01:19 bytes 90 flags -

UDP out 10.68.226.120:53 in 10.130.64.21:47336 idle 0:01:39 bytes 90 flags -

UDP out 10.68.226.120:53 in 10.130.64.21:47334 idle 0:01:59 bytes 90 flags -

UDP out 10.132.64.109:0 in 10.130.64.182:28301 idle 0:01:05 bytes 0 flags Ci

UDP out 10.132.64.109:0 in 10.130.64.182:28300 idle 0:01:05 bytes 0 flags Ci

UDP out 10.132.64.25:0 in 10.130.64.182:28301 idle 0:01:05 bytes 0 flags Ci

UDP out 10.132.64.25:0 in 10.130.64.182:28300 idle 0:01:05 bytes 0 flags Ci

The following is sample output from the show conn command, which includes the "X" flag to indicate that the connection is being scanned by the SSM:

hostname# show conn address 10.0.0.122 state service_module

TCP out 10.1.0.121:22 in 10.0.0.122:34446 idle 0:00:03 bytes 2733 flags UIOX

The following is sample output from the show conn detail command. This example shows a UDP connection from outside host 10.10.49.10 to inside host 10.1.1.15. The D flag denotes that this is a DNS connection. The number 1028 is the DNS ID over the connection.

hostname(config)# show conn detail

27 in use, 63 most used

Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,

       B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump,

       E - outside back connection, F - outside FIN, f - inside FIN,

       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,

       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response

       k - Skinny media, M - SMTP data, m - SIP media, n - GUP

       O - outbound data, P - inside back connection, q - SQL*Net data,

       R - outside acknowledged FIN,

       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,

       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up, W - WAAS,

       X - inspected by service module

TCP outside:10.10.49.10/23 inside:10.1.1.15/1026 flags UIO

UDP outside:10.10.49.10/31649 inside:10.1.1.15/1028 flags dD

UDP outside:10.132.64.109/31807 inside:10.130.64.182/0 flags Ci

UDP outside:10.132.64.109/31806 inside:10.130.64.182/4472 flags C

TCP outside:10.132.64.25/2748 inside:10.130.64.182/4471 flags UIO

UDP outside:10.132.64.179/1719 inside:10.130.64.182/4470 flags H-

UDP outside:10.68.226.120/53 inside:10.130.64.21/47349 flags -

UDP outside:10.68.226.120/53 inside:10.130.64.21/47346 flags -

UDP outside:10.68.226.120/53 inside:10.130.64.21/47344 flags -

UDP outside:10.68.226.120/53 inside:10.130.64.21/47342 flags -

UDP outside:10.68.226.120/53 inside:10.130.64.21/47340 flags -

UDP outside:10.68.226.120/53 inside:10.130.64.21/47338 flags -

UDP outside:10.68.226.120/53 inside:10.130.64.21/47336 flags -

UDP outside:10.132.64.109/0 inside:10.130.64.182/28301 flags Ci

UDP outside:10.132.64.109/0 inside:10.130.64.182/28300 flags Ci

UDP outside:10.132.64.25/0 inside:10.130.64.182/28301 flags Ci

UDP outside:10.132.64.25/0 inside:10.130.64.182/28300 flags Ci

Related Commands

Commands	Description
clear conn	Clears a specific connection or connections.
inspect ctiqbe	Enables CTIQBE application inspection.
inspect h323	Enables H.323 application inspection.
inspect mgcp	Enables MGCP application inspection.
inspect sip	Removes Java applets from HTTP traffic.
inspect skinny	Enables SCCP application inspection.

show console-output

To display the currently captured console output, use the show console-output command in privileged EXEC mode.

show console-output

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
Preexisting	This command was preexisting.

Examples

The following example shows the message that displays when there is no console output:

hostname# show console-output

Sorry, there are no messages to display

Related Commands

Command