Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference, 3.1
show asp drop through show curpriv

Table Of Contents

show asp drop through show curpriv Commands

show asp drop

show asp table arp

show asp table classify

show asp table interfaces

show asp table mac-address-table

show asp table routing

show asp table vpn-context

show asr

show auto-update

show blocks

show capture

show checkheaps

show checksum

show chunkstat

show class

show conn

show console-output

show context

show counters

show counters description

show cpu

show crashinfo

show crypto accelerator statistics

show crypto ca certificates

show crypto ca crls

show crypto ipsec df-bit

show crypto ipsec fragmentation

show crypto key mypubkey

show crypto protocol statistics

show ctiqbe

show curpriv


show asp drop through show curpriv Commands


show asp drop

To debug dropped packets or connections that take place in the control plane path, use the show asp drop command in privileged EXEC mode. This command only shows packet and flow drops for traffic that passes through the control plane path, including most inspected traffic, traffic destined directly to the FWSM, and all IPv6 traffic. Packets and flows that are processed and dropped in the FWSM hardware do not appear in the output.

show asp drop [flow drop_reason | frame drop_reason]

Syntax Description

flow

(Optional) Shows the dropped flows (connections).

frame

(Optional) Shows the dropped packets.

drop_reason

(Optional) Shows the flows or packets dropped by a particular process.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

The show asp drop command might help you troubleshoot a problem with the control plane. This information is used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp drop command:

hostname# show asp drop

Frame drop: 
No route to host                                          600 
TCP packet SEQ past window                                 13 
TCP invalid ACK                                           2051
TCP packet buffer full                                     15 
TCP DUP and has been ACKed                               4206 
TCP packet failed PAWS test                                32 
No inspect found                                          151 
Invalid connection address in delete indication          1465 

Flow drop: 
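
An added example (not part of the Cisco reference): the Python sketch below parses two captures of show asp drop and reports which counters grew between them. It assumes the layout of the sample output above and that counters accumulate until cleared with clear asp drop; the second snapshot, its flow-drop reason, and the function names are constructed for illustration.

```python
import re

# Snapshot 1 is the sample output shown above. Snapshot 2 is constructed for
# this example: two frame counters have grown and one flow-drop line appears.
SNAPSHOT_1 = """\
hostname# show asp drop

Frame drop:
No route to host                                          600
TCP packet SEQ past window                                 13
TCP invalid ACK                                           2051
TCP packet buffer full                                     15
TCP DUP and has been ACKed                               4206
TCP packet failed PAWS test                                32
No inspect found                                          151
Invalid connection address in delete indication          1465

Flow drop:
"""

SNAPSHOT_2 = """\
hostname# show asp drop

Frame drop:
No route to host                                          600
TCP packet SEQ past window                                 13
TCP invalid ACK                                           2551
TCP packet buffer full                                     15
TCP DUP and has been ACKed                               4206
TCP packet failed PAWS test                                32
No inspect found                                          163
Invalid connection address in delete indication          1465

Flow drop:
Constructed flow reason                                      4
"""

SECTION_RE = re.compile(r"^(Frame|Flow) drop:\s*$")
COUNTER_RE = re.compile(r"^(.*\S)\s+(\d+)\s*$")


def parse_asp_drop(text):
    """Return {(section, reason): count} from 'show asp drop' output."""
    counters, section = {}, None
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).lower()
            continue
        row = COUNTER_RE.match(line)
        if row and section:  # the prompt line and blank lines never match
            counters[(section, row.group(1).strip())] = int(row.group(2))
    return counters


def drop_deltas(before, after):
    """Return [(section, reason, increase)] for counters that grew, largest first.

    A counter lower than before means the statistics were cleared in between
    (clear asp drop), so its whole current value counts as the increase.
    """
    grown = []
    for key, now in after.items():
        prev = before.get(key, 0)
        increase = now - prev if now >= prev else now
        if increase > 0:
            grown.append((key[0], key[1], increase))
    return sorted(grown, key=lambda g: -g[2])


if __name__ == "__main__":
    first, second = parse_asp_drop(SNAPSHOT_1), parse_asp_drop(SNAPSHOT_2)
    for section, reason, inc in drop_deltas(first, second):
        print(f"{section:5} +{inc:<6} {reason}")
```
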

Related Commands

Command
Description

clear asp drop

Clears drop statistics for the accelerated security path.

show conn

Shows information about connections.


show asp table arp

To debug the accelerated security path ARP tables, use the show asp table arp command in privileged EXEC mode.

show asp table arp [interface interface_name] [address ip_address [netmask mask]]

Syntax Description

address ip_address

(Optional) Identifies an IP address for which you want to view ARP table entries.

interface interface_name

(Optional) Identifies a specific interface for which you want to view the ARP table.

netmask mask

(Optional) Sets the subnet mask for the IP address.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

The show arp command shows the contents of the control plane, while the show asp table arp command shows the contents of the accelerated security path, which might help you troubleshoot a problem. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide for more information about the accelerated security path. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp table arp command:

hostname# show asp table arp

Context: single_vf, Interface: inside
  10.86.194.50                            Active   000f.66ce.5d46 hits 0
  10.86.194.1                             Active   00b0.64ea.91a2 hits 638
  10.86.194.172                           Active   0001.03cf.9e79 hits 0
  10.86.194.204                           Active   000f.66ce.5d3c hits 0
  10.86.194.188                           Active   000f.904b.80d7 hits 0

Context: single_vf, Interface: identity
  ::                                      Active   0000.0000.0000 hits 0
  0.0.0.0                                 Active   0000.0000.0000 hits 50208

Related Commands

Command
Description

show arp

Shows the ARP table.

show arp statistics

Shows ARP statistics.


show asp table classify

To debug the accelerated security path classifier tables, use the show asp table classify command in privileged EXEC mode. The classifier examines properties of incoming packets, such as protocol, and source and destination address, to match each packet to an appropriate classification rule. Each rule is labeled with a classification domain that determines what types of actions are performed, such as dropping a packet or allowing it through.

show asp table classify [crypto | domain domain_name | interface interface_name]

Syntax Description

domain domain_name

(Optional) Shows entries for a specific classifier domain. See "Usage Guidelines" for a list of domains.

interface interface_name

(Optional) Identifies a specific interface for which you want to view the classifier table.

crypto

(Optional) Shows the encrypt, decrypt, and ipsec tunnel flow domains only.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

The show asp table classify command shows the classifier contents of the accelerated security path, which might help you troubleshoot a problem. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide for more information about the accelerated security path. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Classifier domains include the following:

aaa-acct
aaa-auth
aaa-user
accounting
arp
capture
conn-nailed
conn-set
ctcp
decrypt
encrypt
established
filter-activex
filter-ftp
filter-https
filter-java
filter-url
host
inspect
inspect-ctiqbe
inspect-dns
inspect-dns-ids
inspect-ftp
inspect-ftp-data
inspect-gtp
inspect-h323
inspect-http
inspect-icmp
inspect-icmp-error
inspect-ils
inspect-mgcp
inspect-netbios
inspect-pptp
inspect-rsh
inspect-rtsp
inspect-sip
inspect-skinny
inspect-smtp
inspect-snmp
inspect-sqlnet
inspect-sqlnet-plus
inspect-sunrpc
inspect-tftp
inspect-xdmcp
ipsec-natt
ipsec-tunnel-flow
ipsec-user
limits
lu
mac-permit
mgmt-lockdown
mgmt-tcp-intercept
multicast
nat
nat-exempt
nat-exempt-reverse
nat-reverse
null
permit
permit-ip-option
permit-log
pim
ppp
punt
punt-l2
punt-root
shun
tcp-intercept

Examples

The following is sample output from the show asp table classify command:

hostname# show asp table classify

Interface test:
in  id=0x36f3800, priority=10, domain=punt, deny=false
        hits=0, user_data=0x0, flags=0x0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.86.194.60, mask=255.255.255.255, port=0
in  id=0x33d3508, priority=99, domain=inspect, deny=false
        hits=0, user_data=0x0, use_real_addr, flags=0x0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
in  id=0x33d3978, priority=99, domain=inspect, deny=false
        hits=0, user_data=0x0, use_real_addr, flags=0x0
        src ip=0.0.0.0, mask=0.0.0.0, port=53
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
...
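
An added example (not part of the Cisco reference): the Python sketch below turns show asp table classify output into structured rules, then lists the rules whose destination covers a given address and summarizes hits per classifier domain. It assumes the IPv4 layout of the sample output above; the function names and dictionary keys are chosen for illustration.

```python
import ipaddress
import re

# The sample output shown above, embedded so the example runs offline.
SAMPLE = """\
hostname# show asp table classify

Interface test:
in  id=0x36f3800, priority=10, domain=punt, deny=false
        hits=0, user_data=0x0, flags=0x0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.86.194.60, mask=255.255.255.255, port=0
in  id=0x33d3508, priority=99, domain=inspect, deny=false
        hits=0, user_data=0x0, use_real_addr, flags=0x0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
in  id=0x33d3978, priority=99, domain=inspect, deny=false
        hits=0, user_data=0x0, use_real_addr, flags=0x0
        src ip=0.0.0.0, mask=0.0.0.0, port=53
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
...
"""


def _pairs(text):
    """Split 'a=1, b=2, marker' into ({'a': '1', 'b': '2'}, ['marker'])."""
    kv, bare = {}, []
    for tok in (t.strip() for t in text.split(",")):
        if "=" in tok:
            key, value = tok.split("=", 1)
            kv[key.strip()] = value.strip()
        elif tok:
            bare.append(tok)
    return kv, bare


def parse_classify(text):
    """Return a list of rule dicts, one per rule in the output."""
    rules, iface, rule = [], None, None
    for line in text.splitlines():
        m = re.match(r"^Interface (\S+):\s*$", line)
        if m:
            iface = m.group(1)
            continue
        m = re.match(r"^(\w+)\s+(id=.*)$", line)  # first line of a rule
        if m:
            kv, _ = _pairs(m.group(2))
            rule = {"interface": iface, "direction": m.group(1), "id": kv["id"],
                    "priority": int(kv["priority"]), "domain": kv["domain"],
                    "deny": kv["deny"] == "true", "hits": 0, "markers": []}
            rules.append(rule)
            continue
        body = line.strip()
        if rule is None or not body or not line[:1].isspace():
            continue  # prompt, blank line, or the trailing "..."
        side = re.match(r"^(src|dst)\s+(.*)$", body)
        if side:
            kv, _ = _pairs(side.group(2))
            net = ipaddress.ip_network(f"{kv['ip']}/{kv['mask']}", strict=False)
            rule[side.group(1)] = (net, int(kv["port"]))
        else:
            kv, bare = _pairs(body)
            rule["hits"] = int(kv.get("hits", rule["hits"]))
            rule["markers"] += bare  # tokens without '=', e.g. use_real_addr
    return rules


def rules_matching_dst(rules, address):
    """Rules whose destination network contains the given IP address."""
    addr = ipaddress.ip_address(address)
    return [r for r in rules if "dst" in r and addr in r["dst"][0]]


def domain_summary(rules):
    """Return {domain: (rule_count, total_hits)}."""
    out = {}
    for r in rules:
        count, hits = out.get(r["domain"], (0, 0))
        out[r["domain"]] = (count + 1, hits + r["hits"])
    return out


if __name__ == "__main__":
    parsed = parse_classify(SAMPLE)
    for r in rules_matching_dst(parsed, "10.86.194.60"):
        print(r["interface"], r["id"], r["domain"], r["dst"][0], r["hits"])
    print(domain_summary(parsed))
```
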

Related Commands

Command
Description

show asp drop

Shows the accelerated security path counters for dropped packets.


show asp table interfaces

To debug the accelerated security path interface tables, use the show asp table interfaces command in privileged EXEC mode.

show asp table interfaces

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

The show asp table interfaces command shows the interface table contents of the accelerated security path, which might help you troubleshoot a problem. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide for more information about the accelerated security path. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp table interfaces command:

hostname# show asp table interfaces

** Flags: 0x0001-DHCP, 0x0002-VMAC, 0x0010-Ident Ifc, 0x0020-HDB Initd,
   0x0040-RPF Enabled
Soft-np interface 'dmz' is up
    context single_vf, nicnum 0, mtu 1500
        vlan 300, Not shared, seclvl 50
        0 packets input, 1 packets output
        flags 0x20

Soft-np interface 'foo' is down
    context single_vf, nicnum 2, mtu 1500
        vlan 301, Not shared, seclvl 0
        0 packets input, 0 packets output
        flags 0x20

Soft-np interface 'outside' is down
    context single_vf, nicnum 1, mtu 1500
        vlan 302, Not shared, seclvl 50
        0 packets input, 0 packets output
        flags 0x20

Soft-np interface 'inside' is up
    context single_vf, nicnum 0, mtu 1500
        vlan 303, Not shared, seclvl 100
        680277 packets input, 92501 packets output
        flags 0x20
...

Related Commands

Command
Description

interface

Configures an interface and enters interface configuration mode.

show interface

Displays the runtime status and statistics of interfaces.


show asp table mac-address-table

To debug the accelerated security path MAC address tables, use the show asp table mac-address-table command in privileged EXEC mode.

show asp table mac-address-table [interface interface_name]

Syntax Description

interface interface_name

(Optional) Shows MAC address tables for a specific interface.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

The show asp table mac-address-table command shows the MAC address table contents of the accelerated security path, which might help you troubleshoot a problem. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide for more information about the accelerated security path. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp table mac-address-table command:

hostname# show asp table mac-address-table

interface                 mac  address       flags
--------------------------------------------------------
    inside1                   0009.b74d.3800     None
    inside1                   0007.e903.ad6e     None
    inside1                   0007.e950.2067     None
    inside1                   0050.0499.3749     None
    inside1                   0012.d96f.e200     None
    inside1                   0001.02a7.f4ec     None
    inside1                   0001.032c.6477     None
    inside1                   0004.5a2d.a1c8     None
    inside1                   0003.4773.c87b     None
    inside1                   000d.88ef.5d1c     None
    inside1                   00c0.b766.adce     None
    inside1                   0050.5640.450d     None
    inside1                   0001.03cf.0431     None
...

Related Commands

Command
Description

show mac-address-table

Shows the MAC address table, including dynamic and static entries.


show asp table routing

To debug the accelerated security path routing tables, use the show asp table routing command in privileged EXEC mode. This command supports IPv4 and IPv6 addresses.

show asp table routing [input | output] [address ip_address [netmask mask] | interface interface_name]

Syntax Description

address ip_address

Sets the IP address for which you want to view routing entries. For IPv6 addresses, you can include the subnet mask as a slash (/) followed by the prefix (0 to 128). For example, enter the following:

fe80::2e0:b6ff:fe01:3b7a/128

input

Shows the entries from the input route table.

interface interface_name

(Optional) Identifies a specific interface for which you want to view the routing table.

netmask mask

For IPv4 addresses, specifies the subnet mask.

output

Shows the entries from the output route table.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

The show asp table routing command shows the routing table contents of the accelerated security path, which might help you troubleshoot a problem. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide for more information about the accelerated security path. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp table routing command:

hostname# show asp table routing

in   255.255.255.255 255.255.255.255 identity
in   224.0.0.9       255.255.255.255 identity
in   10.86.194.60    255.255.255.255 identity
in   10.86.195.255   255.255.255.255 identity
in   10.86.194.0     255.255.255.255 identity
in   209.165.202.159 255.255.255.255 identity
in   209.165.202.255 255.255.255.255 identity
in   209.165.201.30  255.255.255.255 identity
in   209.165.201.0   255.255.255.255 identity
in   10.86.194.0     255.255.254.0   inside
in   224.0.0.0       240.0.0.0       identity
in   0.0.0.0         0.0.0.0         inside
out  255.255.255.255 255.255.255.255 foo
out  224.0.0.0       240.0.0.0       foo
out  255.255.255.255 255.255.255.255 test
out  224.0.0.0       240.0.0.0       test
out  255.255.255.255 255.255.255.255 inside
out  10.86.194.0     255.255.254.0   inside
out  224.0.0.0       240.0.0.0       inside
out  0.0.0.0         0.0.0.0         via 10.86.194.1, inside
out  0.0.0.0         0.0.0.0         via 0.0.0.0, identity
out  ::              ::              via 0.0.0.0, identity

Related Commands

Command
Description

show route

Shows the routing table in the control plane.


show asp table vpn-context

To debug the accelerated security path VPN context tables, use the show asp table vpn-context command in privileged EXEC mode.

show asp table vpn-context [detail]

Syntax Description

detail

(Optional) Shows additional detail for the VPN context tables.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

The show asp table vpn-context command shows the VPN context contents of the accelerated security path, which might help you troubleshoot a problem. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide for more information about the accelerated security path. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp table vpn-context command:

hostname# show asp table vpn-context

VPN ID=0058070576, DECR+ESP, UP, pk=0000000000, rk=0000000000, gc=0
VPN ID=0058193920, ENCR+ESP, UP, pk=0000000000, rk=0000000000, gc=0
VPN ID=0058168568, DECR+ESP, UP, pk=0000299627, rk=0000000061, gc=2
VPN ID=0058161168, ENCR+ESP, UP, pk=0000305043, rk=0000000061, gc=1
VPN ID=0058153728, DECR+ESP, UP, pk=0000271432, rk=0000000061, gc=2
VPN ID=0058150440, ENCR+ESP, UP, pk=0000285328, rk=0000000061, gc=1
VPN ID=0058102088, DECR+ESP, UP, pk=0000268550, rk=0000000061, gc=2
VPN ID=0058134088, ENCR+ESP, UP, pk=0000274673, rk=0000000061, gc=1
VPN ID=0058103216, DECR+ESP, UP, pk=0000252854, rk=0000000061, gc=2
...

The following is sample output from the show asp table vpn-context detail command:

hostname# show asp table vpn-context detail

VPN Ctx  = 0058070576 [0x03761630]
State    = UP
Flags    = DECR+ESP
SA       = 0x037928F0
SPI      = 0xEA0F21F0
Group    = 0
Pkts     = 0
Bad Pkts = 0
Bad SPI  = 0
Spoof    = 0
Bad Crypto = 0
Rekey Pkt  = 0
Rekey Call = 0
VPN Ctx  = 0058193920 [0x0377F800]
State    = UP
Flags    = ENCR+ESP
SA       = 0x037B4B70
SPI      = 0x900FDC32
Group    = 0
Pkts     = 0
Bad Pkts = 0
Bad SPI  = 0
Spoof    = 0
Bad Crypto = 0
Rekey Pkt  = 0
Rekey Call = 0
...

Related Commands

Command
Description

show asp drop

Shows the accelerated security path counters for dropped packets.


show asr

To display the members of ASR groups, use the show asr command in privileged EXEC mode.

show asr {group_id | all}

Syntax Description

group_id

Displays the VLANs that are members of the specified ASR group. Valid values are 1 through 32.

all

Displays the membership for all 32 ASR groups.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

An ASR group can contain up to 8 members. A "0" (zero) in the output indicates an empty slot.

The show asr command provides the same output as the show np asr command.

Examples

The following is sample output from the show asr command. It limits the display to VLANs that are members of ASR group 1.

hostname# sh asr 1

ASR Group |    Vlan Entries in ASR Group (0 denotes empty slot)
----------|----------------------------------------------------
        1 |    10   20   0    0    0    0    0    0

The following is sample output from the show asr command. It displays VLAN membership for all possible ASR groups. In this example, only ASR group 1 has member VLANs.

hostname# sh asr all
ASR Group |    Vlan Entries in ASR Group (0 denotes empty slot)
----------|----------------------------------------------------
        1 |    10   20   0    0    0    0    0    0
        2 |    0    0    0    0    0    0    0    0
        3 |    0    0    0    0    0    0    0    0
        4 |    0    0    0    0    0    0    0    0
        5 |    0    0    0    0    0    0    0    0
        6 |    0    0    0    0    0    0    0    0
        7 |    0    0    0    0    0    0    0    0
        8 |    0    0    0    0    0    0    0    0
        9 |    0    0    0    0    0    0    0    0
       10 |    0    0    0    0    0    0    0    0
       11 |    0    0    0    0    0    0    0    0
       12 |    0    0    0    0    0    0    0    0
       13 |    0    0    0    0    0    0    0    0
       14 |    0    0    0    0    0    0    0    0
       15 |    0    0    0    0    0    0    0    0
       16 |    0    0    0    0    0    0    0    0
       17 |    0    0    0    0    0    0    0    0
       18 |    0    0    0    0    0    0    0    0
       19 |    0    0    0    0    0    0    0    0
       20 |    0    0    0    0    0    0    0    0
       21 |    0    0    0    0    0    0    0    0
       22 |    0    0    0    0    0    0    0    0
       23 |    0    0    0    0    0    0    0    0
       24 |    0    0    0    0    0    0    0    0
       25 |    0    0    0    0    0    0    0    0
       26 |    0    0    0    0    0    0    0    0
       27 |    0    0    0    0    0    0    0    0
       28 |    0    0    0    0    0    0    0    0
       29 |    0    0    0    0    0    0    0    0
       30 |    0    0    0    0    0    0    0    0
       31 |    0    0    0    0    0    0    0    0
       32 |    0    0    0    0    0    0    0    0

Related Commands

Command
Description

asr-group

Specifies an interface as a member of an ASR group.


show auto-update

To view the Auto Update Server configuration, use the show auto-update command in privileged EXEC mode.

show auto-update

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

This command was introduced.


Examples

The following is sample output from the show auto-update command:

hostname# show auto-update
Poll period: 1 minutes, retry count: 1, retry period: 5 minutes
Timeout: none
Device ID: host name [farscape]

Related Commands

Command
Description

auto-update device-id

Sets the FWSM device ID for use with an Auto Update Server.

auto-update poll-period

Sets how often the FWSM checks for updates from an Auto Update Server.

auto-update server

Identifies the Auto Update Server.

auto-update timeout

Stops traffic from passing through the FWSM if the Auto Update Server is not contacted within the timeout period.

clear configure auto-update

Clears the Auto Update Server configuration.


show blocks

To show the packet buffer utilization, use the show blocks command in privileged EXEC mode.

show blocks [{address hex | all | assigned | free | old | pool size [summary]} [diagnostics | dump | header | packet] | queue history [detail]]

Syntax Description

address hex

(Optional) Shows a block corresponding to this address, in hexadecimal.

all

(Optional) Shows all blocks.

assigned

(Optional) Shows blocks that are assigned and in use by an application.

detail

(Optional) Shows a portion (128 bytes) of the first block for each unique queue type.

dump

(Optional) Shows the entire block contents, including the header and packet information. The difference between dump and packet is that dump includes additional information between the header and the packet.

diagnostics

(Optional) Shows block diagnostics.

free

(Optional) Shows blocks that are available for use.

header

(Optional) Shows the header of the block.

old

(Optional) Shows blocks that were assigned more than a minute ago.

packet

(Optional) Shows the header of the block as well as the packet contents.

pool size

(Optional) Shows blocks of a specific size.

queue history

(Optional) Shows where blocks are assigned when the FWSM runs out of blocks. Sometimes, a block is allocated from the pool but never assigned to a queue. In that case, the location is the code address that allocated the block.

summary

(Optional) Shows detailed information about block usage sorted by the program addresses of applications that allocated blocks in this class, program addresses of applications that released blocks in this class, and the queues to which valid blocks in this class belong.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

The pool summary option was added.


Usage Guidelines

The show blocks command helps you determine if the FWSM is overloaded. This command lists preallocated system buffer utilization. A full memory condition is not a problem as long as traffic is moving through the FWSM. You can use the show conn command to see if traffic is moving. If traffic is not moving and the memory is full, there may be a problem.

You can also view this information using SNMP.

The information shown in a security context includes the system-wide information as well as context-specific information about the blocks in use and the high water mark for block usage.

See the "Examples" section for a description of the display output.

Examples

The following is sample output from the show blocks command in single mode:

hostname# show blocks
SIZE    MAX    LOW    CNT
     4   1600   1598   1599
    80    400    398    399
   256   3600   3540   3542
  1550   4716   3177   3184
 16384     10     10     10
  2048   1000   1000   1000

Table 25-1 shows each field description.

Table 25-1 show blocks Fields 

Field
Description

SIZE

Size, in bytes, of the block pool. Each size represents a particular type. Examples are shown below.

4

Duplicates existing blocks in applications such as DNS, ISAKMP, URL filtering, uauth, TFTP, and TCP modules.

80

Used in TCP intercept to generate acknowledgment packets and for failover hello messages.

256

Used for Stateful Failover updates, syslogging, and other TCP functions.

These blocks are mainly used for Stateful Failover messages. The active FWSM generates and sends packets to the standby FWSM to update the translation and connection table. In bursty traffic, where high rates of connections are created or torn down, the number of available blocks might drop to 0. This situation indicates that one or more connections were not updated to the standby FWSM. The Stateful Failover protocol catches the missing translation or connection the next time. If the CNT column for 256-byte blocks stays at or near 0 for extended periods of time, then the FWSM is having trouble keeping the translation and connection tables synchronized because of the number of connections per second that the FWSM is processing.

Syslog messages sent out from the FWSM also use the 256-byte blocks, but they are generally not released in such quantity as to cause a depletion of the 256-byte block pool. If the CNT column shows that the number of 256-byte blocks is near 0, ensure that you are not logging at Debugging (level 7) to the syslog server. This is indicated by the logging trap line in the FWSM configuration. We recommend that you set logging at Notification (level 5) or lower, unless you require additional information for debugging purposes.

1550

Used to store Ethernet packets for processing through the FWSM.

When a packet enters a FWSM interface, it is placed on the input interface queue, passed up to the operating system, and placed in a block. The FWSM determines whether the packet should be permitted or denied based on the security policy and processes the packet through to the output queue on the outbound interface. If the FWSM is having trouble keeping up with the traffic load, the number of available blocks will hover close to 0 (as shown in the CNT column of the command output). When the CNT column is zero, the FWSM attempts to allocate more blocks, up to a maximum of 8192. If no more blocks are available, the FWSM drops the packet.

16384

Only used for the 64-bit, 66-MHz Gigabit Ethernet cards (i82543).

See the description for 1550 for more information about Ethernet packets.

2048

Control or guided frames used for control updates.

MAX

Maximum number of blocks available for the specified byte block pool. The maximum number of blocks is carved out of memory at bootup. Typically, the maximum number of blocks does not change. The exception is for the 256- and 1550-byte blocks, where the FWSM can dynamically create more when needed, up to a maximum of 8192.

LOW

Low-water mark. This number indicates the lowest number of blocks of this size available since the FWSM was powered up, or since the last clearing of the blocks (with the clear blocks command). A zero in the LOW column indicates a previous event where memory was full.

CNT

Current number of blocks available for that specific size block pool. A zero in the CNT column means memory is full now.
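
An added example (not part of the Cisco reference): the Python sketch below applies the field descriptions above to show blocks output, flagging pools where CNT is zero, where LOW is zero, or where CNT is close to zero. The degraded snapshot is constructed, and the 5 percent threshold for "near 0" and the function names are assumptions made for this example.

```python
# HEALTHY is the single-mode sample output shown above. DEGRADED is constructed
# for this example to show an exhausted 1550-byte pool and a low 256-byte pool.
HEALTHY = """\
hostname# show blocks
SIZE    MAX    LOW    CNT
     4   1600   1598   1599
    80    400    398    399
   256   3600   3540   3542
  1550   4716   3177   3184
 16384     10     10     10
  2048   1000   1000   1000
"""

DEGRADED = """\
hostname# show blocks
SIZE    MAX    LOW    CNT
     4   1600   1598   1599
    80    400    398    399
   256   3600      0     12
  1550   4716      0      0
 16384     10     10     10
  2048   1000   1000   1000
"""

# What a shortage in a pool points to, paraphrased from the field table above.
POOL_NOTES = {
    256: "Stateful Failover updates and syslog: check that the standby stays "
         "in sync and that logging trap is not set to Debugging (level 7)",
    1550: "Ethernet packet buffers: the FWSM may not be keeping up with the "
          "traffic load and drops packets once no more blocks can be allocated",
}

MEANING = {
    "FULL_NOW": "CNT is 0, memory is full now",
    "NEAR_ZERO": "CNT is close to 0",
    "FULL_PREVIOUSLY": "LOW is 0, memory was full at some earlier point",
}


def parse_show_blocks(text):
    """Return one dict per pool, keyed by the lower-cased column headers.

    Columns are taken from the header line, so extra columns (such as the
    INUSE and HIGH columns of the context-mode header) are carried along.
    """
    header, rows = None, []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "SIZE":
            header = [f.lower() for f in fields]
        elif header and len(fields) == len(header) and all(f.isdigit() for f in fields):
            rows.append(dict(zip(header, map(int, fields))))
    return rows


def assess_blocks(rows, near_zero_ratio=0.05):
    """Return [(size, code)] findings; near_zero_ratio is an assumed threshold."""
    findings = []
    for r in rows:
        if r["cnt"] == 0:
            findings.append((r["size"], "FULL_NOW"))
        elif r["cnt"] <= r["max"] * near_zero_ratio:
            findings.append((r["size"], "NEAR_ZERO"))
        if r["low"] == 0:
            findings.append((r["size"], "FULL_PREVIOUSLY"))
    return findings


def describe(finding):
    """Render one finding as a line of text, with the pool note if one exists."""
    size, code = finding
    note = POOL_NOTES.get(size)
    return f"{size}-byte pool: {MEANING[code]}" + (f" ({note})" if note else "")


if __name__ == "__main__":
    for f in assess_blocks(parse_show_blocks(DEGRADED)):
        print(describe(f))
```
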


The following is sample output from the show blocks all command:

hostname# show blocks all
Class 0, size 4
     Block   allocd_by    freed_by  data size    alloccnt     dup_cnt  oper location
0x01799940  0x00000000  0x00101603          0           0           0 alloc not_specified
0x01798e80  0x00000000  0x00101603          0           0           0 alloc not_specified
0x017983c0  0x00000000  0x00101603          0           0           0 alloc not_specified

...

    Found 1000 of 1000 blocks
    Displaying 1000 of 1000 blocks

Table 25-2 shows each field description.

Table 25-2 show blocks all Fields

Field
Description

Block

The block address.

allocd_by

The program address of the application that last used the block (0 if not used).

freed_by

The program address of the application that last released the block.

data size

The size of the application buffer/packet data that is inside the block.

alloccnt

The number of times this block has been used since the block came into existence.

dup_cnt

The current number of references to this block if used: 0 means 1 reference, 1 means 2 references.

oper

One of the four operations that was last performed on the block: alloc, get, put, or free.

location

The application that uses the block, or the program address of the application that last allocated the block (same as the allocd_by field).


The following is sample output from the show blocks command in a context:

hostname/contexta# show blocks
  SIZE    MAX    LOW    CNT  INUSE   HIGH