Oct 01 2010
Troubleshoot and Monitor Traffic on Cisco PIX/ASA
You are experiencing extremely slow response times, bandwidth is flat-lining or unusually high, or download speeds are close to 0? Here you will find how to troubleshoot and monitor traffic going through a Cisco ASA or PIX firewall with the command line.
Access Lists Statistics
You’ve most likely configured some access lists to filter the traffic going through the device. This is what firewalls do. You can get a quick overview of what kind of traffic is coming through your firewall with ACL statistics.
You can add more rules to narrow down where the traffic is going.
cisco_pix# show access-list acl_in
access-list acl_in; 17 elements
access-list acl_in line 1 permit tcp any any eq domain (hitcnt=7)
access-list acl_in line 2 permit udp any any eq domain (hitcnt=40379)
access-list acl_in line 3 permit tcp any any eq www (hitcnt=157103)
access-list acl_in line 4 permit tcp any any eq 8080 (hitcnt=466)
access-list acl_in line 5 permit tcp any any eq https (hitcnt=1910)
access-list acl_in line 6 permit tcp any any eq ftp (hitcnt=2)
access-list acl_in line 7 permit tcp any any eq smtp (hitcnt=550)
access-list acl_in line 8 permit tcp any any eq pop3 (hitcnt=14660)
Reset hit counters in configuration mode to get the latest statistics:
cisco_pix# configure terminal
cisco_pix(config)# clear access-list acl_in counters
Traffic Statistics
You can also display each PIX interface global traffic. You’re better off resetting data to get accurate results.
cisco_pix# clear traffic
Give it a few minutes to collect the data and display the overall traffic.
cisco_pix# show traffic
outside:
received (in 9.570 secs):
133 packets 19918 bytes
13 pkts/sec 2081 bytes/sec
transmitted (in 9.570 secs):
199 packets 22997 bytes
20 pkts/sec 2403 bytes/sec
inside:
received (in 9.570 secs):
158 packets 14392 bytes
16 pkts/sec 1503 bytes/sec
transmitted (in 9.570 secs):
102 packets 14264 bytes
10 pkts/sec 1490 bytes/sec
Monitor the Type of Traffic
You can also display the number of connections per second for each type of traffic, from transport to application layers.
cisco_pix# show perfmon
PERFMON STATS: Current Average
Xlates 0/s 0/s
Connections 0/s 0/s
TCP Conns 0/s 0/s
UDP Conns 0/s 0/s
URL Access 0/s 0/s
URL Server Req 0/s 0/s
TCP Fixup 27/s 1/s
TCPIntercept 0/s 0/s
HTTP Fixup 5/s 2/s
FTP Fixup 0/s 0/s
AAA Authen 0/s 0/s
AAA Author 0/s 0/s
AAA Account 0/s 0/s
Sessions Details
Display the current and maximum number of connections:
cisco_pix# show connections count
35 in use, 195 most used
Or going deeper into details with each established connection:
cisco_pix# show connections
33 in use, 195 most used
TCP out 172.18.0.1:23 in 192.168.9.101:1155 idle 0:00:32 Bytes 19354 flags UIO
TCP out 172.18.0.1:23 in 192.168.9.107:1151 idle 0:03:49 Bytes 156840 flags UIO
...
Useful since it shows the amount of tranfered bytes for each connection.
Memory and Processor
Pay attention to your memory and CPU resources indeed. Entry level Cisco firewalls aren’t equipped with a lot of memory.
cisco_pix# show cpu usage
CPU utilization for 5 seconds = 2%; 1 minute: 2%; 5 minutes: 6%
cisco_pix$ show memory
Free memory: 5069344 bytes
Used memory: 11707872 bytes
------------- ----------------
Total memory: 16777216 bytes
Ongoing Traffic Monitoring
Many tools are available out there to monitor traffic on Cisco ASA / PIX. You can detect something is wrong only if you can compare with previous data. Graphs are the best way to achieve this.
Among the most popular tools, I’ve retained Cacti, MRTG as well as Smokeping. Smokeping lets you graph and check links latency.
You can get more information on this online on Cisco documentation.