Cisco ASDM 7 User Guide
Cisco ASA Series Firewall ASDM Configuration Guide, Chapter 23: Configuring QoS (page 23-11)

For traffic shaping, you can only use the class-default class map, which is automatically created by the ASA and which matches all traffic. You cannot configure traffic shaping and standard priority queuing for the same interface; only hierarchical priority queuing is allowed. See the "How QoS Features Interact" section on page 23-4 for information about valid QoS configurations. You cannot configure traffic shaping in the global policy.

Detailed Steps

Step 1  Configure a service policy on the Configuration > Firewall > Service Policy Rules pane according to Chapter 1, "Configuring a Service Policy." You can configure QoS as part of a new service policy rule, or you can edit an existing service policy.

Step 2  In the Rule Actions dialog box, click the QoS tab.

Step 3  Click Enable traffic shaping, and configure the following fields:
- Average Rate: sets the average rate of traffic in bits per second over a given fixed time period, between 64000 and 154400000. Specify a value that is a multiple of 8000.
- Burst Size: sets the average burst size in bits that can be transmitted over a given fixed time period, between 2048 and 154400000. Specify a value that is a multiple of 128. If you do not specify the Burst Size, the default value is equivalent to 4 milliseconds of traffic at the specified Average Rate. For example, if the average rate is 1000000 bits per second, 4 ms worth = 1000000 * 4/1000 = 4000 bits.

Step 4  (Optional) To configure priority queuing for a subset of shaped traffic:
a. Click Enforce priority to selected shape traffic.
b. Click Configure to identify the traffic that you want to prioritize. You are prompted to identify the traffic for which you want to apply priority queuing.
c. After you identify the traffic (see the "Adding a Service Policy Rule for Through Traffic" section on page 1-8), click Next.
d. Click Enable priority for this flow.
e. Click Finish.
You return to the QoS tab.

Step 5  Click Finish. The service policy rule is added to the rule table.

Step 6  Click Apply to send the configuration to the device.

Monitoring QoS

To monitor QoS in ASDM, you can enter commands at the Command Line Interface tool. This section includes the following topics:
- Viewing QoS Police Statistics, page 23-12
- Viewing QoS Standard Priority Statistics, page 23-12
- Viewing QoS Shaping Statistics, page 23-13
- Viewing QoS Standard Priority Queue Statistics, page 23-13

Viewing QoS Police Statistics

To view the QoS statistics for traffic policing, use the show service-policy command with the police keyword:

    ciscoasa# show service-policy police

The following is sample output for the show service-policy police command:

    ciscoasa# show service-policy police
    Global policy:
      Service-policy: global_fw_policy
    Interface outside:
      Service-policy: qos
        Class-map: browse
          police Interface outside:
            cir 56000 bps, bc 10500 bytes
            conformed 10065 packets, 12621510 bytes; actions: transmit
            exceeded 499 packets, 625146 bytes; actions: drop
            conformed 5600 bps, exceed 5016 bps
        Class-map: cmap2
          police Interface outside:
            cir 200000 bps, bc 37500 bytes
            conformed 17179 packets, 20614800 bytes; actions: transmit
            exceeded 617 packets, 770718 bytes; actions: drop
            conformed 198785 bps, exceed 2303 bps

Viewing QoS Standard Priority Statistics

To view statistics for service policies implementing the priority command, use the show service-policy command with the priority keyword:

    ciscoasa# show service-policy priority

The following is sample output for the show service-policy priority command:

    ciscoasa# show service-policy priority
    Global policy:
      Service-policy: global_fw_policy
    Interface outside:
      Service-policy: qos
        Class-map: TG1-voice
          Priority:
            Interface outside: aggregate drop 0, aggregate transmit 9383

Note: "Aggregate drop" denotes the aggregated number of packets dropped on this interface; "aggregate transmit" denotes the aggregated number of packets transmitted on this interface.
Viewing QoS Shaping Statistics

To view statistics for service policies implementing the shape command, use the show service-policy command with the shape keyword:

    ciscoasa# show service-policy shape

The following is sample output for the show service-policy shape command:

    ciscoasa# show service-policy shape
    Interface outside
      Service-policy: shape
        Class-map: class-default
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
          shape (average) cir 2000000, bc 8000, be 8000

The following is sample output of the show service-policy shape command for a configuration in which the shaping policy also calls a hierarchical priority policy with the service-policy command. The statistics of the nested priority policy are listed under the shaping class:

    ciscoasa# show service-policy shape
    Interface outside:
      Service-policy: shape
        Class-map: class-default
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
          shape (average) cir 2000000, bc 16000, be 16000
          Service-policy: voip
            Class-map: voip
              Queueing
              queue limit 64 packets
              (queue depth/total drops/no-buffer drops) 0/0/0
              (pkts output/bytes output) 0/0
            Class-map: class-default
              queue limit 64 packets
              (queue depth/total drops/no-buffer drops) 0/0/0
              (pkts output/bytes output) 0/0

Viewing QoS Standard Priority Queue Statistics

To display the priority-queue statistics for an interface, use the show priority-queue statistics command in privileged EXEC mode. The results show the statistics for both the best-effort (BE) queue and the low-latency queue (LLQ). The following example shows the use of the show priority-queue statistics command for the interface named test, and the command output.

    ciscoasa# show priority-queue statistics test
    Priority-Queue Statistics interface test

    Queue Type         = BE
    Packets Dropped    = 0
    Packets Transmit   = 0
    Packets Enqueued   = 0
    Current Q Length   = 0
    Max Q Length       = 0

    Queue Type         = LLQ
    Packets Dropped    = 0
    Packets Transmit   = 0
    Packets Enqueued   = 0
    Current Q Length   = 0
    Max Q Length       = 0
    ciscoasa#

In this statistical report, the meaning of the line items is as follows:
- "Packets Dropped" denotes the overall number of packets that have been dropped in this queue.
- "Packets Transmit" denotes the overall number of packets that have been transmitted from this queue.
- "Packets Enqueued" denotes the overall number of packets that have been placed in this queue.
- "Current Q Length" denotes the current depth of this queue.
- "Max Q Length" denotes the maximum depth that has ever occurred in this queue.

Feature History for QoS

Table 23-3 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.

Table 23-3  Feature History for QoS

Feature Name: Priority queuing and policing
Platform Releases: 7.0(1)
Feature Information: We introduced QoS priority queuing and policing. We introduced the following screens: Configuration > Device Management > Advanced > Priority Queue; Configuration > Firewall > Service Policy Rules.

Feature Name: Shaping and hierarchical priority queuing
Platform Releases: 7.2(4)/8.0(4)
Feature Information: We introduced QoS shaping and hierarchical priority queuing. We modified the following screen: Configuration > Firewall > Service Policy Rules.

Feature Name: Ten Gigabit Ethernet support for a standard priority queue on the ASA 5585-X
Platform Releases: 8.2(3)/8.4(1)
Feature Information: We added support for a standard priority queue on Ten Gigabit Ethernet interfaces for the ASA 5585-X.
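The counters above are only useful if somebody reads them. The following Python script is an added example, not part of the Cisco guide: it parses the text of the show service-policy police and show priority-queue statistics outputs described in this section (as captured through the ASDM Command Line Interface tool or an SSH session) and reports policers that drop a large share of their packets and priority queues that have dropped anything at all. The police sample is copied from the guide's page 23-12; the priority-queue sample is constructed in the guide's layout with made-up LLQ counters, since the guide's own sample is all zeros; the 2% policer threshold is an arbitrary assumption.

```python
"""Turn ASA QoS counters into findings: policers dropping traffic and
priority queues that have dropped packets. Added example, not Cisco code."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Copied from the guide's `show service-policy police` sample (page 23-12).
POLICE_OUTPUT = """\
Global policy:
  Service-policy: global_fw_policy
Interface outside:
  Service-policy: qos
    Class-map: browse
      police Interface outside:
        cir 56000 bps, bc 10500 bytes
        conformed 10065 packets, 12621510 bytes; actions: transmit
        exceeded 499 packets, 625146 bytes; actions: drop
        conformed 5600 bps, exceed 5016 bps
    Class-map: cmap2
      police Interface outside:
        cir 200000 bps, bc 37500 bytes
        conformed 17179 packets, 20614800 bytes; actions: transmit
        exceeded 617 packets, 770718 bytes; actions: drop
        conformed 198785 bps, exceed 2303 bps
"""

# Constructed in the layout of `show priority-queue statistics` (page 23-14);
# the LLQ numbers are invented so that the check below has something to flag.
PRIORITY_QUEUE_OUTPUT = """\
Priority-Queue Statistics interface test

Queue Type         = BE
Packets Dropped    = 0
Packets Transmit   = 48213
Packets Enqueued   = 48213
Current Q Length   = 0
Max Q Length       = 17

Queue Type         = LLQ
Packets Dropped    = 12
Packets Transmit   = 9383
Packets Enqueued   = 9395
Current Q Length   = 0
Max Q Length       = 64
"""


@dataclass
class PolicerStats:
    interface: str
    class_map: str
    cir_bps: int
    bc_bytes: int
    conformed_pkts: int
    conformed_bytes: int
    exceeded_pkts: int
    exceeded_bytes: int

    @property
    def exceed_ratio(self) -> float:
        """Fraction of packets that exceeded the CIR (dropped by the policer)."""
        total = self.conformed_pkts + self.exceeded_pkts
        return self.exceeded_pkts / total if total else 0.0


_IFACE = re.compile(r"^\s*Interface (\S+?):?\s*$")   # top-level "Interface outside:"
_CLASS = re.compile(r"^\s*Class-map: (\S+)")
_CIR = re.compile(r"cir (\d+) bps, bc (\d+) bytes")
_CONF = re.compile(r"conformed (\d+) packets, (\d+) bytes")
_EXC = re.compile(r"exceeded (\d+) packets, (\d+) bytes")  # not the "exceed N bps" line
_KV = re.compile(r"^\s*([A-Za-z ]+?)\s*=\s*(\S+)\s*$")      # "Packets Dropped = 12"


def parse_police(text: str) -> list[PolicerStats]:
    """Walk the interface / class-map hierarchy and emit one record per policer."""
    records: list[PolicerStats] = []
    iface = class_map = None
    cur: dict[str, int] = {}
    for line in text.splitlines():
        if m := _IFACE.match(line):
            iface = m.group(1)
        elif m := _CLASS.match(line):
            class_map, cur = m.group(1), {}
        elif m := _CIR.search(line):
            cur["cir"], cur["bc"] = int(m.group(1)), int(m.group(2))
        elif m := _CONF.search(line):
            cur["cp"], cur["cb"] = int(m.group(1)), int(m.group(2))
        elif m := _EXC.search(line):
            # The "exceeded" line is the last counter line of a policer block.
            records.append(PolicerStats(iface, class_map, cur["cir"], cur["bc"],
                                        cur["cp"], cur["cb"],
                                        int(m.group(1)), int(m.group(2))))
    return records


def parse_priority_queue(text: str) -> dict[str, dict[str, int]]:
    """Return {queue type ("BE"/"LLQ"): {counter name: value}}."""
    queues: dict[str, dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        if not (m := _KV.match(line)):
            continue
        key, value = m.group(1).strip(), m.group(2)
        if key == "Queue Type":
            current = queues.setdefault(value, {})
        elif current is not None:
            current[key] = int(value)
    return queues


def qos_findings(police_text: str, pq_text: str, exceed_threshold: float = 0.02) -> list[str]:
    """Human-readable findings. The 2% threshold is an assumption, tune it per site."""
    findings = []
    for p in parse_police(police_text):
        if p.exceed_ratio > exceed_threshold:
            findings.append(f"{p.interface}/{p.class_map}: {p.exceed_ratio:.1%} of packets "
                            f"exceeded cir {p.cir_bps} bps (bc {p.bc_bytes} bytes) and were dropped")
    for qtype, counters in parse_priority_queue(pq_text).items():
        if dropped := counters.get("Packets Dropped", 0):
            findings.append(f"{qtype} queue: {dropped} packets dropped, "
                            f"max depth {counters.get('Max Q Length', 0)} packets")
    return findings


if __name__ == "__main__":
    for finding in qos_findings(POLICE_OUTPUT, PRIORITY_QUEUE_OUTPUT):
        print(finding)
```

Run as-is it reports both policers from the guide's sample (browse drops about 4.7% of its packets, cmap2 about 3.5%) and the constructed LLQ drops. A non-zero "Packets Dropped" on the LLQ is worth alerting on by itself, because the low-latency queue is the one carrying the traffic you chose to protect; a rising exceed ratio on a policer is either legitimate growth or a flood, and the "exceeded ... bytes" counter tells you how much was discarded either way.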
CHAPTER 24  Troubleshooting Connections and Resources (Cisco ASA Series Firewall ASDM Configuration Guide, page 24-1)

This chapter describes how to troubleshoot the ASA and includes the following sections:
- Testing Your Configuration, page 24-1
- Monitoring Performance, page 24-8
- Monitoring System Resources, page 24-9
- Monitoring Connections, page 24-11
- Monitoring Per-Process CPU Usage, page 24-12

Testing Your Configuration

This section describes how to test connectivity for the single mode ASA or for each security context, how to ping the ASA interfaces, and how to allow hosts on one interface to ping through to hosts on another interface. This section includes the following topics:
- Pinging ASA Interfaces, page 24-1
- Verifying ASA Configuration and Operation, and Testing Interfaces Using Ping, page 24-3
- Determining Packet Routing with Traceroute, page 24-6
- Tracing Packets with Packet Tracer, page 24-7

Pinging ASA Interfaces

To test whether the ASA interfaces are up and running and that the ASA and connected routers are operating correctly, you can ping the ASA interfaces. To ping the ASA interfaces, perform the following steps:

Step 1  Draw a diagram of your single-mode ASA or security context that shows the interface names, security levels, and IP addresses.

Note: Although this procedure uses IP addresses, the ping command also supports DNS names and names that are assigned to a local IP address with the name command.
The diagram should also include any directly connected routers and a host on the other side of the router from which you will ping the ASA. (See Figure 24-1.)

Figure 24-1  Network Diagram with Interfaces, Routers, and Hosts
[Figure: a routed ASA and a transparent ASA, each with an outside interface (security 0; 209.165.201.1 on the routed ASA), an inside interface (security 100; 192.168.0.1), and dmz1 through dmz4 (dmz2 192.168.2.1, security 40; dmz4 192.168.4.1, security 80), with a directly connected router on each interface and a host behind each router.]

Step 2  Ping each ASA interface from the directly connected routers. For transparent mode, ping the management IP address. This test ensures that the ASA interfaces are active and that the interface configuration is correct.

A ping might fail if the ASA interface is not active, the interface configuration is incorrect, or if a switch between the ASA and a router is down (see Figure 24-2). In this case, no debugging messages or syslog messages appear, because the packet never reaches the ASA.

Figure 24-2  Ping Failure at the ASA Interface
[Figure: a router pinging an ASA interface; the ping never reaches the ASA.]

If the ping reaches the ASA, and it responds, debugging messages similar to the following appear:

    ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.201.2
    ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1

If the ping reply does not return to the router, then a switch loop or redundant IP addresses may exist (see Figure 24-3).
Figure 24-3  Ping Failure Because of IP Addressing Problems
[Figure: a host, a router and the security appliance, with 192.168.1.2 assigned twice (a duplicate address) and 192.168.1.1 once, so the ping reply goes astray.]

Step 3  Ping each ASA interface from a remote host. For transparent mode, ping the management IP address. This test checks whether the directly connected router can route the packet between the host and the ASA, and whether the ASA can correctly route the packet back to the host.

A ping might fail if the ASA does not have a return route to the host through the intermediate router (see Figure 24-4). In this case, the debugging messages show that the echo request reached the ASA, but syslog message 110001 appears, indicating that a routing failure has occurred when the ASA tried to send the reply.

Figure 24-4  Ping Failure Because the ASA Has No Return Route
[Figure: a host pinging the ASA through a router; the ASA has no route back to the host.]

Verifying ASA Configuration and Operation, and Testing Interfaces Using Ping

The Ping tool is useful for verifying the configuration and operation of the ASA and surrounding communications links, as well as for testing other network devices. This section includes the following topics:
- Information About Ping, page 24-3
- Pinging From an ASA Interface, page 24-4
- Pinging to an ASA Interface, page 24-4
- Pinging Through the ASA Interface, page 24-4
- Troubleshooting the Ping Tool, page 24-4
- Using the Ping Tool, page 24-5

Information About Ping

A ping is sent to an IP address and it returns a reply. This process enables network devices to discover, identify, and test each other. The Ping tool uses ICMP (as described in RFC 777 and RFC 792) to define an echo request-and-reply transaction between two network devices. The echo request packet is sent to the IP address of a network device. The receiving device reverses the source and destination address and sends the packet back as the echo reply.
Administrators can use the ASDM Ping interactive diagnostic tool in these ways:
- Loopback testing of two interfaces: A ping may be initiated from one interface to another on the same ASA, as an external loopback test to verify basic "up" status and operation of each interface.
- Pinging to an ASA: The Ping tool can ping an interface on another ASA to verify that it is up and responding.
- Pinging through an ASA: Ping packets originating from the Ping tool may pass through an intermediate ASA on their way to a device. The echo packets will also pass through two of its interfaces as they return. This procedure can be used to perform a basic test of the interfaces, operation, and response time of the intermediate unit.
- Pinging to test questionable operation of a network device: A ping may be initiated from an ASA interface to a network device that is suspected of functioning incorrectly. If the interface is configured correctly and an echo is not received, there may be problems with the device.
- Pinging to test intermediate communications: A ping may be initiated from an ASA interface to a network device that is known to be functioning correctly and answering echo requests. If the echo is received, the correct operation of any intermediate devices and physical connectivity is confirmed.

Pinging From an ASA Interface

For basic testing of an interface, you can initiate a ping from an ASA interface to a network device that you know is functioning correctly and returning replies through the intermediate communications path. For basic testing, make sure you do the following:
- Verify receipt of the ping from the ASA interface by the "known good" device. If the ping is not received, a problem with the transmitting hardware or interface configuration may exist.
- If the ASA interface is configured correctly and it does not receive an echo reply from the "known good" device, problems with the interface hardware receiving function may exist. If a different interface with "known good" receiving capability can receive an echo after pinging the same "known good" device, the hardware receiving problem of the first interface is confirmed.

Pinging to an ASA Interface

When you try to ping to an ASA interface, verify that the ping response (ICMP echo reply) is enabled for that interface by choosing Tools > Ping. When pinging is disabled, the ASA cannot be detected by other devices or software applications, and does not respond to the ASDM Ping tool.

Pinging Through the ASA Interface

To verify that other types of network traffic from "known good" sources are being passed through the ASA, choose Monitoring > Interfaces > Interface Graphs or use an SNMP management station. To enable internal hosts to ping external hosts, configure ICMP inspection. Choose Configuration > Firewall > Service Policies. With ICMP inspection enabled, the ASA tracks each echo request as a session and lets only the matching echo reply back in, so you do not have to permit echo replies in an inbound access rule.

Troubleshooting the Ping Tool

When pings fail to receive an echo, it may be the result of a configuration or operational error in an ASA, and not necessarily because of no response from the IP address being pinged. Before using the Ping tool to ping from, to, or through an ASA interface, perform the following basic checks:
- Verify that interfaces are configured. Choose Configuration > Device Setup > Interfaces.
- Verify that devices in the intermediate communications path, such as switches or routers, are correctly delivering other types of network traffic. Make sure that traffic of other types from "known good" sources is being passed. Choose Monitoring > Interfaces > Interface Graphs.

Using the Ping Tool

To use the Ping tool, perform the following steps:

Step 1  In the main ASDM application window, choose Tools > Ping. The Ping dialog box appears.

Step 2  Enter the destination IP address for the ICMP echo request packets in the IP Address field. Ping also supports IPv6 addresses.

Note: If a hostname has been assigned in the Configuration > Firewall > Objects > Service Objects/Groups pane, you can use the hostname in place of the IP address.

Step 3  (Optional) Choose the ASA interface that transmits the echo request packets from the drop-down list. If it is not specified, the ASA checks the routing table to find the destination address and uses the required interface.

Step 4  Click Ping to send ICMP echo request packets from the specified or default interface to the specified IP address and start the response timer. The response appears in the Ping Output area. A series of echo requests is sent (five in the sample output that follows), and the results display the following fields:
- The IP address of the device pinged or a device name, if available. The name of the device, if assigned, may be displayed even if NO response is the result.
- When the ping is transmitted, a millisecond timer starts with a specified maximum, or timeout value. This timer is useful for testing the relative response times of different routes or activity levels.

Example Ping output:

    Sending 5, 100-byte ICMP Echos to out-pc, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

If the ping fails, the output is as follows:

    Sending 5, 100-byte ICMP Echos to 10.132.80.101, timeout is 2 seconds:
    ?????
    Success rate is 0 percent (0/5)

Step 5  To enter a new IP address, click Clear Screen to remove the previous response from the Ping Output area.
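When the ping is driven from a script (for example a reachability check run over the Command Line Interface tool or SSH after a change window) the three-line transcript above has to be interpreted by code rather than by eye. The following Python parser is an added example, not part of the Cisco guide: it reads a ping transcript in the format shown in this section, returns the sent/received counts and round-trip times, and cross-checks the per-probe marker line against the summary line. The "up" and "down" transcripts are copied from the guide; the partial-loss transcript is constructed in the same layout, and the verdict labels are this example's own.

```python
"""Parse an ASA / ASDM Ping tool transcript into a structured result.
Added example, not Cisco code."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Copied from the guide (page 24-5).
PING_OK = """\
Sending 5, 100-byte ICMP Echos to out-pc, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
"""
PING_FAIL = """\
Sending 5, 100-byte ICMP Echos to 10.132.80.101, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
"""
# Constructed partial-loss transcript in the same layout (not from the guide).
PING_LOSSY = """\
Sending 5, 100-byte ICMP Echos to 10.132.80.101, timeout is 2 seconds:
!!?!?
Success rate is 60 percent (3/5), round-trip min/avg/max = 1/12/30 ms
"""

_HEADER = re.compile(
    r"Sending (?P<count>\d+), (?P<size>\d+)-byte ICMP Echos to (?P<target>\S+), "
    r"timeout is (?P<timeout>\d+) seconds:")
_SUMMARY = re.compile(
    r"Success rate is (?P<pct>\d+) percent \((?P<rx>\d+)/(?P<tx>\d+)\)"
    r"(?:, round-trip min/avg/max = (?P<min>\d+)/(?P<avg>\d+)/(?P<max>\d+) ms)?")
_MARKERS = re.compile(r"^[!.?]+$")   # one character per probe: ! answered, ./? not


@dataclass
class PingResult:
    target: str
    size: int
    timeout_s: int
    sent: int
    received: int
    markers: str
    rtt_ms: Optional[Tuple[int, int, int]]   # (min, avg, max); None when nothing came back

    @property
    def loss_pct(self) -> float:
        return 100.0 * (self.sent - self.received) / self.sent

    @property
    def verdict(self) -> str:
        """'up' = every probe answered, 'lossy' = some answered, 'down' = none."""
        if self.received == self.sent:
            return "up"
        return "lossy" if self.received else "down"


def parse_ping(text: str) -> PingResult:
    header = summary = None
    markers = ""
    for raw in text.splitlines():
        line = raw.strip()
        if m := _HEADER.search(line):
            header = m
        elif m := _SUMMARY.search(line):
            summary = m
        elif _MARKERS.match(line):
            markers += line
    if header is None or summary is None:
        raise ValueError("incomplete ping transcript")
    rtt = None
    if summary.group("min") is not None:   # absent when 0 replies were received
        rtt = (int(summary.group("min")), int(summary.group("avg")), int(summary.group("max")))
    result = PingResult(
        target=header.group("target"),
        size=int(header.group("size")),
        timeout_s=int(header.group("timeout")),
        sent=int(summary.group("tx")),
        received=int(summary.group("rx")),
        markers=markers,
        rtt_ms=rtt,
    )
    # The marker line and the summary line must agree; a mismatch means the
    # transcript was truncated or interleaved with other console output.
    if markers and markers.count("!") != result.received:
        raise ValueError(f"markers {markers!r} disagree with summary {summary.group(0)!r}")
    return result


if __name__ == "__main__":
    for transcript in (PING_OK, PING_FAIL, PING_LOSSY):
        r = parse_ping(transcript)
        print(f"{r.target}: {r.verdict}, {r.loss_pct:.0f}% loss, rtt={r.rtt_ms}")
```

A "down" verdict against an ASA interface does not by itself say why: as the chapter notes, the request may never have reached the ASA (nothing logged), the ASA may have no return route (syslog 110001), or echo replies may simply be disabled on that interface. Treat the verdict as the trigger to look at those three things, not as the diagnosis.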
Determining Packet Routing with Traceroute

The Traceroute tool helps you to determine the route that packets will take to their destination. The tool prints the result of each probe sent. Every line of output corresponds to a TTL value in increasing order. The table at the end of this section lists the output symbols printed by this tool.

To use the Traceroute tool, perform the following steps:

Step 1  In the main ASDM application window, choose Tools > Traceroute. The Traceroute dialog box appears.

Step 2  Enter the hostname or IP address to which the route is traced. If a hostname is given, define it by choosing Configuration > Firewall > Objects > Service Objects/Groups, or configure a DNS server to enable this tool to resolve the hostname to an IP address.

Step 3  Enter the amount of time in seconds to wait for a response before a probe times out. The default is three seconds.

Step 4  Type the destination port used by the UDP probe messages. The default is 33434.

Step 5  Enter the number of probes to be sent at each TTL level. The default is three.

Step 6  Specify the minimum and maximum TTL values for the probes. The minimum default is one, but it can be set to a higher value to suppress the display of known hops. The maximum default is 30. The traceroute terminates when the packet reaches the destination or when the maximum TTL is reached.

Step 7  Check the Specify source interface or IP address check box. Choose the source interface or IP address for the packet trace from the drop-down list. This IP address must be the IP address of one of the interfaces. In transparent mode, it must be the management IP address of the ASA.

Step 8  Check the Reverse Resolve check box to have the output display the names of hops encountered if name resolution is configured. Leave this check box unchecked to have the output display IP addresses.
Step 9  Check the Use ICMP check box to specify the use of ICMP probe packets instead of UDP probe packets.

Step 10  Click Trace Route to start the traceroute. The Traceroute Output area displays detailed messages about the traceroute results.

Step 11  Click Clear Output to start a new traceroute.

Traceroute output symbols:

Output Symbol   Description
*               No response was received for the probe within the timeout period.
nn msec         For each node, the round-trip time (in milliseconds) for the specified number of probes.
!N              ICMP network unreachable.
!H              ICMP host unreachable.
!P              ICMP protocol unreachable.
!A              ICMP administratively prohibited.
?               Unknown ICMP error.