Cisco Firewall :: 3.2(10) / Inconsistent Show Resource Usage Output
Feb 15, 2012
I've multiple FWSMs running. The funny thing: When I do a "show resource usage" I have one blade showing a "Conns [rate]" and "Syslogs [rate]" values and one blade isn't.
All modules are running the same software version 3.2(10). And the even more funny thing is: on one blade I have different output for all the contexts on it. What's the reason for that behaviour? A bug?
One of our firewalls - Cisco ASA 5550 8.4.3 - has got a problem. Our monitoring system requests the CPU usage on the box and from time to time we got an error. It was now possible to catch the error message - the output of show cpu usage looks like on the attached picture. We did not find anything in the known bugs, nor in the "Resolved Caveats in ASA Version 8.4(4.1)".
I am on a call right now troubleshooting some latency issue. The CPU usage on the sup card is low. Don't see any drops or input errors. I am aware that the switch and its modules have capability limits. Is there a command I can run which will tell me if any module is overloaded or if the fabric/backplane is over utilized? My chassis is WS-C6513 and sup card is WS-SUP720-3B.
Only because we want to update the A/C system in the server room, we need to know what the Cisco 2800's power usage and heat output are. It is on the racks and we can't see its specs.
I have copied status codes from show ip bg command output and its explanation (from Cisco documentation site)., d and h (suppressed, dampened and history). I read somewhere that these are to control flapping routes. But not able to understand it completely. Raised this question in a couple of forums but didn't get a proper reply. The table entry is suppressed.?? The table entry is dampened. ?? The table entry history. The table entry is valid. The table entry is the best entry to use for that network.
In a basic VPN l2l scenario using ezVPN, server behind NAT device, client using 3G. What would be the reason to have, in the output of show crypto ipsec sa, a current peer different from the remote crypto endpoint on the server?
There are more than twenty 6509VE running in the network. All of them have got 1GE or 10GE SFP / GBIC. However, when I tried "show int trans" in some of them, there's nothing shown:
Router_A#sh int transceiv
No transceiver present
Router_A#sh inv
Router_A#sh int status | i connected
Gi1/1 connected 304 full 1000 1000BaseSX
Gi1/2 To WLC5508 connected trunk full 1000 1000BaseSX
Gi1/3 To WLC5508 connected trunk full 1000 1000BaseSX
We're having kind of a problem with our Catalyst 4507r switches. If we do a "show interface" command we're getting a lot of "Total output drops" on some of our interfaces. It seems to be most of the time on the same vlan. I was wondering if it has got something to do with QOS or queue selection. As we don't have any QOS markings configured, is it possible that all traffic is using only one of the four tx queues?
I have a 5508 WLC running on 7.0.116, I need to be able to pull all configured users off the WLC and import into excel, I have 900 odd users configured. When I run a show net user summary it only displays a third of users. I'm hitting space to tab through each page, then eventually I just get dumped back to the command prompt.
How to approach an overnight upgrade from autonomous AP1231/1242 deployment into a 2504 controller-based AP1602 deployment. I do not have access to the existing 1231/1242 deployment ==> I need to ask the network manager for all necessary config info to be ported onto the 2504. Example: the 1231 show run output does not list the various SSIDs that are in use. Therefore the question is: which commands' output do I need to ask for to have all possible config data from 1231/1242 to use when configuring the 2504/1602 deployment?
Is there any way I can see the power usage on either a 3550 switch and/or 7301 router? I have some far away I wish to see the usage of.
Devices with module power supplies like cat 4500s/6500s/7600 etc all have commands like "show power ...", which will show me input voltage, current and power usage in watts. Is there anything like this for devices without module power supplies?
I recently configured a network with a 4500 Sup7E and a 3560G with jumbo frame support. I am trying to confirm operation. On the 4500 this is straightforward using "sho int g0/nn count detail". [code] The 3560 doesn't support that command. The closest I can come to finding the number of jumbo packets is "show controllers ethernet" (example below). On the transmit side I assume that jumbo frames would be tallied in the "Too large frames" counter. The receive side is a little more ambiguous. There are 2 counters that seem to be duplicates, "Valid frames, too large" and "Valid oversize frames". In operation they are not. I am seeing the "Valid frames, too large" counter incrementing while the "Valid oversize frames" remains at zero. [code]
I have a really weird thing happening on a 6509 device with one of my customers. The device has a SUP 2 (MSFC2) with version 12.2.18SXF17B.
Any VLAN interface, once administratively down or simply down, shows in the "show interface status" output as VLAN, while it is supposed to show "Routed". However, once the port is up it shows "routed" like it should.
I installed a CISCO ASA5505 with 50 user license to my network as the gateway firewall. So the ASA is acting as the gateway router which is connected to a fibre circuit and also it gives DHCP to the network. The strange thing is that except for two computers the rest do not have internet. I also have an asterisk phone system which works fine.
I tried everything.... static IPs, DHCP, DNS, nothing worked. But strangely enough two computers work fine and have internet, but are no special computers. One is Win XP and the other one is Win7. When I troubleshoot the problem in Win 7 on one of the computers it says
"The remote device or resource won't accept the connection"
However, recently when I check my internet usage log on my wireless company (Rogers), the usage is totally off from what my bandwidth tracker shows me. So I decided to turn off my wifi and see what happens. There has always been this weird wifi connection appearing whenever my wifi appears; then afterwards, when I turn off my wifi, the suspicious wifi connections disappear. Is it possible that someone is using our wifi? I might just be overreacting, but it has brought me to concern that if the usage continues my family will have to end up paying over $30 for extra internet use. It is very frustrating for me because when I check my DHCP client table it only shows 3 connections: ethernet - my desktop which is not turned on, 2 wireless connections - my laptop and my sister's laptop.
I have an asa5510 on 8.2.2. I have my logging configuration as below [code] I am not getting any syslog output to the syslog server. I'm using kiwi syslog server latest version. Have tried disabling/reenabling logging and changing inside host destinations. Is there another command needed?
How do you save the command output from the CLI to a file on flash?
With IOS, I would normally use a pipe command to redirect to tftp, but the ASA doesn't support this as far as I can tell. As a workaround I was thinking I could save the output to flash and then tftp that file off the ASA.
We have an ASA 5540 failover bundle working in Active/Standby mode. On our active asa 5540 when the sh run command is issued it gets stuck and displays the output after more than 15-20 mins.. and it takes another 10-15 mins to get back to the prompt..
However, on the standby asa 5540, if the sh run command is issued, it displays the output and comes back to the prompt (even though this also takes 2-3 seconds).
I have tried rebooting the active asa 5540. We are running asa version 8.2.2.
I'm having a bit of trouble limiting the bandwidth on outgoing traffic with a Cisco ASA 5505.
In my case I want to limit the bandwidth to 31mbit/s up and down on the outside interface, but with my current configuration, just the download rate gets limited to 31mbit/s when I do a tptest, and the upload is around 40/50mbit.
Here is the policy configuration,
access-list outside_bw extended permit ip any any
class-map outside_bw
 match access-list outside_bw
I decided to migrate to ASA 8.4(5) from 7 and everything went very well with the exception of this one issue. All ACL and NAT for our various remote desktop servers work perfectly as long as the servers are running an RDP server version greater than 5.2. For instance, Server 2008 machines (or Win 7 Pro desktops) work perfectly as configured; however, Server 2003 machines (or WinXP Pro desktops) will not. I'm using manual, static NAT for the object to avoid automatic NAT issues.
The client computer displays the non-vista warning message, "The identity of the remote computer cannot be verified...", but then fails to properly connect, stopping at the "Configuring remote session..." status message. The ASA log shows that it built the TCP, then it displays a teardown with reason TCP Reset-I.
I can use a working ACL and NAT (using default TCP 3389 for instance) with a Server 2008 at IP 192.168.15.10 and move a Server 2003 machine to that same IP without touching any configuration at the firewall and it fails. Move the Server 2008 machine back to that IP and it works perfectly (both set at Port 3389 of course).
Here is the relevant info from the config that I am using for this:
object network RDPServer
 host 192.168.15.10
object service RDP
 service tcp source eq 3389
access-list out2in line 1 extended permit tcp any object 192.168.15.10 eq 3389
nat (inside,outside) 1 source static RDPServer interface service RDP RDP
The above works perfectly as long as a Server 2008 machine is at the IP, but fails with a Server 2003 machine at the IP.
I am currently working with ASA 5585 with several contexts. What is the percentage of the CPU used per context? I already have the opportunity to do it for the whole ASA (context admin) using the SNMP mib CISCO-PROCES but, unfortunately, this mib doesn't allow us to know the percentage of used CPU per context.
I was able to know the number of cores used per context but not the percentage of the CPU used.
Our company’s Cisco ASA 5520 CPU usage drastically increased up to 93% after installing the antivirus our company purchased. Upon entering the show commands, whose results I will post later, it shows that the “Dispatch Unit” is very high. I tried to clear the conn of each IP address that has very high bytes, but nothing happened.
INTFW(config)# show proc cpu-usage sorted non-zero
PC        Thread    5Sec   1Min   5Min   Process
081aa324  6bdaf870  81.3%  81.5%  81.4%  Dispatch Unit
I am trying to troubleshoot a problem wherein one of my remote sites is not able to access some networks at HQ over Site to Site VPN (asa 5505 at Remote and 5520 at HQ). I ran packet tracer and the HQ ASA looks clean as everything came out as ALLOW. The remote site ASA packet tracer gives me DROP at Phase 9 (VPN). I am not very sure what to look for in the ASA for resolution now. Is it an access list that is blocking the traffic, or the VPN setup?
I'm running ASA 8.0(3) on an Active/StandBy failover pair. Last night I realized the CPU usage of my production ASA was 99%. On the ASDM Firewall Dashboard I can see counters like this:
Dropped Packet Rate (ACL Dropped) = 6000+ (more than 6 thousand) Scanning Attacks = 18600+ (more than Eighteen thousand)
I went on the ASDM and checked the RealTime Log viewer and I have about 30 entries per second of these: 4 | Oct 19 2011 | 11:35:12 | 401004 | Shunned packet: 10.64.10.1 ==> 10.64.0.1 on interface NewLAN
I have an ASA 5520 with a CSC-SSM module. The problem is when I am logging in to my ASDM, on the content security monitoring, it's showing the CPU and memory are at 100% (CSC), but when I directly connect to the csc-ssm MODULE it comes down. So is it a problem with ASDM, java OR csc?
I have configured an ASA 5510 and 2960S 48 port switch in a lab environment. I have two laptops connected to separate subinterfaces with server 2003 as dhcp server for one network. Everything has been working fine as we have been testing the ASA while also testing the csc ssm module. When we came in today we noticed the csc module cpu is running at 100% constantly and http traffic is extremely slow. I have not yet received my smartnet contracts from the vendor or I would open a TAC case, and I have read on the net that this is a common problem.
I recently rebooted my asa 5520. I was trying to remove webvpn listening from my outside nic, even though it wasn't configured. [code] I was planning to do another reload without the fast reload option.
I have an ASA that just started to reboot throughout the day yesterday. It seems to happen every few hours but not in a pattern. Right before it reboots there is a flood of syslog id 305006 messages "portmap translation creation failed for tcp src inside:xxx dst outside:xxx". The xlats go from around 2-3k to about 30+k, then crash. Memory usage is already pretty high normally on this device (about %75 used), CPU is around %15-20. I notice that the portmap translation errors are always from 3 inside hosts.
Today I upgraded my Cisco ASA 5505 ASDM from version 6.34 to 6.41 because of some problems on the old version with NetFlow. But now when I switch to the dashboard I cannot see the "Top Usage" tab. That was quite useful for me. It simply disappeared.
Can I somehow configure which tabs are displayed on the dashboard? I really need that one and I do not want to downgrade :/