
Cisco ASA 5506-X Configuration Manual page 368


Cisco ASA Series Firewall CLI Configuration Guide, page 16-28
Chapter 16: ASA FirePOWER (SFR) Module

Monitoring the ASA FirePOWER Module

The following example shows the location of the ASA FirePOWER boot image that was used with the sw-module module sfr recover command when installing the module.

    hostname# show module sfr recover
    Module sfr recover parameters...
    Boot Recovery Image: No
    Image File Path:     disk0:/asasfr-5500x-boot-5.3.1-44.img

Showing Module Statistics

Use the show service-policy sfr command to display statistics and status for each service policy that includes the sfr command. Use clear service-policy to clear the counters.

The following example shows the ASA FirePOWER service policy and the current statistics as well as the module status. In monitor-only mode, the input counters remain at zero.

    ciscoasa# show service-policy sfr
    Global policy:
      Service-policy: global_policy
        Class-map: my-sfr-class
          SFR: card status Up, mode fail-close
            packet input 2626422041, packet output 2626877967, drop 0, reset-drop 0, proxied 0

Monitoring Module Connections

To show connections through the ASA FirePOWER module, enter one of the following commands:

show asp table classify domain sfr
    Shows the NP rules created to send traffic to the ASA FirePOWER module.

show asp drop
    Shows dropped packets. The drop types are explained below.

show conn
    Shows if a connection is being forwarded to a module by displaying the 'X - inspected by service module' flag.

The show asp drop command can include the following drop reasons related to the ASA FirePOWER module.

Frame Drops:

sfr-bad-tlv-received—This occurs when the ASA receives a packet from FirePOWER without a Policy ID TLV. This TLV must be present in non-control packets if it does not have the Standby/Active bit set in the actions field.

sfr-request—The frame was requested to be dropped by FirePOWER due to a policy on FirePOWER whereby FirePOWER would set the actions to Deny Source, Deny Destination, or Deny Pkt. If the frame should not have been dropped, review the policies on the module that are denying the flow.

sfr-fail-close—The packet is dropped because the card is not up and the policy configured was 'fail-close' (rather than 'fail-open' which allows packets through even if the card was down). Check card status and attempt to restart services or reboot it.
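An added example, not part of the Cisco guide: a small Python health check that parses saved show service-policy sfr output, in the layout printed on this page, and flags the conditions the text describes (module not up under fail-close or fail-open, zero input counters, non-zero drops). The function names are hypothetical, the "Down" sample is constructed, and treating any card status other than Up as "not up" is an assumption.

```python
import re

# Patterns follow the output layout shown in the guide's example.
CLASS_RE = re.compile(r"Class-map:\s*(\S+)")
SFR_RE = re.compile(r"SFR: card status (\S+), mode (\S+)")
COUNTER_RE = re.compile(r"(packet input|packet output|reset-drop|drop|proxied) (\d+)")

def parse_service_policy(text):
    """Return one dict per class-map in 'show service-policy sfr' output."""
    classes, current = [], None
    for line in text.splitlines():
        if m := CLASS_RE.search(line):
            current = {"class": m.group(1)}
            classes.append(current)
        elif current and (m := SFR_RE.search(line)):
            current["status"], current["mode"] = m.groups()
        elif current:
            current.update((k, int(v)) for k, v in COUNTER_RE.findall(line))
    return classes

def findings(entry):
    """Flag the conditions the guide text describes for one class-map."""
    out = []
    if entry.get("status") != "Up":  # assumption: anything but "Up" is not up
        if entry.get("mode") == "fail-close":
            out.append("module not up, fail-close: expect sfr-fail-close drops")
        else:
            out.append("module not up, fail-open: traffic passes uninspected")
    if entry.get("packet input") == 0:
        out.append("input counter is zero: consistent with monitor-only mode")
    if entry.get("drop", 0) or entry.get("reset-drop", 0):
        out.append("drop counters non-zero: check show asp drop for the reason")
    return out

# Output as printed in the guide's example.
GUIDE_SAMPLE = """\
Global policy:
  Service-policy: global_policy
    Class-map: my-sfr-class
      SFR: card status Up, mode fail-close
        packet input 2626422041, packet output 2626877967, drop 0, reset-drop 0, proxied 0
"""
# Constructed variant (not from the guide): module down under a fail-open policy.
DOWN_SAMPLE = GUIDE_SAMPLE.replace("Up, mode fail-close", "Down, mode fail-open")

if __name__ == "__main__":
    for sample in (GUIDE_SAMPLE, DOWN_SAMPLE):
        for entry in parse_service_policy(sample):
            print(entry["class"], entry.get("status"), findings(entry) or "ok")
```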
