Firewall Wizards mailing list archives
RE: Cisco PIX 'unicast rpf drops' counter not showing
From: Karl Vogel <karl.vogel () seagha com>
Date: Wed, 6 Mar 2002 15:30:26 +0100
Don't know how it is on PIX, but in the 'normal' IOS you have to do a 'show ip interface XXX'.

You can also enable debugging to view the dropped packets:

    debug ip cef drops

If you are on a remote console, do a 'term monitor' to see the logging in your session.
-----Original Message-----
From: Basil Hussain [mailto:basil.hussain () kodakweddings com]
Sent: Wednesday, March 06, 2002 13:31
To: firewall-wizards () nfr com
Subject: [fw-wiz] Cisco PIX 'unicast rpf drops' counter not showing

Hi,

I have recently enabled the 'ip verify reverse-path' feature on the inside interface on my Cisco PIX-515 to perform egress filtering. It seems to be working, but I want to be absolutely sure that everything is correct and no packets are inadvertently being dropped.

According to the Cisco PIX docs (for version 6.0, which is what I'm running), it tells you that it's possible to see if packets are being dropped by watching the 'unicast rpf drops' counter on the relevant interface's statistics.

The trouble is, when I issue a 'show interface' command for the interface, there's no sight of such a counter! Here's a cut & paste of the output I'm getting:

----<snip>----
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0003.6bf6.6c35
  IP address ###.###.###.###, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        132202347 packets input, 1301809850 bytes, 0 no buffer
        Received 18126500 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        121728147 packets output, 4182466678 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/57)
        output queue (curr/max blocks): hardware (0/48) software (0/12)
----<snip>----

The 'unicast rpf drops' counter should be right at the end of line 8 - as you can see, it's not!

I'm slightly worried that:

a) I'm missing something with the config of the 'ip verify reverse-path' feature;
b) It's not working at all;
c) I have a bug in my version of the PIX software.

Can anyone help uncover what's going on?

Regards,

Basil Hussain

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
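Added example (not code from either poster or from Cisco): Python that takes two saved 'show interface' captures and reports, per interface, whether the 'unicast rpf drops' counter is present and by how much it grew between captures. Both captures are constructed; the line carrying the counter is an assumed layout, based only on the post's statement that the counter belongs at the end of line 8.

```python
import re

COUNTER = "unicast rpf drops"  # counter name as quoted in the thread
IFACE_RE = re.compile(r'^[ \t]*interface (\S+) "[^"]*" is ', re.M)
COUNT_RE = re.compile(r'(?<![\w.])(\d+) ' + re.escape(COUNTER) + r'\b')

def rpf_drops(text):
    """Map each interface to its uRPF drop count, or None when the
    counter does not appear anywhere in that interface's block."""
    found = {}
    heads = list(IFACE_RE.finditer(text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        hit = COUNT_RE.search(text, head.end(), end)
        found[head.group(1)] = int(hit.group(1)) if hit else None
    return found

def compare(before, after):
    """Compare two captures and return {interface: verdict}."""
    old, new = rpf_drops(before), rpf_drops(after)
    verdicts = {}
    for iface, count in new.items():
        if count is None:
            verdicts[iface] = "counter absent"
        elif old.get(iface) is None:
            verdicts[iface] = f"{count} drops (no baseline)"
        elif count < old[iface]:
            verdicts[iface] = "counter reset"
        else:
            verdicts[iface] = f"{count - old[iface]} new drops"
    return verdicts

# Constructed captures. ethernet1 has the shape of the output in the post
# (no counter at all); the ethernet0 line that carries the counter is an
# assumed layout, not copied from a real device.
BEFORE = '''interface ethernet0 "outside" is up, line protocol is up
        1000 packets input, 64000 bytes, 0 no buffer
        900 packets output, 57600 bytes, 0 underruns, 3 unicast rpf drops
interface ethernet1 "inside" is up, line protocol is up
        132202347 packets input, 1301809850 bytes, 0 no buffer
        121728147 packets output, 4182466678 bytes, 0 underruns
'''
AFTER = BEFORE.replace("3 unicast rpf drops", "7 unicast rpf drops")

if __name__ == "__main__":
    for iface, verdict in compare(BEFORE, AFTER).items():
        print(f"{iface}: {verdict}")
```

A verdict of "counter absent" is distinct from zero drops: it means the capture gives no information about reverse-path filtering on that interface, which is the situation described in the original post.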