6-20
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 6 Adding and Managing Security Contexts
Managing Security Contexts
Xlates 8526 8966 N/A 0 Summary
Hosts 254 254 N/A 0 Summary
Conns [rate] 270 535 N/A 1704 Summary
Inspects [rate] 270 535 N/A 0 Summary
S = System: Combined context limits exceed the system limit; the system limit is shown.
The following is sample output from the show resource usage summary command, which shows the
limits for 25 contexts. Because the context limit for Telnet and SSH connections is 5 per context, then
the combined limit is 125. The system limit is only 100, so the system limit is shown.
hostname# show resource usage summary
Resource Current Peak Limit Denied Context
Telnet 1 1 100[S] 0 Summary
SSH 2 2 100[S] 0 Summary
Conns 56 90 N/A 0 Summary
Hosts 89 102 N/A 0 Summary
S = System: Combined context limits exceed the system limit; the system limit is shown.
The following is sample output from the show resource usage system command, which shows the
resource usage for all contexts, but it shows the system limit instead of the combined context limits. The
counter all 0 option is used to show resources that are not currently in use. The Denied statistics indicate
how many times the resource was denied due to the system limit, if available.
hostname# show resource usage system counter all 0
Resource Current Peak Limit Denied Context
Telnet 0 0 100 0 System
SSH 0 0 100 0 System
ASDM 0 0 32 0 System
Syslogs [rate] 1 18 N/A 0 System
Conns 0 1 280000 0 System
Xlates 0 0 N/A 0 System
Hosts 0 2 N/A 0 System
Conns [rate] 1 1 N/A 0 System
Inspects [rate] 0 0 N/A 0 System
Monitoring SYN Attacks in Contexts
The security appliance prevents SYN attacks using TCP Intercept. TCP Intercept uses the SYN cookies
algorithm to prevent TCP SYN-flooding attacks. A SYN-flooding attack consists of a series of SYN
packets usually originating from spoofed IP addresses. The constant flood of SYN packets keeps the
server SYN queue full, which prevents it from servicing connection requests. When the embryonic
connection threshold of a connection is crossed, the security appliance acts as a proxy for the server and
generates a SYN-ACK response to the client SYN request. When the security appliance receives an ACK
back from the client, it can then authenticate the client and allow the connection to the server.
You can monitor the rate of attacks for individual contexts using the show perfmon command; you can
monitor the amount of resources being used by TCP intercept for individual contexts using the show
resource usage detail command; you can monitor the resources being used by TCP intercept for the
entire system using the show resource usage summary detail command.
The following is sample output from the show perfmon command that shows the rate of TCP intercepts
for a context called admin.
hostname/admin# show perfmon
Context:admin
PERFMON STATS: Current Average
Xlates 0/s 0/s
To Next Page
Loading...
Need help?
General