So I'm looking at the "show perfmon" output from my ASA (5550, 9.0 software), and am confused by the "VALID CONNS RATE in TCP INTERCEPT" output:
```
primary-int# sh perfmon
PERFMON STATS:                                   Current      Average
Xlates                                             111/s          0/s
Connections                                        155/s          0/s
TCP Conns                                          106/s          0/s
UDP Conns                                           45/s          0/s
URL Access                                          66/s          0/s
URL Server Req                                      41/s          0/s
TCP Fixup                                         3761/s          0/s
TCP Intercept Established Conns                      0/s          0/s
TCP Intercept Attempts                               0/s          0/s
TCP Embryonic Conns Timeout                          3/s          0/s
HTTP Fixup                                        3761/s          0/s
FTP Fixup                                            9/s          0/s
AAA Authen                                           0/s          0/s
AAA Author                                           0/s          0/s
AAA Account                                          0/s          0/s
VALID CONNS RATE in TCP INTERCEPT:               Current      Average
                                                     N/A       5027.59%
```
I can't really figure out what this means, nor why it's such a ridiculously high number… though I suspect the latter is due to this being a failover ASA in an HA pair, which has been powered on and in standby state for several months. Of course, I didn't get a chance to look at these numbers on the primary. 🙁
So, a two-part question:

1. What does "VALID CONNS RATE in TCP INTERCEPT" mean? and
2. Why is the average so extraordinarily high?
Best Answer
TCP Intercept is a firewall function (ASA or IOS) that acts as an inline proxy for all TCP connections, vs. mere inspection and passing through (with possible NAT rewrite). This is a means of SYN flood protection. "Valid conns rate" is the rate of valid (fully completed TCP three-way handshake) connections forming when this feature is enabled.
Bug? I'm assuming you do not have the tcp-intercept feature enabled, so it's using nonsense numbers and/or attempting to divide by zero.
[See Also: TCP intercept Feature on the ASA device]
(PS: I'm not a fan of Cisco's blog documentation.)
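As an added illustration of the point the answer makes (not code from the question, the answer, or Cisco): a small parser for `show perfmon` output that pulls out the TCP intercept counters and derives the valid-connections percentage itself, returning "undefined" rather than a number when there have been no intercept attempts. The formula used, established intercept connections divided by intercept attempts, is an assumption for illustration only; the ASA does not document how it computes the figure it prints. The first sample is the output quoted in the question; the second is a constructed sample with nonzero intercept counters.

```python
"""Parse ASA `show perfmon` output and sanity-check the TCP intercept ratio.

Added example, not from the original post or from Cisco. The ratio below
(established intercept conns / intercept attempts, in percent) is an
ASSUMED formula chosen to illustrate the divide-by-zero case; the ASA's
own "VALID CONNS RATE in TCP INTERCEPT" derivation is not documented.
"""
import re
from typing import Dict, Optional, Tuple

# One counter row: a name, then "<n>/s" for Current and "<n>/s" for Average.
# Header lines and the "N/A  5027.59%" row do not match and are skipped.
COUNTER_ROW = re.compile(r"^(?P<name>.+?)\s+(?P<cur>\d+)/s\s+(?P<avg>\d+)/s\s*$")

# Sample 1: the output quoted in the question (standby unit, no intercept activity).
PERFMON_STANDBY = """\
PERFMON STATS:                                   Current      Average
Xlates                                             111/s          0/s
Connections                                        155/s          0/s
TCP Conns                                          106/s          0/s
UDP Conns                                           45/s          0/s
URL Access                                          66/s          0/s
URL Server Req                                      41/s          0/s
TCP Fixup                                         3761/s          0/s
TCP Intercept Established Conns                      0/s          0/s
TCP Intercept Attempts                               0/s          0/s
TCP Embryonic Conns Timeout                          3/s          0/s
HTTP Fixup                                        3761/s          0/s
FTP Fixup                                            9/s          0/s
AAA Authen                                           0/s          0/s
AAA Author                                           0/s          0/s
AAA Account                                          0/s          0/s
VALID CONNS RATE in TCP INTERCEPT:               Current      Average
                                                     N/A       5027.59%
"""

# Sample 2: CONSTRUCTED output for an active unit absorbing a SYN flood,
# so the intercept counters are nonzero. These numbers are made up.
PERFMON_ACTIVE = """\
PERFMON STATS:                                   Current      Average
Connections                                       2400/s       1800/s
TCP Conns                                         2300/s       1700/s
TCP Intercept Established Conns                     40/s         55/s
TCP Intercept Attempts                             500/s        110/s
TCP Embryonic Conns Timeout                        460/s         55/s
"""


def parse_perfmon(text: str) -> Dict[str, Tuple[int, int]]:
    """Return {counter name: (current, average)} for every "<n>/s <n>/s" row."""
    stats: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines():
        m = COUNTER_ROW.match(line)
        if m:
            stats[m.group("name")] = (int(m.group("cur")), int(m.group("avg")))
    return stats


def valid_conns_rate(stats: Dict[str, Tuple[int, int]], column: int = 0) -> Optional[float]:
    """Assumed ratio: established intercept conns / intercept attempts, in percent.

    column 0 = Current, 1 = Average. Returns None instead of dividing by zero,
    which is exactly the situation on a standby unit (or any unit where TCP
    intercept never engaged): with zero attempts the figure is undefined and
    whatever the box prints for it should not be alerted on.
    """
    established = stats.get("TCP Intercept Established Conns", (0, 0))[column]
    attempts = stats.get("TCP Intercept Attempts", (0, 0))[column]
    if attempts == 0:
        return None
    return round(100.0 * established / attempts, 2)


def intercept_summary(text: str) -> str:
    """Human-readable one-liner for a monitoring check."""
    stats = parse_perfmon(text)
    rate = valid_conns_rate(stats)
    if rate is None:
        return "no TCP intercept attempts; valid-conns rate undefined (ignore the reported average)"
    attempts = stats["TCP Intercept Attempts"][0]
    return f"valid conns rate {rate}% of {attempts} intercept attempts/s"


if __name__ == "__main__":
    for label, text in (("standby", PERFMON_STANDBY), ("active", PERFMON_ACTIVE)):
        print(f"{label}: {intercept_summary(text)}")
```

If you poll `show perfmon` from a script, compute the ratio from the two intercept counters yourself (as above) instead of scraping the percentage line, and treat zero attempts as "no data" rather than as a 0% or 5000% result.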