show services stateful-firewall statistics

Name of an adaptive services interface.

Name of a service set.

Rule match counters for new flows:

• Rule Accepts—New flows accepted.

• Rule Discards—New flows discarded.

• Rule Rejects—New flows rejected.

Rule match counters for existing flows:

• Accepts—Match existing forward or watch flow.

• Drop—Match existing discard flow.

• Rejects—Match existing reject flow.

Hairpinning counters:

• Slow Path Hairpinned Packets—Slow path packets that were hairpinned back to the internal network.

• Fast Path Hairpinned Packets—Fast path packets that were hairpinned back to the internal network.

Drop counters:

• IP option—Packets dropped in IP options processing.

• TCP SYN defense—Packets dropped by SYN defender.

• NAT ports exhausted—Hide mode. The router has no available Network Address Translation (NAT) ports for a given address or pool.

• Sessions dropped due to subscriber flow limit—Sessions dropped because the subscriber’s flow limit was exceeded.

Total errors, categorized by protocol:

• IP—Total IP version 4 errors.

• TCP—Total Transmission Control Protocol (TCP) errors.

• UDP—Total User Datagram Protocol (UDP) errors.

• ICMP—Total Internet Control Message Protocol (ICMP) errors.

• Non-IP packets—Total non-IPv4 errors.

• ALG—Total application-level gateway (ALG) errors

IPv4 errors:

• IP packet length inconsistencies—IP packet length does not match the Layer 2 reported length.

• Minimum IP header length check failures—Minimum IP header length is 20 bytes. The received packet contains less than 20 bytes.

• Reassembled packet exceeds maximum IP length—After fragment reassembly, the reassembled IP packet length exceeds 65,535.

• Illegal source address 0—Source address is not a valid address. Invalid addresses are, loopback, broadcast, multicast, and reserved addresses. Source address 0, however, is allowed to support BOOTP and the destination address 0xffffffff.

• Illegal destination address 0—Destination address is not a valid address.  The address is reserved.

• TTL zero errors—Received packet had a time-to-live (TTL) value of 0.

• Illegal IP protocol number (0 or 255)—IP protocol is 0 or 255.

• Land attack—IP source address is the same as the destination address.

• Non-IPv4 packets—Packet was not IPv4. (Only IPv4 is supported.)

• Bad checksum—Packet had an invalid IP checksum.

• Illegal IP fragment length—Illegal fragment length. All fragments (other than the last fragment) must have a length that is a multiple of 8 bytes.

• IP fragment overlap—Fragments have overlapping fragment offsets.

• IP fragment reassembly timeout—Some of the fragments for an IP packet were not received in time, and the reassembly handler dropped partial fragments.

• IP fragment limit exceeded: 0—Fragments that exceeded the limit.

• Unknown: 0—Unknown fragments.

TCP protocol errors:

• TCP header length inconsistencies—Minimum TCP header length is 20 bytes, and the IP packet received does not contain at least 20 bytes.

• Source or destination port number is zero—TCP source or destination port is zero.

• Illegal sequence number and flags combinations — Dropped because of TCP errors, such as an illegal sequence number, which causes an illogical combination of flags to be set.

• SYN attack (multiple SYN messages seen for the same flow)—Multiple SYN packets received for the same flow are treated as a SYN attack. The packets might be retransmitted SYN packets and therefore valid, but a large number is cause for concern.

• First packet not a SYN message—First packets for a connection are not SYN packets. These packets might originate from previous connections or from someone performing an ACK/FIN scan.

• TCP port scan (TCP handshake, RST seen from server for SYN)—In the case of a SYN defender, if an RST (reset) packet is received instead of a SYN/ACK message, someone is probably trying to scan the server. This behavior can result in false alarms if the RST packet is not combined with an intrusion detection service (IDS).

• Bad SYN cookie response—SYN cookie generates a SYN/ACK message for all incoming SYN packets. If the ACK received for the SYN/ACK message does not match, this counter is incremented.

• TCP reconstructor sequence number error—This counter is incremented in the following cases:

  The TCP seqno is 0 and all the TCP flags are also 0.

  The TCP seqno is 0 and FIN/PSH/URG TCP flags are set.

• TCP reconstructor retransmissions—This counter is incremented for the retransmitted packets during connection 3-way handshake.

• TCP partially opened connection timeout (SYN)—This counter is incremented when the SYN Defender is enabled and the 3-way handshake is not completed within the SYN DEFENDER TIMEOUT. The connection will be closed and resources will be released by sending RST to the responder.

• TCP partially opened connection timeout (SYN-ACK)—This counter is incremented when the SYN Defender is enabled and the 3-way handshake is not completed within the SYN DEFENDER TIMEOUT. The connection will be closed and resources will be released by sending RST to the responder.

• TCP partially closed connection reuse—Not supported.

• TCP 3-way error - client sent SYN+ACK—A SYN/ACK should be sent by the server on receiving a SYN. This counter is incremented when the first message received from the initiator is SYN+ACK.

• TCP 3-way error - server sent ACK—ACK should be sent by the client on receiving a SYN/ACK from the server. This counter is incremented when the ACK is received from the Server instead of from the Client.

• TCP 3-way error - SYN seq number retransmission mismatch—This counter is incremented when the SYN is received again with a different sequence number from the first SYN sequence number.

• TCP 3-way error - RST seq number mismatch—A reset could be received from either side. The server could send a RST on receiving a SYN or the client could send a RST on receiving SYN/ACK. This counter is incremented when the RST is received either from the client or server with a non-matching sequence number.

• TCP 3-way error - FIN received—This counter is incremented when the FIN is received during the 3-way handshake.

• TCP 3-way error - invalid flags (PSH, URG, ECE, CWR)—This counter is incremented when any of the PSH, URG, ECE, or CWR flags were received during the 3-way handshake.

• TCP 3-way error - SYN recvd but no client flows—This counter is incremented when SYN is received but not from the connection initiator. The counter is not incremented in the case of simultaneous open, when the SYN is received in both the directions.

• TCP 3-way error - first packet SYN+ACK—The first packet received was SYN+ACK instead of SYN.

• TCP 3-way error - first packet FIN+ACK—The first packet received was FIN+ACK instead of SYN.

• TCP 3-way error - first packet FIN—The first packet received was FIN instead of SYN.

• TCP 3-way error - first packet RST—The first packet received was RST instead of SYN.

• TCP 3-way error - first packet ACK—The first packet received was ACK instead of SYN.

• TCP 3-way error - first packet invalid flags (PSH, URG, ECE, CWR)—The first packet received had invalid flags.

• TCP Close error - no final ACK—This counter is incremented when ACK is not received after the FINs are received from both directions.

• TCP Resumed Flow—Plain ACKs create flows if rule match permits, and these are classified as TCP Resumed Flows. This counter is incremented in the case of a TCP Resumed Flow.

UDP protocol errors:

• IP data length less than minimum UDP header length (8 bytes)—Minimum UDP header length is 8 bytes. The received IP packets contain less than 8 bytes.

• Source or destination port is zero—UDP source or destination port is 0.

• UDP port scan (ICMP error seen for UDP flow)—ICMP error is received for a UDP flow. This could be a genuine UDP flow, but it is counted as an error.

ICMP protocol errors:

• IP data length less than minimum ICMP header length (8 bytes)—ICMP header length is 8 bytes. This counter is incremented when received IP packets contain less than 8 bytes.

• ICMP error length inconsistencies—Minimum length of an ICMP error packet is 48 bytes, and the maximum length is 576 bytes. This counter is incremented when the received ICMP error falls outside this range.

• Duplicate ping sequence number—Received ping packet has a duplicate sequence number.

• Mismatched ping sequence number—Received ping packet has a mismatched sequence number.

• No matching flow—No matching existing flow was found for the ICMP error.

Accumulation of all the application-level gateway protocol (ALG) drops counted separately in the ALG context:

• BOOTP—Bootstrap protocol errors

• DCE-RPC—Distributed Computing Environment-Remote Procedure Call protocols errors

• DCE-RPC portmap—Distributed Computing Environment-Remote Procedure Call protocols portmap service errors

• DNS—Domain Name System protocol errors

• Exec—Exec errors

• FTP—File Transfer Protocol errors

• H323—H.323 standards errors

• ICMP—Internet Control Message Protocol errors

• IIOP—Internet Inter-ORB Protocol errors

• Login—Login errors

• NetBIOS—NetBIOS errors

• Netshow—NetShow errors

• Real Audio—RealAudio errors

• RPC—Remote Procedure Call protocol errors

• RPC portmap—Remote Procedure Call protocol portmap service errors

• RTSP—Real-Time Streaming Protocol errors

• Shell—Shell errors

• SIP—Session Initiation Protocol errors

• SNMP—Simple Network Management Protocol errors

• SQLNet—SQLNet errors

• TFTP—Trivial File Transfer Protocol errors

• Traceroute—Traceroute errors

• Maximum Ingress Drop flows allowed-–Maximum number of ingress flow drops allowed.

• Maximum Egress Drop flows allowed-–Maximum number of egress flow drops allowed.

• Current Ingress Drop flows-–Current number of ingress flow drops.

• Current Egress Drop flows-–Current number of egress flow drops.

• Ingress Drop Flow limit drops count-–Number of ingress flow drops due to maximum number of ingress flow drops being exceeded.

• Egress Drop Flow limit drops count-–Number of egress flow drops due to maximum number of egress flow drops being exceeded.