Cisco Virtual Security Gateway for KVM Troubleshooting Guide, Release 5.2(1)VSG2(1.3)

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents

Find Matches in This Book

Results

Updated:: May 26, 2015

Chapter: Troubleshooting Cisco VSG Flow Issues on KVM VEM Module

Understanding KLM Flow Messages
Troubleshooting TCP State Connection Objects

Troubleshooting Cisco VSG Flow Issues on KVM VEM Module

This chapter describes how to troubleshoot Cisco Virtual Security Gateway (VSG) flow issues on KVM VEM module.

This chapter includes the following sections:

Understanding KLM Flow Messages

The Cisco vPath support on KVM is limited to a VSG type service node. The flows are offloaded to the KLM when the VSG decides to offload a PERMIT or DENY action to the VEM. When offloaded, KLM flows with following actions are created: vpath_permit, vpath_permit_tcp, and vpath_deny. Table 9-1 lists the messages generated:

Table 9-1 KLM Flow Messages

KLM Flow	Information
ICMP deny flow	key=in_port:21,vlan:120,dmac:06:0d:eb:00:80:01,smac:06:0d:eb:00:70:01,etype:0x0800,dip:172.23.128.8,sip:172.23.128.7,proto:1,tos:0,dport:0,sport:8 actions=vpath_deny: pkts=1 bytes=98 drops=1 punts=0
ICMP permit flow	key=in_port:21,vlan:120,dmac:06:0d:eb:00:80:01,smac:06:0d:eb:00:50:01,etype:0x0800,dip:172.23.128.8,sip:172.23.128.5,proto:1,tos:0,dport:0,sport:8 actions=vpath_permit : pkts=10 bytes=980 drops=0 punts=0
UDP permit flow	key=in_port:51,vlan:120,dmac:06:0d:eb:00:50:01,smac:06:0d:eb:00:80:01,etype:0x0800,dip:172.23.128.5,sip:172.23.128.8,proto:17,tos:0,dport:47161,sport:44260 actions=vpath_permit : pkts=1003114 bytes=1452509072 drops=0 punts=0
TCP permit flow	key=in_port:21,vlan:120,dmac:06:0d:eb:00:80:01,smac:06:0d:eb:00:50:01,etype:0x0800,dip:172.23.128.8,sip:172.23.128.5,proto:6,tos:0,dport:2083,sport:59759 actions=vpath_permit_tcp :0141000001000000 pkts=4 bytes=292 drops=0 punts=0

Troubleshooting TCP State Connection Objects

When TCP permit flows are offloaded to the KLM, connection objects are programmed in the KLM to facilitate TCP state verification, which is performed as part of the vpath_permit_tcp action.You can use the vem cmd show klm vpath command to list statistics related to TCP state connection objects:

[root@kvm-cuda5 ~]# vemcmd show klm vpath

num_conns: 2

num_conn_adds: 27

num_conn_dels: 25

num_conn_gets: 152

num_conn_sets: 152

where,

num_conns: Indicates the number of connection objects currently programmed in the KLM.

Note The remaining stats indicate the number of times operations have been performed to add, delete, fetch, and set connection objects in the KLM.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)