Cisco ASA Troubleshooting Commands _ Itsecworks
March 26, 2018 | Author: LinuxManCR | Category: Firewall (Computing), Transmission Control Protocol, Data Transmission, Telecommunications Standards, Computer Standards
itsecworks | It is all about security and co

Cisco ASA troubleshooting commands
Posted on September 18, 2013

From my requirements for any layer 3 network security device I collected the basic commands you have to know, or you will not be able to manage your device.

1.0 Check the basic settings and firewall states
    Check the system status
    Check the hardware performance
    Check the High Availability state
    Check the session table of the firewall
2.0 Check the interface settings
    Check the state, speed, duplex and IP of the interfaces
    Check the ARP table
3.0 Check the routing table
    Check the matching route
4.0 VPN troubleshooting
    Change the tunnel state
    Check the tunnel state
    Check packet counters for the tunnel
    Check the uptime of the VPN tunnels
5.1 Sniffer trace
5.2 Test traffic through the firewall
5.3 Test TCP traffic from the firewall
6.0 View logging on the CLI
    Configure logging
    Viewing the logs
7.0 Inspection and asp-drop
8.0 Threat detection (check the top talkers)
9.0 Backup and restore

1.0 Check the basic settings and firewall states

Check the system status

To see the software version, the operational mode (routed or transparent), the HA state and the system time:

myfirewall/pri/act# show firewall
Firewall mode: Router

myfirewall/pri/act# show version

Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 7.1(1)52

Compiled on Wed 28-Nov-12 10:38 by builders
System image file is "disk0:/asa911-k8.bin"
Config file at boot was "startup-config"

myfirewall up 218 days 1 hour
failover cluster up 5 years 10 days

Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz,
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xfff00000, 1024KB

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x0)
                             Boot microcode        : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.08
                             Number of accelerators: 1

 0: Ext: GigabitEthernet0/0  : address is 001f.abcc.a8c6, irq 9
 1: Ext: GigabitEthernet0/1  : address is 001f.abcc.a5e7, irq 9
 2: Ext: GigabitEthernet0/2  : address is 001f.abcc.a5e8, irq 9
 3: Ext: GigabitEthernet0/3  : address is 001f.abcc.a5e9, irq 9
 4: Ext: Management0/0       : address is 001f.abcc.a5ea, irq 11
 5: Int: Not used            : irq 11
 6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has an ASA 5520 VPN Plus license.

Failover cluster licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 4              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 4              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 4              perpetual
Total UC Proxy Sessions           : 4              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has an ASA 5520 VPN Plus license.

Serial Number: JMX4567L1DA
Running Permanent Activation Key: 0x650e6758 0x345sb616 0x1233615a 0xc234fca3 0x111
Configuration register is 0x1
Configuration last modified by admin at 10:41:22.791 CEDT Fri Sep 13 2013

The "failover cluster" block is the licenses of the two units added together (4 contexts and 4 AnyConnect Premium peers for a pair licensed for 2 each), which is how a failover pair is licensed.

The failover state:

myfirewall/pri/act(config)# sh failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Ifc Failure              17:38:56 CEDT Jun 10 2013
                              dmz5: Failed
                              inside: Failed

====Configuration State===
        Sync Done
        Sync Done - STANDBY
====Communication State===
        Mac set

"Last Failure Reason" is history, not the current state: here the secondary lost dmz5 and inside in June and has since recovered to Standby Ready.
To see what the firewall has inspected so far, the traffic mix for the enabled inspections:

myfirewall/pri/act(config)# sh service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 14657730, drop 1226951, reset-drop 0, v6-fail-close 0
      Inspect: ftp, Inspect: tftp, Inspect: dcerpc, Inspect: icmp, Inspect: icmp error, Inspect: netbios
        (one line each with the same packet, drop, reset-drop and v6-fail-close counters)
      tcp-proxy: bytes in buffer 0, bytes dropped 0

A drop counter that keeps climbing on one inspection (dns here) is the first thing to correlate with the asp-drop counters and with the logs.

Check the hardware performance

To see the state of the CPU and the memory:

myfirewall/pri/act(config)# sh cpu usage
CPU utilization for 5 seconds = 8%; 1 minute: 9%; 5 minutes: 9%

myfirewall/pri/act(config)# sh memory
Free memory:        1722679208 bytes (80%)
Used memory:         424804440 bytes (20%)
-------------     ------------------
Total memory:       2147483648 bytes (100%)

Per process, sorted by CPU usage. On a lightly loaded box only the Dispatch Unit, the data-plane process, shows anything above a fraction of a percent:

myfirewall/pri/act# show processes cpu-usage sorted
PC         Thread       5Sec     1Min     5Min   Process
0x0827e731 0x6e5d2d8c   8.7%     8.4%     8.5%   Dispatch Unit
(ssh, ARP Thread, IP Thread, CTM message handler, fover_health_monitoring_thread, update_cpu_usage, vpnfol_thread_timer and the rest follow, all below 1%)

myfirewall/pri/act# show processes internals
Invoked      Giveups      Max_Runtime    Process
(one row per process: lina_int, CMGR Timer Process, CF OIR, block_diag, WebVPN KCD Process, aaa_shim_thread, Reload Control Thread, UserFromCert Thread, aaa, Dispatch Unit, CMGR Server Process, CTM Daemon, SXP CORE and the rest)

myfirewall/pri/act(config)# sh perfmon

PERFMON STATS:                   Current      Average
Xlates                               0/s          0/s
Connections                          0/s          0/s
TCP Conns                            0/s          0/s
UDP Conns                            0/s          0/s
URL Access                           0/s          0/s
URL Server Req                       0/s          0/s
TCP Fixup                            0/s          0/s
TCP Intercept Established Conns      0/s          0/s
TCP Intercept Attempts               0/s          0/s
TCP Embryonic Conns Timeout          0/s          0/s
HTTP Fixup                           0/s          0/s
FTP Fixup                            0/s          0/s
AAA Authen                           0/s          0/s
AAA Author                           0/s          0/s
AAA Account                          0/s          0/s

VALID CONNS RATE in TCP INTERCEPT:   Current      Average
                                     N/A          100.00%

show perfmon is rate based (events per second), so an idle firewall shows 0/s everywhere; a non-zero "TCP Intercept Attempts" or "TCP Embryonic Conns Timeout" rate is what a SYN flood looks like here.

Check the High Availability state

To get the High Availability state, use show failover and its sub-commands:

myfirewall/pri/act(config)# show failover ?

exec mode commands/options:
  descriptor  Show failover interface descriptors. Two numbers are shown for each
              interface. When exchanging information regarding a particular
              interface, this unit uses the first number in messages it sends to
              its peer. And it expects the second number in messages it receives
              from its peer. For troubleshooting, collect the show output from
              both units and verify that the numbers match.
  exec        Show failover command execution information
  history     Show failover switching history
  interface   Show failover command interface information
  state       Show failover internal state information
  statistics  Show failover command interface statistics information
  |           Output modifiers

Check the failover state:

myfirewall/pri/act(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
Version: Ours 9.1(1), Mate 9.1(1)
Last Failover at: 07:31:49 CEST Feb 12 2013
        This host: Primary - Active
                Active time: 18841674 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/9.1(1)) status (Up Sys)
                  Interface dmz5 (192.168.36.5): Normal (Monitored)
                  Interface dmz6 (192.168.47.1): Normal (Monitored)
                  Interface inside (172.24.3.1): Normal (Monitored)
                  Interface oob (192.168.99.1): Normal (Not-Monitored)
                  Interface management (0.0.0.0): No Link (Not-Monitored)
                slot 1: empty
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/9.1(1)) status (Up Sys)
                  Interface dmz5 (192.168.36.6): Normal (Monitored)
                  Interface dmz6 (192.168.47.2): Normal (Monitored)
                  Interface inside (172.24.3.2): Normal (Monitored)
                  Interface oob (192.168.99.2): Normal (Not-Monitored)
                  Interface management (0.0.0.0): Normal (Not-Monitored)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : failover GigabitEthernet0/2 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         372747905  0          2453073    0
        sys cmd         2452421    0          2452415    0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        1275302    0          0          0
        UDP conn        17706401   0          36         0
        ARP tbl         351007284  0          621        0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKEv1 SA    0          0          0          0
        VPN IKEv1 P2    0          0          0          0
        VPN IKEv2 SA    0          0          0          0
        VPN IKEv2 P2    0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0
        Route Session   306520     0          0          0
        User-Identity   5          0          1          0
        CTS SGTNAME     0          0          0          0
        CTS PAC         0          0          0          0
        TrustSec-SXP    0          0          0          0
        IPv6 Route      0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       88      2453116
        Xmit Q:         0       29      381560801

With "Interface Policy 1" a single failed monitored interface is enough to trigger a failover; oob and management are not monitored, so their state never counts. The xerr/rerr columns of the stateful link should stay at 0: errors there mean the standby is not receiving a complete session table and a failover will drop connections.

myfirewall/pri/act(config)# show failover interface
        interface failover GigabitEthernet0/2
                System IP Address: 192.168.92.109 255.255.255.252
                My IP Address    : 192.168.92.109
                Other IP Address : 192.168.92.110

myfirewall/pri/act(config)# show failover descriptor
dmz5       send: 000200000e000000 receive: 000200000e000000
dmz6       send: 0002000041000000 receive: 0002000041000000
inside     send: 0002010064000000 receive: 0002010064000000
oob        send: 00020300ffff0000 receive: 00020300ffff0000
management send: 01010000ffff0000 receive: 01010000ffff0000

myfirewall/pri/act(config)# show failover history
==========================================================================
From State                 To State                   Reason
==========================================================================
07:30:59 CEST Feb 12 2013
Not Detected               Negotiation                No Error
07:31:03 CEST Feb 12 2013
Negotiation                Cold Standby               Detected an Active mate
07:31:05 CEST Feb 12 2013
Cold Standby               Sync Config                Detected an Active mate
07:31:15 CEST Feb 12 2013
Sync Config                Sync File System           Detected an Active mate
07:31:15 CEST Feb 12 2013
Sync File System           Bulk Sync                  Detected an Active mate
07:31:29 CEST Feb 12 2013
Bulk Sync                  Standby Ready              Detected an Active mate
07:31:49 CEST Feb 12 2013
Standby Ready              Just Active                HELLO not heard from mate
07:31:49 CEST Feb 12 2013
Just Active                Active Drain               HELLO not heard from mate
07:31:49 CEST Feb 12 2013
Active Drain               Active Applying Config     HELLO not heard from mate
07:31:49 CEST Feb 12 2013
Active Applying Config     Active Config Applied      HELLO not heard from mate
07:31:49 CEST Feb 12 2013
Active Config Applied      Active                     HELLO not heard from mate
==========================================================================

The history reads as a story: the unit booted, found an active mate, synchronised config, file system and state, and 20 seconds after reaching Standby Ready took over because the mate stopped answering hellos.

myfirewall/pri/act(config)# show failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Ifc Failure              17:38:56 CEDT Jun 10 2013
                              dmz5: Failed
                              inside: Failed

====Configuration State===
        Sync Done
        Sync Done - STANDBY
====Communication State===
        Mac set

myfirewall/pri/act(config)# show failover statistics
        tx:384585696
        rx:29127977
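As an added example (not part of the original post), here is a small Python script that applies the two checks described above to captured output: it compares show failover descriptor from both units the way the command help says to (what this unit sends must be what the peer expects to receive, and vice versa), and in show failover it flags a peer that is not Standby Ready and any monitored interface that is not Normal. The sample outputs embedded in it are constructed in the page's format, not real device output.

```python
import re

# Constructed sample output in the format of `show failover descriptor`,
# one capture per unit (values made up for the example). The secondary's
# 'inside' receive value is deliberately off by one nibble.
PRIMARY_DESCRIPTOR = """\
dmz5 send: 000200000e000000 receive: 000200000e000000
dmz6 send: 0002000041000000 receive: 0002000041000000
inside send: 0002010064000000 receive: 0002010064000000
"""
SECONDARY_DESCRIPTOR = """\
dmz5 send: 000200000e000000 receive: 000200000e000000
dmz6 send: 0002000041000000 receive: 0002000041000000
inside send: 0002010064000000 receive: 0002010065000000
"""

# Constructed sample in the format of `show failover`, trimmed to the lines
# the check reads. The peer's dmz6 is deliberately marked Failed.
SHOW_FAILOVER = """\
Failover On
Failover unit Primary
This host: Primary - Active
        Interface dmz5 (192.168.36.5): Normal (Monitored)
        Interface dmz6 (192.168.47.1): Normal (Monitored)
        Interface inside (172.24.3.1): Normal (Monitored)
        Interface oob (192.168.99.1): Normal (Not-Monitored)
Other host: Secondary - Standby Ready
        Interface dmz5 (192.168.36.6): Normal (Monitored)
        Interface dmz6 (192.168.47.2): Failed (Monitored)
        Interface inside (172.24.3.2): Normal (Monitored)
        Interface oob (192.168.99.2): No Link (Not-Monitored)
"""

DESC_RE = re.compile(r"^(\S+)\s+send:\s*([0-9a-fA-F]+)\s+receive:\s*([0-9a-fA-F]+)", re.M)
HOST_RE = re.compile(r"^(This host|Other host): (\S+) - (.+?)\s*$")
IFACE_RE = re.compile(r"Interface (\S+) \(([\d.]+)\): (.+?) \((Monitored|Not-Monitored)\)")


def parse_descriptors(text):
    """Map interface name -> (send, receive) from `show failover descriptor`."""
    return {name: (send, recv) for name, send, recv in DESC_RE.findall(text)}


def descriptor_mismatches(local_text, peer_text):
    """Rule from the command help: what this unit sends for an interface must
    be what the peer expects to receive, and vice versa."""
    local, peer = parse_descriptors(local_text), parse_descriptors(peer_text)
    problems = []
    for name in sorted(set(local) | set(peer)):
        if name not in local or name not in peer:
            problems.append(f"{name}: descriptor present on only one unit")
            continue
        if local[name][0] != peer[name][1]:
            problems.append(f"{name}: local send {local[name][0]} != peer receive {peer[name][1]}")
        if local[name][1] != peer[name][0]:
            problems.append(f"{name}: local receive {local[name][1]} != peer send {peer[name][0]}")
    return problems


def parse_show_failover(text):
    """Return (host_state, interfaces): host_state maps 'This host'/'Other host'
    to its state string; interfaces is a list of (host, name, ip, status, monitored)."""
    host_state, interfaces, host = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            host_state[host] = m.group(3)
            continue
        m = IFACE_RE.search(line)
        if m and host is not None:
            interfaces.append((host, m.group(1), m.group(2), m.group(3), m.group(4) == "Monitored"))
    return host_state, interfaces


def failover_problems(text):
    """A healthy pair: the peer is 'Standby Ready' and every monitored interface
    is 'Normal' on both units. Unmonitored interfaces are skipped, which is
    exactly why an unmonitored link can fail without anyone noticing."""
    host_state, interfaces = parse_show_failover(text)
    problems = []
    peer = host_state.get("Other host")
    if peer != "Standby Ready":
        problems.append(f"peer state is {peer!r}, not 'Standby Ready'")
    for host, name, ip, status, monitored in interfaces:
        if monitored and status != "Normal":
            problems.append(f"{host}: {name} ({ip}) is {status}")
    return problems


if __name__ == "__main__":
    for p in descriptor_mismatches(PRIMARY_DESCRIPTOR, SECONDARY_DESCRIPTOR):
        print("descriptor:", p)
    for p in failover_problems(SHOW_FAILOVER):
        print("failover:", p)
```

Feed it the descriptor output captured on each unit (the script has to be run with both captures, since one unit alone cannot tell you whether its peer agrees) and the show failover output from the active unit; an empty list from both functions is the "all good" answer.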
Check the failover configuration:

myfirewall/pri/act(config)# sh run all failover
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/2
failover polltime unit 1 holdtime 15
failover polltime interface 5 holdtime 25
failover interface-policy 1
failover link failover GigabitEthernet0/2
failover interface ip failover 192.168.92.109 255.255.255.252 standby 192.168.92.110

Check the session table of the firewall

With a class-map you can cap the number of sessions, either for specific traffic or, as here with "match any", for everything:

myfirewall(config)# class-map CONNS
myfirewall(config-cmap)# match any
myfirewall(config-cmap)# policy-map CONNS
myfirewall(config-pmap)# class CONNS
myfirewall(config-pmap-c)# set connection conn-max 1000 embryonic-conn-max 3000

conn-max limits completed connections; embryonic-conn-max limits half-open TCP connections (SYN seen, handshake not finished) and switches on TCP Intercept for the class, which is what the "TCP Intercept" counters in show perfmon count. The policy-map still has to be applied with service-policy before it does anything.

The values from the session table of the firewall (the current usage against the configured maximum):

myfirewall/pri/act(config)# show conn ?

exec mode commands/options:
  address         Enter this keyword to specify IP address
  all             Enter this keyword to show conns including to-the-box and from-the-box
  count           Enter this keyword to show conn count only
  detail          Enter this keyword to show conn in detail
  long            Enter this keyword to show conn in long format
  port            Enter this keyword to specify port
  protocol        Enter this keyword to specify conn protocol
  scansafe        Enter this keyword to show conns being forwarded to scansafe server
  security-group  Enter this keyword to show security-group attributes in conns
  state           Enter this keyword to specify conn state
  user            Enter this keyword to specify conn user
  user-group      Enter this keyword to specify conn user group
  user-identity   Enter this keyword to show user names
  |               Output modifiers

myfirewall/pri/act(config)# show conn count
77 in use, 1013 most used

myfirewall/pri/act(config)# show conn state ?

exec mode commands/options:
  WORD  Enter any number of the following conn states using ',' as separator:
        up finin finout http_get smtp_data nojava data_in data_out sunrpc h225
        h323 sqlnet_fixup_data conn_inbound sip mgcp ctiqbe skinny service_module
        stub tcp_embryonic vpn_orphan

myfirewall/pri/act(config)# show conn state up
80 in use, 1013 most used
TCP dmz5 192.168.38.250:4634 inside 172.24.3.10:80, idle 0:00:00, bytes 597473
TCP dmz5 192.168.38.250:4633 inside 172.24.3.10:80, idle 0:00:00, bytes 12905
TCP dmz6 192.168.47.227:55339 dmz5 192.168.38.250:3389, idle 0:02:29, bytes 335503

The state tcp_embryonic lists the half-open connections, i.e. the ones counted against embryonic-conn-max; "most used" is the high-water mark since boot, and here it is already above the conn-max of 1000 set above.

You can filter to the session you are looking for (example):

myfirewall/pri/act(config)# show conn long address 192.168.47.10
74 in use, 1013 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, b - TCP state-bypass or nailed,
       C - CTIQBE media, c - cluster centralized,
       D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
       k - Skinny media, M - SMTP data, m - SIP media, n - GUP
       O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
       q - SQL*Net data, R - outside acknowledged FIN,
       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
       V - VPN orphan, W - WAAS,
       X - inspected by service module,
       x - per session, Y - director stub flow, y - backup stub flow,
       Z - Scansafe redirection, z - forwarding stub flow
TCP dmz6: 192.168.47.10/80 (192.168.47.10/80) dmz5: 192.168.38.227/65521 (192.168.38.227/65521)
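An added example, not from the original post: a parser for show conn that measures the table against the conn-max and embryonic-conn-max values configured above and points at the server that is collecting half-open connections (TCP conns whose flags lack "U - up"). The sample lines are constructed in the show conn format with the flags column; addresses and counters are made up, and which endpoint is the server is decided by the lower port number, a heuristic of this script rather than anything the ASA tells you.

```python
import re
from collections import Counter

# Constructed sample in the format of `show conn` on ASA 9.x: the flags column
# uses the legend printed by `show conn long` in the section above. Addresses
# are made up; the three 'saA' lines model half-open connections to one server.
SHOW_CONN = """\
80 in use, 1013 most used
TCP dmz5 192.168.38.250:4634 inside 172.24.3.10:80, idle 0:00:00, bytes 597473, flags UIO
TCP dmz6 192.168.47.227:55339 dmz5 192.168.38.250:3389, idle 0:02:29, bytes 335503, flags UIOB
UDP inside 172.24.3.40:63433 dmz5 192.168.38.2:53, idle 0:00:01, bytes 684, flags -
TCP dmz6 192.168.47.217:57429 inside 172.24.3.10:80, idle 0:00:11, bytes 0, flags saA
TCP dmz6 192.168.47.217:57430 inside 172.24.3.10:80, idle 0:00:09, bytes 0, flags saA
TCP dmz6 192.168.47.217:57431 inside 172.24.3.10:80, idle 0:00:07, bytes 0, flags saA
"""

COUNT_RE = re.compile(r"^(\d+) in use, (\d+) most used")
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<if1>\S+) (?P<ip1>[\d.]+):(?P<port1>\d+) "
    r"(?P<if2>\S+) (?P<ip2>[\d.]+):(?P<port2>\d+), idle (?P<idle>\S+), "
    r"bytes (?P<bytes>\d+)(?:, flags (?P<flags>\S+))?"
)


def parse_show_conn(text):
    """Return (in_use, most_used, conns); each conn is a dict of the regex's
    named groups with the numeric fields converted."""
    in_use = most_used = None
    conns = []
    for line in text.splitlines():
        m = COUNT_RE.match(line)
        if m:
            in_use, most_used = int(m.group(1)), int(m.group(2))
            continue
        m = CONN_RE.match(line)
        if m:
            c = m.groupdict()
            for k in ("port1", "port2", "bytes"):
                c[k] = int(c[k])
            c["flags"] = c["flags"] or ""
            conns.append(c)
    return in_use, most_used, conns


def is_embryonic(conn):
    """A TCP conn without the 'U - up' flag has not completed the handshake."""
    return conn["proto"] == "TCP" and "U" not in conn["flags"]


def listener(conn):
    """Heuristic (this script's assumption): the endpoint with the lower port
    number is the server side."""
    if conn["port2"] <= conn["port1"]:
        return f"{conn['ip2']}:{conn['port2']}"
    return f"{conn['ip1']}:{conn['port1']}"


def summarize(text, conn_max, embryonic_conn_max, high_water_pct=80.0, syn_threshold=3):
    """Compare the live table with the `set connection` limits and point at
    the servers accumulating half-open connections."""
    in_use, most_used, conns = parse_show_conn(text)
    if in_use is None:          # no count header: fall back to what we parsed
        in_use = len(conns)
    embryonic = [c for c in conns if is_embryonic(c)]
    targets = Counter(listener(c) for c in embryonic)
    report = {
        "in_use": in_use,
        "most_used": most_used,
        "parsed": len(conns),
        "conn_max_pct": round(100.0 * in_use / conn_max, 1),
        "embryonic": len(embryonic),
        "embryonic_pct": round(100.0 * len(embryonic) / embryonic_conn_max, 1),
        "top_embryonic_targets": targets.most_common(3),
        "warnings": [],
    }
    if report["conn_max_pct"] >= high_water_pct:
        report["warnings"].append(f"{in_use} conns is {report['conn_max_pct']}% of conn-max {conn_max}")
    if most_used is not None and most_used > conn_max:
        report["warnings"].append(f"most used ({most_used}) already exceeded conn-max {conn_max}")
    for target, n in targets.most_common(3):
        if n >= syn_threshold:
            report["warnings"].append(f"{n} half-open connections to {target}")
    return report


if __name__ == "__main__":
    for key, value in summarize(SHOW_CONN, conn_max=1000, embryonic_conn_max=3000).items():
        print(f"{key:22s} {value}")
```

On a real box the half-open threshold should be set from a baseline, not from three lines; the interesting output is the target list, because a SYN flood against one server shows up there long before the global embryonic limit is reached.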
Check the traffic on the interfaces, the packet and byte counters:

myfirewall/pri/act(config)# show traffic
dmz5:
        received (in 1661754.416 secs):
                14637140684 packets     673671106797 bytes
                8001 pkts/sec   405002 bytes/sec
        transmitted (in 1661754.416 secs):
                14299138045 packets     572124451016 bytes
                8000 pkts/sec   344002 bytes/sec
      1 minute input rate 1382 pkts/sec,  67887 bytes/sec
      1 minute output rate 1354 pkts/sec,  67193 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 1375 pkts/sec,  53821 bytes/sec
      5 minute output rate 1345 pkts/sec,  54206 bytes/sec
      5 minute drop rate, 0 pkts/sec
dmz6:
        received (in 1661754.406 secs):
                38627911784 packets     53724170049557 bytes
                23002 pkts/sec  32329000 bytes/sec
        transmitted (in 1661754.406 secs):
                38728179279 packets     53732439765301 bytes
                23000 pkts/sec  32334000 bytes/sec
      1 minute input rate 3535 pkts/sec,  4923809 bytes/sec
      1 minute output rate 3546 pkts/sec,  4923119 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 3577 pkts/sec,  4993200 bytes/sec
      5 minute output rate 3589 pkts/sec,  4994000 bytes/sec
      5 minute drop rate, 0 pkts/sec
inside:
        received (in 1661754.416 secs):
                826826503 packets       60669330026 bytes
                1 pkts/sec      36000 bytes/sec
        transmitted (in 1661754.416 secs):
                245271895 packets       109518736779 bytes
                0 pkts/sec      65000 bytes/sec
      1 minute input rate 44 pkts/sec,  2772 bytes/sec
      1 minute output rate 25 pkts/sec,  13180 bytes/sec
      1 minute drop rate, 21 pkts/sec
      5 minute input rate 45 pkts/sec,  2829 bytes/sec
      5 minute output rate 28 pkts/sec,  14443 bytes/sec
      5 minute drop rate, 21 pkts/sec

The "since boot" averages are only good for a sanity check; the 1 and 5 minute rates are what you compare with a baseline. A drop rate that is not 0 (inside here, 21 pkts/sec) is the cue to look at show asp drop for the reason.
Check the timeout values in the firewall:

myfirewall2/pri/act# sh run timeout
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00

2.0 Check the interface settings

Check the state, speed, duplex and IP of the interfaces

Show the running config only for the interfaces with an IP address:

myfirewall/pri/act(config)# sh run ip address
!
interface GigabitEthernet0/0.14
 vlan 14
 nameif dmz5
 security-level 0
 ip address 192.168.36.5 255.255.255.248 standby 192.168.36.6
!
interface GigabitEthernet0/0.65
 vlan 65
 nameif dmz6
 security-level 0
 ip address 192.168.47.1 255.255.255.0 standby 192.168.47.2
!
interface GigabitEthernet0/1.100
 vlan 100
 nameif inside
 security-level 100
 ip address 172.24.3.1 255.255.255.0 standby 172.24.3.2

Show the IP addresses and the security levels only (this second firewall uses port-channels):

myfirewall2/pri/act# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask      Method
Port-channel1.721        inside                 172.17.5.5      255.255.255.0    CONFIG
Port-channel2            Failover               192.168.92.13   255.255.255.252  unset
Port-channel4.1001       dmz1                   5.5.131.151     255.255.255.192  CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask      Method
Port-channel1.721        inside                 172.17.5.5      255.255.255.0    CONFIG
Port-channel2            Failover               192.168.92.13   255.255.255.252  unset
Port-channel4.1001       dmz1                   5.5.131.151     255.255.255.192  CONFIG

On the active unit the two tables match; on the standby unit "Current IP Addresses" shows the standby addresses, which is a quick way to confirm which unit you are logged in to.

myfirewall2/pri/act# sh nameif
Interface                Name                     Security
Management0/0            management                 100
Port-channel1.721        inside                     100
Port-channel4.1001       dmz1                         0

Check the MAC address and the state of the interfaces. In the output you can see the following: interface name, MAC address, link state, speed, duplex, MTU, packet and byte counters, errors.
myfirewall/pri/act# show interface
Interface GigabitEthernet0/0 "", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is off
        Available but not configured via nameif
        MAC address 001f.abcc.a5e6, MTU not set
        IP address unassigned
        53280934440 packets input, 55516746848674 bytes, 0 no buffer
        Received 167625118 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        53043155385 packets output, 55671972432495 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 2 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops, 0 tx hangs
        input queue (blocks free curr/low): hardware (255/230)
        output queue (blocks free curr/low): hardware (255/122)
Interface GigabitEthernet0/0.14 "dmz5", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 14
        Description: dmz5
        MAC address 001f.abcc.a5e6, MTU 1500
        IP address 192.168.36.5, subnet mask 255.255.255.248
  Traffic Statistics for "dmz5":
        14641601950 packets input, 673897945554 bytes
        14303479193 packets output, 572298134370 bytes
        83451 packets dropped
Interface GigabitEthernet0/0.65 "dmz6", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 65
        Description: dmz6
        MAC address 001f.abcc.a5e6, MTU 1500
        IP address 192.168.47.1, subnet mask 255.255.255.0
  Traffic Statistics for "dmz6":
        38639332463 packets input, 53740092462779 bytes
        38739676247 packets output, 53748403391129 bytes
        51923927 packets dropped

Physical and sub-interface counters are separate: the errors (input errors, CRC, collisions, resets) live on the physical interface, the per-VLAN packet, byte and drop counters under the sub-interface. "Auto-Duplex(Half-duplex)" on a link that should be full duplex, or a climbing late-collision counter, is a duplex mismatch until proven otherwise.

Check the ARP table

This contains the permanent (static) and the dynamic ARP entries; the last column is the age of the entry in seconds:

myfirewall/pri/act# show arp
        dmz5 192.168.37.236 2c27.d733.a9e2 0
        dmz5 192.168.37.235 78ac.c0b2.4066 0
        dmz5 192.168.37.240 0019.9987.847c 0
        dmz5 192.168.37.226 2c27.d733.a89e 0
        dmz5 192.168.37.43 0020.4ab0.a59f 0

A MAC address that changes for the same IP between two runs is worth a second look: either a host was replaced or someone is answering ARP for an address that is not theirs.

3.0 Check the routing table

With show route you see the current routing table of the firewall: the static and the dynamic routes and the directly connected networks.

myfirewall/pri/act# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 172.24.2.2 to network 0.0.0.0

C    172.24.3.0 255.255.255.0 is directly connected, inside
C    192.168.36.0 255.255.255.248 is directly connected, dmz5
C    192.168.47.0 255.255.255.0 is directly connected, dmz6
C    192.168.99.0 255.255.255.0 is directly connected, oob
C    192.168.92.108 255.255.255.252 is directly connected, failover
S*   0.0.0.0 0.0.0.0 [1/0] via 172.24.2.2, inside
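An added example, not from the original post: a checker for the show interface output shown above that pulls out link state, duplex, speed, the physical error counters and the per-subinterface drop counter, and reports what a practitioner looks at first: half duplex, late collisions, CRC or input errors, a drop ratio above a threshold, and a link that is down without being administratively down. The output it parses is constructed in the page's format; the interface with errors (GigabitEthernet0/1) is made up to exercise the checks.

```python
import re

# Constructed sample in the format of `show interface`, abridged to the lines
# this check reads. Gi0/1 is deliberately shown at half duplex with CRC errors
# and late collisions, the classic duplex-mismatch signature; Gi0/3 is an
# unused port with no link. All figures are made up for the example.
SHOW_INTERFACE = """\
Interface GigabitEthernet0/0 "", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        53280934440 packets input, 55516746848674 bytes, 0 no buffer
        Received 167625118 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        53043155385 packets output, 55671972432495 bytes, 0 underruns
        0 output errors, 0 collisions, 2 interface resets
        0 late collisions, 0 deferred
Interface GigabitEthernet0/0.14 "dmz5", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 14
  Traffic Statistics for "dmz5":
        14641601950 packets input, 673897945554 bytes
        14303479193 packets output, 572298134370 bytes
        83451 packets dropped
Interface GigabitEthernet0/1 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
        120340 packets input, 9403210 bytes, 0 no buffer
        Received 1203 broadcasts, 0 runts, 0 giants
        412 input errors, 412 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        118222 packets output, 8800123 bytes, 0 underruns
        0 output errors, 37 collisions, 0 interface resets
        19 late collisions, 0 deferred
Interface GigabitEthernet0/3 "", is down, line protocol is down
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Available but not configured via nameif
Interface Management0/0 "management", is administratively down, line protocol is down
  Hardware is i82557, BW 100 Mbps, DLY 100 usec
"""

HEADER_RE = re.compile(r'^Interface (\S+) "([^"]*)", is (.+?), line protocol is (\S+)')
DUPLEX_RE = re.compile(r"(Full|Half)-duplex")
SPEED_RE = re.compile(r"Speed\((\d+) Mbps\)")
COUNTERS = {                       # counter name -> regex on the interface block
    "packets_input": r"(\d+) packets input",
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "collisions": r"\b(\d+) collisions",
    "late_collisions": r"(\d+) late collisions",
    "dropped": r"(\d+) packets dropped",
}


def parse_show_interface(text):
    """Split the output into one dict per interface (physical or sub-interface)."""
    blocks, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"name": m.group(1), "nameif": m.group(2),
                       "admin": m.group(3), "protocol": m.group(4), "body": []}
            blocks.append(current)
        elif current is not None:
            current["body"].append(line)
    for b in blocks:
        body = "\n".join(b.pop("body"))
        d, s = DUPLEX_RE.search(body), SPEED_RE.search(body)
        b["duplex"] = d.group(1) if d else None
        b["speed_mbps"] = int(s.group(1)) if s else None
        for key, pat in COUNTERS.items():
            m = re.search(pat, body)
            b[key] = int(m.group(1)) if m else None
    return blocks


def interface_findings(text, drop_ratio_limit=0.001):
    """Return {interface: [finding, ...]} for the interfaces that need a look."""
    findings = {}
    for b in parse_show_interface(text):
        notes = []
        if b["protocol"] != "up" and b["admin"] != "administratively down":
            notes.append(f"line protocol {b['protocol']} (admin state: {b['admin']})")
        if b["duplex"] == "Half":
            notes.append(f"half duplex at {b['speed_mbps']} Mbps: check for a duplex mismatch")
        if b["late_collisions"]:
            notes.append(f"{b['late_collisions']} late collisions: duplex mismatch or cabling")
        if b["input_errors"] or b["crc"]:
            notes.append(f"{b['input_errors']} input errors, {b['crc']} CRC")
        if b["dropped"] and b["packets_input"]:
            ratio = b["dropped"] / b["packets_input"]
            if ratio > drop_ratio_limit:
                notes.append(f"{b['dropped']} packets dropped ({ratio:.2%} of input)")
        if notes:
            findings[b["name"]] = notes
    return findings


if __name__ == "__main__":
    for name, notes in interface_findings(SHOW_INTERFACE).items():
        print(name)
        for n in notes:
            print("   ", n)
```

Counters are cumulative since the last clear, so one run tells you that something happened, not when; run it against two captures a few minutes apart if you need to know whether the errors are still growing.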
Check the matching route

Looking for a specific route in a big table? Give show route the interface and the destination and the firewall prints only the entry that matches (the code legend is repeated above it):

myfirewall/pri/act# sh route inside 172.24.31.246

4.0 VPN troubleshooting

The most important thing for a VPN is the time on the devices: certificate validity, IKE lifetimes and the timestamps you will be comparing in the logs all depend on it. To check the time use the following commands:

myfirewall/pri/act# show clock
11:19:45.485 CEDT Wed Sep 18 2013

myfirewall/pri/act# show ntp status
Clock is synchronized, stratum 3, reference is 172.24.10.100
nominal freq is 99.9984 Hz, actual freq is 99.9968 Hz, precision is 2**6
reference time is d5e3ed1d.b0b7a760 (11:13:01.690 CEDT Wed Sep 18 2013)
clock offset is 0.1998 msec, root delay is 18.01 msec
root dispersion is 36.55 msec, peer dispersion is 15.64 msec

"Clock is synchronized" with a clock offset in the millisecond range is what you want; "Clock is unsynchronized" means the time has been free-running since boot and the two ends of a certificate-authenticated tunnel may disagree about whether a certificate is valid.
Change the tunnel state

Bring up a VPN tunnel manually: a LAN-to-LAN tunnel is negotiated on demand, so send traffic that matches the crypto ACL (a ping from a host in the local encryption domain to a host in the remote one is enough) and then look for the SAs with the commands in the next section.

Shut down a VPN tunnel manually, no traffic required.

All tunnels:

myfirewall3/pri/act# clear crypto isakmp sa

Only a specific tunnel:

myfirewall3/pri/act# clear ipsec sa peer 2.2.2.2
myfirewall2/pri/act# clear crypto ikev1 sa 2.2.2.2

Shut down for a longer time, by removing the peer from the crypto map entry:

myfirewall2/pri/act(config)# no crypto map l2lvpns 10 set peer 211.176.66.2

clear crypto isakmp sa tears down every IKE SA on the box, remote-access sessions included, so on a production firewall prefer the per-peer form. Clearing the SAs does not keep the tunnel down: the next packet that matches the crypto ACL renegotiates it. Removing the peer from the crypto map does.

Check the tunnel state

If there is no SA, the tunnel is down and does not work. To see whether the tunnel is up, check whether any SA exists with "show crypto isakmp sa" (phase 1, IKE) or "show crypto ipsec sa" (phase 2, IPsec).

Tunnel state is down

The tunnel does not exist if the commands below print no SA:

myfirewall3/pri/act# sh cry isakmp sa

There are no IKEv1 SAs
There are no IKEv2 SAs

myfirewall3/pri/act# show crypto ipsec sa

There are no ipsec sas

Tunnel state is up

Information in the output of the command below:
- VPN peers
- encrypted traffic (source and destination)
- traffic counters for the encrypted traffic
- SPI for encrypt and decrypt
- encryption method

myfirewall2/pri/act# show cry ips sa peer 3.3.3.3
peer address: 3.3.3.3
    Crypto map tag: firmen, seq num: 22, local addr: 5.5.5.5

      access-list tun-voss extended permit ip host 172.15.19.10 192.168.212.72 255.255.255.248
      local ident (addr/mask/prot/port): (172.15.19.10/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.212.72/255.255.255.248/0/0)
      current_peer: 3.3.3.3

      #pkts encaps: 26, #pkts encrypt: 26, #pkts digest: 26
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 26, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 5.5.5.5/0, remote crypto endpt.: 3.3.3.3/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: AB092E6E
      current inbound spi : 910F4308

    inbound esp sas:
      spi: 0x910F4308 (2433696520)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 25923584, crypto-map: firmen
         sa timing: remaining key lifetime (kB/sec): (4373999/3360)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x000003FF
    outbound esp sas:
      spi: 0xAB092E6E (2869505646)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 25923584, crypto-map: firmen
         sa timing: remaining key lifetime (kB/sec): (4373997/3360)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

How to read it: local ident and remote ident are the encryption domain and must be the mirror image of the crypto ACL on the peer; the two SPIs identify the inbound and the outbound SA (an SA is one-directional, so a tunnel always has a pair); "transform" is the negotiated cipher and integrity algorithm; the lifetime counts down in both kilobytes and seconds and the SA is rekeyed when either runs out. The anti-replay bitmap of the inbound SA shows which of the last 64 sequence numbers have been received.
Check packet counters for the tunnel

To see whether encryption and decryption work, run show crypto ipsec sa two or more times and compare the values: on the second and third outputs the #pkts encaps and #pkts decaps counters should be larger. If only encaps grows, you are sending but nothing comes back (look at the remote side, the mirrored crypto ACL and the return route); if neither grows, no interesting traffic is reaching the tunnel at all.

The following output lists the active LAN-to-LAN peers of the firewall:

myfirewall2/pri/act# show vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection   : 9.9.9.9
Index        : 5671                   IP Addr      : 9.9.9.9
Protocol     : IKEv1 IPsec
Encryption   : 3DES                   Hashing      : MD5
Bytes Tx     : 83496278               Bytes Rx     : 420469160
Login Time   : 02:17:25 CEDT Wed Sep 18 2013
Duration     : 12h:15m:49s

Connection   : 3.3.3.3
Index        : 6329                   IP Addr      : 3.3.3.3
Protocol     : IKEv1 IPsec
Encryption   : AES256                 Hashing      : SHA1
Bytes Tx     : 6100                   Bytes Rx     : 5992
Login Time   : 14:26:13 CEDT Wed Sep 18 2013
Duration     : 0h:07m:01s

Check the uptime of the VPN tunnels

Uptime for site-to-site VPN:

asa-firewall/pri/act# show vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection   : 25.25.25.25
Index        : 34872                  IP Addr      : 25.25.25.25
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (3)AES256
Hashing      : IKEv1: (1)SHA1  IPsec: (3)SHA1
Bytes Tx     : 73653504               Bytes Rx     : 31342653
Login Time   : 01:15:18 CEST Thu Nov 28 2013
Duration     : 12h:36m:51s

Connection   : dyn-vpn-tunnel
Index        : 34902                  IP Addr      : 35.35.35.35
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (1)AES256
Hashing      : IKEv1: (1)SHA1  IPsec: (1)SHA1
Bytes Tx     : 17679966               Bytes Rx     : 2626429
Login Time   : 12:38:17 CEST Thu Nov 28 2013
Duration     : 1h:13m:52s

SA lifetime for IKE (phase 1) for site-to-site, lifetime in seconds:

asa-firewall/pri/act# show crypto isa sa detail

IKEv1 SAs:

   Active SA: 4
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 4

1   IKE Peer: 45.45.45.45
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_ACTIVE
    Encrypt : aes-256         Hash    : SHA
    Auth    : preshared       Lifetime: 14400
    Lifetime Remaining: 12039
2   IKE Peer: 55.55.55.55
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : MD5
    Auth    : preshared       Lifetime: 14400
    Lifetime Remaining: 12462

MM_ACTIVE is an established main-mode SA and AM_ACTIVE an established aggressive-mode one; any other state (MM_WAIT_MSG2 and friends) means phase 1 is stuck waiting for that message, usually a pre-shared key or proposal mismatch. A peer still on 3DES/MD5 should be migrated: both are deprecated for IKE.

SA lifetimes for the inbound and outbound ESP SAs (phase 2) for site-to-site, lifetime in seconds:

asa-firewall/pri/act# show crypto ipsec sa
interface: outside
    Crypto map tag: tunnel, seq num: 20, local addr: 46.46.46.46

      access-list tun-acl1 extended permit ip host 10.10.1.11 192.168.13.48 255.255.255.240
      local ident (addr/mask/prot/port): (10.10.1.11/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.13.48/255.255.255.240/0/0)
      current_peer: 13.13.13.13

      #pkts encaps: 38097, #pkts encrypt: 38097, #pkts digest: 38097
      #pkts decaps: 34559, #pkts decrypt: 34559, #pkts verify: 34559
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 38097, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 46.46.46.46/0, remote crypto endpt.: 13.13.13.13/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 22512A19
      current inbound spi : 8F46C331

    inbound esp sas:
      spi: 0x8F46C331 (2403779377)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 143024128, crypto-map: tunnel
         sa timing: remaining key lifetime (kB/sec): (4371840/26381)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x22512A19 (575744537)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 143024128, crypto-map: tunnel
         sa timing: remaining key lifetime (kB/sec): (4350795/26381)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Uptime for the old VPN client (IKEv1 IPsec):

asa-firewall/pri/act# show vpn-sessiondb ra-ikev1-ipsec

Session Type: IKEv1 IPsec

Username     : einsteina@vpn-tungrp1  Index        : 3856
Assigned IP  : 192.168.44.151         Public IP    : 145.253.209.113
Protocol     : IKEv1 IPsecOverTCP
License      : Other VPN
Encryption   : AES128                 Hashing      : SHA1
Bytes Tx     : 667580222              Bytes Rx     : 195368751
Group Policy : vpn-grp-p1             Tunnel Group : vpn-de-ol
Login Time   : 10:15:51 CEST Tue Nov 19 2013
Duration     : 9d 3h:37m:37s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Username     : leonardo@vpn-tungrp2   Index        : 12473
Assigned IP  : 192.168.244.158        Public IP    : 37.227.236.249
Protocol     : IKEv1 IPsecOverTCP
License      : Other VPN
Encryption   : AES128                 Hashing      : SHA1
Bytes Tx     : 64670782               Bytes Rx     : 49769295
Group Policy : vpn-grp-p2             Tunnel Group : vpn-ext-rsa
Login Time   : 09:07:46 CEST Wed Nov 27 2013
Duration     : 1d 4h:45m:42s

Uptime for the new VPN client (AnyConnect):

asa-firewall/pri/act# show vpn-sessiondb anyconnect
after that you have to define the interface* (or the keyword any): raise the packet‑lenght to a higher value.247 Protocol : AnyConnect‐Parent SSL‐Tunnel License : AnyConnect Essentials Encryption : 3DES Hashing : none SHA1 Bytes Tx : 552426724 Bytes Rx : 264841827 Group Policy : vpn‐grp‐p3 Tunnel Group : DefaultWEBVPNGroup Login Time : 10:21:29 CEST Wed Nov 27 2013 Duration : 1d 3h:44m:57s Inactivity : 0h:00m:00s NAC Result : Unknown VLAN Mapping : N/A VLAN : none Username : baromarcu@vpn‐tun‐grp3 Index : 13405 Assigned IP : 192.80.212 Public IP : 91.238.250 Protocol : AnyConnect‐Parent SSL‐Tunnel License : AnyConnect Essentials Encryption : 3DES Hashing : none SHA1 Bytes Tx : 376838398 Bytes Rx : 153802768 Group Policy : vpn‐grp‐p3 Tunnel Group : DefaultWEBVPNGroup Login Time : 07:22:24 CEST Thu Nov 28 2013 Duration : 6h:44m:02s Inactivity : 0h:00m:00s NAC Result : Unknown VLAN Mapping : N/A VLAN : none 5.2.168.2.com/2013/09/18/ciscoasatroubleshootingcommands/ 27/38 .2.28/3/2015 Cisco ASA troubleshooting commands | itsecworks asa‐firewall/pri/act# sh vpn‐sessiondb anyconnect Session Type: AnyConnect Username : beck@vpn‐tun‐grp3 Index : 12579 Assigned IP : 192.1 sniffertrace The basic command is “capture”.236.168.2 myfirewall2/pri/act# myfirewall2/pri/act# sh cap capture capturename type raw‐data [Capturing ‐ 0 bytes] match tcp host 2.2 any eq https http://itsecworks. if you need the payload from the packets! myfirewall2/pri/act# capture capturename packet‐length 1600 match tcp host 2. 1.28/3/2015 Cisco ASA troubleshooting commands | itsecworks you can you access‑list for more detailed traffic… To export the sniffertrace to a pcap file use the command: myfirewall2/pri/act# copy /pcap capture: tftp Source capture name []? capturename Address or name of remote host []? 3.1.3 Destination filename [capturename]? 
capturename.4.3.18.com/2013/09/18/ciscoasatroubleshootingcommands/ 28/38 .3 Test tcp traffic from the firewall myfirewall/pri/act# ping tcp inside 10.1 1024 10.3.23.28 80 source 10.134.1 23 Phase: 3 Type: ACCESS‐LIST Subtype: log Result: ALLOW Config: access‐group inside in interface inside access‐list inside extended permit 5.14 1324 http://itsecworks.pcap !!!! myfirewall2/pri/act# 5.26.2 Test traffic through the firewall myfirewall/pri/act# packet‐tracer input inside tcp 10.1. myfirewall3/pri/act# logging savelog mylogs myfirewall3/pri/act# cd syslog myfirewall3/pri/act# dir Directory of disk0:/syslog/ 113 ‐rwx 2880 14:41:18 Sep 18 2013 mylogs 255426560 bytes total (181706752 bytes free) http://itsecworks.219 logging permit‐hostdown Configure logging Important commands are the: logging enable logging timestamp logging host fw‑trans 172.24.218 logging host fw‐trans 172.com/2013/09/18/ciscoasatroubleshootingcommands/ 29/38 .0 View logging on cli The buffer size is limited and if the buffer is full the old logs will be overwritten.2.2.2.com level alerts logging host fw‐trans 172. To check your log settings issue the following: myfirewall3/pri/act# sh run logging logging enable logging timestamp logging buffered alerts logging trap errors logging asdm debugging logging mail alerts logging from‐address
[email protected]
logging trap errors Save the logs from buffer to file and after you can copy it to your tftp server.24.28/3/2015 Cisco ASA troubleshooting commands | itsecworks 6.24.com logging recipient‐address network@mycompany. since we do not know since when the counters show the actual values. myfirewall/pri/act# sh service‐policy set connection detail Interface germany: Service‐policy: voice‐http‐map Class‐map: voice‐http‐map Set connection policy: drop 0 Set connection advanced‐options: max‐mss‐size Retransmission drops: 0 TCP checksum drops : 0 Exceeded MSS drops : 0 SYN with data drops: 0 Invalid ACK drops : 0 SYN‐ACK with data drops: 0 Out‐of‐order (OoO) packets : 0 OoO no buffer drops: 0 OoO buffer timeout drops : 0 SEQ past window drops: 208 Reserved bit cleared: 0 Reserved bit drops : 0 IP TTL modified : 0 Urgent flag cleared: 0 Window varied resets: 0 TCP‐options: Selective ACK cleared: 0 Timestamp cleared : 0 Window scale cleared : 0 Other options cleared: 0 Other options drops: 0 http://itsecworks.28/3/2015 Cisco ASA troubleshooting commands | itsecworks Viewing the logs Too see the buffer logs issue: myfirewall3/pri/act# show logging 7. Issuing the command just once has not too much sence. that can lead to a problem.com/2013/09/18/ciscoasatroubleshootingcommands/ 30/38 .0 Inspection and aspdrop These commands should be issued multiple times to see which counter actually increases. 28/3/2015 Cisco ASA troubleshooting commands | itsecworks ——————————————————————————————— myfirewall/pri/act# sh asp drop flow Inspection failure (inspect‐fail) 14616790 SSL handshake failed (ssl‐handshake‐failed) 85 SSL received close alert (ssl‐received‐close‐alert) 40 Last clearing: Never ——————————————————————————————— http://itsecworks.com/2013/09/18/ciscoasatroubleshootingcommands/ 31/38 . 
0 Threat Detection (check the top talkers) threat‑detection configuration example: http://itsecworks.com/2013/09/18/ciscoasatroubleshootingcommands/ 32/38 .28/3/2015 Cisco ASA troubleshooting commands | itsecworks myfirewall/pri/act# sh asp drop frame Flow is being freed (flow‐being‐freed) 121 Invalid TCP Length (invalid‐tcp‐hdr‐length) 1 No valid adjacency (no‐adjacency) 36 Reverse‐path verify failed (rpf‐violated) 6990253 Flow is denied by configured rule (acl‐drop) 864778803 Flow denied due to resource limitation (unable‐to‐create‐flow) 1374 First TCP packet not SYN (tcp‐not‐syn) 471046343 Bad TCP flags (bad‐tcp‐flags) 46770 TCP data send after FIN (tcp‐data‐past‐fin) 128 TCP failed 3 way handshake (tcp‐3whs‐failed) 1560684 TCP RST/FIN out of order (tcp‐rstfin‐ooo) 30625519 TCP SEQ in SYN/SYNACK invalid (tcp‐seq‐syn‐diff) 9582 TCP SYNACK on established conn (tcp‐synack‐ooo) 8770 TCP packet SEQ past window (tcp‐seq‐past‐win) 77478 TCP invalid ACK (tcp‐invalid‐ack) 53427 TCP ACK in 3 way handshake invalid (tcp‐discarded‐ooo) 5710 TCP Out‐of‐Order packet buffer full (tcp‐buffer‐full) 1 TCP Out‐of‐Order packet buffer timeout (tcp‐buffer‐timeout) 5541 TCP RST/SYN in window (tcp‐rst‐syn‐in‐win) 326943 TCP dup of packet in Out‐of‐Order queue (tcp‐dup‐in‐queue) 769 TCP packet failed PAWS test (tcp‐paws‐fail) 1530 Expired flow (flow‐expired) 284 ICMP Inspect bad icmp code (inspect‐icmp‐bad‐code) 300 ICMP Inspect seq num not matched (inspect‐icmp‐seq‐num‐not‐matched) 633646 ICMP Error Inspect no existing conn (inspect‐icmp‐error‐no‐existing‐conn) DNS Inspect invalid packet (inspect‐dns‐invalid‐pak) 35 DNS Inspect invalid domain label (inspect‐dns‐invalid‐domain‐label) 628 DNS Inspect packet too long (inspect‐dns‐pak‐too‐long) 5044504 DNS Inspect id not matched (inspect‐dns‐id‐not‐matched) 1589860 Unable to obtain connection lock (connection‐lock) 13 Interface is down (interface‐down) 35 RM connection limit reached (rm‐conn‐limit) 136021 Dropped pending packets in a closed 
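Both the VPN counter check (section 4.0) and the asp-drop section above say to issue the command two or more times and compare the counters by eye. The following Python helper is an added example, not part of the original post: it parses two pasted snapshots of show asp drop and show crypto ipsec sa output (the two snapshots below are constructed, not real device output) and reports only the counters that moved, flagging a counter that went backwards as a likely clear or reload in between.

```python
import re

# A `show asp drop` counter line: "Flow is denied by configured rule (acl-drop)  864778803"
ASP_DROP_RE = re.compile(r"^\s*(?P<name>.+?)\s+\((?P<id>[\w-]+)\)\s+(?P<value>\d+)\s*$")
# `show crypto ipsec sa` packs several counters per line: "#pkts encaps: 38097, #pkts encrypt: 38097"
IPSEC_RE = re.compile(r"#(?P<id>[\w -]+?):\s+(?P<value>\d+)")


def parse_counters(text: str) -> dict:
    """Return {counter_id: value} for every counter found in one snapshot."""
    counters = {}
    for line in text.splitlines():
        m = ASP_DROP_RE.match(line)
        if m:
            counters[m.group("id")] = int(m.group("value"))
            continue
        for m in IPSEC_RE.finditer(line):
            counters[m.group("id").strip()] = int(m.group("value"))
    return counters


def counter_deltas(before: str, after: str) -> dict:
    """Counters whose value changed between two snapshots, as {id: delta}.
    A counter missing from `before` counts from zero; a negative delta means
    the counters were cleared (or the box reloaded) between the two runs."""
    b, a = parse_counters(before), parse_counters(after)
    return {k: a[k] - b.get(k, 0) for k in a if a[k] != b.get(k, 0)}


def report(before: str, after: str) -> str:
    """Human-readable summary, largest increase first."""
    rows = sorted(counter_deltas(before, after).items(), key=lambda kv: -kv[1])
    lines = [f"{k:<24} {v:+d}" + ("  (cleared?)" if v < 0 else "") for k, v in rows]
    return "\n".join(lines) if lines else "no counter changed"


# Constructed sample snapshots (not real device output), taken a minute apart.
SNAPSHOT_1 = """\
myfirewall/pri/act# sh asp drop frame
  Flow is denied by configured rule (acl-drop)               864778803
  Inspection failure (inspect-fail)                           14616790
Last clearing: Never
myfirewall/pri/act# sh cry ipsec sa
      #pkts encaps: 38097, #pkts encrypt: 38097, #pkts digest: 38097
      #pkts decaps: 34559, #pkts decrypt: 34559, #pkts verify: 34559
      #send errors: 0, #recv errors: 0
"""
SNAPSHOT_2 = """\
myfirewall/pri/act# sh asp drop frame
  Flow is denied by configured rule (acl-drop)               864779012
  Inspection failure (inspect-fail)                           14616790
  Expired flow (flow-expired)                                        3
Last clearing: Never
myfirewall/pri/act# sh cry ipsec sa
      #pkts encaps: 38150, #pkts encrypt: 38150, #pkts digest: 38150
      #pkts decaps: 34559, #pkts decrypt: 34559, #pkts verify: 34559
      #send errors: 0, #recv errors: 0
"""

if __name__ == "__main__":
    print(report(SNAPSHOT_1, SNAPSHOT_2))
```

Only the acl-drop counter, the new flow-expired reason and the outbound IPsec counters show up; a tunnel whose encrypt side grows while decrypt stays flat is exactly the asymmetry the prose above asks you to look for.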
8.0 Threat Detection (check the top talkers)

threat-detection configuration example:

myfirewall/pri/act(config)# sh run threat-detection
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

show commands for threat-detection:

This command, IF activated, can give us really useful basic information about the network flows passing through the firewall. Or, if we have a performance problem with our internet connection, we can see who currently owns the line (whose head must be under the guillotine).

myfirewall/pri/act# sh threat-detection statistics top ?
  access-list    Enter this keyword to display top N access-list statistics
  host           Enter this keyword to display top N host statistics
  port-protocol  Enter this keyword to display top N port statistics
  rate-1         Enter this keyword to display top N's first rate statistics
  rate-2         Enter this keyword to display top N's second rate statistics
  rate-3         Enter this keyword to display top N's third rate statistics
  tcp-intercept  Show statistics information for tcp intercept
  |              Output modifiers

An example with port and protocol:

myfirewall/pri/act# sh threat-detection statistics top port-protocol

Top  Name              Id      Average(eps)  Current(eps)  Trigger  Total events
20-min Sent attack:
20-min Recv attack:
  01  DNS               53              2972          3552    27100        1783308
  02  LDAP              389              639           474     2549         383645
  03  HTTP              80               162           152    14066          97668
  04  NetBIOS-Name      137              160           193     8031          96239
  05  HTTPS             443              131            85    11242          79013
  06  Port-8191-65535                    108            97     3513          64974
  07  XMPP-SSL-Uno      5223              48            10      224          28884
  08  SNMPTRAP          162               46            46    50537          27859
  09  SYSLOG            514               36            32     9773          21995
  10  MS-DS/SMB         445               30            40    45220          18030
1-hour Sent byte:
  01  HTTP              80          25194299      24939838        0    90699477563
  02  MS-DS/SMB         445          8260884       8225102        0    29739184085
  03  Port-8191-65535              7038543      10227395        0    25338757949
  04  LDAP              389          2334189       2347930        0     8403081060
  05  Microsoft SQL     1433         1373774       1196909        0     4945586558
  06  HTTPS             443          1318144       1258745        0     4745319756
  07  HTTP-Alternat     8080          520889        566088        0     1875202977
  08  DNS               53            430705        452066        0     1550540194
  09  Port-7780         7780          264564        258684        0      952431991
  10  Port-3380         3380          230415         12096        0      829497591
1-hour Sent pkts:
  01  MS-DS/SMB         445            40571         41786        0      146057206
  02  HTTP              80             22612         22957        0       81406406
  03  Port-8191-65535                   8834         11379        0       31804979
  04  HTTPS             443             2528          2777        0        9101589
  05  LDAP              389             1956          1954        0        7041854
  06  Microsoft SQL     1433            1723          1527        0        6204903
  07  Port-135          135              679           572        0        2445229
  08  HTTP-Alternat     8080             414           447        0        1493298
  09  DNS               53               393           387        0        1418233
  10  ICMP *            1                281           365        0        1012609
1-hour Recv byte:
  01  MS-DS/SMB         445          8241588       8308370        0    29669717400
  02  HTTP              80           3148829       4675871        0    11335784733
  03  Port-8191-65535              2908739       2644375        0    10471460696
  04  Port-2055         2055          292614        281589        0     1053413852
  05  SYSLOG            514           269208        323164        0      969151225
  06  HTTPS             443           266550        283114        0      959582362
  07  Microsoft SQL     1433          200255        173645        0      720919352
  08  LDAP              389           149348        149286        0      537653925
  09  SMTP              25             88919        104011        0      320111885
  10  Port-135          135            76251         63814        0      274507044
1-hour Recv pkts:
  01  MS-DS/SMB         445            40120         41355        0      144433605
  02  HTTP              80             16028         17115        0       57703486
  03  Port-8191-65535                   7853          8933        0       28273380
  04  Microsoft SQL     1433            1441          1281        0        5188677
  05  LDAP              389             1329          1339        0        4785811
  06  HTTPS             443              988           921        0        3559831
  07  Port-135          135              694           588        0        2498510
  08  SYSLOG            514              292           355        0        1051921
  09  HTTP-Alternat     8080             272           289        0         981307
  10  DNS               53               252           251        0         909608

And the top talkers list for hosts:

myfirewall/pri/act(config)# sh threat-detection statistics top host

Top  Name              Id      Average(eps)  Current(eps)  Trigger  Total events
20-min Sent attack:
  ...
20-min Recv attack:
  ...

9.0 Backup and Restore

Backup command with a tftp server:

myfirewall3/pri/act# copy running-config tftp
Source filename [running-config]?
Address or name of remote host []? 3.3.3.3
Destination filename [running-config]?
Cryptochecksum: ee921f66 a8586880 f2d4fc17 c76933b2

For more info read my post: Migrate Cisco ASA configuration, certificates and private keys.

That's all folks!

Tagged: Cisco ASA, commands, troubleshooting
Posted in: ASA (http://itsecworks.com/category/security/cisco/asa/), Cisco (http://itsecworks.com/category/security/cisco/), Security (http://itsecworks.com/category/security/), Troubleshootings (http://itsecworks.com/category/security/cisco/asa/troubleshootings/)

6 Responses to "Cisco ASA troubleshooting commands"

Krish, September 19, 2013:
Very useful for basic troubleshooting. Can you also try to post a bit more complex troubleshooting...

itsecworks, September 19, 2013:
Yes, only for basic troubleshooting :-) the rest will be posted soon :-)

Ramesh, February 4, 2014:
Good stuff, all basic commands in one place.

akesh, February 22, 2014:
I found this document very useful... thank you

itsecworks, February 22, 2014:
Feel free to suggest and it will be added to this post.

Bhumika, November 3, 2015:
Good for beginners.