Troubleshooting ASA Firewalls

Resource use

show cpu usage
show cpu usage detailed
show memory
show blocks

Hardware and license information

show version
show module all
show mode

Connections and translations

show conn
! idle == no packets received for the last x seconds
show perfmon
show nat
! idle == last conn created through this translation was x seconds ago
! i-dynamic.timeout == starts when the last conn is removed (3 hours)
! r-portmap.timeout == starts when the last conn is removed (30 seconds)
! s-static.timeout == none; static translations do not time out
show xlate
show xlate detail
show local-host
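An added example (not part of the page or of the ASA software) that parses `show conn` output and flags connections whose idle timer, in the sense noted above, exceeds a threshold, plus TCP entries that never completed the handshake. The line layout and the sample lines are assumed ASA 9.x-style output constructed here.

```python
import re

# Constructed sample of `show conn` output in the ASA 9.x line format
# (an assumption about the format; these lines are not from the page).
SAMPLE_SHOW_CONN = """\
TCP outside 203.0.113.5:443 inside 192.168.1.10:51234, idle 0:00:03, bytes 45210, flags UIO
UDP outside 203.0.113.53:53 inside 192.168.1.20:40001, idle 0:01:12, bytes 318, flags -
TCP outside 198.51.100.7:22 inside 192.168.1.30:55000, idle 2:45:10, bytes 9120, flags UO
TCP dmz 10.10.10.4:8080 inside 192.168.1.40:60100, idle 0:00:00, bytes 0, flags saA
"""

# One connection per line: proto, far-side if/addr:port, near-side if/addr:port,
# then the idle timer, byte count and state flags.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<out_if>\S+)\s+(?P<out_addr>[\d.]+:\d+)\s+"
    r"(?P<in_if>\S+)\s+(?P<in_addr>[\d.]+:\d+),\s+idle\s+(?P<idle>\d+:\d\d:\d\d),"
    r"\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)$"
)


def idle_to_seconds(idle: str) -> int:
    """Convert the h:mm:ss idle timer to seconds."""
    h, m, s = (int(part) for part in idle.split(":"))
    return h * 3600 + m * 60 + s


def parse_show_conn(text: str) -> list[dict]:
    """Return one dict per parsed connection line; unparseable lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            c = m.groupdict()
            c["idle_s"] = idle_to_seconds(c.pop("idle"))
            c["bytes"] = int(c["bytes"])
            conns.append(c)
    return conns


def stale_conns(conns: list[dict], max_idle_s: int) -> list[dict]:
    """Connections with no packets seen for at least max_idle_s seconds."""
    return [c for c in conns if c["idle_s"] >= max_idle_s]


def embryonic_tcp(conns: list[dict]) -> list[dict]:
    """TCP entries whose flags lack 'U' (three-way handshake not completed)."""
    return [c for c in conns if c["proto"] == "TCP" and "U" not in c["flags"]]
```

Paste real `show conn` output in place of the sample to review long-idle flows before tuning connection timeouts.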

Drops

show service-policy
show asp drop
show logging

Drop debug

capture drops type asp-drop all circular-buffer
show cap drops | include x.x.x.x
no cap drops

High availability

show failover

Interface information

show ip
show nameif
show traffic
show route | inc 10.1.1.1

Debug

terminal monitor ! required to see debug and log output in SSH sessions
show arp
debug icmp trace
debug arp
debug esmtp
debug http

Logging

(config)# logging enable
(config)# logging timestamp
(config)# logging buffered debugging
(config)# logging monitor debugging
(config)# logging trap debugging
(config)# logging buffer-size 65000
# show logging

Packet tracer

packet-tracer input interface_name tcp 1.1.1.1 1234 2.2.2.2 5678

Packet Capture

capture pcap interface outside match tcp host 2.2.2.2 any eq 443
show capture pcap | inc 200.1.1.1
no capture pcap

VPN

show crypto isakmp sa
show crypto ipsec sa