Difference between revisions of "Troubleshooting ASA Firewalls"

From Tech-Wiki
Jump to: navigation, search
(Created page with "Category:Cisco Systems Resource use # show cpu usage detailed # show memory # show blocks Hardware and license information # show version # show module all # show mode C...")
 
 
(13 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
[[Category:Cisco Systems]]
 
[[Category:Cisco Systems]]
 +
 
Resource use
 
Resource use
 +
show cpu usage
 +
show cpu usage detailed
 +
show memory
 +
show blocks
  
# show cpu usage detailed
 
# show memory
 
# show blocks
 
 
Hardware and license information
 
Hardware and license information
 +
show version
 +
show module all
 +
show mode
  
# show version
 
# show module all
 
# show mode
 
 
Connections and translations
 
Connections and translations
 +
show conn
 +
! idle == no packets received for the last x seconds
 +
show perfmon
 +
show nat
 +
! idle == last conn created was x seconds ago
 +
! i-dynamic.timeout == will begin when the last conn is removed (3 hours)
 +
! r-portmap.timeout == will begin when the last conn is removed (30 seconds)
 +
! s-static.timeout == does not have
 +
show xlate
 +
show xlate detail
 +
show local-host
  
# show conn
 
! idle == no packets received for the last x seconds
 
# show perfmon
 
# show nat
 
! idle == last conn created was x seconds ago
 
! i-dynamic.timeout == will begin when the last conn is removed (3 hours)
 
! r-portmap.timeout == will begin when the last conn is removed (30 seconds)
 
! s-static.timeout == does not have
 
# show xlate
 
# show local-host
 
 
Drops
 
Drops
 +
show service-policy
 +
show asp drop
 +
show logging
 +
 +
Drop debug
 +
capture drops type asp-drop all circular-buffer
 +
show cap drops | include x.x.x.x
 +
no cap drops
  
# show service-policy
 
# show asp drop
 
# show logging
 
 
High availability
 
High availability
 +
show failover
  
# show failover
 
 
Interface information
 
Interface information
 +
show ip
 +
show nameif
 +
show traffic
 +
show route | inc 10.1.1.1
  
# show ip
 
# show nameif
 
# show traffic
 
 
Debug
 
Debug
 +
terminal monitor ! SSH sessions
 +
show arp
 +
debug icmp trace
 +
debug arp
 +
debug esmtp
 +
debug http
  
# terminal monitor ! SSH sessions
 
# debug icmp trace
 
# debug arp
 
# debug esmtp
 
# debug http
 
 
Logging
 
Logging
 +
(config)# logging enable
 +
(config)# logging timestamp
 +
(config)# logging buffered debugging
 +
(config)# logging monitor debugging
 +
(config)# logging trap debugging
 +
(config)# logging buffer-size 65000
 +
# show logging
  
(config)# logging enable
+
Packet tracer
(config)# logging timestamp
+
packet-tracer input interface_name tcp 1.1.1.1 1234 2.2.2.2 5678
(config)# logging buffered debugging
+
(config)# logging buffer-size 65000
+
# show logging
+
Packet capture
+
  
(config)# access-list capture_acl extended permit ip host 1.1.1.1 host 2.2.2.2
+
Packet Capture
(config)# access-list capture_acl extended permit ip host 2.2.2.2 host 1.1.1.1
+
capture pcap interface outside match tcp host 2.2.2.2 any eq 443
# capture capture_name interface interface_name access-list capture_acl
+
show capture pcap | inc 200.1.1.1
# clear capture capture_name
+
no capture pcap  
# show capture capture_name
+
! wget -O capture_name.pcap --user=asa_user --password=asa_password https://asa_ip/capture/capture_name/pcap
+
# no capture capture_name
+
Packet-tracert
+
  
# packet-tracer input interface_name tcp 1.1.1.1 1234 2.2.2.2 5678
 
 
VPN
 
VPN
 
+
show crypto isakmp sa
# show crypto isakmp sa
+
show crypto ipsec sa
# show crypto ipsec sa
+

Latest revision as of 17:29, 17 June 2019


Resource use 

show cpu usage
show cpu usage detailed
show memory
show blocks

Hardware and license information 

show version
show module all
show mode

Connections and translations 

show conn
! idle == no packets received for the last x seconds
show perfmon
show nat
! idle == last conn created was x seconds ago 
! i-dynamic.timeout == will begin when the last conn is removed (3 hours)
! r-portmap.timeout == will begin when the last conn is removed (30 seconds)
! s-static.timeout == does not have
show xlate
show xlate detail
show local-host

Drops 

show service-policy
show asp drop
show logging

Drop debug 

capture drops type asp-drop all circular-buffer
show cap drops | include x.x.x.x
no cap drops

High availability 

show failover

Interface information 

show ip
show nameif
show traffic
show route | inc 10.1.1.1

Debug 

terminal monitor ! SSH sessions
show arp
debug icmp trace
debug arp
debug esmtp
debug http

Logging 

(config)# logging enable
(config)# logging timestamp
(config)# logging buffered debugging
(config)# logging monitor debugging
(config)# logging trap debugging
(config)# logging buffer-size 65000
# show logging

Packet tracer 

packet-tracer input interface_name tcp 1.1.1.1 1234 2.2.2.2 5678

Packet Capture 

capture pcap interface outside match tcp host 2.2.2.2 any eq 443 
show capture pcap | inc 200.1.1.1
no capture pcap

VPN 

show crypto isakmp sa
show crypto ipsec sa
Retrieved from ‘http://tech-wiki.net/index.php?title=Troubleshooting_ASA_Firewalls&oldid=1373