Difference between revisions of "Troubleshooting ASA Firewalls"

From Tech-Wiki
Latest revision as of 17:29, 17 June 2019


Resource use

show cpu usage
show cpu usage detailed
show memory
show blocks

Hardware and license information

show version
show module all
show mode

Connections and translations

show conn
! idle == no packets received for the last x seconds
show perfmon
show nat
! idle == the last conn using this translation was created x seconds ago
! i-dynamic.timeout == timer starts when the last conn using the xlate is removed (3 hours)
! r-portmap.timeout == timer starts when the last conn using the xlate is removed (30 seconds)
! s-static.timeout == static translations do not time out
show xlate
show xlate detail
show local-host

Drops

show service-policy
show asp drop
show logging
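The `show asp drop` counters above are cumulative since the last clearing, so the useful reading is the increase between two runs taken around a reproduction of the problem. The following is an added example, not part of the original wiki page: it parses two constructed (not device-captured) snapshots in the `show asp drop` line layout and reports which drop reasons grew, using the bracketed reason name that `capture ... type asp-drop` also accepts.

```python
import re

# Constructed sample output of two consecutive `show asp drop` runs (not real
# device output). Counters are cumulative, so only the delta is meaningful.
SNAPSHOT_BEFORE = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                          12040
  First TCP packet not SYN (tcp-not-syn)                                  310
  Invalid encapsulation (invalid-encap)                                     1
Last clearing: Never
Flow drop:
  NAT failed (nat-failed)                                                  17
Last clearing: Never
"""

SNAPSHOT_AFTER = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                          12290
  First TCP packet not SYN (tcp-not-syn)                                  311
  Invalid encapsulation (invalid-encap)                                     1
Last clearing: Never
Flow drop:
  NAT failed (nat-failed)                                                  17
Last clearing: Never
"""

# One counter line: "  <description> (<reason-name>)   <count>"
LINE_RE = re.compile(r"^\s+(?P<desc>.+?)\s+\((?P<name>[\w-]+)\)\s+(?P<count>\d+)\s*$")


def parse_asp_drop(text):
    """Return {reason-name: (description, count)} from `show asp drop` output."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[m.group("name")] = (m.group("desc"), int(m.group("count")))
    return counters


def drop_delta(before, after):
    """Per-reason increase between two snapshots, largest first; zero deltas omitted."""
    b, a = parse_asp_drop(before), parse_asp_drop(after)
    deltas = []
    for name, (desc, count) in a.items():
        delta = count - b.get(name, (desc, 0))[1]
        if delta > 0:
            deltas.append((name, desc, delta))
    return sorted(deltas, key=lambda t: t[2], reverse=True)
```

Run the two commands a few seconds apart while reproducing the failure, feed the outputs in as `before`/`after`, and the top entry is the reason to capture with `capture drops type asp-drop <reason-name>`.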

Drop debug

capture drops type asp-drop all circular-buffer
show cap drops | include x.x.x.x
no cap drops

High availability

show failover

Interface information

show ip
show nameif
show traffic
show route | inc 10.1.1.1

Debug

terminal monitor ! needed to see syslog and debug output in an SSH session
show arp
debug icmp trace
debug arp
debug esmtp
debug http

Logging

(config)# logging enable
(config)# logging timestamp
(config)# logging buffered debugging
(config)# logging monitor debugging
(config)# logging trap debugging
(config)# logging buffer-size 65000
# show logging

Packet tracer

packet-tracer input interface_name tcp 1.1.1.1 1234 2.2.2.2 5678

Packet capture

capture pcap interface outside match tcp host 2.2.2.2 any eq 443
show capture pcap | inc 200.1.1.1
no capture pcap

VPN

show crypto isakmp sa
show crypto ipsec sa