Difference between revisions of "Troubleshooting ASA Firewalls"
From Tech-Wiki
Line 49: | Line 49: | ||
(config)# logging timestamp | (config)# logging timestamp | ||
(config)# logging buffered debugging | (config)# logging buffered debugging | ||
+ | (config)# logging monitor debugging | ||
+ | (config)# logging trap debugging | ||
(config)# logging buffer-size 65000 | (config)# logging buffer-size 65000 | ||
# show logging | # show logging |
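Review bot: the two added lines, "logging monitor debugging" and "logging trap debugging", set the terminal-monitor and syslog-server outputs to the most verbose severity with no comment saying this is a temporary troubleshooting setting. Suggest annotating them with a "!" comment to that effect and noting the step to lower the level again afterwards. "logging trap" also only applies to a configured syslog server, and no "logging host" line appears in this block, so either add one or state that it is assumed to exist.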
Revision as of 21:25, 7 August 2016
Resource use
show cpu usage
show cpu usage detailed
show memory
show blocks
Hardware and license information
show version
show module all
show mode
Connections and translations
show conn
! idle == no packets received for the last x seconds
show perfmon
show nat
! idle == last conn created was x seconds ago
! i-dynamic.timeout == will begin when the last conn is removed (3 hours)
! r-portmap.timeout == will begin when the last conn is removed (30 seconds)
! s-static.timeout == does not have
show xlate
show xlate detail
show local-host
Drops
show service-policy
show asp drop
show logging
High availability
show failover
Interface information
show ip
show nameif
show traffic
Debug
terminal monitor ! SSH sessions
debug icmp trace
debug arp
debug esmtp
debug http
Logging
(config)# logging enable
(config)# logging timestamp
(config)# logging buffered debugging
(config)# logging monitor debugging
(config)# logging trap debugging
(config)# logging buffer-size 65000
# show logging
Packet capture
(config)# access-list capture_acl extended permit ip host 1.1.1.1 host 2.2.2.2
(config)# access-list capture_acl extended permit ip host 2.2.2.2 host 1.1.1.1
# capture capture_name interface interface_name access-list capture_acl
# clear capture capture_name
# show capture capture_name
! wget -O capture_name.pcap --user=asa_user --password=asa_password https://asa_ip/capture/capture_name/pcap
# no capture capture_name
Packet-tracer
packet-tracer input interface_name tcp 1.1.1.1 1234 2.2.2.2 5678
VPN
show crypto isakmp sa
show crypto ipsec sa