Difference between revisions of "Troubleshooting ASA Firewalls"

From Tech-Wiki
(Created page with "Category:Cisco Systems Resource use # show cpu usage detailed # show memory # show blocks Hardware and license information # show version # show module all # show mode C...")
Revision as of 21:20, 7 August 2016


Resource use

show cpu usage
show cpu usage detailed
show memory
show blocks

Hardware and license information

show version
show module all
show mode

Connections and translations

show conn
! idle == no packets received for the last x seconds
show perfmon
show nat
! idle == last conn created was x seconds ago
! i-dynamic.timeout == will begin when the last conn is removed (3 hours)
! r-portmap.timeout == will begin when the last conn is removed (30 seconds)
! s-static.timeout == static translations do not time out
show xlate
show xlate detail
show local-host

Drops

show service-policy
show asp drop
show logging

High availability

show failover

Interface information

show ip
show nameif
show traffic

Debug

terminal monitor ! SSH sessions
debug icmp trace
debug arp
debug esmtp
debug http

Logging

(config)# logging enable
(config)# logging timestamp
(config)# logging buffered debugging
(config)# logging buffer-size 65000
# show logging
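The Drops and Logging sections above collect ACL denies into the log buffer shown by "show logging"; the following is an added example (not from the original page) that parses constructed ASA syslog lines in the %ASA-severity-msgid format and tallies 106023 ACL denies per source so the noisiest peer stands out. The sample log, the access-group name and the addresses are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the ASA syslog format (%ASA-severity-msgid: text),
# shaped like "show logging" output after "logging buffered debugging". Not real data.
SAMPLE_LOG = """\
Jan 10 2016 21:20:01: %ASA-4-106023: Deny tcp src outside:203.0.113.5/51234 dst inside:10.0.0.10/23 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jan 10 2016 21:20:02: %ASA-4-106023: Deny tcp src outside:203.0.113.5/51235 dst inside:10.0.0.10/22 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jan 10 2016 21:20:03: %ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.9/40000 (203.0.113.9/40000) to inside:10.0.0.20/443 (10.0.0.20/443)
Jan 10 2016 21:20:04: %ASA-4-106023: Deny udp src outside:198.51.100.7/5000 dst inside:10.0.0.10/161 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jan 10 2016 21:20:05: %ASA-6-302014: Teardown TCP connection 4711 for outside:203.0.113.9/40000 to inside:10.0.0.20/443 duration 0:00:02 bytes 1200 TCP FINs
"""

# Generic message header: severity digit, six-digit message id, free text.
MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)")
# Body of a 106023 ACL deny: protocol, source/destination interface:address/port, ACL name.
DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src (?P<sif>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\""
)

def parse_messages(log):
    """Yield (severity, message id, text) for each syslog line; skip non-matching lines."""
    for line in log.splitlines():
        m = MSG_RE.search(line)
        if m:
            yield int(m.group("sev")), m.group("id"), m.group("text")

def acl_denies(log):
    """Return a Counter keyed by (acl, src, dst, dport) for every 106023 deny in the buffer."""
    hits = Counter()
    for sev, msgid, text in parse_messages(log):
        if msgid != "106023":
            continue
        d = DENY_RE.match(text)
        if d:  # tolerate 106023 variants whose text does not match the pattern
            hits[(d.group("acl"), d.group("src"), d.group("dst"), int(d.group("dport")))] += 1
    return hits

def top_denied_sources(log, n=3):
    """Aggregate denies per source address so the noisiest peer is obvious."""
    per_src = Counter()
    for (acl, src, dst, dport), count in acl_denies(log).items():
        per_src[src] += count
    return per_src.most_common(n)

if __name__ == "__main__":
    for src, count in top_denied_sources(SAMPLE_LOG):
        print(f"{src}: {count} ACL denies")
```

Feed it the text of "show logging" (or a syslog export) in place of SAMPLE_LOG; connection build/teardown messages (302013/302014) are parsed but ignored by the deny tally.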

Packet capture

(config)# access-list capture_acl extended permit ip host 1.1.1.1 host 2.2.2.2
(config)# access-list capture_acl extended permit ip host 2.2.2.2 host 1.1.1.1
# capture capture_name interface interface_name access-list capture_acl
# clear capture capture_name
# show capture capture_name
! wget -O capture_name.pcap --user=asa_user --password=asa_password https://asa_ip/capture/capture_name/pcap
# no capture capture_name

Packet-tracer

packet-tracer input interface_name tcp 1.1.1.1 1234 2.2.2.2 5678

VPN

show crypto isakmp sa
show crypto ipsec sa