Troubleshooting ASA Firewalls

From Tech-Wiki
Revision as of 22:17, 7 August 2016 by Fabricio.Lima


Resource use

# show cpu usage detailed
# show memory
# show blocks

Hardware and license information

# show version
# show module all
# show mode

Connections and translations

# show conn

! idle == no packets received for the last x seconds

# show perfmon
# show nat

! idle == last conn created was x seconds ago
! i-dynamic.timeout == will begin when the last conn is removed (3 hours)
! r-portmap.timeout == will begin when the last conn is removed (30 seconds)
! s-static.timeout == does not have

# show xlate
# show local-host
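As an added example that is not part of the wiki page, a small parser that reads show xlate output from a host and applies the flag and timeout semantics noted above (i = dynamic, r = portmap, s = static). The sample lines are constructed, and the line format is an assumption based on the usual ASA show xlate layout.

```python
import re

# Sample "show xlate" output, constructed for this example (not captured from a real ASA).
SAMPLE_XLATE = """\
3 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from inside:10.0.0.5/51000 to outside:198.51.100.1/1024 flags ri idle 0:00:25 timeout 0:00:30
NAT from inside:10.0.0.7 to outside:198.51.100.7 flags i idle 2:59:10 timeout 3:00:00
NAT from dmz:172.16.0.10 to outside:198.51.100.10 flags s idle 0:00:00 timeout 0:00:00
"""

# Flag semantics as described in the cheat sheet above.
FLAG_MEANING = {
    "i": "dynamic: 3 h timeout starts when the last conn is removed",
    "r": "portmap: 30 s timeout starts when the last conn is removed",
    "s": "static: no timeout",
}

# Assumed line layout: "[TCP|UDP|ICMP ]PAT|NAT from if:addr to if:addr flags F idle h:mm:ss timeout h:mm:ss"
XLATE_RE = re.compile(
    r"^(?:(?P<proto>TCP|UDP|ICMP) )?(?P<kind>PAT|NAT) from "
    r"(?P<in_if>[^:\s]+):(?P<in_addr>\S+) to (?P<out_if>[^:\s]+):(?P<out_addr>\S+) "
    r"flags (?P<flags>\S+) idle (?P<idle>\d+:\d{2}:\d{2}) timeout (?P<timeout>\d+:\d{2}:\d{2})$"
)

def hms_to_seconds(hms):
    """Convert an ASA 'h:mm:ss' field to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def parse_xlate(text):
    """Return one dict per translation line; the counter and flag-legend lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["idle_s"] = hms_to_seconds(e.pop("idle"))
        e["timeout_s"] = hms_to_seconds(e.pop("timeout"))
        e["meaning"] = [FLAG_MEANING.get(f, "unknown flag " + f) for f in e["flags"]]
        entries.append(e)
    return entries

def expiring(entries, within_s=60):
    """Dynamic/portmap xlates whose remaining lifetime (timeout minus idle) is within_s or less.
    Static ('s') entries show timeout 0:00:00 and never expire, so they are excluded."""
    return [e for e in entries
            if "s" not in e["flags"] and e["timeout_s"] > 0
            and e["timeout_s"] - e["idle_s"] <= within_s]
```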

Drops

# show service-policy
# show asp drop
# show logging

High availability

# show failover

Interface information

# show ip
# show nameif
# show traffic

Debug

# terminal monitor ! needed to see debug output in SSH sessions
# debug icmp trace
# debug arp
# debug esmtp
# debug http

Logging

(config)# logging enable
(config)# logging timestamp
(config)# logging buffered debugging
(config)# logging buffer-size 65000

# show logging

Packet capture

(config)# access-list capture_acl extended permit ip host 1.1.1.1 host 2.2.2.2
(config)# access-list capture_acl extended permit ip host 2.2.2.2 host 1.1.1.1

# capture capture_name interface interface_name access-list capture_acl
# clear capture capture_name
# show capture capture_name

! wget -O capture_name.pcap --user=asa_user --password=asa_password https://asa_ip/capture/capture_name/pcap

# no capture capture_name

Packet-tracer

# packet-tracer input interface_name tcp 1.1.1.1 1234 2.2.2.2 5678

VPN

# show crypto isakmp sa
# show crypto ipsec sa