Troubleshooting ASA Firewalls
From Tech-Wiki
Revision as of 17:48, 15 March 2017 by Fabricio.Lima
Resource use
 show cpu usage
 show cpu usage detailed
 show memory
 show blocks
Hardware and license information
 show version
 show module all
 show mode
Connections and translations
 show conn          ! idle == no packets received for the last x seconds
 show perfmon
 show nat           ! idle == last conn created was x seconds ago
                    ! i-dynamic.timeout == starts when the last conn is removed (3 hours)
                    ! r-portmap.timeout == starts when the last conn is removed (30 seconds)
                    ! s-static.timeout == none (static translations do not time out)
 show xlate
 show xlate detail
 show local-host
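As an added example (not part of the original wiki page), a small Python parser for `show conn` output that turns the idle `H:MM:SS` field into seconds and flags connections that have had no packets for longer than a threshold; the sample output and the assumed line layout (protocol, interface/address pairs, idle, bytes, flags) are constructed.

```python
import re

# Constructed sample of `show conn` output (not captured from a real device).
# Assumed layout: PROTO out_if addr:port in_if addr:port, idle H:MM:SS, bytes N, flags F
SAMPLE_SHOW_CONN = """\
4 in use, 12 most used
TCP outside 203.0.113.10:443 inside 192.168.10.10:52344, idle 0:00:05, bytes 48211, flags UIO
TCP outside 203.0.113.22:22 inside 192.168.10.11:61001, idle 2:15:40, bytes 120, flags UIO
UDP outside 198.51.100.5:53 inside 192.168.10.12:40333, idle 0:00:12, bytes 318, flags -
TCP outside 203.0.113.30:8443 inside 192.168.10.13:50000, idle 0:45:02, bytes 0, flags saA
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP)\s+(?P<out_if>\S+)\s+(?P<out_addr>\S+)\s+"
    r"(?P<in_if>\S+)\s+(?P<in_addr>\S+),\s+idle\s+(?P<idle>\d+:\d{2}:\d{2}),"
    r"\s+bytes\s+(?P<bytes>\d+)(?:,\s+flags\s+(?P<flags>\S+))?"
)


def idle_seconds(text):
    """Convert the ASA idle field (H:MM:SS) to whole seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_show_conn(output):
    """Return one dict per connection line; header and blank lines are skipped."""
    conns = []
    for line in output.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        c = m.groupdict()
        c["idle_seconds"] = idle_seconds(c["idle"])
        c["bytes"] = int(c["bytes"])
        conns.append(c)
    return conns


def stale_connections(conns, idle_threshold):
    """Connections with no packets in either direction for longer than idle_threshold seconds."""
    return [c for c in conns if c["idle_seconds"] > idle_threshold]


if __name__ == "__main__":
    for c in stale_connections(parse_show_conn(SAMPLE_SHOW_CONN), 1800):
        print(c["proto"], c["out_addr"], c["in_addr"], "idle", c["idle"], "bytes", c["bytes"])
```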
Drops
 show service-policy
 show asp drop
 show logging
High availability
 show failover
Interface information
 show ip
 show nameif
 show traffic
Debug
 terminal monitor   ! send debug output to the current SSH session
 show arp
 debug icmp trace
 debug arp
 debug esmtp
 debug http
Logging
 (config)# logging enable
 (config)# logging timestamp
 (config)# logging buffered debugging
 (config)# logging monitor debugging
 (config)# logging trap debugging
 (config)# logging buffer-size 65000
 # show logging
Packet capture
 (config)# access-list capture_acl extended permit ip host 1.1.1.1 host 2.2.2.2
 (config)# access-list capture_acl extended permit ip host 2.2.2.2 host 1.1.1.1
 # capture capture_name interface interface_name access-list capture_acl
 # clear capture capture_name
 # show capture capture_name
 ! download the capture as pcap over the ASA HTTPS interface:
 ! wget -O capture_name.pcap --user=asa_user --password=asa_password https://asa_ip/capture/capture_name/pcap
 # no capture capture_name

Capture with an inline match instead of an access list:

 # capture capturename interface outside match tcp host 2.2.2.2 any eq 443
 # show capture capturename

 # capture capturename interface inside match ip 192.168.10.10 255.255.255.255
 # no capture capturename interface inside
Packet-tracer
 packet-tracer input interface_name tcp 1.1.1.1 1234 2.2.2.2 5678
VPN
 show crypto isakmp sa
 show crypto ipsec sa