
Cisco ASA Troubleshooting Commands - Itsecworks

The document provides a list of basic troubleshooting commands for the Cisco ASA firewall. It covers commands to check settings and states, interface settings, routing table, VPN troubleshooting, logging, inspection, threat detection, and backup/restore. The commands can be used to check the system status, hardware performance, interface status, routing table, VPN tunnel states, logs, traffic inspection statistics, and top talkers for troubleshooting Cisco ASA devices.

Uploaded by

LinuxManCR

28/3/2015

Cisco ASA troubleshooting commands | itsecworks

itsecworks
It is all about security and co I have already met

Cisco ASA troubleshooting commands
Posted on September 18, 2013
With my requirements for any networking layer 3 security device I collected the basic commands
that you have to know or you will not be able to manage your device.
1.0 Check the basic settings and firewall states
Check the system status
Check the hardware performance
Check the High Availability state
Check the session table of the firewall
2.0 Check the interface settings
Check the state, speed, duplex and IP of the interfaces
Check the ARP Table
3.0 Check the Routing Table
Check the matching route
4.0 VPN Troubleshooting
Change the tunnel state
Check the tunnel state
Check packet counters for the tunnel
http://itsecworks.com/2013/09/18/ciscoasatroubleshootingcommands/


Check the uptime of the VPN Tunnels
5.1 Sniffer trace
5.2 Test traffic through the firewall
5.3 Test tcp traffic from the firewall
6.0 View logging on cli
Configure logging
Viewing the logs
7.0 Inspection and asp drop
8.0 Threat Detection (check the top talkers)
9.0 Backup and Restore

1.0 Check the basic settings and firewall states

Check the system status
To see the actual software version, operational mode, HA, etc. and the system time:
myfirewall/pri/act# show firewall
Firewall mode: Router
myfirewall/pri/act# show version
Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 7.1(1)52
Compiled on Wed 28-Nov-12 10:38 by builders
System image file is "disk0:/asa911-k8.bin"
Config file at boot was "startup-config"
myfirewall up 218 days 1 hour
failover cluster up 5 years 10 days
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz,
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xfff00000, 1024KB
Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.08
Number of accelerators: 1
 0: Ext: GigabitEthernet0/0 : address is 001f.abcc.a8c6, irq 9
 1: Ext: GigabitEthernet0/1 : address is 001f.abcc.a5e7, irq 9
 2: Ext: GigabitEthernet0/2 : address is 001f.abcc.a5e8, irq 9
 3: Ext: GigabitEthernet0/3 : address is 001f.abcc.a5e9, irq 9
 4: Ext: Management0/0 : address is 001f.abcc.a5ea, irq 11
 5: Int: Not used : irq 11
 6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 4 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 4 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 4 perpetual
Total UC Proxy Sessions : 4 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.

Serial Number: JMX4567L1DA
Running Permanent Activation Key: 0x650e6758 0x345sb616 0x1233615a 0xc234fca3 0x111
Configuration register is 0x1
Configuration last modified by admin at 10:41:22.791 CEDT Fri Sep 13 2013
The failover state.
myfirewall/pri/act(config)# sh failover state
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Ifc Failure              17:38:56 CEDT Jun 10 2013
                              dmz5: Failed
                              inside: Failed
====Configuration State===
        Sync Done
        Sync Done - STANDBY
====Communication State===
        Mac set


To see what the firewall has seen so far, the traffic mix concerning the enabled inspections:
myfirewall/pri/act(config)# sh service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 6206448, drop 1493, reset-drop 0, v6-fail
      Inspect: ftp, packet 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: netbios, packet 285884, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: icmp, packet 14657730, drop 1226951, reset-drop 0, v6-fail-close 0
      Inspect: icmp error, packet 10377, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: dcerpc, packet 199070, drop 0, reset-drop 0, v6-fail-close 0
        tcp-proxy: bytes in buffer 0, bytes dropped 0

Check the hardware performance
To see the state of the CPU and the memory:
myfirewall/pri/act(config)# sh cpu usage
CPU utilization for 5 seconds = 8%; 1 minute: 9%; 5 minutes: 9%
myfirewall/pri/act(config)#
myfirewall/pri/act(config)#
myfirewall/pri/act(config)# sh memory
Free memory: 1722679208 bytes (80%)
Used memory: 424804440 bytes (20%)

Total memory: 2147483648 bytes (100%)

myfirewall/pri/act# show processes cpu-usage sorted
PC         Thread     5Sec  1Min  5Min  Process
0x0827e731 0x6e5d2d8c 8.4%  8.7%  8.5%  Dispatch Unit
0x0878d2de 0x6e5bf254 0.2%  0.9%  0.4%  ARP Thread
0x090b0155 0x6e5b7fb4 0.2%  0.2%  0.1%  ssh
0x08785b0e 0x6e5bf460 0.0%  0.0%  0.0%  IP Thread
0x081735b4 0x6e5c56a0 0.0%  0.0%  0.0%  CTM message handler
0x08cdd5cc 0x6e5c2580 0.0%  0.0%  0.0%  update_cpu_usage
0x084e2936 0x6e5c04c0 0.0%  0.0%  0.0%  fover_health_monitoring_thread
0x0935c832 0x6e5bc964 0.0%  0.0%  0.0%  vpnfol_thread_timer
0x080596a4 0x6e5d31a4 0.0%  0.0%  0.0%  block_diag
0x08854a74 0x6e5d2974 0.0%  0.0%  0.0%  WebVPN KCD Process
0x084c6b6d 0x6e5d2768 0.0%  0.0%  0.0%  CF OIR
0x08eafaec 0x6e5d255c 0.0%  0.0%  0.0%  lina_int
0x0807209d 0x6e5d1f38 0.0%  0.0%  0.0%  Reload Control Thread
0x08086369 0x6e5d1d2c 0.0%  0.0%  0.0%  aaa
0x0916ad6d 0x6e5d1b20 0.0%  0.0%  0.0%  UserFromCert Thread
0x0916ad6d 0x6e5d1914 0.0%  0.0%  0.0%  aaa_shim_thread
0x080bae3c 0x6e5d14fc 0.0%  0.0%  0.0%  CMGR Server Process
0x080bd4ad 0x6e5d12f0 0.0%  0.0%  0.0%  CMGR Timer Process
0x0816d455 0x6e5d049c 0.0%  0.0%  0.0%  CTM Daemon
0x081df2c5 0x6e5d0290 0.0%  0.0%  0.0%  SXP CORE
0x081d7041 0x6e5d0084 0.0%  0.0%  0.0%  RBM CORE
0x081cde3c 0x6e5cfe78 0.0%  0.0%  0.0%  cts_task
0x081cf2ed 0x6e5cfc6c 0.0%  0.0%  0.0%  cts_timer_task
0x0827c804 0x6e5cf43c 0.0%  0.0%  0.0%  dbgtrace
0x0856b194 0x6e5cec0c 0.0%  0.0%  0.0%  557mcfix
0x0856b126 0x6e5cea00 0.0%  0.0%  0.0%  557statspoll
...
myfirewall/pri/act# show processes internals
InvokedGiveupsMax_RuntimeProcess
100.025block_diag
1926681692192668169232.679DispatchUnit
376883600.189WebVPNKCDProcess
100.012CFOIR
100.001lina_int
100.003ReloadControlThread
3743052337050.135aaa
1041.427UserFromCertThread
64630.104aaa_shim_thread
200.009CMGRServerProcess
200.008CMGRTimerProcess
100.001CTMDaemon
6200.044SXPCORE
...
myfirewall/pri/act(config)# sh perfmon
PERFMON STATS:                    Current  Average
Xlates                            0/s      0/s
Connections                       0/s      0/s
TCP Conns                         0/s      0/s
UDP Conns                         0/s      0/s
URL Access                        0/s      0/s
URL Server Req                    0/s      0/s
TCP Fixup                         0/s      0/s
TCP Intercept Established Conns   0/s      0/s
TCP Intercept Attempts            0/s      0/s
TCP Embryonic Conns Timeout       0/s      0/s
HTTP Fixup                        0/s      0/s
FTP Fixup                         0/s      0/s
AAA Authen                        0/s      0/s
AAA Author                        0/s      0/s
AAA Account                       0/s      0/s
VALID CONNS RATE in TCP INTERCEPT: Current  Average
                                   N/A      100.00%

Check the High Availability state
To get the High Availability state info with the show failover command:
myfirewall/pri/act(config)# show failover ?
exec mode commands/options:
  descriptor  Show failover interface descriptors. Two numbers are shown for
              each interface. When exchanging information regarding a
              particular interface, this unit uses the first number in messages
              it sends to its peer. And it expects the second number in
              messages it receives from its peer. For troubleshooting, collect
              the show output from both units and verify that the numbers
              match.
  exec        Show failover command execution information
  history     Show failover switching history
  interface   Show failover command interface information
  state       Show failover internal state information
  statistics  Show failover command interface statistics information
  |           Output modifiers
Check the failover state:
myfirewall/pri/act(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
Version: Ours 9.1(1), Mate 9.1(1)
Last Failover at: 07:31:49 CEST Feb 12 2013
        This host: Primary - Active
                Active time: 18841674 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/9.1(1)) status (Up Sys)
                  Interface dmz5 (192.168.36.1): Normal (Monitored)
                  Interface dmz6 (192.168.47.1): Normal (Not-Monitored)
                  Interface inside (172.24.3.5): Normal (Monitored)
                  Interface oob (192.168.99.1): Normal (Monitored)
                  Interface management (0.0.0.0): No Link (Not-Monitored)
                slot 1: empty
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/9.1(1)) status (Up Sys)
                  Interface dmz5 (192.168.36.2): Normal (Monitored)
                  Interface dmz6 (192.168.47.2): Normal (Not-Monitored)
                  Interface inside (172.24.3.6): Normal (Monitored)
                  Interface oob (192.168.99.2): Normal (Monitored)
                  Interface management (0.0.0.0): Normal (Not-Monitored)
                slot 1: empty
Stateful Failover Logical Update Statistics
        Link : failover GigabitEthernet0/2 (up)
StatefulObjxmitxerrrcvrerr
General372747905024530730
syscmd2452421024524150
uptime0000
RPCservices0000
TCPconn1275302000
UDPconn177064010360
ARPtbl35100728406210
Xlate_Timeout0000
IPv6NDtbl0000
VPNIKEv1SA0000
VPNIKEv1P20000
VPNIKEv2SA0000
VPNIKEv2P20000
VPNCTCPupd0000
VPNSDIupd0000
VPNDHCPupd0000

SIPSession0000
RouteSession306520000
UserIdentity5010
CTSSGTNAME0000
CTSPAC0000
TrustSecSXP0000
IPv6Route0000
LogicalUpdateQueueInformation
CurMaxTotal
RecvQ:0882453116
XmitQ:029381560801
myfirewall/pri/act(config)# show failover interface
        interface failover GigabitEthernet0/2
                System IP Address: 192.168.92.109 255.255.255.252
                My IP Address    : 192.168.92.109
                Other IP Address : 192.168.92.110
myfirewall/pri/act(config)# show failover descriptor
dmz5 send: 000200000e000000 receive: 000200000e000000
dmz6 send: 0002000041000000 receive: 0002000041000000
inside send: 0002010064000000 receive: 0002010064000000
oob send: 00020300ffff0000 receive: 00020300ffff0000
management send: 01010000ffff0000 receive: 01010000ffff0000
myfirewall/pri/act(config)# show failover history
==========================================================================
From State                 To State                   Reason
==========================================================================
07:30:59 CEST Feb 12 2013
Not Detected               Negotiation                No Error
07:31:03 CEST Feb 12 2013
Negotiation                Cold Standby               Detected an Active mate
07:31:05 CEST Feb 12 2013
Cold Standby               Sync Config                Detected an Active mate
07:31:15 CEST Feb 12 2013
Sync Config                Sync File System           Detected an Active mate
07:31:15 CEST Feb 12 2013
Sync File System           Bulk Sync                  Detected an Active mate
07:31:29 CEST Feb 12 2013
Bulk Sync                  Standby Ready              Detected an Active mate
07:31:49 CEST Feb 12 2013
Standby Ready              Just Active                HELLO not heard from mate
07:31:49 CEST Feb 12 2013
Just Active                Active Drain               HELLO not heard from mate
07:31:49 CEST Feb 12 2013
Active Drain               Active Applying Config     HELLO not heard from mate
07:31:49 CEST Feb 12 2013
Active Applying Config     Active Config Applied      HELLO not heard from mate
07:31:49 CEST Feb 12 2013
Active Config Applied      Active                     HELLO not heard from mate
==========================================================================
myfirewall/pri/act(config)# show failover state
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Ifc Failure              17:38:56 CEDT Jun 10 2013
                              dmz5: Failed
                              inside: Failed
====Configuration State===
        Sync Done
        Sync Done - STANDBY
====Communication State===
        Mac set
myfirewall/pri/act(config)# show failover statistics
        tx:384585696
        rx:29127977
Check the failover configuration:


myfirewall/pri/act(config)# sh run all failover
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/2
failover polltime unit 1 holdtime 15
failover polltime interface 5 holdtime 25
failover interface-policy 1
failover link failover GigabitEthernet0/2
failover interface ip failover 192.168.92.109 255.255.255.252 standby 192.168.92.11

Check the session table of the firewall
With a class-map you can set the maximum number of sessions for specific traffic, or for all traffic with match any:
myfirewall(config)# class-map CONNS
myfirewall(config-cmap)# match any
myfirewall(config-cmap)# policy-map CONNS
myfirewall(config-pmap)# class CONNS
myfirewall(config-pmap-c)# set connection conn-max 1000 embryonic-conn-max 3000
The values from the session table of the firewall (the max against the used if configured):


myfirewall/pri/act(config)# show conn ?
exec mode commands/options:
  address         Enter this keyword to specify IP address
  all             Enter this keyword to show conns including to-the-box and
                  from-the-box
  count           Enter this keyword to show conn count only
  detail          Enter this keyword to show conn in detail
  long            Enter this keyword to show conn in long format
  port            Enter this keyword to specify port
  protocol        Enter this keyword to specify conn protocol
  scansafe        Enter this keyword to show conns being forwarded to scansafe
                  server
  security-group  Enter this keyword to show security-group attributes in conns
  state           Enter this keyword to specify conn state
  user            Enter this keyword to specify conn user
  user-group      Enter this keyword to specify conn user group
  user-identity   Enter this keyword to show user names
  |               Output modifiers
myfirewall/pri/act(config)# show conn count
77 in use, 1013 most used
myfirewall/pri/act(config)# show conn state ?

exec mode commands/options:
  WORD  Enter any number of the following conn states using ',' as separator:
        up finin finout http_get smtp_data nojava data_in data_out sunrpc h225
        h323 sqlnet_fixup_data conn_inbound sip mgcp ctiqbe skinny
        service_module stub tcp_embryonic vpn_orphan
myfirewall/pri/act(config)# show conn state up
80 in use, 1013 most used
TCP dmz5 192.168.38.250:4634 inside 172.24.1.2:54320, idle 0:02:29, bytes 12905,
TCP dmz5 192.168.38.250:4633 inside 172.24.1.2:135, idle 0:02:29, bytes 684, flag
TCP dmz6 192.168.47.8:80 dmz5 192.168.37.227:55335, idle 0:00:00, bytes 161830708
TCP dmz6 192.168.47.10:80 dmz5 192.168.37.227:65521, idle 0:00:00, bytes 61797243
TCP dmz6 192.168.47.11:80 dmz5 192.168.37.227:55339, idle 0:00:00, bytes 38116666
TCP dmz5 192.168.36.251:80 inside 172.31.229.68:62940, idle 0:00:00, bytes 335503
TCP dmz5 192.168.36.251:80 inside 172.24.162.217:57429, idle 0:00:00, bytes 47451
TCP dmz5 192.168.38.250:23757 inside 172.24.3.38:1165, idle 0:00:00, bytes 597473
TCP dmz5 192.168.38.250:3389 inside 192.168.252.66:4042, idle 0:00:48, bytes 3378
TCP dmz5 192.168.38.250:23757 inside 172.24.3.40:63433, idle 0:00:00, bytes 93168
You can filter for the session that you are looking for (example):

myfirewall/pri/act(config)# show conn long address 192.168.47.10
74 in use, 1013 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, b - TCP state-bypass or nailed,
       C - CTIQBE media, c - cluster centralized,
       D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
       k - Skinny media, M - SMTP data, m - SIP media, n - GUP
       O - outbound data, P - inside back connection, p - Phone-proxy TFTP connecti
       q - SQL*Net data, R - outside acknowledged FIN,
       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
       V - VPN orphan, W - WAAS,
       X - inspected by service module,
       x - per session, Y - director stub flow, y - backup stub flow,
       Z - Scansafe redirection, z - forwarding stub flow
TCP dmz6: 192.168.47.10/80 (192.168.47.10/80) dmz5: 192.168.37.227/65521 (192.168.3
Check the traffic on interfaces, the packet and byte counters.


myfirewall/pri/act(config)# show traffic
dmz5:
        received (in 1661754.406 secs):
                14637140684 packets 673671106797 bytes
                8001 pkts/sec 405002 bytes/sec
        transmitted (in 1661754.406 secs):
                38728179279 packets 53732439765301 bytes
                23000 pkts/sec 32334000 bytes/sec
      1 minute input rate 1382 pkts/sec, 67193 bytes/sec
      1 minute output rate 3546 pkts/sec, 4923809 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 1375 pkts/sec, 67887 bytes/sec
      5 minute output rate 3589 pkts/sec, 4994000 bytes/sec
      5 minute drop rate, 0 pkts/sec
dmz6:
        received (in 1661754.416 secs):
                38627911784 packets 53724170049557 bytes
                23002 pkts/sec 32329000 bytes/sec
        transmitted (in 1661754.416 secs):
                14299138045 packets 572124451016 bytes
                8000 pkts/sec 344002 bytes/sec
      1 minute input rate 3535 pkts/sec, 4923119 bytes/sec
      1 minute output rate 1354 pkts/sec, 54206 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 3577 pkts/sec, 4993200 bytes/sec
      5 minute output rate 1345 pkts/sec, 53821 bytes/sec
      5 minute drop rate, 0 pkts/sec
inside:
        received (in 1661754.416 secs):
                826826503 packets 60669330026 bytes
                1 pkts/sec 36000 bytes/sec
        transmitted (in 1661754.416 secs):
                245271895 packets 109518736779 bytes
                0 pkts/sec 65000 bytes/sec
      1 minute input rate 44 pkts/sec, 2772 bytes/sec
      1 minute output rate 25 pkts/sec, 13180 bytes/sec
      1 minute drop rate, 21 pkts/sec
      5 minute input rate 45 pkts/sec, 2829 bytes/sec
      5 minute output rate 28 pkts/sec, 14443 bytes/sec
      5 minute drop rate, 21 pkts/sec
Check the timeout values in the firewall:


myfirewall2/pri/act# sh run timeout
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00

2.0 Check the interface settings

Check the state, speed, duplex and IP of the interfaces
Show the running config only for the interfaces with an IP address:
myfirewall/pri/act(config)# sh run ip address
!
interface GigabitEthernet0/0.14
 vlan 14
 nameif dmz5
 security-level 0
 ip address 192.168.36.1 255.255.252.0 standby 192.168.36.2
!
interface GigabitEthernet0/0.65
 vlan 65
 nameif dmz6
 security-level 0
 ip address 192.168.47.1 255.255.255.0 standby 192.168.47.2
!
interface GigabitEthernet0/1.100
 vlan 100
 nameif inside
 security-level 100
 ip address 192.168.3.5 255.255.248.0 standby 172.24.3.6
Show IP address and security level only:

myfirewall2/pri/act# sh ip
System IP Addresses:
Interface            Name      IP address      Subnet mask      Met
Port-channel1.1001   dmz1      5.5.5.5         255.255.255.192  CONFIG
Port-channel2        Failover  192.168.92.13   255.255.255.252  uns
Port-channel4.721    inside    172.17.131.151  255.255.255.0    CON
Current IP Addresses:
Interface            Name      IP address      Subnet mask      Met
Port-channel1.1001   dmz1      5.5.5.5         255.255.255.192  CONFIG
Port-channel2        Failover  192.168.92.13   255.255.255.252  uns
Port-channel4.721    inside    172.17.131.151  255.255.255.0    CON
myfirewall2/pri/act# sh nameif
Interface            Name        Security
Management0/0        management  100
Port-channel1.1001   dmz1        0
Port-channel4.721    inside      100
Check the MAC and the state of the interfaces. The name of the interface in the example below is
internal.
Here you can see the following in the output:
Interface name
MAC
Link state
Speed
Duplex
MTU
Packet and Byte counters
Errors


myfirewall/pri/act# show interface
Interface GigabitEthernet0/0 "", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is off
        Available but not configured via nameif
        MAC address 001f.abcc.a5e6, MTU not set
        IP address unassigned
        53280934440 packets input, 55671972432495 bytes, 0 no buffer
        Received 167625118 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        53043155385 packets output, 55516746848674 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 2 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops, 0 tx hangs
        input queue (blocks free curr/low): hardware (255/230)
        output queue (blocks free curr/low): hardware (255/122)
Interface GigabitEthernet0/0.14 "dmz5", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 14
        Description: dmz5
        MAC address 001f.abcc.a5e6, MTU 1500
        IP address 192.168.36.1, subnet mask 255.255.252.0
  Traffic Statistics for "dmz5":
        14641601950 packets input, 673897945554 bytes
        38739676247 packets output, 53748403391129 bytes
        51923927 packets dropped
Interface GigabitEthernet0/0.65 "dmz6", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 65
        Description: dmz6
        MAC address 001f.abcc.a5e6, MTU 1500
        IP address 192.168.47.1, subnet mask 255.255.255.0
  Traffic Statistics for "dmz6":
        38639332463 packets input, 53740092462779 bytes
        14303479193 packets output, 572298134370 bytes
        83451 packets dropped

Check the ARP Table

This contains the permanent and the dynamic ARP entries
myfirewall/pri/act# show arp
        dmz5 192.168.38.43 0020.4ab0.a59f 0
        dmz5 192.168.37.226 2c27.d733.a9e2 0
        dmz5 192.168.37.236 2c27.d733.a89e 0
        dmz5 192.168.37.235 78ac.c0b2.4066 0
        dmz5 192.168.37.240 0019.99ae.847c 0
        dmz5 192.168.39.240 0019.9987.5676 0
...

3.0 Check the Routing Table
With show route you can see the actual routing table of the firewall with the static and the
dynamic routes and the directly connected networks.
myfirewall/pri/act# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is 172.24.2.2 to network 0.0.0.0
C    172.24.0.0 255.255.248.0 is directly connected, inside
C    192.168.99.0 255.255.255.0 is directly connected, oob
C    192.168.47.0 255.255.255.0 is directly connected, dmz6
C    192.168.92.108 255.255.255.252 is directly connected, failover
S*   0.0.0.0 0.0.0.0 [1/0] via 172.24.2.2, inside
C    192.168.36.0 255.255.252.0 is directly connected, dmz5


Check the matching route
Are you looking for a specific route in a big database? No problem, use show route with more
details:
myfirewall/pri/act# sh route inside 172.31.231.246
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is 172.24.2.2 to network 0.0.0.0

4.0 VPN Troubleshooting
The most significant part for VPN is the time on the devices. To check the time use the following
commands:
myfirewall/pri/act# show clock
11:19:45.485 CEDT Wed Sep 18 2013
myfirewall/pri/act# show ntp status
Clock is synchronized, stratum 3, reference is 172.24.10.100
nominal freq is 99.9984 Hz, actual freq is 99.9968 Hz, precision is 2**6
reference time is d5e3ed1d.b0b7a760 (11:13:01.690 CEDT Wed Sep 18 2013)
clock offset is 0.1998 msec, root delay is 18.55 msec
root dispersion is 36.01 msec, peer dispersion is 15.64 msec

Change the tunnel state

Bring up a vpn tunnel manually. No traffic required.
Shut down a vpn tunnel manually.
All tunnels:
myfirewall3/pri/act# clear crypto isakmp sa
Only a specific tunnel:
myfirewall3/pri/act# clear ipsec sa peer 2.2.2.2
myfirewall2/pri/act# clear cry ikev1 sa 2.2.2.2
Shut down for a longer time:
myfirewall2/pri/act(config)# no crypto map l2lvpns 10 set peer 211.66.176.18

Check the tunnel state
If there is no SA, that means the tunnel is down and does not work. To see if the tunnel is up we
need to check if any SA exists.
To see if the tunnel is up you can use the show crypto isakmp sa or show crypto ipsec sa
command.
Tunnel state is down
Tunnel does not exist if there is no output of the commands below:
myfirewall3/pri/act# sh cry isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
myfirewall3/pri/act# show crypto ipsec sa
There are no ipsec sas
Tunnel state is up

Information from the output of the command below:
vpn peers
encrypted traffic (source and destination)
traffic counters for encrypted traffic
SPI for encrypt and decrypt
Encryption method


myfirewall2/pri/act# show cry ips sa peer 3.3.3.3
peer address: 3.3.3.3
    Crypto map tag: firmen, seq num: 22, local addr: 5.5.5.5

      access-list tunvoss extended permit ip host 172.19.212.10 192.168.15.72 255.
      local ident (addr/mask/prot/port): (172.19.212.10/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.15.72/255.255.255.248/0/0)
      current_peer: 3.3.3.3
      #pkts encaps: 26, #pkts encrypt: 26, #pkts digest: 26
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 26, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 5.5.5.5/0, remote crypto endpt.: 3.3.3.3/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: AB092E6E
      current inbound spi : 910F4308
    inbound esp sas:
      spi: 0x910F4308 (2433696520)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 25923584, crypto-map: firmen
         sa timing: remaining key lifetime (kB/sec): (4373999/3360)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x000003FF
    outbound esp sas:
      spi: 0xAB092E6E (2869505646)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 25923584, crypto-map: firmen
         sa timing: remaining key lifetime (kB/sec): (4373997/3360)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001


Check packet counters for the tunnel
To see if the encryption and decryption of the packets works, run the show cry
ipsec sa command 2 or more times and compare the values. On the second and third outputs the counters should
show larger numbers.
On the following output the firewall has 1 active vpn peer.
myfirewall2/pri/act# show vpn-sessiondb l2l
Session Type: LAN-to-LAN
Connection   : 9.9.9.9
Index        : 5671                   IP Addr      : 9.9.9.9
Protocol     : IKEv1 IPsec
Encryption   : 3DES                   Hashing      : MD5
Bytes Tx     : 83496278               Bytes Rx     : 420469160
Login Time   : 02:17:25 CEDT Wed Sep 18 2013
Duration     : 12h:15m:49s
Connection   : 3.3.3.3
Index        : 6329                   IP Addr      : 3.3.3.3
Protocol     : IKEv1 IPsec
Encryption   : AES256                 Hashing      : SHA1
Bytes Tx     : 6100                   Bytes Rx     : 5992
Login Time   : 14:26:13 CEDT Wed Sep 18 2013
Duration     : 0h:07m:01s
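
The counter comparison from "Check packet counters for the tunnel" (run show cry ipsec sa two or more times and check that the values grow), as an added Python example that is not part of the original post. The two captures are constructed sample text in the device's normal spaced layout, and the status names (both, encaps-only, decaps-only, idle, reset, new, gone) are this example's own labels.

```python
import re

# Constructed captures (not from a real device) in the spaced layout of
# `show crypto ipsec sa`, taken a short time apart on the same firewall.
CAPTURE_1 = """\
  local ident (addr/mask/prot/port): (172.19.212.10/255.255.255.255/0/0)
  remote ident (addr/mask/prot/port): (192.168.15.72/255.255.255.248/0/0)
  current_peer: 3.3.3.3
  #pkts encaps: 26, #pkts encrypt: 26, #pkts digest: 26
  #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
  local ident (addr/mask/prot/port): (10.10.10.11/255.255.255.255/0/0)
  remote ident (addr/mask/prot/port): (192.168.1.48/255.255.255.240/0/0)
  current_peer: 13.13.13.13
  #pkts encaps: 38097, #pkts encrypt: 38097, #pkts digest: 38097
  #pkts decaps: 34559, #pkts decrypt: 34559, #pkts verify: 34559
  local ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
  remote ident (addr/mask/prot/port): (10.30.0.0/255.255.0.0/0/0)
  current_peer: 9.9.9.9
  #pkts encaps: 500, #pkts encrypt: 500, #pkts digest: 500
  #pkts decaps: 480, #pkts decrypt: 480, #pkts verify: 480
"""
CAPTURE_2 = """\
  local ident (addr/mask/prot/port): (172.19.212.10/255.255.255.255/0/0)
  remote ident (addr/mask/prot/port): (192.168.15.72/255.255.255.248/0/0)
  current_peer: 3.3.3.3
  #pkts encaps: 41, #pkts encrypt: 41, #pkts digest: 41
  #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
  local ident (addr/mask/prot/port): (10.10.10.11/255.255.255.255/0/0)
  remote ident (addr/mask/prot/port): (192.168.1.48/255.255.255.240/0/0)
  current_peer: 13.13.13.13
  #pkts encaps: 38150, #pkts encrypt: 38150, #pkts digest: 38150
  #pkts decaps: 34601, #pkts decrypt: 34601, #pkts verify: 34601
  local ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
  remote ident (addr/mask/prot/port): (10.30.0.0/255.255.0.0/0/0)
  current_peer: 9.9.9.9
  #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
  #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \((\S+)\)")
PEER_RE = re.compile(r"current_peer: ([0-9A-Fa-f.:]+)")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_ipsec_sa(text):
    """Return {(peer, local_ident, remote_ident): {"encaps": n, "decaps": n}}."""
    sas, cur = {}, {}
    for line in text.splitlines():
        ident = IDENT_RE.search(line)
        peer = PEER_RE.search(line)
        if ident and ident.group(1) == "local":
            cur = {"local": ident.group(2)}   # a local ident line opens a new SA
        elif ident:
            cur["remote"] = ident.group(2)
        elif peer:
            cur["peer"] = peer.group(1)
        for name, value in PKTS_RE.findall(line):
            cur[name] = int(value)
        if len(cur) == 5:                     # local, remote, peer, encaps, decaps
            key = (cur["peer"], cur["local"], cur["remote"])
            sas[key] = {"encaps": cur["encaps"], "decaps": cur["decaps"]}
            cur = {}
    return sas


def compare(before, after):
    """Map each SA to (status, encaps_delta, decaps_delta) between two captures."""
    result = {}
    for key in before.keys() | after.keys():
        if key not in after:
            result[key] = ("gone", 0, 0)      # SA no longer exists: tunnel is down
            continue
        if key not in before:
            result[key] = ("new", 0, 0)       # nothing to compare against yet
            continue
        d_enc = after[key]["encaps"] - before[key]["encaps"]
        d_dec = after[key]["decaps"] - before[key]["decaps"]
        if d_enc < 0 or d_dec < 0:
            status = "reset"                  # SA re-created or counters cleared
        elif d_enc and d_dec:
            status = "both"                   # encrypting and decrypting
        elif d_enc:
            status = "encaps-only"            # packets leave, none are decrypted
        elif d_dec:
            status = "decaps-only"            # packets arrive, none are encrypted
        else:
            status = "idle"                   # no matching traffic in between
        result[key] = (status, d_enc, d_dec)
    return result


if __name__ == "__main__":
    report = compare(parse_ipsec_sa(CAPTURE_1), parse_ipsec_sa(CAPTURE_2))
    for (peer, local, remote), (status, d_enc, d_dec) in sorted(report.items()):
        print(f"{peer:15} {local} -> {remote}: {status} "
              f"({d_enc:+d} encaps, {d_dec:+d} decaps)")
```

An SA whose encaps counter grows while decaps stays flat is the case a single capture cannot show; keying on peer plus local and remote ident keeps several SAs to the same peer apart.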

Check the uptime of the VPN tunnels
Uptime for site to site VPN


asafirewall/pri/act# show vpn-sessiondb l2l
Session Type: LAN-to-LAN
Connection   : 25.25.25.25
Index        : 34872                  IP Addr      : 25.25.25.25
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (3)AES256
Hashing      : IKEv1: (1)SHA1  IPsec: (3)SHA1
Bytes Tx     : 73653504               Bytes Rx     : 31342653
Login Time   : 01:15:18 CEST Thu Nov 28 2013
Duration     : 12h:36m:51s
Connection   : dynvpntunnel
Index        : 34902                  IP Addr      : 35.35.35.35
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (1)AES256
Hashing      : IKEv1: (1)SHA1  IPsec: (1)SHA1
Bytes Tx     : 17679966               Bytes Rx     : 2626429
Login Time   : 12:38:17 CEST Thu Nov 28 2013
Duration     : 1h:13m:52s
SA Lifetime for IKE /phase 1/ for site to site (lifetime in seconds)
asafirewall/pri/act# show crypto isa sa detail
IKEv1 SAs:
   Active SA: 4
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 4
1   IKE Peer: 45.45.45.45
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_ACTIVE
    Encrypt : aes-256         Hash    : SHA
    Auth    : preshared       Lifetime: 14400
    Lifetime Remaining: 12039
2   IKE Peer: 55.55.55.55
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : MD5
    Auth    : preshared       Lifetime: 14400
    Lifetime Remaining: 12462

SA Lifetimes for inbound and outbound esp sas /phase 2/ for site to site (lifetime in seconds)
asafirewall/pri/act# show crypto ipsec sa
interface: outside
Crypto map tag: tunnel, seq num: 20, local addr: 46.46.46.46

access-list tunacl1 extended permit ip host 10.10.10.11 192.168.1.48 255.255
local ident (addr/mask/prot/port): (10.10.10.11/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.1.48/255.255.255.240/0/0)
current_peer: 13.13.13.13
#pkts encaps: 38097, #pkts encrypt: 38097, #pkts digest: 38097
#pkts decaps: 34559, #pkts decrypt: 34559, #pkts verify: 34559
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 38097, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 46.46.46.46/0, remote crypto endpt.: 13.13.13.13/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 22512A19
current inbound spi: 8F46C331
inbound esp sas:
spi: 0x8F46C331 (2403779377)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 143024128, crypto-map: tunnel
sa timing: remaining key lifetime (kB/sec): (4371840/26381)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x22512A19 (575744537)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 143024128, crypto-map: tunnel
sa timing: remaining key lifetime (kB/sec): (4350795/26381)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Uptime for old vpn client
asafirewall/pri/act# show vpn-sessiondb ra-ikev1-ipsec
Session Type: IKEv1 IPsec
Username: einsteina@vpntungrp1 Index: 3856
Assigned IP: 192.168.236.249 Public IP: 37.209.44.113
Protocol: IKEv1 IPsecOverTCP
License: Other VPN
Encryption: AES128 Hashing: SHA1
Bytes Tx: 667580222 Bytes Rx: 195368751
Group Policy: vpngrpp1 Tunnel Group: vpndeol
Login Time: 10:15:51 CEST Tue Nov 19 2013
Duration: 9d 3h:37m:37s
Inactivity: 0h:00m:00s
NAC Result: Unknown
VLAN Mapping: N/A VLAN: none
Username: leonardo@vpntungrp2 Index: 12473
Assigned IP: 192.168.244.151 Public IP: 145.253.227.158
Protocol: IKEv1 IPsecOverTCP
License: Other VPN
Encryption: AES128 Hashing: SHA1
Bytes Tx: 64670782 Bytes Rx: 49769295
Group Policy: vpngrpp2 Tunnel Group: vpnextrsa
Login Time: 09:07:46 CEST Wed Nov 27 2013
Duration: 1d 4h:45m:42s

Uptime for new vpn client (Anyconnect)

asafirewall/pri/act# sh vpn-sessiondb anyconnect
Session Type: AnyConnect
Username: beck@vpntungrp3 Index: 12579
Assigned IP: 192.168.236.194 Public IP: 84.163.80.247
Protocol: AnyConnect-Parent SSL-Tunnel
License: AnyConnect Essentials
Encryption: 3DES Hashing: none SHA1
Bytes Tx: 552426724 Bytes Rx: 264841827
Group Policy: vpngrpp3 Tunnel Group: DefaultWEBVPNGroup
Login Time: 10:21:29 CEST Wed Nov 27 2013
Duration: 1d 3h:44m:57s
Inactivity: 0h:00m:00s
NAC Result: Unknown
VLAN Mapping: N/A VLAN: none
Username: baromarcu@vpntungrp3 Index: 13405
Assigned IP: 192.168.238.212 Public IP: 91.14.67.250
Protocol: AnyConnect-Parent SSL-Tunnel
License: AnyConnect Essentials
Encryption: 3DES Hashing: none SHA1
Bytes Tx: 376838398 Bytes Rx: 153802768
Group Policy: vpngrpp3 Tunnel Group: DefaultWEBVPNGroup
Login Time: 07:22:24 CEST Thu Nov 28 2013
Duration: 6h:44m:02s
Inactivity: 0h:00m:00s
NAC Result: Unknown
VLAN Mapping: N/A VLAN: none

5.1 sniffer trace
The basic command is capture; after that you have to define the interface* (or the keyword any).
Raise the packet length to a higher value if you need the payload from the packets!

myfirewall2/pri/act# capture capturename packet-length 1600 match tcp host 2.2.2.2
myfirewall2/pri/act#
myfirewall2/pri/act# sh cap
capture capturename type raw-data [Capturing - 0 bytes]
match tcp host 2.2.2.2 any eq https
You can use an access-list to match the traffic in more detail.
To export the sniffer trace to a pcap file use the command:
myfirewall2/pri/act# copy /pcap capture: tftp
Source capture name []? capturename
Address or name of remote host []? 3.3.3.3
Destination filename [capturename]? capturename.pcap
!!!!
myfirewall2/pri/act#

5.2 Test traffic through the firewall
myfirewall/pri/act# packet-tracer input inside tcp 10.1.1.1102410.4.1.123

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config: access-group inside in interface inside access-list inside extended permit

5.3 Test tcp traffic from the firewall
myfirewall/pri/act# ping tcp inside 10.26.134.2880 source 10.23.18.141324

6.0 View logging on cli
The buffer size is limited and if the buffer is full the old logs will be overwritten.
To check your log settings issue the following:
myfirewall3/pri/act# sh run logging
logging enable
logging timestamp
logging buffered alerts
logging trap errors
logging asdm debugging
logging mail alerts
[email protected]
[email protected]
logging host fwtrans 172.24.2.218
logging host fwtrans 172.24.2.219
logging permit-hostdown

Configure logging
The important commands are:
logging enable
logging timestamp
logging host fwtrans 172.24.2.218
logging trap errors
Save the logs from the buffer to a file; afterwards you can copy it to your tftp server.
myfirewall3/pri/act# logging savelog mylogs
myfirewall3/pri/act# cd syslog
myfirewall3/pri/act# dir
Directory of disk0:/syslog/
113 -rwx 2880 14:41:18 Sep 18 2013 mylogs
255426560 bytes total (181706752 bytes free)
Viewing the logs
To see the buffer logs issue:
myfirewall3/pri/act# show logging

7.0 Inspection and asp drop
These commands should be issued multiple times to see which counter is actually increasing, since that can point to a problem.
Issuing the command just once does not make much sense, since we do not know how long the counters have been accumulating.
myfirewall/pri/act# sh service-policy set connection detail

Interface germany:
Service-policy: voicehttpmap
Class-map: voicehttpmap
Set connection policy: drop 0
Set connection advanced-options: maxmsssize
Retransmission drops: 0 TCP checksum drops: 0
Exceeded MSS drops: 0 SYN with data drops: 0
Invalid ACK drops: 0 SYN-ACK with data drops: 0
Out-of-order (OoO) packets: 0 OoO no buffer drops: 0
OoO buffer timeout drops: 0 SEQ past window drops: 208
Reserved bit cleared: 0 Reserved bit drops: 0
IP TTL modified: 0 Urgent flag cleared: 0
Window varied resets: 0
TCP-options:
Selective ACK cleared: 0 Timestamp cleared: 0
Window scale cleared: 0
Other options cleared: 0
Other options drops: 0

myfirewall/pri/act# sh asp drop flow
Inspection failure (inspect-fail) 14616790
SSL handshake failed (ssl-handshake-failed) 85
SSL received close alert (ssl-received-close-alert) 40
Last clearing: Never

myfirewall/pri/act# sh asp drop frame
Flow is being freed (flow-being-freed) 121
Invalid TCP Length (invalid-tcp-hdr-length) 1
No valid adjacency (no-adjacency) 36
Reverse-path verify failed (rpf-violated) 6990253
Flow is denied by configured rule (acl-drop) 864778803
Flow denied due to resource limitation (unable-to-create-flow) 1374
First TCP packet not SYN (tcp-not-syn) 471046343
Bad TCP flags (bad-tcp-flags) 46770
TCP data send after FIN (tcp-data-past-fin) 128
TCP failed 3 way handshake (tcp-3whs-failed) 1560684
TCP RST/FIN out of order (tcp-rstfin-ooo) 30625519
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 9582
TCP SYNACK on established conn (tcp-synack-ooo) 8770
TCP packet SEQ past window (tcp-seq-past-win) 77478
TCP invalid ACK (tcp-invalid-ack) 53427
TCP ACK in 3 way handshake invalid (tcp-discarded-ooo) 5710
TCP Out-of-Order packet buffer full (tcp-buffer-full) 1
TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 5541
TCP RST/SYN in window (tcp-rst-syn-in-win) 326943
TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 769
TCP packet failed PAWS test (tcp-paws-fail) 1530
Expired flow (flow-expired) 284
ICMP Inspect bad icmp code (inspect-icmp-bad-code) 300
ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched) 633646
ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn)
DNS Inspect invalid packet (inspect-dns-invalid-pak) 35
DNS Inspect invalid domain label (inspect-dns-invalid-domain-label) 628
DNS Inspect packet too long (inspect-dns-pak-too-long) 5044504
DNS Inspect id not matched (inspect-dns-id-not-matched) 1589860
Unable to obtain connection lock (connection-lock) 13
Interface is down (interface-down) 35
RM connection limit reached (rm-conn-limit) 136021
Dropped pending packets in a closed socket (np-socket-closed) 27886
Last clearing: Never
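
The advice in this section to run the asp drop commands several times and watch which counters move can be scripted. The following is an added example, not part of the original post: it parses two saved outputs of show asp drop and lists the counters that increased, with their rate. The first snapshot uses values printed above; the second snapshot and the 60 second interval are constructed sample values.

```python
import re

# One counter line: description, drop id in parentheses, then the count.
LINE_RE = re.compile(r"^\s*(.+?)\s*\(([a-z0-9-]+)\)\s+(\d+)\s*$")

# First snapshot: counter values as printed on this page.
SNAPSHOT_1 = """\
Frame drop:
  Reverse-path verify failed (rpf-violated)                    6990253
  Flow is denied by configured rule (acl-drop)               864778803
  First TCP packet not SYN (tcp-not-syn)                     471046343
  TCP failed 3 way handshake (tcp-3whs-failed)                 1560684
Last clearing: Never
"""

# Second snapshot: constructed values, assumed to be taken 60 seconds later.
SNAPSHOT_2 = """\
Frame drop:
  Reverse-path verify failed (rpf-violated)                    6990253
  Flow is denied by configured rule (acl-drop)               864779403
  First TCP packet not SYN (tcp-not-syn)                     471046343
  Bad TCP flags (bad-tcp-flags)                                     12
  TCP failed 3 way handshake (tcp-3whs-failed)                 1563684
Last clearing: Never
"""


def parse_asp_drop(text):
    """Return {drop_id: count}; prompts and header lines are skipped."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[m.group(2)] = int(m.group(3))
    return counters


def increasing_counters(before, after, seconds):
    """Return (drop_id, delta, drops_per_second), largest delta first."""
    old, new = parse_asp_drop(before), parse_asp_drop(after)
    rows = []
    for drop_id, count in new.items():
        # Assumption: an id absent from the first snapshot stood at 0.
        delta = count - old.get(drop_id, 0)
        if delta < 0:
            raise ValueError(f"{drop_id} decreased: counters were cleared")
        if delta > 0:
            rows.append((drop_id, delta, round(delta / seconds, 2)))
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for row in increasing_counters(SNAPSHOT_1, SNAPSHOT_2, 60):
        print("%-20s +%-8d %.2f/s" % row)
```

Large but static totals such as rpf-violated drop out of the result, which leaves only the counters that are moving right now.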

8.0 Threat Detection (check the top talkers)
threat detection configuration example:
myfirewall/pri/act(config)# sh run threat-detection
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
show commands threat detection:
This command, IF activated, can give us really useful basic information about the network flows passing through the firewall.
Or if we have a performance problem with our internet connection, we can see who currently owns the line (whose head must be under the guillotine.)
myfirewall/pri/act# sh threat-detection statistics top ?
access-list Enter this keyword to display top N access-list statistics
host Enter this keyword to display top N host statistics
port-protocol Enter this keyword to display top N port statistics
rate-1 Enter this keyword to display top N's first rate statistics
rate-2 Enter this keyword to display top N's second rate statistics
rate-3 Enter this keyword to display top N's third rate statistics
tcp-intercept Show statistics information for tcp intercept
| Output modifiers

an example with port and protocol
myfirewall/pri/act# sh threat-detection statistics top port-protocol
Top Name Id Average(eps) Current(eps) Trigger Total events
0minSentattack:
0minRecvattack:
01DNS5329723552271001783308
02LDAP3896394742549383645
03HTTP801621521406697668
04NetBIOSName137160193803196239
05HTTPS443131851124279013
06Port81916553510897351364974
07XMPPSSLUno5223481022428884
08SNMPTRAP16246465053727859
09SYSLOG5143632977321995
10MSDS/SMB44530404522018030
1hourSentbyte:
01HTTP802519429924939838090699477563
02MSDS/SMB44582608848225102029739184085
03Port819165535703854310227395025338757949
04LDAP3892334189234793008403081060
05MicrosoftSQL14331373774119690904945586558
06HTTPS4431318144125874504745319756
07HTTPAlternat808052088956608801875202977
08DNS5343070545206601550540194
09Port778077802645642586840952431991
10Port33803380230415120960829497591
1hourSentpkts:
01MSDS/SMB44540571417860146057206
02HTTP802261222957081406406
03Port819165535883411379031804979
04HTTPS4432528277709101589
05LDAP3891956195407041854
06MicrosoftSQL14331723152706204903
07Port13513567957202445229
08HTTPAlternat808041444701493298
09DNS5339338701418233
10ICMP*128136501012609
1hourRecvbyte:
01MSDS/SMB44582415888308370029669717400
02HTTP8031488294675871011335784733
03Port81916553529087392644375010471460696
04Port2055205529261428158901053413852
05SYSLOG5142692083231640969151225
06HTTPS4432665502831140959582362
07MicrosoftSQL14332002551736450720919352
08LDAP3891493481492860537653925
09SMTP25889191040110320111885
10Port13513576251638140274507044
1hourRecvpkts:
01MSDS/SMB44540120413550144433605
02HTTP801602817115057703486
03Port81916553578538933028273380
04MicrosoftSQL14331441128105188677
05LDAP3891329133904785811
06HTTPS44398892103559831
07Port13513569458802498510
08SYSLOG51429235501051921
09HTTPAlternat80802722890981307
10DNS532522510909608
and the top talkers list for hosts:
myfirewall/pri/act(config)# sh threat-detection statistics top host
Top Name Id Average(eps) Current(eps) Trigger Total events
20minSentattack:
01145.45.45.2261106016213697
02145.45.45.24299565711297
03145.45.45.23270400459173
04145.45.45.234645330967890
05192.168.135.1466782147536
06145.45.45.2115761096024
07145.45.45.21044197565209
08172.31.4.412182620
09172.16.2.224112022247
1010.10.123.21152048
20minRecvattack:
01192.168.135.1363319774278
02172.16.28.61202398
03172.31.241.991102160
04145.45.45.211108301575
05192.168.133.191113191293
0610.16.200.2710171256
07172.26.30.200001004
08172.16.1.1000216903
09172.16.22.11001382713
1010.10.123.2007983653
...

7.0 Backup and Restore
Backup command with tftp server:

myfirewall3/pri/act# copy running-config tftp
Source filename [running-config]?
Address or name of remote host []? 3.3.3.3
Destination filename [running-config]?
Cryptochecksum: ee921f66a8586880f2d4fc17c76933b2
For more info read my post: Migrate Cisco ASA configuration, certificates and private keys
That's all folks!
Tagged: Cisco ASA, commands, troubleshooting

6 Responses Cisco ASA troubleshooting commands
Krish
September 19, 2013

Very useful for basic troubleshooting..

itsecworks
September 19, 2013

Yes, only for basic troubleshooting :) the rest will be posted soon :)

akesh
February 22, 2014

Good Stuff.. Can you also try to post a bit more complex troubleshooting.. thank you

itsecworks
February 22, 2014

Feel free to suggest and it will be added to this post.

Bhumika
November 3, 2014

I found this document very useful. all basic commands at one place

Ramesh
February 4, 2015

good for beginners