8/5/2021 Cisco ASA troubleshooting commands | itsecworks


Cisco ASA troubleshooting commands

Posted on September 18, 2013


Based on my requirements for any layer 3 network security device, I have collected the basic commands that you have to know; without them you will not be able to manage your device.

1.0 Check the basic settings and firewall states
  Check the system status
  Check the hardware performance
  Check the High Availability state
  Check the session table of the firewall
2.0 Check the interface settings
  Check the state, speed, duplex and IP of the interfaces
  Check the ARP Table
3.0 Check the Routing Table
  Check the matching route
4.0 VPN Troubleshooting
  Change the tunnel state
  Check the tunnel state
  Check packet counters for the tunnel
  Check the uptime of the VPN Tunnels
5.1 Sniffer trace
5.2 Test traffic through the firewall
5.3 Test TCP traffic from the firewall
6.0 View logging on the CLI
  Configure logging
  Viewing the logs
7.0 Inspection and asp-drop
8.0 Threat Detection (check the top talkers)
9.0 Backup and Restore


1.0 Check the basic settings and firewall states

Check the system status

To see the current software version, operational mode, HA state, etc., and the system time:

myfirewall/pri/act# show firewall
Firewall mode: Router

myfirewall/pri/act# show version
Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 7.1(1)52
Compiled on Wed 28-Nov-12 10:38 by builders
System image file is "disk0:/asa911-k8.bin"
Config file at boot was "startup-config"
myfirewall up 218 days 1 hour
failover cluster up 5 years 10 days
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz,
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xfff00000, 1024KB
Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.08
Number of accelerators: 1
0: Ext: GigabitEthernet0/0 : address is 001f.abcc.a8c6, irq 9
1: Ext: GigabitEthernet0/1 : address is 001f.abcc.a5e7, irq 9
2: Ext: GigabitEthernet0/2 : address is 001f.abcc.a5e8, irq 9
3: Ext: GigabitEthernet0/3 : address is 001f.abcc.a5e9, irq 9
4: Ext: Management0/0 : address is 001f.abcc.a5ea, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 4 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 4 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 4 perpetual
Total UC Proxy Sessions : 4 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
Serial Number: JMX4567L1DA
Running Permanent Activation Key: 0x650e6758 0x345sb616 0x1233615a 0xc234fca3 0x111e9982
Configuration register is 0x1
Configuration last modified by admin at 10:41:22.791 CEDT Fri Sep 13 2013

The failover state:

myfirewall/pri/act(config)# sh failover state
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Ifc Failure              17:38:56 CEDT Jun 10 2013
               dmz5: Failed
               inside: Failed

====Configuration State===
    Sync Done
    Sync Done - STANDBY
====Communication State===
    Mac set

To see what the firewall has seen so far, i.e. the traffic mix concerning the enabled inspections:


myfirewall/pri/act(config)# sh service-policy
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 6206448, drop 1493, reset-drop 0, v6-fail-close 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: netbios, packet 285884, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: icmp, packet 14657730, drop 1226951, reset-drop 0, v6-fail-close 0
      Inspect: icmp error, packet 10377, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: dcerpc, packet 199070, drop 0, reset-drop 0, v6-fail-close 0
        tcp-proxy: bytes in buffer 0, bytes dropped 0

Check the hardware performance

To see the state of the CPU and the memory:

myfirewall/pri/act(config)# sh cpu usage
CPU utilization for 5 seconds = 8%; 1 minute: 9%; 5 minutes: 9%

myfirewall/pri/act(config)# sh memory
Free memory:       1722679208 bytes (80%)
Used memory:        424804440 bytes (20%)
-------------     ------------------
Total memory:      2147483648 bytes (100%)

myfirewall/pri/act# show processes cpu-usage sorted
PC         Thread       5Sec     1Min     5Min   Process
0x0827e731 0x6e5d2d8c   8.4%     8.7%     8.5%   Dispatch Unit
0x0878d2de 0x6e5bf254   0.2%     0.9%     0.4%   ARP Thread
0x090b0155 0x6e5b7fb4   0.2%     0.2%     0.1%   ssh
0x08785b0e 0x6e5bf460   0.0%     0.0%     0.0%   IP Thread
0x081735b4 0x6e5c56a0   0.0%     0.0%     0.0%   CTM message handler
0x08cdd5cc 0x6e5c2580   0.0%     0.0%     0.0%   update_cpu_usage
0x084e2936 0x6e5c04c0   0.0%     0.0%     0.0%   fover_health_monitoring_thread
0x0935c832 0x6e5bc964   0.0%     0.0%     0.0%   vpnfol_thread_timer
0x080596a4 0x6e5d31a4   0.0%     0.0%     0.0%   block_diag
0x08854a74 0x6e5d2974   0.0%     0.0%     0.0%   WebVPN KCD Process
0x084c6b6d 0x6e5d2768   0.0%     0.0%     0.0%   CF OIR
0x08eafaec 0x6e5d255c   0.0%     0.0%     0.0%   lina_int
0x0807209d 0x6e5d1f38   0.0%     0.0%     0.0%   Reload Control Thread
0x08086369 0x6e5d1d2c   0.0%     0.0%     0.0%   aaa
0x0916ad6d 0x6e5d1b20   0.0%     0.0%     0.0%   UserFromCert Thread
0x0916ad6d 0x6e5d1914   0.0%     0.0%     0.0%   aaa_shim_thread
0x080bae3c 0x6e5d14fc   0.0%     0.0%     0.0%   CMGR Server Process
0x080bd4ad 0x6e5d12f0   0.0%     0.0%     0.0%   CMGR Timer Process
0x0816d455 0x6e5d049c   0.0%     0.0%     0.0%   CTM Daemon
0x081df2c5 0x6e5d0290   0.0%     0.0%     0.0%   SXP CORE
0x081d7041 0x6e5d0084   0.0%     0.0%     0.0%   RBM CORE
0x081cde3c 0x6e5cfe78   0.0%     0.0%     0.0%   cts_task
0x081cf2ed 0x6e5cfc6c   0.0%     0.0%     0.0%   cts_timer_task
0x0827c804 0x6e5cf43c   0.0%     0.0%     0.0%   dbgtrace
0x0856b194 0x6e5cec0c   0.0%     0.0%     0.0%   557mcfix
0x0856b126 0x6e5cea00   0.0%     0.0%     0.0%   557statspoll
...

myfirewall/pri/act# show processes internals
   Invoked    Giveups  Max_Runtime  Process
         1          0        0.025  block_diag
1926681692 1926681692       32.679  Dispatch Unit
   3768836          0        0.189  WebVPN KCD Process
         1          0        0.012  CF OIR
         1          0        0.001  lina_int
         1          0        0.003  Reload Control Thread
    374305     233705        0.135  aaa
        10          4        1.427  UserFromCert Thread
        64         63        0.104  aaa_shim_thread
         2          0        0.009  CMGR Server Process
         2          0        0.008  CMGR Timer Process
         1          0        0.001  CTM Daemon
        62          0        0.044  SXP CORE
...

myfirewall/pri/act(config)# sh perfmon
PERFMON STATS:                      Current      Average
Xlates                                  0/s          0/s
Connections                             0/s          0/s
TCP Conns                               0/s          0/s
UDP Conns                               0/s          0/s
URL Access                              0/s          0/s
URL Server Req                          0/s          0/s
TCP Fixup                               0/s          0/s
TCP Intercept Established Conns         0/s          0/s
TCP Intercept Attempts                  0/s          0/s
TCP Embryonic Conns Timeout             0/s          0/s
HTTP Fixup                              0/s          0/s
FTP Fixup                               0/s          0/s
AAA Authen                              0/s          0/s
AAA Author                              0/s          0/s
AAA Account                             0/s          0/s
VALID CONNS RATE in TCP INTERCEPT:  Current      Average
                                        N/A      100.00%

Check the High Availability state

To get the High Availability state information, use the show failover command:


myfirewall/pri/act(config)# show failover ?

exec mode commands/options:
  descriptor  Show failover interface descriptors. Two numbers are shown for
              each interface. When exchanging information regarding a
              particular interface, this unit uses the first number in messages
              it sends to its peer. And it expects the second number in
              messages it receives from its peer. For trouble shooting, collect
              the show output from both units and verify that the numbers
              match.
  exec        Show failover command execution information
  history     Show failover switching history
  interface   Show failover command interface information
  state       Show failover internal state information
  statistics  Show failover command interface statistics information
  |           Output modifiers

Check the failover state:

myfirewall/pri/act(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
Version: Ours 9.1(1), Mate 9.1(1)
Last Failover at: 07:31:49 CEST Feb 12 2013
        This host: Primary - Active
                Active time: 18841674 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/9.1(1)) status (Up Sys)
                  Interface dmz5 (192.168.36.1): Normal (Monitored)
                  Interface dmz6 (192.168.47.1): Normal (Not-Monitored)
                  Interface inside (172.24.3.5): Normal (Monitored)
                  Interface oob (192.168.99.1): Normal (Monitored)
                  Interface management (0.0.0.0): No Link (Not-Monitored)
                slot 1: empty
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/9.1(1)) status (Up Sys)
                  Interface dmz5 (192.168.36.2): Normal (Monitored)
                  Interface dmz6 (192.168.47.2): Normal (Not-Monitored)
                  Interface inside (172.24.3.6): Normal (Monitored)
                  Interface oob (192.168.99.2): Normal (Monitored)
                  Interface management (0.0.0.0): Normal (Not-Monitored)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : failover GigabitEthernet0/2 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         372747905  0          2453073    0
        sys cmd         2452421    0          2452415    0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        1275302    0          0          0
        UDP conn        17706401   0          36         0
        ARP tbl         351007284  0          621        0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKEv1 SA    0          0          0          0
        VPN IKEv1 P2    0          0          0          0
        VPN IKEv2 SA    0          0          0          0
        VPN IKEv2 P2    0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0
        Route Session   306520     0          0          0
        User-Identity   5          0          1          0
        CTS SGTNAME     0          0          0          0
        CTS PAC         0          0          0          0
        TrustSec-SXP    0          0          0          0
        IPv6 Route      0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       88      2453116
        Xmit Q:         0       29      381560801

myfirewall/pri/act(config)# show failover interface
        interface failover GigabitEthernet0/2
                System IP Address: 192.168.92.109 255.255.255.252
                My IP Address    : 192.168.92.109
                Other IP Address : 192.168.92.110

myfirewall/pri/act(config)# show failover descriptor
        dmz5 send: 000200000e000000 receive: 000200000e000000
        dmz6 send: 0002000041000000 receive: 0002000041000000
        inside send: 0002010064000000 receive: 0002010064000000
        oob send: 00020300ffff0000 receive: 00020300ffff0000
        management send: 01010000ffff0000 receive: 01010000ffff0000

myfirewall/pri/act(config)# show failover history
==========================================================================
From State                 To State                   Reason
==========================================================================
07:30:59 CEST Feb 12 2013
Not Detected               Negotiation                No Error
07:31:03 CEST Feb 12 2013
Negotiation                Cold Standby               Detected an Active mate
07:31:05 CEST Feb 12 2013
Cold Standby               Sync Config                Detected an Active mate
07:31:15 CEST Feb 12 2013
Sync Config                Sync File System           Detected an Active mate
07:31:15 CEST Feb 12 2013
Sync File System           Bulk Sync                  Detected an Active mate
07:31:29 CEST Feb 12 2013
Bulk Sync                  Standby Ready              Detected an Active mate
07:31:49 CEST Feb 12 2013
Standby Ready              Just Active                HELLO not heard from mate
07:31:49 CEST Feb 12 2013
Just Active                Active Drain               HELLO not heard from mate
07:31:49 CEST Feb 12 2013
Active Drain               Active Applying Config     HELLO not heard from mate
07:31:49 CEST Feb 12 2013
Active Applying Config     Active Config Applied      HELLO not heard from mate
07:31:49 CEST Feb 12 2013
Active Config Applied      Active                     HELLO not heard from mate
==========================================================================

myfirewall/pri/act(config)# show failover state
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Ifc Failure              17:38:56 CEDT Jun 10 2013
               dmz5: Failed
               inside: Failed

====Configuration State===
    Sync Done
    Sync Done - STANDBY
====Communication State===
    Mac set

myfirewall/pri/act(config)# show failover statistics
        tx:384585696
        rx:29127977

Check the failover configuration:

myfirewall/pri/act(config)# sh run all failover
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/2
failover polltime unit 1 holdtime 15
failover polltime interface 5 holdtime 25
failover interface-policy 1
failover link failover GigabitEthernet0/2
failover interface ip failover 192.168.92.109 255.255.255.252 standby 192.168.92.110
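An added example (my own code, not from the original post): a Python check over the text of show failover that extracts the per-host interface lines and reports what a practitioner looks for first: a mate that is not Standby Ready, a software version mismatch, a monitored interface that is not Normal, and an interface that has an address but is Not-Monitored, since a failure on it will not trigger a failover (dmz6 in the output above is such a case). The sample text is constructed after the output above, with the peer's inside interface set to Failed.

```python
import re

# Constructed sample in the shape of the "show failover" output above; the peer has
# been given a failed inside interface so that the checks have something to find.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/2 (up)
Monitored Interfaces 3 of 160 maximum
Version: Ours 9.1(1), Mate 9.1(1)
Last Failover at: 07:31:49 CEST Feb 12 2013
        This host: Primary - Active
                Active time: 18841674 (sec)
                  Interface dmz5 (192.168.36.1): Normal (Monitored)
                  Interface dmz6 (192.168.47.1): Normal (Not-Monitored)
                  Interface inside (172.24.3.5): Normal (Monitored)
                  Interface management (0.0.0.0): No Link (Not-Monitored)
        Other host: Secondary - Failed
                Active time: 0 (sec)
                  Interface dmz5 (192.168.36.2): Normal (Monitored)
                  Interface dmz6 (192.168.47.2): Normal (Not-Monitored)
                  Interface inside (172.24.3.6): Failed (Monitored)
                  Interface management (0.0.0.0): Normal (Not-Monitored)
"""

HOST_RE = re.compile(r"^(This|Other) host: (\S+) - (.+)$")
VERSION_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\): (.+?) \((Monitored|Not-Monitored)\)$")


def parse_show_failover(text):
    """Return {'failover_on': bool|None, 'versions': (ours, mate)|None, 'hosts': {...}}."""
    state = {"failover_on": None, "versions": None, "hosts": {}}
    host = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Failover On":
            state["failover_on"] = True
        elif line == "Failover Off":
            state["failover_on"] = False
        elif m := VERSION_RE.match(line):
            state["versions"] = (m.group(1), m.group(2))
        elif m := HOST_RE.match(line):
            host = m.group(1).lower()  # "this" or "other"
            state["hosts"][host] = {"unit": m.group(2), "state": m.group(3).strip(), "interfaces": []}
        elif (m := IFACE_RE.match(line)) and host is not None:
            state["hosts"][host]["interfaces"].append({
                "name": m.group(1), "ip": m.group(2),
                "status": m.group(3), "monitored": m.group(4) == "Monitored",
            })
    return state


def failover_findings(state):
    """List of human-readable problems; an empty list means the pair looks healthy."""
    findings = []
    if state["failover_on"] is not True:
        findings.append("failover is not enabled")
    versions = state["versions"]
    if versions and versions[0] != versions[1]:
        findings.append(f"software version mismatch: ours {versions[0]}, mate {versions[1]}")
    other = state["hosts"].get("other")
    if other is None:
        findings.append("no peer information in the output (mate not detected)")
    elif other["state"] != "Standby Ready":
        findings.append(f"peer state is '{other['state']}', not Standby Ready")
    for which, h in state["hosts"].items():
        for i in h["interfaces"]:
            if i["monitored"] and i["status"] != "Normal":
                findings.append(f"{which} host: monitored interface {i['name']} is {i['status']}")
            elif not i["monitored"] and i["ip"] != "0.0.0.0":
                findings.append(f"{which} host: {i['name']} ({i['ip']}) has an address but is "
                                "Not-Monitored, so its failure will not trigger a failover")
    return findings


if __name__ == "__main__":
    for finding in failover_findings(parse_show_failover(SAMPLE_SHOW_FAILOVER)):
        print("-", finding)
```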

Check the session table of the firewall

With a class-map you can set the maximum number of sessions for specific traffic, or for all traffic with match any:

myfirewall(config)# class-map CONNS
myfirewall(config-cmap)# match any
myfirewall(config-cmap)# policy-map CONNS
myfirewall(config-pmap)# class CONNS
myfirewall(config-pmap-c)# set connection conn-max 1000 embryonic-conn-max 3000

The values from the session table of the firewall (the number in use against the maximum, if one is configured):


myfirewall/pri/act(config)# show conn ?

exec mode commands/options:
  address         Enter this keyword to specify IP address
  all             Enter this keyword to show conns including to-the-box and
                  from-the-box
  count           Enter this keyword to show conn count only
  detail          Enter this keyword to show conn in detail
  long            Enter this keyword to show conn in long format
  port            Enter this keyword to specify port
  protocol        Enter this keyword to specify conn protocol
  scansafe        Enter this keyword to show conns being forwarded to scansafe
                  server
  security-group  Enter this keyword to show security-group attributes in conns
  state           Enter this keyword to specify conn state
  user            Enter this keyword to specify conn user
  user-group      Enter this keyword to specify conn user group
  user-identity   Enter this keyword to show user names
  |               Output modifiers

myfirewall/pri/act(config)# show conn count
77 in use, 1013 most used

myfirewall/pri/act(config)# show conn state ?

exec mode commands/options:
  WORD  Enter any number of the following conn states using ',' as separator:
        up finin finout http_get smtp_data nojava data_in data_out sunrpc h225
        h323 sqlnet_fixup_data conn_inbound sip mgcp ctiqbe skinny
        service_module stub tcp_embryonic vpn_orphan

myfirewall/pri/act(config)# show conn state up
80 in use, 1013 most used
TCP dmz5 192.168.38.250:4634 inside 172.24.1.2:54320, idle 0:02:29, bytes 12905, flags UIOB
TCP dmz5 192.168.38.250:4633 inside 172.24.1.2:135, idle 0:02:29, bytes 684, flags UIOB
TCP dmz6 192.168.47.8:80 dmz5 192.168.37.227:55335, idle 0:00:00, bytes 1618307080, flags UIOB
TCP dmz6 192.168.47.10:80 dmz5 192.168.37.227:65521, idle 0:00:00, bytes 61797243, flags UIOB
TCP dmz6 192.168.47.11:80 dmz5 192.168.37.227:55339, idle 0:00:00, bytes 3811666664, flags UIOB
TCP dmz5 192.168.36.251:80 inside 172.31.229.68:62940, idle 0:00:00, bytes 335503, flags UIO
TCP dmz5 192.168.36.251:80 inside 172.24.162.217:57429, idle 0:00:00, bytes 474510, flags UIO
TCP dmz5 192.168.38.250:23757 inside 172.24.3.38:1165, idle 0:00:00, bytes 59747307, flags UIO
TCP dmz5 192.168.38.250:3389 inside 192.168.252.66:4042, idle 0:00:48, bytes 337870, flags UIO
TCP dmz5 192.168.38.250:23757 inside 172.24.3.40:63433, idle 0:00:00, bytes 93168991, flags UIO

You can filter for the session you are looking for (example):


myfirewall/pri/act(config)# show conn long address 192.168.47.10
74 in use, 1013 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, b - TCP state-bypass or nailed,
       C - CTIQBE media, c - cluster centralized,
       D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
       k - Skinny media, M - SMTP data, m - SIP media, n - GUP
       O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
       q - SQL*Net data, R - outside acknowledged FIN,
       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
       V - VPN orphan, W - WAAS,
       X - inspected by service module,
       x - per session, Y - director stub flow, y - backup stub flow,
       Z - Scansafe redirection, z - forwarding stub flow
TCP dmz6: 192.168.47.10/80 (192.168.47.10/80) dmz5: 192.168.37.227/65521 (192.168.37.227/65521), flags UIOB
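An added example (not code from the original post): a Python parser for show conn rows that decodes the flags with the legend above, lists the TCP connections that never reached the up state (the tcp_embryonic state from show conn state), sorts rows by byte count and filters by address the way show conn address does. The sample text is constructed after the output above.

```python
import re

# Legend as printed by "show conn long" above (subset). The ASA prints 'R' twice,
# for "outside acknowledged FIN" and "UDP SUNRPC"; only one meaning fits a given row.
CONN_FLAGS = {
    "A": "awaiting inside ACK to SYN", "a": "awaiting outside ACK to SYN",
    "B": "initial SYN from outside", "b": "TCP state-bypass or nailed",
    "D": "DNS", "E": "outside back connection", "F": "outside FIN", "f": "inside FIN",
    "I": "inbound data", "i": "incomplete", "O": "outbound data",
    "P": "inside back connection", "R": "outside acknowledged FIN (or UDP SUNRPC)",
    "r": "inside acknowledged FIN", "S": "awaiting inside SYN", "s": "awaiting outside SYN",
    "U": "up", "V": "VPN orphan", "X": "inspected by service module",
    "Z": "Scansafe redirection",
}

# One "show conn" row: proto, first interface/endpoint, second interface/endpoint, idle, bytes, flags.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<if1>\S+)\s+(?P<ip1>[\d.]+):(?P<port1>\d+)\s+"
    r"(?P<if2>\S+)\s+(?P<ip2>[\d.]+):(?P<port2>\d+),\s+idle\s+(?P<idle>\d+:\d\d:\d\d),"
    r"\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S*)$"
)

# Constructed sample in the shape of the "show conn state up" output above; the two
# zero-byte rows without the 'U' flag stand for half-open (embryonic) TCP connections.
SAMPLE_SHOW_CONN = """\
80 in use, 1013 most used
TCP dmz5 192.168.38.250:4634 inside 172.24.1.2:54320, idle 0:02:29, bytes 12905, flags UIOB
TCP dmz6 192.168.47.8:80 dmz5 192.168.37.227:55335, idle 0:00:00, bytes 1618307080, flags UIOB
TCP dmz5 192.168.36.251:80 inside 172.31.229.68:62940, idle 0:00:00, bytes 335503, flags UIO
TCP dmz5 192.168.36.251:80 inside 172.31.229.68:62941, idle 0:00:03, bytes 0, flags saA
TCP dmz5 192.168.36.251:80 inside 172.31.229.68:62942, idle 0:00:05, bytes 0, flags saA
UDP dmz5 192.168.36.251:53 inside 172.24.1.2:51020, idle 0:00:12, bytes 140, flags -
"""


def idle_seconds(hms):
    """'0:02:29' -> 149"""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_show_conn(text):
    """Parse every connection row; header lines such as '80 in use, ...' are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        c = m.groupdict()
        for key in ("port1", "port2", "bytes"):
            c[key] = int(c[key])
        c["idle_s"] = idle_seconds(c["idle"])
        conns.append(c)
    return conns


def describe_flags(flags):
    """Expand a flag string like 'UIOB' with the legend; '-' means no flags."""
    return [CONN_FLAGS.get(ch, f"unknown flag {ch!r}") for ch in flags if ch != "-"]


def embryonic(conns):
    """TCP rows that never reached 'up', i.e. the three-way handshake is incomplete.
    A pile of these towards one server is what embryonic-conn-max in the class-map
    above is meant to cap."""
    return [c for c in conns if c["proto"] == "TCP" and "U" not in c["flags"]]


def top_talkers(conns, n=3):
    """Rows sorted by byte count, largest first."""
    return sorted(conns, key=lambda c: c["bytes"], reverse=True)[:n]


def filter_by_address(conns, address):
    """Same idea as 'show conn address <ip>': rows where either endpoint matches."""
    return [c for c in conns if address in (c["ip1"], c["ip2"])]


if __name__ == "__main__":
    rows = parse_show_conn(SAMPLE_SHOW_CONN)
    print(len(rows), "connections parsed")
    for c in embryonic(rows):
        print("embryonic:", c["ip1"], "->", c["ip2"], c["port2"], describe_flags(c["flags"]))
    for c in top_talkers(rows, 2):
        print("top talker:", c["ip1"], c["port1"], c["bytes"], "bytes")
```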

Check the traffic on the interfaces (the packet and byte counters):


myfirewall/pri/act(config)# show traffic
dmz5:
        received (in 1661754.406 secs):
                14637140684 packets     673671106797 bytes
                8001 pkts/sec   405002 bytes/sec
        transmitted (in 1661754.406 secs):
                38728179279 packets     53732439765301 bytes
                23000 pkts/sec  32334000 bytes/sec
      1 minute input rate 1382 pkts/sec,  67193 bytes/sec
      1 minute output rate 3546 pkts/sec,  4923809 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 1375 pkts/sec,  67887 bytes/sec
      5 minute output rate 3589 pkts/sec,  4994000 bytes/sec
      5 minute drop rate, 0 pkts/sec
dmz6:
        received (in 1661754.416 secs):
                38627911784 packets     53724170049557 bytes
                23002 pkts/sec  32329000 bytes/sec
        transmitted (in 1661754.416 secs):
                14299138045 packets     572124451016 bytes
                8000 pkts/sec   344002 bytes/sec
      1 minute input rate 3535 pkts/sec,  4923119 bytes/sec
      1 minute output rate 1354 pkts/sec,  54206 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 3577 pkts/sec,  4993200 bytes/sec
      5 minute output rate 1345 pkts/sec,  53821 bytes/sec
      5 minute drop rate, 0 pkts/sec
inside:
        received (in 1661754.416 secs):
                826826503 packets       60669330026 bytes
                1 pkts/sec      36000 bytes/sec
        transmitted (in 1661754.416 secs):
                245271895 packets       109518736779 bytes
                0 pkts/sec      65000 bytes/sec
      1 minute input rate 44 pkts/sec,  2772 bytes/sec
      1 minute output rate 25 pkts/sec,  13180 bytes/sec
      1 minute drop rate, 21 pkts/sec
      5 minute input rate 45 pkts/sec,  2829 bytes/sec
      5 minute output rate 28 pkts/sec,  14443 bytes/sec
      5 minute drop rate, 21 pkts/sec

Check the timeout values in the firewall:

myfirewall2/pri/act# sh run timeout
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00

2.0 Check the interface settings


Check the state, speed, duplex and IP of the interfaces

Show the running config only for the interfaces that have an IP address:

myfirewall/pri/act(config)# sh run ip address
interface GigabitEthernet0/0.14
 vlan 14
 nameif dmz5
 security-level 0
 ip address 192.168.36.1 255.255.252.0 standby 192.168.36.2
interface GigabitEthernet0/0.65
 vlan 65
 nameif dmz6
 security-level 0
 ip address 192.168.47.1 255.255.255.0 standby 192.168.47.2
interface GigabitEthernet0/1.100
 vlan 100
 nameif inside
 security-level 100
 ip address 192.168.3.5 255.255.248.0 standby 172.24.3.6

Show only the IP addresses and the security levels:

myfirewall2/pri/act# sh ip
System IP Addresses:
Interface                Name       IP address       Subnet mask       Method
Port-channel1.1001       dmz1       5.5.5.5          255.255.255.192   CONFIG
Port-channel2            Failover   192.168.92.13    255.255.255.252   unset
Port-channel4.721        inside     172.17.131.151   255.255.255.0     CONFIG
Current IP Addresses:
Interface                Name       IP address       Subnet mask       Method
Port-channel1.1001       dmz1       5.5.5.5          255.255.255.192   CONFIG
Port-channel2            Failover   192.168.92.13    255.255.255.252   unset
Port-channel4.721        inside     172.17.131.151   255.255.255.0     CONFIG

myfirewall2/pri/act# sh nameif
Interface                Name                     Security
Management0/0            management               100
Port-channel1.1001       dmz1                       0
Port-channel4.721        inside                   100

Check the MAC address and the state of the interfaces. The name of the interface in the example below is internal.

In the output you can see the following:
– Interface name
– MAC address
– Link state
– Speed
– Duplex
– MTU
– Packet and byte counters
– Errors


myfirewall/pri/act# show interface
Interface GigabitEthernet0/0 "", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is off
        Available but not configured via nameif
        MAC address 001f.abcc.a5e6, MTU not set
        IP address unassigned
        53280934440 packets input, 55671972432495 bytes, 0 no buffer
        Received 167625118 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        53043155385 packets output, 55516746848674 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 2 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops, 0 tx hangs
        input queue (blocks free curr/low): hardware (255/230)
        output queue (blocks free curr/low): hardware (255/122)
Interface GigabitEthernet0/0.14 "dmz5", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 14
        Description: dmz5
        MAC address 001f.abcc.a5e6, MTU 1500
        IP address 192.168.36.1, subnet mask 255.255.252.0
  Traffic Statistics for "dmz5":
        14641601950 packets input, 673897945554 bytes
        38739676247 packets output, 53748403391129 bytes
        51923927 packets dropped
Interface GigabitEthernet0/0.65 "dmz6", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 65
        Description: dmz6
        MAC address 001f.abcc.a5e6, MTU 1500
        IP address 192.168.47.1, subnet mask 255.255.255.0
  Traffic Statistics for "dmz6":
        38639332463 packets input, 53740092462779 bytes
        14303479193 packets output, 572298134370 bytes
        83451 packets dropped

Check the ARP Table

This contains the permanent and the dynamic ARP entries:

myfirewall/pri/act# show arp
        dmz5 192.168.38.43 0020.4ab0.a59f 0
        dmz5 192.168.37.226 2c27.d733.a9e2 0
        dmz5 192.168.37.236 2c27.d733.a89e 0
        dmz5 192.168.37.235 78ac.c0b2.4066 0
        dmz5 192.168.37.240 0019.99ae.847c 0
        dmz5 192.168.39.240 0019.9987.5676 0
        ...


3.0 Check the Routing Table

With show route you can see the current routing table of the firewall, with the static and dynamic routes and the directly connected networks.

myfirewall/pri/act# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 172.24.2.2 to network 0.0.0.0

C    172.24.0.0 255.255.248.0 is directly connected, inside
C    192.168.99.0 255.255.255.0 is directly connected, oob
C    192.168.47.0 255.255.255.0 is directly connected, dmz6
C    192.168.92.108 255.255.255.252 is directly connected, failover
S*   0.0.0.0 0.0.0.0 [1/0] via 172.24.2.2, inside
C    192.168.36.0 255.255.252.0 is directly connected, dmz5

Check the matching route

Are you looking for a specific route in a big routing table? No problem, use show route with the interface and the destination address:

myfirewall/pri/act# sh route inside 172.31.231.246
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 172.24.2.2 to network 0.0.0.0

4.0 VPN Troubleshooting

The most significant thing for VPN is the time on the devices. To check the time use the following commands:


myfirewall/pri/act# show clock
11:19:45.485 CEDT Wed Sep 18 2013

myfirewall/pri/act# show ntp status
Clock is synchronized, stratum 3, reference is 172.24.10.100
nominal freq is 99.9984 Hz, actual freq is 99.9968 Hz, precision is 2**6
reference time is d5e3ed1d.b0b7a760 (11:13:01.690 CEDT Wed Sep 18 2013)
clock offset is 0.1998 msec, root delay is 18.55 msec
root dispersion is 36.01 msec, peer dispersion is 15.64 msec

Change the tunnel state

Bring up a VPN tunnel manually. No traffic required.

Shut down a VPN tunnel manually.

All tunnels:
myfirewall3/pri/act# clear crypto isakmp sa

Only a specific tunnel:
myfirewall3/pri/act# clear ipsec sa peer 2.2.2.2
myfirewall2/pri/act# clear cry ikev1 sa 2.2.2.2

Shut down for a longer time (remove the peer from the crypto map entry):
myfirewall2/pri/act(config)# no crypto map l2lvpns 10 set peer 211.66.176.18

Check the tunnel state

If there is no SA, the tunnel is down and does not work, so to see whether the tunnel is up we need to check whether any SA exists. For that you can use the “show crypto isakmp sa” or the “show crypto ipsec sa” command.

Tunnel state is down

The tunnel does not exist if the commands below show no SAs:

myfirewall3/pri/act# sh cry isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs

myfirewall3/pri/act# show crypto ipsec sa
There are no ipsec sas

Tunnel state is up

Information in the output of the command below:
– VPN peers
– encrypted traffic (source and destination)
– traffic counters for the encrypted traffic
– SPI for encrypt and decrypt
– encryption method

myfirewall2/pri/act# show cry ips sa peer 3.3.3.3
peer address: 3.3.3.3
    Crypto map tag: firmen, seq num: 22, local addr: 5.5.5.5

      access-list tun-voss extended permit ip host 172.19.212.10 192.168.15.72 255.255.255.248 time-range En
      local ident (addr/mask/prot/port): (172.19.212.10/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.15.72/255.255.255.248/0/0)
      current_peer: 3.3.3.3

      #pkts encaps: 26, #pkts encrypt: 26, #pkts digest: 26
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 26, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcv'd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 5.5.5.5/0, remote crypto endpt.: 3.3.3.3/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: AB092E6E
      current inbound spi : 910F4308

    inbound esp sas:
      spi: 0x910F4308 (2433696520)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 25923584, crypto-map: firmen
         sa timing: remaining key lifetime (kB/sec): (4373999/3360)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x000003FF
    outbound esp sas:
      spi: 0xAB092E6E (2869505646)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 25923584, crypto-map: firmen
         sa timing: remaining key lifetime (kB/sec): (4373997/3360)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Check packet counters for the tunnel

To see if the encryption and decryption of the packets works, run the show cry ipsec sa command two or more times and compare the values. On the second and third outputs the counters should show larger numbers.
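An added example (not from the original post): Python that parses the #pkts encaps/decaps and error counters of every SA from two captures of show crypto ipsec sa and reports, per peer and proxy identity, whether traffic moves in both directions, in one only, or not at all. Both captures are constructed in the shape of the output above; the 9.9.9.9 peer (another peer named on this page) is made to encrypt without ever decrypting.

```python
import re

IDENT_RE = re.compile(r"^(local|remote) ident \(addr/mask/prot/port\): \((\S+)\)$")
PEER_RE = re.compile(r"^current_peer: ([\d.]+)$")
COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors): (\d+)")


def parse_ipsec_sa(text):
    """Map (peer, local ident, remote ident) -> counters, from 'show crypto ipsec sa' text."""
    sas, idents, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := IDENT_RE.match(line):
            idents[m.group(1)] = m.group(2)
        elif m := PEER_RE.match(line):
            # The ident lines precede current_peer in the output, so the key is complete here.
            cur = {"encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}
            sas[(m.group(1), idents.get("local"), idents.get("remote"))] = cur
        elif cur is not None:
            for name, value in COUNTER_RE.findall(line):
                cur[name.replace("pkts ", "").replace(" ", "_")] = int(value)
    return sas


def compare_snapshots(first, second):
    """Per SA: how far the counters moved between two runs of the command."""
    report = {}
    for key, after in second.items():
        before = first.get(key)
        if before is None:
            report[key] = {"verdict": "new-sa"}
            continue
        enc = after["encaps"] - before["encaps"]
        dec = after["decaps"] - before["decaps"]
        err = (after["send_errors"] - before["send_errors"]) + (after["recv_errors"] - before["recv_errors"])
        if err > 0:
            verdict = "errors"
        elif enc > 0 and dec > 0:
            verdict = "ok"
        elif enc > 0:
            verdict = "one-way-no-decrypt"  # we encrypt, nothing comes back: look at the far side / return path
        elif dec > 0:
            verdict = "one-way-no-encrypt"  # we decrypt, nothing goes out: look at local routing / crypto ACL
        else:
            verdict = "idle"
        report[key] = {"encaps_delta": enc, "decaps_delta": dec, "error_delta": err, "verdict": verdict}
    return report


def _sa_block(peer, local, remote, encaps, decaps, send_err=0, recv_err=0):
    """Constructed text in the shape of one SA block of the output above."""
    return (
        f"      local ident (addr/mask/prot/port): ({local})\n"
        f"      remote ident (addr/mask/prot/port): ({remote})\n"
        f"      current_peer: {peer}\n\n"
        f"      #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}\n"
        f"      #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}\n"
        f"      #send errors: {send_err}, #recv errors: {recv_err}\n\n"
    )


# Two constructed snapshots taken a little apart. Peer 3.3.3.3 (as in the output above)
# moves in both directions; peer 9.9.9.9 only ever encrypts.
SA_A = ("3.3.3.3", "172.19.212.10/255.255.255.255/0/0", "192.168.15.72/255.255.255.248/0/0")
SA_B = ("9.9.9.9", "10.10.10.11/255.255.255.255/0/0", "192.168.1.48/255.255.255.240/0/0")
SNAPSHOT_1 = "interface: outside\n" + _sa_block(*SA_A, 26, 9) + _sa_block(*SA_B, 100, 50)
SNAPSHOT_2 = "interface: outside\n" + _sa_block(*SA_A, 40, 20) + _sa_block(*SA_B, 130, 50)

if __name__ == "__main__":
    for key, result in compare_snapshots(parse_ipsec_sa(SNAPSHOT_1), parse_ipsec_sa(SNAPSHOT_2)).items():
        print(key[0], key[1], "->", key[2], result)
```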

In the following output the firewall has 1 active VPN peer.


myfirewall2/pri/act# show vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection   : 9.9.9.9
Index        : 5671                   IP Addr      : 9.9.9.9
Protocol     : IKEv1 IPsec
Encryption   : 3DES                   Hashing      : MD5
Bytes Tx     : 83496278               Bytes Rx     : 420469160
Login Time   : 02:17:25 CEDT Wed Sep 18 2013
Duration     : 12h:15m:49s

Connection   : 3.3.3.3
Index        : 6329                   IP Addr      : 3.3.3.3
Protocol     : IKEv1 IPsec
Encryption   : AES256                 Hashing      : SHA1
Bytes Tx     : 6100                   Bytes Rx     : 5992
Login Time   : 14:26:13 CEDT Wed Sep 18 2013
Duration     : 0h:07m:01s

Check the uptime of the VPN tunnels

Uptime for site-to-site VPN:

asa-firewall/pri/act# show vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection   : 25.25.25.25
Index        : 34872                  IP Addr      : 25.25.25.25
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256 IPsec: (3)AES256
Hashing      : IKEv1: (1)SHA1 IPsec: (3)SHA1
Bytes Tx     : 73653504               Bytes Rx     : 31342653
Login Time   : 01:15:18 CEST Thu Nov 28 2013
Duration     : 12h:36m:51s

Connection   : dyn-vpn-tunnel
Index        : 34902                  IP Addr      : 35.35.35.35
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256 IPsec: (1)AES256
Hashing      : IKEv1: (1)SHA1 IPsec: (1)SHA1
Bytes Tx     : 17679966               Bytes Rx     : 2626429
Login Time   : 12:38:17 CEST Thu Nov 28 2013
Duration     : 1h:13m:52s

SA Lifetime for IKE /phase1/ for site to site (lifetime in seconds)


asa-firewall/pri/act# show crypto isa sa detail

IKEv1 SAs:

Active SA: 4

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 4

1 IKE Peer: 45.45.45.45

Type : L2L Role : responder

Rekey : no State : AM_ACTIVE

Encrypt : aes-256 Hash : SHA

Auth : preshared Lifetime: 14400

Lifetime Remaining: 12039

2 IKE Peer: 55.55.55.55

Type : L2L Role : responder

Rekey : no State : MM_ACTIVE

Encrypt : 3des Hash : MD5

Auth : preshared Lifetime: 14400

Lifetime Remaining: 12462

SA Lifetimes for inbound and outbound esp sa-s /phase2/ for site to site (lifetime in seconds)


asa-firewall/pri/act# show crypto ipsec sa

interface: outside

Crypto map tag: tunnel, seq num: 20, local addr: 46.46.46.46

access-list tun-acl1 extended permit ip host 10.10.10.11 192.168.1.48 255.255.255.240 time-range End-D
local ident (addr/mask/prot/port): (10.10.10.11/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (192.168.1.48/255.255.255.240/0/0)

current_peer: 13.13.13.13

#pkts encaps: 38097, #pkts encrypt: 38097, #pkts digest: 38097

#pkts decaps: 34559, #pkts decrypt: 34559, #pkts verify: 34559

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 38097, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#TFC rcvd: 0, #TFC sent: 0

#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 46.46.46.46/0, remote crypto endpt.: 13.13.13.13/0

path mtu 1500, ipsec overhead 74(44), media mtu 1500

PMTU time remaining (sec): 0, DF policy: copy-df

ICMP error validation: disabled, TFC packets: disabled

current outbound spi: 22512A19

current inbound spi : 8F46C331

inbound esp sas:

spi: 0x8F46C331 (2403779377)

transform: esp-aes-256 esp-sha-hmac no compression

in use settings ={L2L, Tunnel, IKEv1, }

slot: 0, conn_id: 143024128, crypto-map: tunnel

sa timing: remaining key lifetime (kB/sec): (4371840/26381)

IV size: 16 bytes

replay detection support: Y

Anti replay bitmap:

0xFFFFFFFF 0xFFFFFFFF

outbound esp sas:

spi: 0x22512A19 (575744537)

transform: esp-aes-256 esp-sha-hmac no compression

in use settings ={L2L, Tunnel, IKEv1, }

slot: 0, conn_id: 143024128, crypto-map: tunnel

sa timing: remaining key lifetime (kB/sec): (4350795/26381)

IV size: 16 bytes

replay detection support: Y

Anti replay bitmap:

0x00000000 0x00000001

Uptime for old vpn client


asa-firewall/pri/act# show vpn-sessiondb ra-ikev1-ipsec

Session Type: IKEv1 IPsec

Username : einsteina@vpn-tungrp1 Index : 3856

Assigned IP : 192.168.236.249 Public IP : 37.209.44.113

Protocol : IKEv1 IPsecOverTCP

License : Other VPN

Encryption : AES128 Hashing : SHA1

Bytes Tx : 667580222 Bytes Rx : 195368751

Group Policy : vpn-grp-p1 Tunnel Group : vpn-de-ol

Login Time : 10:15:51 CEST Tue Nov 19 2013

Duration : 9d 3h:37m:37s

Inactivity : 0h:00m:00s

NAC Result : Unknown

VLAN Mapping : N/A VLAN : none

Username : leonardo@vpn-tungrp2 Index : 12473

Assigned IP : 192.168.244.151 Public IP : 145.253.227.158

Protocol : IKEv1 IPsecOverTCP

License : Other VPN

Encryption : AES128 Hashing : SHA1

Bytes Tx : 64670782 Bytes Rx : 49769295

Group Policy : vpn-grp-p2 Tunnel Group : vpn-ext-rsa


Login Time : 09:07:46 CEST Wed Nov 27 2013

Duration : 1d 4h:45m:42s

Uptime for new vpn client (Anyconnect)

asa-firewall/pri/act# sh vpn-sessiondb anyconnect

Session Type: AnyConnect

Username : beck@vpn-tun-grp3 Index : 12579

Assigned IP : 192.168.236.194 Public IP : 84.163.80.247

Protocol : AnyConnect-Parent SSL-Tunnel

License : AnyConnect Essentials

Encryption : 3DES Hashing : none SHA1

Bytes Tx : 552426724 Bytes Rx : 264841827

Group Policy : vpn-grp-p3 Tunnel Group : DefaultWEBVPNGroup

Login Time : 10:21:29 CEST Wed Nov 27 2013

Duration : 1d 3h:44m:57s

Inactivity : 0h:00m:00s

NAC Result : Unknown

VLAN Mapping : N/A VLAN : none

Username : baromarcu@vpn-tun-grp3 Index : 13405

Assigned IP : 192.168.238.212 Public IP : 91.14.67.250

Protocol : AnyConnect-Parent SSL-Tunnel

License : AnyConnect Essentials

Encryption : 3DES Hashing : none SHA1

Bytes Tx : 376838398 Bytes Rx : 153802768

Group Policy : vpn-grp-p3 Tunnel Group : DefaultWEBVPNGroup

Login Time : 07:22:24 CEST Thu Nov 28 2013

Duration : 6h:44m:02s

Inactivity : 0h:00m:00s

NAC Result : Unknown

VLAN Mapping : N/A VLAN : none
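As an added example (not code from the original post), the following Python parses `show vpn-sessiondb` listings like the ones above into one record per session, converts the Duration to seconds and flags peers that are still negotiating 3DES or MD5, which is easy to miss by eye in a long L2L listing. The SAMPLE text is constructed from the post's output with its spacing collapsed; the field regex and the LEGACY list are this example's own assumptions.

```python
"""Parse 'show vpn-sessiondb' output and flag peers still on legacy crypto.
Added example (not from the original post); SAMPLE is constructed from the
post's sample output with spacing collapsed, not captured from a live ASA."""
import re

# A field is "Key : value"; two fields may share one line ("Index : 5671 IP Addr : 9.9.9.9").
# Requiring whitespace before the colon keeps "IKEv1:" inside a value from becoming a key.
FIELD = re.compile(r"([A-Za-z][A-Za-z ]*?)\s+:\s+(.*?)(?=\s+[A-Za-z][A-Za-z ]*?\s+:\s+|\s*$)")
DURATION = re.compile(r"(?:(\d+)d\s+)?(\d+)h:(\d+)m:(\d+)s")
LEGACY = {"DES", "3DES", "MD5"}   # algorithms worth a ticket when they show up in a session

SAMPLE = """\
Session Type: LAN-to-LAN

Connection : 25.25.25.25
Protocol : IKEv1 IPsec
Encryption : IKEv1: (1)AES256 IPsec: (3)AES256
Hashing : IKEv1: (1)SHA1 IPsec: (3)SHA1
Bytes Tx : 73653504 Bytes Rx : 31342653
Duration : 12h:36m:51s

Connection : 9.9.9.9
Index : 5671 IP Addr : 9.9.9.9
Protocol : IKEv1 IPsec
Encryption : 3DES Hashing : MD5
Bytes Tx : 83496278 Bytes Rx : 420469160
Duration : 12h:15m:49s

Username : einsteina@vpn-tungrp1 Index : 3856
Protocol : IKEv1 IPsecOverTCP
Encryption : AES128 Hashing : SHA1
Bytes Tx : 667580222 Bytes Rx : 195368751
Duration : 9d 3h:37m:37s
"""

def parse_sessions(text):
    """One dict per session; a session starts at a 'Connection' or 'Username' field."""
    sessions = []
    for line in text.splitlines():
        pairs = FIELD.findall(line)          # [] for blank lines and "Session Type:" banners
        if pairs and pairs[0][0] in ("Connection", "Username"):
            sessions.append({})
        if pairs and sessions:
            sessions[-1].update(pairs)
    return sessions

def duration_seconds(value):
    """'9d 3h:37m:37s' or '12h:36m:51s' -> seconds; the day part is optional."""
    m = DURATION.fullmatch(value.strip())
    days, hours, mins, secs = (int(x or 0) for x in m.groups())
    return ((days * 24 + hours) * 60 + mins) * 60 + secs

def legacy_algorithms(session):
    """Legacy algorithm names found in the Encryption/Hashing fields, in order of appearance."""
    found = []
    for key in ("Encryption", "Hashing"):
        for tok in re.findall(r"[A-Za-z0-9]+", session.get(key, "")):
            if tok.upper() in LEGACY and tok.upper() not in found:
                found.append(tok.upper())
    return found

def review(text):
    """(peer, protocol, uptime_seconds, bytes_rx, legacy_algorithms) per session."""
    return [(s.get("Connection") or s.get("Username"), s["Protocol"],
             duration_seconds(s["Duration"]), int(s["Bytes Rx"]), legacy_algorithms(s))
            for s in parse_sessions(text)]
```

Feeding a real listing pasted from the CLI works the same way, since the parser only relies on the " : " separators.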


5.1 sniffertrace

The basic command is “capture”; after the capture name you define the interface* (or the keyword any).
Raise the packet-length to a higher value if you need the payload of the packets!

myfirewall2/pri/act# capture capturename packet-length 1600 match tcp host 2.2.2.2 any eq 443

myfirewall2/pri/act#

myfirewall2/pri/act# sh cap

capture capturename type raw-data [Capturing - 0 bytes]

match tcp host 2.2.2.2 any eq https

You can use an access-list for more detailed traffic selection.

To export the sniffertrace to a pcap file use the command:

myfirewall2/pri/act# copy /pcap capture: tftp

Source capture name []? capturename

Address or name of remote host []? 3.3.3.3

Destination filename [capturename]? capturename.pcap

!!!!

myfirewall2/pri/act#

5.2 Test traffic through the firewall

myfirewall/pri/act# packet-tracer input inside tcp 10.1.1.1 1024 10.4.1.1 23

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config: access-group inside in interface inside access-list inside extended permit ip any 10.4.1.0 255.255.2

5.3 Test tcp traffic from the firewall

myfirewall/pri/act# ping tcp inside 10.26.134.28 80 source 10.23.18.14 1324

6.0 View logging on cli

The buffer size is limited and if the buffer is full the old logs will be overwritten.
To check your log settings issue the following:

myfirewall3/pri/act# sh run logging

logging enable

logging timestamp

logging buffered alerts

logging trap errors

logging asdm debugging

logging mail alerts

logging from-address firewall@mycompany.com

logging recipient-address network@mycompany.com level alerts

logging host fw-trans 172.24.2.218

logging host fw-trans 172.24.2.219

logging permit-hostdown

Configure logging

The important commands are:

logging enable

logging timestamp

logging host fw-trans 172.24.2.218

logging trap errors

Save the logs from the buffer to a file; afterwards you can copy it to your tftp server.

myfirewall3/pri/act# logging savelog mylogs

myfirewall3/pri/act# cd syslog

myfirewall3/pri/act# dir

Directory of disk0:/syslog/

113 -rwx 2880 14:41:18 Sep 18 2013 mylogs

255426560 bytes total (181706752 bytes free)

Viewing the logs

To see the buffered logs issue:

myfirewall3/pri/act# show logging

7.0 Inspection and asp-drop

These commands should be issued multiple times to see which counter actually increases; that is what points to the problem.
Issuing the command just once does not make much sense, since we do not know since when the counters have been
accumulating the shown values.


myfirewall/pri/act# sh service-policy set connection detail

Interface germany:

Service-policy: voice-http-map

Class-map: voice-http-map

Set connection policy: drop 0

Set connection advanced-options: max-mss-size

Retransmission drops: 0 TCP checksum drops : 0

Exceeded MSS drops : 0 SYN with data drops: 0

Invalid ACK drops : 0 SYN-ACK with data drops: 0

Out-of-order (OoO) packets : 0 OoO no buffer drops: 0

OoO buffer timeout drops : 0 SEQ past window drops: 208

Reserved bit cleared: 0 Reserved bit drops : 0

IP TTL modified : 0 Urgent flag cleared: 0

Window varied resets: 0

TCP-options:

Selective ACK cleared: 0 Timestamp cleared : 0

Window scale cleared : 0

Other options cleared: 0

Other options drops: 0

———————————————————————————————

myfirewall/pri/act# sh asp drop flow

Inspection failure (inspect-fail) 14616790

SSL handshake failed (ssl-handshake-failed) 85

SSL received close alert (ssl-received-close-alert) 40

Last clearing: Never

———————————————————————————————


myfirewall/pri/act# sh asp drop frame

Flow is being freed (flow-being-freed) 121

Invalid TCP Length (invalid-tcp-hdr-length) 1

No valid adjacency (no-adjacency) 36

Reverse-path verify failed (rpf-violated) 6990253

Flow is denied by configured rule (acl-drop) 864778803

Flow denied due to resource limitation (unable-to-create-flow) 1374

First TCP packet not SYN (tcp-not-syn) 471046343

Bad TCP flags (bad-tcp-flags) 46770

TCP data send after FIN (tcp-data-past-fin) 128

TCP failed 3 way handshake (tcp-3whs-failed) 1560684

TCP RST/FIN out of order (tcp-rstfin-ooo) 30625519

TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 9582

TCP SYNACK on established conn (tcp-synack-ooo) 8770

TCP packet SEQ past window (tcp-seq-past-win) 77478

TCP invalid ACK (tcp-invalid-ack) 53427

TCP ACK in 3 way handshake invalid (tcp-discarded-ooo) 5710

TCP Out-of-Order packet buffer full (tcp-buffer-full) 1

TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 5541

TCP RST/SYN in window (tcp-rst-syn-in-win) 326943

TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 769

TCP packet failed PAWS test (tcp-paws-fail) 1530

Expired flow (flow-expired) 284

ICMP Inspect bad icmp code (inspect-icmp-bad-code) 300

ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched) 633646

ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn)


DNS Inspect invalid packet (inspect-dns-invalid-pak) 35

DNS Inspect invalid domain label (inspect-dns-invalid-domain-label) 628

DNS Inspect packet too long (inspect-dns-pak-too-long) 5044504

DNS Inspect id not matched (inspect-dns-id-not-matched) 1589860

Unable to obtain connection lock (connection-lock) 13

Interface is down (interface-down) 35

RM connection limit reached (rm-conn-limit) 136021

Dropped pending packets in a closed socket (np-socket-closed) 27886

Last clearing: Never

———————————————————————————————
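The advice above for the IPsec packet counters and for the asp-drop counters is the same: take two snapshots and look at what moved. As an added example (not code from the original post), this Python does that diff for `show asp drop` output and for the per-SA `#pkts` lines of `show crypto ipsec sa`; the snapshot texts are constructed from the post's sample values, and the tunnel health labels are this example's own interpretation of the counters.

```python
"""Diff two snapshots of ASA counters to see which ones actually move.
Added example, not code from the original post. The snapshot pairs below are
constructed (values modelled on the post's output), not captured from a live ASA."""
import re

# "show asp drop" counter lines look like: "<description> (<reason>) <count>"
ASP_LINE = re.compile(r"^(.*?)\s+\((\S+)\)\s+(\d+)\s*$")
# per-SA lines of "show crypto ipsec sa": "#pkts encaps: 38097, #pkts encrypt: 38097, ..."
PKT_FIELD = re.compile(r"#(pkts [a-z ]+?|send errors|recv errors):\s*(\d+)")

ASP_BEFORE = """\
Flow is denied by configured rule (acl-drop) 864778803
First TCP packet not SYN (tcp-not-syn) 471046343
TCP failed 3 way handshake (tcp-3whs-failed) 1560684
Last clearing: Never
"""
ASP_AFTER = """\
Flow is denied by configured rule (acl-drop) 864779115
First TCP packet not SYN (tcp-not-syn) 471046343
TCP failed 3 way handshake (tcp-3whs-failed) 1560702
Inspection failure (inspect-fail) 7
Last clearing: Never
"""
IPSEC_BEFORE = """\
#pkts encaps: 38097, #pkts encrypt: 38097, #pkts digest: 38097
#pkts decaps: 34559, #pkts decrypt: 34559, #pkts verify: 34559
#send errors: 0, #recv errors: 0
"""
IPSEC_AFTER = """\
#pkts encaps: 38130, #pkts encrypt: 38130, #pkts digest: 38130
#pkts decaps: 34559, #pkts decrypt: 34559, #pkts verify: 34559
#send errors: 0, #recv errors: 0
"""

def parse_asp_drop(text):
    """{reason: count} from 'show asp drop' output; lines without a counter are ignored."""
    counters = {}
    for line in text.splitlines():
        m = ASP_LINE.match(line.strip())
        if m:
            counters[m.group(2)] = int(m.group(3))
    return counters

def parse_ipsec_pkts(text):
    """{'pkts encaps': n, ...} from the per-SA counters in 'show crypto ipsec sa'."""
    return {name: int(val) for name, val in PKT_FIELD.findall(text)}

def deltas(before, after):
    """Counters that grew between the snapshots, largest increase first.
    A reason that is absent from 'before' (new drop reason) counts from zero."""
    grown = [(name, after[name] - before.get(name, 0)) for name in after
             if after[name] - before.get(name, 0) > 0]
    return sorted(grown, key=lambda item: item[1], reverse=True)

def tunnel_health(before, after):
    """Label the SA from encaps/decaps movement (this example's own interpretation)."""
    tx = after["pkts encaps"] - before["pkts encaps"]
    rx = after["pkts decaps"] - before["pkts decaps"]
    if tx and rx:
        return "ok"                        # traffic flows in both directions
    if not tx and not rx:
        return "idle"                      # nothing offered to the tunnel at all
    return "no-return-traffic" if tx else "no-outbound"
```

With real snapshots, paste each `show` output into its own file and compare the two; a counter that only moves in one direction (encaps without decaps) points at the far side or the return path rather than at this firewall.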

8.0 Threat Detection (check the top talkers)

threat-detection configuration example:

myfirewall/pri/act(config)# sh run threat-detection

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

show commands threat-detection:

This command -IF activated- can give us really useful basic information about the network flows passing through the firewall.
Or, if we have a performance problem with our internet connection, we can see who currently owns the line (whose head must
be under the guillotine).


myfirewall/pri/act# sh threat-detection statistics top ?

access-list Enter this keyword to display top N access-list statistics

host Enter this keyword to display top N host statistics

port-protocol Enter this keyword to display top N port statistics

rate-1 Enter this keyword to display top N's first rate statistics

rate-2 Enter this keyword to display top N's second rate statistics

rate-3 Enter this keyword to display top N's third rate statistics

tcp-intercept Show statistics information for tcp intercept

| Output modifiers

An example with port and protocol:


myfirewall/pri/act# sh threat-detection statistics top port-protocol

Top Name Id Average(eps) Current(eps) Trigger Total events

0-min Sent attack:

0-min Recv attack:

01 DNS 53 2972 3552 27100 1783308

02 LDAP 389 639 474 2549 383645

03 HTTP 80 162 152 14066 97668

04 NetBIOS-Name 137 160 193 8031 96239

05 HTTPS 443 131 85 11242 79013

06 Port-8191-65535 108 97 3513 64974

07 XMPP-SSL-Uno 5223 48 10 224 28884

08 SNMPTRAP 162 46 46 50537 27859

09 SYSLOG 514 36 32 9773 21995

10 MS-DS/SMB 445 30 40 45220 18030

1-hour Sent byte:

01 HTTP 80 25194299 24939838 0 90699477563

02 MS-DS/SMB 445 8260884 8225102 0 29739184085

03 Port-8191-65535 7038543 10227395 0 25338757949

04 LDAP 389 2334189 2347930 0 8403081060

05 Microsoft SQL 1433 1373774 1196909 0 4945586558

06 HTTPS 443 1318144 1258745 0 4745319756

07 HTTP-Alternat 8080 520889 566088 0 1875202977

08 DNS 53 430705 452066 0 1550540194

09 Port-7780 7780 264564 258684 0 952431991

10 Port-3380 3380 230415 12096 0 829497591

1-hour Sent pkts:

01 MS-DS/SMB 445 40571 41786 0 146057206

02 HTTP 80 22612 22957 0 81406406

03 Port-8191-65535 8834 11379 0 31804979

04 HTTPS 443 2528 2777 0 9101589

05 LDAP 389 1956 1954 0 7041854

06 Microsoft SQL 1433 1723 1527 0 6204903

07 Port-135 135 679 572 0 2445229

08 HTTP-Alternat 8080 414 447 0 1493298

09 DNS 53 393 387 0 1418233

10 ICMP * 1 281 365 0 1012609

1-hour Recv byte:

01 MS-DS/SMB 445 8241588 8308370 0 29669717400

02 HTTP 80 3148829 4675871 0 11335784733

03 Port-8191-65535 2908739 2644375 0 10471460696

04 Port-2055 2055 292614 281589 0 1053413852

05 SYSLOG 514 269208 323164 0 969151225

06 HTTPS 443 266550 283114 0 959582362

07 Microsoft SQL 1433 200255 173645 0 720919352

08 LDAP 389 149348 149286 0 537653925

09 SMTP 25 88919 104011 0 320111885

10 Port-135 135 76251 63814 0 274507044

1-hour Recv pkts:

01 MS-DS/SMB 445 40120 41355 0 144433605

02 HTTP 80 16028 17115 0 57703486

03 Port-8191-65535 7853 8933 0 28273380

04 Microsoft SQL 1433 1441 1281 0 5188677

05 LDAP 389 1329 1339 0 4785811

06 HTTPS 443 988 921 0 3559831

07 Port-135 135 694 588 0 2498510

08 SYSLOG 514 292 355 0 1051921

09 HTTP-Alternat 8080 272 289 0 981307

10 DNS 53 252 251 0 909608

and the top talkers list for hosts:


myfirewall/pri/act(config)# sh threat-detection statistics top host

Top Name Id Average(eps) Current(eps) Trigger Total events

20-min Sent attack:

01 145.45.45.226 11 0 60162 13697

02 145.45.45.242 9 9 5657 11297

03 145.45.45.232 7 0 40045 9173

04 145.45.45.234 6 45 33096 7890

05 192.168.135.146 6 7 8214 7536

06 145.45.45.211 5 7 6109 6024

07 145.45.45.210 4 4 19756 5209

08 172.31.4.41 2 1 8 2620

09 172.16.2.224 1 1 202 2247

10 10.10.123.2 1 1 5 2048

20-min Recv attack:

01 192.168.135.136 3 3 1977 4278

02 172.16.28.6 1 2 0 2398

03 172.31.241.99 1 1 0 2160

04 145.45.45.211 1 0 830 1575

05 192.168.133.191 1 1 319 1293

06 10.16.200.27 1 0 17 1256

07 172.26.30.20 0 0 0 1004

08 172.16.1.10 0 0 216 903

09 172.16.22.11 0 0 1382 713

10 10.10.123.2 0 0 7983 653

...

9.0 Backup and Restore

Backup command with tftp server:

myfirewall3/pri/act# copy running-config tftp

Source filename [running-config]?

Address or name of remote host []? 3.3.3.3

Destination filename [running-config]?

Cryptochecksum: ee921f66 a8586880 f2d4fc17 c76933b2

For more info read my post: Migrate Cisco ASA configuration, certificates and private keys
That's all folks!

Tagged: Cisco ASA, commands, troubleshooting


Posted in: ASA (https://itsecworks.com/category/security/cisco/asa/), Cisco (https://itsecworks.com/category/security/cisco/), Security
(https://itsecworks.com/category/security/), Troubleshootings (https://itsecworks.com/category/security/cisco/asa/troubleshootings/)
22 Responses “Cisco ASA troubleshooting commands” →
1.
Krish

September 19, 2013


Very useful for basic troubleshooting..

Reply

itsecworks

September 19, 2013


Yes, only for basic troubleshooting :-) the rest will be posted soon :-)

Reply

TechIE

April 12, 2016


We’re still waiting for the rest. Thanks ;)

2.
akesh

February 22, 2014


Good Stuff.. Can you also try to post a bit more complex troubleshooting..thank you

Reply

itsecworks

February 22, 2014


Feel free to suggest and it will be added to this post.

Reply

3.
Bhumika

November 3, 2014


I found this document very useful. All basic commands at one place.

Reply
4.
Ramesh

February 4, 2015


good for beginners

Reply
5.
Carlos Cosmo

January 14, 2016


Great article, thanks!

Reply
6.
crisboullosa

May 1, 2016


Thank you. It’s what I was looking for.

Reply
7.

Dhruv

June 13, 2016


nice for troubleshooting

Reply
8.
Gui

January 20, 2017


really nice!! tks a lot for u!!!

Reply
9.
Md Shahnawaz

May 1, 2017


Really good and very useful for basic troubleshooting…:)

Reply
10.
siddiqi

January 4, 2018


I want to check by show command whether a particular source/dest IP/port is already allowed/denied by an ACL…it would be good for
me to verify the rule before implementing…do you know any show command like that?

Reply
11.
Sa'ad Bhai

March 7, 2018


Nice Notes on Troubleshooting for VPNs

Reply
12.
venkatesh

April 21, 2018


Good document. Any way to capture the decapsulated packets via IPsec?

Reply
13.
santa barbara

March 4, 2019


Hello colleagues, it's a great article about education and fully defined, keep it up all the
time.

Reply
14.
Tidwongsa Wicharn

July 2, 2019


Thank you so much, I’ve an issue: the Line application can’t call if we use the ASA firewall. Please recommend.

Reply

itsecworks

July 3, 2019


What do you mean with “Line application can’t call”…?

Reply

15.
Vimal

July 3, 2019


Helpful document

Reply
16.
Sam

July 22, 2019


Great stuff. Would love to see part 2 !

Reply

2 Trackbacks For This Post


1. CISCO ASA VPN Troubleshooting Tips – Network Security Memo →

December 16th, 2015 → 3:47 pm



[…] Please refer to this post. […]

2. CISCO ASA VPN Tips and Tricks - Cyber Security Memo →

March 7th, 2019 → 8:10 pm


[…] Notes: Other ASA troubleshooting Commands Please refer to this post. […]
