TACSEC-2006 Troubleshooting Cisco Secure Firewall Cluster Failures and Packet Drops - 2023
Troubleshooting Cisco Secure Firewall Cluster Failures and Packet Drops
#CiscoLive
Your presenter
#CiscoLive TACSEC-2006 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
“Simple can be harder than complex.
You have to work hard to get your
thinking clean to make it simple.”
-Steve Jobs
Agenda
• Introduction
• Connection Flags and Packet Flow
• Unit Join Failures
• MTU issues
• NAT/PAT Failures
• Troubleshooting packet drops
• Q&A
Introduction
Introduction – What is a Cluster?
Clustering lets you group multiple units together as a single logical device while achieving increased throughput and redundancy.
Introduction – Requirements
All units in a cluster:
• Must be the same model
• Running the same software version
• Same Firewall mode:
• Physical Appliance: routed/transparent
• Virtual Appliance: routed only
Supported on:
• FPR9300/FPR4100 – Up to 16 units
• Secure Firewall 3100 – Up to 8 units
• vFTD AWS, GCP, Azure – Up to 16 units
• vFTD KVM, VMware – Up to 4 units
Introduction – How is an FTD cluster deployed?
• Spanned EtherChannels: all data links are grouped into one EtherChannel on
the switch side.
• Cluster Control Link (CCL) includes control and data traffic.
• Recommended to have a per-unit EtherChannel for link redundancy on the CCL.
Introduction – Cluster Node terminology
Control Unit - One node is elected as the Control Unit.
Data Unit - The remaining nodes are Data Units.
Connection Flags and Packet Flow
Connection Flags - Cluster flow terminology
• Flow Owner: Whichever unit receives the first packet for a new connection becomes the flow owner.
FTD1# cluster exec show conn add 192.0.2.152 | in 59718
FTD1(LOCAL):******************************************************
TCP VLAN2401 192.0.2.152:59718 VLAN2401 172.16.10.131:1523, idle 0:06:32, bytes 15826, flags UIO
FTD2:*************************************************************
TCP VLAN2401 192.0.2.152:59718 VLAN2401 172.16.10.131:1523, idle 0:06:32, bytes 0, flags Y
Connection Flags - Cluster flow terminology
• Forwarder Flow: If a unit receives a packet for a flow that it doesn't own, it contacts the director for that flow to learn which unit owns the flow. Once it knows this, it becomes a Forwarder and sends any further packets it receives on that connection directly to the owner.
FTD1# cluster exec show conn add 192.0.2.152 | in 59718
[output omitted]
FTD3:*************************************************************
TCP VLAN2401 192.0.2.152:59718 VLAN2401 172.16.10.131:1523, idle 0:06:32, bytes 0, flags z
• Backup director flow: If the director chosen for the flow is also the owner
then a 'backup director' flow will be created.
FTD1# cluster exec show conn add 192.0.2.152 | in 59718
[output omitted]
FTD4:*************************************************************
TCP VLAN2401 192.0.2.152:59718 VLAN2401 172.16.10.131:1523, idle 0:06:32, bytes 0, flags y
Packet Flow
1. A TCP SYN originates from the Client and arrives at FTD1. FTD1 becomes the flow owner. FTD2 is elected the flow director.
2. The TCP SYN/ACK packet arrives from the Server at FTD3.
3. FTD3 asks the director for the flow owner. FTD3 then forwards the packet to the owner.
4. The owner unit sends a state update to the director unit.
5. The owner reinjects the packet on the interface OUTSIDE and then forwards the packet towards the Client.
6. Any subsequent packets delivered to the director unit or a forwarder are forwarded to the owner.
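The six steps above and the owner / director / forwarder / backup-director flags from the previous slides can be walked through in a small model. The code below is an added example written for this page, not FTD code: it assumes a director is picked by hashing the 5-tuple over the unit list (FTD's real election is not described in the deck, so the model lets you override it), assumes the first other unit becomes backup director when director and owner coincide, and reproduces the per-unit flags (UIO, Y, z, y) that `cluster exec show conn` displayed for the 192.0.2.152:59718 flow.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# 'show conn' flags the deck associates with each per-unit role for one flow.
ROLE_FLAGS = {"owner": "UIO", "director": "Y", "backup_director": "y", "forwarder": "z"}

FlowKey = Tuple[str, str, int, str, int]  # (proto, src_ip, src_port, dst_ip, dst_port)


def hash_director(key: FlowKey, units: List[str]) -> str:
    # ASSUMPTION: the director is picked by hashing the 5-tuple over the unit list.
    digest = hashlib.sha256(repr(key).encode()).digest()
    return units[int.from_bytes(digest[:4], "big") % len(units)]


@dataclass
class Flow:
    owner: str
    director: str
    backup_director: Optional[str] = None
    forwarders: Set[str] = field(default_factory=set)
    events: List[str] = field(default_factory=list)


class ClusterModel:
    """Toy model of owner / director / forwarder / backup-director roles (not FTD code)."""

    def __init__(self, units: List[str],
                 director_fn: Callable[[FlowKey, List[str]], str] = hash_director):
        self.units = list(units)
        self.director_fn = director_fn
        self.flows: Dict[FlowKey, Flow] = {}

    def receive(self, unit: str, key: FlowKey, first_packet: bool) -> Optional[str]:
        """Deliver one packet of flow `key` to `unit`; return the unit that processes it."""
        flow = self.flows.get(key)
        if flow is None:
            if not first_packet:
                # A non-SYN packet with no flow anywhere in the cluster is dropped
                # (the 'tcp-not-syn' drop reason seen later in the deck's ASP capture).
                return None
            director = self.director_fn(key, self.units)
            flow = Flow(owner=unit, director=director)
            if director == unit:
                # Director and owner coincide: a backup director stub goes elsewhere.
                # ASSUMPTION: the first other unit in the list is chosen.
                others = [u for u in self.units if u != unit]
                flow.backup_director = others[0] if others else None
            flow.events.append(f"{unit} got the first packet and became owner; director is {director}")
            self.flows[key] = flow
            return unit
        if unit == flow.owner:
            return unit
        if unit != flow.director:
            # Not owner, not director: ask the director who owns the flow, become a forwarder.
            flow.forwarders.add(unit)
            flow.events.append(f"{unit} asked director {flow.director}; forwarding to owner {flow.owner}")
        else:
            flow.events.append(f"director {unit} forwarded a packet to owner {flow.owner}")
        return flow.owner

    def conn_table(self, key: FlowKey) -> Dict[str, str]:
        """Flags each unit would show for `key` in 'cluster exec show conn'."""
        flow = self.flows[key]
        table = {}
        for u in self.units:
            if u == flow.owner:
                table[u] = ROLE_FLAGS["owner"]
            elif u == flow.director:
                table[u] = ROLE_FLAGS["director"]
            elif u == flow.backup_director:
                table[u] = ROLE_FLAGS["backup_director"]
            elif u in flow.forwarders:
                table[u] = ROLE_FLAGS["forwarder"]
        return table


if __name__ == "__main__":
    # Constructed walk-through of the deck's packet flow with four units; the
    # director is pinned to FTD2 to match the slide.
    cluster = ClusterModel(["FTD1", "FTD2", "FTD3", "FTD4"], director_fn=lambda k, us: "FTD2")
    key = ("tcp", "192.0.2.152", 59718, "172.16.10.131", 1523)
    cluster.receive("FTD1", key, first_packet=True)    # SYN from the client lands on FTD1
    cluster.receive("FTD3", key, first_packet=False)   # SYN/ACK from the server lands on FTD3
    for unit, flags in cluster.conn_table(key).items():
        print(f"{unit}: flags {flags}")
    for line in cluster.flows[key].events:
        print(line)
```

The useful takeaway for troubleshooting is the last method: when you read `cluster exec show conn` output, the same 5-tuple should appear once with UIO (owner) and once with Y or y somewhere else in the cluster; a z entry means that unit has been forwarding packets for it.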
Unit Join Failures
Case Study 1: Interface health check failure
• By default, interface monitoring is enabled.
• In case of a link failure, the node is removed from the cluster until the issue is fixed.
• In the following example FTD1 is out of the cluster due to a CCL link failure, but the same issue can also happen due to a data link failure.
[Diagram: FTD1 (Control Unit), FTD2 and FTD3 (Data Units), each connected to the switching infrastructure through CCL Po48 and Data Po1; the CCL on FTD1 has failed]
Troubleshooting commands:
• show cluster history
• show cluster info trace
• scope eth-uplink
  scope fabric a
  show port-channel
• connect fxos
  show port-channel summary
  show port-channel database
  show lacp neighbor
  show lacp counters interface port-channel ID
  show lacp interface ethernet x/x
  show lacp internal event history errors
Case Study 1: Interface health check failure
• show cluster history command:
FTD1> show cluster history
May 02 09:01:31.162 [DBUG]Cluster state machine client Cluster Unit_Test Client returns is done with progression
May 02 09:01:31.162 [DBUG]Cluster state machine notify client Cluster Unit_Test Client of progression
May 02 09:01:31.162 [INFO]State machine changed from state CONTROL_NODE to DISABLED
May 02 09:01:31.162 [INFO]Interface Port-channel48 is going down
May 02 09:01:31.162 [CRIT]Unit FTD1 is quitting due to Cluster Control Link down (1 times after last rejoin). Rejoin will be attempted after 5 minutes.
May 02 09:01:31.162 [DBUG]Send event (DISABLE, RESTART | INTERNAL-EVENT, 300000 msecs, Cluster interface down) to FSM. Current state CONTROL_NODE
May 02 09:01:29.932 [DBUG]RPC call, Cluster SVM Client to id 0 with parameter 0x0000000000000000, returns RPC_SUCCESS
Case Study 1: Interface health check failure
• LACP errors on FXOS:
FTD1(fxos)# show lacp internal event-history interface ethernet 1/2
10) FSM:<Ethernet2/1> Transition at 258423 usecs after Tue May 2 09:01:31 2023
Previous state: [LACP_ST_PORT_MEMBER_COLLECTING_AND_DISTRIBUTING_ENABLED]
Triggered event: [LACP_EV_UNGRACEFUL_DOWN]
Next state: [LACP_ST_PORT_IS_DOWN_OR_LACP_IS_DISABLED]
11) FSM:<Ethernet2/1> Transition at 350583 usecs after Tue May 2 09:01:31 2023
Previous state: [LACP_ST_PORT_IS_DOWN_OR_LACP_IS_DISABLED]
Triggered event: [LACP_EV_PORT_HW_PATH_DISABLED]
Next state: [FSM_ST_NO_CHANGE]
12) FSM:<Ethernet2/1> Transition at 434181 usecs after Tue May 2 09:01:31 2023
Previous state: [LACP_ST_PORT_IS_DOWN_OR_LACP_IS_DISABLED]
Triggered event: [LACP_EV_CLNUP_PHASE_II]
Next state: [LACP_ST_PORT_IS_DOWN_OR_LACP_IS_DISABLED]
Interfaces on the switch were modified, causing their operational state to change to down, so the CCL port-channel went down because LACP BPDUs were no longer received.
• Switch Logs:
Nexus# show logging
2023 May 2 09:01:11 Nexus1 %ETH_PORT_CHANNEL-5-FOP_CHANGED: port-channel10: first operational port changed from Ethernet1/1 to none
2023 May 2 09:01:11 Nexus1 %ETH_PORT_CHANNEL-5-PORT_DOWN: port-channel10: Ethernet1/1 is down
2023 May 2 09:01:11 Nexus1 %ETHPORT-5-IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN: Interface port-channel10 is down (No operational members)
2023 May 2 09:01:11 Nexus1 %ETHPORT-5-IF_BANDWIDTH_CHANGE: Interface port-channel10,bandwidth changed to 100000 Kbit
2023 May 2 09:01:11 Nexus1 %ETHPORT-5-IF_DOWN_LINK_FAILURE: Interface Ethernet1/1 is down (Link failure)
2023 May 2 09:01:11 Nexus1 %ETHPORT-5-IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN: Interface port-channel10 is down (No operational members)
2023 May 2 09:01:11 Nexus1 %ETH_PORT_CHANNEL-5-FOP_CHANGED: port-channel1: first operational port changed from Ethernet1/2 to none
2023 May 2 09:01:11 Nexus1 %ETH_PORT_CHANNEL-5-PORT_DOWN: port-channel1: Ethernet1/2 is down
Next Actions:
• Verify the port-channel configuration and make sure the port-channels are up.
• Schedule switch interface/vPC/port-channel configuration changes during a maintenance window.
• If data port-channels will be modified on the switch, disable health monitoring on the cluster side to avoid a cluster event.
• Take advantage of the auto-rejoin configuration to tweak the existing unit rejoin timers.
Case Study 2: Snort engine failure
In the following example FTD2 is out of the cluster due to a snort failure.
Troubleshooting commands:
Case Study 2: Snort engine failure
• show cluster history command:
FTD1> show cluster history
Case Study 2: Snort engine failure
• Syslog logs:
FTD1# show logging | include 7481
May 02 06:40:41 %FTD-3-748101: Clustering: Peer unit FTD2(1) reported its snort application status is down
May 02 06:40:41 %FTD-3-748103: Clustering: Asking data node FTD2 to quit due to snort Application health check failure, and data node's application state is down
May 02 06:40:41 %FTD-3-748101: Clustering: Peer unit FTD2(1) reported its diskstatus application status is up
May 02 06:40:41 %FTD-3-748101: Clustering: Peer unit FTD2(1) reported its snort application status is down
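When many of these %FTD-3-7481xx messages are interleaved it helps to reduce them to a per-unit health summary. The following is an added example for this page, not a Cisco tool: it parses the four syslog lines shown above (plus one constructed recovery line for an FTD3 that is not in the slide), tracks the last reported state of each monitored application per peer unit, records which data nodes were asked to quit and why, and lists the units that are currently unhealthy.

```python
import re
from collections import defaultdict

# Constructed sample: the four lines from the slide plus one later recovery line.
SAMPLE_LOG = """\
May 02 06:40:41 %FTD-3-748101: Clustering: Peer unit FTD2(1) reported its snort application status is down
May 02 06:40:41 %FTD-3-748103: Clustering: Asking data node FTD2 to quit due to snort Application health check failure, and data node's application state is down
May 02 06:40:41 %FTD-3-748101: Clustering: Peer unit FTD2(1) reported its diskstatus application status is up
May 02 06:40:41 %FTD-3-748101: Clustering: Peer unit FTD2(1) reported its snort application status is down
May 02 06:52:10 %FTD-3-748101: Clustering: Peer unit FTD3(2) reported its snort application status is up
"""

# Only the clustering health-check message family (748101 status report, 748103 quit request).
CLUSTER_MSG = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2})\s+%FTD-\d-(?P<id>7481\d{2}):\s*Clustering:\s*(?P<text>.*)$")
STATUS = re.compile(
    r"Peer unit (?P<unit>\S+?)\(\d+\) reported its (?P<app>\S+) application status is (?P<state>up|down)")
QUIT = re.compile(r"Asking data node (?P<unit>\S+) to quit due to (?P<reason>.+?) health check failure")


def analyze_cluster_syslog(log_text):
    """Summarise clustering health messages per peer unit.

    Returns {unit: {"apps": {app: last_state}, "quit": [(timestamp, reason), ...]}}.
    """
    units = defaultdict(lambda: {"apps": {}, "quit": []})
    for line in log_text.splitlines():
        m = CLUSTER_MSG.match(line)
        if not m:
            continue
        ts, body = m.group("ts"), m.group("text")
        s = STATUS.search(body)
        if s:
            # Later lines overwrite earlier ones, so the dict holds the latest state.
            units[s["unit"]]["apps"][s["app"]] = s["state"]
            continue
        q = QUIT.search(body)
        if q:
            units[q["unit"]]["quit"].append((ts, q["reason"]))
    return dict(units)


def unhealthy_units(summary):
    """Units whose last reported state for any monitored application is 'down'."""
    return sorted(u for u, info in summary.items() if "down" in info["apps"].values())


if __name__ == "__main__":
    summary = analyze_cluster_syslog(SAMPLE_LOG)
    for unit, info in sorted(summary.items()):
        print(unit, info["apps"], "quit requests:", info["quit"])
    print("unhealthy:", unhealthy_units(summary))
```

Feed it the output of `show logging | include 7481` from the control unit; a unit listed as unhealthy with a quit entry is the one to inspect under /ngfw/var/log/messages as the next slide describes.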
Next Actions:
• By default, the snort engine and disk status are monitored by the ndclientd process as part of the cluster health check.
• If snort fails or the disk is full, the unit is removed from the cluster because it is not healthy.
• For snort failure:
  • Check the /ngfw/var/log/messages file for the failure reason.
  • Snort tracebacks and core files can be collected from /ngfw/var/log/crashinfo and /ngfw/var/data/cores respectively.
  • Engage TAC with a troubleshooting file for further RCA.
• If high disk usage is detected, remove unnecessary files to free disk space.
• Troubleshoot Excessive Disk Utilization
MTU Issues
Case Study 3: CCL MTU mismatch
In the following example FTD2 is not joining the cluster due to a CCL MTU test failure.
[Diagram: FTD1, FTD2 and FTD3, each connected to the switch through Data Po1]
Switch:
• show interface Ethernet x/x
• show port-channel xx
• show run | in mtu
Case Study 3: CCL MTU mismatch
• show cluster history command:
FTD1> show cluster history
Case Study 3: CCL MTU size mismatch
• Ping test over the CCL to verify the MTU:
FTD2# ping cluster 127.2.2.1 size 1600
Type escape sequence to abort.
Sending 5, 1600-byte ICMP Echos to 127.2.2.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
Case Study 3: CCL MTU size mismatch
• Check interface MTU configuration on FTD2 and switch:
FTD2# show interfaces port-channel 1
Interface Port-channel1 "inside", is up, line protocol is up
Hardware is EtherSVI, BW 80000 Mbps, DLY 1600 usec
MAC address f8e5.7e1f.418e, MTU 1500
IP address 172.20.1.1, subnet mask 255.255.255.0
Case Study 4: Database connections timeout through the Firewall
In the following example, users report intermittent connection problems
between application and database.
Troubleshooting commands:
Case Study 4: Database connections timeout through the Firewall
• show conn detail command for the specific flow:
FTD1# show conn detail port 46638
TCP Inside:172.16.20.1/46638 Outside: 192.168.100.2/1524,
flags UIO , idle 12m5s, uptime 12m5s, timeout 1h0m, bytes 28576, cluster sent/rcvd bytes
[output omitted]
From director/backup FTD2: 16858 (23 byte/s)
Initiator: 172.16.20.1, Responder: 192.168.100.2
Connection lookup keyid: 1345113130
capture ASP type asp-drop all circular-buffer headers-only [Capturing - 3700 bytes]
match ip host 172.16.20.1 host 192.168.100.2
FTD1(LOCAL):******************************************************
FTD2:*************************************************************
1: 19:31:40.797093 Outside P0 192.168.100.2.1524 > 172.16.20.1.46638: P 81975167:81975360(193) ack 17763954 win 122 Drop-reason: (tcp-not-syn) First TCP packet not SYN, Drop-location: frame 0x000055d587d1c36a flow (NA)/NA
Case Study 4: Database connections timeout through the Firewall
• Syslogs about this flow:
FTD1> show logging | inc 192.168.100.2
May 23 19:25:38 10.129.10.34 : %FTD-6-302022: Built director stub TCP connection for Inside:/46638 (172.16.20.1/46638) to Outside:192.168.100.2/1524 (192.168.100.2/1524)
May 23 19:25:38 10.129.10.34 : %FTD-6-302022: Built forwarder stub TCP connection for Outside:192.168.100.2/1524 (192.168.100.2/1524) to unknown:172.16.20.1/46638 (172.16.20.1/46638)
May 23 19:25:38 10.129.10.33 : %FTD-6-302013: Built inbound TCP connection 796624636 for Inside:172.16.20.1/46638 (172.16.20.1/46638) to Outside:192.168.100.2/1524 (192.168.100.2/1524)
Case Study 4: Database connections timeout through the Firewall
• cluster-cflow-clu-timeout: a cluster flow with CLU is considered idle if the director/backup unit no longer receives periodic updates from the owner.
• show conn detail confirms there is no director/backup flow for the connection on FTD2.
FTD1# cluster exec show conn detail port 46638 port 1524
FTD1(LOCAL):******************************************************
TCP Inside: 172.16.20.1/46638 Outside: 192.168.100.2/1524,
flags UIO , idle 12m5s, uptime 12m5s, timeout 1h0m, bytes 28576, cluster sent/rcvd bytes
[output omitted]
From director/backup FTD2: 16858 (23 byte/s)
Initiator: 172.16.20.1, Responder: 192.168.100.2
Connection lookup keyid: 1345113130
FTD2:*************************************************************
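The check the slide makes by eye (owner flow on FTD1, no stub on FTD2) can be automated over `cluster exec show conn detail` output. The following is an added example written for this page, not FTD code: it parses the per-unit sections, handles both the one-line `show conn` layout and the `detail` layout where the flags follow on the next line, maps the flags to the roles from the Connection Flags slides, and lists every flow that has an owner but no director or backup-director stub anywhere in the cluster. The sample text is constructed from the slide's output with one extra healthy flow (port 46700, which is not in the slide) added for contrast.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the slide: port 46638 is the problem flow (owner on
# FTD1, nothing on FTD2); port 46700 is a healthy flow added for contrast.
SAMPLE = """\
FTD1# cluster exec show conn detail port 46638 port 1524
FTD1(LOCAL):******************************************************
TCP Inside: 172.16.20.1/46638 Outside: 192.168.100.2/1524,
    flags UIO , idle 12m5s, uptime 12m5s, timeout 1h0m, bytes 28576
  Initiator: 172.16.20.1, Responder: 192.168.100.2
TCP Inside: 172.16.20.1/46700 Outside: 192.168.100.2/1524,
    flags UIO , idle 0:00:05, uptime 0:01:02, timeout 1h0m, bytes 1204
  Initiator: 172.16.20.1, Responder: 192.168.100.2
FTD2:*************************************************************
TCP Inside: 172.16.20.1/46700 Outside: 192.168.100.2/1524,
    flags Y , idle 0:00:05, uptime 0:01:02, timeout 1h0m, bytes 0
"""

UNIT_HEADER = re.compile(r"^(?P<unit>\S+?)(?:\(LOCAL\))?:\*{5,}\s*$")
ENDPOINT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})[:/](\d+)")   # ip:port or ip/port
FLAGS = re.compile(r"\bflags\s+(\S+?)\s*(?:,|$)")
PROTOCOLS = {"TCP", "UDP", "SCTP", "ICMP"}


def role_from_flags(flags):
    """Map the per-unit flag string to the cluster role the deck describes."""
    if "Y" in flags:
        return "director"
    if "y" in flags:
        return "backup_director"
    if "z" in flags:
        return "forwarder"
    return "owner"


def parse_cluster_conn(text):
    """Return {(proto, src_ip, src_port, dst_ip, dst_port): {unit: role}}."""
    conns = defaultdict(dict)
    unit, pending = None, None
    for raw in text.splitlines():
        line = raw.strip()
        hdr = UNIT_HEADER.match(line)
        if hdr:
            unit, pending = hdr.group("unit"), None
            continue
        if unit is None or not line:
            continue
        proto = line.split()[0]
        if proto in PROTOCOLS:
            endpoints = ENDPOINT.findall(line)
            if len(endpoints) >= 2:
                pending = (proto,) + endpoints[0] + endpoints[1]
        fl = FLAGS.search(line)              # same line (brief) or a later line (detail)
        if fl and pending:
            conns[pending][unit] = role_from_flags(fl.group(1))
            pending = None
    return dict(conns)


def flows_without_stub(conns):
    """Owner flows that have no director or backup-director stub on any unit.

    In the slide's case the stub on FTD2 aged out with cluster-cflow-clu-timeout
    because the owner's updates were not received, leaving exactly this pattern.
    """
    return sorted(key for key, roles in conns.items()
                  if "owner" in roles.values()
                  and not any(r in ("director", "backup_director") for r in roles.values()))


if __name__ == "__main__":
    table = parse_cluster_conn(SAMPLE)
    for key, roles in sorted(table.items()):
        print(key, roles)
    print("flows with no director/backup stub:", flows_without_stub(table))
```

A flow reported here is one whose owner is still forwarding data while the rest of the cluster has forgotten it; if the owner fails, or a packet of that flow lands on another unit, there is no director to answer the lookup.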
Case Study 4: Database connections timeout through the Firewall
MTU on FTD1 and FTD2:
FTD1# show run mtu
mtu Inside 9000
mtu Outside 9000
mtu diagnostic 1500
mtu cluster 9184
MTU on switch:
switch# show int po7 | grep MTU
MTU 9000 bytes, BW 10000000 Kbit, DLY 1 usec
switch# show int po17 | grep MTU
MTU 9000 bytes, BW 10000000 Kbit, DLY 1 usec
switch# show int po9 | grep MTU
MTU 9000 bytes, BW 20000000 Kbit, DLY 1 usec
Next Actions:
The cluster control link traffic includes data packet forwarding, so the cluster
control link needs to accommodate the entire size of a data packet plus
cluster traffic overhead.
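The rule in this slide (CCL MTU must cover the full data packet plus cluster overhead, and the switch side of the CCL must carry that size) can be checked mechanically from `show run mtu` and the switch `show int ... | grep MTU` lines. The code below is an added example for this page, not a Cisco tool. Two things in it are assumptions: the mapping of FTD interfaces to switch port-channels (the slide does not say which port-channel is the CCL), and the 100-byte overhead figure, which the slide does not quantify, so it is a parameter you should set from your platform's documentation.

```python
import re

# Constructed samples reproducing the MTU values shown on the slide.
FTD_SHOW_RUN_MTU = """\
mtu Inside 9000
mtu Outside 9000
mtu diagnostic 1500
mtu cluster 9184
"""

SWITCH_TRANSCRIPT = """\
switch# show int po7 | grep MTU
  MTU 9000 bytes, BW 10000000 Kbit, DLY 1 usec
switch# show int po17 | grep MTU
  MTU 9000 bytes, BW 10000000 Kbit, DLY 1 usec
switch# show int po9 | grep MTU
  MTU 9000 bytes, BW 20000000 Kbit, DLY 1 usec
"""

# ASSUMPTION: the slide does not state which switch port-channel carries which FTD
# interface; this mapping is made up for the example.
PORT_CHANNEL_MAP = {"Inside": "po7", "Outside": "po17", "cluster": "po9"}


def parse_ftd_mtu(show_run_mtu):
    """'show run mtu' -> {interface_name: mtu}."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^mtu\s+(\S+)\s+(\d+)\s*$", show_run_mtu, re.M)}


def parse_switch_mtu(transcript):
    """Pair each 'show int <po> | grep MTU' prompt with the 'MTU N bytes' line below it."""
    mtus, current = {}, None
    for line in transcript.splitlines():
        prompt = re.match(r"^\S+#\s*show int\S*\s+(\S+)", line)
        if prompt:
            current = prompt.group(1).lower()
            continue
        value = re.search(r"\bMTU\s+(\d+)\s+bytes", line)
        if value and current:
            mtus[current] = int(value.group(1))
            current = None
    return mtus


def check_cluster_mtu(ftd_mtu, switch_mtu, po_map, overhead=100):
    """Return a list of findings; an empty list means the MTUs are consistent.

    overhead: ASSUMED headroom the CCL needs above the largest data-interface MTU
    for the cluster forwarding encapsulation. The slide only says 'plus cluster
    traffic overhead' without a number, so 100 here is an example value.
    """
    findings = []
    data = {n: v for n, v in ftd_mtu.items() if n not in ("cluster", "diagnostic")}
    ccl = ftd_mtu.get("cluster")
    if ccl is None or not data:
        return ["could not find 'mtu cluster' or data-interface MTU lines"]
    largest_name, largest = max(data.items(), key=lambda kv: kv[1])
    if ccl < largest + overhead:
        findings.append(f"CCL MTU {ccl} is below {largest_name} MTU {largest} + {overhead} overhead")
    # Every switch port-channel must carry at least the MTU the FTD puts on it;
    # for the CCL that means the data MTU plus overhead, not just the data MTU.
    for iface, po in po_map.items():
        want, have = ftd_mtu.get(iface), switch_mtu.get(po)
        if want is None or have is None:
            findings.append(f"no MTU found for {iface}/{po}")
        elif have < want:
            findings.append(f"switch {po} MTU {have} < FTD {iface} MTU {want}: "
                            f"frames larger than {have} bytes are dropped on the switch")
    return findings


if __name__ == "__main__":
    ftd = parse_ftd_mtu(FTD_SHOW_RUN_MTU)
    sw = parse_switch_mtu(SWITCH_TRANSCRIPT)
    for finding in check_cluster_mtu(ftd, sw, PORT_CHANNEL_MAP) or ["MTUs consistent"]:
        print(finding)
```

With the slide's values the only finding is the CCL port-channel: the FTD forwards up to 9184-byte frames across the CCL while the switch side is limited to 9000, which is exactly the kind of mismatch that silently loses owner-to-director updates.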
NAT/PAT Failures
Case Study 5: PAT allocation Imbalance (Firepower 6.6)
In the following example, FTD1 is unable to create new NAT connections after it rejoined the cluster following a cluster failure.
Troubleshooting commands:
Case Study 5: PAT allocation Imbalance (Firepower 6.6)
• Before the failure, each unit owns one IP address of the pool:
FTD1# show running-config object Server
object network inside-net
subnet 192.168.100.0 255.255.255.0
object network Mapped-IPGroup
range 192.0.2.150 192.0.2.151
show running-config nat
object network inside-net
nat (Inside,Outside) dynamic pat-pool Mapped-IPGroup
FTD1# show nat pool cluster
IP outside 192.0.2.150, owner FTD1, backup FTD2
IP outside 192.0.2.151, owner FTD2, backup FTD1
[Diagram: FTD1 (Control Unit) and FTD2 (Data Unit) behind the switch infrastructure; Outside addresses 192.0.2.150 and 192.0.2.151]
Case Study 5: PAT allocation Imbalance (Firepower 6.6)
• FTD1 failed and left the cluster. FTD2 now becomes the owner of both IP addresses:
FTD2# show nat pool cluster
IP outside 192.0.2.150, owner FTD2, backup FTD1
IP outside 192.0.2.151, owner FTD2, backup FTD1
Case Study 5: PAT allocation Imbalance (Firepower 6.6)
• Since the PAT pool is composed of only two IP addresses, FTD2 keeps ownership of both IP addresses because it has active xlates on them:
TCP PAT from inside:192.168.100.10/53740 to outside:192.0.2.150/53740 flags ri idle 0:07:36 timeout 0:00:30
TCP PAT from inside:192.168.100.23/63850 to outside:192.0.2.150/63850 flags ri idle 0:38:16 timeout 0:00:30
TCP PAT from inside:192.168.100.12/63841 to outside:192.0.2.151/33683 flags ri idle 0:42:38 timeout 0:00:30
TCP PAT from inside:192.168.100.114/62036 to outside:192.0.2.151/62036 flags ri idle 2:02:13 timeout 0:00:30
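Whether a rejoining unit can get a pool address back depends on the two outputs above: who owns each IP, and whether that IP still has xlates. The code below is an added example for this page, not FTD code; it parses `show nat pool cluster` and the PAT lines of `show xlate` (constructed samples copied from the slide, with the owner spelled consistently) and reports which units own nothing and which IPs are stuck because their xlate count is non-zero.

```python
import re
from collections import Counter, defaultdict

# Constructed samples reproducing the slide's outputs after FTD1 left the cluster.
POOL_OUTPUT = """\
FTD2# show nat pool cluster
IP outside 192.0.2.150, owner FTD2, backup FTD1
IP outside 192.0.2.151, owner FTD2, backup FTD1
"""

XLATE_OUTPUT = """\
FTD2# show xlate
TCP PAT from inside:192.168.100.10/53740 to outside:192.0.2.150/53740 flags ri idle 0:07:36 timeout 0:00:30
TCP PAT from inside:192.168.100.23/63850 to outside:192.0.2.150/63850 flags ri idle 0:38:16 timeout 0:00:30
TCP PAT from inside:192.168.100.12/63841 to outside:192.0.2.151/33683 flags ri idle 0:42:38 timeout 0:00:30
TCP PAT from inside:192.168.100.114/62036 to outside:192.0.2.151/62036 flags ri idle 2:02:13 timeout 0:00:30
"""

POOL_LINE = re.compile(
    r"^IP\s+\S+\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}),\s+owner\s+(?P<owner>\S+),\s+backup\s+(?P<backup>\S+)")
XLATE_LINE = re.compile(
    r"^(?:TCP|UDP)\s+PAT\s+from\s+\S+\s+to\s+\S+?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/\d+")


def parse_pool(text):
    """'show nat pool cluster' -> {mapped_ip: (owner, backup)}."""
    return {m["ip"]: (m["owner"], m["backup"])
            for m in map(POOL_LINE.match, text.splitlines()) if m}


def xlates_per_ip(text):
    """Count active PAT xlates per mapped IP from 'show xlate' output."""
    return Counter(m["ip"] for m in map(XLATE_LINE.match, text.splitlines()) if m)


def pat_rebalance_report(pool, xlate_counts, units):
    """Describe pool ownership and which IPs could move back to a rejoining unit."""
    per_owner = defaultdict(list)
    for ip, (owner, _backup) in sorted(pool.items()):
        per_owner[owner].append(ip)
    return {
        "per_owner": dict(per_owner),
        "units_without_ip": [u for u in units if not per_owner.get(u)],
        # An IP can only be re-balanced once zero xlates exist for it.
        "movable": [ip for ip in sorted(pool) if xlate_counts.get(ip, 0) == 0],
        "stuck": {ip: xlate_counts[ip] for ip in sorted(pool) if xlate_counts.get(ip, 0) > 0},
    }


if __name__ == "__main__":
    report = pat_rebalance_report(parse_pool(POOL_OUTPUT),
                                  xlates_per_ip(XLATE_OUTPUT), ["FTD1", "FTD2"])
    for k, v in report.items():
        print(f"{k}: {v}")
```

On the slide's data every pool IP is stuck on FTD2 and FTD1 owns nothing, which is the imbalance the next slide's workaround (clearing the xlates on one IP) addresses.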
Next Actions:
• An IP address can be re-balanced only when zero xlates exist for that IP address.
• As a workaround, the xlates can be cleared from the IP to make it available for redistribution.
• Starting with Firepower 6.7, the cluster uses port block-based PAT distribution.
• Further enhancements were made in Firepower 7.0 and 7.1.
Troubleshooting Packet Drops
How to troubleshoot packet drops through a cluster?
1. Define a specific flow
2. What service is impacted?
3. Define a source host, destination host, destination port and protocol
4. Define ingress and egress interface
5. Collect packet captures: can be applied on Data Plane, CCL and ASP drop.
FTD1# cluster exec capture CAPI interface INSIDE match tcp host 172.16.10.10 host 72.163.4.161 eq 443
FTD1# cluster exec cap CAPO reinject-hide interface OUTSIDE match tcp host 192.0.2.150 host 72.163.4.161 eq 443
FTD1# cluster exec cap ASP type asp-drop all buffer 33554432 headers-only match ip host 172.16.10.10 host 72.163.4.161
FTD1# cluster exec capture capccl interface cluster trace match icmp any any
FTD2:*************************************************************
capture CAPI type raw-data buffer 33554432 interface INSIDE [Capturing - 260 bytes]
match tcp host 172.16.10.10 host 72.163.4.161 eq 443
• trace: to see how packets are handled by the data plane
FTD1# show cap CAPI packet-number 1 trace
25985 packets captured
1: 08:42:09.362697 802.1Q vlan#201 P0 172.16.10.10.45954 > 72.163.4.161.443: S 992089269:992089269(0) win 29200 <mss 1460,sackOK,timestamp 495153655 0,nop,wscale 7>
...
Phase: 4
Type: CLUSTER-EVENT
Subtype:
Result: ALLOW
Config:
Additional Information:
Input interface: 'INSIDE'
Flow type: NO FLOW
I (0) got initial, attempting ownership.
Phase: 5
Type: CLUSTER-EVENT
Subtype:
Result: ALLOW
Config:
Additional Information:
Input interface: 'INSIDE'
Flow type: NO FLOW
I (0) am becoming owner
...
6. Connection logs and syslogs:
FTD1(LOCAL):******************************************************
TCP Outside 72.163.4.161:443 INSIDE 172.16.10.10:1526, idle 0:06:32, bytes 15826, flags UIO
FTD2:*************************************************************
TCP Outside 72.163.4.161:443 INSIDE 172.16.10.10:1526, idle 0:06:32, bytes 0, flags Y
Key Takeaways
• For packet drops, define a specific source host, destination host, destination port and protocol before setting up packet captures.
Cluster Troubleshooting commands:
show cluster history: View the event history for the cluster.
show cluster access-list: Shows hit counters for access policies.
show cluster conn: Shows the aggregated count of in-use connections for all units.
show cluster conn count: Only the connection count is displayed.
show cluster interface-mode: Shows the cluster interface mode, either spanned or individual.
show cluster memory: Shows system memory utilization.
show cluster resource usage: Shows system resources and usage.
show cluster traffic: Shows traffic statistics.
show cluster xlate count: Shows current translation information.
show cluster info: Shows cluster information.
show cluster info trace: Shows the cluster debug trace.
show cluster info trace module hc: Shows the debug trace for health checks.
show cluster info health details: Verify the heartbeat frequency.
show cluster info conn-distribution: Shows the connection distribution in the cluster.
show cluster info packet-distribution: Shows the packet distribution in the cluster.
cluster exec show nat pool cluster: Check whether the PAT pool is distributed across units.
cluster exec show nat pool: Displays NAT pool usage statistics on all units.
cluster exec show conn detail: Displays connections in detail, including translation type and interface information.
cluster exec show conn long address: Displays connections in long format.
cluster exec capture <name> interface <name> trace match <protocol> host <IP1> host <IP2>: Configure captures on the Data Plane and CCL.
cluster exec capture <name> type asp-drop all <protocol> host <IP1> host <IP2>: Configure ASP drop captures.
cluster exec show cap <name>: Display the details of the capture.
cluster exec show asp drop: Debug packets or connections dropped in the accelerated security path.
Q&A
Thank you