28/3/2015

Cisco ASA troubleshooting commands | itsecworks

Cisco ASA troubleshooting commands
Posted on September 18, 2013
Based on my requirements for any layer 3 network security device, I collected the basic commands
that you have to know, or you will not be able to manage your device.
1.0 Check the basic settings and firewall states
Check the system status
Check the hardware performance
Check the High Availability state
Check the session table of the firewall
2.0 Check the interface settings
Check the state, speed, duplex and IP of the interfaces
Check the ARP Table
3.0 Check the Routing Table
Check the matching route
4.0 VPN Troubleshooting
Change the tunnel state
Check the tunnel state
Check packet counters for the tunnel
http://itsecworks.com/2013/09/18/ciscoasatroubleshootingcommands/

Check the uptime of the VPN Tunnels
5.1 Sniffer trace
5.2 Test traffic through the firewall
5.3 Test tcp traffic from the firewall
6.0 View logging on cli
Configure logging
Viewing the logs
7.0 Inspection and asp drop
8.0 Threat Detection (check the top talkers)
9.0 Backup and Restore

1.0 Check the basic settings and firewall states

Check the system status
To see the current software version, operational mode, HA, etc. and the system time:
myfirewall/pri/act# show firewall
Firewall mode: Router
myfirewall/pri/act# show version
Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 7.1(1)52
Compiled on Wed 28-Nov-12 10:38 by builders
System image file is "disk0:/asa911-k8.bin"
Config file at boot was "startup-config"
myfirewall up 218 days 1 hour
failover cluster up 5 years 10 days
Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz,
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xfff00000, 1024KB
Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x0)
                             Boot microcode        : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.08
                             Number of accelerators: 1
 0: Ext: GigabitEthernet0/0  : address is 001f.abcc.a8c6, irq 9
 1: Ext: GigabitEthernet0/1  : address is 001f.abcc.a5e7, irq 9
 2: Ext: GigabitEthernet0/2  : address is 001f.abcc.a5e8, irq 9
 3: Ext: GigabitEthernet0/3  : address is 001f.abcc.a5e9, irq 9
 4: Ext: Management0/0       : address is 001f.abcc.a5ea, irq 11
 5: Int: Not used            : irq 11
 6: Int: Not used            : irq 5
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual
This platform has an ASA 5520 VPN Plus license.
Failover cluster licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 4              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 4              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 4              perpetual
Total UC Proxy Sessions           : 4              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual
This platform has an ASA 5520 VPN Plus license.

Serial Number: JMX4567L1DA
Running Permanent Activation Key: 0x650e6758 0x345sb616 0x1233615a 0xc234fca3 0x111
Configuration register is 0x1
Configuration last modified by admin at 10:41:22.791 CEDT Fri Sep 13 2013
The failover state:
myfirewall/pri/act(config)# sh failover state
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Ifc Failure              17:38:56 CEDT Jun 10 2013
                              dmz5: Failed
                              inside: Failed
====Configuration State===
        Sync Done
        Sync Done - STANDBY
====Communication State===
        Mac set

To see what the firewall has seen so far, i.e. the traffic mix concerning the enabled inspections:
myfirewall/pri/act(config)# sh service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 6206448, drop 1493, reset-drop 0, v6-fail
      Inspect: ftp, packet 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: netbios, packet 285884, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: icmp, packet 14657730, drop 1226951, reset-drop 0, v6-fail-close 0
      Inspect: icmp error, packet 10377, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: dcerpc, packet 199070, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0

Check the hardware performance
To see the state of the CPU and the memory:
myfirewall/pri/act(config)# sh cpu usage
CPU utilization for 5 seconds = 8%; 1 minute: 9%; 5 minutes: 9%
myfirewall/pri/act(config)#
myfirewall/pri/act(config)#
myfirewall/pri/act(config)# sh memory
Free memory:      1722679208 bytes (80%)
Used memory:       424804440 bytes (20%)

Total memory:     2147483648 bytes (100%)

myfirewall/pri/act# show processes cpu-usage sorted
PC          Thread      5Sec   1Min   5Min   Process
0x0827e731  0x6e5d2d8c  8.4%   8.7%   8.5%   Dispatch Unit
0x0878d2de  0x6e5bf254  0.2%   0.9%   0.4%   ARP Thread
0x090b0155  0x6e5b7fb4  0.2%   0.2%   0.1%   ssh
0x08785b0e  0x6e5bf460  0.0%   0.0%   0.0%   IP Thread
0x081735b4  0x6e5c56a0  0.0%   0.0%   0.0%   CTM message handler
0x08cdd5cc  0x6e5c2580  0.0%   0.0%   0.0%   update_cpu_usage
0x084e2936  0x6e5c04c0  0.0%   0.0%   0.0%   fover_health_monitoring_thread
0x0935c832  0x6e5bc964  0.0%   0.0%   0.0%   vpnfol_thread_timer
0x080596a4  0x6e5d31a4  0.0%   0.0%   0.0%   block_diag
0x08854a74  0x6e5d2974  0.0%   0.0%   0.0%   WebVPN KCD Process
0x084c6b6d  0x6e5d2768  0.0%   0.0%   0.0%   CF OIR
0x08eafaec  0x6e5d255c  0.0%   0.0%   0.0%   lina_int
0x0807209d  0x6e5d1f38  0.0%   0.0%   0.0%   Reload Control Thread
0x08086369  0x6e5d1d2c  0.0%   0.0%   0.0%   aaa
0x0916ad6d  0x6e5d1b20  0.0%   0.0%   0.0%   UserFromCert Thread
0x0916ad6d  0x6e5d1914  0.0%   0.0%   0.0%   aaa_shim_thread
0x080bae3c  0x6e5d14fc  0.0%   0.0%   0.0%   CMGR Server Process
0x080bd4ad  0x6e5d12f0  0.0%   0.0%   0.0%   CMGR Timer Process
0x0816d455  0x6e5d049c  0.0%   0.0%   0.0%   CTM Daemon
0x081df2c5  0x6e5d0290  0.0%   0.0%   0.0%   SXP CORE
0x081d7041  0x6e5d0084  0.0%   0.0%   0.0%   RBM CORE
0x081cde3c  0x6e5cfe78  0.0%   0.0%   0.0%   cts_task
0x081cf2ed  0x6e5cfc6c  0.0%   0.0%   0.0%   cts_timer_task
0x0827c804  0x6e5cf43c  0.0%   0.0%   0.0%   dbgtrace
0x0856b194  0x6e5cec0c  0.0%   0.0%   0.0%   557mcfix
0x0856b126  0x6e5cea00  0.0%   0.0%   0.0%   557statspoll
...
myfirewall/pri/act# show processes internals
Invoked  Giveups  Max_Runtime  Process
100.025block_diag
1926681692192668169232.679DispatchUnit
376883600.189WebVPNKCDProcess
100.012CFOIR
100.001lina_int
100.003ReloadControlThread
3743052337050.135aaa
1041.427UserFromCertThread
64630.104aaa_shim_thread
200.009CMGRServerProcess
200.008CMGRTimerProcess
100.001CTMDaemon
6200.044SXPCORE
...
myfirewall/pri/act(config)# sh perfmon
PERFMON STATS:                     Current      Average
Xlates                                0/s          0/s
Connections                           0/s          0/s
TCP Conns                             0/s          0/s
UDP Conns                             0/s          0/s
URL Access                            0/s          0/s
URL Server Req                        0/s          0/s
TCP Fixup                             0/s          0/s
TCP Intercept Established Conns       0/s          0/s
TCP Intercept Attempts                0/s          0/s
TCP Embryonic Conns Timeout           0/s          0/s
HTTP Fixup                            0/s          0/s
FTP Fixup                             0/s          0/s
AAA Authen                            0/s          0/s
AAA Author                            0/s          0/s
AAA Account                           0/s          0/s
VALID CONNS RATE in TCP INTERCEPT:    Current      Average
                                       N/A         100.00%

Check the High Availability state
To get the High Availability state information, use the show failover command:
myfirewall/pri/act(config)# show failover ?
exec mode commands/options:
  descriptor  Show failover interface descriptors. Two numbers are shown for
              each interface. When exchanging information regarding a
              particular interface, this unit uses the first number in messages
              it sends to its peer. And it expects the second number in
              messages it receives from its peer. For trouble shooting, collect
              the show output from both units and verify that the numbers
              match.
  exec        Show failover command execution information
  history     Show failover switching history
  interface   Show failover command interface information
  state       Show failover internal state information
  statistics  Show failover command interface statistics information
  |           Output modifiers
Check the failover state:
myfirewall/pri/act(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
Version: Ours 9.1(1), Mate 9.1(1)
Last Failover at: 07:31:49 CEST Feb 12 2013
        This host: Primary - Active
                Active time: 18841674 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/9.1(1)) status (Up Sys)
                  Interface dmz5 (192.168.36.1): Normal (Monitored)
                  Interface dmz6 (192.168.47.1): Normal (Not-Monitored)
                  Interface inside (172.24.3.5): Normal (Monitored)
                  Interface oob (192.168.99.1): Normal (Monitored)
                  Interface management (0.0.0.0): No Link (Not-Monitored)
                slot 1: empty
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/9.1(1)) status (Up Sys)
                  Interface dmz5 (192.168.36.2): Normal (Monitored)
                  Interface dmz6 (192.168.47.2): Normal (Not-Monitored)
                  Interface inside (172.24.3.6): Normal (Monitored)
                  Interface oob (192.168.99.2): Normal (Monitored)
                  Interface management (0.0.0.0): Normal (Not-Monitored)
                slot 1: empty
Stateful Failover Logical Update Statistics
        Link : failover GigabitEthernet0/2 (up)
StatefulObjxmitxerrrcvrerr
General372747905024530730
syscmd2452421024524150
uptime0000
RPCservices0000
TCPconn1275302000
UDPconn177064010360
ARPtbl35100728406210
Xlate_Timeout0000
IPv6NDtbl0000
VPNIKEv1SA0000
VPNIKEv1P20000
VPNIKEv2SA0000
VPNIKEv2P20000
VPNCTCPupd0000
VPNSDIupd0000
VPNDHCPupd0000
SIPSession0000
RouteSession306520000
UserIdentity5010
CTSSGTNAME0000
CTSPAC0000
TrustSecSXP0000
IPv6Route0000
LogicalUpdateQueueInformation
CurMaxTotal
RecvQ:0882453116
XmitQ:029381560801
myfirewall/pri/act(config)# show failover interface
        interface failover GigabitEthernet0/2
                System IP Address: 192.168.92.109 255.255.255.252
                My IP Address    : 192.168.92.109
                Other IP Address : 192.168.92.110
myfirewall/pri/act(config)# show failover descriptor
dmz5 send: 000200000e000000 receive: 000200000e000000
dmz6 send: 0002000041000000 receive: 0002000041000000
inside send: 0002010064000000 receive: 0002010064000000
oob send: 00020300ffff0000 receive: 00020300ffff0000
management send: 01010000ffff0000 receive: 01010000ffff0000
myfirewall/pri/act(config)# show failover history
==========================================================================
From State                 To State                   Reason
==========================================================================
07:30:59 CEST Feb 12 2013
Not Detected               Negotiation                No Error
07:31:03 CEST Feb 12 2013
Negotiation                Cold Standby               Detected an Active mate
07:31:05 CEST Feb 12 2013
Cold Standby               Sync Config                Detected an Active mate
07:31:15 CEST Feb 12 2013
Sync Config                Sync File System           Detected an Active mate
07:31:15 CEST Feb 12 2013
Sync File System           Bulk Sync                  Detected an Active mate

07:31:29 CEST Feb 12 2013
Bulk Sync                  Standby Ready              Detected an Active mate
07:31:49 CEST Feb 12 2013
Standby Ready              Just Active                HELLO not heard from mate
07:31:49 CEST Feb 12 2013
Just Active                Active Drain               HELLO not heard from mate
07:31:49 CEST Feb 12 2013
Active Drain               Active Applying Config     HELLO not heard from mate
07:31:49 CEST Feb 12 2013
Active Applying Config     Active Config Applied      HELLO not heard from mate
07:31:49 CEST Feb 12 2013
Active Config Applied      Active                     HELLO not heard from mate
==========================================================================
myfirewall/pri/act(config)# show failover state
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Ifc Failure              17:38:56 CEDT Jun 10 2013
                              dmz5: Failed
                              inside: Failed
====Configuration State===
        Sync Done
        Sync Done - STANDBY
====Communication State===
        Mac set
myfirewall/pri/act(config)# show failover statistics
        tx:384585696
        rx:29127977
Check the failover configuration:

myfirewall/pri/act(config)# sh run all failover
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/2
failover polltime unit 1 holdtime 15
failover polltime interface 5 holdtime 25
failover interface-policy 1
failover link failover GigabitEthernet0/2
failover interface ip failover 192.168.92.109 255.255.255.252 standby 192.168.92.11

Check the session table of the firewall
With a class map you can set the maximum number of sessions for specific traffic, or for all traffic with match any:
myfirewall(config)# class-map CONNS
myfirewall(config-cmap)# match any
myfirewall(config-cmap)# policy-map CONNS
myfirewall(config-pmap)# class CONNS
myfirewall(config-pmap-c)# set connection conn-max 1000 embryonic-conn-max 3000
The values from the session table of the firewall (the maximum against the used, if configured):

myfirewall/pri/act(config)# show conn ?
exec mode commands/options:
  address         Enter this keyword to specify IP address
  all             Enter this keyword to show conns including to-the-box and
                  from-the-box
  count           Enter this keyword to show conn count only
  detail          Enter this keyword to show conn in detail
  long            Enter this keyword to show conn in long format
  port            Enter this keyword to specify port
  protocol        Enter this keyword to specify conn protocol
  scansafe        Enter this keyword to show conns being forwarded to scansafe
                  server
  security-group  Enter this keyword to show security-group attributes in conns
  state           Enter this keyword to specify conn state
  user            Enter this keyword to specify conn user
  user-group      Enter this keyword to specify conn user group
  user-identity   Enter this keyword to show user names
  |               Output modifiers
myfirewall/pri/act(config)# show conn count
77 in use, 1013 most used
myfirewall/pri/act(config)# show conn state ?

exec mode commands/options:
  WORD  Enter any number of the following conn states using ',' as separator:
        up finin finout http_get smtp_data nojava data_in data_out sunrpc h225
        h323 sqlnet_fixup_data conn_inbound sip mgcp ctiqbe skinny
        service_module stub tcp_embryonic vpn_orphan
myfirewall/pri/act(config)# show conn state up
80 in use, 1013 most used
TCP dmz5 192.168.38.250:4634 inside 172.24.1.2:54320, idle 0:02:29, bytes 12905,
TCP dmz5 192.168.38.250:4633 inside 172.24.1.2:135, idle 0:02:29, bytes 684, flag
TCP dmz6 192.168.47.8:80 dmz5 192.168.37.227:55335, idle 0:00:00, bytes 161830708
TCP dmz6 192.168.47.10:80 dmz5 192.168.37.227:65521, idle 0:00:00, bytes 61797243
TCP dmz6 192.168.47.11:80 dmz5 192.168.37.227:55339, idle 0:00:00, bytes 38116666
TCP dmz5 192.168.36.251:80 inside 172.31.229.68:62940, idle 0:00:00, bytes 335503
TCP dmz5 192.168.36.251:80 inside 172.24.162.217:57429, idle 0:00:00, bytes 47451
TCP dmz5 192.168.38.250:23757 inside 172.24.3.38:1165, idle 0:00:00, bytes 597473
TCP dmz5 192.168.38.250:3389 inside 192.168.252.66:4042, idle 0:00:48, bytes 3378
TCP dmz5 192.168.38.250:23757 inside 172.24.3.40:63433, idle 0:00:00, bytes 93168
You can filter for the session that you are looking for (example):
myfirewall/pri/act(config)# show conn long address 192.168.47.10
74 in use, 1013 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, b - TCP state-bypass or nailed,
       C - CTIQBE media, c - cluster centralized,
       D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
       k - Skinny media, M - SMTP data, m - SIP media, n - GUP
       O - outbound data, P - inside back connection, p - Phone-proxy TFTP connecti
       q - SQL*Net data, R - outside acknowledged FIN,
       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
       V - VPN orphan, W - WAAS,
       X - inspected by service module,
       x - per session, Y - director stub flow, y - backup stub flow,
       Z - Scansafe redirection, z - forwarding stub flow
TCP dmz6: 192.168.47.10/80 (192.168.47.10/80) dmz5: 192.168.37.227/65521 (192.168.3
Check the traffic on the interfaces: the packet and byte counters.

myfirewall/pri/act(config)# show traffic
dmz5:
        received (in 1661754.406 secs):
                14637140684 packets     673671106797 bytes
                8001 pkts/sec   405002 bytes/sec
        transmitted (in 1661754.406 secs):
                38728179279 packets     53732439765301 bytes
                23000 pkts/sec  32334000 bytes/sec
      1 minute input rate 1382 pkts/sec,  67193 bytes/sec
      1 minute output rate 3546 pkts/sec,  4923809 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 1375 pkts/sec,  67887 bytes/sec
      5 minute output rate 3589 pkts/sec,  4994000 bytes/sec
      5 minute drop rate, 0 pkts/sec
dmz6:
        received (in 1661754.416 secs):
                38627911784 packets     53724170049557 bytes
                23002 pkts/sec  32329000 bytes/sec
        transmitted (in 1661754.416 secs):
                14299138045 packets     572124451016 bytes
                8000 pkts/sec   344002 bytes/sec
      1 minute input rate 3535 pkts/sec,  4923119 bytes/sec
      1 minute output rate 1354 pkts/sec,  54206 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 3577 pkts/sec,  4993200 bytes/sec
      5 minute output rate 1345 pkts/sec,  53821 bytes/sec
      5 minute drop rate, 0 pkts/sec
inside:
        received (in 1661754.416 secs):
                826826503 packets       60669330026 bytes
                1 pkts/sec      36000 bytes/sec
        transmitted (in 1661754.416 secs):
                245271895 packets       109518736779 bytes
                0 pkts/sec      65000 bytes/sec
      1 minute input rate 44 pkts/sec,  2772 bytes/sec
      1 minute output rate 25 pkts/sec,  13180 bytes/sec
      1 minute drop rate, 21 pkts/sec
      5 minute input rate 45 pkts/sec,  2829 bytes/sec
      5 minute output rate 28 pkts/sec,  14443 bytes/sec
      5 minute drop rate, 21 pkts/sec
Check the timeout values on the firewall:

myfirewall2/pri/act# sh run timeout
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00

2.0 Check the interface settings

Check the state, speed, duplex and IP of the interfaces
Show the running configuration only for the interfaces with an IP address:
myfirewall/pri/act(config)# sh run ip address
!
interface GigabitEthernet0/0.14
 vlan 14
 nameif dmz5
 security-level 0
 ip address 192.168.36.1 255.255.252.0 standby 192.168.36.2
!
interface GigabitEthernet0/0.65
 vlan 65
 nameif dmz6
 security-level 0
 ip address 192.168.47.1 255.255.255.0 standby 192.168.47.2
!
interface GigabitEthernet0/1.100
 vlan 100
 nameif inside
 security-level 100
 ip address 192.168.3.5 255.255.248.0 standby 172.24.3.6
Show the IP address and security level only:
myfirewall2/pri/act# sh ip
System IP Addresses:
Interface            Name       IP address       Subnet mask       Met
Port-channel1.1001   dmz1       5.5.5.5          255.255.255.192   CONFIG
Port-channel2        Failover   192.168.92.13    255.255.255.252   uns
Port-channel4.721    inside     172.17.131.151   255.255.255.0     CON
Current IP Addresses:
Interface            Name       IP address       Subnet mask       Met
Port-channel1.1001   dmz1       5.5.5.5          255.255.255.192   CONFIG
Port-channel2        Failover   192.168.92.13    255.255.255.252   uns
Port-channel4.721    inside     172.17.131.151   255.255.255.0     CON
myfirewall2/pri/act# sh nameif
Interface            Name         Security
Management0/0        management   100
Port-channel1.1001   dmz1         0
Port-channel4.721    inside       100
Check the MAC and the state of the interfaces. The name of the interface in the example below is
internal.
Here you can see the following in the output:
Interface name
MAC
Link state
Speed
Duplex
MTU
Packet and byte counters
Errors

myfirewall/pri/act# show interface
Interface GigabitEthernet0/0 "", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is off
        Available but not configured via nameif
        MAC address 001f.abcc.a5e6, MTU not set
        IP address unassigned
        53280934440 packets input, 55671972432495 bytes, 0 no buffer
        Received 167625118 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        53043155385 packets output, 55516746848674 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 2 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops, 0 tx hangs
        input queue (blocks free curr/low): hardware (255/230)
        output queue (blocks free curr/low): hardware (255/122)
Interface GigabitEthernet0/0.14 "dmz5", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 14
        Description: dmz5
        MAC address 001f.abcc.a5e6, MTU 1500
        IP address 192.168.36.1, subnet mask 255.255.252.0
  Traffic Statistics for "dmz5":
        14641601950 packets input, 673897945554 bytes
        38739676247 packets output, 53748403391129 bytes
        51923927 packets dropped
Interface GigabitEthernet0/0.65 "dmz6", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 65
        Description: dmz6
        MAC address 001f.abcc.a5e6, MTU 1500
        IP address 192.168.47.1, subnet mask 255.255.255.0
  Traffic Statistics for "dmz6":
        38639332463 packets input, 53740092462779 bytes
        14303479193 packets output, 572298134370 bytes
        83451 packets dropped

Check the ARP Table
This contains the permanent and the dynamic ARP entries:
myfirewall/pri/act# show arp
        dmz5 192.168.38.43 0020.4ab0.a59f 0
        dmz5 192.168.37.226 2c27.d733.a9e2 0
        dmz5 192.168.37.236 2c27.d733.a89e 0
        dmz5 192.168.37.235 78ac.c0b2.4066 0
        dmz5 192.168.37.240 0019.99ae.847c 0
        dmz5 192.168.39.240 0019.9987.5676 0
...

3.0 Check the Routing Table
With show route you can see the current routing table of the firewall, with the static and the
dynamic routes and the directly connected networks.
myfirewall/pri/act# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is 172.24.2.2 to network 0.0.0.0
C    172.24.0.0 255.255.248.0 is directly connected, inside
C    192.168.99.0 255.255.255.0 is directly connected, oob
C    192.168.47.0 255.255.255.0 is directly connected, dmz6
C    192.168.92.108 255.255.255.252 is directly connected, failover
S*   0.0.0.0 0.0.0.0 [1/0] via 172.24.2.2, inside
C    192.168.36.0 255.255.252.0 is directly connected, dmz5

Check the matching route
Are you looking for a specific route in a big routing table? No problem, use show route with more
details:
myfirewall/pri/act# sh route inside 172.31.231.246
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is 172.24.2.2 to network 0.0.0.0

4.0 VPN Troubleshooting
The most significant part for VPN is the time on the devices. To check the time use the following
commands:
myfirewall/pri/act# show clock
11:19:45.485 CEDT Wed Sep 18 2013
myfirewall/pri/act# show ntp status
Clock is synchronized, stratum 3, reference is 172.24.10.100
nominal freq is 99.9984 Hz, actual freq is 99.9968 Hz, precision is 2**6
reference time is d5e3ed1d.b0b7a760 (11:13:01.690 CEDT Wed Sep 18 2013)
clock offset is 0.1998 msec, root delay is 18.55 msec
root dispersion is 36.01 msec, peer dispersion is 15.64 msec

Change the tunnel state
Bring up a VPN tunnel manually. No traffic required.
Shut down a VPN tunnel manually.
All tunnels:
myfirewall3/pri/act# clear crypto isakmp sa
Only a specific tunnel:
myfirewall3/pri/act# clear ipsec sa peer 2.2.2.2
myfirewall2/pri/act# clear cry ikev1 sa 2.2.2.2
Shut down for a longer time:
myfirewall2/pri/act(config)# no crypto map l2lvpns 10 set peer 211.66.176.18

Check the tunnel state
If there is no SA, the tunnel is down and does not work. To see whether the tunnel is up, we
need to check whether any SA exists.
To see whether the tunnel is up you can use the show crypto isakmp sa or the show crypto ipsec sa
command.
Tunnel state is down
The tunnel does not exist if there is no output of the commands below:
myfirewall3/pri/act# sh cry isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
myfirewall3/pri/act# show crypto ipsec sa
There are no ipsec sas
Tunnel state is up

Information from the output of the command below:

VPN peers
encrypted traffic (source and destination)
traffic counters for encrypted traffic
SPI for encrypt and decrypt
Encryption method

myfirewall2/pri/act# show cry ips sa peer 3.3.3.3
peer address: 3.3.3.3
    Crypto map tag: firmen, seq num: 22, local addr: 5.5.5.5

      access-list tunvoss extended permit ip host 172.19.212.10 192.168.15.72 255.
      local ident (addr/mask/prot/port): (172.19.212.10/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.15.72/255.255.255.248/0/0)
      current_peer: 3.3.3.3
      #pkts encaps: 26, #pkts encrypt: 26, #pkts digest: 26
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 26, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 5.5.5.5/0, remote crypto endpt.: 3.3.3.3/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: AB092E6E
      current inbound spi : 910F4308
    inbound esp sas:
      spi: 0x910F4308 (2433696520)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 25923584, crypto-map: firmen
         sa timing: remaining key lifetime (kB/sec): (4373999/3360)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x000003FF
    outbound esp sas:
      spi: 0xAB092E6E (2869505646)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 25923584, crypto-map: firmen
         sa timing: remaining key lifetime (kB/sec): (4373997/3360)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Check packet counters for the tunnel
To see whether the encryption and decryption of the packets works, run the show cry ipsec sa
command two or more times and compare the values. On the second and third outputs the counters
should show larger numbers.
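The comparison described above, as an added example that is not part of the original post: a Python script that parses two snapshots of show crypto ipsec sa and classifies every SA by how its encaps/decaps counters moved. The snapshot text is constructed (modelled on the output format shown on this page), and the function names and verdict strings are assumptions of this example.

```python
import re

# Constructed sample (not captured from a device), trimmed to the lines the
# parser needs. Two SAs under one peer; the second local ident is made up.
TEMPLATE = """\
peer address: 3.3.3.3
    Crypto map tag: firmen, seq num: 22, local addr: 5.5.5.5
      local ident (addr/mask/prot/port): (172.19.212.10/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.15.72/255.255.255.248/0/0)
      current_peer: 3.3.3.3
      #pkts encaps: {e1}, #pkts encrypt: {e1}, #pkts digest: {e1}
      #pkts decaps: {d1}, #pkts decrypt: {d1}, #pkts verify: {d1}
      #send errors: 0, #recv errors: 0
      current outbound spi: AB092E6E
      current inbound spi : 910F4308
    Crypto map tag: firmen, seq num: 22, local addr: 5.5.5.5
      local ident (addr/mask/prot/port): (172.19.212.11/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.15.72/255.255.255.248/0/0)
      current_peer: 3.3.3.3
      #pkts encaps: {e2}, #pkts encrypt: {e2}, #pkts digest: {e2}
      #pkts decaps: {d2}, #pkts decrypt: {d2}, #pkts verify: {d2}
      #send errors: 0, #recv errors: 0
      current outbound spi: 0C3D55A1
      current inbound spi : 77E0B912
"""
SNAPSHOT_1 = TEMPLATE.format(e1=26, d1=9, e2=100, d2=0)
SNAPSHOT_2 = TEMPLATE.format(e1=40, d1=15, e2=130, d2=0)

IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\):\s*\((\S+?)\)")
PEER = re.compile(r"current_peer:\s*(\S+)")
COUNTER = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors):\s*(\d+)")
SPI = re.compile(r"current (outbound|inbound) spi\s*:\s*([0-9A-Fa-f]+)")


def parse_ipsec_sa(text):
    """Return {(peer, local ident, remote ident): fields} for every SA block."""
    sas, cur = {}, None
    for line in text.splitlines():
        m = IDENT.search(line)
        if m and m.group(1) == "local":
            cur = {"local": m.group(2)}      # an SA block starts at "local ident"
        elif m and cur is not None:
            cur["remote"] = m.group(2)
        elif cur is not None:
            p = PEER.search(line)
            if p:                            # key is complete once the peer is known
                sas[(p.group(1), cur["local"], cur.get("remote"))] = cur
            for name, value in COUNTER.findall(line):
                cur[name] = int(value)
            s = SPI.search(line)
            if s:
                cur[s.group(1) + " spi"] = s.group(2).upper()
    return sas


def compare(before, after):
    """Classify each SA by how its counters moved between two snapshots."""
    report = {}
    for key in before.keys() | after.keys():
        old, new = before.get(key), after.get(key)
        if old is None or new is None:
            report[key] = {"verdict": "SA present in only one snapshot"}
            continue
        enc = new.get("pkts encaps", 0) - old.get("pkts encaps", 0)
        dec = new.get("pkts decaps", 0) - old.get("pkts decaps", 0)
        err = sum(new.get(k, 0) - old.get(k, 0) for k in ("send errors", "recv errors"))
        if enc < 0 or dec < 0:
            verdict = "counters went backwards: take a new baseline"
        elif err > 0:
            verdict = "send/recv errors increasing"
        elif enc and dec:
            verdict = "traffic in both directions"
        elif enc:
            verdict = "encrypting only: no packets come back from the peer"
        elif dec:
            verdict = "decrypting only: nothing is sent into the tunnel"
        else:
            verdict = "idle: no traffic hit this SA"
        spi_changed = any(old.get(k) != new.get(k) for k in ("inbound spi", "outbound spi"))
        report[key] = {"verdict": verdict, "encaps": enc, "decaps": dec,
                       "spi_changed": spi_changed}
    return report


if __name__ == "__main__":
    result = compare(parse_ipsec_sa(SNAPSHOT_1), parse_ipsec_sa(SNAPSHOT_2))
    for (peer, local, remote), row in sorted(result.items()):
        print(f"{peer} {local} -> {remote}: {row}")
```

An SA whose encaps counter grows while decaps stays flat is the case to chase first: the local side encrypts and sends, but nothing returns from the peer.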
In the following output the firewall has 1 active VPN peer.
myfirewall2/pri/act# show vpn-sessiondb l2l
Session Type: LAN-to-LAN
Connection   : 9.9.9.9
Index        : 5671                   IP Addr      : 9.9.9.9
Protocol     : IKEv1 IPsec
Encryption   : 3DES                   Hashing      : MD5
Bytes Tx     : 83496278               Bytes Rx     : 420469160
Login Time   : 02:17:25 CEDT Wed Sep 18 2013
Duration     : 12h:15m:49s
Connection   : 3.3.3.3
Index        : 6329                   IP Addr      : 3.3.3.3
Protocol     : IKEv1 IPsec
Encryption   : AES256                 Hashing      : SHA1
Bytes Tx     : 6100                   Bytes Rx     : 5992
Login Time   : 14:26:13 CEDT Wed Sep 18 2013
Duration     : 0h:07m:01s

Check the uptime of the VPN tunnels
Uptime for site-to-site VPN

asafirewall/pri/act# show vpn-sessiondb l2l
Session Type: LAN-to-LAN
Connection   : 25.25.25.25
Index        : 34872                  IP Addr      : 25.25.25.25
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (3)AES256
Hashing      : IKEv1: (1)SHA1  IPsec: (3)SHA1
Bytes Tx     : 73653504               Bytes Rx     : 31342653
Login Time   : 01:15:18 CEST Thu Nov 28 2013
Duration     : 12h:36m:51s
Connection   : dynvpntunnel
Index        : 34902                  IP Addr      : 35.35.35.35
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (1)AES256
Hashing      : IKEv1: (1)SHA1  IPsec: (1)SHA1
Bytes Tx     : 17679966               Bytes Rx     : 2626429
Login Time   : 12:38:17 CEST Thu Nov 28 2013
Duration     : 1h:13m:52s
SA lifetime for IKE (phase 1) for site-to-site (lifetime in seconds)
asafirewall/pri/act# show crypto isa sa detail
IKEv1 SAs:
   Active SA: 4
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 4
1   IKE Peer: 45.45.45.45
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_ACTIVE
    Encrypt : aes-256         Hash    : SHA
    Auth    : preshared       Lifetime: 14400
    Lifetime Remaining: 12039
2   IKE Peer: 55.55.55.55
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : MD5
    Auth    : preshared       Lifetime: 14400
    Lifetime Remaining: 12462
SA lifetimes for inbound and outbound esp sas (phase 2) for site-to-site (lifetime in seconds)
asafirewall/pri/act# show crypto ipsec sa
interface: outside
    Crypto map tag: tunnel, seq num: 20, local addr: 46.46.46.46

      access-list tunacl1 extended permit ip host 10.10.10.11 192.168.1.48 255.255
      local ident (addr/mask/prot/port): (10.10.10.11/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.48/255.255.255.240/0/0)
      current_peer: 13.13.13.13
      #pkts encaps: 38097, #pkts encrypt: 38097, #pkts digest: 38097
      #pkts decaps: 34559, #pkts decrypt: 34559, #pkts verify: 34559
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 38097, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 46.46.46.46/0, remote crypto endpt.: 13.13.13.13/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 22512A19
      current inbound spi : 8F46C331
    inbound esp sas:
      spi: 0x8F46C331 (2403779377)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 143024128, crypto-map: tunnel
         sa timing: remaining key lifetime (kB/sec): (4371840/26381)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x22512A19 (575744537)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 143024128, crypto-map: tunnel
         sa timing: remaining key lifetime (kB/sec): (4350795/26381)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
Uptime for the old VPN client
asafirewall/pri/act# show vpn-sessiondb ra-ikev1-ipsec
Session Type: IKEv1 IPsec
Username     : einsteina@vpntungrp1   Index        : 3856
Assigned IP  : 192.168.236.249        Public IP    : 37.209.44.113
Protocol     : IKEv1 IPsecOverTCP
License      : Other VPN
Encryption   : AES128                 Hashing      : SHA1
Bytes Tx     : 667580222              Bytes Rx     : 195368751
Group Policy : vpngrpp1               Tunnel Group : vpndeol
Login Time   : 10:15:51 CEST Tue Nov 19 2013
Duration     : 9d 3h:37m:37s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
Username     : leonardo@vpntungrp2    Index        : 12473
Assigned IP  : 192.168.244.151        Public IP    : 145.253.227.158
Protocol     : IKEv1 IPsecOverTCP
License      : Other VPN
Encryption   : AES128                 Hashing      : SHA1
Bytes Tx     : 64670782               Bytes Rx     : 49769295
Group Policy : vpngrpp2               Tunnel Group : vpnextrsa
Login Time   : 09:07:46 CEST Wed Nov 27 2013
Duration     : 1d 4h:45m:42s

Uptime for the new VPN client (AnyConnect)

asafirewall/pri/act# sh vpn-sessiondb anyconnect
Session Type: AnyConnect
Username : beck@vpntungrp3 Index : 12579
Assigned IP : 192.168.236.194 Public IP : 84.163.80.247
Protocol : AnyConnect-Parent SSL-Tunnel
License : AnyConnect Essentials
Encryption : 3DES Hashing : none SHA1
Bytes Tx : 552426724 Bytes Rx : 264841827
Group Policy : vpngrpp3 Tunnel Group : DefaultWEBVPNGroup
Login Time : 10:21:29 CEST Wed Nov 27 2013
Duration : 1d 3h:44m:57s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none

Username : baromarcu@vpntungrp3 Index : 13405
Assigned IP : 192.168.238.212 Public IP : 91.14.67.250
Protocol : AnyConnect-Parent SSL-Tunnel
License : AnyConnect Essentials
Encryption : 3DES Hashing : none SHA1
Bytes Tx : 376838398 Bytes Rx : 153802768
Group Policy : vpngrpp3 Tunnel Group : DefaultWEBVPNGroup
Login Time : 07:22:24 CEST Thu Nov 28 2013
Duration : 6h:44m:02s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none

5.1 Sniffer trace
The basic command is capture; after that you have to define the interface* (or the keyword any).
Raise the packet length to a higher value if you need the payload from the packets!

myfirewall2/pri/act# capture capturename packet-length 1600 match tcp host 2.2.2.2
myfirewall2/pri/act#
myfirewall2/pri/act# sh cap
capture capturename type raw-data [Capturing - 0 bytes]
match tcp host 2.2.2.2 any eq https
You can use an access-list for more detailed traffic selection.
To export the sniffer trace to a pcap file use the command:
myfirewall2/pri/act# copy /pcap capture: tftp
Source capture name []? capturename
Address or name of remote host []? 3.3.3.3
Destination filename [capturename]? capturename.pcap
!!!!
myfirewall2/pri/act#

5.2 Test traffic through the firewall
myfirewall/pri/act# packet-tracer input inside tcp 10.1.1.1 1024 10.4.1.1 23

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config: access-group inside in interface inside access-list inside extended permit

5.3 Test tcp traffic from the firewall
myfirewall/pri/act#pingtcpinside10.26.134.2880source10.23.18.141324

6.0 View logging on cli
The buffer size is limited, and if the buffer is full the old logs will be overwritten.
To check your log settings issue the following:
myfirewall3/pri/act# sh run logging
logging enable
logging timestamp
logging buffered alerts
logging trap errors
logging asdm debugging
logging mail alerts
logging from-address firewall@mycompany.com
logging recipient-address network@mycompany.com level alerts
logging host fwtrans 172.24.2.218
logging host fwtrans 172.24.2.219
logging permit-hostdown

Configure logging
Important commands are:
logging enable
logging timestamp
logging host fwtrans 172.24.2.218
logging trap errors
Save the logs from the buffer to a file; afterwards you can copy it to your tftp server.
myfirewall3/pri/act# logging savelog mylogs
myfirewall3/pri/act# cd syslog
myfirewall3/pri/act# dir
Directory of disk0:/syslog/
113 -rwx 2880 14:41:18 Sep 18 2013 mylogs
255426560 bytes total (181706752 bytes free)
Viewing the logs
To see the buffered logs issue:
myfirewall3/pri/act# show logging

7.0 Inspection and asp drop
These commands should be issued multiple times to see which counter is actually increasing, since that can point to the problem.
Issuing the command just once does not make much sense, since we do not know since when the counters have been accumulating the values shown.
myfirewall/pri/act# sh service-policy set connection detail

Interface germany:
Service-policy: voicehttpmap
Class-map: voicehttpmap
Set connection policy: drop 0
Set connection advanced-options: maxmsssize
Retransmission drops: 0 TCP checksum drops : 0
Exceeded MSS drops : 0 SYN with data drops: 0
Invalid ACK drops : 0 SYN-ACK with data drops: 0
Out-of-order (OoO) packets : 0 OoO no buffer drops: 0
OoO buffer timeout drops : 0 SEQ past window drops: 208
Reserved bit cleared: 0 Reserved bit drops : 0
IP TTL modified : 0 Urgent flag cleared: 0
Window varied resets: 0
TCP-options:
Selective ACK cleared: 0 Timestamp cleared : 0
Window scale cleared : 0
Other options cleared: 0
Other options drops: 0

myfirewall/pri/act# sh asp drop flow
Inspection failure (inspect-fail) 14616790
SSL handshake failed (ssl-handshake-failed) 85
SSL received close alert (ssl-received-close-alert) 40
Last clearing: Never

myfirewall/pri/act# sh asp drop frame
Flow is being freed (flow-being-freed) 121
Invalid TCP Length (invalid-tcp-hdr-length) 1
No valid adjacency (no-adjacency) 36
Reverse-path verify failed (rpf-violated) 6990253
Flow is denied by configured rule (acl-drop) 864778803
Flow denied due to resource limitation (unable-to-create-flow) 1374
First TCP packet not SYN (tcp-not-syn) 471046343
Bad TCP flags (bad-tcp-flags) 46770
TCP data send after FIN (tcp-data-past-fin) 128
TCP failed 3 way handshake (tcp-3whs-failed) 1560684
TCP RST/FIN out of order (tcp-rstfin-ooo) 30625519
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 9582
TCP SYNACK on established conn (tcp-synack-ooo) 8770
TCP packet SEQ past window (tcp-seq-past-win) 77478
TCP invalid ACK (tcp-invalid-ack) 53427
TCP ACK in 3 way handshake invalid (tcp-discarded-ooo) 5710
TCP Out-of-Order packet buffer full (tcp-buffer-full) 1
TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 5541
TCP RST/SYN in window (tcp-rst-syn-in-win) 326943
TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 769
TCP packet failed PAWS test (tcp-paws-fail) 1530
Expired flow (flow-expired) 284
ICMP Inspect bad icmp code (inspect-icmp-bad-code) 300
ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched) 633646
ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn)
DNS Inspect invalid packet (inspect-dns-invalid-pak) 35
DNS Inspect invalid domain label (inspect-dns-invalid-domain-label) 628
DNS Inspect packet too long (inspect-dns-pak-too-long) 5044504
DNS Inspect id not matched (inspect-dns-id-not-matched) 1589860
Unable to obtain connection lock (connection-lock) 13
Interface is down (interface-down) 35
RM connection limit reached (rm-conn-limit) 136021
Dropped pending packets in a closed socket (np-socket-closed) 27886
Last clearing: Never
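
The advice above (run the command several times and watch which counter grows) can be automated by diffing two saved outputs. The following is an added example, not part of the original post: the two snapshots are constructed samples in the usual "show asp drop frame" layout, the function names are hypothetical, and a counter missing from the first snapshot is assumed to have been zero.

```python
import re

# Constructed snapshots in the usual "show asp drop frame" layout (not real captures).
SNAPSHOT_1 = """\
Frame drop:
  Reverse-path verify failed (rpf-violated)                      6990253
  Flow is denied by configured rule (acl-drop)                 864778803
  First TCP packet not SYN (tcp-not-syn)                       471046343
  TCP packet SEQ past window (tcp-seq-past-win)                    77478
Last clearing: Never
"""
SNAPSHOT_2 = """\
Frame drop:
  Reverse-path verify failed (rpf-violated)                      6990253
  Flow is denied by configured rule (acl-drop)                 864779950
  First TCP packet not SYN (tcp-not-syn)                       471046401
  TCP packet SEQ past window (tcp-seq-past-win)                    77478
  Interface is down (interface-down)                                  35
Last clearing: Never
"""

# "<description> (<counter-name>) <value>": the name is the last parenthesised token.
LINE_RE = re.compile(r"^\s*(?P<desc>.+?)\s+\((?P<name>[\w-]+)\)\s+(?P<count>\d+)\s*$")

def parse_asp_drop(text):
    """Return {counter-name: (description, count)} for every counter line."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[m["name"]] = (m["desc"], int(m["count"]))
    return counters

def drop_deltas(before, after, interval_s):
    """Return (name, description, delta, per-second rate) for counters that grew."""
    old, new = parse_asp_drop(before), parse_asp_drop(after)
    rows = []
    for name, (desc, count) in new.items():
        # Assumption: a counter absent from the first snapshot was still at zero.
        prev = old.get(name, ("", 0))[1]
        if count < prev:
            raise ValueError(f"{name} decreased: counters were cleared between samples")
        if count > prev:
            rows.append((name, desc, count - prev, (count - prev) / interval_s))
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for name, desc, delta, rate in drop_deltas(SNAPSHOT_1, SNAPSHOT_2, interval_s=60):
        print(f"{name:18} +{delta:<6} {rate:7.2f}/s  {desc}")
```

Counters that did not change between the two samples are left out, so the result lists only the drop reasons that are active right now.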

8.0 Threat Detection (check the top talkers)
Threat detection configuration example:
myfirewall/pri/act(config)# sh run threat-detection
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

Show commands for threat detection:
This command, IF activated, can give us really useful basic information about network flows passing through the firewall.
Or if we have a performance problem with our internet connection, we can see who currently owns the line (whose head must be under the guillotine).
myfirewall/pri/act# sh threat-detection statistics top ?
access-list Enter this keyword to display top N access-list statistics
host Enter this keyword to display top N host statistics
port-protocol Enter this keyword to display top N port statistics
rate-1 Enter this keyword to display top N's first rate statistics
rate-2 Enter this keyword to display top N's second rate statistics
rate-3 Enter this keyword to display top N's third rate statistics
tcp-intercept Show statistics information for tcp intercept
| Output modifiers

An example with port and protocol:
myfirewall/pri/act# sh threat-detection statistics top port-protocol
Top Name Id Average(eps) Current(eps) Trigger Total events
0minSentattack:
0minRecvattack:
01DNS5329723552271001783308
02LDAP3896394742549383645
03HTTP801621521406697668
04NetBIOSName137160193803196239
05HTTPS443131851124279013
06Port81916553510897351364974
07XMPPSSLUno5223481022428884
08SNMPTRAP16246465053727859
09SYSLOG5143632977321995
10MSDS/SMB44530404522018030
1hourSentbyte:
01HTTP802519429924939838090699477563
02MSDS/SMB44582608848225102029739184085
03Port819165535703854310227395025338757949
04LDAP3892334189234793008403081060
05MicrosoftSQL14331373774119690904945586558
06HTTPS4431318144125874504745319756
07HTTPAlternat808052088956608801875202977
08DNS5343070545206601550540194
09Port778077802645642586840952431991
10Port33803380230415120960829497591
1hourSentpkts:
01MSDS/SMB44540571417860146057206
02HTTP802261222957081406406
03Port819165535883411379031804979
04HTTPS4432528277709101589
05LDAP3891956195407041854
06MicrosoftSQL14331723152706204903
07Port13513567957202445229
08HTTPAlternat808041444701493298
09DNS5339338701418233
10ICMP*128136501012609
1hourRecvbyte:
01MSDS/SMB44582415888308370029669717400
02HTTP8031488294675871011335784733
03Port81916553529087392644375010471460696
04Port2055205529261428158901053413852
05SYSLOG5142692083231640969151225
06HTTPS4432665502831140959582362
07MicrosoftSQL14332002551736450720919352
08LDAP3891493481492860537653925
09SMTP25889191040110320111885
10Port13513576251638140274507044
1hourRecvpkts:
01MSDS/SMB44540120413550144433605
02HTTP801602817115057703486
03Port81916553578538933028273380
04MicrosoftSQL14331441128105188677
05LDAP3891329133904785811
06HTTPS44398892103559831
07Port13513569458802498510
08SYSLOG51429235501051921
09HTTPAlternat80802722890981307
10DNS532522510909608
And the top talkers list for hosts:
myfirewall/pri/act(config)# sh threat-detection statistics top host
Top Name Id Average(eps) Current(eps) Trigger Total events
20minSentattack:
01145.45.45.2261106016213697
02145.45.45.24299565711297
03145.45.45.23270400459173
04145.45.45.234645330967890
05192.168.135.1466782147536
06145.45.45.2115761096024
07145.45.45.21044197565209
08172.31.4.412182620
09172.16.2.224112022247
1010.10.123.21152048
20minRecvattack:
01192.168.135.1363319774278
02172.16.28.61202398
03172.31.241.991102160
04145.45.45.211108301575
05192.168.133.191113191293
0610.16.200.2710171256
07172.26.30.200001004
08172.16.1.1000216903
09172.16.22.11001382713
1010.10.123.2007983653
...

9.0 Backup and Restore
Backup command with tftp server:

myfirewall3/pri/act# copy running-config tftp
Source filename [running-config]?
Address or name of remote host []? 3.3.3.3
Destination filename [running-config]?
Cryptochecksum: ee921f66a8586880f2d4fc17c76933b2
For more info read my post: Migrate Cisco ASA configuration, certificates and private keys
That's all folks!

6 Responses to Cisco ASA troubleshooting commands

Krish
September 19, 2013

Very useful for basic troubleshooting..
itsecworks
September 19, 2013

Yes, only for basic troubleshooting :) the rest will be posted soon :)

akesh
February 22, 2014

Good Stuff.. Can you also try to post a bit more complex troubleshooting.. thank you

itsecworks
February 22, 2014

Feel free to suggest and it will be added to this post.
Bhumika
November 3, 2014

I found this document very useful. all basic commands at one place

Ramesh
February 4, 2015

good for beginners