26/12/2014
Cisco ASA troubleshooting commands | itsecworks
Cisco ASA troubleshooting commands
Posted on September 18, 2013

With my requirements for any networking layer 3 security device I collected the basic commands that you have to know or you will not be able to manage your device.

1.0 Check the basic settings and firewall states
    Check the system status
    Check the hardware performance
    Check the High Availability state
    Check the session table of the firewall
2.0 Check the interface settings
    Check the state, speed, duplex and IP of the interfaces
    Check the ARP Table
3.0 Check the Routing Table
    Check the matching route
4.0 VPN Troubleshooting
    Change the tunnel state
    Check the tunnel state
    Check packet counters for the tunnel
    Check the uptime of the VPN tunnels
5.0 Sniffer trace
6.0 View logging on CLI
    Configure logging
    Viewing the logs
7.0 Inspection and asp-drop
8.0 Threat Detection (check the top talkers)
9.0 Backup and Restore
1.0 Check the basic settings and firewall states
Check the system status

To see the actual software version, operational mode, HA, etc. and the system time:

myfirewall/pri/act# show firewall
Firewall mode: Router

myfirewall/pri/act# show version

Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 7.1(1)52

Compiled on Wed 28-Nov-12 10:38 by builders
System image file is "disk0:/asa911-k8.bin"
Config file at boot was "startup-config"

myfirewall up 218 days 1 hour
failover cluster up 5 years 10 days

Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz,
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xfff00000, 1024KB
Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.0
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2
                             Number of accelerators: 1
 0: Ext: GigabitEthernet0/0  : address is 001f.abcc.a8c6, irq 9
 1: Ext: GigabitEthernet0/1  : address is 001f.abcc.a5e7, irq 9
 2: Ext: GigabitEthernet0/2  : address is 001f.abcc.a5e8, irq 9
 3: Ext: GigabitEthernet0/3  : address is 001f.abcc.a5e9, irq 9
 4: Ext: Management0/0       : address is 001f.abcc.a5ea, irq 11
 5: Int: Not used            : irq 11
 6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has an ASA 5520 VPN Plus license.

Failover cluster licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 4              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 4              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 4              perpetual
Total UC Proxy Sessions           : 4              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has an ASA 5520 VPN Plus license.

Serial Number: JMX4567L1DA
Running Permanent Activation Key: 0x650e6758 0x345sb616 0x1233615a 0xc234fca
Configuration register is 0x1
Configuration last modified by admin at 10:41:22.791 CEDT Fri Sep 13 2013
The failover state:

myfirewall/pri/act(config)# sh failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Ifc Failure              17:38:56 CEDT Jun 10
                              dmz5: Failed
                              inside: Failed

====Configuration State===
        Sync Done
        Sync Done - STANDBY
====Communication State===
        Mac set
To see what the firewall has seen so far, the traffic mix concerning the enabled inspections:
myfirewall/pri/act(config)# sh service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 6206448, drop 1493, reset-drop 0,
      Inspect: ftp, packet 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: netbios, packet 285884, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: icmp, packet 14657730, drop 1226951, reset-drop 0, v6-fail-cl
      Inspect: icmp error, packet 10377, drop 0, reset-drop 0, v6-fail-close
      Inspect: dcerpc, packet 199070, drop 0, reset-drop 0, v6-fail-close 0
        tcp-proxy: bytes in buffer 0, bytes dropped 0
Check the hardware performance

To see what is the state of the CPU and the memory:

myfirewall/pri/act(config)# sh cpu usage
CPU utilization for 5 seconds = 8%; 1 minute: 9%; 5 minutes: 9%

myfirewall/pri/act(config)# sh memory
Free memory:        1722679208 bytes (80%)
Used memory:         424804440 bytes (20%)
-------------     ------------------
Total memory:       2147483648 bytes (100%)

myfirewall/pri/act# show processes cpu-usage sorted
PC         Thread       5Sec     1Min     5Min   Process
0x0827e731 0x6e5d2d8c   8.4%     8.7%     8.5%   Dispatch Unit
0x0878d2de 0x6e5bf254   0.2%     0.9%     0.4%   ARP Thread
0x090b0155 0x6e5b7fb4   0.2%     0.2%     0.1%   ssh
0x08785b0e 0x6e5bf460   0.0%     0.0%     0.0%   IP Thread
0x081735b4 0x6e5c56a0   0.0%     0.0%     0.0%   CTM message handler
0x08cdd5cc 0x6e5c2580   0.0%     0.0%     0.0%   update_cpu_usage
0x084e2936 0x6e5c04c0   0.0%     0.0%     0.0%   fover_health_monitoring
0x0935c832 0x6e5bc964   0.0%     0.0%     0.0%   vpnfol_thread_timer
0x080596a4 0x6e5d31a4   0.0%     0.0%     0.0%   block_diag
0x08854a74 0x6e5d2974   0.0%     0.0%     0.0%   WebVPN KCD Process
0x084c6b6d 0x6e5d2768   0.0%     0.0%     0.0%   CF OIR
0x08eafaec 0x6e5d255c   0.0%     0.0%     0.0%   lina_int
0x0807209d 0x6e5d1f38   0.0%     0.0%     0.0%   Reload Control Thread
0x08086369 0x6e5d1d2c   0.0%     0.0%     0.0%   aaa
0x0916ad6d 0x6e5d1b20   0.0%     0.0%     0.0%   UserFromCert Thread
0x0916ad6d 0x6e5d1914   0.0%     0.0%     0.0%   aaa_shim_thread
0x080bae3c 0x6e5d14fc   0.0%     0.0%     0.0%   CMGR Server Process
0x080bd4ad 0x6e5d12f0   0.0%     0.0%     0.0%   CMGR Timer Process
0x0816d455 0x6e5d049c   0.0%     0.0%     0.0%   CTM Daemon
0x081df2c5 0x6e5d0290   0.0%     0.0%     0.0%   SXP CORE
0x081d7041 0x6e5d0084   0.0%     0.0%     0.0%   RBM CORE
0x081cde3c 0x6e5cfe78   0.0%     0.0%     0.0%   cts_task
0x081cf2ed 0x6e5cfc6c   0.0%     0.0%     0.0%   cts_timer_task
0x0827c804 0x6e5cf43c   0.0%     0.0%     0.0%   dbgtrace
0x0856b194 0x6e5cec0c   0.0%     0.0%     0.0%   557mcfix
0x0856b126 0x6e5cea00   0.0%     0.0%     0.0%   557statspoll
...

myfirewall/pri/act# show processes internals
    Invoked     Giveups  Max_Runtime  Process
          1           0        0.025  block_diag
 1926681692  1926681692       32.679  Dispatch Unit
    3768836           0        0.189  WebVPN KCD Process
          1           0        0.012  CF OIR
          1           0        0.001  lina_int
          1           0        0.003  Reload Control Thread
     374305      233705        0.135  aaa
         10           4        1.427  UserFromCert Thread
         64          63        0.104  aaa_shim_thread
          2           0        0.009  CMGR Server Process
          2           0        0.008  CMGR Timer Process
          1           0        0.001  CTM Daemon
         62           0        0.044  SXP CORE
...
myfirewall/pri/act(config)# sh perfmon

PERFMON STATS:                     Current      Average
Xlates                                 0/s          0/s
Connections                            0/s          0/s
TCP Conns                              0/s          0/s
UDP Conns                              0/s          0/s
URL Access                             0/s          0/s
URL Server Req                         0/s          0/s
TCP Fixup                              0/s          0/s
TCP Intercept Established Conns        0/s          0/s
TCP Intercept Attempts                 0/s          0/s
TCP Embryonic Conns Timeout            0/s          0/s
HTTP Fixup                             0/s          0/s
FTP Fixup                              0/s          0/s
AAA Authen                             0/s          0/s
AAA Author                             0/s          0/s
AAA Account                            0/s          0/s

VALID CONNS RATE in TCP INTERCEPT:     Current      Average
                                           N/A      100.00%
Check the High Availability state

To get the High Availability state info, use the show failover command:

myfirewall/pri/act(config)# show failover ?

exec mode commands/options:
  descriptor  Show failover interface descriptors. Two numbers are shown for
              each interface. When exchanging information regarding a
              particular interface, this unit uses the first number in messa
              it sends to its peer. And it expects the second number in
              messages it receives from its peer. For trouble shooting, coll
              the show output from both units and verify that the numbers
              match.
  exec        Show failover command execution information
  history     Show failover switching history
  interface   Show failover command interface information
  state       Show failover internal state information
  statistics  Show failover command interface statistics information
  |           Output modifiers
Check the failover state:

myfirewall/pri/act(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
Version: Ours 9.1(1), Mate 9.1(1)
Last Failover at: 07:31:49 CEST Feb 12 2013
        This host: Primary - Active
                Active time: 18841674 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/9.1(1)) status (Up Sys)
                  Interface dmz5 (192.168.36.1): Normal (Monitored)
                  Interface dmz6 (192.168.47.1): Normal (Not-Monitored)
                  Interface inside (172.24.3.5): Normal (Monitored)
                  Interface oob (192.168.99.1): Normal (Monitored)
                  Interface management (0.0.0.0): No Link (Not-Monitored)
                slot 1: empty
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/9.1(1)) status (Up Sys)
                  Interface dmz5 (192.168.36.2): Normal (Monitored)
                  Interface dmz6 (192.168.47.2): Normal (Not-Monitored)
                  Interface inside (172.24.3.6): Normal (Monitored)
                  Interface oob (192.168.99.2): Normal (Monitored)
                  Interface management (0.0.0.0): Normal (Not-Monitored)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : failover GigabitEthernet0/2 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         372747905  0          2453073    0
        sys cmd         2452421    0          2452415    0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        1275302    0          0          0
        UDP conn        17706401   0          36         0
        ARP tbl         351007284  0          621        0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKEv1 SA    0          0          0          0
        VPN IKEv1 P2    0          0          0          0
        VPN IKEv2 SA    0          0          0          0
        VPN IKEv2 P2    0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0
        Route Session   306520     0          0          0
        User-Identity   5          0          1          0
        CTS SGTNAME     0          0          0          0
        CTS PAC         0          0          0          0
        TrustSec-SXP    0          0          0          0
        IPv6 Route      0          0          0          0
        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       88      2453116
        Xmit Q:         0       29      381560801

myfirewall/pri/act(config)# show failover interface
        interface failover GigabitEthernet0/2
                System IP Address: 192.168.92.109 255.255.255.252
                My IP Address    : 192.168.92.109
                Other IP Address : 192.168.92.110

myfirewall/pri/act(config)# show failover descriptor
dmz5       send: 000200000e000000  receive: 000200000e000000
dmz6       send: 0002000041000000  receive: 0002000041000000
inside     send: 0002010064000000  receive: 0002010064000000
oob        send: 00020300ffff0000  receive: 00020300ffff0000
management send: 01010000ffff0000  receive: 01010000ffff0000

myfirewall/pri/act(config)# show failover history
==========================================================================
From State                 To State                   Reason
==========================================================================
07:30:59 CEST Feb 12 2013
Not Detected               Negotiation                No Error

07:31:03 CEST Feb 12 2013
Negotiation                Cold Standby               Detected an Active mat

07:31:05 CEST Feb 12 2013
Cold Standby               Sync Config                Detected an Active mat

07:31:15 CEST Feb 12 2013
Sync Config                Sync File System           Detected an Active mat

07:31:15 CEST Feb 12 2013
Sync File System           Bulk Sync                  Detected an Active mat

07:31:29 CEST Feb 12 2013
Bulk Sync                  Standby Ready              Detected an Active mat

07:31:49 CEST Feb 12 2013
Standby Ready              Just Active                HELLO not heard from m

07:31:49 CEST Feb 12 2013
Just Active                Active Drain               HELLO not heard from m

07:31:49 CEST Feb 12 2013
Active Drain               Active Applying Config     HELLO not heard from m

07:31:49 CEST Feb 12 2013
Active Applying Config     Active Config Applied      HELLO not heard from m

07:31:49 CEST Feb 12 2013
Active Config Applied      Active                     HELLO not heard from m

==========================================================================

myfirewall/pri/act(config)# show failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Ifc Failure              17:38:56 CEDT Jun 10
                              dmz5: Failed
                              inside: Failed

====Configuration State===
        Sync Done
        Sync Done - STANDBY
====Communication State===
        Mac set

myfirewall/pri/act(config)# show failover statistics
        tx:384585696
        rx:29127977
Check the failover configuration:
myfirewall/pri/act(config)# sh run all failover
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/2
failover polltime unit 1 holdtime 15
failover polltime interface 5 holdtime 25
failover interface-policy 1
failover link failover GigabitEthernet0/2
failover interface ip failover 192.168.92.109 255.255.255.252 standby 192.16
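The show failover output above is long and easy to misread in a hurry. As an added example (not part of the original post), this Python parses it and reports the things that actually decide a failover: both units' states, matching software versions and the state of every monitored interface. The sample output is constructed in the page's layout, with the standby unit's inside interface set to Failed so the check has something to report.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the "show failover" output quoted above. The
# standby unit's inside interface is Failed here on purpose.
SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/2 (up)
Monitored Interfaces 3 of 160 maximum
Version: Ours 9.1(1), Mate 9.1(1)
Last Failover at: 07:31:49 CEST Feb 12 2013
        This host: Primary - Active
                Active time: 18841674 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/9.1(1)) status (Up Sys)
                  Interface dmz5 (192.168.36.1): Normal (Monitored)
                  Interface dmz6 (192.168.47.1): Normal (Not-Monitored)
                  Interface inside (172.24.3.5): Normal (Monitored)
                  Interface oob (192.168.99.1): Normal (Monitored)
                  Interface management (0.0.0.0): No Link (Not-Monitored)
        Other host: Secondary - Failed
                Active time: 0 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/9.1(1)) status (Up Sys)
                  Interface dmz5 (192.168.36.2): Normal (Monitored)
                  Interface dmz6 (192.168.47.2): Normal (Not-Monitored)
                  Interface inside (172.24.3.6): Failed (Monitored)
                  Interface oob (192.168.99.2): Normal (Monitored)
                  Interface management (0.0.0.0): Normal (Not-Monitored)
"""

VERSION_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)")
HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(\w+)\s+-\s+(.+?)\s*$")
IFACE_RE = re.compile(
    r"^\s*Interface (\S+) \(([\d.]+)\): (.+?) \((Monitored|Not-Monitored)\)\s*$")


@dataclass
class HostStatus:
    role: str                 # Primary / Secondary
    state: str                # Active, Standby Ready, Failed, ...
    # interface name -> (ip, interface state, monitored?)
    interfaces: dict = field(default_factory=dict)


@dataclass
class FailoverStatus:
    enabled: bool = False
    our_version: str = ""
    mate_version: str = ""
    hosts: dict = field(default_factory=dict)   # "This" / "Other" -> HostStatus


def parse_show_failover(text):
    """Pull unit states, versions and per-interface states out of show failover."""
    status = FailoverStatus()
    current = None
    for line in text.splitlines():
        if line.startswith("Failover On"):
            status.enabled = True
            continue
        m = VERSION_RE.match(line)
        if m:
            status.our_version, status.mate_version = m.groups()
            continue
        m = HOST_RE.match(line)
        if m:
            which, role, state = m.groups()
            current = HostStatus(role=role, state=state)
            status.hosts[which] = current
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            name, ip, ifstate, monitored = m.groups()
            current.interfaces[name] = (ip, ifstate, monitored == "Monitored")
    return status


def check_failover(status):
    """Return a list of findings; an empty list means the pair looks healthy."""
    findings = []
    if not status.enabled:
        return ["failover is off"]
    if status.our_version != status.mate_version:
        findings.append(f"software mismatch: ours {status.our_version}, mate {status.mate_version}")
    this, other = status.hosts.get("This"), status.hosts.get("Other")
    if this is None or other is None:
        return findings + ["peer unit not present in the output"]
    # Whichever unit ran the command, one must be Active and the other Standby Ready.
    if {this.state, other.state} != {"Active", "Standby Ready"}:
        findings.append(f"unit states are {this.state} / {other.state}, expected Active / Standby Ready")
    for label, host in (("this", this), ("other", other)):
        for name, (ip, ifstate, monitored) in host.interfaces.items():
            # Only monitored interfaces count towards a failover decision.
            if monitored and ifstate != "Normal":
                findings.append(f"{label} unit: monitored interface {name} ({ip}) is {ifstate}")
    return findings


if __name__ == "__main__":
    for finding in check_failover(parse_show_failover(SHOW_FAILOVER)):
        print(finding)
```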
Check the session table of the firewall

With class-map you can set the maximum session for a specific traffic or generally with any:

myfirewall(config)# class-map CONNS
myfirewall(config-cmap)# match any
myfirewall(config-cmap)# policy-map CONNS
myfirewall(config-pmap)# class CONNS
myfirewall(config-pmap-c)# set connection conn-max 1000 embryonic-conn-max 3
The values from the session table of the firewall (the max against the used if configured):
myfirewall/pri/act(config)# show conn ?

exec mode commands/options:
  address         Enter this keyword to specify IP address
  all             Enter this keyword to show conns including to-the-box and
                  from-the-box
  count           Enter this keyword to show conn count only
  detail          Enter this keyword to show conn in detail
  long            Enter this keyword to show conn in long format
  port            Enter this keyword to specify port
  protocol        Enter this keyword to specify conn protocol
  scansafe        Enter this keyword to show conns being forwarded to scansa
  security-group  Enter this keyword to show security-group attributes in co
  state           Enter this keyword to specify conn state
  user            Enter this keyword to specify conn user
  user-group      Enter this keyword to specify conn user group
  user-identity   Enter this keyword to show user names
  |               Output modifiers

myfirewall/pri/act(config)# show conn count
77 in use, 1013 most used

myfirewall/pri/act(config)# show conn state ?

exec mode commands/options:
  WORD  Enter any number of the following conn states using ',' as separator
        up finin finout http_get smtp_data nojava data_in data_out sunrpc h2
        h323 sqlnet_fixup_data conn_inbound sip mgcp ctiqbe skinny
        service_module stub tcp_embryonic vpn_orphan

myfirewall/pri/act(config)# show conn state up
80 in use, 1013 most used
TCP dmz5 192.168.38.250:4634 inside 172.24.1.2:54320, idle 0:02:29, bytes
TCP dmz5 192.168.38.250:4633 inside 172.24.1.2:135, idle 0:02:29, bytes 68
TCP dmz6 192.168.47.8:80 dmz5 192.168.37.227:55335, idle 0:00:00, bytes 16
TCP dmz6 192.168.47.10:80 dmz5 192.168.37.227:65521, idle 0:00:00, bytes 6
TCP dmz6 192.168.47.11:80 dmz5 192.168.37.227:55339, idle 0:00:00, bytes 3
TCP dmz5 192.168.36.251:80 inside 172.31.229.68:62940, idle 0:00:00, bytes
TCP dmz5 192.168.36.251:80 inside 172.24.162.217:57429, idle 0:00:00, byte
TCP dmz5 192.168.38.250:23757 inside 172.24.3.38:1165, idle 0:00:00, bytes
TCP dmz5 192.168.38.250:3389 inside 192.168.252.66:4042, idle 0:00:48, byt
TCP dmz5 192.168.38.250:23757 inside 172.24.3.40:63433, idle 0:00:00, byte
You can filter to the session that you are looking for (example):
myfirewall/pri/act(config)# show conn long address 192.168.47.10
74 in use, 1013 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, b - TCP state-bypass or nailed,
       C - CTIQBE media, c - cluster centralized,
       D - DNS, d - dump, E - outside back connection, F - outside FIN, f -
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
       k - Skinny media, M - SMTP data, m - SIP media, n - GUP
       O - outbound data, P - inside back connection, p - Phone-proxy TFTP c
       q - SQL*Net data, R - outside acknowledged FIN,
       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
       V - VPN orphan, W - WAAS,
       X - inspected by service module,
       x - per session, Y - director stub flow, y - backup stub flow,
       Z - Scansafe redirection, z - forwarding stub flow
TCP dmz6: 192.168.47.10/80 (192.168.47.10/80) dmz5: 192.168.37.227/65521 (19
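As an added example (not from the original post), this Python reads show conn output and checks it against the two limits set in the CONNS policy-map above, conn-max and embryonic-conn-max, counting half-open TCP connections per initiating host with the flags legend just shown. The sample lines are constructed in the page's layout with the "bytes N, flags X" endings the page cuts off; the 80 % warning threshold is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the layout of "show conn" as quoted on this page, with
# the line ends filled in. Four half-open connections from one host are
# included so the check has something to report.
SHOW_CONN = """\
80 in use, 1013 most used
TCP dmz5 192.168.38.250:4634 inside 172.24.1.2:54320, idle 0:02:29, bytes 1452, flags UIO
TCP dmz5 192.168.38.250:4633 inside 172.24.1.2:135, idle 0:02:29, bytes 68, flags UIO
TCP dmz6 192.168.47.8:80 dmz5 192.168.37.227:55335, idle 0:00:00, bytes 16, flags UIO
TCP dmz6 192.168.47.10:80 dmz5 192.168.37.227:65521, idle 0:00:00, bytes 0, flags saA
TCP dmz6 192.168.47.10:80 dmz5 192.168.37.227:65522, idle 0:00:01, bytes 0, flags saA
TCP dmz6 192.168.47.10:80 dmz5 192.168.37.227:65523, idle 0:00:01, bytes 0, flags saA
TCP dmz6 192.168.47.10:80 dmz5 192.168.37.227:65524, idle 0:00:02, bytes 0, flags saA
TCP dmz5 192.168.38.250:3389 inside 192.168.252.66:4042, idle 0:00:48, bytes 9021, flags UIO
UDP dmz5 192.168.36.251:53 inside 172.24.3.38:1165, idle 0:00:10, bytes 240, flags -
"""

COUNT_RE = re.compile(r"^(\d+) in use, (\d+) most used$")
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<if_a>\S+)\s+(?P<ip_a>[\d.]+):(?P<port_a>\d+)\s+"
    r"(?P<if_b>\S+)\s+(?P<ip_b>[\d.]+):(?P<port_b>\d+),\s+idle\s+(?P<idle>\d+:\d\d:\d\d),"
    r"\s+bytes\s+(?P<bytes>\d+)(?:,\s+flags\s+(?P<flags>\S+))?")


def idle_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_show_conn(text):
    """Return (in use, most used, [conn dicts]) from show conn output."""
    in_use = most_used = None
    conns = []
    for line in text.splitlines():
        line = line.strip()
        m = COUNT_RE.match(line)
        if m:
            in_use, most_used = int(m.group(1)), int(m.group(2))
            continue
        m = CONN_RE.match(line)
        if m:
            c = m.groupdict()
            c["port_a"], c["port_b"] = int(c["port_a"]), int(c["port_b"])
            c["bytes"], c["idle"] = int(c["bytes"]), idle_seconds(c["idle"])
            c["flags"] = c["flags"] or ""
            conns.append(c)
    return in_use, most_used, conns


def is_embryonic(conn):
    # Per the flags legend: a/A/s/S mean the ASA still waits for a SYN or
    # SYN-ACK and U means up, so a TCP conn with the former and without U
    # has not completed its handshake.
    return (conn["proto"] == "TCP" and "U" not in conn["flags"]
            and any(f in conn["flags"] for f in "aAsS"))


def initiator(conn):
    # The first address pair printed is the lower-security side. Flag B
    # (initial SYN from outside) means that side opened the connection;
    # otherwise the higher-security host in the second pair did.
    return conn["ip_a"] if "B" in conn["flags"] else conn["ip_b"]


def check_conn_table(text, conn_max, embryonic_max, warn_pct=80):
    """Findings against conn-max / embryonic-conn-max; empty means nothing to report."""
    in_use, most_used, conns = parse_show_conn(text)
    findings = []
    if in_use is not None:
        pct = 100 * in_use / conn_max
        if pct >= warn_pct:
            findings.append(f"{in_use}/{conn_max} connections in use ({pct:.0f}%)")
        if most_used > conn_max:
            findings.append(f"high-water mark {most_used} exceeds conn-max {conn_max}")
    half_open = Counter(initiator(c) for c in conns if is_embryonic(c))
    for src, n in half_open.most_common():
        if n >= embryonic_max:
            findings.append(f"{n} half-open TCP connections opened by {src}")
    return findings


if __name__ == "__main__":
    # conn-max 1000 / embryonic-conn-max 3 are the values of the CONNS policy-map above.
    for finding in check_conn_table(SHOW_CONN, conn_max=1000, embryonic_max=3):
        print(finding)
```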
Check the traffic on interfaces, the packet and byte counters.
myfirewall/pri/act(config)# show traffic
dmz5:
        received (in 1661754.406 secs):
                14637140684 packets     673671106797 bytes
                8001 pkts/sec   405002 bytes/sec
        transmitted (in 1661754.406 secs):
                38728179279 packets     53732439765301 bytes
                23000 pkts/sec  32334000 bytes/sec
      1 minute input rate 1382 pkts/sec,  67193 bytes/sec
      1 minute output rate 3546 pkts/sec,  4923809 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 1375 pkts/sec,  67887 bytes/sec
      5 minute output rate 3589 pkts/sec,  4994000 bytes/sec
      5 minute drop rate, 0 pkts/sec
dmz6:
        received (in 1661754.416 secs):
                38627911784 packets     53724170049557 bytes
                23002 pkts/sec  32329000 bytes/sec
        transmitted (in 1661754.416 secs):
                14299138045 packets     572124451016 bytes
                8000 pkts/sec   344002 bytes/sec
      1 minute input rate 3535 pkts/sec,  4923119 bytes/sec
      1 minute output rate 1354 pkts/sec,  54206 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 3577 pkts/sec,  4993200 bytes/sec
      5 minute output rate 1345 pkts/sec,  53821 bytes/sec
      5 minute drop rate, 0 pkts/sec
inside:
        received (in 1661754.416 secs):
                826826503 packets       60669330026 bytes
                1 pkts/sec      36000 bytes/sec
        transmitted (in 1661754.416 secs):
                245271895 packets       109518736779 bytes
                0 pkts/sec      65000 bytes/sec
      1 minute input rate 44 pkts/sec,  2772 bytes/sec
      1 minute output rate 25 pkts/sec,  13180 bytes/sec
      1 minute drop rate, 21 pkts/sec
      5 minute input rate 45 pkts/sec,  2829 bytes/sec
      5 minute output rate 28 pkts/sec,  14443 bytes/sec
      5 minute drop rate, 21 pkts/sec
Check the timeout values in the firewall:
myfirewall2/pri/act# sh run timeout
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
2.0 Check the interface settings
Check the state, speed, duplex and IP of the interfaces

Show the running config only for the interfaces with an IP address:

myfirewall/pri/act(config)# sh run ip address
!
interface GigabitEthernet0/0.14
 vlan 14
 nameif dmz5
 security-level 0
 ip address 192.168.36.1 255.255.252.0 standby 192.168.36.2
!
interface GigabitEthernet0/0.65
 vlan 65
 nameif dmz6
 security-level 0
 ip address 192.168.47.1 255.255.255.0 standby 192.168.47.2
!
interface GigabitEthernet0/1.100
 vlan 100
 nameif inside
 security-level 100
 ip address 192.168.3.5 255.255.248.0 standby 172.24.3.6
Show IP address and security level only:
myfirewall2/pri/act# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask
Port-channel1.1001       dmz1                   5.5.5.5         255.255.255.192 CO
Port-channel2            Failover               192.168.92.13   255.255.255.
Port-channel4.721        inside                 172.17.131.151  255.255.255.
Current IP Addresses:
Interface                Name                   IP address      Subnet mask
Port-channel1.1001       dmz1                   5.5.5.5         255.255.255.192 CO
Port-channel2            Failover               192.168.92.13   255.255.255.
Port-channel4.721        inside                 172.17.131.151  255.255.255.

myfirewall2/pri/act# sh nameif
Interface                Name                     Security
Management0/0            management                 100
Port-channel1.1001       dmz1                         0
Port-channel4.721        inside                     100
Check the MAC and the state of the interfaces. The name of the interface in the example below is internal. Here you can see the following in the output:
 - Interface name
 - MAC
 - Link state
 - Speed
 - Duplex
 - MTU
 - Packet and byte counters
 - Errors
myfirewall/pri/act# show interface
Interface GigabitEthernet0/0 "", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is off
        Available but not configured via nameif
        MAC address 001f.abcc.a5e6, MTU not set
        IP address unassigned
        53280934440 packets input, 55671972432495 bytes, 0 no buffer
        Received 167625118 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        53043155385 packets output, 55516746848674 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 2 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops, 0 tx hangs
        input queue (blocks free curr/low): hardware (255/230)
        output queue (blocks free curr/low): hardware (255/122)
Interface GigabitEthernet0/0.14 "dmz5", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 14
        Description: dmz5
        MAC address 001f.abcc.a5e6, MTU 1500
        IP address 192.168.36.1, subnet mask 255.255.252.0
  Traffic Statistics for "dmz5":
        14641601950 packets input, 673897945554 bytes
        38739676247 packets output, 53748403391129 bytes
        51923927 packets dropped
Interface GigabitEthernet0/0.65 "dmz6", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 65
        Description: dmz6
        MAC address 001f.abcc.a5e6, MTU 1500
        IP address 192.168.47.1, subnet mask 255.255.255.0
  Traffic Statistics for "dmz6":
        38639332463 packets input, 53740092462779 bytes
        14303479193 packets output, 572298134370 bytes
        83451 packets dropped
Check the ARP Table
This contains the permanent and the dynamic ARP entries:

myfirewall/pri/act# show arp
        dmz5 192.168.38.43 0020.4ab0.a59f 0
        dmz5 192.168.37.226 2c27.d733.a9e2 0
        dmz5 192.168.37.236 2c27.d733.a89e 0
        dmz5 192.168.37.235 78ac.c0b2.4066 0
        dmz5 192.168.37.240 0019.99ae.847c 0
        dmz5 192.168.39.240 0019.9987.5676 0
        ...
3.0 Check the Routing Table

With show route you can see the actual routing table of the firewall with the static and the dynamic routes and the directly connected networks.

myfirewall/pri/act# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter a
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 172.24.2.2 to network 0.0.0.0

C    172.24.0.0 255.255.248.0 is directly connected, inside
C    192.168.99.0 255.255.255.0 is directly connected, oob
C    192.168.47.0 255.255.255.0 is directly connected, dmz6
C    192.168.92.108 255.255.255.252 is directly connected, failover
S*   0.0.0.0 0.0.0.0 [1/0] via 172.24.2.2, inside
C    192.168.36.0 255.255.252.0 is directly connected, dmz5
Check the matching route

Are you looking for a specific route in a big table? No problem, use show route with the interface and destination address:

myfirewall/pri/act# sh route inside 172.31.231.246

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter a
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 172.24.2.2 to network 0.0.0.0
4.0 VPN Troubleshooting

The most significant part for VPN is the time on the devices. To check the time use the following commands:

myfirewall/pri/act# show clock
11:19:45.485 CEDT Wed Sep 18 2013

myfirewall/pri/act# show ntp status
Clock is synchronized, stratum 3, reference is 172.24.10.100
nominal freq is 99.9984 Hz, actual freq is 99.9968 Hz, precision is 2**6
reference time is d5e3ed1d.b0b7a760 (11:13:01.690 CEDT Wed Sep 18 2013)
clock offset is 0.1998 msec, root delay is 18.55 msec
root dispersion is 36.01 msec, peer dispersion is 15.64 msec
Change the tunnel state
Bring up a VPN tunnel manually. No traffic required.

Shut down a VPN tunnel manually.

All tunnels:
myfirewall3/pri/act# clear crypto isakmp sa

Only a specific tunnel:
myfirewall3/pri/act# clear ipsec sa peer 2.2.2.2
myfirewall2/pri/act# clear cry ikev1 sa 2.2.2.2

Shut down for a longer time:
myfirewall2/pri/act(config)# no crypto map l2lvpns 10 set peer 211.66.176.18
Check the tunnel state

If there is no SA, that means the tunnel is down and does not work. To see if the tunnel is up we need to check whether any SA exists, with the "show crypto isakmp sa" or "show crypto ipsec sa" command.

Tunnel state is down

The tunnel does not exist if there is no output from the commands below:

myfirewall3/pri/act# sh cry isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs

myfirewall3/pri/act# show crypto ipsec sa
There are no ipsec sas

Tunnel state is up
Information from the output of the command below:
 - VPN peers
 - encrypted traffic (source and destination)
 - traffic counters for encrypted traffic
 - SPI for encrypt and decrypt
 - encryption method
myfirewall2/pri/act# show cry ips sa peer 3.3.3.3
peer address: 3.3.3.3
    Crypto map tag: firmen, seq num: 22, local addr: 5.5.5.5

      access-list tun-voss extended permit ip host 172.19.212.10 192.168.15.
      local ident (addr/mask/prot/port): (172.19.212.10/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.15.72/255.255.255.248/0/0
      current_peer: 3.3.3.3

      #pkts encaps: 26, #pkts encrypt: 26, #pkts digest: 26
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 26, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly:
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 5.5.5.5/0, remote crypto endpt.: 3.3.3.3/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: AB092E6E
      current inbound spi : 910F4308

    inbound esp sas:
      spi: 0x910F4308 (2433696520)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 25923584, crypto-map: firmen
         sa timing: remaining key lifetime (kB/sec): (4373999/3360)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x000003FF
    outbound esp sas:
      spi: 0xAB092E6E (2869505646)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 25923584, crypto-map: firmen
         sa timing: remaining key lifetime (kB/sec): (4373997/3360)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
Check packet counters for the tunnel

To see whether the encryption and decryption of the packets works, run the show cry ipsec sa command two or more times and compare the values. In the second and third outputs the counters should show larger numbers.

In the following output the firewall has 1 active VPN peer.

myfirewall2/pri/act# show vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection   : 9.9.9.9
Index        : 5671                   IP Addr      : 9.9.9.9
Protocol     : IKEv1 IPsec
Encryption   : 3DES                   Hashing      : MD5
Bytes Tx     : 83496278               Bytes Rx     : 420469160
Login Time   : 02:17:25 CEDT Wed Sep 18 2013
Duration     : 12h:15m:49s

Connection   : 3.3.3.3
Index        : 6329                   IP Addr      : 3.3.3.3
Protocol     : IKEv1 IPsec
Encryption   : AES256                 Hashing      : SHA1
Bytes Tx     : 6100                   Bytes Rx     : 5992
Login Time   : 14:26:13 CEDT Wed Sep 18 2013
Duration     : 0h:07m:01s
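Comparing the counters of two show crypto ipsec sa runs by eye is error-prone once there are several peers. As an added example (not from the original post), this Python parses two snapshots of that output, sums encaps, decaps and error counters per peer, and says for each peer whether traffic moved in both directions, only one, or not at all. The snapshots are constructed from a template in the page's layout; the counter values are made up.

```python
import re

# Template in the layout of the "show crypto ipsec sa" output quoted above;
# one block per crypto-map entry, keyed by its current_peer line.
SA_TEMPLATE = """\
    Crypto map tag: {cmap}, seq num: {seq}, local addr: 5.5.5.5

      local ident (addr/mask/prot/port): ({local}/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): ({remote}/255.255.255.248/0/0)
      current_peer: {peer}

      #pkts encaps: {enc}, #pkts encrypt: {enc}, #pkts digest: {enc}
      #pkts decaps: {dec}, #pkts decrypt: {dec}, #pkts verify: {dec}
      #pkts compressed: 0, #pkts decompressed: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: {serr}, #recv errors: {rerr}
"""


def sa_block(peer, enc, dec, serr=0, rerr=0, cmap="firmen", seq=22,
             local="172.19.212.10", remote="192.168.15.72"):
    return SA_TEMPLATE.format(peer=peer, enc=enc, dec=dec, serr=serr, rerr=rerr,
                              cmap=cmap, seq=seq, local=local, remote=remote)


# Constructed snapshots: the command run once, then again a little later.
SNAPSHOT_1 = ("interface: outside\n" + sa_block("3.3.3.3", 26, 9)
              + sa_block("9.9.9.9", 1000, 500, seq=10, remote="192.168.20.0"))
SNAPSHOT_2 = ("interface: outside\n" + sa_block("3.3.3.3", 40, 17)
              + sa_block("9.9.9.9", 1030, 500, seq=10, remote="192.168.20.0"))

PEER_RE = re.compile(r"^\s*current_peer:\s*([\d.]+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")
ERR_RE = re.compile(r"#send errors:\s*(\d+),\s*#recv errors:\s*(\d+)")


def parse_ipsec_sa(text):
    """Sum encaps/decaps/error counters per peer (a peer may have several entries)."""
    peers = {}
    cur = None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            cur = peers.setdefault(m.group(1), {"encaps": 0, "decaps": 0, "errors": 0})
            continue
        if cur is None:
            continue
        if m := ENCAPS_RE.search(line):
            cur["encaps"] += int(m.group(1))
        elif m := DECAPS_RE.search(line):
            cur["decaps"] += int(m.group(1))
        elif m := ERR_RE.search(line):
            cur["errors"] += int(m.group(1)) + int(m.group(2))
    return peers


def compare_snapshots(first, second):
    """Classify every peer by how its counters moved between the two snapshots."""
    verdicts = {}
    for peer, now in second.items():
        before = first.get(peer)
        if before is None:
            verdicts[peer] = "new SA since the first snapshot"
            continue
        d_enc = now["encaps"] - before["encaps"]
        d_dec = now["decaps"] - before["decaps"]
        d_err = now["errors"] - before["errors"]
        if d_err > 0:
            verdicts[peer] = f"errors increasing (+{d_err})"
        elif d_enc > 0 and d_dec > 0:
            verdicts[peer] = f"traffic in both directions (+{d_enc} encaps, +{d_dec} decaps)"
        elif d_enc > 0:
            # We encrypt towards the peer but decrypt nothing back: the remote
            # side or the return path is the place to look next.
            verdicts[peer] = f"encrypting only (+{d_enc} encaps, decaps unchanged)"
        elif d_dec > 0:
            verdicts[peer] = f"decrypting only (+{d_dec} decaps, encaps unchanged)"
        else:
            verdicts[peer] = "no interesting traffic between the snapshots"
    for peer in first.keys() - second.keys():
        verdicts[peer] = "SA gone since the first snapshot"
    return verdicts


if __name__ == "__main__":
    for peer, verdict in compare_snapshots(parse_ipsec_sa(SNAPSHOT_1),
                                           parse_ipsec_sa(SNAPSHOT_2)).items():
        print(peer, verdict)
```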
Check the uptime of the VPN tunnels

Uptime for site to site VPN

asa-firewall/pri/act# show vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection   : 25.25.25.25
Index        : 34872                  IP Addr      : 25.25.25.25
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (3)AES256
Hashing      : IKEv1: (1)SHA1  IPsec: (3)SHA1
Bytes Tx     : 73653504               Bytes Rx     : 31342653
Login Time   : 01:15:18 CEST Thu Nov 28 2013
Duration     : 12h:36m:51s

Connection   : dyn-vpn-tunnel
Index        : 34902                  IP Addr      : 35.35.35.35
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (1)AES256
Hashing      : IKEv1: (1)SHA1  IPsec: (1)SHA1
Bytes Tx     : 17679966               Bytes Rx     : 2626429
Login Time   : 12:38:17 CEST Thu Nov 28 2013
Duration     : 1h:13m:52s
SA lifetime for IKE (phase 1) for site to site (lifetime in seconds)

asa-firewall/pri/act# show crypto isa sa detail

IKEv1 SAs:

   Active SA: 4
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 4

1   IKE Peer: 45.45.45.45
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_ACTIVE
    Encrypt : aes-256         Hash    : SHA
    Auth    : preshared       Lifetime: 14400
    Lifetime Remaining: 12039
2   IKE Peer: 55.55.55.55
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : MD5
    Auth    : preshared       Lifetime: 14400
    Lifetime Remaining: 12462

The State column tells you more than just "up": MM_ACTIVE is a main mode SA, AM_ACTIVE an aggressive mode SA. With pre-shared keys, IKEv1 aggressive mode sends the hash derived from the PSK unencrypted during the exchange, so anyone who captures the negotiation can attack the PSK offline; where you control both peers, move such tunnels to main mode or to IKEv2. The second peer still negotiates 3des with MD5, which should be retired as well.
SA lifetimes for the inbound and outbound ESP SAs (phase 2) for site to site (lifetime in seconds); the kB/sec pair is the remaining volume and time before the SA is rekeyed:

asa-firewall/pri/act# show crypto ipsec sa
interface: outside
    Crypto map tag: tunnel, seq num: 20, local addr: 46.46.46.46

      access-list tun-acl1 extended permit ip host 10.10.10.11 192.168.1.48
      local ident (addr/mask/prot/port): (10.10.10.11/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.48/255.255.255.240/0/0)
      current_peer: 13.13.13.13

      #pkts encaps: 38097, #pkts encrypt: 38097, #pkts digest: 38097
      #pkts decaps: 34559, #pkts decrypt: 34559, #pkts verify: 34559
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 38097, #pkts comp failed: 0, #pkts decomp failed
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly:
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 46.46.46.46/0, remote crypto endpt.: 13.13.13.13/
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 22512A19
      current inbound spi : 8F46C331

    inbound esp sas:
      spi: 0x8F46C331 (2403779377)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 143024128, crypto-map: tunnel
         sa timing: remaining key lifetime (kB/sec): (4371840/26381)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x22512A19 (575744537)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 143024128, crypto-map: tunnel
         sa timing: remaining key lifetime (kB/sec): (4350795/26381)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
Uptime for the old VPN client (IKEv1 IPsec)

asa-firewall/pri/act# show vpn-sessiondb ra-ikev1-ipsec

Session Type: IKEv1 IPsec

Username     : einsteina@vpn-tungrp1  Index        : 3856
Assigned IP  : 192.168.236.249        Public IP    : 37.209.44.113
Protocol     : IKEv1 IPsecOverTCP
License      : Other VPN
Encryption   : AES128                 Hashing      : SHA1
Bytes Tx     : 667580222              Bytes Rx     : 195368751
Group Policy : vpn-grp-p1             Tunnel Group : vpn-de-ol
Login Time   : 10:15:51 CEST Tue Nov 19 2013
Duration     : 9d 3h:37m:37s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Username     : leonardo@vpn-tungrp2   Index        : 12473
Assigned IP  : 192.168.244.151        Public IP    : 145.253.227.158
Protocol     : IKEv1 IPsecOverTCP
License      : Other VPN
Encryption   : AES128                 Hashing      : SHA1
Bytes Tx     : 64670782               Bytes Rx     : 49769295
Group Policy : vpn-grp-p2             Tunnel Group : vpn-ext-rsa
Login Time   : 09:07:46 CEST Wed Nov 27 2013
Duration     : 1d 4h:45m:42s
Uptime for the new VPN client (AnyConnect)

asa-firewall/pri/act# sh vpn-sessiondb anyconnect

Session Type: AnyConnect

Username     : beck@vpn-tun-grp3      Index        : 12579
Assigned IP  : 192.168.236.194        Public IP    : 84.163.80.247
Protocol     : AnyConnect-Parent SSL-Tunnel
License      : AnyConnect Essentials
Encryption   : 3DES                   Hashing      : none SHA1
Bytes Tx     : 552426724              Bytes Rx     : 264841827
Group Policy : vpn-grp-p3             Tunnel Group : DefaultWEBVPNGroup
Login Time   : 10:21:29 CEST Wed Nov 27 2013
Duration     : 1d 3h:44m:57s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Username     : baromarcu@vpn-tun-grp3 Index        : 13405
Assigned IP  : 192.168.238.212        Public IP    : 91.14.67.250
Protocol     : AnyConnect-Parent SSL-Tunnel
License      : AnyConnect Essentials
Encryption   : 3DES                   Hashing      : none SHA1
Bytes Tx     : 376838398              Bytes Rx     : 153802768
Group Policy : vpn-grp-p3             Tunnel Group : DefaultWEBVPNGroup
Login Time   : 07:22:24 CEST Thu Nov 28 2013
Duration     : 6h:44m:02s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Besides the uptime, the Encryption and Hashing columns are worth a look: both AnyConnect sessions above still negotiate 3DES for the SSL tunnel, and earlier in this section one L2L peer runs 3DES/MD5. Those are the entries to clean up first when you review the VPN configuration.
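The show vpn-sessiondb outputs above all share the same two-column "Label : value" layout, which is awkward to eyeball on a box with dozens of sessions. The following script, an added example that is not part of the original post, parses that layout, ranks sessions by their Duration (the uptime this section is about) and lists every session still negotiating a legacy algorithm. The sample output is constructed in the format shown above, with RFC 5737 documentation addresses instead of the real peers.

```python
"""Parse 'show vpn-sessiondb' output (L2L, IKEv1 client, AnyConnect) into
records, rank sessions by uptime and flag legacy ciphers. Example code, not
from the original page; SAMPLE is constructed in the page's output format."""
import re

# A label starts the line or follows two or more spaces and is followed by
# ':' and whitespace; values may themselves contain ':' (times, 'IKEv1: ...').
FIELD_RE = re.compile(r"(?:^|\s{2,})([A-Za-z][A-Za-z /-]*?)\s*:\s+(?=\S)")
DURATION_RE = re.compile(r"(?:(\d+)d\s+)?(\d+)h:(\d+)m:(\d+)s")
LEGACY = {"DES", "3DES", "RC4", "MD5"}   # algorithms to retire

SAMPLE = """\
Session Type: LAN-to-LAN

Connection   : 192.0.2.9
Index        : 5671                   IP Addr      : 192.0.2.9
Protocol     : IKEv1 IPsec
Encryption   : 3DES                   Hashing      : MD5
Bytes Tx     : 83496278               Bytes Rx     : 420469160
Login Time   : 02:17:25 CEDT Wed Sep 18 2013
Duration     : 12h:15m:49s

Session Type: IKEv1 IPsec

Username     : einsteina@vpn-tungrp1  Index        : 3856
Assigned IP  : 192.168.236.249        Public IP    : 198.51.100.23
Protocol     : IKEv1 IPsecOverTCP
License      : Other VPN
Encryption   : AES128                 Hashing      : SHA1
Bytes Tx     : 667580222              Bytes Rx     : 195368751
Group Policy : vpn-grp-p1             Tunnel Group : vpn-de-ol
Login Time   : 10:15:51 CEST Tue Nov 19 2013
Duration     : 9d 3h:37m:37s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Session Type: AnyConnect

Username     : beck@vpn-tun-grp3      Index        : 12579
Assigned IP  : 192.168.236.194        Public IP    : 203.0.113.80
Protocol     : AnyConnect-Parent SSL-Tunnel
License      : AnyConnect Essentials
Encryption   : 3DES                   Hashing      : none SHA1
Bytes Tx     : 552426724              Bytes Rx     : 264841827
Group Policy : vpn-grp-p3             Tunnel Group : DefaultWEBVPNGroup
Login Time   : 10:21:29 CEST Wed Nov 27 2013
Duration     : 1d 3h:44m:57s
"""


def parse_line(line):
    """Return [(label, value), ...] for one two-column output line."""
    matches = list(FIELD_RE.finditer(line))
    fields = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
        fields.append((m.group(1).strip(), line[m.end():end].strip()))
    return fields


def parse_sessions(text):
    """One dict per session; a session starts at 'Username' or 'Connection'."""
    sessions, current, session_type = [], None, None
    for line in text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        label = fields[0][0]
        if label == "Session Type":
            session_type, current = fields[0][1], None
            continue
        if label in ("Username", "Connection"):
            current = {"Session Type": session_type}
            sessions.append(current)
        if current is not None:
            current.update(fields)
    return sessions


def session_name(s):
    return s.get("Username") or s.get("Connection")


def duration_seconds(text):
    """'9d 3h:37m:37s' or '12h:15m:49s' -> seconds."""
    days, hours, minutes, seconds = (int(g or 0) for g in DURATION_RE.search(text).groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def by_uptime(sessions):
    """[(name, seconds)] longest-lived session first."""
    ranked = [(session_name(s), duration_seconds(s["Duration"])) for s in sessions]
    return sorted(ranked, key=lambda item: -item[1])


def legacy_crypto(sessions):
    """[(name, [weak algorithms])] for sessions still negotiating DES/3DES/MD5/RC4."""
    findings = []
    for s in sessions:
        algs = " ".join(s.get(k, "") for k in ("Encryption", "Hashing"))
        tokens = {t.upper() for t in re.split(r"[\s(),:]+", algs) if t}
        weak = sorted(tokens & LEGACY)
        if weak:
            findings.append((session_name(s), weak))
    return findings


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE)
    for name, secs in by_uptime(sessions):
        print(f"{name:28s} up {secs // 86400}d {secs % 86400 // 3600:02d}h")
    for name, weak in legacy_crypto(sessions):
        print(f"LEGACY {name}: {', '.join(weak)}")
```

Feed it the saved output of show vpn-sessiondb l2l, ra-ikev1-ipsec and anyconnect concatenated; the "Session Type" line resets the parser, so the three outputs can be pasted into one file.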
5.0 sniffertrace

The basic command is "capture". After it you have to define the interface* (or the keyword any). Raise the packet-length to a higher value if you need the full payload of the packets, otherwise larger packets are truncated in the trace.

myfirewall2/pri/act# capture capturename packet-length 1600 match tcp host 2
myfirewall2/pri/act#
myfirewall2/pri/act# sh cap
capture capturename type raw-data [Capturing - 0 bytes]
  match tcp host 2.2.2.2 any eq https

You can also use an access-list for a more detailed traffic filter (capture capturename access-list <acl-name>). A capture keeps running and consuming memory until you remove it with "no capture capturename"; its buffer is limited (buffer <bytes> raises it, circular-buffer keeps the newest packets once it is full), so do not leave forgotten captures on a production box.

To export the sniffertrace to a pcap file use the command:

myfirewall2/pri/act# copy /pcap capture: tftp
Source capture name []? capturename
Address or name of remote host []? 3.3.3.3
Destination filename [capturename]? capturename.pcap
!!!!
myfirewall2/pri/act#
6.0 View logging on cli

The buffer size is limited and if the buffer is full the old logs will be overwritten. To check your log settings issue the following:

myfirewall3/pri/act# sh run logging
logging enable
logging timestamp
logging buffered alerts
logging trap errors
logging asdm debugging
logging mail alerts
logging from-address [email protected]
logging recipient-address [email protected] level alerts
logging host fw-trans 172.24.2.218
logging host fw-trans 172.24.2.219
logging permit-hostdown
Configure logging

The important commands are:

logging enable
logging timestamp
logging host fw-trans 172.24.2.218
logging trap errors

"logging trap" sets the severity sent to the syslog hosts and "logging buffered" the severity kept in the local buffer; "logging asdm", "logging mail" and the rest each have their own level. If you send syslog over TCP, keep "logging permit-hostdown" in the configuration: without it the ASA blocks new connections as soon as the TCP syslog server becomes unreachable.

Save the logs from the buffer to a file; afterwards you can copy it to your tftp server:

myfirewall3/pri/act# logging savelog mylogs
myfirewall3/pri/act# cd syslog
myfirewall3/pri/act# dir

Directory of disk0:/syslog/

113    -rwx  2880    14:41:18 Sep 18 2013  mylogs

255426560 bytes total (181706752 bytes free)
Viewing the logs

To see the buffered logs issue:

myfirewall3/pri/act# show logging

Keep in mind that the buffer only holds messages at or above the severity set with "logging buffered" (alerts in the configuration above, so almost nothing). Raise it temporarily while you troubleshoot (logging buffered informational, or debugging) and lower it again afterwards, because high logging levels cost CPU on a busy firewall. "show logging | include 106023" filters the output for a single message ID.
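Once the messages are in the buffer or on the syslog hosts you still have to read them. The script below is an added example, not code from the original post: it parses ASA syslog lines in the form "show logging" prints them with "logging timestamp" enabled, builds a severity histogram, extracts the %ASA-4-106023 access-list denies, flags sources that were denied on many different destination ports (a crude scan indicator) and collects the %ASA-5-111008 configuration-command records as an audit trail. The log lines are constructed for the example with RFC 5737 addresses; the message formats are Cisco's.

```python
"""Triage ASA syslog lines as seen in 'show logging' (with 'logging
timestamp') or on the syslog hosts. Example code, not from the original
page; SAMPLE is constructed with RFC 5737 addresses."""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?:(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): )?"
    r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$"
)
# 106023 for tcp/udp; the icmp variant carries type/code instead of ports
# and is deliberately not matched here.
DENY_RE = re.compile(
    r"Deny (?P<proto>tcp|udp) src (?P<sif>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r'dst (?P<dif>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)

SAMPLE = """\
Syslog logging: enabled
Sep 18 2013 14:41:18: %ASA-4-106023: Deny tcp src outside:203.0.113.5/41022 dst inside:10.1.1.10/22 by access-group "outside_in" [0x0, 0x0]
Sep 18 2013 14:41:18: %ASA-4-106023: Deny tcp src outside:203.0.113.5/41023 dst inside:10.1.1.10/23 by access-group "outside_in" [0x0, 0x0]
Sep 18 2013 14:41:19: %ASA-4-106023: Deny tcp src outside:203.0.113.5/41024 dst inside:10.1.1.10/25 by access-group "outside_in" [0x0, 0x0]
Sep 18 2013 14:41:19: %ASA-4-106023: Deny tcp src outside:203.0.113.5/41025 dst inside:10.1.1.10/445 by access-group "outside_in" [0x0, 0x0]
Sep 18 2013 14:41:20: %ASA-4-106023: Deny tcp src outside:203.0.113.5/41026 dst inside:10.1.1.10/3389 by access-group "outside_in" [0x0, 0x0]
Sep 18 2013 14:41:21: %ASA-4-106023: Deny udp src outside:198.51.100.7/5060 dst inside:10.1.1.20/5060 by access-group "outside_in" [0x0, 0x0]
Sep 18 2013 14:41:22: %ASA-6-302013: Built inbound TCP connection 8812 for outside:198.51.100.9/52110 (198.51.100.9/52110) to inside:10.1.1.30/443 (10.1.1.30/443)
Sep 18 2013 14:41:25: %ASA-5-111008: User 'admin' executed the 'logging buffered debugging' command.
"""


def parse_syslog(text):
    """[{ts, sev, id, msg}] for every %ASA line; banner lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": m["ts"], "sev": int(m["sev"]), "id": m["id"], "msg": m["msg"]})
    return events


def severity_histogram(events):
    """{severity: count}; a sudden pile of level 1-3 messages deserves a look."""
    return dict(Counter(ev["sev"] for ev in events))


def acl_denies(events):
    """Parsed 106023 denies: who was blocked, where, by which access-group."""
    denies = []
    for ev in events:
        if ev["id"] == "106023":
            d = DENY_RE.search(ev["msg"])
            if d:
                denies.append({**d.groupdict(), "ts": ev["ts"]})
    return denies


def scan_suspects(events, min_ports=5):
    """Sources denied on >= min_ports distinct destination ports."""
    ports = defaultdict(set)
    for d in acl_denies(events):
        ports[d["src"]].add(int(d["dport"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def config_commands(events):
    """111008 records every command entered in configuration mode."""
    return [ev["msg"] for ev in events if ev["id"] == "111008"]


if __name__ == "__main__":
    events = parse_syslog(SAMPLE)
    print("severities:", severity_histogram(events))
    for src, ports in scan_suspects(events).items():
        print(f"scan-like: {src} hit ports {ports}")
    for msg in config_commands(events):
        print("config:", msg)
```

The same parser works on a file produced by "logging savelog" and copied off the box, since those lines carry the identical timestamp and %ASA prefix.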
7.0 Inspection and asp-drop

Issue these commands several times and watch which counter is actually increasing; that counter points at the problem. Running the command only once does not tell you much, because you do not know since when the counters have been accumulating ("Last clearing: Never" at the end of the output means since boot; clear asp drop resets them).
myfirewall/pri/act# sh service-policy set connection detail

Interface germany:
  Service-policy: voice-http-map
    Class-map: voice-http-map
      Set connection policy: drop 0
      Set connection advanced-options: max-mss-size
        Retransmission drops: 0                 TCP checksum drops : 0
        Exceeded MSS drops  : 0                 SYN with data drops: 0
        Invalid ACK drops   : 0                 SYN-ACK with data drops: 0
        Out-of-order (OoO) packets : 0          OoO no buffer drops: 0
        OoO buffer timeout drops : 0            SEQ past window drops: 208
        Reserved bit cleared: 0                 Reserved bit drops : 0
        IP TTL modified     : 0                 Urgent flag cleared: 0
        Window varied resets: 0
        TCP-options:
          Selective ACK cleared: 0              Timestamp cleared : 0
          Window scale cleared : 0
          Other options cleared: 0
          Other options drops: 0
---------------------------------------------------------------

myfirewall/pri/act# sh asp drop flow
  Inspection failure (inspect-fail)
  SSL handshake failed (ssl-handshake-failed)
  SSL received close alert (ssl-received-close-alert)
  1461

Last clearing: Never

---------------------------------------------------------------

myfirewall/pri/act# sh asp drop frame
  Flow is being freed (flow-being-freed)
  Invalid TCP Length (invalid-tcp-hdr-length)
  No valid adjacency (no-adjacency)
  Reverse-path verify failed (rpf-violated)                                    699
  Flow is denied by configured rule (acl-drop)                               86477
  Flow denied due to resource limitation (unable-to-create-flow)
  First TCP packet not SYN (tcp-not-syn)                                     47104
  Bad TCP flags (bad-tcp-flags)                                                  4
  TCP data send after FIN (tcp-data-past-fin)
  TCP failed 3 way handshake (tcp-3whs-failed)                                 156
  TCP RST/FIN out of order (tcp-rstfin-ooo)                                   3062
  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)
  TCP SYNACK on established conn (tcp-synack-ooo)
  TCP packet SEQ past window (tcp-seq-past-win)                                  7
  TCP invalid ACK (tcp-invalid-ack)                                              5
  TCP ACK in 3 way handshake invalid (tcp-discarded-ooo)
  TCP Out-of-Order packet buffer full (tcp-buffer-full)
  TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout)
  TCP RST/SYN in window (tcp-rst-syn-in-win)                                    32
  TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue)
  TCP packet failed PAWS test (tcp-paws-fail)
  Expired flow (flow-expired)
  ICMP Inspect bad icmp code (inspect-icmp-bad-code)
  ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched)           63
  ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn)
  DNS Inspect invalid packet (inspect-dns-invalid-pak)
  DNS Inspect invalid domain label (inspect-dns-invalid-domain-label)
  DNS Inspect packet too long (inspect-dns-pak-too-long)                       504
  DNS Inspect id not matched (inspect-dns-id-not-matched)                      158
  Unable to obtain connection lock (connection-lock)
  Interface is down (interface-down)
  RM connection limit reached (rm-conn-limit)                                   13
  Dropped pending packets in a closed socket (np-socket-closed)                  2

Last clearing: Never

---------------------------------------------------------------
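Both the asp-drop counters here and the #pkts encaps/decaps counters in the VPN section (4.0, "Check packet counters for the tunnel") are only meaningful as a difference between two readings. The script below is an added example, not code from the original post: it parses two saved snapshots of show asp drop and of show crypto ipsec sa, reports which counters grew (optionally as a per-second rate when you pass the interval), and lists IPsec peers that encapsulated packets but decapsulated none in the interval, the one-way tunnel case described in 4.0. The snapshots are constructed in the output format shown on this page, with RFC 5737 peer addresses.

```python
"""Diff two snapshots of 'show asp drop' and 'show crypto ipsec sa' counters,
which is what 'issue the command several times' means in practice. Example
code, not from the original page; the snapshots below are constructed."""
import re

ASP_RE = re.compile(r"^\s*(?P<name>.+?) \((?P<tag>[\w-]+)\)\s+(?P<count>\d+)\s*$")
PEER_RE = re.compile(r"current_peer: (?P<peer>\S+)")
IPSEC_RE = re.compile(r"#(?P<name>[\w -]+?): (?P<count>\d+)")

ASP_T0 = """\
Reverse-path verify failed (rpf-violated)                                699
Flow is denied by configured rule (acl-drop)                           86477
First TCP packet not SYN (tcp-not-syn)                                 47104
TCP failed 3 way handshake (tcp-3whs-failed)                             156
Last clearing: Never
"""
ASP_T1 = """\
Reverse-path verify failed (rpf-violated)                                710
Flow is denied by configured rule (acl-drop)                           86600
First TCP packet not SYN (tcp-not-syn)                                 47104
TCP failed 3 way handshake (tcp-3whs-failed)                             160
Bad TCP flags (bad-tcp-flags)                                              4
Last clearing: Never
"""
IPSEC_T0 = """\
    current_peer: 192.0.2.3
      #pkts encaps: 26, #pkts encrypt: 26, #pkts digest: 26
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
      #send errors: 0, #recv errors: 0
    current_peer: 192.0.2.9
      #pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
      #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
      #send errors: 0, #recv errors: 0
"""
IPSEC_T1 = """\
    current_peer: 192.0.2.3
      #pkts encaps: 58, #pkts encrypt: 58, #pkts digest: 58
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
      #send errors: 0, #recv errors: 0
    current_peer: 192.0.2.9
      #pkts encaps: 150, #pkts encrypt: 150, #pkts digest: 150
      #pkts decaps: 120, #pkts decrypt: 120, #pkts verify: 120
      #send errors: 0, #recv errors: 0
"""


def parse_asp_drop(text):
    """{drop tag: count} from 'show asp drop' (flow or frame section)."""
    counters = {}
    for line in text.splitlines():
        m = ASP_RE.match(line)
        if m:
            counters[m["tag"]] = int(m["count"])
    return counters


def parse_ipsec_sa(text):
    """{'<peer> <counter>': value} from 'show crypto ipsec sa', keyed per peer."""
    counters, peer = {}, "?"
    for line in text.splitlines():
        p = PEER_RE.search(line)
        if p:
            peer = p["peer"]
            continue
        for m in IPSEC_RE.finditer(line):
            counters[f"{peer} {m['name']}"] = int(m["count"])
    return counters


def delta(before, after):
    """Counters that grew between the snapshots; new counters count from 0."""
    grown = {}
    for key, value in after.items():
        diff = value - before.get(key, 0)
        if diff > 0:
            grown[key] = diff
    return grown


def rank(grown, seconds=None):
    """[(key, delta)] biggest first; with seconds given, delta becomes a rate."""
    items = sorted(grown.items(), key=lambda kv: -kv[1])
    if seconds:
        items = [(k, v / seconds) for k, v in items]
    return items


def one_way_peers(before, after):
    """Peers that encapsulated packets but decapsulated none in the interval:
    traffic leaves the tunnel and nothing comes back (remote routing or
    crypto ACL mismatch)."""
    grown = delta(before, after)
    peers = {key.split(" ", 1)[0] for key in after}
    return sorted(p for p in peers
                  if grown.get(f"{p} pkts encaps", 0) > 0
                  and grown.get(f"{p} pkts decaps", 0) == 0)


if __name__ == "__main__":
    for tag, n in rank(delta(parse_asp_drop(ASP_T0), parse_asp_drop(ASP_T1))):
        print(f"{tag:20s} +{n}")
    print("one-way peers:", one_way_peers(parse_ipsec_sa(IPSEC_T0), parse_ipsec_sa(IPSEC_T1)))
```

Save the two command outputs a known number of seconds apart (for example 60) and pass that interval to rank() to get drops per second, which is the figure you can compare against the traffic rate on the interface.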
8.0 Threat Detection (check the top talkers)

threat-detection configuration example:

myfirewall/pri/act(config)# sh run threat-detection
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
show commands for threat-detection: this command (if the feature is activated) gives us really useful basic information about the network flows passing through the firewall. If we have a performance problem with our internet connection, we can see who currently owns the line (whose head must go under the guillotine). Keep in mind that the host statistics cost CPU and memory on a busy box; enable them when you need them rather than as a default.

myfirewall/pri/act# sh threat-detection statistics top ?
  access-list    Enter this keyword to display top N access-list statistics
  host           Enter this keyword to display top N host statistics
  port-protocol  Enter this keyword to display top N port statistics
  rate-1         Enter this keyword to display top N's first rate statistics
  rate-2         Enter this keyword to display top N's second rate statistics
  rate-3         Enter this keyword to display top N's third rate statistics
  tcp-intercept  Show statistics information for tcp intercept
  |              Output modifiers
An example with port and protocol:

myfirewall/pri/act# sh threat-detection statistics top port-protocol

Top       Name              Id     Average(eps)    Current(eps)  Trigger   Total events
20-min Sent attack:
20-min Recv attack:
  01      DNS               53             2972            3552    27100            178
  02      LDAP             389              639             474     2549             38
  03      HTTP              80              162             152    14066              9
  04      NetBIOS-Name     137              160             193     8031              9
  05      HTTPS            443              131              85    11242              7
  06      Port-8191-65535                   108              97     3513              6
  07      XMPP-SSL-Uno    5223               48              10      224              2
  08      SNMPTRAP         162               46              46    50537              2
  09      SYSLOG           514               36              32     9773              2
  10      MS-DS/SMB        445               30              40    45220              1
1-hour Sent byte:
  01      HTTP              80         25194299        24939838        0        9069947
  02      MS-DS/SMB        445          8260884         8225102        0        2973918
  03      Port-8191-65535               7038543        10227395        0        2533875
  04      LDAP             389          2334189         2347930        0         840308
  05      Microsoft SQL   1433          1373774         1196909        0         494558
  06      HTTPS            443          1318144         1258745        0         474531
  07      HTTP-Alternat   8080           520889          566088        0         187520
  08      DNS               53           430705          452066        0         155054
  09      Port-7780       7780           264564          258684        0          95243
  10      Port-3380       3380           230415           12096        0          82949
1-hour Sent pkts:
  01      MS-DS/SMB        445            40571           41786        0          14605
  02      HTTP              80            22612           22957        0           8140
  03      Port-8191-65535                  8834           11379        0           3180
  04      HTTPS            443             2528            2777        0            910
  05      LDAP             389             1956            1954        0            704
  06      Microsoft SQL   1433             1723            1527        0            620
  07      Port-135         135              679             572        0            244
  08      HTTP-Alternat   8080              414             447        0            149
  09      DNS               53              393             387        0            141
  10      ICMP             * 1              281             365        0            101
1-hour Recv byte:
  01      MS-DS/SMB        445          8241588         8308370        0        2966971
  02      HTTP              80          3148829         4675871        0        1133578
  03      Port-8191-65535               2908739         2644375        0        1047146
  04      Port-2055       2055           292614          281589        0         105341
  05      SYSLOG           514           269208          323164        0          96915
  06      HTTPS            443           266550          283114        0          95958
  07      Microsoft SQL   1433           200255          173645        0          72091
  08      LDAP             389           149348          149286        0          53765
  09      SMTP              25            88919          104011        0          32011
  10      Port-135         135            76251           63814        0          27450
1-hour Recv pkts:
  01      MS-DS/SMB        445            40120           41355        0          14443
  02      HTTP              80            16028           17115        0           5770
  03      Port-8191-65535                  7853            8933        0           2827
  04      Microsoft SQL   1433             1441            1281        0            518
  05      LDAP             389             1329            1339        0            478
  06      HTTPS            443              988             921        0            355
  07      Port-135         135              694             588        0            249
  08      SYSLOG           514              292             355        0            105
  09      HTTP-Alternat   8080              272             289        0             98
  10      DNS               53              252             251        0             90
And the top talkers list for hosts:

myfirewall/pri/act(config)# sh threat-detection statistics top host

Top       Name              Id     Average(eps)    Current(eps)  Trigger   Total events
20-min Sent attack:
  01      145.45.45.226                      11               0    60162              1
  02      145.45.45.242                       9               9     5657              1
  03      145.45.45.232                       7               0    40045
  04      145.45.45.234                       6              45    33096
  05      192.168.135.146                     6               7     8214
  06      145.45.45.211                       5               7     6109
  07      145.45.45.210                       4               4    19756
  08      172.31.4.41                         2               1        8
  09      172.16.2.224                        1               1      202
  10      10.10.123.2                         1               1        5
20-min Recv attack:
  01      192.168.135.136                     3               3     1977
  02      172.16.28.6                         1               2        0
  03      172.31.241.99                       1               1        0
  04      145.45.45.211                       1               0      830
  05      192.168.133.191                     1               1      319
  06      10.16.200.27                        1               0       17
  07      172.26.30.20                        0               0        0
  08      172.16.1.10                         0               0      216
  09      172.16.22.11                        0               0     1382
  10      10.10.123.2                         0               0     7983
  ...
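The "who owns the line" question is easier to answer as a share than as raw counters. The script below is an added example, not code from the original post: it parses the sectioned top-N tables printed by show threat-detection statistics top host (and top port-protocol, whose rows carry an extra Id column), computes each entry's share of the section's Total events and names the entries that alone account for more than half of a section. The sample table is constructed in the column layout Cisco prints, with documentation addresses.

```python
"""Rank 'show threat-detection statistics top ...' tables by share of the
section total. Example code, not from the original page; SAMPLE is a
constructed host table in the page's column layout."""
import re

SECTION_RE = re.compile(r"^\s*(?P<section>\d+-(?:min|hour) \w+ \w+):\s*$")
# Id is present for port-protocol rows (53, 389, ...) and absent for hosts;
# the optional group backtracks when only four numbers follow the name.
ROW_RE = re.compile(
    r"^\s*(?P<rank>\d+)\s+(?P<name>\S+)(?:\s+(?P<id>\d+))?"
    r"\s+(?P<avg>\d+)\s+(?P<cur>\d+)\s+(?P<trigger>\d+)\s+(?P<total>\d+)\s*$"
)

SAMPLE = """\
Top       Name              Id     Average(eps)    Current(eps)  Trigger   Total events
20-min Sent attack:
  01      192.0.2.226                        11               0        1          60162
  02      192.0.2.242                         9               9        1           5657
  03      192.0.2.232                         7               0        0          40045
1-hour Sent byte:
  01      192.0.2.226                  25194299        24939838        0        9069947
  02      10.10.123.2                   8260884         8225102        0        2973918
  03      192.0.2.242                   7038543        10227395        0        2533875
"""


def parse_top(text):
    """{section: [row dicts]}; numeric columns are ints, id is None for hosts."""
    tables, section = {}, None
    for line in text.splitlines():
        s = SECTION_RE.match(line)
        if s:
            section = s["section"]
            tables[section] = []
            continue
        r = ROW_RE.match(line)
        if r and section is not None:
            row = r.groupdict()
            for key in ("rank", "id", "avg", "cur", "trigger", "total"):
                row[key] = int(row[key]) if row[key] is not None else None
            tables[section].append(row)
    return tables


def share_of_total(rows):
    """{name: fraction of the section's Total events}."""
    total = sum(r["total"] for r in rows) or 1
    return {r["name"]: r["total"] / total for r in rows}


def hogs(tables, section, threshold=0.5):
    """Entries that alone account for more than `threshold` of a section."""
    return [name for name, frac in share_of_total(tables[section]).items() if frac > threshold]


def by_current_rate(tables, section, n=3):
    """Top n entries by Current(eps): who is loading the line right now."""
    rows = sorted(tables[section], key=lambda r: -r["cur"])[:n]
    return [(r["name"], r["cur"]) for r in rows]


if __name__ == "__main__":
    tables = parse_top(SAMPLE)
    for section, rows in tables.items():
        print(section)
        for name, frac in share_of_total(rows).items():
            print(f"  {name:18s} {frac:6.1%}")
        print("  hogs:", hogs(tables, section))
```

Run it over the output saved from the firewall; the sections keep their original names ("1-hour Sent byte", "20-min Recv attack", ...), so you can pick the window that matches the complaint you are investigating.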
9.0 Backup and Restore

Backup command with tftp server:

myfirewall3/pri/act# copy running-config tftp
Source filename [running-config]?
Address or name of remote host []? 3.3.3.3
Destination filename [running-config]?
Cryptochecksum: ee921f66 a8586880 f2d4fc17 c76933b2

Remember that the file you just copied holds your pre-shared keys, SNMP communities and local user password hashes, and that tftp has neither authentication nor encryption: run it only over a dedicated management network, or use an encrypted transfer (scp with "ssh scopy enable") instead.

For more info read my post: Migrate Cisco ASA configuration, certificates and private keys

That's all folks!
Tagged: Cisco ASA, commands, troubleshooting Posted in: ASA (http://itsecworks.com/category/security/cisco/asa/), Cisco (http://itsecworks.com/category/security/cisco/), Security (http://itsecworks.com/category/security/), Troubleshootings (http://itsecworks.com/category/security/cisco/asa/troubleshootings/)
5 Responses to "Cisco ASA troubleshooting commands"

Krish, September 19, 2013:
Very useful for basic troubleshooting..

itsecworks, September 19, 2013:
Yes, only for basic troubleshooting :-) the rest will be posted soon :-)

akesh, February 22, 2014:
Good Stuff.. Can you also try to post a bit more complex troubleshooting..thank you

itsecworks, February 22, 2014:
Feel free to suggest and it will be added to this post.