https://community.cisco.com/t5/network-security/which-debug/m-p/2276535#M348117 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The easiest way to test this is when you know the source and destination IP address and ports used by the connection</P><P></P><P>Then you can use the <STRONG>"packet-tracer"</STRONG> command on the ASA</P><P></P><P><STRONG>packet-tracer input <INTERFACE nameif=""> <TCP or="" udp=""> <SOURCE ip=""> <SOURCE port=""> <DESTINATION ip=""> <DESTINATION port=""></DESTINATION></DESTINATION></SOURCE></SOURCE></TCP></INTERFACE></STRONG></P><P></P><P>The <STRONG><INTERFACE nameif=""></INTERFACE></STRONG> is the <STRONG>"nameif" </STRONG>of the interface behind which the connecting host is located at</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 13 Jun 2013 10:16:41 GMT Jouni Forss 2013-06-13T10:16:41Z https://community.cisco.com/t5/network-security/which-debug/m-p/2276534#M348116 <P>Hi All,</P><P></P><P>I'd like to see if an ASA is blocking / dropping traffic whenI try to connect to a server. I'm basically getting timeout errors every so often, and want to see if it's the ASA which is in the path of the traffic.</P><P>What's the best Debug command to run to see IP traffic in general and check if the ASA is causing issues? Can I filter the debug via IP so I can narrow it down to whatever my source IP is? New to the ASA and want to narrow my debug down as much as I can.</P><P></P><P>Thanks</P> Tue, 12 Mar 2019 01:57:21 GMT https://community.cisco.com/t5/network-security/which-debug/m-p/2276534#M348116 GRANT3779 2019-03-12T01:57:21Z https://community.cisco.com/t5/network-security/which-debug/m-p/2276535#M348117 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The easiest way to test this is when you know the source and destination IP address and ports used by the connection</P><P></P><P>Then you can use the <STRONG>"packet-tracer"</STRONG> command on the ASA</P><P></P><P><STRONG>packet-tracer input <INTERFACE nameif=""> <TCP or="" udp=""> <SOURCE ip=""> <SOURCE port=""> <DESTINATION ip=""> <DESTINATION port=""></DESTINATION></DESTINATION></SOURCE></SOURCE></TCP></INTERFACE></STRONG></P><P></P><P>The <STRONG><INTERFACE nameif=""></INTERFACE></STRONG> is the <STRONG>"nameif" </STRONG>of the interface behind which the connecting host is located at</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 13 Jun 2013 10:16:41 GMT https://community.cisco.com/t5/network-security/which-debug/m-p/2276535#M348117 Jouni Forss 2013-06-13T10:16:41Z https://community.cisco.com/t5/network-security/which-debug/m-p/2276536#M348118 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Thanks for that. WHen using this command, can I leave out certain parts, e.g Source port? As this would be randomly generate I'd imagine. Can I just use Source IP with the packet tracer command?</P></BODY></HTML> Thu, 13 Jun 2013 11:10:26 GMT https://community.cisco.com/t5/network-security/which-debug/m-p/2276536#M348118 GRANT3779 2013-06-13T11:10:26Z https://community.cisco.com/t5/network-security/which-debug/m-p/2276537#M348119 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You need to enter the information mentioned above.</P><P></P><P>You can insert any random source port you want so its not really an issue with using this command.</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 13 Jun 2013 11:45:52 GMT https://community.cisco.com/t5/network-security/which-debug/m-p/2276537#M348119 Jouni Forss 2013-06-13T11:45:52Z https://community.cisco.com/t5/network-security/which-debug/m-p/2276538#M348120 <HTML><HEAD></HEAD><BODY><P>The command isn't available from CLI or ASDM.. It's running in transparent mode but i'm sure there are default settings causing an issue somewhere.</P><P></P><P>It's a 551X.</P></BODY></HTML> Thu, 13 Jun 2013 11:51:52 GMT https://community.cisco.com/t5/network-security/which-debug/m-p/2276538#M348120 GRANT3779 2013-06-13T11:51:52Z https://community.cisco.com/t5/network-security/which-debug/m-p/2276539#M348121 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Yes, the command is not available when the ASA is in Transparent mode.</P><P></P><P>If I am not mistaken (dont use Transparent firewalls really) you still should be able to do a packet capture on the ASA.</P><P></P><P>Have you monitored the ASA logs while connecting to the remote site?</P><P></P><P>Are you facing problems connecting to some local server behind the ASA or is the server on the Internet?</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 13 Jun 2013 11:56:34 GMT https://community.cisco.com/t5/network-security/which-debug/m-p/2276539#M348121 Jouni Forss 2013-06-13T11:56:34Z