Which Debug

GRANT3779 · ‎06-13-2013

Hi All,

I'd like to see if an ASA is blocking / dropping traffic whenI try to connect to a server. I'm basically getting timeout errors every so often, and want to see if it's the ASA which is in the path of the traffic.

What's the best Debug command to run to see IP traffic in general and check if the ASA is causing issues? Can I filter the debug via IP so I can narrow it down to whatever my source IP is? New to the ASA and want to narrow my debug down as much as I can.

Thanks

Jouni Forss · ‎06-13-2013

Hi,

The easiest way to test this is when you know the source and destination IP address and ports used by the connection

Then you can use the "packet-tracer" command on the ASA

packet-tracer input

The is the "nameif" of the interface behind which the connecting host is located at

- Jouni

GRANT3779 · ‎06-13-2013

Hi,

Thanks for that. WHen using this command, can I leave out certain parts, e.g Source port? As this would be randomly generate I'd imagine. Can I just use Source IP with the packet tracer command?

Jouni Forss · ‎06-13-2013

Hi,

You need to enter the information mentioned above.

You can insert any random source port you want so its not really an issue with using this command.

- Jouni

GRANT3779 · ‎06-13-2013

The command isn't available from CLI or ASDM.. It's running in transparent mode but i'm sure there are default settings causing an issue somewhere.

It's a 551X.

Jouni Forss · ‎06-13-2013

Hi,

Yes, the command is not available when the ASA is in Transparent mode.

If I am not mistaken (dont use Transparent firewalls really) you still should be able to do a packet capture on the ASA.

Have you monitored the ASA logs while connecting to the remote site?

Are you facing problems connecting to some local server behind the ASA or is the server on the Internet?

- Jouni