Re: Debug messages in CLI (Do not have FDM)

johnchrapkowski · ‎06-15-2023

I have a firepower 1140 and I wish to see debug messages in the CLI. I ssh in, enable system wide logging, then run debug tcp. after I go into the support console with support diagnostic-cli. Exactly one time I have seen debug messages but not since. I don't even know where to start to troubleshoot this (I have disabled logging and tried everything from scratch but still nothing).

MHM Cisco World · ‎06-15-2023

If I am right there is two debug what you do here is see the debug of fxos.

But I will make double check about this point

Rob Ingram · ‎06-15-2023

system support diagnostic-cli is the right command, it's not a FXOS command.

What debug information did you configure, console/buffer? Provide a screenshot of the configuration

Also from system support diagnostic-cli run show logging to confirm what logging is enabled.

What FTD version?

johnchrapkowski · ‎06-15-2023

I do not have FDM unfortunately so I am only using CLI. Do you know of a guide to set up logging properly through the CLI?

Running show logging indicates console logging is disabled and is buffer logging

My version is 7.0.1

Rob Ingram · ‎06-15-2023

@johnchrapkowski what are you using to manage the FTD? You can either manage the FTD locally using (FDM) or centrally using FMC/CDO/cdFMC. I assume you have an FMC?

You cannot manage an FTD from the CLI, it's 99.9% via the GUI.

johnchrapkowski · ‎06-15-2023

Apologies as I am new to cisco equipment and getting used to the terms of their stuff. I use the web interface for configuration stuff, is that what is called FTD?

Rob Ingram · ‎06-15-2023

@johnchrapkowski You can only manage the FTD using a web interface, either locally using the Firepower Device Manager (local management) or FMC/ CDO (central). Do you connect to the FTD itself to manage it? if so then you are using FDM to manage the device. If you use another device to manage multiple FTD's then that probably FMC or if hosted in the cloud then it's CDO.

The configuration of the logging settings are completely different depending on how you manage the device.

If you use FMC, follow this guide to configure logging - https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200479-Configure-Logging-on-FTD-via-FMC.html

If using FDM here is how you enable logging via the GUI.

In both scenarios you must save and deploy the changes.

johnchrapkowski · ‎06-15-2023

Thank you! I am understanding much more now

engineer467 · ‎10-21-2024

Hello Rob,

I have exact same settings on my FDM as you have shared, yet I am unable to see any debug messages when trying debug webvpn anyconnect 255

MHM Cisco World · ‎06-15-2023

Did you do these steps

Debug

System support diagnostic-cli

Show console-output

johnchrapkowski · ‎06-15-2023

I tried:

debug tcp

system support diagnostic-cli

show console-output returns error and running show? gives me:

firepower> show ?

checksum Display configuration information cryptochecksum
community-list List community-list
curpriv Display current privilege level
disk0: Display information about disk0: file system
flash: Display information about flash: file system
history Display the session command history
import Show imported objects
inventory Show all inventory information for all slots
policy-list List IP Policy list
prefix-list List IP prefix lists
version Display system software version

MHM Cisco World · ‎06-15-2023

Debug

System support diagnostic-cli

Stop capture with ctrl+a then d

Show console-output

Marvin Rhoads · ‎06-15-2023

You need to change to enable mode before using "show console-output".

However the right way it to enable console logging from the respective manager (FDM or FMC).

MHM Cisco World · ‎06-15-2023

Sure as my instructor @Marvin Rhoads @Rob Ingram mention using fdm or fmc is better

johnchrapkowski · ‎06-15-2023

I cannot push it until later as we have some production data running on this right now, but I genuinely thank you all so much for this! I will report back later what results