08-16-2017 11:32 PM - edited 03-12-2019 02:50 AM
Hi.
I have an ASA 5508-X, running FTD being controlled by a vFMC. Both are using 6.2.0.2 of their respective software. I am having trouble diagnosing some flaws in my routing, NAT and rules logic.
How, with this setup, can I trace the path of a packet and see how it routes, when it NATs, and what rule allows or blocks it? Happy to use either the GUI on the FMC, or drop to an SSH connection into the FTD.
08-17-2017 08:31 AM
You can use packet-tracer (either using the CLI or the FMC UI) for packet flow analysis. Packet-tracer will simulate a connection and tell you what is being done by which component (if you have any layer 7 stuff, keep in mind that you might only see that the packet is being forwarded to Snort for analysis).
Using FMC you can use the troubleshooting button in the device view and go to Advanced Troubleshooting to find the packet-tracer. Or just log in to your FTD device using SSH and use the packet-tracer command.
In case you want to see how a live flow is being handled by Snort (the layer 7 engine) you can use several debug commands on the CLI or do a packet capture with trace (also possible in the FMC UI in the Advanced Troubleshooting section).
Debugs include:
system support firewall-engine-debug -> debug ips/amp/url filtering
system support application-engine-debug -> debug application detection
There are other debugs as well, but this should give you a good overview of the important tools available for troubleshooting.
If you have any questions let me know.
regards
Oliver
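The answer above covers the tools; what a practitioner usually wants next is a quick way to pull the three answers (routing decision, NAT translation, deciding rule) out of the fairly long packet-tracer output. The syntax on the FTD CLI is `packet-tracer input <ingress-ifc> <proto> <src-ip> <src-port> <dst-ip> <dst-port>`, and the output is a numbered list of phases (ROUTE-LOOKUP, ACCESS-LIST, NAT, ...) each with a `Result: ALLOW` or `Result: DROP`, followed by a summary block that begins with a bare `Result:` line and ends with `Action:` and, for drops, `Drop-reason:`. On FTD the access-list line shows the access-control rule as a numeric `rule-id`; `show access-list` on the FTD CLI prints remark lines that map each rule-id back to the FMC policy and rule name. The script below is an added example, not Cisco's code and not from the original thread: it parses two constructed samples of packet-tracer output (one allowed, one dropped by an ACL) and reports the route, the NAT translation, the rule-id and where the packet was dropped. All addresses, interface names, the NAT rule and the rule-ids in the samples are assumptions made up for the example.

```python
import re

# Constructed sample in the ASA/FTD packet-tracer output format (not captured from a
# real device); interfaces, addresses, NAT rule and rule-id are assumptions.
# The command that would produce it:
#   packet-tracer input inside tcp 10.1.1.10 40000 198.51.100.5 443
SAMPLE_ALLOW = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 203.0.113.1 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit tcp 10.1.1.0 255.255.255.0 any eq 443 rule-id 268435458 event-log flow-start
Additional Information:
 This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
Dynamic translate 10.1.1.10/40000 to 203.0.113.2/40000

Result:
input-interface: inside
output-interface: outside
Action: allow
"""

# Same constructed format, but phase 2 hits a deny rule, so no NAT phase follows.
SAMPLE_DROP = SAMPLE_ALLOW.split("\nPhase: 2")[0] + """
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268434432 event-log flow-start
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Split packet-tracer output into a list of per-phase dicts plus the final summary."""
    # Phase lines read "Result: ALLOW|DROP"; only the trailing summary has a bare "Result:".
    head, _, tail = text.partition("\nResult:\n")
    phases = []
    for block in re.split(r"(?m)^Phase: ", head)[1:]:
        lines = block.splitlines()
        phase = {"phase": int(lines[0]), "type": "", "subtype": "", "result": "",
                 "config": [], "info": []}
        section = None
        for line in lines[1:]:
            for key in ("type", "subtype", "result"):
                if line.lower().startswith(key + ":"):
                    phase[key] = line.split(":", 1)[1].strip()
                    break
            else:
                if line.startswith("Config:"):
                    section = "config"
                elif line.startswith("Additional Information:"):
                    section = "info"
                elif section and line.strip():
                    phase[section].append(line.strip())
        phases.append(phase)
    final = {}
    for line in tail.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            final[key.strip().lower()] = value.strip()
    return phases, final


def summarize(text):
    """Answer the three questions: how it routed, when it NATed, which rule decided."""
    phases, final = parse_packet_tracer(text)
    dropped = next((p for p in phases if p["result"] == "DROP"), None)
    acl = [l for p in phases if p["type"] == "ACCESS-LIST" for l in p["config"]
           if l.startswith("access-list ")]
    m = re.search(r"rule-id (\d+)", acl[0]) if acl else None
    return {
        "action": final.get("action"),
        "drop_reason": final.get("drop-reason"),
        "dropped_at": dropped["type"] if dropped else None,  # first phase that said DROP
        "egress": final.get("output-interface"),
        "route": [l for p in phases if p["type"] == "ROUTE-LOOKUP" for l in p["info"]],
        "nat": [l for p in phases if p["type"] == "NAT" for l in p["info"] if "translate" in l],
        "rule_id": int(m.group(1)) if m else None,  # map to a name with: show access-list
        "sent_to_snort": any("snort" in l for p in phases for l in p["info"]),
    }


if __name__ == "__main__":
    for name, text in (("allow", SAMPLE_ALLOW), ("drop", SAMPLE_DROP)):
        print(name, summarize(text))
```

To use it on a real device, paste the output of the packet-tracer command (or of `show capture <name> trace` after a capture started with the `trace` keyword) into `summarize`. Remember the caveat from the answer: an ALLOW with `sent_to_snort` true only means the LINA side permitted the flow; the final verdict for that connection comes from Snort and is what `system support firewall-engine-debug` shows.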