
ASR - Troubleshooting using Packet Tracer




This configuration example is meant to be interpreted with the aid of the official documentation from the configuration guide located here:


The ASR must be running minimum XE 3.10 code to be able to use this feature.


[Image: ASR-packet tracer.jpg]


Let us say that the PC at is unable to telnet to  How can one troubleshoot this problem using the packet tracer tool? What steps are needed to configure it and capture the data?


Using packet trace is very straightforward. All you need to do is:

  1. Enable packet-trace

  2. Decide which kind of packets you want to trace and where to trace them

  3. Start collection

  4. View packet and then stop collection

Enable Packet-trace

This command is always required to operate packet trace. Once it is entered, matching packets will be accounted.

kusankar-ASR1002#debug platform packet-trace enable

Please remember to turn on 'debug platform condition start' for packet-trace to work

Defining What To Trace

This command will match any packets coming in on interface g0/0/0.

kusankar-ASR1002#debug platform condition interface g0/0/0 ingress

This command will match any IPv4 packets coming in interface g0/0/3 with a src or dst IP

kusankar-ASR1002#debug platform condition interface g0/0/0 ipv4 ingress

Specify How Many Packets to Collect

This command will collect 128 packets that match what we defined to trace in the above step.

kusankar-ASR1002#deb platform packet-trace packet 128

Start Collection

Start the packet collection with the following command. Send the test traffic or try the telnet that fails, then stop the data collection.

kusankar-ASR1002#debug platform condition start

Stop Collection

There is no need to stop the collection in order to see the packets that have been collected in the buffer.

kusankar-ASR1002#debug platform condition stop

How to see the packets captured

Once you find out what is being dropped, you can focus on that particular packet to get more details. In this case packets 17, 20 and 28 are dropped due to firewall policy. Let us see if this is the telnet packet from destined to

kusankar-ASR1002#sh platform packet-trace sum | i DROP

Pkt   Input                 Output           State            Reason

17    Gi0/0/0          Gi0/0/3          DROP   183 (FirewallPolicy)

20    Gi0/0/0          Gi0/0/3          DROP   183 (FirewallPolicy)

28    Gi0/0/0          Gi0/0/3          DROP   183 (FirewallPolicy)
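On a busy router the summary can run to many rows, so it helps to group the drops before pulling individual packets. The following is an added example, not part of the original article: a small parser for the summary layout shown above that groups dropped packets by interface pair and drop reason. The sample text is constructed from the rows on this page, and the FWD row is an assumed shape for a forwarded packet.

```python
import re
from collections import defaultdict

# Constructed sample in the column layout of the summary output shown above.
# The FWD row is an assumption about how a forwarded packet is listed.
SAMPLE_SUMMARY = """\
Pkt   Input            Output           State  Reason
16    Gi0/0/0          Gi0/0/3          FWD
17    Gi0/0/0          Gi0/0/3          DROP   183 (FirewallPolicy)
20    Gi0/0/0          Gi0/0/3          DROP   183 (FirewallPolicy)
28    Gi0/0/0          Gi0/0/3          DROP   183 (FirewallPolicy)
"""

# pkt, input, output, state, then an optional "<code> (<name>)" reason.
ROW = re.compile(
    r"^\s*(?P<pkt>\d+)\s+(?P<inp>\S+)\s+(?P<out>\S+)\s+(?P<state>[A-Z]+)"
    r"(?:\s+(?P<code>\d+)\s*\((?P<name>[^)]*)\))?\s*$"
)

def parse_summary(text):
    """Return one dict per packet row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            row = m.groupdict()
            row["pkt"] = int(row["pkt"])
            rows.append(row)
    return rows

def drops_by_reason(rows):
    """Group dropped packet numbers by (input, output, code, reason name)."""
    groups = defaultdict(list)
    for r in rows:
        if r["state"] == "DROP":
            groups[(r["inp"], r["out"], r["code"], r["name"])].append(r["pkt"])
    return dict(groups)

if __name__ == "__main__":
    found = drops_by_reason(parse_summary(SAMPLE_SUMMARY))
    for (inp, out, code, name), pkts in found.items():
        print(f"{inp} -> {out}: drop {code} ({name}) x{len(pkts)}")
        for p in pkts:
            # Next command to run on the router for each dropped packet.
            print(f"  show platform packet-trace packet {p}")
```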

The command below gives more detail about packet number 17. Clearly the ZBFW feature is dropping the packet. Notice the input interface, output interface, source IP, destination IP, protocol and port.

kusankar-ASR1002#sh platform packet-trace packet 17

Packet: 17          CBUG ID: 3019


  Input     : GigabitEthernet0/0/0

  Output    : GigabitEthernet0/0/3

  State     : DROP 183 (FirewallPolicy)


    Start   : 15071588347061

    Stop    : 15071588471841

Path Trace

  Feature: IPV4

    Source      :

    Destination :

    Protocol    : 6 (TCP)

      SrcPort : 52273

      DstPort : 23

  Feature: ZBFW

    Action  : Drop

    Reason  : Policy drop due to classification result

Examining the ZBF config closely, the relevant config is as follows. Clearly, tcp traffic is not allowed from the inside host

interface GigabitEthernet0/0/0

ip address

ip nat inside

zone-member security INSIDE

negotiation auto



interface GigabitEthernet0/0/3

ip address

ip nat outside

zone-member security OUTSIDE

negotiation auto



zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE

service-policy type inspect INSIDE-pm

zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE

service-policy type inspect OUTSIDE-pm

zone-member security INSIDE

zone-member security OUTSIDE


policy-map type inspect INSIDE-pm

class type inspect in-out-class


class class-default


class-map type inspect match-any in-out-class

match protocol udp

match protocol icmp

match protocol ftp 

<====> Only udp, icmp and ftp traffic is allowed. No tcp traffic is allowed, and that is the reason telnet is breaking.