cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1475
Views
0
Helpful
0
Comments
jeaves@cisco.com
Cisco Employee
Cisco Employee

 

 

<< BACK TO THE MAIN TRUSTSEC TROUBLESHOOTING GUIDE

 

TrustSec ASA Specific Troubleshooting Information

How to find the downloaded SGT's from ISE?

 

Switches show the SGT's in the main environment data screen. The ASA is slightly different:

Prompt-5506-RA# show cts environment-data

CTS Environment Data

====================

Status:                    Active

Last download attempt:     Successful

Environment Data Lifetime: 86400 secs

Last update time:          08:50:27 UTC Apr 4 2016

Env-data expires in:       0:18:47:27 (dd:hr:mm:sec)

Env-data refreshes in:     0:18:37:27 (dd:hr:mm:sec)

Prompt-5506-RA# show cts environment-data sg-table

Security Group Table:

Valid until: 08:50:27 UTC Apr 5 2016

Showing 27 of 27 entries

SG Name                          SG Tag     Type

-------                          ------     -------------

11_Dev_Srvr                          11     unicast

12_ISE1_3                            12     unicast

14_PCI_Servers                       14     unicast

19_Prod_Srvr                         19     unicast

ANY                               65535     unicast

Auditors                              9     unicast

BYOD                                 15     unicast

Contractors                           5     unicast

Unknown                               0     unicast

How to check the IP-SGT mappings and SGT name in the ASP (Accelerated Security Path)?

You can check the mappings using the normal command:

Prompt-5506-RA# show cts sgt-map

Active IP-SGT Bindings Information

IP Address          SGT   Source

================================================================

10.3.8.10          4369   LOCAL

IP-SGT Active Bindings Summary

============================================

Total number of    LOCAL bindings = 1

Total number of   active bindings = 1

Total number of    shown bindings = 1

Can also check them in the ASP:

Can also check them in the ASP:

Prompt-5506-RA# show asp table cts sgt-map

IP Address                               SGT

==============================================

  10.3.8.10                               4369:Four369    <----- IP, SGT and SGT name

Total number of entries shown = 1

How to check the SGT assigned to an AnyConnect ASA remote access connection?

Prompt-5506-RA# show vpn-sessiondb anyconnect

Session Type: AnyConnect

Username     : tseng1                 Index        : 1

Assigned IP  : 10.3.8.10              Public IP    : 192.168.1.20

Protocol     : IKEv2 IPsecOverNatT AnyConnect-Parent

License      : AnyConnect Premium

Encryption   : IKEv2: (1)AES256  IPsecOverNatT: (1)AES256  AnyConnect-Parent: (1)none

Hashing      : IKEv2: (1)SHA1  IPsecOverNatT: (1)SHA1  AnyConnect-Parent: (1)none

Bytes Tx     : 2163                   Bytes Rx     : 36014

Group Policy : GroupPolicy_RA_Profile Tunnel Group : RA_Profile

Login Time   : 13:52:00 UTC Mon Apr 4 2016

Duration     : 0h:09m:00s

Inactivity   : 0h:00m:00s

VLAN Mapping : N/A                    VLAN         : none

Audt Sess ID : 0a0307020000100057027180

Security Grp : 4369:Four369    <----- SGT (and SGT name) assigned dynamically to the remote access session

How to show ASA connections which include a security-group?

Prompt-5506-RA# show conn security-group

8 in use, 36 most used

UDP outside (4369:Four369) 10.3.8.10:65338 inside  23.22.181.70:443, idle 0:01:15, bytes 382, flags -

ICMP outside (4369:Four369)10.3.8.10:1 inside  10.1.100.3:0, idle 0:00:00, bytes 128, flags

UDP outside (4369:Four369) 10.3.8.10:138 inside  10.3.8.255:138, idle 0:00:40, bytes 201, flags -

UDP outside (4369:Four369) 10.3.8.10:137 inside  10.3.8.255:137, idle 0:00:00, bytes 5708, flags -

ICMP outside (4369:Four369)10.3.8.10:1 inside  10.1.100.3:0, idle 0:00:00, bytes 128, flags

How to capture inline tag information on the ASA?

This is written up at the following location within this document:

https://communities.cisco.com/docs/DOC-69479#jive_content_id_ASA_How_to_capture_inline_tag_information

How to use the ASA packet-tracer function to test the SGT derivation?

If you use IP addresses in the packet-tracer tool, the ASA can derive the associated SGTs:

Prompt-5525x# packet-tracer input outside tcp 10.3.8.10 6000 10.1.100.2 21

Mapping security-group 4369:Four369 to IP address 10.3.8.10    <----- The ASA derives SGT 4369 from the source IP

Mapping security-group 1001:OneThousandandOne to IP address 10.1.100.2    <----- The ASA derives DGT 1001 from the destination IP

Phase: 1

Type: ROUTE-LOOKUP

Subtype: Resolve Egress Interface

Result: ALLOW

Config:

Additional Information:

found next-hop 10.3.6.1 using egress ifc  inside

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_in in interface outside

access-list outside_access_in extended permit ip any any

Additional Information:

Phase: 3

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 405, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

The inline-tag or security-group can be used in the packet-tracer tool for source and security-group for destination:

Prompt-5525x# packet-tracer input outside tcp ?

  A.B.C.D                  Enter the Source address if ipv4

  X:X:X:X::X               Enter the Source address if ipv6

  fqdn                        Enter this keyword if an FQDN is specified as source address

  inline-tag                Enter this keyword if trace packet is embedded with L2 CMD

                                Header

  security-group       Enter this keyword if a security group is specified as source

                                address

  user                       Enter this keyword if a user is specified as source address

 

<< BACK TO THE MAIN TRUSTSEC TROUBLESHOOTING GUIDE

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: