09-04-2018 03:43 AM - edited 12-05-2018 05:15 AM
Switches list the SGTs in the main environment-data output. The ASA is slightly different: the SGT table is a separate sub-command of show cts environment-data:
Prompt-5506-RA# show cts environment-data
CTS Environment Data
====================
Status: Active
Last download attempt: Successful
Environment Data Lifetime: 86400 secs
Last update time: 08:50:27 UTC Apr 4 2016
Env-data expires in: 0:18:47:27 (dd:hr:mm:sec)
Env-data refreshes in: 0:18:37:27 (dd:hr:mm:sec)
Prompt-5506-RA# show cts environment-data sg-table
Security Group Table:
Valid until: 08:50:27 UTC Apr 5 2016
Showing 27 of 27 entries
SG Name SG Tag Type
------- ------ -------------
11_Dev_Srvr 11 unicast
12_ISE1_3 12 unicast
14_PCI_Servers 14 unicast
19_Prod_Srvr 19 unicast
ANY 65535 unicast
Auditors 9 unicast
BYOD 15 unicast
Contractors 5 unicast
Unknown 0 unicast
You can check the mappings using the normal command:
Prompt-5506-RA# show cts sgt-map
Active IP-SGT Bindings Information
IP Address SGT Source
================================================================
10.3.8.10 4369 LOCAL
IP-SGT Active Bindings Summary
============================================
Total number of LOCAL bindings = 1
Total number of active bindings = 1
Total number of shown bindings = 1
The same bindings can also be checked in the ASP (Accelerated Security Path) table, which shows the SGT name alongside the tag:
Prompt-5506-RA# show asp table cts sgt-map
IP Address SGT
==============================================
10.3.8.10 4369:Four369 <----- IP, SGT and SGT name
Total number of entries shown = 1
Prompt-5506-RA# show vpn-sessiondb anyconnect
Session Type: AnyConnect
Username : tseng1 Index : 1
Assigned IP : 10.3.8.10 Public IP : 192.168.1.20
Protocol : IKEv2 IPsecOverNatT AnyConnect-Parent
License : AnyConnect Premium
Encryption : IKEv2: (1)AES256 IPsecOverNatT: (1)AES256 AnyConnect-Parent: (1)none
Hashing : IKEv2: (1)SHA1 IPsecOverNatT: (1)SHA1 AnyConnect-Parent: (1)none
Bytes Tx : 2163 Bytes Rx : 36014
Group Policy : GroupPolicy_RA_Profile Tunnel Group : RA_Profile
Login Time : 13:52:00 UTC Mon Apr 4 2016
Duration : 0h:09m:00s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 0a0307020000100057027180
Security Grp : 4369:Four369 <----- SGT (and SGT name) assigned dynamically to the remote access session
Prompt-5506-RA# show conn security-group
8 in use, 36 most used
UDP outside (4369:Four369) 10.3.8.10:65338 inside 23.22.181.70:443, idle 0:01:15, bytes 382, flags -
ICMP outside (4369:Four369) 10.3.8.10:1 inside 10.1.100.3:0, idle 0:00:00, bytes 128, flags
UDP outside (4369:Four369) 10.3.8.10:138 inside 10.3.8.255:138, idle 0:00:40, bytes 201, flags -
UDP outside (4369:Four369) 10.3.8.10:137 inside 10.3.8.255:137, idle 0:00:00, bytes 5708, flags -
ICMP outside (4369:Four369) 10.3.8.10:1 inside 10.1.100.3:0, idle 0:00:00, bytes 128, flags
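When a session ends up with a tag that ISE never pushed in the environment data, the ASA still shows the number but any policy written by SG name cannot match it. The following added script (not part of the original guide) cross-checks the three outputs shown above: it parses show cts environment-data sg-table, show cts sgt-map and show conn security-group, reports bindings whose SGT has no entry in the environment data, and flags conn rows whose SG name disagrees with the table. The sample outputs are constructed from the ones on this page; the 1001 binding on 10.1.100.2 and the Four369 row are assumptions added for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample outputs modelled on the ASA commands shown above.
# The "Four369" row and the 1001 binding are assumptions for this example.
SG_TABLE_OUTPUT = """\
Security Group Table:
Valid until: 08:50:27 UTC Apr 5 2016
Showing 5 of 5 entries
SG Name SG Tag Type
------- ------ -------------
11_Dev_Srvr 11 unicast
14_PCI_Servers 14 unicast
Four369 4369 unicast
ANY 65535 unicast
Unknown 0 unicast
"""

SGT_MAP_OUTPUT = """\
Active IP-SGT Bindings Information
IP Address SGT Source
================================================================
10.3.8.10 4369 LOCAL
10.1.100.2 1001 LOCAL
IP-SGT Active Bindings Summary
============================================
Total number of LOCAL bindings = 2
Total number of active bindings = 2
Total number of shown bindings = 2
"""

CONN_OUTPUT = """\
8 in use, 36 most used
UDP outside (4369:Four369) 10.3.8.10:65338 inside 23.22.181.70:443, idle 0:01:15, bytes 382, flags -
ICMP outside (4369:Four369)10.3.8.10:1 inside 10.1.100.3:0, idle 0:00:00, bytes 128, flags
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
SG_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)$")            # name, tag, type
MAP_ROW = re.compile(rf"^({IPV4})\s+(\d+)\s+(\S+)$")        # ip, tag, source
# The ASA sometimes prints no space between ")" and the source IP, hence \s*.
CONN_ROW = re.compile(rf"^(\w+)\s+(\S+)\s+\((\d+):([^)]*)\)\s*({IPV4}):(\d+)")


def parse_sg_table(text: str) -> Dict[int, str]:
    """Map SGT number -> SG name from 'show cts environment-data sg-table'."""
    names: Dict[int, str] = {}
    in_rows = False
    for line in text.splitlines():
        if line.startswith("-------"):
            in_rows = True              # data rows start after the dashed header
            continue
        m = SG_ROW.match(line.strip()) if in_rows else None
        if m:
            names[int(m.group(2))] = m.group(1)
    return names


def parse_sgt_map(text: str) -> Dict[str, Tuple[int, str]]:
    """Map IP -> (SGT, source) from 'show cts sgt-map'; summary lines are skipped."""
    bindings: Dict[str, Tuple[int, str]] = {}
    for line in text.splitlines():
        m = MAP_ROW.match(line.strip())
        if m:
            bindings[m.group(1)] = (int(m.group(2)), m.group(3))
    return bindings


def parse_conn_sgts(text: str) -> List[Tuple[str, str, int, str]]:
    """(protocol, source IP, SGT, SG name) per row of 'show conn security-group'."""
    rows = []
    for line in text.splitlines():
        m = CONN_ROW.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(5), int(m.group(3)), m.group(4)))
    return rows


def unnamed_bindings(sg_names: Dict[int, str], bindings: Dict[str, Tuple[int, str]]) -> List[str]:
    """IPs whose SGT is absent from the environment data pushed by ISE.

    Such a tag was assigned (e.g. via RADIUS on a remote-access session) but
    ISE never told the ASA its name, so policy written by SG name cannot match.
    """
    return sorted(ip for ip, (tag, _src) in bindings.items() if tag not in sg_names)


def conn_name_mismatches(sg_names: Dict[int, str], conns) -> List[str]:
    """Source IPs whose conn-table SG name differs from the environment data."""
    return [ip for _proto, ip, tag, name in conns if sg_names.get(tag, name) != name]


if __name__ == "__main__":
    names = parse_sg_table(SG_TABLE_OUTPUT)
    print("bindings with no SG name in env-data:",
          unnamed_bindings(names, parse_sgt_map(SGT_MAP_OUTPUT)))
    print("conn rows with stale SG name:",
          conn_name_mismatches(names, parse_conn_sgts(CONN_OUTPUT)))
```

Feed it the real outputs captured from the ASA (for example via a scripted SSH session) instead of the embedded samples; an IP reported by unnamed_bindings is the first thing to check against the SGT assigned in the ISE authorization profile.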
This is written up at the following location within this document:
If you use IP addresses in the packet-tracer tool, the ASA can derive the associated SGTs:
Prompt-5525x# packet-tracer input outside tcp 10.3.8.10 6000 10.1.100.2 21
Mapping security-group 4369:Four369 to IP address 10.3.8.10 <----- The ASA derives SGT 4369 from the source IP
Mapping security-group 1001:OneThousandandOne to IP address 10.1.100.2 <----- The ASA derives DGT 1001 from the destination IP
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.3.6.1 using egress ifc inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 405, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
Instead of IP addresses, packet-tracer also accepts inline-tag or security-group for the source and security-group for the destination:
Prompt-5525x# packet-tracer input outside tcp ?
A.B.C.D Enter the Source address if ipv4
X:X:X:X::X Enter the Source address if ipv6
fqdn Enter this keyword if an FQDN is specified as source address
inline-tag Enter this keyword if trace packet is embedded with L2 CMD Header
security-group Enter this keyword if a security group is specified as source address
user Enter this keyword if a user is specified as source address