Introduction: This document describes the useful commands for troubleshooting Firewall related issues on ASR.
Prerequisites:
1. ASR running Firewall feature set image
2. Firewall Configuration
For Firewall related issues, use the following show commands as applicable:
show platform hardware cpp feature firewall runtime
show platform hardware cpp feature firewall memory
show platform hardware cpp feature firewall session-query-context
show platform hardware cpp feature firewall session <create|more|delete> <context> <num_of_session> [zonepair <zonepair_id>]
show platform hardware cpp feature firewall ucode scb <src addr> <src port> <dst addr> <dst port> <proto>
show platform hardware cpp feature firewall ucode zonetable <src_zone> <dst_zone>
show platform hardware cpp feature firewall ucode hostdb <host_addr>
show platform hardware cpp feature firewall zonepair <zonepair_id>
For Firewall PAM related issues, use the following show commands:
show platform hardware cpp classification class-group-manager class-group client fw-pam 2000
show platform hardware cpp classification feature-manager class-group tcam fw-pam 2000 detail
Use the following debug commands as applicable:
debug platform hardware cpp feature firewall client <all|error|info|trace|warning>
debug platform hardware cpp feature firewall datapath global <all|layer4|alg-insp|alg-parse|event|create-delete|function|timer|ha|policy|drop|ipc> detail
debug platform hardware cpp feature firewall datapath zonepair <zp_id> class <class_id|all> <all|layer4|alg-insp|alg-parse|event|create_delete|function|timer|ha|policy|drop> detail
debug platform hardware cpp feature firewall datapath session <src_ip> <src_port> <dst_ip> <dst_port> <proto> <all|layer4|alg-insp|alg-parse|event|create-delete|function|timer|ha|policy|drop> detail
Hope this information is informative. Thanks for viewing.