04-11-2011 08:52 AM - edited 03-08-2019 06:40 PM
Episode Name: Episode 18 - Useful commands for the Cisco ASA and IPS platforms
Contributors: Blayne Dreier, Jay Johnston, Magnus Mortensen, David White
Posting Date: April 19, 2011
Description: In this episode, the panel discusses seldom known but extremely useful commands on the Cisco ASA and IPS platforms. These are commands that we use often in the TAC when diagnosing and troubleshooting network issues, but we find that many of our customers don't know about them. In this episode we discuss several commands, when to use them and how to interpret their output. For a list of commands discussed in the episode, see the show notes on this page.
About the Cisco TAC Security Podcast
The Cisco TAC Security Podcast Series is created by Cisco TAC engineers. Each episode provides an in-depth technical discussion of Cisco product security features, with emphasis on troubleshooting.
The show parser dump all command dumps the entire parse chain on the ASA, displaying the privilege level of the command (first column), followed by the modifier (if applicable), the command, and any keywords or options.
Example:
ASA# show parser dump all
Mode Name :exec
. . .
15 crypto ca server revoke
15 crypto ca server unrevoke
15 crypto ca server crl issue
15 crypto ca server user-db email-otp user
15 crypto ca server user-db email-otp user
15 crypto ca server user-db email-otp all-unenrolled
15 crypto ca server user-db email-otp all-certholders
15 crypto ca server user-db email-otp
15 crypto ca server user-db show-otp
15 crypto ca server user-db add email
The show process cpu-usage sorted non-zero command displays all of the processes running on the ASA that have non-zero CPU usage (meaning they are using some of the CPU) and sorts them by the amount of CPU usage. In this example, esw_stats is the top process, but this is normal on an ASA 5505, since this low-priority process constantly polls the embedded 8-port switch.
Example:
ASA5505# show process cpu-usage sorted non-zero
PC         Thread       5Sec    1Min    5Min   Process
0x094c6cab 0xc81a87fc   12.4%   8.9%    8.7%   esw_stats
0x081ecc51 0xc81b497c    3.2%   1.3%    0.5%   Dispatch Unit
0x08e5f07c 0xc81adea8    0.6%   0.2%    0.1%   Logger
0x08e1e785 0xc8199214    0.6%   1.4%    0.4%   ssh
0x0866d56e 0xc81a3d68    0.1%   0.1%    0.1%   ARP Thread
0x087741d5 0xc81a2d48    0.1%   0.1%    0.1%   MFIB
0x08aad2dc 0xc81a69c0    0.1%   0.1%    0.1%   update_cpu_usage
The failover exec command allows you to run any command from one firewall in an HA pair on the other. For example, from the PRIMARY ACTIVE firewall, one can run show failover on the mate (STANDBY) firewall:
asa/pri/act# failover exec ?
  active   Execute command on the active unit
  mate     Execute command on the peer unit
  standby  Execute command on the standby unit
asa/pri/act# failover exec mate show failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover Ethernet0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 110 maximum
Version: Ours 8.4(1), Mate 8.4(1)
Last Failover at: 10:27:22 UTC Apr 8 2011
        This host: Secondary - Standby Ready
..
failover reload-standby
This command is useful when it comes to upgrading code. It allows you to reload the Standby ASA in a failover pair from the Active ASA:
asa/pri/act# failover reload-standby
asa/pri/act#
And on the STANDBY firewall, the console shows:
asa/sec/stby#
***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
***   requested by active unit
Process shutdown finished
Rebooting.....
The show service-policy flow command shows each of the Modular Policy Framework (MPF) objects (access-lists, class-maps, policy-maps, and service-policies) that will affect a particular flow.
asa# show service-policy flow tcp host 10.1.1.1 eq 55555 host 198.133.219.25 eq 80
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Match: default-inspection-traffic
      Action:
        Input flow:  inspect http
    Class-map: class-default
      Match: any
      Action:
        Output flow:
Interface corpnet:
  Service-policy: ips
    Class-map: ips
      Match: access-list ips
        Access rule: permit ip any any
      Action:
        Input flow:  ips inline fail-open
    Class-map: class-default
      Match: any
      Action:
        Output flow:
Interface inside:
  Service-policy: ips
    Class-map: ips
      Match: access-list ips
        Access rule: permit ip any any
      Action:
        Input flow:  ips inline fail-open
    Class-map: class-default
      Match: any
      Action:
asa#
The show nat pool command shows the utilization of the different port ranges for the NAT global IP addresses configured on the ASA. In the example below, there is one global IP address, 172.18.254.123.
Example:
ASA5505# show nat pool
TCP PAT pool outside, address 172.18.254.123, range 1-511, allocated 2
TCP PAT pool outside, address 172.18.254.123, range 512-1023, allocated 0
TCP PAT pool outside, address 172.18.254.123, range 1024-65535, allocated 38
UDP PAT pool outside, address 172.18.254.123, range 1-511, allocated 4
UDP PAT pool outside, address 172.18.254.123, range 512-1023, allocated 0
UDP PAT pool outside, address 172.18.254.123, range 1024-65535, allocated 4
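PAT port exhaustion on a busy global address shows up as failed outbound connections, so this output is worth watching over time rather than once. The following Python script is an added example (not from the podcast or from Cisco) that parses show nat pool lines, computes how full each port range is, and flags ranges at or above a threshold; the sample text is copied from the output above, the 80% threshold and the inclusive range arithmetic are my own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample input: the "show nat pool" output quoted above, minus the prompt.
SAMPLE_NAT_POOL = """\
TCP PAT pool outside, address 172.18.254.123, range 1-511, allocated 2
TCP PAT pool outside, address 172.18.254.123, range 512-1023, allocated 0
TCP PAT pool outside, address 172.18.254.123, range 1024-65535, allocated 38
UDP PAT pool outside, address 172.18.254.123, range 1-511, allocated 4
UDP PAT pool outside, address 172.18.254.123, range 512-1023, allocated 0
UDP PAT pool outside, address 172.18.254.123, range 1024-65535, allocated 4
"""

# One PAT pool line: protocol, interface, global address, port range, ports in use.
POOL_RE = re.compile(
    r"^(?P<proto>TCP|UDP) PAT pool (?P<ifname>\S+), address (?P<addr>\S+), "
    r"range (?P<lo>\d+)-(?P<hi>\d+), allocated (?P<alloc>\d+)$"
)


def parse_nat_pool(text: str) -> List[Dict]:
    """Parse PAT pool lines into dicts carrying range size and utilization (0.0-1.0)."""
    pools = []
    for raw in text.splitlines():
        m = POOL_RE.match(raw.strip())
        if not m:
            continue  # prompts and unrelated lines are ignored
        lo, hi, alloc = int(m["lo"]), int(m["hi"]), int(m["alloc"])
        size = hi - lo + 1  # assumption: the displayed range is inclusive at both ends
        pools.append({
            "proto": m["proto"],
            "interface": m["ifname"],
            "address": m["addr"],
            "range": (lo, hi),
            "size": size,
            "allocated": alloc,
            "utilization": alloc / size,
        })
    return pools


def pools_near_exhaustion(pools: List[Dict], threshold: float = 0.8) -> List[Dict]:
    """Return the pools whose utilization is at or above the (assumed) 80% threshold."""
    return [p for p in pools if p["utilization"] >= threshold]


def report(text: str, threshold: float = 0.8) -> List[str]:
    """One summary line per pool, marking the ones that are close to running out of ports."""
    lines = []
    for p in parse_nat_pool(text):
        flag = " <-- near exhaustion" if p["utilization"] >= threshold else ""
        lines.append(
            f"{p['proto']} {p['address']} {p['range'][0]}-{p['range'][1]}: "
            f"{p['allocated']}/{p['size']} ({p['utilization']:.1%}){flag}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_NAT_POOL)))
```

Feed it the output of show nat pool collected on a schedule and alert on pools_near_exhaustion(); the 1-511 and 512-1023 ranges are small, so they are the ones that fill first when many low-port translations are in use.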
This command (show run followed by a feature name) is very useful for displaying all the commands that make up a given feature. In the example below, we output all the commands that make up the call-home feature. The only other way of getting this data would be to issue show run | begin call-home.
ASA# show run call-home
service call-home
call-home
 contact-email-addr user@cisco.com
 profile CiscoTAC-1
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration export full periodic daily
  subscribe-to-alert-group telemetry periodic daily
ASA#
This command displays the output of show perfmon every 60 seconds (by default). The output interval can be changed by issuing the perfmon interval <seconds> command.
To disable the display of the output, issue the perfmon quiet command.
Example:
PERFMON STATS:                       Current      Average
Xlates                                  3/s          4/s
Connections                            20/s         23/s
TCP Conns                              18/s         21/s
UDP Conns                               2/s          2/s
URL Access                              0/s          0/s
URL Server Req                          0/s          0/s
TCP Fixup                              15/s         11/s
TCP Intercept Established Conns         0/s          0/s
TCP Intercept Attempts                  0/s          0/s
TCP Embryonic Conns Timeout             0/s          0/s
HTTP Fixup                              0/s          0/s
FTP Fixup                               0/s          0/s
AAA Authen                              0/s          0/s
AAA Author                              0/s          0/s
AAA Account                             0/s          0/s

VALID CONNS RATE in TCP INTERCEPT:   Current      Average
                                        N/A      100.00%
Number of seconds since a reset of the statistics
The number of seconds since a show statistics virtual-sensor clear was issued. If a show statistics virtual-sensor clear has never been issued, this is the up-time of the sensor.
Processing Load Percentage
A good overall measure of the sensor's inspection resource utilization.
Sig 1330.x
1330 sub-signatures are part of the TCP Normalizer Engine. Specific normalizer events can indicate TCP issues in the inspected traffic.
sensor# show stat virt
Virtual Sensor Statistics
   Statistics for Virtual Sensor vs0
      Name of current Signature-Defintion instance = sig0
      Name of current Event-Action-Rules instance = rules0
      List of interfaces monitored by this virtual sensor = GigabitEthernet0/1 subinterface 0
      General Statistics for this Virtual Sensor
         Number of seconds since a reset of the statistics = 95110
         MemoryAlloPercent = 53
         MemoryUsedPercent = 52
         MemoryMaxCapacity = 614400
         MemoryMaxHighUsed = 378880
         MemoryCurrentAllo = 330232
         MemoryCurrentUsed = 325261
         Processing Load Percentage = 4
         Total packets processed since reset = 79409976
         Total number of bytes processed since reset = 68654420781
         The rate of packets per second since reset = 834
         The rate of bytes per second since reset = 721842
         The average bytes per packet since reset = 864
      SigEvent Preliminary Stage Statistics
         Number of Alerts received = 460137
         Number of Alerts Consumed by AlertInterval = 1881
         Number of Alerts Consumed by Event Count = 126
         Number of FireOnce First Alerts = 3
         Number of FireOnce Intermediate Alerts = 0
         Number of Summary First Alerts = 14262
         Number of Summary Intermediate Alerts = 428994
         Number of Regular Summary Final Alerts = 13039
         Number of Global Summary Final Alerts = 183
         Number of Active SigEventDataNodes = 52
         Number of Alerts Output for further processing = 458130
      Per-Signature SigEvent count since reset
         Sig 1306.0 = 9
         Sig 1311.0 = 27
         Sig 1317.0 = 19
         Sig 1330.5 = 470
         Sig 1330.10 = 73
         Sig 1330.12 = 73769
         Sig 1330.14 = 7
         Sig 1330.16 = 842
         Sig 1330.17 = 6624
         Sig 1330.18 = 5527
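The three fields called out above (seconds since reset, Processing Load Percentage, and the 1330.x normalizer counts) are the ones to extract when comparing sensors or watching one over time, and raw counts only mean something once they are divided by the seconds-since-reset. The following Python script is an added example (not from the podcast or the IPS software) that parses the key = value lines of show stat virt, turns the 1330.x counts into events per second, and reports the busiest normalizer sub-signature; the sample text is a trimmed copy of the output above, and the 80% load threshold is an assumption.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample: a trimmed copy of the "show stat virt" output quoted above.
SAMPLE_VS_STATS = """\
sensor# show stat virt
Virtual Sensor Statistics
   Statistics for Virtual Sensor vs0
      General Statistics for this Virtual Sensor
         Number of seconds since a reset of the statistics = 95110
         Processing Load Percentage = 4
         Total packets processed since reset = 79409976
      Per-Signature SigEvent count since reset
         Sig 1306.0 = 9
         Sig 1311.0 = 27
         Sig 1317.0 = 19
         Sig 1330.5 = 470
         Sig 1330.10 = 73
         Sig 1330.12 = 73769
         Sig 1330.14 = 7
         Sig 1330.16 = 842
         Sig 1330.17 = 6624
         Sig 1330.18 = 5527
"""

# Only numeric "key = value" lines are kept; text-valued lines (instance names) are skipped.
KV_RE = re.compile(r"^\s*(?P<key>[^=]+?)\s*=\s*(?P<val>\d+)\s*$")
SIG_RE = re.compile(r"^Sig (?P<sig>\d+)\.(?P<sub>\d+)$")
SECONDS_KEY = "Number of seconds since a reset of the statistics"
LOAD_KEY = "Processing Load Percentage"


def parse_virtual_sensor(text: str) -> Tuple[Dict[str, int], Dict[Tuple[int, int], int]]:
    """Split the output into general counters and per-(sig, subsig) event counts."""
    general: Dict[str, int] = {}
    sigs: Dict[Tuple[int, int], int] = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if not m:
            continue
        key, val = m["key"], int(m["val"])
        s = SIG_RE.match(key)
        if s:
            sigs[(int(s["sig"]), int(s["sub"]))] = val
        else:
            general[key] = val
    return general, sigs


def subsig_rates(general: Dict[str, int], sigs: Dict[Tuple[int, int], int],
                 sig_id: int = 1330) -> Dict[int, float]:
    """Events per second for each sub-signature of sig_id, normalized by seconds since reset."""
    secs = general.get(SECONDS_KEY, 0)
    if secs <= 0:
        return {}  # stats were just cleared; a rate would be meaningless
    return {sub: n / secs for (sid, sub), n in sigs.items() if sid == sig_id}


def top_subsig(sigs: Dict[Tuple[int, int], int], sig_id: int = 1330) -> Optional[Tuple[int, int]]:
    """(subsig, count) of the most frequent sub-signature of sig_id, or None if absent."""
    cands = [(n, sub) for (sid, sub), n in sigs.items() if sid == sig_id]
    if not cands:
        return None
    n, sub = max(cands)
    return sub, n


def health_summary(text: str, load_warn: int = 80) -> Dict:
    """Collect the fields a reviewer looks at first; load_warn (80%) is an assumed threshold."""
    general, sigs = parse_virtual_sensor(text)
    load = general.get(LOAD_KEY, 0)
    return {
        "load_percent": load,
        "load_high": load >= load_warn,
        "top_1330_subsig": top_subsig(sigs),
        "rates_1330": subsig_rates(general, sigs),
    }


if __name__ == "__main__":
    for k, v in health_summary(SAMPLE_VS_STATS).items():
        print(f"{k}: {v}")
```

In the sample, 1330.12 dominates the normalizer events; which TCP condition each 1330 sub-signature represents is documented in the sensor's signature definitions, so the script reports the sub-signature number and leaves the interpretation to the operator.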
Via the global iplog command:
sensor# iplog vs0 10.1.1.1 bytes 5000 packets 250
Logging started for virtual sensor vs0, IP address 10.1.1.1, Log ID 1818324577
Warning: IP Logging will affect system performance.
Via a signature definition action:
sensor# conf t
sensor(config)# service signature-definition sig0
sensor(config-sig)# signatures 3327 13
sensor(config-sig-sig)# engine string-tcp
sensor(config-sig-sig-str)# event-action log-pair-packets
sensor(config-sig-sig-str)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes?[yes]:
sensor(config)#
Defining a packet capture:
sensor# packet capture GigabitEthernet0/1 count 250 expression host 10.1.1.1 and tcp port 80
packet display
Displaying a live packet capture:
sensor# packet display GigabitEthernet0/1 count 250 expression host 10.1.1.1 and tcp port 80
Displaying the contents of a previous packet capture:
sensor# packet display packet-file
Displaying the contents of an iplog:
packet display iplog 1818324577
reading from file -, link-type EN10MB (Ethernet)
20:26:31.779644 IP 192.168.1.3.445 > 10.1.1.3.17236: P 1820139296:1820139297(1) ack 1556908342 win 8760
20:26:31.780040 IP 10.1.1.3.57550 > 192.168.1.3.445: S 2470220233:2470221489(1256) win 8760
20:26:31.780061 IP 192.168.1.3.445 > 10.1.1.3.7688: R 2055594473:2055594473(0) win 8760
20:26:31.780071 IP 192.168.1.3.445 > 10.1.1.3.44705: R 1228413248:1228413248(0) win 8760
20:26:31.780111 IP 192.168.1.3.445 > 10.1.1.3.44865: P 1625648103:1625648104(1) ack 1556916921 win 8760
20:26:31.780133 IP 192.168.1.3.445 > 10.1.1.3.46794: P 1741804190:1741804191(1) ack 1556925500 win 8760
20:26:31.780146 IP 192.168.1.3.445 > 10.1.1.3.45314: S 2055695379:2055695379(0) ack 1561395159 win 8760
20:26:31.780424 IP 10.1.1.3.53591 > 192.168.1.3.445: S 3168046082:3168047338(1256) win 8760
20:26:31.780439 IP 10.1.1.3.16866 > 192.168.1.3.445: . ack 966721888 win 8760
20:26:31.780448 IP 10.1.1.3.51611 > 192.168.1.3.445: . ack 966727921 win 8760
20:26:31.780457 IP 10.1.1.3.4907 > 192.168.1.3.445: . ack 966733954 win 8760
20:26:31.780469 IP 192.168.1.3.445 > 10.1.1.3.39042: S 2755602194:2755602194(0) ack 1561403738 win 8760
20:26:31.780495 IP 192.168.1.3.445 > 10.1.1.3.49863: P 1214725317:1214725318(1) ack 1556934079 win 8760
20:26:31.780517 IP 192.168.1.3.445 > 10.1.1.3.19870: P 2822795228:2822795229(1) ack 1556942658 win 8760
20:26:31.780527 IP 192.168.1.3.445 > 10.1.1.3.41920: R 1588614407:1588614407(0) win 8760
20:26:31.780549 IP 192.168.1.3.445 > 10.1.1.3.39849: P 2309451107:2309451108(1) ack 1556951237 win 8760
20:26:31.780571 IP 192.168.1.3.445 > 10.1.1.3.62491: P 1423823578:1423823579(1) ack 1556959816 win 8760
20:26:31.780861 IP 10.1.1.3.45122 > 192.168.1.3.445: S 3014003755:3014005011(1256) win 8760
20:26:31.781144 IP 10.1.1.3.40352 > 192.168.1.3.445: S 2474761156:2474762412(1256) win 8760
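An iplog like this is usually hundreds of lines, and the first question is what kind of traffic it holds: handshakes, resets, or established data. The following Python script is an added example (not from the podcast or the IPS software) that parses the legacy-format tcpdump lines that packet display prints, classifies each packet by its TCP flags, and summarizes handshake activity toward a given server port; the sample text is copied from the iplog above, and the helper names are my own. It only understands the flag style shown on this page (a bare S, R, P, F or .), not the newer "Flags [S]" style.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample: the legacy-format tcpdump lines from the iplog shown above.
SAMPLE_IPLOG = """\
reading from file -, link-type EN10MB (Ethernet)
20:26:31.779644 IP 192.168.1.3.445 > 10.1.1.3.17236: P 1820139296:1820139297(1) ack 1556908342 win 8760
20:26:31.780040 IP 10.1.1.3.57550 > 192.168.1.3.445: S 2470220233:2470221489(1256) win 8760
20:26:31.780061 IP 192.168.1.3.445 > 10.1.1.3.7688: R 2055594473:2055594473(0) win 8760
20:26:31.780071 IP 192.168.1.3.445 > 10.1.1.3.44705: R 1228413248:1228413248(0) win 8760
20:26:31.780111 IP 192.168.1.3.445 > 10.1.1.3.44865: P 1625648103:1625648104(1) ack 1556916921 win 8760
20:26:31.780133 IP 192.168.1.3.445 > 10.1.1.3.46794: P 1741804190:1741804191(1) ack 1556925500 win 8760
20:26:31.780146 IP 192.168.1.3.445 > 10.1.1.3.45314: S 2055695379:2055695379(0) ack 1561395159 win 8760
20:26:31.780424 IP 10.1.1.3.53591 > 192.168.1.3.445: S 3168046082:3168047338(1256) win 8760
20:26:31.780439 IP 10.1.1.3.16866 > 192.168.1.3.445: . ack 966721888 win 8760
20:26:31.780448 IP 10.1.1.3.51611 > 192.168.1.3.445: . ack 966727921 win 8760
20:26:31.780457 IP 10.1.1.3.4907 > 192.168.1.3.445: . ack 966733954 win 8760
20:26:31.780469 IP 192.168.1.3.445 > 10.1.1.3.39042: S 2755602194:2755602194(0) ack 1561403738 win 8760
20:26:31.780495 IP 192.168.1.3.445 > 10.1.1.3.49863: P 1214725317:1214725318(1) ack 1556934079 win 8760
20:26:31.780517 IP 192.168.1.3.445 > 10.1.1.3.19870: P 2822795228:2822795229(1) ack 1556942658 win 8760
20:26:31.780527 IP 192.168.1.3.445 > 10.1.1.3.41920: R 1588614407:1588614407(0) win 8760
20:26:31.780549 IP 192.168.1.3.445 > 10.1.1.3.39849: P 2309451107:2309451108(1) ack 1556951237 win 8760
20:26:31.780571 IP 192.168.1.3.445 > 10.1.1.3.62491: P 1423823578:1423823579(1) ack 1556959816 win 8760
20:26:31.780861 IP 10.1.1.3.45122 > 192.168.1.3.445: S 3014003755:3014005011(1256) win 8760
20:26:31.781144 IP 10.1.1.3.40352 > 192.168.1.3.445: S 2474761156:2474762412(1256) win 8760
"""

# Legacy tcpdump TCP line: timestamp, src.port > dst.port: FLAGS seq(len) [ack N] win W
PKT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[SRPF.]+)(?P<rest>.*)$"
)


def classify(flags: str, rest: str) -> str:
    """Map the flag letters (plus the presence of an ack) to a handshake-level label."""
    if "S" in flags:
        return "SYN-ACK" if " ack " in rest else "SYN"
    if "R" in flags:
        return "RST"
    if "F" in flags:
        return "FIN"
    if "P" in flags:
        return "PSH"
    return "ACK"  # a bare "." is an acknowledgement with no other flag set


def parse_packet_display(text: str) -> List[Dict]:
    """Parse every TCP line in the output; the header and non-TCP lines are skipped."""
    pkts = []
    for raw in text.splitlines():
        m = PKT_RE.match(raw.strip())
        if not m:
            continue
        pkts.append({
            "ts": m["ts"],
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "kind": classify(m["flags"], m["rest"]),
        })
    return pkts


def count_by_kind(pkts: List[Dict]) -> Counter:
    """How many packets of each kind the log holds."""
    return Counter(p["kind"] for p in pkts)


def handshake_summary(pkts: List[Dict], server_port: int) -> Dict[str, int]:
    """Client SYNs toward the port versus SYN-ACKs and RSTs the server sent back."""
    return {
        "syn_to_server": sum(1 for p in pkts if p["kind"] == "SYN" and p["dport"] == server_port),
        "synack_from_server": sum(1 for p in pkts if p["kind"] == "SYN-ACK" and p["sport"] == server_port),
        "rst_from_server": sum(1 for p in pkts if p["kind"] == "RST" and p["sport"] == server_port),
    }


if __name__ == "__main__":
    packets = parse_packet_display(SAMPLE_IPLOG)
    print(dict(count_by_kind(packets)))
    print(handshake_summary(packets, 445))
```

On the sample, the client side sends four SYNs to port 445 and the server answers with two SYN-ACKs and three resets; comparing those counts against the 1330.x normalizer events from show stat virt is a quick way to confirm that an iplog captured the flows the sensor was alerting on.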
Thanks Dude!
Thanks Manish! Do you have any useful commands that you use on the ASA that you can share?
Jay,
I might not have any command that you don't know of; the "show parser dump all" shows all the possible commands that you have an option of using. But I have used "clear/show crypto protocol ikev1/ipsec" a lot when I am trying to troubleshoot a VPN issue with a tunnel coming up. It shows the requests for encrypting / decrypting.
I am sure you were aware of these commands.
Thanks Again for the Post BTW
manish
Would like to add this one:
ciscoasa(config)# vpnsetup ?
configure mode commands/options:
ipsec-remote-access Display IPSec Remote Access Configuration Commands
l2tp-remote-access Display L2TP/IPSec Configuration Commands
site-to-site Display IPSec Site-to-Site Configuration Commands
ssl-remote-access Display SSL Remote Access Configuration Commands
This is a great command, can you show the full sample output from it, such as 'vpnsetup site-to-site steps'? That will really show the usefulness of the command (especially for those studying for the CCIE)
Steps to configure a remote access IKE/IPSec connection with examples:
ciscoasa(config)# vpnsetup ipsec-remote-access steps
1. Configure Interfaces
interface GigabitEthernet0/0
ip address 10.10.4.200 255.255.255.0
nameif outside
no shutdown
interface GigabitEthernet0/1
ip address 192.168.0.20 255.255.255.0
nameif inside
no shutdown
2. Configure ISAKMP policy
crypto isakmp policy 65535
authentication pre-share
encryption aes
hash sha
3. Setup an address pool
ip local pool client-pool 192.168.1.1-192.168.1.254
4. Configure authentication method
aaa-server MyRadius protocol radius
aaa-server MyRadius host 192.168.0.254
key $ecretK3y
5. Define tunnel group
tunnel-group client type remote-access
tunnel-group client general-attributes
address-pool client-pool
authentication-server-group MyRadius
tunnel-group client ipsec-attributes
pre-shared-key VpnUs3rsP@ss
6. Setup ipsec parameters
crypto ipsec transform-set myset esp-aes esp-sha-hmac
7. Setup dynamic crypto map
crypto dynamic-map dynmap 1 set transform-set myset
crypto dynamic-map dynmap 1 set reverse-route
8. Create crypto map entry and associate dynamic map with it
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
9. Attach crypto map to interface
crypto map mymap interface outside
10. Enable isakmp on interface
crypto isakmp enable outside
Steps to configure a remote access L2TP/IPSec connection with examples:
ciscoasa(config)# vpnsetup l2tp-remote-access steps
1. Configure Interfaces
interface GigabitEthernet0/0
ip address 10.10.4.200 255.255.255.0
nameif outside
no shutdown
interface GigabitEthernet0/1
ip address 192.168.0.20 255.255.255.0
nameif inside
no shutdown
2. Configure ISAKMP policy
crypto isakmp policy 65535
authentication pre-share
encryption aes
hash sha
3. Setup an address pool
ip local pool client-pool 192.168.1.1-192.168.1.254
4. Configure authentication method
aaa-server MyRadius protocol radius
aaa-server MyRadius host 192.168.0.254
key $ecretK3y
5. Define tunnel group
tunnel-group client type remote-access
tunnel-group client general-attributes
address-pool client-pool
authentication-server-group MyRadius
tunnel-group client ipsec-attributes
pre-shared-key VpnUs3rsP@ss
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
6. Setup ipsec parameters
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto ipsec transform-set myset mode transport
7. Setup dynamic crypto map
crypto dynamic-map dynmap 1 set transform-set myset
8. Create crypto map entry and associate dynamic map with it
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
9. Attach crypto map to interface
crypto map mymap interface outside
10. Enable isakmp on interface
crypto isakmp enable outside
Steps to configure a site-to-site IKE/IPSec connection with examples:
ciscoasa(config)# vpnsetup site-to-site steps
1. Configure Interfaces
interface GigabitEthernet0/0
ip address 10.10.4.200 255.255.255.0
nameif outside
no shutdown
interface GigabitEthernet0/1
ip address 192.168.0.20 255.255.255.0
nameif inside
no shutdown
2. Configure ISAKMP policy
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
3. Configure transform-set
crypto ipsec transform-set myset esp-aes esp-sha-hmac
4. Configure ACL
access-list L2LAccessList extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
5. Configure Tunnel group
tunnel-group 10.20.20.1 type ipsec-l2l
tunnel-group 10.20.20.1 ipsec-attributes
pre-shared-key P@rtn3rNetw0rk
6. Configure crypto map and attach to interface
crypto map mymap 10 match address L2LAccessList
crypto map mymap 10 set peer 10.10.4.108
crypto map mymap 10 set transform-set myset
crypto map mymap 10 set reverse-route
crypto map mymap interface outside
7. Enable isakmp on interface
crypto isakmp enable outside
Steps to configure a remote access SSL VPN remote access connection and AnyConnect with examples:
ciscoasa(config)# vpnsetup ssl-remote-access steps
1. Configure and enable interface
interface GigabitEthernet0/0
ip address 10.10.4.200 255.255.255.0
nameif outside
no shutdown
interface GigabitEthernet0/1
ip address 192.168.0.20 255.255.255.0
nameif inside
no shutdown
2. Enable WebVPN on the interface
webvpn
enable outside
3. Configure default route
route outside 0.0.0.0 0.0.0.0 10.10.4.200
4. Configure AAA authentication and tunnel group
tunnel-group DefaultWEBVPNGroup type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group LOCAL
5. If using LOCAL database, add users to the Database
username test password t3stP@ssw0rd
username test attributes
service-type remote-access
Proceed to configure AnyConnect VPN client:
6. Point the ASA to an AnyConnect image
webvpn
svc image anyconnect-win-2.1.0148-k9.pkg
7. enable AnyConnect
svc enable
8. Add an address pool to assign an ip address to the AnyConnect client
ip local pool client-pool 192.168.1.1-192.168.1.254 mask 255.255.255.0
9. Configure group policy
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol svc webvpn
Don't rely on this command! It isn't in the code currently used in the lab... :-)
That's so cool, thanks for sharing.
Hi! In ASA OS 8.2.5 the "show nat pool" command is missing.
Jay, I really enjoy the podcast. Tell David to speak up. I have to turn up the volume and then Magnus comes in and blows out my speaker. As a consultant for a Gold Partner, I would like to share a command that I use frequently to help my customers when troubleshooting site-to-site VPNs. Usually a change has been made around the configuration that may have modified the preshared key being utilized. Using the more system:running-config command, it will display the full key instead of the asterisks. Hope this is helpful. Keep up the great podcast. I travel a lot and enjoy listening to you guys.
Eugene, The 'show nat pool' command is only available in version 8.3 and later.
Andy, thanks for the comments, we're working on making the audio quality better, and keeping the levels more "level".
Let us know if there are topics you would like us to cover in the future!
Hello
About the command failover exec mate
What could be the reason when the output of that command from the ASA is as follows?
Note: My HA is set up correctly
asa1/pri# failover exec mate show failover
ERROR: Failed to receive command response from mate
This host: Primary - Standby Ready
show failover state
====Configuration State===
Sync Done
====Communication State===
Mac set