Show Name: ASA/FTD Troubleshooting Enhancements and Cisco Live US 2018
Contributors: Kevin Klous, Jay Johnston, and Magnus Mortensen
Posting Date: June 2018
Description: The team discusses the recently released troubleshooting enhancements to ASA/FTD packet tracer and packet capture tools, some new facts about FTD 6.2.3, and a look ahead to Cisco Live US 2018 coming up in Orlando, Florida.
Listen Now (MP3 82.4 MB; 34:17 mins)
Show Notes
Cisco Live US 2018 - June 10-14 in Orlando, FL, USA
https://www.ciscolive.com/us/
Sessions Mentioned:
BRKSEC-3020 - Troubleshooting ASA Firewalls
https://www.ciscolive.com/us/learn/sessions/session-catalog/?search=BRKSEC-3020&showEnrolled=false
TECSEC-3004 - Troubleshooting Firepower Threat Defense like a TAC Engineer (Additional cost)
https://www.ciscolive.com/us/learn/sessions/session-catalog/?search=TECSEC-3004&showEnrolled=false
New Commands Discussed and Examples:
Packet Tracer with 'transmit' option
asa# sh cap
capture capin type raw-data trace interface inside [Capturing - 0 bytes]
match icmp any any
capture capout type raw-data trace interface outside [Capturing - 0 bytes]
match tcp any any eq ssh
asa# packet-tracer input inside tcp 10.1.1.20 10000 10.1.2.100 22 transmit
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
asa# sh cap capout
1 packet captured
1: 07:48:37.428978 10.1.1.20.10000 > 10.1.2.100.22: S 2316587550:2316587550(0) win 8192
1 packet shown
asa#
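Added example (not from the podcast or from Cisco): a small Python parser for the two outputs shown above, the packet-tracer phase listing and the show capture line. It splits the trace into phases, reports the first phase whose result is not ALLOW (and the Drop-reason summary line when present), and checks that the egress capture holds a SYN matching the 5-tuple given to packet-tracer, which is what the 'transmit' option lets you verify. The embedded ALLOW trace and capture line are copied from the session on this page; the DROP trace with its trailing summary block is a constructed sample in the usual packet-tracer layout, not output from any real device.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed samples. TRACER_ALLOW and CAPTURE_OUTPUT mirror the session above;
# TRACER_DROP is an invented trace showing an ACL deny and the summary block.
TRACER_ALLOW = """\
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
"""

TRACER_DROP = """\
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

CAPTURE_OUTPUT = """\
1 packet captured
1: 07:48:37.428978 10.1.1.20.10000 > 10.1.2.100.22: S 2316587550:2316587550(0) win 8192
1 packet shown
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)   # lines under "Config:"
    info: List[str] = field(default_factory=list)     # lines under "Additional Information:"


def parse_phases(text: str) -> List[Phase]:
    """Split packet-tracer output into its numbered phases; stops at the trailing summary."""
    phases: List[Phase] = []
    section: Optional[str] = None        # multi-line block currently being collected
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if sep and key == "Phase":
            phases.append(Phase(number=int(value)))
            section = None
        elif not phases:
            continue                      # banner text before the first phase
        elif sep and key == "Result" and value == "":
            break                         # bare "Result:" opens the final summary block
        elif sep and key in ("Type", "Subtype", "Result"):
            setattr(phases[-1], key.lower(), value)
            section = None
        elif sep and key == "Config":
            section = "config"
        elif sep and key == "Additional Information":
            section = "info"
        elif section == "config":
            phases[-1].config.append(line)
        elif section == "info":
            phases[-1].info.append(line)
    return phases


def first_drop(phases: List[Phase]) -> Optional[Phase]:
    """First phase whose result is not ALLOW: the place to start troubleshooting."""
    return next((p for p in phases if p.result.upper() != "ALLOW"), None)


def drop_reason(text: str) -> Optional[str]:
    """The Drop-reason line from the summary block, if the trace ended in a drop."""
    m = re.search(r"^Drop-reason:\s*(.+)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None


# Matches the TCP line format of 'show capture' seen above (IPv4, port appended with a dot).
CAPTURE_LINE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>\S+)"
)


@dataclass
class CapturedPacket:
    index: int
    timestamp: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_capture(text: str) -> List[CapturedPacket]:
    """Parse the per-packet lines of 'show capture <name>' into records."""
    return [
        CapturedPacket(int(m["idx"]), m["ts"], m["src"], int(m["sport"]),
                       m["dst"], int(m["dport"]), m["flags"])
        for m in (CAPTURE_LINE.match(l) for l in text.splitlines()) if m
    ]


def transmitted_packet_seen(packets: List[CapturedPacket],
                            src: str, sport: int, dst: str, dport: int) -> bool:
    """True when the egress capture holds the SYN that packet-tracer ... transmit injected."""
    return any(p.src == src and p.sport == sport and p.dst == dst
               and p.dport == dport and p.flags == "S" for p in packets)


if __name__ == "__main__":
    print("ALLOW trace first drop:", first_drop(parse_phases(TRACER_ALLOW)))
    d = first_drop(parse_phases(TRACER_DROP))
    print("DROP trace stops at phase", d.number, d.type, "-", drop_reason(TRACER_DROP))
    print("SYN reached capout:", transmitted_packet_seen(
        parse_capture(CAPTURE_OUTPUT), "10.1.1.20", 10000, "10.1.2.100", 22))
```

Feed it the text pasted from the terminal; the capture regex covers only the TCP/IPv4 line shape on this page, so ICMP or IPv6 lines are skipped rather than misparsed.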
Packet-tracer to simulate inbound VPN traffic with 'decrypted' option:
asa# packet-tracer input inside tcp 10.1.1.20 10000 10.1.2.100 22 decrypted
*********************************************************************
WARNING: An existing decryption SA was not found. Please confirm the
IPsec Phase 2 SA or Anyconnect Tunnel is established.
*********************************************************************
Note: The output above is seen when there are no active VPN Security Associations (SAs) on the ASA.
Packet Capture of decrypted traffic using the 'include-decrypted' option
asa# cap capout interface outside include-decrypted match tcp any any eq 22
Important Links for More Information:
Firepower 6.2.3 Release Notes
https://www.cisco.com/c/en/us/td/docs/security/firepower/623/relnotes/Firepower_Release_Notes_623.html
ASA 9.9.2 Release Notes
https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/release/notes/asarn99.html