My access lists are not debugged, why?

ndarkness
Level 1

Hello,

I'm trying to debug my access list number 103.

SWITCH_AREA_1#show access-lists

Extended IP access list 101

    10 permit ip any any log (3167272 matches)

    20 permit ip host 172.17.0.80 any log

    30 permit ip any host 10.0.1.100

    40 permit ip host 172.17.0.82 any log

    50 permit ip any host 10.0.1.100 log

Extended IP access list 102

    10 permit icmp any any log (5110 matches)

Extended IP access list 103

    10 permit ip any host 88.199.43.165 log

    20 permit ip host 172.17.0.200 any log (6080 matches)

To do so I type

SWITCH_AREA_1#debug ip packet 103 detail

IP packet debugging is on (detailed) for access list 103

But when I issue the

#show logging

I only see the debugging packets for list 101 and not for 103, which is the one I have enabled. Why do I get that? Is that due to the fact that the log isn't long enough to reach list 103?

Thanks in advance,

regards!

6 Replies

cadet alain
VIP Alumni

Hi,

The command you entered will not debug the ACL; instead, the referenced ACL is applied as a filter to the debug command.

The logging buffer is a cyclical buffer that has a limited size by default, and also only process-switched packets will be seen by the debug (packets originated by or destined to the router).

Regards.

Alain

Don't forget to rate helpful posts.

Hi cadet alain, thanks for replying!

Could you tell me then how to debug the ACL? Or that is not possible?

Thanks again!

Hi,

The router will send an administratively prohibited ICMP unreachable message to the source of the offending packet by default, so sniffing on the source if it is a PC, or debugging ip icmp on a router, will tell you if there was a hit for a deny clause in an ACL.

I've never seen a debug for Access-list so AFAIK it doesn't exist.

Regards

Alain

Don't forget to rate helpful posts.
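A way to confirm whether packets are hitting the entries of access list 103 without a packet debug, added here as an example and not part of the thread: the per-entry "(N matches)" counters that show access-lists already prints above are a cheaper check than debug ip packet, and the log keyword on both entries of 103 also produces syslog messages once the list is applied to an interface. The interface name GigabitEthernet0/1 is an assumption; the addresses are those in the posted ACL.

```cisco
! Added example, not from the original thread. The interface name is an
! assumption; use the one where ACL 103 is actually applied.

! 1. Confirm the ACL is applied somewhere; an unapplied list never matches.
SWITCH_AREA_1#show ip interface GigabitEthernet0/1 | include access list

! 2. Zero the counters so that any new hit is unambiguous.
SWITCH_AREA_1#clear ip access-list counters 103

! 3. Generate the traffic of interest (for example from 172.17.0.200),
!    then re-read the list. A rising "(N matches)" on entry 10 or 20 shows
!    the hit without any debug, including for CEF-switched transit traffic
!    that debug ip packet would never display.
SWITCH_AREA_1#show ip access-lists 103

! 4. Both entries carry "log", so matches also raise %SEC-6-IPACCESSLOG*
!    syslog messages (rate-limited, severity informational) that land in
!    the local buffer as long as "logging buffered" is at informational
!    or higher.
SWITCH_AREA_1#show logging | include IPACCESSLOG

! 5. Deny hits on a list with no explicit deny entries still show up as the
!    ICMP administratively-prohibited unreachable the router returns to the
!    source, which "debug ip icmp" displays. Turn it off again promptly.
SWITCH_AREA_1#debug ip icmp
SWITCH_AREA_1#undebug all
```

The counter check in step 3 is the one to reach for first on a production switch: it costs nothing at runtime, whereas any debug ip packet run on a busy device, even one filtered by an ACL, still consumes CPU for every process-switched packet it inspects.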

Vignesh Rajendran Praveen
Cisco Employee

Hi,

Kindly try to increase the size of the logging buffer to a higher value and see if it helps. Also check by configuring "logging console" and see if the debug logs get printed on the CLI. You should definitely see the debug logs, as the traffic according to your config would get process switched.

Thanks & Regards,

Vignesh R P
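The buffer and console settings discussed in this reply, as an added example that is not from the thread. The 64000-byte buffer size is a value chosen for this example, not a Cisco recommendation; sending the live output to the vty session instead of the console is one way to watch the debug without the console-logging cost the original poster asks about below.

```cisco
! Added example, not from the original thread. The buffer size is
! illustrative; choose one that the platform's memory allows.
SWITCH_AREA_1#configure terminal

! Larger local buffer, kept at severity "debugging" so debug output is stored
! rather than dropped before it ever reaches "show logging".
SWITCH_AREA_1(config)#logging buffered 64000 debugging

! Keep debug output off the console: it is a slow serial line, and a flood of
! debug messages to it can make the device unresponsive.
SWITCH_AREA_1(config)#no logging console

! If a live view is wanted, deliver it to the vty (SSH/Telnet) session instead.
SWITCH_AREA_1(config)#logging monitor debugging
SWITCH_AREA_1(config)#end

! Enable live output on this vty only; the console is unaffected.
SWITCH_AREA_1#terminal monitor

! The ACL is only a filter here: the debug shows process-switched packets
! that match list 103 (traffic to or from the switch itself); CEF-switched
! transit traffic never reaches it, so an empty result is not proof that
! nothing matched the ACL.
SWITCH_AREA_1#debug ip packet 103 detail

! Read back only the lines that matter, then stop the debug promptly.
SWITCH_AREA_1#show logging | include 172.17.0.200
SWITCH_AREA_1#undebug all
SWITCH_AREA_1#terminal no monitor
```

Leaving a packet debug running is the classic way to lose a device; always pair the debug line with the undebug all that ends it, and filter with an ACL, as the original poster already does, rather than debugging all IP packets.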

Hi Vignesh Rajendran Praveen, thanks for replying,

I read in some Cisco references and forums that it is not very advisable to debug on the console, since that can affect system performance; isn't that true?

On the other hand, what would be a good buffer value? Currently I'm using 13000 bytes; is that too low?

Regards

I read in some Cisco references and forums that it is not very advisable to debug on the console, since that can affect system performance; isn't that true?

That's right Juan. I rarely log to the console. It's easy enough to view the local log.
