Introduction
This document shows an example of collecting debug output from the internal ASA engine (LINA) of a Firewall Threat Defense (FTD) managed by Firewall Management Center (FMC). The LINA CLI is reached with the "system support diagnostic-cli" command.
Logging for the FTD must first be configured from the FMC GUI; after that, the debug commands and the troubleshooting workflow are the same as on ASA. For an example of troubleshooting with ASA debugs, see "ASA: Troubleshooting using logging debug-trace".
How to enable debug output on an FMC-managed FTD
1. Under Devices > Platform Settings > Syslog > Logging Setup, enable "Send debug messages as syslogs" and increase the Internal Buffer syslog size to 200,000 bytes. This is equivalent to the "logging debug-trace" command on ASA.
2. Under Logging Destinations, configure the desired debug destination and Logging Level. In this example, Error-level syslogs are written to the Internal Buffer (viewable with "show logging").
Note: to limit log volume and device load, do not leave the Notification, Informational or Debugging logging levels enabled permanently.
3. Under Syslog Settings, click "+ Add" and set the logging level for Syslog ID 711001 (the fixed ID that debug messages are sent as). Here it is set to Errors. The level assigned to 711001 must be within the level configured for the destination in step 2 (for example, Errors for 711001 with a destination level of Errors or higher); if 711001 is left at its default Debugging level while the buffer only keeps Errors, the debug lines are filtered out.
4. Deploy the above settings to the target FTD device(s).
5. Log in to the FTD that received the deployment and confirm that "#1 logs of the chosen level are stored in the Internal Buffer", "#2 debug output as syslog is enabled" and "#3 the log output setting for Syslog ID 711001" are in effect.
firepower>
Console connection detached.
>
> system support diagnostic-cli
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
firepower> en
Password: <--- press Enter (empty password)
firepower#
firepower# show run logging
logging enable
logging list MANAGER_VPN_EVENT_LIST level errors class auth
logging list MANAGER_VPN_EVENT_LIST level errors class vpn
logging list MANAGER_VPN_EVENT_LIST level errors class vpnc
logging list MANAGER_VPN_EVENT_LIST level errors class vpnfo
logging list MANAGER_VPN_EVENT_LIST level errors class vpnlb
logging list MANAGER_VPN_EVENT_LIST level errors class webfo
logging list MANAGER_VPN_EVENT_LIST level errors class webvpn
logging list MANAGER_VPN_EVENT_LIST level errors class ca
logging list MANAGER_VPN_EVENT_LIST level errors class svc
logging list MANAGER_VPN_EVENT_LIST level errors class ssl
logging list MANAGER_VPN_EVENT_LIST level errors class dap
logging list MANAGER_VPN_EVENT_LIST level errors class ipaa
logging list MANAGER_VPN_EVENT_LIST message 880001
logging buffer-size 200000
logging buffered errors <--- #1
logging FMC MANAGER_VPN_EVENT_LIST
logging debug-trace persistent <--- #2
logging permit-hostdown
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
logging message 711001 level errors <--- #3
firepower#
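The three items checked in step 5 are easy to misread by eye in a long "show run logging" dump, especially the relationship between the level given to 711001 and the level of the buffer. The following is an added example (not code from the original article or from Cisco) that parses a "show run logging" dump and reports which of #1, #2 and #3 are missing or inconsistent. The SAMPLE_CONFIG text is the relevant subset of the article's own "show run logging" output; the severity table is the standard ASA syslog severity scale, the default severity 7 for message 711001 and the default buffer size of 4096 bytes are ASA defaults, and the 200,000-byte threshold is the size recommended in step 1.

```python
"""Check an FTD/ASA 'show run logging' dump for the settings that logging debug-trace needs.

Added example, not from the original article. Verifies:
  #1 a level for the internal buffer ('logging buffered <level>')
  #2 debug redirection to syslog   ('logging debug-trace [persistent]')
  #3 a level for message 711001 that the buffer will actually keep
"""
import re

# Standard ASA syslog severities as printed by 'show run logging'.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}
DEBUG_MSG_ID = "711001"       # fixed message ID that debug-trace redirects debug output to
DEFAULT_711001_SEVERITY = 7   # %ASA-7-711001: debugging level unless overridden (ASA default)
DEFAULT_BUFFER_SIZE = 4096    # ASA default 'logging buffer-size'
RECOMMENDED_BUFFER_SIZE = 200000  # size the article sets in step 1

# The article's 'show run logging' output, reduced to the lines this check cares about.
SAMPLE_CONFIG = """\
logging enable
logging buffer-size 200000
logging buffered errors
logging debug-trace persistent
logging permit-hostdown
no logging message 106015
logging message 711001 level errors
"""


def severity(level: str) -> int:
    """Map a level keyword or number as printed by 'show run logging' to 0..7."""
    return int(level) if level.isdigit() else SEVERITY[level.lower()]


def parse_logging_config(show_run_logging: str) -> dict:
    """Extract the debug-trace related settings from a 'show run logging' dump."""
    cfg = {
        "buffered": None,                        # #1: severity kept by the internal buffer
        "buffer_size": DEFAULT_BUFFER_SIZE,      # default applies when the line is absent
        "debug_trace": False,                    # #2
        "msg_711001": DEFAULT_711001_SEVERITY,   # #3: default applies when not overridden
        "msg_711001_disabled": False,            # 'no logging message 711001' present
    }
    for raw in show_run_logging.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"logging buffered (\S+)", line):
            cfg["buffered"] = severity(m.group(1))
        elif m := re.fullmatch(r"logging buffer-size (\d+)", line):
            cfg["buffer_size"] = int(m.group(1))
        elif re.fullmatch(r"logging debug-trace(?: persistent)?", line):
            cfg["debug_trace"] = True
        elif m := re.fullmatch(rf"logging message {DEBUG_MSG_ID} level (\S+)", line):
            cfg["msg_711001"] = severity(m.group(1))
        elif line == f"no logging message {DEBUG_MSG_ID}":
            cfg["msg_711001_disabled"] = True
    return cfg


def debug_trace_findings(show_run_logging: str) -> list[str]:
    """Return human-readable problems; an empty list means debug lines will reach the buffer."""
    cfg = parse_logging_config(show_run_logging)
    findings = []
    if cfg["buffered"] is None:
        findings.append("#1 missing: no 'logging buffered <level>' (Logging Destinations -> Internal Buffer)")
    if not cfg["debug_trace"]:
        findings.append("#2 missing: no 'logging debug-trace' ('Send debug messages as syslogs' not enabled)")
    if cfg["msg_711001_disabled"]:
        findings.append("#3 broken: 'no logging message 711001' suppresses all debug output")
    elif cfg["buffered"] is not None and cfg["msg_711001"] > cfg["buffered"]:
        # A destination keeps messages whose severity number is <= its own level.
        findings.append(
            f"#3 mismatch: 711001 is severity {cfg['msg_711001']} but the buffer only keeps "
            f"severity <= {cfg['buffered']}; debug lines will be dropped")
    if cfg["buffer_size"] < RECOMMENDED_BUFFER_SIZE:
        findings.append(
            f"buffer-size {cfg['buffer_size']} is below the {RECOMMENDED_BUFFER_SIZE} bytes set in step 1")
    return findings


if __name__ == "__main__":
    for problem in debug_trace_findings(SAMPLE_CONFIG) or ["OK: #1, #2 and #3 are all in effect"]:
        print(problem)
```

Paste the real "show run logging" output in place of SAMPLE_CONFIG, or feed it on stdin from a saved session log, to run the same checks against a live device. The mismatch check is the one that matters most in practice: the device accepts a 711001 level that the buffer will never keep, and "show logging" then simply shows no debug lines.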
Verification
Enable the desired debug. This document uses "debug arp" to enable ARP debugging.
firepower# debug arp
INFO: 'logging debug-trace' is enabled. All debug messages are currently being redirected to syslog:711001 and will not appear in any monitor session
debug arp enabled at level 1
firepower#
To view the debug messages accumulated in the Internal Buffer, run "show logging". As shown below, the ARP debug lines are output under Syslog ID 711001.
firepower# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Hide Username logging: enabled
Standby logging: disabled
Debug-trace logging: enabled (persistent)
Console logging: disabled
Monitor logging: disabled
Buffer logging: level errors, 11670 messages logged
Trap logging: disabled
Permit-hostdown logging: enabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
FMC logging: list MANAGER_VPN_EVENT_LIST, 0 messages logged
%FTD-3-711001: arp-set: added arp outside 172.16.64.1 0060.b992.6efe and updating NPs at 09:17:01.432
%FTD-3-711001: arp-set: added arp outside 172.16.64.1 0060.b992.6efe and updating NPs at 09:17:01.882
%FTD-3-711001: arp-set: added arp outside 172.16.64.1 0060.b992.6efe and updating NPs at 09:17:02.822
%FTD-3-711001: arp-set: added arp outside 172.16.64.1 0060.b992.6efe and updating NPs at 09:17:03.032
%FTD-3-711001: arp-in: rqst for me from 192.168.0.18 for 192.168.0.254, on inside
%FTD-3-711001: arp-set: added arp inside 192.168.0.18 3acf.f28a.631f and updating NPs at 09:17:05.422
%FTD-3-711001: arp-in: generating reply from 192.168.0.254 10b3.d5ba.8d05 to 192.168.0.18 3acf.f28a.631f
%FTD-3-711001: arp-in: rqst for me from 192.168.0.79 for 192.168.0.254, on inside
%FTD-3-711001: arp-set: added arp inside 192.168.0.79 5e31.63ed.3181 and updating NPs at 09:17:08.612
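Because debug-trace wraps every debug line as a 711001 syslog, the debug text can be pulled out of a saved "show logging" dump and processed offline instead of being read on the console. The following is an added example (not code from the original article or from Cisco) that extracts the 711001 lines and, for "debug arp", tabulates the IP-to-MAC bindings learned per interface and the ARP requests answered by the firewall. The SAMPLE_SHOW_LOGGING text is constructed from the article's "show logging" output above plus one extra constructed "arp-set" line that learns 192.168.0.18 with a second MAC; flagging an IP learned with more than one MAC goes beyond the article and is included because it is a quick way to spot ARP spoofing or a duplicate address while the debug is running. The line formats matched are the "arp-set" and "arp-in: rqst" formats shown above.

```python
"""Extract debug-trace output (syslog ID 711001) from a 'show logging' dump and summarise ARP debug.

Added example, not from the original article. Parses the 'arp-set' and 'arp-in: rqst' line
formats that 'debug arp' produces and flags IPs learned with more than one MAC.
"""
import re
from collections import Counter, defaultdict

# debug-trace wraps every debug line as %FTD-<sev>-711001: <original debug text>
DEBUG_LINE = re.compile(r"^%(?:ASA|FTD)-\d-711001: (?P<body>.+)$")
ARP_SET = re.compile(
    r"^arp-set: added arp (?P<ifc>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")
ARP_REQUEST = re.compile(
    r"^arp-in: rqst for me from (?P<sender>\S+) for (?P<target>\S+), on (?P<ifc>\S+)")

# Constructed sample: the article's 'show logging' output, plus one constructed arp-set line
# at the end that learns 192.168.0.18 with a different MAC (de4d.beef.0001).
SAMPLE_SHOW_LOGGING = """\
Syslog logging: enabled
    Facility: 20
    Debug-trace logging: enabled (persistent)
    Buffer logging: level errors, 11670 messages logged
%FTD-3-711001: arp-set: added arp outside 172.16.64.1 0060.b992.6efe and updating NPs at 09:17:01.432
%FTD-3-711001: arp-set: added arp outside 172.16.64.1 0060.b992.6efe and updating NPs at 09:17:01.882
%FTD-3-711001: arp-set: added arp outside 172.16.64.1 0060.b992.6efe and updating NPs at 09:17:02.822
%FTD-3-711001: arp-set: added arp outside 172.16.64.1 0060.b992.6efe and updating NPs at 09:17:03.032
%FTD-3-711001: arp-in: rqst for me from 192.168.0.18 for 192.168.0.254, on inside
%FTD-3-711001: arp-set: added arp inside 192.168.0.18 3acf.f28a.631f and updating NPs at 09:17:05.422
%FTD-3-711001: arp-in: generating reply from 192.168.0.254 10b3.d5ba.8d05 to 192.168.0.18 3acf.f28a.631f
%FTD-3-711001: arp-in: rqst for me from 192.168.0.79 for 192.168.0.254, on inside
%FTD-3-711001: arp-set: added arp inside 192.168.0.79 5e31.63ed.3181 and updating NPs at 09:17:08.612
%FTD-3-711001: arp-set: added arp inside 192.168.0.18 de4d.beef.0001 and updating NPs at 09:17:09.101
"""


def extract_debug_lines(show_logging: str) -> list[str]:
    """Return the original debug text of every 711001 line; header lines are skipped."""
    return [m.group("body") for line in show_logging.splitlines()
            if (m := DEBUG_LINE.match(line.strip()))]


def summarize_arp_debug(show_logging: str) -> dict:
    """Tabulate 'debug arp' output: learned bindings, requests answered, and IPs with >1 MAC."""
    bindings = defaultdict(set)   # (interface, ip) -> {mac, ...}
    requests = Counter()          # (interface, sender, target) -> count
    unparsed = 0
    bodies = extract_debug_lines(show_logging)
    for body in bodies:
        if m := ARP_SET.match(body):
            bindings[(m["ifc"], m["ip"])].add(m["mac"])
        elif m := ARP_REQUEST.match(body):
            requests[(m["ifc"], m["sender"], m["target"])] += 1
        else:
            unparsed += 1          # e.g. 'arp-in: generating reply ...' lines
    table = {f"{ifc}/{ip}": sorted(macs) for (ifc, ip), macs in bindings.items()}
    return {
        "debug_lines": len(bodies),
        "bindings": table,
        "requests": {f"{ifc}: {s} -> {t}": n for (ifc, s, t), n in requests.items()},
        # An IP learned with more than one MAC on the same interface: duplicate address,
        # a host that moved, or ARP spoofing. Worth a look either way.
        "mac_changes": {k: v for k, v in table.items() if len(v) > 1},
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    summary = summarize_arp_debug(SAMPLE_SHOW_LOGGING)
    print(f"{summary['debug_lines']} debug lines ({summary['unparsed']} not parsed)")
    for key, macs in summary["bindings"].items():
        print(f"  {key}: {', '.join(macs)}")
    for key, macs in summary["mac_changes"].items():
        print(f"  WARNING {key} seen with {len(macs)} MACs: {', '.join(macs)}")
```

Save the "show logging" output to a file from the diagnostic CLI session and pass its contents to summarize_arp_debug() to run the same summary on a real capture. Only the 711001 wrapper is specific to debug-trace; the two ARP regexes are tied to the "debug arp" text shown above and would need their own patterns for other debugs.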
After finishing troubleshooting with debug, always disable debugging with "undebug all" and confirm with "show debug" that no debugs remain enabled.
firepower# undebug all
INFO: 'logging debug-trace' is enabled. All debug messages are currently being redirected to syslog:711001 and will not appear in any monitor session
INFO: 'logging debug-trace' is enabled. All debug messages are currently being redirected to syslog:711001 and will not appear in any monitor session
INFO: 'logging debug-trace' is enabled. All debug messages are currently being redirected to syslog:711001 and will not appear in any monitor session
INFO: 'logging debug-trace' is enabled. All debug messages are currently being redirected to syslog:711001 and will not appear in any monitor session
INFO: 'logging debug-trace' is enabled. All debug messages are currently being redirected to syslog:711001 and will not appear in any monitor session
INFO: 'logging debug-trace' is enabled. All debug messages are currently being redirected to syslog:711001 and will not appear in any monitor session
INFO: 'logging debug-trace' is enabled. All debug messages are currently being redirected to syslog:711001 and will not appear in any monitor session
INFO: 'logging debug-trace' is enabled. All debug messages are currently being redirected to syslog:711001 and will not appear in any monitor session
INFO: 'logging debug-trace' is enabled. All debug messages are currently being redirected to syslog:711001 and will not appear in any monitor session
INFO: 'logging debug-trace' is enabled. All debug messages are currently being redirected to syslog:711001 and will not appear in any monitor session
firepower#
firepower# show debug
Debug fxos_parser off
Conditional debug filters:
Conditional debug features:
firepower#
Reference documents
Cisco FTD How To
https://community.cisco.com/t5/-/-/ta-p/5024782