This document provides information you can use in order to troubleshoot Cisco IOS® Firewall configurations.
There are no specific requirements for this document.
This document is not restricted to specific software and hardware versions.
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Note: Refer to Important Information on Debug Commands before you issue debug commands.
In order to reverse (remove) an access list, put a "no" in front of the access-group command in interface configuration mode:
no ip access-group # in|out
If too much traffic is denied, study the logic of your list or try to define an additional broader list, and then apply it instead. For example:
access-list # permit tcp any any
access-list # permit udp any any
access-list # permit icmp any any
ip access-group # in|out
The show ip access-lists command shows which access lists are applied and what traffic is denied by them. If you look at the packet count denied before and after the failed operation with the source and destination IP address, this number increases if the access list blocks traffic.
If the router is not heavily loaded, debugging can be done at a packet level on the extended or ip inspect access list. If the router is heavily loaded, traffic is slowed through the router. Use discretion with debugging commands.
Temporarily add the no ip route-cache command to the interface:
no ip route-cache
Then, in enable (but not config) mode:
debug ip packet # det
produces output similar to this:
*Mar 1 04:38:28.078: IP: s=10.31.1.161 (Serial0), d=22.214.171.124 (Ethernet0),
g=10.31.1.21, len 100, forward
*Mar 1 04:38:28.086: IP: s=126.96.36.199 (Ethernet0), d=188.8.131.52 (Serial0), g=184.108.40.206,
len 100, forward
Extended access lists can also be used with the "log" option at the end of the various statements:
access-list 101 deny ip host 220.127.116.11 host 10.31.1.161 log
access-list 101 permit ip any any
You therefore see messages on the screen for permitted and denied traffic:
*Mar 1 04:44:19.446: %SEC-6-IPACCESSLOGDP: list 111 permitted icmp 18.104.22.168
-> 10.31.1.161 (0/0), 15 packets
*Mar 1 03:27:13.295: %SEC-6-IPACCESSLOGP: list 118 denied tcp 22.214.171.124(0)
-> 10.31.1.161(0), 1 packet
If the ip inspect list is suspect, the debug ip inspect <type_of_traffic> command produces output such as this output:
Feb 14 12:41:17 10.31.1.52 56: 3d05h: CBAC* sis 258488 pak 16D0DC TCP P ack 3195751223
seq 3659219376(2) (10.31.1.5:11109) => (126.96.36.199:23)
Feb 14 12:41:17 10.31.1.52 57: 3d05h: CBAC* sis 258488 pak 17CE30 TCP P ack 3659219378
seq 3195751223(12) (10.31.1.5:11109) <= (188.8.131.52:23)
For these commands, along with other troubleshooting information, refer to Troubleshooting Authentication Proxy.