Cisco ASA Series Command Reference, S Commands
show uauth -- show xlate
Downloads: This chapterpdf (PDF - 624.0KB) The complete bookPDF (PDF - 9.29MB) | The complete bookePub (ePub - 801.0KB) | The complete bookMobi (Mobi - 2.94MB) | Feedback

Table of Contents

show uauth through show xlate Commands

show uauth

show url-block

show url-cache statistics

show url-server

show user-identity ad-agent

show user-identity ad-group-members

show user-identity ad-groups

show user-identity ad-users

show user-identity group

show user-identity ip-of-user

show user-identity memory

show user-identity statistics

show user-identity statistics top user

show user-identity user active

show user-identity user all

show user-identity user inactive

show user-identity user-not-found

show user-identity user-of-group

show user-identity user-of-ip

show version

show vlan

show vm

show vpn load-balancing

show vpn-sessiondb

show vpn-sessiondb ratio

show vpn-sessiondb summary

show wccp

show webvpn csd

show webvpn group-alias

show webvpn group-url

show webvpn kcd

show webvpn sso-server

show webvpn anyconnect

show xlate

show uauth through show xlate Commands

show uauth

To display one or all currently authenticated users, the host IP to which they are bound, and any cached IP and port authorization information, use the show uauth command in privileged EXEC mode.

show uauth [ username ]

 
Syntax Description

username

(Optional) Specifies, by username, the user authentication and authorization information to display.

 
Defaults

Omitting username displays the authorization information for all users.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

7.2(1)

The idle time was added to the output.

7.2(2)

The idle time was removed from the output.

 
Usage Guidelines

The show uauth command displays the AAA authorization and authentication caches for one user or for all users.

This command is used with the timeout command.

Each user host IP address has an authorization cache attached to it. The cache allows up to 16 address and service pairs for each user host. If the user attempts to access a service that has been cached from the correct host, the ASA considers it preauthorized and immediately proxies the connection. Once you are authorized to access a website, for example, the authorization server is not contacted for each image as it is loaded (assuming the images come from the same IP address). This process significantly increases performance and reduces the load on the authorization server.

The output from the show uauth command displays the username that is provided to the authorization server for authentication and authorization purposes, the IP address to which the username is bound, and if the user is authenticated only or has cached services.


NoteWhen you enable Xauth, an entry is added to the uauth table (as shown by the When you enable Xauth, an entry is added to the uauth table (as shown by the show uauth command) for the IP address that is assigned to the client. However, when using Xauth with the Easy VPN Remote feature in Network Extension Mode, the IPsec tunnel is created from network to network, so that the users behind the firewall cannot be associated with a single IP address. For this reason, a uauth entry cannot be created upon completion of Xauth. If AAA authorization or accounting services are required, you can enable the AAA authentication proxy to authenticate users behind the firewall. For more information on AAA authentication proxies, see to the aaa commands.


Use the timeout uauth command to specify how long the cache should be kept after the user connections become idle. Use the clear uauth command to delete all the authorization caches for all the users, which will cause them to have to reauthenticate the next time that they create a connection.

Examples

This example shows sample output from the show uauth command when no users are authenticated and one user authentication is in progress:

ciscoasa(config)# show uauth
Current Most Seen
Authenticated Users 1 1
Authen In Progress 0 1
user 'v039294' at 136.131.178.4, authenticated (idle for 0:00:00)
access-list #ACSACL#-IP-v039294-521b0b8b (*)
absolute timeout: 0:00:00
inactivity timeout: 0:05:00
 

This example shows sample output from the show uauth command when three users are authenticated and authorized to use services through the ASA:

ciscoasa(config)# show uauth
user ‘pat’ from 209.165.201.2 authenticated
user ‘robin’ from 209.165.201.4 authorized to:
port 192.168.67.34/telnet 192.168.67.11/http 192.168.67.33/tcp/8001
192.168.67.56/tcp/25 192.168.67.42/ftp
user ‘terry’ from 209.165.201.7 authorized to:
port 192.168.1.50/http 209.165.201.8/http
 

 
Related Commands

Command
Description

clear uauth

Removes current user authentication and authorization information.

timeout

Sets the maximum idle time duration.

show url-block

To display the number of packets held in the url-block buffer and the number (if any) dropped due to exceeding the buffer limit or retransmission, use the show url-block command in privileged EXEC mode.

show url-block [ block statistics ]

 
Syntax Description

block statistics

(Optional) Displays block buffer usage statistics.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

The show url-block block statistics command displays the number of packets held in the url block buffer and the number (if any) dropped due to exceeding the buffer limit or retransmission.

Examples

The following is sample output from the show url-block command:

ciscoasa# show url-block
| url-block url-mempool 128 | url-block url-size 4 | url-block block 128
 

This shows the configuration of the URL block buffer.

 

The following is sample output from the show url-block block statistics command:

ciscoasa# show url-block block statistics
 
URL Pending Packet Buffer Stats with max block 128 |
Cumulative number of packets held: | 896
Maximum number of packets held (per URL): | 3
Current number of packets held (global): | 38
Packets dropped due to
| exceeding url-block buffer limit: | 7546
| HTTP server retransmission: | 10
Number of packets released back to client: | 0
 

 
Related Commands

Commands
Description

clear url-block block statistics

Clears the block buffer usage counters.

filter url

Directs traffic to a URL filtering server.

url-block

Manage the URL buffers used for web server responses.

url-cache

Enables URL caching while pending responses from an N2H2 or Websense server and sets the size of the cache.

url-server

Identifies an N2H2 or Websense server for use with the filter command.

show url-cache statistics

To display information about the url-cache, which is used for URL responses received from an N2H2 or Websense filtering server, use the show url-cache statistics command in privileged EXEC mode.

show url-cache statistics

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

The show url-cache statistics command displays the following entries:

  • Size—The size of the cache in kilobytes, set with the url-cache size option.
  • Entries—The maximum number of cache entries based on the cache size.
  • In Use—The current number of entries in the cache.
  • Lookups—The number of times the ASA has looked for a cache entry.
  • Hits—The number of times the ASA has found an entry in the cache.

You can view additional information about N2H2 Sentian or Websense filtering activity with the show perfmon command.

Examples

The following is sample output from the show url-cache statistics command:

ciscoasa# show url-cache statistics
 
URL Filter Cache Stats
----------------------
| Size : 1KB
Entries : 36
In Use : 30
Lookups : 300
| Hits : 290
 

 
Related Commands

Commands
Description

clear url-cache statistics

Removes url-cache command statements from the configuration.

filter url

Directs traffic to a URL filtering server.

url-block

Manage the URL buffers used for web server responses.

url-cache

Enables URL caching for responses received from an N2H2 or Websense server and sets the size of the cache.

url-server

Identifies an N2H2 or Websense server for use with the filter command.

show url-server

To display information about the URL filtering server, use the show url-server command in privileged EXEC mode.

show url-server statistics

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

The show url-server statistics command displays the URL server vendor; number of URLs total, allowed, and denied; number of HTTPS connections total, allowed, and denied; number of TCP connections total, allowed, and denied; and the URL server status.

The show url-server command displays the following information:

  • For N2H2, url-server ( if_name ) vendor n2h2 host local_ip port number timeout seconds protocol [{ TCP | UDP }{ version 1 | 4 }]
  • For Websense, url-server ( if_name ) vendor websense host local_ip timeout seconds protocol [{ TCP | UDP }]

Examples

The following is sample output from the show url-server statistics command:

ciscoasa## show url-server statistics
Global Statistics:
------------------
URLs total/allowed/denied 994387/155648/838739
URLs allowed by cache/server 70483/85165
URLs denied by cache/server 801920/36819
HTTPSs total/allowed/denied 994387/155648/838739
HTTPs allowed by cache/server 70483/85165
HTTPs denied by cache/server 801920/36819
FTPs total/allowed/denied 994387/155648/838739
FTPs allowed by cache/server 70483/85165
FTPs denied by cache/server 801920/36819
Requests dropped 28715
Server timeouts/retries 567/1350
Processed rate average 60s/300s 1524/1344 requests/second
Denied rate average 60s/300s 35648/33022 requests/second
Dropped rate average 60s/300s 156/189 requests/second
 
URL Server Statistics:
----------------------
192.168.0.1 UP
Vendor websense
Port 17035
Requests total/allowed/denied 366519/255495/110457
Server timeouts/retries 567/1350
Responses received 365952
Response time average 60s/300s 2/1 seconds/request
192.168.0.2 DOWN
Vendor websense
Port 17035
Requests total/allowed/denied 0/0/0
Server timeouts/retries 0/0
Responses received 0
Response time average 60s/300s 0/0 seconds/request
. . .
URL Packets Sent and Received Stats:
------------------------------------
Message Sent Received
STATUS_REQUEST 411 0
LOOKUP_REQUEST 366519 365952
LOG_REQUEST 0 NA
 
Errors:
-------
RFC noncompliant GET method 0
URL buffer update failure 0
 
Semantics:
This command allows the operator to display url-server statistics organized on a global and per-server basis. The output is reformatted to provide: more-detailed information and per-server organization.
 
Supported Modes:
privileged
router || transparent
single || multi/context
 
Privilege:
ATTR_ES_CHECK_CONTEXT
 
Debug support:
N/A
 
Migration Strategy (if any):
N/A
 

 
Related Commands

Commands
Description

clear url-server

Clears the URL filtering server statistics.

filter url

Directs traffic to a URL filtering server.

url-block

Manage the URL buffers used for web server responses.

url-cache

Enables URL caching while pending responses from an N2H2 or Websense server and sets the size of the cache.

url-server

Identifies an N2H2 or Websense server for use with the filter command.

show user-identity ad-agent

To display information about the AD Agent for the Identify Firewall, use the show user-identity ad-agent command in privileged EXEC mode.

show user-identity ad-agent [ statistics ]

 
Syntax Description

statistics

(Optional) Displays statistical information about the AD Agent.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.4(2)

The command was introduced.

 
Usage Guidelines

You can monitor the AD Agent component of the Identity Firewall.

Use the show user-identity ad-agent command to obtain troubleshooting information for the AD Agent. This command displays the following information about the primary and secondary AD Agents:

  • Status of the AD Agents
  • Status of the domains
  • Statistics for the AD Agents

 

Table 14-1 Description of the Command Output

Type
Values
Description

Mode

Configuration mode

Specifies full download or on-demand download.

AD Agent IP Address

IP address

Displays the active AD Agent IP address.

Backup

IP address

Displays the backup AD Agent IP address.

AD Agent Status

  • Disabled
  • Down
  • Up (registered)
  • Probing
  • The Identity Firewall is disabled.
  • The AD Agent is down.
  • The AD Agent is up and running.
  • The ASA is registered and the AD Agent is up and running.
  • The ASA is trying to connect to the AD Agent.

Authentication Port

udp/1645

Displays the AD Agent authentication port.

Accounting Port

udp/1646

Displays the AD Agent accounting port.

ASA Listening Port

udp/3799

Displays the ASA listening port.

Interface

Interface

Displays the interface that the ASA uses to contact the AD Agent.

IP Address

IP address

Displays the IP address that the ASA uses to contact the AD Agent.

Uptime

Time

Displays the AD Agent up time.

Average RTT

Milliseconds

Displays the average round trip time the ASA uses to contact the AD Agent.

Domain

Domain nickname

Status: up

Status: down

Displays the Microsoft Active Directory domain for the AD Agent.

Examples

This example shows how to display information for the AD Agent for the Identify Firewall:

ciscoasa# show user-identity ad-agent
Primary AD Agent:
Status up (registered)
Mode: full-download
IP address: 172.23.62.125
Authentication port: udp/1645
Accounting port: udp/1646
ASA Listening port: udp/3799
Interface: mgmt
Up time: 15 mins 41 secs
Average RTT: 57 msec
 
Secondary AD Agent:
Status up
Mode: full-download
IP address: 172.23.62.136
Authentication port: udp/1645
Accounting port: udp/1646
ASA Listening port: udp/3799
Interface: mgmt
Up time: 7 mins 56 secs
Avg RTT: 15 msec

 
Related Commands

Command
Description

clear user-identity ad-agent statistics

Clears the statistics data of AD Agents maintained by the ASA for the Identity Firewall.

user-identity enable

Creates the Cisco Identify Firewall instance.

show user-identity ad-group-members

Displays the group members in the domain of the AD Agent for the Identify Firewall.

show user-identity ad-group-members

To display the group members in the domain of the AD Agent for the Identify Firewall, use the show user-identity ad-group-members command in privileged EXEC mode.

show user-identity ad-group-members [ domain_nickname \] user_group_name [ timeout seconds seconds ]

 
Syntax Description

domain_nickname

(Optional) Specifies the domain name for the Identity Firewall.

timeout seconds seconds

(Optional) Sets a timer for retrieving group member statistics and specifies the length of time for the timer.

user_group_name

(Optional) Specifies the group name from which to retrieve statistics.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.4(2)

The command was introduced.

 
Usage Guidelines

The show user-identity ad-group-members command displays the immediate members (the users and groups) of the specified user group.


NoteThis command does not display information for locally defined groups on the ASA configured with the This command does not display information for locally defined groups on the ASA configured with the object-group user command.


The ASA sends an LDAP query for the Active Directory groups configured on the Active Directory server. Running this command is equivalent to running an LDAP browser command that allows you to check members of a specified user group. ASA issues one level of LDAP query to retrieve the immediate members of the specified group in the distinguishedName format. Running this command does not update the ASA internal cache of imported user groups.

When you do not specify domain_nickname , the ASA displays information for the group that has user_group_name in the default domain. The argument domain_nickname can be the real domain nickname or LOCAL.

The group name is the AD group’s unique sAMAccountName not the CN name. To display information for a specific group sAMAccountName, use the show user-identity ad-groups filter filter_string command to retrieve group’s sAMAccountName.

Examples

This example shows how to display members of the group sample1 for the Identity Firewall:

ciscoasa# show user-identity ad-group-member group.sample1
Domain:CSCO AAA Server Group: CISCO_AD_SERVER
Group Member List Retrieved Successfully
Number of Members in AD Group group.schiang: 12
dn: CN=user1,OU=Employees,OU=Cisco Users,DC=cisco,DC=com
dn: CN=user2,OU=Employees,OU=Cisco Users,DC=cisco,DC=com
...

 
Related Commands

Command
Description

user-identity enable

Creates the Cisco Identify Firewall instance.

show user-identity ad-groups

Displays information about the AD Agent for the Identify Firewall.

show user-identity ad-groups

To display information for a specific group for the Identify Firewall, use the show user-identity ad-groups command in privileged EXEC mode.

show user-identity ad-groups domain_nickname { filter filter_string | import-user-group [ count ]}

 
Syntax Description

count

(Optional) Displays the number of activated groups.

domain_nickname

Specifies the domain name for the Identity Firewall.

filter filter_string

Specifies to displays groups that contain the specified filter string in the CN attribute of the domain controller of the Microsoft Active Directory.

import-user-group

Displays only the activated groups for the Identity Firewall.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.4(2)

The command was introduced.

 
Usage Guidelines

When you run the show user-identity ad-groups command, the ASA sends an LDAP query to the Microsoft Active Directory to retrieve all user groups that are part of the specified domain nickname. The argument domain_nickname can be the real domain nickname or LOCAL. The ASA only retrieves groups that have the group objectclass attribute. The ASA displays the retrieved groups in distinguishedName format.

When you specify the filter filter_string keyword and argument, the ASA displays groups that contain the specified filter string in the CN attribute of the domain controller. Because the access-list and object-group commands only take sAMAccountName, you can run the show user-identity ad-users filter filter_string command to retrieve the sAMAccountName for a group. When you do not specify filter filter_string , the ASA displays all Active Directory groups.

When you specify the import-user-group count keywords, the ASA displays all Active Directory groups that are activated (because they are part an access-group, import-user-group, or service-policy configuration) and stored in the local database. The ASA only displays the sAMAccountName for the groups.

Examples

These examples show how to display user groups that are part of the specified domain nickname for the Identity Firewall:

ciscoasa# show user-identity ad-groups CSCO filter sampleuser1
Domain: CSCO AAA Server Group: CISCO_AD_SERVER
Group list retrieved successfully
Number of Active Directory Groups 6
dn: CN=group.reg.sampleuser1,OU=Organizational,OU=Cisco Groups,DC=cisco,DC=com
sAMAccountName: group.reg.sampleuser1
dn: CN=group.temp.sampleuser1,OU=Organizational,OU=Cisco Groups,DC=cisco,DC=com
sAMAccountName: group.temp.sampleuser1
...
 
 
ciscoasa# show user-identity ad-groups CSCO import-user-group count
Total AD groups in domain CSCO stored in local: 2
 
 
ciscoasa# show user-identity ad-groups CSCO import-user-group
Domain: CSCO
Groups:
group.SampleGroup1
group.SampleGroup2
...
 
 

This example shows how to run the command to apply a filter string to the results from an access-list and object-group command. Running the show user-identity ad-users CSCO filter SampleGroup1 command obtains the sAMAccountName of specified string:

ciscoasa# show user-identity ad-users CSCO filter SampleGroup1
Domain:CSCO AAA Server Group: CISCO_AD_SERVER
User list retrieved successfully
Number of Active Directory Users: 2
dn: CN=SampleUser1,OU=Employees,OU=Cisco Users,DC=cisco,DC=com
sAMAccountName: SampleUser2
dn: CN=SAMPLEUSER2-WXP05,OU=Workstations,OU=Cisco Computers,DC=cisco,DC=com
sAMAccountName: SAMPLEUSER2-WXP05$

 
Related Commands

Command
Description

user-identity enable

Creates the Cisco Identify Firewall instance.

show user-identity ad-users

To display Microsoft Active Directory users for the Identify Firewall, use the show user-identity ad-users command in privileged EXEC mode.

show user-identity ad-users domain_nickname [ filter filter_string ]

 
Syntax Description

domain_nickname

Specifies the domain name for the Identity Firewall.

filter filter_string

(Optional) Specifies to displays users that contain the specified filter string in the CN attribute of the domain controller of the Microsoft Active Directory.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.4(2)

The command was introduced.

 
Usage Guidelines

When you run the show user-identity ad-users command, the ASA sends an LDAP query to the Microsoft Active Directory to retrieve all users that are part of the specified domain nickname. The argument domain_nickname can be the real domain nickname or LOCAL.

When you specify the filter filter_string keyword and argument, the ASA displays users that contain the specified filter string in the CN attribute of the domain controller. The ASA sends an LDAP query for the Active Directory groups configured on the Active Directory server.

The ASA only retrieves users that have the user objectclass attribute and the samAccountType attribute 805306368. Other objects, such as machine objects, can be included in the user objectclass; however, the samAccountType 805306368 filters out the non-user objects. When you do not specify a filter string, the ASA displays all Active Directory users.

The ASA displays the retrieved users in distinguishedName format.

Examples

This example shows how to display information about Active Directory users for the Identity Firewall:

ciscoasa# show user-identity ad-users CSCO filter user
Domain: CSCO AAA Server Group: CISCO_AD_SERVER
User list retrieved successfully
Number of Active Directory Users: 10
dn: CN=sampleuser1,OU=Employees,OU=Cisco Users,DC=cisco,DC=com
sAMAccountName: sampleuser1
dn: CN=sampleuser2,OU=Employees,OU=Cisco Users,DC=cisco,DC=com
sAMAccountName: sampleuser2
dn: CN=user3,OU=Employees,OU=Cisco Users,DC=cisco,DC=com
sAMAccountName: user3
...

 
Related Commands

Command
Description

user-identity enable

Creates the Cisco Identify Firewall instance.

show user-identity group

To display the user groups configured for the Identify Firewall, use the show user-identity group command in privileged EXEC mode.

show user-identity group

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.4(2)

The command was introduced.

 
Usage Guidelines

Use the show user-identity group command to obtain troubleshooting information for the user groups configured for the Identity Firewall. The ASA sends an LDAP query for the Active Directory groups configured on the Active Directory server. This command displays the list of activated user groups in the following format:

domain \ group_name

The ASA only displays top groups that are applied to a security policy. The maximum number of activated top groups is 256. Groups are activated when they are part an access-group, import-user-group, or service-policy configuration.

Examples

This example shows how to display the activated groups for the Identity Firewall:

ciscoasa# show user-identity group
Group ID Activated Group Name (Domain\\Group)
-------- ------------------------------------
1 LOCAL\\og1
2 LOCAL\\marketing
3 CISCO\\group.sampleuser1
4 IDFW\\grp1
...

 
Related Commands

Command
Description

user-identity enable

Creates the Cisco Identify Firewall instance.

show user-identity ip-of-user

To display the IP address for a specified user for the Identify Firewall, use the show user-identity ip-of-user command in privileged EXEC mode.

show user-identity ip-of-user [ domain_nickname \] user-name [ detail ]

 
Syntax Description

detail

(Optional) Displays the detailed output about the user and IP address.

domain_nickname

(Optional) Specifies the domain name for the Identity Firewall.

user-name

Specifies the user for which to obtain an IP address.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.4(2)

The command was introduced.

 
Usage Guidelines

This command displays user information and the IP addresses for the specified user. Users can have more than one IP address associated with them.

When you do not specify the domain_nickname argument, the ASA displays information for the user with user_name in default domain. The argument domain_nickname can be the real domain nickname or LOCAL.

When you specify the detail keyword, the ASA displays the total number of active connections, the user-statistics period and the drops, and the input packets and output packets during the period over all IP addresses for the specified user. When you do not specify the detail option, the ASA displays only the domain nickname and status of each IP address.


NoteThe ASA displays detailed user statistics, such as received packets, sent packets and drops in the specified time period, only when you enable user-statistics scanning or accounting for the Identity Firewall. See the CLI configuration guide for information about configuring the Identity Firewall. The ASA displays detailed user statistics, such as received packets, sent packets and drops in the specified time period, only when you enable user-statistics scanning or accounting for the Identity Firewall. See the CLI configuration guide for information about configuring the Identity Firewall.


Examples

These examples show how to display IP addresses of specified users for the Identity Firewall:

ciscoasa# show user-identity ip-of-user sampleuser1
CSCO\172.1.1.1 (Login)
CSCO\172.100.3.23 (Login)
CSCO\10.23.51.3 (Inactive)
 
 
ciscoasa# show user-identity ip-of-user sampleuser1 detail
CSCO\172.1.1.1 (Login) Login time: 1440 mins; Idle time: 10 mins; 2 active conns
CSCO\172.100.3.23 (Login) Login time: 20 mins; Idle time: 10 mins; 10 active conns
CSCO\10.23.51.3 (Inactive) Login time: 3000 mins; Idle time: 2040 mins; 8 active conns
Total number of active connections: 20
1-hour recv packets: 12560
1-hour sent packets: 32560
20-min drops: 560
 
 
ciscoasa# show user-identity ip-of-user sampleuser2
ERROR: no such user
 
 
ciscoasa# show user-identity ip-of-user sampleuser3
ERROR: no IP address, user not login now
 

IPv6 support

ciscoasa# show user-identity ip-of-user sampleuser4
CSCO\172.1.1.1 (Login)
CSCO\8080:1:3::56 (Login)
CSCO\8080:2:3::34 (Inactive)
 
 
ciscoasa# show user-identity ip-of-user sampleuser4 detail
CSCO\172.1.1.1 (Login) Login time: 1440 mins; Idle time: 10 mins; 8 active conns
CSCO\8080:1:3::56 (Login) Login time: 20 mins; Idle time: 10 mins; 12 active conns
CSCO\8080:2:3::34 (Inactive) Total number of active connections: 20
1-hour recv packets: 12560
1-hour sent packets: 32560
20-min drops: 560

 
Related Commands

Command
Description

user-identity enable

Creates the Cisco Identify Firewall instance.

show user-identity user-of-ip

Displays the user information associated with the specified IP address

show user-identity memory

To display the memory of various modules of the Identify Firewall, use the show user-identity memory command in privileged EXEC mode.

show user-identity memory

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.4(2)

The command was introduced.

 
Usage Guidelines

You can monitor the memory usage that the Identity Firewall consumes on the ASA. Running the s how user-identity memory command displays the memory for user records, group records, host records, and their associated hash table. The ASA also displays the memory used by the identity-based tmatch table.

The command displays the memory usage in bytes of various modules in the Identity Firewall:

  • Users
  • Groups
  • User Statistics
  • LDAP

The ASA sends an LDAP query for the Active Directory groups configured on the Active Directory server. The Active Directory server authenticates users and generates user logon security logs.

  • AD Agent
  • Miscellaneous
  • Total Memory Usage

How you configure the Identity Firewall to retrieve user information from the AD Agent impacts the amount of memory used by the feature. You specify whether the ASA uses on demand retrieval or full download retrieval. Selecting On Demand has the benefit of using less memory as only users of received packets are queried and stored. See “Configuring Identity Options” in the CLI configuration guide for a description of these options.

Examples

This example shows how to display the memory status of the modules of the Identity Firewall:

ciscoasa# show user-identity memory
Users: 22416048 bytes
Groups: 320 bytes
User stats: 0 bytes
LDAP: 300 bytes
AD agent: 500 bytes
Misc: 32428 bytes
Total: 22449596 bytes
Users: 22416048 bytes
 

 
Related Commands

Command
Description

user-identity enable

Creates the Cisco Identify Firewall instance.

show user-identity statistics

To display statistics for a user or user group for the Identify Firewall, use the show user-identity statistics command in privileged EXEC mode.

show user-identity statistics [ user [ domain_nickname \] user_name | user-group [ domain_nickname \] user_group_name ]

 
Syntax Description

domain_nickname

(Optional) Specifies the domain name for the Identity Firewall.

user user_name

(Optional) Specifies the user name from which to retrieve statistics.

user-group domain_nickname\
user_group_name

(Optional) Specifies the group name from which to retrieve statistics.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.4(2)

The command was introduced.

 
Usage Guidelines

Run the show user-identity statistics command to display the statistics for a user or user group.

When you do not specify the domain_nickname argument with the user keyword, the ASA displays information for the user with user_name in default domain.

When you do not specify domain_nickname with the user-group keyword, the ASA displays information for the group that has user_group_name in the default domain. The argument domain_nickname can be the real domain nickname or LOCAL.

Examples

These examples show how to display statistics about users for the Identity Firewall:

ciscoasa# show user-identity statistics user
Current monitored users:11 Total not monitored users:0
Average(eps) Current(eps) Trigger Total events
User: CSCO\user1 tot-ses:4911 act-ses:1213 fw-drop:0 insp-drop:0 null-ses:4861 bad-acc:0
20-min Recv attack: 4 10 14 4861
1-hour Recv pkts: 1 10 0 4901
User: CSCO\user2 tot-ses:2456 act-ses:607 fw-drop:0 insp-drop:0 null-ses:2431 bad-acc:0
20-min Sent attack: 4 10 4 4862
1-hour Sent pkts: 0 5 0 2451
...
 
 
ciscoasa# show user-identity statistics user user1
Current Average(eps) Current(eps) Trigger Total events
User: -(user1-) tot-ses:4911 act-ses:1213 fw-drop:0 insp-drop:0 null-ses:4861 bad-acc:0
20-min Recv attack: 4 10 14 4861
1-hour Recv pkts: 1 10 0 4901
 

 
Related Commands

Command
Description

user-identity enable

Creates the Cisco Identify Firewall instance.

show user-identity statistics top user

To display statistics for the top 10 users for the Identify Firewall, use the show user-identity statistics top user command in privileged EXEC mode.

show user-identity statistics top user

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.4(2)

The command was introduced.

 
Usage Guidelines

The show user-identity statistics top user command displays statistics for received EPS packets, sent EPS packets, and sent attacks for the top 10 users. For each user (displayed as domain \ user_name ), the ASA displays the average EPS packet, the current EPS packet, the trigger, and total events for that user.

Examples

This example shows how to display information about the top 10 users for the Identity Firewall:

ciscoasa# show user-identity statistics top user
Top Name Id Average(eps) Current(eps) Trigger Total events
1-hour Recv pkts:
01 APAC\sampleuser1
0 0 0 391
1-hour Sent pkts:
01 APAC\sampleuser2
0 0 0 196
02 CSCO\sampleuser3
0 0 0 195
10-min Sent attack:
01 CSCO\sampleuser4
0 0 0 352
02 CSCO\sampleuser3
0 0 0 350

 
Related Commands

Command
Description

user-identity enable

Creates the Cisco Identify Firewall instance.

show user-identity user active

To display the active users for the Identify Firewall, use the show user-identity user active command in privileged EXEC mode.

show user-identity user active [ domain domain_nickname | user-group [ domain_nickname \] user_group_name | user [ domain_nickname \] user_name ] [ list [ detail ]]

 
Syntax Description

detail

(Optional) Displays the detailed output of the active user sessions.

domain domain_nickname

Displays statistics for the active users in a specified domain.

list

(Optional) Displays a list summarizing the active user statistics.

user domain_nickname\ user_name

(Optional) Displays statistic for a specified user.

user-group domain_nickname\ user_group_name

(Optional) Displays statistics for a specified user group.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.4(2)

The command was introduced.

 
Usage Guidelines

You can display information about all users contained in the IP-user mapping database used by the Identity Firewall.

The show user-identity user active command displays the following information for users:

  • domain \ user_name
  • Active Connections
  • Minutes Idle

The default domain name can be the real domain name, a special reserved word, or LOCAL. The Identity Firewall uses the LOCAL domain name for all locally defined user groups or locally defined users (users who log in and authenticate by using a VPN or web portal). When default domain is not specified, the default domain is LOCAL.

A user’s name is appended with the number of minutes idle. The login time and idle time are stored on a per user basis instead of per the IP address of a user.

When the user-group keyword is specified, only the activated user-groups are displayed. Groups are activated when they are part an access-group, import-user-group, or service-policy configuration.

When you do not specify domain_nickname with the user-group keyword, the ASA displays information for the group that has user_group_name in the default domain.


NoteWhen the When the user-identity action domain-controller-down is configured with the disable-user-identity-rule keyword and the specified domain is down, or when user-identity action ad-agent-down command is configured with the disable-user-identity-rule keyword and the AD agent is down, all the logged on users are displayed as disabled in the user statistics.



NoteThe ASA displays detailed user statistics, such as received packets, sent packets and drops in the specified time period, only when you enable user-statistics scanning or accounting for the Identity Firewall. See the CLI configuration guide for information about configuring the Identity Firewall. The ASA displays detailed user statistics, such as received packets, sent packets and drops in the specified time period, only when you enable user-statistics scanning or accounting for the Identity Firewall. See the CLI configuration guide for information about configuring the Identity Firewall.


Examples

The following examples show how to display information about active users for the Identity Firewall:

ciscoasa# show user-identity user active
Total active users: 30 Total IP addresses: 35
LOCAL: 0 users, 0 IP addresses
cisco.com: 0 users, 0 IP addresses
d1: 0 users, 0 IP addresses
IDFW: 0 users, 0 IP addresses
idfw.com: 0 users, 0 IP addresses
IDFWTEST: 30 users, 35 IP addresses
 
 
ciscoasa# show user-identity user active domain CSCO
Total active users: 48020 Total IP addresses:10000
CSCO: 48020 users, 10000 IP addresses
 
 
ciscoasa# show user-identity user active domain CSCO list
Total active users: 48020 Total IP addresses: 10000
CSCO: 48020 users, 10000 IP addresses
CSCO\sampleuser1: 20 active conns; idle 0 mins
CSCO\member-1: 20 active conns; idle 5 mins
CSCO\member-2: 20 active conns; idle 20 mins
CSCO\member-3: 3 active conns; idle 101 mins
 
 
ciscoasa# show user-identity user active list
Total active users: 48032 Total IP addresses: 10000
CSCO\sampleuser1: 20 active conns; idle 0 mins
CSCO\member-1: 20 active conns; idle 6 mins
APAC\sampleuser2: 20 active conns; idle 0 mins
CSCO\member-2: 20 active conns; idle 1 mins
CSCO\member-3: 20 active conns; idle 0 mins
APAC\member-2: 20 active conns; idle 22 mins
CSCO\member-4: 3 active conns; idle 101 mins
ciscoasa# show user-identity user active list detail
Total active users: 48032 Total IP addresses: 10010
CSCO: 48020 users, 10000 IP addresses
APAC: 12 users, 10 IP addresses
CSCO\sampleuser1: 20 active conns; idle 0 mins
172.1.1.1: login 360 mins, idle 0 mins, 15 active conns
172.100.3.23: login 200 min, idle 15 mins , 5 active conns
10.23.51.3: inactive
1-hour recv packets: 12560
1-hour sent packets: 32560
20-min drops: 560
CSCO\member-1: 4 active connections; idle 350 mins
APAC\sampleuser12: 3 active conns; idle 101 mins
172.1.1.1: login 360 mins, idle 101 mins, 1 active conns
172.100.3.23: login 200 min, idle 150 mins, 2 active conns
10.23.51.3: inactive
1-hour recv packets: 12560
1-hour sent packets: 32560
20-min drops: 560
 
 
ciscoasa# show user-identity user active list detail
Total users: 25 Total IP addresses: 5
LOCAL\idfw: 0 active conns
6.1.1.1: inactive
cisco.com\sampleuser1: 0 active conns
cisco.com\sampleuser2: 0 active conns
cisco.com\sampleuser3: 0 active conns
20.0.0.3: login 0 mins, idle 0 mins, 0 active conns (disabled)
cisco.com\sampleuser4: 0 active conns; idle 0 mins
20.0.0.2: login 0 mins, idle 0 mins, 0 active conns (disabled)
cisco.com\sampleuser5: 0 active conns
...
 
 
ciscoasa# show user-identity user active user sampleuser1 list detail
CSCO\sampleuser1: 20 active conns; idle 3 mins
172.1.1.1: login 360 mins, idle 20 mins, 15 active conns
172.100.3.23: login 200 mins, idle 3 mins, 5 active conns
10.23.51.3: inactive
1-hour recv packets: 12560
1-hour sent packets: 32560
20-min drops: 560
 
 
ciscoasa# show user-identity user active user APAC\sampleuser2
APAC\sampleuser2: 20 active conns; idle 2 mins
 
 
ciscoasa# show user-identity user active user-group APAC\\marketing list
 
APAC\sampleuser1: 20 active conns; idle 2 mins
APAC\member-1: 20 active conns; idle 0 mins
APAC\member-2: 20 active conns; idle 0 mins
APAC\member-3: 20 active conns; idle 6 mins
...
 
ciscoasa# show user-identity user active user-group APAC\\inactive list
ERROR: group is not activated

 
Related Commands

Command
Description

clear user-identity active-user-database

Sets the status of a specified user, all users belong to a specified user group, or all users to logged out for the Identity Firewall.

user-identity enable

Creates the Cisco Identify Firewall instance.

show user-identity user all

To display statistics about users for the Identify Firewall, use the show user-identity user all command in privileged EXEC mode.

show user-identity user all [ list ] [ detail ]

 
Syntax Description

detail

(Optional) Displays the detailed output about all users for the Identity Firewall.

list

(Optional) Displays a list summarizing the statistics for all users for the Identity Firewall.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.4(2)

The command was introduced.

 
Usage Guidelines

Use the show user-identity all command to display information for all users contained in the IP-user mapping database used by the Identity Firewall.

When you include the detail keyword with this command and the command output shows an IP address is inactive, the IP address is not associated with the user. Searching for the user associated with that IP address will return an error.


NoteWhen the When the user-identity action domain-controller-down is configured with the disable-user-identity-rule keyword and the specified domain is down, or when user-identity action ad-agent-down command is configured with the disable-user-identity-rule keyword and the AD agent is down, all the logged on users are displayed as disabled in the user statistics.



NoteThe ASA displays detailed user statistics, such as received packets, sent packets and drops in the specified time period, only when you enable user-statistics scanning or accounting for the Identity Firewall. See the CLI configuration guide for information about configuring the Identity Firewall. The ASA displays detailed user statistics, such as received packets, sent packets and drops in the specified time period, only when you enable user-statistics scanning or accounting for the Identity Firewall. See the CLI configuration guide for information about configuring the Identity Firewall.


Examples

The following examples show how to display statistics about all users for the Identity Firewall:

ciscoasa# show user-identity user all list
Total inactive users: 1201 Total IP addresses: 100
 
 
ciscoasa# show user-identity user all list
Total users: 7
LOCAL\idfw: 0 active conns
cisco.com\sampleuser1: 0 active conns
cisco.com\sampleuser2: 0 active conns
cisco.com\sampleuser3: 0 active conns
cisco.com\sampleuser4: 0 active conns; idle 300 mins
cisco.com\sampleuser5: 0 active conns
cisco.com\sampleuser6: 0 active conns
cisco.com\sampleuser7: 0 active conns
 
 
ciscoasa# show user-identity user all list detail
Total users: 7 Total IP addresses: 3
LOCAL\idfw: 0 active conns
10.1.1.1: inactive
cisco.com\sampleuser1: 0 active conns
cisco.com\sampleuser2: 0 active conns
cisco.com\sampleuser3: 0 active conns; idle 300 mins
171.69.42.8: inactive
10.0.0.2: login 300 mins, idle 300 mins, 5 active conns
cisco.com\sampleuser4: 0 active conns
cisco.com\sampleuser5: 0 active conns
cisco.com\sampleuser6: 0 active conns
1-hour recv packets: 12560
1-hour sent packets: 32560
20-min drops: 560

 
Related Commands

Command
Description

user-identity enable

Creates the Cisco Identify Firewall instance.

show user-identity user inactive

To display information about the inactive users for the Identify Firewall, use the show user-identity user inactive command in privileged EXEC mode.

show user-identity user inactive [ domain domain_nickname | user-group [ domain_nickname \] user_group_name ]

 
Syntax Description

domain domain_nickname

(Optional) Displays statistics for the inactive users in the specified domain name for the Identity Firewall.

user-group domain_nickname\
user_group_name

(Optional) Displays statistics for the inactive users in the specified user group.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.4(2)

The command was introduced.

 
Usage Guidelines

Use the show user-identity user inactive command to display information about users who have no active traffic for longer than the value configured with the user-identity inactive-user-timer command.

When the user-group keyword is specified, only the activated user-groups are displayed. Groups are activated when they are part an access-group, import-user-group, or service-policy configuration.

When you do not specify domain_nickname with the user-group keyword, the ASA displays information for the group that has user_group_name in the default domain. The argument domain_nickname can be the real domain nickname or LOCAL.

Examples

These examples show how to display the status of inactive users for the Identity Firewall:

ciscoasa# show user-identity user inactive
Total inactive users: 1201
APAC\sampleuser1
CSCO\sampleuser2
172.1.1.1: inactive …
...
 
ciscoasa# show user-identity user inactive domain CSCO
Total inactive users: 1101
CSCO: 1101
CSCO\sampleuser1
CSCO\sampleuser2
CSCO\sampleuser3
...
 
 
ciscoasa# show user-identity user inactive user-group CSCO\\marketing
Total inactive users: 21
CSCO\sampleuser1
CSCO\sampleuser2
...
 

 
Related Commands

Command
Description

user-identity enable

Creates the Cisco Identify Firewall instance.

user-identity inactive-user-timer

Specifies the amount of time before a user is considered idle for the Cisco Identify Firewall instance.

show user-identity user-not-found

To display the IP addresses of the Active Directory users not found for the Identify Firewall, use the show user-identity user-not-found command in privileged EXEC mode.

show user-identity user-not-found

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.4(2)

The command was introduced.

 
Usage Guidelines

Use the show user-identity user-not-found command to display the IP addresses of the users who are not found in Microsoft Active Directory.

The ASA maintains a local user-not-found database of these IP addresses. The ASA keeps only the last 1024 packets (contiguous packets from the same source IP address are treated as one packet) of the user-not-found list and not the entire list in the database.

Examples

This example shows how to display information about not-found users for the Identity Firewall:

ciscoasa# show user-identity user-not-found
172.13.1.2
171.1.45.5
169.1.1.2
172.13.12

 
Related Commands

Command
Description

clear user-identity user-not-found

Clears the ASA local user-not-found database for the Identity Firewall.

user-identity enable

Creates the Cisco Identify Firewall instance.

user-identity user-not-found

Enables user-not-found tracking for the Identify Firewall.

show user-identity user-of-group

To display the users of a specified user group for the Identify Firewall, use the show user-identity user-of-group command in privileged EXEC mode.

show user-identity user-of-group [ domain_nickname \] user_group_name

 
Syntax Description

domain_nickname

Specifies the domain name for the Identity Firewall.

user_group_name

Specifies the user group for which to display statistics.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.4(2)

The command was introduced.

 
Usage Guidelines

Use the show user-identity user-of-group command to display users whose group ID matches the specified user group. (The ASA scans the IP-user hash list for this information and rather than sending an LDAP query to Active Directory. The AD Agent maintains a cache of user ID and IP address mappings and notifies the ASA of changes.)

The user group name you specify must be activated, meaning the group is an import user group (defined as a user group in an access list or service policy configuration) or a local user group (defined in an object-group user).

The group can have more than one user member. The members of the user group are all immediate members (including users and groups) of the specified group.

When you do not specify domain_nickname with the user_group_name argument, the ASA displays information for the group that has user_group_name in the default domain. The argument domain_nickname can be the real domain nickname or LOCAL.

When the command out put indicates a user’s status is inactive, the user can be logged out or has never logged in.

Examples

These examples show how to display users of a specified user group for the Identity Firewall:

ciscoasa# show user-identity user-of-group group.samplegroup1
Group: CSCO\\group.user1 Total users: 13
CSCO\user2 10.0.0.10(Login) 20.0.0.10(Inactive) …
CSCO\user3 10.0.0.11(Inactive)
CSCO\user4 10.0.0.12 (Login)
CSCO\user5 10.0.0.13 (Login)
CSCO\user6 10.0.0.14 (Inactive)
....
 
 
ciscoasa# show user-identity user-of-group group.local1
Group: LOCAL\\group.local1 Total users: 2
CSCO\user1 10.0.4.12 (Login)
LOCAL\user2 10.0.3.13 (Login)

 
Related Commands

Command
Description

user-identity enable

Creates the Cisco Identify Firewall instance.

show user-identity user-of-ip

To display information about a user with a specific IP address for the Identify Firewall, use the show user-identity user-of-ip command in privileged EXEC mode.

show user-identity user-of-ip ip_address [ detail ]

 
Syntax Description

detail

(Optional) Displays the detailed output about user with the specified IP address.

ip_address

Indicates the IP address of the user for which to display information.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.4(2)

The command was introduced.

 
Usage Guidelines

Use the show user-identity user-of-ip command to display the user information associated with the specified IP address.

When you specify the detail keyword, the ASA displays user login time, idle time, the number of active connections, the user-statistics period and the drops, and the input packets and output packets during the period. When you do not specify the detail keyword, the ASA only displays the domain nickname, user name, and status.

When user status is inactive, the user can be logged out or has never logged in.

When you include the detail keyword with this command and the command output for an IP address displays an error, the IP address is inactive, meaning that the IP address is not associated with a user.


NoteThe ASA displays detailed user statistics, such as received packets, sent packets and drops in the specified time period, only when you enable user-statistics scanning or accounting for the Identity Firewall. See the CLI configuration guide for information about configuring the Identity Firewall. The ASA displays detailed user statistics, such as received packets, sent packets and drops in the specified time period, only when you enable user-statistics scanning or accounting for the Identity Firewall. See the CLI configuration guide for information about configuring the Identity Firewall.


Examples

These examples show how to display the status of the active users for the Identity Firewall:

ciscoasa# show user-identity user-of-ip 172.1.1.1
CSCO\sampleuser1 (Login)
ciscoasa# show user-identity user-of-ip 172.1.1.1 detail
CSCO\sampleuser1 (Login) Login time: 240 mins; Idle time: 10 mins
Number of active connections: 20
1-hour sent packets: 3678
1-hour rcvd packets: 1256
20-min sent drops: 60
 
 
ciscoasa# show user-identity user-of-ip 172.1.2.2 detail
CSCO\sampleuser2 (Login) Login time: 1440 mins; Idle time: 100 mins
Number of active connections: 0
1-hour sent packets: 3678
1-hour rcvd packets: 1256
20-min sent drops: 60
 
 
ciscoasa# show user-identity user-of-ip 172.1.7.7
ERROR: no user with this IP address
 

IPv6 Support

ciscoasa# show user-identity user-of-ip 8080:1:1::4
CSCO\sampleuser1 (Login)
ciscoasa# show user-identity user-of-ip 8080:1:1::4 detail
CSCO\sampleuser1 (Login) Login time: 240 mins; Idle time: 10 mins
Number of active connections: 20
1-hour sent packets: 3678
1-hour rcvd packets: 1256
20-min sent drops: 60
 
 
ciscoasa# show user-identity user-of-ip 8080:1:1::6 detail
CSCO\sampleuser2 (Login) Login time: 1440 mins; Idle time: 100 mins
Number of active connections: 0
1-hour sent packets: 3678
1-hour rcvd packets: 1256
20-min sent drops: 60
 
ciscoasa# show user-identity user-of-ip 8080:1:1::100
ERROR: no user with this IP address

 
Related Commands

Command
Description

user-identity enable

Creates the Cisco Identify Firewall instance.

show version

To display the software version, hardware configuration, license key, and related uptime data, use the show version command in user EXEC mode.

show version

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behaviors or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.2(1)

In stateful failover mode, an additional line showing cluster uptime is displayed.

8.3(1)

The output now includes whether a feature uses the permanent or time-based key, as well as the duration of the time-based key in use.

8.4(1)

Support for No Payload Encryption models (NPE) was added.

 
Usage Guidelines

The show version command allows you to display the software version, operating time since the last reboot, processor type, Flash partition type, interface boards, serial number (BIOS ID), activation key value, license type, and time stamp for when the configuration was last modified.

The serial number listed with the show version command is for the flash partition BIOS. This number is different from the serial number on the chassis. When you get a software upgrade, you will need the serial number that appears in the show version command, not the chassis number.

The failover cluster uptime value indicates how long a failover set has been running. If one unit stops running, the uptime value continues to increase as long as the active unit continues to operate. Therefore, it is possible for the failover cluster uptime to be greater than the individual unit uptime. If you temporarily disable failover, and then reenable it, the failover cluster uptime reports the time the unit was up before failover was disabled plus the time the unit was up while failover was disabled.

If you have a No Payload Encryption model, then when you view the license, VPN and Unified Communications licenses will not be listed.

For the Total VPN Peers on the ASA 5505, the total combined number of VPN sessions of all types depends on your licenses. If you enable AnyConnect Essentials, then the total is the model maximum of 25. If you enable AnyConnect Premium, then the total is the AnyConnect Premium value plus the Other VPN value, not to exceed 25 sessions. Unlike other models, where the Other VPN value equals the model limit for all VPN sessions, the ASA 5505 has a lower Other VPN value than the model limit, so the total value can vary depending on the AnyConnect Premium license.

 

Examples

The following is sample output from the show version command, and shows the software version, hardware configuration, license key, and related uptime information. Note that in an environment where stateful failover is configured an additional line showing the failover cluster uptime is displayed. If failover is not configured, the line is not displayed. This display shows a warning message about minimum memory requirements.

 
*************************************************************************
** **
** *** WARNING *** WARNING *** WARNING *** WARNING *** WARNING *** **
** **
** ----> Minimum Memory Requirements NOT Met! <---- **
** **
** Installed RAM: 512 MB **
** Required RAM: 2048 MB **
** Upgrade part#: ASA5520-MEM-2GB= **
** **
** This ASA does not meet the minimum memory requirements needed to **
** run this image. Please install additional memory (part number **
** listed above) or downgrade to ASA version 8.2 or earlier. **
** Continuing to run without a memory upgrade is unsupported, and **
** critical system features will not function properly. **
** **
*************************************************************************
 
Cisco Adaptive Security Appliance Software Version 8.4(1)
Device Manager Version 6.4(1)
 
Compiled on Thu 20-Jan-12 04:05 by builders
System image file is "disk0:/cdisk.bin"
Config file at boot was "disk0:/tomm_backup.cfg"
asa3 up 3 days 3 hours
 
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 64MB
Slot 1: ATA Compact Flash, 128MB
BIOS Flash AT49LW080 @ 0xfff00000, 1024KB
 
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPsec microcode : CNlite-MC-IPSECm-MAIN-2.06
0: Ext: GigabitEthernet0/0 : address is 0013.c480.82ce, irq 9
1: Ext: GigabitEthernet0/1 : address is 0013.c480.82cf, irq 9
2: Ext: GigabitEthernet0/2 : address is 0013.c480.82d0, irq 9
3: Ext: GigabitEthernet0/3 : address is 0013.c480.82d1, irq 9
4: Ext: Management0/0 : address is 0013.c480.82cd, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
 
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 10 perpetual
GTP/GPRS : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Enabled perpetual
Shared AnyConnect Premium Peers : 12000 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 12 62 days
Total UC Proxy Sessions : 12 62 days
Botnet Traffic Filter : Enabled 646 days
Intercompany Media Engine : Disabled perpetual
 
This platform has a Base license.
The flash permanent activation key is the SAME as the running permanent key.
 
Active Timebased Activation Key:
0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285
Botnet Traffic Filter : Enabled 646 days
0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2
Total UC Proxy Sessions : 10 62 days
 
Serial Number: JMX0938K0C0
Running Permanent Activation Key: 0xce06dc6b 0x8a7b5ab7 0xa1e21dd4 0xd2c4b8b8 0xc4594f9c
Running Timebased Activation Key: 0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285
Configuration register is 0x1
Configuration last modified by docs at 15:23:22.339 EDT Fri Oct 30 2012
 

The following message appears if you enter the show version command after the eject command has been executed, but the device has not been physically removed:

Slot 1: Compact Flash has been ejected!
It may be removed and a new device installed.
 

 
Related Commands

Command
Description

eject

Allows shutdown of external compact flash device before physical removal from the ASA.

show hardware

Displays detail hardware information.

show serial

Displays the hardware serial information.

show uptime

Displays how long the ASA has been up.

show vlan

To display all VLANs configured on the ASA, use the show vlan command in privileged EXEC mode.

show vlan

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes

  • Yes

 
Command History

Release
Modification

7.2(1)

This command was introduced.

Examples

The following example displays the configured VLANs:

ciscoasa# show vlan
10-11,30,40,300
 

 
Related Commands

Command
Description

clear interface

Clears counters for the show interface command.

interface

Configures an interface and enters interface configuration mode.

show interface

Displays the runtime status and statistics of interfaces.

show vm

To display virtual platform information on the ASAv, use the show vm command in privileged EXEC mode.

show vm

 
Syntax Description

This command has no keywords or arguments.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes

  • Yes

 
Command History

Release
Modification

9.2(1)

This command was introduced.

 
Usage Guidelines

For the ASAv, note the following licensing guidelines:

  • The number of allowed vCPUs is determined by the vCPU platform license installed.

If the number of licensed vCPUs matches the number of provisioned vCPUs, the state is Compliant.

If the number of licensed vCPUs is less than the number of provisioned vCPUs, the state is Noncompliant: Over-provisioned.

If the number of licensed vCPUs is more than the number of provisioned vCPUs, the state is Compliant: Under-provisioned.

  • The memory limit is determined by the number of vCPUs provisioned.

If the provisioned memory is at the allowed limit, the state is Compliant.

If the provisioned memory is above the allowed limit, the state is Noncompliant: Over-provisioned.

If the provisioned memory is below the allowed limit, the state is Compliant: Under-provisioned.

  • The Frequency Reservation limit is determined by the number of vCPUs provisioned.

If the frequency reservation memory is at or above the required minimum (1000 MHz), the state is Compliant.

If the frequency reservation memory is below the required minimum (1000 MHz), the state is Compliant: Under-provisioned.

For example, the following output shows that no license has been applied. The number of allowed vCPUs refers to the number licensed, and Noncompliant: Over-provisioned indicates that the product is running with more resources than have been licensed.

Virtual platform CPU resources
------------------------------
Number of vCPUs : 1
Number of allowed vCPUs : 0
vCPU Status : Noncompliant: Over-provisioned
 

Examples

The following example displays the virtual platform information:

ciscoasa# show vm
 
Virtual Platform Resource Limits
--------------------------------
Number of vCPUs : 4
Processor Memory : 8192 MB
Minimum Processor Frequency : 1000 MHz
Maximum Processor Frequency : 20000 MHz
 
Virtual Platform Resource Status
--------------------------------
Number of vCPUs : 4 (Compliant)
Processor Memory : 8192 MB (Compliant)
Processor Frequency Reservation : 1000 MHz (Compliant)
Processor Frequency Limit : 20000 MHz (Compliant)
Average Usage (30 seconds) : 103 MHz

 
Related Commands

Command
Description

show cpu detail

Shows vCPU information on a per-vCPU basis.

show vpn load-balancing

To display the runtime statistics for the VPN load-balancing virtual cluster configuration, use the show vpn-load-balancing command in global configuration, privileged EXEC, or VPN load-balancing mode.

show vpn load-balancing

 
Syntax Description

This command has no variables or arguments.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes

  • Yes

Privileged EXEC

  • Yes

  • Yes

Vpn load-balancing

  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

7.1(1)

Added separate IPsec and SSL columns for both Load (%) display and Session display in the output example.

8.4(2)

New information was added to the displayed output.

 
Usage Guidelines

The show vpn load-balancing command displays statistical information for the virtual VPN load-balancing cluster. If the local device is not participating in the VPN load-balancing cluster, this command indicates that VPN load balancing has not been configured for this device.

The asterisk (*) in the output indicates the IP address of the ASA to which you are connected.

Examples

This example displays show vpn load-balancing command and its output for a situation in which the local device is participating in the VPN load-balancing cluster:

ciscoasa# sh vpn load-balancing
--------------------------------------------------------------------------
Status Role Failover Encryption Cluster IP Peers
--------------------------------------------------------------------------
Enabled Master n/a Disabled 192.0.2.255 0
 
Peers:
--------------------------------------------------------------------------
Public IP Role Pri Model Load-Balancing Version
--------------------------------------------------------------------------
192.0.2.255 Master 5 ASA-5520 3
 
Total License Load:
--------------------------------------------------------------------------
Public IP AnyConnect Premium/Essentials Other VPN
------------------------------- ---------------------
Limit Used Load Limit Used Load
--------------------------------------------------------------------------
192.0.2.255 750 0 0% 750 1 0%
 
Licenses Used By Inactive Sessions :
--------------------------------------------------------------------------
Public IP AnyConnect Premium/Essentials Inactive Load
--------------------------------------------------------------------------
192.0.2.255 0 0%
 

On the primary device, the Total License Load output includes information about the primary and backup device; however, the backup device only shows information about itself and not the primary device. Thus, the primary device knows about all licensed members, but the licensed members themselves only know about their own licenses.

The output also contains a License Used by Inactive Session section. When an AnyConnect session goes inactive, the ASA keeps that session as long as the session has not terminated by normal means. That way, AnyConnect sessions can reconnect using the same webvpn cookie and not have to re-authenticate. The inactive sessions will remain in that state until either the AnyConnect client resumes the session or an idle timeout occurs. The licenses for those sessions are maintained for these inactive sessions and are represented in this License Used by Inactive Session section.

If the local device is not participating in the VPN load-balancing cluster, the show vpn load-balancing command shows a different result:

ciscoasa(config)# show vpn load-balancing
VPN Load Balancing has not been configured.

 
Related Commands

Command
Description

clear configure vpn load-balancing

Removes vpn load-balancing command statements from the configuration.

show running-config vpn load-balancing

Displays the the current VPN load-balancing virtual cluster configuration.

vpn load-balancing

Enters vpn load-balancing mode.

show vpn-sessiondb

To display information about VPN sessions, use the show vpn-sessiondb command in privileged EXEC mode.The command includes options for displaying information in full or in detail, lets you specify type of sessions to display, and provides options to filter and sort the information. The syntax table and usage notes organize the choices accordingly

show vpn-sessiondb [detail] [ ospfv3 ] [ failover ] [full] [summary] [ratio {encryption | protocol}] [license-summary] {anyconnect | email-proxy | index indexnumber | l2l | ra-ikev1-ipsec | vpn-lb | webvpn} [filter {name username | ipaddress IPaddr | a-ipaddress IPaddr | p-ipaddress IPaddr | tunnel-group groupname | protocol protocol-name | encryption encryption-algo | inactive } ] [sort {name | ipaddress | a-ipaddress | p-ip address | tunnel-group | protocol | encryption | inactivity}]

 
Syntax Description

anyconnect

Displays AnyConnect VPN client sessions, including OSPFv3 session information.

detail

(Optional) Displays extended details about a session. For example, using the detail option for an IPsec session displays additional details such as the IKE hashing algorithm, authentication mode, and rekey interval.

If you choose detail, and the full option, the ASA displays the detailed output in a machine-readable format.

email-proxy

Displays email-proxy sessions.

encryption

Displays the ratio of encryption types as a ratio of the total number of sessions.

failover

Displays the session information for the failover IPsec tunnels.

filter filter_criteria

(Optional) Filters the output to display only the information you specify by using one or more of the filter options. For a list of filter_criteria options, see the “Usage Guidelines” section.

full

(Optional) Displays streamed, untruncated output. Output is delineated by | characters and a || string between records.

index indexnumber

Displays a single session by index number. Specifies the index number for the session, which ranges from 1 - 750.

l2l

Displays VPN LAN-to-LAN session information.

license-summary

Displays VPN license summary information.

ospfv3

Displays OSPFv3 session information.

protocol

Displays the ratio of protocol types as a ratio of the total number of sessions.

ra-ikev1-ipsec

Displays IPsec IKEv1 sessions.

sort sort_criteria

(Optional) Sorts the output according to the sort option you specify. For a list of sort_criteria options, see the “Usage Guidelines” section.

summary

Displays VPN session summary information.

vpn-lb

Displays VPN load balancing management sessions.

webvpn

Displays clientless SSL VPN sessions, including OSPFv3 session information.

 
Defaults

There is no default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes

  • Yes

 
Command History

Release
Modification

7.2(1)

This command was introduced.

8.0(2)

Added VLAN field description.

8.0(5)

Added inactive as a filter option and inactivity as a sort option.

8.2(1)

License information was added to the output.

8.4(1)

The svc keyword was changed to anyconnect. The remote keyword was changed to ra-ikev1-ipsec. The ratio keyword was added.

9.0(1)

The ospfv3 keyword was added, and the OSPFv3 session information is now included in the VPN session summary.

The fitler a-ipversion and filter p-ipversion options were added to allow filtering on all AnyConnect, LAN-to-LAN, and Clientless SSL VPN sessions assigned IPv4 or IPv6 addresses.

9.1(2)

We added the failover tunnel type and failover keyword to support failover IPsec tunnels. See the failover ipsec pre-shared-key command.

9.1(4)

Output when using the detail anyconnect options has been updated to reflect the assigned IPv6 address and to indicate the GRE Transport Mode security association when doing IKEv2 dual traffic.

 
Usage Guidelines

You can use the following options to filter and to sort the session display:

Filter/Sort Option
Description

filter a-ipaddress IPaddr

Filters the output to display information for the specified assigned IP address or addresses only.

sort a-ipaddress

Sorts the display by assigned IP addresses.

filter a-ipversion {v4 | v6}

Filters the output to display information about all AnyConnect sessions assigned IPv4 or IPv6 addresses.

filter encryption encryption-algo

Filters the output to display information for sessions using the specified encryption algorithm(s) only.

sort encryption

Sorts the display by encryption algorithm. Encryption algorithms include: aes128, aes192, aes256, des, 3des, rc4

filter inactive

Filters inactive sessions which have gone idle and have possibly lost connectivity (due to hibernation, mobile device disconnection, and so on). The number of inactive sessions increases when TCP keepalives are sent from the ASA without a response from the AnyConnect client. Each session is time stamped with the SSL tunnel drop time. If the session is actively passing traffic over the SSL tunnel, 00:00m:00s is displayed.

Note The ASA does not send TCP keepalives to some devices (such as the iPhone, iPad, and iPod) to save battery life, so the failure detection cannot distinguish between a disconnect and a sleep. For this reason, the inactivity counter remains as 00:00:00 by design.

sort inactivity

Sorts inactive sessions.

filter ipaddress IPaddr

Filters the output to display information for the specified inside IP address or addresses only.

sort ipaddress

Sorts the display by inside IP addresses.

filter name username

sort name

Filters the output to display sessions for the specified username(s).

Sorts the display by usernames in alphabetical order.

filter p-address IPaddr

Filters the output to display information for the specified outside IP address only.

sort p-address

Sorts the display by the specified outside IP address or addresses.

filter p-ipversion {v4 | v6}

Filters the output to display information about all AnyConnect sessions originating from endpoints with IPv4 or IPv6 addresses.

filter protocol protocol-name

Filters the output to display information for sessions using the specified protocol(s) only.

sort protocol

Sorts the display by protocol. Protocols include: IKE, IMAP4S, IPsec, IPsecLAN2LAN, IPsecLAN2LANOverNatT, IPsecOverNatT, IPsecoverTCP, IPsecOverUDP, SMTPS, userHTTPS, vcaLAN2LAN

filter tunnel-group groupname

Filters the output to display information for the specified tunnel group(s) only.

sort tunnel-group

Sorts the display by tunnel group.

|

Modifies the output, using the following arguments: {begin | include | exclude | grep | [-v]} {reg_exp}

Examples

The following is sample output from the show vpn-sessiondb command:

ciscoasa# show vpn-sessiondb
 
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concur : Inactive
----------------------------------------------
AnyConnect Client : 1 : 78 : 2 : 0
SSL/TLS/DTLS : 1 : 72 : 2 : 0
IKEv2 IPsec : 0 : 6 : 1 : 0
Clientless VPN : 0 : 8 : 2
Browser : 0 : 8 : 2
---------------------------------------------------------------------------
Total Active and Inactive : 1 Total Cumulative : 86
Device Total VPN Capacity : 750
Device Load : 0%
---------------------------------------------------------------------------
 
---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concurrent
----------------------------------------------
IKEv2 : 0 : 6 : 1
IPsecOverNatT : 0 : 6 : 1
Clientless : 0 : 17 : 2
AnyConnect-Parent : 1 : 69 : 2
SSL-Tunnel : 1 : 75 : 2
DTLS-Tunnel : 1 : 56 : 2
---------------------------------------------------------------------------
Totals : 3 : 229
---------------------------------------------------------------------------
 
---------------------------------------------------------------------------
IPv6 Usage Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concurrent
----------------------------------------------
AnyConnect SSL/TLS/DTLS : : :
IPv6 Peer : 1 : 41 : 2
Tunneled IPv6 : 1 : 70 : 2
AnyConnect IKEv2 : : :
IPv6 Peer : 0 : 4 : 1
Clientless : : :
IPv6 Peer : 0 : 1 : 1
---------------------------------------------------------------------------

 

The following is sample output from the show vpn-sessiondb detail l2l command, showing detailed information about LAN-to-LAN sessions:

ciscoasa# show vpn-sessiondb detail l2l
Session Type: LAN-to-LAN Detailed
 
Connection : 172.16.0.0
Index : 1
IP Addr : 172.16.0.0
Protocol : IKEv2 IPsec
Encryption : IKEv2: (1)AES256 IPsec: (1)AES256
Hashing : IKEv2: (1)SHA1 IPsec: (1)SHA1
Bytes Tx : 240 Bytes Rx : 160
Login Time : 14:50:35 UTC Tue May 1 2012
Duration : 0h:00m:11s
IKEv2 Tunnels: 1
IPsec Tunnels: 1
 
IKEv2:
Tunnel ID : 1.1
UDP Src Port : 500 UDP Dst Port : 500
Rem Auth Mode: preSharedKeys
Loc Auth Mode: preSharedKeys
Encryption : AES256 Hashing : SHA1
Rekey Int (T): 86400 Seconds Rekey Left(T): 86389 Seconds
PRF : SHA1 D/H Group : 5
Filter Name :
IPv6 Filter :
 
IPsec:
Tunnel ID : 1.2
Local Addr : 10.0.0.0/255.255.255.0
Remote Addr : 209.165.201.30/255.255.255.0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel PFS Group : 5
Rekey Int (T): 120 Seconds Rekey Left(T): 107 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4608000 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Bytes Tx : 240 Bytes Rx : 160
Pkts Tx : 3 Pkts Rx : 2
 
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 13 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
 
 
The following is sample output from the show vpn-sessiondb detail index 1 command:
 
AsaNacDev# show vpn-sessiondb detail index 1
 
Session Type: Remote Detailed
 
Username : user1
Index : 1
Assigned IP : 192.168.2.70 Public IP : 10.86.5.114
Protocol : IPsec Encryption : AES128
Hashing : SHA1
Bytes Tx : 0 Bytes Rx : 604533
Client Type : WinNT Client Ver : 4.6.00.0049
Tunnel Group : bxbvpnlab
Login Time : 15:22:46 EDT Tue May 10 2005
Duration : 7h:02m:03s
Filter Name :
NAC Result : Accepted
Posture Token: Healthy
VM Result : Static
VLAN : 10
 
IKE Sessions: 1 IPsec Sessions: 1 NAC Sessions: 1
 
IKE:
Session ID : 1
UDP Src Port : 500 UDP Dst Port : 500
IKE Neg Mode : Aggressive Auth Mode : preSharedKeysXauth
Encryption : 3DES Hashing : MD5
Rekey Int (T): 86400 Seconds Rekey Left(T): 61078 Seconds
D/H Group : 2
 
IPsec:
Session ID : 2
Local Addr : 0.0.0.0
Remote Addr : 192.168.2.70
Encryption : AES128 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 26531 Seconds
Bytes Tx : 0 Bytes Rx : 604533
Pkts Tx : 0 Pkts Rx : 8126
 
NAC:
Reval Int (T): 3000 Seconds Reval Left(T): 286 Seconds
SQ Int (T) : 600 Seconds EoU Age (T) : 2714 Seconds
Hold Left (T): 0 Seconds Posture Token: Healthy
Redirect URL : www.cisco.com
 

The following is sample output from the show vpn-sessiondb ospfv3 command:

asa# show vpn-sessiondb ospfv3
 
Session Type: OSPFv3 IPsec
 
Connection :
Index : 1 IP Addr : 0.0.0.0
Protocol : IPsec
Encryption : IPsec: (1)none Hashing : IPsec: (1)SHA1
Bytes Tx : 0 Bytes Rx : 0
Login Time : 15:06:41 EST Wed Feb 1 2012
Duration : 1d 5h:13m:11s
 

The following is sample output from the show vpn-sessiondb detail ospfv3 command:

asa# show vpn-sessiondb detail ospfv3
 
Session Type: OSPFv3 IPsec Detailed
 
Connection :
Index : 1 IP Addr : 0.0.0.0
Protocol : IPsec
Encryption : IPsec: (1)none Hashing : IPsec: (1)SHA1
Bytes Tx : 0 Bytes Rx : 0
Login Time : 15:06:41 EST Wed Feb 1 2012
Duration : 1d 5h:14m:28s
IPsec Tunnels: 1
 
IPsec:
Tunnel ID : 1.1
Local Addr : ::/0/89/0
Remote Addr : ::/0/89/0
Encryption : none Hashing : SHA1
Encapsulation: Transport
Idle Time Out: 0 Minutes Idle TO Left : 0 Minutes
Bytes Tx : 0 Bytes Rx : 0
Pkts Tx : 0 Pkts Rx : 0
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 105268 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
 

The following is sample output from the show vpn-sessiondb summary command:

ciscoasa# show vpn-sessiondb summary
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concur : Inactive
----------------------------------------------
OSPFv3 IPsec : 1 : 1 : 1
---------------------------------------------------------------------------
Total Active and Inactive : 1 Total Cumulative : 1
Device Total VPN Capacity : 10000
Device Load : 0%
-----------------------------------------------------------------------
 

The following is sample output from the show vpn-sessiondb det anyconnect command:

ciscoasa# show vpn-sessiondb det anyconnect
 
Session Type: AnyConnect Detailed
 
Username : userab Index : 2
Assigned IP : 65.2.1.100 Public IP : 75.2.1.60
Assigned IPv6: 2001:1000::10
Protocol : IKEv2 IPsecOverNatT AnyConnect-Parent
License : AnyConnect Premium
Encryption : IKEv2: (1)3DES IPsecOverNatT: (1)3DES AnyConnect-Parent: (1)none
Hashing : IKEv2: (1)SHA1 IPsecOverNatT: (1)SHA1 AnyConnect-Parent: (1)none
Bytes Tx : 0 Bytes Rx : 21248
Pkts Tx : 0 Pkts Rx : 238
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : DfltGrpPolicy Tunnel Group : test1
Login Time : 22:44:59 EST Tue Aug 13 2013
Duration : 0h:02m:42s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
 
IKEv2 Tunnels: 1
IPsecOverNatT Tunnels: 1
AnyConnect-Parent Tunnels: 1
 
AnyConnect-Parent:
Tunnel ID : 2.1
Public IP : 75.2.1.60
Encryption : none Hashing : none
Auth Mode : userPassword
Idle Time Out: 400 Minutes Idle TO Left : 397 Minutes
Conn Time Out: 500 Minutes Conn TO Left : 497 Minutes
Client OS : Windows
Client Type : AnyConnect
Client Ver : 3.1.05050
 
IKEv2:
Tunnel ID : 2.2
UDP Src Port : 64251 UDP Dst Port : 4500
Rem Auth Mode: userPassword
Loc Auth Mode: rsaCertificate
Encryption : 3DES Hashing : SHA1
Rekey Int (T): 86400 Seconds Rekey Left(T): 86241 Seconds
PRF : SHA1 D/H Group : 2
Filter Name : mixed1
Client OS : Windows
 
IPsecOverNatT:
Tunnel ID : 2.3
Local Addr : 75.2.1.23/255.255.255.255/47/0
Remote Addr : 75.2.1.60/255.255.255.255/47/0
Encryption : 3DES Hashing : SHA1
Encapsulation: Transport, GRE
Rekey Int (T): 28400 Seconds Rekey Left(T): 28241 Seconds
Idle Time Out: 400 Minutes Idle TO Left : 400 Minutes
Conn Time Out: 500 Minutes Conn TO Left : 497 Minutes
Bytes Tx : 0 Bytes Rx : 21326
Pkts Tx : 0 Pkts Rx : 239
 
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 165 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
 

The following is sample output from the show vpn-sessiondb license-summary command:

---------------------------------------------------------------------------
VPN Licenses and Configured Limits Summary
---------------------------------------------------------------------------
Status : Capacity : Installed : Limit
-----------------------------------------
AnyConnect Premium : DISABLED : 250 : 10 : NONE
AnyConnect Essentials : ENABLED : 250 : 250 : NONE
Other VPN (Available by Default) : ENABLED : 250 : 250 : NONE
Shared License Server : DISABLED
Shared License Participant : DISABLED
AnyConnect for Mobile : DISABLED(Requires Premium or Essentials)
Advanced Endpoint Assessment : DISABLED(Requires Premium)
AnyConnect for Cisco VPN Phone : DISABLED
VPN-3DES-AES : ENABLED
VPN-DES : ENABLED
---------------------------------------------------------------------------
 
---------------------------------------------------------------------------
VPN Licenses Usage Summary
---------------------------------------------------------------------------
Local : Shared : All : Peak : Eff. :
In Use : In Use : In Use : In Use : Limit : Usage
----------------------------------------------------
AnyConnect Essentials : 1 : 0 : 1 : 1 : 250 : 0%
AnyConnect Client : : 0 : 0 : 0%
AnyConnect Mobile : : 0 : 0 : 0%
Other VPN : : 0 : 0 : 250 : 0%
Cisco VPN Client : : 0 : 0 : 0%
 
---------------------------------------------------------------------------
Shared License Network Summary
---------------------------------------------------------------------------
AnyConnect Premium
Total shared licenses in network : 500
Shared licenses held by this participant : 0
Shared licenses held by all participants in the network : 0
---------------------------------------------------------------------------
 

As shown in the examples, the fields displayed in response to the show vpn-sessiondb command vary, depending on the keywords you enter. Table 14-2 describes these fields.

 

Table 14-2 show vpn-sessiondb Command Fields

Field
Description

Auth Mode

Protocol or mode used to authenticate this session.

Bytes Rx

Total number of bytes received from the remote peer or client by the ASA.

Bytes Tx

Number of bytes transmitted to the remote peer or client by the ASA.

Client Type

Client software running on the remote peer, if available.

Client Ver

Version of the client software running on the remote peer.

Connection

Name of the connection or the private IP address.

D/H Group

Diffie-Hellman Group. The algorithm and key size used to generate IPsec SA encryption keys.

Duration

Elapsed time (HH:MM:SS) between the session login time and the last screen refresh.

EAPoUDP Session Age

Number of seconds since the last successful posture validation.

Encapsulation

Mode used to apply IPsec ESP (Encapsulation Security Payload protocol) encryption and authentication (that is, the part of the original IP packet that has ESP applied).

Encryption

Data encryption algorithm this session is using, if any.

EoU Age (T)

EAPoUDP Session Age. Number of seconds since the last successful posture validation.

Filter Name

Username specified to restrict the display of session information.

Hashing

Algorithm used to create a hash of the packet, which is used for IPsec data authentication.

Hold Left (T)

Hold-Off Time Remaining. 0 seconds if the last posture validation was successful. Otherwise, the number of seconds remaining before the next posture validation attempt.

Hold-Off Time Remaining

0 seconds if the last posture validation was successful. Otherwise, the number of seconds remaining before the next posture validation attempt.

IKE Neg Mode

IKE (IPsec Phase 1) mode for exchanging key information and setting up SAs: Aggressive or Main.

IKE Sessions

Number of IKE (IPsec Phase 1) sessions; usually 1. These sessions establish the tunnel for IPsec traffic.

Index

Unique identifier for this record.

IP Addr

Private IP address assigned to the remote client for this session. This is also known as the “inner” or “virtual” IP address. It lets the client appear to be a host on the private network.

IPsec Sessions

Number of IPsec (Phase 2) sessions, which are data traffic sessions through the tunnel. Each IPsec remote-access session can have two IPsec sessions: one consisting of the tunnel endpoints, and one consisting of the private networks reachable through the tunnel.

License Information

Shows information about the shared SSL VPN license.

Local IP Addr

IP address assigned to the local endpoint of the tunnel (that is the interface on the ASA).

Login Time

Date and time (MMM DD HH:MM:SS) that the session logged in. Time is displayed in 24-hour notation.

NAC Result

State of Network Admission Control Posture Validation. It can be one of the following:

  • Accepted—The ACS successfully validated the posture of the remote host.
  • Rejected—The ACS could not successfully validate the posture of the remote host.
  • Exempted—The remote host is exempt from posture validation according to the Posture Validation Exception list configured on the ASA.
  • Non-Responsive—The remote host did not respond to the EAPoUDP Hello message.
  • Hold-off—The ASA lost EAPoUDP communication with the remote host after successful posture validation.
  • N/A—NAC is disabled for the remote host according to the VPN NAC group policy.
  • Unknown—Posture validation is in progress.

NAC Sessions

Number of Network Admission Control (EAPoUDP) sessions.

Packets Rx

Number of packets received from the remote peer by the ASA.

Packets Tx

Number of packets transmitted to the remote peer by the ASA.

PFS Group

Perfect Forward Secrecy group number.

Posture Token

Informational text string configurable on the Access Control Server. The ACS downloads the posture token to the ASA for informational purposes to aid in system monitoring, reporting, debugging, and logging. A typical posture token is Healthy, Checkup, Quarantine, Infected, or Unknown.

Protocol

Protocol the session is using.

Public IP

Publicly routable IP address assigned to the client.

Redirect URL

Following posture validation or clientless authentication, the ACS downloads the access policy for the session to the ASA. The Redirect URL is an optional part of the access policy payload. The ASA redirects all HTTP (port 80) and HTTPS (port 443) requests for the remote host to the Redirect URL if it is present. If the access policy does not contain a Redirect URL, the ASA does not redirect HTTP and HTTPS requests from the remote host.

Redirect URLs remain in force until either the IPsec session ends or until posture revalidation, for which the ACS downloads a new access policy that can contain a different redirect URL or no redirect URL.

Rekey Int (T)

Lifetime of the IPsec (IKE) SA encryption keys.

Rekey Left (T)

Lifetime remaining of the IPsec (IKE) SA encryption keys.

Rekey Time Interval

Lifetime of the IPsec (IKE) SA encryption keys.

Remote IP Addr

IP address assigned to the remote endpoint of the tunnel (that is the interface on the remote peer).

Reval Int (T)

Revalidation Time Interval. Interval in seconds required between each successful posture validation.

Reval Left (T)

Time Until Next Revalidation. 0 if the last posture validation attempt was unsuccessful. Otherwise, the difference between the Revalidation Time Interval and the number of seconds since the last successful posture validation.

Revalidation Time Interval

Interval in seconds required between each successful posture validation.

Session ID

Identifier for the session component (subsession). Each SA has its own identifier.

Session Type

Type of session: LAN-to-LAN or Remote

SQ Int (T)

Status Query Time Interval. Time in seconds allowed between each successful posture validation or status query response and the next status query response. A status query is a request made by the ASA to the remote host to indicate whether the host has experienced any changes in posture since the last posture validation.

Status Query Time Interval

Time in seconds allowed between each successful posture validation or status query response and the next status query response. A status query is a request made by the ASA to the remote host to indicate whether the host has experienced any changes in posture since the last posture validation.

Time Until Next Revalidation

0 if the last posture validation attempt was unsuccessful. Otherwise, the difference between the Revalidation Time Interval and the number of seconds since the last successful posture validation.

Tunnel Group

Name of the tunnel group referenced by this tunnel for attribute values.

UDP Dst Port
or
UDP Destination Port

Port number used by the remote peer for UDP.

UDP Src Port
or
UDP Source Port

Port number used by the ASA for UDP.

Username

User login name with which the session is established.

VLAN

Egress VLAN interface assigned to this session. The ASA forwards all traffic to that VLAN. One of the following elements specifies the value:

  • Group policy
  • Inherited group policy

 
Related Commands

Command
Description

show running-configuration vpn-sessiondb

Displays the VPN session database running configuration (max-other-vpn-limit, max-anyconnect-premium-or-essentials-limit).

show vpn-sessiondb ratio

Displays VPN session encryption or protocol ratios.

show vpn-sessiondb ratio

To display the ratio of current sessions as a percentage by protocol or encryption algorithm, use the show vpn-sessiondb ratio command in privileged EXEC mode.

show vpn-sessiondb ratio {protocol | encryption} [filter groupname ]

 
Syntax Description

encryption

Identifies the encryption protocols you want to display. Refers to phase 2 encryption. Encryption algorithms include:

 

aes128

aes192

aes256

des

3des

rc4

filter groupname

Filters the output to include session ratios only for the tunnel group you specify.

protocol

Identifies the protocols you want to display. Protocols include:

 

IKEv1

IKEv2

IPsec

IPsecLAN2LAN

IPsecLAN2LANOverNatT

IPsecOverNatT

IPsecOverTCP

IPsecOverUDP

L2TPOverIPsec

L2TPOverIPsecOverNatT

Clientless

Port-Forwarding

IMAP4S

POP3S

SMTPS

AnyConnect-Parent

SSL-Tunnel

DTLS-Tunnel

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes

  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

8.4(1)

The output was enhanced to include IKEv2.

9.0(1)

Support for multiple context mode was added.

Examples

The following is sample output for the show vpn-sessiondb ratio command, with encryption as the argument:

ciscoasa# show vpn-sessiondb ratio encryption
Filter Group : All
Total Active Sessions: 5
Cumulative Sessions : 9
 
Encryption Sessions Percent
none 0 0%
DES 1 20%
3DES 0 0%
AES128 4 80%
AES192 0 0%
AES256 0 0%
 

The following is sample output for the show vpn-sessiondb ratio command with protocol as the argument:

 
ciscoasa# show vpn-sessiondb ratio protocol
Filter Group : All
Total Active Sessions: 6
Cumulative Sessions : 10
 
Protocol Sessions Percent
IKE 0 0%
IPsec 1 20%
IPsecLAN2LAN 0 0%
IPsecLAN2LANOverNatT 0 0%
IPsecOverNatT 0 0%
IPsecOverTCP 1 20%
IPsecOverUDP 0 0%
L2TP 0 0%
L2TPOverIPsec 0 0%
L2TPOverIPsecOverNatT 0 0%
PPPoE 0 0%
vpnLoadBalanceMgmt 0 0%
userHTTPS 0 0%
IMAP4S 3 30%
POP3S 0 0%
SMTPS 3 30%

 
Related Commands show vpn-sessiondb ratio

Command
Description

show vpn-sessiondb

Displays sessions with or without extended details, optionally filtered and sorted by criteria you specify.

show vpn-sessiondb summary

Displays a session summary, including total current session, current sessions of each type, peak and total cumulative, maximum concurrent sessions

show vpn-sessiondb summary

To display the number of IPsec, Cisco AnyConnect, and NAC sessions, use the show vpn-sessiondb summary command in privileged EXEC mode.

show vpn-sessiondb summary

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes

  • Yes
  • Yes

 
Command History

Release
Modification

7.0(7)

This command was introduced.

8.0(2)

Added the VLAN Mapping Sessions table.

8.0(5)

Added new output for active, cumulative, peak concurrent, and inactive.

9.0(1)

Support for multiple context mode was added.

Examples

The following is sample output for the show vpn-sessiondb summary command with one IPsec IKEv1 and one clientless session:


Note A device in standby does not differentiate active from inactive sessions.


ciscoasa# show vpn-sessiondb summary
 
VPN Session Summary
Sessions:
Active : Cumulative : Peak Concurrent : Inactive :
Clientless VPN : 1: 2: 1
Browser : 1: 2: 1
IKEv1 IPsec/L2TP IPsec 0 : 1: 1: 1
 
Total Active and Inactive: 2 Total Cumulative: 3
Device Total VPN Capacity: 10000
Device Load : 0%
 
License Information:
Shared VPN License Information:
SSL VPN : 12000
Allocated to this device : 0
Allocated to network : 0
Device limit : 750
 
IPsec : 750 Configured : 750 Active : 0 Load : 0%
SSL VPN : 750 Configured : 750 Active : 0 Load : 0%
Active : Cumulative : Peak Concurrent
SSL VPN : 0 : 1 : 1
Totals : 0 : 1 :
 
Active NAC Sessions:
Accepted : 0
Rejected : 0
Exempted : 0
Non-responsive : 0
Hold-off : 0
N/A : 0
 
Active VLAN Mapping Sessions:
Static : 0
Auth : 0
Access : 0
Guest : 0
Quarantine : 0
N/A : 0
 
ciscoasa#
 

You can use the SSL output to determine the physical device resources in respect to the number of licenses. A single user session may occupy a license but could use multiple tunnels. For example, an AnyConnect user with DTLS often has the parent session, SSL tunnel, and DTLS tunnels associated with it.


NoteThe parent session represents when the client is not actively connected. It does not represent an encrypted tunnel. If the client shuts down, or sleeps, IPsec, IKE, TLS, and DLTLS tunnels are closed, but the parent session remains until the idle time or maximum connect time limit is reached. This enables the user to reconnect without reauthenticating. The parent session represents when the client is not actively connected. It does not represent an encrypted tunnel. If the client shuts down, or sleeps, IPsec, IKE, TLS, and DLTLS tunnels are closed, but the parent session remains until the idle time or maximum connect time limit is reached. This enables the user to reconnect without reauthenticating.


With this example, you would see three tunnels allocated on the device, even if only one user is logged in. An IPsec LAN-to-LAN tunnel counts as one session, and it allows many host-to-host connections through the tunnel. An IPsec remote access session is one remote access tunnel that supports one user connection.

From the output you can see which sessions are active. If a session has no underlying tunnels associated to it, the status is waiting to resume mode (displayed as clientless in the session output). This mode means that dead peer detection from the head-end device has started, and the head-end device can no longer communicate with the client. When you encounter this condition, you can hold the session to allow the user to roam networks, go to sleep, recover the session, and so on. These sessions count towards the actively connected sessions (from a license standpoint) and are cleared with a user idle timeout, a user logging out, or a resumption of the original session.

The Active SSL VPN With Client column shows the number of active connections passing data. The Cumulative SSL VPN With Client column shows the number of active sessions that have been established. It includes those that are inactive and increments only when a new session is added. The Peak Concurrent SSL VPN With Client column shows the peak number of concurrently active sessions that are passing data. The Inactive SSL VPN With Client column shows how long the AnyConnect client was disconnected. You can use this Inactivity timeout value to determine when licenses are expired. The ASA can then determine whether reconnection is possible. These are AnyConnect sessions without an active SSL tunnel associated with them.

Table 14-3 explains the fields in the Active Sessions and Session Information tables.

 

Table 14-3 show vpn-sessiondb summary Command: Active Sessions and Session Information Fields

Field
Description

Concurrent Limit

Maximum number of concurrently active sessions permitted on this ASA.

Cumulative Sessions

Number of sessions of all types since the ASA was last booted or reset.

LAN-to-LAN

Number of IPsec LAN-to-LAN sessions that are currently active.

Peak Concurrent

Highest number of sessions of all types that were concurrently active since the ASA was last booted or reset.

Percent Session Load

Percentage of the vpn session allocation in use. This value equals the Total Active Sessions divided by the maximum number of sessions available, displayed as a percentage. The maximum number of sessions available can be either of the following:

  • Maximum number of IPsec and SSL VPN sessions licensed
  • vpn-sessiondb ? (maximum number of sessions configured)
  • max-anyconnect-premium-or-essentials-limit (maximum AnyConnect Premium or Essentials session limit)
  • max-other-vpn-limit (maximum other VPN session limit)

Remote Access

ra-ikev1-ipsec—Number of IKEv1 IPsec remote-access user, L2TP over IPsec, and IPsec through NAT sessions that are currently active.

Total Active Sessions

Number of sessions of all types that are currently active.

The Active NAC Sessions table shows general statistics about remote peers that are subject to posture validation.

The Cumulative NAC Sessions table shows general statistics about remote peers that are or have been subject to posture validation.

Table 14-2 explains the fields in the Active NAC Sessions and Total Cumulative NAC Sessions tables.

 

Table 14-4 show vpn-sessiondb summary Command: Active NAC Sessions and Total Cumulative NAC Sessions Fields

Field
Description

Accepted

Number of peers that passed posture validation and have been granted an access policy by an Access Control Server.

Exempted

Number of peers that are not subject to posture validation because they match an entry in the Posture Validation Exception list configured on the ASA.

Hold-off

Number of peers for which the ASA lost EAPoUDP communications after a successful posture validation. The NAC Hold Timer attribute (Configuration > VPN > NAC) determines the delay between this type of event and the next posture validation attempt for each peer.

N/A

Number of peers for which NAC is disabled according to the VPN NAC group policy.

Non-responsive

Number of peers not responsive to Extensible Authentication Protocol (EAP) over UDP requests for posture validation. Peers on which no CTA is running do not respond to these requests. If the ASA configuration supports clientless hosts, the Access Control Server downloads the access policy associated with clientless hosts to the ASA for these peers. Otherwise, the ASA assigns the NAC default policy.

Rejected

Number of peers that failed posture validation or were not granted an access policy by an Access Control Server.

The Active VLAN Mapping Sessions table shows general statistics about remote peers that are subject to posture validation.

The Cumulative VLAN Mapping Sessions table shows general statistics about remote peers that are or have been subject to posture validation.

Table 14-5 explains the fields in the Active VLAN Mapping Sessions and Cumulative VLAN Mapping Sessions tables.

 

Table 14-5 show vpn-sessiondb summary Command: Active VLAN Mapping Sessions and Cumulative Active VLAN Mapping Sessions Fields

Field
Description

Access

Reserved for future use.

Auth

Reserved for future use.

Guest

Reserved for future use.

N/A

Reserved for future use.

Quarantine

Reserved for future use.

Static

This field shows the number of VPN sessions assigned to a pre-configured VLAN.

 
Related Commands Total Active Sessions : 7

Command
Description

show vpn-sessiondb

Displays sessions with or without extended details, optionally filtered and sorted by criteria you specify.

show vpn-sessiondb ratio

Displays VPN session encryption or protocol ratios.

show wccp

To display global statistics related to Web Cache Communication Protocol (WCCP), use the show wccp command in privileged EXEC mode.

show wccp {web-cache | service -number }[ detail | view ]

 
Syntax Description

detail

(Optional) Displays information about the router and all web caches.

service-number

(Optional) Identification number of the web-cache service group being controlled by the cache. The number can be from 0 to 256. For web caches using Cisco Cache Engines, the reverse proxy service is indicated by a value of 99.

view

(Optional) Displays other members of a particular service group have or have not been detected.

web-cache

Specifies statistics for the web-cache service.

 
Defaults

This command is disabled by default.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.2(1)

This command was introduced.

Examples

The following example shows how to display WCCP information:

ciscoasa(config)# show wccp
Global WCCP information:
Router information:
Router Identifier: -not yet determined-
Protocol Version: 2.0
 
Service Identifier: web-cache
Number of Cache Engines: 0
Number of routers: 0
Total Packets Redirected: 0
Redirect access-list: foo
Total Connections Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: foobar
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
ciscoasa(config)#
 

 
Related Commands

Commands
Description

wccp

Enables support of WCCP with service groups.

wccp redirect

Enables support of WCCP redirection.

show webvpn csd

To determine whether CSD is enabled, display the CSD version in the running configuration, determine what image is providing the Host Scan package, and to test a file to see if it is a valid CSD distribution package, use the show webvpn csd command in privileged EXEC mode.

show webvpn csd [image filename ]

 
Syntax Description

filename

Specifies the name of a file to test for validity as a CSD distribution package. It must take the form csd_n.n.n-k9.pkg .

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC mode

  • Yes

  • Yes

 
Command History

Release
Modification

7.1(1)

This command was introduced.

Examples

Use the show webvpn csd command to check the operational status of CSD. The CLI responds with a message indicating if CSD is installed and if it is enabled, if Host Scan is installed and if it is enabled, and which image is supplying the Host Scan package if there is both a CSD package and a Host Scan package installed.

ciscoasa# show webvpn csd
 

These are the messages you could receive:

  • Secure Desktop is not installed

Hostscan is not installed

 
  • Secure Desktop version n.n.n.n is currently installed but not enabled

Standalone Hostscan package is not installed (Hostscan is currently installed via the CSD package but not enabled)

 
  • Secure Desktop version n.n.n.n is currently installed and enabled
Standalone Hostscan package is not installed (Hostscan is currently installed and enabled via the CSD package)
 

The message, “ Secure Desktop version n.n.n.n is currently installed ... ” means that the image is loaded on the ASA and in the running configuration. The image can be either enabled or not enabled. You can go to webvpn configuration mode and enter the csd enable command to enable CSD.

The messaage, “ (Hostscan is currently installed and enabled via the CSD package) ” means that the Host Scan package delivered with the CSD package is the Host Scan package in use.

  • Secure Desktop version n.n.n.n is currently installed and enabled

Hostscan version n.n.n.n is currently installed and enabled

 

The message, “ Secure Desktop version n.n.n.n is currently installed and enabled Hostscan version n.n.n.n is currently installed and enabled ” means that both CSD and a Host Scan package, delivered either as a standalone package or as part of an AnyConnect image, are installed. If Host Scan is enabled and both CSD and an AnyConnect image with Host Scan, or a standalone Host Scan package, are installed and enabled, the Host Scan package delivered as a standalone package or as part of an AnyConnect image takes precedence over the one provided with a CSD package.

 
  • Secure Desktop version n.n.n.n is currently installed but not enabled

Hostscan version n.n.n.n is currently installed but not enabled

 

Use the show webvpn csd image filename command to test a file to determine if a CSD distribution package is valid.

ciscoasa# show webvpn csd image csd_n.n.n-k9.pkg

The CLI responds with one of the following messages when you enter this command:

  • ERROR: This is not a valid Secure Desktop image file.

Make sure the filename is in the form the form csd_n.n.n_k9.pkg . If the csd package does not have this naming convention, replace the file with one obtained from the following website:

http://www.cisco.com/cgi-bin/tablebuild.pl/securedesktop

Then reenter the show webvpn csd image command. If the image is valid, use the csd image and csd enable commands in webvpn configuration mode to install and enable CSD.

  • This is a valid Cisco Secure Desktop image:

Version : 3.6.172.0

Hostscan Version : 3.6.172.0

Built on : Wed Feb 23 15:46:44 MST 2011

Note that the CLI provides both the version and date stamp if the file is valid.

 
Related Commands

Command
Description

csd enable

Enables CSD for management and remote user access.

csd image

Copies the CSD image named in the command, from the flash drive specified in the path to the running configuration.

show webvpn group-alias

To display the aliases for a specific tunnel-group or for all tunnel groups, use the group-alias command in privileged EXEC mode.

show webvpn group-alias [ tunnel-group ]

 
Syntax Description

tunnel-group

(Optional) Specifies a particular tunnel group for which to show the group aliases.

 
Defaults

If you do not enter a tunnel-group name, this command displays all the aliases for all the tunnel groups.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes

  • Yes

 
Command History

Release
Modification

7.1

This command was introduced.

 
Usage Guidelines

WebVPN must be running when you enter the show webvpn group-alias command.

Each tunnel group can have multiple aliases or no alias.

Examples

The following example shows the show webvpn group-alias command that displays the aliases for the tunnel group “devtest” and the output of that command:

ciscoasa# show webvpn group-alias devtest
QA
Fra-QA
 

 
Related Commands

Command
Description

group-alias

Specifies one or more URLs for the group.

tunnel-group webvpn-attributes

Enters the config-webvpn mode for configuring WebVPN tunnel-group attributes.

show webvpn group-url

To display the URLs for a specific tunnel-group or for all tunnel groups, use the group-url command in privileged EXEC mode.

show webvpn group-url [ tunnel-group ]

 
Syntax Description

tunnel-group

(Optional) Specifies a particular tunnel group for which to show the URLs.

 
Defaults

If you do not enter a tunnel-group name, this command displays all the URLs for all the tunnel groups.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes

  • Yes

 
Command History

Release
Modification

7.1(1)

This command was introduced.

 
Usage Guidelines

WebVPN must be running when you enter the show webvpn group-url command. Each group can have multiple URLs or no URL.

Examples

The following example shows the show webvpn group-url command that displays the URLs for the tunnel group “frn-eng1” and the output of that command:

ciscoasa# show webvpn group-url
http://www.cisco.com
https://fra1.example.com
https://fra2.example.com
 

 
Related Commands

Command
Description

group-url

Specifies one or more URLs for the group.

tunnel-group webvpn-attributes

Enters the config-webvpn mode for configuring WebVPN tunnel-group attributes.

show webvpn kcd

Use the show webvpn kcd command in webvpn configuration mode to display the Domain Controller information and Domain join status on the ASA.

show webvpn kcd

 
Syntax Description

None.

 
Defaults

There are no defaults for this command.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn configuration

  • Yes

  • Yes

 
Command History

Release
Modification

8.4(1)

This command was introduced.

 
Usage Guidelines

The show webvpn kcd command in webvpn configuration mode displays the Domain Controller information and Domain join status on the ASA.

Examples

The following example shows important details to note from the show webvpn kcd command and the interpretation of the status message.

This example shows that the registration is under way and not finished:

ciscoasa# show webvpn kcd
Kerberos Realm: CORP.TEST.INTERNAL
Domain Join: In-Progress

This example shows that a registration was successful and that the ASA has joined the domain:

ciscoasa# show webvpn kcd
Kerberos Realm: CORP.TEST.INTERNAL
Domain Join: Complete

 
Related Commands

Command
Description

clear aaa kerberos

Clears all the Kerberos tickets cached on the ASA.

kcd-server

Allows the ASA to join an Active Directory domain.

show aaa kerberos

Displays all the Kerberos tickets cached on the ASA.

show webvpn sso-server

To display the operating statistics for Webvpn single sign-on servers, use the show webvpn sso-server command in privileged EXEC mode.

show webvpn sso-server [name ]

 
Syntax Description

 
Syntax DescriptionSyntax Description

name

Optionally specifies the name of the SSO server. The server name must be between four and 31 characters in length.

 
Defaults

No default values or behavior.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Config-webvpn-sso-saml

  • Yes

  • Yes

Config-webvpn-sso-siteminder

  • Yes

  • Yes

Privileged EXEC

  • Yes

  • Yes

 
Command History

Release
Modification

7.1(1)

This command was introduced.

 
Usage Guidelines

Single sign-on support, available only for WebVPN, lets users access different secure services on different servers without entering a username and password more than once. The show webvpn sso-server command displays operating statistics for any and all SSO servers configured on the security device.

If no SSO server name argument is entered, statistics for all SSO servers display.

Examples

The following example, entered in privileged EXEC mode, displays statistics for a SiteMinder-type SSO server named example:

ciscoasa# show webvpn sso-server example
Name: example
Type: SiteMinder
Authentication Scheme Version: 1.0
Web Agent URL: http://www.example.com/webvpn
Number of pending requests: 0
Number of auth requests: 0
Number of retransmissions: 0
Number of accepts: 0
Number of rejects: 0
Number of timeouts: 0
Number of unrecognized responses: 0
ciscoasa#
 
The following example of the command issued without a specific SSO server name, displays statistics for all configured SSO servers on the ASA:
 
ciscoasa#(config-webvpn)# show webvpn sso-server
Name: high-security-server
Type: SAML-v1.1-POST
Assertion Consumer URL:
Issuer:
Number of pending requests: 0
Number of auth requests: 0
Number of retransmissions: 0
Number of accepts: 0
Number of rejects: 0
Number of timeouts: 0
Number of unrecognized responses: 0
Name: my-server
Type: SAML-v1.1-POST
Assertion Consumer URL:
Issuer:
Number of pending requests: 0
Number of auth requests: 0
Number of retransmissions: 0
Number of accepts: 0
Number of rejects: 0
Number of timeouts: 0
Number of unrecognized responses: 0
Name: server
Type: SiteMinder
Authentication Scheme Version: 1.0
Web Agent URL:
Number of pending requests: 0
Number of auth requests: 0
Number of retransmissions: 0
Number of accepts: 0
Number of rejects: 0
Number of timeouts: 0
Number of unrecognized responses: 0
ciscoasa(config-webvpn)#

 
Related Commands

Command
Description

max-retry-attempts

Configures the number of times the ASA retries a failed SSO authentication attempt.

policy-server-secret

Creates a secret key used to encrypt authentication requests to a SiteMinder-type SSO server.

request-timeout

Specifies the number of seconds before a failed SSO authentication attempt times out.

sso-server

Creates a single sign-on server.

web-agent-url

Specifies the SSO server URL to which the ASA makes SiteMinder SSO authentication requests.

show webvpn anyconnect

To view information about SSL VPN client images installed on the ASA and loaded in cache memory, or to test a file to see if it is a valid client image, use the show webvpn anyconnect command from privileged EXEC mode.

show webvpn anyconnect [image filename ]

 
Syntax Description

image filename

Specifies the name of a file to test as an SSL VPN client image file.

 
Defaults

This command has no default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.1(1)

This command was introduced.

8.4(1)

The show webvpn anyconnect form of the command replaced show webvpn svc.

 
Usage Guidelines

Use the show webvpn anyconnect command to view information about SSL VPN client images that are loaded in cache memory and available for download to remote PCs. Use the image filename keyword and argument to test a file to see if it is a valid image. If the file is not a valid image, the following message appears:

ERROR: This is not a valid SSL VPN Client image file.

Examples

The following example shows the output of the show webvpn anyconnect command for currently installed images:

ciscoasa# show webvpn anyconnect
1. windows.pkg 1
SSL VPN Client
CISCO STC win2k+ 1.1.0
1,1,0,107
Thu 04/14/2005 09:27:54.43
2. window2.pkg 2
CISCO STC win2k+ 1.1.0
1,1,0,107
Thu 04/14/2005 09:27:54.43
 

The following example shows the output of the show webvpn anyconnect image filename command for a valid image:

ciscoasa(config-webvpn)# show webvpn anyconnect image sslclient-win-1.0.2.127.pkg
 
This is a valid SSL VPN Client image:
CISCO STC win2k+ 1.0.0
1,0,2,127
Fri 07/22/2005 12:14:45.43

 
Related Commands

Command
Description

anyconnect enable

Enables the ASA to download the SSL VPN client to remote PCs.

anyconnect image

Causes the security appliance to load SSL VPN client files from flash memory to cache memory, and specifies the order in which the security appliance downloads portions of the client image to the remote PC as it attempts to match the client image with the operating system.

vpn-tunnel-protocol

Enables specific VPN tunnel protocols for remote VPN users, including SSL used by an SSL VPN client.

show xlate

To display information about NAT sessions (xlates), use the show xlate command in privileged EXEC mode.

show xlate [ global ip1 [ - ip2 ] [ netmask mask ]] [ local ip1 [ - ip2 ] [ netmask mask ]]
[
gport port1 [ - port2 ]] [ lport port1 [ - port2 ]] [ interface if_name ] [ type type ]

show xlate count

 
Syntax Description

count

Displays the translation count.

global ip1 [ - ip2 ]

(Optional) Displays the active translations by mapped IP address or range of addresses.

gport port1 [ -port2 ]

Displays the active translations by the mapped port or range of ports.

interface if_name

(Optional) Displays the active translations by interface.

local ip1 [ - ip2 ]

(Optional) Displays the active translations by real IP address or range of addresses.

lport port1 [ -port2 ]

Displays the active translations by real port or range of ports.

netmask mask

(Optional) Specifies the network mask to qualify the mapped or real IP addresses.

type type

(Optional) Displays the active translations by type. You can enter one or more of the following types:

  • static
  • portmap
  • dynamic
  • twice-nat

When specifying more than one type, separate the types with a space.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.3(1)

This command was modified to support the new NAT implementation.

8.4(3)

The e flag was added to show use of extended PAT. In addition, the destination address to which the xlate is extended is shown.

9.0(1)

This command was modified to support IPv6.

 
Usage Guidelines

The show xlate command displays the contents of the translation slots.

When the vpnclient configuration is enabled and the inside host is sending out DNS requests, the show xlate command may list multiple xlates for a static translation.

In an ASA clustering environment, up to three xlates may be duplicated to different nodes in the cluster to handle a PAT session. One xlate is created on the unit that owns the connection. One xlate is created on a different unit to backup the PAT address. Finally, one xlate exists on the director that replicates the flow. In the case where the backup and director is the same unit, two instead of three xlates may be created.

Examples

The following is sample output from the show xlate command.

ciscoasa# show xlate
5 in use, 5 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
e - extended
NAT from any:10.90.67.2 to any:10.9.1.0/24
flags idle 277:05:26 timeout 0:00:00
NAT from any:10.1.1.0/24 to any:172.16.1.0/24
flags idle 277:05:26 timeout 0:00:00
NAT from any:10.90.67.2 to any:10.86.94.0
flags idle 277:05:26 timeout 0:00:00
NAT from any:10.9.0.9, 10.9.0.10/31, 10.9.0.12/30,
10.9.0.16/28, 10.9.0.32/29, 10.9.0.40/30,
10.9.0.44/31 to any:0.0.0.0
flags idle 277:05:26 timeout 0:00:00
NAT from any:10.1.1.0/24 to any:172.16.1.0/24
flags idle 277:05:14 timeout 0:00:00
 

The following is sample output from the show xlate command showing use of the e - extended flag and the destination address to which the xlate is extended.

ciscoasa# show xlate
1 in use, 1 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
e - extended
ICMP PAT from inside:10.2.1.100/6000 to outside:172.16.2.200/6000(172.16.2.99)
flags idle 0:00:06 timeout 0:00:30
TCP PAT from inside:10.2.1.99/5 to outside:172.16.2.200/5(172.16.2.90)
flags idle 0:00:03 timeout 0:00:30
UDP PAT from inside:10.2.1.101/1025 to outside:172.16.2.200/1025(172.16.2.100)
flags idle 0:00:10 timeout 0:00:30
 

The following is sample output from the show xlate command showing a translation from IPv4 to IPv6.

ciscoasa# show xlate
1 in use, 2 most used
NAT from outside:0.0.0.0/0 to in:2001::/96
flags sT idle 0:16:16 timeout 0:00:00

 
Related Commands

Command
Description

clear xlate

Clears current translation and connection information.

show conn

Displays all active connections.

show local-host

Displays the local host network information.

show uauth

Displays the currently authenticated users.