Cisco ASA Series Command Reference, S Commands
show bgp -- show cpu

Table of Contents

show bgp through show cpu Commands

show bgp

show bgp all community

show bgp all neighbors

show bgp cidr-only

show bgp community

show bgp community-list

show bgp filter-list

show bgp injected-paths

show bgp ipv4

show bgp neighbors

show bgp paths

show bgp policy-list

show bgp prefix-list

show bgp regexp

show bgp replication

show bgp rib-failure

show bgp summary

show bgp system-config

show blocks

show boot device (IOS)

show bootvar

show bridge-group

show call-home

show call-home registered-module status

show capture

show chardrop

show checkheaps

show checksum

show chunkstat

show class

show clock

show cluster

show cluster info

show cluster user-identity

show compression svc

show configuration

show conn

show console-output

show context

show controller

show coredump filesystem

show coredump log

show counters

show cpu

show bgp through show cpu Commands

show bgp

To display entries in the Border Gateway Protocol (BGP) routing table, use the show bgp command in user EXEC or privileged EXEC mode.

show bgp [ip-address [mask [longer-prefixes [injected] | shorter-prefixes [length] | bestpath | multipaths | subnets] | bestpath | multipaths] | all | prefix-list name | pending-prefixes | route-map name]]

 
Syntax Description

ip-address

(Optional) Specifies the AS path access list name.

mask

(Optional) Mask to filter or match hosts that are part of the specified network.

longer-prefixes

(Optional) Displays the specified route and all more specific routes.

injected

(Optional) Displays more specific prefixes injected into the BGP routing table.

shorter-prefixes

(Optional) Displays the specified route and all less specific routes.

length

(Optional) The prefix length. The value for this argument is a number from 0 to 32.

bestpath

(Optional) Displays the bestpath for this prefix.

multipaths

(Optional) Displays multipaths for this prefix.

subnets

(Optional) Displays the subnet routes for the specified prefix.

all

(Optional) Displays all address family information in the BGP routing table.

prefix-list name

(Optional) Filters the output based on the specified prefix list.

pending-prefixes

(Optional) Displays prefixes that are pending deletion from the BGP routing table.

route-map name

(Optional) Filters the output based on the specified route map.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC, User EXEC

  • Yes

  • Yes
  • Yes

 
Command History

Release
Modification

9.2(1)

The command was introduced.

 
Usage Guidelines

The show bgp command is used to display the contents of the BGP routing table. The output can be filtered to display entries for a specific prefix, prefix length, and prefixes injected through a prefix list, route map, or conditional advertisement.

In Cisco IOS Release 12.0(32)SY8, 12.0(33)S3, 12.2(33)SRE, 12.2(33)XNE, 12.2(33)SXI1, Cisco IOS XE Release 2.4, and later releases, the Cisco implementation of 4-byte autonomous system numbers uses asplain—65538 for example—as the default regular expression match and output display format for autonomous system numbers, but you can configure 4-byte autonomous system numbers in both the asplain format and the asdot format as described in RFC 5396. To change the default regular expression match and output display of 4-byte autonomous system numbers to asdot format, use the bgp asnotation dot command followed by the clear bgp * command to perform a hard reset of all current BGP sessions.
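The asplain and asdot notations described above denote the same 32-bit value, so AS paths collected from devices with different display settings have to be normalized before they are compared. The following Python sketch is an added example, not Cisco code; the function names are illustrative.

```python
import re

MAX_ASN = 0xFFFFFFFF              # largest 4-byte autonomous system number
ORIGIN_CODES = {"i", "e", "?"}    # origin codes that end a Path field


def parse_asn(text):
    """Return the integer value of an asplain ("65538") or asdot ("1.2") number."""
    text = text.strip()
    if re.fullmatch(r"\d+", text):
        value = int(text)
    else:
        m = re.fullmatch(r"(\d+)\.(\d+)", text)
        if not m:
            raise ValueError(f"not an AS number: {text!r}")
        high, low = int(m.group(1)), int(m.group(2))
        if high > 0xFFFF or low > 0xFFFF:
            raise ValueError(f"each asdot half must fit in 16 bits: {text!r}")
        value = (high << 16) | low
    if value > MAX_ASN:
        raise ValueError(f"AS number out of range: {text!r}")
    return value


def format_asn(asn, notation="asplain"):
    """Render an AS number; in asdot, 2-byte values stay in plain decimal."""
    if notation not in ("asplain", "asdot"):
        raise ValueError(f"unknown notation: {notation!r}")
    if not 0 <= asn <= MAX_ASN:
        raise ValueError(f"AS number out of range: {asn}")
    if notation == "asplain" or asn <= 0xFFFF:
        return str(asn)
    return f"{asn >> 16}.{asn & 0xFFFF}"


def normalize_path(path, notation="asplain"):
    """Rewrite every AS number in a Path field, keeping the origin code."""
    out = []
    for token in path.split():
        if token in ORIGIN_CODES:
            out.append(token)
        else:
            out.append(format_asn(parse_asn(token), notation))
    return " ".join(out)


def path_contains(path, asn_text):
    """True if the path includes the AS, whichever notation either side uses."""
    wanted = parse_asn(asn_text)
    return any(tok not in ORIGIN_CODES and parse_asn(tok) == wanted
               for tok in path.split())
```

Comparing parsed integers avoids writing a text pattern against asdot output, where the period is a regular expression metacharacter.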

Examples

The following sample output shows the BGP routing table:

Router# show bgp
BGP table version is 22, local router ID is 10.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.1.1.1/32 0.0.0.0 0 32768 i
*>i10.2.2.2/32 172.16.1.2 0 100 0 i
*bi10.9.9.9/32 192.168.3.2 0 100 0 10 10 i
*> 192.168.1.2 0 10 10 i
* i172.16.1.0/24 172.16.1.2 0 100 0 i
*> 0.0.0.0 0 32768 i
*> 192.168.1.0 0.0.0.0 0 32768 i
*>i192.168.3.0 172.16.1.2 0 100 0 i
*bi192.168.9.0 192.168.3.2 0 100 0 10 10 i
*> 192.168.1.2 0 10 10 i
*bi192.168.13.0 192.168.3.2 0 100 0 10 10 i
*> 192.168.1.2 0 10 10 i
 

Table 4-1 shows each field description.

Table 4-1 show bgp Fields

 

Field
Description

BGP table version

Internal version number of the table. This number is incremented whenever the table changes.

local router ID

IP address of the router.

Status codes

Status of the table entry. The status is displayed at the beginning of each line in the table. It can be one of the following values:

  • s—The table entry is suppressed.
  • d—The table entry is dampened.
  • h—The table entry is history.
  • *—The table entry is valid.
  • >—The table entry is the best entry to use for that network.
  • i—The table entry was learned via an internal BGP (iBGP) session.
  • r—The table entry is a RIB-failure.
  • S—The table entry is stale.
  • m—The table entry has multipath to use for that network.
  • b—The table entry has backup path to use for that network.
  • x—The table entry has best external route to use for the network.

Origin codes

Origin of the entry. The origin code is placed at the end of each line in the table. It can be one of the following values:

  • i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised with a network router configuration command.
  • e—Entry originated from an Exterior Gateway Protocol (EGP).
  • ?—Origin of the path is not clear. Usually, this is a route that is redistributed into BGP from an IGP.

Network

IP address of a network entity.

Next Hop

IP address of the next system that is used when forwarding a packet to the destination network. An entry of 0.0.0.0 indicates that the router has some non-BGP routes to this network.

Metric

If shown, the value of the interautonomous system metric.

LocPrf

Local preference value as set with the set local-preference route-map configuration command. The default value is 100.

Weight

Weight of the route as set via autonomous system filters.

Path

Autonomous system paths to the destination network. There can be one entry in this field for each autonomous system in the path.

(stale)

Indicates that the following path for the specified autonomous system is marked as "stale" during a graceful restart process.
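The fields in Table 4-1 can be decoded mechanically when the output is captured with its column spacing intact. The following Python parser is an added example, not Cisco code. It assumes the numeric values are right-aligned under their headers. The sample rows are constructed: they follow the first example above, re-spaced into fixed-width columns, plus one RIB-failure row, and the set of states it flags for review is this example's choice.

```python
STATUS_CODES = {"s": "suppressed", "d": "damped", "h": "history", "*": "valid",
                ">": "best", "i": "internal", "r": "RIB-failure", "S": "stale",
                "m": "multipath", "b": "backup-path", "x": "best-external"}
ORIGIN_CODES = {"i": "IGP", "e": "EGP", "?": "incomplete"}
REVIEW_STATES = {"suppressed", "damped", "history", "RIB-failure", "stale"}

# Constructed sample in fixed-width layout (see the lead-in).
SAMPLE_TABLE = [
    "BGP table version is 22, local router ID is 10.1.1.1",
    "   Network          Next Hop            Metric LocPrf Weight Path",
    "*> 10.1.1.1/32      0.0.0.0                  0         32768 i",
    "*>i10.2.2.2/32      172.16.1.2               0    100      0 i",
    "*bi10.9.9.9/32      192.168.3.2              0    100      0 10 10 i",
    "*>                  192.168.1.2                            0 10 10 i",
    "r>i10.5.5.0/24      172.16.1.2               0    100      0 65536 ?",
]


def column_edges(header):
    """Locate column boundaries from the header line."""
    ends = {name: header.index(name) + len(name)
            for name in ("Metric", "LocPrf", "Weight")}
    return header.index("Network"), header.index("Next Hop"), ends


def _number(text):
    text = text.strip()
    return int(text) if text else None


def parse_show_bgp(lines):
    """Return one dict per path; rows without a network inherit the previous one."""
    header_at = next(i for i, line in enumerate(lines)
                     if line.lstrip().startswith("Network"))
    net, hop, ends = column_edges(lines[header_at])
    routes, current = [], None
    for line in lines[header_at + 1:]:
        network = line[net:hop].strip()
        if network:
            current = network
        # Next hop is left-aligned and Metric right-aligned in the same span.
        hop_and_metric = line[hop:ends["Metric"]].split()
        path = line[ends["Weight"]:].split()
        if not hop_and_metric or not path or path[-1] not in ORIGIN_CODES:
            continue  # blank, wrapped or truncated line
        routes.append({
            "network": current,
            "status": [STATUS_CODES[c] for c in line[:net] if c in STATUS_CODES],
            "next_hop": hop_and_metric[0],
            "metric": _number(hop_and_metric[1]) if len(hop_and_metric) > 1 else None,
            "local_pref": _number(line[ends["Metric"]:ends["LocPrf"]]),
            "weight": _number(line[ends["LocPrf"]:ends["Weight"]]),
            "as_path": path[:-1],          # kept as strings (asplain or asdot)
            "origin": ORIGIN_CODES[path[-1]],
        })
    return routes


def best_paths(routes):
    """Map each network to the next hop and origin AS of its best path."""
    return {r["network"]: (r["next_hop"], r["as_path"][-1] if r["as_path"] else None)
            for r in routes if "best" in r["status"]}


def needs_review(routes):
    """Paths whose status codes include one of REVIEW_STATES."""
    return [r for r in routes if REVIEW_STATES.intersection(r["status"])]
```

Comparing `best_paths()` against the origin AS expected for each prefix is one way to notice a route that is unexpectedly originated elsewhere.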

show bgp (4-Byte Autonomous System Numbers): Example

The following sample output shows the BGP routing table with 4-byte autonomous system numbers, 65536 and 65550, shown under the Path field. This example requires Cisco IOS Release 12.0(32)SY8, 12.0(33)S3, 12.2(33)SRE, 12.2(33)XNE, 12.2(33)SXI1, Cisco IOS XE Release 2.4, or a later release.

RouterB# show bgp
BGP table version is 4, local router ID is 172.17.1.99
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.1.1.0/24 192.168.1.2 0 0 65536 i
*> 10.2.2.0/24 192.168.3.2 0 0 65550 i
*> 172.17.1.0/24 0.0.0.0 0 32768 i

 

show bgp ip-address: Example

The following sample output displays information about the 192.168.1.0 entry in the BGP routing table:

Router# show bgp 192.168.1.0
BGP routing table entry for 192.168.1.0/24, version 22
Paths: (2 available, best #2, table default)
Additional-path
Advertised to update-groups:
3
10 10
192.168.3.2 from 172.16.1.2 (10.2.2.2)
Origin IGP, metric 0, localpref 100, valid, internal, backup/repair
10 10
192.168.1.2 from 192.168.1.2 (10.3.3.3)
Origin IGP, localpref 100, valid, external, best , recursive-via-connected

The following sample output displays information about the 10.3.3.3 255.255.255.255 entry in the BGP routing table:

Router# show bgp 10.3.3.3 255.255.255.255
BGP routing table entry for 10.3.3.3/32, version 35
Paths: (3 available, best #2, table default)
Multipath: eBGP
Flag: 0x860
Advertised to update-groups:
1
200
10.71.8.165 from 10.71.8.165 (192.168.0.102)
Origin incomplete, localpref 100, valid, external, backup/repair
Only allowed to recurse through connected route
200
10.71.11.165 from 10.71.11.165 (192.168.0.102)
Origin incomplete, localpref 100, weight 100, valid, external, best
Only allowed to recurse through connected route
200
10.71.10.165 from 10.71.10.165 (192.168.0.104)
Origin incomplete, localpref 100, valid, external,
Only allowed to recurse through connected route

Table 4-2 shows each field description.

Table 4-2 show bgp (4 byte autonomous system numbers) Fields

 

Field
Description

BGP routing table entry for

IP address or network number of the routing table entry.

version

Internal version number of the table. This number is incremented whenever the table changes.

Paths

The number of available paths, and the number of installed best paths. This line displays "Default-IP-Routing-Table" when the best path is installed in the IP routing table.

Multipath

This field is displayed when multipath loadsharing is enabled. This field will indicate if the multipaths are iBGP or eBGP.

Advertised to update-groups

The number of each update group for which advertisements are processed.

Origin

Origin of the entry. The origin can be IGP, EGP, or incomplete. This line displays the configured metric (0 if no metric is configured), the local preference value (100 is default), and the status and type of route (internal, external, multipath, best).

Extended Community

This field is displayed if the route carries an extended community attribute. The attribute code is displayed on this line. Information about the extended community is displayed on a subsequent line.

show bgp all: Example

The following is sample output from the show bgp command entered with the all keyword. Information about all configured address families is displayed.

Router# show bgp all
For address family: IPv4 Unicast *****
BGP table version is 27, local router ID is 10.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.1.1.0/24 0.0.0.0 0 32768 ?
*> 10.13.13.0/24 0.0.0.0 0 32768 ?
*> 10.15.15.0/24 0.0.0.0 0 32768 ?
*>i10.18.18.0/24 172.16.14.105 1388 91351 0 100 e
*>i10.100.0.0/16 172.16.14.107 262 272 0 1 2 3 i
*>i10.100.0.0/16 172.16.14.105 1388 91351 0 100 e
*>i10.101.0.0/16 172.16.14.105 1388 91351 0 100 e
*>i10.103.0.0/16 172.16.14.101 1388 173 173 100 e
*>i10.104.0.0/16 172.16.14.101 1388 173 173 100 e
*>i10.100.0.0/16 172.16.14.106 2219 20889 0 53285 33299 51178 47751 e
*>i10.101.0.0/16 172.16.14.106 2219 20889 0 53285 33299 51178 47751 e
* 10.100.0.0/16 172.16.14.109 2309 0 200 300 e
*> 172.16.14.108 1388 0 100 e
* 10.101.0.0/16 172.16.14.109 2309 0 200 300 e
*> 172.16.14.108 1388 0 100 e
*> 10.102.0.0/16 172.16.14.108 1388 0 100 e
*> 172.16.14.0/24 0.0.0.0 0 32768 ?
*> 192.168.5.0 0.0.0.0 0 32768 ?
*> 10.80.0.0/16 172.16.14.108 1388 0 50 e
*> 10.80.0.0/16 172.16.14.108 1388 0 50 e

show bgp longer-prefixes: Example

The following is sample output from the show bgp command entered with the longer-prefixes keyword:

Router# show bgp 10.92.0.0 255.255.0.0 longer-prefixes
BGP table version is 1738, local router ID is 192.168.72.24
Status codes: s suppressed, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.92.0.0 10.92.72.30 8896 32768 ?
* 10.92.72.30 0 109 108 ?
*> 10.92.1.0 10.92.72.30 8796 32768 ?
* 10.92.72.30 0 109 108 ?
*> 10.92.11.0 10.92.72.30 42482 32768 ?
* 10.92.72.30 0 109 108 ?
*> 10.92.14.0 10.92.72.30 8796 32768 ?
* 10.92.72.30 0 109 108 ?
*> 10.92.15.0 10.92.72.30 8696 32768 ?
* 10.92.72.30 0 109 108 ?
*> 10.92.16.0 10.92.72.30 1400 32768 ?
* 10.92.72.30 0 109 108 ?
*> 10.92.17.0 10.92.72.30 1400 32768 ?
* 10.92.72.30 0 109 108 ?
*> 10.92.18.0 10.92.72.30 8876 32768 ?
* 10.92.72.30 0 109 108 ?
*> 10.92.19.0 10.92.72.30 8876 32768 ?
* 10.92.72.30 0 109 108 ?

 

show bgp shorter-prefixes: Example

The following is sample output from the show bgp command entered with the shorter-prefixes keyword. An 8-bit prefix length is specified.

Router# show bgp 172.16.0.0/16 shorter-prefixes 8
*> 172.16.0.0 10.0.0.2 0 ?
* 10.0.0.2 0 0 200 ?

 

show bgp prefix-list: Example

The following is sample output from the show bgp command entered with the prefix-list keyword:

Router# show bgp prefix-list ROUTE
BGP table version is 39, local router ID is 10.0.0.1
Status codes:s suppressed, d damped, h history, * valid, > best, i -
internal
Origin codes:i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 192.168.1.0 10.0.0.2 0 ?
 
* 10.0.0.2 0 0 200 ?
 

show bgp route-map: Example

The following is sample output from the show bgp command entered with the route-map keyword:

Router# show bgp route-map LEARNED_PATH
BGP table version is 40, local router ID is 10.0.0.1
Status codes:s suppressed, d damped, h history, * valid, > best, i -
internal
Origin codes:i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 192.168.1.0 10.0.0.2 0 ?
* 10.0.0.2 0 0 200 ?

show bgp all community

To display routes for all address families belonging to a particular Border Gateway Protocol (BGP) community, use the show bgp all community command in user EXEC or privileged EXEC configuration mode.

show bgp all community [community-number...[community-number]] [local-as] [no-advertise] [no-export] [exact-match]

 
Syntax Description

community-number

(Optional) Displays the routes pertaining to the community numbers specified.

You can specify multiple community numbers. The range is from 1 to 4294967295 or AA:NN (autonomous system:community number, which is a 2-byte number).

local-as

(Optional) Displays only routes that are not sent outside of the local autonomous system (well-known community).

no-advertise

(Optional) Displays only routes that are not advertised to any peer (well-known community).

no-export

(Optional) Displays only routes that are not exported outside of the local autonomous system (well-known community).

exact-match

(Optional) Displays only routes that match exactly with the BGP community list specified.

Note: The availability of keywords in the command depends on the command mode. The exact-match keyword is not available in user EXEC mode.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode: Privileged EXEC, User EXEC

  • Firewall Mode, Routed: Yes
  • Firewall Mode, Transparent: Yes
  • Security Context, Single: Yes
  • Security Context, Multiple, Context: Yes
  • Security Context, Multiple, System: Yes

 
Command History

Release
Modification

9.2(1)

The command was introduced.

 
Usage Guidelines

You can enter the local-as, no-advertise, and no-export keywords in any order. When using the bgp all community command, be sure to enter the numerical communities before the well-known communities.

For example, the following string is not valid:

ciscoasa# show bgp all community local-as 111:12345

Use the following string instead:

ciscoasa# show bgp all community 111:12345 local-as

Examples

The following is sample output from the show bgp all community command, specifying communities of 1, 2345, and 6789012:

ciscoasa# show bgp all community 1 2345 6789012 no-advertise local-as no-export exact-match
For address family: IPv4 Unicast
BGP table version is 5, local router ID is 30.0.0.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.0.3.0/24 10.0.0.4 0 4 3 ?
*> 10.1.0.0/16 10.0.0.4 0 0 4 ?
*> 10.12.34.0/24 10.0.0.6 0 0 6 ?

 

Table 4-3 shows each field description.

 

Table 4-3 show bgp all community Fields

Field
Description

BGP table version

Internal version number of the table. This number is incremented whenever the table changes.

local router ID

The router ID of the router on which the BGP communities are set to display. A 32-bit number written as 4 octets separated by periods (dotted-decimal format).

Status codes

Status of the table entry. The status is displayed at the beginning of each line in the table. It can be one of the following values:

s—The table entry is suppressed.
d—The table entry is dampened.
h—The table entry is history.
*—The table entry is valid.
>—The table entry is the best entry to use for that network.
i—The table entry was learned via an internal BGP session.

Origin codes

Indicates the origin of the entry. The origin code is placed at the end of each line in the table. It can be one of the following values:

i—Entry originated from the Interior Gateway Protocol (IGP) and was advertised with a network router configuration command.
e—Entry originated from the Exterior Gateway Protocol (EGP).
?—Origin of the path is not clear. Usually, this is a route that is redistributed into BGP from an IGP.

Network

The network address and network mask of a network entity. The type of address depends on the address family.

Next Hop

IP address of the next system that is used when forwarding a packet to the destination network. The type of address depends on the address family.

Metric

The value of the inter autonomous system metric. This field is not used frequently.

LocPrf

Local preference value as set with the set local-preference command. The default value is 100.

Weight

Weight of the route as set via autonomous system filters.

Path

Autonomous system paths to the destination network. There can be one entry in this field for each autonomous system in the path.

show bgp all neighbors

To display information about Border Gateway Protocol (BGP) connections to neighbors of all address families, use the show bgp all neighbors command in user EXEC or privileged EXEC mode.

show bgp all neighbors [ip-address ] [advertised-routes | paths [reg-exp] | policy [detail] | received prefix-filter | received-routes | routes]

 
Syntax Description

ip-address

(Optional) IP address of a neighbor. If this argument is omitted, information about all neighbors is displayed.

advertised-routes

(Optional) Displays all routes that have been advertised to neighbors.

paths reg-exp

(Optional) Displays autonomous system paths learned from the specified neighbor. An optional regular expression can be used to filter the output.

policy

(Optional) Displays the policies applied to neighbor per address family.

detail

(Optional) Displays detailed policy information such as route maps, prefix lists, community lists, Access Control Lists (ACLs), and autonomous system path filter lists.

received prefix-filter

(Optional) Displays the prefix-list (outbound route filter [ORF]) sent from the specified neighbor.

received-routes

(Optional) Displays all received routes (both accepted and rejected) from the specified neighbor.

routes

(Optional) Displays all routes that are received and accepted. The output displayed when this keyword is entered is a subset of the output displayed by the received-routes keyword.

 
Defaults

The output of this command displays information for all neighbors.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode: Privileged EXEC, User EXEC

  • Firewall Mode, Routed: Yes
  • Firewall Mode, Transparent: Yes
  • Security Context, Single: Yes
  • Security Context, Multiple, Context: Yes
  • Security Context, Multiple, System: Yes

 
Command History

Release
Modification

9.2(1)

The command was introduced.

 
Usage Guidelines

Use the show bgp all neighbors command to display BGP and TCP connection information for neighbor sessions specific to address families such as IPv4.

Examples

The following example shows output of the show bgp all neighbors command:

ciscoasa# show bgp all neighbors
 
For address family: IPv4 Unicast
BGP neighbor is 172.16.232.53, remote AS 100, external link
Member of peer-group internal for session parameters
BGP version 4, remote router ID 172.16.232.53
BGP state = Established, up for 13:40:17
Last read 00:00:09, hold time is 180, keepalive interval is 60 seconds
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent Rcvd
Opens: 3 3
Notifications: 0 0
Updates: 0 0
Keepalives: 113 112
Route Refresh: 0 0
Total: 116 11
Default minimum time between advertisement runs is 5 seconds
Connections established 22; dropped 21
Last reset 13:47:05, due to BGP Notification sent, hold time expired
External BGP neighbor may be up to 2 hops away.
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Enqueued packets for retransmit: 0, input: 0 mis-ordered: 0 (0 bytes)
Event Timers (current time is 0x1A0D543C):
Timer Starts Wakeups Next
Retrans 1218 5 0x0
TimeWait 0 0 0x0
AckHold 3327 3051 0x0
SendWnd 0 0 0x0
KeepAlive 0 0 0x0
GiveUp 0 0 0x0
PmtuAger 0 0 0x0
DeadWait 0 0 0x0
iss: 1805423033 snduna: 1805489354 sndnxt: 1805489354 sndwnd: 15531
irs: 821333727 rcvnxt: 821591465 rcvwnd: 15547 delrcvwnd: 837
SRTT: 300 ms, RTTO: 303 ms, RTV: 3 ms, KRTT: 0 ms
minRTT: 8 ms, maxRTT: 300 ms, ACK hold: 200 ms
Flags: higher precedence, nagle
Datagrams (max data segment is 1420 bytes):
Rcvd: 4252 (out of order: 0), with data: 3328, total data bytes: 257737
Sent:4445 (retransmit: 5), with data: 4445, total data bytes;244128

Table 4-4 shows each field description.

 

Table 4-4 show bgp all neighbor Fields

Field
Description

For address family

Address family to which the following fields refer.

BGP neighbor

IP address of the BGP neighbor and its autonomous system number.

remote AS

Autonomous system number of the neighbor.

external link

External Border Gateway Protocol (eBGP) peer.

BGP version

BGP version being used to communicate with the remote router.

remote router ID

IP address of the neighbor.

BGP state

State of this BGP connection.

up for

Time, in hh:mm:ss, that the underlying TCP connection has been in existence.

Last read

Time, in hh:mm:ss, since BGP last received a message from this neighbor.

hold time

Time, in seconds, that BGP will maintain the session with this neighbor without receiving messages.

keepalive interval

Time interval, in seconds, at which keepalive messages are transmitted to this neighbor.

Message statistics

Statistics organized by message type.

InQ depth is

Number of messages in the input queue.

OutQ depth is

Number of messages in the output queue.

Sent

Total number of transmitted messages.

Rcvd

Total number of received messages.

Opens

Number of open messages sent and received.

Notifications

Number of notification (error) messages sent and received.

Updates

Number of update messages sent and received.

Keepalives

Number of keepalive messages sent and received.

Route Refresh

Number of route refresh request messages sent and received.

Total

Total number of messages sent and received.

Default minimum time between...

Time, in seconds, between advertisement transmissions.

Connections established

Number of times a TCP and BGP connection has been successfully established.

dropped

Number of times that a valid session has failed or been taken down.

Last reset

Time, in hh:mm:ss, since this peering session was last reset. The reason for the reset is displayed on this line.

External BGP neighbor may be...

Indicates that the BGP Time-to-live (TTL) security check is enabled. The maximum number of hops that can separate the local and remote peer is displayed on this line.

Connection state

Connection status of the BGP peer.

Local host, Local

IP address of the local BGP speaker and the port number.

Foreign host, Foreign port

Neighbor address and BGP destination port number.

Enqueued packets for retransmit:

Packets queued for retransmission by TCP.

Event Timers

TCP event timers. Counters are provided for starts and wakeups (expired timers).

Retrans

Number of times a packet has been retransmitted.

TimeWait

Time waiting for the retransmission timers to expire.

AckHold

Acknowledgment hold timer.

SendWnd

Transmission (send) window.

KeepAlive

Number of keepalive packets.

GiveUp

Number of times a packet is dropped due to no acknowledgment.

PmtuAger

Path MTU discovery timer.

DeadWait

Expiration timer for dead segments.

iss:

Initial packet transmission sequence number.

snduna:

Last transmission sequence number that has not been acknowledged.

sndnxt:

Next packet sequence number to be transmitted.

sndwnd:

TCP window size of the remote host.

irs:

Initial packet receive sequence number.

rcvnxt:

Last receive sequence number that has been locally acknowledged.

rcvwnd:

TCP window size of the local host.

delrcvwnd:

Delayed receive window—data the local host has read from the connection, but has not yet subtracted from the receive window the host has advertised to the remote host. The value in this field gradually increases until it is larger than a full-sized packet, at which point it is applied to the rcvwnd field.

SRTT:

A calculated smoothed round-trip timeout.

RTTO:

Round-trip timeout.

RTV:

Variance of the round-trip time.

KRTT:

New round-trip timeout (using the Karn algorithm). This field separately tracks the round-trip time of packets that have been re-sent.

minRTT:

Smallest recorded round-trip timeout (hard-wire value used for calculation).

maxRTT:

Largest recorded round-trip timeout.

ACK hold

Length of time the local host will delay an acknowledgment to carry (piggyback) additional data.

IP Precedence value

IP precedence of the BGP packets.

Datagrams

Number of update packets received from a neighbor.

Rcvd:

Number of received packets.

with data

Number of update packets sent with data.

total data bytes

Total amount of data received, in bytes.

Sent

Number of update packets sent.

with data

Number of update packets received with data.

total data bytes

Total amount of data sent, in bytes.
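Several of the fields in Table 4-4 are useful for monitoring peer health: the BGP state, the established and dropped counts, the last reset reason, and the eBGP hop limit. The following Python sketch is an added example, not Cisco code. The first neighbor block is taken from the sample output above, the second neighbor is constructed, and the max_drops threshold and the wording of the findings are assumptions.

```python
import re

# First block: lines from the sample output above. Second block: constructed.
SAMPLE_NEIGHBORS = """\
For address family: IPv4 Unicast
BGP neighbor is 172.16.232.53, remote AS 100, external link
BGP version 4, remote router ID 172.16.232.53
BGP state = Established, up for 13:40:17
Last read 00:00:09, hold time is 180, keepalive interval is 60 seconds
Connections established 22; dropped 21
Last reset 13:47:05, due to BGP Notification sent, hold time expired
External BGP neighbor may be up to 2 hops away.
BGP neighbor is 192.0.2.7, remote AS 65550, external link
BGP version 4, remote router ID 0.0.0.0
BGP state = Idle
Connections established 0; dropped 0
"""

# field name -> (pattern with one capture group, conversion)
FIELDS = {
    "state": (re.compile(r"BGP state = (\w+)"), str),
    "hold_time": (re.compile(r"hold time is (\d+)"), int),
    "keepalive": (re.compile(r"keepalive interval is (\d+) seconds"), int),
    "established": (re.compile(r"Connections established (\d+)"), int),
    "dropped": (re.compile(r"dropped (\d+)"), int),
    "reset_reason": (re.compile(r"Last reset \S+, due to (.+)"), str.strip),
    "max_hops": (re.compile(r"may be up to (\d+) hops? away"), int),
}
HEAD = re.compile(r"BGP neighbor is (\S+),\s+remote AS (\S+), (\w+) link")


def parse_neighbors(text):
    """Split the output into per-neighbor blocks and extract the fields above."""
    peers = []
    for block in re.split(r"(?m)^(?=[ \t]*BGP neighbor is )", text):
        head = HEAD.search(block)
        if not head:
            continue  # preamble such as "For address family: ..."
        peer = {"neighbor": head[1], "remote_as": head[2], "link": head[3]}
        for name, (pattern, convert) in FIELDS.items():
            match = pattern.search(block)
            peer[name] = convert(match[1]) if match else None
        peers.append(peer)
    return peers


def review(peer, max_drops=5):
    """Return human-readable findings for one neighbor (empty list if none)."""
    findings = []
    if peer["state"] != "Established":
        findings.append(f"session state is {peer['state']}")
    if peer["dropped"] is not None and peer["dropped"] > max_drops:
        findings.append(f"{peer['established']} sessions established, "
                        f"{peer['dropped']} dropped")
    if peer["reset_reason"] and "hold time expired" in peer["reset_reason"]:
        findings.append(f"last reset: {peer['reset_reason']}")
    if peer["link"] == "external" and (peer["max_hops"] or 0) > 1:
        findings.append(f"external peer may be up to {peer['max_hops']} hops away")
    return findings
```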

 

show bgp cidr-only

To display routes with classless interdomain routing (CIDR), use the show bgp cidr-only command in EXEC mode.

show bgp cidr-only

 
Syntax Description

This command has no arguments or keywords.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode: Privileged EXEC

  • Firewall Mode, Routed: Yes
  • Firewall Mode, Transparent: Yes
  • Security Context, Single: Yes
  • Security Context, Multiple, Context: Yes
  • Security Context, Multiple, System: Yes

 
Command History

Release
Modification

9.2(1)

The command was introduced.

Examples

The following is sample output from the show bgp cidr-only command:

ciscoasa# show bgp cidr-only
BGP table version is 220, local router ID is 172.16.73.131
Status codes: s suppressed, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 192.168.0.0/8 172.16.72.24 0 1878 ?
*> 172.16.0.0/16 172.16.72.30 0 108 ?
 

Table 4-5 shows each field description.

 

Table 4-5 show bgp cidr-only Fields

Field
Description

BGP table version is 220

Internal version number of the table. This number is incremented whenever the table changes.

local router ID

IP address of the router.

Status codes

Status of the table entry. The status is displayed at the beginning of each line in the table. It can be one of the following values:

s—The table entry is suppressed.

*—The table entry is valid.

>—The table entry is the best entry to use for that network.

i—The table entry was learned via an internal BGP (iBGP) session.

Origin codes

Origin of the entry. The origin code is placed at the end of each line in the table. It can be one of the following values:

i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised with a network router configuration command.

e—Entry originated from an Exterior Gateway Protocol (EGP).

?—Origin of the path is not clear. Usually, this is a route that is redistributed into BGP from an IGP.

Network

Internet address of the network the entry describes.

Next Hop

IP address of the next system that is used when forwarding a packet to the destination network. An entry of 0.0.0.0 indicates that the access server has some non-BGP route to this network.

Metric

If shown, the value of the inter autonomous system metric.

LocPrf

Local preference value as set with the set local-preference route-map configuration command. The default value is 100.

Weight

Weight of the route as set via autonomous system filters.

Path

Autonomous system paths to the destination network. There can be one entry in this field for each autonomous system in the path. At the end of the path is the origin code for the path:

i—The entry was originated with the IGP and advertised with a network router configuration command.

e—The route originated with EGP.

?—The origin of the path is not clear. Usually this is a path that is redistributed into BGP from an IGP.

show bgp community

To display routes that belong to specified BGP communities, use the show bgp community command in EXEC mode.

show bgp community community-number [exact]

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode: Privileged EXEC

  • Firewall Mode, Routed: Yes
  • Firewall Mode, Transparent: Yes
  • Security Context, Single: Yes
  • Security Context, Multiple, Context: Yes
  • Security Context, Multiple, System: Yes

 
Command History

Release
Modification

9.2(1)

The command was introduced.

Examples

The following is sample output from the show bgp community command in privileged EXEC mode:

ciscoasa# show bgp community 111:12345 local-as
BGP table version is 10, local router ID is 224.0.0.10
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 172.16.2.2/32 10.43.222.2 0 0 222 ?
*> 10.0.0.0 10.43.222.2 0 0 222 ?
*> 10.43.0.0 10.43.222.2 0 0 222 ?
*> 10.43.44.44/32 10.43.222.2 0 0 222 ?
* 10.43.222.0/24 10.43.222.2 0 0 222 i
*> 172.17.240.0/21 10.43.222.2 0 0 222 ?
*> 192.168.212.0 10.43.222.2 0 0 222 i
*> 172.31.1.0 10.43.222.2 0 0 222 ?
 

Table 4-6 shows each field description.

 

Table 4-6 show bgp community Fields

Field
Description

BGP table version

Internal version number of the table. This number is incremented whenever the table changes.

local router ID

IP address of the router.

Status codes

Status of the table entry. The status is displayed at the beginning of each line in the table. It can be one of the following values:

s—The table entry is suppressed.

*—The table entry is valid.

>—The table entry is the best entry to use for that network.

i—The table entry was learned via an internal BGP (iBGP) session.

Origin codes

Origin of the entry. The origin code is placed at the end of each line in the table. It can be one of the following values:

i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised with a network router configuration command.

e—Entry originated from an Exterior Gateway Protocol (EGP).

?—Origin of the path is not clear. Usually, this is a route that is redistributed into BGP from an IGP.

Network

Internet address of the network the entry describes.

Next Hop

IP address of the next system that is used when forwarding a packet to the destination network. An entry of 0.0.0.0 indicates that the access server has some non-BGP route to this network.

Metric

If shown, the value of the inter autonomous system metric.

LocPrf

Local preference value as set with the set local-preference route-map configuration command. The default value is 100.

Weight

Weight of the route as set via autonomous system filters.

Path

Autonomous system paths to the destination network. There can be one entry in this field for each autonomous system in the path. At the end of the path is the origin code for the path:

i—The entry was originated with the IGP and advertised with a network router configuration command.

e—The route originated with EGP.

?—The origin of the path is not clear. Usually this is a path that is redistributed into BGP from an IGP.

show bgp community-list

To display routes that are permitted by the Border Gateway Protocol (BGP) community list, use the show bgp community-list command in user or privileged EXEC mode.

show bgp community-list {community-list-number | community-list-name [exact-match]}

 
Syntax Description

community-list-number

A standard or expanded community list number in the range from 1 to 500.

community-list-name

Community list name. The community list name can be standard or expanded.

exact-match

(Optional) Displays only routes that have an exact match.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode                  Firewall Mode               Security Context
                              Routed      Transparent     Single      Multiple
                                                                      Context     System
Privileged EXEC, User EXEC    Yes         Yes             Yes         Yes         Yes

 
Command History

Release
Modification

9.2(1)

The command was introduced.

 
Usage Guidelines

This command requires you to specify an argument when used. The exact-match keyword is optional.

Examples

The following is sample output of the show bgp community-list command in privileged EXEC mode:

ciscoasa# show bgp community-list 20
BGP table version is 716977, local router ID is 192.168.32.1
Status codes: s suppressed, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* i10.3.0.0 10.0.22.1 0 100 0 1800 1239 ?
*>i 10.0.16.1 0 100 0 1800 1239 ?
* i10.6.0.0 10.0.22.1 0 100 0 1800 690 568 ?
*>i 10.0.16.1 0 100 0 1800 690 568 ?
* i10.7.0.0 10.0.22.1 0 100 0 1800 701 35 ?
*>i 10.0.16.1 0 100 0 1800 701 35 ?
* 10.92.72.24 0 1878 704 701 35 ?
* i10.8.0.0 10.0.22.1 0 100 0 1800 690 560 ?
*>i 10.0.16.1 0 100 0 1800 690 560 ?
* 10.92.72.24 0 1878 704 701 560 ?
* i10.13.0.0 10.0.22.1 0 100 0 1800 690 200 ?
*>i 10.0.16.1 0 100 0 1800 690 200 ?
* 10.92.72.24 0 1878 704 701 200 ?
* i10.15.0.0 10.0.22.1 0 100 0 1800 174 ?
*>i 10.0.16.1 0 100 0 1800 174 ?
* i10.16.0.0 10.0.22.1 0 100 0 1800 701 i
*>i 10.0.16.1 0 100 0 1800 701 i
* 10.92.72.24 0 1878 704 701 i
 

Table 4-7 shows each field description.

 

Table 4-7 show bgp community-list Fields

Field
Description

BGP table version

Internal version number of the table. This number is incremented whenever the table changes.

local router ID

IP address of the router.

Status codes

Status of the table entry. The status is displayed at the beginning of each line in the table. It can be one of the following values:

s—The table entry is suppressed.

*—The table entry is valid.

>—The table entry is the best entry to use for that network.

i—The table entry was learned via an internal BGP (iBGP) session.

Origin codes

Origin of the entry. The origin code is placed at the end of each line in the table. It can be one of the following values:

i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised with a network router configuration command.

e—Entry originated from an Exterior Gateway Protocol (EGP).

?—Origin of the path is not clear. Usually, this is a route that is redistributed into BGP from an IGP.

Network

Internet address of the network the entry describes.

Next Hop

IP address of the next system that is used when forwarding a packet to the destination network. An entry of 0.0.0.0 indicates that the access server has some non-BGP route to this network.

Metric

If shown, the value of the inter autonomous system metric.

LocPrf

Local preference value as set with the set local-preference route-map configuration command. The default value is 100.

Weight

Weight of the route as set via autonomous system filters.

Path

Autonomous system paths to the destination network. There can be one entry in this field for each autonomous system in the path. At the end of the path is the origin code for the path:

i—The entry was originated with the IGP and advertised with a network router configuration command.

e—The route originated with EGP.

?—The origin of the path is not clear. Usually this is a path that is redistributed into BGP from an IGP.
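The fields in Table 4-7 can be recovered mechanically from saved command output. The following is an added example, not Cisco code: it assumes the device output keeps its fixed-width columns (the samples on this page have lost them), carries the network forward when the Network cell is blank, and checks best paths against a hypothetical `expected_origin_as` mapping supplied by the operator. The sample rows are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

COLUMNS = ["Network", "Next Hop", "Metric", "LocPrf", "Weight", "Path"]


def make_row(status, network, next_hop, metric, locprf, weight, path):
    """Build one line in the assumed device layout (numbers right-aligned)."""
    return (f"{status:<3}{network:<17}{next_hop:<20}"
            f"{metric:>6} {locprf:>6} {weight:>6} {path}")


# Constructed sample, modelled on the outputs shown on this page.
SAMPLE = "\n".join([
    "BGP table version is 716977, local router ID is 192.168.32.1",
    "Status codes: s suppressed, * valid, > best, i - internal",
    "Origin codes: i - IGP, e - EGP, ? - incomplete",
    make_row("", *COLUMNS),
    make_row("* i", "10.7.0.0", "10.0.22.1", 0, 100, 0, "1800 701 35 ?"),
    make_row("*>i", "", "10.0.16.1", 0, 100, 0, "1800 701 35 ?"),
    make_row("*", "", "10.92.72.24", "", "", 0, "1878 704 701 35 ?"),
    make_row("* i", "10.16.0.0", "10.0.22.1", 0, 100, 0, "1800 701 i"),
    make_row("*>i", "", "10.0.16.1", 0, 100, 0, "1800 701 i"),
    make_row("*", "10.43.222.0/24", "10.43.222.2", 0, "", 0, "222 i"),
    make_row("*>", "172.17.0.0/16", "10.0.0.2", "", "", 0, "?"),
])


@dataclass
class Route:
    network: str
    next_hop: str
    status: str                 # raw status characters, e.g. "*>i"
    metric: Optional[int]
    local_pref: Optional[int]
    weight: Optional[int]
    as_path: List[str]          # empty when the path holds only an origin code
    origin: str                 # "i", "e" or "?"

    @property
    def valid(self) -> bool:
        return "*" in self.status

    @property
    def best(self) -> bool:
        return ">" in self.status

    @property
    def internal(self) -> bool:
        return "i" in self.status

    @property
    def origin_as(self) -> Optional[str]:
        return self.as_path[-1] if self.as_path else None


def _num(text: str) -> Optional[int]:
    return int(text) if text else None


def parse_bgp_table(output: str) -> List[Route]:
    routes: List[Route] = []
    starts = None               # column offsets, learned from the header line
    network = ""
    for line in output.splitlines():
        if starts is None:
            if line.split()[:1] == ["Network"]:
                starts = [line.index(c) for c in COLUMNS] + [None]
            continue
        cells = [line[a:b].strip() for a, b in zip(starts, starts[1:])]
        net, next_hop, metric, locprf, weight, path = cells
        tokens = path.split()
        if not tokens:
            continue            # blank or truncated line
        network = net or network    # blank Network: another path to same prefix
        routes.append(Route(network, next_hop, line[:starts[0]], _num(metric),
                            _num(locprf), _num(weight), tokens[:-1], tokens[-1]))
    return routes


def audit(routes: List[Route], expected_origin_as: Dict[str, str]) -> List[str]:
    """Report prefixes with no best path or an unexpected origin AS."""
    by_net: Dict[str, List[Route]] = {}
    for route in routes:
        by_net.setdefault(route.network, []).append(route)
    findings = []
    for net, paths in by_net.items():
        best = [p for p in paths if p.valid and p.best]
        if not best:
            findings.append(f"{net}: valid paths but no best path selected")
            continue
        want = expected_origin_as.get(net)
        if want is not None and best[0].origin_as != want:
            findings.append(f"{net}: best path originates in AS "
                            f"{best[0].origin_as}, expected AS {want}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_bgp_table(SAMPLE),
                         {"10.7.0.0": "35", "10.16.0.0": "690"}):
        print(finding)
```

Slicing by the header offsets is what keeps a missing Metric or LocPrf from shifting the Weight and Path values into the wrong field.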

show bgp filter-list

To display routes that conform to a specified filter list, use the show bgp filter-list command in EXEC mode.

show bgp filter-list access-list-name

 
Syntax Description

access-list-name

Name of an autonomous system path access list.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode                  Firewall Mode               Security Context
                              Routed      Transparent     Single      Multiple
                                                                      Context     System
Privileged EXEC, User EXEC    Yes         Yes             Yes         Yes         Yes

 
Command History

Release
Modification

9.2(1)

The command was introduced.

Examples

The following is sample output of the show bgp filter-list command in privileged EXEC mode:

ciscoasa# show bgp filter-list filter-list-acl
BGP table version is 1738, local router ID is 172.16.72.24
Status codes: s suppressed, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* 172.16.0.0 172.16.72.30 0 109 108 ?
* 172.16.1.0 172.16.72.30 0 109 108 ?
* 172.16.11.0 172.16.72.30 0 109 108 ?
* 172.16.14.0 172.16.72.30 0 109 108 ?
* 172.16.15.0 172.16.72.30 0 109 108 ?
* 172.16.16.0 172.16.72.30 0 109 108 ?
* 172.16.17.0 172.16.72.30 0 109 108 ?
* 172.16.18.0 172.16.72.30 0 109 108 ?
* 172.16.19.0 172.16.72.30 0 109 108 ?
* 172.16.24.0 172.16.72.30 0 109 108 ?
* 172.16.29.0 172.16.72.30 0 109 108 ?
* 172.16.30.0 172.16.72.30 0 109 108 ?
* 172.16.33.0 172.16.72.30 0 109 108 ?
* 172.16.35.0 172.16.72.30 0 109 108 ?
* 172.16.36.0 172.16.72.30 0 109 108 ?
* 172.16.37.0 172.16.72.30 0 109 108 ?
* 172.16.38.0 172.16.72.30 0 109 108 ?
* 172.16.39.0 172.16.72.30 0 109 108 ?
 

Table 4-8 shows each field description.

 

Table 4-8 show bgp filter-list Fields

Field
Description

BGP table version

Internal version number of the table. This number is incremented whenever the table changes.

local router ID

IP address of the router.

Status codes

Status of the table entry. The status is displayed at the beginning of each line in the table. It can be one of the following values:

s—The table entry is suppressed.

*—The table entry is valid.

>—The table entry is the best entry to use for that network.

i—The table entry was learned via an internal BGP (iBGP) session.

Origin codes

Origin of the entry. The origin code is placed at the end of each line in the table. It can be one of the following values:

i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised with a network router configuration command.

e—Entry originated from an Exterior Gateway Protocol (EGP).

?—Origin of the path is not clear. Usually, this is a route that is redistributed into BGP from an IGP.

Network

Internet address of the network the entry describes.

Next Hop

IP address of the next system that is used when forwarding a packet to the destination network. An entry of 0.0.0.0 indicates that the access server has some non-BGP route to this network.

Metric

If shown, the value of the inter autonomous system metric.

LocPrf

Local preference value as set with the set local-preference route-map configuration command. The default value is 100.

Weight

Weight of the route as set via autonomous system filters.

Path

Autonomous system paths to the destination network. There can be one entry in this field for each autonomous system in the path. At the end of the path is the origin code for the path:

i—The entry was originated with the IGP and advertised with a network router configuration command.

e—The route originated with EGP.

?—The origin of the path is not clear. Usually this is a path that is redistributed into BGP from an IGP.

show bgp injected-paths

To display all the injected paths in the Border Gateway Protocol (BGP) routing table, use the show bgp injected-paths command in user or privileged EXEC mode.

show bgp injected-paths

 
Syntax Description

This command has no arguments or keywords.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode                  Firewall Mode               Security Context
                              Routed      Transparent     Single      Multiple
                                                                      Context     System
Privileged EXEC, User EXEC    Yes         Yes             Yes         Yes         Yes

 
Command History

Release
Modification

9.2(1)

The command was introduced.

Examples

The following is sample output from the show bgp injected-paths command in EXEC mode:

ciscoasa# show bgp injected-paths
BGP table version is 11, local router ID is 10.0.0.1
Status codes:s suppressed, d damped, h history, * valid, > best, i -
internal
Origin codes:i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 172.16.0.0 10.0.0.2 0 ?
*> 172.17.0.0/16 10.0.0.2 0 ?

Table 4-9 shows each field description.

 

Table 4-9 show bgp injected-path Fields

Field
Description

BGP table version

Internal version number of the table. This number is incremented whenever the table changes.

local router ID

IP address of the router.

Status codes

Status of the table entry. The status is displayed at the beginning of each line in the table. It can be one of the following values:

s—The table entry is suppressed.

*—The table entry is valid.

>—The table entry is the best entry to use for that network.

i—The table entry was learned via an internal BGP (iBGP) session.

Origin codes

Origin of the entry. The origin code is placed at the end of each line in the table. It can be one of the following values:

i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised with a network router configuration command.

e—Entry originated from an Exterior Gateway Protocol (EGP).

?—Origin of the path is not clear. Usually, this is a route that is redistributed into BGP from an IGP.

Network

Internet address of the network the entry describes.

Next Hop

IP address of the next system that is used when forwarding a packet to the destination network. An entry of 0.0.0.0 indicates that the access server has some non-BGP route to this network.

Metric

If shown, the value of the inter autonomous system metric.

LocPrf

Local preference value as set with the set local-preference route-map configuration command. The default value is 100.

Weight

Weight of the route as set via autonomous system filters.

Path

Autonomous system paths to the destination network. There can be one entry in this field for each autonomous system in the path. At the end of the path is the origin code for the path:

i—The entry was originated with the IGP and advertised with a network router configuration command.

e—The route originated with EGP.

?—The origin of the path is not clear. Usually this is a path that is redistributed into BGP from an IGP.

show bgp ipv4

To display entries in the IP version 4 (IPv4) Border Gateway Protocol (BGP) routing table, use the show bgp ipv4 command in privileged EXEC mode.

show bgp ipv4

 
Syntax Description

This command has no arguments or keywords.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode                  Firewall Mode               Security Context
                              Routed      Transparent     Single      Multiple
                                                                      Context     System
Privileged EXEC, User EXEC    Yes         Yes             Yes         Yes         Yes

 
Command History

Release
Modification

9.2(1)

The command was introduced.

Examples

The following is sample output from the show bgp ipv4 unicast command:

ciscoasa# show bgp ipv4 unicast
BGP table version is 4, local router ID is 10.0.40.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.10.10.0/24 172.16.10.1 0 0 300 i
*> 10.10.20.0/24 172.16.10.1 0 0 300 i
* 10.20.10.0/24 172.16.10.1 0 0 300 i

The following is sample output from the show bgp ipv4 multicast command:

Router# show bgp ipv4 multicast
BGP table version is 4, local router ID is 10.0.40.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.10.10.0/24 172.16.10.1 0 0 300 i
*> 10.10.20.0/24 172.16.10.1 0 0 300 i
* 10.20.10.0/24 172.16.10.1 0 0 300 i

Table 4-10 shows each field description.

 

Table 4-10 show bgp ipv4 Fields

Field
Description

BGP table version

Internal version number of the table. This number is incremented whenever the table changes.

local router ID

IP address of the router.

Status codes

Status of the table entry. The status is displayed at the beginning of each line in the table. It can be one of the following values:

s—The table entry is suppressed.

*—The table entry is valid.

>—The table entry is the best entry to use for that network.

i—The table entry was learned via an internal BGP (iBGP) session.

Origin codes

Origin of the entry. The origin code is placed at the end of each line in the table. It can be one of the following values:

i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised with a network router configuration command.

e—Entry originated from an Exterior Gateway Protocol (EGP).

?—Origin of the path is not clear. Usually, this is a route that is redistributed into BGP from an IGP.

Network

Internet address of the network the entry describes.

Next Hop

IP address of the next system that is used when forwarding a packet to the destination network. An entry of 0.0.0.0 indicates that the access server has some non-BGP route to this network.

Metric

If shown, the value of the inter autonomous system metric.

LocPrf

Local preference value as set with the set local-preference route-map configuration command. The default value is 100.

Weight

Weight of the route as set via autonomous system filters.

Path

Autonomous system paths to the destination network. There can be one entry in this field for each autonomous system in the path. At the end of the path is the origin code for the path:

i—The entry was originated with the IGP and advertised with a network router configuration command.

e—The route originated with EGP.

?—The origin of the path is not clear. Usually this is a path that is redistributed into BGP from an IGP.

show bgp neighbors

To display information about Border Gateway Protocol (BGP) and TCP connections to neighbors, use the show bgp neighbors command in user or privileged EXEC mode.

show bgp neighbors [slow | ip-address [advertised-routes | paths [reg-exp] | policy [detail] | received prefix-filter | received-routes | routes]]

 
Syntax Description

slow

(Optional) Displays information about dynamically configured slow peers.

ip-address

(Optional) Displays information about the IPv4 neighbor. If this argument is omitted, information about all neighbors is displayed.

advertised-routes

(Optional) Displays all routes that have been advertised to neighbors.

paths reg-exp

(Optional) Displays autonomous system paths learned from the specified neighbor. An optional regular expression can be used to filter the output.

policy

(Optional) Displays the policies applied to this neighbor per address family.

detail

(Optional) Displays detailed policy information such as route maps, prefix lists, community lists, access control lists (ACLs), and autonomous system path filter lists.

received prefix-filter

(Optional) Displays the prefix-list (outbound route filter [ORF]) sent from the specified neighbor.

received-routes

(Optional) Displays all received routes (both accepted and rejected) from the specified neighbor.

routes

(Optional) Displays all routes that are received and accepted. The output displayed when this keyword is entered is a subset of the output displayed by the received-routes keyword.

 
Command Default

The output of this command displays information for all neighbors.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode                  Firewall Mode               Security Context
                              Routed      Transparent     Single      Multiple
                                                                      Context     System
Privileged EXEC, User EXEC    Yes         Yes             Yes         Yes         Yes

 
Command History

Release
Modification

9.2(1)

The command was introduced.

 
Usage Guidelines

Use the show bgp neighbors command to display BGP and TCP connection information for neighbor sessions. For BGP, this includes detailed neighbor attribute, capability, path, and prefix information. For TCP, this includes statistics related to BGP neighbor session establishment and maintenance.

Prefix activity is displayed based on the number of prefixes that are advertised and withdrawn. Policy denials display the number of routes that were advertised but then ignored based on the function or attribute that is displayed in the output.

The Cisco implementation of 4-byte autonomous system numbers uses asplain (65538, for example) as the default regular expression match and output display format for autonomous system numbers, but you can configure 4-byte autonomous system numbers in both the asplain format and the asdot format as described in RFC 5396. To change the default regular expression match and output display of 4-byte autonomous system numbers to asdot format, use the bgp asnotation dot command followed by the clear bgp * command to perform a hard reset of all current BGP sessions.

Examples

Example output is different for the various keywords available for the show bgp neighbors command. Examples using the various keywords appear in the following sections:

show bgp neighbors: Example

The following example shows output for the BGP neighbor at 10.108.50.2. This neighbor is an internal BGP (iBGP) peer. This neighbor supports the route refresh and graceful restart capabilities.

ciscoasa# show bgp neighbors 10.108.50.2
BGP neighbor is 10.108.50.2, remote AS 1, internal link
BGP version 4, remote router ID 192.168.252.252
BGP state = Established, up for 00:24:25
Last read 00:00:24, last write 00:00:24, hold time is 180, keepalive interval is
60 seconds
Neighbor capabilities:
Route refresh: advertised and received(old & new)
MPLS Label capability: advertised and received
Graceful Restart Capability: advertised
Address family IPv4 Unicast: advertised and received
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent Rcvd
Opens: 3 3
Notifications: 0 0
Updates: 0 0
Keepalives: 113 112
Route Refresh: 0 0
Total: 116 115
Default minimum time between advertisement runs is 5 seconds
For address family: IPv4 Unicast
BGP additional-paths computation is enabled
BGP advertise-best-external is enabled
BGP table version 1, neighbor version 1/0
Output queue size : 0
Index 1, Offset 0, Mask 0x2
1 update-group member
Sent Rcvd
Prefix activity: ---- ----
Prefixes Current: 0 0
Prefixes Total: 0 0
Implicit Withdraw: 0 0
Explicit Withdraw: 0 0
Used as bestpath: n/a 0
Used as multipath: n/a 0
Outbound Inbound
Local Policy Denied Prefixes: -------- -------
Total: 0 0
Number of NLRIs in the update sent: max 0, min 0
Connections established 3; dropped 2
Last reset 00:24:26, due to Peer closed the session
External BGP neighbor may be up to 2 hops away.
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled
Local host: 10.108.50.1, Local port: 179
Foreign host: 10.108.50.2, Foreign port: 42698
Enqueued packets for retransmit: 0, input: 0 mis-ordered: 0 (0 bytes)
Event Timers (current time is 0x68B944):
Timer Starts Wakeups Next
Retrans 27 0 0x0
TimeWait 0 0 0x0
AckHold 27 18 0x0
SendWnd 0 0 0x0
KeepAlive 0 0 0x0
GiveUp 0 0 0x0
PmtuAger 0 0 0x0
DeadWait 0 0 0x0
iss: 3915509457 snduna: 3915510016 sndnxt: 3915510016 sndwnd: 15826
irs: 233567076 rcvnxt: 233567616 rcvwnd: 15845 delrcvwnd: 539
SRTT: 292 ms, RTTO: 359 ms, RTV: 67 ms, KRTT: 0 ms
minRTT: 12 ms, maxRTT: 300 ms, ACK hold: 200 ms
Flags: passive open, nagle, gen tcbs
IP Precedence value : 6
Datagrams (max data segment is 1460 bytes):
Rcvd: 38 (out of order: 0), with data: 27, total data bytes: 539
Sent: 45 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 08

The following table describes the significant fields shown in the display. Fields that are preceded by the asterisk character (*) are displayed only when the counter has a nonzero value.

Table 4-11 shows each field description.

Table 4-11 show bgp neighbors Fields

Field
Description

BGP neighbor

IP address of the BGP neighbor and its autonomous system number.

remote AS

Autonomous system number of the neighbor.

local AS 300 no-prepend (not shown in display)

Verifies that the local autonomous system number is not prepended to received external routes. This output supports the hiding of the local autonomous systems when migrating autonomous systems.

internal link

"internal link" is displayed for iBGP neighbors. "external link" is displayed for external BGP (eBGP) neighbors.

BGP version

BGP version being used to communicate with the remote router.

remote router ID

IP address of the neighbor.

BGP state

Finite state machine (FSM) stage of session negotiation.

up for

Time, in hhmmss, that the underlying TCP connection has been in existence.

Last read

Time, in hhmmss, since BGP last received a message from this neighbor.

last write

Time, in hhmmss, since BGP last sent a message to this neighbor.

hold time

Time, in seconds, that BGP will maintain the session with this neighbor without receiving a message.

keepalive interval

Time interval, in seconds, at which keepalive messages are transmitted to this neighbor.

Neighbor capabilities

BGP capabilities advertised and received from this neighbor. "advertised and received" is displayed when a capability is successfully exchanged between two routers.

Route Refresh

Status of the route refresh capability.

Graceful Restart Capability

Status of the graceful restart capability.

Address family IPv4 Unicast

IP Version 4 unicast-specific properties of this neighbor.

Message statistics

Statistics organized by message type.

InQ depth is

Number of messages in the input queue.

OutQ depth is

Number of messages in the output queue.

Sent

Total number of transmitted messages.

Received

Total number of received messages.

Opens

Number of open messages sent and received.

Notifications

Number of notification (error) messages sent and received.

Updates

Number of update messages sent and received.

Keepalives

Number of keepalive messages sent and received.

Route Refresh

Number of route refresh request messages sent and received.

Total

Total number of messages sent and received.

Default minimum time between...

Time, in seconds, between advertisement transmissions.

For address family:

Address family to which the following fields refer.

BGP table version

Internal version number of the table. This number is incremented whenever the table changes.

neighbor version

Number used by the software to track prefixes that have been sent and those that need to be sent.

update-group

Number of update-group members for this address family.

Prefix activity

Prefix statistics for this address family.

Prefixes current

Number of prefixes accepted for this address family.

Prefixes total

Total number of received prefixes.

Implicit Withdraw

Number of times that a prefix has been withdrawn and readvertised.

Explicit Withdraw

Number of times that prefix has been withdrawn because it is no longer feasible.

Used as bestpath

Number of received prefixes installed as bestpaths.

Used as multipath

Number of received prefixes installed as multipaths.

* Saved (soft-reconfig)

Number of soft resets performed with a neighbor that supports soft reconfiguration. This field is displayed only if the counter has a nonzero value.

* History paths

This field is displayed only if the counter has a nonzero value.

* Invalid paths

Number of invalid paths. This field is displayed only if the counter has a nonzero value.

Local Policy Denied Prefixes

Prefixes denied due to local policy configuration. Counters are updated for inbound and outbound policy denials. The fields under this heading are displayed only if the counter has a nonzero value.

* route-map

Displays inbound and outbound route-map policy denials.

* filter-list

Displays inbound and outbound filter-list policy denials.

* prefix-list

Displays inbound and outbound prefix-list policy denials.

* AS_PATH too long

Displays outbound AS-path length policy denials.

* AS_PATH loop

Displays outbound AS-path loop policy denials.

* AS_PATH confed info

Displays outbound confederation policy denials.

* AS_PATH contains AS 0

Displays outbound denials of autonomous system (AS) 0.

* NEXT_HOP Martian

Displays outbound martian denials.

* NEXT_HOP non-local

Displays outbound non-local next-hop denials.

* NEXT_HOP is us

Displays outbound next-hop-self denials.

* CLUSTER_LIST loop

Displays outbound cluster-list loop denials.

* ORIGINATOR loop

Displays outbound denials of local originated routes.

* unsuppress-map

Displays inbound denials due to an unsuppress-map.

* advertise-map

Displays inbound denials due to an advertise-map.

* Well-known Community

Displays inbound denials of well-known communities.

* SOO loop

Displays inbound denials due to site-of-origin.

* Bestpath from this peer

Displays inbound denials because the bestpath came from the local router.

* Suppressed due to dampening

Displays inbound denials because the neighbor or link is in a dampening state.

* Bestpath from iBGP peer

Displays inbound denials because the bestpath came from an iBGP neighbor.

* Incorrect RIB for CE

Displays inbound denials due to RIB errors for a CE router.

* BGP distribute-list

Displays inbound denials due to a distribute list.

Number of NLRIs...

Number of network layer reachability attributes in updates.

Connections established

Number of times a TCP and BGP connection has been successfully established.

dropped

Number of times that a valid session has failed or been taken down.

Last reset

Time since this peering session was last reset. The reason for the reset is displayed on this line.

External BGP neighbor may be... (not shown in the display)

Indicates that the BGP TTL security check is enabled. The maximum number of hops that can separate the local and remote peer is displayed on this line.

Connection state

Connection status of the BGP peer.

Connection is ECN Disabled

Explicit congestion notification status (enabled or disabled).

Local host: 10.108.50.1, Local port: 179

IP address of the local BGP speaker. BGP port number 179.

Foreign host: 10.108.50.2, Foreign port: 42698

Neighbor address and BGP destination port number.

Enqueued packets for retransmit:

Packets queued for retransmission by TCP.

Event Timers

TCP event timers. Counters are provided for starts and wakeups (expired timers).

Retrans

Number of times a packet has been retransmitted.

TimeWait

Time waiting for the retransmission timers to expire.

AckHold

Acknowledgment hold timer.

SendWnd

Transmission (send) window.

KeepAlive

Number of keepalive packets.

GiveUp

Number of times a packet is dropped due to no acknowledgment.

PmtuAger

Path MTU discovery timer.

DeadWait

Expiration timer for dead segments.

iss:

Initial packet transmission sequence number.

snduna

Last transmission sequence number that has not been acknowledged.

sndnxt:

Next packet sequence number to be transmitted.

sndwnd:

TCP window size of the remote neighbor.

irs:

Initial packet receive sequence number.

rcvnxt:

Last receive sequence number that has been locally acknowledged.

rcvwnd:

TCP window size of the local host.

delrcvwnd:

Delayed receive window—data the local host has read from the connection, but has not yet subtracted from the receive window the host has advertised to the remote host. The value in this field gradually increases until it is larger than a full-sized packet, at which point it is applied to the rcvwnd field.

SRTT:

A calculated smoothed round-trip timeout.

RTTO:

Round-trip timeout.

RTV:

Variance of the round-trip time.

KRTT:

New round-trip timeout (using the Karn algorithm). This field separately tracks the round-trip time of packets that have been re-sent.

minRTT:

Smallest recorded round-trip timeout (hard-wire value used for calculation).

maxRTT:

Largest recorded round-trip timeout.

ACK hold:

Length of time the local host will delay an acknowledgment to carry (piggyback) additional data.

IP Precedence value:

IP precedence of the BGP packets.

Datagrams

Number of update packets received from a neighbor.

Rcvd:

Number of received packets.

with data

Number of update packets sent with data.

total data bytes

Total amount of data received, in bytes.

Sent

Number of update packets sent.

Second Congestion

Number of second retransmissions sent due to congestion.

Datagrams: Rcvd

Number of update packets received from a neighbor.

out of order:

Number of packets received out of sequence.

with data

Number of update packets received with data.

Last reset

Elapsed time since this peering session was last reset.

unread input bytes

Number of bytes of packets still to be processed.

retransmit

Number of packets retransmitted.

fastretransmit

Number of duplicate acknowledgments retransmitted for an out of order segment before the retransmission timer expires.

partialack

Number of retransmissions for partial acknowledgments (transmissions before or without subsequent acknowledgments).
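The session fields described in this table (BGP state, Connections established and dropped, Last reset, and the hop allowance line) are the ones worth tracking when monitoring peering health. The following is an added example, not Cisco code: it parses saved show bgp neighbors output and reports sessions that need review. The first neighbor is an excerpt of the sample output above, the second neighbor is constructed, and the `max_dropped` and `max_hops` thresholds are hypothetical policy values.

```python
import re
from typing import Dict, List, Optional

# Neighbor 1: excerpt of the sample output on this page.
# Neighbor 2: constructed for this example.
SAMPLE = """\
BGP neighbor is 10.108.50.2, remote AS 1, internal link
BGP version 4, remote router ID 192.168.252.252
BGP state = Established, up for 00:24:25
Last read 00:00:24, last write 00:00:24, hold time is 180, keepalive interval is
60 seconds
Message statistics:
Sent Rcvd
Opens: 3 3
Notifications: 0 0
Keepalives: 113 112
Connections established 3; dropped 2
Last reset 00:24:26, due to Peer closed the session
External BGP neighbor may be up to 2 hops away.
BGP neighbor is 192.0.2.9, remote AS 64500, external link
BGP version 4, remote router ID 0.0.0.0
BGP state = Active
Message statistics:
Sent Rcvd
Opens: 7 7
Notifications: 5 2
Keepalives: 40 38
Connections established 7; dropped 7
Last reset 00:01:10, due to Peer closed the session
External BGP neighbor may be up to 5 hops away.
"""

# One capture group per field; \s+ lets a value sit on a wrapped line.
FIELDS = {
    "remote_as": r"remote AS (\S+),",        # kept as text: may be asdot
    "link": r"(internal|external) link",
    "state": r"BGP state = (\w+)",
    "uptime": r"up for (\d+:\d{2}:\d{2})",
    "hold_time": r"hold time is (\d+)",
    "keepalive": r"keepalive interval is\s+(\d+) seconds",
    "established": r"Connections established (\d+)",
    "dropped": r"; dropped (\d+)",
    "last_reset": r"Last reset ([^,\s]+)",
    "reset_reason": r"Last reset \S+ due to (.+)",
    "max_hops": r"may be up to (\d+) hops away",
}
INT_FIELDS = {"hold_time", "keepalive", "established", "dropped", "max_hops"}


def hms_to_seconds(text: Optional[str]) -> Optional[int]:
    """Convert hh:mm:ss to seconds; any other format yields None."""
    if not text or not re.fullmatch(r"\d+:\d{2}:\d{2}", text):
        return None
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def parse_neighbors(output: str) -> List[Dict[str, object]]:
    neighbors = []
    # Each neighbor section begins with a "BGP neighbor is <address>" line.
    for block in re.split(r"^(?=BGP neighbor is )", output, flags=re.M):
        head = re.match(r"BGP neighbor is (\S+?),", block)
        if not head:
            continue
        rec: Dict[str, object] = {"neighbor": head.group(1)}
        for name, pattern in FIELDS.items():
            hit = re.search(pattern, block)
            value = hit.group(1) if hit else None
            if value is not None and name in INT_FIELDS:
                rec[name] = int(value)
            else:
                rec[name] = value
        rec["uptime_s"] = hms_to_seconds(rec["uptime"])
        notif = re.search(r"Notifications:\s+(\d+)\s+(\d+)", block)
        rec["notifications"] = (
            (int(notif.group(1)), int(notif.group(2))) if notif else None)
        neighbors.append(rec)
    return neighbors


def review(neighbors, max_dropped: int = 5, max_hops: int = 2) -> List[str]:
    """Return one finding per condition that needs an operator's attention."""
    findings = []
    for n in neighbors:
        who = f"{n['neighbor']} (AS {n['remote_as']})"
        if n["state"] != "Established":
            findings.append(f"{who}: session is {n['state']}, not Established")
        if (n["dropped"] or 0) > max_dropped:
            findings.append(f"{who}: {n['dropped']} dropped sessions, last reset "
                            f"{n['last_reset']} ago ({n['reset_reason']})")
        if n["link"] == "external" and (n["max_hops"] or 0) > max_hops:
            findings.append(f"{who}: hop allowance {n['max_hops']} exceeds "
                            f"policy limit {max_hops}")
    return findings


if __name__ == "__main__":
    for finding in review(parse_neighbors(SAMPLE)):
        print(finding)
```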

show bgp neighbors advertised-routes: Example

The following example displays routes advertised for only the 172.16.232.178 neighbor:

ciscoasa# show bgp neighbors 172.16.232.178 advertised-routes
BGP table version is 27, local router ID is 172.16.232.181
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>i10.0.0.0 172.16.232.179 0 100 0 ?
*> 10.20.2.0 10.0.0.0 0 32768 i

Table 4-12 shows each field description.

 

Table 4-12 show bgp neighbors advertised routes Fields

Field
Description

BGP table version

Internal version number of the table. This number is incremented whenever the table changes.

local router ID

IP address of the router.

Status codes

Status of the table entry. The status is displayed at the beginning of each line in the table. It can be one of the following values:

s—The table entry is suppressed.

*—The table entry is valid.

>—The table entry is the best entry to use for that network.

i—The table entry was learned via an internal BGP (iBGP) session.

Origin codes

Origin of the entry. The origin code is placed at the end of each line in the table. It can be one of the following values:

i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised with a network router configuration command.

e—Entry originated from an Exterior Gateway Protocol (EGP).

?—Origin of the path is not clear. Usually, this is a route that is redistributed into BGP from an IGP.

Network

Internet address of the network the entry describes.

Next Hop

IP address of the next system that is used when forwarding a packet to the destination network. An entry of 0.0.0.0 indicates that the access server has some non-BGP route to this network.

Metric

If shown, the value of the inter autonomous system metric.

LocPrf

Local preference value as set with the set local-preference route-map configuration command. The default value is 100.

Weight

Weight of the route as set via autonomous system filters.

Path

Autonomous system paths to the destination network. There can be one entry in this field for each autonomous system in the path. At the end of the path is the origin code for the path:

i—The entry was originated with the IGP and advertised with a network router configuration command.

e—The route originated with EGP.

?—The origin of the path is not clear. Usually this is a path that is redistributed into BGP from an IGP.

show bgp neighbors paths: Example

The following is example output from the show bgp neighbors command entered with the paths keyword:

ciscoasa# show bgp neighbors 172.29.232.178 paths ^10
Address Refcount Metric Path
0x60E577B0 2 40 10 ?

Table 4-13 shows each field description.

 

Table 4-13 show bgp neighbors paths Fields

Field
Description

Address

Internal address where the path is stored.

Refcount

Number of routes using that path.

Metric

Multi Exit Discriminator (MED) metric for the path. (The name of this metric for BGP versions 2 and 3 is INTER_AS.)

Path

Autonomous system path for that route, followed by the origin code for that route.

show bgp neighbors received prefix-filter: Example

The following example shows that a prefix-list that filters all routes in the 10.0.0.0 network has been received from the 192.168.20.72 neighbor:

ciscoasa# show bgp neighbors 192.168.20.72 received prefix-filter
Address family:IPv4 Unicast
ip prefix-list 192.168.20.72:1 entries
seq 5 deny 10.0.0.0/8 le 32

Table 4-14 shows each field description.

 

Table 4-14 show bgp neighbors received prefix filter Fields

Field
Description

Address family

Address family mode in which the prefix filter is received.

ip prefix-list

Prefix list sent from the specified neighbor.

show bgp neighbors policy: Example

The following sample output shows the policies applied to the neighbor at 192.168.1.2. The output displays policies configured on the neighbor device.

ciscoasa# show bgp neighbors 192.168.1.2 policy
Neighbor: 192.168.1.2, Address-Family: IPv4 Unicast
Locally configured policies:
route-map ROUTE in
Inherited polices:
prefix-list NO-MARKETING in
route-map ROUTE in
weight 300
maximum-prefix 10000

 

show bgp neighbors: Example

The following is sample output from the show bgp neighbors command that verifies that BGP TCP path maximum transmission unit (MTU) discovery is enabled for the BGP neighbor at 172.16.1.2:

ciscoasa# show bgp neighbors 172.16.1.2
BGP neighbor is 172.16.1.2, remote AS 45000, internal link
BGP version 4, remote router ID 172.16.1.99
.
.
.
For address family: IPv4 Unicast
BGP table version 5, neighbor version 5/0
.
.
.
Address tracking is enabled, the RIB does have a route to 172.16.1.2
Address tracking requires at least a /24 route to the peer
Connections established 3; dropped 2
Last reset 00:00:35, due to Router ID changed
Transport(tcp) path-mtu-discovery is enabled
.
.
.
SRTT: 146 ms, RTTO: 1283 ms, RTV: 1137 ms, KRTT: 0 ms
minRTT: 8 ms, maxRTT: 300 ms, ACK hold: 200 ms
Flags: higher precedence, retransmission timeout, nagle, path mtu capable

The following is partial output from the show bgp neighbors command that verifies the status of the BGP graceful restart capability for the external BGP peer at 192.168.3.2. Graceful restart is shown as disabled for this BGP peer.

ciscoasa# show bgp neighbors 192.168.3.2
BGP neighbor is 192.168.3.2, remote AS 50000, external link
Inherits from template S2 for session parameters
BGP version 4, remote router ID 192.168.3.2
BGP state = Established, up for 00:01:41
Last read 00:00:45, last write 00:00:45, hold time is 180, keepalive intervals
Neighbor sessions:
1 active, is multisession capable
Neighbor capabilities:
Route refresh: advertised and received(new)
Address family IPv4 Unicast: advertised and received
.
.
.
Address tracking is enabled, the RIB does have a route to 192.168.3.2
Connections established 1; dropped 0
Last reset never
Transport(tcp) path-mtu-discovery is enabled
Graceful-Restart is disabled
Connection state is ESTAB, I/O status: 1, unread input bytes: 0

show bgp paths

To display all the BGP paths in the database, use the show bgp paths command in EXEC mode.

show bgp paths

Cisco 10000 Series Router

show bgp paths regexp

 
Syntax Description

regexp

Regular expression to match the BGP autonomous system paths.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode: Privileged EXEC, User EXEC

  • Firewall Mode, Routed: Yes
  • Firewall Mode, Transparent: Yes
  • Security Context, Single: Yes
  • Security Context, Multiple (Context): Yes
  • Security Context, Multiple (System): Yes

 
Command History

Release
Modification

9.2(1)

The command was introduced.

Examples

The following is sample output from the show bgp paths command in privileged EXEC mode:

ciscoasa# show bgp paths
Address Hash Refcount Metric Path
0x60E5742C 0 1 0 i
0x60E3D7AC 2 1 0 ?
0x60E5C6C0 11 3 0 10 ?
0x60E577B0 35 2 40 10 ?

Table 4-15 shows each field description.

 

Table 4-15 show bgp paths Fields

Field
Description

Address

Internal address where the path is stored.

Hash

Hash bucket where path is stored.

Refcount

Number of routes using that path.

Metric

The Multi Exit Discriminator (MED) metric for the path. (The name of this metric for BGP versions 2 and 3 is INTER_AS.)

Path

The autonomous system path for that route, followed by the origin code for that route.

show bgp policy-list

To display information about a configured policy list and policy list entries, use the show bgp policy-list command in user EXEC mode.

show bgp policy-list [policy-list-name]

 
Syntax Description

policy-list-name

(Optional) Displays information about the specified policy list with this argument.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode: Privileged EXEC, User EXEC

  • Firewall Mode, Routed: Yes
  • Firewall Mode, Transparent: Yes
  • Security Context, Single: Yes
  • Security Context, Multiple (Context): Yes
  • Security Context, Multiple (System): Yes

 
Command History

Release
Modification

9.2(1)

The command was introduced.

Examples

The following is sample output from the show bgp policy-list command. The output of this command will display the policy-list name and configured match clauses. The following sample output is similar to the output that will be displayed:

ciscoasa# show bgp policy-list
policy-list POLICY-LIST-NAME-1 permit
Match clauses:
metric 20
policy-list POLICY-LIST-NAME-2 permit
Match clauses:
as-path (as-path filter): 1

 

show bgp prefix-list

To display information about a prefix list or prefix list entries, use the show bgp prefix-list command in user or privileged EXEC mode.

show bgp prefix-list [detail | summary] [prefix-list-name [seq sequence-number | network/length [longer | first-match]]]

 
Syntax Description

detail | summary

(Optional) Displays detailed or summarized information about all prefix lists.

first-match

(Optional) Displays the first entry of the specified prefix list that matches the given network/length.

longer

(Optional) Displays all entries of the specified prefix list that match or are more specific than the given network/length.

network/length

(Optional) Displays all entries in the specified prefix list that use this network address and netmask length (in bits).

prefix-list-name

(Optional) Displays the entries in a specific prefix list.

seq sequence-number

(Optional) Displays only the prefix list entry with the specified sequence number in the specified prefix-list.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode: Privileged EXEC, User EXEC

  • Firewall Mode, Routed: Yes
  • Firewall Mode, Transparent: Yes
  • Security Context, Single: Yes
  • Security Context, Multiple (Context): Yes
  • Security Context, Multiple (System): Yes

 
Command History

Release
Modification

9.2(1)

The command was introduced.

Examples

The following example shows the output of the show bgp prefix-list command with details about the prefix list named test:

ciscoasa# show bgp prefix-list detail test
ip prefix-list test:
Description: test-list
count: 1, range entries: 0, sequences: 10 - 10, refcount: 3
seq 10 permit 10.0.0.0/8 (hit count: 0, refcount: 1)

show bgp regexp

To display routes matching the autonomous system path regular expression, use the show bgp regexp command in EXEC mode.

show bgp regexp regexp

 
Syntax Description

regexp

Regular expression to match the BGP autonomous system paths.

For more details about autonomous system number formats, see the router bgp command.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode: Privileged EXEC, User EXEC

  • Firewall Mode, Routed: Yes
  • Firewall Mode, Transparent: Yes
  • Security Context, Single: Yes
  • Security Context, Multiple (Context): Yes
  • Security Context, Multiple (System): Yes

 
Command History

Release
Modification

9.2(1)

The command was introduced.

 
Usage Guidelines

The Cisco implementation of 4-byte autonomous system numbers uses asplain (65538, for example) as the default regular expression match and output display format for autonomous system numbers, but you can configure 4-byte autonomous system numbers in both the asplain format and the asdot format as described in RFC 5396. To change the default regular expression match and output display of 4-byte autonomous system numbers to asdot format, use the bgp asnotation dot command followed by the clear bgp * command to perform a hard reset of all current BGP sessions.

To ensure a smooth transition, we recommend that all BGP speakers within an autonomous system that is identified using a 4-byte autonomous system number are upgraded to support 4-byte autonomous system numbers.

Examples

The following is sample output from the show bgp regexp command in privileged EXEC mode:

Router# show bgp regexp 108$
BGP table version is 1738, local router ID is 172.16.72.24
Status codes: s suppressed, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* 172.16.0.0 172.16.72.30 0 109 108 ?
* 172.16.1.0 172.16.72.30 0 109 108 ?
* 172.16.11.0 172.16.72.30 0 109 108 ?
* 172.16.14.0 172.16.72.30 0 109 108 ?
* 172.16.15.0 172.16.72.30 0 109 108 ?
* 172.16.16.0 172.16.72.30 0 109 108 ?
* 172.16.17.0 172.16.72.30 0 109 108 ?
* 172.16.18.0 172.16.72.30 0 109 108 ?
* 172.16.19.0 172.16.72.30 0 109 108 ?
* 172.16.24.0 172.16.72.30 0 109 108 ?
* 172.16.29.0 172.16.72.30 0 109 108 ?
* 172.16.30.0 172.16.72.30 0 109 108 ?
* 172.16.33.0 172.16.72.30 0 109 108 ?
* 172.16.35.0 172.16.72.30 0 109 108 ?
* 172.16.36.0 172.16.72.30 0 109 108 ?
* 172.16.37.0 172.16.72.30 0 109 108 ?
* 172.16.38.0 172.16.72.30 0 109 108 ?
* 172.16.39.0 172.16.72.30 0 109 108 ?

After the bgp asnotation dot command is configured, the regular expression match format for 4-byte autonomous system paths is changed to asdot notation format. Although a 4-byte autonomous system number can be configured in a regular expression using either asplain or asdot format, only 4-byte autonomous system numbers configured using the current default format are matched. In the first example, the show bgp regexp command is configured with a 4-byte autonomous system number in asplain format. The match fails because the default format is currently asdot format and there is no output. In the second example using asdot format, the match passes and the information about the 4-byte autonomous system path is shown using the asdot notation.


Note: The asdot notation uses a period, which is a special character in Cisco regular expressions. To remove the special meaning, use a backslash before the period.


Router# show bgp regexp ^65536$
Router# show bgp regexp ^1\.0$
BGP table version is 2, local router ID is 172.17.1.99
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.1.1.0/24 192.168.1.2 0 0 1.0 i

The following is sample output from the show bgp regexp command after the bgp asnotation dot command has been entered to display 4-byte autonomous system numbers.


Note: The asdot notation uses a period, which is a special character in Cisco regular expressions. To remove the special meaning, use a backslash before the period.


Router# show bgp regexp ^1\.14$
BGP table version is 4, local router ID is 172.17.1.99
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.1.1.0/24 192.168.1.2 0 0 1.14 i
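
The asplain/asdot mismatch described above can be reproduced offline. The following Python sketch is an added example, not Cisco code: it converts between the two RFC 5396 notations, builds the escaped pattern to give to show bgp regexp, and shows why an unescaped period over-matches. The function names are hypothetical, and Python's re module stands in for the Cisco regular expression engine, an assumption that holds only for the ^, $ and \. constructs used here.

```python
import re
from typing import Sequence

ASN_MAX = 0xFFFFFFFF  # 4-byte AS numbers are unsigned 32-bit values


def asplain_to_asdot(asn: int) -> str:
    """Render an AS number in asdot: high.low for values above 65535."""
    if not 0 <= asn <= ASN_MAX:
        raise ValueError(f"AS number out of range: {asn}")
    if asn <= 0xFFFF:
        return str(asn)  # 2-byte AS numbers look the same in both formats
    return f"{asn >> 16}.{asn & 0xFFFF}"


def asdot_to_asplain(text: str) -> int:
    """Parse asplain ("65550") or asdot ("1.14") text into the integer value."""
    parts = text.split(".")
    if len(parts) > 2 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not an AS number: {text!r}")
    if len(parts) == 2:
        high, low = int(parts[0]), int(parts[1])
        if high > 0xFFFF or low > 0xFFFF:
            raise ValueError(f"asdot field above 65535: {text!r}")
        return (high << 16) | low
    asn = int(parts[0])
    if asn > ASN_MAX:
        raise ValueError(f"AS number out of range: {text!r}")
    return asn


def display_form(asn: int, asdot_enabled: bool) -> str:
    """AS number as shown (and matched) with or without bgp asnotation dot."""
    return asplain_to_asdot(asn) if asdot_enabled else str(asn)


def exact_path_regex(asn: int, asdot_enabled: bool) -> str:
    """Pattern matching a path that consists of exactly this one AS number.

    The period of asdot notation is escaped so that it matches only a
    literal period, as the Note above requires.
    """
    token = display_form(asn, asdot_enabled).replace(".", r"\.")
    return f"^{token}$"


def pattern_matches(pattern: str, path: Sequence[int], asdot_enabled: bool) -> bool:
    """Apply a pattern to the AS path text in the currently active format.

    Assumption: Python's re behaves like the device's matcher for the
    simple anchors and escapes used in this example.
    """
    shown = " ".join(display_form(asn, asdot_enabled) for asn in path)
    return re.search(pattern, shown) is not None


if __name__ == "__main__":
    # AS numbers taken from the examples on this page.
    for asn in (65536, 65538, 65550):
        print(asn, "->", asplain_to_asdot(asn), exact_path_regex(asn, True))
    # asplain pattern while asdot is the active format: no match, no output.
    print(pattern_matches("^65536$", [65536], asdot_enabled=True))
    # Unescaped period also matches the unrelated 2-byte AS 110.
    print(pattern_matches("^1.0$", [110], asdot_enabled=True))
```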
 

show bgp replication

To display update replication statistics for Border Gateway Protocol (BGP) update groups, use the show bgp replication command in EXEC mode.

show bgp replication [index-group | ip-address]

 
Syntax Description

index-group

(Optional) Displays update replication statistics for the update group with the corresponding index number. The range of update-group index numbers is from 1 to 4294967295.

ip-address

(Optional) Displays update replication statistics for this neighbor.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode: Privileged EXEC, User EXEC

  • Firewall Mode, Routed: Yes
  • Firewall Mode, Transparent: Yes
  • Security Context, Single: Yes
  • Security Context, Multiple (Context): Yes
  • Security Context, Multiple (System): Yes

 
Command History

Release
Modification

9.2(1)

The command was introduced.

 
Usage Guidelines

The output of this command displays BGP update-group replication statistics.

When a change to outbound policy occurs, the router automatically recalculates update-group memberships and applies the changes by triggering an outbound soft reset after a 3-minute timer expires. This behavior is designed to provide the network operator with time to change the configuration if a mistake is made. You can manually enable an outbound soft reset before the timer expires by entering the clear bgp ip-address soft out command.

Examples

The following sample output from the show bgp replication command shows update-group replication information for all neighbors:

ciscoasa# show bgp replication
BGP Total Messages Formatted/Enqueued : 0/0
Index Type Members Leader MsgFmt MsgRepl Csize Qsize
1 internal 1 10.4.9.21 0 0 0 0
2 internal 2 10.4.9.5 0 0 0 0

The following sample output from the show bgp replication command shows update-group statistics for the 10.4.9.5 neighbor:

Router# show bgp replication 10.4.9.5
Index Type Members Leader MsgFmt MsgRepl Csize Qsize
2 internal 2 10.4.9.5 0 0 0 0
 

Table 4-16 shows each field description.

 

Table 4-16 show bgp replication Fields

Field
Description

Index

Index number of the update group.

Type

Type of peer (internal or external).

Members

Number of members in the dynamic update peer group.

Leader

First member of the dynamic update peer group.

show bgp rib-failure

To display Border Gateway Protocol (BGP) routes that failed to install in the Routing Information Base (RIB) table, use the show bgp rib-failure command in privileged EXEC mode.

show bgp rib-failure

 
Syntax Description

This command has no keywords or arguments.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode: Privileged EXEC, User EXEC

  • Firewall Mode, Routed: Yes
  • Firewall Mode, Transparent: Yes
  • Security Context, Single: Yes
  • Security Context, Multiple (Context): Yes
  • Security Context, Multiple (System): Yes

 
Command History

Release
Modification

9.2(1)

The command was introduced.

Examples

The following is sample output from the show bgp rib-failure command:

ciscoasa# show bgp rib-failure
Network Next Hop RIB-failure RIB-NH Matches
10.1.15.0/24 10.1.35.5 Higher admin distance n/a
10.1.16.0/24 10.1.15.1 Higher admin distance n/a
 

Table 4-17 shows each field description.

 

Table 4-17 show bgp rib-failure Fields

Field
Description

Network

IP address of a network entity.

Next Hop

IP address of the next system that is used when forwarding a packet to the destination network. An entry of 0.0.0.0 indicates that the router has some non-BGP routes to this network.

RIB-failure

Cause of RIB failure. Higher admin distance means that a route with a better (lower) administrative distance such as a static route already exists in the IP routing table.

RIB-NH Matches

Route status that applies only when Higher admin distance appears in the RIB-failure column and bgp suppress-inactive is configured for the address family being used. There are three choices:

  • Yes—Means that the route in the RIB has the same next hop as the BGP route or next hop recurses down to the same adjacency as the BGP nexthop.
  • No—Means that the next hop in the RIB recurses down differently from the next hop of the BGP route.
  • n/a—Means that bgp suppress-inactive is not configured for the address family being used.

show bgp summary

To display the status of all Border Gateway Protocol (BGP) connections, use the show bgp summary command in user EXEC or privileged EXEC mode.

show bgp summary

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode: Privileged EXEC, User EXEC

  • Firewall Mode, Routed: Yes
  • Firewall Mode, Transparent: Yes
  • Security Context, Single: Yes
  • Security Context, Multiple (Context): Yes
  • Security Context, Multiple (System): Yes

 
Command History

Release
Modification

9.2(1)

The command was introduced.

 
Usage Guidelines

The show bgp summary command is used to display BGP path, prefix, and attribute information for all connections to BGP neighbors.

A prefix is an IP address and network mask. It can represent an entire network, a subset of a network, or a single host route. A path is a route to a given destination. By default, BGP will install only a single path for each destination. If multipath routes are configured, BGP will install a path entry for each multipath route, and only one multipath route will be marked as the bestpath.

BGP attribute and cache entries are displayed individually and in combinations that affect the bestpath selection process. The fields for this output are displayed when the related BGP feature is configured or attribute is received. Memory usage is displayed in bytes.

The Cisco implementation of 4-byte autonomous system numbers uses asplain—65538 for example—as the default regular expression match and output display format for autonomous system numbers, but you can configure 4-byte autonomous system numbers in both the asplain format and the asdot format as described in RFC 5396. To change the default regular expression match and output display of 4-byte autonomous system numbers to asdot format, use the bgp asnotation dot command followed by the clear bgp * command to perform a hard reset of all current BGP sessions.

Examples

The following is sample output from the show bgp summary command in privileged EXEC mode:

Router# show bgp summary
BGP router identifier 172.16.1.1, local AS number 100
BGP table version is 199, main routing table version 199
37 network entries using 2850 bytes of memory
59 path entries using 5713 bytes of memory
18 BGP path attribute entries using 936 bytes of memory
2 multipath network entries and 4 multipath paths
10 BGP AS-PATH entries using 240 bytes of memory
7 BGP community entries using 168 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
90 BGP advertise-bit cache entries using 1784 bytes of memory
36 received paths for inbound soft reconfiguration
BGP using 34249 total bytes of memory
Dampening enabled. 4 history paths, 0 dampened paths
BGP activity 37/2849 prefixes, 60/1 paths, scan interval 15 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.100.1.1 4 200 26 22 199 0 0 00:14:23 23
10.200.1.1 4 300 21 51 199 0 0 00:13:40 0

Table 4-18 shows each field description.

 

Table 4-18 show bgp summary Fields

Field
Description

BGP router identifier

In order of precedence and availability, the router identifier specified by the bgp router-id command, a loopback address, or the highest IP address.

BGP table version

Internal version number of BGP database.

main routing table version

Last version of BGP database that was injected into the main routing table.

...network entries

Number of unique prefix entries in the BGP database.

...using ... bytes of memory

Amount of memory, in bytes, that is consumed for the path, prefix, or attribute entry displayed on the same line.

...path entries using

Number of path entries in the BGP database. Only a single path entry will be installed for a given destination. If multipath routes are configured, a path entry will be installed for each multipath route.

...multipath network entries using

Number of multipath entries installed for a given destination.

* ...BGP path/bestpath attribute entries using

Number of unique BGP attribute combinations for which a path is selected as the bestpath.

* ...BGP rrinfo entries using

Number of unique ORIGINATOR and CLUSTER_LIST attribute combinations.

...BGP AS-PATH entries using

Number of unique AS_PATH entries.

...BGP community entries using

Number of unique BGP community attribute combinations.

*...BGP extended community entries using

Number of unique extended community attribute combinations.

BGP route-map cache entries using

Number of BGP route-map match and set clause combinations. A value of 0 indicates that the route cache is empty.

...BGP filter-list cache entries using

Number of filter-list entries that match an AS-path access list permit or deny statements. A value of 0 indicates that the filter-list cache is empty.

BGP advertise-bit cache entries using

(Cisco IOS Release 12.4(11)T and later releases only) Number of advertised bitfield entries and the associated memory usage. A bitfield entry represents a piece of information (one bit) that is generated when a prefix is advertised to a peer. The advertised bit cache is built dynamically when required.

...received paths for inbound soft reconfiguration

Number of paths received and stored for inbound soft reconfiguration.

BGP using...

Total amount of memory, in bytes, used by the BGP process.

Dampening enabled...

Indicates that BGP dampening is enabled. The number of paths that carry an accumulated penalty and the number of dampened paths are displayed on this line.

BGP activity...

Displays the number of times that memory has been allocated or released for a path or prefix.

Neighbor

IP address of the neighbor.

V

BGP version number spoken to the neighbor.

AS

Autonomous system number.

MsgRcvd

Number of messages received from the neighbor.

MsgSent

Number of messages sent to the neighbor.

TblVer

Last version of the BGP database that was sent to the neighbor.

InQ

Number of messages queued to be processed from the neighbor.

OutQ

Number of messages queued to be sent to the neighbor.

Up/Down

The length of time that the BGP session has been in the Established state, or the current status if not in the Established state.

State/PfxRcd

Current state of the BGP session, and the number of prefixes that have been received from a neighbor or peer group. When the maximum number (as set by the neighbor maximum-prefix command) is reached, the string "PfxRcd" appears in the entry, the neighbor is shut down, and the connection is set to Idle.

An (Admin) entry with Idle status indicates that the connection has been shut down using the neighbor shutdown command.
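
The State/PfxRcd column is the one to watch when monitoring peers: a number means the session is Established, while text means it is not. The following Python sketch is an added example, not Cisco code, that parses the neighbor table and separates the maximum-prefix and administrative shutdown cases described in Table 4-18 from other sessions that are down. The sample text is constructed for illustration, the state strings follow the field descriptions above, and all function and class names are hypothetical.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample (not captured from a device), laid out like the
# show bgp summary examples on this page.
CONSTRUCTED_SUMMARY = """\
ciscoasa# show bgp summary
BGP router identifier 192.168.3.1, local AS number 45000
BGP table version is 1, main routing table version 1
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.100.1.1 4 200 26 22 199 0 0 00:14:23 23
10.200.1.1 4 300 21 51 199 0 0 00:02:10 Idle (PfxRcd)
10.250.1.1 4 400 0 0 0 0 0 never Idle (Admin)
10.251.1.1 4 1.14 0 0 0 0 0 never Active
*192.168.3.2 4 50000 2 2 0 0 0 00:00:37 0
* Dynamically created based on a listen range command
"""

# One neighbor row: optional '*' (dynamic neighbor), address, version, AS
# (asplain or asdot), five counters, Up/Down, then State/PfxRcd to end of line.
ROW = re.compile(
    r"^(?P<dynamic>\*)?(?P<neighbor>\S+)\s+(?P<version>\d+)\s+(?P<asn>[\d.]+)\s+"
    r"(?P<rcvd>\d+)\s+(?P<sent>\d+)\s+(?P<tblver>\d+)\s+(?P<inq>\d+)\s+"
    r"(?P<outq>\d+)\s+(?P<updown>\S+)\s+(?P<state>.+?)\s*$"
)


@dataclass(frozen=True)
class Neighbor:
    address: str
    asn: str
    dynamic: bool            # created from a listen range group
    up_down: str
    state: str               # classification, see classify()
    prefixes: Optional[int]  # prefixes received, only when Established


def classify(state_text: str) -> str:
    """Map the State/PfxRcd text to a triage category."""
    if state_text.isdigit():
        return "established"
    if "PfxRcd" in state_text:
        return "max-prefix-reached"   # neighbor maximum-prefix limit hit
    if "Admin" in state_text:
        return "admin-shutdown"       # neighbor shutdown was configured
    return "not-established"


def parse_neighbors(text: str) -> List[Neighbor]:
    """Extract the neighbor rows that follow the 'Neighbor V AS ...' header."""
    neighbors = []
    in_table = False
    for line in text.splitlines():
        if line.split()[:3] == ["Neighbor", "V", "AS"]:
            in_table = True
            continue
        match = ROW.match(line.strip()) if in_table else None
        if match is None:
            continue
        try:
            ipaddress.ip_address(match["neighbor"])
        except ValueError:
            continue  # footer or other text that is not a neighbor row
        raw = match["state"]
        neighbors.append(Neighbor(
            address=match["neighbor"],
            asn=match["asn"],
            dynamic=match["dynamic"] is not None,
            up_down=match["updown"],
            state=classify(raw),
            prefixes=int(raw) if raw.isdigit() else None,
        ))
    return neighbors


def triage(neighbors: List[Neighbor]) -> Dict[str, str]:
    """Return only the neighbors whose session is not Established."""
    return {n.address: n.state for n in neighbors if n.state != "established"}


if __name__ == "__main__":
    for address, state in triage(parse_neighbors(CONSTRUCTED_SUMMARY)).items():
        print(f"{address}: {state}")
```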

The following output from the show bgp summary command shows that the BGP neighbor 192.168.3.2 was dynamically created and is a member of the listen range group, group192. The output also shows that the IP prefix range of 192.168.0.0/16 is defined for the listen range group named group192. In Cisco IOS Release 12.2(33)SXH and later releases, the BGP dynamic neighbor feature introduced the ability to support the dynamic creation of BGP neighbor peers using a subnet range associated with a peer group (listen range group).

ciscoasa# show bgp summary
BGP router identifier 192.168.3.1, local AS number 45000
BGP table version is 1, main routing table version 1
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
*192.168.3.2 4 50000 2 2 0 0 0 00:00:37 0
* Dynamically created based on a listen range command
Dynamically created neighbors: 1/(200 max), Subnet ranges: 1
BGP peergroup group192 listen range group members:
192.168.0.0/16

The following output from the show bgp summary command shows two BGP neighbors, 192.168.1.2 and 192.168.3.2, in different 4-byte autonomous system numbers, 65536 and 65550. The local autonomous system 65538 is also a 4-byte autonomous system number and the numbers are displayed in the default asplain format.

Router# show bgp summary
BGP router identifier 172.17.1.99, local AS number 65538
BGP table version is 1, main routing table version 1
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down Statd
192.168.1.2 4 65536 7 7 1 0 0 00:03:04 0
192.168.3.2 4 65550 4 4 1 0 0 00:00:15 0

The following output from the show bgp summary command shows the same two BGP neighbors, but the 4-byte autonomous system numbers are displayed in asdot notation format. To change the display format the bgp asnotation dot command must be configured in router configuration mode.

Router# show bgp summary
BGP router identifier 172.17.1.99, local AS number 1.2
BGP table version is 1, main routing table version 1
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down Statd
192.168.1.2 4 1.0 9 9 1 0 0 00:04:13 0
192.168.3.2 4 1.14 6 6 1 0 0 00:01:24 0

The following example displays sample output of the show bgp summary slow command:

ciscoasa> show bgp summary slow
BGP router identifier 2.2.2.2, local AS number 100
BGP table version is 37, main routing table version 37
36 network entries using 4608 bytes of memory
36 path entries using 1872 bytes of memory
1/1 BGP path/bestpath attribute entries using 124 bytes of memory
1 BGP rrinfo entries using 24 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
1 BGP extended community entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 6700 total bytes of memory
BGP activity 46/0 prefixes, 48/0 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
6.6.6.6 4 100 11 10 1 0 0 00:44:20 0

show bgp system-config

To display, from a user context, the running BGP configuration of the system context, use the show bgp system-config command in user or privileged EXEC mode.

show bgp system-config

 
Syntax Description

This command has no arguments or keywords.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC, User EXEC

  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

9.2(1)

The command was introduced.

 
Usage Guidelines

This command can be used only in user context without any arguments or keywords. This command can be useful for checking the running configuration enforced on user context by system context.

Examples

The following sample output is similar to the output that will be displayed when the show bgp system-config command is entered in user EXEC mode:

ciscoasa/c1(config)# show bgp system-config
router bgp 1
bgp log-neighbor-changes
no bgp always-compare-med
no bgp asnotation dot
no bgp bestpath med
no bgp bestpath compare-routerid
bgp default local-preference 100
no bgp deterministic-med
bgp enforce-first-as
bgp maxas-limit 0
bgp transport path-mtu-discovery
timers bgp 60 180 0
address-family ipv4 unicast
bgp scan-time 0
bgp nexthop trigger enable
bgp nexthop trigger delay 5
exit-address-family
 

show blocks

To show the packet buffer utilization, use the show blocks command in privileged EXEC mode.

show blocks [{ address hex | all | assigned | free | old | pool size [ summary ]} [ diagnostics | dump | header | packet ] | queue history | [ exhaustion snapshot | history [ list ] [ 1-MAX_NUM_SNAPSHOT | index ] [ detail ]]

 
Syntax Description

address hex

(Optional) Shows a block corresponding to this address, in hexadecimal.

all

(Optional) Shows all blocks.

assigned

(Optional) Shows blocks that are assigned and in use by an application.

detail

(Optional) Shows a portion (128 bytes) of the first block for each unique queue type.

dump

(Optional) Shows the entire block contents, including the header and packet information. The difference between dump and packet is that dump includes additional information between the header and the packet.

diagnostics

(Optional) Shows block diagnostics.

exhaustion snapshot

(Optional) Prints the last x number (x is currently 10) of snapshots that were taken and the time stamp of the last snapshot. After a snapshot is taken, another snapshot is not taken if less than 5 minutes has passed.

free

(Optional) Shows blocks that are available for use.

header

(Optional) Shows the header of the block.

history 1-MAX_NUM_SNAPSHOT

history index

history list

The history option displays recent and all snapshots in the history.

The history list option displays a summary of snapshots in the history.

The history index option displays the index of snapshots in the history.

The history 1-MAX_NUM_SNAPSHOT option displays only one snapshot in the history.

old

(Optional) Shows blocks that were assigned more than a minute ago.

packet

(Optional) Shows the header of the block as well as the packet contents.

pool size

(Optional) Shows blocks of a specific size.

queue history

(Optional) Shows where blocks are assigned when the ASA runs out of blocks. Sometimes, a block is allocated from the pool but never assigned to a queue. In that case, the location is the code address that allocated the block.

summary

(Optional) Shows detailed information about block usage sorted by the program addresses of applications that allocated blocks in this class, program addresses of applications that released blocks in this class, and the queues to which valid blocks in this class belong.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode: Privileged EXEC

  • Firewall Mode, Routed: Yes
  • Firewall Mode, Transparent: Yes
  • Security Context, Single: Yes
  • Security Context, Multiple (Context): Yes
  • Security Context, Multiple (System): Yes

 
Command History

Release
Modification

7.0(1)

The pool summary option was added.

8.0(2)

The dupb block uses 0 length blocks now instead of 4 byte blocks. An additional line was added for 0 byte blocks.

9.1(5)

The exhaustion snapshot, history list, history index, and history 1-MAX_NUM_SNAPSHOT options were added.

 
Usage Guidelines

The show blocks command helps you determine if the ASA is overloaded. This command lists preallocated system buffer utilization. A full memory condition is not a problem as long as traffic is moving through the ASA. You can use the show conn command to see if traffic is moving. If traffic is not moving and the memory is full, there may be a problem.

You can also view this information using SNMP.

The information shown in a security context includes the system-wide information as well as context-specific information about the blocks in use and the high water mark for block usage.

See the “Examples” section for a description of the display output.

Examples

The following is sample output from the show blocks command in single mode:

ciscoasa# show blocks
SIZE MAX LOW CNT
0 100 99 100
4 1600 1598 1599
80 400 398 399
256 3600 3540 3542
1550 4716 3177 3184
16384 10 10 10
2048 1000 1000 1000
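
The overload check described in the Usage Guidelines can be automated against collected show blocks output. The following Python sketch is an added example, not Cisco code: it parses the SIZE/MAX/LOW/CNT table and flags pools whose CNT is at or near 0 or whose LOW has reached 0, using the meanings given in Table 4-19. The 5 percent "near zero" threshold, the second sample, and all names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Sample output copied from the show blocks example on this page.
PAGE_SAMPLE = """\
ciscoasa# show blocks
SIZE MAX LOW CNT
0 100 99 100
4 1600 1598 1599
80 400 398 399
256 3600 3540 3542
1550 4716 3177 3184
16384 10 10 10
2048 1000 1000 1000
"""

# Constructed output (not from a device): the 256-byte pool is nearly empty
# now, and the 1550-byte pool was exhausted at some earlier point.
CONSTRUCTED_SAMPLE = """\
ciscoasa# show blocks
SIZE MAX LOW CNT
0 100 99 100
4 1600 1598 1599
80 400 398 399
256 3600 0 12
1550 4716 0 2900
16384 10 10 10
2048 1000 1000 1000
"""

# What depletion of a pool points to, summarized from Table 4-19.
ADVICE = {
    256: "Stateful Failover updates and syslog use this pool; check the "
         "logging trap level and the connection rate.",
    1550: "Ethernet packet buffers; the ASA drops packets when none are left.",
}


@dataclass(frozen=True)
class BlockPool:
    size: int      # block size in bytes
    maximum: int   # MAX: blocks available for this pool
    low: int       # LOW: low-water mark since boot or clear blocks
    cnt: int       # CNT: blocks currently available


def parse_show_blocks(text: str) -> List[BlockPool]:
    """Read the rows that follow the SIZE MAX LOW CNT header."""
    pools = []
    in_table = False
    for line in text.splitlines():
        fields = line.split()
        if fields == ["SIZE", "MAX", "LOW", "CNT"]:
            in_table = True
            continue
        if not in_table:
            continue
        if len(fields) == 4 and all(f.isdigit() for f in fields):
            pools.append(BlockPool(*(int(f) for f in fields)))
        elif fields:
            break  # first non-numeric line after the rows ends the table
    if not pools:
        raise ValueError("no SIZE/MAX/LOW/CNT table found")
    return pools


def assess_pool(pool: BlockPool, near_zero_ratio: float = 0.05) -> List[str]:
    """Return findings for one pool; an empty list means nothing to report."""
    findings = []
    # Assumption: "near 0" means CNT within 5% of MAX (at least 1 block).
    threshold = max(1, int(pool.maximum * near_zero_ratio))
    if pool.cnt <= threshold:
        findings.append("depleted-now")
    if pool.low == 0:
        findings.append("was-exhausted")  # a previous memory-full event
    return findings


def report(text: str, near_zero_ratio: float = 0.05) -> Dict[int, List[str]]:
    """Map block size to findings for every pool that has any."""
    result = {}
    for pool in parse_show_blocks(text):
        findings = assess_pool(pool, near_zero_ratio)
        if findings:
            result[pool.size] = findings
    return result


if __name__ == "__main__":
    for size, findings in report(CONSTRUCTED_SAMPLE).items():
        print(f"{size}-byte pool: {', '.join(findings)}. {ADVICE.get(size, '')}")
```

A depleted-now finding on its own is not proof of a fault; as the Usage Guidelines say, confirm with show conn whether traffic is still moving.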
 

Table 4-19 shows each field description.

 

Table 4-19 show blocks Fields

Field
Description

SIZE

Size, in bytes, of the block pool. Each size represents a particular type.

0

Used by dupb blocks.

4

Duplicates existing blocks in applications such as DNS, ISAKMP, URL filtering, uauth, TFTP, and TCP modules. Also, this sized block can be used normally by code to send packets to drivers, etc.

80

Used in TCP intercept to generate acknowledgment packets and for failover hello messages.

256

Used for Stateful Failover updates, syslogging, and other TCP functions.

These blocks are mainly used for Stateful Failover messages. The active ASA generates and sends packets to the standby ASA to update the translation and connection table. In bursty traffic, where high rates of connections are created or torn down, the number of available blocks might drop to 0. This situation indicates that one or more connections were not updated to the standby ASA. The Stateful Failover protocol catches the missing translation or connection the next time. If the CNT column for 256-byte blocks stays at or near 0 for extended periods of time, then the ASA is having trouble keeping the translation and connection tables synchronized because of the number of connections per second that the ASA is processing.

Syslog messages sent out from the ASA also use the 256-byte blocks, but they are generally not released in such quantity as to cause a depletion of the 256-byte block pool. If the CNT column shows that the number of 256-byte blocks is near 0, ensure that you are not logging at Debugging (level 7) to the syslog server. This is indicated by the logging trap line in the ASA configuration. We recommend that you set logging at Notification (level 5) or lower, unless you require additional information for debugging purposes.

1550

Used to store Ethernet packets for processing through the ASA.

When a packet enters an ASA interface, it is placed on the input interface queue, passed up to the operating system, and placed in a block. The ASA determines whether the packet should be permitted or denied based on the security policy and processes the packet through to the output queue on the outbound interface. If the ASA is having trouble keeping up with the traffic load, the number of available blocks will hover close to 0 (as shown in the CNT column of the command output). When the CNT column is zero, the ASA attempts to allocate more blocks. The maximum can be greater than 8192 for 1550-byte blocks if you issue this command. If no more blocks are available, the ASA drops the packet.

16384

Only used for the 64-bit, 66-MHz Gigabit Ethernet cards (i82543).

See the description for 1550 for more information about Ethernet packets.

2048

Control or guided frames used for control updates.

MAX

Maximum number of blocks available for the specified byte block pool. The maximum number of blocks is carved out of memory at bootup. Typically, the maximum number of blocks does not change. The exception is for the 256- and 1550-byte blocks, where the ASA can dynamically create more when needed. The maximum can be greater than 8192 for 1550-byte blocks if you issue this command.

LOW

Low-water mark. This number indicates the lowest number of blocks of this size available since the ASA was powered up, or since the last clearing of the blocks (with the clear blocks command). A zero in the LOW column indicates a previous event where memory was full.

CNT

Current number of blocks available for that specific size block pool. A zero in the CNT column means memory is full now.
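
The following Python example is added here and is not Cisco code. It parses show blocks output (single-mode or context form) and applies the LOW and CNT readings from Table 4-19, including the "stays at or near 0 for extended periods" case across repeated snapshots. The 1% "near 0" threshold, the three-snapshot window, and all function names are assumptions.

```python
"""Parse ASA `show blocks` output and apply the LOW/CNT reading from Table 4-19."""

# Assumption: "near 0" is taken as CNT at or below 1% of MAX; tune per platform.
NEAR_ZERO_FRACTION = 0.01

# Pool-specific follow-ups, paraphrased from the field descriptions above.
POOL_HINTS = {
    256: "Stateful Failover/syslog pool: check connections per second and "
         "that the logging trap level is not Debugging (7)",
    1550: "Ethernet packet pool: the ASA drops packets when none are left",
}

# Constructed input: the single-mode sample above with the 256-byte row
# changed to LOW=0, CNT=3 so that the checks have something to report.
SAMPLE = """\
ciscoasa# show blocks
SIZE MAX LOW CNT
0 100 99 100
4 1600 1598 1599
80 400 398 399
256 3600 0 3
1550 4716 3177 3184
16384 10 10 10
2048 1000 1000 1000
"""


def parse_show_blocks(text):
    """Return one dict per pool, keyed by the lower-cased column names.

    Handles the single-mode header (SIZE MAX LOW CNT) and the context
    header, which adds INUSE and HIGH.
    """
    columns, pools = None, []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "SIZE":
            columns = [name.lower() for name in fields]
            continue
        # Skip prompts and anything that is not a complete numeric row.
        if columns is None or len(fields) != len(columns):
            continue
        if not all(f.isdigit() for f in fields):
            continue
        pools.append(dict(zip(columns, (int(f) for f in fields))))
    return pools


def is_near_zero(pool, fraction=NEAR_ZERO_FRACTION):
    """True when CNT is at or below the chosen fraction of MAX."""
    return pool["cnt"] <= pool["max"] * fraction


def assess(pools, fraction=NEAR_ZERO_FRACTION):
    """Return (size, finding, hint) tuples for a single snapshot."""
    findings = []
    for pool in pools:
        hint = POOL_HINTS.get(pool["size"], "")
        if pool["cnt"] == 0:
            # CNT 0: memory for this pool is full now.
            findings.append((pool["size"], "full-now", hint))
            continue
        if is_near_zero(pool, fraction):
            findings.append((pool["size"], "near-zero", hint))
        if pool["low"] == 0:
            # LOW 0: the pool was exhausted at some point since boot
            # or since the last `clear blocks`.
            findings.append((pool["size"], "full-earlier", hint))
    return findings


def sustained_near_zero(snapshots, size, min_consecutive=3,
                        fraction=NEAR_ZERO_FRACTION):
    """True if the pool of `size` bytes is near zero in `min_consecutive`
    successive snapshots (oldest first)."""
    run = 0
    for pools in snapshots:
        pool = next((p for p in pools if p["size"] == size), None)
        if pool is not None and is_near_zero(pool, fraction):
            run += 1
            if run >= min_consecutive:
                return True
        else:
            run = 0
    return False


if __name__ == "__main__":
    for size, finding, hint in assess(parse_show_blocks(SAMPLE)):
        print(f"{size}-byte pool: {finding}. {hint}")
```

A single snapshot only shows the current and lowest counts; feed sustained_near_zero a series of polled outputs to separate a burst from a lasting shortage.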

The following is sample output from the show blocks all command:

ciscoasa# show blocks all
Class 0, size 4
Block allocd_by freed_by data size alloccnt dup_cnt oper location
0x01799940 0x00000000 0x00101603 0 0 0 alloc not_specified
0x01798e80 0x00000000 0x00101603 0 0 0 alloc not_specified
0x017983c0 0x00000000 0x00101603 0 0 0 alloc not_specified
 
...
 
Found 1000 of 1000 blocks
Displaying 1000 of 1000 blocks
 

Table 4-20 shows each field description.

 

Table 4-20 show blocks all Fields

Field
Description

Block

The block address.

allocd_by

The program address of the application that last used the block (0 if not used).

freed_by

The program address of the application that last released the block.

data size

The size of the application buffer/packet data that is inside the block.

alloccnt

The number of times this block has been used since the block came into existence.

dup_cnt

The current number of references to this block if used: 0 means 1 reference, 1 means 2 references.

oper

One of the four operations that was last performed on the block: alloc, get, put, or free.

location

The application that uses the block, or the program address of the application that last allocated the block (same as the allocd_by field).

The following is sample output from the show blocks command in a context:

ciscoasa/contexta# show blocks
SIZE MAX LOW CNT INUSE HIGH
4 1600 1599 1599 0 0
80 400 400 400 0 0
256 3600 3538 3540 0 1
1550 4616 3077 3085 0 0
 

The following is sample output from the show blocks queue history command:

ciscoasa# show blocks queue history
Each Summary for User and Queue_type is followed its top 5 individual queues
Block Size: 4
Summary for User "http", Queue "tcp_unp_c_in", Blocks 1595, Queues 1396
Blk_cnt Q_cnt Last_Op Queue_Type User Context
186 1 put contexta
15 1 put contexta
1 1 put contexta
1 1 put contextb
1 1 put contextc
Summary for User "aaa", Queue "tcp_unp_c_in", Blocks 220, Queues 200
Blk_cnt Q_cnt Last_Op Queue_Type User Context
21 1 put contexta
1 1 put contexta
1 1 put contexta
1 1 put contextb
1 1 put contextc
Blk_cnt Q_cnt Last_Op Queue_Type User Context
200 1 alloc ip_rx tcp contexta
108 1 get ip_rx udp contexta
85 1 free fixup h323_ras contextb
42 1 put fixup skinny contextb
 
Block Size: 1550
Summary for User "http", Queue "tcp_unp_c_in", Blocks 1595, Queues 1000
Blk_cnt Q_cnt Last_Op Queue_Type User Context
186 1 put contexta
15 1 put contexta
1 1 put contexta
1 1 put contextb
1 1 put contextc
...
 

The following is sample output from the show blocks queue history detail command:

ciscoasa# show blocks queue history detail
History buffer memory usage: 2136 bytes (default)
Each Summary for User and Queue type is followed its top 5 individual queues
Block Size: 4
Summary for User "http", Queue_Type "tcp_unp_c_in", Blocks 1595, Queues 1396
Blk_cnt Q_cnt Last_Op Queue_Type User Context
186 1 put contexta
15 1 put contexta
1 1 put contexta
1 1 put contextb
1 1 put contextc
First Block information for Block at 0x.....
dup_count 0, flags 0x8000000, alloc_pc 0x43ea2a,
start_addr 0xefb1074, read_addr 0xefb118c, write_addr 0xefb1193
urgent_addr 0xefb118c, end_addr 0xefb17b2
0efb1150: 00 00 00 03 47 c5 61 c5 00 05 9a 38 76 80 a3 00 | ....G.a....8v...
0efb1160: 00 0a 08 00 45 00 05 dc 9b c9 00 00 ff 06 f8 f3 | ....E...........
0efb1170: 0a 07 0d 01 0a 07 00 50 00 17 cb 3d c7 e5 60 62 | .......P...=..`b
0efb1180: 7e 73 55 82 50 18 10 00 45 ca 00 00 2d 2d 20 49 | ~sU.P...E...-- I
0efb1190: 50 20 2d 2d 0d 0a 31 30 2e 37 2e 31 33 2e 31 09 | P --..10.7.13.1.
0efb11a0: 3d 3d 3e 09 31 30 2e 37 2e 30 2e 38 30 0d 0a 0d | ==>.10.7.0.80...
 
Summary for User "aaa", Queue "tcp_unp_c_in", Blocks 220, Queues 200
Blk_cnt Q_cnt Last_Op Queue_Type User Context
21 1 put contexta
1 1 put contexta
1 1 put contexta
1 1 put contextb
1 1 put contextc
First Block information for Block at 0x.....
dup_count 0, flags 0x8000000, alloc_pc 0x43ea2a,
start_addr 0xefb1074, read_addr 0xefb118c, write_addr 0xefb1193
urgent_addr 0xefb118c, end_addr 0xefb17b2
0efb1150: 00 00 00 03 47 c5 61 c5 00 05 9a 38 76 80 a3 00 | ....G.a....8v...
0efb1160: 00 0a 08 00 45 00 05 dc 9b c9 00 00 ff 06 f8 f3 | ....E...........
0efb1170: 0a 07 0d 01 0a 07 00 50 00 17 cb 3d c7 e5 60 62 | .......P...=..`b
0efb1180: 7e 73 55 82 50 18 10 00 45 ca 00 00 2d 2d 20 49 | ~sU.P...E...-- I
0efb1190: 50 20 2d 2d 0d 0a 31 30 2e 37 2e 31 33 2e 31 09 | P --..10.7.13.1.
0efb11a0: 3d 3d 3e 09 31 30 2e 37 2e 30 2e 38 30 0d 0a 0d | ==>.10.7.0.80...
...
 
total_count: total buffers in this class
 

The following is sample output from the show blocks pool summary command:

ciscoasa# show blocks pool 1550 summary
Class 3, size 1550
 
=================================================
total_count=1531 miss_count=0
Alloc_pc valid_cnt invalid_cnt
0x3b0a18 00000256 00000000
0x01ad0760 0x01acfe00 0x01acf4a0 0x01aceb40 00000000 0x00000000
0x3a8f6b 00001275 00000012
0x05006aa0 0x05006140 0x050057e0 0x05004520 00000000
0x00000000
 
=================================================
total_count=9716 miss_count=0
Freed_pc valid_cnt invalid_cnt
0x9a81f3 00000104 00000007
0x05006140 0x05000380 0x04fffa20 0x04ffde00 00000000 0x00000000
0x9a0326 00000053 00000033
0x05006aa0 0x050057e0 0x05004e80 0x05003260 00000000 0x00000000
0x4605a2 00000005 00000000
0x04ff5ac0 0x01e8e2e0 0x01e2eac0 0x01e17d20 00000000 0x00000000
...
=================================================
total_count=1531 miss_count=0
Queue valid_cnt invalid_cnt
0x3b0a18 00000256 00000000 Invalid Bad qtype
0x01ad0760 0x01acfe00 0x01acf4a0 0x01aceb40 00000000 0x00000000
0x3a8f6b 00001275 00000000 Invalid Bad qtype
0x05006aa0 0x05006140 0x050057e0 0x05004520 00000000
0x00000000
 
=================================================
free_cnt=8185 fails=0 actual_free=8185 hash_miss=0
03a8d3e0 03a8b7c0 03a7fc40 03a6ff20 03a6f5c0 03a6ec60 kao-f1#
 

The following is sample output from the show blocks exhaustion history list command:

ciscoasa# show blocks exhaustion history list
1 Snapshot created at 18:01:03 UTC Feb 19 2014:
Snapshot created due to 16384 blocks running out
 
2 Snapshot created at 18:02:03 UTC Feb 19 2014:
Snapshot created due to 16384 blocks running out
 
3 Snapshot created at 18:03:03 UTC Feb 19 2014:
Snapshot created due to 16384 blocks running out
 
4 Snapshot created at 18:04:03 UTC Feb 19 2014:
Snapshot created due to 16384 blocks running out
 

Table 4-21 shows each field description.

 

Table 4-21 show blocks pool summary Fields

Field
Description

total_count

The number of blocks for a given class.

miss_count

The number of blocks not reported in the specified category due to technical reasons.

Freed_pc

The program addresses of applications that released blocks in this class.

Alloc_pc

The program addresses of applications that allocated blocks in this class.

Queue

The queues to which valid blocks in this class belong.

valid_cnt

The number of blocks that are currently allocated.

invalid_cnt

The number of blocks that are not currently allocated.

Invalid Bad qtype

Either this queue has been freed and the contents are invalid or this queue was never initialized.

Valid tcp_usr_conn_inp

The queue is valid.

 
Related Commands

Command
Description

blocks

Increases the memory assigned to block diagnostics.

clear blocks

Clears the system buffer statistics.

show conn

Shows active connections.

show boot device (IOS)

To view the default boot partition, use the show boot device command.

show boot device [ mod_num ]

 
Syntax Description

mod_num

(Optional) Specifies the module number. Use the show module command to view installed modules and their numbers.

 
Defaults

The default boot partition is cf:4.

 
Command Modes

Privileged EXEC.

 
Command History

Release
Modification

7.0(1)

This command was introduced.

Examples

The following is sample output from the show boot device command that shows the boot partitions for each installed ASA on Cisco IOS software:

Router# show boot device
[mod:1 ]:
[mod:2 ]:
[mod:3 ]:
[mod:4 ]: cf:4
[mod:5 ]: cf:4
[mod:6 ]:
[mod:7 ]: cf:4
[mod:8 ]:
[mod:9 ]:
 

 
Related Commands

Command
Description

boot device (IOS)

Sets the default boot partition.

show module (IOS)

Shows all installed modules.

show bootvar

To show the boot file and configuration properties, use the show bootvar command in privileged EXEC mode.

show bootvar

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.2(1)

This command was introduced.

 
Usage Guidelines

The BOOT variable specifies a list of bootable images on various devices. The CONFIG_FILE variable specifies the configuration file used during system initialization. Set these variables with the boot system command and boot config command, respectively.

Examples

The BOOT variable contains disk0:/f1_image, which is the image booted when the system reloads. The current value of BOOT is disk0:/f1_image; disk0:/f1_backupimage. This value means that the BOOT variable has been modified with the boot system command, but the running configuration has not been saved with the write memory command. When the running configuration is saved, the BOOT variable and current BOOT variable will both be disk0:/f1_image; disk0:/f1_backupimage. Assuming that the running configuration is saved, the boot loader will try to load the contents of the BOOT variable, starting with disk0:/f1_image, but if that is not present or invalid, the boot loader will try to boot disk0:/f1_backupimage.

The CONFIG_FILE variable points to the system startup configuration. In this example it is not set, so the startup configuration file is the default specified with the boot config command. The current CONFIG_FILE variable may be modified with the boot config command and saved with the write memory command.

The following is sample output from the show bootvar command:

ciscoasa# show bootvar
BOOT variable = disk0:/f1_image
Current BOOT variable = disk0:/f1_image; disk0:/f1_backupimage
CONFIG_FILE variable =
Current CONFIG_FILE variable =
ciscoasa#
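
The following Python example is added here and is not Cisco code. It reads show bootvar output and reports which variables differ between the saved and current values (changed but not yet saved with write memory), the image order the boot loader will use on the next reload, and whether the default startup configuration applies. Function and key names are assumptions.

```python
import re

# Matches the four lines of `show bootvar`; group 1 is set for the "Current" form.
LINE = re.compile(r"^(Current )?(BOOT|CONFIG_FILE) variable =\s*(.*)$")

# The sample output shown above, embedded so the example runs offline.
SAMPLE = """\
ciscoasa# show bootvar
BOOT variable = disk0:/f1_image
Current BOOT variable = disk0:/f1_image; disk0:/f1_backupimage
CONFIG_FILE variable =
Current CONFIG_FILE variable =
ciscoasa#
"""


def parse_show_bootvar(text):
    """Return {(name, scope): [entries]} with scope 'saved' or 'current'."""
    values = {}
    for raw in text.splitlines():
        match = LINE.match(raw.strip())
        if not match:
            continue
        scope = "current" if match.group(1) else "saved"
        # BOOT may list several images separated by ';', tried in order.
        entries = [e.strip() for e in match.group(3).split(";") if e.strip()]
        values[(match.group(2), scope)] = entries
    return values


def review(values):
    """Summarise what the next reload will use and what is still unsaved."""
    missing = [f"{scope} {name}"
               for name in ("BOOT", "CONFIG_FILE")
               for scope in ("saved", "current")
               if (name, scope) not in values]
    if missing:
        raise ValueError("incomplete show bootvar output: " + ", ".join(missing))
    unsaved = [name for name in ("BOOT", "CONFIG_FILE")
               if values[(name, "saved")] != values[(name, "current")]]
    return {
        # Variables changed with boot system / boot config but not saved.
        "unsaved": unsaved,
        # Images the boot loader tries, in order, if the ASA reloads now.
        "reload_order": values[("BOOT", "saved")],
        # Images it would try after the running configuration is saved.
        "order_after_write_memory": values[("BOOT", "current")],
        # An empty CONFIG_FILE means the default startup configuration is used.
        "default_startup_config": not values[("CONFIG_FILE", "saved")],
    }


if __name__ == "__main__":
    print(review(parse_show_bootvar(SAMPLE)))
```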
 

 
Related Commands

Command
Description

boot

Specifies the configuration file or image file used at startup.

show bridge-group

To show bridge group information such as interfaces assigned, MAC addresses, and IP addresses, use the show bridge-group command in privileged EXEC mode.

show bridge-group bridge-group-number

 
Syntax Description

bridge-group-number

Specifies the bridge group number as an integer between 1 and 100.

 
Command Default

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.4(1)

We introduced this command.

Examples

The following is sample output from the show bridge-group command with IPv4 addresses:

ciscoasa# show bridge-group 1
Interfaces: GigabitEthernet0/0.101, GigabitEthernet0/0.201
Management System IP Address: 10.0.1.1 255.255.255.0
Management Current IP Address: 10.0.1.1 255.255.255.0
Management IPv6 Global Unicast Address(es):
N/A
Static mac-address entries: 0
Dynamic mac-address entries: 2
 

The following is sample output from the show bridge-group command with IPv4 and IPv6 addresses:

ciscoasa# show bridge-group 1
Interfaces: GigabitEthernet0/0.101, GigabitEthernet0/0.201
Management System IP Address: 10.0.1.1 255.255.255.0
Management Current IP Address: 10.0.1.1 255.255.255.0
Management IPv6 Global Unicast Address(es):
2000:100::1, subnet is 2000:100::/64
2000:101::1, subnet is 2000:101::/64
2000:102::1, subnet is 2000:102::/64
Static mac-address entries: 0
Dynamic mac-address entries: 2
 

 
Related Commands

Command
Description

bridge-group

Groups transparent firewall interfaces into a bridge group.

clear configure interface bvi

Clears the bridge group interface configuration.

interface

Configures an interface.

interface bvi

Creates a bridge virtual interface.

ip address

Sets the management IP address for a bridge group.

show running-config interface bvi

Shows the bridge group interface configuration.

show call-home

To display the configured Call Home information, use the show call-home command in privileged EXEC mode.

[ cluster exec ] show call-home [ alert-group | detail | events | mail-server status | profile { profile_name | all } | statistics ]

 
Syntax Description

alert-group

(Optional) Displays the available alert group.

cluster exec

(Optional) In a clustering environment, enables you to issue the show call-home command in one unit and run the command in all the other units at the same time.

detail

(Optional) Displays the Call Home configuration in detail.

events

(Optional) Displays current detected events.

mail-server status

(Optional) Displays the Call Home mail server status information.

profile { profile_name | all }

(Optional) Displays configuration information for all existing profiles.

statistics

(Optional) Displays the Call Home statistics.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes

  • Yes

 
Command History

Release
Modification

8.2(2)

This command was introduced.

9.1(3)

A new type of Smart Call Home message has been added to include the output of the show cluster history command and show cluster info command.

Examples

The following is sample output from the show call-home command and displays the configured Call Home settings:

ciscoasa# show call-home
Current Smart Call-Home settings:
Smart Call-Home feature : enable
Smart Call-Home message's from address: from@example.com
Smart Call-Home message's reply-to address: reply-to@example.com
contact person's email address: example@example.com
contact person's phone: 111-222-3333
street address: 1234 Any Street, Any city, Any state, 12345
customer ID: ExampleCorp
contract ID: X123456789
site ID: SantaClara
Mail-server[1]: Address: smtp.example.com Priority: 1
Mail-server[2]: Address: 192.168.0.1 Priority: 10
Rate-limit: 60 message(s) per minute
Available alert groups:
Keyword State
------------------------ -------
Syslog Enable
diagnostic Enable
environmental Enable
inventory Enable
configuration Enable
firewall Enable
troubleshooting Enable
report Enable
Profiles:
Profile Name: CiscoTAC-1
Profile Name: prof1
Profile Name: prof2
 

The following is sample output from the show call-home detail command and displays detailed Call Home configuration information:

ciscoasa# show call-home detail
Description: Show smart call-home configuration in detail.
Supported Modes: single mode and system context in multi mode, routed/transparent.
Output:
Current Smart Call-Home settings:
Smart Call-Home feature: enable
Smart Call-Home message's from address: from@example.example.com
Smart Call-Home message's reply-to address: reply-to@example.example.com
contact person's email address: abc@example.com
contact person's phone: 111-222-3333
street address: 1234 Any Street, Any city, Any state, 12345
customer ID: 111111
contract ID: 123123
site ID: SantaClara
Mail-server[1]: Address: example.example.com Priority: 1
Mail-server[2]: Address: example.example.com Priority: 10
Rate-limit: 60 message(s) per minute
Available alert groups:
Keyword State
------------------------ -------
syslog Enable
diagnostic Enable
environmental Enable
inventory Enable
configuration Enable
firewall Enable
troubleshooting Enable
report Enable
Profiles:
Profile Name: CiscoTAC-1
Profile status: ACTIVE Preferred Message Format: xml
Message Size Limit: 3145728 Bytes
Email address(es): anstage@cisco.com
HTTP address(es): https://tools.cisco.com/its/service/oddce/services/DDCEService
Periodic inventory message is scheduled monthly at 01:00
Alert-group Severity
------------------------ ------------
inventory n/a
Profile Name: prof1
Profile status: ACTIVE Preferred Message Format: xml
Message Size Limit: 3145728 Bytes
Email address(es): example@example.com
HTTP address(es): https://kafan-lnx-01.cisco.com:8443/sch/sch.jsp
Periodic configuration message is scheduled daily at 01:00
Periodic inventory message is scheduled every 60 minutes
Alert-group Severity
------------------------ ------------
configuration n/a
inventory n/a
Profile Name: prof2
Profile status: ACTIVE Preferred Message Format: short-text
Message Size Limit: 1048576 Bytes
Email address(es): example@example.com
HTTP address(es): https://example.example.com:8443/sch/sch.jsp
Periodic configuration message is scheduled every 1 minutes
Periodic inventory message is scheduled every 1 minutes
Alert-group Severity
------------------------ ------------
configuration n/a
inventory n/a
 

The following is sample output from the show call-home events command and displays available Call Home events:

ciscoasa# show call-home events
Description: Show current detected events.
Supported Modes: single mode and system context in multi mode, routed/transparent.
Output:
Active event list:
Event client alert-group severity active (sec)
--------------------------------------------------------------------
Configuration Client configuration none 5
Inventory inventory none 15
 

The following is sample output from the show call-home mail-server status command and displays available Call Home mail-server status:

ciscoasa# show call-home mail-server status
Description: Show smart call-home configuration, status, and statistics.
Supported Modes: single mode and system context in multi mode, routed/transparent.
Output:
Mail-server[1]: Address: example.example.com Priority: 1 [Available]
Mail-server[2]: Address: example.example.com Priority: 10 [Not Available]

The following is sample output from the show call-home alert-group command and displays the available alert groups:

ciscoasa# show call-home alert-group
Description: Show smart call-home alert-group states.
Supported Modes: single mode and system context in multi mode, routed/transparent.
Output:
Available alert groups:
Keyword State
------------------------ -------
syslog Enable
diagnostic Enable
environmental Enable
inventory Enable
configuration Enable
firewall Enable
troubleshooting Enable
report Enable
 

The following is sample output from the show call-home profile profile-name | all command and displays information for all predefined and user-defined profiles:

ciscoasa# show call-home profile {profile-name | all}
Description: Show smart call-home profile configuration.
Supported Modes: single mode and system context in multi mode, routed/transparent.
Output:
Profiles:
Profile Name: CiscoTAC-1
Profile status: ACTIVE Preferred Message Format: xml
Message Size Limit: 3145728 Bytes
Email address(es): anstage@cisco.com
HTTP address(es): https://tools.cisco.com/its/service/oddce/services/DDCEService
Periodic inventory message is scheduled monthly at 01:00
Alert-group Severity
------------------------ ------------
inventory n/a
Profile Name: prof1
Profile status: ACTIVE Preferred Message Format: xml
Message Size Limit: 3145728 Bytes
Email address(es): example@example.com
HTTP address(es): https://example.example.com:8443/sch/sch.jsp
Periodic configuration message is scheduled daily at 01:00
Periodic inventory message is scheduled every 60 minutes
Alert-group Severity
------------------------ ------------
configuration n/a
inventory n/a
Profile Name: prof2
Profile status: ACTIVE Preferred Message Format: short-text
Message Size Limit: 1048576 Bytes
Email address(es): example@example.com
HTTP address(es): https://example.example.com:8443/sch/sch.jsp
Periodic configuration message is scheduled every 1 minutes
Periodic inventory message is scheduled every 1 minutes
Alert-group Severity
------------------------ ------------
configuration n/a
inventory n/a
 

The following is sample output from the show call-home statistics command and displays the call-home statistics:

ciscoasa# show call-home statistics
Description: Show smart call-home statistics.
Supported Modes: single mode and system context in multi mode, routed/transparent.
Output:
Message Types Total Email HTTP
-------------------- ---------------- ---------------- ----------------
Total Success 0 0 0
Total In-Queue 0 0 0
Total Dropped 5 4 1
Tx Failed 5 4 1
inventory 3 2 1
configuration 2 2 0
Event Types Total
-------------------- ----------------
Total Detected 2
inventory 1
configuration 1
Total In-Queue 0
Total Dropped 0
Last call-home message sent time: 2009-06-17 14:22:09 GMT-07:00
 

The following is sample output from the show call-home mail-server status command and displays the Call Home mail server status:

ciscoasa# show call-home mail-server status
Description: Show smart call-home configuration, status, and statistics.
Supported Modes: single mode and system context in multi mode, routed/transparent.
Output:
Mail-server[1]: Address: kafan-lnx-01.cisco.com Priority: 1 [Available]
Mail-server[2]: Address: kafan-lnx-02.cisco.com Priority: 10 [Not Available]

 

The following is sample output from the cluster exec show call-home statistics command and displays call-home statistics for a cluster:

ciscoasa(config)# cluster exec show call-home statistics
A(LOCAL):*************************************************************
Message Types Total Email HTTP
-------------------- ---------------- ---------------- ----------------
Total Success 3 3 0
test 3 3 0
 
Total In-Delivering 0 0 0
 
Total In-Queue 0 0 0
 
Total Dropped 8 8 0
Tx Failed 8 8 0
configuration 2 2 0
test 6 6 0
 
 
Event Types Total
-------------------- ----------------
Total Detected 10
configuration 1
test 9
 
Total In-Processing 0
 
Total In-Queue 0
 
Total Dropped 0
 
Last call-home message sent time: 2013-04-15 05:37:16 GMT+00:00
 
B:********************************************************************
Message Types Total Email HTTP
-------------------- ---------------- ---------------- ----------------
Total Success 1 1 0
test 1 1 0
 
Total In-Delivering 0 0 0
 
Total In-Queue 0 0 0
 
Total Dropped 2 2 0
Tx Failed 2 2 0
configuration 2 2 0
 
Event Types Total
-------------------- ----------------
Total Detected 2
configuration 1
test 1
 
Total In-Processing 0
 
Total In-Queue 0
 
Total Dropped 0
 
Last call-home message sent time: 2013-04-15 05:36:16 GMT+00:00
 
C:********************************************************************
Message Types Total Email HTTP
-------------------- ---------------- ---------------- ----------------
Total Success 0 0 0
 
Total In-Delivering 0 0 0
 
Total In-Queue 0 0 0
 
Total Dropped 2 2 0
Tx Failed 2 2 0
configuration 2 2 0
 
Event Types Total
-------------------- ----------------
Total Detected 1
configuration 1
 
Total In-Processing 0
 
Total In-Queue 0
 
Total Dropped 0
 
Last call-home message sent time: n/a
 
D:********************************************************************
Message Types Total Email HTTP
-------------------- ---------------- ---------------- ----------------
Total Success 1 1 0
test 1 1 0
 
Total In-Delivering 0 0 0
 
Total In-Queue 0 0 0
 
Total Dropped 2 2 0
Tx Failed 2 2 0
configuration 2 2 0
 
Event Types Total
-------------------- ----------------
Total Detected 2
configuration 1
test 1
 
Total In-Processing 0
 
Total In-Queue 0
 
Total Dropped 0
 
Last call-home message sent time: 2013-04-15 05:35:34 GMT+00:00
 
ciscoasa(config)#
 

 
Related Commands

Command
Description

call-home

Enters call home configuration mode.

call-home send alert-group

Sends a specific alert group message.

service call-home

Enables or disables Call Home.

show call-home registered-module status

To display the registered module status, use the show call-home registered-module status command in privileged EXEC mode.

show call-home registered-module status [ all ]


Note The [all] option is only valid in system context mode.


 
Syntax Description

all

Displays module status based on the device, not per context. In multiple context mode, if a module is enabled in at least one context, it is displayed as enabled if the “all” option is included.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes

  • Yes

 
Command History

Release
Modification

8.2(2)

This command was introduced.

Examples

The following example displays the show call-home registered-module status all output:

Output:
Module Name Status
---------------------------------------- --------------------
Smart Call-Home enabled
Failover Standby/Active

 
Related Commands

Command
Description

call-home

Enters call-home configuration mode.

call-home send alert-group

Sends a specific alert group message.

service call-home

Enables or disables Call Home.

show capture

To display the capture configuration when no options are specified, use the show capture command in privileged EXEC mode.

[ cluster exec ] show capture [ capture_name ] [ access-list access_list_name ] [ count number ] [ decode ] [ detail ] [ dump ] [ packet-number number ]

 
Syntax Description

access-list access_list_name

(Optional) Displays information for packets that are based on IP or higher fields for the specific access list identification.

capture_name

(Optional) Specifies the name of the packet capture.

cluster exec

(Optional) In a clustering environment, enables you to issue the show capture command in one unit and run the command in all the other units at the same time.

count number

(Optional) Displays the specified number of packets.

decode

This option is useful when a capture of type isakmp is applied to an interface. All ISAKMP data flowing through that interface will be captured after decryption and shown with more information after decoding the fields.

detail

(Optional) Displays additional protocol information for each packet.

dump

(Optional) Displays a hexadecimal dump of the packets that are transported over the data link.

packet-number number

Starts the display at the specified packet number.

 
Defaults

This command has no default settings.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

8.4(2)

Added detailed information in the output for IDS.

9.0(1)

The cluster exec option was added.

9.2(1)

The vpn-user domain name was changed to filter-aaa in the output.

9.3(1)

Added output for SGT plus Ethernet Tagging.

 
Usage Guidelines

If you specify the capture_name, then the capture buffer contents for that capture are displayed.

The dump keyword does not display MAC information in the hexadecimal dump.

The decoded output of the packets depends on the protocol of the packet. In Table 4-22, the bracketed output is displayed when you specify the detail keyword.

 

Table 4-22 Packet Capture Output Formats

Packet Type
Capture Output Format

802.1Q

HH:MM:SS.ms [ether-hdr] VLAN-info encap-ether-packet

ARP

HH:MM:SS.ms [ether-hdr] arp-type arp-info

IP/ICMP

HH:MM:SS.ms [ether-hdr] ip-source > ip-destination: icmp: icmp-type icmp-code [checksum-failure]

IP/UDP

HH:MM:SS.ms [ether-hdr] src-addr.src-port dest-addr.dst-port: [checksum-info] udp payload-len

IP/TCP

HH:MM:SS.ms [ether-hdr] src-addr.src-port dest-addr.dst-port: tcp-flags [header-check] [checksum-info] sequence-number ack-number tcp-window urgent-info tcp-options

IP/Other

HH:MM:SS.ms [ether-hdr] src-addr dest-addr: ip-protocol ip-length

Other

HH:MM:SS.ms ether-hdr: hex-dump

Examples

This example shows how to display the capture configuration:

ciscoasa(config)# show capture
capture arp ethernet-type arp interface outside
capture http access-list http packet-length 74 interface inside
 

This example shows how to display the packets that are captured by an ARP capture:

ciscoasa(config)# show capture arp
2 packets captured
19:12:23.478429 arp who-has 171.69.38.89 tell 171.69.38.10
19:12:26.784294 arp who-has 171.69.38.89 tell 171.69.38.10
2 packets shown
 

The following example shows how to display the packets that are captured on a single unit in a clustering environment:

ciscoasa(config)# show capture
capture 1 cluster type raw-data interface primary interface cluster [Buffer Full - 524187 bytes]
capture 2 type raw-data interface cluster [Capturing - 232354 bytes]
 

The following example shows how to display the packets that are captured on all units in a clustering environment:

ciscoasa(config)# cluster exec show capture
mycapture (LOCAL):----------------------------------------------------------
 
capture 1 type raw-data interface primary [Buffer Full - 524187 bytes]
capture 2 type raw-data interface cluster [Capturing - 232354 bytes]
 
yourcapture:----------------------------------------------------------------
capture 1 type raw-data interface primary [Capturing - 191484 bytes]
capture 2 type raw-data interface cluster [Capturing - 532354 bytes]
 

The following example shows the packets that are captured on the cluster control link in a clustering environment after the following commands are entered:

ciscoasa (config)# capture a interface cluster
ciscoasa (config)# capture cp interface cluster match udp any eq 49495 any
ciscoasa (config)# capture cp interface cluster match udp any any eq 49495
ciscoasa (config)# access-list cc1 extended permit udp any any eq 4193
ciscoasa (config)# access-list cc1 extended permit udp any eq 4193 any
ciscoasa (config)# capture dp interface cluster access-list cc1
ciscoasa (config)# capture lacp type lacp interface gigabitEthernet 0/0
 
ciscoasa(config)# show capture
capture a type raw-data interface cluster [Capturing - 970 bytes]
capture cp type raw-data interface cluster [Capturing - 26236 bytes]
match udp any eq 49495 any
capture dp type raw-data access-list cc1 interface cluster [Capturing - 4545230 bytes]
capture lacp type lacp interface gigabitEthernet0/0 [Capturing - 140 bytes]
 

The following example shows the packets that are captured when SGT plus Ethernet tagging has been enabled on an interface:

ciscoasa(config)# show capture my-inside-capture
1: 11:34:42.931012 INLINE-TAG 36 10.0.101.22 > 11.0.101.100: icmp: echo request
2: 11:34:42.931470 INLINE-TAG 48 11.0.101.100 > 10.0.101.22: icmp: echo reply
3: 11:34:43.932553 INLINE-TAG 36 10.0.101.22 > 11.0.101.100: icmp: echo request
4: 11:34:43.933164 INLINE-TAG 48 11.0.101.100 > 10.0.101.22: icmp: echo reply
 

Note: When SGT plus Ethernet tagging has been enabled on an interface, the interface can still receive tagged or untagged packets. The example shown is for tagged packets, which have INLINE-TAG 36 in the output. When the same interface receives untagged packets, the output remains unchanged (that is, no “INLINE-TAG 36” entry is included in the output).
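
The following added example (not part of the Cisco reference) parses show capture text for the two decoded formats sampled above, ARP and IPv4 ICMP, and separates ICMP flows that carry an INLINE-TAG from flows that arrive untagged on the same interface. The function names are this example's own, and packet 4 in the sample is constructed to illustrate the untagged case described in the Note.

```python
import re
from collections import Counter, defaultdict

# Optional "N: " packet index, then the HH:MM:SS.ms timestamp of Table 4-22.
LINE_RE = re.compile(
    r"^\s*(?:(?P<index>\d+):\s+)?(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<rest>.+?)\s*$"
)
# SGT plus Ethernet Tagging: tagged packets show "INLINE-TAG <n>" before the IP part.
TAG_RE = re.compile(r"^INLINE-TAG\s+(?P<sgt>\d+)\s+(?P<rest>.+)$")
# ARP row of Table 4-22: arp-type followed by arp-info.
ARP_RE = re.compile(r"^arp\s+(?P<arp_type>\S+)\s+(?P<arp_info>.+)$")
# IP/ICMP row: ip-source > ip-destination: icmp: icmp-type ... (IPv4 only here).
ICMP_RE = re.compile(
    r"^(?P<src>\d+(?:\.\d+){3})\s+>\s+(?P<dst>\d+(?:\.\d+){3}):\s+icmp:\s+(?P<icmp>.+)$"
)


def parse_line(line):
    """Return a dict for a packet line, or None for prompts and counter lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = {
        "index": int(m["index"]) if m["index"] else None,
        "time": m["ts"],
        "sgt": None,
        "type": "other",
        "detail": m["rest"],
    }
    rest = m["rest"]
    tag = TAG_RE.match(rest)
    if tag:
        pkt["sgt"] = int(tag["sgt"])
        rest = tag["rest"]
    arp = ARP_RE.match(rest)
    icmp = ICMP_RE.match(rest)
    if arp:
        pkt.update(type="arp", arp_type=arp["arp_type"], detail=arp["arp_info"])
    elif icmp:
        pkt.update(type="icmp", src=icmp["src"], dst=icmp["dst"], detail=icmp["icmp"])
    return pkt


def summarize(text):
    """Count packet types and split ICMP flows into tagged and untagged."""
    packets = [p for p in map(parse_line, text.splitlines()) if p]
    tags_by_flow = defaultdict(set)
    untagged = []
    for p in packets:
        if p["type"] != "icmp":
            continue
        flow = (p["src"], p["dst"])
        if p["sgt"] is None:
            if flow not in untagged:
                untagged.append(flow)
        else:
            tags_by_flow[flow].add(p["sgt"])
    return {
        "types": dict(Counter(p["type"] for p in packets)),
        "tags_by_flow": dict(tags_by_flow),
        "untagged": untagged,
    }


# Packets 1-3 and the ARP line are taken from the examples above;
# packet 4 is constructed (same format, no INLINE-TAG entry).
SAMPLE = """\
ciscoasa(config)# show capture my-inside-capture
1: 11:34:42.931012 INLINE-TAG 36 10.0.101.22 > 11.0.101.100: icmp: echo request
2: 11:34:42.931470 INLINE-TAG 48 11.0.101.100 > 10.0.101.22: icmp: echo reply
3: 11:34:43.932553 INLINE-TAG 36 10.0.101.22 > 11.0.101.100: icmp: echo request
4: 11:34:44.100200 10.0.101.77 > 11.0.101.100: icmp: echo request
19:12:23.478429 arp who-has 171.69.38.89 tell 171.69.38.10
2 packets shown
"""

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Formats from Table 4-22 that have no sample output on this page (UDP, TCP, 802.1Q) are returned with type "other" and the undecoded remainder in "detail".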


 
Related Commands

Command
Description

capture

Enables packet capture capabilities for packet sniffing and network fault isolation.

clear capture

Clears the capture buffer.

copy capture

Copies a capture file to a server.

show chardrop

To display the count of characters dropped from the serial console, use the show chardrop command in privileged EXEC mode.

show chardrop

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.2(1)

This command was introduced.

Examples

The following is sample output from the show chardrop command:

ciscoasa# show chardrop
Chars dropped pre-TxTimeouts: 0, post-TxTimeouts: 0
 

 
Related Commands

Command
Description

show running-config

Shows the current operating configuration.

show checkheaps

To show the checkheaps statistics, use the show checkheaps command in privileged EXEC mode. Checkheaps is a periodic process that verifies the sanity of the heap memory buffers (dynamic memory is allocated from the system heap memory region) and the integrity of the code region.

show checkheaps

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

Examples

The following is sample output from the show checkheaps command:

ciscoasa# show checkheaps
 
Checkheaps stats from buffer validation runs
--------------------------------------------
Time elapsed since last run : 42 secs
Duration of last run : 0 millisecs
Number of buffers created : 8082
Number of buffers allocated : 7808
Number of buffers free : 274
Total memory in use : 43570344 bytes
Total memory in free buffers : 87000 bytes
Total number of runs : 310

 
Related Commands

Command
Description

checkheaps

Sets the checkheap verification intervals.

show checksum

To display the configuration checksum, use the show checksum command in privileged EXEC mode.

show checksum

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

This command has no default settings.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.2(1)

We introduced this command.

 
Usage Guidelines

The show checksum command allows you to display four groups of hexadecimal numbers that act as a digital summary of the configuration contents. This checksum is calculated only when you store the configuration in flash memory.

If a dot (“.”) appears before the checksum in the show config or show checksum command output, the output indicates a normal configuration load or write mode indicator (when loading from or writing to the ASA flash partition). The “.” shows that the ASA is preoccupied with the operation but is not “hung up.” This message is similar to a “system processing, please wait” message.

Examples

This example shows how to display the configuration or the checksum:

ciscoasa(config)# show checksum
Cryptochecksum: 1a2833c0 129ac70b 1a88df85 650dbb81
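
As an added example (not part of the Cisco reference), the following normalizes the two Cryptochecksum renderings that appear on this page and reports when the value changes between polls, skipping reads taken while the dot indicator is present. It assumes that both renderings report the same quantity and that the dot is printed immediately before the label or the value; the poll labels, the busy read and the function names are constructed for the example.

```python
import re

# Matches "Cryptochecksum: 1a2833c0 129ac70b 1a88df85 650dbb81" (show checksum)
# and "Cryptochecksum:62bf8f5de9466cdb64fe758079594635:" (end of a saved config).
# Assumption: a busy indicator is one or more dots before the label or the value.
CHECKSUM_RE = re.compile(
    r"^[ \t]*(?P<lead>\.*)[ \t]*Cryptochecksum:[ \t]*(?P<mid>\.*)[ \t]*"
    r"(?P<hex>[0-9a-fA-F]{8}(?:[ \t]*[0-9a-fA-F]{8}){3}):?[ \t]*$",
    re.MULTILINE,
)


def read_checksum(output):
    """Return (32-char lowercase hex or None, busy flag) for one command output."""
    m = CHECKSUM_RE.search(output)
    if not m:
        return None, False
    busy = bool(m["lead"] or m["mid"])
    return re.sub(r"\s+", "", m["hex"]).lower(), busy


def change_points(polls):
    """polls: iterable of (label, output). Returns (changes, skipped labels)."""
    changes, skipped, last = [], [], None
    for label, output in polls:
        value, busy = read_checksum(output)
        if value is None or busy:
            # No checksum in the output, or a load/write was in progress:
            # do not compare, read again on the next poll.
            skipped.append(label)
            continue
        if last is not None and value != last:
            changes.append((label, last, value))
        last = value
    return changes, skipped


# t0/t1 use the show checksum sample above, t3 uses the trailer of a saved
# configuration; t2 (busy read) and t4 (no checksum) are constructed.
POLLS = [
    ("t0", "ciscoasa(config)# show checksum\nCryptochecksum: 1a2833c0 129ac70b 1a88df85 650dbb81\n"),
    ("t1", "ciscoasa(config)# show checksum\nCryptochecksum: 1a2833c0 129ac70b 1a88df85 650dbb81\n"),
    ("t2", "ciscoasa(config)# show checksum\n.Cryptochecksum: 0f0e0d0c 0b0a0908 07060504 03020100\n"),
    ("t3", "prompt hostname context\nCryptochecksum:62bf8f5de9466cdb64fe758079594635:\nend\n"),
    ("t4", "ciscoasa(config)# \n"),
]

if __name__ == "__main__":
    for label, old, new in change_points(POLLS)[0]:
        print(f"{label}: checksum changed {old} -> {new}")
```

Because the checksum is calculated only when the configuration is stored in flash memory, a change reported here corresponds to a saved configuration, not to unsaved edits.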
 

show chunkstat

To display the chunk statistics, use the show chunkstat command in privileged EXEC mode.

show chunkstat

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

Examples

This example shows how to display the chunk statistics:

ciscoasa# show chunkstat
Global chunk statistics: created 181, destroyed 34, siblings created 94, siblings destroyed 34
 
Per-chunk statistics: siblings created 0, siblings trimmed 0
Dump of chunk at 01edb4cc, name "Managed Chunk Queue Elements", data start @ 01edbd24, end @ 01eddc54
next: 01eddc8c, next_sibling: 00000000, prev_sibling: 00000000
flags 00000001
maximum chunk elt's: 499, elt size: 16, index first free 498
# chunks in use: 1, HWM of total used: 1, alignment: 0
Per-chunk statistics: siblings created 0, siblings trimmed 0
Dump of chunk at 01eddc8c, name "Registry Function List", data start @ 01eddea4, end @ 01ede348
next: 01ede37c, next_sibling: 00000000, prev_sibling: 00000000
flags 00000001
maximum chunk elt's: 99, elt size: 12, index first free 42
# chunks in use: 57, HWM of total used: 57, alignment: 0
 

 
Related Commands

Command
Description

show counters

Displays the protocol stack counters.

show cpu

Displays the CPU utilization information.

show class

To show the contexts assigned to a class, use the show class command in privileged EXEC mode.

show class name

 
Syntax Description

name

Specifies the name as a string up to 20 characters long. To show the default class, enter default for the name.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes

  • Yes

 
Command History

Release
Modification

7.2(1)

This command was introduced.

Examples

The following is sample output from the show class default command:

ciscoasa# show class default
 
Class Name Members ID Flags
default All 1 0001
 

 
Related Commands

Command
Description

class

Configures a resource class.

clear configure class

Clears the class configuration.

context

Configures a security context.

limit-resource

Sets the resource limit for a class.

member

Assigns a context to a resource class.

show clock

To view the time on the ASA, use the show clock command in user EXEC mode.

show clock [ detail ]

 
Syntax Description

detail

(Optional) Indicates the clock source (NTP or user configuration) and the current summer-time setting (if any).

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

Examples

The following is sample output from the show clock command:

ciscoasa# show clock
12:35:45.205 EDT Tue Jul 27 2004
 

The following is sample output from the show clock detail command:

ciscoasa# show clock detail
12:35:45.205 EDT Tue Jul 27 2004
Time source is user configuration
Summer time starts 02:00:00 EST Sun Apr 4 2004
Summer time ends 02:00:00 EDT Sun Oct 31 2004
 

 
Related Commands

Command
Description

clock set

Manually sets the clock on the ASA.

clock summer-time

Sets the date range to show daylight saving time.

clock timezone

Sets the time zone.

ntp server

Identifies an NTP server.

show ntp status

Shows the status of the NTP association.

show cluster

To view aggregated data for the entire cluster or other information, use the show cluster command in privileged EXEC mode.

show cluster { access-list [ acl_name ] | conn [ count ] | cpu [ usage ] | history | interface-mode | memory | resource usage | traffic | xlate count }

 
Syntax Description

access-list [ acl_name ]

Shows hit counters for access policies. To see the counters for a specific ACL, enter the acl_name.

conn [ count ]

Shows the aggregated count of in-use connections for all units. If you enter the count keyword, only the connection count is shown.

cpu [ usage ]

Shows CPU usage information.

history

Shows cluster switching history.

interface-mode

Shows the cluster interface mode, either spanned or individual.

memory

Shows system memory utilization and other information.

resource usage

Shows system resources and usage.

traffic

Shows traffic statistics.

xlate count

Shows current translation information.

 
Command Default

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes

  • Yes

 
Command History

Release
Modification

9.0(1)

We introduced this command.

 
Usage Guidelines

See also the show cluster info and show cluster user-identity commands.

Examples

The following is sample output from the show cluster access-list command:

ciscoasa# show cluster access-list
hitcnt display order: cluster-wide aggregated result, unit-A, unit-B, unit-C, unit-D
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
access-list 101; 122 elements; name hash: 0xe7d586b5
access-list 101 line 1 extended permit tcp 192.168.143.0 255.255.255.0 any eq www (hitcnt=0, 0, 0, 0, 0) 0x207a2b7d
access-list 101 line 2 extended permit tcp any 192.168.143.0 255.255.255.0 (hitcnt=0, 0, 0, 0, 0) 0xfe4f4947
access-list 101 line 3 extended permit tcp host 192.168.1.183 host 192.168.43.238 (hitcnt=1, 0, 0, 0, 1) 0x7b521307
access-list 101 line 4 extended permit tcp host 192.168.1.116 host 192.168.43.238 (hitcnt=0, 0, 0, 0, 0) 0x5795c069
access-list 101 line 5 extended permit tcp host 192.168.1.177 host 192.168.43.238 (hitcnt=1, 0, 0, 1, 0) 0x51bde7ee
access-list 101 line 6 extended permit tcp host 192.168.1.177 host 192.168.43.13 (hitcnt=0, 0, 0, 0, 0) 0x1e68697c
access-list 101 line 7 extended permit tcp host 192.168.1.177 host 192.168.43.132 (hitcnt=2, 0, 0, 1, 1) 0xc1ce5c49
access-list 101 line 8 extended permit tcp host 192.168.1.177 host 192.168.43.192 (hitcnt=3, 0, 1, 1, 1) 0xb6f59512
access-list 101 line 9 extended permit tcp host 192.168.1.177 host 192.168.43.44 (hitcnt=0, 0, 0, 0, 0) 0xdc104200
access-list 101 line 10 extended permit tcp host 192.168.1.112 host 192.168.43.44 (hitcnt=429, 109, 107, 109, 104) 0xce4f281d
access-list 101 line 11 extended permit tcp host 192.168.1.170 host 192.168.43.238 (hitcnt=3, 1, 0, 0, 2) 0x4143a818
access-list 101 line 12 extended permit tcp host 192.168.1.170 host 192.168.43.169 (hitcnt=2, 0, 1, 0, 1) 0xb18dfea4
access-list 101 line 13 extended permit tcp host 192.168.1.170 host 192.168.43.229 (hitcnt=1, 1, 0, 0, 0) 0x21557d71
access-list 101 line 14 extended permit tcp host 192.168.1.170 host 192.168.43.106 (hitcnt=0, 0, 0, 0, 0) 0x7316e016
access-list 101 line 15 extended permit tcp host 192.168.1.170 host 192.168.43.196 (hitcnt=0, 0, 0, 0, 0) 0x013fd5b8
access-list 101 line 16 extended permit tcp host 192.168.1.170 host 192.168.43.75 (hitcnt=0, 0, 0, 0, 0) 0x2c7dba0d
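
An added example, not from the Cisco reference: it parses show cluster access-list output into per-unit hit counters, lists rules with no hits cluster-wide, and flags entries whose aggregate differs from the sum of the unit columns. It assumes the aggregate is that sum, as it is in every line of the sample above; the function names are this example's own, and line 17 of the embedded sample is constructed to show a mismatch.

```python
import re

HEADER_RE = re.compile(r"^hitcnt display order:\s*(?P<order>.+)$")
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+(?P<rule>.+?)\s+"
    r"\(hitcnt=(?P<counts>\d+(?:,\s*\d+)*)\)(?:\s+(?P<hash>0x[0-9a-fA-F]+))?$"
)
HASH_RE = re.compile(r"^0x[0-9a-fA-F]+$")


def parse_cluster_acl(text):
    """Return (unit names in column order, list of parsed ACL entries)."""
    units, entries = [], []
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            # First field is the cluster-wide aggregate; the rest name the units.
            units = [name.strip() for name in header["order"].split(",")][1:]
            continue
        ace = ACE_RE.match(line)
        if ace:
            counts = [int(c) for c in ace["counts"].split(",")]
            if len(counts) != len(units) + 1:
                raise ValueError(
                    f"line {ace['line']}: {len(counts)} counters for {len(units)} units"
                )
            entries.append({
                "acl": ace["acl"],
                "line": int(ace["line"]),
                "rule": ace["rule"],
                "total": counts[0],
                "per_unit": dict(zip(units, counts[1:])),
                "hash": ace["hash"],
            })
        elif HASH_RE.match(line) and entries and entries[-1]["hash"] is None:
            # A long entry can wrap in terminal output, leaving the hash alone.
            entries[-1]["hash"] = line
    return units, entries


def review(units, entries):
    """Summarize rule usage across the cluster."""
    return {
        "unused": [e["line"] for e in entries if e["total"] == 0],
        "mismatched": [
            e["line"] for e in entries if e["total"] != sum(e["per_unit"].values())
        ],
        "hits_per_unit": {u: sum(e["per_unit"][u] for e in entries) for u in units},
    }


# Lines 1, 3 and 10 are from the sample output above (line 10 is wrapped here to
# exercise the continuation handling); line 17 is constructed.
SAMPLE_OUTPUT = """\
hitcnt display order: cluster-wide aggregated result, unit-A, unit-B, unit-C, unit-D
access-list 101; 122 elements; name hash: 0xe7d586b5
access-list 101 line 1 extended permit tcp 192.168.143.0 255.255.255.0 any eq www (hitcnt=0, 0, 0, 0, 0) 0x207a2b7d
access-list 101 line 3 extended permit tcp host 192.168.1.183 host 192.168.43.238 (hitcnt=1, 0, 0, 0, 1) 0x7b521307
access-list 101 line 10 extended permit tcp host 192.168.1.112 host 192.168.43.44 (hitcnt=429, 109, 107, 109, 104)
0xce4f281d
access-list 101 line 17 extended permit tcp host 192.168.1.170 host 192.168.43.80 (hitcnt=5, 1, 1, 1, 1) 0x00000000
"""

if __name__ == "__main__":
    print(review(*parse_cluster_acl(SAMPLE_OUTPUT)))
```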
 

To display the aggregated count of in-use connections for all units, enter:

ciscoasa# show cluster conn count
Usage Summary In Cluster:*********************************************
200 in use (cluster-wide aggregated)
cl2(LOCAL):***********************************************************
100 in use, 100 most used
 
cl1:******************************************************************
100 in use, 100 most used
 

 
Related Commands

Command
Description

show cluster info

Shows cluster information.

show cluster user-identity

Shows cluster user identity information and statistics.

show cluster info

To view cluster information, use the show cluster info command in privileged EXEC mode.

show cluster info [ clients | conn-distribution | goid [ options ] | health | incompatible-config | loadbalance | old-members | packet-distribution | trace [ options ] | transport { asp | cp }]

 
Syntax Description

clients

(Optional) Shows the version of register clients.

conn-distribution

(Optional) Shows the connection distribution in the cluster.

goid [ options ]

(Optional) Shows the global object ID database. Options include:

  • classmap
  • conn-set
  • hwidb
  • idfw-domain
  • idfw-group
  • interface
  • policymap
  • virtual-context

health

(Optional) Shows health monitoring information.

incompatible-config

(Optional) Shows commands that are incompatible with clustering in the current running configuration. This command is useful before you enable clustering.

loadbalance

(Optional) Shows load balancing information.

old-members

(Optional) Shows former members of the cluster.

packet-distribution

(Optional) Shows packet distribution in the cluster.

trace [ options ]

(Optional) Shows the clustering control module event trace. Options include:

  • latest [ number ]—Displays the latest number events, where the number is from 1 to 2147483647. The default is to show all.
  • level level—Filters events by level where the level is one of the following: all, critical, debug, informational, or warning.
  • module module—Filters events by module where the module is one of the following: ccp, datapath, fsm, general, hc, license, rpc, or transport.
  • time {[ month day ] [ hh : mm : ss ]}—Shows events before the specified time or date.

transport { asp | cp }

(Optional) Shows transport-related statistics for the following:

  • asp —Data plane transport statistics.
  • cp —Control plane transport statistics.

 
Command Default

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes

  • Yes

 
Command History

Release
Modification

9.0(1)

We introduced this command.

9.3(1)

We added improved support for modules in the show cluster info health command.

 
Usage Guidelines

If you do not specify any options, the show cluster info command shows general cluster information including the cluster name and status, the cluster members, the member states, and so on.

Clear statistics using the clear cluster info command.

See also the show cluster and show cluster user-identity commands.

Examples

The following is sample output from the show cluster info command:

ciscoasa# show cluster info
Cluster stbu: On
This is "C" in state SLAVE
ID : 0
Version : 100.8(0.52)
Serial No.: P3000000025
CCL IP : 10.0.0.3
CCL MAC : 000b.fcf8.c192
Last join : 17:08:59 UTC Sep 26 2011
Last leave: N/A
Other members in the cluster:
Unit "D" in state SLAVE
ID : 1
Version : 100.8(0.52)
Serial No.: P3000000001
CCL IP : 10.0.0.4
CCL MAC : 000b.fcf8.c162
Last join : 19:13:11 UTC Sep 23 2011
Last leave: N/A
Unit "A" in state MASTER
ID : 2
Version : 100.8(0.52)
Serial No.: JAB0815R0JY
CCL IP : 10.0.0.1
CCL MAC : 000f.f775.541e
Last join : 19:13:20 UTC Sep 23 2011
Last leave: N/A
Unit "B" in state SLAVE
ID : 3
Version : 100.8(0.52)
Serial No.: P3000000191
CCL IP : 10.0.0.2
CCL MAC : 000b.fcf8.c61e
Last join : 19:13:50 UTC Sep 23 2011
Last leave: 19:13:36 UTC Sep 23 2011
 

The following is sample output from the show cluster info incompatible-config command:

ciscoasa(cfg-cluster)# show cluster info incompatible-config
INFO: Clustering is not compatible with following commands which given a user's confirmation upon enabling clustering, can be removed automatically from running-config.
policy-map global_policy
class scansafe-http
inspect scansafe http-map fail-close
policy-map global_policy
class scansafe-https
inspect scansafe https-map fail-close
 
INFO: No manually-correctable incompatible configuration is found.
 

The following is sample output from the show cluster info trace command:

ciscoasa# show cluster info trace
Feb 02 14:19:47.456 [DBUG]Receive CCP message: CCP_MSG_LOAD_BALANCE
Feb 02 14:19:47.456 [DBUG]Receive CCP message: CCP_MSG_LOAD_BALANCE
Feb 02 14:19:47.456 [DBUG]Send CCP message to all: CCP_MSG_KEEPALIVE from 80-1 at MASTER
 

The following is sample output from the show cluster info health command on the ASA 5500-X:

ciscoasa# show cluster info health
Member ID to name mapping:
0 - A 1 - B(myself)
 
0 1
GigabitEthernet0/0 up up
Management0/0 up up
 
ips (policy off) up None
sfr (policy off) None up
Unit overall healthy healthy
Cluster overall healthy
 

The above output lists both ASA IPS (ips) and ASA FirePOWER (sfr) modules, and for each module the ASA shows “policy on” or “policy off” to show if you configured the module in the service policy. For example:

class-map sfr-class
match sfr-traffic
policy-map sfr-policy
class sfr-class
sfr inline fail-close
service-policy sfr interface inside
 

With the above configuration, the ASA FirePOWER module (“sfr”) will be displayed as “policy on”. If one cluster member has a module as “up”, and the other member has the module as “down” or “None”, then the member with the down module will be kicked out of the cluster. However, if the service policy is not configured, then the cluster member would not be kicked out of the cluster; the module status is only relevant if the module is running.

The following is sample output from the show cluster info health command on the ASA 5585-X:

ciscoasa# show cluster info health
spyker-13# sh clu info heal
Member ID to name mapping:
0 - A(myself) 1 - B
 
0 1
GigabitEthernet0/0 upup
 
SSM Card (policy off) upup
Unit overall healthyhealth
Cluster overall healthyhealth
 

If you configure the module in the service policy, then the output shows “policy on”. If you do not configure the service policy, then the output shows “policy off”, even if a module is present in the chassis.

 
Related Commands

Command
Description

show cluster

Displays aggregated data for the entire cluster.

show cluster user-identity

Shows cluster user identity information and statistics.

show cluster user-identity

To view cluster-wide user identity information and statistics, use the show cluster user-identity command in privileged EXEC mode.

show cluster user-identity { statistics [ user name | user-group group_name ] | user [ active [ domain name ] | user name | user-group group_name ] [ list [ detail ] | all [ list [ detail ] | inactive { domain name | user-group group_name ] [ list [ detail ]]}

 
Syntax Description

active

Shows users with active IP-user mappings.

all

Shows all users in the user database.

domain name

Shows user info for a domain.

inactive

Shows users with inactive IP-user mappings.

list [ detail ]

Shows a list of users.

statistics

Shows cluster user identity statistics.

user

Shows the user database.

user name

Shows information for a specific user.

user-group group_name

Shows information for each user of a specific group.

 
Command Default

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes

  • Yes

 
Command History

Release
Modification

9.0(1)

We introduced this command.

 
Usage Guidelines

See also the show cluster info and show cluster commands.

 
Related Commands

Command
Description

show cluster

Displays aggregated data for the entire cluster.

show cluster info

Shows cluster information.

show compression svc

To view compression statistics for SVC connections on the ASA, use the show compression svc command from privileged EXEC mode.

show compression svc

 
Defaults

There is no default behavior for this command.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes

  • Yes

 

 
Command History

Release
Modification

7.1(1)

This command was introduced.

Examples

The following example shows the output of the show compression svc command:

ciscoasa# show compression svc
Compression SVC Sessions 1
Compressed Frames 249756
Compressed Data In (bytes) 0048042
Compressed Data Out (bytes) 4859704
Expanded Frames 1
Compression Errors 0
Compression Resets 0
Compression Output Buf Too Small 0
Compression Ratio 2.06
Decompressed Frames 876687
Decompressed Data In 279300233
 

 
Related Commands

Command
Description

compression

Enables compression for all SVC and WebVPN connections.

svc compression

Enables compression of HTTP data over an SVC connection for a specific group or user.

show configuration

To display the configuration that is saved in flash memory on the ASA, use the show configuration command in privileged EXEC mode.

show configuration

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was modified.

 
Usage Guidelines

The show configuration command displays the saved configuration in flash memory on the ASA. Unlike the show running-config command, the show configuration command does not use many CPU resources to run.

To display the active configuration in memory (including saved configuration changes) on the ASA, use the show running-config command.

Examples

The following is sample output from the show configuration command:

ciscoasa# show configuration
: enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.2.5 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 10.132.12.6 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.0.0.5 255.255.0.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/newImage
ftp mode passive
access-list acl1 extended permit ip any any
access-list mgcpacl extended permit udp any any eq 2727
access-list mgcpacl extended permit udp any any eq 2427
access-list mgcpacl extended permit udp any any eq tftp
access-list mgcpacl extended permit udp any any eq 1719
access-list permitIp extended permit ip any any
pager lines 25
logging enable
logging console debugging
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any dmz
asdm image disk0:/pdm
no asdm history enable
arp timeout 14400
global (outside) 1 10.132.12.50-10.132.12.52
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group permitIp in interface inside
access-group permitIp in interface outside
access-group mgcpacl in interface dmz
!
router ospf 1
network 10.0.0.0 255.255.0.0 area 192.168.2.0
network 192.168.2.0 255.255.255.0 area 192.168.2.0
log-adj-changes
redistribute static subnets
default-information originate
!
route outside 0.0.0.0 0.0.0.0 10.132.12.1 1
route outside 10.129.0.0 255.255.0.0 10.132.12.1 1
route outside 88.0.0.0 255.0.0.0 10.132.12.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.132.12.0 255.255.255.0 outside
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.2.0 255.255.255.0 inside
telnet 10.132.12.0 255.255.255.0 outside
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect mgcp
policy-map type inspect mgcp mgcpapp
parameters
call-agent 150.0.0.210 101
gateway 50.0.0.201 101
gateway 100.0.0.201 101
command-queue 150
!
service-policy global_policy global
webvpn
memory-size percent 25
enable inside
internal-password enable
onscreen-keyboard logon
username snoopy password /JcYsjvxHfBHc4ZK encrypted
prompt hostname context
Cryptochecksum:62bf8f5de9466cdb64fe758079594635:
end
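
The following added example (not part of the Cisco reference) reads a saved configuration in the form shown above and inventories three things a reviewer would look at: management access (telnet, ssh, http) permitted on the interface with the lowest security-level, telnet access on any interface, and access-group bindings of ACLs that contain "permit ip any any". The choice of checks and the function names are this example's own, and the embedded text is an excerpt of the sample output above.

```python
import re

IP = r"\d+(?:\.\d+){3}"
# "telnet|ssh|http <network> <mask> <interface name>"; skips "telnet timeout 5" etc.
MGMT_RE = re.compile(rf"^(telnet|ssh|http)\s+({IP})\s+({IP})\s+(\S+)$")
PERMIT_ANY_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+any\s+any$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")


def parse_config(text):
    cfg = {"levels": {}, "mgmt": [], "any_any_acls": set(), "bindings": []}
    in_interface, nameif = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            in_interface, nameif = True, None
            continue
        if line == "!":
            in_interface = False  # "!" closes the interface block
            continue
        if in_interface:
            words = line.split()
            if len(words) == 2 and words[0] == "nameif":
                nameif = words[1]
            elif len(words) == 2 and words[0] == "security-level" and nameif:
                cfg["levels"][nameif] = int(words[1])
            continue
        m = MGMT_RE.match(line)
        if m:
            cfg["mgmt"].append({"proto": m[1], "net": m[2], "mask": m[3], "ifname": m[4]})
            continue
        m = PERMIT_ANY_RE.match(line)
        if m:
            cfg["any_any_acls"].add(m[1])
            continue
        m = GROUP_RE.match(line)
        if m:
            cfg["bindings"].append((m[1], m[2]))
    return cfg


def review(cfg):
    levels = cfg["levels"]
    lowest = min(levels.values()) if levels else None  # 0 (outside) in the sample
    return {
        "mgmt_on_lowest_level": [
            (e["proto"], e["ifname"]) for e in cfg["mgmt"]
            if e["ifname"] in levels and levels[e["ifname"]] == lowest
        ],
        "telnet_interfaces": [e["ifname"] for e in cfg["mgmt"] if e["proto"] == "telnet"],
        "any_any_bound": [(a, i) for a, i in cfg["bindings"] if a in cfg["any_any_acls"]],
    }


# Excerpt of the show configuration sample output above (lines unchanged).
SAMPLE_CONFIG = """\
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.2.5 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 10.132.12.6 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
access-list acl1 extended permit ip any any
access-list mgcpacl extended permit udp any any eq 2727
access-list permitIp extended permit ip any any
access-group permitIp in interface inside
access-group permitIp in interface outside
access-group mgcpacl in interface dmz
http server enable
http 10.132.12.0 255.255.255.0 outside
http 192.168.2.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet 10.132.12.0 255.255.255.0 outside
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
"""

if __name__ == "__main__":
    print(review(parse_config(SAMPLE_CONFIG)))
```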

 
Related Commands

Command
Description

configure

Configures the ASA from the terminal.

show conn

To display the connection state for the designated connection type, use the show conn command in privileged EXEC mode. This command supports IPv4 and IPv6 addresses.

show conn [ count | [ all ] [ detail ] [ long ] [ state state_type ] [ protocol { tcp | udp }] [ scansafe ] [ address src_ip [ - src_ip ] [ netmask mask ]] [ port src_port [ - src_port ]] [ address dest_ip [ - dest_ip ] [ netmask mask ]] [ port dest_port [ - dest_port ]]
[ user-identity | user [ domain_nickname \ ] user_name | user-group [ domain_nickname \\ ] user_group_name ] | security-group ]

 
Syntax Description

address

(Optional) Displays connections with the specified source or destination IP address.

all

(Optional) Displays connections that are to the device or from the device, in addition to through-traffic connections.

count

(Optional) Displays the number of active connections.

dest_ip

(Optional) Specifies the destination IP address (IPv4 or IPv6). To specify a range, separate the IP addresses with a dash (-). For example:

10.1.1.1-10.1.1.5

dest_port

(Optional) Specifies the destination port number. To specify a range, separate the port numbers with a dash (-). For example:

1000-2000

detail

(Optional) Displays connections in detail, including translation type and interface information.

long

(Optional) Displays connections in long format.

netmask mask

(Optional) Specifies a subnet mask for use with the given IP address.

port

(Optional) Displays connections with the specified source or destination port.

protocol { tcp | udp }

(Optional) Specifies the connection protocol, which can be tcp or udp.

scansafe

(Optional) Shows connections being forwarded to the Cloud Web Security server.

security-group

(Optional) Specifies that all connections displayed belong to the specified security group.

src_ip

(Optional) Specifies the source IP address (IPv4 or IPv6). To specify a range, separate the IP addresses with a dash (-). For example:

10.1.1.1-10.1.1.5

src_port

(Optional) Specifies the source port number. To specify a range, separate the port numbers with a dash (-). For example:

1000-2000

state state_type

(Optional) Specifies the connection state type. See Table 4-23 for a list of the keywords available for connection state types.

user [ domain_nickname \ ]
user_name

(Optional) Specifies that all connections displayed belong to the specified user. When you do not include the domain_nickname argument, the ASA displays information for the user in the default domain.

user-group [ domain_nickname \\ ]
user_group_name

(Optional) Specifies that all connections displayed belong to the specified user group. When you do not include the domain_nickname argument, the ASA displays information for the user group in the default domain.

user-identity

(Optional) Specifies that the ASA display all connections for the Identity Firewall feature. When displaying the connections, the ASA displays the user name and IP address when it identifies a matching user. Similarly, the ASA displays the host name and an IP address when it identifies a matching host.

 
Defaults

All through connections are shown by default. You need to use the all keyword to also view management connections to the device.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(8)/7.2(4)/8.0(4)

The syntax was simplified to use source and destination concepts instead of “local” and “foreign.” In the new syntax, the source address is the first address entered and the destination is the second address. The old syntax used keywords like foreign and fport to determine the destination address and port.

7.2(5)/8.0(5)/8.1(2)/8.2(4)/8.3(2)

The tcp_embryonic state type was added. This type shows all TCP connections with the i flag (incomplete connections); i flag connections for UDP are not shown.

8.2(1)

The b flag was added for TCP state bypass.

8.4(2)

Added the user-identity , user , and user-group keywords to support the Identity Firewall.

9.0(1)

Support for clustering was added. We added the scansafe and security-group keywords.

 
Usage Guidelines

The show conn command displays the number of active TCP and UDP connections, and provides information about connections of various types. Use the show conn all command to see the entire table of connections.


Note: When the ASA creates a pinhole to allow secondary connections, the show conn command shows it as an incomplete conn. To clear this incomplete conn, use the clear conn command.


The connection types that you can specify using the show conn state command are defined in Table 4-23 . When specifying multiple connection types, use commas without spaces to separate the keywords.

 

Table 4-23 Connection State Types

Keyword
Connection Type Displayed

up

Connections in the up state.

conn_inbound

Inbound connections.

ctiqbe

CTIQBE connections

data_in

Inbound data connections.

data_out

Outbound data connections.

finin

FIN inbound connections.

finout

FIN outbound connections.

h225

H.225 connections

h323

H.323 connections

http_get

HTTP get connections.

mgcp

MGCP connections.

nojava

Connections that deny access to Java applets.

rpc

RPC connections.

service_module

Connections being scanned by an SSM.

sip

SIP connections.

skinny

SCCP connections.

smtp_data

SMTP mail data connections.

sqlnet_fixup_data

SQL*Net data inspection engine connections.

tcp_embryonic

TCP embryonic connections.

vpn_orphan

Orphaned VPN tunneled flows.

When you use the detail option, the system displays information about the translation type and interface information using the connection flags defined in Table 4-24 .

 

Table 4-24 Connection Flags

Flag
Description

a

awaiting outside ACK to SYN

A

awaiting inside ACK to SYN

b

TCP state bypass

B

initial SYN from outside

C

Computer Telephony Interface Quick Buffer Encoding (CTIQBE) media connection

d

dump

D

DNS

E

outside back connection. This is a secondary data connection that must be initiated from the inside host. For example, using FTP, after the inside client issues the PASV command and the outside server accepts, the ASA preallocates an outside back connection with this flag set. If the inside client attempts to connect back to the server, then the ASA denies this connection attempt. Only the outside server can use the preallocated secondary connection.

f

inside FIN

F

outside FIN

g

Media Gateway Control Protocol (MGCP) connection

G

connection is part of a group (footnote 1)

h

H.225

H

H.323

i

incomplete TCP or UDP connection

I

inbound data

k

Skinny Client Control Protocol (SCCP) media connection

K

GTP t3-response

m

SIP media connection

M

SMTP data

O

outbound data

p

replicated (unused)

P

inside back connection. This is a secondary data connection that must be initiated from the inside host. For example, using FTP, after the inside client issues the PORT command and the outside server accepts, the ASA preallocates an inside back connection with this flag set. If the outside server attempts to connect back to the client, then the ASA denies this connection attempt. Only the inside client can use the preallocated secondary connection.

q

SQL*Net data

r

inside acknowledged FIN

R

outside acknowledged FIN for TCP connection

R

UDP RPC (footnote 2)

s

awaiting outside SYN

S

awaiting inside SYN

t

SIP transient connection (footnote 3)

T

SIP connection (footnote 4)

U

up

V

VPN orphan

W

WAAS

X

Inspected by the service module, such as a CSC SSM.

y

For clustering, identifies a backup owner flow.

Y

For clustering, identifies a director flow.

z

For clustering, identifies a forwarder flow.

Z

Cloud Web Security

1. The G flag indicates the connection is part of a group. It is set by the GRE and FTP Strict fixups to designate the control connection and all its associated secondary connections. If the control connection terminates, then all associated secondary connections are also terminated.

2. Because each row of show conn command output represents one connection (TCP or UDP), there will be only one R flag per row.

3. For UDP connections, the value t indicates that it will time out after one minute.

4. For UDP connections, the value T indicates that the connection will time out according to the value specified using the timeout sip command.


Note: For connections using a DNS server, the source port of the connection may be replaced by the IP address of the DNS server in the show conn command output.


A single connection is created for multiple DNS sessions, as long as they are between the same two hosts, and the sessions have the same 5-tuple (source/destination IP address, source/destination port, and protocol). DNS identification is tracked by app_id, and the idle timer for each app_id runs independently.

Because the app_id expires independently, a legitimate DNS response can only pass through the ASA within a limited period of time and there is no resource build-up. However, when you enter the show conn command, you will see the idle timer of a DNS connection being reset by a new DNS session. This is due to the nature of the shared DNS connection and is by design.


Note: When there is no TCP traffic for the period of inactivity defined by the timeout conn command (by default, 1:00:00), the connection is closed and the corresponding conn flag entries are no longer displayed.


If a LAN-to-LAN/Network-Extension Mode tunnel drops and does not come back, there might be a number of orphaned tunnel flows. These flows are not torn down as a result of the tunnel going down, but all the data attempting to flow through them is dropped. The show conn command output shows these orphaned flows with the V flag.

When the following TCP connection directionality flags are applied to connections between same-security interfaces (see the same-security permit command), the direction in the flag is not relevant because for same-security interfaces, there is no “inside” or “outside.” Because the ASA has to use these flags for same-security connections, the ASA may choose one flag over another (for example, f vs. F) based on other connection characteristics, but you should ignore the directionality chosen.

  • B—Initial SYN from outside
  • a—Awaiting outside ACK to SYN
  • A—Awaiting inside ACK to SYN
  • f—Inside FIN
  • F—Outside FIN
  • s—Awaiting outside SYN
  • S—Awaiting inside SYN

To display information for a specific connection, include the security-group keyword and specify a security group table value or security group name for both the source and destination of the connection. The ASA displays the connection matching the specific security group table values or security group names.

When you specify the security-group keyword without specifying a source and destination security group table value or a source and destination security group name, the ASA displays data for all SXP connections.

The ASA displays the connection data in the format security_group_name ( SGT_value ) or just as the SGT_value when the security group name is unknown.


Note: Security group data is not available for stub connections because stub connections do not go through the slow path. Stub connections maintain only the information necessary to forward packets to the owner of the connection.


You can specify a single security group name to display all connections in a cluster. The following example displays connections matching security-group mktg in all units of the cluster:

ciscoasa# show cluster conn security-group name mktg
 

Examples

When specifying multiple connection types, use commas without spaces to separate the keywords. The following example displays information about RPC, H.323, and SIP connections in the Up state:

ciscoasa# show conn state up,rpc,h323,sip
 

The following is sample output from the show conn count command:

ciscoasa# show conn count
54 in use, 123 most used
 

The following is sample output from the show conn command. This example shows a TCP session connection from inside host 10.1.1.15 to the outside Telnet server at 10.10.49.10. Because there is no B flag, the connection is initiated from the inside. The “U”, “I”, and “O” flags denote that the connection is active and has received inbound and outbound data.

ciscoasa# show conn
54 in use, 123 most used
TCP out 10.10.49.10:23 in 10.1.1.15:1026 idle 0:00:22, bytes 1774, flags UIO
UDP out 10.10.49.10:31649 in 10.1.1.15:1028 idle 0:00:14, bytes 0, flags D-
TCP dmz 10.10.10.50:50026 inside 192.168.1.22:5060, idle 0:00:24, bytes 1940435, flags UTIOB
TCP dmz 10.10.10.50:49764 inside 192.168.1.21:5060, idle 0:00:42, bytes 2328346, flags UTIOB
TCP dmz 10.10.10.51:50196 inside 192.168.1.22:2000, idle 0:00:04, bytes 31464, flags UIB
TCP dmz 10.10.10.51:52738 inside 192.168.1.21:2000, idle 0:00:09, bytes 129156, flags UIOB
TCP dmz 10.10.10.50:49764 inside 192.168.1.21:0, idle 0:00:42, bytes 0, flags Ti
TCP outside 192.168.1.10(20.20.20.24):49736 inside 192.168.1.21:0, idle 0:01:32, bytes 0, flags Ti
TCP dmz 10.10.10.50:50026 inside 192.168.1.22:0, idle 0:00:24, bytes 0, flags Ti
TCP outside 192.168.1.10(20.20.20.24):50663 inside 192.168.1.22:0, idle 0:01:34, bytes 0, flags Ti
TCP dmz 10.10.10.50:50026 inside 192.168.1.22:0, idle 0:02:24, bytes 0, flags Ti
TCP outside 192.168.1.10(20.20.20.24):50663 inside 192.168.1.22:0, idle 0:03:34, bytes 0, flags Ti
TCP dmz 10.10.10.50:50026 inside 192.168.1.22:0, idle 0:04:24, bytes 0, flags Ti
TCP outside 192.168.1.10(20.20.20.24):50663 inside 192.168.1.22:0, idle 0:05:34, bytes 0, flags Ti
TCP dmz 10.10.10.50:50026 inside 192.168.1.22:0, idle 0:06:24, bytes 0, flags Ti
TCP outside 192.168.1.10(20.20.20.24):50663 inside 192.168.1.22:0, idle 0:07:34, bytes 0, flags Ti
 

The following is sample output from the show conn command, which includes the “X” flag to indicate that the connection is being scanned by the SSM.

ciscoasa# show conn address 10.0.0.122 state service_module
TCP out 10.1.0.121:22 in 10.0.0.122:34446 idle 0:00:03, bytes 2733, flags UIOX
 

The following is sample output from the show conn detail command. This example shows a UDP connection from outside host 10.10.49.10 to inside host 10.1.1.15. The D flag denotes that this is a DNS connection. The number 1028 is the DNS ID over the connection.

ciscoasa# show conn detail
54 in use, 123 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media,
D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
k - Skinny media, M - SMTP data, m - SIP media, n - GUP
O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
q - SQL*Net data, R - outside acknowledged FIN,
R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
V - VPN orphan, W - WAAS,
X - inspected by service module
TCP outside:10.10.49.10/23 inside:10.1.1.15/1026,
flags UIO, idle 39s, uptime 1D19h, timeout 1h0m, bytes 1940435
UDP outside:10.10.49.10/31649 inside:10.1.1.15/1028,
flags dD, idle 39s, uptime 1D19h, timeout 1h0m, bytes 1940435
TCP dmz:10.10.10.50/50026 inside:192.168.1.22/5060,
flags UTIOB, idle 39s, uptime 1D19h, timeout 1h0m, bytes 1940435
TCP dmz:10.10.10.50/49764 inside:192.168.1.21/5060,
flags UTIOB, idle 56s, uptime 1D19h, timeout 1h0m, bytes 2328346
TCP dmz:10.10.10.51/50196 inside:192.168.1.22/2000,
flags UIB, idle 18s, uptime 1D19h, timeout 1h0m, bytes 31464
TCP dmz:10.10.10.51/52738 inside:192.168.1.21/2000,
flags UIOB, idle 23s, uptime 1D19h, timeout 1h0m, bytes 129156
TCP outside:10.132.64.166/52510 inside:192.168.1.35/2000,
flags UIOB, idle 3s, uptime 1D21h, timeout 1h0m, bytes 357405
TCP outside:10.132.64.81/5321 inside:192.168.1.22/5060,
flags UTIOB, idle 1m48s, uptime 1D21h, timeout 1h0m, bytes 2083129
TCP outside:10.132.64.81/5320 inside:192.168.1.21/5060,
flags UTIOB, idle 1m46s, uptime 1D21h, timeout 1h0m, bytes 2500529
TCP outside:10.132.64.81/5319 inside:192.168.1.22/2000,
flags UIOB, idle 31s, uptime 1D21h, timeout 1h0m, bytes 32718
TCP outside:10.132.64.81/5315 inside:192.168.1.21/2000,
flags UIOB, idle 14s, uptime 1D21h, timeout 1h0m, bytes 358694
TCP outside:10.132.64.80/52596 inside:192.168.1.22/2000,
flags UIOB, idle 8s, uptime 1D21h, timeout 1h0m, bytes 32742
TCP outside:10.132.64.80/52834 inside:192.168.1.21/2000,
flags UIOB, idle 6s, uptime 1D21h, timeout 1h0m, bytes 358582
TCP outside:10.132.64.167/50250 inside:192.168.1.35/2000,
flags UIOB, idle 26s, uptime 1D21h, timeout 1h0m, bytes 375617
 

The following is sample output from the show conn command when an orphan flow exists, as indicated by the V flag:

ciscoasa# show conn
16 in use, 19 most used
TCP out 192.168.110.251:7393 in 192.168.150.252:21 idle 0:00:00, bytes 1048, flags UOVB
TCP out 192.168.110.251:21137 in 192.168.150.252:21 idle 0:00:00, bytes 1048, flags UIOB
 

To limit the report to those connections that have orphan flows, add the vpn_orphan option to the show conn state command, as in the following example:

ciscoasa# show conn state vpn_orphan
14 in use, 19 most used
TCP out 192.168.110.251:7393 in 192.168.150.252:5013, idle 0:00:00, bytes 2841019, flags UOVB
 

For clustering, to troubleshoot the connection flow, first see connections on all units by entering the cluster exec show conn command on the master unit. Look for flows that have the following flags: director (Y), backup (y), and forwarder (z). The following example shows an SSH connection from 172.18.124.187:22 to 192.168.103.131:44727 on all three ASAs; ASA1 has the z flag, showing it is a forwarder for the connection, ASA3 has the Y flag, showing it is the director for the connection, and ASA2 has no special flags, showing it is the owner. In the outbound direction, the packets for this connection enter the inside interface on ASA2 and exit the outside interface. In the inbound direction, the packets for this connection enter the outside interface on ASA1 and ASA3, are forwarded over the cluster control link to ASA2, and then exit the inside interface on ASA2.

ciscoasa/ASA1/master# cluster exec show conn
ASA1(LOCAL):**********************************************************
18 in use, 22 most used
Cluster stub connections: 0 in use, 5 most used
TCP outside 172.18.124.187:22 inside 192.168.103.131:44727, idle 0:00:00, bytes 37240828, flags z
 
 
ASA2:*****************************************************************
12 in use, 13 most used
Cluster stub connections: 0 in use, 46 most used
TCP outside 172.18.124.187:22 inside 192.168.103.131:44727, idle 0:00:00, bytes 37240828, flags UIO
 
 
ASA3:*****************************************************************
10 in use, 12 most used
Cluster stub connections: 2 in use, 29 most used
TCP outside 172.18.124.187:22 inside 192.168.103.131:44727, idle 0:00:03, bytes 0, flags Y
 

The output of show conn detail on ASA2 shows that the most recent forwarder was ASA1:

 
ciscoasa/ASA2/slave# show conn detail
12 in use, 13 most used
Cluster stub connections: 0 in use, 46 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media,
D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
k - Skinny media, M - SMTP data, m - SIP media, n - GUP
O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
q - SQL*Net data, R - outside acknowledged FIN,
R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
V - VPN orphan, W - WAAS, Z - Scansafe redirection,
X - inspected by service module
Y - director stub flow
y - backup stub flow
z - forwarder stub flow
TCP outside: 172.18.124.187/22 inside: 192.168.103.131/44727,
flags UIO , idle 0s, uptime 25s, timeout 1h0m, bytes 1036044, cluster sent/rcvd bytes 0/1032983, cluster sent/rcvd total bytes 0/1080779, owners (1,255)
Traffic received at interface outside
Locally received: 0 (0 byte/s)
From most recent forwarder ASA1: 1032983 (41319 byte/s)
Traffic received at interface inside
Locally received: 3061 (122 byte/s)
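
The flag-based checks described in this section (V for orphaned VPN flows, i for incomplete connections, B for connections opened from outside, and Y, y, and z for cluster stub flows), as an added example that is not Cisco code. The Python below parses short-format show conn and cluster exec show conn output; the function names are hypothetical, and the sample text is assembled from the sample outputs on this page.

```python
import re
from collections import defaultdict

# Unit banner printed by "cluster exec show conn", e.g. "ASA1(LOCAL):*****".
UNIT_RE = re.compile(r"^(?P<unit>\S+?)(?:\(LOCAL\))?:\*+$")
# Short-format row: protocol, two "interface endpoint" pairs, idle, bytes, flags.
# The comma after the second endpoint is optional; the page shows both forms.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<if1>\S+)\s+(?P<ep1>\S+)\s+"
    r"(?P<if2>\S+)\s+(?P<ep2>[^\s,]+),?\s+"
    r"idle\s+(?P<idle>\d+:\d\d:\d\d),\s+bytes\s+(?P<bytes>\d+),\s+"
    r"flags\s+(?P<flags>\S+)$"
)


def parse_show_conn(text):
    """Return one dict per connection row; 'unit' is set only for cluster output."""
    unit, conns = None, []
    for raw in text.splitlines():
        line = raw.strip()
        banner = UNIT_RE.match(line)
        if banner:
            unit = banner.group("unit")
            continue
        m = CONN_RE.match(line)
        if m is None:
            continue  # prompt, "N in use" counters, blank lines
        hours, minutes, seconds = (int(p) for p in m.group("idle").split(":"))
        conns.append({
            "unit": unit,
            "proto": m.group("proto"),
            "ep1": (m.group("if1"), m.group("ep1")),
            "ep2": (m.group("if2"), m.group("ep2")),
            "idle_s": hours * 3600 + minutes * 60 + seconds,
            "bytes": int(m.group("bytes")),
            "flags": set(m.group("flags")) - {"-"},  # "-" is a placeholder
        })
    return conns


def triage(conns):
    """Group rows by the flags an operator usually reviews first."""
    findings = defaultdict(list)
    for c in conns:
        if "V" in c["flags"]:
            findings["vpn_orphan"].append(c)  # tunnel is gone, data is dropped
        if "i" in c["flags"]:
            findings["incomplete"].append(c)  # embryonic conn or pinhole
        # B is a TCP directionality flag; between same-security interfaces
        # the direction it implies should be ignored.
        if "B" in c["flags"] and c["proto"] == "TCP":
            findings["initiated_from_outside"].append(c)
    return dict(findings)


def cluster_roles(conns):
    """Map each flow to {unit: role}; a row with no stub flag is the owner."""
    roles = defaultdict(dict)
    for c in conns:
        if c["unit"] is None:
            continue
        f = c["flags"]
        role = ("forwarder" if "z" in f else "director" if "Y" in f
                else "backup" if "y" in f else "owner")
        roles[(c["proto"], c["ep1"][1], c["ep2"][1])][c["unit"]] = role
    return dict(roles)


# Sample input assembled from the sample outputs on this page.
SHOW_CONN = """\
ciscoasa# show conn
16 in use, 19 most used
TCP out 192.168.110.251:7393 in 192.168.150.252:21 idle 0:00:00, bytes 1048, flags UOVB
TCP out 192.168.110.251:21137 in 192.168.150.252:21 idle 0:00:00, bytes 1048, flags UIOB
TCP out 10.10.49.10:23 in 10.1.1.15:1026 idle 0:00:22, bytes 1774, flags UIO
UDP out 10.10.49.10:31649 in 10.1.1.15:1028 idle 0:00:14, bytes 0, flags D-
TCP outside 192.168.1.10(20.20.20.24):49736 inside 192.168.1.21:0, idle 0:01:32, bytes 0, flags Ti
"""

CLUSTER_SHOW_CONN = """\
ASA1(LOCAL):**********************************************************
18 in use, 22 most used
Cluster stub connections: 0 in use, 5 most used
TCP outside 172.18.124.187:22 inside 192.168.103.131:44727, idle 0:00:00, bytes 37240828, flags z

ASA2:*****************************************************************
12 in use, 13 most used
Cluster stub connections: 0 in use, 46 most used
TCP outside 172.18.124.187:22 inside 192.168.103.131:44727, idle 0:00:00, bytes 37240828, flags UIO

ASA3:*****************************************************************
10 in use, 12 most used
Cluster stub connections: 2 in use, 29 most used
TCP outside 172.18.124.187:22 inside 192.168.103.131:44727, idle 0:00:03, bytes 0, flags Y
"""

if __name__ == "__main__":
    for name, rows in triage(parse_show_conn(SHOW_CONN)).items():
        for c in rows:
            print(name, c["proto"], c["ep1"][1], "->", c["ep2"][1])
    for flow, units in cluster_roles(parse_show_conn(CLUSTER_SHOW_CONN)).items():
        print(flow, units)
```
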
 

The following examples show how to display connections for the Identity Firewall feature:

hostname# show conn user-identity ?
exec mode commands/options:
all Enter this keyword to show conns including to-the-box and from-the-box
detail Enter this keyword to show conn in detail
long Enter this keyword to show conn in long format
port Enter this keyword to specify port
protocol Enter this keyword to specify conn protocol
state Enter this keyword to specify conn state
| Output modifiers
 
hostname# show conn user-identity
1219 in use, 1904 most used
UDP inside (www.yahoo.com))10.0.0.2:1587 outside (user1)192.0.0.2:30000, idle 0:00:00, bytes 10, flags -
UDP inside (www.yahoo.com)10.0.0.2:1586 outside (user2)192.0.0.1:30000, idle 0:00:00, bytes 10, flags -
UDP inside 10.0.0.34:1586 outside 192.0.0.25:30000, idle 0:00:00, bytes 10, flags -
hostname# show conn user user1
2 in use
UDP inside (www.yahoo.com))10.0.0.2:1587 outside (user1)192.0.0.2:30000, idle 0:00:00, bytes 10, flags -
 

 
Related Commands

Commands
Description

clear conn

Clears connections.

inspect ctiqbe

Enables CTIQBE application inspection.

inspect h323

Enables H.323 application inspection.

inspect mgcp

Enables MGCP application inspection.

inspect sip

Removes Java applets from HTTP traffic.

inspect skinny

Enables SCCP application inspection.

show console-output

To display the currently captured console output, use the show console-output command in privileged EXEC mode.

show console-output

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode: Privileged EXEC

Firewall Mode
  • Routed: Yes
  • Transparent: Yes

Security Context
  • Single: Yes
  • Multiple (Context): Yes
  • Multiple (System): Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

Examples

The following is sample output from the show console-output command, which displays the following message when there is no console output:

ciscoasa# show console-output
Sorry, there are no messages to display
 

 
Related Commands

Command
Description

clear configure console

Restores the default console connection settings.

clear configure timeout

Restores the default idle time durations in the configuration.

console timeout

Sets the idle timeout for a console connection to the ASA.

show running-config console timeout

Displays the idle timeout for a console connection to the ASA.

show context

To show context information, including allocated interfaces and the configuration file URL, the number of contexts configured, or, from the system execution space, a list of all contexts, use the show context command in privileged EXEC mode.

show context [ name | detail | count ]

 
Syntax Description

count

(Optional) Shows the number of contexts configured.

detail

(Optional) Shows additional detail about the context(s) including the running state and information for internal use.

name

(Optional) Sets the context name. If you do not specify a name, the ASA displays all contexts. Within a context, you can only enter the current context name.

 
Defaults

In the system execution space, the ASA displays all contexts if you do not specify a name.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode: Privileged EXEC

Firewall Mode
  • Routed: Yes
  • Transparent: Yes

Security Context
  • Single: -
  • Multiple (Context): Yes
  • Multiple (System): Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

8.0(2)

Information about assigned IPS virtual sensors was added.

 
Usage Guidelines

See the “Examples” section for a description of the display output.

Examples

The following is sample output from the show context command. The sample display shows three contexts:

ciscoasa# show context
 
Context Name      Interfaces                    URL
*admin            GigabitEthernet0/1.100        flash:/admin.cfg
                  GigabitEthernet0/1.101
contexta          GigabitEthernet0/1.200        flash:/contexta.cfg
                  GigabitEthernet0/1.201
contextb          GigabitEthernet0/1.300        flash:/contextb.cfg
                  GigabitEthernet0/1.301
Total active Security Contexts: 3
 

Table 4-25 shows each field description.

 

Table 4-25 show context Fields

Field
Description

Context Name

Lists all context names. The context name with the asterisk (*) is the admin context.

Interfaces

The interfaces assigned to the context.

URL

The URL from which the ASA loads the context configuration.

The following is sample output from the show context detail command in the system execution space:

ciscoasa# show context detail
 
Context "admin", has been created, but initial ACL rules not complete
Config URL: flash:/admin.cfg
Real Interfaces: Management0/0
Mapped Interfaces: Management0/0
Real IPS Sensors: ips1, ips2
Mapped IPS Sensors: highsec, lowsec
Flags: 0x00000013, ID: 1
 
Context "ctx", has been created, but initial ACL rules not complete
Config URL: ctx.cfg
Real Interfaces: GigabitEthernet0/0.10, GigabitEthernet0/1.20,
GigabitEthernet0/2.30
Mapped Interfaces: int1, int2, int3
Real IPS Sensors: ips1, ips3
Mapped IPS Sensors: highsec, lowsec
Flags: 0x00000011, ID: 2
 
Context "system", is a system resource
Config URL: startup-config
Real Interfaces:
Mapped Interfaces: Control0/0, GigabitEthernet0/0,
GigabitEthernet0/0.10, GigabitEthernet0/1, GigabitEthernet0/1.10,
GigabitEthernet0/1.20, GigabitEthernet0/2, GigabitEthernet0/2.30,
GigabitEthernet0/3, Management0/0, Management0/0.1
Flags: 0x00000019, ID: 257
 
Context "null", is a system resource
Config URL: ... null ...
Real Interfaces:
Mapped Interfaces:
Flags: 0x00000009, ID: 258
 

Table 4-26 shows each field description.

 

Table 4-26 Context States

Field
Description

Context

The context name. The null context information is for internal use only. The system context represents the system execution space.

State Message:

The context state. See the possible messages below.

Has been created, but initial ACL rules not complete

The ASA parsed the configuration but has not yet downloaded the default ACLs to establish the default security policy. The default security policy applies to all contexts initially, and includes disallowing traffic from lower security levels to higher security levels, enabling application inspection, and other parameters. This security policy ensures that no traffic can pass through the ASA after the configuration is parsed but before the configuration ACLs are compiled. You are unlikely to see this state because the configuration ACLs are compiled very quickly.

Has been created, but not initialized

You entered the context name command, but have not yet entered the config-url command.

Has been created, but the config hasn’t been parsed

The default ACLs were downloaded, but the ASA has not parsed the configuration. This state might exist because the configuration download might have failed because of network connectivity issues, or you have not yet entered the config-url command. To reload the configuration, from within the context, enter copy startup-config running-config . From the system, reenter the config-url command. Alternatively, you can start configuring the blank running configuration.

Is a system resource

This state applies only to the system execution space and to the null context. The null context is used by the system, and the information is for internal use only.

Is a zombie

You deleted the context using the no context or clear context command, but the context information persists in memory until the ASA reuses the context ID for a new context, or you restart.

Is active

This context is currently running and can pass traffic according to the context configuration security policy.

Is ADMIN and active

This context is the admin context and is currently running.

Was a former ADMIN, but is now a zombie

You deleted the admin context using the clear configure context command, but the context information persists in memory until the ASA reuses the context ID for a new context, or you restart.

Real Interfaces

The interfaces assigned to the context. If you mapped the interface IDs in the allocate-interface command, this display shows the real name of the interface.

Mapped Interfaces

If you mapped the interface IDs in the allocate-interface command, this display shows the mapped names. If you did not map the interfaces, the display lists the real names again.

Real IPS Sensors

The IPS virtual sensors assigned to the context if you have an AIP SSM installed. If you mapped the sensor names in the allocate-ips command, this display shows the real name of the sensor.

Mapped IPS Sensors

If you mapped the sensor names in the allocate-ips command, this display shows the mapped names. If you did not map the sensor names, the display lists the real names again.

Flag

For internal use only.

ID

An internal ID for this context.

The following is sample output from the show context count command:

ciscoasa# show context count
Total active contexts: 2
 

 
Related Commands

Command
Description

admin-context

Sets the admin context.

allocate-interface

Assigns interfaces to a context.

changeto

Changes between contexts or the system execution space.

config-url

Specifies the location of the context configuration.

context

Creates a security context in the system configuration and enters context configuration mode.

show controller

To view controller-specific information of all interfaces present, use the show controller command in privileged EXEC mode.

show controller [ slot ] [ physical_interface ] [ pci [ bridge [ bridge-id [ port-num ]]]] [ detail ]

 
Syntax Description

bridge

(Optional) Displays PCI bridge-specific information for the ASA 5585-X.

bridge-id

(Optional) Displays each unique PCI bridge identifier for the ASA 5585-X.

detail

(Optional) Shows additional detail about the controller.

pci

(Optional) Displays a summary of PCI devices along with their first 256 bytes of PCI configuration space for the ASA 5585-X.

physical_interface

(Optional) Identifies the interface ID.

port-num

(Optional) Displays the unique port number within each PCI bridge for the ASA 5585-X adaptive ASA.

slot

(Optional) Displays PCI-e bus and slot information for the ASA 5580 only.

 
Defaults

If you do not identify an interface, this command shows information for all interfaces.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode: Privileged EXEC

Firewall Mode
  • Routed: Yes
  • Transparent: Yes

Security Context
  • Single: Yes
  • Multiple (Context): Yes
  • Multiple (System): Yes

 
Command History

Release
Modification

7.2(1)

This command was introduced.

8.0(2)

This command now applies to all platforms, and not just the ASA 5505. The detail keyword was added.

8.1(1)

The slot keyword was added for the ASA 5580.

8.2(5)

The pci , bridge , bridge-id, and port-num options were added for the ASA 5585-X with an IPS SSP installed. In addition, support for sending pause frames to enable flow control on 1 GigabitEthernet interfaces has been added for all ASA models.

8.6(1)

Support was added for the detail keyword for the ASA 5512-X through ASA 5555-X Internal-Control0/0 interface, used for control traffic between the ASA and the software module, and for the Internal-Data0/1 interface used for data traffic to the ASA and the software module.

 
Usage Guidelines

This command helps Cisco TAC gather useful debug information about the controller when investigating internal and customer-found defects. The actual output depends on the model and Ethernet controller. The command also displays information about all the PCI bridges of interest in the ASA 5585-X with an IPS SSP installed. For the ASA Services Module, the show controller command output does not show any PCIe slot information.

Examples

The following is sample output from the show controller command:

ciscoasa# show controller
 
Ethernet0/0:
Marvell 88E6095 revision 2, switch port 7
PHY Register:
Control: 0x3000 Status: 0x786d
Identifier1: 0x0141 Identifier2: 0x0c85
Auto Neg: 0x01e1 LP Ability: 0x40a1
Auto Neg Ex: 0x0005 PHY Spec Ctrl: 0x0130
PHY Status: 0x4c00 PHY Intr En: 0x0400
Int Port Sum: 0x0000 Rcv Err Cnt: 0x0000
Led select: 0x1a34
Reg 29: 0x0003 Reg 30: 0x0000
Port Registers:
Status: 0x0907 PCS Ctrl: 0x0003
Identifier: 0x0952 Port Ctrl: 0x0074
Port Ctrl-1: 0x0000 Vlan Map: 0x077f
VID and PRI: 0x0001 Port Ctrl-2: 0x0cc8
Rate Ctrl: 0x0000 Rate Ctrl-2: 0x3000
Port Asc Vt: 0x0080
In Discard Lo: 0x0000 In Discard Hi: 0x0000
In Filtered: 0x0000 Out Filtered: 0x0000
 
Global Registers:
Control: 0x0482
 
---------------------------------------------------------------------
Number of VLANs: 1
---------------------------------------------------------------------
Vlan[db]\Port| 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
---------------------------------------------------------------------
<0001[01]> | EUT| EUT| EUT| EUT| EUT| EUT| EUT| EUT| EUM| NM | NM |
---------------------------------------------------------------------
 
....
 
Ethernet0/6:
Marvell 88E6095 revision 2, switch port 1
PHY Register:
Control: 0x3000 Status: 0x7849
Identifier1: 0x0141 Identifier2: 0x0c85
Auto Neg: 0x01e1 LP Ability: 0x0000
Auto Neg Ex: 0x0004 PHY Spec Ctrl: 0x8130
PHY Status: 0x0040 PHY Intr En: 0x8400
Int Port Sum: 0x0000 Rcv Err Cnt: 0x0000
Led select: 0x1a34
Reg 29: 0x0003 Reg 30: 0x0000
Port Registers:
Status: 0x0007 PCS Ctrl: 0x0003
Identifier: 0x0952 Port Ctrl: 0x0077
Port Ctrl-1: 0x0000 Vlan Map: 0x07fd
VID and PRI: 0x0001 Port Ctrl-2: 0x0cc8
Rate Ctrl: 0x0000 Rate Ctrl-2: 0x3000
Port Asc Vt: 0x0002
In Discard Lo: 0x0000 In Discard Hi: 0x0000
In Filtered: 0x0000 Out Filtered: 0x0000
----Inline power related counters and registers----
Power on fault: 0 Power off fault: 0
Detect enable fault: 0 Detect disable fault: 0
Faults: 0
Driver counters:
I2C Read Fail: 0 I2C Write Fail: 0
Resets: 1 Initialized: 1
PHY reset error: 0
LTC4259 registers:
INTRPT STATUS = 0x88 INTRPT MASK = 0x00 POWER EVENT = 0x00
DETECT EVENT = 0x03 FAULT EVENT = 0x00 TSTART EVENT = 0x00
SUPPLY EVENT = 0x02 PORT1 STATUS = 0x06 PORT2 STATUS = 0x06
PORT3 STATUS = 0x00 PORT4 STATUS = 0x00 POWER STATUS = 0x00
OPERATE MODE = 0x0f DISC. ENABLE = 0x30 DT/CLASS ENBL = 0x33
TIMING CONFIG = 0x00 MISC. CONFIG = 0x00
 
...
 
Internal-Data0/0:
Y88ACS06 Register settings:
rap 0xe0004000 = 0x00000000
ctrl_status 0xe0004004 = 0x5501064a
irq_src 0xe0004008 = 0x00000000
irq_msk 0xe000400c = 0x00000000
irq_hw_err_src 0xe0004010 = 0x00000000
irq_hw_err_msk 0xe0004014 = 0x00001000
bmu_cs_rxq 0xe0004060 = 0x002aaa80
bmu_cs_stxq 0xe0004068 = 0x01155540
bmu_cs_atxq 0xe000406c = 0x012aaa80
 
Bank 2: MAC address registers:
....
 

The following is sample output from the show controller detail command:

ciscoasa# show controller gigabitethernet0/0 detail
 
GigabitEthernet0/0:
Intel i82546GB revision 03
 
Main Registers:
Device Control: 0xf8260000 = 0x003c0249
Device Status: 0xf8260008 = 0x00003347
Extended Control: 0xf8260018 = 0x000000c0
RX Config: 0xf8260180 = 0x0c000000
TX Config: 0xf8260178 = 0x000001a0
RX Control: 0xf8260100 = 0x04408002
TX Control: 0xf8260400 = 0x000400fa
TX Inter Packet Gap: 0xf8260410 = 0x00602008
RX Filter Cntlr: 0xf8260150 = 0x00000000
RX Chksum: 0xf8265000 = 0x00000300
 
RX Descriptor Registers:
RX Descriptor 0 Cntlr: 0xf8262828 = 0x00010000
RX Descriptor 0 AddrLo: 0xf8262800 = 0x01985000
RX Desccriptor 0 AddrHi: 0xf8262804 = 0x00000000
RX Descriptor 0 Length: 0xf8262808 = 0x00001000
RX Descriptor 0 Head: 0xf8262810 = 0x00000000
RX Descriptor 0 Tail: 0xf8262818 = 0x000000ff
RX Descriptor 1 Cntlr: 0xf8262828 = 0x00010000
RX Descriptor 1 AddrLo: 0xf8260138 = 0x00000000
RX Descriptor 1 AddrHi: 0xf826013c = 0x00000000
RX Descriptor 1 Length: 0xf8260140 = 0x00000000
RX Descriptor 1 Head: 0xf8260148 = 0x00000000
RX Descriptor 1 Tail: 0xf8260150 = 0x00000000
 
TX Descriptor Registers:
TX Descriptor 0 Cntlr: 0xf8263828 = 0x00000000
TX Descriptor 0 AddrLo: 0xf8263800 = 0x01987000
TX Descriptor 0 AddrHi: 0xf8263804 = 0x00000000
TX Descriptor 0 Length: 0xf8263808 = 0x00001000
TX Descriptor 0 Head: 0xf8263810 = 0x00000000
TX Descriptor 0 Tail: 0xf8263818 = 0x00000000
 
RX Address Array:
Ethernet Address 0: 0012.d948.ef58
Ethernet Address 1: Not Valid!
Ethernet Address 2: Not Valid!
Ethernet Address 3: Not Valid!
Ethernet Address 4: Not Valid!
Ethernet Address 5: Not Valid!
Ethernet Address 6: Not Valid!
Ethernet Address 7: Not Valid!
Ethernet Address 8: Not Valid!
Ethernet Address 9: Not Valid!
Ethernet Address a: Not Valid!
Ethernet Address b: Not Valid!
Ethernet Address c: Not Valid!
Ethernet Address d: Not Valid!
Ethernet Address e: Not Valid!
Ethernet Address f: Not Valid!
 
PHY Registers:
Phy Control: 0x1140
Phy Status: 0x7969
Phy ID 1: 0x0141
Phy ID 2: 0x0c25
Phy Autoneg Advertise: 0x01e1
Phy Link Partner Ability: 0x41e1
Phy Autoneg Expansion: 0x0007
Phy Next Page TX: 0x2801
Phy Link Partnr Next Page: 0x0000
Phy 1000T Control: 0x0200
Phy 1000T Status: 0x4000
Phy Extended Status: 0x3000
 
Detailed Output - RX Descriptor Ring:
 
rx_bd[000]: baddr = 0x019823A2, length = 0x0000, status = 0x00
pkt chksum = 0x0000, errors = 0x00, special = 0x0000
rx_bd[001]: baddr = 0x01981A62, length = 0x0000, status = 0x00
pkt chksum = 0x0000, errors = 0x00, special = 0x0000
........

The following is sample output from the show controller detail command for the Internal interfaces on the ASA 5512-X through ASA 5555-X:

ciscoasa# show controller detail
 
Internal-Control0/0:
ASA IPS/VM Back Plane TunTap Interface , port id 9
Major Configuration Parameters
Device Name : en_vtun
Linux Tun/Tap Device : /dev/net/tun/tap1
Num of Transmit Rings : 1
Num of Receive Rings : 1
Ring Size : 128
Max Frame Length : 1550
Out of Buffer : 0
Reset : 0
Drop : 0
Transmit Ring [0]:
tx_pkts_in_queue : 0
tx_pkts : 176
tx_bytes : 9664
Receive Ring [0]:
rx_pkts_in_queue : 0
rx_pkts : 0
rx_bytes : 0
rx_drops : 0
 
Internal-Data0/1:
ASA IPS/VM Management Channel TunTap Interface , port id 9
Major Configuration Parameters
Device Name : en_vtun
Linux Tun/Tap Device : /dev/net/tun/tap2
Num of Transmit Rings : 1
Num of Receive Rings : 1
Ring Size : 128
Max Frame Length : 1550
Out of Buffer : 0
Reset : 0
Drop : 0
Transmit Ring [0]:
tx_pkts_in_queue : 0
tx_pkts : 176
tx_bytes : 9664
Receive Ring [0]:
rx_pkts_in_queue : 0
rx_pkts : 0
rx_bytes : 0
rx_drops : 0
 

The following is sample output from the show controller slot command:

Slot Card Description PCI-e Bandwidth Cap.
---- ---------------- ----------------------
3. ASA 5580 2 port 10GE SR Fiber Interface Card Bus: x4, Card: x8
 
4. ASA 5580 4 port GE Copper Interface Card Bus: x4, Card: x4
 
5. ASA 5580 2 port 10GE SR Fiber Interface Card Bus: x8, Card: x8
 
6. ASA 5580 4 port GE Fiber Interface Card Bus: x4, Card: x4
 
7. empty Bus: x8
 
8. empty Bus: x8
 

The following is sample output from the show controller pci command:

ciscoasa# show controller pci
 
PCI Evaluation Log:
---------------------------------------------------------------------------
Empty
 
PCI Bus:Device.Function (hex): 00:00.0 Vendor ID: 0x8086 Device ID: 0x3406
---------------------------------------------------------------------------
 
PCI Configuration Space (hex):
0x00: 86 80 06 34 00 00 10 00 22 00 00 06 10 00 00 00
0x10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x20: 00 00 00 00 00 00 00 00 00 00 00 00 86 80 00 00
0x30: 00 00 00 00 60 00 00 00 00 00 00 00 05 01 00 00
0x40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x60: 05 90 02 01 00 00 00 00 00 00 00 00 00 00 00 00
0x70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x90: 10 e0 42 00 20 80 00 00 00 00 00 00 41 3c 3b 00
0xa0: 00 00 41 30 00 00 00 00 c0 07 00 01 00 00 00 00
0xb0: 00 00 00 00 3e 00 00 00 09 00 00 00 00 00 00 00
0xc0: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0xd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0xe0: 01 00 03 c8 08 00 00 00 00 00 00 00 00 00 00 00
0xf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
Link Capabilities: x4, Gen1
Link Status: x4, Gen1
 

 
Related Commands

Command
Description

show interface

Shows the interface statistics.

show tech-support

Shows information so Cisco TAC can diagnose problems.

show coredump filesystem

To show the contents of the coredump filesystem, enter the show coredump filesystem command.

show coredump filesystem

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

By default, coredumps are not enabled.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.2(1)

This command was introduced.

 
Usage Guidelines

This command shows the contents of the coredump filesystem.

Examples

To show the contents of any recent coredumps generated, enter the show coredump filesystem command.

ciscoasa(config)# show coredump filesystem
Coredump Filesystem Size is 100 MB
Filesystem type is FAT for disk0
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/loop0 102182 75240 26942 74% /mnt/disk0/coredumpfsys
Directory of disk0:/coredumpfsys/
246 -rwx 20205386 19:14:53 Nov 26 2008 core_lina.2008Nov26_191244.203.11.gz
247 -rwx 36707919 19:17:27 Nov 26 2008 core_lina.2008Nov26_191456.203.6.gz
248 -rwx 20130838 19:26:36 Nov 26 2008 core_lina.2008Nov26_192407.203.11.gz

 
Related Commands

Command
Description

coredump enable

Enables the coredump feature.

clear configure coredump

Removes any coredumps currently stored on the coredump filesystem and clears the coredump log. Does not touch the coredump filesystem itself and does not change or affect the coredump configuration.

clear coredump

Removes any coredumps currently stored on the coredump filesystem and clears the coredump log. Does not touch the coredump filesystem itself and does not change or affect the coredump configuration.

show coredump log

Shows the coredump log.

show coredump log

To show the contents of the coredump log, newest first, enter the show coredump log command. To show the contents of the coredump log, oldest first, enter the show coredump log reverse command.

show coredump log

show coredump log [ reverse ]

 
Syntax Description

reverse

Shows the coredump log with the oldest entries first.

 
Defaults

By default, coredumps are not enabled.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.2(1)

This command was introduced.

 
Usage Guidelines

This command displays the contents of the coredump log. The logs should reflect what is currently on the disk.

Examples

The following example shows the output from these commands:

ciscoasa(config)# show coredump log
[ 1 ] Wed Feb 18 22:12:09 2009: Coredump completed for module 'lina', coredump file 'core_lina.2009Feb18_221032.203.6.gz', size 971722752 bytes, compressed size 21293688
[ 2 ] Wed Feb 18 22:11:01 2009: Filesystem full on 'disk0', removing module coredump record 'core_lina.2009Feb18_213558.203.11.gz'
[ 3 ] Wed Feb 18 22:10:32 2009: Coredump started for module 'lina', generating coredump file 'core_lina.2009Feb18_221032.203.6.gz' on 'disk0'
[ 4 ] Wed Feb 18 21:37:35 2009: Coredump completed for module 'lina', coredump file 'core_lina.2009Feb18_213558.203.11.gz', size 971722752 bytes, compressed size 21286383
[ 5 ] Wed Feb 18 21:35:58 2009: Coredump started for module 'lina', generating coredump file 'core_lina.2009Feb18_213558.203.11.gz' on 'disk0'

Note The older coredump file is deleted to make room for the new coredump. The ASA does this automatically when the coredump filesystem fills and room is needed for the current coredump. This is why it is imperative to archive coredumps as soon as possible, to ensure they don’t get overwritten in the event of a crash.


ciscoasa(config)# show coredump log reverse

[ 1 ] Wed Feb 18 21:35:58 2009: Coredump started for module 'lina', generating coredump file 'core_lina.2009Feb18_213558.203.11.gz' on 'disk0'
[ 2 ] Wed Feb 18 21:37:35 2009: Coredump completed for module 'lina', coredump file 'core_lina.2009Feb18_213558.203.11.gz', size 971722752 bytes, compressed size 21286383
[ 3 ] Wed Feb 18 22:10:32 2009: Coredump started for module 'lina', generating coredump file 'core_lina.2009Feb18_221032.203.6.gz' on 'disk0'
[ 4 ] Wed Feb 18 22:11:01 2009: Filesystem full on 'disk0', removing module coredump record 'core_lina.2009Feb18_213558.203.11.gz'
[ 5 ] Wed Feb 18 22:12:09 2009: Coredump completed for module 'lina', coredump file 'core_lina.2009Feb18_221032.203.6.gz', size 971722752 bytes, compressed size 21293688
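
The following added example (not part of the Cisco reference) parses show coredump log output in either order and replays it to find coredumps that the ASA deleted when the filesystem filled, which is the loss the note above warns about. The function names and state labels are assumptions of this sketch; the sample input is the log output shown above.

```python
import re
from datetime import datetime

# Sample input: the "show coredump log" output from this page (newest first).
SAMPLE_LOG = """\
[ 1 ] Wed Feb 18 22:12:09 2009: Coredump completed for module 'lina', coredump file 'core_lina.2009Feb18_221032.203.6.gz', size 971722752 bytes, compressed size 21293688
[ 2 ] Wed Feb 18 22:11:01 2009: Filesystem full on 'disk0', removing module coredump record 'core_lina.2009Feb18_213558.203.11.gz'
[ 3 ] Wed Feb 18 22:10:32 2009: Coredump started for module 'lina', generating coredump file 'core_lina.2009Feb18_221032.203.6.gz' on 'disk0'
[ 4 ] Wed Feb 18 21:37:35 2009: Coredump completed for module 'lina', coredump file 'core_lina.2009Feb18_213558.203.11.gz', size 971722752 bytes, compressed size 21286383
[ 5 ] Wed Feb 18 21:35:58 2009: Coredump started for module 'lina', generating coredump file 'core_lina.2009Feb18_213558.203.11.gz' on 'disk0'
"""

# "[ n ] <timestamp>: <message>"; the index is ignored because it depends on sort order.
ENTRY = re.compile(r"^\[\s*\d+\s*\]\s+(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}):\s+(.*)$")
PATTERNS = [
    ("started", re.compile(r"Coredump started for module '(?P<module>[^']+)', "
                           r"generating coredump file '(?P<file>[^']+)' on '(?P<disk>[^']+)'")),
    ("completed", re.compile(r"Coredump completed for module '(?P<module>[^']+)', "
                             r"coredump file '(?P<file>[^']+)', size (?P<size>\d+) bytes, "
                             r"compressed size (?P<compressed>\d+)")),
    ("removed", re.compile(r"Filesystem full on '(?P<disk>[^']+)', "
                           r"removing module coredump record '(?P<file>[^']+)'")),
]


def parse_coredump_log(text):
    """Return log events as dicts, sorted oldest first regardless of input order."""
    events = []
    for line in text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue  # prompt lines, blanks, anything that is not a log entry
        when = datetime.strptime(entry.group(1), "%a %b %d %H:%M:%S %Y")
        for kind, pattern in PATTERNS:
            m = pattern.search(entry.group(2))
            if m:
                events.append({"time": when, "kind": kind, **m.groupdict()})
                break
    return sorted(events, key=lambda e: e["time"])


def coredump_status(events):
    """Replay events in time order and return the final state of each coredump file."""
    files = {}
    for e in events:
        rec = files.setdefault(e["file"], {"state": "unknown", "compressed_size": None})
        if e["kind"] == "started":
            rec["state"] = "in-progress"   # started, no completion seen yet
        elif e["kind"] == "completed":
            rec["state"] = "on-disk"
            rec["compressed_size"] = int(e["compressed"])
        elif e["kind"] == "removed":
            rec["state"] = "evicted"       # deleted by the ASA to make room
    return files


def evicted_files(status):
    """Coredumps that are gone from the device unless they were archived first."""
    return sorted(name for name, rec in status.items() if rec["state"] == "evicted")


if __name__ == "__main__":
    for name, rec in coredump_status(parse_coredump_log(SAMPLE_LOG)).items():
        print(f"{rec['state']:<12} {name}")
```

A file left in the in-progress state means a dump started but no completion entry followed it in the log.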
 

 
Related Commands

Command
Description

coredump enable

Enables the coredump feature.

clear configure coredump

Removes any coredumps currently stored on the coredump filesystem and clears the coredump log. Does not touch the coredump filesystem itself and does not change or affect the coredump configuration.

clear coredump

Removes any coredumps currently stored on the coredump filesystem and clears the coredump log. Does not touch the coredump filesystem itself and does not change or affect the coredump configuration.

show coredump filesystem

Shows the contents of the coredump filesystem.

show counters

To display the protocol stack counters, use the show counters command in privileged EXEC mode.

show counters [all | context context-name | summary | top N ] [ detail ] [protocol protocol_name [: counter_name ]] [ threshold N ]

 
Syntax Description

all

Displays the filter details.

context context-name

Specifies the context name.

: counter_name

Specifies a counter by name.

detail

Displays additional counters information.

protocol protocol_name

Displays the counters for the specified protocol.

summary

Displays a counter summary.

threshold N

Displays only those counters at or above the specified threshold. The range is 1 through 4294967295.

top N

Displays the counters at or above the specified threshold. The range is 1 through 4294967295.

 
Defaults

show counters summary detail threshold 1

 
Command Modes

The following table shows the modes in which you can enter the command:

 

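| Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System) |
|---|---|---|---|---|---|
| Privileged EXEC | Yes | Yes | Yes | Yes | Yes |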

 
Command History

Release
Modification

7.2(1)

This command was introduced.

9.2(1)

Counters for the event manager were added.

Examples

The following example shows how to display all counters:

ciscoasa# show counters all
Protocol Counter Value Context
IOS_IPC IN_PKTS 2 single_vf
IOS_IPC OUT_PKTS 2 single_vf
 
ciscoasa# show counters
Protocol Counter Value Context
NPCP IN_PKTS 7195 Summary
NPCP OUT_PKTS 7603 Summary
IOS_IPC IN_PKTS 869 Summary
IOS_IPC OUT_PKTS 865 Summary
IP IN_PKTS 380 Summary
IP OUT_PKTS 411 Summary
IP TO_ARP 105 Summary
IP TO_UDP 9 Summary
UDP IN_PKTS 9 Summary
UDP DROP_NO_APP 9 Summary
FIXUP IN_PKTS 202 Summary
UAUTH IPV6_UNSUPPORTED 27 Summary
IDFW HIT_USER_LIMIT 2 Summary
 

The following example shows how to display a summary of counters:

ciscoasa# show counters summary
Protocol Counter Value Context
IOS_IPC IN_PKTS 2 Summary
IOS_IPC OUT_PKTS 2 Summary
 

The following example shows how to display counters for a context:

ciscoasa# show counters context single_vf
Protocol Counter Value Context
IOS_IPC IN_PKTS 4 single_vf
IOS_IPC OUT_PKTS 4 single_vf
 

The following example shows how to display counters for the event manager:

ciscoasa# show counters protocol eem
Protocol Counter Value Context
EEM SYSLOG 22 Summary
EEM COMMANDS 6 Summary
EEM FILES 3 Summary
 

 
Related Commands

Command
Description

clear counters

Clears the protocol stack counters.

show cpu

To display the CPU utilization information, use the show cpu command in privileged EXEC mode.

[ cluster exec ] show cpu [ usage core-id | profile | dump | detailed ]

From the system configuration in multiple context mode:

[ cluster exec ] show cpu [ usage ] [ context { all | context_name }]

 
Syntax Description

all

Specifies that the display show all contexts.

cluster exec

(Optional) In a clustering environment, enables you to issue the show cpu command in one unit and run the command in all the other units at the same time.

context

Specifies that the display show a context.

context_name

Specifies the name of the context to display.

core-id

Specifies the number of the processor core.

detailed

(Optional) Displays the CPU usage internal details.

dump

(Optional) Dumps the profiling data to the TTY.

profile

(Optional) Displays the CPU profiling data.

usage

(Optional) Displays the CPU usage.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

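| Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System) |
|---|---|---|---|---|---|
| Privileged EXEC | Yes | Yes | Yes | Yes | Yes |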

 
Command History

Release
Modification

7.0(1)

This command was introduced.

8.6(1)

The core-id option was added to support the ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X.

9.1(2)

The output was updated for the show cpu profile and show cpu profile dump commands.

9.2(1)

Virtual platform CPU usage has been added to the output for the ASAv.

 
Usage Guidelines

The CPU usage is computed from an approximation of the load taken every five seconds; this approximation is then fed into two moving averages.

You can use the show cpu command to find process-related loads (that is, activity on behalf of items listed by the output of the show process command in both single mode and from the system configuration in multiple context mode).

In multiple context mode, you can also request a breakdown of the process-related load into the CPU consumed by each configured context, either by changing to each context and entering the show cpu command or by entering the show cpu context command.

While process related load is rounded to the nearest whole number, context related loads include one additional decimal digit of precision. For example, entering the show cpu command from the system context produces a different number than from entering the show cpu context system command. The former is an approximate summary of everything that appears in the show cpu context all command, and the latter is only a portion of that summary.

You can use the show cpu profile dump command in conjunction with the cpu profile activate command to collect information for TAC use in troubleshooting CPU issues. The show cpu profile dump command output is in hexadecimal format.

If the CPU profiler is waiting for a starting condition to occur, the show cpu profile command displays the following output:

CPU profiling started: 12:45:57.209 UTC Wed Nov 14 2012
CPU Profiling waiting on starting condition.
Core 0: 0 out of 10 samples collected.
Core 1: 0 out of 10 samples collected.
Core 2: 0 out of 10 samples collected.
Core 3: 0 out of 10 samples collected.
CP
0 out of 10 samples collected.
 

For the ASAv, note the following licensing guidelines:

  • The number of allowed vCPUs is determined by the vCPU platform license installed.

If the number of licensed vCPUs matches the number of provisioned vCPUs, the state is Compliant.

If the number of licensed vCPUs is less than the number of provisioned vCPUs, the state is Noncompliant: Over-provisioned.

If the number of licensed vCPUs is more than the number of provisioned vCPUs, the state is Compliant: Under-provisioned.

  • The memory limit is determined by the number of vCPUs provisioned.

If the provisioned memory is at the allowed limit, the state is Compliant.

If the provisioned memory is above the allowed limit, the state is Noncompliant: Over-provisioned.

If the provisioned memory is below the allowed limit, the state is Compliant: Under-provisioned.

  • The Frequency Reservation limit is determined by the number of vCPUs provisioned.

If the frequency reservation memory is at or above the required minimum (1000 MHz), the state is Compliant.

If the frequency reservation memory is below the required minimum (1000 MHz), the state is Compliant: Under-provisioned.

For example, the following output shows that no license has been applied. The number of allowed vCPUs refers to the number licensed, and Noncompliant: Over-provisioned indicates that the product is running with more resources than have been licensed.

Virtual platform CPU resources
------------------------------
Number of vCPUs : 1
Number of allowed vCPUs : 0
vCPU Status : Noncompliant: Over-provisioned
 

Examples

The following example shows how to display the CPU utilization:

ciscoasa# show cpu usage
CPU utilization for 5 seconds = 18%; 1 minute: 18%; 5 minutes: 18%
 

The following example shows how to display detailed CPU utilization information:

ciscoasa# show cpu detailed
Break down of per-core data path versus control point cpu usage:
Core 5 sec 1 min 5 min
Core 0 0.0 (0.0 + 0.0) 3.3 (0.0 + 3.3) 2.4 (0.0 + 2.4)
 
Current control point elapsed versus the maximum control point elapsed for:
5 seconds = 99.0%; 1 minute: 99.8%; 5 minutes: 95.9%
 
CPU utilization of external processes for:
5 seconds = 0.2%; 1 minute: 0.0%; 5 minutes: 0.0%
 
Total CPU utilization for:
5 seconds = 0.2%; 1 minute: 3.3%; 5 minutes: 2.5%
 

Note The “Current control point elapsed versus the maximum control point elapsed for” statement means that the current control point load is compared to the maximum load seen within the defined time period. This is a ratio instead of an absolute number. The figure of 99% for the 5-second interval means that the current control point load is at 99% of the maximum load that is visible over this 5-second interval. If the load continues to increase all the time, then it will always remain at 100%. However, the actual CPU may still have a lot of free capacity because the maximum absolute value has not been defined.


The following example shows how to display the CPU utilization for the system context in multiple mode:

ciscoasa# show cpu context system
CPU utilization for 5 seconds = 9.1%; 1 minute: 9.2%; 5 minutes: 9.1%
 

The following example shows how to display the CPU utilization for all contexts:

ciscoasa# show cpu usage context all
5 sec 1 min 5 min Context Name
9.1% 9.2% 9.1% system
0.0% 0.0% 0.0% admin
5.0% 5.0% 5.0% one
4.2% 4.3% 4.2% two
 

The following example shows how to display the CPU utilization for a context named “one”:

ciscoasa/one# show cpu usage
CPU utilization for 5 seconds = 5.0%; 1 minute: 5.0%; 5 minutes: 5.0%
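
The following added example (not part of the Cisco reference) parses the show cpu usage and show cpu usage context all outputs shown above and reconciles them, illustrating the Usage Guidelines point that the whole-number system figure is an approximate summary of the per-context figures. It assumes both samples describe the same device at the same moment and that "summary" means the sum of the context rows; the function names and the 1.0-point tolerance are choices of this sketch.

```python
import re

# Sample inputs: outputs shown on this page.
SHOW_CPU_USAGE = "CPU utilization for 5 seconds = 18%; 1 minute: 18%; 5 minutes: 18%"
SHOW_CPU_CONTEXT_ALL = """\
5 sec 1 min 5 min Context Name
9.1% 9.2% 9.1% system
0.0% 0.0% 0.0% admin
5.0% 5.0% 5.0% one
4.2% 4.3% 4.2% two
"""

WINDOWS = ("5 sec", "1 min", "5 min")
USAGE = re.compile(r"5 seconds = ([\d.]+)%; 1 minute: ([\d.]+)%; 5 minutes: ([\d.]+)%")
ROW = re.compile(r"^\s*([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(\S+)\s*$")


def parse_usage(line):
    """Return (5 sec, 1 min, 5 min) percentages from a 'CPU utilization for' line."""
    m = USAGE.search(line)
    if not m:
        raise ValueError("not a CPU utilization line")
    return tuple(float(x) for x in m.groups())


def parse_context_all(text):
    """Return {context_name: (5 sec, 1 min, 5 min)}; the header row is skipped."""
    contexts = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            contexts[m.group(4)] = tuple(float(m.group(i)) for i in (1, 2, 3))
    return contexts


def context_totals(contexts):
    """Sum the per-context loads for each averaging window."""
    return tuple(round(sum(v[i] for v in contexts.values()), 1) for i in range(3))


def reconcile(usage_line, context_text, tolerance=1.0):
    """Compare the rounded process load with the summed context loads per window."""
    reported = parse_usage(usage_line)
    summed = context_totals(parse_context_all(context_text))
    result = {}
    for name, rep, tot in zip(WINDOWS, reported, summed):
        delta = round(tot - rep, 1)
        result[name] = {"reported": rep, "summed": tot, "delta": delta,
                        "consistent": abs(delta) <= tolerance}
    return result


def busiest_context(contexts, window=0, exclude=("system",)):
    """Name of the context with the highest load in the given window."""
    candidates = {k: v for k, v in contexts.items() if k not in exclude}
    return max(candidates, key=lambda k: candidates[k][window])


if __name__ == "__main__":
    for window, row in reconcile(SHOW_CPU_USAGE, SHOW_CPU_CONTEXT_ALL).items():
        print(window, row)
    print("busiest:", busiest_context(parse_context_all(SHOW_CPU_CONTEXT_ALL)))
```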
 

The following example activates the profiler and instructs it to store 1000 samples.

 
ciscoasa# cpu profile activate
Activated CPU profiling for 1000 samples.
Use "show cpu profile" to display the progress or "show cpu profile dump" to interrupt profiling and display the incomplete results.
 

The following examples show the status of the profiling (in-progress and completed):

ciscoasa# show cpu profile
CPU profiling started: 13:45:10.400 PST Fri Nov 16 2012
CPU profiling currently in progress:
Core 0: 209 out of 1000 samples collected.
Use "show cpu profile dump" to see the results after it is complete or to interrupt profiling and display the incomplete results.
 
ciscoasa# show cpu profile dump
Cisco Adaptive Security Appliance Software Version 9.1(2)
Hardware: ASA5555
CPU profiling started: 09:13:32.079 UTC Wed Jan 30 2013
No CPU profiling process specified.
No CPU profiling trigger specified.
cores: 2
 
Process virtual address map:
---------------------------
---------------------------
End of process map
Samples for core 0 - stopped
{0x00000000007eadb6,0x000000000211ee7e} ...
 

The following example shows CPU usage for the ASAv:

ciscoasa# show cpu
CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%
 
Virtual platform CPU resources
------------------------------
Number of vCPUs : 2
Number of allowed vCPUs : 2
vCPU Status : Compliant
 
Frequency Reservation : 1000 MHz
Minimum required : 1000 MHz
Frequency Limit : 4000 MHz
Maximum allowed : 56000 MHz
Frequency Status : Compliant
Average Usage (30 seconds) : 136 MHz
 

The following example shows details of CPU usage for the ASAv:

Break down of per-core data path versus control point cpu usage:
Core 5 sec 1 min 5 min
Core 0 0.0 (0.0 + 0.0) 0.0 (0.0 + 0.0) 0.0 (0.0 + 0.0)
Core 1 0.0 (0.0 + 0.0) 0.2 (0.2 + 0.0) 0.0 (0.0 + 0.0)
Core 2 0.0 (0.0 + 0.0) 0.0 (0.0 + 0.0) 0.0 (0.0 + 0.0)
Core 3 0.0 (0.0 + 0.0) 0.1 (0.0 + 0.1) 0.0 (0.0 + 0.0)
 
Current control point elapsed versus the maximum control point elapsed for:
5 seconds = 0.0%; 1 minute: 0.0%; 5 minutes: 0.0%
 
 
CPU utilization of external processes for:
5 seconds = 0.0%; 1 minute: 0.0%; 5 minutes: 0.0%
 
 
Total CPU utilization for:
5 seconds = 0.1%; 1 minute: 0.1%; 5 minutes: 0.1%
 
Virtual platform CPU resources
------------------------------
Number of vCPUs : 4
Number of allowed vCPUs : 4
vCPU Status : Compliant
 
Frequency Reservation : 1000 MHz
Minimum required : 1000 MHz
Frequency Limit : 20000 MHz
Maximum allowed : 20000 MHz
Frequency Status : Compliant
Average Usage (30 seconds) : 99 MHz
 

Copy this information and provide it to the TAC for decoding.

 
Related Commands

Command
Description

show counters

Displays the protocol stack counters.

cpu profile activate

Activates CPU profiling.