Cisco ASA Series Command Reference, S Commands
show isakmp ipsec-over-tcp stats -- show mroute
Downloads: This chapterpdf (PDF - 661.0KB) The complete bookPDF (PDF - 9.09MB) | The complete bookePub (ePub - 788.0KB) | The complete bookMobi (Mobi - 2.88MB) | Feedback

Table of Contents

show isakmp ipsec-over-tcp stats through show mroute Commands

show isakmp ipsec-over-tcp stats

show isakmp sa

show isakmp stats

show kernel

show kernel bridge

show lacp

show lacp cluster

show local-host

show logging

show logging flow-export-syslogs

show logging rate-limit

show mac-address-table

show management-access

show mdm-proxy sessions

show mdm-proxy statistics

show memory

show memory api

show memory app-cache

show memory binsize

show memory delayed-free-poisoner

show memory profile

show memory top-usage

show memory tracking

show memory webvpn

show memory-caller address

show mfib

show mfib active

show mfib count

show mfib interface

show mfib reserved

show mfib status

show mfib summary

show mfib verbose

show mgcp

show mmp

show mode

show module

show monitor-interface

show mrib client

show mrib route

show mroute

show isakmp ipsec-over-tcp stats through show mroute Commands

show isakmp ipsec-over-tcp stats

To display runtime statistics for IPsec over TCP, use the show isakmp ipsec-over tcp stats command in global configuration mode or privileged EXEC mode.

show isakmp ipsec-over-tcp stats

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes

  • Yes
  • Yes

Privileged EXEC

  • Yes

  • Yes
  • Yes

 
Command History

Release
Modification

ASAv(1)

The show isakmp ipsec-over-tcp stats command was introduced.

7.2(1)

The show isakmp ipsec-over-tcp stats command was deprecated. The show crypto isakmp ipsec-over-tcp stats command replaces it.

9.0(1)

Support for multiple context mode was added.

 
Usage Guidelines

The output from this command includes the following fields:

  • Embryonic connections
  • Active connections
  • Previous connections
  • Inbound packets
  • Inbound dropped packets
  • Outbound packets
  • Outbound dropped packets
  • RST packets
  • Received ACK heart-beat packets
  • Bad headers
  • Bad trailers
  • Timer failures
  • Checksum errors
  • Internal errors

Examples

The following example, issued in global configuration mode, displays ISAKMP statistics:

ciscoasa(config)# show isakmp ipsec-over-tcp stats
Global IPsec over TCP Statistics
--------------------------------
Embryonic connections: 2
Active connections: 132
Previous connections: 146
Inbound packets: 6000
Inbound dropped packets: 30
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 260
Received ACK heart-beat packets: 10
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0
ciscoasa(config)#

 
Related Commands

Command
Description

clear configure crypto isakmp

Clears all the ISAKMP configuration.

clear configure crypto isakmp policy

Clears all ISAKMP policy configuration.

clear crypto isakmp sa

Clears the IKE runtime SA database.

crypto isakmp enable

Enables ISAKMP negotiation on the interface on which the IPsec peer communicates with the ASA.

show running-config crypto isakmp

Displays all the active ISAKMP configuration.

show isakmp sa

To display the IKE runtime SA database, use the show isakmp sa command in global configuration mode or privileged EXEC mode.

show isakmp sa [ detail ]

 
Syntax Description

detail

Displays detailed output about the SA database.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes

  • Yes
  • Yes

Privileged EXEC

  • Yes

  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

The show isakmp sa command was introduced.

7.2(1)

This command was deprecated. The show crypto isakmp sa command replaces it.

9.0(1)

Support for multiple context mode was added.

 
Usage Guidelines

The output from this command includes the following fields:

Detail not specified.

IKE Peer

Type

Dir

Rky

State

209.165.200.225

L2L

Init

No

MM_Active

Detail specified.

IKE Peer

Type

Dir

Rky

State

Encrypt

Hash

Auth

Lifetime

209.165.200.225

L2L

Init

No

MM_Active

3des

md5

preshrd

86400

Examples

The following example, entered in global configuration mode, displays detailed information about the SA database:

ciscoasa(config)# show isakmp sa detail
 
IKE Peer Type Dir Rky State Encrypt Hash Auth Lifetime
1 209.165.200.225 User Resp No AM_Active 3des SHA preshrd 86400
 
IKE Peer Type Dir Rky State Encrypt Hash Auth Lifetime
2 209.165.200.226 User Resp No AM_ACTIVE 3des SHA preshrd 86400
 
IKE Peer Type Dir Rky State Encrypt Hash Auth Lifetime
3 209.165.200.227 User Resp No AM_ACTIVE 3des SHA preshrd 86400
 
IKE Peer Type Dir Rky State Encrypt Hash Auth Lifetime
4 209.165.200.228 User Resp No AM_ACTIVE 3des SHA preshrd 86400
 
ciscoasa(config)#

 
Related Commands

Command
Description

clear configure isakmp

Clears all the ISAKMP configuration.

clear configure isakmp policy

Clears all ISAKMP policy configuration.

clear isakmp sa

Clears the IKE runtime SA database.

isakmp enable

Enables ISAKMP negotiation on the interface on which the IPsec peer communicates with the ASA.

show running-config isakmp

Displays all the active ISAKMP configuration.

show isakmp stats

To display runtime statistics, use the show isakmp stats command in global configuration mode or privileged EXEC mode.

show isakmp stats

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes

  • Yes
  • Yes

Privileged EXEC

  • Yes

  • Yes
  • Yes

 
Command History

Release
Modification

ASAv(1)

The show isakmp stats command was introduced.

7.2(1)

This command was deprecated. The show crypto isakmp stats command replaces it.

9.0(1)

Support for multiple context mode was added.

 
Usage Guidelines

Each one of the counters maps to an associated cikePhase1GW counter. For details on each of these counters, refer to CISCO-IPSEC-FLOW-MONITOR-MIB.my .

  • Active/Standby Tunnels—cikePhase1GWActiveTunnels
  • Previous Tunnels—cikePhase1GWPreviousTunnels
  • In Octets—cikePhase1GWInOctets
  • In Packets—cikePhase1GWInPkts
  • In Drop Packets—cikePhase1GWInDropPkts
  • In Notifys—cikePhase1GWInNotifys
  • In P2 Exchanges—cikePhase1GWInP2Exchgs
  • In P2 Exchange Invalids—cikePhase1GWInP2ExchgInvalids
  • In P2 Exchange Rejects—cikePhase1GWInP2ExchgRejects
  • In P2 Sa Delete Requests—cikePhase1GWInP2SaDelRequests
  • Out Octets—cikePhase1GWOutOctets
  • Out Packets—cikePhase1GWOutPkts
  • Out Drop Packets—cikePhase1GWOutDropPkts
  • Out Notifys—cikePhase1GWOutNotifys
  • Out P2 Exchanges—cikePhase1GWOutP2Exchgs
  • Out P2 Exchange Invalids—cikePhase1GWOutP2ExchgInvalids
  • Out P2 Exchange Rejects—cikePhase1GWOutP2ExchgRejects
  • Out P2 Sa Delete Requests—cikePhase1GWOutP2SaDelRequests
  • Initiator Tunnels—cikePhase1GWInitTunnels
  • Initiator Fails—cikePhase1GWInitTunnelFails
  • Responder Fails—cikePhase1GWRespTunnelFails
  • System Capacity Fails—cikePhase1GWSysCapFails
  • Auth Fails—cikePhase1GWAuthFails
  • Decrypt Fails—cikePhase1GWDecryptFails
  • Hash Valid Fails—cikePhase1GWHashValidFails
  • No Sa Fails—cikePhase1GWNoSaFails

The output from this command includes the following fields:

  • Global IKE Statistics
  • Active Tunnels
  • In Octets
  • In Packets
  • In Drop Packets
  • In Notifys
  • In P2 Exchanges
  • In P2 Exchange Invalids
  • In P2 Exchange Rejects
  • In P2 Sa Delete Requests
  • Out Octets
  • Out Packets
  • Out Drop Packets
  • Out Notifys
  • Out P2 Exchanges
  • Out P2 Exchange Invalids
  • Out P2 Exchange Rejects
  • Out P2 Sa Delete Requests
  • Initiator Tunnels
  • Initiator Fails
  • Responder Fails
  • System Capacity Fails
  • Auth Fails
  • Decrypt Fails
  • Hash Valid Fails
  • No Sa Fails

Examples

The following example, issued in global configuration mode, displays ISAKMP statistics:

ciscoasa(config)# show isakmp stats
Global IKE Statistics
Active Tunnels: 132
Previous Tunnels: 132
In Octets: 195471
In Packets: 1854
In Drop Packets: 925
In Notifys: 0
In P2 Exchanges: 132
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 119029
Out Packets: 796
Out Drop Packets: 0
Out Notifys: 264
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
ciscoasa(config)#

 
Related Commands

Command
Description

clear configure isakmp

Clears all the ISAKMP configuration.

clear configure isakmp policy

Clears all ISAKMP policy configuration.

clear isakmp sa

Clears the IKE runtime SA database.

isakmp enable

Enables ISAKMP negotiation on the interface on which the IPsec peer communicates with the ASA.

show running-config isakmp

Displays all the active ISAKMP configuration.

show kernel

To display information that the Linux brctl utility provides that you can use for debugging, use the show kernel command in privileged EXEC mode.

show kernel [process | bridge | cgroup-controller | ifconfig | module]

 
Syntax Description

bridge

Displays tap bridges.

cgroup-controller

Displays the cgroup-controller statistics.

ifconfig

Displays the tap and bridge interface statistics.

module

Displays the modules that are installed and running.

process

Displays the current status of the active kernel processes running on the ASA.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.0(2)

This command was introduced.

8.4(1)

The cgroup-controller keyword was added.

8.6(1)

The ifconfig , module , and bridge keywords were added.

 
Usage Guidelines

This command displays statistics for the various processes running on the kernel.

Examples

The following example displays output from the show kernel process command:

ciscoasa# show kernel process
 
PID PPID PRI NI VSIZE RSS WCHAN STAT RUNTIME COMMAND
1 0 16 0 991232 268 3725684979 S 78 init
2 1 34 19 0 0 3725694381 S 0 ksoftirqd/0
3 1 10 -5 0 0 3725736671 S 0 events/0
4 1 20 -5 0 0 3725736671 S 0 khelper
5 1 20 -5 0 0 3725736671 S 0 kthread
7 5 10 -5 0 0 3725736671 S 0 kblockd/0
8 5 20 -5 0 0 3726794334 S 0 kseriod
66 5 20 0 0 0 3725811768 S 0 pdflush
67 5 15 0 0 0 3725811768 S 0 pdflush
68 1 15 0 0 0 3725824451 S 2 kswapd0
69 5 20 -5 0 0 3725736671 S 0 aio/0
171 1 16 0 991232 80 3725684979 S 0 init
172 171 19 0 983040 268 3725684979 S 0 rcS
201 172 21 0 1351680 344 3725712932 S 0 lina_monitor
202 201 16 0 1017602048 899932 3725716348 S 212 lina
203 202 16 0 1017602048 899932 0 S 0 lina
204 203 15 0 1017602048 899932 0 S 0 lina
205 203 15 0 1017602048 899932 3725712932 S 6 lina
206 203 25 0 1017602048 899932 0 R 13069390 lina
ciscoasa#
 

Table 9-1 shows each field description.

 

Table 9-1 show kernel process Fields

Field
Description

PID

The process ID.

PPID

The parent process ID.

PRI

The priority of the process.

NI

The nice value, which is used in priority computation. The values range from 19 (nicest) to -19 (not nice to others),

VSIZE

The virtual memory size in bytes.

RSS

The resident set size of the process, in kilobytes.

WCHAN

The channel in which the process is waiting.

STAT

The state of the process:

  • R—Running
  • S—Sleeping in an interruptible wait
  • D—Waiting in an uninterruptible disk sleep
  • Z—zombie
  • T—Traced or stopped (on a signal)
  • P—Paging

RUNTIME

The number of jiffies that the process has been scheduled in user mode and kernel mode. The runtime is the sum of utime and stime.

COMMAND

The process name.

The following example displays output from the show kernel module command:

ciscoasa# show kernel module
 
Module Size Used by Tainted: P
cpp_base 861808 2
kvm_intel 44104 8
kvm 174304 1 kvm_intel
msrif 4180 0
tscsync 3852 0
 

The following example displays output for the show kernel ifconfig commands:

ciscoasa# show kernel ifconfig

br0 Link encap:Ethernet HWaddr 42:9E:B8:6C:1F:23
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:43 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1708 (1.6 KiB) TX bytes:0 (0.0 B)
 
br1 Link encap:Ethernet HWaddr 6A:03:EC:BA:89:26
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
 
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.255.255.255
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
 
tap0 Link encap:Ethernet HWaddr 6A:0C:48:32:FE:F4
inet addr:127.0.2.2 Bcast:127.255.255.255 Mask:255.0.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:148 errors:0 dropped:0 overruns:0 frame:0
TX packets:186 errors:0 dropped:13 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:10320 (10.0 KiB) TX bytes:12452 (12.1 KiB)
 
tap1 Link encap:Ethernet HWaddr 8E:E7:61:CF:E9:BD
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:259 errors:0 dropped:0 overruns:0 frame:0
TX packets:187 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:19368 (18.9 KiB) TX bytes:14638 (14.2 KiB)
 
tap2 Link encap:Ethernet HWaddr 6A:03:EC:BA:89:26
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
 
tap3 Link encap:Ethernet HWaddr 42:9E:B8:6C:1F:23
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:187 errors:0 dropped:0 overruns:0 frame:0
TX packets:256 errors:0 dropped:3 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:14638 (14.2 KiB) TX bytes:19202 (18.7 KiB)
 
tap4 Link encap:Ethernet HWaddr 6A:5C:60:BC:9C:ED
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
 

 
Related Commands

Command
Description

show module

Shows information about the installed modules in the ASA.

show kernel bridge

To display the Linux bridges, their member ports, and MAC addresses that have been learned at each port that you can use for debugging, use the show kernel bridge command in privileged EXEC mode.

show kernel bridge [ mac-address bridge name ]

 
Syntax Description

bridge name

Displays the bridge name.

mac-address

Displays the MAC address associated with each port.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.6(1)

This command was introduced.

 
Usage Guidelines

This command shows the Linux bridges, their member ports, and the MAC addresses that have been learned at each port (including remote MAC addresses) that you can use for debugging.

Examples

The following example displays output from the show kernel bridge command:

ciscoasa# show kernel bridge
 
bridge name bridge id STP enabled interfaces
br0 8000.0e3cd8a8909f no tap1
tap3
br1 8000.26d29f51a490 no tap2
tap4
tap5hostname#
 

The following example displays output from the show kernel bridge mac-address command:

ciscoasa# show kernel bridge mac-address br1
 
port no mac addr is local? ageing timer
1 00:21:d8:cb:dc:f7 no 12.93
3 00:22:bd:d8:7d:da no 12.93
2 26:d2:9f:51:a4:90 yes 0.00
1 4e:a4:e0:73:1f:ab yes 0.00
3 52:04:38:3d:79:c0 yes 0.00
 

 
Related Commands

Command
Description

show kernel

Shows information about the installed modules in the ASA.

show lacp

To display EtherChannel LACP information such as traffic statistics, system identifier, and neighbor details, enter this command in privileged EXEC mode.

show lacp {[ channel_group_number ] { counters | internal | neighbor } | sys-id }

 
Syntax Description

channel_group_number

(Optional) Specifies the EtherChannel channel group number, between 1 and 48, and only shows information about this channel group.

counters

Shows counters for the number of LACPDUs and markers sent and received.

internal

Shows internal information.

neighbor

Shows neighbor information.

sys-id

Shows the LACP system ID.

 
Command Default

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes

  • Yes

 
Command History

Release
Modification

8.4(1)

We introduced this command.

Examples

The following is sample output from the show lacp sys-id command:

ciscoasa# show lacp sys-id
32768,001c.c4e5.cfee
 

The following is sample output from the show lacp counters command:

ciscoasa# show lacp counters
 
LACPDUs Marker Marker Response LACPDUs
Port Sent Recv Sent Recv Sent Recv Pkts Err
---------------------------------------------------------------------
Channel group: 1
Gi3/1 736 728 0 0 0 0 0
Gi3/2 739 730 0 0 0 0 0
Gi3/3 739 732 0 0 0 0 0
 

The following is sample output from the show lacp internal command:

ciscoasa# show lacp internal
 
Flags: S - Device is requesting Slow LACPDUs
F - Device is requesting Fast LACPDUs
A - Device is in Active mode P - Device is in Passive mode
 
Channel group 1
LACP port Admin Oper Port Port
Port Flags State Priority Key Key Number State
-----------------------------------------------------------------------------
Gi3/1 SA bndl 32768 0x1 0x1 0x302 0x3d
Gi3/2 SA bndl 32768 0x1 0x1 0x303 0x3d
Gi3/3 SA bndl 32768 0x1 0x1 0x304 0x3d
 

The following is sample output from the show lacp neighbor command:

ciscoasa# show lacp neighbor
 
Flags: S - Device is requesting Slow LACPDUs
F - Device is requesting Fast LACPDUs
A - Device is in Active mode P - Device is in Passive mode
 
Channel group 1 neighbors
 
Partner's information:
Partner Partner LACP Partner Partner Partner Partner Partner
Port Flags State Port Priority Admin Key Oper Key Port Number Port State
-----------------------------------------------------------------------------------
Gi3/1 SA bndl 32768 0x0 0x1 0x306 0x3d
Gi3/2 SA bndl 32768 0x0 0x1 0x303 0x3d
Gi3/3 SA bndl 32768 0x0 0x1 0x302 0x3d
 

 
Related Commands

Command
Description

channel-group

Adds an interface to an EtherChannel.

interface port-channel

Configures an EtherChannel.

lacp max-bundle

Specifies the maximum number of active interfaces allowed in the channel group.

lacp port-priority

Sets the priority for a physical interface in the channel group.

lacp system-priority

Sets the LACP system priority.

port-channel load-balance

Configures the load-balancing algorithm.

port-channel min-bundle

Specifies the minimum number of active interfaces required for the port-channel interface to become active.

show port-channel

Displays EtherChannel information in a detailed and one-line summary form. This command also displays the port and port-channel information.

show port-channel load-balance

Displays port-channel load-balance information along with the hash result and member interface selected for a given set of parameters.

show lacp cluster

To show the cLACP system MAC and ID, use the show lacp cluster command in privileged EXEC mode.

show lacp cluster { system-mac | system-id }

 
Syntax Description

system-mac

Shows the system ID and whether it was auto-generated or entered manually.

system-id

Shows the system ID and priority.

 
Command Default

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes

  • Yes

 
Command History

Release
Modification

9.0(1)

We introduced this command.

 
Usage Guidelines

Set the cLACP system ID and priority using the clacp system-mac command.

Examples

The following is sample output from the show lacp cluster system-mac command:

ciscoasa(cfg-cluster)# show lacp cluster system-mac
lacp cluster system MAC is automatically generated: a300.010a.010a.
 

The following is sample output from the show lacp cluster system-id command:

ciscoasa(cfg-cluster)# show lacp cluster system-id
5 ,a300.010a.010a

 
Related Commands

Command
Description

clacp system-mac

Sets the cLACP system ID and priority.

show local-host

To display the network states of local hosts, use the show local-host command in privileged EXEC mode.

show local-host | include interface [ ip_address ] [ detail ] [ all ][ brief ] [ connection { tcp start [- end ] | udp start [- end ] | embryonic start [- end ]}]

 
Syntax Description

all

(Optional) Includes local hosts connecting to the ASA and from the ASA.

brief

(Optional) Displays brief information on local hosts.

connection

(Optional) Displays three types of filters based on the number and type of connections: TCP, UDP and embryonic. These filters can be used individually or jointly.

detail

(Optional) Displays the detailed network states of local host information, including more information about active xlates and network connections.

include interface

Specifies the IP addresses being used on each interface.

ip_address

(Optional) Specifies the local host IP address.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.2(1)

For models with host limits, this command now shows which interface is considered to be the outside interface.

7.2(4)

Two new options, connection and brief , were added to the show local-host command so that the output is filtered by the number of connections for the inside hosts.

9.1(2)

The Smart Call Home information sent to Cisco for telemetry-based alerts from the show local-host command has been changed to the show local-host | include interface command.

 
Usage Guidelines

The show local-host command lets you display the network states of local hosts. A local-host is created for any host that forwards traffic to, or through, the ASA.

This command lets you show the translation and connection slots for the local hosts. This command provides information for hosts that are configured with the nat 0 access-list command when normal translation and connection states may not apply.

This command also displays the connection limit values. If a connection limit is not set, the value displays as 0 and the limit is not applied.

For models with host limits, In routed mode, hosts on the inside (Work and Home zones) count towards the limit only when they communicate with the outside (Internet zone). Internet hosts are not counted towards the limit. Hosts that initiate traffic between Work and Home are also not counted towards the limit. The interface associated with the default route is considered to be the Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit.

In the event of a SYN attack (with TCP intercept configured), the show local-host command output includes the number of intercepted connections in the usage count. This field typically displays only full open connections.

In the show local-host command output, the TCP embryonic count to host counter is used when a maximum embryonic limit (TCP intercept watermark) is configured for a host using a static connection. This counter shows the total embryonic connections to the host from other hosts. If this total exceeds the maximum configured limit, TCP intercept is applied to new connections to the host.

Examples

The following is sample output from the show local-host command:

ciscoasa# show local-host
Interface inside: 0 active, 0 maximum active, 0 denied
Interface outside: 1 active, 2 maximum active, 0 denied
 

The following is sample output from the show local-host command on an ASA with host limits:

ciscoasa# show local-host
Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.
 
Current host count: 3, towards licensed host limit of: 50
 
Interface inside: 1 active, 1 maximum active, 0 denied
Interface outside: 0 active, 0 maximum active, 0 denied
 

The following is sample output from the show local-host command on an ASA with host limits. But without a default route, the host limits apply to all interfaces. The default route interface might not be detected if the default route or the interface that the route uses is down.

ciscoasa# show local-host
Unable to determine Internet interface from default route. Host limit applied to all interfaces.
 
Current host count: 3, towards licensed host limit of: 50
 
Interface c1in: 1 active, 1 maximum active, 0 denied
Interface c1out: 0 active, 0 maximum active, 0 denied
 

The following is sample output from the show local-host command on an ASA with unlimited hosts:

ciscoasa# show local-host
Licensed host limit: Unlimited
 
Interface c1in: 1 active, 1 maximum active, 0 denied
Interface c1out: 0 active, 0 maximum active, 0 denied
 

The following examples show the network states of local hosts:

ciscoasa# show local-host all
Interface outside: 1 active, 2 maximum active, 0 denied
local host: <11.0.0.4>,
TCP flow count/limit = 0/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Conn:
105 out 11.0.0.4 in 11.0.0.3 idle 0:01:42 bytes 4464
105 out 11.0.0.4 in 11.0.0.3 idle 0:01:44 bytes 4464
Interface inside: 1 active, 2 maximum active, 0 denied
local host: <17.3.8.2>,
TCP flow count/limit = 0/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Conn:
105 out 17.3.8.2 in 17.3.8.1 idle 0:01:42 bytes 4464
105 out 17.3.8.2 in 17.3.8.1 idle 0:01:44 bytes 4464
Interface NP Identity Ifc: 2 active, 4 maximum active, 0 denied
local host: <11.0.0.3>,
TCP flow count/limit = 0/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Conn:
105 out 11.0.0.4 in 11.0.0.3 idle 0:01:44 bytes 4464
105 out 11.0.0.4 in 11.0.0.3 idle 0:01:42 bytes 4464
local host: <17.3.8.1>,
TCP flow count/limit = 0/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Conn:
105 out 17.3.8.2 in 17.3.8.1 idle 0:01:44 bytes 4464
105 out 17.3.8.2 in 17.3.8.1 idle 0:01:42 bytes 4464
 
ciscoasa# show local-host 10.1.1.91
Interface third: 0 active, 0 maximum active, 0 denied
Interface inside: 1 active, 1 maximum active, 0 denied
local host: <10.1.1.91>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to (from) host = 0 (0)
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
 
Xlate:
PAT Global 192.150.49.1(1024) Local 10.1.1.91(4984)
 
Conn:
TCP out 192.150.49.10:21 in 10.1.1.91:4984 idle 0:00:07 bytes 75 flags UI Interface
outside: 1 active, 1 maximum active, 0 denied
 
ciscoasa# show local-host 10.1.1.91 detail
Interface third: 0 active, 0 maximum active, 0 denied
Interface inside: 1 active, 1 maximum active, 0 denied
local host: <10.1.1.91>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to (from) host = 0 (0)
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
 
Xlate:
TCP PAT from inside:10.1.1.91/4984 to outside:192.150.49.1/1024 flags ri
 
Conn:
TCP outside:192.150.49.10/21 inside:10.1.1.91/4984 flags UI Interface outside: 1 active, 1 maximum active, 0 denied
 
The following example shows all hosts who have at least four UDP connections and have between one to 10 TCP connections at the same time:
 
ciscoasa# show local-host connection udp 4 tcp 1-10
Interface mng: 0 active, 3 maximum active, 0 denied
Interface INSIDE: 4 active, 5 maximum active, 0 denied
local host: <10.1.1.11>,
TCP flow count/limit = 1/unlimited TCP embryonic count to host = 0 TCP intercept watermark = unlimited UDP flow count/limit = 4/unlimited
Xlate:
Global 192.168.1.24 Local 10.1.1.11 Conn: UDP out 192.168.1.10:80 in 10.1.1.11:1730 idle 0:00:21 bytes 0 flags - UDP out 192.168.1.10:80 in 10.1.1.11:1729 idle 0:00:22 bytes 0 flags - UDP out 192.168.1.10:80 in 10.1.1.11:1728 idle 0:00:23 bytes 0 flags - UDP out 192.168.1.10:80 in 10.1.1.11:1727 idle 0:00:24 bytes 0 flags - TCP out 192.168.1.10:22 in 10.1.1.11:27337 idle 0:01:55 bytes 2641 flags UIO Interface OUTSIDE: 3 active, 5 maximum active, 0 denied
 

The following example shows local-host addresses and connection counters using the brief option:

ciscoasa# show local-host connection udp 2
Interface mng: 0 active, 3 maximum active, 0 denied
Interface INSIDE: 4 active, 5 maximum active, 0 denied
local host: <10.1.1.11>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited UDP flow count/limit = 4/unlimited
Interface OUTSIDE: 3 active, 5 maximum active, 0 denied
 

The following examples shows the output when using the brief and connection options:

ciscoasa# show local-host brief
Interface inside: 1 active, 1 maximum active, 0 denied
Interface outside: 1 active, 1 maximum active, 0 denied
Interface mgmt: 5 active, 6 maximum active, 0 denied
 
ciscoasa# show local-host connection
Interface inside: 1 active, 1 maximum active, 0 denied
Interface outside: 1 active, 1 maximum active, 0 denied
Interface mgmt: 5 active, 6 maximum active, 0 denied

 
Related Commands

Command
Description

clear local-host

Releases network connections from local hosts displayed by the show local-host command.

nat

Associates a network with a pool of global IP addresses.

show logging

To show the logs in the buffer or other logging settings, use the show logging command in privileged EXEC mode.

show logging [ message [ syslog_id | all ] | asdm | queue | setting ]

 
Syntax Description

all

(Optional) Displays all syslog message IDs, along with whether they are enabled or disabled.

asdm

(Optional) Displays ASDM logging buffer content.

message

(Optional) Displays messages that are at a non-default level. See the logging message command to set the message level.

queue

(Optional) Displays the syslog message queue.

setting

(Optional) Displays the logging setting, without displaying the logging buffer.

syslog_id

(Optional) Specifies a message number to display.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command.

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

8.0(2)

Indicates whether a syslog server is configured to use an SSL/TLS connection.

8.4(1)

For the show logging command, the output includes an enry for the current state of the audit block.

 
Usage Guidelines

If the logging buffered command is in use, the show logging command without any keywords shows the current message buffer and the current settings.

The show logging queue command allows you to display the following:

  • Number of messages that are in the queue
  • Highest number of messages recorded that are in the queue
  • Number of messages that are discarded because block memory was not available to process them
  • Separate queues for traps and other syslog messages

Note Zero is an acceptable number for the configured queue size and represents the maximum queue size allowed. The output for the show logging queue command will display the actual queue size if the configured queue size is zero.


Examples

The following is sample output from the show logging command:

ciscoasa(config)# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging:disabled
Debug-trace logging: disabled
Console logging: level informational, 3962 messages logged
Monitor logging: disabled
Buffer logging: disabled
Trap logging: level informational, facility 20, 20549 messages logged
Logging to inside 10.2.5.3 tcp/50001 connected
Permit-hostdown state
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
 

NoteValid values ofstate are enabled, disabled, disabled-blocking, and disabled-not blocking.


The following is sample output from the show logging command with a secure syslog server configured:

ciscoasa(config)# logging host inside 10.0.0.1 TCP/1500 secure
ciscoasa(config)# show logging
Syslog logging: disabled
Facility:
Timestamp logging: disabled
Deny Conn when Queue Full: disabled
Console logging: level debugging, 135 messages logged
Monitor logging: disabled
Buffer logging: disabled
Trap logging: list show _syslog, facility, 20, 21 messages logged
Logging to inside 10.0.0.1 tcp/1500 SECURE
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging disabled
 
 

The following is sample output from the show logging queue command:

ciscoasa(config)# show logging queue
Logging Queue length limit: 512 msg(s)
0 msg(s) discarded due to queue overflow
0 msg(s) discarded due to memory allocation failure
Current 0 msgs on queue, 0 msgs most on queue
 

The following is sample output from the show logging message all command:

ciscoasa(config)# show logging message all
 
syslog 111111: default-level alerts (enabled)
syslog 101001: default-level alerts (enabled)
syslog 101002: default-level alerts (enabled)
syslog 101003: default-level alerts (enabled)
syslog 101004: default-level alerts (enabled)
syslog 101005: default-level alerts (enabled)
syslog 102001: default-level alerts (enabled)
syslog 103001: default-level alerts (enabled)
syslog 103002: default-level alerts (enabled)
syslog 103003: default-level alerts (enabled)
syslog 103004: default-level alerts (enabled)
syslog 103005: default-level alerts (enabled)
syslog 103011: default-level alerts (enabled)
syslog 103012: default-level informational (enabled)
 

 
Related Commands

Command
Description

logging asdm

Enables logging to ASDM

logging buffered

Enables logging to the buffer.

logging host

Defines a syslog server.

logging message

Sets the message level or disables messages.

logging queue

Configures the logging queue.

show logging flow-export-syslogs

To display all of the syslog messages whose information is also captured by NetFlow and that will be affected by the logging flow-export-syslogs enable | disable commands, use the show logging flow-export-syslogs command in privileged EXEC mode.

show logging flow-export-syslogs

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.1(1)

This command was introduced.

 
Usage Guidelines

After you enter the logging flow-export syslogs disable command, make sure that you know which syslog messages have been disabled. The disabled syslog messages are as follows:

 

Syslog Message
Description

106015

A TCP flow was denied because the first packet was not a SYN packet.

106023

A flow that is denied by an ingress ACL or an egress ACL that is attached to an interface through the access-group command.

106100

A flow that is permitted or denied by an ACL.

302013 and 302014

A TCP connection and deletion.

302015 and 302016

A UDP connection and deletion.

302017 and 302018

A GRE connection and deletion.

302020 and 302021

An ICMP connection and deletion.

313001

An ICMP packet to the ASA was denied.

313008

An ICMPv6 packet to the ASA was denied.

710003

An attempt to connect to the ASA was denied.

Examples

The following is sample output from the show logging flow-export-syslogs command, which lists the syslog messages that will be disabled:

ciscoasa(config)# show logging flow-export-syslogs
 
Syslog ID Type Status
302013 Flow Created Enabled
302015 Flow Created Enabled
302017 Flow Created Enabled
302020 Flow Created Enabled
302014 Flow Deleted Enabled
302016 Flow Deleted Enabled
302018 Flow Deleted Enabled
302021 Flow Deleted Enabled
106015 Flow Denied Enabled
106023 Flow Denied Enabled
313001 Flow Denied Enabled
313008 Flow Denied Enabled
710003 Flow Denied Enabled
106100 Flow Created/Denied Enabled
 

 
Related Commands

Commands
Description

flow-export destination interface-name ipv4-address | hostname udp-port

Specifies the IP address or hostname of the NetFlow collector, and the UDP port on which the NetFlow collector is listening.

flow-export template timeout-rate minutes

Controls the interval at which the template information is sent to the NetFlow collector.

logging flow-export-syslogs enable

Enables syslog messages after you have entered the logging flow-export-syslogs disable command, and the syslog messages that are associated with NetFlow data.

show flow-export counters

Displays a set of runtime counters for NetFlow.

show logging rate-limit

To display disallowed syslog messages, use the show logging rate-limit command in privileged EXEC mode.

show logging rate-limit

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

This command has no default settings.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

After the information is cleared, nothing more displays until the hosts reestablish their connections.

Examples

The following example shows sample output from the show logging rate-limit command:

ciscoasa(config)# show logging rate-limit
%ASA-7-710005: TCP request discarded from 171.69.39.0/2678 to management:10.89.130.244/443
%ASA-7-711002: Task ran for 27 msec, Process = ssm_mgmt_ifc_poll_thread, PC = 896fcac, Traceback =
%ASA-7-711002: Task ran for 27 msec, Process = ssm_mgmt_ifc_poll_thread, PC = 896fcac, Traceback = 0x0807C0FA
%ASA-6-106015: Deny TCP (no connection) from 171.69.39.0/2685 to 10.89.130.244/443 flags FIN PSH ACK on interface management
%ASA-7-710005: TCP request discarded from 171.69.39.0/2685 to management:10.89.130.244/443
%ASA-6-302013: Built inbound TCP connection 2116 for management:171.69.39.0/2689 (171.69.39.0/2689) to identity:10.89.130.244/443 (10.89.130.244/443)
%ASA-6-725001: Starting SSL handshake with client management:171.69.39.0/2689 for TLSv1 session.
%ASA-6-725003: SSL client management:171.69.39.0/2689 request to resume previous session.
%ASA-6-725002: Device completed SSL handshake with client management:171.69.39.0/2689
%ASA-6-605005: Login permitted from 171.69.39.0/2689 to management:10.89.130.244/https for user "enable_15"
%ASA-5-111007: Begin configuration: 171.69.39.0 reading from http [POST]

 
Related Commands

Command
Description

show logging

Displays the enabled logging options.

show mac-address-table

To show the MAC address table, use the show mac-address-table command in privileged EXEC mode.

show mac-address-table [ interface_name | count | static ]

 
Syntax Description

count

(Optional) Lists the total number of dynamic and static entries.

interface_name

(Optional) Identifies the interface name for which you want to view MAC address table entries.

static

(Optional) Lists only static entries.

 
Defaults

If you do not specify an interface, all interface MAC address entries are shown.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

Examples

The following is sample output from the show mac-address-table command:

ciscoasa# show mac-address-table
interface mac address type Time Left
-----------------------------------------------------------------------
outside 0009.7cbe.2100 static -
inside 0010.7cbe.6101 static -
inside 0009.7cbe.5101 dynamic 10
 

The following is sample output from the show mac-address-table command for the inside interface:

ciscoasa# show mac-address-table inside
interface mac address type Time Left
-----------------------------------------------------------------------
inside 0010.7cbe.6101 static -
inside 0009.7cbe.5101 dynamic 10
 

The following is sample output from the show mac-address-table count command:

ciscoasa# show mac-address-table count
Static mac-address bridges (curr/max): 0/65535
Dynamic mac-address bridges (curr/max): 103/65535

 
Related Commands

Command
Description

firewall transparent

Sets the firewall mode to transparent.

mac-address-table aging-time

Sets the timeout for dynamic MAC address entries.

mac-address-table static

Adds a static MAC address entry to the MAC address table.

mac-learn

Disables MAC address learning.

show management-access

To display the name of the internal interface configured for management access, use the show management-access command in privileged EXEC mode.

show management-access

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

The management-access command lets you define an internal management interface using the IP address of the firewall interface specified in mgmt_if . (The interface names are defined by the nameif command and displayed in quotes, “ ”, in the output of the show interface command.)

Examples

The following example shows how to configure a firewall interface named “inside” as the management access interface and display the result:

ciscoasa(config)# management-access inside
ciscoasa(config)# show management-access
management-access inside

 
Related Commands

Command
Description

clear configure management-access

Removes the configuration of an internal interface for management access of the ASA.

management-access

Configures an internal interface for management access.

show mdm-proxy sessions

To display current, active MDM Proxy sessions.

show mdm-proxy sessions [checkin | enrollment]

 
Syntax Description

Specifying only checkin displays only checkin session, specifying only enrollment displays only enrolled sessions.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

9.3(1)

This command was introduced.

 
Related Commands

Command
Description

mdm-proxy

Enter config-mdm-proxy mode to configure the MDM proxy service.

show mdm-proxy statistics

To display MDM Proxy service statistics.

show mdm-proxy statistics

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

9.3(1)

This command was introduced.

Examples

ciscoasa (config)# show mdm-proxy statistics<cr>
 
MDM proxy statistics:
=====================
Total number of successful MDM enrollments: 1230
Number of active MDM enrollments: 10
Maximum number of simultaneously active MDM enrollments: 90
Minimum duration of an MDM enrollment: 4 seconds
Maximum duration of an MDM enrollment: 25 seconds
Total number of failed MDM enrollments due to authentication failure: 23
Total number of failed MDM enrollments due to SCEP enrollment failure: 28.
Total number of failed MDM enrollments: 61
Total number of successful MDM check-ins: 3167
Number of active MDM check-ins: 26
Maximum number of simultaneously active MDM check-ins: 316
Minimum duration of an MDM check-in: 3 seconds
Maximum duration of an MDM check-in: 21 seconds
Total number of failed MDM check-ins: 118

 
Related Commands

Command
Description

clear mdm-proxy statistics

Clear MDM proxy counters, setting them to zero.

mdm-proxy

Enter config-mdm-proxy mode to configure the MDM proxy service.

show memory

To display a summary of the maximum physical memory and current free memory available to the operating system, use the show memory command in privileged EXEC mode.

[ cluster exec ] show memory [ detail ]

 
Syntax Description

cluster exec

(Optional) In a clustering environment, enables you to issue the show memory command in one unit and run the command in all the other units at the same time.

detail

(Optional) Displays a detailed view of free and allocated system memory.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

9.0(1)

The cluster exec option was added.

9.2(1)

Virtual machine (VMs) statistics were added to the output to support the ASAv.

 
Usage Guidelines

The show memory command lets you display a summary of the maximum physical memory and current free memory available to the operating system. Memory is allocated as needed.

You can also display the information from the show memory command using SNMP.

You can use the show memory detail output with the show memory binsize command to debug memory leaks.

The show memory detail command output can be broken down into three sections: Summary, DMA Memory, and HEAP Memory. The summary displays how the total memory is allocated. Memory that is not tied to DMA or reserved is considered the HEAP. The Free Memory value is the unused memory in the HEAP. The Allocated memory in use value is how much of the HEAP has been allocated. The breakdown of HEAP allocation is displayed later in the output. Reserved memory and DMA Reserved memory are used by different system processes and primarily VPN services.

Values displayed in the allocated memory statistics total (bytes) column do not reflect real values (MEMPOOL_GLOBAL_SHARED POOL STATS) in the show memory detail command output.

The output shows that the block of size 49,152 was allocated then returned to the free pool, and another block of size 131,072 was allocated. In this case, you would think that free memory decreased by 131,072-49,152=81,920 bytes, but it actually decreased by 100,000 bytes (see the Free memory line).

ciscoasa# show memory detail
 
MEMPOOL_GLOBAL_SHARED POOL STATS: MEMPOOL_GLOBAL_SHARED POOL STATS:
 
Non-mmapped bytes allocated = 1862270976 Non-mmapped bytes allocated = 1862270976
Number of free chunks = 99 Number of free chunks = 100
Number of mmapped regions = 0 Number of mmapped regions = 0
Mmapped bytes allocated = 0 Mmapped bytes allocated = 0
Max memory footprint = 1862270976 Max memory footprint = 1862270976
Keepcost = 1762019304 Keepcost = 1761869256
Max contiguous free mem = 1762019304 Max contiguous free mem = 1761869256
Allocated memory in use = 100133944 Allocated memory in use = 100233944
Free memory = 1762137032 Free memory = 1762037032
 
 
----- fragmented memory statistics ----- ----- fragmented memory statistics -----
 
fragment size count total fragment size count total
(bytes) (bytes) (bytes) (bytes)
---------------- ---------- -------------- ---------------- ---------- --------------
32768 1 33176 32768 1 33176
49152 1 50048
1762019304 1 1762019304* 1761869256 1 1761869256*
 
 
----- allocated memory statistics ----- ----- allocated memory statistics -----
 
fragment size count total fragment size count total
(bytes) (bytes) (bytes) (bytes)
---------------- ---------- -------------- ---------------- ---------- --------------
49152 10 491520 49152 9 442368
65536 125 8192000 65536 125 8192000
98304 3 294912 98304 3 294912
131072 18 2359296 131072 19 2490368
 

The following output confirms that a block of size 150,000 was allocated, instead of 131,072:

ciscoasa# show memory binsize 131072
MEMPOOL_DMA pool bin stats:
MEMPOOL_GLOBAL_SHARED pool bin stats:
pc = 0x8eda524, size = 150000 , count = 1
pc = 0x8f08054, size = 163904 , count = 1
pc = 0x846e477, size = 139264 , count = 1
pc = 0x8068691, size = 393216 , count = 3
pc = 0x8eea09b, size = 131072 , count = 1
pc = 0x88ca830, size = 141212 , count = 1
pc = 0x9589e93, size = 593580 , count = 4
pc = 0x9589bd2, size = 616004 , count = 4
pc = 0x8f2e060, size = 327808 , count = 2
pc = 0x8068284, size = 182000 , count = 1
 
0x8eda524 <logger_buffer_init_int+148 at syslog/main.c:403>
 

The approximate number of total bytes shown in the show memory detail command output is by design. There are two reasons for this:

  • For each fragment size, if you had to get the sum of all fragments, a performance impact would occur because there can be very large number of allocations for a single fragment size and to get the accurate value, you need to walk over thousands of chunks.
  • For each binsize, you need to walk through the doubly linked list of allocations and there could be many allocations. In this case, you cannot hog the CPU for an extended period and would need to suspend allocations periodically. After you resume allocations, other processes may have allocated or deallocated memory and memory states may have changed. As a result, the total bytes column gives an approximate value instead of the real value.

Examples

The following is sample output from the show memory command:

ciscoasa# show memory
Free memory: 845044716 bytes (79%)
Used memory: 228697108 bytes (21%)
------------- ----------------
Total memory: 1073741824 bytes (100%)
 

The following is sample output from the show memory detail command:

ciscoasa# show memory detail
Free memory heap: 2473071872 bytes (xx%)
----------------------------------------------------
Total memory: 268435456 bytes (100%)
Dynamic Shared Objects(DSO): 0 bytes
DMA memory:
Unused memory: 3212128 bytes (8%)
Crypto reserved memory: 2646136 bytes (7%)
Crypto free: 1605536 bytes (4%)
Crypto used: 1040600 bytes (3%)
Block reserved memory: 33366816 bytes (85%)
Block free: 31867488 bytes (81%)
Block used: 1499328 bytes (4%)
Used memory: 178440 bytes (0%)
----------------------------------------------------
Total memory: 39403520 bytes (100%)
HEAP memory:
Free memory: 130546920 bytes (80%)
Used memory: 33030808 bytes (20%)
Init used memory by library: 4218752 bytes (3%)
Allocated memory: 28812056 bytes (18%)
----------------------------------------------------
Total memory: 163577728 bytes (100%)
 
Least free memory: 122963528 bytes (75%)
Most used memory: 40614200 bytes (25%)
 
----- fragmented memory statistics -----
 
fragment size count total
(bytes) (bytes)
---------------- ---------- --------------
16 113 1808
 
<More>
 

The following is sample output from the show memory command on the ASA 5525 after enabling the jumbo-frame reservation command and issuing the write memory command and the reload command:

ciscoasa# show memory
Free memory: 3008918624 bytes (70%)
Used memory: 1286048672 bytes (30%)
------------- ----------------------
Total memory: 4294967296 bytes (100%)
 

The following is sample output from the show memory command on the ASA 5525 without enabling the jumbo-frame reservation command:

ciscoasa# show memory
Free memory: 3318156400 bytes (77%)
Used memory: 976810896 bytes (23%)
------------- ------------------
Total memory: 4294967296 bytes (100%)
 

The following is sample output from the show memory command on the ASA 5515 after enabling the jumbo-frame reservation command:

ciscoasa# show memory
Free memory: 3276619472 bytes (76%)
Used memory: 1018347824 bytes (24%)
------------- ------------------
Total memory: 4294967296 bytes (100%)
 

The following is sample output from the show memory command on the ASA 5515 without enabling the jumbo-frame reservation command:

ciscoasa# show memory
Free memory: 3481145472 bytes (81%)
Used memory: 813821824 bytes (19%)
------------- ------------------
Total memory: 4294967296 bytes (100%)
 

The following is sample output from the show memory command on the ASA 5585 after enabling the jumbo-frame reservation command:

ciscoasa# show memory
Free memory: 8883297824 bytes (69%)
Used memory: 4001604064 bytes (31%)
------------- ------------------
Total memory: 12884901888 bytes (100%)
 

The following is sample output from the show memory command on the ASA 5585 without enabling the jumbo-frame reservation command:

ciscoasa# show memory
Free memory: 9872205104 bytes (77%)
Used memory: 3012696784 bytes (23%)
------------- ------------------
Total memory: 12884901888 bytes (100%)
 

The following is sample output from the show memory command on the ASA 5520, which does not support the jumbo-frame command:

ciscoasa# show memory
ree memory: 206128232 bytes (38%)
Used memory: 330742680 bytes (62%)
------------- -----------------
Total memory: 536870912 bytes (100%)
 

The following is sample output from the show memory command on the ASA 5505, which does not support the jumbo-frame command:

ciscoasa# show memory
Free memory: 48457848 bytes (18%)
Used memory: 219977608 bytes (82%)
------------- -----------------
Total memory: 268435456 bytes (100%
 
The following is sample output from the show memory command on the ASAv:
 
Free memory: 2694133440 bytes (63%)
Used memory: 1600833856 bytes (37%)
------------- ------------------
Total memory: 4294967296 bytes (100%)
 
Virtual platform memory
-----------------------
Provisioned 4096 MB
Allowed 4096 MB
Status Compliant
 

 
Related Commands

Command
Description

show memory profile

Displays information about the memory usage (profiling) of the ASA.

show memory binsize

Displays summary information about the chunks allocated for a specific bin size.

show memory api

To display the malloc stack APIs that are registered in the system , use the show memory api command in privileged EXEC mode.

show memory api

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

This command displays the malloc stack APIs that are registered in the system.

If any of the memory debugging features are turned on (that is, delay-free-poisoner, memory tracker, or memory profiler), their APIs appear in the show memory api command output.

Examples

This following is sample output from the show memory api command:

ciscoasa# show memory api
Resource Manager (0) ->
Tracking (0) ->
Delayed-free-poisoner (0) ->
Core malloc package (0)
 

 
Related Commands

Command
Description

show memory profile

Displays information about the memory usage (profiling) of the ASA.

show memory binsize

Displays summary information about the chunks allocated for a specific bin size.

show memory app-cache

To observe memory usage by application, use the show memory app-cache command in privileged EXEC mode.

show memory app-cache [threat-detection | host | flow | tcb | http | access-list] [detail]

 
Syntax Descriptionshow memory app-cache [threat-detection | host | flow | tcb | http | access-list] [detail]

access-list

(Optional) Shows the application level memory cache for access lists.

detail

(Optional) Shows a detailed view of free and allocated system memory.

flow

(Optional) Shows the application level memory cache for flows.

host

(Optional) Shows application level memory cache for hosts.

http

(Optional) Shows application level memory cache for HTTP.

tcb

(Optional) Shows application level memory cache for TCB.

threat-detection

(Optional) Shows application level memory cache for threat detection.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.0(1)

This command was introduced.

8.1(1)

The access-list and http options were added.

 
Usage Guidelines

This command enables you to observe memory usage by application.

Examples

The following is sample output from the show memory app-cache threat-detection command:

ciscoasa(config)# show memory app-cache threat-detection
LIMIT COUNT ALLOC FAILED BYTES USED
TOTAL 1350 460 115167 0 130926168
 

The following is sample output from the show memory app-cache threat-detection detail command:

ciscoasa(config)# show memory app-cache threat-detection detail
CACHE NAME LIMIT COUNT ALLOC FAILED BYTES USED
TD ACE stats 50 0 2 0 1936
TD Host/Port counte 100 0 2 0 48
TD Host/Port counte 100 0 2 0 48
TD Host/Port counte 100 0 2 0 48
TD Host/Port counte 100 0 2 0 48
TD Host stats 50 50 16120 0 116515360
TD Subnet stats 50 2 113 0 207016
TD Host/Port counte 100 100 24618 0 3544992
TD Host/Port counte 100 100 24618 0 3544992
TD Host/Port counte 100 100 24618 0 3544992
TD Host/Port counte 100 100 24618 0 3544992
TD Host/Port counte 100 2 113 0 5424
TD Host/Port counte 100 2 113 0 5424
TD Host/Port counte 100 2 113 0 5424
TD Host/Port counte 100 2 113 0 5424
 
LIMIT COUNT ALLOC FAILED BYTES USED
TOTAL 1350 460 115167 0 130926168
 

The following is sample output from the show memory app-cache host detail command:

ciscoasa(config)# show memory app-cache host detail
CACHE NAME LIMIT COUNT ALLOC FAILED BYTES USED
SNP Host Core 0 1000 1000 5116 0 961808
SNP Host Core 1 1000 1000 4968 0 933984
SNP Host Core 2 1000 1000 5413 0 1017644
SNP Host Core 3 1000 1000 4573 0 859724
 
LIMIT COUNT ALLOC FAILED BYTES USED
TOTAL 4000 4000 20070 0 3773160
 

The following is sample output from the show memory app-cache flow detail command:

ciscoasa(config)# show memory app-cache flow detail
CACHE NAME LIMIT COUNT ALLOC FAILED BYTES USED
SNP Conn Core 0 1000 1000 893 0 639388
SNP Conn Core 1 1000 948 980 0 701680
SNP Conn Core 2 1000 1000 1175 0 841300
SNP Conn Core 3 1000 1000 901 0 645116
 
LIMIT COUNT ALLOC FAILED BYTES USED
TOTAL 4000 3948 3949 0 2827484
 

The following is sample output from the show memory app-cache access-list detail command:

ciscoasa(config)# show memory app-cache access-list detail
CACHE NAME LIMIT COUNT ALLOC FAILED BYTES USED
NP ACL log c Core 0 1000 0 1 0 68
NP ACL log c Core 1 1000 0 6 0 408
NP ACL log c Core 2 1000 0 19 0 1292
NP ACL log c Core 3 1000 0 0 0 0
NP ACL log f Core 0 1000 0 0 0 0
NP ACL log f Core 1 1000 0 0 0 0
NP ACL log f Core 2 1000 0 0 0 0
NP ACL log f Core 3 1000 0 0 0 0
 
LIMIT COUNT ALLOC FAILED BYTES USED
TOTAL 8000 0 26 0 1768
 

The following is sample output from the show memory app-cache http detail command:

ciscoasa(config)# show memory app-cache http detail
CACHE NAME LIMIT COUNT ALLOC FAILED BYTES USED
Inspect HTTP Core 0 1000 0 0 0 0
Inspect HTTP Core 1 1000 0 0 0 0
Inspect HTTP Core 2 1000 0 0 0 0
Inspect HTTP Core 3 1000 0 0 0 0
HTTP Result Core 0 1000 0 0 0 0
HTTP Result Core 1 1000 0 0 0 0
HTTP Result Core 2 1000 0 0 0 0
HTTP Result Core 3 1000 0 0 0 0
 
LIMIT COUNT ALLOC FAILED BYTES USED
TOTAL 8000 0 0 0 0
 

The following is sample output from the show memory app-cache tcb detail command:

ciscoasa(config)# show memory app-cache tcb detail
CACHE NAME LIMIT COUNT ALLOC FAILED BYTES USED
SNP TCB Core 0 1000 1000 968 0 197472
SNP TCB Core 1 1000 1000 694 0 141576
SNP TCB Core 2 1000 1000 1304 0 266016
SNP TCB Core 3 1000 1000 1034 0 210936
 
LIMIT COUNT ALLOC FAILED BYTES USED
TOTAL 4000 4000 4000 0 816000
 

 
Related Commands

Command
Description

show memory profile

Displays information about the memory usage (profiling) of the ASA.

show memory binsize

Displays summary information about the chunks allocated for a specific bin size.

show memory

Displays a summary of the maximum physical memory and current free memory available to the operating system.

show memory binsize

To display summary information about the chunks allocated for a specific bin size, use the show memory binsize command in privileged EXEC mode.

show memory binsize size

 
Syntax Description

size

Displays chunks (memory blocks) of a specific bin size. The bin size is from the "fragment size" column of the show memory detail command output.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.2(1)

This command was introduced.

 
Usage Guidelines

This command has no usage guidelines.

Examples

The following example displays summary information about a chunk allocated to a bin size of 500:

ciscoasa# show memory binsize 500
pc = 0x00b33657, size = 460 , count = 1

 
Related Commands

Command
Description

show memory-caller address

Displays the address ranges configured on the ASA.

show memory profile

Displays information about the memory usage (profiling) of the ASA.

show memory

Displays a summary of the maximum physical memory and current free memory available to the operating system.

show memory delayed-free-poisoner

To display a summary of the memory delayed-free-poisoner queue usage, use the show memory delayed-free-poisoner command in privileged EXEC mode.

show memory delayed-free-poisoner

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

Use the clear memory delayed-free-poisoner command to clear the queue and statistics.

Examples

This following is sample output from the show memory delayed-free-poisoner command:

ciscoasa# show memory delayed-free-poisoner
delayed-free-poisoner statistics:
3335600: memory held in queue
6095: current queue count
0: elements dequeued
3: frees ignored by size
1530: frees ignored by locking
27: successful validate runs
0: aborted validate runs
01:09:36: local time of last validate
 

Table 9-2 describes the significant fields in the show memory delayed-free-poisoner command output.

 

Table 9-2 show memory delayed-free-poisoner Command Output Descriptions

Field
Description

memory held in queue

The memory that is held in the delayed free-memory poisoner tool queue. Such memory is normally in the “Free” quantity in the show memory output if the delayed free-memory poisoner tool is not enabled.

current queue count

The number of elements in the queue.

elements dequeued

The number of elements that have been removed from the queue. This number begins to increase when most or all of the otherwise free memory in the system ends up in being held in the queue.

frees ignored by size

The number of free requests not placed into the queue because the request was too small to hold required tracking information.

frees ignored by locking

The number of free requests intercepted by the tool not placed into the queue because the memory is in use by more than one application. The last application to free the memory back to the system ends up placing such memory regions into the queue.

successful validate runs

The number of times since monitoring was enabled or cleared using the clear memory delayed-free-poisoner command that the queue contents were validated (either automatically or by the memory delayed-free-poisoner validate command).

aborted validate runs

The number of times since monitoring was enabled or cleared using the clear memory delayed-free-poisoner command that requests to check the queue contents have been aborted because more than one task (either the periodic run or a validate request from the CLI) attempted to use the queue at a time.

local time of last validate

The local system time when the last validate run completed.

 
Related Commands

Command
Description

clear memory delayed-free-poisoner

Clears the delayed free-memory poisoner tool queue and statistics.

memory delayed-free-poisoner enable

Enables the delayed free-memory poisoner tool.

memory delayed-free-poisoner validate

Forces validation of the elements in the delayed free-memory poisoner tool queue.

show memory profile

To display information about the memory usage (profiling) of the ASA, use the show memory profile command in privileged EXEC mode.

show memory profile [ peak ] [ detail | collated | status ]

 
Syntax Description

collated

(Optional) Collates the memory information displayed.

detail

(Optional) Displays detailed memory information.

peak

(Optional) Displays the peak capture buffer rather than the “in use” buffer.

status

(Optional) Displays the current state of memory profiling and the peak capture buffer.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes

  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

Use the show memory profile command to troubleshoot memory usage level and memory leaks. You can still see the profile buffer contents even if profiling has been stopped. Starting profiling clears the buffer automatically.


NoteThe ASA might experience a temporary reduction in performance when memory profiling is enabled.


Examples

The following is sample output from the show memory profile command:

ciscoasa# show memory profile
Range: start = 0x004018b4, end = 0x004169d0, increment = 00000004
Total = 0
 

The output of the show memory profile detail command is divided into six data columns and one header column, at the far left. The address of the memory bucket corresponding to the first data column is given at the header column (the hexidecimal number). The data itself is the number of bytes that is held by the text/code that falls in the bucket address. A period (.) in the data column means no memory is held by the text at this bucket. Other columns in the row correspond to the bucket address that is greater than the increment amount from the previous column. For example, the address bucket of the first data column in the first row is 0x001069e0. The address bucket of the second data column in the first row is 0x001069e4 and so on. Normally the header column address is the next bucket address; that is, the address of the last data column of the previous row plus the increment. All rows without any usage are suppressed. More than one such contiguous row can be suppressed, indicated with three periods at the header column (...).

The following is sample output from the show memory profile detail command:

ciscoasa# show memory profile detail
Range: start = 0x00100020, end = 0x00e006e0, increment = 00000004
Total = 48941152
...
0x001069e0 . 24462 . . . .
...
0x00106d88 . 1865870 . . . .
...
0x0010adf0 . 7788 . . . .
...
0x00113640 . . . . 433152 .
...
0x00116790 2480 . . . . .
<snip>
 

The following is sample output from the show memory profile collated command:

ciscoasa# show memory profile collated
Range: start = 0x00100020, end = 0x00e006e0, increment = 00000004
Total = 48941152
24462 0x001069e4
1865870 0x00106d8c
7788 0x0010adf4
433152 0x00113650
2480 0x00116790
<More>
 

The following is sample output from the show memory profile peak command, which shows the peak capture buffer:

ciscoasa# show memory profile peak
Range: start = 0x004018b4, end = 0x004169d0, increment = 00000004
Total = 102400
 

The following is sample output from the show memory profile peak detail command, which shows the peak capture buffer and the number of bytes that is held by the text/code that falls in the corresponding bucket address:

ciscoasa# show memory profile peak detail
Range: start = 0x004018b4, end = 0x004169d0, increment = 00000004
Total = 102400
...
0x00404c8c . . 102400 . . .
 

The following is sample output from the show memory profile status command, which shows the current state of memory profiling and the peak capture buffer:

ciscoasa# show memory profile status
InUse profiling: ON
Peak profiling: OFF
Memory used by profile buffers: 11518860 bytes
Profile:
0x00100020-0x00bfc3a8(00000004)
 

 
Related Commands

Command
Description

memory profile enable

Enables the monitoring of memory usage (memory profiling).

memory profile text

Configures a program text range of memory to profile.

clear memory profile

Clears the memory buffers held by the memory profiling function.

show memory top-usage

To display the top number of allocated fragment sizes from the show memory detail command, use the show memory top-usage command in privileged EXEC mode.

show memory top-usage [ num ]

 
Syntax Description

num

(Optional) Shows the number of bin sizes to list. Valid values are from 1-64.

 
Defaults

The default for num is 10.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes

  • Yes

 
Command History

Release
Modification

8.4(6)

This command was introduced.

 
Usage Guidelines

Use the show memory top-usage command to display the top number of allocated fragment sizes from the show memory detail command.

This command does not use clustering and does not need to be disabled when clustering is enabled.

Examples

The following is sample output from the show memory top-usage command:

ciscoasa# show memory top-usage 3
MEMPOOL_DMA pool binsize allocated byte totals:
 
----- allocated memory statistics -----
 
fragment size count total
(bytes) (bytes)
---------------- ---------- --------------
1572864 9 14155776
12582912 1 12582912
6291456 1 6291456
 
----- Binsize PC top usage -----
 
Binsize: 1572864 total (bytes): 14155776
 
pc = 0x805a870, size = 16422399 , count = 9
 
Binsize: 12582912 total (bytes): 12582912
 
pc = 0x805a870, size = 12960071 , count = 1
 
Binsize: 6291456 total (bytes): 6291456
 
pc = 0x9828a6c, size = 7962695 , count = 1
 
 
MEMPOOL_GLOBAL_SHARED pool binsize allocated byte totals:
 
----- allocated memory statistics -----
 
fragment size count total
(bytes) (bytes)
---------------- ---------- --------------
12582912 1 12582912
2097152 6 12582912
65536 181 11862016
 
----- Binsize PC top usage -----
 
Binsize: 12582912 total (bytes): 12582912
 
pc = 0x8249763, size = 37748736 , count = 1
 
Binsize: 2097152 total (bytes): 12582912
 
pc = 0x8a7ebfb, size = 2560064 , count = 1
pc = 0x8aa4413, size = 2240064 , count = 1
pc = 0x8a9bb13, size = 2240064 , count = 1
pc = 0x8a80542, size = 2097152 , count = 1
pc = 0x97e7172, size = 2097287 , count = 1
pc = 0x8996463, size = 2272832 , count = 1
 
Binsize: 65536 total (bytes): 11862016
 
pc = 0x913db2b, size = 11635232 , count = 161
pc = 0x91421eb, size = 138688 , count = 2
pc = 0x97e7172, size = 339740 , count = 4
pc = 0x97e7433, size = 197229 , count = 3
pc = 0x82c3412, size = 65536 , count = 1
pc = 0x8190e09, size = 155648 , count = 2
pc = 0x8190af6, size = 77824 , count = 1
pc = 0x93016a1, size = 65536 , count = 1
pc = 0x89f1a40, size = 65536 , count = 1
pc = 0x9131140, size = 163968 , count = 2
pc = 0x8ee56c8, size = 66048 , count = 1
pc = 0x8056a01, size = 66528 , count = 1
pc = 0x80569e5, size = 66528 , count = 1
 

 
Related Commands

Command
Description

show memory tracking

Shows all currently collected information.

show memory tracking

To display currently allocated memory tracked by the tool, use the show memory tracking command in privileged EXEC mode.

show memory tracking [ address | dump | detail ]

 
Syntax Description

address

(Optional) Shows memory tracking by address.

detail

(Optional) Shows the internal memory tracking state.

dump

(Optional) Shows the memory tracking address.

 
Defaults

No default behaviors or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes

  • Yes
  • Yes

 
Command History

Release
Modification

7.2(1)

This command was introduced.

 
Usage Guidelines

Use the show memory tracking command to show currently allocated memory tracked by the tool.

Examples

The following is sample output from the show memory tracking command:

ciscoasa# show memory tracking
memory tracking by caller:
17 bytes from 1 allocates by 0x080c50c2
37 bytes from 1 allocates by 0x080c50f6
57 bytes from 1 allocates by 0x080c5125
20481 bytes from 1 allocates by 0x080c5154
 

The following is sample output from the show memory tracking address command:

ciscoasa# show memory tracking address
memory tracking by caller:
17 bytes from 1 allocates by 0x080c50c2
37 bytes from 1 allocates by 0x080c50f6
57 bytes from 1 allocates by 0x080c5125
20481 bytes from 1 allocates by 0x080c5154
 
memory tracking by address:
37 byte region @ 0xa893ae80 allocated by 0x080c50f6
57 byte region @ 0xa893aed0 allocated by 0x080c5125
20481 byte region @ 0xa8d7cc50 allocated by 0x080c5154
17 byte region @ 0xa8a6f370 allocated by 0x080c50c2
 

The following is sample output from the show memory tracking dump command:

ciscoasa# show memory tracking dump
Tracking data for the 57 byte region at 0xa893aed0:
Timestamp: 05:59:36.309 UTC Sun Jul 29 2007
Traceback:
0x080c5125
0x080b3695
0x0873f606
0x08740573
0x080ab530
0x080ac788
0x080ad141
0x0805df8f
Dumping 57 bytes of the 57 byte region:
a893aed0: 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c | ................
a893aee0: 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c | ................
a893aef0: 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c | ................
a893af00: 0c 0c 0c 0c 0c 0c 0c 0c 0c | .........

 
Related Commands

Command
Description

clear memory tracking

Clears all currently collected information.

show memory webvpn

To generate memory usage statistics for WebVPN, use the show memory webvpn command in privileged EXEC mode.

show memory webvpn [ allobjects | blocks | dumpstate [ cache | disk0 | disk1 | flash | ftp | system | tftp ] | pools | profile [ clear | dump | start | stop ] | usedobjects {{ begin | exclude | grep | include } line line }]

 
Syntax Description

allobjects

Displays WebVPN memory consumption details for pools, blocks , and all used and freed objects.

begin

Begins with the line that matches.

blocks

Displays WebVPN memory consumption details for memory blocks.

cache

Specifies a filename for a WebVPN memory cache state dump.

clear

Clears the WebVPN memory profile.

disk0

Specifies a filename for WebVPN memory disk0 state dump.

disk1

Specifies a filename for WebVPN memory disk1 state dump:.

dump

Puts WebVPN memory profile into a file.

dumpstate

Puts WebVPN memory state into a file.

exclude

Excludes the line(s) that match.

flash

Specifies a filename for the WebVPN memory flash state dump.

ftp

Specifies a filename for the WebVPN memory FTP state dump.

grep

Includes or excludes lines that match.

include

Includes the line(s) that match.

line

Identifies the line(s) to match.

line

Specifies the line(s) to match.

pools

Shows WebVPN memory consumption details for memory pools.

profile

Obtains the WebVPN memory profile and places it in a file.

system

Specifies a filename for the WebVPN memory system state dump.

start

Starts gathering the WebVPN memory profile.

stop

Stops getting the WebVPN memory profile.

tftp

Specifies a filename for a WebVPN memory TFTP state dump.

usedobjects

Displays WebVPN memory consumption details for used objects.

 
Defaults

No default behavior or value.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes

  • Yes

Global configuration

  • Yes

  • Yes

Webvpn configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.1(1)

This command was introduced.

Examples

The following is sample output from the show memory webvpn allobjects command:

ciscoasa# show memory webvpn allobjects
Arena 0x36b14f8 of 4094744 bytes (61 blocks of size 66048), maximum 134195200
130100456 free bytes (97%; 1969 blocks, zone 0)
Arena is dynamically allocated, not contiguous
Features: GroupMgmt: SET, MemDebugLog: unset
Pool 0xd719a78 ("cp_entries" => "pool for class cpool entries") (next 0xd6d91d8)
Size: 66040 (1% of current, 0% of limit)
Object frame size: 32
Load related limits: 70/50/30
Callbacks: !init/!prep/!f2ca/!dstr/!dump
Blocks in use:
Block 0xd719ac0..0xd729cb8 (size 66040), pool "cp_entries"
Watermarks { 0xd7098f8 <= 0xd70bb60 <= 0xd719a60 } = 57088 ready
Block size 66040 not equal to arena block 66048 (realigned-to-8)
Used objects: 0
Top allocated count: 275
Objects dump:
0. Object 0xd70bb50: FREED (by "jvclass_pool_free")

 
Related Commands

Command
Description

memory-size

Sets the amount of memory on the ASA that WebVPN services can use.

show memory-caller address

To display the address ranges configured on the ASA, use the show memory-caller address command in privileged EXEC mode.

show memory-caller address

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes

  • Yes
  • Yes

 
Command History

Release
Modification

7.2(1)

This command was introduced.

 
Usage Guidelines

You must first configure an address ranges with the memory caller-address command before you can display them with the show memory-caller address command.

Examples

The following examples show how to configure the address ranges with the memory caller-address command, and the resulting output of the show memory-caller address command:

ciscoasa# memory caller-address 0x00109d5c 0x00109e08
ciscoasa# memory caller-address 0x009b0ef0 0x009b0f14
ciscoasa# memory caller-address 0x00cf211c 0x00cf4464
 
ciscoasa# show memory-caller address
Move down stack frame for the addresses:
pc = 0x00109d5c-0x00109e08
pc = 0x009b0ef0-0x009b0f14
pc = 0x00cf211c-0x00cf4464
 

If address ranges are not configured before entering the show memory-caller address command, no addresses display:

ciscoasa# show memory-caller address
Move down stack frame for the addresses:
 

 
Related Commands

Command
Description

memory caller-address

Configures a block of memory for the caller PC.

show mfib

To display MFIB in terms of forwarding entries and interfaces, use the show mfib command in user EXEC or privileged EXEC mode.

show mfib [ group [ source ]] [ verbose ] [ cluster ]

 
Syntax Description

cluster

(Optional) Displays the MFIB epoch number and the current timer value.

group

(Optional) Displays the IP address of the multicast group.

source

(Optional) Displays the IP address of the multicast route source. This is a unicast IP address in four-part dotted-decimal notation.

verbose

(Optional) Displays additional information about the entries.

 
Defaults

Without the optional arguments, information for all groups is shown.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC or Privileged EXEC

  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

9.0(1)

The cluster keyword was added. Applies to the ASA 5580 and 5585-X only.

Examples

The following is sample output from the show mfib command:

ciscoasa# show mfib 224.0.2.39
Entry Flags: C - Directly Connected, S - Signal, IA - Inherit A flag,
AR - Activity Required, D - Drop
Forwarding counts: Pkt Count/Pkts per second/Avg Pkt Size/Kbits per second
Other counts: Total/RPF failed/Other drops
Interface flags: A - Accept, F - Forward, NS - Negate Signalling
IC - Internal Copy, NP - Not platform switched
SP - Signal Present
Interface Counts: FS Pkt Count/PS Pkt Count
(*,224.0.1.39) Flags: S K
Forwarding: 0/0/0/0, Other: 0/0/0

 
Related Commands

Command
Description

show mfib verbose

Displays detail information about the forwarding entries and interfaces.

show mfib active

To display active multicast sources, use the show mfib active command in user EXEC or privileged EXEC mode.

show mfib [ group ] active [ kbps ]

 
Syntax Description

group

(Optional) IP address of the multicast group.

kbps

(Optional) Limits the display to multicast streams that are greater-than or equal to this value.

This command has no arguments or keywords.

 
Defaults

The default value for kbps is 4. If a group is not specified, all groups are shown.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC or Privileged EXEC

  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

The output for the show mfib active command displays either positive or negative numbers for the rate PPS. The ASA displays negative numbers when RPF packets fail or when the router observes RPF packets with an interfaces out (OIF) list. This type of activity may indicate a multicast routing problem.

Examples

The following is sample output from the show mfib active command:

ciscoasa# show mfib active
Active IP Multicast Sources - sending >= 4 kbps
 
Group: 224.2.127.254, (sdr.cisco.com)
Source: 192.168.28.69 (mbone.ipd.anl.gov)
Rate: 1 pps/4 kbps(1sec), 4 kbps(last 1 secs), 4 kbps(life avg)
 
Group: 224.2.201.241, ACM 97
Source: 192.168.52.160 (webcast3-e1.acm97.interop.net)
Rate: 9 pps/93 kbps(1sec), 145 kbps(last 20 secs), 85 kbps(life avg)
 
Group: 224.2.207.215, ACM 97
Source: 192.168.52.160 (webcast3-e1.acm97.interop.net)
Rate: 3 pps/31 kbps(1sec), 63 kbps(last 19 secs), 65 kbps(life avg)
 

 
Related Commands

Command
Description

show mroute active

Displays active multicast streams.

show mfib count

To display MFIB route and packet count data, use the show mfib count command in user EXEC or privileged EXEC mode.

show mfib [ group [ source ]] count

 
Syntax Description

group

(Optional) IP address of the multicast group.

source

(Optional) IP address of the multicast route source. This is a unicast IP address in four-part dotted-decimal notation.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC or Privileged EXEC

  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

This command displays packet drop statistics.

Examples

The following sample output from the show mfib count command:

ciscoasa# show mfib count
MFIB global counters are :
* Packets [no input idb] : 0
* Packets [failed route lookup] : 0
* Packets [Failed idb lookup] : 0
* Packets [Mcast disabled on input I/F] : 0

 
Related Commands

Command
Description

clear mfib counters

Clears MFIB router packet counters.

show mroute count

Displays multicast route counters.

show mfib interface

To display packet statistics for interfaces that are related to the MFIB process, use the show mfib interface command in user EXEC or privileged EXEC mode.

show mfib interface [ interface ]

 
Syntax Description

interface

(Optional) Interface name. Limits the display to the specified interface.

 
Defaults

Information for all MFIB interfaces is shown.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC or Privileged EXEC

  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

Examples

The following example is sample output from the show mfib interface command:

ciscoasa# show mfib interface
IP Multicast Forwarding (MFIB) status:
Configuration Status: enabled
Operational Status: running
MFIB interface status CEF-based output
[configured,available]
Ethernet0 up [ no, no]
Ethernet1 up [ no, no]
Ethernet2 up [ no, no]
 

 
Related Commands

Command
Description

show mfib

Displays MFIB information in terms of forwarding entries and interfaces.

show mfib reserved

To display reserved groups, use the show mfib reserved command in user EXEC or privileged EXEC mode.

show mfib reserved [ count | verbose | active [ kpbs ]]

 
Syntax Description

active

(Optional) Displays active multicast sources.

count

(Optional) Displays packet and route count data.

kpbs

(Optional) Limits the display to active multicast sources greater than or equal to this value.

verbose

(Optional) Displays additional information.

 
Defaults

The default value for kbps is 4.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC or Privileged EXEC

  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

This command displays MFIB entries in the range 224.0.0.0 through 224.0.0.225.

Examples

The following is sample output from the show mfib reserved command:

ciscoasa# command example
Entry Flags: C - Directly Connected, S - Signal, IA - Inherit A flag,
AR - Activity Required, D - Drop Forwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kbits per second Other counts: Total/RPF failed/Other drops Interface Flags: A - Accept, F - Forward, NS - Negate Signalling
IC - Internal Copy, NP - Not platform switched
SP - Signal Present
Interface Counts: FS Pkt Count/PS Pkt Count
(*,224.0.0.0/4) Flags: C K
Forwarding: 0/0/0/0, Other: 0/0/0
(*,224.0.0.0/24) Flags: K
Forwarding: 0/0/0/0, Other: 0/0/0
(*,224.0.0.1) Flags:
Forwarding: 0/0/0/0, Other: 0/0/0
outside Flags: IC
dmz Flags: IC
inside Flags: IC
 

 
Related Commands

Command
Description

show mfib active

Displays active multicast streams.

show mfib status

To display the general MFIB configuration and operational status, use the show mfib status command in user EXEC or privileged EXEC mode.

show mfib status

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC or Privileged EXEC

  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

Examples

The following is sample output from the show mfib status command:

ciscoasa# show mfib status
IP Multicast Forwarding (MFIB) status:
Configuration Status: enabled
Operational Status: running
 

 
Related Commands

Command
Description

show mfib

Displays MFIB information in terms of forwarding entries and interfaces.

show mfib summary

To display summary information about the number of MFIB entries and interfaces, use the show mfib summary command in user EXEC or privileged EXEC mode.

show mfib summary

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC or Privileged EXEC

  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

Examples

The following is sample output from the show mfib summary command:

ciscoasa# show mfib summary
IPv6 MFIB summary:
 
54 total entries [1 (S,G), 7 (*,G), 46 (*,G/m)]
 
17 total MFIB interfaces
 

 
Related Commands

Command
Description

show mroute summary

Displays multicast routing table summary information.

show mfib verbose

To display detail information about the forwarding entries and interfaces, use the show mfib verbose command in user EXEC or privileged EXEC mode.

show mfib verbose

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC or Privileged EXEC

  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

Examples

The following is sample output from the show mfib verbose command:

ciscoasa# show mfib verbose
Entry Flags: C - Directly Connected, S - Signal, IA - Inherit A flag,
AR - Activity Required, D - Drop
Forwarding counts: Pkt Count/Pkts per second/Avg Pkt Size/Kbits per second
Other counts: Total/RPF failed/Other drops
Interface flags: A - Accept, F - Forward, NS - Negate Signalling
IC - Internal Copy, NP - Not platform switched
SP - Signal Present
Interface Counts: FS Pkt Count/PS Pkt Count
(*,224.0.1.39) Flags: S K
Forwarding: 0/0/0/0, Other: 0/0/0
(*,224.0.1.40) Flags: S K
Forwarding: 0/0/0/0, Other: 0/0/0
(*,224.0.0.0/8) Flags: K
Forwarding: 0/0/0/0, Other: 0/0/0

 
Related Commands

Command
Description

show mfib

Displays MFIB information in terms of forwarding entries and interfaces.

show mfib summary

Displays summary information about the number of MFIB entries and interfaces.

show mgcp

To display MGCP configuration and session information, use the show mgcp command in privileged EXEC mode.

show mgcp { commands | sessions } [ detail ]

 
Syntax Description

commands

Lists the number of MGCP commands in the command queue.

detail

(Optional) Lists additional information about each command (or session) in the output.

sessions

Lists the number of existing MGCP sessions.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

The show mgcp commands command lists the number of MGCP commands in the command queue. The show mgcp sessions command lists the number of existing MGCP sessions. The detail option includes additional information about each command (or session) in the output.

Examples

The following are examples of the show mgcp command options:

ciscoasa# show mgcp commands
1 in use, 1 most used, 200 maximum allowed
CRCX, gateway IP: host-pc-2, transaction ID: 2052, idle: 0:00:07
ciscoasa#
 
ciscoasa# show mgcp commands detail
1 in use, 1 most used, 200 maximum allowed
CRCX, idle: 0:00:10
Gateway IP | host-pc-2
Transaction ID 2052
Endpoint name | aaln/1
Call ID | 9876543210abcdef
Connection ID |
Media IP | 192.168.5.7
Media port | 6058
ciscoasa#
 
ciscoasa# show mgcp sessions
1 in use, 1 most used
Gateway IP host-pc-2, connection ID 6789af54c9, active 0:00:11
ciscoasa#
 
ciscoasa# show mgcp sessions detail
1 in use, 1 most used
Session active 0:00:14
Gateway IP | host-pc-2
Call ID | 9876543210abcdef
Connection ID | 6789af54c9
Endpoint name | aaln/1
Media lcl port 6166
Media rmt IP | 192.168.5.7
Media rmt port 6058
ciscoasa#
 

 
Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

debug mgcp

Enables MGCP debug information.

inspect mgcp

Enables MGCP application inspection.

mgcp-map

Defines an MGCP map and enables MGCP map configuration mode.

show conn

Displays the connection state for different connection types.

show mmp

To display information about existing MMP sessions, use the show mmp command in privileged EXEC mode.

show mmp [ address ]

 
Syntax Description

address

Specifies the IP address of an MMP client/server.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes

  • Yes
  • Yes

 
Command History

Release
Modification

8.0(4)

The command was introduced.

Examples

The following example shows the use of the show mmp command to display information about existing MMP sessions:

ciscoasa# show mmp 10.0.0.42
MMP session:: inside:10.0.0.42/5443 outside:172.23.62.204/2442
session-id=71AD3EB1-7BE8-42E0-8DC3-E96E41D4ADD5
data:: rx-bytes=1258, tx-bytes=1258

 
Related Commands

Command
Description

debug mmp

Displays inspect MMP events.

inspect mmp

Configures the MMP inspection engine.

show debug mmp

Displays current debug settings for the MMP inspection module.

show mode

To show the security context mode for the running software image and for any image in Flash memory, use the show mode command in privileged EXEC mode.

show mode

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

Examples

The following is sample output from the show mode command. The following example shows the current mode and the mode for the non-running image “image.bin”:

ciscoasa# show mode flash:/image.bin
Firewall mode: multiple
 

The mode can be multiple or single.

 
Related Commands

Command
Description

context

Creates a security context in the system configuration and enters context configuration mode.

mode

Sets the context mode to single or multiple.

show module

To show information about a module installed on the ASA, use the show module command in user EXEC mode.

show module [ id | all ] [ details | recover | log [ console ]

 
Syntax Description

all

(Default) Shows information for all modules.

console

(Optional) Shows console log information for the module.

details

(Optional) Shows additional information, including remote management configuration for modules.

id

Specifies the module ID. For a hardware module, specify the slot number, which can be 0 (for the ASA) or 1 (for an installed module). For a software module, specify one of the following names:

  • sfr —ASA FirePOWER module.
  • ips —IPS module
  • cxsc —ASA CX module

log

(Optional) Shows log information for the module.

recover

(Optional) Shows the settings for the hw-module or sw-module module recover command.

 
Defaults

By default, information for all modules is shown.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context 1
System

User EXEC

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

1.The show module recover command is only available in the system execution space.

 
Command History

Release
Modification

7.0(1)

This command was introduced.

7.1(1)

This command was modified to include more detail in the output.

8.2(1)

Information about the SSC is included in the output.

8.2(5)

Information about support for the ASA 5585-X and for the IPS SSP on the ASA 5585-X was added.

8.4(4.1)

We added support for the ASA CX module.

8.6(1)

For the ASA 5512-X through ASA 5555-X: the log and console keywords were added; the ips device ID was added.

9.1(1)

We added support for the ASA CX software module by adding the cxsc module ID.

9.2(1)

We added support for the ASA FirePOWER module, including the sfr keyword.

 
Usage Guidelines

This command shows information about the modules installed in the ASA. The ASA itself also appears as a module in the display (in slot 0).

Examples

The following is sample output from the show module command. Module 0 is the base device; module 1 is a CSC SSM.

ciscoasa# show module
Mod Card Type Model Serial No.
--- -------------------------------------------- ------------------ -----------
0 ASA 5520 Adaptive Security Appliance ASA5520 P3000000034
1 ASA 5500 Series Security Services Module-20 ASA-SSM-20 0
 
Mod MAC Address Range Hw Version Fw Version Sw Version
--- --------------------------------- ------------ ------------ ---------------
0 000b.fcf8.c30d to 000b.fcf8.c311 1.0 1.0(10)0 7.1(0)5
1 000b.fcf8.012c to 000b.fcf8.012c 1.0 1.0(10)0 CSC SSM 5.0 (Build#1187)
 
Mod SSM Application Name SSM Application Version
--- ------------------------------ --------------------------
1 CSC SSM scan services are not
1 CSC SSM 5.0 (Build#1187)
 
Mod Status Data Plane Status Compatibility
--- ------------------ --------------------- -------------
0 Up Sys Not Applicable
1 Up Up
 

The following table describes each field listed in the output.

 

Table 9-3 show module Output Fields

Field
Description

Mod

The module number, 0 or 1.

Ports

The number of ports.

Card Type

For the device shown in module 0, the type is the platform model. For the SSM in module 1, the type is the SSM type.

Model

The model number for this module.

Serial No.

The serial number.

MAC Address Range

The MAC address range for interfaces on this SSM or, for the device, the built-in interfaces.

Hw Version

The hardware version.

Fw Version

The firmware version.

Sw Version

The software version.

SSM Application Name

The name of the application running on the SSM.

SSM Application Version

The version of the application running on the SSM.

Status

For the device in module 0, the status is Up Sys. The status of the SSM in module 1 can be any of the following:

  • Initializing—The SSM is being detected and the control communication is being initialized by the device.
  • Up—The SSM has completed initialization by the device.
  • Unresponsive—The device encountered an error while communicating with this SSM.
  • Reloading—The SSM is reloading.
  • Shutting Down—The SSM is shutting down.
  • Down—The SSM is shut down.
  • Recover—The SSM is attempting to download a recovery image.
  • No Image Present—The IPS software has not been installed.

Data Plane Status

The current state of the data plane.

Compatibility

The compatibility of the SSM relative to the rest of the device.

Slot

The physical slot number (used only in dual SSP mode).

 

The output of the show module details command varies according to which module is installed. For example, output for the CSC SSM includes fields about components of the CSC SSM software.

The following is generic sample output from the show module 1 details command:

ciscoasa# show module 1 details
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module-20
Model: ASA-SSM-20
Hardware version: V1.0
Serial Number: 12345678
Firmware version: 1.0(7)2
Software version: 4.1(1.1)S47(0.1)
MAC Address Range: 000b.fcf8.0156 to 000b.fcf8.0156
Data plane Status: Up
Status: Up
Mgmt IP addr: 10.89.147.13
Mgmt web ports: 443
Mgmt TLS enabled: true
 

The following table describes the additional fields in the output.

 

Table 9-4 show module details Additional Output Fields

Field
Description

DC address

(not shown)

(ASA FirePOWER only). The address of the FireSIGHT Management Center that manages the module.

Mgmt IP addr

Shows the IP address for the module’s management interface.

Mgmt Network Mask

(not shown)

Shows the subnet mask for the management address.

Mgmt Gateway

(not shown)

The gateway for the management address.

Mgmt web ports

Shows the ports configured for the module’s management interface.

Mgmt TLS enabled

Shows whether transport layer security is enabled (true or false) for connections to the management interface of the module.

 

For models that allow you to configure software modules, the show module command lists all possible modules. Status information indicates whether one of them is installed.

ciscoasa# show module
 
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
0 ASA 5555-X with SW, 8 GE Data, 1 GE Mgmt ASA5555 FCH1714J6HP
ips Unknown N/A FCH1714J6HP
cxsc Unknown N/A FCH1714J6HP
sfr FirePOWER Services Software Module ASA5555 FCH1714J6HP
 
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
0 bc16.6520.1dcd to bc16.6520.1dd6 1.0 2.1(9)8 100.8(66)11
ips bc16.6520.1dcb to bc16.6520.1dcb N/A N/A
cxsc bc16.6520.1dcb to bc16.6520.1dcb N/A N/A
sfr bc16.6520.1dcb to bc16.6520.1dcb N/A N/A 5.3.1-100
 
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
ips Unknown No Image Present Not Applicable
cxsc Unknown No Image Present Not Applicable
sfr ASA FirePOWER Up 5.3.1-100
 
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
0 Up Sys Not Applicable
ips Unresponsive Not Applicable
cxsc Unresponsive Not Applicable
sfr Up Up
 
Mod License Name License Status Time Remaining
---- -------------- --------------- ---------------
ips IPS Module Enabled 172 days
 

The following is sample output from the show module 1 recover command:

ciscoasa# show module 1 recover
Module 1 recover parameters. . .
Boot Recovery Image: Yes
Image URL: tftp://10.21.18.1/ids-oldimg
Port IP Address: 10.1.2.10
Port Mask : 255.255.255.0
Gateway IP Address: 10.1.2.254
 

The following is sample output from the show module 1 details command when an SSC is installed:

ciscoasa# show module 1 details
Getting details from the Service Module, please wait...
ASA 5505 Security Services Card
Model: ASA-SSC
Hardware version: 0.1
Serial Number: JAB11370240
Firmware version: 1.0(14)3
Software version: 6.2(1)E2
MAC Address Range: 001d.45c2.e832 to 001d.45c2.e832
App. Name: IPS
App. Status: Up
App. Status Desc:
App. Version: 6.2(1)E2
Data plane Status: Up
Status: Up
Mgmt IP Addr: 209.165.201.29
Mgmt Network Mask: 255.255.224.0
Mgmt Gateway: 209.165.201.30
Mgmt Access List: 209.165.201.31/32
209.165.202.158/32
209.165.200.254/24
Mgmt Vlan: 20
 

The following is sample output from the show module 1 details command when an IPS SSP is installed in an ASA 5585-X:

ciscoasa# show module 1 details
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module-20
Model: ASA-SSM-20
Hardware version: V1.0
Serial Number: 12345678
Firmware version: 1.0(7)2
Software version: 4.1(1.1)S47(0.1)
MAC Address Range: 000b.fcf8.0156 to 000b.fcf8.0156
Data plane Status: Up
Status: Up
Mgmt IP addr: 10.89.147.13
Mgmt web ports: 443
Mgmt TLS enabled: true
 

The following is sample output from the show module all command when a CXSC SSP is installed in an ASA 5585-X:

ciscoasa# show module all
 
Mod Card Type Model Serial No.
--- -------------------------------------------- ------------------ -----------
0 ASA 5585-X Security Services Processor-10 wi ASA5585-SSP-10 JAF1504CBRM
1 ASA 5585-X CXSC Security Services Processor-1 ASA5585-SSP-IPS10 JAF1510BLSE
 
Mod MAC Address Range Hw Version Fw Version Sw Version
--- --------------------------------- ------------ ------------ ---------------
0 5475.d05b.1d54 to 5475.d05b.1d5f 1.0 2.0(7)0 100.7(14)13
1 5475.d05b.248c to 5475.d05b.2497 1.0 0.0(0)0 1.0
 
Mod SSM Application Name Status SSM Application Version
--- ------------------------------ ---------------- --------------------------
1 CXSC Security Module Up 1.0
 
Mod Status Data Plane Status Compatibility
--- ------------------ --------------------- -------------
0 Up Sys Not Applicable
1 Up Up
 

The following is sample output from the show module 1 details command when a CXSC SSP is installed in an ASA 5585-X:

ciscoasa# show module 1 details
 
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module-20
Model: ASA5585-S10C10-K8
Hardware version: 1.0
Serial Number: 123456789
Firmware version: 1.0(9)0
Software version: CXSC Security Module Version 1.0
App. name: CXSC Security Module
App. version: Version 1.0
Data plane Status: Up
Status: Up
HTTP Service: Up
Activated: Yes
Mgmt IP addr: 100.0.1.4
Mgmt web port: 8443
 

 
Related Commands

Command
Description

debug module-boot

Shows debugging messages about the module booting process.

hw-module module recover

Recovers an module by loading a recovery image from a TFTP server.

hw-module module reset

Shuts down an module and performs a hardware reset.

hw-module module reload

Reloads the module software.

hw-module module shutdown

Closes the module software in preparation for being powered off without losing configuration data.

sw-module

Configures a software module.

show monitor-interface

To display information about the interfaces monitored for failover, use the show monitor-interface command in privileged EXEC mode.

show monitor-interface

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

8.2(2)

This command was modified. The output includes IPv6 addresses.

 
Usage Guidelines

Because an interface can have more than one IPv6 address configured on it, only the link-local address is displayed in the show monitor-interface command. If both IPv4 and IPv6 addresses are configured on an interface, both addresses appear in the output. If there is no IPv4 address configured on the interface, the IPv4 address in the output appears as 0.0.0.0. If there is no IPv6 address configured on an interface, the address is simply omitted from the output.

Monitored failover interfaces can have the following status:

  • Unknown—Initial status. This status can also mean the status cannot be determined.
  • Normal—The interface is receiving traffic.
  • Normal (Waiting)—The interface is up but has not yet received a hello packet from the corresponding interface on the peer unit. Verify that a standby IP address has been configured for the interface and that there is connectivity between the two interfaces.
  • Testing—Hello messages are not heard on the interface for five poll times.
  • Link Down—The interface or VLAN is administratively down.
  • No Link—The physical link for the interface is down.
  • Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.

Examples

The following is sample output from the show monitor-interface command:

ciscoasa# show monitor-interface
 
This host: Primary - Active
Interface outside (10.86.94.88): Normal (Waiting)
Interface management (192.168.1.1): Normal (Waiting)
Interface failif (0.0.0.0/fe80::223:4ff:fe77:fed): Normal (Waiting)
Other host: Secondary - Failed
Interface outside (0.0.0.0): Unknown (Waiting)
Interface management (0.0.0.0): Unknown (Waiting)
Interface failif (0.0.0.0): Unknown (Waiting)

 
Related Commands

Command
Description

monitor-interface

Enables health monitoring on a specific interface

show mrib client

To display information about the MRIB client connections, use the show mrib client command in user EXEC or privileged EXEC mode.

show mrib client [ filter ] [ name client_name ]

 
Syntax Description

filter

(Optional) Displays client filter. Used to view information about the MRIB flags that each client owns and the flags in which each clients is interested.

name client_name

(Optional) Name of a multicast routing protocol that acts as a client of MRIB, such as PIM or IGMP.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC or Privileged EXEC

  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

The filter option is used to display the route and interface level flag changes that various MRIB clients have registered. This command option also shows what flags are owned by the MRIB clients.

Examples

The following sample output from the show mrib client command using the filter keyword:

ciscoasa# show mrib client filter
MFWD:0 (connection id 0)
interest filter:
entry attributes: S C IA D
interface attributes: F A IC NS DP SP
groups:
include 0.0.0.0/0
interfaces:
include All
ownership filter:
groups:
include 0.0.0.0/0
interfaces:
include All
igmp:77964 (connection id 1)
ownership filter:
interface attributes: II ID LI LD
groups:
include 0.0.0.0/0
interfaces:
include All
pim:49287 (connection id 5)
interest filter:
entry attributes: E
interface attributes: SP II ID LI LD
groups:
include 0.0.0.0/0
interfaces:
include All
ownership filter:
entry attributes: L S C IA D
interface attributes: F A IC NS DP
groups:
include 0.0.0.0/0
interfaces:
include All
 

 
Related Commands

Command
Description

show mrib route

Displays MRIB table entries.

show mrib route

To display entries in the MRIB table, use the show mrib route command in user EXEC or privileged EXEC mode.

show mrib route [[ source | * ] [ group [/ prefix-length ]]]

 
Syntax Description

*

(Optional) Display shared tree entries.

/ prefix-length

(Optional) Prefix length of the MRIB route. A decimal value that indicates how many of the high-order contiguous bits of the address comprise the prefix (the network portion of the address). A slash mark must precede the decimal value.

group

(Optional) IP address or name of the group.

source

(Optional) IP address or name of the route source.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC or Privileged EXEC

  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

The MFIB table maintains a subset of entries and flags updated from MRIB. The flags determine the forwarding and signaling behavior according to a set of forwarding rules for multicast packets.

In addition to the list of interfaces and flags, each route entry shows various counters. Byte count is the number of total bytes forwarded. Packet count is the number of packets received for this entry. The show mfib count command displays global counters independent of the routes.

Examples

The following is sample output from the show mrib route command:

ciscoasa# show mrib route
IP Multicast Routing Information Base
Entry flags: L - Domain-Local Source, E - External Source to the Domain,
C - Directly-Connected Check, S - Signal, IA - Inherit Accept, D - Drop
Interface flags: F - Forward, A - Accept, IC - Internal Copy,
NS - Negate Signal, DP - Don't Preserve, SP - Signal Present,
II - Internal Interest, ID - Internal Disinterest, LI - Local Interest,
LD - Local Disinterest
(*,224.0.0.0/4) RPF nbr: 10.11.1.20 Flags: L C
Decapstunnel0 Flags: NS
 
(*,224.0.0.0/24) Flags: D
 
(*,224.0.1.39) Flags: S
 
(*,224.0.1.40) Flags: S
POS0/3/0/0 Flags: II LI
 
(*,238.1.1.1) RPF nbr: 10.11.1.20 Flags: C
POS0/3/0/0 Flags: F NS LI
Decapstunnel0 Flags: A
 
(*,239.1.1.1) RPF nbr: 10.11.1.20 Flags: C
POS0/3/0/0 Flags: F NS
Decapstunnel0 Flags: A
 

 
Related Commands

Command
Description

show mfib count

Displays route and packet count data for the MFIB table.

show mrib route summary

Displays a summary of the MRIB table entries.

show mroute

To display the IPv4 multicast routing table, use the show mroute command in privileged EXEC mode.

show mroute [ group [ source ] | reserved ] [ active [ rate ] | count | pruned | summary ]

 
Syntax Description

active rate

(Optional) Displays only active multicast sources. Active sources are those sending at the specified rate or higher. If the rate is not specified, active sources are those sending at a rate of 4 kbps or higher.

count

(Optional) Displays statistics about the group and source, including number of packets, packets per second, average packet size, and bits per second.

group

(Optional) IP address or name of the multicast group as defined in the DNS hosts table.

pruned

(Optional) Displays pruned routes.

reserved

(Optional) Displays reserved groups.

source

(Optional) Source hostname or IP address.

summary

(Optional) Displays a one-line, abbreviated summary of each entry in the multicast routing table.

 
Defaults

If not specified, the rate argument defaults to 4 kbps.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

The show mroute command displays the contents of the multicast routing table. The ASA populates the multicast routing table by creating (S,G) and (*,G) entries based on PIM protocol messages, IGMP reports, and traffic. The asterisk (*) refers to all source addresses, the “S” refers to a single source address, and the “G” is the destination multicast group address. In creating (S, G) entries, the software uses the best path to that destination group found in the unicast routing table (through RPF).

To view the mroute commands in the running configuration, use the show running-config mroute command.

Examples

The following is sample output from the show mroute command:

ciscoasa(config)# show mroute
 
Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group,
C - Connected, L - Local, I - Received Source Specific Host Report,
P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set,
J - Join SPT
Timers: Uptime/Expires
Interface state: Interface, State
 
(*, 239.1.1.40), 08:07:24/never, RP 0.0.0.0, flags: DPC
Incoming interface: Null
RPF nbr: 0.0.0.0
Outgoing interface list:
inside, Null, 08:05:45/never
tftp, Null, 08:07:24/never
 
(*, 239.2.2.1), 08:07:44/never, RP 140.0.0.70, flags: SCJ
Incoming interface: outside
RPF nbr: 140.0.0.70
Outgoing interface list:
inside, Forward, 08:07:44/never
 

The following fields are shown in the show mroute output:

  • Flags —Provides information about the entry.

D—Dense . Entry is operating in dense mode.

S—Sparse . Entry is operating in sparse mode.

B—Bidir Group . Indicates that a multicast group is operating in bidirectional mode.

s—SSM Group . Indicates that a multicast group is within the SSM range of IP addresses. This flag is reset if the SSM range changes.

C—Connected . A member of the multicast group is present on the directly connected interface.

L—Local . The ASA itself is a member of the multicast group. Groups are joined locally by the igmp join-group command (for the configured group).

I—Received Source Specific Host Report . Indicates that an (S, G) entry was created by an (S, G) report. This (S, G) report could have been created by IGMP. This flag is set only on the DR.

P—Pruned . Route has been pruned. The software keeps this information so that a downstream member can join the source.

R—RP-bit set . Indicates that the (S, G) entry is pointing toward the RP.

F—Register flag . Indicates that the software is registering for a multicast source.

T—SPT-bit set . Indicates that packets have been received on the shortest path source tree.

J—Join SPT . For (*, G) entries, indicates that the rate of traffic flowing down the shared tree is exceeding the SPT-Threshold set for the group. (The default SPT-Threshold setting is 0 kbps.) When the J - Join shortest path tree (SPT) flag is set, the next (S, G) packet received down the shared tree triggers an (S, G) join in the direction of the source, thereby causing the ASA to join the source tree.

For (S, G) entries, indicates that the entry was created because the SPT-Threshold for the group was exceeded. When the J - Join SPT flag is set for (S, G) entries, the ASA monitors the traffic rate on the source tree and attempts to switch back to the shared tree for this source if the traffic rate on the source tree falls below the SPT-Threshold of the group for more than 1 minute.


Note The ASA measures the traffic rate on the shared tree and compares the measured rate to the SPT-Threshold of the group once every second. If the traffic rate exceeds the SPT-Threshold, the J - Join SPT flag is set on the (*, G) entry until the next measurement of the traffic rate. The flag is cleared when the next packet arrives on the shared tree and a new measurement interval is started.


If the default SPT-Threshold value of 0 kbps is used for the group, the J - Join SPT flag is always set on (*, G) entries and is never cleared. When the default SPT-Threshold value is used, the ASA immediately switches to the shortest path source tree when traffic from a new source is received.

  • Timers:Uptime/Expires —Uptime indicates per interface how long (in hours, minutes, and seconds) the entry has been in the IP multicast routing table. Expires indicates per interface how long (in hours, minutes, and seconds) until the entry will be removed from the IP multicast routing table.
  • Interface state —Indicates the state of the incoming or outgoing interface.

Interface —The interface name listed in the incoming or outgoing interface list.

State—Indicates that packets will either be forwarded, pruned, or null on the interface depending on whether there are restrictions due to access lists or a time-to-live (TTL) threshold.

  • (*, 239.1.1.40) and (* , 239.2.2.1) —Entries in the IP multicast routing table. The entry consists of the IP address of the source followed by the IP address of the multicast group. An asterisk (*) in place of the source indicates all sources.
  • RP—Address of the RP. For routers and access servers operating in sparse mode, this address is always 224.0.0.0.
  • Incoming interface —Expected interface for a multicast packet from the source. If the packet is not received on this interface, it is discarded.
  • RPF nbr —IP address of the upstream router to the source.
  • Outgoing interface list —Interfaces through which packets will be forwarded.

 
Related Commands

Command
Description

clear configure mroute

Removes the mroute commands from the running configuration.

mroute

Configures a static multicast route.

show mroute

Displays IPv4 multicast routing table.

show running-config mroute

Displays configured multicast routes.