Cisco Security Appliance Command Reference, Version 7.0
D through F Commands
Downloads: This chapterpdf (PDF - 1.97MB) The complete bookPDF (PDF - 18.73MB) | Feedback

D through F Commands

Table Of Contents

D through F Commands

debug aaa

debug arp

debug arp-inspection

debug asdm history

debug cmgr

debug context

debug cplane

debug crypto ca

debug crypto engine

debug crypto ipsec

debug crypto isakmp

debug ctiqbe

debug dhcpc

debug dhcpd

debug dhcprelay

debug disk

debug dns

debug entity

debug fixup

debug fover

debug fsm

debug ftp client

debug generic

debug gtp

debug h323

debug http

debug http-map

debug icmp

debug igmp

debug ils

debug imagemgr

debug ipsec-over-tcp

debug ipsec-pass-thru

debug ipv6

debug iua-proxy

debug kerberos

debug ldap

debug mac-address-table

debug menu

debug mfib

debug mgcp

debug module-boot

debug mrib

debug ntdomain

debug ntp

debug ospf

debug parser cache

debug pim

debug pix pkt2pc

debug pix process

debug pptp

debug radius

debug rip

debug rtsp

debug sdi

debug sequence

debug session-command

debug sip

debug skinny

debug smtp

debug sqlnet

debug ssh

debug ssl

debug sunrpc

debug tacacs

debug tcp-map

debug timestamps

debug vpn-sessiondb

debug xdmcp

default

default (crl configure)

default (time-range)

default enrollment

default-domain

default-group-policy

default-group-policy (webvpn)

default-idle-timeout

default-information originate

delete

deny version

description

dhcp-network-scope

dhcp-server

dhcpd address

dhcpd auto_config

dhcpd dns

dhcpd domain

dhcpd enable

dhcpd lease

dhcpd option

dhcpd ping_timeout

dhcpd wins

dhcprelay enable

dhcprelay server

dhcprelay setroute

dhcprelay timeout

dir

disable

distance ospf

dns domain-lookup

dns-guard

dns name-server

dns retries

dns timeout

dns-server

domain-name

downgrade

drop

duplex

email

enable

enable (webvpn)

enable password

enforcenextupdate

enrollment retry count

enrollment retry period

enrollment terminal

enrollment url

erase

established

exceed-mss

exit

failover

failover active

failover group

failover interface ip

failover interface-policy

failover key

failover lan enable

failover lan interface

failover lan unit

failover link

failover mac address

failover polltime

failover reload-standby

failover replication http

failover reset

failover timeout

filter

filter activex

filter ftp

filter https

filter java

filter url

fips enable

fips self-test poweron

firewall transparent

format

fqdn

fragment

ftp-map

ftp mode passive

functions


D through F Commands


debug aaa

To show debug messages for AAA, use the debug aaa command in privileged EXEC mode. To stop showing AAA messages, use the no form of this command.

debug aaa [ accounting | authentication | authorization | internal | vpn [ level ] ]

no debug aaa

Syntax Description

accounting

(Optional) Show debug messages for accounting only.

authentication

(Optional) Show debug messages for authentication only.

authorization

(Optional) Show debug messages for authorization only.

internal

(Optional) Show debug messages for AAA functions supported by the local database only.

level

(Optional) Specifies the debug level. Valid with the vpn keyword only.

vpn

(Optional) Show debug messages for VPN-related AAA functions only.


Defaults

The default level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was modified to include new keywords.


Usage Guidelines

The debug aaa command displays detailed information about AAA activity. The no debug all or undebug all commands turn off all enabled debugs.

Examples

The following example enables debugging for AAA functions supported by the local database:

hostname(config)# debug aaa internal
debug aaa internal enabled at level 1
hostname(config)# uap allocated. remote address: 10.42.15.172, Session_id: 2147483841 
uap freed for user . remote address: 10.42.15.172, session id: 2147483841

Related Commands

Command
Description

show running-config aaa

Displays running configuration related to AAA.


debug arp

To show debug messages for ARP, use the debug arp command in privileged EXEC mode. To stop showing debug messages for ARP, use the no form of this command.

debug arp

no debug arp

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Using debug commands might slow down traffic on busy networks.

Examples

The following example enables debug messages for ARP:

hostname# debug arp

Related Commands

Command
Description

arp

Adds a static ARP entry.

show arp statistics

Shows ARP statistics.

show debug

Shows all enabled debuggers.


debug arp-inspection

To show debug messages for ARP inspection, use the debug arp-inspection command in privileged EXEC mode. To stop showing debug messages for ARP inspection, use the no form of this command.

debug arp-inspection

no debug arp-inspection

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Using debug commands might slow down traffic on busy networks.

Examples

The following example enables debug messages for ARP inspection:

hostname# debug arp-inspection

Related Commands

Command
Description

arp

Adds a static ARP entry.

arp-inspection

For transparent firewall mode, inspects ARP packets to prevent ARP spoofing.

show debug

Shows all enabled debuggers.


debug asdm history

To view debug information for ASDM, use the debug asdm history command in privileged EXEC mode.

debug asdm history level

Syntax Description

level

(Optional) Specifies the debug level.


Defaults

The default level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was changed from the debug pdm history command to the debug asdm history command.


Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example enables level 1 debugging of ASDM:

hostname# debug asdm history
debug asdm history enabled at level 1

hostname#

Related Commands

Command
Description

show asdm history

Displays the contents of the ASDM history buffer.


debug cmgr

To show debug messages about the SSM card manager, use the debug cmgr command in privileged EXEC mode. To stop showing debug messages for the card manager, use the no form of this command.

debug cmgr [level]

no debug cmgr [level]

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Using debug commands might slow down traffic on busy networks.

Examples

The following example enables debug messages for the card manager:

hostname# debug cmgr

Related Commands

Command
Description

hw-module module recover

Recovers an AIP SSM by loading a recovery image from a TFTP server.

hw-module module reset

Shuts down an AIP SSM and performs a hardware reset.

hw-module module reload

Reloads the AIP SSM software.

hw-module module shutdown

Shuts down the AIP SSM software in preparation for being powered off without losing configuration data.

show module

Shows SSM information.


debug context

To show debug messages when you add or delete a security context, use the debug context command in privileged EXEC mode. To stop showing debug messages for contexts, use the no form of this command.

debug context [level]

no debug context [level]

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Using debug commands might slow down traffic on busy networks.

Examples

The following example enables debug messages for context management:

hostname# debug context

Related Commands

Command
Description

context

Creates a security context in the system configuration and enters context configuration mode.

show context

Shows context information.

show debug

Shows all enabled debuggers.


debug cplane

To show debug messages about the control plane that connects internally to an SSM, use the debug cplane command in privileged EXEC mode. To stop showing debug messages for the control plane, use the no form of this command.

debug cplane [level]

no debug cplane [level]

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Using debug commands might slow down traffic on busy networks.

Examples

The following example enables debug messages for the control plane:

hostname# debug cplane

Related Commands

Command
Description

hw-module module recover

Recovers an intelligent SSM by loading a recovery image from a TFTP server.

hw-module module reset

Shuts down an SSM and performs a hardware reset.

hw-module module reload

Reloads the intelligent SSM software.

hw-module module shutdown

Shuts down the SSM software in preparation for being powered off without losing configuration data.

show module

Shows SSM information.


debug crypto ca

To show debug messages for PKI activity (used with CAs), use the debug crypto ca command in privileged EXEC mode. To stop showing debug messages for PKI, use the no form of this command.

debug crypto ca [messages | transactions] [level]

no debug crypto ca [messages | transactions] [level]

Syntax Description

messages

(Optional) Shows only debug messages for PKI input and output messages.

transactions

(Optional) Shows only debug messages for PKI transactions.

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number. Level 1 (the default) shows messages only when errors occur. Level 2 shows warnings. Level 3 shows informational messages. Levels 4 and up show additional information for troubleshooting.


Defaults

By default, this command shows all debug messages. The default level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Using debug commands might slow down traffic on busy networks.

Examples

The following example enables debug messages for PKI:

hostname# debug crypto ca

Related Commands

Command
Description

debug crypto engine

Shows debug messages for the crypto engine.

debug crypto ipsec

Shows debug messages for IPSec.

debug crypto isakmp

Shows debug messages for ISAKMP.


debug crypto engine

To show debug messages for the crypto engine, use the debug crypto engine command in privileged EXEC mode. To stop showing debug messages for the crypto engine, use the no form of this command.

debug crypto engine [level]

no debug crypto engine [level]

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Using debug commands might slow down traffic on busy networks.

Examples

The following example enables debug messages for the crypto engine:

hostname# debug crypto engine

Related Commands

Command
Description

debug crypto ca

Shows debug messages for the CA.

debug crypto ipsec

Shows debug messages for IPSec.

debug crypto isakmp

Shows debug messages for ISAKMP.


debug crypto ipsec

To show debug messages for IPSec, use the debug crypto ipsec command in privileged EXEC mode. To stop showing debug messages for IPSec, use the no form of this command.

debug crypto ipsec [level]

no debug crypto ipsec [level]

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Using debug commands might slow down traffic on busy networks.

Examples

The following example enables debug messages for IPSec:

hostname# debug crypto ipsec

Related Commands

Command
Description

debug crypto ca

Shows debug messages for the CA.

debug crypto engine

Shows debug messages for the crypto engine.

debug crypto isakmp

Shows debug messages for ISAKMP.


debug crypto isakmp

To show debug messages for ISAKMP, use the debug crypto isakmp command in privileged EXEC mode. To stop showing debug messages for ISAKMP, use the no form of this command.

debug crypto isakmp [timers] [level]

no debug crypto isakmp [timers] [level]

Syntax Description

timers

(Optional) Shows debug messages for ISAKMP timer expiration.

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number. Level 1 (the default) shows messages only when errors occur. Levels 2 through 7 show additional information. Level 254 shows decrypted ISAKMP packets in a human readable format. Level 255 shows hexadecimal dumps of decrypted ISAKMP packets.


Defaults

The default level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Using debug commands might slow down traffic on busy networks.

Examples

The following example enables debug messages for ISAKMP:

hostname# debug crypto isakmp

Related Commands

Command
Description

debug crypto ca

Shows debug messages for the CA.

debug crypto engine

Shows debug messages for the crypto engine.

debug crypto ipsec

Shows debug messages for IPSec.


debug ctiqbe

To show debug messages for CTIQBE application inspection, use the debug ctiqbe command in privileged EXEC mode. To stop showing debug messages for CTIQBE application inspection, use the no form of this command.

debug ctiqbe [level]

no debug ctiqbe [level]

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.


Note Enabling the debug ctiqbe command may slow down traffic on busy networks.


Examples

The following example enables debug messages at the default level (1) for CTIQBE application inspection:

hostname# debug ctiqbe

Related Commands

Command
Description

inspect ctiqbe

Enables CTIQBE application inspection.

show ctiqbe

Displays information about CTIQBE sessions established through the security appliance.

show conn

Displays the connection state for different connection types.

timeout

Sets the maximum idle time duration for different protocols and session types.


debug dhcpc

To enable debugging of the DHCP client, use the debug dhcpc command in privileged EXEC mode. To disable debugging, use the no form of this command.

debug dhcpc {detail | packet | error} [level]

no debug dhcpc {detail | packet | error} [level]

Syntax Description

detail

Displays detail event information that is associated with the DHCP client.

error

Displays error messages that are associated with the DHCP client.

level

(Optional) Specifies the debug level. Valid valuse range from 1 to 255.

packet

Displays packet information that is associated with the DHCP client.


Defaults

The default debug level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Displays DHCP client debug information.

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example shows how to enable debugging for the DHCP client:

hostname# debug dhcpc detail 5
debug dhcpc detail enabled at level 5

Related Commands

Command
Description

show ip address dhcp

Displays detailed information about the DHCP lease for an interface.

show running-config interface

Displays the running configuration of the specified interface.


debug dhcpd

To enable debugging of the DHCP server, use the debug dhcpd command in privileged EXEC mode. To disable debugging, use the no form of this command.

debug dhcpd {event | packet} [level]

no debug dhcpd {event | packet} [level]

Syntax Description

event

Displays event information that is associated with the DHCP server.

level

(Optional) Specifies the debug level. Valid valuse range from 1 to 255.

packet

Displays packet information that is associated with the DHCP server.


Defaults

The default debug level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The debug dhcpd event command displays event information about the DHCP server. The debug dhcpd packet command displays packet information about the DHCP server.

Use the no form of the debug dhcpd commands to disable debugging.

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following shows an example of enabling DHCP event debugging:

hostname# debug dhcpd event
debug dhcpd event enabled at level 1

Related Commands

Command
Description

show dhcpd

Displays DHCP binding, statistic, or state information.

show running-config dhcpd

Displays the current DHCP server configuration.


debug dhcprelay

To enable debugging of the DHCP relay server, use the debug dhcpreleay command in privileged EXEC mode. To disable debugging, use the no form of this command.

debug dhcprelay {event | packet | error} [level]

no debug dhcprelay {event | packet | error} [level]

Syntax Description

error

Displays error messages that are associated with the DHCP relay agent.

event

Displays event information that is associated with the DHCP relay agent.

level

(Optional) Specifies the debug level. Valid valuse range from 1 to 255.

packet

Displays packet information that is associated with the DHCP relay agent.


Defaults

The default debug level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example shows how to enable debugging for DHCP relay agent error messages:

hostname# debug dhcprelay error
debug dhcprelay error enabled at level 1

Related Commands

Command
Description

clear configure dhcprelay

Removes all DHCP relay agent settings.

clear dhcprelay statistics

Clears the DHCP relay agent statistic counters.

show dhcprelay statistics

Displays DHCP relay agent statistic information.

show running-config dhcprelay

Displays the current DHCP relay agent configuration.


debug disk

To display file system debug information, use the debug disk command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.

debug disk {file | file-verbose | filesystem} [level]

no debug disk {file | file-verbose | filesystem}

Syntax Description

file

Enables file-level disk debug messages.

file-verbose

Enables verbose file-level disk debug messages

filesystem

Enables file system debug messages.

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example enables file-level disk debug messages. The show debug command reveals that file-level disk debug messages are enabled. The dir command causes several debug messages.

hostname# debug disk file
debug disk file enabled at level 1
hostname# show debug
debug vpn-sessiondb  enabled at level 1
hostname# dir
IFS: Opening: file flash:/, flags 1, mode 0
IFS: Opened: file flash:/ as fd 3
IFS: Getdent: fd 3
IFS: Getdent: fd 3
IFS: Getdent: fd 3
IFS: Getdent: fd 3

Directory of flash:/
IFS: Close: fd 3
IFS: Opening: file flash:/, flags 1, mode 0

4      -rw-  5124096     14:42:27 Apr 04 2005  cdisk.binIFS: Opened: file flash:/ as fd 3

9      -rw-  5919340     14:53:39 Apr 04 2005  ASDMIFS: Getdent: fd 3

11     drw-  0           15:18:56 Apr 21 2005  syslog
IFS: Getdent: fd 3
IFS: Getdent: fd 3
IFS: Getdent: fd 3
IFS: Close: fd 3

16128000 bytes total (5047296 bytes free)

Related Commands

Command
Description

show debug

Displays current debug configuration.


debug dns

To show debug messages for DNS, use the debug dns command in privileged EXEC mode. To stop showing debug messages for DNS, use the no form of this command.

debug dns [resolver | all] [level]

no debug dns [resolver | all] [level]

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.

resolver

(Optional) Shows only DNS resolver messages.

all

(Default) Shows all messages, including messages about the DNS cache.


Defaults

The default level is 1. If you do not specify any keywords, the security appliance shows all mesages.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Using debug commands might slow down traffic on busy networks.

Examples

The following example enables debug messages for DNS:

hostname# debug dns

Related Commands

Command
Description

class-map

Defines the traffic class to which to apply security actions.

inspect dns

Enables DNS application inspection.

policy-map

Associates a class map with specific security actions.

service-policy

Applies a policy map to one or more interfaces.


debug entity

To display management information base (MIB) debug information, use the debug entity command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.

debug entity [level]

no debug entity

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example enables MIB debug messages. The show debug command reveals that MIB debug messages are enabled.

hostname# debug entity
debug entity  enabled at level 1
hostname# show debug
debug entity  enabled at level 1
hostname#

Related Commands

Command
Description

show debug

Displays current debug configuration.


debug fixup

To display detailed information about application inspection, use the debug fixup command in privileged EXEC mode. To disable debugging, Use the no form of this command.

debug fixup

no debug fixup

Defaults

All options are enabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The debug fixup command displays detailed information about application inspection. The no debug all or undebug all commands turn off all enabled debugs.

Examples

The following example enables the display of detailed information about application inspection:

hostname# debug fixup

Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

inspect protocol

Enables application inspection for specific protocols.

policy-map

Associates a class map with specific security actions.


debug fover

To display failover debug information, use the debug fover command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.

debug fover {cable | fail | fmsg | ifc | open | rx | rxdmp | rxip | switch | sync | tx | txdmp | txip | verify}

no debug fover {cable | fail | fmsg | ifc | open | rx | rxdmp | rxip | switch | sync | tx | txdmp | txip | verify}

Syntax Description

cable

Failover LAN status or serial cable status.

fail

Failover internal exception.

fmsg

Failover message.

ifc

Network interface status trace.

open

Failover device open.

rx

Failover message receive.

rxdmp

Failover receive message dump (serial console only).

rxip

IP network failover packet receive.

switch

Failover switching status.

sync

Failover configuration/command replication.

tx

Failover message transmit.

txdmp

Failover transmit message dump (serial console only).

txip

IP network failover packet transmit.

verify

Failover message verify.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was modified. It includes additional debug keywords.


Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example shows how to display debug information for failover command replication:

hostname# debug fover sync
fover event trace on

Related Commands

Command
Description

show failover

Displays information about the failover configuration and operational statistics.


debug fsm

To display FSM debug information, use the debug fsm command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.

debug fsm [level]

no debug fsm

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example enables FSM debug messages. The show debug command reveals that FSM debug messages are enabled.

hostname# debug fsm
debug fsm  enabled at level 1
hostname# show debug
debug fsm  enabled at level 1
hostname#

Related Commands

Command
Description

show debug

Displays current debug configuration.


debug ftp client

To show debug messages for FTP, use the debug ftp client command in privileged EXEC mode. To stop showing debug messages for FTP, use the no form of this command.

debug ftp client [level]

no debug ftp client [level]

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.


Note Enabling the debug ftp client command may slow down traffic on busy networks.


Examples

The following example enables debug messages at the default level (1) for FTP:

hostname# debug ftp client

Related Commands

Command
Description

copy

Uploads or downloads image files or configuration files to or from an FTP server.

ftp mode passive

Configures the mode for FTP sessions.

show running-config ftp mode

Displays FTP client configuration.


debug generic

To display miscellaneous debug information, use the debug generic command in privileged EXEC mode. To disable the display of miscellaneous debug information, use the no form of this command.

debug generic [level]

no debug generic

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example enables miscellaneous debug messages. The show debug command reveals that miscellaneous debug messages are enabled.

hostname# debug generic
debug generic  enabled at level 1
hostname# show debug
debug generic  enabled at level 1
hostname#

Related Commands

Command
Description

show debug

Displays current debug configuration.


debug gtp

To display detailed information about GTP inspection, use the debug gtp command in privileged EXEC mode. To disable debugging, Use the no form of this command.

debug gtp [ error | event | ha | parser ]

no debug gtp [ error | event | ha | parser ]

Syntax Description

error

(Optional) Displays debug information on errors encountered while processing the GTP message.

event

(Optional) Displays debug information on GTP events.

ha option

(Optional) Debugs information on GTP HA events.

parser

(Optional) Displays debug information for parsing the GTP messages.


Defaults

All options are enabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The debug gtp command displays detailed information about GTP inspection. The no debug all or undebug all commands turn off all enabled debugs.


Note GTP inspection requires a special license.


Examples

The following example enables the display of detailed information about GTP inspection:

hostname# debug gtp

Related Commands

Commands
Description

clear service-policy inspect gtp

Clears global GTP statistics.

gtp-map

Defines a GTP map and enables GTP map configuration mode.

inspect gtp

Applies a GTP map to use for application inspection.

show service-policy inspect gtp

Displays the GTP configuration.

show running-config gtp-map

Shows the GTP maps that have been configured.


debug h323

To show debug messages for H.323, use the debug h323 command in privileged EXEC mode. To stop showing debug messages for H.323, use the no form of this command.

debug h323 {h225 | h245 | ras} [asn | event]

no debug h323 {h225 | h245 | ras} [asn | event]

Syntax Description

h225

Specifies H.225 signaling.

h245

Specifies H.245 signaling.

ras

Specifies the registration, admission, and status protocol.

asn

(Optional) Displays the output of the decoded protocol data units (PDU)s.

event

(Optional) Displays the events of the H.245 signaling or turns on both traces.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.


Note Enabling the debug h323 command may slow down traffic on busy networks.


Examples

The following example enables debug messages at the default level (1) for H.225 signaling

hostname# debug h323 h225

Related Commands

Command
Description

inspect h323

Enables H.323 application inspection.

show h225

Displays information for H.225 sessions established across the security appliance.

show h245

Displays information for H.245 sessions established across the security appliance by endpoints using slow start.

show h323-ras

Displays information for H.323 RAS sessions established across the security appliance.

timeout h225 | h323

Configures idle time after which an H.225 signalling connection or an H.323 control connection will be closed.


debug http

To display detailed information about HTTP traffic, use the debug http command in privileged EXEC mode. To disable debugging, Use the no form of this command.

debug http [ level ]

no debug http [ level ]

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The defafult for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The debug http command displays detailed information about HTTP traffic. The no debug all or undebug all commands turn off all enabled debugs.

Examples

The following example enables the display of detailed information about HTTP traffic:

hostname# debug http

Related Commands

Commands
Description

http

Specifies hosts that can access the HTTP server internal to the security appliance.

http-proxy

Configures an HTTP proxy server.

http redirect

Redirects HTTP traffic to HTTPS.

http server enable

Enables the security appliance HTTP server.


debug http-map

To show debug messages for HTTP application inspection maps, use the debug http-map command in privileged EXEC mode. To stop showing debug messages for HTTP application inspection, use the no form of this command.

debug http-map

no debug http-map

Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.


Note Enabling the debug http-map command may slow down traffic on busy networks.


Examples

The following example enables debug messages at the default level (1) for HTTP application inspection:

hostname# debug http-map

Related Commands

Command
Description

class-map

Defines the traffic class to which to apply security actions.

debug appfw

Displays detailed information about HTTP application inspection.

http-map

Defines an HTTP map for configuring enhanced HTTP inspection.

inspect http

Applies a specific HTTP map to use for application inspection.

policy-map

Associates a class map with specific security actions.


debug icmp

To display detailed information about ICMP inspection, use the debug icmp command in privileged EXEC mode. To disable debugging, Use the no form of this command.

debug icmp trace [ level ]

no debug icmp trace [ level ]

Syntax Description

trace

Displays debug information about ICMP trace activity.

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

All options are enabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The debug icmp command displays detailed information about ICMP inspection. The no debug all or undebug all commands turn off all enabled debugs.

Examples

The following example enables the display of detailed information about ICMP inspection:

hostname# debug icmp

Related Commands

Commands
Description

clear configure icmp

Clears the ICMP configuration.

icmp

Configures access rules for ICMP traffic that terminates at a security appliance interface.

show conn

Displays the state of connections through the security appliance for different protocols and session types.

show icmp

Displays ICMP configuration.

timeout icmp

Configures idle timeout for ICMP.


debug igmp

To display IGMP debug information, use the debug igmp command in privileged EXEC mode. To stop the display of debug information, use the no form of this command.

debug igmp [group group_id | interface if_name]

no debug igmp [group group_id | interface if_name]

Syntax Description

group group_id

Displays IGMP debug information for the specified group.

interface if_name

Display IGMP debug information for the specified interface.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following is sample output from the debug igmp command:

hostname#debug igmp

IGMP debugging is on
IGMP: Received v2 Query on outside from 192.168.3.2
IGMP: Send v2 general Query on dmz
IGMP: Received v2 Query on dmz from 192.168.4.1
IGMP: Send v2 general Query on outside
IGMP: Received v2 Query on outside from 192.168.3.1
IGMP: Send v2 general Query on inside
IGMP: Received v2 Query on inside from 192.168.1.1
IGMP: Received v2 Report on inside from 192.168.1.6 for 224.1.1.1
IGMP: Updating EXCLUDE group timer for 224.1.1.1

Related Commands

Command
Description

show igmp groups

Displays the multicast groups with receivers that are directly connected to the security appliance and that were learned through IGMP.

show igmp interface

Displays multicast information for an interface.


debug ils

To show debug messages for ILS, use the debug ils command in privileged EXEC mode. To stop showing debug messages for ILS, use the no form of this command.

debug ils [level]

no debug ils [level]

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.


Note Enabling the debug ils command may slow down traffic on busy networks.


Examples

The following example enables debug messages at the default level (1) for ILS application inspection:

hostname# debug ils

Related Commands

Command
Description

class-map

Defines the traffic class to which to apply security actions.

inspect ils

Enables ILS application inspection.

policy-map

Associates a class map with specific security actions.

service-policy

Applies a policy map to one or more interfaces.


debug imagemgr

To display Image Manager debug information, use the debug imagemgr command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.

debug imagemgr [level]

no debug imagemgr

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example enables Image Manager debug messages. The show debug command reveals that Image Manager debug messages are enabled.

hostname# debug imagemgr
debug imagemgr  enabled at level 1
hostname# show debug
debug imagemgr  enabled at level 1
hostname#

Related Commands

Command
Description

show debug

Displays current debug configuration.


debug ipsec-over-tcp

To display IPSec-over-TCP debug information, use the debug ipsec-over-tcp command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.

debug ipsec-over-tcp [level]

no debug ipsec-over-tcp

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example enables IPSec-over-TCP debug messages. The show debug command reveals that IPSec-over-TCP debug messages are enabled.

hostname# debug ipsec-over-tcp
debug ipsec-over-tcp  enabled at level 1
hostname# show debug
debug ipsec-over-tcp  enabled at level 1
hostname#

Related Commands

Command
Description

show debug

Displays current debug configuration.


debug ipsec-pass-thru

To show debug messages for ipsec-pass-thru, use the debug ipsec-pass-thru command in privileged EXEC mode. To stop showing debug messages for DNS, use the no form of this command.

debug ipsec-pass-thru level

no debug ipsec-pass-thru

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default level is 1. If you do not specify any keywords, the security appliance shows all mesages.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(5)

This command was introduced.


Usage Guidelines

Using debug commands might slow down traffic on busy networks.

Examples

The following example enables debug messages for DNS:

hostname# debug ipsec-pass-thru

Related Commands

Command
Description

inspect ipsec-pass-thru

Enables IPSec pass-thru application inspection.


debug ipv6

To display ipv6 debug messages, use the debug ipv6 command in privileged EXEC mode. To stop the display of debug messages, use the no form of this command.

debug ipv6 {icmp | interface | nd | packet | routing}

no debug ipv6 {icmp | interface | nd | packet | routing}

Syntax Description

icmp

Displays debug messages for IPv6 ICMP transactions, excluding ICMPv6 neighbor discovery transactions.

interface

Displays debug information for IPv6 interfaces.

nd

Displays debug messages for ICMPv6 neighbor discovery transactions.

packet

Displays debug messages for IPv6 packets.

routing

Displays debug messages for IPv6 routing table updates and route cache updates.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following is sample output for the debug ipv6 icmp command:

hostname# debug ipv6 icmp
13:28:40:ICMPv6:Received ICMPv6 packet from 2000:0:0:3::2, type 136
13:28:45:ICMPv6:Received ICMPv6 packet from FE80::203:A0FF:FED6:1400, type 135
13:28:50:ICMPv6:Received ICMPv6 packet from FE80::203:A0FF:FED6:1400, type 136
13:28:55:ICMPv6:Received ICMPv6 packet from FE80::203:A0FF:FED6:1400, type 135

Related Commands

Command
Description

ipv6 icmp

Defines access rules for ICMP messages that terminate on a security appliance interface.

ipv6 address

Configures an interface with an IPv6 address or addresses.

ipv6 nd dad attempts

Defines the number of neighbor discovery attempts performed during duplicate address detection.

ipv6 route

Defines a static entry in the IPv6 routing table.


debug iua-proxy

To display individual user authentication (IUA) proxy debug information, use the debug iua-proxy command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.

debug iua-proxy [level]

no debug iua-proxy

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example enables IUA-proxy debug messages. The show debug command reveals that IUA-proxy debug messages are enabled.

hostname# debug iua-proxy
debug iua-proxy  enabled at level 1
hostname# show debug
debug iua-proxy  enabled at level 1
hostname#

Related Commands

Command
Description

show debug

Displays current debug configuration.


debug kerberos

To display Kerberos authentication debug information, use the debug kerberos command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.

debug kerberos [level]

no debug kerberos

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example enables Kerberos debug messages. The show debug command reveals that Kerberos debug messages are enabled.

hostname# debug kerberos
debug kerberos  enabled at level 1
hostname# show debug
debug kerberos  enabled at level 1
hostname#

Related Commands

Command
Description

show debug

Displays current debug configuration.


debug ldap

To display LDAP debug information, use the debug ldap command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.

debug ldap [level]

no debug ldap

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example enables LDAP debug messages. The show debug command reveals that LDAP debug messages are enabled.

hostname# debug ldap
debug ldap  enabled at level 1
hostname# show debug
debug ldap  enabled at level 1
hostname#

Related Commands

Command
Description

show debug

Displays current debug configuration.


debug mac-address-table

To show debug messages for the MAC address table, use the debug mac-address-table command in privileged EXEC mode. To stop showing debug messages for the MAC address table, use the no form of this command.

debug mac-address-table [level]

no debug mac-address-table [level]

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Using debug commands might slow down traffic on busy networks.

Examples

The following example enables debug messages for the MAC address table:

hostname# debug mac-address-table

Related Commands

Command
Description

mac-address-table aging-time

Sets the timeout for dynamic MAC address entries.

mac-address-table static

Adds static MAC address entries to the MAC address table.

mac-learn

Disables MAC address learning.

show debug

Shows all enabled debuggers.

show mac-address-table

Shows MAC address table entries.


debug menu

To display detailed debug information for specific features, use the debug menu command in privileged EXEC mode.

debug menu


Caution The debug menu command should be used only under the supervision of Cisco technical support staff.

Syntax Description

This command should be used only under the supervision of Cisco technical support staff.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

This command should be used only under the supervision of Cisco technical support staff.

Related Commands

Command
Description

show debug

Displays current debug configuration.


debug mfib

To display MFIB debug information, use the debug mfib command in privileged EXEC mode. To stop displaying debug information, use the no form of this command.

debug mfib {db | init | mrib | pak | ps | signal} [group]

no debug mfib {db | init | mrib | pak | ps | signal} [group]

Syntax Description

db

(Optional) Displays debug information for route database operations.

group

(Optional) IP address of the multicast group.

init

(Optional) Displays system initialization activity.

mrib

(Optional) Displays debug information for communication with MRIB.

pak

(Optional) Displays debug information for packet forwarding operations.

ps

(Optional) Displays debug information for process switching operations.

signal

(Optional) Displays debug information for MFIB signaling to routing protocols.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example displays MFIB dabase operation debug information:

hostname# debug mfib db
MFIB IPv4 db debugging enabled

Related Commands

Command
Description

show mfib

Displays MFIB forwarding entries and interfaces.


debug mgcp

To display detailed information about MGCP application inspection, use the debug mgcp command in privileged EXEC mode. To disable debugging, Use the no form of this command.

debug mgcp {messages | parser | sessions}

no debug mgcp {messages | parser | sessions}

messages

Displays debug information about MGCP messages.

parser

Displays debug information for parsing MGCP messages.

sessions

Displays debug information about MGCP sessions.


Defaults

All options are enabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The debug mgcp command displays detailed information about mgcp inspection. The no debug all or undebug all commands turn off all enabled debugs.

Examples

The following example enables the display of detailed information about MGCP application inspection:

hostname# debug mgcp

Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

inspect mgcp

Enables MGCP application inspection.

mgcp-map

Defines an MGCP map and enables MGCP map configuration mode.

show mgcp

Displays information about MGCP sessions established through the security appliance.

show conn

Displays the connection state for different connection types.


debug module-boot

To show debug messages about the SSM booting process, use the debug module-boot command in privileged EXEC mode. To stop showing debug messages for the SSM booting process, use the no form of this command.

debug module-boot [level]

no debug module-boot [level]

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Using debug commands might slow down traffic on busy networks.

Examples

The following example enables debug messages for the SSM booting process:

hostname# debug module-boot

Related Commands

Command
Description

hw-module module recover

Recovers an intelligent SSM by loading a recovery image from a TFTP server.

hw-module module reset

Shuts down an SSM and performs a hardware reset.

hw-module module reload

Reloads the intelligent SSM software.

hw-module module shutdown

Shuts down the SSM software in preparation for being powered off without losing configuration data.

show module

Shows SSM information.


debug mrib

To display MRIB debug information, use the debug mrib command in privileged EXEC mode. To stop the display of debug information, use the no form of this command.

debug mrib {client | io | route [group] | table}

no debug mrib {client | io | route [group] | table}

Syntax Description

client

Enables debugging for MRIB client management activity.

io

Enables debugging of MRIB I/O events.

route

Enables debugging of MRIB routing entry activity.

group

Enables debugging of MRIB routing entry activity for the specified group.

table

Enables debugging of MRIB table management activity.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example shows how to enable debugging of MRIB I/O events:

hostname# debug mrib io
IPv4 MRIB io debugging is on

Related Commands

Command
Description

show mrib client

Displays information about the MRIB client connections.

show mrib route

Displays MRIB table entries.


debug ntdomain

To display NT domain authentication debug information, use the debug ntdomain command in privileged EXEC mode. To disable the display of NT domain debug information, use the no form of this command.

debug ntdomain [level]

no debug ntdomain

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example enables NT domain debug messages. The show debug command reveals that NT domain debug messages are enabled.

hostname# debug ntdomain
debug ntdomain  enabled at level 1
hostname# show debug
debug ntdomain  enabled at level 1
hostname#

Related Commands

Command
Description

show debug

Displays current debug configuration.


debug ntp

To show debug messages for NTP, use the debug ntp command in privileged EXEC mode. To stop showing debug messages for NTP, use the no form of this command.

debug ntp {adjust | authentication | events | loopfilter | packets | params | select | sync | validity}

no debug ntp {adjust | authentication | events | loopfilter | packets | params | select | sync | validity}

Syntax Description

adjust

Shows messages about NTP clock adjustments.

authentication

Shows messages about NTP authentication.

events

Shows messages about NTP events.

loopfilter

Shows messages about NTP loop filter.

packets

Shows messages about NTP packets.

params

Shows messages about NTP clock parameters.

select

Shows messages about NTP clock selection.

sync

Shows messages about NTP clock synchronization.

validity

Shows messages about NTP peer clock validity.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Using debug commands might slow down traffic on busy networks.

Examples

The following example enables debug messages for NTP:

hostname# debug ntp events

Related Commands

Command
Description

ntp authenticate

Enables NTP authentication.

ntp server

Identifies an NTP server.

show debug

Shows all enabled debuggers.

show ntp associations

Shows the NTP servers with which the security appliance is associated.

show ntp status

Shows the status of the NTP association.


debug ospf

To display debug information about the OSPF routing processes, use the debug ospf command in privileged EXEC mode.

debug ospf [adj | database-timer | events | flood | lsa-generation | packet | retransmission | spf [external | inter | intra] | tree]

no debug ospf [adj | database-timer | events | flood | lsa-generation | packet | retransmission | spf [external | inter | intra] | tree]

Syntax Description

adj

(Optional) Enables the debugging of OSPF adjacency events.

database-timer

(Optional) Enables the debugging of OSPF timer events.

events

(Optional) Enables the debugging of OSPF events.

external

(Optional) Limits SPF debugging to external events.

flood

(Optional) Enables the debugging of OSPF flooding.

inter

(Optional) Limits SPF debugging to inter-area events.

intra

(Optional) Limits SPF debugging to intra-area events.

lsa-generation

(Optional) Enables the debugging of OSPF summary LSA generation.

packet

(Optional) Enables the debugging of received OSPF packets.

retransmission

(Optional) Enables the debugging of OSPF retransmission events.

spf

(Optional) Enables the debugging of OSPF shortest path first calculations. You can limit the SPF debug information by using the external, inter, and intra keywords.

tree

(Optional) Enables the debugging of OSPF database events.


Defaults

Displays all OSPF debug information if no keyword is provided.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following is sample output from the debug ospf events command:

hostname# debug ospf events
ospf event debugging is on

OSPF:hello with invalid timers on interface Ethernet0
hello interval received 10 configured 10
net mask received 255.255.255.0 configured 255.255.255.0
dead interval received 40 configured 30

Related Commands

Command
Description

show ospf

Displays general information about the OSPF routing process.


debug parser cache

To display CLI parser debug information, use the debug parser cache command in privileged EXEC mode. To disable the display of CLI parser debug information, use the no form of this command.

debug parser cache [level]

no debug parser cache

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example enables CLI parser debug messages. The show debug command reveals the current debug configuration. The CLI parser debug messages appear before and after the output of the show debug command.

hostname# debug parser cache
debug parser cache enabled at level 1
hostname# show debug
parser cache: try to match 'show debug' in exec mode
debug parser cache enabled at level 1
parser cache: hit at index 8
hostname# 

Related Commands

Command
Description

show debug

Displays current debug configuration.


debug pim

To display PI M debug information, use the debug pim command in privileged EXEC mode. To stop displaying debug information, use the no form of this command.

debug pim [df-election [interface if_name | rp rp] | group group | interface if_name | neighbor]

no debug pim [df-election [interface if_name | rp rp] | group group | interface if_name | neighbor]

Syntax Description

df-election

(Optional) Displays debug messages for PIM bidirectional DF-election message processing.

group group

(Optional) Displays debug information for the specified group. The value for group can be one of the following:

Name of the multicast group, as defined in the DNS hosts table or with the domain ipv4 host command.

IP address of the multicast group. This is a multicast IP address in four-part dotted-decimal notation.

interface if_name

(Optional) When used with the df-election keyword, it limits the DF election debug display to information for the specified interface.

When used without the df-election keyword, displays PIM error messages for the specified interface.

Note The debug pim interface command does not display PIM protocol activity messages; it only displays error messages. To see debug information for PIM protocol activity, use the debug pim command without the interface keyword. You can use the group keyword to limit the display to the specified multicast group.

neighbor

(Optional) Displays only the sent/received PIM hello messages.

rp rp

(Optional) Can be either one of the following:

Name of the RP, as defined in the Domain Name System (DNS) hosts table or with the domain ipv4 host command.

IP address of the RP. This is a multicast IP address in four-part dotted-decimal notation.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Logs PIM packets received and transmitted and also PIM-related events.

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following is sample output from the debug pim command:

hostname# debug pim
PIM: Received Join/Prune on Ethernet1 from 172.24.37.33
PIM: Received Join/Prune on Ethernet1 from 172.24.37.33
PIM: Received Join/Prune on Tunnel0 from 10.3.84.1
PIM: Received Join/Prune on Ethernet1 from 172.24.37.33
PIM: Received Join/Prune on Ethernet1 from 172.24.37.33
PIM: Received RP-Reachable on Ethernet1 from 172.16.20.31
PIM: Update RP expiration timer for 224.2.0.1
PIM: Forward RP-reachability packet for 224.2.0.1 on Tunnel0
PIM: Received Join/Prune on Ethernet1 from 172.24.37.33
PIM: Prune-list (10.221.196.51/32, 224.2.0.1)
PIM: Set join delay timer to 2 seconds for (10.221.0.0/16, 224.2.0.1) on Ethernet1
PIM: Received Join/Prune on Ethernet1 from 172.24.37.6
PIM: Received Join/Prune on Ethernet1 from 172.24.37.33
PIM: Received Join/Prune on Tunnel0 from 10.3.84.1
PIM: Join-list: (*, 224.2.0.1) RP 172.16.20.31
PIM: Add Tunnel0 to (*, 224.2.0.1), Forward state
PIM: Join-list: (10.0.0.0/8, 224.2.0.1)
PIM: Add Tunnel0 to (10.0.0.0/8, 224.2.0.1), Forward state
PIM: Join-list: (10.4.0.0/16, 224.2.0.1)
PIM: Prune-list (172.24.84.16/28, 224.2.0.1) RP-bit set RP 172.24.84.16
PIM: Send Prune on Ethernet1 to 172.24.37.6 for (172.24.84.16/28, 224.2.0.1), RP
PIM: For RP, Prune-list: 10.9.0.0/16
PIM: For RP, Prune-list: 10.16.0.0/16
PIM: For RP, Prune-list: 10.49.0.0/16
PIM: For RP, Prune-list: 10.84.0.0/16
PIM: For RP, Prune-list: 10.146.0.0/16
PIM: For 10.3.84.1, Join-list: 172.24.84.16/28
PIM: Send periodic Join/Prune to RP via 172.24.37.6 (Ethernet1)

Related Commands

Command
Description

show pim group-map

Displays group-to-protocol mapping table.

show pim interface

Displays interface-specific information for PIM.

show pim neighbor

Displays entries in the PIM neighbor table.


debug pix pkt2pc

To show debug messages that trace packets sent to the uauth code and that trace the event where the uauth proxy session is cut through to the data path, use the debug pix pkt2pc command in privileged EXEC mode. To stop showing debug messages, use the no form of this command.

debug pix pkt2pc

no debug pix pkt2pc

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Using debug commands might slow down traffic on busy networks.

Examples

The following example enables debug messages that trace packets sent to the uauth code and that trace the event where the uauth proxy session is cut through to the data path:

hostname# debug pix pkt2pc

Related Commands

Command
Description

debug pix process

Shows debug messages for xlate and secondary connections processing.

show debug

Shows all enabled debuggers.


debug pix process

To show debug messages for xlate and secondary connections processing, use the debug pix process command in privileged EXEC mode. To stop showing debug messages, use the no form of this command.

debug pix process

no debug pix process

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Using debug commands might slow down traffic on busy networks.

Examples

The following example enables debug messages for xlate and secondary connections processing:

hostname# debug pix process

Related Commands

Command
Description

debug pix pkt2pc

Shows debug messages that trace packets sent to the uauth code and that trace the event where the uauth proxy session is cut through to the data path.

show debug

Shows all enabled debuggers.


debug pptp

To show debug messages for PPTP, use the debug pptp command in privileged EXEC mode. To stop showing debug messages for PPTP, use the no form of this command.

debug pptp [level]

no debug pptp [level]

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.


Note Enabling the debug pptp command may slow down traffic on busy networks.


Examples

The following example enables debug messages at the default level (1) for PPTP application inspection:

hostname# debug pptp

Related Commands

Command
Description

class-map

Defines the traffic class to which to apply security actions.

inspect pptp

Enables PPTP application inspection.

policy-map

Associates a class map with specific security actions.

service-policy

Applies a policy map to one or more interfaces.


debug radius

To show debug messages for AAA, use the debug radius command in privileged EXEC mode. To stop showing RADIUS messages, use the no form of this command.

debug radius [ all | decode | session | user username ] ]

no debug radius

Syntax Description

all

(Optional) Show RADIUS debugging messages for all users and sessions, including decoded RADIUS messages.

decode

(Optional) Show decoded content of RADIUS messages. Content of all RADIUS packets display, including hexadecimal values and the decoded, eye-readable versions of these values.

session

(Optional) Show session-related RADIUS messages. Packet types for sent and received RADIUS messages display but not the packet content.

user

(Optional) Show RADIUS debugging messages for a specific user.

username

Specifies the user whose messages you want to see. Valid with the user keyword only.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The debug radius command displays detailed information about RADIUS messaging between the security appliance and a RADIUS AAA server. The no debug all or undebug all commands turn off all enabled debugs.

Examples

The following example shows decoded RADIUS messages, which happen to be accounting packets:

hostname(config)# debug radius decode
hostname(config)# RADIUS packet decode (accounting request)

--------------------------------------
Raw packet data (length = 216).....
i
Parsed packet data.....
Radius: Code = 4 (0x04)
Radius: Identifier = 105 (0x69)
Radius: Length = 216 (0x00D8)
Radius: Vector: 842E0E99F44C00C05A0A19AB88A81312
Radius: Type = 40 (0x28) Acct-Status-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x2
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x1
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.1.1.1 (0x0A010101)
Radius: Type = 14 (0x0E) Login-IP-Host
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.2.0.50 (0xD0FE1291)
Radius: Type = 16 (0x10) Login-TCP-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x50
Radius: Type = 44 (0x2C) Acct-Session-Id
Radius: Length = 12 (0x0C)
Radius: Value (String) = 
30 78 31 33 30 31 32 39 66 65                      |  0x130129fe
Radius: Type = 1 (0x01) User-Name
Radius: Length = 9 (0x09)
Radius: Value (String) = 
62 72 6f 77 73 65 72                               |  browser
Radius: Type = 46 (0x2E) Acct-Session-Time
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x0
Radius: Type = 42 (0x2A) Acct-Input-Octets
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x256D
Radius: Type = 43 (0x2B) Acct-Output-Octets
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x3E1
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 30 (0x1E)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 24 (0x18)
Radius: Value (String) = 
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 30 2e    |  ip:source-ip=10.
31 2e 31 2e 31 30                                  |  1.1.10
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 27 (0x1B)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 21 (0x15)
Radius: Value (String) = 
69 70 3a 73 6f 75 72 63 65 2d 70 6f 72 74 3d 33    |  ip:source-port=3
34 31 33                                           |  413
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 40 (0x28)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 34 (0x22)
Radius: Value (String) = 
69 70 3a 64 65 73 74 69 6e 61 74 69 6f 6e 2d 69    |  ip:destination-i
70 3d 32 30 38 2e 32 35 34 2e 31 38 2e 31 34 35    |  p=10.2.0.50
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 30 (0x1E)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 24 (0x18)
Radius: Value (String) = 
69 70 3a 64 65 73 74 69 6e 61 74 69 6f 6e 2d 70    |  ip:destination-p
6f 72 74 3d 38 30                                  |  ort=80

Related Commands

Command
Description

show running-config

Displays the configuration that is running on the security appliance.


debug rip

To display debug information for RIP, use the debug rip command in privileged EXEC mode. To disable the debug information display, use the no form of this command.

debug rip

no debug rip

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example enables level 1 debugging of RIP:

hostname# debug rip
debug rip enabled at level 1

hostname#

Related Commands

Command
Description

clear configure rip

Clears all RIP commands from the running configuration.

rip

Configures RIP on the specified interface.

show running-config rip

Displays the RIP commands in the running configuration.


debug rtsp

To show debug messages for RTSP application inspection, use the debug rtsp command in privileged EXEC mode. To stop showing debug messages for RTSP application inspection, use the no form of this command.

debug rtsp [level]

no debug rtsp [level]

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.


Note Enabling the debug rtsp command may slow down traffic on busy networks.


Examples

The following example enables debug messages at the default level (1) for RTSP application inspection:

hostname# debug rtsp

Related Commands

Command
Description

class-map

Defines the traffic class to which to apply security actions.

inspect rtsp

Enables RTSP application inspection.

policy-map

Associates a class map with specific security actions.

service-policy

Applies a policy map to one or more interfaces.


debug sdi

To display SDI authentication debug information, use the debug sdi command in privileged EXEC mode. To disable the display of SDI debug information, use the no form of this command.

debug sdi [level]

no debug sdi

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example enables SDI debug messages. The show debug command reveals that SDI debug messages are enabled.

hostname# debug sdi
debug sdi  enabled at level 1
hostname# show debug
debug sdi  enabled at level 1
hostname#

Related Commands

Command
Description

show debug

Displays current debug configuration.


debug sequence

To add a sequence number to the beginning of all debug messages, use the debug sequence command in privileged EXEC mode. To disable the use of debug sequence numbers, use the no form of this command.

debug sequence [level]

no debug sequence

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The defaults are as follows:

Debug message sequence numbers are disabled.

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example enables sequence numbers in debug messages. The debug parser cache command enables CLI parser debug messages. The show debug command reveals the current debug configuration. The CLI parser debug messages shown include sequence numbers before each message.

hostname# debug sequence
debug sequence  enabled at level 1
hostname# debug parser cache
debug parser cache enabled at level 1
hostname# show debug
0: parser cache: try to match 'show debug' in exec mode
debug parser cache enabled at level 1
debug sequence  enabled at level 1
1: parser cache: hit at index 8
hostname# 

Related Commands

Command
Description

show debug

Displays current debug configuration.


debug session-command

To show debug messages for a session to an SSM, use the debug session-command command in privileged EXEC mode. To stop showing debug messages for sessions, use the no form of this command.

debug session-command [level]

no debug session-command [level]

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Using debug commands might slow down traffic on busy networks.

Examples

The following example enables debug messages for sessions:

hostname# debug session-command

Related Commands

Command
Description

session

Sessions to an SSM.


debug sip

To show debug messages for SIP application inspection, use the debug sip command in privileged EXEC mode. To stop showing debug messages for SIP application inspection, use the no form of this command.

debug sip [level]

no debug sip [level]

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.


Note Enabling the debug sip command may slow down traffic on busy networks.


Examples

The following example enables debug messages at the default level (1) for SIP application inspection:

hostname# debug sip

Related Commands

Command
Description

class-map

Defines the traffic class to which to apply security actions.

inspect sip

Enables SIP application inspection.

show conn

Displays the connection state for different connection types.

show sip

Displays information about SIP sessions established through the security appliance.

timeout

Sets the maximum idle time duration for different protocols and session types.


debug skinny

To show debug messages for SCCP (Skinny) application inspection, use the debug skinny command in privileged EXEC mode. To stop showing debug messages for SCCP application inspection, use the no form of this command.

debug skinny [level]

no debug skinny [level]

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.


Note Enabling the debug skinny command may slow down traffic on busy networks.


Examples

The following example enables debug messages at the default level (1) for SCCP application inspection:

hostname# debug skinny

Related Commands

Command
Description

class-map

Defines the traffic class to which to apply security actions.

inspect skinny

Enables SCCP application inspection.

show skinny

Displays information about SCCP sessions established through the security appliance.

show conn

Displays the connection state for different connection types.

timeout

Sets the maximum idle time duration for different protocols and session types.


debug smtp

To show debug messages for SMTP/ESMTP application inspection, use the debug smtp command in privileged EXEC mode. To stop showing debug messages for SMTP/ESMTP application inspection, use the no form of this command.

debug smtp [level]

no debug smtp [level]

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.


Note Enabling the debug smtp command may slow down traffic on busy networks.


Examples

The following example enables debug messages at the default level (1) for SMTP/ESMTP application inspection:

hostname# debug smtp

Related Commands

Command
Description

class-map

Defines the traffic class to which to apply security actions.

inspect esmtp

Enables ESMTP application inspection.

policy-map

Associates a class map with specific security actions.

service-policy

Applies a policy map to one or more interfaces.

show conn

Displays the connection state for different connection types, including SMTP.


debug sqlnet

To show debug messages for SQL*Net application inspection, use the debug sqlnet command in privileged EXEC mode. To stop showing debug messages for SQL*Net application inspection, use the no form of this command.

debug sqlnet [level]

no debug sqlnet [level]

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.


Note Enabling the debug sqlnet command may slow down traffic on busy networks.


Examples

The following example enables debug messages at the default level (1) for SQL*Net application inspection:

hostname# debug sqlnet

Related Commands

Command
Description

class-map

Defines the traffic class to which to apply security actions.

inspect sqlnet

Enables SQL*Net application inspection.

policy-map

Associates a class map with specific security actions.

service-policy

Applies a policy map to one or more interfaces.

show conn

Displays the connection state for different connection types, including SQL*Net.


debug ssh

To display debug information and error messages associated with SSH, use the debug ssh command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.

debug ssh [level]

no debug ssh [level]

Syntax Description

level

(Optional) Specifies an optional level of debug.


Defaults

The default level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following is sample output from the debug ssh 255 command:

hostname# debug ssh 255
debug ssh  enabled at level 255
SSH2 0: send: len 64 (includes padlen 17)
SSH2 0: done calc MAC out #239
SSH2 0: send: len 32 (includes padlen 7)
SSH2 0: done calc MAC out #240
SSH2 0: send: len 64 (includes padlen 15)
SSH2 0: done calc MAC out #241
SSH2 0: send: len 32 (includes padlen 16)
SSH2 0: done calc MAC out #242
SSH2 0: send: len 64 (includes padlen 7)
SSH2 0: done calc MAC out #243
SSH2 0: send: len 64 (includes padlen 18)
SSH2 0: done calc MAC out #244
SSH2 0: send: len 64 (includes padlen 8)
SSH2 0: done calc MAC out #245
SSH2 0: send: len 64 (includes padlen 18)
SSH2 0: done calc MAC out #246
SSH2 0: send: len 64 (includes padlen 7)
SSH2 0: done calc MAC out #247
SSH2 0: send: len 64 (includes padlen 18)
SSH2 0: done calc MAC out #248
SSH2 0: send: len 64 (includes padlen 7)
SSH2 0: done calc MAC out #249
SSH2 0: send: len 64 (includes padlen 18)
SSH2 0: done calc MAC out #250
SSH2 0: send: len 64 (includes padlen 8)
SSH2 0: done calc MAC out #251
SSH2 0: send: len 64 (includes padlen 18)
SSH2 0: done calc MAC out #252
SSH2 0: send: len 64 (includes padlen 7)
SSH2 0: done calc MAC out #253
SSH2 0: send: len 64 (includes padlen 18)
SSH2 0: done calc MAC out #254
SSH2 0: send: len 64 (includes padlen 8)
SSH2 0: done calc MAC out #255
SSH2 0: send: len 64 (includes padlen 18)
SSH2 0: done calc MAC out #256
SSH2 0: send: len 64 (includes padlen 7)
SSH2 0: done calc MAC out #257
SSH2 0: send: len 64 (includes padlen 18)
SSH2 0: done calc MAC out #258

Related Commands

Command
Description

clear configure ssh

Clears all SSH commands from the running configuration.

show running-config ssh

Displays the current SSH commands in the running configuration.

show ssh sessions

Displays information about active SSH sessions to the security appliance.

ssh

Allows SSH connectivity to the security appliance from the specified client or network.


debug ssl

To display SSL debug information, use the debug ssl command in privileged EXEC mode. To disable the display of SSL debug information, use the no form of this command.

debug ssl {cipher | device} [level]

no debug ssl {cipher | device}

Syntax Description

cipher

Display information about the cipher negotiation between the HTTP server and the client.

device

Displays information about the SSL device including session initiation and ongoing status.

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example enables SSL debug messages, specifically for cipher negotiation. The show debug command reveals that SSL debug messages are enabled.

hostname# debug ssl cipher
debug ssl cipher enabled at level 1
hostname# show debug
debug ssl cipher enabled at level 1
hostname#

Related Commands

Command
Description

show debug

Displays current debug configuration.


debug sunrpc

To show debug messages for RPC application inspection, use the debug sunrpc command in privileged EXEC mode. To stop showing debug messages for RPC application inspection, use the no form of this command.

debug sunrpc [level]

no debug sunrpc [level]

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.


Note Enabling the debug sunrpc command may slow down traffic on busy networks.


Examples

The following example enables debug messages at the default level (1) for RPC application inspection:

hostname# debug sunrpc

Related Commands

Command
Description

class-map

Defines the traffic class to which to apply security actions.

inspect sunrpc

Enables Sun RPC application inspection.

policy-map

Associates a class map with specific security actions.

show conn

Displays the connection state for different connection types, including RPC.

timeout

Sets the maximum idle time duration for different protocols and session types.


debug tacacs

To display TACACS+ debug information, use the debug tacacs command in privileged EXEC mode. To disable the display of TACACS+ debug information, use the no form of this command.

debug tacacs [session | user username]

no debug tacacs [session | user username]

Syntax Description

session

Displays session-related TACACS+ debug messages.

user

Displays user-specific TACACS+ debug messages. You can display TACACS+ debug messages for only one user at a time.

username

Specifies the user whose TACACS+ debug messages you want to view.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example enables TACACS+ debug messages. The show debug command reveals that TACACS+ debug messages are enabled.

hostname# debug tacacs user admin342
hostname# show debug
debug tacacs user admin342
hostname#

Related Commands

Command
Description

show debug

Displays current debug configuration.


debug tcp-map

To show debug messages for TCP application inspection maps, use the debug tcp-map command in privileged EXEC mode. To stop showing debug messages for TCP application inspection, use the no form of this command.

debug tcp-map

no debug tcp-map

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example enables debug messages for TCP application inspection maps. The show debug command reveals that debug messages for TCP application inspection maps are enabled.

hostname# debug tcp-map
debug tcp-map enabled at level 1.
hostname# show debug
debug tcp-map enabled at level 1.
hostname#

Related Commands

Command
Description

show debug

Displays current debug configuration.


debug timestamps

To add timestamp information to the beginning of all debug messages, use the debug timestamps command in privileged EXEC mode. To disable the use of debug timestamps, use the no form of this command.

debug timestamps [level]

no debug timestamps

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The defaults are as follows:

Debug timestamp information is disabled.

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example enables timestamps in debug messages. The debug parser cache command enables CLI parser debug messages. The show debug command reveals the current debug configuration. The CLI parser debug messages shown include timestamps before each message.

hostname# debug timestamps
debug timestamps  enabled at level 1
hostname# debug parser cache
debug parser cache enabled at level 1
hostname# show debug
1982769.770000000: parser cache: try to match 'show debug' in exec mode
1982769.770000000: parser cache: hit at index 8
hostname# 

Related Commands

Command
Description

show debug

Displays current debug configuration.


debug vpn-sessiondb

To display VPN-session database debug information, use the debug vpn-sessiondb command in privileged EXEC mode. To disable the display of VPN-session database debug information, use the no form of this command.

debug vpn-sessiondb [level]

no debug vpn-sessiondb

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example enables VPN-session database debug messages. The show debug command reveals that VPN-session database debug messages are enabled.

hostname# debug vpn-sessiondb
debug vpn-sessiondb  enabled at level 1
hostname# show debug
debug vpn-sessiondb  enabled at level 1
hostname#

Related Commands

Command
Description

show debug

Displays current debug configuration.


debug xdmcp

To show debug messages for XDMCP application inspection, use the debug xdmcp command in privileged EXEC mode. To stop showing debug messages for XDMCP application inspection, use the no form of this command.

debug xdmcp [level]

no debug xdmcp [level]

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.


Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.


Note Enabling the debug xdmcp command may slow down traffic on busy networks.


Examples

The following example enables debug messages at the default level (1) for XDMCP application inspection:

hostname# debug xdmcp

Related Commands

Command
Description

class-map

Defines the traffic class to which to apply security actions.

inspect xdmcp

Enables XDMCP application inspection.

policy-map

Associates a class map with specific security actions.

service-policy

Applies a policy map to one or more interfaces.


default

To restore default settings for the time-range command absolute and periodic keywords, use the default command in time-range configuration mode.

default {absolute | periodic days-of-the-week time to [days-of-the-week] time}

Syntax Description

absolute

Defines an absolute time when a time range is in effect.

days-of-the-week

(Optional) The first occurrence of this argument is the starting day or day of the week that the associated time range is in effect. The second occurrence is the ending day or day of the week the associated statement is in effect.

This argument is any single day or combinations of days: Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, and Sunday. Other possible values are:

daily—Monday through Sunday

weekdays—Monday through Friday

weekend—Saturday and Sunday

If the ending days of the week are the same as the starting days of the week, you can omit them.

periodic

Specifies a recurring (weekly) time range for functions that support the time-range feature.

time

Specifies the time in the format HH:MM. For example, 8:00 is 8:00 a.m. and 20:00 is 8:00 p.m.

to

Entry of the to keyword is required to complete the range "from start-time to end-time."


Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Time-range configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

If the end days-of-the-week value is the same as the start value, you can omit them.

If a time-range command has both absolute and periodic values specified, then the periodic commands are evaluated only after the absolute start time is reached, and are not further evaluated after the absolute end time is reached.

The time-range feature relies on the system clock of the security appliance; however, the feature works best with NTP synchronization.

Examples

The following example shows how to restore the default behavior of the absolute keyword:

hostname(config-time-range)# default absolute

Related Commands

Command
Description

absolute

Defines an absolute time when a time range is in effect.

periodic

Specifies a recurring (weekly) time range for functions that support the time-range feature.

time-range

Defines access control to the security appliance based on time.


default (crl configure)

To return all CRL parameters to their system default values, use the default command in crl configure configuration mode. The crl configure configuration mode is accessible from the crypto ca trustpoint configuration mode. These parameters are used only when the LDAP server requires them.

default

Syntax Description

This command has no arguments or keywords.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crl configure configuration

·

 

·

   

Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Invocations of this command do not become part of the active configuration.

Examples

The following example enters ca-crl configuration mode, and returns CRL command values to their defaults:

hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# crl configure
hostname(ca-crl)# default
hostname(ca-crl)# 

Related Commands

Command
Description

crl configure

Enters crl configure configuration mode.

crypto ca trustpoint

Enters trustpoint configuration mode.

protocol ldap

Specifies LDAP as a retrieval method for CRLs.


default (time-range)

To restore default settings for the absolute and periodic commands, use the default command in time-range configuration mode.

default {absolute | periodic days-of-the-week time to [days-of-the-week] time}

Syntax Description

absolute

Defines an absolute time when a time range is in effect.

days-of-the-week

The first occurrence of this argument is the starting day or day of the week that the associated time range is in effect. The second occurrence is the ending day or day of the week the associated statement is in effect.

This argument is any single day or combinations of days: Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, and Sunday. Other possible values are:

daily—Monday through Sunday

weekdays—Monday through Friday

weekend—Saturday and Sunday

If the ending days of the week are the same as the starting days of the week, you can omit them.

periodic

Specifies a recurring (weekly) time range for functions that support the time-range feature.

time

Specifies the time in the format HH:MM. For example, 8:00 is 8:00 a.m. and 20:00 is 8:00 p.m.

to

Entry of the to keyword is required to complete the range "from start-time to end-time."


Defaults

There are no default settings for this command.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Time-range configuration

·

·

·

·

 

Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

If the end days-of-the-week value is the same as the start value, you can omit them.

If a time-range command has both absolute and periodic values specified, then the periodic commands are evaluated only after the absolute start time is reached, and are not further evaluated after the absolute end time is reached.

The time-range feature relies on the system clock of the security appliance; however, the feature works best with NTP synchronization.

Examples

The following example shows how to restore the default behavior of the absolute keyword:

hostname(config-time-range)# default absolute

Related Commands

Command
Description

absolute

Defines an absolute time when a time range is in effect.

periodic

Specifies a recurring (weekly) time range for functions that support the time-range feature.

time-range

Defines access control to the security appliance based on time.


default enrollment

To return all enrollment parameters to their system default values, use the default enrollment command in crypto ca trustpoint configuration mode.

default enrollment

Syntax Description

This command has no arguments or keywords.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crypto ca trustpoint configuration

·

·

·

·

·


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Invocations of this command do not become part of the active configuration.

Examples

The following example enters crypto ca trustpoint configuration mode for trustpoint central, and returns all enrollment parameters to their default values within trustpoint central:

hostname<config># crypto ca trustpoint central
hostname<ca-trustpoint># default enrollment
hostname<ca-trustpoint># 

Related Commands

Command
Description

clear configure crypto ca trustpoint

Removes all trustpoints.

crl configure

Enters crl configuration mode.

crypto ca trustpoint

Enters trustpoint configuration mode.


default-domain

To set a default domain name for users of the group policy, use the default-domain command in group-policy configuration mode. To delete a domain name, use the no form of this command.

To prevent users from inheriting a domain name, use the default-domain none command.

The security appliance passes the default domain name to the IPSec client to append to DNS queries that omit the domain field. This domain name applies only to tunneled packets. When there are no default domain names, users inherit the default domain name in the default group policy.

default-domain {value domain-name | none}

no default-domain [domain-name]

Syntax Description

none

Indicates that there is no default domain name. Sets a default domain name with a null value, thereby disallowing a default domain name. Prevents inheriting a default domain name from a default or specified group policy.

value domain-name

Identifies the default domain name for the group.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

You can use only alphanumeric characters, hyphens (-), and periods (.) in default domain names.

Examples

The following example shows how to set a default domain name of FirstDomain for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# default-domain value FirstDomain

Related Commands

Command
Description

split-dns

Provides a list of domains to be resolved through the split tunnel.

split-tunnel-network-list

Identifies the access list the security appliance uses to distinguish networks that require tunneling and those that do not.

split-tunnel-policy

Lets an IPSec client conditionally direct packets over an IPSec tunnel in encrypted form, or to a network interface in cleartext form


default-group-policy

To specify the set of attributes that the user inherits by default, use the default-group-policy command in tunnel-group general-attributes configuration mode. To eliminate a default group policy name, use the no form of this command.

default-group-policy group-name

no default-group-policy group-name

Syntax Description

group-name

Specifies the name of the default group.


Defaults

The default group name is DfltGrpPolicy.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tunnel-group general attributes configuration

 

   

Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The default group policy DfltGrpPolicy comes with the initial configuration of the security appliance. You can apply this attribute to all tunnel-group types.

Examples

The following example entered in config-general configuration mode, specifies a set of attributes for users to inherit by default for an IPSec LAN-to-LAN tunnel group named standard-policy. This set of commands defines the accounting server, the authentication server, the authorization server and the address pools.

hostname(config)# tunnel-group standard-policy type ipsec-ra
hostname(config)# tunnel-group standard-policy general-attributes
hostname(config-general)# default-group-policy first-policy
hostname(config-general)# accounting-server-group aaa-server123
hostname(config-general)# address-pool (inside) addrpool1 addrpool2 addrpool3
hostname(config-general)# authentication-server-group aaa-server456
hostname(config-general)# authorization-server-group aaa-server78
hostname(config-general)# 

Related Commands

Command
Description

clear-configure tunnel-group

Clears all configured tunnel groups.

group-policy

Creates or edits a group policy

show running-config tunnel group

Shows the tunnel group configuration for all tunnel groups or for a particular tunnel group.

tunnel-group-map default group

Associates the certificate map entries created using the crypto ca certificate map command with tunnel groups.


default-group-policy (webvpn)

To specify the name of the group policy to use when the WebVPN or e-mail proxy configuration does not specify a group policy, use the default-group-policy command. WebVPN, IMAP4S, POP3S, and SMTPS sessions require either a specified or a default group policy. For WebVPN, use this command in webvpn mode. For e-mail proxy, use this command in the applicable e-mail proxy mode. To remove the attribute from the configuration, use the no version of this command.

default-group-policy groupname

no default-group-policy

Syntax Description

groupname

Identifies the previously configured group policy to use as the default group policy. Use the group-policy command in configuration mode to configure a group policy.


Defaults

A default group policy, named DfltGrpPolicy, always exists on the security appliance. This default-group-policy command lets you substitute a group policy that you create as the default group policy for WebVPN and e-mail proxy sessions. An alternative is to edit the DfltGrpPolicy.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn

Imap4s

Pop3s

Smtps


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

You can edit, but not delete the system DefaultGroupPolicy. It has the following AVPs:

Attribute
Default Value

wins-server

none

dns-server

none

dhcp-network-scope

none

vpn-access-hours

unrestricted

vpn-simultaneous-logins

3

vpn-idle-timeout

30 minutes

vpn-session-timeout

none

vpn-filter

none

vpn-tunnel-protocol

WebVPN

ip-comp

disable

re-xauth

disable

group-lock

none

pfs

disable

client-access-rules

none

banner

none

password-storage

disabled

ipsec-udp

disabled

ipsec-udp-port

0

backup-servers

keep-client-config

split-tunnel-policy

tunnelall

split-tunnel-network-list

none

default-domain

none

split-dns

none

intercept-dhcp

disable

client-firewall

none

secure-unit-authentication

disabled

user-authentication

disabled

user-authentication-idle-timeout

none

ip-phone-bypass

disabled

leap-bypass

disabled

nem

disabled

webvpn attributes:

 

filter

none

functions

disabled

homepage

none

html-content-filter

none

port-forward

disabled

port-forward-name

none

url-list

mpme


Examples

The following example shows how to specify a default group policy called WebVPN7 for WebVPN:

hostname(config)# webvpn
hostname(config-webvpn)# default-group-policy WebVPN7

default-idle-timeout

To set a default idle timeout value for WebVPN users, use the default-idle-timeout command in webvpn mode. To remove the default idle timeout value from the configuration and reset the default, use the no form of this command.

The default idle timeout prevents stale sessions.

default-idle-timeout seconds

no default-idle-timeout

Syntax Description

seconds

Specifies the number of seconds for the idle time out. The minimum is 60 seconds, maximum is 1 day (86400 seconds).


Defaults

1800 seconds (30 minutes).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The security appliance uses the value you set here if there is no idle timeout defined for a user, if the value is 0, or if the value does not fall into the valid range.

We recommend that you set this command to a short time period. This is because a browser set to disable cookies (or one that prompts for cookies and then denies them) can result in a user not connecting but nevertheless appearing in the sessions database. If the maximum number of connections permitted is set to one (vpn-simultaneous-logins command), the user cannot log back in because the database indicates that the maximum number of connections already exists. Setting a low idle timeout removes such phantom sessions quickly, and lets a user log in again.

Examples

The following example shows how to set the default idle timeout to 1200 seconds (20 minutes):

hostname(config)# webvpn
hostname(config-webvpn)# default-idle-timeout 1200

Related Commands

Command
Description

vpn-simultaneous-logins

Sets the maximum number of simultaneous VPN sessions permitted. Use in group-policy or username mode.


default-information originate

To generate a default external route into an OSPF routing domain, use the default-information originate command in router configuration mode. To disable this feature, use the no form of this command.

default-information originate [always] [metric value] [metric-type {1 | 2}] [route-map name]

no default-information originate [[always] [metric value] [metric-type {1 | 2}] [route-map name]]

Syntax Description

always

(Optional) Always advertises the default route regardless of whether the software has a default route.

metric value

(Optional) Specifies the OSPF default metric value from 0 to 16777214.

metric-type {1 | 2}

(Optional) External link type associated with the default route advertised into the OSPF routing domain. Valid values are as follows:

1—Type 1 external route.

2—Type 2 external route.

route-map name

(Optional) Name of the route map to apply.


Defaults

The default values are as follows:

metric value is 1.

metric-type is 2.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Router configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Using the no form of this command with optional keywords and arguments only removes the optional information from the command. For example, entering no default-information originate metric 3 removes the metric 3 option from the command in the running configuration. To remove the complete command from the running configuration, use the no form of the command without any options: no default-information originate.

Examples

The following example shows how to use the default-information originate command with an optional metric and metric type:

hostname(config-router)# default-information originate always metric 3 metric-type 2
hostname(config-router)#

Related Commands

Command
Description

router ospf

Enters router configuration mode.

show running-config router

Displays the commands in the global router configuration.


delete

To delete a file in the disk partition, use the delete command in privileged EXEC mode.

delete [/noconfirm] [/recursive] [disk0: | disk1: | flash:]filename

Syntax Description

/noconfirm

(Optional) Specifies not to prompt for confirmation.

/recursive

(Optional) Deletes the specified file recursively in all subdirectories.

disk0:

(Optional) Specifies the internal Flash memory, followed by a colon.

disk1:

(Optional) Specifies the external Flash memory card, followed by a colon.

filename

Specifies the name of the file to delete.

flash:

Specifies the nonremovable internal Flash, followed by a colon. In the ASA 5500 series, the flash keyword is aliased to disk0.


Defaults

If you do not specify a directory, the directory is the current working directory by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The file is deleted from the current working directory if a path is not specified. Wildcards are supported when deleting files. When deleting files, you are prompted with the filename and you must confirm the deletion.

The following example shows how to delete a file named test.cfg in the current working directory:

hostname# delete test.cfg

Related Commands

Command
Description

cd

Changes the current working directory to the one specified.

rmdir

Removes a file or directory.

show file

Displays the specified file.


deny version

To deny a specific version of SNMP traffic, use the deny version command in SNMP map configuration mode, which is accessible by entering the snmp-map command from global configuration mode. To disable this command, use the no version of the command.

deny version version

deny version version

Syntax Description

version

Specifies the version of SNMP traffic that the security appliance drops. The permitted values are 1, 2, 2c, and 3.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

SNMP map configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Use the deny version command to restrict SNMP traffic to specific versions of SNMP. Earlier versions of SNMP were less secure so restricting SNMP traffic to Version 2 may be specified by your security policy. You use the deny version command within an SNMP map, which you configure using the snmp-map command. After creating the SNMP map, you enable the map using the inspect snmp command and then apply it to one or more interfaces using the service-policy command.

Examples

The following example shows how to identify SNMP traffic, define a SNMP map, define a policy, and apply the policy to the outside interface:

hostname(config)# access-list snmp-acl permit tcp any any eq 161 
hostname(config)# access-list snmp-acl permit tcp any any eq 162
hostname(config)# class-map snmp-port 
hostname(config-cmap)# match access-list snmp-acl
hostname(config-cmap)# exit
hostname(config)# snmp-map inbound_snmp
hostname(config-snmp-map)# deny version 1
hostname(config-snmp-map)# exit
hostname(config)# policy-map inbound_policy 
hostname(config-pmap)# class snmp-port
hostname(config-pmap-c)# inspect snmp inbound_snmp 
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
hostname(config)# service-policy inbound_policy interface outside

Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

inspect snmp

Enable SNMP application inspection.

policy-map

Associates a class map with specific security actions.

snmp-map

Defines an SNMP map and enables SNMP map configuration mode.

service-policy

Applies a policy map to one or more interfaces.


description

To add a description for a named configuration unit (for example, for a context or for an object group), use the description command in various configuration modes. To remove the description, use the no form of this command. The description adds helpful notes in your configuration.

description text

no description

Syntax Description

text

Sets the description as a text string up to 200 characters in length. If you want to include a question mark (?) in the string, you must type Ctrl-V before typing the question mark so you do not inadvertently invoke CLI help.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Class-map configuration

Context configuration

Gtp-map configuration

Interface configuration

Object-group configuration

Policy-map configuration


Command History

Release
Modification

7.0

This command was added to several new configuration modes.


Examples

The following example adds a description to the "Administration" context configuration:

hostname(config)# context administrator
hostname(config-context)# description This is the admin context.
hostname(config-context)# allocate-interface gigabitethernet0/0.1
hostname(config-context)# allocate-interface gigabitethernet0/1.1
hostname(config-context)# config-url flash://admin.cfg

Related Commands

Command
Description

class-map

Identifies traffic to which you apply actions in the policy-map command.

context

Creates a security context in the system configuration and enters context configuration mode.

gtp-map

Controls parameters for the GTP inspection engine.

interface

Configures an interface and enters interface configuration mode.

object-group

Identifies traffic to include in the access-list command.

policy-map

Identifies actions to apply to traffic identified by the class-map command.


dhcp-network-scope

To specify the range of IP addresses the security appliance DHCP server should use to assign addresses to users of this group policy, use the dhcp-network-scope command in group-policy configuration mode. To remove the attribute from the running configuration, use the no form of this command. This option allows inheritance of a value from another group policy. To prevent inheriting a value, use the dhcp-network-scope none command.

dhcp-network-scope {ip_address} | none

no dhcp-network-scope

Syntax Description

ip_address

Specifies the IP subnetwork the DHCP server should use to assign IP addresses to users of this group policy.

none

Sets the DHCP subnetwork to a null value, thereby allowing no IP addresses. Prevents inheriting a value from a default or specified group policy.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example shows how to set an IP subnetwork of 10.10.85.0 for the group policy named First Group:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# dhcp-network-scope 10.10.85.0

dhcp-server

To configure support for DHCP servers that assign IP addresses to clients as a VPN tunnel is established, use the dhcp-server command in tunnel-group general-attributes configuration mode. To return this command to the default, use the no form of this command.

dhcp-server hostname1 [...hostname10]

no dhcp-server hostname

Syntax Description

hostname1 ...hostname10

Specifies the IP address of the DHCP server. You can specify up to 10 DHCP servers.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tunnel-group general attributes configuration

 

   

Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

You can apply this attribute to IPSec remote access tunnel-group types only.

Examples

The following command entered in config-general configuration mode, adds three DHCP servers (dhcp1, dhcp2, and dhcp3) to the IPSec remote-access tunnel group remotegrp:

hostname(config)# tunnel-group remotegrp type ipsec_ra
hostname(config)# tunnel-group remotegrp general
hostname(config-general)# default-group-policy remotegrp
hostname(config-general)# dhcp-server dhcp1 dhcp2 dhcp3
hostname(config-general)

Related Commands

Command
Description

clear-configure tunnel-group

Clears all configured tunnel groups.

show running-config tunnel group

Shows the tunnel group configuration for all tunnel groups or for a particular tunnel group.

tunnel-group-map default group

Associates the certificate map entries created using the crypto ca certificate map command with tunnel groups.


dhcpd address

To define the IP address pool used by the DHCP server, use the dhcpd address command in global configuration mode. To remove an existing DHCP address pool, use the no form of this command.

dhcpd address IP_address1[-IP_address2] interface_name

no dhcpd address interface_name

Syntax Description

interface_name

Interface the address pool is assigned to.

IP_address1

Start address of the DHCP address pool.

IP_address2

End address of the DHCP address pool.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The dhcpd address ip1[-ip2] interface_name command specifies the DHCP server address pool. The address pool of a security appliance DHCP server must be within the same subnet of the security appliance interface on which it is enabled, and you must specify the associated security appliance interface using interface_name.

The size of the address pool is limited to 256 addresses per pool on the security appliance. If the address pool range is larger than 253 addresses, the netmask of the security appliance interface cannot be a Class C address (for example, 255.255.255.0) and needs to be something larger, for example, 255.255.254.0.

DHCP clients must be physically connected to the subnet of the security appliance DCHP server interface.

The dhcpd address command cannot use interface names with a "-" (dash) character because the "-" character is interpreted as a range specifier instead of as part of the object name.

The no dhcpd address interface_name command removes the DHCP server address pool that you configured for the specified interface.

Refer to the Cisco Security Appliance Command Line Configuration Guide for information on how to implement the DHCP server feature into the security appliance.

Examples

The following example shows how to use the dhcpd address, dhcpd dns, and dhcpd enable interface_name commands to configure an address pool and DNS server for the DHCP clients on the dmz interface of the security appliance:

hostname(config)# dhcpd address 10.0.1.100-10.0.1.108 dmz
hostname(config)# dhcpd dns 209.165.200.226
hostname(config)# dhcpd enable dmz

The following example shows how to configure a DHCP server on the inside interface. It uses the dhcpd address command to assign a pool of 10 IP addresses to the DHCP server on that interface.

hostname(config)# dhcpd address 10.0.1.101-10.0.1.110 inside
hostname(config)# dhcpd dns 198.162.1.2 198.162.1.3
hostname(config)# dhcpd wins 198.162.1.4
hostname(config)# dhcpd lease 3000
hostname(config)# dhcpd ping_timeout 1000
hostname(config)# dhcpd domain example.com
hostname(config)# dhcpd enable inside

Related Commands

Command
Description

clear configure dhcpd

Removes all DHCP server settings.

dhcpd enable

Enables the DHCP server on the specified interface.

show dhcpd

Displays DHCP binding, statistic, or state information.

show running-config dhcpd

Displays the current DHCP server configuration.


dhcpd auto_config

To enable the security appliance to automatically configure DNS, WINS and domain name values for the DHCP server based on the values obtained from an interface running a DHCP client, use the dhcpd auto_config command in global configuration mode. To discontinue the automatic configuration of DHCP parameters, use the no form of this command.

dhcpd auto_config client_if_name

no dhcpd auto_config client_if_name

Syntax Description

client_if_name

Specifies the interface running the DHCP client that supplies the DNS, WINS, and domain name parameters.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

If you specify DNS, WINS, or domain name parameters using the CLI commands, then the CLI-configured parameters overwrite the parameters obtained by automatic configuration.

Examples

The following example shows how to configure DHCP on the inside interface. The dhcpd auto_config command is used to pass DNS, WINS, and domain information obtained from the DHCP client on the outside interface to the DHCP clients on the inside interface.

hostname(config)# dhcpd address 10.0.1.101-10.0.1.110 inside
hostname(config)# dhcpd autoconfig outside
hostname(config)# dhcpd enable inside

Related Commands

Command
Description

clear configure dhcpd

Removes all DHCP server settings.

dhcpd enable

Enables the DHCP server on the specified interface.

show ip address dhcp server

Displays detailed information about the DHCP options provided by a DHCP server to an interface acting as a DHCP client.

show running-config dhcpd

Displays the current DHCP server configuration.


dhcpd dns

To define the DNS servers for DHCP clients, use the dhcpd dns command in global configuration mode. To clear defined servers, use the no form of this command.

dhcpd dns dnsip1 [dnsip2]

no dhcpd dns [dnsip1 [dnsip2]]

Syntax Description

dnsip1

IP address of the primary DNS server for the DHCP client.

dnsip2

(Optional) IP address of the alternate DNS server for the DHCP client.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The dhcpd dns command lets you specify the IP address or addresses of the DNS server(s) for the DHCP client. You can specify two DNS servers. The no dhcpd dns command lets you remove the DNS IP address(es) from the configuration.

Examples

The following example shows how to use the dhcpd address, dhcpd dns, and dhcpd enable interface_name commands to configure an address pool and DNS server for the DHCP clients on the dmz interface of the security appliance.

hostname(config)# dhcpd address 10.0.1.100-10.0.1.108 dmz
hostname(config)# dhcpd dns 192.168.1.2
hostname(config)# dhcpd enable dmz

Related Commands

Command
Description

clear configure dhcpd

Removes all DHCP server settings.

dhcpd address

Specifies the address pool used by the DHCP server on the specified interface.

dhcpd enable

Enables the DHCP server on the specified interface.

dhcpd wins

Defines the WINS servers for DHCP clients.

show running-config dhcpd

Displays the current DHCP server configuration.


dhcpd domain

To define the DNS domain name for DHCP clients, use the dhcpd domain command in global configuration mode. To clear the DNS domain name, use the no form of this command.

dhcpd domain domain_name

no dhcpd domain [domain_name]

Syntax Description

domain_name

The DNS domain name, for example example.com.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The dhcpd domain command lets you specify the DNS domain name for the DHCP client. The no dhcpd domain command lets you remove the DNS domain server from the configuration.

Examples

The following example shows how to use the dhcpd domain command to configure the domain name supplied to DHCP clients by the DHCP server on the security appliance:

hostname(config)# dhcpd address 10.0.1.101-10.0.1.110 inside
hostname(config)# dhcpd dns 198.162.1.2 198.162.1.3
hostname(config)# dhcpd wins 198.162.1.4
hostname(config)# dhcpd lease 3000
hostname(config)# dhcpd ping_timeout 1000
hostname(config)# dhcpd domain example.com
hostname(config)# dhcpd enable inside

Related Commands

Command
Description

clear configure dhcpd

Removes all DHCP server settings.

show running-config dhcpd

Displays the current DHCP server configuration.


dhcpd enable

To enable the DHCP server, use the dhcpd enable command in global configuration mode. To disable the DHCP server, use the no form of this command. The DHCP server provides network configuration parameters to DHCP clients. Support for the DHCP server within the security appliance means that the security appliance can use DHCP to configure connected clients.

dhcpd enable interface

no dhcpd enable interface

Syntax Description

interface

Specifies the interface on which to enable the DHCP server.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The dhcpd enable interface command lets you enable the DHCP daemon to listen for the DHCP client requests on the DHCP-enabled interface. The no dhcpd enable command disables the DHCP server feature on the specified interface.


Note For multiple context mode, you cannot enable the DHCP server on an interface that is used by more than one context (a shared VLAN).


When the security appliance responds to a DHCP client request, it uses the IP address and subnet mask of the interface where the request was received as the IP address and subnet mask of the default gateway in the response.


Note The security appliance DHCP server daemon does not support clients that are not directly connected to a security appliance interface.


Refer to the Cisco Security Appliance Command Line Configuration Guide for information on how to implement the DHCP server feature into the security appliance.

Examples

The following example shows how to use the dhcpd enable command to enable the DHCP server on the inside interface:

hostname(config)# dhcpd address 10.0.1.101-10.0.1.110 inside
hostname(config)# dhcpd dns 198.162.1.2 198.162.1.3
hostname(config)# dhcpd wins 198.162.1.4
hostname(config)# dhcpd lease 3000
hostname(config)# dhcpd ping_timeout 1000
hostname(config)# dhcpd domain example.com
hostname(config)# dhcpd enable inside

Related Commands

Command
Description

debug dhcpd

Displays debug information for the DHCP server.

dhcpd address

Specifies the address pool used by the DHCP server on the specified interface.

show dhcpd

Displays DHCP binding, statistic, or state information.

show running-config dhcpd

Displays the current DHCP server configuration.


dhcpd lease

To specify the DHCP lease length, use the dhcpd lease command in global configuration mode. To restore the default value for the lease, use the no form of this command.

dhcpd lease lease_length

no dhcpd lease [lease_length]

Syntax Description

lease_length

Length of the IP address lease, in seconds, granted to the DHCP client from the DHCP server; valid values are from 300 to 1048575 seconds.


Defaults

The default lease_length is 3600 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The dhcpd lease command lets you specify the length of the lease, in seconds, that is granted to the DHCP client. This lease indicates how long the DHCP client can use the assigned IP address that the DHCP server granted.

The no dhcpd lease command lets you remove the lease length that you specified from the configuration and replaces this value with the default value of 3600 seconds.

Examples

The following example shows how to use the dhcpd lease command to specify the length of the lease of DHCP information for DHCP clients:

hostname(config)# dhcpd address 10.0.1.101-10.0.1.110 inside
hostname(config)# dhcpd dns 198.162.1.2 198.162.1.3
hostname(config)# dhcpd wins 198.162.1.4
hostname(config)# dhcpd lease 3000
hostname(config)# dhcpd ping_timeout 1000
hostname(config)# dhcpd domain example.com
hostname(config)# dhcpd enable inside

Related Commands

Command
Description

clear configure dhcpd

Removes all DHCP server settings.

show running-config dhcpd

Displays the current DHCP server configuration.


dhcpd option

To configure DHCP options, use the dhcpd option command in global configuration mode. To clear the option, use the no form of this command. You can use the dhcpd option command to provide TFTP server information to Cisco IP Phones and routers.

dhcpd option code {ascii string} | {ip IP_address [IP_address]} | {hex hex_string}

no dhcpd option code

Syntax Description

ascii

Specifies that the option parameter is an ASCII character string.

code

A number representing the DHCP option being set. Valid values are 0 to 255.

hex

Specifies that the option parameter is a hexadecimal string.

hex_string

Specifies a hexadecimal string with an even number of digits and no spaces. You do not need to use a 0x prefix.

ip

Specifies that the option parameter is an IP address. You can specify a maximum of two IP addresses with the ip keyword.

IP_address

Specifies a dotted-decimal IP address.

string

Specifies an ASCII character string without spaces.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

When a DHCP option request arrives at the security appliance DHCP server, the security appliance places the value or values that are specified by the dhcpd option command in the response to the client.

The dhcpd option 66 and dhcpd option 150 commands specify TFTP servers that Cisco IP Phones and routers can use to download configuration files. Use the commands as follows:

dhcpd option 66 ascii string, where string is either the IP address or hostname of the TFTP server. Only one TFTP server can be specified for option 66.

dhcpd option 150 ip IP_address [IP_address], where IP_address is the IP address of the TFTP server. You can specify a maximum of two IP addresses for option 150.


Note The dhcpd option 66 command only takes an ascii parameter, and the dhcpd option 150 only takes an ip parameter.


Use the following guidelines when specifying an IP address for the dhcpd option 66 | 150 commands:

If the TFTP server is located on the DHCP server interface, use the local IP address of the TFTP server.

If the TFTP server is located on a less secure interface than the DHCP server interface, then general outbound rules apply. Create a group of NAT, global, and access-list entries for the DHCP clients, and use the actual IP address of the TFTP server.

If the TFTP server is located on a more secure interface, then general inbound rules apply. Create a group of static and access-list statements for the TFTP server and use the global IP address of the TFTP server.

For information about other DHCP options, refer to RFC2132.

Examples

The following example shows how to specify a TFTP server for DHCP option 66:

hostname(config)# dhcpd option 66 ascii MyTftpServer

Related Commands

Command
Description

clear configure dhcpd

Removes all DHCP server settings.

show running-config dhcpd

Displays the current DHCP server configuration.


dhcpd ping_timeout

To change the default timeout for DHCP ping, use the dhcpd ping_timeout command in global configuration mode. To return to the default value, use the no form of this command. To avoid address conflicts, the DHCP server sends two ICMP ping packets to an address before assigning that address to a DHCP client. This command specifies the ping timeout in milliseconds.

dhcpd ping_timeout number

no dhcpd ping_timeout

Syntax Description

number

The timeout value of the ping, in milliseconds. The minimum value is 10, the maximum is 10000. The default is 50.


Defaults

The default number of milliseconds for number is 50.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The security appliance waits for both ICMP ping packets to time out before assigning an IP address to a DHCP client. For example, if the default value is used, the security appliance waits for 1500 milliseconds (750 milliseconds for each ICMP ping packet) before assigning an IP address.

A long ping timeout value can adversely affect the performance of the DHCP server.

Examples

The following example shows how to use the dhcpd ping_timeout command to change the ping timeout value for the DHCP server:

hostname(config)# dhcpd address 10.0.1.101-10.0.1.110 inside
hostname(config)# dhcpd dns 198.162.1.2 198.162.1.3
hostname(config)# dhcpd wins 198.162.1.4
hostname(config)# dhcpd lease 3000
hostname(config)# dhcpd ping_timeout 1000
hostname(config)# dhcpd domain example.com
hostname(config)# dhcpd enable inside

Related Commands

Command
Description

clear configure dhcpd

Removes all DHCP server settings.

show running-config dhcpd

Displays the current DHCP server configuration.


dhcpd wins

To define the WINS servers for DHCP clients, use the dhcpd wins command in global configuration mode. To remove the WINS servers from the DHCP server, use the no form of this command.

dhcpd wins server1 [server2]

no dhcpd wins [server1 [server2]]

Syntax Description

server1

Specifies the IP address of the primary Microsoft NetBIOS name server (WINS server).

server2

(Optional) Specifies the IP address of the alternate Microsoft NetBIOS name server (WINS server).


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The dhcpd wins command lets you specify the addresses of the WINS servers for the DHCP client. The no dhcpd wins command removes the WINS server IP addresses from the configuration.

Examples

The following example shows how to use the dhcpd wins command to specify WINS server information that is sent to DHCP clients:

hostname(config)# dhcpd address 10.0.1.101-10.0.1.110 inside
hostname(config)# dhcpd dns 198.162.1.2 198.162.1.3
hostname(config)# dhcpd wins 198.162.1.4
hostname(config)# dhcpd lease 3000
hostname(config)# dhcpd ping_timeout 1000
hostname(config)# dhcpd domain example.com
hostname(config)# dhcpd enable inside

Related Commands

Command
Description

clear configure dhcpd

Removes all DHCP server settings.

dhcpd address

Specifies the address pool used by the DHCP server on the specified interface.

dhcpd dns

Defines the DNS servers for DHCP clients.

show dhcpd

Displays DHCP binding, statistic, or state information.

show running-config dhcpd

Displays the current DHCP server configuration.


dhcprelay enable

To enable the DHCP relay agent, use the dhcprelay enable command in global configuration mode. To disable DHCP relay agent, use the no form of this command. The DHCP relay agent allows DHCP requests to be forwarded from a specified security appliance interface to a specified DHCP server.

dhcprelay enable interface_name

no dhcprelay enable interface_name

Syntax Description

interface_name

Name of the interface on which the DHCP relay agent accepts client requests.


Defaults

The DHCP relay agent is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

For the security appliance to start the DHCP relay agent with the dhcprelay enable interface_name command, you must have a dhcprelay server command already in the configuration. Otherwise, the security appliance displays an error message similar to the following:

DHCPRA: Warning - There are no DHCP servers configured!
No relaying can be done without a server!
Use the 'dhcprelay server <server_ip> <server_interface>' command

You cannot enable DHCP relay under the following conditions:

You cannot enable DHCP relay and the DHCP relay server on the same interface.

You cannot enable DCHP relay and a DHCP server (dhcpd enable) on the same interface.

You cannot enable DHCP relay in a context at the same time as the DHCP server.

For multiple context mode, you cannot enable DHCP relay on an interface that is used by more than one context (a shared VLAN).

The no dhcprelay enable interface_name command removes the DHCP relay agent configuration for the interface that is specified by interface_name only.

Examples

The following example shows how to configure the DHCP relay agent for a DHCP server with an IP address of 10.1.1.1 on the outside interface of the security appliance, client requests on the inside interface of the security appliance, and a timeout value up to 90 seconds:

hostname(config)# dhcprelay server 10.1.1.1 outside
hostname(config)# dhcprelay timeout 90
hostname(config)# dhcprelay enable inside
hostname(config)# show running-config dhcprelay
dhcprelay server 10.1.1.1 outside
dhcprelay enable inside
dhcprelay timeout 90

The following example shows how to disable the DHCP relay agent:

hostname(config)# no dhcprelay enable inside
hostname(config)# show running-config dhcprelay
dhcprelay server 10.1.1.1 outside
dhcprelay timeout 90

Related Commands

Command
Description

clear configure dhcprelay

Removes all DHCP relay agent settings.

debug dhcp relay

Displays debug information for the DHCP relay agent.

dhcprelay server

Specifies the DHCP server that the DHCP relay agent forwards DHCP requests to.

dhcprelay setroute

Defines IP address that the DHCP relay agent uses as the default router address in DHCP replies.

show running-config dhcprelay

Displays the current DHCP relay agent configuration.


dhcprelay server

To specify the DHCP server that DHCP requests are forwarded to, use the dhcpreplay server command in global configuration mode. To remove the DHCP server from the DHCP relay configuration, use the no form of this command. The DHCP relay agent allows DHCP requests to be forwarded from a specified security appliance interface to a specified DHCP server.

dhcprelay server IP_address interface_name

no dhcprelay server IP_address [interface_name]

Syntax Description

interface_name

Name of the security appliance interface on which the DHCP server resides.

IP_address

The IP address of the DHCP server to which the DHCP relay agent forwards client DHCP requests.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

You can add up to four DHCP relay servers per interface. You must add at least one dhcprelay server command to the security appliance configuration before you can enter the dhcprelay enable command. You cannot configure a DHCP client on an interface that has a DHCP relay server configured.

The dhcprelay server command opens UDP port 67 on the specified interface and starts the DHCP relay task as soon as the dhcprelay enable command is added to the configuration. If there is no dhcprelay enable command in the configuration, then the sockets are not opened and the DHCP relay task does not start.

When you use the no dhcprelay server IP_address [interface_name] command, the interface stops forwarding DHCP packets to that server.

The no dhcprelay server IP_address [interface_name] command removes the DHCP relay agent configuration for the DHCP server that is specified by IP_address [interface_name] only.

Examples

The following example shows how to configure the DHCP relay agent for a DHCP server with an IP address of 10.1.1.1 on the outside interface of the security appliance, client requests on the inside interface of the security appliance, and a timeout value up to 90 seconds:

hostname(config)# dhcprelay server 10.1.1.1 outside
hostname(config)# dhcprelay timeout 90
hostname(config)# dhcprelay enable inside
hostname(config)# show running-config dhcprelay
dhcprelay server 10.1.1.1 outside
dhcprelay enable inside
dhcprelay timeout 90

Related Commands

Command
Description

clear configure dhcprelay

Removes all DHCP relay agent settings.

dhcprelay enable

Enables the DHCP relay agent on the specified interface.

dhcprelay setroute

Defines IP address that the DHCP relay agent uses as the default router address in DHCP replies.

dhcprelay timeout

Specifies the timeout value for the DHCP relay agent.

show running-config dhcprelay

Displays the current DHCP relay agent configuration.


dhcprelay setroute

To set the default gateway address in the DHCP reply, use the dhcprelay setroute command in global configuration mode. To remove the default router, use the no form of this command. This command causes the default IP address of the DHCP reply to be substituted with the address of the specified security appliance interface.

dhcprelay setroute interface

no dhcprelay setroute interface

Syntax Description

interface

Configures the DHCP relay agent to change the first default IP address (in the packet sent from the DHCP server) to the address of interface.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The dhcprelay setroute interface command lets you enable the DHCP relay agent to change the first default router address (in the packet sent from the DHCP server) to the address of interface.

If there is no default router option in the packet, the security appliance adds one containing the address of interface. This action allows the client to set its default route to point to the security appliance.

When you do not configure the dhcprelay setroute interface command (and there is a default router option in the packet), it passes through the security appliance with the router address unaltered.

Examples

The following example shows how to use the dhcprelay setroute command to set the default gateway in the DHCP reply from the external DHCP server to the inside interface of the security appliance:

hostname(config)# dhcprelay server 10.1.1.1 outside
hostname(config)# dhcprelay timeout 90
hostname(config)# dhcprelay setroute inside
hostname(config)# dhcprelay enable inside

Related Commands

Command
Description

clear configure dhcprelay

Removes all DHCP relay agent settings.

dhcprelay enable

Enables the DHCP relay agent on the specified interface.

dhcprelay server

Specifies the DHCP server that the DHCP relay agent forwards DHCP requests to.

dhcprelay timeout

Specifies the timeout value for the DHCP relay agent.

show running-config dhcprelay

Displays the current DHCP relay agent configuration.


dhcprelay timeout

To set the DHCP relay agent timeout value, use the dhcprelay timeout command in global configuration mode. To restore the timeout value to its default value, use the no form of this command.

dhcprelay timeout seconds

no dhcprelay timeout

Syntax Description

seconds

Specifies the number of seconds that are allowed for DHCP relay address negotiation.


Defaults

The default value for the dhcprelay timeout is 60 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The dhcprelay timeout command lets you set the amount of time, in seconds, allowed for responses from the DHCP server to pass to the DHCP client through the relay binding structure.

Examples

The following example shows how to configure the DHCP relay agent for a DHCP server with an IP address of 10.1.1.1 on the outside interface of the security appliance, client requests on the inside interface of the security appliance, and a timeout value up to 90 seconds:

hostname(config)# dhcprelay server 10.1.1.1 outside
hostname(config)# dhcprelay timeout 90
hostname(config)# dhcprelay enable inside
hostname(config)# show running-config dhcprelay
dhcprelay server 10.1.1.1 outside
dhcprelay enable inside
dhcprelay timeout 90

Related Commands

Command
Description

clear configure dhcprelay

Removes all DHCP relay agent settings.

dhcprelay enable

Enables the DHCP relay agent on the specified interface.

dhcprelay server

Specifies the DHCP server that the DHCP relay agent forwards DHCP requests to.

dhcprelay setroute

Defines IP address that the DHCP relay agent uses as the default router address in DHCP replies.

show running-config dhcprelay

Displays the current DHCP relay agent configuration.


dir

To display the directory contents, use the dir command in privileged EXEC mode.

dir [/all] [all-filesystems] [/recursive] [disk0: | disk1: | flash: | system:] [path]

Syntax Description

/all

(Optional) Displays all files.

all-filesystems

(Optional) Displays the files of all filesystems

disk0:

(Optional) Specifies the internal Flash memory, followed by a colon.

disk1:

(Optional) Specifies the external Flash memory card, followed by a colon.

/recursive

(Optional) Displays the directory contents recursively.

system:

(Optional) Displays the directory contents of the file system.

flash:

(Optional) Displays the directory contents of the default Flash partition.

path

(Optional) Specifies a specific path.


Defaults

If you do not specify a directory, the directory is the current working directory by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The dir command without keywords or arguments displays the directory contents of the current directory.

Examples

The following example shows how to display the directory contents:

hostname# dir
Directory of disk0:/

1      -rw-  1519        10:03:50 Jul 14 2003    my_context.cfg
2      -rw-  1516        10:04:02 Jul 14 2003    my_context.cfg
3      -rw-  1516        10:01:34 Jul 14 2003    admin.cfg
60985344 bytes total (60973056 bytes free)

This example shows how to display recursively the contents of the entire file system:

hostname# dir /recursive disk0:
Directory of disk0:/*
1      -rw-  1519        10:03:50 Jul 14 2003    my_context.cfg
2      -rw-  1516        10:04:02 Jul 14 2003    my_context.cfg
3      -rw-  1516        10:01:34 Jul 14 2003    admin.cfg
60985344 bytes total (60973056 bytes free)

This example shows how display the contents of the Flash partition:

hostname# dir flash:
Directory of disk0:/*
1      -rw-  1519        10:03:50 Jul 14 2003    my_context.cfg
2      -rw-  1516        10:04:02 Jul 14 2003    my_context.cfg
3      -rw-  1516        10:01:34 Jul 14 2003    admin.cfg
60985344 bytes total (60973056 bytes free)

Related Commands

Command
Description

cd

Changes the current working directory to the one specified.

pwd

Displays the current working directory.

mkdir

Creates a directory.

rmdir

Removes a directory.


disable

To exit privileged EXEC mode and return to unprivileged EXEC mode, use the disable command in privileged EXEC mode.

disable

Syntax Description

This command has no arguments or keywords.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Use the enable command to enter privileged mode. The disable command allows you to exit privileged mode and returns you to unprivileged mode.

Examples

The following example shows how to enter privileged mode:

hostname> enable
hostname#

The following example shows how to exit privileged mode:

hostname# disable
hostname>

Related Commands

Command
Description

enable

Enables privileged EXEC mode.


distance ospf

To define OSPF route administrative distances based on route type, use the distance ospf command in router configuration mode. To restore the default values, use the no form of this command.

distance ospf [intra-area d1] [inter-area d2] [external d3]

no distance ospf

Syntax Description

d1, d2, and d3

Distance for each route types. Valid values range from 1 to 255.

external

(Optional) Sets the distance for routes from other routing domains that are learned by redistribution.

inter-area

(Optional) Sets the distance for all routes from one area to another area.

intra-area

(Optional) Sets the distance for all routes within an area.


Defaults

The default values for d1, d2, and d3 are 110.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Router configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

You must specify at least one keyword and argument. You can enter the commands for each type of administrative distance separately, however they appear as a single command in the configuration. If you reenter an administrative distance, the administrative distance for only that route type changes; the administrative distances for any other route types remain unaffected.

The no form of the command does not take any keywords or arguments. Using the no form of the command restores the default administrative distance for all of the route types. If you want to restore the default administrative distance for a single route type when you have multiple route types configured, you can do one of the following:

Manually set that route type to the default value.

Use the no form of the command to remove the entire configuration and then re-enter the configurations for the route types you want to keep.

Examples

The following example sets the administrative distance of external routes to 150:

hostname(config-router)# distance ospf external 105 
hostname(config-router)#

The following example shows how entering separate commands for each route type appears as a single command in the router configuration:

hostname(config-router)# distance ospf intra-area 105 inter-area 105
hostname(config-router)# distance ospf intra-area 105
hostname(config-router)# distance ospf external 105
hostname(config-router)# exit
hostname(config)# show running-config router ospf 1
!
router ospf 1
 distance ospf intra-area 105 inter-area 105 external 105
!
hostname(config)#

The following example shows how to set each administrative distance to 105, and then change only the external administrative distance to 150. The show running-config router ospf command shows how only the external route type value changed, while the other route types retained the value previously set.

hostname(config-router)# distance ospf external 105 intra-area 105 inter-area 105
hostname(config-router)# distance ospf external 150
hostname(config-router)# exit
hostname(config)# show running-config router ospf 1
!
router ospf 1
 distance ospf intra-area 105 inter-area 105 external 150
!
hostname(config)#

Related Commands

Command
Description

router ospf

Enters router configuration mode.

show running-config router

Displays the commands in the global router configuration.


dns domain-lookup

To enable the security appliance to send DNS requests to a DNS server to perform a name lookup for supported commands, use the dns domain-lookup command in global configuration mode. To disable DNS lookup, use the no form of this command.

dns domain-lookup interface_name

no dns domain-lookup interface_name

Syntax Description

interface_name

Specifies the interface on which you want to enable DNS lookup. If you enter this command multiple times to enable DNS lookup on multiple interfaces, the security appliance tries each interface in order until it receives a response.


Defaults

DNS lookup is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Use the dns name-server command to configure the DNS server addresses to which you want to send DNS requests. See the dns name-server command for a list of commands that support DNS lookup.

The security appliance maintains a cache of name resolutions that consists of dynamically learned entries. Instead of making queries to external DNS servers each time an hostname-to-IP-address translation is needed, the security appliance caches information returned from external DNS requests. The security appliance only makes requests for names that are not in the cache. The cache entries time out automatically according to the DNS record expiration, or after 72 hours, whichever comes first.

Examples

The following example enables DNS lookup on the inside interface:

hostname(config)# dns domain-lookup inside

Related Commands

Command
Description

dns name-server

Configures a DNS server address.

dns retries

Specifies the number of times to retry the list of DNS servers when the security appliance does not receive a response.

dns timeout

Specifies the amount of time to wait before trying the next DNS server.

domain-name

Sets the default domain name.

show dns-hosts

Shows the DNS cache.


dns-guard

To enable the DNS guard function, use the dns-guard command in global configuration mode. To disable the DNS guard feature, use the no form of this command.

dns-guard

no dns-guard

Defaults

This command is enabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(5)

This command was introduced.


Usage Guidelines

DNS guard tears down the DNS session associated with a DNS request as soon as the DNS response is forwarded by the security appliance. DNS guard also monitors the message exchange to ensure that the ID of the DNS response matches the ID of the DNS request.

The dns-guard command provides the capability to turn on or off the DNS guard function when DNS inspection is not enabled (when the inspect dns command is not configured). This command is only effective on the interfaces without DNS inspection. When DNS inspection is effective, the DNS guard function is always performed.

DNS guard is enabled together with the inspect dns command or the fixup protocol dns in earlier versions, and remains active when the inspection is disabled. This is still the default behavior, but now you have the option to disable this function.

Examples

The following example shows how to enable DNS guard:

hostname(config)# dns-guard

The following example shows how to disable DNS guard:

hostname(config)# no dns-guard 

Related Commands

Commands
Description

inspect dns

Enables the DNS inspection.

class-map

Defines the traffic class to which to apply security actions.

policy-map

Associates a class map with specific security actions.

service-policy

Applies a policy map to one or more interfaces.


dns name-server

To identify one or more DNS servers, use the dns name-server command in global configuration mode. To remove a server, use the no form of this command. The security appliance uses DNS to resolve server names in your WebVPN configuration or certificate configuration (see "Usage Guidelines" for a list of supported commands). Other features that define server names (such as AAA) do not support DNS resolution. You must enter the IP address or manually resolve the name to an IP address by using the name command.

dns name-server ip_address [ip_address2] [...] [ip_address6]

no dns name-server ip_address [ip_address2] [...] [ip_address6]

Syntax Description

ip_address

Specifies the DNS server IP address. You can specify up to six addresses as separate commands, or for convenience, up to six addresses in one command separated by spaces. If you enter multiple servers in one command, the security appliance saves each server in a separate command in the configuration. The security appliance tries each DNS server in order until it receives a response.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

To enable DNS lookup, configure the dns domain-lookup command. If you do not enable DNS lookup, the DNS servers are not used.

WebVPN commands that support DNS resolution include the following:

server (pop3s)

server (imap4s)

server (smtps)

port-forward

url-list

Certificate commands that support DNS resolution include the following:

enrollment url

url

You can manually enter names and IP addresses using the name command.

See the dns retries command to set how many times the security appliance tries the list of DNS servers.

Examples

The following example adds three DNS servers:

hostname(config)# dns name-server 10.1.1.1 10.2.3.4 192.168.5.5

The security appliance saves the configuration as separate commands, as follows:

dns name-server 10.1.1.1
dns name-server 10.2.3.4
dns name-server 192.168.5.5

To add two additional servers, you can enter them as one command:

hostname(config)# dns name-server 10.5.1.1 10.8.3.8
hostname(config)# show running-config dns
dns name-server 10.1.1.1
dns name-server 10.2.3.4
dns name-server 192.168.5.5
dns name-server 10.5.1.1
dns name-server 10.8.3.8
...

Or you can enter them as two commands:

hostname(config)# dns name-server 10.5.1.1
hostname(config)# dns name-server 10.8.3.8

To delete multiple servers you can enter them as multiple commands or as one command, as follows:

hostname(config)# no dns name-server 10.5.1.1 10.8.3.8

Related Commands

Command
Description

dns domain-lookup

Enables the security appliance to perform a name lookup.

dns retries

Specifies the number of times to retry the list of DNS servers when the security appliance does not receive a response.

dns timeout

Specifies the amount of time to wait before trying the next DNS server.

domain-name

Sets the default domain name.

show dns-hosts

Shows the DNS cache.


dns retries

To specify the number of times to retry the list of DNS servers when the security appliance does not receive a response, use the dns retries command in global configuration mode. To restore the default setting, use the no form of this command.

dns retries number

no dns retries [number]

Syntax Description

number

Specifies the number of retries between 0 and 10. The default is 2.


Defaults

The default number of retries is 2.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Add DNS servers using the dns name-server command.

Examples

The following example sets the number of retries to 0. The security appliance only tries each server one time.

hostname(config)# dns retries 0

Related Commands

Command
Description

dns domain-lookup

Enables the security appliance to perform a name lookup.

dns name-server

Configures a DNS server address.

dns timeout

Specifies the amount of time to wait before trying the next DNS server.

domain-name

Sets the default domain name.

show dns-hosts

Shows the DNS cache.


dns timeout

To specify the amount of time to wait before trying the next DNS server, use the dns timeout command in global configuration mode. To restore the default timeout, use the no form of this command.

dns timeout seconds

no dns timeout [seconds]

Syntax Description

seconds

Specifies the timeout in seconds between 1 and 30. The default is 2 seconds. Each time the security appliance retries the list of servers, this timeout doubles. See the dns retries command to configure the number of retries.


Defaults

The default timeout is 2 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example sets the timeout to 1 second:

hostname(config)# dns timeout 1

Related Commands

Command
Description

dns name-server

Configures a DNS server address.

dns retries

Specifies the number of times to retry the list of DNS servers when the security appliance does not receive a response.

dns domain-lookup

Enables the security appliance to perform a name lookup.

domain-name

Sets the default domain name.

show dns-hosts

Shows the DNS cache.


dns-server

To set the IP address of the primary and secondary DNS servers, use the dns-server command in group-policy mode. To remove the attribute from the running configuration, use the no form of this command. This option allows inheritance of a DNS server from another group policy. To prevent inheriting a server, use the dns-server none command.

dns-server {value ip_address [ip_address] | none}

no dns-server

Syntax Description

none

Sets dns-servers to a null value, thereby allowing no DNS servers. Prevents inheriting a value from a default or specified group policy.

value ip_address

Specifies the IP address of the primary and secondary DNS servers.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Every time you issue the dns-server command you overwrite the existing setting. For example, if you configure DNS server x.x.x.x and then configure DNS server y.y.y.y, the second command overwrites the first, and y.y.y.y becomes the sole DNS server. The same holds true for multiple servers. To add a DNS server rather than overwrite previously configured servers, include the IP addresses of all DNS servers when you enter this command.

Examples

The following example shows how to configure DNS servers with the IP addresses 10.10.10.15, 10.10.10.30, and 10.10.10.45 for the group policy named FirstGroup.

hostname(config)# group-policy FirstGroup attributes

hostname(config-group-policy)# dns-server value 10.10.10.15 10.10.10.30 10.10.10.45

domain-name

To set the default domain name, use the domain-name command in global configuration mode. To remove the domain name, use the no form of this command. The security appliance appends the domain name as a suffix to unqualified names. For example, if you set the domain name to "example.com," and specify a syslog server by the unqualified name of "jupiter," then the security appliance qualifies the name to "jupiter.example.com."

domain-name name

no domain-name [name]

Syntax Description

name

Sets the domain name, up to 63 characters.


Defaults

The default domain name is default.domain.invalid.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

For multiple context mode, you can set the domain name for each context, as well as within the system execution space.

Examples

The following example sets the domain as example.com:


hostname(config)# domain-name example.com

Related Commands

Command
Description

dns domain-lookup

Enables the security appliance to perform a name lookup.

dns name-server

Configures a DNS server address.

hostname

Sets the security appliance hostname.

show running-config domain-name

Shows the domain name configuration.


downgrade

To downgrade to a previous version of the operating system software (software image), use the downgrade command in privileged EXEC mode.


Caution Do not load a previous version of software if your PIX security appliance is currently running PIX Version 7.0 or later. Loading a software image from monitor mode, on a PIX security appliance that has a PIX Version 7.0 file system, results in unpredictable behavior and is not supported. We strongly recommend that you use the downgrade command from a running PIX Version 7.0 image that facilitates the downgrade process.

downgrade image_url [activation-key [flash | 4-part_key | file]] [config start_config_url]

Syntax Description

4-part_key

(Optional) Specifies the four-part activation key to write to the image.

If you are using a five-part key, a warning with the list of features that might be lost by going back to the four-part key is generated.

If the system Flash has been reformatted or erased, no default key is available for the downgrade. In that case, the CLI prompts you to enter an activation key at the command line. This is the default behavior if the activation-key keyword is not specified at the command line.

activation-key

(Optional) Specifies the activation key to use with the downgraded software image.

config

(Optional) Specifies the startup configuration file.

file

(Optional) Specifies the path/URL and name of the activation key file to use after the downgrade procedure completes. If the source image file is the one saved in Flash during the upgrade process, the activation key in this file is used with the downgrade.

flash

(Optional) Specifies to look in Flash memory for the four-part activation key that was used on the device prior to using a five-part activation key. This is the default behavior if the activation-key keyword is not specified at the command line.

image_url

Specifies the path/URL and name of the software image to downgrade to. The software image must be a version prior to 7.0.

start_config_url

(Optional) Specifies the path/URL and name of the configuration file to use after the downgrade procedure completes.


Defaults

If the activation-key keyword is not specified, the security appliance tries to use the last four-part activation key used. If the security appliance cannot find a four-part activation key in Flash, the command is rejected and an error message displays. In this case, a valid four-part activation-key must be specified at the command line next time. The default activation key or the user specified activation key is compared with the activation key currently in effect. If there is a potential loss of features by using the chosen activation key, a warning displays with the list of features that could be lost after downgrade.

The security appliance uses downgrade.cfg by default if the startup configuration file is not specified.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

   

Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

This command is not supported on Cisco ASA 5500 series security appliances.


Caution A power failure during the downgrade process might corrupt the Flash memory. As a precaution, backup all data on the Flash memory to an external device prior to starting the downgrade process.

Recovering corrupt Flash memory requires direct console access. See the format command for more information.

Examples

The following example downgrades the software to Release 6.3.3:

hostname# downgrade tftp://17.13.2.25//tftpboot/mananthr/cdisk.6.3.3 activation-key 
32c261f3 062afe24 c94ef2ea 0e299a3f
This command will reformat the flash and automatically reboot the system. 
Do you wish to continue? [confirm] 
Buffering image 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!

Buffering startup config

All items have been buffered successfully. 
If the flash reformat is interrupted or fails, data in flash will be lost 
and the system might drop to monitor mode. 
Do you wish to continue? [confirm]
Installing the correct file system for the image and saving the buffered data 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!! 
Flash downgrade succeeded







Rebooting....

Enter zero actkey:


The following example shows what happens if you enter an invalid activation key:

hostname# downgrade tftp://17.13.2.25//tftpboot/mananthr/cdisk.6.3.3 activation-key 
0 0 0 0 
This command will reformat the flash and automatically reboot the system. 
Do you wish to continue? [confirm] 
Buffering image 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! 
Error: activation key entered is invalid.
 
Enter the file option when there is no actkey in the source image (happens if the source 
is in tftp server). 


The following example shows what happens if you specify the activation key in the source image and it does not exist:

hostname# downgrade tftp://17.13.2.25//tftpboot/mananthr/cdisk.6.3.3 activation-key file 
This command will reformat the flash and automatically reboot the system. 
Do you wish to continue? [confirm] 
Buffering image 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!! 
Activation key does not exist in the source image. 
Please use the activation-key option to specify an activation key.



The following example shows how to abort the downgrade procedure at the final prompt:

hostname# downgrade tftp://17.13.2.25//tftpboot/mananthr/cdisk.6.3.3 
This command will reformat the flash and automatically reboot the system. 
Do you wish to continue? [confirm] 
Buffering image 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!

Buffering startup config

All items have been buffered successfully. 
If the flash reformat is interrupted or fails, data in flash will be lost 
and the system might drop to monitor mode. 
Do you wish to continue? [confirm] ===<typed n here> 
Downgrade process terminated.

To downgrade, the software version must be less than 7.0. The following example shows a failed attempt at downgrading the software:

hostname# downgrade tftp://17.13.2.25//scratch/views/test/target/sw/cdisk 
This command will reformat the flash and automatically reboot the system. 
Do you wish to continue? [confirm] 
Buffering image 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!