Cisco Security Appliance Command Reference, Version 7.0
S Commands
Downloads: This chapterpdf (PDF - 4.62MB) The complete bookPDF (PDF - 18.73MB) | Feedback

S Commands

Table Of Contents

S Commands

same-security-traffic

sdi-pre-5-slave

sdi-version

secondary

secondary-color

secondary-color

secure-unit-authentication

security-level

serial-number

server

server-port

server-separator

service

service password-recovery

service-policy

session

set connection

set connection advanced-options

set connection timeout

set metric

set metric-type

setup

show aaa local user

show aaa-server

show access-list

show activation-key

show admin-context

show arp

show arp-inspection

show arp statistics

show asdm history

show asdm image

show asdm log_sessions

show asdm sessions

show asp drop

show asp table arp

show asp table classify

show asp table interfaces

show asp table routing

show asp table vpn-context

show blocks

show bootvar

show capture

show chardrop

show checkheaps

show checksum

show chunkstat

show clock

show conn

show console-output

show context

show counters

show cpu

show crashinfo

show crashinfo console

show crypto accelerator statistics

show crypto ca certificates

show crypto ca crls

show crypto ipsec df-bit

show crypto ipsec fragmentation

show crypto key mypubkey

show crypto protocol statistics

show ctiqbe

show curpriv

show debug

show dhcpd

show dhcprelay state

show dhcprelay statistics

show disk

show dns-hosts

show failover

show file

show firewall

show flash

show fragment

show gc

show h225

show h245

show h323-ras

show history

show icmp

show idb

show igmp groups

show igmp interface

show igmp traffic

show interface

show interface ip brief

show inventory

show ip address

show ip address dhcp

show ip audit count

show ip verify statistics

show ipsec sa

show ipsec sa summary

show ipsec stats

show ipv6 access-list

show ipv6 interface

show ipv6 neighbor

show ipv6 route

show ipv6 routers

show ipv6 traffic

show isakmp sa

show isakmp stats

show local-host

show logging

show logging rate-limit

show mac-address-table

show management-access

show memory

show memory binsize

show memory delayed-free-poisoner

show memory profile

show memory tracking

show memory-caller address

show mfib

show mfib active

show mfib count

show mfib interface

show mfib reserved

show mfib status

show mfib summary

show mfib verbose

show mgcp

show mode

show module

show mrib client

show mrib route

show mroute

show nameif

show ntp associations

show ntp status

show ospf

show ospf border-routers

show ospf database

show ospf flood-list

show ospf interface

show ospf neighbor

show ospf request-list

show ospf retransmission-list

show ospf summary-address

show ospf virtual-links

show perfmon

show pim df

show pim group-map

show pim interface

show pim join-prune statistic

show pim neighbor

show pim range-list

show pim topology

show pim topology reserved

show pim topology route-count

show pim traffic

show pim tunnel

show priority-queue statistics

show processes

show reload

show resource types

show resource usage

show route

show run fips

show running-config

show running-config aaa

show running-config aaa-server

show running-config aaa-server host

show running-config access-group

show running-config access-list

show running-config alias

show running-config arp

show running-config arp timeout

show running-config arp-inspection

show running-config asdm

show running-config auth-prompt

show running-config banner

show running-config class-map

show running-config clock

show running-config command-alias

show running-config console timeout

show running-config context

show running-config crypto

show running-config crypto dynamic-map

show running-config crypto ipsec

show running-config crypto isakmp

show running-config crypto map

show running-config dhcpd

show running-config dhcprelay

show running-config dns

show running-config domain-name

show running-config enable

show running-config established

show running-config failover

show running-config filter

show running-config fips

show running-config fragment

show running-config ftp-map

show running-config ftp mode

show running-config global

show running-config group-delimiter

show running-config group-policy

show running-config gtp-map

show running-config http

show running-config http-map

show running-config icmp

show running-config imap4s

show running-config interface

show running-config ip address

show running-config ip audit attack

show running-config ip audit info

show running-config ip audit interface

show running-config ip audit name

show running-config ip audit signature

show running-config ip local pool

show running-config ip verify reverse-path

show running-config ipv6

show running-config isakmp

show running-config logging

show logging rate-limit

show running-config mac-address-table

show running-config mac-learn

show running-config mac-list

show running-config management-access

show running-config mgcp-map

show running-config mroute

show running-config mtu

show running-config multicast-routing

show running-config name

show running-config nameif

show running-config names

show running-config nat

show running-config nat-control

show running-config ntp

show running-config object-group

show running-config passwd

show running-config pim

show running-config policy-map

show running-config pop3s

show running-config port-forward

show running-config prefix-list

show running-config priority-queue

show running-config privilege

show running-config rip

show running-config route

show running-config route-map

show running-config router

show running-config same-security-traffic

show running-config service

show running-config service-policy

show running-configuration smtps

show running-config snmp-map

show running-config snmp-server

show running-config ssh

show running-config ssl

show running-config static

show running-config sunrpc-server

show running-config sysopt

show running-config tcp-map

show running-config telnet

show running-config terminal

show running-config tftp-server

show running-config timeout

show running-config tunnel-group

show running-config url-block

show running-config url-cache

show running-configuration url-list

show running-config url-server

show running-config username

show running-config virtual

show running-config vpn load-balancing

show running-configuration vpn-sessiondb

show running-configuration webvpn

show service-policy

show service-policy inspect gtp

show shun

show sip

show skinny

show snmp-server statistics

show ssh sessions

show startup-config

show sunrpc-server active

show tcpstat

show tech-support

show traffic

show uauth

show url-block

show url-cache statistics

show url-server

show version

show vpn load-balancing

show vpn-sessiondb

show vpn-sessiondb ratio

show vpn-sessiondb summary

show xlate

shun

shutdown

smtps

smtp-server

snmp-server

snmp-map

snmp-server enable trap remote-access

speed

split-dns

split-tunnel-network-list

split-tunnel-policy

ssh

ssh disconnect

ssh scopy enable

ssh timeout

ssh version

ssl client-version

ssl encryption

ssl server-version

ssl trust-point

static

strict-http

strip-group

strip-realm

subject-name (crypto ca certificate map)

subject-name (crypto ca trustpoint)

summary-address

sunrpc-server

support-user-cert-validation

syn-data

sysopt connection permit-ipsec

sysopt connection tcpmss

sysopt connection timewait

sysopt nodnsalias

sysopt noproxyarp

sysopt radius ignore-secret

sysopt uauth allow-http-cache


S Commands


same-security-traffic

To permit communication between interfaces with equal security levels, use the same-security-traffic command in global configuration mode. To disable the same-security interfaces, use the no forms of this command.

same-security-traffic permit {inter-interface | intra-interface}

no same-security-traffic permit {inter-interface | intra-interface}

Syntax Description

inter-interface

Permits communication between different interfaces that have the same security level.

intra-interface

Permits communication in and out of the same interface when traffic is IPSec protected.


Defaults

This command has no default settings.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Allowing communication between same security interfaces provides the following benefits:

You can configure more than 101 communicating interfaces. If you use different levels for each interface, you can configure only one interface per level (0 to 100).

You can allow traffic to flow freely between all same security interfaces without access lists.

You can also redirect incoming client VPN traffic back out through the same interface unencrypted as well as encrypted. If you send VPN traffic back out through the same interface unencrypted, you must enable NAT for the interface so that publically routable addresses replace your private ip addresses (unless you already use public ip addresses in your local ip address pool). The following example commands apply an interface PAT rule to traffic sourced from the client ip pool:

hostname(config)# ip local pool clientpool 192.168.0.10-192.168.0.100
hostname(config)# global (outside) 1 interface
hostname config)# nat (outside) 1 192.168.0.0 255.255.255.0


When the security appliance sends encrypted VPN traffic back out this same interface, however, NAT is optional. To apply NAT to all outgoing traffic, implement only the commands above. To exempt the VPN-to-VPN traffic from NAT, add commands (to the example above) that implement NAT exemption for VPN-to-VPN traffic, such as:

hostname(config)# access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.0.0 
255.255.255.0 
hostname(config)# nat (outside) 0 access-list nonat

See the nat command for more information.

Examples

The following example shows how to enable the same-security interface communication:

hostname(config)# same-security-traffic permit inter-interface

Related Commands

Command
Description

show running-config same-security-traffic

Displays the same-security-traffic configuration.


sdi-pre-5-slave

To specify the IP address or name of an optional SDI AAA "slave" server to use for this host connection that uses a version of SDI prior to SDI version 5, use the sdi-pre-5-slave command in AAA-server host configuration mode. To remove this specification, use the no form of this command:

sdi-pre-5-slave host

no sdi-pre-5-slave

Syntax Description

host

Specify the name or IP address of the slave server host.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

AAA-server Host


Command History

Release
Modification

7.0

This command was introduced


Usage Guidelines

This command is available for any host in an SDI AAA servergroup, but it is relevant only if the SDI version for the host is set to sdi-pre-5 in the sdi-version command. Prior to using this command, you must have configured the AAA server to use the SDI protocol.

The sdi-pre-5-slave command lets you identify an optional secondary server that is to be used if the primary server fails. The address specified by this command must be that of a server that is configured as a "slave" to the primary SDI server. In this situation, if you are using a pre-5 version, you must configure the sdi-pre-5-slave command so that the security appliance can access the appropriate SDI configuration record that is downloaded from the server. This is not an issue with version 5 and later versions.

Examples

The following example configures the AAA SDI server group "svrgrp1" that uses an SDI version prior to SDI version 5.

hostname(config)# aaa-server svrgrp1 protocol sdi
hostname(config-aaa-server-group)# aaa-server svrgrp1 host 192.168.10.10
hostname(config-aaa-server-host)# sdi-version sdi-pre-5
hostname(config-aaa-server-host)# sdi-pre-5-slave 209.165.201.31
hostname(config-aaa-server-host)# exit
hostname(config)# 

Related Commands

Command
Description

aaa-server host

Enter AAA server host configuration mode so you can configure AAA server parameters that are host-specific.

clear configure aaa-server

Removes all AAA server configurations.

sdi-version

Specifies the version of SDI to use for this host connection.

show running-config aaa-server

Displays AAA server statistics for all AAA servers, for a particular server group, for a particular server within a particular group, or for a particular protocol.


sdi-version

To specify the version of SDI to use for this host connection, use the sdi-version command in AAA-server host configuration mode. To remove this specification, use the no form of this command:

sdi-version version

no sdi-version

Syntax Description

version

Specify the version of SDI to use.Valid values are:

sdi-5 - SDI version 5.0 (default)

sdi-pre-5 - SDI versions prior to 5.0


Defaults

The default version is sdi-5.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

AAA-server host


Command History

Release
Modification

7.0

This command was introduced


Usage Guidelines

This command is valid only for SDI AAA servers. If you configure a secondary (failover) SDI AAA server, and if the SDI version for that server is earlier than version 5, you must also specify the sdi-pre-5-slave command

Examples

hostname(config)# aaa-server svrgrp1 protocol sdi
hostname(config-aaa-server-group)# aaa-server svrgrp1 host 1.2.3.4
hostname(config-aaa-server-host)# timeout 6
hostname(config-aaa-server-host)# retry-interval 7
hostname(config-aaa-server-host)# sdi-version sdi-5
hostname(config-aaa-server)# exit
hostname(config)# 

Related Commands

Command
Description

aaa-server host

Enter AAA server host configuration mode so you can configure AAA server parameters that are host-specific.

clear configure aaa-server

Remove all AAA configurations.

show running-config aaa-server

Displays AAA server statistics for all AAA servers, for a particular server group, for a particular server within a particular group, or for a particular protocol


secondary

To give the secondary unit higher priority in a failover group, use the secondary command in failover group configuration mode. To restore the default, use the no form of this command.

secondary

no secondary

Syntax Description

This command has no arguments or keywords.

Defaults

If primary or secondary is not specified for a failover group, the failover group defaults to primary.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Failover group configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Assigning a primary or secondary priority to a failover group specifies which unit the failover group becomes active on when both units boot simulataneously (within a unit polltime). If one unit boots before the other, then both failover groups become active on that unit. When the other unit comes online, any failover groups that have the second unit as a priority do not become active on the second unit unless the failover group is configured with the preempt command or is manually forced to the other unit with the no failover active command.

Examples

The following example configures failover group 1 with the primary unit as the higher priority and failover group 2 with the secondary unit as the higher priority. Both failover groups are configured with the preempt command, so the groups will automatically become active on their preferred unit as the units become available.

hostname(config)# failover group 1 
hostname(config-fover-group)# primary
hostname(config-fover-group)# preempt 100
hostname(config-fover-group)# exit
hostname(config)# failover group 2
hostname(config-fover-group)# secondary
hostname(config-fover-group)# preempt 100
hostname(config-fover-group)# mac-address e1 0000.a000.a011 0000.a000.a012 
hostname(config-fover-group)# exit
hostname(config)#

Related Commands

Command
Description

failover group

Defines a failover group for Active/Active failover.

preempt

Forces the failover group to become active on its preferred unit when the unit becomes available.

primary

Gives the primary unit a higher priority than the secondary unit.


secondary-color

To set a secondary color for the WebVPN login, home page, and file access page, use the secondary-color command in webvpn mode. To remove a color from the configuration and reset the default, use the no form of this command.

secondary-color [color]

no secondary-color

Syntax Description

color

(Optional) Specifies the color. You can use a comma separated RGB value, an HTML color value, or the name of the color if recognized in HTML.

RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others.

HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue.

Name length maximum is 32 characters


Defaults

The default secondary color is HTML #CCCCFF, a lavender shade.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The number of RGB values recommended for use is 216, many fewer than the mathematical possibilities. Many displays can handle only 256 colors, and 40 of those look differently on MACs and PCs. For best results, check published RGB tables. To find RGB tables online, enter RGB in a search engine.

Examples

The following example shows how to set an HTML color value of #5F9EAO, which is a teal shade:

hostname(config)# webvpn
hostname(config-webvpn)# secondary-color #5F9EAO

Related Commands

Command
Description

title-color

Sets a color for the WebVPN title bar on the login, home page, and file access page


secondary-color

To set a secondary color for the WebVPN login, home page, and file access page, use the secondary-color command in webvpn mode. To remove a color from the configuration and reset the default, use the no form of this command.

secondary-color [color]

no secondary-color

Syntax Description

color

(Optional) Specifies the color. You can use a comma separated RGB value, an HTML color value, or the name of the color if recognized in HTML.

RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others.

HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue.

Name length maximum is 32 characters


Defaults

The default secondary color is HTML #CCCCFF, a lavender shade.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The number of RGB values recommended for use is 216, many fewer than the mathematical possibilities. Many displays can handle only 256 colors, and 40 of those look differently on MACs and PCs. For best results, check published RGB tables. To find RGB tables online, enter RGB in a search engine.

Examples

The following example shows how to set an HTML color value of #5F9EAO, which is a teal shade:

hostname(config)# webvpn
hostname(config-webvpn)# secondary-color #5F9EAO

Related Commands

Command
Description

title-color

Sets a color for the WebVPN title bar on the login, home page, and file access page


secure-unit-authentication

To enable secure unit authentication, use the secure-unit-authentication enable command in group-policy configuration mode. To disable secure unit authentication, use the secure-unit-authentication disable command. To remove the secure unit authentication attribute from the running configuration, use the no form of this command. This option allows inheritance of a value for secure unit authentication from another group policy.

Secure unit authentication provides additional security by requiring VPN hardware clients to authenticate with a username and password each time the client initiates a tunnel. With this feature enabled, the hardware client does not have a saved username and password.


Note With this feature enabled, to bring up a VPN tunnel, a user must be present to enter the username and password.


secure-unit-authentication {enable | disable}

no secure-unit-authentication

Syntax Description

disable

Disables secure unit authentication.

enable

Enables secure unit authentication.


Defaults

Secure unit authentication is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group policy


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Secure unit authentication requires that you have an authentication server group configured for the tunnel group the hardware client(s) use.

If you require secure unit authentication on the primary security appliance, be sure to configure it on any backup servers as well.

Examples

The following example shows how to enable secure unit authentication for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# secure-unit-authentication enable

Related Commands

Command
Description

ip-phone-bypass

Lets IP phones connect without undergoing user authentication. Secure unit authentication remains in effect.

leap-bypass

Lets LEAP packets from wireless devices behind a VPN hardware client travel across a VPN tunnel prior to user authentication, when enabled. This lets workstations using Cisco wireless access point devices establish LEAP authentication. Then they authenticate again per user authentication.

user-authentication

Requires users behind a hardware client to identify themselves to the security appliance before connecting.


security-level

To set the security level of an interface, use the security-level command in interface configuration mode. To set the security level to the default, use the no form of this command. The security level protects higher security networks from lower security networks by imposing additional protection between the two.

security-level number

no security-level

Syntax Description

number

An integer between 0 (lowest) and 100 (highest).


Defaults

By default, the security level is 0.

If you name an interface "inside" and you do not set the security level explicitly, then the security appliance sets the security level to 100 (see the nameif command). You can change this level if desired.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.0

This command was moved from a keyword of the nameif command to an interface configuration mode command.


Usage Guidelines

The level controls the following behavior:

Network access—By default, there is an implicit permit from a higher security interface to a lower security interface (outbound). Hosts on the higher security interface can access any host on a lower security interface. You can limit access by applying an access list to the interface.

For same security interfaces, there is an implicit permit for interfaces to access other interfaces on the same security level or lower.

Inspection engines—Some inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.

NetBIOS inspection engine—Applied only for outbound connections.

OraServ inspection engine—If a control connection for the OraServ port exists between a pair of hosts, then only an inbound data connection is permitted through the security appliance.

Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level).

For same security interfaces, you can filter traffic in either direction.

NAT control—When you enable NAT control, you must configure NAT for hosts on a higher security interface (inside) when they access hosts on a lower security interface (outside).

Without NAT control, or for same security interfaces, you can choose to use NAT between any interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside interface might require a special keyword.

established command—This command allows return connections from a lower security host to a higher security host if there is already an established connection from the higher level host to the lower level host.

For same security interfaces, you can configure established commands for both directions.

Normally, interfaces on the same security level cannot communicate. If you want interfaces on the same security level to communicate, see the same-security-traffic command. You might want to assign two interfaces to the same level and allow them to communicate if you want to create more than 101 communicating interfaces, or you want protection features to be applied equally for traffic between two interfaces; for example, you have two departments that are equally secure.

If you change the security level of an interface, and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command.

Examples

The following example configures the security levels for two interfaces to be 100 and 0:

hostname(config)# interface gigabitethernet0/0
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface gigabitethernet0/1
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 10.1.2.1 255.255.255.0
hostname(config-if)# no shutdown

Related Commands

Command
Description

clear local-host

Resets all connections.

interface

Configures an interface and enters interface configuration mode.

nameif

Sets the interface name.

vlan

Assigns a VLAN ID to a subinterface.


serial-number

To include the security appliance serial number in the certificate during enrollment, use the serial-number command in crypto ca trustpoint configuration mode. To restore the default setting, use the no form of the command.

serial-number

no serial-number

Syntax Description

This command has no arguments or keywords.


Defaults

The default setting is to not include the serial number.

Command Modes

The following table shows the modes in which you can enter the command

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crypto ca trustpoint configuration


:

Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example enters crypto ca trustpoint configuration mode for trustpoint central, and includes the security appliance serial number in the enrollment request for trustpoint central:

hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# serial-number
hostname(ca-trustpoint)# 

Related Commands

Command
Description

crypto ca trustpoint

Enters trustpoint configuration mode.


server

To specify a default e-mail proxy server, use the server command in the applicable e-mail proxy mode. To remove the attribute from the configuration, use the no version of this command. The security appliance sends requests to the default e-mail server when the user connects to the e-mail proxy without specifying a server. If you do not configure a default server, and a user does not specify a server, the security appliance returns an error.

server {ipaddr or hostname}

no server

Syntax Description

hostname

The DNS name of the default e-mail proxy server.

ipaddr

The IP address of the default e-mail proxy server.


Defaults

There is no default e-mail proxy server by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Pop3s

Imap4s

Smtps


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example shows how to set a default POP3S e-mail server with an IP address. of 10.1.1.7:

hostname(config)# pop3s
hostname(config-pop3s)# server 10.1.1.7

server-port

To configure a AAA server port for a host, use the server-port command in AAA-server host mode. To remove the designated server port, use the no form of this command:

server-port port-number

no server-port

Syntax Description

port-number

A port number in the range 0 through 65535.


Defaults

The default server ports are as follows:

SDI—5500

LDAP—389

Kerberos—88

NT—139

TACACS+—49

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

AAA-server group


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example configures an SDI AAA server named "srvgrp1" to use server port number 8888:

hostname(config)# aaa-server srvgrp1 protocol sdi
hostname(config-aaa-server-group)# aaa-server srvgrp1 host 192.168.10.10
hostname(config-aaa-server-host)# server-port 8888
hostname(config-aaa-server-host)# exit
hostname(config)#

Related Commands

Command
Description

aaa-server host

Configures host-specific AAA server parameters.

clear configure aaa-server

Removes all AAA-server configuration.

show running-config aaa-server

Displays AAA server statistics for all AAA servers, for a particular server group, for a particular server within a particular group, or for a particular protocol


server-separator

To specify a character as a delimiter between the e-mail and VPN server names, use server-separator command in the applicable e-mail proxy mode. To revert to the default, ":", use the no form of this command.

server-separator {symbol}

no server-separator

Syntax Description

symbol

The character that separates the e-mail and VPN server names. Choices are "@," (at) "|" (pipe), ":"(colon), "#" (hash), "," (comma), and ";" (semi-colon).


Defaults

The default is "@" (at).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Pop3s

Imap4s

Smtps


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The server separator must be different from the name separator.

Examples

The following example shows how to set a pipe (|) as the server separator for IMAP4S:

hostname(config)# imap4s
hostname(config-imap4s)# server-separator |

Related Commands

Command
Description

name-separator

Separates the e-mail and VPN usernames and passwords.


service

To enable system services, use the service command in global configuration mode. To disable system services, use the no form of this command.

service {resetinbound | resetoutbound} [interface intf]

no service {resetinbound | resetoutbound}[interface intf]

Syntax Description

resetinbound

Sends a reset to a denied inbound TCP packet.

resetoutbound

Sends a reset to a denied TCP packet to the outside interface.

interface

(Optional) Specifies a specific interface.

intf

Name of interface.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.

7.0(5)

This command was modified to include the interface keyword.


Usage Guidelines

The service command works with all inbound TCP connections to static interfaces whose access lists or uauth (user authorization) do not allow inbound connections. One use is for resetting identity request (IDENT) connections. If an inbound TCP connection is attempted and denied, you can use the service resetinbound command to return an RST (reset flag in the TCP header) to the source. Without the keyword, the security appliance drops the packet without returning an RST.

By default a RST is always sent to the inside host when outbound TCP traffic is denied. The keyword resetoutbound is used to change this default. For example, if traffic is outbound through the security appliance, and the no service resetoutbound command is configured globally or on that interface, we do not send RST.

With the optional interface keyword, the TCP reset is sent only when outbound packets are denied on that interface.

The security appliance sends a TCP RST to the host connecting inbound and stops the incoming IDENT process so that outbound e-mail can be transmitted without having to wait for IDENT to time out. The security appliance sends a syslog message stating that the incoming connection was denied. Without entering the service resetinbound command, the security appliance drops packets that are denied and generates a syslog message stating that the SYN was denied. However, outside hosts keep retransmitting the SYN until the IDENT times out.

When an IDENT connection times out, the connections slow down. Perform a trace to determine that IDENT is causing the delay and then enter the service command.

Use the service resetinbound command to handle an IDENT connection through the security appliance. These methods for handling IDENT connections are ranked from most secure to the least secure:

1. Use the service resetinbound command.

2. Use the established command with the permitto tcp 113 keyword.

3. Enter the static and access-list commands to open TCP port 113.

When using the aaa command, if the first attempt at authorization fails and a second attempt causes a timeout, use the service resetinbound command to reset the client that failed the authorization so that it will not retransmit any connections. An example authorization timeout message in Telnet is as follows:

Unable to connect to remote host: Connection timed out

The following is the expected behavior of traffic on the security appliance in regards to the reset flag.

1. If resetinbound is configured and if denied traffic flows from a low security interface to high security interface, then a reset is sent.

2. If resetinbound is configured and if denied traffic flows from an interface to another interface with the same security, then a reset is sent.

3. If resetinbound is not configured and if denied traffic flows from high security interface to low security interface, then a reset is sent.

If you use the resetoutside command, the security appliance actively resets denied TCP packets that terminate at the security appliances least-secure interface. By default, these packets are silently discarded. We recommend that you use the resetoutside keyword with dynamic or static interface Port Address Translation (PAT). The static interface PAT is available with security appliance version 6.0 and higher. This keyword allows the security appliance to terminate the IDENT from an external SMTP or FTP server. Actively resetting these connections avoids the 30-second timeout delay.

Examples

The following example shows how to enable system services:

hostname/context_name(config)# service resetinbound

This example shows how to enable system services on an interface called dmz1:

hostname/context_name(config)# service resetinbound interface dmz1

Related Commands

Command
Description

show running-config service

Displays the system services.


service password-recovery

To enable password recovery, use the service password-recovery command in global configuration mode. To disable password recovery, use the no form of this command. Password recovery is enabled by default, but you might want to disable it to ensure that unauthorized users cannot use the password recovery mechanism to compromise the security appliance.

service password-recovery

no service password-recovery

Syntax Description

This command has no arguments or keywords.

Defaults

Password recovery is enabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

On the ASA 5500 series adaptive security appliance, if you forget the passwords, you can boot the security appliance into ROMMON by pressing the Escape key on the terminal keyboard when prompted during startup. Then set the security appliance to ignore the startup configuration by changing the configuration register (see the config-register command). For example if your configuration register is the default 0x1, then change the value to 0x41 by entering the confreg 0x41 command. After reloading the security appliance, it loads a default configuration, and you can enter privileged EXEC mode using the default passwords. Then load the startup configuration by copying it to the running configuration and reset the passwords. Finally, set the security appliance to boot as before by setting the configuration register to the original setting. For example, enter the config-register 0x1 command in global configuration mode.

On the PIX 500 series security appliance, boot the security appliance into monitor mode by pressing the Escape key on the terminal keyboard when prompted during startup. Then download the PIX password tool to the security appliance, which erases all passwords and aaa authentication commands.

On the ASA 5500 series adaptive security appliance, the no service password-recovery command prevents a user from entering ROMMON with the configuration intact. When a user enters ROMMON, the security appliance prompts the user to erase all Flash file systems. The user cannot enter ROMMON without first performing this erasure. If a user chooses not to erase the Flash file system, the security appliance reloads. Because password recovery depends on using ROMMON and maintaining the existing configuration, this erasure prevents you from recovering a password. However, disabling password recovery prevents unauthorized users from viewing the configuration or inserting different passwords. In this case, to recover the system to an operating state, load a new image and a backup configuration file, if available. The service password-recovery command appears in the configuration file for informational purposes only; when you enter the command at the CLI prompt, the setting is saved in NVRAM. The only way to change the setting is to enter the command at the CLI prompt. Loading a new configuration with a different version of the command does not change the setting. If you disable password recovery when the security appliance is configured to ignore the startup configuration at startup (in preparation for password recovery), then the security appliance changes the setting to boot the startup configuration as usual. If you use failover, and the standby unit is configured to ignore the startup configuration, then the same change is made to the configuration register when the no service password recovery command replicates to the standby unit.

On the PIX 500 series security appliance, the no service password-recovery command forces the PIX password tool to prompt the user to erase all Flash file systems. The user cannot use the PIX password tool without first performing this erasure. If a user chooses not to erase the Flash file system, the security appliance reloads. Because password recovery depends on maintaining the existing configuration, this erasure prevents you from recovering a password. However, disabling password recovery prevents unauthorized users from viewing the configuration or inserting different passwords. In this case, to recover the system to an operating state, load a new image and a backup configuration file, if available.

Examples

The following example disables password recovery for the ASA 5500 series adaptive security appliance:

hostname(config)# no service password-recovery
WARNING: Executing "no service password-recovery" has disabled the password recovery 
mechanism and disabled access to ROMMON.  The only means of recovering from lost or 
forgotten passwords will be for ROMMON to erase all file systems including configuration 
files and images.  You should make a backup of your configuration and have a mechanism to 
restore images from the ROMMON command line.

The following example disables password recovery for the PIX 500 series security appliance:

hostname(config)# no service password-recovery
WARNING: Saving "no service password-recovery" in the startup-config will disable password 
recovery via the npdisk application.  The only means of recovering from lost or forgotten 
passwords will be for npdisk to erase all file systems including configuration files and 
images.  You should make a backup of your configuration and have a mechanism to restore 
images from the Monitor Mode command line.

The following example for the ASA 5500 series adaptive security appliance shows when to enter ROMMON at startup and how to complete a password recovery operation.

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.                              
 

Use ? for help.
rommon #0> confreg
 
Current Configuration Register: 0x00000001
Configuration Summary:
  boot default image from Flash
 
Do you wish to change this configuration? y/n [n]: n
 
rommon #1> confreg 0x41
 
Update Config Register (0x41) in NVRAM...
 
rommon #2> boot
Launching BootLoader...
Boot configuration file contains 1 entry.
 

Loading disk0:/ASA_7.0.bin... Booting...
###################
...
Ignoring startup configuration as instructed by configuration register.
Type help or '?' for a list of available commands.
hostname> enable
Password:
hostname# configure terminal
hostname(config)# copy startup-config running-config
 
Destination filename [running-config]?
Cryptochecksum(unchanged): 7708b94c e0e3f0d5 c94dde05 594fbee9
 
892 bytes copied in 6.300 secs (148 bytes/sec)
hostname(config)# enable password NewPassword
hostname(config)# config-register 0x1

Related Commands

Command
Description

config-register

Sets the security appliance to ignore the startup configuration when it reloads.

enable password

Sets the enable password.

password

Sets the login password.


service-policy

To activate a policy map globally on all interfaces or on a targeted interface, use the service-policy command in privileged EXEC mode. To disable, use the no form of this command. Use the service-policy command to enable a set of policies on an interface. In general, a service-policy command can be applied to any interface that can be defined by the nameif command.

service-policy policymap_name [ global | interface intf ]

no service-policy policymap_name [ global | interface intf ]

Syntax Description

policymap_name

A unique alphanumeric policy map identifier.

global

Applies the policy map to all interfaces.

interface

Applies the policy map to a specific interface

intf

The interface name defined in the nameif command.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

If an interface name is specified, the policy-map only applies to the interface. The interface name is defined in the nameif command, and an interface policy-map overrides a global policy-map. Only one policy-map is allowed per interface.

Only one global policy is allowed.

Examples

The following example shows the syntax of the service-policy command:

hostname(config)# service-policy outside_security_map outside

Related Commands

Command
Description

show service-policy

Displays the service policy.

show running-config service-policy

Displays the service policies configured in the running configuration.

clear service-policy

Clears service policy statistics.

clear configure service-policy

Clears service policy configurations.


session

To establish a Telnet session to an AIP SSM, use the session command in privileged EXEC mode.

session 1

Syntax Description

1

Specifies the slot number, which is always 1.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

This command is only available when the AIP SSM is in the Up state. See the show module command for state information.

To end a session, enter exit or Ctrl-Shift-6 then the X key.

Examples

The following example sessions to an SSM in slot 1:

hostname# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.

Related Commands

Command
Description

debug session-command

Shows debug messages for sessions.


set connection

To specify connection values within a policy-map for a traffic class, use the set connection command in class mode. Use this command to specify the maximum number of simultaneous connections and to specify whether to enable or disable TCP sequence number randomization. To remove these specifications, thereby allowing unlimited connections, use the no form of this command.

set connection {conn-max | embryonic-conn-max} n random-seq# {enable | disable}

no set connection {conn-max | embryonic-conn-max} n random-seq# {enable | disable}

Syntax Description

conn-max n

The maximum number of simultaneous TCP and/or UDP connections that are allowed.

disable

Turns off TCP sequence number randomization.

enable

Turns on TCP sequence number randomization.

embryonic-conn-max n

The maximum number of simultaneous embryonic connections allowed.

random-seq#

Enable or disable TCP sequence number randomization. Each TCP connection has two ISNs: one generated by the client and one generated by the server. The security appliance randomizes the ISN of the TCP SYN passing in both the inbound and outbound directions.

Randomizing the ISN of the protected host prevents an attacker from predecting the next ISN for a new connection and potentially hijacking the new session.

TCP initial sequence number randomization can be disabled if required. For example:

If another in-line firewall is also randomizing the initial sequence numbers, there is no need for both firewalls to be performing this action, even though this action does not affect the traffic.

If you use eBGP multi-hop through the security appliance, and the eBGP peers are using MD5. Randomization breaks the MD5 checksum.

You use a WAAS device that requires the security appliance not to randomize the sequence numbers of connections.


Defaults

For both the conn-max and embryonic-conn-max parameters, the default value of n is 0, which allows unlimited connections.

Sequence number randomization is enabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Class


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

You must have configured the policy-map command and the class command before issuing this command.


Note The set connection command parameters (conn-max, embryonic-conn-max, random-seq#) can co-exist with any nat or static command; that is, you can configure connection parameters either through the nat/static commands using max-conn, emb_limit, or noramdomseq parameters, or through the MPC set connection command using conn-max, embryonic-conn-max, or random-seq# parameters. A mixed configuration is not recommended, but if one exists, it behaves in the following ways:

When a traffic class is subject to a connection limit or embryonic connection limit from both the MPC set connection command and the nat/static command, then whichever limit is reached, that limit is applied.

When a TCP traffic class is configured to have sequence number randomization disabled by either the MPC set connection command or the nat/static command, then sequence number randomization is disabled.


Examples

The following is an example of the use of the set connection command in class mode to configure the maximum number of simultaneous connections as 256 and to disable TCP sequence number randomization:

hostname(config)# policy-map localpolicy1
hostname(config-pmap)# class local_server
hostname(config-pmap-c)# set connection conn-max 256 random-seq# disable
hostname(config-pmap-c)# exit

Related Commands

Command
Description

class

Specifies a class-map to use for traffic classification.

clear configure policy-map

Remove all policy-map configuration, except that if a policy-map is in use in a service-policy command, that policy-map is not removed.

help policy-map

Shows syntax help for the policy-map command.

policy-map

Configures a policy; that is, an association of a traffic class and one or more actions.

show running-config policy-map

Display all current policy-map configurations.


set connection advanced-options

To specify advanced TCP connection options within a policy-map for a traffic class, use the set connection advanced-options command in class mode. To remove advanced TCP connection options for a traffic class within a policy map, use the no form of this command.

set connection advanced-options tcp-mapname

no set connection advanced-options tcp-mapname

Syntax Description

tcp-mapname

Name of a TCP map in which advanced TCP connection options are configured.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Class


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

You must have configured the policy-map command and the class command, as well as the TCP map name, before issuing this command. See the description of the tcp-map command for detailed information.

Examples

The following example shows the use of the set connection advanced-options command to specify the use of a TCP map named localmap:

hostname(config)# access-list http-server permit tcp any host 10.1.1.1
hostname(config)# class-map http-server
hostname(config-cmap)# match access-list http-server
hostname(config-cmap)# exit
hostname(config)# tcp-map localmap
hostname(config)# policy-map global_policy global
hostname(config-pmap)# description This policy map defines a policy concerning connection 
to http server.
hostname(config-pmap)# class http-server
hostname(config-pmap-c)# set connection advanced-options localmap

Related Commands

Command
Description

class

Specifies a class-map to use for traffic classification.

class-map

Configures a traffic class by issuing at most one (with the exception of tunnel-group and default-inspection-traffic) match command, specifying match criteria, in the class-map mode.

clear configure policy-map

Remove all policy-map configuration, except that if a policy-map is in use in a service-policy command, that policy-map is not removed.

policy-map

Configures a policy; that is, an association of a traffic class and one or more actions.

show running-config policy-map

Display all current policy-map configurations.


set connection timeout

To configure the timeout period, after which an idle TCP connection is disconnected, use the set connection timeout command in class mode. To remove the timeout, use the no form of this command.

set connection timeout tcp hh[:mm[:ss]] [reset]

no set connection timeout tcp

set connection timeout embryonic hh[:mm[:ss]]

no set connection timeout embryonic

set connection timeout half-closed hh[:mm[:ss]]

no set connection timeout half-closed

Syntax Description

embryonic hh[:mm[:ss]]

Timeout period after which a TCP embryonic (half-opened) connection is closed.

half-closed hh[:mm[:ss]]

The timeout period until a TCP half-closed connection is freed.

reset

Sends a TCP RST packet to both end systems after TCP idle connections are removed.

tcp hh[:mm[:ss]]

The idle time after which an established connection closes.


Defaults

The default embryonic connection timeout value is 30 seconds.

The default half-closed connection timeout value is 10 minutes.

The default tcp connection timeout value is 1 hour.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Class


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

You must have configured the policy-map command and the class command before issuing this command.

A TCP connection for which a three-way handshake is not complete is an embryonic connection. For the embryonic connection timeout value, use 0:0:0 to specify that the connection never times out. Otherwise, the timeout duration must be at least 5 seconds.

When the TCP connection is in the closing state, use the half-closed parameter to configure the length of time until the connection is freed. Use 0:0:0 to specify that the connection never times out. The minimum timeout duration is 5 minutes.

The tcp inactive connection timeout configures the period after which an idle TCP connection in the established state is disconnected. Use 0:0:0 to specify that the connection never times out. The minimum timeout duration is 5 minutes.

The reset keyword is used to send a TCP RST packet to both end systems once an idle TCP connection has timed out. Some applications require a TCP RST after a timeout to perform properly.

Examples

The following is an example of a set connection timeout command that specifies an embryonic connection timeout of two minutes:

hostname(config)# access-list http-server permit tcp any host 10.1.1.1
hostname(config)# class-map http-server

hostname(config-cmap)# match access-list http-server
hostname(config-cmap)# exit

hostname(config)# policy-map global_policy global
hostname(config-pmap)# description This policy map defines a policy concerning connection 
to http server.
hostname(config-pmap)# class http-server
hostname(config-pmap-c)# set connection timeout embryonic 00:2:00

Related Commands

Command
Description

class

Specifies a class-map to use for traffic classification.

clear configure policy-map

Remove all policy-map configuration, except that if a policy-map is in use in a service-policy command, that policy-map is not removed.

policy-map

Configures a policy; that is, an association of a traffic class and one or more actions.

set connection

Configure connection values.

show running-config policy-map

Display all current policy-map configurations.


set metric

To set the metric value for a routing protocol, use the set metric command in route-map configuration mode. To return to the default metric value, use the no form of this command.

set metric value

no set metric value

Syntax Description

value

Metric value.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Route-map configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The no set metric value command allows you to return to the default metric value. In this context, the value is an integer from 0 to 4294967295.

Examples

The following example shows how to configure a route map for OSPF routing:

hostname(config)# route-map maptag1 permit 8
hostname(config-route-map)# set metric 5
hostname(config-route-map)# match metric 5
hostname(config-route-map)# show route-map
route-map maptag1 permit 8
set metric 5
match metric 5
hostname(config-route-map)# exit
hostname(config)# 

Related Commands

Command
Description

match interface

Distributes any routes that have their next hop out one of the interfaces specified,

match ip next-hop

Distributes any routes that have a next-hop router address that is passed by one of the access lists specified.

route-map

Defines the conditions for redistributing routes from one routing protocol into another.


set metric-type

To specify the type of OSPF metric routes, use the set metric-type command in route-map configuration mode. To return to the default setting, use the no form of this command.

set metric-type {type-1 | type-2}

no set metric-type

Syntax Description

type-1

Specifies the type of OSPF metric routes that are external to a specified autonomous system.

type-2

Specifies the type of OSPF metric routes that are external to a specified autonomous system.


Defaults

The default is type-2.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Route-map configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

The following example shows how to configure a route map for OSPF routing:

hostname(config)# route-map maptag1 permit 8
hostname(config-route-map)# set metric 5
hostname(config-route-map)# match metric 5
hostname(config-route-map)# set metric-type type-2
hostname(config-route-map)# show route-map
route-map maptag1 permit 8
  set metric 5
  set metric-type type-2
  match metric 5
hostname(config-route-map)# exit
hostname(config)# 

Related Commands

Command
Description

match interface

Distributes any routes that have their next hop out one of the interfaces specified,

route-map

Defines the conditions for redistributing routes from one routing protocol into another.

set metric

Specifies the metric value in the destination routing protocol for a route map.


setup

To configure a minimal configuration for the security appliance using interactive prompts, enter the setup command in global configuration mode. This configuration provides connectivity to use ASDM. See also the configure factory-default command to restore the default configuration.

setup

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The setup dialog automatically appears at boot time if there is no startup configuration in Flash memory.

Before you can use the setup command, you must have an inside interface already configured. The PIX 500 series default configuration includes an inside interface (Ethernet 1), but the ASA 550 series default configuration does not. Before using the setup command, enter the interface command for the interface you want to make inside, and then the nameif inside command.

In multiple context mode, you can use the setup command in the system execution space and for each context.

When you enter the setup command, you are asked for the information in Table 7-1. The system setup command includes a subset of these prompts. If there is already a configuration for the prompted parameter, it appears in barckets so you can either accept it as the default or override it by entering something new.

Table 7-1 Setup Prompts 

Prompt
Description
Pre-configure Firewall 
now through 
interactive prompts 
[yes]?

Enter yes or no. If you enter yes, the setup dialog continues. If no, the setup dialog stops and the global configuration prompt (hostname(config)#) appears.

Firewall Mode 
[Routed]:

Enter routed or transparent.

Enable password:

Enter an enable password. (The password must have at least three characters.)

Allow password 
recovery [yes]?

Enter yes or no.

Clock (UTC):

You cannot enter anything in this field. UTC time is used by default.

Year:

Enter the year using four digits, for example, 2005. The year range is 1993 to 2035.

Month:

Enter the month using the first three characters of the month; for example, Sep for September.

Day:

Enter the day of the month, from 1 to 31.

Time:

Enter the hour, minutes, and seconds in 24-hour time format. For example, enter 20:54:44 for 8:54 p.m and 44 seconds.

Inside IP address:

Enter the IP address for the inside interface.

Inside network mask:

Enter the network mask that applies to the inside IP address. You must specify a valid network mask, such as 255.0.0.0 or 255.255.0.0.

Host name:

Enter the hostname that you want to display in the command line prompt.

Domain name:

Enter the domain name of the network on which the security appliance runs.

IP address of host 
running Device 
Manager:

Enter the IP address of the host that needs to access ASDM.

Use this configuration 
and write to flash?

Enter yes or no. If you enter yes, the inside interface is enabled and the requested configuration is written to the Flash partition.

If you enter no, the setup dialog repeats, beginning with the first question:

Pre-configure Firewall now through interactive prompts [yes]?

Enter no to exit the setup dialog or yes to repeat it.


Examples

This example shows how to complete the setup command prompts:

hostname(config)# setup
Pre-configure Firewall now through interactive prompts [yes]? yes 
Firewall Mode [Routed]: routed
Enable password [<use current password>]: writer
Allow password recovery [yes]? yes
Clock (UTC):
   Year: 2005
   Month: Nov
   Day: 15
   Time: 10:0:0
Inside IP address: 192.168.1.1
Inside network mask: 255.255.255.0
Host name: tech_pubs
Domain name: your_company.com
IP address of host running Device Manager: 10.1.1.1

The following configuration will be used:
Enable password: writer
Allow password recovery: yes
Clock (UTC): 20:54:44 Sep 17 2005
Firewall Mode: Routed
Inside IP address: 192.168.1.1
Inside network mask: 255.255.255.0
Host name: tech_pubs
Domain name: your_company.com
IP address of host running Device Manager: 10.1.1.1

Use this configuration and write to flash? yes

Related Commands

Command
Description

configure factory-default

Restores the default configuration.


show aaa local user

To show the list of usernames that are currently locked, or to show details about the username, use the show aaa local user command in global configuration mode.

show aaa local user [locked]

Syntax Description

locked

(Optional) Shows the list of usernames that are currently locked.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

If you omit the optional keyword locked, the security appliance displays the failed-attempts and lockout status details for all AAA local users.

You can specify a single user by using the username option or all users with the all option.

This command affects only the status of users that are locked out.

The administrator cannot be locked out of the device.

Examples

The following example shows use of the show aaa local user command to display the lockout status of all usernames:

This example shows the use of the show aaa local user command to display the number of failed authentication attempts and lockout status details for all AAA local users, after the limit has been set to 5:

hostname(config)# aaa local authentication attempts max-fail 5
hostname(config)# show aaa local user
Lock-time  Failed-attempts      Locked  User
    -                   6       Y       test
    -                   2       N       mona
    -                   1       N       cisco
    -                   4       N       newuser
hostname(config)# 

This example shows the use of the show aaa local user command with the lockout keyword to display the number of failed authentication attempts and lockout status details only for any locked-out AAA local users, after the limit has been set to 5:

hostname(config)# aaa local authentication attempts max-fail 5
hostname(config)# show aaa local user
Lock-time  Failed-attempts      Locked  User
    -                   6       Y       test
hostname(config)# 

Related Commands

Command
Description

aaa local authentication attempts max-fail

Configures the maximum number of times a user can enter a wrong password before being locked out.

clear aaa local user fail-attempts

Resets the number of failed attempts to 0 without modifying the lockout status.

clear aaa local user lockout

Clears th e lockout status of the specified user or all users and sets their failed attempts counters to 0.


show aaa-server

To display AAA server statistics for AAA servers, use the show aaa-server command in privileged EXEC mode:

show aaa-server [LOCAL | groupname [host hostname] | protocol protocol]

Syntax Description

LOCAL

(Optional) Shows statistics for the LOCAL user database.

groupname

(Optional) Shows statistics for servers in a group.

host hostname

(Optional) Shows statistics for a particular server in the group.

protocol protocol

(Optional) Shows statistics for servers of the specificed protocol:

kerberos

ldap

nt

radius

sdi

tacacs+


Defaults

By default, all AAA server statistics display.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

This example shows the use of the show aaa-server command to display statistics for a particular host in server group group1:

hostname(config)# show aaa-server group1 host 192.68.125.60
Server Group:          			group1
Server Protocol:       			RADIUS
Server Address:       			192.68.125.60
Server port:        			1645      
Server status:     			ACTIVE/FAILED. Last transaction (success) at 11:10:08 UTC  Fri Aug 22
Number of pending requests 20
Average round trip time					4ms
Number of authentication requests					20
Number of authorization requests					 0
Number of accounting requests					 0
Number of retransmissions					1
Number of accepts					16
Number of rejects					4
Number of challenges						5
Number of malformed responses					0
Number of bad authenticators						0
Number of pending requests					0
Number of timeouts					0
Number of unrecognized responses					0
hostname(config)# 

This example shows the use of the show aaa-server command to show the statistics for all servers in a small, inactive system:

hostname(config)# show aaa-server
Server Group: 					LOCAL
Server Protocol:			 		Local database
Server Address: 					None
Server port:					None
Server status:					ACTIVE, Last transaction at unknown
Number of pending requests									0
Average round trip time									0ms
Number of authentication requests									0
Number of authorization requests									0
Number of accounting requests									0
Number of retransmissions									0
Number of accepts									0
Number of rejects									0
Number of challenges									0
Number of malformed responses									0
Number of bad authenticators 									0
Number of timeouts									0
Number of unrecognized responses									0
hostname(config)#

Related Commands

show running-config aaa-server

Display statistics for all servers in the indicated server group or for a particular server.

clear aaa-server statistics

Clear the AAA server statistics.


show access-list

To display the counters for an access list, use the show access-list command in privileged EXEC mode.

show access-list id

Syntax Description

id

Identifies the access list.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

The following is sample output from the show access-list command:

hostname# show access-list ac
access-list ac; 2 elements
access-list ac line 1 permit ip any any (hitcnt=0)
access-list ac line 2 permit tcp any any (hitcnt=0)

Related Commands

Command
Description

access-list ethertype

Configures an access list that controls traffic based on its EtherType.

access-list extended

Adds an access list to the configuration and configures policy for IP traffic through the firewall.

clear access-list

Clears an access list counter.

clear configure access-list

Clears an access list from the running configuration.

show running-config access-list

Displays the current running access-list configuration.


show activation-key

To display the commands in the configuration for features that are enabled by your activation key, including the number of contexts allowed, use the show activation-key command in privileged EXEC mode.

show activation-key

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

·

·

·

·

·


Command History

Release
Modification

PIX Version 7.0

Support for this command was introduced on the security appliance.


Usage Guidelines

The show activation-key command output indicates the status of the activation key as follows:

If the activation key in the security appliance Flash file system is the same as the activation key running on the security appliance, then the show activation-key output reads as follows:

The flash activation key is the SAME as the running key.

If the activation key in the security appliance Flash file system is different from the activation key running on the security appliance, then the show activation-key output reads as follows:

The flash activation key is DIFFERENT from the running key.
The flash activation key takes effect after the next reload.

If you downgrade your activation key, the display shows that the running key (the old key) differs from the key that is stored in the Flash (the new key). When you restart, the security appliance uses the new key.

If you upgrade your key to enable extra features, the new key starts running immediately without a restart.

For the PIX Firewall platform, if there is any change in the failover feature (R/UR/FO) between the new key and the oldkey, it prompts for confimation. If the user enters n, it aborts the change; otherwise it updates the key in the Flash file system. When you restart the security appliance uses the new key.

Examples

This example shows how to display the commands in the configuration for features that are enabled by your activation key:

hostname(config)# show activation-key 
Serial Number:  P3000000134 Running Activation Key: 0xyadayada 0xyadayada 0xyadayada 
0xyadayada 0xyadayada

License Features for this Platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs               : 50
Inside Hosts                : Unlimited
Failover                    : Enabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Disabled
Cut-through Proxy           : Enabled
Guards                      : Enabled
URL-filtering               : Enabled
Security Contexts           : 20
GTP/GPRS                    : Disabled
VPN Peers                   : 5000

The flash activation key is the SAME as the running key.
hostname(config)#

Related Commands

Command
Description

activation-key

Changes the activation key.


show admin-context

To display the context name currently assigned as the admin context, use the show admin-context command in privileged EXEC mode.

show admin-context

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following is sample output from the show admin-context command. The following example shows the admin context called "admin" and stored in the root directory of flash:

hostname# show admin-context
Admin: admin flash:/admin.cfg

Related Commands

Command
Description

admin-context

Sets the admin context.

changeto

Changes between contexts or the system execution space.

clear configure context

Removes all contexts.

mode

Sets the context mode to single or multiple.

show context

Shows a list of contexts (system execution space) or information about the current context.


show arp

To view the ARP table, use the show arp command in privileged EXEC mode.

show arp

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(8)

Added dynamic ARP age to the display.


Usage Guidelines

The display output shows dynamic, static, and proxy ARP entries. Dynamic ARP entries include the age of the ARP entry in seconds. Static ARP entries include a dash (-) instead of the age, and proxy ARP entries state "alias."

Examples

The following is sample output from the show arp command. The first entry is a dynamic entry aged 2 seconds. The second entry is a static entry, and the third entry is from proxy ARP.

hostname# show arp
        outside 10.86.194.61 0011.2094.1d2b 2
        outside 10.86.194.1 001a.300c.8000 -
        outside 10.86.195.2 00d0.02a8.440a alias

Related Commands

Command
Description

arp

Adds a static ARP entry.

arp-inspection

For transparent firewall mode, inspects ARP packets to prevent ARP spoofing.

clear arp statistics

Clears ARP statistics.

show arp statistics

Shows ARP statistics.

show running-config arp

Shows the current configuration of the ARP timeout.


show arp-inspection

To view the ARP inspection setting for each interface, use the show arp-inspection command in privileged EXEC mode.

show arp-inspection

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following is sample output from the show arp-inspection command:

hostname# show arp-inspection
interface                arp-inspection         miss
----------------------------------------------------
inside1                  enabled                flood
outside                  disabled                -

The miss column shows the default action to take for non-matching packets when ARP inspection is enabled, either "flood" or "no-flood."

Related Commands

Command
Description

arp

Adds a static ARP entry.

arp-inspection

For transparent firewall mode, inspects ARP packets to prevent ARP spoofing.

clear arp statistics

Clears ARP statistics.

show arp statistics

Shows ARP statistics.

show running-config arp

Shows the current configuration of the ARP timeout.


show arp statistics

To view ARP statistics, use the show arp statistics command in privileged EXEC mode.

show arp statistics

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

The following is sample output from the show arp statistics command:

hostname# show arp statistics
        Number of ARP entries:
        ASA : 6
        Dropped blocks in ARP: 6
        Maximum Queued blocks: 3
        Queued blocks: 1
        Interface collision ARPs Received: 5
        ARP-defense Gratuitous ARPS sent: 4
        Total ARP retries: 15
        Unresolved hosts: 1
        Maximum Unresolved hosts: 2

Table 2 shows each field description.

Table 7-2 show arp statistics Fields 

Field
Description

Number of ARP entries

The total number of ARP table entries.

Dropped blocks in ARP

The number of blocks that were dropped while IP addresses were being resolved to their corresponding hardware addresses.

Maximum queued blocks

The maximum number of blocks that were ever queued in the ARP module, while waiting for the IP address to be resolved.

Queued blocks

The number of blocks currently queued in the ARP module.

Interface collision ARPs received

The number of ARP packets received at all security appliance interfaces that were from the same IP address as that of a security appliance interface.

ARP-defense gratuitous ARPs sent

The number of gratuitous ARPs sent by the security appliance as part of the ARP-Defense mechanism.

Total ARP retries

The total number of ARP requests sent by the ARP module when the address was not resolved in response to first ARP request.

Unresolved hosts

The number of unresolved hosts for which ARP requests are still being sent out by the ARP module.

Maximum unresolved hosts

The maximum number of unresolved hosts that ever were in the ARP module since it was last cleared or the security appliance booted up.


Related Commands

Command
Description

arp-inspection

For transparent firewall mode, inspects ARP packets to prevent ARP spoofing.

clear arp statistics

Clears ARP statistics and resets the values to zero.

show arp

Shows the ARP table.

show running-config arp

Shows the current configuration of the ARP timeout.


show asdm history

To display the contents of the ASDM history buffer, use the show asdm history command in privileged EXEC mode.

show asdm history [view timeframe] [snapshot] [feature feature] [asdmclient]

Syntax Description

asdmclient

(Optional) Displays the ASDM history data formatted for the ASDM client.

feature feature

(Optional) Limits the history display to the specified feature. The following are valid values for the feature argument:

all—Displays the history for all features (default).

blocks—Displays the history for the system buffers.

cpu—Displays the history for CPU usage.

failover—Displays the history for failover.

ids—Displays the history for IDS.

interface if_name—Displays the history for the specified interface. The if_name argument is the name of the interface as specified by the nameif command.

memory—Displays memory usage history.

perfmon—Displays performance history.

sas—Displays the history for Security Associations.

tunnels—Displays the history for tunnels.

xlates—Displays translation slot history.

snapshot

(Optional) Displays only the last ASDM history data point.

view timeframe

(Optional) Limits the history display to the specified time period. Valid values for the timeframe argument are:

all—all contents in the history buffer (default).

12h—12 hours

5d—5 days

60m—60 minutes

10m—10 minutes


Defaults

If no arguments or keywords are specified, all history information for all features is displayed.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was changed from the show pdm history command to the show asdm history command.


Usage Guidelines

The show asdm history command displays the contents of the ASDM history buffer. Before you can view ASDM history information, you must enable ASDM history tracking using the asdm history enable command.

Examples

The following is sample output from the show asdm history command. It limits the output to data for the outside interface collected during the last 10 minutes.

hostname# show asdm history view 10m feature interface outside

Input KByte Count:
        [  10s:12:46:41 Mar 1 2005  ] 62640 62636 62633 62628 62622 62616 62609 
Output KByte Count:
        [  10s:12:46:41 Mar 1 2005  ] 25178 25169 25165 25161 25157 25151 25147 
Input KPacket Count:
        [  10s:12:46:41 Mar 1 2005  ]   752   752   751   751   751   751   751 
Output KPacket Count:
        [  10s:12:46:41 Mar 1 2005  ]    55    55    55    55    55    55    55 
Input Bit Rate:
        [  10s:12:46:41 Mar 1 2005  ]  3397  2843  3764  4515  4932  5728  4186 
Output Bit Rate:
        [  10s:12:46:41 Mar 1 2005  ]  7316  3292  3349  3298  5212  3349  3301 
Input Packet Rate:
        [  10s:12:46:41 Mar 1 2005  ]     5     4     6     7     6     8     6 
Output Packet Rate:
        [  10s:12:46:41 Mar 1 2005  ]     1     0     0     0     0     0     0 
Input Error Packet Count:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
No Buffer:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
Received Broadcasts:
        [  10s:12:46:41 Mar 1 2005  ] 375974 375954 375935 375902 375863 375833 375794 
Runts:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
Giants:       
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
CRC:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
Frames:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
Overruns:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
Underruns:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
Output Error Packet Count:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
Collisions:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
LCOLL:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
Reset:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
Deferred:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
Lost Carrier:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
Hardware Input Queue:
        [  10s:12:46:41 Mar 1 2005  ]   128   128   128   128   128   128   128 
Software Input Queue:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
Hardware Output Queue:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
Software Output Queue:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
Drop KPacket Count:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
hostname#  

The following is sample output from the show asdm history command. Like the previous example, it limits the output to data for the outside interface collected during the last 10 minutes. However, in this example the output is formatted for the ASDM client.

hostname# show asdm history view 10m feature interface outside asdmclient

MH|IBC|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|62439|62445|62453|62457|62464|6
2469|62474|62486|62489|62496|62501|62506|62511|62518|62522|62530|62534|62539|62542|62547|6
2553|62556|62562|62568|62574|62581|62585|62593|62598|62604|62609|62616|62622|62628|62633|6
2636|62640|62653|62657|62665|62672|62678|62681|62686|62691|62695|62700|62704|62711|62718|6
2723|62728|62733|62738|62742|62747|62751|62761|62770|62775|
MH|OBC|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|25023|25023|25025|25025|25025|2
5026|25026|25032|25038|25044|25052|25056|25060|25064|25070|25076|25083|25087|25091|25096|2
5102|25106|25110|25114|25118|25122|25128|25133|25137|25143|25147|25151|25157|25161|25165|2
5169|25178|25321|25327|25332|25336|25341|25345|25349|25355|25359|25363|25367|25371|25375|2
5381|25386|25390|25395|25399|25403|25410|25414|25418|25422|
MH|IPC|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|749|749|749|749|749|750|750|750
|750|750|750|750|750|750|750|750|750|750|750|750|751|751|751|751|751|751|751|751|751|751|7
51|751|751|751|751|752|752|752|752|752|752|752|752|752|752|752|752|752|752|753|753|753|753
|753|753|753|753|753|753|753|
MH|OPC|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|55|55|55|55|55|55|55|55|55|55|5
5|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|5
5|55|55|56|56|56|56|56|56|56|56|56|56|56|56|56|56|56|56|56|
MH|IBR|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|7127|5155|6202|3545|5408|3979|4
381|9492|3033|4962|4571|4226|3760|5923|3265|6494|3441|3542|3162|4076|4744|2726|4847|4292|5
401|5166|3735|6659|3837|5260|4186|5728|4932|4515|3764|2843|3397|10768|3080|6309|5969|4472|
2780|4492|3540|3664|3800|3002|6258|5567|4044|4059|4548|3713|3265|4159|3630|8235|6934|4298|
MH|OBR|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|82791|57|1410|588|57|639|0|4698
|5068|4992|6495|3292|3292|3352|5061|4808|5205|3931|3298|3349|5064|3439|3356|3292|3343|3349
|5067|3883|3356|4500|3301|3349|5212|3298|3349|3292|7316|116896|5072|3881|3356|3931|3298|33
49|5064|3292|3349|3292|3292|3349|5061|3883|3356|3931|3452|3356|5064|3292|3349|3292|
MH|IPR|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|12|8|6|5|7|5|6|14|5|7|7|5|6|9|5
|8|6|5|5|7|6|5|6|5|6|7|6|8|6|6|6|8|6|7|6|4|5|19|5|8|7|6|4|7|5|6|6|5|7|8|6|6|7|5|5|7|6|9|7|
6|
MH|OPR|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|12|0|1|0|0|0|0|4|0|2|2|0|0|0|0|
1|1|0|0|0|0|0|0|0|0|0|0|0|0|1|0|0|0|0|0|0|1|28|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0
|
MH|IERR|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|NB|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|RB|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|374874|374911|374943|374967|3750
10|375038|375073|375113|375140|375160|375181|375211|375243|375289|375316|375350|375373|375
395|375422|375446|375481|375498|375535|375561|375591|375622|375654|375701|375738|375761|37
5794|375833|375863|375902|375935|375954|375974|375999|376027|376075|376115|376147|376168|3
76200|376224|376253|376289|376315|376365|376400|376436|376463|376508|376530|376553|376583|
376614|376668|376714|376749|
MH|RNT|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0
|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|GNT|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0
|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|CRC|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0
|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|FRM|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0
|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|OR|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|UR|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|OERR|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|COLL|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|LCOLL|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0
|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0
|
MH|RST|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0
|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|DEF|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0
|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|LCR|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0
|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|HIQ|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|128|128|128|128|128|128|128|128
|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|1
28|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128
|128|128|128|128|128|128|128|
MH|SIQ|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0
|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|HOQ|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0
|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|SOQ|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0
|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|DPC|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0
|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
hostname# 

The following is sample output from the show asdm history command using the snapshot keyword:

hostname# show asdm history view 10m snapshot

Available 4 byte Blocks:  [  10s] : 100
Used 4 byte Blocks:  [  10s] : 0
Available 80 byte Blocks:  [  10s] : 100
Used 80 byte Blocks:  [  10s] : 0
Available 256 byte Blocks:  [  10s] : 2100
Used 256 byte Blocks:  [  10s] : 0
Available 1550 byte Blocks:  [  10s] : 7425
Used 1550 byte Blocks:  [  10s] : 1279
Available 2560 byte Blocks:  [  10s] : 40
Used 2560 byte Blocks:  [  10s] : 0
Available 4096 byte Blocks:  [  10s] : 30
Used 4096 byte Blocks:  [  10s] : 0
Available 8192 byte Blocks:  [  10s] : 60
Used 8192 byte Blocks:  [  10s] : 0
Available 16384 byte Blocks:  [  10s] : 100
Used 16384 byte Blocks:  [  10s] : 0
Available 65536 byte Blocks:  [  10s] : 10
Used 65536 byte Blocks:  [  10s] : 0
CPU Utilization:  [  10s] : 31
Input KByte Count:  [  10s] : 62930
Output KByte Count:  [  10s] : 26620
Input KPacket Count:  [  10s] : 755
Output KPacket Count:  [  10s] : 58
Input Bit Rate:  [  10s] : 24561
Output Bit Rate:  [  10s] : 518897
Input Packet Rate:  [  10s] : 48
Output Packet Rate:  [  10s] : 114
Input Error Packet Count:  [  10s] : 0
No Buffer:  [  10s] : 0
Received Broadcasts:  [  10s] : 377331
Runts:  [  10s] : 0
Giants:  [  10s] : 0
CRC:  [  10s] : 0
Frames:  [  10s] : 0
Overruns:  [  10s] : 0
Underruns:  [  10s] : 0
Output Error Packet Count:  [  10s] : 0
Collisions:  [  10s] : 0
LCOLL:  [  10s] : 0
Reset:  [  10s] : 0
Deferred:  [  10s] : 0
Lost Carrier:  [  10s] : 0
Hardware Input Queue:  [  10s] : 128
Software Input Queue:  [  10s] : 0
Hardware Output Queue:  [  10s] : 0
Software Output Queue:  [  10s] : 0
Drop KPacket Count:  [  10s] : 0
Input KByte Count:  [  10s] : 3672
Output KByte Count:  [  10s] : 4051
Input KPacket Count:  [  10s] : 19
Output KPacket Count:  [  10s] : 20
Input Bit Rate:  [  10s] : 0
Output Bit Rate:  [  10s] : 0
Input Packet Rate:  [  10s] : 0
Output Packet Rate:  [  10s] : 0
Input Error Packet Count:  [  10s] : 0
No Buffer:  [  10s] : 0
Received Broadcasts:  [  10s] : 1458
Runts:  [  10s] : 1
Giants:  [  10s] : 0
CRC:  [  10s] : 0
Frames:  [  10s] : 0
Overruns:  [  10s] : 0
Underruns:  [  10s] : 0
Output Error Packet Count:  [  10s] : 0
Collisions:  [  10s] : 63
LCOLL:  [  10s] : 0
Reset:  [  10s] : 0
Deferred:  [  10s] : 15
Lost Carrier:  [  10s] : 0
Hardware Input Queue:  [  10s] : 128
Software Input Queue:  [  10s] : 0
Hardware Output Queue:  [  10s] : 0
Software Output Queue:  [  10s] : 0
Drop KPacket Count:  [  10s] : 0
Input KByte Count:  [  10s] : 0
Output KByte Count:  [  10s] : 0
Input KPacket Count:  [  10s] : 0
Output KPacket Count:  [  10s] : 0
Input Bit Rate:  [  10s] : 0
Output Bit Rate:  [  10s] : 0
Input Packet Rate:  [  10s] : 0
Output Packet Rate:  [  10s] : 0
Input Error Packet Count:  [  10s] : 0
No Buffer:  [  10s] : 0
Received Broadcasts:  [  10s] : 0
Runts:  [  10s] : 0
Giants:  [  10s] : 0
CRC:  [  10s] : 0
Frames:  [  10s] : 0
Overruns:  [  10s] : 0
Underruns:  [  10s] : 0
Output Error Packet Count:  [  10s] : 0
Collisions:  [  10s] : 0
LCOLL:  [  10s] : 0
Reset:  [  10s] : 0
Deferred:  [  10s] : 0
Lost Carrier:  [  10s] : 0
Hardware Input Queue:  [  10s] : 128
Software Input Queue:  [  10s] : 0
Hardware Output Queue:  [  10s] : 0
Software Output Queue:  [  10s] : 0
Drop KPacket Count:  [  10s] : 0
Input KByte Count:  [  10s] : 0
Output KByte Count:  [  10s] : 0
Input KPacket Count:  [  10s] : 0
Output KPacket Count:  [  10s] : 0
Input Bit Rate:  [  10s] : 0
Output Bit Rate:  [  10s] : 0
Input Packet Rate:  [  10s] : 0
Output Packet Rate:  [  10s] : 0
Input Error Packet Count:  [  10s] : 0
No Buffer:  [  10s] : 0
Received Broadcasts:  [  10s] : 0
Runts:  [  10s] : 0
Giants:  [  10s] : 0
CRC:  [  10s] : 0
Frames:  [  10s] : 0
Overruns:  [  10s] : 0
Underruns:  [  10s] : 0
Output Error Packet Count:  [  10s] : 0
Collisions:  [  10s] : 0
LCOLL:  [  10s] : 0
Reset:  [  10s] : 0
Deferred:  [  10s] : 0
Lost Carrier:  [  10s] : 0
Hardware Input Queue:  [  10s] : 128
Software Input Queue:  [  10s] : 0
Hardware Output Queue:  [  10s] : 0
Software Output Queue:  [  10s] : 0
Drop KPacket Count:  [  10s] : 0
Available Memory:  [  10s] : 205149944
Used Memory:  [  10s] : 63285512
Xlate Count:  [  10s] : 0
Connection Count:  [  10s] : 0
TCP Connection Count:  [  10s] : 0
UDP Connection Count:  [  10s] : 0
URL Filtering Count:  [  10s] : 0
URL Server Filtering Count:  [  10s] : 0
TCP Fixup Count:  [  10s] : 0
TCP Intercept Count:  [  10s] : 0
HTTP Fixup Count:  [  10s] : 0
FTP Fixup Count:  [  10s] : 0
AAA Authentication Count:  [  10s] : 0
AAA Authorzation Count:  [  10s] : 0
AAA Accounting Count:  [  10s] : 0
Current Xlates:  [  10s] : 0
Max Xlates:  [  10s] : 0
ISAKMP SAs:  [  10s] : 0
IPSec SAs:  [  10s] : 0
L2TP Sessions:  [  10s] : 0
L2TP Tunnels:  [  10s] : 0
hostname# 

Related Commands

Command
Description

asdm history enable

Enables ASDM history tracking.


show asdm image

To the current ASDM software image file, use the show asdm image command in privileged EXEC mode.

show asdm image

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was changed from the show pdm image command to the show asdm image command.


Examples

The following is sample output from the show asdm image command:

hostname# show asdm image

Device Manager image file, flash:/ASDM

Related Commands

Command
Description

asdm image

Specifies the current ASDM image file.


show asdm log_sessions

To display a list of active ASDM logging sessions and their associated session IDs, use the show asdm log_sessions command in privileged EXEC mode.

show asdm log_sessions

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Each active ASDM session has one or more associated ASDM logging sessions. ASDM uses the logging session to retrieve syslog messages from the security appliance. Each ASDM logging session is assigned a unique session ID. You can use this session ID with the asdm disconnect log_session command to terminate the specified session.


Note Because each ASDM session has at least one ASDM logging session, the output for the show asdm sessions and show asdm log_sessions may appear to be the same.


Examples

The following is sample output from the show asdm log_sessions command:

hostname# show asdm log_sessions

0 192.168.1.1
1 192.168.1.2

Related Commands

Command
Description

asdm disconnect log_session

Terminates an active ASDM logging session.


show asdm sessions

To display a list of active ASDM sessions and their associated session IDs, use the show asdm sessions command in privileged EXEC mode.

show asdm sessions

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was changed from the show pdm sessions command to the show asdm sessions command.


Usage Guidelines

Each active ASDM session is assigned a unique session ID. You can use this session ID with the asdm disconnect command to terminate the specified session.

Examples

The following is sample output from the show asdm sessions command:

hostname# show asdm sessions

0 192.168.1.1
1 192.168.1.2

Related Commands

Command
Description

asdm disconnect

Terminates an active ASDM session.


show asp drop

To debug the accelerated security path dropped packets or connections, use the show asp drop command in privileged EXEC mode.

show asp drop [flow [flow_drop_reason] | frame [frame_drop_reason]]

Syntax Description

flow [flow_drop_reason]

(Optional) Shows the dropped flows (connections). You can specify a particular reason by using the flow_drop_reason argument. Valid values for the flow_drop_reason argument are listed in the "Usage Guidelines" section, below.

frame [frame_drop_reason]

(Optional) Shows the dropped packets. You can specify a particular reason by using the frame_drop_reason argument. Valid values for the frame_drop_reason argument are listed in the "Usage Guidelines" section, below.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was introduced.

7.0(8)

Added a timestamp indicating when the counters were last cleared (see the clear asp drop command). It also displays the drop reason keywords next to the description, so you can easily use the capture asp-drop command with that keyword.


Usage Guidelines

The show asp drop command shows the packets or connections dropped by the accelerated security path, which might help you troubleshoot a problem. See the Cisco Security Appliance Command Line Configuration Guide for more information about the accelerated security path. This information is used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Table 7-3 lists valid values for the flow_drop_reason argument for dropped flows. Table 7-4 lists valid values for the frame_drop_reason argument for dropped frames.

Table 7-3 Flow Drop Reasons 

Flow Drop Reason Keyword
Flow Drop Reason Display
Description

acl-drop

Flow is denied by access rule

This counter is incremented when a packet is denied by the security appliance, and flow creation is denied. The deny rule could be a default rule created when the security appliance comes up, when various features are turned on or off, when an access list is applied to an interface, or any other feature. Apart from default rule drops, a flow could be denied because of:

An access list configured on an interface

An access list configured for AAA, and AAA denied the user

Through traffic arriving at a management-only interface

Unencrypted traffic arriving on a IPSec-enabled interface

Implicit deny at the end of an access list

Recommendation: Observe if one of system messages related to packet drop display. Flow drop results in the corresponding packet drop that would trigger the requisite system message.

System messages: None.

audit-failure

Audit failure

A flow was freed after matching an ip audit signature that had reset as the associated action.

Recommendation: If removing the flow is not the desired outcome of matching this signature, then remove the reset action from the ip audit command.

System messages: None.

closed-by-inspection

Flow closed by inspection

This reason is given for closing a flow due to an error detected during application inspection. For example, if an error is detected during inspecting an H323 message, the corresponding H323 flow is closed with this reason.

Recommendation: None.

System messages: None.

conn-limit-exceeded

Connection limit exceeded

This reason is given for closing a flow when the connection limit has been exceeded. The connection limit is configured using the set connection conn-max command.

Recommendation: None.

System messages: 201011

fin-timeout

FIN Timeout

This reason is given for closing a TCP flow due to expiry of half-closed timer.

Recommendation: If these are valid sessions which take longer to close a TCP flow, increase the half-closed timeout.

System messages: 302014

flow-reclaimed

Non-tcp/udp flow reclaimed for new request

This counter is incremented when a reclaimable flow is removed to make room for a new flow. This occurs only when the number of flows through the security appliance equals the maximum number permitted by the software imposed limit, and a new flow request is received. When this occurs, if the number of reclaimable flows exceeds the number of VPN tunnels permitted by the security appliance, then the oldest reclaimable flow is removed to make room for the new flow. All flows except the following are deemed to be reclaimable:

TCP, UDP, GRE and failover flows

ICMP flows if ICMP stateful inspection is enabled

ESP flows to the security appliance

Recommendation: No action is required if this counter is incrementing slowly. If this counter is incrementing rapidly, it could mean that the security appliance is under attack and the security appliance is spending more time reclaiming and rebuilding flows.

System messages: 302021

fo-primary-closed

Failover primary closed

The standby unit received a flow delete message from the active unit and terminated the flow.

Recommendation: If the security appliance is running stateful failover, then this counter should increment for every replicated connection that is torn down on the standby appliance.

System messages: 302014, 302016, 302018

fo-standby

Flow closed by failover standby

If a through-the-box packet arrives at the security appliance or a context that is in a standby state, then a flow is created, the packet is dropped, and the flow removed. This counter will increment each time a flow is removed in this manner.

Recommendation: This counter should never be incrementing on the active security appliance or context. However, it is normal to see it increment on the standby security appliance or context.

System messages: 302014, 302016, 302018

fo_rep_err

Standby flow replication error

The standby unit failed to replicate a flow.

Recommendation: If the security appliance is processing VPN traffic, then this counter could be constantly increasing on the standby unit because the flow could be replicated before the IKE SA information. No action is required in this case. If the appliance is not processing VPN traffic, then this indicates a software detect; turn on the debug fover fail command on the standby unit, collect the debug output, and report the problem to Cisco TAC.

System messages: 302014, 302016, 302018

host-removed

Host is removed

The flow was removed in response to the clear local-host command.

Recommendation: This is an information counter.

System messages: 302014, 302016, 302018, 302021, 305010, 305012, 609002

inspect-fail

Inspection failure

This counter will increment when the security appliance fails to enable protocol inspection carried out by the NP for the connection. Currently, ICMP and DNS inspections are carried out by the NP. The cause could be memory allocation failure, or for ICMP error message, the security appliance not being able to find any established connection related to the frame embedded in the ICMP error message.

Recommendation: Check system memory usage. For the ICMP error message, if the cause is an attack, you can deny the host using the access lists.

System messages: 313005 for ICMP error.

ips-fail-close

IPS fail-close

This reason is given for terminating a flow because the AIP SSM is down and the fail-close option was used with IPS inspection.

Recommendation: Check and bring up the AIP SSM.

System messages: 420001

ips-request

Flow terminated by IPS

This reason is given for terminating a flow as requested by the AIP SSM.

Recommendation: Check system messages and alerts on the AIP SSM.

System messages: 420002

ipsec-spoof-detect

IPsec spoof packet detected

This counter will increment when the security appliance receives a packet that should have been encrypted but was not. The packet matched the inner header security policy check of a configured and established IPSec connection on the security appliance but was received unencrypted. This is a security issue.

Recommendation: Analyze your network traffic to determine the source of the spoofed IPSec traffic.

System messages: 402117

loopback

Flow is a loopback

This reason is given for closing a flow due to the following conditions:

U-turn traffic is present on the flow.

same-security-traffic permit intra-interface is not configured.

Recommendation: To allow U-turn traffic on an interface, configure the interface with the same-security-traffic permit intra-interface command.

System messages: None.

mcast-entry-removed

Multicast entry removed

This reason is given for one of the following cases:

A packet has arrived that matches a multicast flow, but the multicast service is no longer enabled, or was re-enabled after the flow was built.

Recommendation: Reenable multicast if it is disabled.

System messages: None.

The multicast entry has been deleted so the flow is being cleaned up, but the packet will be reinjected into the data path.

Recommendation: None.

System messages: None.

mcast-intrf-removed

Multicast interface removed

This reason is given for one of the following cases:

An output interface has been removed from the multicast entry.

Recommendation: None.

System messages: None.

All output interfaces have been removed from the multicast entry.

Recommendation: Verify that there are no longer any receivers for this group.

System messages: None.

nat-failed

NAT failed

Failed to create an xlate to translate an IP or transport header.

Recommendation: If NAT is not desired, disable nat-control. Otherwise, use the static, nat, or global command to configure NAT policy for the dropped flow. For dynamic NAT, ensure that each nat command is paired with at least one global command. Use show running-config nat and debug pix process to verify NAT rules.

System messages: 305005, 305006, 305009, 305010, 305011, 305012

nat-rpf-failed

NAT reverse path failed

Rejected attempt to connect to a mapped host using the mapped host's real address.

Recommendation: When not on the same interface as the host undergoing NAT, use the mapped address instead of the real address to connect to the host. Also, enable the appropriate inspect command if the application embeds the IP address.

System messages: 305005

need-ike

Need to start IKE negotiation

This counter will increment when the security appliance receives a packet that requires encryption but has no established IPSec security association. This is generally a normal condition for LAN-to-LAN IPSec configurations. This indication will cause the security appliance to begin ISAKMP negotiations with the destination peer.

Recommendation: If you have configured IPSec LAN-to-LANs on your security appliance, this indication is normal and does not indicate a problem. However, if this counter increments rapidly, it may indicate a crypto configuration error or network error preventing the ISAKMP negotiation from completing.

Verify that you can communicate with the destination peer and verify your crypto configuration using the show running-config command.

System messages: None.

no-ipv6-ipsec

IPsec over IPv6 unsupported

This counter will increment when the security appliance receives an IPSec ESP packet, IPSec NAT-T ESP packet, or an IPSec over UDP ESP packet encapsulated in an IPv6 header. The security appliance does not currently support any IPSec sessions encapsulated in IPv6.

Recommendation: None.

System messages: None.

non_tcp_syn

non-syn TCP

This reason is given for terminating a TCP flow when the first packet is not a SYN packet.

Recommendation: None.

System messages: None.

out-of-memory

No memory to complete flow

This counter is incremented when the security appliance is unable to create a flow because of insufficient memory.

Recommendation: Verify that the security appliance is not under attack by checking the current connections. Also verify if the configured timeout values are too large resulting in idle flows residing in memory longer. Check the free memory available by issuing the show memory command. If free memory is low, issue the show processes memory command to determine which processes are utilizing most of the memory.

System messages: None.

parent-closed

Parent flow is closed

When the parent flow of a subordinating flow is closed, the subordinating flow is also closed. For example, an FTP data flow (subordinating flow) will be closed with this specific reason when its control flow (parent flow) is terminated. This reason is also given when a secondary flow (pin-hole) is closed by its controlling application. For example, when the BYE messaged is received, the SIP inspection engine (controlling application) will close the corresponding SIP RTP flows (secondary flow).

Recommendation: None.

System messages: None.

pinhole-timeout

Pinhole timeout

This counter is incremented to report that the security appliance opened a secondary flow, but no packets passed through this flow within the timeout interval, and hence it was removed. An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.

Recommendation: None.

System messages: 302014, 302016

recurse

Close recursive flow

A flow was recursively freed. This reason applies to pair flows and multicast slave flows, and serves to prevent system messages being issued for each of these subordinate flows.

Recommendation: None.

System messages: None.

reinject-punt

Flow terminated by punt action

This counter is incremented when a packet is punted to the exception path for processing by one of the enhanced services such as inspection or AAA. The servicing routine, having detected a violation in the traffic flowing on the flow, requests that the flow be dropped. The flow is immediately dropped.

Recommendation: Please watch for system messages triggered by a servicing routine. Flow drop terminates the corresponding connection.

System messages: None.

reset-by-ips

Flow reset by IPS

This reason is given for terminating a TCP flow as requested by the AIP SSM.

Recommendation: Check system messages and alerts on the AIP SSM.

System messages: 420003

reset-in

TCP Reset-I

This reason is given for closing an outbound flow (from a low-security interface to a same- or high-security interface) when a TCP reset is received on the flow.

Recommendation: None.

System messages: 302014

reset-out

TCP Reset-O

This reason is given for closing an inbound flow (from a high-security interface to low-security interface) when a TCP reset is received on the flow.

Recommendation: None.

System messages: 302014

shunned

Flow shunned

This counter will increment when a packet is received that has a source IP address that matches a host in the shun database. When a shun command is applied, it will be incremented for each existing flow that matches the shun command.

Recommendation: None.

System messages: 401004

syn-timeout

SYN Timeout

This reason is given for closing a TCP flow due to expiry of embryonic timer.

Recommendation: If these are valid sessions that take longer to establish a connection, then increase the embryonic timeout.

System messages: 302014

tcp-fins

TCP FINs

This reason is given for closing a TCP flow when TCP FIN packets are received.

Recommendation: This counter will increment for each TCP connection that is terminated normally with FINs.

System messages: 302014

tcp-intercept-no-response

TCP intercept server no respond

SYN retransmission timeout after trying three times, once every second. Server unreachable, tearing down connection.

Recommendation: Check if the server is reachable from the security appliance.

System messages: None.

tcp-intercept-kill

Flow terminated by TCP Intercept

TCP intercept tore down the connection for the following reasons:

1. This is the first SYN

2. A connection is created for the SYN

3. TCP intercept replied with a SYN cookie; or TCP intercept sends a SYN to the server and the server replies with a RST after seeing a valid ACK from the client.

Recommendation: TCP intercept normally does not create a connection for the first SYN, except when there are nailed rules, the packet comes over a VPN tunnel, or the next hop gateway address to reach the client is not resolved. So for the first SYN, this indicates that a connection was created. When TCP intercept receives a RST from server, it is likely that the corresponding port is closed on the server.

System messages: None.

tcp-intercept-unexpected

TCP intercept unexpected state

Logic error in the TCP intercept module; this should never happen.

Recommendation: Indicates memory corruption or some other logic error in the TCP intercept module.

System messages: None.

tcpnorm-invalid-syn

TCP invalid SYN

This reason is given for closing a TCP flow when the SYN packet is invalid.

Recommendation: The SYN packet could be invalid for a number of reasons, such as an invalid checksum or an invalid TCP header. Please use the packet capture feature to understand why the SYN packet is invalid. If you would like to allow these connections, use the tcp-map configuration to bypass checks.

System messages: 302014

tcpnorm-rexmit-bad

TCP bad retransmission

This reason is given for closing a TCP flow when the check-retransmission feature is enabled, and the TCP endpoint sent a retransmission with different data from the original packet.

Recommendation: The TCP endpoint may be attacking by sending different data in TCP retransmits. Please use the packet capture feature to learn more about the origin of the packet.

System messages: 302014

tcpnorm-win-variation

TCP unexpected window size variation

This reason is given for closing a TCP flow when the window size advertised by the TCP endpoint is drastically changed without accepting that much data.

Recommendation: In order to allow this connection, use the window-variation command.

System messages: 302014

timeout

Conn-timeout

This counter is incremented when a flow is closed because of the expiration of its inactivity timer.

Recommendation: None.

System messages: 302014, 302016, 302018, 302021

tunnel-pending

Tunnel being brought up or torn down

This counter will increment when the security appliance receives a packet matching an entry in the security policy database (i.e. crypto map) but the security association is in the process of being negotiated; its not complete yet.

This counter will also increment when the security appliance receives a packet matching an entry in the security policy database but the security association has been or is in the process of being deleted. The difference between this indication and the "'Tunnel has been torn down" indication is that the "Tunnel has been torn down" indication is for established flows.

Recommendation: This is a normal condition when the IPSec tunnel is in the process of being negotiated or deleted.

System messages: None.

tunnel-torn-down

Tunnel has been torn down

This counter will increment when the security appliance receives a packet associated with an established flow whose IPSec security association is in the process of being deleted.

Recommendation: This is a normal condition when the IPSec tunnel is torn down for any reason.

System messages: None

xlate-removed

Xlate Clear

The flow was removed in response to the clear xlate command or clear local-host command.

Recommendation: This is an information counter.

System messages: 302014, 302016, 302018, 302021, 305010, 305012, 609002


Table 7-4 lists valid values for the frame_drop_reason argument for dropped frames.

Table 7-4 Frame Drop Reasons 

Frame Drop Reason Keyword
Frame Drop Reason Display
Description

acl-drop

Flow is denied by access rule

This counter is incremented when a packet is denied by the security appliance. The deny rule could be a default rule created when the security appliance comes up, when various features are turned on or off, when an access list is applied to an interface, or any other feature. Apart from default rule drops, a flow could be denied because of:

An access list configured on an interface

An access list configured for AAA, and AAA denied the user

Through traffic arriving at a management-only interface

Unencrypted traffic arriving on a IPSec-enabled interface

Recommendation: Check the access lists referenced by the following system log messages.

System messages: 106023, 106100, 106004

bad-crypto

Bad crypto return in packet

This counter will increment when the security appliance attempts to perform a crypto operation on a packet, and the crypto operation fails. This is not a normal condition and could indicate possible software or hardware problems with the security appliance.

Recommendation: If you are receiving many bad crypto indications, your security appliance may need servicing. You should enable system message 402123 to determine whether the crypto errors are hardware or software errors. You can also check the error counter in the global IPSec statistics with the show ipsec stats command. If the IPSec SA that is triggering these errors is known, the SA statistics from the show ipsec sa detail command will also be useful in diagnosing the problem.

System messages: 402123

bad-ipsec-natt

Bad IPSEC NATT packet

This counter will increment when the security appliance receives a packet on an IPSec connection that has negotiated NAT-T, but the packet is not addressed to the NAT-T UDP destination port of 4500 or had an invalid payload length.

Recommendation: Analyze your network traffic to determine the source of the NAT-T traffic.

System messages: None.

bad-ipsec-prot

IPSEC not AH or ESP

This counter will increment when the security appliance receives a packet on an IPSec connection that is not an AH or ESP protocol packet. This is not a normal condition.

Recommendation: If you are receiving many IPSec not AH or ESP indications on your security appliance, analyze your network traffic to determine the source of the traffic.

System messages: 402115

bad-ipsec-udp

Bad IPSEC UDP packet

This counter will increment when the security appliance receives a packet on an IPSec connection that has negotiated IPSec over UDP, but the packet has an invalid payload length.

Recommendation: Analyze your network traffic to determine the source of the NAT-T traffic.

System messages: None.

bad-tcp-cksum

Bad TCP checksum

This counter is incremented and the packet is dropped when the security appliance receives a TCP packet whose computed TCP checksum does not match the recorded checksum in TCP header.

Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a TCP endpoint is sending corrupted packets, and an attack is in progress. Please use the packet capture feature to learn more about the origin of the packet. To allow packets with an incorrect TCP checksum, disable the checksum-verification feature.

System messages: None

bad-tcp-flags

Bad TCP flags

This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with invalid TCP flags in the TCP header. For example, a packet with both SYN and FIN TCP flags set will be dropped.

Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a TCP endpoint is sending corrupted packets and an attack is in progress. Please use the packet capture feature to learn more about the origin of the packet.

System messages: None.

conn-limit

Connection limit reached

This reason is given for dropping a packet when the connection limit or host connection limit has been exceeded. If this is a TCP packet which is dropped during TCP connection establishment phase due to connection limit, the drop reason "TCP connection limit reached" is also reported.

Recommendation: If this is incrementing rapidly, check the system messages to determine which host's connection limit is reached. The connection limit may need to be increased if the traffic is normal, or the host may be under attack.

System messages: 201011

ctm-error

CTM returned error

This counter will increment when the security appliance attempts to perform a crypto operation on a packet and the crypto operation fails. This is not a normal condition and could indicate possible software or hardware problems with the security appliance.

Recommendation: If you are receiving many bad crypto indications, your security appliance may need servicing. You should enable system message 402123 to determine whether the crypto errors are hardware or software errors. You can also check the error counter in the global IPSec statistics with the show ipsec stats command. If the IPSec SA that is triggering these errors is known, the SA statistics from the show ipsec sa detail command will also be useful in diagnosing the problem.

System messages: 402123

dns-guard-id-not-matched

DNS Guard id not matched

This counter will increment when the identification of the DNS response message does not match any DNS queries that passed across the appliance earlier on the same connection. This counter will increment by the DNS Guard function.

Recommendation: No action required if it is an intermittent event. If the cause is an attack, you can deny the host using the access lists.

System messages: None.

dns-guard-out-of-app-id

DNS Guard out of app id

This counter will increment when the DNS Guard function fails to allocate a data structure to store the identification of the DNS message.

Recommendation: Check the system memory usage. This event normally happens when the system runs short of memory.

System messages: None.

dst-l2_lookup-fail

Dst MAC L2 Lookup Failed

This counter will increment when the security appliance is configured for transparent mode, and the security appliance does a Layer 2 destination MAC address lookup that fails. Upon the lookup failure, the security appliance will begin the destination MAC discovery process and attempt to find the location of the host via ARP and/or ICMP messages.

Recommendation: This is a normal condition when the security appliance is configured for transparent mode. You can also execute the show mac-address-table command to list the L2 MAC address locations currently discovered by the security appliance.

System messages: None.

flow-expired

Expired flow

This counter is incremented when the security appliance tries to inject a new or cached packet belonging to a flow that has already expired. It is also incremented when the security appliance attempts to send an RST on a TCP flow that has already expired, or when a packet returns from the AIP SSM but the flow had already expired. The packet is dropped.

Recommendation: If valid applications are getting preempted, investigate if a longer timeout is needed.

System messages: None.

fo-standby

Dropped by standby unit

If a through-the-box packet arrives at security appliance or context in a standby state, and a flow is created, then the packet is dropped and the flow removed. This counter will increment each time a packet is dropped in this manner.

Recommendation: This counter should never be incrementing on the active security appliance or context. However, it is normal to see it increment on the standby appliance or security appliance.

System messages: 302014, 302016, 302018

fragment-reassembly-failed

Fragment reassembly failed

This counter is incremented when the security appliance fails to reassemble a chain of fragmented packets into a single packet. All the fragment packets in the chain are dropped. This is probably because of a failure while allocating memory for the reassembled packet.

Recommendation: Use the show blocks command to monitor the current block memory.

System messages: None.

host-move-pkt

FP host move packet

This counter will increment when the security appliance or context is configured for transparent mode, and the source interface of a known Layer 2 MAC address is detected on a different interface.

Recommendation: This indicates that a host has been moved from one interface (i.e. LAN segment) to another. This condition is normal while in transparent mode if the host has in fact been moved. However, if the host move toggles back and forth between interfaces, a network loop may be present.

System messages: 412001, 412002, 322001

ifc-classify

Virtual firewall classification failed

A packet arrived on a shared interface, but failed to classify to any specific context interface.

Recommendation: Use the global or static command to specify the IPv4 addresses that belong to each context interface.

System messages: None.

inspect-dns-id-not-matched

DNS Inspect id not matched

This counter will increment when the identification of the DNS response message does not match any DNS queries that passed across the security appliance earlier on the same connection.

Recommendation: No action required if it is an intermittent event. If the cause is an attack, you can deny the host using the access lists.

System messages: None.

inspect-dns-invalid-domain-
label

DNS Inspect invalid domain label

This counter will increment when the security appliance detects an invalid DNS domain name or label. DNS domain name and label is checked per RFC 1035.

Recommendation: None.

System messages: None.

inspect-dns-invalid-pak

DNS Inspect invalid packet

This counter will increment when the security appliance detects an invalid DNS packet. For example, a DNS packet with no DNS header, the number of DNS resource records not matching the counter in the header, etc.

Recommendation: None.

System messages: None.

inspect-dns-out-of-app-id

DNS Inspect out of app id

This counter will increment when the DNS inspection engine fails to allocate a data structure to store the identification of the DNS message.

Recommendation: Check the system memory usage. This event normally happens when the system runs short of memory.

System messages: None.

inspect-dns-pak-too-long

DNS Inspect packet too long

This counter is incremented when the length of the DNS message exceeds the configured maximum allowed value.

Recommendation: No action required. If DNS message length checking is not desired, enable DNS inspection without the inspect dns maximum-length option.

System messages: 410001

inspect-icmp-error-different-
embedded-conn

ICMP Error Inspect different embedded conn

This counter will increment when the frame embedded in the ICMP error message does not match the established connection that has been identified when the ICMP connection is created.

Recommendation: No action required if it is an intermittent event. If the cause is an attack, you can deny the host using the access lists.

System messages: 313005

inspect-icmp-error-no-existing-
conn

ICMP Error Inspect no existing conn

This counter will increment when the security appliance is not able to find any established connection related to the frame embedded in the ICMP error message.

Recommendation: No action required if it is an intermittent event. If the cause is an attack, you can deny the host using the access lists.

System messages: 313005

inspect-icmp-out-of-app-id

ICMP Inspect out of app id

This counter will increment when the ICMP inspection engine fails to allocate an App ID data structure. The structure is used to store the sequence number of the ICMP packet.

Recommendation: Check the system memory usage. This event normally happens when the system runs short of memory.

System messages: None.

inspect-icmp-seq-num-not-
matched

ICMP Inspect seq num not matched

This counter will increment when the sequence number in the ICMP echo reply message does not match any ICMP echo message that passed across the security appliance earlier on the same connection.

Recommendation: No action required if it is an intermittent event. If the cause is an attack, you can deny the host using the access lists.

System messages: 313004

inspect-icmpv6-error-invalid-
pak

ICMPv6 Error Inspect invalid packet

This counter will increment when the security appliance detects an invalid frame embedded in the ICMPv6 packet. This check is the same as that on IPv6 packets. For example, an incomplete IPv6 header, a malformed IPv6 Next Header, etc.

Recommendation: None.

System messages: None.

inspect-icmpv6-error-no-
existing-conn

ICMPv6 Error Inspect no existing conn

This counter will increment when the security appliance is not able to find any established connection related to the frame embedded in the ICMPv6 error message.

Recommendation: No action required if it is an intermittent event. If the cause is an attack, you can deny the host using the access lists.

System messages: 313005

intercept-unexpected

Intercept unexpected packet

The security appliance either received data from a client while waiting for a SYNACK from a server, or it received a packet that cannot be handled in a particular state of TCP intercept.

Recommendation: If this drop is causing the connection to fail, please have a sniffer trace of the client- and server-side of the connection while reporting the issue. The security appliance could be under attack, and the sniffer traces or capture would help narrow down the culprit.

System messages: None.

interface-down

Interface is down

This counter will increment for each packet received on an interface that is shutdown using the shutdown command. For ingress traffic, the packet is dropped after security context classification and if the interface associated with the context is shut down. For egress traffic, the packet is dropped when the egress interface is shut down.

Recommendation: None.

System messages: None.

invalid-app-length

Invalid app length

This counter will increment when the security appliance detects an invalid length of the Layer 7 payload in the packet. Currently, it counts the drops by the DNS Guard function only. For example, an incomplete DNS header.

Recommendation: None.

System messages: None.

invalid-encap

Invalid encapsulation

This counter is incremented when the security appliance receives a frame belonging to an unsupported link-level protocol or if the L3 type specified in the frame is not supported by the security appliance. The packet is dropped.

Recommendation: Verify that directly-connected hosts have proper link-level protocol settings.

System messages: None.

invalid-ethertype

Invalid ethertype

This counter is incremented when the fragmentation module on the security appliance receives or tries to send a fragmented packet that does not belong to IP version 4 or version 6. The packet is dropped.

Recommendation: Verify the MTU of the security appliance and other devices on the connected network to determine why the security appliance is processing such fragments.

System messages: None.

invalid-ip-header

Invalid IP header

This counter is incremented and the packet is dropped when the security appliance receives an IP packet whose computed checksum of the IP header does not match the recorded checksum in the header.

Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a peer is sending corrupted packets and an attack is in progress. Please use the packet capture feature to learn more about the origin of the packet.

System messages: None

invalid-ip-length

Invalid IP length

This counter is incremented when the security appliance receives an IPv4 or IPv6 packet in which the header length or total length fields in the IP header are not valid or do not conform to the received packet length.

Recommendation: None.

System messages: None.

invalid-ip-option

IP option configured drop

This counter is incremented when any unicast packet with IP options or a multicast packet with IP options that have not been configured to be accepted, is received by the security appliance. The packet is dropped.

Recommendation: Investigate why a packet with IP options is being sent by the sender.

System messages: None.

invalid-tcp-hdr-length

Invalid tcp length

This counter is incremented when the security appliance receives a TCP packet whose size is smaller than the minimum-allowed header length or does not conform to the received packet length.

Recommendation: The invalid packet could be a bogus packet being sent by an attacker. Investigate the traffic from the source in the following system message.

System messages: 500003.

invalid-udp-length

Invalid udp length

This counter is incremented when the security appliance receives a UDP packet whose size as calculated from the fields in the header is different from the measured size of the packet as received from the network.

Recommendation: The invalid packet could be a bogus packet being sent by an attacker.

System messages: None.

ips-fail-close

IPS card is down

This counter is incremented and the packet is dropped when the AIP SSM is down and the fail-close option was used in IPS inspection.

Recommendation: Check and bring up the AIP SSM.

System messages: 420001

ips-request

IPS Module requested drop

This counter is incremented and the packet is dropped as requested by the AIP SSM when the packet matches a signature on the IPS engine.

Recommendation: Check system messages and alerts on the AIP SSM.

System messages: 420002

ipsec-clearpkt-notun

IPSEC Clear Pkt w/no tunnel

This counter will increment when the security appliance receives a packet that should have been encrypted but was not. The packet matched the inner header security policy check of a configured and established IPSec connection on the security appliance but was received unencrypted. This is a security issue.

Recommendation: Analyze your network traffic to determine the source of the spoofed IPSec traffic.

System messages: 402117

ipsec-ipv6

IPSEC via IPV6

This counter will increment when the security appliance receives an IPSec ESP packet, IPSec NAT-T ESP packet, or an IPSec over UDP ESP packet encapsulated in an IPv6 header. The security appliance does not currently support any IPSec sessions encapsulated in IPv6.

Recommendation: None.

System messages: None.

ipsec-need-sa

IPSEC SA Not negotiated yet

This counter will increment when the security appliance receives a packet that requires encryption but has no established IPSec security association. This is generally a normal condition for LAN-to-LAN IPSec configurations. This indication will cause the security appliance to begin ISAKMP negotiations with the destination peer.

Recommendation: If you have configured IPSec LAN-to-LAN on your security appliance, this indication is normal and does not indicate a problem. However, if this counter increments rapidly it may indicate a crypto configuration error or network error preventing the ISAKMP negotiation from completing. Verify that you can communicate with the destination peer and verify your crypto configuration using the show running-config command.

System messages: None.

ipsec-spoof

IPSEC Spoof detected

This counter will increment when the security appliance receives a packet which should have been encrypted but was not. The packet matched the inner header security policy check of a configured and established IPSec connection on the security appliance but was received unencrypted. This is a security issue.

Recommendation: Analyze your network traffic to determine the source of the spoofed IPSec traffic.

System messages: 402117

ipsec-tun-down

IPSEC tunnel is down

This counter will increment when the security appliance receives a packet associated with an IPSec connection which is in the process of being deleted.

Recommendation: This is a normal condition when the IPSec tunnel is torn down for any reason.

System messages: None.

ipsecudp-keepalive

IPSEC/UDP keepalive message

This counter will increment when the security appliance receives an IPSec over UDP keepalive message. IPSec over UDP keepalive messages are sent from the IPSec peer to the security appliance to keep NAT/PAT flow information current in network devices between the IPSec over UDP peer and the security appliance.

Note These are not industry-standard NAT-T keepalive messages that are also carried over UDP and addressed to UDP port 4500.

Recommendation: If you have configured IPSec over UDP on your security appliance, this indication is normal and does not indicate a problem. If IPSec over UDP is not configured on your security appliance, analyze your network traffic to determine the source of the IPSec over UDP traffic.

System messages: None.

ipv6_sp-security-failed

IPv6 slowpath security checks failed

This counter is incremented and the packet is dropped for one of the following reasons:

An IPv6 through-the-box packet has the identical source and destination address.

An IPv6 through-the-box packet has a linklocal source or destination address.

An IPv6 through-the-box packet has a multicast destination address.

Recommendation: These packets could indicate malicious activity, or could be the result of a misconfigured IPv6 host. Use the packet capture feature to capture type asp packets, and use the source MAC address to identify the source.

System messages: For identical source and destination address, system message 106016.

l2_acl

FP L2 rule drop

This counter increments when the security appliance denies a packet due to an EtherType access list. The transparent mode security appliance permits the following traffic by default:

IPv4 traffic is allowed through the transparent firewall automatically from a higher security interface to a lower security interface, without an access list.

Note For Layer 3 traffic travelling from a low to a high security interface, an extended access list is required on the low security interface.

ARPs are allowed through the transparent firewall in both directions without an access list. ARP traffic can be controlled by ARP inspection.

In routed mode, some types of traffic cannot pass through the security appliance even if you allow it in an access list. The transparent firewall, however, can allow almost any traffic through using either an extended access list (for IP traffic) or an EtherType access list (for non-IP traffic).

Note The transparent mode security appliance does not pass CDP packets or IPv6 packets, or any packets that do not have a valid EtherType greater than or equal to 0x600. For example, you cannot pass IS-IS packets. An exception is made for BPDUs, which are supported.

Packets permitted by EtherType access lists might still be dropped by an extended access list.

The EtherType access list only supports EtherTypes and not Layer 2 destination MAC addresses.

The following destination MAC addresses are allowed through the transparent firewall. Any MAC address not on this list is dropped.

TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF

IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF

BPDU multicast address equal to 0100.0CCC.CCCD

Appletalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF

Recommendation: If your non-IP packets are dropped by the security appliance, you can configure an EtherType access list to permit the Layer 2 traffic.

System log messages: 106026, 106027

l2_same-lan-port

L2 Src/Dst same LAN port

This counter will increment when the security appliance or context is configured for transparent mode, and the security appliance determines that the destination interface's L2 MAC address is the same as its ingress interface.

Recommendation: This is a normal condition when the security appliance or context is configured for transparent mode. Since the security appliance interface is operating in promiscuous mode, the security appliance or context receives all packets on the local LAN segment.

System messages: None.

loopback-buffer-full

Loopback buffer full

This counter is incremented and the packet is dropped when packets are sent from one context of the security appliance to another context through a shared interface, and there is no buffer space in the loopback queue.

Recommendation: Check the system CPU to make sure it is not overloaded.

System messages: None.

lu-invalid-pkt

Invalid LU packet

The standby unit received a corrupted Logical Update packet.

Recommendation: The packet corruption could be caused by a bad cable, interface card, line noise, or software defect. If the interface appears to be functioning properly, then report the problem to Cisco TAC.

System messages: None.

natt-keepalive

NAT-T keepalive message

This counter will increment when the security appliance receives an IPSec NAT-T keepalive message. NAT-T keepalive messages are sent from the IPSec peer to the security appliance to keep NAT/PAT flow information current in network devices between the NAT-T IPSec peer and the security appliance.

Recommendation: If you have configured IPSec NAT-T on your security appliance, this indication is normal and does not indicate a problem. If NAT-T is not configured on your security appliance, analyze your network traffic to determine the source of the NAT-T traffic.

System messages: None

no-adjacency

No valid adjacency

This counter is incremented when the security appliance has tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.

Recommendation: Configure a capture for this drop reason and check if a host with the specified destination address exists on the connected network or is routable from the security appliance.

System messages: None.

no-mcast-entry

FP no mcast entry

This counter increments because of one of the following reasons:

A packet has arrived that matches a multicast flow, but the multicast service is no longer enabled, or was re-enabled after the flow was built.

Recommendation: Reenable multicast if it is disabled.

System messages: None.

A multicast entry change has been detected after a packet was punted to the CP, and the NP can no longer forward the packet since no entry is present.

Recommendation: None.

System messages: None.

no-mcast-intrf

FP no mcast output intrf

This counter increments because of one of the following reasons:

All output interfaces have been removed from the multicast entry.

Recommendation: Verify that there are no longer any receivers for this group.

System messages: None.

The multicast packet could not be forwarded.

Recommendation: Verify that a flow exists for this packet.

System messages: None.

no-route

No route to host

This counter is incremented when the security appliance tries to send a packet out of an interface and does not find a route for it in the routing table.

Recommendation: Verify that a route exists for the destination address obtained from the generated system message.

System messages: 110001

non-ip-pkt-in-routed-mode

Non-IP packet received in routed mode

This counter will increment when the security appliance receives a packet that is not an IPv4, IPv6, or ARP packet, and the security appliance or context is configured for routed mode. In normal operation such packets should be dropped.

Recommendation: This indicates that a software error should be reported to the Cisco TAC.

System messages: 106026, 106027

np-sp-invalid-spi

Invalid SPI

This counter increments when the security appliance receives an IPSec ESP packet addressed to the security appliance that specifies an SPI (security parameter index) not currently known by the security appliance.

Recommendation: Occasional invalid SPI indications are common, especially during rekey processing. Many invalid SPI indications may suggest a problem or DoS attack. If you are experiencing a high rate of invalid SPI indications, analyze your network traffic to determine the source of the ESP traffic.

System messages: 402114

punt-rate-limit

Punt rate limit exceeded

This counter will increment when the security appliance attempts to forward a Layer 2 packet to a rate-limited control point service routine, and the rate limit (per/second) is now being exceeded. Currently, the only Layer 2 packets destined for a control point service routine that are rate limited are ARP packets. The ARP packet rate limit is 500 ARPs per second per interface.

Recommendation: Analyze your network traffic to determine the reason behind the high rate of ARP packets.

System messages: 322002, 322003

queue-removed

Queued packet dropped

When the QoS configuration is changed or removed, the existing packets in the output queues awaiting transmission are dropped and this counter is incremented.

Recommendation: Under normal conditions, this may be seen when the QoS configuration has been changed by the user. If this occurs when no changes to the QoS configuration were performed, please contact Cisco TAC.

System messages: None.

rate-exceeded

QoS rate exceeded

This counter is incremented when rate-limiting (policing) is configured on an egress interface, and the egress traffic rate exceeds the burst rate configured. The counter is incremented fo each packet dropped.

Recommendation: Investigate and determine why the rate of traffic leaving the interface is higher than the configured rate. This may be normal, or could be an indication of virus or attempted attack.

System messages: None.

rpf-violated

Reverse-path verify failed

This counter is incremented when ip verify reverse-path is configured on an interface and the security appliance receives a packet for which the route lookup of the source IP did not yield the same interface as the one on which the packet was received.

Recommendation: Trace the source of traffic based on the source IP printed in the system message below, and investigate why it is sending spoofed traffic.

System messages: 106021

security-failed

Early security checks failed

This counter is incremented and the packet is dropped when the security appliance:

Receives an IPv4 multicast packet when the packet multicast MAC address does not match the packet multicast destination IP address

Receives an IPv6 or IPv4 teardrop fragment containing either small offset or fragment overlapping

Receives an IPv4 packet that matches an IP audit signature

Recommendation: Contact the remote peer administrator or escalate this issue according to your security policy. For detailed description and system messages for IP audit attack checks please refer the ip audit signature command.

System messages: 106020, 400xx in case of IP audit checks

send-ctm-error

Send to CTM returned error

This counter is obsolete in the security appliance and should never increment.

Recommendation: None.

System messages: None.

sp-security-failed

Slowpath security checks failed

This counter is incremented and the packet is dropped when the security appliance:

Is in routed mode and receives a through-the-box:

L2 broadcast packet

IPv4 packet with destination IP address equal to 0.0.0.0

IPv4 packet with source IP address equal to 0.0.0.0

Recommendation: Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.

System messages: 106016

Is in routed or transparent mode and receives a through-the-box IPv4 packet with:

The first octet of the source IP address is equal to zero

The source IP address is equal to the loopback IP address

Network part of the source IP address is equal to all 0s

The network part of the source IP address is equal to all 1s

The source IP address host part is equal to all 0s or all 1s

Recommendation: Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.

System messages: 106016

In routed or transparent mode and receives an IPv4 or IPv6 packet with the same source and destination IP addresses

Recommendation: If this message counter is incrementing rapidly, an attack may be in progress. Use the packet capture feature to capture type asp packets, and check the source MAC address in the packet to see where they are coming from.

System messages: 106017

tcp-3whs-failed

TCP failed 3 way handshake

This counter is incremented and the packet is dropped when security appliance receives an invalid TCP packet during the three-way handshake. For example, the SYN-ACK from a client will be dropped for this reason.

Recommendation: None.

System messages: None.

tcp-ack-syn-diff

TCP ACK in SYNACK invalid

This counter is incremented and the packet is dropped when the security appliance receives a SYN-ACK packet during the three-way handshake with an incorrect TCP acknowledgement number.

Recommendation: None.

System messages: None.

tcp-acked

TCP DUP and has been ACKed

This counter is incremented and the packet is dropped when the security appliance receives a retransmitted data packet and the data has been acknowledged by the peer TCP endpoint.

Recommendation: None.

System messages: None.

tcp-bad-option-len

Bad option length in TCP

This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with a TCP option set, but the option length does not match the length defined for that option in the TCP RFC.

Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a TCP endpoint is sending corrupted packets and an attack is in progress. Please use the packet capture feature to learn more about the origin of the packet.

System messages: None.

tcp-bad-option-list

TCP option list invalid

This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with a non-standard TCP header option.

Recommendation: To allow such TCP packets or clear non-standard TCP header options and then allow the packet, use the tcp-options command.

System messages: None.

tcp-bad-sack-allow

Bad TCP SACK ALLOW option

This counter is incremented and the packet is dropped when the appliance receives a TCP packet with the selective acknowledgement option, but the SYN flag is not set.

Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a TCP endpoint is sending corrupted packets and an attack is in progress. Please use the packet capture feature to learn more about the origin of the packet.

System messages: None.

tcp-bad-winscale

Bad TCP window scale value

This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with the window-scale option greater than 14.

Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a TCP endpoint is sending corrupted packets and an attack is in progress. Please use the packet capture feature to learn more about the origin of the packet.

System messages: None.

tcp-buffer-full

TCP packet buffer full

This counter is incremented and the packet is dropped when the security appliance receives an out-of-order TCP packet on a connection, and there is no buffer space to store this packet. Typically TCP packets are put into order on connections that are inspected by the security appliance or when packets are sent to an SSM for inspection. There is a default queue size, and when packets in excess of this default queue size are received they will be dropped.

Recommendation: On ASA platforms the queue size could be increased using the queue-size command.

System messages: None.

tcp-conn-limit

TCP Connection limit reached

This reason is given for dropping a TCP packet during the TCP connection establishment phase when the connection limit has been exceeded. The connection limit is configured using the set connection conn-max command.

Recommendation: If this is incrementing rapidly, check the system messages to determine which host's connection limit is reached. The connection limit may need to be increased if the traffic is normal, or the host may be under attack.

System messages: 201011

tcp-data-past-fin

TCP data send after FIN

This counter is incremented and the packet is dropped when the security appliance receives new a TCP data packet from an endpoint which had sent a FIN to close the connection.

Recommendation: None.

System messages: None.

tcp-discarded-ooo

TCP ACK in 3 way handshake invalid

This counter is incremented and the packet is dropped when the security appliance receives a TCP ACK packet from a client during the three-way-handshake and the sequence number is not the next expected sequence number.

Recommendation: None.

System messages: None.

tcp-dual-open

TCP Dual open denied

This counter is incremented and the packet is dropped when the security appliance receives a TCP SYN packet from the server and an embryonic TCP connection is already open.

Recommendation: None.

System messages: None.

tcp-fo-drop

TCP replicated flow pak drop

This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with a control flag like SYN, FIN, or RST on an established connection just after the security appliance has taken over as active unit.

Recommendation: None.

System messages: None.

tcp-invalid-ack

TCP invalid ACK

This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with an acknowledgement number greater than the data sent by the peer TCP endpoint.

Recommendation: None.

System messages: None.

tcp-mss-exceeded

TCP data exceeded MSS

This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with a data length greater than the MSS advertized by the peer TCP endpoint.

Recommendation: To allow such TCP packets, use the exceed-mss command.

System messages: 4419001

tcp-not-syn

First TCP packet not SYN

The security appliance received a non-SYN packet as the first packet of a non-intercepted and non-nailed connection.

Recommendation: Under normal conditions, this may be seen when the security appliance has already closed a connection, and the client or server still believe the connection is open, and continue to transmit data. Some examples where this may occur is just after a clear local-host or clear xlate command is issued. Also, if connections have not been recently removed, and the counter is incrementing rapidly, the security appliance may be under attack. Capture a sniffer trace to help isolate the cause.

System messages: 6106015

tcp-paws-fail

TCP packet failed PAWS test

This counter is incremented and the packet is dropped when a TCP packet with a timestamp header option fails the PAWS (Protect Against Wrapped Sequences) test.

Recommendation: To allow such connections to proceed, use the tcp-options command to clear the timestamp option.

System messages: None.

tcp-reserved-set

TCP reserved flags set

This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with reserved flags set in TCP header.

Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a TCP endpoint is sending corrupted packets and an attack is in progress. Please use the packet capture feature to learn more about the origin of the packet. To allow such TCP packets or clear reserved flags and then pass the packet, use the reserved-bits command.

System messages: None

tcp-rst-syn-in-win

TCP RST/SYN in window

This counter is incremented and the packet is dropped when the security appliance receives a TCP SYN or TCP RST packet on an established connection with a sequence number within the window, but not as the next expected sequence number.

Recommendation: None.

System messages: None.

tcp-rstfin-ooo

TCP RST/FIN out of order

This counter is incremented and the packet is dropped when the security appliance receives a RST or a FIN packet with the incorrect TCP sequence number.

Recommendation: None.

System messages: None.

tcp-seq-past-win

TCP packet SEQ past window

This counter is incremented and the packet is dropped when the security appliance receives a TCP data packet with a sequence number beyond the window allowed by the peer TCP endpoint.

Recommendation: None.

System messages: None.

tcp-seq-syn-diff

TCP SEQ in SYN/SYNACK invalid

This counter is incremented and the packet is dropped when the security appliance receives a SYN or SYN-ACK packet during the three-way handshake with an incorrect TCP sequence number.

Recommendation: None.

System messages: None.

tcp-syn-data

TCP SYN with data

This counter is incremented and the packet is dropped when the security appliance receives a TCP SYN packet with data.

Recommendation: To allow such TCP packets use the syn-data command.

System messages: None.

tcp-syn-ooo

TCP SYN on established conn

This counter is incremented and the packet is dropped when the security appliance receives a TCP SYN packet on an established TCP connection.

Recommendation: None.

System messages: None.

tcp-synack-data

TCP SYNACK with data

This counter is incremented and the packet is dropped when the security appliance receives a TCP SYN-ACK packet with data.

Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a TCP endpoint is sending corrupted packets and an attack is in progress. Please use the packet capture feature to learn more about the origin of the packet.

System messages: None.

tcp-synack-ooo

TCP SYNACK on established conn

This counter is incremented and the packet is dropped when the security appliance receives a TCP SYN-ACK packet on an established TCP connection.

Recommendation: None.

System messages: None.

tcp-winscale-no-syn

TCP Window scale on non-SYN

This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with the window-scale TCP option without SYN flag set.

Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a TCP endpoint is sending corrupted packets and an attack is in progress. Please use the packet capture feature to learn more about the origin of the packet.

System messages: None.

tcp_xmit_partial

TCP retransmission partial

This counter is incremented and the packet is dropped when the check-retransmission feature is enabled, and a partial TCP retransmission was received.

Recommendation: None.

System messages: None.

tcpnorm-rexmit-bad

TCP bad retransmission

This counter is incremented and the packet is dropped when the check-retransmission feature is enabled, and a TCP retransmission with different data from the original packet was received.

Recommendation: None.

System messages: None.

tcpnorm-win-variation

TCP unexpected window size variation

This counter is incremented and the packet is dropped when the window size advertised by the TCP endpoint is drastically changed without accepting that much data.

Recommendation: To allow such packet, use the window-variation command.

System messages: None.

tfw-no-mgmt-ip-config

No management IP address configured for TFW

This counter is incremented when the security appliance receives an IP packet in transparent mode and has no management IP address defined. The packet is dropped.

Recommendation: Configure the security appliance with a management IP address and mask values.

System messages: 322004

unable-to-add-flow

Flow hash full

This counter is incremented when a newly created flow is inserted into the flow hash table, and the insertion failed because the hash table was full. The flow and the packet are dropped. This is different from the counter that increments when the maximum connection limit is reached.

Recommendation: This message signifies a lack of resources on the security appliance to support an operation that should have been successful. Please check if the connections in the show conn output have exceeded their configured idle timeout values. If so, contact Cisco TAC.

System messages: None.

unable-to-create-flow

Flow denied due to resource limitation

This counter is incremented and the packet is dropped when flow creation fails due to a system resource limitation. The resource limit may be either:

System memory

Packet block extension memory

System connection limit

The first two causes occur simultaneously with flow drop reason "No memory to complete flow."

Recommendation:

Observe if free system memory is low.

Observe if flow drop reason "No memory to complete flow" occurs.

Observe if the connection count reaches the system connection limit using the show resource usage command.

System messages: None.

unexpected-packet

Unexpected packet

This counter is incremented when the security appliance in transparent mode receives a non-IP packet destined to its MAC address, but there is no corresponding service running on the security appliance to process the packet.

Recommendation: Verify if the security appliance is under attack. If there are no suspicious packets, or the security appliance is not in transparent mode, this counter is most likely being incremented due to a software error. Attempt to capture the traffic that is causing the counter to increment and contact the Cisco TAC.

System messages: None.

unsupport-ipv6-hdr

Unsupported IPV6 header

This counter is incremented and the packet is dropped if an IPv6 packet is received with an unsupported IPv6 extension header. The supported IPv6 extension headers are: TCP, UDP, ICMPv6, ESP, AH, Hop Options, Destination Options, and Fragment. The IPv6 routing extension header is not supported, and any extension header not listed above is not supported. IPv6 ESP and AH headers are supported only if the packet is through-the-box. To-the-box IPv6 ESP and AH packets are not supported and will be dropped.

Recommendation: This error may be due to a misconfigured host. If this error occurs repeatedly or in large numbers, it could also indicate spurious or malicious activity such as an attempted DoS attack.

System messages: None.

unsupported-ip-version

Unsupported IP version

This counter is incremented when the security appliance receives an IP packet that has an unsupported version in the version field of the IP header. Specifically, if the packet does not belong to version 4 or version 6, the packet is dropped.

Recommendation: Verify that other devices on the connected network are configured to send IP packets belonging to versions 4 or 6 only.

System messages: None.


Examples

The following is sample output from the show asp drop command, with the timestamp indicating when the last time the counters were cleared:

hostname# show asp drop

Frame drop:
  Flow is denied by configured rule (acl-drop)                                 3
  Dst MAC L2 Lookup Failed (dst-l2_lookup-fail)                             4110
  L2 Src/Dst same LAN port (l2_same-lan-port)                                760
  Expired flow (flow-expired)                                                  1

Last clearing: Never

Flow drop:
  Flow is denied by access rule (acl-drop)                                    24
  NAT failed (nat-failed)                                                  28739
  NAT reverse path failed (nat-rpf-failed)                                 22266
  Inspection failure (inspect-fail)                                        19433

Last clearing: 17:02:12 UTC Jan 17 2008 by enable_15

Related Commands

Command
Description

clear asp drop

Clears drop statistics for the accelerated security path.

show conn

Shows information about connections.


show asp table arp

To debug the accelerated security path ARP tables, use the show asp table arp command in privileged EXEC mode.

show asp table arp [interface interface_name] [address ip_address [netmask mask]]

Syntax Description

address ip_address

(Optional) Identifies an IP address for which you want to view ARP table entries.

interface interface_name

(Optional) Identifies a specific interface for which you want to view the ARP table.

netmask mask

(Optional) Sets the subnet mask for the IP address.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The show arp command shows the contents of the control plane, while the show asp table arp command shows the contents of the accelerated security path, which might help you troubleshoot a problem. See the Cisco Security Appliance Command Line Configuration Guide for more information about the accelerated security path. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp table arp command:

hostname# show asp table arp

Context: single_vf, Interface: inside
  10.86.194.50                            Active   000f.66ce.5d46 hits 0
  10.86.194.1                             Active   00b0.64ea.91a2 hits 638
  10.86.194.172                           Active   0001.03cf.9e79 hits 0
  10.86.194.204                           Active   000f.66ce.5d3c hits 0
  10.86.194.188                           Active   000f.904b.80d7 hits 0

Context: single_vf, Interface: identity
  ::                                      Active   0000.0000.0000 hits 0
  0.0.0.0                                 Active   0000.0000.0000 hits 50208

Related Commands

Command
Description

show arp

Shows the ARP table.

show arp statistics

Shows ARP statistics.


show asp table classify

To debug the accelerated security path classifier tables, use the show asp table classify command in privileged EXEC mode. The classifier examines properties of incoming packets, such as protocol, and source and destination address, to match each packet to an appropriate classification rule. Each rule is labeled with a classification domain that determines what types of actions are performed, such as dropping a packet or allowing it through.

show asp table classify [hit | crypto | domain domain_name | interface interface_name]

Syntax Description

crypto

(Optional) Shows the encrypt, decrypt, and ipsec tunnel flow domains only.

domain domain_name

(Optional) Shows entries for a specific classifier domain. See "Usage Guidelines" for a list of domains.

hits

(Optional) Shows classifier entries which have non-zero hits values

interface interface_name

(Optional) Identifies a specific interface for which you want to view the classifier table.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.

7.2(4)

Added the hits option, and the timestamp indicating when the last time the asp table counters were cleared.


Usage Guidelines

The show asp table classifier command shows the classifier contents of the accelerated security path, which might help you troubleshoot a problem. See the Cisco Security Appliance Command Line Configuration Guide for more information about the accelerated security path. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Classifier domains include the following:

aaa-acct
aaa-auth
aaa-user
accounting
arp
capture
capture
conn-nailed
conn-set
ctcp
decrypt
encrypt
established
filter-activex
filter-ftp
filter-https
filter-java
filter-url
host
ids
inspect
inspect-ctiqbe
inspect-dns
inspect-dns-ids
inspect-ftp
inspect-ftp-data
inspect-gtp
inspect-h323
inspect-http
inspect-icmp
inspect-icmp-error
inspect-ils
inspect-mgcp
inspect-netbios
inspect-pptp
inspect-rsh
inspect-rtsp
inspect-sip
inspect-skinny
inspect-smtp
inspect-snmp
inspect-sqlnet
inspect-sqlnet-plus
inspect-sunrpc
inspect-tftp
inspect-xdmcp
ipsec-natt
ipsec-tunnel-flow
ipsec-user
limits
lu
mac-permit
mgmt-lockdown
mgmt-tcp-intercept
multicast
nat
nat-exempt
nat-exempt-reverse
nat-reverse
null
permit
permit-ip-option
permit-log
pim
ppp
priority-q
punt
punt-l2
punt-root
qos
qos-per-class
qos-per-dest
qos-per-flow
qos-per-source
shun
tcp-intercept

Examples

The following is sample output from the show asp table classify command:

hostname# show asp table classify

Interface test:
in  id=0x36f3800, priority=10, domain=punt, deny=false
        hits=0, user_data=0x0, flags=0x0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.86.194.60, mask=255.255.255.255, port=0
in  id=0x33d3508, priority=99, domain=inspect, deny=false
        hits=0, user_data=0x0, use_real_addr, flags=0x0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
in  id=0x33d3978, priority=99, domain=inspect, deny=false
        hits=0, user_data=0x0, use_real_addr, flags=0x0
        src ip=0.0.0.0, mask=0.0.0.0, port=53
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
...

The following is sample output from the show asp table classify hits command with a record of the last clearing hits counters:

Interface mgmt: 
in id=0x494cd88, priority=210, domain=permit, deny=true 
hits=54, user_data=0x1, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, 
mask=0.0.0.0, port=0 dst ip=255.255.255.255, mask=255.255.255.255, port=0, 
dscp=0x0 
in id=0x494d1b8, priority=112, domain=permit, deny=false 
hits=1, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1 src ip=0.0.0.0, 
mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 

Interface inside: 
in id=0x48f1580, priority=210, domain=permit, deny=true 
hits=54, user_data=0x1, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, 
mask=0.0.0.0, port=0 dst ip=255.255.255.255, mask=255.255.255.255, port=0, 
dscp=0x0 
in id=0x48f09e0, priority=1, domain=permit, deny=false 
hits=101, user_data=0x0, cs_id=0x0, l3_type=0x608 src mac=0000.0000.0000, 
mask=0000.0000.0000 dst mac=0000.0000.0000, mask=0000.0000.0000 
Interface outside: 
in id=0x48c0970, priority=210, domain=permit, deny=true 
hits=54, user_data=0x1, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, 
mask=0.0.0.0, port=0 dst ip=255.255.255.255, mask=255.255.255.255, port=0, 
dscp=0x0 

Related Commands

Command
Description

show asp drop

Shows the accelerated security path counters for dropped packets.


show asp table interfaces

To debug the accelerated security path interface tables, use the show asp table interfaces command in privileged EXEC mode.

show asp table interfaces

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The show asp table interfaces command shows the interface table contents of the accelerated security path, which might help you troubleshoot a problem. See the Cisco Security Appliance Command Line Configuration Guide for more information about the accelerated security path. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp table interfaces command:

hostname# show asp table interfaces

** Flags: 0x0001-DHCP, 0x0002-VMAC, 0x0010-Ident Ifc, 0x0020-HDB Initd,
   0x0040-RPF Enabled
Soft-np interface 'dmz' is up
    context single_vf, nicnum 0, mtu 1500
        vlan 300, Not shared, seclvl 50
        0 packets input, 1 packets output
        flags 0x20

Soft-np interface 'foo' is down
    context single_vf, nicnum 2, mtu 1500
        vlan <None>, Not shared, seclvl 0
        0 packets input, 0 packets output
        flags 0x20

Soft-np interface 'outside' is down
    context single_vf, nicnum 1, mtu 1500
        vlan <None>, Not shared, seclvl 50
        0 packets input, 0 packets output
        flags 0x20

Soft-np interface 'inside' is up
    context single_vf, nicnum 0, mtu 1500
        vlan <None>, Not shared, seclvl 100
        680277 packets input, 92501 packets output
        flags 0x20
...

Related Commands

Command
Description

interface

Configures an interface and enters interface configuration mode.

show interface

Displays the runtime status and statistics of interfaces.


show asp table routing

To debug the accelerated security path routing tables, use the show asp table routing command in privileged EXEC mode. This command supports IPv4 and IPv6 addresses.

show asp table routing [input | output] [address ip_address [netmask mask] | interface interface_name]

Syntax Description

address ip_address

Sets the IP address for which you want to view routing entries. For IPv6 addresses, you can include the subnet mask as a slash (/) followed by the prefix (0 to 128). For example, enter the following:

fe80::2e0:b6ff:fe01:3b7a/128

input

Shows the entries from the input route table.

interface interface_name

(Optional) Identifies a specific interface for which you want to view the routing table.

netmask mask

For IPv4 addresses, specifies the subnet mask.

output

Shows the entries from the output route table.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The show asp table routing command shows the routing table contents of the accelerated security path, which might help you troubleshoot a problem. See the Cisco Security Appliance Command Line Configuration Guide for more information about the accelerated security path. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp table routing command:

hostname# show asp table routing

in   255.255.255.255 255.255.255.255 identity
in   224.0.0.9       255.255.255.255 identity
in   10.86.194.60    255.255.255.255 identity
in   10.86.195.255   255.255.255.255 identity
in   10.86.194.0     255.255.255.255 identity
in   209.165.202.159 255.255.255.255 identity
in   209.165.202.255 255.255.255.255 identity
in   209.165.201.30  255.255.255.255 identity
in   209.165.201.0   255.255.255.255 identity
in   10.86.194.0     255.255.254.0   inside
in   224.0.0.0       240.0.0.0       identity
in   0.0.0.0         0.0.0.0         inside
out  255.255.255.255 255.255.255.255 foo
out  224.0.0.0       240.0.0.0       foo
out  255.255.255.255 255.255.255.255 test
out  224.0.0.0       240.0.0.0       test
out  255.255.255.255 255.255.255.255 inside
out  10.86.194.0     255.255.254.0   inside
out  224.0.0.0       240.0.0.0       inside
out  0.0.0.0         0.0.0.0         via 10.86.194.1, inside
out  0.0.0.0         0.0.0.0         via 0.0.0.0, identity
out  ::              ::              via 0.0.0.0, identity

Related Commands

Command
Description

show route

Shows the routing table in the control plane.


show asp table vpn-context

To debug the accelerated security path VPN context tables, use the show asp table vpn-context command in privileged EXEC mode.

show asp table vpn-context [detail]

Syntax Description

detail

(Optional) Shows additional detail for the VPN context tables.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The show asp table vpn-context command shows the VPN context contents of the accelerated security path, which might help you troubleshoot a problem. See the Cisco Security Appliance Command Line Configuration Guide for more information about the accelerated security path. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp table vpn-context command:

hostname# show asp table vpn-context

VPN ID=0058070576, DECR+ESP, UP, pk=0000000000, rk=0000000000, gc=0
VPN ID=0058193920, ENCR+ESP, UP, pk=0000000000, rk=0000000000, gc=0
VPN ID=0058168568, DECR+ESP, UP, pk=0000299627, rk=0000000061, gc=2
VPN ID=0058161168, ENCR+ESP, UP, pk=0000305043, rk=0000000061, gc=1
VPN ID=0058153728, DECR+ESP, UP, pk=0000271432, rk=0000000061, gc=2
VPN ID=0058150440, ENCR+ESP, UP, pk=0000285328, rk=0000000061, gc=1
VPN ID=0058102088, DECR+ESP, UP, pk=0000268550, rk=0000000061, gc=2
VPN ID=0058134088, ENCR+ESP, UP, pk=0000274673, rk=0000000061, gc=1
VPN ID=0058103216, DECR+ESP, UP, pk=0000252854, rk=0000000061, gc=2
...

The following is sample output from the show asp table vpn-context detail command:

hostname# show asp table vpn-context detail

VPN Ctx  = 0058070576 [0x03761630]
State    = UP
Flags    = DECR+ESP
SA       = 0x037928F0
SPI      = 0xEA0F21F0
Group    = 0
Pkts     = 0
Bad Pkts = 0
Bad SPI  = 0
Spoof    = 0
Bad Crypto = 0
Rekey Pkt  = 0
Rekey Call = 0
 
VPN Ctx  = 0058193920 [0x0377F800]
State    = UP
Flags    = ENCR+ESP
SA       = 0x037B4B70
SPI      = 0x900FDC32
Group    = 0
Pkts     = 0
Bad Pkts = 0
Bad SPI  = 0
Spoof    = 0
Bad Crypto = 0
Rekey Pkt  = 0
Rekey Call = 0
...

Related Commands

Command
Description

show asp drop

Shows the accelerated security path counters for dropped packets.


show blocks

To show the packet buffer utilization, use the show blocks command in privileged EXEC mode.

show blocks [{address hex | all | assigned | free | old | pool size [summary]} [diagnostics | dump | header | packet] | queue history [detail]]

Syntax Description

address hex

(Optional) Shows a block corresponding to this address, in hexadecimal.

all

(Optional) Shows all blocks.

assigned

(Optional) Shows blocks that are assigned and in use by an application.

detail

(Optional) Shows a portion (128 bytes) of the first block for each unique queue type.

dump

(Optional) Shows the entire block contents, including the header and packet information. The difference between dump and packet is that dump includes additional information between the header and the packet.

diagnostics

(Optional) Shows block diagnostics.

free

(Optional) Shows blocks that are available for use.

header

(Optional) Shows the header of the block.

old

(Optional) Shows blocks that were assigned more than a minute ago.

packet

(Optional) Shows the header of the block as well as the packet contents.

pool size

(Optional) Shows blocks of a specific size.

queue history

(Optional) Shows where blocks are assigned when the security appliance runs out of blocks. Sometimes, a block is allocated from the pool but never assigned to a queue. In that case, the location is the code address that allocated the block.

summary

(Optional) Shows detailed information about block usage sorted by the program addresses of applications that allocated blocks in this class, program addresses of applications that released blocks in this class, and the queues to which valid blocks in this class belong.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

The pool summary option was added.


Usage Guidelines

The show blocks command helps you determine if the security appliance is overloaded. This command lists preallocated system buffer utilization. A full memory condition is not a problem as long as traffic is moving through the security appliance. You can use the show conn command to see if traffic is moving. If traffic is not moving and the memory is full, there may be a problem.

You can also view this information using SNMP.

The information shown in a security context includes the system-wide information as well as context-specific information about the blocks in use and the high water mark for block usage.

See the "Examples" section for a description of the display output.

Examples

The following is sample output from the show blocks command in single mode:

hostname# show blocks
SIZE    MAX    LOW    CNT
     4   1600   1598   1599
    80    400    398    399
   256   3600   3540   3542
  1550   4716   3177   3184
 16384     10     10     10
  2048   1000   1000   1000

Table 7-5 shows each field description.

Table 7-5 show blocks Fields 

Field
Description

SIZE

Size, in bytes, of the block pool. Each size represents a particular type. Examples are shown below.

4

Duplicates existing blocks in applications such as DNS, ISAKMP, URL filtering, uauth, TFTP, and TCP modules.

80

Used in TCP intercept to generate acknowledgment packets and for failover hello messages.

256

Used for Stateful Failover updates, syslogging, and other TCP functions.

These blocks are mainly used for Stateful Failover messages. The active security appliance generates and sends packets to the standby security appliance to update the translation and connection table. In bursty traffic, where high rates of connections are created or torn down, the number of available blocks might drop to 0. This situation indicates that one or more connections were not updated to the standby security appliance. The Stateful Failover protocol catches the missing translation or connection the next time. If the CNT column for 256-byte blocks stays at or near 0 for extended periods of time, then the security appliance is having trouble keeping the translation and connection tables synchronized because of the number of connections per second that the security appliance is processing.

Syslog messages sent out from the security appliance also use the 256-byte blocks, but they are generally not released in such quantity to cause a depletion of the 256-byte block pool. If the CNT column shows that the number of 256-byte blocks is near 0, ensure that you are not logging at Debugging (level 7) to the syslog server. This is indicated by the logging trap line in the security appliance configuration. We recommend that you set logging at Notification (level 5) or lower, unless you require additional information for debugging purposes.

1550

Used to store Ethernet packets for processing through the security appliance.

When a packet enters a security appliance interface, it is placed on the input interface queue, passed up to the operating system, and placed in a block. The security appliance determines whether the packet should be permitted or denied based on the security policy and processes the packet through to the output queue on the outbound interface. If the security appliance is having trouble keeping up with the traffic load, the number of available blocks will hover close to 0 (as shown in the CNT column of the command output). When the CNT column is zero, the security appliance attempts to allocate more blocks, up to a maximum of 8192. If no more blocks are available, the security appliance drops the packet.

16384

Only used for the 64-bit, 66-MHz Gigabit Ethernet cards (i82543).

See the description for 1550 for more information about Ethernet packets.

2048

Control or guided frames used for control updates.

MAX

Maximum number of blocks available for the specified byte block pool. The maximum number of blocks are carved out of memory at bootup. Typically, the maximum number of blocks does not change. The exception is for the 256- and 1550-byte blocks, where the security appliance can dynamically create more when needed, up to a maximum of 8192.

LOW

Low-water mark. This number indicates the lowest number of this size blocks available since the security appliance was powered up, or since the last clearing of the blocks (with the clear blocks command). A zero in the LOW column indicates a previous event where memory was full.

CNT

Current number of blocks available for that specific size block pool. A zero in the CNT column means memory is full now.


The following is sample output from the show blocks all command:

hostname# show blocks all
Class 0, size 4
     Block   allocd_by    freed_by  data size    alloccnt     dup_cnt  oper location
0x01799940  0x00000000  0x00101603          0           0           0 alloc not_specified
0x01798e80  0x00000000  0x00101603          0           0           0 alloc not_specified
0x017983c0  0x00000000  0x00101603          0           0           0 alloc not_specified

...

    Found 1000 of 1000 blocks
    Displaying 1000 of 1000 blocks

Table 7-6 shows each field description.

Table 7-6 show blocks all Fields

Field
Description

Block

The block address.

allocd_by

The program address of the application that last used the block (0 if not used).

freed_by

The program address of the application that last released the block.

data size

The size of the application buffer/packet data that is inside the block.

alloccnt

The number of times this block has been used since the block came into existence.

dup_cnt

The current number of references to this block if used: 0 means 1 reference, 1 means 2 references.

oper

One of the four operations that was last performed on the block: alloc, get, put, or free.

location

The application that uses the block, or the program address of the application that last allocated the block (same as the allocd_by field).


The following is sample output from the show blocks command in a context:

hostname/contexta# show blocks
  SIZE    MAX    LOW    CNT  INUSE   HIGH
     4   1600   1599   1599      0      0
    80    400    400    400      0      0
   256   3600   3538   3540      0      1
  1550   4616   3077   3085      0      0

The following is sample output from the show blocks queue history command:

hostname# show blocks queue history
Each Summary for User and Queue_type is followed its top 5 individual queues
Block Size: 4
Summary for User "http", Queue "tcp_unp_c_in", Blocks 1595, Queues 1396
Blk_cnt Q_cnt Last_Op Queue_Type        User      Context
    186     1 put                                 contexta
     15     1 put                                 contexta
      1     1 put                                 contexta
      1     1 put                                 contextb
      1     1 put                                 contextc
Summary for User "aaa", Queue "tcp_unp_c_in", Blocks 220, Queues 200
Blk_cnt Q_cnt Last_Op Queue_Type        User      Context
     21     1 put                                 contexta
      1     1 put                                 contexta
      1     1 put                                 contexta
      1     1 put                                 contextb
      1     1 put                                 contextc
Blk_cnt Q_cnt Last_Op Queue_Type        User      Context
    200     1 alloc   ip_rx             tcp       contexta
    108     1 get     ip_rx             udp       contexta
     85     1 free    fixup             h323_ras  contextb
     42     1 put     fixup             skinny    contextb

Block Size: 1550
Summary for User "http", Queue "tcp_unp_c_in", Blocks 1595, Queues 1000
Blk_cnt Q_cnt Last_Op Queue_Type        User      Context
    186     1 put                                 contexta
     15     1 put                                 contexta
      1     1 put                                 contexta
      1     1 put                                 contextb
      1     1 put                                 contextc
...

The following is sample output from the show blocks queue history detail command:

hostname# show blocks queue history detail
History buffer memory usage: 2136 bytes (default)
Each Summary for User and Queue type is followed its top 5 individual queues
Block Size: 4
Summary for User "http", Queue_Type "tcp_unp_c_in", Blocks 1595, Queues 1396
Blk_cnt Q_cnt Last_Op Queue_Type        User      Context
    186     1 put                                 contexta
     15     1 put                                 contexta
      1     1 put                                 contexta
      1     1 put                                 contextb
      1     1 put                                 contextc
 First Block information for Block at 0x.....
  dup_count 0, flags 0x8000000, alloc_pc 0x43ea2a,
  start_addr 0xefb1074, read_addr 0xefb118c, write_addr 0xefb1193
  urgent_addr 0xefb118c, end_addr 0xefb17b2
  0efb1150: 00 00 00 03 47 c5 61 c5 00 05 9a 38 76 80 a3 00  |  ....G.a....8v...
  0efb1160: 00 0a 08 00 45 00 05 dc 9b c9 00 00 ff 06 f8 f3  |  ....E...........
  0efb1170: 0a 07 0d 01 0a 07 00 50 00 17 cb 3d c7 e5 60 62  |  .......P...=..`b
  0efb1180: 7e 73 55 82 50 18 10 00 45 ca 00 00 2d 2d 20 49  |  ~sU.P...E...-- I
  0efb1190: 50 20 2d 2d 0d 0a 31 30 2e 37 2e 31 33 2e 31 09  |  P --..10.7.13.1.
  0efb11a0: 3d 3d 3e 09 31 30 2e 37 2e 30 2e 38 30 0d 0a 0d  |  ==>.10.7.0.80...

Summary for User "aaa", Queue "tcp_unp_c_in", Blocks 220, Queues 200
Blk_cnt Q_cnt Last_Op Queue_Type        User      Context
     21     1 put                                 contexta
      1     1 put                                 contexta
      1     1 put                                 contexta
      1     1 put                                 contextb
      1     1 put                                 contextc
 First Block information for Block at 0x.....
  dup_count 0, flags 0x8000000, alloc_pc 0x43ea2a,
  start_addr 0xefb1074, read_addr 0xefb118c, write_addr 0xefb1193
  urgent_addr 0xefb118c, end_addr 0xefb17b2
  0efb1150: 00 00 00 03 47 c5 61 c5 00 05 9a 38 76 80 a3 00  |  ....G.a....8v...
  0efb1160: 00 0a 08 00 45 00 05 dc 9b c9 00 00 ff 06 f8 f3  |  ....E...........
  0efb1170: 0a 07 0d 01 0a 07 00 50 00 17 cb 3d c7 e5 60 62  |  .......P...=..`b
  0efb1180: 7e 73 55 82 50 18 10 00 45 ca 00 00 2d 2d 20 49  |  ~sU.P...E...-- I
  0efb1190: 50 20 2d 2d 0d 0a 31 30 2e 37 2e 31 33 2e 31 09  |  P --..10.7.13.1.
  0efb11a0: 3d 3d 3e 09 31 30 2e 37 2e 30 2e 38 30 0d 0a 0d  |  ==>.10.7.0.80...
...

total_count: total buffers in this class

The following is sample output from the show blocks pool summary command:

hostname# show blocks pool 1550 summary
Class 3, size 1550

=================================================
         total_count=1531    miss_count=0
Alloc_pc        valid_cnt       invalid_cnt
0x3b0a18        00000256        00000000
         0x01ad0760 0x01acfe00 0x01acf4a0 0x01aceb40 00000000 0x00000000
0x3a8f6b        00001275        00000012
         0x05006aa0 0x05006140 0x050057e0 0x05004520 00000000 
0x00000000

=================================================
         total_count=9716    miss_count=0
Freed_pc        valid_cnt       invalid_cnt
0x9a81f3        00000104        00000007
         0x05006140 0x05000380 0x04fffa20 0x04ffde00 00000000 0x00000000
0x9a0326        00000053        00000033
         0x05006aa0 0x050057e0 0x05004e80 0x05003260 00000000 0x00000000
0x4605a2        00000005        00000000
         0x04ff5ac0 0x01e8e2e0 0x01e2eac0 0x01e17d20 00000000 0x00000000
...
=================================================
         total_count=1531    miss_count=0
Queue   valid_cnt       invalid_cnt
0x3b0a18        00000256        00000000  Invalid Bad qtype
         0x01ad0760 0x01acfe00 0x01acf4a0 0x01aceb40 00000000 0x00000000
0x3a8f6b        00001275        00000000  Invalid Bad qtype
         0x05006aa0 0x05006140 0x050057e0 0x05004520 00000000 
0x00000000

=================================================
free_cnt=8185  fails=0  actual_free=8185  hash_miss=0
   03a8d3e0  03a8b7c0  03a7fc40  03a6ff20  03a6f5c0  03a6ec60 kao-f1#

Table 7-7 shows each field description.

Table 7-7 show blocks pool summary Fields

Field
Description

total_count

The number of blocks for a given class.

miss_count

The number of blocks not reported in the specified category due to technical reasons.

Freed_pc

The program addresses of applications that released blocks in this class.

Alloc_pc

The program addresses of applications that allocated blocks in this class.

Queue

The queues to which valid blocks in this class belong.

valid_cnt

The number of blocks that are currently allocated.

invalid_cnt

The number of blocks that are not currently allocated.

Invalid Bad qtype

Either this queue has been freed and the contents are invalid or this queue was never initialized.

Valid tcp_usr_conn_inp

The queue is valid.


Related Commands

Command
Description

blocks

Increases the memory assigned to block diagnostics

clear blocks

Clears the system buffer statistics.

show conn

Shows active connections.


show bootvar

To show the boot file and configuration properties, use the show boot command in privileged configuration mode.

show bootvar

Syntax Description

show bootvar

The system boot properties.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged Mode

·

·

·

·

·


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The BOOT variable specifies a list of bootable images on various devices. The CONFIG_FILE variable specifies the configuration file used during system initialization. Set these variables with the boot system command, and boot config command, respectively.

Examples

The following example, the BOOT variable contains disk0:/f1_image, which is the image booted when the system reloads. The current value of BOOT is disk0:/f1_image; disk0:/f1_backupimage. This meansboot variable has been modified with the boot system command, but the running configuration has notbeen saved with the write memory command. When the running config is saved, the BOOT variable and current BOOT variable will both be disk0:/f1_image; disk0:/f1_backupimage. Assuming the running configuration is saved the boot loader will attempt to load the contents of the BOOT variable, starting with disk0:/f1image, but if that is not present or invalid, it will attempt to boot disk0:1/f1_backupimage.

The CONFIG_FILE variable points to the system startup configuration. In this example it is not set, so the startup configuration file is the default specified with the boot config command. The current CONFIG_FILE variable may be modified with the boot config command and saved with the write memory command.

hostname# show bootvar
BOOT variable = disk0:/f1_image
Current BOOT variable = disk0:/f1_image; disk0:/f1_backupimage
CONFIG_FILE variable = 
Current CONFIG_FILE variable = 
hostname# 

Related Commands

Command
Description

boot

Specifies the configuration file or image file used at startup.


show capture

To display the capture configuration when no options are specified, use the show capture command.

show capture [capture_name] [access-list access_list_name] [count number] [decode] [detail] [dump] [packet-number number]

Syntax Description

capture_name

(Optional) Name of the packet capture.

access-list access_list_name

(Optional) Displays information for packets that are based on IP or higher fields for the specific access list identification.

count number

(Optional) Displays the number of packets specified data.

decode

This option is useful when a capture of type isakmp is applied to an interface. All isakmp data flowing through that interface will be captured after decryption and shown with more information after decoding the fields.

detail

(Optional) Displays additional protocol information for each packet.

dump

(Optional) Displays a hexadecimal dump of the packets that are transported over the data link transport.

packet-number number

Starts the display at the specified packet number.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

PIX Version 7.0

Support for this command was introduced on the security appliance.


Usage Guidelines

If you specify the capture_name, then the capture buffer contents for that capture are displayed.

The dump keyword does not display MAC information in the hexadecimal dump.

The decoded output of the packets depend on the protocol of the packet. In Table 7-8, the bracketed output is displayed when you specify the detail keyword.

Table 7-8 Packet Capture Output Formats 

Packet Type
Capture Output Format

802.1Q

HH:MM:SS.ms [ether-hdr] VLAN-info encap-ether-packet

ARP

HH:MM:SS.ms [ether-hdr] arp-type arp-info

IP/ICMP

HH:MM:SS.ms [ether-hdr] ip-source > ip-destination: icmp: icmp-type icmp-code [checksum-failure]

IP/UDP

HH:MM:SS.ms [ether-hdr] src-addr.src-port dest-addr.dst-port: [checksum-info] udp payload-len

IP/TCP

HH:MM:SS.ms [ether-hdr] src-addr.src-port dest-addr.dst-port: tcp-flags [header-check] [checksum-info] sequence-number ack-number tcp-window urgent-info tcp-options

IP/Other

HH:MM:SS.ms [ether-hdr] src-addr dest-addr: ip-protocol ip-length

Other

HH:MM:SS.ms ether-hdr: hex-dump


Examples

This example shows how to display the capture configuration:

hostname(config)# show capture
capture arp ethernet-type arp interface outside
capture http access-list http packet-length 74 interface inside

This example shows how to display the packets that are captured by an ARP capture:

hostname(config)# show capture arp
2 packets captured
19:12:23.478429 arp who-has 171.69.38.89 tell 171.69.38.10
19:12:26.784294 arp who-has 171.69.38.89 tell 171.69.38.10
2 packets shown

Related Commands

Command
Description

capture

Enables packet capture capabilities for packet sniffing and network fault isolation.

clear capture

Clears the capture buffer.

copy capture

Copies a capture file to a server.


show chardrop

To display the count of characters dropped from the serial console, use the show chardrop command in privileged EXEC mode.

show chardrop

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following is sample output from the show chardrop command:

hostname# show chardrop

Chars dropped pre-TxTimeouts: 0, post-TxTimeouts: 0

Related Commands

Command
Description

show running-config

Shows the current operating configuration.


show checkheaps

To show the checkheaps statistics, use the show checkheaps command in privileged EXEC mode. Checkheaps is a periodic process that verifies the sanity of the heap memory buffers (dynamic memory is allocated from the system heap memory region) and the integrity of the code region.

show checkheaps

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following is sample output from the show checkheaps command:

hostname# show checkheaps

Checkheaps stats from buffer validation runs
--------------------------------------------
Time elapsed since last run     : 42 secs
Duration of last run            : 0 millisecs
Number of buffers created       : 8082
Number of buffers allocated     : 7808
Number of buffers free          : 274
Total memory in use             : 43570344 bytes
Total memory in free buffers    : 87000 bytes
Total number of runs            : 310

Related Commands

Command
Description

checkheaps

Sets the checkheap verification intervals.


show checksum

To display the configuration checksum, use the show checksum command in privileged EXEC mode.

show checksum

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

·

·

·

·

 

Command History

Release
Modification

7.0

Support for this command was introduced on the security appliance.


Usage Guidelines

The show checksum command allows you to display four groups of hexadecimal numbers that act as a digital summary of the configuration contents. This checksum is calculated only when you store the configuration in Flash memory.

If a dot (".") appears before the checksum in the show config or show checksum command output, the output indicates a normal configuration load or write mode indicator (when loading from or writing to the security appliance Flash partition). The "." shows that the security appliance is preoccupied with the operation but is not "hung up." This message is similar to a "system processing, please wait" message.

Examples

This example shows how to display the configuration or the checksum:

hostname(config)# show checksum
Cryptochecksum: 1a2833c0 129ac70b 1a88df85 650dbb81

show chunkstat

To display the chunk statistics, use the show chunkstat command in privileged EXEC mode.

show chunkstat

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

This example shows how to display the chunk statistics:

hostname# show chunkstat
Global chunk statistics: created 181, destroyed 34, siblings created 94, siblings 
destroyed 34

Per-chunk statistics: siblings created 0, siblings trimmed 0
Dump of chunk at 01edb4cc, name "Managed Chunk Queue Elements", data start @ 01edbd24, end 
@ 01eddc54
next: 01eddc8c, next_sibling: 00000000, prev_sibling: 00000000
flags 00000001
maximum chunk elt's: 499, elt size: 16, index first free 498
# chunks in use: 1, HWM of total used: 1, alignment: 0
Per-chunk statistics: siblings created 0, siblings trimmed 0
Dump of chunk at 01eddc8c, name "Registry Function List", data start @ 01eddea4, end @ 
01ede348
next: 01ede37c, next_sibling: 00000000, prev_sibling: 00000000
flags 00000001
maximum chunk elt's: 99, elt size: 12, index first free 42
# chunks in use: 57, HWM of total used: 57, alignment: 0

Related Commands

Command
Description

show counters

Displays the protocol stack counters.

show cpu

Displays the CPU utilization information.


show clock

To view the time on the security appliance, use the show clock command in user EXEC mode.

show clock [detail]

Syntax Description

detail

(Optional) Indicates the clock source (NTP or user configuration) and the current summer-time setting (if any).


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

The following is sample output from the show clock command:

hostname> show clock
12:35:45.205 EDT Tue Jul 27 2004

The following is sample output from the show clock detail command:

hostname> show clock detail
12:35:45.205 EDT Tue Jul 27 2004
Time source is user configuration
Summer time starts 02:00:00 EST Sun Apr 4 2004
Summer time ends 02:00:00 EDT Sun Oct 31 2004

Related Commands

Command
Description

clock set

Manually sets the clock on the security appliance.

clock summer-time

Sets the date range to show daylight saving time.

clock timezone

Sets the time zone.

ntp server

Identifies an NTP server.

show ntp status

Shows the status of the NTP association.


show conn

To display the connection state for the designated connection type, use the show conn command in privileged EXEC mode. This command supports IPv4 and IPv6 addresses.

show conn [count | [all] [detail] [long] [state state_type] [protocol {tcp | udp}] [address src_ip[-src_ip] [netmask mask]] [port src_port[-src_port]] [address dest_ip[-dest_ip] [netmask mask]] [port dest_port[-dest_port]]]

Syntax Description

address

(Optional) Displays connections with the specified source or destination IP address.

all

(Optional) Displays connections that are to the device or from the device, in addition to through-traffic connections.

count

(Optional) Displays the number of active connections.

dest_ip

(Optional) Specifies the destination IP address (IPv4 or IPv6). To specify a range, separate the IP addresses with a dash (-), For example:

10.1.1.1-10.1.1.5

dest_port

(Optional) Specifies the destination port number. To specify a range, separate the port numbers with a dash (-), For example:

1000-2000

detail

(Optional) Displays connections in detail, including translation type and interface information.

long

(Optional) Displays connections in long format.

netmask mask

(Optional) Specifies a subnet mask for use with the given IP address.

port

(Optional) Displays connections with the specified source or destination port.

protocol {tcp | udp}

(Optional) Specifies the connection protocol, tcp or udp.

src_ip

(Optional) Specifies the source IP address (IPv4 or IPv6). To specify a range, separate the IP addresses with a dash (-), For example:

10.1.1.1-10.1.1.5

src_port

(Optional) Specifies the source port number. To specify a range, separate the port numbers with a dash (-), For example:

1000-2000

state state_type

(Optional) Specifies the connection state type. See Table 7-9 for a list of the keywords available for connection state types.


Defaults

All through connections are shown by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(8)

The syntax was simplified to use source and destination concepts instead of "local" and "foreign." In the new syntax, the source address is the first address entered and the destination is the second address. The old syntax used keywords like foreign and fport to determine the destination address and port.


Usage Guidelines

The show conn command displays the number of active TCP and UDP connections, and provides information about connections of various types. Use the show conn all command to see the entire table of connections.


Note When the security appliance creates a pinhole to allow secondary connections, this is shown as an incomplete conn by the show conn command. To clear this incomplete conn use the clear conn command.


The connection types that you can specify using the show conn state command are defined in Table 7-9. When specifying multiple connection types, use commas without spaces to separate the keywords.

Table 7-9 Connection State Types 

Keyword
Connection Type Displayed

up

Connections in the up state.

conn_inbound

Inbound connections.

ctiqbe

CTIQBE connections

data_in

Inbound data connections.

data_out

Outbound data connections.

finin

FIN inbound connections.

finout

FIN outbound connections.

h225

H.225 connections

h323

H.323 connections

http_get

HTTP get connections.

mgcp

MGCP connections.

nojava

Connections that deny access to Java applets.

rpc

RPC connections.

sip

SIP connections.

skinny

SCCP connections.

smtp_data

SMTP mail data connections.

sqlnet_fixup_data

SQL*Net data inspection engine connections.


When you use the detail option, the system displays information about the translation type and interface information using the connection flags defined in Table 7-10.

Table 7-10 Connection Flags 

Flag
Description

a

awaiting outside ACK to SYN

A

awaiting inside ACK to SYN

B

initial SYN from outside

C

Computer Telephony Interface Quick Buffer Encoding (CTIQBE) media connection

d

dump

D

DNS

E

outside back connection

f

inside FIN

F

outside FIN

g

Media Gateway Control Protocol (MGCP) connection

G

connection is part of a group1

h

H.225

H

H.323

i

incomplete TCP or UDP connection

I

inbound data

k

Skinny Client Control Protocol (SCCP) media connection

m

SIP media connection

M

SMTP data

O

outbound data

p

replicated (unused)

P

inside back connection

q

SQL*Net data

r

inside acknowledged FIN

R

outside acknowledged FIN for TCP connection

R

UDP RPC2

s

awaiting outside SYN

S

awaiting inside SYN

t

SIP transient connection3

T

SIP connection4

U

up

1 The G flag indicates the connection is part of a group. It is set by the GRE and FTP Strict fixups to designate the control connection and all its associated secondary connections. If the control connection terminates, then all associated secondary connections are also terminated.

2 Because each row of show conn command output represents one connection (TCP or UDP ), there will be only one R flag per row.

3 For UDP connections, the value t indicates that it will timeout after one minute.

4 For UDP connections, the value T indicates that the connection will timeout according to the value specified using the timeout sip command.



Note For connections using a DNS server, the source port of the connection may be replaced by the IP address of DNS server in the show conn command output.


A single connection is created for multiple DNS sessions, as long as they are between the same two hosts, and the sessions have the same 5-tuple (source/destination IP address, source/destination port, and protocol). DNS identification is tracked by app_id, and the idle timer for each app_id runs independently.

Because the app_id expires independently, a legitimate DNS response can only pass through the security appliance within a limited period of time and there is no resource build-up. However, when you enter the show conn command, you will see the idle timer of a DNS connection being reset by a new DNS session. This is due to the nature of the shared DNS connection and is by design.


Note When there is no TCP traffic for the period of inactivity defined by the timeout conn command (by default, 1:00:00), the connection is closed and the corresponding conn flag entries are no longer displayed.


Examples

When specifying multiple connection types, use commas without spaces to separate the keywords. The following example displays information about RPC, H.323, and SIP connections in the Up state:

hostname# show conn state up,rpc,h323,sip

The following is sample output from the show conn count command:

ciscoasa(config)# show conn count
22 in use, 27775 most used

The following is sample output from the show conn command. This example shows a TCP session connection from inside host 10.1.1.15 to the outside Telnet server at 10.2.49.10. Because there is no B flag, the connection is initiated from the inside. The "U", "I", and "O" flags denote that the connection is active and has received inbound and outbound data.

hostname# show conn
22 in use, 27775 most used
TCP out 10.2.49.10:23 in 10.1.1.15:1026 idle 0:00:22 bytes 1774 flags UIO
UDP out 10.2.49.10:31649 in 10.1.1.15:1028 idle 0:00:14 bytes 0 flags D-
TCP out 10.30.2.2:1500 in 10.1.1.7:1000 idle 0:00:00 bytes 0 flags saA
TCP out 10.30.2.2:1500 in 10.1.1.14:1000 idle 0:00:00 bytes 0 flags saA
TCP out 10.30.2.2:1500 in 10.1.1.1:1000 idle 0:00:00 bytes 0 flags saA
TCP out 10.30.2.2:1500 in 10.1.1.3:1000 idle 0:00:00 bytes 0 flags saA
TCP out 10.30.2.2:80 in 10.30.1.1:45804 idle 0:01:26 bytes 7918 flags UFRIO
TCP out 10.30.2.2:80 in 10.30.1.1:45003 idle 0:02:17 bytes 7918 flags UFRIO

The following is sample output from the show conn detail command. This example shows many connections, including a UDP connection from outside host 192.168.49.10 to inside host 10.1.1.15. The D flag denotes that this is a DNS connection. The number 1028 is the DNS ID over the connection.

hostname# show conn detail
22 in use, 27775 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump,
       E - outside back connection, F - outside FIN, f - inside FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
       k - Skinny media, M - SMTP data, m - SIP media, O - outbound data,
       P - inside back connection, q - SQL*Net data, R - outside acknowledged FI
N,
       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up
TCP outside:10.30.2.2/1500 inside:10.1.1.7/1000 flags saA
TCP outside:10.30.2.2/1500 inside:10.1.1.14/1000 flags saA
TCP outside:10.30.2.2/1500 inside:10.1.1.1/1000 flags saA
TCP outside:10.30.2.2/1500 inside:10.1.1.3/1000 flags saA
TCP outside:10.30.2.2/80 inside:10.30.1.1/45804 flags UFRIO
TCP outside:10.30.2.2/80 inside:10.30.1.1/45003 flags UFRIO
TCP outside:192.168.49.10/23 inside:10.1.1.15/1026 flags UIO
UDP outside:192.168.49.10/31649 inside:10.1.1.15/1028 flags dD

Related Commands

Commands
Description

clear conn

Clears connections.

inspect ctiqbe

Enables CTIQBE application inspection.

inspect h323

Enables H.323 application inspection.

inspect mgcp

Enables MGCP application inspection.

inspect sip

Removes java applets from HTTP traffic.

inspect skinny

Enables SCCP application inspection.


show console-output

To display the currently captured console output, use the show console-output command in privileged EXEC mode.

show console-output

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

·

·

·

·

·


Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

The following example shows the message that displays when there is no console output:

hostname# show console-output
Sorry, there are no messages to display

Related Commands

Command
Description

show console-output

Displays the captured console output.


show context

To show context information including allocated interfaces and the configuration file URL, the number of contexts configured, or from the system execution space, a list of all contexts, use the show context command in privileged EXEC mode.

show context [name | detail | count]

Syntax Description

count

(Optional) Shows the number of contexts configured.

detail

(Optional) Shows additional detail about the context(s) including the running state and information for internal use.

name

(Optional) Sets the context name. If you do not specify a name, the security appliance displays all contexts. Within a context, you can only enter the current context name.


Defaults

In the system execution space, the security appliance displays all contexts if you do not specify a name.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

See the "Examples" section for a description of the display output.

Examples

The following is sample output from the show context command. The following sample display shows three contexts:

hostname# show context

Context Name      Interfaces                    URL
*admin            GigabitEthernet0/1.100        flash:/admin.cfg
                  GigabitEthernet0/1.101
contexta          GigabitEthernet0/1.200        flash:/contexta.cfg
                  GigabitEthernet0/1.201
contextb          GigabitEthernet0/1.300        flash:/contextb.cfg
                  GigabitEthernet0/1.301
Total active Security Contexts: 3

Table 7-11 shows each field description.

Table 7-11 show context Fields

Field
Description

Context Name

Lists all context names. The context name with the asterisk (*) is the admin context.

Interfaces

The interfaces assigned to the context.

URL

The URL from which the security appliance loads the context configuration.


The following is sample output from the show context detail command:

hostname# show context detail

Context "admin", has been created, but initial ACL rules not complete
  Config URL: flash:/admin.cfg
  Real Interfaces: Management0/0
  Mapped Interfaces: Management0/0
  Flags: 0x00000013, ID: 1

Context "ctx", has been created, but initial ACL rules not complete
  Config URL: ctx.cfg
  Real Interfaces: GigabitEthernet0/0.10, GigabitEthernet0/1.20,
     GigabitEthernet0/2.30
  Mapped Interfaces: int1, int2, int3
  Flags: 0x00000011, ID: 2

Context "system", is a system resource
  Config URL: startup-config
  Real Interfaces:
  Mapped Interfaces: Control0/0, GigabitEthernet0/0,
     GigabitEthernet0/0.10, GigabitEthernet0/1, GigabitEthernet0/1.10,
     GigabitEthernet0/1.20, GigabitEthernet0/2, GigabitEthernet0/2.30,
     GigabitEthernet0/3, Management0/0, Management0/0.1
  Flags: 0x00000019, ID: 257

Context "null", is a system resource
  Config URL: ... null ...
  Real Interfaces:
  Mapped Interfaces:
  Flags: 0x00000009, ID: 258

Table 7-12 shows each field description.

Table 7-12 Context States

Field
Description

Context

The context name. The null context information is for internal use only. The system context represents the system execution space.

State Message:

The context state. See the possible messages below.

Has been created, but initial ACL rules not complete

The security appliance parsed the configuration but has not yet downloaded the default ACLs to establish the default security policy. The default security policy applies to all contexts initially, and includes disallowing traffic from lower security levels to higher security levels, enabling application inspection, and other parameters. This security policy ensures that no traffic can pass through the security appliance after the configuration is parsed but before the configuration ACLs are compiled. You are unlikely to see this state because the configuration ACLs are compiled very quickly.

Has been created, but not initialized

You entered the context name command, but have not yet entered the config-url command.

Has been created, but the config hasn't been parsed

The default ACLs were downloaded, but the security appliance has not parsed the configuration. This state might exist because the configuration download might have failed because of network connectivity issues, or you have not yet entered the config-url command. To reload the configuration, from within the context, enter copy startup-config running-config. From the system, reenter the config-url command. Alternatively, you can start configuring the blank running configuration.

Is a system resource

This state applies only to the system execution space and to the null context. The null context is used by the system, and the information is for internal use only.

Is a zombie

You deleted the context using the no context or clear context command, but the context information persists in memory until the security appliance reuses the context ID for a new context, or you restart.

Is active

This context is currently running and can pass traffic according to the context configuration security policy.

Is ADMIN and active

This context is the admin context and is currently running.

Was a former ADMIN, but is now a zombie

You deleted the admin context using the clear configure context command, but the context information persists in memory until the security appliance reuses the context ID for a new context, or you restart.

Real Interfaces

The interfaces assigned to the context. If you mapped the interface IDs in the allocate-interface command, this display shows the real name of the interface. The system execution space includes all interfaces.

Mapped Interfaces

If you mapped the interface IDs in the allocate-interface command, this display shows the mapped names. If you did not map the interfaces, the display lists the real names again.

Flag

For internal use only.

ID

An internal ID for this context.


The following is sample output from the show context count command:

hostname# show context count
Total active contexts: 2

Related Commands

Command
Description

admin-context

Sets the admin context.

allocate-interface

Assigns interfaces to a context.

changeto

Changes between contexts or the system execution space.

config-url

Specifies the location of the context configuration.

context

Creates a security context in the system configuration and enters context configuration mode.


show counters

To display the protocol stack counters, use the show counters command in privileged EXEC mode.

show counters [all | context context-name | summary | top N ] [detail] [protocol protocol_name [:counter_name]] [ threshold N]

Syntax Description

all

Displays the filter details.

context context-name

Specifies the context name.

:counter_name

Specifies a counter by name.

detail

Displays additional counters information.

protocol protocol_name

Displays the counters for the specified protocol.

summary

Displays a counter summary.

threshold N

Displays only those counters at or above the specified threshold. The range is 1 through 4294967295.

top N

Displays the counters at or above the specified threshold. The range is 1 through 4294967295.


Defaults

show counters summary detail threshold 1

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example shows how to display all counters:

hostname# show counters all
Protocol     Counter           Value   Context
IOS_IPC      IN_PKTS               2   single_vf
IOS_IPC      OUT_PKTS              2   single_vf

hostname# show counters
Protocol     Counter           Value   Context
NPCP         IN_PKTS            7195   Summary
NPCP         OUT_PKTS           7603   Summary
IOS_IPC      IN_PKTS             869   Summary
IOS_IPC      OUT_PKTS            865   Summary
IP           IN_PKTS             380   Summary
IP           OUT_PKTS            411   Summary
IP           TO_ARP              105   Summary
IP           TO_UDP                9   Summary
UDP          IN_PKTS               9   Summary
UDP          DROP_NO_APP           9   Summary
FIXUP        IN_PKTS             202   Summary

The following example shows how to display a summary of counters:

hostname# show counters summary
Protocol     Counter           Value   Context
IOS_IPC      IN_PKTS               2   Summary
IOS_IPC      OUT_PKTS              2   Summary

The following example shows how to display counters for a context:

hostname# show counters context single_vf
Protocol     Counter           Value   Context
IOS_IPC      IN_PKTS               4   single_vf
IOS_IPC      OUT_PKTS              4   single_vf

Related Commands

Command
Description

clear counters

Clears the protocol stack counters.


show cpu

To display the CPU utilization information, use the show cpu usage command in privileged EXEC mode.

show cpu [usage]

From the system configuration in multiple context mode:

show cpu [usage] [context {all | context_name}]

Syntax Description

all

Specifies that the display show all contexts.

context

Specifies that the display show a context.

context_name

Specifies the name of the context to display.

usage

(Optional) Displays the CPU usage.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The cpu usage is computed using an approximation of the load every five seconds, and by further feeding this approximation into two, following moving averages.

You can use the show cpu command to find process related loads (that is, activity on behalf of items listed by the output of the show process command in both single mode and from the system configuration in multiple context mode).

Further, you can request, when in multiple context mode, a breakdown of the process related load to CPU consumed by any configured contexts by changing to each context and entering the show cpu command or by entering the show cpu context variant of this command.

While process related load is rounded to the nearest whole number, context related loads include one additional decimal digit of precision. For example, entering show cpu from the system context produces a different number than from entering the show cpu context system command. The former is an approximate summary of everything in show cpu context all, and the latter is only a portion of that summary.

Examples

The following example shows how to display the CPU utilization:

hostname# show cpu usage
CPU utilization for 5 seconds = 18%; 1 minute: 18%; 5 minutes: 18%

This example shows how to display the CPU utilization for the system context in multiple mode:

hostname# show cpu context system
CPU utilization for 5 seconds = 9.1%; 1 minute: 9.2%; 5 minutes: 9.1%

The following shows how to display the CPU utilization for all contexts:

hostname# show cpu usage context all
5 sec  1 min  5 min  Context Name
9.1%   9.2%   9.1%  system
0.0%   0.0%   0.0%  admin
5.0%   5.0%   5.0%  one
4.2%   4.3%   4.2%  two

This example shows how to display the CPU utilization for a context named "one":

hostname/one# show cpu usage
CPU utilization for 5 seconds = 5.0%; 1 minute: 5.0%; 5 minutes: 5.0%

Related Commands

Command
Description

show counters

Displays the protocol stack counters.


show crashinfo

To display the contents of the crash file stored in Flash memory, enter the show crashinfo command in privileged EXEC mode.

show crashinfo [save]

Syntax Description

save

(Optional) Displays if the security appliance is configured to save crash information to Flash memory or not.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

If the crash file is from a test crash (generated from the crashinfo test command), the first string of the crash file is ": Saved_Test_Crash" and the last string is ": End_Test_Crash". If the crash file is from a real crash, the first string of the crash file is ": Saved_Crash" and the last string is ": End_Crash". (This includes crashes from use of the crashinfo force page-fault or crashinfo force watchdog commands).

If there is no crash data saved in flash, or if the crash data has been cleared by entering the clear crashinfo command, the show crashinfo command displays an error message.

Examples

The following example shows how to display the current crash information configuration:

hostname# show crashinfo save
crashinfo save enable

The following example shows the output for a crash file test. (However, this test does not actually crash the security appliance. It provides a simulated example file.)

hostname(config)# crashinfo test
hostname(config)# exit
hostname# show crashinfo
: Saved_Test_Crash

Thread Name: ci/console (Old pc 0x001a6ff5 ebp 0x00e88920)

Traceback:
0: 00323143
1: 0032321b
2: 0010885c
3: 0010763c
4: 001078db
5: 00103585
6: 00000000
    vector 0x000000ff (user defined)
       edi 0x004f20c4
       esi 0x00000000
       ebp 0x00e88c20
       esp 0x00e88bd8
       ebx 0x00000001
       edx 0x00000074
       ecx 0x00322f8b
       eax 0x00322f8b
error code n/a
       eip 0x0010318c
        cs 0x00000008
    eflags 0x00000000
       CR2 0x00000000
Stack dump: base:0x00e8511c size:16384, active:1476
0x00e89118: 0x004f1bb4
0x00e89114: 0x001078b4
0x00e89110-0x00e8910c: 0x00000000
0x00e89108-0x00e890ec: 0x12345678
0x00e890e8: 0x004f1bb4
0x00e890e4: 0x00103585
0x00e890e0: 0x00e8910c
0x00e890dc-0x00e890cc: 0x12345678
0x00e890c8: 0x00000000
0x00e890c4-0x00e890bc: 0x12345678
0x00e890b8: 0x004f1bb4
0x00e890b4: 0x001078db
0x00e890b0: 0x00e890e0
0x00e890ac-0x00e890a8: 0x12345678
0x00e890a4: 0x001179b3
0x00e890a0: 0x00e890b0
0x00e8909c-0x00e89064: 0x12345678
0x00e89060: 0x12345600
0x00e8905c: 0x20232970
0x00e89058: 0x616d2d65
0x00e89054: 0x74002023
0x00e89050: 0x29676966
0x00e8904c: 0x6e6f6328
0x00e89048: 0x31636573
0x00e89044: 0x7069636f
0x00e89040: 0x64786970
0x00e8903c-0x00e88e50: 0x00000000
0x00e88e4c: 0x000a7473
0x00e88e48: 0x6574206f
0x00e88e44: 0x666e6968
0x00e88e40: 0x73617263
0x00e88e3c-0x00e88e38: 0x00000000
0x00e88e34: 0x12345600
0x00e88e30-0x00e88dfc: 0x00000000
0x00e88df8: 0x00316761
0x00e88df4: 0x74706100
0x00e88df0: 0x12345600
0x00e88dec-0x00e88ddc: 0x00000000
0x00e88dd8: 0x00000070
0x00e88dd4: 0x616d2d65
0x00e88dd0: 0x74756f00
0x00e88dcc: 0x00000000
0x00e88dc8: 0x00e88e40
0x00e88dc4: 0x004f20c4
0x00e88dc0: 0x12345600
0x00e88dbc: 0x00000000
0x00e88db8: 0x00000035
0x00e88db4: 0x315f656c
0x00e88db0: 0x62616e65
0x00e88dac: 0x0030fcf0
0x00e88da8: 0x3011111f
0x00e88da4: 0x004df43c
0x00e88da0: 0x0053fef0
0x00e88d9c: 0x004f1bb4
0x00e88d98: 0x12345600
0x00e88d94: 0x00000000
0x00e88d90: 0x00000035
0x00e88d8c: 0x315f656c
0x00e88d88: 0x62616e65
0x00e88d84: 0x00000000
0x00e88d80: 0x004f20c4
0x00e88d7c: 0x00000001
0x00e88d78: 0x01345678
0x00e88d74: 0x00f53854
0x00e88d70: 0x00f7f754
0x00e88d6c: 0x00e88db0
0x00e88d68: 0x00e88d7b
0x00e88d64: 0x00f53874
0x00e88d60: 0x00e89040
0x00e88d5c-0x00e88d54: 0x12345678
0x00e88d50-0x00e88d4c: 0x00000000
0x00e88d48: 0x004f1bb4
0x00e88d44: 0x00e88d7c
0x00e88d40: 0x00e88e40
0x00e88d3c: 0x00f53874
0x00e88d38: 0x004f1bb4
0x00e88d34: 0x0010763c
0x00e88d30: 0x00e890b0
0x00e88d2c: 0x00e88db0
0x00e88d28: 0x00e88d88
0x00e88d24: 0x0010761a
0x00e88d20: 0x00e890b0
0x00e88d1c: 0x00e88e40
0x00e88d18: 0x00f53874
0x00e88d14: 0x0010166d
0x00e88d10: 0x0000000e
0x00e88d0c: 0x00f53874
0x00e88d08: 0x00f53854
0x00e88d04: 0x0048b301
0x00e88d00: 0x00e88d30
0x00e88cfc: 0x0000000e
0x00e88cf8: 0x00f53854
0x00e88cf4: 0x0048a401
0x00e88cf0: 0x00f53854
0x00e88cec: 0x00f53874
0x00e88ce8: 0x0000000e
0x00e88ce4: 0x0048a64b
0x00e88ce0: 0x0000000e
0x00e88cdc: 0x00f53874
0x00e88cd8: 0x00f7f96c
0x00e88cd4: 0x0048b4f8
0x00e88cd0: 0x00e88d00
0x00e88ccc: 0x0000000f
0x00e88cc8: 0x00f7f96c
0x00e88cc4-0x00e88cc0: 0x0000000e
0x00e88cbc: 0x00e89040
0x00e88cb8: 0x00000000
0x00e88cb4: 0x00f5387e
0x00e88cb0: 0x00f53874
0x00e88cac: 0x00000002
0x00e88ca8: 0x00000001
0x00e88ca4: 0x00000009
0x00e88ca0-0x00e88c9c: 0x00000001
0x00e88c98: 0x00e88cb0
0x00e88c94: 0x004f20c4
0x00e88c90: 0x0000003a
0x00e88c8c: 0x00000000
0x00e88c88: 0x0000000a
0x00e88c84: 0x00489f3a
0x00e88c80: 0x00e88d88
0x00e88c7c: 0x00e88e40
0x00e88c78: 0x00e88d7c
0x00e88c74: 0x001087ed
0x00e88c70: 0x00000001
0x00e88c6c: 0x00e88cb0
0x00e88c68: 0x00000002
0x00e88c64: 0x0010885c
0x00e88c60: 0x00e88d30
0x00e88c5c: 0x00727334
0x00e88c58: 0xa0ffffff
0x00e88c54: 0x00e88cb0
0x00e88c50: 0x00000001
0x00e88c4c: 0x00e88cb0
0x00e88c48: 0x00000002
0x00e88c44: 0x0032321b
0x00e88c40: 0x00e88c60
0x00e88c3c: 0x00e88c7f
0x00e88c38: 0x00e88c5c
0x00e88c34: 0x004b1ad5
0x00e88c30: 0x00e88c60
0x00e88c2c: 0x00e88e40
0x00e88c28: 0xa0ffffff
0x00e88c24: 0x00323143
0x00e88c20: 0x00e88c40
0x00e88c1c: 0x00000000
0x00e88c18: 0x00000008
0x00e88c14: 0x0010318c
0x00e88c10-0x00e88c0c: 0x00322f8b
0x00e88c08: 0x00000074
0x00e88c04: 0x00000001
0x00e88c00: 0x00e88bd8
0x00e88bfc: 0x00e88c20
0x00e88bf8: 0x00000000
0x00e88bf4: 0x004f20c4
0x00e88bf0: 0x000000ff
0x00e88bec: 0x00322f87
0x00e88be8: 0x00f5387e
0x00e88be4: 0x00323021
0x00e88be0: 0x00e88c10
0x00e88bdc: 0x004f20c4
0x00e88bd8: 0x00000000 *
0x00e88bd4: 0x004eabb0
0x00e88bd0: 0x00000001
0x00e88bcc: 0x00f5387e
0x00e88bc8-0x00e88bc4: 0x00000000
0x00e88bc0: 0x00000008
0x00e88bbc: 0x0010318c
0x00e88bb8-0x00e88bb4: 0x00322f8b
0x00e88bb0: 0x00000074
0x00e88bac: 0x00000001
0x00e88ba8: 0x00e88bd8
0x00e88ba4: 0x00e88c20
0x00e88ba0: 0x00000000
0x00e88b9c: 0x004f20c4
0x00e88b98: 0x000000ff
0x00e88b94: 0x001031f2
0x00e88b90: 0x00e88c20
0x00e88b8c: 0xffffffff
0x00e88b88: 0x00e88cb0
0x00e88b84: 0x00320032
0x00e88b80: 0x37303133
0x00e88b7c: 0x312f6574
0x00e88b78: 0x6972772f
0x00e88b74: 0x342f7665
0x00e88b70: 0x64736666
0x00e88b6c: 0x00020000
0x00e88b68: 0x00000010
0x00e88b64: 0x00000001
0x00e88b60: 0x123456cd
0x00e88b5c: 0x00000000
0x00e88b58: 0x00000008

Cisco XXX Firewall Version X.X
Cisco XXX Device Manager Version X.X

Compiled on Fri 15-Nov-04 14:35 by root

hostname up 10 days 0 hours

Hardware:   XXX-XXX, 64 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0003.e300.73fd, irq 10
1: ethernet1: address is 0003.e300.73fe, irq 7
2: ethernet2: address is 00d0.b7c8.139e, irq 9
Licensed Features:
Failover:           Disabled
VPN-DES:            Enabled
VPN-3DES-AES:       Disabled
Maximum Interfaces: 3
Cut-through Proxy:  Enabled
Guards:             Enabled
URL-filtering:      Enabled
Inside Hosts:       Unlimited
Throughput:         Unlimited
IKE peers:          Unlimited

This XXX has a Restricted (R) license.

Serial Number: 480430455 (0x1ca2c977)
Running Activation Key: 0xc2e94182 0xc21d8206 0x15353200 0x633f6734 
Configuration last modified by enable_15 at 13:49:42.148 UTC Wed Nov 20 2004

------------------ show clock ------------------

15:34:28.129 UTC Sun Nov 24 2004

------------------ show memory ------------------

Free memory:        50444824 bytes
Used memory:        16664040 bytes
-------------     ----------------
Total memory:       67108864 bytes

------------------ show conn count ------------------

0 in use, 0 most used

------------------ show xlate count ------------------

0 in use, 0 most used

------------------ show blocks ------------------

  SIZE    MAX    LOW    CNT
     4   1600   1600   1600
    80    400    400    400
   256    500    499    500
  1550   1188    795    927

------------------ show interface ------------------

interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0003.e300.73fd
  IP address 172.23.59.232, subnet mask 255.255.0.0
  MTU 1500 bytes, BW 10000 Kbit half duplex
        6139 packets input, 830375 bytes, 0 no buffer
        Received 5990 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        90 packets output, 6160 bytes, 0 underruns
        0 output errors, 13 collisions, 0 interface resets
        0 babbles, 0 late collisions, 47 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (5/128) software (0/2)
        output queue (curr/max blocks): hardware (0/1) software (0/1)
interface ethernet1 "inside" is up, line protocol is down
  Hardware is i82559 ethernet, address is 0003.e300.73fe
  IP address 10.1.1.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 10000 Kbit half duplex
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        1 packets output, 60 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        1 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (0/1) software (0/1)
interface ethernet2 "intf2" is administratively down, line protocol is down
  Hardware is i82559 ethernet, address is 00d0.b7c8.139e
  IP address 127.0.0.1, subnet mask 255.255.255.255
  MTU 1500 bytes, BW 10000 Kbit half duplex
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (0/0) software (0/0)

------------------ show cpu usage ------------------

CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%

------------------ show process ------------------


    PC       SP       STATE       Runtime    SBASE     Stack Process
Hsi 001e3329 00763e7c 0053e5c8          0 00762ef4 3784/4096 arp_timer
Lsi 001e80e9 00807074 0053e5c8          0 008060fc 3792/4096 FragDBGC
Lwe 00117e3a 009dc2e4 00541d18          0 009db46c 3704/4096 dbgtrace
Lwe 003cee95 009de464 00537718          0 009dc51c 8008/8192 Logger
Hwe 003d2d18 009e155c 005379c8          0 009df5e4 8008/8192 tcp_fast
Hwe 003d2c91 009e360c 005379c8          0 009e1694 8008/8192 tcp_slow
Lsi 002ec97d 00b1a464 0053e5c8          0 00b194dc 3928/4096 xlate clean
Lsi 002ec88b 00b1b504 0053e5c8          0 00b1a58c 3888/4096 uxlate clean
Mrd 002e3a17 00c8f8d4 0053e600          0 00c8d93c 7908/8192 tcp_intercept_times
Lsi 00423dd5 00d3a22c 0053e5c8          0 00d392a4 3900/4096 route_process
Hsi 002d59fc 00d3b2bc 0053e5c8          0 00d3a354 3780/4096 PIX Garbage Collecr
Hwe 0020e301 00d5957c 0053e5c8          0 00d55614 16048/16384 isakmp_time_keepr
Lsi 002d377c 00d7292c 0053e5c8          0 00d719a4 3928/4096 perfmon
Hwe 0020bd07 00d9c12c 0050bb90          0 00d9b1c4 3944/4096 IPSec
Mwe 00205e25 00d9e1ec 0053e5c8          0 00d9c274 7860/8192 IPsec timer handler
Hwe 003864e3 00db26bc 00557920          0 00db0764 6904/8192 qos_metric_daemon
Mwe 00255a65 00dc9244 0053e5c8          0 00dc8adc 1436/2048 IP Background
Lwe 002e450e 00e7bb94 00552c30          0 00e7ad1c 3704/4096 pix/trace
Lwe 002e471e 00e7cc44 00553368          0 00e7bdcc 3704/4096 pix/tconsole
Hwe 001e5368 00e7ed44 00730674          0 00e7ce9c 7228/8192 pix/intf0
Hwe 001e5368 00e80e14 007305d4          0 00e7ef6c 7228/8192 pix/intf1
Hwe 001e5368 00e82ee4 00730534       2470 00e8103c 4892/8192 pix/intf2
H*  001a6ff5 0009ff2c 0053e5b0       4820 00e8511c 12860/16384 ci/console
Csi 002dd8ab 00e8a124 0053e5c8          0 00e891cc 3396/4096 update_cpu_usage
Hwe 002cb4d1 00f2bfbc 0051e360          0 00f2a134 7692/8192 uauth_in
Hwe 003d17d1 00f2e0bc 00828cf0          0 00f2c1e4 7896/8192 uauth_thread
Hwe 003e71d4 00f2f20c 00537d20          0 00f2e294 3960/4096 udp_timer
Hsi 001db3ca 00f30fc4 0053e5c8          0 00f3004c 3784/4096 557mcfix
Crd 001db37f 00f32084 0053ea40  508286220 00f310fc 3688/4096 557poll
Lsi 001db435 00f33124 0053e5c8          0 00f321ac 3700/4096 557timer
Hwe 001e5398 00f441dc 008121e0          0 00f43294 3912/4096 fover_ip0
Cwe 001dcdad 00f4523c 00872b48        120 00f44344 3528/4096 ip/0:0
Hwe 001e5398 00f4633c 008121bc         10 00f453f4 3532/4096 icmp0
Hwe 001e5398 00f47404 00812198          0 00f464cc 3896/4096 udp_thread/0
Hwe 001e5398 00f4849c 00812174          0 00f475a4 3456/4096 tcp_thread/0
Hwe 001e5398 00f495bc 00812150          0 00f48674 3912/4096 fover_ip1
Cwe 001dcdad 00f4a61c 008ea850          0 00f49724 3832/4096 ip/1:1
Hwe 001e5398 00f4b71c 0081212c          0 00f4a7d4 3912/4096 icmp1
Hwe 001e5398 00f4c7e4 00812108          0 00f4b8ac 3896/4096 udp_thread/1
Hwe 001e5398 00f4d87c 008120e4          0 00f4c984 3832/4096 tcp_thread/1
Hwe 001e5398 00f4e99c 008120c0          0 00f4da54 3912/4096 fover_ip2
Cwe 001e542d 00f4fa6c 00730534          0 00f4eb04 3944/4096 ip/2:2
Hwe 001e5398 00f50afc 0081209c          0 00f4fbb4 3912/4096 icmp2
Hwe 001e5398 00f51bc4 00812078          0 00f50c8c 3896/4096 udp_thread/2
Hwe 001e5398 00f52c5c 00812054          0 00f51d64 3832/4096 tcp_thread/2
Hwe 003d1a65 00f78284 008140f8          0 00f77fdc  300/1024 listen/http1
Mwe 0035cafa 00f7a63c 0053e5c8          0 00f786c4 7640/8192 Crypto CA

------------------ show failover ------------------

No license for Failover

------------------ show traffic ------------------

outside:
        received (in 865565.090 secs):
                6139 packets    830375 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 865565.090 secs):
                90 packets      6160 bytes
                0 pkts/sec      0 bytes/sec
inside:
        received (in 865565.090 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 865565.090 secs):
                1 packets       60 bytes
                0 pkts/sec      0 bytes/sec
intf2:
        received (in 865565.090 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 865565.090 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec

------------------ show perfmon ------------------


PERFMON STATS:    Current      Average
Xlates               0/s          0/s
Connections          0/s          0/s
TCP Conns            0/s          0/s
UDP Conns            0/s          0/s
URL Access           0/s          0/s
URL Server Req       0/s          0/s
TCP Fixup            0/s          0/s
TCPIntercept         0/s          0/s
HTTP Fixup           0/s          0/s
FTP Fixup            0/s          0/s
AAA Authen           0/s          0/s
AAA Author           0/s          0/s
AAA Account          0/s          0/s
: End_Test_Crash

Related Commands

Command
Description

clear crashinfo

Deletes the contents of the crash file.

crashinfo force

Forces a crash of the security appliance.

crashinfo save disable

Disables crash information from writing to Flash memory.

crashinfo test

Tests the ability of the security appliance to save crash information to a file in Flash memory.


show crashinfo console

To display the configuration setting of the crashinfo console command, enter the show crashinfo console command in privileged EXEC mode.

show crashinfo console

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(4)

This command was introduced.


Usage Guidelines

Compliance with FIPS 140-2 prohibits the distribution of Critical Secu rity Parameters (keys, passwords, etc.) outside of the crypto boundary (chassis). When the device crashes, due to an assert or checkheaps failure, it is possible that the stack or memory regions dumped to the console contain sensitive data. This output must be suppressed in FIPS-mode.

Examples

sw8-5520(config)# show crashinfo console
crashinfo console enable

Related Commands

Command
Description

clear configure fips

Clears the system or module FIPS configuration information stored in NVRAM.

crashinfo console disable

Disables the reading, writing and configuration of crash write info to flash.

fips enable

Enables or disablea policy-checking to enforce FIPS compliance on the system or module.

fips self-test poweron

Executes power-on self-tests.

show running-config fips

Displays the FIPS configuration that is running on the security appliance.


show crypto accelerator statistics

To display the global and accelerator-specific statistics from the hardware crypto accelerator MIB, use the show crypto accelerator statistics command in global configuration or privileged EXEC mode.

show crypto accelerator statistics

Syntax Description

This command has no keywords or variables.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example entered in global configuration mode, displays global crypto accelerator statistics:

hostname # show crypto accelerator statistics

Crypto Accelerator Status
-------------------------
[Capacity]
   Supports hardware crypto: True
   Supports modular hardware crypto: False
   Max accelerators: 1
   Max crypto throughput: 100 Mbps
   Max crypto connections: 750
[Global Statistics]
   Number of active accelerators: 1
   Number of non-operational accelerators: 0
   Input packets: 700
   Input bytes: 753488
   Output packets: 700
   Output error packets: 0
   Output bytes: 767496
[Accelerator 0]
   Status: Active
   Software crypto engine
   Slot: 0
   Active time: 167 seconds
   Total crypto transforms: 7
   Total dropped packets: 0
   [Input statistics]
      Input packets: 0
      Input bytes: 0
      Input hashed packets: 0
      Input hashed bytes: 0
      Decrypted packets: 0
      Decrypted bytes: 0
   [Output statistics]
      Output packets: 0
      Output bad packets: 0
      Output bytes: 0
      Output hashed packets: 0
      Output hashed bytes: 0
      Encrypted packets: 0
      Encrypted bytes: 0
   [Diffie-Hellman statistics]
      Keys generated: 0
      Secret keys derived: 0
   [RSA statistics]
      Keys generated: 0
      Signatures: 0
      Verifications: 0
      Encrypted packets: 0
      Encrypted bytes: 0
      Decrypted packets: 0
      Decrypted bytes: 0
   [DSA statistics]
      Keys generated: 0
      Signatures: 0
      Verifications: 0
   [SSL statistics]
      Outbound records: 0
      Inbound records: 0
   [RNG statistics]
      Random number requests: 98
      Random number request failures: 0
[Accelerator 1]
   Status: Active
   Encryption hardware device : Cisco ASA-55x0 on-board accelerator 
(revision 0x0)
                             Boot microcode   : CNlite-MC-Boot-Cisco-1.2
                             SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.03
   Slot: 1
   Active time: 170 seconds
   Total crypto transforms: 1534
   Total dropped packets: 0
   [Input statistics]
      Input packets: 700
      Input bytes: 753544
      Input hashed packets: 700
      Input hashed bytes: 736400
      Decrypted packets: 700
      Decrypted bytes: 719944
   [Output statistics]
      Output packets: 700
      Output bad packets: 0
      Output bytes: 767552
      Output hashed packets: 700
      Output hashed bytes: 744800
      Encrypted packets: 700
      Encrypted bytes: 728352
   [Diffie-Hellman statistics]
      Keys generated: 97
      Secret keys derived: 1
   [RSA statistics]
      Keys generated: 0
      Signatures: 0
      Verifications: 0
      Encrypted packets: 0
      Encrypted bytes: 0
      Decrypted packets: 0
      Decrypted bytes: 0
   [DSA statistics]
      Keys generated: 0
      Signatures: 0
      Verifications: 0
   [SSL statistics]
      Outbound records: 0
      Inbound records: 0
   [RNG statistics]
      Random number requests: 1
      Random number request failures: 0
hostname # 

Related Commands

Command
Description

clear crypto accelerator statistics

Clears the global and accelerator-specific statistics in the crypto accelerator MIB.

clear crypto protocol statistics

Clears the protocol-specific statistics in the crypto accelerator MIB.

show crypto protocol statistics

Displays the protocol-specific statistics from the crypto accelerator MIB.


show crypto ca certificates

To display the certificates associated with a specific trustpoint or to display all the certificates installed on the system, use the show crypto ca certificates command in global configuration or privileged EXEC mode.

show crypto ca certificates [trustpointname]

Syntax Description

trustpointname

(Optional) The name of a trustpoint. If you do not specify a name, this command displays all certificates installed on the system.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example entered in global configuration mode, displays a CA certificate for a trustpoint named tp1:

hostname(config)# show crypto ca certificates tp1
CA Certificate
Status: Available
Certificate Serial Number 2957A3FF296EF854FD0D6732FE25B45
Certificate Usage: Signature
Issuer:
CN = ms-root-sha-06-2004
OU = rootou
O = cisco
L = franklin
ST - massachusetts
C = US
EA = a@b.con
Subject: 
CN = ms-root-sha-06-2004
OU = rootou
O = cisco
L = franklin
ST = massachusetts
C = US
EA = a@b.com
CRL Distribution Point
ldap://w2kadvancedsrv/CertEnroll/ms-root-sha-06-2004.crl
Validity Date:
start date: 14:11:40 UTC Jun 26 2004
end date: 14:01:30 UTC Jun 4 2022
Associated Trustpoints: tp2 tp1
hostname(config)# 

Related Commands

Command
Description

crypto ca authenticate

Obtains a CA certificate for a specified trustpoint.

crypto ca crl request

Requests a CRL based on the configuration parameters of a specified trustpoint.

crypto ca enroll

Initiates the enrollment process with a CA.

crypto ca import

Imports a certificate to a specified trustpoint.

crypto ca trustpoint

Enters trustpoint mode for a specified trustpoint.


show crypto ca crls

To display all cached CRLs or to display all CRLs cached for a specified trustpoint, use the show crypto ca crls command in global configuration or privileged EXEC mode.

show crypto ca crls [trustpointname]

Syntax Description

trustpointname

(Optional) The name of a trustpoint. If you do not specify a name, this command displays all CRLs cached on the system.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

 

Privileged EXEC

 

Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example entered in global configuration mode, displays a CRL for a trustpoint named tp1:

hostname(config)# show crypto ca crls tp1
CRL Issuer Name:
    cn=ms-sub1-ca-5-2004,ou=Franklin DevTest,o=Cisco
Systems,l=Franklin,st=MA,c=US,ea=user@cisco.com
    LastUpdate: 19:45:53 UTC Dec 24 2004
    NextUpdate: 08:05:53 UTC Jan 1 2005
    Retrieved from CRL Distribution Point:
      http://win2k-ad2.frk-ms-pki.cisco.com/CertEnroll/ms-sub1-ca-5-2004.crl
    Associated Trustpoints: tp1
hostname(config)# 

Related Commands

Command
Description

crypto ca authenticate

Obtains a CA certificate for a specified trustpoint.

crypto ca crl request

Requests a CRL based on the configuration parameters of a specified trustpoint.

crypto ca enroll

Initiates the enrollment process with a CA.

crypto ca import

Imports a certificate to a specified trustpoint.

crypto ca trustpoint

Enters trustpoint mode for a specified trustpoint.


show crypto ipsec df-bit

To display the IPSec DF-bit policy for IPSec packets for a specified interface, use the show crypto ipsec df-bit command in global configuration mode and privileged EXEC mode.

show crypto ipsec df-bit interface

Syntax Description

interface

Specifies an interface name.


Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example displays the IPSec DF-bit policy for interface named inside:

hostname(config)# show crypto ipsec df-bit inside
df-bit inside copy
hostname(config)#

Related Commands

Command
Description

crypto ipsec df-bit

Configures the IPSec DF-bit policy for IPSec packets.

crypto ipsec fragmentation

Configures the fragmentation policy for IPSec packets.

show crypto ipsec fragmentation

Displays the fragmentation policy for IPSec packets.


show crypto ipsec fragmentation

To display the fragmentation policy for IPSec packets, use the show crypto ipsec fragmentation command in global configuration or privileged EXEC modes.

show crypto ipsec fragmentation interface

Syntax Description

interface

Specifies an interface name.


Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example, entered in global configuration mode, displays the IPSec fragmentation policy for an interface named inside:

hostname(config)# show crypto ipsec fragmentation inside
fragmentation inside before-encryption
hostname(config)#

Related Commands

Command
Description

crypto ipsec fragmentation

Configures the fragmentation policy for IPSec packets.

crypto ipsec df-bit

Configures the DF-bit policy for IPSec packets.

show crypto ipsec df-bit

Displays the DF-bit policy for a specified interface.


show crypto key mypubkey

To display key pairs of the indicated type, use the show crypto key mypubkey command in global configuration or privileged EXEC mode.

show crypto key mypubkey {rsa | dsa}

Syntax Description

dsa

Displays DSA key pairs.

rsa

Displays RSA key pairs.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example entered in global configuration mode, displays RSA key pairs:

hostname(config)# show crypto key mypubkey rsa
[Display]
hostname(config)# 

Related Commands

Command
Description

crypto key generate dsa

Generates DSA key pairs.

crypto key generate rsa

Generates RSA key pairs.

crypto key zeroize

Removes all key pairs of the indicated type.


show crypto protocol statistics

To display the protocol-specific statistics in the crypto accelerator MIB, use the show crypto protocol statistics command in global configuration or privileged EXEC mode.

show crypto protocol statistics protocol

Syntax Description

protocol

Specifies the name of the protocol for which to display statistics. Protocol choices are as follows:

ikev1—Internet Key Exchange version 1.

ipsec—IP Security Phase-2 protocols.

ssl—Secure Socket Layer.

other—Reserved for new protocols.

all—All protocols currently supported.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following examples entered in global configuration mode, display crypto accelerator statistics for specified protocols:

hostname # show crypto protocol statistics ikev1
[IKEv1 statistics]
   Encrypt packet requests: 39
   Encapsulate packet requests: 39
   Decrypt packet requests: 35
   Decapsulate packet requests: 35
   HMAC calculation requests: 84
   SA creation requests: 1
   SA rekey requests: 3
   SA deletion requests: 2
   Next phase key allocation requests: 2
   Random number generation requests: 0
   Failed requests: 0

hostname # show crypto protocol statistics ipsec
[IPsec statistics]
   Encrypt packet requests: 700
   Encapsulate packet requests: 700
   Decrypt packet requests: 700
   Decapsulate packet requests: 700
   HMAC calculation requests: 1400
   SA creation requests: 2
   SA rekey requests: 0
   SA deletion requests: 0
   Next phase key allocation requests: 0
   Random number generation requests: 0
   Failed requests: 0

hostname # show crypto protocol statistics ssl 
[SSL statistics]
   Encrypt packet requests: 0
   Encapsulate packet requests: 0
   Decrypt packet requests: 0
   Decapsulate packet requests: 0
   HMAC calculation requests: 0
   SA creation requests: 0
   SA rekey requests: 0
   SA deletion requests: 0
   Next phase key allocation requests: 0
   Random number generation requests: 0
   Failed requests: 0

hostname # show crypto protocol statistics other
[Other statistics]
   Encrypt packet requests: 0
   Encapsulate packet requests: 0
   Decrypt packet requests: 0
   Decapsulate packet requests: 0
   HMAC calculation requests: 0
   SA creation requests: 0
   SA rekey requests: 0
   SA deletion requests: 0
   Next phase key allocation requests: 0
   Random number generation requests: 99
   Failed requests: 0

hostname # show crypto protocol statistics all 
[IKEv1 statistics]
   Encrypt packet requests: 46
   Encapsulate packet requests: 46
   Decrypt packet requests: 40
   Decapsulate packet requests: 40
   HMAC calculation requests: 91
   SA creation requests: 1
   SA rekey requests: 3
   SA deletion requests: 3
   Next phase key allocation requests: 2
   Random number generation requests: 0
   Failed requests: 0
[IKEv2 statistics]
   Encrypt packet requests: 0
   Encapsulate packet requests: 0
   Decrypt packet requests: 0
   Decapsulate packet requests: 0
   HMAC calculation requests: 0
   SA creation requests: 0
   SA rekey requests: 0
   SA deletion requests: 0
   Next phase key allocation requests: 0
   Random number generation requests: 0
   Failed requests: 0
[IPsec statistics]
   Encrypt packet requests: 700
   Encapsulate packet requests: 700
   Decrypt packet requests: 700
   Decapsulate packet requests: 700
   HMAC calculation requests: 1400
   SA creation requests: 2
   SA rekey requests: 0
   SA deletion requests: 0
   Next phase key allocation requests: 0
   Random number generation requests: 0
   Failed requests: 0
[SSL statistics]
   Encrypt packet requests: 0
   Encapsulate packet requests: 0
   Decrypt packet requests: 0
   Decapsulate packet requests: 0
   HMAC calculation requests: 0
   SA creation requests: 0
   SA rekey requests: 0
   SA deletion requests: 0
   Next phase key allocation requests: 0
   Random number generation requests: 0
   Failed requests: 0
[SSH statistics are not supported]
[SRTP statistics are not supported]
[Other statistics]
   Encrypt packet requests: 0
   Encapsulate packet requests: 0
   Decrypt packet requests: 0
   Decapsulate packet requests: 0
   HMAC calculation requests: 0
   SA creation requests: 0
   SA rekey requests: 0
   SA deletion requests: 0
   Next phase key allocation requests: 0
   Random number generation requests: 99
   Failed requests: 0
hostname # 

Related Commands

Command
Description

clear crypto accelerator statistics

Clears the global and accelerator-specific statistics in the crypto accelerator MIB.

clear crypto protocol statistics

Clears the protocol-specific statistics in the crypto accelerator MIB.

show crypto accelerator statistics

Displays the global and accelerator-specific statistics from the crypto accelerator MIB.


show ctiqbe

To display information about CTIQBE sessions established across the security appliance, use the show ctiqbe command in privileged EXEC mode.

show ctiqbe

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The show ctiqbe command displays information of CTIQBE sessions established across the security appliance. Along with debug ctiqbe and show local-host, this command is used for troubleshooting CTIQBE inspection engine issues.


Note We recommend that you have the pager command configured before using the show ctiqbe command. If there are a lot of CTIQBE sessions and the pager command is not configured, it can take a while for the show ctiqbe command output to reach the end.


Examples

The following is sample output from the show ctiqbe command under the following conditions. There is only one active CTIQBE session setup across the security appliance. It is established between an internal CTI device (for example, a Cisco IP SoftPhone) at local address 10.0.0.99 and an external Cisco Call Manager at 172.29.1.77, where TCP port 2748 is the Cisco CallManager. The heartbeat interval for the session is 120 seconds.

hostname# | show ctiqbe

Total: 1
 | LOCAL | FOREIGN | STATE | HEARTBEAT
---------------------------------------------------------------
1 | 10.0.0.99/1117  172.29.1.77/2748 | 1 | 120
 | RTP/RTCP: PAT xlates: mapped to 172.29.1.99(1028 | 1029)
 | MEDIA: Device ID 27 | Call ID 0
 | Foreign 172.29.1.99 | (1028 | 1029)
 | Local | 172.29.1.88 | (26822 | 26823)
 | ----------------------------------------------

The CTI device has already registered with the CallManager. The device internal address and RTP listening port is PATed to 172.29.1.99 UDP port 1028. Its RTCP listening port is PATed to UDP 1029.

The line beginning with RTP/RTCP: PAT xlates: appears only if an internal CTI device has registered with an external CallManager and the CTI device address and ports are PATed to that external interface. This line does not appear if the CallManager is located on an internal interface, or if the internal CTI device address and ports are NATed to the same external interface that is used by the CallManager.

The output indicates a call has been established between this CTI device and another phone at 172.29.1.88. The RTP and RTCP listening ports of the other phone are UDP 26822 and 26823. The other phone locates on the same interface as the CallManager because the security appliance does not maintain a CTIQBE session record associated with the second phone and CallManager. The active call leg on the CTI device side can be identified with Device ID 27 and Call ID 0.

The following is the xlate information for these CTIBQE connections:

hostname# show xlate debug
3 in use, 3 most used
Flags: D | DNS, d | dump, I | identity, i | inside, n | no random,
 | o | outside, r | portmap, s | static
TCP PAT from inside:10.0.0.99/1117 to outside:172.29.1.99/1025 flags ri idle 0:00:22 
timeout 0:00:30
UDP PAT from inside:10.0.0.99/16908 to outside:172.29.1.99/1028 flags ri idle 0:00:00 
timeout 0:04:10
UDP PAT from inside:10.0.0.99/16909 to outside:172.29.1.99/1029 flags ri idle 0:00:23 
timeout 0:04:10

Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

inspect ctiqbe

Enables CTIQBE application inspection.

service-policy

Applies a policy map to one or more interfaces.

show conn

Displays the connection state for different connection types.

timeout

Sets the maximum idle time duration for different protocols and session types.


show curpriv

To display the current user privileges, use the show curpriv command:

show curpriv

Syntax Description

This command has no arguments or keywords.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC

Unprivileged


Command History

Release
Modification

7.0

Modified to conform to CLI guidelines.


Usage Guidelines

The show curpriv command displays the current privilege level. Lower privilege level numbers indicate lower privilege levels.

Examples


These examples show output from the show curpriv command when a user named enable_15 is at different privilege levels. The username indicates the name that the user entered when the user logged in, P_PRIV indicates that the user has entered the enable command, and P_CONF indicates that the user has entered the config terminal command.

hostname(config)# show curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV P_CONF
hostname(config)# exit

hostname(config)# show curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV
hostname(config)# exit

hostname(config)# show curpriv
Username : enable_1
Current privilege level : 1
Current Mode/s : P_UNPR
hostname(config)# 

Related Commands

Command
Description

clear configure privilege

Remove privilege command statements from the configuration.

show running-config privilege

Display privilege levels for commands.


show debug

To show the current debugging configuration, use the show debug command.

show debug [command [keywords]]

Syntax Description

command

(Optional) Specifies the debug command whose current configuration you want to view. For each command, the syntax following command is identical to the syntax supported by the associated debug command. For example, valid keywords following show debug aaa are the same as the valid keywords for the debug aaa command. Thus, show debug aaa supports an accounting keyword, which allows you to specify that you want to see the debugging configuration for that portion of AAA debugging.


Defaults

This command has no default settings.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The valid command values follow. For information about valid syntax after command, see the entry for debug command, as applicable.


Note The availability of each command value depends upon the command modes that support the applicable debug command.


aaa

appfw

arp

asdm

context

crypto

ctiqbe

ctm

dhcpc

dhcpd

dhcprelay

disk

dns

email

entity

fixup

fover

fsm

ftp

generic

gtp

h323

http

http-map

icmp

igmp

ils

imagemgr

ipsec-over-tcp

ipv6

iua-proxy

kerberos

ldap

mfib

mgcp

mrib

ntdomain

ntp

ospf

parser

pim

pix

pptp

radius

rip

rtsp

sdi

sequence

sip

skinny

smtp

sqlnet

ssh

ssl

sunrpc

tacacs

timestamps

vpn-sessiondb

webvpn

xdmcp

Examples

The following commands enable debugging for authentication, accounting, and Flash memory. The show debug command is used in three ways to demonstrate how you can use it to view all debugging configuration, debugging configuration for a specific feature, and even debugging configuration for a subset of a feature.

hostname# debug aaa authentication 
debug aaa authentication enabled at level 1
hostname# debug aaa accounting
debug aaa accounting enabled at level 1
hostname# debug disk filesystem
debug disk filesystem enabled at level 1
hostname# show debug
debug aaa authentication enabled at level 1
debug aaa accounting enabled at level 1
debug disk filesystem enabled at level 1
hostname# show debug aaa
debug aaa authentication enabled at level 1
debug aaa authorization is disabled.
debug aaa accounting enabled at level 1
debug aa