Cisco ASA 5500 Series Command Reference, 8.2
show ddns -- show ipv6 traffic
Downloads: This chapterpdf (PDF - 1.23MB) The complete bookPDF (PDF - 29.05MB) | Feedback

show ddns update interface through show ipv6 traffic Commands

Table Of Contents

show ddns update interface through show ipv6 traffic Commands

show ddns update interface

show ddns update method

show debug

show debug mmp

show dhcpd

show dhcprelay state

show dhcprelay statistics

show disk

show dns-hosts

show dynamic-filter data

show dynamic-filter dns-snoop

show dynamic-filter reports infected-hosts

show dynamic-filter reports top

show dynamic-filter statistics

show dynamic-filter updater-client

show eigrp events

show eigrp interfaces

show eigrp neighbors

show eigrp topology

show eigrp traffic

show environment

show failover

show failover exec

show file

show firewall

show flash

show flow-export counters

show fragment

show gc

show h225

show h245

show h323-ras

show history

show icmp

show idb

show igmp groups

show igmp interface

show igmp traffic

show import webvpn

show interface

show interface ip brief

show inventory

show ip address

show ip address dhcp

show ip address pppoe

show ip audit count

show ip verify statistics

show ips

show ipsec sa

show ipsec sa summary

show ipsec stats

show ipv6 access-list

show ipv6 interface

show ipv6 mld traffic

show ipv6 neighbor

show ipv6 route

show ipv6 routers

show ipv6 traffic


show ddns update interface through show ipv6 traffic Commands


show ddns update interface

To display the DDNS methods assigned to adaptive security appliance interfaces, use the show ddns update interface command in privileged EXEC mode.

show ddns update interface [interface-name]

Syntax Description

interface-name

(Optional) The name of a network interface.


Defaults

Omitting the interface-name string displays the DDNS method assigned to each interface.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.2(1)

This command was introduced.


Examples

The following example displays the DDNS method assigned to the inside interface:

hostname# show ddns update interface inside
Dynamic DNS Update on inside:
  Update Method Name            Update Destination
  ddns-2                        not available
hostname#

Related Commands

Command
Description

ddns (DDNS-update-

method mode)

Specifies a DDNS update method type for a created DDNS method.

ddns update (interface config mode)

Associates a adaptive security appliance interface with a DDNS update method or a DDNS update hostname.

ddns update method (global config mode)

Creates a method for dynamically updating DNS resource records.

show ddns update method

Displays the type and interval for each configured DDNS method. a DHCP server to perform DDNS updates.

show running-config ddns

Displays the type and interval of all configured DDNS methods in the running configuration.


show ddns update method

To display the DDNS update methods in the running configuration, use the show ddns update method command in privileged EXEC mode.

show ddns update method [method-name]

Syntax Description

method-name

(Optional) The name of a configured DDNS update method.


Defaults

Omitting the method-name string displays all configured DDNS update methods.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.2(1)

This command was introduced.


Examples

The following example displays the DDNS method named ddns-2:

hostname(config)# show ddns update method ddns-2
 
   

Dynamic DNS Update Method: ddns-2

IETF standardized Dynamic DNS 'A' and 'PTR' records update

Maximum update interval: 0 days 0 hours 10 minutes 0 seconds

hostname(config)#

Related Commands

Command
Description

ddns (DDNS-update-

method mode)

Specifies a DDNS update method type for a created DDNS method.

ddns update (interface config mode)

Associates a adaptive security appliance interface with a Dynamic DNS (DDNS) update method or a DDNS update hostname.

ddns update method (global config mode)

Creates a method for dynamically updating DNS resource records.

show ddns update interface

Displays the interfaces associated with each configured DDNS method.

show running-config ddns

Displays the type and interval of all configured DDNS methods in the running configuration.


show debug

To show the current debugging configuration, use the show debug command.

show debug [command [keywords]]

Syntax Description

command

(Optional) Specifies the debug command whose current configuration you want to view. For each command, the syntax following command is identical to the syntax supported by the associated debug command. For example, valid keywords following show debug aaa are the same as the valid keywords for the debug aaa command. Thus, show debug aaa supports an accounting keyword, which allows you to specify that you want to see the debugging configuration for that portion of AAA debugging.


Defaults

This command has no default settings.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.

8.0(2)

The eigrp keyword was added to the list of possible command values.


Usage Guidelines

The valid command values follow. For each command, the syntax following command is identical to the syntax supported by the associated debug command. Refer to the associated debug command for information about the supported syntax.


Note The availability of each command value depends upon the command modes that support the applicable debug command.


aaa

appfw

arp

asdm

context

crypto

ctiqbe

ctm

dhcpc

dhcpd

dhcprelay

disk

dns

eigrp

email

entity

fixup

fover

fsm

ftp

generic

gtp

h323

http

http-map

icmp

igmp

ils

imagemgr

ipsec-over-tcp

ipv6

iua-proxy

kerberos

ldap

mfib

mgcp

mrib

ntdomain

ntp

ospf

parser

pim

pix

pptp

radius

rip

rtsp

sdi

sequence

sip

skinny

smtp

sqlnet

ssh

ssl

sunrpc

tacacs

timestamps

vpn-sessiondb

webvpn

xdmcp

xml

Examples

The following commands enable debugging for authentication, accounting, and Flash memory. The show debug command is used in three ways to demonstrate how you can use it to view all debugging configuration, debugging configuration for a specific feature, and even debugging configuration for a subset of a feature.

hostname# debug aaa authentication 
debug aaa authentication enabled at level 1
hostname# debug aaa accounting
debug aaa accounting enabled at level 1
hostname# debug disk filesystem
debug disk filesystem enabled at level 1
hostname# show debug
debug aaa authentication enabled at level 1
debug aaa accounting enabled at level 1
debug disk filesystem enabled at level 1
hostname# show debug aaa
debug aaa authentication enabled at level 1
debug aaa authorization is disabled.
debug aaa accounting enabled at level 1
debug aaa internal is disabled.
debug aaa vpn is disabled.
hostname# show debug aaa accounting
debug aaa accounting enabled at level 1
hostname# 
 
   

Related Commands

Command
Description

debug

See all debug commands.


show debug mmp

To display current debug settings for the MMP inspection module, use the show debug mmp command in privileged EXEC mode.

show debug mmp

Syntax Description 

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History 

Release
Modification

8.0(4)

The command was introduced.


Examples

The following example shows the use of the show debug mmp command to displaythe current debug settings for the MMP inspection module:

hostname# show debug mmp
debug mmp  enabled at level 1
 
   

Related Commands 

Command
Description

debug mmp

Display inspect MMP events.

inspect mmp

Configures the MMP inspection engine.


show dhcpd

To view DHCP binding, state, and statistical information, use the show dhcpd command in privileged EXEC or global configuration mode.

show dhcpd {binding [IP_address] | state | statistics}

Syntax Description

binding

Displays binding information for a given server IP address and its associated client hardware address and lease length.

IP_address

Shows the binding information for the specified IP address.

state

Displays the state of the DHCP server, such as whether it is enabled in the current context and whether it is enabled on each of the interfaces.

statistics

Displays statistical information, such as the number of address pools, bindings, expired bindings, malformed messages, sent messages, and received messages.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

If you include the optional IP address in the show dhcpd binding command, only the binding for that IP address is shown.

The show dhcpd binding | state | statistics commands are also available in global configuration mode.

Examples

The following is sample output from the show dhcpd binding command:

hostname# show dhcpd binding
IP Address Client-ed							 Lease Expiration Type
10.0.1.100 0100.a0c9.868e.43 84985 seconds automatic
 
   

The following is sample output from the show dhcpd state command:

hostname# show dhcpd state
Context Not Configured for DHCP
Interface outside, Not Configured for DHCP
Interface inside, Not Configured for DHCP
 
   

The following is sample output from the show dhcpd statistics command:

hostname# show dhcpd statistics
 
   
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0
 
   
Address pools        1
Automatic bindings   1
Expired bindings     1
Malformed messages   0
 
   
Message              Received
BOOTREQUEST          0
DHCPDISCOVER         1
DHCPREQUEST          2
DHCPDECLINE          0
DHCPRELEASE          0
DHCPINFORM           0
 
   
Message              Sent
BOOTREPLY            0
DHCPOFFER            1
DHCPACK              1
DHCPNAK              1
 
   

Related Commands

Command
Description

clear configure dhcpd

Removes all DHCP server settings.

clear dhcpd

Clears the DHCP server bindings and statistic counters.

dhcpd lease

Defines the lease length for DHCP information granted to clients.

show running-config dhcpd

Displays the current DHCP server configuration.


show dhcprelay state

To view the state of the DHCP relay agent, use the show dhcprelay state command in privileged EXEC or global configuration mode.

show dhcprelay state

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

This command displays the DHCP relay agent state information for the current context and each interface.

Examples

The following is sample output from the show dhcprelay state command:

hostname# show dhcprelay state
 
   
Context  Configured as DHCP Relay
Interface outside, Not Configured for DHCP
Interface infrastructure, Configured for DHCP RELAY SERVER
Interface inside, Configured for DHCP RELAY
 
   

Related Commands

Command
Description

show dhcpd

Displays DHCP server statistics and state information.

show dhcprelay statistics

Displays the DHCP relay statistics.

show running-config dhcprelay

Displays the current DHCP relay agent configuration.


show dhcprelay statistics

To display the DHCP relay statistics, use the show dhcprelay statistics command in privileged EXEC mode.

show dhcprelay statistics

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The output of the show dhcprelay statistics command increments until you enter the clear dhcprelay statistics command.

Examples

The following shows sample output for the show dhcprelay statistics command:

hostname# show dhcprelay statistics
 
   
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0
 
   
Packets Relayed
BOOTREQUEST          0
DHCPDISCOVER         7
DHCPREQUEST          3
DHCPDECLINE          0
DHCPRELEASE          0
DHCPINFORM           0
 
   
BOOTREPLY            0
DHCPOFFER            7
DHCPACK              3
DHCPNAK              0
hostname# 
 
   

Related Commands

Command
Description

clear configure dhcprelay

Removes all DHCP relay agent settings.

clear dhcprelay statistics

Clears the DHCP relay agent statistic counters.

debug dhcprelay

Displays debug information for the DHCP relay agent.

show dhcprelay state

Displays the state of the DHCP relay agent.

show running-config dhcprelay

Displays the current DHCP relay agent configuration.


show disk

To display the contents of the flash memory for the adaptive security appliance only, use the show disk command in privileged EXEC mode.

show disk[0 | 1] [filesys | all] controller

Syntax Description

0 | 1

Specifies the internal flash memory (0, the default) or the external flash memory (1).

controller

Specifies the flash controller model number.

filesys

Shows information about the compact flash card.

all

Shows the contents of flash memory plus the file system information,


Defaults

Shows the internal flash memory by default.

Command Modes

The following table shows the modes in which you can enter the command.

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was introduced.


Examples

The following is sample output from the show disk command:

hostname# show disk
-#- --length-- -----date/time------ path
 11 1301       Feb 21 2005 18:01:34 test.cfg
 12 1949       Feb 21 2005 20:13:36 test1.cfg
 13 2551       Jan 06 2005 10:07:36 test2.cfg
 14 609223     Jan 21 2005 07:14:18 test3.cfg
 15 1619       Jul 16 2004 16:06:48 test4.cfg
 16 3184       Aug 03 2004 07:07:00 old_running.cfg
 17 4787       Mar 04 2005 12:32:18 test5.cfg
 20 1792       Jan 21 2005 07:29:24 test6.cfg
 21 7765184    Mar 07 2005 19:38:30 test7.cfg
 22 1674       Nov 11 2004 02:47:52 test8.cfg
 23 1863       Jan 21 2005 07:29:18 test9.cfg
 24 1197       Jan 19 2005 08:17:48 test10.cfg
 25 608554     Jan 13 2005 06:20:54 backupconfig.cfg
 26 5124096    Feb 20 2005 08:49:28 cdisk1
 27 5124096    Mar 01 2005 17:59:56 cdisk2
 28 2074       Jan 13 2005 08:13:26 test11.cfg
 29 5124096    Mar 07 2005 19:56:58 cdisk3
 30 1276       Jan 28 2005 08:31:58 lead
 31 7756788    Feb 24 2005 12:59:46 asdmfile.dbg
 32 7579792    Mar 08 2005 11:06:56 asdmfile1.dbg
 33 7764344    Mar 04 2005 12:17:46 asdmfile2.dbg
 34 5124096    Feb 24 2005 11:50:50 cdisk4
 35 15322      Mar 04 2005 12:30:24 hs_err.log
 
   
10170368 bytes available (52711424 bytes used)
 
   

The following is sample output from the show disk filesys command:

hostname# show disk filesys
******** Flash Card Geometry/Format Info ********
 
   
COMPACT FLASH CARD GEOMETRY
   Number of Heads:            4
   Number of Cylinders       978
   Sectors per Cylinder       32
   Sector Size               512
   Total Sectors          125184
 
   
COMPACT FLASH CARD FORMAT
   Number of FAT Sectors      61
   Sectors Per Cluster         8
   Number of Clusters      15352
   Number of Data Sectors 122976
   Base Root Sector          123
   Base FAT Sector             1
   Base Data Sector          155
 
   

The following is sample output from the show disk controller command:

hostname# show disk:1 controller
Flash Model: TOSHIBA THNCF064MBA
 
   

Related Commands

Command
Description

dir

Displays the directory contents.


show dns-hosts

To show the DNS cache, use the show dns-hosts command in privileged EXEC mode.The DNS cache includes dynamically learned entries from a DNS server as well as manually entered name and IP addresses.

show dns-hosts

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was introduced.


Examples

The following is sample output from the show dns-hosts command:

hostname# show dns-hosts
Host                       Flags      Age Type   Address(es)
ns2.example.com            (temp, OK) 0    IP    10.102.255.44
ns1.example.com            (temp, OK) 0    IP    192.168.241.185
snowmass.example.com       (temp, OK) 0    IP    10.94.146.101
server.example.com         (temp, OK) 0    IP    10.94.146.80
 
   

Table 11 shows each field description.

Table 25-1 show dns-hosts Fields 

Field
Description

Host

Shows the hostname.

Flags

Shows the entry status, as a combination of the following:

temp—This entry is temporary because it comes from a DNS server. The adaptive security appliance removes this entry after 72 hours of inactivity.

perm—This entry is permanent because it was added with the name command.

OK—This entry is valid.

??—This entry is suspect and needs to be revalidated.

EX—This entry is expired.

Age

Shows the number of hours since this entry was last referenced.

Type

Shows the type of DNS record; this value is always IP.

Address(es)

The IP addresses.


Related Commands

Command
Description

clear dns-hosts

Clears the DNS cache.

dns domain-lookup

Enables the adaptive security appliance to perform a name lookup.

dns name-server

Configures a DNS server address.

dns retries

Specifies the number of times to retry the list of DNS servers when the adaptive security appliance does not receive a response.

dns timeout

Specifies the amount of time to wait before trying the next DNS server.


show dynamic-filter data

To show information about the Botnet Traffic Filter dynamic database, including when the dynamic database was last downloaded, the version of the database, how many entries the database contains, and 10 sample entries, use the show dynamic-filter data command in privileged EXEC mode.

show dynamic-filter data

Syntax Description

This command has no arguments or keywords.

Command Default

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

8.2(1)

This command was introduced.


Usage Guidelines

To view dynamic database information, first enable use and download of the database with the dynamic-filter use-database and dynamic-filter updater-client enable commands.

Examples

The following is sample output from the show dynamic-filter data command:

hostname# show dynamic-filter data
 
   
Traffic filter is using downloaded database version '907'
Fetched at 18:00:16 UTC Jan 22 2009, size: 674381
Sample names from downloaded database:
  example.com, example.net, example.org,
cisco.example, cisco.invalid, bad.example.com
bad.example.net, bad.example.org, bad.cisco.example
bad.cisco.ivalid
Total entries in Dynamic Filter database:
  Dynamic data: 40909 domain names , 1080 IPv4 addresses
  Local data: 0 domain names , 0 IPv4 addresses
Active rules in Dynamic Filter asp table:
  Dynamic data: 0 domain names , 1080 IPv4 addresses
  Local data: 0 domain names , 0 IPv4 addresses

Related Commands

Command
Description

address

Adds an IP address to the blacklist or whitelist.

clear configure dynamic-filter

Clears the running Botnet Traffic Filter configuration.

clear dynamic-filter dns-snoop

Clears Botnet Traffic Filter DNS snooping data.

clear dynamic-filter reports

Clears Botnet Traffic filter report data.

clear dynamic-filter statistics

Clears Botnet Traffic filter statistics.

dns domain-lookup

Enables the adaptive security appliance to send DNS requests to a DNS server to perform a name lookup for supported commands.

dns server-group

Identifies a DNS server for the adaptive security appliance.

dynamic-filter ambiguous-is-black

Treats greylisted traffic as blacklisted traffic for action purposes.

dynamic-filter blacklist

Edits the Botnet Traffic Filter blacklist.

dynamic-filter database fetch

Manually retrieves the Botnet Traffic Filter dynamic database.

dynamic-filter database find

Searches the dynamic database for a domain name or IP address.

dynamic-filter database purge

Manually deletes the Botnet Traffic Filter dynamic database.

dynamic-filter drop blacklist

Automatically drops blacklisted traffic.

dynamic-filter enable

Enables the Botnet Traffic Filter for a class of traffic or for all traffic if you do not specify an access list.

dynamic-filter updater-client enable

Enables downloading of the dynamic database.

dynamic-filter use-database

Enables use of the dynamic database.

dynamic-filter whitelist

Edits the Botnet Traffic Filter whitelist.

inspect dns dynamic-filter-snoop

Enables DNS inspection with Botnet Traffic Filter snooping.

name

Adds a name to the blacklist or whitelist.

show asp table dynamic-filter

Shows the Botnet Traffic Filter rules that are installed in the accelerated security path.

show dynamic-filter data

Shows information about the dynamic database, including when the dynamic database was last downloaded, the version of the database, how many entries the database contains, and 10 sample entries.

show dynamic-filter reports

Generates reports of the top 10 botnet sites, ports, and infected hosts.

show dynamic-filter statistics

Shows how many connections were monitored with the Botnet Traffic Filter, and how many of those connections match the whitelist, blacklist, and greylist.

show dynamic-filter updater-client

Shows information about the updater server, including the server IP address, the next time the adaptive security appliance will connect with the server, and the database version last installed.

show running-config dynamic-filter

Shows the Botnet Traffic Filter running configuration.


show dynamic-filter dns-snoop

To show the Botnet Traffic Filter DNS snooping summary, or the actual IP addresses and names, use the show dynamic-filter dns-snoop command in privileged EXEC mode.

show dynamic-filter dns-snoop [detail]

Syntax Description

detail

(Optional) Shows the IP addresses and names snooped from DNS responses.


Command Default

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

8.2(1)

This command was introduced.


Usage Guidelines

All inspected DNS data is included in this output, and not just matching names in the blacklist. DNS data from static entries are not included.

To clear the DNS snooping data, enter the clear dynamic-filter dns-snoop command.

Examples

The following is sample output from the show dynamic-filter dns-snoop command:

hostname# show dynamic-filter dns-snoop
 
   
DNS Reverse Cache Summary Information:
75 addresses, 124 names, 997 dnsrc address buckets
 
   

The following is sample output from the show dynamic-filter dns-snoop detail command:

hostname# show dynamic-filter dns-snoop detail
 
   
DNS Reverse Cache Summary Information:
75 addresses, 124 names, 997 dnsrc address buckets
DNS reverse Cache Information:
[10.67.22.34] flags=0x22, cat=2, unit=0 b:g:w=3:0:0, cookie=0xda148218
    [www3.example.com] cat=2, ttl=3
    [www.bad.example.com] cat=2, ttl=3
    [www.example.com] cat=2, ttl=3
[10.6.68.133] flags=0x2, cat=2, unit=0 b:g:w=1:0:0, cookie=0xda13ed60
    [cisco.example] cat=2, ttl=73
[10.166.226.25] flags=0x2, cat=2, unit=0 b:g:w=1:0:0, cookie=0xda608cb8
    [cisco.invalid] cat=2, ttl=2

Related Commands

Command
Description

address

Adds an IP address to the blacklist or whitelist.

clear configure dynamic-filter

Clears the running Botnet Traffic Filter configuration.

clear dynamic-filter dns-snoop

Clears Botnet Traffic Filter DNS snooping data.

clear dynamic-filter reports

Clears Botnet Traffic filter report data.

clear dynamic-filter statistics

Clears Botnet Traffic filter statistics.

dns domain-lookup

Enables the adaptive security appliance to send DNS requests to a DNS server to perform a name lookup for supported commands.

dns server-group

Identifies a DNS server for the adaptive security appliance.

dynamic-filter ambiguous-is-black

Treats greylisted traffic as blacklisted traffic for action purposes.

dynamic-filter blacklist

Edits the Botnet Traffic Filter blacklist.

dynamic-filter database fetch

Manually retrieves the Botnet Traffic Filter dynamic database.

dynamic-filter database find

Searches the dynamic database for a domain name or IP address.

dynamic-filter database purge

Manually deletes the Botnet Traffic Filter dynamic database.

dynamic-filter drop blacklist

Automatically drops blacklisted traffic.

dynamic-filter enable

Enables the Botnet Traffic Filter for a class of traffic or for all traffic if you do not specify an access list.

dynamic-filter updater-client enable

Enables downloading of the dynamic database.

dynamic-filter use-database

Enables use of the dynamic database.

dynamic-filter whitelist

Edits the Botnet Traffic Filter whitelist.

inspect dns dynamic-filter-snoop

Enables DNS inspection with Botnet Traffic Filter snooping.

name

Adds a name to the blacklist or whitelist.

show asp table dynamic-filter

Shows the Botnet Traffic Filter rules that are installed in the accelerated security path.

show dynamic-filter data

Shows information about the dynamic database, including when the dynamic database was last downloaded, the version of the database, how many entries the database contains, and 10 sample entries.

show dynamic-filter reports

Generates reports of the top 10 botnet sites, ports, and infected hosts.

show dynamic-filter statistics

Shows how many connections were monitored with the Botnet Traffic Filter, and how many of those connections match the whitelist, blacklist, and greylist.

show dynamic-filter updater-client

Shows information about the updater server, including the server IP address, the next time the adaptive security appliance will connect with the server, and the database version last installed.

show running-config dynamic-filter

Shows the Botnet Traffic Filter running configuration.


show dynamic-filter reports infected-hosts

To generate reports about infected hosts classified by the Botnet Traffic Filter, use the show dynamic-filter reports infected-hosts command in privileged EXEC mode.

show dynamic-filter reports infected-hosts {max-connections | latest-active | highest-threat | subnet ip_address netmask | all}

Syntax Description

all

Shows all buffered infected-hosts information. This display might include thousands of entries. You might want to use ASDM to generate a PDF file instead of using the CLI.

highest-threat

Shows the 20 hosts that connected to the malware sites with the highest threat level.

latest-active

Shows the 20 hosts with the most recent activity. For each host, the display shows detailed information about 5 visited malware sites.

max-connections

Shows the 20 infected hosts with the most number of connections.

subnet ip_address netmask

Shows up to 20 hosts within the specified subnet.


Command Default

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.2(2)

This command was introduced.


Usage Guidelines

These reports contain detailed history about infected hosts, showing the correlation between infected hosts, visited malware sites, and malware ports.

To clear the report data, enter the clear dynamic-filter reports infected-hosts command.

Examples

The following is sample output from the show dynamic-filter reports infected hosts all command:

hostname# show dynamic-filter reports infected-hosts all
 
   
Total 2 infected-hosts in buffer
Host (interface)                        Latest malicious conn time, filter action  Conn logged, dropped
=======================================================================================================
192.168.1.4 (internal)                  15:39:40 UTC Sep 17 2009, dropped                    3      3
Malware-sites connected to (not ordered)
Site                       Latest conn port, time, filter action   Conn logged, dropped Threat-level Category
-------------------------------------------------------------------------------------------------------
10.73.210.27 (bad.example.com)     80, 15:39:31 UTC Sep 17 2009, dropped      2   2     very-high Malware
10.65.2.119 (bad2.example.com)     0, 15:39:40 UTC Sep 17 2009, dropped       1   1     very-high admin-added
=======================================================================================================
192.168.1.2 (internal)                  15:39:01 UTC Sep 17 2009, dropped                    5      5
Malware-sites connected to (not ordered)
Site                       Latest conn port, time, filter action   Conn logged, dropped Threat-level Category
-------------------------------------------------------------------------------------------------------
10.131.36.158 (bad.example.com)    0, 15:37:46 UTC Sep 17 2009, dropped      1    1    very-high admin-added
10.65.2.119 (bad2.example.com)     0, 15:37:53 UTC Sep 17 2009, dropped      1    1   very-high  admin-added
20.73.210.27 (bad3.example.com)   80, 15:39:01 UTC Sep 17 2009, dropped      3    3   very-high  Malware
=======================================================================================================
 
   
Last clearing of the infected-hosts report: Never
 
   

Related Commands

Command
Description

address

Adds an IP address to the blacklist or whitelist.

clear configure dynamic-filter

Clears the running Botnet Traffic Filter configuration.

clear dynamic-filter dns-snoop

Clears Botnet Traffic Filter DNS snooping data.

clear dynamic-filter reports

Clears Botnet Traffic filter report data.

clear dynamic-filter statistics

Clears Botnet Traffic filter statistics.

dns domain-lookup

Enables the adaptive security appliance to send DNS requests to a DNS server to perform a name lookup for supported commands.

dns server-group

Identifies a DNS server for the adaptive security appliance.

dynamic-filter ambiguous-is-black

Treats greylisted traffic as blacklisted traffic for action purposes.

dynamic-filter blacklist

Edits the Botnet Traffic Filter blacklist.

dynamic-filter database fetch

Manually retrieves the Botnet Traffic Filter dynamic database.

dynamic-filter database find

Searches the dynamic database for a domain name or IP address.

dynamic-filter database purge

Manually deletes the Botnet Traffic Filter dynamic database.

dynamic-filter drop blacklist

Automatically drops blacklisted traffic.

dynamic-filter enable

Enables the Botnet Traffic Filter for a class of traffic or for all traffic if you do not specify an access list.

dynamic-filter updater-client enable

Enables downloading of the dynamic database.

dynamic-filter use-database

Enables use of the dynamic database.

dynamic-filter whitelist

Edits the Botnet Traffic Filter whitelist.

inspect dns dynamic-filter-snoop

Enables DNS inspection with Botnet Traffic Filter snooping.

name

Adds a name to the blacklist or whitelist.

show asp table dynamic-filter

Shows the Botnet Traffic Filter rules that are installed in the accelerated security path.

show dynamic-filter data

Shows information about the dynamic database, including when the dynamic database was last downloaded, the version of the database, how many entries the database contains, and 10 sample entries.

show dynamic-filter dns-snoop

Shows the Botnet Traffic Filter DNS snooping summary, or with the detail keyword, the actual IP addresses and names.

show dynamic-filter statistics

Shows how many connections were monitored with the Botnet Traffic Filter, and how many of those connections match the whitelist, blacklist, and greylist.

show dynamic-filter updater-client

Shows information about the updater server, including the server IP address, the next time the adaptive security appliance will connect with the server, and the database version last installed.

show running-config dynamic-filter

Shows the Botnet Traffic Filter running configuration.


show dynamic-filter reports top

To generate reports of the top 10 malware sites, ports, and infected hosts classified by the Botnet Traffic Filter, use the show dynamic-filter reports top command in privileged EXEC mode.

show dynamic-filter reports top [malware-sites | malware-ports | infected-hosts]

Syntax Description

malware-ports

(Optional) Shows a report for the top 10 malware ports.

malware-sites

(Optional) Shows a report for the top 10 malware sites.

infected-hosts

(Optional) Shows a report for the top 10 infected hosts.


Command Default

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.2(1)

This command was introduced.

8.2(2)

The botnet-sites and botnet-ports keywords were changed to malware-sites and malware-ports. The malware-sites report now includes the number of connections dropped, and the threat level and category of each site. A last clear timestamp was added. For threat events, the severity level was changed from a warning to a notification. Threat events can be triggered every five minutes.


Usage Guidelines

This report is a snapshot of the data, and may not match the top 10 items since the statistics started to be collected.

To clear the report data, enter the clear dynamic-filter reports top command.

Examples

The following is sample output from the show dynamic-filter reports top malware-sites command:

hostname# show dynamic-filter reports top malware-sites
Site                                 Connections logged dropped Threat Level Category
--------------------------------------------------------------------------------------
bad1.example.com (10.67.22.34)                      11     0          2      Botnet
bad2.example.com (209.165.200.225)                   8     8          3      Virus
bad1.cisco.example(10.131.36.158)                    6     6          3      Virus
bad2.cisco.example(209.165.201.1)                    2     2          3      Trojan
horrible.example.net(10.232.224.2)                   2     2          3      Botnet
nono.example.org(209.165.202.130)                    1     1          3      Virus
 
   
Last clearing of the top sites report: at 13:41:06 UTC Jul 15 2009
 
   

The following is sample output from the show dynamic-filter reports top malware-ports command:

hostname# show dynamic-filter reports top malware-ports
Port                                       Connections logged
----------------------------------------------------------------------
tcp 1000                                           617
tcp 2001                                           472
tcp 23                                              22
tcp 1001                                            19
udp 2000                                            17
udp 2001                                            17
tcp 8080                                             9
tcp 80                                               3
tcp >8192                                            2
 
   
Last clearing of the top ports report: at 13:41:06 UTC Jul 15 2009
 
   

The following is sample output from the show dynamic-filter reports top infected-hosts command:

hostname# show dynamic-filter reports top infected-hosts
Host                                       Connections logged
----------------------------------------------------------------------
10.10.10.51(inside)                               1190
10.12.10.10(inside)                                10             
10.10.11.10(inside)                                 5 
 
   
Last clearing of the top infected-hosts report: at 13:41:06 UTC Jul 15 2009

Related Commands

Command
Description

address

Adds an IP address to the blacklist or whitelist.

clear configure dynamic-filter

Clears the running Botnet Traffic Filter configuration.

clear dynamic-filter dns-snoop

Clears Botnet Traffic Filter DNS snooping data.

clear dynamic-filter reports

Clears Botnet Traffic filter report data.

clear dynamic-filter statistics

Clears Botnet Traffic filter statistics.

dns domain-lookup

Enables the adaptive security appliance to send DNS requests to a DNS server to perform a name lookup for supported commands.

dns server-group

Identifies a DNS server for the adaptive security appliance.

dynamic-filter ambiguous-is-black

Treats greylisted traffic as blacklisted traffic for action purposes.

dynamic-filter blacklist

Edits the Botnet Traffic Filter blacklist.

dynamic-filter database fetch

Manually retrieves the Botnet Traffic Filter dynamic database.

dynamic-filter database find

Searches the dynamic database for a domain name or IP address.

dynamic-filter database purge

Manually deletes the Botnet Traffic Filter dynamic database.

dynamic-filter drop blacklist

Automatically drops blacklisted traffic.

dynamic-filter enable

Enables the Botnet Traffic Filter for a class of traffic or for all traffic if you do not specify an access list.

dynamic-filter updater-client enable

Enables downloading of the dynamic database.

dynamic-filter use-database

Enables use of the dynamic database.

dynamic-filter whitelist

Edits the Botnet Traffic Filter whitelist.

inspect dns dynamic-filter-snoop

Enables DNS inspection with Botnet Traffic Filter snooping.

name

Adds a name to the blacklist or whitelist.

show asp table dynamic-filter

Shows the Botnet Traffic Filter rules that are installed in the accelerated security path.

show dynamic-filter data

Shows information about the dynamic database, including when the dynamic database was last downloaded, the version of the database, how many entries the database contains, and 10 sample entries.

show dynamic-filter dns-snoop

Shows the Botnet Traffic Filter DNS snooping summary, or with the detail keyword, the actual IP addresses and names.

show dynamic-filter statistics

Shows how many connections were monitored with the Botnet Traffic Filter, and how many of those connections match the whitelist, blacklist, and greylist.

show dynamic-filter updater-client

Shows information about the updater server, including the server IP address, the next time the adaptive security appliance will connect with the server, and the database version last installed.

show running-config dynamic-filter

Shows the Botnet Traffic Filter running configuration.


show dynamic-filter statistics

To show how many connections were classified as whitelist, blacklist, and greylist connections using the Botnet Traffic Filter, use the show dynamic-filter statistics command in privileged EXEC mode.

show dynamic-filter statistics [interface name] [detail]

Syntax Description

detail

(Optional) Shows how many packets at each threat level were classified or dropped.

interface name

(Optional) Shows statistics for a particular interface.


Command Default

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.2(1)

This command was introduced.

8.2(2)

The detail keyword was added to show how many packets at each threat level were classified or dropped. For threat events, the severity level was changed from a warning to a notification. Threat events can be triggered every five minutes.


Usage Guidelines

The greylist includes addresses that are associated with multiple domain names, but not all of these domain names are on the blacklist.

To clear the statistics, enter the clear dynamic-filter statistics command.

Examples

The following is sample output from the show dynamic-filter statistics command:

hostname# show dynamic-filter statistics
Enabled on interface outside 
 Total conns classified 11, ingress 11, egress 0
 Total whitelist classified 0, ingress 0, egress 0
 Total greylist classified 0, dropped 0, ingress 0, egress 0
 Total blacklist classified 11, dropped 5, ingress 11, egress 0
Enabled on interface inside 
 Total conns classified 1182, ingress 1182, egress 0
 Total whitelist classified 3, ingress 3, egress 0
 Total greylist classified 0, dropped 0, ingress 0, egress 0
 Total blacklist classified 1179, dropped 1000, ingress 1179, egress 0 
 
   

The following is sample output from the show dynamic-filter statistics interface outside detail command:

hostname# show dynamic-filter statistics interface outside detail 
Enabled on interface outside 
 Total conns classified 2108, ingress 2108, egress 0
 Total whitelist classified 0, ingress 0, egress 0
 Total greylist classified 1, dropped 1, ingress 0, egress 0
   Threat level 5 classified 1, dropped 1, ingress 0, egress 0
   Threat level 4 classified 0, dropped 0, ingress 0, egress 0
   ...
Total blacklist classified 30, dropped 20, ingress 11, egress 2
   Threat level 5 classified 6, dropped 6, ingress 4, egress 2
   Threat level 4 classified 5, dropped 5, ingress 5, egress 0
 
   

Related Commands

Command
Description

address

Adds an IP address to the blacklist or whitelist.

clear configure dynamic-filter

Clears the running Botnet Traffic Filter configuration.

clear dynamic-filter dns-snoop

Clears Botnet Traffic Filter DNS snooping data.

clear dynamic-filter reports

Clears Botnet Traffic filter report data.

clear dynamic-filter statistics

Clears Botnet Traffic filter statistics.

dns domain-lookup

Enables the adaptive security appliance to send DNS requests to a DNS server to perform a name lookup for supported commands.

dns server-group

Identifies a DNS server for the adaptive security appliance.

dynamic-filter ambiguous-is-black

Treats greylisted traffic as blacklisted traffic for action purposes.

dynamic-filter blacklist

Edits the Botnet Traffic Filter blacklist.

dynamic-filter database fetch

Manually retrieves the Botnet Traffic Filter dynamic database.

dynamic-filter database find

Searches the dynamic database for a domain name or IP address.

dynamic-filter database purge

Manually deletes the Botnet Traffic Filter dynamic database.

dynamic-filter drop blacklist

Automatically drops blacklisted traffic.

dynamic-filter enable

Enables the Botnet Traffic Filter for a class of traffic or for all traffic if you do not specify an access list.

dynamic-filter updater-client enable

Enables downloading of the dynamic database.

dynamic-filter use-database

Enables use of the dynamic database.

dynamic-filter whitelist

Edits the Botnet Traffic Filter whitelist.

inspect dns dynamic-filter-snoop

Enables DNS inspection with Botnet Traffic Filter snooping.

name

Adds a name to the blacklist or whitelist.

show asp table dynamic-filter

Shows the Botnet Traffic Filter rules that are installed in the accelerated security path.

show dynamic-filter data

Shows information about the dynamic database, including when the dynamic database was last downloaded, the version of the database, how many entries the database contains, and 10 sample entries.

show dynamic-filter dns-snoop

Shows the Botnet Traffic Filter DNS snooping summary, or with the detail keyword, the actual IP addresses and names.

show dynamic-filter reports

Generates reports of the top 10 botnet sites, ports, and infected hosts.

show dynamic-filter updater-client

Shows information about the updater server, including the server IP address, the next time the adaptive security appliance will connect with the server, and the database version last installed.

show running-config dynamic-filter

Shows the Botnet Traffic Filter running configuration.


show dynamic-filter updater-client

To show information about the Botnet Traffic Filter updater server, including the server IP address, the next time the adaptive security appliance will connect with the server, and the database version last installed, use the show dynamic-filter updater-client command in privileged EXEC mode.

show dynamic-filter updater-client

Syntax Description

This command has no arguments or keywords.

Command Default

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

8.2(1)

This command was introduced.


Examples

The following is sample output from the show dynamic-filter updater-client command:

hostname# show dynamic-filter updater-client
 
   
Traffic Filter updater client is enabled
Updater server url is https://10.15.80.240:446
Application name: trafmon, version: 1.0
Encrypted UDI:
0bb93985f42d941e50dc8f022350d1a8de96ba6c1f6d45f4bc0ead02a7d5990be32f483b
5715cd80a215cedadd4e5ffe
Next update is in 00:02:00
Database file version is '907' fetched at 22:51:41 UTC Oct 16 2006,
size: 521408

Related Commands

Command
Description

address

Adds an IP address to the blacklist or whitelist.

clear configure dynamic-filter

Clears the running Botnet Traffic Filter configuration.

clear dynamic-filter dns-snoop

Clears Botnet Traffic Filter DNS snooping data.

clear dynamic-filter reports

Clears Botnet Traffic filter report data.

clear dynamic-filter statistics

Clears Botnet Traffic filter statistics.

dns domain-lookup

Enables the adaptive security appliance to send DNS requests to a DNS server to perform a name lookup for supported commands.

dns server-group

Identifies a DNS server for the adaptive security appliance.

dynamic-filter ambiguous-is-black

Treats greylisted traffic as blacklisted traffic for action purposes.

dynamic-filter blacklist

Edits the Botnet Traffic Filter blacklist.

dynamic-filter database fetch

Manually retrieves the Botnet Traffic Filter dynamic database.

dynamic-filter database find

Searches the dynamic database for a domain name or IP address.

dynamic-filter database purge

Manually deletes the Botnet Traffic Filter dynamic database.

dynamic-filter drop blacklist

Automatically drops blacklisted traffic.

dynamic-filter enable

Enables the Botnet Traffic Filter for a class of traffic or for all traffic if you do not specify an access list.

dynamic-filter updater-client enable

Enables downloading of the dynamic database.

dynamic-filter use-database

Enables use of the dynamic database.

dynamic-filter whitelist

Edits the Botnet Traffic Filter whitelist.

inspect dns dynamic-filter-snoop

Enables DNS inspection with Botnet Traffic Filter snooping.

name

Adds a name to the blacklist or whitelist.

show asp table dynamic-filter

Shows the Botnet Traffic Filter rules that are installed in the accelerated security path.

show dynamic-filter data

Shows information about the dynamic database, including when the dynamic database was last downloaded, the version of the database, how many entries the database contains, and 10 sample entries.

show dynamic-filter dns-snoop

Shows the Botnet Traffic Filter DNS snooping summary, or with the detail keyword, the actual IP addresses and names.

show dynamic-filter reports

Generates reports of the top 10 botnet sites, ports, and infected hosts.

show dynamic-filter statistics

Shows how many connections were monitored with the Botnet Traffic Filter, and how many of those connections match the whitelist, blacklist, and greylist.

show running-config dynamic-filter

Shows the Botnet Traffic Filter running configuration.


show eigrp events

To display the EIGRP event log, use the show eigrp events command in privileged EXEC mode.

show eigrp [as-number] events [{start end} | type]

Syntax Description

as-number

(Optional) Specifies the autonomous system number of the EIGRP process for which you are viewing the event log. Because the adaptive security appliance only supports one EIGRP routing process, you do not need to specify the autonomous system number.

end

(Optional) Limits the output to the entries with starting with the start index number and ending with the end index number.

start

(Optional) A number specifying the log entry index number. Specifying a start number causes the output to start with the specified event and end with the event specified by the end argument. Valid values are from 1 to 4294967295.

type

(Optional) Displays the events that are being logged.


Defaults

If a start and end is not specified, all log entries are shown.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

The show eigrp events output displays up to 500 events. Once the maximum number of events has been reached, new events are added to the bottom of the output and old events are removed from the top of the output.

You can use the clear eigrp events command to clear the EIGRP event log.

The show eigrp events type command displays the logging status of EIGRP events. By default, neighbor changes, neighbor warning, and DUAL FSM messages are logged. You can disable neighbor change event logging using the no eigrp log-neighbor-changes command. You can disable neighbor warning event logging using the no eigrp log-neighbor-warnings command. You cannot disable the logging of DUAL FSM events.

Examples

The following is sample output from the show eigrp events command:

hostname# show eigrp events
 
   
Event information for AS 100:
1    12:11:23.500 Change queue emptied, entries: 4 
2    12:11:23.500 Metric set: 10.1.0.0/16 53760 
3    12:11:23.500 Update reason, delay: new if 4294967295 
4    12:11:23.500 Update sent, RD: 10.1.0.0/16 4294967295 
5    12:11:23.500 Update reason, delay: metric chg 4294967295 
6    12:11:23.500 Update sent, RD: 10.1.0.0/16 4294967295 
7    12:11:23.500 Route install: 10.1.0.0/16 10.130.60.248 
8    12:11:23.500 Find FS: 10.1.0.0/16 4294967295 
9    12:11:23.500 Rcv update met/succmet: 53760 28160 
10   12:11:23.500 Rcv update dest/nh: 10.1.0.0/16 10.130.60.248 
11   12:11:23.500 Metric set: 10.1.0.0/16 4294967295
 
   

The following is sample output from the show eigrp events command with a start and stop number defined:

hostname# show eigrp events 3 8
 
   
Event information for AS 100:
3    12:11:23.500 Update reason, delay: new if 4294967295 
4    12:11:23.500 Update sent, RD: 10.1.0.0/16 4294967295 
5    12:11:23.500 Update reason, delay: metric chg 4294967295 
6    12:11:23.500 Update sent, RD: 10.1.0.0/16 4294967295 
7    12:11:23.500 Route install: 10.1.0.0/16 10.130.60.248 
8    12:11:23.500 Find FS: 10.1.0.0/16 4294967295 
 
   

The following is sample output from the show eigrp events command when there are no entries in the EIGRP event log:

hostname# show eigrp events
 
   
Event information for AS 100:  Event log is empty.
 
   

The following is sample output from the show eigrp events type command:

hostname# show eigrp events type
 
   
EIGRP-IPv4 Event Logging for AS 100:
      Log Size          500
      Neighbor Changes  Enable
      Neighbor Warnings Enable
      Dual FSM          Enable
 
   

Related Commands

Command
Description

clear eigrp events

Clears the EIGRP event logging buffer.

eigrp log-neighbor-changes

Enables the logging of neighbor change events.

eigrp log-neighbor-warnings

Enables the logging of neighbor warning events.


show eigrp interfaces

To display the interfaces participating in EIGRP routing, use the show eigrp interfaces command in privileged EXEC mode.

show eigrp [as-number] interfaces [if-name] [detail]

Syntax Description

as-number

(Optional) Specifies the autonomous system number of the EIGRP process for which you are displaying active interfaces. Because the adaptive security appliance only supports one EIGRP routing process, you do not need to specify the autonomous system number.

detail

(Optional) Displays detail information.

if-name

(Optional) The name of an interface as specified by the nameif command. Specifying an interface name limits the display to the specified interface.


Defaults

If you do not specify an interface name, information for all EIGRP interfaces is displayed.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

Use the show eigrp interfaces command to determine on which interfaces EIGRP is active, and to learn information about EIGRP relating to those interfaces.

If an interface is specified, only that interface is displayed. Otherwise, all interfaces on which EIGRP is running are displayed.

If an autonomous system is specified, only the routing process for the specified autonomous system is displayed. Otherwise, all EIGRP processes are displayed.

Examples

The following is sample output from the show eigrp interfaces command:

hostname# show eigrp interfaces
 
   
EIGRP-IPv4 interfaces for process 100
 
   
                    Xmit Queue    Mean   Pacing Time   Multicast   Pending
Interface   Peers   Un/Reliable   SRTT   Un/Reliable   Flow Timer  Routes
mgmt          0         0/0          0      11/434          0          0
outside       1         0/0        337       0/10           0          0
inside        1         0/0         10       1/63         103          0
 
   

Table 25-2 describes the significant fields shown in the display.

Table 25-2 show eigrp interfaces Field Descriptions

Field
Description

process

Autonomous system number for the EIGRP routing process.

Peers

Number of directly-connected peers.

Xmit Queue Un/Reliable

Number of packets remaining in the Unreliable and Reliable transmit queues.

Mean SRTT

Mean smooth round-trip time interval (in seconds).

Pacing Time Un/Reliable

Pacing time (in seconds) used to determine when EIGRP packets should be sent out the interface (unreliable and reliable packets).

Multicast Flow Timer

Maximum number of seconds in which the adaptive security appliance will send multicast EIGRP packets.

Pending Routes

Number of routes in the packets in the transmit queue waiting to be sent.


Related Commands

Command
Description

network

Defines the networks and interfaces that participate in the EIGRP routing process.


show eigrp neighbors

To display the EIGRP neighbor table, use the show eigrp neighbors command in privileged EXEC mode.

show eigrp [as-number] neighbors [detail | static] [if-name]

Syntax Description

as-number

(Optional) Specifies the autonomous system number of the EIGRP process for which you are deleting neighbor entries. Because the adaptive security appliance only supports one EIGRP routing process, you do not need to specify the autonomous system number.

detail

(Optional) Displays detail neighbor information.

if-name

(Optional) The name of an interface as specified by the nameif command. Specifying an interface name displays all neighbor table entries that were learned through that interface.

static

(Optional) Displays EIGRP neighbors that are statically defined using the neighbor command.


Defaults

If you do not specify an interface name, the neighbors learned through all interfaces are displayed.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

You can use the clear eigrp neighbors command to clear the dynamically-learned neighbors from the EIGRP neighbor table.

Static neighbors are not included in the output unless you use the static keyword.

Examples

The following is sample output from the show eigrp neighbors command:

hostname# show eigrp neighbors
 
   
EIGRP-IPv4 Neighbors for process 100
Address                 Interface     Holdtime Uptime   Q      Seq  SRTT  RTO
                                      (secs)   (h:m:s)  Count  Num  (ms)  (ms)
172.16.81.28            Ethernet1     13       0:00:41  0      11   4     20
172.16.80.28            Ethernet0     14       0:02:01  0      10   12    24
172.16.80.31            Ethernet0     12       0:02:02  0      4    5     20 
 
   

Table 25-2 describes the significant fields shown in the display.

Table 25-3 show eigrp neighbors Field Descriptions

Field
Description

process

Autonomous system number for the EIGRP routing process.

Address

IP address of the EIGRP neighbor.

Interface

Interface on which the adaptive security appliance receives hello packets from the neighbor.

Holdtime

Length of time (in seconds) that the adaptive security appliance waits to hear from the neighbor before declaring it down. This hold time is received from the neighbor in the hello packet, and begins decreasing until another hello packet is received from the neighbor.

If the neighbor is using the default hold time, this number will be less than 15. If the peer configures a non-default hold time, the non-default hold time will be displayed.

If this value reaches 0, the adaptive security appliance considers the neighbor unreachable.

Uptime

Elapsed time (in hours:minutes: seconds) since the adaptive security appliance first heard from this neighbor.

Q Count

Number of EIGRP packets (update, query, and reply) that the adaptive security appliance is waiting to send.

Seq Num

Sequence number of the last update, query, or reply packet that was received from the neighbor.

SRTT

Smooth round-trip time. This is the number of milliseconds required for an EIGRP packet to be sent to this neighbor and for the adaptive security appliance to receive an acknowledgment of that packet.

RTO

Retransmission timeout (in milliseconds). This is the amount of time the adaptive security appliance waits before resending a packet from the retransmission queue to a neighbor.


The following is sample output from the show eigrp neighbors static command:

hostname# show eigrp neighbors static
 
   
EIGRP-IPv4 neighbors for process 100
Static Address                 Interface
192.168.1.5                    management
 
   

Table 25-4 describes the significant fields shown in the display.

Table 25-4 show ip eigrp neighbors static Field Descriptions

Field
Description

process

Autonomous system number for the EIGRP routing process.

Static Address

IP address of the EIGRP neighbor.

Interface

Interface on which the adaptive security appliance receives hello packets from the neighbor.


The following is sample output from the show eigrp neighbors detail command:

 
   
hostname# show eigrp neighbors detail
 
   
EIGRP-IPv4 neighbors for process 100
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q Seq Tye
                                            (sec)         (ms)       Cnt Num
3   1.1.1.3                 Et0/0             12 00:04:48 1832  5000  0  14
   Version 12.2/1.2, Retrans: 0, Retries: 0
   Restart time 00:01:05
0   10.4.9.5                Fa0/0             11 00:04:07  768  4608  0  4   S
   Version 12.2/1.2, Retrans: 0, Retries: 0
2   10.4.9.10               Fa0/0             13 1w0d        1  3000  0  6   S
   Version 12.2/1.2, Retrans: 1, Retries: 0
1   10.4.9.6                Fa0/0             12 1w0d        1  3000  0  4   S
   Version 12.2/1.2, Retrans: 1, Retries: 0
 
   

Table 25-5 describes the significant fields shown in the display.

Table 25-5 show ip eigrp neighbors details Field Descriptions

Field
Description

process

Autonomous system number for the EIGRP routing process.

H

This column lists the order in which a peering session was established with the specified neighbor. The order is specified with sequential numbering starting with 0.

Address

IP address of the EIGRP neighbor.

Interface

Interface on which the adaptive security appliance receives hello packets from the neighbor.

Holdtime

Length of time (in seconds) that the adaptive security appliance waits to hear from the neighbor before declaring it down. This hold time is received from the neighbor in the hello packet, and begins decreasing until another hello packet is received from the neighbor.

If the neighbor is using the default hold time, this number will be less than 15. If the peer configures a non-default hold time, the non-default hold time will be displayed.

If this value reaches 0, the adaptive security appliance considers the neighbor unreachable.

Uptime

Elapsed time (in hours:minutes: seconds) since the adaptive security appliance first heard from this neighbor.

SRTT

Smooth round-trip time. This is the number of milliseconds required for an EIGRP packet to be sent to this neighbor and for the adaptive security appliance to receive an acknowledgment of that packet.

RTO

Retransmission timeout (in milliseconds). This is the amount of time the adaptive security appliance waits before resending a packet from the retransmission queue to a neighbor.

Q Count

Number of EIGRP packets (update, query, and reply) that the adaptive security appliance is waiting to send.

Seq Num

Sequence number of the last update, query, or reply packet that was received from the neighbor.

Version

The software version that the specified peer is running.

Retrans

The number of times that a packet has been retransmitted.

Retries

The number of times an attempt was made to retransmit a packet.

Restart time

Elapsed time (in hours:minutes: seconds) since the specified neighbor has restarted.


Related Commands

Command
Description

clear eigrp neighbors

Clear the EIGRP neighbor table.

debug eigrp neighbors

Display EIGRP neighbor debug messages.

debug ip eigrp

Display EIGRP packet debug messages.


show eigrp topology

To display the EIGRP topology table, use the show eigrp topology command in privileged EXEC mode.

show eigrp [as-number] topology [ip-addr [mask] | active | all-links | pending | summary | zero-successors]

Syntax Description

active

(Optional) Displays only active entries in the EIGRP topology table.

all-links

(Optional) Displays all routes in the EIGRP topology table, even those that are not feasible successors.

as-number

(Optional) Specifies the autonomous system number of the EIGRP process. Because the adaptive security appliance only supports one EIGRP routing process, you do not need to specify the autonomous system number.

ip-addr

(Optional) The IP address from the topology table to display. When specified with a mask, a detailed description of the entry is provided.

mask

(Optional) The network mask to apply to the ip-addr argument.

pending

(Optional) Displays all entries in the EIGRP topology table that are waiting for an update from a neighbor or are waiting to reply to a neighbor.

summary

(Optional) Displays a summary of the EIGRP topology table.

zero-successors

(Optional) Displays available routes in the EIGRP topology table.


Defaults

Only routes that are feasible successors are displayed. Use the all-links keyword to display all routes, including those that are not feasible successors.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

You can use the clear eigrp topology command to remove the dynamic entries from the topology table.

Examples

The following is sample output from the show eigrp topology command:

hostname# show eigrp topology
 
   
EIGRP-IPv4 Topology Table for AS(100)/ID(192.168.1.1)
 
   
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - Reply status
 
   
P 10.16.90.0 255.255.255.0, 2 successors, FD is 0
          via 10.16.80.28 (46251776/46226176), Ethernet0
          via 10.16.81.28 (46251776/46226176), Ethernet1
P 10.16.81.0 255.255.255.0, 1 successors, FD is 307200
          via Connected, Ethernet1
          via 10.16.81.28 (307200/281600), Ethernet1
          via 10.16.80.28 (307200/281600), Ethernet0
 
   

Table 25-6 describes the significant fields shown in the displays.

Table 25-6 show eigrp topology Field Information

Field
Description

Codes

State of this topology table entry. Passive and Active refer to the EIGRP state with respect to this destination; Update, Query, and Reply refer to the type of packet that is being sent.

P - Passive

The route is known to be good and no EIGRP computations are being performed for this destination.

A - Active

EIGRP computations are being performed for this destination.

U - Update

Indicates that an update packet was sent to this destination.

Q - Query

Indicates that a query packet was sent to this destination.

R - Reply

Indicates that a reply packet was sent to this destination.

r - Reply status

Flag that is set after the software has sent a query and is waiting for a reply.

address mask

Destination IP address and mask.

successors

Number of successors. This number corresponds to the number of next hops in the IP routing table. If "successors" is capitalized, then the route or next hop is in a transition state.

FD

Feasible distance. The feasible distance is the best metric to reach the destination or the best metric that was known when the route went active. This value is used in the feasibility condition check. If the reported distance of the router (the metric after the slash) is less than the feasible distance, the feasibility condition is met and that path is a feasible successor. Once the software determines it has a feasible successor, it need not send a query for that destination.

via

IP address of the peer that told the software about this destination. The first n of these entries, where n is the number of successors, is the current successors. The remaining entries on the list are feasible successors.

(cost/adv_cost)

The first number is the EIGRP metric that represents the cost to the destination. The second number is the EIGRP metric that this peer advertised.

interface

The interface from which the information was learned.


The following is sample output from the show eigrp topology used with an IP address. The output shown is for an internal route.

hostname# show eigrp topology 10.2.1.0 255.255.255.0
 
   
EIGRP-IPv4 (AS 100): Topology Default-IP-Routing-Table(0) entry for entry for 10.2.1.0 
255.255.255.0
 
   
	State is Passive, Query origin flag is 1, 1 Successor(s), FD is 281600 
	Routing Descriptor Blocks:
		0.0.0.0 (Ethernet0/0), from Connected, Send flag is 0x0 
			Composite metric is (281600/0), Route is Internal 
			Vector metric: 
				Minimum bandwidth is 10000 Kbit
				Total delay is 1000 microseconds
				Reliability is 255/255
				Load is 1/255 
				Minimum MTU is 1500
				Hop count is 0
 
   

The following is sample output from the show eigrp topology used with an IP address. The output shown is for an external route.

hostname# show eigrp topology 10.4.80.0 255.255.255.0
 
   
 
   
EIGRP-IPv4 (AS 100): Topology Default-IP-Routing-Table(0) entry for entry for 10.4.80.0 
255.255.255.0
 
   
	State is Passive, Query origin flag is 1, 1 Successor(s), FD is 409600
	Routing Descriptor Blocks:
		10.2.1.1 (Ethernet0/0), from 10.2.1.1, Send flag is 0x0
			Composite metric is (409600/128256), Route is External 
			Vector metric:
				Minimum bandwidth is 10000 Kbit
				Total delay is 6000 microseconds
				Reliability is 255/255
				Load is 1/255
				Minimum MTU is 1500
				Hop count is 1
			External data:
				Originating router is 10.89.245.1 
				AS number of route is 0
				External protocol is Connected, external metric is 0
				Administrator tag is 0 (0x00000000)
 
   

Related Commands

Command
Description

clear eigrp topology

Clears the dynamically discovered entries from the EIGRP topology table.


show eigrp traffic

To display the number of EIGRP packets sent and received, use the show eigrp traffic command in privileged EXEC mode.

show eigrp [as-number] traffic

Syntax Description

as-number

(Optional) Specifies the autonomous system number of the EIGRP process for which you are viewing the event log. Because the adaptive security appliance only supports one EIGRP routing process, you do not need to specify the autonomous system number.


Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

You can use the clear eigrp traffic command to clear the EIGRP traffic statistics.

Examples

The following is sample output from the show eigrp traffic command:

hostname# show eigrp traffic
 
   
EIGRP-IPv4 Traffic Statistics for AS 100
  Hellos sent/received: 218/205
  Updates sent/received: 7/23
  Queries sent/received: 2/0
  Replies sent/received: 0/2
  Acks sent/received: 21/14 
  Input queue high water mark 0, 0 drops
  SIA-Queries sent/received: 0/0
  SIA-Replies sent/received: 0/0
  Hello Process ID: 1719439416
  PDM Process ID: 1719439824
 
   

Table 25-4 describes the significant fields shown in the display.

Table 25-7 show eigrp traffic Field Descriptions

Field
Description

process

Autonomous system number for the EIGRP routing process.

Hellos sent/received

Number of hello packets sent and received.

Updates sent/received

Number of update packets sent and received.

Queries sent/received

Number of query packets sent and received.

Replies sent/received

Number of reply packets sent and received.

Acks sent/received

Number of acknowledgment packets sent and received.

Input queue high water mark/drops

Number of received packets that are approaching the maximum receive threshold and number of dropped packets.

SIA-Queries sent/received

Stuck in active queries sent and received.

SIA-Replies sent/received

Stuck in active replies sent and received.


Related Commands

Command
Description

debug eigrp packets

Displays debug information for EIGRP packets sent and received.

debug eigrp transmit

Displays debug information for EIGRP messages sent.


show environment

To display system environment information for system components, use the show environment command in privileged EXEC mode.

show environment [driver | fans | power-supply | temperature [chassis | cpu | voltage | io-hub]]

Syntax Description

chassis

(Optional) Limits the temperature display to the chassis.

cpu

(Optional) Limits the temperature display to the processors. The ASA 5580-40 displays information for four processors. The ASA 5580-20 displays information for two processors. The ASA 5585-SSP-10 and ASA 5585-SSP-20 display information for one processor. The ASA 5585-SSP-40 and ASA 5585-SSP-60 display information for two processors.

driver

(Optional) Display the IPMI driver status, which can be one of the following:

RUNNING—The driver is operational.

STOPPED—An error has caused the driver to stop.

The ASA 5585-X adaptive security appliances use standard drivers instead of IPMI drivers. A standard driver outputs a specific error type and error count.

fans

(Optional) Displays the operational status of the cooling fans. The status can be one of the following:

OK—The fan is operating normally.

Failed—The fan has failed and should be replaced.

io-hub

(Optional) Displays the input-output hub temperature status for the ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X only.

power-supply

(Optional) Displays the operational status of the power supplies. The status for each power supply can be one of the following:

OK—The power supply is operating normally.

Failed—The power supply has failed and should be replaced.

Not Present—The specified power supply is not installed.

The power supply redundancy status also displays, and can be one of the following:

OK—The unit is operating normally with full resources.

Lost—The unit has lost redundancy but is operating normally with minimum resources. Any additional failures will result in a system shutdown.

N/A—The unit is not configured for power supply redundancy.

The ASA 5585-X adaptive security appliance shows OK for power supply redundancy and N/A when redundancy is not available. Lost is not used.

temperature

(Optional) Displays the temperature and status of the processors and chassis. The temperature is given in celsius. The status can be one of the following:

OK—The temperature is within normal operating range.

Critical—The temperature is outside of normal operating range.

In addition to OK and Critical, Warm is also displayed to indicate a higher than normal temperature, but still within the operating range. Critical indicates an imminent thermal issue.

For the ASA 5585-X adaptive security appliances, the power supply also displays the temperature and cooling fan RPMs.

voltage

(Optional) Displays the values for CPU voltage channels 1-24. Excludes the operational status.


Defaults

All operational information, except drivers, is displayed if no keywords are specified.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.1(1)

This command was introduced.

8.2(3)

The command output has been updated to add the ASA 5585-X adaptive security appliances.


Usage Guidelines

You can display operating environment information for the ASA 5580 and ASA 5585-X adaptive security appliances. This information includes the operational status of the fans and power supplies, and temperature and status of the CPUs and chassis. The ASA 5580-40 displays information for four CPUs; the ASA 5580-20 displays information for two CPUs. The ASA 5585-SSP-10 and ASA 5585-SSP-20 display information for one CPU. The ASA 5585-SSP-40 and ASA 5585-SSP-60 display information for two CPUs.

The ASA 5580 and the ASA 5585-X adaptive security appliances have different hardware sensors to monitor the environment. As a result, the information displayed for them will be different.

The ASA 5585-X adaptive security appliance output includes the following:

The description of a failed component.

Failure status of a power supply or a fan can be one of the following:

Not properly seated

Fan not OK

Over temperature

PS0 not present

PS0 failed

PS0 Fan failed

PS1 not present

PS1 failed

PS1 Fan failed

The power supply redundancy sensor status. The value appears as OK when the power supply redundancy is present, and as N/A when the power supply redundancy is not present.

The insertion status for power supplies and fan modules,

The voltage sensor status.

The description and location for the ambient temperature sensor.

The cooling fan RPMs and temperature for the power supply sensor. If an error occurs, an error message appears.


Note When facing the back of the ASA 5585-X (that is, when you are facing the power supply and fan slots), the power supply slot 0 is on the left, and the power supply slot 1 is on the right.


Examples

The following is sample output of the show environment command for the ASA 5585-X SSP-20, which includes two power supplies:

hostname# show environment 
Cooling Fans:
-----------------------------------
   Power Supplies:
   --------------------------------
   Left Slot (PS0): 6900 RPM - OK  (Power Supply Fan)
   Right Slot (PS1): 7000 RPM - OK  (Power Supply Fan) Power Supplies:
-----------------------------------
   Power Supply Unit Redundancy: OK
   Temperature:
   --------------------------------
   Left Slot (PS0): 26 C - OK  (Power Supply Temperature)
   Right Slot (PS1): 27 C - OK  (Power Supply Temperature)
   Cooling Fans:
   --------------------------------
   Left Slot (PS0): 6900 RPM - OK  (Power Supply Fan)
   Right Slot (PS1): 7000 RPM - OK  (Power Supply Fan)
Temperature:
-----------------------------------
   Processors:
   --------------------------------
   Processor 1: 44.0 C - OK  (CPU1 Core Temperature)
   Processor 2: 45.0 C - OK  (CPU2 Core Temperature)
   Chassis:
   --------------------------------
   Ambient 1: 28.0 C - OK  (Chassis Front Temperature)
   Ambient 2: 40.5 C - OK  (Chassis Back Temperature)
   Ambient 3: 28.0 C - OK  (CPU1 Front Temperature)
   Ambient 4: 36.50 C - OK  (CPU1 Back Temperature)
   Ambient 5: 34.50 C - OK  (CPU2 Front Temperature)
   Ambient 6: 43.25 C - OK  (CPU2 Back Temperature)
   Power Supplies:
   --------------------------------
   Left Slot (PS0): 26 C - OK  (Power Supply Temperature)
   Right Slot (PS1): 27 C - OK  (Power Supply Temperature)
 
   
---------------------Voltage Omitted--------------------------
 
   

The following is sample output of the show environment command for the ASA 5585-X SSP-60:

hostname# show environment
 
   
Cooling Fans:
-----------------------------------
 
   
   Power Supplies:
   --------------------------------
   Right Slot (PS0): 5900 RPM - OK  (Power Supply Fan)
   Left Slot (PS1): 5900 RPM - OK  (Fan Module Fan)
 
   
Power Supplies:
-----------------------------------
   Power Supply Unit Redundancy: N/A
 
   
   Power Supplies:
   --------------------------------
   Right Slot (PS0): 64 C - OK  (Power Supply Temperature)
   Left Slot (PS1): 63 C - OK  (Fan Module Temperature)
 
   
   Power Supplies:
   --------------------------------
   Right Slot (PS0): 5900 RPM - OK  (Power Supply Fan)
   Left Slot (PS1): 5900 RPM - OK  (Fan Module Fan)
 
   
Temperature:
-----------------------------------
 
   
   Processors:
   --------------------------------
   Processor 1: 47.0 C - OK  (CPU1 Core Temperature)
   Processor 2: 50.0 C - OK  (CPU2 Core Temperature)
 
   
   Chassis:
   --------------------------------
   Ambient 1: 28.0 C - OK  (Chassis Front Temperature)
   Ambient 2: 35.0 C - OK  (Chassis Back Temperature)
   Ambient 3: 34.25 C - OK  (CPU1 Back Temperature)
   Ambient 4: 28.0 C - OK  (CPU1 Front Temperature)
   Ambient 5: 44.0 C - OK  (CPU2 Back Temperature)
   Ambient 6: 36.0 C - OK  (CPU2 Front Temperature)
 
   
   Power Supplies:
   --------------------------------
   Right Slot (PS0): 64 C - OK  (Power Supply Temperature)
   Left Slot (PS1): 63 C - OK  (Fan Module Temperature)
 
   
Voltage:
-----------------------------------
   Channel 1:  3.317 V -  (3.3V (U142 VX1))
   Channel 2:  1.494 V -  (1.5V (U142 VX2))
   Channel 3:  1.045 V -  (1.05V (U142 VX3))
   Channel 4:  3.335 V -  (3.3V_STDBY (U142 VP1))
   Channel 5: 11.959 V -  (12V (U142 VP2))
   Channel 6:  4.971 V -  (5.0V (U142 VP3))
   Channel 7:  6.835 V -  (7.0V (U142 VP4))
   Channel 8:  9.742 V -  (IBV (U142 VH))
   Channel 9:  1.044 V -  (1.05VB (U209 VX2))
   Channel 10:  1.207 V -  (1.2V (U209 VX3))
   Channel 11:  1.107 V -  (1.1V (U209 VX4))
   Channel 12:  1.003 V -  (1.0V (U209 VX5))
   Channel 13:  3.335 V -  (3.3V STDBY (U209 VP1))
   Channel 14:  2.502 V -  (2.5V (U209 VP2))
   Channel 15:  1.800 V -  (1.8V (U209 VP3))
   Channel 16:  1.905 V -  (1.9V (U209 VP4))
   Channel 17:  9.752 V -  (IBV (U209 VH))
   Channel 18:  2.048 V -  (VTT CPU0 (U83 VX2))
   Channel 19:  2.048 V -  (VTT CPU1 (U83 VX3))
   Channel 20:  2.048 V -  (VCC CPU0 (U83 VX4))
   Channel 21:  2.048 V -  (VCC CPU1 (U83 VX5))
   Channel 22:  1.513 V -  (1.5VA (U83 VP1))
   Channel 23:  1.512 V -  (1.5VB (U83 VP2))
   Channel 24:  8.937 V -  (IBV (U83 VH))
 
   

The following is sample output from the show environment command if the adaptive security appliance was shut down because of a CPU thermal event:

hostname# show environment
 
   
WARNING: The system was last shut down due to a CPU running above the safe thermal 
operating temperature. It is important that the device and CPU be inspected for proper 
ventilation to prevent permanent damage.
 
   
Cooling Fans:
-----------------------------------
   Power Supplies:
 
   
   --------------------------------
   Power Supply 1 Fan: 7000 RPM - OK
   Power Supply 2 Fan: 6900 RPM - OK
 
   
Power Supplies:
-----------------------------------
....
 
   

The following is sample output from the show environment driver command when no errors occur:

hostname# show environment driver
 
   
Driver Information:
--------------------
Status: RUNNING
 
   
Driver Error Statistics:
-------------------------
Timeout I/O Errors      : 0
Try Again I/O Errors    : 0
Invalid Addr I/O Errors : 0
Message Size I/O Errors : 0
Memory I/O Errors       : 0
Unknown I/O Errors      : 0
Receive Msg ID Errors   : 0
Receive Type Errors     : 0
Sensor Update Failures  : 0
 
   
Last 5 Errors:
---------------
 
   

The following is sample output from the show environment driver command when a driver error occurs:

hostname# show environment driver
 
   
Driver Information:
--------------------
Status: STOPPED
 
   
Driver Error Statistics:
-------------------------
Timeout I/O Errors      : 0
Try Again I/O Errors    : 0
Invalid Addr I/O Errors : 0
Message Size I/O Errors : 0
Memory I/O Errors       : 0
Unknown I/O Errors      : 0
PECI Errors             : 0
Receive Msg ID Errors   : 0
Receive Type Errors     : 0
Sensor Update Failures  : 1
 
   
Last 5 Errors:
---------------
1.)	IPMI driver stopped responding
	Time: 03:27:21 UTC Apr 16 2007
 
   

The following is sample output from the show environment command that displays multiple failures of a power supply and a fan:

hostname# show environment
 
   
Cooling Fans:
-----------------------------------
 
   
   Power Supplies:
   --------------------------------
   Power Supply 1 Fan: 0 RPM - CRITICAL
   Power Supply 2 Fan: 6900 RPM - OK
   Power Supply 1 Error: CRITICAL
                         -> Fan not OK 				<<<<<<
                         -> PS1 failed     <<<<<<
 
   
Power Supplies:
-----------------------------------
 
   
   Power Supplies:
   --------------------------------
   Power Supply 1 Temperature: 65 C - OK
   Power Supply 2 Temperature: 69 C - OK
 
   
   Power Supplies:
   --------------------------------
   Power Supply 1 Fan: 0 RPM - CRITICAL
   Power Supply 2 Fan: 6900 RPM - OK
   Power Supply 1 Error: CRITICAL
                         -> Fan not OK
                         -> PS1 failed
 
   
Temperature: 
-----------------------------------
 
   
   Processors:
   --------------------------------
   CPU1 Core Temp: 66.0 C - OK
   CPU2 Core Temp: 69.0 C - OK
 
   
   Chassis: 
   --------------------------------
   Chassis Temperature 1: 33.5 C - OK
   Chassis Temperature 2: 46.5 C - OK
   CPU1 External Temperature 1: 52.25 C - OK
   CPU1 External Temperature 2: 35.75 C - OK
   CPU2 External Temperature 1: 55.75 C - OK
   CPU2 External Temperature 2: 50.25 C - OK
 
   
   Power Supplies:
....................
 
   

The following is sample output from the show environment command that displays a single failure of a power supply:

hostname# show environment
 
   
Cooling Fans:
-----------------------------------
 
   
   Power Supplies:
   --------------------------------
   Power Supply 1 Fan: 0 RPM - CRITICAL
   Power Supply 2 Fan: 6900 RPM - OK
   Power Supply 1 Error: CRITICAL
                         -> PS1 failed   <<<<<<
 
   
Power Supplies:
-----------------------------------
 
   
   Power Supplies:
   --------------------------------
   Power Supply 1 Temperature: 65 C - OK
   Power Supply 2 Temperature: 69 C - OK
 
   
   Power Supplies:
   --------------------------------
   Power Supply 1 Fan: 0 RPM - CRITICAL
   Power Supply 2 Fan: 6900 RPM - OK
   Power Supply 1 Error: CRITICAL
                         -> PS1 failed
.........
 
   

The following is sample output from the show environment temperature io-hub command for an ASA 5512-X, 5525-X, 5545-X, and 5555-X:

hostname(config)# show environment temperature io-hub
 
   
Temperature:
-----------------------------------
 
   
   IO Hub:
   --------------------------------
   Circuit Die: 43.0 C - OK  (Circuit Die Temperature)
 
   

Related Commands

Command
Description

show version

Displays the hardware and software versions.


show failover

To display information about the failover status of the unit, use the show failover command in privileged EXEC mode.

show failover [group num | history | interface | state | statistics]

Syntax Description

group

Displays the running state of the specified failover group.

history

Displays failover history. The failover history displays past failover state changes and the reason for the state change. History information is cleared with the device is rebooted.

interface

Displays failover and stateful link information.

num

Failover group number.

state

Displays the failover state of both failover units. The information displayed includes the primary or secondary status of the unit, the Active/Standby status of the unit, and the last reported reason for failover. The fail reason remains in the output even when the reason for failure is cleared.

statistics

Displays transmit and receive packet count of failover command interface.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was modified. The output includes additional information.

8.2(2)

This command was modified. The output includes IPv6 addresses for firewall and failover interfaces. The Stateful Failover statitistics outpt includes information for the IPv6 neighbor discover table (IPv6 ND tbl) updates.


Usage Guidelines

The show failover command displays the dynamic failover information, interface status, and Stateful Failover statistics.

If both IPv4 and IPv6 addresses are configured on an interface, both addresses appear in the output. Because an interface can have more than one IPv6 address configured on it, only the link-local address is displayed. If there is no IPv4 address configured on the interface, the IPv4 address in the output appears as 0.0.0.0. If there is no IPv6 address configured on an interface, the address is simply omitted from the output.

The Stateful Failover Logical Update Statistics output appears only when Stateful Failover is enabled. The "xerr" and "rerr" values do not indicate errors in failover, but rather the number of packet transmit or receive errors.


Note Stateful Failover, and therefore Stateful Failover statistics output, is not available on the ASA 5505 adaptive adaptive security appliance.


In the show failover command output, the stateful failover fields have the following values:

Stateful Obj has these values:

xmit—Indicates the number of packets transmitted.

xerr—Indicates the number of transmit errors.

rcv—Indicates the number of packets received.

rerr—Indicates the number of receive errors.

Each row is for a particular object static count as follows:

General—Indicates the sum of all stateful objects.

sys cmd—Refers to the logical update system commands, such as login or stay alive.

up time—Indicates the value for the adaptive security appliance up time, which the active adaptive security appliance passes on to the standby adaptive security appliance.

RPC services—Remote Procedure Call connection information.

TCP conn—Dynamic TCP connection information.

UDP conn—Dynamic UDP connection information.

ARP tbl—Dynamic ARP table information.

Xlate_Timeout—Indicates connection translation timeout information.

IPv6 ND tbl—The IPv6 neighbor discovery table information.

VPN IKE upd—IKE connection information.

VPN IPSEC upd—IPSec connection information.

VPN CTCP upd—cTCP tunnel connection information.

VPN SDI upd—SDI AAA connection information.

VPN DHCP upd—Tunneled DHCP connection information.

SIP Session—SIP signalling session information.

If you do not enter a failover IP address, the show failover command displays 0.0.0.0 for the IP address, and monitoring of the interfaces remain in a "waiting" state. You must set a failover IP address for failover to work.

Table 25-8 describes the interface states for failover.

Table 25-8 Failover Interface States 

State
Description

Normal

The interface is up and receiving hello packets from the corresponding interface on the peer unit.

Normal (Waiting)

The interface is up but has not yet received a hello packet from the corresponding interface on the peer unit. Verify that a standby IP address has been configured for the interface and that there is connectivity between the two interfaces.

Normal (Not-Monitored)

The interface is up but is not monitored by the failover process. The failure of an interface that is not monitored does not trigger failover.

No Link

The physical link is down.

No Link (Waiting)

The physical link is down and the interface has not yet received a hello packet from the corresponding interface on the peer unit. After restoring the link, verify that a standby IP address has been configured for the interface and that there is connectivity between the two interfaces.

No Link (Not-Monitored)

The physical link is down but is not monitored by the failover process. The failure of an interface that is not monitored does not trigger failover.

Link Down

The physical link is up, but the interface is administratively down.

Link Down (Waiting)

The physical link is up, but the interface is administratively down and the interface has not yet received a hello packet from the corresponding interface on the peer unit. After bringing the interface up (using the no shutdown command in interface configuration mode), verify that a standby IP address has been configured for the interface and that there is connectivity between the two interfaces.

Link Down (Not-Monitored)

The physical link is up, but the interface is administratively down but is not monitored by the failover process. The failure of an interface that is not monitored does not trigger failover.

Testing

The interface is in testing mode due to missed hello packets from the corresponding interface on the peer unit.

Failed

Interface testing has failed and the interface is marked as failed. If the interface failure causes the failover criteria to be met, then the interface failure causes a failover to the secondary unit or failover group.


In multiple configuration mode, only the show failover command is available in a security context; you cannot enter the optional keywords.

Examples

The following is sample output from the show failover command for Active/Standby Failover. The adaptive security appliances are ASA 5500 series adaptive adaptive security appliances, each equipped with a CSC SSM as shown in the details for slot 1 of each adaptive security appliance. The security appliances use IPv6 addresses on the failover link (folink) and the inside interface.

hostname# show failover
 
   
Failover On
Cable status: N/A - LAN-based failover enabled 
Failover unit Primary 
Failover LAN Interface: folink Ethernet2 (up) 
Unit Poll frequency 1 seconds, holdtime 3 seconds 
Interface Poll frequency 15 seconds 
Interface Policy 1 
Monitored Interfaces 2 of 250 maximum 
failover replication http 
Last Failover at: 22:44:03 UTC Dec 8 2004
        This host: Primary - Active 
                Active time: 13434 (sec)
                slot 0: ASA5520 hw/sw rev (1.0/7.1(0)10) status (Up Sys)
                  Interface inside (10.130.9.3/FE80::20d:29ff:fe1d:69f0): Normal 
                  Interface outside (10.132.9.3): Normal 
                  Interface folink (0.0.0.0/fe80::2a0:c9ff:fe03:101): Normal
                slot 1: ASA-SSM-20 hw/sw rev (1.0/CSC-SSM 5.0 (Build#1176)) status (Up/Up)
                  Logging port IP: 10.0.0.3/24
                  CSC-SSM, 5.0 (Build#1176)
        Other host: Secondary - Standby Ready 
                Active time: 0 (sec)
                slot 0: ASA5520 hw/sw rev (1.0/7.1(0)10) status (Up Sys)
                  Interface inside (10.130.9.4/FE80::20d:29ff:fe2b:7ba6): Normal 
                  Interface outside (10.132.9.4): Normal 
                  Interface folink (0.0.0.0/fe80::2e0:b6ff:fe07:3096): Normal
                slot 1: ASA-SSM-20 hw/sw rev (1.0/CSC-SSM 5.0 (Build#1176)) status (Up/Up)
                  Logging port IP: 10.0.0.4/24
                  CSC-SSM, 5.0 (Build#1176)
 
   
Stateful Failover Logical Update Statistics
        Link : fover Ethernet2 (up)
        Stateful Obj    xmit       xerr       rcv        rerr      
        General         0          0          0          0         
        sys cmd         1733       0          1733       0         
        up time         0          0          0          0         
        RPC services    0          0          0          0         
        TCP conn        6          0          0          0         
        UDP conn        0          0          0          0         
        ARP tbl         106        0          0          0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     22         0          0          0
        VPN IKE upd     15         0          0          0
        VPN IPSEC upd   90         0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
		SIP Session				0          0          0          0
 
   
        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       2       1733
        Xmit Q:         0       2       15225
 
   

The following is sample output from the show failover command for Active/Active Failover. In this example, only the admin context has IPv6 addresses assigned to the interfaces.

hostname# show failover
 
   
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/2 (up) 
Unit Poll frequency 1 seconds, holdtime 15 seconds 
Interface Poll frequency 4 seconds 
Interface Policy 1 
Monitored Interfaces 8 of 250 maximum 
failover replication http 
Group 1 last failover at: 13:40:18 UTC Dec 9 2004 
Group 2 last failover at: 13:40:06 UTC Dec 9 2004
 
   
  This host:    Primary
  Group 1       State:          Active
                Active time:    2896 (sec)
  Group 2       State:          Standby Ready
                Active time:    0 (sec)
 
   
                slot 0: ASA-5530 hw/sw rev (1.0/7.0(0)79) status (Up Sys)
                slot 1: SSM-IDS-20 hw/sw rev (1.0/5.0(0.11)S91(0.11)) status (Up)
                admin Interface outside (10.132.8.5): Normal 
                admin Interface folink (10.132.9.5/fe80::2a0:c9ff:fe03:101): Normal 
                admin Interface inside (10.130.8.5/fe80::2a0:c9ff:fe01:101): Normal 
                admin Interface fourth (10.130.9.5/fe80::3eff:fe11:6670): Normal 
                ctx1 Interface outside (10.1.1.1): Normal 
                ctx1 Interface inside (10.2.2.1): Normal 
                ctx2 Interface outside (10.3.3.2): Normal 
                ctx2 Interface inside (10.4.4.2): Normal 
 
   
  Other host:   Secondary
  Group 1       State:          Standby Ready
                Active time:    190 (sec)
  Group 2       State:          Active
                Active time:    3322 (sec)
 
   
                slot 0: ASA-5530 hw/sw rev (1.0/7.0(0)79) status (Up Sys)
                slot 1: SSM-IDS-20 hw/sw rev (1.0/5.0(0.1)S91(0.1)) status (Up)
                admin Interface outside (10.132.8.6): Normal 
                admin Interface folink (10.132.9.6/fe80::2a0:c9ff:fe03:102): Normal 
                admin Interface inside (10.130.8.6/fe80::2a0:c9ff:fe01:102): Normal 
                admin Interface fourth (10.130.9.6/fe80::3eff:fe11:6671): Normal 
                ctx1 Interface outside (10.1.1.2): Normal 
                ctx1 Interface inside (10.2.2.2): Normal 
                ctx2 Interface outside (10.3.3.1): Normal 
                ctx2 Interface inside (10.4.4.1): Normal 
 
   
Stateful Failover Logical Update Statistics
        Link : third GigabitEthernet0/2 (up)
        Stateful Obj    xmit       xerr       rcv        rerr      
        General         0          0          0          0         
        sys cmd         380        0          380        0         
        up time         0          0          0          0         
        RPC services    0          0          0          0         
        TCP conn        1435       0          1450       0         
        UDP conn        0          0          0          0         
        ARP tbl         124        0          65         0 
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     22         0          0          0
        VPN IKE upd     15         0          0          0
        VPN IPSEC upd   90         0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
		SIP Session				0          0          0          0
 
   
        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       1895
        Xmit Q:         0       0       1940
 
   

The following is sample output from the show failover command on the ASA 5505 series adaptive adaptive security appliance:

Failover On 
Failover unit Primary
Failover LAN Interface: fover Vlan150 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 7.2(0)55, Mate 7.2(0)55
Last Failover at: 19:59:58 PST Apr 6 2006
 
   
        This host: Primary - Active 
                Active time: 34 (sec)
                slot 0: ASA5505 hw/sw rev (1.0/7.2(0)55) status (Up Sys)
                  Interface inside (192.168.1.1): Normal
                  Interface outside (192.168.2.201): Normal 
                  Interface dmz (172.16.0.1): Normal
                  Interface test (172.23.62.138): Normal
                slot 1: empty
 
   
        Other host: Secondary - Standby Ready 
                Active time: 0 (sec)
                slot 0: ASA5505 hw/sw rev (1.0/7.2(0)55) status (Up Sys)
                  Interface inside (192.168.1.2): Normal
                  Interface outside (192.168.2.211): Normal 
                  Interface dmz (172.16.0.2): Normal
                  Interface test (172.23.62.137): Normal
                slot 1: empty
 
   

The following is sample output from the show failover state command for an active-active setup:

 
   
hostname(config)# show failover state
 
   
               State          Last Failure Reason      Date/Time
This host  -   Secondary
    Group 1    Failed         Backplane Failure        03:42:29 UTC Apr 17 2009
    Group 2    Failed         Backplane Failure        03:42:29 UTC Apr 17 2009
Other host -   Primary
    Group 1    Active         Comm Failure             03:41:12 UTC Apr 17 2009
    Group 2    Active         Comm Failure             03:41:12 UTC Apr 17 2009
 
   
====Configuration State===
        Sync Done
====Communication State===
        Mac set
 
   

The following is sample output from the show failover state command for an active-standby setup:

 
   
hostname(config)# show failover state
 
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Negotiation    Backplane Failure        15:44:56 UTC Jun 20 2009
Other host -   Secondary
               Not Detected   Comm Failure             15:36:30 UTC Jun 20 2009
 
====Configuration State===
        Sync Done
====Communication State===
        Mac set
 
   

Table 25-9 describes the output of the show failover state command.

Table 25-9 show failover state Output Description 

Field
Description

Configuration State

Displays the state of configuration synchronization.

The following are possible configuration states for the standby unit:

Config Syncing - STANDBY—Set while the synchronized configuration is being executed.

Interface Config Syncing - STANDBY

Sync Done - STANDBY—Set when the standby unit has completed a configuration synchronization from the active unit.

The following are possible configuration states for the active unit:

Config Syncing—Set on the active unit when it is performing a configuration synchronization to the standby unit.

Interface Config Syncing

Sync Done—Set when the active unit has completed a successful configuration synchronization to the standby unit.

Ready for Config Sync—Set on the active unit when the standby unit signals that it is ready to receive a configuration synchronization.

Communication State

Displays the status of the MAC address synchronization.

Mac set—The MAC addresses have been synchronized from the peer unit to this unit.

Updated Mac—Used when a MAC address is updated and needs to be synchronized to the other unit. Also used during the transition period where the unit is updating the local MAC addresses synchronized from the peer unit.

Date/Time

Displays a date and timestamp for the failure.

Last Failure Reason

Displays the reason for the last reported failure. This information is not cleared, even if the failure condition is cleared. This information changes only when a failover occurs.

The following are possible fail reasons:

Ifc Failure—The number of interfaces that failed met the failover criteria and caused failover.

Comm Failure—The failover link failed or peer is down.

Backplane Failure

State

Displays the Primary/Secondary and Active/Standby status for the unit.

This host/Other host

This host indicates information for the device upon which the command was executed. Other host indicates information for the other device in the failover pair.


The following is sample output from the show failover history command:

hostname(config)# show failover history
==========================================================================
Group     From State                 To State                   Reason
==========================================================================
. . . 
03:42:29 UTC Apr 17 2009
    0     Sync Config                Failed
Backplane failed
 
   
03:42:29 UTC Apr 17 2009
    1     Standby Ready              Failed
Backplane failed
 
   
03:42:29 UTC Apr 17 2009
    2     Standby Ready              Failed
Backplane failed
 
   
03:44:39 UTC Apr 17 2009
    0     Failed                     Negotiation
Backplane operational
 
   
03:44:40 UTC Apr 17 2009
    1     Failed                     Negotiation
Backplane operational
 
   
03:44:40 UTC Apr 17 2009
    2     Failed                     Negotiation
Backplane operational
 
   
==========================================================================
 
   

Each entry provides the time and date the state change occurred, the beginning state, the resulting state, and the reason for the state change. The newest entries are located at the bottom of the display. Older entries appear at the top. A maximum of 60 entries can be displayed. Once the maximum number of entries has been reached, the oldest entries are removed from the top of the output as new entries are added to the bottom.

Table 25-10 shows the failover states. There are two types of states—stable and transient. Stable states are states that the unit can remain in until some occurrence, such as a failure, causes a state change. A transient state is a state that the unit passes through while reaching a stable state.

Table 25-10 Failover States

States
Description

Disabled

Failover is disabled. This is a stable state.

Failed

The unit is in the failed state. This is a stable state.

Negotiation

The unit establishes the connection with peer and negotiates with peer to determine software version compatibility and Active/Standby role. Depending upon the role that is negotiated, the unit will go through the Standby Unit States or the Active Unit States or enter the failed state. This is a transient state.

Not Detected

 
Standby Unit States

Cold Standby

The unit waits for the peer to reach the Active state. When the peer unit reaches the Active state, this unit progresses to the Standby Config state. This is a transient state.

Sync Config

The unit requests the running configuration from the peer unit. If an error occurs during the configuration synchronization, the unit returns to the Initialization state. This is a transient state.

Sync File System

The unit synchronizes the file system with the peer unit. This is a transient state.

Bulk Sync

The unit receives state information from the peer. This state only occurs when Stateful Failover is enabled. This is a transient state.

Standby Ready

The unit is ready to take over if the active unit fails. This is a stable state.

Active Unit States

Just Active

The first state the unit enters when becoming the active unit. During this state a message is sent to the peer alerting the peer that the unit is becoming active and the IP and MAC addresses are set for the interfaces. This is a transient state.

Active Drain

Queues messages from the peer are discarded. This is a transient state.

Active Applying Config

The unit is applying the system configuration. This is a transient state.

Active Config Applied

The unit has finished applying the system configuration. This is a transient state.

Active

The unit is active and processing traffic. This is a stable state.


Each state change is followed by a reason for the state change. The reason typically remains the same as the unit progresses through the transient states to the stable state. The following are the possible state change reasons:

No Error

Set by the CI config cmd

Failover state check

Failover interface become OK

HELLO not heard from mate

Other unit has different software version

Other unit operating mode is different

Other unit license is different

Other unit chassis configuration is different

Other unit card configuration is different

Other unit want me Active

Other unit want me Standby

Other unit reports that I am failed

Other unit reports that it is failed

Configuration mismatch

Detected an Active mate

No Active unit found

Configuration synchronization done

Recovered from communication failure

Other unit has different set of vlans configured

Unable to verify vlan configuration

Incomplete configuration synchronization

Configuration synchronization failed

Interface check

My communication failed

ACK not received for failover message

Other unit got stuck in learn state after sync

No power detected from peer

No failover cable

HA state progression failed

Detect service card failure

Service card in other unit has failed

My service card is as good as peer

LAN Interface become un-configured

Peer unit just reloaded

Switch from Serial Cable to LAN-Based fover

Unable to verify state of config sync

Auto-update request

Unknown reason

The following is sample output from the show failover interface command. The device has an IPv6 address configured on the failover interface.

hostname(config)# sh fail int
        interface folink GigabitEthernet0/2
                System IP Address: 2001:a0a:b00::a0a:b70/64
                My IP Address    : 2001:a0a:b00::a0a:b70
                Other IP Address : 2001:a0a:b00::a0a:b71
 
   

Related Commands

Command
Description

show running-config failover

Displays the failover commands in the current configuration.


show failover exec

To display the failover exec command mode for the specified unit, use the show failover exec command in privileged EXEC mode.

show failover exec {active | standby | mate}

Syntax Description

active

Displays the failover exec command mode for the active unit.

mate

Displays the failover exec command mode for the peer unit.

standby

Displays the failover exec command mode for the standby unit.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

The failover exec command creates a session with the specified device. By default, that session is in global configuration mode. You can change the command mode of that session by sending the appropriate command (such as the interface command) using the failover exec command. Changing failover exec command modes for the specified device does not change the command mode for the session you are using to access the device. Changing commands modes for your current session to the device does not affect the command mode used by the failover exec command.

The show failover exec command displays the command mode on the specified device in which commands sent with the failover exec command are executed.

Examples

The following is sample output from the show failover exec command. This example demonstrates that the command mode for the unit where the failover exec commands are being entered does not have to be the same as the failover exec command mode where the commands are being executed.

In this example, an administrator logged into the standby unit adds a name to an interface on the active unit. The second time the show failover exec mate command is entered in this example shows the peer device in interface configuration mode. Commands sent to the device with the failover exec command are executed in that mode.

hostname(config)# show failover exec mate
 
   
Active unit Failover EXEC is at config mode
 
   
! The following command changes the standby unit failover exec mode 
! to interface configuration mode.
hostname(config)# failover exec mate interface GigabitEthernet0/1
hostname(config)# show failover exec mate
 
   
Active unit Failover EXEC is at interface sub-command mode
 
   
! Because the following command is sent to the active unit, it is replicated 
! back to the standby unit.
hostname(config)# failover exec mate nameif test
 
   

Related Commands

Command
Description

failover exec

Executes the supplied command on the designated unit in a failover pair.


show file

To display information about the file system, use the show file command in privileged EXEC mode.

show file descriptors | system | information filename

Syntax Description

descriptors

Displays all open file descriptors.

filename

Specifies the filename.

information

Displays information about a specific file, including partner application package files.

system

Displays the size, bytes available, type of media, flags, and prefix information about the disk file system.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command.

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was introduced.

8.2(1)

The capability to view information about partner application package files was added.


Examples

The following is sample output from the show file descriptors command:

hostname# show file descriptors
No open file descriptors
hostname# show file system
File Systems:
   Size(b)     Free(b)    Type  Flags  Prefixes
* 60985344    60973056    disk    rw     disk:
 
   

The following is sample output fromthe show file info command:

hostname# show file info disk0:csc_embd1.0.1000.pkg
type is package (csc)
file size is 17204149 bytes version 1

Related Commands

Command
Description

dir

Displays the directory contents.

pwd

Displays the current working directory.


show firewall

To show the current firewall mode (routed or transparent), use the show firewall command in privileged EXEC mode.

show firewall

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was introduced.


Examples

The following is sample output from the show firewall command:

hostname# show firewall
Firewall mode: Router
 
   

Related Commands

Command
Description

firewall transparent

Sets the firewall mode.

show mode

Shows the current context mode, either single or multiple.


show flash

To display the contents of the internal Flash memory, use the show flash: command in privileged EXEC mode.

show flash: all | controller | filesys


Note In the adaptive security appliance, the flash keyword is aliased to disk0.


Syntax Description

all

Displays all Flash information.

controller

Displays file system controller information.

filesys

Displays file system information.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command.

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

The following is sample output from the show flash: command:

hostname# show flash:
-#- --length-- -----date/time------ path
 11 1301       Feb 21 2005 18:01:34 test.cfg
 12 1949       Feb 21 2005 20:13:36 pepsi.cfg
 13 2551       Jan 06 2005 10:07:36 Leo.cfg
 14 609223     Jan 21 2005 07:14:18 rr.cfg
 15 1619       Jul 16 2004 16:06:48 hackers.cfg
 16 3184       Aug 03 2004 07:07:00 old_running.cfg
 17 4787       Mar 04 2005 12:32:18 admin.cfg
 20 1792       Jan 21 2005 07:29:24 Marketing.cfg
 21 7765184    Mar 07 2005 19:38:30 asdmfile-RLK
 22 1674       Nov 11 2004 02:47:52 potts.cfg
 23 1863       Jan 21 2005 07:29:18 r.cfg
 24 1197       Jan 19 2005 08:17:48 tst.cfg
 25 608554     Jan 13 2005 06:20:54 500kconfig
 26 5124096    Feb 20 2005 08:49:28 cdisk70102
 27 5124096    Mar 01 2005 17:59:56 cdisk70104
 28 2074       Jan 13 2005 08:13:26 negateACL
 29 5124096    Mar 07 2005 19:56:58 cdisk70105
 30 1276       Jan 28 2005 08:31:58 steel
 31 7756788    Feb 24 2005 12:59:46 asdmfile.50074.dbg
 32 7579792    Mar 08 2005 11:06:56 asdmfile.gusingh
 33 7764344    Mar 04 2005 12:17:46 asdmfile.50075.dbg
 34 5124096    Feb 24 2005 11:50:50 cdisk70103
 35 15322      Mar 04 2005 12:30:24 hs_err_pid2240.log
 
   
10170368 bytes available (52711424 bytes used)

Related Commands

Command
Description

dir

Displays the directory contents.

show disk0:

Displays the contents of the internal Flash memory.

show disk1:

Displays the contents of the external Flash memory card.


show flow-export counters

To display runtime counters associated with NetFlow data, use the show flow-export counters command in privileged EXEC mode.

show flow-export counters

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command.

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.1(1)

This command was introduced.


Usage Guidelines

The runtime counters include statistical data as well as error data.

Examples

The following is sample output from the show flow-export counters command that shows runtime counters that are associated with NetFlow data:

hostname# show flow-export counters
 
   
destination: inside 209.165.200.224 2055
 Statistics:
  packets sent                      1000
 Errors:
  block allocation failure             0
  invalid interface                    0
  template send failure                0
 
   

Related Commands

Commands 
Description 

clear flow-export counters

Resets all runtime counters in NetFlow to zero.

flow-export destination interface-name ipv4-address | hostname udp-port

Specifies the IP address or hostname of the NetFlow collector, and the UDP port on which the NetFlow collector is listening.

flow-export template timeout-rate minutes

Controls the interval at which the template information is sent to the NetFlow collector.

logging flow-export-syslogs enable

Enables syslog messages after you have entered the logging flow-export-syslogs disable command, and the syslog messages that are associated with NetFlow data.


show fragment

To display the operational data of the IP fragment reassembly module, enter the show fragment command in privileged EXEC mode.

show fragment [interface]

Syntax Description

interface

(Optional) Specifies the adaptive security appliance interface.


Defaults

If an interface is not specified, the command applies to all interfaces.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC mode


Command History

Release
Modification

7.0(1)

The command was separated into two commands, show fragment and show running-config fragment, to separate the configuration data from the operational data.


Examples

This example shows how to display the operational data of the IP fragment reassembly module:

hostname# show fragment 
Interface: inside
    Size: 200, Chain: 24, Timeout: 5, Threshold: 133
    Queue: 0, Assembled: 0, Fail: 0, Overflow: 0
Interface: outside1
    Size: 200, Chain: 24, Timeout: 5, Threshold: 133
    Queue: 0, Assembled: 0, Fail: 0, Overflow: 0
Interface: test1
    Size: 200, Chain: 24, Timeout: 5, Threshold: 133
    Queue: 0, Assembled: 0, Fail: 0, Overflow: 0
Interface: test2
    Size: 200, Chain: 24, Timeout: 5, Threshold: 133
    Queue: 0, Assembled: 0, Fail: 0, Overflow: 0

Related Commands

Command
Description

clear configure fragment

Clears the IP fragment reassembly configuration and resets the defaults.

clear fragment

Clears the operational data of the IP fragment reassembly module.

fragment

Provides additional management of packet fragmentation and improves compatibility with NFS.

show running-config fragment

Displays the IP fragment reassembly configuration.


show gc

To display the garbage collection process statistics, use the show gc command in privileged EXEC mode.

show gc

Syntax Description

This command has no arguments or keywords.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

The following is sample output from the show gc command:

hostname# show gc
 
   
Garbage collection process stats:
Total tcp conn delete response             :            0
Total udp conn delete response             :            0
Total number of zombie cleaned             :            0
Total number of embryonic conn cleaned     :            0
Total error response                       :            0
Total queries generated                    :            0
Total queries with conn present response   :            0
Total number of sweeps                     :          946
Total number of invalid vcid               :            0
Total number of zombie vcid                :            0

Related Commands

Command
Description

clear gc

Removes the garbage collection process statistics.


show h225

To display information for H.225 sessions established across the adaptive security appliance, use the show h225 command in privileged EXEC mode.

show h225

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The show h225 command displays information for H.225 sessions established across the adaptive security appliance. Along with the debug h323 h225 event, debug h323 h245 event, and show local-host commands, this command is used for troubleshooting H.323 inspection engine issues.

Before using the show h225, show h245, or show h323-ras commands, we recommend that you configure the pager command. If there are a lot of session records and the pager command is not configured, it may take a while for the show output to reach its end. If there is an abnormally large number of connections, check that the sessions are timing out based on the default timeout values or the values set by you. If they are not, then there is a problem that needs to be investigated.

Examples

The following is sample output from the show h225 command:

hostname# show h225
Total H.323 Calls: 1
1 Concurrent Call(s) for
 | Local: | 10.130.56.3/1040 | Foreign: 172.30.254.203/1720
 | 1. CRV 9861
 | Local: | 10.130.56.3/1040 | Foreign: 172.30.254.203/1720
0 Concurrent Call(s) for
 | Local: | 10.130.56.4/1050 | Foreign: 172.30.254.205/1720
 
   

This output indicates that there is currently 1 active H.323 call going through the adaptive security appliance between the local endpoint 10.130.56.3 and foreign host 172.30.254.203, and for these particular endpoints, there is 1 concurrent call between them, with a CRV (Call Reference Value) for that call of 9861.

For the local endpoint 10.130.56.4 and foreign host 172.30.254.205, there are 0 concurrent Calls. This means that there is no active call between the endpoints even though the H.225 session still exists. This could happen if, at the time of the show h225 command, the call has already ended but the H.225 session has not yet been deleted. Alternately, it could mean that the two endpoints still have a TCP connection opened between them because they set "maintainConnection" to TRUE, so the session is kept open until they set it to FALSE again, or until the session times out based on the H.225 timeout value in your configuration.

Related Commands

Commands
Description

debug h323

Enables the display of debug information for H.323.

inspect h323

Enables H.323 application inspection.

show h245

Displays information for H.245 sessions established across the adaptive security appliance by endpoints using slow start.

show h323-ras

Displays information for H.323 RAS sessions established across the adaptive security appliance.

timeout h225 | h323

Configures idle time after which an H.225 signalling connection or an H.323 control connection will be closed.


show h245

To display information for H.245 sessions established across the adaptive security appliance by endpoints using slow start, use the show h245 command in privileged EXEC mode.

show h245

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The show h245 command displays information for H.245 sessions established across the adaptive security appliance by endpoints using slow start. (Slow start is when the two endpoints of a call open another TCP control channel for H.245. Fast start is where the H.245 messages are exchanged as part of the H.225 messages on the H.225 control channel.) Along with the debug h323 h245 event, debug h323 h225 event, and show local-host commands, this command is used for troubleshooting H.323 inspection engine issues.

Examples

The following is sample output from the show h245 command:

hostname# show h245
Total: 1
 | LOCAL | TPKT | FOREIGN | TPKT
1 | 10.130.56.3/1041 | 0 | 172.30.254.203/1245 | 0
 | MEDIA: LCN 258 Foreign 172.30.254.203 RTP 49608 RTCP 49609
 | Local | 10.130.56.3 RTP 49608 RTCP 49609
 | MEDIA: LCN 259 Foreign 172.30.254.203 RTP 49606 RTCP 49607
 | Local | 10.130.56.3 RTP 49606 RTCP 49607
 
   

There is currently one H.245 control session active across the adaptive security appliance. The local endpoint is 10.130.56.3, and we are expecting the next packet from this endpoint to have a TPKT header because the TPKT value is 0. (The TKTP header is a 4-byte header preceding each H.225/H.245 message. It gives the length of the message, including the 4-byte header.) The foreign host endpoint is 172.30.254.203, and we are expecting the next packet from this endpoint to have a TPKT header because the TPKT value is 0.

The media negotiated between these endpoints have a LCN (logical channel number) of 258 with the foreign RTP IP address/port pair of 172.30.254.203/49608 and a RTCP IP address/port of 172.30.254.203/49609 with a local RTP IP address/port pair of 10.130.56.3/49608 and a RTCP port of 49609.

The second LCN of 259 has a foreign RTP IP address/port pair of 172.30.254.203/49606 and a RTCP IP address/port pair of 172.30.254.203/49607 with a local RTP IP address/port pair of 10.130.56.3/49606 and RTCP port of 49607.

Related Commands

Commands
Description

debug h323

Enables the display of debug information for H.323.

inspect h323

Enables H.323 application inspection.

show h245

Displays information for H.245 sessions established across the adaptive security appliance by endpoints using slow start.

show h323-ras

Displays information for H.323 RAS sessions established across the adaptive security appliance.

timeout h225 | h323

Configures idle time after which an H.225 signalling connection or an H.323 control connection will be closed.


show h323-ras

To display information for H.323 RAS sessions established across the adaptive security appliance between a gatekeeper and its H.323 endpoint, use the show h323-ras command in privileged EXEC mode.

show h323-ras

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The show h323-ras command displays information for H.323 RAS sessions established across the adaptive security appliance between a gatekeeper and its H.323 endpoint. Along with the debug h323 ras event and show local-host commands, this command is used for troubleshooting H.323 RAS inspection engine issues.

The show h323-ras command displays connection information for troubleshooting H.323 inspection engine issues, and is described in the inspect protocol h323 {h225 | ras} command page.

Examples

The following is sample output from the show h323-ras command:

hostname# show h323-ras
Total: 1
 | GK | Caller
 | 172.30.254.214 10.130.56.14
hostname# 
 
   

This output shows that there is one active registration between the gatekeeper 172.30.254.214 and its client 10.130.56.14.

Related Commands

Commands
Description

debug h323

Enables the display of debug information for H.323.

inspect h323

Enables H.323 application inspection.

show h245

Displays information for H.245 sessions established across the adaptive security appliance by endpoints using slow start.

show h323-ras

Displays information for H.323 RAS sessions established across the adaptive security appliance.

timeout h225 | h323

Configures idle time after which an H.225 signalling connection or an H.323 control connection will be closed.


show history

To display the previously entered commands, use the show history command in user EXEC mode.

show history

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command.

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC

User EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.

8.2(4)

Changes were made to output based on user privilege levels.


Usage Guidelines

The show history command lets you display previously entered commands. You can examine commands individually with the up and down arrows, enter ^p to display previously entered lines, enter ^n to display the next line, or enter Ctrl + r to search the previously entered commands.

Entering the show history command displays filtered results, based on the current privilege level of the user performing the action. The show history command output is based on privilege level, which means the following:

Users with lower privileges cannot see the history from users with higher privileges.

Users with higher privileges can see the history from users with lower prvileges, however.

Privilege level determines what is shown during scrolling of previous lines and applies to what history can be matched during a search.

When invoked from the show tech command, the show history command output displays previously entered commands at privilege level 15 to avoid losing history during a crash or during a troubleshooting session.

Examples

The following example shows sample output from the show history command in user EXEC mode:

hostname> show history
show history
help
show history
 
   

The following example shows sample output from the show history command in privileged EXEC mode:

hostname# show history
show history
help
show history
enable
show history
 
   

The following example shows sample output from the show history command in global configuration mode:

hostname(config)# show history
show history
help
show history
enable
show history
config t 
show history
 
   

Related Commands

Command
Description

help

Displays help information for the command specified.


show icmp

To display the ICMP configuration, use the show icmp command in privileged EXEC mode.

show icmp

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was previously existing.


Usage Guidelines

The show icmp command displays the ICMP configuration.

Examples

The following example shows the ICMP configuration:

hostname# show icmp
 
   

Related Commands

clear configure icmp

Clears the ICMP configuration.

debug icmp

Enables the display of debug information for ICMP.

icmp

Configures access rules for ICMP traffic that terminates at a adaptive security appliance interface.

inspect icmp

Enables or disables the ICMP inspection engine.

timeout icmp

Configures the idle timeout for ICMP.


show idb

To display information about the status of interface descriptor blocks, use the show idb command in privileged EXEC mode.

show idb

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

IDBs are the internal data structure representing interface resources. See the "Examples" section for a description of the display output.

Examples

The following is sample output from the show idb command:

hostname# show idb
Maximum number of Software IDBs 280.  In use 23.
 
   
                   HWIDBs     SWIDBs
            Active 6          21
          Inactive 1          2
        Total IDBs 7          23
 Size each (bytes) 116        212
       Total bytes 812        4876
 
   
HWIDB#  1 0xbb68ebc  Control0/0
HWIDB#  2 0xcd47d84  GigabitEthernet0/0
HWIDB#  3 0xcd4c1dc  GigabitEthernet0/1
HWIDB#  4 0xcd5063c  GigabitEthernet0/2
HWIDB#  5 0xcd54a9c  GigabitEthernet0/3
HWIDB#  6 0xcd58f04  Management0/0
 
   
SWIDB#  1 0x0bb68f54 0x01010001 Control0/0
SWIDB#  2 0x0cd47e1c 0xffffffff GigabitEthernet0/0
SWIDB#  3 0x0cd772b4 0xffffffff GigabitEthernet0/0.1
  PEER IDB#  1 0x0d44109c 0xffffffff     3  GigabitEthernet0/0.1
  PEER IDB#  2 0x0d2c0674 0x00020002     2  GigabitEthernet0/0.1
  PEER IDB#  3 0x0d05a084 0x00010001     1  GigabitEthernet0/0.1
SWIDB#  4 0x0bb7501c 0xffffffff GigabitEthernet0/0.2
SWIDB#  5 0x0cd4c274 0xffffffff GigabitEthernet0/1
SWIDB#  6 0x0bb75704 0xffffffff GigabitEthernet0/1.1
  PEER IDB#  1 0x0cf8686c 0x00020003     2  GigabitEthernet0/1.1
SWIDB#  7 0x0bb75dec 0xffffffff GigabitEthernet0/1.2
  PEER IDB#  1 0x0d2c08ac 0xffffffff     2  GigabitEthernet0/1.2
SWIDB#  8 0x0bb764d4 0xffffffff GigabitEthernet0/1.3
  PEER IDB#  1 0x0d441294 0x00030001     3  GigabitEthernet0/1.3
SWIDB#  9 0x0cd506d4 0x01010002 GigabitEthernet0/2
SWIDB# 10 0x0cd54b34 0xffffffff GigabitEthernet0/3
  PEER IDB#  1 0x0d3291ec 0x00030002     3  GigabitEthernet0/3
  PEER IDB#  2 0x0d2c0aa4 0x00020001     2  GigabitEthernet0/3
  PEER IDB#  3 0x0d05a474 0x00010002     1  GigabitEthernet0/3
SWIDB# 11 0x0cd58f9c 0xffffffff Management0/0
  PEER IDB#  1 0x0d05a65c 0x00010003     1  Management0/0
 
   

Table 25-1 shows each field description.

Table 25-11 show idb stats Fields 

Field
Description

HWIDBs

Shows the statistics for all HWIDBs. HWIDBs are created for each hardware port in the system.

SWIDBs

Shows the statistics for all SWIDBs. SWIDBs are created for each main and subinterface in the system, and for each interface that is allocated to a context.

Some other internal software modules also create IDBs.

HWIDB#

Specifies a hardware interface entry. The IDB sequence number, address, and interface name is displayed in each line.

SWIDB#

Specifies a software interface entry. The IDB sequence number, address, corresponding vPif id, and interface name are displayed in each line.

PEER IDB#

Specifies an interface allocated to a context. The IDB sequence number, address, corresponding vPif id, context id and interface name are displayed in each line.


Related Commands

Command
Description

interface

Configures an interface and enters interface configuration mode.

show interface

Displays the runtime status and statistics of interfaces.


show igmp groups

To display the multicast groups with receivers that are directly connected to the adaptive security appliance and that were learned through IGMP, use the show igmp groups command in privileged EXEC mode.

show igmp groups [[reserved | group] [if_name] [detail]] | summary]

Syntax Description

detail

(Optional) Provides a detailed description of the sources.

group

(Optional) The address of an IGMP group. Including this optional argument limits the display to the specified group.

if_name

(Optional) Displays group information for the specified interface.

reserved

(Optional) Displays information about reserved groups.

summary

(Optional) Displays group joins summary information.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

If you omit all optional arguments and keywords, the show igmp groups command displays all directly connected multicast groups by group address, interface type, and interface number.

Examples

The following is sample output from the show igmp groups command:

hostname#show igmp groups
 
   
IGMP Connected Group Membership
Group Address    Interface            Uptime    Expires   Last Reporter
224.1.1.1        inside               00:00:53  00:03:26  192.168.1.6

Related Commands

Command
Description

show igmp interface

Displays multicast information for an interface.


show igmp interface

To display multicast information for an interface, use the show igmp interface command in privileged EXEC mode.

show igmp interface [if_name]

Syntax Description

if_name

(Optional) Displays IGMP group information for the selected interface.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was modified. The detail keyword was removed.


Usage Guidelines

If you omit the optional if_name argument, the show igmp interface command displays information about all interfaces.

Examples

The following is sample output from the show igmp interface command:

hostname# show igmp interface inside
 
   
inside is up, line protocol is up
 Internet address is 192.168.37.6, subnet mask is 255.255.255.0
 IGMP is enabled on interface
 IGMP query interval is 60 seconds
 Inbound IGMP access group is not set
 Multicast routing is enabled on interface
 Multicast TTL threshold is 0
 Multicast designated router (DR) is 192.168.37.33
 No multicast groups joined
 
   

Related Commands

Command
Description

show igmp groups

Displays the multicast groups with receivers that are directly connected to the adaptive security appliance and that were learned through IGMP.


show igmp traffic

To display IGMP traffic statistics, use the show igmp traffic command in privileged EXEC mode.

show igmp traffic

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was introduced.


Examples

The following is sample output from the show igmp traffic command:

hostname# show igmp traffic
 
   
IGMP Traffic Counters
Elapsed time since counters cleared: 00:02:30
                             Received     Sent
Valid IGMP Packets              3           6
Queries                         2           6
Reports                         1           0
Leaves                          0           0
Mtrace packets                  0           0
DVMRP packets                   0           0
PIM packets                     0           0
 
   
Errors:
Malformed Packets               0
Martian source                  0
Bad Checksums                   0

Related Commands

Command
Description

clear igmp counters

Clears all IGMP statistic counters.

clear igmp traffic

Clear the IGMP traffic counters.


show import webvpn

To list the files, customization objects, translation tables, or plug-ins in flash memory that customize and localize the adaptive security appliance or the AnyConnect Secure Mobility Client, use the show import webvpn command in privileged EXEC mode.

show import webvpn {AnyConnect-customization | customization | mst-translation | plug-in | translation-table | url-list | webcontent}[detailed | xml-output]

Syntax Description

AnyConnect-customization

Displays resource files, executable files, and MS transforms in the adaptive security appliance flash memory that customize the AnyConnect client GUI.

customization

Displays XML customization objects in the adaptive security appliance flash memory that customize the clientless VPN portal (filenames base64 decoded).

mst-translation

Displays MS transforms in the adaptive security appliance flash memory that translate the AnyConnect client installer program.

plug-in

Displays plug-in modules in the adaptive security appliance flash memory (third-party Java-based client applications, including SSH, VNC, and RDP).

translation-table

Displays translation tables in the adaptive security appliance flash memory that translate the language of user messages displayed by the clientless portal, Secure Desktop, and plug-ins.

url-list

Displays URL lists in the adaptive security appliance flash memory used by the clientless portal (filenames base64 decoded).

webcontent

Displays content in adaptive security appliance flash memory used by the clientless portal, clientless applications, and plugins for online help visible to end users.

detailed

Displays the path in flash memory of the file(s) and the hash.

xml-output

Displays the XML of the file(s).


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC mode


Command History

Release
Modification

8.0(2)

This command was introduced.

8.2(1)

The AnyConnect-customization keyword was added.


Usage Guidelines

Use the show import webvpn command to identify the custom data and the Java-based client applications available to clientless SSL VPN users. The displayed list itemizes all of the requested data types that are in flash memory on the adaptive security appliance.

Example

The following illustrates the WebVPN data displayed by various show import webvpn command:

hostname# show import webvpn plug
ssh
rdp
vnc
hostname#
 
   
hostname#		show import webvpn plug detail
post GXN2BIGGOAOkBMibDQsMu2GWZ3Q= Tue, 29 Apr 2008 19:57:03 GMT
rdp fHeyReIOUwDCgAL9HdTsPnjdBOo= Tue, 15 Sep 2009 23:23:56 GMT
rdp2 shw8c22T2SsILLk6zyCd6H6VOz8= Wed, 11 Feb 2009 21:17:54 GMT
hostname# show import webvpn customization  
Template
DfltCustomization
hostname#
 
   
hostname# show import webvpn translation-table
Translation Tables' Templates:
  AnyConnect
  PortForwarder
  banners
  csd
  customization
  url-list
  webvpn
Translation Tables:
  ru                                              customization
  ua                                              customization
hostname# 
 
   
hostname# show import webvpn url-list                    
Template
No bookmarks are currently defined
hostname# 
 
   
hostname# show import webvpn webcontent
No custom webcontent is loaded
hostname# 
 
   

Related Commands

Command
Description

revert webvpn all

Removes all WebVPN data and plug-in current on the adaptive security appliance.


show interface

To view interface statistics, use the show interface command in privileged EXEC mode.

show interface [{physical_interface | redundant number}[.subinterface] | mapped_name | interface_name | vlan number] [stats | detail]

Syntax Description

detail

(Optional) Shows detailed interface information, including the order in which the interface was added, the configured state, the actual state, and asymmetrical routing statistics, if enabled by the asr-group command. If you show all interfaces, then information about the internal interfaces for SSMs displays, if installed on the ASA 5500 series adaptive security appliance. The internal interface is not user-configurable, and the information is for debugging purposes only.

interface_name

(Optional) Identifies the interface name set with the nameif command.

mapped_name

(Optional) In multiple context mode, identifies the mapped name if it was assigned using the allocate-interface command.

physical_interface

(Optional) Identifies the interface ID, such as gigabitethernet 0/1. See the interface command for accepted values.

redundant number

(Optional) Identifies the redundant interface ID, such as redundant1.

stats

(Default) Shows interface information and statistics. This keyword is the default, so it is optional.

subinterface

(Optional) Identifies an integer between 1 and 4294967293, designating a logical subinterface.

vlan number

(Optional) For models with a built-in switch, such as the ASA 5505 adaptive security appliance, specifies the VLAN interface.


Defaults

If you do not identify any options, this command shows basic statistics for all interfaces.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was modified to include the new interface numbering scheme, and to add the stats keyword for clarity, and the detail keyword.

7.0(4)

This command added support for the 4GE SSM interfaces.

7.2(1)

This command added support for switch interfaces.

8.0(2)

This command added support for redundant interfaces. Also, the delay is added for subinterfaces. Two new counters were added: input reset drops and output reset drops.

8.2(1)

The no buffer number was changed to show the number of failures from block allocations.

8.2(3)

The following information was added to the show interface command output: license status for 10-Gigabit Ethernet interfaces on the ASA 5585-X; pause input and resume input for 10-Gigabit Ethernet interfaces, and pause output and resume output for 10-Gigabit Ethernet interfaces on the ASA 5580 and the ASA 5585-X; pause/resume input and pause/resume output for external interfaces on the ASA 5585-X.

The following information was added to the show interface detail command output: per queue overruns for internal interfaces on the ASA 5580 and the ASA 5585-X; output decode drops for 10-Gigabit Ethernet interfaces on the ASA 5580 and the ASA 5585-X.


Usage Guidelines

If an interface is shared among contexts, and you enter this command within a context, the adaptive security appliance shows only statistics for the current context. When you enter this command in the system execution space for a physical interface, the adaptive security appliance shows the combined statistics for all contexts.

The number of statistics shown for subinterfaces is a subset of the number of statistics shown for a physical interface.

You cannot use the interface name in the system execution space, because the nameif command is only available within a context. Similarly, if you mapped the interface ID to a mapped name using the allocate-interface command, you can only use the mapped name in a context. If you set the visible keyword in the allocate-interface command, the adaptive security appliance shows the interface ID in the output of the show interface command.


Note The number of bytes transmitted or received in the Hardware count and the Traffic Statistics count are different.

In the hardware count, the amount is retrieved directly from hardware, and reflects the Layer 2 packet size. While in traffic statistics, it reflects the Layer 3 packet size.

The count difference is varied based upon the design of the interface card hardware.

For example, for a Fast Ethernet card, the Layer 2 count is 14 bytes greater than the traffic count, because it includes the Ethernet header. On the Gigabit Ethernet card, the Layer 2 count is 18 bytes greater than the traffic count, because it includes both the Ethernet header and the CRC.


See the "Examples" section for a description of the display output.

Examples

The following is sample output from the show interface command:

hostname# show interface
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 1000 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        MAC address 000b.fcf8.c44e, MTU 1500
        IP address 10.86.194.60, subnet mask 255.255.254.0
        1328522 packets input, 124426545 bytes, 0 no buffer
        Received 1215464 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        9 L2 decode drops
        124606 packets output, 86803402 bytes, 0 underruns
        0 output errors, 0 collisions
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        0 hash code drops
        input queue (curr/max packets): hardware (0/7)
        output queue (curr/max packets): hardware (0/13)
  Traffic Statistics for "outside":
        1328509 packets input, 99873203 bytes
        124606 packets output, 84502975 bytes
        524605 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface GigabitEthernet0/1 "inside", is administratively down, line protocol is down
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 1000 usec
        Auto-Duplex, Auto-Speed
        MAC address 000b.fcf8.c44f, MTU 1500
        IP address 10.10.0.1, subnet mask 255.255.0.0
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        input queue (curr/max packets): hardware (0/0)
        output queue (curr/max packets): hardware (0/0)
  Traffic Statistics for "inside":
        0 packets input, 0 bytes
        0 packets output, 0 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface GigabitEthernet0/2 "faillink", is administratively down, line protocol is down
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 1000 usec
        Auto-Duplex, Auto-Speed
        Description: LAN/STATE Failover Interface
        MAC address 000b.fcf8.c450, MTU 1500
        IP address 192.168.1.1, subnet mask 255.255.255.0
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        input queue (curr/max packets): hardware (0/0)
        output queue (curr/max packets): hardware (0/0)
  Traffic Statistics for "faillink":
        0 packets input, 0 bytes
        1 packets output, 28 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface GigabitEthernet0/3 "", is administratively down, line protocol is down
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 1000 usec
        Auto-Duplex, Auto-Speed
        Active member of Redundant5
        MAC address 000b.fcf8.c451, MTU not set
        IP address unassigned
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        input queue (curr/max packets): hardware (0/0)
        output queue (curr/max packets): hardware (0/0)
Interface Management0/0 "", is administratively down, line protocol is down
  Hardware is i82557, BW 100 Mbps, DLY 1000 usec
        Auto-Duplex, Auto-Speed
        Available but not configured via nameif
        MAC address 000b.fcf8.c44d, MTU not set
        IP address unassigned
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max packets): hardware (128/128) software (0/0)
        output queue (curr/max packets): hardware (0/0) software (0/0)
Interface Redundant1 "", is down, line protocol is down
  Redundancy Information:
        Members unassigned
Interface Redundant5 "redundant", is administratively down, line protocol is down
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 1000 usec
        Auto-Duplex, Auto-Speed
        MAC address 000b.fcf8.c451, MTU 1500
        IP address 10.2.3.5, subnet mask 255.255.255.0
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        input queue (curr/max packets): hardware (0/0) software (0/0)
        output queue (curr/max packets): hardware (0/0) software (0/0)
  Traffic Statistics for "redundant":
        0 packets input, 0 bytes
        0 packets output, 0 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
  Redundancy Information:
        Member GigabitEthernet0/3(Active), GigabitEthernet0/2
        Last switchover at 15:15:26 UTC Oct 24 2006
Interface Redundant5.1 "", is down, line protocol is down
        VLAN identifier none
        Available but not configured with VLAN or via namei
 
   

The following is sample output from the show interface command for a 10-Gigabit Ethernet interface on the ASA 5580, which includes license status, pause and resume input, and pause and resume output statistics:

hostname# show interface t8/0
Interface TenGigabitEthernet8/0 "test", is down, line protocol is down
 Link is down as 10Gbps support is not licensed
  Hardware is i82598af rev01, BW 10000 Mbps, DLY 10 usec
        Input flow control is unsupported, output flow control is on
        MAC address 001b.2104.c047, MTU 1500
        IP address unassigned
        0 packets input, 0 bytes, 0 no buffer
        0 pause input, 0 resume input
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 2 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        0 hash decode drops
  Traffic Statistics for "test":
        0 packets input, 0 bytes
        0 packets output, 0 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
 
   

The following is sample output from the show interface command for a 1-Gigabit Ethernet interface on the ASA 5585-X, which includes an external interface:

hostname# show interface
Interface GigabitEthernet0/0 "", is administratively down, line protocol is down
  Hardware is bcm56800 rev 01, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex, Auto-Speed
        Input flow control is unsupported, output flow control is off
        Available but not configured via nameif
        MAC address 5475.d029.7b06, MTU not set
        IP address unassigned
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause/resume input
        0 L2 decode drops
        0 switch ingress policy drops
        0 packets output, 0 bytes, 0 underruns
        0 pause/resume output
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 rate limit drops
        0 switch egress policy drops
        0 input reset drops, 0 output reset drops
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
  Hardware is bcm56800 rev 01, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
        Input flow control is unsupported, output flow control is off
        MAC address 5475.d029.7b07, MTU 1500
        IP address 10.130.4.254, subnet mask 255.255.255.0
        49380 packets input, 4435690 bytes, 0 no buffer
        Received 36679 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause/resume input
        0 L2 decode drops
        0 switch ingress policy drops
        11262 packets output, 968630 bytes, 0 underruns
        0 pause/resume output
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 rate limit drops
        0 switch egress policy drops
        0 input reset drops, 0 output reset drops
  Traffic Statistics for "inside":
        47932 packets input, 2508306 bytes
        11263 packets output, 765964 bytes
        281 packets dropped
      1 minute input rate 0 pkts/sec,  42 bytes/sec
      1 minute output rate 0 pkts/sec,  13 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  45 bytes/sec
      5 minute output rate 0 pkts/sec,  13 bytes/sec
      5 minute drop rate, 0 pkts/sec
 
   

Table 25-12 shows each field description.

Table 25-12 show interface Fields 

Field
Description

Interface ID

The interface ID. Within a context, the adaptive security appliance shows the mapped name (if configured), unless you set the allocate-interface command visible keyword.

"interface_name"

The interface name set with the nameif command. In the system execution space, this field is blank because you cannot set the name in the system. If you do not configure a name, the following message appears after the Hardware line:

Available but not configured via nameif

is state

The administrative state, as follows:

up—The interface is not shut down.

administratively down—The interface is shut down with the shutdown command.

Line protocol is state

The line status, as follows:

up—A working cable is plugged into the network interface.

down—Either the cable is incorrect or not plugged into the interface connector.

VLAN identifier

For subinterfaces, the VLAN ID.

Hardware

The interface type, maximum bandwidth, delay, duplex, and speed. When the link is down, the duplex and speed show the configured values. When the link is up, these fields show the configured values with the actual settings in parentheses. The following list describes the common hardware types:

i82546GB - Intel PCI-X Copper Gigabit used on ASA platforms

i82547GI - Intel CSA Copper Gigabit used as backplane on ASA platforms

i82557 - Intel PCI Copper Fast Ethernet used on ASA platforms

VCS7380 - Vitesse Four Port Gigabit Switch used in SSM-4GE

I82574 Four Port GE interface on ASA platforms

i82598 10GE interface on ASA platforms

i82599_xaui 10GE internal interface on ASA platforms

bcm5680x Broadcom 10GE Switch on ASA platforms

Media-type

(For 4GE SSM interfaces only) Shows if the interface is set as RJ-45 or SFP.

message area

A message might be displayed in some circumstances. See the following examples:

In the system execution space, you might see the following message:

Available for allocation to a context
 
        

If you do not configure a name, you see the following message:

Available but not configured via nameif
 
        

If an interface is a member of a redundant interface, you see the following message:

Active member of Redundant5

MAC address

The interface MAC address.

MTU

The maximum size, in bytes, of packets allowed on this interface. If you do not set the interface name, this field shows "MTU not set."

IP address

The interface IP address set using the ip address command or received from a DHCP server. In the system execution space, this field shows "IP address unassigned" because you cannot set the IP address in the system.

Subnet mask

The subnet mask for the IP address.

Packets input

The number of packets received on this interface.

Bytes

The number of bytes received on this interface.

No buffer

The number of failures from block allocations.

Received:

Broadcasts

The number of broadcasts received.

Input errors

The number of total input errors, including the types listed below. Other input-related errors can also cause the input error count to increase, and some datagrams might have more than one error; therefore, this sum might exceed the number of errors listed for the types below.

Runts

The number of packets that are discarded because they are smaller than the minimum packet size, which is 64 bytes. Runts are usually caused by collisions. They might also be caused by poor wiring and electrical interference.

Giants

The number of packets that are discarded because they exceed the maximum packet size. For example, any Ethernet packet that is greater than 1518 bytes is considered a giant.

CRC

The number of Cyclical Redundancy Check errors. When a station sends a frame, it appends a CRC to the end of the frame. This CRC is generated from an algorithm based on the data in the frame. If the frame is altered between the source and destination, the adaptive security appliance notes that the CRC does not match. A high number of CRCs is usually the result of collisions or a station transmitting bad data.

Frame

The number of frame errors. Bad frames include packets with an incorrect length or bad frame checksums. This error is usually the result of collisions or a malfunctioning Ethernet device.

Overrun

The number of times that the adaptive security appliance was incapable of handing received data to a hardware buffer because the input rate exceeded the adaptive security appliance capability to handle the data.

Ignored

This field is not used. The value is always 0.

Abort

This field is not used. The value is always 0.

L2 decode drops

The number of packets dropped because the name is not configured (nameif command) or a frame with an invalid VLAN id is received.

Packets output

The number of packets sent on this interface.

Bytes

The number of bytes sent on this interface.

Underruns

The number of times that the transmitter ran faster than the adaptive security appliance could handle.

Output Errors

The number of frames not transmitted because the configured maximum number of collisions was exceeded. This counter should only increment during heavy network traffic.

Collisions

The number of messages retransmitted due to an Ethernet collision (single and multiple collisions). This usually occurs on an overextended LAN (Ethernet or transceiver cable too long, more than two repeaters between stations, or too many cascaded multiport transceivers). A packet that collides is counted only once by the output packets.

Interface resets

The number of times an interface has been reset. If an interface is unable to transmit for three seconds, the adaptive security appliance resets the interface to restart transmission. During this interval, connection state is maintained. An interface reset can also happen when an interface is looped back or shut down.

Babbles

Unused. (The transmitter has been on the interface longer than the time taken to transmit the largest frame.)

Late collisions

The number of frames that were not transmitted because a collision occurred outside the normal collision window. A late collision is a collision that is detected late in the transmission of the packet. Normally, these should never happen. When two Ethernet hosts try to talk at once, they should collide early in the packet and both back off, or the second host should see that the first one is talking and wait.

If you get a late collision, a device is jumping in and trying to send the packet on the Ethernet while the adaptive security appliance is partly finished sending the packet. The adaptive security appliance does not resend the packet, because it may have freed the buffers that held the first part of the packet. This is not a real problem because networking protocols are designed to cope with collisions by resending packets. However, late collisions indicate a problem exists in your network. Common problems are large repeated networks and Ethernet networks running beyond the specification.

Deferred

The number of frames that were deferred before transmission due to activity on the link.

Input reset drops

Counts the number of packets dropped in the RX ring when a reset occurs.

Output reset drops

Counts the number of packets dropped in the TX ring when a reset occurs.

Rate limit drops

(For 4GE SSM interfaces only) The number of packets dropped if you configured the interface at non-Gigabit speeds and attempted to transmit more than 10 Mbps or 100 Mbps, depending on configuration.

Lost carrier

The number of times the carrier signal was lost during transmission.

No carrier

Unused.

Input queue (curr/max packets):

The number of packets in the input queue, the current and the maximum.

Hardware

The number of packets in the hardware queue.

Software

The number of packets in the software queue. Not available for Gigabit Ethernet interfaces.

Output queue (curr/max packets):

The number of packets in the output queue, the current and the maximum.

Hardware

The number of packets in the hardware queue.

Software

The number of packets in the software queue.

Traffic Statistics:

The number of packets received, transmitted, or dropped.

Packets input

The number of packets received and the number of bytes.

Packets output

The number of packets transmitted and the number of bytes.

Packets dropped

The number of packets dropped. Typically this counter increments for packets dropped on the accelerated security path (ASP), for example, if a packet is dropped due to an access list deny.

See the show asp drop command for reasons for potential drops on an interface.

1 minute input rate

The number of packets received in packets/sec and bytes/sec over the last minute.

1 minute output rate

The number of packets transmitted in packets/sec and bytes/sec over the last minute.

1 minute drop rate

The number of packets dropped in packets/sec over the last minute.

5 minute input rate

The number of packets received in packets/sec and bytes/sec over the last 5 minutes.

5 minute output rate

The number of packets transmitted in packets/sec and bytes/sec over the last 5 minutes.

5 minute drop rate

The number of packets dropped in packets/sec over the last 5 minutes.

Redundancy Information

For redundant interfaces, shows the member physical interfaces. The active interface has "(Active)" after the interface ID.

If you have not yet assigned members, you see the following output:

Members unassigned

Last switchover

For redundant interfaces, shows the last time the active interface failed over to the standby interface.

License status

A message displays indicating that an interface is down because a 10-Gigabit Ethernet license requirement was not met on the ASA 5585-X.

Pause input, resume input

The internal interfaces that have both receive and transmit flow control configuration enabled for 10-Gigabit Ethernet interfaces.

Pause output, resume output

The receive and transmit flow control statistics for 1- Gigabit Ethernet interfaces on the ASA 5580 and the ASA 5585-X.

Pause/Resume input

The external interface displays both pause and resume frames input together for 10-Gigabit Ethernet interfaces on the ASA 5585-X.

Pause/Resume output

The external interface displays both pause and resume frames output together for 10-Gigabit Ethernet interfaces on the ASA 5585-X.


The following is sample output from the show interface command on the ASA 5505 adaptive security appliance, which includes switch ports:

hostname# show interface
Interface Vlan1 "inside", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
        MAC address 00d0.2bff.449f, MTU 1500
        IP address 1.1.1.1, subnet mask 255.0.0.0
  Traffic Statistics for "inside":
        0 packets input, 0 bytes
        0 packets output, 0 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
 
   
    Interface Ethernet0/0 "", is up, line protocol is up
      Hardware is 88E6095, BW 100 Mbps, DLY 1000 usec
            Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
            Available but not configured via nameif
            MAC address 00d0.2bfd.6ec5, MTU not set
            IP address unassigned
            407 packets input, 53587 bytes, 0 no buffer
            Received 103 broadcasts, 0 runts, 0 giants
            0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
            0 L2 decode drops
            43 switch ingress policy drops
            0 packets output, 0 bytes, 0 underruns
            0 output errors, 0 collisions, 0 interface resets
            0 babbles, 0 late collisions, 0 deferred
            0 lost carrier, 0 no carrier
            0 rate limit drops
            0 switch egress policy drops
 
   

Table 25-13 shows each field description for the show interface command for switch interfaces, such as those for the ASA 5505 adaptive security appliance. See Table 25-12 for fields that are also shown for the show interface command.

Table 25-13 show interface for Switch Interfaces Fields 

Field
Description

switch ingress policy drops

This drop is usually seen when a port is not configured correctly. This drop is incremented when a packet cannot be successfully forwarded within switch ports as a result of the default or user configured switch port settings. The following configurations are the likely reasons for this drop:

The nameif command was not configured on the VLAN interface.

Note For interfaces in the same VLAN, even if the nameif command was not configured, switching within the VLAN is successful, and this counter does not increment.

The VLAN is shut down.

An access port received an 802.1Q-tagged packet.

A trunk port received a tag that is not allowed or an untagged packet.

The adaptive security appliance is connected to another Cisco device that has Ethernet keepalives. For example, Cisco IOS software uses Ethernet loopback packets to ensure interface health. This packet is not intended to be received by any other device; the health is ensured just by being able to send the packet. These types of packets are dropped at the switch port, and the counter increments.

The VLAN only has one physical interface, but the DEST of the packet does not match the MAC address of the VLAN, and it is not the broadcast address.

switch egress policy drops

Not currently in use.


The following is sample output from the show interface detail command. The following example shows detailed interface statistics for all interfaces, including the internal interfaces (if present for your platform) and asymmetrical routing statistics, if enabled by the asr-group command:

hostname# show interface detail
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 1000 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        MAC address 000b.fcf8.c44e, MTU 1500
        IP address 10.86.194.60, subnet mask 255.255.254.0
        1330214 packets input, 124580214 bytes, 0 no buffer
        Received 1216917 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        9 L2 decode drops
        124863 packets output, 86956597 bytes, 0 underruns
        0 output errors, 0 collisions
        0 late collisions, 0 deferred
        input queue (curr/max packets): hardware (0/7)
        output queue (curr/max packets): hardware (0/13)
  Traffic Statistics for "outside":
        1330201 packets input, 99995120 bytes
        124863 packets output, 84651382 bytes
        525233 packets dropped
  Control Point Interface States:
        Interface number is 1
        Interface config status is active
        Interface state is active
Interface Internal-Data0/0 "", is up, line protocol is up
  Hardware is i82547GI rev00, BW 1000 Mbps, DLY 1000 usec
        (Full-duplex), (1000 Mbps)
        MAC address 0000.0001.0002, MTU not set
        IP address unassigned
        6 packets input, 1094 bytes, 0 no buffer
        Received 6 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops, 0 demux drops
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions
        0 late collisions, 0 deferred
        input queue (curr/max packets): hardware (0/2) software (0/0)
        output queue (curr/max packets): hardware (0/0) software (0/0)
   Control Point Interface States:
        Interface number is unassigned
...
 
   

The following is sample output from the show interface detail command for internal data interfaces on the ASA 5585-X, which includes per queue overrun statistics and output decode drops:

hostname# show interface detail
Interface Internal-Data0/0 "", is up, line protocol is up
  Hardware is i82599_xaui rev01, BW 10000 Mbps, DLY 10 usec
        (Full-duplex), (10000 Mbps)
        Input flow control is on, output flow control is off
        MAC address 0000.0001.0001, MTU not set
        IP address unassigned
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 58978 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops, 0 demux drops
        241022 packets output, 362497088 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 1 interface resets
        0 late collisions, 0 deferred
        0 output decode drops
        0 input reset drops, 0 output reset drops
        0 hash decode drops 
        Queue stats:
          RX[00]: 18000 packets, 27072000 bytes, 0 overrun
                  Blocks free curr/low: 511/509
          RX[01]: 15000 packets, 22560000 bytes, 0 overrun
                  Blocks free curr/low: 511/509
          RX[02]: 36000 packets, 54144000 bytes, 0 overrun
                  Blocks free curr/low: 511/507
          RX[03]: 511 packets, 768544 bytes, 35489 overrun 
                  Blocks free curr/low: 0/1
          RX[04]: 36000 packets, 54144000 bytes, 0 overrun
                  Blocks free curr/low: 511/507
          RX[05]: 36000 packets, 54144000 bytes, 0 overrun
                  Blocks free curr/low: 511/506
          RX[06]: 511 packets, 768544 bytes, 23489 overrun 
                  Blocks free curr/low: 0/1
 
   

Table 25-14 shows each field description for the show interface detail command. See Table 25-12 for fields that are also shown for the show interface command.

Table 25-14 show interface detail Fields 

Field
Description

Demux drops

(On Internal-Data interface only) The number of packets dropped because the adaptive security appliance was unable to demultiplex packets from SSM interfaces. SSM interfaces communicate with the native interfaces across the backplane, and packets from all SSM interfaces are multiplexed on the backplane.

Control Point Interface States:

Interface number

A number used for debugging that indicates in what order this interface was created, starting with 0.

Interface config status

The administrative state, as follows:

active—The interface is not shut down.

not active—The interface is shut down with the shutdown command.

Interface state

The actual state of the interface. In most cases, this state matches the config status above. If you configure high availability, it is possible there can be a mismatch because the adaptive security appliance brings the interfaces up or down as needed.

Asymmetrical Routing Statistics:

Received X1 packets

Number of ASR packets received on this interface.

Transmitted X2 packets

Number of ASR packets sent on this interfaces.

Dropped X3 packets

Number of ASR packets dropped on this interface. The packets might be dropped if the interface is down when trying to forward the packet.

Per queue overrun

The number of packets dropped when the destination RX queue is full for internal interfaces on the ASA 5580 and the ASA 5585-X. This counter indicates that either the application reading packets is behind and must catch up, or the remote end is sending packets too quickly and must be slowed down.

Output decode drops

The number of packets dropped because the packet could not be correctly decoded for hashing to occur in the transmit path. This condition may occur if the encapsulation of the packet is incorrect. This counter appears for 10-Gigabit Ethernet interfaces on the ASA 5580 and the ASA 5585-X.


Related Commands

Command
Description

allocate-interface

Assigns interfaces and subinterfaces to a security context.

clear interface

Clears counters for the show interface command.

delay

Changes the delay metric for an interface.

interface

Configures an interface and enters interface configuration mode.

nameif

Sets the interface name.

show interface ip brief

Shows the interface IP address and status.


show interface ip brief

To view interface IP addresses and status, use the show interface ip brief command in privileged EXEC mode.

show interface [physical_interface[.subinterface] | mapped_name | interface_name | vlan number] ip brief

Syntax Description

interface_name

(Optional) Identifies the interface name set with the nameif command.

mapped_name

(Optional) In multiple context mode, identifies the mapped name if it was assigned using the allocate-interface command.

physical_interface

(Optional) Identifies the interface ID, such as gigabitethernet0/1. See the interface command for accepted values.

subinterface

(Optional) Identifies an integer between 1 and 4294967293 designating a logical subinterface.

vlan number

(Optional) For models with a built-in switch, such as the ASA 5505 adaptive security appliance, specifies the VLAN interface.


Defaults

If you do not specify an interface, the adaptive security appliance shows all interfaces.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent 1
Single
Multiple
Context
System

Privileged EXEC

1 Available for the Management 0/0 interface or subinterface only.


Command History

Release
Modification

7.0(1)

This command was introduced.

7.2(1)

This command added support for VLAN interfaces, and for the Management 0/0 interface or subinterface in transparent mode.


Usage Guidelines

In multiple context mode, if you mapped the interface ID in the allocate-interface command, you can only specify the mapped name or the interface name in a context.

See the "Examples" section for a description of the display output.

Examples

The following is sample output from the show ip brief command:

hostname# show interface ip brief
    Interface                  IP-Address      OK? Method  Status                Protocol
    Control0/0                 127.0.1.1       YES CONFIG  up                    up
    GigabitEthernet0/0         209.165.200.226 YES CONFIG  up                    up
    GigabitEthernet0/1         unassigned      YES unset   administratively down down
    GigabitEthernet0/2         10.1.1.50       YES manual  administratively down down
    GigabitEthernet0/3         192.168.2.6     YES DHCP    administratively down down
    Management0/0              209.165.201.3   YES CONFIG  up
 
   

Table 25-14 shows each field description.

Table 25-15 show interface ip brief Fields 

Field
Description

Interface

The interface ID or, in multiple context mode, the mapped name if you configured it using the allocate-interface command. If you show all interfaces, then information about the internal interface for the AIP SSM displays, if installed on the ASA adaptive security appliance. The internal interface is not user-configurable, and the information is for debugging purposes only.

IP-Address

The interface IP address.

OK?

This column is not currently used, and always shows "Yes."

Method

The method by which the interface received the IP address. Values include the following:

unset—No IP address configured.

manual—Configured the running configuration.

CONFIG—Loaded from the startup configuration.

DHCP—Received from a DHCP server.

Status

The administrative state, as follows:

up—The interface is not shut down.

administratively down—The interface is shut down with the shutdown command.

Protocol

The line status, as follows:

up—A working cable is plugged into the network interface.

down—Either the cable is incorrect or not plugged into the interface connector.


Related Commands

Command
Description

allocate-interface

Assigns interfaces and subinterfaces to a security context.

interface

Configures an interface and enters interface configuration mode.

ip address

Sets the IP address for the interface or sets the management IP address for a transparent firewall.

nameif

Sets the interface name.

show interface

Displays the runtime status and statistics of interfaces.


show inventory

To display information about all of the Cisco products installed in the networking device that are assigned a product identifier (PID), a version identifier (VID), anda serial number (SN), use the show inventory command in user EXEC or privileged EXEC mode.

show inventory [module number]

Syntax Description

module number

(Optional) Specifies the SSM or SSP module number.


Defaults

If you do not specify a module number to show inventory for an item, the inventory information of all SSMs or SSPs (including the power supply) appears.

Command Modes

The following table shows the modes in which you can enter the command.

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

User EXEC


Command History

Release
Modification

7.0(1)

Minor editorial changes were made.

8.2(3)

The command output has been updated to add inventory information for the ASA 5585-X adaptive security appliances.


Usage Guidelines

The show inventory command retrieves and displays inventory information about each Cisco product in the form of a UDI, which is a combination of three separate data elements: the PID, the VID, and the SN.

The PID is the name by which the product can be ordered; it has been historically called the Product Name or Part Number and is the identifier that you would use to order an exact replacement part.

The VID is the version of the product. Whenever a product has been revised, the VID will be incremented according to a rigorous process derived from Telcordia GR-209-CORE, an industry guideline that governs product change notices.

The SN is the vendor-unique serialization of the product. Each manufactured product will carry a unique SN assigned at the factory, which cannot be changed in the field. The SN is the means by which to identify an individual, specific instance of a product.

The UDI refers to each product as an entity. Some entities, such as a chassis, will have subentities such as modules. Each entity will display on a separate line in a logically ordered presentation that is arranged hierarchically by Cisco entities.

Use the show inventory command without options to display a list of Cisco entities installed in the networking device that are assigned a PID.

If a Cisco entity is not assigned a PID, that entity is not retrieved or displayed.

Examples

The following is sample output from the show inventory command without any keywords or arguments, which displays a list of Cisco entities installed in an adaptive security appliance that are assigned PIDs:

hostname# show inventory
Name: module 0, DESCR: ASA 5585-X Security Services Processor-40 w 6GE,4 SFP+
PID: ASA5585-SSP-40    , VID: V01     , SN: JAF1417BDNT
 
   
Name: module 1, DESCR: ASA 5585-X IPS Security Services Processor-40 with 6GE,4SFP+
PID: ASA5585-SSP-IPS40 , VID: V01     , SN: JAF1350BBDP
 
   
Name: Chassis, DESCR: ASA5585-X
PID: ASA5585           , VID: V01     , SN: 123456789AB
 
   
Name: TenGigabitEthernet0/8, DESCR: 10G Based-SR
PID: SFP-10G-SR        , VID: V02 , SN: AGD135130HL
 
   
Name: TenGigabitEthernet0/9, DESCR: 1000Based-SX
PID: SFBR-5766PZ-CS1   , VID:     , SN: AGA134916V5
 
   
Name: power supply 1, DESCR: ASA 5585-X AC Power Supply
PID: ASA5585-PWR-AC    , VID: V01     , SN: POV14109924
 
   
Name: fan, DESCR: ASA 5585-X Fan Module
PID: ASA5585-FAN       , VID: V01     , SN: POV14121013
 
   

Table 25-16 describes the fields shown in the output.

Table 25-16 Field Descriptions for show inventory  

Field
Description

Name

Physical name (text string) assigned to the Cisco entity (for example, console or a simple component number (port or module number), such as 1, depending on the physical component naming syntax of the device). Equivalent to the entPhysicalName MIB variable in RFC 4133.

DESCR

Physical description of the Cisco entity that characterizes the object. Equivalent to the entPhysicalDesc MIB variable in RFC 4133.

PID

Entity product identifier. Equivalent to the entPhysicalModelName MIB variable in RFC 4133.

VID

Entity version identifier. Equivalent to the entPhysicalHardwareRev MIB variable in RFC 4133.

SN

Entity serial number. Equivalent to the entPhysicalSerialNum MIB variable in RFC 4133.


Related Commands

Command
Description

show diag

Displays diagnostic information about the controller, interface processor, and port adapters for a networking device.

show tech-support

Displays general information about the adaptive security appliance when it reports a problem.


show ip address

To view interface IP addresses or, for transparent mode, the management IP address, use the show ip address command in privileged EXEC mode.

show ip address [physical_interface[.subinterface] | mapped_name | interface_name | vlan number]

Syntax Description

interface_name

(Optional) Identifies the interface name set with the nameif command.

mapped_name

(Optional) In multiple context mode, identifies the mapped name if it was assigned using the allocate-interface command.

physical_interface

(Optional) Identifies the interface ID, such as gigabitethernet0/1. See the interface command for accepted values.

subinterface

(Optional) Identifies an integer between 1 and 4294967293 designating a logical subinterface.

vlan number

(Optional) For models with a built-in switch, such as the ASA 5505 adaptive security appliance, specifies the VLAN interface.


Defaults

If you do not specify an interface, the adaptive security appliance shows all interface IP addresses.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.2(1)

This command added support for VLAN interfaces.


Usage Guidelines

This command shows the primary IP addresses (called "System" in the display) for when you configure high availability as well as the current IP addresses. If the unit is active, then the system and current IP addresses match. If the unit is standby, then the current IP addresses show the standby addresses.

Examples

The following is sample output from the show ip address command:

hostname# show ip address
System IP Addresses:
Interface                Name         IP address      Subnet mask       Method 
GigabitEthernet0/0       mgmt         10.7.12.100     255.255.255.0     CONFIG 
GigabitEthernet0/1       inside       10.1.1.100      255.255.255.0     CONFIG 
GigabitEthernet0/2.40    outside      209.165.201.2   255.255.255.224   DHCP
GigabitEthernet0/3       dmz          209.165.200.225 255.255.255.224   manual
Current IP Addresses:
Interface                Name         IP address      Subnet mask       Method 
GigabitEthernet0/0       mgmt         10.7.12.100     255.255.255.0     CONFIG 
GigabitEthernet0/1       inside       10.1.1.100      255.255.255.0     CONFIG 
GigabitEthernet0/2.40    outside      209.165.201.2   255.255.255.224   DHCP
GigabitEthernet0/3       dmz          209.165.200.225 255.255.255.224   manual
 
   

Table 25-14 shows each field description.

Table 25-17 show ip address Fields 

Field
Description

Interface

The interface ID or, in multiple context mode, the mapped name if you configured it using the allocate-interface command.

Name

The interface name set with the nameif command.

IP address

The interface IP address.

Subnet mask

The IP address subnet mask.

Method

The method by which the interface received the IP address. Values include the following:

unset—No IP address configured.

manual—Configured the running configuration.

CONFIG—Loaded from the startup configuration.

DHCP—Received from a DHCP server.


Related Commands

Command
Description

allocate-interface

Assigns interfaces and subinterfaces to a security context.

interface

Configures an interface and enters interface configuration mode.

nameif

Sets the interface name.

show interface

Displays the runtime status and statistics of interfaces.

show interface ip brief

Shows the interface IP address and status.


show ip address dhcp

To view detailed information about the DHCP lease or server for an interface, use the show ip address dhcp command in privileged EXEC mode.

show ip address {physical_interface[.subinterface] | mapped_name | interface_name} dhcp {lease | server}

Syntax Description

interface_name

Identifies the interface name set with the nameif command.

lease

Shows information about the DHCP lease.

mapped_name

In multiple context mode, identifies the mapped name if it was assigned using the allocate-interface command.

physical_interface

Identifies the interface ID, such as gigabitethernet0/1. See the interface command for accepted values.

server

Shows information about the DHCP server.

subinterface

Identifies an integer between 1 and 4294967293 designating a logical subinterface.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent 1
Single
Multiple
Context
System

Privileged EXEC

1 Available for the Management 0/0 interface or subinterface only.


Command History

Release
Modification

7.0(1)

This command was changed to include the lease and server keywords to accommodate the new server functionality.

7.2(1)

This command added support for VLAN interfaces, and for the Management 0/0 interface or subinterface in transparent mode.


Usage Guidelines

See the "Examples" section for a description of the display output.

Examples

The following is sample output from the show ip address dhcp lease command:

hostname# show ip address outside dhcp lease
Temp IP Addr:209.165.201.57 for peer on interface:outside
Temp sub net mask:255.255.255.224
   DHCP Lease server:209.165.200.225, state:3 Bound
   DHCP Transaction id:0x4123
   Lease:259200 secs, Renewal:129600 secs, Rebind:226800 secs
   Temp default-gateway addr:209.165.201.1
   Temp ip static route0: dest 10.9.0.0 router 10.7.12.255
   Next timer fires after:111797 secs
   Retry count:0, Client-ID:cisco-0000.0000.0000-outside
   Proxy: TRUE  Proxy Network: 10.1.1.1
   Hostname: device1
 
   

Table 25-14 shows each field description.

Table 25-18 show ip address dhcp lease Fields 

Field
Description

Temp IP Addr

The IP address assigned to the interface.

Temp sub net mask

The subnet mask assigned to the interface.

DHCP Lease server

The DHCP server address.

state

The state of the DHCP lease, as follows:

Initial—The initialization state, where the adaptive security appliance begins the process of acquiring a lease. This state is also shown when a lease ends or when a lease negotiation fails.

Selecting—The adaptive security appliance is waiting to receive DHCPOFFER messages from one or more DHCP servers, so it can choose one.

Requesting—The adaptive security appliance is waiting to hear back from the server to which it sent its request.

Purging—The adaptive security appliance is removing the lease because the client has released the IP address or there was some other error.

Bound—The adaptive security appliance has a valid lease and is operating normally.

Renewing—The adaptive security appliance is trying to renew the lease. It regularly sends DHCPREQUEST messages to the current DHCP server, and waits for a reply.

Rebinding—The adaptive security appliance failed to renew the lease with the original server, and now sends DHCPREQUEST messages until it gets a reply from any server or the lease ends.

Holddown—The adaptive security appliance started the process to remove the lease.

Releasing—The adaptive security appliance sends release messages to the server indicating that the IP address is no longer needed.

DHCP transaction id

A random number chosen by the client, used by the client and server to associate the request messages.

Lease

The length of time, specified by the DHCP server, that the interface can use this IP address.

Renewal

The length of time until the interface automatically attempts to renew this lease.

Rebind

The length of time until the adaptive security appliance attempts to rebind to a DHCP server. Rebinding occurs if the adaptive security appliance cannot communicate with the original DHCP server, and 87.5 percent of the lease time has expired. The adaptive security appliance then attempts to contact any available DHCP server by broadcasting DHCP requests.

Temp default-gateway addr

The default gateway address supplied by the DHCP server.

Temp ip static route0

The default static route.

Next timer fires after

The number of seconds until the internal timer triggers.

Retry count

If the adaptive security appliance is attempting to establish a lease, this field shows the number of times the adaptive security appliance tried sending a DHCP message. For example, if the adaptive security appliance is in the Selecting state, this value shows the number of times the adaptive security appliance sent discover messages. If the adaptive security appliance is in the Requesting state, this value shows the number of times the adaptive security appliance sent request messages.

Client-ID

The client ID used in all communication with the server.

Proxy

Specifies if this interface is a proxy DHCP client for VPN clients, True or False.

Proxy Network

The requested network.

Hostname

The client hostname.


The following is sample output from the show ip address dhcp server command:

hostname# show ip address outside dhcp server
 
   
   DHCP server: ANY (255.255.255.255)
    Leases:   0
    Offers:   0      Requests: 0     Acks: 0     Naks: 0
    Declines: 0      Releases: 0     Bad:  0
 
   
   DHCP server: 40.7.12.6
    Leases:   1
    Offers:   1      Requests: 17     Acks: 17     Naks: 0
    Declines: 0      Releases: 0     Bad:  0
    DNS0:   171.69.161.23,   DNS1:  171.69.161.24
    WINS0:  172.69.161.23,   WINS1: 172.69.161.23
    Subnet: 255.255.0.0   DNS Domain: cisco.com
 
   

Table 25-19 shows each field description.

Table 25-19 show ip address dhcp server Fields 

Field
Description

DHCP server

The DHCP server address from which this interface obtained a lease. The top entry ("ANY") is the default server and is always present.

Leases

The number of leases obtained from the server. For an interface, the number of leases is typically 1. If the server is providing address for an interface that is running proxy for VPN, there will be several leases.

Offers

The number of offers from the server.

Requests

The number of requests sent to the server.

Acks

The number of acknowledgements received from the server.

Naks

The number of negative acknowledgements received from the server.

Declines

The number of declines received from the server.

Releases

The number of releases sent to the server.

Bad

The number of bad packets received from the server.

DNS0

The primary DNS server address obtained from the DHCP server.

DNS1

The secondary DNS server address obtained from the DHCP server.

WINS0

The primary WINS server address obtained from the DHCP server.

WINS1

The secondary WINS server address obtained from the DHCP server.

Subnet

The subnet address obtained from the DHCP server.

DNS Domain

The domain obtained from the DHCP server.


Related Commands

Command
Description

interface

Configures an interface and enters interface configuration mode.

ip address dhcp

Sets the interface to obtain an IP address from a DHCP server.

nameif

Sets the interface name.

show interface ip brief

Shows the interface IP address and status.

show ip address

Displays the IP addresses of interfaces.


show ip address pppoe

To view detailed information about the PPPoE connection, use the show ip address pppoe command in privileged EXEC mode.

show ip address {physical_interface[.subinterface] | mapped_name | interface_name | vlan number} pppoe

Syntax Description

interface_name

Identifies the interface name set with the nameif command.

mapped_name

In multiple context mode, identifies the mapped name if it was assigned using the allocate-interface command.

physical_interface

Identifies the interface ID, such as gigabitethernet0/1. See the interface command for accepted values.

subinterface

Identifies an integer between 1 and 4294967293 designating a logical subinterface.

vlan number

(Optional) For models with a built-in switch, such as the ASA 5505 adaptive security appliance, specifies the VLAN interface.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent 1
Single
Multiple
Context
System

Privileged EXEC

1 Available for the Management 0/0 interface or subinterface only.


Command History

Release
Modification

7.2(1)

This command was introduced.


Usage Guidelines

See the "Examples" section for a description of the display output.

Examples

The following is sample output from the show ip address pppoe command:

hostname# show ip address outside pppoe
 
   

Related Commands

Command
Description

interface

Configures an interface and enters interface configuration mode.

ip address ppoe

Sets the interface to obtain an IP address from a PPPoE server.

nameif

Sets the interface name.

show interface ip brief

Shows the interface IP address and status.

show ip address

Displays the IP addresses of interfaces.


show ip audit count

To show the number of signature matches when you apply an audit policy to an interface, use the show ip audit count command in privileged EXEC mode.

show ip audit count [global | interface interface_name]

Syntax Description

global

(Default) Shows the number of matches for all interfaces.

interface interface_name

(Optional) Shows the number of matches for the specified interface.


Defaults

If you do not specify a keyword, this command shows the matches for all interfaces (global).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

To create an audit policy, use the ip audit name command, and to apply the policy, use the ip audit interface command.

Examples

The following is sample output from the show ip audit count command:

hostname# show ip audit count
IP AUDIT GLOBAL COUNTERS
 
   
1000 I Bad IP Options List        0
1001 I Record Packet Route        0
1002 I Timestamp                  0
1003 I Provide s,c,h,tcc          0
1004 I Loose Source Route         0
1005 I SATNET ID                  0
1006 I Strict Source Route        0
1100 A IP Fragment Attack         0
1102 A Impossible IP Packet       0
1103 A IP Teardrop                0
2000 I ICMP Echo Reply            0
2001 I ICMP Unreachable           0
2002 I ICMP Source Quench         0
2003 I ICMP Redirect              0
2004 I ICMP Echo Request          10
2005 I ICMP Time Exceed           0
2006 I ICMP Parameter Problem     0
2007 I ICMP Time Request          0
2008 I ICMP Time Reply            0
2009 I ICMP Info Request          0
2010 I ICMP Info Reply            0
2011 I ICMP Address Mask Request  0
2012 I ICMP Address Mask Reply    0
2150 A Fragmented ICMP            0
2151 A Large ICMP                 0
2154 A Ping of Death              0
3040 A TCP No Flags               0
3041 A TCP SYN & FIN Flags Only   0
3042 A TCP FIN Flag Only          0
3153 A FTP Improper Address       0
3154 A FTP Improper Port          0
4050 A Bomb                       0
4051 A Snork                      0
4052 A Chargen                    0
6050 I DNS Host Info              0
6051 I DNS Zone Xfer              0
6052 I DNS Zone Xfer High Port    0
6053 I DNS All Records            0
6100 I RPC Port Registration      0
6101 I RPC Port Unregistration    0
6102 I RPC Dump                   0
6103 A Proxied RPC                0
6150 I ypserv Portmap Request     0
6151 I ypbind Portmap Request     0
6152 I yppasswdd Portmap Request  0
6153 I ypupdated Portmap Request  0
6154 I ypxfrd Portmap Request     0
6155 I mountd Portmap Request     0
6175 I rexd Portmap Request       0
6180 I rexd Attempt               0
6190 A statd Buffer Overflow      0
 
   
IP AUDIT INTERFACE COUNTERS: inside
...

Related Commands

Command
Description

clear ip audit count

Clears the count of signature matches for an audit policy.

ip audit interface

Assigns an audit policy to an interface.

ip audit name

Creates a named audit policy that identifies the actions to take when a packet matches an attack signature or an informational signature.

show running-config ip audit attack

Shows the configuration for the ip audit attack command.


show ip verify statistics

To show the number of packets dropped because of the Unicast RPF feature, use the show ip verify statistics command in privileged EXEC mode. Use the ip verify reverse-path command to enable Unicast RPF.

show ip verify statistics [interface interface_name]

Syntax Description

interface interface_name

(Optional) Shows statistics for the specified interface.


Defaults

This command shows statistics for all interfaces.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

The following is sample output from the show ip verify statistics command:

hostname# show ip verify statistics
interface outside: 2 unicast rpf drops
interface inside: 1 unicast rpf drops
interface intf2: 3 unicast rpf drops
 
   

Related Commands

Command
Description

clear configure ip verify reverse-path

Clears the ip verify reverse-path configuration.

clear ip verify statistics

Clears the Unicast RPF statistics.

ip verify reverse-path

Enables the Unicast Reverse Path Forwarding feature to prevent IP spoofing.

show running-config ip verify reverse-path

Shows the ip verify reverse-path configuration.


show ips

To show all available IPS virtual sensors that are configured on the AIP SSM, use the show ips command in privileged EXEC mode.

show ips [detail]

Syntax Description

detail

(Optional) Shows the sensor ID number as well as the name.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

In multiple context mode, this command shows all virtual sensors when entered in the system execution space, but only shows the virtual sensors assigned to the context in the context execution space. See the allocate-ips command to assign virtual sensors to contexts.

Virtual sensors are available in IPS Version 6.0 and above.

Examples

The following is sample output from the show ips command:

hostname# show ips
Sensor name
------------
ips1
ips2
 
   

The following is sample output from the show ips detail command:

hostname# show ips detail
Sensor name              Sensor ID
------------             ---------
ips1                     1
ips2                     2
 
   

Related Commands

Command
Description

allocate-ips

Assigns a virtual sensor to a security context.

ips

Diverts traffic to the AIP SSM.


show ipsec sa

To display a list of IPSec SAs, use the show ipsec sa command in global configuration mode or privileged EXEC mode. You can also use the alternate form of this command: show crypto ipsec sa.

show ipsec sa [entry | identity | map map-name | peer peer-addr] [detail]

Syntax Description

detail

(Optional) Displays detailed error information on what is displayed.

entry

(Optional) Displays IPSec SAs sorted by peer address

identity

(Optional) Displays IPSec SAs for sorted by identity, not including ESPs. This is a condensed form.

map map-name

(Optional) Displays IPSec SAs for the specified crypto map.

peer peer-addr

(Optional) Displays IPSec SAs for specified peer IP addresses.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

The following example, entered in global configuration mode, displays IPSec SAs.

hostname(config)# show ipsec sa
interface: outside2
    Crypto map tag: def, local addr: 10.132.0.17
 
   
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.20.0.21/255.255.255.255/0/0)
      current_peer: 172.20.0.21
      dynamic allocated peer ip: 10.135.1.5
 
   
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1145, #pkts decrypt: 1145, #pkts verify: 1145
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 2, #pre-frag failures: 1, #fragments created: 10
      #PMTUs sent: 5, #PMTUs rcvd: 2, #decapstulated frags needing reassembly: 1
      #send errors: 0, #recv errors: 0
 
   
      local crypto endpt.: 10.132.0.17, remote crypto endpt.: 172.20.0.21
 
   
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: DC15BF68
 
   
    inbound esp sas:
      spi: 0x1E8246FC (511854332)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 3, crypto-map: def
         sa timing: remaining key lifetime (sec): 548
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xDC15BF68 (3692412776)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 3, crypto-map: def
         sa timing: remaining key lifetime (sec): 548
         IV size: 8 bytes
         replay detection support: Y
 
   
    Crypto map tag: def, local addr: 10.132.0.17
 
   
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
hostname(config)# 

Note Fragmentation statistics are pre-fragmentation statistics if the IPSec SA policy states that fragmentation occurs before IPSec processing. Post-fragmentation statistics appear if the SA policy states that fragmentation occurs after IPSec processing.


The following example, entered in global configuration mode, displays IPSec SAs for a crypto map named def.

hostname(config)# show ipsec sa map def
cryptomap: def
    Crypto map tag: def, local addr: 172.20.0.17
 
   
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)
      current_peer: 10.132.0.21
      dynamic allocated peer ip: 90.135.1.5
 
   
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1146, #pkts decrypt: 1146, #pkts verify: 1146
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0
 
   
      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21
 
   
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: DC15BF68
 
   
    inbound esp sas:
      spi: 0x1E8246FC (511854332)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 3, crypto-map: def
         sa timing: remaining key lifetime (sec): 480
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xDC15BF68 (3692412776)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 3, crypto-map: def
         sa timing: remaining key lifetime (sec): 480
         IV size: 8 bytes
         replay detection support: Y
 
   
    Crypto map tag: def, local addr: 172.20.0.17
 
   
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)
      current_peer: 10.135.1.8
      dynamic allocated peer ip: 0.0.0.0
 
   
      #pkts encaps: 73672, #pkts encrypt: 73672, #pkts digest: 73672
      #pkts decaps: 78824, #pkts decrypt: 78824, #pkts verify: 78824
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 73672, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0
 
   
      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8
 
   
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 3B6F6A35
 
   
    inbound esp sas:
      spi: 0xB32CF0BD (3006066877)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 4, crypto-map: def
         sa timing: remaining key lifetime (sec): 263
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x3B6F6A35 (997157429)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 4, crypto-map: def
         sa timing: remaining key lifetime (sec): 263
         IV size: 8 bytes
         replay detection support: Y
hostname(config)#
 
   

The following example, entered in global configuration mode, shows IPSec SAs for the keyword entry.

hostname(config)# show ipsec sa entry
peer address: 10.132.0.21
    Crypto map tag: def, local addr: 172.20.0.17
 
   
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)
      current_peer: 10.132.0.21
      dynamic allocated peer ip: 90.135.1.5
 
   
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1147, #pkts decrypt: 1147, #pkts verify: 1147
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0
 
   
      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21
 
   
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: DC15BF68
 
   
    inbound esp sas:
      spi: 0x1E8246FC (511854332)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 3, crypto-map: def
         sa timing: remaining key lifetime (sec): 429
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xDC15BF68 (3692412776)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 3, crypto-map: def
         sa timing: remaining key lifetime (sec): 429
         IV size: 8 bytes
         replay detection support: Y
 
   
peer address: 10.135.1.8
    Crypto map tag: def, local addr: 172.20.0.17
 
   
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)
      current_peer: 10.135.1.8
      dynamic allocated peer ip: 0.0.0.0
 
   
      #pkts encaps: 73723, #pkts encrypt: 73723, #pkts digest: 73723
      #pkts decaps: 78878, #pkts decrypt: 78878, #pkts verify: 78878
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 73723, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0
 
   
      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8
 
   
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 3B6F6A35
 
   
    inbound esp sas:
      spi: 0xB32CF0BD (3006066877)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 4, crypto-map: def
         sa timing: remaining key lifetime (sec): 212
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x3B6F6A35 (997157429)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 4, crypto-map: def
         sa timing: remaining key lifetime (sec): 212
         IV size: 8 bytes
         replay detection support: Y
hostname(config)#
 
   

The following example, entered in global configuration mode, shows IPSec SAs with the keywords entry detail.

hostname(config)# show ipsec sa entry detail
peer address: 10.132.0.21
    Crypto map tag: def, local addr: 172.20.0.17
 
   
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)
      current_peer: 10.132.0.21
      dynamic allocated peer ip: 90.135.1.5
 
   
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1148, #pkts decrypt: 1148, #pkts verify: 1148
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0
 
   
      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21
 
   
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: DC15BF68
 
   
    inbound esp sas:
      spi: 0x1E8246FC (511854332)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 3, crypto-map: def
         sa timing: remaining key lifetime (sec): 322
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xDC15BF68 (3692412776)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 3, crypto-map: def
         sa timing: remaining key lifetime (sec): 322
         IV size: 8 bytes
         replay detection support: Y
 
   
peer address: 10.135.1.8
    Crypto map tag: def, local addr: 172.20.0.17
 
   
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)
      current_peer: 10.135.1.8
      dynamic allocated peer ip: 0.0.0.0
 
   
      #pkts encaps: 73831, #pkts encrypt: 73831, #pkts digest: 73831
      #pkts decaps: 78989, #pkts decrypt: 78989, #pkts verify: 78989
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 73831, #pkts comp failed: 0, #pkts decomp failed: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0
 
   
      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8
 
   
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 3B6F6A35
 
   
    inbound esp sas:
      spi: 0xB32CF0BD (3006066877)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 4, crypto-map: def
         sa timing: remaining key lifetime (sec): 104
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x3B6F6A35 (997157429)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 4, crypto-map: def
         sa timing: remaining key lifetime (sec): 104
         IV size: 8 bytes
         replay detection support: Y
hostname(config)#
 
   

The following example shows IPSec SAs with the keyword identity.

hostname(config)# show ipsec sa identity
interface: outside2
    Crypto map tag: def, local addr: 172.20.0.17
 
   
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)
      current_peer: 10.132.0.21
      dynamic allocated peer ip: 90.135.1.5
 
   
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1147, #pkts decrypt: 1147, #pkts verify: 1147
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0
 
   
      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21
 
   
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: DC15BF68
 
   
    Crypto map tag: def, local addr: 172.20.0.17
 
   
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)
      current_peer: 10.135.1.8
      dynamic allocated peer ip: 0.0.0.0
 
   
      #pkts encaps: 73756, #pkts encrypt: 73756, #pkts digest: 73756
      #pkts decaps: 78911, #pkts decrypt: 78911, #pkts verify: 78911
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 73756, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0
 
   
      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8
 
   
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 3B6F6A35
 
   

The following example shows IPSec SAs with the keywords identity and detail.

hostname(config)# show ipsec sa identity detail
interface: outside2
    Crypto map tag: def, local addr: 172.20.0.17
 
   
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)
      current_peer: 10.132.0.21
      dynamic allocated peer ip: 90.135.1.5
 
   
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1147, #pkts decrypt: 1147, #pkts verify: 1147
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0
 
   
      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21
 
   
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: DC15BF68
 
   
    Crypto map tag: def, local addr: 172.20.0.17
 
   
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)
      current_peer: 10.135.1.8
      dynamic allocated peer ip: 0.0.0.0
 
   
      #pkts encaps: 73771, #pkts encrypt: 73771, #pkts digest: 73771
      #pkts decaps: 78926, #pkts decrypt: 78926, #pkts verify: 78926
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 73771, #pkts comp failed: 0, #pkts decomp failed: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0
 
   
      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8
 
   
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 3B6F6A35
 
   

Related Commands

Command
Description

clear configure isakmp

Clears all the ISAKMP configuration.

clear configure isakmp policy

Clears all ISAKMP policy configuration.

clear isakmp sa

Clears the IKE runtime SA database.

isakmp enable

Enables ISAKMP negotiation on the interface on which the IPSec peer communicates with the adaptive security appliance.

show running-config isakmp

Displays all the active ISAKMP configuration.


show ipsec sa summary

To display a summary of IPSec SAs, use the show ipsec sa summary command in global configuration mode or privileged EXEC mode.

show ipsec sa summary

Syntax Description

This command has no arguments or variables.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was introduced.


Examples

The following example, entered in global configuration mode, displays a summary of IPSec SAs by the following connection types:

IPSec

IPSec over UDP

IPSec over NAT-T

IPSec over TCP

IPSec VPN load balancing

hostname(config)# show ipsec sa summary
 
   
Current IPSec SA's:            Peak IPSec SA's:
IPSec            :     2         Peak Concurrent SA  :    14
IPSec over UDP   :     2         Peak Concurrent L2L :     0
IPSec over NAT-T :     4         Peak Concurrent RA  :    14
IPSec over TCP   :     6
IPSec VPN LB     :     0
Total            :    14
hostname(config)# 

Related Commands

Command
Description

clear ipsec sa

Removes IPSec SAs entirely or based on specific parameters.

show ipsec sa

Displays a list of IPSec SAs.

show ipsec stats

Displays a list of IPSec statistics.


show ipsec stats

To display a list of IPSec statistics, use the show ipsec stats command in global configuration mode or privileged EXEC mode.

show ipsec stats

Syntax Description

This command has no keywords or variables.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

The following table describes what the output entries indicate.

Output  
Description  

IPsec Global Statistics

This section pertains to the total number of IPsec tunnels that the adaptive security appliance supports.

Active tunnels

The number of IPsec tunnels that are currently connected.

Previous tunnels

The number of IPsec tunnels that have been connected, including the active ones.

Inbound

This section pertains to inbound encrypted traffic that is received through IPsec tunnels.

Bytes

The number of bytes of encrypted traffic that has been received.

Decompressed bytes

The number of bytes of encrypted traffic that were received after decompression was performed, if applicable. This counter should always be equal to the previous one if compression is not enabled.

Packets

The number of encrypted IPsec packets that were received.

Dropped packets

The number of encrypted IPsec packets that were received and dropped because of errors.

Replay failures

The number of anti-replay failure that were detected on received, encrypted IPsec packets.

Authentications

The number of successful authentications performed on received, encrypted IPsec packets.

Authentication failures

The number of authentications failure detected on received, encrypted IPsec packets.

Decryptions

The number of successful decryptions performed on received, encrypted IPsec packets.

Decryption failures

The number of decryptions failures detected on received, encrypted IPsec packets.

Decapsulated fragments needing reassembly

The number of decryption IPsec packets that include IP fragments to be reassembled.

Outbound

This section pertains to outbound cleartext traffic to be transmitted through IPsec traffic.

Bytes

The number of bytes of cleartext traffic to be encrypted and transmitted through IPsec tunnels.

Uncompressed bytes

The number of bytes of uncompressed cleartext traffic to be encrypted and transmitted through IPsec tunnels. The counter should always be equal to the previous one if compression is not enabled

Packets

The number of cleartext packets to be encrypted and transmitted through IPsec tunnels.

Dropped packets

The number of cleartext packets to be encrypted and transmitted through IPsec tunnels that have been dropped because of errors.

Authentications

The number of successful authentications performed on packets to be transmitted through IPsec tunnels.

Authentication failures

The number of authentication failures that were detected on packets to be transmitted through IPsec tunnels.

Encryptions

The number of successful encryptions that were performed on packets to be transmitted through IPsec tunnels.

Encryption failures

The number of encryption failures that were detected on packets to be transmitted through IPsec tunnels.

Fragmentation successes

The number of successful fragmentation operations that were performed as part of outbound IPsec packet transformation.

Pre-fragmentation successes

The number of successful prefragmentation operations that were performed as part of outbound IPsec packet transformation. Prefragmentation occurs before the cleartext packet is encrypted and encapsulated as one or more IPsec packets.

Post-fragmentation successes

The number of successful prefragmentation operations that were performed as part of outbound IPsec packet transformation. Post-fragmentation occurs after the cleartext packet is encrypted and encapsulated as an IPsec packet, which results in multiple IP fragments. These fragments must be reassembled before decryption.

Fragmentation failures

The number of fragmentation failures that have occurred during outbound IPsec packet transformation.

Pre-fragmentation failures

The number of prefragmentation failures that have occurred during outbound IPsec packet transformation. Prefragmentation occurs before the cleartext packet is encrypted and encapsulated as one or more IPsec packets.

Post-fragmentation failure

The number of post-fragmentation failure that have occurred during outbound IPsec packet transformation. Post-fragmentation occurs after the cleartext packet is encrypted and encapsulated as an IPsec packet, which results in multiple IP fragments. These fragments must be reassembled before decryption.

Fragments created

The number of fragments that were created as part of IPsec transformation.

PMTUs sent

The number of path MTU messages that were sent by the IPsec system. IPsec will send a PMTU message to an inside host that is sending packets that are too large to be transmitted through an IPsec tunnel after encapsulation. The PMTU message is a request for the host to lower its MTU and send smaller packets for transmission through the IPsec tunnel.

PMTUs recvd

The number of path MTU messages that were received by the IPsec system. IPsec will receive a path MTU message from a downstream network element if the packets it is sending through the tunnel are too large to traverse that network element. IPsec will usually lower its tunnel MTU when a path MTU message is received.

Protocol failures

The number of malformed IPsec packets that have been received.

Missing SA failures

The number of IPsec operations that have been requested for which the specified IPsec security association does not exist.

System capacity failures

The number of IPsec operations that cannot be completed because the capacity of the IPsec system is not high enough to support the data rate.


Examples

The following example, entered in global configuration mode, displays IPSec statistics:

hostname(config)# show ipsec stats
 
   
IPsec Global Statistics
-----------------------
Active tunnels: 2
Previous tunnels: 9
Inbound
    Bytes: 4933013
    Decompressed bytes: 4933013
    Packets: 80348
    Dropped packets: 0
    Replay failures: 0
    Authentications: 80348
    Authentication failures: 0
    Decryptions: 80348
    Decryption failures: 0
    Decapsulated fragments needing reassembly: 0
Outbound
    Bytes: 4441740
    Uncompressed bytes: 4441740
    Packets: 74029
    Dropped packets: 0
    Authentications: 74029
    Authentication failures: 0
    Encryptions: 74029
    Encryption failures: 0
	Fragmentation successes: 3
		Pre-fragmentation successes:2
		Post-fragmentation successes: 1
	Fragmentation failures: 2
		Pre-fragmentation failures:1
		Post-fragmentation failures: 1
	Fragments created: 10
	PMTUs sent: 1
	PMTUs recvd: 2
Protocol failures: 0
Missing SA failures: 0
System capacity failures: 0
hostname(config)# 

Related Commands

Command
Description

clear ipsec sa

Clears IPSec SAs or counters based on specified parameters.

crypto ipsec transform-set

Defines a transform set.

show ipsec sa

Displays IPSec SAs based on specified parameters.

show ipsec sa summary

Displays a summary of IPSec SAs.


show ipv6 access-list

To display the IPv6 access list, use the show ipv6 access-list command in privileged EXEC mode. The IPv6 access list determines what IPv6 traffic can pass through the adaptive security appliance.

show ipv6 access-list [id [source-ipv6-prefix/prefix-length | any | host source-ipv6-address]]

Syntax Description

any

(Optional) An abbreviation for the IPv6 prefix ::/0.

host source-ipv6-address

(Optional) IPv6 address of a specific host. When provided, only the access rules for the specified host are displayed.

id

(Optional) The access list name. When provided, only the specified access list is displayed.

source-ipv6-prefix /prefix-length

(Optional) IPv6 network address and prefix. When provided, only the access rules for the specified IPv6 network are displayed.


Defaults

Displays all IPv6 access lists.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

The show ipv6 access-list command provides output similar to the show ip access-list command, except that it is IPv6-specific.

Examples

The following is sample output from the show ipv6 access-list command. It shows IPv6 access lists named inbound, tcptraffic, and outbound.

hostname# show ipv6 access-list
IPv6 access list inbound
    permit tcp any any eq bgp reflect tcptraffic (8 matches) sequence 10
    permit tcp any any eq telnet reflect tcptraffic (15 matches) sequence 20
    permit udp any any reflect udptraffic sequence 30
IPv6 access list tcptraffic (reflexive) (per-user)
    permit tcp host 2001:0DB8:1::1 eq bgp host 2001:0DB8:1::2 eq 11000 timeout 300 (time 
        left 243) sequence 1
    permit tcp host 2001:0DB8:1::1 eq telnet host 2001:0DB8:1::2 eq 11001 timeout 300 
        (time left 296) sequence 2
IPv6 access list outbound
    evaluate udptraffic
    evaluate tcptraffic
 
   

Related Commands

Command
Description

ipv6 access-list

Creates an IPv6 access list.


show ipv6 interface

To display the status of interfaces configured for IPv6, use the show ipv6 interface command in privileged EXEC mode.

show ipv6 interface [brief] [if_name [prefix]]

Syntax Description

brief

Displays a brief summary of IPv6 status and configuration for each interface.

if_name

(Optional) The internal or external interface name, as designated by the nameif command. The status and configuration for only the designated interface is shown.

prefix

(Optional) Prefix generated from a local IPv6 prefix pool. The prefix is the network portion of the IPv6 address.


Defaults

Displays all IPv6 interfaces.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

The show ipv6 interface command provides output similar to the show interface command, except that it is IPv6-specific. If the interface hardware is usable, the interface is marked up. If the interface can provide two-way communication, the line protocol is marked up.

When an interface name is not specified, information on all IPv6 interfaces is displayed. Specifying an interface name displays information about the specified interface.

Examples

The following is sample output from the show ipv6 interface command:

hostname# show ipv6 interface outside
interface ethernet0 "outside" is up, line protocol is up
  IPv6 is enabled, link-local address is 2001:0DB8::/29 [TENTATIVE]
  Global unicast address(es):
    2000::2, subnet is 2000::/64
  Joined group address(es):
    FF02::1
    FF02::1:FF11:6770
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
 
   

The following is sample output from the show ipv6 interface command when entered with the brief keyword:

hostname# show ipv6 interface brief
outside [up/up]
    unassigned
inside [up/up]
    fe80::20d:29ff:fe1d:69f0
    fec0::a:0:0:a0a:a70
vlan101 [up/up]
    fe80::20d:29ff:fe1d:69f0
    fec0::65:0:0:a0a:6570
dmz-ca [up/up]
    unassigned
 
   

The following is sample output from the show ipv6 interface command. It shows the characteristics of an interface which has generated a prefix from an address.

hostname# show ipv6 interface inside prefix
IPv6 Prefix Advertisements inside
Codes: A - Address, P - Prefix-Advertisement, O - Pool
       U - Per-user prefix, D - Default       N - Not advertised, C - Calendar
 
   
AD      fec0:0:0:a::/64 [LA] Valid lifetime 2592000, preferred lifetime 604800
 
   

show ipv6 mld traffic

To display the Multicast Listener Discovery (MLD) traffic counter information, use the show ipv6 mld traffic command in privileged EXEC mode.

show ipv6 mld traffic

Syntax Description

This command has no keywords or variables.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.2(4)

This command was introduced.


Usage Guidelines

The show ipv6 mld traffic command allows you to check if the expected number of MLD messages have been received and sent.

The following information is provided by the show ipv6 mld traffic command:

Elapsed time since counters cleared—the amount of time since the counters were cleared.

Valid MLD Packets—the number of valid MLD packets that are received and sent.

Queries—the number of valid queries that are received and sent.

Reports—the number of valid reports that are received and sent.

Leaves—the number of valid leaves received and sent.

Mtraee packets—the number of multicast trace packets that are received and sent.

Errors—the types of errors and the numberof errors that have occurred.

Examples

The following is sample output from the show ipv6 mld traffic command:

hostname# show ipv6 mld traffic
show ipv6 mld traffic
MLD Traffic Counters
Elapsed time since counters cleared: 00:01:19
					Received 					Sent
Valid MLD Packets 					1 					3
Queries 					1 					0
Reports 		 			0 					3
Leaves 					0 					0
Mtrace packets 					0 				0
Errors:
Malformed Packets 					0
Martian source 					0
Non link-local source 0
Hop limit is not equal to 1 0

Related Commands

Command
Description

clear ipv6 mld traffic

Resets all MLD traffic counters.


 
   

Related Commands

show ipv6 neighbor

To display the IPv6 neighbor discovery cache information, use the show ipv6 neighbor command in privileged EXEC mode.

show ipv6 neighbor [if_name | address]

Syntax Description

address

(Optional) Displays neighbor discovery cache information for the supplied IPv6 address only.

if_name

(Optional) Displays cache information for the supplied interface name, as configure by the nameif command, only.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

The following information is provided by the show ipv6 neighbor command:

IPv6 Address—the IPv6 address of the neighbor or interface.

Age—the time (in minutes) since the address was confirmed to be reachable. A hyphen (-) indicates a static entry.

Link-layer AddrMAC address. If the address is unknown, a hyphen (-) is displayed.

State—The state of the neighbor cache entry.


Note Reachability detection is not applied to static entries in the IPv6 neighbor discovery cache; therefore, the descriptions for the INCMP (Incomplete) and REACH (Reachable) states are different for dynamic and static cache entries.


The following are possible states for dynamic entries in the IPv6 neighbor discovery cache:

INCMP—(Incomplete) Address resolution is being performed on the entry. A neighbor solicitation message has been sent to the solicited-node multicast address of the target, but the corresponding neighbor advertisement message has not yet been received.

REACH—(Reachable) Positive confirmation was received within the last ReachableTime milliseconds that the forward path to the neighbor was functioning properly. While in REACH state, the device takes no special action as packets are sent.

STALE—More than ReachableTime milliseconds have elapsed since the last positive confirmation was received that the forward path was functioning properly. While in STALE state, the device takes no action until a packet is sent.

DELAY—More than ReachableTime milliseconds have elapsed since the last positive confirmation was received that the forward path was functioning properly. A packet was sent within the last DELAY_FIRST_PROBE_TIME seconds. If no reachability confirmation is received within DELAY_FIRST_PROBE_TIME seconds of entering the DELAY state, send a neighbor solicitation message and change the state to PROBE.

PROBE—A reachability confirmation is actively sought by resending neighbor solicitation messages every RetransTimer milliseconds until a reachability confirmation is received.

????—Unknown state.

The following are possible states for static entries in the IPv6 neighbor discovery cache:

INCMP—(Incomplete) The interface for this entry is down.

REACH—(Reachable) The interface for this entry is up.

· Interface
Interface from which the address was reachable.

Examples

The following is sample output from the show ipv6 neighbor command when entered with an interface:

hostname# show ipv6 neighbor inside
IPv6 Address                             Age Link-layer Addr State Interface
2000:0:0:4::2                              0 0003.a0d6.141e  REACH inside
FE80::203:A0FF:FED6:141E                   0 0003.a0d6.141e  REACH inside
3001:1::45a                                - 0002.7d1a.9472  REACH inside
 
   

The following is sample output from the show ipv6 neighbor command when entered with an IPv6 address:

hostname# show ipv6 neighbor 2000:0:0:4::2
IPv6 Address                             Age Link-layer Addr State Interface
2000:0:0:4::2                              0 0003.a0d6.141e  REACH inside
 
   

Related Commands

Command
Description

clear ipv6 neighbors

Deletes all entries in the IPv6 neighbor discovery cache, except static entries.

ipv6 neighbor

Configures a static entry in the IPv6 neighbor discovery cache.


show ipv6 route

To display the contents of the IPv6 routing table, use the show ipv6 route command in privileged EXEC mode.

show ipv6 route

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

CodesIndicates the protocol that derived the route. Values are as follows:

CConnected

LLocal

SStatic

RRIP derived

BBGP derived

I1ISIS L1—Integrated IS-IS Level 1 derived

I2ISIS L2—Integrated IS-IS Level 2 derived

IAISIS interarea—Integrated IS-IS interarea derived

fe80::/10Indicates the IPv6 prefix of the remote network.

[0/0]The first number in the brackets is the administrative distance of the information source; the second number is the metric for the route.

via ::Specifies the address of the next router to the remote network.

insideSpecifies the interface through which the next router to the specified network can be reached.

Examples

The following is sample output from the show ipv6 route command:

hostname# show ipv6 route
 
   
IPv6 Routing Table - 7 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
L   fe80::/10 [0/0]
     via ::, inside
     via ::, vlan101
L   fec0::a:0:0:a0a:a70/128 [0/0]
     via ::, inside
C   fec0:0:0:a::/64 [0/0]
     via ::, inside
L   fec0::65:0:0:a0a:6570/128 [0/0]
     via ::, vlan101
C   fec0:0:0:65::/64 [0/0]
     via ::, vlan101
L   ff00::/8 [0/0]
     via ::, inside
     via ::, vlan101
S   ::/0 [0/0]
     via fec0::65:0:0:a0a:6575, vlan101
 
   

Related Commands

Command
Description

debug ipv6 route

Displays debug messages for IPv6 routing table updates and route cache updates.

ipv6 route

Adds a static entry to the IPv6 routing table.


show ipv6 routers

To display IPv6 router advertisement information received from on-link routers, use the show ipv6 routers command in privileged EXEC mode.

show ipv6 routers [if_name]

Syntax Description

if_name

(Optional) The internal or external interface name, as designated by the nameif command, that you want to display information about.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

When an interface name is not specified, information on all IPv6 interfaces is displayed. Specifying an interface name displays information about the specified interface.

Examples

The following is sample output from the show ipv6 routers command when entered without an interface name:

hostname# show ipv6 routers
Router FE80::83B3:60A4 on outside, last update 3 min
  Hops 0, Lifetime 6000 sec, AddrFlag=0, OtherFlag=0
  Reachable time 0 msec, Retransmit time 0 msec
  Prefix 3FFE:C00:8007::800:207C:4E37/96 autoconfig
    Valid lifetime -1, preferred lifetime -1
Router FE80::290:27FF:FE8C:B709 on inside, last update 0 min
  Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0
  Reachable time 0 msec, Retransmit time 0 msec
 
   

Related Commands

Command
Description

ipv6 route

Adds a static entry to the IPv6 routing table.


show ipv6 traffic

To display statistics about IPv6 traffic, use the show ipv6 traffic command in privileged EXEC mode.

show ipv6 traffic

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

Use the clear ipv6 traffic command to clear the traffic counters.

Examples

The following is sample output from the show ipv6 traffic command:

hostname# show ipv6 traffic
IPv6 statistics:
  Rcvd:  545 total, 545 local destination
         0 source-routed, 0 truncated
         0 format errors, 0 hop count exceeded
         0 bad header, 0 unknown option, 0 bad source
         0 unknown protocol, 0 not a router
         218 fragments, 109 total reassembled
         0 reassembly timeouts, 0 reassembly failures
  Sent:  228 generated, 0 forwarded
         1 fragmented into 2 fragments, 0 failed
         0 encapsulation failed, 0 no route, 0 too big
  Mcast: 168 received, 70 sent
 
   
ICMP statistics:
  Rcvd: 116 input, 0 checksum errors, 0 too short
        0 unknown info type, 0 unknown error type
        unreach: 0 routing, 0 admin, 0 neighbor, 0 address, 0 port
        parameter: 0 error, 0 header, 0 option
        0 hopcount expired, 0 reassembly timeout,0 too big
        0 echo request, 0 echo reply
        0 group query, 0 group report, 0 group reduce
        0 router solicit, 60 router advert, 0 redirects
        31 neighbor solicit, 25 neighbor advert
  Sent: 85 output, 0 rate-limited
        unreach: 0 routing, 0 admin, 0 neighbor, 0 address, 0 port
        parameter: 0 error, 0 header, 0 option
        0 hopcount expired, 0 reassembly timeout,0 too big
        0 echo request, 0 echo reply
        0 group query, 0 group report, 0 group reduce
        0 router solicit, 18 router advert, 0 redirects
        33 neighbor solicit, 34 neighbor advert
 
   
UDP statistics:
  Rcvd: 109 input, 0 checksum errors, 0 length errors
        0 no port, 0 dropped
  Sent: 37 output
 
   
TCP statistics:
  Rcvd: 85 input, 0 checksum errors
  Sent: 103 output, 0 retransmitted
 
   

Related Commands

Command
Description

clear ipv6 traffic

Clears ipv6 traffic counters.