Cisco ASA 5500 Series Configuration Guide using ASDM, 6.3
Troubleshooting

Table Of Contents

Troubleshooting

Testing Your Configuration

Pinging Adaptive Security Appliance Interfaces

Passing Traffic Through the Adaptive Security Appliance

Verifying ASA Configuration and Operation, and Testing Interfaces Using Ping

Pinging From an Adaptive Security Appliance Interface

Pinging to an Adaptive Security Appliance Interface

Pinging Through the Adaptive Security Appliance Interface

Troubleshooting the Ping Tool

Using the Ping Tool

Determining Packet Routing with Traceroute

Tracing Packets with Packet Tracer

Other Troubleshooting Tools

Configuring and Running Captures with the Packet Capture Wizard

Ingress Traffic Selector

Egress Traffic Selector

Buffers

Summary

Run Captures

Save Captures

Sending an Administrator's Alert to Clientless SSL VPN Users

Saving an Internal Log Buffer to Flash

Viewing and Copying Logged Entries with the ASDM Java Console

Common Problems


Troubleshooting


This chapter describes how to troubleshoot the adaptive security appliance, and includes the following sections:

Testing Your Configuration

Other Troubleshooting Tools

Common Problems

Testing Your Configuration

This section describes how to test connectivity for the single mode adaptive security appliance or for each security context, how to ping the adaptive security appliance interfaces, and how to allow hosts on one interface to ping through to hosts on another interface.

This section includes the following topics:

Pinging Adaptive Security Appliance Interfaces

Passing Traffic Through the Adaptive Security Appliance

Verifying ASA Configuration and Operation, and Testing Interfaces Using Ping

Determining Packet Routing with Traceroute

Tracing Packets with Packet Tracer

Pinging Adaptive Security Appliance Interfaces

To test whether the adaptive security appliance interfaces are up and running and that the adaptive security appliance and connected routers are operating correctly, you can ping the adaptive security appliance interfaces. To ping the adaptive security appliance interfaces, perform the following steps:


Step 1 Draw a diagram of your single-mode adaptive security appliance or security context that shows the interface names, security levels, and IP addresses.


Note Although this procedure uses IP addresses, the ping command also supports DNS names and names that are assigned to a local IP address with the name command.


The diagram should also include any directly connected routers, and a host on the other side of the router from which you will ping the adaptive security appliance. You will use this information in this procedure and in the procedure in the "Passing Traffic Through the Adaptive Security Appliance" section. For example:

Figure 77-1 Network Diagram with Interfaces, Routers, and Hosts

Step 2 Ping each adaptive security appliance interface from the directly connected routers. For transparent mode, ping the management IP address. This test ensures that the adaptive security appliance interfaces are active and that the interface configuration is correct.

A ping might fail if the adaptive security appliance interface is not active, the interface configuration is incorrect, or if a switch between the adaptive security appliance and a router is down (see Figure 77-2). In this case, no debug messages or syslog messages appear, because the packet never reaches the adaptive security appliance.

Figure 77-2 Ping Failure at the Adaptive Security Appliance Interface

If the ping reaches the adaptive security appliance, and it responds, debugging messages similar to the following appear:

ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.201.2
ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1

If the ping reply does not return to the router, then a switch loop or redundant IP addresses may exist (see Figure 77-3).

Figure 77-3 Ping Failure Because of IP Addressing Problems

Step 3 Ping each adaptive security appliance interface from a remote host. For transparent mode, ping the management IP address. This test checks whether the directly connected router can route the packet between the host and the adaptive security appliance, and whether the adaptive security appliance can correctly route the packet back to the host.

A ping might fail if the adaptive security appliance does not have a return route to the host through the intermediate router (see Figure 77-4). In this case, the debugging messages show that the ping was successful, but syslog message 110001 appears, indicating a routing failure.

Figure 77-4 Ping Failure Because the Security Appliance has No Return Route


Passing Traffic Through the Adaptive Security Appliance

After you successfully ping the adaptive security appliance interfaces, make sure traffic can pass successfully through the adaptive security appliance. For routed mode, this test shows that NAT is operating correctly, if configured. For transparent mode, which does not use NAT, this test confirms that the adaptive security appliance is operating correctly. If the ping fails in transparent mode, contact Cisco TAC.

Verifying ASA Configuration and Operation, and Testing Interfaces Using Ping

The Ping tool is useful for verifying the configuration and operation of the adaptive security appliance and surrounding communications links, as well as for testing other network devices.

This section includes the following topics:

Pinging From an Adaptive Security Appliance Interface

Pinging to an Adaptive Security Appliance Interface

Pinging Through the Adaptive Security Appliance Interface

Troubleshooting the Ping Tool

Using the Ping Tool

A ping is sent to an IP address and it returns a reply. This process enables network devices to discover, identify, and test each other.

The Ping tool uses ICMP (as described in RFC 777 and RFC 792) to define an echo request-and-reply transaction between two network devices. The echo request packet is sent to the IP address of a network device. The receiving device reverses the source and destination address and sends the packet back as the echo reply.

Administrators can use the ASDM Ping interactive diagnostic tool in these ways:

Loopback testing of two interfaces—A ping may be initiated from one interface to another on the same adaptive security appliance, as an external loopback test to verify basic "up" status and operation of each interface.

Pinging to an adaptive security appliance—The Ping tool can ping an interface on another adaptive security appliance to verify that it is up and responding.

Pinging through an adaptive security appliance—Ping packets originating from the Ping tool may pass through an intermediate adaptive security appliance on their way to a device. The echo packets will also pass through two of its interfaces as they return. This procedure can be used to perform a basic test of the interfaces, operation, and response time of the intermediate unit.

Pinging to test questionable operation of a network device—A ping may be initiated from an adaptive security appliance interface to a network device that is suspected of functioning incorrectly. If the interface is configured correctly and an echo is not received, there may be problems with the device.

Pinging to test intermediate communications—A ping may be initiated from an adaptive security appliance interface to a network device that is known to be functioning correctly and returning echo requests. If the echo is received, the correct operation of any intermediate devices and physical connectivity is confirmed.

Pinging From an Adaptive Security Appliance Interface

For basic testing of an interface, you can initiate a ping from an adaptive security appliance interface to a network device that you know is functioning correctly and returning replies through the intermediate communications path. For basic testing, make sure you do the following:

Verify receipt of the ping from the adaptive security appliance interface by the "known good" device. If the ping is not received, a problem with the transmitting hardware or interface configuration may exist.

If the adaptive security appliance interface is configured correctly and it does not receive an echo reply from the "known good" device, problems with the interface hardware receiving function may exist. If a different interface with "known good" receiving capability can receive an echo after pinging the same "known good" device, the hardware receiving problem of the first interface is confirmed.

Pinging to an Adaptive Security Appliance Interface

When you try to ping to an adaptive security appliance interface, verify that the pinging response (ICMP echo reply) is enabled for that interface by choosing Tools > Ping. When pinging is disabled, the adaptive security appliance cannot be detected by other devices or software applications, and does not respond to the ASDM Ping tool.

Pinging Through the Adaptive Security Appliance Interface

To verify that other types of network traffic from "known good" sources are being passed through the adaptive security appliance, choose Monitoring > Interfaces > Interface Graphs or an SNMP management station.

To enable internal hosts to ping external hosts, configure ICMP access correctly for both the inside and outside interfaces by choosing Configuration > Firewall > Objects > IP Names.

Troubleshooting the Ping Tool

When pings fail to receive an echo, the cause may be a configuration or operational error in an adaptive security appliance, and not necessarily that the IP address being pinged failed to respond. Before using the Ping tool to ping from, to, or through an adaptive security appliance interface, perform the following basic checks:

Verify that interfaces are configured by choosing Configuration > Device Setup > Interfaces.

Verify that devices in the intermediate communications path, such as switches or routers, are correctly delivering other types of network traffic.

Make sure that traffic of other types from "known good" sources is being passed by choosing Monitoring > Interfaces > Interface Graphs.

Using the Ping Tool

To use the Ping tool, perform the following steps:


Step 1 In the main ASDM application window, choose Tools > Ping.

The Ping dialog box appears.

Step 2 Enter the destination IP address for the ICMP echo request packets in the IP Address field.

Ping can also accept IPv6 addresses.


Note If a hostname has been assigned in the Configuration > Firewall > Objects > IP Names pane, you can use the hostname in place of the IP address.


Step 3 (Optional) Choose the adaptive security appliance interface that transmits the echo request packets from the drop-down list. If it is not specified, the adaptive security appliance checks the routing table to find the destination address and uses the required interface.

Step 4 Click Ping to send an ICMP echo request packet from the specified or default interface to the specified IP address and start the response timer.

The response appears in the Ping Output area. Three attempts are made to ping the IP address, and results display the following fields:

The IP address of the device pinged, or its name if one is available. If the device has a name assigned in Hosts/Networks, that name may be displayed even when the result is NO response.

When the ping is transmitted, a millisecond timer starts with a specified maximum, or timeout value. This timer is useful for testing the relative response times of different routes or activity levels.

Example Ping output:

Sending 5, 100-byte ICMP Echos to out-pc, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

If the ping fails, the output is as follows:

Sending 5, 100-byte ICMP Echos to 10.132.80.101, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

Step 5 To enter a new IP address, click Clear Screen to remove the previous response from the Ping output area.
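The Ping Output format shown above is regular enough to parse and cross-check, which is useful when ping results are collected from many appliances. The following parser is an added example, not Cisco code; its three sample outputs are constructed, the first two mirroring the success and failure results shown in Step 4.

```python
"""Parser for ASA Ping tool output (added example, not Cisco code).

The sample outputs below are constructed; "!" marks a probe that received a
reply and "?" marks a probe that received none.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

HEADER_RE = re.compile(
    r"Sending (?P<count>\d+), (?P<size>\d+)-byte ICMP Echos to (?P<target>\S+), "
    r"timeout is (?P<timeout>\d+) seconds:"
)
SUMMARY_RE = re.compile(
    r"Success rate is (?P<pct>\d+) percent \((?P<ok>\d+)/(?P<sent>\d+)\)"
    r"(?:, round-trip min/avg/max = (?P<min>\d+)/(?P<avg>\d+)/(?P<max>\d+) ms)?"
)

PING_OK = """Sending 5, 100-byte ICMP Echos to out-pc, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms"""
PING_FAIL = """Sending 5, 100-byte ICMP Echos to 10.132.80.101, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)"""
PING_MIXED = """Sending 5, 100-byte ICMP Echos to 10.132.80.101, timeout is 2 seconds:
!!?!?
Success rate is 60 percent (3/5), round-trip min/avg/max = 1/2/4 ms"""


@dataclass
class PingResult:
    target: str
    timeout_s: int
    sent: int
    replies: int
    timeouts: int
    success_pct: int
    rtt_ms: Optional[Tuple[int, int, int]]  # (min, avg, max); None when nothing came back
    consistent: bool  # probe marks agree with the header and summary lines


def parse_ping_output(text: str) -> PingResult:
    """Parse one Ping Output block into a PingResult.

    Raises ValueError on any line that does not match the documented format,
    so a truncated or garbled copy is not silently treated as a failed ping.
    """
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) != 3:
        raise ValueError("expected exactly three lines: header, marks, summary")
    head = HEADER_RE.fullmatch(lines[0])
    marks = lines[1]
    summ = SUMMARY_RE.fullmatch(lines[2])
    if head is None or summ is None:
        raise ValueError("unrecognised ping output")
    unknown = set(marks) - {"!", "?"}
    if unknown:
        raise ValueError(f"unexpected probe marks {sorted(unknown)}")

    replies, timeouts = marks.count("!"), marks.count("?")
    sent, ok, pct = int(summ["sent"]), int(summ["ok"]), int(summ["pct"])
    rtt = None
    if summ["min"] is not None:
        rtt = (int(summ["min"]), int(summ["avg"]), int(summ["max"]))

    # Cross-check: marks line, header count and summary must agree, and
    # round-trip figures only make sense when at least one reply arrived.
    consistent = (
        len(marks) == int(head["count"]) == sent
        and sent > 0
        and replies == ok
        and pct == (ok * 100) // sent
        and (rtt is not None) == (replies > 0)
    )
    return PingResult(head["target"], int(head["timeout"]), sent, replies,
                      timeouts, pct, rtt, consistent)


if __name__ == "__main__":
    for sample in (PING_OK, PING_FAIL, PING_MIXED):
        print(parse_ping_output(sample))
```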


Determining Packet Routing with Traceroute

The Traceroute tool helps you to determine the route that packets will take to their destination. The tool prints the result of each probe sent. Every line of output corresponds to a TTL value in increasing order. The following table lists the output symbols printed by this tool.

Output Symbol   Description
*               No response was received for the probe within the timeout period.
nn msec         For each node, the round-trip time (in milliseconds) for the specified number of probes.
!N              ICMP network unreachable.
!H              ICMP host unreachable.
!P              ICMP unreachable.
!A              ICMP administratively prohibited.
?               Unknown ICMP error.


To use the Traceroute tool, perform the following steps:


Step 1 In the main ASDM application window, choose Tools > Traceroute.

The Traceroute dialog box appears.

Step 2 Enter the name of the host to which the route is traced. If the hostname is specified, define it by choosing Configuration > Firewall > Objects > IP Names, or configure a DNS server to enable this tool to resolve the hostname to an IP address.

Step 3 Enter the amount of time in seconds to wait for a response before the connection times out. The default is three seconds.

Step 4 Type the destination port used by the UDP probe messages. The default is 33434.

Step 5 Enter the number of probes to be sent at each TTL level. The default is three.

Step 6 Specify the minimum and maximum TTL values for the first probes. The minimum default is one, but it can be set to a higher value to suppress the display of known hops. The maximum default is 30. The traceroute terminates when the packet reaches the destination or when the maximum value is reached.

Step 7 Check the Specify source interface or IP address check box. Choose the source interface or IP address for the packet trace from the drop-down list. This IP address must be the IP address of one of the interfaces. In transparent mode, it must be the management IP address of the adaptive security appliance.

Step 8 Check the Reverse Resolve check box to have the output display the names of hops encountered if name resolution is configured. Leave this check box unchecked to have the output display IP addresses.

Step 9 Check the Use ICMP check box to specify the use of ICMP probe packets instead of UDP probe packets.

Step 10 Click Trace Route to start the traceroute.

The Traceroute Output area displays detailed messages about the traceroute results.

Step 11 Click Clear Output to start a new traceroute.


Tracing Packets with Packet Tracer

The packet tracer tool provides packet tracing for packet sniffing and network fault isolation, as well as detailed information about the packets and how they are processed by the adaptive security appliance. If a configuration command did not cause the packet to drop, the packet tracer tool provides information about the cause in an easily readable manner.

In addition, the packet tracer tool lets you trace the lifespan of a packet through the adaptive security appliance to see whether it is handled as expected. This tool lets you do the following:

Debug all packet drops in a production network.

Verify the configuration is working as intended.

Show all rules applicable to a packet, along with the CLI commands that caused the rule addition.

Show a time line of packet changes in a data path.

Inject tracer packets into the data path.

To open the packet tracer, perform the following steps:


Step 1 In the main ASDM application window, choose Tools > Packet Tracer.

The Cisco ASDM Packet Tracer dialog box appears.

Step 2 Choose the source interface for the packet trace from the drop-down list.

Step 3 Specify the protocol type for the packet trace. Available protocol types include ICMP, IP, TCP, and UDP.

Step 4 Enter the source address for the packet trace in the Source IP Address field.

Step 5 Choose the source port for the packet trace from the drop-down list.

Step 6 Enter the destination IP address for the packet trace in the Destination IP Address field.

Step 7 Choose the destination port for the packet trace from the drop-down list.

Step 8 Click Start to trace the packet.

The Information Display Area shows detailed messages about the packet trace.


Note To display a graphical representation of the packet trace, check the Show animation check box.




Other Troubleshooting Tools

The adaptive security appliance provides other troubleshooting tools that you can use. This section includes the following topics:

Configuring and Running Captures with the Packet Capture Wizard

Sending an Administrator's Alert to Clientless SSL VPN Users

Saving an Internal Log Buffer to Flash

Viewing and Copying Logged Entries with the ASDM Java Console

Configuring and Running Captures with the Packet Capture Wizard

You can use the Packet Capture Wizard to configure and run captures for troubleshooting errors. The captures can use access lists to limit the type of traffic captured, the source and destination addresses and ports, and one or more interfaces. The wizard runs one capture on each of the ingress and egress interfaces. You can save the captures on your PC to examine them in a packet analyzer.


Note This tool does not support clientless SSL VPN capture.


To configure and run captures, perform the following steps:


Step 1 In the main ASDM application window, choose Wizards > Packet Capture Wizard.

The Overview of Packet Capture screen appears, with a list of the tasks that the wizard will guide you through.

Step 2 Click Next to display the Ingress Traffic Selector screen.

Step 3 Choose the ingress interface from the drop-down list.

Step 4 In the Packet Match Criteria area, do one of the following:

To specify the access list to use for matching packets, click the Specify access-list radio button, and then choose the access list from the Select access list drop-down list. To add a previously configured access list to the current drop-down list, click Manage to display the ACL Manager pane. Choose an access list, and click OK.

To specify packet parameters, click the Specify Packet Parameters radio button.

Step 5 Click Next to display the Ingress Traffic Selector screen. For more information, see the "Ingress Traffic Selector" section.

Step 6 Enter the source host IP address and choose the network IP address from the drop-down list.

Step 7 Enter the destination host IP address and choose the network IP address from the drop-down list.

Step 8 Choose the protocol type to capture from the drop-down list. Available protocol types to capture are ah, eigrp, esp, gre, icmp, icmp6, igmp, igrp, ip, ipinip, nos, ospf, pcp, pim, snp, tcp, or udp.

Step 9 Click Next to display the Egress Traffic Selector screen. For more information, see the "Egress Traffic Selector" section.

Step 10 Choose the egress interface from the drop-down list.

Step 11 Enter the source host IP address and choose the network IP address from the drop-down list.

Step 12 Enter the destination host IP address and choose the network IP address from the drop-down list.


Note The source port services, destination port services, and ICMP type are read-only and are based on the choices that you made in the Ingress Traffic Selector screen.


Step 13 Click Next to display the Buffers & Captures screen. For more information, see the "Buffers" section.

Step 14 In the Capture Parameters area, to obtain the latest capture every 10 seconds automatically, check the Get capture every 10 seconds check box. By default, this capture uses the circular buffer.

Step 15 In the Buffer Parameters area, you specify the buffer size and packet size. The buffer size is the maximum amount of memory that the capture can use to store packets. The packet size is the longest packet that the capture can hold. We recommend that you use the longest packet size to capture as much information as possible.

a. Enter the packet size. The valid size ranges from 14 - 1522 bytes.

b. Enter the buffer size. The valid size ranges from 1534 - 33554432 bytes.

c. Check the Use circular buffer check box to store captured packets.


Note When you choose this setting, if all the buffer storage is used, the capture starts overwriting the oldest packets.


Step 16 Click Next to display the Summary screen, which shows the traffic selectors and buffer parameters that you have entered. For more information, see the "Summary" section.

Step 17 Click Next to display the Run Captures screen, and then click Start to begin capturing packets. Click Stop to end the capture. For more information, see the "Run Captures" section.

Step 18 Click Get Capture Buffer to determine how much buffer space you have remaining. Click Clear Buffer on Device to remove the current content and allow room in the buffer to capture more packets.

Step 19 Click Save captures to display the Save Capture dialog box. Choose the format in which you want to include the captures: ASCII or PCAP. You have the option of saving either the ingress capture, the egress capture, or both.

Step 20 To save the ingress packet capture, click Save Ingress Capture to display the Save capture file dialog box. Specify the storage location on your PC, and click Save.

Step 21 Click Launch Network Sniffer Application to start the packet analysis application specified in Tools > Preferences for analyzing the ingress capture.

Step 22 To save the egress packet capture, click Save Egress Capture to display the Save capture file dialog box. Specify the storage location on your PC, and click Save.

Step 23 Click Launch Network Sniffer Application to start the packet analysis application specified in Tools > Preferences for analyzing the egress capture.

Step 24 Click Close, and then click Finish to exit the wizard.


Ingress Traffic Selector

To configure the ingress interface, source and destination hosts/networks, and the protocol for packet capture, perform the following steps:


Step 1 Enter the ingress interface name.

Step 2 Enter the ingress source host and network.

Step 3 Enter the ingress destination host and network.

Step 4 Enter the protocol type to capture. Available protocols are ah, eigrp, esp, gre, icmp, icmp6, igmp, igrp, ip, ipinip, nos, ospf, pcp, pim, snp, tcp, or udp.

a. Enter the ICMP type for ICMP only. Available types include all, alternate address, conversion-error, echo, echo-reply, information-reply, information-request, mask-reply, mask-request, mobile-redirect, parameter-problem, redirect, router-advertisement, router-solicitation, source-quench, time-exceeded, timestamp-reply, timestamp-request, traceroute, or unreachable.

b. Specify the source and destination port services for the TCP and UDP protocols only. Available options include the following:

To include all services, choose All Services.

To include a service group, choose Service Groups.

To include a specific service, choose one of the following: aol, bgp, chargen, cifx, citrix-ica, ctiqbe, daytime, discard, domain, echo, exec, finger, ftp, ftp-data, gopher, h323, hostname, http, https, ident, imap4, irc, kerberos, klogin, kshell, ldap, ldaps, login, lotusnotes, lpd, netbios-ssn, nntp, pcanywhere-data, pim-auto-rp, pop2, pop3, pptp, rsh, rtsp, sip, smtp, sqlnet, ssh, sunrpc, tacacs, talk, telnet, uucp, or whois.


Egress Traffic Selector

To configure the egress interface, source and destination hosts/networks, and source and destination port services for packet capture, perform the following steps:


Step 1 Enter the egress interface name.

Step 2 Enter the egress source host and network.

Step 3 Enter the egress destination host and network.

The protocol type selected during the ingress configuration is already listed.


Buffers

To configure the packet size, buffer size, and use of the circular buffer for packet capture, perform the following steps.


Step 1 Enter the longest packet that the capture can hold. Use the longest size available to capture as much information as possible.

Step 2 Enter the maximum amount of memory that the capture can use to store packets.

Step 3 Use the circular buffer to store packets. When the circular buffer has used all of the buffer storage, the capture will overwrite the oldest packets first.


Summary

The Summary screen shows the traffic selectors and the buffer parameters for the packet capture selected in the previous wizard screens.

Run Captures

To start and stop the capture session, view the capture buffer, launch a network analyzer application, save packet captures, and clear the buffer, perform the following steps:


Step 1 To begin the packet capture session on a selected interface, click Start.

Step 2 To stop the packet capture session on a selected interface, click Stop.

Step 3 To obtain a snapshot of the captured packets on the interface, click Get Capture Buffer.

Step 4 To show the capture buffer on the ingress interface, click Ingress.

Step 5 To show the capture buffer on the egress interface, click Egress.

Step 6 To clear the buffer on the device, click Clear Buffer on Device.

Step 7 To start the packet analysis application for analyzing the ingress capture or the egress capture specified in Tools > Preferences, click Launch Network Sniffer Application.

Step 8 To save the ingress and egress captures in either ASCII or PCAP format, click Save Captures.


Save Captures

To save the ingress and egress packet captures to ASCII or PCAP file format for further packet analysis, perform the following steps:


Step 1 To save the capture buffer in ASCII format, click ASCII.

Step 2 To save the capture buffer in PCAP format, click PCAP.

Step 3 To specify a file in which to save the ingress packet capture, click Save ingress capture.

Step 4 To specify a file in which to save the egress packet capture, click Save egress capture.


Sending an Administrator's Alert to Clientless SSL VPN Users

This feature lets you send an alert message to clientless SSL VPN users (for example, about connection status).

To send an alert message, perform the following steps:


Step 1 In the main ASDM application window, choose Tools > Administrator's Alert Message to Clientless SSL VPN Users.

The Administrator's Alert Message to Clientless SSL VPN Users dialog box appears.

Step 2 Enter the new or edited alert content that you want to send, and then click Post Alert.

Step 3 To remove current alert content and enter new alert content, click Cancel Alert.


Saving an Internal Log Buffer to Flash

This feature lets you save the internal log buffer to flash memory.

To save the internal log buffer to flash memory, perform the following steps:


Step 1 In the main ASDM application window, choose File > Save Internal Log Buffer to Flash.

The Enter Log File Name dialog box appears.

Step 2 Choose the first option to save the log buffer with the default filename, LOG-YYYY-MM-DD-hhmmss.txt.

Step 3 Choose the second option to specify a filename for the log buffer.

Step 4 Enter the filename for the log buffer, and then click OK.


Viewing and Copying Logged Entries with the ASDM Java Console

You can use the ASDM Java console to view and copy logged entries in a text format, which can help you troubleshoot ASDM errors.

To access the ASDM Java Console, perform the following steps:


Step 1 In the main ASDM application window, choose Tools > ASDM Java Console.

Step 2 To show the virtual machine memory statistics, enter m in the console.

Step 3 To perform garbage collection, enter g in the console.

Step 4 To monitor memory usage, open the Windows Task Manager and double-click the asdm_launcher.exe file.


Note The maximum memory allocation allowed is 256 MB.



Common Problems

This section describes common problems with the adaptive security appliance, and how you might resolve them.

Symptom    The context configuration was not saved, and was lost when you reloaded.

Possible Cause    You did not save each context within the context execution space. If you are configuring contexts at the command line, you did not save the current context before you changed to the next context.

Recommended Action    Save each context within the context execution space using the copy run start command. You cannot save contexts from the system execution space.

Symptom    You cannot make a Telnet or SSH connection to the adaptive security appliance interface.

Possible Cause    You did not enable Telnet or SSH to the adaptive security appliance.

Recommended Action    Enable Telnet or SSH to the adaptive security appliance according to the instructions in the "Configuring Device Access for ASDM, Telnet, or SSH" section.

Symptom    You cannot ping the adaptive security appliance interface.

Possible Cause    You disabled ICMP to the adaptive security appliance.

Recommended Action    Enable ICMP to the adaptive security appliance for your IP address using the icmp command.

Symptom    You cannot ping through the adaptive security appliance, although the access list allows it.

Possible Cause    You did not enable the ICMP inspection engine or apply access lists on both the ingress and egress interfaces.

Recommended Action    Because ICMP is a connectionless protocol, the adaptive security appliance does not automatically allow returning traffic through. In addition to an access list on the ingress interface, you either need to apply an access list to the egress interface to allow replying traffic, or enable the ICMP inspection engine, which treats ICMP connections as stateful connections.
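The following model illustrates this symptom and both recommended actions: the echo request is permitted by the ingress access list, but the reply arrives on the egress interface where nothing permits it, unless an egress access list or the ICMP inspection engine accounts for it. This is an added example, not Cisco code; the interface names, addresses and rule representation are constructed, and the inspection engine is simplified to tracking echo requests by source, destination, identifier and sequence number.

```python
"""Stateless ICMP filtering versus ICMP inspection (added example, not Cisco code).

Interface names, addresses and the Rule class are constructed; the inspection
engine is a simplified model that tracks echo requests and admits one matching
reply per request.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP type numbers


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    icmp_type: int
    ident: int
    seq: int


@dataclass
class Rule:
    """One permit entry of an access list; icmp_type None matches any ICMP type."""
    icmp_type: Optional[int]
    src: str = "any"
    dst: str = "any"

    def matches(self, p: Icmp) -> bool:
        return (self.icmp_type in (None, p.icmp_type)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst))


@dataclass
class Firewall:
    acls: Dict[str, List[Rule]] = field(default_factory=dict)  # keyed by ingress interface
    inspect_icmp: bool = False
    pending: Set[Tuple[str, str, int, int]] = field(default_factory=set)

    def forward(self, iface: str, p: Icmp) -> Tuple[bool, str]:
        """Decide whether packet p arriving on iface is forwarded, and why."""
        # With inspection on, a reply that answers a tracked request belongs to
        # that connection and is allowed without any egress access list.
        if self.inspect_icmp and p.icmp_type == ECHO_REPLY:
            key = (p.dst, p.src, p.ident, p.seq)  # the request ran the other way
            if key in self.pending:
                self.pending.remove(key)  # one reply per request
                return True, "allowed: reply matches a tracked echo request"
        # Otherwise ICMP is connectionless: only an access list on the interface
        # the packet arrives on can permit it, and the implicit deny applies.
        if any(r.matches(p) for r in self.acls.get(iface, [])):
            if self.inspect_icmp and p.icmp_type == ECHO_REQUEST:
                self.pending.add((p.src, p.dst, p.ident, p.seq))
            return True, f"allowed: access list on {iface} permits it"
        return False, f"dropped: no access list on {iface} permits it (implicit deny)"


def ping_exchange(fw: Firewall) -> List[Tuple[bool, str]]:
    """Inside host pings an outside host through the appliance (constructed addresses)."""
    req = Icmp("10.1.1.10", "209.165.201.1", ECHO_REQUEST, ident=1, seq=256)
    rep = Icmp("209.165.201.1", "10.1.1.10", ECHO_REPLY, ident=1, seq=256)
    steps = [fw.forward("inside", req)]
    if steps[0][0]:
        steps.append(fw.forward("outside", rep))
    return steps


def ping_succeeds(fw: Firewall) -> bool:
    steps = ping_exchange(fw)
    return len(steps) == 2 and all(ok for ok, _ in steps)


# Symptom: the ingress access list allows ICMP, nothing handles the reply.
SYMPTOM = Firewall(acls={"inside": [Rule(None)]})
# Fix 1: also permit echo replies on the egress (outside) interface.
EGRESS_ACL_FIX = Firewall(acls={"inside": [Rule(None)], "outside": [Rule(ECHO_REPLY)]})
# Fix 2: enable the ICMP inspection engine instead.
INSPECT_FIX = Firewall(acls={"inside": [Rule(None)]}, inspect_icmp=True)

if __name__ == "__main__":
    for name, fw in (("symptom", SYMPTOM), ("egress acl", EGRESS_ACL_FIX),
                     ("inspect icmp", INSPECT_FIX)):
        print(name, [why for _, why in ping_exchange(fw)])
```

The two fixes are not equivalent: the egress access list also admits echo replies that no inside host asked for, while the inspection engine drops a reply that matches no tracked request.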

Symptom    Traffic does not pass between two interfaces on the same security level.

Possible Cause    You did not enable the feature that allows traffic to pass between interfaces at the same security level.

Recommended Action    Enable this feature according to the instructions in the "Allowing Same Security Level Communication" section.

Symptom    IPSec tunnels do not duplicate during a failover to the standby device.

Possible Cause    The switch port that the adaptive security appliance is plugged into is set to 10/100 instead of 1000.

Recommended Action    Set the switch port that the adaptive security appliance is plugged into to 1000.