Cisco ASA Series Command Reference
show blocks -- show cpu
Downloads: This chapterpdf (PDF - 589.0KB) The complete bookPDF (PDF - 31.85MB) | The complete bookePub (ePub - 2.33MB) | The complete bookMobi (Mobi - 9.5MB) | Feedback

Table of Contents

show blocks through show cpu Commands

s how blocks

show boot device (IOS)

s how bootvar

show bridge-group

s how call-home

s how call-home registered-module status

show capture

s how chardrop

s how checkheaps

s how checksum

s how chunkstat

s how class

s how clock

show cluster

show cluster info

show cluster user-identity

s how compression svc

show configuration

s how conn

s how console-output

s how context

s how controller

show coredump filesystem

show coredump log

s how counters

s how cpu

show blocks through show cpu Commands

show blocks

To show the packet buffer utilization, use the show blocks command in privileged EXEC mode.

show blocks [{ address hex | all | assigned | free | old | pool size [ summary ]} [ diagnostics | dump | header | packet ] | queue history | [ exhaustion snapshot | history ] [ detail ]]

 
Syntax Description

address hex

(Optional) Shows a block corresponding to this address, in hexadecimal.

all

(Optional) Shows all blocks.

assigned

(Optional) Shows blocks that are assigned and in use by an application.

detail

(Optional) Shows a portion (128 bytes) of the first block for each unique queue type.

dump

(Optional) Shows the entire block contents, including the header and packet information. The difference between dump and packet is that dump includes additional information between the header and the packet.

diagnostics

(Optional) Shows block diagnostics.

exhaustion snapshot | history

(Optional) Prints the last x number (x is currently 10) of snapshots that were taken. After a snapshot is taken, another snapshot is not taken if less than 5 minutes have passed.

The history option repeats the snapshot output x times (currently 10), filled in with the different snapshot information.

free

(Optional) Shows blocks that are available for use.

header

(Optional) Shows the header of the block.

old

(Optional) Shows blocks that were assigned more than a minute ago.

packet

(Optional) Shows the header of the block as well as the packet contents.

pool size

(Optional) Shows blocks of a specific size.

queue history

(Optional) Shows where blocks are assigned when the ASA runs out of blocks. Sometimes, a block is allocated from the pool but never assigned to a queue. In that case, the location is the code address that allocated the block.

summary

(Optional) Shows detailed information about block usage sorted by the program addresses of applications that allocated blocks in this class, program addresses of applications that released blocks in this class, and the queues to which valid blocks in this class belong.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

 
Command History

Release
Modification

7.0(1)

The pool summary option was added.

8.0(2)

The dupb block uses 0 length blocks now instead of 4 byte blocks. An additional line was added for 0 byte blocks.

9.1(5)

The exhaustion snapshot | history options were added.

 
Usage Guidelines

The show blocks command helps you determine if the ASA is overloaded. This command lists preallocated system buffer utilization. A full memory condition is not a problem as long as traffic is moving through the ASA. You can use the show conn command to see if traffic is moving. If traffic is not moving and the memory is full, there may be a problem.

You can also view this information using SNMP.

The information shown in a security context includes the system-wide information as well as context-specific information about the blocks in use and the high water mark for block usage.

See the “Examples” section for a description of the display output.

Examples

The following is sample output from the show blocks command in single mode:

ciscoasa# show blocks
SIZE MAX LOW CNT
0 100 99 100
4 1600 1598 1599
80 400 398 399
256 3600 3540 3542
1550 4716 3177 3184
16384 10 10 10
2048 1000 1000 1000
 

Table 47-1 shows each field description.

 

Table 47-1 show blocks Fields

Field
Description

SIZE

Size, in bytes, of the block pool. Each size represents a particular type. Examples are shown below.

0

Used by dupb blocks.

4

Duplicates existing blocks in applications such as DNS, ISAKMP, URL filtering, uauth, TFTP, and TCP modules. Also, this sized block can be used normally by code to send packets to drivers, etc.

80

Used in TCP intercept to generate acknowledgment packets and for failover hello messages.

256

Used for Stateful Failover updates, syslogging, and other TCP functions.

These blocks are mainly used for Stateful Failover messages. The active ASA generates and sends packets to the standby ASA to update the translation and connection table. In bursty traffic, where high rates of connections are created or torn down, the number of available blocks might drop to 0. This situation indicates that one or more connections were not updated to the standby ASA. The Stateful Failover protocol catches the missing translation or connection the next time. If the CNT column for 256-byte blocks stays at or near 0 for extended periods of time, then the ASA is having trouble keeping the translation and connection tables synchronized because of the number of connections per second that the ASA is processing.

Syslog messages sent out from the ASA also use the 256-byte blocks, but they are generally not released in such quantity to cause a depletion of the 256-byte block pool. If the CNT column shows that the number of 256-byte blocks is near 0, ensure that you are not logging at Debugging (level 7) to the syslog server. This is indicated by the logging trap line in the ASA configuration. We recommend that you set logging at Notification (level 5) or lower, unless you require additional information for debugging purposes.

1550

Used to store Ethernet packets for processing through the ASA.

When a packet enters an ASA interface, it is placed on the input interface queue, passed up to the operating system, and placed in a block. The ASA determines whether the packet should be permitted or denied based on the security policy and processes the packet through to the output queue on the outbound interface. If the ASA is having trouble keeping up with the traffic load, the number of available blocks will hover close to 0 (as shown in the CNT column of the command output). When the CNT column is zero, the ASA attempts to allocate more blocks, up to a maximum of 8192. If no more blocks are available, the ASA drops the packet.

16384

Only used for the 64-bit, 66-MHz Gigabit Ethernet cards (i82543).

See the description for 1550 for more information about Ethernet packets.

2048

Control or guided frames used for control updates.

MAX

Maximum number of blocks available for the specified byte block pool. The maximum number of blocks are carved out of memory at bootup. Typically, the maximum number of blocks does not change. The exception is for the 256- and 1550-byte blocks, where the ASA can dynamically create more when needed, up to a maximum of 8192.

LOW

Low-water mark. This number indicates the lowest number of this size blocks available since the ASA was powered up, or since the last clearing of the blocks (with the clear blocks command). A zero in the LOW column indicates a previous event where memory was full.

CNT

Current number of blocks available for that specific size block pool. A zero in the CNT column means memory is full now.

The following is sample output from the show blocks all command:

ciscoasa# show blocks all
Class 0, size 4
Block allocd_by freed_by data size alloccnt dup_cnt oper location
0x01799940 0x00000000 0x00101603 0 0 0 alloc not_specified
0x01798e80 0x00000000 0x00101603 0 0 0 alloc not_specified
0x017983c0 0x00000000 0x00101603 0 0 0 alloc not_specified
 
...
 
Found 1000 of 1000 blocks
Displaying 1000 of 1000 blocks
 

Table 47-2 shows each field description.

 

Table 47-2 show blocks all Fields

Field
Description

Block

The block address.

allocd_by

The program address of the application that last used the block (0 if not used).

freed_by

The program address of the application that last released the block.

data size

The size of the application buffer/packet data that is inside the block.

alloccnt

The number of times this block has been used since the block came into existence.

dup_cnt

The current number of references to this block if used: 0 means 1 reference, 1 means 2 references.

oper

One of the four operations that was last performed on the block: alloc, get, put, or free.

location

The application that uses the block, or the program address of the application that last allocated the block (same as the allocd_by field).

The following is sample output from the show blocks command in a context:

ciscoasa/contexta# show blocks
SIZE MAX LOW CNT INUSE HIGH
4 1600 1599 1599 0 0
80 400 400 400 0 0
256 3600 3538 3540 0 1
1550 4616 3077 3085 0 0
 

The following is sample output from the show blocks queue history command:

ciscoasa# show blocks queue history
Each Summary for User and Queue_type is followed its top 5 individual queues
Block Size: 4
Summary for User "http", Queue "tcp_unp_c_in", Blocks 1595, Queues 1396
Blk_cnt Q_cnt Last_Op Queue_Type User Context
186 1 put contexta
15 1 put contexta
1 1 put contexta
1 1 put contextb
1 1 put contextc
Summary for User "aaa", Queue "tcp_unp_c_in", Blocks 220, Queues 200
Blk_cnt Q_cnt Last_Op Queue_Type User Context
21 1 put contexta
1 1 put contexta
1 1 put contexta
1 1 put contextb
1 1 put contextc
Blk_cnt Q_cnt Last_Op Queue_Type User Context
200 1 alloc ip_rx tcp contexta
108 1 get ip_rx udp contexta
85 1 free fixup h323_ras contextb
42 1 put fixup skinny contextb
 
Block Size: 1550
Summary for User "http", Queue "tcp_unp_c_in", Blocks 1595, Queues 1000
Blk_cnt Q_cnt Last_Op Queue_Type User Context
186 1 put contexta
15 1 put contexta
1 1 put contexta
1 1 put contextb
1 1 put contextc
...
 

The following is sample output from the show blocks queue history detail command:

ciscoasa# show blocks queue history detail
History buffer memory usage: 2136 bytes (default)
Each Summary for User and Queue type is followed its top 5 individual queues
Block Size: 4
Summary for User "http", Queue_Type "tcp_unp_c_in", Blocks 1595, Queues 1396
Blk_cnt Q_cnt Last_Op Queue_Type User Context
186 1 put contexta
15 1 put contexta
1 1 put contexta
1 1 put contextb
1 1 put contextc
First Block information for Block at 0x.....
dup_count 0, flags 0x8000000, alloc_pc 0x43ea2a,
start_addr 0xefb1074, read_addr 0xefb118c, write_addr 0xefb1193
urgent_addr 0xefb118c, end_addr 0xefb17b2
0efb1150: 00 00 00 03 47 c5 61 c5 00 05 9a 38 76 80 a3 00 | ....G.a....8v...
0efb1160: 00 0a 08 00 45 00 05 dc 9b c9 00 00 ff 06 f8 f3 | ....E...........
0efb1170: 0a 07 0d 01 0a 07 00 50 00 17 cb 3d c7 e5 60 62 | .......P...=..`b
0efb1180: 7e 73 55 82 50 18 10 00 45 ca 00 00 2d 2d 20 49 | ~sU.P...E...-- I
0efb1190: 50 20 2d 2d 0d 0a 31 30 2e 37 2e 31 33 2e 31 09 | P --..10.7.13.1.
0efb11a0: 3d 3d 3e 09 31 30 2e 37 2e 30 2e 38 30 0d 0a 0d | ==>.10.7.0.80...
 
Summary for User "aaa", Queue "tcp_unp_c_in", Blocks 220, Queues 200
Blk_cnt Q_cnt Last_Op Queue_Type User Context
21 1 put contexta
1 1 put contexta
1 1 put contexta
1 1 put contextb
1 1 put contextc
First Block information for Block at 0x.....
dup_count 0, flags 0x8000000, alloc_pc 0x43ea2a,
start_addr 0xefb1074, read_addr 0xefb118c, write_addr 0xefb1193
urgent_addr 0xefb118c, end_addr 0xefb17b2
0efb1150: 00 00 00 03 47 c5 61 c5 00 05 9a 38 76 80 a3 00 | ....G.a....8v...
0efb1160: 00 0a 08 00 45 00 05 dc 9b c9 00 00 ff 06 f8 f3 | ....E...........
0efb1170: 0a 07 0d 01 0a 07 00 50 00 17 cb 3d c7 e5 60 62 | .......P...=..`b
0efb1180: 7e 73 55 82 50 18 10 00 45 ca 00 00 2d 2d 20 49 | ~sU.P...E...-- I
0efb1190: 50 20 2d 2d 0d 0a 31 30 2e 37 2e 31 33 2e 31 09 | P --..10.7.13.1.
0efb11a0: 3d 3d 3e 09 31 30 2e 37 2e 30 2e 38 30 0d 0a 0d | ==>.10.7.0.80...
...
 
total_count: total buffers in this class
 

The following is sample output from the show blocks pool summary command:

ciscoasa# show blocks pool 1550 summary
Class 3, size 1550
 
=================================================
total_count=1531 miss_count=0
Alloc_pc valid_cnt invalid_cnt
0x3b0a18 00000256 00000000
0x01ad0760 0x01acfe00 0x01acf4a0 0x01aceb40 00000000 0x00000000
0x3a8f6b 00001275 00000012
0x05006aa0 0x05006140 0x050057e0 0x05004520 00000000
0x00000000
 
=================================================
total_count=9716 miss_count=0
Freed_pc valid_cnt invalid_cnt
0x9a81f3 00000104 00000007
0x05006140 0x05000380 0x04fffa20 0x04ffde00 00000000 0x00000000
0x9a0326 00000053 00000033
0x05006aa0 0x050057e0 0x05004e80 0x05003260 00000000 0x00000000
0x4605a2 00000005 00000000
0x04ff5ac0 0x01e8e2e0 0x01e2eac0 0x01e17d20 00000000 0x00000000
...
=================================================
total_count=1531 miss_count=0
Queue valid_cnt invalid_cnt
0x3b0a18 00000256 00000000 Invalid Bad qtype
0x01ad0760 0x01acfe00 0x01acf4a0 0x01aceb40 00000000 0x00000000
0x3a8f6b 00001275 00000000 Invalid Bad qtype
0x05006aa0 0x05006140 0x050057e0 0x05004520 00000000
0x00000000
 
=================================================
free_cnt=8185 fails=0 actual_free=8185 hash_miss=0
03a8d3e0 03a8b7c0 03a7fc40 03a6ff20 03a6f5c0 03a6ec60 kao-f1#
 

The following is sample output from the show blocks exhaustion snapshot command:

ciscoasa# show blocks exhaustion snapshot
Snaphot created at 10:58:17 EST Feb 22 2010:
Snapshot created due to 1550 blocks running out
 
LOW, CNT columns indicate interface pool blocks
GLB prefixed columns indicate global pool blocks
TXQLEN column indicates number of blocks in transmit ring
Memory Pool SIZE LIMIT/MAX LOW CNT GLB:HELD GLB:TOTAL
DMA 2048 1024 708 768 0 0
Memory Pool SIZE LIMIT/MAX LOW CNT GLB:HELD GLB:TOTAL
DMA 1550 4352 0 0 19740 7929576
Interface TXQLEN
Gi0/0 0
Gi0/1 1
Gi0/2 0
Gi0/3 0
Ma0/0 1
In0/0 1
 
Core local blocks information:
CORE LIMIT ALLOC HIGH CNT FAILED
0 24576 23074 23074 1 0
 
Histogram of 'ASP load balancer queue sizes'
64 buckets sampling from 1 to 65 (1 per bucket)
0 samples within range (average=0)
<no data for 'ASP load balancer queue sizes' histogram>
 
Data points:
bucket[1-1] = 0 samples
bucket[2-2] = 0 samples
bucket[3-3] = 0 samples
bucket[4-4] = 0 samples
bucket[5-5] = 0 samples
bucket[6-6] = 0 samples
bucket[7-7] = 0 samples
bucket[8-8] = 0 samples
bucket[9-9] = 0 samples
bucket[10-10] = 0 samples
bucket[11-11] = 0 samples
bucket[12-12] = 0 samples
bucket[13-13] = 0 samples
bucket[14-14] = 0 samples
bucket[15-15] = 0 samples
bucket[16-16] = 0 samples
bucket[17-17] = 0 samples
bucket[18-18] = 0 samples
bucket[19-19] = 0 samples
bucket[20-20] = 0 samples
bucket[21-21] = 0 samples
bucket[22-22] = 0 samples
bucket[23-23] = 0 samples
bucket[24-24] = 0 samples
bucket[25-25] = 0 samples
bucket[26-26] = 0 samples
bucket[27-27] = 0 samples
bucket[28-28] = 0 samples
bucket[29-29] = 0 samples
bucket[30-30] = 0 samples
bucket[31-31] = 0 samples
bucket[32-32] = 0 samples
bucket[33-33] = 0 samples
bucket[34-34] = 0 samples
bucket[35-35] = 0 samples
bucket[36-36] = 0 samples
bucket[37-37] = 0 samples
bucket[38-38] = 0 samples
bucket[39-39] = 0 samples
bucket[40-40] = 0 samples
bucket[41-41] = 0 samples
bucket[42-42] = 0 samples
bucket[43-43] = 0 samples
bucket[44-44] = 0 samples
bucket[45-45] = 0 samples
bucket[46-46] = 0 samples
bucket[47-47] = 0 samples
bucket[48-48] = 0 samples
bucket[49-49] = 0 samples
bucket[50-50] = 0 samples
bucket[51-51] = 0 samples
bucket[52-52] = 0 samples
bucket[53-53] = 0 samples
bucket[54-54] = 0 samples
bucket[55-55] = 0 samples
bucket[56-56] = 0 samples
bucket[57-57] = 0 samples
bucket[58-58] = 0 samples
bucket[59-59] = 0 samples
bucket[60-60] = 0 samples
bucket[61-61] = 0 samples
bucket[62-62] = 0 samples
bucket[63-63] = 0 samples
bucket[64-64] = 0 samples
 
DP-CP EVENT QUEUE QUEUE-LEN HIGH-WATER
Punt Event Queue 0 0
Identity-Traffic Event Queue 0 0
General Event Queue 0 0
Syslog Event Queue 0 0
Non-Blocking Event Queue 0 0
Midpath High Event Queue 0 0
Midpath Norm Event Queue 0 0
SRTP Event Queue 0 0
 

Table 47-3 shows each field description.

 

Table 47-3 show blocks pool summary Fields

Field
Description

total_count

The number of blocks for a given class.

miss_count

The number of blocks not reported in the specified category due to technical reasons.

Freed_pc

The program addresses of applications that released blocks in this class.

Alloc_pc

The program addresses of applications that allocated blocks in this class.

Queue

The queues to which valid blocks in this class belong.

valid_cnt

The number of blocks that are currently allocated.

invalid_cnt

The number of blocks that are not currently allocated.

Invalid Bad qtype

Either this queue has been freed and the contents are invalid or this queue was never initialized.

Valid tcp_usr_conn_inp

The queue is valid.

 
Related Commands

Command
Description

blocks

Increases the memory assigned to block diagnostics

clear blocks

Clears the system buffer statistics.

show conn

Shows active connections.

show boot device (IOS)

To view the default boot partition, use the show boot device command.

show boot device [ mod_num ]

 
Syntax Description

mod_num

(Optional) Specifies the module number. Use the show module command to view installed modules and their numbers.

 
Defaults

The default boot partition is cf:4.

 
Command Modes

Privileged EXEC.

 
Command History

Release
Modification

7.0(1)

This command was introduced.

Examples

The following is sample output from the show boot device command that shows the boot partitions for each installed ASA on Cisco IOS software:

Router# show boot device
[mod:1 ]:
[mod:2 ]:
[mod:3 ]:
[mod:4 ]: cf:4
[mod:5 ]: cf:4
[mod:6 ]:
[mod:7 ]: cf:4
[mod:8 ]:
[mod:9 ]:
 

 
Related Commands

Command
Description

boot device (IOS)

Sets the default boot partition.

show module (IOS)

Shows all installed modules.

show bootvar

To show the boot file and configuration properties, use the show bootvar command in privileged EXEC mode.

show bootvar

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

 
Command History

Release
Modification

ASAv

This command was introduced.

 
Usage Guidelines

The BOOT variable specifies a list of bootable images on various devices. The CONFIG_FILE variable specifies the configuration file used during system initialization. Set these variables with the boot system command and boot config command, respectively.

Examples

The BOOT variable contains disk0:/f1_image, which is the image booted when the system reloads. The current value of BOOT is disk0:/f1_image; disk0:/f1_backupimage. This value means that the BOOT variable has been modified with the boot system command, but the running configuration has not been saved with the write memory command. When the running configuration is saved, the BOOT variable and current BOOT variable will both be disk0:/f1_image; disk0:/f1_backupimage. Assuming that the running configuration is saved, the boot loader will try to load the contents of the BOOT variable, starting with disk0:/f1image, but if that is not present or invalid, the boot loader will try to boot disk0:1/f1_backupimage.

The CONFIG_FILE variable points to the system startup configuration. In this example it is not set, so the startup configuration file is the default specified with the boot config command. The current CONFIG_FILE variable may be modified with the boot config command and saved with the write memory command.

The following is sample output from the show bootvar command:

ciscoasa# show bootvar
BOOT variable = disk0:/f1_image
Current BOOT variable = disk0:/f1_image; disk0:/f1_backupimage
CONFIG_FILE variable =
Current CONFIG_FILE variable =
ciscoasa#
 

 
Related Commands

Command
Description

boot

Specifies the configuration file or image file used at startup.

show bridge-group

To show bridge group information such as interfaces assigned, MAC addresses, and IP addresses, use the show bridge-group command in privileged EXEC mode.

show bridge-group bridge-group-number

 
Syntax Description

bridge-group-number

Specifies the bridge group number as an integer between 1 and 100.

 
Command Default

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

 
Command History

Release
Modification

8.4(1)

We introduced this command.

Examples

The following is sample output from the show bridge-group command with IPv4 addresses:

ciscoasa# show bridge-group 1
Interfaces: GigabitEthernet0/0.101, GigabitEthernet0/0.201
Management System IP Address: 10.0.1.1 255.255.255.0
Management Current IP Address: 10.0.1.1 255.255.255.0
Management IPv6 Global Unicast Address(es):
N/A
Static mac-address entries: 0
Dynamic mac-address entries: 2
 

The following is sample output from the show bridge-group command with IPv4 and IPv6 addresses:

ciscoasa# show bridge-group 1
Interfaces: GigabitEthernet0/0.101, GigabitEthernet0/0.201
Management System IP Address: 10.0.1.1 255.255.255.0
Management Current IP Address: 10.0.1.1 255.255.255.0
Management IPv6 Global Unicast Address(es):
2000:100::1, subnet is 2000:100::/64
2000:101::1, subnet is 2000:101::/64
2000:102::1, subnet is 2000:102::/64
Static mac-address entries: 0
Dynamic mac-address entries: 2
 

 
Related Commands

Command
Description

bridge-group

Groups transparent firewall interfaces into a bridge group.

clear configure interface bvi

Clears the bridge group interface configuration.

interface

Configures an interface.

interface bvi

Creates a bridge virtual interface.

ip address

Sets the management IP address for a bridge group.

show running-config interface bvi

Shows the bridge group interface configuration.

show call-home

To display the configured Call Home information, use the show call-home command in privileged EXEC mode.

[ cluster exec ] show call-home [ alert-group | detail | events | mail-server status | profile { profile _name | all } | statistics ]

 
Syntax Description

alert-group

(Optional) Displays the available alert group.

cluster exec

(Optional) In a clustering environment, enables you to issue the show call-home command in one unit and run the command in all the other units at the same time.

detail

(Optional) Displays the Call Home configuration in detail.

events

(Optional) Displays current detected events.

mail-server status

(Optional) Displays the Call Home mail server status information.

profile profile _name all

(Optional) Displays configuration information for all existing profiles.

statistics

(Optional) Displays the Call Home statistics.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

 
Command History

Release
Modification

8.2(2)

This command was introduced.

9.1(3)

A new type of Smart Call Home message has been added to include the output of the show cluster history command and show cluster info command.

Examples

The following is sample output from the show call-home command and displays the configured Call Home settings:

hostname# show call-home
Current Smart Call-Home settings:
Smart Call-Home feature : enable
Smart Call-Home message's from address: from@example.com
Smart Call-Home message's reply-to address: reply-to@example.com
contact person's email address: example@example.com
contact person's phone: 111-222-3333
street address: 1234 Any Street, Any city, Any state, 12345
customer ID: ExampleCorp
contract ID: X123456789
site ID: SantaClara
Mail-server[1]: Address: smtp.example.com Priority: 1
Mail-server[2]: Address: 192.168.0.1 Priority: 10
Rate-limit: 60 message(s) per minute
Available alert groups:
Keyword State
------------------------ -------
Syslog Enable
diagnostic Enable
environmental Enable
inventory Enable
configuration Enable
firewall Enable
troubleshooting Enable
report Enable
Profiles:
Profile Name: CiscoTAC-1
Profile Name: prof1
Profile Name: prof2
 

The following is sample output from the show call-home detail command and displays detailed Call Home configuration information:

hostname# show call-home detail
Description: Show smart call-home configuration in detail.
Supported Modes: single mode and system context in multi mode, routed/transparent.
Output:
Current Smart Call-Home settings:
Smart Call-Home feature : enable
Smart Call-Home message's from address: from@example.example.com
Smart Call-Home message's reply-to address: reply-to@example.example.com
contact person's email address: abc@example.com
contact person's phone: 111-222-3333
street address: 1234 Any Street, Any city, Any state, 12345
customer ID: 111111
contract ID: 123123
site ID: SantaClara
Mail-server[1]: Address: example.example.com Priority: 1
Mail-server[2]: Address: example.example.com Priority: 10
Rate-limit: 60 message(s) per minute
Available alert groups:
Keyword State
------------------------ -------
syslog Enable
diagnostic Enable
environmental Enable
inventory Enable
configuration Enable
firewall Enable
troubleshooting Enable
report Enable
Profiles:
Profile Name: CiscoTAC-1
Profile status: ACTIVE Preferred Message Format: xml
Message Size Limit: 3145728 Bytes
Email address(es): anstage@cisco.com
HTTP address(es): https://tools.cisco.com/its/service/oddce/services/DDCEService
Periodic inventory message is scheduled monthly at 01:00
Alert-group Severity
------------------------ ------------
inventory n/a
Profile Name: prof1
Profile status: ACTIVE Preferred Message Format: xml
Message Size Limit: 3145728 Bytes
Email address(es): example@example.com
HTTP address(es): https://kafan-lnx-01.cisco.com:8443/sch/sch.jsp
Periodic configuration message is scheduled daily at 01:00
Periodic inventory message is scheduled every 60 minutes
Alert-group Severity
------------------------ ------------
configuration n/a
inventory n/a
Profile Name: prof2
Profile status: ACTIVE Preferred Message Format: short-text
Message Size Limit: 1048576 Bytes
Email address(es): example@example.com
HTTP address(es): https://example.example.com:8443/sch/sch.jsp
Periodic configuration message is scheduled every 1 minutes
Periodic inventory message is scheduled every 1 minutes
Alert-group Severity
------------------------ ------------
configuration n/a
inventory n/a
 

The following is sample output from the show call-home events command and displays available Call Home events:

hostname# show call-home events
Description: Show current detected events.
Supported Modes: single mode and system context in multi mode, routed/transparent.
Output:
Active event list:
Event client alert-group severity active (sec)
--------------------------------------------------------------------
Configuration Client configuration none 5
Inventory inventory none 15
 

The following is sample output from the show call-home mail-server status command and displays available Call Home mail-server status:

hostname# show call-home mail-server status
Description: Show smart call-home configuration, status, and statistics.
Supported Modes: single mode and system context in multi mode, routed/transparent.
Output:
Mail-server[1]: Address: example.example.com Priority: 1 [Available]
Mail-server[2]: Address: example.example.com Priority: 10 [Not Available]

The following is sample output from the show call-home alert-group comand and displays the available alert groups:

hostname# show call-home alert-group
Description: Show smart call-home alert-group states.
Supported Modes: single mode and system context in multi mode, routed/transparent.
Output:
Available alert groups:
Keyword State
------------------------ -------
syslog Enable
diagnostic Enable
environmental Enable
inventory Enable
configuration Enable
firewall Enable
troubleshooting Enable
report Enable
 

The following is sample output from the show call-home profile profile-name | all command and displays information for all predefined and user-defined profiles:

hostname# show call-home profile {profile-name | all}
Description: Show smart call-home profile configuration.
Supported Modes: single mode and system context in multi mode, routed/transparent.
Output:
Profiles:
Profile Name: CiscoTAC-1
Profile status: ACTIVE Preferred Message Format: xml
Message Size Limit: 3145728 Bytes
Email address(es): anstage@cisco.com
HTTP address(es): https://tools.cisco.com/its/service/oddce/services/DDCEService
Periodic inventory message is scheduled monthly at 01:00
Alert-group Severity
------------------------ ------------
inventory n/a
Profile Name: prof1
Profile status: ACTIVE Preferred Message Format: xml
Message Size Limit: 3145728 Bytes
Email address(es): example@example.com
HTTP address(es): https://example.example.com:8443/sch/sch.jsp
Periodic configuration message is scheduled daily at 01:00
Periodic inventory message is scheduled every 60 minutes
Alert-group Severity
------------------------ ------------
configuration n/a
inventory n/a
Profile Name: prof2
Profile status: ACTIVE Preferred Message Format: short-text
Message Size Limit: 1048576 Bytes
Email address(es): example@example.com
HTTP address(es): https://example.example.com:8443/sch/sch.jsp
Periodic configuration message is scheduled every 1 minutes
Periodic inventory message is scheduled every 1 minutes
Alert-group Severity
------------------------ ------------
configuration n/a
inventory n/a
 

The following is sample output from the show call-home statistics command and displays the call-home statistics:

hostname# show call-home statistics
Description: Show smart call-home statistics.
Supported Modes: single mode and system context in multi mode, routed/transparent.
Output:
Message Types Total Email HTTP
-------------------- ---------------- ---------------- ----------------
Total Success 0 0 0
Total In-Queue 0 0 0
Total Dropped 5 4 1
Tx Failed 5 4 1
inventory 3 2 1
configuration 2 2 0
Event Types Total
-------------------- ----------------
Total Detected 2
inventory 1
configuration 1
Total In-Queue 0
Total Dropped 0
Last call-home message sent time: 2009-06-17 14:22:09 GMT-07:00
 

The following is sample output from the show call-home status command and displays the call-home status:

 
hostname# show call-home mail-server status
Description: Show smart call-home configuration, status, and statistics.
Supported Modes: single mode and system context in multi mode, routed/transparent.
Output:
Mail-server[1]: Address: kafan-lnx-01.cisco.com Priority: 1 [Available]
Mail-server[2]: Address: kafan-lnx-02.cisco.com Priority: 10 [Not Available]

37. ciscoasa# show call-home events
Description: Show current detected events.
Supported Modes: single mode and system context in multi mode, routed/transparent.
Output:
Active event list:
Event client alert-group severity active (sec)
--------------------------------------------------------------------
Configuration Client configuration none 5
Inventory inventory none 15
 

The following is sample output from the cluster exec show call-home statistics command and displays call-home statistics for a cluster:

ciscoasa(config)# cluster exec show call-home statistics
A(LOCAL):*************************************************************
Message Types Total Email HTTP
-------------------- ---------------- ---------------- ----------------
Total Success 3 3 0
test 3 3 0
 
Total In-Delivering 0 0 0
 
Total In-Queue 0 0 0
 
Total Dropped 8 8 0
Tx Failed 8 8 0
configuration 2 2 0
test 6 6 0
 
 
Event Types Total
-------------------- ----------------
Total Detected 10
configuration 1
test 9
 
Total In-Processing 0
 
Total In-Queue 0
 
Total Dropped 0
 
Last call-home message sent time: 2013-04-15 05:37:16 GMT+00:00
 
B:********************************************************************
Message Types Total Email HTTP
-------------------- ---------------- ---------------- ----------------
Total Success 1 1 0
test 1 1 0
 
Total In-Delivering 0 0 0
 
Total In-Queue 0 0 0
 
Total Dropped 2 2 0
Tx Failed 2 2 0
configuration 2 2 0
 
Event Types Total
-------------------- ----------------
Total Detected 2
configuration 1
test 1
 
Total In-Processing 0
 
Total In-Queue 0
 
Total Dropped 0
 
Last call-home message sent time: 2013-04-15 05:36:16 GMT+00:00
 
C:********************************************************************
Message Types Total Email HTTP
-------------------- ---------------- ---------------- ----------------
Total Success 0 0 0
 
Total In-Delivering 0 0 0
 
Total In-Queue 0 0 0
 
Total Dropped 2 2 0
Tx Failed 2 2 0
configuration 2 2 0
 
Event Types Total
-------------------- ----------------
Total Detected 1
configuration 1
 
Total In-Processing 0
 
Total In-Queue 0
 
Total Dropped 0
 
Last call-home message sent time: n/a
 
D:********************************************************************
Message Types Total Email HTTP
-------------------- ---------------- ---------------- ----------------
Total Success 1 1 0
test 1 1 0
 
Total In-Delivering 0 0 0
 
Total In-Queue 0 0 0
 
Total Dropped 2 2 0
Tx Failed 2 2 0
configuration 2 2 0
 
Event Types Total
-------------------- ----------------
Total Detected 2
configuration 1
test 1
 
Total In-Processing 0
 
Total In-Queue 0
 
Total Dropped 0
 
Last call-home message sent time: 2013-04-15 05:35:34 GMT+00:00
 
ciscoasa(config)#
 

 
Related Commands

Command
Description

call-home

Enters call home configuration mode.

call-home send alert-group

Sends a specific alert group message.

service call-home

Enables or disables Call Home.

show call-home registered-module status

To display the registered module status, use the show call-home registered-module status command in privileged EXEC mode.

show call-home registered-module status [ all ]


Note The [all] option is only valid in system context mode.


 
Syntax Description

all

Displays module status based on the device, not per context. In multiple context mode, if a module is enabled in at least one context, it is displayed as enabled if the “ all ” option is included.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

 
Command History

Release
Modification

8.2(2)

This command was introduced.

Examples

The following example displays the show call-home registered-module status all output:

Output:
Module Name Status
---------------------------------------- --------------------
Smart Call-Home enabled
Failover Standby/Active

 
Related Commands36. ciscoasa# show call-home mail-server status
Description: Show smart call-home configuration, status, and statistics.
Supported Modes: single mode and system context in multi mode, routed/transparent.
Output:
Mail-server[1]: Address: kafan-lnx-01.cisco.com Priority: 1 [Available]
Mail-server[2]: Address: kafan-lnx-02.cisco.com Priority: 10 [Not Available]

37. ciscoasa# show call-home events
Description: Show current detected events.
Supported Modes: single mode and system context in multi mode, routed/transparent.
Output:
Active event list:
Event client alert-group severity active (sec)
--------------------------------------------------------------------
Configuration Client configuration none 5
Inventory inventory none 15

Command
Description

call-home

Enters call-home configuration mode.

call-home send alert-group

Sends a specific alert group message.

service call-home

Enables or disables Call Home.

show capture

To display the capture configuration when no options are specified, use the show capture command in privileged EXEC mode.

[ cluster exec ] show capture [ capture_name ] [ access-list access_list_name ] [ count number ] [ decode ] [ detail ] [ dump ] [ packet-number number ]

 
Syntax Description

access-list access_list_name

(Optional) Displays information for packets that are based on IP or higher fields for the specific access list identification .

capture_name

(Optional) Specifies the name of the packet capture.

cluster exec

(Optional) In a clustering environment, enables you to issue the show capture command in one unit and run the command in all the other units at the same time.

count number

(Optional) Displays the number of packets specified data.

decode

This option is useful when a capture of type isakmp is applied to an interface. All ISAKMP data flowing through that interface will be captured after decryption and shown with more information after decoding the fields.

detail

(Optional) Displays additional protocol information for each packet.

dump

(Optional) Displays a hexadecimal dump of the packets that are transported over the data link.

packet-number number

Starts the display at the specified packet number.

 
Defaults

This command has no default settings.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

 
Command History

Release
Modification

7.0(1)

This command was introduced.

8.4(2)

Added detailed information in the output for IDS.

9.0(1)

The cluster exec option was added.

 
Usage Guidelines

If you specify the capture_name , then the capture buffer contents for that capture are displayed.

The dump keyword does not display MAC information in the hexadecimal dump.

The decoded output of the packets depend on the protocol of the packet. In Table 47-4 , the bracketed output is displayed when you specify the detail keyword.

 

Table 47-4 Packet Capture Output Formats

Packet Type
Capture Output Format

802.1Q

HH:MM:SS.ms [ether-hdr] VLAN-info encap-ether-packet

ARP

HH:MM:SS.ms [ether-hdr] arp-type arp-info

IP/ICMP

HH:MM:SS.ms [ether-hdr] ip-source > ip-destination: icmp: icmp-type icmp-code [checksum-failure]

IP/UDP

HH:MM:SS.ms [ether-hdr] src-addr . src-port dest-addr . dst-port : [checksum-info] udp payload-len

IP/TCP

HH:MM:SS.ms [ether-hdr] src-addr . src-port d est-addr . dst-port : tcp-flags [header-check] [checksum-info] sequence-number ack-number tcp-window urgent-info tcp-options

IP/Other

HH:MM:SS.ms [ether-hdr] src-addr dest-addr : ip-protocol ip-length

Other

HH:MM:SS.ms ether-hdr : hex-dump

Examples

This example shows how to display the capture configuration:

ciscoasa(config)# show capture
capture arp ethernet-type arp interface outside
capture http access-list http packet-length 74 interface inside
 

This example shows how to display the packets that are captured by an ARP capture:

ciscoasa(config)# show capture arp
2 packets captured
19:12:23.478429 arp who-has 171.69.38.89 tell 171.69.38.10
19:12:26.784294 arp who-has 171.69.38.89 tell 171.69.38.10
2 packets shown
 

The following example shows how to display the packets that are captured on a single unit in a clustering environment:

ciscoasa(config)# show capture
capture 1 cluster type raw-data interface primary interface cluster [Buffer Full - 524187 bytes]
capture 2 type raw-data interface cluster [Capturing - 232354 bytes]
 

The following example shows how to display the packets that are captured on all units in a clustering environment:

ciscoasa(config)# cluster exec show capture
mycapture (LOCAL):----------------------------------------------------------
 
capture 1 type raw-data interface primary [Buffer Full - 524187 bytes]
capture 2 type raw-data interface cluster [Capturing - 232354 bytes]
 
yourcapture:----------------------------------------------------------------
capture 1 type raw-data interface primary [Capturing - 191484 bytes]
capture 2 type raw-data interface cluster [Capturing - 532354 bytes]
 

The following example shows the packets that are captured on the cluster control link in a clustering environment after the following commands are entered:

ciscoasa (config)# capture a interface cluster
ciscoasa (config)# capture cp interface cluster match udp any eq 49495 any
ciscoasa (config)# capture cp interface cluster match udp any any eq 49495
ciscoasa (config)# access-list cc1 extended permit udp any any eq 4193
ciscoasa (config)# access-list cc1 extended permit udp any eq 4193 any
ciscoasa (config)# capture dp interface cluster access-list cc1
ciscoasa (config)# capture lacp type lacp interface gigabitEthernet 0/0
 
ciscoasa(config)# show capture
capture a type raw-data interface cluster [Capturing - 970 bytes]
capture cp type raw-data interface cluster [Capturing - 26236 bytes]
match udp any eq 49495 any
capture dp type raw-data access-list cc1 interface cluster [Capturing - 4545230 bytes]
capture lacp type lacp interface gigabitEthernet0/0 [Capturing - 140 bytes]
 

 
Related Commands

Command
Description

capture

Enables packet capture capabilities for packet sniffing and network fault isolation.

clear capture

Clears the capture buffer.

copy capture

Copies a capture file to a server.

show chardrop

To display the count of characters dropped from the serial console, use the show chardrop command in privileged EXEC mode.

show chardrop

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  •  
  •  
  •  
  •  
  •  

 
Command History

Release
Modification

ASAv

This command was introduced.

Examples

The following is sample output from the show chardrop command:

ciscoasa# show chardrop
Chars dropped pre-TxTimeouts: 0, post-TxTimeouts: 0
 

 
Related Commands

Command
Description

show running-config

Shows the current operating configuration.

show checkheaps

To show the checkheaps statistics, use the show checkheaps command in privileged EXEC mode. Checkheaps is a periodic process that verifies the sanity of the heap memory buffers (dynamic memory is allocated from the system heap memory region) and the integrity of the code region.

show checkheaps

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

 
Command History

Release
Modification

7.0(1)

This command was introduced.

Examples

The following is sample output from the show checkheaps command:

ciscoasa# show checkheaps
 
Checkheaps stats from buffer validation runs
--------------------------------------------
Time elapsed since last run : 42 secs
Duration of last run : 0 millisecs
Number of buffers created : 8082
Number of buffers allocated : 7808
Number of buffers free : 274
Total memory in use : 43570344 bytes
Total memory in free buffers : 87000 bytes
Total number of runs : 310

 
Related Commands

Command
Description

checkheaps

Sets the checkheap verification intervals.

show checksum

To display the configuration checksum, use the show checksum command in privileged EXEC mode.

show checksum

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

This command has no default settings.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

 
Command History

Release
Modification

ASAv

We introduced this command.

 
Usage Guidelines

The show checksum command allows you to display four groups of hexadecimal numbers that act as a digital summary of the configuration contents. This checksum is calculated only when you store the configuration in flash memory.

If a dot (“.”) appears before the checksum in the show config or show checksum command output, the output indicates a normal configuration load or write mode indicator (when loading from or writing to the ASA flash partition). The “.” shows that the ASA is preoccupied with the operation but is not “hung up.” This message is similar to a “system processing, please wait” message.

Examples

This example shows how to display the configuration or the checksum:

ciscoasa(config)# show checksum
Cryptochecksum: 1a2833c0 129ac70b 1a88df85 650dbb81
 

show chunkstat

To display the chunk statistics, use the show chunkstat command in privileged EXEC mode.

show chunkstat

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  •  
  •  

  •  

 
Command History

Release
Modification

7.0(1)

This command was introduced.

Examples

This example shows how to display the chunk statistics:

ciscoasa# show chunkstat
Global chunk statistics: created 181, destroyed 34, siblings created 94, siblings destroyed 34
 
Per-chunk statistics: siblings created 0, siblings trimmed 0
Dump of chunk at 01edb4cc, name "Managed Chunk Queue Elements", data start @ 01edbd24, end @ 01eddc54
next: 01eddc8c, next_sibling: 00000000, prev_sibling: 00000000
flags 00000001
maximum chunk elt's: 499, elt size: 16, index first free 498
# chunks in use: 1, HWM of total used: 1, alignment: 0
Per-chunk statistics: siblings created 0, siblings trimmed 0
Dump of chunk at 01eddc8c, name "Registry Function List", data start @ 01eddea4, end @ 01ede348
next: 01ede37c, next_sibling: 00000000, prev_sibling: 00000000
flags 00000001
maximum chunk elt's: 99, elt size: 12, index first free 42
# chunks in use: 57, HWM of total used: 57, alignment: 0
 

 
Related Commands

Command
Description

show counters

Displays the protocol stack counters.

show cpu

Displays the CPU utilization information.

show class

To show the contexts assigned to a class, use the show class command in privileged EXEC mode.

show class name

 
Syntax Description

name

Specifies the name as a string up to 20 characters long. To show the default class, enter default for the name.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

 
Command History

Release
Modification

7.2(1)

This command was introduced.

Examples

The following is sample output from the show class default command:

ciscoasa# show class default
 
Class Name Members ID Flags
default All 1 0001
 

 
Related Commands

Command
Description

class

Configures a resource class.

clear configure class

Clears the class configuration.

context

Configures a security context.

limit-resource

Sets the resource limit for a class.

member

Assigns a context to a resource class.

show clock

To view the time on the ASA, use the show clock command in user EXEC mode.

show clock [ detail ]

 
Syntax Description

detail

(Optional) Indicates the clock source (NTP or user configuration) and the current summer-time setting (if any).

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC

 
Command History

Release
Modification

7.0(1)

This command was introduced.

Examples

The following is sample output from the show clock command:

ciscoasa> show clock
12:35:45.205 EDT Tue Jul 27 2004
 

The following is sample output from the show clock detail command:

ciscoasa> show clock detail
12:35:45.205 EDT Tue Jul 27 2004
Time source is user configuration
Summer time starts 02:00:00 EST Sun Apr 4 2004
Summer time ends 02:00:00 EDT Sun Oct 31 2004
 

 
Related Commands

Command
Description

clock set

Manually sets the clock on the ASA.

clock summer-time

Sets the date range to show daylight saving time.

clock timezone

Sets the time zone.

ntp server

Identifies an NTP server.

show ntp status

Shows the status of the NTP association.

show cluster

To view aggregated data for the entire cluster or other information, use the show cluster command in privileged EXEC mode.

show cluster { access-list [ acl_name ] | conn [ count ] | cpu [ usage ] | history | interface-mode | memory | resource usage | traffic | xlate count }

 
Syntax Description

access-list [ acl_name ]

Shows hit counters for access policies. To see the counters for a specific ACL, enter the acl_name .

conn [ count ]

Shows the aggregated count of in-use connections for all units. If you enter the count keyword, only the connection count is shown.

cpu [ usage ]

Shows CPU usage information.

history

Shows cluster switching history.

interface-mode

Shows the cluster interface mode, either spanned or individual.

memory

Shows system memory utilization and other information.

resource usage

Shows system resources and usage.

traffic

Shows traffic statistics.

xlate count

Shows current translation information.

 
Command Default

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

 
Command History

Release
Modification

9.0(1)

We introduced this command.

 
Usage Guidelines

See also the show cluster info and show cluster user-identity commands.

Examples

The following is sample output from the show cluster access-list command:

ciscoasa# show cluster access-list
hitcnt display order: cluster-wide aggregated result, unit-A, unit-B, unit-C, unit-D
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
access-list 101; 122 elements; name hash: 0xe7d586b5
access-list 101 line 1 extended permit tcp 192.168.143.0 255.255.255.0 any eq www (hitcnt=0, 0, 0, 0, 0) 0x207a2b7d
access-list 101 line 2 extended permit tcp any 192.168.143.0 255.255.255.0 (hitcnt=0, 0, 0, 0, 0) 0xfe4f4947
access-list 101 line 3 extended permit tcp host 192.168.1.183 host 192.168.43.238 (hitcnt=1, 0, 0, 0, 1) 0x7b521307
access-list 101 line 4 extended permit tcp host 192.168.1.116 host 192.168.43.238 (hitcnt=0, 0, 0, 0, 0) 0x5795c069
access-list 101 line 5 extended permit tcp host 192.168.1.177 host 192.168.43.238 (hitcnt=1, 0, 0, 1, 0) 0x51bde7ee
access list 101 line 6 extended permit tcp host 192.168.1.177 host 192.168.43.13 (hitcnt=0, 0, 0, 0, 0) 0x1e68697c
access-list 101 line 7 extended permit tcp host 192.168.1.177 host 192.168.43.132 (hitcnt=2, 0, 0, 1, 1) 0xc1ce5c49
access-list 101 line 8 extended permit tcp host 192.168.1.177 host 192.168.43.192 (hitcnt=3, 0, 1, 1, 1) 0xb6f59512
access-list 101 line 9 extended permit tcp host 192.168.1.177 host 192.168.43.44 (hitcnt=0, 0, 0, 0, 0) 0xdc104200
access-list 101 line 10 extended permit tcp host 192.168.1.112 host 192.168.43.44 (hitcnt=429, 109, 107, 109, 104)
0xce4f281d
access-list 101 line 11 extended permit tcp host 192.168.1.170 host 192.168.43.238 (hitcnt=3, 1, 0, 0, 2) 0x4143a818
access-list 101 line 12 extended permit tcp host 192.168.1.170 host 192.168.43.169 (hitcnt=2, 0, 1, 0, 1) 0xb18dfea4
access-list 101 line 13 extended permit tcp host 192.168.1.170 host 192.168.43.229 (hitcnt=1, 1, 0, 0, 0) 0x21557d71
access-list 101 line 14 extended permit tcp host 192.168.1.170 host 192.168.43.106 (hitcnt=0, 0, 0, 0, 0) 0x7316e016
access-list 101 line 15 extended permit tcp host 192.168.1.170 host 192.168.43.196 (hitcnt=0, 0, 0, 0, 0) 0x013fd5b8
access-list 101 line 16 extended permit tcp host 192.168.1.170 host 192.168.43.75 (hitcnt=0, 0, 0, 0, 0) 0x2c7dba0d
 

To display the aggregated count of in-use connections for all units, enter:

ciscoasa# show cluster conn count
Usage Summary In Cluster:*********************************************
200 in use (cluster-wide aggregated)
cl2(LOCAL):***********************************************************
100 in use, 100 most used
 
cl1:******************************************************************
100 in use, 100 most used
 

 
Related Commands

Command
Description

show cluster info

Shows cluster information.

show cluster user-identity

Shows cluster user identity information and statistics.

show cluster info

To view cluster information, use the show cluster info command in privileged EXEC mode.

show cluster info [ clients | conn-distribution | goid [ options ] | health | incompatible-config | loadbalance | old-members | packet-distribution | trace [ options ] | transport { asp | cp }]

 
Syntax Description

clients

(Optional) Shows the version of register clients.

conn-distribution

(Optional) Shows the connection distribution in the cluster.

goid [ options ]

(Optional) Shows the global object ID database. Options include:

  • classmap
  • conn-set
  • hwidb
  • idfw-domain
  • idfw-group
  • interface
  • policymap
  • virtual-context

health

(Optional) Shows health monitoring information.

incompatible-config

(Optional) Shows commands that are incompatible with clustering in the current running configuration. This command is useful before you enable clustering.

loadbalance

(Optional) Shows load balancing information.

old-members

(Optional) Shows former members of the cluster.

packet-distribution

(Optional) Shows packet distribution in the cluster.

trace [ options ]

(Optional) Shows the clustering control module event trace. Options include:

  • latest [ number ]—Displays the latest number events, where the number is from 1 to 2147483647. The default is to show all.
  • level level —Filters events by level where the level is one of the following: all , critical , debug , informational , or warning .
  • module module —Filters events by module where the module is one of the following: ccp , datapath , fsm , general , hc , license , rpc , or transport .
  • time {[ month day ] [ hh : mm : ss ]}—Shows events before the specified time or date.

transport { asp | cp }

(Optional) Show transport related statistics for the following:

  • asp —Data plane transport statistics.
  • cp —Control plane transport statistics.

 
Command Default

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

 
Command History

Release
Modification

9.0(1)

We introduced this command.

 
Usage Guidelines

If you do not specify any options, the show cluster info command shows general cluster information including the cluster name and status, the cluster members, the member states, and so on.

Clear statistics using the clear cluster info command.

See also the show cluster and show cluster user-identity commands.

Examples

The following is sample output from the show cluster info command:

ciscoasa# show cluster info
Cluster stbu: On
This is "C" in state SLAVE
ID : 0
Version : 100.8(0.52)
Serial No.: P3000000025
CCL IP : 10.0.0.3
CCL MAC : 000b.fcf8.c192
Last join : 17:08:59 UTC Sep 26 2011
Last leave: N/A
Other members in the cluster:
Unit "D" in state SLAVE
ID : 1
Version : 100.8(0.52)
Serial No.: P3000000001
CCL IP : 10.0.0.4
CCL MAC : 000b.fcf8.c162
Last join : 19:13:11 UTC Sep 23 2011
Last leave: N/A
Unit "A" in state MASTER
ID : 2
Version : 100.8(0.52)
Serial No.: JAB0815R0JY
CCL IP : 10.0.0.1
CCL MAC : 000f.f775.541e
Last join : 19:13:20 UTC Sep 23 2011
Last leave: N/A
Unit "B" in state SLAVE
ID : 3
Version : 100.8(0.52)
Serial No.: P3000000191
CCL IP : 10.0.0.2
CCL MAC : 000b.fcf8.c61e
Last join : 19:13:50 UTC Sep 23 2011
Last leave: 19:13:36 UTC Sep 23 2011
 

The following is sample output from the show cluster info incompatible-config command:

ciscoasa(cfg-cluster)# show cluster info incompatible-config
INFO: Clustering is not compatible with following commands which given a user's confirmation upon enabling clustering, can be removed automatically from running-config.
policy-map global_policy
class scansafe-http
inspect scansafe http-map fail-close
policy-map global_policy
class scansafe-https
inspect scansafe https-map fail-close
 
INFO: No manually-correctable incompatible configuration is found.
 

The following is sample output from the show cluster info trace command:

ciscoasa# show cluster info trace
Feb 02 14:19:47.456 [DBUG]Receive CCP message: CCP_MSG_LOAD_BALANCE
Feb 02 14:19:47.456 [DBUG]Receive CCP message: CCP_MSG_LOAD_BALANCE
Feb 02 14:19:47.456 [DBUG]Send CCP message to all: CCP_MSG_KEEPALIVE from 80-1 at MASTER
 

 
Related Commands

Command
Description

show cluster

Displays aggregated data for the entire cluster.

show cluster user-identity

Shows cluster user identity information and statistics.

show cluster user-identity

To view cluster-wide user identity information and statistics, use the show cluster user-identity command in privileged EXEC mode.

show cluster user-identity { statistics [ user name | user-group group_name ] | user [ active [ domain name ] | user name | user-group group_name ] [ list [ detail ] | all [ list [ detail ] | inactive { domain name | user-group group_name ] [ list [ detail ]]}

 
Syntax Description

active

Shows users with active IP-user mappings.

all

Shows all users in the user database.

domain name

Shows user info for a domain.

inactive

Shows users with inactive IP-user mappings.

list [ detail ]

Shows a list of users.

statistics

Shows cluster user identity statistics.

user

Shows the user database.

user name

Show information for a specific user.

user-group group_name

Shows information for each user of a specific group.

 
Command Default

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

 
Command History

Release
Modification

9.0(1)

We introduced this command.

 
Usage Guidelines

See also the show cluster info and show cluster commands.

 
Related Commands

Command
Description

show cluster

Displays aggregated data for the entire cluster.

show cluster info

Shows cluster information.

show compression svc

To view compression statistics for SVC connections on the ASA, use the show compression svc command from privileged EXEC mode.

show compression svc

 
Defaults

There is no default behavior for this command.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

 
Command History

Release
Modification

7.1(1)

This command was introduced.

Examples

The following example shows the output of the show compression svc command:

hostname# show compression svc
Compression SVC Sessions 1
Compressed Frames 249756
Compressed Data In (bytes) 0048042
Compressed Data Out (bytes) 4859704
Expanded Frames 1
Compression Errors 0
Compression Resets 0
Compression Output Buf Too Small 0
Compression Ratio 2.06
Decompressed Frames 876687
Decompressed Data In 279300233
 

 
Related Commands

Command
Description

compression

Enables compression for all SVC and WebVPN connections.

svc compression

Enables compression of http data over an SVC connection for a specific group or user.

show configuration

To display the configuration that is saved in flash memory on the ASA, use the show configuration command in privileged EXEC mode.

show configuration

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

 
Command History

Release
Modification

7.0(1)

This command was modified.

 
Usage Guidelines

The show configuration command displays the saved configuration in flash memory on the ASA. Unlike the show running-config command, the show configuration command does not use many CPU resources to run.

To display the active configuration in memory (including saved configuration changes) on the ASA, use the show running-config command.

Examples

The following is sample output from the show configuration command:

ciscoasa# show configuration
: enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.2.5 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 10.132.12.6 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.0.0.5 255.255.0.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/newImage
ftp mode passive
access-list acl1 extended permit ip any any
access-list mgcpacl extended permit udp any any eq 2727
access-list mgcpacl extended permit udp any any eq 2427
access-list mgcpacl extended permit udp any any eq tftp
access-list mgcpacl extended permit udp any any eq 1719
access-list permitIp extended permit ip any any
pager lines 25
logging enable
logging console debugging
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any dmz
asdm image disk0:/pdm
no asdm history enable
arp timeout 14400
global (outside) 1 10.132.12.50-10.132.12.52
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group permitIp in interface inside
access-group permitIp in interface outside
access-group mgcpacl in interface dmz
!
router ospf 1
network 10.0.0.0 255.255.0.0 area 192.168.2.0
network 192.168.2.0 255.255.255.0 area 192.168.2.0
log-adj-changes
redistribute static subnets
default-information originate
!
route outside 0.0.0.0 0.0.0.0 10.132.12.1 1
route outside 10.129.0.0 255.255.0.0 10.132.12.1 1
route outside 88.0.0.0 255.0.0.0 10.132.12.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.132.12.0 255.255.255.0 outside
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.2.0 255.255.255.0 inside
telnet 10.132.12.0 255.255.255.0 outside
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect mgcp
policy-map type inspect mgcp mgcpapp
parameters
call-agent 150.0.0.210 101
gateway 50.0.0.201 101
gateway 100.0.0.201 101
command-queue 150
!
service-policy global_policy global
webvpn
memory-size percent 25
enable inside
internal-password enable
onscreen-keyboard logon
username snoopy password /JcYsjvxHfBHc4ZK encrypted
prompt hostname context
Cryptochecksum:62bf8f5de9466cdb64fe758079594635:
end

 
Related Commands

Command
Description

configure

Configures the ASA from the terminal.

show conn

To display the connection state for the designated connection type, use the show conn command in privileged EXEC mode. This command supports IPv4 and IPv6 addresses.

show conn [ count | [ all ] [ detail ] [ long ] [ state state_type ] [ protocol { tcp | udp }] [ scansafe ] [ address src_ip [ - src_ip ] [ netmask mask ]] [ port src_port [ - src_port ]] [ address dest_ip [ - dest_ip ] [ netmask mask ]] [ port dest_port [ - dest_port ]]
[ user-identity | user [ domain_nickname \ ] user_name | user-group [ domain_nickname \\ ] user_group_name ] | security-group ]

 
Syntax Description

address

(Optional) Displays connections with the specified source or destination IP address.

all

(Optional) Displays connections that are to the device or from the device, in addition to through-traffic connections.

count

(Optional) Displays the number of active connections.

dest_ip

(Optional) Specifies the destination IP address (IPv4 or IPv6). To specify a range, separate the IP addresses with a dash (-). For example:

10.1.1.1-10.1.1.5

dest_port

(Optional) Specifies the destination port number. To specify a range, separate the port numbers with a dash (-). For example:

1000-2000

detail

(Optional) Displays connections in detail, including translation type and interface information.

long

(Optional) Displays connections in long format.

netmask mask

(Optional) Specifies a subnet mask for use with the given IP address.

port

(Optional) Displays connections with the specified source or destination port.

protocol { tcp | udp }

(Optional) Specifies the connection protocol, which can be tcp or udp .

scansafe

(Optional) Shows connections being forwarded to the Cloud Web Security server.

security-group

(Optional) Specifies that all connections displayed belong to the specified security group.

src_ip

(Optional) Specifies the source IP address (IPv4 or IPv6). To specify a range, separate the IP addresses with a dash (-). For example:

10.1.1.1-10.1.1.5

src_port

(Optional) Specifies the source port number. To specify a range, separate the port numbers with a dash (-). For example:

1000-2000

state state_type

(Optional) Specifies the connection state type. See Table 47-5 for a list of the keywords available for connection state types.

user [ domain_nickname \ ]
user_name

(Optional) Specifies that all connections displayed belong to the specified user. When you do not include the domain_nickname argument, the ASA displays information for the user in the default domain.

user-group [ domain_nickname \\ ]
user_group_name

(Optional) Specifies that all connections displayed belong to the specified user group. When you do not include the domain_nickname argument, the ASA displays information for the user group in the default domain.

user-identity

(Optional) Specifies that the ASA display all connections for the Identity Firewall feature. When displaying the connections, the ASA displays the user name and IP address when it identifies a matching user. Similarly, the ASA displays the host name and an IP address when it identifies a matching host.

 
Defaults

All through connections are shown by default. You need to use the all keyword to also view management connections to the device.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  •  
  •  

 
Command History

Release
Modification

7.0(8)/7.2(4)/8.0(4)

The syntax was simplified to use source and destination concepts instead of “local” and “foreign.” In the new syntax, the source address is the first address entered and the destination is the second address. The old syntax used keywords like foreign and fport to determine the destination address and port.

7.2(5)/8.0(5)/8.1(2)/8.2(4)/8.3(2)

The tcp_embryonic state type was added. This type shows all TCP connections with the i flag (incomplete connections); i flag connections for UDP are not shown.

8.2(1)

The b flag was added for TCP state bypass.

8.4(2)

Added the user-identity , user , and user-group keywords to support the Identity Firewall.

9.0(1)

Support for clustering was added. We added the scansafe and security-group keywords.

 
Usage Guidelines

The show conn command displays the number of active TCP and UDP connections, and provides information about connections of various types. Use the show conn all command to see the entire table of connections.


Note When the ASA creates a pinhole to allow secondary connections, this is shown as an incomplete conn by the show conn command. To clear this incomplete conn use the clear conn command.


The connection types that you can specify using the show conn state command are defined in Table 47-5 . When specifying multiple connection types, use commas without spaces to separate the keywords.

 

Table 47-5 Connection State Types

Keyword
Connection Type Displayed

up

Connections in the up state.

conn_inbound

Inbound connections.

ctiqbe

CTIQBE connections

data_in

Inbound data connections.

data_out

Outbound data connections.

finin

FIN inbound connections.

finout

FIN outbound connections.

h225

H.225 connections

h323

H.323 connections

http_get

HTTP get connections.

mgcp

MGCP connections.

nojava

Connections that deny access to Java applets.

rpc

RPC connections.

service_module

Connections being scanned by an SSM.

sip

SIP connections.

skinny

SCCP connections.

smtp_data

SMTP mail data connections.

sqlnet_fixup_data

SQL*Net data inspection engine connections.

tcp_embryonic

TCP embryonic connections.

vpn_orphan

Orphaned VPN tunneled flows.

When you use the detail option, the system displays information about the translation type and interface information using the connection flags defined in Table 47-6 .

 

Table 47-6 Connection Flags

Flag
Description

a

awaiting outside ACK to SYN

A

awaiting inside ACK to SYN

b

TCP state bypass

B

initial SYN from outside

C

Computer Telephony Interface Quick Buffer Encoding (CTIQBE) media connection

d

dump

D

DNS

E

outside back connection. This is a secondary data connection that must be initiated from the inside host. For example, using FTP, after the inside client issues the PASV command and the outside server accepts, the ASA preallocates an outside back connection with this flag set. If the inside client attempts to connect back to the server, then the ASA denies this connection attempt. Only the outside server can use the preallocated secondary connection.

f

inside FIN

F

outside FIN

g

Media Gateway Control Protocol (MGCP) connection

G

connection is part of a group1

h

H.225

H

H.323

i

incomplete TCP or UDP connection

I

inbound data

k

Skinny Client Control Protocol (SCCP) media connection

K

GTP t3-response

m

SIP media connection

M

SMTP data

O

outbound data

p

replicated (unused)

P

inside back connection. This is a secondary data connection that must be initiated from the inside host. For example, using FTP, after the inside client issues the PORT command and the outside server accepts, the ASA preallocates an inside back connection with this flag set. If the outside server attempts to connect back to the client, then the ASA denies this connection attempt. Only the inside client can use the preallocated secondary connection.

q

SQL*Net data

r

inside acknowledged FIN

R

outside acknowledged FIN for TCP connection

R

UDP RPC2

s

awaiting outside SYN

S

awaiting inside SYN

t

SIP transient connection3

T

SIP connection4

U

up

V

VPN orphan

W

WAAS

X

Inspected by the service module, such as a CSC SSM.

y

For clustering, identifies a backup owner flow.

Y

For clustering, identifies a director flow.

z

For clustering, identifies a forwarder flow.

Z

Cloud Web Security

1.The G flag indicates the connection is part of a group. It is set by the GRE and FTP Strict fixups to designate the control connection and all its associated secondary connections. If the control connection terminates, then all associated secondary connections are also terminated.

2.Because each row of show conn command output represents one connection (TCP or UDP ), there will be only one R flag per row.

3.For UDP connections, the value t indicates that it will timeout after one minute.

4.For UDP connections, the value T indicates that the connection will timeout according to the value specified using the timeout sip command.


Note For connections using a DNS server, the source port of the connection may be replaced by the IP address of DNS server in the show conn command output.


A single connection is created for multiple DNS sessions, as long as they are between the same two hosts, and the sessions have the same 5-tuple (source/destination IP address, source/destination port, and protocol). DNS identification is tracked by app_id, and the idle timer for each app_id runs independently.

Because the app_id expires independently, a legitimate DNS response can only pass through the ASA within a limited period of time and there is no resource build-up. However, when you enter the show conn command, you will see the idle timer of a DNS connection being reset by a new DNS session. This is due to the nature of the shared DNS connection and is by design.


Note When there is no TCP traffic for the period of inactivity defined by the timeout conn command (by default, 1:00:00), the connection is closed and the corresponding conn flag entries are no longer displayed.


If a LAN-to-LAN/Network-Extension Mode tunnel drops and does not come back, there might be a number of orphaned tunnel flows. These flows are not torn down as a result of the tunnel going down, but all the data attempting to flow through them is dropped. The show conn command output shows these orphaned flows with the V flag.

When the following TCP connection directionality flags are applied to connections between same-security interfaces (see the same-security permit command), the direction in the flag is not relevant because for same-security interfaces, there is no “inside” or “outside.” Because the ASA has to use these flags for same-security connections, the ASA may choose one flag over another (for example, f vs. F) based on other connection characteristics, but you should ignore the directionality chosen.

  • B—Initial SYN from outside
  • a—Awaiting outside ACK to SYN
  • A—Awaiting inside ACK to SYN
  • f—Inside FIN
  • F—Outside FIN
  • s—Awaiting outside SYN
  • S—Awaiting inside SYN

To display information for a specific connection, include the security-group keyword and specify a security group table value or security group name for both the source and destination of the connection. The ASA displays the connection matching the specific security group table values or security group names.

When you specify the security-group keyword without specifying a source and destination security group table value or a source and destination security group name, the ASA displays data for all SXP connections.

The ASA displays the connection data in the format security_group_name ( SGT_value ) or just as the SGT_value when the security group name is unknown.


Note Security group data is not available for stub connections because stub connection do not go through the slow path. Stub connections maintain only the information necessary to forward packets to the owner of the connection.


You can specify a single security group name to display all connections in a cluster; for example, the following example displays connections matching security-group mktg in all units of the cluster:

ciscoasa# show cluster conn security-group name mktg
 

Examples

When specifying multiple connection types, use commas without spaces to separate the keywords. The following example displays information about RPC, H.323, and SIP connections in the Up state:

ciscoasa# show conn state up,rpc,h323,sip
 

The following is sample output from the show conn count command:

ciscoasa# show conn count
54 in use, 123 most used
 

The following is sample output from the show conn command. This example shows a TCP session connection from inside host 10.1.1.15 to the outside Telnet server at 10.10.49.10. Because there is no B flag, the connection is initiated from the inside. The “U”, “I”, and “O” flags denote that the connection is active and has received inbound and outbound data.

ciscoasa# show conn
54 in use, 123 most used
TCP out 10.10.49.10:23 in 10.1.1.15:1026 idle 0:00:22, bytes 1774, flags UIO
UDP out 10.10.49.10:31649 in 10.1.1.15:1028 idle 0:00:14, bytes 0, flags D-
TCP dmz 10.10.10.50:50026 inside 192.168.1.22:5060, idle 0:00:24, bytes 1940435, flags UTIOB
TCP dmz 10.10.10.50:49764 inside 192.168.1.21:5060, idle 0:00:42, bytes 2328346, flags UTIOB
TCP dmz 10.10.10.51:50196 inside 192.168.1.22:2000, idle 0:00:04, bytes 31464, flags UIB
TCP dmz 10.10.10.51:52738 inside 192.168.1.21:2000, idle 0:00:09, bytes 129156, flags UIOB
TCP dmz 10.10.10.50:49764 inside 192.168.1.21:0, idle 0:00:42, bytes 0, flags Ti
TCP outside 192.168.1.10(20.20.20.24):49736 inside 192.168.1.21:0, idle 0:01:32, bytes 0, flags Ti
TCP dmz 10.10.10.50:50026 inside 192.168.1.22:0, idle 0:00:24, bytes 0, flags Ti
TCP outside 192.168.1.10(20.20.20.24):50663 inside 192.168.1.22:0, idle 0:01:34, bytes 0, flags Ti
TCP dmz 10.10.10.50:50026 inside 192.168.1.22:0, idle 0:02:24, bytes 0, flags Ti
TCP outside 192.168.1.10(20.20.20.24):50663 inside 192.168.1.22:0, idle 0:03:34, bytes 0, flags Ti
TCP dmz 10.10.10.50:50026 inside 192.168.1.22:0, idle 0:04:24, bytes 0, flags Ti
TCP outside 192.168.1.10(20.20.20.24):50663 inside 192.168.1.22:0, idle 0:05:34, bytes 0, flags Ti
TCP dmz 10.10.10.50:50026 inside 192.168.1.22:0, idle 0:06:24, bytes 0, flags Ti
TCP outside 192.168.1.10(20.20.20.24):50663 inside 192.168.1.22:0, idle 0:07:34, bytes 0, flags Ti
 

The following is sample output from the show conn command, whcih includes the “X” flag to indicate that the connection is being scanned by the SSM.

ciscoasa# show conn address 10.0.0.122 state service_module
TCP out 10.1.0.121:22 in 10.0.0.122:34446 idle 0:00:03, bytes 2733, flags UIOX
 

The following is sample output from the show conn detail command. This example shows a UDP connection from outside host 10.10.49.10 to inside host 10.1.1.15. The D flag denotes that this is a DNS connection. The number 1028 is the DNS ID over the connection.

ciscoasa# show conn detail
54 in use, 123 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media,
D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
k - Skinny media, M - SMTP data, m - SIP media, n - GUP
O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
q - SQL*Net data, R - outside acknowledged FIN,
R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
V - VPN orphan, W - WAAS,
X - inspected by service module
TCP outside:10.10.49.10/23 inside:10.1.1.15/1026,
flags UIO, idle 39s, uptime 1D19h, timeout 1h0m, bytes 1940435
UDP outside:10.10.49.10/31649 inside:10.1.1.15/1028,
flags dD, idle 39s, uptime 1D19h, timeout 1h0m, bytes 1940435
TCP dmz:10.10.10.50/50026 inside:192.168.1.22/5060,
flags UTIOB, idle 39s, uptime 1D19h, timeout 1h0m, bytes 1940435
TCP dmz:10.10.10.50/49764 inside:192.168.1.21/5060,
flags UTIOB, idle 56s, uptime 1D19h, timeout 1h0m, bytes 2328346
TCP dmz:10.10.10.51/50196 inside:192.168.1.22/2000,
flags UIB, idle 18s, uptime 1D19h, timeout 1h0m, bytes 31464
TCP dmz:10.10.10.51/52738 inside:192.168.1.21/2000,
flags UIOB, idle 23s, uptime 1D19h, timeout 1h0m, bytes 129156
TCP outside:10.132.64.166/52510 inside:192.168.1.35/2000,
flags UIOB, idle 3s, uptime 1D21h, timeout 1h0m, bytes 357405
TCP outside:10.132.64.81/5321 inside:192.168.1.22/5060,
flags UTIOB, idle 1m48s, uptime 1D21h, timeout 1h0m, bytes 2083129
TCP outside:10.132.64.81/5320 inside:192.168.1.21/5060,
flags UTIOB, idle 1m46s, uptime 1D21h, timeout 1h0m, bytes 2500529
TCP outside:10.132.64.81/5319 inside:192.168.1.22/2000,
flags UIOB, idle 31s, uptime 1D21h, timeout 1h0m, bytes 32718
TCP outside:10.132.64.81/5315 inside:192.168.1.21/2000,
flags UIOB, idle 14s, uptime 1D21h, timeout 1h0m, bytes 358694
TCP outside:10.132.64.80/52596 inside:192.168.1.22/2000,
flags UIOB, idle 8s, uptime 1D21h, timeout 1h0m, bytes 32742
TCP outside:10.132.64.80/52834 inside:192.168.1.21/2000,
flags UIOB, idle 6s, uptime 1D21h, timeout 1h0m, bytes 358582
TCP outside:10.132.64.167/50250 inside:192.168.1.35/2000,
flags UIOB, idle 26s, uptime 1D21h, timeout 1h0m, bytes 375617
 

The following is sample output from the show conn command when an orphan flow exists, as indicated by the V flag:

ciscoasa# show conn
16 in use, 19 most used
TCP out 192.168.110.251:7393 in 192.168.150.252:21 idle 0:00:00, bytes 1048, flags UOVB
TCP out 192.168.110.251:21137 in 192.168.150.252:21 idle 0:00:00, bytes 1048, flags UIOB
 

To limit the report to those connections that have orphan flows, add the vpn_orphan option to the show conn state command, as in the following example:

ciscoasa# show conn state vpn_orphan
14 in use, 19 most used
TCP out 192.168.110.251:7393 in 192.168.150.252:5013, idle 0:00:00, bytes 2841019, flags UOVB
 

For clustering, to troubleshoot the connection flow, first see connections on all units by entering the cluster exec show conn command on the master unit. Look for flows that have the following flags: director (Y), backup (y), and forwarder (z). The following example shows an SSH connection from 172.18.124.187:22 to 192.168.103.131:44727 on all three ASAs; ASA 1 has the z flag showing it is a forwarder for the connection, ASA3 has the Y flag showing it is the director for the connection, and ASA2 has no special flags showing it is the owner. In the outbound direction, the packets for this connection enter the inside interface on ASA2 and exit the outside interface. In the inbound direction, the packets for this connection enter the outside interface on ASA 1 and ASA3, are forwarded over the cluster control link to ASA2, and then exit the inside interface on ASA2.

ciscoasa/ASA1/master# cluster exec show conn
ASA1(LOCAL):**********************************************************
18 in use, 22 most used
Cluster stub connections: 0 in use, 5 most used
TCP outside 172.18.124.187:22 inside 192.168.103.131:44727, idle 0:00:00, bytes 37240828, flags z
 
 
ASA2:*****************************************************************
12 in use, 13 most used
Cluster stub connections: 0 in use, 46 most used
TCP outside 172.18.124.187:22 inside 192.168.103.131:44727, idle 0:00:00, bytes 37240828, flags UIO
 
 
ASA3:*****************************************************************
10 in use, 12 most used
Cluster stub connections: 2 in use, 29 most used
TCP outside 172.18.124.187:22 inside 192.168.103.131:44727, idle 0:00:03, bytes 0, flags Y
 

The output of show conn detail on ASA2 shows that the most recent forwarder was ASA1:

 
ciscoasa/ASA2/slave# show conn detail
12 in use, 13 most used
Cluster stub connections: 0 in use, 46 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media,
D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
k - Skinny media, M - SMTP data, m - SIP media, n - GUP
O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
q - SQL*Net data, R - outside acknowledged FIN,
R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
V - VPN orphan, W - WAAS, Z - Scansafe redirection,
X - inspected by service module
Y - director stub flow
y - backup stub flow
z - forwarder stub flow
TCP outside: 172.18.124.187/22 inside: 192.168.103.131/44727,
flags UIO , idle 0s, uptime 25s, timeout 1h0m, bytes 1036044, cluster sent/rcvd bytes 0/1032983, cluster sent/rcvd total bytes 0/1080779, owners (1,255)
Traffic received at interface outside
Locally received: 0 (0 byte/s)
From most recent forwarder ASA1: 1032983 (41319 byte/s)
Traffic received at interface inside
Locally received: 3061 (122 byte/s)
 

The following examples show how to display connections for the Identity Firewall feature:

hostname# show conn user-identity ?
exec mode commands/options:
all Enter this keyword to show conns including to-the-box and from-the-box
detail Enter this keyword to show conn in detail
long Enter this keyword to show conn in long format
port Enter this keyword to specify port
protocol Enter this keyword to specify conn protocol
state Enter this keyword to specify conn state
| Output modifiers
 
hostname# show conn user-identity
1219 in use, 1904 most used
UDP inside (www.yahoo.com))10.0.0.2:1587 outside (user1)192.0.0.2:30000, idle 0:00:00, bytes 10, flags -
UDP inside (www.yahoo.com)10.0.0.2:1586 outside (user2)192.0.0.1:30000, idle 0:00:00, bytes 10, flags –
UDP inside 10.0.0.34:1586 outside 192.0.0.25:30000, idle 0:00:00, bytes 10, flags –
hostname# show conn user user1
2 in use
UDP inside (www.yahoo.com))10.0.0.2:1587 outside (user1)192.0.0.2:30000, idle 0:00:00, bytes 10, flags –
 

 
Related Commands

Commands
Description

clear conn

Clears connections.

inspect ctiqbe

Enables CTIQBE application inspection.

inspect h323

Enables H.323 application inspection.

inspect mgcp

Enables MGCP application inspection.

inspect sip

Removes Java applets from HTTP traffic.

inspect skinny

Enables SCCP application inspection.

show console-output

To display the currently captured console output, use the show console-output command in privileged EXEC mode.

show console-output

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

 
Command History

Release
Modification

7.0(1)

This command was introduced.

Examples

The following is sample output from the show console-output command, which displays the following message when there is no console output:

ciscoasa# show console-output
Sorry, there are no messages to display
 

 
Related Commands

Command
Description

clear configure console

Restores the default console connection settings.

clear configure timeout

Restores the default idle time durations in the configuration.

console timeout

Sets the idle timeout for a console connection to the ASA.

show running-config console timeout

Displays the idle timeout for a console connection to the ASA.

show context

To show context information including allocated interfaces and the configuration file URL, the number of contexts configured, or from the system execution space, a list of all contexts, use the show context command in privileged EXEC mode.

show context [ name | detail | count ]

 
Syntax Description

count

(Optional) Shows the number of contexts configured.

detail

(Optional) Shows additional detail about the context(s) including the running state and information for internal use.

name

(Optional) Sets the context name. If you do not specify a name, the ASA displays all contexts. Within a context, you can only enter the current context name.

 
Defaults

In the system execution space, the ASA displays all contexts if you do not specify a name.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

 
Command History

Release
Modification

7.0(1)

This command was introduced.

8.0(2)

Information about assigned IPS virtual sensors was added.

 
Usage Guidelines

See the “Examples” section for a description of the display output.

Examples

The following is sample output from the show context command. The following sample display shows three contexts:

ciscoasa# show context
 
Context Name Interfaces URL
*admin GigabitEthernet0/1.100 flash:/admin.cfg
GigabitEthernet0/1.101
contexta GigabitEthernet0/1.200 flash:/contexta.cfg
GigabitEthernet0/1.201
contextb GigabitEthernet0/1.300 flash:/contextb.cfg
GigabitEthernet0/1.301
Total active Security Contexts: 3
 

Table 47-7 shows each field description.

 

Table 47-7 show context Fields

Field
Description

Context Name

Lists all context names. The context name with the asterisk (*) is the admin context.

Interfaces

The interfaces assigned to the context.

URL

The URL from which the ASA loads the context configuration.

The following is sample output from the show context detail command in the system execution space:

ciscoasa# show context detail
 
Context "admin", has been created, but initial ACL rules not complete
Config URL: flash:/admin.cfg
Real Interfaces: Management0/0
Mapped Interfaces: Management0/0
Real IPS Sensors: ips1, ips2
Mapped IPS Sensors: highsec, lowsec
Flags: 0x00000013, ID: 1
 
Context "ctx", has been created, but initial ACL rules not complete
Config URL: ctx.cfg
Real Interfaces: GigabitEthernet0/0.10, GigabitEthernet0/1.20,
GigabitEthernet0/2.30
Mapped Interfaces: int1, int2, int3
Real IPS Sensors: ips1, ips3
Mapped IPS Sensors: highsec, lowsec
Flags: 0x00000011, ID: 2
 
Context "system", is a system resource
Config URL: startup-config
Real Interfaces:
Mapped Interfaces: Control0/0, GigabitEthernet0/0,
GigabitEthernet0/0.10, GigabitEthernet0/1, GigabitEthernet0/1.10,
GigabitEthernet0/1.20, GigabitEthernet0/2, GigabitEthernet0/2.30,
GigabitEthernet0/3, Management0/0, Management0/0.1
Flags: 0x00000019, ID: 257
 
Context "null", is a system resource
Config URL: ... null ...
Real Interfaces:
Mapped Interfaces:
Flags: 0x00000009, ID: 258
 

Table 47-8 shows each field description.

 

Table 47-8 Context States

Field
Description

Context

The context name. The null context information is for internal use only. The system context represents the system execution space.

State Message:

The context state. See the possible messages below.

Has been created, but initial ACL rules not complete

The ASA parsed the configuration but has not yet downloaded the default ACLs to establish the default security policy. The default security policy applies to all contexts initially, and includes disallowing traffic from lower security levels to higher security levels, enabling application inspection, and other parameters. This security policy ensures that no traffic can pass through the ASA after the configuration is parsed but before the configuration ACLs are compiled. You are unlikely to see this state because the configuration ACLs are compiled very quickly.

Has been created, but not initialized

You entered the context name command, but have not yet entered the config-url command.

Has been created, but the config hasn’t been parsed

The default ACLs were downloaded, but the ASA has not parsed the configuration. This state might exist because the configuration download might have failed because of network connectivity issues, or you have not yet entered the config-url command. To reload the configuration, from within the context, enter copy startup-config running-config . From the system, reenter the config-url command. Alternatively, you can start configuring the blank running configuration.

Is a system resource

This state applies only to the system execution space and to the null context. The null context is used by the system, and the information is for internal use only.

Is a zombie

You deleted the context using the no context or clear context command, but the context information persists in memory until the ASA reuses the context ID for a new context, or you restart.

Is active

This context is currently running and can pass traffic according to the context configuration security policy.

Is ADMIN and active

This context is the admin context and is currently running.

Was a former ADMIN, but is now a zombie

You deleted the admin context using the clear configure context command, but the context information persists in memory until the ASA reuses the context ID for a new context, or you restart.

Real Interfaces

The interfaces assigned to the context. If you mapped the interface IDs in the allocate-interface command, this display shows the real name of the interface.

Mapped Interfaces

If you mapped the interface IDs in the allocate-interface command, this display shows the mapped names. If you did not map the interfaces, the display lists the real names again.

Real IPS Sensors

The IPS virtual sensors assigned to the context if you have an AIP SSM installed. If you mapped the sensor names in the allocate-ips command, this display shows the real name of the sensor.

Mapped IPS Sensors

If you mapped the sensor names in the allocate-ips command, this display shows the mapped names. If you did not map the sensor names, the display lists the real names again.

Flag

For internal use only.

ID

An internal ID for this context.

The following is sample output from the show context count command:

ciscoasa# show context count
Total active contexts: 2
 

 
Related Commands

Command
Description

admin-context

Sets the admin context.

allocate-interface

Assigns interfaces to a context.

changeto

Changes between contexts or the system execution space.

config-url

Specifies the location of the context configuration.

context

Creates a security context in the system configuration and enters context configuration mode.

show controller

To view controller-specific information of all interfaces present, use the show controller command in privileged EXEC mode.

show controller [ slot ] [ physical_interface ] [ pci [ bridge [ bridge-id [ port-num ]]]] [ detail ]

 
Syntax Description

bridge

(Optional) Displays PCI bridge-specific information for the ASA 5585-X.

bridge-id

(Optional) Displays each unique PCI bridge identifier for the ASA 5585-X.

detail

(Optional) Shows additional detail about the controller.

pci

(Optional) Displays a summary of PCI devices along with their first 256 bytes of PCI configuration space for the ASA 5585-X.

physical_interface

(Optional) Identifies the interface ID.

port-num

(Optional) Displays the unique port number within each PCI bridge for the ASA 5585-X adaptive ASA.

slot

(Optional) Displays PCI-e bus and slot information for the ASA 5580 only.

 
Defaults

If you do not identify an interface, this command shows information for all interfaces.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

 
Command History

Release
Modification

7.2(1)

This command was introduced.

8.0(2)

This command now applies to all platforms, and not just the ASA 5505. The detail keyword was added.

8.1(1)

The slot keyword was added for the ASA 5580.

8.2(5)

The pci , bridge , bridge-id, and port-num options were added for the ASA 5585-X with an IPS SSP installed. In addition, support for sending pause frames to enable flow control on 1 GigabitEthernet interfaces has been added for all ASA models.

8.6(1)

Support was added for the detail keyword for the ASA 5512-X through ASA 5555-X Internal-Control0/0 interface, used for control traffic between the ASA and the software module, and for the Internal-Data0/1 interface used for data traffic to the ASA and the software module.

 
Usage Guidelines

This command helps Cisco TAC gather useful debug information about the controller when investigating internal and customer found defects. The actual output depends on the model and Ethernet controller. The command also displays information about all the PCI bridges of interest in the ASA 5585-X with an IPS SSP installed. For the ASA Services Module, the show controller command output does not show any PCIe slot information.

Examples

The following is sample output from the show controller command:

ciscoasa# show controller
 
Ethernet0/0:
Marvell 88E6095 revision 2, switch port 7
PHY Register:
Control: 0x3000 Status: 0x786d
Identifier1: 0x0141 Identifier2: 0x0c85
Auto Neg: 0x01e1 LP Ability: 0x40a1
Auto Neg Ex: 0x0005 PHY Spec Ctrl: 0x0130
PHY Status: 0x4c00 PHY Intr En: 0x0400
Int Port Sum: 0x0000 Rcv Err Cnt: 0x0000
Led select: 0x1a34
Reg 29: 0x0003 Reg 30: 0x0000
Port Registers:
Status: 0x0907 PCS Ctrl: 0x0003
Identifier: 0x0952 Port Ctrl: 0x0074
Port Ctrl-1: 0x0000 Vlan Map: 0x077f
VID and PRI: 0x0001 Port Ctrl-2: 0x0cc8
Rate Ctrl: 0x0000 Rate Ctrl-2: 0x3000
Port Asc Vt: 0x0080
In Discard Lo: 0x0000 In Discard Hi: 0x0000
In Filtered: 0x0000 Out Filtered: 0x0000
 
Global Registers:
Control: 0x0482
 
---------------------------------------------------------------------
Number of VLANs: 1
---------------------------------------------------------------------
Vlan[db]\Port| 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
---------------------------------------------------------------------
<0001[01]> | EUT| EUT| EUT| EUT| EUT| EUT| EUT| EUT| EUM| NM | NM |
---------------------------------------------------------------------
 
....
 
Ethernet0/6:
Marvell 88E6095 revision 2, switch port 1
PHY Register:
Control: 0x3000 Status: 0x7849
Identifier1: 0x0141 Identifier2: 0x0c85
Auto Neg: 0x01e1 LP Ability: 0x0000
Auto Neg Ex: 0x0004 PHY Spec Ctrl: 0x8130
PHY Status: 0x0040 PHY Intr En: 0x8400
Int Port Sum: 0x0000 Rcv Err Cnt: 0x0000
Led select: 0x1a34
Reg 29: 0x0003 Reg 30: 0x0000
Port Registers:
Status: 0x0007 PCS Ctrl: 0x0003
Identifier: 0x0952 Port Ctrl: 0x0077
Port Ctrl-1: 0x0000 Vlan Map: 0x07fd
VID and PRI: 0x0001 Port Ctrl-2: 0x0cc8
Rate Ctrl: 0x0000 Rate Ctrl-2: 0x3000
Port Asc Vt: 0x0002
In Discard Lo: 0x0000 In Discard Hi: 0x0000
In Filtered: 0x0000 Out Filtered: 0x0000
----Inline power related counters and registers----
Power on fault: 0 Power off fault: 0
Detect enable fault: 0 Detect disable fault: 0
Faults: 0
Driver counters:
I2C Read Fail: 0 I2C Write Fail: 0
Resets: 1 Initialized: 1
PHY reset error: 0
LTC4259 registers:
INTRPT STATUS = 0x88 INTRPT MASK = 0x00 POWER EVENT = 0x00
DETECT EVENT = 0x03 FAULT EVENT = 0x00 TSTART EVENT = 0x00
SUPPLY EVENT = 0x02 PORT1 STATUS = 0x06 PORT2 STATUS = 0x06
PORT3 STATUS = 0x00 PORT4 STATUS = 0x00 POWER STATUS = 0x00
OPERATE MODE = 0x0f DISC. ENABLE = 0x30 DT/CLASS ENBL = 0x33
TIMING CONFIG = 0x00 MISC. CONFIG = 0x00
 
...
 
Internal-Data0/0:
Y88ACS06 Register settings:
rap 0xe0004000 = 0x00000000
ctrl_status 0xe0004004 = 0x5501064a
irq_src 0xe0004008 = 0x00000000
irq_msk 0xe000400c = 0x00000000
irq_hw_err_src 0xe0004010 = 0x00000000
irq_hw_err_msk 0xe0004014 = 0x00001000
bmu_cs_rxq 0xe0004060 = 0x002aaa80
bmu_cs_stxq 0xe0004068 = 0x01155540
bmu_cs_atxq 0xe000406c = 0x012aaa80
 
Bank 2: MAC address registers:
....
 

The following is sample output from the show controller detail command:

ciscoasa# show controller gigabitethernet0/0 detail
 
GigabitEthernet0/0:
Intel i82546GB revision 03
 
Main Registers:
Device Control: 0xf8260000 = 0x003c0249
Device Status: 0xf8260008 = 0x00003347
Extended Control: 0xf8260018 = 0x000000c0
RX Config: 0xf8260180 = 0x0c000000
TX Config: 0xf8260178 = 0x000001a0
RX Control: 0xf8260100 = 0x04408002
TX Control: 0xf8260400 = 0x000400fa
TX Inter Packet Gap: 0xf8260410 = 0x00602008
RX Filter Cntlr: 0xf8260150 = 0x00000000
RX Chksum: 0xf8265000 = 0x00000300
 
RX Descriptor Registers:
RX Descriptor 0 Cntlr: 0xf8262828 = 0x00010000
RX Descriptor 0 AddrLo: 0xf8262800 = 0x01985000
RX Desccriptor 0 AddrHi: 0xf8262804 = 0x00000000
RX Descriptor 0 Length: 0xf8262808 = 0x00001000
RX Descriptor 0 Head: 0xf8262810 = 0x00000000
RX Descriptor 0 Tail: 0xf8262818 = 0x000000ff
RX Descriptor 1 Cntlr: 0xf8262828 = 0x00010000
RX Descriptor 1 AddrLo: 0xf8260138 = 0x00000000
RX Descriptor 1 AddrHi: 0xf826013c = 0x00000000
RX Descriptor 1 Length: 0xf8260140 = 0x00000000
RX Descriptor 1 Head: 0xf8260148 = 0x00000000
RX Descriptor 1 Tail: 0xf8260150 = 0x00000000
 
TX Descriptor Registers:
TX Descriptor 0 Cntlr: 0xf8263828 = 0x00000000
TX Descriptor 0 AddrLo: 0xf8263800 = 0x01987000
TX Descriptor 0 AddrHi: 0xf8263804 = 0x00000000
TX Descriptor 0 Length: 0xf8263808 = 0x00001000
TX Descriptor 0 Head: 0xf8263810 = 0x00000000
TX Descriptor 0 Tail: 0xf8263818 = 0x00000000
 
RX Address Array:
Ethernet Address 0: 0012.d948.ef58
Ethernet Address 1: Not Valid!
Ethernet Address 2: Not Valid!
Ethernet Address 3: Not Valid!
Ethernet Address 4: Not Valid!
Ethernet Address 5: Not Valid!
Ethernet Address 6: Not Valid!
Ethernet Address 7: Not Valid!
Ethernet Address 8: Not Valid!
Ethernet Address 9: Not Valid!
Ethernet Address a: Not Valid!
Ethernet Address b: Not Valid!
Ethernet Address c: Not Valid!
Ethernet Address d: Not Valid!
Ethernet Address e: Not Valid!
Ethernet Address f: Not Valid!
 
PHY Registers:
Phy Control: 0x1140
Phy Status: 0x7969
Phy ID 1: 0x0141
Phy ID 2: 0x0c25
Phy Autoneg Advertise: 0x01e1
Phy Link Partner Ability: 0x41e1
Phy Autoneg Expansion: 0x0007
Phy Next Page TX: 0x2801
Phy Link Partnr Next Page: 0x0000
Phy 1000T Control: 0x0200
Phy 1000T Status: 0x4000
Phy Extended Status: 0x3000
 
Detailed Output - RX Descriptor Ring:
 
rx_bd[000]: baddr = 0x019823A2, length = 0x0000, status = 0x00
pkt chksum = 0x0000, errors = 0x00, special = 0x0000
rx_bd[001]: baddr = 0x01981A62, length = 0x0000, status = 0x00
pkt chksum = 0x0000, errors = 0x00, special = 0x0000
........

The following is sample output from the show controller detail command for the Internal interfaces on the ASA 5512-X through ASA 5555-X:

ciscoasa# show controller detail
 
Internal-Control0/0:
ASA IPS/VM Back Plane TunTap Interface , port id 9
Major Configuration Parameters
Device Name : en_vtun
Linux Tun/Tap Device : /dev/net/tun/tap1
Num of Transmit Rings : 1
Num of Receive Rings : 1
Ring Size : 128
Max Frame Length : 1550
Out of Buffer : 0
Reset : 0
Drop : 0
Transmit Ring [0]:
tx_pkts_in_queue : 0
tx_pkts : 176
tx_bytes : 9664
Receive Ring [0]:
rx_pkts_in_queue : 0
rx_pkts : 0
rx_bytes : 0
rx_drops : 0
 
Internal-Data0/1:
ASA IPS/VM Management Channel TunTap Interface , port id 9
Major Configuration Parameters
Device Name : en_vtun
Linux Tun/Tap Device : /dev/net/tun/tap2
Num of Transmit Rings : 1
Num of Receive Rings : 1
Ring Size : 128
Max Frame Length : 1550
Out of Buffer : 0
Reset : 0
Drop : 0
Transmit Ring [0]:
tx_pkts_in_queue : 0
tx_pkts : 176
tx_bytes : 9664
Receive Ring [0]:
rx_pkts_in_queue : 0
rx_pkts : 0
rx_bytes : 0
rx_drops : 0
 

The following is sample output from the show controller slot command:

Slot Card Description PCI-e Bandwidth Cap.
---- ---------------- ----------------------
3. ASA 5580 2 port 10GE SR Fiber Interface Card Bus: x4, Card: x8
 
4. ASA 5580 4 port GE Copper Interface Card Bus: x4, Card: x4
 
5. ASA 5580 2 port 10GE SR Fiber Interface Card Bus: x8, Card: x8
 
6. ASA 5580 4 port GE Fiber Interface Card Bus: x4, Card: x4
 
7. empty Bus: x8
 
8. empty Bus: x8
 

The following is sample output from the show controller pci command:

ciscoasa# show controller pci
 
PCI Evaluation Log:
---------------------------------------------------------------------------
Empty
 
PCI Bus:Device.Function (hex): 00:00.0 Vendor ID: 0x8086 Device ID: 0x3406
---------------------------------------------------------------------------
 
PCI Configuration Space (hex):
0x00: 86 80 06 34 00 00 10 00 22 00 00 06 10 00 00 00
0x10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x20: 00 00 00 00 00 00 00 00 00 00 00 00 86 80 00 00
0x30: 00 00 00 00 60 00 00 00 00 00 00 00 05 01 00 00
0x40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x60: 05 90 02 01 00 00 00 00 00 00 00 00 00 00 00 00
0x70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x90: 10 e0 42 00 20 80 00 00 00 00 00 00 41 3c 3b 00
0xa0: 00 00 41 30 00 00 00 00 c0 07 00 01 00 00 00 00
0xb0: 00 00 00 00 3e 00 00 00 09 00 00 00 00 00 00 00
0xc0: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0xd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0xe0: 01 00 03 c8 08 00 00 00 00 00 00 00 00 00 00 00
0xf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
Link Capabilities: x4, Gen1
Link Status: x4, Gen1
 

 
Related Commands

Command
Description

show interface

Shows the interface statistics.

show tech-support

Shows information so Cisco TAC can diagnose problems.

show coredump filesystem

To show the contents of the coredump filesystem, enter the show coredump filesystem command.

show coredump filesystem

 
Syntax Description no coredump enable [filesystem < disk0: | disk1:>] [size <default | <size_in_MB>]

This command has no arguments or keywords.

 
Defaults

By default, coredumps are not enabled.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

 
Command History

Release
Modification

8.2(1)

This command was introduced.

 
Usage Guidelines

This command shows the contents of the coredump filesystem.

Examples

To show the contents of any recent coredumps generated, enter the show coredump filesystem command.

hostname(config)# show coredump filesystem
Coredump Filesystem Size is 100 MB
Filesystem type is FAT for disk0
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/loop0 102182 75240 26942 74% /mnt/disk0/coredumpfsys
Directory of disk0:/coredumpfsys/
246 -rwx 20205386 19:14:53 Nov 26 2008 core_lina.2008Nov26_191244.203.11.gz
247 -rwx 36707919 19:17:27 Nov 26 2008 core_lina.2008Nov26_191456.203.6.gz

 
Related Commands248 -rwx 20130838 19:26:36 Nov 26 2008 core_lina.2008Nov26_192407.203.11.gz

Command
Description

coredump enable

Enables the coredump feature.

clear configure coredump

Removes any coredumps currently stored on the coredump filesystem and clears the coredump log. Does not touch the coredump filesystem itself and does not change or affect the coredump configuration.

clear coredump

Removes any coredumps currently stored on the coredump filesystem and clears the coredump log. Does not touch the coredump filesystem itself and does not change/effect the coredump configuration.

show coredump log

Shows the coredump log.

show coredump log

To show the contents of the coredump log, newest first, enter the show coredump log command. To show the contents of the coredump log, oldest first, enter the show coredump log reverse command.

show coredump log

show coredump log [ reverse ]

 
Syntax Description

reverse

Shows the oldest coredump log.

 
Defaults

By default, coredumps are not enabled.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

 
Command History

Release
Modification

8.2(1)

This command was introduced.

 
Usage Guidelines

This command displays the contents of the coredump log. The logs should reflect what is currently on the disk.

Examples

The following example shows the output from these commands:

hostname(config)# show coredump log
[ 1 ] Wed Feb 18 22:12:09 2009: Coredump completed for module 'lina', coredump file 'core_lina.2009Feb18_221032.203.6.gz', size 971722752 bytes, compressed size 21293688
[ 2 ] Wed Feb 18 22:11:01 2009: Filesystem full on 'disk0', removing module coredump record 'core_lina.2009Feb18_213558.203.11.gz'
[ 3 ] Wed Feb 18 22:10:32 2009: Coredump started for module 'lina', generating coredump file 'core_lina.2009Feb18_221032.203.6.gz' on 'disk0'
[ 4 ] Wed Feb 18 21:37:35 2009: Coredump completed for module 'lina', coredump file 'core_lina.2009Feb18_213558.203.11.gz', size 971722752 bytes, compressed size 21286383
[ 5 ] Wed Feb 18 21:35:58 2009: Coredump started for module 'lina', generating coredump file 'core_lina.2009Feb18_213558.203.11.gz' on 'disk0'

Note The older coredump file is deleted to make room for the new coredump. This is done automatically by the ASA in the event the coredump filesystem fills and room is needed for the current coredump. This is why it is imperative to archive coredumps as soon as possible, to insure they don’t get overwritten in the event of a crash.


hostname(config)# show coredump log reverse

[ 1 ] Wed Feb 18 21:35:58 2009: Coredump started for module 'lina', generating coredump file 'core_lina.2009Feb18_213558.203.11.gz' on 'disk0''
[ 2 ] Wed Feb 18 21:37:35 2009: Coredump completed for module 'lina', coredump file 'core_lina.2009Feb18_213558.203.11.gz', size 971722752 bytes, compressed size 21286383
[ 3 ] Wed Feb 18 22:10:32 2009: Coredump started for module 'lina', generating coredump file 'core_lina.2009Feb18_221032.203.6.gz' on 'disk0'
[ 4 ] Wed Feb 18 22:11:01 2009: Filesystem full on 'disk0', removing module coredump record 'core_lina.2009Feb18_213558.203.11.gz'
[ 5 ] Wed Feb 18 22:12:09 2009: Coredump completed for module 'lina', coredump file 'core_lina.2009Feb18_221032.203.6.gz', size 971722752 bytes, compressed size 21293688
 

 
Related Commands

Command
Description

coredump enable

Enables the coredump feature.

clear configure coredump

Removes any coredumps currently stored on the coredump filesystem and clears the coredump log. Does not touch the coredump filesystem itself and does not change/effect the coredump configuration.

clear coredump

Removes any coredumps currently stored on the coredump filesystem and clears the coredump log. Does not touch the coredump filesystem itself and does not change or affect the coredump configuration.

show coredump filesystem

Shows the contents of the coredump filesystem.

show counters

To display the protocol stack counters, use the show counters command in privileged EXEC mode.

show counters [all | context context-name | summary | top N ] [ detail ] [protocol protocol_name [: counter_name ]] [ threshold N ]

 
Syntax Description

all

Displays the filter details.

context context-name

Specifies the context name.

: counter_name

Specifies a counter by name.

detail

Displays additional counters information.

protocol protocol_name

Displays the counters for the specified protocol.

summary

Displays a counter summary.

threshold N

Displays only those counters at or above the specified threshold. The range is 1 through 4294967295.

top N

Displays the counters at or above the specified threshold. The range is 1 through 4294967295.

 
Defaults

show counters summary detail threshold 1

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  •  
  •  
  •  

 
Command History

Release
Modification

ASAv

This command was introduced.

Examples

The following example shows how to display all counters:

ciscoasa# show counters all
Protocol Counter Value Context
IOS_IPC IN_PKTS 2 single_vf
IOS_IPC OUT_PKTS 2 single_vf
 
ciscoasa# show counters
Protocol Counter Value Context
NPCP IN_PKTS 7195 Summary
NPCP OUT_PKTS 7603 Summary
IOS_IPC IN_PKTS 869 Summary
IOS_IPC OUT_PKTS 865 Summary
IP IN_PKTS 380 Summary
IP OUT_PKTS 411 Summary
IP TO_ARP 105 Summary
IP TO_UDP 9 Summary
UDP IN_PKTS 9 Summary
UDP DROP_NO_APP 9 Summary
FIXUP IN_PKTS 202 Summary
UAUTH IPV6_UNSUPPORTED 27 Summary
IDFW HIT_USER_LIMIT 2 Summary
 

The following example shows how to display a summary of counters:

ciscoasa# show counters summary
Protocol Counter Value Context
IOS_IPC IN_PKTS 2 Summary
IOS_IPC OUT_PKTS 2 Summary
 

The following example shows how to display counters for a context:

ciscoasa# show counters context single_vf
Protocol Counter Value Context
IOS_IPC IN_PKTS 4 single_vf
IOS_IPC OUT_PKTS 4 single_vf
 

 
Related Commands

Command
Description

clear counters

Clears the protocol stack counters.

show cpu

To display the CPU utilization information, use the show cpu command in privileged EXEC mode.

[ cluster exec ] show cpu [ usage core-id | profile | dump | detailed ]

From the system configuration in multiple context mode:

[ cluster exec ] show cpu [ usage ] [ context { all | context_name }]

 
Syntax Description

all

Specifies that the display show all contexts.

cluster exec

(Optional) In a clustering environment, enables you to issue the show cpu command in one unit and run the command in all the other units at the same time.

context

Specifies that the display show a context.

context_name

Specifies the name of the context to display.

core-id

Specifies the number of the processor core.

detailed

(Optional) Displays the CPU usage internal details.

dump

(Optional) Displays the dump profiling data to the TTY.

profile

(Optional) Displays the CPU profiling data.

usage

(Optional) Displays the CPU usage.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  •  
  •  
  •  

 
Command History

Release
Modification

7.0(1)

This command was introduced.

8.6(1)

The core-id option was added to support the ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X.

9.1(2)

The output was updated for the show cpu profile and show cpu profile dump commands.

 
Usage Guidelines

The CPU usage is computed using an approximation of the load every five seconds, and by further feeding this approximation into two, following moving averages.

You can use the show cpu command to find process related loads (that is, activity on behalf of items listed by the output of the show process command in both single mode and from the system configuration in multiple context mode).

Further, you can request, when in multiple context mode, a breakdown of the process related load to CPU consumed by any configured contexts by changing to each context and entering the show cpu command or by entering the show cpu context command.

While process related load is rounded to the nearest whole number, context related loads include one additional decimal digit of precision. For example, entering the show cpu command from the system context produces a different number than from entering the show cpu context system command. The former is an approximate summary of everything that appears in the show cpu context all command, and the latter is only a portion of that summary.

You can use the show cpu profile dump command in conjunction with the cpu profile activate command to collect information for TAC use in troubleshooting CPU issues. The show cpu profile dump command output is in hexadecimal format.

If the CPU profiler is waiting for a starting condition to occur, the show cpu profile command displays the following output:

CPU profiling started: 12:45:57.209 UTC Wed Nov 14 2012
CPU Profiling waiting on starting condition.
Core 0: 0 out of 10 samples collected.
Core 1: 0 out of 10 samples collected.
Core 2: 0 out of 10 samples collected.
Core 3: 0 out of 10 samples collected.
CP
0 out of 10 samples collected.
 

Examples

The following example shows how to display the CPU utilization:

ciscoasa# show cpu usage
CPU utilization for 5 seconds = 18%; 1 minute: 18%; 5 minutes: 18%
 

The following example shows how to display detailed CPU utilization information:

ciscoasa# show cpu detailed
Break down of per-core data path versus control point cpu usage:
Core 5 sec 1 min 5 min
Core 0 0.0 (0.0 + 0.0) 3.3 (0.0 + 3.3) 2.4 (0.0 + 2.4)
 
Current control point elapsed versus the maximum control point elapsed for:
5 seconds = 99.0%; 1 minute: 99.8%; 5 minutes: 95.9%
 
CPU utilization of external processes for:
5 seconds = 0.2%; 1 minute: 0.0%; 5 minutes: 0.0%
 
Total CPU utilization for:
5 seconds = 0.2%; 1 minute: 3.3%; 5 minutes: 2.5%
 

Note The “Current control point elapsed versus the maximum control point elapsed for” statement means that the current control point load is compared to the maximum load seen within the defined time period. This is a ratio instead of an absolute number. The figure of 99% for the 5-second interval means that the current control point load is at 99% of the maximum load that is visible over this 5-second interval. If the load continues to increase all the time, then it will always remain at 100%. However, the actual CPU may still have a lot of free capacity because the maximum absolute value has not been defined.


The following example shows how to display the CPU utilization for the system context in multiple mode:

ciscoasa# show cpu context system
CPU utilization for 5 seconds = 9.1%; 1 minute: 9.2%; 5 minutes: 9.1%
 

The following example shows how to display the CPU utilization for all contexts:

ciscoasa# show cpu usage context all
5 sec 1 min 5 min Context Name
9.1% 9.2% 9.1% system
0.0% 0.0% 0.0% admin
5.0% 5.0% 5.0% one
4.2% 4.3% 4.2% two
 

The following example shows how to display the CPU utilization for a context named “one”:

ciscoasa/one# show cpu usage
CPU utilization for 5 seconds = 5.0%; 1 minute: 5.0%; 5 minutes: 5.0%
 

The following example activates the profiler and instructs it to store 1000 samples.

 
ciscoasa# cpu profile activate
Activated CPU profiling for 1000 samples.
Use "show cpu profile" to display the progress or "show cpu profile dump" to interrupt profiling and display the incomplete results.
 

The following examples show the status of the profiling (in-progress and completed):

ciscoasa# show cpu profile
CPU profiling started: 13:45:10.400 PST Fri Nov 16 2012
CPU profiling currently in progress:
Core 0: 209 out of 1000 samples collected.
Use "show cpu profile dump" to see the results after it is complete or to interrupt profiling and display the incomplete results.
 
ciscoasa# show cpu profile dump
Cisco Adaptive Security Appliance Software Version 9.1(2)
Hardware: ASA5555
CPU profiling started: 09:13:32.079 UTC Wed Jan 30 2013
No CPU profiling process specified.
No CPU profiling trigger specified.
cores: 2
 
Process virtual address map:
---------------------------
---------------------------
End of process map
Samples for core 0 - stopped
{0x00000000007eadb6,0x000000000211ee7e} ...
 

Copy this information and provide it to the TAC for decoding.

 
Related Commands

Command
Description

show counters

Displays the protocol stack counters.

cpu profile activate

Activates CPU profiling.