Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference, 3.2
show asp drop -- show curpriv
Downloads: This chapterpdf (PDF - 852.0KB) The complete bookPDF (PDF - 41.41MB) | Feedback

show asp drop through show curpriv Commands

Table Of Contents

show asp drop through show curpriv Commands

show asp drop

show asp table arp

show asp table classify

show asp table interfaces

show asp table mac-address-table

show asp table routing

show asp table vpn-context

show asr

show auto-update

show blocks

show capture

show checkheaps

show checksum

show chunkstat

show class

show conn

show console-output

show context

show counters

show counters description

show cpu

show cpu threshold

show crashinfo

show crypto accelerator statistics

show crypto ca certificates

show crypto ca crls

show crypto ipsec df-bit

show crypto ipsec fragmentation

show crypto key mypubkey

show crypto protocol statistics

show ctiqbe

show curpriv


show asp drop through show curpriv Commands


show asp drop

To debug dropped packets or connections that take place in the control plane path, use the show asp drop command in privileged EXEC mode. This command only shows packet and flow drops for traffic that passes through the control plane path, including most inspected traffic, traffic destined directly to the FWSM, and all IPv6 traffic. Packets and flows that are processed and dropped in the FWSM hardware do not appear in the output.

show asp drop [flow drop_reason | frame drop_reason]

Syntax Description

flow

(Optional) Shows the dropped flows (connections).

frame

(Optional) Shows the dropped packets.

drop_reason

(Optional) Shows the flows or packets dropped by a particular process.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

The show asp drop command might help you troubleshoot a problem with the control plane. This information is used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Related Commands

Command
Description

clear asp drop

Clears drop statistics for the accelerated security path.

show conn

Shows information about connections.


show asp table arp

To debug the accelerated security path ARP tables, use the show asp table arp command in privileged EXEC mode.

show asp table arp [interface interface_name] [address ip_address [netmask mask]]

Syntax Description

address ip_address

(Optional) Identifies an IP address for which you want to view ARP table entries.

interface interface_name

(Optional) Identifies a specific interface for which you want to view the ARP table.

netmask mask

(Optional) Sets the subnet mask for the IP address.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

The show arp command shows the contents of the control plane, while the show asp table arp command shows the contents of the accelerated security path, which might help you troubleshoot a problem. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide for more information about the accelerated security path. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp table arp command:

hostname# show asp table arp

Context: single_vf, Interface: inside
  10.86.194.50                            Active   000f.66ce.5d46 hits 0
  10.86.194.1                             Active   00b0.64ea.91a2 hits 638
  10.86.194.172                           Active   0001.03cf.9e79 hits 0
  10.86.194.204                           Active   000f.66ce.5d3c hits 0
  10.86.194.188                           Active   000f.904b.80d7 hits 0

Context: single_vf, Interface: identity
  ::                                      Active   0000.0000.0000 hits 0
  0.0.0.0                                 Active   0000.0000.0000 hits 50208

Related Commands

Command
Description

show arp

Shows the ARP table.

show arp statistics

Shows ARP statistics.


show asp table classify

To debug the accelerated security path classifier tables, use the show asp table classify command in privileged EXEC mode. The classifier examines properties of incoming packets, such as protocol, and source and destination address, to match each packet to an appropriate classification rule. Each rule is labeled with a classification domain that determines what types of actions are performed, such as dropping a packet or allowing it through.

show asp table classify [crypto | domain domain_name | interface interface_name]

Syntax Description

domain domain_name

(Optional) Shows entries for a specific classifier domain. See "Usage Guidelines" for a list of domains.

interface interface_name

(Optional) Identifies a specific interface for which you want to view the classifier table.

crypto

(Optional) Shows the encrypt, decrypt, and ipsec tunnel flow domains only.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

The show asp table classifier command shows the classifier contents of the accelerated security path, which might help you troubleshoot a problem. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide for more information about the accelerated security path. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Classifier domains include the following:

aaa-acct
aaa-auth
aaa-user
accounting
arp
capture
capture
conn-nailed
conn-set
ctcp
decrypt
encrypt
established
filter-activex
filter-ftp
filter-https
filter-java
filter-url
host
inspect
inspect-ctiqbe
inspect-dns
inspect-dns-ids
inspect-ftp
inspect-ftp-data
inspect-gtp
inspect-h323
inspect-http
inspect-icmp
inspect-icmp-error
inspect-ils
inspect-mgcp
inspect-netbios
inspect-pptp
inspect-rsh
inspect-rtsp
inspect-sip
inspect-skinny
inspect-smtp
inspect-snmp
inspect-sqlnet
inspect-sqlnet-plus
inspect-sunrpc
inspect-tftp
inspect-xdmcp
ipsec-natt
ipsec-tunnel-flow
ipsec-user
limits
lu
mac-permit
mgmt-lockdown
mgmt-tcp-intercept
multicast
nat
nat-exempt
nat-exempt-reverse
nat-reverse
null
permit
permit-ip-option
permit-log
pim
ppp
punt
punt-l2
punt-root
shun
tcp-intercept

Examples

The following is sample output from the show asp table classify command:

hostname# show asp table classify

Interface test:
in  id=0x36f3800, priority=10, domain=punt, deny=false
        hits=0, user_data=0x0, flags=0x0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.86.194.60, mask=255.255.255.255, port=0
in  id=0x33d3508, priority=99, domain=inspect, deny=false
        hits=0, user_data=0x0, use_real_addr, flags=0x0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
in  id=0x33d3978, priority=99, domain=inspect, deny=false
        hits=0, user_data=0x0, use_real_addr, flags=0x0
        src ip=0.0.0.0, mask=0.0.0.0, port=53
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
...

Related Commands

Command
Description

show asp drop

Shows the accelerated security path counters for dropped packets.


show asp table interfaces

To debug the accelerated security path interface tables, use the show asp table interfaces command in privileged EXEC mode.

show asp table interfaces

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

The show asp table interfaces command shows the interface table contents of the accelerated security path, which might help you troubleshoot a problem. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide for more information about the accelerated security path. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp table interfaces command:

hostname# show asp table interfaces

** Flags: 0x0001-DHCP, 0x0002-VMAC, 0x0010-Ident Ifc, 0x0020-HDB Initd,
   0x0040-RPF Enabled
Soft-np interface 'dmz' is up
    context single_vf, nicnum 0, mtu 1500
        vlan 300, Not shared, seclvl 50
        0 packets input, 1 packets output
        flags 0x20

Soft-np interface 'foo' is down
    context single_vf, nicnum 2, mtu 1500
        vlan 301, Not shared, seclvl 0
        0 packets input, 0 packets output
        flags 0x20

Soft-np interface 'outside' is down
    context single_vf, nicnum 1, mtu 1500
        vlan 302, Not shared, seclvl 50
        0 packets input, 0 packets output
        flags 0x20

Soft-np interface 'inside' is up
    context single_vf, nicnum 0, mtu 1500
        vlan 303, Not shared, seclvl 100
        680277 packets input, 92501 packets output
        flags 0x20
...

Related Commands

Command
Description

interface

Configures an interface and enters interface configuration mode.

show interface

Displays the runtime status and statistics of interfaces.


show asp table mac-address-table

To debug the accelerated security path MAC address tables, use the show asp table mac-address-table command in privileged EXEC mode.

show asp table mac-address-table [interface interface_name]

Syntax Description

interface interface_name

(Optional) Shows MAC address tables for a specific interface.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

The show asp table mac-address-table command shows the MAC address table contents of the accelerated security path, which might help you troubleshoot a problem. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide for more information about the accelerated security path. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp table mac-address-table command:

hostname# show asp table mac-address-table

interface                 mac  address       flags
--------------------------------------------------------
    inside1                   0009.b74d.3800     None
    inside1                   0007.e903.ad6e     None
    inside1                   0007.e950.2067     None
    inside1                   0050.0499.3749     None
    inside1                   0012.d96f.e200     None
    inside1                   0001.02a7.f4ec     None
    inside1                   0001.032c.6477     None
    inside1                   0004.5a2d.a1c8     None
    inside1                   0003.4773.c87b     None
    inside1                   000d.88ef.5d1c     None
    inside1                   00c0.b766.adce     None
    inside1                   0050.5640.450d     None
    inside1                   0001.03cf.0431     None
...

Related Commands

Command
Description

show mac-address-table

Shows the MAC address table, including dynamic and static entries.


show asp table routing

To debug the accelerated security path routing tables, use the show asp table routing command in privileged EXEC mode. This command supports IPv4 and IPv6 addresses.

show asp table routing [input | output] [address ip_address [netmask mask] | interface interface_name]

Syntax Description

address ip_address

Sets the IP address for which you want to view routing entries. For IPv6 addresses, you can include the subnet mask as a slash (/) followed by the prefix (0 to 128). For example, enter the following:

fe80::2e0:b6ff:fe01:3b7a/128

input

Shows the entries from the input route table.

interface interface_name

(Optional) Identifies a specific interface for which you want to view the routing table.

netmask mask

For IPv4 addresses, specifies the subnet mask.

output

Shows the entries from the output route table.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

The show asp table routing command shows the routing table contents of the accelerated security path, which might help you troubleshoot a problem. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide for more information about the accelerated security path. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp table routing command:

hostname# show asp table routing

in   255.255.255.255 255.255.255.255 identity
in   224.0.0.9       255.255.255.255 identity
in   10.86.194.60    255.255.255.255 identity
in   10.86.195.255   255.255.255.255 identity
in   10.86.194.0     255.255.255.255 identity
in   209.165.202.159 255.255.255.255 identity
in   209.165.202.255 255.255.255.255 identity
in   209.165.201.30  255.255.255.255 identity
in   209.165.201.0   255.255.255.255 identity
in   10.86.194.0     255.255.254.0   inside
in   224.0.0.0       240.0.0.0       identity
in   0.0.0.0         0.0.0.0         inside
out  255.255.255.255 255.255.255.255 foo
out  224.0.0.0       240.0.0.0       foo
out  255.255.255.255 255.255.255.255 test
out  224.0.0.0       240.0.0.0       test
out  255.255.255.255 255.255.255.255 inside
out  10.86.194.0     255.255.254.0   inside
out  224.0.0.0       240.0.0.0       inside
out  0.0.0.0         0.0.0.0         via 10.86.194.1, inside
out  0.0.0.0         0.0.0.0         via 0.0.0.0, identity
out  ::              ::              via 0.0.0.0, identity

Related Commands

Command
Description

show route

Shows the routing table in the control plane.


show asp table vpn-context

To debug the accelerated security path VPN context tables, use the show asp table vpn-context command in privileged EXEC mode.

show asp table vpn-context [detail]

Syntax Description

detail

(Optional) Shows additional detail for the VPN context tables.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

The show asp table vpn-context command shows the VPN context contents of the accelerated security path, which might help you troubleshoot a problem. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide for more information about the accelerated security path. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp table vpn-context command:

hostname# show asp table vpn-context

VPN ID=0058070576, DECR+ESP, UP, pk=0000000000, rk=0000000000, gc=0
VPN ID=0058193920, ENCR+ESP, UP, pk=0000000000, rk=0000000000, gc=0
VPN ID=0058168568, DECR+ESP, UP, pk=0000299627, rk=0000000061, gc=2
VPN ID=0058161168, ENCR+ESP, UP, pk=0000305043, rk=0000000061, gc=1
VPN ID=0058153728, DECR+ESP, UP, pk=0000271432, rk=0000000061, gc=2
VPN ID=0058150440, ENCR+ESP, UP, pk=0000285328, rk=0000000061, gc=1
VPN ID=0058102088, DECR+ESP, UP, pk=0000268550, rk=0000000061, gc=2
VPN ID=0058134088, ENCR+ESP, UP, pk=0000274673, rk=0000000061, gc=1
VPN ID=0058103216, DECR+ESP, UP, pk=0000252854, rk=0000000061, gc=2
...

The following is sample output from the show asp table vpn-context detail command:

hostname# show asp table vpn-context detail

VPN Ctx  = 0058070576 [0x03761630]
State    = UP
Flags    = DECR+ESP
SA       = 0x037928F0
SPI      = 0xEA0F21F0
Group    = 0
Pkts     = 0
Bad Pkts = 0
Bad SPI  = 0
Spoof    = 0
Bad Crypto = 0
Rekey Pkt  = 0
Rekey Call = 0
 
VPN Ctx  = 0058193920 [0x0377F800]
State    = UP
Flags    = ENCR+ESP
SA       = 0x037B4B70
SPI      = 0x900FDC32
Group    = 0
Pkts     = 0
Bad Pkts = 0
Bad SPI  = 0
Spoof    = 0
Bad Crypto = 0
Rekey Pkt  = 0
Rekey Call = 0
...

Related Commands

Command
Description

show asp drop

Shows the accelerated security path counters for dropped packets.


show asr

To display the members of ASR groups, use the show asr command in privileged EXEC mode.

show asr {group_id | all}

Syntax Description

group_id

Displays the VLANs that are members of the specified ASR group. Valid values are 1 through 32.

all

Displays the membership for all 32 ASR groups.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

An ASR group can contain up to 8 members. A "0" (zero) in the output indicates an empty slot.

The show asr command provides the same output as the show np asr command.

Examples

The following is sample output from the show asr command. It limits the display to VLANs that are members of ASR group 1.

hostname# sh asr 1

ASR Group |    Vlan Entries in ASR Group (0 denotes empty slot)
----------|----------------------------------------------------
        1 |    10   20   0    0    0    0    0    0

The following is sample output from the show asr command. It displays VLAN membership for all possible ASR groups. In this example, only ASR group 1 has member VLANs.

hostname# sh asr all
ASR Group |    Vlan Entries in ASR Group (0 denotes empty slot)
----------|----------------------------------------------------
        1 |    10   20   0    0    0    0    0    0
        2 |    0    0    0    0    0    0    0    0
        3 |    0    0    0    0    0    0    0    0
        4 |    0    0    0    0    0    0    0    0
        5 |    0    0    0    0    0    0    0    0
        6 |    0    0    0    0    0    0    0    0
        7 |    0    0    0    0    0    0    0    0
        8 |    0    0    0    0    0    0    0    0
        9 |    0    0    0    0    0    0    0    0
       10 |    0    0    0    0    0    0    0    0
       11 |    0    0    0    0    0    0    0    0
       12 |    0    0    0    0    0    0    0    0
       13 |    0    0    0    0    0    0    0    0
       14 |    0    0    0    0    0    0    0    0
       15 |    0    0    0    0    0    0    0    0
       16 |    0    0    0    0    0    0    0    0
       17 |    0    0    0    0    0    0    0    0
       18 |    0    0    0    0    0    0    0    0
       19 |    0    0    0    0    0    0    0    0
       20 |    0    0    0    0    0    0    0    0
       21 |    0    0    0    0    0    0    0    0
       22 |    0    0    0    0    0    0    0    0
       23 |    0    0    0    0    0    0    0    0
       24 |    0    0    0    0    0    0    0    0
       25 |    0    0    0    0    0    0    0    0
       26 |    0    0    0    0    0    0    0    0
       27 |    0    0    0    0    0    0    0    0
       28 |    0    0    0    0    0    0    0    0
       29 |    0    0    0    0    0    0    0    0
       30 |    0    0    0    0    0    0    0    0
       31 |    0    0    0    0    0    0    0    0
       32 |    0    0    0    0    0    0    0    0

Related Commands

Command
Description

asr-group

Specifies an interface as a member of an ASR group.


show auto-update

To view the Auto Update Server configfuration, use the show auto-update command in privileged EXEC mode.

show auto-update

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

This command was introduced.


Examples

The following is sample output from the show auto-update command:

hostname# show arp-inspection
Poll period: 1 minutes, retry count: 1, retry period: 5 minutes
Timeout: none
Device ID: host name [farscape]

Related Commands

Command
Description

auto-update device-id

Sets the FWSM device ID for use with an Auto Update Server.

auto-update poll-period

Sets how often the FWSM checks for updates from an Auto Update Server.

auto-update server

Identifies the Auto Update Server.

auto-update timeout

Stops traffic from passing through the FWSM if the Auto Update Server is not contacted within the timeout period.

clear configure auto-update

Clears the Auto Update Server configuration


show blocks

To show the packet buffer utilization, use the show blocks command in privileged EXEC mode.

show blocks [{address hex | all | assigned | free | old | pool size [summary]} [diagnostics | dump | header | packet] | queue history [detail]]

Syntax Description

address hex

(Optional) Shows a block corresponding to this address, in hexadecimal.

all

(Optional) Shows all blocks.

assigned

(Optional) Shows blocks that are assigned and in use by an application.

detail

(Optional) Shows a portion (128 bytes) of the first block for each unique queue type.

dump

(Optional) Shows the entire block contents, including the header and packet information. The difference between dump and packet is that dump includes additional information between the header and the packet.

diagnostics

(Optional) Shows block diagnostics.

free

(Optional) Shows blocks that are available for use.

header

(Optional) Shows the header of the block.

old

(Optional) Shows blocks that were assigned more than a minute ago.

packet

(Optional) Shows the header of the block as well as the packet contents.

pool size

(Optional) Shows blocks of a specific size.

queue history

(Optional) Shows where blocks are assigned when the FWSM runs out of blocks. Sometimes, a block is allocated from the pool but never assigned to a queue. In that case, the location is the code address that allocated the block.

summary

(Optional) Shows detailed information about block usage sorted by the program addresses of applications that allocated blocks in this class, program addresses of applications that released blocks in this class, and the queues to which valid blocks in this class belong.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

The pool summary option was added.


Usage Guidelines

The show blocks command helps you determine if the FWSM is overloaded. This command lists preallocated system buffer utilization. A full memory condition is not a problem as long as traffic is moving through the FWSM. You can use the show conn command to see if traffic is moving. If traffic is not moving and the memory is full, there may be a problem.

You can also view this information using SNMP.

The information shown in a security context includes the system-wide information as well as context-specific information about the blocks in use and the high water mark for block usage.

See the "Examples" section for a description of the display output.

Examples

The following is sample output from the show blocks command in single mode:

hostname# show blocks
SIZE    MAX    LOW    CNT
     4   1600   1598   1599
    80    400    398    399
   256   3600   3540   3542
  1550   4716   3177   3184
 16384     10     10     10
  2048   1000   1000   1000

Table 3 shows each field description.

Table 25-1 show blocks Fields 

Field
Description

SIZE

Size, in bytes, of the block pool. Each size represents a particular type. Examples are shown below.

4

Duplicates existing blocks in applications such as DNS, ISAKMP, URL filtering, uauth, TFTP, and TCP modules.

80

Used in TCP intercept to generate acknowledgment packets and for failover hello messages.

256

Used for Stateful Failover updates, syslogging, and other TCP functions.

These blocks are mainly used for Stateful Failover messages. The active FWSM generates and sends packets to the standby FWSM to update the translation and connection table. In bursty traffic, where high rates of connections are created or torn down, the number of available blocks might drop to 0. This situation indicates that one or more connections were not updated to the standby FWSM. The Stateful Failover protocol catches the missing translation or connection the next time. If the CNT column for 256-byte blocks stays at or near 0 for extended periods of time, then the FWSM is having trouble keeping the translation and connection tables synchronized because of the number of connections per second that the FWSM is processing.

Syslog messages sent out from the FWSM also use the 256-byte blocks, but they are generally not released in such quantity to cause a depletion of the 256-byte block pool. If the CNT column shows that the number of 256-byte blocks is near 0, ensure that you are not logging at Debugging (level 7) to the syslog server. This is indicated by the logging trap line in the FWSM configuration. We recommend that you set logging at Notification (level 5) or lower, unless you require additional information for debugging purposes.

1550

Used to store Ethernet packets for processing through the FWSM.

When a packet enters a FWSM interface, it is placed on the input interface queue, passed up to the operating system, and placed in a block. The FWSM determines whether the packet should be permitted or denied based on the security policy and processes the packet through to the output queue on the outbound interface. If the FWSM is having trouble keeping up with the traffic load, the number of available blocks will hover close to 0 (as shown in the CNT column of the command output). When the CNT column is zero, the FWSM attempts to allocate more blocks, up to a maximum of 8192. If no more blocks are available, the FWSM drops the packet.

16384

Only used for the 64-bit, 66-MHz Gigabit Ethernet cards (i82543).

See the description for 1550 for more information about Ethernet packets.

2048

Control or guided frames used for control updates.

MAX

Maximum number of blocks available for the specified byte block pool. The maximum number of blocks are carved out of memory at bootup. Typically, the maximum number of blocks does not change. The exception is for the 256- and 1550-byte blocks, where the FWSM can dynamically create more when needed, up to a maximum of 8192.

LOW

Low-water mark. This number indicates the lowest number of this size blocks available since the FWSM was powered up, or since the last clearing of the blocks (with the clear blocks command). A zero in the LOW column indicates a previous event where memory was full.

CNT

Current number of blocks available for that specific size block pool. A zero in the CNT column means memory is full now.


The following is sample output from the show blocks all command:

hostname# show blocks all
Class 0, size 4
     Block   allocd_by    freed_by  data size    alloccnt     dup_cnt  oper location
0x01799940  0x00000000  0x00101603          0           0           0 alloc not_specified
0x01798e80  0x00000000  0x00101603          0           0           0 alloc not_specified
0x017983c0  0x00000000  0x00101603          0           0           0 alloc not_specified

...

    Found 1000 of 1000 blocks
    Displaying 1000 of 1000 blocks

Table 4 shows each field description.

Table 25-2 show blocks all Fields

Field
Description

Block

The block address.

allocd_by

The program address of the application that last used the block (0 if not used).

freed_by

The program address of the application that last released the block.

data size

The size of the application buffer/packet data that is inside the block.

alloccnt

The number of times this block has been used since the block came into existence.

dup_cnt

The current number of references to this block if used: 0 means 1 reference, 1 means 2 references.

oper

One of the four operations that was last performed on the block: alloc, get, put, or free.

location

The application that uses the block, or the program address of the application that last allocated the block (same as the allocd_by field).


The following is sample output from the show blocks command in a context:

hostname/contexta# show blocks
  SIZE    MAX    LOW    CNT  INUSE   HIGH
     4   1600   1599   1599      0      0
    80    400    400    400      0      0
   256   3600   3538   3540      0      1
  1550   4616   3077   3085      0      0

The following is sample output from the show blocks queue history command:

hostname# show blocks queue history
Each Summary for User and Queue_type is followed its top 5 individual queues
Block Size: 4
Summary for User "http", Queue "tcp_unp_c_in", Blocks 1595, Queues 1396
Blk_cnt Q_cnt Last_Op Queue_Type        User      Context
    186     1 put                                 contexta
     15     1 put                                 contexta
      1     1 put                                 contexta
      1     1 put                                 contextb
      1     1 put                                 contextc
Summary for User "aaa", Queue "tcp_unp_c_in", Blocks 220, Queues 200
Blk_cnt Q_cnt Last_Op Queue_Type        User      Context
     21     1 put                                 contexta
      1     1 put                                 contexta
      1     1 put                                 contexta
      1     1 put                                 contextb
      1     1 put                                 contextc
Blk_cnt Q_cnt Last_Op Queue_Type        User      Context
    200     1 alloc   ip_rx             tcp       contexta
    108     1 get     ip_rx             udp       contexta
     85     1 free    fixup             h323_ras  contextb
     42     1 put     fixup             skinny    contextb

Block Size: 1550
Summary for User "http", Queue "tcp_unp_c_in", Blocks 1595, Queues 1000
Blk_cnt Q_cnt Last_Op Queue_Type        User      Context
    186     1 put                                 contexta
     15     1 put                                 contexta
      1     1 put                                 contexta
      1     1 put                                 contextb
      1     1 put                                 contextc
...

The following is sample output from the show blocks queue history detail command:

hostname# show blocks queue history detail
History buffer memory usage: 2136 bytes (default)
Each Summary for User and Queue type is followed its top 5 individual queues
Block Size: 4
Summary for User "http", Queue_Type "tcp_unp_c_in", Blocks 1595, Queues 1396
Blk_cnt Q_cnt Last_Op Queue_Type        User      Context
    186     1 put                                 contexta
     15     1 put                                 contexta
      1     1 put                                 contexta
      1     1 put                                 contextb
      1     1 put                                 contextc
 First Block information for Block at 0x.....
  dup_count 0, flags 0x8000000, alloc_pc 0x43ea2a,
  start_addr 0xefb1074, read_addr 0xefb118c, write_addr 0xefb1193
  urgent_addr 0xefb118c, end_addr 0xefb17b2
  0efb1150: 00 00 00 03 47 c5 61 c5 00 05 9a 38 76 80 a3 00  |  ....G.a....8v...
  0efb1160: 00 0a 08 00 45 00 05 dc 9b c9 00 00 ff 06 f8 f3  |  ....E...........
  0efb1170: 0a 07 0d 01 0a 07 00 50 00 17 cb 3d c7 e5 60 62  |  .......P...=..`b
  0efb1180: 7e 73 55 82 50 18 10 00 45 ca 00 00 2d 2d 20 49  |  ~sU.P...E...-- I
  0efb1190: 50 20 2d 2d 0d 0a 31 30 2e 37 2e 31 33 2e 31 09  |  P --..10.7.13.1.
  0efb11a0: 3d 3d 3e 09 31 30 2e 37 2e 30 2e 38 30 0d 0a 0d  |  ==>.10.7.0.80...

Summary for User "aaa", Queue "tcp_unp_c_in", Blocks 220, Queues 200
Blk_cnt Q_cnt Last_Op Queue_Type        User      Context
     21     1 put                                 contexta
      1     1 put                                 contexta
      1     1 put                                 contexta
      1     1 put                                 contextb
      1     1 put                                 contextc
 First Block information for Block at 0x.....
  dup_count 0, flags 0x8000000, alloc_pc 0x43ea2a,
  start_addr 0xefb1074, read_addr 0xefb118c, write_addr 0xefb1193
  urgent_addr 0xefb118c, end_addr 0xefb17b2
  0efb1150: 00 00 00 03 47 c5 61 c5 00 05 9a 38 76 80 a3 00  |  ....G.a....8v...
  0efb1160: 00 0a 08 00 45 00 05 dc 9b c9 00 00 ff 06 f8 f3  |  ....E...........
  0efb1170: 0a 07 0d 01 0a 07 00 50 00 17 cb 3d c7 e5 60 62  |  .......P...=..`b
  0efb1180: 7e 73 55 82 50 18 10 00 45 ca 00 00 2d 2d 20 49  |  ~sU.P...E...-- I
  0efb1190: 50 20 2d 2d 0d 0a 31 30 2e 37 2e 31 33 2e 31 09  |  P --..10.7.13.1.
  0efb11a0: 3d 3d 3e 09 31 30 2e 37 2e 30 2e 38 30 0d 0a 0d  |  ==>.10.7.0.80...
...

total_count: total buffers in this class

The following is sample output from the show blocks pool summary command:

hostname# show blocks pool 1550 summary
Class 3, size 1550

=================================================
         total_count=1531    miss_count=0
Alloc_pc        valid_cnt       invalid_cnt
0x3b0a18        00000256        00000000
         0x01ad0760 0x01acfe00 0x01acf4a0 0x01aceb40 00000000 0x00000000
0x3a8f6b        00001275        00000012
         0x05006aa0 0x05006140 0x050057e0 0x05004520 00000000 
0x00000000

=================================================
         total_count=9716    miss_count=0
Freed_pc        valid_cnt       invalid_cnt
0x9a81f3        00000104        00000007
         0x05006140 0x05000380 0x04fffa20 0x04ffde00 00000000 0x00000000
0x9a0326        00000053        00000033
         0x05006aa0 0x050057e0 0x05004e80 0x05003260 00000000 0x00000000
0x4605a2        00000005        00000000
         0x04ff5ac0 0x01e8e2e0 0x01e2eac0 0x01e17d20 00000000 0x00000000
...
=================================================
         total_count=1531    miss_count=0
Queue   valid_cnt       invalid_cnt
0x3b0a18        00000256        00000000  Invalid Bad qtype
         0x01ad0760 0x01acfe00 0x01acf4a0 0x01aceb40 00000000 0x00000000
0x3a8f6b        00001275        00000000  Invalid Bad qtype
         0x05006aa0 0x05006140 0x050057e0 0x05004520 00000000 
0x00000000

=================================================
free_cnt=8185  fails=0  actual_free=8185  hash_miss=0
   03a8d3e0  03a8b7c0  03a7fc40  03a6ff20  03a6f5c0  03a6ec60 kao-f1#

Table 5 shows each field description.

Table 25-3 show blocks pool summary Fields

Field
Description

total_count

The number of blocks for a given class.

miss_count

The number of blocks not reported in the specified category due to technical reasons.

Freed_pc

The program addresses of applications that released blocks in this class.

Alloc_pc

The program addresses of applications that allocated blocks in this class.

Queue

The queues to which valid blocks in this class belong.

valid_cnt

The number of blocks that are currently allocated.

invalid_cnt

The number of blocks that are not currently allocated.

Invalid Bad qtype

Either this queue has been freed and the contents are invalid or this queue was never initialized.

Valid tcp_usr_conn_inp

The queue is valid.


Related Commands

Command
Description

blocks

Increases the memory assigned to block diagnostics

clear blocks

Clears the system buffer statistics.

show conn

Shows active connections.


show capture

To display the capture configuration when no options are specified, use the show capture command.

show capture [capture_name] [access-list access_list_name] [count number] [detail] [dump] [packet-number number]

Syntax Description

capture_name

(Optional) Name of the packet capture.

access-list access_list_name

(Optional) Displays information for packets that are based on IP or higher fields for the specific access list identification.

count number

(Optional) Displays the number of packets specified data.

detail

(Optional) Displays additional protocol information for each packet.

dump

(Optional) Displays a hexadecimal dump of the packets that are transported over the data link transport.

packet-number number

Starts the display at the specified packet number.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

3.1(1)

Support for this command was introduced.


Usage Guidelines

If you specify the capture_name, then the capture buffer contents for that capture are displayed.

The dump keyword does not display MAC information in the hexadecimal dump.

The decoded output of the packets depend on the protocol of the packet. In Table 25-4, the bracketed output is displayed when you specify the detail keyword.

Table 25-4 Packet Capture Output Formats 

Packet Type
Capture Output Format

IP/ICMP

HH:MM:SS.ms [ether-hdr] ip-source > ip-destination: icmp: icmp-type icmp-code [checksum-failure]

IP/UDP

HH:MM:SS.ms [ether-hdr] src-addr.src-port dest-addr.dst-port: [checksum-info] udp payload-len

IP/TCP

HH:MM:SS.ms [ether-hdr] src-addr.src-port dest-addr.dst-port: tcp-flags [header-check] [checksum-info] sequence-number ack-number tcp-window urgent-info tcp-options

IP/Other

HH:MM:SS.ms [ether-hdr] src-addr dest-addr: ip-protocol ip-length

Other

HH:MM:SS.ms ether-hdr: hex-dump


Examples

The following is sample output from the show capture command. It displays the captures configured on the FWSM.

hostname(config)# sh capture

capture cap_out type raw-data access-list capture interface outside[Capturing - 504 bytes]
capture cap_in type raw-data access-list capture interface inside[Capturing - 504 bytes]

The following is sample output from the show capture command for a specific capture:

hostname(config)# sh capture cap_in

6 packets seen, 6 packets captured
   1: 22:46:15.235410840 802.1Q vlan#3 P0 10.2.1.1 > 10.1.1.1: icmp: echo request
   2: 22:46:15.235410840 802.1Q vlan#3 P0 10.1.1.1 > 10.2.1.1: icmp: echo reply
   3: 22:46:16.235411840 802.1Q vlan#3 P0 10.2.1.1 > 10.1.1.1: icmp: echo request
   4: 22:46:16.235411840 802.1Q vlan#3 P0 10.1.1.1 > 10.2.1.1: icmp: echo reply
   5: 22:46:17.235412840 802.1Q vlan#3 P0 10.2.1.1 > 10.1.1.1: icmp: echo request
   6: 22:46:17.235412850 802.1Q vlan#3 P0 10.1.1.1 > 10.2.1.1: icmp: echo reply
6 packets shown

The following is sample output for the show capture command with the detail keyword:

hostname(config)# sh capture cap_out detail

6 packets seen, 6 packets captured
   1: 22:46:15.235410840 0016.c873.9300 0001.0310.f4c5 0x8100 102: 802.1Q vlan#2 P0 
10.2.1.1 > 10.1.1.1: icmp: echo request (DF) (ttl 64, id 0)
   2: 22:46:15.235410840 0001.0310.f4c5 0016.c873.9300 0x8100 102: 802.1Q vlan#2 P0 
10.1.1.1 > 10.2.1.1: icmp: echo reply (ttl 64, id 26957)
   3: 22:46:16.235411840 0016.c873.9300 0001.0310.f4c5 0x8100 102: 802.1Q vlan#2 P0 
10.2.1.1 > 10.1.1.1: icmp: echo request (DF) (ttl 64, id 0)
   4: 22:46:16.235411840 0001.0310.f4c5 0016.c873.9300 0x8100 102: 802.1Q vlan#2 P0 
10.1.1.1 > 10.2.1.1: icmp: echo reply (ttl 64, id 26958)
   5: 22:46:17.235412840 0016.c873.9300 0001.0310.f4c5 0x8100 102: 802.1Q vlan#2 P0 
10.2.1.1 > 10.1.1.1: icmp: echo request (DF) (ttl 64, id 0)
   6: 22:46:17.235412850 0001.0310.f4c5 0016.c873.9300 0x8100 102: 802.1Q vlan#2 P0 
10.1.1.1 > 10.2.1.1: icmp: echo reply (ttl 64, id 26959)
6 packets shown
hostname(config)#

Related Commands

Command
Description

capture

Enables packet capture capabilities for packet sniffing and network fault isolation.

clear capture

Clears the capture buffer.

copy capture

Copies a capture file to a server.


show checkheaps

To show the checkheaps statistics, use the show checkheaps command in privileged EXEC mode. Checkheaps is a periodic process that verifies the sanity of the heap memory buffers (dynamic memory is allocated from the system heap memory region) and the integrity of the code region.

show checkheaps

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

Support for this command was introduced.


Examples

The following is sample output from the show checkheaps command:

hostname# show checkheaps

Checkheaps stats from buffer validation runs
--------------------------------------------
Time elapsed since last run     : 42 secs
Duration of last run            : 0 millisecs
Number of buffers created       : 8082
Number of buffers allocated     : 7808
Number of buffers free          : 274
Total memory in use             : 43570344 bytes
Total memory in free buffers    : 87000 bytes
Total number of runs            : 310

Related Commands

Command
Description

checkheaps

Sets the checkheap verification intervals.


show checksum

To display the configuration checksum, use the show checksum command in privileged EXEC mode.

show checksum

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

·

·

·

·

 

Command History

Release
Modification

3.1(1)

Support for this command was introduced.


Usage Guidelines

The show checksum command allows you to display four groups of hexadecimal numbers that act as a digital summary of the configuration contents. This checksum is calculated only when you store the configuration in Flash memory.

If a dot (".") appears before the checksum in the show config or show checksum command output, the output indicates a normal configuration load or write mode indicator (when loading from or writing to the FWSM Flash partition). The "." shows that the FWSM is preoccupied with the operation but is not "hung up." This message is similar to a "system processing, please wait" message.

Examples

This example shows how to display the configuration or the checksum:

hostname(config)# show checksum
Cryptochecksum: 1a2833c0 129ac70b 1a88df85 650dbb81

show chunkstat

To display the chunk statistics, use the show chunkstat command in privileged EXEC mode.

show chunkstat

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

1.1(1)

This command was introduced.


Examples

The following example shows how to display the chunk statistics:

hostname# show chunkstat
Global chunk statistics: created 181, destroyed 34, siblings created 94, siblings 
destroyed 34

Per-chunk statistics: siblings created 0, siblings trimmed 0
Dump of chunk at 01edb4cc, name "Managed Chunk Queue Elements", data start @ 01edbd24, end 
@ 01eddc54
next: 01eddc8c, next_sibling: 00000000, prev_sibling: 00000000
flags 00000001
maximum chunk elt's: 499, elt size: 16, index first free 498
# chunks in use: 1, HWM of total used: 1, alignment: 0
Per-chunk statistics: siblings created 0, siblings trimmed 0
Dump of chunk at 01eddc8c, name "Registry Function List", data start @ 01eddea4, end @ 
01ede348
next: 01ede37c, next_sibling: 00000000, prev_sibling: 00000000
flags 00000001
maximum chunk elt's: 99, elt size: 12, index first free 42
# chunks in use: 57, HWM of total used: 57, alignment: 0

Related Commands

Command
Description

show counters

Displays the protocol stack counters.

show cpu

Displays the CPU utilization information.


show class

To show the contexts assigned to a class, use the show class command in privileged EXEC mode.

show class name

Syntax Description

name

Specifies the name as a string up to 20 characters long. To show the default class, enter default for the name.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

N/A

N/A


Command History

Release
Modification

2.2(1)

This command was introduced.


Examples

The following is sample output from the show class default command:

hostname# show class default

Class Name           Members    ID   Flags
default                All       1    0001

Related Commands

Command
Description

class

Configures a resource class.

clear configure class

Clears the class configuration.

context

Configures a security context.

limit-resource

Sets the resource limit for a class.

member

Assigns a context to a resource class.


show conn

To display the connection state for the designated connection type, use the show conn command in privileged EXEC mode. This command supports IPv4 and IPv6 addresses.

show conn [all | count] [state state_type] | [{{foreign | local} ip [-ip2] netmask mask}] | [long | detail] | [{{lport | fport} port1} [-port2]] | [protocol {tcp | udp}]

Syntax Description

all

Display connections that are to the device or from the device, in addition to through-traffic connections.

count

(Optional) Displays the number of active connections.

detail

Displays connections in detail, including translation type and interface information.

foreign

Displays connections with the specified foreign IP address.

fport

Displays connections with the specified foreign port.

ip

IP address in dotted-decimal format or beginning address in a range of IP addresses.

-ip2

(Optional) Ending IP address in a range of IP addresses.

local

Displays connections with the specified local IP address.

long

(Optional) Displays connections in long format.

lport

Displays connections with the specified local port.

netmask

Specifies a subnet mask for use with the given IP address.

mask

Subnet mask in dotted-decimal format.

port1

Port number or beginning port number in a range of port numbers.

-port2

(Optional) Ending port number in a range of port numbers.

protocol

(Optional) Specifies the connection protocol.

state

(Optional) Displays the state of specified connections.

state_type

Specifies the connection state type. See Table 7 for a list of the keywords available for connection state types.

tcp

Displays TCP protocol connections.

udp

Displays UDP protocol connections.


Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

1.1(1)

This command was introduced.

3.2(1)

The b state for TCP state bypass and X state for xlate bypass were added.


Usage Guidelines

The show conn command displays the number of active TCP connections, and provides information about connections of various types. Use the show conn all command to see the entire table of connections.


Note When the FWSM creates a pinhole to allow secondary connections, this is shown as an incomplete conn by the show conn command. To clear this incomplete conn use the clear local command.


The connection types that you can specify using the show conn state command are defined in Table 7. When specifying multiple connection types, use commas without spaces to separate the keywords.

Table 25-5 Connection State Types 

Keyword
Connection Type Displayed

up

Connections in the up state.

conn_inbound

Inbound connections.

ctiqbe

CTIQBE connections

data_in

Inbound data connections.

data_out

Outbound data connections.

finin

FIN inbound connections.

finout

FIN outbound connections.

h225

H.225 connections

h323

H.323 connections

http_get

HTTP get connections.

mgcp

MGCP connections.

nojava

Connections that deny access to Java applets.

rpc

RPC connections.

sip

SIP connections.

skinny

SCCP connections.

smtp_data

SMTP mail data connections.

sqlnet_fixup_data

SQL*Net data inspection engine connections.


When you use the detail option, the system displays information about the translation type and interface information using the connection flags defined in Table 8.

Table 25-6 Connection Flags 

Flag
Description

a

awaiting outside ACK to SYN

A

awaiting inside ACK to SYN

b

State bypass

B

initial SYN from outside

C

Computer Telephony Interface Quick Buffer Encoding (CTIQBE) media connection

d

dump

D

DNS

E

outside back connection

f

inside FIN

F

outside FIN

g

Media Gateway Control Protocol (MGCP) connection

G

connection is part of a group1

h

H.225

H

H.323

i

incomplete TCP or UDP connection

I

inbound data

k

Skinny Client Control Protocol (SCCP) media connection

m

SIP media connection

M

SMTP data

n

GUP

O

outbound data

p

replicated (unused)

P

inside back connection

q

SQL*Net data

r

inside acknowledged FIN

R

outside acknowledged FIN for TCP connection

R

UDP RPC2

s

awaiting outside SYN

S

awaiting inside SYN

t

SIP transient connection3

T

SIP connection4

U

up

X

xlate creation bypassed

1 The G flag indicates the connection is part of a group. It is set by the GRE and FTP Strict fixups to designate the control connection and all its associated secondary connections. If the control connection terminates, then all associated secondary connections are also terminated.

2 Because each row of show conn command output represents one connection (TCP or UDP ), there will be only one R flag per row.

3 For UDP connections, the value t indicates that it will timeout after one minute.

4 For UDP connections, the value T indicates that the connection will timeout according to the value specified using the timeout sip command.



Note For connections using a DNS server, the source port of the connection may be replaced by the IP address of DNS server in the show conn command output.


A single connection is created for multiple DNS sessions, as long as they are between the same two hosts, and the sessions have the same 5-tuple (source/destination IP address, source/destination port, and protocol). DNS identification is tracked by app_id, and the idle timer for each app_id runs independently.

Because the app_id expires independently, a legitimate DNS response can only pass through the FWSM within a limited period of time and there is no resource build-up. However, when you enter the show conn command, you will see the idle timer of a DNS connection being reset by a new DNS session. This is due to the nature of the shared DNS connection and is by design.


Note When there is no TCP traffic for the period of inactivity defined by the conn timeout command (by default, 1:00:00), the connection is closed and the corresponding conn flag entries are no longer displayed.


Examples

When specifying multiple connection types, use commas without spaces to separate the keywords. The following is sample output including RPC, H.323, and SIP connection information in the Up state from the show conn command:

hostname# show conn state up,rpc,h323,sip

The following is sample output that shows a TCP session connection from inside host 10.1.1.15 to the outside Telnet server at 192.168.49.10. Because there is no B flag, the connection is initiated from the inside. The "U", "I", and "O" flags denote that the connection is active and has received inbound and outbound data.

hostname# show conn
2 in use, 2 most used
TCP out 192.168.49.10:23 in 10.1.1.15:1026 idle 0:00:22
Bytes 1774 flags UIO
UDP out 192.168.49.10:31649 in 10.1.1.15:1028 idle 0:00:14
flags D-

The following sample output that shows a UDP connection from outside host 192.168.49.10 to inside host 10.1.1.15. The D flag denotes that this is a DNS connection. The number 1028 is the DNS ID over the connection.

hostname(config)# show conn detail
2 in use, 2 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, b - State bypass, C - CTIQBE media,
        D - DNS, d - dump, E - outside back connection, F - outside FIN,
        f - inside FIN, G - group, g - MGCP, H - H.323, h - H.225.0,
        I - inbound data, i - incomplete, J - GTP, j - GTP data, k - Skinny media,
        M - SMTP data, m - SIP media, n - GUP, O - outbound data,
        P - inside back connection, q - SQL*Net data, R - outside acknowledged FIN,
       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up
       X - xlate creation bypassed
TCP outside:192.168.49.10/23 inside:10.1.1.15/1026 flags UIO
UDP outside:192.168.49.10/31649 inside:10.1.1.15/1028 flags dD

The following is sample output from a GRE session connection (PROT:47) from host 172.16.2.1 to host 172.16.112.2. Because it is a non TCP connection, it is unidirectional and there are no flags.

hostname# show conn
2 in use, 2 most used
Network Processor 1 connections
PROT:47 out 172.16.112.2 in 172.16.2.1 idle 0:00:08
Bytes 18

The following is sample output from the show conn all command:

hostname# show conn all
6 in use, 6 most used
             TCP out 209.165.201.1:80 in 10.3.3.4:1404 idle 0:00:00 Bytes 11391 
             TCP out 209.165.201.1:80 in 10.3.3.4:1405 idle 0:00:00 Bytes 3709 
             TCP out 209.165.201.1:80 in 10.3.3.4:1406 idle 0:00:01 Bytes 2685 
             TCP out 209.165.201.1:80 in 10.3.3.4:1407 idle 0:00:01 Bytes 2683 
             TCP out 209.165.201.1:80 in 10.3.3.4:1403 idle 0:00:00 Bytes 15199 
             TCP out 209.165.201.1:80 in 10.3.3.4:1408 idle 0:00:00 Bytes 2688 
             UDP out 209.165.201.7:24 in 10.3.3.4:1402 idle 0:01:30 
             UDP out 209.165.201.7:23 in 10.3.3.4:1397 idle 0:01:30 
             UDP out 209.165.201.7:22 in 10.3.3.4:1395 idle 0:01:30 

In this example, host 10.3.3.4 on the inside has accessed a website at 209.165.201.1. The global address on the outside interface is 209.165.201.7.

The following is sample output from the show conn detail command:

hostname# show conn detail
0 in use, 26152 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, b - State bypass, C - CTIQBE media,
        D - DNS, d - dump, E - outside back connection, F - outside FIN,
        f - inside FIN, G - group, g - MGCP, H - H.323, h - H.225.0,
        I - inbound data, i - incomplete, J - GTP, j - GTP data, k - Skinny media,
        M - SMTP data, m - SIP media, n - GUP, O - outbound data,
        P - inside back connection, q - SQL*Net data, R - outside acknowledged FIN,
       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up
       X - xlate creation bypassed
Network Processor 1 connections 

Related Commands

Commands
Description

inspect ctiqbe

Enables CTIQBE application inspection.

inspect h323

Enables H.323 application inspection.

inspect mgcp

Enables MGCP application inspection.

inspect sip

Removes java applets from HTTP traffic.

inspect skinny

Enables SCCP application inspection.


show console-output

To display the currently captured console output, use the show console-output command in privileged EXEC mode. The FWSM automatically captures output destined for the internal console port. Do not use the internal console port unless you are advised to do so by Cisco TAC. This command allows you to view console output on your Telnet or SSH session.

show console-output

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

·

·

·

·

·


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

Information that displays only on a console port includes output from the perfmon command, startup messages, and some debug messages. The console buffer is a maximum of 1 K, and is not user configurable.

Examples

The following example shows the message that displays when there is no console output:

hostname# show console-output
Sorry, there are no messages to display

Related Commands

Command
Description

clear configure console

Restores the default console connection settings.


show context

To show context information including allocated interfaces and the configuration file URL, the number of contexts configured, or from the system execution space, a list of all contexts, use the show context command in privileged EXEC mode.

show context [name | detail | count]

Syntax Description

count

(Optional) Shows the number of contexts configured.

detail

(Optional) Shows additional detail about the context(s) including the running state and information for internal use.

name

(Optional) Sets the context name. If you do not specify a name, the FWSM displays all contexts. Within a context, you can only enter the current context name.


Defaults

In the system execution space, the FWSM displays all contexts if you do not specify a name.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

2.2(1)

This command was introduced.


Usage Guidelines

See the "Examples" section for a description of the display output.

Examples

The following is sample output from the show context command. The following sample display shows three contexts:

Context Name      Class       Interfaces         Mode          URL
*admin            default     Vlan100,101        Routed        disk:/admin.cfg
contexta          Gold        Vlan200,201        Transparent   disk:/contexta.cfg
contextb          Silver      Vlan300,301        Routed        disk:/contextb.cfg
Total active Security Contexts: 3

Table 25-7 shows each field description.

Table 25-7 show context Fields

Field
Description

Context Name

Lists all context names. The context name with the asterisk (*) is the admin context.

Class

Shows the resource class to which the context belongs.

Interfaces

Shows the interfaces assigned to the context.

Mode

Shows the firewall mode for each context, either Routed or Transparent.

URL

Shows the URL from which the FWSM loads the context configuration.


The following is sample output from the show context detail command:

hostname# show context detail

Context "admin", has been created, but initial ACL rules not complete
  Config URL: disk:/admin.cfg
  Real Interfaces: Vlan100
  Mapped Interfaces: Vlan100
  Class: default, Flags: 0x00000013, ID: 1

Context "ctx", has been created, but initial ACL rules not complete
  Config URL: disk:/ctx.cfg
  Real Interfaces: Vlan10,20,30
  Mapped Interfaces: int1, int2, int3
  Class: default, Flags: 0x00000011, ID: 2

Context "system", is a system resource
  Config URL: startup-config
  Real Interfaces:
  Mapped Interfaces: Vlan100,10,20,30
  Class: default, Flags: 0x00000019, ID: 257

Context "null", is a system resource
  Config URL: ... null ...
  Real Interfaces:
  Mapped Interfaces:
  Class: default, Flags: 0x00000009, ID: 258

Table 25-8 shows each field description.

Table 25-8 Context States

Field
Description

Context

The context name. The null context information is for internal use only. The system context represents the system execution space.

State Message:

The context state. See the possible messages below.

Has been created, but initial ACL rules not complete

The FWSM parsed the configuration but has not yet downloaded the default ACLs to establish the default security policy. The default security policy applies to all contexts initially, and includes disallowing traffic from lower security levels to higher security levels, enabling application inspection, and other parameters. This security policy ensures that no traffic can pass through the FWSM after the configuration is parsed but before the configuration ACLs are compiled. You are unlikely to see this state because the configuration ACLs are compiled very quickly.

Has been created, but not initialized

You entered the context name command, but have not yet entered the config-url command.

Has been created, but the config hasn't been parsed

The default ACLs were downloaded, but the FWSM has not parsed the configuration. This state might exist because the configuration download might have failed because of network connectivity issues, or you have not yet entered the config-url command. To reload the configuration, from within the context, enter copy startup-config running-config. From the system, reenter the config-url command. Alternatively, you can start configuring the blank running configuration.

Is a system resource

This state applies only to the system execution space and to the null context. The null context is used by the system, and the information is for internal use only.

Is a zombie

You deleted the context using the no context or clear context command, but the context information persists in memory until the FWSM reuses the context ID for a new context, or you restart.

Is active

This context is currently running and can pass traffic according to the context configuration security policy.

Is ADMIN and active

This context is the admin context and is currently running.

Was a former ADMIN, but is now a zombie

You deleted the admin context using the clear configure context command, but the context information persists in memory until the FWSM reuses the context ID for a new context, or you restart.

Real Interfaces

The interfaces assigned to the context. If you mapped the interface IDs in the allocate-interface command, this display shows the real name of the interface. The system execution space includes all interfaces.

Mapped Interfaces

If you mapped the interface IDs in the allocate-interface command, this display shows the mapped names. If you did not map the interfaces, the display lists the real names again.

Class

The resource class to which the context belongs.

Flag

For internal use only.

ID

An internal ID for this context.


The following is sample output from the show context count command:

hostname# show context count
Total active contexts: 2

Related Commands

Command
Description

admin-context

Sets the admin context.

allocate-interface

Assigns interfaces to a context.

changeto

Changes between contexts or the system execution space.

config-url

Specifies the location of the context configuration.

context

Creates a security context in the system configuration and enters context configuration mode.


show counters

To display the protocol stack counters, use the show counters command in privileged EXEC mode.

show counters [all | context context-name | summary | top n ] [detail] [protocol protocol_name[:counter_name]] [threshold n]

Syntax Description

all

(Multiple mode only) Displays counters for all contexts.

context context-name

(Multiple mode only) Specifies the context name for which to show counters.

:counter_name

Specifies a counter by name.

detail

Displays additional counter information.

protocol protocol_name

Displays the counters for the specified protocol.

summary

(Multiple mode only) Shows all context counters combined.

threshold n

Displays only those counters at or above the specified threshold. The range is 1 through 4294967295.

top n

(Multiple mode only) Shows the contexts that are the top n users of the specified counter. You must specify a counter name with this option. The range is 1 through 4294967295.


Defaults

For multiple context mode, the default context is summary, which shows counters for every context. For single mode, the context name is ignored and the output shows the "context" as "single_vf."

The default count threshold is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

2.2(1)

This command was introduced.


Examples

The following example shows how to display all counters:

hostname# show counters all
Protocol     Counter           Value   Context
IOS_IPC      IN_PKTS               2   admin
IOS_IPC      OUT_PKTS              2   admin
IOS_IPC      IN_PKTS               15  customera
IOS_IPC      OUT_PKTS              6   customera

The following example shows how to display a summary of counters:

hostname# show counters
Protocol     Counter           Value   Context
NPCP         IN_PKTS            7195   Summary
NPCP         OUT_PKTS           7603   Summary
IOS_IPC      IN_PKTS             869   Summary
IOS_IPC      OUT_PKTS            865   Summary
IP           IN_PKTS             380   Summary
IP           OUT_PKTS            411   Summary
IP           TO_ARP              105   Summary
IP           TO_UDP                9   Summary
UDP          IN_PKTS               9   Summary
UDP          DROP_NO_APP           9   Summary
FIXUP        IN_PKTS             202   Summary

The following example shows how to display counters for a context:

hostname# show counters context admin
Protocol     Counter           Value   Context
IOS_IPC      IN_PKTS               4   admin
IOS_IPC      OUT_PKTS              4   admin

Related Commands

Command
Description

clear counters

Clears the protocol stack counters.

show counters description

Shows a list of protocol counters.


show counters description

To display the protocol stack counter descriptions, use the show counters description command in privileged EXEC mode.

show counters description

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

2.2(1)

This command was introduced.


Examples

The following is sample output from the show counters description command:

hostname# show counters description
Protocol     Counter              Description
NPCP         IN_PKTS              Packets from network processors
NPCP         OUT_PKTS             Packets to network processors
NPCP         DROP_LIMIT1          Gigamac packets dropped due to IP protocol que
ue limiter
NPCP         DROP_LIMIT2          Gigamac packets dropped due to ARP protocol qu
eue limiter
NPCP         DROP_LIMIT3          Gigamac packets dropped due to Fixup queue lim
iter
...

Related Commands

Command
Description

clear counters

Clears the protocol stack counters.

show counters

Shows the protocol stack counters.


show cpu

To display the CPU utilization information, use the show cpu usage command in privileged EXEC mode.

show cpu [usage]

From the system configuration in multiple context mode:

show cpu [usage] [context {all | context_name}]

Syntax Description

all

Specifies that the display show all contexts.

context

Specifies that the display show a context.

context_name

Specifies the name of the context to display.

usage

(Optional) Displays the CPU usage.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

The cpu usage is computed using an approximation of the load every five seconds, and by further feeding this approximation into two, following moving averages.

You can use the show cpu command to find process related loads (that is, activity on behalf of items listed by the output of the show process command in both single mode and from the system configuration in multiple context mode).

Further, you can request, when in multiple context mode, a breakdown of the process related load to CPU consumed by any configured contexts by changing to each context and entering the show cpu command or by entering the show cpu context variant of this command.

While process related load is rounded to the nearest whole number, context related loads include one additional decimal digit of precision. For example, entering show cpu from the system context produces a different number than from entering the show cpu context system command. The former is an approximate summary of everything in show cpu context all, and the latter is only a portion of that summary.

Examples

The following example shows how to display the CPU utilization:

hostname# show cpu usage
CPU utilization for 5 seconds = 18%; 1 minute: 18%; 5 minutes: 18%

This example shows how to display the CPU utilization for the system context in multiple mode:

hostname# show cpu context system
CPU utilization for 5 seconds = 9.1%; 1 minute: 9.2%; 5 minutes: 9.1%

The following shows how to display the CPU utilization for all contexts:

hostname# show cpu usage context all
5 sec  1 min  5 min  Context Name
9.1%   9.2%   9.1%  system
0.0%   0.0%   0.0%  admin
5.0%   5.0%   5.0%  one
4.2%   4.3%   4.2%  two

This example shows how to display the CPU utilization for a context named "one":

hostname/one# show cpu usage
CPU utilization for 5 seconds = 5.0%; 1 minute: 5.0%; 5 minutes: 5.0%

Related Commands

Command
Description

show counters

Displays the protocol stack counters.


show cpu threshold

To display the CPU usage information when the configured rising threshold is reached and remains for the configured monitoring interval period, use the show cpu threshold command in privileged EXEC mode.

show cpu threshold

Syntax Description

This command has no keywords and no arguments.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.2(1)

This command was introduced.


Usage Guidelines

The CPU usage threshold is computed using an approximation of the load for the configured monitoring period, and then by feeding this approximation into two moving averages.

Examples

The following example shows how to display the CPU usage threshold:

hostname# show cpu threshold
CPU utilization RisingThresholdValue = 60%; RisingThresholdPeriod = 300secs

Related Commands

Command
Description

show cpu usage

Displays the CPU usage information.


show crashinfo

To display the contents of the crash file stored in Flash memory, enter the show crashinfo command in privileged EXEC mode.

show crashinfo [save]

Syntax Description

save

(Optional) Displays if the FWSM is configured to save crash information to Flash memory or not.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1

This command was introduced.


Usage Guidelines

If the crash file is from a test crash (generated from the crashinfo test command), the first string of the crash file is ": Saved_Test_Crash" and the last string is ": End_Test_Crash". If the crash file is from a real crash, the first string of the crash file is ": Saved_Crash" and the last string is ": End_Crash". (This includes crashes from use of the crashinfo force page-fault or crashinfo force watchdog commands).

If there is no crash data saved in flash, or if the crash data has been cleared by entering the clear crashinfo command, the show crashinfo command displays an error message.

Examples

The following example shows how to display the current crash information configuration:

hostname# show crashinfo save
crashinfo save enable

The following example shows the output for a crash file test. (However, this test does not actually crash the FWSM. It provides a simulated example file.)

hostname(config)# crashinfo test
hostname(config)# exit
hostname# show crashinfo
: Saved_Test_Crash

Thread Name: ci/console (Old pc 0x001a6ff5 ebp 0x00e88920)

Traceback:
0: 00323143
1: 0032321b
2: 0010885c
3: 0010763c
4: 001078db
5: 00103585
6: 00000000
    vector 0x000000ff (user defined)
       edi 0x004f20c4
       esi 0x00000000
       ebp 0x00e88c20
       esp 0x00e88bd8
       ebx 0x00000001
       edx 0x00000074
       ecx 0x00322f8b
       eax 0x00322f8b
error code n/a
       eip 0x0010318c
        cs 0x00000008
    eflags 0x00000000
       CR2 0x00000000
Stack dump: base:0x00e8511c size:16384, active:1476
0x00e89118: 0x004f1bb4
0x00e89114: 0x001078b4
0x00e89110-0x00e8910c: 0x00000000
0x00e89108-0x00e890ec: 0x12345678
0x00e890e8: 0x004f1bb4
0x00e890e4: 0x00103585
0x00e890e0: 0x00e8910c
0x00e890dc-0x00e890cc: 0x12345678
0x00e890c8: 0x00000000
0x00e890c4-0x00e890bc: 0x12345678
0x00e890b8: 0x004f1bb4
0x00e890b4: 0x001078db
0x00e890b0: 0x00e890e0
0x00e890ac-0x00e890a8: 0x12345678
0x00e890a4: 0x001179b3
0x00e890a0: 0x00e890b0
0x00e8909c-0x00e89064: 0x12345678
0x00e89060: 0x12345600
0x00e8905c: 0x20232970
0x00e89058: 0x616d2d65
0x00e89054: 0x74002023
0x00e89050: 0x29676966
0x00e8904c: 0x6e6f6328
0x00e89048: 0x31636573
0x00e89044: 0x7069636f
0x00e89040: 0x64786970
0x00e8903c-0x00e88e50: 0x00000000
0x00e88e4c: 0x000a7473
0x00e88e48: 0x6574206f
0x00e88e44: 0x666e6968
0x00e88e40: 0x73617263
0x00e88e3c-0x00e88e38: 0x00000000
0x00e88e34: 0x12345600
0x00e88e30-0x00e88dfc: 0x00000000
0x00e88df8: 0x00316761
0x00e88df4: 0x74706100
0x00e88df0: 0x12345600
0x00e88dec-0x00e88ddc: 0x00000000
0x00e88dd8: 0x00000070
0x00e88dd4: 0x616d2d65
0x00e88dd0: 0x74756f00
0x00e88dcc: 0x00000000
0x00e88dc8: 0x00e88e40
0x00e88dc4: 0x004f20c4
0x00e88dc0: 0x12345600
0x00e88dbc: 0x00000000
0x00e88db8: 0x00000035
0x00e88db4: 0x315f656c
0x00e88db0: 0x62616e65
0x00e88dac: 0x0030fcf0
0x00e88da8: 0x3011111f
0x00e88da4: 0x004df43c
0x00e88da0: 0x0053fef0
0x00e88d9c: 0x004f1bb4
0x00e88d98: 0x12345600
0x00e88d94: 0x00000000
0x00e88d90: 0x00000035
0x00e88d8c: 0x315f656c
0x00e88d88: 0x62616e65
0x00e88d84: 0x00000000
0x00e88d80: 0x004f20c4
0x00e88d7c: 0x00000001
0x00e88d78: 0x01345678
0x00e88d74: 0x00f53854
0x00e88d70: 0x00f7f754
0x00e88d6c: 0x00e88db0
0x00e88d68: 0x00e88d7b
0x00e88d64: 0x00f53874
0x00e88d60: 0x00e89040
0x00e88d5c-0x00e88d54: 0x12345678
0x00e88d50-0x00e88d4c: 0x00000000
0x00e88d48: 0x004f1bb4
0x00e88d44: 0x00e88d7c
0x00e88d40: 0x00e88e40
0x00e88d3c: 0x00f53874
0x00e88d38: 0x004f1bb4
0x00e88d34: 0x0010763c
0x00e88d30: 0x00e890b0
0x00e88d2c: 0x00e88db0
0x00e88d28: 0x00e88d88
0x00e88d24: 0x0010761a
0x00e88d20: 0x00e890b0
0x00e88d1c: 0x00e88e40
0x00e88d18: 0x00f53874
0x00e88d14: 0x0010166d
0x00e88d10: 0x0000000e
0x00e88d0c: 0x00f53874
0x00e88d08: 0x00f53854
0x00e88d04: 0x0048b301
0x00e88d00: 0x00e88d30
0x00e88cfc: 0x0000000e
0x00e88cf8: 0x00f53854
0x00e88cf4: 0x0048a401
0x00e88cf0: 0x00f53854
0x00e88cec: 0x00f53874
0x00e88ce8: 0x0000000e
0x00e88ce4: 0x0048a64b
0x00e88ce0: 0x0000000e
0x00e88cdc: 0x00f53874
0x00e88cd8: 0x00f7f96c
0x00e88cd4: 0x0048b4f8
0x00e88cd0: 0x00e88d00
0x00e88ccc: 0x0000000f
0x00e88cc8: 0x00f7f96c
0x00e88cc4-0x00e88cc0: 0x0000000e
0x00e88cbc: 0x00e89040
0x00e88cb8: 0x00000000
0x00e88cb4: 0x00f5387e
0x00e88cb0: 0x00f53874
0x00e88cac: 0x00000002
0x00e88ca8: 0x00000001
0x00e88ca4: 0x00000009
0x00e88ca0-0x00e88c9c: 0x00000001
0x00e88c98: 0x00e88cb0
0x00e88c94: 0x004f20c4
0x00e88c90: 0x0000003a
0x00e88c8c: 0x00000000
0x00e88c88: 0x0000000a
0x00e88c84: 0x00489f3a
0x00e88c80: 0x00e88d88
0x00e88c7c: 0x00e88e40
0x00e88c78: 0x00e88d7c
0x00e88c74: 0x001087ed
0x00e88c70: 0x00000001
0x00e88c6c: 0x00e88cb0
0x00e88c68: 0x00000002
0x00e88c64: 0x0010885c
0x00e88c60: 0x00e88d30
0x00e88c5c: 0x00727334
0x00e88c58: 0xa0ffffff
0x00e88c54: 0x00e88cb0
0x00e88c50: 0x00000001
0x00e88c4c: 0x00e88cb0
0x00e88c48: 0x00000002
0x00e88c44: 0x0032321b
0x00e88c40: 0x00e88c60
0x00e88c3c: 0x00e88c7f
0x00e88c38: 0x00e88c5c
0x00e88c34: 0x004b1ad5
0x00e88c30: 0x00e88c60
0x00e88c2c: 0x00e88e40
0x00e88c28: 0xa0ffffff
0x00e88c24: 0x00323143
0x00e88c20: 0x00e88c40
0x00e88c1c: 0x00000000
0x00e88c18: 0x00000008
0x00e88c14: 0x0010318c
0x00e88c10-0x00e88c0c: 0x00322f8b
0x00e88c08: 0x00000074
0x00e88c04: 0x00000001
0x00e88c00: 0x00e88bd8
0x00e88bfc: 0x00e88c20
0x00e88bf8: 0x00000000
0x00e88bf4: 0x004f20c4
0x00e88bf0: 0x000000ff
0x00e88bec: 0x00322f87
0x00e88be8: 0x00f5387e
0x00e88be4: 0x00323021
0x00e88be0: 0x00e88c10
0x00e88bdc: 0x004f20c4
0x00e88bd8: 0x00000000 *
0x00e88bd4: 0x004eabb0
0x00e88bd0: 0x00000001
0x00e88bcc: 0x00f5387e
0x00e88bc8-0x00e88bc4: 0x00000000
0x00e88bc0: 0x00000008
0x00e88bbc: 0x0010318c
0x00e88bb8-0x00e88bb4: 0x00322f8b
0x00e88bb0: 0x00000074
0x00e88bac: 0x00000001
0x00e88ba8: 0x00e88bd8
0x00e88ba4: 0x00e88c20
0x00e88ba0: 0x00000000
0x00e88b9c: 0x004f20c4
0x00e88b98: 0x000000ff
0x00e88b94: 0x001031f2
0x00e88b90: 0x00e88c20
0x00e88b8c: 0xffffffff
0x00e88b88: 0x00e88cb0
0x00e88b84: 0x00320032
0x00e88b80: 0x37303133
0x00e88b7c: 0x312f6574
0x00e88b78: 0x6972772f
0x00e88b74: 0x342f7665
0x00e88b70: 0x64736666
0x00e88b6c: 0x00020000
0x00e88b68: 0x00000010
0x00e88b64: 0x00000001
0x00e88b60: 0x123456cd
0x00e88b5c: 0x00000000
0x00e88b58: 0x00000008

Cisco XXX Firewall Version X.X
Cisco XXX Device Manager Version X.X

Compiled on Fri 15-Nov-04 14:35 by root

hostname up 10 days 0 hours

Hardware:   XXX-XXX, 64 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0003.e300.73fd, irq 10
1: ethernet1: address is 0003.e300.73fe, irq 7
2: ethernet2: address is 00d0.b7c8.139e, irq 9
Licensed Features:
Failover:           Disabled
VPN-DES:            Enabled
VPN-3DES-AES:       Disabled
Maximum Interfaces: 3
Cut-through Proxy:  Enabled
Guards:             Enabled
URL-filtering:      Enabled
Inside Hosts:       Unlimited
Throughput:         Unlimited
IKE peers:          Unlimited

This XXX has a Restricted (R) license.

Serial Number: 480430455 (0x1ca2c977)
Running Activation Key: 0xc2e94182 0xc21d8206 0x15353200 0x633f6734 
Configuration last modified by enable_15 at 13:49:42.148 UTC Wed Nov 20 2004

------------------ show clock ------------------

15:34:28.129 UTC Sun Nov 24 2004

------------------ show memory ------------------

Free memory:        50444824 bytes
Used memory:        16664040 bytes
-------------     ----------------
Total memory:       67108864 bytes

------------------ show conn count ------------------

0 in use, 0 most used

------------------ show xlate count ------------------

0 in use, 0 most used

------------------ show blocks ------------------

  SIZE    MAX    LOW    CNT
     4   1600   1600   1600
    80    400    400    400
   256    500    499    500
  1550   1188    795    927

------------------ show interface ------------------

interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0003.e300.73fd
  IP address 172.23.59.232, subnet mask 255.255.0.0
  MTU 1500 bytes, BW 10000 Kbit half duplex
        6139 packets input, 830375 bytes, 0 no buffer
        Received 5990 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        90 packets output, 6160 bytes, 0 underruns
        0 output errors, 13 collisions, 0 interface resets
        0 babbles, 0 late collisions, 47 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (5/128) software (0/2)
        output queue (curr/max blocks): hardware (0/1) software (0/1)
interface ethernet1 "inside" is up, line protocol is down
  Hardware is i82559 ethernet, address is 0003.e300.73fe
  IP address 10.1.1.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 10000 Kbit half duplex
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        1 packets output, 60 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        1 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (0/1) software (0/1)
interface ethernet2 "intf2" is administratively down, line protocol is down
  Hardware is i82559 ethernet, address is 00d0.b7c8.139e
  IP address 127.0.0.1, subnet mask 255.255.255.255
  MTU 1500 bytes, BW 10000 Kbit half duplex
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (0/0) software (0/0)

------------------ show cpu usage ------------------

CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%

------------------ show process ------------------


    PC       SP       STATE       Runtime    SBASE     Stack Process
Hsi 001e3329 00763e7c 0053e5c8          0 00762ef4 3784/4096 arp_timer
Lsi 001e80e9 00807074 0053e5c8          0 008060fc 3792/4096 FragDBGC
Lwe 00117e3a 009dc2e4 00541d18          0 009db46c 3704/4096 dbgtrace
Lwe 003cee95 009de464 00537718          0 009dc51c 8008/8192 Logger
Hwe 003d2d18 009e155c 005379c8          0 009df5e4 8008/8192 tcp_fast
Hwe 003d2c91 009e360c 005379c8          0 009e1694 8008/8192 tcp_slow
Lsi 002ec97d 00b1a464 0053e5c8          0 00b194dc 3928/4096 xlate clean
Lsi 002ec88b 00b1b504 0053e5c8          0 00b1a58c 3888/4096 uxlate clean
Mrd 002e3a17 00c8f8d4 0053e600          0 00c8d93c 7908/8192 tcp_intercept_times
Lsi 00423dd5 00d3a22c 0053e5c8          0 00d392a4 3900/4096 route_process
Hsi 002d59fc 00d3b2bc 0053e5c8          0 00d3a354 3780/4096 PIX Garbage Collecr
Hwe 0020e301 00d5957c 0053e5c8          0 00d55614 16048/16384 isakmp_time_keepr
Lsi 002d377c 00d7292c 0053e5c8          0 00d719a4 3928/4096 perfmon
Hwe 0020bd07 00d9c12c 0050bb90          0 00d9b1c4 3944/4096 IPSec
Mwe 00205e25 00d9e1ec 0053e5c8          0 00d9c274 7860/8192 IPsec timer handler
Hwe 003864e3 00db26bc 00557920          0 00db0764 6904/8192 qos_metric_daemon
Mwe 00255a65 00dc9244 0053e5c8          0 00dc8adc 1436/2048 IP Background
Lwe 002e450e 00e7bb94 00552c30          0 00e7ad1c 3704/4096 pix/trace
Lwe 002e471e 00e7cc44 00553368          0 00e7bdcc 3704/4096 pix/tconsole
Hwe 001e5368 00e7ed44 00730674          0 00e7ce9c 7228/8192 pix/intf0
Hwe 001e5368 00e80e14 007305d4          0 00e7ef6c 7228/8192 pix/intf1
Hwe 001e5368 00e82ee4 00730534       2470 00e8103c 4892/8192 pix/intf2
H*  001a6ff5 0009ff2c 0053e5b0       4820 00e8511c 12860/16384 ci/console
Csi 002dd8ab 00e8a124 0053e5c8          0 00e891cc 3396/4096 update_cpu_usage
Hwe 002cb4d1 00f2bfbc 0051e360          0 00f2a134 7692/8192 uauth_in
Hwe 003d17d1 00f2e0bc 00828cf0          0 00f2c1e4 7896/8192 uauth_thread
Hwe 003e71d4 00f2f20c 00537d20          0 00f2e294 3960/4096 udp_timer
Hsi 001db3ca 00f30fc4 0053e5c8          0 00f3004c 3784/4096 557mcfix
Crd 001db37f 00f32084 0053ea40  508286220 00f310fc 3688/4096 557poll
Lsi 001db435 00f33124 0053e5c8          0 00f321ac 3700/4096 557timer
Hwe 001e5398 00f441dc 008121e0          0 00f43294 3912/4096 fover_ip0
Cwe 001dcdad 00f4523c 00872b48        120 00f44344 3528/4096 ip/0:0
Hwe 001e5398 00f4633c 008121bc         10 00f453f4 3532/4096 icmp0
Hwe 001e5398 00f47404 00812198          0 00f464cc 3896/4096 udp_thread/0
Hwe 001e5398 00f4849c 00812174          0 00f475a4 3456/4096 tcp_thread/0
Hwe 001e5398 00f495bc 00812150          0 00f48674 3912/4096 fover_ip1
Cwe 001dcdad 00f4a61c 008ea850          0 00f49724 3832/4096 ip/1:1
Hwe 001e5398 00f4b71c 0081212c          0 00f4a7d4 3912/4096 icmp1
Hwe 001e5398 00f4c7e4 00812108          0 00f4b8ac 3896/4096 udp_thread/1
Hwe 001e5398 00f4d87c 008120e4          0 00f4c984 3832/4096 tcp_thread/1
Hwe 001e5398 00f4e99c 008120c0          0 00f4da54 3912/4096 fover_ip2
Cwe 001e542d 00f4fa6c 00730534          0 00f4eb04 3944/4096 ip/2:2
Hwe 001e5398 00f50afc 0081209c          0 00f4fbb4 3912/4096 icmp2
Hwe 001e5398 00f51bc4 00812078          0 00f50c8c 3896/4096 udp_thread/2
Hwe 001e5398 00f52c5c 00812054          0 00f51d64 3832/4096 tcp_thread/2
Hwe 003d1a65 00f78284 008140f8          0 00f77fdc  300/1024 listen/http1
Mwe 0035cafa 00f7a63c 0053e5c8          0 00f786c4 7640/8192 Crypto CA

------------------ show failover ------------------

No license for Failover

------------------ show traffic ------------------

outside:
        received (in 865565.090 secs):
                6139 packets    830375 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 865565.090 secs):
                90 packets      6160 bytes
                0 pkts/sec      0 bytes/sec
inside:
        received (in 865565.090 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 865565.090 secs):
                1 packets       60 bytes
                0 pkts/sec      0 bytes/sec
intf2:
        received (in 865565.090 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 865565.090 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec

------------------ show perfmon ------------------


PERFMON STATS:    Current      Average
Xlates               0/s          0/s
Connections          0/s          0/s
TCP Conns            0/s          0/s
UDP Conns            0/s          0/s
URL Access           0/s          0/s
URL Server Req       0/s          0/s
TCP Fixup            0/s          0/s
TCPIntercept         0/s          0/s
HTTP Fixup           0/s          0/s
FTP Fixup            0/s          0/s
AAA Authen           0/s          0/s
AAA Author           0/s          0/s
AAA Account          0/s          0/s
: End_Test_Crash

Related Commands

Command
Description

clear crashinfo

Deletes the contents of the crash file.

crashinfo force

Forces a crash of the FWSM.

crashinfo save disable

Disables crash information from writing to Flash memory.

crashinfo test

Tests the ability of the FWSM to save crash information to a file in Flash memory.


show crypto accelerator statistics

To display the global and accelerator-specific statistics from the hardware crypto accelerator MIB, use the show crypto accelerator statistics command in global configuration or privileged EXEC mode.

show crypto accelerator statistics

Syntax Description

This command has no keywords or variables.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC


Command History

Release
Modification

3.1(1)

This command was introduced.


Examples

The following example entered in global configuration mode, displays global crypto accelerator statistics:

hostname # show crypto accelerator statistics

Crypto Accelerator Status
-------------------------
[Capacity]
   Supports hardware crypto: True
   Supports modular hardware crypto: False
   Max accelerators: 1
   Max crypto throughput: 100 Mbps
   Max crypto connections: 750
[Global Statistics]
   Number of active accelerators: 1
   Number of non-operational accelerators: 0
   Input packets: 700
   Input bytes: 753488
   Output packets: 700
   Output error packets: 0
   Output bytes: 767496
[Accelerator 0]
   Status: Active
   Software crypto engine
   Slot: 0
   Active time: 167 seconds
   Total crypto transforms: 7
   Total dropped packets: 0
   [Input statistics]
      Input packets: 0
      Input bytes: 0
      Input hashed packets: 0
      Input hashed bytes: 0
      Decrypted packets: 0
      Decrypted bytes: 0
   [Output statistics]
      Output packets: 0
      Output bad packets: 0
      Output bytes: 0
      Output hashed packets: 0
      Output hashed bytes: 0
      Encrypted packets: 0
      Encrypted bytes: 0
   [Diffie-Hellman statistics]
      Keys generated: 0
      Secret keys derived: 0
   [RSA statistics]
      Keys generated: 0
      Signatures: 0
      Verifications: 0
      Encrypted packets: 0
      Encrypted bytes: 0
      Decrypted packets: 0
      Decrypted bytes: 0
   [DSA statistics]
      Keys generated: 0
      Signatures: 0
      Verifications: 0
   [SSL statistics]
      Outbound records: 0
      Inbound records: 0
   [RNG statistics]
      Random number requests: 98
      Random number request failures: 0
[Accelerator 1]
   Status: Active
   Encryption hardware device : Cisco ASA-55x0 on-board accelerator 
(revision 0x0)
                             Boot microcode   : CNlite-MC-Boot-Cisco-1.2
                             SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.03
   Slot: 1
   Active time: 170 seconds
   Total crypto transforms: 1534
   Total dropped packets: 0
   [Input statistics]
      Input packets: 700
      Input bytes: 753544
      Input hashed packets: 700
      Input hashed bytes: 736400
      Decrypted packets: 700
      Decrypted bytes: 719944
   [Output statistics]
      Output packets: 700
      Output bad packets: 0
      Output bytes: 767552
      Output hashed packets: 700
      Output hashed bytes: 744800
      Encrypted packets: 700
      Encrypted bytes: 728352
   [Diffie-Hellman statistics]
      Keys generated: 97
      Secret keys derived: 1
   [RSA statistics]
      Keys generated: 0
      Signatures: 0
      Verifications: 0
      Encrypted packets: 0
      Encrypted bytes: 0
      Decrypted packets: 0
      Decrypted bytes: 0
   [DSA statistics]
      Keys generated: 0
      Signatures: 0
      Verifications: 0
   [SSL statistics]
      Outbound records: 0
      Inbound records: 0
   [RNG statistics]
      Random number requests: 1
      Random number request failures: 0
hostname # 

Related Commands

Command
Description

clear crypto accelerator statistics

Clears the global and accelerator-specific statistics in the crypto accelerator MIB.

clear crypto protocol statistics

Clears the protocol-specific statistics in the crypto accelerator MIB.

show crypto protocol statistics

Displays the protocol-specific statistics from the crypto accelerator MIB.


show crypto ca certificates

To display the certificates associated with a specific trustpoint or to display all the certificates installed on the system, use the show crypto ca certificates command in privileged EXEC mode.

show crypto ca certificates [trustpointname]

Syntax Description

trustpointname

(Optional) Specifies the name of a trustpoint. If you do not specify a name, this command displays all certificates installed on the system.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

This command was introduced.


Examples

The following example entered in global configuration mode, displays a CA certificate for a trustpoint named tp1:

hostname# show crypto ca certificates tp1
CA Certificate
Status: Available
Certificate Serial Number 2957A3FF296EF854FD0D6732FE25B45
Certificate Usage: Signature
Issuer:
CN = ms-root-sha-06-2004
OU = rootou
O = cisco
L = franklin
ST - massachusetts
C = US
EA = a@b.con
Subject: 
CN = ms-root-sha-06-2004
OU = rootou
O = cisco
L = franklin
ST = massachusetts
C = US
EA = a@b.com
CRL Distribution Point
ldap://w2kadvancedsrv/CertEnroll/ms-root-sha-06-2004.crl
Validity Date:
start date: 14:11:40 UTC Jun 26 2004
end date: 14:01:30 UTC Jun 4 2022
Associated Trustpoints: tp2 tp1
hostname# 

Related Commands

Command
Description

crypto ca authenticate

Obtains a CA certificate for a specified trustpoint.

crypto ca crl request

Requests a CRL based on the configuration parameters of a specified trustpoint.

crypto ca enroll

Initiates the enrollment process with a CA.

crypto ca import

Imports a certificate to a specified trustpoint.

crypto ca trustpoint

Enters trustpoint mode for a specified trustpoint.


show crypto ca crls

To display all cached CRLs or to display all CRLs cached for a specified trustpoint, use the show crypto ca crls command in privileged EXEC mode.

show crypto ca crls [trustpointname]

Syntax Description

trustpointname

(Optional) Specifies the name of a trustpoint. If you do not specify a name, this command displays all CRLs cached on the system.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

This command was introduced.


Examples

The following example entered in global configuration mode, displays a CRL for a trustpoint named tp1:

hostname# show crypto ca crls tp1
CRL Issuer Name:
    cn=ms-sub1-ca-5-2004,ou=Franklin DevTest,o=Cisco
Systems,l=Franklin,st=MA,c=US,ea=user@cisco.com
    LastUpdate: 19:45:53 UTC Dec 24 2004
    NextUpdate: 08:05:53 UTC Jan 1 2005
    Retrieved from CRL Distribution Point:
      http://win2k-ad2.frk-ms-pki.cisco.com/CertEnroll/ms-sub1-ca-5-2004.crl
    Associated Trustpoints: tp1

Related Commands

Command
Description

crypto ca authenticate

Obtains a CA certificate for a specified trustpoint.

crypto ca crl request

Requests a CRL based on the configuration parameters of a specified trustpoint.

crypto ca enroll

Initiates the enrollment process with a CA.

crypto ca import

Imports a certificate to a specified trustpoint.

crypto ca trustpoint

Enters trustpoint mode for a specified trustpoint.


show crypto ipsec df-bit

To display the IPSec DF-bit policy for IPSec packets for a specified interface, use the show crypto ipsec df-bit command in global configuration mode and privileged EXEC mode.

show crypto ipsec df-bit interface

Syntax Description

interface

Specifies an interface name.


Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC


Command History

Release
Modification

1.1(1)

This command was introduced.

3.1(1)

This command was changed from show crypto ipsec.


Examples

The following example displays the IPSec DF-bit policy for interface named inside:

hostname(config)# show crypto ipsec df-bit inside
df-bit inside copy
hostname(config)#

Related Commands

Command
Description

crypto ipsec df-bit

Configures the IPSec DF-bit policy for IPSec packets.

crypto ipsec fragmentation

Configures the fragmentation policy for IPSec packets.

show crypto ipsec fragmentation

Displays the fragmentation policy for IPSec packets.


show crypto ipsec fragmentation

To display the fragmentation policy for IPSec packets, use the show crypto ipsec fragmentation command in global configuration or privileged EXEC modes.

show crypto ipsec fragmentation interface

Syntax Description

interface

Specifies an interface name.


Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC


Command History

Release
Modification

1.1(1)

This command was introduced.

3.1(1)

This command was changed from show crypto ipsec.


Examples

The following example, entered in global configuration mode, displays the IPSec fragmentation policy for an interface named inside:

hostname(config)# show crypto ipsec fragmentation inside
fragmentation inside before-encryption
hostname(config)#

Related Commands

Command
Description

crypto ipsec fragmentation

Configures the fragmentation policy for IPSec packets.

crypto ipsec df-bit

Configures the DF-bit policy for IPSec packets.

show crypto ipsec df-bit

Displays the DF-bit policy for a specified interface.


show crypto key mypubkey

To display key pairs of the indicated type, use the show crypto key mypubkey command in privileged EXEC mode.

show crypto key mypubkey {rsa | dsa}

Syntax Description

dsa

Displays DSA key pairs.

rsa

Displays RSA key pairs.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

This command was introduced.


Examples

The following example entered in global configuration mode, displays RSA key pairs:

hostname(config)# show crypto key mypubkey rsa
...

Related Commands

Command
Description

crypto key generate dsa

Generates DSA key pairs.

crypto key generate rsa

Generates RSA key pairs.

crypto key zeroize

Removes all key pairs of the indicated type.


show crypto protocol statistics

To display the protocol-specific statistics in the crypto accelerator MIB, use the show crypto protocol statistics command in global configuration or privileged EXEC mode.

show crypto protocol statistics protocol

Syntax Description

protocol

Specifies the name of the protocol for which to display statistics. Protocol choices are as follows:

ikev1—Internet Key Exchange version 1.

ipsec—IP Security Phase-2 protocols.

ssl—Secure Socket Layer.

other—Reserved for new protocols.

all—All protocols currently supported.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC


Command History

Release
Modification

3.1(1)

This command was introduced.


Examples

The following examples entered in global configuration mode, display crypto accelerator statistics for specified protocols:

hostname # show crypto protocol statistics ikev1
[IKEv1 statistics]
   Encrypt packet requests: 39
   Encapsulate packet requests: 39
   Decrypt packet requests: 35
   Decapsulate packet requests: 35
   HMAC calculation requests: 84
   SA creation requests: 1
   SA rekey requests: 3
   SA deletion requests: 2
   Next phase key allocation requests: 2
   Random number generation requests: 0
   Failed requests: 0

hostname # show crypto protocol statistics ipsec
[IPsec statistics]
   Encrypt packet requests: 700
   Encapsulate packet requests: 700
   Decrypt packet requests: 700
   Decapsulate packet requests: 700
   HMAC calculation requests: 1400
   SA creation requests: 2
   SA rekey requests: 0
   SA deletion requests: 0
   Next phase key allocation requests: 0
   Random number generation requests: 0
   Failed requests: 0

hostname # show crypto protocol statistics ssl 
[SSL statistics]
   Encrypt packet requests: 0
   Encapsulate packet requests: 0
   Decrypt packet requests: 0
   Decapsulate packet requests: 0
   HMAC calculation requests: 0
   SA creation requests: 0
   SA rekey requests: 0
   SA deletion requests: 0
   Next phase key allocation requests: 0
   Random number generation requests: 0
   Failed requests: 0

hostname # show crypto protocol statistics other
[Other statistics]
   Encrypt packet requests: 0
   Encapsulate packet requests: 0
   Decrypt packet requests: 0
   Decapsulate packet requests: 0
   HMAC calculation requests: 0
   SA creation requests: 0
   SA rekey requests: 0
   SA deletion requests: 0
   Next phase key allocation requests: 0
   Random number generation requests: 99
   Failed requests: 0

hostname # show crypto protocol statistics all 
[IKEv1 statistics]
   Encrypt packet requests: 46
   Encapsulate packet requests: 46
   Decrypt packet requests: 40
   Decapsulate packet requests: 40
   HMAC calculation requests: 91
   SA creation requests: 1
   SA rekey requests: 3
   SA deletion requests: 3
   Next phase key allocation requests: 2
   Random number generation requests: 0
   Failed requests: 0
[IKEv2 statistics]
   Encrypt packet requests: 0
   Encapsulate packet requests: 0
   Decrypt packet requests: 0
   Decapsulate packet requests: 0
   HMAC calculation requests: 0
   SA creation requests: 0
   SA rekey requests: 0
   SA deletion requests: 0
   Next phase key allocation requests: 0
   Random number generation requests: 0
   Failed requests: 0
[IPsec statistics]
   Encrypt packet requests: 700
   Encapsulate packet requests: 700
   Decrypt packet requests: 700
   Decapsulate packet requests: 700
   HMAC calculation requests: 1400
   SA creation requests: 2
   SA rekey requests: 0
   SA deletion requests: 0
   Next phase key allocation requests: 0
   Random number generation requests: 0
   Failed requests: 0
[SSL statistics]
   Encrypt packet requests: 0
   Encapsulate packet requests: 0
   Decrypt packet requests: 0
   Decapsulate packet requests: 0
   HMAC calculation requests: 0
   SA creation requests: 0
   SA rekey requests: 0
   SA deletion requests: 0
   Next phase key allocation requests: 0
   Random number generation requests: 0
   Failed requests: 0
[SSH statistics are not supported]
[SRTP statistics are not supported]
[Other statistics]
   Encrypt packet requests: 0
   Encapsulate packet requests: 0
   Decrypt packet requests: 0
   Decapsulate packet requests: 0
   HMAC calculation requests: 0
   SA creation requests: 0
   SA rekey requests: 0
   SA deletion requests: 0
   Next phase key allocation requests: 0
   Random number generation requests: 99
   Failed requests: 0
hostname # 

Related Commands

Command
Description

clear crypto accelerator statistics

Clears the global and accelerator-specific statistics in the crypto accelerator MIB.

clear crypto protocol statistics

Clears the protocol-specific statistics in the crypto accelerator MIB.

show crypto accelerator statistics

Displays the global and accelerator-specific statistics from the crypto accelerator MIB.


show ctiqbe

To display information about CTIQBE sessions established across the FWSM, use the show ctiqbe command in privileged EXEC mode.

show ctiqbe

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

The show ctiqbe command displays information of CTIQBE sessions established across the FWSM. Along with debug ctiqbe and show local-host, this command is used for troubleshooting CTIQBE inspection engine issues.


Note We recommend that you have the pager command configured before using the show ctiqbe command. If there are a lot of CTIQBE sessions and the pager command is not configured, it can take a while for the show ctiqbe command output to reach the end.


Examples

The following is sample output from the show ctiqbe command under the following conditions. There is only one active CTIQBE session setup across the FWSM. It is established between an internal CTI device (for example, a Cisco IP SoftPhone) at local address 10.0.0.99 and an external Cisco CallManager at 172.29.1.77, where TCP port 2748 is the Cisco CallManager. The heartbeat interval for the session is 120 seconds.

hostname# show ctiqbe

Total: 1
LOCAL          FOREIGN          STATE HEARTBEAT
---------------------------------------------------------------
1 10.0.0.99/1117 172.29.1.77/2748 1     120
  RTP/RTCP: PAT xlates: mapped to 172.29.1.99(1028 1029)
  MEDIA: Device ID 27   Call ID 0
  Foreign 172.29.1.99   (1028 1029)
  Local   172.29.1.88   (26822 26823)
  ----------------------------------------------

The CTI device has already registered with the CallManager. The device internal address and RTP listening port is PATed to 172.29.1.99 UDP port 1028. Its RTCP listening port is PATed to UDP 1029.

The line beginning with RTP/RTCP: PAT xlates: appears only if an internal CTI device has registered with an external CallManager and the CTI device address and ports are PATed to that external interface. This line does not appear if the CallManager is located on an internal interface, or if the internal CTI device address and ports are NATed to the same external interface that is used by the CallManager.

The output indicates a call has been established between this CTI device and another phone at 172.29.1.88. The RTP and RTCP listening ports of the other phone are UDP 26822 and 26823. The other phone locates on the same interface as the CallManager because the FWSM does not maintain a CTIQBE session record associated with the second phone and CallManager. The active call leg on the CTI device side can be identified with Device ID 27 and Call ID 0.

The following is the xlate information for these CTIBQE connections:

hostname# show xlate debug
3 in use, 3 most used
Flags: D | DNS, d | dump, I | identity, i | inside, n | no random,
 | o | outside, r | portmap, s | static
TCP PAT from inside:10.0.0.99/1117 to outside:172.29.1.99/1025 flags ri idle 0:00:22 
timeout 0:00:30
UDP PAT from inside:10.0.0.99/16908 to outside:172.29.1.99/1028 flags ri idle 0:00:00 
timeout 0:04:10
UDP PAT from inside:10.0.0.99/16909 to outside:172.29.1.99/1029 flags ri idle 0:00:23 
timeout 0:04:10

Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

inspect ctiqbe

Enables CTIQBE application inspection.

service-policy

Applies a policy map to one or more interfaces.

show conn

Displays the connection state for different connection types.

timeout

Sets the maximum idle time duration for different protocols and session types.


show curpriv

To display the current user privileges, use the show curpriv command:

show curpriv

Syntax Description

This command has no arguments or keywords.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC

Unprivileged


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

The show curpriv command displays the current privilege level. Lower privilege level numbers indicate lower privilege levels.

Examples


These examples show output from the show curpriv command when a user named enable_15 is at different privilege levels. The username indicates the name that the user entered when the user logged in, P_PRIV indicates that the user has entered the enable command, and P_CONF indicates that the user has entered the config terminal command.

hostname(config)# show curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV P_CONF
hostname(config)# exit

hostname(config)# show curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV
hostname(config)# exit

hostname(config)# show curpriv
Username : enable_1
Current privilege level : 1
Current Mode/s : P_UNPR
hostname(config)# 

Related Commands

Command
Description

clear configure privilege

Remove privilege command statements from the configuration.

show running-config privilege

Display privilege levels for commands.