Cisco Security Appliance Command Reference, Version 7.0
S Commands

Table Of Contents

S Commands

same-security-traffic

sdi-pre-5-slave

sdi-version

secondary

secondary-color

secure-unit-authentication

security-level

serial-number

server

server-port

server-separator

service

service password-recovery

service-policy

session

set connection

set connection advanced-options

set connection timeout

set metric

set metric-type

setup

show aaa local user

show aaa-server

show access-list

show activation-key

show admin-context

show arp

show arp-inspection

show arp statistics

show asdm history

show asdm image

show asdm log_sessions

show asdm sessions

show asp drop

show asp table arp

show asp table classify

show asp table interfaces

show asp table routing

show asp table vpn-context

show blocks

show bootvar

show capture

show chardrop

show checkheaps

show checksum

show chunkstat

show clock

show conn

show console-output

show context

show counters

show cpu

show crashinfo

show crashinfo console

show crypto accelerator statistics

show crypto ca certificates

show crypto ca crls

show crypto ipsec df-bit

show crypto ipsec fragmentation

show crypto key mypubkey

show crypto protocol statistics

show ctiqbe

show curpriv

show debug

show dhcpd

show dhcprelay state

show dhcprelay statistics

show disk

show dns-hosts

show failover

show file

show firewall

show flash

show fragment

show gc

show h225

show h245

show h323-ras

show history

show icmp

show idb

show igmp groups

show igmp interface

show igmp traffic

show interface

show interface ip brief

show inventory

show ip address

show ip address dhcp

show ip audit count

show ip verify statistics

show ipsec sa

show ipsec sa summary

show ipsec stats

show ipv6 access-list

show ipv6 interface

show ipv6 neighbor

show ipv6 route

show ipv6 routers

show ipv6 traffic

show isakmp sa

show isakmp stats

show local-host

show logging

show logging rate-limit

show mac-address-table

show management-access

show memory

show memory binsize

show memory delayed-free-poisoner

show memory profile

show memory tracking

show memory-caller address

show mfib

show mfib active

show mfib count

show mfib interface

show mfib reserved

show mfib status

show mfib summary

show mfib verbose

show mgcp

show mode

show module

show mrib client

show mrib route

show mroute

show nameif

show ntp associations

show ntp status

show ospf

show ospf border-routers

show ospf database

show ospf flood-list

show ospf interface

show ospf neighbor

show ospf request-list

show ospf retransmission-list

show ospf summary-address

show ospf virtual-links

show perfmon

show pim df

show pim group-map

show pim interface

show pim join-prune statistic

show pim neighbor

show pim range-list

show pim topology

show pim topology reserved

show pim topology route-count

show pim traffic

show pim tunnel

show priority-queue statistics

show processes

show reload

show resource types

show resource usage

show route

show run fips

show running-config

show running-config aaa

show running-config aaa-server

show running-config aaa-server host

show running-config access-group

show running-config access-list

show running-config alias

show running-config arp

show running-config arp timeout

show running-config arp-inspection

show running-config asdm

show running-config auth-prompt

show running-config banner

show running-config class-map

show running-config clock

show running-config command-alias

show running-config console timeout

show running-config context

show running-config crypto

show running-config crypto dynamic-map

show running-config crypto ipsec

show running-config crypto isakmp

show running-config crypto map

show running-config dhcpd

show running-config dhcprelay

show running-config dns

show running-config domain-name

show running-config enable

show running-config established

show running-config failover

show running-config filter

show running-config fips

show running-config fragment

show running-config ftp-map

show running-config ftp mode

show running-config global

show running-config group-delimiter

show running-config group-policy

show running-config gtp-map

show running-config http

show running-config http-map

show running-config icmp

show running-config imap4s

show running-config interface

show running-config ip address

show running-config ip audit attack

show running-config ip audit info

show running-config ip audit interface

show running-config ip audit name

show running-config ip audit signature

show running-config ip local pool

show running-config ip verify reverse-path

show running-config ipv6

show running-config isakmp

show running-config logging

show logging rate-limit

show running-config mac-address-table

show running-config mac-learn

show running-config mac-list

show running-config management-access

show running-config mgcp-map

show running-config mroute

show running-config mtu

show running-config multicast-routing

show running-config name

show running-config nameif

show running-config names

show running-config nat

show running-config nat-control

show running-config ntp

show running-config object-group

show running-config passwd

show running-config pim

show running-config policy-map

show running-config pop3s

show running-config port-forward

show running-config prefix-list

show running-config priority-queue

show running-config privilege

show running-config rip

show running-config route

show running-config route-map

show running-config router

show running-config same-security-traffic

show running-config service

show running-config service-policy

show running-configuration smtps

show running-config snmp-map

show running-config snmp-server

show running-config ssh

show running-config ssl

show running-config static

show running-config sunrpc-server

show running-config sysopt

show running-config tcp-map

show running-config telnet

show running-config terminal

show running-config tftp-server

show running-config timeout

show running-config tunnel-group

show running-config url-block

show running-config url-cache

show running-configuration url-list

show running-config url-server

show running-config username

show running-config virtual

show running-config vpn load-balancing

show running-configuration vpn-sessiondb

show running-configuration webvpn

show service-policy

show service-policy inspect gtp

show shun

show sip

show skinny

show snmp-server statistics

show ssh sessions

show startup-config

show sunrpc-server active

show tcpstat

show tech-support

show traffic

show uauth

show url-block

show url-cache statistics

show url-server

show version

show vpn load-balancing

show vpn-sessiondb

show vpn-sessiondb ratio

show vpn-sessiondb summary

show xlate

shun

shutdown

smtps

smtp-server

snmp-server

snmp-map

snmp-server enable trap remote-access

speed

split-dns

split-tunnel-network-list

split-tunnel-policy

ssh

ssh disconnect

ssh scopy enable

ssh timeout

ssh version

ssl client-version

ssl encryption

ssl server-version

ssl trust-point

static

strict-http

strip-group

strip-realm

subject-name (crypto ca certificate map)

subject-name (crypto ca trustpoint)

summary-address

sunrpc-server

support-user-cert-validation

syn-data

sysopt connection permit-ipsec

sysopt connection tcpmss

sysopt connection timewait

sysopt nodnsalias

sysopt noproxyarp

sysopt radius ignore-secret

sysopt uauth allow-http-cache


S Commands


same-security-traffic

To permit communication between interfaces with equal security levels, use the same-security-traffic command in global configuration mode. To disable communication between same-security interfaces, use the no form of this command.

same-security-traffic permit {inter-interface | intra-interface}

no same-security-traffic permit {inter-interface | intra-interface}

Syntax Description

inter-interface

Permits communication between different interfaces that have the same security level.

intra-interface

Permits communication in and out of the same interface when traffic is IPSec protected.


Defaults

This command has no default settings.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Allowing communication between same security interfaces provides the following benefits:

You can configure more than 101 communicating interfaces. If you use different levels for each interface, you can configure only one interface per level (0 to 100).

You can allow traffic to flow freely between all same security interfaces without access lists.

You can also redirect incoming client VPN traffic back out through the same interface unencrypted as well as encrypted. If you send VPN traffic back out through the same interface unencrypted, you must enable NAT for the interface so that publicly routable addresses replace your private IP addresses (unless you already use public IP addresses in your local IP address pool). The following example commands apply an interface PAT rule to traffic sourced from the client IP pool:

hostname(config)# ip local pool clientpool 192.168.0.10-192.168.0.100
hostname(config)# global (outside) 1 interface
hostname(config)# nat (outside) 1 192.168.0.0 255.255.255.0


When the security appliance sends encrypted VPN traffic back out this same interface, however, NAT is optional. To apply NAT to all outgoing traffic, implement only the commands above. To exempt the VPN-to-VPN traffic from NAT, add commands (to the example above) that implement NAT exemption for VPN-to-VPN traffic, such as:

hostname(config)# access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
hostname(config)# nat (outside) 0 access-list nonat

See the nat command for more information.

Examples

The following example shows how to enable the same-security interface communication:

hostname(config)# same-security-traffic permit inter-interface

Related Commands

Command
Description

show running-config same-security-traffic

Displays the same-security-traffic configuration.


sdi-pre-5-slave

To specify the IP address or name of an optional SDI AAA "slave" server to use for this host connection that uses a version of SDI prior to SDI version 5, use the sdi-pre-5-slave command in AAA-server host configuration mode. To remove this specification, use the no form of this command:

sdi-pre-5-slave host

no sdi-pre-5-slave

Syntax Description

host

Specify the name or IP address of the slave server host.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

AAA-server Host


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

This command is available for any host in an SDI AAA servergroup, but it is relevant only if the SDI version for the host is set to sdi-pre-5 in the sdi-version command. Prior to using this command, you must have configured the AAA server to use the SDI protocol.

The sdi-pre-5-slave command lets you identify an optional secondary server that is to be used if the primary server fails. The address specified by this command must be that of a server that is configured as a "slave" to the primary SDI server. In this situation, if you are using a pre-5 version, you must configure the sdi-pre-5-slave command so that the security appliance can access the appropriate SDI configuration record that is downloaded from the server. This is not an issue with version 5 and later versions.

Examples

The following example configures the AAA SDI server group "svrgrp1" that uses an SDI version prior to SDI version 5.

hostname(config)# aaa-server svrgrp1 protocol sdi
hostname(config-aaa-server-group)# aaa-server svrgrp1 host 192.168.10.10
hostname(config-aaa-server-host)# sdi-version sdi-pre-5
hostname(config-aaa-server-host)# sdi-pre-5-slave 209.165.201.31
hostname(config-aaa-server-host)# exit
hostname(config)# 

Related Commands

Command
Description

aaa-server host

Enter AAA server host configuration mode so you can configure AAA server parameters that are host-specific.

clear configure aaa-server

Removes all AAA server configurations.

sdi-version

Specifies the version of SDI to use for this host connection.

show running-config aaa-server

Displays AAA server statistics for all AAA servers, for a particular server group, for a particular server within a particular group, or for a particular protocol.


sdi-version

To specify the version of SDI to use for this host connection, use the sdi-version command in AAA-server host configuration mode. To remove this specification, use the no form of this command:

sdi-version version

no sdi-version

Syntax Description

version

Specify the version of SDI to use. Valid values are:

sdi-5 - SDI version 5.0 (default)

sdi-pre-5 - SDI versions prior to 5.0


Defaults

The default version is sdi-5.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

AAA-server host


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

This command is valid only for SDI AAA servers. If you configure a secondary (failover) SDI AAA server, and if the SDI version for that server is earlier than version 5, you must also specify the sdi-pre-5-slave command.

Examples

hostname(config)# aaa-server svrgrp1 protocol sdi
hostname(config-aaa-server-group)# aaa-server svrgrp1 host 1.2.3.4
hostname(config-aaa-server-host)# timeout 6
hostname(config-aaa-server-host)# retry-interval 7
hostname(config-aaa-server-host)# sdi-version sdi-5
hostname(config-aaa-server-host)# exit
hostname(config)# 

Related Commands

Command
Description

aaa-server host

Enter AAA server host configuration mode so you can configure AAA server parameters that are host-specific.

clear configure aaa-server

Remove all AAA configurations.

show running-config aaa-server

Displays AAA server statistics for all AAA servers, for a particular server group, for a particular server within a particular group, or for a particular protocol


secondary

To give the secondary unit higher priority in a failover group, use the secondary command in failover group configuration mode. To restore the default, use the no form of this command.

secondary

no secondary

Syntax Description

This command has no arguments or keywords.

Defaults

If primary or secondary is not specified for a failover group, the failover group defaults to primary.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Failover group configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Assigning a primary or secondary priority to a failover group specifies which unit the failover group becomes active on when both units boot simultaneously (within a unit polltime). If one unit boots before the other, then both failover groups become active on that unit. When the other unit comes online, any failover groups that have the second unit as a priority do not become active on the second unit unless the failover group is configured with the preempt command or is manually forced to the other unit with the no failover active command.

Examples

The following example configures failover group 1 with the primary unit as the higher priority and failover group 2 with the secondary unit as the higher priority. Both failover groups are configured with the preempt command, so the groups will automatically become active on their preferred unit as the units become available.

hostname(config)# failover group 1 
hostname(config-fover-group)# primary
hostname(config-fover-group)# preempt 100
hostname(config-fover-group)# exit
hostname(config)# failover group 2
hostname(config-fover-group)# secondary
hostname(config-fover-group)# preempt 100
hostname(config-fover-group)# mac-address e1 0000.a000.a011 0000.a000.a012 
hostname(config-fover-group)# exit
hostname(config)#

Related Commands

Command
Description

failover group

Defines a failover group for Active/Active failover.

preempt

Forces the failover group to become active on its preferred unit when the unit becomes available.

primary

Gives the primary unit a higher priority than the secondary unit.


secondary-color

To set a secondary color for the WebVPN login, home page, and file access page, use the secondary-color command in webvpn mode. To remove a color from the configuration and reset the default, use the no form of this command.

secondary-color [color]

no secondary-color

Syntax Description

color

(Optional) Specifies the color. You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML.

RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma-separated entry indicates the level of intensity of each color to combine with the others.

HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue.

Name length maximum is 32 characters.


Defaults

The default secondary color is HTML #CCCCFF, a lavender shade.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The number of RGB values recommended for use is 216, many fewer than the mathematical possibilities. Many displays can handle only 256 colors, and 40 of those look different on Macs and PCs. For best results, check published RGB tables. To find RGB tables online, enter RGB in a search engine.
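A constructed validator for the three argument forms this command accepts (decimal R,G,B triple, #RRGGBB HTML value, or a color name of at most 32 characters), added here as an illustration and not part of the security appliance. It assumes a name is valid when it is 1 to 32 letters; whether HTML actually recognizes the name is not checked.

```python
import re

# Accepted forms, per the Syntax Description above.
_HTML_RE = re.compile(r"^#([0-9A-Fa-f]{6})$")
_NAME_RE = re.compile(r"^[A-Za-z]{1,32}$")   # assumption: letters only, max 32


def parse_secondary_color(value):
    """Return ("rgb", (r, g, b)) or ("name", name) for a valid argument.

    Raises ValueError with a reason for anything the command would not accept.
    """
    v = value.strip()
    m = _HTML_RE.match(v)
    if m:
        digits = m.group(1)
        # Pairs of hex digits: red, green, blue.
        return ("rgb", tuple(int(digits[i:i + 2], 16) for i in (0, 2, 4)))
    if v.startswith("#"):
        # Catches the easy mistake of typing the letter O for the digit 0.
        raise ValueError(f"{value!r}: HTML form needs '#' plus exactly six hex digits")
    if "," in v:
        parts = [p.strip() for p in v.split(",")]
        if len(parts) != 3 or not all(p.isdigit() for p in parts):
            raise ValueError(f"{value!r}: RGB form is three decimal numbers, e.g. 0,0,0")
        rgb = tuple(int(p) for p in parts)
        if any(c > 255 for c in rgb):
            raise ValueError(f"{value!r}: each RGB component must be 0..255")
        return ("rgb", rgb)
    if _NAME_RE.match(v):
        return ("name", v.lower())
    raise ValueError(f"{value!r}: not an RGB triple, an HTML value, or a name of at most 32 letters")


def to_html(rgb):
    """Render an (r, g, b) tuple in the #RRGGBB form the command accepts."""
    return "#%02X%02X%02X" % tuple(rgb)


def normalize(value):
    """Convert any accepted form to the HTML form; names are returned lower-cased."""
    kind, payload = parse_secondary_color(value)
    return to_html(payload) if kind == "rgb" else payload


def is_valid(value):
    """True when the argument would be accepted, False otherwise."""
    try:
        parse_secondary_color(value)
        return True
    except ValueError:
        return False
```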

Examples

The following example shows how to set an HTML color value of #5F9EA0, which is a teal shade:

hostname(config)# webvpn
hostname(config-webvpn)# secondary-color #5F9EA0

Related Commands

Command
Description

title-color

Sets a color for the WebVPN title bar on the login, home page, and file access page


secure-unit-authentication

To enable secure unit authentication, use the secure-unit-authentication enable command in group-policy configuration mode. To disable secure unit authentication, use the secure-unit-authentication disable command. To remove the secure unit authentication attribute from the running configuration, use the no form of this command. This option allows inheritance of a value for secure unit authentication from another group policy.

Secure unit authentication provides additional security by requiring VPN hardware clients to authenticate with a username and password each time the client initiates a tunnel. With this feature enabled, the hardware client does not have a saved username and password.


Note With this feature enabled, to bring up a VPN tunnel, a user must be present to enter the username and password.


secure-unit-authentication {enable | disable}

no secure-unit-authentication

Syntax Description

disable

Disables secure unit authentication.

enable

Enables secure unit authentication.


Defaults

Secure unit authentication is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group policy


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Secure unit authentication requires that you have an authentication server group configured for the tunnel group the hardware client(s) use.

If you require secure unit authentication on the primary security appliance, be sure to configure it on any backup servers as well.

Examples

The following example shows how to enable secure unit authentication for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# secure-unit-authentication enable

Related Commands

Command
Description

ip-phone-bypass

Lets IP phones connect without undergoing user authentication. Secure unit authentication remains in effect.

leap-bypass

Lets LEAP packets from wireless devices behind a VPN hardware client travel across a VPN tunnel prior to user authentication, when enabled. This lets workstations using Cisco wireless access point devices establish LEAP authentication. Then they authenticate again per user authentication.

user-authentication

Requires users behind a hardware client to identify themselves to the security appliance before connecting.


security-level

To set the security level of an interface, use the security-level command in interface configuration mode. To set the security level to the default, use the no form of this command. The security level protects higher security networks from lower security networks by imposing additional protection between the two.

security-level number

no security-level

Syntax Description

number

An integer between 0 (lowest) and 100 (highest).


Defaults

By default, the security level is 0.

If you name an interface "inside" and you do not set the security level explicitly, then the security appliance sets the security level to 100 (see the nameif command). You can change this level if desired.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.0

This command was moved from a keyword of the nameif command to an interface configuration mode command.


Usage Guidelines

The level controls the following behavior:

Network access—By default, there is an implicit permit from a higher security interface to a lower security interface (outbound). Hosts on the higher security interface can access any host on a lower security interface. You can limit access by applying an access list to the interface.

For same security interfaces, there is an implicit permit for interfaces to access other interfaces on the same security level or lower.

Inspection engines—Some inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.

NetBIOS inspection engine—Applied only for outbound connections.

OraServ inspection engine—If a control connection for the OraServ port exists between a pair of hosts, then only an inbound data connection is permitted through the security appliance.

Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level).

For same security interfaces, you can filter traffic in either direction.

NAT control—When you enable NAT control, you must configure NAT for hosts on a higher security interface (inside) when they access hosts on a lower security interface (outside).

Without NAT control, or for same security interfaces, you can choose to use NAT between any interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside interface might require a special keyword.

established command—This command allows return connections from a lower security host to a higher security host if there is already an established connection from the higher level host to the lower level host.

For same security interfaces, you can configure established commands for both directions.

Normally, interfaces on the same security level cannot communicate. If you want interfaces on the same security level to communicate, see the same-security-traffic command. You might want to assign two interfaces to the same level and allow them to communicate if you want to create more than 101 communicating interfaces, or you want protection features to be applied equally for traffic between two interfaces; for example, you have two departments that are equally secure.

If you change the security level of an interface, and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command.
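A constructed Python model of the implicit-permit rules listed above, combining the security-level behavior with the same-security-traffic inter-interface and intra-interface options. It is added here as an illustration and is not Cisco code; access lists, NAT control and the inspection engines are not modelled, and the filtering rule is reduced to "outbound, or between same-security interfaces when the flow is permitted".

```python
from dataclasses import dataclass, field


@dataclass
class SecurityLevelPolicy:
    """Interfaces with security levels plus the two same-security-traffic switches."""
    levels: dict = field(default_factory=dict)   # interface name -> 0..100
    inter_interface: bool = False   # same-security-traffic permit inter-interface
    intra_interface: bool = False   # same-security-traffic permit intra-interface

    def nameif(self, name, level=None):
        """Add an interface. As with the nameif command, an interface named
        "inside" defaults to level 100 and any other name defaults to 0."""
        if level is None:
            level = 100 if name == "inside" else 0
        if not isinstance(level, int) or not 0 <= level <= 100:
            raise ValueError("security-level must be an integer between 0 and 100")
        self.levels[name] = level

    def implicit_permit(self, src, dst):
        """Decide whether a new connection entering on src and leaving on dst is
        implicitly permitted by security level alone. Returns (bool, reason)."""
        s, d = self.levels[src], self.levels[dst]
        if src == dst:
            if self.intra_interface:
                return True, "same interface: permitted by same-security-traffic permit intra-interface"
            return False, "same interface: denied without same-security-traffic permit intra-interface"
        if s > d:
            return True, "outbound (higher to lower): implicitly permitted"
        if s == d:
            if self.inter_interface:
                return True, "same level: permitted by same-security-traffic permit inter-interface"
            return False, "same level: denied without same-security-traffic permit inter-interface"
        return False, "inbound (lower to higher): denied unless an access list permits it"

    def is_outbound(self, src, dst):
        """True when src is strictly higher than dst (the direction in which the
        NetBIOS inspection engine and HTTP(S)/FTP filtering apply by default)."""
        return self.levels[src] > self.levels[dst]

    def filtering_applies(self, src, dst):
        """HTTP(S)/FTP filtering: outbound connections, or either direction between
        same-security interfaces once the flow itself is permitted (model assumption)."""
        if self.is_outbound(src, dst):
            return True
        same_level = self.levels[src] == self.levels[dst]
        return same_level and self.implicit_permit(src, dst)[0]


def build_example():
    """The two-interface example from this entry plus two same-level DMZ interfaces."""
    p = SecurityLevelPolicy()
    p.nameif("inside")          # defaults to 100
    p.nameif("outside", 0)
    p.nameif("dmz1", 50)
    p.nameif("dmz2", 50)
    return p
```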

Examples

The following example configures the security levels for two interfaces to be 100 and 0:

hostname(config)# interface gigabitethernet0/0
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface gigabitethernet0/1
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 10.1.2.1 255.255.255.0
hostname(config-if)# no shutdown

Related Commands

Command
Description

clear local-host

Resets all connections.

interface

Configures an interface and enters interface configuration mode.

nameif

Sets the interface name.

vlan

Assigns a VLAN ID to a subinterface.


serial-number

To include the security appliance serial number in the certificate during enrollment, use the serial-number command in crypto ca trustpoint configuration mode. To restore the default setting, use the no form of the command.

serial-number

no serial-number

Syntax Description

This command has no arguments or keywords.


Defaults

The default setting is to not include the serial number.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crypto ca trustpoint configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example enters crypto ca trustpoint configuration mode for trustpoint central, and includes the security appliance serial number in the enrollment request for trustpoint central:

hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# serial-number
hostname(ca-trustpoint)# 

Related Commands

Command
Description

crypto ca trustpoint

Enters trustpoint configuration mode.


server

To specify a default e-mail proxy server, use the server command in the applicable e-mail proxy mode. To remove the attribute from the configuration, use the no version of this command. The security appliance sends requests to the default e-mail server when the user connects to the e-mail proxy without specifying a server. If you do not configure a default server, and a user does not specify a server, the security appliance returns an error.

server {ipaddr or hostname}

no server

Syntax Description

hostname

The DNS name of the default e-mail proxy server.

ipaddr

The IP address of the default e-mail proxy server.


Defaults

There is no default e-mail proxy server by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Pop3s

Imap4s

Smtps


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example shows how to set a default POP3S e-mail server with an IP address of 10.1.1.7:

hostname(config)# pop3s
hostname(config-pop3s)# server 10.1.1.7

server-port

To configure a AAA server port for a host, use the server-port command in AAA-server host mode. To remove the designated server port, use the no form of this command:

server-port port-number

no server-port

Syntax Description

port-number

A port number in the range 0 through 65535.


Defaults

The default server ports are as follows:

SDI—5500

LDAP—389

Kerberos—88

NT—139

TACACS+—49

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

AAA-server group


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example configures an SDI AAA server named "srvgrp1" to use server port number 8888:

hostname(config)# aaa-server srvgrp1 protocol sdi
hostname(config-aaa-server-group)# aaa-server srvgrp1 host 192.168.10.10
hostname(config-aaa-server-host)# server-port 8888
hostname(config-aaa-server-host)# exit
hostname(config)#

Related Commands

Command
Description

aaa-server host

Configures host-specific AAA server parameters.

clear configure aaa-server

Removes all AAA-server configuration.

show running-config aaa-server

Displays AAA server statistics for all AAA servers, for a particular server group, for a particular server within a particular group, or for a particular protocol


server-separator

To specify a character as a delimiter between the e-mail and VPN server names, use the server-separator command in the applicable e-mail proxy mode. To revert to the default, ":", use the no form of this command.

server-separator {symbol}

no server-separator

Syntax Description

symbol

The character that separates the e-mail and VPN server names. Choices are "@" (at), "|" (pipe), ":" (colon), "#" (hash), "," (comma), and ";" (semi-colon).


Defaults

The default is "@" (at).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Pop3s

Imap4s

Smtps


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The server separator must be different from the name separator.

Examples

The following example shows how to set a pipe (|) as the server separator for IMAP4S:

hostname(config)# imap4s
hostname(config-imap4s)# server-separator |

Related Commands

Command
Description

name-separator

Separates the e-mail and VPN usernames and passwords.


service

To enable system services, use the service command in global configuration mode. To disable system services, use the no form of this command.

service {resetinbound | resetoutbound} [interface intf]

no service {resetinbound | resetoutbound} [interface intf]

Syntax Description

resetinbound

Sends a reset to a denied inbound TCP packet.

resetoutbound

Sends a reset to a denied TCP packet to the outside interface.

interface

(Optional) Specifies a specific interface.

intf

Name of interface.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode | Firewall Mode: Routed, Transparent | Security Context: Single, Multiple (Context, System)
Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.

7.0(5)

This command was modified to include the interface keyword.


Usage Guidelines

The service command works with all inbound TCP connections to static interfaces whose access lists or uauth (user authorization) do not allow inbound connections. One use is for resetting identity request (IDENT) connections. If an inbound TCP connection is attempted and denied, you can use the service resetinbound command to return an RST (reset flag in the TCP header) to the source. Without this command, the security appliance drops the packet without returning an RST.

By default, an RST is always sent to the inside host when outbound TCP traffic is denied. The resetoutbound keyword is used to change this default. For example, if traffic is outbound through the security appliance, and the no service resetoutbound command is configured globally or on that interface, the security appliance does not send an RST.

With the optional interface keyword, the TCP reset is sent only when outbound packets are denied on that interface.

The security appliance sends a TCP RST to the host connecting inbound and stops the incoming IDENT process so that outbound e-mail can be transmitted without having to wait for IDENT to time out. The security appliance sends a syslog message stating that the incoming connection was denied. Without entering the service resetinbound command, the security appliance drops packets that are denied and generates a syslog message stating that the SYN was denied. However, outside hosts keep retransmitting the SYN until the IDENT times out.

When an IDENT connection times out, the connections slow down. Perform a trace to determine that IDENT is causing the delay and then enter the service command.

Use the service resetinbound command to handle an IDENT connection through the security appliance. These methods for handling IDENT connections are ranked from most secure to the least secure:

1. Use the service resetinbound command.

2. Use the established command with the permitto tcp 113 keyword.

3. Enter the static and access-list commands to open TCP port 113.

When using the aaa command, if the first attempt at authorization fails and a second attempt causes a timeout, use the service resetinbound command to reset the client that failed the authorization so that it will not retransmit any connections. An example authorization timeout message in Telnet is as follows:

Unable to connect to remote host: Connection timed out

The following is the expected behavior of traffic on the security appliance in regards to the reset flag.

1. If resetinbound is configured and if denied traffic flows from a low security interface to high security interface, then a reset is sent.

2. If resetinbound is configured and if denied traffic flows from an interface to another interface with the same security, then a reset is sent.

3. If resetinbound is not configured and if denied traffic flows from high security interface to low security interface, then a reset is sent.

If you use the resetoutside command, the security appliance actively resets denied TCP packets that terminate at the security appliance's least-secure interface. By default, these packets are silently discarded. We recommend that you use the resetoutside keyword with dynamic or static interface Port Address Translation (PAT). The static interface PAT is available with security appliance version 6.0 and higher. This keyword allows the security appliance to terminate the IDENT from an external SMTP or FTP server. Actively resetting these connections avoids the 30-second timeout delay.

Examples

The following example shows how to enable system services:

hostname/context_name(config)# service resetinbound

This example shows how to enable system services on an interface called dmz1:

hostname/context_name(config)# service resetinbound interface dmz1

Related Commands

Command
Description

show running-config service

Displays the system services.


service password-recovery

To enable password recovery, use the service password-recovery command in global configuration mode. To disable password recovery, use the no form of this command. Password recovery is enabled by default, but you might want to disable it to ensure that unauthorized users cannot use the password recovery mechanism to compromise the security appliance.

service password-recovery

no service password-recovery

Syntax Description

This command has no arguments or keywords.

Defaults

Password recovery is enabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode | Firewall Mode: Routed, Transparent | Security Context: Single, Multiple (Context, System)
Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

On the ASA 5500 series adaptive security appliance, if you forget the passwords, you can boot the security appliance into ROMMON by pressing the Escape key on the terminal keyboard when prompted during startup. Then set the security appliance to ignore the startup configuration by changing the configuration register (see the config-register command). For example if your configuration register is the default 0x1, then change the value to 0x41 by entering the confreg 0x41 command. After reloading the security appliance, it loads a default configuration, and you can enter privileged EXEC mode using the default passwords. Then load the startup configuration by copying it to the running configuration and reset the passwords. Finally, set the security appliance to boot as before by setting the configuration register to the original setting. For example, enter the config-register 0x1 command in global configuration mode.

On the PIX 500 series security appliance, boot the security appliance into monitor mode by pressing the Escape key on the terminal keyboard when prompted during startup. Then download the PIX password tool to the security appliance, which erases all passwords and aaa authentication commands.

On the ASA 5500 series adaptive security appliance, the no service password-recovery command prevents a user from entering ROMMON with the configuration intact. When a user enters ROMMON, the security appliance prompts the user to erase all Flash file systems. The user cannot enter ROMMON without first performing this erasure. If a user chooses not to erase the Flash file system, the security appliance reloads. Because password recovery depends on using ROMMON and maintaining the existing configuration, this erasure prevents you from recovering a password. However, disabling password recovery prevents unauthorized users from viewing the configuration or inserting different passwords. In this case, to recover the system to an operating state, load a new image and a backup configuration file, if available.

The service password-recovery command appears in the configuration file for informational purposes only; when you enter the command at the CLI prompt, the setting is saved in NVRAM. The only way to change the setting is to enter the command at the CLI prompt. Loading a new configuration with a different version of the command does not change the setting.

If you disable password recovery when the security appliance is configured to ignore the startup configuration at startup (in preparation for password recovery), the security appliance changes the setting to boot the startup configuration as usual. If you use failover, and the standby unit is configured to ignore the startup configuration, the same change is made to the configuration register when the no service password-recovery command replicates to the standby unit.

On the PIX 500 series security appliance, the no service password-recovery command forces the PIX password tool to prompt the user to erase all Flash file systems. The user cannot use the PIX password tool without first performing this erasure. If a user chooses not to erase the Flash file system, the security appliance reloads. Because password recovery depends on maintaining the existing configuration, this erasure prevents you from recovering a password. However, disabling password recovery prevents unauthorized users from viewing the configuration or inserting different passwords. In this case, to recover the system to an operating state, load a new image and a backup configuration file, if available.
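A defender-side audit of the two settings described above, written here as an added example and not Cisco's code: it scans a saved running-config for the password-recovery line and for a configuration register with the ignore-startup-configuration bit set (0x40, the difference between the page's 0x1 and 0x41). The config-register line format and the sample config are assumptions.

```python
import re

# Bit that makes the appliance ignore the startup configuration at boot:
# the page's default register is 0x1 and its recovery value is 0x41.
IGNORE_STARTUP_CONFIG_BIT = 0x40

# Constructed sample running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
hostname asa-edge
service password-recovery
config-register 0x41
enable password <removed>
"""


def parse_config_register(config_text):
    """Return the configuration register as an int, or None if no line is present.

    The 'config-register 0x..' line format is assumed from the CLI command the
    page shows.
    """
    m = re.search(r"^\s*config-register\s+(0x[0-9a-fA-F]+)\s*$", config_text, re.M)
    return int(m.group(1), 16) if m else None


def password_recovery_state(config_text):
    """Return False if 'no service password-recovery' is present, else True.

    Password recovery is enabled by default, so an absent line means enabled.
    Caveat from the page: the line in a config file is informational only; the
    effective setting is the one last entered at the CLI and saved in NVRAM, so
    treat this as a hint to confirm on the device, not as proof.
    """
    if re.search(r"^\s*no service password-recovery\s*$", config_text, re.M):
        return False
    return True


def audit(config_text):
    """Return a list of findings for the password-recovery posture of one config."""
    findings = []
    if password_recovery_state(config_text):
        findings.append("password recovery enabled: ROMMON can boot a default "
                        "configuration with the saved configuration intact")
    reg = parse_config_register(config_text)
    if reg is not None and reg & IGNORE_STARTUP_CONFIG_BIT:
        findings.append(f"config-register {reg:#x} ignores the startup "
                        "configuration at boot; the default is 0x1")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```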

Examples

The following example disables password recovery for the ASA 5500 series adaptive security appliance:

hostname(config)# no service password-recovery
WARNING: Executing "no service password-recovery" has disabled the password recovery 
mechanism and disabled access to ROMMON.  The only means of recovering from lost or 
forgotten passwords will be for ROMMON to erase all file systems including configuration 
files and images.  You should make a backup of your configuration and have a mechanism to 
restore images from the ROMMON command line.

The following example disables password recovery for the PIX 500 series security appliance:

hostname(config)# no service password-recovery
WARNING: Saving "no service password-recovery" in the startup-config will disable password 
recovery via the npdisk application.  The only means of recovering from lost or forgotten 
passwords will be for npdisk to erase all file systems including configuration files and 
images.  You should make a backup of your configuration and have a mechanism to restore 
images from the Monitor Mode command line.

The following example for the ASA 5500 series adaptive security appliance shows when to enter ROMMON at startup and how to complete a password recovery operation.

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.                              

Use ? for help.
rommon #0> confreg
Current Configuration Register: 0x00000001
Configuration Summary:
  boot default image from Flash
Do you wish to change this configuration? y/n [n]: n
rommon #1> confreg 0x41
Update Config Register (0x41) in NVRAM...
rommon #2> boot
Launching BootLoader...
Boot configuration file contains 1 entry.

Loading disk0:/ASA_7.0.bin... Booting...
###################
...
Ignoring startup configuration as instructed by configuration register.
Type help or '?' for a list of available commands.
hostname> enable
Password:
hostname# configure terminal
hostname(config)# copy startup-config running-config
Destination filename [running-config]?
Cryptochecksum(unchanged): 7708b94c e0e3f0d5 c94dde05 594fbee9
892 bytes copied in 6.300 secs (148 bytes/sec)
hostname(config)# enable password NewPassword
hostname(config)# config-register 0x1

Related Commands

Command
Description

config-register

Sets the security appliance to ignore the startup configuration when it reloads.

enable password

Sets the enable password.

password

Sets the login password.


service-policy

To activate a policy map globally on all interfaces or on a targeted interface, use the service-policy command in privileged EXEC mode. To disable, use the no form of this command. Use the service-policy command to enable a set of policies on an interface. In general, a service-policy command can be applied to any interface that can be defined by the nameif command.

service-policy policymap_name [ global | interface intf ]

no service-policy policymap_name [ global | interface intf ]

Syntax Description

policymap_name

A unique alphanumeric policy map identifier.

global

Applies the policy map to all interfaces.

interface

Applies the policy map to a specific interface

intf

The interface name defined in the nameif command.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode | Firewall Mode: Routed, Transparent | Security Context: Single, Multiple (Context, System)
Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

If an interface name is specified, the policy-map only applies to the interface. The interface name is defined in the nameif command, and an interface policy-map overrides a global policy-map. Only one policy-map is allowed per interface.

Only one global policy is allowed.

Examples

The following example shows the syntax of the service-policy command:

hostname(config)# service-policy outside_security_map interface outside

Related Commands

Command
Description

show service-policy

Displays the service policy.

show running-config service-policy

Displays the service policies configured in the running configuration.

clear service-policy

Clears service policy statistics.

clear configure service-policy

Clears service policy configurations.


session

To establish a Telnet session to an AIP SSM, use the session command in privileged EXEC mode.

session 1

Syntax Description

1

Specifies the slot number, which is always 1.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode | Firewall Mode: Routed, Transparent | Security Context: Single, Multiple (Context, System)
Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

This command is only available when the AIP SSM is in the Up state. See the show module command for state information.

To end a session, enter exit or Ctrl-Shift-6 then the X key.

Examples

The following example sessions to an SSM in slot 1:

hostname# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.

Related Commands

Command
Description

debug session-command

Shows debug messages for sessions.


set connection

To specify connection values within a policy-map for a traffic class, use the set connection command in class mode. Use this command to specify the maximum number of simultaneous connections and to specify whether to enable or disable TCP sequence number randomization. To remove these specifications, thereby allowing unlimited connections, use the no form of this command.

set connection {conn-max | embryonic-conn-max} n random-seq# {enable | disable}

no set connection {conn-max | embryonic-conn-max} n random-seq# {enable | disable}

Syntax Description

conn-max n

The maximum number of simultaneous TCP and/or UDP connections that are allowed.

disable

Turns off TCP sequence number randomization.

enable

Turns on TCP sequence number randomization.

embryonic-conn-max n

The maximum number of simultaneous embryonic connections allowed.

random-seq#

Enable or disable TCP sequence number randomization. Each TCP connection has two ISNs: one generated by the client and one generated by the server. The security appliance randomizes the ISN of the TCP SYN passing in both the inbound and outbound directions.

Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session.

TCP initial sequence number randomization can be disabled if required. For example:

If another in-line firewall is also randomizing the initial sequence numbers, there is no need for both firewalls to be performing this action, even though this action does not affect the traffic.

If you use eBGP multi-hop through the security appliance and the eBGP peers are using MD5, because randomization breaks the MD5 checksum.

You use a WAAS device that requires the security appliance not to randomize the sequence numbers of connections.


Defaults

For both the conn-max and embryonic-conn-max parameters, the default value of n is 0, which allows unlimited connections.

Sequence number randomization is enabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode | Firewall Mode: Routed, Transparent | Security Context: Single, Multiple (Context, System)
Class


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

You must have configured the policy-map command and the class command before issuing this command.


Note The set connection command parameters (conn-max, embryonic-conn-max, random-seq#) can co-exist with any nat or static command; that is, you can configure connection parameters either through the nat/static commands using the max-conn, emb_limit, or norandomseq parameters, or through the MPC set connection command using the conn-max, embryonic-conn-max, or random-seq# parameters. A mixed configuration is not recommended, but if one exists, it behaves in the following ways:

When a traffic class is subject to a connection limit or embryonic connection limit from both the MPC set connection command and the nat/static command, then whichever limit is reached, that limit is applied.

When a TCP traffic class is configured to have sequence number randomization disabled by either the MPC set connection command or the nat/static command, then sequence number randomization is disabled.
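The mixed-configuration rules in this note, modeled as an added example (not Cisco's code) so that the effective limits and randomization state of a traffic class can be computed from both sources during a configuration review. The keyword names follow the note; the dictionary layout and the sample classes are assumptions.

```python
UNLIMITED = 0  # a limit of 0 means unlimited connections (the command default)


def effective_limit(mpc_limit, natstatic_limit):
    """Whichever limit is reached first applies, so the effective limit is the
    smaller of the non-zero values; 0 must be ignored, not taken as a minimum."""
    limits = [limit for limit in (mpc_limit, natstatic_limit) if limit != UNLIMITED]
    return min(limits) if limits else UNLIMITED


def effective_randomization(mpc_enabled, natstatic_enabled):
    """ISN randomization stays on only if neither source disables it."""
    return mpc_enabled and natstatic_enabled


def merge_policy(mpc, natstatic):
    """Combine `set connection` (mpc) and nat/static settings for one traffic class.

    mpc keys: conn-max, embryonic-conn-max, random-seq (True = enable).
    natstatic keys: max-conn, emb_limit, norandomseq (True when the keyword is set).
    Missing keys take the command defaults (0 / randomization enabled).
    """
    return {
        "conn-max": effective_limit(mpc.get("conn-max", UNLIMITED),
                                    natstatic.get("max-conn", UNLIMITED)),
        "embryonic-conn-max": effective_limit(mpc.get("embryonic-conn-max", UNLIMITED),
                                              natstatic.get("emb_limit", UNLIMITED)),
        "random-seq": effective_randomization(mpc.get("random-seq", True),
                                              not natstatic.get("norandomseq", False)),
    }


def randomization_exposures(classes):
    """Names of traffic classes whose effective policy leaves ISN randomization
    off, which the page notes exposes the protected host to ISN prediction."""
    return [name for name, (mpc, natstatic) in classes.items()
            if not merge_policy(mpc, natstatic)["random-seq"]]


# Constructed sample: the page's local_server class (conn-max 256, random-seq#
# disable) beside a static rule that also caps embryonic connections, plus a
# second class where only the nat/static side sets a limit.
SAMPLE_CLASSES = {
    "local_server": ({"conn-max": 256, "random-seq": False},
                     {"max-conn": 0, "emb_limit": 100}),
    "mail_relay": ({"conn-max": 1000},
                   {"max-conn": 500, "norandomseq": False}),
}
```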


Examples

The following is an example of the use of the set connection command in class mode to configure the maximum number of simultaneous connections as 256 and to disable TCP sequence number randomization:

hostname(config)# policy-map localpolicy1
hostname(config-pmap)# class local_server
hostname(config-pmap-c)# set connection conn-max 256 random-seq# disable
hostname(config-pmap-c)# exit

Related Commands

Command
Description

class

Specifies a class-map to use for traffic classification.

clear configure policy-map

Removes all policy-map configuration, except that if a policy-map is in use in a service-policy command, that policy-map is not removed.

help policy-map

Shows syntax help for the policy-map command.

policy-map

Configures a policy; that is, an association of a traffic class and one or more actions.

show running-config policy-map

Displays all current policy-map configurations.


set connection advanced-options

To specify advanced TCP connection options within a policy-map for a traffic class, use the set connection advanced-options command in class mode. To remove advanced TCP connection options for a traffic class within a policy map, use the no form of this command.

set connection advanced-options tcp-mapname

no set connection advanced-options tcp-mapname

Syntax Description

tcp-mapname

Name of a TCP map in which advanced TCP connection options are configured.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode | Firewall Mode: Routed, Transparent | Security Context: Single, Multiple (Context, System)
Class


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

You must have configured the policy-map command and the class command, as well as the TCP map name, before issuing this command. See the description of the tcp-map command for detailed information.

Examples

The following example shows the use of the set connection advanced-options command to specify the use of a TCP map named localmap:

hostname(config)# access-list http-server permit tcp any host 10.1.1.1
hostname(config)# class-map http-server
hostname(config-cmap)# match access-list http-server
hostname(config-cmap)# exit
hostname(config)# tcp-map localmap
hostname(config)# policy-map global_policy global
hostname(config-pmap)# description This policy map defines a policy concerning connection to http server.
hostname(config-pmap)# class http-server
hostname(config-pmap-c)# set connection advanced-options localmap

Related Commands

Command
Description

class

Specifies a class-map to use for traffic classification.

class-map

Configures a traffic class by issuing at most one (with the exception of tunnel-group and default-inspection-traffic) match command, specifying match criteria, in the class-map mode.

clear configure policy-map

Removes all policy-map configuration, except that if a policy-map is in use in a service-policy command, that policy-map is not removed.

policy-map

Configures a policy; that is, an association of a traffic class and one or more actions.

show running-config policy-map

Displays all current policy-map configurations.


set connection timeout

To configure the timeout period, after which an idle TCP connection is disconnected, use the set connection timeout command in class mode. To remove the timeout, use the no form of this command.

set connection timeout tcp hh[:mm[:ss]] [reset]

no set connection timeout tcp

set connection timeout embryonic hh[:mm[:ss]]

no set connection timeout embryonic

set connection timeout half-closed hh[:mm[:ss]]

no set connection timeout half-closed

Syntax Description

embryonic hh[:mm[:ss]]

Timeout period after which a TCP embryonic (half-opened) connection is closed.

half-closed hh[:mm[:ss]]

The timeout period until a TCP half-closed connection is freed.

reset

Sends a TCP RST packet to both end systems after TCP idle connections are removed.

tcp hh[:mm[:ss]]

The idle time after which an established connection closes.


Defaults

The default embryonic connection timeout value is 30 seconds.

The default half-closed connection timeout value is 10 minutes.

The default tcp connection timeout value is 1 hour.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode | Firewall Mode: Routed, Transparent | Security Context: Single, Multiple (Context, System)
Class


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

You must have configured the policy-map command and the class command before issuing this command.

A TCP connection for which a three-way handshake is not complete is an embryonic connection. For the embryonic connection timeout value, use 0:0:0 to specify that the connection never times out. Otherwise, the timeout duration must be at least 5 seconds.

When the TCP connection is in the closing state, use the half-closed parameter to configure the length of time until the connection is freed. Use 0:0:0 to specify that the connection never times out. The minimum timeout duration is 5 minutes.

The tcp inactive connection timeout configures the period after which an idle TCP connection in the established state is disconnected. Use 0:0:0 to specify that the connection never times out. The minimum timeout duration is 5 minutes.

The reset keyword is used to send a TCP RST packet to both end systems once an idle TCP connection has timed out. Some applications require a TCP RST after a timeout to perform properly.
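The value rules above (hh[:mm[:ss]] syntax, 0:0:0 meaning never, the 5-second and 5-minute minimums, reset only on the tcp form) as an added validator, not Cisco's code; the function and dictionary names are assumptions, the defaults and minimums are the ones this section states.

```python
import re

# Minimum non-zero durations in seconds from the usage guidelines; 0:0:0 means
# the connection never times out.
MINIMUM_SECONDS = {"embryonic": 5, "half-closed": 5 * 60, "tcp": 5 * 60}
DEFAULT_SECONDS = {"embryonic": 30, "half-closed": 10 * 60, "tcp": 60 * 60}


def parse_hhmmss(text):
    """Parse hh[:mm[:ss]] into seconds; omitted fields are zero and fields may
    be one or two digits, so the page's '00:2:00' is two minutes."""
    m = re.fullmatch(r"(\d{1,2})(?::(\d{1,2})(?::(\d{1,2}))?)?", text)
    if m is None:
        raise ValueError(f"not an hh[:mm[:ss]] duration: {text!r}")
    hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    if minutes > 59 or seconds > 59:
        raise ValueError(f"minutes and seconds must be 0-59: {text!r}")
    return hours * 3600 + minutes * 60 + seconds


def validate_timeout(kind, text):
    """Return the timeout in seconds if it is acceptable for this keyword."""
    if kind not in MINIMUM_SECONDS:
        raise ValueError(f"unknown timeout keyword: {kind!r}")
    seconds = parse_hhmmss(text)
    if seconds == 0:  # 0:0:0 is explicitly allowed: never times out
        return 0
    if seconds < MINIMUM_SECONDS[kind]:
        raise ValueError(
            f"{kind} timeout must be at least {MINIMUM_SECONDS[kind]}s or 0:0:0")
    return seconds


def cli_line(kind, text, reset=False):
    """Build the class-mode command line after validating the value.
    `reset` is only defined for the tcp form."""
    validate_timeout(kind, text)
    if reset and kind != "tcp":
        raise ValueError("reset applies only to the tcp idle timeout")
    return f"set connection timeout {kind} {text}" + (" reset" if reset else "")


def shorter_than_default(settings):
    """Keywords whose explicit timeout is shorter than the command default,
    a review check worth running because aggressive timeouts drop legitimate
    long-lived sessions (0:0:0 'never' is not shorter than anything)."""
    result = []
    for kind, text in settings.items():
        seconds = validate_timeout(kind, text)
        if seconds != 0 and seconds < DEFAULT_SECONDS[kind]:
            result.append(kind)
    return result
```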

Examples

The following is an example of a set connection timeout command that specifies an embryonic connection timeout of two minutes:

hostname(config)# access-list http-server permit tcp any host 10.1.1.1
hostname(config)# class-map http-server
hostname(config-cmap)# match access-list http-server
hostname(config-cmap)# exit
hostname(config)# policy-map global_policy global
hostname(config-pmap)# description This policy map defines a policy concerning connection to http server.
hostname(config-pmap)# class http-server
hostname(config-pmap-c)# set connection timeout embryonic 00:2:00

Related Commands

Command
Description

class

Specifies a class-map to use for traffic classification.

clear configure policy-map

Removes all policy-map configuration, except that if a policy-map is in use in a service-policy command, that policy-map is not removed.

policy-map

Configures a policy; that is, an association of a traffic class and one or more actions.

set connection

Configures connection values.

show running-config policy-map

Displays all current policy-map configurations.


set metric

To set the metric value for a routing protocol, use the set metric command in route-map configuration mode. To return to the default metric value, use the no form of this command.

set metric value

no set metric value

Syntax Description

value

Metric value.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode | Firewall Mode: Routed, Transparent | Security Context: Single, Multiple (Context, System)
Route-map configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The no set metric value command allows you to return to the default metric value. In this context, the value is an integer from 0 to 4294967295.

Examples

The following example shows how to configure a route map for OSPF routing:

hostname(config)# route-map maptag1 permit 8
hostname(config-route-map)# set metric 5
hostname(config-route-map)# match metric 5
hostname(config-route-map)# show route-map
route-map maptag1 permit 8
set metric 5
match metric 5
hostname(config-route-map)# exit
hostname(config)# 

Related Commands

Command
Description

match interface

Distributes any routes that have their next hop out one of the interfaces specified.

match ip next-hop

Distributes any routes that have a next-hop router address that is passed by one of the access lists specified.

route-map

Defines the conditions for redistributing routes from one routing protocol into another.


set metric-type

To specify the type of OSPF metric routes, use the set metric-type command in route-map configuration mode. To return to the default setting, use the no form of this command.

set metric-type {type-1 | type-2}

no set metric-type

Syntax Description

type-1

Specifies OSPF external type 1 as the metric type for routes that are external to a specified autonomous system.

type-2

Specifies OSPF external type 2 as the metric type for routes that are external to a specified autonomous system.


Defaults

The default is type-2.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode | Firewall Mode: Routed, Transparent | Security Context: Single, Multiple (Context, System)
Route-map configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

The following example shows how to configure a route map for OSPF routing:

hostname(config)# route-map maptag1 permit 8
hostname(config-route-map)# set metric 5
hostname(config-route-map)# match metric 5
hostname(config-route-map)# set metric-type type-2
hostname(config-route-map)# show route-map
route-map maptag1 permit 8
  set metric 5
  set metric-type type-2
  match metric 5
hostname(config-route-map)# exit
hostname(config)# 

Related Commands

Command
Description

match interface

Distributes any routes that have their next hop out one of the interfaces specified.

route-map

Defines the conditions for redistributing routes from one routing protocol into another.

set metric

Specifies the metric value in the destination routing protocol for a route map.


setup

To configure a minimal configuration for the security appliance using interactive prompts, enter the setup command in global configuration mode. This configuration provides connectivity to use ASDM. See also the configure factory-default command to restore the default configuration.

setup

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode | Firewall Mode: Routed, Transparent | Security Context: Single, Multiple (Context, System)
Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The setup dialog automatically appears at boot time if there is no startup configuration in Flash memory.

Before you can use the setup command, you must have an inside interface already configured. The PIX 500 series default configuration includes an inside interface (Ethernet 1), but the ASA 5500 series default configuration does not. Before using the setup command, enter the interface command for the interface you want to make inside, and then the nameif inside command.

In multiple context mode, you can use the setup command in the system execution space and for each context.

When you enter the setup command, you are asked for the information in Table 7-1. The system setup command includes a subset of these prompts. If there is already a configuration for the prompted parameter, it appears in brackets so you can either accept it as the default or override it by entering something new.

Table 7-1 Setup Prompts 

Prompt
Description

Pre-configure Firewall now through interactive prompts [yes]?

Enter yes or no. If you enter yes, the setup dialog continues. If no, the setup dialog stops and the global configuration prompt (hostname(config)#) appears.

Firewall Mode [Routed]:

Enter routed or transparent.

Enable password:

Enter an enable password. (The password must have at least three characters.)

Allow password recovery [yes]?

Enter yes or no.

Clock (UTC):

You cannot enter anything in this field. UTC time is used by default.

Year:

Enter the year using four digits, for example, 2005. The year range is 1993 to 2035.

Month:

Enter the month using the first three characters of the month; for example, Sep for September.

Day:

Enter the day of the month, from 1 to 31.

Time:

Enter the hour, minutes, and seconds in 24-hour time format. For example, enter 20:54:44 for 8:54 p.m. and 44 seconds.

Inside IP address:

Enter the IP address for the inside interface.

Inside network mask:

Enter the network mask that applies to the inside IP address. You must specify a valid network mask, such as 255.0.0.0 or 255.255.0.0.

Host name:

Enter the hostname that you want to display in the command line prompt.

Domain name:

Enter the domain name of the network on which the security appliance runs.

IP address of host running Device Manager:

Enter the IP address of the host that needs to access ASDM.

Use this configuration and write to flash?

Enter yes or no. If you enter yes, the inside interface is enabled and the requested configuration is written to the Flash partition.

If you enter no, the setup dialog repeats, beginning with the first question:

Pre-configure Firewall now through interactive prompts [yes]?

Enter no to exit the setup dialog or yes to repeat it.


Examples

This example shows how to complete the setup command prompts:

hostname(config)# setup
Pre-configure Firewall now through interactive prompts [yes]? yes 
Firewall Mode [Routed]: routed
Enable password [<use current password>]: writer
Allow password recovery [yes]? yes
Clock (UTC):
   Year: 2005
   Month: Nov
   Day: 15
   Time: 10:0:0
Inside IP address: 192.168.1.1
Inside network mask: 255.255.255.0
Host name: tech_pubs
Domain name: your_company.com
IP address of host running Device Manager: 10.1.1.1

The following configuration will be used:
Enable password: writer
Allow password recovery: yes
Clock (UTC): 20:54:44 Sep 17 2005
Firewall Mode: Routed
Inside IP address: 192.168.1.1
Inside network mask: 255.255.255.0
Host name: tech_pubs
Domain name: your_company.com
IP address of host running Device Manager: 10.1.1.1

Use this configuration and write to flash? yes

Related Commands

Command
Description

configure factory-default

Restores the default configuration.


show aaa local user

To show the list of usernames that are currently locked, or to show details about the username, use the show aaa local user command in global configuration mode.

show aaa local user [locked]

Syntax Description

locked

(Optional) Shows the list of usernames that are currently locked.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

If you omit the optional keyword locked, the security appliance displays the failed-attempts and lockout status details for all AAA local users.

You can specify a single user by using the username option or all users with the all option.

This command affects only the status of users that are locked out.

The administrator cannot be locked out of the device.

Examples

The following example shows the use of the show aaa local user command to display the number of failed authentication attempts and lockout status details for all AAA local users, after the limit has been set to 5:

hostname(config)# aaa local authentication attempts max-fail 5
hostname(config)# show aaa local user
Lock-time  Failed-attempts      Locked  User
    -                   6       Y       test
    -                   2       N       mona
    -                   1       N       cisco
    -                   4       N       newuser
hostname(config)# 

This example shows the use of the show aaa local user command with the locked keyword to display the number of failed authentication attempts and lockout status details only for locked-out AAA local users, after the limit has been set to 5:

hostname(config)# aaa local authentication attempts max-fail 5
hostname(config)# show aaa local user locked
Lock-time  Failed-attempts      Locked  User
    -                   6       Y       test
hostname(config)# 
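As an added example that is not part of the Cisco reference, the following Python parser reads the show aaa local user table shown above and reports which local users are locked out and which are within one failed attempt of the configured max-fail limit, so that brute-force activity against local accounts can be spotted before the lockout fires. The sample output is constructed from the example above; the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: the "show aaa local user" output shown above, captured
# after "aaa local authentication attempts max-fail 5" was configured.
SAMPLE_OUTPUT = """\
hostname(config)# show aaa local user
Lock-time  Failed-attempts      Locked  User
    -                   6       Y       test
    -                   2       N       mona
    -                   1       N       cisco
    -                   4       N       newuser
hostname(config)#
"""

# One table row: lock time (or "-"), failed-attempt count, Y/N flag, username.
ROW_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+([YN])\s+(\S+)\s*$")


@dataclass
class LocalUserStatus:
    user: str
    failed_attempts: int
    locked: bool
    lock_time: str  # "-" when the appliance reports no lock time


def parse_show_aaa_local_user(text: str) -> List[LocalUserStatus]:
    """Parse the table rows; the prompt echo and column header do not match ROW_RE."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        lock_time, attempts, locked, user = m.groups()
        rows.append(LocalUserStatus(user, int(attempts), locked == "Y", lock_time))
    return rows


def lockout_report(rows: List[LocalUserStatus], max_fail: int) -> Tuple[List[str], List[str]]:
    """Return (users already locked, unlocked users one failed attempt from lockout).

    max_fail is the value given to "aaa local authentication attempts max-fail".
    """
    locked = [r.user for r in rows if r.locked]
    near_lockout = [
        r.user for r in rows if not r.locked and r.failed_attempts >= max_fail - 1
    ]
    return locked, near_lockout


if __name__ == "__main__":
    users = parse_show_aaa_local_user(SAMPLE_OUTPUT)
    locked, near = lockout_report(users, max_fail=5)
    print("locked:", locked)          # ['test']
    print("near lockout:", near)      # ['newuser']
```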

Related Commands

Command
Description

aaa local authentication attempts max-fail

Configures the maximum number of times a user can enter a wrong password before being locked out.

clear aaa local user fail-attempts

Resets the number of failed attempts to 0 without modifying the lockout status.

clear aaa local user lockout

Clears the lockout status of the specified user or all users and sets their failed attempts counters to 0.


show aaa-server

To display AAA server statistics for AAA servers, use the show aaa-server command in privileged EXEC mode.

show aaa-server [LOCAL | groupname [host hostname] | protocol protocol]

Syntax Description

LOCAL

(Optional) Shows statistics for the LOCAL user database.

groupname

(Optional) Shows statistics for servers in a group.

host hostname

(Optional) Shows statistics for a particular server in the group.

protocol protocol

(Optional) Shows statistics for servers of the specified protocol:

kerberos

ldap

nt

radius

sdi

tacacs+


Defaults

By default, all AAA server statistics display.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

This example shows the use of the show aaa-server command to display statistics for a particular host in server group group1:

hostname(config)# show aaa-server group1 host 192.68.125.60
Server Group:          			group1
Server Protocol:       			RADIUS
Server Address:       			192.68.125.60
Server port:        			1645      
Server status:     			ACTIVE/FAILED. Last transaction (success) at 11:10:08 UTC  Fri Aug 22
Number of pending requests 20
Average round trip time					4ms
Number of authentication requests					20
Number of authorization requests					 0
Number of accounting requests					 0
Number of retransmissions					1
Number of accepts					16
Number of rejects					4
Number of challenges						5
Number of malformed responses					0
Number of bad authenticators						0
Number of pending requests					0
Number of timeouts					0
Number of unrecognized responses					0
hostname(config)# 

This example shows the use of the show aaa-server command to show the statistics for all servers in a small, inactive system:

hostname(config)# show aaa-server
Server Group: 					LOCAL
Server Protocol:			 		Local database
Server Address: 					None
Server port:					None
Server status:					ACTIVE, Last transaction at unknown
Number of pending requests									0
Average round trip time									0ms
Number of authentication requests									0
Number of authorization requests									0
Number of accounting requests									0
Number of retransmissions									0
Number of accepts									0
Number of rejects									0
Number of challenges									0
Number of malformed responses									0
Number of bad authenticators 									0
Number of timeouts									0
Number of unrecognized responses									0
hostname(config)#

Related Commands

Command
Description

show running-config aaa-server

Display statistics for all servers in the indicated server group or for a particular server.

clear aaa-server statistics

Clear the AAA server statistics.


show access-list

To display the counters for an access list, use the show access-list command in privileged EXEC mode.

show access-list id

Syntax Description

id

Identifies the access list.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

The following is sample output from the show access-list command:

hostname# show access-list ac
access-list ac; 2 elements
access-list ac line 1 permit ip any any (hitcnt=0)
access-list ac line 2 permit tcp any any (hitcnt=0)

Related Commands

Command
Description

access-list ethertype

Configures an access list that controls traffic based on its EtherType.

access-list extended

Adds an access list to the configuration and configures policy for IP traffic through the firewall.

clear access-list

Clears an access list counter.

clear configure access-list

Clears an access list from the running configuration.

show running-config access-list

Displays the current running access-list configuration.


show activation-key

To display the commands in the configuration for features that are enabled by your activation key, including the number of contexts allowed, use the show activation-key command in privileged EXEC mode.

show activation-key

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode      Firewall Mode            Security Context
                  Routed   Transparent     Single   Multiple
                                                    Context   System

Privileged EXEC   ·        ·               ·        ·         ·


Command History

Release
Modification

PIX Version 7.0

Support for this command was introduced on the security appliance.


Usage Guidelines

The show activation-key command output indicates the status of the activation key as follows:

If the activation key in the security appliance Flash file system is the same as the activation key running on the security appliance, then the show activation-key output reads as follows:

The flash activation key is the SAME as the running key.

If the activation key in the security appliance Flash file system is different from the activation key running on the security appliance, then the show activation-key output reads as follows:

The flash activation key is DIFFERENT from the running key.
The flash activation key takes effect after the next reload.

If you downgrade your activation key, the display shows that the running key (the old key) differs from the key that is stored in the Flash (the new key). When you restart, the security appliance uses the new key.

If you upgrade your key to enable extra features, the new key starts running immediately without a restart.

For the PIX Firewall platform, if there is any change in the failover feature (R/UR/FO) between the new key and the old key, the security appliance prompts for confirmation. If the user enters n, it aborts the change; otherwise it updates the key in the Flash file system. When you restart, the security appliance uses the new key.

Examples

This example shows how to display the commands in the configuration for features that are enabled by your activation key:

hostname(config)# show activation-key 
Serial Number:  P3000000134
Running Activation Key: 0xyadayada 0xyadayada 0xyadayada 0xyadayada 0xyadayada

License Features for this Platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs               : 50
Inside Hosts                : Unlimited
Failover                    : Enabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Disabled
Cut-through Proxy           : Enabled
Guards                      : Enabled
URL-filtering               : Enabled
Security Contexts           : 20
GTP/GPRS                    : Disabled
VPN Peers                   : 5000

The flash activation key is the SAME as the running key.
hostname(config)#

Related Commands

Command
Description

activation-key

Changes the activation key.


show admin-context

To display the context name currently assigned as the admin context, use the show admin-context command in privileged EXEC mode.

show admin-context

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following is sample output from the show admin-context command. It shows the admin context, called "admin," whose configuration is stored in the root directory of flash:

hostname# show admin-context
Admin: admin flash:/admin.cfg

Related Commands

Command
Description

admin-context

Sets the admin context.

changeto

Changes between contexts or the system execution space.

clear configure context

Removes all contexts.

mode

Sets the context mode to single or multiple.

show context

Shows a list of contexts (system execution space) or information about the current context.


show arp

To view the ARP table, use the show arp command in privileged EXEC mode.

show arp

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(8)

Added dynamic ARP age to the display.


Usage Guidelines

The display output shows dynamic, static, and proxy ARP entries. Dynamic ARP entries include the age of the ARP entry in seconds. Static ARP entries include a dash (-) instead of the age, and proxy ARP entries state "alias."

Examples

The following is sample output from the show arp command. The first entry is a dynamic entry aged 2 seconds. The second entry is a static entry, and the third entry is from proxy ARP.

hostname# show arp
        outside 10.86.194.61 0011.2094.1d2b 2
        outside 10.86.194.1 001a.300c.8000 -
        outside 10.86.195.2 00d0.02a8.440a alias
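As an added example that is not part of the Cisco reference, the following Python code parses the show arp output shown above into dynamic, static, and proxy (alias) entries and compares the dynamic entries against an expected interface/IP-to-MAC baseline, which is a simple way to notice a gateway or server answering from an unexpected hardware address. The sample output is constructed from the example above plus one extra dynamic entry on an "inside" interface; the baseline MACs and function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the three entries from the "show arp" output above, plus
# one dynamic "inside" entry whose MAC does not match the baseline below.
SAMPLE_ARP = """\
hostname# show arp
        outside 10.86.194.61 0011.2094.1d2b 2
        outside 10.86.194.1 001a.300c.8000 -
        outside 10.86.195.2 00d0.02a8.440a alias
        inside 192.168.1.1 0011.2094.1d2b 7
"""

# Constructed baseline of expected MACs keyed by (interface, ip).
BASELINE: Dict[Tuple[str, str], str] = {
    ("outside", "10.86.194.61"): "0011.2094.1d2b",
    ("inside", "192.168.1.1"): "000c.2911.aabb",
}

# interface, dotted-quad IP, Cisco-style MAC, then age in seconds / "-" / "alias".
ARP_RE = re.compile(
    r"^\s*(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s*$"
)


@dataclass
class ArpEntry:
    interface: str
    ip: str
    mac: str
    kind: str           # "dynamic", "static" or "proxy"
    age: Optional[int]  # seconds since learned; dynamic entries only


def parse_show_arp(text: str) -> List[ArpEntry]:
    """Classify each row by its last column: a number (dynamic), "-" (static) or "alias" (proxy)."""
    entries = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if not m:
            continue
        iface, ip, mac, age = m.groups()
        if age == "-":
            entries.append(ArpEntry(iface, ip, mac, "static", None))
        elif age == "alias":
            entries.append(ArpEntry(iface, ip, mac, "proxy", None))
        else:
            entries.append(ArpEntry(iface, ip, mac, "dynamic", int(age)))
    return entries


def count_by_kind(entries: List[ArpEntry]) -> Dict[str, int]:
    counts = {"dynamic": 0, "static": 0, "proxy": 0}
    for e in entries:
        counts[e.kind] += 1
    return counts


def baseline_mismatches(entries: List[ArpEntry],
                        baseline: Dict[Tuple[str, str], str]) -> List[ArpEntry]:
    """Dynamic entries whose learned MAC differs from the expected MAC for that interface/IP.

    Static and proxy entries are configured on the appliance itself, so only
    dynamically learned entries are compared.
    """
    return [
        e for e in entries
        if e.kind == "dynamic"
        and (e.interface, e.ip) in baseline
        and baseline[(e.interface, e.ip)] != e.mac
    ]


if __name__ == "__main__":
    arp = parse_show_arp(SAMPLE_ARP)
    print(count_by_kind(arp))                       # {'dynamic': 2, 'static': 1, 'proxy': 1}
    for bad in baseline_mismatches(arp, BASELINE):
        print(f"unexpected MAC {bad.mac} for {bad.ip} on {bad.interface}")
```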

Related Commands

Command
Description

arp

Adds a static ARP entry.

arp-inspection

For transparent firewall mode, inspects ARP packets to prevent ARP spoofing.

clear arp statistics

Clears ARP statistics.

show arp statistics

Shows ARP statistics.

show running-config arp

Shows the current configuration of the ARP timeout.


show arp-inspection

To view the ARP inspection setting for each interface, use the show arp-inspection command in privileged EXEC mode.

show arp-inspection

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following is sample output from the show arp-inspection command:

hostname# show arp-inspection
interface                arp-inspection         miss
----------------------------------------------------
inside1                  enabled                flood
outside                  disabled                -

The miss column shows the default action to take for non-matching packets when ARP inspection is enabled, either "flood" or "no-flood."

Related Commands

Command
Description

arp

Adds a static ARP entry.

arp-inspection

For transparent firewall mode, inspects ARP packets to prevent ARP spoofing.

clear arp statistics

Clears ARP statistics.

show arp statistics

Shows ARP statistics.

show running-config arp

Shows the current configuration of the ARP timeout.


show arp statistics

To view ARP statistics, use the show arp statistics command in privileged EXEC mode.

show arp statistics

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

The following is sample output from the show arp statistics command:

hostname# show arp statistics
        Number of ARP entries:
        ASA : 6
        Dropped blocks in ARP: 6
        Maximum Queued blocks: 3
        Queued blocks: 1
        Interface collision ARPs Received: 5
        ARP-defense Gratuitous ARPS sent: 4
        Total ARP retries: 15
        Unresolved hosts: 1
        Maximum Unresolved hosts: 2

Table 7-2 describes each field.

Table 7-2 show arp statistics Fields 

Field
Description

Number of ARP entries

The total number of ARP table entries.

Dropped blocks in ARP

The number of blocks that were dropped while IP addresses were being resolved to their corresponding hardware addresses.

Maximum queued blocks

The maximum number of blocks that were ever queued in the ARP module, while waiting for the IP address to be resolved.

Queued blocks

The number of blocks currently queued in the ARP module.

Interface collision ARPs received

The number of ARP packets received at all security appliance interfaces that were from the same IP address as that of a security appliance interface.

ARP-defense gratuitous ARPs sent

The number of gratuitous ARPs sent by the security appliance as part of the ARP-Defense mechanism.

Total ARP retries

The total number of ARP requests sent by the ARP module when the address was not resolved in response to first ARP request.

Unresolved hosts

The number of unresolved hosts for which ARP requests are still being sent out by the ARP module.

Maximum unresolved hosts

The maximum number of unresolved hosts that ever were in the ARP module since it was last cleared or the security appliance booted up.


Related Commands

Command
Description

arp-inspection

For transparent firewall mode, inspects ARP packets to prevent ARP spoofing.

clear arp statistics

Clears ARP statistics and resets the values to zero.

show arp

Shows the ARP table.

show running-config arp

Shows the current configuration of the ARP timeout.


show asdm history

To display the contents of the ASDM history buffer, use the show asdm history command in privileged EXEC mode.

show asdm history [view timeframe] [snapshot] [feature feature] [asdmclient]

Syntax Description

asdmclient

(Optional) Displays the ASDM history data formatted for the ASDM client.

feature feature

(Optional) Limits the history display to the specified feature. The following are valid values for the feature argument:

all—Displays the history for all features (default).

blocks—Displays the history for the system buffers.

cpu—Displays the history for CPU usage.

failover—Displays the history for failover.

ids—Displays the history for IDS.

interface if_name—Displays the history for the specified interface. The if_name argument is the name of the interface as specified by the nameif command.

memory—Displays memory usage history.

perfmon—Displays performance history.

sas—Displays the history for Security Associations.

tunnels—Displays the history for tunnels.

xlates—Displays translation slot history.

snapshot

(Optional) Displays only the last ASDM history data point.

view timeframe

(Optional) Limits the history display to the specified time period. Valid values for the timeframe argument are:

all—all contents in the history buffer (default).

12h—12 hours

5d—5 days

60m—60 minutes

10m—10 minutes


Defaults

If no arguments or keywords are specified, all history information for all features is displayed.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was changed from the show pdm history command to the show asdm history command.


Usage Guidelines

The show asdm history command displays the contents of the ASDM history buffer. Before you can view ASDM history information, you must enable ASDM history tracking using the asdm history enable command.

Examples

The following is sample output from the show asdm history command. It limits the output to data for the outside interface collected during the last 10 minutes.

hostname# show asdm history view 10m feature interface outside

Input KByte Count:
        [  10s:12:46:41 Mar 1 2005  ] 62640 62636 62633 62628 62622 62616 62609 
Output KByte Count:
        [  10s:12:46:41 Mar 1 2005  ] 25178 25169 25165 25161 25157 25151 25147 
Input KPacket Count:
        [  10s:12:46:41 Mar 1 2005  ]   752   752   751   751   751   751   751 
Output KPacket Count:
        [  10s:12:46:41 Mar 1 2005  ]    55    55    55    55    55    55    55 
Input Bit Rate:
        [  10s:12:46:41 Mar 1 2005  ]  3397  2843  3764  4515  4932  5728  4186 
Output Bit Rate:
        [  10s:12:46:41 Mar 1 2005  ]  7316  3292  3349  3298  5212  3349  3301 
Input Packet Rate:
        [  10s:12:46:41 Mar 1 2005  ]     5     4     6     7     6     8     6 
Output Packet Rate:
        [  10s:12:46:41 Mar 1 2005  ]     1     0     0     0     0     0     0 
Input Error Packet Count:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
No Buffer:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
Received Broadcasts:
        [  10s:12:46:41 Mar 1 2005  ] 375974 375954 375935 375902 375863 375833 375794 
Runts:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
Giants:       
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
CRC:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
Frames:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
Overruns:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
Underruns:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
Output Error Packet Count:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
Collisions:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
LCOLL:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
Reset:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
Deferred:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
Lost Carrier:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
Hardware Input Queue:
        [  10s:12:46:41 Mar 1 2005  ]   128   128   128   128   128   128   128 
Software Input Queue:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
Hardware Output Queue:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
Software Output Queue:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
Drop KPacket Count:
        [  10s:12:46:41 Mar 1 2005  ]     0     0     0     0     0     0     0 
hostname#  

The following is sample output from the show asdm history command. Like the previous example, it limits the output to data for the outside interface collected during the last 10 minutes. However, in this example the output is formatted for the ASDM client.

hostname# show asdm history view 10m feature interface outside asdmclient

MH|IBC|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|62439|62445|62453|62457|62464|6
2469|62474|62486|62489|62496|62501|62506|62511|62518|62522|62530|62534|62539|62542|62547|6
2553|62556|62562|62568|62574|62581|62585|62593|62598|62604|62609|62616|62622|62628|62633|6
2636|62640|62653|62657|62665|62672|62678|62681|62686|62691|62695|62700|62704|62711|62718|6
2723|62728|62733|62738|62742|62747|62751|62761|62770|62775|
MH|OBC|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|25023|25023|25025|25025|25025|2
5026|25026|25032|25038|25044|25052|25056|25060|25064|25070|25076|25083|25087|25091|25096|2
5102|25106|25110|25114|25118|25122|25128|25133|25137|25143|25147|25151|25157|25161|25165|2
5169|25178|25321|25327|25332|25336|25341|25345|25349|25355|25359|25363|25367|25371|25375|2
5381|25386|25390|25395|25399|25403|25410|25414|25418|25422|
MH|IPC|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|749|749|749|749|749|750|750|750
|750|750|750|750|750|750|750|750|750|750|750|750|751|751|751|751|751|751|751|751|751|751|7
51|751|751|751|751|752|752|752|752|752|752|752|752|752|752|752|752|752|752|753|753|753|753
|753|753|753|753|753|753|753|
MH|OPC|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|55|55|55|55|55|55|55|55|55|55|5
5|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|5
5|55|55|56|56|56|56|56|56|56|56|56|56|56|56|56|56|56|56|56|
MH|IBR|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|7127|5155|6202|3545|5408|3979|4
381|9492|3033|4962|4571|4226|3760|5923|3265|6494|3441|3542|3162|4076|4744|2726|4847|4292|5
401|5166|3735|6659|3837|5260|4186|5728|4932|4515|3764|2843|3397|10768|3080|6309|5969|4472|
2780|4492|3540|3664|3800|3002|6258|5567|4044|4059|4548|3713|3265|4159|3630|8235|6934|4298|
MH|OBR|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|82791|57|1410|588|57|639|0|4698
|5068|4992|6495|3292|3292|3352|5061|4808|5205|3931|3298|3349|5064|3439|3356|3292|3343|3349
|5067|3883|3356|4500|3301|3349|5212|3298|3349|3292|7316|116896|5072|3881|3356|3931|3298|33
49|5064|3292|3349|3292|3292|3349|5061|3883|3356|3931|3452|3356|5064|3292|3349|3292|
MH|IPR|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|12|8|6|5|7|5|6|14|5|7|7|5|6|9|5
|8|6|5|5|7|6|5|6|5|6|7|6|8|6|6|6|8|6|7|6|4|5|19|5|8|7|6|4|7|5|6|6|5|7|8|6|6|7|5|5|7|6|9|7|
6|
MH|OPR|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|12|0|1|0|0|0|0|4|0|2|2|0|0|0|0|
1|1|0|0|0|0|0|0|0|0|0|0|0|0|1|0|0|0|0|0|0|1|28|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0
|
MH|IERR|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|NB|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|RB|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|374874|374911|374943|374967|3750
10|375038|375073|375113|375140|375160|375181|375211|375243|375289|375316|375350|375373|375
395|375422|375446|375481|375498|375535|375561|375591|375622|375654|375701|375738|375761|37
5794|375833|375863|375902|375935|375954|375974|375999|376027|376075|376115|376147|376168|3
76200|376224|376253|376289|376315|376365|376400|376436|376463|376508|376530|376553|376583|
376614|376668|376714|376749|
MH|RNT|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0
|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|GNT|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0
|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|CRC|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0
|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|FRM|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0
|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|OR|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|UR|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|OERR|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|COLL|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|LCOLL|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0
|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0
|
MH|RST|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0
|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|DEF|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0
|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|LCR|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0
|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|HIQ|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|128|128|128|128|128|128|128|128
|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|1
28|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128
|128|128|128|128|128|128|128|
MH|SIQ|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0
|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|HOQ|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0
|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|SOQ|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0
|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|DPC|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0
|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
hostname# 

The following is sample output from the show asdm history command using the snapshot keyword:

hostname# show asdm history view 10m snapshot

Available 4 byte Blocks:  [  10s] : 100
Used 4 byte Blocks:  [  10s] : 0
Available 80 byte Blocks:  [  10s] : 100
Used 80 byte Blocks:  [  10s] : 0
Available 256 byte Blocks:  [  10s] : 2100
Used 256 byte Blocks:  [  10s] : 0
Available 1550 byte Blocks:  [  10s] : 7425
Used 1550 byte Blocks:  [  10s] : 1279
Available 2560 byte Blocks:  [  10s] : 40
Used 2560 byte Blocks:  [  10s] : 0
Available 4096 byte Blocks:  [  10s] : 30
Used 4096 byte Blocks:  [  10s] : 0
Available 8192 byte Blocks:  [  10s] : 60
Used 8192 byte Blocks:  [  10s] : 0
Available 16384 byte Blocks:  [  10s] : 100
Used 16384 byte Blocks:  [  10s] : 0
Available 65536 byte Blocks:  [  10s] : 10
Used 65536 byte Blocks:  [  10s] : 0
CPU Utilization:  [  10s] : 31
Input KByte Count:  [  10s] : 62930
Output KByte Count:  [  10s] : 26620
Input KPacket Count:  [  10s] : 755
Output KPacket Count:  [  10s] : 58
Input Bit Rate:  [  10s] : 24561
Output Bit Rate:  [  10s] : 518897
Input Packet Rate:  [  10s] : 48
Output Packet Rate:  [  10s] : 114
Input Error Packet Count:  [  10s] : 0
No Buffer:  [  10s] : 0
Received Broadcasts:  [  10s] : 377331
Runts:  [  10s] : 0
Giants:  [  10s] : 0
CRC:  [  10s] : 0
Frames:  [  10s] : 0
Overruns:  [  10s] : 0
Underruns:  [  10s] : 0
Output Error Packet Count:  [  10s] : 0
Collisions:  [  10s] : 0
LCOLL:  [  10s] : 0
Reset:  [  10s] : 0
Deferred:  [  10s] : 0
Lost Carrier:  [  10s] : 0
Hardware Input Queue:  [  10s] : 128
Software Input Queue:  [  10s] : 0
Hardware Output Queue:  [  10s] : 0
Software Output Queue:  [  10s] : 0
Drop KPacket Count:  [  10s] : 0
Input KByte Count:  [  10s] : 3672
Output KByte Count:  [  10s] : 4051
Input KPacket Count:  [  10s] : 19
Output KPacket Count:  [  10s] : 20
Input Bit Rate:  [  10s] : 0
Output Bit Rate:  [  10s] : 0
Input Packet Rate:  [  10s] : 0
Output Packet Rate:  [  10s] : 0
Input Error Packet Count:  [  10s] : 0
No Buffer:  [  10s] : 0
Received Broadcasts:  [  10s] : 1458
Runts:  [  10s] : 1
Giants:  [  10s] : 0
CRC:  [  10s] : 0
Frames:  [  10s] : 0
Overruns:  [  10s] : 0
Underruns:  [  10s] : 0
Output Error Packet Count:  [  10s] : 0
Collisions:  [  10s] : 63
LCOLL:  [  10s] : 0
Reset:  [  10s] : 0
Deferred:  [  10s] : 15
Lost Carrier:  [  10s] : 0
Hardware Input Queue:  [  10s] : 128
Software Input Queue:  [  10s] : 0
Hardware Output Queue:  [  10s] : 0
Software Output Queue:  [  10s] : 0
Drop KPacket Count:  [  10s] : 0
Input KByte Count:  [  10s] : 0
Output KByte Count:  [  10s] : 0
Input KPacket Count:  [  10s] : 0
Output KPacket Count:  [  10s] : 0
Input Bit Rate:  [  10s] : 0
Output Bit Rate:  [  10s] : 0
Input Packet Rate:  [  10s] : 0
Output Packet Rate:  [  10s] : 0
Input Error Packet Count:  [  10s] : 0
No Buffer:  [  10s] : 0
Received Broadcasts:  [  10s] : 0
Runts:  [  10s] : 0
Giants:  [  10s] : 0
CRC:  [  10s] : 0
Frames:  [  10s] : 0
Overruns:  [  10s] : 0
Underruns:  [  10s] : 0
Output Error Packet Count:  [  10s] : 0
Collisions:  [  10s] : 0
LCOLL:  [  10s] : 0
Reset:  [  10s] : 0
Deferred:  [  10s] : 0
Lost Carrier:  [  10s] : 0
Hardware Input Queue:  [  10s] : 128
Software Input Queue:  [  10s] : 0
Hardware Output Queue:  [  10s] : 0
Software Output Queue:  [  10s] : 0
Drop KPacket Count:  [  10s] : 0
Input KByte Count:  [  10s] : 0
Output KByte Count:  [  10s] : 0
Input KPacket Count:  [  10s] : 0
Output KPacket Count:  [  10s] : 0
Input Bit Rate:  [  10s] : 0
Output Bit Rate:  [  10s] : 0
Input Packet Rate:  [  10s] : 0
Output Packet Rate:  [  10s] : 0
Input Error Packet Count:  [  10s] : 0
No Buffer:  [  10s] : 0
Received Broadcasts:  [  10s] : 0
Runts:  [  10s] : 0
Giants:  [  10s] : 0
CRC:  [  10s] : 0
Frames:  [  10s] : 0
Overruns:  [  10s] : 0
Underruns:  [  10s] : 0
Output Error Packet Count:  [  10s] : 0
Collisions:  [  10s] : 0
LCOLL:  [  10s] : 0
Reset:  [  10s] : 0
Deferred:  [  10s] : 0
Lost Carrier:  [  10s] : 0
Hardware Input Queue:  [  10s] : 128
Software Input Queue:  [  10s] : 0
Hardware Output Queue:  [  10s] : 0
Software Output Queue:  [  10s] : 0
Drop KPacket Count:  [  10s] : 0
Available Memory:  [  10s] : 205149944
Used Memory:  [  10s] : 63285512
Xlate Count:  [  10s] : 0
Connection Count:  [  10s] : 0
TCP Connection Count:  [  10s] : 0
UDP Connection Count:  [  10s] : 0
URL Filtering Count:  [  10s] : 0
URL Server Filtering Count:  [  10s] : 0
TCP Fixup Count:  [  10s] : 0
TCP Intercept Count:  [  10s] : 0
HTTP Fixup Count:  [  10s] : 0
FTP Fixup Count:  [  10s] : 0
AAA Authentication Count:  [  10s] : 0
AAA Authorzation Count:  [  10s] : 0
AAA Accounting Count:  [  10s] : 0
Current Xlates:  [  10s] : 0
Max Xlates:  [  10s] : 0
ISAKMP SAs:  [  10s] : 0
IPSec SAs:  [  10s] : 0
L2TP Sessions:  [  10s] : 0
L2TP Tunnels:  [  10s] : 0
hostname# 

Related Commands

Command
Description

asdm history enable

Enables ASDM history tracking.


show asdm image

To display the current ASDM software image file, use the show asdm image command in privileged EXEC mode.

show asdm image

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was changed from the show pdm image command to the show asdm image command.


Examples

The following is sample output from the show asdm image command:

hostname# show asdm image

Device Manager image file, flash:/ASDM

Related Commands

Command
Description

asdm image

Specifies the current ASDM image file.


show asdm log_sessions

To display a list of active ASDM logging sessions and their associated session IDs, use the show asdm log_sessions command in privileged EXEC mode.

show asdm log_sessions

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Each active ASDM session has one or more associated ASDM logging sessions. ASDM uses the logging session to retrieve syslog messages from the security appliance. Each ASDM logging session is assigned a unique session ID. You can use this session ID with the asdm disconnect log_session command to terminate the specified session.


Note Because each ASDM session has at least one ASDM logging session, the output of the show asdm sessions and show asdm log_sessions commands may appear to be the same.


Examples

The following is sample output from the show asdm log_sessions command:

hostname# show asdm log_sessions

0 192.168.1.1
1 192.168.1.2

Related Commands

Command
Description

asdm disconnect log_session

Terminates an active ASDM logging session.


show asdm sessions

To display a list of active ASDM sessions and their associated session IDs, use the show asdm sessions command in privileged EXEC mode.

show asdm sessions

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was changed from the show pdm sessions command to the show asdm sessions command.


Usage Guidelines

Each active ASDM session is assigned a unique session ID. You can use this session ID with the asdm disconnect command to terminate the specified session.

Examples

The following is sample output from the show asdm sessions command:

hostname# show asdm sessions

0 192.168.1.1
1 192.168.1.2

Related Commands

Command
Description

asdm disconnect

Terminates an active ASDM session.


show asp drop

To debug the accelerated security path dropped packets or connections, use the show asp drop command in privileged EXEC mode.

show asp drop [flow [flow_drop_reason] | frame [frame_drop_reason]]

Syntax Description

flow [flow_drop_reason]

(Optional) Shows the dropped flows (connections). You can specify a particular reason by using the flow_drop_reason argument. Valid values for the flow_drop_reason argument are listed in the "Usage Guidelines" section, below.

frame [frame_drop_reason]

(Optional) Shows the dropped packets. You can specify a particular reason by using the frame_drop_reason argument. Valid values for the frame_drop_reason argument are listed in the "Usage Guidelines" section, below.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was introduced.

7.0(8)

Added a timestamp indicating when the counters were last cleared (see the clear asp drop command). It also displays the drop reason keywords next to the description, so you can easily use the capture asp-drop command with that keyword.


Usage Guidelines

The show asp drop command shows the packets or connections dropped by the accelerated security path, which might help you troubleshoot a problem. See the Cisco Security Appliance Command Line Configuration Guide for more information about the accelerated security path. This information is used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Table 7-3 lists valid values for the flow_drop_reason argument for dropped flows. Table 7-4 lists valid values for the frame_drop_reason argument for dropped frames.

Table 7-3 Flow Drop Reasons 

Flow Drop Reason Keyword
Flow Drop Reason Display
Description

acl-drop

Flow is denied by access rule

This counter is incremented when a packet is denied by the security appliance, and flow creation is denied. The deny rule could be a default rule created when the security appliance comes up, when various features are turned on or off, when an access list is applied to an interface, or any other feature. Apart from default rule drops, a flow could be denied because of:

An access list configured on an interface

An access list configured for AAA, and AAA denied the user

Through traffic arriving at a management-only interface

Unencrypted traffic arriving on an IPSec-enabled interface

Implicit deny at the end of an access list

Recommendation: Observe whether any of the system messages related to packet drops appear. A flow drop results in a corresponding packet drop, which triggers the requisite system message.

System messages: None.

audit-failure

Audit failure

A flow was freed after matching an ip audit signature that had reset as the associated action.

Recommendation: If removing the flow is not the desired outcome of matching this signature, then remove the reset action from the ip audit command.

System messages: None.

closed-by-inspection

Flow closed by inspection

This reason is given for closing a flow due to an error detected during application inspection. For example, if an error is detected during inspecting an H323 message, the corresponding H323 flow is closed with this reason.

Recommendation: None.

System messages: None.

conn-limit-exceeded

Connection limit exceeded

This reason is given for closing a flow when the connection limit has been exceeded. The connection limit is configured using the set connection conn-max command.

Recommendation: None.

System messages: 201011

fin-timeout

FIN Timeout

This reason is given for closing a TCP flow due to expiry of the half-closed timer.

Recommendation: If these are valid sessions which take longer to close a TCP flow, increase the half-closed timeout.

System messages: 302014

flow-reclaimed

Non-tcp/udp flow reclaimed for new request

This counter is incremented when a reclaimable flow is removed to make room for a new flow. This occurs only when the number of flows through the security appliance equals the maximum number permitted by the software imposed limit, and a new flow request is received. When this occurs, if the number of reclaimable flows exceeds the number of VPN tunnels permitted by the security appliance, then the oldest reclaimable flow is removed to make room for the new flow. All flows except the following are deemed to be reclaimable:

TCP, UDP, GRE and failover flows

ICMP flows if ICMP stateful inspection is enabled

ESP flows to the security appliance

Recommendation: No action is required if this counter is incrementing slowly. If this counter is incrementing rapidly, it could mean that the security appliance is under attack and the security appliance is spending more time reclaiming and rebuilding flows.

System messages: 302021

fo-primary-closed

Failover primary closed

The standby unit received a flow delete message from the active unit and terminated the flow.

Recommendation: If the security appliance is running stateful failover, then this counter should increment for every replicated connection that is torn down on the standby appliance.

System messages: 302014, 302016, 302018

fo-standby

Flow closed by failover standby

If a through-the-box packet arrives at the security appliance or a context that is in a standby state, then a flow is created, the packet is dropped, and the flow removed. This counter will increment each time a flow is removed in this manner.

Recommendation: This counter should never be incrementing on the active security appliance or context. However, it is normal to see it increment on the standby security appliance or context.

System messages: 302014, 302016, 302018

fo_rep_err

Standby flow replication error

The standby unit failed to replicate a flow.

Recommendation: If the security appliance is processing VPN traffic, then this counter could be constantly increasing on the standby unit because the flow could be replicated before the IKE SA information. No action is required in this case. If the appliance is not processing VPN traffic, then this indicates a software defect; turn on the debug fover fail command on the standby unit, collect the debug output, and report the problem to Cisco TAC.

System messages: 302014, 302016, 302018

host-removed

Host is removed

The flow was removed in response to the clear local-host command.

Recommendation: This is an information counter.

System messages: 302014, 302016, 302018, 302021, 305010, 305012, 609002

inspect-fail

Inspection failure

This counter will increment when the security appliance fails to enable protocol inspection carried out by the NP for the connection. Currently, ICMP and DNS inspections are carried out by the NP. The cause could be a memory allocation failure or, for an ICMP error message, the security appliance not being able to find any established connection related to the frame embedded in the ICMP error message.

Recommendation: Check system memory usage. For the ICMP error message, if the cause is an attack, you can deny the host using the access lists.

System messages: 313005 for ICMP error.

ips-fail-close

IPS fail-close

This reason is given for terminating a flow because the AIP SSM is down and the fail-close option was used with IPS inspection.

Recommendation: Check and bring up the AIP SSM.

System messages: 420001

ips-request

Flow terminated by IPS

This reason is given for terminating a flow as requested by the AIP SSM.

Recommendation: Check system messages and alerts on the AIP SSM.

System messages: 420002

ipsec-spoof-detect

IPsec spoof packet detected

This counter will increment when the security appliance receives a packet that should have been encrypted but was not. The packet matched the inner header security policy check of a configured and established IPSec connection on the security appliance but was received unencrypted. This is a security issue.

Recommendation: Analyze your network traffic to determine the source of the spoofed IPSec traffic.

System messages: 402117

loopback

Flow is a loopback

This reason is given for closing a flow due to the following conditions:

U-turn traffic is present on the flow.

same-security-traffic permit intra-interface is not configured.

Recommendation: To allow U-turn traffic on an interface, configure the interface with the same-security-traffic permit intra-interface command.

System messages: None.

mcast-entry-removed

Multicast entry removed

This reason is given for one of the following cases:

A packet has arrived that matches a multicast flow, but the multicast service is no longer enabled, or was re-enabled after the flow was built.

Recommendation: Reenable multicast if it is disabled.

System messages: None.

The multicast entry has been deleted so the flow is being cleaned up, but the packet will be reinjected into the data path.

Recommendation: None.

System messages: None.

mcast-intrf-removed

Multicast interface removed

This reason is given for one of the following cases:

An output interface has been removed from the multicast entry.

Recommendation: None.

System messages: None.

All output interfaces have been removed from the multicast entry.

Recommendation: Verify that there are no longer any receivers for this group.

System messages: None.

nat-failed

NAT failed

Failed to create an xlate to translate an IP or transport header.

Recommendation: If NAT is not desired, disable nat-control. Otherwise, use the static, nat, or global command to configure NAT policy for the dropped flow. For dynamic NAT, ensure that each nat command is paired with at least one global command. Use show running-config nat and debug pix process to verify NAT rules.

System messages: 305005, 305006, 305009, 305010, 305011, 305012

nat-rpf-failed

NAT reverse path failed

Rejected attempt to connect to a mapped host using the mapped host's real address.

Recommendation: When not on the same interface as the host undergoing NAT, use the mapped address instead of the real address to connect to the host. Also, enable the appropriate inspect command if the application embeds the IP address.

System messages: 305005

need-ike

Need to start IKE negotiation

This counter will increment when the security appliance receives a packet that requires encryption but has no established IPSec security association. This is generally a normal condition for LAN-to-LAN IPSec configurations. This indication will cause the security appliance to begin ISAKMP negotiations with the destination peer.

Recommendation: If you have configured IPSec LAN-to-LANs on your security appliance, this indication is normal and does not indicate a problem. However, if this counter increments rapidly, it may indicate a crypto configuration error or network error preventing the ISAKMP negotiation from completing.

Verify that you can communicate with the destination peer and verify your crypto configuration using the show running-config command.

System messages: None.

no-ipv6-ipsec

IPsec over IPv6 unsupported

This counter will increment when the security appliance receives an IPSec ESP packet, IPSec NAT-T ESP packet, or an IPSec over UDP ESP packet encapsulated in an IPv6 header. The security appliance does not currently support any IPSec sessions encapsulated in IPv6.

Recommendation: None.

System messages: None.

non_tcp_syn

non-syn TCP

This reason is given for terminating a TCP flow when the first packet is not a SYN packet.

Recommendation: None.

System messages: None.

out-of-memory

No memory to complete flow

This counter is incremented when the security appliance is unable to create a flow because of insufficient memory.

Recommendation: Verify that the security appliance is not under attack by checking the current connections. Also verify if the configured timeout values are too large resulting in idle flows residing in memory longer. Check the free memory available by issuing the show memory command. If free memory is low, issue the show processes memory command to determine which processes are utilizing most of the memory.

System messages: None.

parent-closed

Parent flow is closed

When the parent flow of a subordinating flow is closed, the subordinating flow is also closed. For example, an FTP data flow (subordinating flow) will be closed with this specific reason when its control flow (parent flow) is terminated. This reason is also given when a secondary flow (pin-hole) is closed by its controlling application. For example, when the BYE message is received, the SIP inspection engine (controlling application) will close the corresponding SIP RTP flows (secondary flow).

Recommendation: None.

System messages: None.

pinhole-timeout

Pinhole timeout

This counter is incremented to report that the security appliance opened a secondary flow, but no packets passed through this flow within the timeout interval, and hence it was removed. An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.

Recommendation: None.

System messages: 302014, 302016

recurse

Close recursive flow

A flow was recursively freed. This reason applies to pair flows and multicast slave flows, and serves to prevent system messages being issued for each of these subordinate flows.

Recommendation: None.

System messages: None.

reinject-punt

Flow terminated by punt action

This counter is incremented when a packet is punted to the exception path for processing by one of the enhanced services such as inspection or AAA. The servicing routine, having detected a violation in the traffic flowing on the flow, requests that the flow be dropped. The flow is immediately dropped.

Recommendation: Please watch for system messages triggered by a servicing routine. Flow drop terminates the corresponding connection.

System messages: None.

reset-by-ips

Flow reset by IPS

This reason is given for terminating a TCP flow as requested by the AIP SSM.

Recommendation: Check system messages and alerts on the AIP SSM.

System messages: 420003

reset-in

TCP Reset-I

This reason is given for closing an outbound flow (from a low-security interface to a same- or high-security interface) when a TCP reset is received on the flow.

Recommendation: None.

System messages: 302014

reset-out

TCP Reset-O

This reason is given for closing an inbound flow (from a high-security interface to low-security interface) when a TCP reset is received on the flow.

Recommendation: None.

System messages: 302014

shunned

Flow shunned

This counter will increment when a packet is received that has a source IP address that matches a host in the shun database. When a shun command is applied, it will be incremented for each existing flow that matches the shun command.

Recommendation: None.

System messages: 401004

syn-timeout

SYN Timeout

This reason is given for closing a TCP flow due to expiry of the embryonic timer.

Recommendation: If these are valid sessions that take longer to establish a connection, then increase the embryonic timeout.

System messages: 302014

tcp-fins

TCP FINs

This reason is given for closing a TCP flow when TCP FIN packets are received.

Recommendation: This counter will increment for each TCP connection that is terminated normally with FINs.

System messages: 302014

tcp-intercept-no-response

TCP intercept server no respond

SYN retransmission timeout after trying three times, once every second. Server unreachable, tearing down connection.

Recommendation: Check if the server is reachable from the security appliance.

System messages: None.

tcp-intercept-kill

Flow terminated by TCP Intercept

TCP intercept tore down the connection for the following reasons:

1. This is the first SYN

2. A connection is created for the SYN

3. TCP intercept replied with a SYN cookie; or TCP intercept sends a SYN to the server and the server replies with a RST after seeing a valid ACK from the client.

Recommendation: TCP intercept normally does not create a connection for the first SYN, except when there are nailed rules, the packet comes over a VPN tunnel, or the next hop gateway address to reach the client is not resolved. So for the first SYN, this indicates that a connection was created. When TCP intercept receives a RST from server, it is likely that the corresponding port is closed on the server.

System messages: None.

tcp-intercept-unexpected

TCP intercept unexpected state

Logic error in the TCP intercept module; this should never happen.

Recommendation: Indicates memory corruption or some other logic error in the TCP intercept module.

System messages: None.

tcpnorm-invalid-syn

TCP invalid SYN

This reason is given for closing a TCP flow when the SYN packet is invalid.

Recommendation: The SYN packet could be invalid for a number of reasons, such as an invalid checksum or an invalid TCP header. Please use the packet capture feature to understand why the SYN packet is invalid. If you would like to allow these connections, use the tcp-map configuration to bypass checks.

System messages: 302014

tcpnorm-rexmit-bad

TCP bad retransmission

This reason is given for closing a TCP flow when the check-retransmission feature is enabled, and the TCP endpoint sent a retransmission with different data from the original packet.

Recommendation: The TCP endpoint may be attacking by sending different data in TCP retransmits. Please use the packet capture feature to learn more about the origin of the packet.

System messages: 302014

tcpnorm-win-variation

TCP unexpected window size variation

This reason is given for closing a TCP flow when the window size advertised by the TCP endpoint is drastically changed without accepting that much data.

Recommendation: In order to allow this connection, use the window-variation command.

System messages: 302014

timeout

Conn-timeout

This counter is incremented when a flow is closed because of the expiration of its inactivity timer.

Recommendation: None.

System messages: 302014, 302016, 302018, 302021

tunnel-pending

Tunnel being brought up or torn down

This counter will increment when the security appliance receives a packet matching an entry in the security policy database (i.e. crypto map) but the security association is in the process of being negotiated; it is not complete yet.

This counter will also increment when the security appliance receives a packet matching an entry in the security policy database but the security association has been or is in the process of being deleted. The difference between this indication and the "Tunnel has been torn down" indication is that the "Tunnel has been torn down" indication is for established flows.

Recommendation: This is a normal condition when the IPSec tunnel is in the process of being negotiated or deleted.

System messages: None.

tunnel-torn-down

Tunnel has been torn down

This counter will increment when the security appliance receives a packet associated with an established flow whose IPSec security association is in the process of being deleted.

Recommendation: This is a normal condition when the IPSec tunnel is torn down for any reason.

System messages: None.

xlate-removed

Xlate Clear

The flow was removed in response to the clear xlate command or clear local-host command.

Recommendation: This is an information counter.

System messages: 302014, 302016, 302018, 302021, 305010, 305012, 609002

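The flow drop reasons above repeatedly advise watching whether a counter is "incrementing rapidly" (flow-reclaimed, out-of-memory, conn-limit, the DNS and TCP normalizer checks) and the 7.0(8) history entry notes that the output prints the drop reason keyword next to each description. The following is an added example, not Cisco code, of turning two snapshots of that output into per-reason rates and flagging the reasons whose Recommendation text ties rapid growth to overload or a possible attack. The exact output layout it parses ("Frame drop:" and "Flow drop:" sections, one line per reason in the form "<description> (<keyword>) <count>", and a trailing "Last clearing:" line), the two snapshots, the 60 second interval and the 10 drops/second threshold are all constructed assumptions, not values from this reference.

```python
"""Rate-of-change monitor for `show asp drop` counters (added example, not Cisco code).

Assumptions (not from the command reference): the output layout parsed below
and the two sample snapshots are constructed; adjust LINE_RE if your release
prints the lines differently.
"""
import re

# One counter line: description, keyword in parentheses, then the count.
LINE_RE = re.compile(r"^\s*(?P<display>.+?)\s+\((?P<keyword>[\w\-]+)\)\s+(?P<count>\d+)\s*$")

# Keywords whose Recommendation text in Table 7-3 / 7-4 associates rapid growth
# with resource exhaustion or a possible attack.
ATTACK_HINT = {
    "flow-reclaimed", "out-of-memory", "conn-limit", "inspect-fail",
    "dns-guard-id-not-matched", "inspect-dns-id-not-matched",
    "tcpnorm-rexmit-bad", "bad-tcp-cksum", "bad-tcp-flags",
    "ipsec-spoof-detect", "shunned", "need-ike",
}

# Constructed sample snapshots taken 60 seconds apart (not real appliance output).
SNAPSHOT_1 = """\
Frame drop:
  Flow is denied by access rule (acl-drop)                               120
  Bad TCP checksum (bad-tcp-cksum)                                         3
  Connection limit reached (conn-limit)                                    0
Flow drop:
  Non-tcp/udp flow reclaimed for new request (flow-reclaimed)             15
  TCP FINs (tcp-fins)                                                   4821
  SYN Timeout (syn-timeout)                                               42
Last clearing: 10:00:00 UTC Jan 1 2006 by enable_15
"""
SNAPSHOT_2 = """\
Frame drop:
  Flow is denied by access rule (acl-drop)                               131
  Bad TCP checksum (bad-tcp-cksum)                                         4
  Connection limit reached (conn-limit)                                  900
Flow drop:
  Non-tcp/udp flow reclaimed for new request (flow-reclaimed)           1215
  TCP FINs (tcp-fins)                                                   4980
  SYN Timeout (syn-timeout)                                               44
Last clearing: 10:00:00 UTC Jan 1 2006 by enable_15
"""


def parse_asp_drop(text):
    """Return ({(section, keyword): count}, last_clearing_text) from one snapshot."""
    counters = {}
    last_clearing = None
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Last clearing:"):
            last_clearing = stripped[len("Last clearing:"):].strip()
            continue
        if stripped.endswith("drop:"):          # "Frame drop:" / "Flow drop:"
            section = stripped.split()[0].lower()
            continue
        m = LINE_RE.match(line)
        if m and section:
            counters[(section, m.group("keyword"))] = int(m.group("count"))
    return counters, last_clearing


def counters_reset(before_text, after_text):
    """True if `clear asp drop` ran between the snapshots (deltas would be meaningless)."""
    return parse_asp_drop(before_text)[1] != parse_asp_drop(after_text)[1]


def drop_rates(before_text, after_text, interval_s):
    """Per-reason drops per second between two snapshots."""
    if counters_reset(before_text, after_text):
        raise ValueError("counters were cleared between snapshots; take two fresh ones")
    before, _ = parse_asp_drop(before_text)
    after, _ = parse_asp_drop(after_text)
    rates = {}
    for key, count in after.items():
        delta = count - before.get(key, 0)
        if delta < 0:                            # wrapped or unknown; skip rather than mislead
            continue
        rates[key] = delta / interval_s
    return rates


def flag_rapid(rates, threshold_per_s=10.0):
    """Sorted (section, keyword, rate) for attack-hint reasons at or above the threshold."""
    return sorted(
        (section, kw, rate) for (section, kw), rate in rates.items()
        if kw in ATTACK_HINT and rate >= threshold_per_s
    )


if __name__ == "__main__":
    for section, kw, rate in flag_rapid(drop_rates(SNAPSHOT_1, SNAPSHOT_2, 60)):
        print(f"{section} drop {kw}: {rate:.1f}/s, see Recommendation for {kw}")
```

On the constructed snapshots the script reports flow-reclaimed at 20 drops/second and conn-limit at 15 drops/second, which is the pattern the flow-reclaimed and conn-limit entries describe as worth checking against current connections and system message 201011. Rather than guessing at a delta after someone has run clear asp drop, the script refuses to compute rates when the "Last clearing" line differs between the two snapshots.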

Table 7-4 lists valid values for the frame_drop_reason argument for dropped frames.

Table 7-4 Frame Drop Reasons 

Frame Drop Reason Keyword
Frame Drop Reason Display
Description

acl-drop

Flow is denied by access rule

This counter is incremented when a packet is denied by the security appliance. The deny rule could be a default rule created when the security appliance comes up, when various features are turned on or off, when an access list is applied to an interface, or any other feature. Apart from default rule drops, a flow could be denied because of:

An access list configured on an interface

An access list configured for AAA, and AAA denied the user

Through traffic arriving at a management-only interface

Unencrypted traffic arriving on an IPSec-enabled interface

Recommendation: Check the access lists referenced by the following system log messages.

System messages: 106023, 106100, 106004

bad-crypto

Bad crypto return in packet

This counter will increment when the security appliance attempts to perform a crypto operation on a packet, and the crypto operation fails. This is not a normal condition and could indicate possible software or hardware problems with the security appliance.

Recommendation: If you are receiving many bad crypto indications, your security appliance may need servicing. You should enable system message 402123 to determine whether the crypto errors are hardware or software errors. You can also check the error counter in the global IPSec statistics with the show ipsec stats command. If the IPSec SA that is triggering these errors is known, the SA statistics from the show ipsec sa detail command will also be useful in diagnosing the problem.

System messages: 402123

bad-ipsec-natt

Bad IPSEC NATT packet

This counter will increment when the security appliance receives a packet on an IPSec connection that has negotiated NAT-T, but the packet is not addressed to the NAT-T UDP destination port of 4500 or had an invalid payload length.

Recommendation: Analyze your network traffic to determine the source of the NAT-T traffic.

System messages: None.

bad-ipsec-prot

IPSEC not AH or ESP

This counter will increment when the security appliance receives a packet on an IPSec connection that is not an AH or ESP protocol packet. This is not a normal condition.

Recommendation: If you are receiving many IPSec not AH or ESP indications on your security appliance, analyze your network traffic to determine the source of the traffic.

System messages: 402115

bad-ipsec-udp

Bad IPSEC UDP packet

This counter will increment when the security appliance receives a packet on an IPSec connection that has negotiated IPSec over UDP, but the packet has an invalid payload length.

Recommendation: Analyze your network traffic to determine the source of the NAT-T traffic.

System messages: None.

bad-tcp-cksum

Bad TCP checksum

This counter is incremented and the packet is dropped when the security appliance receives a TCP packet whose computed TCP checksum does not match the recorded checksum in TCP header.

Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a TCP endpoint is sending corrupted packets, and an attack is in progress. Please use the packet capture feature to learn more about the origin of the packet. To allow packets with an incorrect TCP checksum, disable the checksum-verification feature.

System messages: None.

bad-tcp-flags

Bad TCP flags

This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with invalid TCP flags in the TCP header. For example, a packet with both SYN and FIN TCP flags set will be dropped.

Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a TCP endpoint is sending corrupted packets and an attack is in progress. Please use the packet capture feature to learn more about the origin of the packet.

System messages: None.

conn-limit

Connection limit reached

This reason is given for dropping a packet when the connection limit or host connection limit has been exceeded. If this is a TCP packet that is dropped during the TCP connection establishment phase because of the connection limit, the drop reason "TCP connection limit reached" is also reported.

Recommendation: If this is incrementing rapidly, check the system messages to determine which host's connection limit is reached. The connection limit may need to be increased if the traffic is normal, or the host may be under attack.

System messages: 201011

ctm-error

CTM returned error

This counter will increment when the security appliance attempts to perform a crypto operation on a packet and the crypto operation fails. This is not a normal condition and could indicate possible software or hardware problems with the security appliance.

Recommendation: If you are receiving many bad crypto indications, your security appliance may need servicing. You should enable system message 402123 to determine whether the crypto errors are hardware or software errors. You can also check the error counter in the global IPSec statistics with the show ipsec stats command. If the IPSec SA that is triggering these errors is known, the SA statistics from the show ipsec sa detail command will also be useful in diagnosing the problem.

System messages: 402123

dns-guard-id-not-matched

DNS Guard id not matched

This counter is incremented by the DNS Guard function when the identification of the DNS response message does not match any DNS queries that passed across the appliance earlier on the same connection.

Recommendation: No action required if it is an intermittent event. If the cause is an attack, you can deny the host using the access lists.

System messages: None.

dns-guard-out-of-app-id

DNS Guard out of app id

This counter will increment when the DNS Guard function fails to allocate a data structure to store the identification of the DNS message.

Recommendation: Check the system memory usage. This event normally happens when the system runs short of memory.

System messages: None.

dst-l2_lookup-fail

Dst MAC L2 Lookup Failed

This counter will increment when the security appliance is configured for transparent mode, and the security appliance does a Layer 2 destination MAC address lookup that fails. Upon the lookup failure, the security appliance will begin the destination MAC discovery process and attempt to find the location of the host via ARP and/or ICMP messages.

Recommendation: This is a normal condition when the security appliance is configured for transparent mode. You can also execute the show mac-address-table command to list the L2 MAC address locations currently discovered by the security appliance.

System messages: None.

flow-expired

Expired flow

This counter is incremented when the security appliance tries to inject a new or cached packet belonging to a flow that has already expired. It is also incremented when the security appliance attempts to send an RST on a TCP flow that has already expired, or when a packet returns from the AIP SSM but the flow had already expired. The packet is dropped.

Recommendation: If valid applications are getting preempted, investigate if a longer timeout is needed.

System messages: None.

fo-standby

Dropped by standby unit

If a through-the-box packet arrives at the security appliance or a context in a standby state, and a flow is created, then the packet is dropped and the flow removed. This counter will increment each time a packet is dropped in this manner.

Recommendation: This counter should never be incrementing on the active security appliance or context. However, it is normal to see it increment on the standby security appliance or context.

System messages: 302014, 302016, 302018

fragment-reassembly-failed

Fragment reassembly failed

This counter is incremented when the security appliance fails to reassemble a chain of fragmented packets into a single packet. All the fragment packets in the chain are dropped. This is probably because of a failure while allocating memory for the reassembled packet.

Recommendation: Use the show blocks command to monitor the current block memory.

System messages: None.

host-move-pkt

FP host move packet

This counter will increment when the security appliance or context is configured for transparent mode, and the source interface of a known Layer 2 MAC address is detected on a different interface.

Recommendation: This indicates that a host has been moved from one interface (i.e. LAN segment) to another. This condition is normal while in transparent mode if the host has in fact been moved. However, if the host move toggles back and forth between interfaces, a network loop may be present.

System messages: 412001, 412002, 322001

ifc-classify

Virtual firewall classification failed

A packet arrived on a shared interface, but failed to classify to any specific context interface.

Recommendation: Use the global or static command to specify the IPv4 addresses that belong to each context interface.

System messages: None.

inspect-dns-id-not-matched

DNS Inspect id not matched

This counter will increment when the identification of the DNS response message does not match any DNS queries that passed across the security appliance earlier on the same connection.

Recommendation: No action required if it is an intermittent event. If the cause is an attack, you can deny the host using the access lists.

System messages: None.

inspect-dns-invalid-domain-label

DNS Inspect invalid domain label

This counter will increment when the security appliance detects an invalid DNS domain name or label. DNS domain name and label is checked per RFC 1035.

Recommendation: None.

System messages: None.

inspect-dns-invalid-pak

DNS Inspect invalid packet

This counter will increment when the security appliance detects an invalid DNS packet. For example, a DNS packet with no DNS header, the number of DNS resource records not matching the counter in the header, etc.

Recommendation: None.

System messages: None.

inspect-dns-out-of-app-id

DNS Inspect out of app id

This counter will increment when the DNS inspection engine fails to allocate a data structure to store the identification of the DNS message.

Recommendation: Check the system memory usage. This event normally happens when the system runs short of memory.

System messages: None.

inspect-dns-pak-too-long

DNS Inspect packet too long

This counter is incremented when the length of the DNS message exceeds the configured maximum allowed value.

Recommendation: No action required. If DNS message length checking is not desired, enable DNS inspection without the inspect dns maximum-length option.

System messages: 410001

inspect-icmp-error-different-embedded-conn

ICMP Error Inspect different embedded conn

This counter will increment when the frame embedded in the ICMP error message does not match the established connection that has been identified when the ICMP connection is created.

Recommendation: No action required if it is an intermittent event. If the cause is an attack, you can deny the host using the access lists.

System messages: 313005

inspect-icmp-error-no-existing-conn

ICMP Error Inspect no existing conn

This counter will increment when the security appliance is not able to find any established connection related to the frame embedded in the ICMP error message.

Recommendation: No action required if it is an intermittent event. If the cause is an attack, you can deny the host using the access lists.

System messages: 313005

inspect-icmp-out-of-app-id

ICMP Inspect out of app id

This counter will increment when the ICMP inspection engine fails to allocate an App ID data structure. The structure is used to store the sequence number of the ICMP packet.

Recommendation: Check the system memory usage. This event normally happens when the system runs short of memory.

System messages: None.

inspect-icmp-seq-num-not-matched

ICMP Inspect seq num not matched

This counter will increment when the sequence number in the ICMP echo reply message does not match any ICMP echo message that passed across the security appliance earlier on the same connection.

Recommendation: No action required if it is an intermittent event. If the cause is an attack, you can deny the host using the access lists.

System messages: 313004

inspect-icmpv6-error-invalid-pak

ICMPv6 Error Inspect invalid packet

This counter will increment when the security appliance detects an invalid frame embedded in the ICMPv6 packet. This check is the same as that on IPv6 packets. For example, an incomplete IPv6 header, a malformed IPv6 Next Header, etc.

Recommendation: None.

System messages: None.

inspect-icmpv6-error-no-existing-conn

ICMPv6 Error Inspect no existing conn

This counter will increment when the security appliance is not able to find any established connection related to the frame embedded in the ICMPv6 error message.

Recommendation: No action required if it is an intermittent event. If the cause is an attack, you can deny the host using the access lists.

System messages: 313005

intercept-unexpected

Intercept unexpected packet

The security appliance either received data from a client while waiting for a SYNACK from a server, or it received a packet that cannot be handled in a particular state of TCP intercept.

Recommendation: If this drop is causing the connection to fail, please have a sniffer trace of the client- and server-side of the connection while reporting the issue. The security appliance could be under attack, and the sniffer traces or capture would help narrow down the culprit.

System messages: None.

interface-down

Interface is down

This counter will increment for each packet received on an interface that is shutdown using the shutdown command. For ingress traffic, the packet is dropped after security context classification and if the interface associated with the context is shut down. For egress traffic, the packet is dropped when the egress interface is shut down.

Recommendation: None.

System messages: None.

invalid-app-length

Invalid app length

This counter will increment when the security appliance detects an invalid length of the Layer 7 payload in the packet. Currently, it counts the drops by the DNS Guard function only. For example, an incomplete DNS header.

Recommendation: None.

System messages: None.

invalid-encap

Invalid encapsulation

This counter is incremented when the security appliance receives a frame belonging to an unsupported link-level protocol or if the L3 type specified in the frame is not supported by the security appliance. The packet is dropped.

Recommendation: Verify that directly-connected hosts have proper link-level protocol settings.

System messages: None.

invalid-ethertype

Invalid ethertype

This counter is incremented when the fragmentation module on the security appliance receives or tries to send a fragmented packet that does not belong to IP version 4 or version 6. The packet is dropped.

Recommendation: Verify the MTU of the security appliance and other devices on the connected network to determine why the security appliance is processing such fragments.

System messages: None.

invalid-ip-header

Invalid IP header

This counter is incremented and the packet is dropped when the security appliance receives an IP packet whose computed checksum of the IP header does not match the recorded checksum in the header.

Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a peer is sending corrupted packets and an attack is in progress. Please use the packet capture feature to learn more about the origin of the packet.

System messages: None.

invalid-ip-length

Invalid IP length

This counter is incremented when the security appliance receives an IPv4 or IPv6 packet in which the header length or total length fields in the IP header are not valid or do not conform to the received packet length.

Recommendation: None.

System messages: None.

invalid-ip-option

IP option configured drop

This counter is incremented when the security appliance receives either a unicast packet with IP options, or a multicast packet with IP options that have not been configured to be accepted. The packet is dropped.

Recommendation: Investigate why a packet with IP options is being sent by the sender.

System messages: None.

invalid-tcp-hdr-length

Invalid tcp length

This counter is incremented when the security appliance receives a TCP packet whose size is smaller than the minimum-allowed header length or does not conform to the received packet length.

Recommendation: The invalid packet could be a bogus packet being sent by an attacker. Investigate the traffic from the source in the following system message.

System messages: 500003.

invalid-udp-length

Invalid udp length

This counter is incremented when the security appliance receives a UDP packet whose size as calculated from the fields in the header is different from the measured size of the packet as received from the network.

Recommendation: The invalid packet could be a bogus packet being sent by an attacker.

System messages: None.

ips-fail-close

IPS card is down

This counter is incremented and the packet is dropped when the AIP SSM is down and the fail-close option was used in IPS inspection.

Recommendation: Check and bring up the AIP SSM.

System messages: 420001

ips-request

IPS Module requested drop

This counter is incremented and the packet is dropped as requested by the AIP SSM when the packet matches a signature on the IPS engine.

Recommendation: Check system messages and alerts on the AIP SSM.

System messages: 420002

ipsec-clearpkt-notun

IPSEC Clear Pkt w/no tunnel

This counter will increment when the security appliance receives a packet that should have been encrypted but was not. The packet matched the inner header security policy check of a configured and established IPSec connection on the security appliance but was received unencrypted. This is a security issue.

Recommendation: Analyze your network traffic to determine the source of the spoofed IPSec traffic.

System messages: 402117

ipsec-ipv6

IPSEC via IPV6

This counter will increment when the security appliance receives an IPSec ESP packet, IPSec NAT-T ESP packet, or an IPSec over UDP ESP packet encapsulated in an IPv6 header. The security appliance does not currently support any IPSec sessions encapsulated in IPv6.

Recommendation: None.

System messages: None.

ipsec-need-sa

IPSEC SA Not negotiated yet

This counter will increment when the security appliance receives a packet that requires encryption but has no established IPSec security association. This is generally a normal condition for LAN-to-LAN IPSec configurations. This indication will cause the security appliance to begin ISAKMP negotiations with the destination peer.

Recommendation: If you have configured IPSec LAN-to-LAN on your security appliance, this indication is normal and does not indicate a problem. However, if this counter increments rapidly it may indicate a crypto configuration error or network error preventing the ISAKMP negotiation from completing. Verify that you can communicate with the destination peer and verify your crypto configuration using the show running-config command.

System messages: None.

ipsec-spoof

IPSEC Spoof detected

This counter will increment when the security appliance receives a packet which should have been encrypted but was not. The packet matched the inner header security policy check of a configured and established IPSec connection on the security appliance but was received unencrypted. This is a security issue.

Recommendation: Analyze your network traffic to determine the source of the spoofed IPSec traffic.

System messages: 402117

ipsec-tun-down

IPSEC tunnel is down

This counter will increment when the security appliance receives a packet associated with an IPSec connection which is in the process of being deleted.

Recommendation: This is a normal condition when the IPSec tunnel is torn down for any reason.

System messages: None.

ipsecudp-keepalive

IPSEC/UDP keepalive message

This counter will increment when the security appliance receives an IPSec over UDP keepalive message. IPSec over UDP keepalive messages are sent from the IPSec peer to the security appliance to keep NAT/PAT flow information current in network devices between the IPSec over UDP peer and the security appliance.

Note These are not industry-standard NAT-T keepalive messages that are also carried over UDP and addressed to UDP port 4500.

Recommendation: If you have configured IPSec over UDP on your security appliance, this indication is normal and does not indicate a problem. If IPSec over UDP is not configured on your security appliance, analyze your network traffic to determine the source of the IPSec over UDP traffic.

System messages: None.

ipv6_sp-security-failed

IPv6 slowpath security checks failed

This counter is incremented and the packet is dropped for one of the following reasons:

An IPv6 through-the-box packet has the identical source and destination address.

An IPv6 through-the-box packet has a linklocal source or destination address.

An IPv6 through-the-box packet has a multicast destination address.

Recommendation: These packets could indicate malicious activity, or could be the result of a misconfigured IPv6 host. Use the packet capture feature to capture type asp packets, and use the source MAC address to identify the source.

System messages: For identical source and destination address, system message 106016.

l2_acl

FP L2 rule drop

This counter increments when the security appliance denies a packet due to an EtherType access list. The transparent mode security appliance permits the following traffic by default:

IPv4 traffic is allowed through the transparent firewall automatically from a higher security interface to a lower security interface, without an access list.

Note For Layer 3 traffic travelling from a low to a high security interface, an extended access list is required on the low security interface.

ARPs are allowed through the transparent firewall in both directions without an access list. ARP traffic can be controlled by ARP inspection.

In routed mode, some types of traffic cannot pass through the security appliance even if you allow it in an access list. The transparent firewall, however, can allow almost any traffic through using either an extended access list (for IP traffic) or an EtherType access list (for non-IP traffic).

Note The transparent mode security appliance does not pass CDP packets or IPv6 packets, or any packets that do not have a valid EtherType greater than or equal to 0x600. For example, you cannot pass IS-IS packets. An exception is made for BPDUs, which are supported.

Packets permitted by EtherType access lists might still be dropped by an extended access list.

The EtherType access list only supports EtherTypes and not Layer 2 destination MAC addresses.

The following destination MAC addresses are allowed through the transparent firewall. Any MAC address not on this list is dropped.

TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF

IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF

BPDU multicast address equal to 0100.0CCC.CCCD

Appletalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF

Recommendation: If your non-IP packets are dropped by the security appliance, you can configure an EtherType access list to permit the Layer 2 traffic.

System messages: 106026, 106027

l2_same-lan-port

L2 Src/Dst same LAN port

This counter will increment when the security appliance or context is configured for transparent mode, and the security appliance determines that the interface on which the destination L2 MAC address was learned is the same as the ingress interface.

Recommendation: This is a normal condition when the security appliance or context is configured for transparent mode. Since the security appliance interface is operating in promiscuous mode, the security appliance or context receives all packets on the local LAN segment.

System messages: None.

loopback-buffer-full

Loopback buffer full

This counter is incremented and the packet is dropped when packets are sent from one context of the security appliance to another context through a shared interface, and there is no buffer space in the loopback queue.

Recommendation: Check the system CPU to make sure it is not overloaded.

System messages: None.

lu-invalid-pkt

Invalid LU packet

The standby unit received a corrupted Logical Update packet.

Recommendation: The packet corruption could be caused by a bad cable, interface card, line noise, or software defect. If the interface appears to be functioning properly, then report the problem to Cisco TAC.

System messages: None.

natt-keepalive

NAT-T keepalive message

This counter will increment when the security appliance receives an IPSec NAT-T keepalive message. NAT-T keepalive messages are sent from the IPSec peer to the security appliance to keep NAT/PAT flow information current in network devices between the NAT-T IPSec peer and the security appliance.

Recommendation: If you have configured IPSec NAT-T on your security appliance, this indication is normal and does not indicate a problem. If NAT-T is not configured on your security appliance, analyze your network traffic to determine the source of the NAT-T traffic.

System messages: None.

no-adjacency

No valid adjacency

This counter is incremented when the security appliance has tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.

Recommendation: Configure a capture for this drop reason and check if a host with the specified destination address exists on the connected network or is routable from the security appliance.

System messages: None.

no-mcast-entry

FP no mcast entry

This counter increments because of one of the following reasons:

A packet has arrived that matches a multicast flow, but the multicast service is no longer enabled, or was re-enabled after the flow was built.

Recommendation: Reenable multicast if it is disabled.

System messages: None.

A multicast entry change has been detected after a packet was punted to the CP, and the NP can no longer forward the packet since no entry is present.

Recommendation: None.

System messages: None.

no-mcast-intrf

FP no mcast output intrf

This counter increments because of one of the following reasons:

All output interfaces have been removed from the multicast entry.

Recommendation: Verify that there are no longer any receivers for this group.

System messages: None.

The multicast packet could not be forwarded.

Recommendation: Verify that a flow exists for this packet.

System messages: None.

no-route

No route to host

This counter is incremented when the security appliance tries to send a packet out of an interface and does not find a route for it in the routing table.

Recommendation: Verify that a route exists for the destination address obtained from the generated system message.

System messages: 110001

non-ip-pkt-in-routed-mode

Non-IP packet received in routed mode

This counter will increment when the security appliance receives a packet that is not an IPv4, IPv6, or ARP packet, and the security appliance or context is configured for routed mode. In normal operation such packets should be dropped.

Recommendation: This indicates a software error; report it to the Cisco TAC.

System messages: 106026, 106027

np-sp-invalid-spi

Invalid SPI

This counter increments when the security appliance receives an IPSec ESP packet addressed to the security appliance that specifies an SPI (security parameter index) not currently known by the security appliance.

Recommendation: Occasional invalid SPI indications are common, especially during rekey processing. Many invalid SPI indications may suggest a problem or DoS attack. If you are experiencing a high rate of invalid SPI indications, analyze your network traffic to determine the source of the ESP traffic.

System messages: 402114

punt-rate-limit

Punt rate limit exceeded

This counter will increment when the security appliance attempts to forward a Layer 2 packet to a rate-limited control point service routine, and the rate limit (per second) is being exceeded. Currently, the only Layer 2 packets destined for a control point service routine that are rate limited are ARP packets. The ARP packet rate limit is 500 ARPs per second per interface.

Recommendation: Analyze your network traffic to determine the reason behind the high rate of ARP packets.

System messages: 322002, 322003

queue-removed

Queued packet dropped

When the QoS configuration is changed or removed, the existing packets in the output queues awaiting transmission are dropped and this counter is incremented.

Recommendation: Under normal conditions, this may be seen when the QoS configuration has been changed by the user. If this occurs when no changes to the QoS configuration were performed, please contact Cisco TAC.

System messages: None.

rate-exceeded

QoS rate exceeded

This counter is incremented when rate-limiting (policing) is configured on an egress interface, and the egress traffic rate exceeds the burst rate configured. The counter is incremented for each packet dropped.

Recommendation: Investigate and determine why the rate of traffic leaving the interface is higher than the configured rate. This may be normal, or could be an indication of a virus or an attempted attack.

System messages: None.

rpf-violated

Reverse-path verify failed

This counter is incremented when ip verify reverse-path is configured on an interface and the security appliance receives a packet for which the route lookup of the source IP did not yield the same interface as the one on which the packet was received.

Recommendation: Trace the source of traffic based on the source IP printed in the system message below, and investigate why it is sending spoofed traffic.

System messages: 106021

security-failed

Early security checks failed

This counter is incremented and the packet is dropped when the security appliance:

Receives an IPv4 multicast packet when the packet multicast MAC address does not match the packet multicast destination IP address

Receives an IPv6 or IPv4 teardrop fragment containing either a small offset or overlapping fragments

Receives an IPv4 packet that matches an IP audit signature

Recommendation: Contact the remote peer administrator or escalate this issue according to your security policy. For a detailed description and the system messages for IP audit attack checks, refer to the ip audit signature command.

System messages: 106020, 400xx in case of IP audit checks

send-ctm-error

Send to CTM returned error

This counter is obsolete in the security appliance and should never increment.

Recommendation: None.

System messages: None.

sp-security-failed

Slowpath security checks failed

This counter is incremented and the packet is dropped when the security appliance:

Is in routed mode and receives a through-the-box:

L2 broadcast packet

IPv4 packet with destination IP address equal to 0.0.0.0

IPv4 packet with source IP address equal to 0.0.0.0

Recommendation: Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.

System messages: 106016

Is in routed or transparent mode and receives a through-the-box IPv4 packet with:

The first octet of the source IP address is equal to zero

The source IP address is equal to the loopback IP address

Network part of the source IP address is equal to all 0s

The network part of the source IP address is equal to all 1s

The source IP address host part is equal to all 0s or all 1s

Recommendation: Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.

System messages: 106016

Is in routed or transparent mode and receives an IPv4 or IPv6 packet with the same source and destination IP addresses

Recommendation: If this message counter is incrementing rapidly, an attack may be in progress. Use the packet capture feature to capture type asp packets, and check the source MAC address in the packet to see where they are coming from.

System messages: 106017
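The address checks listed for sp-security-failed, written out as an added example (not Cisco's code; the appliance's internals are not on this page). The page does not say which mask defines the "network part" of the source address, so the caller supplies the ingress subnet prefix length as an assumption, and the syslog IDs are the ones listed above.

```python
"""Added example: reproduce the sp-security-failed source/destination checks.
Not Cisco code. Assumption: prefix_len is the ingress interface subnet size
and is used to split the IPv4 source address into network and host parts."""
import ipaddress
from typing import Optional, Tuple

SYSLOG_BOGUS_ADDR = 106016   # page: bogus source/destination address
SYSLOG_SAME_ADDR = 106017    # page: source address equals destination address
DROP = "sp-security-failed"


def sp_security_check(mode: str, src: str, dst: str, prefix_len: int = 24,
                      l2_broadcast: bool = False) -> Optional[Tuple[str, int]]:
    """Return (drop_reason, syslog_id) if a through-the-box packet would be
    dropped by the slowpath security checks on this page, else None.

    mode: "routed" or "transparent".
    l2_broadcast: True if the frame's destination MAC is the L2 broadcast."""
    if mode not in ("routed", "transparent"):
        raise ValueError("mode must be 'routed' or 'transparent'")
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix_len must be between 0 and 32")
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("source and destination must be the same IP version")

    # Third case on the page: identical source and destination (IPv4 or IPv6,
    # routed or transparent mode) -> system message 106017.
    if s == d:
        return (DROP, SYSLOG_SAME_ADDR)
    if s.version == 6:
        return None                      # remaining checks are IPv4-only

    zero = ipaddress.IPv4Address("0.0.0.0")

    # First case: routed mode only -> 106016.
    if mode == "routed":
        if l2_broadcast:                 # through-the-box L2 broadcast
            return (DROP, SYSLOG_BOGUS_ADDR)
        if d == zero or s == zero:       # destination or source 0.0.0.0
            return (DROP, SYSLOG_BOGUS_ADDR)

    # Second case: routed or transparent mode, IPv4 source sanity -> 106016.
    if s.packed[0] == 0:                 # first octet of the source is zero
        return (DROP, SYSLOG_BOGUS_ADDR)
    if s.is_loopback:                    # 127.0.0.0/8
        return (DROP, SYSLOG_BOGUS_ADDR)
    if prefix_len > 0:
        net_bits = int(s) >> (32 - prefix_len)
        if net_bits == 0 or net_bits == (1 << prefix_len) - 1:
            return (DROP, SYSLOG_BOGUS_ADDR)   # network part all 0s or all 1s
    if prefix_len < 31:                  # /31 and /32 have no usable host part
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        if s in (net.network_address, net.broadcast_address):
            return (DROP, SYSLOG_BOGUS_ADDR)   # host part all 0s or all 1s
    return None


if __name__ == "__main__":
    # Constructed sample packets, one per check on the page.
    samples = [
        ("routed", "10.1.1.5", "10.1.1.9", 24, False),
        ("routed", "10.1.1.5", "0.0.0.0", 24, False),
        ("transparent", "127.0.0.1", "10.1.1.9", 24, False),
        ("transparent", "10.1.1.5", "10.1.1.5", 24, False),
        ("routed", "10.1.1.255", "10.1.1.9", 24, False),
    ]
    for mode, src, dst, plen, bcast in samples:
        print(mode, src, "->", dst, sp_security_check(mode, src, dst, plen, bcast))
```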

tcp-3whs-failed

TCP failed 3 way handshake

This counter is incremented and the packet is dropped when the security appliance receives an invalid TCP packet during the three-way handshake. For example, a SYN-ACK from a client will be dropped for this reason.

Recommendation: None.

System messages: None.

tcp-ack-syn-diff

TCP ACK in SYNACK invalid

This counter is incremented and the packet is dropped when the security appliance receives a SYN-ACK packet during the three-way handshake with an incorrect TCP acknowledgement number.

Recommendation: None.

System messages: None.

tcp-acked

TCP DUP and has been ACKed

This counter is incremented and the packet is dropped when the security appliance receives a retransmitted data packet and the data has been acknowledged by the peer TCP endpoint.

Recommendation: None.

System messages: None.

tcp-bad-option-len

Bad option length in TCP

This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with a TCP option set, but the option length does not match the length defined for that option in the TCP RFC.

Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a TCP endpoint is sending corrupted packets and an attack is in progress. Please use the packet capture feature to learn more about the origin of the packet.

System messages: None.

tcp-bad-option-list

TCP option list invalid

This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with a non-standard TCP header option.

Recommendation: To allow such TCP packets or clear non-standard TCP header options and then allow the packet, use the tcp-options command.

System messages: None.

tcp-bad-sack-allow

Bad TCP SACK ALLOW option

This counter is incremented and the packet is dropped when the appliance receives a TCP packet with the selective acknowledgement option, but the SYN flag is not set.

Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a TCP endpoint is sending corrupted packets and an attack is in progress. Please use the packet capture feature to learn more about the origin of the packet.

System messages: None.

tcp-bad-winscale

Bad TCP window scale value

This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with the window-scale option greater than 14.

Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a TCP endpoint is sending corrupted packets and an attack is in progress. Please use the packet capture feature to learn more about the origin of the packet.

System messages: None.

tcp-buffer-full

TCP packet buffer full

This counter is incremented and the packet is dropped when the security appliance receives an out-of-order TCP packet on a connection, and there is no buffer space to store this packet. Typically TCP packets are put into order on connections that are inspected by the security appliance or when packets are sent to an SSM for inspection. There is a default queue size, and when packets in excess of this default queue size are received they will be dropped.

Recommendation: On ASA platforms the queue size could be increased using the queue-size command.

System messages: None.

tcp-conn-limit

TCP Connection limit reached

This reason is given for dropping a TCP packet during the TCP connection establishment phase when the connection limit has been exceeded. The connection limit is configured using the set connection conn-max command.

Recommendation: If this is incrementing rapidly, check the system messages to determine which host's connection limit is reached. The connection limit may need to be increased if the traffic is normal, or the host may be under attack.

System messages: 201011

tcp-data-past-fin

TCP data send after FIN

This counter is incremented and the packet is dropped when the security appliance receives a new TCP data packet from an endpoint that had already sent a FIN to close the connection.

Recommendation: None.

System messages: None.

tcp-discarded-ooo

TCP ACK in 3 way handshake invalid

This counter is incremented and the packet is dropped when the security appliance receives a TCP ACK packet from a client during the three-way handshake and the sequence number is not the next expected sequence number.

Recommendation: None.

System messages: None.

tcp-dual-open

TCP Dual open denied

This counter is incremented and the packet is dropped when the security appliance receives a TCP SYN packet from the server and an embryonic TCP connection is already open.

Recommendation: None.

System messages: None.

tcp-fo-drop

TCP replicated flow pak drop

This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with a control flag like SYN, FIN, or RST on an established connection just after the security appliance has taken over as active unit.

Recommendation: None.

System messages: None.

tcp-invalid-ack

TCP invalid ACK

This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with an acknowledgement number greater than the data sent by the peer TCP endpoint.

Recommendation: None.

System messages: None.

tcp-mss-exceeded

TCP data exceeded MSS

This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with a data length greater than the MSS advertised by the peer TCP endpoint.

Recommendation: To allow such TCP packets, use the exceed-mss command.

System messages: 4419001

tcp-not-syn

First TCP packet not SYN

The security appliance received a non-SYN packet as the first packet of a non-intercepted and non-nailed connection.

Recommendation: Under normal conditions, this may be seen when the security appliance has already closed a connection, and the client or server still believes the connection is open and continues to transmit data. Examples of where this may occur are just after a clear local-host or clear xlate command is issued. Also, if connections have not been recently removed and the counter is incrementing rapidly, the security appliance may be under attack. Capture a sniffer trace to help isolate the cause.

System messages: 6106015

tcp-paws-fail

TCP packet failed PAWS test

This counter is incremented and the packet is dropped when a TCP packet with a timestamp header option fails the PAWS (Protect Against Wrapped Sequences) test.

Recommendation: To allow such connections to proceed, use the tcp-options command to clear the timestamp option.

System messages: None.

tcp-reserved-set

TCP reserved flags set

This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with reserved flags set in the TCP header.

Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a TCP endpoint is sending corrupted packets and an attack is in progress. Please use the packet capture feature to learn more about the origin of the packet. To allow such TCP packets or clear reserved flags and then pass the packet, use the reserved-bits command.

System messages: None.

tcp-rst-syn-in-win

TCP RST/SYN in window

This counter is incremented and the packet is dropped when the security appliance receives a TCP SYN or TCP RST packet on an established connection with a sequence number within the window, but not as the next expected sequence number.

Recommendation: None.

System messages: None.

tcp-rstfin-ooo

TCP RST/FIN out of order

This counter is incremented and the packet is dropped when the security appliance receives a RST or a FIN packet with the incorrect TCP sequence number.

Recommendation: None.

System messages: None.

tcp-seq-past-win

TCP packet SEQ past window

This counter is incremented and the packet is dropped when the security appliance receives a TCP data packet with a sequence number beyond the window allowed by the peer TCP endpoint.

Recommendation: None.

System messages: None.

tcp-seq-syn-diff

TCP SEQ in SYN/SYNACK invalid

This counter is incremented and the packet is dropped when the security appliance receives a SYN or SYN-ACK packet during the three-way handshake with an incorrect TCP sequence number.

Recommendation: None.

System messages: None.

tcp-syn-data

TCP SYN with data

This counter is incremented and the packet is dropped when the security appliance receives a TCP SYN packet with data.

Recommendation: To allow such TCP packets use the syn-data command.

System messages: None.

tcp-syn-ooo

TCP SYN on established conn

This counter is incremented and the packet is dropped when the security appliance receives a TCP SYN packet on an established TCP connection.

Recommendation: None.

System messages: None.

tcp-synack-data

TCP SYNACK with data

This counter is incremented and the packet is dropped when the security appliance receives a TCP SYN-ACK packet with data.

Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a TCP endpoint is sending corrupted packets and an attack is in progress. Please use the packet capture feature to learn more about the origin of the packet.

System messages: None.

tcp-synack-ooo

TCP SYNACK on established conn

This counter is incremented and the packet is dropped when the security appliance receives a TCP SYN-ACK packet on an established TCP connection.

Recommendation: None.

System messages: None.

tcp-winscale-no-syn

TCP Window scale on non-SYN

This counter is incremented and the packet is dropped when the security appliance receives a TCP packet with the window-scale TCP option without SYN flag set.

Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a TCP endpoint is sending corrupted packets and an attack is in progress. Please use the packet capture feature to learn more about the origin of the packet.

System messages: None.

tcp_xmit_partial

TCP retransmission partial

This counter is incremented and the packet is dropped when the check-retransmission feature is enabled, and a partial TCP retransmission was received.

Recommendation: None.

System messages: None.

tcpnorm-rexmit-bad

TCP bad retransmission

This counter is incremented and the packet is dropped when the check-retransmission feature is enabled, and a TCP retransmission with different data from the original packet was received.

Recommendation: None.

System messages: None.

tcpnorm-win-variation

TCP unexpected window size variation

This counter is incremented and the packet is dropped when the window size advertised by the TCP endpoint is drastically changed without accepting that much data.

Recommendation: To allow such packets, use the window-variation command.

System messages: None.
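As an added illustration (not code from Cisco or from this reference), the following Python models the normalizer checks behind the tcp-* drop reasons above and returns the reason name a packet would trigger. The order of the checks, the signed 32-bit window arithmetic, the Packet and ConnState fields and the reserved-bit mask are assumptions made for readability; the appliance's real state machine has more inputs than this, and the tcp-seq-syn-diff, tcp_xmit_partial, tcpnorm-rexmit-bad and tcpnorm-win-variation checks are left out because they need retransmission history.

```python
# Added illustration, not Cisco code: a simplified model of the TCP normalizer
# checks that map a packet to a show asp drop reason. Check order, window
# arithmetic and field layout are assumptions for readability.
from dataclasses import dataclass
from typing import Optional

# Flag bits of the 16-bit data-offset/flags word in the TCP header.
FIN, SYN, RST, ACK = 0x001, 0x002, 0x004, 0x010
RESERVED_MASK = 0xE00   # the three reserved bits above the flags (assumed layout)

MOD = 1 << 32


def seq_delta(a: int, b: int) -> int:
    """Signed 32-bit difference a - b, so wrapped sequence numbers compare correctly."""
    return ((a - b + (MOD >> 1)) % MOD) - (MOD >> 1)


@dataclass
class Packet:
    flags: int
    seq: int
    payload_len: int = 0
    tsval: Optional[int] = None    # timestamp option value, if the option is present
    window_scale: bool = False     # window-scale option present?


@dataclass
class ConnState:
    established: bool
    expected_seq: int                  # next sequence number expected from this sender
    window: int                        # receive window the other endpoint advertised
    ts_recent: Optional[int] = None    # last timestamp accepted from this sender (PAWS)


def classify(pkt: Packet, conn: ConnState) -> Optional[str]:
    """Return the drop reason for pkt, or None when the packet would be passed."""
    # Header sanity: reserved bits must be zero; window scale is only valid on a SYN.
    if pkt.flags & RESERVED_MASK:
        return "tcp-reserved-set"
    if pkt.window_scale and not (pkt.flags & SYN):
        return "tcp-winscale-no-syn"
    # PAWS: a timestamp older than the last accepted one marks a wrapped or stale segment.
    if (pkt.tsval is not None and conn.ts_recent is not None
            and seq_delta(pkt.tsval, conn.ts_recent) < 0):
        return "tcp-paws-fail"
    if pkt.flags & SYN:
        if pkt.payload_len:
            return "tcp-synack-data" if pkt.flags & ACK else "tcp-syn-data"
        if conn.established:
            off = seq_delta(pkt.seq, conn.expected_seq)
            # Inside the window but not the next expected sequence number.
            if 0 < off < conn.window:
                return "tcp-rst-syn-in-win"
            return "tcp-synack-ooo" if pkt.flags & ACK else "tcp-syn-ooo"
        return None   # SYN / SYN-ACK during the three-way handshake
    if not conn.established:
        return None   # handshake bookkeeping is out of scope for this model
    off = seq_delta(pkt.seq, conn.expected_seq)
    if pkt.flags & RST:
        if off == 0:
            return None
        return "tcp-rst-syn-in-win" if 0 < off < conn.window else "tcp-rstfin-ooo"
    if pkt.flags & FIN and off != 0:
        return "tcp-rstfin-ooo"
    # Data must end inside the peer's advertised window; a retransmission (off < 0)
    # that still ends inside the window is passed by this model.
    if pkt.payload_len and off + pkt.payload_len > conn.window:
        return "tcp-seq-past-win"
    return None


if __name__ == "__main__":
    conn = ConnState(established=True, expected_seq=1000, window=8192, ts_recent=500)
    for p in (Packet(ACK, 1000, 100, tsval=600), Packet(ACK, 1000, 9000),
              Packet(SYN, 1500), Packet(ACK | 0x200, 1000)):
        print(p, "->", classify(p, conn))
```

The model is meant for reading alongside the reason descriptions: each return statement corresponds to one counter, so a captured packet can be walked through the function by hand to see why the appliance would have dropped it.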

tfw-no-mgmt-ip-config

No management IP address configured for TFW

This counter is incremented when the security appliance receives an IP packet in transparent mode and has no management IP address defined. The packet is dropped.

Recommendation: Configure the security appliance with a management IP address and mask values.

System messages: 322004

unable-to-add-flow

Flow hash full

This counter is incremented when a newly created flow is inserted into the flow hash table, and the insertion failed because the hash table was full. The flow and the packet are dropped. This is different from the counter that increments when the maximum connection limit is reached.

Recommendation: This message signifies a lack of resources on the security appliance to support an operation that should have been successful. Please check if the connections in the show conn output have exceeded their configured idle timeout values. If so, contact Cisco TAC.

System messages: None.

unable-to-create-flow

Flow denied due to resource limitation

This counter is incremented and the packet is dropped when flow creation fails due to a system resource limitation. The resource limit may be either:

System memory

Packet block extension memory

System connection limit

The first two causes occur simultaneously with flow drop reason "No memory to complete flow."

Recommendation:

Observe if free system memory is low.

Observe if flow drop reason "No memory to complete flow" occurs.

Observe if the connection count reaches the system connection limit using the show resource usage command.

System messages: None.

unexpected-packet

Unexpected packet

This counter is incremented when the security appliance in transparent mode receives a non-IP packet destined to its MAC address, but there is no corresponding service running on the security appliance to process the packet.

Recommendation: Verify if the security appliance is under attack. If there are no suspicious packets, or the security appliance is not in transparent mode, this counter is most likely being incremented due to a software error. Attempt to capture the traffic that is causing the counter to increment and contact the Cisco TAC.

System messages: None.

unsupport-ipv6-hdr

Unsupported IPV6 header

This counter is incremented and the packet is dropped if an IPv6 packet is received with an unsupported IPv6 extension header. The supported IPv6 extension headers are: TCP, UDP, ICMPv6, ESP, AH, Hop Options, Destination Options, and Fragment. The IPv6 routing extension header is not supported, and any extension header not listed above is not supported. IPv6 ESP and AH headers are supported only if the packet is through-the-box. To-the-box IPv6 ESP and AH packets are not supported and will be dropped.

Recommendation: This error may be due to a misconfigured host. If this error occurs repeatedly or in large numbers, it could also indicate spurious or malicious activity such as an attempted DoS attack.

System messages: None.

unsupported-ip-version

Unsupported IP version

This counter is incremented when the security appliance receives an IP packet that has an unsupported version in the version field of the IP header. Specifically, if the packet does not belong to version 4 or version 6, the packet is dropped.

Recommendation: Verify that other devices on the connected network are configured to send IP packets belonging to versions 4 or 6 only.

System messages: None.
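The following Python is an added example, not code from Cisco or from this reference: it parses two snapshots of show asp drop output, computes how fast each counter grew between them, and lists the counters whose recommendations above mention a possible attack when they climb quickly. The snapshot text, the sixty-second interval and the packets-per-second threshold are constructed for the example; the parser assumes the two-section layout with the counter name in parentheses and the count at the end of the line.

```python
# Added example (not Cisco code): parse two snapshots of `show asp drop`, compute
# per-counter growth rates and flag the reasons this reference associates with a
# possible attack. The snapshots below are constructed for the example.
import re
from typing import Dict, List, Tuple

# One counter line: description, (reason-name), count.
LINE_RE = re.compile(r"^\s+(?P<desc>.+?)\s+\((?P<name>[\w\-]+)\)\s+(?P<count>\d+)\s*$")

# Reasons whose recommendations in this reference mention a possible attack.
ATTACK_INDICATORS = {
    "tcp-reserved-set", "tcp-synack-data", "tcp-winscale-no-syn",
    "unexpected-packet", "unsupport-ipv6-hdr",
}

Snapshot = Dict[str, Dict[str, int]]          # {"Frame drop": {name: count}, ...}


def parse_asp_drop(text: str) -> Snapshot:
    """Return the counters of each section ('Frame drop', 'Flow drop') by reason name."""
    sections: Snapshot = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        # Section headers sit at column 0 and end with a colon; "Last clearing: Never" does not.
        if stripped.endswith(":") and not line.startswith(" "):
            current = stripped[:-1]
            sections.setdefault(current, {})
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            sections[current][m.group("name")] = int(m.group("count"))
    return sections


def counter_rates(before: Snapshot, after: Snapshot, interval_s: float) -> Dict[Tuple[str, str], float]:
    """Per-second growth of each counter between two snapshots taken interval_s apart."""
    rates: Dict[Tuple[str, str], float] = {}
    for section, counters in after.items():
        for name, count in counters.items():
            delta = count - before.get(section, {}).get(name, 0)
            if delta < 0:            # counters were cleared between the snapshots
                delta = count
            rates[(section, name)] = delta / interval_s
    return rates


def flag_counters(rates: Dict[Tuple[str, str], float], threshold_pps: float) -> List[str]:
    """Attack-indicating reasons growing at or above threshold_pps, sorted by name."""
    return sorted({name for (_, name), rate in rates.items()
                   if name in ATTACK_INDICATORS and rate >= threshold_pps})


# Constructed snapshots, sixty seconds apart.
SNAPSHOT_1 = """hostname# show asp drop

Frame drop:
  Flow is denied by configured rule (acl-drop)                                 3
  TCP reserved flags set (tcp-reserved-set)                                    2
  Unsupported IPV6 header (unsupport-ipv6-hdr)                                 0

Last clearing: Never

Flow drop:
  Flow is denied by access rule (acl-drop)                                    12
"""

SNAPSHOT_2 = """hostname# show asp drop

Frame drop:
  Flow is denied by configured rule (acl-drop)                                 5
  TCP reserved flags set (tcp-reserved-set)                                 4502
  Unsupported IPV6 header (unsupport-ipv6-hdr)                                 0

Last clearing: Never

Flow drop:
  Flow is denied by access rule (acl-drop)                                    14
"""

if __name__ == "__main__":
    rates = counter_rates(parse_asp_drop(SNAPSHOT_1), parse_asp_drop(SNAPSHOT_2), 60)
    for key, rate in sorted(rates.items()):
        print(f"{key[0]:<10} {key[1]:<22} {rate:8.2f} pps")
    print("investigate:", flag_counters(rates, threshold_pps=10))
```

Counters are keyed by section as well as name because acl-drop appears under both Frame drop and Flow drop. A flagged counter is a cue to take the packet capture the recommendations ask for, not a verdict on its own: a bad cable can drive tcp-reserved-set just as an attacker can.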


Examples

The following is sample output from the show asp drop command, with the timestamp indicating the last time the counters were cleared:

hostname# show asp drop

Frame drop:
  Flow is denied by configured rule (acl-drop)                                 3
  Dst MAC L2 Lookup Failed (dst-l2_lookup-fail)                             4110
  L2 Src/Dst same LAN port (l2_same-lan-port)                                760
  Expired flow (flow-expired)                                                  1

Last clearing: Never

Flow drop:
  Flow is denied by access rule (acl-drop)