Cisco Security Appliance Command Reference, Version 7.2
show isakmp sa through show route Commands

Table Of Contents

show isakmp ipsec-over-tcp stats through show route Commands

show isakmp ipsec-over-tcp stats

show isakmp sa

show isakmp stats

show local-host

show logging

show logging rate-limit

show mac-address-table

show management-access

show memory

show memory binsize

show memory delayed-free-poisoner

show memory profile

show memory webvpn

show memory-caller address

show mfib

show mfib active

show mfib count

show mfib interface

show mfib reserved

show mfib status

show mfib summary

show mfib verbose

show mgcp

show mode

show module

show mrib client

show mrib route

show mroute

show nameif

show ntp associations

show ntp status

show ospf

show ospf border-routers

show ospf database

show ospf flood-list

show ospf interface

show ospf neighbor

show ospf request-list

show ospf retransmission-list

show ospf summary-address

show ospf virtual-links

show perfmon

show pim df

show pim group-map

show pim interface

show pim join-prune statistic

show pim neighbor

show pim range-list

show pim topology

show pim topology reserved

show pim topology route-count

show pim traffic

show pim tunnel

show power inline

show priority-queue statistics

show processes

show reload

show resource allocation

show resource types

show resource usage

show rip database

show route


show isakmp ipsec-over-tcp stats through show route Commands


show isakmp ipsec-over-tcp stats

To display runtime statistics for IPsec over TCP, use the show isakmp ipsec-over-tcp stats command in global configuration mode or privileged EXEC mode.

show isakmp ipsec-over-tcp stats

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC


Command History

Release   Modification
7.0(1)    The show isakmp ipsec-over-tcp stats command was introduced.
7.2(1)    The show isakmp ipsec-over-tcp stats command was deprecated. The show crypto isakmp ipsec-over-tcp stats command replaces it.


Usage Guidelines

The output from this command includes the following fields:

Embryonic connections

Active connections

Previous connections

Inbound packets

Inbound dropped packets

Outbound packets

Outbound dropped packets

RST packets

Received ACK heart-beat packets

Bad headers

Bad trailers

Timer failures

Checksum errors

Internal errors

Examples

The following example, issued in global configuration mode, displays the IPsec over TCP statistics:

hostname(config)# show isakmp ipsec-over-tcp stats
Global IPSec over TCP Statistics
--------------------------------
Embryonic connections: 2
Active connections: 132
Previous connections: 146
Inbound packets: 6000
Inbound dropped packets: 30
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 260
Received ACK heart-beat packets: 10
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0
hostname(config)# 

Related Commands

Command                               Description
clear configure crypto isakmp         Clears all the ISAKMP configuration.
clear configure crypto isakmp policy  Clears all ISAKMP policy configuration.
clear crypto isakmp sa                Clears the IKE runtime SA database.
crypto isakmp enable                  Enables ISAKMP negotiation on the interface on which the IPSec peer communicates with the security appliance.
show running-config crypto isakmp     Displays all the active ISAKMP configuration.


show isakmp sa

To display the IKE runtime SA database, use the show isakmp sa command in global configuration mode or privileged EXEC mode.

show isakmp sa [detail]

Syntax Description

detail

Displays detailed output about the SA database.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC


Command History

Release   Modification
7.0(1)    The show isakmp sa command was introduced.
7.2(1)    This command was deprecated. The show crypto isakmp sa command replaces it.


Usage Guidelines

The output from this command includes the following fields:

Table 27-1 Detail not specified

IKE Peer         Type  Dir   Rky  State
209.165.200.225  L2L   Init  No   MM_Active

Table 27-2 Detail specified

IKE Peer         Type  Dir   Rky  State      Encrypt  Hash  Auth     Lifetime
209.165.200.225  L2L   Init  No   MM_Active  3des     md5   preshrd  86400

Examples

The following example, entered in global configuration mode, displays detailed information about the SA database:

hostname(config)# show isakmp sa detail

IKE Peer	  Type  Dir   Rky  State      Encrypt Hash  Auth    Lifetime
1 209.165.200.225 User  Resp  No   AM_Active  3des    SHA   preshrd 86400

IKE Peer	  Type  Dir   Rky  State      Encrypt Hash  Auth    Lifetime
2 209.165.200.226 User  Resp  No   AM_ACTIVE  3des    SHA   preshrd 86400

IKE Peer	  Type  Dir   Rky  State      Encrypt Hash  Auth    Lifetime
3 209.165.200.227 User  Resp  No   AM_ACTIVE  3des    SHA   preshrd 86400

IKE Peer	  Type  Dir   Rky  State      Encrypt Hash  Auth    Lifetime
4 209.165.200.228 User  Resp  No   AM_ACTIVE  3des    SHA   preshrd 86400

hostname(config)# 
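As an added example that is not part of the Cisco reference, the following Python parser reads show isakmp sa detail output in the format shown above and flags the SAs a hardening review would question: DES or 3DES encryption, MD5 hashing, pre-shared-key authentication, and aggressive-mode (AM_) states. The sample session text and the policy sets are constructed assumptions, not device output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the show isakmp sa detail output above.
SAMPLE_DETAIL = """\
hostname(config)# show isakmp sa detail

IKE Peer          Type  Dir   Rky  State      Encrypt Hash  Auth    Lifetime
1 209.165.200.225 User  Resp  No   AM_Active  3des    SHA   preshrd 86400

IKE Peer          Type  Dir   Rky  State      Encrypt Hash  Auth    Lifetime
2 209.165.200.226 L2L   Init  No   MM_Active  aes     SHA   rsasig  28800

hostname(config)#
"""


@dataclass
class IkeSa:
    peer: str
    sa_type: str
    direction: str
    rekey: bool
    state: str
    encrypt: Optional[str] = None   # only present with the detail keyword
    hash_alg: Optional[str] = None
    auth: Optional[str] = None
    lifetime: Optional[int] = None


# One SA row: optional index, IPv4 peer, then 4 columns (plain) or 8 (detail).
ROW = re.compile(
    r"^\s*(?:\d+\s+)?(?P<peer>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<type>\S+)\s+(?P<dir>\S+)\s+(?P<rky>Yes|No)\s+(?P<state>\S+)"
    r"(?:\s+(?P<enc>\S+)\s+(?P<hash>\S+)\s+(?P<auth>\S+)\s+(?P<life>\d+))?\s*$",
    re.IGNORECASE,
)


def parse_isakmp_sa(text: str) -> List[IkeSa]:
    """Return one IkeSa per SA row; prompts, headers and blank lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        sas.append(IkeSa(
            peer=m["peer"], sa_type=m["type"], direction=m["dir"],
            rekey=m["rky"].lower() == "yes", state=m["state"],
            encrypt=m["enc"].lower() if m["enc"] else None,
            hash_alg=m["hash"].lower() if m["hash"] else None,
            auth=m["auth"].lower() if m["auth"] else None,
            lifetime=int(m["life"]) if m["life"] else None,
        ))
    return sas


# Assumed review policy (assumption, not from the reference).
WEAK_ENCRYPT = {"des", "3des"}
WEAK_HASH = {"md5"}


def audit(sas: List[IkeSa]) -> List[Tuple[str, str]]:
    """Return (peer, finding) pairs for SAs that deserve a second look."""
    findings = []
    for sa in sas:
        if sa.encrypt in WEAK_ENCRYPT:
            findings.append((sa.peer, f"weak encryption {sa.encrypt}"))
        if sa.hash_alg in WEAK_HASH:
            findings.append((sa.peer, f"weak hash {sa.hash_alg}"))
        if sa.auth == "preshrd":
            findings.append((sa.peer, "pre-shared key authentication"))
        if sa.state.upper().startswith("AM_"):   # AM_ = aggressive mode, MM_ = main mode
            findings.append((sa.peer, "aggressive mode"))
        if not sa.state.lower().endswith("_active"):
            findings.append((sa.peer, f"SA not active: {sa.state}"))
    return findings
```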

Related Commands

Command                        Description
clear configure isakmp         Clears all the ISAKMP configuration.
clear configure isakmp policy  Clears all ISAKMP policy configuration.
clear isakmp sa                Clears the IKE runtime SA database.
isakmp enable                  Enables ISAKMP negotiation on the interface on which the IPSec peer communicates with the security appliance.
show running-config isakmp     Displays all the active ISAKMP configuration.


show isakmp stats

To display ISAKMP (IKE) runtime statistics, use the show isakmp stats command in global configuration mode or privileged EXEC mode.

show isakmp stats

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC


Command History

Release   Modification
7.0(1)    The show isakmp stats command was introduced.
7.2(1)    This command was deprecated. The show crypto isakmp stats command replaces it.


Usage Guidelines

The output from this command includes the following fields:

Global IKE Statistics

Active Tunnels

In Octets

In Packets

In Drop Packets

In Notifys

In P2 Exchanges

In P2 Exchange Invalids

In P2 Exchange Rejects

In P2 Sa Delete Requests

Out Octets

Out Packets

Out Drop Packets

Out Notifys

Out P2 Exchanges

Out P2 Exchange Invalids

Out P2 Exchange Rejects

Out P2 Sa Delete Requests

Initiator Tunnels

Initiator Fails

Responder Fails

System Capacity Fails

Auth Fails

Decrypt Fails

Hash Valid Fails

No Sa Fails

Examples

The following example, issued in global configuration mode, displays ISAKMP statistics:

hostname(config)# show isakmp stats
Global IKE Statistics
Active Tunnels: 132
Previous Tunnels: 132
In Octets: 195471
In Packets: 1854
In Drop Packets: 925
In Notifys: 0
In P2 Exchanges: 132
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 119029
Out Packets: 796
Out Drop Packets: 0
Out Notifys: 264
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
hostname(config)# 

Related Commands

Command                        Description
clear configure isakmp         Clears all the ISAKMP configuration.
clear configure isakmp policy  Clears all ISAKMP policy configuration.
clear isakmp sa                Clears the IKE runtime SA database.
isakmp enable                  Enables ISAKMP negotiation on the interface on which the IPSec peer communicates with the security appliance.
show running-config isakmp     Displays all the active ISAKMP configuration.


show local-host

To display the network states of local hosts, use the show local-host command in privileged EXEC mode.

show local-host [ip_address] [detail] [all] [brief] [connection]

Syntax Description

all

(Optional) Includes local hosts connecting to the security appliance and from the security appliance.

detail

(Optional) Displays the detailed network states of local host information, including more information about active xlates and network connections.

ip_address

(Optional) Specifies the local host IP address.

brief

(Optional) Displays brief local host information.

connection

(Optional) Displays local host information filtered by the number of connections.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release   Modification
7.2(1)    For models with host limits, this command now shows which interface is considered to be the outside interface.
7.2(4)    Two new options, connection and brief, were added to the show local-host command so that the output is filtered by the number of connections for the inside hosts.


Usage Guidelines

The show local-host command lets you display the network states of local hosts. A local-host is created for any host that forwards traffic to, or through, the security appliance.

This command lets you show the translation and connection slots for the local hosts. This command provides information for hosts that are configured with the nat 0 access-list command when normal translation and connection states may not apply.

This command also displays the connection limit values. If a connection limit is not set, the value displays as 0 and the limit is not applied.

For models with host limits, in routed mode, hosts on the inside (Work and Home zones) count towards the limit only when they communicate with the outside (Internet zone). Internet hosts are not counted towards the limit. Hosts that initiate traffic between Work and Home are also not counted towards the limit. The interface associated with the default route is considered to be the Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit.

In the event of a SYN attack (with TCP intercept configured), the show local-host command output includes the number of intercepted connections in the usage count. This field typically displays only full open connections.

In the show local-host command output, the TCP embryonic count to host counter is used when a maximum embryonic limit (TCP intercept watermark) is configured for a host using a static connection. This counter shows the total embryonic connections to the host from other hosts. If this total exceeds the maximum configured limit, TCP intercept is applied to new connections to the host.

Examples

The following sample output is displayed by the show local-host command:

hostname# show local-host
Interface inside: 0 active, 0 maximum active, 0 denied
Interface outside: 1 active, 2 maximum active, 0 denied

The following sample output is displayed by the show local-host command on a security appliance with host limits:

hostname# show local-host
Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.

Current host count: 3, towards licensed host limit of: 50

Interface inside: 1 active, 1 maximum active, 0 denied
Interface outside: 0 active, 0 maximum active, 0 denied

The following sample output is displayed by the show local-host command on a security appliance with host limits but without a default route; in this case the host limit applies to all interfaces. The default route interface might not be detected if the default route or the interface that the route uses is down.

hostname# show local-host
Unable to determine Internet interface from default route. Host limit applied to all interfaces.

Current host count: 3, towards licensed host limit of: 50

Interface c1in: 1 active, 1 maximum active, 0 denied
Interface c1out: 0 active, 0 maximum active, 0 denied

The following sample output is displayed by the show local-host command on a security appliance with unlimited hosts:

hostname# show local-host
Licensed host limit: Unlimited

Interface c1in: 1 active, 1 maximum active, 0 denied
Interface c1out: 0 active, 0 maximum active, 0 denied

The following examples show how to display the network states of local hosts:

hostname# show local-host all
Interface outside: 1 active, 2 maximum active, 0 denied
local host: <11.0.0.4>,
TCP flow count/limit = 0/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited 
Conn:
105 out 11.0.0.4 in 11.0.0.3 idle 0:01:42 bytes 4464
105 out 11.0.0.4 in 11.0.0.3 idle 0:01:44 bytes 4464
Interface inside: 1 active, 2 maximum active, 0 denied
local host: <17.3.8.2>,
TCP flow count/limit = 0/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited 
Conn:
105 out 17.3.8.2 in 17.3.8.1 idle 0:01:42 bytes 4464
105 out 17.3.8.2 in 17.3.8.1 idle 0:01:44 bytes 4464
Interface NP Identity Ifc: 2 active, 4 maximum active, 0 denied
local host: <11.0.0.3>,
TCP flow count/limit = 0/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited 
Conn:
105 out 11.0.0.4 in 11.0.0.3 idle 0:01:44 bytes 4464
105 out 11.0.0.4 in 11.0.0.3 idle 0:01:42 bytes 4464
local host: <17.3.8.1>,
TCP flow count/limit = 0/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited 
Conn:
105 out 17.3.8.2 in 17.3.8.1 idle 0:01:44 bytes 4464
105 out 17.3.8.2 in 17.3.8.1 idle 0:01:42 bytes 4464

hostname# show local-host 10.1.1.91
Interface third: 0 active, 0 maximum active, 0 denied
Interface inside: 1 active, 1 maximum active, 0 denied
local host: <10.1.1.91>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to (from) host = 0 (0)
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited

Xlate:
PAT Global 192.150.49.1(1024) Local 10.1.1.91(4984)

Conn:
TCP out 192.150.49.10:21 in 10.1.1.91:4984 idle 0:00:07 bytes 75 flags UI
Interface outside: 1 active, 1 maximum active, 0 denied

hostname# show local-host 10.1.1.91 detail
Interface third: 0 active, 0 maximum active, 0 denied
Interface inside: 1 active, 1 maximum active, 0 denied
local host: <10.1.1.91>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to (from) host = 0 (0)
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited

Xlate:
TCP PAT from inside:10.1.1.91/4984 to outside:192.150.49.1/1024 flags ri

Conn:
TCP outside:192.150.49.10/21 inside:10.1.1.91/4984 flags UI
Interface outside: 1 active, 1 maximum active, 0 denied

The following examples show the output when using the brief and connection keywords:

hostname# show local-host brief
Interface inside: 1 active, 1 maximum active, 0 denied
Interface outside: 1 active, 1 maximum active, 0 denied
Interface mgmt: 5 active, 6 maximum active, 0 denied

hostname# show local-host connection
Interface inside: 1 active, 1 maximum active, 0 denied
Interface outside: 1 active, 1 maximum active, 0 denied
Interface mgmt: 5 active, 6 maximum active, 0 denied
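An added example, not part of the reference: a Python parser for show local-host output in the format shown above. It collects the per-interface active/denied counters and, for each host, the TCP flow count/limit, the TCP embryonic count and the TCP intercept watermark described in the usage guidelines, then lists the hosts whose embryonic total exceeds the watermark (the point at which TCP intercept applies to new connections). The sample output and all its counts are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format of the show local-host all output above;
# the counts are invented so that one host sits over its intercept watermark.
SAMPLE = """\
hostname# show local-host all
Interface outside: 1 active, 2 maximum active, 0 denied
local host: <11.0.0.4>,
TCP flow count/limit = 0/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Conn:
105 out 11.0.0.4 in 11.0.0.3 idle 0:01:42 bytes 4464
Interface inside: 2 active, 2 maximum active, 3 denied
local host: <10.1.1.91>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to (from) host = 250 (0)
TCP intercept watermark = 100
UDP flow count/limit = 0/unlimited
local host: <10.1.1.92>,
TCP flow count/limit = 40/50
TCP embryonic count to (from) host = 5 (0)
TCP intercept watermark = 100
UDP flow count/limit = 0/unlimited
"""

IFACE = re.compile(r"^Interface (?P<name>.+?): (?P<active>\d+) active, "
                   r"(?P<max>\d+) maximum active, (?P<denied>\d+) denied")
HOST = re.compile(r"^local host: <(?P<ip>[^>]+)>")
# Both output variants: "count to host = N" and "count to (from) host = N (M)".
EMBRYONIC = re.compile(r"^TCP embryonic count to(?: \(from\))? host = (?P<to>\d+)")
WATERMARK = re.compile(r"^TCP intercept watermark = (?P<wm>\S+)")
TCPFLOW = re.compile(r"^TCP flow count/limit = (?P<cnt>\d+)/(?P<lim>\S+)")


def _limit(value: str) -> Optional[int]:
    """'unlimited' becomes None; anything else is a numeric limit."""
    return None if value.lower() == "unlimited" else int(value)


def parse_local_host(text: str) -> Tuple[Dict[str, dict], Dict[str, dict]]:
    """Return ({interface: counters}, {host ip: per-host state})."""
    interfaces: Dict[str, dict] = {}
    hosts: Dict[str, dict] = {}
    current_if, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := IFACE.match(line):
            current_if = m["name"]
            interfaces[current_if] = {k: int(m[k]) for k in ("active", "max", "denied")}
        elif m := HOST.match(line):
            current = {"interface": current_if, "embryonic": 0, "watermark": None,
                       "tcp": 0, "tcp_limit": None}
            hosts[m["ip"]] = current
        elif current is not None:
            if m := EMBRYONIC.match(line):
                current["embryonic"] = int(m["to"])
            elif m := WATERMARK.match(line):
                current["watermark"] = _limit(m["wm"])
            elif m := TCPFLOW.match(line):
                current["tcp"], current["tcp_limit"] = int(m["cnt"]), _limit(m["lim"])
    return interfaces, hosts


def hosts_under_intercept(hosts: Dict[str, dict]) -> List[str]:
    """Hosts whose embryonic total exceeds the watermark: TCP intercept now applies."""
    return sorted(ip for ip, h in hosts.items()
                  if h["watermark"] is not None and h["embryonic"] > h["watermark"])


def interfaces_with_denials(interfaces: Dict[str, dict]) -> List[str]:
    """Interfaces on which the per-interface limit has already denied hosts."""
    return sorted(name for name, i in interfaces.items() if i["denied"] > 0)
```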

Related Commands

Command           Description
clear local-host  Releases network connections from local hosts displayed by the show local-host command.
nat               Associates a network with a pool of global IP addresses.


show logging

To show the logs in the buffer or to show other logging settings, use the show logging command.

show logging [message [syslog_id | all] | asdm | queue | setting]

Syntax Description

message

(Optional) Displays messages that are at a non-default level. See the logging message command to set the message level.

syslog_id

(Optional) Specifies a message number to display.

all

(Optional) Displays all system log message IDs, along with whether they are enabled or disabled.

setting

(Optional) Displays the logging setting, without displaying the logging buffer.

asdm

(Optional) Displays ASDM logging buffer content.

queue

(Optional) Displays the system log message queue.


Defaults

This command has no default settings.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release      Modification
Preexisting  This command was preexisting.


Usage Guidelines

If the logging buffered command is in use, the show logging command without any keywords shows the current message buffer and the current settings.

The show logging queue command allows you to display the following:

Number of messages that are in the queue

Highest number of messages recorded that are in the queue

Number of messages that are discarded because block memory was not available to process them

Examples

The following is sample output from the show logging command:

hostname(config)# show logging
Syslog logging: enabled
    Timestamp logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 37 messages logged
    Trap logging: disabled
305001: Portmapped translation built for gaddr 209.165.201.5/0 laddr 192.168.1.2/256
...

The following is sample output from the show logging message all command:

hostname(config)# show logging message all

syslog 111111: default-level alerts (enabled)
syslog 101001: default-level alerts (enabled)
syslog 101002: default-level alerts (enabled)
syslog 101003: default-level alerts (enabled)
syslog 101004: default-level alerts (enabled)
syslog 101005: default-level alerts (enabled)
syslog 102001: default-level alerts (enabled)
syslog 103001: default-level alerts (enabled)
syslog 103002: default-level alerts (enabled)
syslog 103003: default-level alerts (enabled)
syslog 103004: default-level alerts (enabled)
syslog 103005: default-level alerts (enabled)
syslog 103011: default-level alerts (enabled)
syslog 103012: default-level informational (enabled)

Related Commands

Command           Description
logging asdm      Enables logging to ASDM.
logging buffered  Enables logging to the buffer.
logging message   Sets the message level, or disables messages.
logging queue     Configures the logging queue.


show logging rate-limit

To display the messages disallowed by the logging rate limit, use the show logging rate-limit command.

show logging rate-limit

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release   Modification
7.0       Support for this command was introduced on the security appliance.


Usage Guidelines

After the information is cleared, nothing more displays until the hosts reestablish their connections.

Examples

This example shows how to display the disallowed messages:

hostname(config)# show logging rate-limit

Related Commands

Command       Description
show logging  Displays the enabled logging options.


show mac-address-table

To show the MAC address table, use the show mac-address-table command in privileged EXEC mode.

show mac-address-table [interface_name | count | static]

Syntax Description

count

(Optional) Lists the total number of dynamic and static entries.

interface_name

(Optional) Identifies the interface name for which you want to view MAC address table entries.

static

(Optional) Lists only static entries.


Defaults

If you do not specify an interface, all interface MAC address entries are shown.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release   Modification
7.0(1)    This command was introduced.


Examples

The following is sample output from the show mac-address-table command:

hostname# show mac-address-table
interface    mac address       type      Time Left
-----------------------------------------------------------------------
outside      0009.7cbe.2100    static    -
inside       0010.7cbe.6101    static    -
inside       0009.7cbe.5101    dynamic   10

The following is sample output from the show mac-address-table command for the inside interface:

hostname# show mac-address-table inside
interface    mac address       type      Time Left
-----------------------------------------------------------------------
inside       0010.7cbe.6101    static    -
inside       0009.7cbe.5101    dynamic   10

The following is sample output from the show mac-address-table count command:

hostname# show mac-address-table count
Static     mac-address bridges (curr/max): 0/65535
Dynamic    mac-address bridges (curr/max): 103/65535

Related Commands

Command                        Description
firewall transparent           Sets the firewall mode to transparent.
mac-address-table aging-time   Sets the timeout for dynamic MAC address entries.
mac-address-table static       Adds a static MAC address entry to the MAC address table.
mac-learn                      Disables MAC address learning.


show management-access

To display the name of the internal interface configured for management access, use the show management-access command in privileged EXEC mode.

show management-access

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release      Modification
Preexisting  This command was preexisting.


Usage Guidelines

The management-access command lets you define an internal management interface using the IP address of the firewall interface specified in mgmt_if. (The interface names are defined by the nameif command and displayed in quotes, " ", in the output of the show interface command.)

Examples

The following example shows how to configure a firewall interface named "inside" as the management access interface and display the result:

hostname(config)# management-access inside
hostname(config)# show management-access
management-access inside

Related Commands

Command                            Description
clear configure management-access  Removes the configuration of an internal interface for management access of the security appliance.
management-access                  Configures an internal interface for management access.


show memory

To display a summary of the maximum physical memory and current free memory available to the operating system, use the show memory command in privileged EXEC mode.

show memory [detail]

Syntax Description

detail

(Optional) Displays a detailed view of free and allocated system memory.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release      Modification
Preexisting  This command was preexisting.


Usage Guidelines

The show memory command lets you display a summary of the maximum physical memory and current free memory available to the operating system. Memory is allocated as needed.

You can use the show memory detail output together with the show memory binsize command to debug memory leaks.

You can also display the information from the show memory command using SNMP.

Examples

This example shows how to display a summary of the maximum physical memory and current free memory available:

hostname# show memory
Free memory:       845044716 bytes (79%)
Used memory:       228697108 bytes (21%)
-------------     ----------------
Total memory:     1073741824 bytes (100%)

This example shows detailed memory output:

hostname# show memory detail
Free memory:                    15958088 bytes (24%)
Used memory:
  Allocated memory in use:      29680332 bytes (44%)
  Reserved memory:              21470444 bytes (32%)
-----------------------------   ----------------
Total memory:                   67108864 bytes (100%)

Least free memory:               4551716 bytes ( 7%)
Most used memory:               62557148 bytes (93%)

----- fragmented memory statistics -----

   fragment size        count           total
         (bytes)                       (bytes)
----------------   ----------   --------------
              16            8             128
              24            4              96
              32            2              64
              40            5             200
              64            3             192
              88            1              88
             168            1             168
             224            1             224
             256            1             256
             296            2             592
             392            1             392
             400            1             400
            1816            1            1816*
         4435968            1         4435968**
        11517504            1        11517504

* - top most releasable chunk.
** - contiguous memory on top of heap.


----- allocated memory statistics -----

   fragment size        count           total
         (bytes)                       (bytes)
----------------   ----------   --------------
              40           50            2000
              48          144            6912
              56        24957         1397592
              64          101            6464
              72           99            7128
              80         1032           82560
              88           18            1584
              96           64            6144
             104           57            5928
             112            6             672
             120          112           13440
             128           15            1920
             136           87           11832
             144           22            3168
             152           31            4712
             160           90           14400
             168           65           10920
             176           74           13024
             184           11            2024
             192            8            1536
             200            1             200
<output omitted>

Related Commands

Command              Description
show memory profile  Displays information about the memory usage (profiling) of the security appliance.
show memory binsize  Displays summary information about the chunks allocated for a specific bin size.


show memory binsize

To display summary information about the chunks allocated for a specific bin size, use the show memory binsize command in privileged EXEC mode.

show memory binsize size

Syntax Description

size

Displays chunks (memory blocks) of a specific bin size. The bin size is from the "fragment size" column of the show memory detail command output.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release