Cisco Security Appliance Command Reference, Version 7.2
show service-policy through show xlate Commands

Table Of Contents

show service-policy through show xlate Commands

show service-policy

show service-policy inspect gtp

show service-policy inspect radius-accounting

show shun

show sip

show skinny

show sla monitor configuration

show sla monitor operational-state

show snmp-server statistics

show ssh sessions

show startup-config

show sunrpc-server active

show switch mac-address-table

show switch vlan

show tcpstat

show tech-support

show track

show traffic

show uauth

show url-block

show url-cache statistics

show url-server

show version

show vlan

show vpn load-balancing

show vpn-sessiondb

show vpn-sessiondb ratio

show vpn-sessiondb summary

show wccp

show webvpn csd

show webvpn group-alias

show webvpn group-url

show webvpn sso-server

show webvpn svc

show xlate


show service-policy through show xlate Commands


show service-policy

To display the service policy statistics, use the show service-policy command in privileged EXEC mode.

show service-policy [global | interface intf] [csc | inspect | ips | police | priority | shape]

show service-policy [global | interface intf] [set connection [details]]

show service-policy [global | interface intf] [flow protocol {host src_host | src_ip src_mask} [eq src_port] {host dest_host | dest_ip dest_mask} [eq dest_port] [icmp_number | icmp_control_message]]

Syntax Description

csc

(Optional) Limits the output to policies that include the csc command.

dest_ip dest_mask

The destination IP address and netmask of the traffic flow.

details

(Optional) Displays per-client connection information, if a per-client connection limit is enabled.

eq dest_port

(Optional) The equals operator, requiring the destination port to match the port number that follows.

eq src_port

(Optional) The equals operator, requiring the source port to match the port number that follows.

flow protocol

(Optional) Specifies a traffic flow for which you want to see the policies that the security appliance would apply to the flow. The arguments and keywords following the flow keyword specify the flow in ip-5-tuple format. Valid values for the protocol argument are listed in the "Usage Guidelines" section, below.

global

(Optional) Limits output to the global policy, which applies to all interfaces.

host dest_host

The host destination IP address of the traffic flow.

host src_host

The host source IP address of the traffic flow.

icmp_control_message

(Optional) Specifies an ICMP control message of the traffic flow. Valid values for the icmp_control_message argument are listed in the "Usage Guidelines" section, below.

icmp_number

(Optional) Specifies the ICMP protocol number of the traffic flow.

inspect

(Optional) Limits the output to policies that include an inspect command.

interface intf

(Optional) Displays policies applied to the interface specified by the intf argument, where intf is the interface name given by the nameif command.

ips

Limits output to policies that include the ips command.

police

Limits output to policies that include the police command.

priority

Limits output to policies that include the priority command.

set connection

Limits output to policies that include the set connection command.

shape

Limits output to policies that include the shape command.

src_ip src_mask

The source IP address and netmask used in the traffic flow.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode      Firewall Mode            Security Context
                  Routed   Transparent     Single   Multiple
                                                    Context   System

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was introduced.

7.1(1)

The csc keyword was added.

7.2(4)

The shape keyword was added.


Usage Guidelines

The flow keyword lets you determine, for any flow that you can describe, the policies that the security appliance would apply to that flow. You can use this to check that your service policy configuration will provide the services you want for specific connections. The arguments and keywords following the flow keyword specify the flow in ip-5-tuple format with no object grouping.

Because the flow is described in ip-5-tuple format, not all match criteria are supported. The following match criteria are supported for flow match:

match access-list

match port

match rtp

match default-inspection-traffic

The priority keyword is used to display the aggregate counter values of packets transmitted through an interface.

The number of embryonic connections displayed in the show service-policy command output is the current number of embryonic connections to an interface for traffic that matches the class defined by the class-map command. The "embryonic-conn-max" field shows the maximum embryonic limit configured for the traffic class using the Modular Policy Framework. If the current number of embryonic connections equals or exceeds that maximum, TCP intercept is applied to new TCP connections that match the traffic class defined by the class-map command.

protocol Argument Values

The following are valid values for the protocol argument:

number—The protocol number (0 - 255).

ah

eigrp

esp

gre

icmp

icmp6

igmp

igrp

ip

ipinip

ipsec

nos

ospf

pcp

pim

pptp

snp

tcp

udp

icmp_control_message Argument Values

The following are valid values for the icmp_control_message argument:

alternate-address

conversion-error

echo

echo-reply

information-reply

information-request

mask-reply

mask-request

mobile-redirect

parameter-problem

redirect

router-advertisement

router-solicitation

source-quench

time-exceeded

timestamp-reply

timestamp-request

traceroute

unreachable

Examples

The following is sample output from the show service-policy global command:

hostname# show service-policy global

Global policy:
  Service-policy: inbound_policy
    Class-map: ftp-port
      Inspect: ftp strict inbound_ftp, packet 0, drop 0, reset-drop 0

The following is sample output from the show service-policy priority command:

hostname# show service-policy priority

Interface outside:

Global policy:
  Service-policy: sa_global_fw_policy

Interface outside:
  Service-policy: ramap
    Class-map: clientmap
      Priority:
        Interface outside: aggregate drop 0, aggregate transmit 5207048
    Class-map: udpmap
      Priority:
        Interface outside: aggregate drop 0,  aggregate transmit 5207048
    Class-map: cmap

The following is sample output from the show service-policy flow command:

hostname# show service-policy flow udp host 209.165.200.229 host 209.165.202.158 eq 5060

Global policy: 
  Service-policy: f1_global_fw_policy
    Class-map: inspection_default
      Match: default-inspection-traffic
      Action:
        Input flow:  inspect sip 

Interface outside:
  Service-policy: test
    Class-map: test
      Match: access-list test
        Access rule: permit ip 209.165.200.229 255.255.255.224 209.165.202.158 
255.255.255.224
      Action:
        Input flow:  ids inline
        Input flow:  set connection conn-max 10 embryonic-conn-max 20

The following is sample output from the show service-policy inspect http command. This example shows the statistics of each match command in a match-any class map.

hostname# show service-policy inspect http

Global policy: 
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: http http, packet 1916, drop 0, reset-drop 0
        protocol violations
          packet 0
        class http_any (match-any) 
          Match: request method get, 638 packets
          Match: request method put, 10 packets
          Match: request method post, 0 packets
          Match: request method connect, 0 packets
          log, packet 648

The following is sample output from the show service-policy inspect waas command. This example shows the waas statistics.

hostname# show service-policy inspect waas

Global policy: 
  Service-policy: global_policy
    Class-map: WAAS
      Inspect: waas, packet 12, drop 0, reset-drop 0
		SYN with WAAS option 4
		SYN-ACK with WAAS option 4
		Confirmed WAAS connections 4
		Invalid ACKs seen on WAAS connections 0
		Data exceeding window size on WAAS connections 0
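As an added example (not part of the command reference), a small Python parser for show service-policy output in the format shown above. It collects the Inspect, Match and Priority counters under their policy and class-map and lists every entry whose drop or reset-drop counter is non-zero, which is the line a firewall operator checks when an inspection engine starts discarding traffic. The sample text is constructed after the page's examples; the ftp line's "drop 3, reset-drop 1" is made up to exercise the check.

```python
import re
from typing import List, Tuple

# Constructed sample in the format of the show service-policy output above;
# the ftp line's "drop 3, reset-drop 1" is made up to exercise the drop check.
SAMPLE_OUTPUT = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: http http, packet 1916, drop 0, reset-drop 0
        protocol violations
          packet 0
        class http_any (match-any)
          Match: request method get, 638 packets
          Match: request method put, 10 packets
      Inspect: ftp strict inbound_ftp, packet 12, drop 3, reset-drop 1
Interface outside:
  Service-policy: ramap
    Class-map: clientmap
      Priority:
        Interface outside: aggregate drop 0, aggregate transmit 5207048
"""

INSPECT_RE = re.compile(
    r"^\s*Inspect:\s+(?P<name>.+?),\s+packet\s+(?P<packet>\d+),"
    r"\s+drop\s+(?P<drop>\d+),\s+reset-drop\s+(?P<reset_drop>\d+)\s*$")
MATCH_RE = re.compile(r"^\s*Match:\s+(?P<crit>.+?),\s+(?P<packets>\d+)\s+packets\s*$")
PRIORITY_RE = re.compile(
    r"^\s*Interface\s+(?P<intf>\S+):\s+aggregate drop\s+(?P<drop>\d+),"
    r"\s+aggregate transmit\s+(?P<transmit>\d+)\s*$")


def parse_service_policy(text: str) -> List[dict]:
    """Turn show service-policy output into counter records.

    Each record keeps its scope (Global policy / Interface <name>), the
    service-policy and class-map it sits under, and the counters on the line.
    Match lines with packet counts are attached to the preceding Inspect record.
    """
    records: List[dict] = []
    scope = policy = cls = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith(":") and not line.startswith(" "):
            scope, policy, cls = stripped[:-1], None, None   # top-level heading
        elif stripped.startswith("Service-policy:"):
            policy = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("Class-map:"):
            cls = stripped.split(":", 1)[1].strip()
        elif m := INSPECT_RE.match(line):
            records.append({"scope": scope, "policy": policy, "class": cls,
                            "kind": "inspect", "name": m["name"],
                            "packet": int(m["packet"]), "drop": int(m["drop"]),
                            "reset_drop": int(m["reset_drop"]), "matches": {}})
        elif (m := MATCH_RE.match(line)) and records and records[-1]["kind"] == "inspect":
            records[-1]["matches"][m["crit"]] = int(m["packets"])
        elif m := PRIORITY_RE.match(line):
            records.append({"scope": scope, "policy": policy, "class": cls,
                            "kind": "priority", "name": m["intf"],
                            "drop": int(m["drop"]), "transmit": int(m["transmit"])})
    return records


def dropping_records(records: List[dict]) -> List[Tuple[str, str, int]]:
    """List (scope, name, total drops) for every record with a non-zero drop counter."""
    return [(r["scope"], r["name"], r["drop"] + r.get("reset_drop", 0))
            for r in records if r["drop"] + r.get("reset_drop", 0) > 0]


if __name__ == "__main__":
    for scope, name, drops in dropping_records(parse_service_policy(SAMPLE_OUTPUT)):
        print(f"{scope}: {name} dropped {drops} packet(s)")
```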

Related Commands

Command
Description

clear configure service-policy

Clears service policy configurations.

clear service-policy

Clears all service policy configurations.

service-policy

Configures the service policy.

show running-config service-policy

Displays the service policies configured in the running configuration.


show service-policy inspect gtp

To display the GTP configuration, use the show service-policy inspect gtp command in privileged EXEC mode.

show service-policy [interface int] inspect gtp {pdp-context [apn ap_name | detail | imsi IMSI_value | ms-addr IP_address | tid tunnel_ID | version version_num ] | pdpmcb | requests | statistics [gsn IP_address] }

Syntax Description

apn

(Optional) Displays the detailed output of the PDP contexts based on the APN specified.

ap_name

Identifies the specific access point name for which statistics are displayed.

detail

(Optional) Displays the detailed output of the PDP contexts.

imsi

Displays the detailed output of the PDP contexts based on the IMSI specified.

IMSI_value

Hexadecimal value that identifies the specific IMSI for which statistics are displayed.

interface

(Optional) Identifies a specific interface.

int

Identifies the interface for which information will be displayed.

gsn

(Optional) Identifies the GPRS support node, which is the interface between the GPRS wireless data network and other networks.

gtp

(Optional) Displays the service policy for GTP.

IP_address

IP address for which statistics are displayed.

ms-addr

(Optional) Displays the detailed output of the PDP contexts based on the MS Address specified.

pdp-context

(Optional) Identifies the Packet Data Protocol context.

pdpmcb

(Optional) Displays the status of the PDP master control block.

requests

(Optional) Displays status of GTP requests.

statistics

(Optional) Displays GTP statistics.

tid

(Optional) Displays the detailed output of the PDP contexts based on the TID specified.

tunnel_ID

Hexadecimal value that identifies the specific tunnel for which statistics are displayed.

version

(Optional) Displays the detailed output of the PDP contexts based on the GTP version.

version_num

Specifies the version of the PDP context for which statistics are displayed. The valid range is 0 to 255.



Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode      Firewall Mode            Security Context
                  Routed   Transparent     Single   Multiple
                                                    Context   System

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

You can use the vertical bar | to filter the display. Type | for more display filtering options.

The show service-policy inspect gtp pdp-context command displays PDP context-related information.

The Packet Data Protocol context is identified by the tunnel ID, which is a combination of IMSI and NSAPI. A GTP tunnel is defined by two associated PDP contexts in different GSN nodes and is identified with a tunnel ID. A GTP tunnel is necessary to forward packets between an external packet data network and a mobile station user.

The show service-policy inspect gtp requests command displays the current requests in the request queue.

Examples

The following is sample output from the show gtp requests command:

hostname# show gtp requests
0 in use, 0 most used, 200 maximum allowed

You can use the vertical bar | to filter the display, as in the following example:

hostname# show service-policy gtp statistics | grep gsn

This example shows the GTP statistics with the word gsn in the output.

The following command shows the statistics for GTP inspection:

hostname# show service-policy inspect gtp statistics
GPRS GTP Statistics:
  version_not_support          0     msg_too_short              0
  unknown_msg                  0     unexpected_sig_msg         0
  unexpected_data_msg          0     ie_duplicated              0
  mandatory_ie_missing         0     mandatory_ie_incorrect     0
  optional_ie_incorrect        0     ie_unknown                 0
  ie_out_of_order              0     ie_unexpected              0
  total_forwarded              0     total_dropped              0
  signalling_msg_dropped       0     data_msg_dropped           0
  signalling_msg_forwarded     0     data_msg_forwarded         0
  total created_pdp            0     total deleted_pdp          0
  total created_pdpmcb         0     total deleted_pdpmcb       0
  pdp_non_existent             0

The following command displays information about the PDP contexts:

hostname# show service-policy inspect gtp pdp-context
1 in use, 1 most used, timeout 0:00:00

Version  TID               MS Addr  SGSN Addr  Idle     APN
v1       1234567890123425  1.1.1.1  11.0.0.2   0:00:13  gprs.cisco.com

    user_name (IMSI): 214365870921435   MS address: 1.1.1.1
    primary pdp: Y                      nsapi: 2
    sgsn_addr_signal: 11.0.0.2          sgsn_addr_data: 11.0.0.2
    ggsn_addr_signal: 9.9.9.9           ggsn_addr_data: 9.9.9.9
    sgsn control teid: 0x000001d1       sgsn data teid: 0x000001d3
    ggsn control teid: 0x6306ffa0       ggsn data teid: 0x6305f9fc
    seq_tpdu_up: 0                      seq_tpdu_down: 0
    signal_sequence: 0
    upstream_signal_flow: 0             upstream_data_flow: 0
    downstream_signal_flow: 0           downstream_data_flow: 0
    RAupdate_flow: 0

Table 30-1 describes each column of the output from the show service-policy inspect gtp pdp-context command.

Table 30-1 PDP Contexts

Column Heading
Description

Version

Displays the version of GTP.

TID

Displays the tunnel identifier.

MS Addr

Displays the mobile station address.

SGSN Addr

Displays the serving gateway service node.

Idle

Displays the time for which the PDP context has not been in use.

APN

Displays the access point name.


Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

clear service-policy inspect gtp

Clears global GTP statistics.

debug gtp

Displays detailed information about GTP inspection.

gtp-map

Defines a GTP map and enables GTP map configuration mode.

inspect gtp

Applies a specific GTP map to use for application inspection.


show service-policy inspect radius-accounting

To display the RADIUS accounting inspection configuration, use the show service-policy inspect radius-accounting command in privileged EXEC mode.

show service-policy [interface int] inspect radius-accounting

Syntax Description

interface int

(Optional) Identifies a specific interface.



Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode      Firewall Mode            Security Context
                  Routed   Transparent     Single   Multiple
                                                    Context   System

Privileged EXEC


Command History

Release
Modification

7.2(1)

This command was introduced.


Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.


show shun

To display shun information, use the show shun command in privileged EXEC mode.

show shun [src_ip | statistics]

Syntax Description

src_ip

(Optional) Displays the information for that address.

statistics

(Optional) Displays the interface counters only.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode      Firewall Mode            Security Context
                  Routed   Transparent     Single   Multiple
                                                    Context   System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

The following is sample output from the show shun command:

hostname# show shun
shun (outside) 10.1.1.27 10.2.2.89 555 666 6
shun (inside1) 10.1.1.27 10.2.2.89 555 666 6

Related Commands

Command
Description

clear shun

Disables all the shuns that are currently enabled and clears the shun statistics.

shun

Enables a dynamic response to an attacking host by preventing new connections and disallowing packets from any existing connection.


show sip

To display SIP sessions, use the show sip command in privileged EXEC mode.

show sip

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode      Firewall Mode            Security Context
                  Routed   Transparent     Single   Multiple
                                                    Context   System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The show sip command assists in troubleshooting SIP inspection engine issues and is described with the inspect protocol sip udp 5060 command. The show timeout sip command displays the timeout value of the designated protocol.

The show sip command displays information for SIP sessions established across the security appliance. Along with the debug sip and show local-host commands, this command is used for troubleshooting SIP inspection engine issues.


Note We recommend that you configure the pager command before using the show sip command. If there are a lot of SIP session records and the pager command is not configured, it will take a while for the show sip command output to reach its end.


Examples

The following is sample output from the show sip command:

hostname# show sip
Total: 2
call-id c3943000-960ca-2e43-228f@10.130.56.44
  state Call init, idle 0:00:01
call-id c3943000-860ca-7e1f-11f7@10.130.56.45
  state Active, idle 0:00:06

This sample shows two active SIP sessions on the security appliance (as shown in the Total field). Each call-id represents a call.

The first session, with the call-id c3943000-960ca-2e43-228f@10.130.56.44, is in the state Call Init, which means the session is still in call setup. Call setup is complete only when the ACK is seen. This session has been idle for 1 second.

The second session is in the state Active, in which call setup is complete and the endpoints are exchanging media. This session has been idle for 6 seconds.
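As an added example (not part of the command reference), a Python parser for show sip output in the format shown above. It converts each session's idle time to seconds, cross-checks the Total line against the number of call-id blocks parsed, and lists sessions that are still in Call init (no ACK seen yet) after a chosen idle threshold, which is how an operator spots call setups that never complete and keep occupying inspection state. The sample text is constructed after the page's output; the third session is made up to represent a stalled setup.

```python
import re
from typing import List

# Constructed sample in the format of the show sip output above; the third
# session is made up to represent a call setup that never saw its ACK.
SAMPLE_SIP = """\
Total: 3
call-id c3943000-960ca-2e43-228f@10.130.56.44
  state Call init, idle 0:00:01
call-id c3943000-860ca-7e1f-11f7@10.130.56.45
  state Active, idle 0:00:06
call-id c3943000-0a1b2-3c4d-5e6f@10.130.56.46
  state Call init, idle 0:02:30
"""

CALL_RE = re.compile(r"^call-id\s+(?P<id>\S+)\s*$")
STATE_RE = re.compile(
    r"^\s*state\s+(?P<state>.+?),\s+idle\s+(?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d)\s*$")


def parse_show_sip(text: str) -> List[dict]:
    """Parse show sip output into one dict per session (call_id, state, idle_s).

    The idle column is converted to seconds; the Total line is cross-checked
    against the number of call-id blocks found so truncated output is noticed.
    """
    sessions: List[dict] = []
    total = None
    for line in text.splitlines():
        if line.startswith("Total:"):
            total = int(line.split(":", 1)[1])
        elif m := CALL_RE.match(line):
            sessions.append({"call_id": m["id"], "state": None, "idle_s": None})
        elif (m := STATE_RE.match(line)) and sessions:
            sessions[-1]["state"] = m["state"]
            sessions[-1]["idle_s"] = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
    if total is not None and total != len(sessions):
        raise ValueError(f"Total says {total} sessions, parsed {len(sessions)}")
    return sessions


def stalled_setups(sessions: List[dict], max_idle_s: int = 60) -> List[str]:
    """Call-ids still in 'Call init' (no ACK yet) that have idled past max_idle_s."""
    return [s["call_id"] for s in sessions
            if s["state"] == "Call init" and (s["idle_s"] or 0) > max_idle_s]


if __name__ == "__main__":
    for call_id in stalled_setups(parse_show_sip(SAMPLE_SIP)):
        print("stalled setup:", call_id)
```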

Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

debug sip

Enables debug information for SIP.

inspect sip

Enables SIP application inspection.

show conn

Displays the connection state for different connection types.

timeout

Sets the maximum idle time duration for different protocols and session types.


show skinny

To troubleshoot SCCP (Skinny) inspection engine issues, use the show skinny command in privileged EXEC mode.

show skinny

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode      Firewall Mode            Security Context
                  Routed   Transparent     Single   Multiple
                                                    Context   System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The show skinny command assists in troubleshooting SCCP (Skinny) inspection engine issues.

Examples

The following is sample output from the show skinny command under the following conditions. There are two active Skinny sessions set up across the security appliance. The first one is established between an internal Cisco IP Phone at local address 10.0.0.11 and an external Cisco CallManager at 172.18.1.33; TCP port 2000 is the CallManager port. The second one is established between another internal Cisco IP Phone at local address 10.0.0.22 and the same Cisco CallManager.

hostname# show skinny
        LOCAL                   FOREIGN                 STATE
---------------------------------------------------------------
1       10.0.0.11/52238         172.18.1.33/2000                1
  MEDIA 10.0.0.11/22948         172.18.1.22/20798
2       10.0.0.22/52232         172.18.1.33/2000                1
  MEDIA 10.0.0.22/20798         172.18.1.11/22948

The output indicates a call has been established between both internal Cisco IP Phones. The RTP listening ports of the first and second phones are UDP 22948 and 20798 respectively.

The following is the xlate information for these Skinny connections:

hostname# show xlate debug
2 in use, 2 most used
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
       o - outside, r - portmap, s - static
NAT from inside:10.0.0.11 to outside:172.18.1.11 flags si idle 0:00:16 timeout 0:05:00
NAT from inside:10.0.0.22 to outside:172.18.1.22 flags si idle 0:00:14 timeout 0:05:00

Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

debug skinny

Enables SCCP debug information.

inspect skinny

Enables SCCP application inspection.

show conn

Displays the connection state for different connection types.

timeout

Sets the maximum idle time duration for different protocols and session types.


show sla monitor configuration

To display the configuration values, including the defaults, for SLA operations, use the show sla monitor configuration command in user EXEC mode.

show sla monitor configuration [sla-id]

Syntax Description

sla-id

(Optional) The ID number of the SLA operation. Valid values are from 1 to 2147483647.


Defaults

If the sla-id is not specified, the configuration values for all SLA operations are shown.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode      Firewall Mode            Security Context
                  Routed   Transparent     Single   Multiple
                                                    Context   System

User EXEC


Command History

Release
Modification

7.2(1)

This command was introduced.


Usage Guidelines

Use the show running-config sla monitor command to see the SLA operation commands in the running configuration.

Examples

The following is sample output from the show sla monitor command. It displays the configuration values for SLA operation 123. Following the output of the show sla monitor command is the output of the show running-config sla monitor command for the same SLA operation.

hostname> show sla monitor 124

SA Agent, Infrastructure Engine-II
Entry number: 124
Owner: 
Tag: 
Type of operation to perform: echo
Target address: 10.1.1.1
Interface: outside
Number of packets: 1
Request size (ARR data portion): 28