-
Cisco Security Appliance Command Reference, Version 8.0
-
About This Guide
-
Using the Command Line Interface
- A through B Commands
- C Commands
- D through F Commands
- G through I Commands
- J through L Commands
- M through O Commands
- P though R Commands
-
S Commands
-
same-security-traffic -- show asdm sessions
-
show asp drop -- show curpriv
-
show ddns -- show ipv6 traffic
-
show isakmp sa -- show route
-
show running-config -- show running-config isakmp
-
show running-config ldap -- show running-config webvpn auto-signon
-
show service-policy -- show xlate
-
shun -- sysopt radius ignore-secret
-
- T through Z Commands
-
Table Of Contents
queue-limit through rtp-conformance Commands
remote-access threshold session-threshold-exceeded
revert webvpn plug-in protocol
revert webvpn translation-table
queue-limit through rtp-conformance Commands
queue-limit (priority-queue)
To specify the depth of the priority queues, use the queue-limit command in priority-queue mode. To remove this specification, use the no form of this command.
queue-limit number-of-packets
no queue-limit number-of-packets
Syntax Description
Defaults
The default queue limit is 1024 packets.
Command Modes
The following table shows the modes in which you can enter the command:
Priority-queue
•
•
•
•
—
Command History
Usage Guidelines
The security appliance allows two classes of traffic: low-latency queuing (LLQ) for higher priority, latency sensitive traffic (such as voice and video) and best-effort, the default, for all other traffic. The security appliance recognizes priority traffic and enforces appropriate Quality of Service (QoS) policies. You can configure the size and depth of the priority queue to fine-tune the traffic flow.
You must use the priority-queue command to create the priority queue for an interface before priority queuing takes effect. You can apply one priority-queue command to any interface that can be defined by the nameif command.
The priority-queue command enters priority-queue mode, as shown by the prompt. In priority-queue mode, you can configure the maximum number of packets allowed in the transmit queue at any given time (tx-ring-limit command) and the number of packets of either type (priority or best -effort) allowed to be buffered before dropping packets (queue-limit command).
Note
The tx-ring-limit and the queue-limit that you specify affect both the higher priority low-latency queue and the best-effort queue. The tx-ring-limit is the number of either type of packets allowed into the driver before the driver pushes back to the queues sitting in front of the interface to let them buffer packets until the congestion clears. In general, you can adjust these two parameters to optimize the flow of low-latency traffic.
Because queues are not of infinite size, they can fill and overflow. When a queue is full, any additional packets cannot get into the queue and are dropped. This is tail drop. To avoid having the queue fill up, you can use the queue-limit command to increase the queue buffer size.
Note
On ASA Model 5505 (only), configuring priority-queue on one interface overwrites the same configuration on all other interfaces. That is, only the last applied configuration is present on all interfaces. Further, if the priority-queue configuration is removed from one interface, it is removed from all interfaces.
To work around this issue, configure the priority-queue command on only one interface. If different interfaces need different settings for the queue-limit and/or tx-ring-limit commands, use the largest of all queue-limits and smallest of all tx-ring-limits on any one interface (CSCsi13132).
Examples
The following example configures a priority queue for the interface named test, specifying a queue limit of 30,000 packets and a transmit queue limit of 256 packets.
hostname(config)# priority-queue testhostname(priority-queue)# queue-limit 30000hostname(priority-queue)# tx-ring-limit 256Related Commands
queue-limit (tcp-map)
To configure the maximum number of out-of-order packets that can be buffered and put in order for a TCP connection, use the queue-limit command in tcp-map configuration mode. To set the value back to the default, use the no form of this command. This command is part of the TCP normalization policy enabled using the set connection advanced-options command.
queue-limit pkt_num [timeout seconds]
no queue-limit
Syntax Description
Defaults
The default setting is 0, which means this command is disabled.
The default timeout is 4 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Tcp-map configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced.
7.2(4)/8.0(4)
The timeout keyword was added.
Usage Guidelines
To enable TCP normalization, use the Modular Policy Framework:
1.
a.
2.
3.
a.
b.
4.
If you do not enable TCP normalization, or if the queue-limit command is set to the default of 0, which means it is disabled, then the default system queue limit is used depending on the type of traffic:
•
•
If you set the queue-limit command to be 1 or above, then the number of out-of-order packets allowed for all TCP traffic matches this setting. For application inspection, IPS, and TCP check-retransmission traffic, any advertized settings are ignored. For other TCP traffic, out-of-order packets are now buffered and put in order instead of passed through untouched.
Examples
The following example sets the queue limit to 8 packets and the buffer timeout to 6 seconds for all Telnet connections:
hostname(config)# tcp-map tmaphostname(config-tcp-map)# queue-limit 8 timeout 6hostname(config)# class-map cmaphostname(config-cmap)# match port tcp eq telnethostname(config)# policy-map pmaphostname(config-pmap)# class cmaphostname(config-pmap)# set connection advanced-options tmaphostname(config)# service-policy pmap globalhostname(config)#Related Commands
quit
To exit the current configuration mode, or to logout from privileged or user EXEC modes, use the quit command.
quit
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
User EXEC
•
•
•
•
•
Command History
Usage Guidelines
You can also use the key sequence Ctrl Z to exit global configuration (and higher) modes. This key sequence does not work with privileged or user EXEC modes.
When you enter the quit command in privileged or user EXEC modes, you log out from the security appliance. Use the disable command to return to user EXEC mode from privileged EXEC mode.
Examples
The following example shows how to use the quit command to exit global configuration mode, and then logout from the session:
hostname(config)# quithostname# quitLogoffThe following example shows how to use the quit command to exit global configuration mode, and then use the disable command to exit privileged EXEC mode:
hostname(config)# quithostname# disablehostname>Related Commands
radius-common-pw
To specify a common password to be used for all users who are accessing this RADIUS authorization server through this security appliance, use the radius-common-pw command in AAA-server host mode. To remove this specification, use the no form of this command:
radius-common-pw string
no radius-common-pw
Syntax Description
string
A case-sensitive, alphanumeric keyword of up to 127 characters to be used as a common password for all authorization transactions with this RADIUS server.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
AAA-server host
•
•
•
•
—
Command History
Usage Guidelines
This command is valid only for RADIUS authorization servers.
The RADIUS authorization server requires a password and username for each connecting user. The security appliance provides the username automatically. You enter the password here. The RADIUS server administrator must configure the RADIUS server to associate this password with each user authorizing to the server via this security appliance. Be sure to provide this information to your RADIUS server administrator.
If you do not specify a common user password, each user's password is his or her own username. For example, a user with the username "jsmith" would enter "jsmith". If you are using usernames for the common user passwords, as a security precaution do not use this RADIUS server for authorization anywhere else on your network.
13-125
Note
Examples
The following example configures a RADIUS AAA server group named "svrgrp1" on host "1.2.3.4", sets the timeout interval to 9 seconds, sets the retry interval to 7 seconds, and configures the RADIUS commnon password as "allauthpw".
hostname(config)# aaa-server svrgrp1 protocol radiushostname(config-aaa-server-group)# aaa-server svrgrp1 host 1.2.3.4hostname(config-aaa-server-host)# timeout 9hostname(config-aaa-server-host)# retry 7hostname(config-aaa-server-host)# radius-common-pw allauthpwhostname(config-aaa-server-host)# exithostname(config)#Related Commands
radius-reject-message
To enable the display of a RADIUS reject message on the login screen when authentication is rejected, use the radius-eject-message command from tunnel-group webvpn attributes configuration mode. To remove the command from the configuration, use the no form of the command:
radius-reject-message
no radius-reject-message
Defaults
The default is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
Enable this command if you want to display to remote users a RADIUS message about an authentication failure.
Examples
The following example enables the display of a RADIUS rejection message for the connection profile named engineering:
hostname(config)# tunnel-group engineering webvpn-attributeshostname(config-tunnel-webvpn)# radius-reject-messageradius-with-expiry (removed)
To have the security appliance use MS-CHAPv2 to negotiate a password update with the user during authentication, use the radius-with-expiry command in tunnel-group ipsec-attributes configuration mode. The security appliance ignores this command if RADIUS authentication has not been configured. To return to the default value, use the no form of this command.
radius-with-expiry
no radius-with-expiry
Syntax Description
This command has no arguments or keywords.
Defaults
The default setting for this command is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group ipsec-attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
You can apply this attribute only to IPSec remote-access tunnel-group type.
Examples
The following example entered in config-ipsec configuration mode, configures Radius with Expiry for the remote-access tunnel group named remotegrp:
hostname(config)# tunnel-group remotegrp type ipsec_rahostname(config)# tunnel-group remotegrp ipsec-attributeshostname(config-tunnel-ipsec)# radius-with-expiryRelated Commands
rate-limit
When using the Modular Policy Framework, limit the rate of messages for packets that match a match command or class map by using the rate-limit command in match or class configuration mode. This rate limit action is available in an inspection policy map (the policy-map type inspect command) for application traffic; however, not all applications allow this action. To disable this action, use the no form of this command.
rate-limit messages_per_second
no rate-limit messages_per_second
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Match and class configuration
•
•
•
•
—
Command History
Usage Guidelines
An inspection policy map consists of one or more match and class commands. The exact commands available for an inspection policy map depends on the application. After you enter the match or class command to identify application traffic (the class command refers to an existing class-map type inspect command that in turn includes match commands), you can enter the rate-limit command to limit the rate of messages.
When you enable application inspection using the inspect command in a Layer 3/4 policy map (the policy-map command), you can enable the inspection policy map that contains this action, for example, enter the inspect dns dns_policy_map command where dns_policy_map is the name of the inspection policy map.
Examples
The following example limits the invite requests to 100 messages per second:
hostname(config-cmap)# policy-map type inspect sip sip-map1hostname(config-pmap-c)# match request-method invitehostname(config-pmap-c)# rate-limit 100Related Commands
reactivation-mode
To specify the method by which failed servers in a group are reactivated, use the reactivation-mode command in aaa-server protocol mode. To remove this specification, use the no form of this command:
reactivation-mode {depletion [deadtime minutes] | timed}
no reactivation-mode [depletion [deadtime minutes] | timed]
Syntax Description
Defaults
The default reactivation mode is depletion, and the default deadtime value is 10.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa-server protcocol configuration
•
•
•
•
—
Command History
Usage Guidelines
Each server group has an attribute that specifies the reactivation policy for its servers.
In depletion mode, when a server is deactivated, it remains inactive until all other servers in the group are inactive. When and if this occurs, all servers in the group are reactivated. This approach minimizes the occurrence of connection delays due to failed servers. When depletion mode is in use, you can also specify the deadtime parameter. The deadtime parameter specifies the amount of time (in minutes) that will elapse between the disabling of the last server in the group and the subsequent re-enabling of all servers. This parameter is meaningful only when the server group is being used in conjunction with the local fallback feature.
In timed mode, failed servers are reactivated after 30 seconds of down time. This is useful when customers use the first server in a server list as the primary server and prefer that it is online whenever possible. This policy breaks down in the case of UDP servers. Since a connection to a UDP server will not fail, even if the server is not present, UDP servers are put back on line blindly. This could lead to slowed connection times or connection failures if a server list contains multiple servers that are not reachable.
Accounting server groups that have simultaneous accounting enabled are forced to use the timed mode. This implies that all servers in a given list are equivalent.
Examples
The following example configures aTACACS+ AAA server named "srvgrp1" to use the depletion reactivation mode, with a deadtime of 15 minutes:
hostname(config)# aaa-server svrgrp1 protocol tacacs+hostname(config-aaa-sersver-group)# reactivation-mode depletion deadtime 15hostname(config-aaa-server)# exithostname(config)#The following example configures aTACACS+ AAA server named "srvgrp1" to use timed reactivation mode:
hostname(config)# aaa-server svrgrp2 protocol tacacs+hostname(config-aaa-server)# reactivation-mode timedhostname(config-aaa-server)#Related Commands
record-entry
To specify the trustpoints to be used for the creation of the CTL file, use the record-entry command in ctl-file configuration mode. To remove a record entry from a CTL, use the no form of this command.
record-entry [ capf | cucm | cucm-tftp | tftp ] trustpoint trustpoint address ip_address [domain-name domain_name]
no record-entry [ capf | cucm | cucm-tftp | tftp ] trustpoint trust_point address ip_address [domain-name domain_name]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
CTL-file configuration
•
—
•
—
—
Command History
Usage Guidelines
Only one domain-name can be specified. If the CTL file does not exist, manually export this certificate from CUCM to the security appliance.
Use this command only when you have not configured a CTL file for the Phone Proxy. Do not use this command when you have already configured a CTL file.
The IP address you specify in the ip_address argument must be the global address or address as seen by the IP phones because it will be the IP address used for the CTL record for the trustpoint.
Add additional record-entry configurations for each entity that is required in the CTL file.
Examples
The following example shows the use of the record-entry command to specify the trustpoints to be used for the creation of the CTL file:
hostname(config-ctl-file)# record-entry cucm-tftp trustpoint cucm1 address 192.168.1.2Related Commands
redirect-fqdn
To enable or disable redirection using a fully-qualified domain name in vpn load-balancing mode, use the redirect-fqdn enable command in global configuration mode.
redirect-fqdn {enable | disable}
no redirect-fqdn {enable | disable}
Note
Syntax Description
disable
Disables redirection with fully-qualified domain names.
enable
Enables redirection with fully-qualified domain names.
Defaults
This behavior is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Vpn load-balancing mode
•
—
•
—
—
Command History
Usage Guidelines
By default, the ASA sends only IP addresses in load-balancing redirection to a client. If certificates are in use that are based on DNS names, the certificates will be invalid when redirected to a secondary device.
As a VPN cluster master, this security appliance can send a fully qualified domain name (FQDN), using reverse DNS lookup, of a cluster device (another security appliance in the cluster), instead of its outside IP address, when redirecting VPN client connections to that cluster device.
All of the outside and inside network interfaces on the load-balancing devices in a cluster must be on the same IP network.
To do WebVPN load Balancing using FQDNs rather than IP addresses, you must do the following configuration steps:
Step 1
Step 2
Step 3
Step 4
Examples
The following is an example of the redirect-fqdn command that disables redirection:
hostname(config)# vpn load-balancinghostname(config-load-balancing)# redirect-fqdn disablehostname(config-load-balancing)#The following is an example of a VPN load-balancing command sequence that includes an interface command that enables redirection for a fully-qualified domain name, specifies the public interface of the cluster as "test" and the private interface of the cluster as "foo":
hostname(config)# interface GigabitEthernet 0/1hostname(config-if)# ip address 209.165.202.159 255.255.255.0hostname(config)# nameif testhostname(config)# interface GigabitEthernet 0/2hostname(config-if)# ip address 209.165.201.30 255.255.255.0hostname(config)# nameif foohostname(config)# vpn load-balancinghostname(config-load-balancing)# nat 192.168.10.10hostname(config-load-balancing)# priority 9hostname(config-load-balancing)# interface lbpublic testhostname(config-load-balancing)# interface lbprivate foohostname(config-load-balancing)# cluster ip address 209.165.202.224hostname(config-load-balancing)# cluster key 123456789hostname(config-load-balancing)# cluster encryptionhostname(config-load-balancing)# cluster port 9023hostname(config-load-balancing)# redirect-fqdn enablehostname(config-load-balancing)# participateRelated Commands
redistribute (EIGRP)
To redistribute routes from one routing domain into the EIGRP routing process, use the redistribute command in router configuration mode. To remove the redistribution, use the no form of this command.
redistribute {{ospf pid [match {internal | external [1 | 2] | nssa-external [1 | 2]}]} | rip | static | connected} [metric bandwidth delay reliability load mtu] [route-map map_name]
no redistribute {{ospf pid [match {internal | external [1 | 2] | nssa-external [1 | 2]}]} | rip | static | connected} [metric bandwidth delay reliability load mtu] [route-map map_name]
Syntax Description
Defaults
The following are the command defaults:
•
Command Modes
The following table shows the modes in which you can enter the command:
