Cisco ASA 5500 Series Command Reference, 8.2
show service-policy -- show xlate
Download this chapter
show service-policy -- show xlateshow service-policy -- show xlate
Download the complete book
Cisco Security Appliance Command Reference Book, Version 8.2--Whole Book PDFCisco Security Appliance Command Reference Book, Version 8.2--Whole Book PDF (PDF - 26 MB)
give_us_feedback

Table Of Contents

show service-policy through show xlate Commands

show service-policy

show service-policy inspect gtp

show service-policy inspect radius-accounting

show shared license

show shun

show sip

show skinny

show sla monitor configuration

show sla monitor operational-state

show snmp-server engineid

show snmp-server group

show snmp-server statistics

show snmp-server user

show ssh sessions

show startup-config

show sunrpc-server active

show switch mac-address-table

show switch vlan

show tcpstat

show tech-support

show threat-detection rate

show threat-detection scanning-threat

show threat-detection shun

show threat-detection statistics host

show threat-detection statistics port

show threat-detection statistics protocol

show threat-detection statistics top

show tls-proxy

show track

show traffic

show uauth

show url-block

show url-cache statistics

show url-server

show version

show vlan

show vpn load-balancing

show vpn-sessiondb

show vpn-sessiondb ratio

show vpn-sessiondb summary

show wccp

show webvpn csd

show webvpn group-alias

show webvpn group-url

show webvpn sso-server

show webvpn svc

show xlate


show service-policy through show xlate Commands

show service-policy

To display the service policy statistics, use the show service-policy command in privileged EXEC mode.

show service-policy [global | interface intf] [csc | inspect | ips | police | priority | shape]

show service-policy [global | interface intf] [set connection [details]]

show service-policy [global | interface intf] [flow protocol {host src_host | src_ip src_mask} [eq src_port] {host dest_host | dest_ip dest_mask} [eq dest_port] [icmp_number | icmp_control_message]]

Syntax Description

csc

(Optional) Limits the output to policies that include the csc command.

dest_ip dest_mask

The destination IP address and netmask of the traffic flow.

details

(Optional) Displays per-client connection information, if a per-client connection limit is enabled.

eq dest_port

(Optional) The equals operator, requiring the destination port to match the port number that follows.

eq src_port

(Optional) The equals operator, requiring the source port to match the port number that follows.

flow protocol

(Optional) Specifies a traffic flow for which you want to see the policies that the adaptive security appliance would apply to the flow. The arguments and keywords following the flow keyword specify the flow in ip-5-tuple format. Valid values for the protocol argument are listed in the "Usage Guidelines" section, below.

global

(Optional) Limits output to the global policy, which applies to all interfaces.

host dest_host

The host destination IP address of the traffic flow.

host src_host

The host source IP address of the traffic flow.

icmp_control_message

(Optional) Specifies an ICMP control message of the traffic flow. Valid values for the icmp_control_message argument are listed in the "Usage Guidelines" section, below.

icmp_number

(Optional) Specifies the ICMP protocol number of the traffic flow.

inspect

(Optional) Limits the output to policies that include an inspect command.

interface intf

(Optional) Displays policies applied to the interface specified by the intf argument, where intf is the interface name given by the nameif command.

ips

Limits output to policies that include the ips command.

police

Limits output to policies that include the police command.

priority

Limits output to policies that include the priority command.

set connection

Limits output to policies that include the set connection command.

shape

Limits output to policies that include the shape command.

src_ip src_mask

The source IP address and netmask used in the traffic flow.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was introduced.

7.1(1)

The csc keyword was added.

7.2(4)/8.0(4)

The shape keyword was added.


Usage Guidelines

The flow keyword lets you determine, for any flow that you can describe, the policies that the adaptive security appliance would apply to that flow. You can use this to check that your service policy configuration will provide the services you want for specific connections. The arguments and keywords following the flow keyword specifies the flow in ip-5-tuple format with no object grouping.

Because the flow is described in ip-5-tuple format, not all match criteria are supported. Following are the list of match criteria that are supported for flow match:

match access-list

match port

match rtp

match default-inspection-traffic

The priority keyword is used to display the aggregate counter values of packets transmitted through an interface.

The number of embryonic connections displayed in the show service-policy command output indicates the current number of embryonic connections to an interface for traffic matching that defined by the class-map command. The "embryonic-conn-max" field shows the maximum embryonic limit configured for the traffic class using the Modular Policy Framework. If the current embryonic connections displayed equals or exceeds the maximum, TCP intercept is applied to new TCP connections that match the traffic type defined by the class-map command.

protocol Argument Values

The following are valid values for the protocol argument:

number—The protocol number (0 - 255).

ah

eigrp

esp

gre

icmp

icmp6

igmp

igrp

ip

ipinip

ipsec

nos

ospf

pcp

pim

pptp

snp

tcp

udp

icmp_control_message Argument Values

The following are valid values for the icmp_control_message argument:

alternate-address

conversion-error

echo

echo-reply

information-reply

information-request

mask-reply

mask-request

mobile-redirect

parameter-problem

redirect

router-advertisement

router-solicitation

source-quench

time-exceeded

timestamp-reply

timestamp-request

traceroute

unreachable

Examples

The following is sample output from the show service-policy global command: 

hostname# show service-policy global


Global policy:

  Service-policy: inbound_policy

    Class-map: ftp-port

      Inspect: ftp strict inbound_ftp, packet 0, drop 0, reset-drop 0

The following is sample output from the show service-policy priority command: 

hostname# show service-policy priority


Interface outside:


Global policy:

  Service-policy: sa_global_fw_policy


Interface outside:

  Service-policy: ramap

    Class-map: clientmap

      Priority:

        Interface outside: aggregate drop 0, aggregate transmit 5207048

    Class-map: udpmap

      Priority:

        Interface outside: aggregate drop 0,  aggregate transmit 5207048

    Class-map: cmap

The following is sample output from the show service-policy flow command: 

hostname# show service-policy flow udp host 209.165.200.229 host 209.165.202.158 eq 5060


Global policy: 

  Service-policy: f1_global_fw_policy

    Class-map: inspection_default

      Match: default-inspection-traffic

      Action:

        Input flow:  inspect sip 


Interface outside:

  Service-policy: test

    Class-map: test

      Match: access-list test

        Access rule: permit ip 209.165.200.229 255.255.255.224 209.165.202.158 
255.255.255.224

      Action:

        Input flow:  ids inline

        Input flow:  set connection conn-max 10 embryonic-conn-max 20

The following is sample output from the show service-policy inspect http command. This example shows the statistics of each match command in a match-any class map. 

hostname# show service-policy inspect http


Global policy: 

  Service-policy: global_policy

    Class-map: inspection_default

      Inspect: http http, packet 1916, drop 0, reset-drop 0

        protocol violations

          packet 0

        class http_any (match-any) 

          Match: request method get, 638 packets

          Match: request method put, 10 packets

          Match: request method post, 0 packets

          Match: request method connect, 0 packets

          log, packet 648

The following is sample output from the show service-policy inspect waas command. This example shows the waas statistics. 

hostname# show service-policy inspect waas


Global policy: 

  Service-policy: global_policy

    Class-map: WAAS

      Inspect: waas, packet 12, drop 0, reset-drop 0

		SYN with WAAS option 4

		SYN-ACK with WAAS option 4

		Confirmed WAAS connections 4

		Invalid ACKs seen on WAAS connections 0

		Data exceeding window size on WAAS connections 0

Related Commands

Command
Description

clear configure service-policy

Clears service policy configurations.

clear service-policy

Clears all service policy configurations.

service-policy

Configures the service policy.

show running-config service-policy

Displays the service policies configured in the running configuration.


show service-policy inspect gtp

To display the GTP configuration, use the show service-policy inspect gtp command in privileged EXEC mode.

show service-policy [interface int] inspect gtp {pdp-context [apn ap_name | detail | imsi IMSI_value | ms-addr IP_address | tid tunnel_ID | version version_num ] | pdpmcb | requests | statistics [gsn IP_address] }

Syntax Description

apn

(Optional) Displays the detailed output of the PDP contexts based on the APN specified.

ap_name

Identifies the specific access point name for which statistics are displayed.

detail

(Optional) Displays the detailed output of the PDP contexts.

imsi

Displays the detailed output of the PDP contexts based on the IMSI specified.

IMSI_value

Hexadecimal value that identifies the specific IMSI for which statistics are displayed.

interface

(Optional) Identifies a specific interface.

int

Identifies the interface for which information will be displayed.

gsn

(Optional) Identifies the GPRS support node, which is interface between the GPRS wireless data network and other networks.

gtp

(Optional) Displays the service policy for GTP.

IP_address

IP address for which statistics are displayed.

ms-addr

(Optional) Displays the detailed output of the PDP contexts based on the MS Address specified.

pdp-context

(Optional) Identifies the Packet Data Protocol context

pdpmcb

(Optional) Displays the status of the PDP master control block.

requests

(Optional) Displays status of GTP requests.

statistics

(Optional) Displays GTP statistics.

tid

(Optional) Displays the detailed output of the PDP contexts based on the TID specified.

tunnel_ID

Hexadecimal value that identifies the specific tunnel for which statistics are displayed.

version

(Optional) Displays the detailed output of the PDP contexts based on the GTP version.

version_num

Specifies the version of the PDP context for which statistics are displayed. The valid range is 0 to 255.


.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

You can use the vertical bar | to filter the display. Type | for more display filtering options.

The show pdp-context command displays PDP context-related information.

The Packet Data Protocol context is identified by the tunnel ID, which is a combination of IMSI and NSAPI. A GTP tunnel is defined by two associated PDP Contexts in different GSN nodes and is identified with a Tunnel ID. A GTP tunnel is necessary to forward packets between an external packet data network and a mobile station user.

The show gtp requests command displays current requests in the request queue.

Examples

The following is sample output from the show gtp requests command: 

hostname# show gtp requests

0 in use, 0 most used, 200 maximum allowed

You can use the vertical bar | to filter the display, as in the following example: 

hostname# show service-policy gtp statistics | grep gsn

This example shows the GTP statistics with the word gsn in the output.

The following command shows the statistics for GTP inspection: 

hostname# show service-policy inspect gtp statistics

GPRS GTP Statistics:

  version_not_support | 0 | msg_too_short | 0

  unknown_msg | 0 | unexpected_sig_msg | 0

  unexpected_data_msg | 0 | ie_duplicated | 0

  mandatory_ie_missing | 0 | mandatory_ie_incorrect | 0

  optional_ie_incorrect | 0 | ie_unknown | 0

  ie_out_of_order | 0 | ie_unexpected | 0

  total_forwarded | 0 | total_dropped | 0

  signalling_msg_dropped | 0 | data_msg_dropped | 0

  signalling_msg_forwarded | 0 | data_msg_forwarded | 0

  total created_pdp | 0 | total deleted_pdp | 0

  total created_pdpmcb | 0 | total deleted_pdpmcb | 0

  pdp_non_existent | 0

The following command displays information about the PDP contexts: 

hostname# show service-policy inspect gtp pdp-context

1 in use, 1 most used, timeout 0:00:00


Version TID | MS Addr | SGSN Addr | Idle | APN

v1 | 1234567890123425 | 1.1.1.1 | 11.0.0.2 0:00:13  gprs.cisco.com


 | user_name (IMSI): 214365870921435 | MS address: | 1.1.1.1

 | primary pdp: Y | nsapi: 2

 | sgsn_addr_signal: | 11.0.0.2 | sgsn_addr_data: | 11.0.0.2

 | ggsn_addr_signal: | 9.9.9.9 | ggsn_addr_data: | 9.9.9.9

 | sgsn control teid: | 0x000001d1 | sgsn data teid: | 0x000001d3

 | ggsn control teid: | 0x6306ffa0 | ggsn data teid: | 0x6305f9fc

 | seq_tpdu_up: | 0 | seq_tpdu_down: | 0

 | signal_sequence: | 0

 | upstream_signal_flow: | 0 | upstream_data_flow: | 0

 | downstream_signal_flow: | 0 | downstream_data_flow: | 0

 | RAupdate_flow: | 0

Table 29-1 describes each column the output from the show service-policy inspect gtp pdp-context command.

Table 29-1 PDP Contexts

Column Heading
Description

Version

Displays the version of GTP.

TID

Displays the tunnel identifier.

MS Addr

Displays the mobile station address.

SGSN Addr

Displays the serving gateway service node.

Idle

Displays the time for which the PDP context has not been in use.

APN

Displays the access point name.


Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

clear service-policy inspect gtp

Clears global GTP statistics.

debug gtp

Displays detailed information about GTP inspection.

gtp-map

Defines a GTP map and enables GTP map configuration mode.

inspect gtp

Applies a specific GTP map to use for application inspection.


show service-policy inspect radius-accounting

To display the GTP configuration, use the show service-policy inspect radius-accounting command in privileged EXEC mode.

show service-policy [interface int] inspect radius-accounting

Syntax Description

interface int

(Optional) Identifies a specific interface.


.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.2(1)

This command was introduced.


Examples

The following is sample output from the show gtp requests command: 

hostname# show gtp requests

0 in use, 0 most used, 200 maximum allowed

You can use the vertical bar | to filter the display, as in the following example: 

hostname# show service-policy gtp statistics | grep gsn

This example shows the GTP statistics with the word gsn in the output.

The following command shows the statistics for GTP inspection: 

hostname# show service-policy inspect gtp statistics

GPRS GTP Statistics:

  version_not_support | 0 | msg_too_short | 0

  unknown_msg | 0 | unexpected_sig_msg | 0

  unexpected_data_msg | 0 | ie_duplicated | 0

  mandatory_ie_missing | 0 | mandatory_ie_incorrect | 0

  optional_ie_incorrect | 0 | ie_unknown | 0

  ie_out_of_order | 0 | ie_unexpected | 0

  total_forwarded | 0 | total_dropped | 0

  signalling_msg_dropped | 0 | data_msg_dropped | 0

  signalling_msg_forwarded | 0 | data_msg_forwarded | 0

  total created_pdp | 0 | total deleted_pdp | 0

  total created_pdpmcb | 0 | total deleted_pdpmcb | 0

  pdp_non_existent | 0

The following command displays information about the PDP contexts: 

hostname# show service-policy inspect gtp pdp-context

1 in use, 1 most used, timeout 0:00:00


Version TID | MS Addr | SGSN Addr | Idle | APN

v1 | 1234567890123425 | 1.1.1.1 | 11.0.0.2 0:00:13  gprs.cisco.com


 | user_name (IMSI): 214365870921435 | MS address: | 1.1.1.1

 | primary pdp: Y | nsapi: 2

 | sgsn_addr_signal: | 11.0.0.2 | sgsn_addr_data: | 11.0.0.2

 | ggsn_addr_signal: | 9.9.9.9 | ggsn_addr_data: | 9.9.9.9

 | sgsn control teid: | 0x000001d1 | sgsn data teid: | 0x000001d3

 | ggsn control teid: | 0x6306ffa0 | ggsn data teid: | 0x6305f9fc

 | seq_tpdu_up: | 0 | seq_tpdu_down: | 0

 | signal_sequence: | 0

 | upstream_signal_flow: | 0 | upstream_data_flow: | 0

 | downstream_signal_flow: | 0 | downstream_data_flow: | 0

 | RAupdate_flow: | 0

Table 29-1 describes each column the output from the show service-policy inspect gtp pdp-context command.

Table 29-2 PDP Contexts

Column Heading
Description

Version

Displays the version of GTP.

TID

Displays the tunnel identifier.

MS Addr

Displays the mobile station address.

SGSN Addr

Displays the serving gateway service node.

Idle

Displays the time for which the PDP context has not been in use.

APN

Displays the access point name.


Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.


show shared license

To show shared license statistics, use the show shared license command in privileged EXEC mode. Optional keywords are available only for the licensing server.

show shared license [detail | client [hostname] | backup]

Syntax Description

backup

(Optional) Shows information about the backup server.

client

(Optional) Limits the display to participants.

detail

(Optional) Shows all statistics, including per participant.

hostname

(Optional) Limits the display to a particular participant.


Command Default

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.2(1)

This command was introduced.


Usage Guidelines

To clear the statistics, enter the clear shared license command.

Examples

The following is sample output from the show shared license command on the license participant: 

hostname>  show shared license

Primary License Server : 10.3.32.20

  Version              : 1

  Status               : Inactive


Shared license utilization:

  SSLVPN:

    Total for network :     5000

    Available         :     5000

    Utilized          :        0

  This device:

    Platform limit    :      250

    Current usage     :        0

    High usage        :        0

  Messages Tx/Rx/Error:

    Registration    : 0 / 0 / 0

    Get             : 0 / 0 / 0

    Release         : 0 / 0 / 0

    Transfer        : 0 / 0 / 0


Client ID           Usage   Hostname

  ASA0926K04D         0       5510-B

The following is sample output from the show shared license detail command on the license server: 

hostname>  show shared license detail

Backup License Server Info:


Device ID           : ABCD

Address             : 10.1.1.2

Registered          : NO

HA peer ID          : EFGH

Registered          : NO

  Messages Tx/Rx/Error:

    Hello           : 0 / 0 / 0

    Sync            : 0 / 0 / 0

    Update          : 0 / 0 / 0


Shared license utilization:

  SSLVPN:

    Total for network :      500

    Available         :      500

    Utilized          :        0

  This device:

    Platform limit    :      250

    Current usage     :        0

    High usage        :        0

  Messages Tx/Rx/Error:

    Registration    : 0 / 0 / 0

    Get             : 0 / 0 / 0

    Release         : 0 / 0 / 0

    Transfer        : 0 / 0 / 0


Client Info:


  Hostname          : 5540-A

  Device ID         : XXXXXXXXXXX

  SSLVPN:

    Current usage   : 0

    High            : 0

  Messages Tx/Rx/Error:

    Registration    : 1 / 1 / 0

    Get             : 0 / 0 / 0

    Release         : 0 / 0 / 0

    Transfer        : 0 / 0 / 0

...

Related Commands

Command
Description

activation-key

Enters a license activation key.

clear configure license-server

Clears the shared licensing server configuration.

clear shared license

Clears shared license statistics.

license-server address

Identifies the shared licensing server IP address and shared secret for a participant.

license-server backup address

Identifies the shared licensing backup server for a participant.

license-server backup backup-id

Identifies the backup server IP address and serial number for the main shared licensing server.

license-server backup enable

Enables a unit to be the shared licensing backup server.

license-server enable

Enables a unit to be the shared licensing server.

license-server port

Sets the port on which the server listens for SSL connections from participants.

license-server refresh-interval

Sets the refresh interval provided to participants to set how often they should communicate with the server.

license-server secret

Sets the shared secret on the shared licensing server.

show activation-key

Shows the current licenses installed.

show running-config license-server

Shows the shared licensing server configuration.

show vpn-sessiondb

Shows license information about VPN sessions.


show shun

To display shun information, use the show shun command in privileged EXEC mode.

show shun [src_ip | statistics]

Syntax Description

src_ip

(Optional) Displays the information for that address.

statistics

(Optional) Displays the interface counters only.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

The following is sample output from the show shun command: 

hostname# show shun

shun (outside) 10.1.1.27 10.2.2.89 555 666 6

shun (inside1) 10.1.1.27 10.2.2.89 555 666 6

Related Commands

Command
Description

clear shun

Disables all the shuns that are currently enabled and clears the shun statistics.

shun

Enables a dynamic response to an attacking host by preventing new connections and disallowing packets from any existing connection.


show sip

To display SIP sessions, use the show sip command in privileged EXEC mode.

show sip

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The show sip command assists in troubleshooting SIP inspection engine issues and is described with the inspect protocol sip udp 5060 command. The show timeout sip command displays the timeout value of the designated protocol.

The show sip command displays information for SIP sessions established across the adaptive security appliance. Along with the debug sip and show local-host commands, this command is used for troubleshooting SIP inspection engine issues.

Note We recommend that you configure the pager command before using the show sip command. If there are a lot of SIP session records and the pager command is not configured, it will take a while for the show sip command output to reach its end.

Examples

The following is sample output from the show sip command: 

hostname# show sip

Total: 2

call-id c3943000-960ca-2e43-228f@10.130.56.44

 | state Call init, idle 0:00:01

call-id c3943000-860ca-7e1f-11f7@10.130.56.45

 | state Active, idle 0:00:06

This sample shows two active SIP sessions on the adaptive security appliance (as shown in the Total field). Each call-id represents a call.

The first session, with the call-id c3943000-960ca-2e43-228f@10.130.56.44, is in the state Call Init, which means the session is still in call setup. Call setup is complete only when the ACK is seen. This session has been idle for 1 second.

The second session is in the state Active, in which call setup is complete and the endpoints are exchanging media. This session has been idle for 6 seconds.

Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

debug sip

Enables debug information for SIP.

inspect sip

Enables SIP application inspection.

show conn

Displays the connection state for different connection types.

timeout

Sets the maximum idle time duration for different protocols and session types.


show skinny

To troubleshoot SCCP (Skinny) inspection engine issues, use the show skinny command in privileged EXEC mode.

show skinny

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The show skinny command assists in troubleshooting SCCP (Skinny) inspection engine issues.

Examples

The following is sample output from the show skinny command under the following conditions. There are two active Skinny sessions set up across the adaptive security appliance. The first one is established between an internal Cisco IP Phone at local address 10.0.0.11 and an external Cisco CallManager at 172.18.1.33. TCP port 2000 is the CallManager. The second one is established between another internal Cisco IP Phone at local address 10.0.0.22 and the same Cisco CallManager. 

hostname# show skinny

        LOCAL                   FOREIGN                 STATE

---------------------------------------------------------------

1       10.0.0.11/52238         172.18.1.33/2000                1

  MEDIA 10.0.0.11/22948         172.18.1.22/20798

2       10.0.0.22/52232         172.18.1.33/2000                1

  MEDIA 10.0.0.22/20798         172.18.1.11/22948

The output indicates a call has been established between both internal Cisco IP Phones. The RTP listening ports of the first and second phones are UDP 22948 and 20798 respectively.

The following is the xlate information for these Skinny connections: 

hostname# show xlate debug

2 in use, 2 most used

Flags: D | DNS, d | dump, I | identity, i | inside, n | no random,

 | o | outside, r | portmap, s | static

NAT from inside:10.0.0.11 to outside:172.18.1.11 flags si idle 0:00:16 timeout 0:05:00

NAT from inside:10.0.0.22 to outside:172.18.1.22 flags si idle 0:00:14 timeout 0:05:00

Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

debug skinny

Enables SCCP debug information.

inspect skinny

Enables SCCP application inspection.

show conn

Displays the connection state for different connection types.

timeout

Sets the maximum idle time duration for different protocols and session types.


show sla monitor configuration

To display the configuration values, including the defaults, for SLA operations, use the show sla monitor configuration command in user EXEC mode.

show sla monitor configuration [sla-id]

Syntax Description

sla-id

(Optional) The ID number of the SLA operation. Valid values are from 1 to 2147483647.


Defaults

If the sla-id is not specified, the configuration values for all SLA operations are shown.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC


Command History

Release
Modification

7.2(1)

This command was introduced.


Usage Guidelines

Use the show running config sla monitor command to see the SLA operation commands in the running configuration.

Examples

The following is sample output from the show sla monitor command. It displays the configuration values for SLA operation 123. Following the output of the show sla monitor command is the output of the show running-config sla monitor command for the same SLA operation. 

hostname> show sla monitor 124


SA Agent, Infrastructure Engine-II

Entry number: 124

Owner: 

Tag: 

Type of operation to perform: echo

Target address: 10.1.1.1

Interface: outside

Number of packets: 1

Request size (ARR data portion): 28

Operation timeout (milliseconds): 1000

Type Of Service parameters: 0x0

Verify data: No

Operation frequency (seconds): 3

Next Scheduled Start Time: Start Time already passed

Group Scheduled : FALSE

Life (seconds): Forever

Entry Ageout (seconds): never

Recurring (Starting Everyday): FALSE

Status of entry (SNMP RowStatus): Active

Enhanced History:


hostname# show running-config sla monitor 124


sla monitor 124

 type echo protocol ipIcmpEcho 10.1.1.1 interface outside

 timeout 1000

 frequency 3

sla monitor schedule 124 life forever start-time now

Related Commands

Command
Description

show running-config sla monitor

Displays the SLA operation configuration commands in the running configuration.

sla monitor

Defines an SLA monitoring operation.


show sla monitor operational-state

To display the operational state of SLA operations, use the show sla monitor operational-state command in user EXEC mode.

show sla monitor operational-state [sla-id]

Syntax Description

sla-id

(Optional) The ID number of the SLA operation. Valid values are from 1 to 2147483647.


Defaults

If the sla-id is not specified, statistics for all SLA operations are displayed.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC


Command History

Release
Modification

7.2(1)

This command was introduced.


Usage Guidelines

Use the show running-config sla monitor command to display the SLA operation commands in the running configuration.

Examples

The following is sample output from the show sla monitor operational-state command: 

hostname> show sla monitor operationl-state


Entry number: 124

Modification time: 14:42:23.607 EST Wed Mar 22 2006

Number of Octets Used by this Entry: 1480

Number of operations attempted: 4043

Number of operations skipped: 0

Current seconds left in Life: Forever

Operational state of entry: Active

Last time this entry was reset: Never

Connection loss occurred: FALSE

Timeout occurred: TRUE

Over thresholds occurred: FALSE

Latest RTT (milliseconds): NoConnection/Busy/Timeout

Latest operation start time: 18:04:26.609 EST Wed Mar 22 2006

Latest operation return code: Timeout

RTT Values:

RTTAvg: 0       RTTMin: 0       RTTMax: 0

NumOfRTT: 0     RTTSum: 0       RTTSum2: 0

Related Commands

Command
Description

show running-config sla monitor

Displays the SLA operation configuration commands in the running configuration.

sla monitor

Defines an SLA monitoring operation.


show snmp-server engineid

To display the identification of the SNMP engine that has been configured on the adaptive security appliance, use the show snmp-server engineid command in privileged EXEC mode.

show snmp-server engineid

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.2(1)

This command was introduced.


Examples

The following is sample output from the show snmp-server engineid command: 

hostname# show snmp-server engineid

Local SNMP engineID: 80000009fe85f8fd882920834a3af7e4ca79a0a1220fe10685

Usage Guidelines

An SNMP engine is a copy of SNMP that can reside on a local device. The engine ID is a unique value that is assigned for each SNMP agent for each adaptive security appliance context. The engine ID is not configurable on the adaptive security appliance. The engine ID is 25 bytes long, and is used to generate encrypted passwords. The encrypted passwords are then stored in flash memory. The engine ID can be cached. In a failover pair, the engine ID is synchronized with the peer.

Related Commands

Command
Description

clear configure snmp-server

Clears the SNMP server configuration.

show running-config snmp-server

Displays the SNMP server configuration.

snmp-server

Configures the SNMP server.


show snmp-server group

To display the names of configured SNMP groups, the security model being used, the status of different views, and the storage type of each group, use the show snmp-server group command in privileged EXEC mode.

show snmp-server group

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.2(1)

This command was introduced.


Examples

The following is sample output from the show snmp-server group command: 

hostname# show snmp-server group

groupname: public                           security model:v1

readview : <no readview specified>          writeview: <no writeview specified>

notifyview: <no readview specified>

row status: active


groupname: public                           security model:v2c

readview : <no readview specified>          writeview: <no writeview specified>

notifyview: *<no readview specified>

row status: active


groupname: privgroup                   security model:v3 priv

readview : def_read_view               writeview: <no writeview specified>

notifyview: def_notify_view

row status: active

Usage Guidelines

SNMP users and groups are used according to the View-based Access Control Model (VACM) for SNMP. The SNMP group determines the security model to be used. The SNMP user should match the security model of the SNMP group. Each SNMP group name and security level pair must be unique.

Related Commands

Command
Description

clear configure snmp-server

Clears the SNMP server configuration.

show running-config snmp-server

Displays the SNMP server configuration.

snmp-server

Configures the SNMP server.


show snmp-server statistics

To display SNMP server statistics, use the show snmp-server statistics command in privileged EXEC mode.

show snmp-server statistics

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was introduced.


Examples

The following is sample output fromthe show snmp-server statistics command: 

hostname# show snmp-server statistics

0 SNMP packets input

    0 Bad SNMP version errors

    0 Unknown community name

    0 Illegal operation for community name supplied

    0 Encoding errors

    0 Number of requested variables

    0 Number of altered variables

    0 Get-request PDUs

    0 Get-next PDUs

    0 Get-bulk PDUs

    0 Set-request PDUs (Not supported)

0 SNMP packets output

    0 Too big errors (Maximum packet size 512)

    0 No such name errors

    0 Bad values errors

    0 General errors

    0 Response PDUs

    0 Trap PDUs

Related Commands

Command
Description

clear configure snmp-server

Clears the SNMP server configuration.

clear snmp-server statistics

Clears the SNMP packet input and output counters.

show running-config snmp-server

Displays the SNMP server configuration.

snmp-server

Configures the SNMP server.


show snmp-server user

To display information about the configured characteristics of SNMP users, use the show snmp-server user command in privileged EXEC mode.

show snmp-server user [username]

Syntax Description

username

(Optional) Identifies a specific user or users about which to display SNMP information.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.2(1)

This command was introduced.


Examples

The following is sample output from the show snmp-server user command: 

hostname# show snmp-server user authuser

User name: authuser 

Engine ID: 00000009020000000C025808 

storage-type: nonvolatile       active access-list: N/A

Rowstatus: active 

Authentication Protocol: MD5

Privacy protocol: DES 

Group name: VacmGroupName

The output provides the following information:

The username, which is a string that identifies the name of the SNMP user.

The engine ID, which is a string that identifies the copy of SNMP on the adaptive security appliance.

The storage-type, which indicates whether or not the settings have been set in volatile or temporary memory on the adaptive security appliance, or in nonvolatile or persistent memory, in which settings remain after the adaptive security appliance has been turned off and on again.

The active access list, which is the standard IP access list associated with the SNMP user.

The Rowstatus, which indicates whether or not it is active or inactive.

The authentication protocol, which identifies which authentication protocol is being used. Options are MD5, SHA, or none. If authentication is not supported in your software image, this field does not appear.

The privacy protocol, which indicates whether or not DES packet encryption is enabled. If privacy is not supported in your software image, this field does not appear.

The group name, which indicates to which SNMP group the user belongs. SNMP groups are defined according to the View-based Access Control Model (VACM).

Usage Guidelines

An SNMP user must be part of an SNMP group. If you do not enter the username argument, the show snmp-server user command displays information about all configured users. If you enter the username argument and the user exists, the information about that user appears.

Related Commands

Command
Description

clear configure snmp-server

Clears the SNMP server configuration.

show running-config snmp-server

Displays the SNMP server configuration.

snmp-server

Configures the SNMP server.


show ssh sessions

To display information about the active SSH session on the adaptive security appliance, use the show ssh sessions command in privileged EXEC mode.

show ssh sessions [ip_address]

Syntax Description

ip_address

(Optional) Displays session information for only the specified IP address.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The SID is a unique number that identifies the SSH session. The Client IP is the IP address of the system running an SSH client. The Version is the protocol version number that the SSH client supports. If the SSH only supports SSH version 1, then the Version column displays 1.5. If the SSH client supports both SSH version 1 and SSH version 2, then the Version column displays 1.99. If the SSH client only supports SSH version 2, then the Version column displays 2.0. The Encryption column shows the type of encryption that the SSH client is using. The State column shows the progress that the client is making as it interacts with the adaptive security appliance. The Username column lists the login username that has been authenticated for the session.

Examples

The following example demonstrates the output of the show ssh sessions command: 

hostname# show ssh sessions

SID Client IP       Version Mode Encryption Hmac     State           Username

0   172.69.39.39    1.99    IN   aes128-cbc md5      SessionStarted  pat

                            OUT  aes128-cbc md5      SessionStarted  pat

1   172.23.56.236   1.5     -    3DES       -        SessionStarted  pat

2   172.69.39.29    1.99    IN   3des-cbc   sha1     SessionStarted  pat

                            OUT  3des-cbc   sha1     SessionStarted  pat

Related Commands

Command
Description

ssh disconnect

Disconnects an active SSH session.

ssh timeout

Sets the timeout value for idle SSH sessions.


show startup-config

To show the startup configuration or to show any errors when the startup configuration loaded, use the show startup-config command in privileged EXEC mode.

show startup-config [errors]

Syntax Description

errors

(Optional) Shows any errors that were generated when the adaptive security appliance loaded the startup configuration.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System1

Privileged EXEC

1 The errors keyword is only available in single mode and the system execution space,


Command History

Release
Modification

7.0(1)

The errors keyword was added.


Usage Guidelines

In multiple context mode, this command shows the startup configuration for your current execution space: the system configuration or the security context.

To clear the startup errors from memory, use the clear startup-config errors command.

Examples

The following is sample output from the show startup-config command: 

hostname# show startup-config

: Saved

: Written by enable_15 at 01:44:55.598 UTC Thu Apr 17 2003


Version 7.X(X)

!

interface GigabitEthernet0/0

 nameif inside

 security-level 100

 ip address 209.165.200.224

 webvpn enable

!

interface GigabitEthernet0/1

 shutdown

 nameif test

 security-level 0

 ip address 209.165.200.225

!


...

!

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname firewall1

domain-name example.com

boot system disk0:/cdisk.bin

ftp mode passive

names

name 10.10.4.200 outside

access-list xyz extended permit ip host 192.168.0.4 host 209.165.200.226

!

ftp-map ftp_map

!

ftp-map inbound_ftp

 deny-request-cmd appe stor stou

!


...


Cryptochecksum:4edf97923899e712ed0da8c338e07e63

The following is sample output from the show startup-config errors command: 

hostname# show startup-config errors


ERROR: 'Mac-addresses': invalid resource name

*** Output from config line 18, "limit-resource Mac-add..."

INFO: Admin context is required to get the interfaces

*** Output from config line 30, "arp timeout 14400"

Creating context 'admin'... WARNING: Invoked the stub function ibm_4gs3_context_

set_max_mgmt_sess

WARNING: Invoked the stub function ibm_4gs3_context_set_max_mgmt_sess

Done. (1)

*** Output from config line 33, "admin-context admin"

WARNING: VLAN *24* is not configured.

*** Output from config line 12, context 'admin', "nameif inside"

.....

*** Output from config line 37, "config-url disk:/admin..."

Related Commands

Command
Description

clear startup-config errors

Clears the startup errors from memory.

show running-config

Shows the running configuration.


show sunrpc-server active

To display the pinholes open for Sun RPC services, use the show sunrpc-server active command in privileged EXEC mode.

show sunrpc-server active

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Use the show sunrpc-server active command to display the pinholes open for Sun RPC services, such as NFS and NIS.

Examples

To display the pinholes open for Sun RPC services, enter the show sunrpc-server active command. The following is sample output from the show sunrpc-server active command: 

hostname# show sunrpc-server active

        LOCAL           FOREIGN                 SERVICE TIMEOUT

        -----------------------------------------------

        192.168.100.2/0 209.165.200.5/32780     100005 00:10:00

Related Commands

Command
Description

clear configure sunrpc-server

Clears the Sun remote processor call services from the adaptive security appliance.

clear sunrpc-server active

Clears the pinholes opened for Sun RPC services, such as NFS or NIS.

inspect sunrpc

Enables or disables Sun RPC application inspection and configures the port used.

show running-config sunrpc-server

Displays information about the SunRPC services configuration.


show switch mac-address-table

For models with a built-in switch, such as the ASA 5505 adaptive security appliance, use the show switch mac-address-table command in privileged EXEC mode to view the switch MAC address table.

show switch mac-address-table

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.2(1)

This command was introduced.


Usage Guidelines

This command is for models with built-in switches only. The switch MAC address table maintains the MAC address-to-switch port mapping for traffic within each VLAN in the switch hardware. If you are in transparent firewall mode, use the show mac-address-table command to view the bridge MAC address table in the ASA software. The bridge MAC address table maintains the MAC address-to-VLAN interface mapping for traffic that passes between VLANs.

MAC address entries age out in 5 minutes.

Examples

The following is sample output from the show switch mac-address-table command. 

hostname# show switch mac-address-table

Legend: Age - entry expiration time in seconds


   Mac Address  | VLAN |       Type       | Age | Port

-------------------------------------------------------

 000e.0c4e.2aa4 | 0001 |     dynamic      | 287 | Et0/0

 0012.d927.fb03 | 0001 |     dynamic      | 287 | Et0/0

 0013.c4ca.8a8c | 0001 |     dynamic      | 287 | Et0/0

 00b0.6486.0c14 | 0001 |     dynamic      | 287 | Et0/0

 00d0.2bff.449f | 0001 |     static       |  -  | In0/1

 0100.5e00.000d | 0001 | static multicast |  -  | In0/1,Et0/0-7

Total Entries: 6

Table 29-3 shows each field description:

Table 29-3 show switch mac-address-table Fields

Field
Description

Mac Address

Shows the MAC address.

VLAN

Shows the VLAN associated with the MAC address.

Type

Shows if the MAC address was learned dynamically, as a static multicast address, or statically. The only static entry is for the internal backplane interface.

Age

Shows the age of a dynamic entry in the MAC address table.

Port

Shows the switch port through which the host with the MAC address can be reached.


Related Commands

Command
Description

show mac-address-table

Shows the MAC address table for models that do not have a built-in switch.

show switch vlan

Shows the VLAN and physical MAC address association.


show switch vlan

For models with a built-in switch, such as the ASA 5505 adaptive security appliance, use the show switch vlan command in privileged EXEC mode to view the VLANs and the associated switch ports.

show switch vlan

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.2(1)

This command was introduced.


Usage Guidelines

This command is for models with built-in switches only. For other models, use the show vlan command.

Examples

The following is sample output from the show switch vlan command. 

hostname# show switch vlan


VLAN Name                             Status    Ports

---- -------------------------------- --------- -------------

100  inside                           up        Et0/0, Et0/1

200  outside                          up        Et0/7

300  -                                down      Et0/1, Et0/2

400  backup                           down      Et0/3

Table 29-3 shows each field description:

Table 29-4 show switch vlan Fields

Field
Description

VLAN

Shows the VLAN number.

Name

Shows the name of the VLAN interface. If no name is set using the nameif command, or if there is no interface vlan command, the display shows a dash (-).

Status

Shows the status, up or down, to receive and send traffic to and from the VLAN in the switch. At least one switch port in the VLAN needs to be in an up state for the VLAN state to be up.

Ports

Shows the switch ports assigned to each VLAN. If a switch port is listed for multiple VLANs, it is a trunk port. The above sample output shows Ethernet 0/1 is a trunk port that carries VLAN 100 and 300.


Related Commands

Command
Description

clear interface

Clears counters for the show interface command.

interface vlan

Creates a VLAN interface and enters interface configuration mode.

show interface

Displays the runtime status and statistics of interfaces.

show vlan

Shows the VLANs for models that do not have built-in switches.

switchport mode

Sets the mode of the switch port to access or trunk mode.


show tcpstat

To display the status of the adaptive security appliance TCP stack and the TCP connections that are terminated on the adaptive security appliance (for debugging), use the show tcpstat command in privileged EXEC mode. This command supports IPv4 and IPv6 addresses.

show tcpstat

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The show tcpstat command allows you to display the status of the TCP stack and TCP connections that are terminated on the adaptive security appliance. The TCP statistics displayed are described in Table 28.

Table 29-5 TCP Statistics in the show tcpstat Command 

Statistic
Description

tcb_cnt

Number of TCP users.

proxy_cnt

Number of TCP proxies. TCP proxies are used by user authorization.

tcp_xmt pkts

Number of packets that were transmitted by the TCP stack.

tcp_rcv good pkts

Number of good packets that were received by the TCP stack.

tcp_rcv drop pkts

Number of received packets that the TCP stack dropped.

tcp bad chksum

Number of received packets that had a bad checksum.

tcp user hash add

Number of TCP users that were added to the hash table.

tcp user hash add dup

Number of times a TCP user was already in the hash table when trying to add a new user.

tcp user srch hash hit

Number of times a TCP user was found in the hash table when searching.

tcp user srch hash miss

Number of times a TCP user was not found in the hash table when searching.

tcp user hash delete

Number of times that a TCP user was deleted from the hash table.

tcp user hash delete miss

Number of times that a TCP user was not found in the hash table when trying to delete the user.

lip

Local IP address of the TCP user.

fip

Foreign IP address of the TCP user.

lp

Local port of the TCP user.

fp

Foreign port of the TCP user.

st

State (see RFC 793) of the TCP user. The possible values are as follows: 

1   CLOSED

2   LISTEN

3   SYN_SENT

4   SYN_RCVD

5   ESTABLISHED

6   FIN_WAIT_1

7   FIN_WAIT_2

8   CLOSE_WAIT

9   CLOSING

10  LAST_ACK

11  TIME_WAIT

rexqlen

Length of the retransmit queue of the TCP user.

inqlen

Length of the input queue of the TCP user.

tw_timer

Value of the time_wait timer (in milliseconds) of the TCP user.

to_timer

Value of the inactivity timeout timer (in milliseconds) of the TCP user.

cl_timer

Value of the close request timer (in milliseconds) of the TCP user.

per_timer

Value of the persist timer (in milliseconds) of the TCP user.

rt_timer

Value of the retransmit timer (in milliseconds) of the TCP user.

tries

Retransmit count of the TCP user.


Examples

This example shows how to display the status of the TCP stack on the adaptive security appliance: 

hostname# show tcpstat

                CURRENT MAX     TOTAL

tcb_cnt         2       12      320

proxy_cnt       0       0       160


tcp_xmt pkts = 540591

tcp_rcv good pkts = 6583

tcp_rcv drop pkts = 2

tcp bad chksum = 0

tcp user hash add = 2028

tcp user hash add dup = 0

tcp user srch hash hit = 316753

tcp user srch hash miss = 6663

tcp user hash delete = 2027

tcp user hash delete miss = 0


lip = 172.23.59.230 fip = 10.21.96.254 lp = 443 fp = 2567 st = 4 rexqlen = 0

in0

  tw_timer = 0 to_timer = 179000 cl_timer = 0 per_timer = 0

rt_timer = 0

tries 0

Related Commands

Command
Description

show conn

Displays the connections used and those that are available.


show tech-support

To display the information that is used for diagnosis by technical support analysts, use the show tech-support command in privileged EXEC mode.

show tech-support [detail | file | no-config]

Syntax Description

detail

(Optional) Lists detailed information.

file

(Optional) Writes the output of the command to a file.

no-config

(Optional) Excludes the output of the running configuration.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(1)

The detail and file keywords were added.

7.2(1)

The output display was enhanced to display more detailed information about processes that hog the CPU.


Usage Guidelines

The show tech-support command lets you list information that technical support analysts need to help you diagnose problems. This command combines the output from the show commands that provide the most information to a technical support analyst.

Examples

The following example shows how to display information that is used for technical support analysis, excluding the output of the running configuration: 

hostname# show tech-support no-config


Cisco XXX Firewall Version X.X(X)

Cisco Device Manager Version X.X(X)


Compiled on Fri 15-Apr-05 14:35 by root


XXX up 2 days 8 hours


Hardware:   XXX, 64 MB RAM, CPU Pentium 200 MHz

Flash i28F640J5 @ 0x300, 16MB

BIOS Flash AT29C257 @ 0xfffd8000, 32KB


0: ethernet0: address is 0003.e300.73fd, irq 10

1: ethernet1: address is 0003.e300.73fe, irq 7

2: ethernet2: address is 00d0.b7c8.139e, irq 9

Licensed Features:

Failover:           Disabled

VPN-DES:            Enabled

VPN-3DES-AES:       Disabled

Maximum Interfaces: 3

Cut-through Proxy:  Enabled

Guards:             Enabled

URL-filtering:      Enabled

Inside Hosts:       Unlimited

Throughput:         Unlimited

IKE peers:          Unlimited


This XXX has a Restricted (R) license.


Serial Number: 480430455 (0x1ca2c977)

Running Activation Key: 0xc2e94182 0xc21d8206 0x15353200 0x633f6734 

Configuration last modified by enable_15 at 23:05:24.264 UTC Sat Nov 16 2002


------------------ show clock ------------------


00:08:14.911 UTC Sun Apr 17 2005


------------------ show memory ------------------


Free memory:        50708168 bytes

Used memory:        16400696 bytes

-------------     ----------------

Total memory:       67108864 bytes


------------------ show conn count ------------------


0 in use, 0 most used


------------------ show xlate count ------------------


0 in use, 0 most used


------------------ show blocks ------------------


  SIZE    MAX    LOW    CNT

     4   1600   1600   1600

    80    400    400    400

   256    500    499    500

  1550   1188    795    919


------------------ show interface ------------------


interface ethernet0 "outside" is up, line protocol is up

  Hardware is i82559 ethernet, address is 0003.e300.73fd

  IP address 172.23.59.232, subnet mask 255.255.0.0

  MTU 1500 bytes, BW 10000 Kbit half duplex

        1267 packets input, 185042 bytes, 0 no buffer

        Received 1248 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        20 packets output, 1352 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 babbles, 0 late collisions, 9 deferred

        0 lost carrier, 0 no carrier

        input queue (curr/max blocks): hardware (13/128) software (0/2)

        output queue (curr/max blocks): hardware (0/1) software (0/1)

interface ethernet1 "inside" is up, line protocol is down

  Hardware is i82559 ethernet, address is 0003.e300.73fe

  IP address 10.1.1.1, subnet mask 255.255.255.0

  MTU 1500 bytes, BW 10000 Kbit half duplex

        0 packets input, 0 bytes, 0 no buffer

        Received 0 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        1 packets output, 60 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 babbles, 0 late collisions, 0 deferred

        1 lost carrier, 0 no carrier

        input queue (curr/max blocks): hardware (128/128) software (0/0)

        output queue (curr/max blocks): hardware (0/1) software (0/1)

interface ethernet2 "intf2" is administratively down, line protocol is down

  Hardware is i82559 ethernet, address is 00d0.b7c8.139e

  IP address 127.0.0.1, subnet mask 255.255.255.255

  MTU 1500 bytes, BW 10000 Kbit half duplex

        0 packets input, 0 bytes, 0 no buffer

        Received 0 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 packets output, 0 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 babbles, 0 late collisions, 0 deferred

        0 lost carrier, 0 no carrier

        input queue (curr/max blocks): hardware (128/128) software (0/0)

        output queue (curr/max blocks): hardware (0/0) software (0/0)


------------------ show cpu usage ------------------


CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%


------------------ show cpu hogging process ------------------


Process:      fover_parse, NUMHOG: 2, MAXHOG: 280, LASTHOG: 140

LASTHOG At:   02:08:24 UTC Jul 24 2005

PC:           11a4d5

Traceback:    12135e  121893  121822  a10d8b  9fd061  114de6 113e56f

              777135  7a3858  7a3f59  700b7f  701fbf  14b984


------------------ show process ------------------



    PC       SP       STATE       Runtime    SBASE     Stack Process

Hsi 001e3329 00763e7c 0053e5c8          0 00762ef4 3784/4096 arp_timer

Lsi 001e80e9 00807074 0053e5c8          0 008060fc 3832/4096 FragDBGC

Lwe 00117e3a 009dc2e4 00541d18          0 009db46c 3704/4096 dbgtrace

Lwe 003cee95 009de464 00537718          0 009dc51c 8008/8192 Logger

Hwe 003d2d18 009e155c 005379c8          0 009df5e4 8008/8192 tcp_fast

Hwe 003d2c91 009e360c 005379c8          0 009e1694 8008/8192 tcp_slow

Lsi 002ec97d 00b1a464 0053e5c8          0 00b194dc 3928/4096 xlate clean

Lsi 002ec88b 00b1b504 0053e5c8          0 00b1a58c 3888/4096 uxlate clean

Mwe 002e3a17 00c8f8d4 0053e5c8          0 00c8d93c 7908/8192 tcp_intercept_times

Lsi 00423dd5 00d3a22c 0053e5c8          0 00d392a4 3900/4096 route_process

Hsi 002d59fc 00d3b2bc 0053e5c8          0 00d3a354 3780/4096 XXX Garbage Collecr

Hwe 0020e301 00d5957c 0053e5c8          0 00d55614 16048/16384 isakmp_time_keepr

Lsi 002d377c 00d7292c 0053e5c8          0 00d719a4 3928/4096 perfmon

Hwe 0020bd07 00d9c12c 0050bb90          0 00d9b1c4 3944/4096 IPSec

Mwe 00205e25 00d9e1ec 0053e5c8          0 00d9c274 7860/8192 IPsec timer handler

Hwe 003864e3 00db26bc 00557920          0 00db0764 6952/8192 qos_metric_daemon

Mwe 00255a65 00dc9244 0053e5c8          0 00dc8adc 1436/2048 IP Background

Lwe 002e450e 00e7bb94 00552c30          0 00e7ad1c 3704/4096 XXX/trace

Lwe 002e471e 00e7cc44 00553368          0 00e7bdcc 3704/4096 XXX/tconsole

Hwe 001e5368 00e7ed44 00730674          0 00e7ce9c 7228/8192 XXX/intf0

Hwe 001e5368 00e80e14 007305d4          0 00e7ef6c 7228/8192 XXX/intf1

Hwe 001e5368 00e82ee4 00730534       2470 00e8103c 4892/8192 XXX/intf2

H*  0011d7f7 0009ff2c 0053e5b0        780 00e8511c 13004/16384 ci/console

Csi 002dd8ab 00e8a124 0053e5c8          0 00e891cc 3396/4096 update_cpu_usage

Hwe 002cb4d1 00f2bfbc 0051e360          0 00f2a134 7692/8192 uauth_in

Hwe 003d17d1 00f2e0bc 00828cf0          0 00f2c1e4 7896/8192 uauth_thread

Hwe 003e71d4 00f2f20c 00537d20          0 00f2e294 3960/4096 udp_timer

Hsi 001db3ca 00f30fc4 0053e5c8          0 00f3004c 3784/4096 557mcfix

Crd 001db37f 00f32084 0053ea40  121094970 00f310fc 3744/4096 557poll

Lsi 001db435 00f33124 0053e5c8          0 00f321ac 3700/4096 557timer

Hwe 001e5398 00f441dc 008121e0          0 00f43294 3912/4096 fover_ip0

Cwe 001dcdad 00f4523c 00872b48         20 00f44344 3528/4096 ip/0:0

Hwe 001e5398 00f4633c 008121bc          0 00f453f4 3532/4096 icmp0

Hwe 001e5398 00f47404 00812198          0 00f464cc 3896/4096 udp_thread/0

Hwe 001e5398 00f4849c 00812174          0 00f475a4 3832/4096 tcp_thread/0

Hwe 001e5398 00f495bc 00812150          0 00f48674 3912/4096 fover_ip1

Cwe 001dcdad 00f4a61c 008ea850          0 00f49724 3832/4096 ip/1:1

Hwe 001e5398 00f4b71c 0081212c          0 00f4a7d4 3912/4096 icmp1

Hwe 001e5398 00f4c7e4 00812108          0 00f4b8ac 3896/4096 udp_thread/1

Hwe 001e5398 00f4d87c 008120e4          0 00f4c984 3832/4096 tcp_thread/1

Hwe 001e5398 00f4e99c 008120c0          0 00f4da54 3912/4096 fover_ip2

Cwe 001e542d 00f4fa6c 00730534          0 00f4eb04 3944/4096 ip/2:2

Hwe 001e5398 00f50afc 0081209c          0 00f4fbb4 3912/4096 icmp2

Hwe 001e5398 00f51bc4 00812078          0 00f50c8c 3896/4096 udp_thread/2

Hwe 001e5398 00f52c5c 00812054          0 00f51d64 3832/4096 tcp_thread/2

Hwe 003d1a65 00f78284 008140f8          0 00f77fdc  300/1024 listen/http1

Mwe 0035cafa 00f7a63c 0053e5c8          0 00f786c4 7640/8192 Crypto CA


------------------ show failover ------------------


No license for Failover


------------------ show traffic ------------------


outside:

        received (in 205213.390 secs):

                1267 packets    185042 bytes

                0 pkts/sec      0 bytes/sec

        transmitted (in 205213.390 secs):

                20 packets      1352 bytes

                0 pkts/sec      0 bytes/sec

inside:

        received (in 205215.800 secs):

                0 packets       0 bytes

                0 pkts/sec      0 bytes/sec

        transmitted (in 205215.800 secs):

                1 packets       60 bytes

                0 pkts/sec      0 bytes/sec

intf2:

        received (in 205215.810 secs):

                0 packets       0 bytes

                0 pkts/sec      0 bytes/sec

        transmitted (in 205215.810 secs):

                0 packets       0 bytes

                0 pkts/sec      0 bytes/sec


------------------ show perfmon ------------------



PERFMON STATS:    Current      Average

Xlates               0/s          0/s

Connections          0/s          0/s

TCP Conns            0/s          0/s

UDP Conns            0/s          0/s

URL Access           0/s          0/s

URL Server Req       0/s          0/s

TCP Fixup            0/s          0/s

TCPIntercept         0/s          0/s

HTTP Fixup           0/s          0/s

FTP Fixup            0/s          0/s

AAA Authen           0/s          0/s

AAA Author           0/s          0/s

AAA Account          0/s          0/s

Related Commands

Command
Description

show clock

Displays the clock for use with the Syslog Server (PFSS) and the Public Key Infrastructure (PKI) protocol.

show conn count

Displays the connections used and available.

show cpu

Display the CPU utilization information.

show failover

Displays the status of a connection and which adaptive security appliance is active

show memory

Displays a summary of the maximum physical memory and current free memory that is available to the operating system.

show perfmon

Displays information about the performance of the adaptive security appliance

show processes

Displays a list of the processes that are running.

show running-config

Displays the configuration that is currently running on the adaptive security appliance.

show xlate

Displays information about the translation slot.


show threat-detection rate

When you enable basic threat detection using the threat-detection basic-threat command, you can view statistics using the show threat-detection rate command in privileged EXEC mode.

show threat-detection rate [min-display-rate min_display_rate] [acl-drop | bad-packet-drop | conn-limit-drop | dos-drop | fw-drop | icmp-drop | inspect-drop | interface-drop | scanning-threat | syn-attack]

Syntax Description

acl-drop

(Optional) Shows the rate for dropped packets caused by denial by access lists.

min-display-rate min_display_rate

(Optional) Limits the display to statistics that exceed the minimum display rate in events per second. You can set the min_display_rate between 0 and 2147483647.

bad-packet-drop

(Optional) Shows the rate for dropped packets caused by denial by a bad packet format (such as invalid-ip-header or invalid-tcp-hdr-length).

conn-limit-drop

(Optional) Shows the rate for dropped packets caused by the connection limits being exceeded (both system-wide resource limits, and limits set in the configuration).

dos-drop

(Optional) Shows the rate for dropped packets caused by a detected DoS attack (such as an invalid SPI, Stateful Firewall check failure).

fw-drop

(Optional) Shows the rate for dropped packets caused by basic firewall check failure. This option is a combined rate that includes all firewall-related packet drops in this command. It does not include non-firewall-related drops such as interface-drop, inspect-drop, and scanning-threat.

icmp-drop

(Optional) Shows the rate for dropped packets caused by denial by suspicious ICMP packets detected.

inspect-drop

(Optional) Shows the rate limit for dropped packets caused by packets failing application inspection.

interface-drop

(Optional) Shows the rate limit for dropped packets caused by an interface overload.

scanning-threat

(Optional) Shows the rate for dropped packets caused by a scanning attack detected. This option monitors scanning attacks; for example, the first TCP packet is not a SYN packet, or the TCP connection failed the 3-way handshake. Full scanning threat detection (see the threat-detection scanning-threat command) takes this scanning attack rate information and acts on it by classifying hosts as attackers and automatically shunning them, for example.

syn-attack

(Optional) Shows the rate for dropped packets caused by an incomplete session, such as TCP SYN attack or no data UDP session attack.


Defaults

If you do not specify an event type, all events are shown.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.0(2)

This command was introduced.

8.2(1)

The burst rate interval changed from 1/60th to 1/30th of the average rate.


Usage Guidelines

The display output shows the following:

The average rate in events/sec over fixed time periods.

The current burst rate in events/sec over the last completed burst interval, which is 1/30th of the average rate interval or 10 seconds, whichever is larger

The number of times the rates were exceeded

The total number of events over the fixed time periods.

The adaptive security appliance computes the event counts 30 times over the average rate interval; in other words, the adaptive security appliance checks the rate at the end of each burst period, for a total of 30 completed burst intervals. The unfinshed burst interval presently occurring is not included in the average rate. For example, if the average rate interval is 10 minutes, then the burst interval is 10 seconds. If the last burst interval was from 3:00:00 to 3:00:10, and you use the show command at 3:00:15, then the last 5 seconds are not included in the output.

The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the adaptive security appliance calculates the total events as the last 59 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

Examples

The following is sample output from the show threat-detection rate command: 

hostname# show threat-detection rate


                          Average(eps)    Current(eps) Trigger         Total events

  10-min ACL  drop:                  0               0       0                   16

  1-hour ACL  drop:                  0               0       0                  112

  1-hour SYN attck:                  5               0       2                21438

  10-min  Scanning:                  0               0      29                  193

  1-hour  Scanning:                106               0      10               384776

  1-hour Bad  pkts:                 76               0       2               274690

  10-min  Firewall:                  0               0       3                   22

  1-hour  Firewall:                 76               0       2               274844

  10-min DoS attck:                  0               0       0                    6

  1-hour DoS attck:                  0               0       0                   42

  10-min Interface:                  0               0       0                  204

  1-hour Interface:                 88               0       0               318225

Related Commands

Command
Description

clear threat-detection rate

Clears basic threat detection statistics.

show running-config all threat-detection

Shows the threat detection configuration, including the default rate settings if you did not configure them individually.

threat-detection basic-threat

Enables basic threat detection.

threat-detection rate

Sets the threat detection rate limits per event type.

threat-detection scanning-threat

Enables scanning threat detection.


show threat-detection scanning-threat

If you enable scanning threat detection with the threat-detection scanning-threat command, then view the hosts that are categorized as attackers and targets using the show threat-detection scanning-threat command in privileged EXEC mode.

show threat-detection scanning-threat [attacker | target]

Syntax Description

attacker

(Optional) Shows attacking host IP addresses.

target

(Optional) Shows targetted host IP addresses.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.0(2)

This command was introduced.

8.0(4)

The display was modified to include "& Subnet List" in the heading text.


Examples

The following is sample output from the show threat-detection scanning-threat command: 

hostname# show threat-detection scanning-threat

Latest Target Host & Subnet List:

    192.168.1.0

    192.168.1.249

   Latest Attacker Host & Subnet List:

    192.168.10.234

    192.168.10.0

    192.168.10.2

    192.168.10.3

    192.168.10.4

    192.168.10.5

    192.168.10.6

    192.168.10.7

    192.168.10.8

    192.168.10.9

Related Commands

Command
Description

clear threat-detection shun

Releases hosts from being shunned.

show threat-detection shun

Shows the currently shunned hosts.

show threat-detection statistics protocol

Shows the protocol statistics.

show threat-detection statistics top

Shows the top 10 statistics.

threat-detection scanning-threat

Enables scanning threat detection.


show threat-detection shun

If you enable scanning threat detection with the threat-detection scanning-threat command, and you automatically shun attacking hosts, then view the currently shunned hosts using the show threat-detection shun command in privileged EXEC mode.

show threat-detection shun

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

To release a host from being shunned, use the clear threat-detection shun command.

Examples

The following is sample output from the show threat-detection shun command: 

hostname# show threat-detection shun

Shunned Host List:

10.1.1.6

198.1.6.7

Related Commands

Command
Description

clear threat-detection shun

Releases hosts from being shunned.

show threat-detection statistics host

Shows the host statistics.

show threat-detection statistics protocol

Shows the protocol statistics.

show threat-detection statistics top

Shows the top 10 statistics.

threat-detection scanning-threat

Enables scanning threat detection.


show threat-detection statistics host

After you enable threat statistics with the threat-detection statistics host command, view host statistics using the show threat-detection statistics host command in privileged EXEC mode. Threat detection statistics show both allowed and dropped traffic rates.

show threat-detection statistics [min-display-rate min_display_rate] host [ip_address [mask]]

Syntax Description

ip_address

(Optional) Shows statistics for a particular host.

mask

(Optional) Sets the subnet mask for the host IP address.

min-display-rate min_display_rate

(Optional) Limits the display to statistics that exceed the minimum display rate in events per second. You can set the min_display_rate between 0 and 2147483647.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.0(2)

This command was introduced.

8.2(1)

The burst rate interval changed from 1/60th to 1/30th of the average rate.


Usage Guidelines

The display output shows the following:

The average rate in events/sec over fixed time periods.

The current burst rate in events/sec over the last completed burst interval, which is 1/30th of the average rate interval or 10 seconds, whichever is larger

The number of times the rates were exceeded (for dropped traffic statistics only)

The total number of events over the fixed time periods.

The adaptive security appliance computes the event counts 30 times over the average rate interval; in other words, the adaptive security appliance checks the rate at the end of each burst period, for a total of 30 completed burst intervals. The unfinshed burst interval presently occurring is not included in the average rate. For example, if the average rate interval is 20 minutes, then the burst interval is 20 seconds. If the last burst interval was from 3:00:00 to 3:00:20, and you use the show command at 3:00:25, then the last 5 seconds are not included in the output.

The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the adaptive security appliance calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

Examples

The following is sample output from the show threat-detection statistics host command: 

hostname# show threat-detection statistics host


                          Average(eps)    Current(eps) Trigger         Total events

Host:10.0.0.1: tot-ses:289235 act-ses:22571 fw-drop:0 insp-drop:0 null-ses:21438 bad-acc:0

  1-hour Sent byte:               2938               0       0             10580308

  8-hour Sent byte:                367               0       0             10580308

 24-hour Sent byte:                122               0       0             10580308

  1-hour Sent pkts:                 28               0       0               104043

  8-hour Sent pkts:                  3               0       0               104043

 24-hour Sent pkts:                  1               0       0               104043

  20-min Sent drop:                  9               0       1                10851

  1-hour Sent drop:                  3               0       1                10851

  1-hour Recv byte:               2697               0       0              9712670

  8-hour Recv byte:                337               0       0              9712670

 24-hour Recv byte:                112               0       0              9712670

  1-hour Recv pkts:                 29               0       0               104846

  8-hour Recv pkts:                  3               0       0               104846

 24-hour Recv pkts:                  1               0       0               104846

  20-min Recv drop:                 42               0       3                50567

  1-hour Recv drop:                 14               0       1                50567

Host:10.0.0.0: tot-ses:1 act-ses:0 fw-drop:0 insp-drop:0 null-ses:0 bad-acc:0

  1-hour Sent byte:                  0               0       0                  614

  8-hour Sent byte:                  0               0       0                  614

 24-hour Sent byte:                  0               0       0                  614

  1-hour Sent pkts:                  0               0       0                    6

  8-hour Sent pkts:                  0               0       0                    6

 24-hour Sent pkts:                  0               0       0                    6

  20-min Sent drop:                  0               0       0                    4

  1-hour Sent drop:                  0               0       0                    4

  1-hour Recv byte:                  0               0       0                  706

  8-hour Recv byte:                  0               0       0                  706

 24-hour Recv byte:                  0               0       0                  706

  1-hour Recv pkts:                  0               0       0                    7

Table 29-6 shows each field description.

Table 29-6 show threat-detection statistics host Fields 

Field
Description

Host

Shows the host IP address.

tot-ses

Shows the total number of sessions for this host since it was added to the database.

act-ses

Shows the total number of active sessions that the host is currently involved in.

fw-drop

Shows the number of firewall drops. Firewall drops is a combined rate that includes all firewall-related packet drops tracked in basic threat detection, including access list denials, bad packets, exceeded connection limits, DoS attack packets, suspicious ICMP packets, TCP SYN attack packets, and no data UDP attack packets. It does not include non-firewall-related drops such as interface overload, packets failed at application inspection, and scanning attack detected.

insp-drop

Shows the number of packets dropped because they failed application inspection.

null-ses

Shows the number of null sessions, which are TCP SYN sessions that did not complete within the 3-second timeout, and UDP sessions that did not have any data sent by its server 3 seconds after the session starts.

bad-acc

Shows the number of bad access attempts to host ports that are in a closed state. When a port is determined to be in a null session (see above), the port state of the host is set to HOST_PORT_CLOSE. Any client accessing the port of the host is immediately classified as a bad access without the need to wait for a timeout.

Average(eps)

Shows the average rate in events/sec over each time period.

The security appliance stores the count at the end of each burst period, for a total of 30 completed burst intervals. The unfinshed burst interval presently occurring is not included in the average rate. For example, if the average rate interval is 20 minutes, then the burst interval is 20 seconds. If the last burst interval was from 3:00:00 to 3:00:20, and you use the show command at 3:00:25, then the last 5 seconds are not included in the output.

The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the adaptive security appliance calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

Current(eps)

Shows the current burst rate in events/sec over the last completed burst interval, which is 1/30th of the average rate interval or 10 seconds, whichever is larger. For the example specified in the Average(eps) description, the current rate is the rate from 3:19:30 to 3:20:00

Trigger

Shows the number of times the dropped packet rate limits were exceeded. For valid traffic identified in the sent and received bytes and packets rows, this value is always 0, because there are no rate limits to trigger for valid traffic.

Total events

Shows the total number of events over each rate interval. The unfinshed burst interval presently occurring is not included in the total events. The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the adaptive security appliance calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

20-min, 1-hour, 8-hour, and 24-hour

By default, there are three rate intervals shown. You can reduce the number of rate intervals using the threat-detection statistics host number-of-rate command. Because host statistics use a lot of memory, reducing the number of rate intervals from the default of 3 reduces the memory usage. If you set this keyword to 1, then only the shortest rate interval statistics are maintained. If you set the value to 2, then the two shortest intervals are maintained.

Sent byte

Shows the number of successful bytes sent from the host.

Sent pkts

Shows the number of successful packets sent from the host.

Sent drop

Shows the number of packets sent from the host that were dropped because they were part of a scanning attack.

Recv byte

Shows the number of successful bytes received by the host.

Recv pkts

Shows the number of successful packets received by the host.

Recv drop

Shows the number of packets received by the host that were dropped because they were part of a scanning attack.


Related Commands

Command
Description

threat-detection scanning-threat

Enables scanning threat detection.

show threat-detection statistics top

Shows the top 10 statistics.

show threat-detection statistics port

Shows the port statistics.

show threat-detection statistics protocol

Shows the protocol statistics.

threat-detection statistics

Enables threat statistics.


show threat-detection statistics port

After you enable threat statistics with the threat-detection statistics port command, view TCP and UDP port statistics using the show threat-detection statistics port command in privileged EXEC mode. Threat detection statistics show both allowed and dropped traffic rates.

show threat-detection statistics [min-display-rate min_display_rate] port [start_port[-end_port]]

Syntax Description

start_port[-end_port]

(Optional) Shows statistics for a particular port or range of ports, between 0 and 65535.

min-display-rate min_display_rate

(Optional) Limits the display to statistics that exceed the minimum display rate in events per second. You can set the min_display_rate between 0 and 2147483647.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.0(2)

This command was introduced.

8.2(1)

The burst rate interval changed from 1/60th to 1/30th of the average rate.


Usage Guidelines

The display output shows the following:

The average rate in events/sec over fixed time periods.

The current burst rate in events/sec over the last completed burst interval, which is 1/30th of the average rate interval or 10 seconds, whichever is larger

The number of times the rates were exceeded (for dropped traffic statistics only)

The total number of events over the fixed time periods.

The adaptive security appliance computes the event counts 30 times over the average rate interval; in other words, the adaptive security appliance checks the rate at the end of each burst period, for a total of 30 completed burst intervals. The unfinished burst interval presently occurring is not included in the average rate. For example, if the average rate interval is 20 minutes, then the burst interval is 20 seconds. If the last burst interval was from 3:00:00 to 3:00:20, and you use the show command at 3:00:25, then the last 5 seconds are not included in the output.

The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the adaptive security appliance calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

Examples

The following is sample output from the show threat-detection statistics port command: 

hostname# show threat-detection statistics port


                          Average(eps)    Current(eps) Trigger         Total events

80/HTTP: tot-ses:310971 act-ses:22571

  1-hour Sent byte:               2939               0       0             10580922

  8-hour Sent byte:                367           22043       0             10580922

 24-hour Sent byte:                122            7347       0             10580922

  1-hour Sent pkts:                 28               0       0               104049

  8-hour Sent pkts:                  3             216       0               104049

 24-hour Sent pkts:                  1              72       0               104049

  20-min Sent drop:                  9               0       2                10855

  1-hour Sent drop:                  3               0       2                10855

  1-hour Recv byte:               2698               0       0              9713376

  8-hour Recv byte:                337           20236       0              9713376

 24-hour Recv byte:                112            6745       0              9713376

  1-hour Recv pkts:                 29               0       0               104853

  8-hour Recv pkts:                  3             218       0               104853

 24-hour Recv pkts:                  1              72       0               104853

  20-min Recv drop:                 24               0       2                29134

  1-hour Recv drop:                  8               0       2                29134

Table 29-6 shows each field description.

Table 29-7 show threat-detection statistics port Fields 

Field
Description

Average(eps)

Shows the average rate in events/sec over each time period.

The security appliance stores the count at the end of each burst period, for a total of 30 completed burst intervals. The unfinished burst interval presently occurring is not included in the average rate. For example, if the average rate interval is 20 minutes, then the burst interval is 20 seconds. If the last burst interval was from 3:00:00 to 3:00:20, and you use the show command at 3:00:25, then the last 5 seconds are not included in the output.

The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the adaptive security appliance calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

Current(eps)

Shows the current burst rate in events/sec over the last completed burst interval, which is 1/30th of the average rate interval or 10 seconds, whichever is larger. For the example specified in the Average(eps) description, the current rate is the rate from 3:19:30 to 3:20:00

Trigger

Shows the number of times the dropped packet rate limits were exceeded. For valid traffic identified in the sent and received bytes and packets rows, this value is always 0, because there are no rate limits to trigger for valid traffic.

Total events

Shows the total number of events over each rate interval. The unfinished burst interval presently occurring is not included in the total events. The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the adaptive security appliance calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

port_number/port_name

Shows the port number and name where the packet or byte was sent, received, or droppped.

tot-ses

Shows the total number of sessions for this port.

act-ses

Shows the total number of active sessions that the port is currently involved in.

20-min, 1-hour, 8-hour, and 24-hour

Shows statistics for these fixed rate intervals.

Sent byte

Shows the number of successful bytes sent from the port.

Sent pkts

Shows the number of successful packets sent from the port.

Sent drop

Shows the number of packets sent from the port that were dropped because they were part of a scanning attack.

Recv byte

Shows the number of successful bytes received by the port.

Recv pkts

Shows the number of successful packets received by the port.

Recv drop

Shows the number of packets received by the port that were dropped because they were part of a scanning attack.


Related Commands

Command
Description

threat-detection scanning-threat

Enables scanning threat detection.

show threat-detection statistics top

Shows the top 10 statistics.

show threat-detection statistics host

Shows the host statistics.

show threat-detection statistics protocol

Shows the protocol statistics.

threat-detection statistics

Enables threat statistics.


show threat-detection statistics protocol

After you enable threat statistics with the threat-detection statistics protocol command, view IP protocol statistics using the show threat-detection statistics protocol command in privileged EXEC mode. Threat detection statistics show both allowed and dropped traffic rates.

show threat-detection statistics [min-display-rate min_display_rate] protocol [protocol_number | protocol_name]

Syntax Description

protocol_number

(Optional) Shows statistics for a specific protocol number, between 0 and 255.

min-display-rate min_display_rate

(Optional) Limits the display to statistics that exceed the minimum display rate in events per second. You can set the min_display_rate between 0 and 2147483647.

protocol_name

(Optional) Shows statistics for a specific protocol name:

ah

eigrp

esp

gre

icmp

igmp

igrp

ip

ipinip

ipsec

nos

ospf

pcp

pim

pptp

snp

tcp

udp


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.0(2)

This command was introduced.

8.2(1)

The burst rate interval changed from 1/60th to 1/30th of the average rate.


Usage Guidelines

The display output shows the following:

The average rate in events/sec over fixed time periods.

The current burst rate in events/sec over the last completed burst interval, which is 1/30th of the average rate interval or 10 seconds, whichever is larger

The number of times the rates were exceeded (for dropped traffic statistics only)

The total number of events over the fixed time periods.

The adaptive security appliance computes the event counts 30 times over the average rate interval; in other words, the adaptive security appliance checks the rate at the end of each burst period, for a total of 30 completed burst intervals. The unfinished burst interval presently occurring is not included in the average rate. For example, if the average rate interval is 20 minutes, then the burst interval is 20 seconds. If the last burst interval was from 3:00:00 to 3:00:20, and you use the show command at 3:00:25, then the last 5 seconds are not included in the output.

The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the adaptive security appliance calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

Examples

The following is sample output from the show threat-detection statistics protocol command: 

hostname# show threat-detection statistics protocol


                          Average(eps)    Current(eps) Trigger         Total events

ICMP: tot-ses:0 act-ses:0

  1-hour Sent byte:                  0               0       0                 1000

  8-hour Sent byte:                  0               2       0                 1000

 24-hour Sent byte:                  0               0       0                 1000

  1-hour Sent pkts:                  0               0       0                   10

  8-hour Sent pkts:                  0               0       0                   10

 24-hour Sent pkts:                  0               0       0                   10

Table 29-6 shows each field description.

Table 29-8 show threat-detection statistics protocol Fields 

Field
Description

Average(eps)

Shows the average rate in events/sec over each time period.

The security appliance stores the count at the end of each burst period, for a total of 30 completed burst intervals. The unfinished burst interval presently occurring is not included in the average rate. For example, if the average rate interval is 20 minutes, then the burst interval is 20 seconds. If the last burst interval was from 3:00:00 to 3:00:20, and you use the show command at 3:00:25, then the last 5 seconds are not included in the output.

The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the adaptive security appliance calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

Current(eps)

Shows the current burst rate in events/sec over the last completed burst interval, which is 1/30th of the average rate interval or 10 seconds, whichever is larger. For the example specified in the Average(eps) description, the current rate is the rate from 3:19:30 to 3:20:00

Trigger

Shows the number of times the dropped packet rate limits were exceeded. For valid traffic identified in the sent and received bytes and packets rows, this value is always 0, because there are no rate limits to trigger for valid traffic.

Total events

Shows the total number of events over each rate interval. The unfinished burst interval presently occurring is not included in the total events. The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the adaptive security appliance calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

protocol_number/
protocol_name

Shows the protocol number and name where the packet or byte was sent, received, or droppped.

tot-ses

Not currently used.

act-ses

Not currently used.

20-min, 1-hour, 8-hour, and 24-hour

Shows statistics for these fixed rate intervals.

Sent byte

Shows the number of successful bytes sent from the protocol.

Sent pkts

Shows the number of successful packets sent from the protocol.

Sent drop

Shows the number of packets sent from the protocol that were dropped because they were part of a scanning attack.

Recv byte

Shows the number of successful bytes received by the protocol.

Recv pkts

Shows the number of successful packets received by the protocol.

Recv drop

Shows the number of packets received by the protocol that were dropped because they were part of a scanning attack.


Related Commands

Command
Description

threat-detection scanning-threat

Enables scanning threat detection.

show threat-detection statistics top

Shows the top 10 statistics.

show threat-detection statistics port

Shows the port statistics.

show threat-detection statistics host

Shows the host statistics.

threat-detection statistics

Enables threat statistics.


show threat-detection statistics top

After you enable threat statistics with the threat-detection statistics command, view the top 10 statistics using the show threat-detection statistics top command in privileged EXEC mode. If you did not enable the threat detection statistics for a particular type, then you cannot view those statistics with this command. Threat detection statistics show both allowed and dropped traffic rates.

show threat-detection statistics [min-display-rate min_display_rate] top [[access-list | host | port-protocol] [rate-1 | rate-2 | rate-3] | tcp-intercept [all] [detail] [long]]

Syntax Description

access-list

(Optional) Shows the top 10 ACEs that that match packets, including both permit and deny ACEs. Permitted and denied traffic are not differentiated in this display. If you enable basic threat detection using the threat-detection basic-threat command, you can track access list denies using the show threat-detection rate access-list command.

all

(Optional) For TCP Intercept, shows the history data of all the traced servers.

detail

(Optional) For TCP Intercept, shows history sampling data.

host

(Optional) Shows the top 10 host statistics for each fixed time period.

long

(Optional) Shows the statistical history in a long format, with the real IP address and the untranslated IP address of the server.

min-display-rate min_display_rate

(Optional) Limits the display to statistics that exceed the minimum display rate in events per second. You can set the min_display_rate between 0 and 2147483647.

port-protocol

(Optional) Shows the top 10 combined statistics of TCP/UDP port and IP protocol types. TCP (protocol 6) and UDP (protocol 17) are not included in the display for IP protocols; TCP and UDP ports are, however, included in the display for ports. If you only enable statistics for one of these types, port or protocol, then you will only view the enabled statistics.

rate-1

(Optional) Shows the statistics for the smallest fixed rate intervals available in the display. For example, if the display shows statistics for the last 1 hour, 8 hours, and 24 hours, then when you use the rate-1 keyword, the adaptive security appliance shows only the 1 hour time interval.

rate-2

(Optional) Shows the statistics for the middle fixed rate intervals available in the display. For example, if the display shows statistics for the last 1 hour, 8 hours, and 24 hours, then when you use the rate-2 keyword, the adaptive security appliance shows only the 8 hour time interval.

rate-3

(Optional) Shows the statistics for the largest fixed rate intervals available in the display. For example, if the display shows statistics for the last 1 hour, 8 hours, and 24 hours, then when you use the rate-3 keyword, the adaptive security appliance shows only the 24 hour time interval.

tcp-intercept

Shows TCP Intercept statistics. The display includes the top 10 protected servers under attack.


Defaults

If you do not specify an event type, all events are shown.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.0(2)

This command was introduced.

8.0(4)

The tcp-intercept keyword was added.

8.2(1)

The burst rate interval changed from 1/60th to 1/30th of the average rate.


Usage Guidelines

The display output shows the following:

The average rate in events/sec over fixed time periods.

The current burst rate in events/sec over the last completed burst interval, which is 1/30th of the average rate interval or 10 seconds, whichever is larger

The number of times the rates were exceeded (for dropped traffic statistics only)

The total number of events over the fixed time periods.

The adaptive security appliance computes the event counts 30 times over the average rate interval; in other words, the adaptive security appliance checks the rate at the end of each burst period, for a total of 30 completed burst intervals. The unfinished burst interval presently occurring is not included in the average rate. For example, if the average rate interval is 20 minutes, then the burst interval is 20 seconds. If the last burst interval was from 3:00:00 to 3:00:20, and you use the show command at 3:00:25, then the last 5 seconds are not included in the output.

The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the adaptive security appliance calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

Examples

The following is sample output from the show threat-detection statistics top access-list command: 

hostname# show threat-detection statistics top access-list


                   Top    Average(eps)    Current(eps) Trigger         Total events

  1-hour ACL hits:

              100/3[0]             173               0       0               623488

              200/2[1]              43               0       0               156786

              100/1[2]              43               0       0               156786

  8-hour ACL hits:

              100/3[0]              21            1298       0               623488

              200/2[1]               5             326       0               156786

              100/1[2]               5             326       0               156786

Table 29-6 shows each field description.

Table 29-9 show threat-detection statistics top access-list Fields 

Field
Description

Top

Shows the ranking of the ACE within the time period, from [0] (highest count) to [9] (lowest count). You might not have enough statistics for all 10 positions, so less then 10 ACEs might be listed.

Average(eps)

Shows the average rate in events/sec over each time period.

The security appliance stores the count at the end of each burst period, for a total of 30 completed burst intervals. The unfinished burst interval presently occurring is not included in the average rate. For example, if the average rate interval is 20 minutes, then the burst interval is 20 seconds. If the last burst interval was from 3:00:00 to 3:00:20, and you use the show command at 3:00:25, then the last 5 seconds are not included in the output.

The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the adaptive security appliance calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

Current(eps)

Shows the current burst rate in events/sec over the last completed burst interval, which is 1/30th of the average rate interval or 10 seconds, whichever is larger. For the example specified in the Average(eps) description, the current rate is the rate from 3:19:30 to 3:20:00.

Trigger

This column is always 0, because there are no rate limits triggered by access list traffic; denied and permitted traffic are not differentiated in this display. If you enable basic threat detection using the threat-detection basic-threat command, you can track access list denies using the show threat-detection rate access-list command.

Total events

Shows the total number of events over each rate interval. The unfinished burst interval presently occurring is not included in the total events. The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the adaptive security appliance calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

1-hour, 8-hour

Shows statistics for these fixed rate intervals.

acl_name/line_number

Shows the access list name and line number of the ACE that caused the denies.


The following is sample output from the show threat-detection statistics top access-list rate-1 command: 

hostname# show threat-detection statistics top access-list rate-1


                   Top    Average(eps)    Current(eps) Trigger         Total events

  1-hour ACL hits:

              100/3[0]             173               0       0               623488

              200/2[1]              43               0       0               156786

              100/1[2]              43               0       0               156786

The following is sample output from the show threat-detection statistics top port-protocol command: 

hostname# show threat-detection statistics top port-protocol


Top          Name   Id    Average(eps)    Current(eps) Trigger      Total events

  1-hour Recv byte:

 1         gopher   70              71               0       0          32345678

 2  btp-clnt/dhcp   68              68               0       0          27345678

 3         gopher   69              65               0       0          24345678

 4    Protocol-96 * 96              63               0       0          22345678

 5      Port-7314 7314              62               0       0          12845678

 6 BitTorrent/trc 6969              61               0       0          12645678

 7     Port-8191-65535              55               0       0          12345678

 8           SMTP  366              34               0       0           3345678

 9         IPinIP *  4              30               0       0           2345678

10          EIGRP * 88              23               0       0           1345678

  1-hour Recv pkts:

...

...

  8-hour Recv byte:

...

...

  8-hour Recv pkts:

...

...

 24-hour Recv byte:

...

...

 24-hour Recv pkts:

...

...


Note: Id preceded by * denotes the Id is an IP protocol type

Table 29-10 shows each field description.

Table 29-10 show threat-detection statistics top port-protocol Fields 

Field
Description

Top

Shows the ranking of the port or protocol within the time period/type of statistic, from [0] (highest count) to [9] (lowest count). You might not have enough statistics for all 10 positions, so less then 10 ports/protocols might be listed.

Name

Shows the port/protocol name.

Id

Shows the port/protocol ID number. The asterisk (*) means the ID is an IP protocol number.

Average(eps)

See the description in Table 29-6.

Current(eps)

See the description in Table 29-6.

Trigger

Shows the number of times the dropped packet rate limits were exceeded. For valid traffic identified in the sent and received bytes and packets rows, this value is always 0, because there are no rate limits to trigger for valid traffic.

Total events

See the description in Table 29-6.

Time_interval Sent byte

Shows the number of successful bytes sent from the listed ports and protocols for each time period.

Time_interval Sent packet

Shows the number of successful packets sent from the listed ports and protocols for each time period.

Time_interval Sent drop

Shows the number of packets sent for each time period from the listed ports and protocols that were dropped because they were part of a scanning attack.

Time_interval Recv byte

Shows the number of successful bytes received by the listed ports and protocols for each time period.

Time_interval Recv packet

Shows the number of successful packets received by the listed ports and protocols for each time period.

Time_interval Recv drop

Shows the number of packets received for each time period by the listed ports and protocols that were dropped because they were part of a scanning attack.

port_number/port_name

Shows the port number and name where the packet or byte was sent, received, or droppped.

protocol_number/protocol_name

Shows the protocol number and name where the packet or byte was sent, received, or droppped.



The following is sample output from the show threat-detection statistics top host command: 

hostname# show threat-detection statistics top host


                   Top    Average(eps)    Current(eps) Trigger         Total events

  1-hour Sent byte:

          10.0.0.1[0]            2938               0       0             10580308

  1-hour Sent pkts:

          10.0.0.1[0]              28               0       0               104043

  20-min Sent drop:

          10.0.0.1[0]               9               0       1                10851

  1-hour Recv byte:

          10.0.0.1[0]            2697               0       0              9712670

  1-hour Recv pkts:

          10.0.0.1[0]              29               0       0               104846

  20-min Recv drop:

          10.0.0.1[0]              42               0       3                50567

  8-hour Sent byte:

          10.0.0.1[0]             367               0       0             10580308

  8-hour Sent pkts:

          10.0.0.1[0]               3               0       0               104043

  1-hour Sent drop:

          10.0.0.1[0]               3               0       1                10851

  8-hour Recv byte:

          10.0.0.1[0]             337               0       0              9712670

  8-hour Recv pkts:

          10.0.0.1[0]               3               0       0               104846

  1-hour Recv drop:

          10.0.0.1[0]              14               0       1                50567

 24-hour Sent byte:

          10.0.0.1[0]             122               0       0             10580308

 24-hour Sent pkts:

          10.0.0.1[0]               1               0       0               104043

 24-hour Recv byte:

          10.0.0.1[0]             112               0       0              9712670

 24-hour Recv pkts:

          10.0.0.1[0]               1               0       0               104846

Table 29-11 shows each field description.

Table 29-11 show threat-detection statistics top host Fields 

Field
Description

Top

Shows the ranking of the host within the time period/type of statistic, from [0] (highest count) to [9] (lowest count). You might not have enough statistics for all 10 positions, so less then 10 hosts might be listed.

Average(eps)

See the description in Table 29-6.

Current(eps)

See the description in Table 29-6.

Trigger

See the description in Table 29-6.

Total events

See the description in Table 29-6.

Time_interval Sent byte

Shows the number of successful bytes sent to the listed hosts for each time period.

Time_interval Sent packet

Shows the number of successful packets sent to the listed hosts for each time period.

Time_interval Sent drop

Shows the number of packets sent for each time period to the listed hosts that were dropped because they were part of a scanning attack.

Time_interval Recv byte

Shows the number of successful bytes received by the listed hosts for each time period.

Time_interval Recv packet

Shows the number of successful packets received by the listed ports and protocols for each time period.

Time_interval Recv drop

Shows the number of packets received for each time period by the listed ports and protocols that were dropped because they were part of a scanning attack.

host_ip_address

Shows the host IP address where the packet or byte was sent, received, or droppped.


The following is sample output from the show threat-detection statistics top tcp-intercept command: 

hostname# show threat-detection statistics top tcp-intercept long


Top 10 Protected Servers under Attack (sorted by average rate)

Monitoring Window Size: 30 mins    Sampling Interval: 30 secs

<Rank> <Server IP:Port (RealIP:Real Port)> <Interface> <Ave Rate> <Cur Rate> <Total> 
<Source IP (Last Attack Time)>

----------------------------------------------------------------------------------

1    192.168.1.2:5000 inside 1249 9503 2249245 <various> Last: 10.0.0.3 (0 secs ago)

2    192.168.1.3:5000 inside 10 10 6080 10.0.0.200 (0 secs ago)

3    192.168.1.4:5000 inside 2 6 560 10.0.0.200 (59 secs ago)

4    192.168.1.5:5000 inside 1 5 560 10.0.0.200 (59 secs ago)

5    192.168.1.6:5000 inside 1 4 560 10.0.0.200 (59 secs ago)

6    192.168.1.7:5000 inside 0 3 560 10.0.0.200 (59 secs ago)

7    192.168.1.8:5000 inside 0 2 560 10.0.0.200 (59 secs ago)

8    192.168.1.9:5000 inside 0 1 560 10.0.0.200 (59 secs ago)

9    192.168.1.10:5000 inside 0 0 550 10.0.0.200 (2 mins ago)

10   192.168.1.11:5000 inside 0 0 550 10.0.0.200 (5 mins ago)

Table 29-12 shows each field description.

Table 29-12 show threat-detection statistics top tcp-intercept Fields 

Field
Description

Monitoring window size:

Shows the period of time over which the adaptive security appliance samples data for statistics. The default is 30 minutes. You can change this setting using the threat-detection statistics tcp-intercept rate-interval command. The adaptive security appliance samples data 30 times during this interval.

Sampling interval:

Shows the interval between samples. This value is always the rate interval divided by 30.

rank

Shows the ranking, 1 through 10, where 1 is the most attacked server, and 10 is the least attacked server.

server_ip:port

Shows the server IP address and the port on which it is being attacked.

interface

Shows the inerface through which the server is being attacked.

avg_rate

Shows the average rate of attack, in attacks per second over the sampling period

current_rate

Shows the current attack rate, in attacks per second.

total

Shows the total number of attacks.

attacker_ip

Shows the attacker IP address.

(last_attack_time ago)

Shows when the last attack occurred.


The following is sample output from the show threat-detection statistics top tcp-intercept detail command: 

hostname# show threat-detection statistics top tcp-intercept detail


Top 10 Protected Servers under Attack (sorted by average rate)

Monitoring Window Size: 30 mins    Sampling Interval: 30 secs

<Rank> <Server IP:Port> <Interface> <Ave Rate> <Cur Rate> <Total> <Source IP (Last Attack 
Time)> 

----------------------------------------------------------------------------------

1    192.168.1.2:5000 inside 1877 9502 3379276 <various> Last: 10.0.0.45 (0 secs ago)

     Sampling History (30 Samplings):

             95348      95337      95341      95339      95338      95342

             95337      95348      95342      95338      95339      95340

             95339      95337      95342      95348      95338      95342

             95337      95339      95340      95339      95347      95343

             95337      95338      95342      95338      95337      95342

             95348      95338      95342      95338      95337      95343

             95337      95349      95341      95338      95337      95342

             95338      95339      95338      95350      95339      95570

             96351      96351      96119      95337      95349      95341

             95338      95337      95342      95338      95338      95342

......

Table 29-13 shows each field description.

Table 29-13 show threat-detection statistics top tcp-intercept detail Fields 

Field
Description

Monitoring window size:

Shows the period of time over which the adaptive security appliance samples data for statistics. The default is 30 minutes. You can change this setting using the threat-detection statistics tcp-intercept rate-interval command. The adaptive security appliance samples data 30 times during this interval.

Sampling interval:

Shows the interval between samples. This value is always the rate interval divided by 30.

rank

Shows the ranking, 1 through 10, where 1 is the most attacked server, and 10 is the least attacked server.

server_ip:port

Shows the server IP address and the port on which it is being attacked.

interface

Shows the inerface through which the server is being attacked.

avg_rate

Shows the average rate of attack, in attacks per second over the rate interval set by the threat-detection statistics tcp-intercept rate-interval command (by default, the rate interval is 30 minutes). The adaptive security appliance samples the data every 30 seconds over the rate interval.

current_rate

Shows the current attack rate, in attacks per second.

total

Shows the total number of attacks.

attacker_ip or <various> Last: attacker_ip

Shows the attacker IP address. If there is more than one attacker, then "<various>" displays followed by the last attacker IP address.

(last_attack_time ago)

Shows when the last attack occurred.

sampling data

Shows all 30 sampling data values, which show the number of attacks at each inerval.


Related Commands

Command
Description

threat-detection scanning-threat

Enables scanning threat detection.

show threat-detection statistics host

Shows the host statistics.

show threat-detection statistics port

Shows the port statistics.

show threat-detection statistics protocol

Shows the protocol statistics.

threat-detection statistics

Enables threat statistics.


show tls-proxy

To display TLS proxy and session information, use the show tls-proxy command in global configuration mode.

show tls-proxy tls_name [session [host host_addr | detail [cert-dump | count]]

Syntax Description

cert-dump

Dumps the local dynamic certificate. Output is a hex dump of the LDC.

count

Shows only the session counters.

detail

Shows detailed TLS proxy information including the cipher for each SSL leg and the LDC.

host host_addr

Specifies a particular host to show the sessions associated with.

session

Shows active TLS proxy sessions.

tls_name

Name of the TLS proxy to show.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC mode

·

·

·

·

·


Command History

Release
Modification

8.0(2)

This command was introduced.


Examples

The following is sample output from the show tls-proxy command: 

hostname# show tls-proxy

TLS-Proxy `proxy': ref_cnt 1, seq#1

	Server proxy: 

		Trust-point: local_ccm

	Client proxy:

		Local dynamic certificate issuer: ldc_signer

		Local dynamic certificate key-pair: phone_common

		Cipher-suite <unconfigured>

	Run-time proxies:

		Proxy 0x448b468: Class-map: skinny_ssl, Inspect: skinny

			Active sess 1, most sess 4, byte 3244

The following is sample output from the show tls-proxy session command: 

hostname# show tls-proxy session

outside 133.9.0.211:51291 inside 195.168.2.200:2443 P:0x4491a60(proxy)

S:0x482e790 byte 3388

The following is sample output from the show tls-proxy session detail command: 

hostname# show tls-proxy session detail

1 in use, 1 most used

outside 133.9.0.211:50433 inside 195.168.2.200:2443 P:0xcba60b60(proxy) S:0xcbc10748 byte 
1831704

	Client: State SSLOK  Cipher AES128-SHA Ch 0xca55efc8 TxQSize 0 LastTxLeft 0 Flags 0x1

	Server: State SSLOK  Cipher AES128-SHA Ch 0xca55efa8 TxQSize 0 LastTxLeft 0 Flags 0x9

Local Dynamic Certificate

	Status: Available

	Certificate Serial Number: 29

	Certificate Usage: General Purpose

	Public Key Type: RSA (1024 bits)

	Issuer Name: 

		cn=TLS-Proxy-Signer

	Subject Name:

		cn=SEP0002B9EB0AAD

		o=Cisco Systems Inc

		c=US

	Validity Date: 

		start date: 00:47:12 PDT Feb 27 2007

		end   date: 00:47:12 PDT Feb 27 2008

	Associated Trustpoints:

Related Commands

Command
Description

client

Defines a cipher suite and sets the local dynamic certificate issuer or keypair.

ctl-provider

Defines a CTL provider instance and enters provider configuration mode.

show running-config tls-proxy

Shows running configuration of all or specified TLS proxies.

tls-proxy

Defines a TLS proxy instance and sets the maximum sessions.


show track

To display information about object tracked by the tracking process, use the show track command in user EXEC mode.

show track [track-id]

Syntax Description

track-id

A tracking entry object ID. Valid values are from 1 to 500.


Defaults

If the track-id is not provided, then information about all tracking objects is displayed.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC


Command History

Release
Modification

7.2(1)

This command was introduced.


Examples

The following is sample output from the show track command: 

hostname(config)# show track


Track 5

	Response Time Reporter 124 reachability

	Reachability is UP

	2 changes, last change 03:41:16

	Latest operation return code: OK

	Tracked by:

		STATIC-IP-ROUTING 0

Related Commands

Command
Description

show running-config track

Displays the track rtr commands in the running configuration.

track rtr

Creates a tracking entry to poll the SLA.


show traffic

To display interface transmit and receive activity, use the show traffic command in privileged EXEC mode.

show traffic

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.2(1)

Special display for the ASA 5550 adaptive security appliance was added.


Usage Guidelines

The show traffic command lists the number of packets and bytes moving through through each interface since the last show traffic command was entered or since the adaptive adaptive security appliance came online. The number of seconds is the duration the adaptive adaptive security appliance has been online since the last reboot, unless the clear traffic command was entered since the last reboot. If this is the case, then the number of seconds is the duration since that command was entered.

For the ASA 5550 adaptive security appliance, the show traffic command also shows the aggregated throughput per slot. Because the ASA 5550 adaptive security appliance requires traffic to be evenly distributed across slots fro maximum throughput, this display helps you determine if the traffic is distributed evenly.

Examples

The following example shows output from the show traffic command: 

hostname# show traffic

outside: 
        received (in 102.080 secs): 
                2048 packets 204295 bytes 
                20 pkts/sec 2001 bytes/sec 
        transmitted (in 102.080 secs): 
                2048 packets 204056 bytes 
                20 pkts/sec 1998 bytes/sec 
 
Ethernet0: 
        received (in 102.080 secs): 
                2049 packets 233027 bytes 
                20 pkts/sec 2282 bytes/sec 
        transmitted (in 102.080 secs): 
                2048 packets 232750 bytes 
                20 pkts/sec 2280 bytes/sec

For the ASA 5550 adaptive security appliance, the following text is displayed at the end: 


----------------------------------------

        Per Slot Throughput Profile      

----------------------------------------

  Packets-per-second profile:

    Slot 0:       3148  50%|****************

    Slot 1:       3149  50%|****************


  Bytes-per-second profile:

    Slot 0:     427044  50%|****************

    Slot 1:     427094  50%|****************

Related Commands

Command
Description

clear traffic

Resets the counters for transmit and receive activity.


show uauth

To display one or all currently authenticated users, the host IP to which they are bound, and any cached IP and port authorization information, use the show uauth command in privileged EXEC mode.

show uauth [username]

Syntax Description

username

(Optional) Specifies, by username, the user authentication and authorization information to display.


Defaults

Omitting username displays the authorization information for all users.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The show uauth command displays the AAA authorization and authentication caches for one user or for all users.

This command is used with the timeout command.

Each user host IP address has an authorization cache attached to it. The cache allows up to 16 address and service pairs for each user host. If the user attempts to access a service that has been cached from the correct host, the adaptive security appliance considers it preauthorized and immediately proxies the connection. Once you are authorized to access a website, for example, the authorization server is not contacted for each image as it is loaded (assuming the images come from the same IP address). This process significantly increases performance and reduces the load on the authorization server.

The output from the show uauth command displays the username that is provided to the authorization server for authentication and authorization purposes, the IP address to which the username is bound, and whether the user is authenticated only or has cached services.

Note When you enable Xauth, an entry is added to the uauth table (as shown by the show uauth command) for the IP address that is assigned to the client. However, when using Xauth with the Easy VPN Remote feature in Network Extension Mode, the IPSec tunnel is created from network to network, so that the users behind the firewall cannot be associated with a single IP address. For this reason, a uauth entry cannot be created upon completion of Xauth. If AAA authorization or accounting services are required, you can enable the AAA authentication proxy to authenticate users behind the firewall. For more information on AAA authentication proxies, see to the aaa commands.

Use the timeout uauth command to specify how long the cache should be kept after the user connections become idle. Use the clear uauth command to delete all the authorization caches for all the users, which will cause them to have to reauthenticate the next time that they create a connection.

Examples

This example shows sample output from the show uauth command when no users are authenticated and one user authentication is in progress: 

hostname(config)# show uauth     

                        Current    Most Seen

Authenticated Users       0          0

Authen In Progress        0          1

This example shows sample output from the show uauth command when three users are authenticated and authorized to use services through the adaptive security appliance: 

hostname(config)# show uauth

user `pat' from 209.165.201.2 authenticated

user `robin' from 209.165.201.4 authorized to:

                       port 192.168.67.34/telnet                        192.168.67.11/http                                    192.168.67.33/tcp/8001

                                                          192.168.67.56/tcp/25                              192.168.67.42/ftp

user `terry' from 209.165.201.7 authorized to:

                       port 192.168.1.50/http                                     209.165.201.8/http

Related Commands

Command
Description

clear uauth

Remove current user authentication and authorization information.

timeout

Set the maximum idle time duration.


show url-block

To display the number of packets held in the url-block buffer and the number (if any) dropped due to exceeding the buffer limit or retransmission, use the show url-block command in privileged EXEC mode.

show url-block [block statistics]

Syntax Description

block statistics

(Optional) Displays block buffer usage statistics.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The show url-block block statistics command displays the number of packets held in the url block buffer and the number (if any) dropped due to exceeding the buffer limit or retransmission.

Examples

The following is sample output from the show url-block command: 

hostname# show url-block

 | url-block url-mempool 128 | url-block url-size 4 | url-block block 128

This shows the configuration of the URL block buffer.


The following is sample output from the show url-block block statistics command: 

hostname# show url-block block statistics


URL Pending Packet Buffer Stats with max block  128 | 

Cumulative number of packets held: | 896

Maximum number of packets held (per URL): | 3

Current number of packets held (global): | 38

Packets dropped due to

 | exceeding url-block buffer limit: | 7546

 | HTTP server retransmission: | 10

Number of packets released back to client: | 0

Related Commands

Commands
Description

clear url-block block statistics

Clears the block buffer usage counters.

filter url

Directs traffic to a URL filtering server.

url-block

Manage the URL buffers used for web server responses.

url-cache

Enables URL caching while pending responses from an N2H2 or Websense server and sets the size of the cache.

url-server

Identifies an N2H2 or Websense server for use with the filter command.


show url-cache statistics

To display information about the url-cache, which is used for URL responses received from an N2H2 or Websense filtering server, use the show url-cache statistics command in privileged EXEC mode.

show url-cache statistics

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The show url-cache statistics command displays the following entries:

Size—The size of the cache in kilobytes, set with the url-cache size option.

Entries—The maximum number of cache entries based on the cache size.

In Use—The current number of entries in the cache.

Lookups—The number of times the adaptive security appliance has looked for a cache entry.

Hits—The number of times the adaptive security appliance has found an entry in the cache.

You can view additional information about N2H2 Sentian or Websense filtering activity with the show perfmon command.

Examples

The following is sample output from the show url-cache statistics command: 

hostname# show url-cache statistics


URL Filter Cache Stats

----------------------

 | Size :                               1KB

 Entries :                                   36

             In Use :                                   30

 Lookups :                                   300

 | Hits :                                   290

Related Commands

Commands
Description

clear url-cache statistics

Removes url-cache command statements from the configuration.

filter url

Directs traffic to a URL filtering server.

url-block

Manage the URL buffers used for web server responses.

url-cache

Enables URL caching for responses received from an N2H2 or Websense server and sets the size of the cache.

url-server

Identifies an N2H2 or Websense server for use with the filter command.


show url-server

To display information about the URL filtering server, use the show url-server command in privileged EXEC mode.

show url-server statistics

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The show url-server statistics command displays the URL server vendor; number of URLs total, allowed, and denied; number of HTTPS connections total, allowed, and denied; number of TCP connections total, allowed, and denied; and the URL server status.

The show url-server command displays the following information:

For N2H2, url-server (if_name) vendor n2h2 host local_ip port number timeout seconds protocol [{TCP | UDP}{version 1 | 4}]

For Websense, url-server (if_name) vendor websense host local_ip timeout seconds protocol [{TCP | UDP}]

Examples

The following is sample output from the show url-server statistics command: 

hostname## show url-server statistics

Global Statistics:

------------------

URLs total/allowed/denied         994387/155648/838739

URLs allowed by cache/server      70483/85165

URLs denied by cache/server       801920/36819

HTTPSs total/allowed/denied       994387/155648/838739

HTTPs allowed by cache/server     70483/85165

HTTPs denied by cache/server      801920/36819

FTPs total/allowed/denied         994387/155648/838739

FTPs allowed by cache/server      70483/85165

FTPs denied by cache/server       801920/36819

Requests dropped                  28715

Server timeouts/retries           567/1350

Processed rate average 60s/300s   1524/1344 requests/second

Denied rate average 60s/300s      35648/33022 requests/second

Dropped rate average 60s/300s     156/189 requests/second


URL Server Statistics:

----------------------

192.168.0.1                       UP

Vendor                          websense

Port                            17035

Requests total/allowed/denied   366519/255495/110457

Server timeouts/retries         567/1350

Responses received              365952

Response time average 60s/300s  2/1 seconds/request

192.168.0.2                       DOWN

Vendor                          websense

Port                            17035

Requests total/allowed/denied   0/0/0

Server timeouts/retries         0/0

Responses received              0

Response time average 60s/300s  0/0 seconds/request

. . .

URL Packets Sent and Received Stats:

------------------------------------

Message                 Sent    Received

STATUS_REQUEST          411     0

LOOKUP_REQUEST          366519  365952

LOG_REQUEST             0       NA


Errors:

-------

RFC noncompliant GET method     0

URL buffer update failure       0


Semantics:

This command allows the operator to display url-server statistics organized on a global 
and per-server basis.  The output is reformatted to provide: more-detailed information and 
per-server organization.


Supported Modes:

privileged

router || transparent

single || multi/context


Privilege:

ATTR_ES_CHECK_CONTEXT


Debug support:

N/A


Migration Strategy (if any):

N/A

Related Commands

Commands
Description

clear url-server

Clears the URL filtering server statistics.

filter url

Directs traffic to a URL filtering server.

url-block

Manage the URL buffers used for web server responses.

url-cache

Enables URL caching while pending responses from an N2H2 or Websense server and sets the size of the cache.

url-server

Identifies an N2H2 or Websense server for use with the filter command.


show version

To display the software version, hardware configuration, license key, and related uptime data, use the show version command in user EXEC mode.

show version

Syntax Description