Table Of Contents

show debug through show ipv6 traffic Commands

show debug

show dhcprelay state

show dhcprelay statistics

show disk

show dns-hosts

show failover

show file

show firewall

show fragment

show gc

show h225

show h245

show h323-ras

show history

show idb

show igmp groups

show igmp traffic

show interface

show interface ip brief

show ip address

show ip verify statistics

show ipsec sa

show ipsec sa summary

show ipsec stats

show ipv6 access-list

show ipv6 interface

show ipv6 neighbor

show ipv6 route

show ipv6 routers

show ipv6 traffic

show debug through show ipv6 traffic Commands

---

show debug

To show the current debugging configuration in privileged EXEC mode, use the show debug command.

show debug [command [keywords]]

Syntax Description

command [keywords]

(Optional) Specifies the debug command whose current configuration you want to view. For each command, the syntax following command is identical to the syntax supported by the associated debug command. For example, valid keywords following show debug aaa are the same as the valid keywords for the debug aaa command. Thus, show debug aaa supports an accounting keyword, which lets you specify that you want to see the debugging configuration for that portion of AAA debugging.

Defaults

This command has no default settings.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
1.1(1)	This command was introduced.

Usage Guidelines

The valid command values follow. For information about valid syntax after command, see the entry for debug command, as applicable.

---

Note The availability of each command value depends upon the command modes that support the applicable debug command.

---

•aaa

•appfw

•arp

•asdm

•context

•crypto

•ctiqbe

•ctm

•dhcpc

•dhcpd

•dhcprelay

•disk

•dns

•email

•entity

•fixup

•fover

•fsm

•ftp

•generic

•gtp

•h323

•http

•http-map

•icmp

•igmp

•ils

•imagemgr

•ipsec-over-tcp

•ipv6

•iua-proxy

•kerberos

•ldap

•mfib

•mgcp

•mrib

•ntdomain

•ntp

•ospf

•parser

•pim

•pix

•pptp

•radius

•rip

•rtsp

•sdi

•sequence

•sip

•skinny

•smtp

•sqlnet

•ssh

•ssl

•sunrpc

•tacacs

•timestamps

•vpn-sessiondb

•xdmcp

Examples

The following commands enable debugging for authentication, accounting, and Flash memory. The show debug command is used in three ways to demonstrate how you can use it to view all debugging configuration, debugging configuration for a specific feature, and even debugging configuration for a subset of a feature.

hostname# debug aaa authentication 

debug aaa authentication enabled at level 1

hostname# debug aaa accounting

debug aaa accounting enabled at level 1

hostname# debug disk filesystem

debug disk filesystem enabled at level 1

hostname# show debug

debug aaa authentication enabled at level 1

debug aaa accounting enabled at level 1

debug disk filesystem enabled at level 1

hostname# show debug aaa

debug aaa authentication enabled at level 1

debug aaa authorization is disabled.

debug aaa accounting enabled at level 1

debug aaa internal is disabled.

debug aaa vpn is disabled.

hostname# show debug aaa accounting

debug aaa accounting enabled at level 1

hostname# 

Related Commands

Command	Description
debug	See all debug commands.

show dhcprelay state

To view the state of the DHCP relay agent, use the show dhcprelay state command in privileged EXEC or global configuration mode.

show dhcprelay state

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC or global configuration	•	—	•	•	—

Command History

Release	Modification
2.2(1)	This command was introduced.
3.1(1)	This command was changed from show dhcprelay.

Usage Guidelines

This command displays the DHCP relay agent state information for the current context and each interface.

Examples

The following is sample output from the show dhcprelay state command:

hostname# show dhcprelay state

Context Configured as DHCP Relay

Interface outside, Not Configured for DHCP

Interface infrastructure, Configured for DHCP RELAY SERVER

Interface inside, Configured for DHCP RELAY

Related Commands

Command	Description
show dhcpd	Displays DHCP server statistics and state information.
show dhcprelay statistics	Displays the DHCP relay statistics.
show running-config dhcprelay	Displays the current DHCP relay agent configuration.

show dhcprelay statistics

To display the DHCP relay statistics, use the show dhcprelay statistics command in privileged EXEC mode.

show dhcprelay statistics

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	•	—

Command History

Release	Modification
2.2(1)	This command was introduced.
3.1(1)	This command was changed from show dhcprelay.

Usage Guidelines

The output of the show dhcprelay statistics command increments until you enter the clear dhcprelay statistics command.

Examples

The following is sample output for the show dhcprelay statistics command:

hostname# show dhcprelay statistics

DHCP UDP Unreachable Errors: 0

DHCP Other UDP Errors: 0

Packets Relayed

BOOTREQUEST          0

DHCPDISCOVER         7

DHCPREQUEST          3

DHCPDECLINE          0

DHCPRELEASE          0

DHCPINFORM           0

BOOTREPLY            0

DHCPOFFER            7

DHCPACK              3

DHCPNAK              0

FeralPix(config)# 

Related Commands

Command	Description
clear configure dhcprelay	Removes all DHCP relay agent settings.
clear dhcprelay statistics	Clears the DHCP relay agent statistic counters.
debug dhcprelay	Displays debug information for the DHCP relay agent.
show dhcprelay state	Displays the state of the DHCP relay agent.
show running-config dhcprelay	Displays the current DHCP relay agent configuration.

show disk

To display the contents of the Flash memory, use the show disk command in privileged EXEC mode.

show disk [filesys | all]

Syntax Description

filesys	Shows information about the compact Flash card.
all	Shows the contents of Flash memory plus the file system information,

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	—	•

Command History

Release	Modification
2.2(1)	This command was introduced.

Examples

The following is sample output from the show disk command:

hostname# show disk

-#- --length-- -----date/time------ path

 11 1301       Feb 21 2005 18:01:34 test.cfg

 12 1949       Feb 21 2005 20:13:36 test1.cfg

 13 2551       Jan 06 2005 10:07:36 test2.cfg

 14 609223     Jan 21 2005 07:14:18 test3.cfg

 15 1619       Jul 16 2004 16:06:48 test4.cfg

 16 3184       Aug 03 2004 07:07:00 old_running.cfg

 17 4787       Mar 04 2005 12:32:18 test5.cfg

 20 1792       Jan 21 2005 07:29:24 test6.cfg

 21 7765184    Mar 07 2005 19:38:30 test7.cfg

 22 1674       Nov 11 2004 02:47:52 test8.cfg

 23 1863       Jan 21 2005 07:29:18 test9.cfg

 24 1197       Jan 19 2005 08:17:48 test10.cfg

 25 608554     Jan 13 2005 06:20:54 backupconfig.cfg

 26 5124096    Feb 20 2005 08:49:28 cdisk1

 27 5124096    Mar 01 2005 17:59:56 cdisk2

 28 2074       Jan 13 2005 08:13:26 test11.cfg

 29 5124096    Mar 07 2005 19:56:58 cdisk3

 30 1276       Jan 28 2005 08:31:58 lead

 31 7756788    Feb 24 2005 12:59:46 asdmfile.dbg

 32 7579792    Mar 08 2005 11:06:56 asdmfile1.dbg

 33 7764344    Mar 04 2005 12:17:46 asdmfile2.dbg

 34 5124096    Feb 24 2005 11:50:50 cdisk4

 35 15322      Mar 04 2005 12:30:24 hs_err.log

10170368 bytes available (52711424 bytes used)

The following is sample output from the show disk filesys command:

hostname# show disk filesys

******** Flash Card Geometry/Format Info ********

COMPACT FLASH CARD GEOMETRY

   Number of Heads:            4

   Number of Cylinders       978

   Sectors per Cylinder       32

   Sector Size               512

   Total Sectors          125184

COMPACT FLASH CARD FORMAT

   Number of FAT Sectors      61

   Sectors Per Cluster         8

   Number of Clusters      15352

   Number of Data Sectors 122976

   Base Root Sector          123

   Base FAT Sector             1

   Base Data Sector          155

Related Commands

Command	Description
dir	Displays the directory contents.

show dns-hosts

To show the DNS cache, use the show dns-hosts command in privileged EXEC mode.The DNS cache includes dynamically learned entries from a DNS server as well as manually entered name and IP addresses using the name command.

show dns-hosts

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	—

Command History

Release	Modification
3.1(1)	This command was introduced.

Usage Guidelines

See the "Examples" section for a description of the display output.

Examples

The following is sample output from the show dns-hosts command:

hostname# show dns-hosts

Host                       Flags      Age Type   Address(es)

ns2.example.com            (temp, OK) 0    IP    10.102.255.44

ns1.example.com            (temp, OK) 0    IP    192.168.241.185

snowmass.example.com       (temp, OK) 0    IP    10.94.146.101

server.example.com         (temp, OK) 0    IP    10.94.146.80

The show dns-hosts field descriptions are as follows:

Field	Description
Host	Shows the hostname.
Flags	Shows the entry status, as a combination of the following: •temp—This entry is temporary because it comes from a DNS server. The FWSM removes this entry after 72 hours of inactivity. •perm—This entry is permanent because it was added with the name command. •OK—This entry is valid. •??—This entry is suspect and needs to be revalidated. •EX—This entry is expired.
Age	Shows the number of hours since this entry was last referenced.
Type	Shows the type of DNS record; this value is always IP.
Address(es)	The IP addresses.

Related Commands

Command	Description
clear dns-hosts cache	Clears the DNS cache.
dns domain-lookup	Enables the FWSM to perform a name lookup.
dns name-server	Configures a DNS server address.
dns retries	Specifies the number of times to retry the list of DNS servers when the FWSM does not receive a response.
dns timeout	Specifies the amount of time to wait before trying the next DNS server.

show failover

To display information about the failover status of the unit, use the show failover command in privileged EXEC mode.

show failover [group num | history | interface | state | statistics]

Syntax Description

group	Displays the running state of the specified failover group.
history	Displays failover history. The failover history displays past failover state changes and the reason for the state change.
interface	Displays failover command and stateful link information.
num	Failover group number.
state	Displays the failover state of both failover units. The information displayed includes the primary or secondary status of the unit, the Active/Standby status of the unit, and, if a unit is in the failed state, the reason for the failure.
statistics	Displays transmit and receive packet count of failover command interface.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
1.1(1)	This command was introduced.
2.1(1)	Support for the Autostate feature and suspend configuration synchronization were added.
3.1(1)	This command was modified to include failover groups. The output includes additional information.

Usage Guidelines

The show failover command displays the dynamic failover information, interface status, and Stateful Failover statistics. The Stateful Failover Logical Update Statistics output appears only when Stateful Failover is enabled. The "xerr" and "rerr" values do not indicate errors in failover, but rather the number of packet transmit or receive errors.

In the show failover command output, the fields have the following values:

•Stateful Obj has these values:

–xmit—Indicates the number of packets transmitted.

–xerr—Indicates the number of transmit errors.

–rcv—Indicates the number of packets received.

–rerr—Indicates the number of receive errors.

•Each row is for a particular object static count as follows:

–General—Indicates the sum of all stateful objects.

–sys cmd—Refers to the logical update system commands, such as login or stay alive.

–up time—Indicates the value for the FWSM up time, which the active FWSM passes on to the standby FWSM.

–RPC services—Remote Procedure Call connection information.

–TCP conn—Dynamic TCP connection information.

–UDP conn—Dynamic UDP connection information.

–ARP tbl—Dynamic ARP table information.

–Xlate_Timeout—Indicates connection translation timeout information.

–VPN IKE upd—IKE connection information.

–VPN IPSEC upd—IPSec connection information.

–VPN CTCP upd—cTCP tunnel connection information.

–VPN SDI upd—SDI AAA connection information.

–VPN DHCP upd—Tunneled DHCP connection information.

If you do not enter a failover IP address, the show failover command displays 0.0.0.0 for the IP address, and monitoring of the interfaces remain in a "waiting" state. You must set a failover IP address for failover to work.

In multiple configuration mode, only the show failover command is available in a security context; you cannot enter the optional keywords.

Examples

The following is sample output from the show failover command for Active/Standby Failover.

hostname# show failover

Failover On

Failover unit Primary 

Failover LAN Interface: fover Vlan 101 (up) 

Unit Poll frequency 1 seconds, holdtime 3 seconds 

Interface Poll frequency 15 seconds 

Interface Policy 1 

Monitored Interfaces 2 of 250 maximum 

failover replication http 

Last Failover at: 22:44:03 UTC Dec 8 2004

        This host: Primary - Active 

                Active time: 13434 (sec)

                Interface inside (10.130.9.3): Normal 

                Interface outside (10.132.9.3): Normal 

        Other host: Secondary - Standby Ready 

                Active time: 0 (sec)

                Interface inside (10.130.9.4): Normal 

                Interface outside (10.132.9.4): Normal 

Stateful Failover Logical Update Statistics

        Link : fover Vlan 101 (up)

        Stateful Obj    xmit       xerr       rcv        rerr      

        General         0          0          0          0         

        sys cmd         1733       0          1733       0         

        up time         0          0          0          0         

        RPC services    0          0          0          0         

        TCP conn        6          0          0          0         

        UDP conn        0          0          0          0         

        ARP tbl         106        0          0          0         

        Xlate_Timeout   0          0          0          0

        VPN IKE upd     15         0          0          0

        VPN IPSEC upd   90         0          0          0

        VPN CTCP upd    0          0          0          0

        VPN SDI upd     0          0          0          0

        VPN DHCP upd    0          0          0          0

        Logical Update Queue Information

                        Cur     Max     Total

        Recv Q:         0       2       1733

        Xmit Q:         0       2       15225

The following is sample output from the show failover command for Active/Active Failover.

hostname# show failover

Failover On

Failover unit Primary

Failover LAN Interface: third Vlan 101(up) 

Unit Poll frequency 1 seconds, holdtime 15 seconds 

Interface Poll frequency 4 seconds 

Interface Policy 1 

Monitored Interfaces 8 of 250 maximum 

failover replication http 

Group 1 last failover at: 13:40:18 UTC Dec 9 2004 

Group 2 last failover at: 13:40:06 UTC Dec 9 2004

  This host:    Primary

  Group 1       State:          Active

                Active time:    2896 (sec)

  Group 2       State:          Standby Ready

                Active time:    0 (sec)

                admin Interface outside (10.132.8.5): Normal 

                admin Interface third (10.132.9.5): Normal 

                admin Interface inside (10.130.8.5): Normal 

                admin Interface fourth (10.130.9.5): Normal 

                ctx1 Interface outside (10.1.1.1): Normal 

                ctx1 Interface inside (10.2.2.1): Normal 

                ctx2 Interface outside (10.3.3.2): Normal 

                ctx2 Interface inside (10.4.4.2): Normal 

  Other host:   Secondary

  Group 1       State:          Standby Ready

                Active time:    190 (sec)

  Group 2       State:          Active

                Active time:    3322 (sec)

                admin Interface outside (10.132.8.6): Normal 

                admin Interface third (10.132.9.6): Normal 

                admin Interface inside (10.130.8.6): Normal 

                admin Interface fourth (10.130.9.6): Normal 

                ctx1 Interface outside (10.1.1.2): Normal 

                ctx1 Interface inside (10.2.2.2): Normal 

                ctx2 Interface outside (10.3.3.1): Normal 

                ctx2 Interface inside (10.4.4.1): Normal 

Stateful Failover Logical Update Statistics

        Link : third Vlan 101 (up)

        Stateful Obj    xmit       xerr       rcv        rerr      

        General         0          0          0          0         

        sys cmd         380        0          380        0         

        up time         0          0          0          0         

        RPC services    0          0          0          0         

        TCP conn        1435       0          1450       0         

        UDP conn        0          0          0          0         

        ARP tbl         124        0          65         0         

        Xlate_Timeout   0          0          0          0 

        VPN IKE upd     15         0          0          0

        VPN IPSEC upd   90         0          0          0

        VPN CTCP upd    0          0          0          0

        VPN SDI upd     0          0          0          0

        VPN DHCP upd    0          0          0          0

        Logical Update Queue Information

                        Cur     Max     Total

        Recv Q:         0       1       1895

        Xmit Q:         0       0       1940

Related Commands

Command	Description
show running-config failover	Displays the failover commands in the current configuration.

show file

To display information about the file system, use the show file command in privileged EXEC mode.

show file descriptors | system | information filename

Syntax Description

descriptors	Displays all open file descriptors.
information	Displays information about a specific file.
filename	Specifies the filename.
system	Displays the size, bytes available, type of media, flags, and prefix information about the disk file system.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
3.1(1)	Support for this command was introduced.

Examples

The following example shows how to display the file system information:

hostname# show file descriptors

No open file descriptors

hostname# show file system

File Systems:

   Size(b)     Free(b)    Type  Flags  Prefixes

* 60985344    60973056    disk    rw     disk:

Related Commands

Command	Description
dir	Displays the directory contents.
pwd	Displays the current working directory.

show firewall

To show the current firewall mode (routed or transparent), use the show firewall command in privileged EXEC mode.

show firewall

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
2.2(1)	This command was introduced.
3.1(1)	In the system execution space, this command now shows the firewall mode for each context. You can now set the firewall mode independently for each context.

Examples

The following is sample output from the show firewall command in single mode or within a context:

hostname# show firewall

Firewall mode: Router

The following is sample output from the show firewall command within a context:

hostname# show firewall

Context      Mode

-------------------------

customerA    Transparent

customerB    Routed

Related Commands

Command	Description
firewall transparent	Sets the firewall mode.
show mode	Shows the current context mode, either single or multiple.

show fragment

To display the operational data of the IP fragment reassembly module, enter the show fragment command in privileged EXEC mode.

show fragment [interface]

Syntax Description

interface

(Optional) Specifies the FWSM interface.

Defaults

If an interface is not specified, the command applies to all interfaces.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC mode	·	·	·	·

Command History

Release	Modification
1.1(1)	This command was introduced.
3.1(1)	The command was separated into two commands, show fragment and show running-config fragment, to separate the configuration data from the operational data.

Examples

This example shows how to display the operational data of the IP fragment reassembly module:

hostname# show fragment 

Interface: inside

    Size: 200, Chain: 24, Timeout: 5, Threshold: 133

    Queue: 0, Assembled: 0, Fail: 0, Overflow: 0

Interface: outside1

    Size: 200, Chain: 24, Timeout: 5, Threshold: 133

    Queue: 0, Assembled: 0, Fail: 0, Overflow: 0

Interface: test1

    Size: 200, Chain: 24, Timeout: 5, Threshold: 133

    Queue: 0, Assembled: 0, Fail: 0, Overflow: 0

Interface: test2

    Size: 200, Chain: 24, Timeout: 5, Threshold: 133

    Queue: 0, Assembled: 0, Fail: 0, Overflow: 0

Related Commands

Command	Description
clear configure fragment	Clears the IP fragment reassembly configuration and resets the defaults.
clear fragment	Clears the operational data of the IP fragment reassembly module.
fragment	Provides additional management of packet fragmentation and improves compatibility with NFS.
show running-config fragment	Displays the IP fragment reassembly configuration.

show gc

To display the garbage collection process statistics, use the show gc command in privileged EXEC mode.

show gc

Syntax Description

This command has no arguments or keywords.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
1.1(1)	This command was introduced.

Examples

The following is sample output from the show gc command:

hostname# show gc

Garbage collection process stats:

Total tcp conn delete response             :            0

Total udp conn delete response             :            0

Total number of zombie cleaned             :            0

Total number of embryonic conn cleaned     :            0

Total error response                       :            0

Total queries generated                    :            0

Total queries with conn present response   :            0

Total number of sweeps                     :          946

Total number of invalid vcid               :            0

Total number of zombie vcid                :            0

Related Commands

Command	Description
clear gc	Removes the garbage collection process statistics.

show h225

To display information for H.225 sessions established across the FWSM, use the show h225 command in privileged EXEC mode.

show h225

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
1.1(1)	This command was introduced.

Usage Guidelines

The show h225 command displays information for H.225 sessions established across the FWSM. Along with the debug h323 h225 event, debug h323 h245 event, and show local-host commands, this command is used for troubleshooting H.323 inspection engine issues.

Before using the show h225, show h245, or show h323-ras commands, we recommend that you configure the pager command. If there are a lot of session records and the pager command is not configured, it may take a while for the show output to reach its end. If there is an abnormally large number of connections, check that the sessions are timing out based on the default timeout values or the values set by you. If they are not, then there is a problem that needs to be investigated.

Examples

The following is sample output from the show h225 command:

hostname# show h225

Total H.323 Calls: 1

1 Concurrent Call(s) for

 | Local: | 10.130.56.3/1040 | Foreign: 172.30.254.203/1720

 | 1. CRV 9861

 | Local: | 10.130.56.3/1040 | Foreign: 172.30.254.203/1720

0 Concurrent Call(s) for

 | Local: | 10.130.56.4/1050 | Foreign: 172.30.254.205/1720

This output indicates that there is currently 1 active H.323 call going through the FWSM between the local endpoint 10.130.56.3 and foreign host 172.30.254.203, and for these particular endpoints, there is 1 concurrent call between them, with a CRV (Call Reference Value) for that call of 9861.

For the local endpoint 10.130.56.4 and foreign host 172.30.254.205, there are 0 concurrent Calls. This means that there is no active call between the endpoints even though the H.225 session still exists. This could happen if, at the time of the show h225 command, the call has already ended but the H.225 session has not yet been deleted. Alternately, it could mean that the two endpoints still have a TCP connection opened between them because they set "maintainConnection" to TRUE, so that the session is kept open until they set it to FALSE again, or until the session times out based on the H.225 timeout value in your configuration.

Related Commands

Commands	Description
debug h323	Enables the display of debug information for H.323.
inspect h323	Enables H.323 application inspection.
show h245	Displays information for H.245 sessions established across the FWSM by endpoints using slow start.
show h323-ras	Displays information for H.323 RAS sessions established across the FWSM.
timeout	Configures the idle timeouts related to H.225 and H.323.

show h245

To display information for H.245 sessions established across the FWSM by endpoints using slow start, use the show h245 command in privileged EXEC mode.

show h245

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
1.1(1)	This command was introduced.

Usage Guidelines

The show h245 command displays information for H.245 sessions established across the FWSM by endpoints using slow start. (Slow start is when the two endpoints of a call open another TCP control channel for H.245. Fast start is where the H.245 messages are exchanged as part of the H.225 messages on the H.225 control channel.) Along with the debug h323 h245 event, debug h323 h225 event, and show local-host commands, this command is used for troubleshooting H.323 inspection engine issues.

Examples

The following is sample output from the show h245 command:

hostname# show h245

Total: 1

 | LOCAL | TPKT | FOREIGN | TPKT

1 | 10.130.56.3/1041 | 0 | 172.30.254.203/1245 | 0

 | MEDIA: LCN 258 Foreign 172.30.254.203 RTP 49608 RTCP 49609

 | Local | 10.130.56.3 RTP 49608 RTCP 49609

 | MEDIA: LCN 259 Foreign 172.30.254.203 RTP 49606 RTCP 49607

 | Local | 10.130.56.3 RTP 49606 RTCP 49607

There is currently one H.245 control session active across the FWSM. The local endpoint is 10.130.56.3, and we are expecting the next packet from this endpoint to have a TPKT header because the TPKT value is 0. (The TKTP header is a 4-byte header preceding each H.225/H.245 message. It gives the length of the message, including the 4-byte header.) The foreign host endpoint is 172.30.254.203, and we are expecting the next packet from this endpoint to have a TPKT header because the TPKT value is 0.

The media negotiated between these endpoints have a LCN (logical channel number) of 258 with the foreign RTP IP address/port pair of 172.30.254.203/49608 and a RTCP IP address/port of 172.30.254.203/49609 with a local RTP IP address/port pair of 10.130.56.3/49608 and a RTCP port of 49609.

The second LCN of 259 has a foreign RTP IP address/port pair of 172.30.254.203/49606 and a RTCP IP address/port pair of 172.30.254.203/49607 with a local RTP IP address/port pair of 10.130.56.3/49606 and RTCP port of 49607.

Related Commands

Commands	Description
debug h323	Enables the display of debug information for H.323.
inspect h323	Enables H.323 application inspection.
show h245	Displays information for H.245 sessions established across the FWSM by endpoints using slow start.
show h323-ras	Displays information for H.323 RAS sessions established across the FWSM.
timeout	Configures the idle timeouts related to H.225 and H.323.

show h323-ras

To display information for H.323 RAS sessions established across the FWSM between a gatekeeper and its H.323 endpoint, use the show h323-ras command in privileged EXEC mode.

show h323-ras

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
1.1(1)	This command was introduced.

Usage Guidelines

The show h323-ras command displays information for H.323 RAS sessions established across the FWSM between a gatekeeper and its H.323 endpoint. Along with the debug h323 ras event and show local-host commands, this command is used for troubleshooting H.323 RAS inspection engine issues.

The show h323-ras command displays connection information for troubleshooting H.323 inspection engine issues, and is described in the inspect protocol h323 {h225 | ras} command page.

Examples

The following is sample output from the show h323-ras command:

hostname# show h323-ras

Total: 1

 | GK | Caller

 | 172.30.254.214 10.130.56.14

This output shows that there is one active registration between the gatekeeper 172.30.254.214 and its client 10.130.56.14.

Related Commands

Commands	Description
debug h323	Enables the display of debug information for H.323.
inspect h323	Enables H.323 application inspection.
show h245	Displays information for H.245 sessions established across the FWSM by endpoints using slow start.
show h323-ras	Displays information for H.323 RAS sessions established across the FWSM.
timeout	Configures the idle timeouts related to H.225 and H.323.

show history

To display the previously entered commands, use the show history command in user EXEC mode.

show history

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
User EXEC	•	•	•	•	•

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

The show history command lets you display previously entered commands. You can examine commands individually with the up and down arrows, enter ^p to display previously entered lines, or enter ^n to display the next line.

Examples

The following example shows how to display previously entered commands when you are in user EXEC mode:

hostname> show history

show history

help

show history

The following example shows how to display previously entered commands in privileged EXEC mode:

hostname# show history

show history

help

show history

enable

show history

This example shows how to display previously entered commands in global configuration mode:

hostname(config)# show history

show history

help

show history

enable

show history

config t 

show history

Related Commands

Command	Description
help	Displays help information for the command specified.

show idb

To display information about the status of interface descriptor blocks, use the show idb command in privileged EXEC mode.

show idb

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
User EXEC	•	•	•	—	•

Command History

Release	Modification
3.1(1)	This command was introduced.

Usage Guidelines

IDBs are the internal data structure representing interface resources. See the Examples section for a description of the display output.

Examples

The following is sample output from the show idb command:

hostname# show idb

Maximum number of Software IDBs 16464.  In use 14.                                                  

                   HWIDBs     SWIDBs                                    

            Active 3          13

          Inactive 1          1

        Total IDBs 4          14

 Size each (bytes) 156        260

       Total bytes 624        3640

HWIDB#  1 0x2e63b40  EOBC

HWIDB#  2 0x2e4fd00  Vlan

HWIDB#  3 0x2e5f670  Vlan

SWIDB#  1 0x02e4fdc8 0xffffffff Vlan UP UP

SWIDB#  2 0x04b97970 0xffffffff Vlan20 UP UP

SWIDB#  3 0x04b98c58 0xffffffff Vlan22 UP UP

SWIDB#  4 0x04b98e48 0xffffffff Vlan34 UP UP

SWIDB#  5 0x04b99038 0xffffffff Vlan35 UP UP

SWIDB#  6 0x04b99228 0xffffffff Vlan36 UP UP

SWIDB#  7 0x04b99418 0xffffffff Vlan37 UP UP

SWIDB#  8 0x04b99608 0xffffffff Vlan38 UP UP

SWIDB#  9 0x04b997f8 0xffffffff Vlan124 UP UP

SWIDB# 10 0x04b999f8 0xffffffff Vlan136 UP UP

SWIDB# 11 0x04b99bf8 0xffffffff Vlan137 UP UP

SWIDB# 12 0x02e5f738 0xffffffff Vlan UP UP

SWIDB# 13 0x02e63c08 0x00000103 EOBC UP UP

Fields and description are as follows:

Field	Description
HWIDBs	Shows the statistics for all HWIDBs. HWIDBs are created for each hardware port in the system.
SWIDBs	Shows the statistics for all SWIDBs. SWIDBs are created for each interface in the system, and for each interface that is allocated to a context. Some other internal software modules also create IDBs.
HWIDB#	Specifies a hardware interface entry. The IDB sequence number, address, and interface name is displayed in each line.
SWIDB#	Specifies a software interface entry. The IDB sequence number, address, corresponding vPif id, and interface name are displayed in each line.
PEER IDB#	Specifies an interface allocated to a context. The IDB sequence number, address, corresponding vPif id, context id and interface name are displayed in each line.

Related Commands

Command	Description
interface	Configures an interface and enters interface configuration mode.
show interface	Displays the runtime status and statistics of interfaces.

show igmp groups

To display the multicast groups with receivers that are directly connected to the FWSM and that were learned through IGMP, use the show igmp groups command in privileged EXEC mode.

show igmp groups [[reserved | group] [if_name] [detail]] | summary]

Syntax Description

detail	(Optional) Provides a detailed description of the sources.
group	(Optional) The address of an IGMP group. Including this optional argument limits the display to the specified group.
if_name	(Optional) Displays group information for the specified interface.
reserved	(Optional) Displays information about reserved groups.
summary	(Optional) Displays group joins summary information.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	—	—

Command History

Release	Modification
3.1(1)	This command was introduced.

Usage Guidelines

If you omit all optional arguments and keywords, the show igmp groups command displays all directly connected multicast groups by group address, interface type, and interface number.

Examples

The following is sample output from the show igmp groups command:

hostname# show igmp groups

IGMP Connected Group Membership

Group Address    Interface            Uptime    Expires   Last Reporter

224.1.1.1        inside               00:00:53  00:03:26  192.168.1.6

Related Commands

Command	Description
show igmp interface	Displays multicast information for an interface.

show igmp traffic

To display IGMP traffic statistics, use the show igmp traffic command in privileged EXEC mode.

show igmp traffic

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	—	—

Command History

Release	Modification
3.1(1)	This command was introduced.

Examples

The following is sample output from the show igmp traffic command:

hostname# show igmp traffic

IGMP Traffic Counters

Elapsed time since counters cleared: 00:02:30

                             Received     Sent

Valid IGMP Packets              3           6

Queries                         2           6

Reports                         1           0

Leaves                          0           0

Mtrace packets                  0           0

DVMRP packets                   0           0

PIM packets                     0           0

Errors:

Malformed Packets               0

Martian source                  0

Bad Checksums                   0

Related Commands

Command	Description
clear igmp counters	Clears all IGMP statistic counters.
clear igmp traffic	Clears the IGMP traffic counters.

show interface

To display information about interfaces, use the show interface command in privileged EXEC mode.

show interface [interface_name] [detail | stats | {ip [brief]}]

Syntax Description

interface_name	(Optional) Identifies the interface name set with the nameif command.
detail	(Optional) Displays the interface configuration details.
stats	(Optional) Displays the interface statistics.
ip	(Default) Displays information about the interface IP configuration.
brief	(Optional) Displays compacted information about the interface IP configuration.

Defaults

If you do not identify any options, this command shows basic statistics for all interfaces.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
1.1(1)	This command was introduced.
3.1(1)	This command was modified to include the new interface numbering scheme, and to add the stats keyword for clarity, and the detail keyword.

Usage Guidelines

You can use this command to display the status of interfaces. You can specify the ID (as either the VLAN or the mapped name) or the name of the interface.

The dropped packets statistic in the display shows a record of those packets that arrived on the interface, but were not destined for the FWSM. These packets include traffic flooded by the switch, multicast and broadcast traffic (unless the FWSM is configured to relay those) and packets that fail sanity checks such as incorrect IP length versus Layer 2 length or checksums. This counter does not record packets dropped by the security policy.

---

Note The show interface command only shows interfaces you have configured using the interface vlan command; it does not show VLANs assigned to the FWSM that you have not yet configured. To view all VLANs assigned to the FWSM, use the show vlan command.

---

Examples

The following is sample output from the show interface command:

hostname# show interface

Interface Vlan20 "outsidedmz", is down, line protocol is down

        MAC address 000f.90d7.1a00, MTU 1500

        IP address 10.0.0.1, subnet mask 255.0.0.0

  Traffic Statistics for "outsidedmz":

        0 packets input, 0 bytes

        0 packets output, 0 bytes

        0 packets dropped

Interface Vlan55 "inside", is up, line protocol is up

        MAC address 000f.90d7.1a00, MTU 1500

        IP address 192.168.62.20, subnet mask 255.255.255.0

  Traffic Statistics for "inside":

        14582034 packets input, 2171077656 bytes

        406297 packets output, 243028833 bytes

        14812043 packets dropped

Interface Vlan56 "outside", is up, line protocol is up

        MAC address 000f.90d7.1a00, MTU 1500

        IP address 10.1.1.1, subnet mask 255.0.0.0

  Traffic Statistics for "outside":

        0 packets input, 0 bytes

        33 packets output, 2244 bytes

        569730 packets dropped

Interface Vlan80 "", is up, line protocol is up

        Available but not configured via nameif

Field descriptions for the show interface command are shown below:

Field	Description
Interface ID	The interface ID. Within a context, the FWSM shows the mapped name (if configured), unless you set the allocate-interface command visible keyword.
"interface_name"	The interface name set with the nameif command. In the system execution space, this field is blank because you cannot set the name in the system. If you do not configure a name, the following message appears after the Hardware line: Available but not configured via nameif
is state	The administrative state, as follows: •up—The interface is not shut down. •administratively down—The interface is shut down with the shutdown command.
Line protocol is state	The line status, as follows: •up—A working cable is plugged into the network interface. •down—Either the cable is incorrect or not plugged into the interface connector.
message area	A message might be displayed in some circumstances. See the following examples: •In the system execution space, you might see the following message: Available for allocation to a context •If you do not configure a name, you see the following message: Available but not configured via nameif
MAC address	The interface MAC address.
MTU	The maximum size, in bytes, of packets allowed on this interface. If you do not set the interface name, this field shows "MTU not set."
IP address	The interface IP address set using the ip address command or received from a DHCP server. In the system execution space, this field shows "IP address unassigned" because you cannot set the IP address in the system.
Subnet mask	The subnet mask for the IP address.
Traffic Statistics:	The number of packets received, transmitted, or dropped.
Packets input	The number of packets received and the number of bytes.
Packets output	The number of packets transmitted and the number of bytes.
Packets dropped	The number of packets dropped.

The following is sample output from the show interface detail command:

hostname# show interface detail

Interface Vlan20 "outsidedmz", is down, line protocol is down

        MAC address 000f.90d7.1a00, MTU 1500

        IP address 10.0.0.1, subnet mask 255.0.0.0

  Traffic Statistics for "outsidedmz":

        0 packets input, 0 bytes

        0 packets output, 0 bytes

        0 packets dropped

  Control Point Interface States:

        Interface number is 1

        Interface config status is active

        Interface state is not active

  Control Point Vlan20 States:

        Interface vlan config status is not active

        Interface vlan state is UP

Interface Vlan55 "inside", is up, line protocol is up

        MAC address 000f.90d7.1a00, MTU 1500

        IP address 172.23.62.20, subnet mask 255.255.255.0

  Traffic Statistics for "inside":

        14582811 packets input, 2171191886 bytes

        406469 packets output, 243041933 bytes

        14812823 packets dropped

  Control Point Interface States:

        Interface number is 2

        Interface config status is active

        Interface state is active

  Control Point Vlan55 States:

        Interface vlan config status is active

        Interface vlan state is UP

Interface Vlan56 "outside", is up, line protocol is up

        MAC address 000f.90d7.1a00, MTU 1500

        IP address 1.1.1.1, subnet mask 255.0.0.0

  Traffic Statistics for "outside":

        0 packets input, 0 bytes

        33 packets output, 2244 bytes

        570042 packets dropped

  Control Point Interface States:

        Interface number is 3

        Interface config status is active

        Interface state is active

  Control Point Vlan56 States:

        Interface vlan config status is active

        Interface vlan state is UP

  Asymmetrical Routing Statistics:

        Received 0 packets

        Transmitted 163 packets

        Dropped 0 packets 

Interface Vlan80 "", is up, line protocol is up

        Available but not configured via nameif

Each field description for the show interface detail command is shown below.

Field	Description
Control Point Interface States:
Interface number	A number used for debugging that indicates in what order this interface was created, starting with 0.
Interface config status	The administrative state, as follows: •active—The interface is not shut down. •not active—The interface is shut down with the shutdown command.
Interface state	The actual state of the interface. In most cases, this state matches the config status above. If you configure high availability, it is possible there can be a mismatch because the FWSM brings the interfaces up or down as needed.
Control Point vlan States:
Interface vlan config status	The administrative state, as follows: •active—The interface is not shut down. •not active—The interface is shut down with the shutdown command.
Interface vlan state	The actual state of the interface. In most cases, this state matches the config status above. If you configure high availability, it is possible there can be a mismatch because the FWSM brings the interfaces up or down as needed.
Asymmetrical Routing Statistics:
Received X1 packets	Number of ASR packets received on this interface.
Transmitted X2 packets	Number of ASR packets sent on this interfaces.
Dropped X3 packets	Number of ASR packets dropped on this interface. The packets might be dropped if the interface is down when trying to forward the packet.

Related Commands

Command	Description
allocate-interface	Assigns interfaces and subinterfaces to a security context.
clear interface	Clears counters for the show interface command.
interface	Configures an interface and enters interface configuration mode.
nameif	Sets the interface name.
show interface ip brief	Shows the interface IP address and status.

show interface ip brief

To view interface IP addresses and status, use the show interface ip brief command in privileged EXEC mode.

show interface [interface interface_name] ip brief

Syntax Description

interface interface_name	(Optional) Identifies the interface name set with the nameif command.
ip brief	(Optional) Displays compacted information about the interface IP configuration.

Defaults

If you do not specify an interface, the FWSM shows all interfaces.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	•	—

Command History

Release	Modification
3.1(1)	This command was introduced.

Usage Guidelines

In multiple context mode, if you mapped the interface ID in the allocate-interface command, you can only specify the mapped name or the interface name in a context.

Examples

The following is sample output from the show ip brief command:

hostname# show interface ip brief

Interface                  IP-Address      OK? Method  Status                Protocol

Vlan10 209.165.200.226 YES CONFIG  up                    up

Vlan40 unassigned      YES unset   administratively down down

Vlan41 10.1.1.50       YES manual  administratively down down

Vlan42 192.168.2.6     YES DHCP    administratively down down

The field descriptions for the show interface ip brief command are as follows:

Field	Description
Interface	The interface ID or, in multiple context mode, the mapped name if you configured it using the allocate-interface command.
IP-Address	The interface IP address.
OK?	This column is not currently used, and always shows "Yes."
Method	The method by which the interface received the IP address. Values include the following: •unset—No IP address configured. •manual—Configured the running configuration. •CONFIG—Loaded from the startup configuration. •DHCP—Received from a DHCP server.
Status	The administrative state, as follows: •up—The interface is not shut down. •administratively down—The interface is shut down with the shutdown command.
Protocol	The line status, as follows: •up—A working cable is plugged into the network interface. •down—Either the cable is incorrect or not plugged into the interface connector.

Related Commands

Command	Description
allocate-interface	Assigns interfaces and subinterfaces to a security context.
interface	Configures an interface and enters interface configuration mode.
ip address	Sets the IP address for the interface or sets the management IP address for a transparent firewall.
nameif	Sets the interface name.
show interface	Displays the runtime status and statistics of interfaces.

show ip address

To view interface IP addresses or, for transparent mode, the management IP address, use the show ip address command in privileged EXEC mode.

show ip address [interface interface_name]

Syntax Description

interface interface_name

(Optional) Shows statistics for the specified interface.

Defaults

If you do not specify an interface, the FWSM shows all interface IP addresses.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	—

Command History

Release	Modification
1.1(1)	This command was introduced.

Usage Guidelines

This command shows the primary IP addresses (called "System" in the display) for when you configure high availability as well as the current IP addresses. If the unit is active, then the system and current IP addresses match. If the unit is standby, then the current IP addresses show the standby addresses.

Examples

The following is sample output from the show ip address command:

hostname# show ip address

System IP Addresses:

Interface                Name         IP address      Subnet mask       Method 

Vlan20        mgmt         10.7.12.100     255.255.255.0     CONFIG 

Vlan22        inside       10.1.1.100      255.255.255.0     CONFIG 

Vlan34        outside      209.165.201.2   255.255.255.224   DHCP

Vlan35        dmz          209.165.200.225 255.255.255.224   manual

Current IP Addresses:

Interface                Name         IP address      Subnet mask       Method 

Vlan36       mgmt         10.7.12.100     255.255.255.0     CONFIG 

Vlan37       inside       10.1.1.100      255.255.255.0     CONFIG 

Vlan38       outside      209.165.201.2   255.255.255.224   DHCP

Vlan124       dmz          209.165.200.225 255.255.255.224   manual

The current IP addresses are the same as the system IP addresses on the failover active module. When the primary module fails, the current IP addresses become the IP addresses of the standby module.

The field descriptions for the show ip address command are as follows:

Field	Description
Interface	The interface ID.
Name	The interface name set with the nameif command.
IP address	The interface IP address.
Subnet mask	The IP address subnet mask.
Method	The method by which the interface received the IP address. Values include the following: •unset—No IP address configured. •manual—Configured the running configuration. •CONFIG—Loaded from the startup configuration. •DHCP—Received from a DHCP server.

Related Commands

Command	Description
allocate-interface	Assigns interfaces and subinterfaces to a security context.
interface	Configures an interface and enters interface configuration mode.
nameif	Sets the interface name.
show interface	Displays the runtime status and statistics of interfaces.
show interface ip brief	Shows the interface IP address and status.

show ip verify statistics

To show the number of packets dropped because of the Unicast RPF feature, use the show ip verify statistics command in privileged EXEC mode. Use the ip verify reverse-path command to enable Unicast RPF.

show ip verify statistics [interface interface_name]

Syntax Description

interface interface_name

(Optional) Shows statistics for the specified interface.

Defaults

This command shows statistics for all interfaces.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	•	—

Command History

Release	Modification
1.1(1)	This command was introduced,

Examples

The following is sample output from the show ip verify statistics command:

hostname# show ip verify statistics

interface outside: 2 unicast rpf drops

interface inside: 1 unicast rpf drops

interface intf2: 3 unicast rpf drops

Related Commands

Command	Description
clear configure ip verify reverse-path	Clears the ip verify reverse-path configuration.
clear ip verify statistics	Clears the Unicast RPF statistics.
ip verify reverse-path	Enables the Unicast Reverse Path Forwarding feature to prevent IP spoofing.
show running-config ip verify reverse-path	Shows the ip verify reverse-path configuration.

show ipsec sa

To display a list of IPSec SAs, use the show ipsec sa command in global configuration mode or privileged EXEC mode. You can also use the alternate form of this command: show crypto ipsec sa.

show ipsec sa [entry | identity | map map-name | peer peer-addr ] [detail]

Syntax Description

detail	(Optional) Displays detailed error information on what is displayed.
entry	(Optional) Displays IPSec SAs sorted by peer address
identity	(Optional) Displays IPSec SAs for sorted by identity, not including ESPs. This is a condensed form.
map map-name	(Optional) Displays IPSec SAs for the specified crypto map.
peer peer-addr	(Optional) Displays IPSec SAs for specified peer IP addresses.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	—	—
Privileged EXEC	•	•	•	—	—

Command History

Release	Modification
3.1(1)	This command was introduced.

Examples

The following example, entered in global configuration mode, displays IPSec SAs.

hostname(config)# show ipsec sa

interface: outside2

    Crypto map tag: def, local addr: 10.132.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (172.20.0.21/255.255.255.255/0/0)

      current_peer: 172.20.0.21

      dynamic allocated peer ip: 10.135.1.5

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 1145, #pkts decrypt: 1145, #pkts verify: 1145

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.132.0.17, remote crypto endpt.: 172.20.0.21

      path mtu 1500, ipsec overhead 60, media mtu 1500

      current outbound spi: DC15BF68

    inbound esp sas:

      spi: 0x1E8246FC (511854332)

         transform: esp-3des esp-md5-hmac

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 3, crypto-map: def

         sa timing: remaining key lifetime (sec): 548

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0xDC15BF68 (3692412776)

         transform: esp-3des esp-md5-hmac

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 3, crypto-map: def

         sa timing: remaining key lifetime (sec): 548

         IV size: 8 bytes

         replay detection support: Y

    Crypto map tag: def, local addr: 10.132.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

hostname(config)# 

The following example, entered in global configuration mode, displays IPSec SAs for a crypto map named def.

hostname(config)# show ipsec sa map def

cryptomap: def

    Crypto map tag: def, local addr: 172.20.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)

      current_peer: 10.132.0.21

      dynamic allocated peer ip: 90.135.1.5

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 1146, #pkts decrypt: 1146, #pkts verify: 1146

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21

      path mtu 1500, ipsec overhead 60, media mtu 1500

      current outbound spi: DC15BF68

    inbound esp sas:

      spi: 0x1E8246FC (511854332)

         transform: esp-3des esp-md5-hmac

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 3, crypto-map: def

         sa timing: remaining key lifetime (sec): 480

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0xDC15BF68 (3692412776)

         transform: esp-3des esp-md5-hmac

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 3, crypto-map: def

         sa timing: remaining key lifetime (sec): 480

         IV size: 8 bytes

         replay detection support: Y

    Crypto map tag: def, local addr: 172.20.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)

      current_peer: 10.135.1.8

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 73672, #pkts encrypt: 73672, #pkts digest: 73672

      #pkts decaps: 78824, #pkts decrypt: 78824, #pkts verify: 78824

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 73672, #pkts comp failed: 0, #pkts decomp failed: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8

      path mtu 1500, ipsec overhead 60, media mtu 1500

      current outbound spi: 3B6F6A35

    inbound esp sas:

      spi: 0xB32CF0BD (3006066877)

         transform: esp-3des esp-md5-hmac

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 4, crypto-map: def

         sa timing: remaining key lifetime (sec): 263

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x3B6F6A35 (997157429)

         transform: esp-3des esp-md5-hmac

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 4, crypto-map: def

         sa timing: remaining key lifetime (sec): 263

         IV size: 8 bytes

         replay detection support: Y

hostname(config)#

The following example, entered in global configuration mode, shows IPSec SAs for the keyword entry.

hostname(config)# show ipsec sa entry

peer address: 10.132.0.21

    Crypto map tag: def, local addr: 172.20.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)

      current_peer: 10.132.0.21

      dynamic allocated peer ip: 90.135.1.5

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 1147, #pkts decrypt: 1147, #pkts verify: 1147

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21

      path mtu 1500, ipsec overhead 60, media mtu 1500

      current outbound spi: DC15BF68

    inbound esp sas:

      spi: 0x1E8246FC (511854332)

         transform: esp-3des esp-md5-hmac

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 3, crypto-map: def

         sa timing: remaining key lifetime (sec): 429

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0xDC15BF68 (3692412776)

         transform: esp-3des esp-md5-hmac

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 3, crypto-map: def

         sa timing: remaining key lifetime (sec): 429

         IV size: 8 bytes

         replay detection support: Y

peer address: 10.135.1.8

    Crypto map tag: def, local addr: 172.20.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)

      current_peer: 10.135.1.8

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 73723, #pkts encrypt: 73723, #pkts digest: 73723

      #pkts decaps: 78878, #pkts decrypt: 78878, #pkts verify: 78878

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 73723, #pkts comp failed: 0, #pkts decomp failed: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8

      path mtu 1500, ipsec overhead 60, media mtu 1500

      current outbound spi: 3B6F6A35

    inbound esp sas:

      spi: 0xB32CF0BD (3006066877)

         transform: esp-3des esp-md5-hmac

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 4, crypto-map: def

         sa timing: remaining key lifetime (sec): 212

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x3B6F6A35 (997157429)

         transform: esp-3des esp-md5-hmac

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 4, crypto-map: def

         sa timing: remaining key lifetime (sec): 212

         IV size: 8 bytes

         replay detection support: Y

hostname(config)#

The following example, entered in global configuration mode, shows IPSec SAs with the keywords entry detail.

hostname(config)# show ipsec sa entry detail

peer address: 10.132.0.21

    Crypto map tag: def, local addr: 172.20.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)

      current_peer: 10.132.0.21

      dynamic allocated peer ip: 90.135.1.5

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 1148, #pkts decrypt: 1148, #pkts verify: 1148

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0

      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0

      #pkts invalid prot (rcv): 0, #pkts verify failed: 0

      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0

      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0

      #pkts replay failed (rcv): 0

      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21

      path mtu 1500, ipsec overhead 60, media mtu 1500

      current outbound spi: DC15BF68

    inbound esp sas:

      spi: 0x1E8246FC (511854332)

         transform: esp-3des esp-md5-hmac

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 3, crypto-map: def

         sa timing: remaining key lifetime (sec): 322

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0xDC15BF68 (3692412776)

         transform: esp-3des esp-md5-hmac

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 3, crypto-map: def

         sa timing: remaining key lifetime (sec): 322

         IV size: 8 bytes

         replay detection support: Y

peer address: 10.135.1.8

    Crypto map tag: def, local addr: 172.20.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)

      current_peer: 10.135.1.8

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 73831, #pkts encrypt: 73831, #pkts digest: 73831

      #pkts decaps: 78989, #pkts decrypt: 78989, #pkts verify: 78989

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 73831, #pkts comp failed: 0, #pkts decomp failed: 0

      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0

      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0

      #pkts invalid prot (rcv): 0, #pkts verify failed: 0

      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0

      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0

      #pkts replay failed (rcv): 0

      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8

      path mtu 1500, ipsec overhead 60, media mtu 1500

      current outbound spi: 3B6F6A35

    inbound esp sas:

      spi: 0xB32CF0BD (3006066877)

         transform: esp-3des esp-md5-hmac

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 4, crypto-map: def

         sa timing: remaining key lifetime (sec): 104

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x3B6F6A35 (997157429)

         transform: esp-3des esp-md5-hmac

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 4, crypto-map: def

         sa timing: remaining key lifetime (sec): 104

         IV size: 8 bytes

         replay detection support: Y

hostname(config)#

The following example shows IPSec SAs with the keyword identity.

hostname(config)# show ipsec sa identity

interface: outside2

    Crypto map tag: def, local addr: 172.20.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)

      current_peer: 10.132.0.21

      dynamic allocated peer ip: 90.135.1.5

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 1147, #pkts decrypt: 1147, #pkts verify: 1147

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21

      path mtu 1500, ipsec overhead 60, media mtu 1500

      current outbound spi: DC15BF68

    Crypto map tag: def, local addr: 172.20.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)

      current_peer: 10.135.1.8

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 73756, #pkts encrypt: 73756, #pkts digest: 73756

      #pkts decaps: 78911, #pkts decrypt: 78911, #pkts verify: 78911

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 73756, #pkts comp failed: 0, #pkts decomp failed: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8

      path mtu 1500, ipsec overhead 60, media mtu 1500

      current outbound spi: 3B6F6A35

The following example shows IPSec SAs with the keywords identity and detail.

hostname(config)# show ipsec sa identity detail

interface: outside2

    Crypto map tag: def, local addr: 172.20.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)

      current_peer: 10.132.0.21

      dynamic allocated peer ip: 90.135.1.5

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 1147, #pkts decrypt: 1147, #pkts verify: 1147

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0

      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0

      #pkts invalid prot (rcv): 0, #pkts verify failed: 0

      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0

      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0

      #pkts replay failed (rcv): 0

      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21

      path mtu 1500, ipsec overhead 60, media mtu 1500

      current outbound spi: DC15BF68

    Crypto map tag: def, local addr: 172.20.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)

      current_peer: 10.135.1.8

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 73771, #pkts encrypt: 73771, #pkts digest: 73771

      #pkts decaps: 78926, #pkts decrypt: 78926, #pkts verify: 78926

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 73771, #pkts comp failed: 0, #pkts decomp failed: 0

      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0

      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0

      #pkts invalid prot (rcv): 0, #pkts verify failed: 0

      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0

      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0

      #pkts replay failed (rcv): 0

      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8

      path mtu 1500, ipsec overhead 60, media mtu 1500

      current outbound spi: 3B6F6A35

Related Commands

Command	Description
clear configure isakmp	Clears all the ISAKMP configuration.
clear configure isakmp policy	Clears all ISAKMP policy configuration.
clear isakmp sa	Clears the IKE runtime SA database.
isakmp enable	Enables ISAKMP negotiation on the interface on which the IPSec peer communicates with the FWSM.
show running-config isakmp	Displays all the active ISAKMP configuration.

show ipsec sa summary

To display a summary of IPSec SAs, use the show ipsec sa summary command in global configuration mode or privileged EXEC mode.

show ipsec sa summary

Syntax Description

This command has no arguments or variables.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	—	—
Privileged EXEC	•	•	•	—	—

Command History

Release	Modification
3.1(1)	This command was introduced.

Examples

The following example, entered in global configuration mode, displays a summary of IPSec SAs by the following connection types:

•IPSec

•IPSec over UDP

•IPSec over NAT-T

•IPSec over TCP

•IPSec VPN load balancing

hostname(config)# show ipsec sa summary

Current IPSec SA's:            Peak IPSec SA's:

IPSec            :     2         Peak Concurrent SA  :    14

IPSec over UDP   :     2         Peak Concurrent L2L :     0

IPSec over NAT-T :     4         Peak Concurrent RA  :    14

IPSec over TCP   :     6

IPSec VPN LB     :     0

Total            :    14

hostname(config)# 

Related Commands

Command	Description
clear ipsec sa	Removes IPSec SAs entirely or based on specific parameters.
show ipsec sa	Displays a list of IPSec SAs.
show ipsec stats	Displays a list of IPSec statistics.

show ipsec stats

To display a list of IPSec statistics, use the show ipsec stats command in global configuration mode or privileged EXEC mode.

show ipsec stats

Syntax Description

This command has no keywords or variables.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	—	—
Privileged EXEC	•	•	•	—	—

Command History

Release	Modification
3.1(1)	This command was introduced.

Examples

The following example, entered in global configuration mode, displays IPSec statistics:

hostname(config)# show ipsec stats

IPsec Global Statistics

-----------------------

Active tunnels: 2

Previous tunnels: 9

Inbound

    Bytes: 4933013

    Decompressed bytes: 4933013

    Packets: 80348

    Dropped packets: 0

    Replay failures: 0

    Authentications: 80348

    Authentication failures: 0

    Decryptions: 80348

    Decryption failures: 0

Outbound

    Bytes: 4441740

    Uncompressed bytes: 4441740

    Packets: 74029

    Dropped packets: 0

    Authentications: 74029

    Authentication failures: 0

    Encryptions: 74029

    Encryption failures: 0

Protocol failures: 0

Missing SA failures: 0

System capacity failures: 0

hostname(config)# 

Related Commands

Command	Description
clear ipsec sa	Clears IPSec SAs or counters based on specified parameters.
crypto ipsec transform-set	Defines a transform set.
show ipsec sa	Displays IPSec SAs based on specified parameters.
show ipsec sa summary	Displays a summary of IPSec SAs.

show ipv6 access-list

To display the IPv6 access list, use the show ipv6 access-list command in privileged EXEC mode. The IPv6 access list determines what IPv6 traffic can pass through the FWSM.

show ipv6 access-list [id [source-ipv6-prefix/prefix-length | any | host source-ipv6-address]]

Syntax Description

any	(Optional) An abbreviation for the IPv6 prefix ::/0.
host source-ipv6-address	(Optional) IPv6 address of a specific host. When provided, only the access rules for the specified host are displayed.
id	(Optional) The access list name. When provided, only the specified access list is displayed.
source-ipv6-prefix /prefix-length	(Optional) IPv6 network address and prefix. When provided, only the access rules for the specified IPv6 network are displayed.

Defaults

Displays all IPv6 access lists.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	•	—

Command History

Release	Modification
3.1(1)	This command was introduced.

Usage Guidelines

The show ipv6 access-list command provides output similar to the show ip access-list command, except that it is IPv6-specific.

Examples

The following is sample output from the show ipv6 access-list command. It shows IPv6 access lists named inbound, tcptraffic, and outbound.

hostname# show ipv6 access-list

IPv6 access list inbound

    permit tcp any any eq bgp reflect tcptraffic (8 matches) sequence 10

    permit tcp any any eq telnet reflect tcptraffic (15 matches) sequence 20

    permit udp any any reflect udptraffic sequence 30

IPv6 access list tcptraffic (reflexive) (per-user)

    permit tcp host 2001:0DB8:1::1 eq bgp host 2001:0DB8:1::2 eq 11000 timeout 300 (time 

        left 243) sequence 1

    permit tcp host 2001:0DB8:1::1 eq telnet host 2001:0DB8:1::2 eq 11001 timeout 300 

        (time left 296) sequence 2

IPv6 access list outbound

    evaluate udptraffic

    evaluate tcptraffic

Related Commands

Command	Description
ipv6 access-list	Creates an IPv6 access list.

show ipv6 interface

To display the status of interfaces configured for IPv6, use the show ipv6 interface command in privileged EXEC mode.

show ipv6 interface [brief] [if_name [prefix]]

Syntax Description

brief	Displays a brief summary of IPv6 status and configuration for each interface.
if_name	(Optional) The internal or external interface name, as designated by the nameif command. The status and configuration for only the designated interface is shown.
prefix	(Optional) Prefix generated from a local IPv6 prefix pool.

Defaults

Displays all IPv6 interfaces.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	•	—

Command History

Release	Modification
3.1(1)	This command was introduced.

Usage Guidelines

The show ipv6 interface command provides output similar to the show interface command, except that it is IPv6-specific. If the interface hardware is usable, the interface is marked up. If the interface can provide two-way communication, the line protocol is marked up.

When an interface name is not specified, information on all IPv6 interfaces is displayed. Specifying an interface name displays information about the specified interface.

Examples

The following is sample output from the show ipv6 interface command:

hostname# show ipv6 interface outside

interface Vlan101 "outside" is up, line protocol is up

  IPv6 is enabled, link-local address is 2001:0DB8::/29 [TENTATIVE]

  Global unicast address(es):

    2000::2, subnet is 2000::/64

  Joined group address(es):

    FF02::1

    FF02::1:FF11:6770

  MTU is 1500 bytes

  ND DAD is enabled, number of DAD attempts: 1

  ND reachable time is 30000 milliseconds

  ND advertised reachable time is 0 milliseconds

  ND advertised retransmit interval is 0 milliseconds

  ND router advertisements are sent every 200 seconds

  ND router advertisements live for 1800 seconds

The following is sample output from the show ipv6 interface command when entered with the brief keyword:

hostname# show ipv6 interface brief

outside [up/up]

    unassigned

inside [up/up]

    fe80::20d:29ff:fe1d:69f0

    fec0::a:0:0:a0a:a70

vlan101 [up/up]

    fe80::20d:29ff:fe1d:69f0

    fec0::65:0:0:a0a:6570

dmz-ca [up/up]

    unassigned

The following is sample output from the show ipv6 interface command. It shows the characteristics of an interface which has generated a prefix from an address.

hostname# show ipv6 interface inside prefix

IPv6 Prefix Advertisements inside

Codes: A - Address, P - Prefix-Advertisement, O - Pool

       U - Per-user prefix, D - Default       N - Not advertised, C - Calendar

AD      fec0:0:0:a::/64 [LA] Valid lifetime 2592000, preferred lifetime 604800

show ipv6 neighbor

To display the IPv6 neighbor discovery cache information, use the show ipv6 neighbor command in privileged EXEC mode.

show ipv6 neighbor [if_name | address]

Syntax Description

address	(Optional) Displays neighbor discovery cache information for the supplied IPv6 address only.
if_name	(Optional) Displays cache information for the supplied interface name, as configure by the nameif command, only.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	•	—

Command History

Release	Modification
3.1(1)	This command was introduced.

Usage Guidelines

The following information is provided by the show ipv6 neighbor command:

•IPv6 Address—the IPv6 address of the neighbor or interface.

•Age—the time (in minutes) since the address was confirmed to be reachable. A hyphen (-) indicates a static entry.

•Link-layer Addr—MAC address. If the address is unknown, a hyphen (-) is displayed.

•State—The state of the neighbor cache entry.

---

Note Reachability detection is not applied to static entries in the IPv6 neighbor discovery cache; therefore, the descriptions for the INCMP (Incomplete) and REACH (Reachable) states are different for dynamic and static cache entries.

---

The following are possible states for dynamic entries in the IPv6 neighbor discovery cache:

–INCMP—(Incomplete) Address resolution is being performed on the entry. A neighbor solicitation message has been sent to the solicited-node multicast address of the target, but the corresponding neighbor advertisement message has not yet been received.

–REACH—(Reachable) Positive confirmation was received within the last ReachableTime milliseconds that the forward path to the neighbor was functioning properly. While in REACH state, the device takes no special action as packets are sent.

–STALE—More than ReachableTime milliseconds have elapsed since the last positive confirmation was received that the forward path was functioning properly. While in STALE state, the device takes no action until a packet is sent.

–DELAY—More than ReachableTime milliseconds have elapsed since the last positive confirmation was received that the forward path was functioning properly. A packet was sent within the last DELAY_FIRST_PROBE_TIME seconds. If no reachability confirmation is received within DELAY_FIRST_PROBE_TIME seconds of entering the DELAY state, send a neighbor solicitation message and change the state to PROBE.

–PROBE—A reachability confirmation is actively sought by resending neighbor solicitation messages every RetransTimer milliseconds until a reachability confirmation is received.

–????—Unknown state.

The following are possible states for static entries in the IPv6 neighbor discovery cache:

–INCMP—(Incomplete) The interface for this entry is down.

–REACH—(Reachable) The interface for this entry is up.

· Interface

Interface from which the address was reachable.

Examples

The following is sample output from the show ipv6 neighbor command when entered with an interface:

hostname# show ipv6 neighbor inside

IPv6 Address                             Age Link-layer Addr State Interface

2000:0:0:4::2                              0 0003.a0d6.141e  REACH inside

FE80::203:A0FF:FED6:141E                   0 0003.a0d6.141e  REACH inside

3001:1::45a                                - 0002.7d1a.9472  REACH inside

The following is sample output from the show ipv6 neighbor command when entered with an IPv6 address:

hostname# show ipv6 neighbor 2000:0:0:4::2

IPv6 Address                             Age Link-layer Addr State Interface

2000:0:0:4::2                              0 0003.a0d6.141e  REACH inside

Related Commands

Command	Description
clear ipv6 neighbors	Deletes all entries in the IPv6 neighbor discovery cache, except static entries.
ipv6 neighbor	Configures a static entry in the IPv6 neighbor discovery cache.

show ipv6 route

To display the contents of the IPv6 routing table, use the show ipv6 route command in privileged EXEC mode.

show ipv6 route

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	•	—

Command History

Release	Modification
3.1(1)	This command was introduced.

Usage Guidelines

•Codes—Indicates the protocol that derived the route. Values are as follows:

–C—Connected

–L—Local

–S—Static

–R—RIP derived

–B—BGP derived

–I1—ISIS L1—Integrated IS-IS Level 1 derived

–I2—ISIS L2—Integrated IS-IS Level 2 derived

–IA—ISIS interarea—Integrated IS-IS interarea derived

•fe80::/10—Indicates the IPv6 prefix of the remote network.

•[0/0]—The first number in the brackets is the administrative distance of the information source; the second number is the metric for the route.

•via ::—Specifies the address of the next router to the remote network.

•inside—Specifies the interface through which the next router to the specified network can be reached.

Examples

The following is sample output from the show ipv6 route command:

hostname# show ipv6 route

IPv6 Routing Table - 7 entries

Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP

       U - Per-user Static route

       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea

       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2

L   fe80::/10 [0/0]

     via ::, inside

     via ::, vlan101

L   fec0::a:0:0:a0a:a70/128 [0/0]

     via ::, inside

C   fec0:0:0:a::/64 [0/0]

     via ::, inside

L   fec0::65:0:0:a0a:6570/128 [0/0]

     via ::, vlan101

C   fec0:0:0:65::/64 [0/0]

     via ::, vlan101

L   ff00::/8 [0/0]

     via ::, inside

     via ::, vlan101

S   ::/0 [0/0]

     via fec0::65:0:0:a0a:6575, vlan101

Related Commands

Command	Description
debug ipv6 route	Displays debug messages for IPv6 routing table updates and route cache updates.
ipv6 route	Adds a static entry to the IPv6 routing table.

show ipv6 routers

To display IPv6 router advertisement information received from on-link routers, use the show ipv6 routers command in privileged EXEC mode.

show ipv6 routers [if_name]

Syntax Description

if_name

(Optional) The internal or external interface name, as designated by the nameif command, that you want to display information about.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	•	—

Command History

Release	Modification
3.1(1)	This command was introduced.

Usage Guidelines

When an interface name is not specified, information on all IPv6 interfaces is displayed. Specifying an interface name displays information about the specified interface.

Examples

The following is sample output from the show ipv6 routers command when entered without an interface name:

hostname# show ipv6 routers

Router FE80::83B3:60A4 on outside, last update 3 min

  Hops 0, Lifetime 6000 sec, AddrFlag=0, OtherFlag=0

  Reachable time 0 msec, Retransmit time 0 msec

  Prefix 3FFE:C00:8007::800:207C:4E37/96 autoconfig

    Valid lifetime -1, preferred lifetime -1

Router FE80::290:27FF:FE8C:B709 on inside, last update 0 min

  Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0

  Reachable time 0 msec, Retransmit time 0 msec

Related Commands

Command	Description
ipv6 route	Adds a static entry to the IPv6 routing table.

show ipv6 traffic

To display statistics about IPv6 traffic, use the show ipv6 traffic command in privileged EXEC mode.

show ipv6 traffic

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	•	—

Command History

Release	Modification
3.1(1)	This command was introduced.

Usage Guidelines

Use the clear ipv6 traffic command to clear the traffic counters.

Examples

The following is sample output from the show ipv6 traffic command:

hostname# show ipv6 traffic

IPv6 statistics:

  Rcvd:  545 total, 545 local destination

         0 source-routed, 0 truncated

         0 format errors, 0 hop count exceeded

         0 bad header, 0 unknown option, 0 bad source

         0 unknown protocol, 0 not a router

         218 fragments, 109 total reassembled

         0 reassembly timeouts, 0 reassembly failures

  Sent:  228 generated, 0 forwarded

         1 fragmented into 2 fragments, 0 failed

         0 encapsulation failed, 0 no route, 0 too big

  Mcast: 168 received, 70 sent

ICMP statistics:

  Rcvd: 116 input, 0 checksum errors, 0 too short

        0 unknown info type, 0 unknown error type

        unreach: 0 routing, 0 admin, 0 neighbor, 0 address, 0 port

        parameter: 0 error, 0 header, 0 option

        0 hopcount expired, 0 reassembly timeout,0 too big

        0 echo request, 0 echo reply

        0 group query, 0 group report, 0 group reduce

        0 router solicit, 60 router advert, 0 redirects

        31 neighbor solicit, 25 neighbor advert

  Sent: 85 output, 0 rate-limited

        unreach: 0 routing, 0 admin, 0 neighbor, 0 address, 0 port

        parameter: 0 error, 0 header, 0 option

        0 hopcount expired, 0 reassembly timeout,0 too big

        0 echo request, 0 echo reply

        0 group query, 0 group report, 0 group reduce

        0 router solicit, 18 router advert, 0 redirects

        33 neighbor solicit, 34 neighbor advert

UDP statistics:

  Rcvd: 109 input, 0 checksum errors, 0 length errors

        0 no port, 0 dropped

  Sent: 37 output

TCP statistics:

  Rcvd: 85 input, 0 checksum errors

  Sent: 103 output, 0 retransmitted

Related Commands

Command	Description
clear ipv6 traffic	Clears IPv6 traffic counters.