Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference, 3.1
show isakmp sa through show route

Table Of Contents

show isakmp sa through show route Commands

show isakmp sa

show isakmp stats

show local-host

show logging

show mac-address-table

show management-access

show memory

show memory binsize

show memory delayed-free-poisoner

show memory profile

show memory-caller address

show mfib

show mfib active

show mfib count

show mfib interface

show mfib reserved

show mfib status

show mfib summary

show mfib verbose

show mgcp

show mode

show mrib client

show mrib route

show mrib route summary

show mroute

show nameif

show np

show np acl-notification

show np block

show np pc

show ospf

show ospf border-routers

show ospf database

show ospf flood-list

show ospf interface

show ospf neighbor

show ospf request-list

show ospf retransmission-list

show ospf summary-address

show ospf virtual-links

show pc conn

show perfmon

show pim df

show pim group-map

show pim interface

show pim join-prune statistic

show pim neighbor

show pim range-list

show pim topology

show pim topology reserved

show pim topology route-count

show pim traffic

show pim tunnel

show processes

show prompt

show reload

show resource acl-partition

show resource allocation

show resource types

show resource usage

show route


show isakmp sa through show route Commands


show isakmp sa

To display the IKE runtime SA database, use the show isakmp sa command in global configuration mode or privileged EXEC mode.

show isakmp sa [detail]

Syntax Description

detail

Displays detailed output about the SA database.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC


Command History

Release      Modification
1.1(1)       This command was introduced.


Usage Guidelines

The output from this command includes the following fields:

Table 27-1 show isakmp sa Fields (Detail Not Specified)

IKE Peer          Type  Dir   Rky  State
209.165.200.225   L2L   Init  No   MM_Active

Table 27-2 show isakmp sa Fields (Detail Specified)

IKE Peer          Type  Dir   Rky  State      Encrypt  Hash  Auth     Lifetime
209.165.200.225   L2L   Init  No   MM_Active  3des     md5   preshrd  86400

Examples

The following example, entered in global configuration mode, displays detailed information about the SA database:

hostname(config)# show isakmp sa detail
hostname(config)# sho isakmp sa detail

IKE Peer	  Type  Dir   Rky  State      Encrypt Hash  Auth    Lifetime
1 209.165.200.225 User  Resp  No   AM_Active  3des    SHA   preshrd 86400

IKE Peer	  Type  Dir   Rky  State      Encrypt Hash  Auth    Lifetime
2 209.165.200.226 User  Resp  No   AM_ACTIVE  3des    SHA   preshrd 86400

IKE Peer	  Type  Dir   Rky  State      Encrypt Hash  Auth    Lifetime
3 209.165.200.227 User  Resp  No   AM_ACTIVE  3des    SHA   preshrd 86400

IKE Peer	  Type  Dir   Rky  State      Encrypt Hash  Auth    Lifetime
4 209.165.200.228 User  Resp  No   AM_ACTIVE  3des    SHA   preshrd 86400

hostname(config)# 

Related Commands

Command
Description

clear configure isakmp

Clears all the ISAKMP configuration.

clear configure isakmp policy

Clears all ISAKMP policy configuration.

clear isakmp sa

Clears the IKE runtime SA database.

isakmp enable

Enables ISAKMP negotiation on the interface on which the IPSec peer communicates with the FWSM.

show running-config isakmp

Displays all the active ISAKMP configuration.


show isakmp stats

To display runtime statistics, use the show isakmp stats command in privileged EXEC mode.

show isakmp stats

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release      Modification
3.1(1)       This command was introduced.


Usage Guidelines

The output from this command includes the following fields:

Global IKE Statistics

Active Tunnels

In Octets

In Packets

In Drop Packets

In Notifys

In P2 Exchanges

In P2 Exchange Invalids

In P2 Exchange Rejects

In P2 Sa Delete Requests

Out Octets

Out Packets

Out Drop Packets

Out Notifys

Out P2 Exchanges

Out P2 Exchange Invalids

Out P2 Exchange Rejects

Out P2 Sa Delete Requests

Initiator Tunnels

Initiator Fails

Responder Fails

System Capacity Fails

Auth Fails

Decrypt Fails

Hash Valid Fails

No Sa Fails

Examples

The following example, issued in global configuration mode, displays ISAKMP statistics:

hostname(config)# show isakmp stats
Global IKE Statistics
Active Tunnels: 132
Previous Tunnels: 132
In Octets: 195471
In Packets: 1854
In Drop Packets: 925
In Notifys: 0
In P2 Exchanges: 132
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 119029
Out Packets: 796
Out Drop Packets: 0
Out Notifys: 264
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
hostname(config)# 

Related Commands

Command
Description

clear configure isakmp

Clears all the ISAKMP configuration.

clear configure isakmp policy

Clears all ISAKMP policy configuration.

clear isakmp sa

Clears the IKE runtime SA database.

isakmp enable

Enables ISAKMP negotiation on the interface on which the IPSec peer communicates with the FWSM.

show running-config isakmp

Displays all the active ISAKMP configuration.


show local-host

To display the IP addresses of hosts that initiated current connections through the FWSM, use the show local-host command in privileged EXEC mode. This command also shows the address translation, if present, and the number of TCP, UDP, and embryonic connections per host.

show local-host [ip_address] [detail] [all]

Syntax Description

all

(Optional) Shows all initiating hosts, including connections to or from the FWSM. If you do not use the all keyword, connections to the FWSM and from the FWSM do not display.

detail

(Optional) Displays detailed network states.

ip_address

(Optional) Specifies the initiating host IP address.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release      Modification
1.1(1)       This command was introduced.
2.2(1)       This command was modified to support UDP maximum connections for local hosts.
2.3(1)       Because the TCP intercept feature was changed to use SYN cookies, this command no longer shows embryonic connections above the embryonic connection limit.


Usage Guidelines

In most cases, the "local host" is the initiating host. However, if you configure static NAT for an IP address, that host always shows as the local host even if it did not initiate the connection.

If you configure outside NAT (either static NAT or NAT exemption), and an inside host initiates a connection to the outside host, both the inside and outside hosts are listed as local hosts in the show local-host output. This feature lets you track connection limits for both hosts.

If you configure an embryonic connection limit, and the limit is exceeded, the FWSM implements TCP intercept to prevent a SYN attack. After TCP intercept is triggered, additional embryonic connections do not appear in the show local-host output.

The connection limits are set using the nat or static commands, or using the set connection commands.

Examples

The following examples show how to display the network states of local hosts:

hostname# show local-host
local host: <10.5.59.30>, tcp conn(s)/limit = 1/0, embryonic(s)/limit =
0/0 udp conn(s)/limit = 0/0
    Xlate(s):
        Global 10.5.59.30 Local 10.5.59.30

Table 27-3 shows each field description.

Table 27-3 show local-host Fields

Field
Description

local host: <ip_address>

Shows the host IP address.

tcp conn(s)/limit = x/y

Shows the current TCP connections followed by the connection limit. 0 means no limit was set.

embryonic(s)/limit = x/y

Shows the current embryonic connections followed by the connection limit. 0 means no limit was set.

udp conn(s)/limit = x/y

Shows the current UDP connections followed by the connection limit. 0 means no limit was set.

Xlate(s):

Shows the address translation. The FWSM shows the same address for local and global if you did not configure NAT, or if you configured identity NAT or NAT exemption.
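As an added example (not code from the Cisco reference), the following Python parses show local-host output into one record per host, applying the field semantics in Table 27-3: a limit of 0 means no limit was set, and a wrapped host line is joined back together before matching. The sample text is constructed; its first host is the page's own example and the second host is invented to exercise the limit check.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the first host is the page's own example (including the
# wrapped host line); the second host is invented to exercise the limit checks.
SAMPLE = """\
local host: <10.5.59.30>, tcp conn(s)/limit = 1/0, embryonic(s)/limit =
0/0 udp conn(s)/limit = 0/0
    Xlate(s):
        Global 10.5.59.30 Local 10.5.59.30
local host: <192.168.1.2>, tcp conn(s)/limit = 48/50, embryonic(s)/limit =
50/50 udp conn(s)/limit = 3/0
    Xlate(s):
        Global 209.165.201.5 Local 192.168.1.2
"""

HOST_RE = re.compile(
    r"local host: <(?P<ip>[^>]+)>,\s*"
    r"tcp conn\(s\)/limit = (?P<tcp>\d+)/(?P<tcp_limit>\d+),\s*"
    r"embryonic\(s\)/limit = (?P<emb>\d+)/(?P<emb_limit>\d+)\s*"
    r"udp conn\(s\)/limit = (?P<udp>\d+)/(?P<udp_limit>\d+)")
XLATE_RE = re.compile(r"Global (\S+) Local (\S+)")


@dataclass
class LocalHost:
    ip: str
    counters: dict                  # name -> (current, limit); limit 0 = no limit set
    xlates: list = field(default_factory=list)   # (global, local) address pairs


def parse_local_host(text):
    """One LocalHost per 'local host:' entry.

    Lines that do not start a new entry (the wrapped tail of the host line and
    the Xlate(s) block) are joined onto the current entry before matching.
    """
    records, current = [], []
    for raw in text.splitlines():
        if raw.startswith("local host:") and current:
            records.append(current)
            current = []
        if raw.strip():
            current.append(raw.strip())
    if current:
        records.append(current)

    hosts = []
    for rec in records:
        flat = " ".join(rec)
        m = HOST_RE.search(flat)
        if not m:
            raise ValueError("unrecognised local-host entry: %s" % flat)
        counters = {
            "tcp": (int(m["tcp"]), int(m["tcp_limit"])),
            "embryonic": (int(m["emb"]), int(m["emb_limit"])),
            "udp": (int(m["udp"]), int(m["udp_limit"])),
        }
        hosts.append(LocalHost(m["ip"], counters, XLATE_RE.findall(flat)))
    return hosts


def utilisation(current, limit):
    """Fraction of the limit in use, or None when the limit is 0 (no limit set)."""
    return None if limit == 0 else current / limit


def hosts_near_limit(hosts, threshold=0.9):
    """(ip, counter, current, limit) for each limited counter at or above threshold.

    An embryonic count equal to its limit deserves attention: once the limit is
    exceeded TCP intercept engages and further embryonic connections are not
    listed, so the displayed count never rises past the limit.
    """
    flagged = []
    for h in hosts:
        for name, (cur, lim) in h.counters.items():
            u = utilisation(cur, lim)
            if u is not None and u >= threshold:
                flagged.append((h.ip, name, cur, lim))
    return flagged
```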


Related Commands

Command
Description

clear local-host

Clears connections.

nat

Associates a network with a pool of global IP addresses.

show conns

Shows connection information.

static

Statically translates an address.

set connection

Sets connection limits.


show logging

To show system log messages currently in the log buffer or to show other logging settings, use the show logging command in privileged EXEC mode.

show logging [message [syslog_id | all] | asdm | queue | setting]

Syntax Description

message

(Optional) Displays messages that are at a non-default level. See the logging message command to set the message level.

syslog_id

(Optional) Specifies a message number to display.

all

(Optional) Displays all system log message IDs, along with whether they are enabled or disabled.

setting

(Optional) Displays the logging setting, without displaying the logging buffer.

asdm

(Optional) Displays ASDM logging buffer content.

queue

(Optional) Displays messages currently in the logging queue.


Defaults

This command has no default settings.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release      Modification
Preexisting  This command was preexisting.


Usage Guidelines

If the logging buffered command is in use, the show logging command without any keywords shows the current message buffer and the current settings.

The show logging queue command lets you display the following:

Number of messages that are in the queue

Highest number of messages recorded that are in the queue

Number of messages that are discarded because block memory was not available to process them

Examples

The following is sample output from the show logging command:

hostname(config)# show logging
Syslog logging: enabled
    Timestamp logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 37 messages logged
    Trap logging: disabled
305001: Portmapped translation built for gaddr 209.165.201.5/0 laddr 192.168.1.2/256
...

The following is sample output from the show logging message all command:

hostname(config)# show logging message all

syslog 111111: default-level alerts (enabled)
syslog 101001: default-level alerts (enabled)
syslog 101002: default-level alerts (enabled)
syslog 101003: default-level alerts (enabled)
syslog 101004: default-level alerts (enabled)
syslog 101005: default-level alerts (enabled)
syslog 102001: default-level alerts (enabled)
syslog 103001: default-level alerts (enabled)
syslog 103002: default-level alerts (enabled)
syslog 103003: default-level alerts (enabled)
syslog 103004: default-level alerts (enabled)
syslog 103005: default-level alerts (enabled)
syslog 103011: default-level alerts (enabled)
syslog 103012: default-level informational (enabled)

Related Commands

Command
Description

logging asdm

Enables logging to ASDM.

logging buffered

Enables logging to the buffer.

logging message

Sets the message level, or disables messages.

logging queue

Configures the logging queue.


show mac-address-table

To show the MAC address table, use the show mac-address-table command in privileged EXEC mode.

show mac-address-table [interface_name | count | static]

Syntax Description

count

(Optional) Lists the total number of dynamic and static entries.

interface_name

(Optional) Identifies the interface name for which you want to view MAC address table entries.

static

(Optional) Lists only static entries.


Defaults

If you do not specify an interface, all interface MAC address entries are shown.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release      Modification
2.2(1)       This command was introduced.


Examples

The following is sample output from the show mac-address-table command:

hostname# show mac-address-table
interface    mac address       type      Time Left
-----------------------------------------------------------------------
outside      0009.7cbe.2100    static    -
inside       0010.7cbe.6101    static    -
inside       0009.7cbe.5101    dynamic   10

The following is sample output from the show mac-address-table command for the inside interface:

hostname# show mac-address-table inside
interface    mac address       type      Time Left
-----------------------------------------------------------------------
inside       0010.7cbe.6101    static    -
inside       0009.7cbe.5101    dynamic   10

The following is sample output from the show mac-address-table count command:

hostname# show mac-address-table count
Static     mac-address bridges (curr/max): 0/65535
Dynamic    mac-address bridges (curr/max): 103/65535

Related Commands

Command
Description

firewall transparent

Sets the firewall mode to transparent.

mac-address-table aging-time

Sets the timeout for dynamic MAC address entries.

mac-address-table static

Adds a static MAC address entry to the MAC address table.

mac-learn

Disables MAC address learning.


show management-access

To display the name of the internal interface configured for management access, use the show management-access command in privileged EXEC mode.

show management-access

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release      Modification
3.1          This command was introduced.


Usage Guidelines

The management-access command lets you define an internal management interface using the IP address of the firewall interface specified in mgmt_if. (The interface names are defined by the nameif command and displayed in quotes, " ", in the output of the show interface command.)

Examples

The following example shows how to configure a firewall interface named "inside" as the management access interface and display the result:

hostname(config)# management-access inside
hostname(config)# show management-access
management-access inside

Related Commands

Command
Description

clear configure management-access

Removes the configuration of an internal interface for management access of the FWSM.

management-access

Configures an internal interface for management access.


show memory

To display a summary of the maximum physical memory and current free memory available to the operating system, use the show memory command in privileged EXEC mode.

show memory [detail]

Syntax Description

detail

(Optional) Displays a detailed view of free and allocated system memory.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release      Modification
2.2(1)       This command was introduced.


Usage Guidelines

The show memory command lets you display a summary of the maximum physical memory and current free memory available to the operating system. Memory is allocated as needed.

You can use the show memory detail output together with the show memory binsize command to debug memory leaks.

You can also display the information from the show memory command using SNMP.

Examples

The following example shows how to display a summary of the maximum physical memory and current free memory available:

hostname# show memory
Free memory:       845044716 bytes (79%)
Used memory:       228697108 bytes (21%)
-------------     ----------------
Total memory:     1073741824 bytes (100%)

This example shows detailed memory output:

hostname# show memory detail
Free memory:                15958088 bytes (24%)
Used memory:
  Allocated memory in use:  29680332 bytes (44%)
  Reserved memory:          21470444 bytes (32%)
-----------------------------  ----------------
Total memory:               67108864 bytes (100%)

Least free memory:           4551716 bytes ( 7%)
Most used memory:           62557148 bytes (93%)

----- fragmented memory statistics -----

   fragment size      count          total
         (bytes)                   (bytes)
----------------  ----------  --------------
              16           8            128
              24           4             96
              32           2             64
              40           5            200
              64           3            192
              88           1             88
             168           1            168
             224           1            224
             256           1            256
             296           2            592
             392           1            392
             400           1            400
            1816           1           1816*
         4435968           1        4435968**
        11517504           1       11517504

* - top most releasable chunk.
** - contiguous memory on top of heap.


----- allocated memory statistics -----

   fragment size      count          total
         (bytes)                   (bytes)
----------------  ----------  --------------
              40          50           2000
              48         144           6912
              56       24957        1397592
              64         101           6464
              72          99           7128
              80        1032          82560
              88          18           1584
              96          64           6144
             104          57           5928
             112           6            672
             120         112          13440
             128          15           1920
             136          87          11832
             144          22           3168
             152          31           4712
             160          90          14400
             168          65          10920
             176          74          13024
             184          11           2024
             192           8           1536
             200           1            200
<output omitted>

Related Commands

Command
Description

show memory profile

Displays information about the memory usage (profiling) of the FWSM.

show memory binsize

Displays summary information about the chunks allocated for a specific bin size.


show memory binsize

To display summary information about the chunks allocated for a specific bin size, use the show memory binsize command in privileged EXEC mode.

show memory binsize size

Syntax Description

size

Displays chunks (memory blocks) of a specific bin size. The bin size is from the "fragment size" column of the show memory detail command output.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release      Modification
3.1(1)       Support for this command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

The following example displays summary information about a chunk allocated to a bin size of 500:

hostname# show memory binsize 500
pc = 0x00b33657, size = 460      , count = 1

Related Commands

Command
Description

show memory-caller address

Displays the address ranges configured on the FWSM.

show memory profile

Displays information about the memory usage (profiling) of the FWSM.

show memory

Displays a summary of the maximum physical memory and current free memory available to the operating system.


show memory delayed-free-poisoner

To display a summary of the memory delayed-free-poisoner queue usage, use the show memory delayed-free-poisoner command in privileged EXEC mode.

show memory delayed-free-poisoner

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release      Modification
3.1(1)       This command was introduced.


Usage Guidelines

Use the clear memory delayed-free-poisoner command to clear the queue and statistics.

Examples

The following is sample output from the show memory delayed-free-poisoner command:

hostname# show memory delayed-free-poisoner
delayed-free-poisoner statistics:
         3335600:  memory held in queue
            6095:  current queue count
               0:  elements dequeued
               3:  frees ignored by size
            1530:  frees ignored by locking
              27:  successful validate runs
               0:  aborted validate runs
        01:09:36:  local time of last validate

Table 27-4 describes the significant fields in the show memory delayed-free-poisoner command output.

Table 27-4 show memory delayed-free-poisoner Command Output Descriptions

Field
Description

memory held in queue

The memory that is held in the delayed free-memory poisoner tool queue. Such memory is normally in the "Free" quantity in the show memory output if the delayed free-memory poisoner tool is not enabled.

current queue count

The number of elements in the queue.

elements dequeued

The number of elements that have been removed from the queue. This number begins to increase when most or all of the otherwise free memory in the system ends up being held in the queue.

frees ignored by size

The number of free requests not placed into the queue because the request was too small to hold required tracking information.

frees ignored by locking

The number of free requests intercepted by the tool not placed into the queue because the memory is in use by more than one application. The last application to free the memory back to the system ends up placing such memory regions into the queue.

successful validate runs

The number of times since monitoring was enabled or cleared using the clear memory delayed-free-poisoner command that the queue contents were validated (either automatically or by the memory delayed-free-poisoner validate command).

aborted validate runs

The number of times since monitoring was enabled or cleared using the clear memory delayed-free-poisoner command that requests to check the queue contents have been aborted because more than one task (either the periodic run or a validate request from the CLI) attempted to use the queue at a time.

local time of last validate

The local system time when the last validate run completed.


Related Commands

Command
Description

clear memory delayed-free-poisoner

Clears the delayed free-memory poisoner tool queue and statistics.

memory delayed-free-poisoner enable

Enables the delayed free-memory poisoner tool.

memory delayed-free-poisoner validate

Forces validation of the elements in the delayed free-memory poisoner tool queue.


show memory profile

To display information about the memory usage (profiling) of the FWSM, use the show memory profile command in privileged EXEC mode.

show memory profile [peak] [detail | collated | status]

Syntax Description

collated

(Optional) Collates the memory information displayed.

detail

(Optional) Displays detailed memory information.

peak

(Optional) Displays the peak capture buffer rather than the "in use" buffer.

status

(Optional) Displays the current state of memory profiling and the peak capture buffer.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release      Modification
3.1(1)       Support for this command was introduced.


Usage Guidelines

Use the show memory profile command to troubleshoot memory usage level and memory leaks. You can still see the profile buffer contents even if profiling has been stopped. Starting profiling clears the buffer automatically.


Note The FWSM might experience a temporary reduction in performance when memory profiling is enabled.


The following example shows...

hostname# show memory profile 
Range: start = 0x004018b4, end = 0x004169d0, increment = 00000004  
Total = 0 

The output of the show memory profile detail command (below) is divided into six data columns and one header column, at the far left. The header column gives the address (the hexadecimal number) of the memory bucket that corresponds to the first data column. The data itself is the number of bytes held by the text/code that falls in the bucket address. A period (.) in a data column means no memory is held by the text at this bucket. Each subsequent column in the row corresponds to the bucket address that is one increment higher than the previous column. For example, the address bucket of the first data column in the first row is 0x001069e0. The address bucket of the second data column in the first row is 0x001069e4, and so on. Normally the header column address is the next bucket address; that is, the address of the last data column of the previous row plus the increment. All rows without any usage are suppressed. More than one such contiguous row can be suppressed, indicated with three periods at the header column (...).

hostname# show memory profile detail 
Range: start = 0x00100020, end = 0x00e006e0, increment = 00000004  
Total = 48941152  
...  
0x001069e0 . 24462 . . . .  
...  
0x00106d88 . 1865870 . . . .  
...  
0x0010adf0 . 7788 . . . .  
...  
0x00113640 . . . . 433152 .  
...  
0x00116790 2480 . . . . .  
<snip> 

The following example shows collated output:

hostname# show memory profile collated
Range: start = 0x00100020, end = 0x00e006e0, increment = 00000004  
Total = 48941152  
24462 0x001069e4  
1865870 0x00106d8c  
7788 0x0010adf4  
433152 0x00113650  
2480 0x00116790  
<snip> 
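As an added example (not Cisco's code), the following Python implements the bucket rule described for the detail output: it expands each detail row into explicit bucket addresses (header address plus column index times the increment) and renders them in the same form as the collated output above, and it checks whether the rows present account for the reported Total. The samples are the page's own detail and peak detail listings embedded as constants; reading the increment field as hexadecimal is an assumption (for the value 00000004 the base makes no difference).

```python
import re

# Constructed from the `show memory profile detail` and `show memory profile
# peak detail` listings on this page (only the rows shown there; the snipped
# rows are absent, so the first sample does not add up to its Total).
SAMPLE_DETAIL = """\
Range: start = 0x00100020, end = 0x00e006e0, increment = 00000004
Total = 48941152
...
0x001069e0 . 24462 . . . .
...
0x00106d88 . 1865870 . . . .
...
0x0010adf0 . 7788 . . . .
...
0x00113640 . . . . 433152 .
...
0x00116790 2480 . . . . .
<snip>
"""

SAMPLE_PEAK_DETAIL = """\
Range: start = 0x004018b4, end = 0x004169d0, increment = 00000004
Total = 102400
...
0x00404c8c . . 102400 . . .
"""

RANGE_RE = re.compile(
    r"Range: start = (0x[0-9a-fA-F]+), end = (0x[0-9a-fA-F]+), increment = ([0-9a-fA-F]+)")
TOTAL_RE = re.compile(r"Total = (\d+)")


def parse_profile_detail(text):
    """Return (start, end, increment, total, [(bucket_address, bytes_held), ...]).

    Header column = address of the first data column; data column k sits at
    header + k * increment. '...' rows are suppressed zero-usage rows and a
    '<snip>' marker is truncated output, so both are skipped.
    """
    start = end = increment = total = None
    buckets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "..." or line.startswith("<"):
            continue
        m = RANGE_RE.match(line)
        if m:
            start, end = int(m.group(1), 16), int(m.group(2), 16)
            # Assumption: the increment prints without 0x but is read as hex,
            # matching the address fields it is added to.
            increment = int(m.group(3), 16)
            continue
        m = TOTAL_RE.match(line)
        if m:
            total = int(m.group(1))
            continue
        if start is None:
            raise ValueError("data row before Range header: %r" % line)
        fields = line.split()
        base = int(fields[0], 16)
        for col, cell in enumerate(fields[1:]):
            if cell == ".":
                continue  # no memory held by text at this bucket
            addr = base + col * increment
            if not (start <= addr < end) or (addr - start) % increment:
                raise ValueError("bucket 0x%08x outside or misaligned in range" % addr)
            buckets.append((addr, int(cell)))
    return start, end, increment, total, buckets


def collate(text):
    """Render the detail data the way `show memory profile collated` prints it."""
    _, _, _, _, buckets = parse_profile_detail(text)
    return ["%d 0x%08x" % (held, addr) for addr, held in buckets]


def check_total(text):
    """True when the rows present account for the reported Total (nothing snipped)."""
    _, _, _, total, buckets = parse_profile_detail(text)
    return sum(held for _, held in buckets) == total
```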

The following example shows the peak capture buffer:

hostname# show memory profile peak
Range: start = 0x004018b4, end = 0x004169d0, increment = 00000004  
Total = 102400 

The following example shows the peak capture buffer and the number of bytes held:

hostname# show memory profile peak detail 
Range: start = 0x004018b4, end = 0x004169d0, increment = 00000004  
Total = 102400  
...  
0x00404c8c . . 102400 . . . 

The following example shows the current state of memory profiling and the peak capture buffer:

hostname# show memory profile status 
InUse profiling: ON 
Peak profiling: OFF 
Memory used by profile buffers: 11518860 bytes 
Profile: 
0x00100020-0x00bfc3a8(00000004)

Related Commands

Command
Description

memory profile enable

Enables the monitoring of memory usage (memory profiling).

memory profile text

Configures a program text range of memory to profile.

clear memory profile

Clears the memory buffers held by the memory profiling function.


show memory-caller address

To display the address ranges configured on the FWSM, use the show memory-caller address command in privileged EXEC mode.

show memory-caller address

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release      Modification
3.1(1)       Support for this command was introduced.


Usage Guidelines

You must first configure address ranges with the memory caller-address command before you can display them with the show memory-caller address command.

Examples

The following examples show the address ranges configured with the memory caller-address command, and the resulting display of the show memory-caller address command:

hostname# memory caller-address 0x00109d5c 0x00109e08  
hostname# memory caller-address 0x009b0ef0 0x009b0f14  
hostname# memory caller-address 0x00cf211c 0x00cf4464 

hostname# show memory-caller address