Information About Zone-Based Firewall ALG and AIC Conditional Debugging and Packet Tracing Support
Packet Tracing
Packet tracing provides the ability to generate Control Plane Policing (CPP) statistics for a specified packet flow, with minimal effect on router throughput. It also traces the path of each packet in the flow, which helps in determining the input interface, features used, and the output path.
The application layer gateway (ALG) generates statistics and keeps a log of the path along which the packets travel.
Conditional Debugging
In a typical application layer gateway (ALG)-enabled scenario where certain connections from the source address or destination address fail, debugging displays a list of messages for all the traffic that passes through the ALG. Enabling conditional debugging ensures that only the debug messages related to the specified connections are displayed on the console. Prior to the introduction of this feature, debugging displayed many messages for all traffic that passed through the ALG.
Debug Logs
The following severity levels have been added:
- Error: Error and firewall packet drop conditions.
  Examples:
  - Unable to send a packet
  - ALG error condition
- Warning: Warning debug messages.
- Info: Information about an event.
  Examples:
  - Packet drop due to policy configuration, malformed packets, or hardcoded limit and threshold
  - State machine transition
  - ALG check status
  - Packet pass and drop status
- Verbose: All log messages.
  Examples:
  - Data structures
  - Event details
Note: Both the ALG-AIC functional debug flag and the severity level must be set. If only the severity level is set and the ALG-AIC functional debug flag is not set, the debug log will not be enabled. If only the ALG-AIC functional debug flag is set, the Info level, which is the default severity level, is logged.