You can use vemcmd commands to troubleshoot issues with Distributed Firewall flow logging. This section lists the commands and their functions and provides sample output.
For general information about Distributed Firewall flow logging and how to configure it, see the section "Distributed Firewall Flow Logging" in the Cisco ACI Virtualization Guide.
For Distributed Firewall scalability information, see the Verified Scalability Guide for Cisco ACI.
Displays all or unreported permit flows.
The following example shows the output of the command vemcmd show dfw flows all:
# vemcmd show dfw flows all
For ltl 8
---------------------------------------------------------------------------------------------------
ACTIVE LIST:
Failed to get DFW Entry
---------------------------------------------------------------------------------------------------
ESTABLISHED-FREE LIST:
Failed to get DFW Entry
---------------------------------------------------------------------------------------------------
FREE LIST:
For ltl 50
---------------------------------------------------------------------------------------------------
ACTIVE LIST:
Failed to get DFW Entry
---------------------------------------------------------------------------------------------------
ESTABLISHED-FREE LIST:
Failed to get DFW Entry
---------------------------------------------------------------------------------------------------
FREE LIST:
For ltl 51
---------------------------------------------------------------------------------------------------
ACTIVE LIST:
V/D BUCK SIP         DIP         SP    DP   PRO TS      EC SQ SQ-2 FG
V   458  192.168.5.1 192.168.5.2 35110 5001 6   2657566 0  1  0    13
V   1823 192.168.5.1 192.168.5.2 35108 5001 6   2657566 0  1  0    13
V   2294 192.168.5.1 192.168.5.2 35109 5001 6   2657566 0  1  0    13
V   3922 192.168.5.1 192.168.5.2 35111 5001 6   2657566 0  1  0    13
V   3948 192.168.5.1 192.168.5.2 35107 5001 6   2657566 0  1  0    13
---------------------------------------------------------------------------------------------------
ESTABLISHED-FREE LIST:
---------------------------------------------------------------------------------------------------
FREE LIST:
For ltl 52
---------------------------------------------------------------------------------------------------
ACTIVE LIST:
V/D BUCK SIP         DIP         SP   DP    PRO TS      EC SQ SQ-2 FG
V   642  192.168.5.2 192.168.5.1 5001 35109 6   2657566 0  1  0    23
V   920  192.168.5.2 192.168.5.1 5001 35107 6   2657566 0  1  0    23
V   1896 192.168.5.2 192.168.5.1 5001 35108 6   2657566 0  1  0    23
V   1989 192.168.5.2 192.168.5.1 5001 35110 6   2657566 0  1  0    23
V   2437 192.168.5.2 192.168.5.1 5001 35111 6   2657565 0  1  0    23
---------------------------------------------------------------------------------------------------
ESTABLISHED-FREE LIST:
---------------------------------------------------------------------------------------------------
FREE LIST:
Number of Active Flows: 10
Number of Deleted Flows: 0
Number of Established Free Flows: 0
Number of Free Flows: 0
The following example shows the output of the command vemcmd show dfw flows unreported:
# vemcmd show dfw flows unreported
For ltl 8
---------------------------------------------------------------------------------------------------
ACTIVE LIST:
Failed to get DFW Entry
---------------------------------------------------------------------------------------------------
ESTABLISHED-FREE LIST:
Failed to get DFW Entry
---------------------------------------------------------------------------------------------------
FREE LIST:
For ltl 50
---------------------------------------------------------------------------------------------------
ACTIVE LIST:
Failed to get DFW Entry
---------------------------------------------------------------------------------------------------
ESTABLISHED-FREE LIST:
Failed to get DFW Entry
---------------------------------------------------------------------------------------------------
FREE LIST:
For ltl 51
---------------------------------------------------------------------------------------------------
ACTIVE LIST:
V/D BUCK SIP         DIP         SP    DP   PRO TS      EC SQ SQ-2 FG
V   458  192.168.5.1 192.168.5.2 35110 5001 6   2657712 0  1  0    13
V   1823 192.168.5.1 192.168.5.2 35108 5001 6   2657712 0  1  0    13
V   2294 192.168.5.1 192.168.5.2 35109 5001 6   2657712 0  1  0    13
V   3922 192.168.5.1 192.168.5.2 35111 5001 6   2657712 0  1  0    13
V   3948 192.168.5.1 192.168.5.2 35107 5001 6   2657712 0  1  0    13
---------------------------------------------------------------------------------------------------
ESTABLISHED-FREE LIST:
---------------------------------------------------------------------------------------------------
FREE LIST:
For ltl 52
---------------------------------------------------------------------------------------------------
ACTIVE LIST:
V/D BUCK SIP         DIP         SP   DP    PRO TS      EC SQ SQ-2 FG
V   642  192.168.5.2 192.168.5.1 5001 35109 6   2657712 0  1  0    23
V   920  192.168.5.2 192.168.5.1 5001 35107 6   2657712 0  1  0    23
V   1896 192.168.5.2 192.168.5.1 5001 35108 6   2657712 0  1  0    23
V   1989 192.168.5.2 192.168.5.1 5001 35110 6   2657712 0  1  0    23
V   2437 192.168.5.2 192.168.5.1 5001 35111 6   2657712 0  1  0    23
---------------------------------------------------------------------------------------------------
ESTABLISHED-FREE LIST:
---------------------------------------------------------------------------------------------------
FREE LIST:
Number of Active Flows: 10
Number of Deleted Flows: 0
Number of Established Free Flows: 0
Number of Free Flows: 0
Displays all DFW deny flows or DFW deny flows for a particular LTL.
The following example shows the output of the command vemcmd show dfwdenyflows all:
# vemcmd show dfwdenyflows all
ltl Vem Port     Source IP   Dest IP     Source Port Dest Port Protocol Deny Reason     Timestamp
51  UB4_sid.eth0 192.168.5.1 192.168.5.2 4546        500       TCP      syn-ack ingress 2016-06-20T08:21:10.421
51  UB4_sid.eth0 192.168.5.1 192.168.5.2 4549        500       TCP      syn-ack ingress 2016-06-20T08:21:13.422
51  UB4_sid.eth0 192.168.5.1 192.168.5.2 4545        500       TCP      syn-ack ingress 2016-06-20T08:21:09.421
51  UB4_sid.eth0 192.168.5.1 192.168.5.2 4547        500       TCP      syn-ack ingress 2016-06-20T08:21:11.422
51  UB4_sid.eth0 192.168.5.1 192.168.5.2 4548        500       TCP      syn-ack ingress 2016-06-20T08:21:12.422
The following example shows the output of the command vemcmd show dfwdenyflows 51 where 51 is the LTL number:
# vemcmd show dfwdenyflows 51
ltl Vem Port     Source IP   Dest IP     Source Port Dest Port Protocol Deny Reason     Timestamp
51  UB4_sid.eth0 192.168.5.1 192.168.5.2 4546        500       TCP      syn-ack ingress 2016-06-20T08:21:10.421
51  UB4_sid.eth0 192.168.5.1 192.168.5.2 4549        500       TCP      syn-ack ingress 2016-06-20T08:21:13.422
51  UB4_sid.eth0 192.168.5.1 192.168.5.2 4545        500       TCP      syn-ack ingress 2016-06-20T08:21:09.421
51  UB4_sid.eth0 192.168.5.1 192.168.5.2 4547        500       TCP      syn-ack ingress 2016-06-20T08:21:11.422
51  UB4_sid.eth0 192.168.5.1 192.168.5.2 4548        500       TCP      syn-ack ingress 2016-06-20T08:21:12.422
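The deny-flow table above is what an operator scrolls through when triaging blocked traffic. The following script is an added example, not part of the Cisco documentation, that parses rows in that layout (the deny reason may contain spaces, so it is matched between the protocol and the timestamp) and counts repeated denies per source, destination, port and reason, together with the time window they span. The embedded sample rows are constructed from the output shown on this page.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout of "vemcmd show dfwdenyflows all" (rows taken
# from the output shown on this page, here as separate lines).
SAMPLE_DENY_OUTPUT = """\
ltl Vem Port Source IP Dest IP Source Port Dest Port Protocol Deny Reason Timestamp
51 UB4_sid.eth0 192.168.5.1 192.168.5.2 4546 500 TCP syn-ack ingress 2016-06-20T08:21:10.421
51 UB4_sid.eth0 192.168.5.1 192.168.5.2 4549 500 TCP syn-ack ingress 2016-06-20T08:21:13.422
51 UB4_sid.eth0 192.168.5.1 192.168.5.2 4545 500 TCP syn-ack ingress 2016-06-20T08:21:09.421
"""

# One table row: ltl, VEM port, src/dst IP, src/dst port, protocol, a reason that
# may contain spaces, and an ISO-style timestamp anchored at end of line.
ROW_RE = re.compile(
    r"^(?P<ltl>\d+)\s+(?P<port>\S+)\s+(?P<sip>\S+)\s+(?P<dip>\S+)\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<proto>\S+)\s+"
    r"(?P<reason>.+?)\s+(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+)$"
)

def parse_deny_flows(text):
    """Parse the rows of `vemcmd show dfwdenyflows` into dicts.
    The header line and anything not matching the row layout is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("ltl", "sport", "dport"):
            rec[key] = int(rec[key])
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S.%f")
        rows.append(rec)
    return rows

def summarize_denies(rows):
    """Count denies per (source IP, dest IP, dest port, reason) and return the
    span in seconds between the first and last deny, so a burst of repeated
    denies from one source stands out during triage."""
    counts = Counter((r["sip"], r["dip"], r["dport"], r["reason"]) for r in rows)
    if not rows:
        return counts, None
    first = min(r["ts"] for r in rows)
    last = max(r["ts"] for r in rows)
    return counts, (last - first).total_seconds()
```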
Displays all entries or entries for a particular LTL in the short-lived flows table.
The following example shows the output of the command vemcmd show dfwslflows all:
# vemcmd show dfwslflows all
ltl Vem Port     Source IP   Dest IP     Source Port Dest Port Protocol Timestamp
52  UB3_sid.eth0 192.168.5.2 192.168.5.1 5001        35118     TCP      2016-06-20T08:11:34.689
52  UB3_sid.eth0 192.168.5.2 192.168.5.1 5001        35120     TCP      2016-06-20T08:11:34.689
51  UB4_sid.eth0 192.168.5.1 192.168.5.2 35119       5001      TCP      2016-06-20T08:11:34.689
51  UB4_sid.eth0 192.168.5.1 192.168.5.2 35114       5001      TCP      2016-06-20T08:09:14.157
52  UB3_sid.eth0 192.168.5.2 192.168.5.1 5001        35116     TCP      2016-06-20T08:09:14.158
52  UB3_sid.eth0 192.168.5.2 192.168.5.1 5001        35115     TCP      2016-06-20T08:09:14.158
51  UB4_sid.eth0 192.168.5.1 192.168.5.2 35116       5001      TCP      2016-06-20T08:09:14.158
51  UB4_sid.eth0 192.168.5.1 192.168.5.2 35121       5001      TCP      2016-06-20T08:11:34.689
52  UB3_sid.eth0 192.168.5.2 192.168.5.1 5001        35114     TCP      2016-06-20T08:09:14.157
52  UB3_sid.eth0 192.168.5.2 192.168.5.1 5001        35113     TCP      2016-06-20T08:09:14.150
51  UB4_sid.eth0 192.168.5.1 192.168.5.2 35112       5001      TCP      2016-06-20T08:09:14.149
52  UB3_sid.eth0 192.168.5.2 192.168.5.1 5001        35119     TCP      2016-06-20T08:11:34.689
51  UB4_sid.eth0 192.168.5.1 192.168.5.2 35117       5001      TCP      2016-06-20T08:11:34.689
52  UB3_sid.eth0 192.168.5.2 192.168.5.1 5001        35112     TCP      2016-06-20T08:09:14.149
51  UB4_sid.eth0 192.168.5.1 192.168.5.2 35120       5001      TCP      2016-06-20T08:11:34.689
51  UB4_sid.eth0 192.168.5.1 192.168.5.2 35113       5001      TCP      2016-06-20T08:09:14.150
51  UB4_sid.eth0 192.168.5.1 192.168.5.2 35118       5001      TCP      2016-06-20T08:11:34.689
51  UB4_sid.eth0 192.168.5.1 192.168.5.2 35115       5001      TCP      2016-06-20T08:09:14.158
52  UB3_sid.eth0 192.168.5.2 192.168.5.1 5001        35121     TCP      2016-06-20T08:11:34.689
52  UB3_sid.eth0 192.168.5.2 192.168.5.1 5001        35117     TCP      2016-06-20T08:11:34.689
The following example shows the output of the command vemcmd show dfwslflows 51, where 51 is the LTL number:
# vemcmd show dfwslflows 51
ltl Vem Port     Source IP   Dest IP     Source Port Dest Port Protocol Timestamp
51  UB4_sid.eth0 192.168.5.1 192.168.5.2 35119       5001      TCP      2016-06-20T08:11:34.689
51  UB4_sid.eth0 192.168.5.1 192.168.5.2 35114       5001      TCP      2016-06-20T08:09:14.157
51  UB4_sid.eth0 192.168.5.1 192.168.5.2 35116       5001      TCP      2016-06-20T08:09:14.158
51  UB4_sid.eth0 192.168.5.1 192.168.5.2 35121       5001      TCP      2016-06-20T08:11:34.689
51  UB4_sid.eth0 192.168.5.1 192.168.5.2 35112       5001      TCP      2016-06-20T08:09:14.149
51  UB4_sid.eth0 192.168.5.1 192.168.5.2 35117       5001      TCP      2016-06-20T08:11:34.689
51  UB4_sid.eth0 192.168.5.1 192.168.5.2 35120       5001      TCP      2016-06-20T08:11:34.689
51  UB4_sid.eth0 192.168.5.1 192.168.5.2 35113       5001      TCP      2016-06-20T08:09:14.150
51  UB4_sid.eth0 192.168.5.1 192.168.5.2 35118       5001      TCP      2016-06-20T08:11:34.689
51  UB4_sid.eth0 192.168.5.1 192.168.5.2 35115       5001      TCP      2016-06-20T08:09:14.158
Displays the Distributed Firewall and logging state and the total number of deny flows, permit flows, and short-lived flows, respectively.
The following example shows the output of the command vemcmd show dfw globals:
# vemcmd show dfw globals
Show DFW GLobals
DFW Feature Enable: ENABLED
DFW Total Flows : 10
DFW Flows Allowed : 250000
DFW Current Time : 2658561
DFW Logging Enable: ENABLED
DFW Deny Logging Total Flows : 0
Max DFW Deny Logging flows : 250000
DFW Short Lived Total Flows : 0
Max DFW Short lived flows : 5000
Displays global statistics for a specified interface.
The following example shows the output of the command vemcmd show dfw globals ltl 51 where 51 is the LTL number:
# vemcmd show dfw globals ltl 51
Show DFW Port: 51 GLobals
DFW Feature Enable: ENABLED
DFW Total Flows : 10
DFW Current Time : 2658777
DFW Port Init : 1
DFW Port Flows : 5
DFW Free Flows : 0
Displays consolidated statistics per interface.
The following example shows the output of the command vemcmd show dfw connection stats:
# vemcmd show dfw connection stats
LTL   CREATED DELETED AGED     DENIED_GBL DENIED_PORT DENIED_NO_MEM REPLACED UNALIGNED
---   ------- ------- -------- ---------- ----------- ------------- -------- ---------
50    0       0       0        0          0           0             0        0
51    14      0       10       0          0           0             0        0
52    5       0       0        0          0           0             0        0
---   ------- ------- -------- ---------- ----------- ------------- -------- ---------
Total 19      0       10       0          0           0             0        0
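The per-interface statistics above are the quickest place to see whether the firewall is silently dropping connections because a table is full. The following script is an added example, not part of the Cisco documentation, that parses rows in that layout, flags interfaces with a non-zero value in any DENIED_* column, and checks that the Total row equals the column sums (a mismatch usually means the captured output was truncated). The embedded sample is constructed from the output shown on this page; treating every DENIED_* column as worth flagging is this example's assumption.

```python
# Constructed sample in the layout of "vemcmd show dfw connection stats" shown
# on this page.
SAMPLE_CONN_STATS = """\
LTL CREATED DELETED AGED DENIED_GBL DENIED_PORT DENIED_NO_MEM REPLACED UNALIGNED
--- ------- ------- -------- ---------- ----------- ------------- -------- ---------
50 0 0 0 0 0 0 0 0
51 14 0 10 0 0 0 0 0
52 5 0 0 0 0 0 0 0
--- ------- ------- -------- ---------- ----------- ------------- -------- ---------
Total 19 0 10 0 0 0 0 0
"""

def parse_connection_stats(text):
    """Return (columns, per_ltl, total): per_ltl maps an LTL number to a dict of
    column name -> int; total is the dict from the Total row, or None."""
    columns, per_ltl, total = None, {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("-"):
            continue                      # blank line or dashed separator
        if fields[0] == "LTL":
            columns = fields[1:]          # header gives the column names
            continue
        if columns is None or len(fields) != len(columns) + 1:
            continue                      # not a table row
        values = dict(zip(columns, map(int, fields[1:])))
        if fields[0] == "Total":
            total = values
        else:
            per_ltl[int(fields[0])] = values
    return columns, per_ltl, total

def check_connection_stats(text):
    """Return a list of findings: interfaces with non-zero DENIED_* counters and
    any column whose Total row does not equal the sum of the per-LTL rows."""
    columns, per_ltl, total = parse_connection_stats(text)
    findings = []
    for ltl, vals in sorted(per_ltl.items()):
        for col in columns:
            if col.startswith("DENIED") and vals[col] > 0:
                findings.append(f"ltl {ltl}: {col}={vals[col]}")
    if total is not None:
        for col in columns:
            total_rows = sum(v[col] for v in per_ltl.values())
            if total_rows != total[col]:
                findings.append(f"{col}: rows sum to {total_rows}, Total row says {total[col]}")
    return findings
```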
Displays all permitted Distributed Firewall flows for a specified interface.
The following example shows the output of the command vemcmd show dfwflows ltl 51 where 51 is the LTL number:
# vemcmd show dfwflows ltl 51
Get DFWFLOW Table for ltl: 51
SIP         DIP         SP    DP   PRO State       Age
192.168.5.1 192.168.5.2 35110 5001 TCP ESTABLISHED 0
192.168.5.1 192.168.5.2 35108 5001 TCP ESTABLISHED 0
192.168.5.1 192.168.5.2 35109 5001 TCP ESTABLISHED 0
192.168.5.1 192.168.5.2 35111 5001 TCP ESTABLISHED 0
192.168.5.1 192.168.5.2 35107 5001 TCP ESTABLISHED 0
Number of Flows: 5
Displays the configuration information received from the APIC, to assist with verifying the logging server configuration.
The following example shows the output of the command vemcmd dpa show dfwlog config:
# vemcmd dpa show dfwlog config
=>dpa command is: show dfwlog config
DFW-Log Config:
DFW Log Enable: enabled
DFW Deny Logging Enable: enabled
DFW Permit Logging Enable: enabled
Reporting Interval: 300 sec
Syslog Severity: information (6)
Syslog Srvr 1: Enable: 1 IP: 10.197.138.81 Sev: information (6) Fac: local7 (7) Port: 514
Syslog Srvr 2: Enable: 0 IP: 0.0.0.0 Sev: information (6) Fac: local4 (4) Port: 514
Syslog Srvr 3: Enable: 0 IP: 0.0.0.0 Sev: information (6) Fac: local4 (4) Port: 514
Syslog Srvr Name 1: 10.197.138.81
Syslog Srvr Name 2:
Syslog Srvr Name 3:
#byeBye#