Troubleshooting System Issues
This chapter describes how to troubleshoot Cisco Virtual Security Gateway (VSG) system issues.
This chapter includes the following sections:
•Information About the System
•Problems with VM Traffic
•VEM Troubleshooting Commands
•VEM Log Commands
Information About the System
The Cisco VSG provides firewall functionality for the VMs that have the vEths with port profiles created by the Virtual Supervisor Module (VSM). To allow the Cisco VSG to function properly, the Cisco VSG should have registered with a Cisco Virtual Network Management Center (VNMC) and the Cisco VSG's data interface MAC address should be seen by the VSM.
This example shows how to display information about the system:
VSG Software Version: 4.2(1)VSG1(1) build [4.2(1)VSG1(1)]
VSG-PERF-1_1# show vnm-pa status
VNM Policy-Agent status is - Installed Successfully. Version 1.0(1j)-vsg
Make sure that the Cisco VSG MAC address is learned by the VSM by entering the show vsn details command as follows:
#VSN VLAN: 754, IP-ADDR: 22.214.171.124
MODULE VSN-MAC-ADDR FAIL-MODE VSN-STATE
3 00:50:56:83:00:01 Close Up
#VSN Ports, Port-Profile, Org and Security-Profile Association:
#VSN VLAN: 754, IP-ADDR: 126.96.36.199
Port-Profile: profile-traffic, Security-Profile: sec-profile-perf, Org:
For more information, see the following documents:
•Cisco Virtual Security Gateway, Release 4.2(1)VSG1(1)
•Cisco Virtual Network Management Center, Release 1.0.1 Installation
•Quick Start Guide for Cisco Virtual Security Gateway and Cisco Virtual Network Management Center.
Problems with VM Traffic
When troubleshooting problems with intra-host VM traffic, follow these guidelines:
•Make sure that at least one of the VMware virtual NICs is on the correct DVS port group and is connected.
•If the VMware virtual NIC is down, determine if there is a conflict between the MAC address configured in the OS and the MAC addresses as assigned by VMware. You can see the assigned MAC addresses in the .vmx file.
When troubleshooting problems with inter-host VM traffic, follow these guidelines:
•Determine if there is exactly one uplink sharing a VLAN with the VMware virtual NIC. If there is more than one uplink, they must be in a port channel.
•Ping an SVI on the upstream switch by entering the show intX counters command.
VEM Troubleshooting Commands
This section includes the following topics:
•Displaying VEM information
•Displaying Miscellaneous VEM Details
Displaying VEM information
Use the following commands to display Virtual Ethernet Module (VEM) information:
•vemlog—Displays and controls VEM kernel logs
•vemcmd—Displays configuration and status information
•vem-support all—Displays support information
•vem status—Displays status information
•vem version—Displays version information
•vemcmd show arp all—Displays the ARP table on the VEM
•vemcmd show vsn config—Displays all the Cisco VSGs configured on the VEM and the Cisco VSG licensing status (firewall on or off).
•vemcmd show vsn binding—Displays all of the VM LTL ports to the Cisco VSG bindings
•vemcmd show learnt—Displays all of the VMs that have been learned by the VEM
Displaying Miscellaneous VEM Details
These commands provide additional VEM details:
•vemlog show last number-of-entries—Displays the circular buffer
This example shows how to display the last five entries in the circular buffer:
[root@esx-cos1 ~]# vemlog show last 5
Timestamp Entry CPU Mod Lv Message
Oct 13 13:15:52.615416 1095 1 1 4 Warning vssnet_port_pg_data_ ...
Oct 13 13:15:52.620028 1096 1 1 4 Warning vssnet_port_pg_data_ ...
Oct 13 13:15:52.630377 1097 1 1 4 Warning svs_switch_state ...
Oct 13 13:15:52.633201 1098 1 1 8 Info vssnet new switch ...
Oct 13 13:16:24.990236 1099 1 0 0 Suspending log
•vemlog show info—Displays information about entries in the log
This example shows how to display log entries:
[root@esx-cos1 ~]# vemlog show info
Stop After Entry: Not Specified
•vemcmd help—Displays the type of information you can display
This example shows how to display the vemcmd help:
[root@esx-cos1 ~]# vemcmd help
show card Show the card's global info
show vlan [vlan] Show the VLAN/BD table
show bd [bd] Show the VLAN/BD table
show l2 <bd-number> Show the L2 table for a given BD/VLAN
show l2 all Show the L2 table
show port [priv|vsm] Show the port table
show pc Show the port channel table
show portmac Show the port table MAC entries
show trunk [priv|vsm] Show the trunk ports in the port table
show stats Show port stats
VEM Log Commands
Use the following commands to control the vemlog:
•vemlog stop—Stops the log
•vemlog clear—Clears the log
•vemlog start number-of-entries—Starts the log and stops it after the specified number of entries
•vemlog stop number-of-entries—Stops the log after the next specified number of entries
•vemlog resume—Starts the log but does not clear the stop value
You can display the list of debug filters by entering the vemlog show debug | grep vpath command.
This example shows how to display the list of debug filters:
~ # vemlog show debug | grep vpath
vpath ENWID P ( 95) ENW ( 7)
vpathapi ENWID P ( 95) ENW ( 7)
vpathfm ENWID P ( 95) ENW ( 7)
vpathfsm ENWID P ( 95) ENW ( 7)
vpathutils ENWID P ( 95) ENW ( 7)
vpathtun ENWID P ( 95) ENW ( 7)
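The following shell functions are an added example, not part of the Cisco documentation. They relate the numbers in the debug filter listing above to the Lv column of the vemlog show last output, on the assumption (inferred only from the values on this page: Lv 4 for Warning, Lv 8 for Info, and the sums 95 and 7) that the level letters are bit flags. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Cisco code. Assumption inferred from this page's output:
# level letters are bit flags E=1 N=2 W=4 I=8 D=16 P=64 (32 unnamed), which
# fits "ENWID P ( 95)", "ENW ( 7)" and the Lv column (4 Warning, 8 Info).

# mask_letters N: print the letters for the bits set in N ("?" for bit 32).
mask_letters() {
    awk -v m="$1" 'BEGIN {
        n = split("E N W I D ? P", L, " "); out = ""
        for (i = 1; i <= n; i++) { if (m % 2) out = out L[i]; m = int(m / 2) }
        print out
    }'
}

# debug_masks: read "vemlog show debug" lines on stdin and print
# "<filter> <first-mask> <second-mask>" using the numbers in parentheses.
debug_masks() {
    awk '{ gsub(/[()]/, " "); out = $1
           for (i = 2; i <= NF; i++) if ($i ~ /^[0-9]+$/) out = out " " $i
           print out }'
}

# vemlog_match MASK: read "vemlog show last" output on stdin and print the
# entries whose Lv value (7th field) is one of the bits set in MASK.
vemlog_match() {
    awk -v mask="$1" '
        $7 !~ /^[0-9]+$/ || $7 == 0 { next }   # header row, Lv 0 lines
        int(mask / $7) % 2 == 1 { print }      # is bit $7 set in mask?
    '
}

# Sample input copied from the vemlog show last output on this page.
sample_log() { cat <<'EOF'
Timestamp Entry CPU Mod Lv Message
Oct 13 13:15:52.615416 1095 1 1 4 Warning vssnet_port_pg_data_ ...
Oct 13 13:15:52.620028 1096 1 1 4 Warning vssnet_port_pg_data_ ...
Oct 13 13:15:52.630377 1097 1 1 4 Warning svs_switch_state ...
Oct 13 13:15:52.633201 1098 1 1 8 Info vssnet new switch ...
Oct 13 13:16:24.990236 1099 1 0 0 Suspending log
EOF
}

mask_letters 95                                      # ENWIDP
echo 'vpath ENWID P ( 95) ENW ( 7)' | debug_masks    # vpath 95 7
sample_log | vemlog_match 7                          # the three Warning entries
```

With mask 7 (ENW) the Info entry 1098 and the Lv 0 "Suspending log" line are left out; with mask 95 the Info entry is included as well.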