Cisco ASA Series Command Reference, S Commands

Cisco Systems, Inc.
www.cisco.com

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.

Text Part Number: N/A, Online only

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Cisco ASA Series Command Reference, S Commands
© 2015 Cisco Systems, Inc. All rights reserved.

Chapter 1: same-security-traffic through shape Commands


same-security-traffic

To permit communication between interfaces with equal security levels, or to allow traffic to enter and exit the same interface, use the same-security-traffic command in global configuration mode. To disable the same-security traffic, use the no form of this command.

    same-security-traffic permit {inter-interface | intra-interface}
    no same-security-traffic permit {inter-interface | intra-interface}

Syntax Description
    inter-interface    Permits communication between different interfaces that have the same security level.
    intra-interface    Permits communication in and out of the same interface.

Defaults
    This command is disabled by default.

Command Modes
    The following table shows the modes in which you can enter the command:

    Command Mode            Firewall Mode          Security Context
                            Routed  Transparent    Single  Multiple: Context  System
    Global configuration    Yes     Yes            Yes     Yes                —

Command History
    Release    Modification
    7.0(1)     This command was added.
    7.2(1)     The intra-interface keyword now allows all traffic to enter and exit the same interface, and not just IPsec traffic.

Usage Guidelines
    Allowing communication between same-security interfaces (enabled by the same-security-traffic inter-interface command) provides the following benefits:
    • You can configure more than 101 communicating interfaces. If you use different levels for each interface, you can configure only one interface per level (0 to 100).
    • You can allow traffic to flow freely between all same-security interfaces without access lists.

    The same-security-traffic intra-interface command lets traffic enter and exit the same interface, which is normally not allowed. This feature might be useful for VPN traffic that enters an interface but is then routed out the same interface. The VPN traffic might be unencrypted in this case, or it might be reencrypted for another VPN connection. For example, in a hub-and-spoke VPN network where the ASA is the hub and the remote VPN networks are spokes, traffic from one spoke to another must go into the ASA and then out again to the other spoke.

    Note: All traffic allowed by the same-security-traffic intra-interface command is still subject to firewall rules. Be careful not to create an asymmetric routing situation that can cause return traffic not to traverse the ASA.

Examples
    The following example shows how to enable same-security interface communication:

        ciscoasa(config)# same-security-traffic permit inter-interface

    The following example shows how to enable traffic to enter and exit the same interface:

        ciscoasa(config)# same-security-traffic permit intra-interface

Related Commands
    Command                                      Description
    show running-config same-security-traffic    Displays the same-security-traffic configuration.
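The decision the command controls can be stated as a small policy model. The following Python is an added example, not Cisco code, and encodes only the rules given above: equal-level interfaces and hairpin (same-interface) flows are denied by default, and the two permit keywords lift those two restrictions independently; flows between different levels are reported as outside this command's scope rather than decided. The interface names and security levels are constructed sample values.

```python
from dataclasses import dataclass, field

# Outcome strings returned by Asa.decide(); they are this example's own labels.
DENY_INTRA = "DENY: traffic may not exit the interface it entered"
PERMIT_INTRA = "PERMIT: intra-interface (still subject to firewall rules)"
DENY_INTER = "DENY: equal security levels, inter-interface not permitted"
PERMIT_INTER = "PERMIT: inter-interface (no access list required)"
LEVEL_BASED = "NOT GOVERNED HERE: different levels, level-based rules and ACLs apply"


@dataclass
class SameSecurityPolicy:
    """State set by 'same-security-traffic'; both permits are off by default."""
    permit_inter_interface: bool = False
    permit_intra_interface: bool = False


@dataclass
class Asa:
    # interface name -> security level (0..100); constructed sample values
    levels: dict = field(default_factory=dict)
    policy: SameSecurityPolicy = field(default_factory=SameSecurityPolicy)

    def configure(self, line: str) -> None:
        """Apply one 'same-security-traffic permit ...' line or its 'no' form."""
        words = line.split()
        negate = bool(words) and words[0] == "no"
        if negate:
            words = words[1:]
        keyword_to_attr = {
            "inter-interface": "permit_inter_interface",
            "intra-interface": "permit_intra_interface",
        }
        if (len(words) != 3 or words[:2] != ["same-security-traffic", "permit"]
                or words[2] not in keyword_to_attr):
            raise ValueError(f"unsupported command: {line!r}")
        setattr(self.policy, keyword_to_attr[words[2]], not negate)

    def decide(self, ingress: str, egress: str) -> str:
        """Classify a flow that enters on 'ingress' and would leave on 'egress'."""
        if ingress == egress:
            # Hairpin case, e.g. spoke-to-spoke VPN traffic turned around at the hub.
            return PERMIT_INTRA if self.policy.permit_intra_interface else DENY_INTRA
        if self.levels[ingress] == self.levels[egress]:
            return PERMIT_INTER if self.policy.permit_inter_interface else DENY_INTER
        return LEVEL_BASED


def hub_and_spoke_demo() -> dict:
    """Before/after view of the hub-and-spoke case from the reference (constructed levels)."""
    asa = Asa(levels={"outside": 0, "dmz1": 50, "dmz2": 50, "inside": 100})
    flows = {
        "spoke-to-spoke via outside": ("outside", "outside"),
        "dmz1 to dmz2": ("dmz1", "dmz2"),
        "inside to outside": ("inside", "outside"),
    }
    before = {name: asa.decide(*pair) for name, pair in flows.items()}
    asa.configure("same-security-traffic permit intra-interface")
    asa.configure("same-security-traffic permit inter-interface")
    after = {name: asa.decide(*pair) for name, pair in flows.items()}
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, results in hub_and_spoke_demo().items():
        print(phase)
        for name, outcome in results.items():
            print(f"  {name}: {outcome}")
```

Running the demo shows the spoke-to-spoke flow moving from DENY to PERMIT only once intra-interface is permitted, while the inside-to-outside flow is never affected by this command; that separation is the point to keep in mind when reviewing a configuration that has both keywords enabled.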
sasl-mechanism

To specify a SASL (Simple Authentication and Security Layer) mechanism for authenticating an LDAP client to an LDAP server, use the sasl-mechanism command in aaa-server host configuration mode. The SASL authentication mechanism options are digest-md5 and kerberos. To disable an authentication mechanism, use the no form of this command.

    sasl-mechanism {digest-md5 | kerberos server-group-name}
    no sasl-mechanism {digest-md5 | kerberos server-group-name}

    Note: Because the ASA serves as a client proxy to the LDAP server for VPN users, the LDAP client referred to here is the ASA.

Syntax Description
    digest-md5           The ASA responds with an MD5 value computed from the username and password.
    kerberos             The ASA responds by sending the username and realm using the GSSAPI (Generic Security Services Application Programming Interface) Kerberos mechanism.
    server-group-name    Specifies the Kerberos aaa-server group, up to 64 characters.

Defaults
    No default behavior or values. The ASA passes the authentication parameters to the LDAP server in plain text.

    Note: We recommend that you secure LDAP communications with SSL using the ldap-over-ssl command if you have not configured SASL.

Command Modes
    The following table shows the modes in which you can enter the command:

    Command Mode                     Firewall Mode          Security Context
                                     Routed  Transparent    Single  Multiple: Context  System
    aaa-server host configuration    Yes     Yes            Yes     Yes                —

Command History
    Release    Modification
    7.1(1)     This command was added.

Usage Guidelines
    Use this command to specify ASA authentication to an LDAP server using SASL mechanisms. Both the ASA and the LDAP server can support multiple SASL authentication mechanisms. When negotiating SASL authentication, the ASA retrieves the list of SASL mechanisms configured on the server and sets the authentication mechanism to the strongest mechanism configured on both the ASA and the server.
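The negotiation and the independent enable/disable of each mechanism can be modelled directly. The following Python is an added example, not Cisco code: it keeps per-host state for sasl-mechanism and ldap-over-ssl, picks the strongest mechanism both sides support (Kerberos above Digest-MD5, as this reference states), and reports how the bind credentials would travel if no mechanism is common, which is the case the ldap-over-ssl recommendation above addresses. The server-advertised names, the GSSAPI-to-kerberos mapping (the ASA's kerberos option uses the GSSAPI Kerberos mechanism) and the host name and address are constructed for the example.

```python
from typing import Optional

# Relative strength as the reference states it: Kerberos is stronger than Digest-MD5.
STRENGTH = {"kerberos": 2, "digest-md5": 1}

# Names an LDAP server might advertise, mapped to the ASA keywords (example's own table).
ADVERTISED_TO_KEYWORD = {"GSSAPI": "kerberos", "DIGEST-MD5": "digest-md5"}


class LdapHost:
    """Per-host LDAP settings the ASA keeps in aaa-server host configuration mode."""

    def __init__(self, name: str, address: str):
        self.name = name
        self.address = address
        self.sasl = {}            # keyword -> Kerberos server group (None for digest-md5)
        self.ldap_over_ssl = False

    def configure(self, line: str) -> None:
        """Apply 'sasl-mechanism ...', 'ldap-over-ssl', or their 'no' forms."""
        words = line.split()
        negate = words[0] == "no"
        if negate:
            words = words[1:]
        if words[0] == "sasl-mechanism" and len(words) >= 2 and words[1] in STRENGTH:
            mech = words[1]
            expected = 3 if mech == "kerberos" else 2   # kerberos needs a server-group-name
            if len(words) != expected:
                raise ValueError(f"bad argument count: {line!r}")
            if negate:
                self.sasl.pop(mech, None)   # each mechanism is disabled independently
            else:
                self.sasl[mech] = words[2] if mech == "kerberos" else None
        elif words == ["ldap-over-ssl"]:
            self.ldap_over_ssl = not negate
        else:
            raise ValueError(f"unsupported command: {line!r}")

    def negotiate(self, advertised: list) -> Optional[str]:
        """Strongest mechanism configured on both sides; None means no SASL (simple bind)."""
        server = {ADVERTISED_TO_KEYWORD.get(m, m.lower()) for m in advertised}
        common = [m for m in self.sasl if m in server]
        if not common:
            return None
        return max(common, key=STRENGTH.__getitem__)

    def credential_exposure(self, advertised: list) -> str:
        """How the bind credentials travel on the wire under the current settings."""
        mech = self.negotiate(advertised)
        if mech is not None:
            return f"sasl:{mech}"
        return "plaintext inside TLS (ldap-over-ssl)" if self.ldap_over_ssl else "PLAINTEXT"


def walkthrough() -> list:
    """Constructed host: enable both mechanisms, then disable them one at a time."""
    host = LdapHost("ldapsvr1", "10.10.0.1")
    advertised = ["GSSAPI", "DIGEST-MD5"]
    steps = []
    host.configure("sasl-mechanism digest-md5")
    host.configure("sasl-mechanism kerberos kerbsvr1")
    steps.append(host.credential_exposure(advertised))
    host.configure("no sasl-mechanism digest-md5")      # kerberos still in effect
    steps.append(host.credential_exposure(advertised))
    host.configure("no sasl-mechanism kerberos kerbsvr1")
    steps.append(host.credential_exposure(advertised))   # nothing left: plaintext
    host.configure("ldap-over-ssl")
    steps.append(host.credential_exposure(advertised))
    return steps


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```

The third step of the walkthrough is the condition the Note above warns about: once both no commands have been entered, the ASA falls back to sending the bind parameters in plain text until ldap-over-ssl is configured.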
    The Kerberos mechanism is stronger than the Digest-MD5 mechanism. To illustrate, if both the LDAP server and the ASA support both mechanisms, the ASA selects Kerberos, the stronger of the mechanisms.

    When disabling the SASL mechanisms, you must enter a separate no command for each mechanism you want to disable because they are configured independently. Mechanisms that you do not specifically disable remain in effect. For example, you must enter both of the following commands to disable both SASL mechanisms:

        no sasl-mechanism digest-md5
        no sasl-mechanism kerberos server-group-name

Examples
    The following examples, entered in aaa-server host configuration mode, enable the SASL mechanisms for authentication to an LDAP server named ldapsvr1 with an IP address of 10.10.0.1.

    This example enables the SASL digest-md5 authentication mechanism:

        ciscoasa(config)# aaa-server ldapsvr1 protocol ldap
        ciscoasa(config-aaa-server-group)# aaa-server ldapsvr1 host 10.10.0.1
        ciscoasa(config-aaa-server-host)# sasl-mechanism digest-md5

    The following example enables the SASL Kerberos authentication mechanism and specifies kerbsvr1 as the Kerberos AAA server:

        ciscoasa(config)# aaa-server ldapsvr1 protocol ldap
        ciscoasa(config-aaa-server-group)# aaa-server ldapsvr1 host 10.10.0.1
        ciscoasa(config-aaa-server-host)# sasl-mechanism kerberos kerbsvr1

Related Commands
    Command                                          Description
    ldap-over-ssl                                    Specifies that SSL secures the LDAP client-server connection.
    server-type                                      Specifies the LDAP server vendor as either Microsoft or Sun.
    ldap attribute-map (global configuration mode)   Creates and names an LDAP attribute map for mapping user-defined attribute names to Cisco LDAP attribute names.


saml idp

To add a new SAML IdP, use the saml idp command in webvpn configuration mode. To remove a SAML IdP, use the no form of this command.
    saml idp idp-entityID
    no saml idp idp-entityID

Syntax Description
    idp-entityID    The entity ID of the SAML IdP you are configuring the ASA to use.

Defaults
    None.

Command Modes
    The following table shows the modes in which you can enter the command:

    Command Mode    Firewall Mode          Security Context
                    Routed  Transparent    Single  Multiple: Context  System
    webvpn          Yes     Yes            Yes     Yes                —

Command History
    Release    Modification
    9.5(2)     This command was added.

Usage Guidelines
    This command configures the settings of one or more third-party SAML identity providers. The IdP settings are not used until they are applied in a tunnel group. The SAML IdP's sign-in URL, sign-out URL, and signing certificate can be found on the vendor's website. You must create a trustpoint to hold the IdP's signing certificate; the trustpoint name is then used by trustpoint idp.

    Creating an IdP in webvpn mode puts you into saml-idp sub-mode, where you configure the following settings for this IdP:
    • url sign-in—URL to sign in to the IdP.
    • url sign-out—URL to redirect to when signing out of the IdP.
    • signature—Enable or disable the signature in the SAML request. By default, the signature is disabled.
    • time-out—SAML timeout value in seconds.
    • base-url—URL provided to third-party IdPs to redirect end users back to the ASA.
    • trustpoint—Assigns an existing trustpoint, based on the ASA (SP) or IdP certificate, that the IdP can use to verify the ASA's signature or encrypt the SAML assertion.
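Because the signature is off by default and the IdP URLs come from the vendor, a configuration review should read each IdP block back and check those points. The following Python is an added example, not Cisco code: it parses a CLI transcript of the kind shown in the Examples below by tracking the mode in the prompt, collects the per-IdP settings, and reports an IdP whose SAML requests are unsigned, whose sign-in URL is not https, or that has no trustpoint for the IdP certificate. The embedded transcript is the Examples transcript from this reference (with the first line as the webvpn command that reaches config-webvpn mode); the https check is this example's own hardening choice, not a requirement stated by the reference.

```python
import re
from urllib.parse import urlparse

# Prompt format of the reference's transcripts: hostname(mode)# command
PROMPT_RE = re.compile(r"^\S+?\((?P<mode>[^)]*)\)#\s*(?P<cmd>.*)$")

# Constructed from the reference's example transcript.
SAMPLE_TRANSCRIPT = """\
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# saml idp salesforce_idp
ciscoasa(config-webvpn-saml-idp)# url sign-in https://asa-dev-ed.my.salesforce.com/idp/endpoint/HttpRedirect
ciscoasa(config-webvpn-saml-idp)# url sign-out https://asa-dev-ed.my.salesforce.com/idp/endpoint/HttpRedirect
ciscoasa(config-webvpn-saml-idp)# trustpoint idp salesforce_trustpoint
ciscoasa(config-webvpn-saml-idp)# trustpoint sp asa_trustpoint
ciscoasa(config-webvpn)# saml idp feide_idp
ciscoasa(config-webvpn-saml-idp)# url sign-in http://cisco.feide.no/simplesaml/saml2/idp/SSOService.php
ciscoasa(config-webvpn-saml-idp)# trustpoint idp feide_trustpoint
ciscoasa(config-webvpn-saml-idp)# trustpoint sp asa_trustpoint
ciscoasa(config-webvpn-saml-idp)# signature
ciscoasa(config-webvpn-saml-idp)# timeout assertion 120
ciscoasa(config-webvpn-saml-idp)# base-url https://ssl-vpn.cisco.com
"""


def parse_saml_idps(transcript: str) -> dict:
    """Return {entity_id: settings} from a CLI transcript, using the prompt to track the mode."""
    idps, current = {}, None
    for raw in transcript.splitlines():
        m = PROMPT_RE.match(raw.strip())
        if not m:
            continue
        mode, words = m.group("mode"), m.group("cmd").split()
        if not words:
            continue
        if mode == "config-webvpn" and words[:2] == ["saml", "idp"] and len(words) == 3:
            current = idps.setdefault(words[2], {"signature": False})  # disabled by default
        elif mode == "config-webvpn-saml-idp" and current is not None:
            if words[0] == "url" and len(words) == 3:
                current[f"url_{words[1]}"] = words[2]          # url sign-in / url sign-out
            elif words[0] == "trustpoint" and len(words) == 3:
                current[f"trustpoint_{words[1]}"] = words[2]   # trustpoint idp / trustpoint sp
            elif words == ["signature"]:
                current["signature"] = True
            elif words[:2] == ["timeout", "assertion"] and len(words) == 3:
                current["timeout_assertion"] = int(words[2])
            elif words[0] == "base-url" and len(words) == 2:
                current["base_url"] = words[1]
    return idps


def review_saml_idps(idps: dict) -> dict:
    """Findings per IdP; the checks are this example's reading of the reference."""
    findings = {}
    for name, s in idps.items():
        issues = []
        if "url_sign-in" not in s:
            issues.append("missing sign-in URL")
        elif urlparse(s["url_sign-in"]).scheme != "https":
            issues.append("sign-in URL is not https: users are redirected to the IdP in cleartext")
        if "trustpoint_idp" not in s:
            issues.append("no trustpoint holds the IdP signing certificate")
        if not s["signature"]:
            issues.append("signature not enabled: SAML requests to this IdP are unsigned")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for idp, issues in review_saml_idps(parse_saml_idps(SAMPLE_TRANSCRIPT)).items():
        print(idp, "->", issues or "ok")
```

Run against the reference's own transcript, the review flags salesforce_idp for the missing signature command and feide_idp for its http sign-in URL, which is a useful illustration of why both settings deserve an explicit check rather than reliance on the defaults.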
Examples
    The following example shows how to define an IdP and configure the IdP settings:

        ciscoasa(config)# webvpn
        ciscoasa(config-webvpn)# saml idp salesforce_idp
        ciscoasa(config-webvpn-saml-idp)# url sign-in https://asa-dev-ed.my.salesforce.com/idp/endpoint/HttpRedirect
        ciscoasa(config-webvpn-saml-idp)# url sign-out https://asa-dev-ed.my.salesforce.com/idp/endpoint/HttpRedirect
        ciscoasa(config-webvpn-saml-idp)# trustpoint idp salesforce_trustpoint
        ciscoasa(config-webvpn-saml-idp)# trustpoint sp asa_trustpoint
        ciscoasa(config-webvpn)# saml idp feide_idp
        ciscoasa(config-webvpn-saml-idp)# url sign-in http://cisco.feide.no/simplesaml/saml2/idp/SSOService.php
        ciscoasa(config-webvpn-saml-idp)# trustpoint idp feide_trustpoint
        ciscoasa(config-webvpn-saml-idp)# trustpoint sp asa_trustpoint
        ciscoasa(config-webvpn-saml-idp)# signature
        ciscoasa(config-webvpn-saml-idp)# timeout assertion 120
        ciscoasa(config-webvpn-saml-idp)# base-url https://ssl-vpn.cisco.com

Related Commands
    Command              Description
    authentication       Sets the authentication type for a tunnel group, such as saml.
    identity-provider    Names this configuration of a third-party SAML identity provider in the ASA.


saml identity-provider

Use this command in config-tunnel-webvpn mode to assign a SAML IdP to a tunnel group (connection profile).

    saml identity-provider name
    no saml identity-provider name

Syntax Description
    name    The name of the SAML IdP you are configuring the ASA to use.

Defaults
    None.

Command Modes
    The following table shows the modes in which you can enter the command:

    Command Mode    Firewall Mode          Security Context
                    Routed  Transparent    Single  Multiple: Context  System
    webvpn          Yes     Yes            Yes     Yes                —

Command History
    Release    Modification
    9.5(2)     This command was added.

Usage Guidelines
    This names this configuration of a third-party SAML identity provider in the ASA.
Related Commands
    Command           Description
    authentication    Sets the authentication type for a tunnel group, such as saml.
    idp               Sets the IdP for a third-party SAML identity provider.


sast

To specify the number of SAST certificates to create in the CTL record, use the sast command in ctl-file configuration mode. To set the number of SAST certificates in the CTL file back to the default value of 2, use the no form of this command.

    sast number_sasts
    no sast number_sasts

Syntax Description
    number_sasts    Specifies the number of SAST keys to create. The default is 2. The maximum allowed is 5.

Defaults
    No default behavior or values.

Command Modes
    The following table shows the modes in which you can enter the command:

    Command Mode              Firewall Mode          Security Context
                              Routed  Transparent    Single  Multiple: Context  System
    Ctl-file configuration    Yes     —              Yes     —                  —

Command History
    Release    Modification
    8.0(4)     The command was added.

Usage Guidelines
    CTL files are signed by a System Administrator Security Token (SAST). Because the Phone Proxy generates the CTL file, it needs to create the SAST key to sign the CTL file itself. This key can be generated on the ASA. A SAST is created as a self-signed certificate. Typically, a CTL file contains more than one SAST. In case a SAST is not recoverable, the other one can be used to sign the file later.

Examples
    The following example shows the use of the sast command to create 5 SAST certificates in the CTL file:

        ciscoasa(config-ctl-file)# sast 5

Related Commands
    Command                  Description
    ctl-file (global)        Specifies the CTL file to create for Phone Proxy configuration or the CTL file to parse from Flash memory.
    ctl-file (phone-proxy)   Specifies the CTL file to use for Phone Proxy configuration.
    phone-proxy              Configures the Phone Proxy instance.
scansafe

To enable Cloud Web Security inspection for a context, use the scansafe command in context configuration mode. To disable Cloud Web Security, use the no form of this command.

    scansafe [license key]
    no scansafe [license key]

Syntax Description
    license key    Enters an authentication key for this context. If you do not specify a key, the context uses the license configured in the system configuration. The ASA sends the authentication key to the Cloud Web Security proxy servers to indicate from which organization the request comes. The authentication key is a 16-byte hexadecimal number.

Command Default
    By default, the context uses the license entered in the system configuration.

Command Modes
    The following table shows the modes in which you can enter the command:

    Command Mode            Firewall Mode          Security Context
                            Routed  Transparent    Single  Multiple: Context  System
    Global configuration    Yes     Yes            Yes     Yes                —

Command History
    Release    Modification
    9.0(1)     This command was added.

Usage Guidelines
    In multiple context mode, you must allow Cloud Web Security per context.

Examples
    The following sample configuration enables Cloud Web Security in context one with the default license and in context two with the license key override:

        ! System Context
        !
        scansafe general-options
         server primary ip 180.24.0.62 port 8080
         retry-count 5
         license 366C1D3F5CE67D33D3E9ACEC265261E5
        !
        context one
         allocate-interface GigabitEthernet0/0.1
         allocate-interface GigabitEthernet0/1.1
         allocate-interface GigabitEthernet0/3.1
         scansafe
         config-url disk0:/one_ctx.cfg
        !
        context two
         allocate-interface GigabitEthernet0/0.2
         allocate-interface GigabitEthernet0/1.2
         allocate-interface GigabitEthernet0/3.2
         scansafe license 366C1D3F5CE67D33D3E9ACEC26789534
         config-url disk0:/two_ctx.cfg
        !
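The inheritance rule in the sample above (a bare scansafe inherits the system key, scansafe license overrides it, and a context with neither sends nothing) is easy to get wrong in a large multiple-context configuration, so it is worth resolving mechanically. The following Python is an added example, not Cisco code: it walks a configuration in the layout shown above, records the system license from scansafe general-options, resolves the key each context will send, and reports keys that are not 16 bytes of hex or contexts that inherit a license that was never configured. The embedded configuration is the reference's sample plus a constructed third context with no scansafe line; the indentation is constructed.

```python
import re

HEX_KEY_RE = re.compile(r"^[0-9A-Fa-f]{32}$")   # 16 bytes written as hex, per the reference

# The reference's multiple-context sample, plus a constructed 'context three' without scansafe.
SAMPLE_CONFIG = """\
! System Context
!
scansafe general-options
 server primary ip 180.24.0.62 port 8080
 retry-count 5
 license 366C1D3F5CE67D33D3E9ACEC265261E5
!
context one
 allocate-interface GigabitEthernet0/0.1
 allocate-interface GigabitEthernet0/1.1
 allocate-interface GigabitEthernet0/3.1
 scansafe
 config-url disk0:/one_ctx.cfg
!
context two
 allocate-interface GigabitEthernet0/0.2
 allocate-interface GigabitEthernet0/1.2
 allocate-interface GigabitEthernet0/3.2
 scansafe license 366C1D3F5CE67D33D3E9ACEC26789534
 config-url disk0:/two_ctx.cfg
!
context three
 config-url disk0:/three_ctx.cfg
!
"""


def resolve_scansafe_licenses(config: str) -> dict:
    """Map each context to the key it will send (None when Cloud Web Security is off).

    Returns {"system": key_or_None, "contexts": {name: key_or_None}, "errors": [...]}.
    """
    system_key, contexts, errors = None, {}, []
    section = None   # "general-options" or ("context", name)
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        if words == ["scansafe", "general-options"]:
            section = "general-options"
        elif words[0] == "context" and len(words) == 2:
            section = ("context", words[1])
            contexts[words[1]] = None   # off until a 'scansafe' line appears in the context
        elif section == "general-options" and words[0] == "license" and len(words) == 2:
            system_key = words[1]
        elif isinstance(section, tuple) and words[0] == "scansafe":
            name = section[1]
            if words == ["scansafe"]:
                contexts[name] = "inherit"
            elif words[1:2] == ["license"] and len(words) == 3:
                contexts[name] = words[2]
            else:
                errors.append(f"{name}: unrecognised '{line}'")
    resolved = {}
    for name, setting in contexts.items():
        key = system_key if setting == "inherit" else setting
        if setting == "inherit" and system_key is None:
            errors.append(f"{name}: inherits the system license but none is configured")
        if key is not None and not HEX_KEY_RE.match(key):
            errors.append(f"{name}: key is not 16 bytes of hex")
        resolved[name] = key
    return {"system": system_key, "contexts": resolved, "errors": errors}


if __name__ == "__main__":
    result = resolve_scansafe_licenses(SAMPLE_CONFIG)
    for name, key in result["contexts"].items():
        print(f"context {name}: {key or 'Cloud Web Security disabled'}")
    for err in result["errors"]:
        print("error:", err)
```

On the sample, context one resolves to the system key, context two to its override, and context three to no key at all; an operator comparing the output with the expected organization key per context can spot a context that silently inherits the wrong license.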
Related Commands
    Command                            Description
    class-map type inspect             Creates an inspection class map for whitelisted users and groups.
    scansafe default user group        Specifies the default username and/or group if the ASA cannot determine the identity of the user coming into the ASA.
    http[s] (parameters)               Specifies the service type for the inspection policy map, either HTTP or HTTPS.
    inspect scansafe                   Enables Cloud Web Security inspection on the traffic in a class.
    license                            Configures the authentication key that the ASA sends to the Cloud Web Security proxy servers to indicate from which organization the request comes.
    match user group                   Matches a user or group for a whitelist.
    policy-map type inspect scansafe   Creates an inspection policy map so you can configure essential parameters for the rule and also optionally identify the whitelist.
    retry-count                        Enters the retry counter value, which is the amount of time that the ASA waits before polling the Cloud Web Security proxy server to check its availability.
    scansafe general-options           Configures general Cloud Web Security server options.
    server {primary | backup}          Configures the fully qualified domain name or IP address of the primary or backup Cloud Web Security proxy servers.
    show conn scansafe                 Shows all Cloud Web Security connections, as noted by the capital Z flag.
    show scansafe server               Shows the status of the server, whether it's the current active server, the backup server, or unreachable.
    show scansafe statistics           Shows total and current HTTP connections.
    user-identity monitor              Downloads the specified user or group information from the AD agent.
    whitelist                          Performs the whitelist action on the class of traffic.


scansafe general-options

To configure communication with the Cloud Web Security proxy server, use the scansafe general-options command in global configuration mode. To remove the server configuration, use the no form of this command.

    scansafe general-options
    no scansafe general-options

Syntax Description
    This command has no arguments or keywords.

Command Default
    No default behavior or values.

Command Modes
    The following table shows the modes in which you can enter the command:

    Command Mode            Firewall Mode          Security Context
                            Routed  Transparent    Single  Multiple: Context  System
    Global configuration    Yes     Yes            Yes     —                  Yes

Command History
    Release    Modification
    9.0(1)     This command was added.

Usage Guidelines
    You can configure a primary and backup proxy server for Cloud Web Security.

Examples
    The following example configures a primary server:

        scansafe general-options
         server primary ip 180.24.0.62 port 8080
         retry-count 5
         license 366C1D3F5CE67D33D3E9ACEC265261E5

Related Commands
    Command                            Description
    class-map type inspect             Creates an inspection class map for whitelisted users and groups.
    scansafe default user group        Specifies the default username and/or group if the ASA cannot determine the identity of the user coming into the ASA.
    http[s] (parameters)               Specifies the service type for the inspection policy map, either HTTP or HTTPS.
    inspect scansafe                   Enables Cloud Web Security inspection on the traffic in a class.
    license                            Configures the authentication key that the ASA sends to the Cloud Web Security proxy servers to indicate from which organization the request comes.
    match user group                   Matches a user or group for a whitelist.
    policy-map type inspect scansafe   Creates an inspection policy map so you can configure essential parameters for the rule and also optionally identify the whitelist.
    retry-count                        Enters the retry counter value, which is the amount of time that the ASA waits before polling the Cloud Web Security proxy server to check its availability.
    scansafe                           In multiple context mode, allows Cloud Web Security per context.
    server {primary | backup}          Configures the fully qualified domain name or IP address of the primary or backup Cloud Web Security proxy servers.
    show conn scansafe                 Shows all Cloud Web Security connections, as noted by the capital Z flag.
    show scansafe server               Shows the status of the server, whether it's the current active server, the backup server, or unreachable.
    show scansafe statistics           Shows total and current HTTP connections.
    user-identity monitor              Downloads the specified user or group information from the AD agent.
    whitelist                          Performs the whitelist action on the class of traffic.


scep-enrollment enable

To enable or disable the Simple Certificate Enrollment Protocol for a tunnel group, use the scep-enrollment enable command in tunnel-group general-attributes mode. To remove the command from the configuration, use the no form of this command.

    scep-enrollment enable
    no scep-enrollment enable

Syntax Description
    This command has no arguments or keywords.

Defaults
    By default, this command is not present in the tunnel group configuration.

Command Modes
    The following table shows the modes in which you can enter the command:

    Command Mode                                  Firewall Mode          Security Context
                                                  Routed  Transparent    Single  Multiple: Context  System
    Tunnel-group general-attributes configuration Yes     —              Yes     —                  —

Command History
    Release    Modification
    8.4(1)     This command was added.

Usage Guidelines
    Only the Cisco AnyConnect Secure Mobility Client, Release 3.0 and later, supports this feature.

    The ASA can proxy SCEP requests between AnyConnect and a third-party certificate authority. The certificate authority only needs to be accessible to the ASA if it is acting as the proxy. For the ASA to provide this service, the user must authenticate using any of the methods supported by AAA before the ASA sends an enrollment request. You can also use Host Scan and dynamic access policies to enforce rules of eligibility to enroll.
    The ASA supports this feature only with an AnyConnect SSL or IKEv2 VPN session. It supports all SCEP-compliant certificate authorities, including IOS CS, Windows Server 2003 CA, and Windows Server 2008 CA.

    Clientless (browser-based) access does not support SCEP Proxy, although WebLaunch (clientless-initiated AnyConnect) does support it.

    The ASA does not support polling for certificates.

    The ASA supports load balancing for this feature.

Example
    The following example, entered in global configuration mode, creates a remote access tunnel group named remotegrp and enables SCEP for the group policy:

        ciscoasa(config)# tunnel-group remotegrp type remote-access
        ciscoasa(config)# tunnel-group remotegrp general-attributes
        ciscoasa(config-tunnel-general)# scep-enrollment enable
        INFO: 'authentication aaa certificate' must be configured to complete setup of this option.

Related Commands
    Command                                  Description
    crypto ikev2 enable                      Enables IKEv2 negotiation on the interface on which IPsec peers communicate.
    scep-forwarding-url                      Enrolls the SCEP certificate authority for the group policy.
    secondary-pre-fill-username clientless   Supplies a common, secondary password when a certificate is unavailable for WebLaunch support of the SCEP proxy.
    secondary-authentication-server-group    Supplies the username when a certificate is unavailable.


scep-forwarding-url

To enroll an SCEP certificate authority for a group policy, use the scep-forwarding-url command in group-policy configuration mode. To remove the command from the configuration, use the no form of this command.

    scep-forwarding-url {none | value [URL]}
    no scep-forwarding-url

Syntax Description
    none     Specifies no certificate authority for the group policy.
    URL      Specifies the SCEP URL of the certificate authority.
    value    Enables this feature for clientless connections.

Defaults
    By default, this command is not present.

Command Modes
    The following table shows the modes in which you can enter the command:

    Command Mode                  Firewall Mode          Security Context
                                  Routed  Transparent    Single  Multiple: Context  System
    Group-policy configuration    Yes     —              Yes     —                  —

Command History
    Release    Modification
    8.4(1)     This command was added.

Usage Guidelines
    Enter this command once per group policy to support a third-party digital certificate.

Example
    The following example, entered in global configuration mode, creates a group policy named FirstGroup and enrolls a certificate authority for the group policy:

        ciscoasa(config)# group-policy FirstGroup internal
        ciscoasa(config)# group-policy FirstGroup attributes
        ciscoasa(config-group-policy)# scep-forwarding-url value http://ca.example.com:80/
        Attempting to retrieve the CA/RA certificate(s) using the URL. Please wait ...

Related Commands
    Command                                  Description
    crypto ikev2 enable                      Enables IKEv2 negotiation on the interface on which IPsec peers communicate.
    scep-enrollment enable                   Enables Simple Certificate Enrollment Protocol for a tunnel group.
    secondary-pre-fill-username clientless   Supplies a common, secondary password when a certificate is unavailable for WebLaunch support of the SCEP proxy.
    secondary-authentication-server-group    Supplies the username when a certificate is unavailable.


secondary

To give the secondary unit higher priority in a failover group, use the secondary command in failover group configuration mode. To restore the default, use the no form of this command.

    secondary
    no secondary

Syntax Description
    This command has no arguments or keywords.

Defaults
    If primary or secondary is not specified for a failover group, the failover group defaults to primary.

Command Modes
    The following table shows the modes in which you can enter the command:

    Command Mode                    Firewall Mode          Security Context
                                    Routed  Transparent    Single  Multiple: Context  System
    Failover group configuration    Yes     Yes            —       —                  Yes

Command History
    Release    Modification
    7.0(1)     This command was added.

Usage Guidelines
    Assigning a primary or secondary priority to a failover group specifies which unit the failover group becomes active on when both units boot simultaneously (within a unit polltime). If one unit boots before the other, then both failover groups become active on that unit. When the other unit comes online, any failover groups that have the second unit as a priority do not become active on the second unit unless the failover group is configured with the preempt command or is manually forced to the other unit with the no failover active command.

Examples
    The following example configures failover group 1 with the primary unit as the higher priority and failover group 2 with the secondary unit as the higher priority. Both failover groups are configured with the preempt command, so the groups will automatically become active on their preferred unit as the units become available.

        ciscoasa(config)# failover group 1
        ciscoasa(config-fover-group)# primary
        ciscoasa(config-fover-group)# preempt 100
        ciscoasa(config-fover-group)# exit
        ciscoasa(config)# failover group 2
        ciscoasa(config-fover-group)# secondary
        ciscoasa(config-fover-group)# preempt 100
        ciscoasa(config-fover-group)# mac-address e1 0000.a000.a011 0000.a000.a012
        ciscoasa(config-fover-group)# exit
        ciscoasa(config)#

Related Commands
    Command          Description
    failover group   Defines a failover group for Active/Active failover.
    preempt          Forces the failover group to become active on its preferred unit when the unit becomes available.
    primary          Gives the primary unit a higher priority than the secondary unit.
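The placement rule in the Usage Guidelines (simultaneous boot versus one unit booting first, and the role of preempt) is what decides where each group ends up after an outage, so it is worth checking against the intended design before a maintenance window. The following Python is an added example, not Cisco code: it reads the failover group blocks out of a transcript like the one above, then works out the active unit per group for both boot cases, and models no failover active as a manual move of one group to the other unit. The transcript is the reference's Examples transcript; the preempt delay argument is recorded as present but not timed, and the unit names are constructed.

```python
# The reference's transcript for two failover groups (constructed copy of the Examples above).
SAMPLE_TRANSCRIPT = """\
ciscoasa(config)# failover group 1
ciscoasa(config-fover-group)# primary
ciscoasa(config-fover-group)# preempt 100
ciscoasa(config-fover-group)# exit
ciscoasa(config)# failover group 2
ciscoasa(config-fover-group)# secondary
ciscoasa(config-fover-group)# preempt 100
ciscoasa(config-fover-group)# mac-address e1 0000.a000.a011 0000.a000.a012
ciscoasa(config-fover-group)# exit
ciscoasa(config)#
"""

OTHER_UNIT = {"primary": "secondary", "secondary": "primary"}


def parse_failover_groups(transcript: str) -> dict:
    """Read 'failover group N' blocks into {N: {"priority": unit, "preempt": bool}}."""
    groups, current = {}, None
    for raw in transcript.splitlines():
        cmd = raw.split("# ", 1)[1].strip() if "# " in raw else ""   # drop the prompt
        words = cmd.split()
        if not words:
            continue
        if words[:2] == ["failover", "group"] and len(words) == 3:
            # Default priority is primary when neither keyword is entered.
            current = groups.setdefault(int(words[2]), {"priority": "primary", "preempt": False})
        elif current is None:
            continue
        elif words in (["primary"], ["secondary"]):
            current["priority"] = words[0]
        elif words[0] == "preempt":
            current["preempt"] = True     # optional delay argument kept out of the model
        elif words == ["exit"]:
            current = None
    return groups


def active_units(groups: dict, boot_order: list, simultaneous: bool) -> dict:
    """Which unit each group is active on once both units are up.

    simultaneous: both units boot within one polltime, so each group goes to its
    priority unit.  Otherwise the first unit to boot owns every group, and the
    second unit only takes the groups that prefer it and have preempt configured.
    """
    if simultaneous:
        return {g: cfg["priority"] for g, cfg in groups.items()}
    first, second = boot_order
    active = {}
    for g, cfg in groups.items():
        takes_over = cfg["priority"] == second and cfg["preempt"]
        active[g] = second if takes_over else first
    return active


def force_failover(active: dict, group: int) -> dict:
    """Model 'no failover active' for one group: move it to the other unit."""
    return {**active, group: OTHER_UNIT[active[group]]}


if __name__ == "__main__":
    groups = parse_failover_groups(SAMPLE_TRANSCRIPT)
    print("simultaneous boot:", active_units(groups, ["primary", "secondary"], True))
    print("secondary boots first:", active_units(groups, ["secondary", "primary"], False))
    no_preempt = {1: {"priority": "primary", "preempt": False}}
    stuck = active_units(no_preempt, ["secondary", "primary"], False)
    print("without preempt, group 1 stays on:", stuck[1])
    print("after no failover active:", force_failover(stuck, 1))
```

The no_preempt case at the end is the situation the guidelines describe: without preempt, a group whose preferred unit booted second stays on the first unit until an administrator moves it.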
Cisco ASA Series Command Reference, S Commands 1-20 Chapter secondary-authentication-server-group To specify a secondary authentication server group to associate with the session when double authentication is enabled, use the secondary-authentication-server-group command in tunnel-group general-attributes mode. To remove the attribute from the configuration, use the no form of this command. secondary-authentication-server-group [interface_name] {none | LOCAL | groupname [LOCAL]} [use-primary-username]} no secondary-authentication-server-group Syntax Description interface_name (Optional) Specifies the interface where the IPsec tunnel terminates. LOCAL (Optional) Requires authentication against the local user database if all of the servers in the server group have been deactivated due to communication failures. If the server group name is either LOCAL or NONE, do not use the LOCAL keyword here. none (Optional) Specifies the server group name as NONE, indicating that authentication is not required. groupname [LOCAL] Identifies the previously configured authentication server or group of servers. Optionally, this can be the LOCAL group. use-primary-username Use the primary username as the username for the secondary authentication. Defaults The default value is none. Command Modes The following table shows the modes in which you can enter the command: Firewall Mode Security Context Multiple Command Mode Routed Tunnel-group general-attributes configuration Command History Usage Guidelines • Yes Transparent Single Context System — — — Release Modification 8.2(1) This command was added. • Yes This command is meaningful only when double authentication is enabled. The secondary-authentication-server-group command specifies the secondary AAA server group. The secondary server group cannot be an SDI server group. If the use-primary-username keyword is configured, then only one username is requested in the login dialog. 
Cisco ASA Series Command Reference, S Commands 1-21 Chapter If the usernames are extracted from a digital certificate, only the primary username is used for authentication. Examples The following example, entered in global configuration mode, creates a remote access tunnel group named remotegrp and specifies the use of the group sdi_server as the primary server group and the group ldap_ server as the secondary authentication server group for the connection: ciscoasa(config)# tunnel-group remotegrp type remote-access ciscoasa(config)# tunnel-group remotegrp general-attributes ciscoasa(config-tunnel-webvpn)# authentication-server-group sdi_server ciscoasa(config-tunnel-webvpn)# secondary-authentication-server-group ldap_server ciscoasa(config-tunnel-webvpn)# Related Commands Command Description pre-fill-username Enables the pre-fill username feature. show running-config tunnel-group Shows the indicated tunnel-group configuration. tunnel-group general-attributes Specifies the general attributes for the named tunnel-group. username-from-certificate Specifies the field in a certificate to use as the username for authorization. Cisco ASA Series Command Reference, S Commands 1-22 Chapter secondary-color To set a secondary color for the WebVPN login, home page, and file access page, use the secondary-color command in webvpn configuration mode. To remove a color from the configuration and reset the default, use the no form of this command. secondary-color [color] no secondary-color Syntax Description color (Optional) Specifies the color. You can use a comma separated RGB value, an HTML color value, or the name of the color if recognized in HTML. • RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others. 
        • HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue.
        • Name length maximum is 32 characters.

Defaults

The default secondary color is HTML #CCCCFF, a lavender shade.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode             Firewall Mode          Security Context
                         Routed   Transparent   Single   Multiple Context   System
Webvpn configuration     Yes      —             Yes      Yes                —

Command History

Release   Modification
7.0(1)    This command was added.

Usage Guidelines

The number of RGB values recommended for use is 216, many fewer than the mathematical possibilities. Many displays can handle only 256 colors, and 40 of those look different on Macs and PCs. For best results, check published RGB tables. To find RGB tables online, enter RGB in a search engine.

Examples

The following example shows how to set an HTML color value of #5F9EA0, which is a teal shade:

ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# secondary-color #5F9EA0

Related Commands

Command       Description
title-color   Sets a color for the WebVPN title bar on the login, home page, and file access page.

secondary-pre-fill-username

To enable the extraction of a username from a client certificate for use in double authentication for a clientless or an AnyConnect connection, use the secondary-pre-fill-username command in tunnel-group webvpn-attributes mode. To remove the attribute from the configuration, use the no form of this command.

secondary-pre-fill-username {clientless | ssl-client} [hide]
secondary-pre-fill-username {clientless | ssl-client} hide [use-primary-password | use-common-password [type_num] password]
no secondary-pre-fill-username

Syntax Description

clientless             Enables this feature for clientless connections.
hide                   Hides the username to be used for authentication from the VPN user.
password               Enter the password string.
ssl-client             Enables this feature for AnyConnect VPN client connections.
type_num               Enter one of the following options:
                       • 0 if the password to be entered is plain text.
                       • 8 if the password to be entered is encrypted. The password appears as asterisks as you type.
use-common-password    Specifies a common secondary authentication password to use without prompting the user for it.
use-primary-password   Reuses the primary authentication password for secondary authentication without prompting the user for it.

Defaults

This feature is disabled by default. Entering this command without the hide keyword reveals the extracted username to the VPN user. The user receives a password prompt if you specify neither the use-primary-password nor the use-common-password keyword. The default value of type_num is 8.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                                    Firewall Mode          Security Context
                                                Routed   Transparent   Single   Multiple Context   System
Tunnel-group webvpn-attributes configuration    Yes      —             Yes      —                  —

Command History

Release   Modification
8.2(1)    This command was added.
8.3(2)    The [use-primary-password | use-common-password [type_num] password] option was added.

Usage Guidelines

To enable this feature, you must also enter the secondary-username-from-certificate command in tunnel-group general-attributes mode. This command is meaningful only if double authentication is enabled. The secondary-pre-fill-username command enables the use of a username extracted from the certificate field specified in the secondary-username-from-certificate command as the username for secondary username/password authentication. To use this secondary pre-fill username-from-certificate feature, you must configure both commands.
Note   Clientless and SSL-client connections are not mutually exclusive options. Only one can be specified per command line, but both can be enabled at the same time.

If you hide the second username and use a primary or common password, the user experience is similar to single authentication. Using the primary or common password makes the use of device certificates to authenticate a device a seamless user experience. The use-primary-password keyword specifies the use of the primary password as the secondary password for all authentications. The use-common-password keyword specifies the use of a common secondary password for all secondary authentications. If a device certificate installed on the endpoint contains a BIOS ID or some other identifier, a secondary authentication request can use the pre-filled BIOS ID as the second username and use a common password configured for all authentications in that tunnel group.

Examples

The following example creates an IPsec remote access tunnel group named remotegrp, and specifies the reuse of a name from the digital certificate on the endpoint as the name to be used for an authentication or authorization query when the connections are browser-based.
ciscoasa(config)# tunnel-group remotegrp type ipsec_ra
ciscoasa(config)# tunnel-group remotegrp webvpn-attributes
ciscoasa(config-tunnel-webvpn)# secondary-pre-fill-username clientless

The following example performs the same function as the previous command, but hides the extracted username from the user:

ciscoasa(config-tunnel-webvpn)# secondary-pre-fill-username clientless hide

The following example performs the same function as the previous command, except that it applies only to AnyConnect connections:

ciscoasa(config-tunnel-webvpn)# secondary-pre-fill-username ssl-client hide

The following example hides the username and reuses the primary authentication password for secondary authentication without prompting the user:

ciscoasa(config-tunnel-webvpn)# secondary-pre-fill-username ssl-client hide use-primary-password

The following example hides the username and uses the password you enter for secondary authentication:

ciscoasa(config-tunnel-webvpn)# secondary-pre-fill-username ssl-client hide use-common-password **********

Related Commands

Command                            Description
pre-fill-username                  Enables the pre-fill username feature.
show running-config tunnel-group   Shows the indicated tunnel-group configuration.
tunnel-group general-attributes    Specifies the general attributes for the named tunnel-group.
username-from-certificate          Specifies the field in a certificate to use as the username for authorization.

secondary-text-color

To set the secondary text color for the WebVPN login, home page, and file access page, use the secondary-text-color command in webvpn mode. To remove the color from the configuration and reset the default, use the no form of this command.

secondary-text-color [black | white]
no secondary-text-color

Syntax Description

auto    Chooses black or white based on the settings for the text-color command.
        That is, if the primary color is black, this value is white.
black   The default secondary text color is black.
white   You can change the text color to white.

Defaults

The default secondary text color is black.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode             Firewall Mode          Security Context
                         Routed   Transparent   Single   Multiple Context   System
Webvpn configuration     Yes      —             Yes      —                  —

Command History

Release   Modification
7.0(1)    This command was added.

Examples

The following example shows how to set the secondary text color to white:

ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# secondary-text-color white

Related Commands

Command      Description
text-color   Sets a color for text in the WebVPN title bar on the login, home page, and file access page.

secondary-username-from-certificate

To specify the field in a certificate to use as the secondary username for double authentication for a clientless or AnyConnect (SSL-client) connection, use the secondary-username-from-certificate command in tunnel-group general-attributes mode. To remove the attribute from the configuration and restore default values, use the no form of this command.

secondary-username-from-certificate {primary-attr [secondary-attr] | use-entire-name | use-script}
no secondary-username-from-certificate

Syntax Description

primary-attr      Specifies the attribute to use to derive a username for an authorization query from a certificate. If pre-fill-username is enabled, the derived name can also be used in an authentication query.
secondary-attr    (Optional) Specifies an additional attribute to use with the primary attribute to derive a username for an authentication or authorization query from a digital certificate. If pre-fill-username is enabled, the derived name can also be used in an authentication query.
use-entire-name   Specifies that the ASA must use the entire subject DN (RFC1779) to derive a name for an authorization query from a digital certificate.
use-script        Specifies the use of a script file generated by ASDM to extract the DN fields from a certificate for use as a username.

Defaults

This feature is disabled by default and is meaningful only when double authentication is enabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                                     Firewall Mode          Security Context
                                                 Routed   Transparent   Single   Multiple Context   System
Tunnel-group general-attributes configuration    Yes      —             Yes      —                  —

Command History

Release   Modification
8.2(1)    This command was added.

Usage Guidelines

This command is meaningful only when double authentication is enabled. When double authentication is enabled, this command selects one or more fields in a certificate to use as the username. The secondary-username-from-certificate command forces the security appliance to use the specified certificate field as the second username for the second username/password authentication.

To use this derived username in the pre-fill username from certificate feature for the secondary username/password authentication or authorization, you must also configure the pre-fill-username and secondary-pre-fill-username commands in tunnel-group webvpn-attributes mode. That is, to use the secondary pre-fill username feature, you must configure both commands.

Possible values for primary and secondary attributes include the following:

Attribute         Definition
C                 Country: the two-letter country abbreviation. These codes conform to ISO 3166 country abbreviations.
CN                Common Name: the name of a person, system, or other entity. Not available as a secondary attribute.
DNQ               Domain Name Qualifier.
EA                E-mail address.
GENQ              Generational Qualifier.
GN                Given Name.
I                 Initials.
L                 Locality: the city or town where the organization is located.
N                 Name.
O                 Organization: the name of the company, institution, agency, association, or other entity.
OU                Organizational Unit: the subgroup within the organization (O).
SER               Serial Number.
SN                Surname.
SP                State/Province: the state or province where the organization is located.
T                 Title.
UID               User Identifier.
UPN               User Principal Name.
use-entire-name   Use entire DN name. Not available as a secondary attribute.
use-script        Use a script file generated by ASDM.

Note   If you also specify the secondary-authentication-server-group command, along with the secondary-username-from-certificate command, only the primary username is used for authentication.

Examples

The following example, entered in global configuration mode, creates a remote access tunnel group named remotegrp and specifies the use of CN (Common Name) as the primary attribute and OU as the secondary attribute to use to derive a name for an authorization query from a digital certificate:

ciscoasa(config)# tunnel-group remotegrp type remote-access
ciscoasa(config)# tunnel-group remotegrp general-attributes
ciscoasa(config-tunnel-general)# username-from-certificate CN
ciscoasa(config-tunnel-general)# secondary-username-from-certificate OU
ciscoasa(config-tunnel-general)#

The following example shows how to modify the tunnel-group attributes to configure the pre-fill username:

username-from-certificate {use-entire-name | use-script | <primary-attr>} [secondary-attr]
secondary-username-from-certificate {use-entire-name | use-script | <primary-attr>} [secondary-attr]   ; used only for double-authentication

Related Commands

Command                                 Description
pre-fill-username                       Enables the pre-fill username feature.
secondary-pre-fill-username             Enables username extraction for clientless or AnyConnect client connections.
username-from-certificate               Specifies the field in a certificate to use as the username for authorization.
show running-config tunnel-group        Shows the indicated tunnel-group configuration.
secondary-authentication-server-group   Specifies the secondary AAA server group. If the usernames are extracted from a digital certificate, only the primary username is used for authentication.

secure-unit-authentication

To enable secure unit authentication, use the secure-unit-authentication enable command in group-policy configuration mode. To disable secure unit authentication, use the secure-unit-authentication disable command. To remove the secure unit authentication attribute from the running configuration, use the no form of this command.

secure-unit-authentication {enable | disable}
no secure-unit-authentication

Syntax Description

disable   Disables secure unit authentication.
enable    Enables secure unit authentication.

Defaults

Secure unit authentication is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                   Firewall Mode          Security Context
                               Routed   Transparent   Single   Multiple Context   System
Group-policy configuration     Yes      —             Yes      —                  —

Command History

Release   Modification
7.0(1)    This command was added.

Usage Guidelines

Secure unit authentication requires that you have an authentication server group configured for the tunnel group the hardware client(s) use. If you require secure unit authentication on the primary ASA, be sure to configure it on any backup servers as well.

The no option allows inheritance of a value for secure unit authentication from another group policy.

Secure unit authentication provides additional security by requiring VPN hardware clients to authenticate with a username and password each time the client initiates a tunnel. With this feature enabled, the hardware client does not have a saved username and password.

Note   With this feature enabled, to bring up a VPN tunnel, a user must be present to enter the username and password.
Examples

The following example shows how to enable secure unit authentication for the group policy named FirstGroup:

ciscoasa(config)# group-policy FirstGroup attributes
ciscoasa(config-group-policy)# secure-unit-authentication enable

Related Commands

Command               Description
ip-phone-bypass       Lets IP phones connect without undergoing user authentication. Secure unit authentication remains in effect.
leap-bypass           Lets LEAP packets from wireless devices behind a VPN hardware client travel across a VPN tunnel prior to user authentication, when enabled. This lets workstations using Cisco wireless access point devices establish LEAP authentication. Then they authenticate again per user authentication.
user-authentication   Requires users behind a hardware client to identify themselves to the ASA before connecting.

security-group

To add a security group to a security object group for use with Cisco TrustSec, use the security-group command in object-group security configuration mode. To remove the security group, use the no form of this command.

security-group {tag sgt# | name sg_name}
no security-group {tag sgt# | name sg_name}

Syntax Description

tag sgt#       Specifies the security group object as an inline tag. Enter a number from 1 to 65533 for a Tag security type. An SGT is assigned to a device through IEEE 802.1X authentication, web authentication, or MAC authentication bypass (MAB) by the ISE. Security group names are created on the ISE and provide user-friendly names for security groups. The security group table maps SGTs to security group names.
name sg_name   Specifies the security group object as a named object. Enter a 32-byte case-sensitive string for a Name security type. The sg_name can contain any character including [a-z], [A-Z], [0-9], [!@#$%^&()-_{}. ].

Command Default

No default behavior or values.
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                            Firewall Mode          Security Context
                                        Routed   Transparent   Single   Multiple Context   System
Object-group security configuration     Yes      Yes           Yes      Yes                —

Command History

Release   Modification
9.0(1)    This command was added.

Usage Guidelines

You can create security group object groups for use in features that support Cisco TrustSec by including the group in an extended ACL, which in turn can be used in an access rule, for example.

When integrated with Cisco TrustSec, the ASA downloads security group information from the ISE. The ISE acts as an identity repository, by providing Cisco TrustSec tag to user identity mapping and Cisco TrustSec tag to server resource mapping. You provision and manage security group access lists centrally on the ISE.

However, the ASA might have localized network resources that are not defined globally that require local security groups with localized security policies. Local security groups can contain nested security groups that are downloaded from the ISE. The ASA consolidates local and central security groups.

To create local security groups on the ASA, you create a local security object group. A local security object group can contain one or more nested security object groups or Security IDs or security group names. You can also create a new Security ID or security group name that does not exist on the ASA.

You can use the security object groups you create on the ASA to control access to network resources. You can use the security object group as part of an access group or service policy.
Examples

The following example shows how to configure a security group object:

ciscoasa(config)# object-group security mktg-sg
ciscoasa(config)# security-group name mktg
ciscoasa(config)# security-group tag 1

The following example shows how to configure a security group object that contains a nested object group:

ciscoasa(config)# object-group security mktg-sg-all
ciscoasa(config)# security-group name mktg-managers
ciscoasa(config)# group-object mktg-sg // nested object-group

Related Commands

Command                 Description
object-group security   Creates a security group object.

security-group-tag

To configure a security group tag attribute in a remote access VPN group policy or for a user in the LOCAL user database, use the security-group-tag value command in group-policy or username configuration mode. To remove the security group tag attribute, use the no form of this command.

security-group-tag {none | value sgt}
no security-group-tag {none | value sgt}

Syntax Description

none        Do not set a security group tag for this group policy or user.
value sgt   Specifies the security group tag number.

Command Default

The default is security-group-tag none, which means that there is no security group tag in this attribute set.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                                 Firewall Mode          Security Context
                                             Routed   Transparent   Single   Multiple Context   System
Group-policy or username configuration       Yes      Yes           Yes      Yes                —

Command History

Release   Modification
9.3(1)    This command was added.

Usage Guidelines

ASA supports security group tagging of VPN sessions. You can assign a Security Group Tag (SGT) to a VPN session using an external AAA server, or by configuring a security group tag for a local user or for a VPN group policy. This tag can then be propagated through the Cisco TrustSec system over Layer 2 Ethernet.
Security group tags are useful on group policies and for local users when the AAA server cannot provide an SGT.

Following is the typical process for assigning an SGT to a VPN user:

1. A user connects to a remote access VPN that uses a AAA server group containing ISE servers.
2. The ASA requests AAA information from ISE, which might include an SGT. The ASA also assigns an IP address for the user's tunneled traffic.
3. The ASA uses AAA information to authenticate the user and creates a tunnel.
4. The ASA uses the SGT from AAA information and the assigned IP address to add an SGT in the Layer 2 header.
5. Packets that include the SGT are passed to the next peer device in the Cisco TrustSec network.

If there is no SGT in the attributes from the AAA server to assign to a VPN user, then the ASA uses the SGT in the group policy. If there is no SGT in the group policy, then tag 0x0 is assigned.

Examples

The following example shows how to configure SGT attributes for a group policy:

ciscoasa(config-group-policy)# security-group-tag value 101

Related Commands

Command                      Description
show asp table cts sgt-map   Displays the IP address-security group table mapping entries from the IP address-security group table mapping database maintained in the datapath.
show cts sgt-map             Displays the IP address-security group table manager entries in the control path.

security-level

To set the security level of an interface, use the security-level command in interface configuration mode. To set the security level to the default, use the no form of this command. The security level protects higher security networks from lower security networks by imposing additional protection between the two.

security-level number
no security-level

Syntax Description

number   An integer between 0 (lowest) and 100 (highest).

Defaults

By default, the security level is 0.
If you name an interface "inside" and you do not set the security level explicitly, then the ASA sets the security level to 100 (see the nameif command). You can change this level if desired.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                Firewall Mode          Security Context
                            Routed   Transparent   Single   Multiple Context   System
Interface configuration     Yes      Yes           Yes      Yes                —

Command History

Release   Modification
7.0(1)    This command was moved from a keyword of the nameif command to an interface configuration mode command.

Usage Guidelines

The level controls the following behavior:

• Network access—By default, there is an implicit permit from a higher security interface to a lower security interface (outbound). Hosts on the higher security interface can access any host on a lower security interface. You can limit access by applying an access list to the interface. For same security interfaces, there is an implicit permit for interfaces to access other interfaces on the same security level or lower.
• Inspection engines—Some inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.
  – NetBIOS inspection engine—Applied only for outbound connections.
  – OraServ inspection engine—If a control connection for the OraServ port exists between a pair of hosts, then only an inbound data connection is permitted through the ASA.
• Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level). For same security interfaces, you can filter traffic in either direction.
• NAT control—When you enable NAT control, you must configure NAT for hosts on a higher security interface (inside) when they access hosts on a lower security interface (outside).
  Without NAT control, or for same security interfaces, you can choose to use NAT between any interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside interface might require a special keyword.
• established command—This command allows return connections from a lower security host to a higher security host if there is already an established connection from the higher level host to the lower level host. For same security interfaces, you can configure established commands for both directions.

Normally, interfaces on the same security level cannot communicate. If you want interfaces on the same security level to communicate, see the same-security-traffic command. You might want to assign two interfaces to the same level and allow them to communicate if you want to create more than 101 communicating interfaces, or you want protection features to be applied equally for traffic between two interfaces; for example, you have two departments that are equally secure.

If you change the security level of an interface, and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command.

Examples

The following example configures the security levels for two interfaces to be 100 and 0:

ciscoasa(config)# interface gigabitethernet0/0
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address 10.1.1.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface gigabitethernet0/1
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# ip address 10.1.2.1 255.255.255.0
ciscoasa(config-if)# no shutdown

Related Commands

Command            Description
clear local-host   Resets all connections.
interface          Configures an interface and enters interface configuration mode.
nameif             Sets the interface name.
vlan               Assigns a VLAN ID to a subinterface.
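The implicit access rules that the security-level and same-security-traffic entries describe, as an added model that is not Cisco's code: the two interfaces from the example above plus two constructed equal-level department interfaces, and an applied access list modelled only as "the access list decides". Interface names, levels and the Policy class are assumptions of this example.

```python
"""Added example (not Cisco's code): models the implicit permit/deny behaviour
that the security-level entry describes. Interface names, levels and the
Policy class are constructed for this example."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


def effective_level(name: str, configured: Optional[int]) -> int:
    """Level an interface ends up with: the configured value if set, otherwise
    100 for an interface named "inside" and 0 for everything else (see nameif)."""
    if configured is None:
        return 100 if name == "inside" else 0
    if not 0 <= configured <= 100:
        raise ValueError("security-level must be an integer between 0 and 100")
    return configured


@dataclass
class Policy:
    levels: Dict[str, int] = field(default_factory=dict)  # interface name -> level
    inter_interface: bool = False   # same-security-traffic permit inter-interface
    intra_interface: bool = False   # same-security-traffic permit intra-interface
    acl_applied: Set[str] = field(default_factory=set)    # interfaces with an ACL applied

    def add_interface(self, name: str, level: Optional[int] = None) -> int:
        self.levels[name] = effective_level(name, level)
        return self.levels[name]


def direction(policy: Policy, ingress: str, egress: str) -> str:
    """Classify a flow as the entry does: "outbound" (higher to lower level),
    "inbound" (lower to higher) or "same-security" (equal levels)."""
    src, dst = policy.levels[ingress], policy.levels[egress]
    if src > dst:
        return "outbound"
    if src < dst:
        return "inbound"
    return "same-security"


def implicit_action(policy: Policy, ingress: str, egress: str) -> str:
    """Treatment of a new connection entering on `ingress` and leaving on `egress`:
    "permit" or "deny" from the implicit rules, or "acl" when an applied access
    list replaces the implicit behaviour for that ingress interface."""
    if ingress in policy.acl_applied:
        return "acl"
    if ingress == egress:   # traffic entering and leaving the same interface
        return "permit" if policy.intra_interface else "deny"
    kind = direction(policy, ingress, egress)
    if kind == "outbound":
        return "permit"     # implicit permit from higher to lower security
    if kind == "same-security":
        return "permit" if policy.inter_interface else "deny"
    return "deny"           # lower to higher security needs an explicit access list


def netbios_inspection_applies(policy: Policy, ingress: str, egress: str) -> bool:
    """NetBIOS inspection is applied only to outbound connections; for same
    security interfaces inspection engines apply in either direction."""
    return direction(policy, ingress, egress) in ("outbound", "same-security")


def build_example_policy() -> Policy:
    """inside (100) and outside (0) from the Examples section, plus two constructed
    department interfaces, hr and finance, that share level 50."""
    policy = Policy()
    policy.add_interface("inside", 100)
    policy.add_interface("outside", 0)
    policy.add_interface("hr", 50)
    policy.add_interface("finance", 50)
    return policy


if __name__ == "__main__":
    p = build_example_policy()
    for src, dst in [("inside", "outside"), ("outside", "inside"), ("hr", "finance")]:
        print(f"{src:>8} -> {dst:<8} {implicit_action(p, src, dst)}")
    p.inter_interface = True   # same-security-traffic permit inter-interface
    print(f"{'hr':>8} -> {'finance':<8} {implicit_action(p, 'hr', 'finance')} (inter-interface permitted)")
```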
segment-id

To specify the VXLAN ID for a VNI interface, use the segment-id command in interface configuration mode. To remove the ID, use the no form of this command.

segment-id id
no segment-id id

Syntax Description

id   Sets the ID between 1 and 16777215.

Command Default

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                Firewall Mode          Security Context
                            Routed   Transparent   Single   Multiple Context   System
Interface configuration     Yes      Yes           Yes      Yes                —

Command History

Release   Modification
9.4(1)    This command was added.

Usage Guidelines

The segment ID is used for VXLAN tagging.

Examples

The following example configures the VNI 1 interface and specifies a segment ID of 1000:

ciscoasa(config)# interface vni 1
ciscoasa(config-if)# segment-id 1000
ciscoasa(config-if)# vtep-nve 1
ciscoasa(config-if)# nameif vxlan1000
ciscoasa(config-if)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
ciscoasa(config-if)# ipv6 address 2001:0DB8::BA98:0:3210/48
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# mcast-group 236.0.0.100

Related Commands

Command                 Description
debug vxlan             Debugs VXLAN traffic.
default-mcast-group     Specifies a default multicast group for all VNI interfaces associated with the VTEP source interface.
encapsulation vxlan     Sets the NVE instance to VXLAN encapsulation.
inspect vxlan           Enforces compliance with the standard VXLAN header format.
interface vni           Creates the VNI interface for VXLAN tagging.
mcast-group             Sets the multicast group address for the VNI interface.
nve                     Specifies the Network Virtualization Endpoint instance.
nve-only                Specifies that the VXLAN source interface is NVE-only.
peer ip                 Manually specifies the peer VTEP IP address.
show arp vtep-mapping                 Displays MAC addresses cached on the VNI interface for IP addresses located in the remote segment domain and the remote VTEP IP addresses.
show interface vni                    Shows the parameters, status, and statistics of a VNI interface, the status of its bridged interface (if configured), and the NVE interface it is associated with.
show mac-address-table vtep-mapping   Displays the Layer 2 forwarding table (MAC address table) on the VNI interface with the remote VTEP IP addresses.
show nve                              Shows the parameters, status, and statistics of an NVE interface, the status of its carrier interface (source interface), the IP address of the carrier interface, the VNIs that use this NVE as the VXLAN VTEP, and the peer VTEP IP addresses associated with this NVE interface.
show vni vlan-mapping                 Shows the mapping between VNI segment IDs and VLAN interfaces or physical interfaces in transparent mode.
source-interface                      Specifies the VTEP source interface.
vtep-nve                              Associates a VNI interface with the VTEP source interface.
vxlan port                            Sets the VXLAN UDP port. By default, the VTEP source interface accepts VXLAN traffic to UDP port 4789.

send response

To send a RADIUS Accounting-Response Start and Accounting-Response Stop message to the sender of the RADIUS Accounting-Request Start and Stop messages, use the send response command in radius-accounting parameter configuration mode, which is accessed by using the inspect radius-accounting command. This option is disabled by default.

send response
no send response

Syntax Description

This command has no arguments or keywords.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                                Firewall Mode          Security Context
                                            Routed   Transparent   Single   Multiple Context   System
Radius-accounting parameter configuration   Yes      Yes           Yes      Yes                —

Command History

Release   Modification
7.2(1)    This command was added.
Examples

The following example shows how to send a response with RADIUS accounting:

ciscoasa(config)# policy-map type inspect radius-accounting ra
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# send response

Related Commands

Command                     Description
inspect radius-accounting   Sets inspection for RADIUS accounting.
parameters                  Sets parameters for an inspection policy map.

seq-past-window

To set the action for packets that have past-window sequence numbers (the sequence number of a received TCP packet is greater than the right edge of the TCP receiving window), use the seq-past-window command in tcp-map configuration mode. To set the value back to the default, use the no form of this command. This command is part of the TCP normalization policy enabled using the set connection advanced-options command.

seq-past-window {allow | drop}
no seq-past-window

Syntax Description

allow   Allows packets that have past-window sequence numbers. This action is only allowed if the queue-limit command is set to 0 (disabled).
drop    Drops packets that have past-window sequence numbers.

Defaults

The default action is to drop packets that have past-window sequence numbers.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode              Firewall Mode          Security Context
                          Routed   Transparent   Single   Multiple Context   System
Tcp-map configuration     Yes      Yes           Yes      Yes                —

Command History

Release          Modification
7.2(4)/8.0(4)    This command was added.

Usage Guidelines

To enable TCP normalization, use the Modular Policy Framework:

1. tcp-map—Identifies the TCP normalization actions.
   a. seq-past-window—In tcp-map configuration mode, you can enter the seq-past-window command and many others.
2. class-map—Identify the traffic on which you want to perform TCP normalization.
3. policy-map—Identify the actions associated with each class map.
   a.
      class—Identify the class map on which you want to perform actions.
   b. set connection advanced-options—Identify the tcp-map you created.
4. service-policy—Assigns the policy map to an interface or globally.

Examples

The following example sets the ASA to allow packets that have past-window sequence numbers:

ciscoasa(config)# tcp-map tmap
ciscoasa(config-tcp-map)# seq-past-window allow
ciscoasa(config)# class-map cmap
ciscoasa(config-cmap)# match any
ciscoasa(config)# policy-map pmap
ciscoasa(config-pmap)# class cmap
ciscoasa(config-pmap)# set connection advanced-options tmap
ciscoasa(config)# service-policy pmap global
ciscoasa(config)#

Related Commands

Command                           Description
class-map                         Identifies traffic for a service policy.
policy-map                        Identifies actions to apply to traffic in a service policy.
queue-limit                       Sets the out-of-order packet limit.
set connection advanced-options   Enables TCP normalization.
service-policy                    Applies a service policy to interface(s).
show running-config tcp-map       Shows the TCP map configuration.
tcp-map                           Creates a TCP map and allows access to tcp-map configuration mode.

serial-number

To include the ASA serial number in the certificate during enrollment, use the serial-number command in crypto ca trustpoint configuration mode. To restore the default setting, use the no form of the command.

serial-number
no serial-number

Syntax Description

This command has no arguments or keywords.

Defaults

The default setting is to not include the serial number.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                           Firewall Mode          Security Context
                                       Routed   Transparent   Single   Multiple Context   System
Crypto ca trustpoint configuration     Yes      Yes           Yes      Yes                Yes

Command History

Release   Modification
7.0(1)    This command was added.
Yes • Yes Context • Yes System • Yes The following example enters crypto ca trustpoint configuration mode for trustpoint central, and includes the ASA serial number in the enrollment request for trustpoint central: ciscoasa(config)# crypto ca trustpoint central ciscoasa(ca-trustpoint)# serial-number Related Commands Command Description crypto ca trustpoint Enters trustpoint configuration mode. Cisco ASA Series Command Reference, S Commands 1-45 Chapter server (pop3s, imap4s, smtps) (Deprecated) Note The last supported release for this command was Version 9.5(1). To specify a default e-mail proxy server, use the server command in the applicable e-mail proxy configuration mode. To remove the attribute from the configuration, use the no version of this command. The ASA sends requests to the default e-mail server when the user connects to the e-mail proxy without specifying a server. If you do not configure a default server, and a user does not specify a server, the ASA returns an error. server {ipaddr or hostname} no server Syntax Description hostname The DNS name of the default e-mail proxy server. ipaddr The IP address of the default e-mail proxy server. Defaults There is no default e-mail proxy server by default. Command Modes The following table shows the modes in which you can enter the command: Firewall Mode Security Context Multiple Command Mode Command History Examples Routed Context System Pop3s configuration • Yes • Yes — — • Yes Imap4s configuration • Yes • Yes — — • Yes Smtps configuration • Yes • Yes — — • Yes Release Modification 7.0(1) This command was added. 9.5.2 This command was deprecated. The following example shows how to set a default POP3S e-mail server with an IP address. 
of 10.1.1.7: ciscoasa(config)# pop3s ciscoasa(config-pop3s)# server 10.1.1.7 Cisco ASA Series Command Reference, S Commands 1-46 Transparent Single Chapter server (scansafe general-options) To configure the primary and backup Cloud Web Security proxy servers, use the server command in scansafe general-options configuration mode. To remove the server, use the no form of this command. server {primary | backup} {ip ip_address | fqdn fqdn} [port port] no server {primary | backup} {ip ip_address | fqdn fqdn} [port port] Syntax Description backup Specifies that you are identifying the backup server. ip ip_address Specifies the server IP address. fqdn fqdn Specifies the server fully-qualified domain name (FQDN). port port (Optional) By default, the Cloud Web Security proxy server uses port 8080 for both HTTP and HTTPS traffic; do not change this value unless directed to do so. primary Specifies that you are identifying the primary server. Command Default The default port is 8080. Command Modes The following table shows the modes in which you can enter the command: Firewall Mode Security Context Multiple Command Mode Scansafe general-options configuration Command History Usage Guidelines Routed • Yes Transparent Single • Release Modification 9.0(1) This command was added. Yes • Yes Context — System • Yes When you subscribe to the Cisco Cloud Web Security service, you are assigned a primary Cloud Web Security proxy server and backup proxy server. These servers are routinely polled to check for their availability. If your ASA is unable to reach the Cloud Web Security proxy server (for example, if no SYN/ACK packets arrive from the proxy server), then the proxy server is polled through a TCP three-way handshake to check its availability. If the proxy server is unavailable after a configured number of retries (the default is five), the server is declared as unreachable, and the backup proxy server becomes active. 
Cisco ASA Series Command Reference, S Commands 1-47 Chapter Note You can further refine failover by checking the health of the Cloud Web Security application. In some cases, the server can complete the TCP three-way handshake, yet the Cloud Web Security application on the server is not functioning correctly. If you enable application health checking, the system can fail over to the backup server even if the three-way handshake completes, if the application itself does not respond. This provides a more reliable failover setup. Use the health-check application command to enable this extra check. The ASA automatically falls back to the primary Cloud Web Security proxy server from the backup server after continued polling shows that the primary server is active for two consecutive retry count periods. You can change this polling interval using the retry-count command. Traffic Conditions Under Which Proxy Server Is Not Reachable Examples Server Timeout Calculation Connection Timeout Result High traffic Client half open connection timeout + ASA TCP connection timeout (30 + 30) = 60 seconds Single connection failure (30 + ((5-1) x (30)) = 150 Client half open connection timeout + ((retry threshold - 1) x seconds (ASA TCP connection timeout)) Idle—No connections are passing 15 minutes + ((retry threshold) x 900 + (5 x (30) = 1050 seconds (ASA TCP connection timeout)) The following example configures a primary and backup server. You must enter the command separately for the primary and backup server. scansafe general-options server primary ip 10.24.0.62 port 8080 server backup ip 10.10.0.7 port 8080 retry-count 7 license 366C1D3F5CE67D33D3E9ACEC265261E5 Related Commands Command Description class-map type inspect Creates an inspection class map for whitelisted users and groups. scansafe default user group Specifies the default username and/or group if the ASA cannot determine the identity of the user coming into the ASA. 
http[s] (parameters) Specifies the service type for the inspection policy map, either HTTP or HTTPS. inspect scansafe Enables Cloud Web Security inspection on the traffic in a class. license Configures the authentication key that the ASA sends to the Cloud Web Security proxy servers to indicate from which organization the request comes. match user group Matches a user or group for a whitelist. policy-map type inspect scansafe Creates an inspection policy map so you can configure essential parameters for the rule and also optionally identify the whitelist. Cisco ASA Series Command Reference, S Commands 1-48 Chapter Command Description retry-count Enters the retry counter value, which is the amount of time that the ASA waits before polling the Cloud Web Security proxy server to check its availability. scansafe In multiple context mode, allows Cloud Web Security per context. scansafe general-options Configures general Cloud Web Security server options. server {primary | backup} Configures the fully qualified domain name or IP address of the primary or backup Cloud Web Security proxy servers. show conn scansafe Shows all Cloud Web Security connections, as noted by the capitol Z flag. show scansafe server Shows the status of the server, whether it’s the current active server, the backup server, or unreachable. show scansafe statistics Shows total and current HTTP(S) connections. user-identity monitor Downloads the specified user or group information from the AD agent. whitelist Performs the whitelist action on the class of traffic. Cisco ASA Series Command Reference, S Commands 1-49 Chapter server (ssh pubkey-chain) To manually add or delete SSH servers and their keys from the ASA database for the on-board Secure Copy (SCP) client, use the server command in ssh pubkey-chain configuration mode. To remove a server and its host key, use the no form of this command. 
server ip_address no server ip_address Syntax Description ip_address Command Default No default behavior or values. Command Modes The following table shows the modes in which you can enter the command: Specifies the SSH server IP address. Firewall Mode Security Context Multiple Command Mode Routed Ssh pubkey-chain configuration Command History Usage Guidelines • Yes Transparent Single • Release Modification 9.1(5) This command was added. Yes • Yes Context — System • Yes You can copy files to and from the ASA using the on-board SCP client. The ASA stores the SSH host key for each SCP server to which it connects. You can manually add or delete servers and their keys from the ASA database if desired. For each server, you can specify the key-string (public key) or key-hash (hashed value) of the SSH host. Examples The following example adds an already hashed host key for the server at 10.86.94.170: ciscoasa(config)# ssh pubkey-chain ciscoasa(config-ssh-pubkey-chain)# server 10.86.94.170 ciscoasa(config-ssh-pubkey-server)# key-hash sha256 65:d9:9d:fe:1a:bc:61:aa:64:9d:fc:ee:99:87:38:df:a8:8e:d9:e9:ff:42:de:e8:8d:2d:bf:a9:2b:85: 2e:19 Cisco ASA Series Command Reference, S Commands 1-50 Chapter The following example adds a host string key for the server at 10.7.8.9: ciscoasa(config)# ssh pubkey-chain ciscoasa(config-ssh-pubkey-chain)# server 10.7.8.9 ciscoasa(config-ssh-pubkey-server)# key-string Enter the base 64 encoded RSA public key. End with the word "exit" on a line by itself ciscoasa(config-ssh-pubkey-server-string)# c1:b1:30:29:d7:b8:de:6c:97:77:10:d7:46:41:63:87 ciscoasa(config-ssh-pubkey-server-string)# exit Related Commands Command Description copy Copies a file to or from the ASA. key-hash Enters a hashed SSH host key. key-string Enters a public SSH host key. ssh pubkey-chain Manually adds or deletes servers and their keys from the ASA database. ssh stricthostkeycheck Enables SSH host key checking for the on-board Secure Copy (SCP) client. 
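The key-hash form above is a SHA-256 digest of the raw SSH public-key blob, written as 32 colon-separated hex bytes. The following Python is an added example, not Cisco code and not part of this reference: it builds an ssh-rsa blob in RFC 4251 wire format, computes the digest in both the ASA key-hash layout and OpenSSH's SHA256: layout, and verifies a key against a pinned hash. The RSA parameters, host key and function names are constructed for the demonstration (the modulus is not a real key); for a real server you would take the base64 field from ssh-keyscan output, which is also what key-string expects.

```python
"""Compute/verify an SSH host-key fingerprint in the ASA `key-hash sha256`
colon-hex form.  Added example (not Cisco's code).  The host key is
CONSTRUCTED from small, non-secret RSA parameters so the script runs
offline; a real key comes from `ssh-keyscan -t rsa <server>` (2nd field)."""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement; zero is an empty
    string, and a leading 0x00 is added when the high bit is set."""
    if n == 0:
        return _ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_host_key(e: int, n: int) -> str:
    """Base64 body of an 'ssh-rsa' public key for (e, n)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return base64.b64encode(blob).decode("ascii")


def parse_rsa_host_key(key_b64: str):
    """Decode an 'ssh-rsa' blob back into (e, n); rejects other key types."""
    blob = base64.b64decode(key_b64, validate=True)
    fields, pos = [], 0
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        fields.append(blob[pos:pos + length])
        pos += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def asa_key_hash(key_b64: str) -> str:
    """SHA-256 of the raw blob as 32 colon-separated hex pairs (ASA form)."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return ":".join(f"{b:02x}" for b in digest)


def openssh_fingerprint(key_b64: str) -> str:
    """Same digest in OpenSSH's 'SHA256:<base64, no padding>' form."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def verify_host_key(key_b64: str, pinned_hash: str) -> bool:
    """True only if the key's SHA-256 equals the pinned ASA-style hash.
    Case and whitespace are normalised because the CLI wraps the hash."""
    expected = "".join(pinned_hash.split()).lower()
    return asa_key_hash(key_b64) == expected


# Constructed demo key: NOT a real or secure RSA key, just a valid blob.
DEMO_E = 65537
DEMO_N = 0xC0FFEE1234567890ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789
DEMO_KEY = build_rsa_host_key(DEMO_E, DEMO_N)

if __name__ == "__main__":
    pinned = asa_key_hash(DEMO_KEY)
    print("key-string :", DEMO_KEY)
    print("key-hash   : sha256", pinned)
    print("openssh    :", openssh_fingerprint(DEMO_KEY))
    print("verify ok  :", verify_host_key(DEMO_KEY, pinned))
    print("verify bad :", verify_host_key(build_rsa_host_key(3, DEMO_N), pinned))
```

Run it against the base64 field of a real ssh-keyscan line to get the value to paste after key-hash sha256; the OpenSSH form is what ssh-keygen -lf prints, so both can be compared against the server administrator's published fingerprint before the key is pinned.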
Cisco ASA Series Command Reference, S Commands 1-51 Chapter server authenticate-client To enable the ASA to authenticate the TLS client during TLS handshake, use the server authenticate-client command in tls-proxy configuration mode. To bypass client authentication, use the no form of this command. server authenticate-client no server authenticate-client Syntax Description This command has arguments or keywords. Defaults This command is enabled by default, which means the TLS client is required to present a certificate during handshake with the ASA. Command Modes The following table shows the modes in which you can enter the command: Firewall Mode Security Context Multiple Command Mode Routed Tls-proxy configuration Command History Usage Guidelines • Yes Transparent Single • Release Modification 8.0(4) This command was added. Yes • Yes Context • Yes System — Use the server authenticate-client command to control whether a client authentication is required during TLS Proxy handshake. When enabled (by default), the security appliance sends a Certificate Request TLS handshake message to the TLS client, and the TLS client is required to present its certificate. Use the no form of this command to disable client authentication. Disabling TLS client authentication is suitable when the ASA must interoperate with CUMA client or clients such as a Web browser that are incapable of sending a client certificate. Examples The following example configures a TLS proxy instance with client authentication disabled: ciscoasa(config)# tls-proxy mmp_tls ciscoasa(config-tlsp)# no server authenticate-client ciscoasa(config-tlsp)# server trust-point cuma_server_proxy Cisco ASA Series Command Reference, S Commands 1-52 Chapter Related Commands Command Description tls-proxy Configures the TLS proxy instance. Cisco ASA Series Command Reference, S Commands 1-53 Chapter server-port To configure a AAA server port for a host, use the server-port command in aaa-server host mode. 
To remove the designated server port, use the no form of this command. server-port port-number no server-port port-number Syntax Description port-number Defaults The default server ports are as follows: Command Modes • SDI—5500 • LDAP—389 • Kerberos—88 • NT—139 • TACACS+—49 A port number in the range of 0 through 65535. The following table shows the modes in which you can enter the command: Firewall Mode Security Context Multiple Command Mode Routed Aaa-server group Command History Examples • Yes Transparent Single • Release Modification 7.0(1) This command was added. Yes • Yes Context • Yes — The following example configures an SDI AAA server named srvgrp1 to use server port number 8888: ciscoasa(config)# aaa-server srvgrp1 protocol sdi ciscoasa(config-aaa-server-group)# aaa-server srvgrp1 host 192.168.10.10 ciscoasa(config-aaa-server-host)# server-port 8888 Related Commands Command Description aaa-server host Configures host-specific AAA server parameters. Cisco ASA Series Command Reference, S Commands 1-54 System Chapter clear configure aaa-server Removes all AAA server configurations. show running-config aaa-server Displays AAA server statistics for all AAA servers, for a particular server group, for a particular server within a particular group, or for a particular protocol. Cisco ASA Series Command Reference, S Commands 1-55 Chapter server-separator (pop3s, imap4s, smtps) (Deprecated) Note The last supported release for this command was Version 9.5(1). To specify a character as a delimiter between the e-mail and VPN server names, use server-separator command in the applicable e-mail proxy mode. To revert to the default, “:”, use the no form of this command. server-separator {symbol} no server-separator Syntax Description symbol Defaults The default is “@” (at). Command Modes The following table shows the modes in which you can enter the command: The character that separates the e-mail and VPN server names. 
Choices are “@,” (at) “|” (pipe), “:”(colon), “#” (hash), “,” (comma), and “;” (semi-colon). Firewall Mode Security Context Multiple Command Mode Command History Routed Transparent Single Context System Pop3s • Yes — • Yes — — Imap4s • Yes — • Yes — — Smtps • Yes — • Yes — — Release Modification 7.0(1) This command was added. 9.5.2 This command was deprecated. Usage Guidelines The server separator must be different from the name separator. Examples The following example shows how to set a pipe (|) as the server separator for IMAP4S: ciscoasa(config)# imap4s ciscoasa(config-imap4s)# server-separator | Cisco ASA Series Command Reference, S Commands 1-56 Chapter Related Commands Command Description name-separator Separates the e-mail and VPN usernames and passwords. Cisco ASA Series Command Reference, S Commands 1-57 Chapter server trust-point To specify the proxy trustpoint certificate to present during TLS handshake, use the server trust-point command in TLS server configuration mode. server trust-point proxy_trustpoint Syntax Description proxy_trustpoint Defaults No default behavior or values. Command Modes The following table shows the modes in which you can enter the command: Specifies the trustpoint defined by the crypto ca trustpoint command. Firewall Mode Security Context Multiple Command Mode Routed TLS-proxy configuration Command History Usage Guidelines • Yes Transparent Single • Release Modification 8.0(4) This command was added. Yes • Yes Context • Yes System — The trustpoint can be self-signed, enrolled with a certificate authority, or from an imported credential. The server trust-point command has precedence over the global ssl trust-point command. The server trust-point command specifies the proxy trustpoint certificate presented during TLS handshake. The certificate must be owned by the ASA (identity certificate). The certificate can be self-signed, enrolled with a certificate authority, or from an imported credential. 
Create TLS proxy instances for each entity that can initiate a connection. The entity that initiates the TLS connection is in the role of TLS client. Because the TLS Proxy has strict definition of client proxy and server proxy, two TLS proxy instances must be defined if either of the entities could initiate the connection. Note Examples When you are creating the TLS proxy instance to use with the Phone Proxy, the server trustpoint is the internal Phone Proxy trustpoint created the CTL file instance. The trustpoint name is in the form internal_PP_<ctl-file_instance_name> The following example shows the use of the server trust-point command to specify the proxy trustpoint certificate to present during TLS handshake: ciscoasa(config-tlsp)# server trust-point ent_y_proxy Cisco ASA Series Command Reference, S Commands 1-58 Chapter Related Commands Command Description client (tls-proxy) Configures trustpoints, keypairs, and cipher suites for a TLS proxy instance. client trust-point Specifies the proxy trustpoint certificate to present during TLS handshake. ssl trust-point Specifies the certificate trustpoint that represents the SSL certificate for an interface. tls-proxy Configures a TLS proxy instance. Cisco ASA Series Command Reference, S Commands 1-59 Chapter server-type To manually configure the LDAP server model, use the server-type command in aaa-server host configuration mode. The ASA supports the following server models: • Microsoft Active Directory • Sun Microsystems JAVA System Directory Server, formerly named the Sun ONE Directory Server • Generic LDAP directory servers that comply with LDAPv3 (no password management) To disable this command, use the no form of this command. server-type {auto-detect | microsoft | sun | generic | openldap | novell} no server-type {auto-detect | microsoft | sun | generic | openldap | novell} Syntax Description auto-detect Specifies that the ASA determines the LDAP server type through auto-detection. 
generic Specifies LDAP v3-compliant directory servers other than Sun and Microsoft LDAP directory servers. Password management is not supported with generic LDAP servers. microsoft Specifies that the LDAP server is a Microsoft Active Directory. openldap Specifies that the LDAP server is an OpenLDAP server. novell Specifies that the LDAP server is a Novell server. sun Specifies that the LDAP server is a Sun Microsystems JAVA System Directory Server. Defaults By default, auto-detection attempts to determine the server type. Command Modes The following table shows the modes in which you can enter the command: Firewall Mode Security Context Multiple Command Mode Routed Aaa-server host configuration Command History Usage Guidelines Yes • Yes • Yes Context • Yes Release Modification 7.1(1) This command was added. 8.0(2) Support for the OpenLDAP and Novell server types was added. System — The ASA supports LDAP version 3 and is compatible with the Sun Microsystems JAVA System Directory Server, the Microsoft Active Directory, and other LDAPv3 directory servers. Cisco ASA Series Command Reference, S Commands 1-60 • Transparent Single Chapter Note • Sun—The DN configured on the ASA to access a Sun directory server must be able to access the default password policy on that server. We recommend using the directory administrator, or a user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on the default password policy. Microsoft—You must configure LDAP over SSL to enable password management with Microsoft Active Directory. • Generic—Password management features are not supported. • By default, the ASA auto-detects whether it is connected to a Microsoft directory server, a Sun LDAP directory server, or a generic LDAPv3 server. 
However, if auto-detection fails to determine the LDAP server type and if you know the server is either a Microsoft or Sun server, you can use the server-type command to manually configure the server as either a Microsoft or a Sun Microsystems LDAP server. Examples The following example, entered in aaa-server host configuration mode, configures the server type for the LDAP server ldapsvr1 at IP address 10.10.0.1. The first example configures a Sun Microsystems LDAP server. ciscoasa(config)# aaa-server ldapsvr1 protocol ldap ciscoasa(config-aaa-server-group)# aaa-server ldapsvr1 host 10.10.0.1 ciscoasa(config-aaa-server-host)# server-type sun The following example specifies that the ASA use auto-detection to determine the server type: ciscoasa(config)# aaa-server ldapsvr1 protocol LDAP ciscoasa(config-aaa-server-group)# aaa-server ldapsvr1 host 10.10.0.1 ciscoasa(config-aaa-server-host)# server-type auto-detect Related Commands Command Description ldap-over-ssl Specifies that SSL secures the LDAP client-server connection. sasl-mechanism Configures SASL authentication between the LDAP client and server. ldap attribute-map (global configuration mode) Creates and names an LDAP attribute map for mapping user-defined attribute names to Cisco LDAP attribute names. Cisco ASA Series Command Reference, S Commands 1-61 Chapter service (ctl-provider) To specify the port to which the Certificate Trust List provider listens, use the service command in CTL provider configuration mode. To remove the configuration, use the no form of this command. service port listening_port no service port listening_port Syntax Description port listening_port Defaults Default port is 2444. Command Modes The following table shows the modes in which you can enter the command: Specifies the certificate to be exported to the client. 
Firewall Mode Security Context Multiple Command Mode Routed Ctl provider configuration Command History • Yes Transparent Single • Release Modification 8.0(2) This command was added. Yes • Yes Context • Yes System — Usage Guidelines Use the service command in CTL provider configuration mode to specify the port to which the CTL provider listens. The port must be the one listened to by the CallManager servers in the cluster (as configured under Enterprise Parameters on the CallManager administration page). The default port is 2444. Examples The following example shows how to create a CTL provider instance: ciscoasa(config)# ctl-provider ciscoasa(config-ctl-provider)# ciscoasa(config-ctl-provider)# ciscoasa(config-ctl-provider)# ciscoasa(config-ctl-provider)# Related Commands Commands Description client Specifies clients allowed to connect to the CTL provider and also username and password for client authentication. ctl Parses the CTL file from the CTL client and install trustpoints. Cisco ASA Series Command Reference, S Commands 1-62 my_ctl client interface inside 172.23.45.1 client username CCMAdministrator password XXXXXX encrypted export certificate ccm_proxy ctl install Chapter Commands Description ctl-provider Configures a CTL provider instance in CTL provider mode. export Specifies the certificate to be exported to the client tls-proxy Defines a TLS proxy instance and sets the maximum sessions. Cisco ASA Series Command Reference, S Commands 1-63 Chapter service (global) To enable resets for denied TCP connections, use the service command in global configuration mode. To disable resets, use the no form of this command. service {resetinbound [interface interface_name] | resetoutbound [interface interface_name] | resetoutside} no service {resetinbound [interface interface_name] | resetoutbound [interface interface_name] | resetoutside} Syntax Description interface interface_name Enables or disables resets for the specified interface. 
resetinbound Sends TCP resets for all inbound TCP sessions that attempt to transit the ASA and are denied by the ASA based on access lists or AAA settings. The ASA also sends resets for packets that are allowed by an access list or AAA, but do not belong to an existing connection and are denied by the stateful firewall. Traffic between same security level interfaces is also affected. When this option is not enabled, the ASA silently discards denied packets. If you do not specify an interface, then this setting applies to all interfaces. resetoutbound Sends TCP resets for all outbound TCP sessions that attempt to transit the ASA and are denied by the ASA based on access lists or AAA settings. The ASA also sends resets for packets that are allowed by an access list or AAA, but do not belong to an existing connection and are denied by the stateful firewall. Traffic between same security level interfaces is also affected. When this option is not enabled, the ASA silently discards denied packets. This option is enabled by default. You might want to disable outbound resets to reduce the CPU load during traffic storms, for example. resetoutside Enables resets for TCP packets that terminate at the least secure interface and are denied by the ASA based on access lists or AAA settings. The ASA also sends resets for packets that are allowed by an access list or AAA, but do not belong to an existing connection and are denied by the stateful firewall. When this option is not enabled, the ASA silently discards the packets of denied packets. We recommend that you use the resetoutside keyword with interface PAT. This keyword allows the ASA to terminate the IDENT from an external SMTP or FTP server. Actively resetting these connections avoids the 30-second timeout delay. Defaults By default, service resetoutbound is enabled for all interfaces. 
Command Modes The following table shows the modes in which you can enter the command: Firewall Mode Security Context Multiple Command Mode Global configuration Cisco ASA Series Command Reference, S Commands 1-64 Routed • Yes Transparent Single • Yes • Yes Context • Yes System — Chapter Command History Release Modification 7.1(1) The interface keyword and the resetoutbound command were added. Usage Guidelines You might want to explicitly send resets for inbound traffic if you need to reset identity request (IDENT) connections. When you send a TCP RST (reset flag in the TCP header) to the denied host, the RST stops the incoming IDENT process so that you do not have to wait for IDENT to time out. Waiting for IDENT to time out can cause traffic to slow because outside hosts keep retransmitting the SYN until the IDENT times out, so the service resetinbound command might improve performance. Examples The following example disables outbound resets for all interfaces except for the inside interface: ciscoasa(config)# no service resetoutbound ciscoasa(config)# service resetoutbound interface inside The following example enables inbound resets for all interfaces except for the DMZ interface: ciscoasa(config)# service resetinbound ciscoasa(config)# no service resetinbound interface dmz The following example enables resets for connections that terminate on the outside interface: ciscoasa(config)# service resetoutside Related Commands Command Description show running-config service Displays the service configuration. Cisco ASA Series Command Reference, S Commands 1-65 Chapter service (object service) To define the protocol and optional attributes for a service object, use the service command in object service configuration mode. Use the no form of this command to remove the definition. 
service {protocol | {tcp | udp | sctp} [source operator number] [destination operator number] | {icmp | icmp6} [icmp_type [icmp_code]]} no service {protocol | {tcp | udp | sctp} [source operator number] [destination operator number] | {icmp | icmp6} [icmp_type [icmp_code]]} Syntax Description destination operator number (Optional; tcp, udp, sctp only.) Specifies the destination port name or number, between 0 and 65535. For a list of supported names, see the CLI help. Operators include: • eq—Equals the port number. • gt—Greater than the port number. • lt—Less than the port number. • neq—Not equal to the port number. • range—A range of ports. Specify two numbers separated by a space, such as range 1024 4500. {icmp | icmp6} [icmp_ Specifies that the service type is for ICMP or ICMP version 6 connections. type [icmp_code]] You can optionally specify the ICMP type by name or number, between 0 and 255. (For available optional ICMP type names, see the CLI help.) If you specify a type, you can optionally include an ICMP code, between 1 and 255. protocol Identifies the protocol name or number, between 0 and 255. For a list of supported names, see the CLI help. sctp Specifies that the service type is for Stream Control Transmission Protocol (SCTP) connections. source operator number (Optional; tcp, udp, sctp only.) Specifies the source port name or number, between 0 and 65535. For a list of supported names, see the CLI help. The operators are the same as those for destination. tcp Specifies that the service type is for TCP connections. udp Specifies that the service type is for UDP connections. Defaults No default behavior or values. 
Command Modes The following table shows the modes in which you can enter the command: Firewall Mode Security Context Multiple Command Mode Object service configuration Cisco ASA Series Command Reference, S Commands 1-66 Routed • Yes Transparent Single • Yes • Yes Context • Yes System — Chapter Command History Usage Guidelines Release Modification 8.3(1) This command was added. 9.0(1) Support for ICMP code was added. 9.5(2) Support for SCTP was added. You can use service objects by name in other parts of your configuration, for example ACLs (the access-list command) and NAT (the nat command). If you configure an existing service object with a different protocol and port, the new configuration replaces the existing protocol and port with the new ones. Examples The following example shows how to create a service object for SSH traffic: ciscoasa(config)# service object SSH ciscoasa(config-service-object)# service tcp destination eq ssh The following example shows how to create a service object for EIGRP traffic: ciscoasa(config)# service object EIGRP ciscoasa(config-service-object)# service eigrp The following example shows how to create a service object for traffic coming from port 0 through 1024 to HTTPS: ciscoasa(config)# service object HTTPS ciscoasa(config-service-object)# service tcp source range 0 1024 destination eq https Related Commands Command Description clear configure object Clears all objects created. object-group service Configures a service object. show running-config object service Shows the current service object configuration. Cisco ASA Series Command Reference, S Commands 1-67 Chapter service call-home To enable the Call Home service, use the service call-home command in global configuration mode. To disable the Call Home service, use the no form of this command. service call-home no service call-home Syntax Description This command has no arguments or keywords. Defaults By default, the service Call Home command is disabled. 
Command Modes

The following table shows the modes in which you can enter the command:

                                    Firewall Mode          Security Context
                                                                    Multiple
Command Mode                        Routed   Transparent   Single   Context   System
Global configuration                Yes      Yes           Yes      Yes       —

Command History

Release   Modification
8.2(2)    This command was added.

Examples

The following example shows how to enable the Call Home service:

    ciscoasa(config)# service call-home

The following example shows how to disable the Call Home service:

    ciscoasa(config)# no service call-home

Related Commands

Command                            Description
call-home (global configuration)   Enters Call Home configuration mode.
call-home test                     Manually sends a Call Home test message.
show call-home                     Displays Call Home configuration information.


service-object

To add a service or service object to a service object group that is not pre-defined as TCP, UDP, or TCP-UDP, use the service-object command in object-group service configuration mode. To remove a service, use the no form of this command.

    service-object {protocol | {tcp | udp | tcp-udp | sctp} [source operator number] [destination operator number] | {icmp | icmp6} [icmp_type [icmp_code]] | object name}
    no service-object {protocol | {tcp | udp | tcp-udp | sctp} [source operator number] [destination operator number] | {icmp | icmp6} [icmp_type [icmp_code]] | object name}

Syntax Description

destination operator number
    (Optional; tcp, udp, tcp-udp, sctp only.) Specifies the destination port name or number, between 0 and 65535. For a list of supported names, see the CLI help. Operators include:
    • eq—Equals the port number.
    • gt—Greater than the port number.
    • lt—Less than the port number.
    • neq—Not equal to the port number.
    • range—A range of ports. Specify two numbers separated by a space, such as range 1024 4500.

{icmp | icmp6} [icmp_type [icmp_code]]
    Specifies that the service type is for ICMP or ICMP version 6 connections. You can optionally specify the ICMP type by name or number, between 0 and 255. (For the available ICMP type names, see the CLI help.) If you specify a type, you can optionally include an ICMP code, between 1 and 255.

object name
    Adds the named object or group to the object group.

protocol
    Identifies the protocol name or number, between 0 and 255. For a list of supported names, see the CLI help.

sctp
    Specifies that the service type is for Stream Control Transmission Protocol (SCTP) connections.

source operator number
    (Optional; tcp, udp, tcp-udp, sctp only.) Specifies the source port name or number, between 0 and 65535. For a list of supported names, see the CLI help. The operators are the same as those for destination.

tcp
    Specifies that the service type is for TCP connections.

tcp-udp
    Specifies that the service type is for TCP or UDP connections.

udp
    Specifies that the service type is for UDP connections.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

                                    Firewall Mode          Security Context
                                                                    Multiple
Command Mode                        Routed   Transparent   Single   Context   System
Object-group service configuration  Yes      Yes           Yes      Yes       —

Command History

Release   Modification
8.0(1)    This command was added.
8.3(1)    The object keyword was added to support service objects (the object service command).
9.0(1)    Support for ICMP code was added.
9.5(2)    Support for SCTP was added.

Usage Guidelines

When you create a service object group with the object-group service command and do not pre-define the protocol type for the whole group, you can use the service-object command to add multiple services and service objects of various protocols, including ports, to the group.
When you create a service object group for a specific protocol type using the object-group service [tcp | udp | tcp-udp] command, you can only identify destination ports for the object group, using the port-object command.

Examples

The following example shows how to add both TCP and UDP services to a service object group:

    ciscoasa(config)# object-group service CommonApps
    ciscoasa(config-service-object-group)# service-object tcp destination eq ftp
    ciscoasa(config-service-object-group)# service-object tcp-udp destination eq www
    ciscoasa(config-service-object-group)# service-object tcp destination eq h323
    ciscoasa(config-service-object-group)# service-object tcp destination eq https
    ciscoasa(config-service-object-group)# service-object udp destination eq ntp

The following example shows how to add multiple service objects to a service object group:

    ciscoasa(config)# object service SSH
    ciscoasa(config-service-object)# service tcp destination eq ssh
    ciscoasa(config)# object service EIGRP
    ciscoasa(config-service-object)# service eigrp
    ciscoasa(config)# object service HTTPS
    ciscoasa(config-service-object)# service tcp source range 0 1024 destination eq https
    ciscoasa(config)# object-group service Group1
    ciscoasa(config-service-object-group)# service-object object SSH
    ciscoasa(config-service-object-group)# service-object object EIGRP
    ciscoasa(config-service-object-group)# service-object object HTTPS

Related Commands

Command                            Description
clear configure object-group       Removes all the object-group commands from the configuration.
network-object                     Adds a network object to a network object group.
object service                     Adds a service object.
object-group                       Defines object groups to optimize your configuration.
port-object                        Adds a port object to a service object group.
show running-config object-group   Displays the current object groups.
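Because an ACL or NAT rule that references a service object group permits whatever the group expands to, a reviewer usually wants the flattened list rather than the nested definitions. The following Python is an added example, not Cisco's code and not part of this reference: it parses object service, object-group service, service-object and port-object lines in running-config form, resolves nested object references, applies the "later service line replaces the earlier one" rule described above, and answers whether a given protocol/port pair is covered. PORT_NAMES is an assumed subset of the ASA port names; ICMP type and code arguments are skipped rather than matched on; the sample configuration is constructed from the examples above.

```python
"""Expand Cisco ASA service objects and object groups into concrete matchers so
a reviewer can see what a group really covers. Added example, not Cisco's code;
PORT_NAMES is an assumed subset of ASA port names, and ICMP type/code arguments
are skipped, not matched on.
"""
import re
from dataclasses import dataclass

PORT_NAMES = {"ftp": 21, "ssh": 22, "www": 80, "https": 443, "ntp": 123, "h323": 1720}


@dataclass(frozen=True)
class Service:
    protocol: str        # tcp, udp, tcp-udp, sctp, eigrp, ...
    src: tuple = None    # (operator, low, high) with inclusive bounds, or None
    dst: tuple = None


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_port_spec(tokens, i):
    """Parse eq/gt/lt/neq N or range A B at tokens[i]; return (spec, next index)."""
    op = tokens[i]
    if op == "range":
        return ("range", _port(tokens[i + 1]), _port(tokens[i + 2])), i + 3
    n = _port(tokens[i + 1])
    return {"eq": ("eq", n, n), "gt": ("gt", n + 1, 65535),
            "lt": ("lt", 0, n - 1), "neq": ("neq", n, n)}[op], i + 2


def parse_service_line(args):
    """Parse the arguments of a 'service ...' or 'service-object ...' line."""
    tokens, src, dst, i = args.split(), None, None, 1
    while i < len(tokens):
        if tokens[i] == "source":
            src, i = _parse_port_spec(tokens, i + 1)
        elif tokens[i] == "destination":
            dst, i = _parse_port_spec(tokens, i + 1)
        else:
            i += 1                       # icmp type/code etc.: skipped
    return Service(tokens[0], src, dst)


def parse_config(text):
    """Return (objects, groups). A later 'service' line in the same object
    replaces the earlier one, matching the behaviour the reference describes."""
    objects, groups, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"object service (\S+)$", line):
            cur = ("obj", m.group(1), None)
        elif m := re.match(r"object-group service (\S+)(?: (tcp|udp|tcp-udp))?$", line):
            cur = ("grp", m.group(1), m.group(2))
            groups[m.group(1)] = []
        elif cur and cur[0] == "obj" and line.startswith("service "):
            objects[cur[1]] = parse_service_line(line[8:])
        elif cur and cur[0] == "grp" and line.startswith("service-object object "):
            groups[cur[1]].append(("ref", line.split()[2]))
        elif cur and cur[0] == "grp" and line.startswith("service-object "):
            groups[cur[1]].append(("svc", parse_service_line(line[15:])))
        elif cur and cur[0] == "grp" and cur[2] and line.startswith("port-object "):
            spec, _ = _parse_port_spec(line.split(), 1)
            groups[cur[1]].append(("svc", Service(cur[2], None, spec)))
    return objects, groups


def expand_group(name, objects, groups, path=frozenset()):
    """Flatten a group, following nested object and group references."""
    if name in path:
        raise ValueError(f"nested group loop at {name}")
    out = []
    for kind, val in groups[name]:
        if kind == "svc":
            out.append(val)
        elif val in objects:
            out.append(objects[val])
        elif val in groups:
            out.extend(expand_group(val, objects, groups, path | {name}))
        else:
            raise KeyError(f"unknown object or group {val}")
    return out


def _spec_ok(spec, port):
    if spec is None:
        return True
    op, lo, hi = spec
    return port != lo if op == "neq" else lo <= port <= hi


def matches(svc, protocol, dst_port, src_port=0):
    protos = ("tcp", "udp") if svc.protocol == "tcp-udp" else (svc.protocol,)
    return protocol in protos and _spec_ok(svc.dst, dst_port) and _spec_ok(svc.src, src_port)


def group_allows(name, objects, groups, protocol, dst_port, src_port=0):
    """True if any entry of the flattened group covers this flow."""
    return any(matches(s, protocol, dst_port, src_port) for s in expand_group(name, objects, groups))


# Constructed input: the reference's examples in running-config form.
SAMPLE_CONFIG = """
object service SSH
 service tcp destination eq ssh
object service EIGRP
 service eigrp
object service HTTPS
 service tcp source range 0 1024 destination eq https
object-group service CommonApps
 service-object tcp destination eq ftp
 service-object tcp-udp destination eq www
 service-object udp destination eq ntp
object-group service Group1
 service-object object SSH
 service-object object EIGRP
 service-object object HTTPS
"""

if __name__ == "__main__":
    objs, grps = parse_config(SAMPLE_CONFIG)
    print(expand_group("Group1", objs, grps))
    print(group_allows("Group1", objs, grps, "tcp", 443, src_port=40000))
```

Note what the source range in the HTTPS object does: Group1 covers TCP/443 only when the client's source port is 0 through 1024, so a flow from an ephemeral port is not matched, which is exactly the kind of detail that gets lost when a rule is read at the group-name level.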
service password-recovery

To enable password recovery, use the service password-recovery command in global configuration mode. To disable password recovery, use the no form of this command. Password recovery is enabled by default, but you might want to disable it to ensure that unauthorized users cannot use the password recovery mechanism to compromise the ASA.

    service password-recovery
    no service password-recovery

Syntax Description

This command has no arguments or keywords.

Defaults

Password recovery is enabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

                                    Firewall Mode          Security Context
                                                                    Multiple
Command Mode                        Routed   Transparent   Single   Context   System
Global configuration                Yes      Yes           Yes      —         Yes

Command History

Release   Modification
7.0(1)    This command was added.

Usage Guidelines

On the ASA 5500 series adaptive security appliance, if you forget the passwords, you can boot the ASA into ROMMON by pressing the Escape key on the terminal keyboard when prompted during startup. Then set the ASA to ignore the startup configuration by changing the configuration register (see the config-register command). For example, if your configuration register is the default 0x1, change the value to 0x41 by entering the confreg 0x41 command. After reloading, the ASA loads a default configuration, and you can enter privileged EXEC mode using the default passwords. Then load the startup configuration by copying it to the running configuration and reset the passwords. Finally, set the ASA to boot as before by setting the configuration register to the original setting; for example, enter the config-register 0x1 command in global configuration mode.

On the PIX 500 series security appliance, boot the ASA into monitor mode by pressing the Escape key on the terminal keyboard when prompted during startup. Then download the PIX password tool to the ASA, which erases all passwords and aaa authentication commands.

On the ASA 5500 series adaptive security appliance, the no service password-recovery command prevents a user from entering ROMMON with the configuration intact. When a user enters ROMMON, the ASA prompts the user to erase all Flash file systems. The user cannot enter ROMMON without first performing this erasure. If a user chooses not to erase the Flash file system, the ASA reloads. Because password recovery depends on using ROMMON and maintaining the existing configuration, this erasure prevents you from recovering a password. However, disabling password recovery prevents unauthorized users from viewing the configuration or inserting different passwords. In this case, to recover the system to an operating state, load a new image and a backup configuration file, if available.

The service password-recovery command appears in the configuration file for informational purposes only; when you enter the command at the CLI prompt, the setting is saved in NVRAM. The only way to change the setting is to enter the command at the CLI prompt. Loading a new configuration with a different version of the command does not change the setting. If you disable password recovery when the ASA is configured to ignore the startup configuration at startup (in preparation for password recovery), then the ASA changes the setting to boot the startup configuration as usual. If you use failover, and the standby unit is configured to ignore the startup configuration, then the same change is made to the configuration register when the no service password-recovery command replicates to the standby unit.

On the PIX 500 series security appliance, the no service password-recovery command forces the PIX password tool to prompt the user to erase all Flash file systems. The user cannot use the PIX password tool without first performing this erasure. If a user chooses not to erase the Flash file system, the ASA reloads. Because password recovery depends on maintaining the existing configuration, this erasure prevents you from recovering a password. However, disabling password recovery prevents unauthorized users from viewing the configuration or inserting different passwords. In this case, to recover the system to an operating state, load a new image and a backup configuration file, if available.

Examples

The following example disables password recovery for the ASA 5500 series:

    ciscoasa(config)# no service password-recovery
    WARNING: Executing "no service password-recovery" has disabled the password recovery
    mechanism and disabled access to ROMMON. The only means of recovering from lost or
    forgotten passwords will be for ROMMON to erase all file systems including
    configuration files and images. You should make a backup of your configuration and
    have a mechanism to restore images from the ROMMON command line.

The following example for the ASA 5500 series shows when to enter ROMMON at startup and how to complete a password recovery operation:

    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Boot interrupted.

    Use ? for help.

    rommon #0> confreg
    Current Configuration Register: 0x00000001
    Configuration Summary:
      boot default image from Flash
    Do you wish to change this configuration? y/n [n]: n

    rommon #1> confreg 0x41
    Update Config Register (0x41) in NVRAM...

    rommon #2> boot
    Launching BootLoader...
    Boot configuration file contains 1 entry.
    Loading disk0:/ASA_7.0.bin... Booting...
    ###################
    ...
    Ignoring startup configuration as instructed by configuration register.
    Type help or '?' for a list of available commands.

    ciscoasa> enable
    Password:
    ciscoasa# configure terminal
    ciscoasa(config)# copy startup-config running-config
    Destination filename [running-config]?
    Cryptochecksum(unchanged): 7708b94c e0e3f0d5 c94dde05 594fbee9
    892 bytes copied in 6.300 secs (148 bytes/sec)
    ciscoasa(config)# enable password NewPassword
    ciscoasa(config)# config-register 0x1

Related Commands

Command           Description
config-register   Sets the ASA to ignore the startup configuration when it reloads.
enable password   Sets the enable password.
password          Sets the login password.


service-policy (class)

To apply a hierarchical policy map under another policy map, use the service-policy command in class configuration mode. To disable the service policy, use the no form of this command. Hierarchical policies are supported only for QoS traffic shaping when you want to perform priority queuing on a subset of shaped traffic.

    service-policy policymap_name
    no service-policy policymap_name

Syntax Description

policymap_name
    Specifies the policy map name that you configured in the policy-map command. You can only specify a Layer 3/4 policy map that includes the priority command.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

                                    Firewall Mode          Security Context
                                                                    Multiple
Command Mode                        Routed   Transparent   Single   Context   System
Class configuration                 Yes      Yes           Yes      Yes       —

Command History

Release         Modification
7.2(4)/8.0(4)   This command was added.

Usage Guidelines

Hierarchical priority queuing is used on interfaces on which you enable a traffic shaping queue. A subset of the shaped traffic can be prioritized. The standard priority queue (the priority-queue command) is not used.

For hierarchical priority queuing, perform the following tasks using the Modular Policy Framework:

1.
class-map—Identify the traffic on which you want to perform priority queuing.

2. policy-map (for priority queuing)—Identify the actions associated with each class map.
   a. class—Identify the class map on which you want to perform actions.
   b. priority—Enable priority queuing for the class map. You can only include the priority command in this policy map if you want to use it hierarchically.

3. policy-map (for traffic shaping)—Identify the actions associated with the class-default class map.
   a. class class-default—Identify the class-default class map on which you want to perform actions.
   b. shape—Apply traffic shaping to the class map.
   c. service-policy—Call the priority queuing policy map in which you configured the priority command, so that priority queuing is applied to a subset of the shaped traffic.

4. service-policy—Assign the policy map to an interface or globally.

Examples

The following example enables traffic shaping for all traffic on the outside interface, and prioritizes traffic within VPN tunnel-grp1 with the DSCP bit set to ef:

    ciscoasa(config)# class-map TG1-voice
    ciscoasa(config-cmap)# match tunnel-group tunnel-grp1
    ciscoasa(config-cmap)# match dscp ef
    ciscoasa(config)# policy-map priority-sub-policy
    ciscoasa(config-pmap)# class TG1-voice
    ciscoasa(config-pmap-c)# priority
    ciscoasa(config-pmap-c)# policy-map shape_policy
    ciscoasa(config-pmap)# class class-default
    ciscoasa(config-pmap-c)# shape
    ciscoasa(config-pmap-c)# service-policy priority-sub-policy
    ciscoasa(config-pmap-c)# service-policy shape_policy interface outside

Related Commands

Command                              Description
class (policy-map)                   Identifies a class map for a policy map.
clear configure service-policy       Clears service policy configurations.
clear service-policy                 Clears service policy statistics.
policy-map                           Identifies actions to perform on class maps.
priority                             Enables priority queuing.
service-policy (global)              Applies a policy map to an interface.
shape                                Enables traffic shaping.
show running-config service-policy   Displays the service policies configured in the running configuration.
show service-policy                  Displays the service policy statistics.


service-policy (global)

To activate a policy map globally on all interfaces or on a targeted interface, use the service-policy command in global configuration mode. To disable the service policy, use the no form of this command. Use the service-policy command to enable a set of policies on an interface.

    service-policy policymap_name [global | interface intf] [fail-close]
    no service-policy policymap_name [global | interface intf] [fail-close]

Syntax Description

fail-close
    Generates a syslog (767001) for IPv6 traffic that is dropped by application inspections that do not support IPv6 traffic. By default, syslogs are not generated.

global
    Applies the policy map to all interfaces.

interface intf
    Applies the policy map to a specific interface.

policymap_name
    Specifies the policy map name that you configured in the policy-map command. You can only specify a Layer 3/4 policy map, and not an inspection policy map (policy-map type inspect).

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

                                    Firewall Mode          Security Context
                                                                    Multiple
Command Mode                        Routed   Transparent   Single   Context   System
Global configuration                Yes      Yes           Yes      Yes       —

Command History

Release   Modification
7.0(1)    This command was added.
9.0(1)    The fail-close keyword was added.

Usage Guidelines

To enable the service policy, use the Modular Policy Framework:

1. class-map—Identify the traffic on which you want to perform actions.

2. policy-map—Identify the actions associated with each class map.
   a. class—Identify the class map on which you want to perform actions.
   b. commands for supported features—For a given class map, you can configure many actions for various features, including QoS, application inspection, CSC or AIP SSM, TCP and UDP connection limits and timeouts, and TCP normalization. See the CLI configuration guide for more details about the commands available for each feature.

3. service-policy—Assign the policy map to an interface or globally.

Interface service policies take precedence over the global service policy for a given feature. For example, if you have a global policy with inspections and an interface policy with TCP normalization, then both inspections and TCP normalization are applied to the interface. However, if you have a global policy with inspections and an interface policy with inspections, then only the interface policy inspections are applied to that interface.

By default, the configuration includes a global policy that matches all default application inspection traffic and applies inspection to the traffic globally. You can only apply one global policy, so if you want to alter the global policy, you need to either edit the default policy or disable it and apply a new one. The default service policy includes the following command:

    service-policy global_policy global

Examples

The following example shows how to enable the inbound_policy policy map on the outside interface:

    ciscoasa(config)# service-policy inbound_policy interface outside

The following commands disable the default global policy and enable a new one called new_global_policy on all ASA interfaces:

    ciscoasa(config)# no service-policy global_policy global
    ciscoasa(config)# service-policy new_global_policy global

Related Commands

Command                              Description
clear configure service-policy       Clears service policy configurations.
clear service-policy                 Clears service policy statistics.
service-policy (class)               Applies a hierarchical policy under another policy map.
show running-config service-policy   Displays the service policies configured in the running configuration.
show service-policy                  Displays the service policy statistics.


service sw-reset-button

To enable the reset button on the ASA 5506-X and ASA 5508-X series security appliances, use the service sw-reset-button command in global configuration mode. To disable the reset button, use the no form of this command.

    service sw-reset-button
    no service sw-reset-button

Syntax Description

This command has no arguments or keywords.

Defaults

By default, service sw-reset-button is enabled.

Command Modes

The following table shows the modes in which you can enter the command:

                                    Firewall Mode          Security Context
                                                                    Multiple
Command Mode                        Routed   Transparent   Single   Context   System
Global configuration                Yes      Yes           Yes      Yes       —

Command History

Release   Modification
9.3(2)    This command was added.

Examples

The following example enables the software reset button:

    ciscoasa(config)# service sw-reset-button
    ciscoasa# show sw-reset-button
    Software Reset Button is configured.

The following example disables the software reset button:

    ciscoasa(config)# no service sw-reset-button
    ciscoasa(config)# show sw-reset-button
    Software Reset Button is not configured.

Related Commands

Command                       Description
show running-config service   Displays the service configuration.


session

To establish a Telnet session from the ASA to a module, such as an IPS SSP or a CSC SSM, in order to access the module CLI, use the session command in privileged EXEC mode.

    session id

Syntax Description

id
    Specifies the module ID:
    • Physical module—1 (for slot number 1)
    • Software module, ASA FirePOWER—sfr
    • Software module, IPS—ips
    • Software module, ASA CX—cxsc

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command.
                                    Firewall Mode          Security Context
                                                                    Multiple
Command Mode                        Routed   Transparent   Single   Context   System
Privileged EXEC                     Yes      Yes           Yes      —         Yes

Command History

Release   Modification
7.0(1)    This command was added.
8.6(1)    The ips module ID for the IPS SSP software module was added.
9.1(1)    Support for the ASA CX module was added (the cxsc keyword).
9.2(1)    Support for the ASA FirePOWER module was added (the sfr keyword).

Usage Guidelines

This command is only available when the module is in the Up state. See the show module command for state information.

Note that the session 1 command does not work with the following hardware modules:
• ASA CX
• ASA FirePOWER

To end a session, enter exit or Ctrl-Shift-6, then the x key.

Examples

The following example sessions to a module in slot 1:

    ciscoasa# session 1
    Opening command session with slot 1.
    Connected to slot 1. Escape character sequence is 'CTRL-^X'.

Related Commands

Command                 Description
debug session-command   Shows debugging messages for sessions.


session console

To establish a virtual console session from the ASA to a software module, such as an IPS SSP software module, use the session console command in privileged EXEC mode. This command might be useful if you cannot establish a Telnet session using the session command because the control plane is down.

    session id console

Syntax Description

id
    Specifies the module ID:
    • ASA FirePOWER module—sfr
    • IPS module—ips
    • ASA CX module—cxsc
    • ASA 5506W-X wireless access point—wlan

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command.

                                    Firewall Mode          Security Context
                                                                    Multiple
Command Mode                        Routed   Transparent   Single   Context   System
Privileged EXEC                     Yes      Yes           Yes      —         Yes

Command History

Release   Modification
8.6(1)    This command was added.
9.1(1)    Support for the ASA CX module was added (the cxsc keyword).
9.2(1)    Support for the ASA FirePOWER module was added (the sfr keyword).
9.4(1)    Support for the ASA 5506W-X wireless access point (the wlan keyword) was added.

Usage Guidelines

To end a session, enter Ctrl-Shift-6, then the x key.

Do not use this command in conjunction with a terminal server where Ctrl-Shift-6, x is the escape sequence to return to the terminal server prompt. Ctrl-Shift-6, x is also the sequence to escape the module console and return to the ASA prompt. Therefore, if you try to exit the module console in this situation, you instead exit all the way to the terminal server prompt. If you reconnect the terminal server to the ASA, the module console session is still active; you can never exit to the ASA prompt. You must use a direct serial connection to return the console to the ASA prompt. Use the session command instead.

Examples

The following example creates a console session to the IPS module:

    ciscoasa# session ips console
    Establishing console session with slot 1
    Opening console session with module ips.
    Connected to module ips. Escape character sequence is 'CTRL-SHIFT-6 then x'.
    sensor login: service
    Password: test

The following example creates a console session to the wireless access point:

    ciscoasa# session wlan console
    opening console session with module wlan
    connected to module wlan. Escape character sequence is 'CTRL-^X'
    ap>

Related Commands

Command                   Description
session                   Initiates a Telnet session to a module.
show module log console   Displays console log information.


session do

To establish a Telnet session and perform a command from the ASA to a module, use the session do command in privileged EXEC mode.

    session id do command

Syntax Description

id
    Specifies the module ID:
    • Physical module—1 (for slot number 1)
    • Software module, ASA FirePOWER—sfr
    • Software module, IPS—ips
    • Software module, ASA CX—cxsc

command
    Performs a command on the module. Supported commands include:
    • setup host ip ip_address/mask,gateway_ip—Sets the management IP address and gateway.
    • get-config—Gets the module configuration.
    • password-reset—Resets the module password to the default.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command.

                                    Firewall Mode          Security Context
                                                                    Multiple
Command Mode                        Routed   Transparent   Single   Context   System
Privileged EXEC                     Yes      Yes           Yes      —         Yes

Command History

Release    Modification
7.1(1)     This command was added.
8.6(1)     The ips module ID for the IPS SSP software module was added.
8.4(4.1)   Support for the ASA CX module was added.
9.2(1)     Support for the ASA FirePOWER module, including the sfr keyword, was added.

Usage Guidelines

This command is only available when the module is in the Up state. See the show module command for state information.

To end a session, enter exit or Ctrl-Shift-6, then the X key.

Examples

The following example sets the management IP address to 10.1.1.2/24, with a default gateway of 10.1.1.1:

    ciscoasa# session 1 do setup host ip 10.1.1.2/24,10.1.1.1

Related Commands

Command                 Description
debug session-command   Shows debugging messages for sessions.


session ip

To configure logging IP addresses for a module, such as an IPS SSP or a CSC SSM, use the session ip command in privileged EXEC mode.

    session id ip {address address mask | gateway address}

Syntax Description

id
    Specifies the module ID:
    • Physical module—1 (for slot number 1)
    • Software module, IPS—ips

address address
    Sets the syslog server address.

gateway address
    Sets the gateway to the syslog server.

mask
    Sets the subnet mask.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command.

                                    Firewall Mode          Security Context
                                                                    Multiple
Command Mode                        Routed   Transparent   Single   Context   System
Privileged EXEC                     Yes      Yes           Yes      —         Yes

Command History

Release    Modification
7.1(1)     This command was added.
8.4(4.1)   Support for the ASA CX module was added.
8.6(1)     The ips module ID for the IPS SSP software module was added.

Usage Guidelines

This command is only available when the module is in the Up state. See the show module command for state information.

To end a session, enter exit or Ctrl-Shift-6, then the X key.

Examples

The following example sessions to a module in slot 1:

    ciscoasa# session 1 ip address

Related Commands

Command                 Description
debug session-command   Shows debugging messages for sessions.


set as-path

To modify an autonomous system path for BGP routes, use the set as-path command in route-map configuration mode. To not modify the autonomous system path, use the no form of this command.

    set as-path {tag | prepend as-path-string}
    no set as-path {tag | prepend as-path-string}

Syntax Description

as-path-string
    Number of an autonomous system to prepend to the AS_PATH attribute. The range of values for this argument is any valid autonomous system number from 1 to 65535. Multiple values can be entered; up to 10 AS numbers can be entered. For more details about autonomous system number formats, see the router bgp command.

prepend
    Appends the string following the keyword prepend to the autonomous system path of the route that is matched by the route map. Applies to inbound and outbound BGP route maps.

tag
    Converts the tag of a route into an autonomous system path. Applies only when redistributing routes into BGP.

Defaults

An autonomous system path is not modified.
Command Modes

The following table shows the modes in which you can enter the command:

                                    Firewall Mode          Security Context
                                                                    Multiple
Command Mode                        Routed   Transparent   Single   Context   System
Route-map configuration             Yes      —             Yes      Yes       —

Command History

Release   Modification
9.2(1)    This command was added.

Usage Guidelines

The only global BGP metric available to influence the best path selection is the autonomous system path length. By varying the length of the autonomous system path, a BGP speaker can influence the best path selection by a peer further away. By allowing you to convert the tag into an autonomous system path, the set as-path tag variation of this command modifies the autonomous system path length. The set as-path prepend variation allows you to "prepend" an arbitrary autonomous system path string to BGP routes. Usually the local autonomous system number is prepended multiple times, increasing the autonomous system path length.

The Cisco implementation of 4-byte autonomous system numbers uses asplain (65538, for example) as the default regular expression match and output display format for autonomous system numbers, but you can configure 4-byte autonomous system numbers in both the asplain format and the asdot format as described in RFC 5396. To change the default regular expression match and output display of 4-byte autonomous system numbers to asdot format, use the bgp asnotation dot command followed by the clear bgp * command to perform a hard reset of all current BGP sessions.
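The following Python is an added example, not Cisco's code and not part of this reference. It models the route-map behaviour described above and in the set automatic-tag and set community entries that follow: entries are tried in order, the first entry whose match clause succeeds has its set actions applied, and a route that no entry matches is dropped. It then shows how set as-path prepend lengthens the AS_PATH a neighbour receives and how set as-path tag turns a redistributed route's tag into its AS_PATH, and converts an AS number between asplain and RFC 5396 asdot. Prefixes, AS numbers, tags, and the regular expressions standing in for as-path access lists are all constructed; an Entry whose match_as_path is None plays the role of a "permit everything" match.

```python
"""Model what 'set as-path' does to a route's AS_PATH and how the resulting path
length drives best-path selection. Added example, not Cisco's code. Route-map
semantics follow the reference: entries are tried in order, the first entry
whose match clause succeeds has its set actions applied, and a route that no
entry matches is dropped. Prefixes, AS numbers, tags and the regexes that stand
in for as-path access lists are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Route:
    prefix: str
    as_path: List[int] = field(default_factory=list)  # leftmost = nearest AS, asplain
    tag: int = 0


@dataclass
class Entry:
    """One route-map permit entry. match_as_path is a regex over the space-joined
    AS_PATH (None = permit everything). set_as_path is None, ("tag",) or
    ("prepend", [asn, ...])."""
    match_as_path: Optional[str] = None
    set_as_path: Optional[tuple] = None


def apply_route_map(entries, route):
    """Return the route as the route map leaves it, or None if no entry matched."""
    for entry in entries:
        joined = " ".join(str(a) for a in route.as_path)
        if entry.match_as_path is not None and not re.search(entry.match_as_path, joined):
            continue                          # try the next entry
        out = Route(route.prefix, list(route.as_path), route.tag)
        action = entry.set_as_path
        if action and action[0] == "prepend":
            out.as_path = list(action[1]) + out.as_path
        elif action and action[0] == "tag":
            # A redistributed route enters BGP with an empty AS_PATH, so the tag
            # becomes the whole path (modelled here as a prepend onto that path).
            out.as_path = [route.tag] + out.as_path
        return out                            # first matching entry wins
    return None                               # implicit deny


def best_path(candidates):
    """Shortest AS_PATH wins; on a tie the first candidate offered is kept."""
    return min(candidates, key=lambda r: len(r.as_path))


def format_asn(asn, dot=False):
    """asplain (default) or RFC 5396 asdot notation for a 4-byte AS number."""
    if dot and asn > 65535:
        return f"{asn >> 16}.{asn & 0xFFFF}"
    return str(asn)


# Constructed scenario: AS 100 advertises 192.0.2.0/24 over two links and
# prepends on link A so that the neighbour prefers link B. The AS_PATH values
# are what the neighbour receives, local AS included. The ".*" regex stands in
# for an as-path access list that permits every path.
PREPEND_MAP = [Entry(match_as_path=r".*", set_as_path=("prepend", [100, 100, 100]))]
TAG_MAP = [Entry(match_as_path=None, set_as_path=("tag",))]


def demo():
    via_a = apply_route_map(PREPEND_MAP, Route("192.0.2.0/24", [100]))
    via_b = Route("192.0.2.0/24", [100])
    chosen = best_path([via_a, via_b])
    redistributed = apply_route_map(TAG_MAP, Route("198.51.100.0/24", [], tag=65001))
    return via_a.as_path, chosen is via_b, redistributed.as_path


if __name__ == "__main__":
    print(demo())
```

The demo returns the prepended path seen over link A, whether link B was chosen, and the AS_PATH of the redistributed route; a route offered to a map whose only entry does not match comes back as None, which is the route-map's implicit deny rather than an unchanged route.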
Examples The following example converts the tag of a redistributed route into an autonomous system path: ciscoasa(config)# route-map set-as-path-from-tag ciscoasa(config-route-map)# set as-path tag ciscoasa(config-route-map)# router bgp 100 ciscoasa(config-router)# address-family ipv4 ciscoasa(config-router-af)# redistribute ospf 109 route-map set-as-path-from-tag The following example prepends 100 100 100 to all the routes that are advertised to 10.108.1.1: ciscoasa(config)# route-map set-as-path ciscoasa(config-route-map)# match as-path 1 ciscoasa(config-route-map)# set as-path prepend 100 100 100 ciscoasa(config-route-map)# router bgp 100 ciscoasa(config-router)# address-family ipv4 ciscoasa(config-router-af)# neighbor 10.108.1.1 route-map set-as-path out Related Commands Command Description clear bgp Resets BGP connections using hard or soft reconfiguration. bgp asnotation dot Changes the default display and regular expression match format of Border Gateway Protocol (BGP) 4-byte autonomous system numbers from asplain format (decimal values) to dot notation. Cisco ASA Series Command Reference, S Commands 1-89 Chapter set automatic-tag To automatically compute the tag value, use the set automatic-tag command in route-map configuration mode. To disable this function, use the no form of this command. set automatic-tag no set automatic-tag Syntax Description This command has no arguments or keywords. Defaults This command is disabled by default. Command Modes The following table shows the modes in which you can enter the command: Firewall Mode Security Context Multiple Command Mode Routed Route-map configuration Command History Usage Guidelines • Yes Transparent Single — Release Modification 9.2(1) This command was added. • Yes Context • Yes System — You must have a match clause (even if it points permit everything) if you want to set tags. 
Use the route-map global configuration command and the match and set route-map configuration commands, to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has a list of match and set commands associated with it. The match commands specify the match criteria--the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions--the particular redistribution actions to perform if the criteria enforced by the match commands are met. The no route-map command deletes the route map. The set route-map configuration commands specify the redistribution set actions to be performed when all the match criteria of a route map are met. When all match criteria are met, all set actions are performed. Examples The following example configures the Cisco ASA software to automatically compute the tag value for the Border Gateway Protocol (BGP) learned routes: ciscoasa(config-route-map)# route-map tag ciscoasa(config-route-map)# match as-path 10 iscoasa(config-route-map)# set automatic-tag ciscoasa(config-route-map)# router bgp 100 Cisco ASA Series Command Reference, S Commands 1-90 Chapter ciscoasa(config-router)# address-family ipv4 ciscoasa(config-router-af)# table-map tag Cisco ASA Series Command Reference, S Commands 1-91 Chapter set community To set the BGP communities attribute, use the set community route map configuration command. To delete the entry, use the no form of this command. set community {community-number [additive] | [well-known-community] [additive] | none} no set community Syntax Description additive (Optional) Adds the community to the already existing community. community-number Specifies that community number. Valid values are from 1 to 4294967200, no-export, or no-advertise. none (Optional) Removes the community attribute from the prefixes that pass the route map. 
well-known-community  (Optional) Well-known communities can be specified by using the following keywords:
                      • internet
                      • local-as
                      • no-advertise
                      • no-export

Defaults

No BGP communities attributes exist.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode               Firewall Mode            Security Context
                           Routed    Transparent    Single    Multiple
                                                              Context    System
Route-map configuration    • Yes     —              • Yes     • Yes      —

Command History

Release    Modification
9.2(1)     This command was added.

Usage Guidelines

You must have a match clause (even if it points to a “permit everything” list) if you want to set tags.

Use the route-map global configuration command, and the match and set route-map configuration commands, to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has a list of match and set commands associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria enforced by the match commands are met. The no route-map command deletes the route map.

The set route-map configuration commands specify the redistribution set actions to be performed when all of the match criteria of a route map are met. When all match criteria are met, all set actions are performed.

Examples

In the following example, routes that pass the autonomous system path access list 1 have the community set to 109. Routes that pass the autonomous system path access list 2 have the community set to no-export (these routes will not be advertised to any external BGP [eBGP] peers).
ciscoasa(config)# route-map set_community 10
ciscoasa(config-route-map)# match as-path 1
ciscoasa(config-route-map)# set community 109
ciscoasa(config)# route-map set_community 20
ciscoasa(config-route-map)# match as-path 2
ciscoasa(config-route-map)# set community no-export

Related Commands

Command          Description
match as-path    Matches a BGP autonomous system path that is specified by an access list.

set connection

To specify connection limits within a policy map for a traffic class, use the set connection command in class configuration mode. To remove these specifications, thereby allowing unlimited connections, use the no form of this command.

set connection {[conn-max n] [embryonic-conn-max n] [per-client-embryonic-max n] [per-client-max n] [random-sequence-number {enable | disable}]}
no set connection {[conn-max n] [embryonic-conn-max n] [per-client-embryonic-max n] [per-client-max n] [random-sequence-number {enable | disable}]}

Syntax Description

conn-max n                   (TCP, UDP, SCTP) Sets the maximum number of simultaneous connections that are allowed, between 0 and 2000000. The default is 0, which allows unlimited connections. For example, if two servers are configured to allow simultaneous connections, the connection limit is applied to each configured server separately. When configured under a class, this argument restricts the maximum number of simultaneous connections that are allowed for the entire class. In this case, one attacking host can consume all the connections and leave none for the rest of the hosts matched in the access list under the class.
embryonic-conn-max n         Sets the maximum number of simultaneous embryonic TCP connections allowed, between 0 and 2000000. The default is 0, which allows unlimited connections.
per-client-embryonic-max n   Sets the maximum number of simultaneous embryonic TCP connections allowed per client, between 0 and 2000000.
                             A client is defined as the host that sends the initial packet of a connection (that builds the new connection) through the ASA. If an access list is used with a class map to match traffic for this feature, the embryonic limit is applied per host, and not to the cumulative embryonic connections of all clients that match the access list. The default is 0, which allows unlimited connections. This keyword is not available for management class maps.
per-client-max n             (TCP, UDP, SCTP) Sets the maximum number of simultaneous connections allowed per client, between 0 and 2000000. A client is defined as the host that sends the initial packet of a connection (that builds the new connection) through the ASA. If an access list is used with a class map to match traffic for this feature, the connection limit is applied per host, and not to the cumulative connections of all clients that match the access list. The default is 0, which allows unlimited connections. This keyword is not available for management class maps. When configured under a class, this keyword restricts the maximum number of simultaneous connections that are allowed for each host that is matched through an access list under the class.
random-sequence-number {enable | disable}
                             Enables or disables TCP sequence number randomization. This keyword is not available for management class maps. See the “Usage Guidelines” section for more information.

Defaults

For the conn-max, embryonic-conn-max, per-client-embryonic-max, and per-client-max parameters, the default value of n is 0, which allows unlimited connections. Sequence number randomization is enabled by default.
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode               Firewall Mode            Security Context
                           Routed    Transparent    Single    Multiple
                                                              Context    System
Class configuration        • Yes     • Yes          • Yes     • Yes      —

Command History

Release    Modification
7.0(1)     This command was added.
7.1(1)     The per-client-embryonic-max and per-client-max keywords were added.
8.0(2)     This command is now available for a Layer 3/4 management class map, for to-the-ASA management traffic. Only the conn-max and embryonic-conn-max keywords are available.
9.0(1)     The maximum number of connections was increased from 65535 to 2000000.
9.5(2)     The conn-max and per-client-max keywords now apply to SCTP as well as TCP and UDP.

Usage Guidelines

Configure this command using Modular Policy Framework. First define the traffic to which you want to apply the limits using the class-map command (for through traffic) or the class-map type management command (for management traffic). Then enter the policy-map command to define the policy, and enter the class command to reference the class map. In class configuration mode, you can enter the set connection command. Finally, apply the policy map to an interface using the service-policy command. For more information about how Modular Policy Framework works, see the CLI configuration guide.

Note

Depending on the number of CPU cores on your ASA model, the maximum concurrent and embryonic connections may exceed the configured numbers due to the way each core manages connections. In the worst case scenario, the ASA allows up to n-1 extra connections and embryonic connections, where n is the number of cores. For example, if your model has 4 cores and you configure 6 concurrent connections and 4 embryonic connections, you could have an additional 3 of each type. To determine the number of cores for your model, enter the show cpu core command.

TCP Intercept Overview

Limiting the number of embryonic connections protects you from a DoS attack.
The ASA uses the per-client limits and the embryonic connection limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. TCP Intercept uses the SYN cookies algorithm to prevent TCP SYN-flooding attacks. A SYN-flooding attack consists of a series of SYN packets usually originating from spoofed IP addresses. The constant flood of SYN packets keeps the server SYN queue full, which prevents it from servicing connection requests. When the embryonic connection threshold of a connection is crossed, the ASA acts as a proxy for the server and generates a SYN-ACK response to the client SYN request. When the ASA receives an ACK back from the client, it can then authenticate the client and allow the connection to the server.

TCP Sequence Randomization

Each TCP connection has two ISNs: one generated by the client and one generated by the server. The ASA randomizes the ISN of the TCP SYN passing in both the inbound and outbound directions. Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session.

TCP initial sequence number randomization can be disabled if required. For example:

• If another in-line firewall is also randomizing the initial sequence numbers, there is no need for both firewalls to be performing this action, even though this action does not affect the traffic.
• If you use eBGP multi-hop through the ASA, and the eBGP peers are using MD5. Randomization breaks the MD5 checksum.
• You use a WAAS device that requires the ASA not to randomize the sequence numbers of connections.
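The set connection limits and the per-core note above, as an added example that is not Cisco's code: it parses set connection arguments with the ranges this reference gives, combines separately entered keywords into the single line the ASA shows in the running configuration (the keyword order is assumed to follow the command syntax), computes the worst-case n-1 per-core overshoot, and evaluates a constructed set of half-open connections against per-client-embryonic-max.

```python
"""Added example, not Cisco's code. The connection records are constructed."""
from collections import Counter

MAX_LIMIT = 2_000_000     # upper bound of every n argument; 0 means unlimited
COUNT_KEYWORDS = ("conn-max", "embryonic-conn-max",
                  "per-client-embryonic-max", "per-client-max")
KEYWORD_ORDER = COUNT_KEYWORDS + ("random-sequence-number",)   # assumed display order

# Constructed sample: (client, server) pairs whose three-way handshake is not complete.
SAMPLE_HALF_OPEN = [
    ("192.0.2.10", "10.1.1.1"), ("192.0.2.10", "10.1.1.1"), ("192.0.2.10", "10.1.1.1"),
    ("192.0.2.20", "10.1.1.1"),
]


def parse_set_connection(line: str) -> dict:
    """Turn 'set connection conn-max 600 embryonic-conn-max 50' into a dict,
    rejecting values outside 0..2000000 and unknown keywords."""
    tokens = line.split()
    if tokens[:2] != ["set", "connection"] or len(tokens) < 4 or len(tokens) % 2:
        raise ValueError(f"not a complete set connection command: {line!r}")
    params = {}
    for key, value in zip(tokens[2::2], tokens[3::2]):
        if key in COUNT_KEYWORDS:
            if not value.isdigit() or int(value) > MAX_LIMIT:
                raise ValueError(f"{key}: expected 0..{MAX_LIMIT}, got {value!r}")
            params[key] = int(value)
        elif key == "random-sequence-number":
            if value not in ("enable", "disable"):
                raise ValueError(f"{key}: expected enable|disable, got {value!r}")
            params[key] = value
        else:
            raise ValueError(f"unknown keyword {key!r}")
    return params


def merge_set_connection(lines: list) -> str:
    """Combine several set connection commands entered under one class into the
    single line the running configuration shows; a later value for the same
    keyword replaces the earlier one."""
    merged = {}
    for line in lines:
        merged.update(parse_set_connection(line))
    return "set connection " + " ".join(f"{k} {merged[k]}" for k in KEYWORD_ORDER if k in merged)


def worst_case_limit(configured: int, cores: int) -> int:
    """Worst case admitted by the per-core accounting: configured + (cores - 1).
    An unlimited (0) setting stays unlimited."""
    return 0 if configured == 0 else configured + (cores - 1)


def clients_over_embryonic_limit(half_open: list, per_client_max: int) -> dict:
    """Return clients whose half-open count has reached per-client-embryonic-max,
    the point at which the ASA starts proxying that client's further SYNs."""
    if per_client_max == 0:
        return {}
    counts = Counter(client for client, _server in half_open)
    return {client: n for client, n in counts.items() if n >= per_client_max}
```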
Examples

The following example uses the set connection command to configure the maximum number of simultaneous connections as 256 and to disable TCP sequence number randomization:

ciscoasa(config)# policy-map localpolicy1
ciscoasa(config-pmap)# class local_server
ciscoasa(config-pmap-c)# set connection conn-max 256 random-sequence-number disable
ciscoasa(config-pmap-c)#

You can enter this command with multiple parameters or you can enter each parameter as a separate command. The ASA combines the commands into one line in the running configuration. For example, if you entered the following two commands in class configuration mode:

ciscoasa(config-pmap-c)# set connection conn-max 600
ciscoasa(config-pmap-c)# set connection embryonic-conn-max 50

The output of the show running-config policy-map command would display the result of the two commands in a single, combined command:

set connection conn-max 600 embryonic-conn-max 50

Related Commands

Command                          Description
class                            Specifies a class map to use for traffic classification.
clear configure policy-map       Removes all policy-map configuration, except that if a policy map is in use in a service-policy command, that policy map is not removed.
policy-map                       Configures a policy; that is, an association of a traffic class and one or more actions.
show running-config policy-map   Displays all current policy-map configurations.
show service-policy              Displays service policy configuration. Use the set connection keyword to view policies that include the set connection command.

set connection advanced-options

To configure advanced connection settings, use the set connection advanced-options command in class configuration mode. To remove the options, use the no form of this command.
set connection advanced-options {tcp_mapname | tcp-state-bypass | sctp-state-bypass | flow-offload}
no set connection advanced-options {tcp_mapname | tcp-state-bypass | sctp-state-bypass | flow-offload}

Syntax Description

flow-offload        Identifies matching flows as eligible for off-loading from the ASA and switching directly in the NIC. This provides improved performance for large data flows in data centers. Flow off-load is available for the Firepower 9300 series running FXOS 1.1.3+, or the Firepower 4100 series running FXOS 1.1.4+. You must also enable flow off-loading before this option works. Use the flow-offload enable command.
sctp-state-bypass   Implements SCTP State Bypass to turn off SCTP stateful inspection. SCTP traffic is not validated for protocol conformance.
tcp_mapname         Name of a TCP map created by the tcp-map command. Use this option to customize TCP normalization.
tcp-state-bypass    Bypasses TCP state checking if you use asymmetrical routing in your network. See the Usage Guidelines section below for detailed information and guidelines for using TCP State Bypass.

Defaults

No default behavior or values. No options are enabled by default, although all TCP Normalizer options (within a TCP map) have default settings.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode               Firewall Mode            Security Context
                           Routed    Transparent    Single    Multiple
                                                              Context    System
Class configuration        • Yes     • Yes          • Yes     • Yes      —

Command History

Release    Modification
7.0(1)     This command was added.
8.2(1)     The tcp-state-bypass keyword was added.
9.5(2)     The sctp-state-bypass keyword was added.
9.5(2)     The flow-offload keyword was added. The option also requires Firepower eXtensible Operating System 1.1.3+, and is available for the Firepower 9300 series.
9.6(1)     Flow offload support was added for the Firepower 4100 series running FXOS 1.1.4+.

Usage Guidelines
To customize TCP normalization with a TCP map, use the Modular Policy Framework:

1. tcp-map—Identify the TCP normalization actions if you intend to modify them.
2. class-map—Identify the traffic on which you want to perform TCP normalization actions.
3. policy-map—Identify the actions associated with the class map.
   a. class—Identify the class map on which you want to perform actions.
   b. set connection advanced-options—Apply a TCP map or another option to the class map.
4. service-policy—Assign the policy map to an interface or globally.

TCP State Bypass: Allowing Outbound and Inbound Flows through Separate Devices

By default, all traffic that goes through the ASA is inspected using the Adaptive Security Algorithm and is either allowed through or dropped based on the security policy. The ASA maximizes the firewall performance by checking the state of each packet (is this a new connection or an established connection?) and assigning it to either the session management path (a new connection SYN packet), the fast path (an established connection), or the control plane path (advanced inspection).

TCP packets that match existing connections in the fast path can pass through the ASA without rechecking every aspect of the security policy. This feature maximizes performance. However, the method of establishing the session in the fast path using the SYN packet, and the checks that occur in the fast path (such as TCP sequence number), can stand in the way of asymmetrical routing solutions: both the outbound and inbound flow of a connection must pass through the same ASA.

For example, a new connection goes to ASA 1. The SYN packet goes through the session management path, and an entry for the connection is added to the fast path table. If subsequent packets of this connection go through ASA 1, then the packets will match the entry in the fast path, and are passed through.
But if subsequent packets go to ASA 2, where there was not a SYN packet that went through the session management path, then there is no entry in the fast path for the connection, and the packets are dropped. If you have asymmetric routing configured on upstream routers, and traffic alternates between two ASAs, then you can configure TCP state bypass for specific traffic. TCP state bypass alters the way sessions are established in the fast path and disables the fast path checks. This feature treats TCP traffic much as it treats a UDP connection: when a non-SYN packet matching the specified networks enters the ASA, and there is not a fast path entry, then the packet goes through the session management path to establish the connection in the fast path. Once in the fast path, the traffic bypasses the fast path checks.

Unsupported Features for TCP State Bypass

The following features are not supported when you use TCP state bypass:

• Application inspection—Application inspection requires both inbound and outbound traffic to go through the same ASA, so application inspection is not supported with TCP state bypass.
• AAA authenticated sessions—When a user authenticates with one ASA, traffic returning via the other ASA will be denied because the user did not authenticate with that ASA.
• TCP Intercept, maximum embryonic connection limit, TCP sequence number randomization—The ASA does not keep track of the state of the connection, so these features are not applied.
• TCP normalization—The TCP normalizer is disabled.
• SSM functionality—You cannot use TCP state bypass and any application running on an SSM, such as IPS or CSC.
NAT Guidelines for TCP State Bypass

Because the translation session is established separately for each ASA, be sure to configure static NAT on both ASAs for TCP state bypass traffic; if you use dynamic NAT, the address chosen for the session on ASA 1 will differ from the address chosen for the session on ASA 2.

Connection Timeout Guidelines

If there is no traffic on a given connection for 2 minutes, the connection times out. You can override this default using the set connection timeout tcp command. Normal TCP connections time out by default after 60 minutes.

Examples

The following example shows the use of the set connection advanced-options command to specify the use of a TCP map named localmap:

ciscoasa(config)# access-list http-server permit tcp any host 10.1.1.1
ciscoasa(config)# class-map http-server
ciscoasa(config-cmap)# match access-list http-server
ciscoasa(config-cmap)# exit
ciscoasa(config)# tcp-map localmap
ciscoasa(config)# policy-map global_policy global
ciscoasa(config-pmap)# description This policy map defines a policy concerning connection to http server.
ciscoasa(config-pmap)# class http-server
ciscoasa(config-pmap-c)# set connection advanced-options localmap
ciscoasa(config-pmap-c)#

The following is an example configuration for TCP state bypass:

ciscoasa(config)# access-list tcp_bypass extended permit tcp 10.1.1.0 255.255.255.224 any
ciscoasa(config)# class-map tcp_bypass
ciscoasa(config-cmap)# description "TCP traffic that bypasses stateful firewall"
ciscoasa(config-cmap)# match access-list tcp_bypass
ciscoasa(config-cmap)# policy-map tcp_bypass_policy
ciscoasa(config-pmap)# class tcp_bypass
ciscoasa(config-pmap-c)# set connection advanced-options tcp-state-bypass
ciscoasa(config-pmap-c)# service-policy tcp_bypass_policy outside

The following is an example configuration for SCTP state bypass:

ciscoasa(config)# access-list sctp_bypass extended permit sctp 10.1.1.0 255.255.255.224 any
ciscoasa(config)# class-map sctp_bypass
ciscoasa(config-cmap)# description "SCTP traffic that bypasses stateful inspection"
ciscoasa(config-cmap)# match access-list sctp_bypass
ciscoasa(config-cmap)# policy-map sctp_bypass_policy
ciscoasa(config-pmap)# class sctp_bypass
ciscoasa(config-pmap-c)# set connection advanced-options sctp-state-bypass
ciscoasa(config-pmap-c)# service-policy sctp_bypass_policy outside

Related Commands

Command                          Description
class                            Identifies a class map in the policy map.
class-map                        Creates a class map for use in a service policy.
flow-offload                     Enables flow offload.
policy-map                       Configures a policy map that associates a class map and one or more actions.
service-policy                   Assigns a policy map to an interface.
set connection timeout           Sets the connection timeouts.
show running-config policy-map   Displays all current policy-map configurations.
tcp-map                          Creates a TCP map.
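The fast-path behaviour behind the TCP state bypass discussion above, as an added example that is not Cisco's code: two modelled ASAs see the two directions of one connection (asymmetric routing). Without tcp-state-bypass, a non-SYN packet arriving at the ASA that never saw the SYN has no fast-path entry and is dropped; with bypass applied to the 10.1.1.0/27 network from the tcp_bypass access list above, the packet builds the entry instead, as a UDP connection would. The packets, addresses and path are constructed sample data, and "syn" here means the initial SYN that creates the session.

```python
"""Added example, not Cisco's code: a two-ASA model of the fast path with and
without TCP state bypass. All packets and addresses are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False          # True only for the session-creating SYN


@dataclass
class ASA:
    name: str
    bypass_networks: list = field(default_factory=list)   # from the tcp_bypass ACL
    fast_path: set = field(default_factory=set)           # established connections
    dropped: list = field(default_factory=list)

    @staticmethod
    def _key(p: Packet):
        # One connection entry serves both directions of the flow.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def _bypass_applies(self, p: Packet) -> bool:
        return any(ip_address(p.src) in net or ip_address(p.dst) in net
                   for net in self.bypass_networks)

    def forward(self, p: Packet) -> bool:
        key = self._key(p)
        if key in self.fast_path:
            return True                       # established: fast path
        if p.syn or self._bypass_applies(p):
            # A SYN takes the session management path and creates the entry;
            # with state bypass a non-SYN packet does the same, without the handshake.
            self.fast_path.add(key)
            return True
        self.dropped.append(p)                # no SYN seen here, no entry: dropped
        return False


def run_asymmetric(bypass: bool) -> list:
    """Client-to-server packets traverse ASA1, server-to-client packets ASA2.
    Returns whether each packet in the constructed exchange was forwarded."""
    nets = [ip_network("10.1.1.0/27")] if bypass else []   # 10.1.1.0 255.255.255.224
    asa1, asa2 = ASA("ASA1", list(nets)), ASA("ASA2", list(nets))
    client, server = "10.1.1.5", "198.51.100.7"
    exchange = [
        (asa1, Packet(client, server, 40000, 80, syn=True)),
        (asa2, Packet(server, client, 80, 40000)),    # reply returns via ASA2
        (asa1, Packet(client, server, 40000, 80)),
        (asa2, Packet(server, client, 80, 40000)),
    ]
    return [asa.forward(p) for asa, p in exchange]
```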
set connection decrement-ttl

To decrement the time to live value within a policy map for a traffic class, use the set connection decrement-ttl command in class configuration mode. To not decrement the time to live, use the no form of this command.

set connection decrement-ttl
no set connection decrement-ttl

Syntax Description

This command has no arguments or keywords.

Defaults

By default, the ASA does not decrement the time to live.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode               Firewall Mode            Security Context
                           Routed    Transparent    Single    Multiple
                                                              Context    System
Class configuration        • Yes     • Yes          • Yes     • Yes      —

Command History

Release    Modification
7.2(2)     This command was added.

Usage Guidelines

This command, along with the icmp unreachable command, is required to allow a traceroute through the ASA that shows the ASA as one of the hops. If you decrement time to live, packets with a TTL of 1 will be dropped, but a connection will be opened for the session on the assumption that the connection might contain packets with a greater TTL. Note that some packets, such as OSPF hello packets, are sent with TTL = 1, so decrementing time to live can have unexpected consequences.

Examples

The following example enables time to live decrements and sets the ICMP unreachable rate limit:

ciscoasa(config)# policy-map localpolicy1
ciscoasa(config-pmap)# class local_server
ciscoasa(config-pmap-c)# set connection decrement-ttl
ciscoasa(config-pmap-c)# exit
ciscoasa(config)# icmp unreachable rate-limit 50 burst-size 6

Related Commands

Command            Description
class              Specifies a class map to use for traffic classification.
icmp unreachable   Controls the rate at which ICMP unreachables are allowed through the ASA.
policy-map         Configures a policy; that is, an association of a traffic class and one or more actions.
show running-config policy-map   Displays all current policy-map configurations.
show service-policy              Displays service policy configuration.

set connection timeout

To specify connection timeouts within a policy map for a traffic class, use the set connection timeout command in class configuration mode. To remove the timeout, use the no form of this command.

set connection timeout {[embryonic hh:mm:ss] [idle hh:mm:ss [reset]] [half-closed hh:mm:ss] [dcd [retry_interval [max_retries]]]}
no set connection timeout {[embryonic hh:mm:ss] [idle hh:mm:ss [reset]] [half-closed hh:mm:ss] [dcd [retry_interval [max_retries]]]}

Syntax Description

dcd                   Enables dead connection detection (DCD). DCD detects a dead connection and allows it to expire, without expiring connections that can still handle traffic. You configure DCD when you want idle, but valid, connections to persist. After a TCP connection times out, the ASA sends DCD probes to the end hosts to determine the validity of the connection. If one of the end hosts fails to respond after the maximum retries are exhausted, the ASA frees the connection. If both end hosts respond that the connection is valid, the ASA updates the activity timeout to the current time and reschedules the idle timeout accordingly.
embryonic hh:mm:ss    Sets the timeout period until a TCP embryonic (half-open) connection is closed, between 0:0:5 and 1193:0:0. The default is 0:0:30. You can also set the value to 0, which means the connection never times out. A TCP connection for which a three-way handshake is not complete is an embryonic connection.
half-closed hh:mm:ss  Sets the idle timeout period until a half-closed connection is closed, between 0:5:0 (for 9.1(1) and earlier) or 0:0:30 (for 9.1(2) and later) and 1193:0:0. The default is 0:10:0. You can also set the value to 0, which means the connection never times out. Half-closed connections are not affected by DCD.
                      Also, the ASA does not send a reset when taking down half-closed connections.
idle hh:mm:ss         Sets the idle timeout period after which an established connection of any protocol closes. The valid range is from 0:0:1 to 1193:0:0.
max_retries           Sets the number of consecutive failed retries for DCD before declaring the connection as dead. The minimum value is 1 and the maximum value is 255. The default is 5.
reset                 For TCP traffic only, sends a TCP RST packet to both end systems after idle connections are removed.
retry_interval        Time duration in hh:mm:ss format to wait after each unresponsive DCD probe before sending another probe, between 0:0:1 and 24:0:0. The default is 0:0:15.

Defaults

Unless you change the default globally using the timeout command, the defaults are:

• The default embryonic timeout is 30 seconds.
• The default half-closed idle timeout is 10 minutes.
• The default dcd max_retries value is 5.
• The default dcd retry_interval value is 15 seconds.
• The default idle timeout is 1 hour.
• The default udp idle timeout is 2 minutes.
• The default icmp idle timeout is 2 seconds.
• The default esp and ha idle timeout is 30 seconds.
• For all other protocols, the default idle timeout is 2 minutes.
• To never time out, enter 0:0:0.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode               Firewall Mode            Security Context
                           Routed    Transparent    Single    Multiple
                                                              Context    System
Class configuration        • Yes     • Yes          • Yes     • Yes      —

Command History

Release    Modification
7.0(1)     This command was added.
7.2(1)     Support for DCD was added.
8.2(2)     The tcp keyword was deprecated in favor of the idle keyword, which controls the idle timeout for all protocols.
9.1(2)     The minimum half-closed value was lowered to 30 seconds (0:0:30).

Usage Guidelines

Configure this command using Modular Policy Framework. First define the traffic to which you want to apply the timeout using the class-map command.
Then enter the policy-map command to define the policy, and enter the class command to reference the class map. In class configuration mode, you can enter the set connection timeout command. Finally, apply the policy map to an interface using the service-policy command. For more information about how Modular Policy Framework works, see the CLI configuration guide.

The show service-policy command includes counters to show the amount of activity from DCD.

Examples

The following example sets the connection timeouts for all traffic:

ciscoasa(config)# class-map CONNS
ciscoasa(config-cmap)# match any
ciscoasa(config-cmap)# policy-map CONNS
ciscoasa(config-pmap)# class CONNS
ciscoasa(config-pmap-c)# set connection timeout idle 2:0:0 embryonic 0:40:0 half-closed 0:20:0 dcd
ciscoasa(config-pmap-c)# service-policy CONNS interface outside

You can enter set connection commands with multiple parameters, or you can enter each parameter as a separate command. The ASA combines the commands into one line in the running configuration. For example, if you entered the following two commands in class configuration mode:

ciscoasa(config-pmap-c)# set connection timeout idle 2:0:0
ciscoasa(config-pmap-c)# set connection timeout embryonic 0:40:0

Then the output of the show running-config policy-map command would display the result of the two commands in the following single, combined command:

set connection timeout idle 2:0:0 embryonic 0:40:0

Related Commands

Command                          Description
class                            Specifies a class map to use for traffic classification.
clear configure policy-map       Removes all policy-map configuration, except that if a policy map is in use in a service-policy command, that policy map is not removed.
policy-map                       Configures a policy; that is, an association of a traffic class and one or more actions.
set connection                   Configures connection values.
show running-config policy-map   Displays all current policy-map configurations.
show service-policy              Displays counters for DCD and other service activity.

set default interface

The set interface command, when used with the default option, means that the first attempt to route the matching traffic is made through the normal route lookup, by looking for an explicit route. Only when the normal route lookup fails does PBR forward the traffic using the interface specified. Both the ‘default’-triggered lookup and the interface-option-triggered lookup depend on the presence of an explicit route to the destination: as long as such a route exists, the ‘default’ lookup succeeds. When the ‘default’ lookup fails, there is no explicit route to the destination, so the interface action cannot be applied. When “set default interface” is configured, only ‘Null0’ can be configured as the interface. When this option is configured, if the normal route lookup does not yield an explicit route (a non-default route) to the destination, the traffic is dropped.

set default interface Null0
no set default interface Null0

Syntax Description

interface    Interface to which packets are forwarded.

Defaults

There is no default for this command; the Null0 interface has to be specified as the set action.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode               Firewall Mode            Security Context
                           Routed    Transparent    Single    Multiple
                                                              Context    System
Route-map configuration    • Yes     —              • Yes     • Yes      —

Command History

Release    Modification
9.4(1)     This command was added.

Usage Guidelines

Use this command to provide certain users a different default route. If the Cisco ASA has no explicit route for the destination, then it routes the packet to this interface. The first interface specified with the set default interface command that is up is used. The optionally specified interfaces are tried in turn.
Use the ip policy route-map interface configuration command, the route-map global configuration command, and the match and set route-map configuration commands to define the conditions for policy routing packets. The ip policy route-map command identifies a route map by name. Each route-map command has a list of match and set commands associated with it. The match commands specify the match criteria—the conditions under which policy routing occurs. The set commands specify the set actions—the particular routing actions to perform if the criteria enforced by the match commands are met. In PBR for IPv6, use the ipv6 policy route-map or ipv6 local policy route-map command with match and set route-map configuration commands to define conditions for policy routing packets.

The set clauses can be used in conjunction with one another. They are evaluated in the following order:

1. set ip next-hop
2. set interface
3. set ip default next-hop
4. set default interface

Examples

(config)# route-map testmap
(config-route-map)# set default interface Null0
(config)# show run route-map
!
route-map testmap permit 10
 set default interface Null0
!
(config)# show route-map testmap
route-map testmap, permit, sequence 10
  Match clauses:
  Set clauses:
    default interface Null0

set dscp

The set dscp command is used to set the QoS bits in the matching IP packets.

set ip dscp {0-63 | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | default | ef}
no set ip dscp
set ipv6 dscp {0-63 | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | default | ef}
no set ipv6 dscp

Syntax Description

0-63       Numeric range of the DSCP value.
af         Assured forwarding class.
ef         Expedited forwarding.
default
cs

Defaults

The DSCP value in the ToS byte is not set.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode               Firewall Mode            Security Context
                           Routed    Transparent    Single    Multiple
                                                              Context    System
Route-map configuration    • Yes     —              • Yes     • Yes      —

Command History

Release    Modification
9.4(1)     This command was added.

Usage Guidelines

Once the DSCP bit is set, other quality of service (QoS) features can then operate on the bit settings.

DSCP and Precedence Values Are Mutually Exclusive

The set dscp command cannot be used with the set precedence command to mark the same packet. The two values, DSCP and precedence, are mutually exclusive. A packet can have one value or the other, but not both.

Precedence Value and Queuing

The network gives priority (or some type of expedited handling) to marked traffic. Typically, you set the precedence value at the edge of the network (or administrative domain); data then is queued according to the precedence. Weighted fair queueing (WFQ) can speed up handling for high-precedence traffic at congestion points. Weighted Random Early Detection (WRED) ensures that high-precedence traffic has lower loss rates than other traffic during times of congestion.

Use of the “from-field” Packet-marking Category

If you are using this command as part of the Enhanced Packet Marking feature, it can specify the “from-field” packet-marking category to be used for mapping and setting the DSCP value. The “from-field” packet-marking categories are as follows:

• Class of service (CoS)
• QoS group

If you specify a “from-field” category but do not specify the table keyword and the applicable table-map-name argument, the default action will be to copy the value associated with the “from-field” category as the DSCP value.
For instance, if you configure the set dscp cos command, the CoS value will be copied and used as the DSCP value.

Note
The CoS field is a three-bit field, and the DSCP field is a six-bit field. If you configure the set dscp cos command, only the three bits of the CoS field will be used.

If you configure the set dscp qos-group command, the QoS group value will be copied and used as the DSCP value. The valid value range for the DSCP is a number from 0 to 63. The valid value range for the QoS group is a number from 0 to 99. Therefore, when configuring the set dscp qos-group command, note the following points:
• If a QoS group value falls within both value ranges (for example, 44), the packet-marking value will be copied and the packets will be marked.
• If the QoS group value exceeds the DSCP range (for example, 77), the packet-marking value will not be copied and the packet will not be marked. No action is taken.

Set DSCP Values in IPv6 Environments
When this command is used in IPv6 environments, the default match occurs on both IP and IPv6 packets. However, the actual packets set by this function are only those that meet the match criteria of the class map containing this function.

Set DSCP Values for IPv6 Packets Only
To set DSCP values for IPv6 packets only, you must also use the match protocol ipv6 command. Without that command, the precedence match defaults to match both IPv4 and IPv6 packets.

Set DSCP Values for IPv4 Packets Only
To set DSCP values for IPv4 packets only, you must use the appropriate match ip command. Without this command, the class map may match both IPv6 and IPv4 packets, depending on the other match criteria, and the DSCP values may act upon both types of packets.

Examples
(config)# route-map testmapv4
(config-route-map)# set ip dscp af22
(config)# show run route-map
!
route-map testmapv4 permit 10
 set ip dscp af22
!
(config)# show route-map testmapv4
route-map testmapv4, permit, sequence 10
  Match clauses:
  Set clauses:
    ip dscp af22

(config)# route-map testmapv6
(config-route-map)# set ipv6 dscp cs6
(config)# show run route-map
!
route-map testmapv6 permit 10
 set ipv6 dscp cs6
!
(config)# show route-map testmapv6
route-map testmapv6, permit, sequence 10
  Match clauses:
  Set clauses:
    ipv6 dscp cs6

set interface
The set interface command is used to configure the interface through which the matching traffic has to be forwarded. Multiple interfaces can be configured, in which case they are evaluated in the specified order until a valid, up and running interface to forward the packets is found. When the interface name is specified as ‘Null0’, all traffic matching the route map will be dropped.

set interface interface [... interface]
no set interface interface [... interface]

Syntax Description
interface   Interface to which packets are forwarded.

Defaults
No command defaults.

Command Modes
The following table shows the modes in which you can enter the command:

                          Firewall Mode            Security Context
                                                            Multiple
Command Mode              Routed   Transparent    Single   Context   System
Route-map configuration   • Yes    —              • Yes    • Yes     —

Command History
Release   Modification
9.4(1)    This command was added.

Usage Guidelines
Use the ip policy route-map interface configuration command, the route-map global configuration command, and the match and set route-map configuration commands to define the conditions for policy-routing packets. The ip policy route-map command identifies a route map by name. Each route-map command has a list of match and set commands associated with it. The match commands specify the match criteria—the conditions under which policy routing occurs. The set commands specify the set actions—the particular routing actions to perform if the criteria enforced by the match commands are met.
In PBR for IPv6, use the ipv6 policy route-map or ipv6 local policy route-map command with match and set route-map configuration commands to define conditions for policy-routing packets.

If the first interface specified with the set interface command is down, the optionally specified interfaces are tried in turn.

The set clauses can be used in conjunction with one another. They are evaluated in the following order:

1. set ip next-hop
2. set interface
3. set ip default next-hop
4. set default interface

A useful next hop implies an interface. As soon as a next hop and an interface are found, the packet is routed.

Examples
ciscoasa(config)# route-map testmap
ciscoasa(config-route-map)# set interface outside
ciscoasa(config)# show run route-map
!
route-map testmap permit 10
 set interface outside
!
ciscoasa(config)# show route-map testmap
route-map testmap, permit, sequence 10
  Match clauses:
  Set clauses:
    interface outside

set ip df
The set ip df command is used to set the DF (do-not-fragment) bit in the matching IP packets.

set ip df {0 | 1}
no set ip df

Syntax Description
0   Sets the DF bit to 0 (clears the DF bit), which allows packet fragmentation.
1   Sets the DF bit to 1, which prohibits packet fragmentation.

Defaults
There is no default for this command; either 0 or 1 has to be specified as the DF bit in the set action.

Command Modes
The following table shows the modes in which you can enter the command:

                          Firewall Mode            Security Context
                                                            Multiple
Command Mode              Routed   Transparent    Single   Context   System
Route-map configuration   • Yes    —              • Yes    • Yes     —

Command History
Release   Modification
9.4(1)    This command was added.

Usage Guidelines
Using Path MTU Discovery (PMTUD) you can determine an MTU value for IP packets that avoids fragmentation. If ICMP messages are blocked by a router, the path MTU is broken and packets with the DF bit set are discarded.
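As an added illustration of the two packet-marking set clauses (this code is not from the command reference and not Cisco's), the following Python resolves the symbolic DSCP code points listed under set dscp into their six-bit values, applies the qos-group copy rule described there (a group value above 63 leaves the packet unmarked), and applies set ip df 0 or 1 to a raw IPv4 header, recomputing the header checksum and flagging the IP-identification-zero case this section describes. The header layout, the sample packet and the function names are the example's own; the DSCP numbers are the standard RFC 2474/2597/3246 values.

```python
import struct

# Symbolic DSCP code points accepted by "set ip dscp" / "set ipv6 dscp",
# resolved to their standard 6-bit values (AFxy = 8x + 2y, CSn = 8n, EF = 46).
DSCP_NAMES = {"default": 0, "ef": 46}
for _cls in range(1, 5):
    for _drop in range(1, 4):
        DSCP_NAMES[f"af{_cls}{_drop}"] = 8 * _cls + 2 * _drop
for _cs in range(1, 8):
    DSCP_NAMES[f"cs{_cs}"] = 8 * _cs


def dscp_value(token):
    """Resolve a numeric (0-63) or symbolic DSCP token to its 6-bit value."""
    tok = str(token).lower()
    if tok in DSCP_NAMES:
        return DSCP_NAMES[tok]
    value = int(tok)
    if not 0 <= value <= 63:
        raise ValueError(f"DSCP value out of range: {value}")
    return value


def set_dscp(tos, token):
    """Rewrite the six DSCP bits of a ToS / Traffic Class byte, keeping the two ECN bits."""
    return (dscp_value(token) << 2) | (tos & 0x03)


def precedence_of(tos):
    """IP precedence is the top three bits of the same byte: writing DSCP always
    overwrites precedence, which is why the two markings are mutually exclusive."""
    return tos >> 5


def dscp_from_qos_group(tos, qos_group):
    """'set dscp qos-group' rule: a QoS group (0-99) is copied into DSCP only when it
    also fits the DSCP range (0-63); otherwise no action is taken."""
    if not 0 <= qos_group <= 99:
        raise ValueError("QoS group must be 0-99")
    if qos_group > 63:
        return tos
    return set_dscp(tos, qos_group)


# Minimal IPv4 header (no options): version/IHL, ToS, total length, identification,
# flags+fragment offset, TTL, protocol, header checksum, source, destination.
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")
DF_FLAG = 0x4000  # "don't fragment" bit inside the flags/fragment-offset word


def ipv4_checksum(header):
    """RFC 791 one's-complement checksum; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def set_df(packet, bit):
    """Apply 'set ip df 0|1' to a raw IPv4 packet and recompute the header checksum.
    Returns (new_packet, warning); the warning flags the IP-ID-zero case from the usage
    guidelines, where a later fragmentation could not be reassembled by the receiver."""
    fields = list(IPV4_HDR.unpack(packet[:IPV4_HDR.size]))
    ident, flags_frag = fields[3], fields[4]
    warning = None
    if bit:
        flags_frag |= DF_FLAG
    else:
        if flags_frag & DF_FLAG and ident == 0:
            warning = "DF cleared on a packet with IP identification 0; fragments may not reassemble"
        flags_frag &= ~DF_FLAG
    fields[4] = flags_frag
    fields[7] = 0  # the checksum field must be zero while the checksum is computed
    fields[7] = ipv4_checksum(IPV4_HDR.pack(*fields))
    return IPV4_HDR.pack(*fields) + packet[IPV4_HDR.size:], warning


def df_is_set(packet):
    return bool(IPV4_HDR.unpack(packet[:IPV4_HDR.size])[4] & DF_FLAG)


# Constructed sample (not a capture): IPv4 header with total length 60, DF set and
# identification 0, as some Linux senders emit; set_df() fills in a valid checksum.
SAMPLE_PACKET, _ = set_df(
    IPV4_HDR.pack(0x45, 0x00, 60, 0, DF_FLAG, 64, 6, 0, bytes([10, 1, 1, 1]), bytes([10, 2, 2, 2])),
    1,
)

if __name__ == "__main__":
    print(f"af22 -> {dscp_value('af22')}, cs6 -> {dscp_value('cs6')}")
    cleared, warning = set_df(SAMPLE_PACKET, 0)
    print(f"DF set: {df_is_set(cleared)}, checksum valid: {ipv4_checksum(cleared[:20]) == 0}")
    print(f"warning: {warning}")
```

The warning path is the practical point: a route map that clears DF to work around a PMTUD black hole should be scoped with an access list to the flows that need it, because senders that put 0 in the identification field give the receiver nothing to reassemble fragments with.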
Use the set ip df command to clear the DF bit and allow the packet to be fragmented and sent. Fragmentation can slow the speed of packet forwarding on the network, but access lists can be used to limit the number of packets on which the DF bit will be cleared.

Note
Some IP transmitters (notably some versions of Linux) may set the identification field in the IP header (IPid) to zero when the DF bit is set. If the router should clear the DF bit on such a packet and if that packet should subsequently be fragmented, then the IP receiver will probably be unable to correctly reassemble the original IP packet.

Examples
(config)# route-map testmap
(config-route-map)# set ip df 1
(config)# show run route-map
!
route-map testmap permit 10
 set ip df 1
!
(config)# show route-map testmap
route-map testmap, permit, sequence 10
  Match clauses:
  Set clauses:
    ip df 1

set ip default next-hop
The set ip next-hop command, when used with the default option, implies that the first attempt to route the matching traffic has to be done through normal route lookup by looking for an explicit route. Only when normal route lookup fails will Policy Based Routing (PBR) forward the traffic using the specified next-hop IP address.

set ip default next-hop ip-address [... ip-address]
no set ip default next-hop ip-address [... ip-address]
set ipv6 default next-hop ipv6-address [... ipv6-address]
no set ipv6 default next-hop ipv6-address [... ipv6-address]

Syntax Description
ip-address     IP address of the next hop to which packets are output. It need not be an adjacent router.
ipv6-address   IPv6 address of the next hop to which packets are output. It need not be an adjacent router.

Defaults
This command is disabled by default, and at least one next-hop IP address has to be specified for the set action.
Command Modes
The following table shows the modes in which you can enter the command:

                          Firewall Mode            Security Context
                                                            Multiple
Command Mode              Routed   Transparent    Single   Context   System
Route-map configuration   • Yes    —              • Yes    • Yes     —

Command History
Release   Modification
9.4(1)    This command was added.

Usage Guidelines
Use this command to provide certain users a different default route. If the software has no explicit route for the destination in the packet, then it routes the packet to this next hop. The first next hop specified with the set ip default next-hop command needs to be adjacent to the router. The optionally specified IP addresses are tried in turn.

Use the ip policy route-map interface configuration command, the route-map global configuration command, and the match and set route-map configuration commands to define the conditions for policy routing packets. The ip policy route-map command identifies a route map by name. Each route-map command has a list of match and set commands associated with it. The match commands specify the match criteria—the conditions under which policy routing occurs. The set commands specify the set actions—the particular routing actions to perform if the criteria enforced by the match commands are met.

If the first next hop specified with the set next-hop command is down, the optionally specified IP addresses are tried in turn.

The set clauses can be used in conjunction with one another. They are evaluated in the following order:

1. set next-hop
2. set interface
3. set default next-hop
4. set default interface

Note
The set ip next-hop and set ip default next-hop are similar commands but have a different order of operations. Configuring the set ip next-hop command causes the system to use policy routing first and then use the routing table.
Configuring the set ip default next-hop command causes the system to use the routing table first and then policy route to the specified next hop.

Examples
(config)# route-map testmapv4
(config-route-map)# set ip default next-hop 1.1.1.1
(config)# show run route-map
!
route-map testmapv4 permit 10
 set ip default next-hop 1.1.1.1
!
(config)# show route-map testmapv4
route-map testmapv4, permit, sequence 10
  Match clauses:
  Set clauses:
    ip default next-hop 1.1.1.1

(config)# route-map testmapv6
(config-route-map)# set ipv6 default next-hop 2001::1
(config)# show run route-map
!
route-map testmapv6 permit 10
 set ipv6 default next-hop 2001::1
!
(config)# show route-map testmapv6
route-map testmapv6, permit, sequence 10
  Match clauses:
  Set clauses:
    ipv6 default next-hop 2001::1

set ip next-hop
To indicate where to output packets that pass a match clause of a route map for policy routing, use the set ip next-hop command in route-map configuration mode. To delete an entry, use the no form of this command.

set ip next-hop ip-address [... ip-address] [peer-address]
no set ip next-hop ip-address [... ip-address] [peer-address]
set ipv6 next-hop

Syntax Description
ip-address     IP address of the next hop to which packets are output. It need not be an adjacent router.
peer-address   (Optional) Sets the next hop to be the BGP peering address.

Defaults
This command is disabled by default.

Command Modes
The following table shows the modes in which you can enter the command:

                          Firewall Mode            Security Context
                                                            Multiple
Command Mode              Routed   Transparent    Single   Context   System
Route-map configuration   • Yes    —              • Yes    • Yes     —

Command History
Release   Modification
9.2(1)    This command was added.

Usage Guidelines
An ellipsis (...) in the command syntax indicates that your command input can include multiple values for the ip-address argument.
Use the ip policy route-map interface configuration command, the route-map global configuration command, and the match and set route-map configuration commands to define the conditions for policy routing packets. The ip policy route-map command identifies a route map by name. Each route-map command has a list of match and set commands associated with it. The match commands specify the match criteria—the conditions under which policy routing occurs. The set commands specify the set actions—the particular routing actions to perform if the criteria enforced by the match commands are met.

If the first next hop specified with the set next-hop command is down, the optionally specified IP addresses are tried in turn.

When the set next-hop command is used with the peer-address keyword in an inbound route map of a BGP peer, the next hop of the received matching routes will be set to be the neighbor peering address, overriding any third-party next hops. So the same route map can be applied to multiple BGP peers to override third-party next hops.

When the set next-hop command is used with the peer-address keyword in an outbound route map of a BGP peer, the next hop of the advertised matching routes will be set to be the peering address of the local router, thus disabling the next hop calculation. The set next-hop command has finer granularity than the (per-neighbor) neighbor next-hop-self command, because you can set the next hop for some routes, but not others. The neighbor next-hop-self command sets the next hop for all routes sent to that neighbor.

The set clauses can be used in conjunction with one another. They are evaluated in the following order:

1. set next-hop
2. set interface
3. set default next-hop
4. set default interface

Note
To avoid a common configuration error for reflected routes, do not use the set next-hop command in a route map to be applied to BGP route reflector clients.
Examples
In the following example, three routers are on the same LAN (with IP addresses 10.1.1.1, 10.1.1.2, and 10.1.1.3). Each is in a different autonomous system. The set ip next-hop peer-address command specifies that traffic from the router (10.1.1.3) in remote autonomous system 300 for the router (10.1.1.1) in remote autonomous system 100 that matches the route map is passed through the router bgp 200, rather than sent directly to the router (10.1.1.1) in autonomous system 100 over their mutual connection to the LAN.

ciscoasa(config)# router bgp 200
ciscoasa(config-router)# address-family ipv4
ciscoasa(config-router-af)# neighbor 10.1.1.3 remote-as 300
ciscoasa(config-router-af)# neighbor 10.1.1.3 route-map set-peer-address out
ciscoasa(config-router-af)# neighbor 10.1.1.1 remote-as 100
ciscoasa(config-router-af)# route-map set-peer-address permit 10
ciscoasa(config-route-map)# set ip next-hop peer-address

set ip next-hop recursive
Both set ip next-hop and set ip default next-hop require that the next hop be found on a directly connected subnet. With set ip next-hop recursive, the next-hop address does not need to be directly connected. Instead, a recursive lookup is performed on the next-hop address, and matching traffic is forwarded to the next hop used by that route entry according to the routing path in use on the router. Recursive next-hop lookup is not applicable for IPv6 or when the default keyword is specified.

set ip next-hop recursive [ipv4-address]
no set ip next-hop recursive [ipv4-address]

Syntax Description
ipv4-address   IP address of the next hop to which packets are output. It need not be an adjacent router.

Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:

                          Firewall Mode            Security Context
                                                            Multiple
Command Mode              Routed   Transparent    Single   Context   System
Route-map configuration   • Yes    —              • Yes    • Yes     —

Command History
Release   Modification
9.4(1)    This command was added.

Usage Guidelines
Use the ip policy route-map interface configuration command, the route-map global configuration command, and the match and set route-map configuration commands to define the conditions for policy routing packets. The ip policy route-map command identifies a route map by name. Each route-map command has a list of match and set commands associated with it. The match commands specify the match criteria—the conditions under which policy routing occurs. The set commands specify the set actions—the particular routing actions to perform if the criteria enforced by the match commands are met.

If the interface associated with the first next hop specified with the set ip next-hop command is down, the optionally specified IP addresses are tried in turn.

The set clauses can be used in conjunction with one another. They are evaluated in the following order:

1. set ip next-hop
2. set interface
3. set ip default next-hop
4. set default interface

Note
The set ip next-hop and set ip default next-hop are similar commands but have a different order of operations. Configuring the set ip next-hop command causes the system to use policy routing first and then use the routing table. Configuring the set ip default next-hop command causes the system to use the routing table first and then policy route to the specified next hop.

Examples
(config)# route-map testmapv4
(config-route-map)# set ip next-hop recursive 1.1.1.1
(config)# show run route-map
!
route-map testmapv4 permit 10
 set ip next-hop recursive 1.1.1.1
!
(config)# show route-map testmapv4
route-map testmapv4, permit, sequence 10
  Match clauses:
  Set clauses:
    ip next-hop recursive 1.1.1.1

set ip next-hop verify-availability
The set ip next-hop verify-availability command can be configured with an SLA monitor tracking object to verify the reachability of the next hop. To verify the availability of multiple next hops, multiple set ip next-hop verify-availability commands can be configured with different sequence numbers and different tracking objects.

set ip next-hop verify-availability [sequence-number] track [tracked-object-number]
no set ip next-hop verify-availability [sequence-number] track [tracked-object-number]

Syntax Description
sequence-number         Sequence of next hops. The acceptable range is from 1 to 65535.
track                   The tracking method is track.
tracked-object-number   Object number that the tracking subsystem is tracking. The acceptable range is from 1 to 500.

Defaults
No command defaults.

Command Modes
The following table shows the modes in which you can enter the command:

                          Firewall Mode            Security Context
                                                            Multiple
Command Mode              Routed   Transparent    Single   Context   System
Route-map configuration   • Yes    —              • Yes    —         —

Command History
Release   Modification
9.4(1)    This command was added.

Usage Guidelines
The set ip next-hop verify-availability command can be used in the following two ways:
• With policy-based routing (PBR) to verify next hop reachability using Cisco Discovery Protocol (CDP).
• With optional arguments to support object tracking using Internet Control Message Protocol (ICMP) ping or an HTTP GET request to verify if a remote device is reachable.

Using CDP Verification
This command is used to verify that the next hop is reachable before the router tries to policy route to it. This command has the following characteristics:
• It causes some performance degradation.
• CDP must be configured on the interface.
• The next hop must be a Cisco device with CDP enabled.
• It is supported in process switching and Cisco Express Forwarding (CEF) policy routing, but is not available in distributed CEF (dCEF) because of the dependency on the CDP neighbor database.

If the router is policy routing packets to the next hop and the next hop is down, the router will try unsuccessfully to use Address Resolution Protocol (ARP) for the next hop (which is down). This behavior will continue indefinitely. To prevent this situation from occurring, use the set ip next-hop verify-availability command to configure the router to verify that the next hop of the route map is a CDP neighbor before routing to that next hop.

This command is optional because some media or encapsulations do not support CDP, or it may not be a Cisco device that is sending traffic to the router. If this command is set and the next hop is not a CDP neighbor, then the router looks to the subsequent next hop, if there is one. If there is no next hop, the packets are not policy routed. If this command is not set, the packets are either successfully policy routed or remain forever unrouted.

If you want to selectively verify availability of only some next hops, you can configure different route map entries (under the same route map name) with different criteria (using access list matching or packet size matching), and then use the set ip next-hop verify-availability command selectively.

Using Object Tracking
With optional arguments to support object tracking, this command allows PBR to make decisions based on the following criteria:
• ICMP ping reachability to a remote device.
• Application running on a remote device (for example, the device responds to an HTTP GET request).
• A route exists in the Routing Information Base (RIB) (for example, policy route only if 10.2.2.0/24 is in the RIB).
• Interface state (for example, packets received on E0 should be policy routed out E1 only if E2 is down).
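Added example (not the command reference's text and not Cisco's code) modelling how the forwarding set clauses of set interface, set ip next-hop, set ip default next-hop and set ip next-hop verify-availability are evaluated: in the documented order, with tracked next hops tried first and skipped while their track object reports the target down, Null0 discarding the packet, and the two "default" clauses consulted only after a normal route lookup finds no explicit route. DeviceState, SetClauses and the decision to treat a 0.0.0.0/0 route as not explicit are assumptions of this model, not behaviour stated on this page; the device state and destinations are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

NULL0 = "Null0"


@dataclass
class DeviceState:
    """Constructed stand-in for what the device consults at forwarding time (not an ASA API)."""
    interfaces_up: set   # interface names that are up
    tracks_up: set       # SLA track object numbers currently reporting the target reachable
    connected: dict      # next-hop address -> interface on which that hop is directly connected
    rib: dict            # prefix -> (next_hop, interface) for routes learned by normal routing


@dataclass
class SetClauses:
    """The forwarding set clauses of one route-map entry."""
    verified_next_hops: list = field(default_factory=list)  # (sequence, next_hop, track) from verify-availability
    next_hops: list = field(default_factory=list)           # set ip next-hop A [B ...]
    interfaces: list = field(default_factory=list)          # set interface X [Y ...]
    default_next_hops: list = field(default_factory=list)   # set ip default next-hop A [B ...]
    default_interfaces: list = field(default_factory=list)  # set default interface X [Y ...]


def explicit_route(state, dst, allow_default=False):
    """Longest-prefix match in the RIB. Unless allow_default is set, a 0.0.0.0/0 entry does not
    count as an explicit route, so the "default" clauses still apply when only a default route
    exists (a modelling assumption, not taken from the page)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via in state.rib.items():
        net = ipaddress.ip_network(prefix)
        if not net.prefixlen and not allow_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def usable_hop(state, hop):
    """A next hop is usable only through an up interface on which it is directly connected."""
    iface = state.connected.get(hop)
    return iface if iface in state.interfaces_up else None


def first_usable_interface(state, candidates):
    for iface in candidates:
        if iface == NULL0 or iface in state.interfaces_up:
            return iface
    return None


def policy_route(state, clauses, dst):
    """Decide how one packet that matched the route map is forwarded: (decision, next_hop, interface)."""
    # 1. set ip next-hop: tracked hops are tried first, in sequence order, then untracked ones.
    for _seq, hop, track in sorted(clauses.verified_next_hops):
        iface = usable_hop(state, hop)
        if track in state.tracks_up and iface:
            return ("policy", hop, iface)
    for hop in clauses.next_hops:
        iface = usable_hop(state, hop)
        if iface:
            return ("policy", hop, iface)
    # 2. set interface: the first up interface wins; Null0 discards the packet.
    iface = first_usable_interface(state, clauses.interfaces)
    if iface == NULL0:
        return ("drop", None, NULL0)
    if iface:
        return ("policy", None, iface)
    # Normal route lookup runs before any "default" clause is considered.
    route = explicit_route(state, dst)
    if route:
        return ("routing-table", route[0], route[1])
    # 3. set ip default next-hop and 4. set default interface: only when no explicit route exists.
    for hop in clauses.default_next_hops:
        iface = usable_hop(state, hop)
        if iface:
            return ("policy-default", hop, iface)
    iface = first_usable_interface(state, clauses.default_interfaces)
    if iface == NULL0:
        return ("drop", None, NULL0)
    if iface:
        return ("policy-default", None, iface)
    # Nothing in the policy applied: ordinary routing, including a default route, decides.
    route = explicit_route(state, dst, allow_default=True)
    if route:
        return ("routing-table", route[0], route[1])
    return ("unrouted", None, None)


# Constructed scenario: the track object for the primary hop reports it down, so the
# packet must not be sent there even though the interface carrying it is up.
STATE = DeviceState(
    interfaces_up={"outside", "dmz"},
    tracks_up={2},
    connected={"203.0.113.1": "outside", "198.51.100.1": "dmz", "192.168.9.1": "inside"},
    rib={"0.0.0.0/0": ("203.0.113.1", "outside"), "10.20.0.0/16": ("198.51.100.1", "dmz")},
)
CLAUSES = SetClauses(verified_next_hops=[(10, "203.0.113.1", 1), (20, "198.51.100.1", 2)])


def demo():
    """Decisions for a few constructed destinations and clause sets."""
    return {
        "tracked-failover": policy_route(STATE, CLAUSES, "10.20.5.5"),
        "no-next-hop-explicit-route": policy_route(STATE, SetClauses(), "10.20.5.5"),
        "default-next-hop": policy_route(STATE, SetClauses(default_next_hops=["203.0.113.1"]), "172.16.1.1"),
        "null0-drop": policy_route(STATE, SetClauses(interfaces=["inside", NULL0]), "10.20.5.5"),
        "fallback-default-route": policy_route(STATE, SetClauses(next_hops=["192.168.9.1"]), "172.16.1.1"),
    }
```

The "tracked-failover" case is the one the SLA tracking exists for: without the track object, the first hop would be chosen on the strength of its up interface alone, which is exactly the indefinite-ARP situation the CDP paragraph above warns about.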
Object tracking functions in the following manner. PBR will inform the tracking process that it is interested in tracking a certain object. The tracking process will in turn notify PBR when the state of the object changes. This notification is done via registries and is event driven.

The tracking subsystem is responsible for tracking the state of an object. The object can be an IP address that is periodically being pinged by the tracking process. The state of the object (up or down) is stored in a track report data structure. The tracking process will create the tracking object report. Then the exec process that is configuring the route map can query the tracking process to determine if a given object exists. If the object exists, the tracking subsystem can start tracking it and read the initial state of the object. If the object changes state, the tracking process will notify all the clients that are tracking this process that the state of the object has changed. So, the route map structure that PBR is using can be updated to reflect the current state of the object in the track report. This interprocess communication is done by means of registries and the shared track report.

Note
If the CDP and object tracking commands are mixed, the tracked next hops will be tried first.

Examples
ciscoasa(config)# sla monitor 1
ciscoasa(config-sla-monitor)# type echo protocol ipIcmpEcho 1.1.1.1 interface outside
ciscoasa(config)# sla monitor schedule 1 life forever start-time now
ciscoasa(config)#
ciscoasa(config)# route-map testmapv4
ciscoasa(config-route-map)# set ip next-hop verify-availability 1.1.1.1 10 track 1
ciscoasa(config)# show run route-map
!
route-map testmapv4 permit 10
 set ip next-hop verify-availability 1.1.1.1 10 track 1
!
ciscoasa(config)# show route-map testmapv4
route-map testmapv4, permit, sequence 10
  Match clauses:
  Set clauses:
    ip next-hop verify-availability 1.1.1.1 10 track 1

set local-preference
To specify a preference value for the autonomous system path, use the set local-preference command in route-map configuration mode. To delete an entry, use the no form of this command.

set local-preference number-value
no set local-preference number-value

Syntax Description
number-value   Preference value. An integer from 0 to 4294967295.

Defaults
Preference value is 100.

Command Modes
The following table shows the modes in which you can enter the command:

                          Firewall Mode            Security Context
                                                            Multiple
Command Mode              Routed   Transparent    Single   Context   System
Route-map configuration   • Yes    —              • Yes    • Yes     —

Command History
Release   Modification
9.2(1)    This command was added.

Usage Guidelines
The preference is sent only to all routers in the local autonomous system.

Use the route-map global configuration command, and the match and set route-map configuration commands, to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has a list of match and set commands associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria enforced by the match commands are met. The no route-map command deletes the route map.

The set route-map configuration commands specify the redistribution set actions to be performed when all the match criteria of a route map are met. When all match criteria are met, all set actions are performed.

You can change the default preference value with the bgp default local-preference command.
Examples
The following example sets the local preference to 100 for all routes that are included in access list 1:

ciscoasa(config-route-map)# route-map map-preference
ciscoasa(config-route-map)# match as-path 1
ciscoasa(config-route-map)# set local-preference 100

set metric
To set the metric value of a route for OSPF and other dynamic routing protocols in a route map, use the set metric command in route-map configuration mode. To return to the default metric value for OSPF and other dynamic routing protocols, use the no form of this command.

set metric metric-value | [bandwidth delay reliability loading mtu]
no set metric metric-value | [bandwidth delay reliability loading mtu]

Syntax Description
bandwidth      EIGRP bandwidth of a route, in kbps. Valid values range from 0 to 4294967295.
delay          EIGRP route delay, in tens of microseconds. Valid values range from 0 to 4294967295.
loading        Effective EIGRP bandwidth of a route expressed as a number from 0 to 255. The value 255 means 100 percent loading.
metric-value   Metric value of a route for OSPF and other dynamic routing protocols (except for EIGRP), expressed as a number. Valid values range from 0 to 4294967295.
mtu            Minimum MTU size of a route for EIGRP, in bytes. Valid values range from 0 to 4294967295.
reliability    Likelihood of successful packet transmission for EIGRP expressed as a number from 0 to 255. The value 255 means 100 percent reliability; 0 means no reliability.

Defaults
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:

                          Firewall Mode            Security Context
                                                            Multiple
Command Mode              Routed   Transparent    Single   Context   System
Route-map configuration   • Yes    —              • Yes    • Yes     —

Command History
Release   Modification
7.0(1)    This command was added.
8.2(5)    The bandwidth, delay, reliability, loading, and mtu arguments to support EIGRP in a route map were added.
9.0(1)    Support for multiple context mode was added.

Usage Guidelines
The no set metric command allows you to return to the default metric value for OSPF and other dynamic routing protocols. In this context, the metric-value argument is an integer from 0 to 4294967295.

Examples
The following example shows how to configure a route map for OSPF routing:

ciscoasa(config)# route-map maptag1 permit 8
ciscoasa(config-route-map)# set metric 5
ciscoasa(config-route-map)# match metric 5
ciscoasa(config-route-map)# show route-map
route-map maptag1 permit 8
  set metric 5
  match metric 5

The following example shows how to set the metric value for EIGRP in a route map:

ciscoasa(config)# access-list route-out line 1 standard permit 10.1.1.0 255.255.255.0
ciscoasa(config)# route-map rmap permit 10
ciscoasa(config-route-map)# match ip address route-out
ciscoasa(config-route-map)# set metric 10000 60 100 1 1500
ciscoasa(config-route-map)# show route-map rmap
route-map rmap, permit, sequence 10
  Match clauses:
    ip address (access-lists): route-out
  Set clauses:
    metric 10000 60 100 1 1500
ciscoasa(config-route-map)# show running-config route-map
route-map rmap permit 10
 match ip address route-out
 set metric 10000 60 100 1 1500

Related Commands
Command             Description
match interface     Distributes any routes that have their next hop out of one of the interfaces specified.
match ip next-hop   Distributes any routes that have a next-hop router address that is passed by one of the access lists specified.
route-map           Defines the conditions for redistributing routes from one routing protocol into another.

set metric-type
To specify the type of OSPF metric routes, use the set metric-type command in route-map configuration mode. To return to the default setting, use the no form of this command.
set metric-type {type-1 | type-2}
no set metric-type

Syntax Description
type-1   Specifies the type of OSPF metric routes that are external to a specified autonomous system.
type-2   Specifies the type of OSPF metric routes that are external to a specified autonomous system.

Defaults
The default is type-2.

Command Modes
The following table shows the modes in which you can enter the command:

                          Firewall Mode            Security Context
                                                            Multiple
Command Mode              Routed   Transparent    Single   Context   System
Route-map configuration   • Yes    —              • Yes    • Yes     —

Command History
Release   Modification
7.0(1)    This command was added.
9.0(1)    Support for multiple context mode was added.

Examples
The following example shows how to configure a route map for OSPF routing:

ciscoasa(config)# route-map maptag1 permit 8
ciscoasa(config-route-map)# set metric 5
ciscoasa(config-route-map)# match metric 5
ciscoasa(config-route-map)# set metric-type type-2
ciscoasa(config-route-map)# show route-map
route-map maptag1 permit 8
  set metric 5
  set metric-type type-2
  match metric 5
ciscoasa(config-route-map)# exit
ciscoasa(config)#

Related Commands
Command           Description
match interface   Distributes any routes that have their next hop out one of the interfaces specified.
route-map         Defines the conditions for redistributing routes from one routing protocol into another.
set metric        Specifies the metric value in the destination routing protocol for a route map.

set metric-type internal
To set the Multi Exit Discriminator (MED) value on prefixes advertised to external BGP (eBGP) neighbors to match the Interior Gateway Protocol (IGP) metric of the next hop, use the set metric-type internal command in route-map configuration mode. To return to the default, use the no form of this command.

set metric-type internal
no set metric-type internal

Syntax Description
This command has no arguments or keywords.
Command Default
This command is disabled by default.

Command Modes
The following table shows the modes in which you can enter the command:

                          Firewall Mode            Security Context
                                                            Multiple
Command Mode              Routed   Transparent    Single   Context   System
Route-map configuration   • Yes    —              • Yes    • Yes     —

Command History
Release   Modification
9.2(1)    This command was added.

Usage Guidelines
This command will cause BGP to advertise a MED value that corresponds to the IGP metric associated with the next hop of the route. This command applies to generated, internal BGP (iBGP)-derived, and eBGP-derived routes. If this command is used, multiple BGP speakers in a common autonomous system can advertise different MED values for a particular prefix. Also, note that if the IGP metric changes, BGP will readvertise the route every 10 minutes.

Use the route-map global configuration command and the match and set route-map configuration commands to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has a list of match and set commands associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria enforced by the match commands are met. The no route-map command deletes the route map.

The set route-map configuration commands specify the redistribution set actions to be performed when all of the match criteria of the route map are met. When all match criteria are met, all set actions are performed.

Note
This command is not supported for redistributing routes into the Border Gateway Protocol (BGP).
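Added example (not from the command reference and not Cisco's code) of the route-map semantics that set local-preference, set metric and set metric-type internal rely on: entries are tried in sequence order, the first entry whose match clauses are all satisfied decides, a deny entry or no match at all filters the route, and the set clauses rewrite the route's attributes, with metric-type internal taking the MED from an IGP metric table keyed by next hop. The as-path access-list lines, the prefix-based stand-in for an ip access-list match, the routes and the IGP metrics are constructed for the example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class BgpRoute:
    prefix: str
    next_hop: str
    as_path: str                               # "65001 65010", as printed in the BGP table
    attrs: dict = field(default_factory=dict)  # local-preference, med, origin, ...


@dataclass
class RouteMapEntry:
    sequence: int
    permit: bool = True
    match_as_path: list = field(default_factory=list)  # names of ip as-path access-lists
    match_prefix: list = field(default_factory=list)   # prefixes (stand-in for a match ip address list)
    sets: dict = field(default_factory=dict)           # {"local-preference": 200, "metric-type": "internal", ...}


def as_path_acl_permits(acl, as_path):
    """An ip as-path access-list is a list of (permit, regex) lines; the first line whose
    regex matches decides, and a path matched by no line is denied."""
    for permit, pattern in acl:
        if re.search(pattern, as_path):
            return permit
    return False


def entry_matches(entry, route, as_path_acls):
    """Every match clause of an entry must be satisfied; an entry without match clauses matches all routes."""
    if entry.match_as_path and not any(
        as_path_acl_permits(as_path_acls[name], route.as_path) for name in entry.match_as_path
    ):
        return False
    if entry.match_prefix and route.prefix not in entry.match_prefix:
        return False
    return True


def apply_sets(entry, route, igp_metric):
    """Apply the entry's set clauses to a copy of the route's attributes."""
    attrs = dict(route.attrs)
    for key, value in entry.sets.items():
        if key == "metric-type" and value == "internal":
            # MED follows the IGP metric to the route's next hop, so it changes when the IGP metric does.
            attrs["med"] = igp_metric[route.next_hop]
        elif key == "metric":
            attrs["med"] = value
        else:
            attrs[key] = value  # local-preference, origin, ... are stored as given
    return attrs


def run_route_map(entries, route, as_path_acls, igp_metric):
    """First matching entry wins. Returns the new attributes, or None when the route is denied,
    including by the implicit deny after the last entry."""
    for entry in sorted(entries, key=lambda e: e.sequence):
        if entry_matches(entry, route, as_path_acls):
            return apply_sets(entry, route, igp_metric) if entry.permit else None
    return None


# Constructed data: two as-path lists, an IGP metric table and three candidate routes.
AS_PATH_ACLS = {
    "as-path-acl": [(True, ".*")],                   # ip as-path access-list as-path-acl permit .*
    "1": [(True, "^65001 "), (False, ".*")],         # routes originating behind AS 65001 only
}
IGP_METRIC = {"172.16.2.3": 30, "172.16.2.4": 110}
ROUTES = [
    BgpRoute("10.1.0.0/16", "172.16.2.3", "65001 65010", {"local-preference": 100, "med": 0}),
    BgpRoute("10.2.0.0/16", "172.16.2.4", "65002 65010", {"local-preference": 100, "med": 0}),
    BgpRoute("192.0.2.0/24", "172.16.2.4", "65003", {"local-preference": 100, "med": 0}),
]
MAP_PREFERENCE = [
    RouteMapEntry(10, match_as_path=["1"], sets={"local-preference": 200}),
    RouteMapEntry(20, match_prefix=["10.2.0.0/16"], sets={"metric": 50}),
]
SET_MED = [RouteMapEntry(10, match_as_path=["as-path-acl"], sets={"metric-type": "internal"})]


def evaluate(entries):
    """Run one route map over all sample routes; denied routes map to None."""
    return {r.prefix: run_route_map(entries, r, AS_PATH_ACLS, IGP_METRIC) for r in ROUTES}
```

The 192.0.2.0/24 result under MAP_PREFERENCE is the case worth remembering when a route map is attached to a neighbor: a route that matches no entry is not passed through unchanged, it is dropped by the implicit deny, which is why a trailing permit entry with no match clauses is usually needed.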
Examples
  In the following example, the MED value for all the advertised routes to neighbor 172.16.2.3 is set to the corresponding IGP metric of the next hop:

  ciscoasa(config)# router bgp 109
  ciscoasa(config-router)# address-family ipv4
  ciscoasa(config-router-af)# network 172.16.0.0
  ciscoasa(config-router-af)# neighbor 172.16.2.3 remote-as 200
  ciscoasa(config-router-af)# neighbor 172.16.2.3 route-map setMED out
  ciscoasa(config)# route-map setMED permit 10
  ciscoasa(config-route-map)# match as-path as-path-acl
  ciscoasa(config-route-map)# set metric-type internal
  ciscoasa(config)# ip as-path access-list as-path-acl permit .*

set origin

  To set the BGP origin code, use the set origin command in route-map configuration mode. To delete an entry, use the no form of this command.

set origin {igp | egp autonomous-system-number | incomplete}
no set origin {igp | egp autonomous-system-number | incomplete}

Syntax Description
  autonomous-system-number
      Number of a remote autonomous system. The range of values for this argument is any valid autonomous system number from 1 to 65535.
  egp
      Local External Gateway Protocol (EGP) system.
  igp
      Remote Interior Gateway Protocol (IGP) system.
  incomplete
      Unknown heritage.

Defaults
  The origin of the route is based on the path information of the route in the main IP routing table.

Command Modes
  The following table shows the modes in which you can enter the command:

                             Firewall Mode          Security Context
                                                    Multiple
  Command Mode               Routed   Transparent   Single   Context   System
  Route-map configuration    Yes      —             Yes      Yes       —

Command History
  Release   Modification
  9.2(1)    This command was added.

Usage Guidelines
  You must have a match clause (even if it points to a “permit everything” list) if you want to set the origin of a route. Use this command to set a specific origin when a route is redistributed into BGP.
  When routes are redistributed, the origin is usually recorded as incomplete, identified with a ? in the BGP table.

  Use the route-map global configuration command, and the match and set route-map configuration commands, to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has a list of match and set commands associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria enforced by the match commands are met. The no route-map command deletes the route map.

  The set route-map configuration commands specify the redistribution set actions to be performed when all of the match criteria of a route map are met. When all match criteria are met, all set actions are performed.

Examples
  The following example sets the origin of routes that pass the route map to IGP:

  ciscoasa(config)# route-map set_origin
  ciscoasa(config-route-map)# match as-path 10
  ciscoasa(config-route-map)# set origin igp

setup

  To create a minimal configuration for the ASA using interactive prompts, enter the setup command in global configuration mode.

setup

Syntax Description
  This command has no arguments or keywords.

Defaults
  No default behavior or values.

Command Modes
  The following table shows the modes in which you can enter the command:

                             Firewall Mode          Security Context
                                                    Multiple
  Command Mode               Routed   Transparent   Single   Context   System
  Global configuration       Yes      Yes           Yes      Yes       Yes

Command History
  Release   Modification
  7.0(1)    This command was added.
  8.4(1)    In routed mode for the ASA 5510 and higher, the interface configured is now the Management slot/port interface, and not the “inside” interface.
            For the ASA 5505, the interface configured is the VLAN 1 interface, not “inside”.
  9.0(1)    The default configuration prompt was changed, and Ctrl + Z to exit the setup process was enabled.

Usage Guidelines
  The setup prompt automatically appears at boot time if there is no startup configuration in flash memory. The setup command walks you through the minimal configuration needed to establish ASDM connectivity. This command is designed for a unit that has either no configuration or a partial configuration. If your model supports a factory default configuration, we recommend using the factory default configuration instead of the setup command (to restore the default configuration, use the configure factory-default command).

  The setup command requires an already-named interface called “management.”

  When you enter the setup command, you are asked for the information in Table 1-1. If there is already a configuration for the listed parameter, it appears in brackets, so you can either accept it as the default or override it by entering a new value. The exact prompts available may differ per model. The system setup command includes a subset of these prompts.

Table 1-1  Setup Prompts

  Pre-configure Firewall now through interactive prompts [yes]?
      Enter yes or no. If you enter yes, the setup continues. If no, the setup stops and the global configuration prompt (ciscoasa(config)#) appears.
  Firewall Mode [Routed]:
      Enter routed or transparent.
  Enable password:
      Enter an enable password. (The password must have at least three characters.)
  Allow password recovery [yes]?
      Enter yes or no.
  Clock (UTC):
      You cannot enter anything in this field. The UTC time is used by default.
  Year:
      Enter the year using four digits, for example, 2005. The year range is 1993 to 2035.
  Month:
      Enter the month using the first three characters of its name, for example, Sep for September.
  Day:
      Enter the day of the month, from 1 to 31.
  Time:
      Enter the hour, minutes, and seconds in 24-hour time format; for example, enter 20:54:44 for 8:54 p.m. and 44 seconds.
  Host name:
      Enter the hostname that you want to display in the command line prompt.
  Domain name:
      Enter the domain name of the network on which the ASA runs.
  IP address of host running Device Manager:
      Enter the IP address of the host that needs to access ASDM.
  Use this configuration and save to flash (yes)?
      Enter yes or no. If you enter yes, the inside interface is enabled and the requested configuration is written to the Flash partition. If you enter no, the setup prompt repeats, beginning with the first question: Pre-configure Firewall now through interactive prompts [yes]? Enter Ctrl + Z to exit the setup or yes to repeat the prompt.

Examples
  The following example shows how to complete the setup command:

  ciscoasa(config)# setup
  Pre-configure Firewall now through interactive prompts [yes]? yes
  Firewall Mode [Routed]: routed
  Enable password [<use current password>]: writer
  Allow password recovery [yes]? yes
  Clock (UTC):
    Year: 2005
    Month: Nov
    Day: 15
    Time: 10:0:0
  Inside IP address: 192.168.1.1
  Inside network mask: 255.255.255.0
  Host name: tech_pubs
  Domain name: example.com
  IP address of host running Device Manager: 10.1.1.1

  The following configuration will be used:
  Enable password: writer
  Allow password recovery: yes
  Clock (UTC): 20:54:44 Sep 17 2005
  Firewall Mode: Routed
  Inside IP address: 192.168.1.1
  Inside network mask: 255.255.255.0
  Host name: tech_pubs
  Domain name: example.com
  IP address of host running Device Manager: 10.1.1.1

  Use this configuration and write to flash? yes

Related Commands
  Command                     Description
  configure factory-default   Restores the default configuration.

set weight

  To specify the BGP weight for the routing table, use the set weight command in route-map configuration mode.
  To delete an entry, use the no form of this command.

set weight number
no set weight number

Syntax Description
  number    Weight value. It can be an integer ranging from 0 to 65535.

Defaults
  The weight is not changed by the specified route map.

Command Modes
  The following table shows the modes in which you can enter the command:

                             Firewall Mode          Security Context
                                                    Multiple
  Command Mode               Routed   Transparent   Single   Context   System
  Route-map configuration    Yes      —             Yes      Yes       —

Command History
  Release   Modification
  9.2(1)    This command was added.

Usage Guidelines
  The implemented weight is based on the first matched autonomous system path. Weights indicated when an autonomous system path is matched override the weights assigned by global neighbor commands. In other words, the weights assigned with the set weight route-map configuration command override the weights assigned using the neighbor weight command.

Examples
  The following example sets the BGP weight for the routes matching the autonomous system path access list to 200:

  ciscoasa(config)# route-map set-weight
  ciscoasa(config-route-map)# match as-path as_path_acl
  ciscoasa(config-route-map)# set weight 200

sfr

  To redirect traffic to the ASA FirePOWER module, use the sfr command in class configuration mode. To remove the redirect, use the no form of this command.

sfr {fail-close | fail-open} [monitor-only]
no sfr {fail-close | fail-open} [monitor-only]

Syntax Description
  fail-close
      Sets the ASA to block the traffic if the module is unavailable.
  fail-open
      Sets the ASA to allow the traffic through, applying ASA policies only, if the module is unavailable.
  monitor-only
      Sends a read-only copy of traffic to the module, i.e. passive mode. If you do not include the keyword, the traffic is sent in inline mode.

Command Default
  No default behavior or values.
Command Modes
  The following table shows the modes in which you can enter the command:

                             Firewall Mode          Security Context
                                                    Multiple
  Command Mode               Routed   Transparent   Single   Context   System
  Class configuration        Yes      Yes           Yes      Yes       —

Command History
  Release   Modification
  9.2(1)    This command was added.

Usage Guidelines
  You can access the class configuration mode by first entering the policy-map command.

  Before or after you configure the sfr command on the ASA, configure the security policy on the module using Firepower Management Center.

  To configure the sfr command, you must first configure the class-map command, policy-map command, and the class command.

  Traffic Flow

  The ASA FirePOWER module runs a separate application from the ASA. It is, however, integrated into the ASA traffic flow. When you apply the sfr command for a class of traffic on the ASA, traffic flows through the ASA and the module in the following way:

  1. Traffic enters the ASA.
  2. Incoming VPN traffic is decrypted.
  3. Firewall policies are applied.
  4. Traffic is sent to the ASA FirePOWER module over the backplane.
  5. The module applies its security policy to the traffic and takes appropriate actions.
  6. In inline mode, valid traffic is sent back to the ASA over the backplane; the ASA FirePOWER module might block some traffic according to its security policy, and that traffic is not passed on. In passive mode, no traffic is returned, and the module cannot block traffic.
  7. Outgoing VPN traffic is encrypted.
  8. Traffic exits the ASA.

  Compatibility with ASA Features

  The ASA includes many advanced application inspection features, including HTTP inspection. However, the ASA FirePOWER module provides more advanced HTTP inspection than the ASA provides, as well as additional features for other applications, including monitoring and controlling application usage.
  To take full advantage of the ASA FirePOWER module features, see the following guidelines for traffic that you send to the ASA FirePOWER module:

  • Do not configure ASA inspection on HTTP traffic.
  • Do not configure Cloud Web Security (ScanSafe) inspection. If you configure both ASA FirePOWER inspection and Cloud Web Security inspection for the same traffic, the ASA only performs ASA FirePOWER inspection.
  • Other application inspections on the ASA are compatible with the ASA FirePOWER module, including the default inspections.
  • Do not enable the Mobile User Security (MUS) server; it is not compatible with the ASA FirePOWER module.
  • If you enable failover, when the ASA fails over, any existing ASA FirePOWER flows are transferred to the new ASA. The ASA FirePOWER module in the new ASA begins inspecting the traffic from that point forward; old inspection states are not transferred.

  Monitor-Only Mode

  The traffic flow in monitor-only mode is the same as it is for inline mode. The only difference is that the ASA FirePOWER module does not pass traffic back to the ASA. Instead, the module applies the security policy to the traffic and lets you know what it would have done if it were operating in inline mode, e.g. traffic might be marked “would have dropped” in events. You can use this information for traffic analysis and to help you decide if inline mode is desirable.

  Note: You cannot configure both monitor-only mode and normal inline mode at the same time on the ASA. Only one type of security policy is allowed. In multiple context mode, you cannot configure monitor-only mode for some contexts and regular inline mode for others.
Examples
  The following example diverts all HTTP traffic to the ASA FirePOWER module, and blocks all HTTP traffic if the module fails for any reason:

  ciscoasa(config)# access-list ASASFR permit tcp any any eq 80
  ciscoasa(config)# class-map my-sfr-class
  ciscoasa(config-cmap)# match access-list ASASFR
  ciscoasa(config-cmap)# policy-map my-sfr-policy
  ciscoasa(config-pmap)# class my-sfr-class
  ciscoasa(config-pmap-c)# sfr fail-close
  ciscoasa(config-pmap-c)# service-policy my-sfr-policy global

  The following example diverts all IP traffic destined for the 10.1.1.0 network and the 10.2.1.0 network to the ASA FirePOWER module, and allows all traffic through if the module fails for any reason:

  ciscoasa(config)# access-list my-sfr-acl permit ip any 10.1.1.0 255.255.255.0
  ciscoasa(config)# access-list my-sfr-acl2 permit ip any 10.2.1.0 255.255.255.0
  ciscoasa(config)# class-map my-sfr-class
  ciscoasa(config-cmap)# match access-list my-sfr-acl
  ciscoasa(config)# class-map my-sfr-class2
  ciscoasa(config-cmap)# match access-list my-sfr-acl2
  ciscoasa(config-cmap)# policy-map my-sfr-policy
  ciscoasa(config-pmap)# class my-sfr-class
  ciscoasa(config-pmap-c)# sfr fail-open
  ciscoasa(config-pmap)# class my-sfr-class2
  ciscoasa(config-pmap-c)# sfr fail-open
  ciscoasa(config-pmap-c)# service-policy my-sfr-policy interface outside

Related Commands
  Command                               Description
  class                                 Specifies a class map to use for traffic classification.
  class-map                             Identifies traffic for use in a policy map.
  hw-module module reload               Reloads the module.
  hw-module module reset                Performs a reset and then reloads the module.
  hw-module module shutdown             Shuts down the module.
  policy-map                            Configures a policy; that is, an association of a traffic class and one or more actions.
  show asp table classify domain sfr    Shows the NP rules created to send traffic to the ASA FirePOWER module.
  show module                           Shows the module status.
  show running-config policy-map        Displays all current policy map configurations.
  show service-policy                   Shows service policy statistics.
  sw-module module sfr reload           Reloads the software module.
  sw-module module sfr reset            Resets the software module.
  sw-module module sfr recover          Installs the software module boot image.
  sw-module module sfr shutdown         Shuts down the software module.

shape

  To enable QoS traffic shaping, use the shape command in class configuration mode. If you have a device that transmits packets at a high speed, such as an ASA with Fast Ethernet, and it is connected to a low speed device such as a cable modem, then the cable modem is a bottleneck at which packets are frequently dropped. To manage networks with differing line speeds, you can configure the ASA to transmit packets at a fixed slower rate, called traffic shaping. To remove this configuration, use the no form of this command.

  Note: Traffic shaping is only supported on the ASA 5505, 5510, 5520, 5540, and 5550. Multi-core models (such as the ASA 5500-X) do not support shaping.

shape average rate [burst_size]
no shape average rate [burst_size]

Syntax Description
  average rate
      Sets the average rate of traffic in bits per second over a given fixed time period, between 64000 and 154400000. Specify a value that is a multiple of 8000. See the “Usage Guidelines” section for more information about how the time period is calculated.
  burst_size
      Sets the average burst size in bits that can be transmitted over a given fixed time period, between 2048 and 154400000. Specify a value that is a multiple of 128. If you do not specify the burst_size, the default value is equivalent to 4 milliseconds of traffic at the specified average rate. For example, if the average rate is 1000000 bits per second, 4 ms worth = 1000000 * 4/1000 = 4000.
Defaults
  If you do not specify the burst_size, the default value is equivalent to 4 milliseconds of traffic at the specified average rate. For example, if the average rate is 1000000 bits per second, 4 ms worth = 1000000 * 4/1000 = 4000.

Command Modes
  The following table shows the modes in which you can enter the command:

                             Firewall Mode          Security Context
                                                    Multiple
  Command Mode               Routed   Transparent   Single   Context   System
  Class configuration        Yes      —             Yes      —         —

Command History
  Release          Modification
  7.2(4)/8.0(4)    This command was added.

Usage Guidelines
  To enable traffic shaping, use the Modular Policy Framework:

  1. policy-map—Identify the actions associated with the class-default class map.
     a. class class-default—Identify the class-default class map on which you want to perform actions.
     b. shape—Apply traffic shaping to the class map.
     c. (Optional) service-policy—Call a different policy map in which you configured the priority command so you can apply priority queueing to a subset of shaped traffic.
  2. service-policy—Assign the policy map to an interface or globally.

  Traffic Shaping Overview

  Traffic shaping is used to match device and link speeds, thereby controlling packet loss, variable delay, and link saturation, which can cause jitter and delay.

  • Traffic shaping must be applied to all outgoing traffic on a physical interface or, in the case of the ASA 5505, on a VLAN. You cannot configure traffic shaping for specific types of traffic.
  • Traffic shaping is implemented when packets are ready to be transmitted on an interface, so the rate calculation is performed based on the actual size of a packet to be transmitted, including all the possible overhead such as the IPsec header and L2 header.
  • The shaped traffic includes both through-the-box and from-the-box traffic.
  • The shape rate calculation is based on the standard token bucket algorithm. The token bucket size is twice the burst size value.
    See the CLI configuration guide for more information about the token bucket.
  • When bursty traffic exceeds the specified shape rate, packets are queued and transmitted later. Following are some characteristics regarding the shape queue (for information about hierarchical priority queuing, see the priority command):
    – The queue size is calculated based on the shape rate. The queue can hold the equivalent of 200 milliseconds worth of shape rate traffic, assuming a 1500-byte packet. The minimum queue size is 64.
    – When the queue limit is reached, packets are tail-dropped.
    – Certain critical keep-alive packets such as OSPF Hello packets are never dropped.
    – The time interval is derived by time_interval = burst_size / average_rate. The larger the time interval is, the burstier the shaped traffic might be, and the longer the link might be idle. The effect can be best understood using the following exaggerated example:

      Average Rate = 1000000
      Burst Size = 1000000

      In the above example, the time interval is 1 second, which means that 1 Mbit of traffic can be bursted out within the first 10 milliseconds of the 1-second interval on a 100 Mbps FE link, leaving the remaining 990 milliseconds idle without being able to send any packets until the next time interval. So if there is delay-sensitive traffic such as voice traffic, the burst size should be reduced compared to the average rate so that the time interval is reduced.

  How QoS Features Interact

  You can configure each of the QoS features alone if desired for the ASA. Often, though, you configure multiple QoS features on the ASA so you can prioritize some traffic, for example, and prevent other traffic from causing bandwidth problems.

  See the following supported feature combinations per interface:

  • Standard priority queuing (for specific traffic) + Policing (for the rest of the traffic). You cannot configure priority queuing and policing for the same set of traffic.
  • Traffic shaping (for all traffic on an interface) + Hierarchical priority queuing (for a subset of traffic). You cannot configure traffic shaping and standard priority queuing for the same interface; only hierarchical priority queuing is allowed. For example, if you configure standard priority queuing for the global policy, and then configure traffic shaping for a specific interface, the feature you configured last is rejected because the global policy overlaps the interface policy. Typically, if you enable traffic shaping, you do not also enable policing for the same traffic, although the ASA does not restrict you from configuring this.

Examples
  The following example enables traffic shaping for all traffic on the outside interface, and prioritizes traffic within VPN tunnel-grp1 with the DSCP bit set to ef:

  ciscoasa(config)# class-map TG1-voice
  ciscoasa(config-cmap)# match tunnel-group tunnel-grp1
  ciscoasa(config-cmap)# match dscp ef
  ciscoasa(config)# policy-map priority-sub-policy
  ciscoasa(config-pmap)# class TG1-voice
  ciscoasa(config-pmap-c)# priority
  ciscoasa(config-pmap-c)# policy-map shape_policy
  ciscoasa(config-pmap)# class class-default
  ciscoasa(config-pmap-c)# shape
  ciscoasa(config-pmap-c)# service-policy priority-sub-policy
  ciscoasa(config-pmap-c)# service-policy shape_policy interface outside

Related Commands
  Command                   Description
  class                     Identifies the class map on which you want to perform actions in a policy map.
  police                    Enables QoS policing.
  policy-map                Identifies actions to apply to traffic in a service policy.
  priority                  Enables QoS priority queuing.
  service-policy (class)    Applies a hierarchical policy map.
  service-policy (global)   Applies a service policy to interface(s).
  show service-policy       Shows QoS statistics.
Chapter 2  show aaa kerberos through show asdm sessions Commands

show aaa kerberos

  To display all the Kerberos tickets cached on the ASA, use the show aaa kerberos command in webvpn configuration mode.

show aaa kerberos [username user | host ip | hostname]

Syntax Description
  host        Specifies the specific host that you want to view.
  hostname    Specifies the hostname.
  ip          Specifies the IP address for the host.
  username    Specifies the specific user that you want to view.

Defaults
  No defaults exist for this command.

Command Modes
  The following table shows the modes in which you can enter the command:

                             Firewall Mode          Security Context
                                                    Multiple
  Command Mode               Routed   Transparent   Single   Context   System
  Webvpn configuration       Yes      —             Yes      —         —

Command History
  Release   Modification
  8.4(1)    This command was added.

Usage Guidelines
  Use the show aaa kerberos command in webvpn configuration mode to view all the Kerberos tickets cached on the ASA. The username and host keywords are used to view the Kerberos tickets of a specific user or host.

Examples
  The following example shows the usage of the show aaa kerberos command:

  ciscoasa(config)# show aaa kerberos
  Default Principal      Valid Starting       Expires              Service Principal
  [email protected]      06/29/10 17:33:00    06/30/10 17:33:00    asa$/[email protected]
  [email protected]      06/29/10 17:33:00    06/30/10 17:33:00    http/[email protected]

Related Commands
  Command                         Description
  clear aaa kerberos              Clears all the Kerberos tickets cached on the ASA.
  clear configure aaa-server      Removes all AAA command statements from the configuration.
  show running-config aaa-server  Displays AAA server statistics for all AAA servers, for a particular server group, for a particular server within a particular group, or for a particular protocol.
show aaa local user

  To show the list of usernames that are currently locked, or to show details about the usernames, use the show aaa local user command in global configuration mode.

show aaa local user [locked]

Syntax Description
  locked    (Optional) Shows the list of usernames that are currently locked.

Defaults
  No default behavior or values.

Command Modes
  The following table shows the modes in which you can enter the command:

                             Firewall Mode          Security Context
                                                    Multiple
  Command Mode               Routed   Transparent   Single   Context   System
  Global configuration       Yes      Yes           Yes      Yes       —

Command History
  Release   Modification
  7.0(1)    This command was added.

Usage Guidelines
  If you omit the optional keyword locked, the ASA displays the failed-attempts and lockout status details for all AAA local users. You can specify a single user by using the username option or all users with the all option.

  This command affects only the status of users that are locked out. The administrator cannot be locked out of the device.
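A way to turn the lockout status this command reports into an actionable list: which local accounts are locked, and which are one failed attempt short of the limit set with aaa local authentication attempts max-fail. This is an added example, not Cisco code; the sample text is constructed in the format the command prints (Lock-time is blank for accounts that are not locked), and the function names and the "one attempt short" threshold are assumptions.

```python
"""Parse "show aaa local user" output and flag locked / at-risk accounts (added example)."""
import re

# Constructed sample in the command's output format; not captured from a device.
SAMPLE_OUTPUT = """\
ciscoasa(config)# show aaa local user
Lock-time Failed-attempts Locked User
                 6      Y test
                 2      N mona
                 1      N cisco
                 4      N newuser
ciscoasa(config)#
"""

# Lock-time is empty for accounts that are not locked, so anchor on the
# right-hand columns: optional lock-time, failed-attempts, Y/N, username.
ROW = re.compile(
    r"^\s*(?:(?P<lock_time>\S+)\s+)?(?P<failed>\d+)\s+(?P<locked>[YN])\s+(?P<user>\S+)\s*$"
)


def parse_local_users(text: str) -> list:
    """Return one dict per account row; header, prompt and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        rows.append({
            "user": m["user"],
            "failed": int(m["failed"]),
            "locked": m["locked"] == "Y",
            "lock_time": m["lock_time"],   # None when the account is not locked
        })
    return rows


def lockout_report(text: str, max_fail: int) -> dict:
    """Split accounts into locked ones and ones within one attempt of max_fail.

    max_fail is the value configured with "aaa local authentication attempts
    max-fail"; the at-risk threshold (max_fail - 1) is this example's choice.
    """
    rows = parse_local_users(text)
    locked = sorted(r["user"] for r in rows if r["locked"])
    at_risk = sorted(r["user"] for r in rows
                     if not r["locked"] and r["failed"] >= max_fail - 1)
    return {"locked": locked, "at_risk": at_risk}


if __name__ == "__main__":
    print(lockout_report(SAMPLE_OUTPUT, max_fail=5))
```

Run against the constructed sample with max-fail 5, the report lists test as locked and newuser (four failures) as at risk; a scheduled run of this over the command's output is a cheap way to notice password-guessing against local accounts before the lockout itself becomes the alert.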
Examples
  The following example shows the use of the show aaa local user command to display the number of failed authentication attempts and lockout status details for all AAA local users, after the limit has been set to 5:

  ciscoasa(config)# aaa local authentication attempts max-fail 5
  ciscoasa(config)# show aaa local user
  Lock-time Failed-attempts Locked User
                   6      Y test
                   2      N mona
                   1      N cisco
                   4      N newuser
  ciscoasa(config)#

  The following example shows the use of the show aaa local user command with the locked keyword to display the number of failed authentication attempts and lockout status details only for locked-out AAA local users, after the limit has been set to 5:

  ciscoasa(config)# aaa local authentication attempts max-fail 5
  ciscoasa(config)# show aaa local user locked
  Lock-time Failed-attempts Locked User
                   6      Y test
  ciscoasa(config)#

Related Commands
  Command                                       Description
  aaa local authentication attempts max-fail    Configures the maximum number of times a user can enter a wrong password before being locked out.
  clear aaa local user fail-attempts            Resets the number of failed attempts to 0 without modifying the lockout status.
  clear aaa local user lockout                  Clears the lockout status of the specified user or all users and sets their failed attempts counters to 0.

show aaa-server

  To display AAA server statistics for AAA servers, use the show aaa-server command in privileged EXEC mode.

show aaa-server [LOCAL | groupname [host hostname] | protocol protocol]

Syntax Description
  LOCAL            (Optional) Shows statistics for the LOCAL user database.
  groupname        (Optional) Shows statistics for servers in a group.
  host hostname    (Optional) Shows statistics for a particular server in the group.
  protocol protocol
      (Optional) Shows statistics for servers of the following specified protocols:
      • kerberos
      • ldap
      • nt
      • radius
      • sdi
      • tacacs+

Defaults
  By default, all AAA server statistics display.

Command Modes
  The following table shows the modes in which you can enter the command:

                             Firewall Mode          Security Context
                                                    Multiple
  Command Mode               Routed   Transparent   Single   Context   System
  Privileged EXEC            Yes      Yes           Yes      Yes       —

Command History
  Release   Modification
  7.1(1)    The http-form protocol was added.
  8.0(2)    The server status shows if the status was changed manually using the aaa-server active command or fail command.

Examples
  The following is sample output from the show aaa-server command:

  ciscoasa(config)# show aaa-server group1 host 192.68.125.60
  Server Group:    group1
  Server Protocol: RADIUS
  Server Address:  192.68.125.60
  Server port:     1645
  Server status:   ACTIVE. Last transaction (success) at 11:10:08 UTC Fri Aug 22
  Number of pending requests              20
  Average round trip time                 4ms
  Number of authentication requests       20
  Number of authorization requests        0
  Number of accounting requests           0
  Number of retransmissions               1
  Number of accepts                       16
  Number of rejects                       4
  Number of challenges                    5
  Number of malformed responses           0
  Number of bad authenticators            0
  Number of timeouts                      0
  Number of unrecognized responses        0

  The following table shows field descriptions for the show aaa-server command:

  Field
      Description
  Server Group
      The server group name specified by the aaa-server command.
  Server Protocol
      The server protocol for the server group specified by the aaa-server command.
  Server Address
      The IP address of the AAA server.
  Server port
      The communication port used by the ASA and the AAA server. You can specify the RADIUS authentication port using the authentication-port command. You can specify the RADIUS accounting port using the accounting-port command. For non-RADIUS servers, the port is set by the server-port command.
  Server status
      The status of the server. One of the following values appears:
      • ACTIVE—The ASA will communicate with this AAA server.
      • FAILED—The ASA cannot communicate with the AAA server. Servers that are put into this state remain there for some period of time, depending on the policy configured, and are then reactivated.
      If the status is followed by “(admin initiated),” then the server was manually failed or reactivated using the aaa-server active command or fail command.
      The date and time of the last transaction appear in the following form:
        Last transaction ({success | failure}) at time timezone date
      If the ASA has never communicated with the server, the message shows as the following:
        Last transaction at Unknown
  Number of pending requests
      The number of requests that are still in progress.
  Average round trip time
      The average time that it takes to complete a transaction with the server.
  Number of authentication requests
      The number of authentication requests sent by the ASA. This value does not include retransmissions after a timeout.
  Number of authorization requests
      The number of authorization requests. This value refers to authorization requests due to command authorization, authorization for through-the-box traffic (for TACACS+ servers), or for WebVPN and IPsec authorization functionality enabled for a tunnel group. This value does not include retransmissions after a timeout.
  Number of accounting requests
      The number of accounting requests. This value does not include retransmissions after a timeout.
  Number of retransmissions
      The number of times a message was retransmitted after an internal timeout. This value applies only to Kerberos and RADIUS servers (UDP).
  Number of accepts
      The number of successful authentication requests.
  Number of rejects
      The number of rejected requests. This value includes error conditions as well as true credential rejections from the AAA server.
  Number of challenges
      The number of times the AAA server required additional information from the user after receiving the initial username and password information.
  Number of malformed responses
      N/A. Reserved for future use.
  Number of bad authenticators
      The number of times that one of the following occurs:
      • The “authenticator” string in the RADIUS packet is corrupted (rare).
      • The shared secret key on the ASA does not match the one on the RADIUS server. To fix this problem, enter the correct server key.
      This value only applies to RADIUS.
  Number of timeouts
      The number of times the ASA has detected that a AAA server is not responsive or otherwise misbehaving and has declared it offline.
  Number of unrecognized responses
      The number of times that the ASA received a response from the AAA server that it could not recognize or support. For example, the RADIUS packet code from the server was an unknown type, something other than the known “access-accept,” “access-reject,” “access-challenge,” or “accounting-response” types. Typically, this means that the RADIUS response packet from the server was corrupted, which is rare.

Related Commands
  Command                         Description
  show running-config aaa-server  Displays statistics for all servers in the indicated server group or for a particular server.
  clear aaa-server statistics     Clears the AAA server statistics.

show access-list

  To display the hit counters and a timestamp value for an access list, use the show access-list command in privileged EXEC mode.

show access-list id_1 [...[id_2]] [brief]

Syntax Description
  brief    (Optional) Displays the access list identifiers, the hit count, and the timestamp of the last rule hit, all in hexadecimal format.
  id_1     A name or set of characters that identifies an existing access list.
  id_2     (Optional) A name or set of characters that identifies an existing access list.
Defaults
    No default behavior or values.

Command Modes
    The following table shows the modes in which you can enter the command:

    Command Mode      Firewall Mode           Security Context
                      Routed   Transparent    Single   Multiple
                                                       Context   System
    Privileged EXEC   Yes      Yes            Yes      Yes       —

Command History
    Release   Modification
    8.0(2)    Support for the brief keyword was added.
    8.3(1)    The ACE show pattern used to display the ACL timestamp was modified.

Usage Guidelines
    You can display multiple access lists at one time by entering their identifiers in one command.

    The brief keyword displays the access list identifiers, hit count, and last-hit timestamp in hexadecimal format. The identifiers, shown in the first two columns, are the same hash values that appear in syslog messages 106023 and 106100, so they let you tie a logged hit back to the ACE that produced it.

    If an access list has been changed recently, it is excluded from the output. A message indicates when this happens.

Clustering Guidelines
    When using ASA clustering, if traffic is received by a single unit, the other units may still show a hit count for the ACL because of the clustering director logic. This is expected behavior. A unit that did not receive any packets directly from the client may receive packets forwarded over the cluster control link for an owner request, and it checks the ACL before sending the packet back to the receiving unit. As a result, the ACL hit count increases even though that unit did not pass the traffic.

Examples
    The following examples show brief information about the specified access policy in hexadecimal format (only ACEs whose hit count is not zero are listed). The first two columns display identifiers in hexadecimal format, the third column lists the hit count, and the fourth column displays the timestamp value, also in hexadecimal format. The hit count value represents the number of times the rule has been hit by traffic.
    The timestamp value reports the time of the last hit. If the hit count is zero, no information is displayed.

    The following is sample output from the show access-list command for the access list named "test", which is applied on an outside interface in the "IN" direction:

    ciscoasa# show access-list test
    access-list test; 3 elements; name hash: 0xcb4257a3
    access-list test line 1 extended permit icmp any any (hitcnt=0) 0xb422e9c2
    access-list test line 2 extended permit object-group TELNET-SSH object-group S1 object-group D1 0x44ae5901
      access-list test line 2 extended permit tcp 100.100.100.0 255.255.255.0 10.10.10.0 255.255.255.0 eq telnet (hitcnt=1) 0xca10ca21
      access-list test line 2 extended permit tcp 100.100.100.0 255.255.255.0 10.10.10.0 255.255.255.0 eq ssh (hitcnt=1) 0x5b704158

    The following is sample output from the show access-list command when object-group search is not enabled; each object-group line is expanded into its member ACEs:

    ciscoasa# show access-list KH-BLK-Tunnel
    access-list KH-BLK-Tunnel; 9 elements
    access-list KH-BLK-Tunnel line 1 extended permit ip object-group KH-LAN object-group BLK-LAN 0x724c956b
      access-list KH-BLK-Tunnel line 1 extended permit ip 192.168.97.0 255.255.255.0 192.168.4.0 255.255.255.0 (hitcnt=10) 0x30fe29a6
      access-list KH-BLK-Tunnel line 1 extended permit ip 13.13.13.0 255.255.255.0 192.168.4.0 255.255.255.0 (hitcnt=4) 0xc6ef2338
      access-list KH-BLK-Tunnel line 1 extended permit ip 192.168.97.0 255.255.255.0 14.14.14.0 255.255.255.0 (hitcnt=2) 0xce8596ec
      access-list KH-BLK-Tunnel line 1 extended permit ip 13.13.13.0 255.255.255.0 14.14.14.0 255.255.255.0 (hitcnt=0) 0x9a2f1c4d
    access-list KH-BLK-Tunnel line 2 extended permit ospf interface pppoe1 host 87.139.87.200 (hitcnt=0) 0xb62d5832
    access-list KH-BLK-Tunnel line 3 extended permit ip interface pppoe1 any (hitcnt=0) 0xa2c9ed34
    access-list KH-BLK-Tunnel line 4 extended permit ip host 1.1.1.1 any (hitcnt=0) 0xd06f7e6b
    access-list KH-BLK-Tunnel line 5 extended deny ip 1.1.0.0 255.255.0.0 any (hitcnt=0) 0x9d979934
    access-list KH-BLK-Tunnel line 6 extended permit ip 1.1.1.0 255.255.255.0 any (hitcnt=0) 0xa52a0761

    The following is sample output from the show access-list command when object-group search is enabled; the object-group line is shown once with an aggregate hit count instead of being expanded:

    ciscoasa# show access-list KH-BLK-Tunnel
    access-list KH-BLK-Tunnel; 6 elements
    access-list KH-BLK-Tunnel line 1 extended permit ip object-group KH-LAN(1) object-group BLK-LAN(2) (hitcount=16) 0x724c956b
    access-list KH-BLK-Tunnel line 2 extended permit ospf interface pppoe1 host 87.139.87.200 (hitcnt=0) 0xb62d5832
    access-list KH-BLK-Tunnel line 3 extended permit ip interface pppoe1 any (hitcnt=0) 0xa2c9ed34
    access-list KH-BLK-Tunnel line 4 extended permit ip host 1.1.1.1 any (hitcnt=0) 0xd06f7e6b
    access-list KH-BLK-Tunnel line 5 extended deny ip 1.1.0.0 255.255.0.0 any (hitcnt=0) 0x9d979934
    access-list KH-BLK-Tunnel line 6 extended permit ip 1.1.1.0 255.255.255.0 any (hitcnt=0) 0xa52a0761

    The following is sample output from the show access-list brief command after Telnet traffic has passed:

    ciscoasa(config)# sh access-list test brief
    access-list test; 3 elements; name hash: 0xcb4257a3
    ca10ca21 44ae5901 00000001 4a68aa7e

    The following is sample output from the show access-list brief command after SSH traffic has also passed:

    ciscoasa(config)# sh access-list test brief
    access-list test; 3 elements; name hash: 0xcb4257a3
    ca10ca21 44ae5901 00000001 4a68aa7e
    5b704158 44ae5901 00000001 4a68aaa9

    The following is sample output from the show access-list command for the access list named "test", applied on an outside interface in the "IN" direction, with ACL Optimization enabled:

    ciscoasa# show access-list test
    access-list test; 3 elements; name hash: 0xcb4257a3
    access-list test line 1 extended permit icmp any any (hitcnt=0) 0xb422e9c2
    access-list test line 2 extended permit object-group TELNET-SSH object-group S1 object-group D1 0x44ae5901
      access-list test line 2 extended permit tcp object-group S1(1) object-group D1(2) eq telnet (hitcnt=1) 0x7b1c1660
      access-list test line 2 extended permit tcp object-group S1(1) object-group D1(2) eq ssh (hitcnt=1) 0x3666f922

    The following is sample output from the show access-list brief command after Telnet traffic has passed:

    ciscoasa(config)# sh access-list test brief
    access-list test; 3 elements; name hash: 0xcb4257a3
    7b1c1660 44ae5901 00000001 4a68ab51

    The following is sample output from the show access-list brief command after SSH traffic has also passed:

    ciscoasa(config)# sh access-list test brief
    access-list test; 3 elements; name hash: 0xcb4257a3
    7b1c1660 44ae5901 00000001 4a68ab51
    3666f922 44ae5901 00000001 4a68ab66

Related Commands
    access-list ethertype             Configures an access list that controls traffic based on its EtherType.
    access-list extended              Adds an access list to the configuration and configures policy for IP traffic through the firewall.
    clear access-list                 Clears an access list counter.
    clear configure access-list       Clears an access list from the running configuration.
    show running-config access-list   Displays the current running access-list configuration.

show activation-key

To display the permanent license, the active time-based licenses, and the running license (the combination of the permanent license and the active time-based licenses), use the show activation-key command in privileged EXEC mode. For failover units, this command also shows the "Failover cluster" license, which combines the keys of the primary and secondary units.

    show activation-key [detail]

Syntax Description
    detail   Shows inactive time-based licenses.

Defaults
    No default behavior or values.

Command Modes
    The following table shows the modes in which you can enter the command.
    Command Mode      Firewall Mode           Security Context
                      Routed   Transparent    Single   Multiple
                                                       Context   System
    Privileged EXEC   Yes      Yes            Yes      Yes       Yes

Command History
    Release   Modification
    7.0(1)    This command was added.
    8.0(4)    The detail keyword was added.
    8.2(1)    The output was modified to include additional licensing information.
    8.3(1)    The output now includes whether a feature uses the permanent or time-based key, as well as the duration of the time-based key in use. It also shows all installed time-based keys, both active and inactive.
    8.4(1)    Support for No Payload Encryption models was added.

Usage Guidelines
    Some permanent licenses require you to reload the ASA after you activate them. Table 2-1 lists the licenses that require reloading.

    Table 2-1  Permanent License Reloading Requirements

    Model        License Action Requiring Reload
    All models   Downgrading the Encryption license.
    ASAv         Downgrading the vCPU license.

    If you need to reload, the show activation-key output reads as follows:

        The flash activation key is DIFFERENT from the running key.
        The flash activation key takes effect after the next reload.

    If you have a No Payload Encryption model, the VPN and Unified Communications licenses are not listed when you view the license.
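As an added example (not Cisco code or output), the following Python script turns show activation-key output into a short checklist: it reads the feature table, flags time-based features that expire within a chosen window, flags a unit whose 3DES/AES license is disabled (leaving only DES for VPN), reports the "flash activation key is DIFFERENT" reload condition described above, and, on a failover unit, lists the features whose running value comes from the combined Failover cluster license rather than the unit's own key. The input is constructed to follow the format of the examples that follow (modeled on the failover primary in Example 2-3, with the reload message from the Usage Guidelines added); the serial number and keys are placeholders, not a real capture.

```python
"""Audit `show activation-key` output for conditions an operator should act on.

Added example, not Cisco code or output. SAMPLE is constructed to follow the feature
table format shown in the reference (name, value, then "perpetual" or "<n> days"),
modeled on the failover primary in Example 2-3 with the reload message from the
Usage Guidelines added; the serial number and keys are placeholders.
"""
import re

SAMPLE = """\
Serial Number: EXAMPLE00001
Running Permanent Activation Key: 0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1
Running Timebased Activation Key: 0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2

Licensed features for this platform:
Maximum Physical Interfaces     : Unlimited       perpetual
Failover                        : Active/Active   perpetual
VPN-DES                         : Enabled         perpetual
VPN-3DES-AES                    : Disabled        perpetual
Security Contexts               : 12              perpetual
AnyConnect Premium Peers        : 2               perpetual
Total VPN Peers                 : 750             perpetual
UC Phone Proxy Sessions         : 2               perpetual
Botnet Traffic Filter           : Enabled         33 days
Intercompany Media Engine       : Disabled        perpetual

This platform has an ASA 5520 VPN Plus license.

Failover cluster licensed features for this platform:
Maximum Physical Interfaces     : Unlimited       perpetual
Failover                        : Active/Active   perpetual
VPN-DES                         : Enabled         perpetual
VPN-3DES-AES                    : Enabled         perpetual
Security Contexts               : 12              perpetual
AnyConnect Premium Peers        : 4               perpetual
Total VPN Peers                 : 750             perpetual
UC Phone Proxy Sessions         : 4               perpetual
Botnet Traffic Filter           : Enabled         33 days
Intercompany Media Engine       : Disabled        perpetual

This platform has an ASA 5520 VPN Plus license.

The flash activation key is DIFFERENT from the running key.
The flash activation key takes effect after the next reload.
"""

# One feature row: name, single-token value, then "perpetual" or "<n> days".
# Rows with other trailing text (for example "DMZ Unrestricted" on the 5505) are skipped.
FEATURE_RE = re.compile(r"^(.+?)\s*:\s*(\S+)\s+(perpetual|\d+ days?)$")


def parse_activation_key(text):
    """Return serial, the unit's running feature table, the failover cluster table
    (None on a standalone unit), and whether the flash key differs from the running key.

    Feature tables map name -> (value, days_remaining), with days_remaining None for
    perpetual features. Only the first "Licensed features" block is taken as the
    running license; the per-key breakdowns of the detail form are ignored.
    """
    result = {"serial": None, "unit": {}, "cluster": None, "reload_pending": False}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Serial Number:"):
            result["serial"] = line.split(":", 1)[1].strip()
        elif "DIFFERENT from the running" in line:
            result["reload_pending"] = True
        elif line.startswith("Failover cluster licensed features"):
            result["cluster"] = {}
            section = result["cluster"]
        elif line.startswith("Licensed features"):
            section = result["unit"] if not result["unit"] else None
        elif "Activation Key" in line:
            section = None          # key headers end the current feature table
        elif section is not None:
            m = FEATURE_RE.match(line)
            if m:
                name, value, term = m.groups()
                days = None if term == "perpetual" else int(term.split()[0])
                section[name.strip()] = (value, days)
    return result


def audit(parsed, warn_within_days=60):
    """Return human-readable findings; an empty list means nothing to act on."""
    findings = []
    unit = parsed["unit"]
    if parsed["reload_pending"]:
        findings.append("flash activation key differs from the running key; "
                        "the new key takes effect only after a reload")
    for name, (value, days) in unit.items():
        if days is not None and days <= warn_within_days:
            findings.append(f"{name} ({value}) is time-based and expires in {days} days")
    strong = unit.get("VPN-3DES-AES") or unit.get("Encryption-3DES-AES")
    if strong is not None and strong[0] != "Enabled":
        findings.append("3DES/AES license is not enabled on this unit; only DES is licensed")
    for name, (cluster_value, _) in (parsed["cluster"] or {}).items():
        unit_value = unit.get(name, (None, None))[0]
        if unit_value is not None and unit_value != cluster_value:
            findings.append(f"{name}: running value {cluster_value} comes from the combined "
                            f"failover license (this unit's own license: {unit_value})")
    return findings


if __name__ == "__main__":
    parsed = parse_activation_key(SAMPLE)
    print(f"Serial {parsed['serial']}")
    for finding in audit(parsed):
        print(" -", finding)
```

The cluster comparison matters for planning: the reference notes that the Failover cluster license is the one actually running, so a feature that appears only there (here AnyConnect Premium Peers 4 and 3DES/AES) is something the unit has only while the pair is intact.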
Examples

Example 2-1 Standalone Unit Output for the show activation-key command

The following is sample output from the show activation-key command for a standalone unit that shows the running license (the combined permanent license and time-based licenses), as well as each active time-based license:

    ciscoasa# show activation-key
    Serial Number: JMX1232L11M
    Running Permanent Activation Key: 0xce06dc6b 0x8a7b5ab7 0xa1e21dd4 0xd2c4b8b8 0xc4594f9c
    Running Timebased Activation Key: 0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285
    Running Timebased Activation Key: 0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2

    Licensed features for this platform:
    Maximum Physical Interfaces     : Unlimited       perpetual
    Maximum VLANs                   : 150             perpetual
    Inside Hosts                    : Unlimited       perpetual
    Failover                        : Active/Active   perpetual
    VPN-DES                         : Enabled         perpetual
    VPN-3DES-AES                    : Enabled         perpetual
    Security Contexts               : 10              perpetual
    GTP/GPRS                        : Enabled         perpetual
    AnyConnect Premium Peers        : 2               perpetual
    AnyConnect Essentials           : Disabled        perpetual
    Other VPN Peers                 : 750             perpetual
    Total VPN Peers                 : 750             perpetual
    Shared License                  : Enabled         perpetual
    Shared AnyConnect Premium Peers : 12000           perpetual
    AnyConnect for Mobile           : Disabled        perpetual
    AnyConnect for Cisco VPN Phone  : Disabled        perpetual
    Advanced Endpoint Assessment    : Disabled        perpetual
    UC Phone Proxy Sessions         : 12              62 days
    Total UC Proxy Sessions         : 12              62 days
    Botnet Traffic Filter           : Enabled         646 days
    Intercompany Media Engine       : Disabled        perpetual

    This platform has a Base license.

    The flash permanent activation key is the SAME as the running permanent key.
    Active Timebased Activation Key:
    0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285
    Botnet Traffic Filter           : Enabled         646 days

    0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2
    Total UC Proxy Sessions         : 10              62 days

Example 2-2 Standalone Unit Output for show activation-key detail

The following is sample output from the show activation-key detail command for a standalone unit that shows the running license (the combined permanent license and time-based licenses), as well as the permanent license and each installed time-based license (active and inactive):

    ciscoasa# show activation-key detail
    Serial Number: 88810093382
    Running Permanent Activation Key: 0xce06dc6b 0x8a7b5ab7 0xa1e21dd4 0xd2c4b8b8 0xc4594f9c
    Running Timebased Activation Key: 0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285

    Licensed features for this platform:
    Maximum Physical Interfaces     : 8               perpetual
    VLANs                           : 20              DMZ Unrestricted
    Dual ISPs                       : Enabled         perpetual
    VLAN Trunk Ports                : 8               perpetual
    Inside Hosts                    : Unlimited       perpetual
    Failover                        : Active/Standby  perpetual
    VPN-DES                         : Enabled         perpetual
    VPN-3DES-AES                    : Enabled         perpetual
    AnyConnect Premium Peers        : 2               perpetual
    AnyConnect Essentials           : Disabled        perpetual
    Other VPN Peers                 : 25              perpetual
    Total VPN Peers                 : 25              perpetual
    AnyConnect for Mobile           : Disabled        perpetual
    AnyConnect for Cisco VPN Phone  : Disabled        perpetual
    Advanced Endpoint Assessment    : Disabled        perpetual
    UC Phone Proxy Sessions         : 2               perpetual
    Total UC Proxy Sessions         : 2               perpetual
    Botnet Traffic Filter           : Enabled         39 days
    Intercompany Media Engine       : Disabled        perpetual

    This platform has an ASA 5505 Security Plus license.
    Running Permanent Activation Key: 0xce06dc6b 0x8a7b5ab7 0xa1e21dd4 0xd2c4b8b8 0xc4594f9c

    Licensed features for this platform:
    Maximum Physical Interfaces     : 8               perpetual
    VLANs                           : 20              DMZ Unrestricted
    Dual ISPs                       : Enabled         perpetual
    VLAN Trunk Ports                : 8               perpetual
    Inside Hosts                    : Unlimited       perpetual
    Failover                        : Active/Standby  perpetual
    VPN-DES                         : Enabled         perpetual
    VPN-3DES-AES                    : Enabled         perpetual
    AnyConnect Premium Peers        : 2               perpetual
    AnyConnect Essentials           : Disabled        perpetual
    Other VPN Peers                 : 25              perpetual
    Total VPN Peers                 : 25              perpetual
    AnyConnect for Mobile           : Disabled        perpetual
    AnyConnect for Cisco VPN Phone  : Disabled        perpetual
    Advanced Endpoint Assessment    : Disabled        perpetual
    UC Phone Proxy Sessions         : 2               perpetual
    Total UC Proxy Sessions         : 2               perpetual
    Botnet Traffic Filter           : Enabled         39 days
    Intercompany Media Engine       : Disabled        perpetual

    The flash permanent activation key is the SAME as the running permanent key.

    Active Timebased Activation Key:
    0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285
    Botnet Traffic Filter           : Enabled         39 days

    Inactive Timebased Activation Key:
    0xyadayada3 0xyadayada3 0xyadayada3 0xyadayada3 0xyadayada3
    AnyConnect Premium Peers        : 25              7 days

Example 2-3 Primary Unit Output in a Failover Pair for show activation-key detail

The following is sample output from the show activation-key detail command for the primary failover unit that shows:

• The primary unit license (the combined permanent license and time-based licenses).
• The "Failover cluster" license, which is the combined licenses from the primary and secondary units. This is the license that is actually running on the ASA. The values that reflect the combination of the primary and secondary licenses are the ones that differ from the unit's own license (for example, AnyConnect Premium Peers and UC Proxy Sessions).
• The primary unit permanent license.
• The primary unit installed time-based licenses (active and inactive).
    ciscoasa# show activation-key detail
    Serial Number: P3000000171
    Running Permanent Activation Key: 0xce06dc6b 0x8a7b5ab7 0xa1e21dd4 0xd2c4b8b8 0xc4594f9c
    Running Timebased Activation Key: 0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285

    Licensed features for this platform:
    Maximum Physical Interfaces     : Unlimited       perpetual
    Maximum VLANs                   : 150             perpetual
    Inside Hosts                    : Unlimited       perpetual
    Failover                        : Active/Active   perpetual
    VPN-DES                         : Enabled         perpetual
    VPN-3DES-AES                    : Enabled         perpetual
    Security Contexts               : 12              perpetual
    GTP/GPRS                        : Enabled         perpetual
    AnyConnect Premium Peers        : 2               perpetual
    AnyConnect Essentials           : Disabled        perpetual
    Other VPN Peers                 : 750             perpetual
    Total VPN Peers                 : 750             perpetual
    Shared License                  : Disabled        perpetual
    AnyConnect for Mobile           : Disabled        perpetual
    AnyConnect for Cisco VPN Phone  : Disabled        perpetual
    Advanced Endpoint Assessment    : Disabled        perpetual
    UC Phone Proxy Sessions         : 2               perpetual
    Total UC Proxy Sessions         : 2               perpetual
    Botnet Traffic Filter           : Enabled         33 days
    Intercompany Media Engine       : Disabled        perpetual

    This platform has an ASA 5520 VPN Plus license.
    Failover cluster licensed features for this platform:
    Maximum Physical Interfaces     : Unlimited       perpetual
    Maximum VLANs                   : 150             perpetual
    Inside Hosts                    : Unlimited       perpetual
    Failover                        : Active/Active   perpetual
    VPN-DES                         : Enabled         perpetual
    VPN-3DES-AES                    : Enabled         perpetual
    Security Contexts               : 12              perpetual
    GTP/GPRS                        : Enabled         perpetual
    AnyConnect Premium Peers        : 4               perpetual
    AnyConnect Essentials           : Disabled        perpetual
    Other VPN Peers                 : 750             perpetual
    Total VPN Peers                 : 750             perpetual
    Shared License                  : Disabled        perpetual
    AnyConnect for Mobile           : Disabled        perpetual
    AnyConnect for Cisco VPN Phone  : Disabled        perpetual
    Advanced Endpoint Assessment    : Disabled        perpetual
    UC Phone Proxy Sessions         : 4               perpetual
    Total UC Proxy Sessions         : 4               perpetual
    Botnet Traffic Filter           : Enabled         33 days
    Intercompany Media Engine       : Disabled        perpetual

    This platform has an ASA 5520 VPN Plus license.

    Running Permanent Activation Key: 0xce06dc6b 0x8a7b5ab7 0xa1e21dd4 0xd2c4b8b8 0xc4594f9c

    Licensed features for this platform:
    Maximum Physical Interfaces     : Unlimited       perpetual
    Maximum VLANs                   : 150             perpetual
    Inside Hosts                    : Unlimited       perpetual
    Failover                        : Active/Active   perpetual
    VPN-DES                         : Enabled         perpetual
    VPN-3DES-AES                    : Disabled        perpetual
    Security Contexts               : 2               perpetual
    GTP/GPRS                        : Disabled        perpetual
    AnyConnect Premium Peers        : 2               perpetual
    AnyConnect Essentials           : Disabled        perpetual
    Other VPN Peers                 : 750             perpetual
    Total VPN Peers                 : 750             perpetual
    Shared License                  : Disabled        perpetual
    AnyConnect for Mobile           : Disabled        perpetual
    AnyConnect for Cisco VPN Phone  : Disabled        perpetual
    Advanced Endpoint Assessment    : Disabled        perpetual
    UC Phone Proxy Sessions         : 2               perpetual
    Total UC Proxy Sessions         : 2               perpetual
    Botnet Traffic Filter           : Disabled        perpetual
    Intercompany Media Engine       : Disabled        perpetual

    The flash permanent activation key is the SAME as the running permanent key.
    Active Timebased Activation Key:
    0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285
    Botnet Traffic Filter           : Enabled         33 days

    Inactive Timebased Activation Key:
    0xyadayad3 0xyadayad3 0xyadayad3 0xyadayad3 0xyadayad3
    Security Contexts               : 2               7 days
    AnyConnect Premium Peers        : 100             7 days

    0xyadayad4 0xyadayad4 0xyadayad4 0xyadayad4 0xyadayad4
    Total UC Proxy Sessions         : 100             14 days

Example 2-4 Secondary Unit Output in a Failover Pair for show activation-key detail

The following is sample output from the show activation-key detail command for the secondary failover unit that shows:

• The secondary unit license (the combined permanent license and time-based licenses).
• The "Failover cluster" license, which is the combined licenses from the primary and secondary units. This is the license that is actually running on the ASA. The values that reflect the combination of the primary and secondary licenses are the ones that differ from the unit's own license.
• The secondary unit permanent license.
• The secondary unit installed time-based licenses (active and inactive). This unit does not have any time-based licenses, so none are displayed in this sample output.
    ciscoasa# show activation-key detail
    Serial Number: P3000000011
    Running Activation Key: 0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1

    Licensed features for this platform:
    Maximum Physical Interfaces     : Unlimited       perpetual
    Maximum VLANs                   : 150             perpetual
    Inside Hosts                    : Unlimited       perpetual
    Failover                        : Active/Active   perpetual
    VPN-DES                         : Enabled         perpetual
    VPN-3DES-AES                    : Disabled        perpetual
    Security Contexts               : 2               perpetual
    GTP/GPRS                        : Disabled        perpetual
    AnyConnect Premium Peers        : 2               perpetual
    AnyConnect Essentials           : Disabled        perpetual
    Other VPN Peers                 : 750             perpetual
    Total VPN Peers                 : 750             perpetual
    Shared License                  : Disabled        perpetual
    AnyConnect for Mobile           : Disabled        perpetual
    AnyConnect for Cisco VPN Phone  : Disabled        perpetual
    Advanced Endpoint Assessment    : Disabled        perpetual
    UC Phone Proxy Sessions         : 2               perpetual
    Total UC Proxy Sessions         : 2               perpetual
    Botnet Traffic Filter           : Disabled        perpetual
    Intercompany Media Engine       : Disabled        perpetual

    This platform has an ASA 5520 VPN Plus license.

    Failover cluster licensed features for this platform:
    Maximum Physical Interfaces     : Unlimited       perpetual
    Maximum VLANs                   : 150             perpetual
    Inside Hosts                    : Unlimited       perpetual
    Failover                        : Active/Active   perpetual
    VPN-DES                         : Enabled         perpetual
    VPN-3DES-AES                    : Enabled         perpetual
    Security Contexts               : 10              perpetual
    GTP/GPRS                        : Enabled         perpetual
    AnyConnect Premium Peers        : 4               perpetual
    AnyConnect Essentials           : Disabled        perpetual
    Other VPN Peers                 : 750             perpetual
    Total VPN Peers                 : 750             perpetual
    Shared License                  : Disabled        perpetual
    AnyConnect for Mobile           : Disabled        perpetual
    AnyConnect for Cisco VPN Phone  : Disabled        perpetual
    Advanced Endpoint Assessment    : Disabled        perpetual
    UC Phone Proxy Sessions         : 4               perpetual
    Total UC Proxy Sessions         : 4               perpetual
    Botnet Traffic Filter           : Enabled         33 days
    Intercompany Media Engine       : Disabled        perpetual

    This platform has an ASA 5520 VPN Plus license.
    Running Permanent Activation Key: 0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1

    Licensed features for this platform:
    Maximum Physical Interfaces     : Unlimited       perpetual
    Maximum VLANs                   : 150             perpetual
    Inside Hosts                    : Unlimited       perpetual
    Failover                        : Active/Active   perpetual
    VPN-DES                         : Enabled         perpetual
    VPN-3DES-AES                    : Disabled        perpetual
    Security Contexts               : 2               perpetual
    GTP/GPRS                        : Disabled        perpetual
    AnyConnect Premium Peers        : 2               perpetual
    AnyConnect Essentials           : Disabled        perpetual
    Other VPN Peers                 : 750             perpetual
    Total VPN Peers                 : 750             perpetual
    Shared License                  : Disabled        perpetual
    AnyConnect for Mobile           : Disabled        perpetual
    AnyConnect for Cisco VPN Phone  : Disabled        perpetual
    Advanced Endpoint Assessment    : Disabled        perpetual
    UC Phone Proxy Sessions         : 2               perpetual
    Total UC Proxy Sessions         : 2               perpetual
    Botnet Traffic Filter           : Disabled        perpetual
    Intercompany Media Engine       : Disabled        perpetual

    The flash permanent activation key is the SAME as the running permanent key.

Example 2-5 Standalone Unit Output for the ASAv without a License for show activation-key

The following output for a deployed 1 vCPU ASAv shows a blank activation key, an Unlicensed status, and a message to install a 1 vCPU license.

Note  The command output shows "This platform has an ASAv VPN Premium license." This message means that the ASAv can perform payload encryption; it does not refer to the ASAv Standard versus Premium licenses.

    ciscoasa# show activation-key
    Serial Number: 9APM1G4RV41
    Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000

    ASAv Platform License State: Unlicensed
    *Install 1 vCPU ASAv platform license for full functionality.
    The Running Activation Key is not valid, using default settings:

    Licensed features for this platform:
    Virtual CPUs                    : 0               perpetual
    Maximum Physical Interfaces     : 10              perpetual
    Maximum VLANs                   : 50              perpetual
    Inside Hosts                    : Unlimited       perpetual
    Failover                        : Active/Standby  perpetual
    Encryption-DES                  : Enabled         perpetual
    Encryption-3DES-AES             : Enabled         perpetual
    Security Contexts               : 0               perpetual
    GTP/GPRS                        : Disabled        perpetual
    AnyConnect Premium Peers        : 2               perpetual
    AnyConnect Essentials           : Disabled        perpetual
    Other VPN Peers                 : 250             perpetual
    Total VPN Peers                 : 250             perpetual
    Shared License                  : Disabled        perpetual
    AnyConnect for Mobile           : Disabled        perpetual
    AnyConnect for Cisco VPN Phone  : Disabled        perpetual
    Advanced Endpoint Assessment    : Disabled        perpetual
    UC Phone Proxy Sessions         : 2               perpetual
    Total UC Proxy Sessions         : 2               perpetual
    Botnet Traffic Filter           : Enabled         perpetual
    Intercompany Media Engine       : Disabled        perpetual
    Cluster                         : Disabled        perpetual

    This platform has an ASAv VPN Premium license.

    Failed to retrieve flash permanent activation key.
    The flash permanent activation key is the SAME as the running permanent key.

Example 2-6 Standalone Unit Output for the ASAv with a 4 vCPU Standard License for show activation-key

Note  The command output shows "This platform has an ASAv VPN Premium license." This message means that the ASAv can perform payload encryption; it does not refer to the ASAv Standard versus Premium licenses.
    ciscoasa# show activation-key
    Serial Number: 9ALQ8W1XCJ7
    Running Permanent Activation Key: 0x0013e945 0x685a232c 0x1153fdac 0xeae8b068 0x4413f4ae

    ASAv Platform License State: Compliant

    Licensed features for this platform:
    Virtual CPUs                    : 4               perpetual
    Maximum Physical Interfaces     : 10              perpetual
    Maximum VLANs                   : 200             perpetual
    Inside Hosts                    : Unlimited       perpetual
    Failover                        : Active/Standby  perpetual
    Encryption-DES                  : Enabled         perpetual
    Encryption-3DES-AES             : Enabled         perpetual
    Security Contexts               : 0               perpetual
    GTP/GPRS                        : Enabled         perpetual
    AnyConnect Premium Peers        : 2               perpetual
    AnyConnect Essentials           : Disabled        perpetual
    Other VPN Peers                 : 750             perpetual
    Total VPN Peers                 : 750             perpetual
    Shared License                  : Disabled        perpetual
    AnyConnect for Mobile           : Disabled        perpetual
    AnyConnect for Cisco VPN Phone  : Disabled        perpetual
    Advanced Endpoint Assessment    : Disabled        perpetual
    UC Phone Proxy Sessions         : 1000            perpetual
    Total UC Proxy Sessions         : 1000            perpetual
    Botnet Traffic Filter           : Enabled         perpetual
    Intercompany Media Engine       : Enabled         perpetual
    Cluster                         : Disabled        perpetual

    This platform has an ASAv VPN Premium license.

    The flash permanent activation key is the SAME as the running permanent key.

Example 2-7 Standalone Unit Output for the ASAv with a 4 vCPU Premium License for show activation-key

Note  The command output shows "This platform has an ASAv VPN Premium license." This message means that the ASAv can perform payload encryption; it does not refer to the ASAv Standard versus Premium licenses.
    ciscoasa# show activation-key
    Serial Number: 9ALQ8W1XCJ7
    Running Permanent Activation Key: 0x8224dd7d 0x943ed77c 0x9d71cdd0 0xd90474d0 0xcb04df82

    ASAv Platform License State: Compliant

    Licensed features for this platform:
    Virtual CPUs                    : 4               perpetual
    Maximum Physical Interfaces     : 10              perpetual
    Maximum VLANs                   : 200             perpetual
    Inside Hosts                    : Unlimited       perpetual
    Failover                        : Active/Standby  perpetual
    Encryption-DES                  : Enabled         perpetual
    Encryption-3DES-AES             : Enabled         perpetual
    Security Contexts               : 0               perpetual
    GTP/GPRS                        : Enabled         perpetual
    AnyConnect Premium Peers        : 750             perpetual
    AnyConnect Essentials           : Disabled        perpetual
    Other VPN Peers                 : 750             perpetual
    Total VPN Peers                 : 750             perpetual
    Shared License                  : Disabled        perpetual
    AnyConnect for Mobile           : Enabled         perpetual
    AnyConnect for Cisco VPN Phone  : Enabled         perpetual
    Advanced Endpoint Assessment    : Enabled         perpetual
    UC Phone Proxy Sessions         : 1000            perpetual
    Total UC Proxy Sessions         : 1000            perpetual
    Botnet Traffic Filter           : Enabled         perpetual
    Intercompany Media Engine       : Enabled         perpetual
    Cluster                         : Disabled        perpetual

    This platform has an ASAv VPN Premium license.

    The flash permanent activation key is the SAME as the running permanent key.
    ciscoasa#

Example 2-8 Primary Unit Output for the ASA Services Module in a Failover Pair for show activation-key

The following is sample output from the show activation-key command for the primary failover unit that shows:

• The primary unit license (the combined permanent license and time-based licenses).
• The "Failover cluster" license, which is the combined licenses from the primary and secondary units. This is the license that is actually running on the ASA. The values that reflect the combination of the primary and secondary licenses are the ones that differ from the unit's own license (here, Security Contexts).
• The primary unit installed time-based licenses (active and inactive).
    ciscoasa# show activation-key
    Serial Number: SAL144705BF
    Running Permanent Activation Key: 0x4d1ed752 0xc8cfeb37 0xf4c38198 0x93c04c28 0x4a1c049a
    Running Timebased Activation Key: 0xbc07bbd7 0xb15591e0 0xed68c013 0xd79374ff 0x44f87880

    Licensed features for this platform:
    Maximum Interfaces              : 1024            perpetual
    Inside Hosts                    : Unlimited       perpetual
    Failover                        : Active/Active   perpetual
    DES                             : Enabled         perpetual
    3DES-AES                        : Enabled         perpetual
    Security Contexts               : 25              perpetual
    GTP/GPRS                        : Enabled         perpetual
    Botnet Traffic Filter           : Enabled         330 days

    This platform has an WS-SVC-ASA-SM1 No Payload Encryption license.

    Failover cluster licensed features for this platform:
    Maximum Interfaces              : 1024            perpetual
    Inside Hosts                    : Unlimited       perpetual
    Failover                        : Active/Active   perpetual
    DES                             : Enabled         perpetual
    3DES-AES                        : Enabled         perpetual
    Security Contexts               : 50              perpetual
    GTP/GPRS                        : Enabled         perpetual
    Botnet Traffic Filter           : Enabled         330 days

    This platform has an WS-SVC-ASA-SM1 No Payload Encryption license.

    The flash permanent activation key is the SAME as the running permanent key.

    Active Timebased Activation Key:
    0xbc07bbd7 0xb15591e0 0xed68c013 0xd79374ff 0x44f87880
    Botnet Traffic Filter           : Enabled         330 days

Example 2-9 Secondary Unit Output for the ASA Services Module in a Failover Pair for show activation-key

The following is sample output from the show activation-key command for the secondary failover unit that shows:

• The secondary unit license (the combined permanent license and time-based licenses).
• The "Failover cluster" license, which is the combined licenses from the primary and secondary units. This is the license that is actually running on the ASA. The values that reflect the combination of the primary and secondary licenses are the ones that differ from the unit's own license.
• The secondary unit installed time-based licenses (active and inactive). This unit does not have any time-based licenses, so none are displayed in this sample output.
    ciscoasa# show activation-key detail
    Serial Number: SAD143502E3
    Running Permanent Activation Key: 0xf404c46a 0xb8e5bd84 0x28c1b900 0x92eca09c 0x4e2a0683

    Licensed features for this platform:
    Maximum Interfaces              : 1024            perpetual
    Inside Hosts                    : Unlimited       perpetual
    Failover                        : Active/Active   perpetual
    DES                             : Enabled         perpetual
    3DES-AES                        : Enabled         perpetual
    Security Contexts               : 25              perpetual
    GTP/GPRS                        : Disabled        perpetual
    Botnet Traffic Filter           : Disabled        perpetual

    This platform has an WS-SVC-ASA-SM1 No Payload Encryption license.

    Failover cluster licensed features for this platform:
    Maximum Interfaces              : 1024            perpetual
    Inside Hosts                    : Unlimited       perpetual
    Failover                        : Active/Active   perpetual
    DES                             : Enabled         perpetual
    3DES-AES                        : Enabled         perpetual
    Security Contexts               : 50              perpetual
    GTP/GPRS                        : Enabled         perpetual
    Botnet Traffic Filter           : Enabled         330 days

    This platform has an WS-SVC-ASA-SM1 No Payload Encryption license.

    The flash permanent activation key is the SAME as the running permanent key.

Example 2-10 Output in a Cluster for show activation-key

    ciscoasa# show activation-key
    Serial Number: JMX1504L2TD
    Running Permanent Activation Key: 0x4a3eea7b 0x54b9f61a 0x4143a90c 0xe5849088 0x4412d4a9

    Licensed features for this platform:
    Maximum Physical Interfaces     : Unlimited       perpetual
    Maximum VLANs                   : 100             perpetual
    Inside Hosts                    : Unlimited       perpetual
    Failover                        : Active/Active   perpetual
    Encryption-DES                  : Enabled         perpetual
    Encryption-3DES-AES             : Enabled         perpetual
    Security Contexts               : 2               perpetual
    GTP/GPRS                        : Disabled        perpetual
    AnyConnect Premium Peers        : 2               perpetual
    AnyConnect Essentials           : Disabled        perpetual
    Other VPN Peers                 : 250             perpetual
    Total VPN Peers                 : 250             perpetual
    Shared License                  : Disabled        perpetual
    AnyConnect for Mobile           : Disabled        perpetual
    AnyConnect for Cisco VPN Phone  : Disabled        perpetual
    Advanced Endpoint Assessment    : Disabled        perpetual
    UC Phone Proxy Sessions         : 2               perpetual
    Total UC Proxy Sessions         : 2               perpetual
    Botnet Traffic Filter           : Disabled        perpetual
    Intercompany Media Engine       : Disabled        perpetual
    Cluster                         : Enabled         perpetual

    This platform has an ASA 5585-X base license.

    Failover cluster licensed features for this platform:
    Maximum Physical Interfaces     : Unlimited       perpetual
    Maximum VLANs                   : 100             perpetual
    Inside Hosts                    : Unlimited       perpetual
    Failover                        : Active/Active   perpetual
    Encryption-DES                  : Enabled         perpetual
    Encryption-3DES-AES             : Enabled         perpetual
    Security Contexts               : 4               perpetual
    GTP/GPRS                        : Disabled        perpetual
    AnyConnect Premium Peers        : 4               perpetual
    AnyConnect Essentials           : Disabled        perpetual
    Other VPN Peers                 : 250             perpetual
    Total VPN Peers                 : 250             perpetual
    Shared License                  : Disabled        perpetual
    AnyConnect for Mobile           : Disabled        perpetual
    AnyConnect for Cisco VPN Phone  : Disabled        perpetual
    Advanced Endpoint Assessment    : Disabled        perpetual
    UC Phone Proxy Sessions         : 4               perpetual
    Total UC Proxy Sessions         : 4               perpetual
    Botnet Traffic Filter           : Disabled        perpetual
    Intercompany Media Engine       : Disabled        perpetual
    Cluster                         : Enabled         perpetual

    This platform has an ASA 5585-X base license.

    The flash permanent activation key is the SAME as the running permanent key.
    Serial Number: JMX1232L11M
    Running Activation Key: 0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1
    Running Activation Key: 0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2

    Licensed features for this platform:
    Maximum Physical Interfaces     : Unlimited       perpetual
    Maximum VLANs                   : 50              perpetual
    Inside Hosts                    : Unlimited       perpetual
    Failover                        : Disabled        perpetual
    VPN-DES                         : Enabled         perpetual
    VPN-3DES-AES                    : Enabled         perpetual
    Security Contexts               : 0               perpetual
    GTP/GPRS                        : Disabled        perpetual
    SSL VPN Peers                   : 2               perpetual
    Total VPN Peers                 : 250             perpetual
    Shared License                  : Disabled        perpetual
    AnyConnect for Mobile           : Disabled        perpetual
    AnyConnect for Linksys phone    : Disabled        perpetual
    AnyConnect Essentials           : Enabled         perpetual
    Advanced Endpoint Assessment    : Disabled        perpetual
    UC Phone Proxy Sessions         : 12              62 days
    Total UC Proxy Sessions         : 12              62 days
    Botnet Traffic Filter           : Enabled         646 days

    This platform has a Base license.

    The flash permanent activation key is the SAME as the running permanent key.

    Active Timebased Activation Key:
    0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1
    Botnet Traffic Filter           : Enabled         646 days

    0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2
    Total UC Proxy Sessions         : 10              62 days

    Inactive Timebased Activation Key:
    0xyadayad3 0xyadayad3 0xyadayad3 0xyadayad3 0xyadayad3
    SSL VPN Peers                   : 100             108 days

Related Commands
    activation-key   Changes the activation key.

show ad-groups

To display groups that are listed on an Active Directory server, use the show ad-groups command in privileged EXEC mode:

    show ad-groups name [filter string]

Syntax Description
    name     The name of the Active Directory server group to query.
    string   A string within quotes specifying all or part of the group name to search for.

Defaults
    No default behavior or values.
Command Modes

    The following table shows the modes in which you can enter the command:

                              Firewall Mode          Security Context
                                                              Multiple
    Command Mode              Routed   Transparent   Single   Context   System
    Privileged EXEC mode      Yes      —             Yes      —         —

Command History

    Release   Modification
    8.0(4)    This command was added.

Usage Guidelines

    The show ad-groups command applies only to Active Directory servers that use the LDAP protocol to retrieve groups. Use this command to display AD groups that you can use for dynamic access policy AAA selection criteria.

    When the LDAP attribute type = LDAP, the default time that the ASA waits for a response from the server is 10 seconds. You can adjust this time using the group-search-timeout command in aaa-server host configuration mode.

    Note    If the Active Directory server has a large number of groups, the output of the show ad-groups command may be truncated based on limitations of the amount of data the server can fit into a response packet. To avoid this problem, use the filter option to reduce the number of groups reported by the server.

Examples

    ciscoasa# show ad-groups LDAP-AD17

    Server Group LDAP-AD17
    Group list retrieved successfully
    Number of Active Directory Groups 46

    Account Operators
    Administrators
    APP-SSL-VPN CIO Users
    Backup Operators
    Cert Publishers
    CERTSVC_DCOM_ACCESS
    Cisco-Eng
    DHCP Administrators
    DHCP Users
    Distributed COM Users
    DnsAdmins
    DnsUpdateProxy
    Doctors
    Domain Admins
    Domain Computers
    Domain Controllers
    Domain Guests
    Domain Users
    Employees
    Engineering
    Engineering1
    Engineering2
    Enterprise Admins
    Group Policy Creator Owners
    Guests
    HelpServicesGroup

    The next example shows the same command with the filter option:

    ciscoasa(config)# show ad-groups LDAP-AD17 filter "Eng"
    Server Group LDAP-AD17
    Group list retrieved successfully
    Number of Active Directory Groups 4

    Cisco-Eng
    Engineering
    Engineering1
    Engineering2

Related Commands

    Command                Description
    ldap-group-base-dn     Specifies a level in the Active Directory hierarchy where the server begins searching for groups that are used by dynamic group policies.
    group-search-timeout   Adjusts the time the ASA waits for a response from an Active Directory server for a list of groups.

show admin-context

To display the context name currently assigned as the admin context, use the show admin-context command in privileged EXEC mode.

    show admin-context

Defaults

    No default behavior or values.

Command Modes

    The following table shows the modes in which you can enter the command:

                          Firewall Mode          Security Context
                                                          Multiple
    Command Mode          Routed   Transparent   Single   Context   System
    Privileged EXEC       Yes      Yes           —        —         Yes

Command History

    Release   Modification
    7.0(1)    This command was added.

Examples

    The following is sample output from the show admin-context command. It shows the admin context called "admin", stored in the root directory of flash:

    ciscoasa# show admin-context
    Admin: admin flash:/admin.cfg

Related Commands

    Command                   Description
    admin-context             Sets the admin context.
    changeto                  Changes between contexts or the system execution space.
    clear configure context   Removes all contexts.
    mode                      Sets the context mode to single or multiple.
    show context              Shows a list of contexts (system execution space) or information about the current context.

show arp

To view the ARP table, use the show arp command in privileged EXEC mode.

    show arp

Syntax Description

    This command has no arguments or keywords.

Defaults

    No default behavior or values.
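As an added example (not part of the Cisco reference), the following Python parses show arp listings in the row format this entry documents (interface, IP, MAC, then an age for dynamic entries, a dash for static ones, or "alias" for proxy ARP) and compares two readings so a change of MAC for a known IP, or one MAC answering for several IPs, stands out for investigation. The first snapshot is this entry's own sample output; the second is constructed.

```python
"""Parse Cisco ASA `show arp` output and compare two snapshots.

Added example, not part of the Cisco reference. Row format as documented
for show arp: interface, IP, MAC, then an age in seconds (dynamic), a dash
or nothing (static), or "alias" (proxy ARP).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# One ARP table row; the trailing field is optional because the static row
# in the reference's sample output carries no age at all.
ARP_ROW = re.compile(
    r"^\s*(?P<ifc>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
    r"(?:\s+(?P<tail>\d+|-|alias))?\s*$"
)


@dataclass(frozen=True)
class ArpEntry:
    interface: str
    ip: str
    mac: str
    kind: str            # "dynamic", "static" or "proxy"
    age: Optional[int]   # seconds, dynamic entries only


def parse_show_arp(text: str) -> list[ArpEntry]:
    """Return the rows of a show arp listing; the prompt and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if not m:
            continue
        tail = m["tail"]
        if tail is None or tail == "-":
            kind, age = "static", None
        elif tail == "alias":
            kind, age = "proxy", None
        else:
            kind, age = "dynamic", int(tail)
        entries.append(ArpEntry(m["ifc"], m["ip"], m["mac"].lower(), kind, age))
    return entries


def mac_changes(before: list[ArpEntry], after: list[ArpEntry]) -> list[tuple]:
    """(interface, ip, old_mac, new_mac) for each IP whose MAC differs between readings.

    A rebinding is what ARP spoofing looks like from the ASA, but also what a
    NIC swap looks like, so treat hits as leads to verify rather than verdicts.
    """
    old = {(e.interface, e.ip): e.mac for e in before}
    return [
        (e.interface, e.ip, old[(e.interface, e.ip)], e.mac)
        for e in after
        if (e.interface, e.ip) in old and old[(e.interface, e.ip)] != e.mac
    ]


def shared_macs(entries: list[ArpEntry]) -> dict[tuple, list[str]]:
    """(interface, mac) -> IPs for MACs that answer for more than one IP on an interface.

    Proxy ("alias") rows are excluded: there one MAC legitimately answers for
    several addresses, so they are not evidence of anything.
    """
    by_mac: dict[tuple, list[str]] = {}
    for e in entries:
        if e.kind != "proxy":
            by_mac.setdefault((e.interface, e.mac), []).append(e.ip)
    return {key: ips for key, ips in by_mac.items() if len(ips) > 1}


# SNAPSHOT_1 is the reference's own sample; SNAPSHOT_2 is a constructed later
# reading in which 10.86.194.61 is claimed by a different MAC that also
# answers for two inside hosts.
SNAPSHOT_1 = """\
ciscoasa# show arp
        outside 10.86.194.61 0011.2094.1d2b 2
        outside 10.86.194.1 001a.300c.8000
        outside 10.86.195.2 00d0.02a8.440a alias
"""
SNAPSHOT_2 = """\
ciscoasa# show arp
        outside 10.86.194.61 00aa.bbcc.dd01 5
        outside 10.86.194.1 001a.300c.8000 -
        outside 10.86.195.2 00d0.02a8.440a alias
        inside 192.168.1.10 00aa.bbcc.dd01 3
        inside 192.168.1.20 00aa.bbcc.dd01 1
"""

if __name__ == "__main__":
    before, after = parse_show_arp(SNAPSHOT_1), parse_show_arp(SNAPSHOT_2)
    for change in mac_changes(before, after):
        print("MAC changed:", change)
    for key, ips in shared_macs(after).items():
        print("one MAC, several IPs:", key, ips)
```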
Command Modes

    The following table shows the modes in which you can enter the command:

                          Firewall Mode          Security Context
                                                          Multiple
    Command Mode          Routed   Transparent   Single   Context   System
    Privileged EXEC       Yes      Yes           Yes      Yes       —

Command History

    Release                Modification
    7.0(8)/7.2(4)/8.0(4)   Dynamic ARP age was added to the display.

Usage Guidelines

    The display output shows dynamic, static, and proxy ARP entries. Dynamic ARP entries include the age of the ARP entry in seconds. Static ARP entries include a dash (-) instead of the age, and proxy ARP entries state "alias."

Examples

    The following is sample output from the show arp command. The first entry is a dynamic entry aged 2 seconds. The second entry is a static entry, and the third entry is from proxy ARP.

    ciscoasa# show arp
            outside 10.86.194.61 0011.2094.1d2b 2
            outside 10.86.194.1 001a.300c.8000
            outside 10.86.195.2 00d0.02a8.440a alias

Related Commands

    Command                   Description
    arp                       Adds a static ARP entry.
    arp-inspection            For transparent firewall mode, inspects ARP packets to prevent ARP spoofing.
    clear arp statistics      Clears ARP statistics.
    show arp statistics       Shows ARP statistics.
    show running-config arp   Shows the current configuration of the ARP timeout.

show arp-inspection

To view the ARP inspection setting for each interface, use the show arp-inspection command in privileged EXEC mode.

    show arp-inspection

Syntax Description

    This command has no arguments or keywords.

Defaults

    No default behavior or values.

Command Modes

    The following table shows the modes in which you can enter the command:

                          Firewall Mode          Security Context
                                                          Multiple
    Command Mode          Routed   Transparent   Single   Context   System
    Privileged EXEC       —        Yes           Yes      Yes       —

Command History

    Release   Modification
    7.0(1)    This command was added.

Examples

    The following is sample output from the show arp-inspection command:

    ciscoasa# show arp-inspection
    interface     arp-inspection     miss
    ----------------------------------------------------
    inside1       enabled            flood
    outside       disabled           -

    The miss column shows the default action to take for non-matching packets when ARP inspection is enabled, either "flood" or "no-flood."

Related Commands

    Command                   Description
    arp                       Adds a static ARP entry.
    arp-inspection            For transparent firewall mode, inspects ARP packets to prevent ARP spoofing.
    clear arp statistics      Clears ARP statistics.
    show arp statistics       Shows ARP statistics.
    show running-config arp   Shows the current configuration of the ARP timeout.

show arp statistics

To view ARP statistics, use the show arp statistics command in privileged EXEC mode.

    show arp statistics

Syntax Description

    This command has no arguments or keywords.

Defaults

    No default behavior or values.

Command Modes

    The following table shows the modes in which you can enter the command:

                          Firewall Mode          Security Context
                                                          Multiple
    Command Mode          Routed   Transparent   Single   Context   System
    Privileged EXEC       Yes      Yes           Yes      Yes       —

Command History

    Release   Modification
    7.0(1)    This command was added.

Examples

    The following is sample output from the show arp statistics command:

    ciscoasa# show arp statistics
         Number of ARP entries:
         ASA : 6
         Dropped blocks in ARP: 6
         Maximum Queued blocks: 3
         Queued blocks: 1
         Interface collision ARPs Received: 5
         ARP-defense Gratuitous ARPS sent: 4
         Total ARP retries: 15
         Unresolved hosts: 1
         Maximum Unresolved hosts: 2

    Table 2-2 shows each field description.

    Table 2-2    show arp statistics Fields

    Field                               Description
    Number of ARP entries               The total number of ARP table entries.
    Dropped blocks in ARP               The number of blocks that were dropped while IP addresses were being resolved to their corresponding hardware addresses.
    Maximum queued blocks               The maximum number of blocks that were ever queued in the ARP module while waiting for the IP address to be resolved.
    Queued blocks                       The number of blocks currently queued in the ARP module.
    Interface collision ARPs received   The number of ARP packets received at all ASA interfaces that were from the same IP address as that of an ASA interface.
    ARP-defense gratuitous ARPs sent    The number of gratuitous ARPs sent by the ASA as part of the ARP-Defense mechanism.
    Total ARP retries                   The total number of ARP requests sent by the ARP module when the address was not resolved in response to the first ARP request.
    Unresolved hosts                    The number of unresolved hosts for which ARP requests are still being sent out by the ARP module.
    Maximum unresolved hosts            The maximum number of unresolved hosts that were ever in the ARP module since it was last cleared or the ASA booted up.

Related Commands

    Command                   Description
    arp-inspection            For transparent firewall mode, inspects ARP packets to prevent ARP spoofing.
    clear arp statistics      Clears ARP statistics and resets the values to zero.
    show arp                  Shows the ARP table.
    show running-config arp   Shows the current configuration of the ARP timeout.

show arp vtep-mapping

To display MAC addresses cached on the VNI interface for IP addresses located in the remote segment domain and the remote VTEP IP addresses, use the show arp vtep-mapping command in privileged EXEC mode.

    show arp vtep-mapping

Syntax Description

    This command has no arguments or keywords.

Command Default

    No default behavior or values.
Command Modes

    The following table shows the modes in which you can enter the command:

                          Firewall Mode          Security Context
                                                          Multiple
    Command Mode          Routed   Transparent   Single   Context   System
    Privileged EXEC       Yes      Yes           Yes      Yes       —

Command History

    Release   Modification
    9.4(1)    This command was added.

Usage Guidelines

    When the ASA sends a packet to a device behind a peer VTEP, the ASA needs two important pieces of information:

    • The destination MAC address of the remote device
    • The destination IP address of the peer VTEP

    There are two ways in which the ASA can find this information:

    • A single peer VTEP IP address can be statically configured on the ASA. You cannot manually define multiple peers. The ASA then sends a VXLAN-encapsulated ARP broadcast to the VTEP to learn the end node MAC address.
    • A multicast group can be configured on each VNI interface (or on the VTEP as a whole). The ASA sends a VXLAN-encapsulated ARP broadcast packet within an IP multicast packet through the VTEP source interface. The response to this ARP request enables the ASA to learn both the remote VTEP IP address and the destination MAC address of the remote end node.

    The ASA maintains a mapping of destination MAC addresses to remote VTEP IP addresses for the VNI interfaces.

Examples

    See the following output for the show arp vtep-mapping command:

    ciscoasa# show arp vtep-mapping
    vni-outside  192.168.1.4  0012.0100.0003  577  15.1.2.3
    vni-inside   192.168.0.4  0014.0100.0003  577  15.1.2.3

Related Commands

    Command               Description
    debug vxlan           Debugs VXLAN traffic.
    default-mcast-group   Specifies a default multicast group for all VNI interfaces associated with the VTEP source interface.
    encapsulation vxlan   Sets the NVE instance to VXLAN encapsulation.
    inspect vxlan         Enforces compliance with the standard VXLAN header format.
    interface vni         Creates the VNI interface for VXLAN tagging.
    mcast-group           Sets the multicast group address for the VNI interface.
    nve                                   Specifies the Network Virtualization Endpoint instance.
    nve-only                              Specifies that the VXLAN source interface is NVE-only.
    peer ip                               Manually specifies the peer VTEP IP address.
    segment-id                            Specifies the VXLAN segment ID for a VNI interface.
    show interface vni                    Shows the parameters, status and statistics of a VNI interface, status of its bridged interface (if configured), and NVE interface it is associated with.
    show mac-address-table vtep-mapping   Displays the Layer 2 forwarding table (MAC address table) on the VNI interface with the remote VTEP IP addresses.
    show nve                              Shows the parameters, status and statistics of a NVE interface, status of its carrier interface (source interface), IP address of the carrier interface, VNIs that use this NVE as the VXLAN VTEP, and peer VTEP IP addresses associated with this NVE interface.
    show vni vlan-mapping                 Shows the mapping between VNI segment IDs and VLAN interfaces or physical interfaces in transparent mode.
    source-interface                      Specifies the VTEP source interface.
    vtep-nve                              Associates a VNI interface with the VTEP source interface.
    vxlan port                            Sets the VXLAN UDP port. By default, the VTEP source interface accepts VXLAN traffic to UDP port 4789.

show asdm history

To display the contents of the ASDM history buffer, use the show asdm history command in privileged EXEC mode.

    show asdm history [view timeframe] [snapshot] [feature feature] [asdmclient]

Syntax Description

    asdmclient        (Optional) Displays the ASDM history data formatted for the ASDM client.
    feature feature   (Optional) Limits the history display to the specified feature. The following are valid values for the feature argument:
                      • all—Displays the history for all features (default).
                      • blocks—Displays the history for the system buffers.
                      • cpu—Displays the history for CPU usage.
                      • failover—Displays the history for failover.
                      • ids—Displays the history for IDS.
                      • interface if_name—Displays the history for the specified interface. The if_name argument is the name of the interface as specified by the nameif command.
                      • memory—Displays memory usage history.
                      • perfmon—Displays performance history.
                      • sas—Displays the history for Security Associations.
                      • tunnels—Displays the history for tunnels.
                      • xlates—Displays translation slot history.
    snapshot          (Optional) Displays only the last ASDM history data point.
    view timeframe    (Optional) Limits the history display to the specified time period. Valid values for the timeframe argument are:
                      • all—all contents in the history buffer (default).
                      • 12h—12 hours
                      • 5d—5 days
                      • 60m—60 minutes
                      • 10m—10 minutes

Defaults

    If no arguments or keywords are specified, all history information for all features is displayed.

Command Modes

    The following table shows the modes in which you can enter the command:

                          Firewall Mode          Security Context
                                                          Multiple
    Command Mode          Routed   Transparent   Single   Context   System
    Privileged EXEC       Yes      Yes           Yes      Yes       Yes

Command History

    Release   Modification
    7.0(1)    This command was changed from the show pdm history command to the show asdm history command.

Usage Guidelines

    The show asdm history command displays the contents of the ASDM history buffer. Before you can view ASDM history information, you must enable ASDM history tracking using the asdm history enable command.

Examples

    The following is sample output from the show asdm history command. It limits the output to data for the outside interface collected during the last 10 minutes.
    ciscoasa# show asdm history view 10m feature interface outside
    Input KByte Count:          [ 10s:12:46:41 Mar 1 2005 ] 62640 62636 62633 62628 62622 62616 62609
    Output KByte Count:         [ 10s:12:46:41 Mar 1 2005 ] 25178 25169 25165 25161 25157 25151 25147
    Input KPacket Count:        [ 10s:12:46:41 Mar 1 2005 ] 752 752 751 751 751 751 751
    Output KPacket Count:       [ 10s:12:46:41 Mar 1 2005 ] 55 55 55 55 55 55 55
    Input Bit Rate:             [ 10s:12:46:41 Mar 1 2005 ] 3397 2843 3764 4515 4932 5728 4186
    Output Bit Rate:            [ 10s:12:46:41 Mar 1 2005 ] 7316 3292 3349 3298 5212 3349 3301
    Input Packet Rate:          [ 10s:12:46:41 Mar 1 2005 ] 5 4 6 7 6 8 6
    Output Packet Rate:         [ 10s:12:46:41 Mar 1 2005 ] 1 0 0 0 0 0 0
    Input Error Packet Count:   [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
    No Buffer:                  [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
    Received Broadcasts:        [ 10s:12:46:41 Mar 1 2005 ] 375974 375954 375935 375902 375863 375833 375794
    Runts:                      [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
    Giants:                     [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
    CRC:                        [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
    Frames:                     [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
    Overruns:                   [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
    Underruns:                  [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
    Output Error Packet Count:  [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
    Collisions:                 [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
    LCOLL:                      [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
    Reset:                      [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
    Deferred:                   [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
    Lost Carrier:               [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
    Hardware Input Queue:       [ 10s:12:46:41 Mar 1 2005 ] 128 128 128 128 128 128 128
    Software Input Queue:       [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
    Hardware Output Queue:      [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
    Software Output Queue:      [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
    Drop KPacket Count:         [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
    ciscoasa#

    The following is sample output from the show asdm history command.
    Like the previous example, it limits the output to data for the outside interface collected during the last 10 minutes. However, in this example the output is formatted for the ASDM client.

    ciscoasa# show asdm history view 10m feature interface outside asdmclient
    MH|IBC|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|62439|62445|62453|62457|62464|
    62469|62474|62486|62489|62496|62501|62506|62511|62518|62522|62530|62534|62539|62542|62547|
    62553|62556|62562|62568|62574|62581|62585|62593|62598|62604|62609|62616|62622|62628|62633|
    62636|62640|62653|62657|62665|62672|62678|62681|62686|62691|62695|62700|62704|62711|62718|
    62723|62728|62733|62738|62742|62747|62751|62761|62770|62775|
    ...

    The following is sample output from the show asdm history command using the snapshot keyword:

    ciscoasa# show asdm history view 10m snapshot
    Available 4 byte Blocks: [ 10s] : 100
    Used 4 byte Blocks: [ 10s] : 0
    Available 80 byte Blocks: [ 10s] : 100
    Used 80 byte Blocks: [ 10s] : 0
    Available 256 byte Blocks: [ 10s] : 2100
    Used 256 byte Blocks: [ 10s] : 0
    Available 1550 byte Blocks: [ 10s] : 7425
    Used 1550 byte Blocks: [ 10s] : 1279
    Available 2560 byte Blocks: [ 10s] : 40
    Used 2560 byte Blocks: [ 10s] : 0
    Available 4096 byte Blocks: [ 10s] : 30
    Used 4096 byte Blocks: [ 10s] : 0
    Available 8192 byte Blocks: [ 10s] : 60
    Used 8192 byte Blocks: [ 10s] : 0
    Available 16384 byte Blocks: [ 10s] : 100
    Used 16384 byte Blocks: [ 10s] : 0
    Available 65536 byte Blocks: [ 10s] : 10
    Used 65536 byte Blocks: [ 10s] : 0
    CPU Utilization: [ 10s] : 31
    Input KByte Count: [ 10s] : 62930
    Output KByte Count: [ 10s] : 26620
    Input KPacket Count: [ 10s] : 755
    Output KPacket Count: [ 10s] : 58
    Input Bit Rate: [ 10s] : 24561
    Output Bit Rate: [ 10s] : 518897
    Input Packet Rate: [ 10s] : 48
    Output Packet Rate: [ 10s] : 114
    Input Error Packet Count: [ 10s] : 0
    No Buffer: [ 10s] : 0
    Received Broadcasts: [ 10s] : 377331
    Runts: [ 10s] : 0
    Giants: [ 10s] : 0
    CRC: [ 10s] : 0
    Frames: [ 10s] : 0
    Overruns: [ 10s] : 0
    Underruns: [ 10s] : 0
    Output Error Packet Count: [ 10s] : 0
    Collisions: [ 10s] : 0
    LCOLL: [ 10s] : 0
    Reset: [ 10s] : 0
    Deferred: [ 10s] : 0
    Lost Carrier: [ 10s] : 0
    Hardware Input Queue: [ 10s] : 128
    Software Input Queue: [ 10s] : 0
    Hardware Output Queue: [ 10s] : 0
    Software Output Queue: [ 10s] : 0
    Drop KPacket Count: [ 10s] : 0
    Input KByte Count: [ 10s] : 3672
    Output KByte Count: [ 10s] : 4051
    Input KPacket Count: [ 10s] : 19
    Output KPacket Count: [ 10s] : 20
    Input Bit Rate: [ 10s] : 0
    Output Bit Rate: [ 10s] : 0
    Input Packet Rate: [ 10s] : 0
    Output Packet Rate: [ 10s] : 0
    Input Error Packet Count: [ 10s] : 0
    No Buffer: [ 10s] : 0
    Received Broadcasts: [ 10s] : 1458
    Runts: [ 10s] : 1
    Giants: [ 10s] : 0
    CRC: [ 10s] : 0
    Frames: [ 10s] : 0
    Overruns: [ 10s] : 0
    Underruns: [ 10s] : 0
    Output Error Packet Count: [ 10s] : 0
    Collisions: [ 10s] : 63
    LCOLL: [ 10s] : 0
    Reset: [ 10s] : 0
    Deferred: [ 10s] : 15
    Lost Carrier: [ 10s] : 0
    Hardware Input Queue: [ 10s] : 128
    Software Input Queue: [ 10s] : 0
    Hardware Output Queue: [ 10s] : 0
    Software Output Queue: [ 10s] : 0
    Drop KPacket Count: [ 10s] : 0
    Input KByte Count: [ 10s] : 0
    Output KByte Count: [ 10s] : 0
    Input KPacket Count: [ 10s] : 0
    Output KPacket Count: [ 10s] : 0
    Input Bit Rate: [ 10s] : 0
    Output Bit Rate: [ 10s] : 0
    Input Packet Rate: [ 10s] : 0
    Output Packet Rate: [ 10s] : 0
    Input Error Packet Count: [ 10s] : 0
    No Buffer: [ 10s] : 0
    Received Broadcasts: [ 10s] : 0
    Runts: [ 10s] : 0
    Giants: [ 10s] : 0
    CRC: [ 10s] : 0
    Frames: [ 10s] : 0
    Overruns: [ 10s] : 0
    Underruns: [ 10s] : 0
    Output Error Packet Count: [ 10s] : 0
    Collisions: [ 10s] : 0
    LCOLL: [ 10s] : 0
    Reset: [ 10s] : 0
    Deferred: [ 10s] : 0
    Lost Carrier: [ 10s] : 0
    Hardware Input Queue: [ 10s] : 128
    Software Input Queue: [ 10s] : 0
    Hardware Output Queue: [ 10s] : 0
    Software Output Queue: [ 10s] : 0
    Drop KPacket Count: [ 10s] : 0
    Input KByte Count: [ 10s] : 0
    Output KByte Count: [ 10s] : 0
    Input KPacket Count: [ 10s] : 0
    Output KPacket Count: [ 10s] : 0
    Input Bit Rate: [ 10s] : 0
    Output Bit Rate: [ 10s] : 0
    Input Packet Rate: [ 10s] : 0
    Output Packet Rate: [ 10s] : 0
    Input Error Packet Count: [ 10s] : 0
    No Buffer: [ 10s] : 0
    Received Broadcasts: [ 10s] : 0
    Runts: [ 10s] : 0
    Giants: [ 10s] : 0
    CRC: [ 10s] : 0
    Frames: [ 10s] : 0
    Overruns: [ 10s] : 0
    Underruns: [ 10s] : 0
    Output Error Packet Count: [ 10s] : 0
    Collisions: [ 10s] : 0
    LCOLL: [ 10s] : 0
    Reset: [ 10s] : 0
    Deferred: [ 10s] : 0
    Lost Carrier: [ 10s] : 0
    Hardware Input Queue: [ 10s] : 128
    Software Input Queue: [ 10s] : 0
    Hardware Output Queue: [ 10s] : 0
    Software Output Queue: [ 10s] : 0
    Drop KPacket Count: [ 10s] : 0
    Available Memory: [ 10s] : 205149944
    Used Memory: [ 10s] : 63285512
    Xlate Count: [ 10s] : 0
    Connection Count: [ 10s] : 0
    TCP Connection Count: [ 10s] : 0
    UDP Connection Count: [ 10s] : 0
    URL Filtering Count: [ 10s] : 0
    URL Server Filtering Count: [ 10s] : 0
    TCP Fixup Count: [ 10s] : 0
    TCP Intercept Count: [ 10s] : 0
    HTTP Fixup Count: [ 10s] : 0
    FTP Fixup Count: [ 10s] : 0
    AAA Authentication Count: [ 10s] : 0
    AAA Authorzation Count: [ 10s] : 0
    AAA Accounting Count: [ 10s] : 0
    Current Xlates: [ 10s] : 0
    Max Xlates: [ 10s] : 0
    ISAKMP SAs: [ 10s] : 0
    IPsec SAs: [ 10s] : 0
    L2TP Sessions: [ 10s] : 0
    L2TP Tunnels: [ 10s] : 0
    ciscoasa#

Related Commands

    Command               Description
    asdm history enable   Enables ASDM history tracking.

show asdm image

To display the current ASDM software image file, use the show asdm image command in privileged EXEC mode.

    show asdm image

Syntax Description

    This command has no arguments or keywords.

Defaults

    No default behavior or values.
Command Modes

    The following table shows the modes in which you can enter the command:

                          Firewall Mode          Security Context
                                                          Multiple
    Command Mode          Routed   Transparent   Single   Context   System
    Privileged EXEC       Yes      Yes           Yes      Yes       —

Command History

    Release   Modification
    7.0(1)    This command was changed from the show pdm image command to the show asdm image command.

Examples

    The following is sample output from the show asdm image command:

    ciscoasa# show asdm image
    Device Manager image file, flash:/ASDM

Related Commands

    Command      Description
    asdm image   Specifies the current ASDM image file.

show asdm log_sessions

To display a list of active ASDM logging sessions and their associated session IDs, use the show asdm log_sessions command in privileged EXEC mode.

    show asdm log_sessions

Syntax Description

    This command has no arguments or keywords.

Defaults

    No default behavior or values.

Command Modes

    The following table shows the modes in which you can enter the command:

                          Firewall Mode          Security Context
                                                          Multiple
    Command Mode          Routed   Transparent   Single   Context   System
    Privileged EXEC       Yes      Yes           Yes      Yes       —

Command History

    Release   Modification
    7.0(1)    This command was added.

Usage Guidelines

    Each active ASDM session has one or more associated ASDM logging sessions. ASDM uses the logging session to retrieve syslog messages from the ASA. Each ASDM logging session is assigned a unique session ID. You can use this session ID with the asdm disconnect log_session command to terminate the specified session.

    Note    Because each ASDM session has at least one ASDM logging session, the output of the show asdm sessions and show asdm log_sessions commands may appear to be the same.
Examples

    The following is sample output from the show asdm log_sessions command:

    ciscoasa# show asdm log_sessions
    0 192.168.1.1
    1 192.168.1.2

Related Commands

    Command                       Description
    asdm disconnect log_session   Terminates an active ASDM logging session.

show asdm sessions

To display a list of active ASDM sessions and their associated session IDs, use the show asdm sessions command in privileged EXEC mode.

    show asdm sessions

Syntax Description

    This command has no arguments or keywords.

Defaults

    No default behavior or values.

Command Modes

    The following table shows the modes in which you can enter the command:

                          Firewall Mode          Security Context
                                                          Multiple
    Command Mode          Routed   Transparent   Single   Context   System
    Privileged EXEC       Yes      Yes           Yes      Yes       —

Command History

    Release   Modification
    7.0(1)    This command was changed from the show pdm sessions command to the show asdm sessions command.

Usage Guidelines

    Each active ASDM session is assigned a unique session ID. You can use this session ID with the asdm disconnect command to terminate the specified session.

Examples

    The following is sample output from the show asdm sessions command:

    ciscoasa# show asdm sessions
    0 192.168.1.1
    1 192.168.1.2

Related Commands

    Command           Description
    asdm disconnect   Terminates an active ASDM session.

CHAPTER 3

show as-path-access-list through show auto-update Commands

show as-path-access-list

To display the contents of all current autonomous system (AS) path access lists, use the show as-path-access-list command in user EXEC or privileged EXEC mode.

    show as-path-access-list [name]

Syntax Description

    name   (Optional) Specifies the AS path access list name.

Defaults

    If the name argument is not specified, command output is displayed for all AS path access lists.

Command Modes

    The following table shows the modes in which you can enter the command:

                                  Firewall Mode          Security Context
                                                                  Multiple
    Command Mode                  Routed   Transparent   Single   Context   System
    Privileged EXEC, User EXEC    Yes      Yes           Yes      Yes       Yes

Command History

    Release   Modification
    9.2(1)    This command was added.

Examples

    The following is sample output from the show as-path-access-list command:

    ciscoasa# show as-path-access-list
    AS path access list as-path-acl-1
        deny RTR$
    AS path access list as-path-acl-2
        permit 100$

    Table 3-1 shows each field description.

    Table 3-1    show as-path-access-list Fields

    Field                 Description
    AS path access list   Indicates the AS path access list name.
    deny                  Indicates the number of packets that are rejected since the regular expression failed to match the representation of the AS path of the route as an ASCII string.
    permit                Indicates the number of packets that are forwarded since the regular expression matched the representation of the AS path of the route as an ASCII string.

show asp cluster counter

To debug global or context-specific information in a clustering environment, use the show asp cluster counter command in privileged EXEC mode.

    show asp cluster counter

Syntax Description

    This command has no arguments or keywords.

Defaults

    No default behavior or values.

Command Modes

    The following table shows the modes in which you can enter the command:

                          Firewall Mode          Security Context
                                                          Multiple
    Command Mode          Routed   Transparent   Single   Context   System
    Privileged EXEC       Yes      Yes           Yes      Yes       Yes

Command History

    Release   Modification
    9.0(1)    This command was added.

Usage Guidelines

    The show asp cluster counter command shows the global and context-specific DP counters, which might help you troubleshoot a problem. This information is used for debugging purposes only, and the information output is subject to change.
    Consult the Cisco TAC to help you debug your system with this command.

Examples

    The following is sample output from the show asp cluster counter command:

    ciscoasa# show asp cluster counter
    Global dp-counters:

    Context specific dp-counters:
    MCAST_FP_TO_SP                    361136
    MCAST_SP_TOTAL                    361136
    MCAST_SP_PKTS                     143327
    MCAST_SP_PKTS_TO_CP               143327
    MCAST_FP_CHK_FAIL_NO_HANDLE       217809
    MCAST_FP_CHK_FAIL_NO_ACCEPT_IFC    81192
    MCAST_FP_CHK_FAIL_NO_FP_FWD        62135

Related Commands

    Command         Description
    show asp drop   Shows the accelerated security path counters for dropped packets.

show asp drop

To debug the accelerated security path dropped packets or connections, use the show asp drop command in privileged EXEC mode.

    show asp drop [flow [flow_drop_reason] | frame [frame_drop_reason]]

Syntax Description

    flow [flow_drop_reason]     (Optional) Shows the dropped flows (connections). You can specify a particular reason by using the flow_drop_reason argument. Use ? to see a list of possible flow drop reasons.
    frame [frame_drop_reason]   (Optional) Shows the dropped packets. You can specify a particular reason by using the frame_drop_reason argument. Use ? to see a list of possible frame drop reasons.

Defaults

    No default behavior or values.

Command Modes

    The following table shows the modes in which you can enter the command:

                          Firewall Mode          Security Context
                                                          Multiple
    Command Mode          Routed   Transparent   Single   Context   System
    Privileged EXEC       Yes      Yes           Yes      Yes       Yes

Command History

    Release                Modification
    7.0(1)                 This command was added.
    7.0(8)/7.2(4)/8.0(4)   Output includes a timestamp indicating when the counters were last cleared (see the clear asp drop command). It also displays the drop reason keywords next to the description, so you can easily use the capture asp-drop command with the associated keyword.
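As an added example (not part of the Cisco reference), the following Python reads show asp drop output in the layout this entry's Examples section shows (a Frame drop and a Flow drop section, each counter line ending in the drop-reason keyword and a count, each section followed by a Last clearing stamp) and reports how much each counter grew between two readings. It uses the "Last clearing" stamp the way the Command History above describes it: a changed stamp means clear asp drop ran in between, so the earlier value is discarded. SAMPLE_T0 is this entry's own sample; the later reading and the thresholds are constructed.

```python
"""Parse Cisco ASA `show asp drop` output and track counter growth.

Added example, not part of the Cisco reference. Expects the layout the
reference shows: "Frame drop:" and "Flow drop:" sections whose counter
lines end with the drop-reason keyword in parentheses and a count, each
section followed by a "Last clearing:" stamp.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SECTION = re.compile(r"^\s*(?P<name>Frame|Flow) drop:\s*$")
COUNTER = re.compile(r"^\s+(?P<desc>.+?)\s+\((?P<key>[\w-]+)\)\s+(?P<count>\d+)\s*$")
CLEARED = re.compile(r"^\s*Last clearing:\s+(?P<when>.+?)\s*$")


@dataclass
class AspDrop:
    counts: dict = field(default_factory=dict)         # (section, keyword) -> count
    descriptions: dict = field(default_factory=dict)   # (section, keyword) -> text
    last_clearing: dict = field(default_factory=dict)  # section -> stamp


def parse_show_asp_drop(text: str) -> AspDrop:
    """Read both sections; the keyword is the one `capture ... asp-drop` takes."""
    result, section = AspDrop(), None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            section = m["name"].lower()     # "frame" or "flow"
            continue
        m = CLEARED.match(line)
        if m and section:
            result.last_clearing[section] = m["when"]
            continue
        m = COUNTER.match(line)
        if m and section:
            key = (section, m["key"])
            result.counts[key] = int(m["count"])
            result.descriptions[key] = m["desc"]
    return result


def drop_deltas(previous: AspDrop, current: AspDrop) -> dict:
    """Growth of every counter since `previous`.

    If a section's "Last clearing" stamp changed between the readings, the
    counters were cleared in between: the old value is meaningless and the
    current count is the whole delta.
    """
    deltas = {}
    for key, now in current.counts.items():
        section = key[0]
        reset = previous.last_clearing.get(section) != current.last_clearing.get(section)
        deltas[key] = now - (0 if reset else previous.counts.get(key, 0))
    return deltas


def exceeded(deltas: dict, thresholds: dict) -> list:
    """(key, delta) pairs whose growth reached the threshold for that keyword, largest first."""
    hits = [(k, d) for k, d in deltas.items() if d >= thresholds.get(k[1], float("inf"))]
    return sorted(hits, key=lambda kd: kd[1], reverse=True)


# SAMPLE_T0 is the reference's own example output.
SAMPLE_T0 = """\
ciscoasa# show asp drop

Frame drop:
  Flow is denied by configured rule (acl-drop)                       3
  Dst MAC L2 Lookup Failed (dst-l2_lookup-fail)                   4110
  L2 Src/Dst same LAN port (l2_same-lan-port)                      760
  Expired flow (flow-expired)                                        1

Last clearing: Never

Flow drop:
  Flow is denied by access rule (acl-drop)                          24
  NAT failed (nat-failed)                                        28739
  NAT reverse path failed (nat-rpf-failed)                       22266
  Inspection failure (inspect-fail)                              19433

Last clearing: 17:02:12 UTC Jan 17 2012 by enable_15
"""


def _bump(sample: str, keyword: str, new_count: int) -> str:
    """Rewrite the first counter line for `keyword` (builds constructed samples only)."""
    return re.sub(rf"(\({keyword}\)\s+)\d+", rf"\g<1>{new_count}", sample, count=1)


# SAMPLE_T1: a constructed later reading of the same box in which 900 more
# frames hit acl-drop and 200 more flows failed the NAT reverse-path check.
SAMPLE_T1 = _bump(_bump(SAMPLE_T0, "acl-drop", 903), "nat-rpf-failed", 22466)

if __name__ == "__main__":
    t0, t1 = parse_show_asp_drop(SAMPLE_T0), parse_show_asp_drop(SAMPLE_T1)
    for key, delta in exceeded(drop_deltas(t0, t1), {"acl-drop": 500, "nat-rpf-failed": 100}):
        print(f"{key[0]} {key[1]} ({t1.descriptions[key]}) grew by {delta}")
```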
Usage Guidelines

    The show asp drop command shows the packets or connections dropped by the accelerated security path, which might help you troubleshoot a problem. See the general operations configuration guide for more information about the accelerated security path. This information is used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

    For detailed descriptions of each drop reason name and description, including recommendations, see show asp drop Command Usage.

Examples

    The following is sample output from the show asp drop command, with the time stamp indicating the last time the counters were cleared:

    ciscoasa# show asp drop

    Frame drop:
      Flow is denied by configured rule (acl-drop)                       3
      Dst MAC L2 Lookup Failed (dst-l2_lookup-fail)                   4110
      L2 Src/Dst same LAN port (l2_same-lan-port)                      760
      Expired flow (flow-expired)                                        1

    Last clearing: Never

    Flow drop:
      Flow is denied by access rule (acl-drop)                          24
      NAT failed (nat-failed)                                        28739
      NAT reverse path failed (nat-rpf-failed)                       22266
      Inspection failure (inspect-fail)                              19433

    Last clearing: 17:02:12 UTC Jan 17 2012 by enable_15

Related Commands

    Command          Description
    capture          Captures packets, including the option to capture packets based on an ASP drop code.
    clear asp drop   Clears drop statistics for the accelerated security path.
    show conn        Shows information about connections.

show asp event dp-cp

To debug the data path or control path event queues, use the show asp event dp-cp command in privileged EXEC mode.

    show asp event dp-cp [cxsc msg]

Syntax Description

    cxsc msg   (Optional) Identifies the CXSC event messages that are sent to the CXSC event queue.

Defaults

    No default behavior or values.

Command Modes

    The following table shows the modes in which you can enter the command:
                          Firewall Mode          Security Context
                                                          Multiple
    Command Mode          Routed   Transparent   Single   Context   System
    Privileged EXEC       Yes      Yes           Yes      Yes       Yes

Command History

    Release   Modification
    9.0(1)    This command was added.
    9.1(3)    A routing event queue entry was added.

Usage Guidelines

    The show asp event dp-cp command shows the contents of the data path and control path, which might help you troubleshoot a problem. See the CLI configuration guide for more information about the data path and control path. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

    The following is sample output from the show asp event dp-cp command:

    ciscoasa# show asp event dp-cp
    DP-CP EVENT QUEUE                  QUEUE-LEN  HIGH-WATER
    Punt Event Queue                           0        2048
    Routing Event Queue                        0           1
    Identity-Traffic Event Queue               0          17
    General Event Queue                        0           0
    Syslog Event Queue                         0        3192
    Non-Blocking Event Queue                   0           4
    Midpath High Event Queue                   0           0
    Midpath Norm Event Queue                   0           0
    SRTP Event Queue                           0           0
    HA Event Queue                             0           3
    Threat-Detection Event Queue               0           3
    ARP Event Queue                            0           3
    IDFW Event Queue                           0           0
    CXSC Event Queue                           0           0

    EVENT-TYPE           ALLOC  ALLOC-FAIL  ENQUEUED  ENQ-FAIL  RETIRED  15SEC-RATE
    punt               4005920           0    935295   3070625  4005920        4372
    inspect-sunrp      4005920           0    935295   3070625  4005920        4372
    routing                 77           0        77         0       77           0
    arp-in                 618           0       618         0      618           0
    identity-traffic      1519           0      1519         0     1519           0
    syslog                5501           0      5501         0     5501           0
    threat-detection        12           0        12         0       12           0
    ips-cplane            1047           0      1047         0     1047           0
    ha-msg                 520           0       520         0      520           0
    cxsc-msg               127           0       127         0      127           0

show asp load-balance

To display a histogram of the load balancer queue sizes, use the show asp load-balance command in privileged EXEC mode.

    show asp load-balance [detail]

Syntax Description

    detail   (Optional) Shows detailed information about hash buckets.

Defaults

    No default behavior or values.

Command Modes

    The following table shows the modes in which you can enter the command:

                          Firewall Mode          Security Context
                                                          Multiple
    Command Mode          Routed   Transparent   Single   Context   System
    Privileged EXEC       Yes      Yes           Yes      —         Yes

Command History

    Release   Modification
    8.1(1)    This command was added.

Usage Guidelines

    The show asp load-balance command might help you troubleshoot a problem. Normally a packet will be processed by the same core that pulled it in from the interface receive ring. However, if another core is already processing the same connection as the packet just received, then the packet will be queued to that core. This queuing can cause the load balancer queue to grow while other cores are idle. See the asp load-balance per-packet command for more information.

Examples

    The following is sample output from the show asp load-balance command. The X-axis represents the number of packets queued in different queues. The Y-axis represents the number of load balancer hash buckets (not to be confused with the bucket in the histogram title, which refers to the histogram bucket) that have packets queued. To know the exact number of hash buckets having the queue, use the detail keyword.

    ciscoasa# show asp load-balance
    Histogram of 'ASP load balancer queue sizes'
        64 buckets sampling from 1 to 65 (1 per bucket)
        6 samples within range (average=23)

                           ASP load balancer queue sizes
          100 +
              |
              |
              |
      S       |
      a       |
      m       |
      p       |
      l       |
      e    10 +
      s       |
              |
              |
              |
              |                            #
              |   # #                     # #           #
              |   # #                     # #           #
              +---------+---------+---------+---------+---------+---------+---
                       10        20        30        40        50        60
                                  # of queued jobs per queue

    The following is sample output from the show asp load-balance detail command.
ciscoasa# show asp load-balance detail <Same histogram output as before with the addition of the following values for the histogram> Data points: <snip> bucket[1-1] = bucket[2-2] = bucket[3-3] = bucket[4-4] = bucket[5-5] = bucket[6-6] = <snip> bucket[28-28] bucket[29-29] bucket[30-30] <snip> bucket[41-41] bucket[42-42] RelatedCommands 0 0 0 1 0 1 samples samples samples samples samples samples = 2 samples = 0 samples = 1 samples = 0 samples = 1 samples Command Description asp load-balance per-packet Changes the core load balancing method for multi-core ASA models. Cisco ASA Series Command Reference, S Commands 3-10 Chapter show asp load-balance per-packet To display specific statistics for ASP load balancing per packet, use the show asp load-balance per-packet command in privileged EXEC mode. show asp load-balance per-packet [history] Syntax Description history Defaults If you do not specify any options, this command shows the basic status, related values, and statistics of ASP load balancing per packet. Command Modes The following table shows the modes in which you can enter the command: (Optional) Shows the configuration status (enabled, disabled, or auto), current status (enabled or disabled), high and low watermarks, the global threshold, the number of times an automatic switch occurred, the minimum and maximum wait times with automatic switching enabled, the history of ASP load balancing per packet with time stamps, and the reasons for switching it on and off. Firewall Mode Security Context Multiple Command Mode Privileged EXEC Command History Usage Guidelines Routed • Transparent Single Yes • Release Modification 9.3(1) This command was added. 
Yes • Yes Context — System • Yes The show asp load-balance per-packet command shows the configuration status (enabled, disabled, or auto), current status (enabled or disabled), high and low watermarks, the global threshold, the number of times an automatic switch occurred, and the minimum and maximum wait times with automatic switching enabled, for ASP load balancing per packet. The information appears in the following format: Config mode : [ enabled | disabled | auto ] Current status : [ enabled | disabled ] RX ring Blocks low/high watermark : [RX ring Blocks low watermark in percentage] / [RX ring Blocks high watermark in percentage] System RX ring count low threshold : [System RX ring count low threshold] / [Total number of RX rings in the system] System RX ring count high threshold : [System RX ring count high threshold] / [Total number of RX rings in the system] Cisco ASA Series Command Reference, S Commands 3-11 Chapter Auto mode Current RX ring count threshold status : [Number of RX rings crossed watermark] / [Total number of RX rings in the system] Number of times auto switched : [Number of times ASP load-balance per-packet has been switched] Min/max wait time with auto enabled : [Minimal wait time with auto enabled] / [Maximal wait time with auto enabled] (ms) Manual mode Current RX ring count threshold status : N/A Only the ASA 5585-X and the ASASM support the use of this command. 
Examples

The following is sample output from the show asp load-balance per-packet command:

    ciscoasa# show asp load-balance per-packet
    Config status                           : auto
    Current status                          : disabled
    RX ring Blocks low/high watermark       : 50% / 75%
    System RX ring count low threshold      : 1 / 33
    System RX ring count high threshold     : 7 / 33
    Current RX ring count threshold status  : 0 / 33
    Number of times auto switched           : 17
    Min/max wait time with auto enabled     : 200 / 6400 (ms)

The following is sample output from the show asp load-balance per-packet history command:

    ciscoasa# show asp load-balance per-packet history
    Config status                           : auto
    Current status                          : disabled
    RX ring Blocks low/high watermark       : 50% / 75%
    System RX ring count low threshold      : 1 / 33
    System RX ring count high threshold     : 7 / 33
    Current RX ring count threshold status  : 0 / 33
    Number of times auto switched           : 17
    Min/max wait time with auto enabled     : 200 / 6400 (ms)

    ===================================================================================================
                              From State          To State            Reason
    ===================================================================================================
    15:07:13 UTC Dec 17 2013  Manually Disabled   Manually Disabled   Disabled at startup
    15:09:14 UTC Dec 17 2013  Manually Disabled   Manually Enabled    Config
    15:09:15 UTC Dec 17 2013  Manually Enabled    Auto Disabled       0/33 of the ring(s) crossed the watermark
    15:10:16 UTC Dec 17 2013  Auto Disabled       Auto Enabled        1/33 of the ring(s) crossed the watermark
                                                                      Internal-Data0/0 RX[01] crossed above high watermark
    15:10:16 UTC Dec 17 2013  Auto Enabled        Auto Enabled        2/33 of the ring(s) crossed the watermark
                                                                      Internal-Data0/1 RX[04] crossed above high watermark
    15:10:16 UTC Dec 17 2013  Auto Enabled        Auto Enabled        3/33 of the ring(s) crossed the watermark
                                                                      Internal-Data0/1 RX[05] crossed above high watermark
    15:10:16 UTC Dec 17 2013  Auto Enabled        Auto Enabled        2/33 of the ring(s) crossed the watermark
                                                                      Internal-Data0/0 RX[01] dropped below low watermark
    15:10:17 UTC Dec 17 2013  Auto Enabled        Auto Enabled        3/33 of the ring(s) crossed the watermark
                                                                      Internal-Data0/2 RX[01] crossed above high watermark
    (---More---)
    15:14:01 UTC Dec 17 2013  Auto Enabled        Auto Disabled       8/33 of the ring(s) crossed the watermark
                                                                      Internal-Data0/3 RX[01] crossed above high watermark
    15:14:01 UTC Dec 17 2013  Auto Disabled       Auto Enabled        7/33 of the ring(s) crossed the watermark
                                                                      Internal-Data0/3 RX[01] dropped below low watermark
    (---More---)
    15:20:11 UTC Dec 17 2013  Auto Enabled        Auto Disabled       0/33 of the ring(s) crossed the watermark
                                                                      Internal-Data0/2 RX[01] dropped below low watermark
    (---More---)

Related Commands

    Command                            Description
    asp load-balance per-packet auto   Automatically switches ASP load balancing per packet on and off on each interface receive ring or set of flows.
    clear asp load-balance history     Clears the history of ASP load balancing per packet and resets the number of times an automatic switch occurred.


show asp table arp

To debug the accelerated security path ARP tables, use the show asp table arp command in privileged EXEC mode.

    show asp table arp [interface interface_name] [address ip_address [netmask mask]]

Syntax Description

    address ip_address          (Optional) Identifies an IP address for which you want to view ARP table entries.
    interface interface_name    (Optional) Identifies a specific interface for which you want to view the ARP table.
    netmask mask                (Optional) Sets the subnet mask for the IP address.

Defaults

    No default behavior or values.

Command Modes

    The following table shows the modes in which you can enter the command:

    Command Mode      Firewall Mode          Security Context
                      Routed   Transparent   Single   Multiple
                                                      Context   System
    Privileged EXEC   Yes      Yes           Yes      Yes       Yes

Command History

    Release   Modification
    7.0(1)    This command was added.

Usage Guidelines

The show arp command shows the contents of the control plane, while the show asp table arp command shows the contents of the accelerated security path, which might help you troubleshoot a problem. See the CLI configuration guide for more information about the accelerated security path. These tables are used for debugging purposes only, and the output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp table arp command:

    ciscoasa# show asp table arp

    Context: single_vf, Interface: inside
      10.86.194.50      Active   000f.66ce.5d46 hits 0
      10.86.194.1       Active   00b0.64ea.91a2 hits 638
      10.86.194.172     Active   0001.03cf.9e79 hits 0
      10.86.194.204     Active   000f.66ce.5d3c hits 0
      10.86.194.188     Active   000f.904b.80d7 hits 0
    Context: single_vf, Interface: identity
      ::                Active   0000.0000.0000 hits 0
      0.0.0.0           Active   0000.0000.0000 hits 50208

Related Commands

    Command               Description
    show arp              Shows the ARP table.
    show arp statistics   Shows ARP statistics.


show asp table classify

To debug the accelerated security path classifier tables, use the show asp table classify command in privileged EXEC mode.

    show asp table classify [interface interface_name] [crypto | domain domain_name] [hits] [match regexp] [user-statistics]

Syntax Description

    crypto                      (Optional) Shows the encrypt, decrypt, and ipsec tunnel flow domains only.
    domain domain_name          (Optional) Shows entries for a specific classifier domain. See the CLI help for a list of the available domains.
    hits                        (Optional) Shows classifier entries that have non-zero hits values.
    interface interface_name    (Optional) Identifies a specific interface for which you want to view the classifier table.
    match regexp                (Optional) Shows classifier entries that match the regular expression. Use quotes when regular expressions include spaces.
    user-statistics             (Optional) Specifies user and group information.

Defaults

    No default behavior or values.

Command Modes

    The following table shows the modes in which you can enter the command:

    Command Mode      Firewall Mode          Security Context
                      Routed   Transparent   Single   Multiple
                                                      Context   System
    Privileged EXEC   Yes      Yes           Yes      Yes       Yes

Command History

    Release    Modification
    7.0(1)     This command was added.
    7.2(4)     The hits option and the timestamp were added to indicate the last time the ASP table counters were cleared.
    8.0(2)     A new counter was added to show the number of times a match compilation was aborted. This counter is shown only if the value is greater than 0.
    8.2(2)     The match regexp option was added.
    8.4(4.1)   The cxsc and cxsc-auth-proxy domains for the ASA CX module were added.
    9.0(1)     The user-statistics keyword was added. The output was updated to add security group names and source and destination tags.
    9.2(1)     Added the sfr domain for the ASA FirePOWER module.
    9.3(1)     The security group tag (SGT) value has been modified in the output. The tag value "tag=0" indicates an exact match to 0x0, which is the reserved SGT value for "unknown." The SGT value "tag=any" indicates a value that you do not need to consider in the rule.

Usage Guidelines

The show asp table classify command shows the classifier contents of the accelerated security path, which might help you troubleshoot a problem. See the CLI configuration guide for more information about the accelerated security path.

The classifier examines properties of incoming packets, such as protocol, and source and destination address, to match each packet to an appropriate classification rule. Each rule is labeled with a classification domain that determines what types of actions are performed, such as dropping a packet or allowing it through.
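The following Python script is an added example written for this reference; it is not Cisco code and not output from the ASA. It parses entries in the text format this command prints (in/out, id, priority, domain, deny, protocol, src and dst ip, mask and port), the same format the show asp table filter command uses later in this chapter, and reports which rule a packet would match. Two things the page does not state are assumptions here: rules are tried from the highest numeric priority down with ties in listing order (inferred from the filter table, where the implicit deny at priority=11 sits below the explicit rules at priority=12), and protocol=0 or port=0 means "any", as the implicit deny entries use them. SAMPLE_FILTER is constructed from the VPN filter entries shown under show asp table filter, and derive_outbound() reproduces the source/destination swap that command describes. Layer 2 (mac=) entries are skipped.

```python
"""Match a packet against 'show asp table classify' / 'show asp table filter'
entries.  Added example for this reference, not Cisco code.  Assumptions the
page does not state: rules are tried from the highest numeric priority down,
ties in listing order (inferred from the filter table, where the implicit deny
at priority=11 sits below the explicit rules at priority=12); protocol=0 and
port=0 mean 'any'.  SAMPLE_FILTER is constructed from the VPN filter entries
shown under show asp table filter."""
import ipaddress
import re
from dataclasses import dataclass, replace
from typing import List, Optional

# An entry is 'in'/'out', an id, then key=value lines up to the next entry.
ENTRY_RE = re.compile(
    r"^\s*(in|out)\s+id=(0x[0-9a-fA-F]+),(.*?)(?=^\s*(?:in|out)\s+id=|\Z)",
    re.M | re.S)
# 'src ip=0.0.0.0, mask=0.0.0.0, port=21', 'src ip/id=...' or 'src ip=::/0, port=0'
ADDR_RE = r"{0} ip(?:/id)?=([^,\s]+)(?:, mask=([^,\s]+))?(?:, port=(\d+))?"

@dataclass(frozen=True)
class Rule:
    direction: str
    rule_id: str
    priority: int
    domain: str
    deny: bool
    protocol: int   # 0 = any
    src: object     # ipaddress network
    src_port: int   # 0 = any
    dst: object
    dst_port: int

def _net(ip, mask):
    """'ip/prefix' (IPv6 form) or ip plus dotted mask (IPv4 form) -> network."""
    if mask is None:
        return ipaddress.ip_network(ip, strict=False)
    prefix = bin(int(ipaddress.ip_address(mask))).count("1")
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def _field(body, name, default):
    m = re.search(rf"\b{name}=([\w-]+)", body)
    return m.group(1) if m else default

def parse_rules(text: str) -> List[Rule]:
    rules = []
    for direction, rule_id, body in ENTRY_RE.findall(text):
        s = re.search(ADDR_RE.format("src"), body)
        d = re.search(ADDR_RE.format("dst"), body)
        if not s or not d:          # Layer 2 (mac=) entries are not modelled
            continue
        rules.append(Rule(
            direction, rule_id, int(_field(body, "priority", "0")),
            _field(body, "domain", "?"), _field(body, "deny", "false") == "true",
            int(_field(body, "protocol", "0")),
            _net(s.group(1), s.group(2)), int(s.group(3) or 0),
            _net(d.group(1), d.group(2)), int(d.group(3) or 0)))
    return rules

def matches(r, proto, src, sport, dst, dport) -> bool:
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != r.src.version or d.version != r.dst.version:
        return False
    if r.protocol and r.protocol != proto:
        return False
    if (r.src_port and r.src_port != sport) or (r.dst_port and r.dst_port != dport):
        return False
    return s in r.src and d in r.dst

def lookup(rules, direction, proto, src, sport, dst, dport) -> Optional[Rule]:
    """First match, highest priority first; sorted() is stable, so equal
    priorities keep their listing order."""
    for r in sorted((r for r in rules if r.direction == direction),
                    key=lambda r: -r.priority):
        if matches(r, proto, src, sport, dst, dport):
            return r
    return None

def derive_outbound(r: Rule) -> Rule:
    """Outbound filter rule derived from an inbound one: source and
    destination swapped, same action."""
    return replace(r, direction="out", src=r.dst, src_port=r.dst_port,
                   dst=r.src, dst_port=r.src_port)

def rule_key(r: Rule):
    return (r.direction, r.protocol, str(r.src), r.src_port, str(r.dst), r.dst_port, r.deny)

SAMPLE_FILTER = """\
Global Filter Table:
in  id=0xd682f4a0, priority=12, domain=vpn-user, deny=false
        hits=0, user_data=0xd682f460, filter_id=0x2(vpnfilter), protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=95.1.224.100, mask=255.255.255.255, port=21
in  id=0xd616f018, priority=11, domain=vpn-user, deny=true
        hits=43, user_data=0xd613eb58, filter_id=0x0(-implicit deny-), protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
in  id=0xd616f518, priority=11, domain=vpn-user, deny=true
        hits=0, user_data=0xd615f068, filter_id=0x0(-implicit deny-), protocol=0
        src ip=::/0, port=0
        dst ip=::/0, port=0
out id=0xd7395650, priority=12, domain=vpn-user, deny=false
        hits=0, user_data=0xd7395610, filter_id=0x2(vpnfilter), protocol=6
        src ip=95.1.224.100, mask=255.255.255.255, port=21
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
"""

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_FILTER)
    hit = lookup(rules, "in", 6, "10.1.1.10", 40000, "95.1.224.100", 22)
    print(hit.rule_id, "deny" if hit.deny else "permit")   # falls to the implicit deny
```

Feed it the captured output of show asp table classify or show asp table filter in place of SAMPLE_FILTER to check which entry a given 5-tuple lands on; the IPv6 implicit deny is only reached by IPv6 packets because address family is compared before the network test.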
The information shown is used for debugging purposes only, and the output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp table classify command:

    ciscoasa# show asp table classify
    Interface test:
    No. of aborted compiles for input action table 0x33b3d70: 29
    in  id=0x36f3800, priority=10, domain=punt, deny=false
            hits=0, user_data=0x0, flags=0x0
            src ip=0.0.0.0, mask=0.0.0.0, port=0, tag=any
            dst ip=10.86.194.60, mask=255.255.255.255, port=0, tag=any
    in  id=0x33d3508, priority=99, domain=inspect, deny=false
            hits=0, user_data=0x0, use_real_addr, flags=0x0
            src ip=0.0.0.0, mask=0.0.0.0, port=0, tag=any
            dst ip=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    in  id=0x33d3978, priority=99, domain=inspect, deny=false
            hits=0, user_data=0x0, use_real_addr, flags=0x0
            src ip=0.0.0.0, mask=0.0.0.0, port=53, tag=any
            dst ip=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    ...

The following is sample output from the show asp table classify hits command, which lists only the entries whose hits counters are non-zero (the hits output also records when the counters were last cleared):

    Interface mgmt:
    in  id=0x494cd88, priority=210, domain=permit, deny=true
            hits=54, user_data=0x1, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=255.255.255.255, mask=255.255.255.255, port=0, dscp=0x0
    in  id=0x494d1b8, priority=112, domain=permit, deny=false
            hits=1, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Interface inside:
    in  id=0x48f1580, priority=210, domain=permit, deny=true
            hits=54, user_data=0x1, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=255.255.255.255, mask=255.255.255.255, port=0, dscp=0x0
    in  id=0x48f09e0, priority=1, domain=permit, deny=false
            hits=101, user_data=0x0, cs_id=0x0, l3_type=0x608
            src mac=0000.0000.0000, mask=0000.0000.0000
            dst mac=0000.0000.0000, mask=0000.0000.0000
    Interface outside:
    in  id=0x48c0970, priority=210, domain=permit, deny=true
            hits=54, user_data=0x1, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=255.255.255.255, mask=255.255.255.255, port=0, dscp=0x0

The following is sample output from the show asp table classify hits command that includes Layer 2 information:

    Input Table
    in  id=0x7fff2de10ae0, priority=120, domain=permit, deny=false
            hits=4, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
            src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
            input_ifc=LAN-SEGMENT, output_ifc=identity
    in  id=0x7fff2de135c0, priority=0, domain=inspect-ip-options, deny=true
            hits=41, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
            input_ifc=LAN-SEGMENT, output_ifc=any
    . . .

    Output Table:

    L2 - Output Table:

    L2 - Input Table:
    in  id=0x7fff2de0e080, priority=1, domain=permit, deny=false
            hits=30, user_data=0x0, cs_id=0x0, l3_type=0x608
            src mac=0000.0000.0000, mask=0000.0000.0000
            dst mac=0000.0000.0000, mask=0000.0000.0000
            input_ifc=LAN-SEGMENT, output_ifc=any
    in  id=0x7fff2de0e580, priority=1, domain=permit, deny=false
            hits=382, user_data=0x0, cs_id=0x0, l3_type=0x8
            src mac=0000.0000.0000, mask=0000.0000.0000
            dst mac=0000.0000.0000, mask=0100.0000.0000
            input_ifc=LAN-SEGMENT, output_ifc=any
    in  id=0x7fff2de0e800, priority=1, domain=permit, deny=false
            hits=312, user_data=0x0, cs_id=0x0, l3_type=0x8
            src mac=0000.0000.0000, mask=0000.0000.0000
            dst mac=ffff.ffff.ffff, mask=ffff.ffff.ffff
            input_ifc=LAN-SEGMENT, output_ifc=any

The following is sample output from the show asp table classify command when a security group is not specified in the access list:

    ciscoasa# show asp table classify
    in  id=0x7ffedb54cfe0, priority=500, domain=permit, deny=true
            hits=0, user_data=0x6, cs_id=0x0, flags=0x0, protocol=0
            src ip/id=224.0.0.0, mask=240.0.0.0, port=0, tag=any
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
            input_ifc=management, output_ifc=any

Related Commands

    Command         Description
    show asp drop   Shows the accelerated security path counters for dropped packets.


show asp table cluster chash-table

To debug the accelerated security path cHash tables for clustering, use the show asp table cluster chash-table command in privileged EXEC mode.

    show asp table cluster chash-table

Syntax Description

    This command has no arguments or keywords.

Defaults

    No default behavior or values.

Command Modes

    The following table shows the modes in which you can enter the command:

    Command Mode      Firewall Mode          Security Context
                      Routed   Transparent   Single   Multiple
                                                      Context   System
    Privileged EXEC   Yes      Yes           Yes      Yes       Yes

Command History

    Release   Modification
    9.0(1)    This command was added.

Usage Guidelines

The show asp table cluster chash-table command shows the contents of the accelerated security path, which might help you troubleshoot a problem. See the CLI configuration guide for more information about the accelerated security path. These tables are used for debugging purposes only, and the output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp table cluster chash-table command:

    ciscoasa# show asp table cluster chash-table
    Cluster current chash table:
    00003333 21001200 22000033 02222223 33331111 21110000 00133103 22222223
    30000102 11222222 23222331 00002223 33111111 11000112 22332000 00231121
    11222220 33330223 31013211 11101111 13111111 11023133 30001100 00000111
    12022222 00133333 33222000 00022222 33011333 11110002 33333322 13333030

Related Commands

    Command                    Description
    show asp cluster counter   Shows cluster datapath counter information.
show asp table cts sgt-map

To show the IP address-security group table mapping from the IP address-security group table database that is maintained in the data path for Cisco TrustSec, use the show asp table cts sgt-map command in privileged EXEC mode.

    show asp table cts sgt-map [address ipv4[/mask] | address ipv6[/prefix] | ipv4 | ipv6 | sgt sgt]

Syntax Description

    address {ipv4[/mask] | ipv6[/prefix]}    (Optional) Shows only the IP address-security group table mapping for the specified IPv4 or IPv6 address. Include an IPv4 subnet mask or IPv6 prefix to see the mapping for a network.
    ipv4                                     (Optional) Shows all of the IP address-security group table mappings for IPv4 add
    ipv6                                     (Optional) Shows all of the IP address-security group table mappings for IPv6 addresses.
    sgt sgt                                  (Optional) Shows the IP address-security group table mapping for the specified security group tag.

Defaults

    No default behavior or values.

Command Modes

    The following table shows the modes in which you can enter the command:

    Command Mode      Firewall Mode          Security Context
                      Routed   Transparent   Single   Multiple
                                                      Context   System
    Privileged EXEC   Yes      Yes           Yes      Yes       —

Command History

    Release   Modification
    9.0(1)    This command was added.
    9.6(1)    The ability to show network mappings was added.

Usage Guidelines

If the address is not specified, then all the entries in the IP address-security group table database in the data path appear. In addition, the security group names appear when available.
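The following Python tool is an added example for this reference, not Cisco code: it parses a captured sgt-map listing and resolves an address against it, returning every entry that covers the address with the most specific (longest prefix) first. SAMPLE is constructed in the format this command prints; a /24 entry is included to show an overlap with a network mapping, and the prefix separator is accepted as "/" or "\" because the sample output for this command prints the HR network as 10.67.0.0\16. The page does not say which entry the data path prefers when a host or a smaller network overlaps a larger network mapping, so the tool lists all matches rather than assuming a precedence; sgt_for() picks the most specific one as a convenience.

```python
r"""Resolve an address against 'show asp table cts sgt-map' output.  Added
example for this reference, not Cisco code.  SAMPLE is constructed in the
format the command prints (the /24 entry is added to show an overlap; '/' and
'\' are both accepted as prefix separators because this reference prints the
HR network as 10.67.0.0\16).  The page does not state which overlapping entry
the data path prefers, so lookup() returns all covering entries, most
specific first, instead of assuming."""
import ipaddress
import re
from typing import List, NamedTuple, Optional

class SgtEntry(NamedTuple):
    network: object   # ipaddress network; /32 or /128 for a host entry
    sgt: int
    name: str         # '' when the listing shows only the numeric tag

# Matches '10.67.0.0\16   338:HR', '192.4.4.4   345:Finance', 'FE80::...:110   17'
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f:.]+)(?:[/\\](\d+))?\s+(\d+)(?::(\S+))?\s*$")

def parse_sgt_map(text: str) -> List[SgtEntry]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:         # prompt, column headers, ruler, 'Total number' trailer
            continue
        addr, prefix, sgt, name = m.groups()
        net = ipaddress.ip_network(addr if prefix is None else f"{addr}/{prefix}",
                                   strict=False)
        entries.append(SgtEntry(net, int(sgt), name or ""))
    return entries

def lookup(entries: List[SgtEntry], ip: str) -> List[SgtEntry]:
    """Every entry covering ip, most specific (longest prefix) first."""
    a = ipaddress.ip_address(ip)
    hits = [e for e in entries if e.network.version == a.version and a in e.network]
    return sorted(hits, key=lambda e: -e.network.prefixlen)

def sgt_for(entries: List[SgtEntry], ip: str) -> Optional[int]:
    """Tag of the most specific covering entry, or None if the address is unmapped."""
    hits = lookup(entries, ip)
    return hits[0].sgt if hits else None

SAMPLE = r"""
ciscoasa# show asp table cts sgt-map
IP Address                              SGT
==================================================
10.10.10.5                              1234:Marketing
10.34.89.12                             5:Engineering
10.67.0.0\16                            338:HR
10.67.5.0/24                            339:HR-Lab
192.4.4.4                               345:Finance
FE80::A8BB:CCFF:FE00:110                17:Marketing-Servers
Total number of entries shown = 6
"""

if __name__ == "__main__":
    table = parse_sgt_map(SAMPLE)
    for e in lookup(table, "10.67.5.7"):      # covered by both HR-Lab and HR
        print(e.network, e.sgt, e.name)
```

Run it over the output of show asp table cts sgt-map ipv4 (or ipv6) before trusting an SGT-based access rule for a particular host: an address that resolves to more than one entry is one whose effective tag you should confirm on the device.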
Examples

The following is sample output from the show asp table cts sgt-map command:

    ciscoasa# show asp table cts sgt-map
    IP Address                              SGT
    ==================================================
    10.10.10.5                              1234:Marketing
    10.34.89.12                             5:Engineering
    10.67.0.0\16                            338:HR
    192.4.4.4                               345:Finance
    Total number of entries shown = 4

The following is sample output from the show asp table cts sgt-map address command:

    ciscoasa# show asp table cts sgt-map address 10.10.10.5
    IP Address                              SGT
    =================================================
    10.10.10.5                              1234:Marketing
    Total number of entries shown = 1

The following is sample output from the show asp table cts sgt-map ipv6 command:

    ciscoasa# show asp table cts sgt-map ipv6
    IP Address                              SGT
    =============================================================
    FE80::A8BB:CCFF:FE00:110                17:Marketing-Servers
    FE80::A8BB:CCFF:FE00:120                18:Eng-Servers
    Total number of entries shown = 2

The following is sample output from the show asp table cts sgt-map sgt command:

    ciscoasa# show asp table cts sgt-map sgt 17
    IP Address                              SGT
    ==============================================
    FE80::A8BB:CCFF:FE00:110                17
    Total number of entries shown = 1

Related Commands

    Command                    Description
    show running-config cts    Shows the SXP connections for the running configuration.
    show cts environment       Shows the health and status of the environment data refresh operation.


show asp table dynamic-filter

To debug the accelerated security path Botnet Traffic Filter tables, use the show asp table dynamic-filter command in privileged EXEC mode.

    show asp table dynamic-filter [hits]

Syntax Description

    hits    (Optional) Shows classifier entries that have non-zero hits values.

Defaults

    No default behavior or values.

Command Modes

    The following table shows the modes in which you can enter the command:

    Command Mode      Firewall Mode          Security Context
                      Routed   Transparent   Single   Multiple
                                                      Context   System
    Privileged EXEC   Yes      Yes           Yes      Yes       —

Command History

    Release   Modification
    8.2(1)    This command was added.

Usage Guidelines

The show asp table dynamic-filter command shows the Botnet Traffic Filter rules in the accelerated security path, which might help you troubleshoot a problem. See the CLI configuration guide for more information about the accelerated security path. These tables are used for debugging purposes only, and the output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp table dynamic-filter command:

    ciscoasa# show asp table dynamic-filter
    Context: admin
    Address 10.246.235.42 mask 255.255.255.255 name: example.info flags: 0x44 hits 0
    Address 10.40.9.250 mask 255.255.255.255 name: bad3.example.com flags: 0x44 hits 0
    Address 10.64.147.20 mask 255.255.255.255 name: bad2.example.com flags: 0x44 hits 0
    Address 10.73.210.121 mask 255.255.255.255 name: bad1.example.com flags: 0x44 hits 0
    Address 10.34.131.135 mask 255.255.255.255 name: bad.example.com flags: 0x44 hits 0
    Address 10.64.147.16 mask 255.255.255.255 name: 1st-software-downloads.com flags: 0x44 hits 2
    Address 10.131.36.158 mask 255.255.255.255 name: www.example.com flags: 0x41 hits 0
    Address 10.129.205.209 mask 255.255.255.255 flags: 0x1 hits 0
    Address 10.166.20.10 mask 255.255.255.255 flags: 0x1 hits 0
    ...

Related Commands

    Command                               Description
    address                               Adds an IP address to the blacklist or whitelist.
    clear configure dynamic-filter        Clears the running Botnet Traffic Filter configuration.
    clear dynamic-filter dns-snoop        Clears Botnet Traffic Filter DNS snooping data.
    clear dynamic-filter reports          Clears Botnet Traffic Filter report data.
    clear dynamic-filter statistics       Clears Botnet Traffic Filter statistics.
    dns domain-lookup                     Enables the ASA to send DNS requests to a DNS server to perform a name lookup for supported commands.
    dns server-group                      Identifies a DNS server for the ASA.
    dynamic-filter ambiguous-is-black     Treats greylisted traffic as blacklisted traffic for action purposes.
    dynamic-filter blacklist              Edits the Botnet Traffic Filter blacklist.
    dynamic-filter database fetch         Manually retrieves the Botnet Traffic Filter dynamic database.
    dynamic-filter database find          Searches the dynamic database for a domain name or IP address.
    dynamic-filter database purge         Manually deletes the Botnet Traffic Filter dynamic database.
    dynamic-filter drop blacklist         Automatically drops blacklisted traffic.
    dynamic-filter enable                 Enables the Botnet Traffic Filter for a class of traffic, or for all traffic if you do not specify an access list.
    dynamic-filter updater-client enable  Enables downloading of the dynamic database.
    dynamic-filter use-database           Enables use of the dynamic database.
    dynamic-filter whitelist              Edits the Botnet Traffic Filter whitelist.
    inspect dns dynamic-filter-snoop      Enables DNS inspection with Botnet Traffic Filter snooping.
    name                                  Adds a name to the blacklist or whitelist.
    show dynamic-filter data              Shows information about the dynamic database, including when the dynamic database was last downloaded, the version of the database, how many entries the database contains, and 10 sample entries.
    show dynamic-filter dns-snoop         Shows the Botnet Traffic Filter DNS snooping summary, or with the detail keyword, the actual IP addresses and names.
    show dynamic-filter reports           Generates reports of the top 10 botnet sites, ports, and infected hosts.
    show dynamic-filter statistics        Shows how many connections were monitored with the Botnet Traffic Filter, and how many of those connections match the whitelist, blacklist, and greylist.
    show dynamic-filter updater-client    Shows information about the updater server, including the server IP address, the next time the ASA will connect with the server, and the database version last installed.
    show running-config dynamic-filter    Shows the Botnet Traffic Filter running configuration.


show asp table filter

To debug the accelerated security path filter tables, use the show asp table filter command in privileged EXEC mode.

    show asp table filter [access-list acl-name] [hits] [match regexp]

Syntax Description

    access-list acl-name    (Optional) Shows the installed filter for the specified access list.
    hits                    (Optional) Shows the filter rules that have non-zero hits values.
    match regexp            (Optional) Shows filter entries that match the regular expression. Use quotes when regular expressions include spaces.

Defaults

    No default behavior or values.

Command Modes

    The following table shows the modes in which you can enter the command:

    Command Mode      Firewall Mode          Security Context
                      Routed   Transparent   Single   Multiple
                                                      Context   System
    Privileged EXEC   Yes      Yes           Yes      Yes       —

Command History

    Release   Modification
    8.2(2)    This command was added.

Usage Guidelines

When a filter has been applied to a VPN tunnel, the filter rules are installed into the filter table. If the tunnel has a filter specified, the filter table is checked before encryption and after decryption to determine whether the inner packet should be permitted or denied.

Examples

The following is sample output from the show asp table filter command before user1 connects. Only the implicit deny rules are installed, for IPv4 and IPv6, in both the inbound and outbound directions.
    ciscoasa# show asp table filter
    Global Filter Table:
    in  id=0xd616ef20, priority=11, domain=vpn-user, deny=true
            hits=0, user_data=0xd613ea60, filter_id=0x0(-implicit deny-), protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0
    in  id=0xd616f420, priority=11, domain=vpn-user, deny=true
            hits=0, user_data=0xd615ef70, filter_id=0x0(-implicit deny-), protocol=0
            src ip=::/0, port=0
            dst ip=::/0, port=0
    out id=0xd616f1a0, priority=11, domain=vpn-user, deny=true
            hits=0, user_data=0xd614d900, filter_id=0x0(-implicit deny-), protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0
    out id=0xd616f6d0, priority=11, domain=vpn-user, deny=true
            hits=0, user_data=0xd6161638, filter_id=0x0(-implicit deny-), protocol=0
            src ip=::/0, port=0
            dst ip=::/0, port=0

The following is sample output from the show asp table filter command after user1 has connected. VPN filter ACLs are defined based on the inbound direction: the source represents the peer and the destination represents inside resources. The outbound rules are derived by swapping the source and destination of each inbound rule.

    ciscoasa# show asp table filter
    Global Filter Table:
    in  id=0xd682f4a0, priority=12, domain=vpn-user, deny=false
            hits=0, user_data=0xd682f460, filter_id=0x2(vpnfilter), protocol=6
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=95.1.224.100, mask=255.255.255.255, port=21
    in  id=0xd68366a0, priority=12, domain=vpn-user, deny=false
            hits=0, user_data=0xd6d89050, filter_id=0x2(vpnfilter), protocol=6
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=95.1.224.100, mask=255.255.255.255, port=5001
    in  id=0xd45d5b08, priority=12, domain=vpn-user, deny=false
            hits=0, user_data=0xd45d5ac8, filter_id=0x2(vpnfilter), protocol=17
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=95.1.224.100, mask=255.255.255.255, port=5002
    in  id=0xd6244f30, priority=12, domain=vpn-user, deny=false
            hits=0, user_data=0xd6244ef0, filter_id=0x2(vpnfilter), protocol=1
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=95.1.224.100, mask=255.255.255.255, port=0
    in  id=0xd64edca8, priority=12, domain=vpn-user, deny=true
            hits=0, user_data=0xd64edc68, filter_id=0x2(vpnfilter), protocol=1
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0
    in  id=0xd616f018, priority=11, domain=vpn-user, deny=true
            hits=43, user_data=0xd613eb58, filter_id=0x0(-implicit deny-), protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0
    in  id=0xd616f518, priority=11, domain=vpn-user, deny=true
            hits=0, user_data=0xd615f068, filter_id=0x0(-implicit deny-), protocol=0
            src ip=::/0, port=0
            dst ip=::/0, port=0
    out id=0xd7395650, priority=12, domain=vpn-user, deny=false
            hits=0, user_data=0xd7395610, filter_id=0x2(vpnfilter), protocol=6
            src ip=95.1.224.100, mask=255.255.255.255, port=21
            dst ip=0.0.0.0, mask=0.0.0.0, port=0
    out id=0xd45d49b8, priority=12, domain=vpn-user, deny=false
            hits=0, user_data=0xd45d4978, filter_id=0x2(vpnfilter), protocol=6
            src ip=95.1.224.100, mask=255.255.255.255, port=5001
            dst ip=0.0.0.0, mask=0.0.0.0, port=0
    out id=0xd45d5cf0, priority=12, domain=vpn-user, deny=false
            hits=0, user_data=0xd45d5cb0, filter_id=0x2(vpnfilter), protocol=17
            src ip=95.1.224.100, mask=255.255.255.255, port=5002
            dst ip=0.0.0.0, mask=0.0.0.0, port=0
    out id=0xd6245118, priority=12, domain=vpn-user, deny=false
            hits=0, user_data=0xd62450d8, filter_id=0x2(vpnfilter), protocol=1
            src ip=95.1.224.100, mask=255.255.255.255, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0
    out id=0xd64ede90, priority=12, domain=vpn-user, deny=true
            hits=0, user_data=0xd64ede50, filter_id=0x2(vpnfilter), protocol=1
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0
    out id=0xd616f298, priority=11, domain=vpn-user, deny=true
            hits=0, user_data=0xd614d9f8, filter_id=0x0(-implicit deny-), protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0
    out id=0xd616f7c8, priority=11, domain=vpn-user, deny=true
            hits=0, user_data=0xd6161730, filter_id=0x0(-implicit deny-), protocol=0
            src ip=::/0, port=0
            dst ip=::/0, port=0

Related Commands

    Command                   Description
    show asp drop             Shows the accelerated security path counters for dropped packets.
    show asp table classify   Shows the classifier contents of the accelerated security path.


show asp table interfaces

To debug the accelerated security path interface tables, use the show asp table interfaces command in privileged EXEC mode.

    show asp table interfaces

Syntax Description

    This command has no arguments or keywords.

Defaults

    No default behavior or values.

Command Modes

    The following table shows the modes in which you can enter the command:

    Command Mode      Firewall Mode          Security Context
                      Routed   Transparent   Single   Multiple
                                                      Context   System
    Privileged EXEC   Yes      Yes           Yes      Yes       Yes

Command History

    Release   Modification
    7.0(1)    This command was added.

Usage Guidelines

The show asp table interfaces command shows the interface table contents of the accelerated security path, which might help you troubleshoot a problem. See the CLI configuration guide for more information about the accelerated security path. These tables are used for debugging purposes only, and the output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp table interfaces command:

    ciscoasa# show asp table interfaces
    ** Flags: 0x0001-DHCP, 0x0002-VMAC, 0x0010-Ident Ifc, 0x0020-HDB Initd,
              0x0040-RPF Enabled
    Soft-np interface 'dmz' is up
        context single_vf, nicnum 0, mtu 1500
            vlan 300, Not shared, seclvl 50
            0 packets input, 1 packets output
            flags 0x20
    Soft-np interface 'foo' is down
        context single_vf, nicnum 2, mtu 1500
            vlan <None>, Not shared, seclvl 0
            0 packets input, 0 packets output
            flags 0x20
    Soft-np interface 'outside' is down
        context single_vf, nicnum 1, mtu 1500
            vlan <None>, Not shared, seclvl 50
            0 packets input, 0 packets output
            flags 0x20
    Soft-np interface 'inside' is up
        context single_vf, nicnum 0, mtu 1500
            vlan <None>, Not shared, seclvl 100
            680277 packets input, 92501 packets output
            flags 0x20
    ...

Related Commands

    Command          Description
    interface        Configures an interface and enters interface configuration mode.
    show interface   Displays the runtime status and statistics of interfaces.


show asp table routing

To debug the accelerated security path routing tables, use the show asp table routing command in privileged EXEC mode. This command supports IPv4 and IPv6 addresses. The management-only keyword displays the number portability routes in the management routing table.

    show asp table routing [input | output] [address ip_address [netmask mask] | interface interface_name] [management-only]

Syntax Description

    address ip_address          Sets the IP address for which you want to view routing entries. For IPv6 addresses, you can include the subnet mask as a slash (/) followed by the prefix (0 to 128). For example: fe80::2e0:b6ff:fe01:3b7a/128
    input                       Shows the entries from the input route table.
    interface interface_name    (Optional) Identifies a specific interface for which you want to view the routing table.
    netmask mask                For IPv4 addresses, specifies the subnet mask.
    output                      Shows the entries from the output route table.
    management-only             Shows the number portability routes in the management routing table.

Defaults

    No default behavior or values.

Command Modes

    The following table shows the modes in which you can enter the command:

    Command Mode      Firewall Mode          Security Context
                      Routed   Transparent   Single   Multiple
                                                      Context   System
    Privileged EXEC   Yes      Yes           Yes      Yes       Yes

Command History

    Release   Modification
    7.0(1)    This command was added.
    9.3(2)    Routing per zone information was added.
    9.5(1)    The management-only keyword was added to support the management routing table.

Usage Guidelines

The show asp table routing command shows the routing table contents of the accelerated security path, which might help you troubleshoot a problem. See the CLI configuration guide for more information about the accelerated security path. These tables are used for debugging purposes only, and the output is subject to change. Consult Cisco TAC to help you debug your system with this command.

The management-only keyword displays the number portability routes in the management routing table.

Note: Invalid entries may appear in the show asp table routing command output on the ASA 5505.

Examples
The following is sample output from the show asp table routing command: ciscoasa# show asp table routing in in in in in in in in in in in in out out out out out out out out out out Note Related Commands 255.255.255.255 224.0.0.9 10.86.194.60 10.86.195.255 10.86.194.0 209.165.202.159 209.165.202.255 209.165.201.30 209.165.201.0 10.86.194.0 224.0.0.0 0.0.0.0 255.255.255.255 224.0.0.0 255.255.255.255 224.0.0.0 255.255.255.255 10.86.194.0 224.0.0.0 0.0.0.0 0.0.0.0 :: 255.255.255.255 255.255.255.255 255.255.255.255 255.255.255.255 255.255.255.255 255.255.255.255 255.255.255.255 255.255.255.255 255.255.255.255 255.255.254.0 240.0.0.0 0.0.0.0 255.255.255.255 240.0.0.0 255.255.255.255 240.0.0.0 255.255.255.255 255.255.254.0 240.0.0.0 0.0.0.0 0.0.0.0 :: identity identity identity identity identity identity identity identity identity inside identity inside foo foo test test inside inside inside via 10.86.194.1, inside via 0.0.0.0, identity via 0.0.0.0, identity Invalid entries in the show asp table routing command output may appear on the ASA 5505 platform. Ignore these entries; they have no effect. Command Description show route Shows the routing table in the control plane. Cisco ASA Series Command Reference, S Commands 3-31 Chapter show asp table socket To help debug the accelerated security path socket information, use the show asp table socket command in privileged EXEC mode. show asp table socket [socket handle] [stats] Syntax Description socket handle Specifies the length of the socket. stats Shows the statistics from the accelerated security path socket table. Defaults No default behavior or values. Command Modes The following table shows the modes in which you can enter the command: Firewall Mode Security Context Multiple Command Mode Routed Privileged EXEC Command History • Yes Transparent Single • Release Modification 8.0(2) This command was added. 
Yes • Context Yes • Yes System • Yes Usage Guidelines The show asp table socket command shows the accelerated security path socket information, which might help in troubleshooting accelerated security path socket problems. See the CLI configuration guide for more information about the accelerated security path. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command. Examples The following is sample output from the show asp table socket command. Protocol TCP TCP SSL SSL DTLS SSL DTLS TCP Socket 00012bac 0001c124 00023b84 0002d01c 00032b1c 0003a3d4 00046074 02c08aec Local Address 10.86.194.224:23 10.86.194.224:22 10.86.194.224:443 192.168.1.1:443 10.86.194.224:443 0.0.0.0:443 0.0.0.0:443 10.86.194.224:22 Foreign Address 0.0.0.0:* 0.0.0.0:* 0.0.0.0:* 0.0.0.0:* 0.0.0.0:* 0.0.0.0:* 0.0.0.0:* 171.69.137.139:4190 The following is sample output from the show asp table socket stats command. TCP Statistics: Rcvd: total14794 Cisco ASA Series Command Reference, S Commands 3-32 State LISTEN LISTEN LISTEN LISTEN LISTEN LISTEN LISTEN ESTAB Chapter checksum errors0 no port0 Sent: total0 UDP Statistics: Rcvd: total0 checksum errors0 Sent: total0 copied0 NP SSL System Stats: Handshake Started:33 Handshake Complete:33 SSL Open:4 SSL Close:117 SSL Server:58 SSL Server Verify:0 SSL Client:0 TCP/UDP statistics are packet counters representing the number of packets sent or received that are directed to a service that is running or listening on the ASA, such as Telnet, SSH, or HTTPS. Checksum errors are the number of packets dropped because the calculated packet checksum did not match the checksum value stored in the packet (that is, the packet was corrupted). The NP SSL statistics indicate the number of each type of message received. Most indicate the start and completion of new SSL connections to either the SSL server or SSL client. 
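The socket table and the filter table shown above are the two ASP tables an operator most often scans by hand: the first to confirm which management services are listening and on which addresses, the second to find out which VPN filter entry is dropping traffic. The following Python script is an added example and is not part of the Cisco reference; it parses constructed excerpts copied from the sample output above and reports listeners bound to the wildcard address 0.0.0.0, established management sessions, and deny entries whose hit counter is non-zero (in the sample, the implicit deny with 43 hits). The function and field names are the author's own choices, not ASA identifiers.

```python
"""Triage of two ASP tables: show asp table socket and show asp table filter.

Added example, not Cisco code. The two samples are constructed excerpts of
the reference's own output above; function and field names are the author's.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SOCKET_TABLE = """\
Protocol  Socket    Local Address        Foreign Address       State
TCP       00012bac  10.86.194.224:23     0.0.0.0:*             LISTEN
TCP       0001c124  10.86.194.224:22     0.0.0.0:*             LISTEN
SSL       00023b84  10.86.194.224:443    0.0.0.0:*             LISTEN
SSL       0002d01c  192.168.1.1:443      0.0.0.0:*             LISTEN
DTLS      00032b1c  10.86.194.224:443    0.0.0.0:*             LISTEN
SSL       0003a3d4  0.0.0.0:443          0.0.0.0:*             LISTEN
DTLS      00046074  0.0.0.0:443          0.0.0.0:*             LISTEN
TCP       02c08aec  10.86.194.224:22     171.69.137.139:4190   ESTAB
"""

FILTER_TABLE = """\
in id=0xd64edca8, priority=12, domain=vpn-user, deny=true
        hits=0, user_data=0xd64edc68, filter_id=0x2(vpnfilter), protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
in id=0xd616f018, priority=11, domain=vpn-user, deny=true
        hits=43, user_data=0xd613eb58, filter_id=0x0(-implicit deny-), protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
out id=0xd7395650, priority=12, domain=vpn-user, deny=false
        hits=0, user_data=0xd7395610, filter_id=0x2(vpnfilter), protocol=6
        src ip=95.1.224.100, mask=255.255.255.255, port=21
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
"""


@dataclass
class Socket:
    protocol: str
    handle: str
    local: str
    foreign: str
    state: str


def parse_sockets(text: str) -> List[Socket]:
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        parts = line.split()
        if len(parts) == 5:                      # values contain no spaces
            rows.append(Socket(*parts))
    return rows


def wildcard_listeners(sockets: List[Socket]) -> List[Socket]:
    """Listeners bound to 0.0.0.0 accept the service on every interface address,
    so they deserve a second look against the intended management interfaces."""
    return [s for s in sockets if s.state == "LISTEN" and s.local.startswith("0.0.0.0:")]


def established_sessions(sockets: List[Socket]) -> List[Tuple[str, str]]:
    return [(s.local, s.foreign) for s in sockets if s.state == "ESTAB"]


_KV = re.compile(r"(\w+)=([^,]+)")


def parse_filters(text: str) -> List[Dict[str, str]]:
    """One dict per filter entry; 'src ip=' and 'dst ip=' lines become src_*/dst_* keys."""
    entries: List[Dict[str, str]] = []
    cur: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        first = line.split()[0]
        prefix = ""
        if first in ("in", "out"):               # a new entry starts with its direction
            cur = {"direction": first}
            entries.append(cur)
            line = line[len(first):]
        elif first in ("src", "dst"):
            prefix = first + "_"
            line = line[len(first):]
        for key, val in _KV.findall(line):
            cur[prefix + key] = val.strip()
    return entries


def deny_entries_with_hits(entries: List[Dict[str, str]]) -> List[Tuple[str, str, int]]:
    """Deny rules that have matched traffic. A climbing counter on the implicit
    deny is the usual sign that the VPN filter lacks a permit for that traffic."""
    return [
        (e["direction"], e["filter_id"], int(e["hits"]))
        for e in entries
        if e.get("deny") == "true" and int(e.get("hits", "0")) > 0
    ]
```

Because both tables are debugging output whose format is subject to change, the parsers key on field names (`deny=`, `hits=`, the `in`/`out` and `src`/`dst` prefixes) rather than column positions, and simply skip lines they do not recognise.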
Related Commands
Command                      Description
show asp table vpn-context   Shows the accelerated security path VPN context tables.


show asp table vpn-context

To debug the accelerated security path VPN context tables, use the show asp table vpn-context command in privileged EXEC mode.

show asp table vpn-context [detail]

Syntax Description
detail   (Optional) Shows additional detail for the VPN context tables.

Defaults
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:

Command Mode       Firewall Mode           Security Context
                   Routed   Transparent    Single   Multiple
                                                    Context   System
Privileged EXEC    Yes      Yes            Yes      Yes       Yes

Command History
Release   Modification
7.0(1)    This command was added.
8.0(4)    The +PRESERVE flag for each context that maintains stateful flows after the tunnel drops was added.
9.0(1)    Support for multiple context mode was added.

Usage Guidelines
The show asp table vpn-context command shows the VPN context contents of the accelerated security path, which might help you troubleshoot a problem. See the CLI configuration guide for more information about the accelerated security path. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples
The following is sample output from the show asp table vpn-context command:

ciscoasa# show asp table vpn-context
VPN ID=0058070576, DECR+ESP, UP, pk=0000000000, rk=0000000000, gc=0
VPN ID=0058193920, ENCR+ESP, UP, pk=0000000000, rk=0000000000, gc=0
VPN ID=0058168568, DECR+ESP, UP, pk=0000299627, rk=0000000061, gc=2
VPN ID=0058161168, ENCR+ESP, UP, pk=0000305043, rk=0000000061, gc=1
VPN ID=0058153728, DECR+ESP, UP, pk=0000271432, rk=0000000061, gc=2
VPN ID=0058150440, ENCR+ESP, UP, pk=0000285328, rk=0000000061, gc=1
VPN ID=0058102088, DECR+ESP, UP, pk=0000268550, rk=0000000061, gc=2
VPN ID=0058134088, ENCR+ESP, UP, pk=0000274673, rk=0000000061, gc=1
VPN ID=0058103216, DECR+ESP, UP, pk=0000252854, rk=0000000061, gc=2
...

The following is sample output from the show asp table vpn-context command when the persistent IPsec tunneled flows feature is enabled, as shown by the PRESERVE flag:

ciscoasa(config)# show asp table vpn-context
VPN CTX=0x0005FF54, Ptr=0x6DE62DA0, DECR+ESP+PRESERVE, UP, pk=0000000000, rk=0000000000, gc=0
VPN CTX=0x0005B234, Ptr=0x6DE635E0, ENCR+ESP+PRESERVE, UP, pk=0000000000, rk=0000000000, gc=0

The following is sample output from the show asp table vpn-context detail command:

ciscoasa# show asp table vpn-context detail

VPN Ctx    = 0058070576 [0x03761630]
State      = UP
Flags      = DECR+ESP
SA         = 0x037928F0
SPI        = 0xEA0F21F0
Group      = 0
Pkts       = 0
Bad Pkts   = 0
Bad SPI    = 0
Spoof      = 0
Bad Crypto = 0
Rekey Pkt  = 0
Rekey Call = 0

VPN Ctx    = 0058193920 [0x0377F800]
State      = UP
Flags      = ENCR+ESP
SA         = 0x037B4B70
SPI        = 0x900FDC32
Group      = 0
Pkts       = 0
Bad Pkts   = 0
Bad SPI    = 0
Spoof      = 0
Bad Crypto = 0
Rekey Pkt  = 0
Rekey Call = 0
...

The following is sample output from the show asp table vpn-context detail command when the persistent IPsec tunneled flows feature is enabled, as shown by the PRESERVE flag:

ciscoasa(config)# show asp table vpn-context detail

VPN CTX    = 0x0005FF54
Peer IP    = ASA_Private
Pointer    = 0x6DE62DA0
State      = UP
Flags      = DECR+ESP+PRESERVE
SA         = 0x001659BF
SPI        = 0xB326496C
Group      = 0
Pkts       = 0
Bad Pkts   = 0
Bad SPI    = 0
Spoof      = 0
Bad Crypto = 0
Rekey Pkt  = 0
Rekey Call = 0

VPN CTX    = 0x0005B234
Peer IP    = ASA_Private
Pointer    = 0x6DE635E0
State      = UP
Flags      = ENCR+ESP+PRESERVE
SA         = 0x0017988D
SPI        = 0x9AA50F43
Group      = 0
Pkts       = 0
Bad Pkts   = 0
Bad SPI    = 0
Spoof      = 0
Bad Crypto = 0
Rekey Pkt  = 0
Rekey Call = 0
ciscoasa(config)#

Configuration and Restrictions
This configuration option is subject to the same CLI configuration restrictions as other sysopt VPN CLI.

Related Commands
Command         Description
show asp drop   Shows the accelerated security path counters for dropped packets.


show asp table zone

To debug the accelerated security path zone table, use the show asp table zone command in privileged EXEC mode.

show asp table zone [zone_name]

Syntax Description
zone_name   (Optional) Identifies the zone name.

Defaults
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:

Command Mode       Firewall Mode           Security Context
                   Routed   Transparent    Single   Multiple
                                                    Context   System
Privileged EXEC    Yes      —              Yes      Yes       Yes

Command History
Release   Modification
9.3(2)    This command was added.

Usage Guidelines
The show asp table zone command shows the zone table contents of the accelerated security path, which might help you troubleshoot a problem. See the CLI configuration guide for more information about the accelerated security path. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples
The following is sample output from the show asp table zone command:

ciscoasa# show asp table zone
Zone: outside-zone id: 2
Context: test-ctx
Zone Member(s) : 2
    outside1 GigabitEthernet0/0
    outside2 GigabitEthernet0/1

Related Commands
Command                  Description
show asp table routing   Shows the accelerated security path tables for debugging purposes, and shows the zone associated with each route.
show zone                Shows zone ID, context, security level, and members.


show auto-update

To see the Auto Update Server status, use the show auto-update command in privileged EXEC mode.

show auto-update

Syntax Description
This command has no arguments or keywords.

Command Default
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:

Command Mode           Firewall Mode           Security Context
                       Routed   Transparent    Single   Multiple
                                                        Context   System
Global configuration   Yes      Yes            Yes      —         —

Command History
Release   Modification
7.2(1)    This command was added.

Usage Guidelines
Use this command to view Auto Update Server status.

Examples
The following is sample output from the show auto-update command:

ciscoasa(config)# show auto-update
Poll period: 720 minutes, retry count: 0, retry period: 5 minutes
Timeout: none
Device ID: host name [ciscoasa]

Related Commands
Command                       Description
auto-update device-id         Sets the ASA device ID for use with an Auto Update Server.
auto-update poll-period       Sets how often the ASA checks for updates from an Auto Update Server.
auto-update server            Identifies the Auto Update Server.
auto-update timeout           Stops traffic from passing through the ASA if the Auto Update Server is not contacted within the timeout period.
clear configure auto-update   Clears the Auto Update Server configuration.
show running-config auto-update   Shows the Auto Update Server configuration.


CHAPTER 4
show bgp through show cpu Commands


show bgp

To display entries in the Border Gateway Protocol (BGP) routing table, use the show bgp command in user EXEC or privileged EXEC mode.

show bgp [ip-address [mask [longer-prefixes [injected] | shorter-prefixes [length] | bestpath | multipaths | subnets] | bestpath | multipaths] | all | prefix-list name | pending-prefixes | route-map name]]

Syntax Description
ip-address         (Optional) Specifies the AS path access list name.
mask               (Optional) Mask to filter or match hosts that are part of the specified network.
longer-prefixes    (Optional) Displays the specified route and all more specific routes.
injected           (Optional) Displays more specific prefixes injected into the BGP routing table.
shorter-prefixes   (Optional) Displays the specified route and all less specific routes.
length             (Optional) The prefix length. The value for this argument is a number from 0 to 32.
bestpath           (Optional) Displays the bestpath for this prefix.
multipaths         (Optional) Displays multipaths for this prefix.
subnets            (Optional) Displays the subnet routes for the specified prefix.
all                (Optional) Displays all address family information in the BGP routing table.
prefix-list name   (Optional) Filters the output based on the specified prefix list.
pending-prefixes   (Optional) Displays prefixes that are pending deletion from the BGP routing table.
route-map name     (Optional) Filters the output based on the specified route map.

Command Modes
The following table shows the modes in which you can enter the command:

Command Mode                 Firewall Mode           Security Context
                             Routed   Transparent    Single   Multiple
                                                              Context   System
Privileged EXEC, User EXEC   Yes      —              Yes      Yes       —

Command History
Release   Modification
9.2(1)    This command was added.

Usage Guidelines
The show bgp command is used to display the contents of the BGP routing table. The output can be filtered to display entries for a specific prefix, prefix length, and prefixes injected through a prefix list, route map, or conditional advertisement.

In Cisco IOS Release 12.0(32)SY8, 12.0(33)S3, 12.2(33)SRE, 12.2(33)XNE, 12.2(33)SXI1, Cisco IOS XE Release 2.4, and later releases, the Cisco implementation of 4-byte autonomous system numbers uses asplain—65538 for example—as the default regular expression match and output display format for autonomous system numbers, but you can configure 4-byte autonomous system numbers in both the asplain format and the asdot format as described in RFC 5396. To change the default regular expression match and output display of 4-byte autonomous system numbers to asdot format, use the bgp asnotation dot command followed by the clear bgp * command to perform a hard reset of all current BGP sessions.

Examples
The following sample output shows the BGP routing table:

Router# show bgp
BGP table version is 22, local router ID is 10.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.1.1.1/32      0.0.0.0                  0         32768 i
*>i10.2.2.2/32      172.16.1.2               0    100      0 i
*bi10.9.9.9/32      192.168.3.2              0    100      0 10 10 i
*>                  192.168.1.2                             0 10 10 i
* i172.16.1.0/24    172.16.1.2               0    100      0 i
*>                  0.0.0.0                  0         32768 i
*> 192.168.1.0      0.0.0.0                  0         32768 i
*>i192.168.3.0      172.16.1.2               0    100      0 i
*bi192.168.9.0      192.168.3.2              0    100      0 10 10 i
*>                  192.168.1.2                             0 10 10 i
*bi192.168.13.0     192.168.3.2              0    100      0 10 10 i
*>                  192.168.1.2                             0 10 10 i

Table 4-1 shows each field description.

Table 4-1    show bgp Fields

Field               Description
BGP table version   Internal version number of the table. This number is incremented whenever the table changes.
local router ID     IP address of the router.
Status codes        Status of the table entry. The status is displayed at the beginning of each line in the table. It can be one of the following values:
                    • s—The table entry is suppressed.
                    • d—The table entry is dampened.
                    • h—The table entry is history.
                    • *—The table entry is valid.
                    • >—The table entry is the best entry to use for that network.
                    • i—The table entry was learned via an internal BGP (iBGP) session.
                    • r—The table entry is a RIB-failure.
                    • S—The table entry is stale.
                    • m—The table entry has multipath to use for that network.
                    • b—The table entry has backup path to use for that network.
                    • x—The table entry has best external route to use for the network.
Origin codes        Origin of the entry. The origin code is placed at the end of each line in the table. It can be one of the following values:
                    • i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised with a network router configuration command.
                    • e—Entry originated from an Exterior Gateway Protocol (EGP).
                    • ?—Origin of the path is not clear. Usually, this is a router that is redistributed into BGP from an IGP.
Network             IP address of a network entity.
Next Hop            IP address of the next system that is used when forwarding a packet to the destination network. An entry of 0.0.0.0 indicates that the router has some non-BGP routes to this network.
Metric              If shown, the value of the interautonomous system metric.
LocPrf              Local preference value as set with the set local-preference route-map configuration command. The default value is 100.
Weight              Weight of the route as set via autonomous system filters.
Path                Autonomous system paths to the destination network. There can be one entry in this field for each autonomous system in the path.
(stale)             Indicates that the following path for the specified autonomous system is marked as "stale" during a graceful restart process.

show bgp (4-Byte Autonomous System Numbers): Example

The following sample output shows the BGP routing table with 4-byte autonomous system numbers, 65536 and 65550, shown under the Path field. This example requires Cisco IOS Release 12.0(32)SY8, 12.0(33)S3, 12.2(33)SRE, 12.2(33)XNE, 12.2(33)SXI1, Cisco IOS XE Release 2.4, or a later release.

RouterB# show bgp
BGP table version is 4, local router ID is 172.17.1.99
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.1.1.0/24      192.168.1.2              0             0 65536 i
*> 10.2.2.0/24      192.168.3.2              0             0 65550 i
*> 172.17.1.0/24    0.0.0.0                  0         32768 i

show bgp ip-address: Example

The following sample output displays information about the 192.168.1.0 entry in the BGP routing table:

Router# show bgp 192.168.1.0
BGP routing table entry for 192.168.1.0/24, version 22
Paths: (2 available, best #2, table default)
Additional-path
  Advertised to update-groups:
     3
  10 10
    192.168.3.2 from 172.16.1.2 (10.2.2.2)
      Origin IGP, metric 0, localpref 100, valid, internal, backup/repair
  10 10
    192.168.1.2 from 192.168.1.2 (10.3.3.3)
      Origin IGP, localpref 100, valid, external, best , recursive-via-connected

The following sample output displays information about the 10.3.3.3 255.255.255.255 entry in the BGP routing table:

Router# show bgp 10.3.3.3 255.255.255.255
BGP routing table entry for 10.3.3.3/32, version 35
Paths: (3 available, best #2, table default)
Multipath: eBGP
Flag: 0x860
  Advertised to update-groups:
     1
  200
    10.71.8.165 from 10.71.8.165 (192.168.0.102)
      Origin incomplete, localpref 100, valid, external, backup/repair
      Only allowed to recurse through connected route
  200
    10.71.11.165 from 10.71.11.165 (192.168.0.102)
      Origin incomplete, localpref 100, weight 100, valid, external, best
      Only allowed to recurse through connected route
  200
    10.71.10.165 from 10.71.10.165 (192.168.0.104)
      Origin incomplete, localpref 100, valid, external,
      Only allowed to recurse through connected route

Table 4-2 shows each field description.

Table 4-2    show bgp (4 byte autonomous system numbers) Fields

Field                         Description
BGP routing table entry for   IP address or network number of the routing table entry.
version                       Internal version number of the table. This number is incremented whenever the table changes.
Paths                         The number of available paths, and the number of installed best paths. This line displays "Default-IP-Routing-Table" when the best path is installed in the IP routing table.
Multipath                     This field is displayed when multipath loadsharing is enabled. This field will indicate if the multipaths are iBGP or eBGP.
Advertised to update-groups   The number of each update group for which advertisements are processed.
Origin                        Origin of the entry. The origin can be IGP, EGP, or incomplete. This line displays the configured metric (0 if no metric is configured), the local preference value (100 is default), and the status and type of route (internal, external, multipath, best).
Extended Community            This field is displayed if the route carries an extended community attribute. The attribute code is displayed on this line. Information about the extended community is displayed on a subsequent line.

show bgp all: Example

The following is sample output from the show bgp command entered with the all keyword. Information about all configured address families is displayed.

Router# show bgp all
For address family: IPv4 Unicast *****
BGP table version is 27, local router ID is 10.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.1.1.0/24      0.0.0.0                  0         32768 ?
*> 10.13.13.0/24    0.0.0.0                  0         32768 ?
*> 10.15.15.0/24    0.0.0.0                  0         32768 ?
*>i10.18.18.0/24    172.16.14.105         1388  91351      0 100 e
*>i10.100.0.0/16    172.16.14.107          262    272      0 1 2 3 i
*>i10.100.0.0/16    172.16.14.105         1388  91351      0 100 e
*>i10.101.0.0/16    172.16.14.105         1388  91351      0 100 e
*>i10.103.0.0/16    172.16.14.101         1388    173    173 100 e
*>i10.104.0.0/16    172.16.14.101         1388    173    173 100 e
*>i10.100.0.0/16    172.16.14.106         2219  20889      0 53285 33299 51178 47751 e
*>i10.101.0.0/16    172.16.14.106         2219  20889      0 53285 33299 51178 47751 e
*  10.100.0.0/16    172.16.14.109         2309             0 200 300 e
*>                  172.16.14.108         1388             0 100 e
*  10.101.0.0/16    172.16.14.109         2309             0 200 300 e
*>                  172.16.14.108         1388             0 100 e
*> 10.102.0.0/16    172.16.14.108         1388             0 100 e
*> 172.16.14.0/24   0.0.0.0                  0         32768 ?
*> 192.168.5.0      0.0.0.0                  0         32768 ?
*> 10.80.0.0/16     172.16.14.108         1388             0 50 e
*> 10.80.0.0/16     172.16.14.108         1388             0 50 e

show bgp longer-prefixes: Example

The following is sample output from the show bgp command entered with the longer-prefixes keyword:

Router# show bgp 10.92.0.0 255.255.0.0 longer-prefixes
BGP table version is 1738, local router ID is 192.168.72.24
Status codes: s suppressed, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.92.0.0        10.92.72.30           8896         32768 ?
*                   10.92.72.30                            0 109 108 ?
*> 10.92.1.0        10.92.72.30           8796         32768 ?
*                   10.92.72.30                            0 109 108 ?
*> 10.92.11.0       10.92.72.30          42482         32768 ?
*                   10.92.72.30                            0 109 108 ?
*> 10.92.14.0       10.92.72.30           8796         32768 ?
*                   10.92.72.30                            0 109 108 ?
*> 10.92.15.0       10.92.72.30           8696         32768 ?
*                   10.92.72.30                            0 109 108 ?
*> 10.92.16.0       10.92.72.30           1400         32768 ?
*                   10.92.72.30                            0 109 108 ?
*> 10.92.17.0       10.92.72.30           1400         32768 ?
*                   10.92.72.30                            0 109 108 ?
*> 10.92.18.0       10.92.72.30           8876         32768 ?
*                   10.92.72.30                            0 109 108 ?
*> 10.92.19.0       10.92.72.30           8876         32768 ?
*                   10.92.72.30                            0 109 108 ?

show bgp shorter-prefixes: Example

The following is sample output from the show bgp command entered with the shorter-prefixes keyword. An 8-bit prefix length is specified.

Router# show bgp 172.16.0.0/16 shorter-prefixes 8
*> 172.16.0.0       10.0.0.2                 0             0 ?
*                   10.0.0.2                               0 200 ?

show bgp prefix-list: Example

The following is sample output from the show bgp command entered with the prefix-list keyword:

Router# show bgp prefix-list ROUTE
BGP table version is 39, local router ID is 10.0.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.1.0      10.0.0.2                               0 ?
*                   10.0.0.2                 0             0 200 ?

show bgp route-map: Example

The following is sample output from the show bgp command entered with the route-map keyword:

Router# show bgp route-map LEARNED_PATH
BGP table version is 40, local router ID is 10.0.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.1.0      10.0.0.2                               0 ?
*                   10.0.0.2                 0             0 200 ?


show bgp all community

To display routes for all address families belonging to a particular Border Gateway Protocol (BGP) community, use the show bgp all community command in user EXEC or privileged EXEC configuration mode.

show bgp all community [community-number...[community-number]] [local-as] [no-advertise] [no-export] [exact-match]

Syntax Description
community-number   (Optional) Displays the routes pertaining to the community numbers specified. You can specify multiple community numbers. The range is from 1 to 4294967295 or AA:NN (autonomous system:community number, which is a 2-byte number).
local-as           (Optional) Displays only routes that are not sent outside of the local autonomous system (well-known community).
no-advertise       (Optional) Displays only routes that are not advertised to any peer (well-known community).
no-export          (Optional) Displays only routes that are not exported outside of the local autonomous system (well-known community).
exact-match        (Optional) Displays only routes that match exactly with the BGP community list specified.

Note: The availability of keywords in the command depends on the command mode. The exact-match keyword is not available in user EXEC mode.

Defaults
No default behavior or values.
Command Modes The following table shows the modes in which you can enter the command: Firewall Mode Security Context Multiple Command Mode Routed Privileged EXEC, User EXEC Command History Usage Guidelines Yes • Release Modification 9.2(1) This command was added Yes • Yes Context • Yes System • Yes User can enter the local-as, no-advertise and no-export keywords in any order. When using the bgp all community command, be sure to enter the numerical communities before the well-known communities. Cisco ASA Series Command Reference, S Commands 4-8 • Transparent Single Chapter .For example, the following string is not valid: ciscoasa# show bgp all community local-as 111:12345 Use the following string instead: ciscoasa# show bgp all community 111:12345 local-as Examples The following is sample output from the show bgp all community command, specifying communities of 1, 2345, and 6789012: ciscoasa# show bgp all community 1 2345 6789012 no-advertise local-as no-export exact-match For address family: IPv4 Unicast BGP table version is 5, local router ID is 30.0.0.5 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop *> 10.0.3.0/24 10.0.0.4 *> 10.1.0.0/16 10.0.0.4 *> 10.12.34.0/24 10.0.0.6 Metric LocPrf Weight Path 0 0 0 4 3 ? 0 4 ? 0 6 ? Table 4-26 shows each field description. Table 4-3 show bgp all community Fields Field Description BGP table version Internal version number of the table. This number is incremented whenever the table changes local router ID The router ID of the router on which the BGP communities are set to display. A 32-bit number written as 4 octets separated by periods (dotted-decimal format). Status codes Status of the table entry. The status is displayed at the beginning of each line in the table. It can be one of the following values: s—The table entry is suppressed. d—The table entry is dampened. h—The table entry is history. 
*—The table entry is valid. >—The table entry is the best entry to use for that network. i—The table entry was learned via an internal BGP session. Origin codes Indicates the origin of the entry. The origin code is placed at the end of each line in the table. It can be one of the following values: i—Entry originated from the Interior Gateway Protocol (IGP) and was advertised with a network router configuration command. e—Entry originated from the Exterior Gateway Protocol (EGP). ?—Origin of the path is not clear. Usually, this is a route that is redistributed into BGP from an IGP. Network The network address and network mask of a network entity. The type of address depends on the address family. Cisco ASA Series Command Reference, S Commands 4-9 Chapter Table 4-3 show bgp all community Fields (continued) Field Description Next Hop IP address of the next system that is used when forwarding a packet to the destination network. The type of address depends on the address family Metric The value of the inter autonomous system metric. This field is not used frequently. LocPrf Local preference value as set with the set local-preference command. The default value is 100. Weight Weight of the route as set via autonomous system filters. Path Autonomous system paths to the destination network. There can be one entry in this field for each autonomous system in the path. Cisco ASA Series Command Reference, S Commands 4-10 Chapter show bgp all neighbors To display information about Border Gateway Protocol (BGP) connections to neighbors of all address families, use the show bgp all neighbors command in user EXEC or privileged EXEC mode. show bgp all neighbors [ip-address ] [advertised-routes | paths [reg-exp] | policy [detail] | received prefix-filter | received-routes | routes] Syntax Description ip-address (Optional) IP address of a neighbor. If this argument is omitted, information about all neighbors is displayed. 
  advertised-routes       (Optional) Displays all routes that have been advertised to neighbors.
  paths reg-exp           (Optional) Displays autonomous system paths learned from the specified neighbor. An optional regular expression can be used to filter the output.
  policy                  (Optional) Displays the policies applied to the neighbor per address family.
  detail                  (Optional) Displays detailed policy information such as route maps, prefix lists, community lists, access control lists (ACLs), and autonomous system path filter lists.
  received prefix-filter  (Optional) Displays the prefix list (outbound route filter [ORF]) sent from the specified neighbor.
  received-routes         (Optional) Displays all received routes (both accepted and rejected) from the specified neighbor.
  routes                  (Optional) Displays all routes that are received and accepted. The output displayed when this keyword is entered is a subset of the output displayed by the received-routes keyword.

Defaults
  The output of this command displays information for all neighbors.

Command Modes
  The following table shows the modes in which you can enter the command:

                              Firewall Mode          Security Context
                                                              Multiple
  Command Mode                Routed   Transparent   Single   Context   System
  Privileged EXEC, User EXEC  • Yes    • Yes         • Yes    • Yes     • Yes

Command History
  Release   Modification
  9.2(1)    This command was added.

Usage Guidelines
  Use the show bgp all neighbors command to display BGP and TCP connection information for neighbor sessions specific to address families such as IPv4.
Examples
  The following example shows output of the show bgp all neighbors command:

  ciscoasa# show bgp all neighbors
  For address family: IPv4 Unicast
  BGP neighbor is 172.16.232.53, remote AS 100, external link
    Member of peer-group internal for session parameters
    BGP version 4, remote router ID 172.16.232.53
    BGP state = Established, up for 13:40:17
    Last read 00:00:09, hold time is 180, keepalive interval is 60 seconds
    Message statistics:
      InQ depth is 0
      OutQ depth is 0
                           Sent       Rcvd
      Opens:                  3          3
      Notifications:          0          0
      Updates:                0          0
      Keepalives:           113        112
      Route Refresh:          0          0
      Total:                116         11
    Default minimum time between advertisement runs is 5 seconds

    Connections established 22; dropped 21
    Last reset 13:47:05, due to BGP Notification sent, hold time expired
    External BGP neighbor may be up to 2 hops away.
  Connection state is ESTAB, I/O status: 1, unread input bytes: 0
  Enqueued packets for retransmit: 0, input: 0  mis-ordered: 0 (0 bytes)

  Event Timers (current time is 0x1A0D543C):
  Timer          Starts    Wakeups            Next
  Retrans          1218          5             0x0
  TimeWait            0          0             0x0
  AckHold          3327       3051             0x0
  SendWnd             0          0             0x0
  KeepAlive           0          0             0x0
  GiveUp              0          0             0x0
  PmtuAger            0          0             0x0
  DeadWait            0          0             0x0

  iss: 1805423033  snduna: 1805489354  sndnxt: 1805489354     sndwnd:  15531
  irs:  821333727  rcvnxt:  821591465  rcvwnd:      15547  delrcvwnd:    837

  SRTT: 300 ms, RTTO: 303 ms, RTV: 3 ms, KRTT: 0 ms
  minRTT: 8 ms, maxRTT: 300 ms, ACK hold: 200 ms
  Flags: higher precedence, nagle

  Datagrams (max data segment is 1420 bytes):
  Rcvd: 4252 (out of order: 0), with data: 3328, total data bytes: 257737
  Sent: 4445 (retransmit: 5), with data: 4445, total data bytes: 244128

  Table 4-4 shows each field description.

Table 4-4    show bgp all neighbor Fields

  Field                 Description
  For address family    Address family to which the following fields refer.
  BGP neighbor          IP address of the BGP neighbor and its autonomous system number.
  remote AS             Autonomous system number of the neighbor.
  external link         External Border Gateway Protocol (eBGP) peer.
  BGP version           BGP version being used to communicate with the remote router.
  remote router ID      IP address of the neighbor.
  BGP state             State of this BGP connection.
  up for                Time, in hh:mm:ss, that the underlying TCP connection has been in existence.
  Last read             Time, in hh:mm:ss, since BGP last received a message from this neighbor.
  hold time             Time, in seconds, that BGP will maintain the session with this neighbor without receiving messages.
  keepalive interval    Time interval, in seconds, at which keepalive messages are transmitted to this neighbor.
  Message statistics    Statistics organized by message type.
  InQ depth is          Number of messages in the input queue.
  OutQ depth is         Number of messages in the output queue.
  Sent                  Total number of transmitted messages.
  Rcvd                  Total number of received messages.
  Opens                 Number of open messages sent and received.
  Notifications         Number of notification (error) messages sent and received.
  Updates               Number of update messages sent and received.
  Keepalives            Number of keepalive messages sent and received.
  Route Refresh         Number of route refresh request messages sent and received.
  Total                 Total number of messages sent and received.
  Default minimum time between...    Time, in seconds, between advertisement transmissions.
  Connections established            Number of times a TCP and BGP connection has been successfully established.
  dropped               Number of times that a valid session has failed or been taken down.
  Last reset            Time, in hh:mm:ss, since this peering session was last reset. The reason for the reset is displayed on this line.
  External BGP neighbor may be...    Indicates that the BGP time-to-live (TTL) security check is enabled. The maximum number of hops that can separate the local and remote peer is displayed on this line.
  Connection state      Connection status of the BGP peer.
  Local host,           Local IP address of the local BGP speaker and the port number.
  Foreign host, Foreign port         Neighbor address and BGP destination port number.
  Enqueued packets for retransmit:   Packets queued for retransmission by TCP.
  Event Timers          TCP event timers. Counters are provided for starts and wakeups (expired timers).
  Retrans               Number of times a packet has been retransmitted.
  TimeWait              Time waiting for the retransmission timers to expire.
  AckHold               Acknowledgment hold timer.
  SendWnd               Transmission (send) window.
  KeepAlive             Number of keepalive packets.
  GiveUp                Number of times a packet is dropped due to no acknowledgment.
  PmtuAger              Path MTU discovery timer.
  DeadWait              Expiration timer for dead segments.
  iss:                  Initial packet transmission sequence number.
  snduna:               Last transmission sequence number that has not been acknowledged.
  sndnxt:               Next packet sequence number to be transmitted.
  sndwnd:               TCP window size of the remote host.
  irs:                  Initial packet receive sequence number.
  rcvnxt:               Last receive sequence number that has been locally acknowledged.
  rcvwnd:               TCP window size of the local host.
  delrcvwnd:            Delayed receive window—data the local host has read from the connection, but has not yet subtracted from the receive window the host has advertised to the remote host. The value in this field gradually increases until it is larger than a full-sized packet, at which point it is applied to the rcvwnd field.
  SRTT:                 A calculated smoothed round-trip timeout.
  RTTO:                 Round-trip timeout.
  RTV:                  Variance of the round-trip time.
  KRTT:                 New round-trip timeout (using the Karn algorithm). This field separately tracks the round-trip time of packets that have been re-sent.
  minRTT:               Smallest recorded round-trip timeout (hard-wire value used for calculation).
  maxRTT:               Largest recorded round-trip timeout.
  ACK hold              Length of time the local host will delay an acknowledgment to carry (piggyback) additional data.
  IP Precedence value   IP precedence of the BGP packets.
  Datagrams             Number of update packets received from a neighbor.
  Rcvd:                 Number of received packets.
  with data             Number of update packets sent with data.
  total data bytes      Total amount of data received, in bytes.
  Sent                  Number of update packets sent.
  with data             Number of update packets received with data.
  total data bytes      Total amount of data sent, in bytes.

show bgp cidr-only

  To display routes with classless interdomain routing (CIDR), use the show bgp cidr-only command in EXEC mode.

  show bgp cidr-only

Syntax Description
  This command has no arguments or keywords.

Command Modes
  The following table shows the modes in which you can enter the command:

                   Firewall Mode          Security Context
                                                   Multiple
  Command Mode     Routed   Transparent   Single   Context   System
  Privileged EXEC  • Yes    • Yes         • Yes    • Yes     • Yes

Command History
  Release   Modification
  9.2(1)    This command was added.

Examples
  The following is sample output from the show bgp cidr-only command:

  ciscoasa# show bgp cidr-only
  BGP table version is 220, local router ID is 172.16.73.131
  Status codes: s suppressed, * valid, > best, i - internal
  Origin codes: i - IGP, e - EGP, ? - incomplete
     Network          Next Hop        Metric LocPrf Weight Path
  *> 192.168.0.0/8    172.16.72.24    0 1878 ?
  *> 172.16.0.0/16    172.16.72.30    0 108 ?

  Table 4-5 shows each field description.

Table 4-5    show bgp cidr-only Fields

  Field                     Description
  BGP table version is 220  Internal version number of the table. This number is incremented whenever the table changes.
  local router ID           IP address of the router.
  Status codes              Status of the table entry. The status is displayed at the beginning of each line in the table.
                     It can be one of the following values:
                     s—The table entry is suppressed.
                     *—The table entry is valid.
                     >—The table entry is the best entry to use for that network.
                     i—The table entry was learned via an internal BGP (iBGP) session.
  Origin codes       Origin of the entry. The origin code is placed at the end of each line in the table. It can be one of the following values:
                     i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised with a network router configuration command.
                     e—Entry originated from an Exterior Gateway Protocol (EGP).
                     ?—Origin of the path is not clear. Usually, this is a route that is redistributed into BGP from an IGP.
  Network            Internet address of the network the entry describes.
  Next Hop           IP address of the next system that is used when forwarding a packet to the destination network. An entry of 0.0.0.0 indicates that the access server has some non-BGP route to this network.
  Metric             If shown, the value of the inter-autonomous-system metric.
  LocPrf             Local preference value as set with the set local-preference route-map configuration command. The default value is 100.
  Weight             Weight of the route as set via autonomous system filters.
  Path               Autonomous system paths to the destination network. There can be one entry in this field for each autonomous system in the path. At the end of the path is the origin code for the path:
                     i—The entry was originated with the IGP and advertised with a network router configuration command.
                     e—The route originated with EGP.
                     ?—The origin of the path is not clear. Usually this is a path that is redistributed into BGP from an IGP.

show bgp community

  To display routes that belong to specified BGP communities, use the show bgp community command in EXEC mode.
  show bgp community community-number [exact]

Command Modes
  The following table shows the modes in which you can enter the command:

                   Firewall Mode          Security Context
                                                   Multiple
  Command Mode     Routed   Transparent   Single   Context   System
  Privileged EXEC  • Yes    • Yes         • Yes    • Yes     • Yes

Command History
  Release   Modification
  9.2(1)    This command was added.

Examples
  The following is sample output from the show bgp community command in privileged EXEC mode:

  ciscoasa# show bgp community 111:12345 local-as
  BGP table version is 10, local router ID is 224.0.0.10
  Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
  Origin codes: i - IGP, e - EGP, ? - incomplete
     Network            Next Hop        Metric LocPrf Weight Path
  *> 172.16.2.2/32      10.43.222.2     0 0 222 ?
  *> 10.0.0.0           10.43.222.2     0 0 222 ?
  *> 10.43.0.0          10.43.222.2     0 0 222 ?
  *> 10.43.44.44/32     10.43.222.2     0 0 222 ?
  *  10.43.222.0/24     10.43.222.2     0 0 222 i
  *> 172.17.240.0/21    10.43.222.2     0 0 222 ?
  *> 192.168.212.0      10.43.222.2     0 0 222 i
  *> 172.31.1.0         10.43.222.2     0 0 222 ?

  Table 4-6 shows each field description.

Table 4-6    show bgp community Fields

  Field              Description
  BGP table version  Internal version number of the table. This number is incremented whenever the table changes.
  local router ID    IP address of the router.
  Status codes       Status of the table entry. The status is displayed at the beginning of each line in the table. It can be one of the following values:
                     s—The table entry is suppressed.
                     *—The table entry is valid.
                     >—The table entry is the best entry to use for that network.
                     i—The table entry was learned via an internal BGP (iBGP) session.
  Origin codes       Origin of the entry. The origin code is placed at the end of each line in the table. It can be one of the following values:
                     i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised with a network router configuration command.
                     e—Entry originated from an Exterior Gateway Protocol (EGP).
                     ?—Origin of the path is not clear. Usually, this is a route that is redistributed into BGP from an IGP.
  Network            Internet address of the network the entry describes.
  Next Hop           IP address of the next system that is used when forwarding a packet to the destination network. An entry of 0.0.0.0 indicates that the access server has some non-BGP route to this network.
  Metric             If shown, the value of the inter-autonomous-system metric.
  LocPrf             Local preference value as set with the set local-preference route-map configuration command. The default value is 100.
  Weight             Weight of the route as set via autonomous system filters.
  Path               Autonomous system paths to the destination network. There can be one entry in this field for each autonomous system in the path. At the end of the path is the origin code for the path:
                     i—The entry was originated with the IGP and advertised with a network router configuration command.
                     e—The route originated with EGP.
                     ?—The origin of the path is not clear. Usually this is a path that is redistributed into BGP from an IGP.

show bgp community-list

  To display routes that are permitted by the Border Gateway Protocol (BGP) community list, use the show bgp community-list command in user or privileged EXEC mode.

  show bgp community-list {community-list-number | community-list-name [exact-match]}

Syntax Description
  community-list-number  A standard or expanded community list number in the range from 1 to 500.
  community-list-name    Community list name. The community list name can be standard or expanded.
  exact-match            (Optional) Displays only routes that have an exact match.

Command Modes
  The following table shows the modes in which you can enter the command:

                              Firewall Mode          Security Context
                                                              Multiple
  Command Mode                Routed   Transparent   Single   Context   System
  Privileged EXEC, User EXEC  • Yes    • Yes         • Yes    • Yes     • Yes

Command History
  Release   Modification
  9.2(1)    This command was added.

Usage Guidelines
  This command requires you to specify an argument when used. The exact-match keyword is optional.

Examples
  The following is sample output of the show bgp community-list command in privileged EXEC mode:

  ciscoasa# show bgp community-list 20
  BGP table version is 716977, local router ID is 192.168.32.1
  Status codes: s suppressed, * valid, > best, i - internal
  Origin codes: i - IGP, e - EGP, ? - incomplete
     Network          Next Hop        Metric LocPrf Weight Path
  * i10.3.0.0         10.0.22.1       0 100 0 1800 1239 ?
  *>i                 10.0.16.1       0 100 0 1800 1239 ?
  * i10.6.0.0         10.0.22.1       0 100 0 1800 690 568 ?
  *>i                 10.0.16.1       0 100 0 1800 690 568 ?
  * i10.7.0.0         10.0.22.1       0 100 0 1800 701 35 ?
  *>i                 10.0.16.1       0 100 0 1800 701 35 ?
  *                   10.92.72.24     0 1878 704 701 35 ?
  * i10.8.0.0         10.0.22.1       0 100 0 1800 690 560 ?
  *>i                 10.0.16.1       0 100 0 1800 690 560 ?
  *                   10.92.72.24     0 1878 704 701 560 ?
  * i10.13.0.0        10.0.22.1       0 100 0 1800 690 200 ?
  *>i                 10.0.16.1       0 100 0 1800 690 200 ?
  *                   10.92.72.24     0 1878 704 701 200 ?
  * i10.15.0.0        10.0.22.1       0 100 0 1800 174 ?
  *>i                 10.0.16.1       0 100 0 1800 174 ?
  * i10.16.0.0        10.0.22.1       0 100 0 1800 701 i
  *>i                 10.0.16.1       0 100 0 1800 701 i
  *                   10.92.72.24     0 1878 704 701 i

  Table 4-7 shows each field description.

Table 4-7    show bgp community-list Fields

  Field              Description
  BGP table version  Internal version number of the table. This number is incremented whenever the table changes.
  local router ID    IP address of the router.
  Status codes       Status of the table entry. The status is displayed at the beginning of each line in the table. It can be one of the following values:
                     s—The table entry is suppressed.
                     *—The table entry is valid.
                     >—The table entry is the best entry to use for that network.
                     i—The table entry was learned via an internal BGP (iBGP) session.
  Origin codes       Origin of the entry. The origin code is placed at the end of each line in the table. It can be one of the following values:
                     i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised with a network router configuration command.
                     e—Entry originated from an Exterior Gateway Protocol (EGP).
                     ?—Origin of the path is not clear. Usually, this is a route that is redistributed into BGP from an IGP.
  Network            Internet address of the network the entry describes.
  Next Hop           IP address of the next system that is used when forwarding a packet to the destination network. An entry of 0.0.0.0 indicates that the access server has some non-BGP route to this network.
  Metric             If shown, the value of the inter-autonomous-system metric.
  LocPrf             Local preference value as set with the set local-preference route-map configuration command. The default value is 100.
  Weight             Weight of the route as set via autonomous system filters.
  Path               Autonomous system paths to the destination network. There can be one entry in this field for each autonomous system in the path. At the end of the path is the origin code for the path:
                     i—The entry was originated with the IGP and advertised with a network router configuration command.
                     e—The route originated with EGP.
                     ?—The origin of the path is not clear. Usually this is a path that is redistributed into BGP from an IGP.

show bgp filter-list

  To display routes that conform to a specified filter list, use the show bgp filter-list command in EXEC mode.

  show bgp filter-list access-list-name

Syntax Description
  access-list-name   Name of an autonomous system path access list.

Command Modes
  The following table shows the modes in which you can enter the command:

                              Firewall Mode          Security Context
                                                              Multiple
  Command Mode                Routed   Transparent   Single   Context   System
  Privileged EXEC, User EXEC  • Yes    • Yes         • Yes    • Yes     • Yes

Command History
  Release   Modification
  9.2(1)    This command was added.

Examples
  The following is sample output of the show bgp filter-list command in privileged EXEC mode:

  ciscoasa# show bgp filter-list filter-list-acl
  BGP table version is 1738, local router ID is 172.16.72.24
  Status codes: s suppressed, * valid, > best, i - internal
  Origin codes: i - IGP, e - EGP, ? - incomplete
     Network          Next Hop        Metric LocPrf Weight Path
  *  172.16.0.0       172.16.72.30    0 109 108 ?
  *  172.16.1.0       172.16.72.30    0 109 108 ?
  *  172.16.11.0      172.16.72.30    0 109 108 ?
  *  172.16.14.0      172.16.72.30    0 109 108 ?
  *  172.16.15.0      172.16.72.30    0 109 108 ?
  *  172.16.16.0      172.16.72.30    0 109 108 ?
  *  172.16.17.0      172.16.72.30    0 109 108 ?
  *  172.16.18.0      172.16.72.30    0 109 108 ?
  *  172.16.19.0      172.16.72.30    0 109 108 ?
  *  172.16.24.0      172.16.72.30    0 109 108 ?
  *  172.16.29.0      172.16.72.30    0 109 108 ?
  *  172.16.30.0      172.16.72.30    0 109 108 ?
  *  172.16.33.0      172.16.72.30    0 109 108 ?
  *  172.16.35.0      172.16.72.30    0 109 108 ?
  *  172.16.36.0      172.16.72.30    0 109 108 ?
  *  172.16.37.0      172.16.72.30    0 109 108 ?
  *  172.16.38.0      172.16.72.30    0 109 108 ?
  *  172.16.39.0      172.16.72.30    0 109 108 ?

  Table 4-8 shows each field description.

Table 4-8    show bgp filter-list Fields

  Field              Description
  BGP table version  Internal version number of the table. This number is incremented whenever the table changes.
  local router ID    IP address of the router.
  Status codes       Status of the table entry. The status is displayed at the beginning of each line in the table. It can be one of the following values:
                     s—The table entry is suppressed.
                     *—The table entry is valid.
                     >—The table entry is the best entry to use for that network.
                     i—The table entry was learned via an internal BGP (iBGP) session.
  Origin codes       Origin of the entry. The origin code is placed at the end of each line in the table. It can be one of the following values:
                     i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised with a network router configuration command.
                     e—Entry originated from an Exterior Gateway Protocol (EGP).
                     ?—Origin of the path is not clear. Usually, this is a route that is redistributed into BGP from an IGP.
  Network            Internet address of the network the entry describes.
  Next Hop           IP address of the next system that is used when forwarding a packet to the destination network. An entry of 0.0.0.0 indicates that the access server has some non-BGP route to this network.
  Metric             If shown, the value of the inter-autonomous-system metric.
  LocPrf             Local preference value as set with the set local-preference route-map configuration command. The default value is 100.
  Weight             Weight of the route as set via autonomous system filters.
  Path               Autonomous system paths to the destination network. There can be one entry in this field for each autonomous system in the path. At the end of the path is the origin code for the path:
                     i—The entry was originated with the IGP and advertised with a network router configuration command.
                     e—The route originated with EGP.
                     ?—The origin of the path is not clear. Usually this is a path that is redistributed into BGP from an IGP.

show bgp injected-paths

  To display all the injected paths in the Border Gateway Protocol (BGP) routing table, use the show bgp injected-paths command in user or privileged EXEC mode.

  show bgp injected-paths

Syntax Description
  This command has no arguments or keywords.
Command Modes
  The following table shows the modes in which you can enter the command:

                              Firewall Mode          Security Context
                                                              Multiple
  Command Mode                Routed   Transparent   Single   Context   System
  Privileged EXEC, User EXEC  • Yes    • Yes         • Yes    • Yes     • Yes

Command History
  Release   Modification
  9.2(1)    This command was added.

Examples
  The following is sample output from the show bgp injected-paths command in EXEC mode:

  ciscoasa# show bgp injected-paths
  BGP table version is 11, local router ID is 10.0.0.1
  Status codes:s suppressed, d damped, h history, * valid, > best, i internal
  Origin codes:i - IGP, e - EGP, ? - incomplete
     Network          Next Hop        Metric LocPrf Weight Path
  *> 172.16.0.0       10.0.0.2        0 ?
  *> 172.17.0.0/16    10.0.0.2        0 ?

  Table 4-9 shows each field description.

Table 4-9    show bgp injected-path Fields

  Field              Description
  BGP table version  Internal version number of the table. This number is incremented whenever the table changes.
  local router ID    IP address of the router.
  Status codes       Status of the table entry. The status is displayed at the beginning of each line in the table. It can be one of the following values:
                     s—The table entry is suppressed.
                     *—The table entry is valid.
                     >—The table entry is the best entry to use for that network.
                     i—The table entry was learned via an internal BGP (iBGP) session.
  Origin codes       Origin of the entry. The origin code is placed at the end of each line in the table. It can be one of the following values:
                     i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised with a network router configuration command.
                     e—Entry originated from an Exterior Gateway Protocol (EGP).
                     ?—Origin of the path is not clear. Usually, this is a route that is redistributed into BGP from an IGP.
  Network            Internet address of the network the entry describes.
  Next Hop           IP address of the next system that is used when forwarding a packet to the destination network. An entry of 0.0.0.0 indicates that the access server has some non-BGP route to this network.
  Metric             If shown, the value of the inter-autonomous-system metric.
  LocPrf             Local preference value as set with the set local-preference route-map configuration command. The default value is 100.
  Weight             Weight of the route as set via autonomous system filters.
  Path               Autonomous system paths to the destination network. There can be one entry in this field for each autonomous system in the path. At the end of the path is the origin code for the path:
                     i—The entry was originated with the IGP and advertised with a network router configuration command.
                     e—The route originated with EGP.
                     ?—The origin of the path is not clear. Usually this is a path that is redistributed into BGP from an IGP.

show bgp ipv4

  To display entries in the IP version 4 (IPv4) Border Gateway Protocol (BGP) routing table, use the show bgp ipv4 command in privileged EXEC mode.

  show bgp ipv4

Syntax Description
  This command has no arguments or keywords.

Command Modes
  The following table shows the modes in which you can enter the command:

                              Firewall Mode          Security Context
                                                              Multiple
  Command Mode                Routed   Transparent   Single   Context   System
  Privileged EXEC, User EXEC  • Yes    • Yes         • Yes    • Yes     • Yes

Command History
  Release   Modification
  9.2(1)    This command was added.

Examples
  The following is sample output from the show bgp ipv4 unicast command:

  ciscoasa# show bgp ipv4 unicast
  BGP table version is 4, local router ID is 10.0.40.1
  Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
  Origin codes: i - IGP, e - EGP, ? - incomplete
     Network          Next Hop        Metric LocPrf Weight Path
  *> 10.10.10.0/24    172.16.10.1     0 0 300 i
  *> 10.10.20.0/24    172.16.10.1     0 0 300 i
  *  10.20.10.0/24    172.16.10.1     0 0 300 i

  The following is sample output from the show bgp ipv4 multicast command:

  Router# show bgp ipv4 multicast
  BGP table version is 4, local router ID is 10.0.40.1
  Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
  Origin codes: i - IGP, e - EGP, ? - incomplete
     Network          Next Hop        Metric LocPrf Weight Path
  *> 10.10.10.0/24    172.16.10.1     0 0 300 i
  *> 10.10.20.0/24    172.16.10.1     0 0 300 i
  *  10.20.10.0/24    172.16.10.1     0 0 300 i

  Table 4-10 shows each field description.

Table 4-10    show bgp ipv4 Fields

  Field              Description
  BGP table version  Internal version number of the table. This number is incremented whenever the table changes.
  local router ID    IP address of the router.
  Status codes       Status of the table entry. The status is displayed at the beginning of each line in the table. It can be one of the following values:
                     s—The table entry is suppressed.
                     *—The table entry is valid.
                     >—The table entry is the best entry to use for that network.
                     i—The table entry was learned via an internal BGP (iBGP) session.
  Origin codes       Origin of the entry. The origin code is placed at the end of each line in the table. It can be one of the following values:
                     i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised with a network router configuration command.
                     e—Entry originated from an Exterior Gateway Protocol (EGP).
                     ?—Origin of the path is not clear. Usually, this is a route that is redistributed into BGP from an IGP.
  Network            Internet address of the network the entry describes.
  Next Hop           IP address of the next system that is used when forwarding a packet to the destination network. An entry of 0.0.0.0 indicates that the access server has some non-BGP route to this network.
  Metric             If shown, the value of the inter-autonomous-system metric.
  LocPrf             Local preference value as set with the set local-preference route-map configuration command. The default value is 100.
  Weight             Weight of the route as set via autonomous system filters.
  Path               Autonomous system paths to the destination network. There can be one entry in this field for each autonomous system in the path. At the end of the path is the origin code for the path:
                     i—The entry was originated with the IGP and advertised with a network router configuration command.
                     e—The route originated with EGP.
                     ?—The origin of the path is not clear. Usually this is a path that is redistributed into BGP from an IGP.

show bgp ipv6

  To display entries in the IPv6 Border Gateway Protocol (BGP) routing table, use the show bgp ipv6 command in user EXEC or privileged EXEC mode.

  show bgp ipv6 unicast [ipv6-prefix/prefix-length] [longer-prefixes] [labels]

Syntax Description
  unicast            Specifies IPv6 unicast address prefixes.
  ipv6-prefix        (Optional) IPv6 network number, entered to display a particular network in the IPv6 BGP routing table. This argument must be in the form documented in RFC 2373, where the address is specified in hexadecimal using 16-bit values between colons.
  /prefix-length     (Optional) The length of the IPv6 prefix. A decimal value that indicates how many of the high-order contiguous bits of the address comprise the prefix (the network portion of the address). A slash mark must precede the decimal value.
  longer-prefixes    (Optional) Displays the route and more specific routes.
  labels             (Optional) Displays the policies applied to this neighbor per address family.

Command Modes
  The following table shows the modes in which you can enter the command:

                              Firewall Mode          Security Context
                                                              Multiple
  Command Mode                Routed   Transparent   Single   Context   System
  Privileged EXEC, User EXEC  • Yes    • Yes         • Yes    • Yes     • Yes

Command History
  Release   Modification
  9.3(2)    This command was added.

Examples
  The following is sample output from the show bgp ipv6 command:

  ciscoasa# show bgp ipv6 unicast
  BGP table version is 12612, local router ID is 172.16.7.225
  Status codes: s suppressed, h history, * valid, > best, i - internal
  Origin codes: i - IGP, e - EGP, ? - incomplete
     Network          Next Hop        Metric LocPrf Weight Path
  *> 10.10.10.0/24    172.16.10.1     0 0 300 i
  *> 10.10.20.0/24    172.16.10.1     0 0 300 i
  *  10.20.10.0/24    172.16.10.1     0 0 300 i

  The following is sample output from the show bgp ipv4 multicast command:

  Router# show bgp ipv4 multicast
  BGP table version is 4, local router ID is 10.0.40.1
  Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
  Origin codes: i - IGP, e - EGP, ? - incomplete
     Network          Next Hop              Metric LocPrf Weight Path
  *                   3FFE:C00:E:C::2       0 3748 4697 1752 i
  *                   3FFE:1100:0:CC00::1   0 1849 1273 1752 i
  *  2001:618:3::/48  3FFE:C00:E:4::2       1 0 4554 1849 65002 i
  *>                  3FFE:1100:0:CC00::1   0 1849 65002 i
  *  2001:620::/35    2001:0DB8:0:F004::1   0 3320 1275 559 i
  *                   3FFE:C00:E:9::2       0 1251 1930 559 i
  *                   3FFE:3600::A          0 3462 10566 1930 559 i
  *                   3FFE:700:20:1::11     0 293 1275 559 i
  *                   3FFE:C00:E:4::2       1 0 4554 1849 1273 559 i
  *                   3FFE:C00:E:B::2       0 237 3748 1275 559 i

  Table 4-11 shows each field description.

Table 4-11    show bgp ipv6 Fields

  Field              Description
  BGP table version  Internal version number of the table. This number is incremented whenever the table changes.
  local router ID    IP address of the router.
  Status codes       Status of the table entry. The status is displayed at the beginning of each line in the table. It can be one of the following values:
                     s—The table entry is suppressed.
                     h—The table entry is history.
                     *—The table entry is valid.
                     >—The table entry is the best entry to use for that network.
                     i—The table entry was learned via an internal BGP (iBGP) session.
  Origin codes       Origin of the entry. The origin code is placed at the end of each line in the table. It can be one of the following values:
                     i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised with a network router configuration command.
                     e—Entry originated from an Exterior Gateway Protocol (EGP).
                     ?—Origin of the path is not clear. Usually, this is a route that is redistributed into BGP from an IGP.
  Network            Internet address of the network the entry describes.
  Next Hop           IP address of the next system that is used when forwarding a packet to the destination network. An entry of 0.0.0.0 indicates that the access server has some non-BGP route to this network.
  Metric             If shown, the value of the inter-autonomous-system metric.
  LocPrf             Local preference value as set with the set local-preference route-map configuration command. The default value is 100.
  Weight             Weight of the route as set via autonomous system filters.
  Path               Autonomous system paths to the destination network. There can be one entry in this field for each autonomous system in the path. At the end of the path is the origin code for the path:
                     i—The entry was originated with the IGP and advertised with a network router configuration command.
                     e—The route originated with EGP.
                     ?—The origin of the path is not clear. Usually this is a path that is redistributed into BGP from an IGP.
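The table layout described in the Fields tables for the show bgp commands above (status codes at the start of each line, then Network, Next Hop, Metric, LocPrf, Weight, and an AS path that ends in an origin code) can be parsed from the column positions of the header line. The following Python is an added example and not part of the command reference: it parses a constructed IPv4 sample in that layout, carries the Network value forward onto additional-path lines that leave the column blank, and flags entries a reviewer would want to look at (suppressed, dampened, history, RIB-failure or stale status, incomplete origin, and a next hop of 0.0.0.0, which the Next Hop field describes as a non-BGP route).

```python
"""Parse the show bgp table layout (status codes, Network, Next Hop, Metric,
LocPrf, Weight, Path ending in an origin code) and run basic review checks.
Added example; the sample below is constructed, not captured device output."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Code meanings as listed in the Fields tables.
STATUS_CODES = {"s": "suppressed", "d": "damped", "h": "history", "*": "valid",
                ">": "best", "i": "internal", "r": "RIB-failure", "S": "stale"}
ORIGIN_CODES = {"i": "IGP", "e": "EGP", "?": "incomplete"}

# Constructed sample in the single-line IPv4 layout. The third row is an
# additional path for 10.3.0.0, so its Network column is blank.
SAMPLE = """\
BGP table version is 10, local router ID is 224.0.0.10
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.2.2/32    10.43.222.2              0             0 222 ?
* i10.3.0.0         10.0.22.1                0    100      0 1800 1239 ?
*>i                 10.0.16.1                0    100      0 1800 1239 ?
*> 10.43.44.44/32   10.43.222.2              0             0 222 i
s> 10.43.222.0/24   10.43.222.2              0             0 222 ?
*> 192.168.0.0/8    0.0.0.0                  0         32768 i
"""


@dataclass
class BgpRoute:
    network: str
    next_hop: str
    status: List[str]            # status code characters present on the line
    origin: str                  # i, e or ?
    as_path: List[int]
    metric: Optional[int] = None
    local_pref: Optional[int] = None
    weight: Optional[int] = None


def _columns(header: str) -> Dict[str, int]:
    """Column boundaries taken from the header line, so the parser follows
    the widths the device printed instead of hard-coded offsets."""
    return {
        "nh_start": header.index("Next Hop"),
        "metric_end": header.index("Metric") + len("Metric"),
        "locprf_end": header.index("LocPrf") + len("LocPrf"),
        "weight_end": header.index("Weight") + len("Weight"),
    }


def _opt_int(text: str) -> Optional[int]:
    text = text.strip()
    return int(text) if text else None


def parse_bgp_table(output: str) -> List[BgpRoute]:
    routes: List[BgpRoute] = []
    cols: Optional[Dict[str, int]] = None
    last_network = ""
    for line in output.splitlines():
        if cols is None:                      # skip the banner until the header
            if "Network" in line and "Next Hop" in line:
                cols = _columns(line)
            continue
        if not line.strip():
            continue
        status = [c for c in line[:3] if c in STATUS_CODES]
        # A blank Network column means another path for the previous prefix.
        network = line[3:cols["nh_start"]].strip() or last_network
        last_network = network
        # Next Hop is left-aligned and Metric right-aligned in a shared region.
        region = line[cols["nh_start"]:cols["metric_end"]].split()
        next_hop = region[0]
        metric = int(region[1]) if len(region) > 1 else None
        local_pref = _opt_int(line[cols["metric_end"]:cols["locprf_end"]])
        weight = _opt_int(line[cols["locprf_end"]:cols["weight_end"]])
        path_tokens = line[cols["weight_end"]:].split()
        origin = path_tokens[-1]
        if origin not in ORIGIN_CODES:
            raise ValueError(f"no origin code at end of line: {line!r}")
        as_path = [int(t) for t in path_tokens[:-1]]
        routes.append(BgpRoute(network, next_hop, status, origin, as_path,
                               metric, local_pref, weight))
    return routes


def best_routes(routes: List[BgpRoute]) -> Dict[str, BgpRoute]:
    """The best (>) path per network, i.e. what the speaker uses and advertises."""
    return {r.network: r for r in routes if ">" in r.status}


def review_findings(routes: List[BgpRoute]) -> List[Tuple[str, str]]:
    """Entries worth a second look: suppressed, dampened, history, RIB-failure
    or stale status, incomplete (redistributed) origin, and next hop 0.0.0.0,
    which the Next Hop field describes as a non-BGP route on this device."""
    findings: List[Tuple[str, str]] = []
    for r in routes:
        for code in ("s", "d", "h", "r", "S"):
            if code in r.status:
                findings.append((r.network, STATUS_CODES[code]))
        if r.origin == "?":
            findings.append((r.network, "incomplete origin"))
        if r.next_hop == "0.0.0.0":
            findings.append((r.network, "locally originated"))
    return findings
```

The IPv6 tables on this page wrap the next hop onto its own line, so they need a two-line variant of the row parser that this example does not include.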
The following is sample output from the show bgp ipv6 command, showing information for prefix 3FFE:500::/24:

ciscoasa# show bgp ipv6 unicast 3FFE:500::/24
BGP routing table entry for 3FFE:500::/24, version 19421
Paths: (6 available, best #1)
  293 3425 2500
    3FFE:700:20:1::11 from 3FFE:700:20:1::11 (192.168.2.27)
      Origin IGP, localpref 100, valid, external, best
  4554 293 3425 2500
    3FFE:C00:E:4::2 from 3FFE:C00:E:4::2 (192.168.1.1)
      Origin IGP, metric 1, localpref 100, valid, external
  33 293 3425 2500
    3FFE:C00:E:5::2 from 3FFE:C00:E:5::2 (209.165.18.254)
      Origin IGP, localpref 100, valid, external
  6175 7580 2500
    3FFE:C00:E:1::2 from 3FFE:C00:E:1::2 (209.165.223.204)
      Origin IGP, localpref 100, valid, external
  1849 4697 2500, (suppressed due to dampening)
    3FFE:1100:0:CC00::1 from 3FFE:1100:0:CC00::1 (172.31.38.102)
      Origin IGP, localpref 100, valid, external
  237 10566 4697 2500
    3FFE:C00:E:B::2 from 3FFE:C00:E:B::2 (172.31.0.3)
      Origin IGP, localpref 100, valid, external

ciscoasa# show bgp ipv6 unicast
BGP table version is 28, local router ID is 172.10.10.1
Status codes: s suppressed, h history, * valid, > best, i internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network        Next Hop             Metric LocPrf Weight Path
*>i4004::/64      ::FFFF:172.11.11.1        0    100      0 ?
* i               ::FFFF:172.30.30.1        0    100      0 ?

show bgp ipv6 community

To display entries in the IPv6 Border Gateway Protocol (BGP) routing table, use the show bgp ipv6 community command in user EXEC or privileged EXEC mode.

show bgp ipv6 unicast community [community-number] [exact-match] [local-as | no-advertise | no-export]

Syntax Description

unicast             Specifies IPv6 unicast address prefixes.
community-number    (Optional) Valid value is a community number in the range from 1 to 4294967295 or AA:NN (autonomous system-community number:2-byte number).
exact-match         (Optional) Displays only routes that have an exact match.
local-as            (Optional) Displays only routes that are not sent outside of the local autonomous system (well-known community).
no-advertise        (Optional) Displays only routes that are not advertised to any peer (well-known community).
no-export           (Optional) Displays only routes that are not exported outside of the local autonomous system (well-known community).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                 Firewall Mode          Security Context
                             Routed   Transparent   Single   Multiple
                                                             Context   System
Privileged EXEC, User EXEC   Yes      Yes           Yes      Yes       Yes

Command History

Release   Modification
9.3(2)    This command was added.

Usage Guidelines

The show bgp ipv6 community command provides output similar to the show ip bgp community command, except that it is IPv6-specific.

Communities are set with the set community route-map configuration command.

You must enter the numerical communities before the well-known communities. For example, the following string is not valid:

ciscoasa# show ipv6 bgp unicast community local-as 111:12345

Use the following string instead:

ciscoasa# show ipv6 bgp unicast community 111:12345 local-as

Examples

The following is sample output from the show bgp ipv6 community command:

BGP table version is 69, local router ID is 10.2.64.5
Status codes: s suppressed, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network                 Next Hop            Metric LocPrf Weight Path
*> 2001:0DB8:0:1::1/64     ::                  0 32768 i
*> 2001:0DB8:0:1:1::/80    ::                  0 32768 ?
*> 2001:0DB8:0:2::/64      2001:0DB8:0:3::2    0 2 i
*> 2001:0DB8:0:2:1::/80    2001:0DB8:0:3::2    0 2 ?
*  2001:0DB8:0:3::1/64     2001:0DB8:0:3::2    0 2 ?
*>                         ::                  0 32768 ?
*> 2001:0DB8:0:4::/64      2001:0DB8:0:3::2    0 2 ?
*> 2001:0DB8:0:5::1/64     ::                  0 32768 ?
*> 2001:0DB8:0:6::/64      2000:0:0:3::2       0 2 3 i
*> 2010::/64               ::                  0 32768 ?
*> 2020::/64               ::                  0 32768 ?
*> 2030::/64               ::                  0 32768 ?
*> 2040::/64               ::                  0 32768 ?
*> 2050::/64               ::                  0 32768 ?

Table 4-12    show bgp ipv6 community fields

Field               Description
BGP table version   Internal version number of the table. This number is incremented whenever the table changes.
local router ID     A 32-bit number written as 4 octets separated by periods (dotted-decimal format).
Status codes        Status of the table entry. The status is displayed at the beginning of each line in the table. It can be one of the following values:
                    s—The table entry is suppressed.
                    h—The table entry is history.
                    *—The table entry is valid.
                    >—The table entry is the best entry to use for that network.
                    i—The table entry was learned via an internal BGP (iBGP) session.
Origin codes        Origin of the entry. The origin code is placed at the end of each line in the table. It can be one of the following values:
                    i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised with a network router configuration command.
                    e—Entry originated from an Exterior Gateway Protocol (EGP).
                    ?—Origin of the path is not clear. Usually, this is a router that is redistributed into BGP from an IGP.
Network             Internet address of the network the entry describes.
Next Hop            IP address of the next system that is used when forwarding a packet to the destination network. An entry of 0.0.0.0 indicates that the access server has some non-BGP route to this network.
Metric              If shown, the value of the inter autonomous system metric.
LocPrf              Local preference value as set with the set local-preference route-map configuration command. The default value is 100.
Weight              Weight of the route as set via autonomous system filters.
Path                Autonomous system paths to the destination network. There can be one entry in this field for each autonomous system in the path. At the end of the path is the origin code for the path:
                    i—The entry was originated with the IGP and advertised with a network router configuration command.
                    e—The route originated with EGP.
                    ?—The origin of the path is not clear. Usually this is a path that is redistributed into BGP from an IGP.

show bgp ipv6 community-list

To display routes that are permitted by the IPv6 Border Gateway Protocol (BGP) community list, use the show bgp ipv6 community-list command in user EXEC or privileged EXEC mode.

show bgp ipv6 unicast community-list {number | name} [exact-match]

Syntax Description

unicast        Specifies IPv6 unicast address prefixes.
number         Community list number in the range from 1 to 199.
name           Community list name.
exact-match    (Optional) Displays only routes that have an exact match.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                 Firewall Mode          Security Context
                             Routed   Transparent   Single   Multiple
                                                             Context   System
Privileged EXEC, User EXEC   Yes      Yes           Yes      Yes       Yes

Command History

Release   Modification
9.3(2)    This command was added.

Usage Guidelines

The show bgp ipv6 unicast community-list command provides output similar to the show ip bgp community-list command, except that it is IPv6-specific.

Examples

The following is sample output of the show bgp ipv6 community-list command for community list number 3:

ciscoasa# show bgp ipv6 unicast community-list 3
BGP table version is 14, local router ID is 10.2.64.6
Status codes: s suppressed, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network                 Next Hop            Metric LocPrf Weight Path
*> 2001:0DB8:0:1::/64      2001:0DB8:0:3::1    0 1 i
*> 2001:0DB8:0:1:1::/80    2001:0DB8:0:3::1    0 1 i
*> 2001:0DB8:0:2::1/64     ::                  0 32768 i
*> 2001:0DB8:0:2:1::/80    ::                  0 32768 ?
*  2001:0DB8:0:3::2/64     2001:0DB8:0:3::1    0 1 ?
*>                         ::                  0 32768 ?
*> 2001:0DB8:0:4::2/64     ::                  0 32768 ?
*> 2001:0DB8:0:5::/64      2001:0DB8:0:3::1    0 1 ?
*> 2010::/64               2001:0DB8:0:3::1    0 1 ?
*> 2020::/64               2001:0DB8:0:3::1    0 1 ?
*> 2030::/64               2001:0DB8:0:3::1    0 1 ?
*> 2040::/64               2001:0DB8:0:3::1    0 1 ?
*> 2050::/64               2001:0DB8:0:3::1    0 1 ?

The table below describes the significant fields shown in the display.

Table 4-13    show bgp ipv6 community-list fields

Field               Description
BGP table version   Internal version number of the table. This number is incremented whenever the table changes.
local router ID     A 32-bit number written as 4 octets separated by periods (dotted-decimal format).
Status codes        Status of the table entry. The status is displayed at the beginning of each line in the table. It can be one of the following values:
                    s—The table entry is suppressed.
                    h—The table entry is history.
                    *—The table entry is valid.
                    >—The table entry is the best entry to use for that network.
                    i—The table entry was learned via an internal BGP (iBGP) session.
Origin codes        Origin of the entry. The origin code is placed at the end of each line in the table. It can be one of the following values:
                    i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised with a network router configuration command.
                    e—Entry originated from an Exterior Gateway Protocol (EGP).
                    ?—Origin of the path is not clear. Usually, this is a router that is redistributed into BGP from an IGP.
Network             Internet address of the network the entry describes.
Next Hop            IP address of the next system that is used when forwarding a packet to the destination network. An entry of 0.0.0.0 indicates that the access server has some non-BGP route to this network.
Metric              If shown, the value of the inter autonomous system metric.
LocPrf              Local preference value as set with the set local-preference route-map configuration command. The default value is 100.
Weight              Weight of the route as set via autonomous system filters.
Path                Autonomous system paths to the destination network. There can be one entry in this field for each autonomous system in the path. At the end of the path is the origin code for the path:
                    i—The entry was originated with the IGP and advertised with a network router configuration command.
                    e—The route originated with EGP.
                    ?—The origin of the path is not clear. Usually this is a path that is redistributed into BGP from an IGP.

show bgp ipv6 filter-list

To display routes that conform to a specified IPv6 filter list, use the show bgp ipv6 filter-list command in user EXEC or privileged EXEC mode.

show bgp ipv6 unicast filter-list access-list-number

Syntax Description

unicast               Specifies IPv6 unicast address prefixes.
access-list-number    Number of an IPv6 autonomous system path access list. It can be a number from 1 to 199.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                 Firewall Mode          Security Context
                             Routed   Transparent   Single   Multiple
                                                             Context   System
Privileged EXEC, User EXEC   Yes      Yes           Yes      Yes       Yes

Command History

Release   Modification
9.3(2)    This command was added.

Usage Guidelines

The show bgp ipv6 filter-list command provides output similar to the show ip bgp filter-list command, except that it is IPv6-specific.

Examples

The following is sample output from the show bgp ipv6 filter-list command for IPv6 autonomous system path access list number 1:

ciscoasa# show bgp ipv6 unicast filter-list 1
BGP table version is 26, local router ID is 192.168.0.2
Status codes: s suppressed, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network                 Next Hop            Metric LocPrf Weight Path
*> 2001:0DB8:0:1::/64      2001:0DB8:0:4::2    0 2 1 i
*> 2001:0DB8:0:1:1::/80    2001:0DB8:0:4::2    0 2 1 i
*> 2001:0DB8:0:2:1::/80    2001:0DB8:0:4::2    0 2 ?
*> 2001:0DB8:0:3::/64      2001:0DB8:0:4::2    0 2 ?
*> 2001:0DB8:0:4::/64      ::                  32768 ?
*  2001:0DB8:0:5::/64      2001:0DB8:0:4::2    0 2 ?
*>                         ::                  32768 ?
*  2001:0DB8:0:6::1/64     2001:0DB8:0:4::2    0 2 1 ?
*>                         ::                  32768 i
*> 2030::/64               2001:0DB8:0:4::2    0 1
*> 2040::/64               2001:0DB8:0:4::2    0 2 1 ?
*> 2050::/64               2001:0DB8:0:4::2    0 2 1 ?

The table below describes the significant fields shown in the display.

Table 4-14    show bgp ipv6 community-list fields

Field               Description
BGP table version   Internal version number of the table. This number is incremented whenever the table changes.
local router ID     A 32-bit number written as 4 octets separated by periods (dotted-decimal format).
Status codes        Status of the table entry. The status is displayed at the beginning of each line in the table. It can be one of the following values:
                    s—The table entry is suppressed.
                    h—The table entry is history.
                    *—The table entry is valid.
                    >—The table entry is the best entry to use for that network.
                    i—The table entry was learned via an internal BGP (iBGP) session.
Origin codes        Origin of the entry. The origin code is placed at the end of each line in the table. It can be one of the following values:
                    i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised with a network router configuration command.
                    e—Entry originated from an Exterior Gateway Protocol (EGP).
                    ?—Origin of the path is not clear. Usually, this is a router that is redistributed into BGP from an IGP.
Network             Internet address of the network the entry describes.
Next Hop            IP address of the next system that is used when forwarding a packet to the destination network. An entry of 0.0.0.0 indicates that the access server has some non-BGP route to this network.
Metric              If shown, the value of the inter autonomous system metric.
LocPrf              Local preference value as set with the set local-preference route-map configuration command. The default value is 100.
Weight              Weight of the route as set via autonomous system filters.
Path                Autonomous system paths to the destination network. There can be one entry in this field for each autonomous system in the path. At the end of the path is the origin code for the path:
                    i—The entry was originated with the IGP and advertised with a network router configuration command.
                    e—The route originated with EGP.
                    ?—The origin of the path is not clear. Usually this is a path that is redistributed into BGP from an IGP.

show bgp ipv6 inconsistent-as

To display IPv6 Border Gateway Protocol (BGP) routes with inconsistent originating autonomous systems, use the show bgp ipv6 inconsistent-as command in user EXEC or privileged EXEC mode.

show bgp ipv6 unicast inconsistent-as

Syntax Description

unicast    Specifies IPv6 unicast address prefixes.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                 Firewall Mode          Security Context
                             Routed   Transparent   Single   Multiple
                                                             Context   System
Privileged EXEC, User EXEC   Yes      Yes           Yes      Yes       Yes

Command History

Release   Modification
9.3(2)    This command was added.

Usage Guidelines

The show bgp ipv6 unicast inconsistent-as command provides output similar to the show ip bgp inconsistent-as command, except that it is IPv6-specific.

Examples

The following is sample output from the show bgp ipv6 inconsistent-as command:

ciscoasa# show bgp ipv6 unicast inconsistent-as
BGP table version is 12612, local router ID is 192.168.7.225
Status codes: s suppressed, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop              Metric LocPrf Weight Path
*  3FFE:1300::/24   2001:0DB8:0:F004::1   0 3320 293 6175 ?
*                   3FFE:C00:E:9::2       0 1251 4270 10318 ?
*                   3FFE:3600::A          0 3462 6175 ?
*                   3FFE:700:20:1::11     0 293 6175 ?

Table 4-15 below describes the significant fields shown in the display.

Table 4-15    show bgp ipv6 community-list fields

Field               Description
BGP table version   Internal version number of the table. This number is incremented whenever the table changes.
local router ID     A 32-bit number written as 4 octets separated by periods (dotted-decimal format).
Status codes        Status of the table entry. The status is displayed at the beginning of each line in the table. It can be one of the following values:
                    s—The table entry is suppressed.
                    h—The table entry is history.
                    *—The table entry is valid.
                    >—The table entry is the best entry to use for that network.
                    i—The table entry was learned via an internal BGP (iBGP) session.
Origin codes        Origin of the entry. The origin code is placed at the end of each line in the table. It can be one of the following values:
                    i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised with a network router configuration command.
                    e—Entry originated from an Exterior Gateway Protocol (EGP).
                    ?—Origin of the path is not clear. Usually, this is a router that is redistributed into BGP from an IGP.
Network             Internet address of the network the entry describes.
Next Hop            IP address of the next system that is used when forwarding a packet to the destination network. An entry of 0.0.0.0 indicates that the access server has some non-BGP route to this network.
Metric              If shown, the value of the inter autonomous system metric.
LocPrf              Local preference value as set with the set local-preference route-map configuration command. The default value is 100.
Weight              Weight of the route as set via autonomous system filters.
Path                Autonomous system paths to the destination network. There can be one entry in this field for each autonomous system in the path. At the end of the path is the origin code for the path:
                    i—The entry was originated with the IGP and advertised with a network router configuration command.
                    e—The route originated with EGP.
                    ?—The origin of the path is not clear. Usually this is a path that is redistributed into BGP from an IGP.

show bgp ipv6 neighbors

To display information about IPv6 Border Gateway Protocol (BGP) connections to neighbors, use the show bgp ipv6 neighbors command in user EXEC or privileged EXEC mode.

show bgp ipv6 unicast neighbors [ipv6-address] [received-routes | routes | advertised-routes | paths regular-expression]

Syntax Description

unicast                    Specifies IPv6 unicast address prefixes.
ipv6-address               (Optional) Address of the IPv6 BGP-speaking neighbor. If you omit this argument, all IPv6 neighbors are displayed. This argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.
received-routes            (Optional) Displays all received routes (both accepted and rejected) from the specified neighbor.
routes                     (Optional) Displays all routes received and accepted. This is a subset of the output from the received-routes keyword.
advertised-routes          (Optional) Displays all the routes the networking device advertised to the neighbor.
paths regular-expression   (Optional) Regular expression used to match the paths received.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                 Firewall Mode          Security Context
                             Routed   Transparent   Single   Multiple
                                                             Context   System
Privileged EXEC, User EXEC   Yes      Yes           Yes      Yes       Yes

Command History

Release   Modification
9.3(2)    This command was added.

Usage Guidelines

The show bgp ipv6 unicast neighbors command provides output similar to the show ip bgp neighbors command, except that it is IPv6-specific.
Examples

The following is sample output from the show bgp ipv6 neighbors command:

ciscoasa# show bgp ipv6 unicast neighbors
BGP neighbor is 3FFE:700:20:1::11, remote AS 65003, external link
  BGP version 4, remote router ID 192.168.2.27
  BGP state = Established, up for 13:40:17
  Last read 00:00:09, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received
    Address family IPv6 Unicast: advertised and received
  Received 31306 messages, 20 notifications, 0 in queue
  Sent 14298 messages, 1 notifications, 0 in queue
  Default minimum time between advertisement runs is 30 seconds

 For address family: IPv6 Unicast
  BGP table version 21880, neighbor version 21880
  Index 1, Offset 0, Mask 0x2
  Route refresh request: received 0, sent 0
  Community attribute sent to this neighbor
  Outbound path policy configured
  Incoming update prefix filter list is bgp-in
  Outgoing update prefix filter list is aggregate
  Route map for outgoing advertisements is uni-out
  77 accepted prefixes consume 4928 bytes
  Prefix advertised 4303, suppressed 0, withdrawn 1328
  Number of NLRIs in the update sent: max 1, min 0
  1 history paths consume 64 bytes

  Connections established 22; dropped 21
  Last reset 13:47:05, due to BGP Notification sent, hold time expired
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Local host: 3FFE:700:20:1::12, Local port: 55345
Foreign host: 3FFE:700:20:1::11, Foreign port: 179

Enqueued packets for retransmit: 0, input: 0  mis-ordered: 0 (0 bytes)

Event Timers (current time is 0x1A0D543C):
Timer          Starts    Wakeups            Next
Retrans          1218          5             0x0
TimeWait            0          0             0x0
AckHold          3327       3051             0x0
SendWnd             0          0             0x0
KeepAlive           0          0             0x0
GiveUp              0          0             0x0
PmtuAger            0          0             0x0
DeadWait            0          0             0x0

iss: 1805423033  snduna: 1805489354  sndnxt: 1805489354     sndwnd:  15531
irs:  821333727  rcvnxt:  821591465  rcvwnd:      15547  delrcvwnd:    837

SRTT: 300 ms, RTTO: 303 ms, RTV: 3 ms, KRTT: 0 ms
minRTT: 8 ms, maxRTT: 300 ms, ACK hold: 200 ms
Flags: higher precedence, nagle

Datagrams (max data segment is 1420 bytes):
Rcvd: 4252 (out of order: 0), with data: 3328, total data bytes: 257737
Sent: 4445 (retransmit: 5), with data: 4445, total data bytes: 244128

The table below describes the significant fields shown in the display.

Table 4-16    show bgp ipv6 community-list fields

Field                                                Description
BGP neighbor                                         IP address of the BGP neighbor and its autonomous system number. If the neighbor is in the same autonomous system as the router, then the link between them is internal; otherwise, it is considered external.
remote AS                                            Autonomous system of the neighbor.
internal link                                        Indicates that this peer is an interior Border Gateway Protocol (iBGP) peer.
BGP version                                          BGP version being used to communicate with the remote router; the router ID (an IP address) of the neighbor is also specified.
remote router ID                                     A 32-bit number written as 4 octets separated by periods (dotted-decimal format).
BGP state                                            Internal state of this BGP connection.
up for                                               Amount of time that the underlying TCP connection has been in existence.
Last read                                            Time that BGP last read a message from this neighbor.
hold time                                            Maximum amount of time that can elapse between messages from the peer.
keepalive interval                                   Time period between sending keepalive packets, which help ensure that the TCP connection is up.
Neighbor capabilities                                BGP capabilities advertised and received from this neighbor.
Route refresh                                        Indicates that the neighbor supports dynamic soft reset using the route refresh capability.
Address family IPv6 Unicast                          Indicates that BGP peers are exchanging IPv6 reachability information.
Received                                             Number of total BGP messages received from this peer, including keepalives.
notifications                                        Number of error messages received from the peer.
Sent                                                 Total number of BGP messages that have been sent to this peer, including keepalives.
notifications                                        Number of error messages the router has sent to this peer.
advertisement runs                                   Value of the minimum advertisement interval.
For address family                                   Address family to which the following fields refer.
BGP table version                                    Internal version number of the table. This number is incremented whenever the table changes.
neighbor version                                     Number used by the software to track the prefixes that have been sent and those that must be sent to this neighbor.
Route refresh request                                Number of route refresh requests sent and received from this neighbor.
Community attribute (not shown in sample output)     Appears if the neighbor send-community command is configured for this neighbor.
Inbound path policy (not shown in sample output)     Indicates whether an inbound filter list or route map is configured.
Outbound path policy (not shown in sample output)    Indicates whether an outbound filter list, route map, or unsuppress map is configured.
bgp-in (not shown in sample output)                  Name of the inbound update prefix filter list for the IPv6 unicast address family.
aggregate (not shown in sample output)               Name of the outbound update prefix filter list for the IPv6 unicast address family.
uni-out (not shown in sample output)                 Name of the outbound route map for the IPv6 unicast address family.
accepted prefixes                                    Number of prefixes accepted.
Prefix advertised                                    Number of prefixes advertised.
suppressed                                           Number of prefixes suppressed.
withdrawn                                            Number of prefixes withdrawn.
history paths (not shown in sample output)           Number of path entries held to remember history.
Connections established                              Number of times the router has established a TCP connection and the two peers have agreed to speak BGP with each other.
dropped                                              Number of times that a good connection has failed or been taken down.
Last reset                                           Elapsed time (in hours:minutes:seconds) since this peering session was last reset.
Connection state                                     State of the BGP peer.
unread input bytes                                   Number of bytes of packets still to be processed.
Local host, Local port                               Peering address of the local router, plus the port.
Foreign host, Foreign port                           Peering address of the neighbor.
Event Timers                                         Table that displays the number of starts and wakeups for each timer.
snduna                                               Last send sequence number for which the local host sent but has not received an acknowledgment.
sndnxt                                               Sequence number the local host will send next.
sndwnd                                               TCP window size of the remote host.
irs                                                  Initial receive sequence number.
rcvnxt                                               Last receive sequence number the local host has acknowledged.
rcvwnd                                               TCP window size of the local host.
delrcvwnd                                            Delayed receive window--data the local host has read from the connection, but has not yet subtracted from the receive window the host has advertised to the remote host. The value in this field gradually increases until it is larger than a full-sized packet, at which point it is applied to the rcvwnd field.
SRTT                                                 A calculated smoothed round-trip timeout (in milliseconds).
RTTO                                                 Round-trip timeout (in milliseconds).
RTV                                                  Variance of the round-trip time (in milliseconds).
KRTT                                                 New round-trip timeout (in milliseconds) using the Karn algorithm. This field separately tracks the round-trip time of packets that have been re-sent.
minRTT                                               Smallest recorded round-trip timeout (in milliseconds) with hard wire value used for calculation.
maxRTT                                               Largest recorded round-trip timeout (in milliseconds).
ACK hold                                             Time (in milliseconds) the local host will delay an acknowledgment in order to "piggyback" data on it.
Flags                                                IP precedence of the BGP packets.
Datagrams: Rcvd                                      Number of update packets received from neighbor.
with data                                            Number of update packets received with data.
total data bytes                                     Total number of bytes of data.
Sent                                                 Number of update packets sent.
with data                                            Number of update packets with data sent.
total data bytes                                     Total number of data bytes.

The following is sample output from the show bgp ipv6 neighbors command with the advertised-routes keyword:

ciscoasa# show bgp ipv6 unicast neighbors 3FFE:700:20:1::11 advertised-routes
BGP table version is 21880, local router ID is 192.168.7.225
Status codes: s suppressed, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 2001:200::/35    3FFE:700:20:1::11                    0 293 3425 2500 i
*> 2001:208::/35    3FFE:C00:E:B::2                      0 237 7610 i
*> 2001:218::/35    3FFE:C00:E:C::2                      0 3748 4697 i

The following is sample output from the show bgp ipv6 neighbors command with the routes keyword:

ciscoasa# show bgp ipv6 unicast neighbors 3FFE:700:20:1::11 routes
BGP table version is 21885, local router ID is 192.168.7.225
Status codes: s suppressed, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 2001:200::/35    3FFE:700:20:1::11                    0 293 3425 2500 i
*  2001:208::/35    3FFE:700:20:1::11                    0 293 7610 i
*  2001:218::/35    3FFE:700:20:1::11                    0 293 3425 4697 i
*  2001:230::/35    3FFE:700:20:1::11                    0 293 1275 3748 i

The table below describes the significant fields shown in the display.

Table 4-17    show bgp ipv6 neighbors advertised-routes and routes fields

Field               Description
BGP table version   Internal version number of the table. This number is incremented whenever the table changes.
local router ID     A 32-bit number written as 4 octets separated by periods (dotted-decimal format).
Status codes        Status of the table entry. The status is displayed at the beginning of each line in the table. It can be one of the following values:
                    s—The table entry is suppressed.
                    h—The table entry is history.
                    *—The table entry is valid.
                    >—The table entry is the best entry to use for that network.
                    i—The table entry was learned via an internal BGP (iBGP) session.
Origin codes        Origin of the entry. The origin code is placed at the end of each line in the table. It can be one of the following values:
                    i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised with a network router configuration command.
                    e—Entry originated from an Exterior Gateway Protocol (EGP).
                    ?—Origin of the path is not clear. Usually, this is a router that is redistributed into BGP from an IGP.
Network             Internet address of the network the entry describes.
Next Hop            IP address of the next system that is used when forwarding a packet to the destination network. An entry of 0.0.0.0 indicates that the access server has some non-BGP route to this network.
Metric              If shown, the value of the inter autonomous system metric.
LocPrf              Local preference value as set with the set local-preference route-map configuration command. The default value is 100.
Weight              Weight of the route as set via autonomous system filters.
Path                Autonomous system paths to the destination network. There can be one entry in this field for each autonomous system in the path. At the end of the path is the origin code for the path:
                    i—The entry was originated with the IGP and advertised with a network router configuration command.
                    e—The route originated with EGP.
                    ?—The origin of the path is not clear. Usually this is a path that is redistributed into BGP from an IGP.

The following is sample output from the show bgp ipv6 neighbors command with the paths keyword:

ciscoasa# show bgp ipv6 unicast neighbors 3FFE:700:20:1::11 paths ^293
Address       Refcount Metric Path
0x6131D7DC           2      0 293 3425 2500 i
0x6132861C           2      0 293 7610 i
0x6131AD18           2      0 293 3425 4697 i
0x61324084           2      0 293 1275 3748 i
0x61320E0C           1      0 293 3425 2500 2497 i
0x61326928           1      0 293 3425 2513 i
0x61327BC0           2      0 293 i
0x61321758           1      0 293 145 i
0x61320BEC           1      0 293 3425 6509 i
0x6131AAF8           2      0 293 1849 2914 ?
0x61320FE8           1      0 293 1849 1273 209 i
0x613260A8           2      0 293 1849 i
0x6132586C           1      0 293 1849 5539 i
0x6131BBF8           2      0 293 1849 1103 i
0x6132344C           1      0 293 4554 1103 1849 1752 i
0x61324150           2      0 293 1275 559 i
0x6131E5AC           2      0 293 1849 786 i
0x613235E4           1      0 293 1849 1273 i
0x6131D028           1      0 293 4554 5539 8627 i
0x613279E4           1      0 293 1275 3748 4697 3257 i
0x61320328           1      0 293 1849 1273 790 i
0x6131EC0C           2      0 293 1275 5409 i

The table below describes the significant fields shown in the display.

show bgp ipv6 neighbors paths fields

Field      Description
Address    Internal address where the path is stored.
Refcount   Number of routes using that path.
Metric     The Multi Exit Discriminator (MED) metric for the path. (The name of this metric for BGP versions 2 and 3 is INTER_AS.)
Path       The autonomous system path for that route, followed by the origin code for that route.

The following sample output from the show bgp ipv6 neighbors command shows the received routes for IPv6 address 2000:0:0:4::2:

ciscoasa# show bgp ipv6 unicast neighbors 2000:0:0:4::2 received-routes
BGP table version is 2443, local router ID is 192.168.0.2
Status codes: s suppressed, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network             Next Hop          Metric LocPrf Weight Path
*> 2000:0:0:1::/64     2000:0:0:4::2                  0 2 1 i
*> 2000:0:0:2::/64     2000:0:0:4::2                  0 2 i
*> 2000:0:0:2:1::/80   2000:0:0:4::2                  0 2 ?
*> 2000:0:0:3::/64     2000:0:0:4::2                  0 2 ?
*  2000:0:0:4::1/64    2000:0:0:4::2                  0 2 ?
show bgp ipv6 paths

To display all the IPv6 Border Gateway Protocol (BGP) paths in the database, use the show bgp ipv6 paths command in user EXEC or privileged EXEC mode.

show bgp ipv6 unicast paths regular-expression

Syntax Description

unicast: Specifies IPv6 unicast address prefixes.
regular-expression: Regular expression that is used to match the received paths in the database.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                 Firewall Mode          Security Context
                             Routed   Transparent   Single   Multiple Context   Multiple System
Privileged EXEC, User EXEC   Yes      Yes           Yes      Yes                Yes

Command History

Release   Modification
9.3(2)    This command was added.

Usage Guidelines

The show bgp ipv6 unicast paths command provides output similar to the show ip bgp paths command, except that it is IPv6-specific.

Examples

The following is sample output from the show bgp ipv6 paths command:

ciscoasa# show bgp ipv6 unicast paths
Address    Hash Refcount Metric Path
0x61322A78    0        2      0 i
0x6131C214    3        2      0 6346 8664 786 i
0x6131D600   13        1      0 3748 1275 8319 1273 209 i
0x613229F0   17        1      0 3748 1275 8319 12853 i
0x61324AE0   18        1      1 4554 3748 4697 5408 i
0x61326818   32        1      1 4554 5609 i
0x61324728   34        1      0 6346 8664 9009 ?
0x61323804   35        1      0 3748 1275 8319 i
0x61327918   35        1      0 237 2839 8664 ?
0x61320504   38        2      0 3748 4697 1752 i
0x61320988   41        2      0 1849 786 i
0x6132245C   46        1      0 6346 8664 4927 i

The table below describes the significant fields shown in the display.

Address: Internal address where the path is stored.
Refcount: Number of routes using that path.
Metric: The Multi Exit Discriminator (MED) metric for the path. (The name of this metric for BGP versions 2 and 3 is INTER_AS.)
Path: The autonomous system path for that route, followed by the origin code for that route.
show bgp ipv6 prefix-list

To display routes that match a prefix list, use the show bgp ipv6 prefix-list command in user EXEC or privileged EXEC mode.

show bgp ipv6 unicast prefix-list name

Syntax Description

unicast: Specifies IPv6 unicast address prefixes.
name: The specified prefix list.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                 Firewall Mode          Security Context
                             Routed   Transparent   Single   Multiple Context   Multiple System
Privileged EXEC, User EXEC   Yes      Yes           Yes      Yes                Yes

Command History

Release   Modification
9.3(2)    This command was added.

Usage Guidelines

The specified prefix list must be an IPv6 prefix list, which is similar in format to an IPv4 prefix list.

Example

The following is sample output from the show bgp ipv6 prefix-list command:

Router# show bgp ipv6 unicast prefix-list pin
ipv6 prefix-list pin: count:4, range entries:3, sequences:5 - 20, refcount:2
   seq 5 permit 747::/16 (hit count:1, refcount:2)
   seq 10 permit 747:1::/32 ge 64 le 64 (hit count:2, refcount:2)
   seq 15 permit 747::/32 ge 33 (hit count:1, refcount:1)
   seq 20 permit 777::/16 le 124 (hit count:2, refcount:1)

The ipv6 prefix-list matches the following prefixes:

seq 5: matches the exact prefix 747::/16
seq 10: the first 32 bits of the prefix must match, with a prefix length of exactly /64
seq 15: the first 32 bits of the prefix must match, with any prefix length from /33 up to /128
seq 20: the first 16 bits of the prefix must match, with any prefix length up to /124

The table below describes the significant fields shown in the display.

BGP table version: Internal version number of the table. This number is incremented whenever the table changes.
local router ID: A 32-bit number written as 4 octets separated by periods (dotted-decimal format).
Status codes: Status of the table entry. The status is displayed at the beginning of each line in the table.
It can be one of the following values:
  s—The table entry is suppressed.
  h—The table entry is history.
  *—The table entry is valid.
  >—The table entry is the best entry to use for that network.
  i—The table entry was learned via an internal BGP (iBGP) session.
Origin codes: Origin of the entry. The origin code is placed at the end of each line in the table. It can be one of the following values:
  i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised with a network router configuration command.
  e—Entry originated from an Exterior Gateway Protocol (EGP).
  ?—Origin of the path is not clear. Usually, this is a route that is redistributed into BGP from an IGP.
Network: Internet address of the network the entry describes.
Next Hop: IP address of the next system that is used when forwarding a packet to the destination network. An entry of 0.0.0.0 indicates that the access server has some non-BGP route to this network.
Metric: If shown, the value of the inter-autonomous-system metric.
LocPrf: Local preference value as set with the set local-preference route-map configuration command. The default value is 100.
Weight: Weight of the route as set via autonomous system filters.
Path: Autonomous system paths to the destination network. There can be one entry in this field for each autonomous system in the path. At the end of the path is the origin code for the path:
  i—The entry was originated with the IGP and advertised with a network router configuration command.
  e—The route originated with EGP.
  ?—The origin of the path is not clear. Usually this is a path that is redistributed into BGP from an IGP.

show bgp ipv6 quote-regexp

To display IPv6 Border Gateway Protocol (BGP) routes matching the autonomous system path regular expression as a quoted string of characters, use the show bgp ipv6 quote-regexp command in user EXEC or privileged EXEC mode.
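The ge/le matching rules explained for the pin list in the show bgp ipv6 prefix-list section above are easy to get wrong when a prefix list is used as a route filter, so the following added example (not Cisco code) implements them with the standard library and evaluates constructed candidate routes against the four pin entries; the helper names are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv6Net = ipaddress.IPv6Network


@dataclass(frozen=True)
class PrefixListEntry:
    seq: int
    action: str                  # "permit" or "deny"
    prefix: IPv6Net
    ge: Optional[int] = None     # shortest route length that matches
    le: Optional[int] = None     # longest route length that matches

    def length_range(self) -> Tuple[int, int]:
        """Route lengths this entry accepts, following the ge/le rules shown
        in the sample: neither keyword -> exact length only; ge alone ->
        ge..128; le alone -> prefix length..le; both -> ge..le."""
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        if self.le is not None:
            hi = self.le
        else:
            hi = 128 if self.ge is not None else self.prefix.prefixlen
        return lo, hi

    def matches(self, route: IPv6Net) -> bool:
        lo, hi = self.length_range()
        if not lo <= route.prefixlen <= hi:
            return False
        # The first prefix.prefixlen bits of the route must equal the entry's prefix.
        return route.subnet_of(self.prefix)


def parse_entry(line: str) -> PrefixListEntry:
    """Parse 'seq N permit|deny PREFIX [ge X] [le Y]'; a trailing
    '(hit count:..., refcount:...)' suffix as in the sample output is ignored."""
    tokens = line.split("(")[0].split()
    if len(tokens) < 4 or tokens[0] != "seq" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"unrecognised prefix-list line: {line!r}")
    seq, action = int(tokens[1]), tokens[2]
    prefix = IPv6Net(tokens[3], strict=False)
    ge = le = None
    rest = tokens[4:]
    while rest:
        if len(rest) < 2 or rest[0] not in ("ge", "le"):
            raise ValueError(f"bad ge/le clause in {line!r}")
        if rest[0] == "ge":
            ge = int(rest[1])
        else:
            le = int(rest[1])
        rest = rest[2:]
    lo = ge if ge is not None else prefix.prefixlen
    if not prefix.prefixlen <= lo <= (le if le is not None else 128) <= 128:
        raise ValueError(f"seq {seq}: need prefix length <= ge <= le <= 128")
    return PrefixListEntry(seq, action, prefix, ge, le)


class IPv6PrefixList:
    """Ordered entries; the first match wins and no match is an implicit deny."""

    def __init__(self, name: str, lines: List[str]) -> None:
        self.name = name
        self.entries = sorted((parse_entry(ln) for ln in lines), key=lambda e: e.seq)
        self.hit_count: Dict[int, int] = {e.seq: 0 for e in self.entries}

    def evaluate(self, route: str) -> Tuple[str, Optional[int]]:
        net = IPv6Net(route, strict=False)
        for entry in self.entries:
            if entry.matches(net):
                self.hit_count[entry.seq] += 1
                return entry.action, entry.seq
        return "deny", None


# The four entries of the 'pin' list from the sample output above.
PIN = IPv6PrefixList("pin", [
    "seq 5 permit 747::/16 (hit count:1, refcount:2)",
    "seq 10 permit 747:1::/32 ge 64 le 64 (hit count:2, refcount:2)",
    "seq 15 permit 747::/32 ge 33 (hit count:1, refcount:1)",
    "seq 20 permit 777::/16 le 124 (hit count:2, refcount:1)",
])


def classify(routes: List[str]) -> Dict[str, Tuple[str, Optional[int]]]:
    """Evaluate each candidate route against the 'pin' list."""
    return {route: PIN.evaluate(route) for route in routes}


if __name__ == "__main__":
    # Constructed candidate routes (not from the reference).
    for route, (action, seq) in classify([
        "747::/16", "747::/17", "747:1:abcd::/64", "747:1::/48",
        "747:0:1::/48", "747::1/128", "777:abcd::/120", "777:abcd::/125",
    ]).items():
        print(f"{route:<18} {action:<6} seq {seq}")
```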
show bgp ipv6 unicast quote-regexp regular-expression

Syntax Description

unicast: Specifies IPv6 unicast address prefixes.
regular-expression: Regular expression that is used to match the BGP autonomous system paths.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                 Firewall Mode          Security Context
                             Routed   Transparent   Single   Multiple Context   Multiple System
Privileged EXEC, User EXEC   Yes      Yes           Yes      Yes                Yes

Command History

Release   Modification
9.3(2)    This command was added.

Usage Guidelines

The show bgp ipv6 unicast quote-regexp command provides output similar to the show ip bgp quote-regexp command, except that it is IPv6-specific.

Example

The following is sample output from the show bgp ipv6 quote-regexp command that shows paths beginning with 33 or containing 293:

Router# show bgp ipv6 unicast quote-regexp ^33|293
BGP table version is 69964, local router ID is 192.31.7.225
Status codes: s suppressed, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop             Metric LocPrf Weight Path
*  2001:200::/35    3FFE:C00:E:4::2           1             0 4554 293 3425 2500 i
*                   2001:0DB8:0:F004::1                     0 3320 293 3425 2500 i
*  2001:208::/35    3FFE:C00:E:4::2           1             0 4554 293 7610 i
*  2001:228::/35    3FFE:C00:E:F::2                         0 6389 1849 293 2713 i
*  3FFE::/24        3FFE:C00:E:5::2                         0 33 1849 4554 i
*  3FFE:100::/24    3FFE:C00:E:5::2                         0 33 1849 3263 i
*  3FFE:300::/24    3FFE:C00:E:5::2                         0 33 293 1275 1717 i
*                   3FFE:C00:E:F::2                         0 6389 1849 293 1275

The table below describes the significant fields shown in the display.

BGP table version: Internal version number of the table. This number is incremented whenever the table changes.
local router ID: A 32-bit number written as 4 octets separated by periods (dotted-decimal format).
Status codes: Status of the table entry. The status is displayed at the beginning of each line in the table.
It can be one of the following values:
  s—The table entry is suppressed.
  h—The table entry is history.
  *—The table entry is valid.
  >—The table entry is the best entry to use for that network.
  i—The table entry was learned via an internal BGP (iBGP) session.
Origin codes: Origin of the entry. The origin code is placed at the end of each line in the table. It can be one of the following values:
  i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised with a network router configuration command.
  e—Entry originated from an Exterior Gateway Protocol (EGP).
  ?—Origin of the path is not clear. Usually, this is a route that is redistributed into BGP from an IGP.
Network: Internet address of the network the entry describes.
Next Hop: IP address of the next system that is used when forwarding a packet to the destination network. An entry of 0.0.0.0 indicates that the access server has some non-BGP route to this network.
Metric: If shown, the value of the inter-autonomous-system metric.
LocPrf: Local preference value as set with the set local-preference route-map configuration command. The default value is 100.
Weight: Weight of the route as set via autonomous system filters.
Path: Autonomous system paths to the destination network. There can be one entry in this field for each autonomous system in the path. At the end of the path is the origin code for the path:
  i—The entry was originated with the IGP and advertised with a network router configuration command.
  e—The route originated with EGP.
  ?—The origin of the path is not clear. Usually this is a path that is redistributed into BGP from an IGP.

show bgp ipv6 regexp

To display IPv6 Border Gateway Protocol (BGP) routes matching the autonomous system path regular expression, use the show bgp ipv6 regexp command in user EXEC or privileged EXEC mode.
show bgp ipv6 unicast regexp regular-expression

Syntax Description

unicast: Specifies IPv6 unicast address prefixes.
regular-expression: Regular expression that is used to match the BGP autonomous system paths.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                 Firewall Mode          Security Context
                             Routed   Transparent   Single   Multiple Context   Multiple System
Privileged EXEC, User EXEC   Yes      Yes           Yes      Yes                Yes

Command History

Release   Modification
9.3(2)    This command was added.

Usage Guidelines

The show bgp ipv6 unicast regexp command provides output similar to the show ip bgp regexp command, except that it is IPv6-specific.

Example

The following is sample output from the show bgp ipv6 regexp command that shows paths beginning with 33 or containing 293:

Router# show bgp ipv6 unicast regexp ^33|293
BGP table version is 69964, local router ID is 192.168.7.225
Status codes: s suppressed, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop             Metric LocPrf Weight Path
*  2001:200::/35    3FFE:C00:E:4::2           1             0 4554 293 3425 2500 i
*                   2001:0DB8:0:F004::1                     0 3320 293 3425 2500 i
*  2001:208::/35    3FFE:C00:E:4::2           1             0 4554 293 7610 i
*  2001:228::/35    3FFE:C00:E:F::2                         0 6389 1849 293 2713 i
*  3FFE::/24        3FFE:C00:E:5::2                         0 33 1849 4554 i
*  3FFE:100::/24    3FFE:C00:E:5::2                         0 33 1849 3263 i
*  3FFE:300::/24    3FFE:C00:E:5::2                         0 33 293 1275 1717 i
*                   3FFE:C00:E:F::2                         0 6389 1849 293 1275

The table below describes the significant fields shown in the display.

BGP table version: Internal version number of the table. This number is incremented whenever the table changes.
local router ID: A 32-bit number written as 4 octets separated by periods (dotted-decimal format).
Status codes: Status of the table entry. The status is displayed at the beginning of each line in the table. It can be one of the following values:
  s—The table entry is suppressed.
  h—The table entry is history.
  *—The table entry is valid.
  >—The table entry is the best entry to use for that network.
  i—The table entry was learned via an internal BGP (iBGP) session.
Origin codes: Origin of the entry. The origin code is placed at the end of each line in the table. It can be one of the following values:
  i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised with a network router configuration command.
  e—Entry originated from an Exterior Gateway Protocol (EGP).
  ?—Origin of the path is not clear. Usually, this is a route that is redistributed into BGP from an IGP.
Network: Internet address of the network the entry describes.
Next Hop: IP address of the next system that is used when forwarding a packet to the destination network. An entry of 0.0.0.0 indicates that the access server has some non-BGP route to this network.
Metric: If shown, the value of the inter-autonomous-system metric.
LocPrf: Local preference value as set with the set local-preference route-map configuration command. The default value is 100.
Weight: Weight of the route as set via autonomous system filters.
Path: Autonomous system paths to the destination network. There can be one entry in this field for each autonomous system in the path. At the end of the path is the origin code for the path:
  i—The entry was originated with the IGP and advertised with a network router configuration command.
  e—The route originated with EGP.
  ?—The origin of the path is not clear. Usually this is a path that is redistributed into BGP from an IGP.

show bgp ipv6 route-map

To display IPv6 Border Gateway Protocol (BGP) routes that failed to install in the routing table, use the show bgp ipv6 route-map command in user EXEC or privileged EXEC mode.

show bgp ipv6 unicast route-map name

Syntax Description

unicast: Specifies IPv6 unicast address prefixes.
name: A specified route map to match.
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                 Firewall Mode          Security Context
                             Routed   Transparent   Single   Multiple Context   Multiple System
Privileged EXEC, User EXEC   Yes      Yes           Yes      Yes                Yes

Command History

Release   Modification
9.3(2)    This command was added.

Examples

The following is sample output from the show bgp ipv6 route-map command for a route map named rmap:

Router# show bgp ipv6 unicast route-map rmap
BGP table version is 16, local router ID is 172.30.242.1
Status codes: s suppressed, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*>i12:12::/64       2001:0DB8:101::1         0    100     50 ?
*>i12:13::/64       2001:0DB8:101::1         0    100     50 ?
*>i12:14::/64       2001:0DB8:101::1         0    100     50 ?
*>i543::/64         2001:0DB8:101::1         0    100     50 ?

The table below describes the significant fields shown in the display:

BGP table version: Internal version number of the table. This number is incremented whenever the table changes.
local router ID: A 32-bit number written as 4 octets separated by periods (dotted-decimal format).
Status codes: Status of the table entry. The status is displayed at the beginning of each line in the table. It can be one of the following values:
  s—The table entry is suppressed.
  h—The table entry is history.
  *—The table entry is valid.
  >—The table entry is the best entry to use for that network.
  i—The table entry was learned via an internal BGP (iBGP) session.
Origin codes: Origin of the entry. The origin code is placed at the end of each line in the table. It can be one of the following values:
  i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised with a network router configuration command.
  e—Entry originated from an Exterior Gateway Protocol (EGP).
  ?—Origin of the path is not clear.
     Usually, this is a route that is redistributed into BGP from an IGP.
Network: Internet address of the network the entry describes.
Next Hop: IP address of the next system that is used when forwarding a packet to the destination network. An entry of 0.0.0.0 indicates that the access server has some non-BGP route to this network.
Metric: If shown, the value of the inter-autonomous-system metric.
LocPrf: Local preference value as set with the set local-preference route-map configuration command. The default value is 100.
Weight: Weight of the route as set via autonomous system filters.
Path: Autonomous system paths to the destination network. There can be one entry in this field for each autonomous system in the path. At the end of the path is the origin code for the path:
  i—The entry was originated with the IGP and advertised with a network router configuration command.
  e—The route originated with EGP.
  ?—The origin of the path is not clear. Usually this is a path that is redistributed into BGP from an IGP.

show bgp ipv6 summary

To display the status of all IPv6 Border Gateway Protocol (BGP) connections, use the show bgp ipv6 summary command in user EXEC or privileged EXEC mode.

show bgp ipv6 unicast summary

Syntax Description

unicast: Specifies IPv6 unicast address prefixes.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                 Firewall Mode          Security Context
                             Routed   Transparent   Single   Multiple Context   Multiple System
Privileged EXEC, User EXEC   Yes      Yes           Yes      Yes                Yes

Command History

Release   Modification
9.3(2)    This command was added.

Usage Guidelines

The show bgp ipv6 unicast summary command provides output similar to the show ip bgp summary command, except that it is IPv6-specific.
Examples

The following is sample output from the show bgp ipv6 summary command:

ciscoasa# show bgp ipv6 unicast summary
BGP device identifier 172.30.4.4, local AS number 200
BGP table version is 1, main routing table version 1

Neighbor          V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
2001:0DB8:101::2  4   200    6869    6882        0    0    0 06:25:24 Active

The table below describes the significant fields shown in the display.

BGP device identifier: IP address of the networking device.
BGP table version: Internal version number of the table. This number is incremented whenever the table changes.
main routing table version: Last version of the BGP database that was injected into the main routing table.
Neighbor: IPv6 address of a neighbor.
V: BGP version number spoken to that neighbor.
AS: Autonomous system number.
MsgRcvd: BGP messages received from that neighbor.
MsgSent: BGP messages sent to that neighbor.
TblVer: Last version of the BGP database that was sent to that neighbor.
InQ: Number of messages from that neighbor waiting to be processed.
OutQ: Number of messages waiting to be sent to that neighbor.
Up/Down: The length of time that the BGP session has been in state Established, or the current state if it is not Established.
State/PfxRcd: Current state of the BGP session, or the number of prefixes the device has received from a neighbor. When the maximum number (as set by the neighbor maximum-prefix command) is reached, the string "PfxRcd" appears in the entry, the neighbor is shut down, and the connection is Idle. An (Admin) entry with Idle status indicates that the connection has been shut down using the neighbor shutdown command.

show bgp neighbors

To display information about Border Gateway Protocol (BGP) and TCP connections to neighbors, use the show bgp neighbors command in user or privileged EXEC mode.
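The State/PfxRcd column of show bgp ipv6 unicast summary described above is the quickest place to spot a peer that has dropped, been administratively shut, or hit its maximum-prefix limit. The following added example (not Cisco code) parses a constructed copy of that table, in the column layout shown above, and reports every session that is not Established or carries fewer prefixes than expected; the sample rows and helper names are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the column layout of 'show bgp ipv6 unicast summary'
# (one neighbor per line; neighbors 3 to 5 are invented for the demonstration).
SAMPLE = """\
BGP device identifier 172.30.4.4, local AS number 200
BGP table version is 1, main routing table version 1

Neighbor          V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
2001:0DB8:101::2  4   200    6869    6882        0    0    0 06:25:24 Active
2001:0DB8:101::3  4 65001    1203    1199        1    0    0 02:10:44 412
2001:0DB8:101::4  4 65002      15      18        0    0    0 00:03:12 Idle (Admin)
2001:0DB8:101::5  4 65003    1540    1533        0    0    0 01:00:09 Idle (PfxRcd)
"""


@dataclass
class Neighbor:
    address: str
    version: int
    asn: int
    msg_rcvd: int
    msg_sent: int
    tbl_ver: int
    in_q: int
    out_q: int
    up_down: str
    state: str                  # raw State/PfxRcd column

    @property
    def established(self) -> bool:
        # A bare number means Established with that many prefixes received.
        return self.state.isdigit()

    @property
    def prefixes_received(self) -> Optional[int]:
        return int(self.state) if self.established else None

    def reason(self) -> str:
        """Describe the session using the markers the field table documents."""
        if self.established:
            return f"established, {self.state} prefixes received"
        if "(Admin)" in self.state:
            return "idle: shut down with neighbor shutdown"
        if "PfxRcd" in self.state:
            return "idle: shut down after reaching neighbor maximum-prefix"
        return f"not established: state {self.state} for {self.up_down}"


# address, seven integer columns, Up/Down, then whatever remains as the state.
ROW = re.compile(r"^(\S+)" + r"\s+(\d+)" * 7 + r"\s+(\S+)\s+(.+?)\s*$")


def parse_summary(text: str) -> List[Neighbor]:
    neighbors: List[Neighbor] = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Neighbor"):
            in_table = True          # header row; data rows follow
            continue
        match = ROW.match(line) if in_table else None
        if not match:
            continue                 # banner lines, blank lines, anything else
        fields = match.groups()
        neighbors.append(Neighbor(fields[0], *map(int, fields[1:8]), fields[8], fields[9]))
    return neighbors


def unhealthy(neighbors: List[Neighbor], min_prefixes: int = 1) -> List[str]:
    """Report sessions that are down, or Established but carrying fewer than
    min_prefixes routes (a peer that is up but empty deserves a look too)."""
    findings = []
    for n in neighbors:
        if not n.established:
            findings.append(f"{n.address} (AS {n.asn}): {n.reason()}")
        elif n.prefixes_received < min_prefixes:
            findings.append(f"{n.address} (AS {n.asn}): established but only "
                            f"{n.prefixes_received} prefixes received")
    return findings


if __name__ == "__main__":
    for finding in unhealthy(parse_summary(SAMPLE)):
        print(finding)
```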
show bgp neighbors [slow | ip-address [advertised-routes | paths [reg-exp] | policy [detail] | received prefix-filter | received-routes | routes]]

Syntax Description

slow: (Optional) Displays information about dynamically configured slow peers.
ip-address: (Optional) Displays information about the IPv4 neighbor. If this argument is omitted, information about all neighbors is displayed.
advertised-routes: (Optional) Displays all routes that have been advertised to neighbors.
paths reg-exp: (Optional) Displays autonomous system paths learned from the specified neighbor. An optional regular expression can be used to filter the output.
policy: (Optional) Displays the policies applied to this neighbor per address family.
detail: (Optional) Displays detailed policy information such as route maps, prefix lists, community lists, access control lists (ACLs), and autonomous system path filter lists.
received prefix-filter: (Optional) Displays the prefix list (outbound route filter [ORF]) sent from the specified neighbor.
received-routes: (Optional) Displays all received routes (both accepted and rejected) from the specified neighbor.
routes: (Optional) Displays all routes that are received and accepted. The output displayed when this keyword is entered is a subset of the output displayed by the received-routes keyword.

Command Default

The output of this command displays information for all neighbors.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                 Firewall Mode          Security Context
                             Routed   Transparent   Single   Multiple Context   Multiple System
Privileged EXEC, User EXEC   Yes      Yes           Yes      Yes                Yes

Command History

Release   Modification
9.2(1)    This command was added.

Usage Guidelines

Use the show bgp neighbors command to display BGP and TCP connection information for neighbor sessions. For BGP, this includes detailed neighbor attribute, capability, path, and prefix information.
For TCP, this includes statistics related to BGP neighbor session establishment and maintenance.

Prefix activity is displayed based on the number of prefixes that are advertised and withdrawn. Policy denials display the number of routes that were advertised but then ignored based on the function or attribute that is displayed in the output.

The Cisco implementation of 4-byte autonomous system numbers uses asplain (65538, for example) as the default regular expression match and output display format for autonomous system numbers, but you can configure 4-byte autonomous system numbers in both the asplain format and the asdot format as described in RFC 5396. To change the default regular expression match and output display of 4-byte autonomous system numbers to asdot format, use the bgp asnotation dot command followed by the clear bgp * command to perform a hard reset of all current BGP sessions.

Examples

Example output is different for the various keywords available for the show bgp neighbors command. Examples using the various keywords appear in the following sections.

show bgp neighbors: Example

The following example shows output for the BGP neighbor at 10.108.50.2. This neighbor is an internal BGP (iBGP) peer. This neighbor supports the route refresh and graceful restart capabilities.
ciscoasa# show bgp neighbors 10.108.50.2
BGP neighbor is 10.108.50.2, remote AS 1, internal link
  BGP version 4, remote router ID 192.168.252.252
  BGP state = Established, up for 00:24:25
  Last read 00:00:24, last write 00:00:24, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(old & new)
    MPLS Label capability: advertised and received
    Graceful Restart Capability: advertised
    Address family IPv4 Unicast: advertised and received
  Message statistics:
    InQ depth is 0
    OutQ depth is 0
                         Sent       Rcvd
    Opens:                  3          3
    Notifications:          0          0
    Updates:                0          0
    Keepalives:           113        112
    Route Refresh:          0          0
    Total:                116        115
  Default minimum time between advertisement runs is 5 seconds

 For address family: IPv4 Unicast
  BGP additional-paths computation is enabled
  BGP advertise-best-external is enabled
  BGP table version 1, neighbor version 1/0
  Output queue size : 0
  Index 1, Offset 0, Mask 0x2
  1 update-group member
                                 Sent       Rcvd
  Prefix activity:               ----       ----
    Prefixes Current:               0          0
    Prefixes Total:                 0          0
    Implicit Withdraw:              0          0
    Explicit Withdraw:              0          0
    Used as bestpath:             n/a          0
    Used as multipath:            n/a          0

                                   Outbound    Inbound
  Local Policy Denied Prefixes:    --------    -------
    Total:                                0          0
  Number of NLRIs in the update sent: max 0, min 0

  Connections established 3; dropped 2
  Last reset 00:24:26, due to Peer closed the session
  External BGP neighbor may be up to 2 hops away.
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled
Local host: 10.108.50.1, Local port: 179
Foreign host: 10.108.50.2, Foreign port: 42698

Enqueued packets for retransmit: 0, input: 0  mis-ordered: 0 (0 bytes)

Event Timers (current time is 0x68B944):
Timer          Starts    Wakeups            Next
Retrans            27          0             0x0
TimeWait            0          0             0x0
AckHold            27         18             0x0
SendWnd             0          0             0x0
KeepAlive           0          0             0x0
GiveUp              0          0             0x0
PmtuAger            0          0             0x0
DeadWait            0          0             0x0

iss: 3915509457  snduna: 3915510016  sndnxt: 3915510016     sndwnd:  15845
irs:  233567076  rcvnxt:  233567616  rcvwnd:      15826  delrcvwnd:    539

SRTT: 292 ms, RTTO: 359 ms, RTV: 67 ms, KRTT: 0 ms
minRTT: 12 ms, maxRTT: 300 ms, ACK hold: 200 ms
Flags: passive open, nagle, gen tcbs
IP Precedence value : 6

Datagrams (max data segment is 1460 bytes):
Rcvd: 38 (out of order: 0), with data: 27, total data bytes: 539
Sent: 45 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 08

The table below describes the significant fields shown in the display. Fields that are preceded by the asterisk character (*) are displayed only when the counter has a nonzero value. Table 4-18 shows each field description.

Table 4-18 show bgp ipv4 Fields

BGP neighbor: IP address of the BGP neighbor and its autonomous system number.
remote AS: Autonomous system number of the neighbor.
local AS 300 no-prepend (not shown in display): Verifies that the local autonomous system number is not prepended to received external routes. This output supports the hiding of the local autonomous systems when migrating autonomous systems.
internal link: "internal link" is displayed for iBGP neighbors. "external link" is displayed for external BGP (eBGP) neighbors.
BGP version: BGP version being used to communicate with the remote router.
remote router ID: IP address of the neighbor.
BGP state: Finite state machine (FSM) stage of session negotiation.
up for: Time, in hh:mm:ss, that the underlying TCP connection has been in existence.
Last read: Time, in hh:mm:ss, since BGP last received a message from this neighbor.
last write: Time, in hh:mm:ss, since BGP last sent a message to this neighbor.
hold time: Time, in seconds, that BGP will maintain the session with this neighbor without receiving a message.
keepalive interval: Time interval, in seconds, at which keepalive messages are transmitted to this neighbor.
Neighbor capabilities: BGP capabilities advertised and received from this neighbor. "advertised and received" is displayed when a capability is successfully exchanged between two routers.
Route Refresh: Status of the route refresh capability.
Graceful Restart Capability: Status of the graceful restart capability.
Address family IPv4 Unicast: IP Version 4 unicast-specific properties of this neighbor.
Message statistics: Statistics organized by message type.
InQ depth is: Number of messages in the input queue.
OutQ depth is: Number of messages in the output queue.
Sent: Total number of transmitted messages.
Received: Total number of received messages.
Opens: Number of open messages sent and received.
Notifications: Number of notification (error) messages sent and received.
Updates: Number of update messages sent and received.
Keepalives: Number of keepalive messages sent and received.
Route Refresh: Number of route refresh request messages sent and received.
Total: Total number of messages sent and received.
Default minimum time between...: Time, in seconds, between advertisement transmissions.
For address family: Address family to which the following fields refer.
BGP table version: Internal version number of the table. This number is incremented whenever the table changes.
neighbor version: Number used by the software to track prefixes that have been sent and those that need to be sent.
update-group: Number of update-group members for this address family.
Prefix activity: Prefix statistics for this address family.
Prefixes current: Number of prefixes accepted for this address family.
Prefixes total: Total number of received prefixes.
Implicit Withdraw: Number of times that a prefix has been withdrawn and readvertised.
Explicit Withdraw: Number of times that a prefix has been withdrawn because it is no longer feasible.
Used as bestpath: Number of received prefixes installed as bestpaths.
Used as multipath: Number of received prefixes installed as multipaths.
* Saved (soft-reconfig): Number of soft resets performed with a neighbor that supports soft reconfiguration. This field is displayed only if the counter has a nonzero value.
* History paths: This field is displayed only if the counter has a nonzero value.
* Invalid paths: Number of invalid paths. This field is displayed only if the counter has a nonzero value.
Local Policy Denied Prefixes: Prefixes denied due to local policy configuration. Counters are updated for inbound and outbound policy denials. The fields under this heading are displayed only if the counter has a nonzero value.
* route-map: Displays inbound and outbound route-map policy denials.
* filter-list: Displays inbound and outbound filter-list policy denials.
* prefix-list: Displays inbound and outbound prefix-list policy denials.
* AS_PATH too long: Displays outbound AS-path length policy denials.
* AS_PATH loop: Displays outbound AS-path loop policy denials.
* AS_PATH confed info: Displays outbound confederation policy denials.
* AS_PATH contains AS 0: Displays outbound denials of autonomous system (AS) 0.
* NEXT_HOP Martian: Displays outbound martian denials.
* NEXT_HOP non-local: Displays outbound non-local next-hop denials.
* NEXT_HOP is us: Displays outbound next-hop-self denials.
* CLUSTER_LIST loop: Displays outbound cluster-list loop denials.
* ORIGINATOR loop: Displays outbound denials of locally originated routes.
* unsuppress-map: Displays inbound denials due to an unsuppress-map.
* advertise-map: Displays inbound denials due to an advertise-map.
* Well-known Community: Displays inbound denials of well-known communities.
* SOO loop: Displays inbound denials due to site-of-origin.
* Bestpath from this peer: Displays inbound denials because the bestpath came from the local router.
* Suppressed due to dampening: Displays inbound denials because the neighbor or link is in a dampening state.
* Bestpath from iBGP peer: Displays inbound denials because the bestpath came from an iBGP neighbor.
* Incorrect RIB for CE: Displays inbound denials due to RIB errors for a CE router.
* BGP distribute-list: Displays inbound denials due to a distribute list.
Number of NLRIs...: Number of network layer reachability attributes in updates.
Connections established: Number of times a TCP and BGP connection has been successfully established.
dropped: Number of times that a valid session has failed or been taken down.
Last reset: Time since this peering session was last reset. The reason for the reset is displayed on this line.
External BGP neighbor may be... (not shown in the display): Indicates that the BGP TTL security check is enabled. The maximum number of hops that can separate the local and remote peer is displayed on this line.
Connection state: Connection status of the BGP peer.
Connection is ECN Disabled: Explicit congestion notification status (enabled or disabled).
Local host: 10.108.50.1, Local port: 179: IP address of the local BGP speaker and BGP port number 179.
Foreign host: 10.108.50.2, Foreign port: 42698: Neighbor address and BGP destination port number.
Enqueued packets for retransmit: Packets queued for retransmission by TCP.
Event Timers: TCP event timers. Counters are provided for starts and wakeups (expired timers).
Retrans: Number of times a packet has been retransmitted.
TimeWait: Time waiting for the retransmission timers to expire.
AckHold: Acknowledgment hold timer.
SendWnd: Transmission (send) window.
KeepAlive: Number of keepalive packets.
GiveUp: Number of times a packet is dropped due to no acknowledgment.
PmtuAger: Path MTU discovery timer.
DeadWait: Expiration timer for dead segments.
iss: Initial packet transmission sequence number.
snduna: Last transmission sequence number that has not been acknowledged.
sndnxt: Next packet sequence number to be transmitted.
sndwnd: TCP window size of the remote neighbor.
irs: Initial packet receive sequence number.
rcvnxt: Last receive sequence number that has been locally acknowledged.
rcvwnd: TCP window size of the local host.
delrcvwnd: Delayed receive window: data the local host has read from the connection, but has not yet subtracted from the receive window the host has advertised to the remote host. The value in this field gradually increases until it is larger than a full-sized packet, at which point it is applied to the rcvwnd field.
SRTT: A calculated smoothed round-trip timeout.
RTTO: Round-trip timeout.
RTV: Variance of the round-trip time.
KRTT: New round-trip timeout (using the Karn algorithm). This field separately tracks the round-trip time of packets that have been re-sent.
minRTT: Smallest recorded round-trip timeout (hard-wired value used for calculation).
maxRTT: Largest recorded round-trip timeout.
ACK hold: Length of time the local host will delay an acknowledgment to carry (piggyback) additional data.
IP Precedence value: IP precedence of the BGP packets.
Datagrams: Number of update packets received from a neighbor.
Rcvd: Number of received packets.
with data: Number of update packets sent with data.
total data bytes Total amount of data received, in bytes. Sent Number of update packets sent. Second Congestion Number of second retransmissions sent due to congestion. Datagrams: Rcvd Number of update packets received from a neighbor. out of order: Number of packets received out of sequence. with data Number of update packets received with data. Last reset Elapsed time since this peering session was last reset. unread input bytes Number of bytes of packets still to be processed. retransmit Number of packets retransmitted. fastretransmit Number of duplicate acknowledgments retransmitted for an out of order segment before the retransmission timer expires. partialack Number of retransmissions for partial acknowledgments (transmissions before or without subsequent acknowledgments). show bgp neighbors advertised-routes: Example The following example displays routes advertised for only the 172.16.232.178 neighbor: ciscoasa# show bgp neighbors 172.16.232.178 advertised-routes BGP table version is 27, local router ID is 172.16.232.181 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal Cisco ASA Series Command Reference, S Commands 4-65 Chapter Origin codes: i - IGP, e - EGP, ? - incomplete Network *>i10.0.0.0 *> 10.20.2.0 Next Hop 172.16.232.179 10.0.0.0 Metric LocPrf Weight Path 0 100 0 ? 0 32768 i Table 4-19 shows each field description. Table 4-19 show bgp neighbors advertised routes Fields Field Description BGP table version Internal version number of the table. This number is incremented whenever the table changes. local router ID IP address of the router. Status codes Status of the table entry. The status is displayed at the beginning of each line in the table. It can be one of the following values: s—The table entry is suppressed. *—The table entry is valid. >—The table entry is the best entry to use for that network. i—The table entry was learned via an internal BGP (iBGP) session. Origin codes Origin of the entry. 
    The origin code is placed at the end of each line in the table. It can be one of the following values:
    i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised with a network router configuration command.
    e—Entry originated from an Exterior Gateway Protocol (EGP).
    ?—Origin of the path is not clear. Usually, this is a route that is redistributed into BGP from an IGP.
Network
    Internet address of the network the entry describes.
Next Hop
    IP address of the next system that is used when forwarding a packet to the destination network. An entry of 0.0.0.0 indicates that the access server has some non-BGP route to this network.
Metric
    If shown, the value of the inter-autonomous-system metric.
LocPrf
    Local preference value as set with the set local-preference route-map configuration command. The default value is 100.
Weight
    Weight of the route as set via autonomous system filters.
Path
    Autonomous system paths to the destination network. There can be one entry in this field for each autonomous system in the path. At the end of the path is the origin code for the path:
    i—The entry was originated with the IGP and advertised with a network router configuration command.
    e—The route originated with EGP.
    ?—The origin of the path is not clear. Usually this is a path that is redistributed into BGP from an IGP.

show bgp neighbors paths: Example

The following is example output from the show bgp neighbors command entered with the paths keyword:

ciscoasa# show bgp neighbors 172.29.232.178 paths ^10
Address    Refcount Metric Path
0x60E577B0        2     40 10 ?

Table 4-20 shows each field description.

Table 4-20  show bgp neighbors paths Fields
Field  Description
Address
    Internal address where the path is stored.
Refcount
    Number of routes using that path.
Metric
    Multi Exit Discriminator (MED) metric for the path. (The name of this metric for BGP versions 2 and 3 is INTER_AS.)
Path
    Autonomous system path for that route, followed by the origin code for that route.

show bgp neighbors received prefix-filter: Example

The following example shows that a prefix list that filters all routes in the 10.0.0.0 network has been received from the 192.168.20.72 neighbor:

ciscoasa# show bgp neighbors 192.168.20.72 received prefix-filter
Address family:IPv4 Unicast
ip prefix-list 192.168.20.72:1 entries
   seq 5 deny 10.0.0.0/8 le 32

Table 4-21 shows each field description.

Table 4-21  show bgp neighbors received prefix filter Fields
Field  Description
Address family
    Address family mode in which the prefix filter is received.
ip prefix-list
    Prefix list sent from the specified neighbor.

show bgp neighbors policy: Example

The following sample output shows the policies applied to the neighbor at 192.168.1.2. The output displays policies configured on the neighbor device.

ciscoasa# show bgp neighbors 192.168.1.2 policy
 Neighbor: 192.168.1.2, Address-Family: IPv4 Unicast
 Locally configured policies:
  route-map ROUTE in
 Inherited polices:
  prefix-list NO-MARKETING in
  route-map ROUTE in
  weight 300
  maximum-prefix 10000

show bgp neighbors: Example

The following is sample output from the show bgp neighbors command that verifies that BGP TCP path maximum transmission unit (MTU) discovery is enabled for the BGP neighbor at 172.16.1.2:

ciscoasa# show bgp neighbors 172.16.1.2
BGP neighbor is 172.16.1.2, remote AS 45000, internal link
  BGP version 4, remote router ID 172.16.1.99
  .
  .
  .
 For address family: IPv4 Unicast
  BGP table version 5, neighbor version 5/0
  .
  .
  .
  Address tracking is enabled, the RIB does have a route to 172.16.1.2
  Address tracking requires at least a /24 route to the peer
  Connections established 3; dropped 2
  Last reset 00:00:35, due to Router ID changed
  Transport(tcp) path-mtu-discovery is enabled
  .
  .
  .
  SRTT: 146 ms, RTTO: 1283 ms, RTV: 1137 ms, KRTT: 0 ms
  minRTT: 8 ms, maxRTT: 300 ms, ACK hold: 200 ms
  Flags: higher precedence, retransmission timeout, nagle, path mtu capable

The following is partial output from the show bgp neighbors command that verifies the status of the BGP graceful restart capability for the external BGP peer at 192.168.3.2. Graceful restart is shown as disabled for this BGP peer.

ciscoasa# show bgp neighbors 192.168.3.2
BGP neighbor is 192.168.3.2, remote AS 50000, external link
 Inherits from template S2 for session parameters
  BGP version 4, remote router ID 192.168.3.2
  BGP state = Established, up for 00:01:41
  Last read 00:00:45, last write 00:00:45, hold time is 180, keepalive intervals
  Neighbor sessions:
    1 active, is multisession capable
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    Address family IPv4 Unicast: advertised and received
  .
  .
  .
  Address tracking is enabled, the RIB does have a route to 192.168.3.2
  Connections established 1; dropped 0
  Last reset never
  Transport(tcp) path-mtu-discovery is enabled
  Graceful-Restart is disabled
Connection state is ESTAB, I/O status: 1, unread input bytes: 0

show bgp paths

To display all the BGP paths in the database, use the show bgp paths command in EXEC mode.

show bgp paths

Cisco 10000 Series Router

show bgp paths regexp

Syntax Description

regexp
    Regular expression to match the BGP autonomous system paths.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                 Routed  Transparent  Single  Multiple Context  Multiple System
Privileged EXEC, User EXEC   Yes     Yes          Yes     Yes               Yes

Command History

Release  Modification
9.2(1)   This command was added.

Examples

The following is sample output from the show bgp paths command in privileged EXEC mode:

ciscoasa# show bgp paths
Address    Hash Refcount Metric Path
0x60E5742C    0        1      0 i
0x60E3D7AC    2        1      0 ?
0x60E5C6C0   11        3      0 10 ?
0x60E577B0   35        2     40 10 ?

Table 4-22 shows each field description.

Table 4-22  show bgp paths Fields
Field  Description
Address
    Internal address where the path is stored.
Hash
    Hash bucket where the path is stored.
Refcount
    Number of routes using that path.
Metric
    The Multi Exit Discriminator (MED) metric for the path. (The name of this metric for BGP versions 2 and 3 is INTER_AS.)
Path
    The autonomous system path for that route, followed by the origin code for that route.

show bgp policy-list

To display information about a configured policy list and policy list entries, use the show bgp policy-list command in user EXEC mode.

show bgp policy-list [policy-list-name]

Syntax Description

policy-list-name
    (Optional) Displays information about the specified policy list with this argument.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                 Routed  Transparent  Single  Multiple Context  Multiple System
Privileged EXEC, User EXEC   Yes     Yes          Yes     Yes               Yes

Command History

Release  Modification
9.2(1)   This command was added.

Examples

The following is sample output from the show bgp policy-list command. The output of this command displays the policy-list name and the configured match clauses.
The following sample output is similar to the output that will be displayed:

ciscoasa# show bgp policy-list
policy-list POLICY-LIST-NAME-1 permit
  Match clauses:
    metric 20
policy-list POLICY-LIST-NAME-2 permit
  Match clauses:
    as-path (as-path filter): 1

show bgp prefix-list

To display information about a prefix list or prefix list entries, use the show bgp prefix-list command in user or privileged EXEC mode.

show bgp prefix-list [detail | summary] [prefix-list-name [seq sequence-number | network/length [longer | first-match]]]

Syntax Description

detail | summary
    (Optional) Displays detailed or summarized information about all prefix lists.
first-match
    (Optional) Displays the first entry of the specified prefix list that matches the given network/length.
longer
    (Optional) Displays all entries of the specified prefix list that match or are more specific than the given network/length.
network/length
    (Optional) Displays all entries in the specified prefix list that use this network address and netmask length (in bits).
prefix-list-name
    (Optional) Displays the entries in a specific prefix list.
seq sequence-number
    (Optional) Displays only the prefix list entry with the specified sequence number in the specified prefix list.
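The longer and first-match options above, and the le range in the received prefix-filter example earlier (seq 5 deny 10.0.0.0/8 le 32, which covers every route inside 10.0.0.0/8), both depend on how a prefix-list entry matches a route. The following Python script is an added example, not Cisco code or output from the ASA: it parses the seq/permit/deny lines as they appear in show bgp prefix-list output, applies the ge/le range semantics (no range means the exact length only), and implements the first-match and longer lookups plus the implicit deny at the end of the list. The two sample lists are constructed from the page's entries; the seq 20 entry of the test list is a hypothetical addition so that a ge/le range is exercised.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed samples. The first is the page's received prefix-filter output;
# the second is the page's "test" list plus one hypothetical ge/le entry (seq 20).
RECEIVED_FILTER = """\
Address family:IPv4 Unicast
ip prefix-list 192.168.20.72:1 entries
   seq 5 deny 10.0.0.0/8 le 32
"""

TEST_LIST = """\
ip prefix-list test:
   seq 10 permit 10.0.0.0/8 (hit count: 0, refcount: 1)
   seq 20 permit 192.168.0.0/16 ge 24 le 28
"""

# 'seq N permit|deny prefix [ge X] [le Y]'; trailing hit/refcount text is ignored.
ENTRY_RE = re.compile(
    r"^\s*seq\s+(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<prefix>\S+)"
    r"(?:\s+ge\s+(?P<ge>\d+))?(?:\s+le\s+(?P<le>\d+))?"
)


@dataclass(frozen=True)
class PrefixEntry:
    seq: int
    action: str
    network: IPNetwork
    ge: int  # smallest prefix length the entry matches
    le: int  # largest prefix length the entry matches

    def matches(self, candidate: IPNetwork) -> bool:
        """True when candidate lies inside network and its length is within [ge, le]."""
        return (candidate.version == self.network.version
                and candidate.subnet_of(self.network)
                and self.ge <= candidate.prefixlen <= self.le)


def parse_prefix_list(text: str) -> List[PrefixEntry]:
    """Parse the entry lines of show bgp prefix-list output into sequence order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # list header and description lines carry no entry
        net = ipaddress.ip_network(m["prefix"], strict=False)
        plen = net.prefixlen
        # Range semantics: no ge/le -> exact length only; ge alone -> ge..max;
        # le alone -> plen..le; both -> ge..le.
        ge = int(m["ge"]) if m["ge"] else plen
        if m["le"]:
            le = int(m["le"])
        else:
            le = net.max_prefixlen if m["ge"] else plen
        entries.append(PrefixEntry(int(m["seq"]), m["action"], net, ge, le))
    return sorted(entries, key=lambda e: e.seq)


def first_match(entries: List[PrefixEntry], prefix: str) -> Optional[PrefixEntry]:
    """Lowest-sequence entry matching prefix (what the first-match option shows)."""
    cand = ipaddress.ip_network(prefix, strict=False)
    return next((e for e in entries if e.matches(cand)), None)


def longer_entries(entries: List[PrefixEntry], prefix: str) -> List[PrefixEntry]:
    """Entries whose network equals or is more specific than prefix (the longer option)."""
    cand = ipaddress.ip_network(prefix, strict=False)
    return [e for e in entries
            if e.network.version == cand.version and e.network.subnet_of(cand)]


def evaluate(entries: List[PrefixEntry], prefix: str) -> str:
    """Filter verdict for a route: action of the first matching entry, else the implicit deny."""
    hit = first_match(entries, prefix)
    return hit.action if hit else "deny"


if __name__ == "__main__":
    received = parse_prefix_list(RECEIVED_FILTER)
    print("10.1.2.0/24 via received filter:", evaluate(received, "10.1.2.0/24"))
    test = parse_prefix_list(TEST_LIST)
    for p in ("10.0.0.0/8", "10.1.0.0/16", "192.168.1.0/24", "192.168.1.0/30"):
        print(p, "->", evaluate(test, p))
```

Running the script shows why the exact-length rule matters when reviewing a received filter: the test list's seq 10 entry permits 10.0.0.0/8 itself but not 10.1.0.0/16, whereas the received seq 5 entry with le 32 denies every prefix inside 10.0.0.0/8.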
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                 Routed  Transparent  Single  Multiple Context  Multiple System
Privileged EXEC, User EXEC   Yes     Yes          Yes     Yes               Yes

Command History

Release  Modification
9.2(1)   This command was added.

Examples

The following example shows the output of the show bgp prefix-list command with details about the prefix list named test:

ciscoasa# show bgp prefix-list detail test
ip prefix-list test:
   Description: test-list
   count: 1, range entries: 0, sequences: 10 - 10, refcount: 3
   seq 10 permit 10.0.0.0/8 (hit count: 0, refcount: 1)

show bgp regexp

To display routes matching the autonomous system path regular expression, use the show bgp regexp command in EXEC mode.

show bgp regexp regexp

Syntax Description

regexp
    Regular expression to match the BGP autonomous system paths. For more details about autonomous system number formats, see the router bgp command.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                 Routed  Transparent  Single  Multiple Context  Multiple System
Privileged EXEC, User EXEC   Yes     Yes          Yes     Yes               Yes

Command History

Release  Modification
9.2(1)   This command was added.

Usage Guidelines

The Cisco implementation of 4-byte autonomous system numbers uses asplain—65538 for example—as the default regular expression match and output display format for autonomous system numbers, but you can configure 4-byte autonomous system numbers in both the asplain format and the asdot format as described in RFC 5396. To change the default regular expression match and output display of 4-byte autonomous system numbers to asdot format, use the bgp asnotation dot command followed by the clear bgp * command to perform a hard reset of all current BGP sessions.

To ensure a smooth transition, we recommend that all BGP speakers within an autonomous system that is identified using a 4-byte autonomous system number are upgraded to support 4-byte autonomous system numbers.

Examples

The following is sample output from the show bgp regexp command in privileged EXEC mode:

Router# show bgp regexp 108$
BGP table version is 1738, local router ID is 172.16.72.24
Status codes: s suppressed, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*  172.16.0.0       172.16.72.30                          0 109 108 ?
*  172.16.1.0       172.16.72.30                          0 109 108 ?
*  172.16.11.0      172.16.72.30                          0 109 108 ?
*  172.16.14.0      172.16.72.30                          0 109 108 ?
*  172.16.15.0      172.16.72.30                          0 109 108 ?
*  172.16.16.0      172.16.72.30                          0 109 108 ?
*  172.16.17.0      172.16.72.30                          0 109 108 ?
*  172.16.18.0      172.16.72.30                          0 109 108 ?
*  172.16.19.0      172.16.72.30                          0 109 108 ?
*  172.16.24.0      172.16.72.30                          0 109 108 ?
*  172.16.29.0      172.16.72.30                          0 109 108 ?
*  172.16.30.0      172.16.72.30                          0 109 108 ?
*  172.16.33.0      172.16.72.30                          0 109 108 ?
*  172.16.35.0      172.16.72.30                          0 109 108 ?
*  172.16.36.0      172.16.72.30                          0 109 108 ?
*  172.16.37.0      172.16.72.30                          0 109 108 ?
*  172.16.38.0      172.16.72.30                          0 109 108 ?
*  172.16.39.0      172.16.72.30                          0 109 108 ?

After the bgp asnotation dot command is configured, the regular expression match format for 4-byte autonomous system paths is changed to asdot notation format. Although a 4-byte autonomous system number can be configured in a regular expression using either asplain or asdot format, only 4-byte autonomous system numbers configured using the current default format are matched. In the first example, the show bgp regexp command is configured with a 4-byte autonomous system number in asplain format. The match fails because the default format is currently asdot format, so there is no output. In the second example, using asdot format, the match passes and the information about the 4-byte autonomous system path is shown using the asdot notation.

Note  The asdot notation uses a period, which is a special character in Cisco regular expressions. To remove the special meaning, use a backslash before the period.

Router# show bgp regexp ^65536$
Router# show bgp regexp ^1\.0$
BGP table version is 2, local router ID is 172.17.1.99
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.1.1.0/24      192.168.1.2              0             0 1.0 i

The following is sample output from the show bgp regexp command after the bgp asnotation dot command has been entered to display 4-byte autonomous system numbers.

Router# show bgp regexp ^1\.14$
BGP table version is 4, local router ID is 172.17.1.99
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.1.1.0/24      192.168.1.2              0             0 1.14 i

show bgp replication

To display update replication statistics for Border Gateway Protocol (BGP) update groups, use the show bgp replication command in EXEC mode.

show bgp replication [index-group | ip-address]

Syntax Description

index-group
    (Optional) Displays update replication statistics for the update group with the corresponding index number. The range of update-group index numbers is from 1 to 4294967295.
ip-address
    (Optional) Displays update replication statistics for this neighbor.
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                 Routed  Transparent  Single  Multiple Context  Multiple System
Privileged EXEC, User EXEC   Yes     Yes          Yes     Yes               Yes

Command History

Release  Modification
9.2(1)   This command was added.

Usage Guidelines

The output of this command displays BGP update-group replication statistics. When a change to outbound policy occurs, the router automatically recalculates update-group memberships and applies the changes by triggering an outbound soft reset after a 3-minute timer expires. This behavior is designed to provide the network operator with time to change the configuration if a mistake is made. You can manually enable an outbound soft reset before the timer expires by entering the clear bgp ip-address soft out command.

Examples

The following sample output from the show bgp replication command shows update-group replication information for all neighbors:

ciscoasa# show bgp replication
BGP Total Messages Formatted/Enqueued : 0/0
Index Type     Members Leader    MsgFmt MsgRepl Csize Qsize
    1 internal       1 10.4.9.21      0       0     0     0
    2 internal       2 10.4.9.5       0       0     0     0

The following sample output from the show bgp replication command shows update-group statistics for the 10.4.9.5 neighbor:

Router# show bgp replication 10.4.9.5
Index Type     Members Leader    MsgFmt MsgRepl Csize Qsize
    2 internal       2 10.4.9.5       0       0     0     0

Table 4-23 shows each field description.

Table 4-23  show bgp replication Fields
Field  Description
Index
    Index number of the update group.
Type
    Type of peer (internal or external).
Members
    Number of members in the dynamic update peer group.
Leader
    First member of the dynamic update peer group.
show bgp rib-failure

To display Border Gateway Protocol (BGP) routes that failed to install in the Routing Information Base (RIB) table, use the show bgp rib-failure command in privileged EXEC mode.

show bgp rib-failure

Syntax Description

This command has no keywords or arguments.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                 Routed  Transparent  Single  Multiple Context  Multiple System
Privileged EXEC, User EXEC   Yes     Yes          Yes     Yes               Yes

Command History

Release  Modification
9.2(1)   This command was added.

Examples

The following is sample output from the show bgp rib-failure command:

ciscoasa# show bgp rib-failure
Network            Next Hop          RIB-failure            RIB-NH Matches
10.1.15.0/24       10.1.35.5         Higher admin distance  n/a
10.1.16.0/24       10.1.15.1         Higher admin distance  n/a

Table 4-24 shows each field description.

Table 4-24  show bgp rib-failure Fields
Field  Description
Network
    IP address of a network entity.
Next Hop
    IP address of the next system that is used when forwarding a packet to the destination network. An entry of 0.0.0.0 indicates that the router has some non-BGP routes to this network.
RIB-failure
    Cause of RIB failure. Higher admin distance means that a route with a better (lower) administrative distance, such as a static route, already exists in the IP routing table.
RIB-NH Matches
    Route status that applies only when Higher admin distance appears in the RIB-failure column and bgp suppress-inactive is configured for the address family being used. There are three choices:
    • Yes—Means that the route in the RIB has the same next hop as the BGP route, or that its next hop recurses down to the same adjacency as the BGP next hop.
    • No—Means that the next hop in the RIB recurses down differently from the next hop of the BGP route.
    • n/a—Means that bgp suppress-inactive is not configured for the address family being used.

show bgp summary

To display the status of all Border Gateway Protocol (BGP) connections, use the show bgp summary command in user EXEC or privileged EXEC mode.

show bgp summary

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                 Routed  Transparent  Single  Multiple Context  Multiple System
Privileged EXEC, User EXEC   Yes     Yes          Yes     Yes               Yes

Command History

Release  Modification
9.2(1)   This command was added.

Usage Guidelines

The show bgp summary command is used to display BGP path, prefix, and attribute information for all connections to BGP neighbors.

A prefix is an IP address and network mask. It can represent an entire network, a subset of a network, or a single host route. A path is a route to a given destination. By default, BGP will install only a single path for each destination. If multipath routes are configured, BGP will install a path entry for each multipath route, and only one multipath route will be marked as the bestpath.

BGP attribute and cache entries are displayed individually and in combinations that affect the bestpath selection process. The fields for this output are displayed when the related BGP feature is configured or the attribute is received. Memory usage is displayed in bytes.

The Cisco implementation of 4-byte autonomous system numbers uses asplain—65538 for example—as the default regular expression match and output display format for autonomous system numbers, but you can configure 4-byte autonomous system numbers in both the asplain format and the asdot format as described in RFC 5396.
To change the default regular expression match and output display of 4-byte autonomous system numbers to asdot format, use the bgp asnotation dot command followed by the clear bgp * command to perform a hard reset of all current BGP sessions.

Examples

The following is sample output from the show bgp summary command in privileged EXEC mode:

Router# show bgp summary
BGP router identifier 172.16.1.1, local AS number 100
BGP table version is 199, main routing table version 199
37 network entries using 2850 bytes of memory
59 path entries using 5713 bytes of memory
18 BGP path attribute entries using 936 bytes of memory
2 multipath network entries and 4 multipath paths
10 BGP AS-PATH entries using 240 bytes of memory
7 BGP community entries using 168 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
90 BGP advertise-bit cache entries using 1784 bytes of memory
36 received paths for inbound soft reconfiguration
BGP using 34249 total bytes of memory
Dampening enabled. 4 history paths, 0 dampened paths
BGP activity 37/2849 prefixes, 60/1 paths, scan interval 15 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.100.1.1      4   200      26      22      199    0    0 00:14:23       23
10.200.1.1      4   300      21      51      199    0    0 00:13:40        0

Table 4-25 shows each field description.

Table 4-25  show bgp summary Fields
Field  Description
BGP router identifier
    In order of precedence and availability, the router identifier specified by the bgp router-id command, a loopback address, or the highest IP address.
BGP table version
    Internal version number of the BGP database.
main routing table version
    Last version of the BGP database that was injected into the main routing table.
...network entries
    Number of unique prefix entries in the BGP database.
...using ... bytes of memory
    Amount of memory, in bytes, that is consumed for the path, prefix, or attribute entry displayed on the same line.
...path entries using
    Number of path entries in the BGP database. Only a single path entry will be installed for a given destination. If multipath routes are configured, a path entry will be installed for each multipath route.
...multipath network entries using
    Number of multipath entries installed for a given destination.
* ...BGP path/bestpath attribute entries using
    Number of unique BGP attribute combinations for which a path is selected as the bestpath.
* ...BGP rrinfo entries using
    Number of unique ORIGINATOR and CLUSTER_LIST attribute combinations.
...BGP AS-PATH entries using
    Number of unique AS_PATH entries.
...BGP community entries using
    Number of unique BGP community attribute combinations.
* ...BGP extended community entries using
    Number of unique extended community attribute combinations.
BGP route-map cache entries using
    Number of BGP route-map match and set clause combinations. A value of 0 indicates that the route cache is empty.
...BGP filter-list cache entries using
    Number of filter-list entries that match an AS-path access list permit or deny statement. A value of 0 indicates that the filter-list cache is empty.
BGP advertise-bit cache entries using
    (Cisco IOS Release 12.4(11)T and later releases only) Number of advertised bitfield entries and the associated memory usage. A bitfield entry represents a piece of information (one bit) that is generated when a prefix is advertised to a peer. The advertised bit cache is built dynamically when required.
...received paths for inbound soft reconfiguration
    Number of paths received and stored for inbound soft reconfiguration.
BGP using...
    Total amount of memory, in bytes, used by the BGP process.
Dampening enabled...
    Indicates that BGP dampening is enabled. The number of paths that carry an accumulated penalty and the number of dampened paths are displayed on this line.
BGP activity...
    Displays the number of times that memory has been allocated or released for a path or prefix.
Neighbor
    IP address of the neighbor.
V
    BGP version number spoken to the neighbor.
AS
    Autonomous system number.
MsgRcvd
    Number of messages received from the neighbor.
MsgSent
    Number of messages sent to the neighbor.
TblVer
    Last version of the BGP database that was sent to the neighbor.
InQ
    Number of messages queued to be processed from the neighbor.
OutQ
    Number of messages queued to be sent to the neighbor.
Up/Down
    The length of time that the BGP session has been in the Established state, or the current status if not in the Established state.
State/PfxRcd
    Current state of the BGP session, and the number of prefixes that have been received from a neighbor or peer group. When the maximum number (as set by the neighbor maximum-prefix command) is reached, the string "PfxRcd" appears in the entry, the neighbor is shut down, and the connection is set to Idle. An (Admin) entry with Idle status indicates that the connection has been shut down using the neighbor shutdown command.

The following output from the show bgp summary command shows that the BGP neighbor 192.168.3.2 was dynamically created and is a member of the listen range group, group192. The output also shows that the IP prefix range of 192.168.0.0/16 is defined for the listen range group named group192. In Cisco IOS Release 12.2(33)SXH and later releases, the BGP dynamic neighbor feature added the ability to support the dynamic creation of BGP neighbor peers using a subnet range associated with a peer group (listen range group).
ciscoasa# show bgp summary
BGP router identifier 192.168.3.1, local AS number 45000
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
*192.168.3.2    4 50000       2       2        0    0    0 00:00:37        0
* Dynamically created based on a listen range command
Dynamically created neighbors: 1/(200 max), Subnet ranges: 1

BGP peergroup group192 listen range group members:
  192.168.0.0/16

The following output from the show bgp summary command shows two BGP neighbors, 192.168.1.2 and 192.168.3.2, in different 4-byte autonomous system numbers, 65536 and 65550. The local autonomous system 65538 is also a 4-byte autonomous system number, and the numbers are displayed in the default asplain format.

Router# show bgp summary
BGP router identifier 172.17.1.99, local AS number 65538
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.2     4 65536       7       7        1    0    0 00:03:04        0
192.168.3.2     4 65550       4       4        1    0    0 00:00:15        0

The following output from the show bgp summary command shows the same two BGP neighbors, but the 4-byte autonomous system numbers are displayed in asdot notation format. To change the display format, the bgp asnotation dot command must be configured in router configuration mode.

Router# show bgp summary
BGP router identifier 172.17.1.99, local AS number 1.2
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.2     4   1.0       9       9        1    0    0 00:04:13        0
192.168.3.2     4  1.14       6       6        1    0    0 00:01:24        0

The following example displays sample output of the show bgp summary slow command:

ciscoasa> show bgp summary slow
BGP router identifier 2.2.2.2, local AS number 100
BGP table version is 37, main routing table version 37
36 network entries using 4608 bytes of memory
36 path entries using 1872 bytes of memory
1/1 BGP path/bestpath attribute entries using 124 bytes of memory
1 BGP rrinfo entries using 24 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
1 BGP extended community entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 6700 total bytes of memory
BGP activity 46/0 prefixes, 48/0 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
6.6.6.6         4   100      11      10        1    0    0 00:44:20        0

show bgp system-config

To display, from a user context, the BGP running configuration that the system context enforces on that user context, use the show bgp system-config command in user or privileged EXEC mode.

show bgp system-config

Syntax Description

This command has no arguments or keywords.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                 Routed  Transparent  Single  Multiple Context  Multiple System
Privileged EXEC, User EXEC   Yes     Yes          —       Yes               —

Command History

Release  Modification
9.2(1)   This command was added.

Usage Guidelines

This command can be used only in a user context, without any arguments or keywords. It is useful for checking the running configuration that the system context enforces on the user context.
Examples
The following sample output is similar to the output that is displayed when the show bgp system-config command is entered in user EXEC mode:

ciscoasa/c1(config)# show bgp system-config
router bgp 1
 bgp log-neighbor-changes
 no bgp always-compare-med
 no bgp asnotation dot
 no bgp bestpath med
 no bgp bestpath compare-routerid
 bgp default local-preference 100
 no bgp deterministic-med
 bgp enforce-first-as
 bgp maxas-limit 0
 bgp transport path-mtu-discovery
 timers bgp 60 180 0
 address-family ipv4 unicast
  bgp scan-time 0
  bgp nexthop trigger enable
  bgp nexthop trigger delay 5
 exit-address-family

show blocks

To show the packet buffer utilization, use the show blocks command in privileged EXEC mode.

show blocks [{address hex | all | assigned | free | old | pool size [summary]} [diagnostics | dump | header | packet] | queue history | [exhaustion snapshot | history [list] [1-MAX_NUM_SNAPSHOT | index] [detail]]

Syntax Description
address hex                 (Optional) Shows the block corresponding to this address, in hexadecimal.
all                         (Optional) Shows all blocks.
assigned                    (Optional) Shows blocks that are assigned and in use by an application.
detail                      (Optional) Shows a portion (128 bytes) of the first block for each unique queue type.
diagnostics                 (Optional) Shows block diagnostics.
dump                        (Optional) Shows the entire block contents, including the header and packet information. The difference between dump and packet is that dump includes additional information between the header and the packet.
exhaustion snapshot         (Optional) Prints the last x snapshots that were taken (x is currently 10) and the time stamp of the last snapshot. After a snapshot is taken, another snapshot is not taken if less than 5 minutes has passed.
free                        (Optional) Shows blocks that are available for use.
header                      (Optional) Shows the header of the block.
history                     Displays recent and all snapshots in the history.
history 1-MAX_NUM_SNAPSHOT  Displays only one snapshot in the history.
history index               Displays the index of snapshots in the history.
history list                Displays a summary of snapshots in the history.
old                         (Optional) Shows blocks that were assigned more than a minute ago.
packet                      (Optional) Shows the header of the block as well as the packet contents.
pool size                   (Optional) Shows blocks of a specific size.
queue history               (Optional) Shows where blocks are assigned when the ASA runs out of blocks. Sometimes a block is allocated from the pool but never assigned to a queue; in that case, the location is the code address that allocated the block.
summary                     (Optional) Shows detailed information about block usage sorted by the program addresses of applications that allocated blocks in this class, the program addresses of applications that released blocks in this class, and the queues to which valid blocks in this class belong.

Defaults
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:

Command Mode: Privileged EXEC
Firewall Mode:    Routed: Yes    Transparent: Yes
Security Context: Single: Yes    Multiple (Context): Yes    Multiple (System): Yes

Command History
Release   Modification
7.0(1)    The pool summary option was added.
8.0(2)    The dupb block now uses 0-length blocks instead of 4-byte blocks. An additional line was added for 0-byte blocks.
9.1(5)    The exhaustion snapshot, history list, history index, and history 1-MAX_NUM_SNAPSHOT options were added.

Usage Guidelines
The show blocks command helps you determine whether the ASA is overloaded. It lists preallocated system buffer utilization. A full memory condition is not a problem as long as traffic is moving through the ASA; use the show conn command to see whether traffic is moving. If traffic is not moving and the memory is full, there may be a problem.
You can also view this information using SNMP. The information shown in a security context includes the system-wide information as well as context-specific information about the blocks in use and the high water mark for block usage. See the “Examples” section for a description of the display output.

Examples
The following is sample output from the show blocks command in single mode:

ciscoasa# show blocks
  SIZE    MAX    LOW    CNT
     0    100     99    100
     4   1600   1598   1599
    80    400    398    399
   256   3600   3540   3542
  1550   4716   3177   3184
 16384     10     10     10
  2048   1000   1000   1000

Table 4-26 shows each field description.

Table 4-26 show blocks Fields

Field   Description
SIZE    Size, in bytes, of the block pool. Each size represents a particular type.
  0     Used by dupb blocks.
  4     Duplicates existing blocks in applications such as DNS, ISAKMP, URL filtering, uauth, TFTP, and TCP modules. Also, this sized block can be used normally by code to send packets to drivers, etc.
  80    Used in TCP intercept to generate acknowledgment packets and for failover hello messages.
  256   Used for Stateful Failover updates, syslogging, and other TCP functions. These blocks are mainly used for Stateful Failover messages. The active ASA generates and sends packets to the standby ASA to update the translation and connection table. In bursty traffic, where high rates of connections are created or torn down, the number of available blocks might drop to 0. This situation indicates that one or more connections were not updated to the standby ASA; the Stateful Failover protocol catches the missing translation or connection the next time. If the CNT column for 256-byte blocks stays at or near 0 for extended periods of time, the ASA is having trouble keeping the translation and connection tables synchronized because of the number of connections per second that the ASA is processing.
        Syslog messages sent out from the ASA also use the 256-byte blocks, but they are generally not released in such quantity as to deplete the 256-byte block pool. If the CNT column shows that the number of 256-byte blocks is near 0, ensure that you are not logging at Debugging (level 7) to the syslog server; this is indicated by the logging trap line in the ASA configuration. We recommend that you set logging at Notification (level 5) or lower, unless you require additional information for debugging purposes.
  1550  Used to store Ethernet packets for processing through the ASA. When a packet enters an ASA interface, it is placed on the input interface queue, passed up to the operating system, and placed in a block. The ASA determines whether the packet should be permitted or denied based on the security policy and processes the packet through to the output queue on the outbound interface. If the ASA is having trouble keeping up with the traffic load, the number of available blocks will hover close to 0 (as shown in the CNT column of the command output). When the CNT column is zero, the ASA attempts to allocate more blocks. The maximum can be greater than 8192 for 1550-byte blocks if you issue this command. If no more blocks are available, the ASA drops the packet.
  16384 Only used for the 64-bit, 66-MHz Gigabit Ethernet cards (i82543). See the description for 1550 for more information about Ethernet packets.
  2048  Control or guided frames used for control updates.
MAX     Maximum number of blocks available for the specified byte block pool. The maximum number of blocks is carved out of memory at bootup. Typically, the maximum number of blocks does not change. The exception is the 256- and 1550-byte blocks, where the ASA can dynamically create more when needed. The maximum can be greater than 8192 for 1550-byte blocks if you issue this command.
LOW     Low-water mark. This number indicates the lowest number of blocks of this size available since the ASA was powered up, or since the last clearing of the blocks (with the clear blocks command). A zero in the LOW column indicates a previous event where memory was full.
CNT     Current number of blocks available for that specific size block pool. A zero in the CNT column means memory is full now.

The following is sample output from the show blocks all command:

ciscoasa# show blocks all
Class 0, size 4
  Block       allocd_by   freed_by    data size  alloccnt  dup_cnt  oper   location
  0x01799940  0x00000000  0x00101603  0          0         0        alloc  not_specified
  0x01798e80  0x00000000  0x00101603  0          0         0        alloc  not_specified
  0x017983c0  0x00000000  0x00101603  0          0         0        alloc  not_specified
...
Found 1000 of 1000 blocks
Displaying 1000 of 1000 blocks

Table 4-27 shows each field description.

Table 4-27 show blocks all Fields

Field       Description
Block       The block address.
allocd_by   The program address of the application that last used the block (0 if not used).
freed_by    The program address of the application that last released the block.
data size   The size of the application buffer/packet data that is inside the block.
alloccnt    The number of times this block has been used since the block came into existence.
dup_cnt     The current number of references to this block if used: 0 means 1 reference, 1 means 2 references.
oper        One of the four operations that was last performed on the block: alloc, get, put, or free.
location    The application that uses the block, or the program address of the application that last allocated the block (same as the allocd_by field).
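As an added example (not Cisco's code and not part of this reference), the following Python parses the SIZE/MAX/LOW/CNT table above and applies the interpretation rules the field descriptions give: CNT of 0 means the pool is exhausted now, LOW of 0 means it was exhausted earlier, and a depleted 256- or 1550-byte pool points at failover/syslog pressure or an overloaded ASA. The sample output is constructed, and the near_zero threshold is an assumption of this example, not a Cisco value.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the "show blocks" listing in this section
# (single mode); the 256-byte pool is deliberately shown near exhaustion.
SAMPLE_SHOW_BLOCKS = """\
ciscoasa# show blocks
  SIZE    MAX    LOW    CNT
     0    100     99    100
     4   1600   1598   1599
    80    400    398    399
   256   3600      0      3
  1550   4716   3177   3184
 16384     10     10     10
  2048   1000   1000   1000
"""


@dataclass
class Pool:
    size: int   # block size in bytes (SIZE column)
    max: int    # blocks carved out at boot, or grown dynamically (MAX)
    low: int    # lowest CNT seen since boot or "clear blocks" (LOW)
    cnt: int    # blocks free right now (CNT)


def parse_show_blocks(text):
    """Parse the SIZE/MAX/LOW/CNT rows into Pool records keyed by size."""
    pools = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$", line)
        if m:
            size, mx, low, cnt = (int(x) for x in m.groups())
            pools[size] = Pool(size, mx, low, cnt)
    return pools


def assess_pools(pools, near_zero=8):
    """Return (size, severity, message) findings using the rules in Table 4-26.

    near_zero is an assumed threshold for "near 0"; tune it to your platform.
    """
    findings = []
    for size, p in sorted(pools.items()):
        if p.cnt == 0:
            findings.append((size, "critical",
                             "CNT is 0: memory is full now, packets may be dropped"))
        elif p.cnt <= near_zero:
            findings.append((size, "warning",
                             f"CNT {p.cnt} of MAX {p.max}: pool nearly exhausted"))
        if p.low == 0:
            findings.append((size, "info",
                             "LOW is 0: pool was exhausted since boot or last 'clear blocks'"))
        if size == 256 and p.cnt <= near_zero:
            # Stateful Failover updates and syslog share this pool.
            findings.append((size, "action",
                             "256-byte blocks depleted: check failover sync rate and that "
                             "'logging trap' is not at debugging (level 7)"))
        if size == 1550 and p.cnt <= near_zero:
            # Ethernet packets in transit live here; depletion means drops.
            findings.append((size, "action",
                             "1550-byte blocks depleted: ASA not keeping up with traffic; "
                             "confirm with 'show conn'"))
    return findings


if __name__ == "__main__":
    for size, severity, msg in assess_pools(parse_show_blocks(SAMPLE_SHOW_BLOCKS)):
        print(f"[{severity}] {size}-byte pool: {msg}")
```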
The following is sample output from the show blocks command in a context:

ciscoasa/contexta# show blocks
  SIZE    MAX    LOW    CNT  INUSE  HIGH
     4   1600   1599   1599      0     0
    80    400    400    400      0     0
   256   3600   3538   3540      0     1
  1550   4616   3077   3085      0     0

The following is sample output from the show blocks queue history command:

ciscoasa# show blocks queue history
Each Summary for User and Queue_type is followed its top 5 individual queues
Block Size: 4
Summary for User "http", Queue "tcp_unp_c_in", Blocks 1595, Queues 1396
 Blk_cnt  Q_cnt  Last_Op  Queue_Type  User      Context
     186      1  put                            contexta
      15      1  put                            contexta
       1      1  put                            contexta
       1      1  put                            contextb
       1      1  put                            contextc
Summary for User "aaa", Queue "tcp_unp_c_in", Blocks 220, Queues 200
 Blk_cnt  Q_cnt  Last_Op  Queue_Type  User      Context
      21      1  put                            contexta
       1      1  put                            contexta
       1      1  put                            contexta
       1      1  put                            contextb
       1      1  put                            contextc
 Blk_cnt  Q_cnt  Last_Op  Queue_Type  User      Context
     200      1  alloc    ip_rx       tcp       contexta
     108      1  get      ip_rx       udp       contexta
      85      1  free     fixup       h323_ras  contextb
      42      1  put      fixup       skinny    contextb
Block Size: 1550
Summary for User "http", Queue "tcp_unp_c_in", Blocks 1595, Queues 1000
 Blk_cnt  Q_cnt  Last_Op  Queue_Type  User      Context
     186      1  put                            contexta
      15      1  put                            contexta
       1      1  put                            contexta
       1      1  put                            contextb
       1      1  put                            contextc
...

The following is sample output from the show blocks queue history detail command:

ciscoasa# show blocks queue history detail
History buffer memory usage: 2136 bytes (default)
Each Summary for User and Queue type is followed its top 5 individual queues
Block Size: 4
Summary for User "http", Queue_Type "tcp_unp_c_in", Blocks 1595, Queues 1396
 Blk_cnt  Q_cnt  Last_Op  Queue_Type  User      Context
     186      1  put                            contexta
      15      1  put                            contexta
       1      1  put                            contexta
       1      1  put                            contextb
       1      1  put                            contextc
First Block information for Block at 0x.....
 dup_count 0, flags 0x8000000, alloc_pc 0x43ea2a,
 start_addr 0xefb1074, read_addr 0xefb118c, write_addr 0xefb1193
 urgent_addr 0xefb118c, end_addr 0xefb17b2
0efb1150: 00 00 00 03 47 c5 61 c5 00 05 9a 38 76 80 a3 00 | ....G.a....8v...
0efb1160: 00 0a 08 00 45 00 05 dc 9b c9 00 00 ff 06 f8 f3 | ....E...........
0efb1170: 0a 07 0d 01 0a 07 00 50 00 17 cb 3d c7 e5 60 62 | .......P...=..`b
0efb1180: 7e 73 55 82 50 18 10 00 45 ca 00 00 2d 2d 20 49 | ~sU.P...E...-- I
0efb1190: 50 20 2d 2d 0d 0a 31 30 2e 37 2e 31 33 2e 31 09 | P --..10.7.13.1.
0efb11a0: 3d 3d 3e 09 31 30 2e 37 2e 30 2e 38 30 0d 0a 0d | ==>.10.7.0.80...
Summary for User "aaa", Queue "tcp_unp_c_in", Blocks 220, Queues 200
 Blk_cnt  Q_cnt  Last_Op  Queue_Type  User      Context
      21      1  put                            contexta
       1      1  put                            contexta
       1      1  put                            contexta
       1      1  put                            contextb
       1      1  put                            contextc
First Block information for Block at 0x.....
 dup_count 0, flags 0x8000000, alloc_pc 0x43ea2a,
 start_addr 0xefb1074, read_addr 0xefb118c, write_addr 0xefb1193
 urgent_addr 0xefb118c, end_addr 0xefb17b2
0efb1150: 00 00 00 03 47 c5 61 c5 00 05 9a 38 76 80 a3 00 | ....G.a....8v...
0efb1160: 00 0a 08 00 45 00 05 dc 9b c9 00 00 ff 06 f8 f3 | ....E...........
0efb1170: 0a 07 0d 01 0a 07 00 50 00 17 cb 3d c7 e5 60 62 | .......P...=..`b
0efb1180: 7e 73 55 82 50 18 10 00 45 ca 00 00 2d 2d 20 49 | ~sU.P...E...-- I
0efb1190: 50 20 2d 2d 0d 0a 31 30 2e 37 2e 31 33 2e 31 09 | P --..10.7.13.1.
0efb11a0: 3d 3d 3e 09 31 30 2e 37 2e 30 2e 38 30 0d 0a 0d | ==>.10.7.0.80...
...
total_count: total buffers in this class

The following is sample output from the show blocks pool summary command:

ciscoasa# show blocks pool 1550 summary
Class 3, size 1550
=================================================
total_count=1531 miss_count=0
Alloc_pc    valid_cnt   invalid_cnt
0x3b0a18    00000256    00000000
  0x01ad0760 0x01acfe00 0x01acf4a0 0x01aceb40 00000000 0x00000000
0x3a8f6b    00001275    00000012
  0x05006aa0 0x05006140 0x050057e0 0x05004520 00000000 0x00000000
=================================================
total_count=9716 miss_count=0
Freed_pc    valid_cnt   invalid_cnt
0x9a81f3    00000104    00000007
  0x05006140 0x05000380 0x04fffa20 0x04ffde00 00000000
0x9a0326    00000053    00000033
  0x05006aa0 0x050057e0 0x05004e80 0x05003260 00000000
0x4605a2    00000005    00000000
  0x04ff5ac0 0x01e8e2e0 0x01e2eac0 0x01e17d20 00000000
...
=================================================
total_count=1531 miss_count=0
Queue       valid_cnt   invalid_cnt
0x3b0a18    00000256    00000000   Invalid Bad qtype
  0x01ad0760 0x01acfe00 0x01acf4a0 0x01aceb40 00000000
0x3a8f6b    00001275    00000000   Invalid Bad qtype
  0x05006aa0 0x05006140 0x050057e0 0x05004520 00000000 0x00000000
  0x00000000 0x00000000 0x00000000 0x00000000
=================================================
free_cnt=8185 fails=0 actual_free=8185 hash_miss=0
03a8d3e0 03a8b7c0 03a7fc40 03a6ff20 03a6f5c0 03a6ec60
kao-f1#

The following is sample output from the show blocks exhaustion history list command:

ciscoasa# show blocks exhaustion history list
1 Snapshot created at 18:01:03 UTC Feb 19 2014: Snapshot created due to 16384 blocks running out
2 Snapshot created at 18:02:03 UTC Feb 19 2014: Snapshot created due to 16384 blocks running out
3 Snapshot created at 18:03:03 UTC Feb 19 2014: Snapshot created due to 16384 blocks running out
4 Snapshot created at 18:04:03 UTC Feb 19 2014: Snapshot created due to 16384 blocks running out

Table 4-28 shows each field description.

Table 4-28 show blocks pool summary Fields

Field                   Description
total_count             The number of blocks for a given class.
miss_count              The number of blocks not reported in the specified category due to technical reasons.
Freed_pc                The program addresses of applications that released blocks in this class.
Alloc_pc                The program addresses of applications that allocated blocks in this class.
Queue                   The queues to which valid blocks in this class belong.
valid_cnt               The number of blocks that are currently allocated.
invalid_cnt             The number of blocks that are not currently allocated.
Invalid Bad qtype       Either this queue has been freed and the contents are invalid, or this queue was never initialized.
Valid tcp_usr_conn_inp  The queue is valid.

Related Commands
Command       Description
blocks        Increases the memory assigned to block diagnostics.
clear blocks  Clears the system buffer statistics.
show conn     Shows active connections.

show bootvar

To show the boot file and configuration properties, use the show bootvar command in privileged EXEC mode.

show bootvar

Syntax Description
This command has no arguments or keywords.

Defaults
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:

Command Mode: Privileged EXEC
Firewall Mode:    Routed: Yes    Transparent: Yes
Security Context: Single: Yes    Multiple (Context): Yes    Multiple (System): Yes

Command History
Release   Modification
7.2(1)    This command was added.

Usage Guidelines
The BOOT variable specifies a list of bootable images on various devices. The CONFIG_FILE variable specifies the configuration file used during system initialization. Set these variables with the boot system command and the boot config command, respectively.

Examples
The BOOT variable contains disk0:/f1_image, which is the image booted when the system reloads.
The current value of BOOT is disk0:/f1_image; disk0:/f1_backupimage. This value means that the BOOT variable has been modified with the boot system command, but the running configuration has not been saved with the write memory command. When the running configuration is saved, the BOOT variable and the current BOOT variable will both be disk0:/f1_image; disk0:/f1_backupimage. Assuming that the running configuration is saved, the boot loader will try to load the contents of the BOOT variable, starting with disk0:/f1_image, but if that is not present or invalid, the boot loader will try to boot disk0:/f1_backupimage.

The CONFIG_FILE variable points to the system startup configuration. In this example it is not set, so the startup configuration file is the default specified with the boot config command. The current CONFIG_FILE variable may be modified with the boot config command and saved with the write memory command.

The following is sample output from the show bootvar command:

ciscoasa# show bootvar
BOOT variable = disk0:/f1_image
Current BOOT variable = disk0:/f1_image; disk0:/f1_backupimage
CONFIG_FILE variable =
Current CONFIG_FILE variable =
ciscoasa#

Related Commands
Command   Description
boot      Specifies the configuration file or image file used at startup.

show bridge-group

To show bridge group information such as interfaces assigned, MAC addresses, and IP addresses, use the show bridge-group command in privileged EXEC mode.

show bridge-group bridge-group-number

Syntax Description
bridge-group-number   Specifies the bridge group number as an integer between 1 and 100.

Command Default
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:

Command Mode: Privileged EXEC
Firewall Mode:    Routed: —    Transparent: Yes
Security Context: Single: Yes    Multiple (Context): Yes    Multiple (System): —

Command History
Release   Modification
8.4(1)    This command was added.

Examples
The following is sample output from the show bridge-group command with IPv4 addresses:

ciscoasa# show bridge-group 1
 Interfaces:
 GigabitEthernet0/0.101, GigabitEthernet0/0.201
 Management System IP Address: 10.0.1.1 255.255.255.0
 Management Current IP Address: 10.0.1.1 255.255.255.0
 Management IPv6 Global Unicast Address(es):
 N/A
 Static mac-address entries: 0
 Dynamic mac-address entries: 2

The following is sample output from the show bridge-group command with IPv4 and IPv6 addresses:

ciscoasa# show bridge-group 1
 Interfaces:
 GigabitEthernet0/0.101, GigabitEthernet0/0.201
 Management System IP Address: 10.0.1.1 255.255.255.0
 Management Current IP Address: 10.0.1.1 255.255.255.0
 Management IPv6 Global Unicast Address(es):
 2000:100::1, subnet is 2000:100::/64
 2000:101::1, subnet is 2000:101::/64
 2000:102::1, subnet is 2000:102::/64
 Static mac-address entries: 0
 Dynamic mac-address entries: 2

Related Commands
Command                            Description
bridge-group                       Groups transparent firewall interfaces into a bridge group.
clear configure interface bvi      Clears the bridge group interface configuration.
interface                          Configures an interface.
interface bvi                      Creates a bridge virtual interface.
ip address                         Sets the management IP address for a bridge group.
show running-config interface bvi  Shows the bridge group interface configuration.

show call-home

To display the configured Call Home information, use the show call-home command in privileged EXEC mode.

[cluster exec] show call-home [alert-group | detail | events | mail-server status | profile {profile_name | all} | statistics]

Syntax Description
alert-group   (Optional) Displays the available alert groups.
cluster exec                    (Optional) In a clustering environment, enables you to issue the show call-home command in one unit and run the command in all the other units at the same time.
detail                          (Optional) Displays the Call Home configuration in detail.
events                          (Optional) Displays currently detected events.
mail-server status              (Optional) Displays the Call Home mail server status information.
profile {profile_name | all}    (Optional) Displays configuration information for all existing profiles.
statistics                      (Optional) Displays the Call Home statistics.

Defaults
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:

Command Mode: Privileged EXEC
Firewall Mode:    Routed: Yes    Transparent: Yes
Security Context: Single: Yes    Multiple (Context): —    Multiple (System): Yes

Command History
Release   Modification
8.2(2)    This command was added.
9.1(3)    A new type of Smart Call Home message was added to include the output of the show cluster history command and the show cluster info command.

Examples
The following is sample output from the show call-home command and displays the configured Call Home settings:

ciscoasa# show call-home
Current Smart Call-Home settings:
 Smart Call-Home feature : enable
 Smart Call-Home message's from address: [email protected]
 Smart Call-Home message's reply-to address: [email protected]
 contact person's email address: [email protected]
 contact person's phone: 111-222-3333
 street address: 1234 Any Street, Any city, Any state, 12345
 customer ID: ExampleCorp
 contract ID: X123456789
 site ID: SantaClara
 Mail-server[1]: Address: smtp.example.com Priority: 1
 Mail-server[2]: Address: 192.168.0.1 Priority: 10
 Rate-limit: 60 message(s) per minute

Available alert groups:
Keyword                  State
------------------------ -------
Syslog                   Enable
diagnostic               Enable
environmental            Enable
inventory                Enable
configuration            Enable
firewall                 Enable
troubleshooting          Enable
report                   Enable

Profiles:
 Profile Name: CiscoTAC-1
 Profile Name: prof1
 Profile Name: prof2

The following is sample output from the show call-home detail command and displays detailed Call Home configuration information:

ciscoasa# show call-home detail
Description: Show smart call-home configuration in detail.
Supported Modes: single mode and system context in multi mode, routed/transparent.
Output:
Current Smart Call-Home settings:
 Smart Call-Home feature: enable
 Smart Call-Home message's from address: [email protected]
 Smart Call-Home message's reply-to address: [email protected]
 contact person's email address: [email protected]
 contact person's phone: 111-222-3333
 street address: 1234 Any Street, Any city, Any state, 12345
 customer ID: 111111
 contract ID: 123123
 site ID: SantaClara
 Mail-server[1]: Address: example.example.com Priority: 1
 Mail-server[2]: Address: example.example.com Priority: 10
 Rate-limit: 60 message(s) per minute

Available alert groups:
Keyword                  State
------------------------ -------
syslog                   Enable
diagnostic               Enable
environmental            Enable
inventory                Enable
configuration            Enable
firewall                 Enable
troubleshooting          Enable
report                   Enable

Profiles:
 Profile Name: CiscoTAC-1
  Profile status: ACTIVE
  Preferred Message Format: xml
  Message Size Limit: 3145728 Bytes
  Email address(es): [email protected]
  HTTP address(es): https://tools.cisco.com/its/service/oddce/services/DDCEService
  Periodic inventory message is scheduled monthly at 01:00
  Alert-group               Severity
  ------------------------  ------------
  inventory                 n/a

 Profile Name: prof1
  Profile status: ACTIVE
  Preferred Message Format: xml
  Message Size Limit: 3145728 Bytes
  Email address(es): [email protected]
  HTTP address(es): https://kafan-lnx-01.cisco.com:8443/sch/sch.jsp
  Periodic configuration message is scheduled daily at 01:00
  Periodic inventory message is scheduled every 60 minutes
  Alert-group               Severity
  ------------------------  ------------
  configuration             n/a
  inventory                 n/a

 Profile Name: prof2
  Profile status: ACTIVE
  Preferred Message Format: short-text
  Message Size Limit: 1048576 Bytes
  Email address(es): [email protected]
  HTTP address(es): https://example.example.com:8443/sch/sch.jsp
  Periodic configuration message is scheduled every 1 minutes
  Periodic inventory message is scheduled every 1 minutes
  Alert-group               Severity
  ------------------------  ------------
  configuration             n/a
  inventory                 n/a

The following is sample output from the show call-home events command and displays available Call Home events:

ciscoasa# show call-home events
Description: Show current detected events.
Supported Modes: single mode and system context in multi mode, routed/transparent.
Output:
Active event list:
Event client          alert-group     severity   active (sec)
--------------------------------------------------------------------
Configuration Client  configuration   none       5
Inventory             inventory       none       15

The following is sample output from the show call-home mail-server status command and displays the Call Home mail-server status:

ciscoasa# show call-home mail-server status
Description: Show smart call-home configuration, status, and statistics.
Supported Modes: single mode and system context in multi mode, routed/transparent.
Output:
Mail-server[1]: Address: example.example.com Priority: 1 [Available]
Mail-server[2]: Address: example.example.com Priority: 10 [Not Available]

The following is sample output from the show call-home alert-group command and displays the available alert groups:

ciscoasa# show call-home alert-group
Description: Show smart call-home alert-group states.
Supported Modes: single mode and system context in multi mode, routed/transparent.
Output:
Available alert groups:
Keyword                  State
------------------------ -------
syslog                   Enable
diagnostic               Enable
environmental            Enable
inventory                Enable
configuration            Enable
firewall                 Enable
troubleshooting          Enable
report                   Enable

The following is sample output from the show call-home profile {profile-name | all} command and displays information for all predefined and user-defined profiles:

ciscoasa# show call-home profile {profile-name | all}
Description: Show smart call-home profile configuration.
Supported Modes: single mode and system context in multi mode, routed/transparent.
Output:
Profiles:
 Profile Name: CiscoTAC-1
  Profile status: ACTIVE
  Preferred Message Format: xml
  Message Size Limit: 3145728 Bytes
  Email address(es): [email protected]
  HTTP address(es): https://tools.cisco.com/its/service/oddce/services/DDCEService
  Periodic inventory message is scheduled monthly at 01:00
  Alert-group               Severity
  ------------------------  ------------
  inventory                 n/a

 Profile Name: prof1
  Profile status: ACTIVE
  Preferred Message Format: xml
  Message Size Limit: 3145728 Bytes
  Email address(es): [email protected]
  HTTP address(es): https://example.example.com:8443/sch/sch.jsp
  Periodic configuration message is scheduled daily at 01:00
  Periodic inventory message is scheduled every 60 minutes
  Alert-group               Severity
  ------------------------  ------------
  configuration             n/a
  inventory                 n/a

 Profile Name: prof2
  Profile status: ACTIVE
  Preferred Message Format: short-text
  Message Size Limit: 1048576 Bytes
  Email address(es): [email protected]
  HTTP address(es): https://example.example.com:8443/sch/sch.jsp
  Periodic configuration message is scheduled every 1 minutes
  Periodic inventory message is scheduled every 1 minutes
  Alert-group               Severity
  ------------------------  ------------
  configuration             n/a
  inventory                 n/a

The following is sample output from the show call-home statistics command and displays the call-home statistics:

ciscoasa# show call-home statistics
Description: Show smart call-home statistics.
Supported Modes: single mode and system context in multi mode, routed/transparent.
Output:
Message Types         Total              Email              HTTP
--------------------  -----------------  -----------------  -----------------
Total Success         0                  0                  0
Total In-Queue        0                  0                  0
Total Dropped         5                  4                  1
  Tx Failed           5                  4                  1
    inventory         3                  2                  1
    configuration     2                  2                  0

Event Types           Total
--------------------  -----------------
Total Detected        2
  inventory           1
  configuration       1
Total In-Queue        0
Total Dropped         0

Last call-home message sent time: 2009-06-17 14:22:09 GMT-07:00

The following is sample output from the show call-home status command and displays the call-home status:

ciscoasa# show call-home mail-server status
Description: Show smart call-home configuration, status, and statistics.
Supported Modes: single mode and system context in multi mode, routed/transparent.
Output:
Mail-server[1]: Address: kafan-lnx-01.cisco.com Priority: 1 [Available]
Mail-server[2]: Address: kafan-lnx-02.cisco.com Priority: 10 [Not Available]

ciscoasa# show call-home events
Description: Show current detected events.
Supported Modes: single mode and system context in multi mode, routed/transparent.
Output:
Active event list:
Event client          alert-group     severity   active (sec)
--------------------------------------------------------------------
Configuration Client  configuration   none       5
Inventory             inventory       none       15

The following is sample output from the cluster exec show call-home statistics command and displays call-home statistics for a cluster:

ciscoasa(config)# cluster exec show call-home statistics
A(LOCAL):*************************************************************
Message Types                        Total              Email              HTTP
-----------------------------------  -----------------  -----------------  -----------------
Total Success                        3                  3                  0
  test                               3                  3                  0
Total In-Delivering                  0                  0                  0
Total In-Queue                       0                  0                  0
Total Dropped                        8                  8                  0
  Tx Failed                          8                  8                  0
    configuration                    2                  2                  0
    test                             6                  6                  0

Event Types                          Total
-----------------------------------  -----------------
Total Detected                       10
  configuration                      1
  test                               9
Total In-Processing                  0
Total In-Queue                       0
Total Dropped                        0

Last call-home message sent time: 2013-04-15 05:37:16 GMT+00:00

B:********************************************************************
Message Types                        Total              Email              HTTP
-----------------------------------  -----------------  -----------------  -----------------
Total Success                        1                  1                  0
  test                               1                  1                  0
Total In-Delivering                  0                  0                  0
Total In-Queue                       0                  0                  0
Total Dropped                        2                  2                  0
  Tx Failed                          2                  2                  0
    configuration                    2                  2                  0

Event Types                          Total
-----------------------------------  -----------------
Total Detected                       2
  configuration                      1
  test                               1
Total In-Processing                  0
Total In-Queue                       0
Total Dropped                        0

Last call-home message sent time: 2013-04-15 05:36:16 GMT+00:00

C:********************************************************************
Message Types                        Total              Email              HTTP
-----------------------------------  -----------------  -----------------  -----------------
Total Success                        0                  0                  0
Total In-Delivering                  0                  0                  0
Total In-Queue                       0                  0                  0
Total Dropped                        2                  2                  0
  Tx Failed                          2                  2                  0
    configuration                    2                  2                  0

Event Types                          Total
-----------------------------------  -----------------
Total Detected                       1
  configuration                      1
Total In-Processing                  0
Total In-Queue                       0
Total Dropped                        0

Last call-home message sent time: n/a

D:********************************************************************
Message Types                        Total              Email              HTTP
-----------------------------------  -----------------  -----------------  -----------------
Total Success                        1                  1                  0
  test                               1                  1                  0
Total In-Delivering                  0                  0                  0
Total In-Queue                       0                  0                  0
Total Dropped                        2                  2                  0
  Tx Failed                          2                  2                  0
    configuration                    2                  2                  0

Event Types                          Total
-----------------------------------  -----------------
Total Detected                       2
  configuration                      1
  test                               1
Total In-Processing                  0
Total In-Queue                       0
Total Dropped                        0

Last call-home message sent time: 2013-04-15 05:35:34 GMT+00:00
ciscoasa(config)#

Related Commands
Command                      Description
call-home                    Enters call home configuration mode.
call-home send alert-group   Sends a specific alert group message.
service call-home            Enables or disables Call Home.

show call-home registered-module status

To display the registered module status, use the show call-home registered-module status command in privileged EXEC mode.

show call-home registered-module status [all]

Note: The [all] option is only valid in system context mode.

Syntax Description
all   Displays module status based on the device, not per context. In multiple context mode, if a module is enabled in at least one context, it is displayed as enabled if the “all” option is included.

Defaults
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:

Command Mode: Privileged EXEC
Firewall Mode:    Routed: Yes    Transparent: Yes
Security Context: Single: Yes    Multiple (Context): —    Multiple (System): Yes

Command History
Release   Modification
8.2(2)    This command was added.

Examples
The following example displays the show call-home registered-module status all output:

Output:
Module Name                              Status
---------------------------------------- --------------------
Smart Call-Home                          enabled
Failover                                 Standby/Active

Related Commands
Command                      Description
call-home                    Enters call-home configuration mode.
call-home send alert-group Sends a specific alert group message. service call-home Enables or disables Call Home. Cisco ASA Series Command Reference, S Commands 4-101 Chapter show capture To display the capture configuration when no options are specified, use the show capture command in privileged EXEC mode. [cluster exec] show capture [capture_name] [access-list access_list_name] [count number] [decode] [detail] [dump] [packet-number number] Syntax Description access-list (Optional) Displays information for packets that are based on IP or higher fields access_list_name for the specific access list identification. capture_name (Optional) Specifies the name of the packet capture. cluster exec (Optional) In a clustering environment, enables you to issue the show capture command in one unit and run the command in all the other units at the same time. count number (Optional) Displays the number of packets specified data. decode This option is useful when a capture of type isakmp is applied to an interface. All ISAKMP data flowing through that interface will be captured after decryption and shown with more information after decoding the fields. detail (Optional) Displays additional protocol information for each packet. dump (Optional) Displays a hexadecimal dump of the packets that are transported over the data link. packet-number number Starts the display at the specified packet number. Defaults This command has no default settings. Command Modes The following table shows the modes in which you can enter the command: Firewall Mode Security Context Multiple Command Mode Routed Privileged EXEC Command History • Release Modification 7.0(1) This command was added. • Yes • Yes Context • Yes 8.4(2) Detailed information in the output for IDS was added. 9.0(1) The cluster exec option was added. 9.2(1) The vpn-user domain name was changed to filter-aaa in the output. 9.3(1) Output for SGT plus Ethernet Tagging was added. 
Usage Guidelines
  If you specify the capture_name, then the capture buffer contents for that capture are displayed.

  The dump keyword does not display MAC information in the hexadecimal dump.

  The decoded output of the packets depends on the protocol of the packet. In Table 4-29, the bracketed output is displayed when you specify the detail keyword.

  Table 4-29   Packet Capture Output Formats

  Packet Type   Capture Output Format
  802.1Q        HH:MM:SS.ms [ether-hdr] VLAN-info encap-ether-packet
  ARP           HH:MM:SS.ms [ether-hdr] arp-type arp-info
  IP/ICMP       HH:MM:SS.ms [ether-hdr] ip-source > ip-destination: icmp: icmp-type icmp-code [checksum-failure]
  IP/UDP        HH:MM:SS.ms [ether-hdr] src-addr.src-port dest-addr.dst-port: [checksum-info] udp payload-len
  IP/TCP        HH:MM:SS.ms [ether-hdr] src-addr.src-port dest-addr.dst-port: tcp-flags [header-check] [checksum-info] sequence-number ack-number tcp-window urgent-info tcp-options
  IP/Other      HH:MM:SS.ms [ether-hdr] src-addr dest-addr: ip-protocol ip-length
  Other         HH:MM:SS.ms ether-hdr: hex-dump

  If the ASA receives packets with an incorrectly formatted TCP header and drops them because of the ASP drop reason invalid-tcp-hdr-length, the show capture command output on the interface where those packets are received does not show those packets.
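The following Python parser is an added example, not Cisco's code: it reads packet lines in the Table 4-29 formats (ARP, IP/ICMP, IP/UDP, IP/TCP) together with the optional leading packet index and the INLINE-TAG prefix that appears when SGT plus Ethernet tagging is enabled, and summarizes a whole listing by packet type and SGT. The sample listing is constructed from the ARP and INLINE-TAG lines shown in this entry plus one TCP and one UDP line written for the demonstration; the ">" between addresses, which the table leaves implicit, is accepted as optional.

```python
"""Parse the packet lines of Cisco ASA 'show capture <name>' output (added example)."""
import re
from collections import Counter

# Every packet line starts with HH:MM:SS.ms; the "N: " index and the
# "INLINE-TAG <sgt>" prefix (SGT plus Ethernet tagging) are optional.
_LINE = re.compile(
    r"^(?:(?P<index>\d+):\s+)?"
    r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:INLINE-TAG\s+(?P<sgt>\d+)\s+)?"
    r"(?P<rest>.*)$"
)
# ARP: "arp who-has <target> tell <sender>" / "arp reply <addr> is-at <mac>"
_ARP = re.compile(r"^arp\s+(?P<arp_type>who-has|reply)\s+(?P<info>.+)$")
# IP/ICMP: "<src> > <dst>: icmp: <icmp-type icmp-code> [checksum-failure]"
_ICMP = re.compile(r"^(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):\s+icmp:\s+(?P<desc>.+)$")
# IP/UDP and IP/TCP: "<src>.<sport> [>] <dst>.<dport>: udp <len>" or "... <tcp-flags> ..."
_L4 = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+(?:>\s+)?"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<body>.+)$"
)


def parse_capture_line(line):
    """Return a dict for one packet line, or None for non-packet lines such as
    the 'N packets captured' / 'N packets shown' summary lines."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    pkt = {
        "timestamp": m.group("ts"),
        "index": int(m.group("index")) if m.group("index") else None,
        "sgt": int(m.group("sgt")) if m.group("sgt") else None,
    }
    rest = m.group("rest")
    a = _ARP.match(rest)
    if a:
        pkt.update(type="ARP", arp_type=a.group("arp_type"), arp_info=a.group("info"))
        return pkt
    i = _ICMP.match(rest)
    if i:
        desc = i.group("desc").strip()
        pkt.update(type="IP/ICMP", src=i.group("src"), dst=i.group("dst"),
                   icmp=desc, checksum_failure="checksum-failure" in desc)
        return pkt
    l4 = _L4.match(rest)
    if l4:
        body = l4.group("body")
        pkt.update(src=l4.group("src"), sport=int(l4.group("sport")),
                   dst=l4.group("dst"), dport=int(l4.group("dport")),
                   type="IP/UDP" if re.search(r"\budp\b", body) else "IP/TCP")
        return pkt
    pkt["type"] = "Other"  # 802.1Q, IP/Other and raw hex-dump lines
    return pkt


def summarize_capture(text):
    """Count packets per type and per SGT across a whole show capture listing."""
    packets = [p for p in map(parse_capture_line, text.splitlines()) if p]
    return {
        "packets": len(packets),
        "by_type": Counter(p["type"] for p in packets),
        "by_sgt": Counter(p["sgt"] for p in packets if p["sgt"] is not None),
        "checksum_failures": sum(1 for p in packets if p.get("checksum_failure")),
    }


# Constructed sample: the ARP and SGT-tagged ICMP lines from this entry's
# Examples plus one TCP and one UDP line written for this demonstration.
SAMPLE_CAPTURE = """\
6 packets captured
19:12:23.478429 arp who-has 171.69.38.89 tell 171.69.38.10
19:12:26.784294 arp who-has 171.69.38.89 tell 171.69.38.10
1: 11:34:42.931012 INLINE-TAG 36 10.0.101.22 > 11.0.101.100: icmp: echo request
2: 11:34:42.931470 INLINE-TAG 48 11.0.101.100 > 10.0.101.22: icmp: echo reply
3: 11:34:43.100000 10.0.101.22.44321 > 11.0.101.100.443: S 1000:1000(0) win 8192
4: 11:34:43.200000 10.0.101.22.51000 > 11.0.101.100.53: udp 45
6 packets shown
"""

if __name__ == "__main__":
    print(summarize_capture(SAMPLE_CAPTURE))
```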
Examples
  This example shows how to display the capture configuration:

  ciscoasa(config)# show capture
  capture arp ethernet-type arp interface outside
  capture http access-list http packet-length 74 interface inside

  This example shows how to display the packets that are captured by an ARP capture:

  ciscoasa(config)# show capture arp
  2 packets captured
  19:12:23.478429 arp who-has 171.69.38.89 tell 171.69.38.10
  19:12:26.784294 arp who-has 171.69.38.89 tell 171.69.38.10
  2 packets shown

  The following example shows how to display the packets that are captured on a single unit in a clustering environment:

  ciscoasa(config)# show capture
  capture 1 cluster type raw-data interface primary interface cluster [Buffer Full - 524187 bytes]
  capture 2 type raw-data interface cluster [Capturing - 232354 bytes]

  The following example shows how to display the packets that are captured on all units in a clustering environment:

  ciscoasa(config)# cluster exec show capture
  mycapture (LOCAL):----------------------------------------------------------
  capture 1 type raw-data interface primary [Buffer Full - 524187 bytes]
  capture 2 type raw-data interface cluster [Capturing - 232354 bytes]

  yourcapture:---------------------------------------------------------------
  capture 1 type raw-data interface primary [Capturing - 191484 bytes]
  capture 2 type raw-data interface cluster [Capturing - 532354 bytes]

  The following example shows the packets that are captured on the cluster control link in a clustering environment after the following commands are entered:

  ciscoasa(config)# capture a interface cluster
  ciscoasa(config)# capture cp interface cluster match udp any eq 49495 any
  ciscoasa(config)# capture cp interface cluster match udp any any eq 49495
  ciscoasa(config)# access-list cc1 extended permit udp any any eq 4193
  ciscoasa(config)# access-list cc1 extended permit udp any eq 4193 any
  ciscoasa(config)# capture dp interface cluster access-list cc1
  ciscoasa(config)# capture lacp type lacp interface gigabitEthernet 0/0

  ciscoasa(config)# show capture
  capture a type raw-data interface cluster [Capturing - 970 bytes]
  capture cp type raw-data interface cluster [Capturing - 26236 bytes]
    match udp any eq 49495 any
  capture dp type raw-data access-list cc1 interface cluster [Capturing - 4545230 bytes]
  capture lacp type lacp interface gigabitEthernet0/0 [Capturing - 140 bytes]

  The following example shows the packets that are captured when SGT plus Ethernet tagging has been enabled on an interface:

  ciscoasa(config)# show capture my-inside-capture
  1: 11:34:42.931012 INLINE-TAG 36 10.0.101.22 > 11.0.101.100: icmp: echo request
  2: 11:34:42.931470 INLINE-TAG 48 11.0.101.100 > 10.0.101.22: icmp: echo reply
  3: 11:34:43.932553 INLINE-TAG 36 10.0.101.22 > 11.0.101.100: icmp: echo request
  4: 11:34:43.933164 INLINE-TAG 48 11.0.101.100 > 10.0.101.22: icmp: echo reply

  When SGT plus Ethernet tagging has been enabled on an interface, the interface can still receive tagged or untagged packets. The example shown is for tagged packets, which have INLINE-TAG 36 in the output. When the same interface receives untagged packets, the output remains unchanged (that is, no "INLINE-TAG 36" entry is included in the output).

Related Commands
  Command         Description
  capture         Enables packet capture capabilities for packet sniffing and network fault isolation.
  clear capture   Clears the capture buffer.
  copy capture    Copies a capture file to a server.

show chardrop
  To display the count of characters dropped from the serial console, use the show chardrop command in privileged EXEC mode.

  show chardrop

Syntax Description
  This command has no arguments or keywords.

Defaults
  No default behavior or values.
Command Modes
  The following table shows the modes in which you can enter the command:

                       Firewall Mode            Security Context
                                                          Multiple
  Command Mode         Routed   Transparent   Single   Context   System
  Privileged EXEC      • Yes    • Yes         • Yes    • Yes     • Yes

Command History
  Release   Modification
  7.2(1)    This command was added.

Examples
  The following is sample output from the show chardrop command:

  ciscoasa# show chardrop
  Chars dropped pre-TxTimeouts: 0, post-TxTimeouts: 0

Related Commands
  Command               Description
  show running-config   Shows the current operating configuration.

show checkheaps
  To show the checkheaps statistics, use the show checkheaps command in privileged EXEC mode. Checkheaps is a periodic process that verifies the sanity of the heap memory buffers (dynamic memory is allocated from the system heap memory region) and the integrity of the code region.

  show checkheaps

Syntax Description
  This command has no arguments or keywords.

Defaults
  No default behavior or values.

Command Modes
  The following table shows the modes in which you can enter the command:

                       Firewall Mode            Security Context
                                                          Multiple
  Command Mode         Routed   Transparent   Single   Context   System
  Privileged EXEC      • Yes    • Yes         • Yes    —         • Yes

Command History
  Release   Modification
  7.0(1)    This command was added.

Examples
  The following is sample output from the show checkheaps command:

  ciscoasa# show checkheaps
  Checkheaps stats from buffer validation runs
  --------------------------------------------
  Time elapsed since last run   : 42 secs
  Duration of last run          : 0 millisecs
  Number of buffers created     : 8082
  Number of buffers allocated   : 7808
  Number of buffers free        : 274
  Total memory in use           : 43570344 bytes
  Total memory in free buffers  : 87000 bytes
  Total number of runs          : 310

Related Commands
  Command      Description
  checkheaps   Sets the checkheap verification intervals.
show checksum
  To display the configuration checksum, use the show checksum command in privileged EXEC mode.

  show checksum

Syntax Description
  This command has no arguments or keywords.

Defaults
  This command has no default settings.

Command Modes
  The following table shows the modes in which you can enter the command:

                       Firewall Mode            Security Context
                                                          Multiple
  Command Mode         Routed   Transparent   Single   Context   System
  Privileged EXEC      • Yes    • Yes         • Yes    • Yes     —

Command History
  Release   Modification
  7.2(1)    This command was added.

Usage Guidelines
  The show checksum command allows you to display four groups of hexadecimal numbers that act as a digital summary of the configuration contents. This checksum is calculated only when you store the configuration in flash memory.

  If a dot (".") appears before the checksum in the show config or show checksum command output, the output indicates a normal configuration load or write mode indicator (when loading from or writing to the ASA flash partition). The "." shows that the ASA is preoccupied with the operation but is not "hung up." This message is similar to a "system processing, please wait" message.

Examples
  This example shows how to display the configuration checksum:

  ciscoasa(config)# show checksum
  Cryptochecksum: 1a2833c0 129ac70b 1a88df85 650dbb81

show chunkstat
  To display the chunk statistics, use the show chunkstat command in privileged EXEC mode.

  show chunkstat

Syntax Description
  This command has no arguments or keywords.

Defaults
  No default behavior or values.

Command Modes
  The following table shows the modes in which you can enter the command:

                       Firewall Mode            Security Context
                                                          Multiple
  Command Mode         Routed   Transparent   Single   Context   System
  Privileged EXEC      • Yes    • Yes         • Yes    —         • Yes

Command History
  Release   Modification
  7.0(1)    This command was added.
Examples
  This example shows how to display the chunk statistics:

  ciscoasa# show chunkstat
  Global chunk statistics: created 181, destroyed 34, siblings created 94, siblings destroyed 34

  Per-chunk statistics: siblings created 0, siblings trimmed 0
  Dump of chunk at 01edb4cc, name "Managed Chunk Queue Elements", data start @ 01edbd24, end @ 01eddc54
  next: 01eddc8c, next_sibling: 00000000, prev_sibling: 00000000
  flags 00000001
  maximum chunk elt's: 499, elt size: 16, index first free 498
  # chunks in use: 1, HWM of total used: 1, alignment: 0

  Per-chunk statistics: siblings created 0, siblings trimmed 0
  Dump of chunk at 01eddc8c, name "Registry Function List", data start @ 01eddea4, end @ 01ede348
  next: 01ede37c, next_sibling: 00000000, prev_sibling: 00000000
  flags 00000001
  maximum chunk elt's: 99, elt size: 12, index first free 42
  # chunks in use: 57, HWM of total used: 57, alignment: 0

Related Commands
  Command         Description
  show counters   Displays the protocol stack counters.
  show cpu        Displays the CPU utilization information.

show class
  To show the contexts assigned to a class, use the show class command in privileged EXEC mode.

  show class name

Syntax Description
  name   Specifies the name as a string up to 20 characters long. To show the default class, enter default for the name.

Defaults
  No default behavior or values.

Command Modes
  The following table shows the modes in which you can enter the command:

                       Firewall Mode            Security Context
                                                          Multiple
  Command Mode         Routed   Transparent   Single   Context   System
  Privileged EXEC      • Yes    • Yes         —        —         • Yes

Command History
  Release   Modification
  7.2(1)    This command was added.

Examples
  The following is sample output from the show class default command:

  ciscoasa# show class default
  Class Name   Members   ID   Flags
  default      All       1    0001

Related Commands
  Command                 Description
  class                   Configures a resource class.
  clear configure class   Clears the class configuration.
  context                 Configures a security context.
  limit-resource          Sets the resource limit for a class.
  member                  Assigns a context to a resource class.

show clns
  To show Connectionless-mode Network Service (CLNS) information for IS-IS, use the show clns command in privileged EXEC mode.

  show clns {filter-set | interface [interface_name] | is-neighbors [interface_name] [detail] | neighbors [areas] [interface_name] [detail] | protocol [domain] | traffic [since {bootup | show}]}

Syntax Description
  areas            (Optional) Shows CLNS multiarea adjacencies.
  bootup           Shows CLNS protocol statistics since bootup.
  detail           (Optional) Shows the areas associated with the intermediate systems. Otherwise, a summary display is provided.
  domain           (Optional) Shows routing protocol process information for a CLNS domain.
  filter-set       Shows CLNS filter sets.
  interface        Shows CLNS interface status and configuration.
  interface_name   (Optional) Specifies the interface name.
  is-neighbors     Shows IS neighbor adjacencies. Neighbor entries are sorted according to the area in which they are located.
  neighbors        Displays end system (ES), intermediate system (IS), and multitopology Integrated Intermediate System-to-Intermediate System (M-ISIS) neighbors.
  protocol         Shows CLNS routing protocol process information. There will always be at least two routing processes, a Level 1 and a Level 2, and there can be more.
  show             Shows CLNS protocol statistics since the last time you used this show command.
  since            (Optional) Shows CLNS protocol statistics since either bootup or the last time you used this show command.
  traffic          Lists the CLNS packets that this router has seen.

Command Default
  No default behavior or values.

Command Modes
  The following table shows the modes in which you can enter the command:

                       Firewall Mode            Security Context
                                                          Multiple
  Command Mode         Routed   Transparent   Single   Context   System
  Privileged EXEC      • Yes    —             • Yes    • Yes     —

Command History
  Release   Modification
  9.6(1)    We introduced this command.
Usage Guidelines
  This command shows CLNS information for IS-IS.

Examples
  The following display assumes filter sets have been defined with the following commands:

  ciscoasa(config)# clns filter-set US-OR-NORDUNET 47.0005...
  ciscoasa(config)# clns filter-set US-OR-NORDUNET 47.0023...
  ciscoasa(config)# clns filter-set LOCAL 49.0003...

  The following is a sample output from the show clns filter-set command:

  ciscoasa# show clns filter-set
  CLNS filter set US-OR-NORDUNET
    permit 47.0005...
    permit 47.0023...
  CLNS filter set LOCAL
    permit 49.0003...

  The following is sample output from the show clns interface command that includes information for Token Ring and serial interfaces:

  ciscoasa# show clns interface
  GigabitEthernet0/1 is up, line protocol is up
    Checksums enabled, MTU 1500
    ERPDUs enabled, min. interval 10 msec.
    DEC compatibility mode OFF for this interface
    Next ESH/ISH in 0 seconds
    Routing Protocol: IS-IS
      Circuit Type: level-1-2
      Interface number 0x0, local circuit ID 0x1
      Level-1 Metric: 10, Priority: 64, Circuit ID: c2.01
      DR ID: c2.01
      Level-1 IPv6 Metric: 10
      Number of active level-1 adjacencies: 3
      Level-2 Metric: 10, Priority: 64, Circuit ID: c2.01
      DR ID: c2.01
      Level-2 IPv6 Metric: 10
      Number of active level-2 adjacencies: 3
      Next IS-IS LAN Level-1 Hello in 1 seconds
      Next IS-IS LAN Level-2 Hello in 1 seconds

  Table 4-30   show clns interface fields

  Field                                           Description
  GigabitEthernet0/1 is up, line protocol is up   Shown to be up, and the line protocol is up.
  Checksums enabled                               Can be enabled or disabled.
  MTU                                             The number following maximum transmission unit (MTU) is the maximum transmission size for a packet on this interface.
  ERPDUs                                          Displays information about the generation of error protocol data units (ERPDUs). They can be either enabled or disabled. If they are enabled, they are sent out no more frequently than the specified interval.
  RDPDUs                                          Provides information about the generation of redirect protocol data units (RDPDUs). They can be either enabled or disabled. If they are enabled, they are sent out no more frequently than the specified interval. If the address mask is enabled, redirects are sent out with an address mask.
  Congestion Experienced                          Tells when CLNS will turn on the congestion experienced bit. The default is to turn this bit on when there are more than four packets in a queue.
  DEC compatibility mode                          Indicates whether Digital Equipment Corporation (DEC) compatibility has been enabled.
  Next ESH/ISH                                    Displays when the next end system (ES) hello or intermediate system (IS) hello will be sent on this interface.
  Routing Protocol                                Lists the areas that this interface is in. In most cases, an interface will be in only one area.
  Circuit Type                                    Indicates whether the interface has been configured for local routing (level 1), area routing (level 2), or local and area routing (level 1-2).
  Interface number, local circuit ID; Level-1 Metric; DR ID; Level-1 IPv6 Metric; Number of active level-1 adjacencies; Level-2 Metric; DR ID; Level-2 IPv6 Metric; Number of active level-2 adjacencies; Next IS-IS LAN Level-1; Next IS-IS LAN Level-2
                                                  Last series of fields displays information pertaining to Intermediate System-to-Intermediate System (IS-IS). For IS-IS, the Level 1 and Level 2 metrics, priorities, circuit IDs, and number of active Level 1 and Level 2 adjacencies are specified.
  BFD enabled                                     BFD has been enabled on the interface.

  The following is sample output from the show clns is-neighbors command:

  ciscoasa# show clns is-neighbors
  System Id   Interface   State   Type   Priority   Circuit Id    Format
  CSR7001     inside      Up      L1L2   64/64      ciscoasa.01   Phase V
  CSR7002     inside      Up      L1L2   64/64      ciscoasa.01   Phase V

  Table 4-31   show clns is-neighbors Fields

  Field        Description
  System Id    Identification value of the system.
  Interface    Interface on which the router was discovered.
  State        Adjacency state. Up and Init are the states. See the show clns neighbors description.
  Type         L1, L2, and L1L2 type adjacencies. See the show clns neighbors description.
  Priority     IS-IS priority that the respective neighbor is advertising. The highest priority neighbor is elected the designated IS-IS router for the interface.
  Circuit Id   Neighbor's idea of what the designated IS-IS router is for the interface.
  Format       Indicates if the neighbor is either a Phase V (OSI) adjacency or Phase IV (DECnet) adjacency.

  The following is sample output from the show clns is-neighbors detail command:

  ciscoasa# show clns is-neighbors detail
  System Id   Interface   State   Type   Priority   Circuit Id    Format
  CSR7001     inside      Up      L1L2   64/64      ciscoasa.01   Phase V
    Area Address(es): 49.0001
    IP Address(es): 1.3.3.3*
    Uptime: 00:12:49
    NSF capable
    Interface name: inside
  CSR7002     inside      Up      L1L2   64/64      ciscoasa.01   Phase V
    Area Address(es): 49.0001
    IP Address(es): 20.3.3.3*
    Uptime: 00:12:50
    NSF capable
    Interface name: inside

  The following is sample output from the show clns neighbors detail command:

  ciscoasa# show clns neighbors detail
  System Id   Interface   SNPA             State   Holdtime   Type   Protocol
  CSR7001     inside      000c.2921.ff44   Up      26         L1L2
    Area Address(es): 49.0001
    IP Address(es): 1.3.3.3*
    Uptime: 01:16:33
    NSF capable
    Interface name: inside
  CSR7002     inside      000c.2906.491c   Up      27         L1L2
    Area Address(es): 49.0001
    IP Address(es): 20.3.3.3*
    Uptime: 01:16:33
    NSF capable
    Interface name: inside

  The following is sample output from the show clns neighbors command:

  ciscoasa# show clns neighbors
  System Id   Interface   SNPA             State   Holdtime   Type   Protocol
  CSR7001     inside      000c.2921.ff44   Up      29         L1L2
  CSR7002     inside      000c.2906.491c   Up      27         L1L2

  Table 4-32   show clns neighbors Fields

  Field       Description
  System Id   Six-byte value that identifies a system in an area.
  Interface   Interface name from which the system was learned.
  SNPA        Subnetwork Point of Attachment. This is the data-link address.
  State       State of the ES, IS, or M-ISIS.
              • Init—System is an IS and is waiting for an IS-IS hello message. IS-IS regards the neighbor as not adjacent.
              • Up—Believes the ES or IS is reachable.
  Holdtime    Number of seconds before this adjacency entry times out.
  Type        The adjacency type. Possible values are as follows:
              • ES—End-system adjacency either discovered via the ES-IS protocol or statically configured.
              • IS—Router adjacency either discovered via the ES-IS protocol or statically configured.
              • M-ISIS—Router adjacency discovered via the multitopology IS-IS protocol.
              • L1—Router adjacency for Level 1 routing only.
              • L1L2—Router adjacency for Level 1 and Level 2 routing.
              • L2—Router adjacency for Level 2 only.
  Protocol    Protocol through which the adjacency was learned. Valid protocol sources are ES-IS, IS-IS, ISO IGRP, Static, DECnet, and M-ISIS.

  The following is sample output from the show clns protocol command:

  ciscoasa# show clns protocol
  IS-IS Router
    System Id: 0050.0500.5008.00  IS-Type: level-1-2
    Manual area address(es):
      49.0001
    Routing for area address(es):
      49.0001
    Interfaces supported by IS-IS:
      outside - IP
    Redistribute:
      static (on by default)
    Distance for L2 CLNS routes: 110
    RRR level: none
    Generate narrow metrics: level-1-2
    Accept narrow metrics:   level-1-2
    Generate wide metrics:   none
    Accept wide metrics:     none

  The following is sample output from the show clns traffic command:

  ciscoasa# show clns traffic
  CLNS: Time since last clear: never
  CLNS & ESIS Output: 0, Input: 8829
  CLNS Local: 0, Forward: 0
  CLNS Discards:
    Hdr Syntax: 0, Checksum: 0, Lifetime: 0, Output cngstn: 0
    No Route: 0, Discard Route: 0, Dst Unreachable 0, Encaps. Failed: 0
    NLP Unknown: 0, Not an IS: 0
  CLNS Options: Packets 0, total 0 , bad 0, GQOS 0, cngstn exprncd 0
  CLNS Segments: Segmented: 0, Failed: 0
  CLNS Broadcasts: sent: 0, rcvd: 0
  Echos: Rcvd 0 requests, 0 replies
         Sent 0 requests, 0 replies
  ESIS(sent/rcvd): ESHs: 0/0, ISHs: 0/0, RDs: 0/0, QCF: 0/0
  Tunneling (sent/rcvd): IP: 0/0, IPv6: 0/0
  Tunneling dropped (rcvd) IP/IPV6: 0
  ISO-IGRP: Querys (sent/rcvd): 0/0 Updates (sent/rcvd): 0/0
  ISO-IGRP: Router Hellos: (sent/rcvd): 0/0
  ISO-IGRP Syntax Errors: 0
  IS-IS: Time since last clear: never
  IS-IS: Level-1 Hellos (sent/rcvd): 1928/1287
  IS-IS: Level-2 Hellos (sent/rcvd): 1918/1283
  IS-IS: PTP Hellos (sent/rcvd): 0/0
  IS-IS: Level-1 LSPs sourced (new/refresh): 7/13
  IS-IS: Level-2 LSPs sourced (new/refresh): 7/14
  IS-IS: Level-1 LSPs flooded (sent/rcvd): 97/2675
  IS-IS: Level-2 LSPs flooded (sent/rcvd): 73/2628
  IS-IS: LSP Retransmissions: 0
  IS-IS: Level-1 CSNPs (sent/rcvd): 642/0
  IS-IS: Level-2 CSNPs (sent/rcvd): 639/0
  IS-IS: Level-1 PSNPs (sent/rcvd): 0/554
  IS-IS: Level-2 PSNPs (sent/rcvd): 0/390
  IS-IS: Level-1 DR Elections: 1
  IS-IS: Level-2 DR Elections: 1
  IS-IS: Level-1 SPF Calculations: 9
  IS-IS: Level-2 SPF Calculations: 8
  IS-IS: Level-1 Partial Route Calculations: 0
  IS-IS: Level-2 Partial Route Calculations: 0
  IS-IS: LSP checksum errors received: 0
  IS-IS: Update process queue depth: 0/200
  IS-IS: Update process packets dropped: 0

  Table 4-33   show clns traffic Fields

  Field           Description
  CLNS & ESIS Output   Total number of packets that this router has sent.
  Input           Total number of packets that this router has received.
  CLNS Local      Lists the number of packets that were generated by this router.
  Forward         Lists the number of packets that this router has forwarded.
  CLNS Discards   Lists the packets that CLNS has discarded, along with the reason for the discard.
  CLNS Options    Lists the options seen in CLNS packets.
  CLNS Segments   Lists the number of packets segmented and the number of failures that occurred because a packet could not be segmented.
  CLNS Broadcasts   Lists the number of CLNS broadcasts sent and received.
  Echos           Lists the number of echo request packets and echo reply packets received. The line following this field lists the number of echo request packets and echo reply packets sent.
  ESIS (sent/rcvd)   Lists the number of End System Hello (ESH), Intermediate System Hello (ISH), and redirects sent and received.
  ISO IGRP        Lists the number of ISO Interior Gateway Routing Protocol (IGRP) queries and updates sent and received.
  Router Hellos   Lists the number of ISO IGRP router hello packets sent and received.
  IS-IS: Level-1 hellos (sent/rcvd)   Lists the number of Level 1 IS-IS hello packets sent and received.
  IS-IS: Level-2 hellos (sent/rcvd)   Lists the number of Level 2 IS-IS hello packets sent and received.
  IS-IS: PTP hellos (sent/rcvd)       Lists the number of point-to-point IS-IS hello packets sent and received over serial links.
  IS-IS: Level-1 LSPs (sent/rcvd)     Lists the number of Level 1 link-state Protocol Data Units (PDUs) sent and received.
  IS-IS: Level-2 LSPs (sent/rcvd)     Lists the number of Level 2 link-state PDUs sent and received.
  IS-IS: Level-1 CSNPs (sent/rcvd)    Lists the number of Level 1 Complete Sequence Number Packets (CSNP) sent and received.
  IS-IS: Level-2 CSNPs (sent/rcvd)    Lists the number of Level 2 CSNPs sent and received.
  IS-IS: Level-1 PSNPs (sent/rcvd)    Lists the number of Level 1 Partial Sequence Number Packets (PSNP) sent and received.
  IS-IS: Level-2 PSNPs (sent/rcvd)    Lists the number of Level 2 PSNPs sent and received.
  IS-IS: Level-1 DR Elections         Lists the number of times Level 1 designated router election occurred.
  IS-IS: Level-2 DR Elections         Lists the number of times Level 2 designated router election occurred.
  IS-IS: Level-1 SPF Calculations     Lists the number of times the Level 1 shortest-path-first (SPF) tree was computed.
  IS-IS: Level-2 SPF Calculations     Lists the number of times the Level 2 SPF tree was computed.

Related Commands
  Command                        Description
  advertise passive-only         Configures the ASA to advertise passive interfaces.
  area-password                  Configures an IS-IS area authentication password.
  authentication key             Enables authentication for IS-IS globally.
  authentication mode            Specifies the type of authentication mode used in IS-IS packets for the IS-IS instance globally.
  authentication send-only       Configures the IS-IS instance globally to have authentication performed only on IS-IS packets being sent (not received).
  clear isis                     Clears IS-IS data structures.
  default-information originate  Generates a default route into an IS-IS routing domain.
  distance                       Defines the administrative distance assigned to routes discovered by the IS-IS protocol.
  domain-password                Configures an IS-IS domain authentication password.
  fast-flood                     Configures IS-IS LSPs to be full.
  hello padding                  Configures IS-IS hellos to the full MTU size.
  hostname dynamic               Enables IS-IS dynamic hostname capability.
  ignore-lsp-errors              Configures the ASA to ignore IS-IS LSPs that are received with internal checksum errors rather than purging the LSPs.
  isis adjacency-filter          Filters the establishment of IS-IS adjacencies.
  isis advertise-prefix          Advertises IS-IS prefixes of connected networks in LSP advertisements on an IS-IS interface.
  isis authentication key        Enables authentication for an interface.
  isis authentication mode       Specifies the type of authentication mode used in IS-IS packets for the IS-IS instance per interface.
  isis authentication send-only  Configures the IS-IS instance per interface to have authentication performed only on IS-IS packets being sent (not received).
  isis circuit-type              Configures the type of adjacency used for the IS-IS.
  isis csnp-interval             Configures the interval at which periodic CSNP packets are sent on broadcast interfaces.
  isis hello-interval            Specifies the length of time between consecutive hello packets sent by IS-IS.
  isis hello-multiplier          Specifies the number of IS-IS hello packets a neighbor must miss before the ASA declares the adjacency as down.
  isis hello padding             Configures IS-IS hellos to the full MTU size per interface.
  isis lsp-interval              Configures the time delay between successive IS-IS LSP transmissions per interface.
  isis metric                    Configures the value of an IS-IS metric.
  isis password                  Configures the authentication password for an interface.
  isis priority                  Configures the priority of designated ASAs on the interface.
  isis protocol shutdown         Disables the IS-IS protocol per interface.
  isis retransmit-interval       Configures the amount of time between retransmission of each IS-IS LSP on the interface.
  isis retransmit-throttle-interval   Configures the amount of time between retransmissions of each IS-IS LSP on the interface.
  isis tag                       Sets a tag on the IP address configured for an interface when the IP prefix is put into an LSP.
  is-type                        Assigns the routing level for the IS-IS routing process.
  log-adjacency-changes          Enables the ASA to generate a log message when an NLSP IS-IS adjacency changes state (up or down).
  lsp-full suppress              Configures which routes are suppressed when the PDU becomes full.
  lsp-gen-interval               Customizes IS-IS throttling of LSP generation.
  lsp-refresh-interval           Sets the LSP refresh interval.
  max-area-addresses             Configures additional manual addresses for an IS-IS area.
  max-lsp-lifetime               Sets the maximum time that LSPs persist in the ASA's database without being refreshed.
  maximum-paths                  Configures multi-path load sharing for IS-IS.
  metric                         Globally changes the metric value for all IS-IS interfaces.
  metric-style                   Configures an ASA running IS-IS so that it generates and only accepts new-style type, length, value objects (TLVs).
  net                            Specifies the NET for the routing process.
  passive-interface              Configures a passive interface.
  prc-interval                   Customizes IS-IS throttling of PRCs.
  protocol shutdown              Disables the IS-IS protocol globally so that it cannot form any adjacency on any interface and will clear the LSP database.
  redistribute isis              Redistributes IS-IS routes specifically from Level 1 into Level 2 or from Level 2 into Level 1.
  route priority high            Assigns a high priority to an IS-IS IP prefix.
  router isis                    Enables IS-IS routing.
  set-attached-bit               Specifies constraints for when a Level 1-Level 2 router should set its attached bit.
  set-overload-bit               Configures the ASA to signal other routers not to use it as an intermediate hop in their SPF calculations.
  show isis                      Shows IS-IS information.
  show route isis                Shows IS-IS routes.
  spf-interval                   Customizes IS-IS throttling of SPF calculations.
  summary-address                Creates aggregate addresses for IS-IS.

show clock
  To view the time on the ASA, use the show clock command in user EXEC mode.

  show clock [detail]

Syntax Description
  detail   (Optional) Indicates the clock source (NTP or user configuration) and the current summer-time setting (if any).

Defaults
  No default behavior or values.

Command Modes
  The following table shows the modes in which you can enter the command:

                       Firewall Mode            Security Context
                                                          Multiple
  Command Mode         Routed   Transparent   Single   Context   System
  User EXEC            • Yes    • Yes         • Yes    • Yes     • Yes

Command History
  Release   Modification
  7.0(1)    This command was added.
Examples
  The following is sample output from the show clock command:

  ciscoasa# show clock
  12:35:45.205 EDT Tue Jul 27 2004

  The following is sample output from the show clock detail command:

  ciscoasa# show clock detail
  12:35:45.205 EDT Tue Jul 27 2004
  Time source is user configuration
  Summer time starts 02:00:00 EST Sun Apr 4 2004
  Summer time ends 02:00:00 EDT Sun Oct 31 2004

Related Commands
  Command             Description
  clock set           Manually sets the clock on the ASA.
  clock summer-time   Sets the date range to show daylight saving time.
  clock timezone      Sets the time zone.
  ntp server          Identifies an NTP server.
  show ntp status     Shows the status of the NTP association.

show cluster
  To view aggregated data for the entire cluster or other information, use the show cluster command in privileged EXEC mode.

  show cluster [chassis] {access-list [acl_name] | conn [count] | cpu [usage] | history | interface-mode | memory | resource usage | service-policy | traffic | xlate count}

Syntax Description
  access-list [acl_name]   Shows hit counters for access policies. To see the counters for a specific ACL, enter the acl_name.
  chassis                  For the Firepower 9300 ASA security module, shows the cluster information for the chassis.
  conn [count]             Shows the aggregated count of in-use connections for all units. If you enter the count keyword, only the connection count is shown.
  cpu [usage]              Shows CPU usage information.
  history                  Shows cluster switching history.
  interface-mode           Shows the cluster interface mode, either spanned or individual.
  memory                   Shows system memory utilization and other information.
  resource usage           Shows system resources and usage.
  service-policy           Shows the MPF service policy statistics.
  traffic                  Shows traffic statistics.
  xlate count              Shows current translation information.

Command Default
  No default behavior or values.
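The show cluster access-list output in the Examples below prints each ACE with "(hitcnt=<aggregate>, <unit>, <unit>, ...)" in the column order named by the "hitcnt display order" header. The following Python check is an added example, not Cisco's code: it parses that output, confirms that the cluster-wide aggregate equals the sum of the per-unit counters, and lists ACEs that have never been hit. The sample output is constructed from three ACE lines of this entry's example plus one line (line 17, placeholder hash) written to show a mismatch.

```python
"""Consistency check for Cisco ASA 'show cluster access-list' hit counts (added example)."""
import re

# Header naming the counter columns: the first is the aggregate, the rest are units.
_ORDER = re.compile(r"^hitcnt display order:\s*(?P<cols>.+)$")
# One ACE line: "access-list <acl> line <n> <rule> (hitcnt=a, b, c, ...) 0x<hash>"
_ACE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+(?P<rule>.+?)\s+"
    r"\(hitcnt=(?P<counts>[\d,\s]+)\)\s+(?P<hash>0x[0-9a-f]+)$"
)


def parse_cluster_acl(text):
    """Return (unit_names, aces): the unit column order from the header and one
    dict per ACE with its aggregate and per-unit hit counters."""
    units, aces = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = _ORDER.match(line)
        if m:
            cols = [c.strip() for c in m.group("cols").split(",")]
            units = cols[1:]  # cols[0] is "cluster-wide aggregated result"
            continue
        m = _ACE.match(line)
        if not m:
            continue  # cached-ACL summary, "elements" line, blanks
        counts = [int(c) for c in m.group("counts").replace(" ", "").split(",")]
        aces.append({
            "acl": m.group("acl"), "line": int(m.group("line")),
            "rule": m.group("rule"), "hash": m.group("hash"),
            "aggregate": counts[0],
            "per_unit": dict(zip(units, counts[1:])),
        })
    return units, aces


def find_mismatches(aces):
    """ACEs whose aggregate differs from the sum of the per-unit counters, which
    points at counters read mid-update or a unit missing from the display."""
    return [a for a in aces if a["aggregate"] != sum(a["per_unit"].values())]


def unused_aces(aces):
    """(acl, line) pairs with zero cluster-wide hits; candidates for rule review."""
    return [(a["acl"], a["line"]) for a in aces if a["aggregate"] == 0]


# Constructed sample: header and three ACE lines from this entry's example,
# plus line 17 (placeholder hash) written to show an aggregate mismatch.
SAMPLE_OUTPUT = """\
hitcnt display order: cluster-wide aggregated result, unit-A, unit-B, unit-C, unit-D
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
access-list 101; 122 elements; name hash: 0xe7d586b5
access-list 101 line 3 extended permit tcp host 192.168.1.183 host 192.168.43.238 (hitcnt=1, 0, 0, 0, 1) 0x7b521307
access-list 101 line 10 extended permit tcp host 192.168.1.112 host 192.168.43.44 (hitcnt=429, 109, 107, 109, 104) 0xce4f281d
access-list 101 line 16 extended permit tcp host 192.168.1.170 host 192.168.43.75 (hitcnt=0, 0, 0, 0, 0) 0x2c7dba0d
access-list 101 line 17 extended permit tcp host 192.168.1.170 host 192.168.43.200 (hitcnt=5, 1, 1, 1, 1) 0x00000000
"""

if __name__ == "__main__":
    units, aces = parse_cluster_acl(SAMPLE_OUTPUT)
    print("units:", units)
    for a in find_mismatches(aces):
        print("mismatch:", a["acl"], "line", a["line"], a["aggregate"], a["per_unit"])
    print("never hit:", unused_aces(aces))
```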
Command Modes

    The following table shows the modes in which you can enter the command:

    Command Mode      Firewall Mode           Security Context
                      Routed   Transparent    Single   Multiple
                                                       Context   System
    Privileged EXEC   Yes      Yes            Yes      —         Yes

Command History

    Release      Modification
    9.0(1)       This command was added.
    9.4(1)       The service-policy keyword was added.
    9.4(1.152)   The chassis keyword was added.

Usage Guidelines

    See also the show cluster info and show cluster user-identity commands.

Examples

    The following is sample output from the show cluster access-list command:

        ciscoasa# show cluster access-list
        hitcnt display order: cluster-wide aggregated result, unit-A, unit-B, unit-C, unit-D
        access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
        access-list 101; 122 elements; name hash: 0xe7d586b5
        access-list 101 line 1 extended permit tcp 192.168.143.0 255.255.255.0 any eq www (hitcnt=0, 0, 0, 0, 0) 0x207a2b7d
        access-list 101 line 2 extended permit tcp any 192.168.143.0 255.255.255.0 (hitcnt=0, 0, 0, 0, 0) 0xfe4f4947
        access-list 101 line 3 extended permit tcp host 192.168.1.183 host 192.168.43.238 (hitcnt=1, 0, 0, 0, 1) 0x7b521307
        access-list 101 line 4 extended permit tcp host 192.168.1.116 host 192.168.43.238 (hitcnt=0, 0, 0, 0, 0) 0x5795c069
        access-list 101 line 5 extended permit tcp host 192.168.1.177 host 192.168.43.238 (hitcnt=1, 0, 0, 1, 0) 0x51bde7ee
        access-list 101 line 6 extended permit tcp host 192.168.1.177 host 192.168.43.13 (hitcnt=0, 0, 0, 0, 0) 0x1e68697c
        access-list 101 line 7 extended permit tcp host 192.168.1.177 host 192.168.43.132 (hitcnt=2, 0, 0, 1, 1) 0xc1ce5c49
        access-list 101 line 8 extended permit tcp host 192.168.1.177 host 192.168.43.192 (hitcnt=3, 0, 1, 1, 1) 0xb6f59512
        access-list 101 line 9 extended permit tcp host 192.168.1.177 host 192.168.43.44 (hitcnt=0, 0, 0, 0, 0) 0xdc104200
        access-list 101 line 10 extended permit tcp host 192.168.1.112 host 192.168.43.44 (hitcnt=429, 109, 107, 109, 104) 0xce4f281d
        access-list 101 line 11 extended permit tcp host 192.168.1.170 host 192.168.43.238 (hitcnt=3, 1, 0, 0, 2) 0x4143a818
        access-list 101 line 12 extended permit tcp host 192.168.1.170 host 192.168.43.169 (hitcnt=2, 0, 1, 0, 1) 0xb18dfea4
        access-list 101 line 13 extended permit tcp host 192.168.1.170 host 192.168.43.229 (hitcnt=1, 1, 0, 0, 0) 0x21557d71
        access-list 101 line 14 extended permit tcp host 192.168.1.170 host 192.168.43.106 (hitcnt=0, 0, 0, 0, 0) 0x7316e016
        access-list 101 line 15 extended permit tcp host 192.168.1.170 host 192.168.43.196 (hitcnt=0, 0, 0, 0, 0) 0x013fd5b8
        access-list 101 line 16 extended permit tcp host 192.168.1.170 host 192.168.43.75 (hitcnt=0, 0, 0, 0, 0) 0x2c7dba0d

    To display the aggregated count of in-use connections for all units, enter:

        ciscoasa# show cluster conn count
        Usage Summary In Cluster:*********************************************
          200 in use (cluster-wide aggregated)
        cl2(LOCAL):***********************************************************
          100 in use, 100 most used
        cl1:******************************************************************
          100 in use, 100 most used

Related Commands

    Command                      Description
    show cluster info            Shows cluster information.
    show cluster user-identity   Shows cluster user identity information and statistics.

show cluster info

To view cluster information, use the show cluster info command in privileged EXEC mode.

    show cluster info [clients | conn-distribution | flow-mobility counters | goid [options] | health | incompatible-config | loadbalance | old-members | packet-distribution | trace [options] | transport {asp | cp}]

Syntax Description

    clients                  (Optional) Shows the version of register clients.
    conn-distribution        (Optional) Shows the connection distribution in the cluster.
    flow-mobility counters   (Optional) Shows EID movement and flow owner movement information.
    goid [options]           (Optional) Shows the global object ID database. Options include: classmap, conn-set, hwidb, idfw-domain, idfw-group, interface, policymap, virtual-context.
    health                   (Optional) Shows health monitoring information.
    incompatible-config      (Optional) Shows commands that are incompatible with clustering in the current running configuration. This command is useful before you enable clustering.
    loadbalance              (Optional) Shows load balancing information.
    old-members              (Optional) Shows former members of the cluster.
    packet-distribution      (Optional) Shows packet distribution in the cluster.
    trace [options]          (Optional) Shows the clustering control module event trace. Options include:
                             • latest [number]—Displays the latest number events, where the number is from 1 to 2147483647. The default is to show all.
                             • level level—Filters events by level where the level is one of the following: all, critical, debug, informational, or warning.
                             • module module—Filters events by module where the module is one of the following: ccp, datapath, fsm, general, hc, license, rpc, or transport.
                             • time {[month day] [hh:mm:ss]}—Shows events before the specified time or date.
    transport {asp | cp}     (Optional) Shows transport related statistics for the following:
                             • asp—Data plane transport statistics.
                             • cp—Control plane transport statistics.

Command Default

    No default behavior or values.

Command Modes

    The following table shows the modes in which you can enter the command:

    Command Mode      Firewall Mode           Security Context
                      Routed   Transparent    Single   Multiple
                                                       Context   System
    Privileged EXEC   Yes      Yes            Yes      —         Yes

Command History

    Release    Modification
    9.0(1)     This command was added.
    9.3(1)     Improved support for modules in the show cluster info health command was added.
    9.5(1)     Site ID information was added to the output.
    9.5(2)     The flow-mobility counters keywords were added.

Usage Guidelines

    If you do not specify any options, the show cluster info command shows general cluster information including the cluster name and status, the cluster members, the member states, and so on.

    Clear statistics using the clear cluster info command.

    See also the show cluster and show cluster user-identity commands.

Examples

    The following is sample output from the show cluster info command:

        ciscoasa# show cluster info
        Cluster stbu: On
          This is "C" in state SLAVE
              ID        : 0
              Site ID   : 1
              Version   : 9.5(1)
              Serial No.: P3000000025
              CCL IP    : 10.0.0.3
              CCL MAC   : 000b.fcf8.c192
              Last join : 17:08:59 UTC Sep 26 2011
              Last leave: N/A
        Other members in the cluster:
          Unit "D" in state SLAVE
              ID        : 1
              Site ID   : 1
              Version   : 9.5(1)
              Serial No.: P3000000001
              CCL IP    : 10.0.0.4
              CCL MAC   : 000b.fcf8.c162
              Last join : 19:13:11 UTC Sep 23 2011
              Last leave: N/A
          Unit "A" in state MASTER
              ID        : 2
              Site ID   : 2
              Version   : 9.5(1)
              Serial No.: JAB0815R0JY
              CCL IP    : 10.0.0.1
              CCL MAC   : 000f.f775.541e
              Last join : 19:13:20 UTC Sep 23 2011
              Last leave: N/A
          Unit "B" in state SLAVE
              ID        : 3
              Site ID   : 2
              Version   : 9.5(1)
              Serial No.: P3000000191
              CCL IP    : 10.0.0.2
              CCL MAC   : 000b.fcf8.c61e
              Last join : 19:13:50 UTC Sep 23 2011
              Last leave: 19:13:36 UTC Sep 23 2011

    The following is sample output from the show cluster info incompatible-config command:

        ciscoasa(cfg-cluster)# show cluster info incompatible-config
        INFO: Clustering is not compatible with following commands which given a user's
        confirmation upon enabling clustering, can be removed automatically from running-config.

        policy-map global_policy
         class scansafe-http
          inspect scansafe http-map fail-close

        policy-map global_policy
         class scansafe-https
          inspect scansafe https-map fail-close

        INFO: No manually-correctable incompatible configuration is found.

    The following is sample output from the show cluster info trace command:

        ciscoasa# show cluster info trace
        Feb 02 14:19:47.456 [DBUG]Receive CCP message: CCP_MSG_LOAD_BALANCE
        Feb 02 14:19:47.456 [DBUG]Receive CCP message: CCP_MSG_LOAD_BALANCE
        Feb 02 14:19:47.456 [DBUG]Send CCP message to all: CCP_MSG_KEEPALIVE from 80-1 at MASTER

    The following is sample output from the show cluster info health command on the ASA 5500-X:

        ciscoasa# show cluster info health
        Member ID to name mapping:
          0 - A
          1 - B(myself)

           GigabitEthernet0/0  Management0/0  ips (policy off)  sfr (policy off)  Unit overall  Cluster overall
        0  up                  up             up                None              healthy       healthy
        1  up                  up             None              up                healthy

    The above output lists both ASA IPS (ips) and ASA FirePOWER (sfr) modules, and for each module the ASA shows “policy on” or “policy off” to show if you configured the module in the service policy. For example:

        class-map sfr-class
         match sfr-traffic
        policy-map sfr-policy
         class sfr-class
          sfr inline fail-close
        service-policy sfr interface inside

    With the above configuration, the ASA FirePOWER module (“sfr”) will be displayed as “policy on”. If one cluster member has a module as “up”, and the other member has the module as “down” or “None”, then the member with the down module will be kicked out of the cluster. However, if the service policy is not configured, then the cluster member would not be kicked out of the cluster; the module status is only relevant if the module is running.

    The following is sample output from the show cluster info health command on the ASA 5585-X:

        ciscoasa# show cluster info health
        Member ID to name mapping:
          0 - A(myself)
          1 - B

           GigabitEthernet0/0  SSM Card (policy off)  Unit overall  Cluster overall
        0  up                  up                     healthy       healthy
        1  up                  up                     healthy

    If you configure the module in the service policy, then the output shows “policy on”. If you do not configure the service policy, then the output shows “policy off”, even if a module is present in the chassis.

    The following is sample output from the show cluster info flow-mobility counters command:

        ciscoasa# show cluster info flow-mobility counters
        EID movement notification received  : 0
        EID movement notification processed : 0
        Flow owner moving requested         : 0

Related Commands

    Command                      Description
    show cluster                 Displays aggregated data for the entire cluster.
    show cluster user-identity   Shows cluster user identity information and statistics.

show cluster user-identity

To view cluster-wide user identity information and statistics, use the show cluster user-identity command in privileged EXEC mode.

    show cluster user-identity {statistics [user name | user-group group_name] | user [active [domain name] | user name | user-group group_name] [list [detail] | all [list [detail] | inactive {domain name | user-group group_name] [list [detail]]}

Syntax Description

    active                   Shows users with active IP-user mappings.
    all                      Shows all users in the user database.
    domain name              Shows user info for a domain.
    inactive                 Shows users with inactive IP-user mappings.
    list [detail]            Shows a list of users.
    statistics               Shows cluster user identity statistics.
    user                     Shows the user database.
    user name                Shows information for a specific user.
    user-group group_name    Shows information for each user of a specific group.

Command Default

    No default behavior or values.

Command Modes

    The following table shows the modes in which you can enter the command:

    Command Mode      Firewall Mode           Security Context
                      Routed   Transparent    Single   Multiple
                                                       Context   System
    Privileged EXEC   Yes      Yes            Yes      —         Yes

Command History

    Release    Modification
    9.0(1)     This command was added.

Usage Guidelines

    See also the show cluster info and show cluster commands.

Related Commands

    Command              Description
    show cluster         Displays aggregated data for the entire cluster.
    show cluster info    Shows cluster information.
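The show cluster access-list output earlier in this chapter lists, for every ACE, the cluster-wide aggregate hit count followed by one count per unit in the order given by the "hitcnt display order" line. The following added example (not Cisco's code and not part of this reference) parses that format to list ACEs that have never matched on any unit, the usual starting point for an ACL clean-up, and checks that each aggregate equals the sum of the per-unit counts. The sample output is constructed from the format shown above; the unit names and counts are illustrative.

```python
"""Parse 'show cluster access-list' hit counters.

Added example, not Cisco's code.  The sample output below is constructed
from the format shown in the command reference: an aggregate count
followed by one count per unit, in the order given by the
'hitcnt display order' line.
"""
import re
from typing import Dict, List

SAMPLE_OUTPUT = """\
hitcnt display order: cluster-wide aggregated result, unit-A, unit-B, unit-C, unit-D
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
access-list 101; 4 elements; name hash: 0xe7d586b5
access-list 101 line 1 extended permit tcp 192.168.143.0 255.255.255.0 any eq www (hitcnt=0, 0, 0, 0, 0) 0x207a2b7d
access-list 101 line 2 extended permit tcp host 192.168.1.177 host 192.168.43.192 (hitcnt=3, 0, 1, 1, 1) 0xb6f59512
access-list 101 line 3 extended permit tcp host 192.168.1.112 host 192.168.43.44 (hitcnt=429, 109, 107, 109, 104) 0xce4f281d
access-list 101 line 4 extended permit tcp host 192.168.1.170 host 192.168.43.75 (hitcnt=0, 0, 0, 0, 0) 0x2c7dba0d
"""

HEADER_RE = re.compile(r"^hitcnt display order:\s*(?P<cols>.+)$")
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<rule>.+?) "
    r"\(hitcnt=(?P<counts>[\d, ]+)\) (?P<hash>0x[0-9a-fA-F]+)$"
)


def parse_hitcnt(text: str) -> List[Dict]:
    """Return one record per ACE with the aggregate and per-unit counts."""
    units: List[str] = []
    aces: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            # first column is the cluster-wide aggregate; the rest are unit names
            units = [c.strip() for c in header.group("cols").split(",")][1:]
            continue
        ace = ACE_RE.match(line)
        if not ace:
            continue  # ACL summary line, cached-log-flow line, and so on
        counts = [int(c) for c in ace.group("counts").split(",")]
        aces.append({
            "acl": ace.group("acl"),
            "line": int(ace.group("line")),
            "rule": ace.group("rule"),
            "total": counts[0],
            "per_unit": dict(zip(units, counts[1:])),
            "hash": ace.group("hash"),
        })
    return aces


def unused_aces(aces: List[Dict]) -> List[Dict]:
    """ACEs with no hits on any unit: candidates for review or removal."""
    return [a for a in aces if a["total"] == 0]


def inconsistent_aces(aces: List[Dict]) -> List[Dict]:
    """ACEs whose aggregate does not equal the sum of the unit counts."""
    return [a for a in aces if a["total"] != sum(a["per_unit"].values())]


def busiest_unit(ace: Dict) -> str:
    """Name of the unit that saw the most hits for an ACE (ties: first in order)."""
    return max(ace["per_unit"], key=ace["per_unit"].get)


if __name__ == "__main__":
    records = parse_hitcnt(SAMPLE_OUTPUT)
    for a in unused_aces(records):
        print(f"never hit: access-list {a['acl']} line {a['line']} {a['rule']}")
    for a in records:
        if a["total"]:
            print(f"line {a['line']}: {a['total']} hits, busiest unit {busiest_unit(a)}")
```

Because hit counters are per unit, a rule that shows zero hits on one member may still be in use elsewhere in the cluster; the cluster-wide aggregate in the first column is the value to judge by, which is why unused_aces tests "total" rather than any single unit's count.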
show compression svc

To view compression statistics for SVC connections on the ASA, use the show compression svc command from privileged EXEC mode.

    show compression svc

Defaults

    There is no default behavior for this command.

Command Modes

    The following table shows the modes in which you can enter the command:

    Command Mode           Firewall Mode           Security Context
                           Routed   Transparent    Single   Multiple
                                                            Context   System
    Global configuration   Yes      —              Yes      Yes       —

Command History

    Release    Modification
    7.1(1)     This command was added.

Examples

    The following example shows the output of the show compression svc command:

        ciscoasa# show compression svc
        Compression SVC Sessions            1
        Compressed Frames                   249756
        Compressed Data In (bytes)          0048042
        Compressed Data Out (bytes)         4859704
        Expanded Frames                     1
        Compression Errors                  0
        Compression Resets                  0
        Compression Output Buf Too Small    0
        Compression Ratio                   2.06
        Decompressed Frames                 876687
        Decompressed Data In                279300233

Related Commands

    Command           Description
    compression       Enables compression for all SVC and WebVPN connections.
    svc compression   Enables compression of http data over an SVC connection for a specific group or user.

show configuration

To display the configuration that is saved in flash memory on the ASA, use the show configuration command in privileged EXEC mode.

    show configuration

Syntax Description

    This command has no arguments or keywords.

Defaults

    No default behavior or values.

Command Modes

    The following table shows the modes in which you can enter the command:

    Command Mode      Firewall Mode           Security Context
                      Routed   Transparent    Single   Multiple
                                                       Context   System
    Privileged EXEC   Yes      Yes            Yes      Yes       Yes

Command History

    Release    Modification
    7.0(1)     This command was modified.

Usage Guidelines

    The show configuration command displays the saved configuration in flash memory on the ASA. Unlike the show running-config command, the show configuration command does not use many CPU resources to run.

    To display the active configuration in memory (including saved configuration changes) on the ASA, use the show running-config command.

Examples

    The following is sample output from the show configuration command:

        ciscoasa# show configuration
        :
        enable password 8Ry2YjIyt7RRXU24 encrypted
        names
        dns-guard
        !
        interface Ethernet0/0
         nameif inside
         security-level 100
         ip address 192.168.2.5 255.255.255.0
        !
        interface Ethernet0/1
         nameif outside
         security-level 0
         ip address 10.132.12.6 255.255.255.0
        !
        interface Ethernet0/2
         nameif dmz
         security-level 50
         ip address 10.0.0.5 255.255.0.0
        !
        interface Ethernet0/3
         shutdown
         no nameif
         no security-level
         no ip address
        !
        interface Management0/0
         nameif management
         security-level 100
         ip address 192.168.1.1 255.255.255.0
         management-only
        !
        passwd 2KFQnbNIdI.2KYOU encrypted
        boot system disk0:/newImage
        ftp mode passive
        access-list acl1 extended permit ip any any
        access-list mgcpacl extended permit udp any any eq 2727
        access-list mgcpacl extended permit udp any any eq 2427
        access-list mgcpacl extended permit udp any any eq tftp
        access-list mgcpacl extended permit udp any any eq 1719
        access-list permitIp extended permit ip any any
        pager lines 25
        logging enable
        logging console debugging
        logging buffered debugging
        logging asdm informational
        mtu inside 1500
        mtu outside 1500
        mtu dmz 1500
        mtu management 1500
        icmp unreachable rate-limit 1 burst-size 1
        icmp permit any inside
        icmp permit any outside
        icmp permit any dmz
        asdm image disk0:/pdm
        no asdm history enable
        arp timeout 14400
        global (outside) 1 10.132.12.50-10.132.12.52
        global (outside) 1 interface
        global (dmz) 1 interface
        nat (inside) 1 0.0.0.0 0.0.0.0
        access-group permitIp in interface inside
        access-group permitIp in interface outside
        access-group mgcpacl in interface dmz
        !
        router ospf 1
         network 10.0.0.0 255.255.0.0 area 192.168.2.0
         network 192.168.2.0 255.255.255.0 area 192.168.2.0
         log-adj-changes
         redistribute static subnets
         default-information originate
        !
        route outside 0.0.0.0 0.0.0.0 10.132.12.1 1
        route outside 10.129.0.0 255.255.0.0 10.132.12.1 1
        route outside 88.0.0.0 255.0.0.0 10.132.12.1 1
        timeout xlate 3:00:00
        timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
        timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
        timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
        timeout uauth 0:05:00 absolute
        dynamic-access-policy-record DfltAccessPolicy
        aaa authentication ssh console LOCAL
        http server enable
        http 10.132.12.0 255.255.255.0 outside
        http 192.168.2.0 255.255.255.0 inside
        http 192.168.1.0 255.255.255.0 management
        no snmp-server location
        no snmp-server contact
        snmp-server enable traps snmp authentication linkup linkdown coldstart
        telnet 192.168.2.0 255.255.255.0 inside
        telnet 10.132.12.0 255.255.255.0 outside
        telnet timeout 5
        ssh 192.168.2.0 255.255.255.0 inside
        ssh timeout 5
        console timeout 0
        dhcpd address 192.168.1.2-192.168.1.254 management
        dhcpd enable management
        !
        threat-detection basic-threat
        threat-detection statistics access-list
        !
        class-map inspection_default
         match default-inspection-traffic
        !
        !
        policy-map type inspect dns preset_dns_map
         parameters
          message-length maximum 512
        policy-map global_policy
         class inspection_default
          inspect dns preset_dns_map
          inspect ftp
          inspect h323 h225
          inspect h323 ras
          inspect rsh
          inspect rtsp
          inspect esmtp
          inspect sqlnet
          inspect skinny
          inspect sunrpc
          inspect xdmcp
          inspect sip
          inspect netbios
          inspect tftp
          inspect mgcp
        policy-map type inspect mgcp mgcpapp
         parameters
          call-agent 150.0.0.210 101
          gateway 50.0.0.201 101
          gateway 100.0.0.201 101
          command-queue 150
        !
        service-policy global_policy global
        webvpn
         memory-size percent 25
         enable inside
         internal-password enable
         onscreen-keyboard logon
        username snoopy password /JcYsjvxHfBHc4ZK encrypted
        prompt hostname context
        Cryptochecksum:62bf8f5de9466cdb64fe758079594635
        : end

Related Commands

    Command     Description
    configure   Configures the ASA from the terminal.

show configuration session

To display the current configuration sessions and the changes within the sessions, use the show configuration session command in privileged EXEC mode.

    show configuration session [session_name]

Syntax Description

    session_name   The name of an existing configuration session. If you omit this parameter, all existing sessions are shown.

Defaults

    No default behavior or values.

Command Modes

    The following table shows the modes in which you can enter the command:

    Command Mode           Firewall Mode           Security Context
                           Routed   Transparent    Single   Multiple
                                                            Context   System
    Global configuration   Yes      Yes            Yes      Yes       —

Command History

    Release    Modification
    9.3(2)     This command was added.

Usage Guidelines

    Use this command in conjunction with the configure session command, which creates isolated sessions for editing ACLs and their objects. This command shows the names of the sessions and all of the configuration changes that have been made in the sessions. If a session shows as committed, you can open the session and revert the changes if you decide they did not work as expected.
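The show configuration section above makes the point that the saved copy in flash and the running configuration can differ, and show configuration session shows a further set of pending changes. A practitioner usually wants the difference itself: lines present in the running configuration but not yet saved (lost on reload) and saved lines that have been removed (changed without being written). The following added example, which is not Cisco's code and not part of this reference, normalizes two configuration texts (dropping the ':' marker lines, '!' separators, blank lines and the Cryptochecksum line, which differ between the two views without representing a real change) and reports added and removed statements with the standard difflib module. Both configuration snippets are constructed, and the checksum values are placeholders.

```python
"""Compare a saved configuration (show configuration) with the running
configuration (show running-config) on an ASA.

Added example, not Cisco's code.  Both snippets below are constructed;
the Cryptochecksum values are placeholders, not real checksums.
"""
import difflib
from typing import List, Tuple

SAVED_CONFIG = """\
: Saved
:
hostname ciscoasa
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.2.5 255.255.255.0
!
logging enable
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
Cryptochecksum:00000000000000000000000000000000
: end
"""

RUNNING_CONFIG = """\
: Saved
:
hostname ciscoasa
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.2.5 255.255.255.0
!
logging enable
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 60
Cryptochecksum:11111111111111111111111111111111
: end
"""


def normalize(config: str) -> List[str]:
    """Keep only configuration statements.

    Lines starting with ':' (banner and end marker), the '!' separators,
    blank lines and the Cryptochecksum line differ between the saved and
    running views without being real configuration changes, so they are
    dropped before comparing.  Leading indentation is kept because it
    carries the sub-mode structure (interface, class, parameters).
    """
    kept: List[str] = []
    for line in config.splitlines():
        stripped = line.strip()
        if (not stripped or stripped == "!" or stripped.startswith(":")
                or stripped.startswith("Cryptochecksum:")):
            continue
        kept.append(line.rstrip())
    return kept


def config_diff(saved: str, running: str) -> Tuple[List[str], List[str]]:
    """Return (statements only in running, statements only in saved)."""
    added: List[str] = []
    removed: List[str] = []
    for token in difflib.ndiff(normalize(saved), normalize(running)):
        if token.startswith("+ "):
            added.append(token[2:])
        elif token.startswith("- "):
            removed.append(token[2:])
        # '  ' (unchanged) and '? ' (intraline hint) tokens are ignored
    return added, removed


def unsaved_changes(saved: str, running: str) -> bool:
    """True when the running configuration differs from the saved one."""
    added, removed = config_diff(saved, running)
    return bool(added or removed)


if __name__ == "__main__":
    added, removed = config_diff(SAVED_CONFIG, RUNNING_CONFIG)
    for line in added:
        print("+ " + line)
    for line in removed:
        print("- " + line)
```

Feed the script the two captures taken from the device; a non-empty result on a box that is supposed to be under change control is the signal to investigate, and the same function works on the text of a configuration session shown by show configuration session against the saved configuration.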
Examples

    The following example shows all available sessions:

        ciscoasa# show configuration session
        config-session abc (un-committed)
        access-list abc permit ip any any
        access-list abc permit tcp any any
        config-session abc2 (un-committed)
        object network test
         host 1.1.1.1
        object network test2
         host 2.2.2.2
        ciscoasa#

Related Commands

    Command                       Description
    clear configuration session   Deletes a configuration session and its contents.
    clear session                 Clears the contents of a configuration session or resets its access flag.
    configure session             Creates or opens a session.

show conn

To display the connection state for the designated connection type, use the show conn command in privileged EXEC mode. This command supports IPv4 and IPv6 addresses.

    show conn [count | [all] [detail] [long] [state state_type] [protocol {tcp | udp | sctp}] [scansafe] [address src_ip[-src_ip] [netmask mask]] [port src_port[-src_port]] [address dest_ip[-dest_ip] [netmask mask]] [port dest_port[-dest_port]] [user-identity | user [domain_nickname\]user_name | user-group [domain_nickname\\]user_group_name] | security-group] [zone zone_name [zone zone_name] [...]]

Syntax Description

    address                  (Optional) Displays connections with the specified source or destination IP address.
    all                      (Optional) Displays connections that are to the device or from the device, in addition to through-traffic connections.
    count                    (Optional) Displays the number of active connections.
    dest_ip                  (Optional) Specifies the destination IP address (IPv4 or IPv6). To specify a range, separate the IP addresses with a dash (-). For example: 10.1.1.1-10.1.1.5
    dest_port                (Optional) Specifies the destination port number. To specify a range, separate the port numbers with a dash (-). For example: 1000-2000
    detail                   (Optional) Displays connections in detail, including translation type and interface information.
    long                     (Optional) Displays connections in long format.
    netmask mask             (Optional) Specifies a subnet mask for use with the given IP address.
    port                     (Optional) Displays connections with the specified source or destination port.
    protocol {tcp | udp | sctp}   (Optional) Specifies the connection protocol.
    scansafe                 (Optional) Shows connections being forwarded to the Cloud Web Security server.
    security-group           (Optional) Specifies that all connections displayed belong to the specified security group.
    src_ip                   (Optional) Specifies the source IP address (IPv4 or IPv6). To specify a range, separate the IP addresses with a dash (-). For example: 10.1.1.1-10.1.1.5
    src_port                 (Optional) Specifies the source port number. To specify a range, separate the port numbers with a dash (-). For example: 1000-2000
    state state_type         (Optional) Specifies the connection state type. See Table 4-34 for a list of the keywords available for connection state types.
    user [domain_nickname\] user_name   (Optional) Specifies that all connections displayed belong to the specified user. When you do not include the domain_nickname argument, the ASA displays information for the user in the default domain.
    user-group [domain_nickname\\] user_group_name   (Optional) Specifies that all connections displayed belong to the specified user group. When you do not include the domain_nickname argument, the ASA displays information for the user group in the default domain.
    user-identity            (Optional) Specifies that the ASA display all connections for the Identity Firewall feature. When displaying the connections, the ASA displays the user name and IP address when it identifies a matching user. Similarly, the ASA displays the host name and an IP address when it identifies a matching host.
    zone [zone_name]         (Optional) Displays connections for a zone.

    The long and detail keywords show the primary interface on which the connection was built and the current interface used to forward the traffic.

Defaults

    All through connections are shown by default. You need to use the all keyword to also view management connections to the device.

Command Modes

    The following table shows the modes in which you can enter the command:

    Command Mode      Firewall Mode           Security Context
                      Routed   Transparent    Single   Multiple
                                                       Context   System
    Privileged EXEC   Yes      Yes            Yes      Yes       —

Command History

    Release                                Modification
    7.0(8)/7.2(4)/8.0(4)                   The syntax was simplified to use source and destination concepts instead of “local” and “foreign.” In the new syntax, the source address is the first address entered and the destination is the second address. The old syntax used keywords like foreign and fport to determine the destination address and port.
    7.2(5)/8.0(5)/8.1(2)/8.2(4)/8.3(2)     The tcp_embryonic state type was added. This type shows all TCP connections with the i flag (incomplete connections); i flag connections for UDP are not shown.
    8.2(1)                                 The b flag was added for TCP state bypass.
    8.4(2)                                 The user-identity, user, and user-group keywords were added to support the Identity Firewall.
    9.0(1)                                 Support for clustering was added. We added the scansafe and security-group keywords.
    9.3(2)                                 The zone keyword was added.
    9.5(2)                                 The L flag was added for traffic subject to LISP flow-mobility.
    9.5(2)                                 The Q flag for detailed output was added for Diameter connections. The protocol sctp keyword was added. The o flag for detailed output was added for off-loaded flows.

Usage Guidelines

    The show conn command displays the number of active TCP and UDP connections, and provides information about connections of various types. Use the show conn all command to see the entire table of connections.

    Note: When the ASA creates a pinhole to allow secondary connections, this is shown as an incomplete conn by the show conn command. To clear this incomplete conn, use the clear conn command.

    The connection types that you can specify using the show conn state command are defined in Table 4-34. When specifying multiple connection types, use commas without spaces to separate the keywords.

    Table 4-34   Connection State Types

    Keyword             Connection Type Displayed
    up                  Connections in the up state.
    conn_inbound        Inbound connections.
    ctiqbe              CTIQBE connections.
    data_in             Inbound data connections.
    data_out            Outbound data connections.
    finin               FIN inbound connections.
    finout              FIN outbound connections.
    h225                H.225 connections.
    h323                H.323 connections.
    http_get            HTTP get connections.
    mgcp                MGCP connections.
    nojava              Connections that deny access to Java applets.
    rpc                 RPC connections.
    service_module      Connections being scanned by an SSM.
    sip                 SIP connections.
    skinny              SCCP connections.
    smtp_data           SMTP mail data connections.
    sqlnet_fixup_data   SQL*Net data inspection engine connections.
    tcp_embryonic       TCP embryonic connections.
    vpn_orphan          Orphaned VPN tunneled flows.

    When you use the detail option, the system displays information about the translation type and interface information using the connection flags defined in Table 4-35.

    Table 4-35   Connection Flags

    Flag   Description
    a      awaiting outside ACK to SYN
    A      awaiting inside ACK to SYN
    b      TCP state bypass
    B      initial SYN from outside
    C      Computer Telephony Interface Quick Buffer Encoding (CTIQBE) media connection
    d      dump
    D      DNS
    E      outside back connection. This is a secondary data connection that must be initiated from the inside host. For example, using FTP, after the inside client issues the PASV command and the outside server accepts, the ASA preallocates an outside back connection with this flag set. If the inside client attempts to connect back to the server, then the ASA denies this connection attempt. Only the outside server can use the preallocated secondary connection.
    f      inside FIN
    F      outside FIN
    g      Media Gateway Control Protocol (MGCP) connection
    G      connection is part of a group (1)
    h      H.225
    H      H.323
    i      incomplete TCP or UDP connection
    I      inbound data
    k      Skinny Client Control Protocol (SCCP) media connection
    K      GTP t3-response
    L      traffic subject to LISP flow-mobility
    m      SIP media connection
    M      SMTP data
    o      Off-loaded flow.
    O      outbound data
    p      replicated (unused)
    P      inside back connection. This is a secondary data connection that must be initiated from the inside host. For example, using FTP, after the inside client issues the PORT command and the outside server accepts, the ASA preallocates an inside back connection with this flag set. If the outside server attempts to connect back to the client, then the ASA denies this connection attempt. Only the inside client can use the preallocated secondary connection.
    q      SQL*Net data
    Q      Diameter connection
    r      inside acknowledged FIN
    R      outside acknowledged FIN for TCP connection
    R      UDP RPC (2)
    s      awaiting outside SYN
    S      awaiting inside SYN
    t      SIP transient connection (3)
    T      SIP connection (4)
    U      up
    V      VPN orphan
    W      WAAS
    X      Inspected by the service module, such as a CSC SSM.
    y      For clustering, identifies a backup owner flow.
    Y      For clustering, identifies a director flow.
    z      For clustering, identifies a forwarder flow.
    Z      Cloud Web Security

    1. The G flag indicates the connection is part of a group. It is set by the GRE and FTP Strict inspections to designate the control connection and all its associated secondary connections. If the control connection terminates, then all associated secondary connections are also terminated.
    2. Because each row of show conn command output represents one connection (TCP or UDP), there will be only one R flag per row.
    3. For UDP connections, the value t indicates that it will timeout after one minute.
    4. For UDP connections, the value T indicates that the connection will timeout according to the value specified using the timeout sip command.

    Note: For connections using a DNS server, the source port of the connection may be replaced by the IP address of the DNS server in the show conn command output. A single connection is created for multiple DNS sessions, as long as they are between the same two hosts, and the sessions have the same 5-tuple (source/destination IP address, source/destination port, and protocol). DNS identification is tracked by app_id, and the idle timer for each app_id runs independently. Because the app_id expires independently, a legitimate DNS response can only pass through the ASA within a limited period of time and there is no resource build-up. However, when you enter the show conn command, you will see the idle timer of a DNS connection being reset by a new DNS session. This is due to the nature of the shared DNS connection and is by design.

    Note: When there is no TCP traffic for the period of inactivity defined by the timeout conn command (by default, 1:00:00), the connection is closed and the corresponding conn flag entries are no longer displayed.

    If a LAN-to-LAN/Network-Extension Mode tunnel drops and does not come back, there might be a number of orphaned tunnel flows. These flows are not torn down as a result of the tunnel going down, but all the data attempting to flow through them is dropped. The show conn command output shows these orphaned flows with the V flag.
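The flag letters of Table 4-35 are what an analyst reads when reviewing show conn output, and a few of them are worth counting on their own: i (incomplete connections, the pinholes and embryonic TCP sessions mentioned above), B (sessions initiated from the outside), V (orphaned VPN flows) and b (TCP state bypass, where the normal TCP state checks are not applied). The following added example, which is not Cisco's code and not part of this reference, parses the brief and detail output formats shown in this section, decodes the flags (resolving the protocol-dependent R flag of footnote 2) and produces those counts. The sample lines are constructed on the pattern of the examples in this section; the parser assumes IPv4 addresses in the brief format and a two-line layout for detail entries, with the "flags ..." continuation indented on the line that follows.

```python
"""Decode 'show conn' and 'show conn detail' output (Table 4-35 flags).

Added example, not Cisco's code.  The sample output below is constructed
on the pattern of the examples in the command reference.
"""
import re
from typing import Dict, List, Optional

# Table 4-35, minus R, which depends on the protocol (footnote 2)
FLAGS: Dict[str, str] = {
    "a": "awaiting outside ACK to SYN", "A": "awaiting inside ACK to SYN",
    "b": "TCP state bypass", "B": "initial SYN from outside",
    "C": "CTIQBE media connection", "d": "dump", "D": "DNS",
    "E": "outside back connection", "f": "inside FIN", "F": "outside FIN",
    "g": "MGCP connection", "G": "connection is part of a group",
    "h": "H.225", "H": "H.323", "i": "incomplete TCP or UDP connection",
    "I": "inbound data", "k": "SCCP media connection", "K": "GTP t3-response",
    "L": "traffic subject to LISP flow-mobility", "m": "SIP media connection",
    "M": "SMTP data", "o": "off-loaded flow", "O": "outbound data",
    "p": "replicated (unused)", "P": "inside back connection",
    "q": "SQL*Net data", "Q": "Diameter connection",
    "r": "inside acknowledged FIN", "s": "awaiting outside SYN",
    "S": "awaiting inside SYN", "t": "SIP transient connection",
    "T": "SIP connection", "U": "up", "V": "VPN orphan", "W": "WAAS",
    "X": "inspected by the service module", "y": "backup owner flow",
    "Y": "director flow", "z": "forwarder flow", "Z": "Cloud Web Security",
}

# Brief format, e.g. "TCP out 10.10.49.10:23 in 10.1.1.15:1026 idle 0:00:22, bytes 1774, flags UIO"
# A NAT-translated address appears in parentheses: "192.168.1.10(20.20.20.24):49736".
# Assumption: IPv4 text (an IPv6 address would contain ':' and not match here).
BRIEF_RE = re.compile(
    r"^(?P<proto>TCP|UDP|SCTP)\s+"
    r"(?P<if1>\S+)\s+(?P<a1>[^\s:(]+)(?:\((?P<n1>[^)]+)\))?:(?P<p1>\d+)\s+"
    r"(?P<if2>\S+)\s+(?P<a2>[^\s:(]+)(?:\((?P<n2>[^)]+)\))?:(?P<p2>\d+),?\s+"
    r"idle\s+(?P<idle>\S+),\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>[A-Za-z]*)$"
)
# Detail format, e.g. "TCP outside:10.10.49.10/23 inside:10.1.1.15/1026, flags UIO, idle 39s, ..."
DETAIL_RE = re.compile(
    r"^(?P<proto>TCP|UDP|SCTP)\s+"
    r"(?P<if1>[^:\s]+):(?P<a1>[^\s/]+)/(?P<p1>\d+)\s+"
    r"(?P<if2>[^:\s]+):(?P<a2>[^\s/]+)/(?P<p2>\d+),\s+flags\s+(?P<flags>[A-Za-z]*),\s+"
    r"idle\s+(?P<idle>\S+),\s+uptime\s+(?P<uptime>\S+),\s+timeout\s+(?P<timeout>\S+),\s+"
    r"bytes\s+(?P<bytes>\d+)$"
)

# Constructed sample: brief lines, one NAT line, one orphan, one UDP RPC, one detail entry
SAMPLE_OUTPUT = """\
54 in use, 123 most used
TCP out 10.10.49.10:23 in 10.1.1.15:1026 idle 0:00:22, bytes 1774, flags UIO
UDP out 10.10.49.10:31649 in 10.1.1.15:1028 idle 0:00:14, bytes 0, flags D
TCP dmz 10.10.10.50:50026 inside 192.168.1.22:5060, idle 0:00:24, bytes 1940435, flags UTIOB
TCP outside 192.168.1.10(20.20.20.24):49736 inside 192.168.1.21:0, idle 0:01:32, bytes 0, flags Ti
TCP outside 10.10.49.10:443 inside 10.1.1.20:40001, idle 0:09:10, bytes 0, flags V
UDP outside 10.10.49.10:111 inside 10.1.1.15:1030 idle 0:00:05, bytes 120, flags R
TCP outside:10.10.49.10/23 inside:10.1.1.15/1026,
    flags UIO, idle 39s, uptime 1D19h, timeout 1h0m, bytes 1940435
"""


def _join_continuations(text: str) -> List[str]:
    """Append an indented 'flags ...' line to the entry it belongs to."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.lstrip().startswith("flags ") and lines:
            lines[-1] = lines[-1].rstrip() + " " + raw.strip()
        else:
            lines.append(raw)
    return lines


def parse_conn_line(line: str) -> Optional[Dict]:
    """Return a dict for one connection entry, or None for summary/other lines."""
    for fmt, rx in (("brief", BRIEF_RE), ("detail", DETAIL_RE)):
        m = rx.match(line.strip())
        if m:
            conn = m.groupdict()
            conn["format"] = fmt
            conn["bytes"] = int(conn["bytes"])
            conn["p1"], conn["p2"] = int(conn["p1"]), int(conn["p2"])
            return conn
    return None


def parse_show_conn(text: str) -> List[Dict]:
    return [c for c in map(parse_conn_line, _join_continuations(text)) if c]


def describe_flags(flags: str, proto: str) -> List[str]:
    """Expand a flag string; R means RPC for UDP and acknowledged FIN for TCP."""
    out = []
    for ch in flags:
        if ch == "R":
            out.append("UDP RPC" if proto == "UDP" else "outside acknowledged FIN")
        else:
            out.append(FLAGS.get(ch, "unknown flag %r" % ch))
    return out


def triage(conns: List[Dict]) -> Dict[str, int]:
    """Flag-based counts worth watching (case matters: i and I differ)."""
    return {
        "total": len(conns),
        "embryonic": sum("i" in c["flags"] for c in conns),
        "outside_initiated": sum("B" in c["flags"] for c in conns),
        "vpn_orphan": sum("V" in c["flags"] for c in conns),
        "state_bypass": sum("b" in c["flags"] for c in conns),
    }


if __name__ == "__main__":
    conns = parse_show_conn(SAMPLE_OUTPUT)
    for c in conns:
        print(c["proto"], c["a1"], c["p1"], "->", c["a2"], c["p2"], describe_flags(c["flags"], c["proto"]))
    print(triage(conns))
```

A sudden rise in the embryonic or outside_initiated counts between two captures is the kind of change worth correlating with the timeout conn and embryonic-connection limits on the device, and any non-zero vpn_orphan count after a tunnel outage identifies the flows described under the V flag above.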
Cisco ASA Series Command Reference, S Commands 4-138 Chapter When the following TCP connection directionality flags are applied to connections between same-security interfaces (see the same-security permit command), the direction in the flag is not relevant because for same-security interfaces, there is no “inside” or “outside.” Because the ASA has to use these flags for same-security connections, the ASA may choose one flag over another (for example, f vs. F) based on other connection characteristics, but you should ignore the directionality chosen. • B—Initial SYN from outside • a—Awaiting outside ACK to SYN • A—Awaiting inside ACK to SYN • f—Inside FIN • F—Outside FIN • s—Awaiting outside SYN • S—Awaiting inside SYN To display information for a specific connection, include the security-group keyword and specify a security group table value or security group name for both the source and destination of the connection. The ASA displays the connection matching the specific security group table values or security group names. When you specify the security-group keyword without specifying a source and destination security group table value or a source and destination security group name, the ASA displays data for all SXP connections. The ASA displays the connection data in the format security_group_name (SGT_value) or just as the SGT_value when the security group name is unknown. Note Security group data is not available for stub connections because stub connection do not go through the slow path. Stub connections maintain only the information necessary to forward packets to the owner of the connection. You can specify a single security group name to display all connections in a cluster; for example, the following example displays connections matching security-group mktg in all units of the cluster: ciscoasa# show cluster conn security-group name mktg Examples When specifying multiple connection types, use commas without spaces to separate the keywords. 
The following example displays information about RPC, H.323, and SIP connections in the Up state:

ciscoasa# show conn state up,rpc,h323,sip

The following is sample output from the show conn count command:

ciscoasa# show conn count
54 in use, 123 most used

The following is sample output from the show conn command. This example shows a TCP session connection from inside host 10.1.1.15 to the outside Telnet server at 10.10.49.10. Because there is no B flag, the connection was initiated from the inside. The "U", "I", and "O" flags denote that the connection is active and has received inbound and outbound data.

ciscoasa# show conn
54 in use, 123 most used
TCP out 10.10.49.10:23 in 10.1.1.15:1026 idle 0:00:22, bytes 1774, flags UIO
UDP out 10.10.49.10:31649 in 10.1.1.15:1028 idle 0:00:14, bytes 0, flags D
TCP dmz 10.10.10.50:50026 inside 192.168.1.22:5060, idle 0:00:24, bytes 1940435, flags UTIOB
TCP dmz 10.10.10.50:49764 inside 192.168.1.21:5060, idle 0:00:42, bytes 2328346, flags UTIOB
TCP dmz 10.10.10.51:50196 inside 192.168.1.22:2000, idle 0:00:04, bytes 31464, flags UIB
TCP dmz 10.10.10.51:52738 inside 192.168.1.21:2000, idle 0:00:09, bytes 129156, flags UIOB
TCP dmz 10.10.10.50:49764 inside 192.168.1.21:0, idle 0:00:42, bytes 0, flags Ti
TCP outside 192.168.1.10(20.20.20.24):49736 inside 192.168.1.21:0, idle 0:01:32, bytes 0, flags Ti
TCP dmz 10.10.10.50:50026 inside 192.168.1.22:0, idle 0:00:24, bytes 0, flags Ti
TCP outside 192.168.1.10(20.20.20.24):50663 inside 192.168.1.22:0, idle 0:01:34, bytes 0, flags Ti
TCP dmz 10.10.10.50:50026 inside 192.168.1.22:0, idle 0:02:24, bytes 0, flags Ti
TCP outside 192.168.1.10(20.20.20.24):50663 inside 192.168.1.22:0, idle 0:03:34, bytes 0, flags Ti
TCP dmz 10.10.10.50:50026 inside 192.168.1.22:0, idle 0:04:24, bytes 0, flags Ti
TCP outside 192.168.1.10(20.20.20.24):50663 inside 192.168.1.22:0, idle 0:05:34, bytes 0, flags Ti
TCP dmz 10.10.10.50:50026 inside 192.168.1.22:0, idle 0:06:24, bytes 0, flags Ti
TCP outside 192.168.1.10(20.20.20.24):50663 inside 192.168.1.22:0, idle 0:07:34, bytes 0, flags Ti

The following is sample output from the show conn command, which includes the "X" flag to indicate that the connection is being scanned by the SSM:

ciscoasa# show conn address 10.0.0.122 state service_module
TCP out 10.1.0.121:22 in 10.0.0.122:34446 idle 0:00:03, bytes 2733, flags UIOX

The following is sample output from the show conn detail command. This example shows a UDP connection from outside host 10.10.49.10 to inside host 10.1.1.15. The D flag denotes that this is a DNS connection. The number 1028 is the DNS ID over the connection.

ciscoasa# show conn detail
54 in use, 123 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, b - TCP state-bypass or nailed,
       C - CTIQBE media, c - cluster centralized,
       D - DNS, d - dump, E - outside back connection, e - semi-distributed,
       F - outside FIN, f - inside FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
       k - Skinny media, L - LISP triggered flow owner mobility,
       M - SMTP data, m - SIP media, n - GUP
       O - outbound data, o - offloaded, P - inside back connection,
       Q - Diameter, q - SQL*Net data,
       R - outside acknowledged FIN, R - UDP SUNRPC,
       r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
       V - VPN orphan, W - WAAS, w - secondary domain backup,
       X - inspected by service module, x - per session,
       Y - director stub flow, y - backup stub flow,
       Z - Scansafe redirection, z - forwarding stub flow

TCP outside:10.10.49.10/23 inside:10.1.1.15/1026,
    flags UIO, idle 39s, uptime 1D19h, timeout 1h0m, bytes 1940435
UDP outside:10.10.49.10/31649 inside:10.1.1.15/1028,
    flags dD, idle 39s, uptime 1D19h, timeout 1h0m, bytes 1940435
TCP dmz:10.10.10.50/50026 inside:192.168.1.22/5060,
    flags UTIOB, idle 39s, uptime 1D19h, timeout 1h0m, bytes 1940435
TCP dmz:10.10.10.50/49764 inside:192.168.1.21/5060,
    flags UTIOB, idle 56s, uptime 1D19h, timeout 1h0m, bytes 2328346
TCP dmz:10.10.10.51/50196 inside:192.168.1.22/2000,
    flags UIB, idle 18s, uptime 1D19h, timeout 1h0m, bytes 31464
TCP dmz:10.10.10.51/52738 inside:192.168.1.21/2000,
    flags UIOB, idle 23s, uptime 1D19h, timeout 1h0m, bytes 129156
TCP outside:10.132.64.166/52510 inside:192.168.1.35/2000,
    flags UIOB, idle 3s, uptime 1D21h, timeout 1h0m, bytes 357405
TCP outside:10.132.64.81/5321 inside:192.168.1.22/5060,
    flags UTIOB, idle 1m48s, uptime 1D21h, timeout 1h0m, bytes 2083129
TCP outside:10.132.64.81/5320 inside:192.168.1.21/5060,
    flags UTIOB, idle 1m46s, uptime 1D21h, timeout 1h0m, bytes 2500529
TCP outside:10.132.64.81/5319 inside:192.168.1.22/2000,
    flags UIOB, idle 31s, uptime 1D21h, timeout 1h0m, bytes 32718
TCP outside:10.132.64.81/5315 inside:192.168.1.21/2000,
    flags UIOB, idle 14s, uptime 1D21h, timeout 1h0m, bytes 358694
TCP outside:10.132.64.80/52596 inside:192.168.1.22/2000,
    flags UIOB, idle 8s, uptime 1D21h, timeout 1h0m, bytes 32742
TCP outside:10.132.64.80/52834 inside:192.168.1.21/2000,
    flags UIOB, idle 6s, uptime 1D21h, timeout 1h0m, bytes 358582
TCP outside:10.132.64.167/50250 inside:192.168.1.35/2000,
    flags UIOB, idle 26s, uptime 1D21h, timeout 1h0m, bytes 375617

The following is sample output from the show conn command when an orphan flow exists, as indicated by the V flag:

ciscoasa# show conn
16 in use, 19 most used
TCP out 192.168.110.251:7393 in 192.168.150.252:21 idle 0:00:00, bytes 1048, flags UOVB
TCP out 192.168.110.251:21137 in 192.168.150.252:21 idle 0:00:00, bytes 1048, flags UIOB

To limit the report to those connections that have orphan flows, add the vpn_orphan option to the show conn state command, as in the following example:

ciscoasa# show conn state vpn_orphan
14 in use, 19 most used
TCP out 192.168.110.251:7393 in 192.168.150.252:5013, idle 0:00:00, bytes 2841019, flags UOVB

For clustering, to troubleshoot the connection flow, first see connections on all units by entering the cluster exec show conn command on the master unit. Look for flows that have the following flags: director (Y), backup (y), and forwarder (z). The following example shows an SSH connection from 172.18.124.187:22 to 192.168.103.131:44727 on all three ASAs; ASA1 has the z flag, showing that it is a forwarder for the connection, ASA3 has the Y flag, showing that it is the director for the connection, and ASA2 has no special flags, showing that it is the owner. In the outbound direction, the packets for this connection enter the inside interface on ASA2 and exit the outside interface. In the inbound direction, the packets for this connection enter the outside interface on ASA1 and ASA3, are forwarded over the cluster control link to ASA2, and then exit the inside interface on ASA2.

ciscoasa/ASA1/master# cluster exec show conn
ASA1(LOCAL):**********************************************************
18 in use, 22 most used
Cluster stub connections: 0 in use, 5 most used
TCP outside 172.18.124.187:22 inside 192.168.103.131:44727, idle 0:00:00, bytes 37240828, flags z

ASA2:*****************************************************************
12 in use, 13 most used
Cluster stub connections: 0 in use, 46 most used
TCP outside 172.18.124.187:22 inside 192.168.103.131:44727, idle 0:00:00, bytes 37240828, flags UIO

ASA3:*****************************************************************
10 in use, 12 most used
Cluster stub connections: 2 in use, 29 most used
TCP outside 172.18.124.187:22 inside 192.168.103.131:44727, idle 0:00:03, bytes 0, flags Y

The output of show conn detail on ASA2 shows that the most recent forwarder was ASA1:

ciscoasa/ASA2/slave# show conn detail
12 in use, 13 most used
Cluster stub connections: 0 in use, 46 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, b - TCP state-bypass or nailed,
       C - CTIQBE media, c - cluster centralized,
       D - DNS, d - dump, E - outside back connection, e - semi-distributed,
       F - outside FIN, f - inside FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
       k - Skinny media, L - LISP triggered flow owner mobility,
       M - SMTP data, m - SIP media, n - GUP
       O - outbound data, o - offloaded, P - inside back connection,
       Q - Diameter, q - SQL*Net data,
       R - outside acknowledged FIN, R - UDP SUNRPC,
       r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
       V - VPN orphan, W - WAAS, w - secondary domain backup,
       X - inspected by service module, x - per session,
       Y - director stub flow, y - backup stub flow,
       Z - Scansafe redirection, z - forwarding stub flow

TCP outside: 172.18.124.187/22 inside: 192.168.103.131/44727,
    flags UIO , idle 0s, uptime 25s, timeout 1h0m, bytes 1036044,
    cluster sent/rcvd bytes 0/1032983, cluster sent/rcvd total bytes 0/1080779, owners (1,255)
  Traffic received at interface outside
    Locally received: 0 (0 byte/s)
    From most recent forwarder ASA1: 1032983 (41319 byte/s)
  Traffic received at interface inside
    Locally received: 3061 (122 byte/s)

The following examples show how to display connections for the Identity Firewall feature:

ciscoasa# show conn user-identity
1219 in use, 1904 most used
UDP inside (www.yahoo.com)10.0.0.2:1587 outside (user1)192.0.0.2:30000, idle 0:00:00, bytes 10, flags –
UDP inside (www.yahoo.com)10.0.0.2:1586 outside (user2)192.0.0.1:30000, idle 0:00:00, bytes 10, flags –
UDP inside 10.0.0.34:1586 outside 192.0.0.25:30000, idle 0:00:00, bytes 10, flags –
…

ciscoasa# show conn user user1
2 in use
UDP inside (www.yahoo.com)10.0.0.2:1587 outside (user1)192.0.0.2:30000, idle 0:00:00, bytes 10, flags –

See the following output for the show conn long zone command:

ciscoasa# show conn long zone zone-inside zone zone-outside
TCP outside-zone:outside1(outside2): 10.122.122.1:1080 inside-zone:inside1(inside2): 10.121.121.1:34254, idle 0:00:02, bytes 10, flags UO

Related Commands

Command     Description
clear conn  Clears connections.

show console-output

To display the currently captured console output, use the show console-output command in privileged EXEC mode.

show console-output

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

                   Firewall Mode           Security Context
                                                    Multiple
Command Mode       Routed   Transparent    Single   Context   System
Privileged EXEC    Yes      Yes            Yes      Yes       Yes

Command History

Release   Modification
7.0(1)    This command was added.

Examples

The following is sample output from the show console-output command, which displays the following message when there is no console output:

ciscoasa# show console-output
Sorry, there are no messages to display

Related Commands

Command                              Description
clear configure console              Restores the default console connection settings.
clear configure timeout              Restores the default idle time durations in the configuration.
console timeout                      Sets the idle timeout for a console connection to the ASA.
show running-config console timeout  Displays the idle timeout for a console connection to the ASA.

show context

To show context information, including allocated interfaces and the configuration file URL, the number of contexts configured, or, from the system execution space, a list of all contexts, use the show context command in privileged EXEC mode.

show context [name | detail | count]

Syntax Description

count    (Optional) Shows the number of contexts configured.
detail   (Optional) Shows additional detail about the context(s), including the running state and information for internal use.
name     (Optional) Sets the context name. If you do not specify a name, the ASA displays all contexts. Within a context, you can only enter the current context name.

Defaults

In the system execution space, the ASA displays all contexts if you do not specify a name.

Command Modes

The following table shows the modes in which you can enter the command:

                   Firewall Mode           Security Context
                                                    Multiple
Command Mode       Routed   Transparent    Single   Context   System
Privileged EXEC    Yes      Yes            —        Yes       Yes

Command History

Release   Modification
7.0(1)    This command was added.
8.0(2)    Information about assigned IPS virtual sensors was added.

Usage Guidelines

See the "Examples" section for a description of the display output.

Examples

The following is sample output from the show context command. The following sample display shows three contexts:

ciscoasa# show context
Context Name    Interfaces                                      URL
*admin          GigabitEthernet0/1.100 GigabitEthernet0/1.101   flash:/admin.cfg
contexta        GigabitEthernet0/1.200 GigabitEthernet0/1.201   flash:/contexta.cfg
contextb        GigabitEthernet0/1.300 GigabitEthernet0/1.301   flash:/contextb.cfg
Total active Security Contexts: 3

Table 4-36 shows each field description.

Table 4-36 show context Fields

Field          Description
Context Name   Lists all context names. The context name with the asterisk (*) is the admin context.
Interfaces     The interfaces assigned to the context.
URL            The URL from which the ASA loads the context configuration.

The following is sample output from the show context detail command in the system execution space:

ciscoasa# show context detail
Context "admin", has been created, but initial ACL rules not complete
  Config URL: flash:/admin.cfg
  Real Interfaces: Management0/0
  Mapped Interfaces: Management0/0
  Real IPS Sensors: ips1, ips2
  Mapped IPS Sensors: highsec, lowsec
  Flags: 0x00000013, ID: 1

Context "ctx", has been created, but initial ACL rules not complete
  Config URL: ctx.cfg
  Real Interfaces: GigabitEthernet0/0.10, GigabitEthernet0/1.20, GigabitEthernet0/2.30
  Mapped Interfaces: int1, int2, int3
  Real IPS Sensors: ips1, ips3
  Mapped IPS Sensors: highsec, lowsec
  Flags: 0x00000011, ID: 2

Context "system", is a system resource
  Config URL: startup-config
  Real Interfaces:
  Mapped Interfaces: Control0/0, GigabitEthernet0/0, GigabitEthernet0/0.10, GigabitEthernet0/1, GigabitEthernet0/1.10, GigabitEthernet0/1.20, GigabitEthernet0/2, GigabitEthernet0/2.30, GigabitEthernet0/3, Management0/0, Management0/0.1
  Flags: 0x00000019, ID: 257

Context "null", is a system resource
  Config URL: ... null ...
  Real Interfaces:
  Mapped Interfaces:
  Flags: 0x00000009, ID: 258

Table 4-37 shows each field description.

Table 4-37 Context States

Field               Description
Context             The context name. The null context information is for internal use only. The system context represents the system execution space.
State Message       The context state. See the possible messages below.

  Has been created, but initial ACL rules not complete
                    The ASA parsed the configuration but has not yet downloaded the default ACLs to establish the default security policy. The default security policy applies to all contexts initially, and includes disallowing traffic from lower security levels to higher security levels, enabling application inspection, and other parameters. This security policy ensures that no traffic can pass through the ASA after the configuration is parsed but before the config ACLs are compiled. You are unlikely to see this state, because the configuration ACLs are compiled very quickly.
  Has been created, but not initialized
                    You entered the context name command, but have not yet entered the config-url command.
  Has been created, but the config hasn't been parsed
                    The default ACLs were downloaded, but the ASA has not parsed the configuration. This state might exist because the configuration download failed because of network connectivity issues, or because you have not yet entered the config-url command. To reload the configuration, from within the context, enter copy startup-config running-config. From the system, reenter the config-url command. Alternatively, you can start configuring the blank running configuration.
  Is a system resource
                    This state applies only to the system execution space and to the null context. The null context is used by the system, and the information is for internal use only.
  Is a zombie
                    You deleted the context using the no context or clear context command, but the context information persists in memory until the ASA reuses the context ID for a new context, or you restart.
  Is active
                    This context is currently running and can pass traffic according to the context configuration security policy.
  Is ADMIN and active
                    This context is the admin context and is currently running.
  Was a former ADMIN, but is now a zombie
                    You deleted the admin context using the clear configure context command, but the context information persists in memory until the ASA reuses the context ID for a new context, or you restart.

Real Interfaces     The interfaces assigned to the context. If you mapped the interface IDs in the allocate-interface command, this display shows the real name of the interface.
Mapped Interfaces   If you mapped the interface IDs in the allocate-interface command, this display shows the mapped names. If you did not map the interfaces, the display lists the real names again.
Real IPS Sensors    The IPS virtual sensors assigned to the context if you have an AIP SSM installed. If you mapped the sensor names in the allocate-ips command, this display shows the real name of the sensor.
Mapped IPS Sensors  If you mapped the sensor names in the allocate-ips command, this display shows the mapped names. If you did not map the sensor names, the display lists the real names again.
Flag                For internal use only.
ID                  An internal ID for this context.

The following is sample output from the show context count command:

ciscoasa# show context count
Total active contexts: 2

Related Commands

Command             Description
admin-context       Sets the admin context.
allocate-interface  Assigns interfaces to a context.
changeto            Changes between contexts or the system execution space.
config-url          Specifies the location of the context configuration.
context             Creates a security context in the system configuration and enters context configuration mode.

show controller

To view controller-specific information for all interfaces present, use the show controller command in privileged EXEC mode.

show controller [slot] [physical_interface] [pci [bridge [bridge-id [port-num]]]] [detail]

Syntax Description

bridge              (Optional) Displays PCI bridge-specific information for the ASA 5585-X.
bridge-id           (Optional) Displays each unique PCI bridge identifier for the ASA 5585-X.
detail              (Optional) Shows additional detail about the controller.
pci                 (Optional) Displays a summary of PCI devices along with the first 256 bytes of their PCI configuration space for the ASA 5585-X.
physical_interface  (Optional) Identifies the interface ID.
port-num            (Optional) Displays the unique port number within each PCI bridge for the ASA 5585-X.
slot                (Optional) Displays PCI-e bus and slot information for the ASA 5580 only.

Defaults

If you do not identify an interface, this command shows information for all interfaces.

Command Modes

The following table shows the modes in which you can enter the command:

                   Firewall Mode           Security Context
                                                    Multiple
Command Mode       Routed   Transparent    Single   Context   System
Privileged EXEC    Yes      Yes            Yes      Yes       Yes

Command History

Release   Modification
7.2(1)    This command was added.
8.0(2)    This command now applies to all platforms, and not just the ASA 5505. The detail keyword was added.
8.1(1)    The slot keyword was added for the ASA 5580.
8.2(5)    The pci, bridge, bridge-id, and port-num options were added for the ASA 5585-X with an IPS SSP installed. In addition, support for sending pause frames to enable flow control on 1 GigabitEthernet interfaces was added for all ASA models.
8.6(1)    Support was added for the detail keyword for the ASA 5512-X through ASA 5555-X Internal-Control0/0 interface, used for control traffic between the ASA and the software module, and for the Internal-Data0/1 interface, used for data traffic between the ASA and the software module.

Usage Guidelines

This command helps Cisco TAC gather useful debug information about the controller when investigating internal and customer-found defects. The actual output depends on the model and Ethernet controller. The command also displays information about all the PCI bridges of interest in the ASA 5585-X with an IPS SSP installed. For the ASA Services Module, the show controller command output does not show any PCIe slot information.
Examples

The following is sample output from the show controller command:

ciscoasa# show controller
Ethernet0/0: Marvell 88E6095 revision 2, switch port 7
PHY Register:
  Control:        0x3000    Status:         0x786d
  Identifier1:    0x0141    Identifier2:    0x0c85
  Auto Neg:       0x01e1    LP Ability:     0x40a1
  Auto Neg Ex:    0x0005    PHY Spec Ctrl:  0x0130
  PHY Status:     0x4c00    PHY Intr En:    0x0400
  Int Port Sum:   0x0000    Rcv Err Cnt:    0x0000
  Led select:     0x1a34    Reg 29:         0x0003
  Reg 30:         0x0000
Port Registers:
  Status:         0x0907    PCS Ctrl:       0x0003
  Identifier:     0x0952    Port Ctrl:      0x0074
  Port Ctrl-1:    0x0000    Vlan Map:       0x077f
  VID and PRI:    0x0001    Port Ctrl-2:    0x0cc8
  Rate Ctrl:      0x0000    Rate Ctrl-2:    0x3000
  Port Asc Vt:    0x0080    In Discard Lo:  0x0000
  In Discard Hi:  0x0000    In Filtered:    0x0000
  Out Filtered:   0x0000
Global Registers:
  Control:        0x0482
---------------------------------------------------------------------
Number of VLANs: 1
---------------------------------------------------------------------
Vlan[db]\Port| 0  | 1  | 2  | 3  | 4  | 5  | 6  | 7  | 8  | 9  | 10 |
---------------------------------------------------------------------
<0001[01]>   | EUT| EUT| EUT| EUT| EUT| EUT| EUT| EUT| EUM| NM | NM |
---------------------------------------------------------------------
....
Ethernet0/6: Marvell 88E6095 revision 2, switch port 1
PHY Register:
  Control:        0x3000    Status:         0x7849
  Identifier1:    0x0141    Identifier2:    0x0c85
  Auto Neg:       0x01e1    LP Ability:     0x0000
  Auto Neg Ex:    0x0004    PHY Spec Ctrl:  0x8130
  PHY Status:     0x0040    PHY Intr En:    0x8400
  Int Port Sum:   0x0000    Rcv Err Cnt:    0x0000
  Led select:     0x1a34    Reg 29:         0x0003
  Reg 30:         0x0000
Port Registers:
  Status:         0x0007    PCS Ctrl:       0x0003
  Identifier:     0x0952    Port Ctrl:      0x0077
  Port Ctrl-1:    0x0000    Vlan Map:       0x07fd
  VID and PRI:    0x0001    Port Ctrl-2:    0x0cc8
  Rate Ctrl:      0x0000    Rate Ctrl-2:    0x3000
  Port Asc Vt:    0x0002    In Discard Lo:  0x0000
  In Discard Hi:  0x0000    In Filtered:    0x0000
  Out Filtered:   0x0000
----Inline power related counters and registers----
  Power on fault:        0    Power off fault:       0
  Detect enable fault:   0    Detect disable fault:  0
  Faults:                0
Driver counters:
  I2C Read Fail:   0    I2C Write Fail:  0
  Resets:          1    Initialized:     1
  PHY reset error: 0
LTC4259 registers:
  INTRPT STATUS  = 0x88    INTRPT MASK    = 0x00
  POWER EVENT    = 0x00    DETECT EVENT   = 0x03
  FAULT EVENT    = 0x00    TSTART EVENT   = 0x00
  SUPPLY EVENT   = 0x02    PORT1 STATUS   = 0x06
  PORT2 STATUS   = 0x06    PORT3 STATUS   = 0x00
  PORT4 STATUS   = 0x00    POWER STATUS   = 0x00
  OPERATE MODE   = 0x0f    DISC. ENABLE   = 0x30
  DT/CLASS ENBL  = 0x33    TIMING CONFIG  = 0x00
  MISC. CONFIG   = 0x00
...
Internal-Data0/0: Y88ACS06
Register settings:
  rap             0xe0004000 = 0x00000000
  ctrl_status     0xe0004004 = 0x5501064a
  irq_src         0xe0004008 = 0x00000000
  irq_msk         0xe000400c = 0x00000000
  irq_hw_err_src  0xe0004010 = 0x00000000
  irq_hw_err_msk  0xe0004014 = 0x00001000
  bmu_cs_rxq      0xe0004060 = 0x002aaa80
  bmu_cs_stxq     0xe0004068 = 0x01155540
  bmu_cs_atxq     0xe000406c = 0x012aaa80
Bank 2: MAC address registers:
....

The following is sample output from the show controller detail command:

ciscoasa# show controller gigabitethernet0/0 detail
GigabitEthernet0/0: Intel i82546GB revision 03
Main Registers:
  Device Control:        0xf8260000 = 0x003c0249
  Device Status:         0xf8260008 = 0x00003347
  Extended Control:      0xf8260018 = 0x000000c0
  RX Config:             0xf8260180 = 0x0c000000
  TX Config:             0xf8260178 = 0x000001a0
  RX Control:            0xf8260100 = 0x04408002
  TX Control:            0xf8260400 = 0x000400fa
  TX Inter Packet Gap:   0xf8260410 = 0x00602008
  RX Filter Cntlr:       0xf8260150 = 0x00000000
  RX Chksum:             0xf8265000 = 0x00000300
RX Descriptor Registers:
  RX Descriptor 0 Cntlr:   0xf8262828 = 0x00010000
  RX Descriptor 0 AddrLo:  0xf8262800 = 0x01985000
  RX Descriptor 0 AddrHi:  0xf8262804 = 0x00000000
  RX Descriptor 0 Length:  0xf8262808 = 0x00001000
  RX Descriptor 0 Head:    0xf8262810 = 0x00000000
  RX Descriptor 0 Tail:    0xf8262818 = 0x000000ff
  RX Descriptor 1 Cntlr:   0xf8262828 = 0x00010000
  RX Descriptor 1 AddrLo:  0xf8260138 = 0x00000000
  RX Descriptor 1 AddrHi:  0xf826013c = 0x00000000
  RX Descriptor 1 Length:  0xf8260140 = 0x00000000
  RX Descriptor 1 Head:    0xf8260148 = 0x00000000
  RX Descriptor 1 Tail:    0xf8260150 = 0x00000000
TX Descriptor Registers:
  TX Descriptor 0 Cntlr:   0xf8263828 = 0x00000000
  TX Descriptor 0 AddrLo:  0xf8263800 = 0x01987000
  TX Descriptor 0 AddrHi:  0xf8263804 = 0x00000000
  TX Descriptor 0 Length:  0xf8263808 = 0x00001000
  TX Descriptor 0 Head:    0xf8263810 = 0x00000000
  TX Descriptor 0 Tail:    0xf8263818 = 0x00000000
RX Address Array:
  Ethernet Address 0: 0012.d948.ef58
  Ethernet Address 1: Not Valid!
  Ethernet Address 2: Not Valid!
  Ethernet Address 3: Not Valid!
  Ethernet Address 4: Not Valid!
  Ethernet Address 5: Not Valid!
  Ethernet Address 6: Not Valid!
  Ethernet Address 7: Not Valid!
  Ethernet Address 8: Not Valid!
  Ethernet Address 9: Not Valid!
  Ethernet Address a: Not Valid!
  Ethernet Address b: Not Valid!
  Ethernet Address c: Not Valid!
  Ethernet Address d: Not Valid!
  Ethernet Address e: Not Valid!
  Ethernet Address f: Not Valid!
PHY Registers:
  Phy Control:                0x1140
  Phy Status:                 0x7969
  Phy ID 1:                   0x0141
  Phy ID 2:                   0x0c25
  Phy Autoneg Advertise:      0x01e1
  Phy Link Partner Ability:   0x41e1
  Phy Autoneg Expansion:      0x0007
  Phy Next Page TX:           0x2801
  Phy Link Partnr Next Page:  0x0000
  Phy 1000T Control:          0x0200
  Phy 1000T Status:           0x4000
  Phy Extended Status:        0x3000
Detailed Output - RX Descriptor Ring:
  rx_bd[000]: baddr      = 0x019823A2, length = 0x0000, status  = 0x00
              pkt chksum = 0x0000,     errors = 0x00,   special = 0x0000
  rx_bd[001]: baddr      = 0x01981A62, length = 0x0000, status  = 0x00
              pkt chksum = 0x0000,     errors = 0x00,   special = 0x0000
........

The following is sample output from the show controller detail command for the Internal interfaces on the ASA 5512-X through ASA 5555-X:

ciscoasa# show controller detail
Internal-Control0/0: ASA IPS/VM Back Plane TunTap Interface , port id 9
Major Configuration Parameters
  Device Name            : en_vtun
  Linux Tun/Tap Device   : /dev/net/tun/tap1
  Num of Transmit Rings  : 1
  Num of Receive Rings   : 1
  Ring Size              : 128
  Max Frame Length       : 1550
  Out of Buffer          : 0
  Reset                  : 0
  Drop                   : 0
Transmit Ring [0]:
  tx_pkts_in_queue       : 0
  tx_pkts                : 176
  tx_bytes               : 9664
Receive Ring [0]:
  rx_pkts_in_queue       : 0
  rx_pkts                : 0
  rx_bytes               : 0
  rx_drops               : 0

Internal-Data0/1: ASA IPS/VM Management Channel TunTap Interface , port id 9
Major Configuration Parameters
  Device Name            : en_vtun
  Linux Tun/Tap Device   : /dev/net/tun/tap2
  Num of Transmit Rings  : 1
  Num of Receive Rings   : 1
  Ring Size              : 128
  Max Frame Length       : 1550
  Out of Buffer          : 0
  Reset                  : 0
  Drop                   : 0
Transmit Ring [0]:
  tx_pkts_in_queue       : 0
  tx_pkts                : 176
  tx_bytes               : 9664
Receive Ring [0]:
  rx_pkts_in_queue       : 0
  rx_pkts                : 0
  rx_bytes               : 0
  rx_drops               : 0

The following is sample output from the show controller slot command:

Slot  Card Description                               PCI-e Bandwidth Cap.
----  ----------------                               ---------------------
3.    ASA 5580 2 port 10GE SR Fiber Interface Card   Bus: x4, Card: x8
4.    ASA 5580 4 port GE Copper Interface Card       Bus: x4, Card: x4
5.    ASA 5580 2 port 10GE SR Fiber Interface Card   Bus: x8, Card: x8
6.    ASA 5580 4 port GE Fiber Interface Card        Bus: x4, Card: x4
7.    empty                                          Bus: x8
8.    empty                                          Bus: x8

The following is sample output from the show controller pci command:

ciscoasa# show controller pci
PCI Evaluation Log:
---------------------------------------------------------------------------
Empty
PCI Bus:Device.Function (hex): 00:00.0
Vendor ID: 0x8086    Device ID: 0x3406
---------------------------------------------------------------------------
PCI Configuration Space (hex):
0x00: 86 80 06 34 00 00 10 00 c0 00 00 06 10 00 00 00
0x10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x20: 00 00 00 00 00 00 22 00 00 00 00 00 86 80 00 00
0x30: 00 00 00 00 60 00 00 00 09 00 00 00 05 01 00 00
0x40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x60: 05 90 02 01 00 00 00 00 00 00 00 00 00 00 00 00
0x70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x90: 10 e0 42 00 20 80 00 00 00 00 00 00 41 3c 3b 00
0xa0: 00 00 41 30 00 00 00 00 00 07 00 01 00 00 00 00
0xb0: 00 00 00 00 3e 00 00 00 00 00 00 00 00 00 00 00
0xc0: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0xd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0xe0: 01 00 03 c8 08 00 00 00 00 00 00 00 00 00 00 00
0xf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Link Capabilities: x4, Gen1
Link Status: x4, Gen1

Related Commands

Command            Description
show interface     Shows the interface statistics.
show tech-support  Shows information so Cisco TAC can diagnose problems.

show coredump filesystem

To show the contents of the coredump filesystem, enter the show coredump filesystem command.

show coredump filesystem

Syntax Description

This command has no arguments or keywords.
Defaults

By default, coredumps are not enabled.

Command Modes

The following table shows the modes in which you can enter the command:

                       Firewall Mode           Security Context
                                                        Multiple
Command Mode           Routed   Transparent    Single   Context   System
Global configuration   Yes      Yes            Yes      Yes       —

Command History

Release   Modification
8.2(1)    This command was added.

Usage Guidelines

This command shows the contents of the coredump filesystem.

Examples

To show the contents of any recent coredumps generated, enter the show coredump filesystem command:

ciscoasa(config)# show coredump filesystem
Coredump Filesystem Size is 100 MB
Filesystem type is FAT for disk0
Filesystem    1k-blocks   Used    Available   Use%   Mounted on
/dev/loop0    102182      75240   26942       74%    /mnt/disk0/coredumpfsys
Directory of disk0:/coredumpfsys/
246  -rwx  20205386  19:14:53 Nov 26 2008  core_lina.2008Nov26_191244.203.11.gz
247  -rwx  36707919  19:17:27 Nov 26 2008  core_lina.2008Nov26_191456.203.6.gz

Related Commands

Command                   Description
coredump enable           Enables the coredump feature.
clear configure coredump  Removes any coredumps currently stored on the coredump filesystem and clears the coredump log. Does not touch the coredump filesystem itself and does not change or affect the coredump configuration.
clear coredump            Removes any coredumps currently stored on the coredump filesystem and clears the coredump log. Does not touch the coredump filesystem itself and does not change or affect the coredump configuration.
show coredump log         Shows the coredump log.

show coredump log

To show the contents of the coredump log, newest first, enter the show coredump log command. To show the contents of the coredump log, oldest first, enter the show coredump log reverse command.

show coredump log
show coredump log [reverse]

Syntax Description

reverse   Shows the coredump log with the oldest entry first.

Defaults

By default, coredumps are not enabled.
Command Modes

The following table shows the modes in which you can enter the command:

                       Firewall Mode           Security Context
                                                        Multiple
Command Mode           Routed   Transparent    Single   Context   System
Global configuration   Yes      Yes            Yes      Yes       —

Command History

Release   Modification
8.2(1)    This command was added.

Usage Guidelines

This command displays the contents of the coredump log. The log should reflect what is currently on the disk.

Examples

The following example shows the output from these commands:

ciscoasa(config)# show coredump log
[ 1 ] Wed Feb 18 22:12:09 2009: Coredump completed for module 'lina', coredump file 'core_lina.2009Feb18_221032.203.6.gz', size 971722752 bytes, compressed size 21293688
[ 2 ] Wed Feb 18 22:11:01 2009: Filesystem full on 'disk0', removing module coredump record 'core_lina.2009Feb18_213558.203.11.gz'
[ 3 ] Wed Feb 18 22:10:32 2009: Coredump started for module 'lina', generating coredump file 'core_lina.2009Feb18_221032.203.6.gz' on 'disk0'
[ 4 ] Wed Feb 18 21:37:35 2009: Coredump completed for module 'lina', coredump file 'core_lina.2009Feb18_213558.203.11.gz', size 971722752 bytes, compressed size 21286383
[ 5 ] Wed Feb 18 21:35:58 2009: Coredump started for module 'lina', generating coredump file 'core_lina.2009Feb18_213558.203.11.gz' on 'disk0'

Note The older coredump file is deleted to make room for the new coredump. The ASA does this automatically when the coredump filesystem fills and room is needed for the current coredump. This is why it is imperative to archive coredumps as soon as possible, to ensure that they do not get overwritten in the event of another crash.
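Because the ASA silently removes the oldest coredump when disk0 fills, a crash dump that was never copied off the box can be gone by the time anyone looks for it. The following Python script is an added example, not part of the Cisco reference or of the ASA software: it reconciles the text of show coredump log (in either order) against the listing from show coredump filesystem and reports which completed dumps are still on disk and should be archived now, which the log says were removed, which started but never completed, and which have an on-disk size that disagrees with the compressed size the log recorded. The log sample is the one shown above; the filesystem listing is constructed to match it, and the function names are assumptions made for the example.

```python
"""Reconcile `show coredump log` against `show coredump filesystem` (added example, not Cisco code)."""
import re
from typing import Dict, List

# "[ 1 ] Wed Feb 18 22:12:09 2009: Coredump completed for module 'lina', coredump file 'core_...gz', ..."
LOG_RE = re.compile(
    r"^\[\s*\d+\s*\]\s+.+?\d{4}:\s+"
    r"(?P<event>Coredump started|Coredump completed|Filesystem full)"
    r".*?'(?P<file>core_[^']+\.gz)'"
)
SIZE_RE = re.compile(r"compressed size (\d+)")
# "246 -rwx 20205386 19:14:53 Nov 26 2008 core_lina.2008Nov26_191244.203.11.gz"
FS_RE = re.compile(r"^\d+\s+-rwx\s+(?P<size>\d+)\s+.*\s(?P<file>core_\S+\.gz)$")


def parse_coredump_log(text: str) -> Dict[str, dict]:
    """Per-file state from the log; works for newest-first and reverse order."""
    state: Dict[str, dict] = {}
    for raw in text.splitlines():
        m = LOG_RE.match(raw.strip())
        if not m:
            continue
        rec = state.setdefault(m["file"], {"started": False, "completed": False,
                                           "removed": False, "compressed": None})
        if m["event"] == "Coredump started":
            rec["started"] = True
        elif m["event"] == "Coredump completed":
            rec["completed"] = True
            size = SIZE_RE.search(raw)
            rec["compressed"] = int(size[1]) if size else None
        else:  # "Filesystem full ... removing module coredump record"
            rec["removed"] = True
    return state


def parse_coredump_fs(text: str) -> Dict[str, int]:
    """File name -> size in bytes from the coredump filesystem directory listing."""
    files: Dict[str, int] = {}
    for raw in text.splitlines():
        m = FS_RE.match(raw.strip())
        if m:
            files[m["file"]] = int(m["size"])
    return files


def reconcile(log_text: str, fs_text: str) -> Dict[str, List[str]]:
    """Classify every coredump the log knows about against what is on disk."""
    log, fs = parse_coredump_log(log_text), parse_coredump_fs(fs_text)
    report: Dict[str, List[str]] = {"archive_now": [], "lost": [],
                                    "incomplete": [], "size_mismatch": []}
    for name, rec in log.items():
        if rec["started"] and not rec["completed"]:
            report["incomplete"].append(name)   # crash during the dump, or still writing
            continue
        if not rec["completed"]:
            continue
        if name not in fs:
            report["lost"].append(name)         # removed (or otherwise gone) before archiving
            continue
        report["archive_now"].append(name)
        if rec["compressed"] is not None and fs[name] != rec["compressed"]:
            report["size_mismatch"].append(name)  # truncated or altered file
    return report


# The page's own show coredump log sample.
LOG_SAMPLE = """\
[ 1 ] Wed Feb 18 22:12:09 2009: Coredump completed for module 'lina', coredump file 'core_lina.2009Feb18_221032.203.6.gz', size 971722752 bytes, compressed size 21293688
[ 2 ] Wed Feb 18 22:11:01 2009: Filesystem full on 'disk0', removing module coredump record 'core_lina.2009Feb18_213558.203.11.gz'
[ 3 ] Wed Feb 18 22:10:32 2009: Coredump started for module 'lina', generating coredump file 'core_lina.2009Feb18_221032.203.6.gz' on 'disk0'
[ 4 ] Wed Feb 18 21:37:35 2009: Coredump completed for module 'lina', coredump file 'core_lina.2009Feb18_213558.203.11.gz', size 971722752 bytes, compressed size 21286383
[ 5 ] Wed Feb 18 21:35:58 2009: Coredump started for module 'lina', generating coredump file 'core_lina.2009Feb18_213558.203.11.gz' on 'disk0'
"""

# Constructed listing (assumption): only the newest dump survived the "Filesystem full" event.
FS_SAMPLE = """\
Coredump Filesystem Size is 100 MB
Filesystem type is FAT for disk0
Directory of disk0:/coredumpfsys/
248 -rwx 21293688 22:12:09 Feb 18 2009 core_lina.2009Feb18_221032.203.6.gz
"""

if __name__ == "__main__":
    for key, names in reconcile(LOG_SAMPLE, FS_SAMPLE).items():
        print(f"{key}: {names}")
```

Run it against the two command outputs captured from the same device at the same time; anything listed under archive_now should be copied off the ASA (for example with copy to an external server) before the next crash triggers another cleanup.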
ciscoasa(config)# show coredump log reverse [ 1 ] Wed Feb 18 21:35:58 2009: Coredump started for module 'lina', generating coredump file 'core_lina.2009Feb18_213558.203.11.gz' on 'disk0'' [ 2 ] Wed Feb 18 21:37:35 2009: Coredump completed for module 'lina', coredump file 'core_lina.2009Feb18_213558.203.11.gz', size 971722752 bytes, compressed size 21286383 [ 3 ] Wed Feb 18 22:10:32 2009: Coredump started for module 'lina', generating coredump file 'core_lina.2009Feb18_221032.203.6.gz' on 'disk0' [ 4 ] Wed Feb 18 22:11:01 2009: Filesystem full on 'disk0', removing module coredump record 'core_lina.2009Feb18_213558.203.11.gz' [ 5 ] Wed Feb 18 22:12:09 2009: Coredump completed for module 'lina', coredump file 'core_lina.2009Feb18_221032.203.6.gz', size 971722752 bytes, compressed size 21293688 Related Commands Command Description coredump enable Enables the coredump feature. clear configure coredump Removes any coredumps currently stored on the coredump filesystem and clears the coredump log. Does not touch the coredump filesystem itself and does not change/effect the coredump configuration. clear coredump Removes any coredumps currently stored on the coredump filesystem and clears the coredump log. Does not touch the coredump filesystem itself and does not change or affect the coredump configuration. show coredump filesystem Shows the contents of the coredump filesystem. Cisco ASA Series Command Reference, S Commands 4-158 Chapter show counters To display the protocol stack counters, use the show counters command in privileged EXEC mode. show counters [all | context context-name | summary | top N ] [detail] [protocol protocol_name [:counter_name]] [ threshold N] Syntax Description all Displays the filter details. context context-name Specifies the context name. :counter_name Specifies a counter by name. detail Displays additional counters information. protocol protocol_name Displays the counters for the specified protocol. summary Displays a counter summary. 
threshold N             Displays only those counters at or above the specified threshold. The range is 1 through 4294967295.
top N                   Displays the counters at or above the specified threshold. The range is 1 through 4294967295.

Defaults

show counters summary detail threshold 1

Command Modes

The following table shows the modes in which you can enter the command:

                      Firewall Mode        Security Context
                                                   Multiple
Command Mode          Routed  Transparent  Single  Context  System
Privileged EXEC       Yes     Yes          Yes     Yes      Yes

Command History

Release  Modification
7.2(1)   This command was added.
9.2(1)   Counters for the event manager were added.

Examples

The following example shows how to display all counters:

ciscoasa# show counters all
Protocol  Counter   Value  Context
IOS_IPC   IN_PKTS   2      single_vf
IOS_IPC   OUT_PKTS  2      single_vf

ciscoasa# show counters
Protocol  Counter           Value  Context
NPCP      IN_PKTS           7195   Summary
NPCP      OUT_PKTS          7603   Summary
IOS_IPC   IN_PKTS           869    Summary
IOS_IPC   OUT_PKTS          865    Summary
IP        IN_PKTS           380    Summary
IP        OUT_PKTS          411    Summary
IP        TO_ARP            105    Summary
IP        TO_UDP            9      Summary
UDP       IN_PKTS           9      Summary
UDP       DROP_NO_APP       9      Summary
FIXUP     IN_PKTS           202    Summary
UAUTH     IPV6_UNSUPPORTED  27     Summary
IDFW      HIT_USER_LIMIT    2      Summary

The following example shows how to display a summary of counters:

ciscoasa# show counters summary
Protocol  Counter   Value  Context
IOS_IPC   IN_PKTS   2      Summary
IOS_IPC   OUT_PKTS  2      Summary

The following example shows how to display counters for a context:

ciscoasa# show counters context single_vf
Protocol  Counter   Value  Context
IOS_IPC   IN_PKTS   4      single_vf
IOS_IPC   OUT_PKTS  4      single_vf

The following example shows how to display counters for the event manager:

ciscoasa# show counters protocol eem
Protocol  Counter   Value  Context
EEM       SYSLOG    22     Summary
EEM       COMMANDS  6      Summary
EEM       FILES     3      Summary

Related Commands

Command         Description
clear counters  Clears the protocol stack counters.
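The show coredump log section above warns that the ASA silently deletes the oldest coredump when disk0 fills. The following script is an added example, not part of the Cisco reference: it parses the log format shown in those examples and reports which completed coredumps are still retrievable and which were deleted before they could be archived. The two sample logs are constructed copies of the output above (newest-first and reverse); the only assumption is that real output keeps that line layout.

```python
"""Triage `show coredump log` output: list every coredump the ASA completed
and flag the ones it later deleted to make room, which can no longer be
archived. Added example; not from the Cisco reference."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# "[ 1 ] Wed Feb 18 22:12:09 2009: <message>"
ENTRY_RE = re.compile(
    r"^\[\s*(?P<idx>\d+)\s*\]\s+(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}):\s+(?P<msg>.*)$"
)
STARTED_RE = re.compile(
    r"Coredump started for module '(?P<module>[^']+)', generating coredump file "
    r"'(?P<file>[^']+)' on '(?P<disk>[^']+)'"
)
COMPLETED_RE = re.compile(
    r"Coredump completed for module '(?P<module>[^']+)', coredump file '(?P<file>[^']+)', "
    r"size (?P<size>\d+) bytes, compressed size (?P<csize>\d+)"
)
REMOVED_RE = re.compile(
    r"Filesystem full on '(?P<disk>[^']+)', removing module coredump record '(?P<file>[^']+)'"
)


@dataclass
class CoredumpEvent:
    index: int
    time: datetime
    kind: str                  # "started", "completed", "removed" or "other"
    file: str | None
    module: str | None = None
    size: int | None = None    # uncompressed bytes (completed events only)
    compressed_size: int | None = None


def parse_coredump_log(text: str) -> list[CoredumpEvent]:
    """Turn log lines into events; prompts and other non-entry lines are ignored."""
    events = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(re.sub(r" +", " ", m["ts"]), "%a %b %d %H:%M:%S %Y")
        msg, idx = m["msg"], int(m["idx"])
        if s := STARTED_RE.search(msg):
            ev = CoredumpEvent(idx, ts, "started", s["file"], s["module"])
        elif c := COMPLETED_RE.search(msg):
            ev = CoredumpEvent(idx, ts, "completed", c["file"], c["module"],
                               int(c["size"]), int(c["csize"]))
        elif r := REMOVED_RE.search(msg):
            ev = CoredumpEvent(idx, ts, "removed", r["file"])
        else:
            ev = CoredumpEvent(idx, ts, "other", None)
        events.append(ev)
    return events


def triage(text: str) -> dict[str, list[str]]:
    """Completed coredumps still on disk versus those the ASA deleted.

    Events are ordered by timestamp first, so the result is the same whether the
    input came from `show coredump log` or `show coredump log reverse`."""
    completed, removed = [], []
    for ev in sorted(parse_coredump_log(text), key=lambda e: e.time):
        if ev.kind == "completed":
            completed.append(ev.file)
        elif ev.kind == "removed":
            removed.append(ev.file)
    retained = [f for f in completed if f not in removed]
    return {"completed": completed, "removed": removed, "retained": retained}


# Constructed sample input, copied from the format of the reference's example.
SAMPLE_LOG = """ciscoasa(config)# show coredump log
[ 1 ] Wed Feb 18 22:12:09 2009: Coredump completed for module 'lina', coredump file 'core_lina.2009Feb18_221032.203.6.gz', size 971722752 bytes, compressed size 21293688
[ 2 ] Wed Feb 18 22:11:01 2009: Filesystem full on 'disk0', removing module coredump record 'core_lina.2009Feb18_213558.203.11.gz'
[ 3 ] Wed Feb 18 22:10:32 2009: Coredump started for module 'lina', generating coredump file 'core_lina.2009Feb18_221032.203.6.gz' on 'disk0'
[ 4 ] Wed Feb 18 21:37:35 2009: Coredump completed for module 'lina', coredump file 'core_lina.2009Feb18_213558.203.11.gz', size 971722752 bytes, compressed size 21286383
[ 5 ] Wed Feb 18 21:35:58 2009: Coredump started for module 'lina', generating coredump file 'core_lina.2009Feb18_213558.203.11.gz' on 'disk0'
"""
# Same entries as `show coredump log reverse` would print them (oldest first).
SAMPLE_LOG_REVERSE = "\n".join(
    f"[ {i} ] {line.split('] ', 1)[1]}"
    for i, line in enumerate(reversed(SAMPLE_LOG.strip().splitlines()[1:]), start=1)
)

if __name__ == "__main__":
    for name, lost in triage(SAMPLE_LOG).items():
        print(f"{name:9}: {lost}")
```

Run the triage on each `show coredump log` capture you collect; anything listed under "removed" is evidence that is already gone, and a non-empty "retained" list is the set of files still worth copying off disk0 with `copy` before the next crash.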
show cpu

To display the CPU utilization information, use the show cpu command in privileged EXEC mode.

[cluster exec] show cpu [usage core-id | profile | dump | detailed]

From the system configuration in multiple context mode:

[cluster exec] show cpu [usage] [context {all | context_name}]

Syntax Description

all           Specifies that the display show all contexts.
cluster exec  (Optional) In a clustering environment, enables you to issue the show cpu command in one unit and run the command in all the other units at the same time.
context       Specifies that the display show a context.
context_name  Specifies the name of the context to display.
core-id       Specifies the number of the processor core.
detailed      (Optional) Displays the CPU usage internal details.
dump          (Optional) Displays the dump profiling data to the TTY.
profile       (Optional) Displays the CPU profiling data.
usage         (Optional) Displays the CPU usage.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

                      Firewall Mode        Security Context
                                                   Multiple
Command Mode          Routed  Transparent  Single  Context  System
Privileged EXEC       Yes     Yes          Yes     Yes      Yes

Command History

Release  Modification
7.0(1)   This command was added.
8.6(1)   The core-id option was added to support the ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X.
9.1(2)   The output was updated for the show cpu profile and show cpu profile dump commands.
9.2(1)   Virtual platform CPU usage was added to the output for the ASAv.

Usage Guidelines

The CPU usage is computed by approximating the load every five seconds and feeding that approximation into two moving averages, which produce the 1-minute and 5-minute figures.
You can use the show cpu command to find process-related load (that is, activity on behalf of the items listed by the output of the show process command), both in single mode and from the system configuration in multiple context mode. In multiple context mode, you can also request a breakdown of the process-related load into the CPU consumed by each configured context, either by changing to each context and entering the show cpu command or by entering the show cpu context command. Process-related load is rounded to the nearest whole number, while context-related loads include one additional decimal digit of precision. For example, entering the show cpu command from the system context produces a different number than entering the show cpu context system command: the former is an approximate summary of everything that appears in the show cpu context all output, and the latter is only one portion of that summary.

You can use the show cpu profile dump command together with the cpu profile activate command to collect information for TAC use in troubleshooting CPU issues. The show cpu profile dump command output is in hexadecimal format.

If the CPU profiler is waiting for a starting condition to occur, the show cpu profile command displays the following output:

CPU profiling started: 12:45:57.209 UTC Wed Nov 14 2012
CPU Profiling waiting on starting condition.
  Core 0: 0 out of 10 samples collected.
  Core 1: 0 out of 10 samples collected.
  Core 2: 0 out of 10 samples collected.
  Core 3: 0 out of 10 samples collected.
  CP     0 out of 10 samples collected.

For the ASAv, note the following licensing guidelines:

• The number of allowed vCPUs is determined by the vCPU platform license installed.
  – If the number of licensed vCPUs matches the number of provisioned vCPUs, the state is Compliant.
  – If the number of licensed vCPUs is less than the number of provisioned vCPUs, the state is Noncompliant: Over-provisioned.
  – If the number of licensed vCPUs is more than the number of provisioned vCPUs, the state is Compliant: Under-provisioned.
• The memory limit is determined by the number of vCPUs provisioned.
  – If the provisioned memory is at the allowed limit, the state is Compliant.
  – If the provisioned memory is above the allowed limit, the state is Noncompliant: Over-provisioned.
  – If the provisioned memory is below the allowed limit, the state is Compliant: Under-provisioned.
• The Frequency Reservation limit is determined by the number of vCPUs provisioned.
  – If the frequency reservation is at or above the required minimum (1000 MHz), the state is Compliant.
  – If the frequency reservation is below the required minimum (1000 MHz), the state is Compliant: Under-provisioned.

For example, the following output shows that no license has been applied. The number of allowed vCPUs refers to the number licensed, and Noncompliant: Over-provisioned indicates that the product is running with more resources than have been licensed.
Virtual platform CPU resources
------------------------------
Number of vCPUs                 : 1
Number of allowed vCPUs         : 0
vCPU Status                     : Noncompliant: Over-provisioned

Examples

The following example shows how to display the CPU utilization:

ciscoasa# show cpu usage
CPU utilization for 5 seconds = 18%; 1 minute: 18%; 5 minutes: 18%

The following example shows how to display detailed CPU utilization information:

ciscoasa# show cpu detailed
Break down of per-core data path versus control point cpu usage:
Core         5 sec              1 min              5 min
Core 0   0.0 (0.0 + 0.0)    3.3 (0.0 + 3.3)    2.4 (0.0 + 2.4)

Current control point elapsed versus the maximum control point elapsed for:
   5 seconds = 99.0%; 1 minute: 99.8%; 5 minutes: 95.9%
CPU utilization of external processes for:
   5 seconds = 0.2%; 1 minute: 0.0%; 5 minutes: 0.0%
Total CPU utilization for:
   5 seconds = 0.2%; 1 minute: 3.3%; 5 minutes: 2.5%

Note  The "Current control point elapsed versus the maximum control point elapsed for" statement means that the current control point load is compared to the maximum load seen within the defined time period. This is a ratio, not an absolute number. The figure of 99% for the 5-second interval means that the current control point load is at 99% of the maximum load seen over that 5-second interval. If the load keeps increasing, the figure stays at 100%; the CPU may still have a lot of free capacity, because the maximum is relative to what was observed and not to an absolute limit. Use the "Total CPU utilization" lines, not this ratio, when judging whether the box is actually busy.
The following example shows how to display the CPU utilization for the system context in multiple context mode:

ciscoasa# show cpu context system
CPU utilization for 5 seconds = 9.1%; 1 minute: 9.2%; 5 minutes: 9.1%

The following example shows how to display the CPU utilization for all contexts:

ciscoasa# show cpu usage context all
5 sec   1 min   5 min   Context Name
9.1%    9.2%    9.1%    system
0.0%    0.0%    0.0%    admin
5.0%    5.0%    5.0%    one
4.2%    4.3%    4.2%    two

The following example shows how to display the CPU utilization for a context named "one":

ciscoasa/one# show cpu usage
CPU utilization for 5 seconds = 5.0%; 1 minute: 5.0%; 5 minutes: 5.0%

The following example activates the profiler and instructs it to store 1000 samples:

ciscoasa# cpu profile activate
Activated CPU profiling for 1000 samples.
Use "show cpu profile" to display the progress or "show cpu profile dump" to interrupt profiling and display the incomplete results.

The following examples show the status of the profiling (in progress) and the dump of the collected samples:

ciscoasa# show cpu profile
CPU profiling started: 13:45:10.400 PST Fri Nov 16 2012
CPU profiling currently in progress:
  Core 0: 209 out of 1000 samples collected.
Use "show cpu profile dump" to see the results after it is complete or to interrupt profiling and display the incomplete results.

ciscoasa# show cpu profile dump
Cisco Adaptive Security Appliance Software Version 9.1(2)
Hardware:   ASA5555
CPU profiling started: 09:13:32.079 UTC Wed Jan 30 2013
No CPU profiling process specified.
No CPU profiling trigger specified.
cores: 2
Process virtual address map:
---------------------------
…
---------------------------
End of process map
Samples for core 0 - stopped
{0x00000000007eadb6,0x000000000211ee7e}
...

Copy this information and provide it to the TAC for decoding.

The following example shows CPU usage for the ASAv:

ciscoasa# show cpu
CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%

Virtual platform CPU resources
------------------------------
Number of vCPUs                 : 2
Number of allowed vCPUs         : 2
vCPU Status                     : Compliant
Frequency Reservation           : 1000 MHz
Minimum required                : 1000 MHz
Frequency Limit                 : 4000 MHz
Maximum allowed                 : 56000 MHz
Frequency Status                : Compliant
Average Usage (30 seconds)      : 136 MHz

The following example shows details of CPU usage for the ASAv:

ciscoasa# show cpu detailed
Break down of per-core data path versus control point cpu usage:
Core         5 sec              1 min              5 min
Core 0   0.0 (0.0 + 0.0)    0.0 (0.0 + 0.0)    0.0 (0.0 + 0.0)
Core 1   0.0 (0.0 + 0.0)    0.2 (0.2 + 0.0)    0.0 (0.0 + 0.0)
Core 2   0.0 (0.0 + 0.0)    0.0 (0.0 + 0.0)    0.0 (0.0 + 0.0)
Core 3   0.0 (0.0 + 0.0)    0.1 (0.0 + 0.1)    0.0 (0.0 + 0.0)

Current control point elapsed versus the maximum control point elapsed for:
   5 seconds = 0.0%; 1 minute: 0.0%; 5 minutes: 0.0%
CPU utilization of external processes for:
   5 seconds = 0.0%; 1 minute: 0.0%; 5 minutes: 0.0%
Total CPU utilization for:
   5 seconds = 0.1%; 1 minute: 0.1%; 5 minutes: 0.1%

Virtual platform CPU resources
------------------------------
Number of vCPUs                 : 4
Number of allowed vCPUs         : 4
vCPU Status                     : Compliant
Frequency Reservation           : 1000 MHz
Minimum required                : 1000 MHz
Frequency Limit                 : 20000 MHz
Maximum allowed                 : 20000 MHz
Frequency Status                : Compliant
Average Usage (30 seconds)      : 99 MHz

Related Commands

Command               Description
show counters         Displays the protocol stack counters.
cpu profile activate  Activates CPU profiling.
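A monitoring job usually wants two things out of the show cpu family: the per-context load table, so one noisy context can be blamed, and the ASAv "Virtual platform CPU resources" block, so an unlicensed or under-provisioned virtual appliance is caught before it becomes a capacity incident. The following parser is an added example, not part of the Cisco reference; the sample captures are constructed from the formats shown above, and the 80% five-minute threshold is an assumption chosen for the example.

```python
"""Parse `show cpu` output for monitoring: per-context load, the utilization
summary line and the ASAv licence/provisioning state. Added example; not from
the Cisco reference."""
import re

# "9.1%    9.2%    9.1%    system"  (a row of `show cpu usage context all`)
CONTEXT_ROW_RE = re.compile(
    r"^\s*(?P<s5>\d+(?:\.\d+)?)%\s+(?P<m1>\d+(?:\.\d+)?)%\s+(?P<m5>\d+(?:\.\d+)?)%\s+(?P<name>\S+)\s*$"
)
# "CPU utilization for 5 seconds = 18%; 1 minute: 18%; 5 minutes: 18%"
UTIL_RE = re.compile(
    r"CPU utilization for 5 seconds = (?P<s5>[\d.]+)%; 1 minute: (?P<m1>[\d.]+)%; 5 minutes: (?P<m5>[\d.]+)%"
)
# "Number of allowed vCPUs         : 0"
KV_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9 ()]*?)\s*:\s*(?P<val>.+?)\s*$")


def parse_utilization(text):
    """(5 sec, 1 min, 5 min) percentages from the summary line, or None."""
    m = UTIL_RE.search(text)
    return tuple(float(m[g]) for g in ("s5", "m1", "m5")) if m else None


def parse_context_usage(text):
    """Map context name -> (5 sec, 1 min, 5 min) from `show cpu usage context all`."""
    rows = {}
    for line in text.splitlines():
        m = CONTEXT_ROW_RE.match(line)
        if m:
            rows[m["name"]] = (float(m["s5"]), float(m["m1"]), float(m["m5"]))
    return rows


def busy_contexts(text, threshold_5min=80.0):
    """Contexts whose 5-minute average is at or above the threshold (assumed 80%)."""
    return sorted(name for name, (_, _, m5) in parse_context_usage(text).items()
                  if m5 >= threshold_5min)


def parse_vcpu_resources(text):
    """Key/value pairs of the 'Virtual platform CPU resources' block (ASAv only)."""
    fields, in_block = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Virtual platform CPU resources"):
            in_block = True
            continue
        if not in_block or not stripped or set(stripped) == {"-"}:
            continue
        m = KV_RE.match(line)
        if m:
            fields[m["key"]] = m["val"]
    return fields


def license_findings(text):
    """Findings for an ASAv that is over- or under-provisioned against its licence."""
    res = parse_vcpu_resources(text)
    findings = []
    vcpu = res.get("vCPU Status", "")
    if vcpu.startswith("Noncompliant"):
        findings.append(f"vCPU: {vcpu} ({res.get('Number of vCPUs')} provisioned, "
                        f"{res.get('Number of allowed vCPUs')} allowed)")
    freq = res.get("Frequency Status", "")
    if freq.startswith("Noncompliant") or "Under-provisioned" in freq:
        findings.append(f"Frequency: {freq} (reservation {res.get('Frequency Reservation')}, "
                        f"minimum {res.get('Minimum required')})")
    return findings


# Constructed samples in the layouts shown in the reference's examples.
SAMPLE_CONTEXTS = """ciscoasa# show cpu usage context all
5 sec   1 min   5 min   Context Name
9.1%    9.2%    9.1%    system
0.0%    0.0%    0.0%    admin
5.0%    5.0%    5.0%    one
4.2%    4.3%    4.2%    two
"""
SAMPLE_ASAV_UNLICENSED = """ciscoasa# show cpu
CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%

Virtual platform CPU resources
------------------------------
Number of vCPUs                 : 1
Number of allowed vCPUs         : 0
vCPU Status                     : Noncompliant: Over-provisioned
"""
SAMPLE_ASAV_OK = """Virtual platform CPU resources
------------------------------
Number of vCPUs                 : 2
Number of allowed vCPUs         : 2
vCPU Status                     : Compliant
Frequency Reservation           : 1000 MHz
Minimum required                : 1000 MHz
Frequency Limit                 : 4000 MHz
Maximum allowed                 : 56000 MHz
Frequency Status                : Compliant
Average Usage (30 seconds)      : 136 MHz
"""

if __name__ == "__main__":
    print("busy (>=5%):", busy_contexts(SAMPLE_CONTEXTS, threshold_5min=5.0))
    print("findings:", license_findings(SAMPLE_ASAV_UNLICENSED) or "none")
```

The context regex keys on three percentage columns followed by a name, so the "5 sec 1 min 5 min Context Name" header and the summary line never match; the key/value parser is only switched on after the "Virtual platform CPU resources" banner so that lines such as "CPU utilization for 5 seconds = 0%; 1 minute: 0%" are not mistaken for fields.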
CHAPTER 5  show crashinfo through show curpriv Commands

show crashinfo

To display the contents of the crash file stored in Flash memory, enter the show crashinfo command in privileged EXEC mode.

show crashinfo [save]

Syntax Description

save  (Optional) Displays whether the ASA is configured to save crash information to Flash memory.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

                      Firewall Mode        Security Context
                                                   Multiple
Command Mode          Routed  Transparent  Single  Context  System
Privileged EXEC       Yes     Yes          Yes     —        Yes

Command History

Release  Modification
7.0(1)   This command was added.
9.1(5)   The show process section of the output displays the thread ID (TID).
9.4(1)   The output includes the most recent 50 lines of generated syslogs. You must enable the logging buffered command for these lines to appear.

Usage Guidelines

If the crash file is from a test crash (generated with the crashinfo test command), the first string of the crash file is ": Saved_Test_Crash" and the last string is ": End_Test_Crash". If the crash file is from a real crash, the first string of the crash file is ": Saved_Crash" and the last string is ": End_Crash". (This includes crashes forced with the crashinfo force page-fault or crashinfo force watchdog commands.)

If there is no crash data saved in flash, or if the crash data has been cleared by entering the clear crashinfo command, the show crashinfo command displays an error message.

Examples

The following example shows how to display the current crash information configuration:

ciscoasa# show crashinfo save
crashinfo save enable

The following example shows the output for a crash file test.
(However, this test does not actually crash the ASA. It provides a simulated example file.)

ciscoasa(config)# crashinfo test
ciscoasa(config)# exit
ciscoasa# show crashinfo
: Saved_Test_Crash
Thread Name: ci/console (Old pc 0x001a6ff5 ebp 0x00e88920)
Traceback:
0: 00323143
1: 0032321b
2: 0010885c
3: 0010763c
4: 001078db
5: 00103585
6: 00000000
vector 0x000000ff (user defined)
   edi 0x004f20c4
   esi 0x00000000
   ebp 0x00e88c20
   esp 0x00e88bd8
   ebx 0x00000001
   edx 0x00000074
   ecx 0x00322f8b
   eax 0x00322f8b
error code n/a
   eip 0x0010318c
   cs  0x00000008
eflags 0x00000000
   CR2 0x00000000
F-flags  : 0x2
F-flags2 : 0x0
F-flags3 : 0x10000
F-flags4 : 0x0
F-bytes  : 0
Stack dump: base:0x00e8511c size:16384, active:1476
0x00e89118: 0x004f1bb4
0x00e89114: 0x001078b4
0x00e89110-0x00e8910c: 0x00000000
0x00e89108-0x00e890ec: 0x12345678
0x00e890e8: 0x004f1bb4
0x00e890e4: 0x00103585
0x00e890e0: 0x00e8910c
0x00e890dc-0x00e890cc: 0x12345678
0x00e890c8: 0x00000000
0x00e890c4-0x00e890bc: 0x12345678
0x00e890b8: 0x004f1bb4
0x00e890b4: 0x001078db
0x00e890b0: 0x00e890e0
0x00e890ac-0x00e890a8: 0x12345678
0x00e890a4: 0x001179b3
0x00e890a0: 0x00e890b0
0x00e8909c-0x00e89064: 0x12345678
0x00e89060: 0x12345600
0x00e8905c: 0x20232970
0x00e89058: 0x616d2d65
0x00e89054: 0x74002023
0x00e89050: 0x29676966
0x00e8904c: 0x6e6f6328
0x00e89048: 0x31636573
0x00e89044: 0x7069636f
0x00e89040: 0x64786970
0x00e8903c-0x00e88e50: 0x00000000
0x00e88e4c: 0x000a7473
0x00e88e48: 0x6574206f
0x00e88e44: 0x666e6968
0x00e88e40: 0x73617263
0x00e88e3c-0x00e88e38: 0x00000000
0x00e88e34: 0x12345600
0x00e88e30-0x00e88dfc: 0x00000000
0x00e88df8: 0x00316761
0x00e88df4: 0x74706100
0x00e88df0: 0x12345600
0x00e88dec-0x00e88ddc: 0x00000000
0x00e88dd8: 0x00000070
0x00e88dd4: 0x616d2d65
0x00e88dd0: 0x74756f00
0x00e88dcc: 0x00000000
0x00e88dc8: 0x00e88e40
0x00e88dc4: 0x004f20c4
0x00e88dc0: 0x12345600
0x00e88dbc: 0x00000000
0x00e88db8: 0x00000035
0x00e88db4: 0x315f656c
0x00e88db0: 0x62616e65
0x00e88dac: 0x0030fcf0
0x00e88da8: 0x3011111f
0x00e88da4: 0x004df43c
0x00e88da0: 0x0053fef0
0x00e88d9c: 0x004f1bb4
0x00e88d98: 0x12345600
0x00e88d94: 0x00000000
0x00e88d90: 0x00000035
0x00e88d8c: 0x315f656c
0x00e88d88: 0x62616e65
0x00e88d84: 0x00000000
0x00e88d80: 0x004f20c4
0x00e88d7c: 0x00000001
0x00e88d78: 0x01345678
0x00e88d74: 0x00f53854
0x00e88d70: 0x00f7f754
0x00e88d6c: 0x00e88db0
0x00e88d68: 0x00e88d7b
0x00e88d64: 0x00f53874
0x00e88d60: 0x00e89040
0x00e88d5c-0x00e88d54: 0x12345678
0x00e88d50-0x00e88d4c: 0x00000000
0x00e88d48: 0x004f1bb4
0x00e88d44: 0x00e88d7c
0x00e88d40: 0x00e88e40
0x00e88d3c: 0x00f53874
0x00e88d38: 0x004f1bb4
0x00e88d34: 0x0010763c
0x00e88d30: 0x00e890b0
0x00e88d2c: 0x00e88db0
0x00e88d28: 0x00e88d88
0x00e88d24: 0x0010761a
0x00e88d20: 0x00e890b0
0x00e88d1c: 0x00e88e40
0x00e88d18: 0x00f53874
0x00e88d14: 0x0010166d
0x00e88d10: 0x0000000e
0x00e88d0c: 0x00f53874
0x00e88d08: 0x00f53854
0x00e88d04: 0x0048b301
0x00e88d00: 0x00e88d30
0x00e88cfc: 0x0000000e
0x00e88cf8: 0x00f53854
0x00e88cf4: 0x0048a401
0x00e88cf0: 0x00f53854
0x00e88cec: 0x00f53874
0x00e88ce8: 0x0000000e
0x00e88ce4: 0x0048a64b
0x00e88ce0: 0x0000000e
0x00e88cdc: 0x00f53874
0x00e88cd8: 0x00f7f96c
0x00e88cd4: 0x0048b4f8
0x00e88cd0: 0x00e88d00
0x00e88ccc: 0x0000000f
0x00e88cc8: 0x00f7f96c
0x00e88cc4-0x00e88cc0: 0x0000000e
0x00e88cbc: 0x00e89040
0x00e88cb8: 0x00000000
0x00e88cb4: 0x00f5387e
0x00e88cb0: 0x00f53874
0x00e88cac: 0x00000002
0x00e88ca8: 0x00000001
0x00e88ca4: 0x00000009
0x00e88ca0-0x00e88c9c: 0x00000001
0x00e88c98: 0x00e88cb0
0x00e88c94: 0x004f20c4
0x00e88c90: 0x0000003a
0x00e88c8c: 0x00000000
0x00e88c88: 0x0000000a
0x00e88c84: 0x00489f3a
0x00e88c80: 0x00e88d88
0x00e88c7c: 0x00e88e40
0x00e88c78: 0x00e88d7c
0x00e88c74: 0x001087ed
0x00e88c70: 0x00000001
0x00e88c6c: 0x00e88cb0
0x00e88c68: 0x00000002
0x00e88c64: 0x0010885c
0x00e88c60: 0x00e88d30
0x00e88c5c: 0x00727334
0x00e88c58: 0xa0ffffff
0x00e88c54: 0x00e88cb0
0x00e88c50: 0x00000001
0x00e88c4c: 0x00e88cb0
0x00e88c48: 0x00000002
0x00e88c44: 0x0032321b
0x00e88c40: 0x00e88c60
0x00e88c3c: 0x00e88c7f
0x00e88c38: 0x00e88c5c
0x00e88c34: 0x004b1ad5
0x00e88c30: 0x00e88c60
0x00e88c2c: 0x00e88e40
0x00e88c28: 0xa0ffffff
0x00e88c24: 0x00323143
0x00e88c20: 0x00e88c40
0x00e88c1c: 0x00000000
0x00e88c18: 0x00000008
0x00e88c14: 0x0010318c
0x00e88c10-0x00e88c0c: 0x00322f8b
0x00e88c08: 0x00000074
0x00e88c04: 0x00000001
0x00e88c00: 0x00e88bd8
0x00e88bfc: 0x00e88c20
0x00e88bf8: 0x00000000
0x00e88bf4: 0x004f20c4
0x00e88bf0: 0x000000ff
0x00e88bec: 0x00322f87
0x00e88be8: 0x00f5387e
0x00e88be4: 0x00323021
0x00e88be0: 0x00e88c10
0x00e88bdc: 0x004f20c4
0x00e88bd8: 0x00000000 *
0x00e88bd4: 0x004eabb0
0x00e88bd0: 0x00000001
0x00e88bcc: 0x00f5387e
0x00e88bc8-0x00e88bc4: 0x00000000
0x00e88bc0: 0x00000008
0x00e88bbc: 0x0010318c
0x00e88bb8-0x00e88bb4: 0x00322f8b
0x00e88bb0: 0x00000074
0x00e88bac: 0x00000001
0x00e88ba8: 0x00e88bd8
0x00e88ba4: 0x00e88c20
0x00e88ba0: 0x00000000
0x00e88b9c: 0x004f20c4
0x00e88b98: 0x000000ff
0x00e88b94: 0x001031f2
0x00e88b90: 0x00e88c20
0x00e88b8c: 0xffffffff
0x00e88b88: 0x00e88cb0
0x00e88b84: 0x00320032
0x00e88b80: 0x37303133
0x00e88b7c: 0x312f6574
0x00e88b78: 0x6972772f
0x00e88b74: 0x342f7665
0x00e88b70: 0x64736666
0x00e88b6c: 0x00020000
0x00e88b68: 0x00000010
0x00e88b64: 0x00000001
0x00e88b60: 0x123456cd
0x00e88b5c: 0x00000000
0x00e88b58: 0x00000008

Cisco XXX Firewall Version X.X
Cisco XXX Device Manager Version X.X

Compiled on Fri 15-Nov-04 14:35 by root

hostname up 10 days 0 hours

Hardware:   XXX-XXX, 64 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0003.e300.73fd, irq 10
1: ethernet1: address is 0003.e300.73fe, irq 7
2: ethernet2: address is 00d0.b7c8.139e, irq 9

Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Disabled
Maximum Interfaces: 3
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited

This XXX has a Restricted (R) license.

Serial Number: 480430455 (0x1ca2c977)
Running Activation Key: 0xc2e94182 0xc21d8206 0x15353200 0x633f6734
Configuration last modified by enable_15 at 13:49:42.148 UTC Wed Nov 20 2004

------------------ show clock ------------------
15:34:28.129 UTC Sun Nov 24 2004

------------------ show memory ------------------
Free memory:        50444824 bytes
Used memory:        16664040 bytes
-------------     ----------------
Total memory:       67108864 bytes

------------------ show conn count ------------------
0 in use, 0 most used

------------------ show xlate count ------------------
0 in use, 0 most used

------------------ show vpn-sessiondb summary ------------------
Active Session Summary

Sessions:
                          Active : Cumulative : Peak Concurrent : Inactive
  SSL VPN               :      2 :          2 :               2 :        0
    Clientless only     :      0 :          0
    With client         :      2 :          2 :               2 :        0
  Email Proxy           :      0 :          0
  IPsec LAN-to-LAN      :      1 :          1
  IPsec Remote Access   :      0 :          0
  VPN Load Balancing    :      0 :          0
  Totals                :      3 :          3

License Information:
  Shared VPN License Information:
    SSL VPN                    :     1500
      Allocated to this device :       50
      Allocated in network     :       50
      Device limit             :      750

  IPsec   :    750   Configured :    750   Active :    1   Load :   0%
  SSL VPN :     52   Configured :     52   Active :    2   Load :   4%

                          Active : Cumulative : Peak Concurrent
  IPsec                 :      1 :          1 :               1
  SSL VPN               :      2 :         10 :               2
    AnyConnect Mobile   :      0 :          0 :               0
    Linksys Phone       :      0 :          0 :               0
  Totals                :      3 :         11

Tunnels:
                          Active : Cumulative : Peak Concurrent
  IKE                   :      1 :          1 :               1
  IPsec                 :      1 :          1 :               1
  Clientless            :      2 :          2 :               2
  SSL-Tunnel            :      2 :          2 :               2
  DTLS-Tunnel           :      2 :          2 :               2
  Totals                :      8 :          8

------------------ show blocks ------------------
  SIZE    MAX    LOW    CNT
     4   1600   1600   1600
    80    400    400    400
   256    500    499    500
  1550   1188    795    927

------------------ show interface ------------------
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0003.e300.73fd
  IP address 172.23.59.232, subnet mask 255.255.0.0
  MTU 1500 bytes, BW 10000 Kbit half duplex
        6139 packets input, 830375 bytes, 0 no buffer
        Received 5990 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        90 packets output, 6160 bytes, 0 underruns
        0 output errors, 13 collisions, 0 interface resets
        0 babbles, 0 late collisions, 47 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (5/128) software (0/2)
        output queue (curr/max blocks): hardware (0/1) software (0/1)
interface ethernet1 "inside" is up, line protocol is down
  Hardware is i82559 ethernet, address is 0003.e300.73fe
  IP address 10.1.1.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 10000 Kbit half duplex
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        1 packets output, 60 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        1 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (0/1) software (0/1)
interface ethernet2 "intf2" is administratively down, line protocol is down
  Hardware is i82559 ethernet, address is 00d0.b7c8.139e
  IP address 127.0.0.1, subnet mask 255.255.255.255
  MTU 1500 bytes, BW 10000 Kbit half duplex
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (0/0) software (0/0)

------------------ show cpu usage ------------------
CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%

------------------ show process ------------------
    PC       SP       STATE    Runtime    SBASE    Stack        Process              TID
Hsi 001e3329 00763e7c 0053e5c8         0 00762ef4 3784/4096    arp_timer            0x000000000000000a
Lsi 001e80e9 00807074 0053e5c8         0 008060fc 3792/4096    FragDBGC             0x000000000000006b
Lwe 00117e3a 009dc2e4 00541d18         0 009db46c 3704/4096    dbgtrace
Lwe 003cee95 009de464 00537718         0 009dc51c 8008/8192    Logger
Hwe 003d2d18 009e155c 005379c8         0 009df5e4 8008/8192    tcp_fast
Hwe 003d2c91 009e360c 005379c8         0 009e1694 8008/8192    tcp_slow
Lsi 002ec97d 00b1a464 0053e5c8         0 00b194dc 3928/4096    xlate clean
Lsi 002ec88b 00b1b504 0053e5c8         0 00b1a58c 3888/4096    uxlate clean
Mrd 002e3a17 00c8f8d4 0053e600         0 00c8d93c 7908/8192    tcp_intercept_times
Lsi 00423dd5 00d3a22c 0053e5c8         0 00d392a4 3900/4096    route_process
Hsi 002d59fc 00d3b2bc 0053e5c8         0 00d3a354 3780/4096    PIX Garbage Collecr
Hwe 0020e301 00d5957c 0053e5c8         0 00d55614 16048/16384  isakmp_time_keepr
Lsi 002d377c 00d7292c 0053e5c8         0 00d719a4 3928/4096    perfmon
Hwe 0020bd07 00d9c12c 0050bb90         0 00d9b1c4 3944/4096    IPsec
Mwe 00205e25 00d9e1ec 0053e5c8         0 00d9c274 7860/8192    IPsec timer handler
Hwe 003864e3 00db26bc 00557920         0 00db0764 6904/8192    qos_metric_daemon
Mwe 00255a65 00dc9244 0053e5c8         0 00dc8adc 1436/2048    IP Background
Lwe 002e450e 00e7bb94 00552c30         0 00e7ad1c 3704/4096    pix/trace
Lwe 002e471e 00e7cc44 00553368         0 00e7bdcc 3704/4096    pix/tconsole
Hwe 001e5368 00e7ed44 00730674         0 00e7ce9c 7228/8192    pix/intf0
Hwe 001e5368 00e80e14 007305d4         0 00e7ef6c 7228/8192    pix/intf1
Hwe 001e5368 00e82ee4 00730534      2470 00e8103c 4892/8192    pix/intf2
H*  001a6ff5 0009ff2c 0053e5b0      4820 00e8511c 12860/16384  ci/console
Csi 002dd8ab 00e8a124 0053e5c8         0 00e891cc 3396/4096    update_cpu_usage
Hwe 002cb4d1 00f2bfbc 0051e360         0 00f2a134 7692/8192    uauth_in
Hwe 003d17d1 00f2e0bc 00828cf0         0 00f2c1e4 7896/8192    uauth_thread
Hwe 003e71d4 00f2f20c 00537d20         0 00f2e294 3960/4096    udp_timer
Hsi 001db3ca 00f30fc4 0053e5c8         0 00f3004c 3784/4096    557mcfix
Crd 001db37f 00f32084 0053ea40 508286220 00f310fc 3688/4096    557poll
Lsi 001db435 00f33124 0053e5c8         0 00f321ac 3700/4096    557timer
Hwe 001e5398 00f441dc 008121e0         0 00f43294 3912/4096    fover_ip0
Cwe 001dcdad 00f4523c 00872b48       120 00f44344 3528/4096    ip/0:0
Hwe 001e5398 00f4633c 008121bc        10 00f453f4 3532/4096    icmp0
Hwe 001e5398 00f47404 00812198         0 00f464cc 3896/4096    udp_thread/0
Hwe 001e5398 00f4849c 00812174         0 00f475a4 3456/4096    tcp_thread/0
Hwe 001e5398 00f495bc 00812150         0 00f48674 3912/4096    fover_ip1
Cwe 001dcdad 00f4a61c 008ea850         0 00f49724 3832/4096    ip/1:1
Hwe 001e5398 00f4b71c 0081212c         0 00f4a7d4 3912/4096    icmp1
Hwe 001e5398 00f4c7e4 00812108         0 00f4b8ac 3896/4096    udp_thread/1
Hwe 001e5398 00f4d87c 008120e4         0 00f4c984 3832/4096    tcp_thread/1
Hwe 001e5398 00f4e99c 008120c0         0 00f4da54 3912/4096    fover_ip2
Cwe 001e542d 00f4fa6c 00730534         0 00f4eb04 3944/4096    ip/2:2
Hwe 001e5398 00f50afc 0081209c         0 00f4fbb4 3912/4096    icmp2
Hwe 001e5398 00f51bc4 00812078         0 00f50c8c 3896/4096    udp_thread/2
Hwe 001e5398 00f52c5c 00812054         0 00f51d64 3832/4096    tcp_thread/2
Hwe 003d1a65 00f78284 008140f8         0 00f77fdc 300/1024     listen/http1
Mwe 0035cafa 00f7a63c 0053e5c8         0 00f786c4 7640/8192    Crypto CA

------------------ show failover ------------------
No license for Failover

------------------ show traffic ------------------
outside:
        received (in 865565.090 secs):
                6139 packets    830375 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 865565.090 secs):
                90 packets      6160 bytes
                0 pkts/sec      0 bytes/sec
inside:
        received (in 865565.090 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 865565.090 secs):
                1 packets       60 bytes
                0 pkts/sec      0 bytes/sec
intf2:
        received (in 865565.090 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 865565.090 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec

------------------ show perfmon ------------------
PERFMON STATS:    Current      Average
Xlates               0/s          0/s
Connections          0/s          0/s
TCP Conns            0/s          0/s
UDP Conns            0/s          0/s
URL Access           0/s          0/s
URL Server Req       0/s          0/s
TCP Fixup            0/s          0/s
TCPIntercept         0/s          0/s
HTTP Fixup           0/s          0/s
FTP Fixup            0/s          0/s
AAA Authen           0/s          0/s
AAA Author           0/s          0/s
AAA Account          0/s          0/s
: End_Test_Crash

Related Commands

Command                 Description
clear crashinfo         Deletes the contents of the crash file.
crashinfo force         Forces a crash of the ASA.
crashinfo save disable  Disables writing of crash information to flash memory.
crashinfo test          Tests the ability of the ASA to save crash information to a file in flash memory.

show crashinfo console

To display the configuration setting of the crashinfo console command, enter the show crashinfo console command.

show crashinfo console

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

The following table shows the modes in which you can enter the command:

                      Firewall Mode        Security Context
                                                   Multiple
Command Mode          Routed  Transparent  Single  Context  System
Privileged EXEC       Yes     Yes          Yes     —        Yes

Command History

Release  Modification
7.0(4)   This command was added.

Usage Guidelines

Compliance with FIPS 140-2 prohibits the distribution of Critical Security Parameters (keys, passwords, and so on) outside of the cryptographic boundary (the chassis). When the device crashes because of an assert or checkheaps failure, the stack or memory regions dumped to the console can contain sensitive data, and a console server or terminal logger will capture them. This output must be suppressed in FIPS mode; use the crashinfo console disable command to do so, and verify the setting with show crashinfo console.

Examples

sw8-5520(config)# show crashinfo console
crashinfo console enable

Related Commands

Command                    Description
clear configure fips       Clears the system or module FIPS configuration information stored in NVRAM.
crashinfo console disable  Disables the reading, writing, and configuration of crash write info to flash.
fips enable                Enables or disables policy checking to enforce FIPS compliance on the system or module.
show running-config fips   Displays the FIPS configuration that is running on the ASA.
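The show crashinfo section above gives the only reliable way to tell a test crash from a real one (the ": Saved_Test_Crash" / ": Saved_Crash" opening string and the matching ": End_..." closing string). The following script is an added example, not part of the Cisco reference: it classifies a crash file, checks that the closing marker is present (a truncated file usually means the write to flash was cut short), and extracts the crashing thread, traceback and registers for a first look before the file goes to TAC. SAMPLE_CRASH is a constructed, shortened copy of the test-crash output shown above; the function names are my own.

```python
"""Triage a `show crashinfo` file: test versus real crash, completeness, and
the crashing thread, traceback and registers. Added example; not from the
Cisco reference."""
import re

START_MARKERS = {": Saved_Crash": False, ": Saved_Test_Crash": True}   # value: is_test
END_MARKERS = {": End_Crash", ": End_Test_Crash"}
THREAD_RE = re.compile(
    r"Thread Name:\s*(?P<name>\S+)\s*\(Old pc 0x(?P<pc>[0-9a-f]+) ebp 0x(?P<ebp>[0-9a-f]+)\)"
)
FRAME_RE = re.compile(r"^\s*(?P<n>\d+):\s*(?P<addr>[0-9a-f]{8})\s*$")
REG_RE = re.compile(
    r"^\s*(?P<reg>edi|esi|ebp|esp|ebx|edx|ecx|eax|eip|cs|eflags|CR2)\s+0x(?P<val>[0-9a-f]+)\s*$"
)
SECTION_RE = re.compile(r"^-+\s*show (?P<cmd>.+?)\s*-+$")


def parse_crashinfo(text):
    """Return a dict describing the crash file; raises ValueError if it is not one."""
    lines = [ln.rstrip() for ln in text.strip().splitlines()]
    if not lines or lines[0].strip() not in START_MARKERS:
        raise ValueError("not a crashinfo file: missing Saved_Crash/Saved_Test_Crash marker")
    info = {
        "is_test": START_MARKERS[lines[0].strip()],
        "complete": lines[-1].strip() in END_MARKERS,   # closing marker present
        "thread": None, "old_pc": None, "old_ebp": None,
        "traceback": [], "registers": {}, "sections": [],
    }
    in_traceback = False
    for ln in lines:
        if m := THREAD_RE.search(ln):
            info["thread"] = m["name"]
            info["old_pc"], info["old_ebp"] = int(m["pc"], 16), int(m["ebp"], 16)
        elif ln.strip() == "Traceback:":
            in_traceback = True
        elif in_traceback and (m := FRAME_RE.match(ln)):
            info["traceback"].append(int(m["addr"], 16))
        elif m := REG_RE.match(ln):
            in_traceback = False
            info["registers"][m["reg"]] = int(m["val"], 16)
        elif m := SECTION_RE.match(ln.strip()):
            in_traceback = False
            info["sections"].append(m["cmd"])   # embedded "show ..." sections
    return info


def summary(info):
    """One-line triage verdict suitable for a ticket title."""
    kind = "TEST" if info["is_test"] else "REAL"
    state = "complete" if info["complete"] else "TRUNCATED"
    pc = f"0x{info['old_pc']:08x}" if info["old_pc"] is not None else "unknown pc"
    return (f"{kind} crash in thread {info['thread'] or 'unknown'} at {pc}, "
            f"{len(info['traceback'])} frames, {len(info['sections'])} show sections, {state} file")


# Constructed sample: a shortened copy of the reference's test-crash output.
SAMPLE_CRASH = """: Saved_Test_Crash
Thread Name: ci/console (Old pc 0x001a6ff5 ebp 0x00e88920)
Traceback:
0: 00323143
1: 0032321b
2: 0010885c
3: 0010763c
4: 001078db
5: 00103585
6: 00000000
vector 0x000000ff (user defined)
   edi 0x004f20c4
   esi 0x00000000
   ebp 0x00e88c20
   esp 0x00e88bd8
error code n/a
   eip 0x0010318c
   cs  0x00000008
Stack dump: base:0x00e8511c size:16384, active:1476
0x00e89118: 0x004f1bb4
------------------ show clock ------------------
15:34:28.129 UTC Sun Nov 24 2004
------------------ show cpu usage ------------------
CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%
: End_Test_Crash
"""

if __name__ == "__main__":
    print(summary(parse_crashinfo(SAMPLE_CRASH)))
```

Because the stack-dump lines have the form "0xADDR: 0xVALUE", the frame regex (a decimal index, a colon, eight hex digits) does not match them, and the register regex is anchored on the register name, so the parser does not misread stack contents as frames or registers.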
show crypto accelerator statistics

To display the global and accelerator-specific statistics from the hardware crypto accelerator MIB, use the show crypto accelerator statistics command in global configuration or privileged EXEC mode.

show crypto accelerator statistics

Syntax Description

This command has no keywords or variables.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

                      Firewall Mode        Security Context
                                                   Multiple
Command Mode          Routed  Transparent  Single  Context  System
Global configuration  Yes     Yes          Yes     Yes      —
Privileged EXEC       Yes     Yes          Yes     —        —

Command History

Release  Modification
7.0(1)   This command was added.

Usage Guidelines

The output statistics are defined as follows:

Accelerator 0 shows statistics for the software-based crypto engine. Accelerator 1 shows statistics for the hardware-based crypto engine.

RSA statistics show RSA operations for 2048-bit keys, which are executed in software by default. This means that when you have a 2048-bit key, IKE/SSL VPN performs the RSA operations in software during the IPsec/SSL negotiation phase; the IPsec/SSL traffic itself is still processed in hardware. Many sessions starting at the same time therefore mean many simultaneous RSA operations in software, which can drive CPU usage high. If you run into a high CPU condition because of this, you can use a 1024-bit key so that the RSA operations are processed in hardware; to do so, you must re-enroll the identity certificate. Be aware that 1024-bit RSA is no longer considered an adequate key size (NIST disallowed it for digital signature generation after 2013), so where the platform supports it prefer keeping the 2048-bit key and moving the large-modulus work to hardware instead: in releases 8.3(2) or later, the crypto engine large-mod-accel command on the 5510 through 5550 platforms performs these operations in hardware. If you are using a 2048-bit RSA key and the RSA processing is performed in software, you can use CPU profiling to determine which functions are causing high CPU usage.
  Generally, the bn_* and BN_* functions are math operations on the large integers used for RSA, and are the most useful when examining CPU usage during an RSA operation in software. For example:

  @@@@@@@@@@@@@@@@@@................................ 36.50% : _bn_mul_add_words
  @@@@@@@@@......................................... 19.75% : _bn_sqr_comba8

  Diffie-Hellman statistics show that any crypto operation with a modulus size greater than 1024 bits is performed in software (for example, Diffie-Hellman group 5 uses a 1536-bit modulus). Likewise, a 2048-bit key certificate is processed in software, which can result in high CPU usage when many sessions are running.

  Note: The ASA 5505 (with a Cavium CN505 processor) supports only Diffie-Hellman groups 1 and 2 for hardware-accelerated 768-bit and 1024-bit key generation. Diffie-Hellman group 5 (1536-bit key generation) is performed in software.

  A single crypto engine in the adaptive security appliance performs the IPsec and SSL operations. To display the versions of crypto (Cavium) microcode that are loaded into the hardware crypto accelerator at boot time, enter the show version command. For example:

  ciscoasa(config)# show version
  Cisco Adaptive Security Appliance Software Version 8.0(4)8
  Device Manager Version 6.1(5)
  Compiled on Wed 15-Oct-09 17:27 by builders
  System image file is "disk0:/interim/asa804-8-k8.bin"
  Config file at boot was "startup-config"
  asa up 5 days 17 hours
  Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
  Internal ATA Compact Flash, 512MB
  BIOS Flash M50FW080 @ 0xffe00000, 1024KB
  Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
  Boot microcode   : CN1000-MC-BOOT-2.00
  SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
  IPsec microcode  : CNlite-MC-IPSECm-MAIN-2.05

  DSA statistics show key generation in two phases. The first phase is the choice of algorithm parameters, which may be shared between different users of the system.
  The second phase computes the private and public keys for a single user.

  SSL statistics show records for the processor-intensive public key encryption algorithms involved in SSL transactions handed to the hardware crypto accelerator.

  RNG statistics count the random number requests made to the accelerator and the number of those requests that failed.

Examples
  The following example, entered in global configuration mode, shows global crypto accelerator statistics:

  ciscoasa(config)# show crypto accelerator statistics
  Crypto Accelerator Status
  -------------------------
  [Capacity]
     Supports hardware crypto: True
     Supports modular hardware crypto: False
     Max accelerators: 1
     Max crypto throughput: 100 Mbps
     Max crypto connections: 750
  [Global Statistics]
     Number of active accelerators: 1
     Number of non-operational accelerators: 0
     Input packets: 700
     Input bytes: 753488
     Output packets: 700
     Output error packets: 0
     Output bytes: 767496
  [Accelerator 0]
     Status: Active
     Software crypto engine
     Slot: 0
     Active time: 167 seconds
     Total crypto transforms: 7
     Total dropped packets: 0
     [Input statistics]
        Input packets: 0
        Input bytes: 0
        Input hashed packets: 0
        Input hashed bytes: 0
        Decrypted packets: 0
        Decrypted bytes: 0
     [Output statistics]
        Output packets: 0
        Output bad packets: 0
        Output bytes: 0
        Output hashed packets: 0
        Output hashed bytes: 0
        Encrypted packets: 0
        Encrypted bytes: 0
     [Diffie-Hellman statistics]
        Keys generated: 0
        Secret keys derived: 0
     [RSA statistics]
        Keys generated: 0
        Signatures: 0
        Verifications: 0
        Encrypted packets: 0
        Encrypted bytes: 0
        Decrypted packets: 0
        Decrypted bytes: 0
     [DSA statistics]
        Keys generated: 0
        Signatures: 0
        Verifications: 0
     [SSL statistics]
        Outbound records: 0
        Inbound records: 0
     [RNG statistics]
        Random number requests: 98
        Random number request failures: 0
  [Accelerator 1]
     Status: Active
     Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
     Boot microcode   : CNlite-MC-Boot-Cisco-1.2
     SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
     IPsec microcode  : CNlite-MC-IPSECm-MAIN-2.03
     Slot: 1
     Active time: 170 seconds
     Total crypto transforms: 1534
     Total dropped packets: 0
     [Input statistics]
        Input packets: 700
        Input bytes: 753544
        Input hashed packets: 700
        Input hashed bytes: 736400
        Decrypted packets: 700
        Decrypted bytes: 719944
     [Output statistics]
        Output packets: 700
        Output bad packets: 0
        Output bytes: 767552
        Output hashed packets: 700
        Output hashed bytes: 744800
        Encrypted packets: 700
        Encrypted bytes: 728352
     [Diffie-Hellman statistics]
        Keys generated: 97
        Secret keys derived: 1
     [RSA statistics]
        Keys generated: 0
        Signatures: 0
        Verifications: 0
        Encrypted packets: 0
        Encrypted bytes: 0
        Decrypted packets: 0
        Decrypted bytes: 0
     [DSA statistics]
        Keys generated: 0
        Signatures: 0
        Verifications: 0
     [SSL statistics]
        Outbound records: 0
        Inbound records: 0
     [RNG statistics]
        Random number requests: 1
        Random number request failures: 0

  The following table describes the output entries.

  Output                                       Description
  Capacity                                     This section pertains to the crypto acceleration that the ASA can support.
    Supports hardware crypto (True/False)      Whether the ASA can support hardware crypto acceleration.
    Supports modular hardware crypto           Whether a supported hardware crypto accelerator can be inserted as a separate plug-in card or module.
      (True/False)
    Max accelerators                           The maximum number of hardware crypto accelerators that the ASA supports.
    Max crypto throughput                      The maximum rated VPN throughput for the ASA.
    Max crypto connections                     The maximum number of supported VPN tunnels for the ASA.
  Global Statistics                            This section pertains to the combined hardware crypto accelerators in the ASA.
    Number of active accelerators              The number of active hardware accelerators. An active hardware accelerator has been initialized and is available to process crypto commands.
    Number of non-operational accelerators     The number of inactive hardware accelerators.
                                               An inactive hardware accelerator has been detected, but either has not completed initialization or has failed and is no longer usable.
    Input packets                              The number of inbound packets processed by all hardware crypto accelerators.
    Input bytes                                The number of bytes of data in the processed inbound packets.
    Output packets                             The number of outbound packets processed by all hardware crypto accelerators.
    Output error packets                       The number of outbound packets processed by all hardware crypto accelerators in which an error has been detected.
    Output bytes                               The number of bytes of data in the processed outbound packets.
  Accelerator 0, Accelerator 1, ...            Each of these sections pertains to one crypto accelerator. The first one (Accelerator 0) is always the software crypto engine. Although not a hardware accelerator, the ASA uses it to perform specific crypto tasks, and its statistics appear here. Accelerators 1 and higher are always hardware crypto accelerators.
    Status                                     The status of the accelerator, which indicates whether the accelerator is being initialized, is active, or has failed.
    Software crypto engine /                   The type of accelerator and firmware version (if applicable).
      Encryption hardware device
    Slot                                       The slot number of the accelerator (if applicable).
    Active time                                The length of time that the accelerator has been in the active state.
    Total crypto transforms                    The total number of crypto commands that were performed by the accelerator.
    Total dropped packets                      The total number of packets that were dropped by the accelerator because of errors.
    Input statistics                           This section pertains to input traffic that was processed by the accelerator. Input traffic is considered to be ciphertext that must be decrypted and/or authenticated.
      Input packets                            The number of input packets that have been processed by the accelerator.
      Input bytes                              The number of input bytes that have been processed by the accelerator.
      Input hashed packets                     The number of packets for which the accelerator has performed hash operations.
      Input hashed bytes                       The number of bytes over which the accelerator has performed hash operations.
      Decrypted packets                        The number of packets for which the accelerator has performed symmetric decryption operations.
      Decrypted bytes                          The number of bytes over which the accelerator has performed symmetric decryption operations.
    Output statistics                          This section pertains to output traffic that has been processed by the accelerator. Output traffic is considered to be clear text that must be encrypted and/or hashed.
      Output packets                           The number of output packets that have been processed by the accelerator.
      Output bad packets                       The number of output packets that have been processed by the accelerator in which an error has been detected.
      Output bytes                             The number of output bytes that have been processed by the accelerator.
      Output hashed packets                    The number of packets for which the accelerator has performed outbound hash operations.
      Output hashed bytes                      The number of bytes over which the accelerator has performed outbound hash operations.
      Encrypted packets                        The number of packets for which the accelerator has performed symmetric encryption operations.
      Encrypted bytes                          The number of bytes over which the accelerator has performed symmetric encryption operations.
    Diffie-Hellman statistics                  This section pertains to Diffie-Hellman key exchange operations.
      Keys generated                           The number of Diffie-Hellman key sets that have been generated by the accelerator.
      Secret keys derived                      The number of Diffie-Hellman shared secrets that have been derived by the accelerator.
    RSA statistics                             This section pertains to RSA crypto operations.
      Keys generated                           The number of RSA key sets that have been generated by the accelerator.
      Signatures                               The number of RSA signature operations that have been performed by the accelerator.
      Verifications                            The number of RSA signature verifications that have been performed by the accelerator.
      Encrypted packets                        The number of packets for which the accelerator has performed RSA encryption operations.
      Encrypted bytes                          The number of bytes of data over which the accelerator has performed RSA encryption operations.
      Decrypted packets                        The number of packets for which the accelerator has performed RSA decryption operations.
      Decrypted bytes                          The number of bytes of data over which the accelerator has performed RSA decryption operations.
    DSA statistics                             This section pertains to DSA operations. Note that DSA is not supported as of Version 8.2, so these statistics are no longer displayed.
      Keys generated                           The number of DSA key sets that have been generated by the accelerator.
      Signatures                               The number of DSA signature operations that have been performed by the accelerator.
      Verifications                            The number of DSA signature verifications that have been performed by the accelerator.
    SSL statistics                             This section pertains to SSL record processing operations.
      Outbound records                         The number of SSL records that have been encrypted and authenticated by the accelerator.
      Inbound records                          The number of SSL records that have been decrypted and authenticated by the accelerator.
    RNG statistics                             This section pertains to random number generation.
      Random number requests                   The number of requests to the accelerator for a random number.
      Random number request failures           The number of random number requests to the accelerator that did not succeed.

Related Commands
  Command                              Description
  clear crypto accelerator statistics  Clears the global and accelerator-specific statistics in the crypto accelerator MIB.
  clear crypto protocol statistics     Clears the protocol-specific statistics in the crypto accelerator MIB.
  show crypto protocol statistics      Displays the protocol-specific statistics from the crypto accelerator MIB.
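The Usage Guidelines above tie high CPU to public-key operations that land on Accelerator 0, the software engine, and the table defines the counters that reveal it. The following Python script is an added example, not Cisco code: it parses the command output into a dictionary, sums the RSA sign/verify and Diffie-Hellman counters recorded against Accelerator 0, and also reports any non-operational hardware accelerator from the Global Statistics section. SAMPLE_OUTPUT is a constructed, trimmed copy of the output shown above with the Accelerator 0 counters raised from zero so that the check has something to report; in practice you would feed it the real output captured over SSH.

```python
"""Parse `show crypto accelerator statistics` and flag public-key work done by
Accelerator 0, the software engine. Added example, not Cisco code.
SAMPLE_OUTPUT is a constructed, trimmed copy of the reference output with the
Accelerator 0 RSA/DH counters raised from 0 so the check has something to say."""
import re

SAMPLE_OUTPUT = """\
Crypto Accelerator Status
-------------------------
[Capacity]
   Supports hardware crypto: True
   Max crypto connections: 750
[Global Statistics]
   Number of active accelerators: 1
   Number of non-operational accelerators: 0
[Accelerator 0]
   Status: Active
   Software crypto engine
   [Diffie-Hellman statistics]
      Keys generated: 12
      Secret keys derived: 12
   [RSA statistics]
      Keys generated: 0
      Signatures: 40
      Verifications: 3
[Accelerator 1]
   Status: Active
   Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
   [Diffie-Hellman statistics]
      Keys generated: 97
      Secret keys derived: 1
   [RSA statistics]
      Keys generated: 0
      Signatures: 0
      Verifications: 0
"""

ACCEL_RE = re.compile(r"^\s*\[Accelerator (\d+)\]\s*$")
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KV_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")


def parse_accelerator_stats(text):
    """Return {"sections": {name: {key: val}}, "accelerators": {idx: {"fields", "sections"}}}.
    Digit-only values become int; everything else is kept as a string."""
    stats = {"sections": {}, "accelerators": {}}
    accel, section = None, None
    for line in text.splitlines():
        m = ACCEL_RE.match(line)
        if m:                                  # start of a per-accelerator block
            accel = int(m.group(1))
            stats["accelerators"][accel] = {"fields": {}, "sections": {}}
            section = None
            continue
        m = SECTION_RE.match(line)
        if m:                                  # [Capacity], [RSA statistics], ...
            section = m.group(1)
            continue
        m = KV_RE.match(line)
        if not m:                              # bare label such as "Software crypto engine"
            if accel is not None and section is None and line.strip():
                stats["accelerators"][accel]["fields"]["engine"] = line.strip()
            continue
        key, raw = m.group(1), m.group(2)
        val = int(raw) if raw.isdigit() else raw
        if accel is None:
            stats["sections"].setdefault(section or "header", {})[key] = val
        elif section is None:
            stats["accelerators"][accel]["fields"][key] = val
        else:
            stats["accelerators"][accel]["sections"].setdefault(section, {})[key] = val
    return stats


def software_pubkey_ops(stats):
    """RSA and Diffie-Hellman counters of Accelerator 0 (the software engine)."""
    sw = stats["accelerators"].get(0, {"sections": {}})
    rsa = sw["sections"].get("RSA statistics", {})
    dh = sw["sections"].get("Diffie-Hellman statistics", {})
    return {"rsa_signatures": rsa.get("Signatures", 0),
            "rsa_verifications": rsa.get("Verifications", 0),
            "dh_keys_generated": dh.get("Keys generated", 0),
            "dh_secrets_derived": dh.get("Secret keys derived", 0)}


def crypto_findings(stats):
    """Reasons the crypto path may be burning CPU or running degraded."""
    out, ops = [], software_pubkey_ops(stats)
    rsa = ops["rsa_signatures"] + ops["rsa_verifications"]
    if rsa:
        out.append(f"{rsa} RSA sign/verify operations ran in software "
                   "(large-modulus key, e.g. 2048-bit, not offloaded)")
    dh = ops["dh_keys_generated"] + ops["dh_secrets_derived"]
    if dh:
        out.append(f"{dh} Diffie-Hellman operations ran in software "
                   "(modulus above 1024 bits, e.g. group 5)")
    down = stats["sections"].get("Global Statistics", {}).get(
        "Number of non-operational accelerators", 0)
    if down:
        out.append(f"{down} hardware accelerator(s) non-operational")
    return out
```

Run it periodically against the real output and trend the Accelerator 0 RSA and DH counters: a steady climb while Accelerator 1's counters stay flat is the signature of the software-path condition the guidelines describe, and tells you whether the fix belongs in the key size, the DH group, or the large-mod-accel setting.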
show crypto ca certificates
To display the certificates associated with a specific trustpoint or to display all the certificates installed on the system, use the show crypto ca certificates command in global configuration or privileged EXEC mode.

show crypto ca certificates [trustpointname]

Syntax Description
  trustpointname   (Optional) The name of a trustpoint. If you do not specify a name, this command displays all certificates installed on the ASA.

Defaults
  No default behavior or values.

Command Modes
  The following table shows the modes in which you can enter the command:

  Command Mode           Firewall Mode            Security Context
                         Routed   Transparent     Single   Multiple Context   Multiple System
  Global configuration   Yes      Yes             Yes      Yes                --
  Privileged EXEC        Yes      Yes             Yes      Yes                --

Command History
  Release   Modification
  7.0(1)    This command was added.

Examples
  The following is sample output from the show crypto ca certificates command:

  ciscoasa(config)# show crypto ca certificates tp1
  CA Certificate
    Status: Available
    Certificate Serial Number 2957A3FF296EF854FD0D6732FE25B45
    Certificate Usage: Signature
    Issuer:
      CN = ms-root-sha-06-2004
      OU = rootou
      O = cisco
      L = franklin
      ST = massachusetts
      C = US
      EA = [email protected]
    Subject:
      CN = ms-root-sha-06-2004
      OU = rootou
      O = cisco
      L = franklin
      ST = massachusetts
      C = US
      EA = example.com
    CRL Distribution Point
      ldap://w2kadvancedsrv/CertEnroll/ms-root-sha-06-2004.crl
    Validity Date:
      start date: 14:11:40 UTC Jun 26 2004
      end   date: 14:01:30 UTC Jun 4 2022
    Associated Trustpoints: tp2 tp1
  ciscoasa(config)#

Related Commands
  Command                  Description
  crypto ca authenticate   Obtains a CA certificate for a specified trustpoint.
  crypto ca crl request    Requests a CRL based on the configuration parameters of a specified trustpoint.
  crypto ca enroll         Initiates the enrollment process with a CA.
  crypto ca import         Imports a certificate to a specified trustpoint.
  crypto ca trustpoint     Enters trustpoint configuration mode for a specified trustpoint.

show crypto ca crl
To display all cached CRLs, the CRLs cached for the trustpool, or the CRLs cached for a specified trustpoint, use the show crypto ca crl command in global configuration or privileged EXEC mode.

show crypto ca crl [trustpool | trustpoint trustpointname]

Syntax Description
  trustpoint trustpointname   (Optional) The name of a trustpoint. If you specify neither a trustpoint nor trustpool, this command displays all CRLs cached on the ASA.
  trustpool                   (Optional) Displays the CRLs cached for the trustpool certificates.

Defaults
  No default behavior or values.

Command Modes
  The following table shows the modes in which you can enter the command:

  Command Mode           Firewall Mode            Security Context
                         Routed   Transparent     Single   Multiple Context   Multiple System
  Global configuration   Yes      Yes             Yes      Yes                --
  Privileged EXEC        Yes      Yes             Yes      Yes                --

Command History
  Release   Modification
  7.0(1)    This command was added.

Examples
  The following is sample output from the show crypto ca crl command:

  ciscoasa(config)# show crypto ca crl tp1
  CRL Issuer Name:
      cn=ms-sub1-ca-5-2004,ou=Franklin DevTest,o=Cisco Systems,l=Franklin,st=MA,c=US,[email protected]
      LastUpdate: 19:45:53 UTC Dec 24 2004
      NextUpdate: 08:05:53 UTC Jan 1 2005
      Retrieved from CRL Distribution Point:
        http://win2k-ad2.frk-ms-pki.cisco.com/CertEnroll/ms-sub1-ca-5-2004.crl
      Associated Trustpoints: tp1
  ciscoasa(config)#

Related Commands
  Command                  Description
  crypto ca authenticate   Obtains a CA certificate for a specified trustpoint.
  crypto ca crl request    Requests a CRL based on the configuration parameters of a specified trustpoint.
  crypto ca enroll         Initiates the enrollment process with a CA.
  crypto ca import         Imports a certificate to a specified trustpoint.
  crypto ca trustpoint     Enters trustpoint configuration mode for a specified trustpoint.
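The show crypto ca certificates and show crypto ca crl outputs above print their timestamps in the same form, so one script can watch both for the two conditions an operator actually gets paged on: a CA or identity certificate that is expired or about to expire, and a cached CRL whose NextUpdate has already passed and is therefore no longer a trustworthy revocation source. The following Python is an added example, not Cisco code; SAMPLE_CERTS and SAMPLE_CRLS are constructed from the two example outputs shown above, and the parse_asa_time format string is derived from those outputs.

```python
"""Watch `show crypto ca certificates` and `show crypto ca crl` output for
certificates near expiry and CRLs past NextUpdate. Added example, not Cisco
code; SAMPLE_CERTS and SAMPLE_CRLS are constructed from the reference output."""
import re
from datetime import datetime, timedelta, timezone

SAMPLE_CERTS = """\
CA Certificate
  Status: Available
  Certificate Serial Number 2957A3FF296EF854FD0D6732FE25B45
  Issuer:
    CN = ms-root-sha-06-2004
  Subject:
    CN = ms-root-sha-06-2004
  Validity Date:
    start date: 14:11:40 UTC Jun 26 2004
    end   date: 14:01:30 UTC Jun 4 2022
  Associated Trustpoints: tp2 tp1
"""

SAMPLE_CRLS = """\
CRL Issuer Name:
    cn=ms-sub1-ca-5-2004,ou=Franklin DevTest,o=Cisco Systems,l=Franklin,st=MA,c=US
    LastUpdate: 19:45:53 UTC Dec 24 2004
    NextUpdate: 08:05:53 UTC Jan 1 2005
    Associated Trustpoints: tp1
"""


def parse_asa_time(text):
    """ASA prints times as 'HH:MM:SS UTC Mon D YYYY'; return an aware datetime."""
    return datetime.strptime(text.strip(), "%H:%M:%S UTC %b %d %Y").replace(tzinfo=timezone.utc)


# (regex, record key, converter) for the single-line fields of both outputs
FIELDS = [
    (re.compile(r"Certificate Serial Number:?\s*([0-9A-Fa-f]+)$"), "serial", str.lower),
    (re.compile(r"start\s+date:\s*(.+)"), "not_before", parse_asa_time),
    (re.compile(r"end\s+date:\s*(.+)"), "not_after", parse_asa_time),
    (re.compile(r"LastUpdate:\s*(.+)"), "last_update", parse_asa_time),
    (re.compile(r"NextUpdate:\s*(.+)"), "next_update", parse_asa_time),
    (re.compile(r"Associated Trustpoints:\s*(.+)"), "trustpoints", str.split),
]


def _apply_fields(record, line):
    for pattern, key, convert in FIELDS:
        m = pattern.match(line)
        if m:
            record[key] = convert(m.group(1))
            return


def parse_certificates(text):
    """One dict per block headed 'CA Certificate' or 'Certificate'."""
    certs, cur, in_subject = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("CA Certificate", "Certificate"):
            cur = {"kind": line, "serial": None, "subject_cn": None,
                   "not_before": None, "not_after": None, "trustpoints": []}
            certs.append(cur)
            in_subject = False
        elif cur is None:
            continue
        elif line.startswith("Subject:"):
            in_subject = True
        elif in_subject and line.startswith("CN"):   # first RDN under Subject:
            cur["subject_cn"] = line.split("=", 1)[1].strip()
            in_subject = False
        else:
            _apply_fields(cur, line)
    return certs


def parse_crls(text):
    """One dict per 'CRL Issuer Name:' block; the issuer DN is on the next line."""
    crls, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("CRL Issuer Name:"):
            cur = {"issuer": None, "last_update": None, "next_update": None, "trustpoints": []}
            crls.append(cur)
        elif cur is None:
            continue
        elif cur["issuer"] is None:
            cur["issuer"] = line
        else:
            _apply_fields(cur, line)
    return crls


def audit_pki(certs, crls, now, warn_days=30):
    """Findings a monitoring job should raise, evaluated at the aware datetime `now`."""
    out = []
    for c in certs:
        label = f"{c['kind']} CN={c['subject_cn']} serial={c['serial']}"
        if c["not_after"] is None:
            out.append(f"{label}: validity dates not found")
        elif c["not_after"] <= now:
            out.append(f"{label}: EXPIRED {c['not_after']:%Y-%m-%d}")
        elif c["not_after"] - now <= timedelta(days=warn_days):
            out.append(f"{label}: expires in {(c['not_after'] - now).days} days")
    for r in crls:
        if r["next_update"] is None:
            out.append(f"CRL issuer={r['issuer']}: NextUpdate not found")
        elif r["next_update"] <= now:
            out.append(f"CRL issuer={r['issuer']}: STALE since {r['next_update']:%Y-%m-%d %H:%M} UTC")
    return out
```

The parsers key on the Subject: header rather than the first CN they see, because the Issuer: block comes first and, for anything other than a self-signed root, carries a different name. Pass the current time in explicitly so that the check is reproducible in tests and across time zones.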
show crypto ca server
To display the status of the local CA configuration on the ASA, use the show crypto ca server command in ca server configuration, global configuration, or privileged EXEC mode.

show crypto ca server

Syntax Description
  This command has no arguments or keywords.

Defaults
  No default behavior or values.

Command Modes
  The following table shows the modes in which you can enter the command:

  Command Mode              Firewall Mode            Security Context
                            Routed   Transparent     Single   Multiple Context   Multiple System
  Ca server configuration   Yes      --              Yes      --                 --
  Global configuration      Yes      --              Yes      --                 --
  Privileged EXEC           Yes      --              Yes      --                 --

Command History
  Release   Modification
  8.0(2)    This command was added.

Examples
  The following is sample output from the show crypto ca server command:

  ciscoasa# show crypto ca server
  #Certificate Server LOCAL-CA-SERVER:
      Status: disabled
      State: disabled
      Server's configuration is unlocked (enter "no shutdown" to lock it)
      Issuer name: CN=asa1.cisco.com
      CA cert fingerprint: -Not found-
      Last certificate issued serial number: 0x0
      CA certificate expiration timer: 00:00:00 UTC Jan 1 2009
      CRL not present.
      Current primary storage dir: nvram:
  ciscoasa#

Related Commands
  Command                             Description
  crypto ca server                    Provides access to the ca server configuration mode CLI command set, which allows you to configure and manage the local CA.
  debug crypto ca server              Shows debugging messages when you configure the local CA server.
  show crypto ca server certificate   Displays the certificate of the local CA in base64 format.
  show crypto ca server crl           Displays the lifetime of the local CA CRL.
show crypto ca server cert-db
To display all or a subset of local CA server certificates, including those issued to a specific user, use the show crypto ca server cert-db command in ca server configuration, global configuration, or privileged EXEC mode.

show crypto ca server cert-db [username username | allowed | enrolled | expired | on-hold] [serial certificate-serial-number]

Syntax Description
  allowed                          Specifies that users who are allowed to enroll appear, regardless of the status of their certificate.
  enrolled                         Specifies that users with valid certificates appear.
  expired                          Specifies that users holding expired certificates appear.
  on-hold                          Specifies that users who have not yet enrolled appear.
  serial certificate-serial-number Specifies the serial number of a specific certificate to display. The serial number must be in hexadecimal format.
  username username                Specifies the certificate owner. The username may be a username or an e-mail address. For e-mail addresses, it is the e-mail address used to contact and deliver the one-time password (OTP) to the end user. An e-mail address is required to enable e-mail notifications for the end user.

Defaults
  By default, if no username or certificate serial number is specified, the entire database of issued certificates appears.

Command Modes
  The following table shows the modes in which you can enter the command:

  Command Mode              Firewall Mode            Security Context
                            Routed   Transparent     Single   Multiple Context   Multiple System
  Ca server configuration   Yes      --              Yes      --                 --
  Global configuration      Yes      --              Yes      --                 --
  Privileged EXEC           Yes      --              Yes      --                 --

Command History
  Release   Modification
  8.0(2)    This command was added.

Usage Guidelines
  The show crypto ca server cert-db command displays a list of the user certificates that are issued by the local CA server.
  You can display a subset of the certificate database by specifying a specific username with one or more of the optional certificate-type keywords, and/or with an optional certificate serial number. If you specify a username without a keyword or a serial number, all of the certificates issued for that user appear.

  For each user, the output shows the username, e-mail address, domain name, the time period for which enrollment is allowed, and the number of times that the user has been notified with an enrollment invitation. In addition, the following information appears in the output:

  • The NOTIFIED field is required to support multiple reminders. It tracks when a user needs to be notified of the OTP for enrollment and the reminder notification attempts. This field is set to 0 initially. It is incremented to 1 when the user entry is marked as being allowed to enroll. At this time, the initial OTP notification is generated.

  • The NOTIFY field is incremented each time a reminder is sent. Three notifications are sent before the OTP is due to expire: when the user is allowed to enroll, at the mid-point of the expiration period, and when ¾ of the expiration time has passed. This field is used only for administrator-initiated enrollments. For automatic certificate renewals, the NOTIFY field in the certificate database is used.

  Note: While the notification counter in this command is used to track the number of times a user is notified to renew a certificate before expiration, the notification counter in show crypto ca server user-db is used to track the number of times a user is notified to enroll for the certificate. Renewal notifications are tracked under cert-db and not included in user-db.

  Each certificate entry shows the certificate serial number, the issued and expired dates, and the certificate status (Revoked/Not Revoked).
Examples
  The following example displays all of the certificates issued to the user asa by the local CA server:

  ciscoasa# show crypto ca server cert-db username asa
  Username: asa
  Renewal allowed until: Not Allowed
  Number of times user notified: 0
  PKCS12 file stored until: 10:28:05 UTC Wed Sep 25 2013
  Certificates Issued:
    serial:  0x2
    issued:  10:28:04 UTC Tue Sep 24 2013
    expired: 10:28:04 UTC Thu Sep 26 2013
    status:  Not Revoked

  The following example displays the certificate issued by the local CA server with a serial number of 0x2:

  ciscoasa# show crypto ca server cert-db serial 2
  Username: asa
  Renewal allowed until: Not Allowed
  Number of times user notified: 0
  PKCS12 file stored until: 10:28:05 UTC Wed Sep 25 2013
  Certificates Issued:
    serial:  0x2
    issued:  10:28:04 UTC Tue Sep 24 2013
    expired: 10:28:04 UTC Thu Sep 26 2013
    status:  Not Revoked

  The following example displays all of the certificates issued by the local CA server:

  ciscoasa# show crypto ca server cert-db
  Username: asa
  Renewal allowed until: Not Allowed
  Number of times user notified: 0
  PKCS12 file stored until: 10:28:05 UTC Wed Sep 25 2013
  Certificates Issued:
    serial:  0x2
    issued:  10:28:04 UTC Tue Sep 24 2013
    expired: 10:28:04 UTC Thu Sep 26 2013
    status:  Not Revoked

Related Commands
  Command                    Description
  crypto ca server           Provides access to the ca server configuration mode CLI command set, which allows you to configure and manage the local CA.
  crypto ca server revoke    Marks a certificate issued by the local CA server as revoked in both the certificate database and CRL.
  lifetime crl               Specifies the lifetime of the CRL.

show crypto ca server certificate
To display the certificate for the local CA server in base64 format, use the show crypto ca server certificate command in ca server configuration, global configuration, or privileged EXEC mode.
show crypto ca server certificate

Syntax Description
  This command has no arguments or keywords.

Defaults
  No default behavior or values.

Command Modes
  The following table shows the modes in which you can enter the command:

  Command Mode              Firewall Mode            Security Context
                            Routed   Transparent     Single   Multiple Context   Multiple System
  Ca server configuration   Yes      --              Yes      --                 --
  Global configuration      Yes      --              Yes      --                 --
  Privileged EXEC           Yes      --              Yes      --                 --

Command History
  Release   Modification
  8.0(2)    This command was added.

Usage Guidelines
  The show crypto ca server certificate command displays the local CA server certificate in base64 format. This display allows you to cut and paste the certificate when exporting it to other devices that need to trust the local CA server.

Examples
  The following is sample output from the show crypto ca server certificate command:

  ciscoasa# show crypto ca server certificate
  The base64 encoded local CA certificate follows:
  MIIXlwIBAzCCF1EGCSqGSIb3DQEHAaCCF0IEghc+
  MIIXOjCCFzYGCSqGSIb3DQEHBqCCFycwghcjAgEAM
  IIXHAYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQ
  Ijph4SxJoyTgCAQGAghbw3v4bFy+GGG2dJnB4OLphs
  UM+IG3SDOiDwZG9n1SvtMieoxd7Hxknxbum06JDruj
  WKtHBIqkrm+td34qlNE1iGeP2YC94/NQ2z+4kS+uZzw
  cRhl1KEZTS1E4L0fSaC3uMTxJq2NUHYWmoc8pi4CIeL
  j3h7VVMy6qbx2AC8I+q57+QG5vG5l5Hi5imwtYfaWwP
  EdPQxaWZPrzoG1J8BFqdPa1jBGhAzzuSmElm3j/2dQ3
  Atro1G9nIsRHgV39fcBgwz4fEabHG7/Vanb+fj81d
  5nlOiJjDYYbP86tvbZ2yOVZR6aKFVI0b2AfCr6Pbw
  fC9U8Z/aF3BCyM2sN2xPJrXva94CaYrqyotZdAkSYA
  5KWScyEcgdqmuBeGDKOncTknfgy0XM+fG5rb3qAXy1
  GkjyFI5Bm9Do6RUROoG1DSrQrKeq/hj….
  ciscoasa#

Related Commands
  Command            Description
  crypto ca server   Provides access to the ca server configuration mode CLI command set, which allows you to configure and manage a local CA.
  issuer-name        Specifies the subject-name DN of the certificate authority certificate.
  keysize            Specifies the size of the public and private keys generated at user certificate enrollment.
  lifetime           Specifies the lifetime of the CA certificate and issued certificates.
  show crypto ca server   Displays the local CA configuration in ASCII text format.

show crypto ca server crl
To display the current CRL of the local CA, use the show crypto ca server crl command in ca server configuration, global configuration, or privileged EXEC mode.

show crypto ca server crl

Syntax Description
  This command has no arguments or keywords.

Defaults
  No default behavior or values.

Command Modes
  The following table shows the modes in which you can enter the command:

  Command Mode              Firewall Mode            Security Context
                            Routed   Transparent     Single   Multiple Context   Multiple System
  Ca server configuration   Yes      --              Yes      --                 --
  Global configuration      Yes      --              Yes      --                 --
  Privileged EXEC           Yes      --              Yes      --                 --

Command History
  Release   Modification
  8.0(2)    This command was added.

Examples
  The following is sample output from the show crypto ca server crl command:

  ciscoasa# show crypto ca server crl
  Certificate Revocation List:
      Issuer: cn=asa5540.frqa.cisco.com
      This Update: 07:32:27 UTC Oct 16 2006
      Next Update: 13:32:27 UTC Oct 16 2006
      Number of CRL entries: 0
      CRL size: 232 bytes
  ciscoasa#

Related Commands
  Command                   Description
  cdp-url                   Specifies the CRL distribution point (CDP) to be included in the certificates issued by the CA.
  crypto ca server          Provides access to the ca server configuration mode CLI command set, which allows you to configure and manage the local CA.
  crypto ca server revoke   Marks a certificate issued by the local CA server as revoked in the certificate database and CRL.
  lifetime crl              Specifies the lifetime of the CRL.
  show crypto ca server     Displays the status of the CA configuration.
show crypto ca server user-db
To display users included in the local CA server user database, use the show crypto ca server user-db command in ca server configuration, global configuration, or privileged EXEC mode.

show crypto ca server user-db [expired | allowed | on-hold | enrolled]

Syntax Description
  allowed    (Optional) Specifies that users who are allowed to enroll display, regardless of the status of their certificate.
  enrolled   (Optional) Specifies that users with valid certificates display.
  expired    (Optional) Specifies that users holding expired certificates display.
  on-hold    (Optional) Specifies that users who have not enrolled yet display.

Defaults
  By default, all users in the database display if no keywords are entered.

Command Modes
  The following table shows the modes in which you can enter the command:

  Command Mode              Firewall Mode            Security Context
                            Routed   Transparent     Single   Multiple Context   Multiple System
  Ca server configuration   Yes      --              Yes      --                 --
  Global configuration      Yes      --              Yes      --                 --
  Privileged EXEC           Yes      --              Yes      --                 --

Command History
  Release   Modification
  8.0(2)    This command was added.

Examples
  The following example displays currently enrolled users:

  ciscoasa# show crypto ca server user-db enrolled
  Username      DN                        Certificate issued   Certificate expiration
  exampleuser   cn=Example User,o=...     5/31/2009            5/31/2010
  ciscoasa#

Usage Guidelines
  While the notification counter in this command is used to track the number of times a user is notified to enroll for the certificate, the notification counter in show crypto ca server cert-db is used to track the number of times a user is notified to renew a certificate before expiration. Renewal notifications are tracked under cert-db and not included in user-db.

Related Commands
  Command                         Description
  crypto ca server user-db add    Adds a user to the CA server user database.
  crypto ca server user-db allow    Allows a specific user or a subset of users in the CA server database to enroll with the local CA.
  crypto ca server user-db remove   Removes a user from the CA server user database.
  crypto ca server user-db write    Writes user information configured in the local CA database to storage.
  show crypto ca server cert-db     Displays all certificates issued by the local CA.

show crypto ca trustpool
To display the certificates that constitute the trustpool, use the show crypto ca trustpool command in privileged EXEC mode.

show crypto ca trustpool [detail]

Syntax Description
  detail   (Optional) Includes more information for each certificate. Without this keyword the command shows an abbreviated display of all the trustpool certificates.

Defaults
  This command shows an abbreviated display of all the trustpool certificates.

Command Modes
  The following table shows the modes in which you can enter the command:

  Command Mode      Firewall Mode            Security Context
                    Routed   Transparent     Single   Multiple Context   Multiple System
  Privileged EXEC   Yes      Yes             Yes      --                 --

Command History
  Release   Modification
  9.0(1)    This command was added.

Usage Guidelines
  The output of the show crypto ca trustpool command includes the fingerprint value of each certificate. These values are required for the crypto ca trustpool remove operation.
Examples
  ciscoasa# show crypto ca trustpool
  CA Certificate
    Status: Available
    Certificate Serial Number: 6c386c409f4ff4944154635da520ed4c
    Certificate Usage: Signature
    Public Key Type: RSA (2048 bits)
    Signature Algorithm: SHA1 with RSA Encryption
    Issuer Name:
      cn=bxb2008-root
      dc=bdb2008
      dc=mycompany
      dc=com
    Subject Name:
      cn=bxb2008-root
      dc=bxb2008
      dc=cisco
      dc=com
    Validity Date:
      start date:17:21:06 EST Jan 14 2009
      end   date:17:31:06 EST Jan 14 2024

  CA Certificate
    Status: Available
    Certificate Serial Number: 58d1c756000000000059
    Certificate Usage: Signature
    Public Key Type: RSA (2048 bits)
    Signature Algorithm: SHA1 with RSA Encryption
    Issuer Name:
      cn=bxb2008-root
      dc=bxb2008
      dc=mycompany
      dc=com
    Subject Name:
      cn=BXB2008SUB1-CA
      dc=bxb2008
      dc=cisco
      dc=com
    OCSP AIA:
      URL: http://bxb2008-1.bxb2008.mycompany.com/ocsp
    CRL Distribution Points:
      (1) http://bxb2008-1.bxb2008.mycompany.com/CertEnroll/bxb2008-root.crl
    Validity Date:
      start date:11:54:34 EST May 18 2009
      end   date:12:04:34 EST May 18 2011

Related Commands
  Command                      Description
  clear crypto ca trustpool    Removes all certificates from the trustpool.
  crypto ca trustpool import   Imports certificates that constitute the PKI trustpool.
  crypto ca trustpool remove   Removes a single specified certificate from the trustpool.

show crypto ca trustpool policy
To display the configured trustpool policy and process any applied certificate maps to show how they affect the policy, use the show crypto ca trustpool policy command in privileged EXEC mode.

show crypto ca trustpool policy

Syntax Description
  This command has no arguments or keywords.

Defaults
  No default behavior or values.
Command Modes
    The following table shows the modes in which you can enter the command:

                          Firewall Mode          Security Context
                                                         Multiple
    Command Mode          Routed  Transparent    Single  Context  System
    Privileged EXEC       Yes     Yes            Yes     —        —

Command History
    Release   Modification
    9.0(1)    This command was added.
    9.5(2)    The ability to show the status and results of the automatic import of trustpool certificates was added.

Examples
    ciscoasa(config)# sh run cry ca cert map
    crypto ca certificate map map1 1
     issuer-name eq cn = mycompany manufacturing ca
     issuer-name eq cn = mycompany ca
    crypto ca certificate map map 2 1
     issuer-name eq cn = mycompany manufacturing ca
     issuer-name eq cn = mycompany ca2
    ciscoasa(config)#

    ciscoasa(config)# sh run crypto ca trustpool policy
    crypto ca trustpool policy
     auto-import url http://www.thawte.com
     revocation-check none
     match certificate map2 allow expired-certificate
     match certificate map1 skip revocation-check
     crl cache-time 123
     crl enforcenextupdate
     auto-import
     auto-import url http://www.thawte.com
     auto-import time 22:00:00
    ciscoasa(config)#

    ciscoasa# show crypto ca trustpool policy
    800 trustpool certificates installed
    Trustpool auto import statistics:
      Last import result: SUCCESS
      Next scheduled import at 22:00:00 Tues Jul 21 2015
    Trustpool Policy
      Trustpool revocation checking is disabled
      CRL cache time: 123 seconds
      CRL next update field: required and forced
      Automatic import of trustpool certificates is enabled
      Automatic import URL: http://www.thawte.com
      Download time: 22:00:00
    Policy overrides:
      map: map1
        match:issuer-name eq cn=Mycompany Manufacturing CA
        match:issuer-name eq cn=Mycompany CA
        action:skip revocation-check
      map: map2
        match: issuer-name eq cn=mycompany Manufacturing CA
        match: issuer-name eq cn=mycompany CA2
        action: allowed expired certificates
    ciscoasa(config)#

Related Commands
    crypto ca trustpool policy    Enters a submode that provides the commands that define the trustpool policy.
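The policy output above combines two things a reviewer should read together: the global settings (here, revocation checking is disabled for the whole trustpool) and the per-map overrides that relax validation for matching issuers (map2 accepts expired certificates, map1 skips revocation checking). The following parser is an added example, not Cisco code; it turns the `show crypto ca trustpool policy` text into a settings dict plus one entry per certificate map and lists the validation relaxations found. The sample is constructed from the output printed above.

```python
"""Audit `show crypto ca trustpool policy` output for settings that weaken
certificate validation.  Added example, not Cisco code; the sample is
constructed from the output shown in the command reference."""
import re

SAMPLE = """\
ciscoasa# show crypto ca trustpool policy
800 trustpool certificates installed
Trustpool auto import statistics:
  Last import result: SUCCESS
  Next scheduled import at 22:00:00 Tues Jul 21 2015
Trustpool Policy
  Trustpool revocation checking is disabled
  CRL cache time: 123 seconds
  CRL next update field: required and forced
  Automatic import of trustpool certificates is enabled
  Automatic import URL: http://www.thawte.com
  Download time: 22:00:00
Policy overrides:
  map: map1
    match:issuer-name eq cn=Mycompany Manufacturing CA
    match:issuer-name eq cn=Mycompany CA
    action:skip revocation-check
  map: map2
    match: issuer-name eq cn=mycompany Manufacturing CA
    match: issuer-name eq cn=mycompany CA2
    action: allowed expired certificates
"""


def parse_policy(output):
    """Return (settings, overrides).  settings holds the flat policy values;
    overrides maps each certificate-map name to its match rules and action."""
    settings, overrides, cur = {}, {}, None
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r"^(\d+) trustpool certificates installed$", line)
        if m:
            settings["installed"] = int(m.group(1))
        elif line.startswith("map:"):
            cur = line.split(":", 1)[1].strip()
            overrides[cur] = {"match": [], "action": None}
        elif cur and line.startswith("match:"):
            overrides[cur]["match"].append(line.split(":", 1)[1].strip())
        elif cur and line.startswith("action:"):
            overrides[cur]["action"] = line.split(":", 1)[1].strip()
        elif line.startswith("Trustpool revocation checking is"):
            settings["revocation_checking"] = line.rsplit(" ", 1)[1]   # enabled/disabled
        elif line.startswith("Last import result:"):
            settings["last_import"] = line.split(":", 1)[1].strip()
        elif line.startswith("Automatic import URL:"):
            settings["import_url"] = line.split(":", 1)[1].strip()
    return settings, overrides


def audit_policy(output):
    """List every place the policy relaxes certificate validation."""
    settings, overrides = parse_policy(output)
    findings = []
    if settings.get("revocation_checking") == "disabled":
        findings.append("revocation checking is disabled for the whole trustpool")
    if settings.get("last_import") not in (None, "SUCCESS"):
        findings.append(f"last automatic import did not succeed: {settings['last_import']}")
    for name, ov in overrides.items():
        action = (ov["action"] or "").lower()
        if "expired" in action:
            findings.append(f"map {name} accepts expired certificates for: " + "; ".join(ov["match"]))
        if "skip revocation" in action:
            findings.append(f"map {name} skips revocation checking for: " + "; ".join(ov["match"]))
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE):
        print("-", finding)
```

Because the command already resolves the certificate maps into the override list, the script does not need to read the crypto ca certificate map configuration separately; the match rules printed under each map are what the policy actually applies.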
show crypto debug-condition

To display the currently configured filters, the unmatched states, and the error states for IPsec and ISAKMP debugging messages, use the show crypto debug-condition command in global configuration mode.

    show crypto debug-condition

Defaults
    No default behavior or values.

Command Modes
    The following table shows the modes in which you can enter the command:

                          Firewall Mode          Security Context
                                                         Multiple
    Command Mode          Routed  Transparent    Single  Context  System
    Global configuration  Yes     Yes            Yes     Yes      —

Command History
    Release   Modification
    8.0(2)    This command was added.
    9.0(1)    Support for multiple context mode was added.

Examples
    The following example shows the filtering conditions:

    ciscoasa(config)# show crypto debug-condition
    Crypto conditional debug is turned ON
    IKE debug context unmatched flag: OFF
    IPsec debug context unmatched flag: ON
    IKE peer IP address filters:
      1.1.1.0/24 2.2.2.2
    IKE user name filters:
      my_user

Related Commands
    debug crypto condition             Sets filtering conditions for IPsec and ISAKMP debugging messages.
    debug crypto condition error       Shows debugging messages whether or not filtering conditions have been specified.
    debug crypto condition unmatched   Shows debugging messages for IPsec and ISAKMP that do not include sufficient context information for filtering.

show crypto ikev1 sa

To display the IKEv1 runtime SA database, use the show crypto ikev1 sa command in global configuration mode or privileged EXEC mode.

    show crypto ikev1 sa [detail]

Syntax Description
    detail    Displays detailed output about the SA database.

Defaults
    No default behavior or values.

Command Modes
    The following table shows the modes in which you can enter the command:
                          Firewall Mode          Security Context
                                                         Multiple
    Command Mode          Routed  Transparent    Single  Context  System
    Global configuration  Yes     —              Yes     Yes      —
    Privileged EXEC       Yes     —              Yes     —        —

Command History
    Release   Modification
    8.4(1)    This command was added.
    9.0(1)    Support for multiple context mode was added.

Usage Guidelines
    The output from this command includes the following fields:

    Detail not specified:

    IKE Peer          Type   Dir    Rky   State
    209.165.200.225   L2L    Init   No    MM_Active

    Detail specified:

    IKE Peer          Type   Dir    Rky   State       Encrypt   Hash   Auth      Lifetime
    209.165.200.225   L2L    Init   No    MM_Active   3des      md5    preshrd   86400

Examples
    The following example, entered in global configuration mode, displays detailed information about the SA database:

    ciscoasa(config)# show crypto ikev1 sa detail

       IKE Peer          Type   Dir    Rky   State       Encrypt   Hash   Auth      Lifetime
    1  209.165.200.225   User   Resp   No    AM_Active   3des      SHA    preshrd   86400
    2  209.165.200.226   User   Resp   No    AM_ACTIVE   3des      SHA    preshrd   86400
    3  209.165.200.227   User   Resp   No    AM_ACTIVE   3des      SHA    preshrd   86400
    4  209.165.200.228   User   Resp   No    AM_ACTIVE   3des      SHA    preshrd   86400
    ciscoasa(config)#

Related Commands
    show crypto ikev2 sa                 Displays the IKEv2 runtime SA database.
    show running-config crypto isakmp    Displays all the active ISAKMP configuration.

show crypto ikev2 sa

To display the IKEv2 runtime SA database, use the show crypto ikev2 sa command in global configuration mode or privileged EXEC mode.

    show crypto ikev2 sa [detail]

Syntax Description
    detail    Displays detailed output about the SA database.

Defaults
    No default behavior or values.

Command Modes
    The following table shows the modes in which you can enter the command:
                          Firewall Mode          Security Context
                                                         Multiple
    Command Mode          Routed  Transparent    Single  Context  System
    Global configuration  Yes     —              Yes     Yes      —
    Privileged EXEC       Yes     —              Yes     —        —

Command History
    Release   Modification
    8.4(1)    This command was added.
    9.0(1)    Support for multiple context mode was added.

Usage Guidelines
    The output from this command includes the following fields:

    Detail not specified:

    IKE Peer          Type   Dir    Rky   State
    209.165.200.225   L2L    Init   No    MM_Active

    Detail specified:

    IKE Peer          Type   Dir    Rky   State       Encrypt   Hash   Auth      Lifetime
    209.165.200.225   L2L    Init   No    MM_Active   3des      md5    preshrd   86400

Examples
    The following example, entered in global configuration mode, displays detailed information about the SA database:

    ciscoasa(config)# show crypto ikev2 sa detail

    IKEv2 SAs:

    Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

    Tunnel-id   Local                Remote                  Status   Role
    671069399   10.0.0.0/500         10.255.255.255/500      READY    INITIATOR
          Encr: AES-GCM, keysize: 256, Hash: N/A, DH Grp:20, Auth sign: PSK, Auth verify: PSK
          Life/Active Time: 86400/188 sec
          Session-id: 1
          Status Description: Negotiation done
          Local spi: 80173A0373C2D403       Remote spi: AE8AEFA1B97DBB22
          Local id: asa
          Remote id: asa1
          Local req mess id: 8              Remote req mess id: 7
          Local next mess id: 8             Remote next mess id: 7
          Local req queued: 8               Remote req queued: 7
          Local window: 1                   Remote window: 1
          DPD configured for 10 seconds, retry 2
          NAT-T is not detected
    Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
              remote selector 0.0.0.0/0 - 255.255.255.255/65535
              ESP spi in/out: 0x242a3da5/0xe6262034
              AH spi in/out: 0x0/0x0
              CPI in/out: 0x0/0x0
              Encr: AES-GCM, keysize: 128, esp_hmac: N/A
              ah_hmac: None, comp: IPCOMP_NONE, mode tunnel

Related Commands
    show crypto ikev1 sa                 Displays the IKEv1 runtime SA database.
    show running-config crypto isakmp    Displays all the active ISAKMP configuration.
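The IKEv1 table above (the same layout is printed later in this chapter by show crypto isakmp sa, which show crypto ikev1 sa replaced) is compact enough to audit mechanically: the Rky column tells you a rekey is in flight, the State column whether the tunnel is actually up, and the Encrypt/Hash columns what the peer negotiated. The following parser is an added example, not Cisco code. The first four rows of its sample mirror the output printed above; the fifth row (peer 209.165.201.1) is constructed to exercise the rekey, negotiation-state and weak-algorithm checks, and the sets of algorithms treated as weak are the example's own assumption.

```python
"""Parse the `show crypto ikev1 sa [detail]` table (also printed by
`show crypto isakmp sa`) and flag SAs that are rekeying, not yet passing
data, or negotiated with DES/3DES or MD5.  Added example, not Cisco code.
Rows 1-4 mirror the command reference; row 5 is constructed."""

SAMPLE = """\
ciscoasa(config)# show crypto ikev1 sa detail

   IKE Peer          Type    Dir     Rky     State         Encrypt  Hash   Auth     Lifetime
1  209.165.200.225   User    Resp    No      AM_Active     3des     SHA    preshrd  86400
2  209.165.200.226   User    Resp    No      AM_ACTIVE     3des     SHA    preshrd  86400
3  209.165.200.227   User    Resp    No      AM_ACTIVE     3des     SHA    preshrd  86400
4  209.165.200.228   User    Resp    No      AM_ACTIVE     3des     SHA    preshrd  86400
5  209.165.201.1     L2L     Init    Yes     MM_WAIT_MSG3  des      md5    preshrd  86400
"""

COLUMNS = ("peer", "type", "dir", "rky", "state", "encrypt", "hash", "auth", "lifetime")
WEAK_CIPHERS = {"des", "3des"}   # assumption: what this audit treats as weak
WEAK_HASHES = {"md5"}


def parse_ike_sa(output):
    """One dict per SA row.  Data rows start with an index; the short form
    carries five value columns, the detail form nine."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].isdigit():
            continue                      # prompt, header or blank line
        row = dict(zip(COLUMNS, parts[1:]))
        if "lifetime" in row:
            row["lifetime"] = int(row["lifetime"])
        rows.append(row)
    return rows


def audit_ike_sa(output):
    """Return (peer, finding) pairs."""
    findings = []
    for sa in parse_ike_sa(output):
        peer = sa["peer"]
        if sa["rky"].lower() == "yes":
            findings.append((peer, "rekey in progress (a second SA for this peer is expected)"))
        # Per the command reference, a tunnel up and passing data shows
        # MM_ACTIVE or AM_ACTIVE; everything else is still negotiating or tearing down.
        if not sa["state"].upper().endswith("_ACTIVE"):
            findings.append((peer, f"tunnel not up and passing data: state {sa['state']}"))
        if sa.get("encrypt", "").lower() in WEAK_CIPHERS:
            findings.append((peer, f"weak cipher {sa['encrypt']}"))
        if sa.get("hash", "").lower() in WEAK_HASHES:
            findings.append((peer, f"weak hash {sa['hash']}"))
    return findings


if __name__ == "__main__":
    for peer, finding in audit_ike_sa(SAMPLE):
        print(f"{peer:18} {finding}")
```

Run against the non-detail form the parser still returns peer, type, direction, rekey flag and state, so the rekey and state checks work even when the algorithm columns are absent.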
show crypto ipsec df-bit

To display the IPsec DF-bit policy for IPsec packets for a specified interface, use the show crypto ipsec df-bit command in global configuration mode and privileged EXEC mode.

    show crypto ipsec df-bit interface

Syntax Description
    interface    Specifies an interface name.

Defaults
    No default behaviors or values.

Command Modes
    The following table shows the modes in which you can enter the command:

                          Firewall Mode          Security Context
                                                         Multiple
    Command Mode          Routed  Transparent    Single  Context  System
    Global configuration  Yes     Yes            Yes     —        —
    Privileged EXEC       Yes     Yes            Yes     —        —

Command History
    Release   Modification
    7.0(1)    This command was added.

Examples
    The following example displays the IPsec DF-bit policy for the interface named inside:

    ciscoasa(config)# show crypto ipsec df-bit inside
    df-bit inside copy
    ciscoasa(config)#

Related Commands
    crypto ipsec df-bit               Configures the IPsec DF-bit policy for IPsec packets.
    crypto ipsec fragmentation        Configures the fragmentation policy for IPsec packets.
    show crypto ipsec fragmentation   Displays the fragmentation policy for IPsec packets.

show crypto ipsec fragmentation

To display the fragmentation policy for IPsec packets, use the show crypto ipsec fragmentation command in global configuration or privileged EXEC mode.

    show crypto ipsec fragmentation interface

Syntax Description
    interface    Specifies an interface name.

Command Modes
    The following table shows the modes in which you can enter the command:

                          Firewall Mode          Security Context
                                                         Multiple
    Command Mode          Routed  Transparent    Single  Context  System
    Global configuration  Yes     Yes            Yes     —        —
    Privileged EXEC       Yes     Yes            Yes     —        —

Command History
    Release   Modification
    7.0(1)    This command was added.
Examples
    The following example, entered in global configuration mode, displays the IPsec fragmentation policy for an interface named inside:

    ciscoasa(config)# show crypto ipsec fragmentation inside
    fragmentation inside before-encryption
    ciscoasa(config)#

Related Commands
    crypto ipsec fragmentation   Configures the fragmentation policy for IPsec packets.
    crypto ipsec df-bit          Configures the DF-bit policy for IPsec packets.
    show crypto ipsec df-bit     Displays the DF-bit policy for a specified interface.

show crypto ipsec policy

To display IPsec secure socket API (SS API) security policy information provided by OSPFv3, use the show crypto ipsec policy command in global configuration or privileged EXEC mode. You can also use the alternate form of this command: show ipsec policy.

    show crypto ipsec policy [name]

Syntax Description
    name    Specifies a policy name.

Command Modes
    The following table shows the modes in which you can enter the command:

                          Firewall Mode          Security Context
                                                         Multiple
    Command Mode          Routed  Transparent    Single  Context  System
    Global configuration  Yes     Yes            Yes     —        —
    Privileged EXEC       Yes     Yes            Yes     —        —

Command History
    Release   Modification
    7.0(1)    This command was added.

Examples
    The following example, entered in global configuration mode, displays the crypto secure socket API installed policy information for a policy named CSSU-UTF:

    ciscoasa(config)# show crypto ipsec policy
    Crypto IPsec client security policy data

    Policy name:              CSSU-UTF
    Policy refcount:          0
    Inbound ESP SPI:          1031 (0x407)
    Outbound ESP SPI:         1031 (0x407)
    Inbound ESP Auth Key:     0123456789abcdef
    Outbound ESP Auth Key:    0123456789abcdef
    Inbound ESP Cipher Key:
    Outbound ESP Cipher Key:
    Transform set:            esp-sha-hmac

Related Commands
    show crypto ipsec fragmentation   Displays the fragmentation policy for IPsec packets.
    show crypto ipsec sa              Displays a list of IPsec SAs.
    show crypto ipsec df-bit          Displays the DF-bit policy for a specified interface.
    show crypto sockets               Displays crypto secure sockets and the socket state.

show crypto ipsec sa

To display a list of IPsec SAs, use the show crypto ipsec sa command in global configuration mode or privileged EXEC mode. You can also use the alternate form of this command: show ipsec sa.

    show crypto ipsec sa [entry | identity | map map-name | peer peer-addr] [detail]

Syntax Description
    detail           (Optional) Displays detailed error information in addition to the standard output.
    entry            (Optional) Displays IPsec SAs sorted by peer address.
    identity         (Optional) Displays IPsec SAs sorted by identity, not including the ESP SAs. This is a condensed form.
    map map-name     (Optional) Displays IPsec SAs for the specified crypto map.
    peer peer-addr   (Optional) Displays IPsec SAs for the specified peer IP addresses.

Defaults
    No default behavior or values.

Command Modes
    The following table shows the modes in which you can enter the command:

                          Firewall Mode          Security Context
                                                         Multiple
    Command Mode          Routed  Transparent    Single  Context  System
    Global configuration  Yes     Yes            Yes     —        —
    Privileged EXEC       Yes     Yes            Yes     —        —

Command History
    Release   Modification
    7.0(1)    This command was added.
    9.0(1)    Support for OSPFv3, multiple context mode, Suite B algorithms in the transform and IV size portion of the output, and ESPV3 IPsec output was added.

Examples
    The following example, entered in global configuration mode, displays IPsec SAs that include a tunnel identified as OSPFv3:
    ciscoasa(config)# show crypto ipsec sa
    interface: outside2
        Crypto map tag: def, local addr: 10.132.0.17

          local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (172.20.0.21/255.255.255.255/0/0)
          current_peer: 172.20.0.21
          dynamic allocated peer ip: 10.135.1.5

          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 1145, #pkts decrypt: 1145, #pkts verify: 1145
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 2, #pre-frag failures: 1, #fragments created: 10
          #PMTUs sent: 5, #PMTUs rcvd: 2, #decapstulated frags needing reassembly: 1
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 10.132.0.17, remote crypto endpt.: 172.20.0.21
          path mtu 1500, ipsec overhead 60, media mtu 1500
          current outbound spi: DC15BF68

        inbound esp sas:
          spi: 0x1E8246FC (511854332)
             transform: esp-3des esp-md5-hmac
             in use settings ={L2L, Transport, Manual key, (OSPFv3), }
             slot: 0, conn_id: 3, crypto-map: def
             sa timing: remaining key lifetime (sec): 548
             IV size: 8 bytes
             replay detection support: Y
        outbound esp sas:
          spi: 0xDC15BF68 (3692412776)
             transform: esp-3des esp-md5-hmac
             in use settings ={L2L, Transport, Manual key, (OSPFv3), }
             slot: 0, conn_id: 3, crypto-map: def
             sa timing: remaining key lifetime (sec): 548
             IV size: 8 bytes
             replay detection support: Y

        Crypto map tag: def, local addr: 10.132.0.17

          local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    ciscoasa(config)#

    Note  Fragmentation statistics are pre-fragmentation statistics if the IPsec SA policy states that fragmentation occurs before IPsec processing. Post-fragmentation statistics appear if the SA policy states that fragmentation occurs after IPsec processing.

    The following example, entered in global configuration mode, displays IPsec SAs for a crypto map named def:
    ciscoasa(config)# show crypto ipsec sa map def
    cryptomap: def
        Crypto map tag: def, local addr: 172.20.0.17

          local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)
          current_peer: 10.132.0.21
          dynamic allocated peer ip: 90.135.1.5

          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 1146, #pkts decrypt: 1146, #pkts verify: 1146
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21
          path mtu 1500, ipsec overhead 60, media mtu 1500
          current outbound spi: DC15BF68

        inbound esp sas:
          spi: 0x1E8246FC (511854332)
             transform: esp-3des esp-md5-hmac
             in use settings ={RA, Tunnel, }
             slot: 0, conn_id: 3, crypto-map: def
             sa timing: remaining key lifetime (sec): 480
             IV size: 8 bytes
             replay detection support: Y
        outbound esp sas:
          spi: 0xDC15BF68 (3692412776)
             transform: esp-3des esp-md5-hmac
             in use settings ={RA, Tunnel, }
             slot: 0, conn_id: 3, crypto-map: def
             sa timing: remaining key lifetime (sec): 480
             IV size: 8 bytes
             replay detection support: Y

        Crypto map tag: def, local addr: 172.20.0.17

          local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)
          current_peer: 10.135.1.8
          dynamic allocated peer ip: 0.0.0.0

          #pkts encaps: 73672, #pkts encrypt: 73672, #pkts digest: 73672
          #pkts decaps: 78824, #pkts decrypt: 78824, #pkts verify: 78824
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 73672, #pkts comp failed: 0, #pkts decomp failed: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8
          path mtu 1500, ipsec overhead 60, media mtu 1500
          current outbound spi: 3B6F6A35

        inbound esp sas:
          spi: 0xB32CF0BD (3006066877)
             transform: esp-3des esp-md5-hmac
             in use settings ={RA, Tunnel, }
             slot: 0, conn_id: 4, crypto-map: def
             sa timing: remaining key lifetime (sec): 263
             IV size: 8 bytes
             replay detection support: Y
        outbound esp sas:
          spi: 0x3B6F6A35 (997157429)
             transform: esp-3des esp-md5-hmac
             in use settings ={RA, Tunnel, }
             slot: 0, conn_id: 4, crypto-map: def
             sa timing: remaining key lifetime (sec): 263
             IV size: 8 bytes
             replay detection support: Y
    ciscoasa(config)#

    The following example, entered in global configuration mode, shows IPsec SAs for the keyword entry:

    ciscoasa(config)# show crypto ipsec sa entry
    peer address: 10.132.0.21
        Crypto map tag: def, local addr: 172.20.0.17

          local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)
          current_peer: 10.132.0.21
          dynamic allocated peer ip: 90.135.1.5

          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 1147, #pkts decrypt: 1147, #pkts verify: 1147
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21
          path mtu 1500, ipsec overhead 60, media mtu 1500
          current outbound spi: DC15BF68

        inbound esp sas:
          spi: 0x1E8246FC (511854332)
             transform: esp-3des esp-md5-hmac
             in use settings ={RA, Tunnel, }
             slot: 0, conn_id: 3, crypto-map: def
             sa timing: remaining key lifetime (sec): 429
             IV size: 8 bytes
             replay detection support: Y
        outbound esp sas:
          spi: 0xDC15BF68 (3692412776)
             transform: esp-3des esp-md5-hmac
             in use settings ={RA, Tunnel, }
             slot: 0, conn_id: 3, crypto-map: def
             sa timing: remaining key lifetime (sec): 429
             IV size: 8 bytes
             replay detection support: Y

    peer address: 10.135.1.8
        Crypto map tag: def, local addr: 172.20.0.17

          local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)
          current_peer: 10.135.1.8
          dynamic allocated peer ip: 0.0.0.0
          #pkts encaps: 73723, #pkts encrypt: 73723, #pkts digest: 73723
          #pkts decaps: 78878, #pkts decrypt: 78878, #pkts verify: 78878
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 73723, #pkts comp failed: 0, #pkts decomp failed: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8
          path mtu 1500, ipsec overhead 60, media mtu 1500
          current outbound spi: 3B6F6A35

        inbound esp sas:
          spi: 0xB32CF0BD (3006066877)
             transform: esp-3des esp-md5-hmac
             in use settings ={RA, Tunnel, }
             slot: 0, conn_id: 4, crypto-map: def
             sa timing: remaining key lifetime (sec): 212
             IV size: 8 bytes
             replay detection support: Y
        outbound esp sas:
          spi: 0x3B6F6A35 (997157429)
             transform: esp-3des esp-md5-hmac
             in use settings ={RA, Tunnel, }
             slot: 0, conn_id: 4, crypto-map: def
             sa timing: remaining key lifetime (sec): 212
             IV size: 8 bytes
             replay detection support: Y
    ciscoasa(config)#

    The following example, entered in global configuration mode, shows IPsec SAs with the keywords entry detail:
    ciscoasa(config)# show crypto ipsec sa entry detail
    peer address: 10.132.0.21
        Crypto map tag: def, local addr: 172.20.0.17

          local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)
          current_peer: 10.132.0.21
          dynamic allocated peer ip: 90.135.1.5

          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 1148, #pkts decrypt: 1148, #pkts verify: 1148
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
          #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
          #pkts invalid prot (rcv): 0, #pkts verify failed: 0
          #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
          #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
          #pkts replay failed (rcv): 0
          #pkts internal err (send): 0, #pkts internal err (rcv): 0

          local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21
          path mtu 1500, ipsec overhead 60, media mtu 1500
          current outbound spi: DC15BF68

        inbound esp sas:
          spi: 0x1E8246FC (511854332)
             transform: esp-3des esp-md5-hmac
             in use settings ={RA, Tunnel, }
             slot: 0, conn_id: 3, crypto-map: def
             sa timing: remaining key lifetime (sec): 322
             IV size: 8 bytes
             replay detection support: Y
        outbound esp sas:
          spi: 0xDC15BF68 (3692412776)
             transform: esp-3des esp-md5-hmac
             in use settings ={RA, Tunnel, }
             slot: 0, conn_id: 3, crypto-map: def
             sa timing: remaining key lifetime (sec): 322
             IV size: 8 bytes
             replay detection support: Y

    peer address: 10.135.1.8
        Crypto map tag: def, local addr: 172.20.0.17

          local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)
          current_peer: 10.135.1.8
          dynamic allocated peer ip: 0.0.0.0

          #pkts encaps: 73831, #pkts encrypt: 73831, #pkts digest: 73831
          #pkts decaps: 78989, #pkts decrypt: 78989, #pkts verify: 78989
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 73831, #pkts comp failed: 0, #pkts decomp failed: 0
          #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
          #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
          #pkts invalid prot (rcv): 0, #pkts verify failed: 0
          #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
          #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
          #pkts replay failed (rcv): 0
          #pkts internal err (send): 0, #pkts internal err (rcv): 0

          local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8
          path mtu 1500, ipsec overhead 60, media mtu 1500
          current outbound spi: 3B6F6A35

        inbound esp sas:
          spi: 0xB32CF0BD (3006066877)
             transform: esp-3des esp-md5-hmac
             in use settings ={RA, Tunnel, }
             slot: 0, conn_id: 4, crypto-map: def
             sa timing: remaining key lifetime (sec): 104
             IV size: 8 bytes
             replay detection support: Y
        outbound esp sas:
          spi: 0x3B6F6A35 (997157429)
             transform: esp-3des esp-md5-hmac
             in use settings ={RA, Tunnel, }
             slot: 0, conn_id: 4, crypto-map: def
             sa timing: remaining key lifetime (sec): 104
             IV size: 8 bytes
             replay detection support: Y
    ciscoasa(config)#

    The following example shows IPsec SAs with the keyword identity:
    ciscoasa(config)# show crypto ipsec sa identity
    interface: outside2
        Crypto map tag: def, local addr: 172.20.0.17

          local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)
          current_peer: 10.132.0.21
          dynamic allocated peer ip: 90.135.1.5

          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 1147, #pkts decrypt: 1147, #pkts verify: 1147
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21
          path mtu 1500, ipsec overhead 60, media mtu 1500
          current outbound spi: DC15BF68

        Crypto map tag: def, local addr: 172.20.0.17

          local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)
          current_peer: 10.135.1.8
          dynamic allocated peer ip: 0.0.0.0

          #pkts encaps: 73756, #pkts encrypt: 73756, #pkts digest: 73756
          #pkts decaps: 78911, #pkts decrypt: 78911, #pkts verify: 78911
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 73756, #pkts comp failed: 0, #pkts decomp failed: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8
          path mtu 1500, ipsec overhead 60, media mtu 1500
          current outbound spi: 3B6F6A35

    The following example shows IPsec SAs with the keywords identity and detail:
    ciscoasa(config)# show crypto ipsec sa identity detail
    interface: outside2
        Crypto map tag: def, local addr: 172.20.0.17

          local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)
          current_peer: 10.132.0.21
          dynamic allocated peer ip: 90.135.1.5

          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 1147, #pkts decrypt: 1147, #pkts verify: 1147
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
          #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
          #pkts invalid prot (rcv): 0, #pkts verify failed: 0
          #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
          #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
          #pkts replay failed (rcv): 0
          #pkts internal err (send): 0, #pkts internal err (rcv): 0

          local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21
          path mtu 1500, ipsec overhead 60, media mtu 1500
          current outbound spi: DC15BF68

        Crypto map tag: def, local addr: 172.20.0.17

          local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)
          current_peer: 10.135.1.8
          dynamic allocated peer ip: 0.0.0.0

          #pkts encaps: 73771, #pkts encrypt: 73771, #pkts digest: 73771
          #pkts decaps: 78926, #pkts decrypt: 78926, #pkts verify: 78926
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 73771, #pkts comp failed: 0, #pkts decomp failed: 0
          #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
          #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
          #pkts invalid prot (rcv): 0, #pkts verify failed: 0
          #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
          #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
          #pkts replay failed (rcv): 0
          #pkts internal err (send): 0, #pkts internal err (rcv): 0

          local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8
          path mtu 1500, ipsec overhead 60, media mtu 1500
          current outbound spi: 3B6F6A35

Related Commands
    clear configure isakmp          Clears all the ISAKMP configuration.
    clear configure isakmp policy   Clears all ISAKMP policy configuration.
    clear isakmp sa                 Clears the IKE runtime SA database.
    isakmp enable                   Enables ISAKMP negotiation on the interface on which the IPsec peer communicates with the ASA.
    show running-config isakmp      Displays all the active ISAKMP configuration.

show crypto ipsec stats

To display a list of IPsec statistics, use the show crypto ipsec stats command in global configuration mode or privileged EXEC mode.

    show crypto ipsec stats

Syntax Description
    This command has no keywords or variables.

Defaults
    No default behavior or values.

Command Modes
    The following table shows the modes in which you can enter the command:

                          Firewall Mode          Security Context
                                                         Multiple
    Command Mode          Routed  Transparent    Single  Context  System
    Global configuration  Yes     Yes            Yes     —        —
    Privileged EXEC       Yes     Yes            Yes     —        —

Command History
    Release   Modification
    7.0(1)    This command was added.
Examples
    The following example, entered in global configuration mode, displays IPsec statistics:

    ciscoasa(config)# show crypto ipsec stats

    IPsec Global Statistics
    -----------------------
    Active tunnels: 2
    Previous tunnels: 9
    Inbound
        Bytes: 4933013
        Decompressed bytes: 4933013
        Packets: 80348
        Dropped packets: 0
        Replay failures: 0
        Authentications: 80348
        Authentication failures: 0
        Decryptions: 80348
        Decryption failures: 0
        Decapsulated fragments needing reassembly: 0
    Outbound
        Bytes: 4441740
        Uncompressed bytes: 4441740
        Packets: 74029
        Dropped packets: 0
        Authentications: 74029
        Authentication failures: 0
        Encryptions: 74029
        Encryption failures: 0
        Fragmentation successes: 3
            Pre-fragmentation successes: 2
            Post-fragmentation successes: 1
        Fragmentation failures: 2
            Pre-fragmentation failures: 1
            Post-fragmentation failures: 1
        Fragments created: 10
        PMTUs sent: 1
        PMTUs recvd: 2
    Protocol failures: 0
    Missing SA failures: 0
    System capacity failures: 0
    ciscoasa(config)#

Related Commands
    clear ipsec sa               Clears IPsec SAs or counters based on specified parameters.
    crypto ipsec transform-set   Defines a transform set.
    show ipsec sa                Displays IPsec SAs based on specified parameters.
    show ipsec sa summary        Displays a summary of IPsec SAs.
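The entry detail examples of show crypto ipsec sa above print, for every peer, a block of per-packet failure counters (verify failed, replay failed, invalid SA, decaps failed, internal errors) followed by each ESP SA's transform and remaining key lifetime. A defender usually wants those three things per peer in one line. The following script is an added example, not Cisco code; it parses the `show crypto ipsec sa entry detail` text by peer address and summarises non-zero failure counters, ESP transforms treated as weak, and the shortest remaining key lifetime. The sample is constructed from the output above: the first peer is copied from it, while the second peer's non-zero verify and replay counters and its AES/SHA transform are invented so the checks have something to report. The list of transforms treated as weak is the example's own assumption.

```python
"""Per-peer health from `show crypto ipsec sa entry detail`: failure
counters, weak ESP transforms and shortest remaining key lifetime.
Added example, not Cisco code.  Peer 10.132.0.21 is copied from the
command reference; peer 10.135.1.8's non-zero failure counters and
AES/SHA transform are constructed."""
import re

SAMPLE = """\
ciscoasa(config)# show crypto ipsec sa entry detail
peer address: 10.132.0.21
    Crypto map tag: def, local addr: 172.20.0.17
      current_peer: 10.132.0.21
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1148, #pkts decrypt: 1148, #pkts verify: 1148
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0
      current outbound spi: DC15BF68
    inbound esp sas:
      spi: 0x1E8246FC (511854332)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         sa timing: remaining key lifetime (sec): 322
         replay detection support: Y
    outbound esp sas:
      spi: 0xDC15BF68 (3692412776)
         transform: esp-3des esp-md5-hmac
         sa timing: remaining key lifetime (sec): 322

peer address: 10.135.1.8
    Crypto map tag: def, local addr: 172.20.0.17
      #pkts encaps: 73831, #pkts encrypt: 73831, #pkts digest: 73831
      #pkts decaps: 78989, #pkts decrypt: 78989, #pkts verify: 78977
      #pkts invalid prot (rcv): 0, #pkts verify failed: 12
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 7
      #pkts internal err (send): 0, #pkts internal err (rcv): 0
    inbound esp sas:
      spi: 0xB32CF0BD (3006066877)
         transform: esp-aes-256 esp-sha-hmac
         sa timing: remaining key lifetime (sec): 104
    outbound esp sas:
      spi: 0x3B6F6A35 (997157429)
         transform: esp-aes-256 esp-sha-hmac
         sa timing: remaining key lifetime (sec): 104
"""

COUNTER = re.compile(r"#([a-z][a-z ()]*?): (\d+)")          # "#pkts verify failed: 12"
LIFETIME = re.compile(r"remaining key lifetime \(sec\): (\d+)")
TRANSFORM = re.compile(r"transform: (.+)")
FAILURE_KEYS = ("pkts verify failed", "pkts replay failed (rcv)", "pkts invalid sa (rcv)",
                "pkts decaps failed (rcv)", "pkts invalid prot (rcv)", "pkts invalid identity (rcv)",
                "pkts invalid len (rcv)", "pkts internal err (rcv)", "pkts internal err (send)",
                "pkts no sa (send)", "pkts encaps failed (send)", "send errors", "recv errors")
WEAK = ("esp-des", "esp-3des", "esp-md5-hmac", "esp-null")   # assumption for this audit


def parse_ipsec_sa(output):
    """peer address -> {'counters': {...}, 'lifetimes': [...], 'transforms': set()}.
    A peer may own several crypto-map blocks; their counters are summed."""
    peers, cur = {}, None
    for line in output.splitlines():
        if line.startswith("peer address:"):
            cur = {"counters": {}, "lifetimes": [], "transforms": set()}
            peers[line.split(":", 1)[1].strip()] = cur
        elif cur is not None:
            for name, value in COUNTER.findall(line):
                cur["counters"][name] = cur["counters"].get(name, 0) + int(value)
            m = LIFETIME.search(line)
            if m:
                cur["lifetimes"].append(int(m.group(1)))
            m = TRANSFORM.search(line)
            if m:
                cur["transforms"].update(m.group(1).split())
    return peers


def summarize(output):
    """One compact record per peer: non-zero failure counters, weak ESP
    transforms and the shortest remaining key lifetime across its SAs."""
    report = {}
    for peer, info in parse_ipsec_sa(output).items():
        c = info["counters"]
        report[peer] = {
            "encaps": c.get("pkts encaps", 0),
            "decaps": c.get("pkts decaps", 0),
            "failures": {k: c[k] for k in FAILURE_KEYS if c.get(k)},
            "weak_transforms": sorted(t for t in info["transforms"] if t in WEAK),
            "min_lifetime": min(info["lifetimes"]) if info["lifetimes"] else None,
        }
    return report


if __name__ == "__main__":
    for peer, rec in summarize(SAMPLE).items():
        print(peer, rec)
```

Replay failures on a peer that advertises replay detection support are worth correlating with the IKE-level counters from show crypto isakmp stats; a rising count on one peer only usually points at path problems (reordering beyond the replay window) rather than at the peer itself.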
show crypto isakmp sa

To display the IKE runtime SA database, use the show crypto isakmp sa command in global configuration mode or privileged EXEC mode.

    show crypto isakmp sa [detail]

Syntax Description
    detail    Displays detailed output about the SA database.

Defaults
    No default behavior or values.

Command Modes
    The following table shows the modes in which you can enter the command:

                          Firewall Mode          Security Context
                                                         Multiple
    Command Mode          Routed  Transparent    Single  Context  System
    Global configuration  Yes     —              Yes     —        —
    Privileged EXEC       Yes     —              Yes     —        —

Command History
    Release   Modification
    7.0(1)    The show isakmp sa command was added.
    7.2(1)    The show isakmp sa command was deprecated. The show crypto isakmp sa command replaced it.
    9.0(1)    Support for multiple context mode was added.

Usage Guidelines
    The output from this command includes the following fields:

    Detail not specified:
      IKE Peer—209.165.200.225
      Type—L2L or User
      Dir—Init
      Rky—No or Yes. If yes, a rekey is occurring, and a second matching SA will be in a different state until the rekey completes.
      Role—Initiator or Responder
      State—Tells the current state of the state machine for the SA. A tunnel up and passing data has a value of either MM_ACTIVE or AM_ACTIVE. Other active states include MM_BLD_MSG4, MM_BLD_MSG6, MM_FREE, MM_SND_MSG6_H, MM_START, MM_TM_INIT_MODECFG_H, MM_TM_PEND_QM, MM_WAIT_DELETE, MM_WAIT_MSG3, MM_WAIT_MSG5, and so on.

    Detail specified: all of the fields above, plus:
      Encrypt—3des
      Hash—md5
      Auth—preshrd
      Lifetime—86400

Examples
    The following example, entered in global configuration mode, displays detailed information about the SA database:

    ciscoasa(config)# show crypto isakmp sa detail

       IKE Peer          Type   Dir    Rky   State       Encrypt   Hash   Auth      Lifetime
    1  209.165.200.225   User   Resp   No    AM_Active   3des      SHA    preshrd   86400
    2  209.165.200.226   User   Resp   No    AM_ACTIVE   3des      SHA    preshrd   86400
    3  209.165.200.227   User   Resp   No    AM_ACTIVE   3des      SHA    preshrd   86400
    4  209.165.200.228   User   Resp   No    AM_ACTIVE   3des      SHA    preshrd   86400
    ciscoasa(config)#

Related Commands
    clear configure crypto isakmp          Clears all the ISAKMP configuration.
    clear configure crypto isakmp policy   Clears all ISAKMP policy configuration.
    clear crypto isakmp sa                 Clears the IKE runtime SA database.
    crypto isakmp enable                   Enables ISAKMP negotiation on the interface on which the IPsec peer communicates with the ASA.
    show running-config crypto isakmp      Displays all the active ISAKMP configuration.

show crypto isakmp stats

To display runtime statistics, use the show crypto isakmp stats command in global configuration mode or privileged EXEC mode.

    show crypto isakmp stats

Syntax Description
    This command has no arguments or keywords.

Defaults
    No default behavior or values.

Command Modes
    The following table shows the modes in which you can enter the command:

                          Firewall Mode          Security Context
                                                         Multiple
    Command Mode          Routed  Transparent    Single  Context  System
    Global configuration  Yes     —              Yes     —        —
    Privileged EXEC       Yes     —              Yes     —        —

Command History
    Release   Modification
    7.0(1)    The show isakmp stats command was added.
    7.2(1)    The show isakmp stats command was deprecated. The show crypto isakmp stats command replaced it.
The output from this command includes the following fields:

• Global IKE Statistics
• Active Tunnels
• In Octets
• In Packets
• In Drop Packets
• In Notifys
• In P2 Exchanges
• In P2 Exchange Invalids
• In P2 Exchange Rejects
• In P2 Sa Delete Requests
• Out Octets
• Out Packets
• Out Drop Packets
• Out Notifys
• Out P2 Exchanges
• Out P2 Exchange Invalids
• Out P2 Exchange Rejects
• Out P2 Sa Delete Requests
• Initiator Tunnels
• Initiator Fails
• Responder Fails
• System Capacity Fails
• Auth Fails
• Decrypt Fails
• Hash Valid Fails
• No Sa Fails

Examples

The following example, issued in global configuration mode, displays ISAKMP statistics:

ciscoasa(config)# show crypto isakmp stats
Global IKE Statistics
Active Tunnels: 132
Previous Tunnels: 132
In Octets: 195471
In Packets: 1854
In Drop Packets: 925
In Notifys: 0
In P2 Exchanges: 132
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 119029
Out Packets: 796
Out Drop Packets: 0
Out Notifys: 264
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
ciscoasa(config)#

Related Commands

Command                               Description
clear configure crypto isakmp         Clears all the ISAKMP configuration.
clear configure crypto isakmp policy  Clears all ISAKMP policy configuration.
clear crypto isakmp sa                Clears the IKE runtime SA database.
crypto isakmp enable                  Enables ISAKMP negotiation on the interface on which the IPsec peer communicates with the ASA.
show running-config crypto isakmp     Displays all the active ISAKMP configuration.
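The two show crypto isakmp outputs above (the sa detail table and the stats counters) are the raw material for an IKEv1 health check. The following is an added example, not code from the Cisco reference: it parses both formats offline and reports SAs that negotiate algorithms an auditor would flag (the WEAK_ENCRYPT and WEAK_HASH sets are this example's assumption, not a Cisco list), SAs that are not in MM_ACTIVE/AM_ACTIVE, and two ratios worth trending from the stats: the inbound drop rate and the sum of the negotiation-failure counters. The sample outputs are constructed to match the manual's layout.

```python
"""Added example (not from the Cisco reference): offline checks over the
show crypto isakmp sa detail and show crypto isakmp stats output formats.
The sample text is constructed to match the manual's examples."""
import re

# Constructed sample of `show crypto isakmp sa detail` (column layout as in the manual).
SA_DETAIL = """\
   IKE Peer          Type  Dir   Rky  State      Encrypt  Hash  Auth     Lifetime
1  209.165.200.225   User  Resp  No   AM_ACTIVE  3des     SHA   preshrd  86400
2  209.165.200.226   L2L   Init  Yes  MM_ACTIVE  aes-256  SHA   rsasig   28800
3  209.165.200.227   User  Resp  No   MM_WAIT_MSG3  3des  md5   preshrd  86400
"""

# Constructed sample of `show crypto isakmp stats` (same field names as the manual).
STATS = """\
Global IKE Statistics
Active Tunnels: 132
Previous Tunnels: 132
In Octets: 195471
In Packets: 1854
In Drop Packets: 925
In Notifys: 0
In P2 Exchanges: 132
Out Packets: 796
Out Drop Packets: 0
Initiator Fails: 0
Responder Fails: 4
System Capacity Fails: 0
Auth Fails: 3
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
"""

ACTIVE_STATES = {"MM_ACTIVE", "AM_ACTIVE"}
# Algorithms this example flags; an assumption of the example, not a Cisco list.
WEAK_ENCRYPT = {"des", "3des"}
WEAK_HASH = {"md5"}

SA_ROW = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<peer>\S+)\s+(?P<type>L2L|User)\s+(?P<dir>Init|Resp)\s+"
    r"(?P<rky>Yes|No)\s+(?P<state>\S+)\s+(?P<encrypt>\S+)\s+(?P<hash>\S+)\s+"
    r"(?P<auth>\S+)\s+(?P<lifetime>\d+)\s*$")

def parse_sa_detail(text):
    """Return one dict per SA row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line)
        if m:
            d = m.groupdict()
            d["idx"] = int(d["idx"])
            d["lifetime"] = int(d["lifetime"])
            rows.append(d)
    return rows

def audit_sas(rows):
    """(peer, reason) pairs for SAs using weak algorithms or not yet active."""
    findings = []
    for r in rows:
        if r["encrypt"].lower() in WEAK_ENCRYPT:
            findings.append((r["peer"], "weak-encrypt:" + r["encrypt"]))
        if r["hash"].lower() in WEAK_HASH:
            findings.append((r["peer"], "weak-hash:" + r["hash"]))
        if r["state"].upper() not in ACTIVE_STATES:
            findings.append((r["peer"], "not-active:" + r["state"]))
    return findings

def parse_stats(text):
    """Turn 'Name: value' lines into a dict of ints; the title line has no colon."""
    stats = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and value.strip().isdigit():
            stats[name.strip()] = int(value.strip())
    return stats

def stats_indicators(stats):
    """Ratios worth trending: inbound drop rate and total negotiation failures."""
    in_pkts = stats.get("In Packets", 0)
    drop_rate = stats.get("In Drop Packets", 0) / in_pkts if in_pkts else 0.0
    fail_keys = ("Initiator Fails", "Responder Fails", "System Capacity Fails",
                 "Auth Fails", "Decrypt Fails", "Hash Valid Fails", "No Sa Fails")
    failures = sum(stats.get(k, 0) for k in fail_keys)
    return {"drop_rate": round(drop_rate, 3), "failures": failures,
            "auth_fails": stats.get("Auth Fails", 0)}

if __name__ == "__main__":
    for peer, why in audit_sas(parse_sa_detail(SA_DETAIL)):
        print(peer, why)
    print(stats_indicators(parse_stats(STATS)))
```

The counters are cumulative since the last clear, so the useful signal is the change between two samples rather than the absolute value; a rising Auth Fails count with a stable Active Tunnels count is the pattern to alert on.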
show crypto key mypubkey

To display the key name, usage, and elliptic curve size for ECDSA keys, use the show crypto key mypubkey command in global configuration mode or privileged EXEC mode.

show crypto key mypubkey dsa | rsa

Syntax Description

dsa    Specifies the key name.
rsa    Specifies the key name.

Command Modes

The following table shows the modes in which you can enter the command:

                      Firewall Mode        Security Context
                                                   Multiple
Command Mode          Routed  Transparent  Single  Context  System
Global configuration  Yes     —            Yes     —        —
Privileged EXEC       Yes     —            Yes     —        —

Command History

Release  Modification
7.0(1)   This command was added.

show crypto protocol statistics

To display the protocol-specific statistics in the crypto accelerator MIB, use the show crypto protocol statistics command in global configuration or privileged EXEC mode.

show crypto protocol statistics protocol

Syntax Description

protocol    Specifies the name of the protocol for which to display statistics. Protocol choices are as follows:
            ikev1—Internet Key Exchange version 1.
            ipsec—IP Security Phase-2 protocols.
            ssl—Secure Sockets Layer.
            other—Reserved for new protocols.
            all—All protocols currently supported.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

                      Firewall Mode        Security Context
                                                   Multiple
Command Mode          Routed  Transparent  Single  Context  System
Global configuration  Yes     Yes          Yes     —        —
Privileged EXEC       Yes     Yes          Yes     —        —

Command History

Release  Modification
7.0(1)   This command was added.

Examples
The following examples, entered in global configuration mode, display crypto accelerator statistics for specified protocols:

ciscoasa # show crypto protocol statistics ikev1
[IKEv1 statistics]
   Encrypt packet requests: 39
   Encapsulate packet requests: 39
   Decrypt packet requests: 35
   Decapsulate packet requests: 35
   HMAC calculation requests: 84
   SA creation requests: 1
   SA rekey requests: 3
   SA deletion requests: 2
   Next phase key allocation requests: 2
   Random number generation requests: 0
   Failed requests: 0

ciscoasa # show crypto protocol statistics ipsec
[IPsec statistics]
   Encrypt packet requests: 700
   Encapsulate packet requests: 700
   Decrypt packet requests: 700
   Decapsulate packet requests: 700
   HMAC calculation requests: 1400
   SA creation requests: 2
   SA rekey requests: 0
   SA deletion requests: 0
   Next phase key allocation requests: 0
   Random number generation requests: 0
   Failed requests: 0

ciscoasa # show crypto protocol statistics ssl
[SSL statistics]
   Encrypt packet requests: 0
   Encapsulate packet requests: 0
   Decrypt packet requests: 0
   Decapsulate packet requests: 0
   HMAC calculation requests: 0
   SA creation requests: 0
   SA rekey requests: 0
   SA deletion requests: 0
   Next phase key allocation requests: 0
   Random number generation requests: 0
   Failed requests: 0

ciscoasa # show crypto protocol statistics other
[Other statistics]
   Encrypt packet requests: 0
   Encapsulate packet requests: 0
   Decrypt packet requests: 0
   Decapsulate packet requests: 0
   HMAC calculation requests: 0
   SA creation requests: 0
   SA rekey requests: 0
   SA deletion requests: 0
   Next phase key allocation requests: 0
   Random number generation requests: 99
   Failed requests: 0

ciscoasa # show crypto protocol statistics all
[IKEv1 statistics]
   Encrypt packet requests: 46
   Encapsulate packet requests: 46
   Decrypt packet requests: 40
   Decapsulate packet requests: 40
   HMAC calculation requests: 91
   SA creation requests: 1
   SA rekey requests: 3
   SA deletion requests: 3
   Next phase key allocation requests: 2
   Random number generation requests: 0
   Failed requests: 0
[IKEv2 statistics]
   Encrypt packet requests: 0
   Encapsulate packet requests: 0
   Decrypt packet requests: 0
   Decapsulate packet requests: 0
   HMAC calculation requests: 0
   SA creation requests: 0
   SA rekey requests: 0
   SA deletion requests: 0
   Next phase key allocation requests: 0
   Random number generation requests: 0
   Failed requests: 0
[IPsec statistics]
   Encrypt packet requests: 700
   Encapsulate packet requests: 700
   Decrypt packet requests: 700
   Decapsulate packet requests: 700
   HMAC calculation requests: 1400
   SA creation requests: 2
   SA rekey requests: 0
   SA deletion requests: 0
   Next phase key allocation requests: 0
   Random number generation requests: 0
   Failed requests: 0
[SSL statistics]
   Encrypt packet requests: 0
   Encapsulate packet requests: 0
   Decrypt packet requests: 0
   Decapsulate packet requests: 0
   HMAC calculation requests: 0
   SA creation requests: 0
   SA rekey requests: 0
   SA deletion requests: 0
   Next phase key allocation requests: 0
   Random number generation requests: 0
   Failed requests: 0
[SSH statistics are not supported]
[SRTP statistics are not supported]
[Other statistics]
   Encrypt packet requests: 0
   Encapsulate packet requests: 0
   Decrypt packet requests: 0
   Decapsulate packet requests: 0
   HMAC calculation requests: 0
   SA creation requests: 0
   SA rekey requests: 0
   SA deletion requests: 0
   Next phase key allocation requests: 0
   Random number generation requests: 99
   Failed requests: 0
ciscoasa #

Related Commands

Command                             Description
clear crypto accelerator statistics Clears the global and accelerator-specific statistics in the crypto accelerator MIB.
clear crypto protocol statistics    Clears the protocol-specific statistics in the crypto accelerator MIB.
show crypto accelerator statistics  Displays the global and accelerator-specific statistics from the crypto accelerator MIB.
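The show crypto protocol statistics all output above is sectioned: a bracketed header names the protocol (or states that it is not supported), followed by indented counter lines. The following added example, which is not part of the Cisco reference, parses that layout and reports every protocol whose accelerator reports a non-zero Failed requests counter, expressed as a share of that protocol's packet requests, together with the sections the platform flags as unsupported. The counter values in the sample are constructed.

```python
"""Added example (not Cisco code): parse the sectioned output of
show crypto protocol statistics all and report protocols whose crypto
accelerator counters show failed requests, plus unsupported sections."""
import re

# Constructed sample in the format shown in the manual (counter values invented).
PROTO_STATS = """\
[IKEv1 statistics]
   Encrypt packet requests: 46
   Decrypt packet requests: 40
   HMAC calculation requests: 91
   SA creation requests: 1
   Failed requests: 0
[IKEv2 statistics]
   Encrypt packet requests: 0
   Failed requests: 0
[IPsec statistics]
   Encrypt packet requests: 700
   Decrypt packet requests: 700
   HMAC calculation requests: 1400
   Failed requests: 5
[SSH statistics are not supported]
[SRTP statistics are not supported]
[Other statistics]
   Random number generation requests: 99
   Failed requests: 0
"""

SECTION = re.compile(r"^\[(?P<name>\w+) statistics(?P<unsupported> are not supported)?\]$")

def parse_protocol_stats(text):
    """Return ({protocol: {counter: int}}, [unsupported protocol names])."""
    stats, unsupported, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            if m.group("unsupported"):
                unsupported.append(m.group("name"))
                current = None
            else:
                current = m.group("name")
                stats[current] = {}
            continue
        name, sep, value = line.partition(":")
        if current and sep and value.strip().isdigit():
            stats[current][name.strip()] = int(value.strip())
    return stats, unsupported

def failing_protocols(stats):
    """Protocols with a non-zero 'Failed requests' counter, mapped to the failure
    share of all '... packet requests' for that protocol (0.0 if none processed)."""
    out = {}
    for proto, counters in stats.items():
        failed = counters.get("Failed requests", 0)
        if failed:
            total = sum(v for k, v in counters.items() if k.endswith("packet requests"))
            out[proto] = round(failed / total, 4) if total else 0.0
    return out

if __name__ == "__main__":
    parsed, unsupported = parse_protocol_stats(PROTO_STATS)
    print(failing_protocols(parsed), unsupported)
```

Because the counters live in the crypto accelerator MIB, the same values are reachable over SNMP; parsing the CLI output is mainly useful in a lab or for a one-off comparison before and after clear crypto protocol statistics.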
show crypto sockets

To display crypto secure socket information, use the show crypto sockets command in global configuration mode or privileged EXEC mode.

show crypto sockets

Syntax Description

This command has no keywords or variables.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

                      Firewall Mode        Security Context
                                                   Multiple
Command Mode          Routed  Transparent  Single  Context  System
Global configuration  Yes     Yes          Yes     —        —
Privileged EXEC       Yes     Yes          Yes     —        —

Command History

Release  Modification
7.0(1)   This command was added.

Examples

The following example, entered in global configuration mode, displays crypto secure socket information:

ciscoasa(config)# show crypto sockets
Number of Crypto Socket connections 1
   Gi0/1 Peers: (local): 2001:1::1
                (remote): ::
      Local Ident  (addr/plen/port/prot): (2001:1::1/64/0/89)
      Remote Ident (addr/plen/port/prot): (::/0/0/89)
      IPsec Profile: "CSSU-UTF"
      Socket State: Open
      Client: "CSSU_App(UTF)" (Client State: Active)
Crypto Sockets in Listen state:

The following table describes the fields in the show crypto sockets command output.

Field                               Description
Number of Crypto Socket connections Number of crypto sockets in the system.
Socket State                        This state can be Open, which means that active IPsec security associations (SAs) exist, or it can be Closed, which means that no active IPsec SAs exist.
Client                              Application name and its state.
Flags                               If this field says “shared,” the socket is shared with more than one tunnel interface.
Crypto Sockets in Listen state      Name of the crypto IPsec profile.

Related Commands

Command                  Description
show crypto ipsec policy Displays the crypto secure socket API installed policy information.
show csc node-count

To display the number of nodes for which the CSC SSM scanned traffic, use the show csc node-count command in privileged EXEC mode:

show csc node-count [yesterday]

Syntax Description

yesterday    (Optional) Shows the number of nodes for which the CSC SSM scanned traffic in the preceding 24-hour period, from midnight to midnight.

Defaults

By default, the node count displayed is the number of nodes scanned since midnight.

Command Modes

The following table shows the modes in which you can enter the command:

                 Firewall Mode        Security Context
                                              Multiple
Command Mode     Routed  Transparent  Single  Context  System
Privileged EXEC  Yes     Yes          Yes     —        Yes

Command History

Release  Modification
7.0(1)   This command was added.

Usage Guidelines

A node is any distinct source IP address or the address of a device that is on a network protected by the ASA. The ASA keeps track of a daily node count and communicates this to the CSC SSM for user license enforcement.

Examples

The following is sample output of the show csc node-count command, which displays the number of nodes for which the CSC SSM has scanned traffic since midnight:

ciscoasa# show csc node-count
Current node count is 1

The following is sample output of the show csc node-count command, which displays the number of nodes for which the CSC SSM scanned traffic in the preceding 24-hour period, from midnight to midnight:

ciscoasa(config)# show csc node-count yesterday
Yesterday’s node count is 2

Related Commands

Command                             Description
csc                                 Sends network traffic to the CSC SSM for scanning of FTP, HTTP, POP3, and SMTP, as configured on the CSC SSM.
show running-config class-map       Shows current class map configuration.
show running-config policy-map      Shows the current policy map configuration.
show running-config service-policy  Shows the current service policy configuration.
show ctiqbe

To display information about CTIQBE sessions established across the ASA, use the show ctiqbe command in privileged EXEC mode.

show ctiqbe

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

                 Firewall Mode        Security Context
                                              Multiple
Command Mode     Routed  Transparent  Single  Context  System
Privileged EXEC  Yes     Yes          Yes     Yes      Yes

Command History

Release  Modification
7.0(1)   This command was added.

Usage Guidelines

The show ctiqbe command displays information about CTIQBE sessions established across the ASA. Along with debug ctiqbe and show local-host, this command is used for troubleshooting CTIQBE inspection engine issues.

Note: We recommend that you have the pager command configured before using the show ctiqbe command. If there are a lot of CTIQBE sessions and the pager command is not configured, it can take a while for the show ctiqbe command output to reach the end.

Examples

The following is sample output from the show ctiqbe command under the following conditions. There is only one active CTIQBE session set up across the ASA. It is established between an internal CTI device (for example, a Cisco IP SoftPhone) at local address 10.0.0.99 and an external Cisco CallManager at 172.29.1.77, where TCP port 2748 is the Cisco CallManager port. The heartbeat interval for the session is 120 seconds.
ciscoasa# show ctiqbe
Total: 1
     LOCAL            FOREIGN            STATE   HEARTBEAT
---------------------------------------------------------------
1   10.0.0.99/1117   172.29.1.77/2748     1       120
    ----------------------------------------------
    RTP/RTCP: PAT xlates: mapped to 172.29.1.99(1028 - 1029)
    ----------------------------------------------
    MEDIA: Device ID 27  Call ID 0
           Foreign 172.29.1.99  (1028 - 1029)
           Local   172.29.1.88  (26822 - 26823)
    ----------------------------------------------

The CTI device has already registered with the CallManager. The device internal address and RTP listening port is PATed to 172.29.1.99 UDP port 1028. Its RTCP listening port is PATed to UDP 1029.

The line beginning with RTP/RTCP: PAT xlates: appears only if an internal CTI device has registered with an external CallManager and the CTI device address and ports are PATed to that external interface. This line does not appear if the CallManager is located on an internal interface, or if the internal CTI device address and ports are NATed to the same external interface that is used by the CallManager.

The output indicates a call has been established between this CTI device and another phone at 172.29.1.88. The RTP and RTCP listening ports of the other phone are UDP 26822 and 26823. The other phone is located on the same interface as the CallManager, because the ASA does not maintain a CTIQBE session record associated with the second phone and CallManager. The active call leg on the CTI device side can be identified with Device ID 27 and Call ID 0.

Related Commands

Commands        Description
inspect ctiqbe  Enables CTIQBE application inspection.
service-policy  Applies a policy map to one or more interfaces.
show conn       Displays the connection state for different connection types.
timeout         Sets the maximum idle time duration for different protocols and session types.
show ctl-file

To show the contents of the CTL file used by the phone proxy, use the show ctl-file command in global configuration mode.

show ctl-file filename [parsed]

Syntax Description

filename    Displays the phones capable of secure mode stored in the database.
parsed      (Optional) Displays detailed information from the CTL file specified.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

                      Firewall Mode        Security Context
                                                   Multiple
Command Mode          Routed  Transparent  Single  Context  System
Global configuration  Yes     —            Yes     —        —

Command History

Release  Modification
8.2(1)   The command was added.

Usage Guidelines

When specifying the filename of the CTL file stored in Flash memory, specify the disk number, filename, and extension; for example: disk0:/testctl.tlv.

Using the show ctl-file command is useful for debugging when configuring the phone proxy instance.

Examples

The following example shows the use of the show ctl-file command to show general information about the CTL file:

ciscoasa# show ctl-file disk0:/ctlfile.tlv
Total Number of Records: 1
CTL Record Number 1
   Subject Name:          serialNumber=JMX1215L2TX+hostname=ciscoasa
   Issuer Name:           serialNumber=JMX1215L2TX+hostname=ciscoasa
   Function:              cucm
   IP Address:            192.168.52.102
   Associated Trustpoint: cucm_primary

The following example shows the use of the show ctl-file command to show detailed information about the CTL file:

ciscoasa# show ctl-file disk0:/ctlfile.tlv parsed
TAG 0x01: Version: Maj 1, Min 2
TAG 0x02: Header Len: Len 288
TAG 0x03: Signer ID: Len 103
TAG 0x04: Signer Name: Len 45
   Name: <cn=_internal_myctl_SAST_0,ou=STG,o=Cisco Inc>
TAG 0x05: Cert SN: Len 4
   SN: c43c9048
TAG 0x06: CA Name: Len 45
   Name: <cn=_internal_myctl_SAST_0,ou=STG,o=Cisco Inc>
TAG 0x07: Signature: Len 15
TAG 0x08: Digest Alg: Len 1
   Name: SHA-1
TAG 0x09: Sig Alg Info: Len 8
TAG 0x0A: Sig Alg: Len 1
   Name: RSA
TAG 0x0B: Modulus: Len 1
   Name: 1024
TAG 0x0C: Sig Block: Len 128
   Signature:
   521debcf b7a77ea8 94eba5f7 f3c8b0d8 3337a9fa 267ce1a7 202b2c8b 2ac980d3
   9608f64d e7cd82df e205e5bf 74a1d9c4 fae20f90 f3d2746a e90f439e ef93fca7
   d4925551 72daa414 2c55f249 ef7e6dc2 bcb9f9b5 39be8238 5011eecb ce37e4d1
   866e6550 6779c3fd 25c8bab0 6e9be32c 7f79fe34 5575e3af ea039145 45ce3158
TAG 0x0E: File Name: Len 12
   Name: <CTLFile.tlv>
TAG 0x0F: Timestamp: Len 4
   Timestamp: 48903cc6
### CTL RECORD No. 1 ###
TAG 0x01: Rcd Len: Len 731
TAG 0x03: Sub Name: Len 43
   Sub Name: <serialNumber=JMX1215L2TX+hostname=ciscoasa>
TAG 0x04: Function: Len 2
   Func: CCM
TAG 0x05: Cert Issuer: Len 43
   Issuer Name: <serialNumber=JMX1215L2TX+hostname=ciscoasa>
TAG 0x06: Cert SN: Len 4
   Cert SN: 15379048
TAG 0x07: Pub Key: Len 140
   Pub Key:
   30818902 818100ad a752b4e6 89769a49 13115e52 1209b3ef 96a179af 728c29d7
   af7fed4e c759d0ea cebd7587 dd4f7c4c 322da86b 3a677c08 ce39ce60 2525f6d2
   50fe87cf 2aea60a5 690ec985 10706e5a 30ad26db e6fdb243 159758ed bb487525
   f901ef4a 658445de 29981546 3867d2d1 ce519ee4 62c7be32 51037c3c 751c0ad6
   040bedbb 3e984502 03010001
TAG 0x09: Cert: Len 469
   X.509v3 Cert:
   308201d1 3082013a a0030201 02020415 37904830 0d06092a 864886f7 0d010104
   0500302d 312b3012 06035504 05130b4a 4d583132 31354c32 54583015 06092a86
   4886f70d 01090216 08636973 636f6173 61301e17 0d303830 37333030 39343033
   375a170d 31383037 32383039 34303337 5a302d31 2b301206 03550405 130b4a4d
   58313231 354c3254 58301506 092a8648 86f70d01 09021608 63697363 6f617361
   30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00ada752
   b4e68976 9a491311 5e521209 b3ef96a1 79af728c 29d7af7f ed4ec759 d0eacebd
   7587dd4f 7c4c322d a86b3a67 7c08ce39 ce602525 f6d250fe 87cf2aea 60a5690e
   c9851070 6e5a30ad 26dbe6fd b2431597 58edbb48 7525f901 ef4a6584 45de2998
   15463867 d2d1ce51 9ee462c7 be325103 7c3c751c 0ad6040b edbb3e98 45020301
   0001300d 06092a86 4886f70d 01010405 00038181 005d82b7 ac45dbf8 bd911d4d
   a330454a a2784a4b 5ef898b1 482e0bbf 4a86ed86 9019820b 00e80361 fd7b2518
   9efa746c b98b1e23 fcc0793c de48de6d 6b1a4998 cd6f4e66 ba661d3a d200739a
   ae679c7c 94f550fb a6381b94 1eae389e a9ec4b11 30ba31f3 33cd184e 25647174
   ce00231d 102d5db3 c9c111a6 df37eb43 66f3d2d5 46
TAG 0x0A: IP Addr: Len 4
   IP Addr: 192.168.52.102

Related Commands

Command                Description
ctl-file (global)      Specifies the CTL instance to create for the phone proxy or parses the CTL file stored in Flash memory.
ctl-file (phone-proxy) Specifies the CTL instance to use when configuring the phone proxy.
phone proxy            Configures the Phone Proxy instance.

show cts environment-data

To show the health and status of the environment data refresh operation on the ASA for Cisco TrustSec, use the show cts environment-data command in privileged EXEC mode.

show cts environment-data

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

                 Firewall Mode        Security Context
                                              Multiple
Command Mode     Routed  Transparent  Single  Context  System
Privileged EXEC  Yes     Yes          Yes     Yes      —

Command History

Release  Modification
9.0(1)   This command was added.

Usage Guidelines

This command is not supported on a standby device in a failover configuration. If you enter this command on a standby device, the following error message appears:

ERROR: This command is only permitted on the active device.

This command is only supported on the master unit in a clustering configuration. If you enter this command on a slave unit, the following error message appears:

This command is only permitted on the master device.
Examples

The following is sample output from the show cts environment-data command:

ciscoasa# show cts environment-data
CTS Environment Data
====================
Status:                     Active
Last download attempt:      Successful
Environment Data Lifetime:  1200 secs
Last update time:           18:12:07 EST Feb 27 2012
Env-data expires in:        0:00:12:24 (dd:hr:mm:sec)
Env-data refreshes in:      0:00:02:24 (dd:hr:mm:sec)

Related Commands

Commands                 Description
show running-config cts  Shows the SXP connections for the running configuration.
show cts pac             Shows the components on the PAC.

show cts environment-data sg-table

To show the resident security group table on the ASA for Cisco TrustSec, use the show cts environment-data sg-table command in privileged EXEC mode.

show cts environment-data sg-table

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

                 Firewall Mode        Security Context
                                              Multiple
Command Mode     Routed  Transparent  Single  Context  System
Privileged EXEC  Yes     Yes          Yes     Yes      —

Command History

Release  Modification
9.0(1)   This command was added.

Usage Guidelines

This command is not supported on a standby device in a failover configuration. If you enter this command on a standby device, the following error message appears:

ERROR: This command is only permitted on the active device.

This command is only supported on the master unit in a clustering configuration. If you enter this command on a slave unit, the following error message appears:

This command is only permitted on the master device.
Examples

The following is sample output from the show cts environment-data sg-table command:

ciscoasa# show cts environment-data sg-table
Security Group Table:
Valid until: 18:32:07 EST Feb 27 2012
Showing 9 of 9 entries

SG Name      SG Tag  Type
-------      ------  ------------
ANY          65535   unicast
ExampleSG1   2       unicast
ExampleSG13  14      unicast
ExampleSG14  15      unicast
ExampleSG15  16      unicast
ExampleSG16  17      unicast
ExampleSG17  18      unicast
ExampleSG18  19      unicast
Unknown      0       unicast

Related Commands

Commands                 Description
show running-config cts  Shows the SXP connections for the running configuration.
show cts pac             Shows the components on the PAC.

show cts pac

To show the components of the Protected Access Credential (PAC) on the ASA for Cisco TrustSec, use the show cts pac command in privileged EXEC mode.

show cts pac

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

                 Firewall Mode        Security Context
                                              Multiple
Command Mode     Routed  Transparent  Single  Context  System
Privileged EXEC  Yes     Yes          Yes     Yes      —

Command History

Release  Modification
9.0(1)   This command was added.

Usage Guidelines

The show cts pac command displays PAC information, including the expiration time. The expiration time is important because the ASA cannot retrieve security group table updates after the PAC lifetime lapses. The administrator must request and install a new PAC before the old one expires to maintain synchronization with the security group table on the Identity Services Engine.

This command is not supported on a standby device in a failover configuration. If you enter this command on a standby device, the following error message appears:

ERROR: This command is only permitted on the active device.

This command is only supported on the master unit in a clustering configuration. If you enter this command on a slave unit, the following error message appears:

This command is only permitted on the master device.

Examples

The following is sample output from the show cts pac command:

ciscoasa# show cts pac
PAC-Info:
  Valid until: Jul 28 2012 08:03:23
  AID: 6499578bc0240a3d8bd6591127ab270c
  I-ID: BrianASA36
  A-ID-Info: Identity Services Engine
  PAC-type: Cisco Trustsec
PAC-Opaque:
  000200b000030001000400106499578bc0240a3d8bd6591127ab270c00060094000301
  00d75a3f2293ff3b1310803b9967540ff7000000134e2d2deb00093a803d227383e2b9
  7db59ed2eeac4e469fcb1eeb0ac2dd84e76e13342a4c2f1081c06d493e192616d43611
  8ff93d2af9b9135bb95127e8b9989db36cf1667b4fe6c284e220c11e1f7dbab91721d1
  00e9f47231078288dab83a342ce176ed2410f1249780882a147cc087942f52238fc9b4
  09100e1758

Related Commands

Commands                 Description
show running-config cts  Shows the SXP connections for the running configuration.
show cts environment     Shows the health and status of the environment data refresh operation.

show cts sgt-map

To show the IP address-security group table manager entries in the control path, use the show cts sgt-map command in privileged EXEC mode.

show cts sgt-map [sgt sgt] [address ipv4[/mask] | address ipv6 [/prefix] | ipv4 | ipv6] [name] [brief | detail]

Syntax Description

address {ipv4[/mask] | ipv6[/prefix]}  Shows only IP address-security group table mapping for the specific IPv4 or IPv6 address. Include an IPv4 subnet mask or IPv6 prefix to see the mapping for a network.
brief                                  Shows the IP address-security group table mapping summary.
detail                                 Shows the IP address-security group table mapping.
ipv4                                   Shows the IPv4 address-security group table mapping. By default, only the IPv4 address-security group table mapping is displayed.
ipv6                                   Shows the IPv6 address-security group table mapping.
name                                   Shows IP address-security group table mapping with the matched security group name.
sgt sgt                                Shows only IP address-security group table mapping with the matched security group table.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

                 Firewall Mode        Security Context
                                              Multiple
Command Mode     Routed  Transparent  Single  Context  System
Privileged EXEC  Yes     Yes          Yes     Yes      —

Command History

Release  Modification
9.0(1)   The command was added.
9.3(1)   The output was updated to include IP-SGT binding information from the “CLI-HI” source, which is populated by the cts role-based sgt-map command.
9.6(1)   The ability to show network mappings was added.

Usage Guidelines

This command displays the IP address-security group table manager entries in the control path.

Examples

The following is sample output from the show cts sgt-map command:

ciscoasa# show cts sgt-map
Active IP-SGT Bindings Information
IP Address               SGT   Source
============================================
1.1.1.1                  7     CLI-HI
10.10.10.1               7     CLI-HI
10.10.10.10              3     LOCAL
10.10.100.1              7     CLI-HI
198.26.208.31            7     SXP
IP-SGT Active Bindings Summary
============================================
Total number of LOCAL bindings = 1
Total number of CLI-HI bindings = 3
Total number of SXP bindings = 1
Total number of active bindings = 5

The following is sample output from the show cts sgt-map command with some network bindings:
ciscoasa# show cts sgt-map
Active IP-SGT Bindings Information
IP Address               SGT   Source
============================================
10.1.1.1                 7     CLI-HI
10.252.10.0/24           7     CLI-HI
10.252.10.10             3     LOCAL
10.252.100.1             7     CLI-HI
172.26.0.0/16            7     SXP
IP-SGT Active Bindings Summary
============================================
Total number of LOCAL bindings = 1
Total number of CLI-HI bindings = 3
Total number of SXP bindings = 1
Total number of active bindings = 5

The following is sample output from the show cts sgt-map ipv6 command:

ciscoasa# show cts sgt-map ipv6
Active IP-SGT Bindings Information
IP Address                          SGT   Source
============================================================
3330::1                             17    SXP
FE80::A8BB:CCFF:FE00:110            17    SXP
IP-SGT Active Bindings Summary
============================================
Total number of SXP bindings = 2
Total number of active bindings = 2

The following is sample output from the show cts sgt-map ipv6 detail command:

ciscoasa# show cts sgt-map ipv6 detail
Active IP-SGT Bindings Information
IP Address                  Security Group                        Source
=========================================================================
3330::1                     2345                                  SXP
1280::A8BB:CCFF:FE00:110    Security Tech Business Unit(12345)    SXP
IP-SGT Active Bindings Summary
===================================
Total number of SXP bindings = 2
Total number of active bindings = 2

The following is sample output from the show cts sgt-map ipv6 brief command:

ciscoasa# show cts sgt-map ipv6 brief
Active IP-SGT Bindings Information
IP-SGT Active Bindings Summary
====================================
Total number of SXP bindings = 2
Total number of active bindings = 2

The following is sample output from the show cts sgt-map address command:

ciscoasa# show cts sgt-map address 10.10.10.5
Active IP-SGT Bindings Information
IP Address               SGT    Source
============================================================
10.10.10.5               1234   SXP
IP-SGT Active Bindings Summary
============================================
Total number of SXP bindings = 1
Total number of active bindings = 1

Related Commands

Command                  Description
show running-config cts  Shows the SXP connections for the running configuration.
show cts environment     Shows the health and status of the environment data refresh operation.

show cts sxp connections

To show the Security eXchange Protocol (SXP) connections on the ASA, use the show cts sxp connections command in privileged EXEC mode.

show cts sxp connections [peer peer addr] [local local addr] [ipv4 | ipv6] [status {on | off | delete-hold-down | pending-on}] [mode {speaker | listener}] [brief]

Syntax Description

brief             (Optional) Shows the SXP connection summary.
delete-hold-down  (Optional) The TCP connection was terminated (TCP is down) when it was in the ON state. Only an ASA configured in listener mode can be in this state.
ipv4              (Optional) Shows SXP connections with IPv4 addresses.
ipv6              (Optional) Shows SXP connections with IPv6 addresses.
listener          (Optional) Shows the ASA configured in listener mode.
local local addr  (Optional) Shows SXP connections with the matched local IP addresses.
mode              (Optional) Shows SXP connections with the matched mode.
off               (Optional) The TCP connection has not been initiated. The ASA retries the TCP connection only in this state.
on                (Optional) An SXP OPEN or SXP OPEN RESP message has been received. The SXP connection has been successfully established. The ASA only exchanges SXP messages in this state.
peer peer addr    (Optional) Shows SXP connections with the matched peer IP addresses.
pending-on        (Optional) An SXP OPEN message has been sent to the peer; the response from the peer is being awaited.
speaker           (Optional) Shows the ASA configured in speaker mode.
status            (Optional) Shows SXP connections with the matched status.

Defaults

No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                      Firewall Mode            Security Context
                                                        Multiple
Command Mode          Routed   Transparent     Single   Context   System
Privileged EXEC       Yes      Yes             Yes      Yes       —

Command History
Release   Modification
9.0(1)    The command was added.

Usage Guidelines
The SXP states change under the following conditions:
• If the SXP listener drops its SXP connection because its peer unconfigures SXP or disables SXP, the SXP listener moves to the OFF state.
• If the SXP listener drops its SXP connection because its peer crashes or has its interface shut down, the SXP listener moves to the DELETE_HOLD_DOWN state.
• The SXP speaker moves to the OFF state when either of the first two conditions occurs.

This command is not supported on a standby device in a failover configuration. If you enter this command on a standby device, the following error message appears:

ERROR: This command is only permitted on the active device.

This command is only supported on the master unit in a clustering configuration. If you enter this command on a slave unit, the following error message appears:

This command is only permitted on the master device.
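One way to act on this state information from a script, as an added example that is not code from this reference: the Python below parses the key/value output of show cts sxp connections (the Examples section that follows shows the layout) and reports two things a practitioner cares about. First, any peer whose TCP connection password is None, or Default while no default password is set, because the ASA then accepts IP-SGT bindings over an unauthenticated TCP session. Second, any connection that is not in the ON state, explained with the state definitions given above. The sample text is constructed from the reference output, with peer 3.3.3.1 changed to a dropped, password-less connection so that both checks fire; the regular expressions assume the column layout shown here.

```python
"""Audit 'show cts sxp connections' output for unauthenticated or unhealthy SXP peerings.

Added example; not code from the Cisco ASA command reference. It assumes the
'Key : Value' layout and the dashed separator between connection blocks shown
in the reference's sample output. SAMPLE is constructed from that output.
"""
import re

# State meanings as documented for the status keyword (normalized to the
# keyword spelling: off, pending-on, delete-hold-down).
STATE_MEANING = {
    "off": "TCP connection not initiated; the ASA retries only in this state",
    "pending-on": "SXP OPEN sent, waiting for the peer's response",
    "delete-hold-down": "TCP connection dropped while ON (listener side only)",
}

SEPARATOR = re.compile(r"^-{5,}\s*$")
# The key runs up to the first colon, so IPv6 values keep their colons.
KEY_VALUE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")

# Constructed sample: the reference output with peer 3.3.3.1 changed to a
# dropped, password-less connection so that both checks fire.
SAMPLE = """\
SXP                                  : Enabled
Highest version                      : 2
Default password                     : Set
Default local IP                     : Not Set
Total number of SXP connections      : 3
---------------------------------------------
Peer IP                   : 2.2.2.1
Local IP                  : 2.2.2.2
Conn status               : On
Local mode                : Listener
TCP conn password         : Default
Duration since last state change: 0:00:01:25 (dd:hr:mm:sec)
---------------------------------------------
Peer IP                   : 3.3.3.1
Local IP                  : 3.3.3.2
Conn status               : Delete_Hold_Down
Local mode                : Listener
TCP conn password         : None
---------------------------------------------
Peer IP                   : 4.4.4.1
Local IP                  : 4.4.4.2
Conn status               : On
Local mode                : Speaker
TCP conn password         : Set
"""


def parse_sxp_connections(text):
    """Split the output into the global header dict and one dict per connection."""
    sections = [{}]
    for line in text.splitlines():
        if SEPARATOR.match(line):
            sections.append({})
            continue
        match = KEY_VALUE.match(line)
        if match:
            sections[-1][match.group("key")] = match.group("value")
    return sections[0], [s for s in sections[1:] if s]


def audit_sxp(text):
    """Return human-readable findings; an empty list means every peering is authenticated and ON."""
    header, connections = parse_sxp_connections(text)
    findings = []
    if header.get("SXP", "").lower() != "enabled":
        findings.append("SXP is not enabled on this ASA")
    default_password_set = header.get("Default password", "").lower() == "set"
    for conn in connections:
        peer = conn.get("Peer IP", "?")
        password = conn.get("TCP conn password", "None").lower()
        # 'Default' is only as good as the global default password.
        if password == "none" or (password == "default" and not default_password_set):
            findings.append(f"{peer}: SXP TCP connection has no password; bindings from this peer are unauthenticated")
        status = conn.get("Conn status", "").lower().replace("_", "-").replace(" ", "-")
        if status != "on":
            meaning = STATE_MEANING.get(status, "unknown state")
            findings.append(f"{peer}: connection status {conn.get('Conn status')} ({meaning})")
    return findings


if __name__ == "__main__":
    for finding in audit_sxp(SAMPLE):
        print(finding)
```

Run it against the saved output of show cts sxp connections from each ASA; a peer that is ON but password-less is the finding to chase first, since nothing else in the output distinguishes it from an authenticated one.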
Examples
The following is sample output from the show cts sxp connections command:

ciscoasa# show cts sxp connections
SXP                                  : Enabled
Highest version                      : 2
Default password                     : Set
Default local IP                     : Not Set
Reconcile period                     : 120 secs
Retry open period                    : 10 secs
Retry open timer                     : Not Running
Total number of SXP connections      : 3
Total number of SXP connection shown : 3
---------------------------------------------
Peer IP                   : 2.2.2.1
Local IP                  : 2.2.2.2
Conn status               : On
Local mode                : Listener
Ins number                : 1
TCP conn password         : Default
Delete hold down timer    : Not Running
Reconciliation timer      : Not Running
Duration since last state change: 0:00:01:25 (dd:hr:mm:sec)
---------------------------------------------
Peer IP                   : 3.3.3.1
Local IP                  : 3.3.3.2
Conn status               : On
Local mode                : Listener
Ins number                : 2
TCP conn password         : None
Delete hold down timer    : Not Running
Reconciliation timer      : Not Running
Duration since last state change: 0:01:02:20 (dd:hr:mm:sec)
---------------------------------------------
Peer IP                   : 4.4.4.1
Local IP                  : 4.4.4.2
Conn status               : On
Local mode                : Speaker
Ins number                : 1
TCP conn password         : Set
Delete hold down timer    : Not Running
Reconciliation timer      : Not Running
Duration since last state change: 0:03:01:20 (dd:hr:mm:sec)

Related Commands
Command                    Description
show running-config cts    Shows the SXP connections for the running configuration.
show cts environment       Shows the health and status of the environment data refresh operation.

show cts sxp sgt-map

To show the current IP address-security group table mapping database entries in the Security eXchange Protocol (SXP) module on the ASA for Cisco TrustSec, use the show cts sxp sgt-map command in privileged EXEC mode.
show cts sxp sgt-map [peer peer_addr] [sgt sgt] [address ipv4[/mask] | address ipv6[/prefix] | ipv4 | ipv6] [name] [brief | detail] [status]

Syntax Description
address {ipv4[/mask] | ipv6[/prefix]}   Shows only the IP address-security group table mapping for the specified IPv4 or IPv6 address. Include an IPv4 subnet mask or IPv6 prefix to see the mapping for a network.
brief               Shows the IP address-security group table mapping summary.
detail              Shows the security group table information. If a security group name is not available, only the security group table value is displayed, without the brackets.
ipv4                Shows the IP address-security group table mapping with IPv4 addresses. By default, only the mapping with IPv4 addresses is displayed.
ipv6                Shows the IP address-security group table mapping with IPv6 addresses.
name                Shows the IP address-security group table mapping with the matching security group name.
peer peer_addr      Shows only the IP address-security group table mapping with the matching peer IP address.
sgt sgt             Shows only the IP address-security group table mapping with the matching security group table.
status              Shows active or inactive mapped entries.

Defaults
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:

                      Firewall Mode            Security Context
                                                        Multiple
Command Mode          Routed   Transparent     Single   Context   System
Privileged EXEC       Yes      Yes             Yes      Yes       —

Command History
Release   Modification
9.0(1)    The command was added.
9.6(1)    The ability to show network mappings was added.

Usage Guidelines
This command displays the active IP address-security group table mapped entries consolidated from SXP.

This command is not supported on a standby device in a failover configuration. In a cluster, enter the command on the master unit.
Examples
The following is sample output from the show cts sxp sgt-map command:

ciscoasa# show cts sxp sgt-map
Total number of IP-SGT mappings : 3

SGT     : 7
IPv4    : 2.2.2.1
Peer IP : 2.2.2.1
Ins Num : 1

SGT     : 7
IPv4    : 2.2.2.0
Peer IP : 3.3.3.1
Ins Num : 1

SGT     : 7
IPv6    : FE80::A8BB:CCFF:FE00:110
Peer IP : 2.2.2.1
Ins Num : 1

The following is sample output from the show cts sxp sgt-map detail command:

ciscoasa# show cts sxp sgt-map detail
Total number of IP-SGT mappings : 3

SGT     : STBU(7)
IPv4    : 2.2.2.1
Peer IP : 2.2.2.1
Ins Num : 1
Status  : Active

SGT     : STBU(7)
IPv4    : 2.2.2.0
Peer IP : 3.3.3.1
Ins Num : 1
Status  : Inactive

SGT     : 6
IPv6    : 1234::A8BB:CCFF:FE00:110
Peer IP : 2.2.2.1
Ins Num : 1
Status  : Active

The following is sample output from the show cts sxp sgt-map brief command. Some mappings are to networks.

ciscoasa# show cts sxp sgt-map brief
Total number of IP-SGT mappings : 3
SGT, IPv4: 7, 2.2.2.0/24
SGT, IPv4: 7, 3.3.3.3
SGT, IPv6: 7, FE80::0/64

Related Commands
Command                    Description
show running-config cts    Shows the SXP connections for the running configuration.
show cts environment       Shows the health and status of the environment data refresh operation.

show curpriv

To display the current user privileges, use the show curpriv command:

show curpriv

Syntax Description
This command has no arguments or keywords.

Defaults
No default behaviors or values.

Command Modes
The following table shows the modes in which you can enter the command:

                      Firewall Mode            Security Context
                                                        Multiple
Command Mode          Routed   Transparent     Single   Context   System
Global configuration  Yes      Yes             —        —         Yes
Privileged EXEC       Yes      Yes             —        —         Yes
User EXEC             Yes      Yes             —        —         Yes

Command History
Release   Modification
7.0(1)    Modified to conform to CLI guidelines.

Usage Guidelines
The show curpriv command displays the current privilege level.
Lower privilege level numbers indicate lower privilege levels.

Examples
These examples show output from the show curpriv command when a user named enable_15 is at different privilege levels. The username indicates the name that the user entered when the user logged in. P_PRIV indicates that the user has entered the enable command. P_CONF indicates that the user has entered the config terminal command.

ciscoasa(config)# show curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV P_CONF
ciscoasa(config)# exit
ciscoasa# show curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV
ciscoasa# exit
ciscoasa> show curpriv
Username : enable_1
Current privilege level : 1
Current Mode/s : P_UNPR
ciscoasa>

The following example shows a known behavior. When you are in enable mode and then enter disable mode, the initially logged-in username is replaced with enable_1:

ciscoasa(config)# show curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV P_CONF
ciscoasa(config)# exit
ciscoasa# show curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV
ciscoasa# exit
Logoff
Type help or '?' for a list of available commands.
ciscoasa> show curpriv
Username : enable_1
Current privilege level : 1
Current Mode/s : P_UNPR
ciscoasa>

Related Commands
Command                          Description
clear configure privilege        Removes privilege command statements from the configuration.
show running-config privilege    Displays privilege levels for commands.

CHAPTER 6
show ddns update interface through show event manager Commands

show ddns update interface

To display the DDNS methods assigned to ASA interfaces, use the show ddns update interface command in privileged EXEC mode.
show ddns update interface [interface-name]

Syntax Description
interface-name    (Optional) The name of a network interface.

Defaults
Omitting the interface-name string displays the DDNS method assigned to each interface.

Command Modes
The following table shows the modes in which you can enter the command:

                      Firewall Mode            Security Context
                                                        Multiple
Command Mode          Routed   Transparent     Single   Context   System
Privileged EXEC       Yes      —               Yes      Yes       —

Command History
Release   Modification
7.2(1)    This command was added.

Examples
The following example displays the DDNS method assigned to the inside interface:

ciscoasa# show ddns update interface inside
Dynamic DNS Update on inside:
    Update Method Name        Update Destination
    ddns-2                    not available
ciscoasa#

Related Commands
Command                                      Description
ddns (DDNS-update-method mode)               Specifies a DDNS update method type for a created DDNS method.
ddns update (interface config mode)          Associates an ASA interface with a DDNS update method or a DDNS update hostname.
ddns update method (global config mode)      Creates a method for dynamically updating DNS resource records.
show ddns update method                      Displays the type and interval for each configured DDNS method.
a DHCP server to perform DDNS updates.
show running-config ddns                     Displays the type and interval of all configured DDNS methods in the running configuration.

show ddns update method

To display the DDNS update methods in the running configuration, use the show ddns update method command in privileged EXEC mode.

show ddns update method [method-name]

Syntax Description
method-name    (Optional) The name of a configured DDNS update method.

Defaults
Omitting the method-name string displays all configured DDNS update methods.

Command Modes
The following table shows the modes in which you can enter the command:
                      Firewall Mode            Security Context
                                                        Multiple
Command Mode          Routed   Transparent     Single   Context   System
Privileged EXEC       Yes      —               Yes      Yes       —

Command History
Release   Modification
7.2(1)    This command was added.

Examples
The following example displays the DDNS method named ddns-2:

ciscoasa(config)# show ddns update method ddns-2
Dynamic DNS Update Method: ddns-2
  IETF standardized Dynamic DNS 'A' and 'PTR' records update
  Maximum update interval: 0 days 0 hours 10 minutes 0 seconds
ciscoasa(config)#

Related Commands
Command                                      Description
ddns (DDNS-update-method mode)               Specifies a DDNS update method type for a created DDNS method.
ddns update (interface config mode)          Associates an ASA interface with a Dynamic DNS (DDNS) update method or a DDNS update hostname.
ddns update method (global config mode)      Creates a method for dynamically updating DNS resource records.
show ddns update interface                   Displays the interfaces associated with each configured DDNS method.
show running-config ddns                     Displays the type and interval of all configured DDNS methods in the running configuration.

show debug

To show the current debugging configuration, use the show debug command.

show debug [command [keywords]]

Syntax Description
command     (Optional) Specifies the debug command whose current configuration you want to view.
keywords    (Optional) For each command, the keywords following the command are identical to the keywords supported by the associated debug command.

Defaults
This command has no default settings.

Command Modes
The following table shows the modes in which you can enter the command.

                      Firewall Mode            Security Context
                                                        Multiple
Command Mode          Routed   Transparent     Single   Context   System
Privileged EXEC       Yes      Yes             Yes      Yes       Yes

Command History
Release   Modification
7.0(1)    This command was added.
8.0(2)    The eigrp keyword was added to the list of possible command values.
8.4(1)    The route keyword was added to the list of possible command values.
9.2(1)    The event manager keyword was added to the list of possible command values.
9.5(2)    The output was modified to include any debug persistent settings.
9.5(2)    The ability to show debug logs by filtering, based on the filter condition sets, was added.

Usage Guidelines
Note: For each command, the keywords following the command are identical to the keywords supported by the associated debug command. For information about the supported syntax, see the associated debug command. The availability of each command depends on the command modes that support the applicable debug command.

The valid command values are as follows:
• aaa
• appfw
• arp
• asdm
• context
• crypto
• ctiqbe
• ctm
• cxsc
• dhcpc
• dhcpd
• dhcprelay
• disk
• dns
• eigrp
• email
• entity
• event manager
• fixup
• fover
• fsm
• ftp
• generic
• gtp
• h323
• http
• http-map
• icmp
• igmp
• ils
• imagemgr
• ipsec-over-tcp
• ipv6
• iua-proxy
• kerberos
• ldap
• mfib
• mgcp
• mmp
• mrib
• ntdomain
• ntp
• ospf
• parser
• pim
• pix
• pptp
• radius
• rip
• route
• rtsp
• sdi
• sequence
• sfr
• sip
• skinny
• smtp
• sqlnet
• ssh
• ssl
• sunrpc
• tacacs
• timestamps
• vpn-sessiondb
• webvpn
• xdmcp
• xml

Examples
You can use the show debug command to view all debugging configurations, the debugging configuration for a specific feature, or the debugging configuration for a portion of a feature.
The following commands enable debugging for authentication, accounting, and flash memory, and then show the resulting configuration:

ciscoasa# debug aaa authentication
debug aaa authentication enabled at level 1
ciscoasa# debug aaa accounting
debug aaa accounting enabled at level 1
ciscoasa# debug disk filesystem
debug disk filesystem enabled at level 1
ciscoasa# show debug
debug aaa authentication enabled at level 1
debug aaa accounting enabled at level 1
debug disk filesystem enabled at level 1
ciscoasa# show debug aaa
debug aaa authentication enabled at level 1
debug aaa authorization is disabled.
debug aaa accounting enabled at level 1
debug aaa internal is disabled.
debug aaa vpn is disabled.
ciscoasa# show debug aaa accounting
debug aaa accounting enabled at level 1
ciscoasa#

Related Commands
Command    Description
debug      Displays all debug commands.

show dhcpd

To view DHCP binding, state, and statistical information, use the show dhcpd command in privileged EXEC or global configuration mode.

show dhcpd {binding [IP_address] | state | statistics}

Syntax Description
binding       Displays binding information for a given server IP address and its associated client hardware address and lease length.
IP_address    Shows the binding information for the specified IP address.
state         Displays the state of the DHCP server, such as whether it is enabled in the current context and whether it is enabled on each of the interfaces.
statistics    Displays statistical information, such as the number of address pools, bindings, expired bindings, malformed messages, sent messages, and received messages.

Defaults
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:

                      Firewall Mode            Security Context
                                                        Multiple
Command Mode          Routed   Transparent     Single   Context   System
Privileged EXEC       Yes      Yes             Yes      Yes       —

Command History
Release   Modification
7.0(1)    This command was added.
Usage Guidelines
If you include the optional IP address in the show dhcpd binding command, only the binding for that IP address is shown.

The show dhcpd binding | state | statistics commands are also available in global configuration mode.

Examples
The following is sample output from the show dhcpd binding command:

ciscoasa# show dhcpd binding
IP Address     Client-id             Lease Expiration    Type
10.0.1.100     0100.a0c9.868e.43     84985 seconds       automatic

The following is sample output from the show dhcpd state command:

ciscoasa# show dhcpd state
Context Not Configured for DHCP
Interface outside, Not Configured for DHCP
Interface inside, Not Configured for DHCP

The following is sample output from the show dhcpd statistics command:

ciscoasa# show dhcpd statistics
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0

Address pools         1
Automatic bindings    1
Expired bindings      1
Malformed messages    0

Message         Received
BOOTREQUEST     0
DHCPDISCOVER    1
DHCPREQUEST     2
DHCPDECLINE     0
DHCPRELEASE     0
DHCPINFORM      0

Message         Sent
BOOTREPLY       0
DHCPOFFER       1
DHCPACK         1
DHCPNAK         1

Related Commands
Command                       Description
clear configure dhcpd         Removes all DHCP server settings.
clear dhcpd                   Clears the DHCP server bindings and statistic counters.
dhcpd lease                   Defines the lease length for DHCP information granted to clients.
show running-config dhcpd     Displays the current DHCP server configuration.

show dhcprelay state

To view the state of the DHCP relay agent, use the show dhcprelay state command in privileged EXEC or global configuration mode.

show dhcprelay state

Syntax Description
This command has no arguments or keywords.

Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                      Firewall Mode            Security Context
                                                        Multiple
Command Mode          Routed   Transparent     Single   Context   System
Privileged EXEC       Yes      —               Yes      Yes       —

Command History
Release   Modification
7.0(1)    This command was added.

Usage Guidelines
This command displays the DHCP relay agent state information for the current context and each interface.

Examples
The following is sample output from the show dhcprelay state command:

ciscoasa# show dhcprelay state
Context Configured as DHCP Relay
Interface outside, Not Configured for DHCP
Interface infrastructure, Configured for DHCP RELAY SERVER
Interface inside, Configured for DHCP RELAY

Related Commands
Command                         Description
show dhcpd                      Displays DHCP server statistics and state information.
show dhcprelay statistics       Displays the DHCP relay statistics.
show running-config dhcprelay   Displays the current DHCP relay agent configuration.

show dhcprelay statistics

To display the DHCP relay statistics, use the show dhcprelay statistics command in privileged EXEC mode.

show dhcprelay statistics

Syntax Description
This command has no arguments or keywords.

Defaults
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:

                      Firewall Mode            Security Context
                                                        Multiple
Command Mode          Routed   Transparent     Single   Context   System
Privileged EXEC       Yes      —               Yes      Yes       —

Command History
Release   Modification
7.0(1)    This command was added.

Usage Guidelines
The counters in the output of the show dhcprelay statistics command keep increasing until you enter the clear dhcprelay statistics command.
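Because these counters only grow until they are cleared, the useful signal is the difference between two snapshots taken some time apart. As an added example that is not code from this reference, the Python below parses the counter rows of show dhcprelay statistics (the same row shape that show dhcpd statistics uses for its Received and Sent tables) and diffs two snapshots to flag relay trouble: UDP unreachable errors, DISCOVERs relayed with no OFFERs coming back, or NAKs at or above the ACK count. The BEFORE text is the sample in the Examples section that follows; the AFTER snapshot is constructed to show a server that stopped answering.

```python
"""Parse and diff ASA 'show dhcprelay statistics' / 'show dhcpd statistics' counters.

Added example; not code from the Cisco ASA command reference. It assumes the
'MESSAGE   count' rows and 'DHCP ... Errors: n' lines shown in the reference's
sample output. BEFORE is that sample; AFTER is a constructed later snapshot.
"""
import re

MESSAGE_ROW = re.compile(r"^\s*(?P<name>BOOT[A-Z]+|DHCP[A-Z]+)\s+(?P<count>\d+)\s*$")
ERROR_ROW = re.compile(r"^\s*(?P<name>DHCP .*Errors):\s*(?P<count>\d+)\s*$")

BEFORE = """\
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0

Packets Relayed
BOOTREQUEST          0
DHCPDISCOVER         7
DHCPREQUEST          3
DHCPDECLINE          0
DHCPRELEASE          0
DHCPINFORM           0

BOOTREPLY            0
DHCPOFFER            7
DHCPACK              3
DHCPNAK              0
"""

# Constructed: twelve more DISCOVERs were relayed but no OFFER came back,
# and the relay target started answering with ICMP port unreachable.
AFTER = """\
DHCP UDP Unreachable Errors: 2
DHCP Other UDP Errors: 0

Packets Relayed
BOOTREQUEST          0
DHCPDISCOVER        19
DHCPREQUEST          3
DHCPDECLINE          0
DHCPRELEASE          0
DHCPINFORM           0

BOOTREPLY            0
DHCPOFFER            7
DHCPACK              3
DHCPNAK              0
"""


def parse_dhcp_counters(text):
    """Map each counter name (message type or error line) to its integer value."""
    counters = {}
    for line in text.splitlines():
        match = MESSAGE_ROW.match(line) or ERROR_ROW.match(line)
        if match:
            counters[match.group("name")] = int(match.group("count"))
    return counters


def delta(before, after):
    """Per-counter increase between two snapshots; a negative value means the counters were cleared."""
    return {name: after.get(name, 0) - before.get(name, 0) for name in set(before) | set(after)}


def anomalies(change):
    """Conditions in a counter delta that deserve a look."""
    findings = []
    if any(value < 0 for value in change.values()):
        findings.append("a counter decreased: statistics were cleared between snapshots")
        return findings
    if change.get("DHCP UDP Unreachable Errors", 0) > 0:
        findings.append("UDP unreachable errors: the relay target or a client port is not answering")
    if change.get("DHCPDISCOVER", 0) > 0 and change.get("DHCPOFFER", 0) == 0:
        findings.append("DISCOVERs relayed but no OFFERs returned: the DHCP server is unreachable or silent")
    if change.get("DHCPNAK", 0) > 0 and change.get("DHCPNAK", 0) >= change.get("DHCPACK", 0):
        findings.append("NAKs at or above ACKs: clients are being refused leases")
    return findings


if __name__ == "__main__":
    for finding in anomalies(delta(parse_dhcp_counters(BEFORE), parse_dhcp_counters(AFTER))):
        print(finding)
```

Collect the output on a schedule and feed consecutive captures to delta(); the early return on a negative delta keeps a clear dhcprelay statistics between captures from being misread as a burst of traffic.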
Examples
The following shows sample output for the show dhcprelay statistics command:

ciscoasa# show dhcprelay statistics
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0

Packets Relayed
BOOTREQUEST          0
DHCPDISCOVER         7
DHCPREQUEST          3
DHCPDECLINE          0
DHCPRELEASE          0
DHCPINFORM           0

BOOTREPLY            0
DHCPOFFER            7
DHCPACK              3
DHCPNAK              0
ciscoasa#

Related Commands
Command                         Description
clear configure dhcprelay       Removes all DHCP relay agent settings.
clear dhcprelay statistics      Clears the DHCP relay agent statistic counters.
debug dhcprelay                 Displays debug information for the DHCP relay agent.
show dhcprelay state            Displays the state of the DHCP relay agent.
show running-config dhcprelay   Displays the current DHCP relay agent configuration.

show diameter

To display state information for each Diameter connection, use the show diameter command in privileged EXEC mode.

show diameter

Syntax Description
This command has no arguments or keywords.

Defaults
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:

                      Firewall Mode            Security Context
                                                        Multiple
Command Mode          Routed   Transparent     Single   Context   System
Privileged EXEC       Yes      Yes             Yes      Yes       —

Command History
Release   Modification
9.5(2)    This command was added.

Usage Guidelines
To display Diameter connection state information, you must inspect Diameter traffic.

Examples
The following shows sample output for the show diameter command:

ciscoasa# show diameter
Total active diameter sessions: 5
Session 3638
==========
       ref_count: 1 val = .; 1096298391; 2461;
       Protocol   : diameter
       Context id : 0
       From inside:211.1.1.10/45169 to outside:212.1.1.10/3868
...

Related Commands
Command                Description
clear service-policy   Clears service policy statistics.
inspect diameter       Inspects Diameter traffic.
show disk

To display the contents of the flash memory for the ASA only, use the show disk command in privileged EXEC mode.

show disk[0 | 1] [filesys | all | controller]

Syntax Description
0 | 1         Specifies the internal flash memory (0, the default) or the external flash memory (1).
all           Shows the contents of flash memory plus the file system information.
controller    Shows the flash controller model number.
filesys       Shows information about the compact flash card.

Defaults
By default, this command shows the internal flash memory.

Command Modes
The following table shows the modes in which you can enter the command.

                      Firewall Mode            Security Context
                                                        Multiple
Command Mode          Routed   Transparent     Single   Context   System
Privileged EXEC       Yes      Yes             Yes      —         Yes

Command History
Release   Modification
7.0(1)    This command was added.

Examples
The following is sample output from the show disk command:

ciscoasa# show disk
-#-  --length--  -----date/time------  path
11         1301  Feb 21 2005 18:01:34  test.cfg
12         1949  Feb 21 2005 20:13:36  test1.cfg
13         2551  Jan 06 2005 10:07:36  test2.cfg
14       609223  Jan 21 2005 07:14:18  test3.cfg
15         1619  Jul 16 2004 16:06:48  test4.cfg
16         3184  Aug 03 2004 07:07:00  old_running.cfg
17         4787  Mar 04 2005 12:32:18  test5.cfg
20         1792  Jan 21 2005 07:29:24  test6.cfg
21      7765184  Mar 07 2005 19:38:30  test7.cfg
22         1674  Nov 11 2004 02:47:52  test8.cfg
23         1863  Jan 21 2005 07:29:18  test9.cfg
24         1197  Jan 19 2005 08:17:48  test10.cfg
25       608554  Jan 13 2005 06:20:54  backupconfig.cfg
26      5124096  Feb 20 2005 08:49:28  cdisk1
27      5124096  Mar 01 2005 17:59:56  cdisk2
28         2074  Jan 13 2005 08:13:26  test11.cfg
29      5124096  Mar 07 2005 19:56:58  cdisk3
30         1276  Jan 28 2005 08:31:58  lead
31      7756788  Feb 24 2005 12:59:46  asdmfile.dbg
32      7579792  Mar 08 2005 11:06:56  asdmfile1.dbg
33      7764344  Mar 04 2005 12:17:46  asdmfile2.dbg
34      5124096  Feb 24 2005 11:50:50  cdisk4
35        15322  Mar 04 2005 12:30:24  hs_err.log
10170368 bytes available (52711424 bytes used)

The following is sample output from the show disk filesys command:

ciscoasa# show disk filesys
******** Flash Card Geometry/Format Info ********
COMPACT FLASH CARD GEOMETRY
   Number of Heads:          4
   Number of Cylinders     978
   Sectors per Cylinder     32
   Sector Size             512
   Total Sectors        125184
COMPACT FLASH CARD FORMAT
   Number of FAT Sectors    61
   Sectors Per Cluster       8
   Number of Clusters    15352
   Number of Data Sectors 122976
   Base Root Sector        123
   Base FAT Sector           1
   Base Data Sector        155

The following is sample output from the show disk controller command:

ciscoasa# show disk:1 controller
Flash Model: TOSHIBA THNCF064MBA

Related Commands
Command    Description
dir        Displays the directory contents.

show dns

To show the currently resolved DNS addresses for all or specified fully qualified domain name (FQDN) hosts, use the show dns command in privileged EXEC mode.

show dns [host fqdn_name]

Syntax Description
host         (Optional) Limits the output to the specified host.
fqdn_name    (Optional) Specifies the FQDN of the selected host.

Defaults
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:

                      Firewall Mode            Security Context
                                                        Multiple
Command Mode          Routed   Transparent     Single   Context   System
Privileged EXEC       Yes      Yes             Yes      Yes       —

Command History
Release   Modification
7.0(1)    This command was added.

Examples
The following is sample output from the show dns command:

ciscoasa# show dns
Name: www.example1.com
  Address: 10.1.3.1                     TTL 00:03:01
  Address: 10.1.3.3                     TTL 00:00:36
  Address: 10.4.1.2                     TTL 00:01:01
Name: www.example2.com
  Address: 10.2.4.1                     TTL 00:25:13
  Address: 10.5.2.1                     TTL 00:25:01
Name: server.ddns-exampleuser.com
  Address: fe80::21e:8cff:feb5:4faa     TTL 00:00:41
  Address: 10.10.10.2                   TTL 00:25:01

Note: If the FQDN host has not been activated yet, this command shows no output.
The following is sample output from the show dns host command:

ciscoasa# show dns host www.example.com
Name: www.example.com
  Address: 10.1.3.1     TTL 00:03:01
  Address: 10.1.9.5     TTL 00:00:36
  Address: 10.1.1.2     TTL 00:01:01

Related Commands
Command             Description
clear dns-hosts     Clears the DNS cache.
dns domain-lookup   Enables the ASA to perform a name lookup.
dns name-server     Configures a DNS server address.

show dns-hosts

To show the DNS cache, use the show dns-hosts command in privileged EXEC mode. The DNS cache includes dynamically learned entries from a DNS server and manually entered names and IP addresses.

show dns-hosts

Syntax Description
This command has no arguments or keywords.

Defaults
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:

                      Firewall Mode            Security Context
                                                        Multiple
Command Mode          Routed   Transparent     Single   Context   System
Privileged EXEC       Yes      Yes             Yes      Yes       —

Command History
Release   Modification
7.0(1)    This command was added.

Examples
The following is sample output from the show dns-hosts command:

ciscoasa# show dns-hosts
Host                    Flags         Age   Type   Address(es)
ns2.example.com         (temp, OK)    0     IP     10.102.255.44
ns1.example.com         (temp, OK)    0     IP     192.168.241.185
snowmass.example.com    (temp, OK)    0     IP     10.94.146.101
server.example.com      (temp, OK)    0     IP     10.94.146.80

Table 6-1 shows each field description.
Table 6-1    show dns-hosts Fields

Field         Description
Host          Shows the hostname.
Flags         Shows the entry status as a combination of the following:
              • temp—This entry is temporary because it comes from a DNS server. The ASA removes this entry after 72 hours of inactivity.
              • perm—This entry is permanent because it was added with the name command.
              • OK—This entry is valid.
              • ??—This entry is suspect and needs to be revalidated.
              • EX—This entry is expired.
Age           Shows the number of hours since this entry was last referenced.
Type          Shows the type of DNS record; this value is always IP.
Address(es)   The IP addresses.

Related Commands
Command             Description
clear dns-hosts     Clears the DNS cache.
dns domain-lookup   Enables the ASA to perform a name lookup.
dns name-server     Configures a DNS server address.
dns retries         Specifies the number of times to retry the list of DNS servers when the ASA does not receive a response.
dns timeout         Specifies the amount of time to wait before trying the next DNS server.

show dynamic-filter data

To show information about the Botnet Traffic Filter dynamic database, including when the dynamic database was last downloaded, the version of the database, how many entries the database contains, and 10 sample entries, use the show dynamic-filter data command in privileged EXEC mode.

show dynamic-filter data

Syntax Description
This command has no arguments or keywords.

Command Default
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:

                      Firewall Mode            Security Context
                                                        Multiple
Command Mode          Routed   Transparent     Single   Context   System
Global configuration  Yes      Yes             Yes      —         Yes

Command History
Release   Modification
8.2(1)    This command was added.

Usage Guidelines
To view dynamic database information, first enable use and download of the database with the dynamic-filter use-database and dynamic-filter updater-client enable commands.
Examples
The following is sample output from the show dynamic-filter data command:

ciscoasa# show dynamic-filter data
Traffic filter is using downloaded database version '907'
Fetched at 18:00:16 UTC Jan 22 2009, size: 674381
Sample names from downloaded database:
example.com, example.net, example.org, cisco.example, cisco.invalid,
bad.example.com bad.example.net, bad.example.org, bad.cisco.example bad.cisco.invalid
Total entries in Dynamic Filter database:
Dynamic data: 40909 domain names , 1080 IPv4 addresses
Local data: 0 domain names , 0 IPv4 addresses
Active rules in Dynamic Filter asp table:
Dynamic data: 0 domain names , 1080 IPv4 addresses
Local data: 0 domain names , 0 IPv4 addresses

Related Commands
Command                              Description
address                              Adds an IP address to the blacklist or whitelist.
clear configure dynamic-filter       Clears the running Botnet Traffic Filter configuration.
clear dynamic-filter dns-snoop       Clears Botnet Traffic Filter DNS snooping data.
clear dynamic-filter reports         Clears Botnet Traffic Filter report data.
clear dynamic-filter statistics      Clears Botnet Traffic Filter statistics.
dns domain-lookup                    Enables the ASA to send DNS requests to a DNS server to perform a name lookup for supported commands.
dns server-group                     Identifies a DNS server for the ASA.
dynamic-filter ambiguous-is-black    Treats greylisted traffic as blacklisted traffic for action purposes.
dynamic-filter blacklist             Edits the Botnet Traffic Filter blacklist.
dynamic-filter database fetch        Manually retrieves the Botnet Traffic Filter dynamic database.
dynamic-filter database find         Searches the dynamic database for a domain name or IP address.
dynamic-filter database purge        Manually deletes the Botnet Traffic Filter dynamic database.
dynamic-filter drop blacklist        Automatically drops blacklisted traffic.
dynamic-filter enable                Enables the Botnet Traffic Filter for a class of traffic, or for all traffic if you do not specify an access list.
dynamic-filter updater-client enable Enables downloading of the dynamic database.
dynamic-filter use-database          Enables use of the dynamic database.
dynamic-filter whitelist             Edits the Botnet Traffic Filter whitelist.
inspect dns dynamic-filter-snoop     Enables DNS inspection with Botnet Traffic Filter snooping.
name                                 Adds a name to the blacklist or whitelist.
show asp table dynamic-filter        Shows the Botnet Traffic Filter rules that are installed in the accelerated security path.
show dynamic-filter data             Shows information about the dynamic database, including when the dynamic database was last downloaded, the version of the database, how many entries the database contains, and 10 sample entries.
show dynamic-filter reports          Generates reports of the top 10 botnet sites, ports, and infected hosts.
show dynamic-filter statistics       Shows how many connections were monitored with the Botnet Traffic Filter, and how many of those connections match the whitelist, blacklist, and greylist.
show dynamic-filter updater-client   Shows information about the updater server, including the server IP address, the next time the ASA will connect with the server, and the database version last installed.
show running-config dynamic-filter   Shows the Botnet Traffic Filter running configuration.

show dynamic-filter dns-snoop

To show the Botnet Traffic Filter DNS snooping summary, or the actual IP addresses and names, use the show dynamic-filter dns-snoop command in privileged EXEC mode.

show dynamic-filter dns-snoop [detail]

Syntax Description
detail    (Optional) Shows the IP addresses and names snooped from DNS responses.

Command Default
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:

                      Firewall Mode            Security Context
                                                        Multiple
Command Mode          Routed   Transparent     Single   Context   System
Global configuration  Yes      Yes             Yes      Yes       —

Command History
Release   Modification
8.2(1)    This command was added.
Yes • Yes Context • Yes System — All inspected DNS data is included in this output, and not just matching names in the blacklist. DNS data from static entries are not included. To clear the DNS snooping data, enter the clear dynamic-filter dns-snoop command. Examples The following is sample output from the show dynamic-filter dns-snoop command: ciscoasa# show dynamic-filter dns-snoop DNS Reverse Cache Summary Information: 75 addresses, 124 names, 997 dnsrc address buckets The following is sample output from the show dynamic-filter dns-snoop detail command: ciscoasa# show dynamic-filter dns-snoop detail DNS Reverse Cache Summary Information: 75 addresses, 124 names, 997 dnsrc address buckets DNS reverse Cache Information: [10.67.22.34] flags=0x22, cat=2, unit=0 b:g:w=3:0:0, cookie=0xda148218 [www3.example.com] cat=2, ttl=3 [www.bad.example.com] cat=2, ttl=3 [www.example.com] cat=2, ttl=3 [10.6.68.133] flags=0x2, cat=2, unit=0 b:g:w=1:0:0, cookie=0xda13ed60 [cisco.example] cat=2, ttl=73 Cisco ASA Series Command Reference, S Commands 6-22 Chapter [10.166.226.25] flags=0x2, cat=2, unit=0 b:g:w=1:0:0, cookie=0xda608cb8 [cisco.invalid] cat=2, ttl=2 Related Commands Command Description address Adds an IP address to the blacklist or whitelist. clear configure dynamic-filter Clears the running Botnet Traffic Filter configuration. clear dynamic-filter dns-snoop Clears Botnet Traffic Filter DNS snooping data. clear dynamic-filter reports Clears Botnet Traffic filter report data. clear dynamic-filter statistics Clears Botnet Traffic filter statistics. dns domain-lookup Enables the ASA to send DNS requests to a DNS server to perform a name lookup for supported commands. dns server-group Identifies a DNS server for the ASA. dynamic-filter ambiguous-is-black Treats greylisted traffic as blacklisted traffic for action purposes. dynamic-filter blacklist Edits the Botnet Traffic Filter blacklist. 
  dynamic-filter database fetch        Manually retrieves the Botnet Traffic Filter dynamic database.
  dynamic-filter database find         Searches the dynamic database for a domain name or IP address.
  dynamic-filter database purge        Manually deletes the Botnet Traffic Filter dynamic database.
  dynamic-filter drop blacklist        Automatically drops blacklisted traffic.
  dynamic-filter enable                Enables the Botnet Traffic Filter for a class of traffic, or for all traffic if you do not specify an access list.
  dynamic-filter updater-client enable Enables downloading of the dynamic database.
  dynamic-filter use-database          Enables use of the dynamic database.
  dynamic-filter whitelist             Edits the Botnet Traffic Filter whitelist.
  inspect dns dynamic-filter-snoop     Enables DNS inspection with Botnet Traffic Filter snooping.
  name                                 Adds a name to the blacklist or whitelist.
  show asp table dynamic-filter        Shows the Botnet Traffic Filter rules that are installed in the accelerated security path.
  show dynamic-filter data             Shows information about the dynamic database, including when the dynamic database was last downloaded, the version of the database, how many entries the database contains, and 10 sample entries.
  show dynamic-filter reports          Generates reports of the top 10 botnet sites, ports, and infected hosts.
  show dynamic-filter statistics       Shows how many connections were monitored with the Botnet Traffic Filter, and how many of those connections match the whitelist, blacklist, and greylist.
  show dynamic-filter updater-client   Shows information about the updater server, including the server IP address, the next time the ASA will connect with the server, and the database version last installed.
  show running-config dynamic-filter   Shows the Botnet Traffic Filter running configuration.
show dynamic-filter reports infected-hosts

To generate reports about infected hosts classified by the Botnet Traffic Filter, use the show dynamic-filter reports infected-hosts command in privileged EXEC mode.

  show dynamic-filter reports infected-hosts {max-connections | latest-active | highest-threat | subnet ip_address netmask | all}

Syntax Description
  all                         Shows all buffered infected-hosts information. This display might include thousands of entries. You might want to use ASDM to generate a PDF file instead of using the CLI.
  highest-threat              Shows the 20 hosts that connected to the malware sites with the highest threat level.
  latest-active               Shows the 20 hosts with the most recent activity. For each host, the display shows detailed information about 5 visited malware sites.
  max-connections             Shows the 20 infected hosts with the highest number of connections.
  subnet ip_address netmask   Shows up to 20 hosts within the specified subnet.

Command Default
  No default behavior or values.

Command Modes
  The following table shows the modes in which you can enter the command:

                         Firewall Mode           Security Context
                                                         Multiple
  Command Mode           Routed   Transparent   Single   Context   System
  Privileged EXEC        Yes      Yes           Yes      Yes       —

Command History
  Release   Modification
  8.2(2)    This command was added.

Usage Guidelines
  These reports contain detailed history about infected hosts, showing the correlation between infected hosts, visited malware sites, and malware ports.

  To clear the report data, enter the clear dynamic-filter reports infected-hosts command.
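The report this command prints (see the sample output under Examples) is the ASA's own record of which internal hosts contacted which blacklisted sites, which is exactly the pivot an incident responder wants in machine-readable form. The following Python is an added example and is not part of the Cisco reference: it parses a report laid out like the documented output into structured records, answers "which hosts reached this indicator", and flags host/site pairs whose connections were logged but not dropped. The embedded report is constructed to match the documented layout (it was not captured from a device), and the function names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, laid out like the show dynamic-filter reports infected-hosts all
# output documented on this page; it was not captured from a device.
SAMPLE_REPORT = """\
Total 2 infected-hosts in buffer
Host (interface)        Latest malicious conn time, filter action   Conn logged, dropped
====================================================================================
192.168.1.4 (internal)  15:39:40 UTC Sep 17 2009, dropped           3 2
  Malware-sites connected to (not ordered)
  Site                            Latest conn port, time, filter action   Conn logged, dropped  Threat-level  Category
  -----------------------------------------------------------------------------------------------------------------
  10.73.210.27 (bad.example.com)  80, 15:39:31 UTC Sep 17 2009, dropped   2 1  very-high  Malware
  10.65.2.119 (bad2.example.com)   0, 15:39:40 UTC Sep 17 2009, dropped   1 1  very-high  admin-added
====================================================================================
192.168.1.2 (internal)  15:39:01 UTC Sep 17 2009, dropped           5 5
  Malware-sites connected to (not ordered)
  Site                            Latest conn port, time, filter action   Conn logged, dropped  Threat-level  Category
  -----------------------------------------------------------------------------------------------------------------
  10.131.36.158 (bad.example.com)  0, 15:37:46 UTC Sep 17 2009, dropped   1 1  very-high  admin-added
  10.65.2.119 (bad2.example.com)    0, 15:37:53 UTC Sep 17 2009, dropped   1 1  very-high  admin-added
  20.73.210.27 (bad3.example.com)  80, 15:39:01 UTC Sep 17 2009, dropped   3 3  very-high  Malware
====================================================================================
Last clearing of the infected-hosts report: Never
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
STAMP = r"(\d\d:\d\d:\d\d \w+ \w+ \d+ \d{4})"
# Host line: "<ip> (<interface>)  <time>, <action>  <logged> <dropped>"
HOST_RE = re.compile(rf"^{IPV4} \((\S+)\)\s+{STAMP}, (\w+)\s+(\d+)\s+(\d+)$")
# Site line: "<ip> (<name>)  <port>, <time>, <action>  <logged> <dropped>  <threat>  <category>"
SITE_RE = re.compile(rf"^{IPV4} \(([^)]+)\)\s+(\d+), {STAMP}, (\w+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)$")


@dataclass
class MalwareSite:
    ip: str
    name: str
    port: int
    last_conn: str
    action: str
    logged: int
    dropped: int
    threat_level: str
    category: str


@dataclass
class InfectedHost:
    ip: str
    interface: str
    last_conn: str
    action: str
    logged: int
    dropped: int
    sites: list = field(default_factory=list)


def declared_total(report):
    """Number of hosts the report header says are buffered, or None if absent."""
    m = re.search(r"^Total (\d+) infected-hosts in buffer", report, re.M)
    return int(m.group(1)) if m else None


def parse_infected_hosts(report):
    """Walk the report line by line: a host line opens a record, and the indented
    site lines that follow are attached to it until the next host line."""
    hosts, current = [], None
    for raw in report.splitlines():
        line = raw.strip()
        m = SITE_RE.match(line)
        if m and current is not None:
            ip, name, port, when, action, logged, dropped, threat, cat = m.groups()
            current.sites.append(MalwareSite(ip, name, int(port), when, action,
                                             int(logged), int(dropped), threat, cat))
            continue
        m = HOST_RE.match(line)
        if m:
            ip, iface, when, action, logged, dropped = m.groups()
            current = InfectedHost(ip, iface, when, action, int(logged), int(dropped))
            hosts.append(current)
    return hosts


def hosts_reaching(hosts, indicator):
    """IPs of infected hosts that reached the given site IP or name (pivot on an IOC)."""
    return [h.ip for h in hosts if any(indicator in (s.ip, s.name) for s in h.sites)]


def not_dropped(hosts):
    """(host, site) pairs with connections logged but not all dropped: the filter
    saw the traffic but did not block it."""
    return [(h.ip, s.name) for h in hosts for s in h.sites if s.logged > s.dropped]


if __name__ == "__main__":
    hosts = parse_infected_hosts(SAMPLE_REPORT)
    assert declared_total(SAMPLE_REPORT) == len(hosts), "report truncated or layout changed"
    for h in hosts:
        print(f"{h.ip} ({h.interface}): {h.logged} logged, {h.dropped} dropped, "
              f"sites={[s.name for s in h.sites]}")
    print("reached bad2.example.com:", hosts_reaching(hosts, "bad2.example.com"))
    print("logged but not dropped:", not_dropped(hosts))
```

Pipe the output of show dynamic-filter reports infected-hosts all into parse_infected_hosts and compare declared_total with the parsed count first: the all keyword can emit thousands of entries, and a mismatch means the capture was cut off.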
Examples
  The following is sample output from the show dynamic-filter reports infected-hosts all command:

  ciscoasa# show dynamic-filter reports infected-hosts all
  Total 2 infected-hosts in buffer
  Host (interface)          Latest malicious conn time, filter action   Conn logged, dropped
  =======================================================================================
  192.168.1.4 (internal)    15:39:40 UTC Sep 17 2009, dropped           3            3
    Malware-sites connected to (not ordered)
    Site                              Latest conn port, time, filter action   Conn logged, dropped   Threat-level   Category
    -------------------------------------------------------------------------------------------------------------------------
    10.73.210.27 (bad.example.com)    80, 15:39:31 UTC Sep 17 2009, dropped   2            2         very-high      Malware
    10.65.2.119 (bad2.example.com)     0, 15:39:40 UTC Sep 17 2009, dropped   1            1         very-high      admin-added
  =======================================================================================
  192.168.1.2 (internal)    15:39:01 UTC Sep 17 2009, dropped           5            5
    Malware-sites connected to (not ordered)
    Site                              Latest conn port, time, filter action   Conn logged, dropped   Threat-level   Category
    -------------------------------------------------------------------------------------------------------------------------
    10.131.36.158 (bad.example.com)    0, 15:37:46 UTC Sep 17 2009, dropped   1            1         very-high      admin-added
    10.65.2.119 (bad2.example.com)     0, 15:37:53 UTC Sep 17 2009, dropped   1            1         very-high      admin-added
    20.73.210.27 (bad3.example.com)   80, 15:39:01 UTC Sep 17 2009, dropped   3            3         very-high      Malware
  =======================================================================================
  Last clearing of the infected-hosts report: Never

Related Commands
  Command                              Description
  address                              Adds an IP address to the blacklist or whitelist.
  clear configure dynamic-filter       Clears the running Botnet Traffic Filter configuration.
  clear dynamic-filter dns-snoop       Clears Botnet Traffic Filter DNS snooping data.
  clear dynamic-filter reports         Clears Botnet Traffic Filter report data.
  clear dynamic-filter statistics      Clears Botnet Traffic Filter statistics.
  dns domain-lookup                    Enables the ASA to send DNS requests to a DNS server to perform a name lookup for supported commands.
  dns server-group                     Identifies a DNS server for the ASA.
  dynamic-filter ambiguous-is-black    Treats greylisted traffic as blacklisted traffic for action purposes.
  dynamic-filter blacklist             Edits the Botnet Traffic Filter blacklist.
  dynamic-filter database fetch        Manually retrieves the Botnet Traffic Filter dynamic database.
  dynamic-filter database find         Searches the dynamic database for a domain name or IP address.
  dynamic-filter database purge        Manually deletes the Botnet Traffic Filter dynamic database.
  dynamic-filter drop blacklist        Automatically drops blacklisted traffic.
  dynamic-filter enable                Enables the Botnet Traffic Filter for a class of traffic, or for all traffic if you do not specify an access list.
  dynamic-filter updater-client enable Enables downloading of the dynamic database.
  dynamic-filter use-database          Enables use of the dynamic database.
  dynamic-filter whitelist             Edits the Botnet Traffic Filter whitelist.
  inspect dns dynamic-filter-snoop     Enables DNS inspection with Botnet Traffic Filter snooping.
  name                                 Adds a name to the blacklist or whitelist.
  show asp table dynamic-filter        Shows the Botnet Traffic Filter rules that are installed in the accelerated security path.
  show dynamic-filter data             Shows information about the dynamic database, including when the dynamic database was last downloaded, the version of the database, how many entries the database contains, and 10 sample entries.
  show dynamic-filter dns-snoop        Shows the Botnet Traffic Filter DNS snooping summary, or with the detail keyword, the actual IP addresses and names.
  show dynamic-filter statistics       Shows how many connections were monitored with the Botnet Traffic Filter, and how many of those connections match the whitelist, blacklist, and greylist.
  show dynamic-filter updater-client   Shows information about the updater server, including the server IP address, the next time the ASA will connect with the server, and the database version last installed.
  show running-config dynamic-filter   Shows the Botnet Traffic Filter running configuration.

show dynamic-filter reports top

To generate reports of the top 10 malware sites, ports, and infected hosts classified by the Botnet Traffic Filter, use the show dynamic-filter reports top command in privileged EXEC mode.

  show dynamic-filter reports top [malware-sites | malware-ports | infected-hosts]

Syntax Description
  infected-hosts   (Optional) Shows a report for the top 10 infected hosts.
  malware-ports    (Optional) Shows a report for the top 10 malware ports.
  malware-sites    (Optional) Shows a report for the top 10 malware sites.

Command Default
  No default behavior or values.

Command Modes
  The following table shows the modes in which you can enter the command:

                         Firewall Mode           Security Context
                                                         Multiple
  Command Mode           Routed   Transparent   Single   Context   System
  Privileged EXEC        Yes      Yes           Yes      Yes       —

Command History
  Release   Modification
  8.2(1)    This command was added.
  8.2(2)    The botnet-sites and botnet-ports keywords were changed to malware-sites and malware-ports. The malware-sites report now includes the number of connections dropped, and the threat level and category of each site. A last clear timestamp was added. For threat events, the severity level was changed from a warning to a notification. Threat events can be triggered every five minutes.

Usage Guidelines
  This report is a snapshot of the data, and may not match the top 10 items since the statistics started to be collected.
  To clear the report data, enter the clear dynamic-filter reports top command.

Examples
  The following is sample output from the show dynamic-filter reports top malware-sites command:

  ciscoasa# show dynamic-filter reports top malware-sites
  Site                                   Connections logged   dropped   Threat Level   Category
  ----------------------------------------------------------------------------------------------
  bad1.example.com (10.67.22.34)         11                   0         2              Botnet
  bad2.example.com (209.165.200.225)     8                    8         3              Virus
  bad1.cisco.example (10.131.36.158)     6                    6         3              Virus
  bad2.cisco.example (209.165.201.1)     2                    2         3              Trojan
  horrible.example.net (10.232.224.2)    2                    2         3              Botnet
  nono.example.org (209.165.202.130)     1                    1         3              Virus
  Last clearing of the top sites report: at 13:41:06 UTC Jul 15 2009

  The following is sample output from the show dynamic-filter reports top malware-ports command:

  ciscoasa# show dynamic-filter reports top malware-ports
  Port          Connections logged
  ----------------------------------------------------------------------
  tcp 1000      617
  tcp 2001      472
  tcp 23        22
  tcp 1001      19
  udp 2000      17
  udp 2001      17
  tcp 8080      9
  tcp 80        3
  tcp >8192     2
  Last clearing of the top ports report: at 13:41:06 UTC Jul 15 2009

  The following is sample output from the show dynamic-filter reports top infected-hosts command:

  ciscoasa# show dynamic-filter reports top infected-hosts
  Host                      Connections logged
  ----------------------------------------------------------------------
  10.10.10.51 (inside)      1190
  10.12.10.10 (inside)      10
  10.10.11.10 (inside)      5
  Last clearing of the top infected-hosts report: at 13:41:06 UTC Jul 15 2009

Related Commands
  Command                              Description
  address                              Adds an IP address to the blacklist or whitelist.
  clear configure dynamic-filter       Clears the running Botnet Traffic Filter configuration.
  clear dynamic-filter dns-snoop       Clears Botnet Traffic Filter DNS snooping data.
  clear dynamic-filter reports         Clears Botnet Traffic Filter report data.
  clear dynamic-filter statistics      Clears Botnet Traffic Filter statistics.
  dns domain-lookup                    Enables the ASA to send DNS requests to a DNS server to perform a name lookup for supported commands.
  dns server-group                     Identifies a DNS server for the ASA.
  dynamic-filter ambiguous-is-black    Treats greylisted traffic as blacklisted traffic for action purposes.
  dynamic-filter blacklist             Edits the Botnet Traffic Filter blacklist.
  dynamic-filter database fetch        Manually retrieves the Botnet Traffic Filter dynamic database.
  dynamic-filter database find         Searches the dynamic database for a domain name or IP address.
  dynamic-filter database purge        Manually deletes the Botnet Traffic Filter dynamic database.
  dynamic-filter drop blacklist        Automatically drops blacklisted traffic.
  dynamic-filter enable                Enables the Botnet Traffic Filter for a class of traffic, or for all traffic if you do not specify an access list.
  dynamic-filter updater-client enable Enables downloading of the dynamic database.
  dynamic-filter use-database          Enables use of the dynamic database.
  dynamic-filter whitelist             Edits the Botnet Traffic Filter whitelist.
  inspect dns dynamic-filter-snoop     Enables DNS inspection with Botnet Traffic Filter snooping.
  name                                 Adds a name to the blacklist or whitelist.
  show asp table dynamic-filter        Shows the Botnet Traffic Filter rules that are installed in the accelerated security path.
  show dynamic-filter data             Shows information about the dynamic database, including when the dynamic database was last downloaded, the version of the database, how many entries the database contains, and 10 sample entries.
  show dynamic-filter dns-snoop        Shows the Botnet Traffic Filter DNS snooping summary, or with the detail keyword, the actual IP addresses and names.
  show dynamic-filter statistics       Shows how many connections were monitored with the Botnet Traffic Filter, and how many of those connections match the whitelist, blacklist, and greylist.
  show dynamic-filter updater-client   Shows information about the updater server, including the server IP address, the next time the ASA will connect with the server, and the database version last installed.
  show running-config dynamic-filter   Shows the Botnet Traffic Filter running configuration.

show dynamic-filter statistics

To show how many connections were classified as whitelist, blacklist, and greylist connections using the Botnet Traffic Filter, use the show dynamic-filter statistics command in privileged EXEC mode.

  show dynamic-filter statistics [interface name] [detail]

Syntax Description
  detail           (Optional) Shows how many packets at each threat level were classified or dropped.
  interface name   (Optional) Shows statistics for a particular interface.

Command Default
  No default behavior or values.

Command Modes
  The following table shows the modes in which you can enter the command:

                         Firewall Mode           Security Context
                                                         Multiple
  Command Mode           Routed   Transparent   Single   Context   System
  Privileged EXEC        Yes      Yes           Yes      Yes       —

Command History
  Release   Modification
  8.2(1)    This command was added.
  8.2(2)    The detail keyword was added to show how many packets at each threat level were classified or dropped. For threat events, the severity level was changed from a warning to a notification. Threat events can be triggered every five minutes.

Usage Guidelines
  The greylist includes addresses that are associated with multiple domain names, but not all of these domain names are on the blacklist.

  To clear the statistics, enter the clear dynamic-filter statistics command.
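Classification and the drop action are enabled by separate commands (dynamic-filter enable versus dynamic-filter drop blacklist), so a blacklist or greylist line whose classified count exceeds its dropped count means the filter saw traffic it did not block on that interface. The following Python is an added example and is not part of the Cisco reference: it parses output laid out like the samples that follow, including the per-threat-level lines of the detail form, and reports that gap per interface and list. The statistics block embedded in it is constructed for the example (not captured from a device), and the interface names and counters are illustrative.

```python
import re

# Constructed statistics block, laid out like the show dynamic-filter statistics detail
# output documented on this page; not captured from a device. Threat-level lines
# appear only in the detail form and only under the greylist and blacklist totals.
SAMPLE_STATS = """\
Enabled on interface outside
 Total conns classified 11, ingress 11, egress 0
 Total whitelist classified 0, ingress 0, egress 0
 Total greylist classified 0, dropped 0, ingress 0, egress 0
 Total blacklist classified 11, dropped 5, ingress 11, egress 0
  Threat level 5 classified 5, dropped 5, ingress 5, egress 0
  Threat level 4 classified 6, dropped 0, ingress 6, egress 0
Enabled on interface inside
 Total conns classified 1182, ingress 1182, egress 0
 Total whitelist classified 3, ingress 3, egress 0
 Total greylist classified 0, dropped 0, ingress 0, egress 0
 Total blacklist classified 1179, dropped 1000, ingress 1179, egress 0
"""

IFACE_RE = re.compile(r"^Enabled on interface (\S+)$")
# The dropped counter is present only on greylist and blacklist lines, so it is optional.
TOTAL_RE = re.compile(
    r"^Total (conns|whitelist|greylist|blacklist) classified (\d+)"
    r"(?:, dropped (\d+))?, ingress (\d+), egress (\d+)$")
LEVEL_RE = re.compile(
    r"^Threat level (\d) classified (\d+), dropped (\d+), ingress (\d+), egress (\d+)$")


def parse_statistics(text):
    """Return {interface: {list_name: {classified, dropped, ingress, egress, levels}}}.
    'dropped' is None for the conns total and the whitelist, whose lines carry no
    dropped counter. 'levels' maps threat level -> counters when detail output is parsed."""
    stats, iface, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            iface, current = m.group(1), None
            stats[iface] = {}
            continue
        if iface is None:
            continue
        m = TOTAL_RE.match(line)
        if m:
            name, classified, dropped, ingress, egress = m.groups()
            stats[iface][name] = {
                "classified": int(classified),
                "dropped": None if dropped is None else int(dropped),
                "ingress": int(ingress),
                "egress": int(egress),
                "levels": {},
            }
            current = name
            continue
        m = LEVEL_RE.match(line)
        if m and current in ("greylist", "blacklist"):
            level, classified, dropped, ingress, egress = (int(x) for x in m.groups())
            stats[iface][current]["levels"][level] = {
                "classified": classified, "dropped": dropped,
                "ingress": ingress, "egress": egress}
    return stats


def classified_not_dropped(stats):
    """Connections classified as greylist or blacklist but not dropped, keyed by
    (interface, list). 'levels' narrows the gap to the threat levels that are passing
    when detail output was parsed. A nonzero total means that list is being observed,
    not blocked, on that interface."""
    gaps = {}
    for iface, lists in stats.items():
        for name in ("greylist", "blacklist"):
            rec = lists.get(name)
            if rec is None:
                continue
            total = rec["classified"] - rec["dropped"]
            if total <= 0:
                continue
            levels = {lvl: v["classified"] - v["dropped"]
                      for lvl, v in rec["levels"].items()
                      if v["classified"] > v["dropped"]}
            gaps[(iface, name)] = {"total": total, "levels": levels}
    return gaps


if __name__ == "__main__":
    stats = parse_statistics(SAMPLE_STATS)
    for (iface, name), gap in classified_not_dropped(stats).items():
        by_level = f", by threat level {gap['levels']}" if gap["levels"] else ""
        print(f"{iface}: {gap['total']} {name} connections classified but not dropped{by_level}")
```

Run it against the detail form when you can: the summary form only tells you that some blacklisted connections were not dropped, while the per-level lines show which threat levels are the ones getting through.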
Examples
  The following is sample output from the show dynamic-filter statistics command:

  ciscoasa# show dynamic-filter statistics
  Enabled on interface outside
   Total conns classified 11, ingress 11, egress 0
   Total whitelist classified 0, ingress 0, egress 0
   Total greylist classified 0, dropped 0, ingress 0, egress 0
   Total blacklist classified 11, dropped 5, ingress 11, egress 0
  Enabled on interface inside
   Total conns classified 1182, ingress 1182, egress 0
   Total whitelist classified 3, ingress 3, egress 0
   Total greylist classified 0, dropped 0, ingress 0, egress 0
   Total blacklist classified 1179, dropped 1000, ingress 1179, egress 0

  The following is sample output from the show dynamic-filter statistics interface outside detail command:

  ciscoasa# show dynamic-filter statistics interface outside detail
  Enabled on interface outside
   Total conns classified 2108, ingress 2108, egress 0
   Total whitelist classified 0, ingress 0, egress 0
   Total greylist classified 1, dropped 1, ingress 0, egress 0
    Threat level 5 classified 1, dropped 1, ingress 0, egress 0
    Threat level 4 classified 0, dropped 0, ingress 0, egress 0
    ...
   Total blacklist classified 30, dropped 20, ingress 11, egress 2
    Threat level 5 classified 6, dropped 6, ingress 4, egress 2
    Threat level 4 classified 5, dropped 5, ingress 5, egress 0

Related Commands
  Command                              Description
  address                              Adds an IP address to the blacklist or whitelist.
  clear configure dynamic-filter       Clears the running Botnet Traffic Filter configuration.
  clear dynamic-filter dns-snoop       Clears Botnet Traffic Filter DNS snooping data.
  clear dynamic-filter reports         Clears Botnet Traffic Filter report data.
  clear dynamic-filter statistics      Clears Botnet Traffic Filter statistics.
  dns domain-lookup                    Enables the ASA to send DNS requests to a DNS server to perform a name lookup for supported commands.
  dns server-group                     Identifies a DNS server for the ASA.
  dynamic-filter ambiguous-is-black    Treats greylisted traffic as blacklisted traffic for action purposes.
  dynamic-filter blacklist             Edits the Botnet Traffic Filter blacklist.
  dynamic-filter database fetch        Manually retrieves the Botnet Traffic Filter dynamic database.
  dynamic-filter database find         Searches the dynamic database for a domain name or IP address.
  dynamic-filter database purge        Manually deletes the Botnet Traffic Filter dynamic database.
  dynamic-filter drop blacklist        Automatically drops blacklisted traffic.
  dynamic-filter enable                Enables the Botnet Traffic Filter for a class of traffic, or for all traffic if you do not specify an access list.
  dynamic-filter updater-client enable Enables downloading of the dynamic database.
  dynamic-filter use-database          Enables use of the dynamic database.
  dynamic-filter whitelist             Edits the Botnet Traffic Filter whitelist.
  inspect dns dynamic-filter-snoop     Enables DNS inspection with Botnet Traffic Filter snooping.
  name                                 Adds a name to the blacklist or whitelist.
  show asp table dynamic-filter        Shows the Botnet Traffic Filter rules that are installed in the accelerated security path.
  show dynamic-filter data             Shows information about the dynamic database, including when the dynamic database was last downloaded, the version of the database, how many entries the database contains, and 10 sample entries.
  show dynamic-filter dns-snoop        Shows the Botnet Traffic Filter DNS snooping summary, or with the detail keyword, the actual IP addresses and names.
  show dynamic-filter reports          Generates reports of the top 10 botnet sites, ports, and infected hosts.
  show dynamic-filter updater-client   Shows information about the updater server, including the server IP address, the next time the ASA will connect with the server, and the database version last installed.
  show running-config dynamic-filter   Shows the Botnet Traffic Filter running configuration.

show dynamic-filter updater-client

To show information about the Botnet Traffic Filter updater server, including the server IP address, the next time the ASA will connect with the server, and the database version last installed, use the show dynamic-filter updater-client command in privileged EXEC mode.

  show dynamic-filter updater-client

Syntax Description
  This command has no arguments or keywords.

Command Default
  No default behavior or values.

Command Modes
  The following table shows the modes in which you can enter the command:

                         Firewall Mode           Security Context
                                                         Multiple
  Command Mode           Routed   Transparent   Single   Context   System
  Privileged EXEC        Yes      Yes           Yes      —         Yes

Command History
  Release   Modification
  8.2(1)    This command was added.

Examples
  The following is sample output from the show dynamic-filter updater-client command:

  ciscoasa# show dynamic-filter updater-client
  Traffic Filter updater client is enabled
  Updater server url is https://10.15.80.240:446
  Application name: trafmon, version: 1.0
  Encrypted UDI: 0bb93985f42d941e50dc8f022350d1a8de96ba6c1f6d45f4bc0ead02a7d5990be32f483b5715cd80a215cedadd4e5ffe
  Next update is in 00:02:00
  Database file version is '907' fetched at 22:51:41 UTC Oct 16 2006, size: 521408

Related Commands
  Command                              Description
  address                              Adds an IP address to the blacklist or whitelist.
  clear configure dynamic-filter       Clears the running Botnet Traffic Filter configuration.
  clear dynamic-filter dns-snoop       Clears Botnet Traffic Filter DNS snooping data.
  clear dynamic-filter reports         Clears Botnet Traffic Filter report data.
  clear dynamic-filter statistics      Clears Botnet Traffic Filter statistics.
  dns domain-lookup                    Enables the ASA to send DNS requests to a DNS server to perform a name lookup for supported commands.
  dns server-group                     Identifies a DNS server for the ASA.
  dynamic-filter ambiguous-is-black    Treats greylisted traffic as blacklisted traffic for action purposes.
  dynamic-filter blacklist             Edits the Botnet Traffic Filter blacklist.
  dynamic-filter database fetch        Manually retrieves the Botnet Traffic Filter dynamic database.
  dynamic-filter database find         Searches the dynamic database for a domain name or IP address.
  dynamic-filter database purge        Manually deletes the Botnet Traffic Filter dynamic database.
  dynamic-filter drop blacklist        Automatically drops blacklisted traffic.
  dynamic-filter enable                Enables the Botnet Traffic Filter for a class of traffic, or for all traffic if you do not specify an access list.
  dynamic-filter updater-client enable Enables downloading of the dynamic database.
  dynamic-filter use-database          Enables use of the dynamic database.
  dynamic-filter whitelist             Edits the Botnet Traffic Filter whitelist.
  inspect dns dynamic-filter-snoop     Enables DNS inspection with Botnet Traffic Filter snooping.
  name                                 Adds a name to the blacklist or whitelist.
  show asp table dynamic-filter        Shows the Botnet Traffic Filter rules that are installed in the accelerated security path.
  show dynamic-filter data             Shows information about the dynamic database, including when the dynamic database was last downloaded, the version of the database, how many entries the database contains, and 10 sample entries.
  show dynamic-filter dns-snoop        Shows the Botnet Traffic Filter DNS snooping summary, or with the detail keyword, the actual IP addresses and names.
  show dynamic-filter reports          Generates reports of the top 10 botnet sites, ports, and infected hosts.
  show dynamic-filter statistics       Shows how many connections were monitored with the Botnet Traffic Filter, and how many of those connections match the whitelist, blacklist, and greylist.
  show running-config dynamic-filter   Shows the Botnet Traffic Filter running configuration.
show eigrp events

To display the EIGRP event log, use the show eigrp events command in privileged EXEC mode.

  show eigrp [as-number] events [{start end} | type]

Syntax Description
  as-number   (Optional) Specifies the autonomous system number of the EIGRP process for which you are viewing the event log. Because the ASA only supports one EIGRP routing process, you do not need to specify the autonomous system number.
  end         (Optional) Limits the output to the entries starting with the start index number and ending with the end index number.
  start       (Optional) A number specifying the log entry index number. Specifying a start number causes the output to start with the specified event and end with the event specified by the end argument. Valid values are from 1 to 4294967295.
  type        (Optional) Displays which types of events are being logged.

Defaults
  If a start and end are not specified, all log entries are shown.

Command Modes
  The following table shows the modes in which you can enter the command:

                         Firewall Mode           Security Context
                                                         Multiple
  Command Mode           Routed   Transparent   Single   Context   System
  Privileged EXEC        Yes      —             Yes      Yes       —

Command History
  Release   Modification
  8.0(2)    This command was added.
  9.0(1)    Support for multiple context mode was added.

Usage Guidelines
  The show eigrp events output displays up to 500 events. Once the maximum number of events has been reached, new events are added to the bottom of the output and old events are removed from the top of the output. You can use the clear eigrp events command to clear the EIGRP event log.

  The show eigrp events type command displays the logging status of EIGRP events. By default, neighbor changes, neighbor warnings, and DUAL FSM messages are logged. You can disable neighbor change event logging using the no eigrp log-neighbor-changes command. You can disable neighbor warning event logging using the no eigrp log-neighbor-warnings command.
  You cannot disable the logging of DUAL FSM events.

Examples
  The following is sample output from the show eigrp events command:

  ciscoasa# show eigrp events
  Event information for AS 100:
   1  12:11:23.500 Change queue emptied, entries: 4
   2  12:11:23.500 Metric set: 10.1.0.0/16 53760
   3  12:11:23.500 Update reason, delay: new if 4294967295
   4  12:11:23.500 Update sent, RD: 10.1.0.0/16 4294967295
   5  12:11:23.500 Update reason, delay: metric chg 4294967295
   6  12:11:23.500 Update sent, RD: 10.1.0.0/16 4294967295
   7  12:11:23.500 Route install: 10.1.0.0/16 10.130.60.248
   8  12:11:23.500 Find FS: 10.1.0.0/16 4294967295
   9  12:11:23.500 Rcv update met/succmet: 53760 28160
  10  12:11:23.500 Rcv update dest/nh: 10.1.0.0/16 10.130.60.248
  11  12:11:23.500 Metric set: 10.1.0.0/16 4294967295

  The following is sample output from the show eigrp events command with a start and end number defined:

  ciscoasa# show eigrp events 3 8
  Event information for AS 100:
   3  12:11:23.500 Update reason, delay: new if 4294967295
   4  12:11:23.500 Update sent, RD: 10.1.0.0/16 4294967295
   5  12:11:23.500 Update reason, delay: metric chg 4294967295
   6  12:11:23.500 Update sent, RD: 10.1.0.0/16 4294967295
   7  12:11:23.500 Route install: 10.1.0.0/16 10.130.60.248
   8  12:11:23.500 Find FS: 10.1.0.0/16 4294967295

  The following is sample output from the show eigrp events command when there are no entries in the EIGRP event log:

  ciscoasa# show eigrp events
  Event information for AS 100: Event log is empty.

  The following is sample output from the show eigrp events type command:

  ciscoasa# show eigrp events type
  EIGRP-IPv4 Event Logging for AS 100:
    Log Size            500
    Neighbor Changes    Enable
    Neighbor Warnings   Enable
    Dual FSM            Enable

Related Commands
  Command                        Description
  clear eigrp events             Clears the EIGRP event logging buffer.
  eigrp log-neighbor-changes     Enables the logging of neighbor change events.
  eigrp log-neighbor-warnings    Enables the logging of neighbor warning events.
show eigrp interfaces

To display the interfaces participating in EIGRP routing, use the show eigrp interfaces command in privileged EXEC mode.

  show eigrp [as-number] interfaces [if-name] [detail]

Syntax Description
  as-number   (Optional) Specifies the autonomous system number of the EIGRP process for which you are displaying active interfaces. Because the ASA only supports one EIGRP routing process, you do not need to specify the autonomous system number.
  detail      (Optional) Displays detailed information.
  if-name     (Optional) The name of an interface as specified by the nameif command. Specifying an interface name limits the display to the specified interface.

Defaults
  If you do not specify an interface name, information for all EIGRP interfaces is displayed.

Command Modes
  The following table shows the modes in which you can enter the command:

                         Firewall Mode           Security Context
                                                         Multiple
  Command Mode           Routed   Transparent   Single   Context   System
  Privileged EXEC        Yes      —             Yes      Yes       —

Command History
  Release   Modification
  8.0(2)    This command was added.
  9.0(1)    Support for multiple context mode was added.

Usage Guidelines
  Use the show eigrp interfaces command to determine on which interfaces EIGRP is active, and to learn information about EIGRP relating to those interfaces. If an interface is specified, only that interface is displayed. Otherwise, all interfaces on which EIGRP is running are displayed. If an autonomous system is specified, only the routing process for the specified autonomous system is displayed. Otherwise, all EIGRP processes are displayed.
Examples
  The following is sample output from the show eigrp interfaces command:

  ciscoasa# show eigrp interfaces
  EIGRP-IPv4 interfaces for process 100
                     Xmit Queue    Mean   Pacing Time   Multicast    Pending
  Interface   Peers  Un/Reliable   SRTT   Un/Reliable   Flow Timer   Routes
  mgmt          0        0/0          0      11/434          0           0
  outside       1        0/0        337        0/10          0           0
  inside        1        0/0         10        1/63        103           0

  Table 6-2 describes the significant fields shown in the display.

  Table 6-2  show eigrp interfaces Field Descriptions
  Field                     Description
  process                   Autonomous system number for the EIGRP routing process.
  Peers                     Number of directly connected peers.
  Xmit Queue Un/Reliable    Number of packets remaining in the unreliable and reliable transmit queues.
  Mean SRTT                 Mean smooth round-trip time interval (in milliseconds).
  Pacing Time Un/Reliable   Pacing time (in milliseconds) used to determine when EIGRP packets (unreliable and reliable) should be sent out the interface.
  Multicast Flow Timer      Maximum number of seconds in which the ASA will send multicast EIGRP packets.
  Pending Routes            Number of routes in the packets in the transmit queue waiting to be sent.

Related Commands
  Command   Description
  network   Defines the networks and interfaces that participate in the EIGRP routing process.

show eigrp neighbors

To display the EIGRP neighbor table, use the show eigrp neighbors command in privileged EXEC mode.

  show eigrp [as-number] neighbors [detail | static] [if-name]

Syntax Description
  as-number   (Optional) Specifies the autonomous system number of the EIGRP process for which you are displaying neighbor entries. Because the ASA only supports one EIGRP routing process, you do not need to specify the autonomous system number.
  detail      (Optional) Displays detailed neighbor information.
  if-name     (Optional) The name of an interface as specified by the nameif command.
              Specifying an interface name displays all neighbor table entries that were learned through that interface.
  static      (Optional) Displays EIGRP neighbors that are statically defined using the neighbor command.

Defaults
  If you do not specify an interface name, the neighbors learned through all interfaces are displayed.

Command Modes
  The following table shows the modes in which you can enter the command:

                         Firewall Mode           Security Context
                                                         Multiple
  Command Mode           Routed   Transparent   Single   Context   System
  Privileged EXEC        Yes      —             Yes      Yes       —

Command History
  Release   Modification
  8.0(2)    This command was added.
  9.0(1)    Support for multiple context mode was added.

Usage Guidelines
  You can use the clear eigrp neighbors command to clear the dynamically learned neighbors from the EIGRP neighbor table. Static neighbors are not included in the output unless you use the static keyword.

Examples
  The following is sample output from the show eigrp neighbors command:

  ciscoasa# show eigrp neighbors
  EIGRP-IPv4 Neighbors for process 100
  Address         Interface   Holdtime  Uptime    Q      Seq   SRTT   RTO
                              (secs)    (h:m:s)   Count  Num   (ms)   (ms)
  172.16.81.28    Ethernet1   13        0:00:41   0      11    4      20
  172.16.80.28    Ethernet0   14        0:02:01   0      10    12     24
  172.16.80.31    Ethernet0   12        0:02:02   0      4     5      20

  Table 6-3 describes the significant fields shown in the display.

  Table 6-3  show eigrp neighbors Field Descriptions
  Field       Description
  process     Autonomous system number for the EIGRP routing process.
  Address     IP address of the EIGRP neighbor.
  Interface   Interface on which the ASA receives hello packets from the neighbor.
  Holdtime    Length of time (in seconds) that the ASA waits to hear from the neighbor before declaring it down. This hold time is received from the neighbor in the hello packet, and begins decreasing until another hello packet is received from the neighbor. If the neighbor is using the default hold time, this number will be less than 15.
If the peer configures a non-default hold time, the non-default hold time will be displayed. If this value reaches 0, the ASA considers the neighbor unreachable. Uptime Elapsed time (in hours:minutes: seconds) since the ASA first heard from this neighbor. Q Count Number of EIGRP packets (update, query, and reply) that the ASA is waiting to send. Seq Num Sequence number of the last update, query, or reply packet that was received from the neighbor. SRTT Smooth round-trip time. This is the number of milliseconds required for an EIGRP packet to be sent to this neighbor and for the ASA to receive an acknowledgment of that packet. RTO Retransmission timeout (in milliseconds). This is the amount of time the ASA waits before resending a packet from the retransmission queue to a neighbor. The following is sample output from the show eigrp neighbors static command: ciscoasa# show eigrp neighbors static EIGRP-IPv4 neighbors for process 100 Static Address Interface 192.168.1.5 management Table 6-4 describes the significant fields shown in the display. Table 6-4 show ip eigrp neighbors static Field Descriptions Field Description process Autonomous system number for the EIGRP routing process. Static Address IP address of the EIGRP neighbor. Interface Interface on which the ASA receives hello packets from the neighbor. 
Cisco ASA Series Command Reference, S Commands 6-40 Chapter The following is sample output from the show eigrp neighbors detail command: ciscoasa# show eigrp neighbors detail EIGRP-IPv4 neighbors for process 100 H Address Interface 3 0 2 1 1.1.1.3 Et0/0 Version 12.2/1.2, Retrans: 0, Retries: Restart time 00:01:05 10.4.9.5 Fa0/0 Version 12.2/1.2, Retrans: 0, Retries: 10.4.9.10 Fa0/0 Version 12.2/1.2, Retrans: 1, Retries: 10.4.9.6 Fa0/0 Version 12.2/1.2, Retrans: 1, Retries: Hold Uptime SRTT (sec) (ms) 12 00:04:48 1832 RTO Q Seq Tye Cnt Num 5000 0 14 0 11 00:04:07 768 4608 0 4 S 13 1w0d 1 3000 0 6 S 12 1w0d 1 3000 0 4 S 0 0 0 Table 6-5 describes the significant fields shown in the display. Table 6-5 show ip eigrp neighbors details Field Descriptions Field Description process Autonomous system number for the EIGRP routing process. H This column lists the order in which a peering session was established with the specified neighbor. The order is specified with sequential numbering starting with 0. Address IP address of the EIGRP neighbor. Interface Interface on which the ASA receives hello packets from the neighbor. Holdtime Length of time (in seconds) that the ASA waits to hear from the neighbor before declaring it down. This hold time is received from the neighbor in the hello packet, and begins decreasing until another hello packet is received from the neighbor. If the neighbor is using the default hold time, this number will be less than 15. If the peer configures a non-default hold time, the non-default hold time will be displayed. If this value reaches 0, the ASA considers the neighbor unreachable. Uptime Elapsed time (in hours:minutes: seconds) since the ASA first heard from this neighbor. SRTT Smooth round-trip time. This is the number of milliseconds required for an EIGRP packet to be sent to this neighbor and for the ASA to receive an acknowledgment of that packet. RTO Retransmission timeout (in milliseconds). 
This is the amount of time the ASA waits before resending a packet from the retransmission queue to a neighbor. Q Count Number of EIGRP packets (update, query, and reply) that the ASA is waiting to send. Seq Num Sequence number of the last update, query, or reply packet that was received from the neighbor. Version The software version that the specified peer is running. Retrans The number of times that a packet has been retransmitted. Cisco ASA Series Command Reference, S Commands 6-41 Chapter Table 6-5 Related Commands show ip eigrp neighbors details Field Descriptions Field Description Retries The number of times an attempt was made to retransmit a packet. Restart time Elapsed time (in hours:minutes:seconds) since the specified neighbor has restarted. Command Description clear eigrp neighbors Clears the EIGRP neighbor table. debug eigrp neighbors Displays EIGRP neighbor debugging messages. debug ip eigrp Displays EIGRP packet debugging messages. Cisco ASA Series Command Reference, S Commands 6-42 Chapter show eigrp topology To display the EIGRP topology table, use the show eigrp topology command in privileged EXEC mode. show eigrp [as-number] topology [ip-addr [mask] | active | all-links | pending | summary | zero-successors] Syntax Description active (Optional) Displays only active entries in the EIGRP topology table. all-links (Optional) Displays all routes in the EIGRP topology table, even those that are not feasible successors. as-number (Optional) Specifies the autonomous system number of the EIGRP process. Because the ASA only supports one EIGRP routing process, you do not need to specify the autonomous system number. ip-addr (Optional) Defines the IP address from the topology table to display. When specified with a mask, a detailed description of the entry is provided. mask (Optional) Defines the network mask to apply to the ip-addr argument. 
pending           (Optional) Displays all entries in the EIGRP topology table that are waiting for an update from a neighbor or are waiting to reply to a neighbor.
summary           (Optional) Displays a summary of the EIGRP topology table.
zero-successors   (Optional) Displays available routes in the EIGRP topology table.

Defaults
Only routes that are feasible successors are displayed. Use the all-links keyword to display all routes, including those that are not feasible successors.

Command Modes
The following table shows the modes in which you can enter the command:

                    Firewall Mode            Security Context
                                                      Multiple
Command Mode        Routed   Transparent     Single   Context   System
Privileged EXEC     Yes      —               Yes      Yes       —

Command History

Release   Modification
8.0(2)    This command was added.
9.0(1)    Support for multiple context mode was added.

Usage Guidelines
You can use the clear eigrp topology command to remove the dynamic entries from the topology table.

Examples
The following is sample output from the show eigrp topology command:

ciscoasa# show eigrp topology
EIGRP-IPv4 Topology Table for AS(100)/ID(192.168.1.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - Reply status

P 10.2.1.0 255.255.255.0, 2 successors, FD is 0
         via 10.16.80.28 (46251776/46226176), Ethernet0
         via 10.16.81.28 (46251776/46226176), Ethernet1
P 10.2.1.0 255.255.255.0, 1 successors, FD is 307200
         via Connected, Ethernet1
         via 10.16.81.28 (307200/281600), Ethernet1
         via 10.16.80.28 (307200/281600), Ethernet0

Table 6-6 describes the significant fields shown in the displays.

Table 6-6 show eigrp topology Field Information

Field              Description
Codes              State of this topology table entry. Passive and Active refer to the EIGRP state with respect to this destination; Update, Query, and Reply refer to the type of packet that is being sent.
P - Passive        The route is known to be good and no EIGRP computations are being performed for this destination.
A - Active         EIGRP computations are being performed for this destination.
U - Update         Indicates that an update packet was sent to this destination.
Q - Query          Indicates that a query packet was sent to this destination.
R - Reply          Indicates that a reply packet was sent to this destination.
r - Reply status   Flag that is set after the software has sent a query and is waiting for a reply.
address mask       Destination IP address and mask.
successors         Number of successors. This number corresponds to the number of next hops in the IP routing table. If "successors" is capitalized, then the route or next hop is in a transition state.
FD                 Feasible distance. The feasible distance is the best metric to reach the destination or the best metric that was known when the route went active. This value is used in the feasibility condition check. If the reported distance of the router (the metric after the slash) is less than the feasible distance, the feasibility condition is met and that path is a feasible successor. Once the software determines it has a feasible successor, it need not send a query for that destination.
via                IP address of the peer that told the software about this destination. The first n of these entries, where n is the number of successors, are the current successors. The remaining entries on the list are feasible successors.
(cost/adv_cost)    The first number is the EIGRP metric that represents the cost to the destination. The second number is the EIGRP metric that this peer advertised.
interface          The interface from which the information was learned.

The following is sample output from the show eigrp topology command used with an IP address. The output shown is for an internal route.

ciscoasa# show eigrp topology 10.2.1.0 255.255.255.0
EIGRP-IPv4 (AS 100): Topology Default-IP-Routing-Table(0) entry for entry for 10.2.1.0 255.255.255.0
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 281600
  Routing Descriptor Blocks:
  0.0.0.0 (Ethernet0/0), from Connected, Send flag is 0x0
      Composite metric is (281600/0), Route is Internal
      Vector metric:
        Minimum bandwidth is 10000 Kbit
        Total delay is 1000 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 0

The following is sample output from the show eigrp topology command used with an IP address. The output shown is for an external route.

ciscoasa# show eigrp topology 10.4.80.0 255.255.255.0
EIGRP-IPv4 (AS 100): Topology Default-IP-Routing-Table(0) entry for entry for 10.4.80.0 255.255.255.0
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 409600
  Routing Descriptor Blocks:
  10.2.1.1 (Ethernet0/0), from 10.2.1.1, Send flag is 0x0
      Composite metric is (409600/128256), Route is External
      Vector metric:
        Minimum bandwidth is 10000 Kbit
        Total delay is 6000 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 1
      External data:
        Originating router is 10.89.245.1
        AS number of route is 0
        External protocol is Connected, external metric is 0
        Administrator tag is 0 (0x00000000)

Related Commands

Command                Description
clear eigrp topology   Clears the dynamically discovered entries from the EIGRP topology table.

show eigrp traffic

To display the number of EIGRP packets sent and received, use the show eigrp traffic command in privileged EXEC mode.

show eigrp [as-number] traffic

Syntax Description

as-number   (Optional) Specifies the autonomous system number of the EIGRP process for which you are viewing the traffic statistics. Because the ASA only supports one EIGRP routing process, you do not need to specify the autonomous system number.

Defaults
No default behaviors or values.

Command Modes
The following table shows the modes in which you can enter the command:

                    Firewall Mode            Security Context
                                                      Multiple
Command Mode        Routed   Transparent     Single   Context   System
Privileged EXEC     Yes      —               Yes      Yes       —

Command History

Release   Modification
8.0(2)    This command was added.
9.0(1)    Support for multiple context mode was added.

Usage Guidelines
You can use the clear eigrp traffic command to clear the EIGRP traffic statistics.

Examples
The following is sample output from the show eigrp traffic command:

ciscoasa# show eigrp traffic
EIGRP-IPv4 Traffic Statistics for AS 100
  Hellos sent/received: 218/205
  Updates sent/received: 7/23
  Queries sent/received: 2/0
  Replies sent/received: 0/2
  Acks sent/received: 21/14
  Input queue high water mark 0, 0 drops
  SIA-Queries sent/received: 0/0
  SIA-Replies sent/received: 0/0
  Hello Process ID: 1719439416
  PDM Process ID: 1719439824

Table 6-7 describes the significant fields shown in the display.

Table 6-7 show eigrp traffic Field Descriptions

Field                                Description
process                              Autonomous system number for the EIGRP routing process.
Hellos sent/received                 Number of hello packets sent and received.
Updates sent/received                Number of update packets sent and received.
Queries sent/received                Number of query packets sent and received.
Replies sent/received                Number of reply packets sent and received.
Acks sent/received                   Number of acknowledgment packets sent and received.
Input queue high water mark/drops    Number of received packets that are approaching the maximum receive threshold and number of dropped packets.
SIA-Queries sent/received            Stuck-in-active queries sent and received.
SIA-Replies sent/received            Stuck-in-active replies sent and received.

Related Commands

Command               Description
debug eigrp packets   Displays debugging information for EIGRP packets sent and received.
debug eigrp transmit  Displays debugging information for EIGRP messages sent.
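The successor and feasible-successor rules described under show eigrp topology above, applied in code as an added example that is not part of this reference: it parses the topology listing format shown there, labels each via entry by position and by the feasibility condition (reported distance less than FD), and recomputes the composite metric from the vector metric using the classic EIGRP formula with default K values (an assumption of this example; the page states only the resulting values). The sample topology text and its second destination are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modeled on the show eigrp topology output in this reference.
# The 10.2.1.0 entry copies the page; the 10.4.80.0 entry is made up to show a
# path that fails the feasibility condition (listed only with the all-links keyword).
TOPOLOGY_SAMPLE = """\
EIGRP-IPv4 Topology Table for AS(100)/ID(192.168.1.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - Reply status

P 10.2.1.0 255.255.255.0, 1 successors, FD is 307200
         via Connected, Ethernet1
         via 10.16.81.28 (307200/281600), Ethernet1
         via 10.16.80.28 (307200/281600), Ethernet0
P 10.4.80.0 255.255.255.0, 1 successors, FD is 409600
         via 10.2.1.1 (409600/128256), Ethernet0/0
         via 10.2.1.2 (435200/409600), Ethernet0/1
"""

@dataclass
class Path:
    via: str                 # peer address, or "Connected"
    interface: str
    cost: Optional[int]      # first number in (cost/adv_cost): metric to the destination
    adv_cost: Optional[int]  # second number: metric the peer advertised (reported distance)

@dataclass
class TopologyEntry:
    code: str
    address: str
    mask: str
    successors: int
    fd: int                  # feasible distance
    paths: List[Path] = field(default_factory=list)

ENTRY_RE = re.compile(r'^([PAUQRr]+)\s+(\S+)\s+(\S+),\s+(\d+)\s+successors?,\s+FD is (\d+)')
VIA_RE = re.compile(r'^\s+via (\S+?)(?: \((\d+)/(\d+)\))?, (\S+)')

def parse_topology(text: str) -> List[TopologyEntry]:
    """Turns the topology listing into entries, each carrying its via paths."""
    entries: List[TopologyEntry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(TopologyEntry(m[1], m[2], m[3], int(m[4]), int(m[5])))
            continue
        m = VIA_RE.match(line)
        if m and entries:
            cost = int(m[2]) if m[2] else None
            adv = int(m[3]) if m[3] else None
            entries[-1].paths.append(Path(m[1], m[4], cost, adv))
    return entries

def classify_paths(entry: TopologyEntry):
    """Labels each path. By position, the first n entries (n = successors) are
    the current successors; any other path is a feasible successor only if its
    reported distance is strictly less than the FD (the feasibility condition)."""
    labelled = []
    for i, p in enumerate(entry.paths):
        fc_met = p.adv_cost is not None and p.adv_cost < entry.fd
        if i < entry.successors:
            role = "successor"
        elif fc_met:
            role = "feasible successor"
        else:
            role = "not feasible"   # would be shown only with all-links
        labelled.append((p.via, role, fc_met))
    return labelled

def composite_metric(min_bandwidth_kbit: int, total_delay_us: int) -> int:
    """Classic EIGRP composite metric with default K values (K1 = K3 = 1,
    K2 = K4 = K5 = 0): 256 * (10^7 / min_bandwidth + total_delay / 10).
    The formula is an assumption of this example, not stated on the page."""
    bandwidth_term = 10_000_000 // min_bandwidth_kbit
    delay_term = total_delay_us // 10
    return 256 * (bandwidth_term + delay_term)

if __name__ == "__main__":
    for entry in parse_topology(TOPOLOGY_SAMPLE):
        print(f"{entry.address} {entry.mask}  FD={entry.fd}")
        for via, role, fc_met in classify_paths(entry):
            print(f"    via {via:<12} {role:<18} FC met: {fc_met}")
    # Recompute the composite metrics from the detailed output on the page:
    # 10000 Kbit / 1000 us -> 281600 (internal), 10000 Kbit / 6000 us -> 409600 (external)
    print(composite_metric(10000, 1000), composite_metric(10000, 6000))
```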
show environment

To display system environment information for system components, use the show environment command in privileged EXEC mode.

show environment [driver | fans | power-supply | temperature] [chassis | cpu | voltage]

Syntax Description

chassis        (Optional) Limits the temperature display to the chassis.
cpu            (Optional) Limits the temperature display to the processors. The ASA 5580-40 displays information for 4 processors. The ASA 5580-20 displays information for 2 processors.
driver         (Optional) Displays the environment monitoring (IPMI) driver status. The driver status can be one of the following:
               • RUNNING—The driver is operational.
               • STOPPED—An error has caused the driver to stop.
fans           (Optional) Displays the operational status of the cooling fans. The status is one of the following:
               • OK—The fan is operating normally.
               • Failed—The fan has failed and should be replaced.
power-supply   (Optional) Displays the operational status of the power supplies. The status for each power supply is one of the following:
               • OK—The power supply is operating normally.
               • Failed—The power supply has failed and should be replaced.
               • Not Present—The specified power supply is not installed.
               The power supply redundancy status also displays. The redundancy status is one of the following:
               • OK—The unit is operating normally with full resources.
               • Lost—The unit has lost redundancy but is operating normally with minimum resources. Any further failures will result in a system shutdown.
               • N/A—The unit is not configured for power supply redundancy.
temperature    (Optional) Displays the temperature and status of the processors and chassis. The temperature is given in Celsius. The status is one of the following:
               • OK—The temperature is within normal operating range.
               • Critical—The temperature is outside of normal operating range.
               Operating ranges are categorized as follows:
               • Less than 70 degrees—OK
               • 70-80—Warm
               • 80-90—Critical
               • Greater than 90—Unrecoverable
voltage        (Optional) Displays the values for CPU voltage channels 1-24. Excludes the operational status.

Defaults
All operational information, except for the driver, is displayed if no keywords are specified.

Command Modes
The following table shows the modes in which you can enter the command:

                    Firewall Mode            Security Context
                                                      Multiple
Command Mode        Routed   Transparent     Single   Context   System
Privileged EXEC     Yes      Yes             Yes      —         Yes

Command History

Release    Modification
8.1(1)     This command was added.
8.4(2)     The output for an ASA 5585-X SSP was added. In addition, support for a dual SSP installation was added.
8.4.4(1)   Displayed power supply temperature values for the ASA 5515-X, ASA 5525-X, 5545-X, and ASA 5555-X have been changed in the output.
8.6(1)     The output for CPU voltage regulator thermal events in the ASA 5545-X and ASA 5555-X was added. The output for power supply input status was added. The output for voltage sensors was added.

Usage Guidelines
You can display operating environment information on the ASA 5545-X, 5555-X, 5580 and 5585-X. This information includes the operational status of the fans and power supplies, and the temperature and status of the CPUs and chassis. The ASA 5580-40 displays information for 4 CPUs; the ASA 5580-20 displays information for 2 CPUs.

Note   For a dual SSP installation, only the sensors for the chassis master show output for the cooling fans and power supplies.

Examples
The following is sample generic output from the show environment command:

ciscoasa# show environment
Cooling Fans:
-----------------------------------
  Power Supplies:
  --------------------------------
    Left Slot (PS0): 6900 RPM - OK (Power Supply Fan)
    Right Slot (PS1): 7000 RPM - OK (Power Supply Fan)
Power Supplies:
-----------------------------------
  Power Supply Unit Redundancy: OK
  Temperature:
  --------------------------------
    Left Slot (PS0): 26 C - OK (Power Supply Temperature)
    Right Slot (PS1): 27 C - OK (Power Supply Temperature)
  Cooling Fans:
  --------------------------------
    Left Slot (PS0): 6900 RPM - OK (Power Supply Fan)
    Right Slot (PS1): 7000 RPM - OK (Power Supply Fan)
Temperature:
-----------------------------------
  Processors:
  --------------------------------
    Processor 1: 44.0 C - OK (CPU1 Core Temperature)
    Processor 2: 45.0 C - OK (CPU2 Core Temperature)
  Chassis:
  --------------------------------
    Ambient 1: 28.0 C - OK (Chassis Front Temperature)
    Ambient 2: 40.5 C - OK (Chassis Back Temperature)
    Ambient 3: 28.0 C - OK (CPU1 Front Temperature)
    Ambient 4: 36.50 C - OK (CPU1 Back Temperature)
    Ambient 5: 34.50 C - OK (CPU2 Front Temperature)
    Ambient 6: 43.25 C - OK (CPU2 Back Temperature)
  Power Supplies:
  --------------------------------
    Left Slot (PS0): 26 C - OK (Power Supply Temperature)
    Right Slot (PS1): 27 C - OK (Power Supply Temperature)

The following is sample output from the show environment driver command:

ciscoasa# show environment driver
Cooling Fans:
-----------------------------------
  Chassis Fans:
  --------------------------------
    Cooling Fan 1: 5888 RPM - OK
    Cooling Fan 2: 5632 RPM - OK
    Cooling Fan 3: 5888 RPM - OK
  Power Supplies:
  --------------------------------
    Left Slot (PS0): N/A
    Right Slot (PS1): 8448 RPM - OK
Power Supplies:
-----------------------------------
  Left Slot (PS0): Not Present
  Right Slot (PS1): Present
    Left Slot (PS0): N/A
    Right Slot (PS1): 33 C - OK
    Left Slot (PS0): N/A
    Right Slot (PS1): 8448 RPM - OK
Temperature:
-----------------------------------
  Processors:
  --------------------------------
    Processor 1: 70.0 C - OK
  Chassis:
  --------------------------------
    Ambient 1: 36.0 C - OK (Chassis Back Temperature)
    Ambient 2: 31.0 C - OK (Chassis Front Temperature)
    Ambient 3: 39.0 C - OK (Chassis Back Left Temperature)
  Power Supplies:
  --------------------------------
    Left Slot (PS0): N/A
    Right Slot (PS1): 33 C - OK
Voltage:
-----------------------------------
  Channel 1: 1.168 V - (CPU Core 0.46V-1.4V)
  Channel 2: 11.954 V - (12V)
  Channel 3: 4.998 V - (5V)
  Channel 4: 3.296 V - (3.3V)
  Channel 5: 1.496 V - (DDR3 1.5V)
  Channel 6: 1.048 V - (PCH 1.5V)

The following is sample output from the show environment command for an ASA 5555-X:

ciscoasa# show environment
Cooling Fans:
-----------------------------------
  Chassis Fans:
  --------------------------------
  Power Supplies:
  --------------------------------
    Left Slot (PS0): 9728 RPM - OK
    Right Slot (PS1): 0 RPM - OK
Power Supplies:
-----------------------------------
  Left Slot (PS0): Present
  Right Slot (PS1): Present
  Power Input:
  --------------------------------
    Left Slot (PS0): OK
    Right Slot (PS1): Failure Detected
  Temperature:
  --------------------------------
    Left Slot (PS0): 29 C - OK
    Right Slot (PS1): N/A
Temperature:
-----------------------------------
  Processors:
  --------------------------------
    Processor 1: 81.0 C - OK
  Chassis:
  --------------------------------
    Ambient 1: 39.0 C - OK (Chassis Back Temperature)
    Ambient 2: 32.0 C - OK (Chassis Front Temperature)
    Ambient 3: 47.0 C - OK (Chassis Back Left Temperature)
  Power Supplies:
  --------------------------------
    Left Slot (PS0): 33 C - OK
    Right Slot (PS1): -128 C - OK

The following is sample output from the show environment command for an ASA 5585-X chassis master in a dual SSP installation:

ciscoasa(config)# show environment
Cooling Fans:
-----------------------------------
  Power Supplies:
  --------------------------------
    Left Slot (PS0): 7000 RPM - OK (Fan Module Fan)
    Right Slot (PS1): 6900 RPM - OK (Power Supply Fan)
Power Supplies:
-----------------------------------
  Power Supply Unit Redundancy: N/A
  Power Supplies:
  --------------------------------
    Left Slot (PS0): 64 C - OK (Fan Module Temperature)
    Right Slot (PS1): 64 C - OK (Power Supply Temperature)
  Power Supplies:
  --------------------------------
    Left Slot (PS0): 7000 RPM - OK (Fan Module Fan)
    Right Slot (PS1): 6900 RPM - OK (Power Supply Fan)
Temperature:
-----------------------------------
  Processors:
  --------------------------------
    Processor 1: 48.0 C - OK (CPU1 Core Temperature)
    Processor 2: 47.0 C - OK (CPU2 Core Temperature)
  Chassis:
  --------------------------------
    Ambient 1: 25.5 C - OK (Chassis Front Temperature)
    Ambient 2: 37.5 C - OK (Chassis Back Temperature)
    Ambient 3: 31.50 C - OK (CPU1 Back Temperature)
    Ambient 4: 27.75 C - OK (CPU1 Front Temperature)
    Ambient 5: 38.25 C - OK (CPU2 Back Temperature)
    Ambient 6: 34.0 C - OK (CPU2 Front Temperature)
  Power Supplies:
  --------------------------------
    Left Slot (PS0): 64 C - OK (Fan Module Temperature)
    Right Slot (PS1): 64 C - OK (Power Supply Temperature)
Voltage:
-----------------------------------
  Channel 1: 3.310 V - (3.3V (U142 VX1))
  Channel 2: 1.492 V - (1.5V (U142 VX2))
  Channel 3: 1.053 V - (1.05V (U142 VX3))
  Channel 4: 3.328 V - (3.3V_STDBY (U142 VP1))
  Channel 5: 11.675 V - (12V (U142 VP2))
  Channel 6: 4.921 V - (5.0V (U142 VP3))
  Channel 7: 6.713 V - (7.0V (U142 VP4))
  Channel 8: 9.763 V - (IBV (U142 VH))
  Channel 9: 1.048 V - (1.05VB (U209 VX2))
  Channel 10: 1.209 V - (1.2V (U209 VX3))
  Channel 11: 1.109 V - (1.1V (U209 VX4))
  Channel 12: 0.999 V - (1.0V (U209 VX5))
  Channel 13: 3.324 V - (3.3V STDBY (U209 VP1))
  Channel 14: 2.504 V - (2.5V (U209 VP2))
  Channel 15: 1.799 V - (1.8V (U209 VP3))
  Channel 16: 1.899 V - (1.9V (U209 VP4))
  Channel 17: 9.763 V - (IBV (U209 VH))
  Channel 18: 2.048 V - (VTT CPU0 (U83 VX2))
  Channel 19: 2.048 V - (VTT CPU1 (U83 VX3))
  Channel 20: 2.048 V - (VCC CPU0 (U83 VX4))
  Channel 21: 2.048 V - (VCC CPU1 (U83 VX5))
  Channel 22: 1.516 V - (1.5VA (U83 VP1))
  Channel 23: 1.515 V - (1.5VB (U83 VP2))
  Channel 24: 8.937 V - (IBV (U83 VH))

If the ASA was shut down because of a CPU voltage regulator thermal event, the following warning message appears:

WARNING: ASA was previously shut down due to a CPU Voltage Regulator running beyond the max thermal operating temperature. The chassis and CPU need to be inspected immediately for ventilation issues.

For more information, see syslog message 735024 in the syslog messages guide.

Related Commands

Command        Description
show version   Displays the hardware and software version.

show event manager

To show information about each configured event manager applet, use the show event manager command in privileged EXEC mode.

show event manager

Syntax Description
This command has no arguments or keywords.

Command Default
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:

                       Firewall Mode            Security Context
                                                         Multiple
Command Mode           Routed   Transparent     Single   Context   System
Global configuration   Yes      Yes             Yes      —         Yes

Command History

Release   Modification
9.2(1)    This command was added.

Examples
The following is sample output from the show event manager command:

ciscoasa# show event manager
event manager applet 21, hits 1, last 2014/01/19 06:47:46
  last file disk0:/eem-21-20140119-064746.log
  event countdown 21 secs, left 0 secs, hits 1, last 2014/01/19 06:47:47
  action 1 cli command "sh ver", hits 1, last 2014/01/19 06:47:46

Related Commands

Command                              Description
show running-config event manager    Shows the event manager running configuration.
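A parser for the show environment output format shown above, added here as an example that is not Cisco's code: it walks the section and sub-section layout, extracts each sensor reading, flags the failure statuses the keyword descriptions define (Failed, Not Present, Lost, Critical, Failure Detected, STOPPED), and compares every temperature against the documented operating ranges so a reading the unit still reports as OK but that has entered the Warm band is surfaced. The sample output is constructed, and the exact band boundaries at 70, 80 and 90 degrees are this example's assumption, since the page gives ranges only.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout of the show environment output on this page;
# the values are chosen to exercise each documented failure status.
ENVIRONMENT_SAMPLE = """\
Cooling Fans:
-----------------------------------
  Chassis Fans:
  --------------------------------
    Cooling Fan 1: 5888 RPM - OK
    Cooling Fan 2: 0 RPM - Failed
  Power Supplies:
  --------------------------------
    Left Slot (PS0): 9728 RPM - OK
    Right Slot (PS1): N/A
Power Supplies:
-----------------------------------
  Left Slot (PS0): Present
  Right Slot (PS1): Not Present
  Power Supply Unit Redundancy: Lost
  Power Input:
  --------------------------------
    Left Slot (PS0): OK
    Right Slot (PS1): Failure Detected
Temperature:
-----------------------------------
  Processors:
  --------------------------------
    Processor 1: 44.0 C - OK (CPU1 Core Temperature)
    Processor 2: 83.5 C - Critical (CPU2 Core Temperature)
  Chassis:
  --------------------------------
    Ambient 1: 28.0 C - OK (Chassis Front Temperature)
    Ambient 2: 74.0 C - OK (Chassis Back Temperature)
"""

@dataclass
class Reading:
    section: str            # "Temperature/Processors", "Power Supplies", ...
    label: str              # "Processor 1", "Left Slot (PS0)", ...
    value: Optional[float]  # numeric part, if any
    unit: Optional[str]     # "RPM" or "C"
    status: str             # "OK", "Failed", "Not Present", "Lost", ...
    sensor: Optional[str]   # text in trailing parentheses, if any

# Statuses the keyword descriptions define as failure conditions.
ALERT_STATUSES = {"Failed", "Not Present", "Lost", "Critical", "Failure Detected", "STOPPED"}

READING_RE = re.compile(r'^(?P<label>.+?): (?P<value>.+)$')
VALUE_RE = re.compile(
    r'^(?:(?P<num>-?\d+(?:\.\d+)?) (?P<unit>RPM|C) - )?'
    r'(?P<status>[^(]+?)(?: \((?P<sensor>[^)]*)\))?$')

def temperature_band(celsius: float) -> str:
    """Bands from the temperature keyword description: <70 OK, 70-80 Warm,
    80-90 Critical, >90 Unrecoverable. Boundary handling is this example's choice."""
    if celsius < 70:
        return "OK"
    if celsius < 80:
        return "Warm"
    if celsius <= 90:
        return "Critical"
    return "Unrecoverable"

def parse_environment(text: str) -> List[Reading]:
    readings: List[Reading] = []
    section, subsection = "", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        if line.endswith(":") and ": " not in line:
            # Unindented headers open a top-level section, indented ones a sub-section.
            if raw.startswith(" "):
                subsection = line[:-1]
            else:
                section, subsection = line[:-1], None
            continue
        m = READING_RE.match(line)
        v = VALUE_RE.match(m["value"]) if m else None
        if not m or not v:
            continue
        path = f"{section}/{subsection}" if subsection else section
        readings.append(Reading(path, m["label"],
                                float(v["num"]) if v["num"] else None,
                                v["unit"], v["status"].strip(), v["sensor"]))
    return readings

def findings(readings: List[Reading]) -> List[Tuple[str, str, str]]:
    """(section, label, problem) for every reading worth alerting on."""
    out = []
    for r in readings:
        if r.status in ALERT_STATUSES:
            out.append((r.section, r.label, r.status))
        elif r.unit == "C" and r.value is not None and temperature_band(r.value) != "OK":
            out.append((r.section, r.label,
                        f"reported {r.status} but {temperature_band(r.value)} per operating range"))
    return out

if __name__ == "__main__":
    for section, label, problem in findings(parse_environment(ENVIRONMENT_SAMPLE)):
        print(f"{section:<28} {label:<30} {problem}")
```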
Cisco ASA Series Command Reference, S Commands 6-54 System • Yes CH A P T E R 7 show failover through show ipsec stats Commands Cisco ASA Series Command Reference, S Commands 7-1 Chapter show failover To display information about the failover status of the unit, use the show failover command in privileged EXEC mode. show failover [group num | history | interface | state | statistics] Syntax Description group Displays the running state of the specified failover group. history Displays failover history. The failover history displays past failover state changes and the reason for the state change. History information is cleared with the device is rebooted. interface Displays failover and stateful link information. num Failover group number. state Displays the failover state of both failover units. The information displayed includes the primary or secondary status of the unit, the Active/Standby status of the unit, and the last reported reason for failover. The fail reason remains in the output even when the reason for failure is cleared. statistics Displays transmit and receive packet count of failover command interface. Defaults No default behavior or values. Command Modes The following table shows the modes in which you can enter the command: Firewall Mode Security Context Multiple Command Mode Routed Privileged EXEC Command History Usage Guidelines • • Yes • Yes Context • Yes System • Yes Release Modification 7.0(1) This command was modified. The output includes additional information. 8.2(2) This command was modified. The output includes IPv6 addresses for firewall and failover interfaces. The Stateful Failover statistics output includes information for the IPv6 neighbor discover table (IPv6 ND tbl) updates. The show failover command displays the dynamic failover information, interface status, and Stateful Failover statistics. 
Cisco ASA Series Command Reference, S Commands 7-2 Yes Transparent Single Chapter If both IPv4 and IPv6 addresses are configured on an interface, both addresses appear in the output. Because an interface can have more than one IPv6 address configured on it, only the link-local address is displayed. If there is no IPv4 address configured on the interface, the IPv4 address in the output appears as 0.0.0.0. If there is no IPv6 address configured on an interface, the address is simply omitted from the output. The Stateful Failover Logical Update Statistics output appears only when Stateful Failover is enabled. The “xerr” and “rerr” values do not indicate errors in failover, but rather the number of packet transmit or receive errors. Note Stateful Failover, and therefore Stateful Failover statistics output, is not available on the ASA 5505. In the show failover command output, the stateful failover fields have the following values: • Stateful Obj has these values: – xmit—Indicates the number of packets transmitted. – xerr—Indicates the number of transmit errors. – rcv—Indicates the number of packets received. – rerr—Indicates the number of receive errors. • Each row is for a particular object static count as follows: – General—Indicates the sum of all stateful objects. – sys cmd—Refers to the logical update system commands, such as login or stay alive. – up time—Indicates the value for the ASA up time, which the active ASA passes on to the standby ASA. – RPC services—Remote Procedure Call connection information. – TCP conn—Dynamic TCP connection information. – UDP conn—Dynamic UDP connection information. – ARP tbl—Dynamic ARP table information. – Xlate_Timeout—Indicates connection translation timeout information. – IPv6 ND tbl—The IPv6 neighbor discovery table information. – VPN IKE upd—IKE connection information. – VPN IPSEC upd—IPsec connection information. – VPN CTCP upd—cTCP tunnel connection information. – VPN SDI upd—SDI AAA connection information. 
– VPN DHCP upd—Tunneled DHCP connection information. – SIP Session—SIP signalling session information. – Route Session—LU statistics of the route synhronization updates If you do not enter a failover IP address, the show failover command displays 0.0.0.0 for the IP address, and monitoring of the interfaces remain in a “waiting” state. You must set a failover IP address for failover to work. Cisco ASA Series Command Reference, S Commands 7-3 Chapter Table 7-1 describes the interface states for failover. Table 7-1 Failover Interface States State Description Normal The interface is up and receiving hello packets from the corresponding interface on the peer unit. Normal (Waiting) The interface is up but has not yet received a hello packet from the corresponding interface on the peer unit. Verify that a standby IP address has been configured for the interface and that there is connectivity between the two interfaces. Normal (Not-Monitored) The interface is up but is not monitored by the failover process. The failure of an interface that is not monitored does not trigger failover. No Link The physical link is down. No Link (Waiting) The physical link is down and the interface has not yet received a hello packet from the corresponding interface on the peer unit. After restoring the link, verify that a standby IP address has been configured for the interface and that there is connectivity between the two interfaces. No Link (Not-Monitored) The physical link is down but is not monitored by the failover process. The failure of an interface that is not monitored does not trigger failover. Link Down The physical link is up, but the interface is administratively down. Link Down (Waiting) The physical link is up, but the interface is administratively down and the interface has not yet received a hello packet from the corresponding interface on the peer unit. 
After bringing the interface up (using the no shutdown command in interface configuration mode), verify that a standby IP address has been configured for the interface and that there is connectivity between the two interfaces. Link Down (Not-Monitored) The physical link is up, but the interface is administratively down but is not monitored by the failover process. The failure of an interface that is not monitored does not trigger failover. Testing The interface is in testing mode due to missed hello packets from the corresponding interface on the peer unit. Failed Interface testing has failed and the interface is marked as failed. If the interface failure causes the failover criteria to be met, then the interface failure causes a failover to the secondary unit or failover group. In multiple configuration mode, only the show failover command is available in a security context; you cannot enter the optional keywords. Examples The following is sample output from the show failover command for Active/Standby Failover. The ASAs are ASA 5500 series ASAs, each equipped with a CSC SSM as shown in the details for slot 1 of each ASA. The security appliances use IPv6 addresses on the failover link (folink) and the inside interface. 
ciscoasa# show failover Failover On Cable status: N/A - LAN-based failover enabled Cisco ASA Series Command Reference, S Commands 7-4 Chapter Failover unit Primary Failover LAN Interface: folink Ethernet2 (up) Unit Poll frequency 1 seconds, holdtime 3 seconds Interface Poll frequency 15 seconds Interface Policy 1 Monitored Interfaces 2 of 250 maximum failover replication http Last Failover at: 22:44:03 UTC Dec 8 2004 This host: Primary - Active Active time: 13434 (sec) slot 0: ASA5520 hw/sw rev (1.0/7.1(0)10) status (Up Sys) Interface inside (10.130.9.3/FE80::20d:29ff:fe1d:69f0): Normal Interface outside (10.132.9.3): Normal Interface folink (0.0.0.0/fe80::2a0:c9ff:fe03:101): Normal slot 1: ASA-SSM-20 hw/sw rev (1.0/CSC-SSM 5.0 (Build#1176)) status (Up/Up) Logging port IP: 10.0.0.3/24 CSC-SSM, 5.0 (Build#1176) Other host: Secondary - Standby Ready Active time: 0 (sec) slot 0: ASA5520 hw/sw rev (1.0/7.1(0)10) status (Up Sys) Interface inside (10.130.9.4/FE80::20d:29ff:fe2b:7ba6): Normal Interface outside (10.132.9.4): Normal Interface folink (0.0.0.0/fe80::2e0:b6ff:fe07:3096): Normal slot 1: ASA-SSM-20 hw/sw rev (1.0/CSC-SSM 5.0 (Build#1176)) status (Up/Up) Logging port IP: 10.0.0.4/24 CSC-SSM, 5.0 (Build#1176) Stateful Failover Logical Update Statistics Link : fover Ethernet2 (up) Stateful Obj xmit xerr rcv General 0 0 0 sys cmd 1733 0 1733 up time 0 0 0 RPC services 0 0 0 TCP conn 6 0 0 UDP conn 0 0 0 ARP tbl 106 0 0 Xlate_Timeout 0 0 0 IPv6 ND tbl 22 0 0 VPN IKE upd 15 0 0 VPN IPSEC upd 90 0 0 VPN CTCP upd 0 0 0 VPN SDI upd 0 0 0 VPN DHCP upd 0 0 0 SIP Session 0 0 0 Route Session 165 0 70 rerr 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 6 Logical Update Queue Information Cur Max Total Recv Q: 0 2 1733 Xmit Q: 0 2 15225 The following is sample output from the show failover command for Active/Active Failover. In this example, only the admin context has IPv6 addresses assigned to the interfaces. 
ciscoasa# show failover
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 4 seconds
Interface Policy 1
Monitored Interfaces 8 of 250 maximum
failover replication http
Group 1 last failover at: 13:40:18 UTC Dec 9 2004
Group 2 last failover at: 13:40:06 UTC Dec 9 2004

  This host:    Primary
  Group 1       State:          Active
                Active time:    2896 (sec)
  Group 2       State:          Standby Ready
                Active time:    0 (sec)

                slot 0: ASA-5530 hw/sw rev (1.0/7.0(0)79) status (Up Sys)
                slot 1: SSM-IDS-20 hw/sw rev (1.0/5.0(0.11)S91(0.11)) status (Up)
                admin Interface outside (10.132.8.5): Normal
                admin Interface folink (10.132.9.5/fe80::2a0:c9ff:fe03:101): Normal
                admin Interface inside (10.130.8.5/fe80::2a0:c9ff:fe01:101): Normal
                admin Interface fourth (10.130.9.5/fe80::3eff:fe11:6670): Normal
                ctx1 Interface outside (10.1.1.1): Normal
                ctx1 Interface inside (10.2.2.1): Normal
                ctx2 Interface outside (10.3.3.2): Normal
                ctx2 Interface inside (10.4.4.2): Normal

  Other host:   Secondary
  Group 1       State:          Standby Ready
                Active time:    190 (sec)
  Group 2       State:          Active
                Active time:    3322 (sec)

                slot 0: ASA-5530 hw/sw rev (1.0/7.0(0)79) status (Up Sys)
                slot 1: SSM-IDS-20 hw/sw rev (1.0/5.0(0.1)S91(0.1)) status (Up)
                admin Interface outside (10.132.8.6): Normal
                admin Interface folink (10.132.9.6/fe80::2a0:c9ff:fe03:102): Normal
                admin Interface inside (10.130.8.6/fe80::2a0:c9ff:fe01:102): Normal
                admin Interface fourth (10.130.9.6/fe80::3eff:fe11:6671): Normal
                ctx1 Interface outside (10.1.1.2): Normal
                ctx1 Interface inside (10.2.2.2): Normal
                ctx2 Interface outside (10.3.3.1): Normal
                ctx2 Interface inside (10.4.4.1): Normal

Stateful Failover Logical Update Statistics
        Link : third GigabitEthernet0/2 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         380        0          380        0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        1435       0          1450       0
        UDP conn        0          0          0          0
        ARP tbl         124        0          65         0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     22         0          0          0
        VPN IKE upd     15         0          0          0
        VPN IPSEC upd   90         0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       1895
        Xmit Q:         0       0       1940

The following is sample output from the show failover command on the ASA 5505:

Failover On
Failover unit Primary
Failover LAN Interface: fover Vlan150 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 7.2(0)55, Mate 7.2(0)55
Last Failover at: 19:59:58 PST Apr 6 2006
        This host: Primary - Active
                Active time: 34 (sec)
                slot 0: ASA5505 hw/sw rev (1.0/7.2(0)55) status (Up Sys)
                  Interface inside (192.168.1.1): Normal
                  Interface outside (192.168.2.201): Normal
                  Interface dmz (172.16.0.1): Normal
                  Interface test (172.23.62.138): Normal
                slot 1: empty
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5505 hw/sw rev (1.0/7.2(0)55) status (Up Sys)
                  Interface inside (192.168.1.2): Normal
                  Interface outside (192.168.2.211): Normal
                  Interface dmz (172.16.0.2): Normal
                  Interface test (172.23.62.137): Normal
                slot 1: empty

The following is sample output from the show failover state command for an active-active setup:

ciscoasa(config)# show failover state
               State          Last Failure Reason      Date/Time
This host  -   Secondary
     Group 1   Failed         Backplane Failure        03:42:29 UTC Apr 17 2009
     Group 2   Failed         Backplane Failure        03:42:29 UTC Apr 17 2009
Other host -   Primary
     Group 1   Active         Comm Failure             03:41:12 UTC Apr 17 2009
     Group 2   Active         Comm Failure             03:41:12 UTC Apr 17 2009

====Configuration State===
        Sync Done
====Communication State===
        Mac set

The following is sample output from the show failover state command for an active-standby setup:

ciscoasa(config)# show failover state
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Negotiation    Backplane Failure        15:44:56 UTC Jun 20 2009
Other host -   Secondary
               Not Detected   Comm Failure             15:36:30 UTC Jun 20 2009

====Configuration State===
        Sync Done
====Communication State===
        Mac set

Table 7-2 describes the output of the show failover state command.

Table 7-2 show failover state Output Description

Field                  Description
Configuration State    Displays the state of configuration synchronization.
                       The following are possible configuration states for the standby unit:
                       • Config Syncing - STANDBY—Set while the synchronized configuration is being executed.
                       • Interface Config Syncing - STANDBY
                       • Sync Done - STANDBY—Set when the standby unit has completed a configuration synchronization from the active unit.
                       The following are possible configuration states for the active unit:
                       • Config Syncing—Set on the active unit when it is performing a configuration synchronization to the standby unit.
                       • Interface Config Syncing
                       • Sync Done—Set when the active unit has completed a successful configuration synchronization to the standby unit.
                       • Ready for Config Sync—Set on the active unit when the standby unit signals that it is ready to receive a configuration synchronization.
Communication State    Displays the status of the MAC address synchronization.
                       • Mac set—The MAC addresses have been synchronized from the peer unit to this unit.
                       • Updated Mac—Used when a MAC address is updated and needs to be synchronized to the other unit. Also used during the transition period where the unit is updating the local MAC addresses synchronized from the peer unit.
Date/Time              Displays a date and timestamp for the failure.
Last Failure Reason    Displays the reason for the last reported failure. This information is not cleared, even if the failure condition is cleared. This information changes only when a failover occurs. The following are possible fail reasons:
                       • Ifc Failure—The number of interfaces that failed met the failover criteria and caused failover.
                       • Comm Failure—The failover link failed or peer is down.
                       • Backplane Failure
State                  Displays the Primary/Secondary and Active/Standby status for the unit.
This host/Other host   This host indicates information for the device upon which the command was executed. Other host indicates information for the other device in the failover pair.

The following is sample output from the show failover history command:

ciscoasa(config)# show failover history
==========================================================================
                          Group  From State       To State         Reason
==========================================================================
. . .
03:42:29 UTC Apr 17 2009  0      Sync Config      Failed           Backplane failed
03:42:29 UTC Apr 17 2009  1      Standby Ready    Failed           Backplane failed
03:42:29 UTC Apr 17 2009  2      Standby Ready    Failed           Backplane failed
03:44:39 UTC Apr 17 2009  0      Failed           Negotiation      Backplane operational
03:44:40 UTC Apr 17 2009  1      Failed           Negotiation      Backplane operational
03:44:40 UTC Apr 17 2009  2      Failed           Negotiation      Backplane operational
==========================================================================

Each entry provides the time and date the state change occurred, the beginning state, the resulting state, and the reason for the state change. The newest entries are located at the bottom of the display. Older entries appear at the top. A maximum of 60 entries can be displayed. Once the maximum number of entries has been reached, the oldest entries are removed from the top of the output as new entries are added to the bottom.

Table 7-3 shows the failover states. There are two types of states—stable and transient. Stable states are states that the unit can remain in until some occurrence, such as a failure, causes a state change. A transient state is a state that the unit passes through while reaching a stable state.

Table 7-3 Failover States

States                   Description
Disabled                 Failover is disabled. This is a stable state.
Failed                   The unit is in the failed state. This is a stable state.
Negotiation              The unit establishes the connection with the peer and negotiates with the peer to determine software version compatibility and Active/Standby role. Depending upon the role that is negotiated, the unit will go through the Standby Unit States or the Active Unit States or enter the failed state. This is a transient state.
Not Detected             The ASA cannot detect the presence of a peer. This can happen when the ASA boots up with failover enabled but the peer is not present or is powered down.

Standby Unit States
Cold Standby             The unit waits for the peer to reach the Active state. When the peer unit reaches the Active state, this unit progresses to the Standby Config state. This is a transient state.
Sync Config              The unit requests the running configuration from the peer unit. If an error occurs during the configuration synchronization, the unit returns to the Initialization state. This is a transient state.
Sync File System         The unit synchronizes the file system with the peer unit. This is a transient state.
Bulk Sync                The unit receives state information from the peer. This state only occurs when Stateful Failover is enabled. This is a transient state.
Standby Ready            The unit is ready to take over if the active unit fails. This is a stable state.

Active Unit States
Just Active              The first state the unit enters when becoming the active unit. During this state a message is sent to the peer alerting the peer that the unit is becoming active, and the IP and MAC addresses are set for the interfaces. This is a transient state.
Active Drain             Queued messages from the peer are discarded. This is a transient state.
Active Applying Config   The unit is applying the system configuration. This is a transient state.
Active Config Applied    The unit has finished applying the system configuration. This is a transient state.
Active                   The unit is active and processing traffic. This is a stable state.

Each state change is followed by a reason for the state change. The reason typically remains the same as the unit progresses through the transient states to the stable state. The following are the possible state change reasons:

• No Error
• Set by the CI config cmd
• Failover state check
• Failover interface become OK
• HELLO not heard from mate
• Other unit has different software version
• Other unit operating mode is different
• Other unit license is different
• Other unit chassis configuration is different
• Other unit card configuration is different
• Other unit want me Active
• Other unit want me Standby
• Other unit reports that I am failed
• Other unit reports that it is failed
• Configuration mismatch
• Detected an Active mate
• No Active unit found
• Configuration synchronization done
• Recovered from communication failure
• Other unit has different set of vlans configured
• Unable to verify vlan configuration
• Incomplete configuration synchronization
• Configuration synchronization failed
• Interface check
• My communication failed
• ACK not received for failover message
• Other unit got stuck in learn state after sync
• No power detected from peer
• No failover cable
• HA state progression failed
• Detect service card failure
• Service card in other unit has failed
• My service card is as good as peer
• LAN Interface become un-configured
• Peer unit just reloaded
• Switch from Serial Cable to LAN-Based fover
• Unable to verify state of config sync
• Auto-update request
• Unknown reason

The following is sample output from the show failover interface command. The device has an IPv6 address configured on the failover interface.
ciscoasa(config)# sh fail int
        interface folink GigabitEthernet0/2
                System IP Address: 2001:a0a:b00::a0a:b70/64
                My IP Address    : 2001:a0a:b00::a0a:b70
                Other IP Address : 2001:a0a:b00::a0a:b71

Related Commands

Command                        Description
show running-config failover   Displays the failover commands in the current configuration.

show failover exec

To display the failover exec command mode for the specified unit, use the show failover exec command in privileged EXEC mode.

show failover exec {active | standby | mate}

Syntax Description

active     Displays the failover exec command mode for the active unit.
mate       Displays the failover exec command mode for the peer unit.
standby    Displays the failover exec command mode for the standby unit.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode       Firewall Mode           Security Context
                   Routed   Transparent    Single   Multiple
                                                    Context   System
Privileged EXEC    Yes      Yes            Yes      Yes       Yes

Command History

Release    Modification
8.0(2)     This command was added.

Usage Guidelines

The failover exec command creates a session with the specified device. By default, that session is in global configuration mode. You can change the command mode of that session by sending the appropriate command (such as the interface command) using the failover exec command. Changing failover exec command modes for the specified device does not change the command mode for the session you are using to access the device. Changing command modes for your current session to the device does not affect the command mode used by the failover exec command.

The show failover exec command displays the command mode on the specified device in which commands sent with the failover exec command are executed.

Examples

The following is sample output from the show failover exec command.
This example demonstrates that the command mode for the unit where the failover exec commands are being entered does not have to be the same as the failover exec command mode where the commands are being executed. In this example, an administrator logged into the standby unit adds a name to an interface on the active unit. The second time the show failover exec mate command is entered in this example, it shows the peer device in interface configuration mode. Commands sent to the device with the failover exec command are executed in that mode.

ciscoasa(config)# show failover exec mate
Active unit Failover EXEC is at config mode
! The following command changes the standby unit failover exec mode
! to interface configuration mode.
ciscoasa(config)# failover exec mate interface GigabitEthernet0/1
ciscoasa(config)# show failover exec mate
Active unit Failover EXEC is at interface sub-command mode
! Because the following command is sent to the active unit, it is replicated
! back to the standby unit.
ciscoasa(config)# failover exec mate nameif test

Related Commands

Command          Description
failover exec    Executes the supplied command on the designated unit in a failover pair.

show file

To display information about the file system, use the show file command in privileged EXEC mode.

show file descriptors | system | information filename

Syntax Description

descriptors    Displays all open file descriptors.
filename       Specifies the filename.
information    Displays information about a specific file, including partner application package files.
system         Displays the size, bytes available, type of media, flags, and prefix information about the disk file system.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command.
Command Mode       Firewall Mode           Security Context
                   Routed   Transparent    Single   Multiple
                                                    Context   System
Privileged EXEC    Yes      Yes            Yes      Yes       Yes

Command History

Release    Modification
7.0(1)     This command was added.
8.2(1)     The capability to view information about partner application package files was added.

Examples

The following is sample output from the show file descriptors command:

ciscoasa# show file descriptors
No open file descriptors

ciscoasa# show file system
File Systems:
     Size(b)      Free(b)      Type     Flags   Prefixes
*   60985344     60973056      disk     rw      disk:

The following is sample output from the show file info command:

ciscoasa# show file info disk0:csc_embd1.0.1000.pkg
type is package (csc)
  file size is 17204149 bytes version 1

Related Commands

Command    Description
dir        Displays the directory contents.
pwd        Displays the current working directory.

show firewall

To show the current firewall mode (routed or transparent), use the show firewall command in privileged EXEC mode.

show firewall

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode       Firewall Mode           Security Context
                   Routed   Transparent    Single   Multiple
                                                    Context   System
Privileged EXEC    Yes      Yes            Yes      Yes       Yes

Command History

Release    Modification
7.0(1)     This command was added.

Examples

The following is sample output from the show firewall command:

ciscoasa# show firewall
Firewall mode: Router

Related Commands

Command                Description
firewall transparent   Sets the firewall mode.
show mode              Shows the current context mode, either single or multiple.

show flash

To display the contents of the internal Flash memory, use the show flash: command in privileged EXEC mode.
show flash: all | controller | filesys

Note    In the ASA, the flash keyword is aliased to disk0.

Syntax Description

all           Displays all Flash information.
controller    Displays file system controller information.
filesys       Displays file system information.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command.

Command Mode       Firewall Mode           Security Context
                   Routed   Transparent    Single   Multiple
                                                    Context   System
Privileged EXEC    Yes      Yes            Yes      Yes       Yes

Command History

Release    Modification
7.0(1)     This command was added.

Examples

The following is sample output from the show flash: command:

ciscoasa# show flash:
-#-  --length--  -----date/time------  path
11         1301  Feb 21 2005 18:01:34  test.cfg
12         1949  Feb 21 2005 20:13:36  pepsi.cfg
13         2551  Jan 06 2005 10:07:36  Leo.cfg
14       609223  Jan 21 2005 07:14:18  rr.cfg
15         1619  Jul 16 2004 16:06:48  hackers.cfg
16         3184  Aug 03 2004 07:07:00  old_running.cfg
17         4787  Mar 04 2005 12:32:18  admin.cfg
20         1792  Jan 21 2005 07:29:24  Marketing.cfg
21      7765184  Mar 07 2005 19:38:30  asdmfile-RLK
22         1674  Nov 11 2004 02:47:52  potts.cfg
23         1863  Jan 21 2005 07:29:18  r.cfg
24         1197  Jan 19 2005 08:17:48  tst.cfg
25       608554  Jan 13 2005 06:20:54  500kconfig
26      5124096  Feb 20 2005 08:49:28  cdisk70102
27      5124096  Mar 01 2005 17:59:56  cdisk70104
28         2074  Jan 13 2005 08:13:26  negateACL
29      5124096  Mar 07 2005 19:56:58  cdisk70105
30         1276  Jan 28 2005 08:31:58  steel
31      7756788  Feb 24 2005 12:59:46  asdmfile.50074.dbg
32      7579792  Mar 08 2005 11:06:56  asdmfile.gusingh
33      7764344  Mar 04 2005 12:17:46  asdmfile.50075.dbg
34      5124096  Feb 24 2005 11:50:50  cdisk70103
35        15322  Mar 04 2005 12:30:24  hs_err_pid2240.log

10170368 bytes available (52711424 bytes used)

Related Commands

Command        Description
dir            Displays the directory contents.
show disk0:    Displays the contents of the internal Flash memory.
show disk1:    Displays the contents of the external Flash memory card.
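The show failover state and show failover history layouts documented earlier in this chapter are regular enough to be checked by a script. The following Python is an added example, not Cisco's code: it assumes the column layouts shown in those examples (and the state names of Table 7-3), and the sample output it parses is constructed to match them.

```python
"""Health check over `show failover state` and `show failover history` output.
Added example, not Cisco's code; the samples below are constructed."""
import re
from collections import namedtuple
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Failover states from Table 7-3, longest first so the regex alternation
# prefers "Standby Ready" or "Active Drain" over a bare prefix.
FAILOVER_STATES = sorted(
    ["Disabled", "Failed", "Negotiation", "Not Detected", "Cold Standby",
     "Sync Config", "Sync File System", "Bulk Sync", "Standby Ready", "Just Active",
     "Active Drain", "Active Applying Config", "Active Config Applied", "Active"],
    key=len, reverse=True)
STATE_RE = "|".join(re.escape(s) for s in FAILOVER_STATES)
TIME_RE = r"\d\d:\d\d:\d\d \S+ [A-Za-z]{3} \d{1,2} \d{4}"
STABLE_HEALTHY = {"Active", "Standby Ready"}  # stable states that are not a failure
HOST_RE = re.compile(r"^(This host|Other host)\s*-\s*(Primary|Secondary)")
UNIT_RE = re.compile(rf"^\s*(?:Group (?P<grp>\d+))?\s+(?P<state>{STATE_RE})"
                     rf"(?:\s+(?P<reason>.*?))?(?:\s+(?P<when>{TIME_RE}))?\s*$")
HIST_RE = re.compile(rf"^(?P<when>{TIME_RE})\s+(?P<grp>\d+)\s+(?P<from>{STATE_RE})"
                     rf"\s+(?P<to>{STATE_RE})\s+(?P<reason>.+?)\s*$")
HistoryEntry = namedtuple("HistoryEntry", "when group from_state to_state reason")

@dataclass
class UnitState:
    host: str             # "This host" or "Other host"
    role: str             # "Primary" or "Secondary"
    group: Optional[int]  # failover group number; None in Active/Standby mode
    state: str
    last_failure: str
    when: str

def parse_failover_state(text: str) -> Tuple[List[UnitState], Dict[str, str]]:
    """Return unit/group states plus {"Configuration": ..., "Communication": ...}."""
    units, sync, host, role, pending = [], {}, None, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HOST_RE.match(line)
        if m:
            host, role = m.groups()
            continue
        if line.startswith("===="):  # "====Configuration State===" banner; value follows
            pending = "Configuration" if "Configuration" in line else "Communication"
            continue
        if pending:
            sync[pending], pending = line.strip(), None
            continue
        m = UNIT_RE.match(line)
        if m and host:  # group row (Active/Active) or bare state row (Active/Standby)
            units.append(UnitState(host, role, int(m["grp"]) if m["grp"] else None,
                                   m["state"], m["reason"] or "", m["when"] or ""))
    return units, sync

def parse_failover_history(text: str) -> List[HistoryEntry]:
    # Only time/group/from/to/reason rows match; banners, the header and '. . .' are skipped.
    rows = [HIST_RE.match(line.strip()) for line in text.splitlines()]
    return [HistoryEntry(m["when"], int(m["grp"]), m["from"], m["to"], m["reason"])
            for m in rows if m]

def assess(state_text: str, history_text: str) -> List[str]:
    """Return findings; an empty list means the pair looks healthy."""
    findings = []
    units, sync = parse_failover_state(state_text)
    for u in units:
        where = f"{u.host} ({u.role})" + ("" if u.group is None else f" group {u.group}")
        if u.state not in STABLE_HEALTHY:  # Failed, or stuck in a transient state
            findings.append(f"{where}: {u.state}, last failure {u.last_failure} {u.when}".rstrip())
    if sync.get("Configuration") != "Sync Done":
        findings.append(f"configuration sync not complete: {sync.get('Configuration')!r}")
    if sync.get("Communication") != "Mac set":
        findings.append(f"MAC synchronization not settled: {sync.get('Communication')!r}")
    for h in parse_failover_history(history_text):
        if h.to_state == "Failed":  # any transition into the Failed stable state
            findings.append(f"history: group {h.group} {h.from_state} -> Failed at {h.when} ({h.reason})")
    return findings

# Constructed samples in the Active/Active layouts shown above.
SAMPLE_STATE = """\
               State          Last Failure Reason      Date/Time
This host  -   Secondary
     Group 1   Failed         Backplane Failure        03:42:29 UTC Apr 17 2009
     Group 2   Failed         Backplane Failure        03:42:29 UTC Apr 17 2009
Other host -   Primary
     Group 1   Active         Comm Failure             03:41:12 UTC Apr 17 2009
     Group 2   Active         Comm Failure             03:41:12 UTC Apr 17 2009
====Configuration State===
        Sync Done
====Communication State===
        Mac set
"""
SAMPLE_HISTORY = """\
                          Group  From State       To State         Reason
==========================================================================
03:42:29 UTC Apr 17 2009  0      Sync Config      Failed           Backplane failed
03:42:29 UTC Apr 17 2009  1      Standby Ready    Failed           Backplane failed
03:44:39 UTC Apr 17 2009  0      Failed           Negotiation      Backplane operational
"""
```

Running assess(SAMPLE_STATE, SAMPLE_HISTORY) reports the two failed groups on this host and the two history transitions into Failed; a pair whose units are Active and Standby Ready with Sync Done and Mac set yields no findings.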
show flow-export counters

To display runtime counters associated with NetFlow data, use the show flow-export counters command in privileged EXEC mode.

show flow-export counters

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command.

Command Mode       Firewall Mode           Security Context
                   Routed   Transparent    Single   Multiple
                                                    Context   System
Privileged EXEC    Yes      Yes            Yes      Yes       —

Command History

Release    Modification
8.1(1)     This command was added.
9.0(1)     A new error counter was added for source port allocation failure.

Usage Guidelines

The runtime counters include statistical data as well as error data.

Examples

The following is sample output from the show flow-export counters command, which shows runtime counters that are associated with NetFlow data:

ciscoasa# show flow-export counters

destination: inside 209.165.200.224 2055
  Statistics:
    packets sent                        1000
  Errors:
    block allocation failure            0
    invalid interface                   0
    template send failure               0
    no route to collector               0
    source port allocation              0

Related Commands

Commands                              Description
clear flow-export counters            Resets all runtime counters in NetFlow to zero.
flow-export destination               Specifies the IP address or hostname of the NetFlow collector, and the UDP port on which the NetFlow collector is listening.
flow-export template timeout-rate     Controls the interval at which the template information is sent to the NetFlow collector.
logging flow-export-syslogs enable    Enables syslog messages after you have entered the logging flow-export-syslogs disable command, and the syslog messages that are associated with NetFlow data.

show flow-offload

To display information about flow off-loading, use the show flow-offload command in privileged EXEC mode.
show flow-offload {info [detail] | cpu | flow [count | detail] | statistics}

Syntax Description

info [detail]            Shows basic information about the offload engine. Add the detail keyword to get additional information such as a summary of port usage.
cpu                      Shows the load percentage on offload cores.
flow [count | detail]    Shows information on the active off-loaded flows. You can optionally add the following keywords:
                         • count—Shows the number of off-loaded active flows and offloaded flows created.
                         • detail—Shows the active off-loaded flows and their rewrite rules and data.
statistics               Shows the packet statistics of off-loaded flows.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode       Firewall Mode           Security Context
                   Routed   Transparent    Single   Multiple
                                                    Context   System
Privileged EXEC    Yes      Yes            Yes      Yes       —

Command History

Release    Modification
9.5(2)     This command was introduced.

Usage Guidelines

If you enable flow off-loading, use this command to view information about the service and the off-loaded flows.

Examples

The following is sample output from the show flow-offload statistics command. The output shows counts for transmitted (Tx), received (Rx) and dropped packets, and statistics for the virtual NIC (VNIC) used.
ciscoasa# show offload-engine statistics
Packet stats of port : 0
   Tx Packet count             : 785807566
   Rx Packet count             : 785807566
   Dropped Packet count        : 0
   VNIC transmitted packet     : 785807566
   VNIC transmitted bytes      : 103726598712
   VNIC Dropped packets        : 0
   VNIC erroneous received     : 0
   VNIC CRC errors             : 0
   VNIC transmit failed        : 0
   VNIC multicast received     : 0
Packet stats of port : 1
   Tx Packet count             : 0
   Rx Packet count             : 0
   Dropped Packet count        : 0
   VNIC transmitted packet     : 0
   VNIC transmitted bytes      : 0
   VNIC Dropped packets        : 0
   VNIC erroneous received     : 0
   VNIC CRC errors             : 0
   VNIC transmit failed        : 0
   VNIC multicast received     : 0

Related Commands

Command                                         Description
clear flow-offload                              Clears off-load statistics or flows.
flow-offload                                    Enables flow off-load.
set-connection advanced-options flow-offload    Identifies traffic flows as eligible for off-load.

show fragment

To display the operational data of the IP fragment reassembly module, enter the show fragment command in privileged EXEC mode.

show fragment [interface]

Syntax Description

interface    (Optional) Specifies the ASA interface.

Defaults

If an interface is not specified, the command applies to all interfaces.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode            Firewall Mode           Security Context
                        Routed   Transparent    Single   Multiple
                                                         Context   System
Privileged EXEC mode    Yes      Yes            Yes      Yes       Yes

Command History

Release    Modification
7.0(1)     The command was separated into two commands, show fragment and show running-config fragment, to separate the configuration data from the operational data.

Examples
This example shows how to display the operational data of the IP fragment reassembly module:

ciscoasa# show fragment
Interface: inside
    Size: 200, Chain: 24, Timeout: 5, Threshold: 133
    Queue: 0, Assembled: 0, Fail: 0, Overflow: 0
Interface: outside1
    Size: 200, Chain: 24, Timeout: 5, Threshold: 133
    Queue: 0, Assembled: 0, Fail: 0, Overflow: 0
Interface: test1
    Size: 200, Chain: 24, Timeout: 5, Threshold: 133
    Queue: 0, Assembled: 0, Fail: 0, Overflow: 0
Interface: test2
    Size: 200, Chain: 24, Timeout: 5, Threshold: 133
    Queue: 0, Assembled: 0, Fail: 0, Overflow: 0

Related Commands

Command                         Description
clear configure fragment        Clears the IP fragment reassembly configuration and resets the defaults.
clear fragment                  Clears the operational data of the IP fragment reassembly module.
fragment                        Provides additional management of packet fragmentation and improves compatibility with NFS.
show running-config fragment    Displays the IP fragment reassembly configuration.

show gc

To display the garbage collection process statistics, use the show gc command in privileged EXEC mode.

show gc

Syntax Description

This command has no arguments or keywords.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode       Firewall Mode           Security Context
                   Routed   Transparent    Single   Multiple
                                                    Context   System
Privileged EXEC    Yes      Yes            Yes      Yes       Yes

Command History

Release    Modification
7.0(1)     This command was added.
Examples

The following is sample output from the show gc command:

ciscoasa# show gc
Garbage collection process stats:
Total tcp conn delete response              : 0
Total udp conn delete response              : 0
Total number of zombie cleaned              : 0
Total number of embryonic conn cleaned      : 0
Total error response                        : 0
Total queries generated                     : 0
Total queries with conn present response    : 0
Total number of sweeps                      : 946
Total number of invalid vcid                : 0
Total number of zombie vcid                 : 0

Related Commands

Command     Description
clear gc    Removes the garbage collection process statistics.

show h225

To display information for H.225 sessions established across the ASA, use the show h225 command in privileged EXEC mode.

show h225

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode       Firewall Mode           Security Context
                   Routed   Transparent    Single   Multiple
                                                    Context   System
Privileged EXEC    Yes      Yes            Yes      Yes       Yes

Command History

Release    Modification
7.0(1)     This command was added.

Usage Guidelines

The show h225 command displays information for H.225 sessions established across the ASA.

Before using the show h225, show h245, or show h323 ras commands, we recommend that you configure the pager command. If there are a lot of session records and the pager command is not configured, it may take a while for the show output to reach its end.

If there is an abnormally large number of connections, check that the sessions are timing out based on the default timeout values or the values set by you. If they are not, then there is a problem that needs to be investigated.

Examples

The following is sample output from the show h225 command:

ciscoasa# show h225
Total H.323 Calls: 1
1 Concurrent Call(s) for
    Local: 10.130.56.3/1040    Foreign: 172.30.254.203/1720
    1. CRV 9861
    Local: 10.130.56.3/1040    Foreign: 172.30.254.203/1720
0 Concurrent Call(s) for
    Local: 10.130.56.4/1050    Foreign: 172.30.254.205/1720

This output indicates that there is currently 1 active H.323 call going through the ASA between the local endpoint 10.130.56.3 and foreign host 172.30.254.203, and for these particular endpoints, there is 1 concurrent call between them, with a CRV (Call Reference Value) for that call of 9861.

For the local endpoint 10.130.56.4 and foreign host 172.30.254.205, there are 0 concurrent calls. This means that there is no active call between the endpoints even though the H.225 session still exists. This could happen if, at the time of the show h225 command, the call has already ended but the H.225 session has not yet been deleted. Alternately, it could mean that the two endpoints still have a TCP connection opened between them because they set “maintainConnection” to TRUE, so the session is kept open until they set it to FALSE again, or until the session times out based on the H.225 timeout value in your configuration.

Related Commands

Commands               Description
inspect h323           Enables H.323 application inspection.
show h245              Displays information for H.245 sessions established across the ASA by endpoints using slow start.
show h323 ras          Displays information for H.323 RAS sessions established across the ASA.
timeout h225 | h323    Configures idle time after which an H.225 signaling connection or an H.323 control connection will be closed.

show h245

To display information for H.245 sessions established across the ASA by endpoints using slow start, use the show h245 command in privileged EXEC mode.

show h245

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode       Firewall Mode           Security Context
                   Routed   Transparent    Single   Multiple
                                                    Context   System
Privileged EXEC    Yes      Yes            Yes      Yes       Yes

Command History

Release    Modification
7.0(1)     This command was added.

Usage Guidelines

The show h245 command displays information for H.245 sessions established across the ASA by endpoints using slow start. (Slow start is when the two endpoints of a call open another TCP control channel for H.245. Fast start is where the H.245 messages are exchanged as part of the H.225 messages on the H.225 control channel.)

Examples

The following is sample output from the show h245 command:

ciscoasa# show h245
Total: 1
        LOCAL                 TPKT    FOREIGN                TPKT
1       10.130.56.3/1041      0       172.30.254.203/1245    0
        MEDIA: LCN 258 Foreign 172.30.254.203 RTP 49608 RTCP 49609
                       Local   10.130.56.3    RTP 49608 RTCP 49609
        MEDIA: LCN 259 Foreign 172.30.254.203 RTP 49606 RTCP 49607
                       Local   10.130.56.3    RTP 49606 RTCP 49607

There is currently one H.245 control session active across the ASA. The local endpoint is 10.130.56.3, and we are expecting the next packet from this endpoint to have a TPKT header because the TPKT value is 0. (The TPKT header is a 4-byte header preceding each H.225/H.245 message. It gives the length of the message, including the 4-byte header.) The foreign host endpoint is 172.30.254.203, and we are expecting the next packet from this endpoint to have a TPKT header because the TPKT value is 0.

The media negotiated between these endpoints have a LCN (logical channel number) of 258 with the foreign RTP IP address/port pair of 172.30.254.203/49608 and a RTCP IP address/port of 172.30.254.203/49609 with a local RTP IP address/port pair of 10.130.56.3/49608 and a RTCP port of 49609.
The second LCN of 259 has a foreign RTP IP address/port pair of 172.30.254.203/49606 and a RTCP IP address/port pair of 172.30.254.203/49607 with a local RTP IP address/port pair of 10.130.56.3/49606 and RTCP port of 49607.

Related Commands

Commands               Description
inspect h323           Enables H.323 application inspection.
show h245              Displays information for H.245 sessions established across the ASA by endpoints using slow start.
show h323 ras          Displays information for H.323 RAS sessions established across the ASA.
timeout h225 | h323    Configures idle time after which an H.225 signaling connection or an H.323 control connection will be closed.

show h323

To display information for H.323 connections, use the show h323 command in privileged EXEC mode.

show h323 {ras | gup}

Syntax Description

ras    Displays the H323 RAS sessions established across the ASA between a gatekeeper and its H.323 endpoint.
gup    Displays information about the H323 gateway updated protocol connections.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode       Firewall Mode           Security Context
                   Routed   Transparent    Single   Multiple
                                                    Context   System
Privileged EXEC    Yes      Yes            Yes      Yes       Yes

Command History

Release    Modification
7.0(1)     This command was added.

Usage Guidelines

The show h323 ras command displays information for H.323 RAS sessions established across the ASA between a gatekeeper and its H.323 endpoint.

Examples

The following is sample output from the show h323 ras command:

ciscoasa# show h323 ras
Total: 1
        GK                  Caller
        172.30.254.214      10.130.56.14

This output shows that there is one active registration between the gatekeeper 172.30.254.214 and its client 10.130.56.14.

Related Commands

Commands               Description
inspect h323           Enables H.323 application inspection.
show h245 Displays information for H.245 sessions established across the ASA by endpoints using slow start. timeout h225 | h323 Configures idle time after which an H.225 signaling connection or an H.323 control connection will be closed. Cisco ASA Series Command Reference, S Commands 7-31 Chapter show history To display the previously entered commands, use the show history command in user EXEC mode. show history Syntax Description This command has no arguments or keywords. Defaults No default behavior or values. Command Modes The following table shows the modes in which you can enter the command. Firewall Mode Security Context Multiple Command Mode Routed User EXEC Command History • Yes Transparent Single • Release Modification 7.0(1) This command was added. Yes • Yes Context • Yes System • Yes Usage Guidelines The show history command lets you display previously entered commands. You can examine commands individually with the up and down arrows, enter ^p to display previously entered lines, or enter ^n to display the next line. Examples The following example shows sample output from the show history command in user EXEC mode: ciscoasa> show history show history help show history The following example shows sample output from the show history command in privileged EXEC mode: ciscoasa# show history show history help show history enable show history The following example shows sample output from the show history command in global configuration mode: ciscoasa(config)# show history show history Cisco ASA Series Command Reference, S Commands 7-32 Chapter help show history enable show history config t show history Related Commands Command Description help Displays help information for the command specified. Cisco ASA Series Command Reference, S Commands 7-33 Chapter show icmp To display the ICMP configuration, use the show icmp command in privileged EXEC mode. show icmp Defaults No default behavior or values. 
Command Modes
  The following table shows the modes in which you can enter the command:

                     Firewall Mode            Security Context
                     --------------------     ------------------------------
                                                        Multiple
  Command Mode       Routed   Transparent     Single    Context    System
  Privileged EXEC    Yes      Yes             Yes       Yes        Yes

Command History
  Release   Modification
  7.0(1)    This command already existed.

Usage Guidelines
  The show icmp command displays the ICMP configuration.

Examples
  The following example shows the ICMP configuration:

  ciscoasa# show icmp

Related Commands
  Command                 Description
  clear configure icmp    Clears the ICMP configuration.
  debug icmp              Enables the display of debugging information for ICMP.
  icmp                    Configures access rules for ICMP traffic that terminates at an ASA interface.
  inspect icmp            Enables or disables the ICMP inspection engine.
  timeout icmp            Configures the idle timeout for ICMP.

show idb
To display information about the status of interface descriptor blocks, use the show idb command in privileged EXEC mode.

  show idb

Syntax Description
  This command has no arguments or keywords.

Defaults
  No default behavior or values.

Command Modes
  The following table shows the modes in which you can enter the command:

                     Firewall Mode            Security Context
                     --------------------     ------------------------------
                                                        Multiple
  Command Mode       Routed   Transparent     Single    Context    System
  User EXEC          Yes      Yes             Yes       —          Yes

Command History
  Release   Modification
  7.0(1)    This command was added.

Usage Guidelines
  IDBs are the internal data structure representing interface resources. See the “Examples” section for a description of the display output.

Examples
  The following is sample output from the show idb command:

  ciscoasa# show idb
  Maximum number of Software IDBs 280.  In use 23.
                        HWIDBs     SWIDBs
  Active                  6          21
  Inactive                1           2
  Total IDBs              7          23
  Size each (bytes)     116         212
  Total bytes           812        4876

  HWIDB# 1   0xbb68ebc   Control0/0
  HWIDB# 2   0xcd47d84   GigabitEthernet0/0
  HWIDB# 3   0xcd4c1dc   GigabitEthernet0/1
  HWIDB# 4   0xcd5063c   GigabitEthernet0/2
  HWIDB# 5   0xcd54a9c   GigabitEthernet0/3
  HWIDB# 6   0xcd58f04   Management0/0

  SWIDB# 1   0x0bb68f54  0x01010001  Control0/0
  SWIDB# 2   0x0cd47e1c  0xffffffff  GigabitEthernet0/0
  SWIDB# 3   0x0cd772b4  0xffffffff  GigabitEthernet0/0.1
     PEER IDB# 1  0x0d44109c  0xffffffff  3  GigabitEthernet0/0.1
     PEER IDB# 2  0x0d2c0674  0x00020002  2  GigabitEthernet0/0.1
     PEER IDB# 3  0x0d05a084  0x00010001  1  GigabitEthernet0/0.1
  SWIDB# 4   0x0bb7501c  0xffffffff  GigabitEthernet0/0.2
  SWIDB# 5   0x0cd4c274  0xffffffff  GigabitEthernet0/1
  SWIDB# 6   0x0bb75704  0xffffffff  GigabitEthernet0/1.1
     PEER IDB# 1  0x0cf8686c  0x00020003  2  GigabitEthernet0/1.1
  SWIDB# 7   0x0bb75dec  0xffffffff  GigabitEthernet0/1.2
     PEER IDB# 1  0x0d2c08ac  0xffffffff  2  GigabitEthernet0/1.2
  SWIDB# 8   0x0bb764d4  0xffffffff  GigabitEthernet0/1.3
     PEER IDB# 1  0x0d441294  0x00030001  3  GigabitEthernet0/1.3
  SWIDB# 9   0x0cd506d4  0x01010002  GigabitEthernet0/2
  SWIDB# 10  0x0cd54b34  0xffffffff  GigabitEthernet0/3
     PEER IDB# 1  0x0d3291ec  0x00030002  3  GigabitEthernet0/3
     PEER IDB# 2  0x0d2c0aa4  0x00020001  2  GigabitEthernet0/3
     PEER IDB# 3  0x0d05a474  0x00010002  1  GigabitEthernet0/3
  SWIDB# 11  0x0cd58f9c  0xffffffff  Management0/0
     PEER IDB# 1  0x0d05a65c  0x00010003  1  Management0/0

  Table 7-4 shows each field description.

  Table 7-4 show idb stats Fields

  HWIDBs
    Shows the statistics for all HWIDBs. HWIDBs are created for each hardware port in the system.
  SWIDBs
    Shows the statistics for all SWIDBs. SWIDBs are created for each main and subinterface in the system, and for each interface that is allocated to a context. Some other internal software modules also create IDBs.
  HWIDB#
    Specifies a hardware interface entry. The IDB sequence number, address, and interface name are displayed in each line.
  SWIDB#
    Specifies a software interface entry. The IDB sequence number, address, corresponding vPif id, and interface name are displayed in each line.
  PEER IDB#
    Specifies an interface allocated to a context. The IDB sequence number, address, corresponding vPif id, context id, and interface name are displayed in each line.

Related Commands
  Command           Description
  interface         Configures an interface and enters interface configuration mode.
  show interface    Displays the runtime status and statistics of interfaces.

show igmp groups
To display the multicast groups with receivers that are directly connected to the ASA and that were learned through IGMP, use the show igmp groups command in privileged EXEC mode.

  show igmp groups [[reserved | group] [if_name] [detail]] | summary]

Syntax Description
  detail
    (Optional) Provides a detailed description of the sources.
  group
    (Optional) The address of an IGMP group. Including this optional argument limits the display to the specified group.
  if_name
    (Optional) Displays group information for the specified interface.
  reserved
    (Optional) Displays information about reserved groups.
  summary
    (Optional) Displays group joins summary information.

Defaults
  No default behavior or values.

Command Modes
  The following table shows the modes in which you can enter the command:

                     Firewall Mode            Security Context
                     --------------------     ------------------------------
                                                        Multiple
  Command Mode       Routed   Transparent     Single    Context    System
  Privileged EXEC    Yes      —               Yes       —          —

Command History
  Release   Modification
  7.0(1)    This command was added.

Usage Guidelines
  If you omit all optional arguments and keywords, the show igmp groups command displays all directly connected multicast groups by group address, interface type, and interface number.
Examples
  The following is sample output from the show igmp groups command:

  ciscoasa# show igmp groups
  IGMP Connected Group Membership
  Group Address    Interface    Uptime      Expires     Last Reporter
  224.1.1.1        inside       00:00:53    00:03:26    192.168.1.6

Related Commands
  Command                Description
  show igmp interface    Displays multicast information for an interface.

show igmp interface
To display multicast information for an interface, use the show igmp interface command in privileged EXEC mode.

  show igmp interface [if_name]

Syntax Description
  if_name
    (Optional) Displays IGMP group information for the selected interface.

Defaults
  No default behavior or values.

Command Modes
  The following table shows the modes in which you can enter the command:

                     Firewall Mode            Security Context
                     --------------------     ------------------------------
                                                        Multiple
  Command Mode       Routed   Transparent     Single    Context    System
  Privileged EXEC    Yes      —               Yes       —          —

Command History
  Release   Modification
  7.0(1)    This command was modified. The detail keyword was removed.

Usage Guidelines
  If you omit the optional if_name argument, the show igmp interface command displays information about all interfaces.

Examples
  The following is sample output from the show igmp interface command:

  ciscoasa# show igmp interface inside
  inside is up, line protocol is up
    Internet address is 192.168.37.6, subnet mask is 255.255.255.0
    IGMP is enabled on interface
    IGMP query interval is 60 seconds
    Inbound IGMP access group is not set
    Multicast routing is enabled on interface
    Multicast TTL threshold is 0
    Multicast designated router (DR) is 192.168.37.33
    No multicast groups joined

Related Commands
  Command             Description
  show igmp groups    Displays the multicast groups with receivers that are directly connected to the ASA and that were learned through IGMP.
show igmp traffic
To display IGMP traffic statistics, use the show igmp traffic command in privileged EXEC mode.

  show igmp traffic

Syntax Description
  This command has no arguments or keywords.

Defaults
  No default behavior or values.

Command Modes
  The following table shows the modes in which you can enter the command:

                     Firewall Mode            Security Context
                     --------------------     ------------------------------
                                                        Multiple
  Command Mode       Routed   Transparent     Single    Context    System
  Privileged EXEC    Yes      —               Yes       —          —

Command History
  Release   Modification
  7.0(1)    This command was added.

Examples
  The following is sample output from the show igmp traffic command:

  ciscoasa# show igmp traffic
  IGMP Traffic Counters
  Elapsed time since counters cleared: 00:02:30
                          Received    Sent
  Valid IGMP Packets      3           6
  Queries                 2           6
  Reports                 1           0
  Leaves                  0           0
  Mtrace packets          0           0
  DVMRP packets           0           0
  PIM packets             0           0

  Errors:
  Malformed Packets       0
  Martian source          0
  Bad Checksums           0

Related Commands
  Command                Description
  clear igmp counters    Clears all IGMP statistic counters.
  clear igmp traffic     Clears the IGMP traffic counters.

show import webvpn
To list the files, customization objects, translation tables, or plug-ins in flash memory that customize and localize the ASA or the AnyConnect Secure Mobility Client, use the show import webvpn command in privileged EXEC mode.

  show import webvpn {AnyConnect-customization | customization | mst-translation | plug-in | translation-table | url-list | webcontent} [detailed | xml-output]

Syntax Description
  AnyConnect-customization
    Displays resource files, executable files, and MS transforms in the ASA flash memory that customize the AnyConnect client GUI.
  customization
    Displays XML customization objects in the ASA flash memory that customize the clientless VPN portal (filenames base64 decoded).
  mst-translation
    Displays MS transforms in the ASA flash memory that translate the AnyConnect client installer program.
  plug-in
    Displays plug-in modules in the ASA flash memory (third-party Java-based client applications, including SSH, VNC, and RDP).
  translation-table
    Displays translation tables in the ASA flash memory that translate the language of user messages displayed by the clientless portal, Secure Desktop, and plug-ins.
  url-list
    Displays URL lists in the ASA flash memory used by the clientless portal (filenames base64 decoded).
  webcontent
    Displays content in ASA flash memory used by the clientless portal, clientless applications, and plug-ins for online help visible to end users.
  detailed
    Displays the path in flash memory of the file(s) and the hash.
  xml-output
    Displays the XML of the file(s).

Defaults
  No default behavior or values.

Command Modes
  The following table shows the modes in which you can enter the command:

                        Firewall Mode            Security Context
                        --------------------     ------------------------------
                                                           Multiple
  Command Mode          Routed   Transparent     Single    Context    System
  Privileged EXEC mode  Yes      —               Yes       —          —

Command History
  Release   Modification
  8.0(2)    This command was added.
  8.2(1)    The AnyConnect-customization keyword was added.

Usage Guidelines
  Use the show import webvpn command to identify the custom data and the Java-based client applications available to clientless SSL VPN users. The displayed list itemizes all of the requested data types that are in flash memory on the ASA.
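Because the detailed listing prints a hash for every plug-in, it can be diffed against a known-good record to catch a plug-in that was added, removed or replaced in flash. The following script is an added example, not Cisco's code: it parses the name, hash and timestamp columns of show import webvpn plug-in detail (the hash is treated as an opaque string, since the reference does not say which algorithm produces it) and reports drift from a baseline. The baseline values for rdp and vnc are constructed placeholders.

```python
"""Baseline check for 'show import webvpn plug-in detail' output.

Added example, not Cisco code.  The hash column is treated as an opaque
string (the reference does not say which algorithm produces it); the
check only asks whether it still matches a known-good baseline.
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class PluginEntry(NamedTuple):
    name: str
    digest: str       # hash exactly as printed by the ASA
    timestamp: str    # e.g. "Tue, 29 Apr 2008 19:57:03 GMT"


# One plug-in per line: <name> <hash> <Day, DD Mon YYYY HH:MM:SS ZONE>
_LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<digest>\S+)\s+"
    r"(?P<ts>\w{3}, \d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2} \w+)$"
)


def parse_plugin_detail(output: str) -> Dict[str, PluginEntry]:
    """Parse the CLI listing into {plug-in name: PluginEntry}.

    Prompt echoes ("ciscoasa# ...") and blank lines are skipped.  Any other
    line that does not have the three-column shape raises, so a truncated
    or mis-captured listing is not silently read as "no plug-ins".
    """
    entries: Dict[str, PluginEntry] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("ciscoasa#"):
            continue
        m = _LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognized line in plug-in listing: {line!r}")
        entries[m["name"]] = PluginEntry(m["name"], m["digest"], m["ts"])
    return entries


def compare_to_baseline(current: Dict[str, PluginEntry],
                        baseline: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Return (added, removed, changed) plug-in names, each sorted.

    'changed' means the plug-in exists in both but its hash differs, which is
    the case that needs a human to confirm a legitimate re-import happened.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(n for n in set(current) & set(baseline)
                     if current[n].digest != baseline[n])
    return added, removed, changed


# Listing copied from the reference output (post, rdp, rdp2).
SAMPLE_OUTPUT = """\
ciscoasa# show import webvpn plug-in detail
post GXN2BIGGOAOkBMibDQsMu2GWZ3Q= Tue, 29 Apr 2008 19:57:03 GMT
rdp fHeyReIOUwDCgAL9HdTsPnjdBOo= Tue, 15 Sep 2009 23:23:56 GMT
rdp2 shw8c22T2SsILLk6zyCd6H6VOz8= Wed, 11 Feb 2009 21:17:54 GMT
ciscoasa#
"""

# Constructed baseline: post unchanged, rdp re-imported with a different
# hash (placeholder value), vnc expected but no longer present.
BASELINE = {
    "post": "GXN2BIGGOAOkBMibDQsMu2GWZ3Q=",
    "rdp": "BASELINE-HASH-PLACEHOLDER-rdp",
    "vnc": "BASELINE-HASH-PLACEHOLDER-vnc",
}

if __name__ == "__main__":
    added, removed, changed = compare_to_baseline(
        parse_plugin_detail(SAMPLE_OUTPUT), BASELINE)
    print("added:", added, "removed:", removed, "changed:", changed)
```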
Examples
  The following illustrates the WebVPN data displayed by various show import webvpn commands:

  ciscoasa# show import webvpn plug
  ssh
  rdp
  vnc
  ciscoasa#
  ciscoasa# show import webvpn plug detail
  post    GXN2BIGGOAOkBMibDQsMu2GWZ3Q=    Tue, 29 Apr 2008 19:57:03 GMT
  rdp     fHeyReIOUwDCgAL9HdTsPnjdBOo=    Tue, 15 Sep 2009 23:23:56 GMT
  rdp2    shw8c22T2SsILLk6zyCd6H6VOz8=    Wed, 11 Feb 2009 21:17:54 GMT

  ciscoasa# show import webvpn customization
  Template
  DfltCustomization
  ciscoasa#

  ciscoasa# show import webvpn translation-table
  Translation Tables' Templates:
    AnyConnect
    PortForwarder
    banners
    csd
    customization
    url-list
    webvpn
  Translation Tables:
    ru    customization
    ua    customization
  ciscoasa#

  ciscoasa# show import webvpn url-list
  Template
  No bookmarks are currently defined
  ciscoasa#

  ciscoasa# show import webvpn webcontent
  No custom webcontent is loaded
  ciscoasa#

Related Commands
  Command             Description
  revert webvpn all   Removes all WebVPN data and plug-ins currently on the ASA.

show interface
To view interface statistics, use the show interface command in privileged EXEC mode.

  show interface [{physical_interface | redundantnumber}[.subinterface] | mapped_name | interface_name | vlan number | vni id [summary]] [stats | detail]

Syntax Description
  detail
    (Optional) Shows detailed interface information, including the order in which the interface was added, the configured state, the actual state, and asymmetrical routing statistics, if enabled by the asr-group command. If you show all interfaces, then information about the internal interfaces for SSMs displays, if installed on the ASA 5500 series adaptive security appliance. The internal interface is not user-configurable, and the information is for debugging purposes only.
  interface_name
    (Optional) Identifies the interface name set with the nameif command.
  mapped_name
    (Optional) In multiple context mode, identifies the mapped name if it was assigned using the allocate-interface command.
  physical_interface
    (Optional) Identifies the interface ID, such as gigabitethernet 0/1. See the interface command for accepted values.
  redundantnumber
    (Optional) Identifies the redundant interface ID, such as redundant1.
  stats
    (Default) Shows interface information and statistics. This keyword is the default, so this keyword is optional.
  summary
    (Optional) For a VNI interface, shows only the VNI interface parameters.
  subinterface
    (Optional) Identifies an integer between 1 and 4294967293 designating a logical subinterface.
  vlan number
    (Optional) For the ASA 5505 or ASASM, specifies the VLAN interface.
  vni id
    (Optional) Shows the parameters, status, and statistics of a VNI interface, the status of its bridged interface (if configured), and the NVE interface it is associated with.

Defaults
  If you do not identify any options, this command shows basic statistics for all interfaces.

Command Modes
  The following table shows the modes in which you can enter the command:

                     Firewall Mode            Security Context
                     --------------------     ------------------------------
                                                        Multiple
  Command Mode       Routed   Transparent     Single    Context    System
  Privileged EXEC    Yes      Yes             Yes       Yes        Yes

Command History
  Release   Modification
  7.0(1)    This command was modified to include the new interface numbering scheme, and to add the stats keyword for clarity, and the detail keyword.
  7.0(4)    Support for the 4GE SSM interfaces was added.
  7.2(1)    Support for switch interfaces was added.
  8.0(2)    Support for redundant interfaces was added. Also, the delay is added for subinterfaces. Two new counters were added: input reset drops and output reset drops.
  8.2(1)    The no buffer number was changed to show the number of failures from block allocations.
  8.6(1)    Support for the ASA 5512-X through ASA 5555-X shared management interface and the control plane interface for the software module were added. The management interface is displayed using the show interface detail command as Internal-Data0/1; the control plane interface is displayed as Internal-Control0/0.
  9.4(1)    The vni interface type was added.
  9.5(1)    Clustering site-specific MAC addresses were added to the output.

Usage Guidelines
  If an interface is shared among contexts, and you enter this command within a context, the ASA shows only statistics for the current context. When you enter this command in the system execution space for a physical interface, the ASA shows the combined statistics for all contexts.

  The number of statistics shown for subinterfaces is a subset of the number of statistics shown for a physical interface.

  You cannot use the interface name in the system execution space, because the nameif command is only available within a context. Similarly, if you mapped the interface ID to a mapped name using the allocate-interface command, you can only use the mapped name in a context. If you set the visible keyword in the allocate-interface command, the ASA shows the interface ID in the output of the show interface command.

  Note  The number of bytes transmitted or received in the Hardware count and the Traffic Statistics count are different. In the hardware count, the amount is retrieved directly from hardware and reflects the Layer 2 packet size, while in the traffic statistics it reflects the Layer 3 packet size. The count difference varies based upon the design of the interface card hardware. For example, for a Fast Ethernet card, the Layer 2 count is 14 bytes greater than the traffic count, because it includes the Ethernet header. On the Gigabit Ethernet card, the Layer 2 count is 18 bytes greater than the traffic count, because it includes both the Ethernet header and the CRC.

  See the “Examples” section for a description of the display output.
Examples
  The following is sample output from the show interface command:

  ciscoasa# show interface
  Interface GigabitEthernet0/0 "outside", is up, line protocol is up
    Hardware is i82546GB rev03, BW 1000 Mbps, DLY 1000 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        MAC address 000b.fcf8.c44e, MTU 1500
        IP address 10.86.194.60, subnet mask 255.255.254.0
        1328522 packets input, 124426545 bytes, 0 no buffer
        Received 1215464 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        9 L2 decode drops
        124606 packets output, 86803402 bytes, 0 underruns
        0 output errors, 0 collisions
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        input queue (curr/max packets): hardware (0/7)
        output queue (curr/max packets): hardware (0/13)
    Traffic Statistics for "outside":
        1328509 packets input, 99873203 bytes
        124606 packets output, 84502975 bytes
        524605 packets dropped
      1 minute input rate 0 pkts/sec, 0 bytes/sec
      1 minute output rate 0 pkts/sec, 0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec, 0 bytes/sec
      5 minute output rate 0 pkts/sec, 0 bytes/sec
      5 minute drop rate, 0 pkts/sec
  Interface GigabitEthernet0/1 "inside", is administratively down, line protocol is down
    Hardware is i82546GB rev03, BW 1000 Mbps, DLY 1000 usec
        Auto-Duplex, Auto-Speed
        MAC address 000b.fcf8.c44f, MTU 1500
        IP address 10.10.0.1, subnet mask 255.255.0.0
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        input queue (curr/max packets): hardware (0/0)
        output queue (curr/max packets): hardware (0/0)
    Traffic Statistics for "inside":
        0 packets input, 0 bytes
        0 packets output, 0 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec, 0 bytes/sec
      1 minute output rate 0 pkts/sec, 0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec, 0 bytes/sec
      5 minute output rate 0 pkts/sec, 0 bytes/sec
      5 minute drop rate, 0 pkts/sec
  Interface GigabitEthernet0/2 "faillink", is administratively down, line protocol is down
    Hardware is i82546GB rev03, BW 1000 Mbps, DLY 1000 usec
        Auto-Duplex, Auto-Speed
        Description: LAN/STATE Failover Interface
        MAC address 000b.fcf8.c450, MTU 1500
        IP address 192.168.1.1, subnet mask 255.255.255.0
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        input queue (curr/max packets): hardware (0/0)
        output queue (curr/max packets): hardware (0/0)
    Traffic Statistics for "faillink":
        0 packets input, 0 bytes
        1 packets output, 28 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec, 0 bytes/sec
      1 minute output rate 0 pkts/sec, 0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec, 0 bytes/sec
      5 minute output rate 0 pkts/sec, 0 bytes/sec
      5 minute drop rate, 0 pkts/sec
  Interface GigabitEthernet0/3 "", is administratively down, line protocol is down
    Hardware is i82546GB rev03, BW 1000 Mbps, DLY 1000 usec
        Auto-Duplex, Auto-Speed
        Active member of Redundant5
        MAC address 000b.fcf8.c451, MTU not set
        IP address unassigned
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        input queue (curr/max packets): hardware (0/0)
        output queue (curr/max packets): hardware (0/0)
  Interface Management0/0 "", is administratively down, line protocol is down
    Hardware is i82557, BW 100 Mbps, DLY 1000 usec
        Auto-Duplex, Auto-Speed
        Available but not configured via nameif
        MAC address 000b.fcf8.c44d, MTU not set
        IP address unassigned
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max packets): hardware (128/128) software (0/0)
        output queue (curr/max packets): hardware (0/0) software (0/0)
  Interface Redundant1 "", is down, line protocol is down
    Redundancy Information:
        Members unassigned
  Interface Redundant5 "redundant", is administratively down, line protocol is down
    Hardware is i82546GB rev03, BW 1000 Mbps, DLY 1000 usec
        Auto-Duplex, Auto-Speed
        MAC address 000b.fcf8.c451, MTU 1500
        IP address 10.2.3.5, subnet mask 255.255.255.0
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        input queue (curr/max packets): hardware (0/0) software (0/0)
        output queue (curr/max packets): hardware (0/0) software (0/0)
    Traffic Statistics for "redundant":
        0 packets input, 0 bytes
        0 packets output, 0 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec, 0 bytes/sec
      1 minute output rate 0 pkts/sec, 0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec, 0 bytes/sec
      5 minute output rate 0 pkts/sec, 0 bytes/sec
      5 minute drop rate, 0 pkts/sec
    Redundancy Information:
        Member GigabitEthernet0/3(Active), GigabitEthernet0/2
        Last switchover at 15:15:26 UTC Oct 24 2006
  Interface Redundant5.1 "", is down, line protocol is down
        VLAN identifier none
        Available but not configured with VLAN or via nameif

  The following output shows the use of the site MAC address when in use:

  ciscoasa# show interface port-channel1.3151
  Interface Port-channel1.3151 "inside", is up, line protocol is up
    Hardware is EtherChannel/LACP, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 3151
        MAC address aaaa.1111.1234, MTU 1500
        Site Specific MAC address aaaa.1111.aaaa
        IP address 10.3.1.1, subnet mask 255.255.255.0
    Traffic Statistics for "inside":
        132269 packets input, 6483425 bytes
        1062 packets output, 110448 bytes
        98530 packets dropped

  Table 7-5 shows each field description.

  Table 7-5 show interface Fields

  Interface ID
    The interface ID. Within a context, the ASA shows the mapped name (if configured), unless you set the allocate-interface command visible keyword.

  “interface_name”
    The interface name set with the nameif command. In the system execution space, this field is blank because you cannot set the name in the system. If you do not configure a name, the following message appears after the Hardware line:
      Available but not configured via nameif

  is state
    The administrative state, as follows:
    • up—The interface is not shut down.
    • administratively down—The interface is shut down with the shutdown command.

  Line protocol is state
    The line status, as follows:
    • up—A working cable is plugged into the network interface.
    • down—Either the cable is incorrect or not plugged into the interface connector.

  VLAN identifier
    For subinterfaces, the VLAN ID.

  Hardware
    The interface type, maximum bandwidth, delay, duplex, and speed. When the link is down, the duplex and speed show the configured values. When the link is up, these fields show the configured values with the actual settings in parentheses.
    The following list describes the common hardware types:
    • i82542 - Intel PCI Fiber Gigabit card used on PIX platforms
    • i82543 - Intel PCI-X Fiber Gigabit card used on PIX platforms
    • i82546GB - Intel PCI-X Copper Gigabit used on ASA platforms
    • i82547GI - Intel CSA Copper Gigabit used as backplane on ASA platforms
    • i82557 - Intel PCI Copper Fast Ethernet used on ASA platforms
    • i82559 - Intel PCI Copper Fast Ethernet used on PIX platforms
    • VCS7380 - Vitesse Four Port Gigabit Switch used in SSM-4GE

  Media-type
    (For 4GE SSM interfaces only) Shows if the interface is set as RJ-45 or SFP.

  message area
    A message might be displayed in some circumstances. See the following examples:
    • In the system execution space, you might see the following message:
        Available for allocation to a context
    • If you do not configure a name, you see the following message:
        Available but not configured via nameif
    • If an interface is a member of a redundant interface, you see the following message:
        Active member of Redundant5

  MAC address
    The interface MAC address.

  Site Specific MAC address
    For clustering, shows an in-use site-specific MAC address.

  MTU
    The maximum size, in bytes, of packets allowed on this interface. If you do not set the interface name, this field shows “MTU not set.”

  IP address
    The interface IP address set using the ip address command or received from a DHCP server. In the system execution space, this field shows “IP address unassigned” because you cannot set the IP address in the system.

  Subnet mask
    The subnet mask for the IP address.

  Packets input
    The number of packets received on this interface.

  Bytes
    The number of bytes received on this interface.

  No buffer
    The number of failures from block allocations.

  Received: Broadcasts
    The number of broadcasts received.

  Input errors
    The number of total input errors, including the types listed below.
    Other input-related errors can also cause the input error count to increase, and some datagrams might have more than one error; therefore, this sum might exceed the number of errors listed for the types below.

  Runts
    The number of packets that are discarded because they are smaller than the minimum packet size, which is 64 bytes. Runts are usually caused by collisions. They might also be caused by poor wiring and electrical interference.

  Giants
    The number of packets that are discarded because they exceed the maximum packet size. For example, any Ethernet packet that is greater than 1518 bytes is considered a giant.

  CRC
    The number of Cyclical Redundancy Check errors. When a station sends a frame, it appends a CRC to the end of the frame. This CRC is generated from an algorithm based on the data in the frame. If the frame is altered between the source and destination, the ASA notes that the CRC does not match. A high number of CRCs is usually the result of collisions or a station transmitting bad data.

  Frame
    The number of frame errors. Bad frames include packets with an incorrect length or bad frame checksums. This error is usually the result of collisions or a malfunctioning Ethernet device.

  Overrun
    The number of times that the ASA was incapable of handing received data to a hardware buffer because the input rate exceeded the ASA capability to handle the data.

  Ignored
    This field is not used. The value is always 0.

  Abort
    This field is not used. The value is always 0.

  L2 decode drops
    The number of packets dropped because the name is not configured (nameif command) or a frame with an invalid VLAN id is received. On a standby interface in a redundant interface configuration, this counter may increase because this interface has no name (nameif command) configured.

  Packets output
    The number of packets sent on this interface.
  Bytes
    The number of bytes sent on this interface.

  Underruns
    The number of times that the transmitter ran faster than the ASA could handle.

  Output Errors
    The number of frames not transmitted because the configured maximum number of collisions was exceeded. This counter should only increment during heavy network traffic.

  Collisions
    The number of messages retransmitted due to an Ethernet collision (single and multiple collisions). This usually occurs on an overextended LAN (Ethernet or transceiver cable too long, more than two repeaters between stations, or too many cascaded multiport transceivers). A packet that collides is counted only once by the output packets.

  Interface resets
    The number of times an interface has been reset. If an interface is unable to transmit for three seconds, the ASA resets the interface to restart transmission. During this interval, connection state is maintained. An interface reset can also happen when an interface is looped back or shut down.

  Babbles
    Unused. (“babble” means that the transmitter has been on the interface longer than the time taken to transmit the largest frame.)

  Late collisions
    The number of frames that were not transmitted because a collision occurred outside the normal collision window. A late collision is a collision that is detected late in the transmission of the packet. Normally, these should never happen. When two Ethernet hosts try to talk at once, they should collide early in the packet and both back off, or the second host should see that the first one is talking and wait. If you get a late collision, a device is jumping in and trying to send the packet on the Ethernet while the ASA is partly finished sending the packet. The ASA does not resend the packet, because it may have freed the buffers that held the first part of the packet.
    This is not a real problem because networking protocols are designed to cope with collisions by resending packets. However, late collisions indicate a problem exists in your network. Common problems are large repeated networks and Ethernet networks running beyond the specification.

  Deferred
    The number of frames that were deferred before transmission due to activity on the link.

  input reset drops
    Counts the number of packets dropped in the RX ring when a reset occurs.

  output reset drops
    Counts the number of packets dropped in the TX ring when a reset occurs.

  Rate limit drops
    (For 4GE SSM interfaces only) The number of packets dropped if you configured the interface at non-Gigabit speeds and attempted to transmit more than 10 Mbps or 100 Mbps, depending on configuration.

  Lost carrier
    The number of times the carrier signal was lost during transmission.

  No carrier
    Unused.

  Input queue (curr/max packets):
    The number of packets in the input queue, the current and the maximum.
    Hardware
      The number of packets in the hardware queue.
    Software
      The number of packets in the software queue. Not available for Gigabit Ethernet interfaces.

  Output queue (curr/max packets):
    The number of packets in the output queue, the current and the maximum.
    Hardware
      The number of packets in the hardware queue.
    Software
      The number of packets in the software queue.

  input queue (blocks free curr/low)
    The curr/low entry indicates the number of current and all-time-lowest available slots on the interface's Receive (input) descriptor ring. These are updated by the main CPU, so the all-time-lowest (until the interface statistics are cleared or the device is reloaded) watermarks are not highly accurate.

  output queue (blocks free curr/low)
    The curr/low entry indicates the number of current and all-time-lowest available slots on the interface's Transmit (output) descriptor rings.
    These are updated by the main CPU, so the all-time-lowest (until the interface statistics are cleared or the device is reloaded) watermarks are not highly accurate.
Traffic Statistics:
    The number of packets received, transmitted, or dropped.
Packets input
    The number of packets received and the number of bytes.
Packets output
    The number of packets transmitted and the number of bytes.

Table 7-5 show interface Fields (continued)

Field
    Description
Packets dropped
    The number of packets dropped. Typically this counter increments for packets dropped on the accelerated security path (ASP), for example, if a packet is dropped due to an access list deny. See the show asp drop command for reasons for potential drops on an interface.
1 minute input rate
    The number of packets received in packets/sec and bytes/sec over the last minute.
1 minute output rate
    The number of packets transmitted in packets/sec and bytes/sec over the last minute.
1 minute drop rate
    The number of packets dropped in packets/sec over the last minute.
5 minute input rate
    The number of packets received in packets/sec and bytes/sec over the last 5 minutes.
5 minute output rate
    The number of packets transmitted in packets/sec and bytes/sec over the last 5 minutes.
5 minute drop rate
    The number of packets dropped in packets/sec over the last 5 minutes.
Redundancy Information:
    For redundant interfaces, shows the member physical interfaces. The active interface has “(Active)” after the interface ID. If you have not yet assigned members, you see the following output:
    Members unassigned
Last switchover
    For redundant interfaces, shows the last time the active interface failed over to the standby interface.
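The counters in Table 7-5 are only useful operationally if something reads them regularly. The following Python script is an added example (not part of this reference or of the ASA software) that parses text in the layout of the show interface output, collects the per-interface counters, and reports the link-layer counters the table says should stay at zero on a healthy link (late collisions, input errors, interface resets, rate limit drops, and so on) together with the share of received packets dropped on the ASP. The sample output and the counter values in it are constructed for this example; the zero limits in WATCH are this script's choice, not thresholds the ASA enforces.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of the "show interface" output in this reference.
# Counter values are made up so that the outside interface trips several checks.
SAMPLE_SHOW_INTERFACE = """\
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 1000 usec
  MAC address 000b.fcf8.c44e, MTU 1500
  IP address 10.86.194.60, subnet mask 255.255.254.0
  1330214 packets input, 124580214 bytes, 0 no buffer
  Received 1216917 broadcasts, 0 runts, 0 giants
  12 input errors, 12 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  9 L2 decode drops
  124863 packets output, 86956597 bytes, 0 underruns
  0 output errors, 0 collisions, 3 interface resets
  0 babbles, 7 late collisions, 0 deferred
  0 lost carrier, 0 no carrier
  0 rate limit drops
  Traffic Statistics for "outside":
    1330201 packets input, 99995120 bytes
    124863 packets output, 84651382 bytes
    525233 packets dropped
    1 minute input rate 0 pkts/sec, 0 bytes/sec
    1 minute drop rate, 0 pkts/sec
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 1000 usec
  100 packets input, 6400 bytes, 0 no buffer
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  100 packets output, 6400 bytes, 0 underruns
  0 output errors, 0 collisions, 0 interface resets
  0 babbles, 0 late collisions, 0 deferred
  Traffic Statistics for "inside":
    100 packets input, 6400 bytes
    100 packets output, 6400 bytes
    0 packets dropped
"""

HEADER_RE = re.compile(r'^Interface (\S+) "([^"]*)", is (\w+), line protocol is (\w+)')
COUNTER_RE = re.compile(r"^(?:Received )?(\d+) ([A-Za-z][A-Za-z0-9 ]*)$")

# Link-layer counters from Table 7-5 that should stay at zero on a healthy link.
# The limits are this script's example values, not anything the ASA enforces.
WATCH = {"late collisions": 0, "input errors": 0, "output errors": 0,
         "interface resets": 0, "rate limit drops": 0, "underruns": 0, "lost carrier": 0}


def parse_show_interface(text: str) -> Dict[str, dict]:
    """Map each nameif (or the interface ID when unnamed) to its state and counters."""
    interfaces: Dict[str, dict] = {}
    current = None
    in_traffic = False
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            iface_id, nameif, status, proto = m.groups()
            current = {"id": iface_id, "status": status, "protocol": proto, "counters": {}}
            interfaces[nameif or iface_id] = current
            in_traffic = False
            continue
        if current is None or not line or "minute" in line:  # per-second rate lines are skipped
            continue
        if line.startswith("Traffic Statistics"):
            in_traffic = True  # the counters that follow are the ASP-level totals
            continue
        prev = ""
        for piece in line.split(","):
            cm = COUNTER_RE.match(piece.strip())
            if not cm:
                continue
            value, name = int(cm.group(1)), cm.group(2).strip()
            if name == "bytes" and prev.startswith("packets "):
                name = "bytes " + prev.split()[1]  # "bytes input" / "bytes output"
            prev = name
            current["counters"][("traffic " + name) if in_traffic else name] = value
    return interfaces


def flag_interfaces(interfaces: Dict[str, dict]) -> List[Tuple[str, str, int]]:
    """Return (interface, counter, value) for every watched counter above its limit."""
    findings = []
    for name, data in interfaces.items():
        for counter, limit in WATCH.items():
            value = data["counters"].get(counter, 0)
            if value > limit:
                findings.append((name, counter, value))
    return findings


def drop_ratio(interfaces: Dict[str, dict], name: str) -> float:
    """Share of received packets dropped on the ASP; use show asp drop for the reasons."""
    c = interfaces[name]["counters"]
    received = c.get("traffic packets input", 0)
    return c.get("traffic packets dropped", 0) / received if received else 0.0


if __name__ == "__main__":
    ifs = parse_show_interface(SAMPLE_SHOW_INTERFACE)
    for finding in flag_interfaces(ifs):
        print(finding)
    print(f"outside drop ratio: {drop_ratio(ifs, 'outside'):.3f}")
```

Run against saved output (for example, collected over SSH on a schedule), the script keeps the per-interface counters and the Traffic Statistics totals apart, so a rising ASP drop ratio can be distinguished from physical-layer trouble; the rate lines are ignored because they are already per-second averages rather than counters.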
The following is sample output from the show interface command on the ASA 5505, which includes switch ports:

ciscoasa# show interface
Interface Vlan1 "inside", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
  MAC address 00d0.2bff.449f, MTU 1500
  IP address 1.1.1.1, subnet mask 255.0.0.0
  Traffic Statistics for "inside":
    0 packets input, 0 bytes
    0 packets output, 0 bytes
    0 packets dropped
    1 minute input rate 0 pkts/sec, 0 bytes/sec
    1 minute output rate 0 pkts/sec, 0 bytes/sec
    1 minute drop rate, 0 pkts/sec
    5 minute input rate 0 pkts/sec, 0 bytes/sec
    5 minute output rate 0 pkts/sec, 0 bytes/sec
    5 minute drop rate, 0 pkts/sec
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 1000 usec
  Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
  Available but not configured via nameif
  MAC address 00d0.2bfd.6ec5, MTU not set
  IP address unassigned
  407 packets input, 53587 bytes, 0 no buffer
  Received 103 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  0 L2 decode drops
  43 switch ingress policy drops
  0 packets output, 0 bytes, 0 underruns
  0 output errors, 0 collisions, 0 interface resets
  0 babbles, 0 late collisions, 0 deferred
  0 lost carrier, 0 no carrier
  0 rate limit drops
  0 switch egress policy drops

Table 7-6 shows each field description for the show interface command for switch interfaces, such as those for the ASA 5505 adaptive security appliance. See Table 7-5 for fields that are also shown for the show interface command.

Table 7-6 show interface for Switch Interfaces Fields

Field
    Description
switch ingress policy drops
    This drop is usually seen when a port is not configured correctly. This drop is incremented when a packet cannot be successfully forwarded within switch ports as a result of the default or user-configured switch port settings.
    The following configurations are the likely reasons for this drop:
    • The nameif command was not configured on the VLAN interface.
      Note: For interfaces in the same VLAN, even if the nameif command was not configured, switching within the VLAN is successful, and this counter does not increment.
    • The VLAN is shut down.
    • An access port received an 802.1Q-tagged packet.
    • A trunk port received a tag that is not allowed or an untagged packet.
    • The ASA is connected to another Cisco device that has Ethernet keepalives. For example, Cisco IOS software uses Ethernet loopback packets to ensure interface health. This packet is not intended to be received by any other device; the health is ensured just by being able to send the packet. These types of packets are dropped at the switch port, and the counter increments.
switch egress policy drops
    Not currently in use.

The following is sample output from the show interface detail command, which shows detailed interface statistics for all interfaces, including the internal interfaces (if present for your platform) and asymmetrical routing statistics, if enabled by the asr-group command:

ciscoasa# show interface detail
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 1000 usec
  Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
  MAC address 000b.fcf8.c44e, MTU 1500
  IP address 10.86.194.60, subnet mask 255.255.254.0
  1330214 packets input, 124580214 bytes, 0 no buffer
  Received 1216917 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  9 L2 decode drops
  124863 packets output, 86956597 bytes, 0 underruns
  0 output errors, 0 collisions
  0 late collisions, 0 deferred
  input queue (curr/max packets): hardware (0/7)
  output queue (curr/max packets): hardware (0/13)
  Traffic Statistics for "outside":
    1330201 packets input, 99995120 bytes
    124863 packets output, 84651382 bytes
    525233 packets dropped
  Control Point Interface States:
    Interface number is 1
    Interface config status is active
    Interface state is active
Interface Internal-Data0/0 "", is up, line protocol is up
  Hardware is i82547GI rev00, BW 1000 Mbps, DLY 1000 usec
  (Full-duplex), (1000 Mbps)
  MAC address 0000.0001.0002, MTU not set
  IP address unassigned
  6 packets input, 1094 bytes, 0 no buffer
  Received 6 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  0 L2 decode drops, 0 demux drops
  0 packets output, 0 bytes, 0 underruns
  0 output errors, 0 collisions
  0 late collisions, 0 deferred
  input queue (curr/max packets): hardware (0/2) software (0/0)
  output queue (curr/max packets): hardware (0/0) software (0/0)
  Control Point Interface States:
    Interface number is unassigned
...

Table 7-7 shows each field description for the show interface detail command. See Table 7-5 for fields that are also shown for the show interface command.

Table 7-7 show interface detail Fields

Field
    Description
Demux drops
    (On Internal-Data interface only) The number of packets dropped because the ASA was unable to demultiplex packets from SSM interfaces. SSM interfaces communicate with the native interfaces across the backplane, and packets from all SSM interfaces are multiplexed on the backplane.
Control Point Interface States:
Interface number
    A number used for debugging that indicates in what order this interface was created, starting with 0.
Interface config status
    The administrative state, as follows:
    • active—The interface is not shut down.
    • not active—The interface is shut down with the shutdown command.
Interface state
    The actual state of the interface. In most cases, this state matches the config status above. If you configure high availability, it is possible there can be a mismatch because the ASA brings the interfaces up or down as needed.
Asymmetrical Routing Statistics:
Received X1 packets
    Number of ASR packets received on this interface.
Transmitted X2 packets
    Number of ASR packets sent on this interface.
Dropped X3 packets
    Number of ASR packets dropped on this interface. The packets might be dropped if the interface is down when trying to forward the packet.

The following is sample output from the show interface detail command on the ASA 5512-X through ASA 5555-X, which shows combined statistics for the Management 0/0 interface (shown as “Internal-Data0/1”) for both the ASA and the software module. The output also shows the Internal-Control0/0 interface, which is used for control traffic between the software module and the ASA.

Interface Internal-Data0/1 "ipsmgmt", is down, line protocol is up
  Hardware is , BW Unknown Speed-Capability, DLY 1000 usec
  (Full-duplex), (1000 Mbps)
  Input flow control is unsupported, output flow control is unsupported
  MAC address 0100.0100.0000, MTU not set
  IP address 127.0.1.1, subnet mask 255.255.0.0
  0 packets input, 0 bytes, 0 no buffer
  Received 0 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  0 pause input, 0 resume input
  0 L2 decode drops
  182 packets output, 9992 bytes, 0 underruns
  0 pause output, 0 resume output
  0 output errors, 0 collisions, 0 interface resets
  0 late collisions, 0 deferred
  0 input reset drops, 0 output reset drops
  input queue (blocks free curr/low): hardware (0/0)
  output queue (blocks free curr/low): hardware (0/0)
  Traffic Statistics for "ipsmgmt":
    0 packets input, 0 bytes
    0 packets output, 0 bytes
    0 packets dropped
    1 minute input rate 0 pkts/sec, 0 bytes/sec
    1 minute output rate 0 pkts/sec, 0 bytes/sec
    1 minute drop rate, 0 pkts/sec
    5 minute input rate 0 pkts/sec, 0 bytes/sec
    5 minute output rate 0 pkts/sec, 0 bytes/sec
    5 minute drop rate, 0 pkts/sec
  Control Point Interface States:
    Interface number is 11
    Interface config status is active
    Interface state is active
Interface Internal-Control0/0 "cplane", is down, line protocol is up
  Hardware is , BW Unknown Speed-Capability, DLY 1000 usec
  (Full-duplex), (1000 Mbps)
  Input flow control is unsupported, output flow control is unsupported
  MAC address 0100.0100.0000, MTU not set
  IP address 127.0.1.1, subnet mask 255.255.0.0
  0 packets input, 0 bytes, 0 no buffer
  Received 0 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  0 pause input, 0 resume input
  0 L2 decode drops
  182 packets output, 9992 bytes, 0 underruns
  0 pause output, 0 resume output
  0 output errors, 0 collisions, 0 interface resets
  0 late collisions, 0 deferred
  0 input reset drops, 0 output reset drops
  input queue (blocks free curr/low): hardware (0/0)
  output queue (blocks free curr/low): hardware (0/0)
  Traffic Statistics for "cplane":
    0 packets input, 0 bytes
    0 packets output, 0 bytes
    0 packets dropped
    1 minute input rate 0 pkts/sec, 0 bytes/sec
    1 minute output rate 0 pkts/sec, 0 bytes/sec
    1 minute drop rate, 0 pkts/sec
    5 minute input rate 0 pkts/sec, 0 bytes/sec
    5 minute output rate 0 pkts/sec, 0 bytes/sec
    5 minute drop rate, 0 pkts/sec
  Control Point Interface States:
    Interface number is 11
    Interface config status is active
    Interface state is active

See the following output for the show interface vni 1 command:

ciscoasa# show interface vni 1
Interface vni1 "vni-inside", is up, line protocol is up
  VTEP-NVE 1
  Segment-id 5001
  Tag-switching: disabled
  MTU: 1500
  MAC: aaaa.bbbb.1234
  IP address 192.168.0.1, subnet mask 255.255.255.0
  Multicast group 239.1.3.3
  Traffic Statistics for "vni-inside":
    235 packets input, 23606 bytes
    524 packets output, 32364 bytes
    14 packets dropped
    1 minute input rate 0 pkts/sec, 0 bytes/sec
    1 minute output rate 0 pkts/sec, 2 bytes/sec
    1 minute drop rate, 0 pkts/sec
    5 minute input rate 0 pkts/sec, 0 bytes/sec
    5 minute output rate 0 pkts/sec, 0 bytes/sec
    5 minute drop rate, 0 pkts/sec

See the following output for the show interface vni 1 summary command:

ciscoasa# show interface vni 1 summary
Interface vni1 "vni-inside", is up, line protocol is up
  VTEP-NVE 1
  Segment-id 5001
  Tag-switching: disabled
  MTU: 1500
  MAC: aaaa.bbbb.1234
  IP address 192.168.0.1, subnet mask 255.255.255.0
  Multicast group not configured

Related Commands

Command
    Description
allocate-interface
    Assigns interfaces and subinterfaces to a security context.
clear interface
    Clears counters for the show interface command.
delay
    Changes the delay metric for an interface.
interface
    Configures an interface and enters interface configuration mode.
nameif
    Sets the interface name.
show interface ip brief
    Shows the interface IP address and status.


show interface ip brief

To view interface IP addresses and status, use the show interface ip brief command in privileged EXEC mode.

show interface [physical_interface[.subinterface] | mapped_name | interface_name | vlan number] ip brief

Syntax Description

interface_name
    (Optional) Identifies the interface name set with the nameif command.
mapped_name
    (Optional) In multiple context mode, identifies the mapped name if it was assigned using the allocate-interface command.
physical_interface
    (Optional) Identifies the interface ID, such as gigabitethernet0/1. See the interface command for accepted values.
subinterface
    (Optional) Identifies an integer between 1 and 4294967293 designating a logical subinterface.
vlan number
    (Optional) For models with a built-in switch, such as the ASA 5505 adaptive security appliance, specifies the VLAN interface.

Defaults

If you do not specify an interface, the ASA shows all interfaces.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode       Firewall Mode              Security Context
                   Routed    Transparent      Single    Multiple
                                                        Context    System
Privileged EXEC    Yes       Yes (1)          Yes       Yes        —

1. Available for the Management 0/0 interface or subinterface only.

Command History

Release
    Modification
7.0(1)
    This command was added.
7.2(1)
    Support for VLAN interfaces and for the Management 0/0 interface or subinterface in transparent mode was added.

Usage Guidelines

In multiple context mode, if you mapped the interface ID in the allocate-interface command, you can only specify the mapped name or the interface name in a context.

See the “Examples” section for a description of the display output.

Examples

The following is sample output from the show interface ip brief command:

ciscoasa# show interface ip brief
Interface              IP-Address         OK?  Method  Status                 Protocol
Control0/0             127.0.1.1          YES  CONFIG  up                     up
GigabitEthernet0/0     209.165.200.226    YES  CONFIG  up                     up
GigabitEthernet0/1     unassigned         YES  unset   administratively down  down
GigabitEthernet0/2     10.1.1.50          YES  manual  administratively down  down
GigabitEthernet0/3     192.168.2.6        YES  DHCP    administratively down  down
Management0/0          209.165.201.3      YES  CONFIG  up

Table 7-8 shows each field description.

Table 7-8 show interface ip brief Fields

Field
    Description
Interface
    The interface ID or, in multiple context mode, the mapped name if you configured it using the allocate-interface command. If you show all interfaces, then information about the internal interface for the AIP SSM displays, if installed on the ASA. The internal interface is not user-configurable, and the information is for debugging purposes only.
IP-Address
    The interface IP address.
OK?
    This column is not currently used, and always shows “Yes.”
Method
    The method by which the interface received the IP address. Values include the following:
    • unset—No IP address configured.
    • manual—Configured in the running configuration.
    • CONFIG—Loaded from the startup configuration.
    • DHCP—Received from a DHCP server.
Status
    The administrative state, as follows:
    • up—The interface is not shut down.
    • administratively down—The interface is shut down with the shutdown command.
Protocol
    The line status, as follows:
    • up—A working cable is plugged into the network interface.
    • down—Either the cable is incorrect or not plugged into the interface connector.

Related Commands

Command
    Description
allocate-interface
    Assigns interfaces and subinterfaces to a security context.
interface
    Configures an interface and enters interface configuration mode.
ip address
    Sets the IP address for the interface or sets the management IP address for a transparent firewall.
nameif
    Sets the interface name.
show interface
    Displays the runtime status and statistics of interfaces.


show inventory

To display information about all of the Cisco products installed in the networking device that are assigned a product identifier (PID), version identifier (VID), and serial number (SN), use the show inventory command in user EXEC or privileged EXEC mode.

show inventory [mod_id]

Syntax Description

mod_id
    (Optional) Specifies the module ID or slot number, 0-3.

Defaults

If you do not specify a slot to show inventory for an item, the inventory information of all modules (including the power supply) is displayed.

Command Modes

The following table shows the modes in which you can enter the command.

Command Mode       Firewall Mode              Security Context
                   Routed    Transparent      Single    Multiple
                                                        Context    System
Privileged EXEC    Yes       Yes              —         —          Yes
User EXEC          Yes       Yes              —         —          Yes

Command History

Release
    Modification
7.0(1)
    Minor editorial changes.
8.4(2)
    The output for an SSP was added. In addition, support for a dual SSP installation was added.
8.6(1)
    The output for the ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X (the chassis, redundant power supplies, and I/O expansion card) was added.
9.1(1)
    The output for the ASA CX module was added.
Usage Guidelines

The show inventory command retrieves and displays inventory information about each Cisco product in the form of a UDI, which is a combination of three separate data elements: the product identifier (PID), the version identifier (VID), and the serial number (SN).

The PID is the name by which the product can be ordered; it has been historically called the “Product Name” or “Part Number.” This is the identifier that you use to order an exact replacement part.

The VID is the version of the product. Whenever a product has been revised, the VID is incremented according to a rigorous process derived from Telcordia GR-209-CORE, an industry guideline that governs product change notices.

The SN is the vendor-unique serialization of the product. Each manufactured product has a unique serial number assigned at the factory, which cannot be changed in the field. The serial number is the means by which to identify an individual, specific instance of a product. The serial number can be different lengths for the various components of the device.

The UDI refers to each product as an entity. Some entities, such as a chassis, have sub-entities like slots. Each entity appears on a separate line in a logically ordered presentation that is arranged hierarchically by Cisco entities.

Use the show inventory command without options to display a list of Cisco entities installed in the networking device that are assigned a PID. If a Cisco entity is not assigned a PID, that entity is not retrieved or displayed.

Note: When two SSPs are installed in the same chassis, the number of the module indicates the physical location of the module in the chassis. The chassis master is always the SSP installed in slot 0. Only those sensors with which the SSP is associated are displayed in the output. The term module in the output is equivalent to physical slot.
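Because the serial number cannot be changed in the field, the UDI is a natural input for a hardware-integrity check: record the PID/VID/SN of every entity when a device is commissioned and compare on each later collection, so a swapped chassis, module or storage device shows up as a serial mismatch. The following Python script is an added example (it is not part of this reference or of the ASA software) that parses text in the Name/DESCR and PID/VID/SN layout of the show inventory output and compares it against a stored baseline. The sample output and the baseline are constructed for the example, with made-up serial numbers; entities that report SN: N/A (the reference notes that some components have no electronic storage for these values) are reported as unverifiable rather than as mismatches.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the UDI layout of "show inventory". Entity names and PIDs
# follow the examples in this reference; the serial numbers are made up.
SAMPLE_SHOW_INVENTORY = """\
Name: "Chassis", DESCR: "ASA 5555-X with SW, 8 GE Data, 1 GE Mgmt"
PID: ASA5555           , VID: V01     , SN: FGL000000XX

Name: "power supply 1", DESCR: "ASA 5545-X/5555-X AC Power Supply"
PID: ASA-PWR-AC        , VID: N/A     , SN: 2CS0AA

Name: "module1", DESCR: "ASA 5545-X/5555-X Interface Card 6-port GE SFP, SX/LX"
PID: ASA-IC-6GE-SFP-C  , VID: N/A     , SN: N/A

Name: "Storage Device 1", DESCR: "Micron 128 GB SSD MLC, Model Number: C400-MTFDDAC128MAM"
PID: N/A               , VID: N/A     , SN: MXA000000YY
"""

# Constructed baseline recorded at commissioning: entity name -> expected serial number.
# The storage device serial differs on purpose so the check reports it.
EXAMPLE_BASELINE = {
    "Chassis": "FGL000000XX",
    "power supply 1": "2CS0AA",
    "module1": "N/A",
    "Storage Device 1": "MXA000000ZZ",
}

NAME_RE = re.compile(r'^Name:\s*"([^"]*)",\s*DESCR:\s*"([^"]*)"')
UDI_RE = re.compile(r"^PID:\s*(\S+)\s*,\s*VID:\s*(\S+)\s*,\s*SN:\s*(\S+)")


def parse_show_inventory(text: str) -> List[Dict[str, str]]:
    """Return one dict per entity: name, descr, pid, vid, sn (in display order)."""
    entities: List[Dict[str, str]] = []
    pending = None  # Name/DESCR line waiting for its PID/VID/SN line
    for raw in text.splitlines():
        line = raw.strip()
        m = NAME_RE.match(line)
        if m:
            pending = {"name": m.group(1), "descr": m.group(2)}
            continue
        m = UDI_RE.match(line)
        if m and pending is not None:
            pending.update(pid=m.group(1), vid=m.group(2), sn=m.group(3))
            entities.append(pending)
            pending = None
    return entities


def check_against_baseline(entities: List[Dict[str, str]],
                           baseline: Dict[str, str]) -> List[Tuple[str, str]]:
    """Compare reported serials with the baseline; return (entity, finding) pairs."""
    findings: List[Tuple[str, str]] = []
    seen = set()
    for e in entities:
        seen.add(e["name"])
        expected = baseline.get(e["name"])
        if expected is None:
            findings.append((e["name"], "not in baseline"))
        elif e["sn"] == "N/A":
            findings.append((e["name"], "serial not reported (unverifiable)"))
        elif e["sn"] != expected:
            findings.append((e["name"], f"serial mismatch: expected {expected}, got {e['sn']}"))
    for name in baseline:
        if name not in seen:
            findings.append((name, "missing from device"))
    return findings


if __name__ == "__main__":
    for entity, finding in check_against_baseline(
            parse_show_inventory(SAMPLE_SHOW_INVENTORY), EXAMPLE_BASELINE):
        print(f"{entity}: {finding}")
```

The baseline is keyed by the Name field because that is the stable handle for a slot; keying by serial would hide the case that matters most, a different unit sitting in the same slot.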
In the description of the SSP itself, the output includes module: 0 when it is installed in physical slot 0, and module: 1 otherwise. When the target SSP is the chassis master, the show inventory command output includes the power supplies and/or cooling fans. Otherwise, these components are omitted.

The serial number may not display because of hardware limitations on the ASA 5500-X series.

For the UDI display of the PCI-E I/O (NIC) option cards in these models, there are six possible outputs according to the chassis type, although there are only two different card types. This is because there are different PCI-E bracket assemblies used according to the specified chassis. The following examples show the expected outputs for each PCI-E I/O card assembly. For example, if a Silicom SFP NIC card is detected, the UDI display is determined by the device on which it is installed. The VID and S/N values are N/A, because there is no electronic storage of these values.

For a 6-port SFP Ethernet NIC card in an ASA 5512-X or 5515-X:

Name: "module1", DESCR: "ASA 5512-X/5515-X Interface Card 6-port GE SFP, SX/LX"
PID: ASA-IC-6GE-SFP-A , VID: N/A, SN: N/A

For a 6-port SFP Ethernet NIC card in an ASA 5525-X:

Name: "module1", DESCR: "ASA 5525-X Interface Card 6-port GE SFP, SX/LX"
PID: ASA-IC-6GE-SFP-B , VID: N/A, SN: N/A

For a 6-port SFP Ethernet NIC card in an ASA 5545-X or 5555-X:

Name: "module1", DESCR: "ASA 5545-X/5555-X Interface Card 6-port GE SFP, SX/LX"
PID: ASA-IC-6GE-SFP-C , VID: N/A, SN: N/A

For a 6-port Copper Ethernet NIC card in an ASA 5512-X or 5515-X:

Name: "module1", DESCR: "ASA 5512-X/5515-X Interface Card 6-port 10/100/1000, RJ-45"
PID: ASA-IC-6GE-CU-A , VID: N/A, SN: N/A

For a 6-port Copper Ethernet NIC card in an ASA 5525-X:

Name: "module1", DESCR: "ASA 5525-X Interface Card 6-port 10/100/1000, RJ-45"
PID: ASA-IC-6GE-CU-B , VID: N/A, SN: N/A

For a 6-port Copper Ethernet NIC card in an ASA 5545-X or 5555-X:

Name: "module1", DESCR: "ASA 5545-X/5555-X Interface Card 6-port 10/100/1000, RJ-45"
PID: ASA-IC-6GE-CU-C , VID: N/A, SN: N/A

Examples

The following is sample output from the show inventory command without any keywords or arguments. This sample output displays a list of Cisco entities installed in an ASA that are each assigned a PID, including a storage device used for an ASA CX module.

ciscoasa> show inventory
Name: "Chassis", DESCR: "ASA 5555-X with SW, 8 GE Data, 1 GE Mgmt"
PID: ASA5555 , VID: V01 , SN: FGL170441BU

Name: "power supply 1", DESCR: "ASA 5545-X/5555-X AC Power Supply"
PID: ASA-PWR-AC , VID: N/A , SN: 2CS1AX

Name: "Storage Device 1", DESCR: "Micron 128 GB SSD MLC, Model Number: C400-MTFDDAC128MAM"
PID: N/A , VID: N/A , SN: MXA174201RR

The following example shows the output of the show inventory command on a chassis master for a dual SSP installation:

ciscoasa(config)# show inventory
Name: "module 0", DESCR: "ASA 5585-X Security Services Processor-40 w 6GE,4 SFP+"
PID: ASA5585-SSP-40 , VID: V01 , SN: JAF1436ACLJ

Name: "Chassis", DESCR: "ASA 5585-X"
PID: ASA5585 , VID: V01 , SN: 123456789AB

Name: "fan", DESCR: "ASA 5585-X Fan Module"
PID: ASA5585-FAN , VID: V01 , SN: POG1434000G

Name: "power supply 0", DESCR: "ASA 5585-X AC Power Supply"
PID: ASA5585-PWR-AC , VID: V01 , SN: POG1434002K

Table 7-9 describes the fields shown in the display.

Table 7-9 Field Descriptions for show inventory

Field
    Description
Name
    Physical name (text string) assigned to the Cisco entity. For example, console, SSP, or a simple component number (port or module number), such as “1,” depending on the physical component naming syntax of the device. Equivalent to the entPhysicalName MIB variable in RFC 2737.
DESCR
    Physical description of the Cisco entity that characterizes the object. Equivalent to the entPhysicalDesc MIB variable in RFC 2737.
PID
    Entity product identifier. Equivalent to the entPhysicalModelName MIB variable in RFC 2737.
VID
    Entity version identifier. Equivalent to the entPhysicalHardwareRev MIB variable in RFC 2737.
SN
    Entity serial number. Equivalent to the entPhysicalSerialNum MIB variable in RFC 2737.

Related Commands

Command
    Description
show diag
    Displays diagnostic information about the controller, interface processor, and port adapters for a networking device.
show tech-support
    Displays general information about the router when it reports a problem.


show ip address

To view interface IP addresses or, for transparent mode, the management IP address, use the show ip address command in privileged EXEC mode.

show ip address [physical_interface[.subinterface] | mapped_name | interface_name | vlan number]

Syntax Description

interface_name
    (Optional) Identifies the interface name set with the nameif command.
mapped_name
    (Optional) In multiple context mode, identifies the mapped name if it was assigned using the allocate-interface command.
physical_interface
    (Optional) Identifies the interface ID, such as gigabitethernet0/1. See the interface command for accepted values.
subinterface
    (Optional) Identifies an integer between 1 and 4294967293 designating a logical subinterface.
vlan number
    (Optional) For models with a built-in switch, such as the ASA 5505 adaptive security appliance, specifies the VLAN interface.

Defaults

If you do not specify an interface, the ASA shows all interface IP addresses.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode       Firewall Mode              Security Context
                   Routed    Transparent      Single    Multiple
                                                        Context    System
Privileged EXEC    Yes       Yes              Yes       Yes        —

Command History

Release
    Modification
7.2(1)
    Support for VLAN interfaces was added.

Usage Guidelines

This command shows the primary IP addresses (called “System” in the display) for when you configure high availability, as well as the current IP addresses. If the unit is active, then the system and current IP addresses match. If the unit is standby, then the current IP addresses show the standby addresses.

Examples

The following is sample output from the show ip address command:

ciscoasa# show ip address
System IP Addresses:
Interface                Name        IP address        Subnet mask        Method
GigabitEthernet0/0       mgmt        10.7.12.100       255.255.255.0      CONFIG
GigabitEthernet0/1       inside      10.1.1.100        255.255.255.0      CONFIG
GigabitEthernet0/2.40    outside     209.165.201.2     255.255.255.224    DHCP
GigabitEthernet0/3       dmz         209.165.200.225   255.255.255.224    manual
Current IP Addresses:
Interface                Name        IP address        Subnet mask        Method
GigabitEthernet0/0       mgmt        10.7.12.100       255.255.255.0      CONFIG
GigabitEthernet0/1       inside      10.1.1.100        255.255.255.0      CONFIG
GigabitEthernet0/2.40    outside     209.165.201.2     255.255.255.224    DHCP
GigabitEthernet0/3       dmz         209.165.200.225   255.255.255.224    manual

Table 7-10 shows each field description.

Table 7-10 show ip address Fields

Field
    Description
Interface
    The interface ID or, in multiple context mode, the mapped name if you configured it using the allocate-interface command.
Name
    The interface name set with the nameif command.
IP address
    The interface IP address.
Subnet mask
    The IP address subnet mask.
Method
    The method by which the interface received the IP address. Values include the following:
    • unset—No IP address configured.
    • manual—Configured in the running configuration.
    • CONFIG—Loaded from the startup configuration.
    • DHCP—Received from a DHCP server.

Related Commands

Command
    Description
allocate-interface
    Assigns interfaces and subinterfaces to a security context.
interface
    Configures an interface and enters interface configuration mode.
nameif
    Sets the interface name.
show interface
    Displays the runtime status and statistics of interfaces.
show interface ip brief
    Shows the interface IP address and status.
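The usage guidelines above give a simple rule for reading this output on a high-availability pair: system and current addresses match on the active unit and differ on the standby unit. The following Python script is an added example (not part of this reference or of the ASA software) that parses text in the layout of the show ip address output into its System and Current tables, infers the unit's role from that rule, lists the interfaces whose addresses differ, and separately lists interfaces whose Method is manual, which the field table (and the identical Method column of show interface ip brief) defines as configured in the running configuration rather than loaded from the startup configuration; treating such an address as a change to review is this script's interpretation. The two sample outputs are constructed for the example from the documentation addresses used in this reference.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of the "show ip address" output above, as it
# would look on the standby unit: three current addresses differ from the system ones.
SAMPLE_STANDBY_UNIT = """\
System IP Addresses:
Interface                Name        IP address        Subnet mask        Method
GigabitEthernet0/0       mgmt        10.7.12.100       255.255.255.0      CONFIG
GigabitEthernet0/1       inside      10.1.1.100        255.255.255.0      CONFIG
GigabitEthernet0/2.40    outside     209.165.201.2     255.255.255.224    DHCP
GigabitEthernet0/3       dmz         209.165.200.225   255.255.255.224    manual
Current IP Addresses:
Interface                Name        IP address        Subnet mask        Method
GigabitEthernet0/0       mgmt        10.7.12.101       255.255.255.0      CONFIG
GigabitEthernet0/1       inside      10.1.1.101        255.255.255.0      CONFIG
GigabitEthernet0/2.40    outside     209.165.201.2     255.255.255.224    DHCP
GigabitEthernet0/3       dmz         209.165.200.226   255.255.255.224    manual
"""

# The same device as the active unit: current addresses equal the system addresses.
SAMPLE_ACTIVE_UNIT = (SAMPLE_STANDBY_UNIT
                      .replace("10.7.12.101", "10.7.12.100")
                      .replace("10.1.1.101", "10.1.1.100")
                      .replace("209.165.200.226", "209.165.200.225"))

# One table row: interface, nameif, IP, mask, method. The column-header line does
# not match because its third field is not a dotted-quad address.
ROW_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")


def parse_show_ip_address(text: str) -> Dict[str, Dict[str, dict]]:
    """Split the output into the "system" and "current" tables, keyed by interface ID."""
    tables: Dict[str, Dict[str, dict]] = {"system": {}, "current": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("System IP Addresses"):
            section = "system"
            continue
        if line.startswith("Current IP Addresses"):
            section = "current"
            continue
        m = ROW_RE.match(line)
        if section and m:
            iface, name, ip, mask, method = m.groups()
            tables[section][iface] = {"name": name, "ip": ip, "mask": mask, "method": method}
    return tables


def address_mismatches(tables: Dict[str, Dict[str, dict]]) -> List[str]:
    """Interfaces whose current address differs from the system (primary) address."""
    system, current = tables["system"], tables["current"]
    return sorted(i for i in system if current.get(i, {}).get("ip") != system[i]["ip"])


def infer_failover_role(tables: Dict[str, Dict[str, dict]]) -> str:
    """Rule from the usage guidelines: matching addresses mean active, differing mean standby."""
    return "active" if not address_mismatches(tables) else "standby"


def runtime_configured_addresses(tables: Dict[str, Dict[str, dict]]) -> List[str]:
    """Interfaces whose Method is "manual" (running configuration, not loaded from startup)."""
    return sorted(i for i, row in tables["system"].items() if row["method"] == "manual")


if __name__ == "__main__":
    for label, text in (("standby sample", SAMPLE_STANDBY_UNIT), ("active sample", SAMPLE_ACTIVE_UNIT)):
        t = parse_show_ip_address(text)
        print(label, "->", infer_failover_role(t), address_mismatches(t),
              "manual:", runtime_configured_addresses(t))
```

Comparing the two tables per interface rather than as whole blocks is deliberate: on a standby unit only interfaces with a configured standby address differ, so the mismatch list doubles as a check that every interface that should have a standby address actually has one.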
show ip address dhcp

To view detailed information about the DHCP lease or server for an interface, use the show ip address dhcp command in privileged EXEC mode.

show ip address {physical_interface[.subinterface] | mapped_name | interface_name} dhcp {lease | server}

show ip address {physical_interface[.subinterface] | mapped_name | interface_name} dhcp lease {proxy | server} {summary}

Syntax Description

interface_name
    Identifies the interface name set with the nameif command.
lease
    Shows information about the DHCP lease.
mapped_name
    In multiple context mode, identifies the mapped name if it was assigned using the allocate-interface command.
physical_interface
    Identifies the interface ID, such as gigabitethernet0/1. See the interface command for accepted values.
proxy
    Shows proxy entries in the IPL table.
server
    Shows server entries in the IPL table.
subinterface
    Identifies an integer between 1 and 4294967293 designating a logical subinterface.
summary
    Shows summary for the entry.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode       Firewall Mode              Security Context
                   Routed    Transparent      Single    Multiple
                                                        Context    System
Privileged EXEC    Yes       — (1)            Yes       Yes        —

1. Available for the Management 0/0 interface or subinterface only.

Command History

Release
    Modification
7.0(1)
    The lease and server keywords to accommodate the new server functionality were added.
7.2(1)
    Support for VLAN interfaces and for the Management 0/0 interface or subinterface in transparent mode was added.
9.1(4)
    The proxy and summary keywords to accommodate the new server functionality were added.

Usage Guidelines

See the “Examples” section for a description of the display output.
Examples

The following is sample output from the show ip address dhcp lease command:

ciscoasa# show ip address outside dhcp lease
Temp IP Addr:209.165.201.57 for peer on interface:outside
Temp sub net mask:255.255.255.224
DHCP Lease server:209.165.200.225, state:3 Bound
DHCP Transaction id:0x4123
Lease:259200 secs, Renewal:129600 secs, Rebind:226800 secs
Temp default-gateway addr:209.165.201.1
Temp ip static route0: dest 10.9.0.0 router 10.7.12.255
Next timer fires after:111797 secs
Retry count:0, Client-ID:cisco-0000.0000.0000-outside
Proxy: TRUE Proxy Network: 10.1.1.1
Hostname: device1

Table 7-11 shows each field description.

Table 7-11 show ip address dhcp lease Fields

Field
    Description
Temp IP Addr
    The IP address assigned to the interface.
Temp sub net mask
    The subnet mask assigned to the interface.
DHCP Lease server
    The DHCP server address.
state
    The state of the DHCP lease, as follows:
    • Initial—The initialization state, where the ASA begins the process of acquiring a lease. This state is also shown when a lease ends or when a lease negotiation fails.
    • Selecting—The ASA is waiting to receive DHCPOFFER messages from one or more DHCP servers, so it can choose one.
    • Requesting—The ASA is waiting to hear back from the server to which it sent its request.
    • Purging—The ASA is removing the lease because the client has released the IP address or there was some other error.
    • Bound—The ASA has a valid lease and is operating normally.
    • Renewing—The ASA is trying to renew the lease. It regularly sends DHCPREQUEST messages to the current DHCP server, and waits for a reply.
    • Rebinding—The ASA failed to renew the lease with the original server, and now sends DHCPREQUEST messages until it gets a reply from any server or the lease ends.
    • Holddown—The ASA started the process to remove the lease.
    • Releasing—The ASA sends release messages to the server indicating that the IP address is no longer needed.
DHCP transaction id
    A random number chosen by the client, used by the client and server to associate the request messages.

Table 7-11 show ip address dhcp lease Fields (continued)

Field
    Description
Lease
    The length of time, specified by the DHCP server, that the interface can use this IP address.
Renewal
    The length of time until the interface automatically attempts to renew this lease.
Rebind
    The length of time until the ASA attempts to rebind to a DHCP server. Rebinding occurs if the ASA cannot communicate with the original DHCP server, and 87.5 percent of the lease time has expired. The ASA then attempts to contact any available DHCP server by broadcasting DHCP requests.
Temp default-gateway addr
    The default gateway address supplied by the DHCP server.
Temp ip static route0
    The default static route.
Next timer fires after
    The number of seconds until the internal timer triggers.
Retry count
    If the ASA is attempting to establish a lease, this field shows the number of times the ASA tried sending a DHCP message. For example, if the ASA is in the Selecting state, this value shows the number of times the ASA sent discover messages. If the ASA is in the Requesting state, this value shows the number of times the ASA sent request messages.
Client-ID
    The client ID used in all communication with the server.
Proxy
    Specifies if this interface is a proxy DHCP client for VPN clients, True or False.
Proxy Network
    The requested network.
Hostname
    The client hostname.
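A lease that is anything but Bound with a zero retry count, or whose timers do not line up with the lease length, is worth an alert on an interface that carries the outside address. The following Python script is an added example (not part of this reference or of the ASA software) that parses the show ip address dhcp lease output into a dictionary and applies those checks. The sample text is the lease output shown above; in it Rebind is 87.5 percent of Lease, as the field table states, and Renewal is 50 percent of Lease, which is the usual DHCP T1 default (RFC 2131) rather than a value this reference documents, so the renewal check is the script's assumption.

```python
import re
from typing import Dict, List

# Sample taken from the "show ip address outside dhcp lease" output shown above.
SAMPLE_DHCP_LEASE = """\
Temp IP Addr:209.165.201.57 for peer on interface:outside
Temp sub net mask:255.255.255.224
DHCP Lease server:209.165.200.225, state:3 Bound
DHCP Transaction id:0x4123
Lease:259200 secs, Renewal:129600 secs, Rebind:226800 secs
Temp default-gateway addr:209.165.201.1
Temp ip static route0: dest 10.9.0.0 router 10.7.12.255
Next timer fires after:111797 secs
Retry count:0, Client-ID:cisco-0000.0000.0000-outside
Proxy: TRUE Proxy Network: 10.1.1.1
Hostname: device1
"""

# One pattern per line of interest; the named groups become keys of the parsed lease.
LINE_PATTERNS = [
    re.compile(r"^Temp IP Addr:(?P<ip>\S+) for peer on interface:(?P<interface>\S+)"),
    re.compile(r"^Temp sub net mask:(?P<mask>\S+)"),
    re.compile(r"^DHCP Lease server:(?P<server>[^,]+), state:(?P<state_num>\d+) (?P<state>\w+)"),
    re.compile(r"^DHCP Transaction id:(?P<xid>\S+)"),
    re.compile(r"^Lease:(?P<lease>\d+) secs, Renewal:(?P<renewal>\d+) secs, Rebind:(?P<rebind>\d+) secs"),
    re.compile(r"^Temp default-gateway addr:(?P<gateway>\S+)"),
    re.compile(r"^Next timer fires after:(?P<next_timer>\d+) secs"),
    re.compile(r"^Retry count:(?P<retries>\d+), Client-ID:(?P<client_id>\S+)"),
    re.compile(r"^Proxy: (?P<proxy>\w+)"),
    re.compile(r"^Hostname: (?P<hostname>\S+)"),
]
INT_FIELDS = {"state_num", "lease", "renewal", "rebind", "next_timer", "retries"}


def parse_dhcp_lease(text: str) -> Dict[str, object]:
    """Turn the lease display into a dict; numeric fields become ints."""
    lease: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        for pattern in LINE_PATTERNS:
            m = pattern.match(line)
            if m:
                for key, value in m.groupdict().items():
                    lease[key] = int(value) if key in INT_FIELDS else value
                break
    return lease


def check_dhcp_lease(lease: Dict[str, object]) -> List[str]:
    """Findings for a lease that is not healthy by the field descriptions above."""
    findings: List[str] = []
    if lease.get("state") != "Bound":
        findings.append(f"lease state is {lease.get('state')} rather than Bound")
    if lease.get("retries", 0) > 0:
        findings.append(f"{lease['retries']} DHCP message retries while acquiring the lease")
    total = lease.get("lease", 0)
    if total:
        # Rebind at 87.5 % of the lease is documented in the field table.
        if abs(lease["rebind"] - total * 0.875) > 1:
            findings.append("rebind timer is not 87.5 % of the lease length")
        # Renewal at 50 % is the usual DHCP T1 default (assumption, not ASA documentation).
        if abs(lease["renewal"] - total * 0.5) > 1:
            findings.append("renewal timer is not 50 % of the lease length")
    return findings


if __name__ == "__main__":
    parsed = parse_dhcp_lease(SAMPLE_DHCP_LEASE)
    print(parsed["interface"], parsed["ip"], parsed["state"], check_dhcp_lease(parsed) or "ok")
```

The state number before the state name is kept as state_num only for reference; the checks key on the name, which is what the field table defines.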
The following is sample output from the show ip address dhcp server command:

ciscoasa# show ip address outside dhcp server

DHCP server: ANY (255.255.255.255)
  Leases:   0
  Offers:   0   Requests: 0    Acks: 0    Naks: 0
  Declines: 0   Releases: 0    Bad:  0

DHCP server: 40.7.12.6
  Leases:   1
  Offers:   1   Requests: 17   Acks: 17   Naks: 0
  Declines: 0   Releases: 0    Bad:  0
  DNS0: 171.69.161.23, DNS1: 171.69.161.24
  WINS0: 172.69.161.23, WINS1: 172.69.161.23
  Subnet: 255.255.0.0  DNS Domain: cisco.com

Table 7-12 shows each field description.

Table 7-12 show ip address dhcp server Fields

Field        Description
DHCP server  The DHCP server address from which this interface obtained a lease. The top entry ("ANY") is the default server and is always present.
Leases       The number of leases obtained from the server. For an interface, the number of leases is typically 1. If the server is providing addresses for an interface that is running proxy for VPN, there will be several leases.
Offers       The number of offers from the server.
Requests     The number of requests sent to the server.
Acks         The number of acknowledgments received from the server.
Naks         The number of negative acknowledgments received from the server.
Declines     The number of declines received from the server.
Releases     The number of releases sent to the server.
Bad          The number of bad packets received from the server.
DNS0         The primary DNS server address obtained from the DHCP server.
DNS1         The secondary DNS server address obtained from the DHCP server.
WINS0        The primary WINS server address obtained from the DHCP server.
WINS1        The secondary WINS server address obtained from the DHCP server.
Subnet       The subnet address obtained from the DHCP server.
DNS Domain   The domain obtained from the DHCP server.

Related Commands

Command                  Description
interface                Configures an interface and enters interface configuration mode.
ip address dhcp          Sets the interface to obtain an IP address from a DHCP server.
nameif                   Sets the interface name.
show interface ip brief  Shows the interface IP address and status.
show ip address          Displays the IP addresses of interfaces.

show ip address pppoe
To view detailed information about the PPPoE connection, use the show ip address pppoe command in privileged EXEC mode.

show ip address {physical_interface[.subinterface] | mapped_name | interface_name | vlan number} pppoe

Syntax Description
interface_name      Identifies the interface name set with the nameif command.
mapped_name         In multiple context mode, identifies the mapped name if it was assigned using the allocate-interface command.
physical_interface  Identifies the interface ID, such as gigabitethernet0/1. See the interface command for accepted values.
subinterface        Identifies an integer between 1 and 4294967293 designating a logical subinterface.
vlan number         (Optional) For models with a built-in switch, such as the ASA 5505 adaptive security appliance, specifies the VLAN interface.

Defaults
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:

                 Firewall Mode           Security Context
                                                  Multiple
Command Mode     Routed   Transparent    Single   Context   System
Privileged EXEC  Yes      Yes (1)        Yes      Yes       --

1. Available for the Management 0/0 interface or subinterface only.

Command History
Release  Modification
7.2(1)   This command was added.

Usage Guidelines
See the "Examples" section for a description of the display output.

Examples
The following is sample output from the show ip address pppoe command:

ciscoasa# show ip address outside pppoe

Related Commands

Command                  Description
interface                Configures an interface and enters interface configuration mode.
ip address pppoe         Sets the interface to obtain an IP address from a PPPoE server.
nameif                   Sets the interface name.
show interface ip brief  Shows the interface IP address and status.
show ip address          Displays the IP addresses of interfaces.

show ip audit count
To show the number of signature matches when you apply an audit policy to an interface, use the show ip audit count command in privileged EXEC mode.

show ip audit count [global | interface interface_name]

Syntax Description
global                    (Default) Shows the number of matches for all interfaces.
interface interface_name  (Optional) Shows the number of matches for the specified interface.

Defaults
If you do not specify a keyword, this command shows the matches for all interfaces (global).

Command Modes
The following table shows the modes in which you can enter the command:

                 Firewall Mode           Security Context
                                                  Multiple
Command Mode     Routed   Transparent    Single   Context   System
Privileged EXEC  Yes      Yes            Yes      Yes       --

Command History
Release  Modification
7.0(1)   This command was added.

Usage Guidelines
To create an audit policy, use the ip audit name command, and to apply the policy, use the ip audit interface command. The counters are only a record that a signature matched; the action taken (alarm, drop, reset) is whatever the audit policy assigned to that signature class specifies.
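The following is an added example, not Cisco's code, that parses the show ip audit count output shown in the Examples section below and lists the signatures that have fired, attack signatures first. It assumes each counter row is printed as the signature ID, a type letter (I for an informational signature, A for an attack signature), the signature name and the count, as in the example; the sample input is constructed from that example with a few counts raised so that there is something to report.

```python
"""Parse 'show ip audit count' output and list the signatures that have
fired, attack signatures first. Each counter row is assumed to be printed
as: <signature id> <I|A> <signature name> <count>, with I marking an
informational signature and A an attack signature. The sample is
constructed from the example in this section with a few counts raised."""
import re

AUDIT_SAMPLE = """\
IP AUDIT GLOBAL COUNTERS
1000 I Bad IP Options List 0
1004 I Loose Source Route 0
1006 I Strict Source Route 3
2004 I ICMP Echo Request 10
2154 A Ping of Death 0
3040 A TCP No Flags 2
6190 A statd Buffer Overflow 0
IP AUDIT INTERFACE COUNTERS: inside
2004 I ICMP Echo Request 7
"""

ROW = re.compile(r"^\s*(\d{4})\s+([IA])\s+(.+?)\s+(\d+)\s*$")


def parse_audit_counts(text):
    """Return {section: [(id, kind, name, count), ...]}; the section key is
    'GLOBAL' or the interface name from an INTERFACE COUNTERS heading."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith("IP AUDIT GLOBAL COUNTERS"):
            current = "GLOBAL"
            sections[current] = []
        elif line.startswith("IP AUDIT INTERFACE COUNTERS:"):
            current = line.split(":", 1)[1].strip()
            sections[current] = []
        elif current is not None:
            m = ROW.match(line)
            if m:
                sid, kind, name, count = m.groups()
                sections[current].append((int(sid), kind, name, int(count)))
    return sections


def fired(sections, attack_only=False):
    """Rows with a non-zero count as (section, id, kind, name, count),
    attack signatures before informational ones."""
    hits = [(sec, sid, kind, name, n)
            for sec, rows in sections.items()
            for sid, kind, name, n in rows
            if n > 0 and (kind == "A" or not attack_only)]
    return sorted(hits, key=lambda h: (h[2] != "A", h[0], h[1]))
```

Run it over the captured command output after applying an audit policy; a non-zero attack row is worth correlating with the action the ip audit name policy assigns to attack signatures, since a policy set to alarm only will keep counting without dropping anything.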
Examples
The following is sample output from the show ip audit count command. The second column shows the signature type: I for informational signatures, A for attack signatures.

ciscoasa# show ip audit count
IP AUDIT GLOBAL COUNTERS
1000  I  Bad IP Options List          0
1001  I  Record Packet Route          0
1002  I  Timestamp                    0
1003  I  Provide s,c,h,tcc            0
1004  I  Loose Source Route           0
1005  I  SATNET ID                    0
1006  I  Strict Source Route          0
1100  A  IP Fragment Attack           0
1102  A  Impossible IP Packet         0
1103  A  IP Teardrop                  0
2000  I  ICMP Echo Reply              0
2001  I  ICMP Unreachable             0
2002  I  ICMP Source Quench           0
2003  I  ICMP Redirect                0
2004  I  ICMP Echo Request            10
2005  I  ICMP Time Exceed             0
2006  I  ICMP Parameter Problem       0
2007  I  ICMP Time Request            0
2008  I  ICMP Time Reply              0
2009  I  ICMP Info Request            0
2010  I  ICMP Info Reply              0
2011  I  ICMP Address Mask Request    0
2012  I  ICMP Address Mask Reply      0
2150  A  Fragmented ICMP              0
2151  A  Large ICMP                   0
2154  A  Ping of Death                0
3040  A  TCP No Flags                 0
3041  A  TCP SYN & FIN Flags Only     0
3042  A  TCP FIN Flag Only            0
3153  A  FTP Improper Address         0
3154  A  FTP Improper Port            0
4050  A  Bomb                         0
4051  A  Snork                        0
4052  A  Chargen                      0
6050  I  DNS Host Info                0
6051  I  DNS Zone Xfer                0
6052  I  DNS Zone Xfer High Port      0
6053  I  DNS All Records              0
6100  I  RPC Port Registration        0
6101  I  RPC Port Unregistration      0
6102  I  RPC Dump                     0
6103  A  Proxied RPC                  0
6150  I  ypserv Portmap Request       0
6151  I  ypbind Portmap Request       0
6152  I  yppasswdd Portmap Request    0
6153  I  ypupdated Portmap Request    0
6154  I  ypxfrd Portmap Request       0
6155  I  mountd Portmap Request       0
6175  I  rexd Portmap Request         0
6180  I  rexd Attempt                 0
6190  A  statd Buffer Overflow        0
IP AUDIT INTERFACE COUNTERS: inside
...

Related Commands

Command               Description
clear ip audit count  Clears the count of signature matches for an audit policy.
ip audit interface    Assigns an audit policy to an interface.
ip audit name         Creates a named audit policy that identifies the actions to take when a packet matches an attack signature or an informational signature.
show running-config ip audit attack  Shows the configuration for the ip audit attack command.

show ip verify statistics
To show the number of packets dropped because of the Unicast RPF feature, use the show ip verify statistics command in privileged EXEC mode. Use the ip verify reverse-path command to enable Unicast RPF.

show ip verify statistics [interface interface_name]

Syntax Description
interface interface_name  (Optional) Shows statistics for the specified interface.

Defaults
This command shows statistics for all interfaces.

Command Modes
The following table shows the modes in which you can enter the command:

                 Firewall Mode           Security Context
                                                  Multiple
Command Mode     Routed   Transparent    Single   Context   System
Privileged EXEC  Yes      --             Yes      Yes       --

Command History
Release  Modification
7.0(1)   This command was added.

Examples
The following is sample output from the show ip verify statistics command. A rising drop count on an interface means packets arrived there with source addresses that the routing table does not reach through that interface, which is the spoofing case Unicast RPF exists to stop:

ciscoasa# show ip verify statistics
interface outside: 2 unicast rpf drops
interface inside: 1 unicast rpf drops
interface intf2: 3 unicast rpf drops

Related Commands

Command                                   Description
clear configure ip verify reverse-path    Clears the ip verify reverse-path configuration.
clear ip verify statistics                Clears the Unicast RPF statistics.
ip verify reverse-path                    Enables the Unicast Reverse Path Forwarding feature to prevent IP spoofing.
show running-config ip verify reverse-path  Shows the ip verify reverse-path configuration.

show ips
To show all available IPS virtual sensors that are configured on the AIP SSM, use the show ips command in privileged EXEC mode.

show ips [detail]

Syntax Description
detail  (Optional) Shows the sensor ID number as well as the name.

Defaults
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:

                 Firewall Mode           Security Context
                                                  Multiple
Command Mode     Routed   Transparent    Single   Context   System
Privileged EXEC  Yes      Yes            Yes      Yes       Yes

Command History
Release  Modification
8.0(2)   This command was added.

Usage Guidelines
In multiple context mode, this command shows all virtual sensors when entered in the system execution space, but only shows the virtual sensors assigned to the context in the context execution space. See the allocate-ips command to assign virtual sensors to contexts.

Virtual sensors are available in IPS Version 6.0 and above.

Examples
The following is sample output from the show ips command:

ciscoasa# show ips
Sensor name
-----------
ips1
ips2

The following is sample output from the show ips detail command:

ciscoasa# show ips detail
Sensor name   Sensor ID
-----------   ---------
ips1          1
ips2          2

Related Commands

Command       Description
allocate-ips  Assigns a virtual sensor to a security context.
ips           Diverts traffic to the AIP SSM.

show ipsec sa
To display a list of IPsec SAs, use the show ipsec sa command in global configuration mode or privileged EXEC mode. You can also use the alternate form of this command: show crypto ipsec sa.

show ipsec sa [assigned-address hostname or IP address | entry | identity | inactive | map map-name | peer peer-addr] [detail]

Syntax Description
assigned-address  (Optional) Displays IPsec SAs for the specified hostname or IP address.
detail            (Optional) Adds the detailed error counters (invalid SA, failed decapsulation, verify failures, replay failures, and so on) to whatever form of the output is displayed.
entry             (Optional) Displays IPsec SAs sorted by peer address.
identity          (Optional) Displays IPsec SAs sorted by identity, without the ESP SA details. This is a condensed form.
inactive          (Optional) Displays IPsec SAs that are unable to pass traffic.
map map-name      (Optional) Displays IPsec SAs for the specified crypto map.
peer peer-addr    (Optional) Displays IPsec SAs for the specified peer IP addresses.
Defaults
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:

                      Firewall Mode           Security Context
                                                       Multiple
Command Mode          Routed   Transparent    Single   Context   System
Global configuration  Yes      Yes            Yes      Yes       --
Privileged EXEC       Yes      Yes            Yes      Yes       --

Command History
Release  Modification
7.0(1)   This command was added.
9.0(1)   Support for OSPFv3 and multiple context mode was added.
9.1(4)   Output was updated to show the assigned IPv6 address and to indicate the GRE Transport Mode security association when doing IKEv2 dual traffic.

Examples
The following example, entered in global configuration mode, displays IPsec SAs, including the assigned IPv6 address and the Transport Mode and GRE encapsulation indication. Note the transform in this and the following examples: esp-3des with esp-sha-hmac or esp-md5-hmac are legacy algorithms, and a practitioner reviewing this output today would expect to see AES and SHA-2 transforms instead.

ciscoasa(config)# show ipsec sa
interface: outside
    Crypto map tag: def, seq num: 1, local addr: 75.2.1.23

      local ident (addr/mask/prot/port): (75.2.1.23/255.255.255.255/47/0)
      remote ident (addr/mask/prot/port): (75.2.1.60/255.255.255.255/47/0)
      current_peer: 75.2.1.60, username: rashmi
      dynamic allocated peer ip: 65.2.1.100
      dynamic allocated peer ip(ipv6): 2001:1000::10

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 4

      local crypto endpt.: 75.2.1.23/4500, remote crypto endpt.: 75.2.1.60/64251
      path mtu 1342, ipsec overhead 62(44), override mtu 1280, media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: D9C00FC2
      current inbound spi : 4FCB6624

    inbound esp sas:
      spi: 0x4FCB6624 (1338730020)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Transport, NAT-T-Encaps, GRE, IKEv2, }
         slot: 0, conn_id: 8192, crypto-map: def
         sa timing: remaining key lifetime (sec): 28387
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x0003FFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xD9C00FC2 (3653242818)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Transport, NAT-T-Encaps, GRE, IKEv2, }
         slot: 0, conn_id: 8192, crypto-map: def
         sa timing: remaining key lifetime (sec): 28387
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

The following example, entered in global configuration mode, displays IPsec SAs, including an in-use setting that identifies a tunnel as OSPFv3.

ciscoasa(config)# show ipsec sa
interface: outside2
    Crypto map tag: def, local addr: 10.132.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.20.0.21/255.255.255.255/0/0)
      current_peer: 172.20.0.21
      dynamic allocated peer ip: 10.135.1.5

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1145, #pkts decrypt: 1145, #pkts verify: 1145
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 2, #pre-frag failures: 1, #fragments created: 10
      #PMTUs sent: 5, #PMTUs rcvd: 2, #decapsulated frags needing reassembly: 1
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.132.0.17, remote crypto endpt.: 172.20.0.21
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: DC15BF68

    inbound esp sas:
      spi: 0x1E8246FC (511854332)
         transform: esp-3des esp-md5-hmac
         in use settings ={L2L, Transport, Manual key (OSPFv3), }
         slot: 0, conn_id: 3, crypto-map: def
         sa timing: remaining key lifetime (sec): 548
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xDC15BF68 (3692412776)
         transform: esp-3des esp-md5-hmac
         in use settings ={L2L, Transport, Manual key (OSPFv3), }
         slot: 0, conn_id: 3, crypto-map: def
         sa timing: remaining key lifetime (sec): 548
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: def, local addr: 10.132.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
ciscoasa(config)#

Note: Fragmentation statistics are pre-fragmentation statistics if the IPsec SA policy states that fragmentation occurs before IPsec processing. Post-fragmentation statistics appear if the SA policy states that fragmentation occurs after IPsec processing.

The following example, entered in global configuration mode, displays IPsec SAs for a crypto map named def.

ciscoasa(config)# show ipsec sa map def
cryptomap: def
    Crypto map tag: def, local addr: 172.20.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)
      current_peer: 10.132.0.21
      dynamic allocated peer ip: 90.135.1.5

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1146, #pkts decrypt: 1146, #pkts verify: 1146
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: DC15BF68

    inbound esp sas:
      spi: 0x1E8246FC (511854332)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 3, crypto-map: def
         sa timing: remaining key lifetime (sec): 480
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xDC15BF68 (3692412776)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 3, crypto-map: def
         sa timing: remaining key lifetime (sec): 480
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: def, local addr: 172.20.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)
      current_peer: 10.135.1.8
      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 73672, #pkts encrypt: 73672, #pkts digest: 73672
      #pkts decaps: 78824, #pkts decrypt: 78824, #pkts verify: 78824
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 73672, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 3B6F6A35

    inbound esp sas:
      spi: 0xB32CF0BD (3006066877)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 4, crypto-map: def
         sa timing: remaining key lifetime (sec): 263
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x3B6F6A35 (997157429)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 4, crypto-map: def
         sa timing: remaining key lifetime (sec): 263
         IV size: 8 bytes
         replay detection support: Y
ciscoasa(config)#

The following example, entered in global configuration mode, shows IPsec SAs for the keyword entry.
ciscoasa(config)# show ipsec sa entry
peer address: 10.132.0.21
    Crypto map tag: def, local addr: 172.20.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)
      current_peer: 10.132.0.21
      dynamic allocated peer ip: 90.135.1.5

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1147, #pkts decrypt: 1147, #pkts verify: 1147
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: DC15BF68

    inbound esp sas:
      spi: 0x1E8246FC (511854332)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 3, crypto-map: def
         sa timing: remaining key lifetime (sec): 429
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xDC15BF68 (3692412776)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 3, crypto-map: def
         sa timing: remaining key lifetime (sec): 429
         IV size: 8 bytes
         replay detection support: Y

peer address: 10.135.1.8
    Crypto map tag: def, local addr: 172.20.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)
      current_peer: 10.135.1.8
      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 73723, #pkts encrypt: 73723, #pkts digest: 73723
      #pkts decaps: 78878, #pkts decrypt: 78878, #pkts verify: 78878
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 73723, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 3B6F6A35

    inbound esp sas:
      spi: 0xB32CF0BD (3006066877)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 4, crypto-map: def
         sa timing: remaining key lifetime (sec): 212
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x3B6F6A35 (997157429)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 4, crypto-map: def
         sa timing: remaining key lifetime (sec): 212
         IV size: 8 bytes
         replay detection support: Y
ciscoasa(config)#

The following example, entered in global configuration mode, shows IPsec SAs with the keywords entry detail. The detail form adds the per-SA error counters (invalid SA, failed encapsulation or decapsulation, verify failures, replay rollover and replay failures, internal errors), which are the counters to read first when a tunnel is up but traffic is not passing.

ciscoasa(config)# show ipsec sa entry detail
peer address: 10.132.0.21
    Crypto map tag: def, local addr: 172.20.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)
      current_peer: 10.132.0.21
      dynamic allocated peer ip: 90.135.1.5

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1148, #pkts decrypt: 1148, #pkts verify: 1148
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: DC15BF68

    inbound esp sas:
      spi: 0x1E8246FC (511854332)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 3, crypto-map: def
         sa timing: remaining key lifetime (sec): 322
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xDC15BF68 (3692412776)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 3, crypto-map: def
         sa timing: remaining key lifetime (sec): 322
         IV size: 8 bytes
         replay detection support: Y

peer address: 10.135.1.8
    Crypto map tag: def, local addr: 172.20.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)
      current_peer: 10.135.1.8
      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 73831, #pkts encrypt: 73831, #pkts digest: 73831
      #pkts decaps: 78989, #pkts decrypt: 78989, #pkts verify: 78989
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 73831, #pkts comp failed: 0, #pkts decomp failed: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 3B6F6A35

    inbound esp sas:
      spi: 0xB32CF0BD (3006066877)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 4, crypto-map: def
         sa timing: remaining key lifetime (sec): 104
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x3B6F6A35 (997157429)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 4, crypto-map: def
         sa timing: remaining key lifetime (sec): 104
         IV size: 8 bytes
         replay detection support: Y
ciscoasa(config)#

The following example shows IPsec SAs with the keyword identity.
ciscoasa(config)# show ipsec sa identity
interface: outside2
    Crypto map tag: def, local addr: 172.20.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)
      current_peer: 10.132.0.21
      dynamic allocated peer ip: 90.135.1.5

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1147, #pkts decrypt: 1147, #pkts verify: 1147
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: DC15BF68

    Crypto map tag: def, local addr: 172.20.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)
      current_peer: 10.135.1.8
      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 73756, #pkts encrypt: 73756, #pkts digest: 73756
      #pkts decaps: 78911, #pkts decrypt: 78911, #pkts verify: 78911
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 73756, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 3B6F6A35

The following example shows IPsec SAs with the keywords identity and detail.

ciscoasa(config)# show ipsec sa identity detail
interface: outside2
    Crypto map tag: def, local addr: 172.20.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)
      current_peer: 10.132.0.21
      dynamic allocated peer ip: 90.135.1.5

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1147, #pkts decrypt: 1147, #pkts verify: 1147
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: DC15BF68

    Crypto map tag: def, local addr: 172.20.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)
      current_peer: 10.135.1.8
      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 73771, #pkts encrypt: 73771, #pkts digest: 73771
      #pkts decaps: 78926, #pkts decrypt: 78926, #pkts verify: 78926
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 73771, #pkts comp failed: 0, #pkts decomp failed: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 3B6F6A35

The following example displays IPsec SAs selected by the IPv6 address assigned to the remote-access client:

ciscoasa(config)# show ipsec sa assigned-address 2001:1000::10
assigned address: 2001:1000::10
    Crypto map tag: def, seq num: 1, local addr: 75.2.1.23

      local ident (addr/mask/prot/port): (75.2.1.23/255.255.255.255/47/0)
      remote ident (addr/mask/prot/port): (75.2.1.60/255.255.255.255/47/0)
      current_peer: 75.2.1.60, username: rashmi
      dynamic allocated peer ip: 65.2.1.100
      dynamic allocated peer ip(ipv6): 2001:1000::10

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 326, #pkts decrypt: 326, #pkts verify: 326
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 35

      local crypto endpt.: 75.2.1.23/4500, remote crypto endpt.: 75.2.1.60/64251
      path mtu 1342, ipsec overhead 62(44), override mtu 1280, media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: D9C00FC2
      current inbound spi : 4FCB6624

    inbound esp sas:
      spi: 0x4FCB6624 (1338730020)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Transport, NAT-T-Encaps, GRE, IKEv2, }
         slot: 0, conn_id: 8192, crypto-map: def
         sa timing: remaining key lifetime (sec): 28108
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xD9C00FC2 (3653242818)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Transport, NAT-T-Encaps, GRE, IKEv2, }
         slot: 0, conn_id: 8192, crypto-map: def
         sa timing: remaining key lifetime (sec): 28108
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Related Commands

Command                       Description
clear configure isakmp        Clears all the ISAKMP configuration.
clear configure isakmp policy Clears all ISAKMP policy configuration.
clear isakmp sa               Clears the IKE runtime SA database.
isakmp enable                 Enables ISAKMP negotiation on the interface on which the IPsec peer communicates with the ASA.
show running-config isakmp    Displays all the active ISAKMP configuration.

show ipsec sa summary
To display a summary of IPsec SAs, use the show ipsec sa summary command in global configuration mode or privileged EXEC mode.

show ipsec sa summary

Syntax Description
This command has no arguments or keywords.

Defaults
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:

                      Firewall Mode           Security Context
                                                       Multiple
Command Mode          Routed   Transparent    Single   Context   System
Global configuration  Yes      Yes            Yes      Yes       --
Privileged EXEC       Yes      Yes            Yes      Yes       --

Command History
Release  Modification
7.0(1)   This command was added.
9.0(1)   Support for multiple context mode was added.

Examples
The following example, entered in global configuration mode, displays a summary of IPsec SAs by the following connection types:
- IPsec
- IPsec over UDP
- IPsec over NAT-T
- IPsec over TCP
- IPsec VPN load balancing

ciscoasa(config)# show ipsec sa summary
Current IPsec SA's:                 Peak IPsec SA's:
  IPsec            :     2            Peak Concurrent SA  :    14
  IPsec over UDP   :     2            Peak Concurrent L2L :     0
  IPsec over NAT-T :     4            Peak Concurrent RA  :    14
  IPsec over TCP   :     6
  IPsec VPN LB     :     0
  Total            :    14
ciscoasa(config)#

Related Commands

Command           Description
clear ipsec sa    Removes IPsec SAs entirely or based on specific parameters.
show ipsec sa     Displays a list of IPsec SAs.
show ipsec stats  Displays a list of IPsec statistics.
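The following is an added example, not Cisco's code, that turns the show ipsec sa output shown above into records and reviews them the way a practitioner reading the examples would: it flags legacy transforms (esp-des, esp-3des, esp-md5-hmac, esp-null), SAs whose replay detection support is N, SAs close to rekey, and entries with receive errors, and it tallies the RA, L2L, Tunnel, Transport and IKEv2 flags from the in use settings line, the same RA/L2L split that show ipsec sa summary reports as peak counts. The sample input is constructed from the map def example in this section; the second entry's transform, settings and replay flag are changed so that every check has something to report, and the 300-second rekey threshold is an arbitrary choice.

```python
"""Parse 'show ipsec sa' output into one record per crypto-map entry and
review it for legacy transforms, SAs without anti-replay support, SAs
close to rekey, and receive errors. It also tallies the RA/L2L and
Tunnel/Transport flags from the 'in use settings' line.

SA_SAMPLE is constructed from the 'map def' example in this section; the
second entry is altered so that every check fires."""
import re

SA_SAMPLE = """\
interface: outside2
    Crypto map tag: def, local addr: 172.20.0.17
      remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)
      current_peer: 10.132.0.21
      #pkts decaps: 1146, #pkts decrypt: 1146, #pkts verify: 1146
      #send errors: 0, #recv errors: 4
      current outbound spi: DC15BF68
    inbound esp sas:
      spi: 0x1E8246FC (511854332)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         sa timing: remaining key lifetime (sec): 480
         replay detection support: Y
    outbound esp sas:
      spi: 0xDC15BF68 (3692412776)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         sa timing: remaining key lifetime (sec): 480
         replay detection support: Y

    Crypto map tag: def, local addr: 172.20.0.17
      remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)
      current_peer: 10.135.1.8
      #send errors: 0, #recv errors: 0
    inbound esp sas:
      spi: 0xB32CF0BD (3006066877)
         transform: esp-aes-256 esp-sha-hmac
         in use settings ={L2L, Tunnel, IKEv2, }
         sa timing: remaining key lifetime (sec): 263
         replay detection support: N
"""

LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
SA_FIELDS = {
    "spi": r"spi: (0x[0-9A-Fa-f]+)",
    "transform": r"transform: ([^\n]+)",
    "settings": r"in use settings =\{([^}]*)\}",
    "lifetime": r"remaining key lifetime \(sec\): (\d+)",
    "replay": r"replay detection support: ([YN])",
}


def parse_ipsec_sa(text):
    """One dict per 'Crypto map tag:' entry, each with its inbound/outbound ESP SAs."""
    entries = []
    for chunk in re.split(r"(?m)^\s*Crypto map tag: ", text)[1:]:
        entry = {"map": chunk.split(",", 1)[0].strip(), "sas": []}
        m = re.search(r"current_peer: ([\d.:a-fA-F]+)", chunk)
        entry["peer"] = m.group(1) if m else None
        m = re.search(r"#recv errors: (\d+)", chunk)
        entry["recv_errors"] = int(m.group(1)) if m else 0
        for direction in ("inbound", "outbound"):
            # an SA block runs until the next 'inbound/outbound esp sas:' header or the end of the entry
            m = re.search(rf"{direction} esp sas:(.*?)(?=\n\s*(?:inbound|outbound) esp sas:|\Z)", chunk, re.S)
            if not m:
                continue
            sa = {"direction": direction}
            for key, pat in SA_FIELDS.items():
                mm = re.search(pat, m.group(1))
                sa[key] = mm.group(1).strip() if mm else None
            sa["settings"] = [s.strip() for s in (sa["settings"] or "").split(",") if s.strip()]
            sa["lifetime"] = int(sa["lifetime"]) if sa["lifetime"] else None
            entry["sas"].append(sa)
        entries.append(entry)
    return entries


def review(entries, rekey_warn_sec=300):
    """Human-readable findings; rekey_warn_sec is an arbitrary threshold."""
    findings = []
    for e in entries:
        who = f"{e['map']}/{e['peer']}"
        if e["recv_errors"]:
            findings.append(f"{who}: {e['recv_errors']} recv errors")
        for sa in e["sas"]:
            tag = f"{who} {sa['direction']} {sa['spi']}"
            weak = [a for a in (sa["transform"] or "").split() if a in LEGACY]
            if weak:
                findings.append(f"{tag}: legacy transform {' '.join(weak)}")
            if sa["replay"] == "N":
                findings.append(f"{tag}: anti-replay not supported")
            if sa["lifetime"] is not None and sa["lifetime"] < rekey_warn_sec:
                findings.append(f"{tag}: {sa['lifetime']} s to rekey")
    return findings


def summarize(entries):
    """Count SAs by the flags of interest in 'in use settings'."""
    counts = {"RA": 0, "L2L": 0, "Tunnel": 0, "Transport": 0, "IKEv2": 0}
    for e in entries:
        for sa in e["sas"]:
            for flag in sa["settings"]:
                if flag in counts:
                    counts[flag] += 1
    return counts
```

The identity form of the command omits the esp sas blocks, so parse_ipsec_sa returns entries with an empty sas list for it and only the receive-error check applies; use the plain or entry form when the transform and replay checks matter.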
Cisco ASA Series Command Reference, S Commands 7-86 Chapter show ipsec stats To display a list of IPsec statistics, use the show ipsec stats command in global configuration mode or privileged EXEC mode. show ipsec stats Syntax Description This command has no keywords or variables. Defaults No default behavior or values. Command Modes The following table shows the modes in which you can enter the command: Firewall Mode Security Context Multiple Command Mode Command History Usage Guidelines Routed Transparent Single Context System Global configuration • Yes • Yes • Yes • Yes — Privileged EXEC • Yes • Yes • Yes • Yes — Release Modification 7.0(1) This command was added. 9.0(1) ESPv3 statistics are shown with IPsec subsystems, and support for multiple context mode was added. The following table describes what the output entries indicate. Output Description IPsec Global Statistics This section pertains to the total number of IPsec tunnels that the ASA supports. Active tunnels The number of IPsec tunnels that are currently connected. Previous tunnels The number of IPsec tunnels that have been connected, including the active ones. Inbound This section pertains to inbound encrypted traffic that is received through IPsec tunnels. Bytes The number of bytes of encrypted traffic that has been received. Decompressed bytes The number of bytes of encrypted traffic that were received after decompression was performed, if applicable. This counter should always be equal to the previous one if compression is not enabled. Cisco ASA Series Command Reference, S Commands 7-87 Chapter Output (continued) Description (continued) Packets The number of encrypted IPsec packets that were received. Dropped packets The number of encrypted IPsec packets that were received and dropped because of errors. Replay failures The number of anti-replay failure that were detected on received, encrypted IPsec packets. 
    Authentications
        The number of successful authentications performed on received, encrypted IPsec packets.
    Authentication failures
        The number of authentication failures detected on received, encrypted IPsec packets.
    Decryptions
        The number of successful decryptions performed on received, encrypted IPsec packets.
    Decryption failures
        The number of decryption failures detected on received, encrypted IPsec packets.
    Decapsulated fragments needing reassembly
        The number of decrypted IPsec packets that include IP fragments to be reassembled.
    Outbound
        This section pertains to outbound cleartext traffic to be transmitted through IPsec tunnels.
    Bytes
        The number of bytes of cleartext traffic to be encrypted and transmitted through IPsec tunnels.
    Uncompressed bytes
        The number of bytes of uncompressed cleartext traffic to be encrypted and transmitted through IPsec tunnels. This counter should always be equal to the previous one if compression is not enabled.
    Packets
        The number of cleartext packets to be encrypted and transmitted through IPsec tunnels.
    Dropped packets
        The number of cleartext packets to be encrypted and transmitted through IPsec tunnels that have been dropped because of errors.
    Authentications
        The number of successful authentications performed on packets to be transmitted through IPsec tunnels.
    Authentication failures
        The number of authentication failures that were detected on packets to be transmitted through IPsec tunnels.
    Encryptions
        The number of successful encryptions that were performed on packets to be transmitted through IPsec tunnels.
    Encryption failures
        The number of encryption failures that were detected on packets to be transmitted through IPsec tunnels.
    Fragmentation successes
        The number of successful fragmentation operations that were performed as part of outbound IPsec packet transformation.
    Pre-fragmentation successes
        The number of successful prefragmentation operations that were performed as part of outbound IPsec packet transformation.
        Prefragmentation occurs before the cleartext packet is encrypted and encapsulated as one or more IPsec packets.
    Post-fragmentation successes
        The number of successful post-fragmentation operations that were performed as part of outbound IPsec packet transformation. Post-fragmentation occurs after the cleartext packet is encrypted and encapsulated as an IPsec packet, which results in multiple IP fragments. These fragments must be reassembled before decryption.
    Fragmentation failures
        The number of fragmentation failures that have occurred during outbound IPsec packet transformation.
    Pre-fragmentation failures
        The number of prefragmentation failures that have occurred during outbound IPsec packet transformation. Prefragmentation occurs before the cleartext packet is encrypted and encapsulated as one or more IPsec packets.
    Post-fragmentation failures
        The number of post-fragmentation failures that have occurred during outbound IPsec packet transformation. Post-fragmentation occurs after the cleartext packet is encrypted and encapsulated as an IPsec packet, which results in multiple IP fragments. These fragments must be reassembled before decryption.
    Fragments created
        The number of fragments that were created as part of IPsec transformation.
    PMTUs sent
        The number of path MTU messages that were sent by the IPsec system. IPsec sends a PMTU message to an inside host that is sending packets that are too large to be transmitted through an IPsec tunnel after encapsulation. The PMTU message is a request for the host to lower its MTU and send smaller packets for transmission through the IPsec tunnel.
    PMTUs recvd
        The number of path MTU messages that were received by the IPsec system. IPsec receives a path MTU message from a downstream network element if the packets it is sending through the tunnel are too large to traverse that network element.
        IPsec will usually lower its tunnel MTU when a path MTU message is received.
    Protocol failures
        The number of malformed IPsec packets that have been received.
    Missing SA failures
        The number of IPsec operations that have been requested for which the specified IPsec security association does not exist.
    System capacity failures
        The number of IPsec operations that cannot be completed because the capacity of the IPsec system is not high enough to support the data rate.

Examples
    The following example, entered in global configuration mode, displays IPsec statistics:

    ciscoasa(config)# show ipsec stats

    IPsec Global Statistics
    -----------------------
    Active tunnels: 2
    Previous tunnels: 9
    Inbound
        Bytes: 4933013
        Decompressed bytes: 4933013
        Packets: 80348
        Dropped packets: 0
        Replay failures: 0
        Authentications: 80348
        Authentication failures: 0
        Decryptions: 80348
        Decryption failures: 0
        Decapsulated fragments needing reassembly: 0
    Outbound
        Bytes: 4441740
        Uncompressed bytes: 4441740
        Packets: 74029
        Dropped packets: 0
        Authentications: 74029
        Authentication failures: 0
        Encryptions: 74029
        Encryption failures: 0
        Fragmentation successes: 3
        Pre-fragmentation successes: 2
        Post-fragmentation successes: 1
        Fragmentation failures: 2
        Pre-fragmentation failures: 1
        Post-fragmentation failures: 1
        Fragments created: 10
        PMTUs sent: 1
        PMTUs recvd: 2
    Protocol failures: 0
    Missing SA failures: 0
    System capacity failures: 0
    ciscoasa(config)#

Related Commands
    Command                      Description
    clear ipsec sa               Clears IPsec SAs or counters based on specified parameters.
    crypto ipsec transform-set   Defines a transform set.
    show ipsec sa                Displays IPsec SAs based on specified parameters.
    show ipsec sa summary        Displays a summary of IPsec SAs.
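The counters described above are the ones a responder polls when a tunnel is suspected of carrying replayed, forged or undecryptable traffic. The following Python is an added example, not Cisco code and not part of this reference: it parses the show ipsec stats output shown above (retyped here as a constructed string; the indentation of the Inbound and Outbound blocks is an assumption), reports the counters whose non-zero value indicates dropped, replayed or integrity-failed IPsec packets, checks the two equalities the reference states for the compression counters, and diffs two polls so that only counters that grew are reported. The grouping into "security" versus "operational" counters is this example's own policy.

```python
"""Health checks over 'show ipsec stats' output.

Added example; this is not Cisco code. SAMPLE_SHOW_IPSEC_STATS is the output
from this reference retyped as a constructed string (the indentation is an
assumption); the counter groupings and the 'security alert' policy are this
example's own, derived from the counter descriptions in the reference.
"""
import re

SAMPLE_SHOW_IPSEC_STATS = """\
IPsec Global Statistics
-----------------------
Active tunnels: 2
Previous tunnels: 9
Inbound
    Bytes: 4933013
    Decompressed bytes: 4933013
    Packets: 80348
    Dropped packets: 0
    Replay failures: 0
    Authentications: 80348
    Authentication failures: 0
    Decryptions: 80348
    Decryption failures: 0
    Decapsulated fragments needing reassembly: 0
Outbound
    Bytes: 4441740
    Uncompressed bytes: 4441740
    Packets: 74029
    Dropped packets: 0
    Authentications: 74029
    Authentication failures: 0
    Encryptions: 74029
    Encryption failures: 0
    Fragmentation successes: 3
    Pre-fragmentation successes:2
    Post-fragmentation successes: 1
    Fragmentation failures: 2
    Pre-fragmentation failures:1
    Post-fragmentation failures: 1
    Fragments created: 10
    PMTUs sent: 1
    PMTUs recvd: 2
Protocol failures: 0
Missing SA failures: 0
System capacity failures: 0
"""

# "<name>: <integer>"; the ASA prints some counters with no space after the colon.
COUNTER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?):\s*(\d+)\s*$")

# Printed after the Outbound block, but these are system-wide counters.
GLOBAL_TAIL = {"Protocol failures", "Missing SA failures", "System capacity failures"}

# Counters whose non-zero value means dropped, replayed, forged or undecryptable
# IPsec traffic (fragmentation and PMTU counters are operational, not listed).
SECURITY_COUNTERS = {
    "inbound": ("Replay failures", "Authentication failures",
                "Decryption failures", "Dropped packets"),
    "outbound": ("Authentication failures", "Encryption failures"),
    "global": ("Protocol failures", "Missing SA failures", "System capacity failures"),
}


def parse_ipsec_stats(text):
    """Return {'global': {...}, 'inbound': {...}, 'outbound': {...}} of int counters."""
    stats = {"global": {}, "inbound": {}, "outbound": {}}
    section = "global"
    for line in text.splitlines():
        label = line.strip()
        if label in ("Inbound", "Outbound"):
            section = label.lower()
            continue
        m = COUNTER_RE.match(line)
        if not m:
            continue  # title, rule line, prompt
        name, value = m.group(1), int(m.group(2))
        stats["global" if name in GLOBAL_TAIL else section][name] = value
    return stats


def security_alerts(stats, compression_enabled=False):
    """Human-readable list of counters a responder should look at."""
    alerts = []
    for section, names in SECURITY_COUNTERS.items():
        for name in names:
            value = stats[section].get(name, 0)
            if value > 0:
                alerts.append(f"{section}: {name} = {value}")
    if not compression_enabled:
        # The reference states these pairs must be equal when compression is off.
        inb, outb = stats["inbound"], stats["outbound"]
        if inb.get("Bytes") != inb.get("Decompressed bytes"):
            alerts.append("inbound: Bytes != Decompressed bytes with compression disabled")
        if outb.get("Bytes") != outb.get("Uncompressed bytes"):
            alerts.append("outbound: Bytes != Uncompressed bytes with compression disabled")
    return alerts


def counter_deltas(before, after):
    """Counters that grew between two polls, keyed by (section, name)."""
    deltas = {}
    for section, counters in after.items():
        for name, value in counters.items():
            grew = value - before.get(section, {}).get(name, 0)
            if grew > 0:
                deltas[(section, name)] = grew
    return deltas
```

Poll the command twice and feed both parses to counter_deltas(): a tunnel that is passing traffic will always grow Packets, Authentications and Encryptions, so only the failure counters in the delta are interesting. Pass compression_enabled=True when a transform set with compression is configured, otherwise the equality checks would report a false mismatch.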
CHAPTER 8
show ipv6 access-list through show ipv6 traffic Commands

show ipv6 access-list

To display the IPv6 access list, use the show ipv6 access-list command in privileged EXEC mode. The IPv6 access list determines what IPv6 traffic can pass through the ASA.

    show ipv6 access-list [id [source-ipv6-prefix/prefix-length | any | host source-ipv6-address]]

Syntax Description
    any
        (Optional) An abbreviation for the IPv6 prefix ::/0.
    host source-ipv6-address
        (Optional) IPv6 address of a specific host. When provided, only the access rules for the specified host are displayed.
    id
        (Optional) The access list name. When provided, only the specified access list is displayed.
    source-ipv6-prefix/prefix-length
        (Optional) IPv6 network address and prefix. When provided, only the access rules for the specified IPv6 network are displayed.

Defaults
    Displays all IPv6 access lists.

Command Modes
    The following table shows the modes in which you can enter the command:

    Command Mode             Routed   Transparent   Single   Multiple/Context   Multiple/System
    Privileged EXEC          Yes      —             Yes      Yes                —

Command History
    Release   Modification
    7.0(1)    This command was added.

Usage Guidelines
    The show ipv6 access-list command provides output similar to the show ip access-list command, except that it is IPv6-specific.

Examples
    The following is sample output from the show ipv6 access-list command. It shows IPv6 access lists named inbound, tcptraffic, and outbound.
    ciscoasa# show ipv6 access-list
    IPv6 access list inbound
        permit tcp any any eq bgp reflect tcptraffic (8 matches) sequence 10
        permit tcp any any eq telnet reflect tcptraffic (15 matches) sequence 20
        permit udp any any reflect udptraffic sequence 30
    IPv6 access list tcptraffic (reflexive) (per-user)
        permit tcp host 2001:0DB8:1::1 eq bgp host 2001:0DB8:1::2 eq 11000 timeout 300 (time left 243) sequence 1
        permit tcp host 2001:0DB8:1::1 eq telnet host 2001:0DB8:1::2 eq 11001 timeout 300 (time left 296) sequence 2
    IPv6 access list outbound
        evaluate udptraffic
        evaluate tcptraffic

Related Commands
    Command            Description
    ipv6 access-list   Creates an IPv6 access list.

show ipv6 dhcprelay binding

To display the relay binding entries created by the relay agent, use the show ipv6 dhcprelay binding command in privileged EXEC mode.

    show ipv6 dhcprelay binding

Syntax Description
    This command has no keywords or variables.

Defaults
    No default behavior or values.

Command Modes
    The following table shows the modes in which you can enter the command:

    Command Mode             Routed   Transparent   Single   Multiple/Context   Multiple/System
    Privileged EXEC          Yes      —             Yes      Yes                —

Command History
    Release   Modification
    9.0(1)    This command was added.

Usage Guidelines
    The show ipv6 dhcprelay binding command allows you to check the relay binding entries that the relay agent has created.

Examples
    The following is sample output from the show ipv6 dhcprelay binding command:

    ciscoasa# show ipv6 dhcprelay binding
    1 in use, 2 most used
    Client: fe80::204:23ff:febb:b094 (inside)
      DUID: 000100010f9a59d1000423bbb094, Timeout in 60 seconds

    The binding above was created for the client with link-local address fe80::204:23ff:febb:b094 on the inside interface, using the DHCPv6 DUID 000100010f9a59d1000423bbb094, and will time out in 60 seconds. There is a limit of 1000 bindings for each context.
Related Commands
    Command                          Description
    show ipv6 dhcprelay statistics   Shows the IPv6 DHCP relay agent information.

show ipv6 dhcprelay statistics

To display the IPv6 DHCP relay agent statistics, use the show ipv6 dhcprelay statistics command in privileged EXEC mode.

    show ipv6 dhcprelay statistics

Syntax Description
    This command has no keywords or variables.

Defaults
    No default behavior or values.

Command Modes
    The following table shows the modes in which you can enter the command:

    Command Mode             Routed   Transparent   Single   Multiple/Context   Multiple/System
    Privileged EXEC          Yes      —             Yes      Yes                —

Command History
    Release   Modification
    9.0(1)    This command was added.

Usage Guidelines
    The show ipv6 dhcprelay statistics command allows you to view IPv6 DHCP relay agent information.

Examples
    The following is sample output from the show ipv6 dhcprelay statistics command:

    ciscoasa# show ipv6 dhcprelay statistics

    Relay Messages:
            SOLICIT                       1
            ADVERTISE                     2
            REQUEST                       1
            CONFIRM                       1
            RENEW                       496
            REBIND                        0
            REPLY                       498
            RELEASE                       0
            DECLINE                       0
            RECONFIGURE                   0
            INFORMATION-REQUEST           0
            RELAY-FORWARD               499
            RELAY-REPLY                 500

    Relay Errors:
            Malformed message:                          0
            Block allocation/duplication failures:      0
            Hop count limit exceeded:                   0
            Forward binding creation failures:          0
            Reply binding lookup failures:              0
            No output route:                            0
            Conflict relay server route:                0
            Failed to add server NP rule:               0
            Unit or context is not active:              0

    Total Relay Bindings Created:                     498

Related Commands
    Command                       Description
    show ipv6 dhcprelay binding   Shows the relay binding entries created by the relay agent.

show ipv6 interface

To display the status of interfaces configured for IPv6, use the show ipv6 interface command in privileged EXEC mode.
    show ipv6 interface [brief] [if_name [prefix]]

Syntax Description
    brief
        (Optional) Displays a brief summary of IPv6 status and configuration for each interface.
    if_name
        (Optional) The internal or external interface name, as designated by the nameif command. The status and configuration for only the designated interface is shown.
    prefix
        (Optional) Prefix generated from a local IPv6 prefix pool. The prefix is the network portion of the IPv6 address.

Defaults
    Displays all IPv6 interfaces.

Command Modes
    The following table shows the modes in which you can enter the command:

    Command Mode             Routed   Transparent   Single   Multiple/Context   Multiple/System
    Privileged EXEC          Yes      —             Yes      Yes                —

Command History
    Release   Modification
    7.0(1)    This command was added.

Usage Guidelines
    The show ipv6 interface command provides output similar to the show interface command, except that it is IPv6-specific. If the interface hardware is usable, the interface is marked up. If the interface can provide two-way communication, the line protocol is marked up.

    When an interface name is not specified, information on all IPv6 interfaces is displayed. Specifying an interface name displays information about the specified interface.
Examples
    The following is sample output from the show ipv6 interface command:

    ciscoasa# show ipv6 interface outside
    interface ethernet0 "outside" is up, line protocol is up
      IPv6 is enabled, link-local address is 2001:0DB8::/29 [TENTATIVE]
      Global unicast address(es):
        2000::2, subnet is 2000::/64
      Joined group address(es):
        FF02::1
        FF02::1:FF11:6770
      MTU is 1500 bytes
      ND DAD is enabled, number of DAD attempts: 1
      ND reachable time is 30000 milliseconds
      ND advertised reachable time is 0 milliseconds
      ND advertised retransmit interval is 0 milliseconds
      ND router advertisements are sent every 200 seconds
      ND router advertisements live for 1800 seconds

    The following is sample output from the show ipv6 interface command when entered with the brief keyword:

    ciscoasa# show ipv6 interface brief
    outside [up/up]
        unassigned
    inside [up/up]
        fe80::20d:29ff:fe1d:69f0
        fec0::a:0:0:a0a:a70
    vlan101 [up/up]
        fe80::20d:29ff:fe1d:69f0
        fec0::65:0:0:a0a:6570
    dmz-ca [up/up]
        unassigned

    The following is sample output from the show ipv6 interface command. It shows the characteristics of an interface which has generated a prefix from an address.

    ciscoasa# show ipv6 interface inside prefix
    IPv6 Prefix Advertisements inside
    Codes: A - Address, P - Prefix-Advertisement, O - Pool
           U - Per-user prefix, D - Default
           N - Not advertised, C - Calendar

    AD  fec0:0:0:a::/64 [LA] Valid lifetime 2592000, preferred lifetime 604800

show ipv6 mld traffic

To display the Multicast Listener Discovery (MLD) traffic counter information, use the show ipv6 mld traffic command in privileged EXEC mode.

    show ipv6 mld traffic

Syntax Description
    This command has no keywords or variables.

Defaults
    No default behavior or values.
Command Modes
    The following table shows the modes in which you can enter the command:

    Command Mode             Routed   Transparent   Single   Multiple/Context   Multiple/System
    Privileged EXEC          Yes      —             Yes      Yes                —

Command History
    Release   Modification
    7.2(4)    This command was added.

Usage Guidelines
    The show ipv6 mld traffic command allows you to check whether the expected number of MLD messages have been received and sent. The following information is provided by the show ipv6 mld traffic command:

    • Elapsed time since counters cleared—The amount of time since the counters were cleared.
    • Valid MLD Packets—The number of valid MLD packets that are received and sent.
    • Queries—The number of valid queries that are received and sent.
    • Reports—The number of valid reports that are received and sent.
    • Leaves—The number of valid leaves received and sent.
    • Mtrace packets—The number of multicast trace packets that are received and sent.
    • Errors—The types of errors and the number of errors that have occurred.

Examples
    The following is sample output from the show ipv6 mld traffic command:

    ciscoasa# show ipv6 mld traffic
    MLD Traffic Counters
    Elapsed time since counters cleared: 00:01:19
                                  Received    Sent
    Valid MLD Packets                    1       3
    Queries                              1       0
    Reports                              0       0
    Leaves                               0       3
    Mtrace packets                       0       0
    Errors:
    Malformed Packets                    0
    Martian source                       0
    Non link-local source                0
    Hop limit is not equal to 1          0

Related Commands
    Command                  Description
    clear ipv6 mld traffic   Resets all MLD traffic counters.

show ipv6 neighbor

To display the IPv6 neighbor discovery cache information, use the show ipv6 neighbor command in privileged EXEC mode.

    show ipv6 neighbor [if_name | address]

Syntax Description
    address
        (Optional) Displays neighbor discovery cache information for the supplied IPv6 address only.
    if_name
        (Optional) Displays cache information for the supplied interface name only, as configured by the nameif command.

Defaults
    No default behavior or values.

Command Modes
    The following table shows the modes in which you can enter the command:

    Command Mode             Routed   Transparent   Single   Multiple/Context   Multiple/System
    Privileged EXEC          Yes      —             Yes      Yes                —

Command History
    Release   Modification
    7.0(1)    This command was added.

Usage Guidelines
    The following information is provided by the show ipv6 neighbor command:

    • IPv6 Address—The IPv6 address of the neighbor or interface.
    • Age—The time (in minutes) since the address was confirmed to be reachable. A hyphen (-) indicates a static entry.
    • Link-layer Addr—The MAC address. If the address is unknown, a hyphen (-) is displayed.
    • State—The state of the neighbor cache entry.

      Note: Reachability detection is not applied to static entries in the IPv6 neighbor discovery cache; therefore, the descriptions for the INCMP (Incomplete) and REACH (Reachable) states are different for dynamic and static cache entries.

      The following are possible states for dynamic entries in the IPv6 neighbor discovery cache:

      – INCMP—(Incomplete) Address resolution is being performed on the entry. A neighbor solicitation message has been sent to the solicited-node multicast address of the target, but the corresponding neighbor advertisement message has not yet been received.
      – REACH—(Reachable) Positive confirmation was received within the last ReachableTime milliseconds that the forward path to the neighbor was functioning properly. While in REACH state, the device takes no special action as packets are sent.
      – STALE—More than ReachableTime milliseconds have elapsed since the last positive confirmation was received that the forward path was functioning properly. While in STALE state, the device takes no action until a packet is sent.
      – DELAY—More than ReachableTime milliseconds have elapsed since the last positive confirmation was received that the forward path was functioning properly, and a packet was sent within the last DELAY_FIRST_PROBE_TIME seconds. If no reachability confirmation is received within DELAY_FIRST_PROBE_TIME seconds of entering the DELAY state, a neighbor solicitation message is sent and the state changes to PROBE.
      – PROBE—A reachability confirmation is actively sought by resending neighbor solicitation messages every RetransTimer milliseconds until a reachability confirmation is received.
      – ????—Unknown state.

      The following are possible states for static entries in the IPv6 neighbor discovery cache:

      – INCMP—(Incomplete) The interface for this entry is down.
      – REACH—(Reachable) The interface for this entry is up.

    • Interface—The interface from which the address was reachable.

Examples
    The following is sample output from the show ipv6 neighbor command when entered with an interface:

    ciscoasa# show ipv6 neighbor inside
    IPv6 Address                 Age  Link-layer Addr  State  Interface
    2000:0:0:4::2                  0  0003.a0d6.141e   REACH  inside
    FE80::203:A0FF:FED6:141E       0  0003.a0d6.141e   REACH  inside
    3001:1::45a                    -  0002.7d1a.9472   REACH  inside

    The following is sample output from the show ipv6 neighbor command when entered with an IPv6 address:

    ciscoasa# show ipv6 neighbor 2000:0:0:4::2
    IPv6 Address                 Age  Link-layer Addr  State  Interface
    2000:0:0:4::2                  0  0003.a0d6.141e   REACH  inside

Related Commands
    Command               Description
    clear ipv6 neighbors  Deletes all entries in the IPv6 neighbor discovery cache, except static entries.
    ipv6 neighbor         Configures a static entry in the IPv6 neighbor discovery cache.

show ipv6 ospf

To display general information about OSPFv3 routing processes, use the show ipv6 ospf command in user EXEC or privileged EXEC mode.

    show ipv6 ospf [process_id] [area_id]

Syntax Description
    area_id
        (Optional) Shows information about a specified area only.
    process_id
        (Optional) Specifies an internal ID that is locally assigned and can be any positive integer. This ID is the number assigned administratively when the OSPFv3 routing process is enabled.

Defaults
    No default behavior or values.

Command Modes
    The following table shows the modes in which you can enter the command:

    Command Mode             Routed   Transparent   Single   Multiple/Context   Multiple/System
    Privileged EXEC          Yes      —             Yes      —                  —
    User EXEC                Yes      —             Yes      —                  —

Command History
    Release   Modification
    9.0(1)    This command was added.

Usage Guidelines
    The show ipv6 ospf command lists the following settings:

    • Event logging
    • Router type
    • Redistribution route type
    • SPF schedule delay
    • Hold time between two consecutive SPFs
    • Wait time between two consecutive SPFs
    • Minimum LSA interval
    • Minimum LSA arrival

Examples
    The following is sample output from the show ipv6 ospf command:

    ciscoasa# show ipv6 ospf
    Routing Process "ospfv3 1" with ID 10.9.4.1
    Event-log enabled, Maximum number of events: 1000, Mode: cyclic
    It is an autonomous system boundary router
    Redistributing External Routes from,
        ospf 2
    Initial SPF schedule delay 5000 msecs
    Minimum hold time between two consecutive SPFs 10000 msecs
    Maximum wait time between two consecutive SPFs 10000 msecs
    Minimum LSA interval 5 secs
    Minimum LSA arrival 1000 msecs

Related Commands
    Command                        Description
    show ipv6 ospf border-routers  Shows the internal OSPFv3 routing table entries to an area border router (ABR) and an autonomous system boundary router (ASBR).
    show ipv6 ospf database        Shows lists of information related to the OSPFv3 database for a specific router.
show ipv6 ospf border-routers

To display the internal OSPFv3 routing table entries to an area border router (ABR) and an autonomous system boundary router (ASBR), use the show ipv6 ospf border-routers command in user EXEC or privileged EXEC mode.

    show ipv6 ospf [process_id] border-routers

Syntax Description
    process_id
        (Optional) Specifies an internal ID that is locally assigned and can be any positive integer. This ID is the number assigned administratively when the OSPFv3 routing process is enabled.

Defaults
    No default behavior or values.

Command Modes
    The following table shows the modes in which you can enter the command:

    Command Mode             Routed   Transparent   Single   Multiple/Context   Multiple/System
    Privileged EXEC          Yes      —             Yes      —                  —
    User EXEC                Yes      —             Yes      —                  —

Command History
    Release   Modification
    9.0(1)    This command was added.

Usage Guidelines
    The show ipv6 ospf border-routers command lists the following settings:

    • Intra-area route
    • Inter-area route
    • IPv6 address
    • Interface type
    • Area ID
    • SPF number

Examples
    The following is sample output from the show ipv6 ospf border-routers command:

    ciscoasa# show ipv6 ospf border-routers
    OSPFv3 Process 1 internal Routing Table

    Codes: i - Intra-area route, I - Inter-area route

    i 172.16.4.4 [2] via FE80::205:5FFF:FED3:5808, FastEthernet0/0, ABR, Area 1, SPF 13
    i 172.16.4.4 [1] via FE80::205:5FFF:FED3:5406, POS4/0, ABR, Area 0, SPF 8
    i 172.16.3.3 [1] via FE80::205:5FFF:FED3:5808, FastEthernet0/0, ASBR, Area 1, SPF 3

Related Commands
    Command                  Description
    show ipv6 ospf           Shows all IPv6 settings in the OSPFv3 routing process.
    show ipv6 ospf database  Shows lists of information related to the OSPFv3 database for a specific router.
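Because an ASBR is the router that redistributes external routes into OSPFv3, the border-router table above is also the quickest place to notice a router that should not be acting as an ABR or ASBR. The following Python is an added example, not Cisco code and not part of this reference: it parses the show ipv6 ospf border-routers output shown above (retyped here as a constructed string), picks the lowest-cost entry per router ID, and reports any ABR or ASBR whose router ID is not in the operator's inventory. The inventory sets passed to unexpected_border_routers() are assumptions standing in for your own list of expected border routers.

```python
"""Parse 'show ipv6 ospf border-routers' and flag border routers you did not expect.

Added example; this is not Cisco code. SAMPLE_BORDER_ROUTERS is the output
from this reference retyped as a constructed string. The allowlists passed to
unexpected_border_routers() stand in for the operator's own router inventory.
"""
import re

SAMPLE_BORDER_ROUTERS = """\
OSPFv3 Process 1 internal Routing Table

Codes: i - Intra-area route, I - Inter-area route

i 172.16.4.4 [2] via FE80::205:5FFF:FED3:5808, FastEthernet0/0, ABR, Area 1, SPF 13
i 172.16.4.4 [1] via FE80::205:5FFF:FED3:5406, POS4/0, ABR, Area 0, SPF 8
i 172.16.3.3 [1] via FE80::205:5FFF:FED3:5808, FastEthernet0/0, ASBR, Area 1, SPF 3
"""

# One table row: code, router ID, [cost], link-local next hop, interface, role, area, SPF run.
ENTRY_RE = re.compile(
    r"^(?P<code>[iI]) (?P<router_id>\d+\.\d+\.\d+\.\d+) \[(?P<cost>\d+)\] via "
    r"(?P<next_hop>[0-9A-Fa-f:]+), (?P<interface>[^,]+), (?P<role>ABR|ASBR), "
    r"Area (?P<area>[^,]+), SPF (?P<spf>\d+)$"
)


def parse_border_routers(text):
    """One dict per table row; the title, legend and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["cost"] = int(entry["cost"])
        entry["spf"] = int(entry["spf"])
        entry["route_type"] = "intra-area" if entry["code"] == "i" else "inter-area"
        entries.append(entry)
    return entries


def best_paths(entries):
    """Lowest-cost entry per router ID (a router is listed once per area it borders)."""
    best = {}
    for entry in entries:
        rid = entry["router_id"]
        if rid not in best or entry["cost"] < best[rid]["cost"]:
            best[rid] = entry
    return best


def unexpected_border_routers(entries, expected_abrs, expected_asbrs):
    """Entries whose router ID is not in the inventory for its role.

    An ASBR injects external routes into OSPFv3, so an ASBR that is not in the
    inventory is the first thing to check when foreign prefixes appear in the
    RIB; an unknown ABR can draw inter-area traffic through itself.
    """
    allow = {"ABR": set(expected_abrs), "ASBR": set(expected_asbrs)}
    return [e for e in entries if e["router_id"] not in allow[e["role"]]]
```

Run it against the output of each ASA in turn; a router that appears as ASBR on one ASA but is not in the ASBR inventory is worth correlating with show ipv6 ospf database (below) to see which external or NSSA LSAs it is originating.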
show ipv6 ospf database

To display lists of information related to the OSPFv3 database for a specific router, use the show ipv6 ospf database command in user EXEC or privileged EXEC mode.

    show ipv6 ospf [process_id] [area_id] database [external | inter-area prefix | inter-area-router | network | nssa-external | router | area | as | ref-lsa | [destination-router-id] [prefix ipv6-prefix] [link-state-id]] [link [interface interface-name] [adv-router router-id] | self-originate] [internal] [database-summary]

Syntax Description
    adv-router router-id
        (Optional) Displays all the LSAs of the advertising router. The router ID must be in the form documented in RFC 2740, in which the address is specified in hexadecimal using 16-bit values between colons.
    area
        (Optional) Displays information only about area LSAs.
    area_id
        (Optional) Displays information about a specified area only.
    as
        (Optional) Filters unknown autonomous system (AS) LSAs.
    database-summary
        (Optional) Displays how many of each type of LSA exists for each area in the database and the total.
    destination-router-id
        (Optional) Displays information about a specified destination router only.
    external
        (Optional) Displays information only about the external LSAs.
    interface
        (Optional) Displays information about the LSAs filtered by interface context.
    interface-name
        (Optional) Specifies the LSA interface name.
    internal
        (Optional) Displays information only about the internal LSAs.
    inter-area prefix
        (Optional) Displays information only about inter-area prefix LSAs.
    inter-area-router
        (Optional) Displays information only about inter-area router LSAs.
    link
        (Optional) Displays information about link LSAs. When it follows the unknown keyword, the link keyword filters link-scope LSAs.
    link-state-id
        (Optional) Specifies an integer used to differentiate LSAs. In network and link LSAs, the link-state ID matches the interface index.
    network
        (Optional) Displays information about network LSAs.
    nssa-external
        (Optional) Displays information only about the not-so-stubby area (NSSA) external LSAs.
    prefix ipv6-prefix
        (Optional) Displays the link-local IPv6 address of the neighbor. The IPv6 prefix must be in the form documented in RFC 2373, in which the address is specified in hexadecimal using 16-bit values between colons.
    process_id
        (Optional) Specifies an internal ID that is locally assigned and can be any positive integer. This ID is the number assigned administratively when the OSPF routing process is enabled.
    ref-lsa
        (Optional) Further filters the prefix LSA type.
    router
        (Optional) Displays information about router LSAs.
    self-originate
        (Optional) Displays only self-originated LSAs from the local router.

Defaults
    No default behavior or values.

Command Modes
    The following table shows the modes in which you can enter the command:

    Command Mode             Routed   Transparent   Single   Multiple/Context   Multiple/System
    Privileged EXEC          Yes      —             Yes      —                  —
    User EXEC                Yes      —             Yes      —                  —

Command History
    Release   Modification
    9.0(1)    This command was added.

Usage Guidelines
    The various forms of the command provide information about different OSPFv3 LSAs.
Examples
    The following is sample output from the show ipv6 ospf database command:

    ciscoasa# show ipv6 ospf database
    OSPFv3 Router with ID (172.16.4.4) (Process ID 1)

                Router Link States (Area 0)
    ADV Router    Age   Seq#         Fragment ID   Link count   Bits
    172.16.4.4    239   0x80000003   0             1            B
    172.16.6.6    239   0x80000003   0             1            B

                Inter Area Prefix Link States (Area 0)
    ADV Router    Age   Seq#         Prefix
    172.16.4.4    249   0x80000001   FEC0:3344::/32
    172.16.4.4    219   0x80000001   FEC0:3366::/32
    172.16.6.6    247   0x80000001   FEC0:3366::/32
    172.16.6.6    193   0x80000001   FEC0:3344::/32
    172.16.6.6     82   0x80000001   FEC0::/32

                Inter Area Router Link States (Area 0)
    ADV Router    Age   Seq#         Link ID    Dest RtrID
    172.16.4.4    219   0x80000001   50529027   172.16.3.3
    172.16.6.6    193   0x80000001   50529027   172.16.3.3

                Link (Type-8) Link States (Area 0)
    ADV Router    Age   Seq#         Link ID   Interface
    172.16.4.4    242   0x80000002   14        PO4/0
    172.16.6.6    252   0x80000002   14        PO4/0

                Intra Area Prefix Link States (Area 0)
    ADV Router    Age   Seq#         Link ID   Ref-lstype   Ref-LSID
    172.16.4.4    242   0x80000002   0         0x2001       0
    172.16.6.6    252   0x80000002   0         0x2001       0

Related Commands
    Command                        Description
    show ipv6 ospf                 Shows all IPv6 settings in the OSPFv3 routing process.
    show ipv6 ospf border-routers  Shows the internal OSPFv3 routing table entries to an area border router (ABR) and an autonomous system boundary router (ASBR).

show ipv6 ospf events

To display OSPFv3 internal event information, use the show ipv6 ospf events command in user EXEC or privileged EXEC mode.

    show ipv6 ospf [process_id] events

Syntax Description
    process_id
        (Optional) Specifies an internal ID that is locally assigned and can be any positive integer. This ID is the number assigned administratively when the OSPF routing process is enabled.

Defaults
    No default behavior or values.

Command Modes
    The following table shows the modes in which you can enter the command:
    Command Mode             Routed   Transparent   Single   Multiple/Context   Multiple/System
    Privileged EXEC          Yes      —             Yes      —                  —
    User EXEC                Yes      —             Yes      —                  —

Command History
    Release   Modification
    9.0(1)    This command was added.

Usage Guidelines
    Use this command to display OSPFv3 events information.

Examples
    The following is sample output from the show ipv6 ospf events command:

    ciscoasa# show ipv6 ospf events
    OSPFv3 Router with ID (10.1.3.2) (Process ID 10)
     1  Jul 9 18:49:34.071: Timer Exp: ospfv3_if_ack_delayed 0xda05fad8
     2  Jul 9 18:49:31.571: Rcv Unchanged Type-0x2001 LSA, LSID 0.0.0.0, Adv-Rtr 10.1.1.2, Seq# 80000008, Age 1, Area 10
     3  Jul 9 18:48:13.241: Generate Changed Type-0x8 LSA, LSID 2.0.0.0, Seq# 80000004, Age 0, Area 10
     4  Jul 9 18:48:13.241: Generate Changed Type-0x2001 LSA, LSID 0.0.0.0, Seq# 80000005, Age 0, Area 10
     5  Jul 9 18:41:18.901: End of SPF, SPF time 0ms, next wait-interval 10000ms
     6  Jul 9 18:41:18.902: Starting External processing in area 10
     7  Jul 9 18:41:18.902: Starting External processing
     8  Jul 9 18:41:18.902: Starting Inter-Area SPF in area 10
     9  Jul 9 18:41:18.902: Generic: post_spf_intra 0x0
    10  Jul 9 18:41:18.902: RIB Delete (All Paths), Prefix 2002::/64, type Intra
    11  Jul 9 18:41:18.902: RIB Update, Prefix 5005::/64, gw ::, via inside, type Intra
    12  Jul 9 18:41:18.902: Starting Intra-Area SPF in Area 10
    13  Jul 9 18:41:18.903: Starting SPF, wait-interval 5000ms
    14  Jul 9 18:41:16.403: Timer Exp: ospfv3_if_ack_delayed 0xda05fad8
    15  Jul 9 18:41:13.903: Schedule SPF, Area 10, Change in LSA type PLSID 0.8.0.0, Adv-Rtr 50.100.168.192
    16  Jul 9 18:41:13.903: Rcv Changed Type-0x2009 LSA, LSID 0.8.0.0, Adv-Rtr 10.1.2.3, Seq# 80000003, Age 1, Area 10

Related Commands
    Command                        Description
    show ipv6 ospf                 Shows all IPv6 settings in the OSPFv3 routing process.
    show ipv6 ospf border-routers  Shows the internal OSPFv3 routing table entries to an area border router (ABR) and an autonomous system boundary router (ASBR).

show ipv6 ospf flood-list

To display a list of OSPFv3 LSAs waiting to be flooded over an interface, use the show ipv6 ospf flood-list command in user EXEC or privileged EXEC mode.

    show ipv6 ospf [process_id] [area_id] flood-list interface-type interface-number

Syntax Description
    area_id
        (Optional) Displays information about a specified area only.
    interface-number
        Specifies the interface number over which the LSAs are flooded.
    interface-type
        Specifies the interface type over which the LSAs are flooded.
    process_id
        (Optional) Specifies an internal ID that is locally assigned and can be any positive integer. This ID is the number assigned administratively when the OSPFv3 routing process is enabled.

Defaults
    No default behavior or values.

Command Modes
    The following table shows the modes in which you can enter the command:

    Command Mode             Routed   Transparent   Single   Multiple/Context   Multiple/System
    Privileged EXEC          Yes      —             Yes      —                  —
    User EXEC                Yes      —             Yes      —                  —

Command History
    Release   Modification
    9.0(1)    This command was added.

Usage Guidelines
    Use this command to display OSPFv3 packet pacing information.

Examples
    The following is sample output from the show ipv6 ospf flood-list command:

    ciscoasa# show ipv6 ospf flood-list
    OSPFv3 Router with ID (172.16.6.6) (Process ID 1)

    Interface POS4/0, Queue length 1
    Link state retransmission due in 14 msec

    Type     LS ID   ADV RTR       Seq NO       Age   Checksum
    0x2001   0       172.16.6.6    0x80000031   0     0x1971

    Interface FastEthernet0/0, Queue length 0

    Interface ATM3/0, Queue length 0

Related Commands
    Command                        Description
    show ipv6 ospf                 Shows all IPv6 settings in the OSPFv3 routing process.
show ipv6 ospf border-routers    Shows the internal OSPFv3 routing table entries to an area border router (ABR) and an autonomous system boundary router (ASBR).

show ipv6 ospf graceful-restart

To display information about OSPFv3 graceful restart, use the show ipv6 ospf graceful-restart command in privileged EXEC mode.

show ipv6 ospf graceful-restart

Syntax Description  This command has no arguments or keywords.

Defaults  No default behavior or values.

Command Modes  The following table shows the modes in which you can enter the command:

Command Mode       Firewall Mode               Security Context
                   Routed    Transparent       Single    Multiple
                                                         Context    System
Privileged EXEC    • Yes     —                 • Yes     • Yes      —

Command History

Release    Modification
9.3(1)     This command was added.

Examples  The following is sample output from the show ipv6 ospf graceful-restart command:

ciscoasa# show ipv6 ospf graceful-restart
Routing Process "ospfv3 10"
  Graceful Restart enabled
    restart-interval limit: 240 sec
    Clustering is not configured in spanned etherchannel mode
  Graceful Restart helper support enabled
  Number of neighbors performing Graceful Restart is 0

Related Commands

Command                          Description
show ipv6 ospf                   Shows all IPv6 settings in the OSPFv3 routing process.

show ipv6 ospf interface

To display OSPFv3-related interface information, use the show ipv6 ospf interface command in user EXEC or privileged EXEC mode.

show ipv6 ospf [process_id] [area_id] interface [type-number] [brief]

Syntax Description

area_id        (Optional) Displays information about a specified area only.
brief          (Optional) Displays brief overview information for OSPFv3 interfaces, states, addresses and masks, and areas on the router.
process_id     (Optional) Specifies an internal ID that is locally assigned and can be any positive integer. This ID is the number assigned administratively when the OSPFv3 routing process is enabled.
type-number    (Optional) Specifies the interface type and number.

Defaults  No default behavior or values.

Command Modes  The following table shows the modes in which you can enter the command:

Command Mode       Firewall Mode               Security Context
                   Routed    Transparent       Single    Multiple
                                                         Context    System
Privileged EXEC    • Yes     —                 • Yes     —          —
User EXEC          • Yes     —                 • Yes     —          —

Command History

Release    Modification
9.0(1)     This command was added.

Usage Guidelines  Use this command to display overview information for OSPFv3 interfaces, states, addresses and masks, and areas on the router.

Examples  The following is sample output from the show ipv6 ospf interface command:

ciscoasa# show ipv6 ospf interface
ATM3/0 is up, line protocol is up
  Link Local Address 2001:0DB1:205:5FFF:FED3:5808, Interface ID 13
  Area 1, Process ID 1, Instance ID 0, Router ID 172.16.3.3
  Network Type POINT_TO_POINT, Cost: 1
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:06
  Index 1/2/2, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 12, maximum is 12
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 172.16.4.4
  Suppress hello for 0 neighbor(s)
FastEthernet0/0 is up, line protocol is up
  Link Local Address 2001:0DB1:205:5FFF:FED3:5808, Interface ID 3
  Area 1, Process ID 1, Instance ID 0, Router ID 172.16.3.3
  Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 172.16.6.6, local address 2001:0DB1:205:5FFF:FED3:6408
  Backup Designated router (ID) 172.16.3.3, local address 2001:0DB1:205:5FFF:FED3:5808
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:05
  Index 1/1/1, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 12, maximum is 12
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 172.16.6.6 (Designated Router)
  Suppress hello for 0 neighbor(s)

Related Commands

Command                          Description
show ipv6 ospf                   Shows all IPv6 settings in the OSPFv3 routing process.
show ipv6 ospf border-routers    Shows the internal OSPFv3 routing table entries to an area border router (ABR) and an autonomous system boundary router (ASBR).

show ipv6 ospf neighbor

To display OSPFv3 neighbor information on a per-interface basis, use the show ipv6 ospf neighbor command in user EXEC or privileged EXEC mode.

show ipv6 ospf [process_id] [area_id] neighbor [interface-type interface-number] [neighbor-id] [detail]

Syntax Description

area_id                          (Optional) Displays information about a specified area only.
detail                           (Optional) Displays all neighbors information in detail.
interface-type interface-number  (Optional) Specifies the interface type and number.
neighbor-id                      (Optional) Specifies the neighbor ID.
process_id                       (Optional) Specifies an internal ID that is locally assigned and can be any positive integer. This ID is the number assigned administratively when the OSPFv3 routing process is enabled.

Defaults  No default behavior or values.

Command Modes  The following table shows the modes in which you can enter the command:

Command Mode       Firewall Mode               Security Context
                   Routed    Transparent       Single    Multiple
                                                         Context    System
Privileged EXEC    • Yes     —                 • Yes     —          —
User EXEC          • Yes     —                 • Yes     —          —

Command History

Release    Modification
9.0(1)     This command was added.

Usage Guidelines  Use this command to display detailed information for OSPFv3 neighbors by interface.
Examples  The following is sample output from the show ipv6 ospf neighbor command:

ciscoasa# show ipv6 ospf neighbor

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
172.16.4.4        1   FULL/  -        00:00:31    14              POS4/0
172.16.3.3        1   FULL/BDR        00:00:30    3               FastEthernet0/0
172.16.5.5        1   FULL/  -        00:00:33    13              ATM3/0

The following is sample output from the show ipv6 ospf neighbor detail command:

Neighbor 172.16.4.4
    In the area 0 via interface POS4/0
    Neighbor: interface-id 14, link-local address FE80::205:5FFF:FED3:5406
    Neighbor priority is 1, State is FULL, 6 state change
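The neighbor table above is the quickest place to spot an adjacency that should not exist (a rogue OSPFv3 speaker on a segment the firewall routes for) or one that has silently gone away. The following Python script is an added example, not part of this command reference or of any Cisco tool: it parses the text of show ipv6 ospf neighbor, then audits the rows against an assumed allowlist mapping (neighbor router ID, interface) to the adjacency state expected for that pair, and reports unexpected neighbors, missing neighbors, state mismatches, and dead timers close to expiry. The embedded sample is constructed from the example above; EXPECTED_NEIGHBORS, the extra neighbor 172.16.7.7 in it, and the 10-second dead-timer threshold are assumptions for illustration.

```python
import re

# Constructed sample, modelled on the show ipv6 ospf neighbor output above.
SAMPLE_NEIGHBORS = """\
Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
172.16.4.4        1   FULL/  -        00:00:31    14              POS4/0
172.16.3.3        1   FULL/BDR        00:00:30    3               FastEthernet0/0
172.16.5.5        1   FULL/  -        00:00:33    13              ATM3/0
"""

# Assumed adjacency allowlist (hypothetical): (neighbor router ID, interface) ->
# expected adjacency state. The state is per pair because DROTHER-to-DROTHER
# neighbors on a broadcast segment legitimately stay in 2WAY, not FULL.
EXPECTED_NEIGHBORS = {
    ("172.16.4.4", "POS4/0"): "FULL",
    ("172.16.3.3", "FastEthernet0/0"): "FULL",
    ("172.16.7.7", "ATM3/0"): "FULL",   # hypothetical neighbor that should be present
}

# One table row. The State column may contain a space ("FULL/  -"), so it is
# matched as "<state>/<optional spaces><role>" rather than as a single token.
ROW_RE = re.compile(
    r"^(?P<nid>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<pri>\d+)\s+"
    r"(?P<state>[A-Z0-9]+/\s*\S+)\s+"
    r"(?P<dead>\d\d:\d\d:\d\d)\s+"
    r"(?P<ifid>\d+)\s+"
    r"(?P<intf>\S+)\s*$"
)


def _hms_to_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_neighbor_table(text):
    """Return one dict per neighbor row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append({
            "neighbor_id": m["nid"],
            "priority": int(m["pri"]),
            "state": re.sub(r"\s+", "", m["state"]),   # "FULL/  -" -> "FULL/-"
            "dead_secs": _hms_to_seconds(m["dead"]),
            "interface_id": int(m["ifid"]),
            "interface": m["intf"],
        })
    return rows


def audit_neighbors(rows, expected, min_dead_secs=10):
    """Compare observed adjacencies with the allowlist; return (kind, neighbor, interface, detail) tuples."""
    findings = []
    seen = set()
    for r in rows:
        key = (r["neighbor_id"], r["interface"])
        seen.add(key)
        want = expected.get(key)
        if want is None:
            findings.append(("unexpected_neighbor", key[0], key[1], r["state"]))
            continue
        got = r["state"].split("/")[0]          # adjacency state without the DR/BDR role
        if got != want:
            findings.append(("state_mismatch", key[0], key[1], f"{got} != {want}"))
        if r["dead_secs"] < min_dead_secs:      # hellos are being missed; adjacency about to drop
            findings.append(("dead_timer_low", key[0], key[1], f"{r['dead_secs']}s"))
    for key in sorted(expected):
        if key not in seen:
            findings.append(("missing_neighbor", key[0], key[1], expected[key]))
    return findings


if __name__ == "__main__":
    for finding in audit_neighbors(parse_neighbor_table(SAMPLE_NEIGHBORS), EXPECTED_NEIGHBORS):
        print(*finding)
```

An unexpected neighbor in FULL state means the peer has already exchanged the full link-state database with the ASA; confirm whether it belongs there before treating its LSAs (which show ipv6 ospf events attributes to it by Adv-Rtr) as trustworthy, and compare the interface's configured Hello and Dead timers from show ipv6 ospf interface when a dead timer is reported low.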