Cisco ASA Series Command Reference,
S Commands
Cisco Systems, Inc.
www.cisco.com
Cisco has more than 200 offices worldwide.
Addresses, phone numbers, and fax numbers
are listed on the Cisco website at
www.cisco.com/go/offices.
Text Part Number: N/A, Online only
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this
URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display
output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in
illustrative content is unintentional and coincidental.
Cisco ASA Series Command Reference, S Commands
© 2015 Cisco Systems, Inc. All rights reserved.
Chapter 1
same-security-traffic through shape Commands

same-security-traffic
To permit communication between interfaces with equal security levels, or to allow traffic to enter
and exit the same interface, use the same-security-traffic command in global configuration
mode. To disable same-security traffic, use the no form of this command.
same-security-traffic permit {inter-interface | intra-interface}
no same-security-traffic permit {inter-interface | intra-interface}
Syntax Description
inter-interface
Permits communication between different interfaces that have the same
security level.
intra-interface
Permits communication in and out of the same interface.
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:

                                Firewall Mode           Security Context
                                                                 Multiple
Command Mode                    Routed   Transparent   Single   Context   System
Global configuration            Yes      Yes           Yes      Yes       —

Command History
Release   Modification
7.0(1)    This command was added.
7.2(1)    The intra-interface keyword now allows all traffic to enter and exit the same
          interface, and not just IPsec traffic.

Usage Guidelines
Allowing communication between same security interfaces (enabled by the same-security-traffic
inter-interface command) provides the following benefits:
•
You can configure more than 101 communicating interfaces. If you use different levels for each
interface, you can configure only one interface per level (0 to 100).
•
You can allow traffic to flow freely between all same security interfaces without access lists.
The same-security-traffic intra-interface command lets traffic enter and exit the same interface, which
is normally not allowed. This feature might be useful for VPN traffic that enters an interface, but is then
routed out the same interface. The VPN traffic might be unencrypted in this case, or it might be
reencrypted for another VPN connection. For example, if you have a hub and spoke VPN network, where
the ASA is the hub, and remote VPN networks are spokes, for one spoke to communicate with another
spoke, traffic must go into the ASA and then out again to the other spoke.
Note
All traffic allowed by the same-security-traffic intra-interface command is still subject to firewall
rules. Be careful not to create an asymmetric routing situation that can cause return traffic not to traverse
the ASA.

Examples
The following example shows how to enable the same-security interface communication:
ciscoasa(config)# same-security-traffic permit inter-interface
The following example shows how to enable traffic to enter and exit the same interface:
ciscoasa(config)# same-security-traffic permit intra-interface
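As an added example (not from the page), the configuration below puts two interfaces at the same security level, permits traffic between them, and checks the result. Interface names, security levels, addresses and the access list are assumed. It also shows the point the note above makes: once an access-group is applied to one of these interfaces, that ACL, not the security level, decides what passes.

```cisco
! Two interfaces at the same security level (assumed names and addressing)
interface GigabitEthernet0/1
 nameif dmz1
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz2
 security-level 50
 ip address 198.51.100.1 255.255.255.0
!
! Without this line, dmz1 <-> dmz2 traffic is dropped no matter what the ACLs say,
! because equal security levels block traffic by default.
same-security-traffic permit inter-interface
!
! Once an ACL is bound to dmz1, it governs the flow; the same-security permit
! only removes the implicit equal-level block. Assumed policy: HTTPS only, log the rest.
access-list DMZ1_IN extended permit tcp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0 eq 443
access-list DMZ1_IN extended deny ip any any log
access-group DMZ1_IN in interface dmz1
!
! Verify the setting and the interface security levels
show running-config same-security-traffic
show nameif
```

If the permit line is missing, packets between dmz1 and dmz2 are dropped before ACL evaluation, so a missing permit looks like an ACL problem when it is not; check show running-config same-security-traffic first.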
Related Commands
Command                                       Description
show running-config same-security-traffic     Displays the same-security-traffic configuration.
sasl-mechanism
To specify a SASL (Simple Authentication and Security Layer) mechanism for authenticating the LDAP
client (the ASA) to an LDAP server, use the sasl-mechanism command in aaa-server host configuration
mode. The SASL authentication mechanism options are digest-md5 and kerberos.
To disable an authentication mechanism, use the no form of this command.
sasl-mechanism {digest-md5 | kerberos server-group-name}
no sasl-mechanism {digest-md5 | kerberos server-group-name}
Note
Because the ASA serves as a client proxy to the LDAP server for VPN users, the LDAP client referred
to here is the ASA.

Syntax Description
digest-md5          The ASA responds with an MD5 value computed from the username and password.
kerberos            The ASA responds by sending the username and realm using the GSSAPI (Generic
                    Security Services Application Programming Interface) Kerberos mechanism.
server-group-name   Specifies the Kerberos aaa-server group, up to 64 characters.

Defaults
No SASL mechanism is configured by default. The ASA then passes the authentication parameters to
the LDAP server in plain text.

Note
We recommend that you secure LDAP communications with SSL using the ldap-over-ssl command if
you have not configured SASL.
Command Modes
The following table shows the modes in which you can enter the command:

                                Firewall Mode           Security Context
                                                                 Multiple
Command Mode                    Routed   Transparent   Single   Context   System
aaa-server host configuration   Yes      Yes           Yes      Yes       —

Command History
Release   Modification
7.1(1)    This command was added.

Usage Guidelines
Use this command to specify ASA authentication to an LDAP server using SASL mechanisms.
Both the ASA and the LDAP server can support multiple SASL authentication mechanisms. When
negotiating SASL authentication, the ASA retrieves the list of SASL mechanisms configured on the
server and sets the authentication mechanism to the strongest mechanism configured on both the ASA
and the server. The Kerberos mechanism is stronger than the Digest-MD5 mechanism. To illustrate, if
both the LDAP server and the ASA support both mechanisms, the ASA selects Kerberos, the stronger of
the mechanisms.
When disabling the SASL mechanisms, you must enter a separate no command for each mechanism you
want to disable because they are configured independently. Mechanisms that you do not specifically
disable remain in effect. For example, you must enter both of the following commands to disable both
SASL mechanisms:
no sasl-mechanism digest-md5
no sasl-mechanism kerberos server-group-name
Examples
The following examples, entered in aaa-server host configuration mode, enable the SASL mechanisms
for authentication to an LDAP server named ldapsvr1 with an IP address of 10.10.0.1. This example
enables the SASL digest-md5 authentication mechanism:
ciscoasa(config)# aaa-server ldapsvr1 protocol ldap
ciscoasa(config-aaa-server-group)# aaa-server ldapsvr1 host 10.10.0.1
ciscoasa(config-aaa-server-host)# sasl-mechanism digest-md5
The following example enables the SASL Kerberos authentication mechanism and specifies kerbsvr1
as the Kerberos AAA server group:
ciscoasa(config)# aaa-server ldapsvr1 protocol ldap
ciscoasa(config-aaa-server-group)# aaa-server ldapsvr1 host 10.10.0.1
ciscoasa(config-aaa-server-host)# sasl-mechanism kerberos kerbsvr1
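An added example (not from the page) that pairs both SASL mechanisms with ldap-over-ssl, as the note above recommends, and then exercises the server group from the CLI. The Kerberos aaa-server group named in sasl-mechanism kerberos must exist before it is referenced. The KDC and LDAP addresses, realm, DNs, bind account and test user are assumed.

```cisco
! Kerberos group that the LDAP host references for SASL (assumed KDC address and realm)
aaa-server kerbsvr1 protocol kerberos
aaa-server kerbsvr1 host 10.10.0.2
 kerberos-realm EXAMPLE.COM
!
! LDAP group for VPN user authentication (assumed DNs and bind account)
aaa-server ldapsvr1 protocol ldap
aaa-server ldapsvr1 host 10.10.0.1
 ! Protect the whole session, not just the bind, with LDAPS on 636
 server-port 636
 ldap-over-ssl enable
 server-type microsoft
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,ou=service,dc=example,dc=com
 ldap-login-password <bind-password>
 ! Both mechanisms offered; the ASA chooses Kerberos when the server offers it too
 sasl-mechanism kerberos kerbsvr1
 sasl-mechanism digest-md5
!
! Exercise the bind and a user authentication without a VPN client
test aaa-server authentication ldapsvr1 host 10.10.0.1 username jdoe password <user-password>
```

Keeping ldap-over-ssl alongside SASL matters because SASL only changes how the bind credentials are presented; the directory queries that follow the bind still go over whatever transport the host entry specifies.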
Related Commands
Command                                          Description
ldap-over-ssl                                    Specifies that SSL secures the LDAP client-server connection.
server-type                                      Specifies the LDAP server vendor as either Microsoft or Sun.
ldap attribute-map (global configuration mode)   Creates and names an LDAP attribute map for mapping
                                                 user-defined attribute names to Cisco LDAP attribute names.
saml idp
To add a new SAML IdP, use the saml idp command in webvpn configuration mode. To remove a SAML
IdP, use the no form of this command.
saml idp idp-entityID
no saml idp idp-entityID
Syntax Description
idp-entityID    The entity ID of the SAML IdP you are configuring the ASA to use.

Defaults
None.

Command Modes
The following table shows the modes in which you can enter the command:
                                Firewall Mode           Security Context
                                                                 Multiple
Command Mode                    Routed   Transparent   Single   Context   System
webvpn                          Yes      Yes           Yes      Yes       —

Command History
Release   Modification
9.5(2)    This command was added.

Usage Guidelines
This command configures the settings for one or more third-party SAML identity providers. The IdP
settings are not used until they are applied to a tunnel group with the saml identity-provider command.
The IdP's sign-in URL, sign-out URL and signing certificate come from the IdP vendor. You must create
a trustpoint to hold the IdP's signing certificate; that trustpoint name is what you give to trustpoint idp.
Creating an IdP in webvpn mode puts you into saml-idp sub-mode, where you configure the following
settings for this IdP:
• url sign-in: URL to sign in to the IdP.
• url sign-out: URL the ASA redirects to when signing out of the IdP.
• signature: Enable or disable signing of the SAML request the ASA sends. By default, signing is disabled.
• timeout assertion: SAML assertion timeout value, in seconds.
• base-url: URL given to third-party IdPs for redirecting end users back to the ASA.
• trustpoint idp: An existing trustpoint holding the IdP's certificate, which the ASA uses to verify the
  signature on SAML assertions.
• trustpoint sp: An existing trustpoint holding the ASA's (SP) certificate, which the IdP can use to verify
  the ASA's signature on requests or to encrypt the SAML assertion.
Examples
The following example shows how to define two IdPs and configure their settings:
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# saml idp salesforce_idp
ciscoasa(config-webvpn-saml-idp)# url sign-in https://asa-dev-ed.my.salesforce.com/idp/endpoint/HttpRedirect
ciscoasa(config-webvpn-saml-idp)# url sign-out https://asa-dev-ed.my.salesforce.com/idp/endpoint/HttpRedirect
ciscoasa(config-webvpn-saml-idp)# trustpoint idp salesforce_trustpoint
ciscoasa(config-webvpn-saml-idp)# trustpoint sp asa_trustpoint
ciscoasa(config-webvpn-saml-idp)# exit
ciscoasa(config-webvpn)# saml idp feide_idp
ciscoasa(config-webvpn-saml-idp)# url sign-in http://cisco.feide.no/simplesaml/saml2/idp/SSOService.php
ciscoasa(config-webvpn-saml-idp)# trustpoint idp feide_trustpoint
ciscoasa(config-webvpn-saml-idp)# trustpoint sp asa_trustpoint
ciscoasa(config-webvpn-saml-idp)# signature
ciscoasa(config-webvpn-saml-idp)# timeout assertion 120
ciscoasa(config-webvpn-saml-idp)# base-url https://ssl-vpn.cisco.com
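An end-to-end version, added here as an example and not taken from the page: the two trustpoints the IdP definition needs, one IdP, and the tunnel group that actually uses it. The usage guidelines say IdP settings are unused until applied in a tunnel group; that binding is the saml identity-provider and authentication saml lines under webvpn-attributes. The host names, the self-signed SP certificate and the tunnel-group name are assumed; the argument to saml idp is the IdP's real entity ID (the syntax above calls it idp-entityID), not a nickname.

```cisco
! 1. Trustpoint holding the IdP's signing certificate; paste the PEM when
!    prompted. The ASA verifies assertion signatures against it.
crypto ca trustpoint salesforce_trustpoint
 enrollment terminal
 exit
crypto ca authenticate salesforce_trustpoint
!
! 2. Trustpoint with the ASA's own (SP) certificate, which the IdP uses to
!    verify signed requests or encrypt assertions. Self-signed here (assumed).
crypto ca trustpoint asa_trustpoint
 enrollment self
 subject-name CN=ssl-vpn.cisco.com
 exit
crypto ca enroll asa_trustpoint noconfirm
!
! 3. The IdP definition, keyed by the IdP's entity ID
webvpn
 saml idp https://asa-dev-ed.my.salesforce.com
  url sign-in https://asa-dev-ed.my.salesforce.com/idp/endpoint/HttpRedirect
  url sign-out https://asa-dev-ed.my.salesforce.com/idp/endpoint/HttpRedirect
  base-url https://ssl-vpn.cisco.com
  trustpoint idp salesforce_trustpoint
  trustpoint sp asa_trustpoint
  signature
  timeout assertion 120
!
! 4. Bind it to a connection profile; nothing uses the IdP until this step
tunnel-group SAML_RA type remote-access
tunnel-group SAML_RA webvpn-attributes
 saml identity-provider https://asa-dev-ed.my.salesforce.com
 authentication saml
!
! Verify both halves are present
show running-config webvpn
show running-config tunnel-group SAML_RA
```

The signature keyword only takes effect because trustpoint sp is set; without an SP certificate the ASA has nothing to sign with, and the IdP in turn cannot validate the request.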
Related Commands
Command                  Description
authentication           Sets the authentication type for a tunnel group, such as saml.
saml identity-provider   Assigns this third-party SAML identity provider configuration to a tunnel group.
saml identity-provider
To assign a SAML IdP to a tunnel group (connection profile), use the saml identity-provider command
in tunnel-group webvpn-attributes configuration mode. To remove the assignment, use the no form of
this command.
saml identity-provider name
no saml identity-provider name
Syntax Description
name    The name of the SAML IdP, as defined with the saml idp command, that the ASA uses for this tunnel group.

Defaults
None.

Command Modes
The following table shows the modes in which you can enter the command:
                                           Firewall Mode           Security Context
                                                                            Multiple
Command Mode                               Routed   Transparent   Single   Context   System
Tunnel-group webvpn-attributes configuration   Yes   Yes           Yes      Yes       —

Command History
Release   Modification
9.5(2)    This command was added.

Usage Guidelines
Assigns an IdP that was defined with the saml idp command in webvpn configuration mode to this
connection profile. An IdP definition has no effect until a tunnel group references it this way, and the
tunnel group also needs authentication saml for SAML sign-in to be used.
Related Commands
Command          Description
authentication   Sets the authentication type for a tunnel group, such as saml.
saml idp         Defines a third-party SAML identity provider in webvpn configuration mode.
sast
To specify the number of SAST certificates to create in the CTL record, use the sast command in ctl-file
configuration mode. To set the number of SAST certificates in the CTL file back to the default value of
2, use the no form of this command.
sast number_sasts
no sast number_sasts
Syntax Description
number_sasts    Specifies the number of SAST keys to create. The default is 2. The maximum allowed is 5.

Defaults
Two SAST certificates are created.

Command Modes
The following table shows the modes in which you can enter the command:
                                Firewall Mode           Security Context
                                                                 Multiple
Command Mode                    Routed   Transparent   Single   Context   System
Ctl-file configuration          Yes      —             Yes      —         —

Command History
Release   Modification
8.0(4)    The command was added.

Usage Guidelines
CTL files are signed by a System Administrator Security Token (SAST).
Because the Phone Proxy generates the CTL file, it needs to create the SAST key to sign the CTL file
itself. This key can be generated on the ASA. A SAST is created as a self-signed certificate.
Typically, a CTL file contains more than one SAST. In case a SAST is not recoverable, the other one can
be used to sign the file later.
Examples
The following example shows the use of the sast command to create 5 SAST certificates in the CTL file:
ciscoasa(config-ctl-file)# sast 5
Related Commands
Command
Description
ctl-file (global)
Specifies the CTL file to create for Phone Proxy configuration or the CTL file
to parse from Flash memory.
ctl-file
(phone-proxy)
Specifies the CTL file to use for Phone Proxy configuration.
phone-proxy
Configures the Phone Proxy instance.
scansafe
To enable Cloud Web Security inspection for a context, use the scansafe command in context
configuration mode. To disable Cloud Web Security, use the no form of this command.
scansafe [license key]
no scansafe [license key]
Syntax Description
license key    Enters an authentication key for this context. If you do not specify a key, the context
               uses the license configured in the system configuration. The ASA sends the
               authentication key to the Cloud Web Security proxy servers to indicate from which
               organization the request comes. The authentication key is a 16-byte value written as
               32 hexadecimal digits.

Command Default
By default, the context uses the license entered in the system configuration.

Command Modes
The following table shows the modes in which you can enter the command:
                                Firewall Mode           Security Context
                                                                 Multiple
Command Mode                    Routed   Transparent   Single   Context   System
Context configuration           Yes      Yes           Yes      Yes       —

Command History
Release   Modification
9.0(1)    This command was added.

Usage Guidelines
In multiple context mode, you must allow Cloud Web Security per context.
Examples
The following sample configuration enables Cloud Web Security in context one with the default license
and in context two with the license key override:
! System Context
!
scansafe general-options
server primary ip 180.24.0.62 port 8080
retry-count 5
license 366C1D3F5CE67D33D3E9ACEC265261E5
!
context one
allocate-interface GigabitEthernet0/0.1
allocate-interface GigabitEthernet0/1.1
allocate-interface GigabitEthernet0/3.1
scansafe
config-url disk0:/one_ctx.cfg
!
context two
allocate-interface GigabitEthernet0/0.2
allocate-interface GigabitEthernet0/1.2
allocate-interface GigabitEthernet0/3.2
scansafe license 366C1D3F5CE67D33D3E9ACEC26789534
config-url disk0:/two_ctx.cfg
!
Related Commands
Command                            Description
class-map type inspect scansafe    Creates an inspection class map for whitelisted users and groups.
default user group                 Specifies the default username and/or group if the ASA cannot determine
                                   the identity of the user coming into the ASA.
http[s] (parameters)               Specifies the service type for the inspection policy map, either HTTP or
                                   HTTPS.
inspect scansafe                   Enables Cloud Web Security inspection on the traffic in a class.
license                            Configures the authentication key that the ASA sends to the Cloud Web
                                   Security proxy servers to indicate from which organization the request
                                   comes.
match user group                   Matches a user or group for a whitelist.
policy-map type inspect scansafe   Creates an inspection policy map so you can configure essential
                                   parameters for the rule and also optionally identify the whitelist.
retry-count                        Enters the retry counter value, which is the amount of time that the ASA
                                   waits before polling the Cloud Web Security proxy server to check its
                                   availability.
scansafe general-options           Configures general Cloud Web Security server options.
server {primary | backup}          Configures the fully qualified domain name or IP address of the primary
                                   or backup Cloud Web Security proxy servers.
show conn scansafe                 Shows all Cloud Web Security connections, as noted by the capital Z flag.
show scansafe server               Shows the status of the server, whether it is the current active server,
                                   the backup server, or unreachable.
show scansafe statistics           Shows total and current HTTP connections.
user-identity monitor              Downloads the specified user or group information from the AD agent.
whitelist                          Performs the whitelist action on the class of traffic.
scansafe general-options
To configure communication with the Cloud Web Security proxy server, use the scansafe
general-options command in global configuration mode. To remove the server configuration, use the no
form of this command.
scansafe general-options
no scansafe general-options
Syntax Description
This command has no arguments or keywords.
Command Default
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                                Firewall Mode           Security Context
                                                                 Multiple
Command Mode                    Routed   Transparent   Single   Context   System
Global configuration            Yes      Yes           Yes      —         Yes

Command History
Release   Modification
9.0(1)    This command was added.

Usage Guidelines
You can configure a primary and backup proxy server for Cloud Web Security.

Examples
The following example configures a primary server:
scansafe general-options
server primary ip 180.24.0.62 port 8080
retry-count 5
license 366C1D3F5CE67D33D3E9ACEC265261E5
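The usage guidelines say a backup proxy can be configured, but the example shows only the primary. The following, added as an example and not from the page, adds a backup server by FQDN (the host name is assumed; the primary address and license key are reused from the example above) and the command that reports which server the ASA is currently using.

```cisco
scansafe general-options
 server primary ip 180.24.0.62 port 8080
 ! Backup by FQDN (assumed host name); used when the primary fails its availability poll
 server backup fqdn proxy-backup.example.com port 8080
 ! Poll interval, in seconds, before the ASA re-checks a server's availability
 retry-count 5
 license 366C1D3F5CE67D33D3E9ACEC265261E5
!
! Reports the current active server, the backup, or unreachable
show scansafe server
```

Because the license key identifies your organization to the proxy, treat the running configuration that contains it like any other credential store.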
Related Commands
Command                            Description
class-map type inspect scansafe    Creates an inspection class map for whitelisted users and groups.
default user group                 Specifies the default username and/or group if the ASA cannot determine
                                   the identity of the user coming into the ASA.
http[s] (parameters)               Specifies the service type for the inspection policy map, either HTTP or
                                   HTTPS.
inspect scansafe                   Enables Cloud Web Security inspection on the traffic in a class.
license                            Configures the authentication key that the ASA sends to the Cloud Web
                                   Security proxy servers to indicate from which organization the request
                                   comes.
match user group                   Matches a user or group for a whitelist.
policy-map type inspect scansafe   Creates an inspection policy map so you can configure essential
                                   parameters for the rule and also optionally identify the whitelist.
retry-count                        Enters the retry counter value, which is the amount of time that the ASA
                                   waits before polling the Cloud Web Security proxy server to check its
                                   availability.
scansafe                           In multiple context mode, allows Cloud Web Security per context.
server {primary | backup}          Configures the fully qualified domain name or IP address of the primary
                                   or backup Cloud Web Security proxy servers.
show conn scansafe                 Shows all Cloud Web Security connections, as noted by the capital Z flag.
show scansafe server               Shows the status of the server, whether it is the current active server,
                                   the backup server, or unreachable.
show scansafe statistics           Shows total and current HTTP connections.
user-identity monitor              Downloads the specified user or group information from the AD agent.
whitelist                          Performs the whitelist action on the class of traffic.
scep-enrollment enable
To enable or disable the Simple Certificate Enrollment Protocol for a tunnel group, use the
scep-enrollment enable command in tunnel-group general-attributes mode.
To remove the command from the configuration, use the no form of this command.
scep-enrollment enable
no scep-enrollment enable
Syntax Description
This command has no arguments or keywords.
Defaults
By default, this command is not present in the tunnel group configuration.
Command Modes
The following table shows the modes in which you can enter the command:

                                              Firewall Mode           Security Context
                                                                               Multiple
Command Mode                                  Routed   Transparent   Single   Context   System
Tunnel-group general-attributes configuration Yes      —             Yes      —         —

Command History
Release   Modification
8.4(1)    This command was added.

Usage Guidelines
Only the Cisco AnyConnect Secure Mobility Client, Release 3.0 and later, supports this feature.
The ASA can proxy SCEP requests between AnyConnect and a third-party certificate authority. The
certificate authority only needs to be accessible to the ASA if it is acting as the proxy. For the ASA to
provide this service, the user must authenticate using any of the methods supported by AAA before the
ASA sends an enrollment request. You can also use Host Scan and dynamic access policies to enforce
rules of eligibility to enroll.
The ASA supports this feature only with an AnyConnect SSL or IKEv2 VPN session. It supports all
SCEP-compliant certificate authorities, including IOS CS, Windows Server 2003 CA, and Windows
Server 2008 CA.
Clientless (browser-based) access does not support SCEP Proxy, although
WebLaunch—clientless-initiated AnyConnect—does support it.
The ASA does not support polling for certificates.
The ASA supports load balancing for this feature.
Example
The following example, entered in global configuration mode, creates a remote access tunnel group
named remotegrp and enables SCEP enrollment for that tunnel group:
ciscoasa(config)# tunnel-group remotegrp type remote-access
ciscoasa(config)# tunnel-group remotegrp general-attributes
ciscoasa(config-tunnel-general)# scep-enrollment enable
INFO: 'authentication aaa certificate' must be configured to complete setup of this
option.
Related Commands
Command                                  Description
crypto ikev2 enable                      Enables IKEv2 negotiation on the interface on which IPsec peers
                                         communicate.
scep-forwarding-url                      Enrolls the SCEP certificate authority for the group policy.
secondary-pre-fill-username clientless   Supplies a common, secondary password when a certificate is
                                         unavailable for WebLaunch support of the SCEP proxy.
secondary-authentication-server-group    Supplies the username when a certificate is unavailable.
scep-forwarding-url
To enroll an SCEP certificate authority for a group policy, use the scep-forwarding-url command in
group-policy configuration mode.
To remove the command from the configuration, use the no form of this command.
scep-forwarding-url {none | value [URL]}
no scep-forwarding-url
Syntax Description
none        Specifies no certificate authority for the group policy.
value URL   Specifies the SCEP URL of the certificate authority to which the ASA forwards enrollment
            requests for this group policy.
Defaults
By default, this command is not present.
Command Modes
The following table shows the modes in which you can enter the command:

                                Firewall Mode           Security Context
                                                                 Multiple
Command Mode                    Routed   Transparent   Single   Context   System
Group-policy configuration      Yes      —             Yes      —         —

Command History
Release   Modification
8.4(1)    This command was added.

Usage Guidelines
Enter this command once per group policy to support a third-party digital certificate.
Example
The following example, entered in global configuration mode, creates a group policy named FirstGroup
and enrolls a certificate authority for the group policy:
ciscoasa(config)# group-policy FirstGroup internal
ciscoasa(config)# group-policy FirstGroup attributes
ciscoasa(config-group-policy)# scep-forwarding-url value http://ca.example.com:80/
Attempting to retrieve the CA/RA certificate(s) using the URL. Please wait ...
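The two SCEP proxy commands on this page, scep-enrollment enable on the tunnel group and scep-forwarding-url on the group policy, only do anything together. The example below, added here and not from the page, puts them in one configuration along with the authentication aaa certificate line that the INFO message under scep-enrollment enable asks for. The AAA server group name is assumed; the tunnel-group and group-policy names and the CA URL are reused from the two examples above.

```cisco
! The user must pass AAA before the ASA forwards any SCEP request on their behalf
tunnel-group remotegrp type remote-access
tunnel-group remotegrp general-attributes
 authentication-server-group ldapsvr1
 default-group-policy FirstGroup
 scep-enrollment enable
tunnel-group remotegrp webvpn-attributes
 ! AAA plus certificate: AAA covers the first connection, the issued
 ! certificate covers later ones. This is what the INFO message refers to.
 authentication aaa certificate
!
! Where the ASA forwards enrollment requests; only the ASA needs to reach this CA
group-policy FirstGroup internal
group-policy FirstGroup attributes
 scep-forwarding-url value http://ca.example.com:80/
!
! Verify
show running-config tunnel-group remotegrp
show running-config group-policy FirstGroup
```

Because the CA is reachable from the ASA rather than from the client, the AAA step is the only thing standing between an arbitrary AnyConnect user and a certificate; pick the server group with that in mind, and use Host Scan or dynamic access policies, as the usage guidelines mention, to narrow who may enroll.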
Related Commands
Command                                  Description
crypto ikev2 enable                      Enables IKEv2 negotiation on the interface on which IPsec peers
                                         communicate.
scep-enrollment enable                   Enables Simple Certificate Enrollment Protocol for a tunnel group.
secondary-pre-fill-username clientless   Supplies a common, secondary password when a certificate is
                                         unavailable for WebLaunch support of the SCEP proxy.
secondary-authentication-server-group    Supplies the username when a certificate is unavailable.
secondary
To give the secondary unit higher priority in a failover group, use the secondary command in failover
group configuration mode. To restore the default, use the no form of this command.
secondary
no secondary
Syntax Description
This command has no arguments or keywords.
Defaults
If primary or secondary is not specified for a failover group, the failover group defaults to primary.
Command Modes
The following table shows the modes in which you can enter the command:

                                Firewall Mode           Security Context
                                                                 Multiple
Command Mode                    Routed   Transparent   Single   Context   System
Failover group configuration    Yes      Yes           —        —         Yes

Command History
Release   Modification
7.0(1)    This command was added.

Usage Guidelines
Assigning a primary or secondary priority to a failover group specifies which unit the failover group
becomes active on when both units boot simultaneously (within a unit polltime). If one unit boots before
the other, then both failover groups become active on that unit. When the other unit comes online, any
failover groups that have the second unit as a priority do not become active on the second unit unless the
failover group is configured with the preempt command or is manually forced to the other unit with the
no failover active command.
Examples
The following example configures failover group 1 with the primary unit as the higher priority and
failover group 2 with the secondary unit as the higher priority. Both failover groups are configured with
the preempt command, so the groups will automatically become active on their preferred unit as the
units become available.
ciscoasa(config)# failover group 1
ciscoasa(config-fover-group)# primary
ciscoasa(config-fover-group)# preempt 100
ciscoasa(config-fover-group)# exit
ciscoasa(config)# failover group 2
ciscoasa(config-fover-group)# secondary
ciscoasa(config-fover-group)# preempt 100
ciscoasa(config-fover-group)# mac-address e1 0000.a000.a011 0000.a000.a012
ciscoasa(config-fover-group)# exit
Related Commands
Command
Description
failover group
Defines a failover group for Active/Active failover.
preempt
Forces the failover group to become active on its preferred unit when the
unit becomes available.
primary
Gives the primary unit a higher priority than the secondary unit.
secondary-authentication-server-group
To specify a secondary authentication server group to associate with the session when double
authentication is enabled, use the secondary-authentication-server-group command in tunnel-group
general-attributes mode. To remove the attribute from the configuration, use the no form of this
command.
secondary-authentication-server-group [interface_name] {none | LOCAL | groupname [LOCAL]}
[use-primary-username]
no secondary-authentication-server-group
Syntax Description
interface_name
(Optional) Specifies the interface where the IPsec tunnel terminates.
LOCAL
(Optional) Requires authentication against the local user database if all of
the servers in the server group have been deactivated due to communication
failures. If the server group name is either LOCAL or NONE, do not use
the LOCAL keyword here.
none
(Optional) Specifies the server group name as NONE, indicating that
authentication is not required.
groupname [LOCAL]
Identifies the previously configured authentication server or group of
servers. Optionally, this can be the LOCAL group.
use-primary-username Use the primary username as the username for the secondary authentication.
Defaults
The default value is none.
Command Modes
The following table shows the modes in which you can enter the command:

                                              Firewall Mode           Security Context
                                                                               Multiple
Command Mode                                  Routed   Transparent   Single   Context   System
Tunnel-group general-attributes configuration Yes      —             Yes      —         —

Command History
Release   Modification
8.2(1)    This command was added.

Usage Guidelines
This command is meaningful only when double authentication is enabled. The
secondary-authentication-server-group command specifies the secondary AAA server group. The
secondary server group cannot be an SDI server group.
If the use-primary-username keyword is configured, then only one username is requested in the login
dialog.
If the usernames are extracted from a digital certificate, only the primary username is used for
authentication.
Examples
The following example, entered in global configuration mode, creates a remote access tunnel group
named remotegrp and specifies the group sdi_server as the primary server group and the group
ldap_server as the secondary authentication server group for the connection:
ciscoasa(config)# tunnel-group remotegrp type remote-access
ciscoasa(config)# tunnel-group remotegrp general-attributes
ciscoasa(config-tunnel-general)# authentication-server-group sdi_server
ciscoasa(config-tunnel-general)# secondary-authentication-server-group ldap_server
Related Commands
Command
Description
pre-fill-username
Enables the pre-fill username feature.
show running-config
tunnel-group
Shows the indicated tunnel-group configuration.
tunnel-group
general-attributes
Specifies the general attributes for the named tunnel-group.
username-from-certificate
Specifies the field in a certificate to use as the username for
authorization.
secondary-color
To set a secondary color for the WebVPN login, home page, and file access page, use the
secondary-color command in webvpn configuration mode. To remove a color from the configuration
and reset the default, use the no form of this command.
secondary-color [color]
no secondary-color
Syntax Description
color    (Optional) Specifies the color. You can use a comma-separated RGB value, an HTML color value,
         or the name of the color if recognized in HTML.
         • RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green,
           blue); the comma-separated entry indicates the level of intensity of each color to combine
           with the others.
         • HTML format is #000000, six digits in hexadecimal format; the first and second represent
           red, the third and fourth green, and the fifth and sixth represent blue.
         • Name length maximum is 32 characters.
Defaults
The default secondary color is HTML #CCCCFF, a lavender shade.
Command Modes
The following table shows the modes in which you can enter the command:

                                     Firewall Mode         Security Context
                                                                      Multiple
Command Mode                         Routed  Transparent   Single   Context  System
Webvpn configuration                 Yes     Yes           Yes      —        —

Command History
Release   Modification
7.0(1)    This command was added.
Usage Guidelines
The number of RGB values recommended for use is 216, many fewer than the mathematical possibilities.
Many displays can handle only 256 colors, and 40 of those look different on Macs and PCs. For best
results, check published RGB tables. To find RGB tables online, enter RGB in a search engine.
Examples
The following example shows how to set an HTML color value of #5F9EA0, which is a teal shade:
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# secondary-color #5F9EA0
Related Commands
Command        Description
title-color    Sets a color for the WebVPN title bar on the login, home page, and file access page.
secondary-pre-fill-username
To enable the extraction of a username from a client certificate for use in double authentication for a
clientless or an AnyConnect connection, use the secondary-pre-fill-username command in
tunnel-group webvpn-attributes mode. To remove the attribute from the configuration, use the no form
of this command.
secondary-pre-fill-username {clientless | ssl-client} [hide]
secondary-pre-fill-username {clientless | ssl-client} hide [use-primary-password |
use-common-password [type_num] password]
no secondary-pre-fill-username
Syntax Description
clientless              Enables this feature for clientless connections.
hide                    Hides the username to be used for authentication from the VPN user.
password                Enter the password string.
ssl-client              Enables this feature for AnyConnect VPN client connections.
type_num                Enter one of the following options:
                        • 0 if the password to be entered is plain text.
                        • 8 if the password to be entered is encrypted. The password appears as
                          asterisks as you type.
use-common-password     Specifies a common secondary authentication password to use without
                        prompting the user for it.
use-primary-password    Reuses the primary authentication password for secondary authentication
                        without prompting the user for it.
Defaults
This feature is disabled by default. Entering this command without the hide keyword reveals the
extracted username to the VPN user. The user receives a password prompt if you specify neither the
use-primary-password nor the use-common-password keywords. The default value of type_num is 8.
Command Modes
The following table shows the modes in which you can enter the command:

                                     Firewall Mode         Security Context
                                                                      Multiple
Command Mode                         Routed  Transparent   Single   Context  System
Tunnel-group webvpn-attributes       Yes     —             Yes      —        —
configuration
Command History
Release   Modification
8.2(1)    This command was added.
8.3(2)    The [use-primary-password | use-common-password [type_num] password] option was added.

Usage Guidelines
To enable this feature, you must also enter the secondary-username-from-certificate command in
tunnel-group general-attributes mode.
This command is meaningful only if double authentication is enabled. The
secondary-pre-fill-username command enables the use of a username extracted from the certificate
field specified in the secondary-username-from-certificate command as the username for secondary
username/password authentication. To use the secondary pre-fill username from certificate feature, you
must configure both commands.
Note
Clientless and SSL-client connections are not mutually exclusive options. Only one can be specified per
command line, but both can be enabled at the same time.
If you hide the second username and use a primary or common password, the user experience is similar
to single authentication. Using the primary or common password makes the use of device certificates to
authenticate a device a seamless user experience.
The use-primary-password keyword specifies the use of the primary password as the secondary
password for all authentications.
The use-common-password keyword specifies the use of a common secondary password for all
secondary authentications. If a device certificate installed on the endpoint contains a BIOS ID or some
other identifier, a secondary authentication request can use the pre-filled BIOS ID as the second
username and use a common password configured for all authentications in that tunnel group.
Examples
The following example creates an IPsec remote access tunnel group named remotegrp, and specifies the
reuse of a name from the digital certificate on the endpoint as the name to be used for an authentication
or authorization query when the connections are browser-based:
ciscoasa(config)# tunnel-group remotegrp type ipsec-ra
ciscoasa(config)# tunnel-group remotegrp webvpn-attributes
ciscoasa(config-tunnel-webvpn)# secondary-pre-fill-username clientless
The following example performs the same function as the previous command, but hides the extracted
username from the user:
ciscoasa(config-tunnel-webvpn)# secondary-pre-fill-username clientless hide
The following example performs the same function as the previous command, except that it applies only
to AnyConnect connections:
ciscoasa(config-tunnel-webvpn)# secondary-pre-fill-username ssl-client hide
The following example hides the username and reuses the primary authentication password for
secondary authentication without prompting the user:
ciscoasa(config-tunnel-webvpn)# secondary-pre-fill-username ssl-client hide use-primary-password
The following example hides the username and uses the password you enter for secondary
authentication:
ciscoasa(config-tunnel-webvpn)# secondary-pre-fill-username ssl-client hide use-common-password **********
Related Commands
Command                            Description
pre-fill-username                  Enables the pre-fill username feature.
show running-config tunnel-group   Shows the indicated tunnel-group configuration.
tunnel-group general-attributes    Specifies the general attributes for the named tunnel-group.
username-from-certificate          Specifies the field in a certificate to use as the username for authorization.
secondary-text-color
To set the secondary text color for the WebVPN login, home page and file access page, use the
secondary-text-color command in webvpn mode. To remove the color from the configuration and reset
the default, use the no form of this command.
secondary-text-color [black | white]
no secondary-text-color
Syntax Description
auto     Chooses black or white based on the settings for the text-color command. That is, if the
         primary color is black, this value is white.
black    The default secondary text color is black.
white    You can change the text color to white.
Defaults
The default secondary text color is black.
Command Modes
The following table shows the modes in which you can enter the command:

                                     Firewall Mode         Security Context
                                                                      Multiple
Command Mode                         Routed  Transparent   Single   Context  System
Webvpn configuration                 Yes     —             Yes      —        —

Command History
Release   Modification
7.0(1)    This command was added.

Examples
The following example shows how to set the secondary text color to white:
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# secondary-text-color white
Related Commands
Command       Description
text-color    Sets a color for text in the WebVPN title bar on the login, home page, and file access page.
secondary-username-from-certificate
To specify the field in a certificate to use as the secondary username for double authentication for a
clientless or AnyConnect (SSL-client) connection, use the secondary-username-from-certificate
command in tunnel-group general-attributes mode.
To remove the attribute from the configuration and restore default values, use the no form of this
command.
secondary-username-from-certificate {primary-attr [secondary-attr] | use-entire-name |
use-script}
no secondary-username-from-certificate
Syntax Description
primary-attr       Specifies the attribute to use to derive a username for an authorization query from a
                   certificate. If pre-fill-username is enabled, the derived name can also be used in an
                   authentication query.
secondary-attr     (Optional) Specifies an additional attribute to use with the primary attribute to derive
                   a username for an authentication or authorization query from a digital certificate. If
                   pre-fill-username is enabled, the derived name can also be used in an authentication
                   query.
use-entire-name    Specifies that the ASA must use the entire subject DN (RFC 1779) to derive a name for
                   an authorization query from a digital certificate.
use-script         Specifies the use of a script file generated by ASDM to extract the DN fields from a
                   certificate for use as a username.
Defaults
This feature is disabled by default and is meaningful only when double authentication is enabled.
Command Modes
The following table shows the modes in which you can enter the command:

                                     Firewall Mode         Security Context
                                                                      Multiple
Command Mode                         Routed  Transparent   Single   Context  System
Tunnel-group general-attributes      Yes     —             Yes      —        —
configuration

Command History
Release   Modification
8.2(1)    This command was added.

Usage Guidelines
This command is meaningful only when double authentication is enabled.
When double authentication is enabled, this command selects one or more fields in a certificate to use
as the username. The secondary-username-from-certificate command forces the security appliance to
use the specified certificate field as the second username for the second username/password
authentication.
To use this derived username in the pre-fill username from certificate feature for the secondary
username/password authentication or authorization, you must also configure the pre-fill-username and
secondary-pre-fill-username commands in tunnel-group webvpn-attributes mode. That is, to use the
secondary pre-fill username feature, you must configure both commands.
Possible values for primary and secondary attributes include the following:
Attribute          Definition
C                  Country: the two-letter country abbreviation. These codes conform to ISO 3166 country abbreviations.
CN                 Common Name: the name of a person, system, or other entity. Not available as a secondary attribute.
DNQ                Domain Name Qualifier.
EA                 E-mail address.
GENQ               Generational Qualifier.
GN                 Given Name.
I                  Initials.
L                  Locality: the city or town where the organization is located.
N                  Name.
O                  Organization: the name of the company, institution, agency, association or other entity.
OU                 Organizational Unit: the subgroup within the organization (O).
SER                Serial Number.
SN                 Surname.
SP                 State/Province: the state or province where the organization is located.
T                  Title.
UID                User Identifier.
UPN                User Principal Name.
use-entire-name    Use entire DN name. Not available as a secondary attribute.
use-script         Use a script file generated by ASDM.
Note
If you also specify the secondary-authentication-server-group command, along with the
secondary-username-from-certificate command, only the primary username is used for
authentication.
Examples
The following example, entered in global configuration mode, creates a remote access tunnel group
named remotegrp and specifies the use of CN (Common Name) as the primary attribute and OU as the
secondary attribute to use to derive a name for an authorization query from a digital certificate:
ciscoasa(config)# tunnel-group remotegrp type remote-access
ciscoasa(config)# tunnel-group remotegrp general-attributes
ciscoasa(config-tunnel-general)# username-from-certificate CN
ciscoasa(config-tunnel-general)# secondary-username-from-certificate OU
ciscoasa(config-tunnel-general)#
The following example shows how to modify the tunnel-group attributes to configure the pre-fill
username:
username-from-certificate {use-entire-name | use-script | <primary-attr>} [secondary-attr]
secondary-username-from-certificate {use-entire-name | use-script | <primary-attr>} [secondary-attr]   ; used only for double authentication
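The username derivation that the primary-attr, secondary-attr and use-entire-name keywords describe, as an added illustration (not ASA or Cisco code). The subject DN is constructed sample data, the DN key spellings follow OpenSSL's printed form and are an assumption, and the page does not state how a primary and a secondary value are joined, so the join separator is a parameter here (default: direct concatenation).

```python
"""Derive a secondary username from a certificate subject DN according to the
attribute keywords in the table above. Added illustration, not ASA code."""
from __future__ import annotations

# Attribute keyword (from the table) -> key as printed in an RFC 1779 style DN.
# The key spellings are assumptions (OpenSSL's text form), not taken from the page.
ATTR_TO_DN_KEY = {
    "C": "C", "CN": "CN", "DNQ": "DNQ", "EA": "EMAILADDRESS", "GENQ": "GENQ",
    "GN": "GN", "I": "INITIALS", "L": "L", "N": "NAME", "O": "O", "OU": "OU",
    "SER": "SERIALNUMBER", "SN": "SN", "SP": "ST", "T": "T", "UID": "UID",
    "UPN": "UPN",
}
# Per the table, these cannot be used as the secondary attribute.
NOT_SECONDARY = {"CN", "use-entire-name"}


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split 'CN=alice,OU=eng,O=Example' into ordered (KEY, value) pairs.
    A backslash escapes the next character, so 'Doe\\, Jane' stays one value."""
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    pairs = []
    for item in parts:
        key, _, value = item.strip().partition("=")
        pairs.append((key.strip().upper(), value.strip()))
    return pairs


def derive_username(dn: str, primary: str, secondary: str | None = None,
                    sep: str = "") -> str | None:
    """Return the derived username, or None when a requested attribute is absent
    from the certificate (the ASA would then have nothing to pre-fill).
    'sep' is an assumption: the page does not state the join rule."""
    if primary == "use-script":
        raise ValueError("use-script needs the ASDM-generated script; not modelled")
    if primary == "use-entire-name":
        if secondary is not None:
            raise ValueError("use-entire-name takes no secondary attribute")
        return dn                      # whole subject DN, as the keyword says
    if secondary in NOT_SECONDARY:
        raise ValueError(f"{secondary} is not available as a secondary attribute")
    for kw in (primary, secondary):
        if kw is not None and kw not in ATTR_TO_DN_KEY:
            raise ValueError(f"unknown attribute keyword {kw!r}")
    fields = parse_dn(dn)

    def first(attr: str) -> str | None:
        key = ATTR_TO_DN_KEY[attr]
        return next((v for k, v in fields if k == key), None)

    name = first(primary)
    if name is None:
        return None
    if secondary is not None:
        extra = first(secondary)
        if extra is None:
            return None
        name = f"{name}{sep}{extra}"
    return name
```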
Related Commands
Command                               Description
pre-fill-username                     Enables the pre-fill username feature.
secondary-pre-fill-username           Enables username extraction for clientless or AnyConnect client connections.
username-from-certificate             Specifies the field in a certificate to use as the username for authorization.
show running-config tunnel-group      Shows the indicated tunnel-group configuration.
secondary-authentication-server-group Specifies the secondary AAA server group. If the usernames are extracted
                                      from a digital certificate, only the primary username is used for
                                      authentication.
secure-unit-authentication
To enable secure unit authentication, use the secure-unit-authentication enable command in
group-policy configuration mode. To disable secure unit authentication, use the
secure-unit-authentication disable command. To remove the secure unit authentication attribute from
the running configuration, use the no form of this command.
secure-unit-authentication {enable | disable}
no secure-unit-authentication
Syntax Description
disable    Disables secure unit authentication.
enable     Enables secure unit authentication.
Defaults
Secure unit authentication is disabled.
Command Modes
The following table shows the modes in which you can enter the command:

                                     Firewall Mode         Security Context
                                                                      Multiple
Command Mode                         Routed  Transparent   Single   Context  System
Group-policy configuration           Yes     —             Yes      —        —

Command History
Release   Modification
7.0(1)    This command was added.

Usage Guidelines
Secure unit authentication requires that you have an authentication server group configured for the
tunnel group the hardware client(s) use.
If you require secure unit authentication on the primary ASA, be sure to configure it on any backup
servers as well.
The no option allows inheritance of a value for secure unit authentication from another group policy.
Secure unit authentication provides additional security by requiring VPN hardware clients to
authenticate with a username and password each time the client initiates a tunnel. With this feature
enabled, the hardware client does not have a saved username and password.
Note
With this feature enabled, to bring up a VPN tunnel, a user must be present to enter the username and
password.
Examples
The following example shows how to enable secure unit authentication for the group policy named
FirstGroup:
ciscoasa(config)# group-policy FirstGroup attributes
ciscoasa(config-group-policy)# secure-unit-authentication enable
Related Commands
Command                Description
ip-phone-bypass        Lets IP phones connect without undergoing user authentication. Secure unit
                       authentication remains in effect.
leap-bypass            Lets LEAP packets from wireless devices behind a VPN hardware client travel across
                       a VPN tunnel prior to user authentication, when enabled. This lets workstations
                       using Cisco wireless access point devices establish LEAP authentication. Then they
                       authenticate again per user authentication.
user-authentication    Requires users behind a hardware client to identify themselves to the ASA before
                       connecting.
security-group
To add a security group to a security object group for use with Cisco TrustSec, use the security-group
command in object-group security configuration mode. To remove the security group, use the no form
of this command.
security-group {tag sgt# | name sg_name}
no security-group {tag sgt# | name sg_name}
Syntax Description
tag sgt#        Specifies the security group object as an inline tag. Enter a number from 1 to 65533 for
                a Tag security type.
                An SGT is assigned to a device through IEEE 802.1X authentication, web authentication, or
                MAC authentication bypass (MAB) by the ISE. Security group names are created on the ISE
                and provide user-friendly names for security groups. The security group table maps SGTs
                to security group names.
name sg_name    Specifies the security group object as a named object. Enter a 32-byte case-sensitive
                string for a Name security type. The sg_name can contain any character including
                [a-z], [A-Z], [0-9], [!@#$%^&()-_{}. ].
Command Default
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                                     Firewall Mode         Security Context
                                                                      Multiple
Command Mode                         Routed  Transparent   Single   Context  System
Object-group security configuration  Yes     Yes           Yes      Yes      —

Command History
Release   Modification
9.0(1)    This command was added.

Usage Guidelines
You can create security group object groups for use in features that support Cisco TrustSec by including
the group in an extended ACL, which in turn can be used in an access rule, for example.
When integrated with Cisco TrustSec, the ASA downloads security group information from the ISE. The
ISE acts as an identity repository, by providing Cisco TrustSec tag to user identity mapping and Cisco
TrustSec tag to server resource mapping. You provision and manage security group access lists centrally
on the ISE.
However, the ASA might have localized network resources that are not defined globally that require local
security groups with localized security policies. Local security groups can contain nested security
groups that are downloaded from the ISE. The ASA consolidates local and central security groups.
To create local security groups on the ASA, you create a local security object group. A local security
object group can contain one or more nested security object groups or Security IDs or security group
names. You can also create a new Security ID or security group name that does not exist on the ASA.
You can use the security object groups you create on the ASA to control access to network resources.
You can use the security object group as part of an access group or service policy.
Examples
The following example shows how to configure a security group object:
ciscoasa(config)# object-group security mktg-sg
ciscoasa(config)# security-group name mktg
ciscoasa(config)# security-group tag 1
The following example shows how to configure a security group object that nests the object group created above:
ciscoasa(config)# object-group security mktg-sg-all
ciscoasa(config)# security-group name mktg-managers
ciscoasa(config)# group-object mktg-sg // nested object-group
Related Commands
Command                  Description
object-group security    Creates a security group object.
security-group-tag
To configure a security group tag attribute in a remote access VPN group policy or for a user in the
LOCAL user database, use the security-group-tag value command in group-policy or username
configuration mode. To remove the security group tag attribute, use the no form of this command.
security-group-tag {none | value sgt}
no security-group-tag {none | value sgt}
Syntax Description
none         Do not set a security group tag for this group policy or user.
value sgt    Specifies the security group tag number.
Command Default
The default is security-group-tag none, which means that there is no security group tag in this attribute
set.
Command Modes
The following table shows the modes in which you can enter the command:

                                     Firewall Mode         Security Context
                                                                      Multiple
Command Mode                         Routed  Transparent   Single   Context  System
Group-policy or username             Yes     Yes           Yes      Yes      —
configuration

Command History
Release   Modification
9.3(1)    This command was added.

Usage Guidelines
The ASA supports security group tagging of VPN sessions. You can assign a Security Group Tag (SGT) to a
VPN session using an external AAA server, or by configuring a security group tag for a local user or for
a VPN group policy. This tag can then be propagated through the Cisco TrustSec system over Layer 2
Ethernet. Security group tags are useful on group policies and for local users when the AAA server
cannot provide an SGT.
Following is the typical process for assigning an SGT to a VPN user:
1. A user connects to a remote access VPN that uses a AAA server group containing ISE servers.
2. The ASA requests AAA information from ISE, which might include an SGT. The ASA also assigns
   an IP address for the user's tunneled traffic.
3. The ASA uses AAA information to authenticate the user and creates a tunnel.
4. The ASA uses the SGT from AAA information and the assigned IP address to add an SGT in the
   Layer 2 header.
5. Packets that include the SGT are passed to the next peer device in the Cisco TrustSec network.
If there is no SGT in the attributes from the AAA server to assign to a VPN user, then the ASA uses the
SGT in the group policy. If there is no SGT in the group policy, then tag 0x0 is assigned.
Examples
The following example shows how to configure SGT attributes for a group policy.
ciscoasa(config-group-policy)# security-group-tag value 101
Related Commands
Command                      Description
show asp table cts sgt-map   Displays the IP address-security group table mapping entries from the IP
                             address-security group table mapping database maintained in the datapath.
show cts sgt-map             Displays the IP address-security group table manager entries in the control path.
security-level
To set the security level of an interface, use the security-level command in interface configuration mode.
To set the security level to the default, use the no form of this command. The security level protects
higher security networks from lower security networks by imposing additional protection between the
two.
security-level number
no security-level
Syntax Description
number    An integer between 0 (lowest) and 100 (highest).
Defaults
By default, the security level is 0.
If you name an interface “inside” and you do not set the security level explicitly, then the ASA sets the
security level to 100 (see the nameif command). You can change this level if desired.
Command Modes
The following table shows the modes in which you can enter the command:

                                     Firewall Mode         Security Context
                                                                      Multiple
Command Mode                         Routed  Transparent   Single   Context  System
Interface configuration              Yes     Yes           Yes      Yes      —

Command History
Release   Modification
7.0(1)    This command was moved from a keyword of the nameif command to an interface
          configuration mode command.

Usage Guidelines
The level controls the following behavior:
•
Network access—By default, there is an implicit permit from a higher security interface to a lower
security interface (outbound). Hosts on the higher security interface can access any host on a lower
security interface. You can limit access by applying an access list to the interface.
For same security interfaces, there is an implicit permit for interfaces to access other interfaces on
the same security level or lower.
•
Inspection engines—Some inspection engines are dependent on the security level. For same security
interfaces, inspection engines apply to traffic in either direction.
– NetBIOS inspection engine—Applied only for outbound connections.
– OraServ inspection engine—If a control connection for the OraServ port exists between a pair
of hosts, then only an inbound data connection is permitted through the ASA.
•
Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level
to a lower level).
For same security interfaces, you can filter traffic in either direction.
•
NAT control—When you enable NAT control, you must configure NAT for hosts on a higher security
interface (inside) when they access hosts on a lower security interface (outside).
Without NAT control, or for same security interfaces, you can choose to use NAT between any
interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside
interface might require a special keyword.
•
established command—This command allows return connections from a lower security host to a
higher security host if there is already an established connection from the higher level host to the
lower level host.
For same security interfaces, you can configure established commands for both directions.
Normally, interfaces on the same security level cannot communicate. If you want interfaces on the same
security level to communicate, see the same-security-traffic command. You might want to assign two
interfaces to the same level and allow them to communicate if you want to create more than 101
communicating interfaces, or you want protection features to be applied equally for traffic between two
interfaces; for example, you have two departments that are equally secure.
If you change the security level of an interface, and you do not want to wait for existing connections to
time out before the new security information is used, you can clear the connections using the
clear local-host command.
Examples
The following example configures the security levels for two interfaces to be 100 and 0:
ciscoasa(config)# interface gigabitethernet0/0
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address 10.1.1.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface gigabitethernet0/1
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# ip address 10.1.2.1 255.255.255.0
ciscoasa(config-if)# no shutdown
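The security-level rules from the Usage Guidelines above (implicit permit from higher to lower, no implicit permit inbound, same-level traffic only with same-security-traffic permit inter-interface, and the default of 100 for an interface named "inside"), modelled as an added illustration; this is not ASA code, and the interface names, levels and flows are constructed sample data.

```python
"""Model of the security-level rules in the Usage Guidelines. Added
illustration, not ASA code; names, levels and flows are constructed."""
from __future__ import annotations
from dataclasses import dataclass


def default_security_level(nameif: str) -> int:
    """An interface named 'inside' gets level 100 automatically; others get 0."""
    return 100 if nameif == "inside" else 0


@dataclass(frozen=True)
class Interface:
    nameif: str
    security_level: int | None = None   # None = not set explicitly

    @property
    def level(self) -> int:
        lvl = (default_security_level(self.nameif)
               if self.security_level is None else self.security_level)
        if not 0 <= lvl <= 100:
            raise ValueError(f"{self.nameif}: level {lvl} outside 0..100")
        return lvl


def direction(src: Interface, dst: Interface) -> str:
    """'outbound' (higher -> lower), 'inbound' (lower -> higher) or 'same-security'."""
    if src.level > dst.level:
        return "outbound"
    if src.level < dst.level:
        return "inbound"
    return "same-security"


def implicit_permit(src: Interface, dst: Interface,
                    same_security_inter_interface: bool = False) -> bool:
    """Is a new connection from src to dst allowed by the level rule alone,
    before any access list is applied?"""
    d = direction(src, dst)
    if d == "outbound":
        return True                          # implicit permit, higher -> lower
    if d == "same-security":
        return same_security_inter_interface  # needs same-security-traffic permit
    return False                             # inbound: an access list is required


def flows_needing_acl(flows: list[tuple[Interface, Interface]],
                      same_security_inter_interface: bool = False) -> list[str]:
    """Report 'src->dst' for every flow the level rule alone does not permit,
    i.e. the flows an administrator must cover with an explicit access list."""
    return [f"{s.nameif}->{d.nameif}" for s, d in flows
            if not implicit_permit(s, d, same_security_inter_interface)]
```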
Related Commands
Command             Description
clear local-host    Resets all connections.
interface           Configures an interface and enters interface configuration mode.
nameif              Sets the interface name.
vlan                Assigns a VLAN ID to a subinterface.
segment-id
To specify the VXLAN ID for a VNI interface, use the segment-id command in interface configuration
mode. To remove the ID, use the no form of this command.
segment-id id
no segment-id id
Syntax Description
id    Sets the ID between 1 and 16777215.
Command Default
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
                                     Firewall Mode         Security Context
                                                                      Multiple
Command Mode                         Routed  Transparent   Single   Context  System
Interface configuration              Yes     Yes           Yes      Yes      —

Command History
Release   Modification
9.4(1)    This command was added.
Usage Guidelines
The segment ID is used for VXLAN tagging.
Examples
The following example configures the VNI 1 interface and specifies a segment ID of 1000:
ciscoasa(config)# interface vni 1
ciscoasa(config-if)# segment-id 1000
ciscoasa(config-if)# vtep-nve 1
ciscoasa(config-if)# nameif vxlan1000
ciscoasa(config-if)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
ciscoasa(config-if)# ipv6 address 2001:0DB8::BA98:0:3210/48
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# mcast-group 236.0.0.100
Related Commands
Command                              Description
debug vxlan                          Debugs VXLAN traffic.
default-mcast-group                  Specifies a default multicast group for all VNI interfaces associated with
                                     the VTEP source interface.
encapsulation vxlan                  Sets the NVE instance to VXLAN encapsulation.
inspect vxlan                        Enforces compliance with the standard VXLAN header format.
interface vni                        Creates the VNI interface for VXLAN tagging.
mcast-group                          Sets the multicast group address for the VNI interface.
nve                                  Specifies the Network Virtualization Endpoint instance.
nve-only                             Specifies that the VXLAN source interface is NVE-only.
peer ip                              Manually specifies the peer VTEP IP address.
show arp vtep-mapping                Displays MAC addresses cached on the VNI interface for IP addresses
                                     located in the remote segment domain and the remote VTEP IP addresses.
show interface vni                   Shows the parameters, status and statistics of a VNI interface, status of
                                     its bridged interface (if configured), and NVE interface it is associated
                                     with.
show mac-address-table vtep-mapping  Displays the Layer 2 forwarding table (MAC address table) on the VNI
                                     interface with the remote VTEP IP addresses.
show nve                             Shows the parameters, status and statistics of a NVE interface, status of
                                     its carrier interface (source interface), IP address of the carrier
                                     interface, VNIs that use this NVE as the VXLAN VTEP, and peer VTEP IP
                                     addresses associated with this NVE interface.
show vni vlan-mapping                Shows the mapping between VNI segment IDs and VLAN interfaces or
                                     physical interfaces in transparent mode.
source-interface                     Specifies the VTEP source interface.
vtep-nve                             Associates a VNI interface with the VTEP source interface.
vxlan port                           Sets the VXLAN UDP port. By default, the VTEP source interface accepts
                                     VXLAN traffic to UDP port 4789.
send response
To send a RADIUS Accounting-Response Start and Accounting-Response Stop message to the sender
of the RADIUS Accounting-Request Start and Stop messages, use the send response command in
radius-accounting parameter configuration mode, which is accessed by using the inspect
radius-accounting command.
This option is disabled by default.
send response
no send response
Syntax Description
This command has no arguments or keywords.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:

                                     Firewall Mode         Security Context
                                                                      Multiple
Command Mode                         Routed  Transparent   Single   Context  System
Radius-accounting parameter          Yes     Yes           Yes      Yes      —
configuration

Command History
Release   Modification
7.2(1)    This command was added.

Examples
The following example shows how to send a response with RADIUS accounting; send response is entered
in the parameters section of the radius-accounting inspection policy map:
ciscoasa(config)# policy-map type inspect radius-accounting ra
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# send response
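The exchange that send response completes, as an added illustration (not ASA code): an Accounting-Request Start or Stop (code 4) arrives and an Accounting-Response (code 5) with the same Identifier is returned, with both authenticators computed as RFC 2866 specifies. The shared secret, Identifier and attribute values are constructed sample data and the function names are my own.

```python
"""RADIUS accounting request/response pair per RFC 2866. Added illustration,
not ASA code; secret, identifier and attributes are constructed sample data."""
from __future__ import annotations
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5          # RADIUS codes
USER_NAME, FRAMED_IP, ACCT_STATUS_TYPE = 1, 8, 40
START, STOP = 1, 2                          # Acct-Status-Type values


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def accounting_request(ident: int, secret: bytes, attrs: bytes) -> bytes:
    """Accounting-Request: Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    head = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(head + bytes(16) + attrs + secret).digest()
    return head + auth + attrs


def verify_request(request: bytes, secret: bytes) -> bool:
    """Receiver side: reject a request whose authenticator does not match."""
    if len(request) < 20 or struct.unpack("!H", request[2:4])[0] != len(request):
        return False
    head, auth, attrs = request[:4], request[4:20], request[20:]
    expected = hashlib.md5(head + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(expected, auth)


def accounting_response(request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Accounting-Response to 'request': same Identifier, Response Authenticator =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    head = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20 + len(attrs))
    auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + auth + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Sender side: check the response belongs to the request and the secret."""
    if len(response) < 20 or response[0] != ACCT_RESPONSE or response[1] != request[1]:
        return False
    head, auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, auth)


def status_type(request: bytes) -> int | None:
    """Walk the attributes and return Acct-Status-Type (1=Start, 2=Stop),
    or None if it is missing or the attribute list is malformed."""
    i = 20
    while i + 2 <= len(request):
        atype, alen = request[i], request[i + 1]
        if alen < 2 or i + alen > len(request):
            return None
        if atype == ACCT_STATUS_TYPE and alen == 6:
            return struct.unpack("!I", request[i + 2:i + 6])[0]
        i += alen
    return None
```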
Related Commands
Command                     Description
inspect radius-accounting   Sets inspection for RADIUS accounting.
parameters                  Sets parameters for an inspection policy map.
seq-past-window
To set the action for packets that have past-window sequence numbers (the sequence number of a
received TCP packet is greater than the right edge of the TCP receiving window), use the
seq-past-window command in tcp-map configuration mode. To set the value back to the default, use the
no form of this command. This command is part of the TCP normalization policy enabled using the set
connection advanced-options command.
seq-past-window {allow | drop}
no seq-past-window
Syntax Description
allow    Allows packets that have past-window sequence numbers. This action is only allowed if the
         queue-limit command is set to 0 (disabled).
drop     Drops packets that have past-window sequence numbers.
Defaults
The default action is to drop packets that have past-window sequence numbers.
Command Modes
The following table shows the modes in which you can enter the command:

                                     Firewall Mode         Security Context
                                                                      Multiple
Command Mode                         Routed  Transparent   Single   Context  System
Tcp-map configuration                Yes     Yes           Yes      Yes      —

Command History
Release          Modification
7.2(4)/8.0(4)    This command was added.

Usage Guidelines
To enable TCP normalization, use the Modular Policy Framework:
1.
tcp-map—Identifies the TCP normalization actions.
a. seq-past-window—In tcp-map configuration mode, you can enter the seq-past-window
command and many others.
2.
class-map—Identify the traffic on which you want to perform TCP normalization.
3.
policy-map—Identify the actions associated with each class map.
a. class—Identify the class map on which you want to perform actions.
b. set connection advanced-options—Identify the tcp-map you created.
4.
service-policy—Assigns the policy map to an interface or globally.
Cisco ASA Series Command Reference, S Commands
1-43
Chapter
Examples
The following example sets the ASA to allow packets that have past-window sequence numbers:
ciscoasa(config)# tcp-map tmap
ciscoasa(config-tcp-map)# seq-past-window allow
ciscoasa(config)# class-map cmap
ciscoasa(config-cmap)# match any
ciscoasa(config)# policy-map pmap
ciscoasa(config-pmap)# class cmap
ciscoasa(config-pmap)# set connection advanced-options tmap
ciscoasa(config)# service-policy pmap global
ciscoasa(config)#
Related Commands
Command
Description
class-map
Identifies traffic for a service policy.
policy-map
dentifies actions to apply to traffic in a service policy.
queue-limit
Sets the out-of-order packet limit.
set connection
advanced-options
Enables TCP normalization.
service-policy
Applies a service policy to interface(s).
show running-config
tcp-map
Shows the TCP map configuration.
tcp-map
Creates a TCP map and allows access to tcp-map configuration mode.
Cisco ASA Series Command Reference, S Commands
1-44
Chapter
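The past-window test described under seq-past-window, as an added illustration that is not part of the Cisco reference and is not ASA code: a Python model of the receive-window check (with 32-bit sequence wraparound), the allow/drop action a tcp-map selects for a past-window segment, and the documented constraint that allow is only valid when queue-limit is 0. The names rcv_nxt and rcv_wnd, the modular comparison and the sample segment numbers are assumptions made for this example.

```python
"""Model of the ASA seq-past-window check (added example, not Cisco code)."""

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def seq_gt(a: int, b: int) -> bool:
    """True when sequence number a is after b in modular (wraparound) arithmetic."""
    return a != b and ((a - b) % SEQ_MOD) < (SEQ_MOD >> 1)


def is_past_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Past-window: the segment's sequence number lies beyond the right edge of the
    receiver's window (rcv_nxt + rcv_wnd), computed modulo 2^32.  A segment that
    starts exactly at the right edge is not past the window."""
    right_edge = (rcv_nxt + rcv_wnd) % SEQ_MOD
    return seq_gt(seq, right_edge)


def validate_tcp_map(seq_past_window: str, queue_limit: int) -> None:
    """Enforce the documented constraint: 'allow' is only valid when queue-limit is 0."""
    if seq_past_window not in ("allow", "drop"):
        raise ValueError("seq-past-window must be 'allow' or 'drop'")
    if seq_past_window == "allow" and queue_limit != 0:
        raise ValueError("seq-past-window allow requires queue-limit 0 (disabled)")


def normalize(seq, rcv_nxt, rcv_wnd, seq_past_window="drop", queue_limit=0):
    """Return the action for one segment: 'forward' for an in-window sequence number,
    otherwise the configured seq-past-window action ('allow' or 'drop')."""
    validate_tcp_map(seq_past_window, queue_limit)
    if is_past_window(seq, rcv_nxt, rcv_wnd):
        return seq_past_window
    return "forward"


def audit(segments, rcv_nxt, rcv_wnd, seq_past_window="drop", queue_limit=0):
    """Tally the actions taken over a batch of segments (a list of sequence numbers)."""
    counts = {"forward": 0, "allow": 0, "drop": 0}
    for seq in segments:
        counts[normalize(seq, rcv_nxt, rcv_wnd, seq_past_window, queue_limit)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample: receiver expects 1000, window 8192, one segment far ahead.
    print(audit([1000, 2460, 9192, 50000], 1000, 8192))
```

With the default action the far-ahead segment is dropped; the same batch under `seq_past_window="allow"` is forwarded, which is why the reference ties allow to a disabled out-of-order queue: nothing would be buffered for it.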
serial-number

To include the ASA serial number in the certificate during enrollment, use the serial-number command
in crypto ca trustpoint configuration mode. To restore the default setting, use the no form of the
command.

serial-number
no serial-number

Syntax Description

This command has no arguments or keywords.

Defaults

The default setting is to not include the serial number.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                 Routed   Transparent   Single   Multiple Context   Multiple System
Crypto ca trustpoint         • Yes    • Yes         • Yes    • Yes              • Yes
configuration

Command History

Release   Modification
7.0(1)    This command was added.

Examples

The following example enters crypto ca trustpoint configuration mode for trustpoint central, and
includes the ASA serial number in the enrollment request for trustpoint central:

ciscoasa(config)# crypto ca trustpoint central
ciscoasa(ca-trustpoint)# serial-number

Related Commands

Command               Description
crypto ca trustpoint  Enters trustpoint configuration mode.

server (pop3s, imap4s, smtps) (Deprecated)

Note
The last supported release for this command was Version 9.5(1).

To specify a default e-mail proxy server, use the server command in the applicable e-mail proxy
configuration mode. To remove the attribute from the configuration, use the no version of this command.

The ASA sends requests to the default e-mail server when the user connects to the e-mail proxy without
specifying a server. If you do not configure a default server, and a user does not specify a server, the ASA
returns an error.

server {ipaddr or hostname}
no server

Syntax Description

hostname   The DNS name of the default e-mail proxy server.
ipaddr     The IP address of the default e-mail proxy server.

Defaults

There is no default e-mail proxy server by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode           Routed   Transparent   Single   Multiple Context   Multiple System
Pop3s configuration    • Yes    —             • Yes    • Yes              —
Imap4s configuration   • Yes    —             • Yes    • Yes              —
Smtps configuration    • Yes    —             • Yes    • Yes              —

Command History

Release   Modification
7.0(1)    This command was added.
9.5.2     This command was deprecated.

Examples

The following example shows how to set a default POP3S e-mail server with an IP address of 10.1.1.7:

ciscoasa(config)# pop3s
ciscoasa(config-pop3s)# server 10.1.1.7

server (scansafe general-options)

To configure the primary and backup Cloud Web Security proxy servers, use the server command in
scansafe general-options configuration mode. To remove the server, use the no form of this command.

server {primary | backup} {ip ip_address | fqdn fqdn} [port port]
no server {primary | backup} {ip ip_address | fqdn fqdn} [port port]

Syntax Description

backup          Specifies that you are identifying the backup server.
ip ip_address   Specifies the server IP address.
fqdn fqdn       Specifies the server fully-qualified domain name (FQDN).
port port       (Optional) By default, the Cloud Web Security proxy server uses port 8080
                for both HTTP and HTTPS traffic; do not change this value unless directed
                to do so.
primary         Specifies that you are identifying the primary server.

Command Default

The default port is 8080.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                Routed   Transparent   Single   Multiple Context   Multiple System
Scansafe general-options    • Yes    • Yes         • Yes    —                  • Yes
configuration

Command History

Release   Modification
9.0(1)    This command was added.

Usage Guidelines

When you subscribe to the Cisco Cloud Web Security service, you are assigned a primary Cloud Web
Security proxy server and backup proxy server. These servers are routinely polled to check for their
availability. If your ASA is unable to reach the Cloud Web Security proxy server (for example, if no
SYN/ACK packets arrive from the proxy server), then the proxy server is polled through a TCP
three-way handshake to check its availability. If the proxy server is unavailable after a configured
number of retries (the default is five), the server is declared as unreachable, and the backup proxy server
becomes active.

Note
You can further refine failover by checking the health of the Cloud Web Security application. In some
cases, the server can complete the TCP three-way handshake, yet the Cloud Web Security application on
the server is not functioning correctly. If you enable application health checking, the system can fail over
to the backup server even if the three-way handshake completes, if the application itself does not
respond. This provides a more reliable failover setup. Use the health-check application command to
enable this extra check.

The ASA automatically falls back to the primary Cloud Web Security proxy server from the backup
server after continued polling shows that the primary server is active for two consecutive retry count
periods. You can change this polling interval using the retry-count command.

Traffic Conditions Under Which    Server Timeout Calculation                 Connection Timeout Result
Proxy Server Is Not Reachable
High traffic                      Client half open connection timeout +      (30 + 30) = 60 seconds
                                  ASA TCP connection timeout
Single connection failure         Client half open connection timeout +      (30 + ((5 - 1) x 30)) = 150 seconds
                                  ((retry threshold - 1) x
                                  (ASA TCP connection timeout))
Idle—No connections are           15 minutes + ((retry threshold) x          900 + (5 x 30) = 1050 seconds
passing                           (ASA TCP connection timeout))

Examples

The following example configures a primary and backup server. You must enter the command separately
for the primary and backup server.

scansafe general-options
 server primary ip 10.24.0.62 port 8080
 server backup ip 10.10.0.7 port 8080
 retry-count 7
 license 366C1D3F5CE67D33D3E9ACEC265261E5

Related Commands

Command                        Description
class-map type inspect         Creates an inspection class map for whitelisted users and groups.
scansafe
default user group             Specifies the default username and/or group if the ASA cannot determine the
                               identity of the user coming into the ASA.
http[s] (parameters)           Specifies the service type for the inspection policy map, either HTTP or
                               HTTPS.
inspect scansafe               Enables Cloud Web Security inspection on the traffic in a class.
license                        Configures the authentication key that the ASA sends to the Cloud Web
                               Security proxy servers to indicate from which organization the request
                               comes.
match user group               Matches a user or group for a whitelist.
policy-map type                Creates an inspection policy map so you can configure essential parameters
inspect scansafe               for the rule and also optionally identify the whitelist.
retry-count                    Enters the retry counter value, which is the amount of time that the ASA
                               waits before polling the Cloud Web Security proxy server to check its
                               availability.
scansafe                       In multiple context mode, allows Cloud Web Security per context.
scansafe general-options       Configures general Cloud Web Security server options.
server {primary | backup}      Configures the fully qualified domain name or IP address of the primary or
                               backup Cloud Web Security proxy servers.
show conn scansafe             Shows all Cloud Web Security connections, as noted by the capital Z flag.
show scansafe server           Shows the status of the server, whether it's the current active server, the
                               backup server, or unreachable.
show scansafe statistics       Shows total and current HTTP(S) connections.
user-identity monitor          Downloads the specified user or group information from the AD agent.
whitelist                      Performs the whitelist action on the class of traffic.

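The failover behaviour and the timeout table in the usage guidelines above, as an added worked example that is not part of the Cisco reference and is not ASA code. It computes the three "connection timeout result" values from the table's own constants (30-second client half-open and ASA TCP connection timeouts, a 15-minute idle poll interval, retry threshold 5) and models primary/backup selection from a stream of poll results. The phrase "active for two consecutive retry count periods" is modelled here as 2 x retry-count consecutive successful polls of the primary; that reading, and the class and function names, are assumptions made for this example.

```python
"""Cloud Web Security proxy failover model (added example, not Cisco code)."""

from dataclasses import dataclass

# Constants taken from the reference's timeout table (seconds).
CLIENT_HALF_OPEN_TIMEOUT = 30
ASA_TCP_CONNECTION_TIMEOUT = 30
IDLE_POLL_INTERVAL = 15 * 60


def detection_time(condition: str, retry_threshold: int = 5) -> int:
    """Seconds until the proxy is declared unreachable, per the three table rows."""
    if condition == "high traffic":
        return CLIENT_HALF_OPEN_TIMEOUT + ASA_TCP_CONNECTION_TIMEOUT
    if condition == "single connection failure":
        return CLIENT_HALF_OPEN_TIMEOUT + (retry_threshold - 1) * ASA_TCP_CONNECTION_TIMEOUT
    if condition == "idle":
        return IDLE_POLL_INTERVAL + retry_threshold * ASA_TCP_CONNECTION_TIMEOUT
    raise ValueError(f"unknown traffic condition: {condition}")


@dataclass
class ProxyFailover:
    """Tracks which proxy is active from successive polls of the primary server."""
    retry_count: int = 5          # failures before the primary is declared unreachable
    active: str = "primary"
    primary_failures: int = 0     # consecutive failed polls of the primary
    primary_successes: int = 0    # consecutive successful polls of the primary

    def record_poll(self, primary_reachable: bool) -> str:
        """Feed one poll result for the primary; return the server that is now active."""
        if primary_reachable:
            self.primary_failures = 0
            self.primary_successes += 1
            # Assumption: fall back after two consecutive retry-count periods of success.
            if self.active == "backup" and self.primary_successes >= 2 * self.retry_count:
                self.active = "primary"
        else:
            self.primary_successes = 0
            self.primary_failures += 1
            if self.active == "primary" and self.primary_failures >= self.retry_count:
                self.active = "backup"
        return self.active


def replay(poll_results, retry_count: int = 5) -> list:
    """Return the active server after each poll in a constructed sequence."""
    tracker = ProxyFailover(retry_count=retry_count)
    return [tracker.record_poll(ok) for ok in poll_results]


if __name__ == "__main__":
    for cond in ("high traffic", "single connection failure", "idle"):
        print(f"{cond}: {detection_time(cond)} s (retry-count 7: {detection_time(cond, 7)} s)")
    # Constructed poll stream: five misses, then the primary recovers.
    print(replay([False] * 5 + [True] * 10))
```

Raising retry-count (the example configuration above uses 7) lengthens every row of the table except "high traffic", so a higher value trades slower failover for fewer spurious switches to the backup.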
server (ssh pubkey-chain)

To manually add or delete SSH servers and their keys from the ASA database for the on-board Secure
Copy (SCP) client, use the server command in ssh pubkey-chain configuration mode. To remove a server
and its host key, use the no form of this command.

server ip_address
no server ip_address

Syntax Description

ip_address   Specifies the SSH server IP address.

Command Default

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                     Routed   Transparent   Single   Multiple Context   Multiple System
Ssh pubkey-chain configuration   • Yes    • Yes         • Yes    —                  • Yes

Command History

Release   Modification
9.1(5)    This command was added.

Usage Guidelines

You can copy files to and from the ASA using the on-board SCP client. The ASA stores the SSH host
key for each SCP server to which it connects. You can manually add or delete servers and their keys from
the ASA database if desired.

For each server, you can specify the key-string (public key) or key-hash (hashed value) of the SSH host.

Examples

The following example adds an already hashed host key for the server at 10.86.94.170:

ciscoasa(config)# ssh pubkey-chain
ciscoasa(config-ssh-pubkey-chain)# server 10.86.94.170
ciscoasa(config-ssh-pubkey-server)# key-hash sha256 65:d9:9d:fe:1a:bc:61:aa:64:9d:fc:ee:99:87:38:df:a8:8e:d9:e9:ff:42:de:e8:8d:2d:bf:a9:2b:85:2e:19

The following example adds a host string key for the server at 10.7.8.9:

ciscoasa(config)# ssh pubkey-chain
ciscoasa(config-ssh-pubkey-chain)# server 10.7.8.9
ciscoasa(config-ssh-pubkey-server)# key-string
Enter the base 64 encoded RSA public key.
End with the word "exit" on a line by itself
ciscoasa(config-ssh-pubkey-server-string)# c1:b1:30:29:d7:b8:de:6c:97:77:10:d7:46:41:63:87
ciscoasa(config-ssh-pubkey-server-string)# exit

Related Commands

Command                 Description
copy                    Copies a file to or from the ASA.
key-hash                Enters a hashed SSH host key.
key-string              Enters a public SSH host key.
ssh pubkey-chain        Manually adds or deletes servers and their keys from the ASA database.
ssh stricthostkeycheck  Enables SSH host key checking for the on-board Secure Copy (SCP) client.

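The key-hash form shown in the first example above (32 colon-separated hex bytes after the sha256 keyword) is a SHA-256 digest. The following is an added example, not from the Cisco reference and not ASA code, showing how an operator can compute that value from an SSH server's base64 public key blob before pinning it with key-hash, and how the same digest is rendered in OpenSSH's SHA256:<base64> form for comparison with the output of `ssh-keygen -l -E sha256`. It assumes that the ASA hashes the decoded key blob (the wire-format key, not the base64 text); the ssh-ed25519 sample blob is constructed from placeholder bytes and is not a real key.

```python
"""SSH host key fingerprint helpers (added example, not Cisco code)."""

import base64
import hashlib
import re
import struct


def colon_hex_sha256(blob: bytes) -> str:
    """SHA-256 of a byte string as colon-separated lowercase hex (the key-hash form above)."""
    return ":".join(f"{b:02x}" for b in hashlib.sha256(blob).digest())


def asa_key_hash_sha256(pubkey_b64: str) -> str:
    """Assumed key-hash sha256 input: the digest of the base64-decoded key blob."""
    return colon_hex_sha256(base64.b64decode(pubkey_b64, validate=True))


def openssh_fingerprint(pubkey_b64: str) -> str:
    """Same digest in OpenSSH 'SHA256:<base64 without padding>' form."""
    digest = hashlib.sha256(base64.b64decode(pubkey_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_ssh_key(pubkey_b64: str) -> list:
    """Split an SSH wire-format key blob into its length-prefixed fields (RFC 4251
    strings); the first field is the key type, e.g. b'ssh-ed25519' or b'ssh-rsa'."""
    blob = base64.b64decode(pubkey_b64, validate=True)
    fields, i = [], 0
    while i < len(blob):
        if i + 4 > len(blob):
            raise ValueError("truncated SSH key blob")
        (n,) = struct.unpack(">I", blob[i:i + 4])
        i += 4
        if i + n > len(blob):
            raise ValueError("truncated SSH key blob")
        fields.append(blob[i:i + n])
        i += n
    return fields


def matches_key_hash(pubkey_b64: str, expected: str) -> bool:
    """Compare a key against a key-hash value obtained out of band, tolerating
    colons, spaces and upper-case hex in the expected string."""
    wanted = re.sub(r"[^0-9a-f]", "", expected.lower())
    actual = hashlib.sha256(base64.b64decode(pubkey_b64, validate=True)).hexdigest()
    return actual == wanted


def sample_ed25519_key_b64() -> str:
    """Constructed sample in ssh-ed25519 wire layout; the 32 key bytes are a
    placeholder sequence, not a real key."""
    key_type = b"ssh-ed25519"
    key_bytes = bytes(range(32))
    blob = (struct.pack(">I", len(key_type)) + key_type
            + struct.pack(">I", len(key_bytes)) + key_bytes)
    return base64.b64encode(blob).decode()


if __name__ == "__main__":
    key = sample_ed25519_key_b64()
    print(parse_ssh_key(key)[0].decode(), asa_key_hash_sha256(key))
    print(openssh_fingerprint(key))
```

The value to pin should come from the server owner or from a console session on the server itself, never from the first connection; `matches_key_hash` is the check to run against that out-of-band value before entering it with key-hash.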
server authenticate-client

To enable the ASA to authenticate the TLS client during the TLS handshake, use the server
authenticate-client command in tls-proxy configuration mode. To bypass client authentication, use the
no form of this command.

server authenticate-client
no server authenticate-client

Syntax Description

This command has no arguments or keywords.

Defaults

This command is enabled by default, which means the TLS client is required to present a certificate
during the handshake with the ASA.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode              Routed   Transparent   Single   Multiple Context   Multiple System
Tls-proxy configuration   • Yes    • Yes         • Yes    • Yes              —

Command History

Release   Modification
8.0(4)    This command was added.

Usage Guidelines

Use the server authenticate-client command to control whether client authentication is required
during the TLS Proxy handshake. When enabled (the default), the security appliance sends a Certificate
Request TLS handshake message to the TLS client, and the TLS client is required to present its
certificate.

Use the no form of this command to disable client authentication. Disabling TLS client authentication
is suitable when the ASA must interoperate with a CUMA client, or with clients such as a web browser
that cannot send a client certificate.

Examples

The following example configures a TLS proxy instance with client authentication disabled:

ciscoasa(config)# tls-proxy mmp_tls
ciscoasa(config-tlsp)# no server authenticate-client
ciscoasa(config-tlsp)# server trust-point cuma_server_proxy

Related Commands

Command     Description
tls-proxy   Configures the TLS proxy instance.

server-port

To configure an AAA server port for a host, use the server-port command in aaa-server host mode. To
remove the designated server port, use the no form of this command.

server-port port-number
no server-port port-number

Syntax Description

port-number   A port number in the range of 0 through 65535.

Defaults

The default server ports are as follows:

• SDI—5500
• LDAP—389
• Kerberos—88
• NT—139
• TACACS+—49

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode       Routed   Transparent   Single   Multiple Context   Multiple System
Aaa-server group   • Yes    • Yes         • Yes    • Yes              —

Command History

Release   Modification
7.0(1)    This command was added.

Examples

The following example configures an SDI AAA server named srvgrp1 to use server port number 8888:

ciscoasa(config)# aaa-server srvgrp1 protocol sdi
ciscoasa(config-aaa-server-group)# aaa-server srvgrp1 host 192.168.10.10
ciscoasa(config-aaa-server-host)# server-port 8888

Related Commands

Command                         Description
aaa-server host                 Configures host-specific AAA server parameters.
clear configure aaa-server      Removes all AAA server configurations.
show running-config aaa-server  Displays AAA server statistics for all AAA servers, for a particular server
                                group, for a particular server within a particular group, or for a particular
                                protocol.

server-separator (pop3s, imap4s, smtps) (Deprecated)

Note
The last supported release for this command was Version 9.5(1).

To specify a character as a delimiter between the e-mail and VPN server names, use the server-separator
command in the applicable e-mail proxy mode. To revert to the default, ":", use the no form of this
command.

server-separator {symbol}
no server-separator

Syntax Description

symbol   The character that separates the e-mail and VPN server names. Choices are
         "@" (at), "|" (pipe), ":" (colon), "#" (hash), "," (comma), and ";"
         (semi-colon).

Defaults

The default is "@" (at).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode   Routed   Transparent   Single   Multiple Context   Multiple System
Pop3s          • Yes    —             • Yes    —                  —
Imap4s         • Yes    —             • Yes    —                  —
Smtps          • Yes    —             • Yes    —                  —

Command History

Release   Modification
7.0(1)    This command was added.
9.5.2     This command was deprecated.

Usage Guidelines

The server separator must be different from the name separator.

Examples

The following example shows how to set a pipe (|) as the server separator for IMAP4S:

ciscoasa(config)# imap4s
ciscoasa(config-imap4s)# server-separator |

Related Commands

Command          Description
name-separator   Separates the e-mail and VPN usernames and passwords.

server trust-point

To specify the proxy trustpoint certificate to present during the TLS handshake, use the server trust-point
command in TLS server configuration mode.

server trust-point proxy_trustpoint

Syntax Description

proxy_trustpoint   Specifies the trustpoint defined by the crypto ca trustpoint command.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode              Routed   Transparent   Single   Multiple Context   Multiple System
TLS-proxy configuration   • Yes    • Yes         • Yes    • Yes              —

Command History

Release   Modification
8.0(4)    This command was added.

Usage Guidelines

The server trust-point command has precedence over the global ssl trust-point command.

The server trust-point command specifies the proxy trustpoint certificate presented during the TLS
handshake. The certificate must be owned by the ASA (identity certificate). The certificate can be
self-signed, enrolled with a certificate authority, or from an imported credential.

Create TLS proxy instances for each entity that can initiate a connection. The entity that initiates the
TLS connection is in the role of TLS client. Because the TLS Proxy has a strict definition of client proxy
and server proxy, two TLS proxy instances must be defined if either of the entities could initiate the
connection.

Note
When you are creating the TLS proxy instance to use with the Phone Proxy, the server trustpoint is the
internal Phone Proxy trustpoint created by the CTL file instance. The trustpoint name is in the form
internal_PP_<ctl-file_instance_name>

Examples

The following example shows the use of the server trust-point command to specify the proxy trustpoint
certificate to present during the TLS handshake:

ciscoasa(config-tlsp)# server trust-point ent_y_proxy

Related Commands

Command             Description
client (tls-proxy)  Configures trustpoints, keypairs, and cipher suites for a TLS proxy instance.
client trust-point  Specifies the proxy trustpoint certificate to present during the TLS handshake.
ssl trust-point     Specifies the certificate trustpoint that represents the SSL certificate for an
                    interface.
tls-proxy           Configures a TLS proxy instance.

server-type

To manually configure the LDAP server model, use the server-type command in aaa-server host
configuration mode. The ASA supports the following server models:

• Microsoft Active Directory
• Sun Microsystems JAVA System Directory Server, formerly named the Sun ONE Directory Server
• Generic LDAP directory servers that comply with LDAPv3 (no password management)

To disable this command, use the no form of this command.

server-type {auto-detect | microsoft | sun | generic | openldap | novell}
no server-type {auto-detect | microsoft | sun | generic | openldap | novell}

Syntax Description

auto-detect   Specifies that the ASA determines the LDAP server type through
              auto-detection.
generic       Specifies LDAP v3-compliant directory servers other than Sun and Microsoft
              LDAP directory servers. Password management is not supported with generic
              LDAP servers.
microsoft     Specifies that the LDAP server is a Microsoft Active Directory.
openldap      Specifies that the LDAP server is an OpenLDAP server.
novell        Specifies that the LDAP server is a Novell server.
sun           Specifies that the LDAP server is a Sun Microsystems JAVA System Directory
              Server.

Defaults

By default, auto-detection attempts to determine the server type.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                    Routed   Transparent   Single   Multiple Context   Multiple System
Aaa-server host configuration   • Yes    • Yes         • Yes    • Yes              —

Command History

Release   Modification
7.1(1)    This command was added.
8.0(2)    Support for the OpenLDAP and Novell server types was added.

Usage Guidelines

The ASA supports LDAP version 3 and is compatible with the Sun Microsystems JAVA System
Directory Server, the Microsoft Active Directory, and other LDAPv3 directory servers.

Note
• Sun—The DN configured on the ASA to access a Sun directory server must be able to access the
  default password policy on that server. We recommend using the directory administrator, or a user
  with directory administrator privileges, as the DN. Alternatively, you can place an ACI on the
  default password policy.
• Microsoft—You must configure LDAP over SSL to enable password management with Microsoft
  Active Directory.
• Generic—Password management features are not supported.

By default, the ASA auto-detects whether it is connected to a Microsoft directory server, a Sun LDAP
directory server, or a generic LDAPv3 server. However, if auto-detection fails to determine the LDAP
server type and if you know the server is either a Microsoft or Sun server, you can use the server-type
command to manually configure the server as either a Microsoft or a Sun Microsystems LDAP server.

Examples

The following example, entered in aaa-server host configuration mode, configures the server type for the
LDAP server ldapsvr1 at IP address 10.10.0.1. The first example configures a Sun Microsystems LDAP
server.

ciscoasa(config)# aaa-server ldapsvr1 protocol ldap
ciscoasa(config-aaa-server-group)# aaa-server ldapsvr1 host 10.10.0.1
ciscoasa(config-aaa-server-host)# server-type sun

The following example specifies that the ASA use auto-detection to determine the server type:

ciscoasa(config)# aaa-server ldapsvr1 protocol LDAP
ciscoasa(config-aaa-server-group)# aaa-server ldapsvr1 host 10.10.0.1
ciscoasa(config-aaa-server-host)# server-type auto-detect

Related Commands

Command                      Description
ldap-over-ssl                Specifies that SSL secures the LDAP client-server connection.
sasl-mechanism               Configures SASL authentication between the LDAP client and
                             server.
ldap attribute-map (global   Creates and names an LDAP attribute map for mapping
configuration mode)          user-defined attribute names to Cisco LDAP attribute names.

service (ctl-provider)

To specify the port to which the Certificate Trust List provider listens, use the service command in CTL
provider configuration mode. To remove the configuration, use the no form of this command.

service port listening_port
no service port listening_port

Syntax Description

port listening_port   Specifies the port on which the CTL provider listens.

Defaults

Default port is 2444.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                 Routed   Transparent   Single   Multiple Context   Multiple System
Ctl provider configuration   • Yes    • Yes         • Yes    • Yes              —

Command History

Release   Modification
8.0(2)    This command was added.

Usage Guidelines

Use the service command in CTL provider configuration mode to specify the port to which the CTL
provider listens. The port must be the one listened to by the CallManager servers in the cluster (as
configured under Enterprise Parameters on the CallManager administration page). The default port is
2444.

Examples

The following example shows how to create a CTL provider instance:

ciscoasa(config)# ctl-provider my_ctl
ciscoasa(config-ctl-provider)# client interface inside 172.23.45.1
ciscoasa(config-ctl-provider)# client username CCMAdministrator password XXXXXX encrypted
ciscoasa(config-ctl-provider)# export certificate ccm_proxy
ciscoasa(config-ctl-provider)# ctl install

Related Commands

Command        Description
client         Specifies clients allowed to connect to the CTL provider and also username
               and password for client authentication.
ctl            Parses the CTL file from the CTL client and installs trustpoints.
ctl-provider   Configures a CTL provider instance in CTL provider mode.
export         Specifies the certificate to be exported to the client.
tls-proxy      Defines a TLS proxy instance and sets the maximum sessions.

service (global)

To enable resets for denied TCP connections, use the service command in global configuration mode.
To disable resets, use the no form of this command.

service {resetinbound [interface interface_name] | resetoutbound [interface interface_name] |
resetoutside}
no service {resetinbound [interface interface_name] | resetoutbound [interface interface_name]
| resetoutside}

Syntax Description

interface interface_name   Enables or disables resets for the specified interface.
resetinbound               Sends TCP resets for all inbound TCP sessions that attempt to transit the ASA and
                           are denied by the ASA based on access lists or AAA settings. The ASA also sends
                           resets for packets that are allowed by an access list or AAA, but do not belong to an
                           existing connection and are denied by the stateful firewall. Traffic between same
                           security level interfaces is also affected. When this option is not enabled, the ASA
                           silently discards denied packets. If you do not specify an interface, then this setting
                           applies to all interfaces.
resetoutbound              Sends TCP resets for all outbound TCP sessions that attempt to transit the ASA and
                           are denied by the ASA based on access lists or AAA settings. The ASA also sends
                           resets for packets that are allowed by an access list or AAA, but do not belong to an
                           existing connection and are denied by the stateful firewall. Traffic between same
                           security level interfaces is also affected. When this option is not enabled, the ASA
                           silently discards denied packets. This option is enabled by default. You might want
                           to disable outbound resets to reduce the CPU load during traffic storms, for
                           example.
resetoutside               Enables resets for TCP packets that terminate at the least secure interface and are
                           denied by the ASA based on access lists or AAA settings. The ASA also sends
                           resets for packets that are allowed by an access list or AAA, but do not belong to an
                           existing connection and are denied by the stateful firewall. When this option is not
                           enabled, the ASA silently discards denied packets. We recommend that you use the
                           resetoutside keyword with interface PAT. This keyword allows the ASA to
                           terminate the IDENT from an external SMTP or FTP server. Actively resetting
                           these connections avoids the 30-second timeout delay.

Defaults

By default, service resetoutbound is enabled for all interfaces.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode           Routed   Transparent   Single   Multiple Context   Multiple System
Global configuration   • Yes    • Yes         • Yes    • Yes              —

Command History

Release   Modification
7.1(1)    The interface keyword and the resetoutbound command were added.

Usage Guidelines

You might want to explicitly send resets for inbound traffic if you need to reset identity request (IDENT)
connections. When you send a TCP RST (reset flag in the TCP header) to the denied host, the RST stops
the incoming IDENT process so that you do not have to wait for IDENT to time out. Waiting for IDENT
to time out can cause traffic to slow because outside hosts keep retransmitting the SYN until the IDENT
times out, so the service resetinbound command might improve performance.

Examples

The following example disables outbound resets for all interfaces except for the inside interface:

ciscoasa(config)# no service resetoutbound
ciscoasa(config)# service resetoutbound interface inside

The following example enables inbound resets for all interfaces except for the DMZ interface:

ciscoasa(config)# service resetinbound
ciscoasa(config)# no service resetinbound interface dmz

The following example enables resets for connections that terminate on the outside interface:

ciscoasa(config)# service resetoutside

Related Commands

Command                      Description
show running-config service  Displays the service configuration.

service (object service)
To define the protocol and optional attributes for a service object, use the service command in object
service configuration mode. Use the no form of this command to remove the definition.
service {protocol | {tcp | udp | sctp} [source operator number] [destination operator number] |
{icmp | icmp6} [icmp_type [icmp_code]]}
no service {protocol | {tcp | udp | sctp} [source operator number] [destination operator number]
| {icmp | icmp6} [icmp_type [icmp_code]]}
Syntax Description
destination operator
number
(Optional; tcp, udp, sctp only.) Specifies the destination port name or
number, between 0 and 65535. For a list of supported names, see the CLI
help. Operators include:
•
eq—Equals the port number.
•
gt—Greater than the port number.
•
lt—Less than the port number.
•
neq—Not equal to the port number.
•
range—A range of ports. Specify two numbers separated by a space,
such as range 1024 4500.
{icmp | icmp6} [icmp_ Specifies that the service type is for ICMP or ICMP version 6 connections.
type [icmp_code]]
You can optionally specify the ICMP type by name or number, between 0 and
255. (For available optional ICMP type names, see the CLI help.) If you
specify a type, you can optionally include an ICMP code, between 1 and 255.
protocol
Identifies the protocol name or number, between 0 and 255. For a list of
supported names, see the CLI help.
sctp
Specifies that the service type is for Stream Control Transmission Protocol
(SCTP) connections.
source operator number (Optional; tcp, udp, sctp only.) Specifies the source port name or number,
between 0 and 65535. For a list of supported names, see the CLI help. The
operators are the same as those for destination.
tcp
Specifies that the service type is for TCP connections.
udp
Specifies that the service type is for UDP connections.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Object service configuration
Cisco ASA Series Command Reference, S Commands
1-66
Routed
•
Yes
Transparent Single
•
Yes
•
Yes
Context
•
Yes
System
—
Chapter
Command History
Usage Guidelines
Release
Modification
8.3(1)
This command was added.
9.0(1)
Support for ICMP code was added.
9.5(2)
Support for SCTP was added.
You can use service objects by name in other parts of your configuration, for example ACLs (the
access-list command) and NAT (the nat command).
If you configure an existing service object with a different protocol and port, the new configuration
replaces the existing protocol and port with the new ones.
Examples
The following example shows how to create a service object for SSH traffic:
ciscoasa(config)# service object SSH
ciscoasa(config-service-object)# service tcp destination eq ssh
The following example shows how to create a service object for EIGRP traffic:
ciscoasa(config)# service object EIGRP
ciscoasa(config-service-object)# service eigrp
The following example shows how to create a service object for traffic coming from port 0 through 1024
to HTTPS:
ciscoasa(config)# service object HTTPS
ciscoasa(config-service-object)# service tcp source range 0 1024 destination eq https
Related Commands
Command
Description
clear configure object
Clears all objects created.
object-group service
Configures a service object group.
show running-config object service
Shows the current service object configuration.
service call-home
To enable the Call Home service, use the service call-home command in global configuration mode. To
disable the Call Home service, use the no form of this command.
service call-home
no service call-home
Syntax Description
This command has no arguments or keywords.
Defaults
By default, the Call Home service is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode           Firewall Mode         Security Context
                       Routed  Transparent   Single  Multiple
                                                     Context  System
Global configuration   Yes     Yes           Yes     —        Yes

Command History
Release   Modification
8.2(2)    This command was added.

Examples
The following example shows how to enable the Call Home service:
ciscoasa(config)# service call-home
The following example shows how to disable the Call Home service:
ciscoasa(config)# no service call-home
Related Commands
Command
Description
call-home (global configuration)
Enters Call Home configuration mode.
call-home test
Manually sends a Call Home test message.
show call-home
Displays Call Home configuration information.
service-object
To add a service or service object to a service object group that is not pre-defined as TCP, UDP, or
TCP-UDP, use the service-object command in object-group service configuration mode. To remove a
service, use the no form of this command.
service-object {protocol | {tcp | udp | tcp-udp | sctp} [source operator number]
[destination operator number] | {icmp | icmp6} [icmp_type [icmp_code]] | object name}
no service-object {protocol | {tcp | udp | tcp-udp | sctp} [source operator number]
[destination operator number] | {icmp | icmp6} [icmp_type [icmp_code]] | object name}
Syntax Description
destination operator
number
(Optional; tcp, udp, tcp-udp, sctp only.) Specifies the destination port name
or number, between 0 and 65535. For a list of supported names, see the CLI
help. Operators include:
•
eq—Equals the port number.
•
gt—Greater than the port number.
•
lt—Less than the port number.
•
neq—Not equal to the port number.
•
range—A range of ports. Specify two numbers separated by a space,
such as range 1024 4500.
{icmp | icmp6} [icmp_type [icmp_code]]
Specifies that the service type is for ICMP or ICMP version 6 connections.
You can optionally specify the ICMP type by name or number, between 0 and
255. (For available optional ICMP type names, see the CLI help.) If you
specify a type, you can optionally include an ICMP code, between 1 and 255.
object name
Adds the named service object (created with the object service command) to the object group.
protocol
Identifies the protocol name or number, between 0 and 255. For a list of
supported names, see the CLI help.
sctp
Specifies that the service type is for Stream Control Transmission Protocol
(SCTP) connections.
source operator number (Optional; tcp, udp, tcp-udp, sctp only.) Specifies the source port name or
number, between 0 and 65535. For a list of supported names, see the CLI
help. The operators are the same as those for destination.
tcp
Specifies that the service type is for TCP connections.
tcp-udp
Specifies that the service type is for TCP or UDP connections.
udp
Specifies that the service type is for UDP connections.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode                         Firewall Mode         Security Context
                                     Routed  Transparent   Single  Multiple
                                                                   Context  System
Object-group service configuration   Yes     Yes           Yes     Yes      —

Command History
Release   Modification
8.0(1)    This command was added.
8.3(1)    The object keyword was added to support service objects (the object service command).
9.0(1)    Support for ICMP code was added.
9.5(2)    Support for SCTP was added.

Usage Guidelines
When you create a service object group with the object-group service command, and you do not
pre-define the protocol type for the whole group, then you can add multiple services and service objects
to the group of various protocols, including ports, using the service-object command. When you create
a service object group for a specific protocol type using the object-group service [tcp | udp | tcp-udp]
command, then you can only identify the destination ports for the object group using the port-object
command.
Examples
The following example shows how to add both TCP and UDP services to a service object group:
ciscoasa(config)# object-group service CommonApps
ciscoasa(config-service-object-group)# service-object tcp destination eq ftp
ciscoasa(config-service-object-group)# service-object tcp-udp destination eq www
ciscoasa(config-service-object-group)# service-object tcp destination eq h323
ciscoasa(config-service-object-group)# service-object tcp destination eq https
ciscoasa(config-service-object-group)# service-object udp destination eq ntp
The following example shows how to add multiple service objects to a service object group:
ciscoasa(config)# object service SSH
ciscoasa(config-service-object)# service tcp destination eq ssh
ciscoasa(config)# object service EIGRP
ciscoasa(config-service-object)# service eigrp
ciscoasa(config)# object service HTTPS
ciscoasa(config-service-object)# service tcp source range 0 1024 destination eq https
ciscoasa(config)# object-group service Group1
ciscoasa(config-service-object-group)# service-object object SSH
ciscoasa(config-service-object-group)# service-object object EIGRP
ciscoasa(config-service-object-group)# service-object object HTTPS
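The following configuration is an added example and is not part of the original reference. It ties the object service and service-object commands together and then does what the usage guidelines describe but never show: the group is referenced by name in an ACL, so one edit to a member object changes every expanded ACE. The object, network, ACL and interface names and the addresses are assumed for illustration.

```text
! Added example; not from the original reference. Object, network, ACL and
! interface names and all addresses are assumed for illustration.
!
! Reusable service objects, then a mixed-protocol group (object-group service
! with no protocol keyword, so service-object is allowed) that combines the
! objects with inline TCP, UDP and ICMP services.
object service SSH
 service tcp destination eq ssh
object service HTTPS
 service tcp destination eq https
object service SYSLOG-TLS
 service tcp destination eq 6514
object-group service ADMIN-SVCS
 service-object object SSH
 service-object object HTTPS
 service-object object SYSLOG-TLS
 service-object udp destination eq ntp
 service-object icmp echo
object network MGMT-HOST
 host 10.1.1.10
object network ADMIN-NET
 subnet 192.0.2.0 255.255.255.0
!
! Only the grouped services are permitted, and only from the admin network to
! the management host; everything else arriving on "outside" is denied and
! logged. The service group takes the place of the protocol argument, so the
! source and destination follow it without ports of their own.
access-list OUTSIDE-IN extended permit object-group ADMIN-SVCS object ADMIN-NET object MGMT-HOST
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! Check: the group expands to one ACE per member, each with its own hit count.
! Re-entering "service tcp destination eq 2222" under object service SSH
! replaces the port in the object and therefore in every ACE built from it.
show access-list OUTSIDE-IN
show running-config object-group
```

The deny-and-log line is deliberate: an implicit deny at the end of an ACL does not log, so an explicit final deny with the log keyword is what makes unexpected traffic to the management host visible.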
Related Commands
Command
Description
clear configure object-group
Removes all the object-group commands from the configuration.
network-object
Adds a network object to a network object group.
object service
Adds a service object.
object-group
Defines object groups to optimize your configuration.
port-object
Adds a port object to a service object group.
show running-config object-group
Displays the current object groups.
service password-recovery
To enable password recovery, use the service password-recovery command in global configuration
mode. To disable password recovery, use the no form of this command. Password recovery is enabled by
default, but you might want to disable it so that someone with physical or console access cannot use the
password recovery mechanism to read the configuration or take over the ASA.
service password-recovery
no service password-recovery
Syntax Description
This command has no arguments or keywords.
Defaults
Password recovery is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode           Firewall Mode         Security Context
                       Routed  Transparent   Single  Multiple
                                                     Context  System
Global configuration   Yes     Yes           Yes     —        Yes

Command History
Release   Modification
7.0(1)    This command was added.

Usage Guidelines
On the ASA 5500 series adaptive security appliance, if you forget the passwords, you can boot the ASA
into ROMMON by pressing the Escape key on the terminal keyboard when prompted during startup.
Then set the ASA to ignore the startup configuration by changing the configuration register (see the
config-register command). For example if your configuration register is the default 0x1, then change
the value to 0x41 by entering the confreg 0x41 command. After reloading the ASA, it loads a default
configuration, and you can enter privileged EXEC mode using the default passwords. Then load the
startup configuration by copying it to the running configuration and reset the passwords. Finally, set the
ASA to boot as before by setting the configuration register to the original setting. For example, enter the
config-register 0x1 command in global configuration mode.
On the PIX 500 series security appliance, boot the appliance into monitor mode by pressing the Escape
key on the terminal keyboard when prompted during startup. Then download the PIX password tool to the
appliance, which erases all passwords and aaa authentication commands.
On the ASA 5500 series adaptive security appliance, the no service password-recovery command
prevents a user from entering ROMMON with the configuration intact. When a user enters ROMMON,
the ASA prompts the user to erase all Flash file systems. The user cannot enter ROMMON without first
performing this erasure. If a user chooses not to erase the Flash file system, the ASA reloads. Because
password recovery depends on using ROMMON and maintaining the existing configuration, this erasure
prevents you from recovering a password. However, disabling password recovery prevents unauthorized
users from viewing the configuration or inserting different passwords. In this case, to recover the system
to an operating state, load a new image and a backup configuration file, if available. The service
password-recovery command appears in the configuration file for informational purposes only; when
you enter the command at the CLI prompt, the setting is saved in NVRAM. The only way to change the
setting is to enter the command at the CLI prompt. Loading a new configuration with a different version
of the command does not change the setting. If you disable password recovery when the ASA is
configured to ignore the startup configuration at startup (in preparation for password recovery), then the
ASA changes the setting to boot the startup configuration as usual. If you use failover, and the standby
unit is configured to ignore the startup configuration, then the same change is made to the configuration
register when the no service password-recovery command replicates to the standby unit.
On the PIX 500 series security appliance, the no service password-recovery command forces the PIX
password tool to prompt the user to erase all Flash file systems. The user cannot use the PIX password
tool without first performing this erasure. If a user chooses not to erase the Flash file system, the ASA
reloads. Because password recovery depends on maintaining the existing configuration, this erasure
prevents you from recovering a password. However, disabling password recovery prevents unauthorized
users from viewing the configuration or inserting different passwords. In this case, to recover the system
to an operating state, load a new image and a backup configuration file, if available.
Examples
The following example disables password recovery for the ASA 5500 series:
ciscoasa(config)# no service password-recovery
WARNING: Executing "no service password-recovery" has disabled the password recovery
mechanism and disabled access to ROMMON. The only means of recovering from lost or
forgotten passwords will be for ROMMON to erase all file systems including configuration
files and images. You should make a backup of your configuration and have a mechanism to
restore images from the ROMMON command line.
The following example for the ASA 5500 series shows when to enter ROMMON at startup and how to
complete a password recovery operation.
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.
Use ? for help.
rommon #0> confreg
Current Configuration Register: 0x00000001
Configuration Summary:
boot default image from Flash
Do you wish to change this configuration? y/n [n]: n
rommon #1> confreg 0x41
Update Config Register (0x41) in NVRAM...
rommon #2> boot
Launching BootLoader...
Boot configuration file contains 1 entry.
Loading disk0:/ASA_7.0.bin... Booting...
###################
...
Ignoring startup configuration as instructed by configuration register.
Type help or '?' for a list of available commands.
ciscoasa> enable
Password:
ciscoasa# configure terminal
ciscoasa(config)# copy startup-config running-config
Destination filename [running-config]?
Cryptochecksum(unchanged): 7708b94c e0e3f0d5 c94dde05 594fbee9
892 bytes copied in 6.300 secs (148 bytes/sec)
ciscoasa(config)# enable password NewPassword
ciscoasa(config)# config-register 0x1
Related Commands
Command
Description
config-register
Sets the ASA to ignore the startup configuration when it reloads.
enable password
Sets the enable password.
password
Sets the login password.
service-policy (class)
To apply a hierarchical policy map under another policy map, use the service-policy command in class
configuration mode. To disable the service policy, use the no form of this command. Hierarchical
policies are supported only for QoS traffic shaping when you want to perform priority queuing on a
subset of shaped traffic.
service-policy policymap_name
no service-policy policymap_name
Syntax Description
policymap_name
Specifies the policy map name that you configured in the policy-map command. You can only specify
a Layer 3/4 policy map that includes the priority command.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

Command Mode          Firewall Mode         Security Context
                      Routed  Transparent   Single  Multiple
                                                    Context  System
Class configuration   Yes     Yes           Yes     Yes      —

Command History
Release          Modification
7.2(4)/8.0(4)    This command was added.

Usage Guidelines
Hierarchical priority queuing is used on interfaces on which you enable a traffic shaping queue. A subset
of the shaped traffic can be prioritized. The standard priority queue is not used (the priority-queue
command).
For hierarchical priority queuing, perform the following tasks using the Modular Policy Framework:
1. class-map—Identify the traffic on which you want to perform priority queuing.
2. policy-map (for priority queuing)—Identify the actions associated with each class map.
   a. class—Identify the class map on which you want to perform actions.
   b. priority—Enable priority queuing for the class map. You can only include the priority
      command in this policy map if you want to use it hierarchically.
3. policy-map (for traffic shaping)—Identify the actions associated with the class-default class map.
   a. class class-default—Identify the class-default class map on which you want to perform
      actions.
   b. shape—Apply traffic shaping to the class map.
   c. service-policy—Call the priority queuing policy map in which you configured the priority
      command so you can apply priority queuing to a subset of shaped traffic.
4. service-policy—Assigns the policy map to an interface or globally.
Examples
The following example enables traffic shaping for all traffic on the outside interface, and prioritizes
traffic within VPN tunnel-grp1 with the DSCP bit set to ef:
ciscoasa(config)# class-map TG1-voice
ciscoasa(config-cmap)# match tunnel-group tunnel-grp1
ciscoasa(config-cmap)# match dscp ef
ciscoasa(config)# policy-map priority-sub-policy
ciscoasa(config-pmap)# class TG1-voice
ciscoasa(config-pmap-c)# priority
ciscoasa(config-pmap-c)# policy-map shape_policy
ciscoasa(config-pmap)# class class-default
ciscoasa(config-pmap-c)# shape
ciscoasa(config-pmap-c)# service-policy priority-sub-policy
ciscoasa(config-pmap-c)# service-policy shape_policy interface outside
Related Commands
Command
Description
class (policy-map)
Identifies a class map for a policy map.
clear configure service-policy
Clears service policy configurations.
clear service-policy
Clears service policy statistics.
policy-map
Identifies actions to perform on class maps.
priority
Enables priority queuing.
service-policy (global)
Applies a policy map to an interface.
shape
Enables traffic shaping.
show running-config service-policy
Displays the service policies configured in the running configuration.
show service-policy
Displays the service policy statistics.
service-policy (global)
To activate a policy map globally on all interfaces or on a targeted interface, use the service-policy
command in global configuration mode. To disable the service policy, use the no form of this command.
Use the service-policy command to enable a set of policies on an interface.
service-policy policymap_name [global | interface intf ] [fail-close]
no service-policy policymap_name [global | interface intf ] [fail-close]
Syntax Description
fail-close
Generates a syslog (767001) for IPv6 traffic that is dropped by application
inspections that do not support IPv6 traffic. By default, syslogs are not
generated.
global
Applies the policy map to all interfaces.
interface intf
Applies the policy map to a specific interface.
policymap_name
Specifies the policy map name that you configured in the policy-map
command. You can only specify a Layer 3/4 policy map, and not an
inspection policy map (policy-map type inspect).
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode           Firewall Mode         Security Context
                       Routed  Transparent   Single  Multiple
                                                     Context  System
Global configuration   Yes     Yes           Yes     Yes      —

Command History
Release   Modification
7.0(1)    This command was added.
9.0(1)    The fail-close keyword was added.

Usage Guidelines
To enable the service policy, use the Modular Policy Framework:
1. class-map—Identify the traffic on which you want to perform actions.
2. policy-map—Identify the actions associated with each class map.
   a. class—Identify the class map on which you want to perform actions.
   b. commands for supported features—For a given class map, you can configure many actions for
      various features, including QoS, application inspection, CSC or AIP SSM, TCP and UDP
      connection limits and timeouts, and TCP normalization. See the CLI configuration guide for
      more details about the commands available for each feature.
3. service-policy—Assigns the policy map to an interface or globally.
Interface service policies take precedence over the global service policy for a given feature. For example,
if you have a global policy with inspections, and an interface policy with TCP normalization, then both
inspections and TCP normalization are applied to the interface. However, if you have a global policy
with inspections, and an interface policy with inspections, then only the interface policy inspections are
applied to that interface.
By default, the configuration includes a global policy that matches all default application inspection
traffic and applies inspection to the traffic globally. You can only apply one global policy, so if you want
to alter the global policy, you need to either edit the default policy or disable it and apply a new one.
The default service policy includes the following command:
service-policy global_policy global
Examples
The following example shows how to enable the inbound_policy policy map on the outside interface:
ciscoasa(config)# service-policy inbound_policy interface outside
The following commands disable the default global policy and enable a new one called
new_global_policy on all interfaces:
ciscoasa(config)# no service-policy global_policy global
ciscoasa(config)# service-policy new_global_policy global
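As an added example that is not part of the original reference, the following configuration shows the two approaches the guidelines above describe: editing the default global_policy in place (adding an inspection and per-class connection limits, which is the usual choice because only one global policy can exist) and attaching an interface policy that carries a feature the global policy lacks, so that on that interface both the global inspections and the interface feature apply. The ACL, class-map, tcp-map and policy-map names, the server address and the interface name are assumed.

```text
! Added example; not from the original reference. ACL, class-map, tcp-map and
! policy-map names, the 10.2.2.20 server and the "outside" interface are
! assumed for illustration.
!
! 1. Extend the default global policy rather than replacing it. The default
!    "service-policy global_policy global" line stays; re-entering the policy
!    map adds ICMP inspection to the default class and a new class that caps
!    connections to one web server (a SYN-flood / connection-exhaustion limit).
access-list DMZ-WEB extended permit tcp any host 10.2.2.20 eq https
class-map DMZ-WEB-CLASS
 match access-list DMZ-WEB
policy-map global_policy
 class inspection_default
  inspect icmp
 class DMZ-WEB-CLASS
  set connection conn-max 2000 embryonic-conn-max 500 per-client-embryonic-max 50
  set connection timeout embryonic 0:00:30
!
! 2. An interface policy that carries only TCP normalization. The global
!    policy has no normalizer, so on "outside" the global inspections and this
!    tcp-map both apply. If this policy contained inspections instead, they
!    would replace the global inspections on this interface only.
tcp-map STRICT-TCP
 check-retransmission
 checksum-verification
class-map OUTSIDE-TCP
 match any
policy-map outside_policy
 class OUTSIDE-TCP
  set connection advanced-options STRICT-TCP
service-policy outside_policy interface outside
!
! Check: the global policy is still attached, and the per-interface output
! lists both the inspections and the connection settings in effect.
show running-config service-policy
show service-policy interface outside
```

The precedence rule is per feature, not per policy: keeping inspections out of outside_policy is what lets the global inspections keep running on that interface.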
Related Commands
Command
Description
clear configure service-policy
Clears service policy configurations.
clear service-policy
Clears service policy statistics.
service-policy (class)
Applies a hierarchical policy under another policy map.
show running-config service-policy
Displays the service policies configured in the running configuration.
show service-policy
Displays the service policy statistics.
service sw-reset-button
To enable the reset button on the ASA 5506-X and ASA 5508-X series security appliances, use the
service sw-reset-button command in global configuration mode. To disable the reset button, use the no
form of this command.
service sw-reset-button
no service sw-reset-button
Syntax Description
This command has no arguments or keywords.
Defaults
By default, service sw-reset-button is enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode           Firewall Mode         Security Context
                       Routed  Transparent   Single  Multiple
                                                     Context  System
Global configuration   Yes     Yes           Yes     Yes      —

Command History
Release   Modification
9.3(2)    This command was added.

Examples
The following example enables the software reset button:
ciscoasa(config)# service sw-reset-button
ciscoasa# show sw-reset-button
Software Reset Button is configured.
The following example disables the software reset button:
ciscoasa(config)# no service sw-reset-button
ciscoasa(config)# show sw-reset-button
Software Reset Button is not configured.
Related Commands
Command
Description
show running-config service
Displays the service configuration.
session
To establish a Telnet session from the ASA to a module, such as an IPS SSP or a CSC SSM, to access
the module CLI, use the session command in privileged EXEC mode.
session id
Syntax Description
id
Specifies the module ID:
•
Physical module—1 (for slot number 1)
•
Software module, ASA FirePOWER—sfr
•
Software module, IPS—ips
•
Software module, ASA CX—cxsc
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command.

Command Mode      Firewall Mode         Security Context
                  Routed  Transparent   Single  Multiple
                                                Context  System
Privileged EXEC   Yes     Yes           Yes     —        Yes

Command History
Release   Modification
7.0(1)    This command was added.
8.6(1)    The ips module ID for the IPS SSP software module was added.
9.1(1)    Support for the ASA CX module was added (the cxsc keyword).
9.2(1)    Support for the ASA FirePOWER module was added (the sfr keyword).

Usage Guidelines
This command is only available when the module is in the Up state. See the show module command for
state information.
Note that the session 1 command does not work with the following hardware modules:
• ASA CX
• ASA FirePOWER
To end a session, enter exit or Ctrl-Shift-6, then the x key.
Examples
The following example sessions to a module in slot 1:
ciscoasa# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.
Related Commands
Command
Description
debug session-command
Shows debugging messages for sessions.
session console
To establish a virtual console session from the ASA to a software module, such as an IPS SSP software
module, use the session console command in privileged EXEC mode. This command might be useful if
you cannot establish a Telnet session using the session command because the control plane is down.
session id console
Syntax Description
id
Specifies the module ID:
•
ASA FirePOWER module—sfr
•
IPS module—ips
•
ASA CX module—cxsc
•
ASA 5506W-X wireless access point—wlan
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command.

Command Mode      Firewall Mode         Security Context
                  Routed  Transparent   Single  Multiple
                                                Context  System
Privileged EXEC   Yes     Yes           Yes     —        Yes

Command History
Release   Modification
8.6(1)    This command was added.
9.1(1)    Support for the ASA CX module was added (the cxsc keyword).
9.2(1)    Support for the ASA FirePOWER module was added (the sfr keyword).
9.4(1)    Support for the ASA 5506W-X wireless access point (the wlan keyword) was added.

Usage Guidelines
To end a session, enter Ctrl-Shift-6, then the x key.
Do not use this command in conjunction with a terminal server where Ctrl-Shift-6, x is the escape
sequence to return to the terminal server prompt. Ctrl-Shift-6, x is also the sequence to escape the
module console and return to the ASA prompt. Therefore, if you try to exit the module console in this
situation, you instead exit all the way to the terminal server prompt. If you reconnect the terminal server
to the ASA, the module console session is still active; you can never exit to the ASA prompt. You must
use a direct serial connection to return the console to the ASA prompt.
Use the session command instead.
Examples
The following example creates a console session to the IPS module:
ciscoasa# session ips console
Establishing console session with slot 1
Opening console session with module ips.
Connected to module ips. Escape character sequence is 'CTRL-SHIFT-6 then x'.
sensor login: service
Password: test
The following example creates a console session to the wireless access point:
ciscoasa# session wlan console
opening console session with module wlan
connected to module wlan. Escape character sequence is 'CTRL-^X'
ap>
Related Commands
Command
Description
session
Initiates a Telnet session to a module.
show module log console
Displays console log information.
session do
To establish a Telnet session and perform a command from the ASA to a module, use the session do
command in privileged EXEC mode.
session id do command
Syntax Description
id
Specifies the module ID:
• Physical module—1 (for slot number 1)
• Software module, ASA FirePOWER—sfr
• Software module, IPS—ips
• Software module, ASA CX—cxsc
command
Performs a command on the module. Supported commands include:
• setup host ip ip_address/mask,gateway_ip—Sets the management IP address and gateway.
• get-config—Gets the module configuration.
• password-reset—Resets the module password to the default.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command.

Command Mode      Firewall Mode         Security Context
                  Routed  Transparent   Single  Multiple
                                                Context  System
Privileged EXEC   Yes     Yes           Yes     Yes      —

Command History
Release     Modification
7.1(1)      This command was added.
8.6(1)      The ips module ID for the IPS SSP software module was added.
8.4(4.1)    Support for the ASA CX module was added.
9.2(1)      Support for the ASA FirePOWER module, including the sfr keyword, was added.

Usage Guidelines
This command is only available when the module is in the Up state. See the show module command for
state information.
To end a session, enter exit or Ctrl-Shift-6, then the x key.
Examples
The following example sets the management IP address to 10.1.1.2/24, with a default gateway of
10.1.1.1:
ciscoasa# session 1 do setup host ip 10.1.1.2/24,10.1.1.1
Related Commands
Command
Description
debug session-command
Shows debugging messages for sessions.
session ip
To configure logging IP addresses for the module, such as an IPS SSP or a CSC SSM, use the session ip
command in privileged EXEC mode.
session id ip {address address mask | gateway address}
Syntax Description
id
Specifies the module ID:
•
Physical module—1 (for slot number 1)
•
Software module, IPS—ips
address address
Sets the syslog server address.
gateway address
Sets the gateway to the syslog server.
mask
Sets the subnet mask.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command.

Command Mode      Firewall Mode         Security Context
                  Routed  Transparent   Single  Multiple
                                                Context  System
Privileged EXEC   Yes     Yes           Yes     —        Yes

Command History
Release     Modification
7.1(1)      This command was added.
8.4(4.1)    Support for the ASA CX module was added.
8.6(1)      The ips module ID for the IPS SSP software module was added.

Usage Guidelines
This command is only available when the module is in the Up state. See the show module command for
state information.
To end a session, enter exit or Ctrl-Shift-6, then the x key.
Examples
The following example sessions to a module in slot 1:
ciscoasa# session 1 ip address
Related Commands
Command
Description
debug session-command
Shows debugging messages for sessions.
set as-path
To modify an autonomous system path for BGP routes, use the set as-path command in route-map
configuration mode. To not modify the autonomous system path, use the no form of this command.
set as-path {tag | prepend as-path-string}
no set as-path {tag | prepend as-path-string}
Syntax Description
as-path-string
Number of an autonomous system to prepend to the AS_PATH attribute. The
range of values for this argument is any valid autonomous system number
from 1 to 65535. Multiple values can be entered; up to 10 AS numbers can
be entered.
For more details about autonomous system number formats, see the router
bgp command.
prepend
Appends the string following the keyword prepend to the autonomous
system path of the route that is matched by the route map. Applies to inbound
and outbound BGP route maps.
tag
Converts the tag of a route into an autonomous system path. Applies only when
redistributing routes into BGP.
Defaults
An autonomous system path is not modified.
Command Modes
The following table shows the modes in which you can enter the command:

Command Mode              Firewall Mode         Security Context
                          Routed  Transparent   Single  Multiple
                                                        Context  System
Route-map configuration   Yes     —             Yes     Yes      —

Command History
Release   Modification
9.2(1)    This command was added.

Usage Guidelines
The only global BGP metric available to influence the best path selection is the autonomous system path
length. By varying the length of the autonomous system path, a BGP speaker can influence the best path
selection by a peer further away.
By allowing you to convert the tag into an autonomous system path, the set as-path tag variation of this
command modifies the autonomous system length. The set as-path prepend variation allows you to
"prepend" an arbitrary autonomous system path string to BGP routes. Usually the local autonomous
system number is prepended multiple times, increasing the autonomous system path length.
Cisco implementation of 4-byte autonomous system numbers uses asplain—65538 for example—as the
default regular expression match and output display format for autonomous system numbers, but you can
configure 4-byte autonomous system numbers in both the asplain format and the asdot format as
described in RFC 5396. To change the default regular expression match and output display of 4-byte
autonomous system numbers to asdot format, use the bgp asnotation dot command followed by
the clear bgp * command to perform a hard reset of all current BGP sessions.
Examples
The following example converts the tag of a redistributed route into an autonomous system path:
ciscoasa(config)# route-map set-as-path-from-tag
ciscoasa(config-route-map)# set as-path tag
ciscoasa(config-route-map)# router bgp 100
ciscoasa(config-router)# address-family ipv4
ciscoasa(config-router-af)# redistribute ospf 109 route-map set-as-path-from-tag
The following example prepends 100 100 100 to all the routes that are advertised to 10.108.1.1:
ciscoasa(config)# route-map set-as-path
ciscoasa(config-route-map)# match as-path 1
ciscoasa(config-route-map)# set as-path prepend 100 100 100
ciscoasa(config-route-map)# router bgp 100
ciscoasa(config-router)# address-family ipv4
ciscoasa(config-router-af)# neighbor 10.108.1.1 route-map set-as-path out
Related Commands
Command
Description
clear bgp
Resets BGP connections using hard or soft reconfiguration.
bgp asnotation dot
Changes the default display and regular expression match format of Border
Gateway Protocol (BGP) 4-byte autonomous system numbers from asplain
format (decimal values) to dot notation.
set automatic-tag
To automatically compute the tag value, use the set automatic-tag command in route-map configuration
mode. To disable this function, use the no form of this command.
set automatic-tag
no set automatic-tag
Syntax Description
This command has no arguments or keywords.
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode: Route-map configuration
Firewall Mode: Routed: Yes; Transparent: —
Security Context: Single: Yes; Multiple Context: Yes; Multiple System: —
Command History
Release
Modification
9.2(1)
This command was added.
Usage Guidelines
You must have a match clause (even if it points to a “permit everything” list) if you want to set tags.
Use the route-map global configuration command and the match and set route-map configuration
commands, to define the conditions for redistributing routes from one routing protocol into another. Each
route-map command has a list of match and set commands associated with it. The match commands
specify the match criteria--the conditions under which redistribution is allowed for the current
route-map command. The set commands specify the set actions--the particular redistribution actions to
perform if the criteria enforced by the match commands are met. The no route-map command deletes
the route map.
The set route-map configuration commands specify the redistribution set actions to be performed when
all the match criteria of a route map are met. When all match criteria are met, all set actions are
performed.
Examples
The following example configures the Cisco ASA software to automatically compute the tag value for
the Border Gateway Protocol (BGP) learned routes:
ciscoasa(config)# route-map tag
ciscoasa(config-route-map)# match as-path 10
ciscoasa(config-route-map)# set automatic-tag
ciscoasa(config-route-map)# router bgp 100
ciscoasa(config-router)# address-family ipv4
ciscoasa(config-router-af)# table-map tag
set community
To set the BGP communities attribute, use the set community route map configuration command. To
delete the entry, use the no form of this command.
set community {community-number [additive] | [well-known-community] [additive] | none}
no set community
Syntax Description
additive
(Optional) Adds the community to the already existing community.
community-number
Specifies the community number. Valid values are from 1 to
4294967200, no-export, or no-advertise.
none
(Optional) Removes the community attribute from the prefixes that pass the
route map.
well-known-community
(Optional) Well-known communities can be specified by using the following
keywords:
•
internet
•
local-as
•
no-advertise
•
no-export
Defaults
No BGP communities attributes exist.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode: Route-map configuration
Firewall Mode: Routed: Yes; Transparent: —
Security Context: Single: Yes; Multiple Context: Yes; Multiple System: —
Command History
Release
Modification
9.2(1)
This command was added.
Usage Guidelines
You must have a match clause (even if it points to a “permit everything” list) if you want to set tags.
Use the route-map global configuration command, and the match and set route map configuration
commands, to define the conditions for redistributing routes from one routing protocol into another.
Each route-map command has a list of match and set commands associated with it.
The match commands specify the match criteria—the conditions under which redistribution is allowed
for the current route-map command. The set commands specify the set actions—the particular
redistribution actions to perform if the criteria enforced by the match commands are met.
The no route-map command deletes the route map.
The set route map configuration commands specify the redistribution set actions to be performed when
all of the match criteria of a route map are met. When all match criteria are met, all set actions are
performed.
Examples
In the following example, routes that pass the autonomous system path access list 1 have the community
set to 109. Routes that pass the autonomous system path access list 2 have the community set to
no-export (these routes will not be advertised to any external BGP [eBGP] peers).
ciscoasa(config)# route-map set_community 10
ciscoasa(config-route-map)# match as-path 1
ciscoasa(config-route-map)# set community 109
ciscoasa(config-route-map)# route-map set_community 20
ciscoasa(config-route-map)# match as-path 2
ciscoasa(config-route-map)# set community no-export
Related Commands
Command
Description
match as-path
Match a BGP autonomous system path that is specified by an access list.
set connection
To specify connection limits within a policy map for a traffic class, use the set connection command in
class configuration mode. To remove these specifications, thereby allowing unlimited connections, use
the no form of this command.
set connection {[conn-max n] [embryonic-conn-max n] [per-client-embryonic-max n]
[per-client-max n] [random-sequence-number {enable | disable}]}
no set connection {[conn-max n] [embryonic-conn-max n] [per-client-embryonic-max n]
[per-client-max n] [random-sequence-number {enable | disable}]}
Syntax Description
conn-max n
(TCP, UDP, SCTP) Sets the maximum number of simultaneous
connections that are allowed, between 0 and 2000000. The default is
0, which allows unlimited connections. For example, if two servers are
configured to allow simultaneous connections, the connection limit is
applied to each configured server separately. When configured under
a class, this argument restricts the maximum number of simultaneous
connections that are allowed for the entire class. In this case, one
attack host can consume all the connections and leave none of the rest
of the hosts matched in the access list under the class.
embryonic-conn-max n
Sets the maximum number of simultaneous embryonic TCP connections allowed, between 0 and 2000000. The default is 0, which allows
unlimited connections.
per-client-embryonic-max n
Sets the maximum number of simultaneous embryonic TCP
connections allowed per client, between 0 and 2000000. A client is
defined as the host that sends the initial packet of a connection (that
builds the new connection) through the ASA. If an access-list is used
with a class-map to match traffic for this feature, the embryonic limit
is applied per-host, and not the cumulative embryonic connections of
all clients that match the access list. The default is 0, which allows
unlimited connections. This keyword is not available for management
class maps.
per-client-max n
(TCP, UDP, SCTP) Sets the maximum number of simultaneous
connections allowed per client, between 0 and 2000000. A client is
defined as the host that sends the initial packet of a connection (that
builds the new connection) through the ASA. If an access-list is used
with a class-map to match traffic for this feature, the connection limit
is applied per-host, and not the cumulative connections of all clients
that match the access list. The default is 0, which allows unlimited
connections. This keyword is not available for management class
maps. When configured under a class, this keyword restricts the
maximum number of simultaneous connections that are allowed for
each host that is matched through an access list under the class.
random-sequence-number
{enable | disable}
Enables or disables TCP sequence number randomization. This
keyword is not available for management class maps. See the “Usage
Guidelines” section for more information.
Defaults
For the conn-max, embryonic-conn-max, per-client-embryonic-max, and per-client-max
parameters, the default value of n is 0, which allows unlimited connections.
Sequence number randomization is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode: Class configuration
Firewall Mode: Routed: Yes; Transparent: Yes
Security Context: Single: Yes; Multiple Context: Yes; Multiple System: —
Command History
Release
Modification
7.0(1)
This command was added.
7.1(1)
The per-client-embryonic-max and per-client-max keywords were added.
8.0(2)
This command is now available for a Layer 3/4 management class map, for
to-the-ASA management traffic. Only the conn-max and embryonic-conn-max
keywords are available.
9.0(1)
The maximum number of connections was increased from 65535 to 2000000.
9.5(2)
The conn-max and per-client-max keywords now apply to SCTP as well as TCP and
UDP.
Usage Guidelines
Configure this command using Modular Policy Framework. First define the traffic to which you want to
apply the connection limits using the class-map command (for through traffic) or the class-map type
management command (for management traffic). Then enter the policy-map command to define the policy,
and enter the class command to reference the class map. In class configuration mode, you can enter the set
connection command. Finally, apply the policy map to an interface using the service-policy command.
For more information about how Modular Policy Framework works, see the CLI configuration guide.
Note: Depending on the number of CPU cores on your ASA model, the maximum concurrent and embryonic
connections may exceed the configured numbers due to the way each core manages connections. In the
worst case, the ASA allows up to n-1 extra connections and embryonic connections, where n is
the number of cores. For example, if your model has 4 cores and you configure 6 concurrent connections
and 4 embryonic connections, you could have an additional 3 of each type. To determine the number of
cores for your model, enter the show cpu core command.
TCP Intercept Overview
Limiting the number of embryonic connections protects you from a DoS attack. The ASA uses the
per-client limits and the embryonic connection limit to trigger TCP Intercept, which protects inside
systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. An embryonic
connection is a connection request that has not finished the necessary handshake between source and
destination. TCP Intercept uses the SYN cookies algorithm to prevent TCP SYN-flooding attacks. A
SYN-flooding attack consists of a series of SYN packets usually originating from spoofed IP addresses.
The constant flood of SYN packets keeps the server SYN queue full, which prevents it from servicing
connection requests. When the embryonic connection threshold of a connection is crossed, the ASA acts
as a proxy for the server and generates a SYN-ACK response to the client SYN request. When the ASA
receives an ACK back from the client, it can then authenticate the client and allow the connection to the
server.
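The following Python model, added here as an example and not ASA code, shows the mechanism the TCP Intercept overview above describes: a per-client embryonic limit (in the sense of per-client-embryonic-max) and a class-wide one (embryonic-conn-max), and, once either limit is crossed, a stateless SYN-ACK whose ISN is a SYN cookie that the client's final ACK must echo. The cookie layout (5 bits of time slot, 3 bits of MSS index, 24 bits of keyed hash), the secret, the MSS table, and all addresses, ports and limits are constructed assumptions for the example, not ASA internals.

```python
"""Model of TCP Intercept with SYN cookies and embryonic limits.
Added example, not ASA code: addresses, limits and the secret are constructed."""
import hashlib
import struct
from collections import defaultdict

# Assumption: a device secret; a real stack rotates it together with the time counter.
COOKIE_SECRET = b"constructed-example-secret"
# Assumption: 3-bit MSS table encoded in the cookie, largest value first.
MSS_TABLE = (1460, 1440, 1300, 536)


def _hash24(saddr, sport, daddr, dport, t5, mss_idx):
    """24-bit keyed hash over the 4-tuple, the 5-bit time slot and the MSS index."""
    msg = struct.pack("!HHBB", sport, dport, t5, mss_idx)
    msg += saddr.encode() + b"|" + daddr.encode()
    return int.from_bytes(hashlib.sha256(COOKIE_SECRET + msg).digest()[:3], "big")


def make_syn_cookie(saddr, sport, daddr, dport, mss, t):
    """ISN the proxy sends in its SYN-ACK: 5 bits of time, 3 bits of MSS index,
    24 bits of keyed hash. Nothing is stored for the half-open connection."""
    t5 = t & 0x1F
    mss_idx = next((i for i, m in enumerate(MSS_TABLE) if m <= mss), len(MSS_TABLE) - 1)
    return (t5 << 27) | (mss_idx << 24) | _hash24(saddr, sport, daddr, dport, t5, mss_idx)


def check_syn_cookie(isn, saddr, sport, daddr, dport, now, max_age=4):
    """Validate (ack - 1) from the client's final ACK. Returns the MSS to use, or
    None if the cookie is forged, moved to another 4-tuple, or too old."""
    t5 = isn >> 27
    mss_idx = (isn >> 24) & 0x7
    if ((now & 0x1F) - t5) & 0x1F > max_age:
        return None
    if (isn & 0xFFFFFF) != _hash24(saddr, sport, daddr, dport, t5, mss_idx):
        return None
    return MSS_TABLE[mss_idx]


class TcpIntercept:
    """Embryonic limits in the style of embryonic-conn-max (class-wide) and
    per-client-embryonic-max; 0 means unlimited. Above a limit the device
    answers the SYN itself with a cookie instead of forwarding it to the server."""

    def __init__(self, embryonic_conn_max=0, per_client_embryonic_max=0):
        self.class_max = embryonic_conn_max
        self.client_max = per_client_embryonic_max
        self.half_open = defaultdict(set)   # client address -> {(sport, daddr, dport)}
        self.now = 0                        # coarse time counter used in cookies

    def _total(self):
        return sum(len(s) for s in self.half_open.values())

    def on_syn(self, saddr, sport, daddr, dport, mss=1460):
        """("forward", None) while under both limits, else ("synack", cookie)."""
        under_class = self.class_max == 0 or self._total() < self.class_max
        under_client = self.client_max == 0 or len(self.half_open[saddr]) < self.client_max
        if under_class and under_client:
            self.half_open[saddr].add((sport, daddr, dport))
            return "forward", None
        return "synack", make_syn_cookie(saddr, sport, daddr, dport, mss, self.now)

    def on_ack(self, saddr, sport, daddr, dport, ack):
        """Final ACK of a proxied handshake: open the server side only if the cookie checks."""
        mss = check_syn_cookie((ack - 1) & 0xFFFFFFFF, saddr, sport, daddr, dport, self.now)
        return "open" if mss is not None else "drop"

    def on_established(self, saddr, sport, daddr, dport):
        """A forwarded handshake completed: the connection is no longer embryonic."""
        self.half_open[saddr].discard((sport, daddr, dport))


def simulate_flood():
    """Constructed scenario: one host floods SYNs it never completes while a
    legitimate client connects; per-client limit 5, no class-wide limit."""
    asa = TcpIntercept(embryonic_conn_max=0, per_client_embryonic_max=5)
    server = ("203.0.113.80", 80)           # constructed RFC 5737 address
    forwarded = proxied = 0
    for sport in range(40000, 40020):
        action, _ = asa.on_syn("192.0.2.10", sport, *server)
        if action == "forward":
            forwarded += 1
        else:
            proxied += 1
    legit, _ = asa.on_syn("198.51.100.7", 51000, *server)
    _, cookie = asa.on_syn("192.0.2.10", 40050, *server)
    good = asa.on_ack("192.0.2.10", 40050, *server, (cookie + 1) & 0xFFFFFFFF)
    forged = asa.on_ack("192.0.2.10", 40051, *server, 0x12345678)
    replayed = asa.on_ack("192.0.2.10", 40051, *server, (cookie + 1) & 0xFFFFFFFF)
    return {"forwarded": forwarded, "proxied": proxied, "legit": legit,
            "good_ack": good, "forged_ack": forged, "replayed_ack": replayed}
```

simulate_flood() forwards the flooding host's first 5 SYNs and proxies the remaining 15 without keeping state for them, still forwards the legitimate client's SYN, and opens the server side only for an ACK that carries the correct cookie for its own 4-tuple. A flood from spoofed sources never pushes a single client over its limit, which is what the class-wide embryonic-conn-max check (class_max here) is for.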
TCP Sequence Randomization
Each TCP connection has two ISNs: one generated by the client and one generated by the server. The
ASA randomizes the ISN of the TCP SYN passing in both the inbound and outbound directions.
Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new
connection and potentially hijacking the new session.
TCP initial sequence number randomization can be disabled if required. For example:
• If another in-line firewall is also randomizing the initial sequence numbers, there is no need for both
firewalls to be performing this action, even though this action does not affect the traffic.
• If you use eBGP multi-hop through the ASA and the eBGP peers use TCP MD5 authentication. The
MD5 signature covers the TCP sequence number, so randomization breaks it.
• You use a WAAS device that requires the ASA not to randomize the sequence numbers of
connections.
Examples
The following is an example of the use of the set connection command to configure the maximum number
of simultaneous connections as 256 and to disable TCP sequence number randomization:
ciscoasa(config)# policy-map localpolicy1
ciscoasa(config-pmap)# class local_server
ciscoasa(config-pmap-c)# set connection conn-max 256 random-sequence-number disable
ciscoasa(config-pmap-c)#
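Why the eBGP case above needs randomization disabled, as an added Python example that is not ASA or Cisco code: the TCP MD5 signature option (RFC 2385) is an MD5 over the IP pseudo-header, the fixed TCP header with checksum zeroed, the segment data and the shared key, so the sequence number is inside the signed data. If the ASA shifts the sequence numbers of the session, the receiving peer recomputes the signature over the rewritten header and it no longer matches, and the ASA cannot re-sign the segment because it does not hold the key. The addresses, ports, key and per-connection offset below are constructed.

```python
"""RFC 2385 TCP MD5 signature and the effect of sequence number rewriting.
Added example, not ASA code; addresses, ports and key are constructed."""
import hashlib
import hmac
import socket
import struct

TCP_HDR = "!HHIIBBHHH"   # sport, dport, seq, ack, offset<<4, flags, window, csum, urg
MD5_OPT_LEN = 20         # kind 19, length 18, plus two NOPs of padding


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Fixed 20-byte TCP header with data offset covering the MD5 option and checksum 0,
    which is the form RFC 2385 hashes (options are excluded from the digest)."""
    offset = (20 + MD5_OPT_LEN) // 4
    return struct.pack(TCP_HDR, sport, dport, seq, ack, offset << 4, flags, window, 0, 0)


def tcp_md5_digest(saddr, daddr, header, payload, key):
    """MD5 over pseudo-header, fixed header (checksum zero, no options), data, key."""
    seg_len = len(header) + MD5_OPT_LEN + len(payload)
    pseudo = socket.inet_aton(saddr) + socket.inet_aton(daddr) + struct.pack("!BBH", 0, 6, seg_len)
    return hashlib.md5(pseudo + header + payload + key).digest()


def verify_tcp_md5(saddr, daddr, header, payload, key, digest):
    """Constant-time comparison of the received option value with a recomputed digest."""
    return hmac.compare_digest(tcp_md5_digest(saddr, daddr, header, payload, key), digest)


def randomize_sequence(header, delta):
    """What ISN randomization does on the wire for one direction: shift seq by a
    per-connection offset (the reverse direction gets the matching ack shift)."""
    fields = list(struct.unpack(TCP_HDR, header))
    fields[2] = (fields[2] + delta) & 0xFFFFFFFF
    return struct.pack(TCP_HDR, *fields)


def bgp_keepalive():
    """BGP KEEPALIVE message: 16-byte marker of 0xff, length 19, type 4 (RFC 4271)."""
    return b"\xff" * 16 + struct.pack("!HB", 19, 4)


def peer_accepts(delta, key=b"constructed-bgp-key"):
    """Peer A signs a KEEPALIVE on its eBGP session; a middlebox shifts seq by delta;
    peer B recomputes the signature over what arrived. delta=0 models
    random-sequence-number disable."""
    a, b = "192.0.2.1", "198.51.100.1"           # constructed RFC 5737 addresses
    hdr = build_tcp_header(179, 50123, seq=0x1000, ack=0x2000, flags=0x18)  # PSH|ACK
    payload = bgp_keepalive()
    sig = tcp_md5_digest(a, b, hdr, payload, key)  # value carried in the TCP MD5 option
    on_wire = randomize_sequence(hdr, delta)
    return verify_tcp_md5(a, b, on_wire, payload, key, sig)
```

peer_accepts(0) returns True and peer_accepts with any non-zero offset returns False; the same failure occurs in the reverse direction, where the acknowledgment number is rewritten, since it is also inside the signed header.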
You can enter this command with multiple parameters or you can enter each parameter as a separate
command. The ASA combines the commands into one line in the running configuration. For example, if
you entered the following two commands in class configuration mode:
ciscoasa(config-pmap-c)# set connection conn-max 600
ciscoasa(config-pmap-c)# set connection embryonic-conn-max 50
The output of the show running-config policy-map command would display the result of the two
commands in a single, combined command:
set connection conn-max 600 embryonic-conn-max 50
Related Commands
Command
Description
class
Specifies a class-map to use for traffic classification.
clear configure policy-map
Removes all policy-map configuration, except that if a policy-map is in use in
a service-policy command, that policy-map is not removed.
policy-map
Configures a policy; that is, an association of a traffic class and one or more
actions.
show running-config policy-map
Displays all current policy-map configurations.
show service-policy
Displays service policy configuration. Use the set connection keyword to
view policies that include the set connection command.
set connection advanced-options
To configure advanced connection settings, use the set connection advanced-options command in class
configuration mode. To remove the options, use the no form of this command.
set connection advanced-options {tcp_mapname | tcp-state-bypass | sctp-state-bypass |
flow-offload}
no set connection advanced-options {tcp_mapname | tcp-state-bypass | sctp-state-bypass |
flow-offload}
Syntax Description
flow-offload
Identify matching flows as eligible for off-loading from the ASA and
switched directly in the NIC. This provides improved performance for
large data flows in data centers. Flow off-load is available for the
Firepower 9300 series running FXOS 1.1.3+, or the Firepower 4100 series
running FXOS 1.1.4+.
You must also enable flow off-loading before this option works. Use the
flow-offload enable command.
sctp-state-bypass
Implements SCTP State Bypass to turn off SCTP stateful inspection.
SCTP traffic is not validated for protocol conformance.
tcp_mapname
Name of a TCP map created by the tcp-map command. Use this option to
customize TCP normalization.
tcp-state-bypass
Bypass TCP state checking if you use asymmetrical routing in your
network. See the Usage section below for detail information and
guidelines for using TCP State Bypass.
Defaults
No default behavior or values. No options are enabled by default, although all TCP Normalizer options
(within a TCP map) have default settings.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode: Class configuration
Firewall Mode: Routed: Yes; Transparent: Yes
Security Context: Single: Yes; Multiple Context: Yes; Multiple System: —
Command History
Release
Modification
7.0(1)
This command was added.
8.2(1)
The tcp-state-bypass keyword was added.
9.5(2)
The sctp-state-bypass keyword was added.
9.5(2)
The flow-offload keyword was added. The option also requires Firepower
eXtensible Operating System 1.1.3+, and is available for the Firepower 9300 series.
9.6(1)
Flow offload support was added for the Firepower 4100 series running FXOS
1.1.4+.
Usage Guidelines
To customize TCP normalization with a TCP map, use the Modular Policy Framework:
1. tcp-map—Identify the TCP normalization actions if you intend to modify them.
2. class-map—Identify the traffic on which you want to perform TCP normalization actions.
3. policy-map—Identify the actions associated with the class map.
a. class—Identify the class map on which you want to perform actions.
b. set connection advanced-options—Apply a TCP map or another option to the class map.
4. service-policy—Assigns the policy map to an interface or globally.
TCP State Bypass: Allowing Outbound and Inbound Flows through Separate Devices
By default, all traffic that goes through the ASA is inspected using the Adaptive Security Algorithm and
is either allowed through or dropped based on the security policy. The ASA maximizes the firewall
performance by checking the state of each packet (is this a new connection or an established
connection?) and assigning it to either the session management path (a new connection SYN packet), the
fast path (an established connection), or the control plane path (advanced inspection).
TCP packets that match existing connections in the fast path can pass through the ASA without
rechecking every aspect of the security policy. This feature maximizes performance. However, the
method of establishing the session in the fast path using the SYN packet, and the checks that occur in
the fast path (such as TCP sequence number), can stand in the way of asymmetrical routing solutions:
both the outbound and inbound flow of a connection must pass through the same ASA.
For example, a new connection goes to ASA 1. The SYN packet goes through the session management
path, and an entry for the connection is added to the fast path table. If subsequent packets of this
connection go through ASA 1, then the packets will match the entry in the fast path, and are passed
through. But if subsequent packets go to ASA 2, where there was not a SYN packet that went through
the session management path, then there is no entry in the fast path for the connection, and the packets
are dropped.
If you have asymmetric routing configured on upstream routers, and traffic alternates between two
ASAs, then you can configure TCP state bypass for specific traffic. TCP state bypass alters the way
sessions are established in the fast path and disables the fast path checks. This feature treats TCP traffic
much as it treats a UDP connection: when a non-SYN packet matching the specified networks enters the
ASA, and there is not a fast path entry, then the packet goes through the session management path to
establish the connection in the fast path. Once in the fast path, the traffic bypasses the fast path checks.
Unsupported Features for TCP State Bypass
The following features are not supported when you use TCP state bypass:
•
Application inspection—Application inspection requires both inbound and outbound traffic to go
through the same ASA, so application inspection is not supported with TCP state bypass.
•
AAA authenticated sessions—When a user authenticates with one ASA, traffic returning via the
other ASA will be denied because the user did not authenticate with that ASA.
•
TCP Intercept, maximum embryonic connection limit, TCP sequence number randomization—The
ASA does not keep track of the state of the connection, so these features are not applied.
•
TCP normalization—The TCP normalizer is disabled.
•
SSM functionality—You cannot use TCP state bypass and any application running on an SSM, such
as IPS or CSC.
NAT Guidelines for TCP State Bypass
Because the translation session is established separately for each ASA, be sure to configure static NAT
on both ASAs for TCP state bypass traffic; if you use dynamic NAT, the address chosen for the session
on ASA 1 will differ from the address chosen for the session on ASA 2.
Connection Timeout Guidelines
If there is no traffic on a given TCP state bypass connection for 2 minutes, the connection times out.
You can override this default using the set connection timeout idle command. Normal TCP connections
time out by default after 60 minutes.
Examples
The following example shows the use of the set connection advanced-options command to specify the
use of a TCP map named localmap:
ciscoasa(config)# access-list http-server permit tcp any host 10.1.1.1
ciscoasa(config)# class-map http-server
ciscoasa(config-cmap)# match access-list http-server
ciscoasa(config-cmap)# exit
ciscoasa(config)# tcp-map localmap
ciscoasa(config)# policy-map global_policy global
ciscoasa(config-pmap)# description This policy map defines a policy concerning connection to http server.
ciscoasa(config-pmap)# class http-server
ciscoasa(config-pmap-c)# set connection advanced-options localmap
ciscoasa(config-pmap-c)#
The following is an example configuration for TCP state bypass:
ciscoasa(config)# access-list tcp_bypass extended permit tcp 10.1.1.0 255.255.255.224 any
ciscoasa(config)# class-map tcp_bypass
ciscoasa(config-cmap)# description "TCP traffic that bypasses stateful firewall"
ciscoasa(config-cmap)# match access-list tcp_bypass
ciscoasa(config-cmap)# policy-map tcp_bypass_policy
ciscoasa(config-pmap)# class tcp_bypass
ciscoasa(config-pmap-c)# set connection advanced-options tcp-state-bypass
ciscoasa(config-pmap-c)# service-policy tcp_bypass_policy outside
The following is an example configuration for SCTP state bypass:
ciscoasa(config)# access-list sctp_bypass extended permit sctp 10.1.1.0 255.255.255.224 any
ciscoasa(config)# class-map sctp_bypass
ciscoasa(config-cmap)# description "SCTP traffic that bypasses stateful inspection"
ciscoasa(config-cmap)# match access-list sctp_bypass
ciscoasa(config-cmap)# policy-map sctp_bypass_policy
ciscoasa(config-pmap)# class sctp_bypass
ciscoasa(config-pmap-c)# set connection advanced-options sctp-state-bypass
ciscoasa(config-pmap-c)# service-policy sctp_bypass_policy outside
Related Commands
Command
Description
class
Identifies a class map in the policy map.
class-map
Creates a class map for use in a service policy.
flow-offload
Enables flow offload.
policy-map
Configures a policy map that associates a class map and one or more actions.
service-policy
Assigns a policy map to an interface.
set connection timeout
Sets the connection timeouts.
show running-config policy-map
Displays all current policy-map configurations.
tcp-map
Creates a TCP map.
set connection decrement-ttl
To decrement the time to live value within a policy map for a traffic class, use the set connection
decrement-ttl command in class configuration mode. To not decrement the time to live, use the no form
of this command.
set connection decrement-ttl
no set connection decrement-ttl
Syntax Description
This command has no arguments or keywords.
Defaults
By default, the ASA does not decrement the time to live.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode: Class configuration
Firewall Mode: Routed: Yes; Transparent: Yes
Security Context: Single: Yes; Multiple Context: Yes; Multiple System: —
Command History
Release
Modification
7.2(2)
This command was added.
Usage Guidelines
This command, along with the icmp unreachable command, is required to allow a traceroute through
the ASA that shows the ASA as one of the hops.
If you decrement time to live, packets with a TTL of 1 will be dropped, but a connection will be opened
for the session on the assumption that the connection might contain packets with a greater TTL. Note
that some packets, such as OSPF hello packets, are sent with TTL = 1, so decrementing time to live can
have unexpected consequences.
Examples
The following example enables time to live decrements and sets the ICMP unreachable rate limit:
ciscoasa(config)# policy-map localpolicy1
ciscoasa(config-pmap)# class local_server
ciscoasa(config-pmap-c)# set connection decrement-ttl
ciscoasa(config-pmap-c)# exit
ciscoasa(config)# icmp unreachable rate-limit 50 burst-size 6
Related Commands
Command
Description
class
Specifies a class map to use for traffic classification.
icmp unreachable
Controls the rate at which ICMP unreachables are allowed through the ASA.
policy-map
Configures a policy; that is, an association of a traffic class and one or more
actions.
show running-config policy-map
Displays all current policy map configurations.
show service-policy
Displays service policy configuration.
set connection timeout
To specify connection timeouts within a policy map for a traffic class, use the set connection timeout
command in class configuration mode. To remove the timeout, use the no form of this command.
set connection timeout {[embryonic hh:mm:ss] [idle hh:mm:ss [reset]] [half-closed hh:mm:ss]
[dcd [retry_interval [max_retries]]]}
no set connection timeout {[embryonic hh:mm:ss] [idle hh:mm:ss [reset]] [half-closed hh:mm:ss]
[dcd [retry_interval [max_retries]]]}
Syntax Description
dcd [retry_interval [max_retries]]
Enables dead connection detection (DCD). DCD detects a dead connection and
allows it to expire, without expiring connections that can still handle traffic. You
configure DCD when you want idle, but valid, connections to persist. After a
TCP connection times out, the ASA sends DCD probes to the end hosts to
determine the validity of the connection. If one of the end hosts fails to respond
after the maximum retries are exhausted, the ASA frees the connection. If both
end hosts respond that the connection is valid, the ASA updates the activity
timeout to the current time and reschedules the idle timeout accordingly.
embryonic hh:mm:ss
Sets the timeout period until a TCP embryonic (half-open) connection is closed,
between 0:0:5 and 1193:0:0. The default is 0:0:30. You can also set the value to
0, which means the connection never times out. A TCP connection for which the
three-way handshake is not complete is an embryonic connection.
half-closed hh:mm:ss
Sets the idle timeout period until a half-closed connection is closed, between
0:5:0 (for 9.1(1) and earlier) or 0:0:30 (for 9.1(2) and later) and 1193:0:0. The
default is 0:10:0. You can also set the value to 0, which means the connection
never times out. Half-closed connections are not affected by DCD. Also, the
ASA does not send a reset when taking down half-closed connections.
idle hh:mm:ss
Sets the idle timeout period after which an established connection of any
protocol closes. The valid range is from 0:0:1 to 1193:0:0.
max_retries
Sets the number of consecutive failed retries for DCD before declaring the
connection as dead. The minimum value is 1 and the maximum value is 255. The
default is 5.
reset
For TCP traffic only, sends a TCP RST packet to both end systems after idle
connections are removed.
retry_interval
Time duration in hh:mm:ss format to wait after each unresponsive DCD probe
before sending another probe, between 0:0:1 and 24:0:0. The default is 0:0:15.
Defaults
Unless you change the default globally using the timeout command, the defaults are:
• The default embryonic timeout is 30 seconds.
• The default half-closed idle timeout is 10 minutes.
• The default dcd max_retries value is 5.
• The default dcd retry_interval value is 15 seconds.
• The default idle timeout is 1 hour.
• The default udp idle timeout is 2 minutes.
• The default icmp idle timeout is 2 seconds.
• The default esp and ha idle timeout is 30 seconds.
• For all other protocols, the default idle timeout is 2 minutes.
• To never time out, enter 0:0:0.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode: Class configuration
Firewall Mode: Routed: Yes; Transparent: Yes
Security Context: Single: Yes; Multiple Context: Yes; Multiple System: —
Command History
Release
Modification
7.0(1)
This command was added.
7.2(1)
Support for DCD was added.
8.2(2)
The tcp keyword was deprecated in favor of the idle keyword, which controls the
idle timeout for all protocols.
9.1(2)
The minimum half-closed value was lowered to 30 seconds (0:0:30).
Usage Guidelines
Configure this command using Modular Policy Framework. First define the traffic to which you want to
apply the timeout using the class-map command. Then enter the policy-map command to define the
policy, and enter the class command to reference the class map. In class configuration mode, you can
enter the set connection timeout command. Finally, apply the policy map to an interface using the
service-policy command. For more information about how Modular Policy Framework works, see the
CLI configuration guide.
The show service-policy command includes counters that show the amount of activity from DCD.
Examples
The following example sets the connection timeouts for all traffic:
ciscoasa(config)# class-map CONNS
ciscoasa(config-cmap)# match any
ciscoasa(config-cmap)# policy-map CONNS
ciscoasa(config-pmap)# class CONNS
ciscoasa(config-pmap-c)# set connection timeout idle 2:0:0 embryonic 0:40:0 half-closed 0:20:0 dcd
ciscoasa(config-pmap-c)# service-policy CONNS interface outside
You can enter set connection commands with multiple parameters, or you can enter each parameter as
a separate command. The ASA combines the commands into one line in the running configuration. For
example, if you entered the following two commands in class configuration mode:
ciscoasa(config-pmap-c)# set connection timeout idle 2:0:0
ciscoasa(config-pmap-c)# set connection timeout embryonic 0:40:0
Then the output of the show running-config policy-map command would display the result of the two
commands in the following single, combined command:
set connection timeout idle 2:0:0 embryonic 0:40:0
Related Commands
Command
Description
class
Specifies a class-map to use for traffic classification.
clear configure policy-map
Removes all policy-map configuration, except that if a policy-map is in use in
a service-policy command, that policy-map is not removed.
policy-map
Configures a policy; that is, an association of a traffic class and one or more
actions.
set connection
Configures connection values.
show running-config policy-map
Displays all current policy-map configurations.
show service-policy
Displays counters for DCD and other service activity.
set default interface
When set interface is used with the default keyword, PBR first performs a normal route lookup for an
explicit (non-default) route to the destination and forwards matching traffic that way. Only when the
normal route lookup fails does PBR forward the traffic out the interface specified with set default
interface. A normal lookup succeeds whenever an explicit route exists, so the default action is reached
only when there is no explicit route to the destination, and in that case there is also no route by which a
real interface could forward the traffic. For this reason, on the ASA the only interface that can be
configured with set default interface is Null0: when this option is configured and the normal route
lookup does not yield an explicit (non-default) route to the destination, the traffic is dropped instead of
following the default route.
set default interface Null0
no set default interface Null0
Syntax Description
interface
Interface to which packets are forwarded.
Defaults
There is no default for this command and Null0 interface has to be specified as set action.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode: Route-map configuration
Firewall Mode: Routed: Yes; Transparent: —
Security Context: Single: Yes; Multiple Context: Yes; Multiple System: —
Command History
Release
Modification
9.4(1)
This command was added.
Usage Guidelines
Use this command to give certain users a different default behavior. If the Cisco ASA has no explicit
route for the destination, then it routes the packet to this interface. Because Null0 is the only interface
that set default interface accepts on the ASA, such packets are dropped.
Use the ip policy route-map interface configuration command, the route-map global configuration
command, and the match and set route-map configuration commands to define the conditions for policy
routing packets. The ip policy route-map command identifies a route map by name. Each route-map
command has a list of match and set commands associated with it. The match commands specify the
match criteria—the conditions under which policy routing occurs. The set commands specify the set
actions—the particular routing actions to perform if the criteria enforced by the match commands are
met.
In PBR for IPv6, use the ipv6 policy route-map or ipv6 local policy route-map command with match
and set route map configuration commands to define conditions for policy routing packets.
The set clauses can be used in conjunction with one another. They are evaluated in the following order:
1. set ip next-hop
2. set interface
3. set ip default next-hop
4. set default interface

Examples
(config)# route-map testmap
(config-route-map)# set default interface Null0
(config)# show run route-map
!
route-map testmap permit 10
set default interface Null0
!
(config)# show route-map testmap
route-map testmap, permit, sequence 10
Match clauses:
Set clauses:
default interface Null0
set dscp
The set ip dscp and set ipv6 dscp commands set the Differentiated Services Code Point (DSCP) field, the QoS marking bits, in the matching IPv4 and IPv6 packets respectively.
set ip dscp {0-63 | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | cs1 | cs2
| cs3 | cs4 | cs5 | cs6 | cs7 | default | ef }
no set ip dscp
set ipv6 dscp {0-63 | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | cs1 |
cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | default | ef }
no set ipv6 dscp
Syntax Description
0-63
Numeric DSCP value.
af11 ... af43
Assured Forwarding code point afXY: class X (1 to 4) with drop precedence Y (1 to 3).
cs1 ... cs7
Class Selector code point; csN sets the DSCP to N multiplied by 8, which keeps the upper three bits equal to IP precedence N.
default
Best-effort code point, DSCP 0.
ef
Expedited Forwarding code point, DSCP 46.
Defaults
The DSCP value in the ToS byte is not set.
Command Modes
The following table shows the modes in which you can enter the command:

  Command Mode             | Firewall Mode        | Security Context
                           | Routed  Transparent  | Single  Multiple: Context  System
  Route-map configuration  | Yes     —            | Yes     Yes                —

Command History

  Release   Modification
  9.4(1)    This command was added.

Usage Guidelines
Once the DSCP bits are set, other quality of service (QoS) features can operate on them.
DSCP and Precedence Values Are Mutually Exclusive
The set dscp command cannot be used together with a set precedence command to mark the same packet. DSCP and IP precedence occupy the same bits of the ToS byte (precedence is the upper three bits of the six-bit DSCP field), so a packet carries one value or the other, not both, and setting a DSCP value overwrites any precedence marking.
Precedence Value and Queuing
Marking has an effect only where something downstream honours it. Typically you set the value at the edge of the network (or administrative domain), and devices along the path then queue or drop traffic according to the marking: on IOS routers, for example, weighted fair queueing (WFQ) gives high-precedence traffic expedited handling at congestion points, and Weighted Random Early Detection (WRED) gives it lower loss rates than other traffic during congestion. Because DSCP is set by the sender and carries no authentication, marking on traffic entering from an untrusted network should be rewritten at the boundary rather than trusted; this command, applied to the matching traffic, is one way to do that.
Forms Not Available in This Syntax
IOS documentation of set dscp describes Enhanced Packet Marking, in which a "from-field" packet-marking category (class of service or QoS group) is copied into the DSCP value, optionally through a table map, and describes class maps qualified with match protocol ipv6 or match ip to restrict marking to one address family. None of these forms appear in the syntax above: the ASA route map takes only the DSCP value itself, and the address family is selected by the command used.
Set DSCP Values for IPv4 or IPv6 Packets
set ip dscp marks the matching IPv4 packets; set ipv6 dscp marks the matching IPv6 packets, in the DSCP bits of the IPv6 Traffic Class field. Use the command for the address family of the traffic the route map matches; each form applies only to its own address family.
Examples
(config)# route-map testmapv4
(config-route-map)# set ip dscp af22
(config)# show run route-map
!
route-map testmapv4 permit 10
set ip dscp af22
!
(config)# show route-map testmapv4
route-map testmapv4, permit, sequence 10
Match clauses:
Set clauses:
ip dscp af22
(config)# route-map testmapv6
(config-route-map)# set ipv6 dscp cs6
(config)# show run route-map
!
route-map testmapv6 permit 10
set ipv6 dscp cs6
!
(config)# show route-map testmapv6
route-map testmapv6, permit, sequence 10
Match clauses:
Set clauses:
ipv6 dscp cs6
set interface
The set interface command configures the interface through which the matching traffic is forwarded. Several interfaces can be given; they are tried in the order listed until one that is up and running is found. If the interface name is Null0, all traffic matching the route map is dropped.
set interface interface [... interface]
no set interface interface [... interface]
Syntax Description
interface
Interface to which packets are forwarded.
Defaults
No command defaults.
Command Modes
The following table shows the modes in which you can enter the command:

  Command Mode             | Firewall Mode        | Security Context
                           | Routed  Transparent  | Single  Multiple: Context  System
  Route-map configuration  | Yes     —            | Yes     Yes                —

Command History

  Release   Modification
  9.4(1)    This command was added.

Usage Guidelines
Define the conditions for policy routing with the route-map global configuration command and the match and set route-map configuration commands, then apply the route map to the ingress interface with the policy-route route-map interface configuration command (the ASA form of the IOS ip policy route-map command). Each route-map command has a list of match and set commands associated with it. The match commands specify the match criteria, the conditions under which policy routing occurs. The set commands specify the set actions, the particular routing actions to perform if the criteria enforced by the match commands are met.
For IPv6 traffic the same route map and the same policy-route route-map binding apply; use IPv6 match criteria and the ipv6 forms of the set commands.
If the first interface specified with the set interface command is down, the optionally specified interfaces
are tried in turn.
The set clauses can be used in conjunction with one another. They are evaluated in the following order:
1. set ip next-hop
2. set interface
3. set ip default next-hop
4. set default interface
A useful next hop implies an interface. As soon as a next hop and an interface are found, the packet is routed.
Examples
ciscoasa(config)# route-map testmap
ciscoasa(config-route-map)# set interface outside
ciscoasa(config)# show run route-map
!
route-map testmap permit 10
set interface outside
!
ciscoasa(config)# show route-map testmap
route-map testmap, permit, sequence 10
Match clauses:
Set clauses:
interface outside
set ip df
The set ip df command sets or clears the DF (don't fragment) bit in the matching IPv4 packets.
set ip df {0 | 1}
no set ip df
Syntax Description
0
Sets the DF bit to 0 (clears it), which allows the packet to be fragmented.
1
Sets the DF bit to 1, which prohibits fragmentation of the packet.
Defaults
There is no default; either 0 or 1 must be given as the DF bit value in the set action.
Command Modes
The following table shows the modes in which you can enter the command:

  Command Mode             | Firewall Mode        | Security Context
                           | Routed  Transparent  | Single  Multiple: Context  System
  Route-map configuration  | Yes     —            | Yes     Yes                —

Command History

  Release   Modification
  9.4(1)    This command was added.

Usage Guidelines
Path MTU Discovery (PMTUD) lets a sender find an MTU for the path that avoids fragmentation: it sends packets with the DF bit set and relies on ICMP Fragmentation Needed messages from routers along the path. If those ICMP messages are filtered somewhere on the path, PMTUD breaks and packets with the DF bit set are silently discarded (a PMTUD black hole). Use set ip df 0 to clear the DF bit so that such packets can be fragmented and delivered. Fragmentation slows packet forwarding, so restrict the route map through its match criteria (for example, match ip address with an access list) to the traffic that actually needs the DF bit cleared rather than applying it broadly.

Note
Some IP senders (notably some Linux versions) set the IP identification field (IPid) to zero when the DF bit is set. If the ASA clears the DF bit on such a packet and the packet is later fragmented, the receiver will probably be unable to reassemble the original packet correctly, because fragments of different packets then share identification 0.

Examples
(config)# route-map testmap
(config-route-map)# set ip df 1
(config)# show run route-map
!
route-map testmap permit 10
set ip df 1
!
(config)# show route-map testmap
route-map testmap, permit, sequence 10
Match clauses:
Set clauses:
ip df 1
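The marking operations that set ip dscp, set ipv6 dscp (above) and set ip df perform can be shown on raw headers. The Python below is an added example written for this page, not ASA code: it rewrites the DSCP bits of an IPv4 ToS byte and of an IPv6 Traffic Class while leaving the ECN bits alone, sets or clears the DF flag, recomputes the IPv4 header checksum after each change, and turns the IPid caveat from the Note into a check that refuses to clear DF on a packet whose identification is zero. The sample headers, the DSCP_NAMES table and the helper names are constructed for the example.

```python
"""Rewrites the header fields that set ip dscp, set ipv6 dscp and set ip df change,
on raw packet bytes. Added example, not ASA code; packets are constructed samples."""
import struct

# Keyword code points from the command syntax: csN = N<<3, afXY = X<<3 | Y<<1, ef = 46.
DSCP_NAMES = {"default": 0, "ef": 46}
DSCP_NAMES.update({f"cs{n}": n << 3 for n in range(1, 8)})
DSCP_NAMES.update({f"af{x}{y}": (x << 3) | (y << 1) for x in range(1, 5) for y in range(1, 4)})


def dscp_value(v):
    """Accept either a keyword or a number 0-63, as the syntax does."""
    if isinstance(v, int):
        if not 0 <= v <= 63:
            raise ValueError("DSCP must be 0-63")
        return v
    return DSCP_NAMES[v.lower()]


def ipv4_checksum(hdr):
    """RFC 791 header checksum, computed with the checksum field zeroed."""
    h = hdr[:10] + b"\x00\x00" + hdr[12:]
    total = sum(struct.unpack(f"!{len(h) // 2}H", h))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _patch_ipv4(pkt, offset, value):
    """Replace bytes inside the IPv4 header and recompute its checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[offset:offset + len(value)] = value
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


def set_ipv4_dscp(pkt, dscp):
    """Overwrite the six DSCP bits of the ToS byte; the two ECN bits are kept."""
    return _patch_ipv4(pkt, 1, bytes([(dscp_value(dscp) << 2) | (pkt[1] & 0x03)]))


def set_ipv4_df(pkt, bit):
    """Set (1) or clear (0) the DF flag without touching MF or the fragment offset."""
    flags_off = struct.unpack("!H", pkt[6:8])[0]
    flags_off = flags_off | 0x4000 if bit else flags_off & ~0x4000
    return _patch_ipv4(pkt, 6, struct.pack("!H", flags_off))


def set_ipv6_dscp(pkt, dscp):
    """DSCP is the top six bits of the IPv6 Traffic Class (bits 27..22 of word 0)."""
    word = struct.unpack("!I", pkt[:4])[0]
    word = (word & ~(0x3F << 22)) | (dscp_value(dscp) << 22)
    return struct.pack("!I", word) + pkt[4:]


def dscp(pkt): return pkt[1] >> 2
def precedence(pkt): return pkt[1] >> 5          # the three bits a DSCP set overwrites
def ecn(pkt): return pkt[1] & 0x03
def df(pkt): return (pkt[6] >> 6) & 1
def ip_id(pkt): return struct.unpack("!H", pkt[4:6])[0]
def ipv6_dscp(pkt): return (struct.unpack("!I", pkt[:4])[0] >> 22) & 0x3F


def checksum_ok(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return ipv4_checksum(pkt[:ihl]) == struct.unpack("!H", pkt[10:12])[0]


def clear_df_safely(pkt):
    """The reference's caveat as a check: a DF packet whose IP ID is 0 must not be
    made fragmentable, since its fragments could not be reassembled. Returns
    (packet, changed)."""
    if ip_id(pkt) == 0:
        return pkt, False
    return set_ipv4_df(pkt, 0), True


def ipv4_sample(tos=0, ident=0x1234, df_bit=1):
    """Constructed 20-byte IPv4 header, 10.0.0.1 -> 203.0.113.5, protocol TCP."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, ident, 0x4000 if df_bit else 0,
                      64, 6, 0, bytes([10, 0, 0, 1]), bytes([203, 0, 113, 5]))
    return _patch_ipv4(hdr, 10, b"\x00\x00")   # fills in the checksum


def ipv6_sample():
    """Constructed 40-byte IPv6 header with Traffic Class 0."""
    return struct.pack("!IHBB16s16s", 0x60000000, 20, 6, 64,
                       bytes.fromhex("20010db8" "00000000" "00000000" "00000001"),
                       bytes.fromhex("20010db8" "00000000" "00000000" "00000002"))
```

Applying set_ipv4_dscp(pkt, "af22") to the sample yields DSCP 20 with precedence 2, which is the mutual-exclusion point above seen in the bits: the precedence field is simply the top of the DSCP field. clear_df_safely returns the packet unchanged when the identification is zero, which is the condition the Note warns about.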
set ip default next-hop
The set ip next-hop command used with the default keyword means that matching traffic is first routed by a normal route lookup for an explicit (non-default) route. Only when that lookup fails does Policy Based Routing (PBR) forward the traffic to the specified next-hop IP address. The set ipv6 default next-hop form behaves the same way for IPv6 traffic.
set ip default next-hop ip-address [... ip-address]
no set ip default next-hop ip-address [... ip-address]
set ipv6 default next-hop ipv6-address [... ipv6-address]
no set ipv6 default next-hop ipv6-address [... ipv6-address]
Syntax Description
ip-address
IPv4 address of the next hop to which packets are sent. It must lie on a subnet directly connected to the ASA (see set ip next-hop recursive for next hops that are not).
ipv6-address
IPv6 address of the next hop to which packets are sent, likewise on a directly connected subnet.
Defaults
This command is disabled by default and at least one next-hop ip address has to be specified for the set
action.
Command Modes
The following table shows the modes in which you can enter the command:

  Command Mode             | Firewall Mode        | Security Context
                           | Routed  Transparent  | Single  Multiple: Context  System
  Route-map configuration  | Yes     —            | Yes     Yes                —

Command History

  Release   Modification
  9.4(1)    This command was added.

Usage Guidelines
Use this command to give selected traffic a different default route. If the ASA has no explicit route for the destination in the packet, it forwards the packet to this next hop. The first next hop specified with the set ip default next-hop command must be adjacent to the ASA; if it is down, the optionally specified next hops are tried in turn.
Define the conditions for policy routing with the route-map global configuration command and the match and set route-map configuration commands, then apply the route map to the ingress interface with the policy-route route-map interface configuration command (the ASA form of the IOS ip policy route-map command). Each route-map command has a list of match and set commands associated with it. The match commands specify the match criteria, the conditions under which policy routing occurs. The set commands specify the set actions, the particular routing actions to perform if the criteria enforced by the match commands are met.
The set clauses can be used in conjunction with one another. They are evaluated in the following order:
1. set ip next-hop
2. set interface
3. set ip default next-hop
4. set default interface

Note
The set ip next-hop and set ip default next-hop are similar commands but have a different order of operations. Configuring the set ip next-hop command causes the system to use policy routing first and then use the routing table. Configuring the set ip default next-hop command causes the system to use the routing table first and then policy route to the specified next hop.

Examples
(config)# route-map testmapv4
(config-route-map)# set ip default next-hop 1.1.1.1
(config)# show run route-map
!
route-map testmapv4 permit 10
set ip default next-hop 1.1.1.1
!
(config)# show route-map testmapv4
route-map testmapv4, permit, sequence 10
Match clauses:
Set clauses:
ip default next-hop 1.1.1.1
(config)# route-map testmapv6
(config-route-map)# set ipv6 default next-hop 2001::1
(config)# show run route-map
!
route-map testmapv6 permit 10
set ipv6 default next-hop 2001::1
!
(config)# show route-map testmapv6
route-map testmapv6, permit, sequence 10
Match clauses:
Set clauses:
ipv6 default next-hop 2001::1
set ip next-hop
To indicate where to output packets that pass a match clause of a route map for policy routing, use the set
ip next-hop command in route-map configuration mode. To delete an entry, use the no form of this
command.
set ip next-hop ip-address [... ip-address] [peer-address]
no set ip next-hop ip-address [... ip-address] [peer-address]
set ipv6 next-hop ipv6-address [... ipv6-address]
no set ipv6 next-hop ipv6-address [... ipv6-address]
Syntax Description
ip-address
IPv4 address of the next hop to which packets are sent. It must lie on a subnet directly connected to the ASA; use set ip next-hop recursive for a next hop that is not.
ipv6-address
IPv6 address of the next hop to which packets are sent, likewise on a directly connected subnet.
peer-address
(Optional) Sets the next hop to be the BGP peering address.
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:

  Command Mode             | Firewall Mode        | Security Context
                           | Routed  Transparent  | Single  Multiple: Context  System
  Route-map configuration  | Yes     —            | Yes     Yes                —

Command History

  Release   Modification
  9.2(1)    This command was added.

Usage Guidelines
An ellipsis (...) in the command syntax indicates that your command input can include multiple values
for the ip-address argument.
For policy routing, define the conditions with the route-map global configuration command and the match and set route-map configuration commands, then apply the route map to the ingress interface with the policy-route route-map interface configuration command (the ASA form of the IOS ip policy route-map command).
Each route-map command has a list of match and set commands associated with it. The match commands specify the match criteria, the conditions under which policy routing occurs.
The set commands specify the set actions, the particular routing actions to perform if the criteria enforced by the match commands are met.
If the first next hop specified with the set ip next-hop command is down, the optionally specified IP addresses are tried in turn.
When the set ip next-hop peer-address command is used in an inbound route map of a BGP peer, the next hop of the received matching routes is set to the neighbor's peering address, overriding any third-party next hops. The same route map can therefore be applied to multiple BGP peers to override third-party next hops.
When the set ip next-hop peer-address command is used in an outbound route map of a BGP peer, the next hop of the advertised matching routes is set to the peering address of the local router, which disables the normal next-hop calculation. The set ip next-hop command has finer granularity than the (per-neighbor) neighbor next-hop-self command, because you can set the next hop for some routes but not others; the neighbor next-hop-self command sets the next hop for all routes sent to that neighbor.
The set clauses can be used in conjunction with one another. They are evaluated in the following order:
1. set ip next-hop
2. set interface
3. set ip default next-hop
4. set default interface

Note
To avoid a common configuration error for reflected routes, do not use the set ip next-hop command in a route map applied to BGP route reflector clients.

Examples
In the following example, three routers share a LAN (10.1.1.1, 10.1.1.2, and 10.1.1.3), each in a different autonomous system; the ASA is 10.1.1.2 in autonomous system 200. The set ip next-hop peer-address command in the outbound route map for neighbor 10.1.1.3 (autonomous system 300) rewrites the next hop of every route the ASA advertises to that neighbor, including the routes learned from 10.1.1.1 (autonomous system 100), to the ASA's own peering address. Traffic from autonomous system 300 toward autonomous system 100 that follows those routes is therefore sent through the ASA rather than directly to 10.1.1.1 over the shared LAN.
ciscoasa(config)# router bgp 200
ciscoasa(config-router)# address-family ipv4
ciscoasa(config-router-af)# neighbor 10.1.1.3 remote-as 300
ciscoasa(config-router-af)# neighbor 10.1.1.3 route-map set-peer-address out
ciscoasa(config-router-af)# neighbor 10.1.1.1 remote-as 100
ciscoasa(config-router-af)# exit
ciscoasa(config-router)# exit
ciscoasa(config)# route-map set-peer-address permit 10
ciscoasa(config-route-map)# set ip next-hop peer-address
set ip next-hop recursive
Both set ip next-hop and set ip default next-hop require the next hop to be on a directly connected subnet. With set ip next-hop recursive the next-hop address need not be directly connected: the ASA performs a recursive lookup of the next-hop address in its routing table and forwards matching traffic to the next hop of the route entry found, according to the routing path in use. Recursive next-hop lookup is not available for IPv6 or together with the default keyword.
set ip next-hop recursive ipv4-address
no set ip next-hop recursive ipv4-address
Syntax Description
ipv4-address
IP address of the next hop to which packets are output. It need not be an
adjacent router.
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:

  Command Mode             | Firewall Mode        | Security Context
                           | Routed  Transparent  | Single  Multiple: Context  System
  Route-map configuration  | Yes     —            | Yes     Yes                —

Command History

  Release   Modification
  9.4(1)    This command was added.

Usage Guidelines
Define the conditions for policy routing with the route-map global configuration command and the match and set route-map configuration commands, then apply the route map to the ingress interface with the policy-route route-map interface configuration command (the ASA form of the IOS ip policy route-map command). Each route-map command has a list of match and set commands associated with it. The match commands specify the match criteria, the conditions under which policy routing occurs. The set commands specify the set actions, the particular routing actions to perform if the criteria enforced by the match commands are met.
If the interface associated with the first next hop specified with the set ip next-hop command is down, the optionally specified IP addresses are tried in turn.
The set clauses can be used in conjunction with one another. They are evaluated in the following order:
1. set ip next-hop
2. set interface
3. set ip default next-hop
4. set default interface

Note
The set ip next-hop and set ip default next-hop are similar commands but have a different order of operations. Configuring the set ip next-hop command causes the system to use policy routing first and then use the routing table. Configuring the set ip default next-hop command causes the system to use the routing table first and then policy route to the specified next hop.

Examples
(config)# route-map testmapv4
(config-route-map)# set ip next-hop recursive 1.1.1.1
(config)# show run route-map
!
route-map testmapv4 permit 10
set ip next-hop recursive 1.1.1.1
!
(config)# show route-map testmapv4
route-map testmapv4, permit, sequence 10
Match clauses:
Set clauses:
ip next-hop recursive 1.1.1.1
set ip next-hop verify-availability
The set ip next-hop verify-availability command makes PBR use a next hop only while a tracked object, backed by an SLA monitor operation, reports it as reachable. To verify the availability of several next hops, configure several set ip next-hop verify-availability commands, each with its own sequence number and tracked object.
set ip next-hop verify-availability next-hop-address sequence-number track tracked-object-number
no set ip next-hop verify-availability next-hop-address sequence-number track tracked-object-number
Syntax Description
next-hop-address
IPv4 address of the next hop whose availability is verified and to which matching packets are sent.
sequence-number
Position of this next hop in the order in which the next hops are tried. The acceptable range is from 1 to 65535.
track
Verify availability through a tracked object; this is the only verification method the syntax offers.
tracked-object-number
Number of the object that the tracking subsystem (the track command) is tracking. The acceptable range is from 1 to 500.
Defaults
No command defaults.
Command Modes
The following table shows the modes in which you can enter the command:

  Command Mode             | Firewall Mode        | Security Context
                           | Routed  Transparent  | Single  Multiple: Context  System
  Route-map configuration  | Yes     —            | Yes     —                  —

Command History

  Release   Modification
  9.4(1)    This command was added.

Usage Guidelines
The syntax above always takes a tracked object: on the ASA, next-hop availability is verified through the track command, which binds a tracked object to an SLA monitor operation (track track-id rtr sla-id reachability). IOS additionally offers a CDP-based form, in which the next hop is used only if it is a Cisco device that appears as a Cisco Discovery Protocol (CDP) neighbor on the interface; that form has no representation in the syntax shown here and is not described further. Whatever the verification method, the reason to verify is the same:
• If PBR forwards to a next hop that is down and nothing checks its availability, the device keeps trying, unsuccessfully, to resolve the next hop with the Address Resolution Protocol (ARP). This continues indefinitely: the packets are either policy routed or remain unrouted.
• When verification is configured and a next hop fails it, the subsequent next hop, if there is one, is tried. If no next hop remains, the packets are not policy routed and follow normal routing.
• Verification costs some forwarding performance.
To verify the availability of only some next hops, configure different route-map entries (under the same route-map name) with different match criteria (for example, access-list matching or packet-size matching), and use set ip next-hop verify-availability only in the entries that need it.
Using Object Tracking
With the track argument, PBR bases its decision on the state of a tracked object. On the ASA a tracked object reports the reachability of an SLA monitor operation, that is, whether ICMP echo requests sent to a target address through a named interface are answered. (IOS tracking can additionally follow an application on a remote device, such as a response to an HTTP GET request, the presence of a route in the Routing Information Base, or the state of an interface; the ASA track command offers none of these.)
Object tracking works as follows. PBR registers with the tracking process its interest in a given object. The tracking process keeps the object's state (up or down) in a track report; when the route map is configured, the tracking process is asked whether the object exists, and if it does, tracking starts and the initial state is read. Whenever the state changes, the tracking process notifies every client tracking the object, so the route-map structure that PBR uses is updated to reflect the current state in the track report. This interprocess communication is event driven and is carried out through registries and the shared track report.
Note
If verified (tracked) and unverified next hops are mixed in the same route map, the tracked next hops are tried first. Because a next hop whose tracked object is down is skipped and the traffic then falls through to the remaining set clauses or to the routing table, make sure that fallback path is acceptable for the traffic concerned, and choose a probe target that answers ICMP reliably: a target that filters or rate-limits echo requests makes a healthy next hop look down.

Examples
The tracked object must exist before the route map references it; it is created with the track command from an SLA monitor operation:
ciscoasa(config)# sla monitor 1
ciscoasa(config-sla-monitor)# type echo protocol ipIcmpEcho 1.1.1.1 interface outside
ciscoasa(config)# sla monitor schedule 1 life forever start-time now
ciscoasa(config)# track 1 rtr 1 reachability
ciscoasa(config)# route-map testmapv4
ciscoasa(config-route-map)# set ip next-hop verify-availability 1.1.1.1 10 track 1
ciscoasa(config)# show run route-map
!
route-map testmapv4 permit 10
 set ip next-hop verify-availability 1.1.1.1 10 track 1
!
ciscoasa(config)# show route-map testmapv4
route-map testmapv4, permit, sequence 10
  Match clauses:
  Set clauses:
    ip next-hop verify-availability 1.1.1.1 10 track 1
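The set clauses described in the sections above (set default interface, set interface, set ip default next-hop, set ip next-hop, set ip next-hop recursive and set ip next-hop verify-availability) are easiest to reason about as one algorithm. The Python below is an added example written for this page, not ASA code: it applies the clauses in the order the reference gives, on a constructed topology (interfaces inside, dmz and outside; an explicit route 10.1.0.0/16 via inside; a default route via outside; tracked object 1), and shows when a packet is policy routed, falls back to the routing table, or is dropped. The addresses, interface names and the Router/SetClauses types are assumptions of the example.

```python
"""Toy model of the order in which PBR evaluates a route-map entry's set clauses
(set ip next-hop, set interface, set ip default next-hop, set default interface)
plus the recursive and tracked next-hop variants. Added example, not ASA code;
the topology, routes and track states below are constructed sample data."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

DEFAULT = ip_network("0.0.0.0/0")


@dataclass
class Route:
    prefix: object        # IPv4Network
    next_hop: object      # IPv4Address, or None when directly connected
    interface: str


@dataclass
class Router:
    connected: dict       # interface name -> directly connected subnet
    up: set               # names of interfaces that are up
    routes: list          # static routes, may include the default route
    track: dict = field(default_factory=dict)   # tracked object -> reachable?

    def lookup(self, dst):
        """Longest-prefix match over connected subnets and static routes."""
        dst, best = ip_address(dst), None
        for name, net in self.connected.items():
            if dst in net and name in self.up:
                best = Route(net, None, name)
        for r in self.routes:
            if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def has_explicit_route(self, dst):
        r = self.lookup(dst)   # an explicit route is any route other than 0.0.0.0/0
        return r is not None and r.prefix != DEFAULT

    def adjacent_iface(self, nh):
        nh = ip_address(nh)    # up interface whose connected subnet holds the next hop
        return next((n for n, net in self.connected.items() if nh in net and n in self.up), None)


@dataclass
class SetClauses:
    next_hop: list = field(default_factory=list)   # [(address, tracked object or None)]
    next_hop_recursive: str = None
    interface: list = field(default_factory=list)
    default_next_hop: list = field(default_factory=list)
    default_interface: str = None                  # the ASA accepts only "Null0"


def via(r):
    return f"{r.next_hop or 'connected'} via {r.interface}"


def forward(router, clauses, dst):
    """Decision for one packet that matched the entry, as (action, detail)."""
    # 1. set ip next-hop: first adjacent next hop on an up interface wins; a next
    #    hop whose tracked object is down is skipped (verify-availability ... track).
    for nh, obj in clauses.next_hop:
        if obj is not None and not router.track.get(obj, False):
            continue
        iface = router.adjacent_iface(nh)
        if iface:
            return "next-hop", f"{nh} via {iface}"
    # set ip next-hop recursive: resolve a possibly remote address via the routing table.
    if clauses.next_hop_recursive is not None:
        r = router.lookup(clauses.next_hop_recursive)
        if r is not None and r.interface in router.up:
            return "next-hop", f"{r.next_hop or clauses.next_hop_recursive} via {r.interface}"
    # 2. set interface: first interface that is up; Null0 discards the packet.
    for iface in clauses.interface:
        if iface == "Null0":
            return "drop", "set interface Null0"
        if iface in router.up:
            return "interface", iface
    # 3. set ip default next-hop: routing table first, PBR only without an explicit route.
    if clauses.default_next_hop:
        if router.has_explicit_route(dst):
            return "routing-table", via(router.lookup(dst))
        for nh in clauses.default_next_hop:
            iface = router.adjacent_iface(nh)
            if iface:
                return "default-next-hop", f"{nh} via {iface}"
    # 4. set default interface Null0: drop only when no explicit route exists.
    if clauses.default_interface is not None:
        if router.has_explicit_route(dst):
            return "routing-table", via(router.lookup(dst))
        return "drop", f"set default interface {clauses.default_interface}"
    r = router.lookup(dst)   # no set clause applied: ordinary destination routing
    return ("routing-table", via(r)) if r else ("drop", "no route")


def sample_router(up=("inside", "dmz", "outside"), track1=True):
    """Constructed topology: explicit route 10.1.0.0/16 via inside, default via outside."""
    return Router(
        connected={"inside": ip_network("10.0.0.0/24"), "dmz": ip_network("192.0.2.0/24"),
                   "outside": ip_network("203.0.113.0/24")},
        up=set(up),
        routes=[Route(ip_network("10.1.0.0/16"), ip_address("10.0.0.2"), "inside"),
                Route(DEFAULT, ip_address("203.0.113.1"), "outside")],
        track={1: track1})
```

With track 1 up, a tracked next hop 192.0.2.1 is used; with track 1 down the same entry is skipped and the packet follows the default route, which is the fallback the Note above asks you to check. set default interface Null0 drops a destination such as 198.51.100.7 that has only the default route, but leaves 10.1.2.3 on its explicit route, and set ip next-hop recursive 10.1.5.5 resolves through 10.1.0.0/16 to the gateway 10.0.0.2 on inside even though 10.1.5.5 is not adjacent.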
set local-preference
To specify a preference value for the autonomous system path, use the set local-preference command in
route-map configuration mode. To delete an entry, use the no form of this command.
set local-preference number-value
no set local-preference number-value
Syntax Description
number-value
Preference value. An integer from 0 to 4294967295.
Defaults
Preference value is 100.
Command Modes
The following table shows the modes in which you can enter the command:

  Command Mode             | Firewall Mode        | Security Context
                           | Routed  Transparent  | Single  Multiple: Context  System
  Route-map configuration  | Yes     —            | Yes     Yes                —

Command History

  Release   Modification
  9.2(1)    This command was added.

Usage Guidelines
The preference is sent only to routers within the local autonomous system; local preference is not advertised to external BGP peers.
Use the route-map global configuration command, and the match and set route-map configuration
commands, to define the conditions for redistributing routes from one routing protocol into another. Each
route-map command has a list of match and set commands associated with it. The match commands
specify the match criteria--the conditions under which redistribution is allowed for the current
route-map command. The set commands specify the set actions--the particular redistribution actions to
perform if the criteria enforced by the match commands are met. The no route-map command deletes
the route map.
The set route-map configuration commands specify the redistribution set actions to be performed when
all the match criteria of a route map are met. When all match criteria are met, all set actions are
performed.
You can change the default preference value with the bgp default local-preference command.
Examples
The following example sets the local preference to 100 for all routes whose AS path matches as-path access list 1:
ciscoasa(config)# route-map map-preference
ciscoasa(config-route-map)# match as-path 1
ciscoasa(config-route-map)# set local-preference 100
set metric
To set the metric value of a route for OSPF and other dynamic routing protocols in a route map, use the
set metric command in route-map configuration mode. To return to the default metric value for OSPF
and other dynamic routing protocols, use the no form of this command.
set metric {metric-value | bandwidth delay reliability loading mtu}
no set metric {metric-value | bandwidth delay reliability loading mtu}
Syntax Description
bandwidth
EIGRP bandwidth of a route, in kbps. Valid values range from 0 to
4294967295.
delay
EIGRP route delay, in tens of microseconds. Valid values range from 0 to
4294967295.
loading
Effective load on the route for EIGRP, expressed as a number from 0 to 255. The value 255 means 100 percent loading.
metric-value
Metric value of a route for OSPF and other dynamic routing protocols
(except for EIGRP), expressed as a number. Valid values range from 0 to
4294967295.
mtu
Minimum MTU size of a route for EIGRP, in bytes. Valid values range from
0 to 4294967295.
reliability
Likelihood of successful packet transmission for EIGRP expressed as a
number from 0 to 255. The value 255 means 100 percent reliability; 0 means
no reliability.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

  Command Mode             | Firewall Mode        | Security Context
                           | Routed  Transparent  | Single  Multiple: Context  System
  Route-map configuration  | Yes     —            | Yes     Yes                —

Command History

  Release   Modification
  7.0(1)    This command was added.
  8.2(5)    The bandwidth, delay, reliability, loading, and mtu arguments to support EIGRP in a route map were added.
  9.0(1)    Support for multiple context mode was added.
Usage Guidelines
The no set metric command allows you to return to the default metric value for OSPF and other dynamic
routing protocols. In this context, the metric-value argument is an integer from 0 to 4294967295.
Examples
The following example shows how to configure a route map for OSPF routing:
ciscoasa(config)# route-map maptag1 permit 8
ciscoasa(config-route-map)# set metric 5
ciscoasa(config-route-map)# match metric 5
ciscoasa(config-route-map)# show route-map
route-map maptag1 permit 8
 set metric 5
 match metric 5
The following example shows how to set the metric value for EIGRP in a route map. The five values are, in order, bandwidth 10000 kbps, delay 60 (tens of microseconds), reliability 100, loading 1, and MTU 1500; the match clause in the output requires the match ip address line:
ciscoasa(config)# access-list route-out line 1 standard permit 10.1.1.0 255.255.255.0
ciscoasa(config)# route-map rmap permit 10
ciscoasa(config-route-map)# match ip address route-out
ciscoasa(config-route-map)# set metric 10000 60 100 1 1500
ciscoasa(config-route-map)# show route-map rmap
route-map rmap, permit, sequence 10
  Match clauses:
    ip address (access-lists): route-out
  Set clauses:
    metric 10000 60 100 1 1500
ciscoasa(config-route-map)# show running-config route-map
route-map rmap permit 10
 match ip address route-out
 set metric 10000 60 100 1 1500
Related Commands
Command
Description
match interface
Distributes any routes that have their next hop out of one of the interfaces specified.
match ip next-hop
Distributes any routes that have a next-hop router address that is passed by
one of the access lists specified.
route-map
Defines the conditions for redistributing routes from one routing protocol
into another.
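The five EIGRP arguments of set metric are not the metric itself; EIGRP derives its composite metric from them. The Python below is an added example written for this page, not ASA code: it computes the classic EIGRP composite metric with the default K values from the bandwidth, delay, reliability and loading arguments, so the values in the example above (10000 60 100 1 1500) can be turned into the number a neighbor will see. The function name and the K-value parameter are assumptions of the example.

```python
"""Classic EIGRP composite metric from the five values 'set metric' takes for
EIGRP (bandwidth delay reliability loading mtu). Added example, not ASA code."""


def eigrp_classic_metric(bandwidth_kbps, delay_tens_us, reliability=255, loading=1,
                         mtu=1500, k=(1, 0, 1, 0, 0)):
    """Classic (32-bit) EIGRP composite metric.

    bandwidth_kbps: lowest bandwidth on the path in kbps; delay_tens_us: cumulative
    delay in tens of microseconds (the units the set metric arguments use). With the
    default K values (K1 = K3 = 1, K2 = K4 = K5 = 0) only bandwidth and delay count;
    reliability and loading enter only when K5 or K2 is non-zero, and MTU is carried
    in updates but never enters the metric at all.
    """
    k1, k2, k3, k4, k5 = k
    if bandwidth_kbps <= 0:
        raise ValueError("bandwidth must be positive")
    bw = 10 ** 7 // bandwidth_kbps              # scaled inverse bandwidth, as EIGRP does it
    metric = k1 * bw + (k2 * bw) // (256 - loading) + k3 * delay_tens_us
    if k5:                                       # reliability factor only if K5 is set
        metric = metric * k5 // (reliability + k4)
    return metric * 256


if __name__ == "__main__":
    print(eigrp_classic_metric(10000, 60, 100, 1, 1500))   # the example's values -> 271360
```

For the page's example the result is 256 x (10^7 / 10000 + 60) = 271360; changing the reliability or MTU arguments leaves that value unchanged under the default K values, which is why those two arguments are rarely what an engineer tunes.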
set metric-type
To specify the type of OSPF metric routes, use the set metric-type command in route-map configuration
mode. To return to the default setting, use the no form of this command.
set metric-type {type-1 | type-2}
no set metric-type
Syntax Description
type-1
Specifies the type of OSPF metric routes that are external to a specified
autonomous system.
type-2
Specifies the type of OSPF metric routes that are external to a specified
autonomous system.
Defaults
The default is type-2.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode              Firewall Mode           Security Context
                          Routed   Transparent    Single   Multiple
                                                           Context   System
Route-map configuration   • Yes    —              • Yes    • Yes     —

Command History
Release   Modification
7.0(1)    This command was added.
9.0(1)    Support for multiple context mode was added.
Examples
The following example shows how to configure a route map for OSPF routing:
ciscoasa(config)# route-map maptag1 permit 8
ciscoasa(config-route-map)# set metric 5
ciscoasa(config-route-map)# match metric 5
ciscoasa(config-route-map)# set metric-type type-2
ciscoasa(config-route-map)# show route-map
route-map maptag1 permit 8
set metric 5
set metric-type type-2
match metric 5
ciscoasa(config-route-map)# exit
ciscoasa(config)#
Related Commands
Command           Description
match interface   Distributes any routes that have their next hop out of one of the interfaces specified.
route-map         Defines the conditions for redistributing routes from one routing protocol into another.
set metric        Specifies the metric value in the destination routing protocol for a route map.
set metric-type internal
To set the Multi Exit Discriminator (MED) value on prefixes advertised to external BGP (eBGP)
neighbors to match the Interior Gateway Protocol (IGP) metric of the next hop, use the set metric-type
internal command in route-map configuration mode. To return to the default, use the no form of this
command.
set metric-type internal
no set metric-type internal
Syntax Description
This command has no arguments or keywords.
Command Default
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode              Firewall Mode           Security Context
                          Routed   Transparent    Single   Multiple
                                                           Context   System
Route-map configuration   • Yes    —              • Yes    • Yes     —

Command History
Release   Modification
9.2(1)    We added this command.

Usage Guidelines
This command will cause BGP to advertise a MED value that corresponds to the IGP metric associated
with the next hop of the route. This command applies to generated, internal BGP (iBGP)-, and
eBGP-derived routes.
If this command is used, multiple BGP speakers in a common autonomous system can advertise different
MED values for a particular prefix. Also, note that if the IGP metric changes, BGP will readvertise the
route every 10 minutes.
Use the route-map global configuration command and the match and set route-map configuration
commands to define the conditions for redistributing routes from one routing protocol into another.
Each route-map command has a list of match and set commands associated with it.
The match commands specify the match criteria—the conditions under which redistribution is allowed
for the current route-map command. The set commands specify the set actions—the particular
redistribution actions to perform if the criteria enforced by the match commands are met. The no
route-map command deletes the route map.
The set route-map configuration commands specify the redistribution set actions to be performed when
all of the match criteria of the route map are met. When all match criteria are met, all set actions are
performed.
Note
This command is not supported for redistributing routes into the Border Gateway Protocol (BGP).
Examples
In the following example, the MED value for all the advertised routes to neighbor 172.16.2.3 is set to
the corresponding IGP metric of the next hop:
ciscoasa(config)# router bgp 109
ciscoasa(config-router)# address-family ipv4
ciscoasa(config-router-af)# network 172.16.0.0
ciscoasa(config-router-af)# neighbor 172.16.2.3 remote-as 200
ciscoasa(config-router-af)# neighbor 172.16.2.3 route-map setMED out
ciscoasa(config-router-af)# route-map setMED permit 10
ciscoasa(config-route-map)# match as-path as-path-acl
ciscoasa(config-route-map)# set metric-type internal
ciscoasa(config-route-map)# ip as-path access-list as-path-acl permit .*
set origin
To set the BGP origin code, use the set origin command in route-map configuration mode. To delete an
entry, use the no form of this command.
set origin {igp | egp autonomous-system-number | incomplete}
no set origin {igp | egp autonomous-system-number | incomplete}
Syntax Description
autonomous-system-number   Number of a remote autonomous system. The range of values for this argument is
                           any valid autonomous system number from 1 to 65535.
egp                        Local External Gateway Protocol (EGP) system.
igp                        Remote Interior Gateway Protocol (IGP) system.
incomplete                 Unknown heritage.
Defaults
The origin of the route is based on the path information of the route in the main IP routing table.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode              Firewall Mode           Security Context
                          Routed   Transparent    Single   Multiple
                                                           Context   System
Route-map configuration   • Yes    —              • Yes    • Yes     —

Command History
Release   Modification
9.2(1)    This command was added.

Usage Guidelines
You must have a match clause (even if it points to a “permit everything” list) if you want to set the origin
of a route. Use this command to set a specific origin when a route is redistributed into BGP. When routes
are redistributed, the origin is usually recorded as incomplete, identified with a ? in the BGP table.
Use the route-map global configuration command, and the match and set route-map configuration
commands, to define the conditions for redistributing routes from one routing protocol into another.
Each route-map command has a list of match and set commands associated with it.
The match commands specify the match criteria—the conditions under which redistribution is allowed
for the current route-map command. The set commands specify the set actions—the particular
redistribution actions to perform if the criteria enforced by the match commands are met. The no
route-map command deletes the route map.
The set route-map configuration commands specify the redistribution set actions to be performed when
all of the match criteria of a route map are met. When all match criteria are met, all set actions are
performed.
Examples
The following example sets the origin of routes that pass the route map to IGP:
ciscoasa(config-route-map)# route-map set_origin
ciscoasa(config-route-map)# match as-path 10
ciscoasa(config-route-map)# set origin igp
setup
To configure a minimal configuration for the ASA using interactive prompts, enter the setup command
in global configuration mode.
setup
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode           Firewall Mode           Security Context
                       Routed   Transparent    Single   Multiple
                                                        Context   System
Global configuration   • Yes    • Yes          • Yes    • Yes     • Yes

Command History
Release   Modification
7.0(1)    This command was added.
8.4(1)    In routed mode for the ASA 5510 and higher, the interface configured is now the Management
          slot/port interface, and not the “inside” interface. For the ASA 5505, the interface configured
          is the VLAN 1 interface, not “inside”.
9.0(1)    The default configuration prompt was changed, and Ctrl + Z to exit the setup process was
          enabled.

Usage Guidelines
The setup prompt automatically appears at boot time if there is no startup configuration in flash memory.
The setup command walks you through minimal configuration to establish ASDM connectivity. This
command is designed for a unit that has either no configuration or a partial configuration. If your model
supports a factory default configuration, we recommend using the factory default configuration instead
of the setup command (to restore the default configuration, use the configure factory-default
command).
The setup command requires an already-named interface called “management.”
When you enter the setup command, you are asked for the information in Table 1-1. If there is already
a configuration for the listed parameter, it appears in brackets, so you can either accept it as the default
or override it by entering a new value. The exact prompts available may differ per model. The system
setup command includes a subset of these prompts.
Table 1-1    Setup Prompts

Prompt: Pre-configure Firewall now through interactive prompts [yes]?
Description: Enter yes or no. If you enter yes, the setup continues. If no, the setup stops and the
global configuration prompt (ciscoasa(config)#) appears.

Prompt: Firewall Mode [Routed]:
Description: Enter routed or transparent.

Prompt: Enable password:
Description: Enter an enable password. (The password must have at least three characters.)

Prompt: Allow password recovery [yes]?
Description: Enter yes or no.

Prompt: Clock (UTC):
Description: You cannot enter anything in this field. The UTC time is used by default.

Prompt: Year:
Description: Enter the year using four digits, for example, 2005. The year range is 1993 to 2035.

Prompt: Month:
Description: Enter the month using the first three characters of its name, for example, Sep for
September.

Prompt: Day:
Description: Enter the day of the month, from 1 to 31.

Prompt: Time:
Description: Enter the hour, minutes, and seconds in 24-hour time format, for example, enter 20:54:44
for 8:54 p.m. and 44 seconds.

Prompt: Host name:
Description: Enter the hostname that you want to display in the command line prompt.

Prompt: Domain name:
Description: Enter the domain name of the network on which the ASA runs.

Prompt: IP address of host running Device Manager:
Description: Enter the IP address of the host that needs to access ASDM.

Prompt: Use this configuration and save to flash (yes)?
Description: Enter yes or no. If you enter yes, the inside interface is enabled and the requested
configuration is written to the Flash partition. If you enter no, the setup prompt repeats, beginning
with the first question: Pre-configure Firewall now through interactive prompts [yes]? Enter Ctrl + Z
to exit the setup or yes to repeat the prompt.
Examples
The following example shows how to complete the setup command:
ciscoasa(config)# setup
Pre-configure Firewall now through interactive prompts [yes]? yes
Firewall Mode [Routed]: routed
Enable password [<use current password>]: writer
Allow password recovery [yes]? yes
Clock (UTC):
Year: 2005
Month: Nov
Day: 15
Time: 10:0:0
Inside IP address: 192.168.1.1
Inside network mask: 255.255.255.0
Host name: tech_pubs
Domain name: example.com
IP address of host running Device Manager: 10.1.1.1
The following configuration will be used:
Enable password: writer
Allow password recovery: yes
Clock (UTC): 20:54:44 Sep 17 2005
Firewall Mode: Routed
Inside IP address: 192.168.1.1
Inside network mask: 255.255.255.0
Host name: tech_pubs
Domain name: example.com
IP address of host running Device Manager: 10.1.1.1
Use this configuration and write to flash? yes
Related Commands
Command                     Description
configure factory-default   Restores the default configuration.
set weight
To specify the BGP weight for the routing table, use the set weight command in route-map configuration
mode. To delete an entry, use the no form of this command.
set weight number
no set weight number
Syntax Description
number    Weight value. It can be an integer ranging from 0 to 65535.
Defaults
The weight is not changed by the specified route map.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode              Firewall Mode           Security Context
                          Routed   Transparent    Single   Multiple
                                                           Context   System
Route-map configuration   • Yes    —              • Yes    • Yes     —

Command History
Release   Modification
9.2(1)    This command was added.
Usage Guidelines
The implemented weight is based on the first matched autonomous system path. Weights indicated when
an autonomous system path is matched override the weights assigned by global neighbor commands. In
other words, the weights assigned with the set weight route-map configuration command override the
weights assigned using the neighbor weight command.
Examples
The following example sets the BGP weight for the routes matching the autonomous system path access
list to 200:
ciscoasa(config-route-map)# route-map set-weight
ciscoasa(config-route-map)# match as-path as_path_acl
ciscoasa(config-route-map)# set weight 200
sfr
To redirect traffic to the ASA FirePOWER module, use the sfr command in class configuration mode.
To remove the redirect, use the no form of this command.
sfr {fail-close | fail-open} [monitor-only]
no sfr {fail-close | fail-open} [monitor-only]
Syntax Description
fail-close
Sets the ASA to block the traffic if the module is unavailable.
fail-open
Sets the ASA to allow the traffic through, applying ASA policies only, if the
module is unavailable.
monitor-only
Sends a read-only copy of traffic to the module, i.e. passive mode. If you do
not include the keyword, the traffic is sent in inline mode.
Command Default
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode          Firewall Mode           Security Context
                      Routed   Transparent    Single   Multiple
                                                       Context   System
Class configuration   • Yes    • Yes          • Yes    • Yes     —

Command History
Release   Modification
9.2(1)    This command was added.

Usage Guidelines
You can access the class configuration mode by first entering the policy-map command.
Before or after you configure the sfr command on the ASA, configure the security policy on the module
using Firepower Management Center.
To configure the sfr command, you must first configure the class-map command, policy-map command,
and the class command.
Traffic Flow
The ASA FirePOWER module runs a separate application from the ASA. It is, however, integrated into
the ASA traffic flow. When you apply the sfr command for a class of traffic on the ASA, traffic flows
through the ASA and the module in the following way:
1. Traffic enters the ASA.
2. Incoming VPN traffic is decrypted.
3. Firewall policies are applied.
4. Traffic is sent to the ASA FirePOWER module over the backplane.
5. The module applies its security policy to the traffic and takes appropriate actions.
6. In inline mode, valid traffic is sent back to the ASA over the backplane; the ASA FirePOWER module
   might block some traffic according to its security policy, and that traffic is not passed on. In
   passive mode, no traffic is returned, and the module cannot block traffic.
7. Outgoing VPN traffic is encrypted.
8. Traffic exits the ASA.
Compatibility with ASA Features
The ASA includes many advanced application inspection features, including HTTP inspection.
However, the ASA FirePOWER module provides more advanced HTTP inspection than the ASA
provides, as well as additional features for other applications, including monitoring and controlling
application usage.
To take full advantage of the ASA FirePOWER module features, see the following guidelines for traffic
that you send to the ASA FirePOWER module:
• Do not configure ASA inspection on HTTP traffic.
• Do not configure Cloud Web Security (ScanSafe) inspection. If you configure both ASA FirePOWER
  inspection and Cloud Web Security inspection for the same traffic, the ASA only performs ASA
  FirePOWER inspection.
• Other application inspections on the ASA are compatible with the ASA FirePOWER module, including
  the default inspections.
• Do not enable the Mobile User Security (MUS) server; it is not compatible with the ASA FirePOWER
  module.
• If you enable failover, when the ASA fails over, any existing ASA FirePOWER flows are transferred
  to the new ASA. The ASA FirePOWER module in the new ASA begins inspecting the traffic from that
  point forward; old inspection states are not transferred.
Monitor-Only Mode
The traffic flow in monitor-only mode is the same as it is for inline mode. The only difference is that the
ASA FirePOWER module does not pass traffic back to the ASA. Instead, the module applies the security
policy to the traffic and lets you know what it would have done if it were operating in inline mode, e.g.
traffic might be marked “would have dropped” in events. You can use this information for traffic analysis
and to help you decide if inline mode is desirable.
Note
You cannot configure both monitor-only mode and normal inline mode at the same time on the ASA.
Only one type of security policy is allowed. In multiple context mode, you cannot configure
monitor-only mode for some contexts, and regular inline mode for others.
Examples
The following example diverts all HTTP traffic to the ASA FirePOWER module, and blocks all HTTP
traffic if the module fails for any reason:
ciscoasa(config)# access-list ASASFR permit tcp any any eq 80
ciscoasa(config)# class-map my-sfr-class
ciscoasa(config-cmap)# match access-list ASASFR
ciscoasa(config-cmap)# policy-map my-sfr-policy
ciscoasa(config-pmap)# class my-sfr-class
ciscoasa(config-pmap-c)# sfr fail-close
ciscoasa(config-pmap-c)# service-policy my-sfr-policy global
The following example diverts all IP traffic destined for the 10.1.1.0 network and the 10.2.1.0 network
to the ASA FirePOWER module, and allows all traffic through if the module fails for any reason.
ciscoasa(config)# access-list my-sfr-acl permit ip any 10.1.1.0 255.255.255.0
ciscoasa(config)# access-list my-sfr-acl2 permit ip any 10.2.1.0 255.255.255.0
ciscoasa(config)# class-map my-sfr-class
ciscoasa(config-cmap)# match access-list my-sfr-acl
ciscoasa(config)# class-map my-sfr-class2
ciscoasa(config-cmap)# match access-list my-sfr-acl2
ciscoasa(config-cmap)# policy-map my-sfr-policy
ciscoasa(config-pmap)# class my-sfr-class
ciscoasa(config-pmap-c)# sfr fail-open
ciscoasa(config-pmap)# class my-sfr-class2
ciscoasa(config-pmap-c)# sfr fail-open
ciscoasa(config-pmap-c)# service-policy my-sfr-policy interface outside
Related Commands
Command                              Description
class                                Specifies a class map to use for traffic classification.
class-map                            Identifies traffic for use in a policy map.
hw-module module reload              Reloads the module.
hw-module module reset               Performs a reset and then reloads the module.
hw-module module shutdown            Shuts down the module.
policy-map                           Configures a policy; that is, an association of a traffic class and
                                     one or more actions.
show asp table classify domain sfr   Shows the NP rules created to send traffic to the ASA FirePOWER
                                     module.
show module                          Shows the module status.
show running-config policy-map       Displays all current policy map configurations.
show service-policy                  Shows service policy statistics.
sw-module module sfr reload          Reloads the software module.
sw-module module sfr reset           Resets the software module.
sw-module module sfr recover         Installs the software module boot image.
sw-module module sfr shutdown        Shuts down the software module.
shape
To enable QoS traffic shaping, use the shape command in class configuration mode. If you have a device
that transmits packets at a high speed, such as an ASA with Fast Ethernet, and it is connected to a low
speed device such as a cable modem, then the cable modem is a bottleneck at which packets are
frequently dropped. To manage networks with differing line speeds, you can configure the ASA to
transmit packets at a fixed slower rate, called traffic shaping. To remove this configuration, use the no
form of this command.
Note
Traffic shaping is only supported on the ASA 5505, 5510, 5520, 5540, and 5550. Multi-core models
(such as the ASA 5500-X) do not support shaping.
shape average rate [burst_size]
no shape average rate [burst_size]
Syntax Description
average rate
Sets the average rate of traffic in bits per second over a given fixed time
period, between 64000 and 154400000. Specify a value that is a multiple of
8000. See the “Usage Guidelines” section for more information about how
the time period is calculated.
burst_size
Sets the average burst size in bits that can be transmitted over a given fixed
time period, between 2048 and 154400000. Specify a value that is a multiple
of 128. If you do not specify the burst_size, the default value is equivalent to
4-milliseconds of traffic at the specified average rate. For example, if the
average rate is 1000000 bits per second, 4 ms worth = 1000000 * 4/1000 =
4000.
Defaults
If you do not specify the burst_size, the default value is equivalent to 4-milliseconds of traffic at the
specified average rate. For example, if the average rate is 1000000 bits per second, 4 ms worth = 1000000
* 4/1000 = 4000.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode          Firewall Mode           Security Context
                      Routed   Transparent    Single   Multiple
                                                       Context   System
Class configuration   • Yes    —              • Yes    —         —

Command History
Release         Modification
7.2(4)/8.0(4)   This command was added.
Usage Guidelines
To enable traffic shaping, use the Modular Policy Framework:
1. policy-map—Identify the actions associated with the class-default class map.
   a. class class-default—Identify the class-default class map on which you want to perform actions.
   b. shape—Apply traffic shaping to the class map.
   c. (Optional) service-policy—Call a different policy map in which you configured the priority
      command so you can apply priority queueing to a subset of shaped traffic.
2. service-policy—Assigns the policy map to an interface or globally.
Traffic Shaping Overview
Traffic shaping is used to match device and link speeds, thereby controlling packet loss, variable delay,
and link saturation, which can cause jitter and delay.
• Traffic shaping must be applied to all outgoing traffic on a physical interface or in the case of the
  ASA 5505, on a VLAN. You cannot configure traffic shaping for specific types of traffic.
• Traffic shaping is implemented when packets are ready to be transmitted on an interface, so the rate
  calculation is performed based on the actual size of a packet to be transmitted, including all the
  possible overhead such as the IPsec header and L2 header.
• The shaped traffic includes both through-the-box and from-the-box traffic.
• The shape rate calculation is based on the standard token bucket algorithm. The token bucket size is
  twice the burst size value. See the CLI configuration guide for more information about the token
  bucket.
• When bursty traffic exceeds the specified shape rate, packets are queued and transmitted later.
Following are some characteristics regarding the shape queue (for information about hierarchical
priority queuing, see the priority command):
– The queue size is calculated based on the shape rate. The queue can hold the equivalent of
200-milliseconds worth of shape rate traffic, assuming a 1500-byte packet. The minimum queue
size is 64.
– When the queue limit is reached, packets are tail-dropped.
– Certain critical keep-alive packets such as OSPF Hello packets are never dropped.
– The time interval is derived by time_interval = burst_size / average_rate. The larger the time
interval is, the burstier the shaped traffic might be, and the longer the link might be idle. The
effect can be best understood using the following exaggerated example:
Average Rate = 1000000
Burst Size = 1000000
In the above example, the time interval is 1 second, which means, 1 Mbps of traffic can be
bursted out within the first 10 milliseconds of the 1-second interval on a 100 Mbps FE link and
leave the remaining 990 milliseconds idle without being able to send any packets until the next
time interval. So if there is delay-sensitive traffic such as voice traffic, the Burst Size should be
reduced compared to the average rate so the time interval is reduced.
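The following Python is an added worked example, not code from the Cisco reference: it applies the rules stated in this section for the shape parameters (the rate and burst ranges and steps, the 4 ms default burst, time_interval = burst_size / average_rate, a token bucket of twice the burst size, and a 200 ms queue at 1500-byte packets with a minimum of 64) so an operator can see what a setting implies before committing it. The function names and the burst_for_interval helper are our own.

```python
# Added example; not Cisco code. Derives what a given
# "shape average rate [burst_size]" setting implies, using the rules
# stated in the Syntax Description and Usage Guidelines above.
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

RATE_MIN, RATE_MAX, RATE_STEP = 64_000, 154_400_000, 8_000      # bits/s
BURST_MIN, BURST_MAX, BURST_STEP = 2_048, 154_400_000, 128      # bits
QUEUE_PACKET_BYTES = 1500     # queue sizing assumes a 1500-byte packet
QUEUE_MIN_PACKETS = 64        # "The minimum queue size is 64."
QUEUE_DEPTH_MS = 200          # the queue holds 200 ms worth of shape rate
DEFAULT_BURST_MS = 4          # the default burst is 4 ms at the average rate


@dataclass(frozen=True)
class ShapeParams:
    average_rate: int        # bits per second
    burst_size: int          # bits
    time_interval_s: float   # burst_size / average_rate
    token_bucket_bits: int   # the bucket is twice the burst size
    queue_packets: int       # shape queue depth in packets


def default_burst(average_rate: int) -> int:
    """4 ms of traffic at the average rate (the page: 1 Mbps -> 4000 bits)."""
    return average_rate * DEFAULT_BURST_MS // 1000


def time_interval(average_rate: int, burst_size: int) -> float:
    """time_interval = burst_size / average_rate, in seconds."""
    return burst_size / average_rate


def validate_shape(average_rate: int, burst_size: Optional[int] = None) -> ShapeParams:
    """Check the CLI's stated ranges and steps, then derive the implied values.

    The step and range checks apply to values the operator types; the default
    burst is taken as-is (4 ms at 1 Mbps is 4000, which is not a multiple of 128).
    """
    if not RATE_MIN <= average_rate <= RATE_MAX or average_rate % RATE_STEP:
        raise ValueError(f"average rate {average_rate} must be {RATE_MIN}..{RATE_MAX} "
                         f"and a multiple of {RATE_STEP}")
    if burst_size is None:
        burst_size = default_burst(average_rate)
    elif not BURST_MIN <= burst_size <= BURST_MAX or burst_size % BURST_STEP:
        raise ValueError(f"burst size {burst_size} must be {BURST_MIN}..{BURST_MAX} "
                         f"and a multiple of {BURST_STEP}")
    bits_per_packet = QUEUE_PACKET_BYTES * 8
    queue = max(QUEUE_MIN_PACKETS,
                average_rate * QUEUE_DEPTH_MS // 1000 // bits_per_packet)
    return ShapeParams(average_rate, burst_size,
                       time_interval(average_rate, burst_size),
                       2 * burst_size, queue)


def burst_for_interval(average_rate: int, target_interval_s: float) -> int:
    """Largest burst (multiple of 128, clamped to the valid range) whose interval
    does not exceed target_interval_s.

    Helper of our own: the page advises shrinking the burst relative to the rate
    so delay-sensitive traffic such as voice sees a shorter interval.
    """
    raw = int(average_rate * target_interval_s)
    burst = raw - raw % BURST_STEP
    return min(BURST_MAX, max(BURST_MIN, burst))


if __name__ == "__main__":
    # The page's exaggerated example: 1 Mbps rate with a 1 Mbit burst -> 1 s interval
    print(f"interval = {time_interval(1_000_000, 1_000_000):.3f} s")
    print(validate_shape(2_000_000, 16_000))
    print("voice-friendly burst for 1 Mbps at 10 ms:", burst_for_interval(1_000_000, 0.010))
```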
How QoS Features Interact
You can configure each of the QoS features alone if desired for the ASA. Often, though, you configure
multiple QoS features on the ASA so you can prioritize some traffic, for example, and prevent other
traffic from causing bandwidth problems.
See the following supported feature combinations per interface:
• Standard priority queuing (for specific traffic) + Policing (for the rest of the traffic).
  You cannot configure priority queuing and policing for the same set of traffic.
• Traffic shaping (for all traffic on an interface) + Hierarchical priority queuing (for a subset of
  traffic).
You cannot configure traffic shaping and standard priority queuing for the same interface; only
hierarchical priority queuing is allowed. For example, if you configure standard priority queuing for the
global policy, and then configure traffic shaping for a specific interface, the feature you configured last
is rejected because the global policy overlaps the interface policy.
Typically, if you enable traffic shaping, you do not also enable policing for the same traffic, although the
ASA does not restrict you from configuring this.
Examples
The following example enables traffic shaping for all traffic on the outside interface, and prioritizes
traffic within VPN tunnel-grp1 with the DSCP bit set to ef:
ciscoasa(config)# class-map TG1-voice
ciscoasa(config-cmap)# match tunnel-group tunnel-grp1
ciscoasa(config-cmap)# match dscp ef
ciscoasa(config)# policy-map priority-sub-policy
ciscoasa(config-pmap)# class TG1-voice
ciscoasa(config-pmap-c)# priority
ciscoasa(config-pmap-c)# policy-map shape_policy
ciscoasa(config-pmap)# class class-default
ciscoasa(config-pmap-c)# shape
ciscoasa(config-pmap-c)# service-policy priority-sub-policy
ciscoasa(config-pmap-c)# service-policy shape_policy interface outside
Related Commands
Command                   Description
class                     Identifies the class map on which you want to perform actions in a policy map.
police                    Enables QoS policing.
policy-map                Identifies actions to apply to traffic in a service policy.
priority                  Enables QoS priority queuing.
service-policy (class)    Applies a hierarchical policy map.
service-policy (global)   Applies a service policy to interface(s).
show service-policy       Shows QoS statistics.
CHAPTER 2
show aaa kerberos through show asdm sessions Commands
show aaa kerberos
To display all the Kerberos tickets cached on the ASA, use the show aaa kerberos command in webvpn
configuration mode.
show aaa kerberos [username user | host ip | hostname]
Syntax Description
host
Specifies the specific host that you want to view.
hostname
Specifies the hostname.
ip
Specifies the IP address for the host.
username
Specifies the specific user that you want to view.
Defaults
No defaults exist for this command.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode           Firewall Mode           Security Context
                       Routed   Transparent    Single   Multiple
                                                        Context   System
Webvpn configuration   • Yes    —              • Yes    —         —

Command History
Release   Modification
8.4(1)    This command was added.
Usage Guidelines
Use the show aaa kerberos command in webvpn configuration mode to view all the Kerberos tickets
cached on the ASA. The username and host keywords are used to view the Kerberos tickets of a specific
user or host.
Examples
The following example shows the usage of the show aaa kerberos command:
ciscoasa(config)# show aaa kerberos
Default Principal   Valid Starting      Expires             Service Principal
[email protected]   06/29/10 17:33:00   06/30/10 17:33:00   asa$/[email protected]
[email protected]   06/29/10 17:33:00   06/30/10 17:33:00   http/[email protected]
Related Commands
Command                          Description
clear aaa kerberos               Clears all the Kerberos tickets cached on the ASA.
clear configure aaa-server       Removes all AAA command statements from the configuration.
show running-config aaa-server   Displays AAA server statistics for all AAA servers, for a particular
                                 server group, for a particular server within a particular group, or for
                                 a particular protocol.
show aaa local user
To show the list of usernames that are currently locked, or to show details about the username, use the
show aaa local user command in global configuration mode.
show aaa local user [locked]
Syntax Description
locked    (Optional) Shows the list of usernames that are currently locked.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode           Firewall Mode           Security Context
                       Routed   Transparent    Single   Multiple
                                                        Context   System
Global configuration   • Yes    • Yes          • Yes    • Yes     —

Command History
Release   Modification
7.0(1)    This command was added.

Usage Guidelines
If you omit the optional keyword locked, the ASA displays the failed-attempts and lockout status details
for all AAA local users.
You can specify a single user by using the username option or all users with the all option.
This command affects only the status of users that are locked out.
The administrator cannot be locked out of the device.
Examples
The following example shows the use of the show aaa local user command to display the number of
failed authentication attempts and lockout status details for all AAA local users, after the limit has
been set to 5:
ciscoasa(config)# aaa local authentication attempts max-fail 5
ciscoasa(config)# show aaa local user
Lock-time   Failed-attempts   Locked   User
                          6        Y   test
                          2        N   mona
                          1        N   cisco
                          4        N   newuser
ciscoasa(config)#
This example shows the use of the show aaa local user command with the locked keyword to display
the number of failed authentication attempts and lockout status details only for any locked-out AAA
local users, after the limit has been set to 5:
ciscoasa(config)# aaa local authentication attempts max-fail 5
ciscoasa(config)# show aaa local user locked
Lock-time   Failed-attempts   Locked   User
                          6        Y   test
ciscoasa(config)#
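As an added example (not Cisco's code), the following Python parses the show aaa local user output shown above and groups accounts that are locked or within one failed attempt of the max-fail limit, which is how a defender would turn this command into a lockout or password-spray alert. The sample output is constructed to mirror the page's, and the function names are our own.

```python
# Added example; not Cisco code. Parses "show aaa local user" output and
# reports accounts that are locked or close to the configured max-fail limit.
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed sample mirroring the output shown in the reference
# (Lock-time is blank for every row, as in that output).
SAMPLE_OUTPUT = """\
ciscoasa(config)# show aaa local user
Lock-time   Failed-attempts   Locked   User
                          6        Y   test
                          2        N   mona
                          1        N   cisco
                          4        N   newuser
ciscoasa(config)#
"""


@dataclass(frozen=True)
class LocalUserStatus:
    user: str
    failed_attempts: int
    locked: bool
    lock_time: Optional[str]   # None when the Lock-time column is blank


def parse_show_aaa_local_user(text: str) -> list[LocalUserStatus]:
    """Parse rows from the right: only Lock-time may be blank or contain spaces."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the header, prompts and blank lines: a data row ends in
        # <digits> <Y|N> <user>.
        if len(parts) < 3 or parts[-2] not in ("Y", "N") or not parts[-3].isdigit():
            continue
        *lock_time, failed, locked, user = parts
        rows.append(LocalUserStatus(user, int(failed), locked == "Y",
                                    " ".join(lock_time) or None))
    return rows


def lockout_report(rows: list[LocalUserStatus], max_fail: int,
                   warn_margin: int = 1) -> dict[str, list[str]]:
    """Split users into 'locked' (Locked = Y) and 'near_limit' (failed attempts
    within warn_margin of the configured max-fail value).

    Several accounts in near_limit at once is the pattern a password spray leaves;
    the administrator cannot be locked out (per the page), so its failed-attempt
    count deserves attention on its own.
    """
    report: dict[str, list[str]] = {"locked": [], "near_limit": []}
    for r in rows:
        if r.locked:
            report["locked"].append(r.user)
        elif r.failed_attempts >= max_fail - warn_margin:
            report["near_limit"].append(r.user)
    return report


if __name__ == "__main__":
    users = parse_show_aaa_local_user(SAMPLE_OUTPUT)
    print(lockout_report(users, max_fail=5))
```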
Related Commands
Command                                       Description
aaa local authentication attempts max-fail    Configures the maximum number of times a user can enter a
                                              wrong password before being locked out.
clear aaa local user fail-attempts            Resets the number of failed attempts to 0 without modifying
                                              the lockout status.
clear aaa local user lockout                  Clears the lockout status of the specified user or all users
                                              and sets their failed attempts counters to 0.
show aaa-server
To display AAA server statistics for AAA servers, use the show aaa-server command in privileged
EXEC mode.
show aaa-server [LOCAL | groupname [host hostname] | protocol protocol]
Syntax Description
LOCAL               (Optional) Shows statistics for the LOCAL user database.
groupname           (Optional) Shows statistics for servers in a group.
host hostname       (Optional) Shows statistics for a particular server in the group.
protocol protocol   (Optional) Shows statistics for servers of the following specified protocols:
                    • kerberos
                    • ldap
                    • nt
                    • radius
                    • sdi
                    • tacacs+
Defaults
By default, all AAA server statistics display.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode      Firewall Mode           Security Context
                  Routed   Transparent    Single   Multiple
                                                   Context   System
Privileged EXEC   • Yes    • Yes          • Yes    • Yes     —

Command History
Release   Modification
7.1(1)    The http-form protocol was added.
8.0(2)    The server status shows if the status was changed manually using the aaa-server active
          command or fail command.

Examples
The following is sample output from the show aaa-server command:
ciscoasa(config)# show aaa-server group1 host 192.68.125.60
Server Group: group1
Server Protocol: RADIUS
Server Address: 192.68.125.60
Server port: 1645
Server status: ACTIVE. Last transaction (success) at 11:10:08 UTC
Number of pending requests
20
Cisco ASA Series Command Reference, S Commands
2-6
Context
Fri Aug 22
Chapter
Average round trip time
Number of authentication requests
Number of authorization requests
Number of accounting requests
Number of retransmissions
Number of accepts
Number of rejects
Number of challenges
Number of malformed responses
Number of bad authenticators
Number of timeouts
Number of unrecognized responses
4ms
20
0
0
1
16
4
5
0
0
0
0
The following table shows field descriptions for the show aaa-server command:
Field
Description
Server Group
The server group name specified by the aaa-server command.
Server Protocol
The server protocol for the server group specified by the
aaa-server command.
Server Address
The IP address of the AAA server.
Server port
The communication port used by the ASA and the AAA server.
You can specify the RADIUS authentication port using the
authentication-port command. You can specify the RADIUS
accounting port using the accounting-port command. For
non-RADIUS servers, the port is set by the server-port
command.
Server status
The status of the server. One of the following values appears:
• ACTIVE—The ASA will communicate with this AAA server.
• FAILED—The ASA cannot communicate with the AAA server. Servers that are put into this state
  remain there for some period of time, depending on the policy configured, and are then
  reactivated.
If the status is followed by “(admin initiated),” then the server was manually failed or reactivated
using the aaa-server active command or fail command.
The date and time of the last transaction appear in the following
form:
Last transaction ({success | failure}) at time timezone
date
If the ASA has never communicated with the server, the message
shows as the following:
Last transaction at Unknown
Number of pending requests
The number of requests that are still in progress.
Average round trip time
The average time that it takes to complete a transaction with the
server.
Number of authentication requests
The number of authentication requests sent by the ASA. This
value does not include retransmissions after a timeout.
Number of authorization requests
The number of authorization requests. This value refers to
authorization requests due to command authorization,
authorization for through-the-box traffic (for TACACS+ servers),
or for WebVPN and IPsec authorization functionality enabled for
a tunnel group. This value does not include retransmissions after
a timeout.
Number of accounting requests
The number of accounting requests. This value does not include
retransmissions after a timeout.
Number of retransmissions
The number of times a message was retransmitted after an
internal timeout. This value applies only to Kerberos and
RADIUS servers (UDP).
Number of accepts
The number of successful authentication requests.
Number of rejects
The number of rejected requests. This value includes error
conditions as well as true credential rejections from the AAA
server.
Number of challenges
The number of times the AAA server required additional
information from the user after receiving the initial username and
password information.
Number of malformed responses
N/A. Reserved for future use.
Number of bad authenticators
The number of times that one of the following occurs:
• The “authenticator” string in the RADIUS packet is corrupted (rare).
• The shared secret key on the ASA does not match the one on the RADIUS server. To fix this
  problem, enter the correct server key.
This value only applies to RADIUS.
Number of timeouts
The number of times the ASA has detected that a AAA server is
not responsive or otherwise misbehaving and has declared it
offline.
Number of unrecognized responses
The number of times that the ASA received a response from the
AAA server that it could not recognize or support. For example,
the RADIUS packet code from the server was an unknown type,
something other than the known “access-accept,” “access-reject,”
“access-challenge,” or “accounting-response” types. Typically,
this means that the RADIUS response packet from the server was
corrupted, which is rare.
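As an added example (not Cisco's code), the following Python parses the server block format shown above and turns the field descriptions into checks an operator can run over collected output; the first block in its sample is the page's output and the second is constructed to show a failed server with a mismatched shared secret.

```python
"""Health check over `show aaa-server` output. Added example, not Cisco code.
Parses the per-server block format shown on this page and flags what the field
table calls out: FAILED status, bad authenticators (shared-secret mismatch),
timeouts and a high reject ratio. SAMPLE is constructed: block 1 copies the
page's output, block 2 is invented to show a failed, mis-keyed server.
"""
import re
from typing import Dict, List

SAMPLE = """\
Server Group:    group1
Server Protocol: RADIUS
Server Address:  192.68.125.60
Server port:     1645
Server status:   ACTIVE. Last transaction (success) at 11:10:08 UTC Fri Aug 22
Number of pending requests          20
Average round trip time             4ms
Number of authentication requests   20
Number of authorization requests    0
Number of accounting requests       0
Number of retransmissions           1
Number of accepts                   16
Number of rejects                   4
Number of challenges                5
Number of malformed responses       0
Number of bad authenticators        0
Number of timeouts                  0
Number of unrecognized responses    0

Server Group:    group1
Server Protocol: RADIUS
Server Address:  192.68.125.61
Server port:     1645
Server status:   FAILED (admin initiated). Last transaction (failure) at 11:12:30 UTC Fri Aug 22
Number of pending requests          0
Average round trip time             0ms
Number of authentication requests   12
Number of authorization requests    0
Number of accounting requests       0
Number of retransmissions           9
Number of accepts                   0
Number of rejects                   12
Number of challenges                0
Number of malformed responses       0
Number of bad authenticators        12
Number of timeouts                  3
Number of unrecognized responses    0
"""

_HEADER = re.compile(r"^(Server (?:Group|Protocol|Address|port|status)):\s*(.*)$")
_COUNTER = re.compile(r"^(Number of [a-z ]+?|Average round trip time)\s+(\d+)(ms)?$")


def parse_aaa_server(text: str) -> List[Dict[str, object]]:
    """Return one dict per server block: header strings plus integer counters."""
    servers: List[Dict[str, object]] = []
    cur: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Server Group:") and cur:  # next block begins
            servers.append(cur)
            cur = {}
        m = _HEADER.match(line)
        if m:
            cur[m.group(1)] = m.group(2).strip()
            continue
        m = _COUNTER.match(line)
        if m:
            cur[m.group(1)] = int(m.group(2))
    if cur:
        servers.append(cur)
    return servers


def _n(server: Dict[str, object], key: str) -> int:
    return int(str(server.get(key, 0)))


def server_findings(server: Dict[str, object]) -> List[str]:
    """Findings for one server, phrased the way the field table explains them."""
    findings: List[str] = []
    status = str(server.get("Server status", ""))
    if status.startswith("FAILED"):
        how = "admin initiated" if "(admin initiated)" in status else "failure policy"
        findings.append(f"server is FAILED ({how}); the ASA will not send it requests")
    if _n(server, "Number of bad authenticators") > 0:
        findings.append("bad authenticators > 0: the RADIUS shared secret on the ASA "
                        "likely differs from the server's; verify the server key")
    if _n(server, "Number of timeouts") > 0:
        findings.append("timeouts > 0: the server was declared offline at least once")
    auth = _n(server, "Number of authentication requests")
    rejects = _n(server, "Number of rejects")
    if auth and rejects / auth > 0.5:
        findings.append(f"{rejects} of {auth} authentications rejected: review "
                        "failed logins or the server entry")
    return findings


def check_aaa_servers(text: str) -> Dict[str, List[str]]:
    """Map each server address to its findings; an empty list means healthy."""
    return {str(s.get("Server Address", "?")): server_findings(s)
            for s in parse_aaa_server(text)}
```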
Related Commands
Command                           Description
show running-config aaa-server    Displays statistics for all servers in the indicated server group or for a
                                  particular server.
clear aaa-server statistics       Clears the AAA server statistics.
show access-list
To display the hit counters and a timestamp value for an access list, use the show access-list command
in privileged EXEC mode.
show access-list id_1 [...[id_2]] [brief]
Syntax Description
brief   (Optional) Displays the access list identifiers, the hit count, and the timestamp of the last
        rule hit, all in hexadecimal format.
id_1    A name or set of characters that identifies an existing access list.
id_2    (Optional) A name or set of characters that identifies an existing access list.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                  Firewall Mode            Security Context
                                                     Multiple
Command Mode      Routed   Transparent    Single    Context   System
Privileged EXEC   • Yes    • Yes          • Yes     • Yes     —

Command History
Release   Modification
8.0(2)    Support for the brief keyword was added.
8.3(1)    The ACE show pattern to display ACL timestamp was modified.

Usage Guidelines
You can display multiple access lists at one time by entering the access list identifiers in one command.
You can specify the brief keyword to display access list hit count, identifiers, and timestamp information
in hexadecimal format. The configuration identifiers displayed in hexadecimal format are presented in
three columns, and they are the same identifiers used in syslogs 106023 and 106100.
If an access list has been changed recently, the list is excluded from the output. A message will indicate
when this happens.
Clustering Guidelines
When using ASA clustering, if traffic is received by a single unit, the other units may still show a hit
count for the ACL due to the clustering director logic. This is an expected behavior. Because the unit
that did not receive any packets directly from the client may receive forwarded packets over the cluster
control link for an owner request, the unit may check the ACL before sending the packet back to the
receiving unit. As a result, the ACL hit count will be increased even though the unit did not pass the
traffic.
Examples
The following examples show brief information about the specified access policy in hexadecimal format
(ACEs in which the hitcount is not zero). The first two columns display identifiers in hexadecimal
format, the third column lists the hit count, and the fourth column displays the timestamp value, also in
hexadecimal format. The hit count value represents the number of times the rule has been hit by traffic.
The timestamp value reports the time of the last hit. If the hit count is zero, no information is displayed.
The following is sample output from the show access-list command and shows the access list name
“test,” which is applied on an outside interface in the “IN” direction:
ciscoasa# show access-list test
access-list test; 3 elements; name hash: 0xcb4257a3
access-list test line 1 extended permit icmp any any (hitcnt=0) 0xb422e9c2
access-list test line 2 extended permit object-group TELNET-SSH object-group S1 object-group D1 0x44ae5901
access-list test line 2 extended permit tcp 100.100.100.0 255.255.255.0 10.10.10.0 255.255.255.0 eq telnet (hitcnt=1) 0xca10ca21
access-list test line 2 extended permit tcp 100.100.100.0 255.255.255.0 10.10.10.0 255.255.255.0 eq ssh (hitcnt=1) 0x5b704158
The following is sample output from the show access-list command when object-group-search group
is not enabled:
ciscoasa# show access-list KH-BLK-Tunnel
access-list KH-BLK-Tunnel; 9 elements
access-list KH-BLK-Tunnel line 1 extended permit ip object-group KH-LAN object-group BLK-LAN 0x724c956b
access-list KH-BLK-Tunnel line 1 extended permit ip 192.168.97.0 255.255.255.0 192.168.4.0 255.255.255.0 (hitcnt=10) 0x30fe29a6
access-list KH-BLK-Tunnel line 1 extended permit ip 13.13.13.0 255.255.255.0 192.168.4.0 255.255.255.0 (hitcnt=4) 0xc6ef2338
access-list KH-BLK-Tunnel line 1 extended permit ip 192.168.97.0 255.255.255.0 14.14.14.0 255.255.255.0 (hitcnt=2) 0xce8596ec
access-list KH-BLK-Tunnel line 1 extended permit ip 13.13.13.0 255.255.255.0 14.14.14.0 255.255.255.0 (hitcnt=0) 0x9a2f1c4d
access-list KH-BLK-Tunnel line 2 extended permit ospf interface pppoe1 host 87.139.87.200 (hitcnt=0) 0xb62d5832
access-list KH-BLK-Tunnel line 3 extended permit ip interface pppoe1 any (hitcnt=0) 0xa2c9ed34
access-list KH-BLK-Tunnel line 4 extended permit ip host 1.1.1.1 any (hitcnt=0) 0xd06f7e6b
access-list KH-BLK-Tunnel line 5 extended deny ip 1.1.0.0 255.255.0.0 any (hitcnt=0) 0x9d979934
access-list KH-BLK-Tunnel line 6 extended permit ip 1.1.1.0 255.255.255.0 any (hitcnt=0) 0xa52a0761
The following is sample output from the show access-list command when object-group-search group
is enabled:
ciscoasa# show access-list KH-BLK-Tunnel
access-list KH-BLK-Tunnel; 6 elements
access-list KH-BLK-Tunnel line 1 extended permit ip object-group KH-LAN(1) object-group BLK-LAN(2)(hitcount=16) 0x724c956b
access-list KH-BLK-Tunnel line 2 extended permit ospf interface pppoe1 host 87.139.87.200 (hitcnt=0) 0xb62d5832
access-list KH-BLK-Tunnel line 3 extended permit ip interface pppoe1 any (hitcnt=0) 0xa2c9ed34
access-list KH-BLK-Tunnel line 4 extended permit ip host 1.1.1.1 any (hitcnt=0) 0xd06f7e6b
access-list KH-BLK-Tunnel line 5 extended deny ip 1.1.0.0 255.255.0.0 any (hitcnt=0) 0x9d979934
access-list KH-BLK-Tunnel line 6 extended permit ip 1.1.1.0 255.255.255.0 any (hitcnt=0) 0xa52a0761
The following is sample output from the show access-list brief command when Telnet traffic is passed:
ciscoasa (config)# sh access-list test brief
access-list test; 3 elements; name hash: 0xcb4257a3
ca10ca21 44ae5901 00000001 4a68aa7e
The following is sample output from the show access-list brief command when SSH traffic is passed:
ciscoasa (config)# sh access-list test brief
access-list test; 3 elements; name hash: 0xcb4257a3
ca10ca21 44ae5901 00000001 4a68aa7e
5b704158 44ae5901 00000001 4a68aaa9
The following is sample output from the show access-list command and shows the access list name
“test,” which is applied on an outside interface in the “IN” direction, with ACL Optimization enabled:
ciscoasa# show access-list test
access-list test; 3 elements; name hash: 0xcb4257a3
access-list test line 1 extended permit icmp any any (hitcnt=0) 0xb422e9c2
access-list test line 2 extended permit object-group TELNET-SSH object-group S1 object-group D1 0x44ae5901
access-list test line 2 extended permit tcp object-group S1(1) object-group D1(2) eq telnet (hitcnt=1) 0x7b1c1660
access-list test line 2 extended permit tcp object-group S1(1) object-group D1(2) eq ssh (hitcnt=1) 0x3666f922
The following is sample output from the show access-list brief command when Telnet traffic is passed:
ciscoasa (config)# sh access-list test brief
access-list test; 3 elements; name hash: 0xcb4257a3
7b1c1660 44ae5901 00000001 4a68ab51
The following is sample output from the show access-list brief command when SSH traffic is passed:
ciscoasa (config)# sh access-list test brief
access-list test; 3 elements; name hash: 0xcb4257a3
7b1c1660 44ae5901 00000001 4a68ab51
3666f922 44ae5901 00000001 4a68ab66
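As an added example (not Cisco's code), the following Python joins the four hex columns of the brief output back to the ACE text from the full listing and resolves the hash codes carried in a 106100 syslog message to the matching ACE. It assumes the timestamp column is seconds since the Unix epoch and that a 106100 message ends with the identifiers as "[0xACE, 0xACL]"; neither is stated on this page, and the syslog line itself is constructed.

```python
"""Decode `show access-list ... brief` output. Added example, not Cisco code.

Each brief row has four hex columns: ACE identifier, ACL (configuration)
identifier, hit count and timestamp of the last hit. This joins those rows to
the ACE text from the full listing and resolves the hash codes of a 106100
syslog. Assumptions not stated on the page: the timestamp is seconds since the
Unix epoch, and a 106100 message ends with "[0xACE, 0xACL]" hash codes.
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Copied from the page's "ACL Optimization enabled" example.
FULL_OUTPUT = """\
access-list test; 3 elements; name hash: 0xcb4257a3
access-list test line 1 extended permit icmp any any (hitcnt=0) 0xb422e9c2
access-list test line 2 extended permit object-group TELNET-SSH object-group S1 object-group D1 0x44ae5901
access-list test line 2 extended permit tcp object-group S1(1) object-group D1(2) eq telnet (hitcnt=1) 0x7b1c1660
access-list test line 2 extended permit tcp object-group S1(1) object-group D1(2) eq ssh (hitcnt=1) 0x3666f922
"""
BRIEF_OUTPUT = """\
access-list test; 3 elements; name hash: 0xcb4257a3
7b1c1660 44ae5901 00000001 4a68ab51
3666f922 44ae5901 00000001 4a68ab66
"""
# Constructed syslog line; only the bracketed hash codes are used here.
SYSLOG_LINE = ("%ASA-6-106100: access-list test permitted tcp outside/100.100.100.7(4410) -> "
               "inside/10.10.10.2(22) hit-cnt 1 first hit [0x3666f922, 0x44ae5901]")

_ACE = re.compile(r"^(access-list \S+ line \d+ extended .*?)(?: \(hitcnt=\d+\))? (0x[0-9a-f]{8})$")
_BRIEF = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8})$")
_HASHES = re.compile(r"\[0x([0-9a-f]{8}), 0x([0-9a-f]{8})\]")


def index_aces(full_output: str) -> Dict[str, str]:
    """Map each ACE identifier (hex without 0x) to the ACE text it labels."""
    index: Dict[str, str] = {}
    for line in full_output.splitlines():
        m = _ACE.match(line.strip())
        if m:
            index[m.group(2)[2:]] = m.group(1)
    return index


def parse_brief(brief_output: str) -> List[Dict[str, object]]:
    """Parse the four hex columns; the ACL header line is skipped."""
    rows: List[Dict[str, object]] = []
    for line in brief_output.splitlines():
        m = _BRIEF.match(line.strip())
        if m:
            ace_id, acl_id, hits, ts = m.groups()
            rows.append({"ace_id": ace_id, "acl_id": acl_id,
                         "hitcnt": int(hits, 16),
                         "last_hit_epoch": int(ts, 16)})  # assumption: Unix seconds
    return rows


def last_hit_utc(epoch: int) -> str:
    """Render the decoded timestamp as an ISO 8601 UTC string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def join_brief_with_aces(full_output: str, brief_output: str) -> List[Dict[str, object]]:
    """Attach ACE text and a readable last-hit time to every brief row."""
    index = index_aces(full_output)
    joined: List[Dict[str, object]] = []
    for row in parse_brief(brief_output):
        row["ace"] = index.get(str(row["ace_id"]), "<ACE not in full listing>")
        row["last_hit_utc"] = last_hit_utc(int(str(row["last_hit_epoch"])))
        joined.append(row)
    return joined


def ace_for_syslog(syslog_line: str, full_output: str) -> Optional[str]:
    """Resolve the [0xACE, 0xACL] codes of a 106100 message to the ACE text."""
    m = _HASHES.search(syslog_line)
    return index_aces(full_output).get(m.group(1)) if m else None


if __name__ == "__main__":
    for r in join_brief_with_aces(FULL_OUTPUT, BRIEF_OUTPUT):
        print(f'{r["last_hit_utc"]}  hits={r["hitcnt"]}  {r["ace"]}')
    print(ace_for_syslog(SYSLOG_LINE, FULL_OUTPUT))
```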
Related Commands
Command                           Description
access-list ethertype             Configures an access list that controls traffic based on its EtherType.
access-list extended              Adds an access list to the configuration and configures policy for IP traffic
                                  through the firewall.
clear access-list                 Clears an access list counter.
clear configure access-list       Clears an access list from the running configuration.
show running-config access-list   Displays the current running access-list configuration.
show activation-key
To display the permanent license, active time-based licenses, and the running license, which is a
combination of the permanent license and active time-based licenses, use the show activation-key
command in privileged EXEC mode. For failover units, this command also shows the “Failover cluster”
license, which is the combined keys of the primary and secondary units.
show activation-key [detail]
Syntax Description
detail   Shows inactive time-based licenses.

Defaults
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command.

                  Firewall Mode            Security Context
                                                     Multiple
Command Mode      Routed   Transparent    Single    Context   System
Privileged EXEC   • Yes    • Yes          • Yes     • Yes     • Yes

Command History
Release   Modification
7.0(1)    This command was added.
8.0(4)    The detail keyword was added.
8.2(1)    The output was modified to include additional licensing information.
8.3(1)    The output now includes whether a feature uses the permanent or time-based key, as
          well as the duration of the time-based key in use. It also shows all installed
          time-based keys, both active and inactive.
8.4(1)    Support for No Payload Encryption models was added.

Usage Guidelines
Some permanent licenses require you to reload the ASA after you activate them. Table 2-1 lists the
licenses that require reloading.
Table 2-1   Permanent License Reloading Requirements
Model        License Action Requiring Reload
All models   Downgrading the Encryption license.
ASAv         Downgrading the vCPU license.
If you need to reload, then the show activation-key output reads as follows:
The flash activation key is DIFFERENT from the running key.
The flash activation key takes effect after the next reload.
If you have a No Payload Encryption model, then when you view the license, VPN and Unified
Communications licenses will not be listed.
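As an added example (not Cisco's code), the following Python reviews show activation-key output for the two conditions described above: a flash key that differs from the running key, which means a reload is still pending, and features that depend on time-based keys close to expiry. Its sample output is constructed in the format of the page's Example 2-1.

```python
"""Review `show activation-key` output. Added example, not Cisco code.

Parses the "feature : value duration" lines shown in this section and the
flash-versus-running key sentence, so an operator can see whether a reload is
pending and which capabilities rest on time-based keys that are about to
expire. SAMPLE is constructed in the format of the page's Example 2-1.
"""
import re
from typing import Dict, List, Optional

SAMPLE = """\
Serial Number: JMX1232L11M
Running Permanent Activation Key: 0xce06dc6b 0x8a7b5ab7 0xa1e21dd4 0xd2c4b8b8 0xc4594f9c
Running Timebased Activation Key: 0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Failover                          : Active/Active  perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 10             perpetual
UC Phone Proxy Sessions           : 12             62 days
Total UC Proxy Sessions           : 12             62 days
Botnet Traffic Filter             : Enabled        646 days
Intercompany Media Engine         : Disabled       perpetual

This platform has a Base license.

The flash activation key is DIFFERENT from the running key.
The flash activation key takes effect after the next reload.
"""

_FEATURE = re.compile(
    r"^(?P<name>[A-Za-z0-9/ -]+?)\s*:\s*(?P<value>\S+)\s+(?P<dur>perpetual|\d+ days)$")


def parse_running_features(text: str) -> List[Dict[str, object]]:
    """Features of the first 'Licensed features' block, i.e. the running license.

    days_left is None for perpetual entries and an int for time-based ones.
    """
    feats: List[Dict[str, object]] = []
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Licensed features for this platform:"):
            in_block = True
            continue
        if in_block and line.startswith("This platform has"):
            break  # later blocks (failover cluster, permanent key) are not the running license
        m = _FEATURE.match(line) if in_block else None
        if m:
            days: Optional[int] = None if m["dur"] == "perpetual" else int(m["dur"].split()[0])
            feats.append({"name": m["name"], "value": m["value"], "days_left": days})
    return feats


def reload_pending(text: str) -> bool:
    """True when the flash key differs from the running key (a reload is still needed)."""
    return "flash activation key is DIFFERENT from the running key" in text


def expiring_features(text: str, within_days: int) -> List[Dict[str, object]]:
    """Time-based features whose remaining validity is within the given window."""
    return [f for f in parse_running_features(text)
            if f["days_left"] is not None and int(str(f["days_left"])) <= within_days]


def review(text: str, within_days: int = 90) -> Dict[str, object]:
    """Summary an operator can act on: reload state, time-based features, expiring ones."""
    feats = parse_running_features(text)
    return {
        "reload_pending": reload_pending(text),
        "time_based": [f["name"] for f in feats if f["days_left"] is not None],
        "expiring": [(f["name"], f["days_left"]) for f in expiring_features(text, within_days)],
    }
```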
Examples
Example 2-1   Standalone Unit Output for the show activation-key command
The following is sample output from the show activation-key command for a standalone unit that shows
the running license (the combined permanent license and time-based licenses), as well as each active
time-based license:
ciscoasa# show activation-key
Serial Number: JMX1232L11M
Running Permanent Activation Key: 0xce06dc6b 0x8a7b5ab7 0xa1e21dd4 0xd2c4b8b8 0xc4594f9c
Running Timebased Activation Key: 0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285
Running Timebased Activation Key: 0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 10             perpetual
GTP/GPRS                          : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Enabled        perpetual
Shared AnyConnect Premium Peers   : 12000          perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 12             62 days
Total UC Proxy Sessions           : 12             62 days
Botnet Traffic Filter             : Enabled        646 days
Intercompany Media Engine         : Disabled       perpetual

This platform has a Base license.

The flash permanent activation key is the SAME as the running permanent key.

Active Timebased Activation Key:
0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285
Botnet Traffic Filter             : Enabled        646 days

0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2
Total UC Proxy Sessions           : 10             62 days
Example 2-2   Standalone Unit Output for show activation-key detail
The following is sample output from the show activation-key detail command for a standalone unit that
shows the running license (the combined permanent license and time-based licenses), as well as the
permanent license and each installed time-based license (active and inactive):
ciscoasa# show activation-key detail
Serial Number: 88810093382
Running Permanent Activation Key: 0xce06dc6b 0x8a7b5ab7 0xa1e21dd4 0xd2c4b8b8 0xc4594f9c
Running Timebased Activation Key: 0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285
Licensed features for this platform:
Maximum Physical Interfaces       : 8                    perpetual
VLANs                             : 20, DMZ Unrestricted perpetual
Dual ISPs                         : Enabled              perpetual
VLAN Trunk Ports                  : 8                    perpetual
Inside Hosts                      : Unlimited            perpetual
Failover                          : Active/Standby       perpetual
VPN-DES                           : Enabled              perpetual
VPN-3DES-AES                      : Enabled              perpetual
AnyConnect Premium Peers          : 2                    perpetual
AnyConnect Essentials             : Disabled             perpetual
Other VPN Peers                   : 25                   perpetual
Total VPN Peers                   : 25                   perpetual
AnyConnect for Mobile             : Disabled             perpetual
AnyConnect for Cisco VPN Phone    : Disabled             perpetual
Advanced Endpoint Assessment      : Disabled             perpetual
UC Phone Proxy Sessions           : 2                    perpetual
Total UC Proxy Sessions           : 2                    perpetual
Botnet Traffic Filter             : Enabled              39 days
Intercompany Media Engine         : Disabled             perpetual

This platform has an ASA 5505 Security Plus license.

Running Permanent Activation Key: 0xce06dc6b 0x8a7b5ab7 0xa1e21dd4 0xd2c4b8b8 0xc4594f9c
Licensed features for this platform:
Maximum Physical Interfaces       : 8                    perpetual
VLANs                             : 20, DMZ Unrestricted perpetual
Dual ISPs                         : Enabled              perpetual
VLAN Trunk Ports                  : 8                    perpetual
Inside Hosts                      : Unlimited            perpetual
Failover                          : Active/Standby       perpetual
VPN-DES                           : Enabled              perpetual
VPN-3DES-AES                      : Enabled              perpetual
AnyConnect Premium Peers          : 2                    perpetual
AnyConnect Essentials             : Disabled             perpetual
Other VPN Peers                   : 25                   perpetual
Total VPN Peers                   : 25                   perpetual
AnyConnect for Mobile             : Disabled             perpetual
AnyConnect for Cisco VPN Phone    : Disabled             perpetual
Advanced Endpoint Assessment      : Disabled             perpetual
UC Phone Proxy Sessions           : 2                    perpetual
Total UC Proxy Sessions           : 2                    perpetual
Botnet Traffic Filter             : Enabled              39 days
Intercompany Media Engine         : Disabled             perpetual

The flash permanent activation key is the SAME as the running permanent key.

Active Timebased Activation Key:
0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285
Botnet Traffic Filter             : Enabled              39 days

Inactive Timebased Activation Key:
0xyadayada3 0xyadayada3 0xyadayada3 0xyadayada3 0xyadayada3
AnyConnect Premium Peers          : 25                   7 days
Example 2-3   Primary Unit Output in a Failover Pair for show activation-key detail
The following is sample output from the show activation-key detail command for the primary failover
unit that shows:
• The primary unit license (the combined permanent license and time-based licenses).
• The “Failover Cluster” license, which is the combined licenses from the primary and secondary
  units. This is the license that is actually running on the ASA. The values in this license that reflect
  the combination of the primary and secondary licenses are in bold.
• The primary unit permanent license.
• The primary unit installed time-based licenses (active and inactive).
ciscoasa# show activation-key detail
Serial Number: P3000000171
Running Permanent Activation Key: 0xce06dc6b 0x8a7b5ab7 0xa1e21dd4 0xd2c4b8b8 0xc4594f9c
Running Timebased Activation Key: 0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 12             perpetual
GTP/GPRS                          : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Enabled        33 days
Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5520 VPN Plus license.

Failover cluster licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 12             perpetual
GTP/GPRS                          : Enabled        perpetual
AnyConnect Premium Peers          : 4              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 4              perpetual
Total UC Proxy Sessions           : 4              perpetual
Botnet Traffic Filter             : Enabled        33 days
Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5520 VPN Plus license.

Running Permanent Activation Key: 0xce06dc6b 0x8a7b5ab7 0xa1e21dd4 0xd2c4b8b8 0xc4594f9c
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Disabled       perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

The flash permanent activation key is the SAME as the running permanent key.

Active Timebased Activation Key:
0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285
Botnet Traffic Filter             : Enabled        33 days

Inactive Timebased Activation Key:
0xyadayad3 0xyadayad3 0xyadayad3 0xyadayad3 0xyadayad3
Security Contexts                 : 2              7 days
AnyConnect Premium Peers          : 100            7 days

0xyadayad4 0xyadayad4 0xyadayad4 0xyadayad4 0xyadayad4
Total UC Proxy Sessions           : 100            14 days
Example 2-4   Secondary Unit Output in a Failover Pair for show activation-key detail
The following is sample output from the show activation-key detail command for the secondary
failover unit that shows:
• The secondary unit license (the combined permanent license and time-based licenses).
• The “Failover Cluster” license, which is the combined licenses from the primary and secondary
  units. This is the license that is actually running on the ASA. The values in this license that reflect
  the combination of the primary and secondary licenses are in bold.
• The secondary unit permanent license.
• The secondary installed time-based licenses (active and inactive). This unit does not have any
  time-based licenses, so none display in this sample output.
ciscoasa# show activation-key detail
Serial Number: P3000000011
Running Activation Key: 0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VP N-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Disabled       perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5520 VPN Plus license.

Failover cluster licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 10             perpetual
GTP/GPRS                          : Enabled        perpetual
AnyConnect Premium Peers          : 4              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 4              perpetual
Total UC Proxy Sessions           : 4              perpetual
Botnet Traffic Filter             : Enabled        33 days
Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5520 VPN Plus license.

Running Permanent Activation Key: 0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Disabled       perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

The flash permanent activation key is the SAME as the running permanent key.
Example 2-5   Standalone Unit Output for the ASAv without a License for show activation-key
The following output for a deployed 1 vCPU ASAv shows a blank activation key, an Unlicensed status,
and a message to install a 1 vCPU license.
Note   The command output shows, “This platform has an ASAv VPN Premium license.” This message
specifies that the ASAv can perform payload encryption; it does not refer to the ASAv Standard vs.
Premium licenses.
ciscoasa# show activation-key
Serial Number: 9APM1G4RV41
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
ASAv Platform License State: Unlicensed
*Install 1 vCPU ASAv platform license for full functionality.
The Running Activation Key is not valid, using default settings:
Licensed features for this platform:
Virtual CPUs                      : 0              perpetual
Maximum Physical Interfaces       : 10             perpetual
Maximum VLANs                     : 50             perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Standby perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 0              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Enabled        perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has an ASAv VPN Premium license.

Failed to retrieve flash permanent activation key.
The flash permanent activation key is the SAME as the running permanent key.
Example 2-6   Standalone Unit Output for the ASAv with a 4 vCPU Standard License for show activation-key
Note   The command output shows, “This platform has an ASAv VPN Premium license.” This message
specifies that the ASAv can perform payload encryption; it does not refer to the ASAv Standard vs.
Premium licenses.
ciscoasa# show activation-key
Serial Number: 9ALQ8W1XCJ7
Running Permanent Activation Key: 0x0013e945 0x685a232c 0x1153fdac 0xeae8b068 0x4413f4ae
ASAv Platform License State: Compliant
Licensed features for this platform:
Virtual CPUs                      : 4              perpetual
Maximum Physical Interfaces       : 10             perpetual
Maximum VLANs                     : 200            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Standby perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 0              perpetual
GTP/GPRS                          : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 1000           perpetual
Total UC Proxy Sessions           : 1000           perpetual
Botnet Traffic Filter             : Enabled        perpetual
Intercompany Media Engine         : Enabled        perpetual
Cluster                           : Disabled       perpetual

This platform has an ASAv VPN Premium license.

The flash permanent activation key is the SAME as the running permanent key.
Example 2-7   Standalone Unit Output for the ASAv with a 4 vCPU Premium License for show activation-key
Note   The command output shows, “This platform has an ASAv VPN Premium license.” This message
specifies that the ASAv can perform payload encryption; it does not refer to the ASAv Standard vs.
Premium licenses.
ciscoasa# show activation-key
Serial Number: 9ALQ8W1XCJ7
Running Permanent Activation Key: 0x8224dd7d 0x943ed77c 0x9d71cdd0 0xd90474d0 0xcb04df82
ASAv Platform License State: Compliant
Licensed features for this platform:
Virtual CPUs                      : 4              perpetual
Maximum Physical Interfaces       : 10             perpetual
Maximum VLANs                     : 200            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Standby perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 0              perpetual
GTP/GPRS                          : Enabled        perpetual
AnyConnect Premium Peers          : 750            perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Enabled        perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
UC Phone Proxy Sessions           : 1000           perpetual
Total UC Proxy Sessions           : 1000           perpetual
Botnet Traffic Filter             : Enabled        perpetual
Intercompany Media Engine         : Enabled        perpetual
Cluster                           : Disabled       perpetual

This platform has an ASAv VPN Premium license.

The flash permanent activation key is the SAME as the running permanent key.
ciscoasa#
Example 2-8 Primary Unit Output for the ASA Services Module in a Failover Pair for show activation-key
The following is sample output from the show activation-key command for the primary failover unit
that shows:
• The primary unit license (the combined permanent license and time-based licenses).
• The “Failover Cluster” license, which is the combined licenses from the primary and secondary
units. This is the license that is actually running on the ASA. The values in this license that reflect
the combination of the primary and secondary licenses are in bold.
• The primary unit installed time-based licenses (active and inactive).
ciscoasa# show activation-key
Serial Number: SAL144705BF
Running Permanent Activation Key: 0x4d1ed752 0xc8cfeb37 0xf4c38198 0x93c04c28 0x4a1c049a
Running Timebased Activation Key: 0xbc07bbd7 0xb15591e0 0xed68c013 0xd79374ff 0x44f87880
Licensed features for this platform:
Maximum Interfaces    : 1024           perpetual
Inside Hosts          : Unlimited      perpetual
Failover              : Active/Active  perpetual
DES                   : Enabled        perpetual
3DES-AES              : Enabled        perpetual
Security Contexts     : 25             perpetual
GTP/GPRS              : Enabled        perpetual
Botnet Traffic Filter : Enabled        330 days
This platform has an WS-SVC-ASA-SM1 No Payload Encryption license.
Failover cluster licensed features for this platform:
Maximum Interfaces    : 1024           perpetual
Inside Hosts          : Unlimited      perpetual
Failover              : Active/Active  perpetual
DES                   : Enabled        perpetual
3DES-AES              : Enabled        perpetual
Security Contexts     : 50             perpetual
GTP/GPRS              : Enabled        perpetual
Botnet Traffic Filter : Enabled        330 days
This platform has an WS-SVC-ASA-SM1 No Payload Encryption license.
The flash permanent activation key is the SAME as the running permanent key.
Active Timebased Activation Key:
0xbc07bbd7 0xb15591e0 0xed68c013 0xd79374ff 0x44f87880
Botnet Traffic Filter : Enabled        330 days
Example 2-9 Secondary Unit Output for the ASA Services Module in a Failover Pair for show activation-key
The following is sample output from the show activation-key command for the secondary failover unit
that shows:
• The secondary unit license (the combined permanent license and time-based licenses).
• The “Failover Cluster” license, which is the combined licenses from the primary and secondary
units. This is the license that is actually running on the ASA. The values in this license that reflect
the combination of the primary and secondary licenses are in bold.
• The secondary installed time-based licenses (active and inactive). This unit does not have any
time-based licenses, so none display in this sample output.
ciscoasa# show activation-key detail
Serial Number: SAD143502E3
Running Permanent Activation Key: 0xf404c46a 0xb8e5bd84 0x28c1b900 0x92eca09c 0x4e2a0683
Licensed features for this platform:
Maximum Interfaces    : 1024           perpetual
Inside Hosts          : Unlimited      perpetual
Failover              : Active/Active  perpetual
DES                   : Enabled        perpetual
3DES-AES              : Enabled        perpetual
Security Contexts     : 25             perpetual
GTP/GPRS              : Disabled       perpetual
Botnet Traffic Filter : Disabled       perpetual
This platform has an WS-SVC-ASA-SM1 No Payload Encryption license.
Failover cluster licensed features for this platform:
Maximum Interfaces    : 1024           perpetual
Inside Hosts          : Unlimited      perpetual
Failover              : Active/Active  perpetual
DES                   : Enabled        perpetual
3DES-AES              : Enabled        perpetual
Security Contexts     : 50             perpetual
GTP/GPRS              : Enabled        perpetual
Botnet Traffic Filter : Enabled        330 days
This platform has an WS-SVC-ASA-SM1 No Payload Encryption license.
The flash permanent activation key is the SAME as the running permanent key.
Example 2-10 Output in a Cluster for show activation-key
ciscoasa# show activation-key
Serial Number: JMX1504L2TD
Running Permanent Activation Key: 0x4a3eea7b 0x54b9f61a 0x4143a90c 0xe5849088 0x4412d4a9
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Enabled perpetual
This platform has an ASA 5585-X base license.
Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 4 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 4 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 4 perpetual
Total UC Proxy Sessions : 4 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Enabled perpetual
This platform has an ASA 5585-X base license.
The flash permanent activation key is the SAME as the running permanent key.
Serial Number: JMX1232L11M
Running Activation Key: 0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1
Running Activation Key: 0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2
Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited  perpetual
Maximum VLANs                : 50         perpetual
Inside Hosts                 : Unlimited  perpetual
Failover                     : Disabled   perpetual
VPN-DES                      : Enabled    perpetual
VPN-3DES-AES                 : Enabled    perpetual
Security Contexts            : 0          perpetual
GTP/GPRS                     : Disabled   perpetual
SSL VPN Peers                : 2          perpetual
Total VPN Peers              : 250        perpetual
Shared License               : Disabled   perpetual
AnyConnect for Mobile        : Disabled   perpetual
AnyConnect for Linksys phone : Disabled   perpetual
AnyConnect Essentials        : Enabled    perpetual
Advanced Endpoint Assessment : Disabled   perpetual
UC Phone Proxy Sessions      : 12         62 days
Total UC Proxy Sessions      : 12         62 days
Botnet Traffic Filter        : Enabled    646 days
This platform has a Base license.
The flash permanent activation key is the SAME as the running permanent key.
Active Timebased Activation Key:
0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1
Botnet Traffic Filter        : Enabled    646 days
0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2
Total UC Proxy Sessions      : 10         62 days
Inactive Timebased Activation Key:
0xyadayad3 0xyadayad3 0xyadayad3 0xyadayad3 0xyadayad3
SSL VPN Peers                : 100        108 days
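The licensed-feature lines shown in these examples are what an operator actually watches: a time-based feature that lapses silently, or a unit whose strong-crypto license is not Enabled. The following Python is an added example and not code from the Cisco command reference. It parses the first "Licensed features for this platform" block of a captured show activation-key output (the unit's own license, not the failover-cluster block), lists time-based features that expire within a window, and reports when the 3DES/AES feature is present but not Enabled. The sample output is constructed from the Base-license example above; the function names and the 90-day default are the example's own.

```python
"""Expiry and crypto check over `show activation-key` output.

Added example; not code from the Cisco command reference. It assumes the
feature-line layout shown on this page: "<feature> : <value> <perpetual | N days>".
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One feature line, e.g. "Botnet Traffic Filter : Enabled 646 days".
FEATURE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9/ \-]+?)\s*:\s*(?P<value>\S+)\s+(?P<term>perpetual|\d+ days)$"
)

# Constructed sample based on the Base-license example on this page.
SAMPLE = """\
ciscoasa# show activation-key
Serial Number: JMX1232L11M
Running Activation Key: 0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1
Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited  perpetual
Maximum VLANs                : 50         perpetual
Failover                     : Disabled   perpetual
VPN-DES                      : Enabled    perpetual
VPN-3DES-AES                 : Enabled    perpetual
Security Contexts            : 0          perpetual
SSL VPN Peers                : 2          perpetual
UC Phone Proxy Sessions      : 12         62 days
Total UC Proxy Sessions      : 12         62 days
Botnet Traffic Filter        : Enabled    646 days
This platform has a Base license.
The flash permanent activation key is the SAME as the running permanent key.
"""


@dataclass
class Feature:
    value: str
    days_left: Optional[int]   # None for perpetual features


def parse_features(output: str) -> Dict[str, Feature]:
    """Parse the unit's own feature block (the first one); stop at the
    'This platform has ...' line so the failover-cluster block is not merged in."""
    feats: Dict[str, Feature] = {}
    in_block = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Licensed features for this platform:"):
            in_block = True
            continue
        if not in_block:
            continue
        m = FEATURE_RE.match(line)
        if not m:
            break
        term = m.group("term")
        days = None if term == "perpetual" else int(term.split()[0])
        feats[m.group("name").strip()] = Feature(m.group("value"), days)
    return feats


def expiring(feats: Dict[str, Feature], within_days: int = 90) -> List[str]:
    """Time-based features that lapse within the window, sorted by name."""
    return sorted(n for n, f in feats.items()
                  if f.days_left is not None and f.days_left <= within_days)


def weak_crypto(feats: Dict[str, Feature]) -> List[str]:
    """Platforms name the strong-crypto feature differently (see the examples
    above); report whichever name is present but not Enabled."""
    names = ("Encryption-3DES-AES", "3DES-AES", "VPN-3DES-AES")
    return [n for n in names if n in feats and feats[n].value != "Enabled"]


if __name__ == "__main__":
    f = parse_features(SAMPLE)
    print("expiring within 90 days:", expiring(f))
    print("strong crypto missing:", weak_crypto(f))
```

Feed it the output of show activation-key captured over SSH or from a configuration backup; in a failover pair, run it against each unit separately, because the cluster block reflects the combined license rather than what the unit itself carries.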
Related Commands
Command          Description
activation-key   Changes the activation key.
show ad-groups
To display groups that are listed on an Active Directory server, use the show ad-groups command in
privileged EXEC mode:
show ad-groups name [filter string]
Syntax Description
name     The name of the Active Directory server group to query.
string   A string within quotes specifying all or part of the group name to search for.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
                       Firewall Mode           Security Context
                                                        Multiple
Command Mode           Routed   Transparent    Single   Context   System
Privileged EXEC mode   Yes      —              Yes      —         —

Command History
Release    Modification
8.0(4)     This command was added.

Usage Guidelines
The show ad-groups command applies only to Active Directory servers that use the LDAP protocol to
retrieve groups. Use this command to display AD groups that you can use for dynamic access policy
AAA selection criteria.
When the LDAP attribute type = LDAP, the default time that the ASA waits for a response from the
server is 10 seconds. You can adjust this time using the group-search-timeout command in aaa-server host
configuration mode.
Note
If the Active Directory server has a large number of groups, the output of the show ad-groups command
may be truncated based on limitations of the amount of data the server can fit into a response packet. To
avoid this problem, use the filter option to reduce the number of groups reported by the server.
Examples
ciscoasa# show ad-groups LDAP-AD17
Server Group                       LDAP-AD17
Group list retrieved successfully
Number of Active Directory Groups  46
Account Operators
Administrators
APP-SSL-VPN CIO Users
Backup Operators
Cert Publishers
CERTSVC_DCOM_ACCESS
Cisco-Eng
DHCP Administrators
DHCP Users
Distributed COM Users
DnsAdmins
DnsUpdateProxy
Doctors
Domain Admins
Domain Computers
Domain Controllers
Domain Guests
Domain Users
Employees
Engineering
Engineering1
Engineering2
Enterprise Admins
Group Policy Creator Owners
Guests
HelpServicesGroup
The next example shows the same command with the filter option:
ciscoasa(config)# show ad-groups LDAP-AD17 filter "Eng"
Server Group                       LDAP-AD17
Group list retrieved successfully
Number of Active Directory Groups  4
Cisco-Eng
Engineering
Engineering1
Engineering2
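Because dynamic access policies select on group names the ASA retrieves with this command, it is worth checking that every group a DAP references is actually visible, and that the list was not cut short in the way the Note above describes. The following Python is an added example, not code from the Cisco command reference. It parses show ad-groups output into the server's reported count and the names listed, flags a response where fewer names arrived than the count promises, applies a local substring filter like the CLI filter keyword, and reports required groups that are missing. The sample output is constructed from the filtered LDAP-AD17 example above; the truncated variant and all function names are the example's own.

```python
"""Check `show ad-groups` output against the groups a DAP policy depends on.

Added example; not code from the Cisco command reference. It assumes the
output layout shown on this page: a 'Number of Active Directory Groups' line
followed by one group name per line.
"""
from typing import List, Optional, Tuple

# Constructed sample, modelled on the filtered LDAP-AD17 example on this page.
SAMPLE = """\
ciscoasa(config)# show ad-groups LDAP-AD17 filter "Eng"
Server Group                       LDAP-AD17
Group list retrieved successfully
Number of Active Directory Groups  4
Cisco-Eng
Engineering
Engineering1
Engineering2
"""

# Constructed sample of a reply cut short by the response-size limit the Note
# above describes: the server reports 6 groups but only 4 names arrive.
SAMPLE_TRUNCATED = SAMPLE.replace("Groups  4", "Groups  6")


def parse_ad_groups(output: str) -> Tuple[Optional[int], List[str]]:
    """Return (group count reported by the server, group names listed)."""
    count: Optional[int] = None
    groups: List[str] = []
    retrieved = False
    for raw in output.splitlines():
        line = raw.strip()
        if not line or "show ad-groups" in line or line.startswith("Server Group"):
            continue
        if line.startswith("Group list retrieved successfully"):
            retrieved = True
            continue
        if line.startswith("Number of Active Directory Groups"):
            count = int(line.split()[-1])
            continue
        if count is not None:
            groups.append(line)
    if not retrieved:
        raise ValueError("ASA did not report a successful group retrieval")
    return count, groups


def is_truncated(count: Optional[int], groups: List[str]) -> bool:
    """Fewer names than the server's own count means the list was cut off."""
    return count is not None and len(groups) < count


def local_filter(groups: List[str], needle: str) -> List[str]:
    """Substring match like the CLI 'filter' keyword (case-sensitive here, an
    assumption; the page's example only shows exact-case matches)."""
    return [g for g in groups if needle in g]


def missing_groups(groups: List[str], required: List[str]) -> List[str]:
    """DAP selection criteria that name a group the ASA cannot see."""
    return sorted(set(required) - set(groups))
```

When is_truncated reports True, rerun the command with a narrower filter string rather than trusting the partial list, since a missing group name would make a DAP rule silently never match.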
Related Commands
Command               Description
ldap-group-base-dn    Specifies a level in the Active Directory hierarchy where the server begins
                      searching for groups that are used by dynamic group policies.
group-search-timeout  Adjusts the time the ASA waits for a response from an Active Directory
                      server for a list of groups.
show admin-context
To display the context name currently assigned as the admin context, use the show admin-context
command in privileged EXEC mode.
show admin-context
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                   Firewall Mode           Security Context
                                                    Multiple
Command Mode       Routed   Transparent    Single   Context   System
Privileged EXEC    Yes      Yes            —        —         Yes

Command History
Release    Modification
7.0(1)     This command was added.

Examples
The following is sample output from the show admin-context command. The following example shows
the admin context called “admin” and stored in the root directory of flash:
ciscoasa# show admin-context
Admin: admin flash:/admin.cfg
Related Commands
Command                  Description
admin-context            Sets the admin context.
changeto                 Changes between contexts or the system execution space.
clear configure context  Removes all contexts.
mode                     Sets the context mode to single or multiple.
show context             Shows a list of contexts (system execution space) or information about the
                         current context.
show arp
To view the ARP table, use the show arp command in privileged EXEC mode.
show arp
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                   Firewall Mode           Security Context
                                                    Multiple
Command Mode       Routed   Transparent    Single   Context   System
Privileged EXEC    Yes      Yes            Yes      Yes       —

Command History
Release               Modification
7.0(8)/7.2(4)/8.0(4)  Dynamic ARP age was added to the display.
Usage Guidelines
The display output shows dynamic, static, and proxy ARP entries. Dynamic ARP entries include the age
of the ARP entry in seconds. Static ARP entries include a dash (-) instead of the age, and proxy ARP
entries state “alias.”
Examples
The following is sample output from the show arp command. The first entry is a dynamic entry aged 2
seconds. The second entry is a static entry, and the third entry is from proxy ARP.
ciscoasa# show arp
outside 10.86.194.61 0011.2094.1d2b 2
outside 10.86.194.1 001a.300c.8000 -
outside 10.86.195.2 00d0.02a8.440a alias
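The three entry types described in the usage guidelines are easy to tell apart by the last column, which makes show arp output a cheap input for spotting a host whose MAC address has changed or a MAC that suddenly answers for several IP addresses. The following Python is an added example, not code from the Cisco command reference. It parses the rows, classifies each as dynamic, static or proxy, and compares two captures. The first sample is the example above; the second capture and all function names are constructed for the example.

```python
"""Classify `show arp` entries and flag MAC-address anomalies between two
captures.

Added example; not code from the Cisco command reference. It relies only on
the row layout documented above: interface, IP, MAC, then an age in seconds,
'-' for static entries or 'alias' for proxy ARP.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

ARP_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ip>\d+(?:\.\d+){3})\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<age>\d+|-|alias)$"
)

# The example on this page, with the static entry's dash on its own row.
SNAPSHOT_1 = """\
ciscoasa# show arp
outside 10.86.194.61 0011.2094.1d2b 2
outside 10.86.194.1 001a.300c.8000 -
outside 10.86.195.2 00d0.02a8.440a alias
"""

# Constructed later capture: 10.86.194.61 now resolves to a different MAC, and
# that MAC also answers for a second host.
SNAPSHOT_2 = """\
ciscoasa# show arp
outside 10.86.194.61 0011.2094.aaaa 4
outside 10.86.194.77 0011.2094.aaaa 9
outside 10.86.194.1 001a.300c.8000 -
outside 10.86.195.2 00d0.02a8.440a alias
"""


@dataclass(frozen=True)
class ArpEntry:
    iface: str
    ip: str
    mac: str
    kind: str        # "dynamic", "static" or "proxy"
    age: int = 0     # seconds; meaningful for dynamic entries only


def parse_show_arp(output: str) -> List[ArpEntry]:
    entries: List[ArpEntry] = []
    for raw in output.splitlines():
        m = ARP_RE.match(raw.strip())
        if not m:
            continue                         # prompt or blank line
        age = m.group("age")
        if age == "alias":
            kind, secs = "proxy", 0
        elif age == "-":
            kind, secs = "static", 0
        else:
            kind, secs = "dynamic", int(age)
        entries.append(ArpEntry(m.group("iface"), m.group("ip"), m.group("mac"), kind, secs))
    return entries


def shared_macs(entries: List[ArpEntry]) -> Dict[str, List[str]]:
    """One MAC answering for several IPs on the same interface. Proxy ARP
    aliases are addresses the ASA answers for itself and are skipped."""
    by_mac: Dict[Tuple[str, str], List[str]] = {}
    for e in entries:
        if e.kind != "proxy":
            by_mac.setdefault((e.iface, e.mac), []).append(e.ip)
    return {f"{i}/{m}": sorted(ips) for (i, m), ips in by_mac.items() if len(ips) > 1}


def mac_changes(before: List[ArpEntry], after: List[ArpEntry]) -> List[Tuple[str, str, str]]:
    """(ip, old_mac, new_mac) for hosts whose MAC differs between captures."""
    old = {(e.iface, e.ip): e.mac for e in before}
    changes = []
    for e in after:
        prev = old.get((e.iface, e.ip))
        if prev is not None and prev != e.mac:
            changes.append((e.ip, prev, e.mac))
    return sorted(changes)
```

A MAC change on a gateway or server address is the usual first sign of ARP spoofing on a segment the ASA sits on; a static arp entry for such hosts (and, in transparent mode, arp-inspection) is the corresponding mitigation.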
Related Commands
Command                  Description
arp                      Adds a static ARP entry.
arp-inspection           For transparent firewall mode, inspects ARP packets to prevent ARP
                         spoofing.
clear arp statistics     Clears ARP statistics.
show arp statistics      Shows ARP statistics.
show running-config arp  Shows the current configuration of the ARP timeout.
show arp-inspection
To view the ARP inspection setting for each interface, use the show arp-inspection command in
privileged EXEC mode.
show arp-inspection
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                   Firewall Mode           Security Context
                                                    Multiple
Command Mode       Routed   Transparent    Single   Context   System
Privileged EXEC    —        Yes            Yes      Yes       —

Command History
Release    Modification
7.0(1)     This command was added.

Examples
The following is sample output from the show arp-inspection command:
ciscoasa# show arp-inspection
interface       arp-inspection     miss
----------------------------------------------------
inside1         enabled            flood
outside         disabled           -
The miss column shows the default action to take for non-matching packets when ARP inspection is
enabled, either “flood” or “no-flood.”
Related Commands
Command                  Description
arp                      Adds a static ARP entry.
arp-inspection           For transparent firewall mode, inspects ARP packets to prevent ARP
                         spoofing.
clear arp statistics     Clears ARP statistics.
show arp statistics      Shows ARP statistics.
show running-config arp  Shows the current configuration of the ARP timeout.
show arp statistics
To view ARP statistics, use the show arp statistics command in privileged EXEC mode.
show arp statistics
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                   Firewall Mode           Security Context
                                                    Multiple
Command Mode       Routed   Transparent    Single   Context   System
Privileged EXEC    Yes      Yes            Yes      Yes       —

Command History
Release    Modification
7.0(1)     This command was added.

Examples
The following is sample output from the show arp statistics command:
ciscoasa# show arp statistics
Number of ARP entries:
ASA : 6
Dropped blocks in ARP: 6
Maximum Queued blocks: 3
Queued blocks: 1
Interface collision ARPs Received: 5
ARP-defense Gratuitous ARPS sent: 4
Total ARP retries: 15
Unresolved hosts: 1
Maximum Unresolved hosts: 2
Table 2-2 shows each field description.

Table 2-2 show arp statistics Fields

Field                              Description
Number of ARP entries              The total number of ARP table entries.
Dropped blocks in ARP              The number of blocks that were dropped while IP addresses
                                   were being resolved to their corresponding hardware addresses.
Maximum queued blocks              The maximum number of blocks that were ever queued in the
                                   ARP module, while waiting for the IP address to be resolved.
Queued blocks                      The number of blocks currently queued in the ARP module.
Interface collision ARPs received  The number of ARP packets received at all ASA interfaces that
                                   were from the same IP address as that of an ASA interface.
ARP-defense gratuitous ARPs sent   The number of gratuitous ARPs sent by the ASA as part of the
                                   ARP-Defense mechanism.
Total ARP retries                  The total number of ARP requests sent by the ARP module
                                   when the address was not resolved in response to the first ARP
                                   request.
Unresolved hosts                   The number of unresolved hosts for which ARP requests are still
                                   being sent out by the ARP module.
Maximum unresolved hosts           The maximum number of unresolved hosts that ever were in the
                                   ARP module since it was last cleared or the ASA booted up.
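Two of the counters in Table 2-2 have a direct security meaning: "Interface collision ARPs received" counts another host claiming an ASA interface address, and "ARP-defense gratuitous ARPs sent" counts the ASA reasserting that address. Both are cumulative, so what matters is how much they grew between two captures. The following Python is an added example and not code from the Cisco command reference. It parses two show arp statistics captures, computes the per-counter delta and reports the counters whose growth exceeds a threshold. The first capture is the sample output above; the second capture, the WATCH thresholds and the function names are constructed for the example.

```python
"""Diff two `show arp statistics` captures and flag counters whose growth
points at ARP trouble on the segment.

Added example; not code from the Cisco command reference. Counter names are
taken from the sample output above; thresholds are illustrative assumptions.
"""
import re
from typing import Dict, List

COUNTER_RE = re.compile(r"^\s*(?P<name>[A-Za-z][A-Za-z \-]*?)\s*:\s*(?P<value>\d+)\s*$")

# The sample output on this page. "Number of ARP entries:" carries its value
# on the following "ASA : 6" line, so that count is parsed under the key "ASA".
SNAP_1 = """\
ciscoasa# show arp statistics
Number of ARP entries:
ASA : 6
Dropped blocks in ARP: 6
Maximum Queued blocks: 3
Queued blocks: 1
Interface collision ARPs Received: 5
ARP-defense Gratuitous ARPS sent: 4
Total ARP retries: 15
Unresolved hosts: 1
Maximum Unresolved hosts: 2
"""

# Constructed second capture: another host has started claiming an ASA
# interface address, so the collision and ARP-defense counters moved.
SNAP_2 = """\
ciscoasa# show arp statistics
Number of ARP entries:
ASA : 7
Dropped blocks in ARP: 6
Maximum Queued blocks: 3
Queued blocks: 0
Interface collision ARPs Received: 9
ARP-defense Gratuitous ARPS sent: 8
Total ARP retries: 40
Unresolved hosts: 3
Maximum Unresolved hosts: 3
"""

# Growth above these per-interval thresholds is reported (assumed values).
WATCH = {
    "Interface collision ARPs Received": 0,  # a host is using an ASA interface IP
    "ARP-defense Gratuitous ARPS sent": 0,   # the ASA had to reassert its address
    "Unresolved hosts": 50,                  # bursts of unanswered requests (sweeps)
}


def parse_arp_stats(output: str) -> Dict[str, int]:
    stats: Dict[str, int] = {}
    for line in output.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            stats[m.group("name")] = int(m.group("value"))
    return stats


def delta(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Per-counter growth; counters missing from either capture are skipped."""
    return {k: after[k] - before[k] for k in after if k in before}


def alerts(before: Dict[str, int], after: Dict[str, int]) -> List[str]:
    d = delta(before, after)
    return [f"{name} +{d[name]}" for name, limit in WATCH.items() if d.get(name, 0) > limit]
```

Because clear arp statistics resets every counter to zero, a negative delta means the counters were cleared between captures and the comparison should start over from the later sample.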
Related Commands
Command                  Description
arp-inspection           For transparent firewall mode, inspects ARP packets to prevent ARP
                         spoofing.
clear arp statistics     Clears ARP statistics and resets the values to zero.
show arp                 Shows the ARP table.
show running-config arp  Shows the current configuration of the ARP timeout.
show arp vtep-mapping
To display MAC addresses cached on the VNI interface for IP addresses located in the remote segment
domain and the remote VTEP IP addresses, use the show arp vtep-mapping command in privileged
EXEC mode.
show arp vtep-mapping
Syntax Description
This command has no arguments or keywords.
Command Default
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                   Firewall Mode           Security Context
                                                    Multiple
Command Mode       Routed   Transparent    Single   Context   System
Privileged EXEC    Yes      Yes            Yes      Yes       —

Command History
Release    Modification
9.4(1)     This command was added.

Usage Guidelines
When the ASA sends a packet to a device behind a peer VTEP, the ASA needs two important pieces of
information:
•
The destination MAC address of the remote device
•
The destination IP address of the peer VTEP
There are two ways in which the ASA can find this information:
•
A single peer VTEP IP address can be statically configured on the ASA.
You cannot manually define multiple peers.
The ASA then sends a VXLAN-encapsulated ARP broadcast to the VTEP to learn the end node
MAC address.
•
A multicast group can be configured on each VNI interface (or on the VTEP as a whole).
The ASA sends a VXLAN-encapsulated ARP broadcast packet within an IP multicast packet
through the VTEP source interface. The response to this ARP request enables the ASA to learn both
the remote VTEP IP address along with the destination MAC address of the remote end node.
The ASA maintains a mapping of destination MAC addresses to remote VTEP IP addresses for the VNI
interfaces.
Examples
See the following output for the show arp vtep-mapping command:
ciscoasa# show arp vtep-mapping
vni-outside 192.168.1.4 0012.0100.0003 577 15.1.2.3
vni-inside 192.168.0.4 0014.0100.0003 577 15.1.2.3
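The mapping the usage guidelines describe, destination MAC to remote VTEP, is exactly what this output exposes, and the interesting condition for a defender is a MAC that the ASA has learned behind more than one VTEP or a VTEP address that is not one of the known peers. The following Python is an added example, not code from the Cisco command reference. It parses the rows, groups remote VTEPs by MAC, and reports both conditions. The first two rows of the sample are the output above; the third row, the column meanings (interface, IP, MAC, age, VTEP IP, assumed from the sample) and the function names are the example's own.

```python
"""Parse `show arp vtep-mapping` and flag MAC addresses learned behind more
than one remote VTEP, or VTEP addresses outside a known-peer list.

Added example; not code from the Cisco command reference. Column order is
assumed from the sample output: VNI interface, IP, MAC, age, remote VTEP IP.
"""
import re
from typing import Dict, List, NamedTuple, Set


class VtepEntry(NamedTuple):
    vni_iface: str
    ip: str
    mac: str
    age: int
    vtep: str


ROW_RE = re.compile(
    r"^(\S+)\s+(\d+(?:\.\d+){3})\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(\d+)\s+(\d+(?:\.\d+){3})$"
)

# First two rows are the sample output on this page; the third is constructed
# so that one MAC appears behind a second VTEP.
SAMPLE = """\
ciscoasa# show arp vtep-mapping
vni-outside 192.168.1.4 0012.0100.0003 577 15.1.2.3
vni-inside 192.168.0.4 0014.0100.0003 577 15.1.2.3
vni-outside 192.168.1.9 0012.0100.0003 12 15.1.2.9
"""


def parse_vtep_mapping(output: str) -> List[VtepEntry]:
    entries: List[VtepEntry] = []
    for raw in output.splitlines():
        m = ROW_RE.match(raw.strip())
        if m:
            iface, ip, mac, age, vtep = m.groups()
            entries.append(VtepEntry(iface, ip, mac, int(age), vtep))
    return entries


def vteps_per_mac(entries: List[VtepEntry]) -> Dict[str, Set[str]]:
    by_mac: Dict[str, Set[str]] = {}
    for e in entries:
        by_mac.setdefault(e.mac, set()).add(e.vtep)
    return by_mac


def flapping_macs(entries: List[VtepEntry]) -> List[str]:
    """MACs seen behind two VTEPs at once: a move in progress, a misconfigured
    segment, or a spoofed end node."""
    return sorted(mac for mac, v in vteps_per_mac(entries).items() if len(v) > 1)


def unexpected_vteps(entries: List[VtepEntry], allowed: Set[str]) -> List[str]:
    """Remote VTEP addresses that are not in the operator's list of known peers."""
    return sorted({e.vtep for e in entries} - allowed)
```

The allowed set is the list of peer VTEP addresses you expect (for a statically configured peer, the single address from peer ip); anything outside it means the multicast discovery path learned a VTEP you did not plan for.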
Related Commands
Command                   Description
debug vxlan               Debugs VXLAN traffic.
default-mcast-group       Specifies a default multicast group for all VNI interfaces associated with the
                          VTEP source interface.
encapsulation vxlan       Sets the NVE instance to VXLAN encapsulation.
inspect vxlan             Enforces compliance with the standard VXLAN header format.
interface vni             Creates the VNI interface for VXLAN tagging.
mcast-group               Sets the multicast group address for the VNI interface.
nve                       Specifies the Network Virtualization Endpoint instance.
nve-only                  Specifies that the VXLAN source interface is NVE-only.
peer ip                   Manually specifies the peer VTEP IP address.
segment-id                Specifies the VXLAN segment ID for a VNI interface.
show interface vni        Shows the parameters, status and statistics of a VNI interface, status of its
                          bridged interface (if configured), and NVE interface it is associated with.
show mac-address-table    Displays the Layer 2 forwarding table (MAC address table) on the VNI
vtep-mapping              interface with the remote VTEP IP addresses.
show nve                  Shows the parameters, status and statistics of a NVE interface, status of its
                          carrier interface (source interface), IP address of the carrier interface, VNIs
                          that use this NVE as the VXLAN VTEP, and peer VTEP IP addresses
                          associated with this NVE interface.
show vni vlan-mapping     Shows the mapping between VNI segment IDs and VLAN interfaces or
                          physical interfaces in transparent mode.
source-interface          Specifies the VTEP source interface.
vtep-nve                  Associates a VNI interface with the VTEP source interface.
vxlan port                Sets the VXLAN UDP port. By default, the VTEP source interface accepts
                          VXLAN traffic to UDP port 4789.
show asdm history
To display the contents of the ASDM history buffer, use the show asdm history command in privileged
EXEC mode.
show asdm history [view timeframe] [snapshot] [feature feature] [asdmclient]
Syntax Description
asdmclient        (Optional) Displays the ASDM history data formatted for the ASDM client.
feature feature   (Optional) Limits the history display to the specified feature. The following
                  are valid values for the feature argument:
                  • all—Displays the history for all features (default).
                  • blocks—Displays the history for the system buffers.
                  • cpu—Displays the history for CPU usage.
                  • failover—Displays the history for failover.
                  • ids—Displays the history for IDS.
                  • interface if_name—Displays the history for the specified interface. The
                    if_name argument is the name of the interface as specified by the nameif
                    command.
                  • memory—Displays memory usage history.
                  • perfmon—Displays performance history.
                  • sas—Displays the history for Security Associations.
                  • tunnels—Displays the history for tunnels.
                  • xlates—Displays translation slot history.
snapshot          (Optional) Displays only the last ASDM history data point.
view timeframe    (Optional) Limits the history display to the specified time period. Valid
                  values for the timeframe argument are:
                  • all—all contents in the history buffer (default).
                  • 12h—12 hours
                  • 5d—5 days
                  • 60m—60 minutes
                  • 10m—10 minutes
Defaults
If no arguments or keywords are specified, all history information for all features is displayed.
Command Modes
The following table shows the modes in which you can enter the command:

                   Firewall Mode           Security Context
                                                    Multiple
Command Mode       Routed   Transparent    Single   Context   System
Privileged EXEC    Yes      Yes            Yes      Yes       Yes

Command History
Release    Modification
7.0(1)     This command was changed from the show pdm history command to the
           show asdm history command.
Usage Guidelines
The show asdm history command displays the contents of the ASDM history buffer. Before you can
view ASDM history information, you must enable ASDM history tracking using the asdm history
enable command.
Examples
The following is sample output from the show asdm history command. It limits the output to data for
the outside interface collected during the last 10 minutes.
ciscoasa# show asdm history view 10m feature interface outside
Input KByte Count:
        [ 10s:12:46:41 Mar 1 2005 ] 62640 62636 62633 62628 62622 62616 62609
Output KByte Count:
        [ 10s:12:46:41 Mar 1 2005 ] 25178 25169 25165 25161 25157 25151 25147
Input KPacket Count:
        [ 10s:12:46:41 Mar 1 2005 ] 752 752 751 751 751 751 751
Output KPacket Count:
        [ 10s:12:46:41 Mar 1 2005 ] 55 55 55 55 55 55 55
Input Bit Rate:
        [ 10s:12:46:41 Mar 1 2005 ] 3397 2843 3764 4515 4932 5728 4186
Output Bit Rate:
        [ 10s:12:46:41 Mar 1 2005 ] 7316 3292 3349 3298 5212 3349 3301
Input Packet Rate:
        [ 10s:12:46:41 Mar 1 2005 ] 5 4 6 7 6 8 6
Output Packet Rate:
        [ 10s:12:46:41 Mar 1 2005 ] 1 0 0 0 0 0 0
Input Error Packet Count:
        [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
No Buffer:
        [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
Received Broadcasts:
        [ 10s:12:46:41 Mar 1 2005 ] 375974 375954 375935 375902 375863 375833 375794
Runts:
        [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
Giants:
        [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
CRC:
        [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
Frames:
        [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
Overruns:
        [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
Underruns:
        [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
Output Error Packet Count:
        [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
Collisions:
        [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
LCOLL:
        [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
Reset:
        [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
Deferred:
        [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
Lost Carrier:
        [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
Hardware Input Queue:
        [ 10s:12:46:41 Mar 1 2005 ] 128 128 128 128 128 128 128
Software Input Queue:
        [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
Hardware Output Queue:
        [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
Software Output Queue:
        [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
Drop KPacket Count:
        [ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
ciscoasa#
The following is sample output from the show asdm history command. Like the previous example, it
limits the output to data for the outside interface collected during the last 10 minutes. However, in this
example the output is formatted for the ASDM client.
ciscoasa# show asdm history view 10m feature interface outside asdmclient
MH|IBC|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|62439|62445|62453|62457|62464|
62469|62474|62486|62489|62496|62501|62506|62511|62518|62522|62530|62534|62539|62542|62547|
62553|62556|62562|62568|62574|62581|62585|62593|62598|62604|62609|62616|62622|62628|62633|
62636|62640|62653|62657|62665|62672|62678|62681|62686|62691|62695|62700|62704|62711|62718|
62723|62728|62733|62738|62742|62747|62751|62761|62770|62775|
...
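The asdmclient record above is a pipe-delimited form of the same history buffer and is the easier one to consume programmatically: a fixed header, a set of name/value pairs, and then NUM samples of a cumulative counter. The following Python is an added example and not code from the Cisco command reference or from ASDM. It parses one record, converts the TIME field, and flags sample-to-sample jumps that exceed a multiple of the median growth, which is a simple baseline check for unexpected traffic on the interface. The record is the first line of the example above; the field meanings (MH as the record marker, IBC as the Input KByte Count, the third field as the sample interval, TIME as a Unix epoch) are assumptions read off the sample, and the function names are the example's own.

```python
"""Parse one `show asdm history ... asdmclient` record and flag sample-to-sample
jumps in a cumulative counter.

Added example; not code from the Cisco command reference. Field meanings are
assumptions from the sample on this page: 'MH' marks a history record, 'IBC'
is taken to be the Input KByte Count (the first counter of the human-readable
output), the third field is the sample interval in seconds, TIME is a Unix
epoch, and NUM is followed by that many samples.
"""
from datetime import datetime, timezone
from statistics import median
from typing import Dict, List, Tuple

# The one complete record shown on this page (the first line of the
# asdmclient example), joined into a single string.
RECORD = (
    "MH|IBC|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|62439|62445|62453|62457|62464|"
    "62469|62474|62486|62489|62496|62501|62506|62511|62518|62522|62530|62534|62539|62542|62547|"
    "62553|62556|62562|62568|62574|62581|62585|62593|62598|62604|62609|62616|62622|62628|62633|"
    "62636|62640|62653|62657|62665|62672|62678|62681|62686|62691|62695|62700|62704|62711|62718|"
    "62723|62728|62733|62738|62742|62747|62751|62761|62770|62775|"
)


def parse_record(record: str) -> Dict[str, object]:
    fields = record.strip().split("|")
    if fields and fields[-1] == "":
        fields.pop()                      # trailing separator
    if len(fields) < 3 or fields[0] != "MH":
        raise ValueError("not an ASDM history record")
    rec: Dict[str, object] = {"counter": fields[1], "interval_s": int(fields[2])}
    i = 3
    while i + 1 < len(fields) and fields[i] != "NUM":
        rec[fields[i]] = int(fields[i + 1])    # CURFACT, CURVAL, TIME, MAX
        i += 2
    if i + 1 >= len(fields):
        raise ValueError("record has no NUM field")
    n = int(fields[i + 1])
    values = [int(v) for v in fields[i + 2:i + 2 + n]]
    if len(values) != n:
        raise ValueError(f"record claims {n} samples but carries {len(values)}")
    rec["values"] = values
    return rec


def sample_time_utc(rec: Dict[str, object]) -> datetime:
    return datetime.fromtimestamp(int(rec["TIME"]), tz=timezone.utc)


def deltas(values: List[int]) -> List[int]:
    """Per-interval growth of a cumulative counter."""
    return [b - a for a, b in zip(values, values[1:])]


def spikes(values: List[int], factor: float = 2.0) -> List[Tuple[int, int]]:
    """(sample index, delta) where growth exceeds factor times the median delta."""
    d = deltas(values)
    if not d:
        return []
    base = median(d)
    return [(i + 1, x) for i, x in enumerate(d) if x > factor * base]
```

The median rather than the mean is used as the baseline so that a single large interval does not mask itself; with the record above, two 10-second intervals stand out as moving more than twice the typical amount of data.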
The following is sample output from the show asdm history command using the snapshot keyword:
ciscoasa# show asdm history view 10m snapshot
Available 4 byte Blocks: [ 10s] : 100
Used 4 byte Blocks: [ 10s] : 0
Available 80 byte Blocks: [ 10s] : 100
Used 80 byte Blocks: [ 10s] : 0
Available 256 byte Blocks: [ 10s] : 2100
Used 256 byte Blocks: [ 10s] : 0
Available 1550 byte Blocks: [ 10s] : 7425
Used 1550 byte Blocks: [ 10s] : 1279
Available 2560 byte Blocks: [ 10s] : 40
Used 2560 byte Blocks: [ 10s] : 0
Available 4096 byte Blocks: [ 10s] : 30
Used 4096 byte Blocks: [ 10s] : 0
Available 8192 byte Blocks: [ 10s] : 60
Used 8192 byte Blocks: [ 10s] : 0
Available 16384 byte Blocks: [ 10s] : 100
Used 16384 byte Blocks: [ 10s] : 0
Available 65536 byte Blocks: [ 10s] : 10
Used 65536 byte Blocks: [ 10s] : 0
CPU Utilization: [ 10s] : 31
Input KByte Count: [ 10s] : 62930
Output KByte Count: [ 10s] : 26620
Input KPacket Count: [ 10s] : 755
Output KPacket Count: [ 10s] : 58
Input Bit Rate: [ 10s] : 24561
Output Bit Rate: [ 10s] : 518897
Input Packet Rate: [ 10s] : 48
Output Packet Rate: [ 10s] : 114
Input Error Packet Count: [ 10s] : 0
No Buffer: [ 10s] : 0
Received Broadcasts: [ 10s] : 377331
Runts: [ 10s] : 0
Giants: [ 10s] : 0
CRC: [ 10s] : 0
Frames: [ 10s] : 0
Overruns: [ 10s] : 0
Underruns: [ 10s] : 0
Output Error Packet Count: [ 10s] : 0
Collisions: [ 10s] : 0
LCOLL: [ 10s] : 0
Reset: [ 10s] : 0
Deferred: [ 10s] : 0
Lost Carrier: [ 10s] : 0
Hardware Input Queue: [ 10s] : 128
Software Input Queue: [ 10s] : 0
Hardware Output Queue: [ 10s] : 0
Software Output Queue: [ 10s] : 0
Drop KPacket Count: [ 10s] : 0
Input KByte Count: [ 10s] : 3672
Output KByte Count: [ 10s] : 4051
Input KPacket Count: [ 10s] : 19
Output KPacket Count: [ 10s] : 20
Input Bit Rate: [ 10s] : 0
Output Bit Rate: [ 10s] : 0
Input Packet Rate: [ 10s] : 0
Output Packet Rate: [ 10s] : 0
Input Error Packet Count: [ 10s] : 0
No Buffer: [ 10s] : 0
Received Broadcasts: [ 10s] : 1458
Runts: [ 10s] : 1
Giants: [ 10s] : 0
CRC: [ 10s] : 0
Frames: [ 10s] : 0
Overruns: [ 10s] : 0
Underruns: [ 10s] : 0
Output Error Packet Count: [ 10s] : 0
Collisions: [ 10s] : 63
LCOLL: [ 10s] : 0
Reset: [ 10s] : 0
Deferred: [ 10s] : 15
Lost Carrier: [ 10s] : 0
Hardware Input Queue: [ 10s] : 128
Software Input Queue: [ 10s] : 0
Hardware Output Queue: [ 10s] : 0
Software Output Queue: [ 10s] : 0
Drop KPacket Count: [ 10s] : 0
Input KByte Count: [ 10s] : 0
Output KByte Count: [ 10s] : 0
Input KPacket Count: [ 10s] : 0
Output KPacket Count: [ 10s] : 0
Input Bit Rate: [ 10s] : 0
Output Bit Rate: [ 10s] : 0
Input Packet Rate: [ 10s] : 0
Output Packet Rate: [ 10s] : 0
Input Error Packet Count: [ 10s] : 0
No Buffer: [ 10s] : 0
Received Broadcasts: [ 10s] : 0
Runts: [ 10s] : 0
Giants: [ 10s] : 0
CRC: [ 10s] : 0
Frames: [ 10s] : 0
Overruns: [ 10s] : 0
Underruns: [ 10s] : 0
Output Error Packet Count: [ 10s] : 0
Collisions: [ 10s] : 0
LCOLL: [ 10s] : 0
Reset: [ 10s] : 0
Deferred: [ 10s] : 0
Lost Carrier: [ 10s] : 0
Hardware Input Queue: [ 10s] : 128
Software Input Queue: [ 10s] : 0
Hardware Output Queue: [ 10s] : 0
Software Output Queue: [ 10s] : 0
Drop KPacket Count: [ 10s] : 0
Input KByte Count: [ 10s] : 0
Output KByte Count: [ 10s] : 0
Input KPacket Count: [ 10s] : 0
Output KPacket Count: [ 10s] : 0
Input Bit Rate: [ 10s] : 0
Output Bit Rate: [ 10s] : 0
Input Packet Rate: [ 10s] : 0
Output Packet Rate: [ 10s] : 0
Input Error Packet Count: [ 10s] : 0
No Buffer: [ 10s] : 0
Received Broadcasts: [ 10s] : 0
Runts: [ 10s] : 0
Giants: [ 10s] : 0
CRC: [ 10s] : 0
Frames: [ 10s] : 0
Overruns: [ 10s] : 0
Underruns: [ 10s] : 0
Output Error Packet Count: [ 10s] : 0
Collisions: [ 10s] : 0
LCOLL: [ 10s] : 0
Reset: [ 10s] : 0
Deferred: [ 10s] : 0
Lost Carrier: [ 10s] : 0
Hardware Input Queue: [ 10s] : 128
Software Input Queue: [ 10s] : 0
Hardware Output Queue: [ 10s] : 0
Software Output Queue: [ 10s] : 0
Drop KPacket Count: [ 10s] : 0
Available Memory: [ 10s] : 205149944
Used Memory: [ 10s] : 63285512
Xlate Count: [ 10s] : 0
Connection Count: [ 10s] : 0
TCP Connection Count: [ 10s] : 0
UDP Connection Count: [ 10s] : 0
URL Filtering Count: [ 10s] : 0
URL Server Filtering Count: [ 10s] : 0
TCP Fixup Count: [ 10s] : 0
TCP Intercept Count: [ 10s] : 0
HTTP Fixup Count: [ 10s] : 0
FTP Fixup Count: [ 10s] : 0
AAA Authentication Count: [ 10s] : 0
AAA Authorzation Count: [ 10s] : 0
AAA Accounting Count: [ 10s] : 0
Current Xlates: [ 10s] : 0
Max Xlates: [ 10s] : 0
ISAKMP SAs: [ 10s] : 0
IPsec SAs: [ 10s] : 0
L2TP Sessions: [ 10s] : 0
L2TP Tunnels: [ 10s] : 0
ciscoasa#
Related Commands
Command              Description
asdm history enable  Enables ASDM history tracking.
show asdm image
To display the current ASDM software image file, use the show asdm image command in privileged EXEC
mode.
show asdm image
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                   Firewall Mode           Security Context
                                                    Multiple
Command Mode       Routed   Transparent    Single   Context   System
Privileged EXEC    Yes      Yes            Yes      Yes       —

Command History
Release    Modification
7.0(1)     This command was changed from the show pdm image command to the
           show asdm image command.

Examples
The following is sample output from the show asdm image command:
ciscoasa# show asdm image
Device Manager image file, flash:/ASDM

Related Commands
Command      Description
asdm image   Specifies the current ASDM image file.
show asdm log_sessions
To display a list of active ASDM logging sessions and their associated session IDs, use the show asdm
log_sessions command in privileged EXEC mode.
show asdm log_sessions
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                   Firewall Mode           Security Context
                                                    Multiple
Command Mode       Routed   Transparent    Single   Context   System
Privileged EXEC    Yes      Yes            Yes      Yes       —

Command History
Release    Modification
7.0(1)     This command was added.

Usage Guidelines
Each active ASDM session has one or more associated ASDM logging sessions. ASDM uses the logging
session to retrieve syslog messages from the ASA. Each ASDM logging session is assigned a unique
session ID. You can use this session ID with the asdm disconnect log_session command to terminate
the specified session.

Note Because each ASDM session has at least one ASDM logging session, the output for the show asdm
sessions and show asdm log_sessions may appear to be the same.
Examples
The following is sample output from the show asdm log_sessions command:
ciscoasa# show asdm log_sessions
0 192.168.1.1
1 192.168.1.2
Related Commands
Command                      Description
asdm disconnect log_session  Terminates an active ASDM logging session.
show asdm sessions
To display a list of active ASDM sessions and their associated session IDs, use the show asdm sessions
command in privileged EXEC mode.
show asdm sessions
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode        Firewall Mode           Security Context
                    Routed   Transparent    Single   Multiple: Context   Multiple: System
Privileged EXEC     • Yes    • Yes          • Yes    • Yes               —
Command History
Release    Modification
7.0(1)     This command was changed from the show pdm sessions command to the
           show asdm sessions command.
Usage Guidelines
Each active ASDM session is assigned a unique session ID. You can use this session ID with the asdm
disconnect command to terminate the specified session.
Examples
The following is sample output from the show asdm sessions command:
ciscoasa# show asdm sessions
0 192.168.1.1
1 192.168.1.2
Related Commands
Command            Description
asdm disconnect    Terminates an active ASDM session.
CHAPTER 3
show as-path-access-list through show auto-update Commands
show as-path-access-list
To display the contents of all current autonomous system (AS) path access lists, use the show
as-path-access-list command in user EXEC or privileged EXEC mode.
show as-path-access-list [name]
Syntax Description
name    (Optional) Specifies the AS path access list name.
Defaults
If the name argument is not specified, command output is displayed for all AS path access lists.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode                  Firewall Mode           Security Context
                              Routed   Transparent    Single   Multiple: Context   Multiple: System
Privileged EXEC, User EXEC    • Yes    • Yes          • Yes    • Yes               • Yes
Command History
Release    Modification
9.2(1)     This command was added.
Examples
The following is sample output from the show as-path-access-list command:
ciscoasa# show as-path-access-list
AS path access list as-path-acl-1
deny RTR$
AS path access list as-path-acl-2
permit 100$
Table 3-1 shows each field description.
Table 3-1    show as-path-access-list Fields
Field                  Description
AS path access list    Indicates the AS path access list name.
deny                   Indicates the number of packets that are rejected since the regular expression failed
                       to match the representation of the AS path of the route as an ASCII string.
permit                 Indicates the number of packets that are forwarded since the regular expression matched
                       the representation of the AS path of the route as an ASCII string.
show asp cluster counter
To debug global or context-specific information in a clustering environment, use the show asp cluster
counter command in privileged EXEC mode.
show asp cluster counter
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode        Firewall Mode           Security Context
                    Routed   Transparent    Single   Multiple: Context   Multiple: System
Privileged EXEC     • Yes    • Yes          • Yes    • Yes               • Yes
Command History
Release    Modification
9.0(1)     This command was added.
Usage Guidelines
The show asp cluster counter command shows the global and context-specific DP counters, which
might help you troubleshoot a problem. This information is used for debugging purposes only, and the
information output is subject to change. Consult the Cisco TAC to help you debug your system with this
command.
Examples
The following is sample output from the show asp cluster counter command:
ciscoasa# show asp cluster counter
Global dp-counters:
Context specific dp-counters:
MCAST_FP_TO_SP                       361136
MCAST_SP_TOTAL                       361136
MCAST_SP_PKTS                        143327
MCAST_SP_PKTS_TO_CP                  143327
MCAST_FP_CHK_FAIL_NO_HANDLE          217809
MCAST_FP_CHK_FAIL_NO_ACCEPT_IFC       81192
MCAST_FP_CHK_FAIL_NO_FP_FWD           62135
Related Commands
Command          Description
show asp drop    Shows the accelerated security path counters for dropped packets.
show asp drop
To debug the accelerated security path dropped packets or connections, use the show asp drop command
in privileged EXEC mode.
show asp drop [flow [flow_drop_reason] | frame [frame_drop_reason]]
Syntax Description
flow [flow_drop_reason]      (Optional) Shows the dropped flows (connections). You can specify a
                             particular reason by using the flow_drop_reason argument. Use ? to see a list
                             of possible flow drop reasons.
frame [frame_drop_reason]    (Optional) Shows the dropped packets. You can specify a particular reason
                             by using the frame_drop_reason argument. Use ? to see a list of possible
                             frame drop reasons.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode        Firewall Mode           Security Context
                    Routed   Transparent    Single   Multiple: Context   Multiple: System
Privileged EXEC     • Yes    • Yes          • Yes    • Yes               • Yes
Command History
Release                 Modification
7.0(1)                  This command was added.
7.0(8)/7.2(4)/8.0(4)    Output includes a timestamp indicating when the counters were last cleared
                        (see the clear asp drop command). It also displays the drop reason keywords
                        next to the description, so you can easily use the capture asp-drop command
                        with the associated keyword.
Usage Guidelines
The show asp drop command shows the packets or connections dropped by the accelerated security
path, which might help you troubleshoot a problem. See the general operations configuration guide for
more information about the accelerated security path. This information is used for debugging purposes
only, and the information output is subject to change. Consult Cisco TAC to help you debug your system
with this command.
For detailed descriptions of each drop reason name and description, including recommendations, see
show asp drop Command Usage.
Examples
The following is sample output from the show asp drop command, with the time stamp indicating the
last time the counters were cleared:
ciscoasa# show asp drop
Frame drop:
  Flow is denied by configured rule (acl-drop)                        3
  Dst MAC L2 Lookup Failed (dst-l2_lookup-fail)                    4110
  L2 Src/Dst same LAN port (l2_same-lan-port)                       760
  Expired flow (flow-expired)                                         1
Last clearing: Never
Flow drop:
  Flow is denied by access rule (acl-drop)                           24
  NAT failed (nat-failed)                                         28739
  NAT reverse path failed (nat-rpf-failed)                        22266
  Inspection failure (inspect-fail)                               19433
Last clearing: 17:02:12 UTC Jan 17 2012 by enable_15
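Because the drop counters are cumulative and restart only when clear asp drop is run, the useful signal is how much each reason grew between two readings. The following Python is an added example, not Cisco code: it parses two captures of the output format shown above (the two snapshots and their counter values are constructed for the example), uses the "Last clearing" stamp to tell a counter reset from a real decrease, and ranks the reasons that grew most. The function names are this example's own.

```python
"""Parse `show asp drop` output and compare two snapshots.

Added example for this reference entry; it is not Cisco code. The two
snapshots below are constructed from the output format shown above, and
the counter values are made up. The function names are this example's own.
"""
import re

# One counter line: description, the drop-reason keyword in parentheses
# (the same keyword that `capture ... asp-drop` accepts), then the count.
COUNTER_RE = re.compile(r"^\s*(?P<desc>.+?)\s+\((?P<reason>[\w./-]+)\)\s+(?P<count>\d+)\s*$")
SECTION_RE = re.compile(r"^(?P<kind>Frame|Flow) drop:\s*$")
CLEARED_RE = re.compile(r"^Last clearing:\s*(?P<when>.+?)\s*$")

# Constructed snapshot taken at T0.
SNAPSHOT_T0 = """\
ciscoasa# show asp drop
Frame drop:
  Flow is denied by configured rule (acl-drop)          3
  Dst MAC L2 Lookup Failed (dst-l2_lookup-fail)      4110
Last clearing: Never
Flow drop:
  NAT failed (nat-failed)                           28739
  NAT reverse path failed (nat-rpf-failed)          22266
Last clearing: Never
"""

# Constructed snapshot taken later; the flow counters were cleared in between.
SNAPSHOT_T1 = """\
ciscoasa# show asp drop
Frame drop:
  Flow is denied by configured rule (acl-drop)         50
  Dst MAC L2 Lookup Failed (dst-l2_lookup-fail)      4110
  Expired flow (flow-expired)                           1
Last clearing: Never
Flow drop:
  NAT failed (nat-failed)                              61
  NAT reverse path failed (nat-rpf-failed)              9
Last clearing: 17:02:12 UTC Jan 17 2012 by enable_15
"""


def parse_asp_drop(text):
    """Return {'frame': {reason: count}, 'flow': {reason: count},
    'cleared': {'frame': stamp, 'flow': stamp}, 'desc': {reason: text}}."""
    snap = {"frame": {}, "flow": {}, "cleared": {}, "desc": {}}
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("kind").lower()
            continue
        if section is None:
            continue                      # prompt or other preamble
        m = CLEARED_RE.match(line)
        if m:
            snap["cleared"][section] = m.group("when")
            continue
        m = COUNTER_RE.match(line)
        if m:
            snap[section][m.group("reason")] = int(m.group("count"))
            snap["desc"][m.group("reason")] = m.group("desc")
    return snap


def diff_snapshots(before, after):
    """Increase per (section, reason) between two snapshots. When the
    'Last clearing' stamp of a section changed, its counters restarted
    from zero, so the later value is reported as-is instead of subtracted."""
    deltas = {}
    for section in ("frame", "flow"):
        cleared = before["cleared"].get(section) != after["cleared"].get(section)
        for reason, count in after[section].items():
            prev = 0 if cleared else before[section].get(reason, 0)
            deltas[(section, reason)] = max(count - prev, 0)
    return deltas


def top_reasons(deltas, n=3, expected=("acl-drop",)):
    """Largest increases, skipping reasons that are routine on a busy firewall
    (ACL denies are expected; the remaining reasons are the ones to look at)."""
    items = [(k, v) for k, v in deltas.items() if v > 0 and k[1] not in expected]
    return sorted(items, key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    d = diff_snapshots(parse_asp_drop(SNAPSHOT_T0), parse_asp_drop(SNAPSHOT_T1))
    for (section, reason), inc in top_reasons(d):
        print(f"{section:5} {reason:20} +{inc}")
```

The reason keyword returned by the parser is the one the history table above says can be passed to the capture command, so a reason that ranks high can be taken straight into a capture for closer inspection.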
Related Commands
Command           Description
capture           Captures packets, including the option to capture packets based on an ASP
                  drop code.
clear asp drop    Clears drop statistics for the accelerated security path.
show conn         Shows information about connections.
show asp event dp-cp
To debug the data path or control path event queues, use the show asp event dp-cp command in
privileged EXEC mode.
show asp event dp-cp [cxsc msg]
Syntax Description
cxsc msg    (Optional) Identifies the CXSC event messages that are sent to the CXSC
            event queue.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode        Firewall Mode           Security Context
                    Routed   Transparent    Single   Multiple: Context   Multiple: System
Privileged EXEC     • Yes    • Yes          • Yes    • Yes               • Yes
Command History
Release    Modification
9.0(1)     This command was added.
9.1(3)     A routing event queue entry was added.
Usage Guidelines
The show asp event dp-cp command shows the contents of the data path and control path, which might
help you troubleshoot a problem. See the CLI configuration guide for more information about the data
path and control path. These tables are used for debugging purposes only, and the information output is
subject to change. Consult Cisco TAC to help you debug your system with this command.
Examples
The following is sample output from the show asp event dp-cp command:
ciscoasa# show asp event dp-cp
DP-CP EVENT QUEUE                  QUEUE-LEN  HIGH-WATER
Punt Event Queue                           0        2048
Routing Event Queue                        0           1
Identity-Traffic Event Queue               0          17
General Event Queue                        0           0
Syslog Event Queue                         0        3192
Non-Blocking Event Queue                   0           4
Midpath High Event Queue                   0           0
Midpath Norm Event Queue                   0           0
SRTP Event Queue                           0           0
HA Event Queue                             0           3
Threat-Detection Event Queue               0           3
ARP Event Queue                            0           3
IDFW Event Queue                           0           0
CXSC Event Queue                           0           0

EVENT-TYPE               ALLOC  ALLOC-FAIL  ENQUEUED  ENQ-FAIL  RETIRED  15SEC-RATE
punt                   4005920           0    935295   3070625  4005920        4372
inspect-sunrp          4005920           0    935295   3070625  4005920        4372
routing                     77           0        77         0       77           0
arp-in                     618           0       618         0      618           0
identity-traffic          1519           0      1519         0     1519           0
syslog                    5501           0      5501         0     5501           0
threat-detection            12           0        12         0       12           0
ips-cplane                1047           0      1047         0     1047           0
ha-msg                     520           0       520         0      520           0
cxsc-msg                   127           0       127         0      127           0
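The ENQ-FAIL column is the one worth watching in this output: an event that could not be enqueued never reached the control plane. The following Python is an added example, not Cisco code: it parses both tables in the format shown above (the sample is constructed from that output, trimmed to a few rows) and reports event types whose enqueue failures exceed a chosen share of attempts, plus the queues with the deepest recorded backlog. The function names are this example's own.

```python
"""Parse `show asp event dp-cp` output and flag enqueue failures.

Added example for this reference entry; it is not Cisco code. The sample
below is constructed from the output format shown above (values copied
from that sample, trimmed to a few rows). Function names are this
example's own.
"""
import re

SAMPLE = """\
ciscoasa# show asp event dp-cp
DP-CP EVENT QUEUE              QUEUE-LEN  HIGH-WATER
Punt Event Queue                       0        2048
Routing Event Queue                    0           1
Syslog Event Queue                     0        3192
EVENT-TYPE               ALLOC  ALLOC-FAIL  ENQUEUED  ENQ-FAIL  RETIRED  15SEC-RATE
punt                   4005920           0    935295   3070625  4005920        4372
routing                     77           0        77         0       77           0
syslog                    5501           0      5501         0     5501           0
"""

# Queue rows end in " Event Queue" followed by two integers; event rows are a
# lowercase event type followed by exactly six integers.
QUEUE_RE = re.compile(r"^(?P<name>\S.*? Event Queue)\s+(?P<qlen>\d+)\s+(?P<high>\d+)\s*$")
EVENT_RE = re.compile(r"^(?P<type>[a-z][\w-]*)\s+(?P<nums>\d+(?:\s+\d+){5})\s*$")
COLUMNS = ("alloc", "alloc_fail", "enqueued", "enq_fail", "retired", "rate_15s")


def parse_dp_cp(text):
    """Return (queues, events): queues maps queue name -> (queue_len, high_water);
    events maps event type -> dict of the six counter columns."""
    queues, events = {}, {}
    for line in text.splitlines():
        m = QUEUE_RE.match(line)
        if m:
            queues[m.group("name")] = (int(m.group("qlen")), int(m.group("high")))
            continue
        m = EVENT_RE.match(line)
        if m:
            nums = [int(x) for x in m.group("nums").split()]
            events[m.group("type")] = dict(zip(COLUMNS, nums))
    return queues, events


def enqueue_failure_ratio(events, min_ratio=0.01):
    """Event types whose ENQ-FAIL share of all enqueue attempts is at least
    min_ratio. A large share on 'punt' means events handed from the data
    path to the control plane are failing to queue, so the control plane
    is not seeing them."""
    flagged = {}
    for etype, c in events.items():
        attempts = c["enqueued"] + c["enq_fail"]
        if attempts and c["enq_fail"] / attempts >= min_ratio:
            flagged[etype] = c["enq_fail"] / attempts
    return flagged


def busiest_queues(queues, n=3):
    """Queue names ordered by high-water mark, the deepest backlog seen."""
    return sorted(queues, key=lambda q: queues[q][1], reverse=True)[:n]


if __name__ == "__main__":
    q, e = parse_dp_cp(SAMPLE)
    for etype, ratio in enqueue_failure_ratio(e).items():
        print(f"{etype}: {ratio:.1%} of enqueue attempts failed")
    print("deepest queues:", busiest_queues(q))
```

The ratio is computed against ENQUEUED plus ENQ-FAIL rather than against ALLOC, so an event type that allocates but never enqueues does not mask the failures.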
show asp load-balance
To display a histogram of the load balancer queue sizes, use the show asp load-balance command in
privileged EXEC mode.
show asp load-balance [detail]
Syntax Description
detail    (Optional) Shows detailed information about hash buckets.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode        Firewall Mode           Security Context
                    Routed   Transparent    Single   Multiple: Context   Multiple: System
Privileged EXEC     • Yes    • Yes          • Yes    —                   • Yes
Command History
Release    Modification
8.1(1)     This command was added.
Usage Guidelines
The show asp load-balance command might help you troubleshoot a problem. Normally a packet will
be processed by the same core that pulled it in from the interface receive ring. However, if another core
is already processing the same connection as the packet just received, then the packet will be queued to
that core. This queuing can cause the load balancer queue to grow while other cores are idle. See the asp
load-balance per-packet command for more information.
Examples
The following is sample output from the show asp load-balance command. The X-axis represents the
number of packets queued in different queues. The Y-axis represents the number of load balancer hash
buckets (not to be confused with the bucket in the histogram title, which refers to the histogram bucket)
that has packets queued. To know the exact number of hash buckets having the queue, use the detail
keyword.
ciscoasa# show asp load-balance
Histogram of 'ASP load balancer queue sizes'
64 buckets sampling from 1 to 65 (1 per bucket)
6 samples within range (average=23)
                         ASP load balancer queue sizes
[Histogram not reproducible in text: the Y-axis, labeled "Samples", has tick marks at 10 and 100;
the X-axis, labeled "# of queued jobs per queue", runs from 10 to 60 in steps of 10; the six
samples appear as # marks (per the detail output below, at queue sizes 4, 6, 28, 30, and 42).]
The following is sample output from the show asp load-balance detail command.
ciscoasa# show asp load-balance detail
<Same histogram output as before with the addition of the following values for the histogram>
Data points:
<snip>
bucket[1-1] = 0 samples
bucket[2-2] = 0 samples
bucket[3-3] = 0 samples
bucket[4-4] = 1 samples
bucket[5-5] = 0 samples
bucket[6-6] = 1 samples
<snip>
bucket[28-28] = 2 samples
bucket[29-29] = 0 samples
bucket[30-30] = 1 samples
<snip>
bucket[41-41] = 0 samples
bucket[42-42] = 1 samples
Related Commands
Command                        Description
asp load-balance per-packet    Changes the core load balancing method for multi-core ASA models.
show asp load-balance per-packet
To display specific statistics for ASP load balancing per packet, use the show asp load-balance
per-packet command in privileged EXEC mode.
show asp load-balance per-packet [history]
Syntax Description
history    (Optional) Shows the configuration status (enabled, disabled, or auto),
           current status (enabled or disabled), high and low watermarks, the global
           threshold, the number of times an automatic switch occurred, the minimum
           and maximum wait times with automatic switching enabled, the history of
           ASP load balancing per packet with time stamps, and the reasons for
           switching it on and off.
Defaults
If you do not specify any options, this command shows the basic status, related values, and statistics of
ASP load balancing per packet.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode        Firewall Mode           Security Context
                    Routed   Transparent    Single   Multiple: Context   Multiple: System
Privileged EXEC     • Yes    • Yes          • Yes    —                   • Yes
Command History
Release    Modification
9.3(1)     This command was added.
Usage Guidelines
The show asp load-balance per-packet command shows the configuration status (enabled, disabled, or
auto), current status (enabled or disabled), high and low watermarks, the global threshold, the number
of times an automatic switch occurred, and the minimum and maximum wait times with automatic
switching enabled, for ASP load balancing per packet.
The information appears in the following format:
Config mode                            : [ enabled | disabled | auto ]
Current status                         : [ enabled | disabled ]
RX ring Blocks low/high watermark      : [RX ring Blocks low watermark in percentage] /
                                         [RX ring Blocks high watermark in percentage]
System RX ring count low threshold     : [System RX ring count low threshold] / [Total
                                         number of RX rings in the system]
System RX ring count high threshold    : [System RX ring count high threshold] / [Total
                                         number of RX rings in the system]
Auto mode
Current RX ring count threshold status : [Number of RX rings crossed watermark] / [Total
                                         number of RX rings in the system]
Number of times auto switched          : [Number of times ASP load-balance per-packet has
                                         been switched]
Min/max wait time with auto enabled    : [Minimal wait time with auto enabled] / [Maximal
                                         wait time with auto enabled] (ms)
Manual mode
Current RX ring count threshold status : N/A
Only the ASA 5585-X and the ASASM support the use of this command.
Examples
The following is sample output from the show asp load-balance per-packet command:
ciscoasa# show asp load-balance per-packet
Config status                          : auto
Current status                         : disabled
RX ring Blocks low/high watermark      : 50% / 75%
System RX ring count low threshold     : 1 / 33
System RX ring count high threshold    : 7 / 33
Current RX ring count threshold status : 0 / 33
Number of times auto switched          : 17
Min/max wait time with auto enabled    : 200 / 6400 (ms)
The following is sample output from the show asp load-balance per-packet history command:
ciscoasa# show asp load-balance per-packet history
Config status                          : auto
Current status                         : disabled
RX ring Blocks low/high watermark      : 50% / 75%
System RX ring count low threshold     : 1 / 33
System RX ring count high threshold    : 7 / 33
Current RX ring count threshold status : 0 / 33
Number of times auto switched          : 17
Min/max wait time with auto enabled    : 200 / 6400 (ms)
===================================================================================================
                          From State          To State           Reason
===================================================================================================
15:07:13 UTC Dec 17 2013  Manually Disabled   Manually Disabled  Disabled at startup
15:09:14 UTC Dec 17 2013  Manually Disabled   Manually Enabled   Config
15:09:15 UTC Dec 17 2013  Manually Enabled    Auto Disabled      0/33 of the ring(s) crossed the watermark
15:10:16 UTC Dec 17 2013  Auto Disabled       Auto Enabled       1/33 of the ring(s) crossed the watermark
                                                                 Internal-Data0/0 RX[01] crossed above high watermark
15:10:16 UTC Dec 17 2013  Auto Enabled        Auto Enabled       2/33 of the ring(s) crossed the watermark
                                                                 Internal-Data0/1 RX[04] crossed above high watermark
15:10:16 UTC Dec 17 2013  Auto Enabled        Auto Enabled       3/33 of the ring(s) crossed the watermark
                                                                 Internal-Data0/1 RX[05] crossed above high watermark
15:10:16 UTC Dec 17 2013  Auto Enabled        Auto Enabled       2/33 of the ring(s) crossed the watermark
                                                                 Internal-Data0/0 RX[01] dropped below low watermark
15:10:17 UTC Dec 17 2013  Auto Enabled        Auto Enabled       3/33 of the ring(s) crossed the watermark
                                                                 Internal-Data0/2 RX[01] crossed above high watermark
(---More---)
15:14:01 UTC Dec 17 2013  Auto Enabled        Auto Disabled      8/33 of the ring(s) crossed the watermark
                                                                 Internal-Data0/3 RX[01] crossed above high watermark
15:14:01 UTC Dec 17 2013  Auto Disabled       Auto Enabled       7/33 of the ring(s) crossed the watermark
                                                                 Internal-Data0/3 RX[01] dropped below low watermark
(---More---)
15:20:11 UTC Dec 17 2013  Auto Enabled        Auto Disabled      0/33 of the ring(s) crossed the watermark
                                                                 Internal-Data0/2 RX[01] dropped below low watermark
(---More---)
Related Commands
Command                            Description
asp load-balance per-packet auto   Automatically switches ASP load balancing per packet on and off on each
                                   interface receive ring or set of flows.
clear asp load-balance history     Clears the history of ASP load balancing per packet and resets the number of
                                   times an automatic switch occurred.
show asp table arp
To debug the accelerated security path ARP tables, use the show asp table arp command in privileged
EXEC mode.
show asp table arp [interface interface_name] [address ip_address [netmask mask]]
Syntax Description
address ip_address         (Optional) Identifies an IP address for which you want to view ARP table
                           entries.
interface interface_name   (Optional) Identifies a specific interface for which you want to view the ARP
                           table.
netmask mask               (Optional) Sets the subnet mask for the IP address.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode        Firewall Mode           Security Context
                    Routed   Transparent    Single   Multiple: Context   Multiple: System
Privileged EXEC     • Yes    • Yes          • Yes    • Yes               • Yes
Command History
Release    Modification
7.0(1)     This command was added.
Usage Guidelines
The show arp command shows the contents of the control plane, while the show asp table arp command
shows the contents of the accelerated security path, which might help you troubleshoot a problem. See
the CLI configuration guide for more information about the accelerated security path. These tables are
used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC
to help you debug your system with this command.
Examples
The following is sample output from the show asp table arp command:
ciscoasa# show asp table arp
Context: single_vf, Interface: inside
  10.86.194.50      Active   000f.66ce.5d46 hits 0
  10.86.194.1       Active   00b0.64ea.91a2 hits 638
  10.86.194.172     Active   0001.03cf.9e79 hits 0
  10.86.194.204     Active   000f.66ce.5d3c hits 0
  10.86.194.188     Active   000f.904b.80d7 hits 0
Context: single_vf, Interface: identity
  ::                Active   0000.0000.0000 hits 0
  0.0.0.0           Active   0000.0000.0000 hits 50208
Related Commands
Command               Description
show arp              Shows the ARP table.
show arp statistics   Shows ARP statistics.
show asp table classify
To debug the accelerated security path classifier tables, use the show asp table classify command in
privileged EXEC mode.
show asp table classify [interface interface_name] [crypto | domain domain_name] [hits] [match
regexp] [user-statistics]
Syntax Description
crypto                     (Optional) Shows the encrypt, decrypt, and ipsec tunnel flow domains only.
domain domain_name         (Optional) Shows entries for a specific classifier domain. See the CLI help
                           for a list of the available domains.
hits                       (Optional) Shows classifier entries that have non-zero hits values.
interface interface_name   (Optional) Identifies a specific interface for which you want to view the
                           classifier table.
match regexp               (Optional) Shows classifier entries that match the regular expression. Use
                           quotes when regular expressions include spaces.
user-statistics            (Optional) Specifies user and group information.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode        Firewall Mode           Security Context
                    Routed   Transparent    Single   Multiple: Context   Multiple: System
Privileged EXEC     • Yes    • Yes          • Yes    • Yes               • Yes
Command History
Release    Modification
7.0(1)     This command was added.
7.2(4)     The hits option and the timestamp were added to indicate the last time the
           ASP table counters were cleared.
8.0(2)     A new counter was added to show the number of times a match compilation
           was aborted. This counter is shown only if the value is greater than 0.
8.2(2)     The match regexp option was added.
8.4(4.1)   The cxsc and cxsc-auth-proxy domains for the ASA CX module were added.
9.0(1)     The user-statistics keyword was added. The output was updated to add
           security group names and source and destination tags.
9.2(1)     Added the sfr domain for the ASA FirePOWER module.
9.3(1)     The security group tag (SGT) value has been modified in the output. The tag
           value “tag=0” indicates an exact match to 0x0, which is the reserved SGT
           value for “unknown.” The SGT value “tag=any” indicates a value that you do
           not need to consider in the rule.
Usage Guidelines
The show asp table classify command shows the classifier contents of the accelerated security path,
which might help you troubleshoot a problem. See the CLI configuration guide for more information
about the accelerated security path. The classifier examines properties of incoming packets, such as
protocol, and source and destination address, to match each packet to an appropriate classification rule.
Each rule is labeled with a classification domain that determines what types of actions are performed,
such as dropping a packet or allowing it through. The information shown is used for debugging purposes
only, and the output is subject to change. Consult Cisco TAC to help you debug your system with this
command.
Examples
The following is sample output from the show asp table classify command:
ciscoasa# show asp table classify
Interface test:
No. of aborted compiles for input action table 0x33b3d70: 29
in id=0x36f3800, priority=10, domain=punt, deny=false
hits=0, user_data=0x0, flags=0x0
src ip=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip=10.86.194.60, mask=255.255.255.255, port=0, tag=any
in id=0x33d3508, priority=99, domain=inspect, deny=false
hits=0, user_data=0x0, use_real_addr, flags=0x0
src ip=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip=0.0.0.0, mask=0.0.0.0, port=0, tag=any
in id=0x33d3978, priority=99, domain=inspect, deny=false
hits=0, user_data=0x0, use_real_addr, flags=0x0
src ip=0.0.0.0, mask=0.0.0.0, port=53, tag=any
dst ip=0.0.0.0, mask=0.0.0.0, port=0, tag=any
...
The following is sample output from the show asp table classify hits command with a record of the last
clearing hits counters:
Interface mgmt:
in  id=0x494cd88, priority=210, domain=permit, deny=true
        hits=54, user_data=0x1, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=255.255.255.255, mask=255.255.255.255, port=0, dscp=0x0
in  id=0x494d1b8, priority=112, domain=permit, deny=false
        hits=1, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Interface inside:
in  id=0x48f1580, priority=210, domain=permit, deny=true
        hits=54, user_data=0x1, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=255.255.255.255, mask=255.255.255.255, port=0, dscp=0x0
in  id=0x48f09e0, priority=1, domain=permit, deny=false
        hits=101, user_data=0x0, cs_id=0x0, l3_type=0x608
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
Interface outside:
in  id=0x48c0970, priority=210, domain=permit, deny=true
        hits=54, user_data=0x1, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=255.255.255.255, mask=255.255.255.255, port=0, dscp=0x0
The following is sample output from the show asp table classify hits command that includes Layer 2
information:
Input Table
in  id=0x7fff2de10ae0, priority=120, domain=permit, deny=false
        hits=4, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
        input_ifc=LAN-SEGMENT, output_ifc=identity
in  id=0x7fff2de135c0, priority=0, domain=inspect-ip-options, deny=true
        hits=41, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=LAN-SEGMENT, output_ifc=any
...
Output Table:
L2 - Output Table:
L2 - Input Table:
in  id=0x7fff2de0e080, priority=1, domain=permit, deny=false
        hits=30, user_data=0x0, cs_id=0x0, l3_type=0x608
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=LAN-SEGMENT, output_ifc=any
in  id=0x7fff2de0e580, priority=1, domain=permit, deny=false
        hits=382, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=LAN-SEGMENT, output_ifc=any
in  id=0x7fff2de0e800, priority=1, domain=permit, deny=false
        hits=312, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=ffff.ffff.ffff, mask=ffff.ffff.ffff
        input_ifc=LAN-SEGMENT, output_ifc=any
The following is sample output from the show asp table classify command when a security group is not
specified in the access list:
ciscoasa# show asp table classify
in  id=0x7ffedb54cfe0, priority=500, domain=permit, deny=true
        hits=0, user_data=0x6, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=224.0.0.0, mask=240.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=management, output_ifc=any
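The classifier listing is long on a production firewall, and the entries span several lines each, so a structured view is easier to audit than scrolling: for example, which deny entries are actually matching traffic, or how many entries each domain contributes. The following Python is an added example, not Cisco code: it parses entries in the format shown above (the sample is constructed from those outputs) into one record per entry, with the src/dst fields prefixed and bare words such as reverse kept as modifiers, and then reproduces the effect of the hits keyword offline. The function names are this example's own.

```python
"""Parse `show asp table classify` entries into records and filter them.

Added example for this reference entry; it is not Cisco code. The sample
below is constructed from the output formats shown above; the entry ids
and hit counts are taken from those samples. Function names are this
example's own.
"""
import re

SAMPLE = """\
ciscoasa# show asp table classify
Interface test:
No. of aborted compiles for input action table 0x33b3d70: 29
in  id=0x36f3800, priority=10, domain=punt, deny=false
        hits=0, user_data=0x0, flags=0x0
        src ip=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip=10.86.194.60, mask=255.255.255.255, port=0, tag=any
in  id=0x494cd88, priority=210, domain=permit, deny=true
        hits=54, user_data=0x1, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=255.255.255.255, mask=255.255.255.255, port=0, dscp=0x0
Interface inside:
in  id=0x48f09e0, priority=1, domain=permit, deny=false
        hits=101, user_data=0x0, cs_id=0x0, l3_type=0x608
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
"""

ENTRY_RE = re.compile(r"^(in|out)\s+id=")       # first line of an entry
IFC_RE = re.compile(r"^Interface (\S+):\s*$")
INT_KEYS = ("priority", "hits", "protocol")


def parse_classify(text):
    """Return a list of dicts, one per classifier entry. Keys on the
    'src'/'dst' lines are prefixed (src_ip, dst_mask, ...); bare words such
    as 'reverse' or 'use_real_addr' go into the 'modifiers' set."""
    entries, current, ifc = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = IFC_RE.match(line)
        if m:
            ifc = m.group(1)
            continue
        if ENTRY_RE.match(line):
            current = {"interface": ifc, "direction": line.split()[0], "modifiers": set()}
            entries.append(current)
        if current is None or "=" not in line:
            continue                      # prompt, table banners, compile counters
        prefix = ""
        if line.startswith(("src ", "dst ")):
            prefix, line = line[:3] + "_", line[4:]
        for tok in line.split(","):
            tok = tok.strip()
            if not tok:
                continue
            if "=" not in tok:
                current["modifiers"].add(tok)
                continue
            key, val = tok.split("=", 1)
            key = prefix + key.split()[-1]    # 'in  id' -> 'id'
            if key in INT_KEYS:
                val = int(val)
            elif key == "deny":
                val = (val == "true")
            current[key] = val
    return entries


def with_hits(entries):
    """Entries whose hit counter is non-zero (what the `hits` keyword shows)."""
    return [e for e in entries if e.get("hits", 0) > 0]


def deny_hits(entries):
    """Deny entries that have actually matched traffic."""
    return [e for e in with_hits(entries) if e.get("deny")]


def count_by_domain(entries):
    """Number of entries per classification domain."""
    counts = {}
    for e in entries:
        domain = e.get("domain", "?")
        counts[domain] = counts.get(domain, 0) + 1
    return counts


if __name__ == "__main__":
    rules = parse_classify(SAMPLE)
    print(count_by_domain(rules))
    for e in deny_hits(rules):
        print(f"{e['interface']}: {e['id']} domain={e['domain']} hits={e['hits']}")
```

The parser keys on the `=` separator rather than on fixed column positions, which is why the same code handles the 7.x-style entries and the 9.x entries that add input_ifc/output_ifc and tag fields.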
Related Commands
Command          Description
show asp drop    Shows the accelerated security path counters for dropped packets.
show asp table cluster chash-table
To debug the accelerated security path cHash tables for clustering, use the show asp table cluster
chash-table command in privileged EXEC mode.
show asp table cluster chash-table
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode        Firewall Mode           Security Context
                    Routed   Transparent    Single   Multiple: Context   Multiple: System
Privileged EXEC     • Yes    • Yes          • Yes    • Yes               • Yes
Command History
Release    Modification
9.0(1)     This command was added.
Usage Guidelines
The show asp table cluster chash-table command shows the contents of the accelerated security path,
which might help you troubleshoot a problem. See the CLI configuration guide for more information
about the accelerated security path. These tables are used for debugging purposes only, and the
information output is subject to change. Consult Cisco TAC to help you debug your system with this
command.
Examples
The following is sample output from the show asp table cluster chash-table command:
ciscoasa# show asp table cluster chash-table
Cluster current chash table:
00003333 21001200 22000033 02222223 33331111 21110000 00133103 22222223
30000102 11222222 23222331 00002223 33111111 11000112 22332000 00231121
11222220 33330223 31013211 11101111 13111111 11023133 30001100 00000111
12022222 00133333 33222000 00022222 33011333 11110002 33333322 13333030
Related Commands
Command                    Description
show asp cluster counter   Shows cluster datapath counter information.
show asp table cts sgt-map
To show the IP address-security group table mapping from the IP address-security group table database
that is maintained in the data path for Cisco TrustSec, use the show asp table cts sgt-map command in
privileged EXEC mode.
show asp table cts sgt-map [address ipv4[/mask] | address ipv6[/prefix] | ipv4 | ipv6 | sgt sgt]
Syntax Description
address {ipv4[/mask] | ipv6[/prefix]}   (Optional) Shows only the IP address-security group table mapping for the
                                        specific IPv4 or IPv6 address. Include an IPv4 subnet mask or IPv6 prefix to
                                        see the mapping for a network.
ipv4                                    (Optional) Shows all of the IP address-security group table mapping for IPv4
                                        addresses.
ipv6                                    (Optional) Shows all of the IP address-security group table mapping for IPv6
                                        addresses.
sgt sgt                                 (Optional) Shows the IP address-security group table mapping for the
                                        specified security group table.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode        Firewall Mode           Security Context
                    Routed   Transparent    Single   Multiple: Context   Multiple: System
Privileged EXEC     • Yes    • Yes          • Yes    • Yes               —
Command History
Release    Modification
9.0(1)     This command was added.
9.6(1)     The ability to show network mappings was added.
Usage Guidelines
If the address is not specified, then all the entries in the IP address-security group table database in the
data path appear. In addition, the security group names appear when available.
Examples
The following is sample output from the show asp table cts sgt-map command:
ciscoasa# show asp table cts sgt-map
IP Address                    SGT
==================================================
10.10.10.5                    1234:Marketing
10.34.89.12                   5:Engineering
10.67.0.0\16                  338:HR
192.4.4.4                     345:Finance
Total number of entries shown = 4
The following is sample output from the show asp table cts sgt-map address command:
ciscoasa# show asp table cts sgt-map address 10.10.10.5
IP Address                    SGT
=================================================
10.10.10.5                    1234:Marketing
Total number of entries shown = 1
The following is sample output from the show asp table cts sgt-map ipv6 command:
ciscoasa# show asp table cts sgt-map ipv6
IP Address                    SGT
=============================================================
FE80::A8BB:CCFF:FE00:110      17:Marketing-Servers
FE80::A8BB:CCFF:FE00:120      18:Eng-Servers
Total number of entries shown = 2
The following is sample output from the show asp table cts sgt-map sgt command:
ciscoasa# show asp table cts sgt-map sgt 17
IP Address                    SGT
==============================================
FE80::A8BB:CCFF:FE00:110      17
Total number of entries shown = 1
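Since 9.6(1) the table can hold network mappings as well as host mappings, so a saved copy of this output is enough to answer offline which SGT a given host resolves to and therefore which SGT-based rules will apply to it. The following Python is an added example, not Cisco code: it parses a listing in the format shown above (the listing is constructed from the samples, with one IPv6 row and one more-specific HR host added) and looks addresses up against it. The reference does not state how the ASA resolves an address covered by more than one mapping; this example assumes longest-prefix match, and its function names are its own.

```python
"""Offline lookup against a `show asp table cts sgt-map` listing.

Added example for this reference entry; it is not Cisco code. The listing
below is constructed from the sample output above (same entries, plus one
IPv6 row and a more specific host inside 10.67.0.0/16). The reference does
not state how the ASA resolves an address that falls under more than one
mapping; this example assumes longest-prefix match. Function names are
this example's own.
"""
import ipaddress
import re

# Constructed listing. The network row keeps the backslash the sample shows.
SAMPLE = r"""ciscoasa# show asp table cts sgt-map
IP Address                    SGT
==================================================
10.10.10.5                    1234:Marketing
10.34.89.12                   5:Engineering
10.67.0.0\16                  338:HR
10.67.5.5                     9:HR-Admins
192.4.4.4                     345:Finance
FE80::A8BB:CCFF:FE00:110      17:Marketing-Servers
Total number of entries shown = 6
"""

# A data row: address (optionally with \len or /len), then tag[:name].
# The header, separator and trailer lines do not start with a hex/dot/colon run
# followed by whitespace, so they fail to match.
ROW_RE = re.compile(
    r"^(?P<addr>[0-9A-Fa-f.:]+(?:[\\/]\d+)?)\s+(?P<sgt>\d+)(?::(?P<name>\S+))?\s*$")


def parse_sgt_map(text):
    """Return a list of (network, sgt, name, original_text) tuples.
    Host rows become /32 or /128 networks; a backslash length is read as '/'."""
    table = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        net = ipaddress.ip_network(m.group("addr").replace("\\", "/"), strict=False)
        table.append((net, int(m.group("sgt")), m.group("name"), m.group("addr")))
    return table


def lookup(table, address):
    """(tag, name) for an address, preferring the most specific mapping;
    None when no mapping covers it. Address family mismatches never match."""
    ip = ipaddress.ip_address(address)
    best = None
    for net, sgt, name, _ in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, sgt, name)
    return None if best is None else (best[1], best[2])


def addresses_for_sgt(table, sgt):
    """Original address strings mapped to a tag (what `sgt <sgt>` lists)."""
    return [orig for _, tag, _, orig in table if tag == sgt]


if __name__ == "__main__":
    table = parse_sgt_map(SAMPLE)
    for host in ("10.67.12.3", "10.67.5.5", "172.16.0.1"):
        print(host, "->", lookup(table, host))
```

The network row is normalised before it reaches the ipaddress module, so the lookup works whether the device prints the prefix length with a backslash, as the sample does, or with a slash.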
Related Commands
Command                    Description
show running-config cts    Shows the SXP connections for the running configuration.
show cts environment       Shows the health and status of the environment data refresh
                           operation.
show asp table dynamic-filter
To debug the accelerated security path Botnet Traffic Filter tables, use the show asp table
dynamic-filter command in privileged EXEC mode.
show asp table dynamic-filter [hits]
Syntax Description
hits    (Optional) Shows classifier entries which have non-zero hits values.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode        Firewall Mode           Security Context
                    Routed   Transparent    Single   Multiple: Context   Multiple: System
Privileged EXEC     • Yes    • Yes          • Yes    • Yes               —
Command History
Release    Modification
8.2(1)     This command was added.
Usage Guidelines
The show asp table dynamic-filter command shows the Botnet Traffic Filter rules in the accelerated
security path, which might help you troubleshoot a problem. See the CLI configuration guide for more
information about the accelerated security path. These tables are used for debugging purposes only, and
the information output is subject to change. Consult Cisco TAC to help you debug your system with this
command.
Examples
The following is sample output from the show asp table dynamic-filter command:
ciscoasa# show asp table dynamic-filter
Context: admin
Address 10.246.235.42 mask 255.255.255.255 name: example.info flags: 0x44 hits 0
Address 10.40.9.250 mask 255.255.255.255 name: bad3.example.com flags: 0x44 hits 0
Address 10.64.147.20 mask 255.255.255.255 name: bad2.example.com flags: 0x44 hits 0
Address 10.73.210.121 mask 255.255.255.255 name: bad1.example.com flags: 0x44 hits 0
Address 10.34.131.135 mask 255.255.255.255 name: bad.example.com flags: 0x44 hits 0
Address 10.64.147.16 mask 255.255.255.255 name: 1st-software-downloads.com flags: 0x44 hits 2
Address 10.131.36.158 mask 255.255.255.255 name: www.example.com flags: 0x41 hits 0
Address 10.129.205.209 mask 255.255.255.255 flags: 0x1 hits 0
Address 10.166.20.10 mask 255.255.255.255 flags: 0x1 hits 0
...
Related Commands
Command                               Description
address                               Adds an IP address to the blacklist or whitelist.
clear configure dynamic-filter        Clears the running Botnet Traffic Filter configuration.
clear dynamic-filter dns-snoop        Clears Botnet Traffic Filter DNS snooping data.
clear dynamic-filter reports          Clears Botnet Traffic Filter report data.
clear dynamic-filter statistics       Clears Botnet Traffic Filter statistics.
dns domain-lookup                     Enables the ASA to send DNS requests to a DNS server to perform a name lookup for supported commands.
dns server-group                      Identifies a DNS server for the ASA.
dynamic-filter ambiguous-is-black     Treats greylisted traffic as blacklisted traffic for action purposes.
dynamic-filter blacklist              Edits the Botnet Traffic Filter blacklist.
dynamic-filter database fetch         Manually retrieves the Botnet Traffic Filter dynamic database.
dynamic-filter database find          Searches the dynamic database for a domain name or IP address.
dynamic-filter database purge         Manually deletes the Botnet Traffic Filter dynamic database.
dynamic-filter drop blacklist         Automatically drops blacklisted traffic.
dynamic-filter enable                 Enables the Botnet Traffic Filter for a class of traffic or for all traffic if you do not specify an access list.
dynamic-filter updater-client enable  Enables downloading of the dynamic database.
dynamic-filter use-database           Enables use of the dynamic database.
dynamic-filter whitelist              Edits the Botnet Traffic Filter whitelist.
inspect dns dynamic-filter-snoop      Enables DNS inspection with Botnet Traffic Filter snooping.
name                                  Adds a name to the blacklist or whitelist.
show dynamic-filter data              Shows information about the dynamic database, including when the dynamic database was last downloaded, the version of the database, how many entries the database contains, and 10 sample entries.
show dynamic-filter dns-snoop         Shows the Botnet Traffic Filter DNS snooping summary, or with the detail keyword, the actual IP addresses and names.
show dynamic-filter reports           Generates reports of the top 10 botnet sites, ports, and infected hosts.
show dynamic-filter statistics        Shows how many connections were monitored with the Botnet Traffic Filter, and how many of those connections match the whitelist, blacklist, and greylist.
show dynamic-filter updater-client    Shows information about the updater server, including the server IP address, the next time the ASA will connect with the server, and the database version last installed.
show running-config dynamic-filter    Shows the Botnet Traffic Filter running configuration.
show asp table filter
To debug the accelerated security path filter tables, use the show asp table filter command in privileged
EXEC mode.
show asp table filter [access-list acl-name] [hits] [match regexp]
Syntax Description
acl-name       (Optional) Specifies the installed filter for a specified access list.
hits           (Optional) Specifies the filter rules that have non-zero hits values.
match regexp   (Optional) Shows classifier entries that match the regular expression. Use quotes when regular expressions include spaces.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode      Firewall Mode        Security Context
                  Routed  Transparent  Single  Multiple: Context  Multiple: System
Privileged EXEC   Yes     Yes          Yes     Yes                —
Command History
Release  Modification
8.2(2)   This command was added.
Usage Guidelines
When a filter has been applied to a VPN tunnel, the filter rules are installed into the filter table. If the
tunnel has a filter specified, then the filter table is checked before encryption and after decryption to
determine whether the inner packet should be permitted or denied.
Examples
The following is sample output from the show asp table filter command before user1 connects. Only
the implicit deny rules are installed for IPv4 and IPv6 in both the inbound and outbound directions.
ciscoasa# show asp table filter
Global Filter Table:
in id=0xd616ef20, priority=11, domain=vpn-user, deny=true
hits=0, user_data=0xd613ea60, filter_id=0x0(-implicit deny-), protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
in id=0xd616f420, priority=11, domain=vpn-user, deny=true
hits=0, user_data=0xd615ef70, filter_id=0x0(-implicit deny-), protocol=0
src ip=::/0, port=0
dst ip=::/0, port=0
out id=0xd616f1a0, priority=11, domain=vpn-user, deny=true
hits=0, user_data=0xd614d900, filter_id=0x0(-implicit deny-), protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
out id=0xd616f6d0, priority=11, domain=vpn-user, deny=true
hits=0, user_data=0xd6161638, filter_id=0x0(-implicit deny-), protocol=0
src ip=::/0, port=0
dst ip=::/0, port=0
The following is sample output from the show asp table filter command after user1 has connected.
VPN filter ACLs are defined based on the inbound direction—the source represents the peer and the
destination represents inside resources. The outbound rules are derived by swapping the source and
destination of each inbound rule.
ciscoasa# show asp table filter
Global Filter Table:
in id=0xd682f4a0, priority=12, domain=vpn-user, deny=false
hits=0, user_data=0xd682f460, filter_id=0x2(vpnfilter), protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=95.1.224.100, mask=255.255.255.255, port=21
in id=0xd68366a0, priority=12, domain=vpn-user, deny=false
hits=0, user_data=0xd6d89050, filter_id=0x2(vpnfilter), protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=95.1.224.100, mask=255.255.255.255, port=5001
in id=0xd45d5b08, priority=12, domain=vpn-user, deny=false
hits=0, user_data=0xd45d5ac8, filter_id=0x2(vpnfilter), protocol=17
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=95.1.224.100, mask=255.255.255.255, port=5002
in id=0xd6244f30, priority=12, domain=vpn-user, deny=false
hits=0, user_data=0xd6244ef0, filter_id=0x2(vpnfilter), protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=95.1.224.100, mask=255.255.255.255, port=0
in id=0xd64edca8, priority=12, domain=vpn-user, deny=true
hits=0, user_data=0xd64edc68, filter_id=0x2(vpnfilter), protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
in id=0xd616f018, priority=11, domain=vpn-user, deny=true
hits=43, user_data=0xd613eb58, filter_id=0x0(-implicit deny-), protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
in id=0xd616f518, priority=11, domain=vpn-user, deny=true
hits=0, user_data=0xd615f068, filter_id=0x0(-implicit deny-), protocol=0
src ip=::/0, port=0
dst ip=::/0, port=0
out id=0xd7395650, priority=12, domain=vpn-user, deny=false
hits=0, user_data=0xd7395610, filter_id=0x2(vpnfilter), protocol=6
src ip=95.1.224.100, mask=255.255.255.255, port=21
dst ip=0.0.0.0, mask=0.0.0.0, port=0
out id=0xd45d49b8, priority=12, domain=vpn-user, deny=false
hits=0, user_data=0xd45d4978, filter_id=0x2(vpnfilter), protocol=6
src ip=95.1.224.100, mask=255.255.255.255, port=5001
dst ip=0.0.0.0, mask=0.0.0.0, port=0
out id=0xd45d5cf0, priority=12, domain=vpn-user, deny=false
hits=0, user_data=0xd45d5cb0, filter_id=0x2(vpnfilter), protocol=17
src ip=95.1.224.100, mask=255.255.255.255, port=5002
dst ip=0.0.0.0, mask=0.0.0.0, port=0
out id=0xd6245118, priority=12, domain=vpn-user, deny=false
hits=0, user_data=0xd62450d8, filter_id=0x2(vpnfilter), protocol=1
src ip=95.1.224.100, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
out id=0xd64ede90, priority=12, domain=vpn-user, deny=true
hits=0, user_data=0xd64ede50, filter_id=0x2(vpnfilter), protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
out id=0xd616f298, priority=11, domain=vpn-user, deny=true
hits=0, user_data=0xd614d9f8, filter_id=0x0(-implicit deny-), protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
out id=0xd616f7c8, priority=11, domain=vpn-user, deny=true
hits=0, user_data=0xd6161730, filter_id=0x0(-implicit deny-), protocol=0
src ip=::/0, port=0
dst ip=::/0, port=0
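The text above says that the outbound rules are derived by swapping source and destination of each inbound rule, and the second listing shows hits=43 on the inbound implicit deny, which is where traffic not permitted by the VPN filter ends up. As an added example that is not part of the Cisco reference, the following Python script parses captured show asp table filter output, checks that every inbound permit rule has its swapped outbound counterpart, and totals the implicit-deny hits. The sample text is constructed from the listing above with the outbound mirror of the ICMP rule deliberately left out so that the check has something to report; the rule ids and addresses are the page's own sample values.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the show asp table filter output above, with
# the outbound mirror of the ICMP (protocol 1) permit rule deliberately left out.
SAMPLE_FILTER_TABLE = """\
Global Filter Table:
in id=0xd682f4a0, priority=12, domain=vpn-user, deny=false
  hits=0, user_data=0xd682f460, filter_id=0x2(vpnfilter), protocol=6
  src ip=0.0.0.0, mask=0.0.0.0, port=0
  dst ip=95.1.224.100, mask=255.255.255.255, port=21
in id=0xd6244f30, priority=12, domain=vpn-user, deny=false
  hits=0, user_data=0xd6244ef0, filter_id=0x2(vpnfilter), protocol=1
  src ip=0.0.0.0, mask=0.0.0.0, port=0
  dst ip=95.1.224.100, mask=255.255.255.255, port=0
in id=0xd616f018, priority=11, domain=vpn-user, deny=true
  hits=43, user_data=0xd613eb58, filter_id=0x0(-implicit deny-), protocol=0
  src ip=0.0.0.0, mask=0.0.0.0, port=0
  dst ip=0.0.0.0, mask=0.0.0.0, port=0
in id=0xd616f518, priority=11, domain=vpn-user, deny=true
  hits=0, user_data=0xd615f068, filter_id=0x0(-implicit deny-), protocol=0
  src ip=::/0, port=0
  dst ip=::/0, port=0
out id=0xd7395650, priority=12, domain=vpn-user, deny=false
  hits=0, user_data=0xd7395610, filter_id=0x2(vpnfilter), protocol=6
  src ip=95.1.224.100, mask=255.255.255.255, port=21
  dst ip=0.0.0.0, mask=0.0.0.0, port=0
out id=0xd616f298, priority=11, domain=vpn-user, deny=true
  hits=0, user_data=0xd614d9f8, filter_id=0x0(-implicit deny-), protocol=0
  src ip=0.0.0.0, mask=0.0.0.0, port=0
  dst ip=0.0.0.0, mask=0.0.0.0, port=0
"""

HEADER = re.compile(r"^(in|out) id=(0x[0-9a-f]+), priority=(\d+), domain=\S+, deny=(true|false)$")
STATS = re.compile(r"^hits=(\d+), user_data=\S+, filter_id=(.+), protocol=(\d+)$")
ENDPOINT = re.compile(r"^(src|dst) ip=(\S+?)(?:, mask=(\S+?))?, port=(\d+)$")


@dataclass
class FilterRule:
    direction: str      # "in" (peer -> inside resources) or "out" (inside -> peer)
    rule_id: str
    priority: int
    deny: bool
    hits: int = 0
    filter_id: str = ""
    protocol: int = 0
    src: str = ""       # normalised "address/mask:port"
    dst: str = ""


def parse_filter_table(text: str) -> List[FilterRule]:
    rules: List[FilterRule] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            rules.append(FilterRule(m.group(1), m.group(2), int(m.group(3)), m.group(4) == "true"))
            continue
        if not rules:
            continue  # banner lines before the first rule
        m = STATS.match(line)
        if m:
            rules[-1].hits = int(m.group(1))
            rules[-1].filter_id = m.group(2)
            rules[-1].protocol = int(m.group(3))
            continue
        m = ENDPOINT.match(line)
        if m:
            # IPv6 entries print a prefix ("::/0") and carry no mask field
            setattr(rules[-1], m.group(1), f"{m.group(2)}/{m.group(3) or '-'}:{m.group(4)}")
    return rules


def unmirrored_inbound(rules: List[FilterRule]) -> List[FilterRule]:
    """Inbound permit rules that have no outbound rule with src and dst swapped."""
    outbound = {(r.protocol, r.src, r.dst) for r in rules if r.direction == "out" and not r.deny}
    return [r for r in rules
            if r.direction == "in" and not r.deny and (r.protocol, r.dst, r.src) not in outbound]


def implicit_deny_hits(rules: List[FilterRule]) -> int:
    """Packets the VPN filter dropped because no explicit rule matched them."""
    return sum(r.hits for r in rules if "implicit deny" in r.filter_id)


if __name__ == "__main__":
    table = parse_filter_table(SAMPLE_FILTER_TABLE)
    for rule in unmirrored_inbound(table):
        print(f"inbound rule {rule.rule_id} (protocol {rule.protocol}, dst {rule.dst}) has no outbound mirror")
    print("packets dropped by the implicit deny:", implicit_deny_hits(table))
```

Because the ASA checks the table before encryption and after decryption, a missing outbound mirror shows up as traffic that enters the tunnel but never gets a reply; a rising implicit-deny hit count is the first place to look when a VPN user reports that a permitted service does not answer.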
Related Commands
Command                    Description
show asp drop              Shows the accelerated security path counters for dropped packets.
show asp table classifier  Shows the classifier contents of the accelerated security path.
show asp table interfaces
To debug the accelerated security path interface tables, use the show asp table interfaces command in
privileged EXEC mode.
show asp table interfaces
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode      Firewall Mode        Security Context
                  Routed  Transparent  Single  Multiple: Context  Multiple: System
Privileged EXEC   Yes     Yes          Yes     Yes                Yes
Command History
Release  Modification
7.0(1)   This command was added.
Usage Guidelines
The show asp table interfaces command shows the interface table contents of the accelerated security
path, which might help you troubleshoot a problem. See the CLI configuration guide for more
information about the accelerated security path. These tables are used for debugging purposes only, and
the information output is subject to change. Consult Cisco TAC to help you debug your system with this
command.
Examples
The following is sample output from the show asp table interfaces command:
ciscoasa# show asp table interfaces
** Flags: 0x0001-DHCP, 0x0002-VMAC, 0x0010-Ident Ifc, 0x0020-HDB Initd,
0x0040-RPF Enabled
Soft-np interface 'dmz' is up
context single_vf, nicnum 0, mtu 1500
vlan 300, Not shared, seclvl 50
0 packets input, 1 packets output
flags 0x20
Soft-np interface 'foo' is down
context single_vf, nicnum 2, mtu 1500
vlan <None>, Not shared, seclvl 0
0 packets input, 0 packets output
flags 0x20
Soft-np interface 'outside' is down
context single_vf, nicnum 1, mtu 1500
vlan <None>, Not shared, seclvl 50
0 packets input, 0 packets output
flags 0x20
Soft-np interface 'inside' is up
context single_vf, nicnum 0, mtu 1500
vlan <None>, Not shared, seclvl 100
680277 packets input, 92501 packets output
flags 0x20
...
Related Commands
Command         Description
interface       Configures an interface and enters interface configuration mode.
show interface  Displays the runtime status and statistics of interfaces.
show asp table routing management-only
To debug the accelerated security path routing tables, use the show asp table routing command in
privileged EXEC mode. This command supports IPv4 and IPv6 addresses. The management-only
keyword displays the number-portability routes in the management routing table.
show asp table routing [input | output] [address ip_address [netmask mask] | interface interface_name] management-only
Syntax Description
address ip_address        Sets the IP address for which you want to view routing entries. For IPv6 addresses, you can include the subnet mask as a slash (/) followed by the prefix (0 to 128). For example, enter the following: fe80::2e0:b6ff:fe01:3b7a/128
input                     Shows the entries from the input route table.
interface interface_name  (Optional) Identifies a specific interface for which you want to view the routing table.
netmask mask              For IPv4 addresses, specifies the subnet mask.
output                    Shows the entries from the output route table.
management-only           Shows the number-portability routes in the management routing table.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode      Firewall Mode        Security Context
                  Routed  Transparent  Single  Multiple: Context  Multiple: System
Privileged EXEC   Yes     Yes          Yes     Yes                Yes
Command History
Release  Modification
7.0(1)   This command was added.
9.3(2)   Routing per zone information was added.
9.5(1)   The management-only keyword to support the management routing table was added.
Usage Guidelines
The show asp table routing command shows the routing table contents of the accelerated security path,
which might help you troubleshoot a problem. See the CLI configuration guide for more information
about the accelerated security path. These tables are used for debugging purposes only, and the
information output is subject to change. Consult Cisco TAC to help you debug your system with this
command. The management-only keyword displays the number-portability routes in the management
routing table.
Note    Invalid entries may appear in the show asp table routing command output on the ASA 5505.
Examples
The following is sample output from the show asp table routing command:
ciscoasa# show asp table routing
in   255.255.255.255   255.255.255.255   identity
in   224.0.0.9         255.255.255.255   identity
in   10.86.194.60      255.255.255.255   identity
in   10.86.195.255     255.255.255.255   identity
in   10.86.194.0       255.255.255.255   identity
in   209.165.202.159   255.255.255.255   identity
in   209.165.202.255   255.255.255.255   identity
in   209.165.201.30    255.255.255.255   identity
in   209.165.201.0     255.255.255.255   identity
in   10.86.194.0       255.255.254.0     inside
in   224.0.0.0         240.0.0.0         identity
in   0.0.0.0           0.0.0.0           inside
out  255.255.255.255   255.255.255.255   foo
out  224.0.0.0         240.0.0.0         foo
out  255.255.255.255   255.255.255.255   test
out  224.0.0.0         240.0.0.0         test
out  255.255.255.255   255.255.255.255   inside
out  10.86.194.0       255.255.254.0     inside
out  224.0.0.0         240.0.0.0         inside
out  0.0.0.0           0.0.0.0           via 10.86.194.1, inside
out  0.0.0.0           0.0.0.0           via 0.0.0.0, identity
out  ::                ::                via 0.0.0.0, identity
Note    Invalid entries in the show asp table routing command output may appear on the ASA 5505 platform. Ignore these entries; they have no effect.
Related Commands
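As in any routing table, the most specific entry wins: a host route (255.255.255.255 mask) is preferred over the 255.255.254.0 network route, which in turn is preferred over the 0.0.0.0 default, and the in and out tables are consulted independently. The following Python script is an added example and not part of the Cisco reference: it parses a constructed subset of the routes shown above, converts each address/mask pair to a network (the IPv6 line prints its mask as an address, so the script counts the mask bits and assumes a contiguous mask), and performs a per-direction longest-prefix lookup. The addresses looked up are the example's own.

```python
import ipaddress
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample: a subset of the show asp table routing output above.
SAMPLE_ROUTES = """\
in   255.255.255.255   255.255.255.255   identity
in   10.86.194.60      255.255.255.255   identity
in   10.86.195.255     255.255.255.255   identity
in   10.86.194.0       255.255.254.0     inside
in   224.0.0.0         240.0.0.0         identity
in   0.0.0.0           0.0.0.0           inside
out  255.255.255.255   255.255.255.255   inside
out  10.86.194.0       255.255.254.0     inside
out  224.0.0.0         240.0.0.0         inside
out  0.0.0.0           0.0.0.0           via 10.86.194.1, inside
out  ::                ::                via 0.0.0.0, identity
"""


def to_network(dest: str, mask: str) -> Network:
    """Build a network from the table's address/mask pair (IPv6 masks are printed as addresses too)."""
    if ":" in dest:
        # assumption: the mask is contiguous, so its popcount is the prefix length
        prefixlen = bin(int(ipaddress.IPv6Address(mask))).count("1")
        return ipaddress.IPv6Network((dest, prefixlen), strict=False)
    return ipaddress.IPv4Network((dest, mask), strict=False)


def parse_asp_routes(text: str) -> List[Tuple[str, Network, str]]:
    routes = []
    for line in text.splitlines():
        # direction, destination, mask, target; the target may contain spaces ("via x, inside")
        parts = line.split(None, 3)
        if len(parts) != 4 or parts[0] not in ("in", "out"):
            continue
        direction, dest, mask, target = parts
        routes.append((direction, to_network(dest, mask), target.strip()))
    return routes


def lookup(routes, direction: str, ip: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match in one direction; returns (matched network, target) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for d, net, target in routes:
        if d != direction or net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, target)
    return None if best is None else (str(best[0]), best[1])


if __name__ == "__main__":
    table = parse_asp_routes(SAMPLE_ROUTES)
    for direction, ip in (("in", "10.86.194.60"), ("in", "10.86.195.10"),
                          ("out", "8.8.8.8"), ("out", "2001:db8::1")):
        print(direction, ip, "->", lookup(table, direction, ip))
```

In the sample, the identity entries are the ASA's own addresses plus the broadcast and multicast ranges, so an input lookup that lands on identity tells you the packet is for the box itself rather than for forwarding; an output lookup that falls through to the 0.0.0.0 entry tells you which next hop and interface a through-the-box packet will take.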
Command     Description
show route  Shows the routing table in the control plane.
show asp table socket
To help debug the accelerated security path socket information, use the show asp table socket command
in privileged EXEC mode.
show asp table socket [socket handle] [stats]
Syntax Description
socket handle   Specifies the length of the socket.
stats           Shows the statistics from the accelerated security path socket table.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode      Firewall Mode        Security Context
                  Routed  Transparent  Single  Multiple: Context  Multiple: System
Privileged EXEC   Yes     Yes          Yes     Yes                Yes
Command History
Release  Modification
8.0(2)   This command was added.
Usage Guidelines
The show asp table socket command shows the accelerated security path socket information, which
might help in troubleshooting accelerated security path socket problems. See the CLI configuration
guide for more information about the accelerated security path. These tables are used for debugging
purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug
your system with this command.
Examples
The following is sample output from the show asp table socket command:
Protocol  Socket    Local Address          Foreign Address        State
TCP       00012bac  10.86.194.224:23       0.0.0.0:*              LISTEN
TCP       0001c124  10.86.194.224:22       0.0.0.0:*              LISTEN
SSL       00023b84  10.86.194.224:443      0.0.0.0:*              LISTEN
SSL       0002d01c  192.168.1.1:443        0.0.0.0:*              LISTEN
DTLS      00032b1c  10.86.194.224:443      0.0.0.0:*              LISTEN
SSL       0003a3d4  0.0.0.0:443            0.0.0.0:*              LISTEN
DTLS      00046074  0.0.0.0:443            0.0.0.0:*              LISTEN
TCP       02c08aec  10.86.194.224:22       171.69.137.139:4190    ESTAB
The following is sample output from the show asp table socket stats command:
TCP Statistics:
  Rcvd:
    total 14794
    checksum errors 0
    no port 0
  Sent:
    total 0
UDP Statistics:
  Rcvd:
    total 0
    checksum errors 0
  Sent:
    total 0
    copied 0
NP SSL System Stats:
  Handshake Started: 33
  Handshake Complete: 33
  SSL Open: 4
  SSL Close: 117
  SSL Server: 58
  SSL Server Verify: 0
  SSL Client: 0
TCP/UDP statistics are packet counters representing the number of packets sent or received that are
directed to a service that is running or listening on the ASA, such as Telnet, SSH, or HTTPS. Checksum
errors are the number of packets dropped because the calculated packet checksum did not match the
checksum value stored in the packet (that is, the packet was corrupted). The NP SSL statistics indicate
the number of each type of message received. Most indicate the start and completion of new SSL
connections to either the SSL server or SSL client.
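To turn the two listings above into something a script can act on, the following Python code (an added example, not from the Cisco reference) parses the socket table into records and the stats block into nested counters, then answers the questions a reviewer usually asks of this output: which ports the ASA is listening on per protocol, which sessions are established, whether a Telnet listener is present, and how many received packets were dropped for checksum errors. Both sample inputs are constructed from the outputs above; the UDP checksum-error count is set to 3 so that the check reports a non-zero value.

```python
import re
from typing import Dict, List, NamedTuple, Set, Tuple


class AspSocket(NamedTuple):
    protocol: str
    handle: str
    local: str
    foreign: str
    state: str


# Constructed samples modelled on the two outputs above; the UDP checksum error
# count is deliberately non-zero so the check below has something to report.
SAMPLE_SOCKET_TABLE = """\
Protocol  Socket    Local Address          Foreign Address        State
TCP       00012bac  10.86.194.224:23       0.0.0.0:*              LISTEN
TCP       0001c124  10.86.194.224:22       0.0.0.0:*              LISTEN
SSL       00023b84  10.86.194.224:443      0.0.0.0:*              LISTEN
DTLS      00046074  0.0.0.0:443            0.0.0.0:*              LISTEN
TCP       02c08aec  10.86.194.224:22       171.69.137.139:4190    ESTAB
"""

SAMPLE_SOCKET_STATS = """\
TCP Statistics:
  Rcvd:
    total 14794
    checksum errors 0
    no port 0
  Sent:
    total 0
UDP Statistics:
  Rcvd:
    total 0
    checksum errors 3
  Sent:
    total 0
    copied 0
NP SSL System Stats:
  Handshake Started: 33
  Handshake Complete: 33
  SSL Open: 4
"""

# "total 14794", "checksum errors 0", "Handshake Started: 33" -> (name, value)
COUNTER = re.compile(r"^([A-Za-z][A-Za-z /]*?):?\s*(\d+)$")


def parse_socket_table(text: str) -> List[AspSocket]:
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] != "Protocol":
            rows.append(AspSocket(*parts))
    return rows


def parse_socket_stats(text: str) -> Dict[str, Dict[str, Dict[str, int]]]:
    """Nested counters: stats[section][direction][counter]; direction is 'all' outside Rcvd/Sent."""
    stats: Dict[str, Dict[str, Dict[str, int]]] = {}
    section, direction = "", "all"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNTER.match(line)
        if m:
            stats.setdefault(section, {}).setdefault(direction, {})[m.group(1).strip()] = int(m.group(2))
        elif line in ("Rcvd:", "Sent:"):
            direction = line[:-1]
        else:  # "TCP Statistics:", "UDP Statistics:", "NP SSL System Stats:"
            section, direction = line.rstrip(":").replace(" Statistics", ""), "all"
    return stats


def listening_ports(sockets: List[AspSocket]) -> Dict[str, Set[int]]:
    ports: Dict[str, Set[int]] = {}
    for s in sockets:
        if s.state == "LISTEN":
            ports.setdefault(s.protocol, set()).add(int(s.local.rsplit(":", 1)[1]))
    return ports


def established(sockets: List[AspSocket]) -> List[Tuple[str, str]]:
    return [(s.local, s.foreign) for s in sockets if s.state == "ESTAB"]


def telnet_listeners(sockets: List[AspSocket]) -> List[str]:
    """Handles of TCP listeners on port 23; Telnet carries credentials in clear text."""
    return [s.handle for s in sockets
            if s.protocol == "TCP" and s.state == "LISTEN" and s.local.endswith(":23")]


def checksum_errors(stats) -> Dict[str, int]:
    """Received packets dropped as corrupted, per transport protocol."""
    return {p: stats[p]["Rcvd"].get("checksum errors", 0) for p in ("TCP", "UDP") if p in stats}


if __name__ == "__main__":
    socks = parse_socket_table(SAMPLE_SOCKET_TABLE)
    print("listening:", listening_ports(socks))
    print("established:", established(socks))
    print("telnet listeners:", telnet_listeners(socks))
    print("checksum errors:", checksum_errors(parse_socket_stats(SAMPLE_SOCKET_STATS)))
```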
Related Commands
Command                     Description
show asp table vpn-context  Shows the accelerated security path VPN context tables.
show asp table vpn-context
To debug the accelerated security path VPN context tables, use the show asp table vpn-context
command in privileged EXEC mode.
show asp table vpn-context [detail]
Syntax Description
detail    (Optional) Shows additional detail for the VPN context tables.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode      Firewall Mode        Security Context
                  Routed  Transparent  Single  Multiple: Context  Multiple: System
Privileged EXEC   Yes     Yes          Yes     Yes                Yes
Command History
Release  Modification
7.0(1)   This command was added.
8.0(4)   The +PRESERVE flag for each context that maintains stateful flows after the tunnel drops was added.
9.0(1)   Support for multiple context mode was added.
Usage Guidelines
The show asp table vpn-context command shows the VPN context contents of the accelerated security
path, which might help you troubleshoot a problem. See the CLI configuration guide for more
information about the accelerated security path. These tables are used for debugging purposes only, and
the information output is subject to change. Consult Cisco TAC to help you debug your system with this
command.
Examples
The following is sample output from the show asp table vpn-context command:
ciscoasa# show asp table vpn-context
VPN ID=0058070576, DECR+ESP, UP, pk=0000000000, rk=0000000000, gc=0
VPN ID=0058193920, ENCR+ESP, UP, pk=0000000000, rk=0000000000, gc=0
VPN ID=0058168568, DECR+ESP, UP, pk=0000299627, rk=0000000061, gc=2
VPN ID=0058161168, ENCR+ESP, UP, pk=0000305043, rk=0000000061, gc=1
VPN ID=0058153728, DECR+ESP, UP, pk=0000271432, rk=0000000061, gc=2
VPN ID=0058150440, ENCR+ESP, UP, pk=0000285328, rk=0000000061, gc=1
VPN ID=0058102088, DECR+ESP, UP, pk=0000268550, rk=0000000061, gc=2
VPN ID=0058134088, ENCR+ESP, UP, pk=0000274673, rk=0000000061, gc=1
VPN ID=0058103216, DECR+ESP, UP, pk=0000252854, rk=0000000061, gc=2
...
The following is sample output from the show asp table vpn-context command when the persistent
IPsec tunneled flows feature is enabled, as shown by the PRESERVE flag:
ciscoasa(config)# show asp table vpn-context
VPN CTX=0x0005FF54, Ptr=0x6DE62DA0, DECR+ESP+PRESERVE, UP, pk=0000000000, rk=0000000000, gc=0
VPN CTX=0x0005B234, Ptr=0x6DE635E0, ENCR+ESP+PRESERVE, UP, pk=0000000000, rk=0000000000, gc=0
The following is sample output from the show asp table vpn-context detail command:
ciscoasa# show asp table vpn-context detail
VPN Ctx    = 0058070576 [0x03761630]
State      = UP
Flags      = DECR+ESP
SA         = 0x037928F0
SPI        = 0xEA0F21F0
Group      = 0
Pkts       = 0
Bad Pkts   = 0
Bad SPI    = 0
Spoof      = 0
Bad Crypto = 0
Rekey Pkt  = 0
Rekey Call = 0

VPN Ctx    = 0058193920 [0x0377F800]
State      = UP
Flags      = ENCR+ESP
SA         = 0x037B4B70
SPI        = 0x900FDC32
Group      = 0
Pkts       = 0
Bad Pkts   = 0
Bad SPI    = 0
Spoof      = 0
Bad Crypto = 0
Rekey Pkt  = 0
Rekey Call = 0
...
The following is sample output from the show asp table vpn-context detail command when the
persistent IPsec tunneled flows feature is enabled, as shown by the PRESERVE flag:
ciscoasa(config)# show asp table vpn-context detail
VPN CTX    = 0x0005FF54
Peer IP    = ASA_Private
Pointer    = 0x6DE62DA0
State      = UP
Flags      = DECR+ESP+PRESERVE
SA         = 0x001659BF
SPI        = 0xB326496C
Group      = 0
Pkts       = 0
Bad Pkts   = 0
Bad SPI    = 0
Spoof      = 0
Bad Crypto = 0
Rekey Pkt  = 0
Rekey Call = 0

VPN CTX    = 0x0005B234
Peer IP    = ASA_Private
Pointer    = 0x6DE635E0
State      = UP
Flags      = ENCR+ESP+PRESERVE
SA         = 0x0017988D
SPI        = 0x9AA50F43
Group      = 0
Pkts       = 0
Bad Pkts   = 0
Bad SPI    = 0
Spoof      = 0
Bad Crypto = 0
Rekey Pkt  = 0
Rekey Call = 0
ciscoasa(config)#
Configuration and Restrictions
This configuration option is subject to the same CLI configuration restrictions as other sysopt VPN CLI.
Related Commands
Command        Description
show asp drop  Shows the accelerated security path counters for dropped packets.
show asp table zone
To debug the accelerated security path zone table, use the show asp table zone command in privileged
EXEC mode.
show asp table zone [zone_name]
Syntax Description
zone_name    (Optional) Identifies the zone name.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode      Firewall Mode        Security Context
                  Routed  Transparent  Single  Multiple: Context  Multiple: System
Privileged EXEC   Yes     —            Yes     Yes                Yes
Command History
Release  Modification
9.3(2)   This command was added.
Usage Guidelines
The show asp table zone command shows the contents of the accelerated security path, which might
help you troubleshoot a problem. See the CLI configuration guide for more information about the
accelerated security path. These tables are used for debugging purposes only, and the information output
is subject to change. Consult Cisco TAC to help you debug your system with this command.
Examples
The following is sample output from the show asp table zone command:
ciscoasa# show asp table zone
Zone: outside-zone id: 2
Context: test-ctx
Zone Member(s) : 2
outside1
GigabitEthernet0/0
outside2
GigabitEthernet0/1
Related Commands
Command                 Description
show asp table routing  Shows the accelerated security path tables for debugging purposes, and shows the zone associated with each route.
show zone               Shows zone ID, context, security level, and members.
show auto-update
To see the Auto Update Server status, use the show auto-update command in privileged EXEC mode.
show auto-update
Syntax Description
This command has no arguments or keywords.
Command Default
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode           Firewall Mode        Security Context
                       Routed  Transparent  Single  Multiple: Context  Multiple: System
Global configuration   Yes     Yes          Yes     —                  —
Command History
Release  Modification
7.2(1)   This command was added.
Usage Guidelines
Use this command to view Auto Update Server status.
Examples
The following is sample output from the show auto-update command:
ciscoasa(config)# show auto-update
Poll period: 720 minutes, retry count: 0, retry period: 5 minutes
Timeout: none
Device ID: host name [ciscoasa]
Related Commands
Command                          Description
auto-update device-id            Sets the ASA device ID for use with an Auto Update Server.
auto-update poll-period          Sets how often the ASA checks for updates from an Auto Update Server.
auto-update server               Identifies the Auto Update Server.
auto-update timeout              Stops traffic from passing through the ASA if the Auto Update Server is not contacted within the timeout period.
clear configure auto-update      Clears the Auto Update Server configuration.
show running-config auto-update  Shows the Auto Update Server configuration.
CHAPTER 4
show bgp through show cpu Commands
show bgp
To display entries in the Border Gateway Protocol (BGP) routing table, use the show bgp command in user
EXEC or privileged EXEC mode.
show bgp [ip-address [mask [longer-prefixes [injected] | shorter-prefixes [length]
| bestpath | multipaths | subnets] | bestpath | multipaths]
| all | prefix-list name | pending-prefixes | route-map name]]
Syntax Description
ip-address        (Optional) Specifies the AS path access list name.
mask              (Optional) Mask to filter or match hosts that are part of the specified network.
longer-prefixes   (Optional) Displays the specified route and all more specific routes.
injected          (Optional) Displays more specific prefixes injected into the BGP routing table.
shorter-prefixes  (Optional) Displays the specified route and all less specific routes.
length            (Optional) The prefix length. The value for this argument is a number from 0 to 32.
bestpath          (Optional) Displays the bestpath for this prefix.
multipaths        (Optional) Displays multipaths for this prefix.
subnets           (Optional) Displays the subnet routes for the specified prefix.
all               (Optional) Displays all address family information in the BGP routing table.
prefix-list name  (Optional) Filters the output based on the specified prefix list.
pending-prefixes  (Optional) Displays prefixes that are pending deletion from the BGP routing table.
route-map name    (Optional) Filters the output based on the specified route map.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode                 Firewall Mode        Security Context
                             Routed  Transparent  Single  Multiple: Context  Multiple: System
Privileged EXEC, User EXEC   Yes     —            Yes     Yes                —
Command History
Release  Modification
9.2(1)   This command was added.
Usage Guidelines
The show bgp command is used to display the contents of the BGP routing table. The output can be
filtered to display entries for a specific prefix, prefix length, and prefixes injected through a prefix list,
route map, or conditional advertisement.
Chapter
In Cisco IOS Release 12.0(32)SY8, 12.0(33)S3, 12.2(33)SRE, 12.2(33)XNE, 12.2(33)SXI1, Cisco IOS
XE Release 2.4, and later releases, the Cisco implementation of 4-byte autonomous system numbers uses
asplain—65538 for example—as the default regular expression match and output display format for
autonomous system numbers, but you can configure 4-byte autonomous system numbers in both the
asplain format and the asdot format as described in RFC 5396. To change the default regular expression
match and output display of 4-byte autonomous system numbers to asdot format, use the bgp asnotation
dot command followed by the clear bgp * command to perform a hard reset of all current BGP sessions.
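The asplain/asdot distinction matters for regular-expression matching: a pattern written against asplain output stops matching once bgp asnotation dot is in effect, which is why the paragraph above pairs the notation change with a hard reset. The following Python code is an added example and not Cisco's implementation: it converts 4-byte autonomous system numbers between the two RFC 5396 notations, rewrites an AS path string from one to the other, and shows a pattern that matches in one notation but not the other. The pattern uses Python regular-expression syntax rather than the Cisco AS-path regex dialect, and the paths are constructed from the 65536 and 65550 values used in the 4-byte example below.

```python
import re

AS_MAX = 0xFFFFFFFF


def asplain_to_asdot(asn: int) -> str:
    """RFC 5396 asdot: values below 65536 are unchanged, larger ones print as <high>.<low>."""
    if not 0 <= asn <= AS_MAX:
        raise ValueError(f"ASN out of range: {asn}")
    if asn < 65536:
        return str(asn)
    return f"{asn >> 16}.{asn & 0xFFFF}"


def asdot_to_asplain(text: str) -> int:
    """Accept either notation and return the 32-bit integer value."""
    if "." in text:
        high, low = (int(part) for part in text.split(".", 1))
        if not (0 <= high <= 0xFFFF and 0 <= low <= 0xFFFF):
            raise ValueError(f"asdot component out of range: {text}")
        return (high << 16) | low
    asn = int(text)
    if not 0 <= asn <= AS_MAX:
        raise ValueError(f"ASN out of range: {text}")
    return asn


# An ASN token in either notation; other path tokens ("i", "?", braces) are left alone.
AS_TOKEN = re.compile(r"\d+(?:\.\d+)?")


def convert_as_path(path: str, to: str) -> str:
    """Rewrite every ASN in an AS path string such as '65536 65550 i' into 'asplain' or 'asdot'."""
    if to not in ("asplain", "asdot"):
        raise ValueError(f"unknown notation: {to}")

    def repl(m: "re.Match") -> str:
        asn = asdot_to_asplain(m.group(0))
        return asplain_to_asdot(asn) if to == "asdot" else str(asn)

    return AS_TOKEN.sub(repl, path)


def path_regex_matches(path: str, pattern: str, notation: str) -> bool:
    """Apply a (Python-syntax) regular expression to the path rendered in the given notation."""
    return re.search(pattern, convert_as_path(path, notation)) is not None


if __name__ == "__main__":
    path = "65536 65550 i"           # constructed from the 4-byte example's Path values
    print(path, "->", convert_as_path(path, "asdot"))
    for notation in ("asplain", "asdot"):
        print(notation, r"\b65536\b matches:", path_regex_matches(path, r"\b65536\b", notation))
```

Operationally the lesson is the same one the paragraph above gives: a route map or filter that matches AS paths by regular expression has to be written for the notation the device is configured to display, and re-checked after bgp asnotation dot is turned on or off.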
Examples
The following sample output shows the BGP routing table:
Router# show bgp
BGP table version is 22, local router ID is 10.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.1.1.1/32      0.0.0.0                  0         32768 i
*>i10.2.2.2/32      172.16.1.2               0    100      0 i
*bi10.9.9.9/32      192.168.3.2              0    100      0 10 10 i
*>                  192.168.1.2                             0 10 10 i
* i172.16.1.0/24    172.16.1.2               0    100      0 i
*>                  0.0.0.0                  0         32768 i
*> 192.168.1.0      0.0.0.0                  0         32768 i
*>i192.168.3.0      172.16.1.2               0    100      0 i
*bi192.168.9.0      192.168.3.2              0    100      0 10 10 i
*>                  192.168.1.2                             0 10 10 i
*bi192.168.13.0     192.168.3.2              0    100      0 10 10 i
*>                  192.168.1.2                             0 10 10 i
Table 4-1 shows each field description.
Table 4-1   show bgp Fields
Field              Description
BGP table version  Internal version number of the table. This number is incremented whenever the table changes.
local router ID    IP address of the router.
Status codes       Status of the table entry. The status is displayed at the beginning of each line in the table. It can be one of the following values:
                   • s—The table entry is suppressed.
                   • d—The table entry is dampened.
                   • h—The table entry history.
                   • *—The table entry is valid.
                   • >—The table entry is the best entry to use for that network.
                   • i—The table entry was learned via an internal BGP (iBGP) session.
                   • r—The table entry is a RIB-failure.
                   • S—The table entry is stale.
                   • m—The table entry has multipath to use for that network.
                   • b—The table entry has backup path to use for that network.
                   • x—The table entry has best external route to use for the network.
Origin codes       Origin of the entry. The origin code is placed at the end of each line in the table. It can be one of the following values:
                   • i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised with a network router configuration command.
                   • e—Entry originated from an Exterior Gateway Protocol (EGP).
                   • ?—Origin of the path is not clear. Usually, this is a router that is redistributed into BGP from an IGP.
Network            IP address of a network entity.
Next Hop           IP address of the next system that is used when forwarding a packet to the destination network. An entry of 0.0.0.0 indicates that the router has some non-BGP routes to this network.
Metric             If shown, the value of the interautonomous system metric.
LocPrf             Local preference value as set with the set local-preference route-map configuration command. The default value is 100.
Weight             Weight of the route as set via autonomous system filters.
Path               Autonomous system paths to the destination network. There can be one entry in this field for each autonomous system in the path.
(stale)            Indicates that the following path for the specified autonomous system is marked as "stale" during a graceful restart process.
show bgp (4-Byte Autonomous System Numbers): Example
The following sample output shows the BGP routing table with 4-byte autonomous system numbers,
65536 and 65550, shown under the Path field. This example requires Cisco IOS Release 12.0(32)SY8,
12.0(33)S3, 12.2(33)SRE, 12.2(33)XNE, 12.2(33)SXI1, Cisco IOS XE Release 2.4, or a later release.
RouterB# show bgp
BGP table version is 4, local router ID is 172.17.1.99
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.1.1.0/24      192.168.1.2              0             0 65536 i
*> 10.2.2.0/24      192.168.3.2              0             0 65550 i
*> 172.17.1.0/24    0.0.0.0                  0         32768 i
show bgp ip-address: Example
The following sample output displays information about the 192.168.1.0 entry in the BGP routing table:
Router# show bgp 192.168.1.0
BGP routing table entry for 192.168.1.0/24, version 22
Paths: (2 available, best #2, table default)
  Additional-path
  Advertised to update-groups:
     3
  10 10
    192.168.3.2 from 172.16.1.2 (10.2.2.2)
      Origin IGP, metric 0, localpref 100, valid, internal, backup/repair
  10 10
    192.168.1.2 from 192.168.1.2 (10.3.3.3)
      Origin IGP, localpref 100, valid, external, best , recursive-via-connected
The following sample output displays information about the 10.3.3.3 255.255.255.255 entry in the BGP
routing table:
Router# show bgp 10.3.3.3 255.255.255.255
BGP routing table entry for 10.3.3.3/32, version 35
Paths: (3 available, best #2, table default)
  Multipath: eBGP
  Flag: 0x860
  Advertised to update-groups:
     1
  200
    10.71.8.165 from 10.71.8.165 (192.168.0.102)
      Origin incomplete, localpref 100, valid, external, backup/repair
      Only allowed to recurse through connected route
  200
    10.71.11.165 from 10.71.11.165 (192.168.0.102)
      Origin incomplete, localpref 100, weight 100, valid, external, best
      Only allowed to recurse through connected route
  200
    10.71.10.165 from 10.71.10.165 (192.168.0.104)
      Origin incomplete, localpref 100, valid, external,
      Only allowed to recurse through connected route
Table 4-2 shows each field description.

Table 4-2   show bgp (4 byte autonomous system numbers) Fields

Field                         Description
BGP routing table entry for   IP address or network number of the routing table entry.
version                       Internal version number of the table. This number is incremented
                              whenever the table changes.
Paths                         The number of available paths, and the number of installed best
                              paths. This line displays “Default-IP-Routing-Table” when the best
                              path is installed in the IP routing table.
Multipath                     This field is displayed when multipath load sharing is enabled. It
                              indicates whether the multipaths are iBGP or eBGP.
Advertised to update-groups   The number of each update group for which advertisements are
                              processed.
Origin                        Origin of the entry. The origin can be IGP, EGP, or incomplete. This
                              line displays the configured metric (0 if no metric is configured),
                              the local preference value (100 is the default), and the status and
                              type of route (internal, external, multipath, best).
Extended Community            This field is displayed if the route carries an extended community
                              attribute. The attribute code is displayed on this line. Information
                              about the extended community is displayed on a subsequent line.
show bgp all: Example
The following is sample output from the show bgp command entered with the all keyword. Information
about all configured address families is displayed.
Router# show bgp all
For address family: IPv4 Unicast *****
BGP table version is 27, local router ID is 10.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.1.1.0/24      0.0.0.0                  0         32768 ?
*> 10.13.13.0/24    0.0.0.0                  0         32768 ?
*> 10.15.15.0/24    0.0.0.0                  0         32768 ?
*>i10.18.18.0/24    172.16.14.105         1388  91351      0 100 e
*>i10.100.0.0/16    172.16.14.107          262    272      0 1 2 3 i
*>i10.100.0.0/16    172.16.14.105         1388  91351      0 100 e
*>i10.101.0.0/16    172.16.14.105         1388  91351      0 100 e
*>i10.103.0.0/16    172.16.14.101         1388    173    173 100 e
*>i10.104.0.0/16    172.16.14.101         1388    173    173 100 e
*>i10.100.0.0/16    172.16.14.106         2219  20889      0 53285 33299 51178 47751 e
*>i10.101.0.0/16    172.16.14.106         2219  20889      0 53285 33299 51178 47751 e
*  10.100.0.0/16    172.16.14.109         2309             0 200 300 e
*>                  172.16.14.108         1388             0 100 e
*  10.101.0.0/16    172.16.14.109         2309             0 200 300 e
*>                  172.16.14.108         1388             0 100 e
*> 10.102.0.0/16    172.16.14.108         1388             0 100 e
*> 172.16.14.0/24   0.0.0.0                  0         32768 ?
*> 192.168.5.0      0.0.0.0                  0         32768 ?
*> 10.80.0.0/16     172.16.14.108         1388             0 50 e
*> 10.80.0.0/16     172.16.14.108         1388             0 50 e
show bgp longer-prefixes: Example
The following is sample output from the show bgp command entered with the longer-prefixes keyword:
Router# show bgp 10.92.0.0 255.255.0.0 longer-prefixes
BGP table version is 1738, local router ID is 192.168.72.24
Status codes: s suppressed, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.92.0.0        10.92.72.30           8896         32768 ?
*  10.92.1.0        10.92.72.30                            0 109 108 ?
*>                  10.92.72.30           8796         32768 ?
*  10.92.11.0       10.92.72.30                            0 109 108 ?
*>                  10.92.72.30          42482         32768 ?
*  10.92.14.0       10.92.72.30                            0 109 108 ?
*>                  10.92.72.30           8796         32768 ?
*  10.92.15.0       10.92.72.30                            0 109 108 ?
*>                  10.92.72.30           8696         32768 ?
*  10.92.16.0       10.92.72.30                            0 109 108 ?
*>                  10.92.72.30           1400         32768 ?
*  10.92.17.0       10.92.72.30                            0 109 108 ?
*>                  10.92.72.30           1400         32768 ?
*  10.92.18.0       10.92.72.30                            0 109 108 ?
*>                  10.92.72.30           8876         32768 ?
*  10.92.19.0       10.92.72.30                            0 109 108 ?
*>                  10.92.72.30           8876         32768 ?
*                   10.92.72.30                            0 109 108 ?
show bgp shorter-prefixes: Example
The following is sample output from the show bgp command entered with
the shorter-prefixes keyword. An 8-bit prefix length is specified.
Router# show bgp 172.16.0.0/16 shorter-prefixes 8
*> 172.16.0.0       10.0.0.2                 0             0 ?
*                   10.0.0.2                               0 200 ?
show bgp prefix-list: Example
The following is sample output from the show bgp command entered with the prefix-list keyword:
Router# show bgp prefix-list ROUTE
BGP table version is 39, local router ID is 10.0.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.1.0      10.0.0.2                 0             0 ?
*                   10.0.0.2                               0 200 ?
show bgp route-map: Example
The following is sample output from the show bgp command entered with the route-map keyword:
Router# show bgp route-map LEARNED_PATH
BGP table version is 40, local router ID is 10.0.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.1.0      10.0.0.2                 0             0 ?
*                   10.0.0.2                               0 200 ?
show bgp all community
To display routes for all address families belonging to a particular Border Gateway Protocol (BGP)
community, use the show bgp all community command in user EXEC or privileged EXEC
configuration mode.
show bgp all community [community-number ... [community-number]] [local-as] [no-advertise]
   [no-export] [exact-match]

Syntax Description
community-number   (Optional) Displays the routes pertaining to the community numbers
                   specified. You can specify multiple community numbers. The range is
                   from 1 to 4294967295 or AA:NN (autonomous system:community number,
                   which is a 2-byte number).
local-as           (Optional) Displays only routes that are not sent outside of the local
                   autonomous system (well-known community).
no-advertise       (Optional) Displays only routes that are not advertised to any peer
                   (well-known community).
no-export          (Optional) Displays only routes that are not exported outside of the
                   local autonomous system (well-known community).
exact-match        (Optional) Displays only routes that match exactly with the BGP
                   community list specified.

Note   The availability of keywords in the command depends on the command mode. The
       exact-match keyword is not available in user EXEC mode.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                            Firewall Mode          Security Context
Command Mode                Routed  Transparent    Single  Multiple
                                                           Context  System
Privileged EXEC, User EXEC  Yes     Yes            Yes     Yes      Yes

Command History
Release   Modification
9.2(1)    This command was added.

Usage Guidelines
You can enter the local-as, no-advertise and no-export keywords in any order. When using the
show bgp all community command, be sure to enter the numerical communities before the
well-known communities. For example, the following string is not valid:
ciscoasa# show bgp all community local-as 111:12345
Use the following string instead:
ciscoasa# show bgp all community 111:12345 local-as
Examples
The following is sample output from the show bgp all community command, specifying communities
of 1, 2345, and 6789012:
ciscoasa# show bgp all community 1 2345 6789012 no-advertise local-as no-export exact-match
For address family: IPv4 Unicast
BGP table version is 5, local router ID is 30.0.0.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.3.0/24      10.0.0.4                 0             0 4 3 ?
*> 10.1.0.0/16      10.0.0.4                 0             0 4 ?
*> 10.12.34.0/24    10.0.0.6                               0 6 ?
Table 4-3 shows each field description.

Table 4-3   show bgp all community Fields

Field              Description
BGP table version  Internal version number of the table. This number is incremented whenever
                   the table changes.
local router ID    The router ID of the router on which the BGP communities are set to display.
                   A 32-bit number written as 4 octets separated by periods (dotted-decimal
                   format).
Status codes       Status of the table entry. The status is displayed at the beginning of each
                   line in the table. It can be one of the following values:
                   s—The table entry is suppressed.
                   d—The table entry is dampened.
                   h—The table entry is history.
                   *—The table entry is valid.
                   >—The table entry is the best entry to use for that network.
                   i—The table entry was learned via an internal BGP session.
Origin codes       Indicates the origin of the entry. The origin code is placed at the end of
                   each line in the table. It can be one of the following values:
                   i—Entry originated from the Interior Gateway Protocol (IGP) and was
                   advertised with a network router configuration command.
                   e—Entry originated from the Exterior Gateway Protocol (EGP).
                   ?—Origin of the path is not clear. Usually, this is a route that is
                   redistributed into BGP from an IGP.
Network            The network address and network mask of a network entity. The type of
                   address depends on the address family.
Next Hop           IP address of the next system that is used when forwarding a packet to the
                   destination network. The type of address depends on the address family.
Metric             The value of the inter autonomous system metric. This field is not used
                   frequently.
LocPrf             Local preference value as set with the set local-preference command. The
                   default value is 100.
Weight             Weight of the route as set via autonomous system filters.
Path               Autonomous system paths to the destination network. There can be one entry
                   in this field for each autonomous system in the path.
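The columns described in Table 4-3 are positional, which matters as soon as you want to audit the table rather than read it. The following added example (not Cisco's code) parses the tabular show bgp output by slicing each row at the header's column offsets, then reports any best path whose originating AS differs from what an assumed operator policy expects; SAMPLE_OUTPUT and EXPECTED_ORIGIN_AS are constructed for the example.

```python
"""Parse the tabular 'show bgp' output into records and audit the best path for
each monitored prefix against the origin AS an operator expects.

Added example, not Cisco's code. SAMPLE_OUTPUT is constructed in the column
layout the page documents; EXPECTED_ORIGIN_AS is an assumed operator policy.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_OUTPUT = """\
BGP table version is 27, local router ID is 10.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.1.1.0/24      0.0.0.0                  0         32768 ?
*>i10.18.18.0/24    172.16.14.105         1388  91351      0 100 e
*  10.100.0.0/16    172.16.14.109         2309             0 200 300 e
*>                  172.16.14.108         1388             0 100 e
*> 10.2.2.0/24      192.168.3.2              0             0 65550 i
*> 172.16.14.0/24   0.0.0.0                  0         32768 ?
"""

# Assumed policy: the AS that should originate each monitored prefix.
EXPECTED_ORIGIN_AS = {"10.2.2.0/24": "65536", "10.100.0.0/16": "100"}

HEADER_RE = re.compile(r"^\s+Network\s+Next Hop\s+Metric LocPrf Weight Path\s*$")
COLUMNS = ("Network", "Next Hop", "Metric", "LocPrf", "Weight", "Path")
STATUS_FLAGS = {"s": "suppressed", "d": "damped", "h": "history", "*": "valid",
                ">": "best", "i": "internal", "r": "rib-failure", "S": "stale"}


@dataclass
class BgpEntry:
    status: str            # raw status-code column, e.g. "*>i"
    network: str
    next_hop: str
    metric: Optional[int]
    local_pref: Optional[int]
    weight: int
    as_path: List[str]     # AS numbers as printed, so 4-byte and asdot forms stay intact
    origin: str            # origin code: i, e or ?

    @property
    def is_best(self) -> bool:
        return ">" in self.status

    @property
    def flags(self) -> List[str]:
        return [STATUS_FLAGS[c] for c in self.status if c in STATUS_FLAGS]

    @property
    def origin_as(self) -> Optional[str]:
        # The last AS in the path originated the prefix; an empty path means locally originated.
        return self.as_path[-1] if self.as_path else None


def _opt_int(text: str) -> Optional[int]:
    return int(text) if text.strip() else None


def parse_show_bgp(output: str) -> List[BgpEntry]:
    """Slice each row at the header's column offsets. Metric, LocPrf and Weight are
    positional and often blank, so splitting on whitespace would misassign them."""
    entries: List[BgpEntry] = []
    cols: Dict[str, int] = {}
    current_network = ""
    for line in output.splitlines():
        if not cols:
            if HEADER_RE.match(line):
                cols = {name: line.index(name) for name in COLUMNS}
            continue
        if not line.strip():
            continue
        # Each column runs from its header offset to the next header's offset.
        f = {name: line[cols[name]:cols.get(nxt)].strip()
             for name, nxt in zip(COLUMNS, COLUMNS[1:] + ("",))}
        if f["Network"]:
            current_network = f["Network"]  # blank Network = another path for the previous prefix
        tokens = f["Path"].split()
        entries.append(BgpEntry(
            status=line[:cols["Network"]],
            network=f["Network"] or current_network,
            next_hop=f["Next Hop"],
            metric=_opt_int(f["Metric"]),
            local_pref=_opt_int(f["LocPrf"]),
            weight=int(f["Weight"]),
            as_path=tokens[:-1],
            origin=tokens[-1],
        ))
    return entries


def audit_origins(entries: List[BgpEntry],
                  expected: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (prefix, observed origin AS, expected origin AS) for each best path
    whose originating AS differs from policy; a mismatch is worth investigating."""
    return [(e.network, e.origin_as or "local", expected[e.network])
            for e in entries
            if e.is_best and e.network in expected and e.origin_as != expected[e.network]]
```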
show bgp all neighbors
To display information about Border Gateway Protocol (BGP) connections to neighbors of all address
families, use the show bgp all neighbors command in user EXEC or privileged EXEC mode.
show bgp all neighbors [ip-address] [advertised-routes | paths [reg-exp] | policy [detail] |
   received prefix-filter | received-routes | routes]

Syntax Description
ip-address              (Optional) IP address of a neighbor. If this argument is omitted,
                        information about all neighbors is displayed.
advertised-routes       (Optional) Displays all routes that have been advertised to neighbors.
paths reg-exp           (Optional) Displays autonomous system paths learned from the specified
                        neighbor. An optional regular expression can be used to filter the
                        output.
policy                  (Optional) Displays the policies applied to the neighbor per address
                        family.
detail                  (Optional) Displays detailed policy information such as route maps,
                        prefix lists, community lists, Access Control Lists (ACLs), and
                        autonomous system path filter lists.
received prefix-filter  (Optional) Displays the prefix-list (outbound route filter [ORF]) sent
                        from the specified neighbor.
received-routes         (Optional) Displays all received routes (both accepted and rejected)
                        from the specified neighbor.
routes                  (Optional) Displays all routes that are received and accepted. The
                        output displayed when this keyword is entered is a subset of the output
                        displayed by the received-routes keyword.
Defaults
The output of this command displays information for all neighbors.
Command Modes
The following table shows the modes in which you can enter the command:

                            Firewall Mode          Security Context
Command Mode                Routed  Transparent    Single  Multiple
                                                           Context  System
Privileged EXEC, User EXEC  Yes     Yes            Yes     Yes      Yes

Command History
Release   Modification
9.2(1)    This command was added.

Usage Guidelines
Use the show bgp all neighbors command to display BGP and TCP connection information for
neighbor sessions specific to address families such as IPv4.
Examples
The following example shows output of the show bgp all neighbors command:
ciscoasa# show bgp all neighbors
For address family: IPv4 Unicast
BGP neighbor is 172.16.232.53, remote AS 100, external link
  Member of peer-group internal for session parameters
  BGP version 4, remote router ID 172.16.232.53
  BGP state = Established, up for 13:40:17
  Last read 00:00:09, hold time is 180, keepalive interval is 60 seconds
  Message statistics:
    InQ depth is 0
    OutQ depth is 0
                         Sent       Rcvd
    Opens:                  3          3
    Notifications:          0          0
    Updates:                0          0
    Keepalives:           113        112
    Route Refresh:          0          0
    Total:                116         11
  Default minimum time between advertisement runs is 5 seconds
  Connections established 22; dropped 21
  Last reset 13:47:05, due to BGP Notification sent, hold time expired
  External BGP neighbor may be up to 2 hops away.
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Enqueued packets for retransmit: 0, input: 0  mis-ordered: 0 (0 bytes)
Event Timers (current time is 0x1A0D543C):
Timer          Starts    Wakeups            Next
Retrans          1218          5             0x0
TimeWait            0          0             0x0
AckHold          3327       3051             0x0
SendWnd             0          0             0x0
KeepAlive           0          0             0x0
GiveUp              0          0             0x0
PmtuAger            0          0             0x0
DeadWait            0          0             0x0
iss: 1805423033  snduna: 1805489354  sndnxt: 1805489354     sndwnd:  15531
irs:  821333727  rcvnxt:  821591465  rcvwnd:      15547  delrcvwnd:    837
SRTT: 300 ms, RTTO: 303 ms, RTV: 3 ms, KRTT: 0 ms
minRTT: 8 ms, maxRTT: 300 ms, ACK hold: 200 ms
Flags: higher precedence, nagle
Datagrams (max data segment is 1420 bytes):
Rcvd: 4252 (out of order: 0), with data: 3328, total data bytes: 257737
Sent: 4445 (retransmit: 5), with data: 4445, total data bytes: 244128
Table 4-4 shows each field description.

Table 4-4   show bgp all neighbors Fields

Field                      Description
For address family         Address family to which the following fields refer.
BGP neighbor               IP address of the BGP neighbor and its autonomous system number.
remote AS                  Autonomous system number of the neighbor.
external link              External Border Gateway Protocol (eBGP) peer.
BGP version                BGP version being used to communicate with the remote router.
remote router ID           IP address of the neighbor.
BGP state                  State of this BGP connection.
up for                     Time, in hh:mm:ss, that the underlying TCP connection has been in
                           existence.
Last read                  Time, in hh:mm:ss, since BGP last received a message from this
                           neighbor.
hold time                  Time, in seconds, that BGP will maintain the session with this
                           neighbor without receiving messages.
keepalive interval         Time interval, in seconds, at which keepalive messages are
                           transmitted to this neighbor.
Message statistics         Statistics organized by message type.
InQ depth is               Number of messages in the input queue.
OutQ depth is              Number of messages in the output queue.
Sent                       Total number of transmitted messages.
Rcvd                       Total number of received messages.
Opens                      Number of open messages sent and received.
Notifications              Number of notification (error) messages sent and received.
Updates                    Number of update messages sent and received.
Keepalives                 Number of keepalive messages sent and received.
Route Refresh              Number of route refresh request messages sent and received.
Total                      Total number of messages sent and received.
Default minimum time       Time, in seconds, between advertisement transmissions.
between...
Connections established    Number of times a TCP and BGP connection has been successfully
                           established.
dropped                    Number of times that a valid session has failed or been taken down.
Last reset                 Time, in hh:mm:ss, since this peering session was last reset. The
                           reason for the reset is displayed on this line.
External BGP neighbor      Indicates that the BGP Time-to-live (TTL) security check is enabled.
may be...                  The maximum number of hops that can separate the local and remote
                           peer is displayed on this line.
Connection state           Connection status of the BGP peer.
Local host, Local port     IP address of the local BGP speaker and the port number.
Foreign host, Foreign port Neighbor address and BGP destination port number.
Enqueued packets for       Packets queued for retransmission by TCP.
retransmit:
Event Timers               TCP event timers. Counters are provided for starts and wakeups
                           (expired timers).
Retrans                    Number of times a packet has been retransmitted.
TimeWait                   Time waiting for the retransmission timers to expire.
AckHold                    Acknowledgment hold timer.
SendWnd                    Transmission (send) window.
KeepAlive                  Number of keepalive packets.
GiveUp                     Number of times a packet is dropped due to no acknowledgment.
PmtuAger                   Path MTU discovery timer.
DeadWait                   Expiration timer for dead segments.
iss:                       Initial packet transmission sequence number.
snduna:                    Last transmission sequence number that has not been acknowledged.
sndnxt:                    Next packet sequence number to be transmitted.
sndwnd:                    TCP window size of the remote host.
irs:                       Initial packet receive sequence number.
rcvnxt:                    Last receive sequence number that has been locally acknowledged.
rcvwnd:                    TCP window size of the local host.
delrcvwnd:                 Delayed receive window—data the local host has read from the
                           connection, but has not yet subtracted from the receive window the
                           host has advertised to the remote host. The value in this field
                           gradually increases until it is larger than a full-sized packet, at
                           which point it is applied to the rcvwnd field.
SRTT:                      A calculated smoothed round-trip timeout.
RTTO:                      Round-trip timeout.
RTV:                       Variance of the round-trip time.
KRTT:                      New round-trip timeout (using the Karn algorithm). This field
                           separately tracks the round-trip time of packets that have been
                           re-sent.
minRTT:                    Smallest recorded round-trip timeout (hard-wire value used for
                           calculation).
maxRTT:                    Largest recorded round-trip timeout.
ACK hold                   Length of time the local host will delay an acknowledgment to carry
                           (piggyback) additional data.
IP Precedence value        IP precedence of the BGP packets.
Datagrams                  Number of update packets received from a neighbor.
Rcvd:                      Number of received packets.
with data                  Number of update packets sent with data.
total data bytes           Total amount of data received, in bytes.
Sent                       Number of update packets sent.
with data                  Number of update packets received with data.
total data bytes           Total amount of data sent, in bytes.
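The session counters in Table 4-4 (Connections established / dropped, Last reset and its reason, Notifications, and the TTL security line) are what an operator monitors to tell a stable peering from one that is flapping or exposed. The following added example (not Cisco's code) parses that output into per-neighbor records and lists such findings; SAMPLE is constructed from the line formats above and FLAP_DROPS is an assumed threshold.

```python
"""Summarise 'show bgp all neighbors' output into per-neighbor session records and
flag what a defender watches for: flapping sessions, hold-timer resets, NOTIFICATION
messages from the peer, and eBGP sessions with no TTL security check line.

Added example, not Cisco's code. SAMPLE is constructed from the line formats
documented in Table 4-4; FLAP_DROPS is an assumed threshold.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE = """\
For address family: IPv4 Unicast
BGP neighbor is 172.16.232.53, remote AS 100, external link
  BGP version 4, remote router ID 172.16.232.53
  BGP state = Established, up for 13:40:17
  Last read 00:00:09, hold time is 180, keepalive interval is 60 seconds
  Message statistics:
                         Sent       Rcvd
    Opens:                  3          3
    Notifications:          0          0
    Keepalives:           113        112
    Total:                116        115
  Connections established 22; dropped 21
  Last reset 13:47:05, due to BGP Notification sent, hold time expired
  External BGP neighbor may be up to 2 hops away.

BGP neighbor is 10.0.0.9, remote AS 65001, external link
  BGP state = Established, up for 3w2d
  Last read 00:00:31, hold time is 180, keepalive interval is 60 seconds
  Message statistics:
                         Sent       Rcvd
    Notifications:          0          0
    Total:              33815      33840
  Connections established 1; dropped 0
  Last reset never
"""

NEIGHBOR_RE = re.compile(r"^BGP neighbor is (?P<ip>[^,]+),\s+remote AS (?P<asn>\d+), (?P<link>internal|external) link")
STATE_RE = re.compile(r"^BGP state = (?P<state>\w+)(?:, up for (?P<up>\S+))?")
TIMERS_RE = re.compile(r"hold time is (?P<hold>\d+), keepalive interval is (?P<keep>\d+) seconds")
CONN_RE = re.compile(r"^Connections established (?P<est>\d+); dropped (?P<drop>\d+)")
RESET_RE = re.compile(r"^Last reset (?P<when>\S+?)(?:, due to (?P<reason>.+))?$")
TTL_RE = re.compile(r"^External BGP neighbor may be up to (?P<hops>\d+) hops away")
MSG_RE = re.compile(r"^(?P<kind>Opens|Notifications|Updates|Keepalives|Route Refresh|Total):\s+(?P<sent>\d+)\s+(?P<rcvd>\d+)$")
FLAP_DROPS = 5  # assumed: this many drops on one peering is worth a look


@dataclass
class NeighborSession:
    ip: str
    remote_as: int
    link: str                                 # "external" (eBGP) or "internal" (iBGP)
    state: str = "Unknown"
    up_for: Optional[str] = None
    hold_time: Optional[int] = None
    keepalive: Optional[int] = None
    established: int = 0
    dropped: int = 0
    last_reset: Optional[str] = None
    reset_reason: Optional[str] = None
    ttl_security_hops: Optional[int] = None   # set only when the TTL check line is printed
    messages: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # kind -> (sent, rcvd)


def parse_neighbors(output: str) -> List[NeighborSession]:
    """One record per 'BGP neighbor is' block; lines that match nothing are ignored."""
    sessions: List[NeighborSession] = []
    cur: Optional[NeighborSession] = None
    for raw in output.splitlines():
        line = raw.strip()
        if m := NEIGHBOR_RE.match(line):
            cur = NeighborSession(m["ip"], int(m["asn"]), m["link"])
            sessions.append(cur)
        elif cur is None or not line:
            continue
        elif m := STATE_RE.match(line):
            cur.state, cur.up_for = m["state"], m["up"]
        elif m := TIMERS_RE.search(line):
            cur.hold_time, cur.keepalive = int(m["hold"]), int(m["keep"])
        elif m := CONN_RE.match(line):
            cur.established, cur.dropped = int(m["est"]), int(m["drop"])
        elif m := RESET_RE.match(line):
            cur.last_reset, cur.reset_reason = m["when"], m["reason"]
        elif m := TTL_RE.match(line):
            cur.ttl_security_hops = int(m["hops"])
        elif m := MSG_RE.match(line):
            cur.messages[m["kind"]] = (int(m["sent"]), int(m["rcvd"]))
    return sessions


def assess(s: NeighborSession) -> List[str]:
    """Findings worth a look on one peering; thresholds and wording are this example's."""
    findings: List[str] = []
    if s.state != "Established":
        findings.append(f"state is {s.state}, not Established")
    if s.dropped >= FLAP_DROPS:
        findings.append(f"session dropped {s.dropped} times over {s.established} establishments (flapping)")
    if s.reset_reason and "hold time expired" in s.reset_reason:
        findings.append("last reset was a hold-timer expiry (peer or path stopped delivering keepalives)")
    if s.messages.get("Notifications", (0, 0))[1]:
        findings.append(f"peer sent {s.messages['Notifications'][1]} NOTIFICATION messages")
    if s.link == "external" and s.ttl_security_hops is None:
        # Table 4-4: the 'hops away' line appears only when the TTL security check is enabled.
        findings.append("eBGP session without TTL security check (no 'hops away' line)")
    return findings
```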
show bgp cidr-only
To display routes with classless interdomain routing (CIDR), use the show bgp cidr-only command in
EXEC mode.
show bgp cidr-only
Syntax Description
This command has no arguments or keywords.
Command Modes
The following table shows the modes in which you can enter the command:

                            Firewall Mode          Security Context
Command Mode                Routed  Transparent    Single  Multiple
                                                           Context  System
Privileged EXEC             Yes     Yes            Yes     Yes      Yes

Command History
Release   Modification
9.2(1)    This command was added.

Examples
The following is sample output from the show bgp cidr-only command:
ciscoasa# show bgp cidr-only
BGP table version is 220, local router ID is 172.16.73.131
Status codes: s suppressed, * valid, > best,  i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.0.0/8    172.16.72.24                           0 1878 ?
*> 172.16.0.0/16    172.16.72.30                           0 108 ?
Table 4-5 shows each field description.

Table 4-5   show bgp cidr-only Fields

Field                     Description
BGP table version is 220  Internal version number of the table. This number is incremented
                          whenever the table changes.
local router ID           IP address of the router.
Status codes              Status of the table entry. The status is displayed at the beginning of
                          each line in the table. It can be one of the following values:
                          s—The table entry is suppressed.
                          *—The table entry is valid.
                          >—The table entry is the best entry to use for that network.
                          i—The table entry was learned via an internal BGP (iBGP) session.
Origin codes              Origin of the entry. The origin code is placed at the end of each line
                          in the table. It can be one of the following values:
                          i—Entry originated from an Interior Gateway Protocol (IGP) and was
                          advertised with a network router configuration command.
                          e—Entry originated from an Exterior Gateway Protocol (EGP).
                          ?—Origin of the path is not clear. Usually, this is a route that is
                          redistributed into BGP from an IGP.
Network                   Internet address of the network the entry describes.
Next Hop                  IP address of the next system that is used when forwarding a packet
                          to the destination network. An entry of 0.0.0.0 indicates that the
                          access server has some non-BGP route to this network.
Metric                    If shown, the value of the inter autonomous system metric.
LocPrf                    Local preference value as set with the set local-preference route-map
                          configuration command. The default value is 100.
Weight                    Weight of the route as set via autonomous system filters.
Path                      Autonomous system paths to the destination network. There can be one
                          entry in this field for each autonomous system in the path. At the
                          end of the path is the origin code for the path:
                          i—The entry was originated with the IGP and advertised with a
                          network router configuration command.
                          e—The route originated with EGP.
                          ?—The origin of the path is not clear. Usually this is a path that is
                          redistributed into BGP from an IGP.
show bgp community
To display routes that belong to specified BGP communities, use the show bgp community command
in EXEC mode.
show bgp community community-number [exact]
Command Modes
The following table shows the modes in which you can enter the command:

                            Firewall Mode          Security Context
Command Mode                Routed  Transparent    Single  Multiple
                                                           Context  System
Privileged EXEC             Yes     Yes            Yes     Yes      Yes

Command History
Release   Modification
9.2(1)    This command was added.

Examples
The following is sample output from the show bgp community command in privileged EXEC mode:
ciscoasa# show bgp community 111:12345 local-as
BGP table version is 10, local router ID is 224.0.0.10
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.2.2/32    10.43.222.2              0             0 222 ?
*> 10.0.0.0         10.43.222.2              0             0 222 ?
*> 10.43.0.0        10.43.222.2              0             0 222 ?
*> 10.43.44.44/32   10.43.222.2              0             0 222 ?
*  10.43.222.0/24   10.43.222.2              0             0 222 i
*> 172.17.240.0/21  10.43.222.2              0             0 222 ?
*> 192.168.212.0    10.43.222.2              0             0 222 i
*> 172.31.1.0       10.43.222.2              0             0 222 ?
Table 4-6 shows each field description.

Table 4-6   show bgp community Fields

Field              Description
BGP table version  Internal version number of the table. This number is incremented whenever
                   the table changes.
local router ID    IP address of the router.
Status codes       Status of the table entry. The status is displayed at the beginning of each
                   line in the table. It can be one of the following values:
                   s—The table entry is suppressed.
                   *—The table entry is valid.
                   >—The table entry is the best entry to use for that network.
                   i—The table entry was learned via an internal BGP (iBGP) session.
Origin codes       Origin of the entry. The origin code is placed at the end of each line in
                   the table. It can be one of the following values:
                   i—Entry originated from an Interior Gateway Protocol (IGP) and was
                   advertised with a network router configuration command.
                   e—Entry originated from an Exterior Gateway Protocol (EGP).
                   ?—Origin of the path is not clear. Usually, this is a route that is
                   redistributed into BGP from an IGP.
Network            Internet address of the network the entry describes.
Next Hop           IP address of the next system that is used when forwarding a packet to the
                   destination network. An entry of 0.0.0.0 indicates that the access server
                   has some non-BGP route to this network.
Metric             If shown, the value of the inter autonomous system metric.
LocPrf             Local preference value as set with the set local-preference route-map
                   configuration command. The default value is 100.
Weight             Weight of the route as set via autonomous system filters.
Path               Autonomous system paths to the destination network. There can be one entry
                   in this field for each autonomous system in the path. At the end of the
                   path is the origin code for the path:
                   i—The entry was originated with the IGP and advertised with a network
                   router configuration command.
                   e—The route originated with EGP.
                   ?—The origin of the path is not clear. Usually this is a path that is
                   redistributed into BGP from an IGP.
show bgp community-list
To display routes that are permitted by the Border Gateway Protocol (BGP) community list, use the show
bgp community-list command in user or privileged EXEC mode.
show bgp community-list {community-list-number | community-list-name [exact-match]}
Syntax Description
community-list-number  A standard or expanded community list number in the range from 1 to
                       500.
community-list-name    Community list name. The community list name can be standard or
                       expanded.
exact-match            (Optional) Displays only routes that have an exact match.

Command Modes
The following table shows the modes in which you can enter the command:

                            Firewall Mode          Security Context
Command Mode                Routed  Transparent    Single  Multiple
                                                           Context  System
Privileged EXEC, User EXEC  Yes     Yes            Yes     Yes      Yes

Command History
Release   Modification
9.2(1)    This command was added.
Usage Guidelines
This command requires you to specify an argument when used. The exact-match keyword is optional.
Examples
The following is sample output of the show bgp community-list command in privileged EXEC mode:
ciscoasa# show bgp community-list 20
BGP table version is 716977, local router ID is 192.168.32.1
Status codes: s suppressed, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
* i10.3.0.0         10.0.22.1                0    100      0 1800 1239 ?
*>i                 10.0.16.1                0    100      0 1800 1239 ?
* i10.6.0.0         10.0.22.1                0    100      0 1800 690 568 ?
*>i                 10.0.16.1                0    100      0 1800 690 568 ?
* i10.7.0.0         10.0.22.1                0    100      0 1800 701 35 ?
*>i                 10.0.16.1                0    100      0 1800 701 35 ?
*                   10.92.72.24                             0 1878 704 701 35 ?
* i10.8.0.0         10.0.22.1                0    100      0 1800 690 560 ?
*>i                 10.0.16.1                0    100      0 1800 690 560 ?
*                   10.92.72.24                             0 1878 704 701 560 ?
* i10.13.0.0        10.0.22.1                0    100      0 1800 690 200 ?
*>i                 10.0.16.1                0    100      0 1800 690 200 ?
*                   10.92.72.24                             0 1878 704 701 200 ?
* i10.15.0.0        10.0.22.1                0    100      0 1800 174 ?
*>i                 10.0.16.1                0    100      0 1800 174 ?
* i10.16.0.0        10.0.22.1                0    100      0 1800 701 i
*>i                 10.0.16.1                0    100      0 1800 701 i
*                   10.92.72.24                             0 1878 704 701 i
Table 4-7 shows each field description.

Table 4-7   show bgp community-list Fields

Field              Description
BGP table version  Internal version number of the table. This number is incremented whenever
                   the table changes.
local router ID    IP address of the router.
Status codes       Status of the table entry. The status is displayed at the beginning of each
                   line in the table. It can be one of the following values:
                   s—The table entry is suppressed.
                   *—The table entry is valid.
                   >—The table entry is the best entry to use for that network.
                   i—The table entry was learned via an internal BGP (iBGP) session.
Origin codes       Origin of the entry. The origin code is placed at the end of each line in
                   the table. It can be one of the following values:
                   i—Entry originated from an Interior Gateway Protocol (IGP) and was
                   advertised with a network router configuration command.
                   e—Entry originated from an Exterior Gateway Protocol (EGP).
                   ?—Origin of the path is not clear. Usually, this is a route that is
                   redistributed into BGP from an IGP.
Network            Internet address of the network the entry describes.
Next Hop           IP address of the next system that is used when forwarding a packet to the
                   destination network. An entry of 0.0.0.0 indicates that the access server
                   has some non-BGP route to this network.
Metric             If shown, the value of the inter autonomous system metric.
LocPrf             Local preference value as set with the set local-preference route-map
                   configuration command. The default value is 100.
Weight             Weight of the route as set via autonomous system filters.
Path               Autonomous system paths to the destination network. There can be one entry
                   in this field for each autonomous system in the path. At the end of the
                   path is the origin code for the path:
                   i—The entry was originated with the IGP and advertised with a network
                   router configuration command.
                   e—The route originated with EGP.
                   ?—The origin of the path is not clear. Usually this is a path that is
                   redistributed into BGP from an IGP.
show bgp filter-list
To display routes that conform to a specified filter list, use the show bgp filter-list command in EXEC mode.
show bgp filter-list access-list-name
Syntax Description
access-list-name   Name of an autonomous system path access list.

Command Modes
The following table shows the modes in which you can enter the command:

                            Firewall Mode          Security Context
Command Mode                Routed  Transparent    Single  Multiple
                                                           Context  System
Privileged EXEC, User EXEC  Yes     Yes            Yes     Yes      Yes

Command History
Release   Modification
9.2(1)    This command was added.

Examples
The following is sample output of the show bgp filter-list command in privileged EXEC mode:
ciscoasa# show bgp filter-list filter-list-acl
BGP table version is 1738, local router ID is 172.16.72.24
Status codes: s suppressed, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*  172.16.0.0       172.16.72.30                           0 109 108 ?
*  172.16.1.0       172.16.72.30                           0 109 108 ?
*  172.16.11.0      172.16.72.30                           0 109 108 ?
*  172.16.14.0      172.16.72.30                           0 109 108 ?
*  172.16.15.0      172.16.72.30                           0 109 108 ?
*  172.16.16.0      172.16.72.30                           0 109 108 ?
*  172.16.17.0      172.16.72.30                           0 109 108 ?
*  172.16.18.0      172.16.72.30                           0 109 108 ?
*  172.16.19.0      172.16.72.30                           0 109 108 ?
*  172.16.24.0      172.16.72.30                           0 109 108 ?
*  172.16.29.0      172.16.72.30                           0 109 108 ?
*  172.16.30.0      172.16.72.30                           0 109 108 ?
*  172.16.33.0      172.16.72.30                           0 109 108 ?
*  172.16.35.0      172.16.72.30                           0 109 108 ?
*  172.16.36.0      172.16.72.30                           0 109 108 ?
*  172.16.37.0      172.16.72.30                           0 109 108 ?
*  172.16.38.0      172.16.72.30                           0 109 108 ?
*  172.16.39.0      172.16.72.30                           0 109 108 ?
Table 4-8 shows each field description.

Table 4-8   show bgp filter-list Fields

Field              Description
BGP table version  Internal version number of the table. This number is incremented whenever
                   the table changes.
local router ID    IP address of the router.
Status codes       Status of the table entry. The status is displayed at the beginning of each
                   line in the table. It can be one of the following values:
                   s—The table entry is suppressed.
                   *—The table entry is valid.
                   >—The table entry is the best entry to use for that network.
                   i—The table entry was learned via an internal BGP (iBGP) session.
Origin codes       Origin of the entry. The origin code is placed at the end of each line in
                   the table. It can be one of the following values:
                   i—Entry originated from an Interior Gateway Protocol (IGP) and was
                   advertised with a network router configuration command.
                   e—Entry originated from an Exterior Gateway Protocol (EGP).
                   ?—Origin of the path is not clear. Usually, this is a route that is
                   redistributed into BGP from an IGP.
Network            Internet address of the network the entry describes.
Next Hop           IP address of the next system that is used when forwarding a packet to the
                   destination network. An entry of 0.0.0.0 indicates that the access server
                   has some non-BGP route to this network.
Metric             If shown, the value of the inter autonomous system metric.
LocPrf             Local preference value as set with the set local-preference route-map
                   configuration command. The default value is 100.
Weight             Weight of the route as set via autonomous system filters.
Path               Autonomous system paths to the destination network. There can be one entry
                   in this field for each autonomous system in the path. At the end of the
                   path is the origin code for the path:
                   i—The entry was originated with the IGP and advertised with a network
                   router configuration command.
                   e—The route originated with EGP.
                   ?—The origin of the path is not clear. Usually this is a path that is
                   redistributed into BGP from an IGP.
show bgp injected-paths
To display all the injected paths in the Border Gateway Protocol (BGP) routing table, use the show bgp
injected-paths command in user or privileged EXEC mode.
show bgp injected-paths
Syntax Description
This command has no arguments or keywords.
Command Modes
The following table shows the modes in which you can enter the command:

                            Firewall Mode          Security Context
                                                            Multiple
Command Mode                Routed   Transparent   Single   Context   System
Privileged EXEC, User EXEC  • Yes    • Yes         • Yes    • Yes     • Yes

Command History
Release   Modification
9.2(1)    This command was added

Examples
The following is sample output from the show bgp injected-paths command in EXEC mode:
ciscoasa# show bgp injected-paths
BGP table version is 11, local router ID is 10.0.0.1
Status codes:s suppressed, d damped, h history, * valid, > best, i internal
Origin codes:i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.0.0       10.0.0.2                                 0 ?
*> 172.17.0.0/16    10.0.0.2                                 0 ?
Table 4-9 shows each field description.

Table 4-9    show bgp injected-path Fields

Field              Description
BGP table version  Internal version number of the table. This number is incremented whenever
                   the table changes.
local router ID    IP address of the router.
Status codes       Status of the table entry. The status is displayed at the beginning of each
                   line in the table. It can be one of the following values:
                   s—The table entry is suppressed.
                   *—The table entry is valid.
                   >—The table entry is the best entry to use for that network.
                   i—The table entry was learned via an internal BGP (iBGP) session.
Origin codes       Origin of the entry. The origin code is placed at the end of each line in the
                   table. It can be one of the following values:
                   i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised
                   with a network router configuration command.
                   e—Entry originated from an Exterior Gateway Protocol (EGP).
                   ?—Origin of the path is not clear. Usually, this is a route that is
                   redistributed into BGP from an IGP.
Network            Internet address of the network the entry describes.
Next Hop           IP address of the next system that is used when forwarding a packet to the
                   destination network. An entry of 0.0.0.0 indicates that the access server has
                   some non-BGP route to this network.
Metric             If shown, the value of the inter autonomous system metric.
LocPrf             Local preference value as set with the set local-preference route-map
                   configuration command. The default value is 100.
Weight             Weight of the route as set via autonomous system filters.
Path               Autonomous system paths to the destination network. There can be one entry in
                   this field for each autonomous system in the path. At the end of the path is
                   the origin code for the path:
                   i—The entry was originated with the IGP and advertised with a network router
                   configuration command.
                   e—The route originated with EGP.
                   ?—The origin of the path is not clear. Usually this is a path that is
                   redistributed into BGP from an IGP.
show bgp ipv4
To display entries in the IP version 4 (IPv4) Border Gateway Protocol (BGP) routing table, use the show bgp
ipv4 command in privileged EXEC mode.
show bgp ipv4
Syntax Description
This command has no arguments or keywords.
Command Modes
The following table shows the modes in which you can enter the command:

                            Firewall Mode          Security Context
                                                            Multiple
Command Mode                Routed   Transparent   Single   Context   System
Privileged EXEC, User EXEC  • Yes    • Yes         • Yes    • Yes     • Yes

Command History
Release   Modification
9.2(1)    This command was added

Examples
The following is sample output from the show bgp ipv4 unicast command:
ciscoasa# show bgp ipv4 unicast
BGP table version is 4, local router ID is 10.0.40.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.10.10.0/24    172.16.10.1              0             0 300 i
*> 10.10.20.0/24    172.16.10.1              0             0 300 i
*  10.20.10.0/24    172.16.10.1              0             0 300 i

The following is sample output from the show bgp ipv4 multicast command:
Router# show bgp ipv4 multicast
BGP table version is 4, local router ID is 10.0.40.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.10.10.0/24    172.16.10.1              0             0 300 i
*> 10.10.20.0/24    172.16.10.1              0             0 300 i
*  10.20.10.0/24    172.16.10.1              0             0 300 i
Table 4-10 shows each field description.

Table 4-10    show bgp ipv4 Fields

Field              Description
BGP table version  Internal version number of the table. This number is incremented whenever
                   the table changes.
local router ID    IP address of the router.
Status codes       Status of the table entry. The status is displayed at the beginning of each
                   line in the table. It can be one of the following values:
                   s—The table entry is suppressed.
                   *—The table entry is valid.
                   >—The table entry is the best entry to use for that network.
                   i—The table entry was learned via an internal BGP (iBGP) session.
Origin codes       Origin of the entry. The origin code is placed at the end of each line in the
                   table. It can be one of the following values:
                   i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised
                   with a network router configuration command.
                   e—Entry originated from an Exterior Gateway Protocol (EGP).
                   ?—Origin of the path is not clear. Usually, this is a route that is
                   redistributed into BGP from an IGP.
Network            Internet address of the network the entry describes.
Next Hop           IP address of the next system that is used when forwarding a packet to the
                   destination network. An entry of 0.0.0.0 indicates that the access server has
                   some non-BGP route to this network.
Metric             If shown, the value of the inter autonomous system metric.
LocPrf             Local preference value as set with the set local-preference route-map
                   configuration command. The default value is 100.
Weight             Weight of the route as set via autonomous system filters.
Path               Autonomous system paths to the destination network. There can be one entry in
                   this field for each autonomous system in the path. At the end of the path is
                   the origin code for the path:
                   i—The entry was originated with the IGP and advertised with a network router
                   configuration command.
                   e—The route originated with EGP.
                   ?—The origin of the path is not clear. Usually this is a path that is
                   redistributed into BGP from an IGP.
show bgp ipv6
To display entries in the IPv6 Border Gateway Protocol (BGP) routing table, use the show bgp ipv6
command in user EXEC or privileged EXEC mode.
show bgp ipv6 unicast [ipv6-prefix/prefix-length] [longer-prefixes] [labels]
Syntax Description
unicast           Specifies IPv6 unicast address prefixes.
ipv6-prefix       (Optional) IPv6 network number, entered to display a particular network in
                  the IPv6 BGP routing table.
                  This argument must be in the form documented in RFC 2373 where the
                  address is specified in hexadecimal using 16-bit values between colons.
/prefix-length    (Optional) The length of the IPv6 prefix. A decimal value that indicates how
                  many of the high-order contiguous bits of the address comprise the prefix
                  (the network portion of the address). A slash mark must precede the decimal
                  value.
longer-prefixes   (Optional) Displays the route and more specific routes.
labels            (Optional) Displays the policies applied to this neighbor per address family.

Command Modes
The following table shows the modes in which you can enter the command:

                            Firewall Mode          Security Context
                                                            Multiple
Command Mode                Routed   Transparent   Single   Context   System
Privileged EXEC, User EXEC  • Yes    • Yes         • Yes    • Yes     • Yes

Command History
Release   Modification
9.3(2)    This command was added

Examples
The following is sample output from the show bgp ipv6 command:
ciscoasa# show bgp ipv6 unicast
BGP table version is 12612, local router ID is 172.16.7.225
Status codes: s suppressed, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.10.10.0/24    172.16.10.1              0             0 300 i
*> 10.10.20.0/24    172.16.10.1              0             0 300 i
*  10.20.10.0/24    172.16.10.1              0             0 300 i
The following is sample output from the show bgp ipv4 multicast command:
Router# show bgp ipv4 multicast
BGP table version is 4, local router ID is 10.0.40.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*                   3FFE:C00:E:C::2                          0 3748 4697 1752 i
*                   3FFE:1100:0:CC00::1                      0 1849 1273 1752 i
*  2001:618:3::/48  3FFE:C00:E:4::2          1               0 4554 1849 65002 i
*>                  3FFE:1100:0:CC00::1                      0 1849 65002 i
*  2001:620::/35    2001:0DB8:0:F004::1                      0 3320 1275 559 i
*                   3FFE:C00:E:9::2                          0 1251 1930 559 i
*                   3FFE:3600::A                             0 3462 10566 1930 559 i
*                   3FFE:700:20:1::11                        0 293 1275 559 i
*                   3FFE:C00:E:4::2          1               0 4554 1849 1273 559 i
*                   3FFE:C00:E:B::2                          0 237 3748 1275 559 i
Table 4-11 shows each field description.

Table 4-11    show bgp ipv6 Fields

Field              Description
BGP table version  Internal version number of the table. This number is incremented whenever
                   the table changes.
local router ID    IP address of the router.
Status codes       Status of the table entry. The status is displayed at the beginning of each
                   line in the table. It can be one of the following values:
                   s—The table entry is suppressed.
                   h—The table entry is history.
                   *—The table entry is valid.
                   >—The table entry is the best entry to use for that network.
                   i—The table entry was learned via an internal BGP (iBGP) session.
Origin codes       Origin of the entry. The origin code is placed at the end of each line in the
                   table. It can be one of the following values:
                   i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised
                   with a network router configuration command.
                   e—Entry originated from an Exterior Gateway Protocol (EGP).
                   ?—Origin of the path is not clear. Usually, this is a route that is
                   redistributed into BGP from an IGP.
Network            Internet address of the network the entry describes.
Next Hop           IP address of the next system that is used when forwarding a packet to the
                   destination network. An entry of 0.0.0.0 indicates that the access server has
                   some non-BGP route to this network.
Metric             If shown, the value of the inter autonomous system metric.
LocPrf             Local preference value as set with the set local-preference route-map
                   configuration command. The default value is 100.
Weight             Weight of the route as set via autonomous system filters.
Path               Autonomous system paths to the destination network. There can be one entry in
                   this field for each autonomous system in the path. At the end of the path is
                   the origin code for the path:
                   i—The entry was originated with the IGP and advertised with a network router
                   configuration command.
                   e—The route originated with EGP.
                   ?—The origin of the path is not clear. Usually this is a path that is
                   redistributed into BGP from an IGP.
The following is sample output from the show bgp ipv6 command, showing information for prefix
3FFE:500::/24:
ciscoasa# show bgp ipv6 unicast 3FFE:500::/24
BGP routing table entry for 3FFE:500::/24, version 19421
Paths: (6 available, best #1)
293 3425 2500
3FFE:700:20:1::11 from 3FFE:700:20:1::11 (192.168.2.27)
Origin IGP, localpref 100, valid, external, best
4554 293 3425 2500
3FFE:C00:E:4::2 from 3FFE:C00:E:4::2 (192.168.1.1)
Origin IGP, metric 1, localpref 100, valid, external
33 293 3425 2500
3FFE:C00:E:5::2 from 3FFE:C00:E:5::2 (209.165.18.254)
Origin IGP, localpref 100, valid, external
6175 7580 2500
3FFE:C00:E:1::2 from 3FFE:C00:E:1::2 (209.165.223.204)
Origin IGP, localpref 100, valid, external
1849 4697 2500, (suppressed due to dampening)
3FFE:1100:0:CC00::1 from 3FFE:1100:0:CC00::1 (172.31.38.102)
Origin IGP, localpref 100, valid, external
237 10566 4697 2500
3FFE:C00:E:B::2 from 3FFE:C00:E:B::2 (172.31.0.3)
Origin IGP, localpref 100, valid, external
ciscoasa# show bgp ipv6 unicast
BGP table version is 28, local router ID is 172.10.10.1
Status codes:s suppressed, h history, * valid, > best, i internal,
             r RIB-failure, S Stale
Origin codes:i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*>i4004::/64        ::FFFF:172.11.11.1       0    100      0 ?
* i                 ::FFFF:172.30.30.1       0    100      0 ?
show bgp ipv6 community
To display entries in the IPv6 Border Gateway Protocol (BGP) routing table, use the show bgp
ipv6 community command in user EXEC or privileged EXEC mode.
show bgp ipv6 unicast community [community-number] [exact-match] [local-as | no-advertise |
no-export]
Syntax Description
unicast            Specifies IPv6 unicast address prefixes.
community-number   (Optional) Valid value is a community number in the range from 1 to
                   4294967295 or AA:NN (autonomous system-community number:2-byte number).
exact-match        (Optional) Displays only routes that have an exact match.
local-as           (Optional) Displays only routes that are not sent outside of the local
                   autonomous system (well-known community).
no-advertise       (Optional) Displays only routes that are not advertised to any peer
                   (well-known community).
no-export          (Optional) Displays only routes that are not exported outside of the local
                   autonomous system (well-known community).

Command Modes
The following table shows the modes in which you can enter the command:

                            Firewall Mode          Security Context
                                                            Multiple
Command Mode                Routed   Transparent   Single   Context   System
Privileged EXEC, User EXEC  • Yes    • Yes         • Yes    • Yes     • Yes

Command History
Release   Modification
9.3(2)    This command was added
The show bgp ipv6 community command provides output similar to the show ip bgp community
command, except it is IPv6-specific.
Communities are set with the set community route-map configuration command. You must enter the
numerical communities before the well-known communities. For example, the following string is not
valid:
ciscoasa# show ipv6 bgp unicast community local-as 111:12345
Use the following string instead:
ciscoasa# show ipv6 bgp unicast community 111:12345 local-as
Examples
The following is sample output from the show bgp ipv6 community command:
BGP table version is 69, local router ID is 10.2.64.5
Status codes:s suppressed, h history, * valid, > best, i - internal
Origin codes:i - IGP, e - EGP, ? - incomplete
   Network               Next Hop            Metric LocPrf Weight Path
*> 2001:0DB8:0:1::1/64   ::                       0         32768 i
*> 2001:0DB8:0:1:1::/80  ::                       0         32768 ?
*> 2001:0DB8:0:2::/64    2001:0DB8:0:3::2                       0 2 i
*> 2001:0DB8:0:2:1::/80  2001:0DB8:0:3::2                       0 2 ?
*  2001:0DB8:0:3::1/64   2001:0DB8:0:3::2                       0 2 ?
*>                       ::                       0         32768 ?
*> 2001:0DB8:0:4::/64    2001:0DB8:0:3::2                       0 2 ?
*> 2001:0DB8:0:5::1/64   ::                       0         32768 ?
*> 2001:0DB8:0:6::/64    2000:0:0:3::2                          0 2 3 i
*> 2010::/64             ::                       0         32768 ?
*> 2020::/64             ::                       0         32768 ?
*> 2030::/64             ::                       0         32768 ?
*> 2040::/64             ::                       0         32768 ?
*> 2050::/64             ::                       0         32768 ?
Table 4-12    show bgp ipv6 community fields

Field              Description
BGP table version  Internal version number of the table. This number is incremented whenever
                   the table changes.
local router ID    A 32-bit number written as 4 octets separated by periods (dotted-decimal
                   format).
Status codes       Status of the table entry. The status is displayed at the beginning of each
                   line in the table. It can be one of the following values:
                   s—The table entry is suppressed.
                   h—The table entry is history.
                   *—The table entry is valid.
                   >—The table entry is the best entry to use for that network.
                   i—The table entry was learned via an internal BGP (iBGP) session.
Origin codes       Origin of the entry. The origin code is placed at the end of each line in the
                   table. It can be one of the following values:
                   i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised
                   with a network router configuration command.
                   e—Entry originated from an Exterior Gateway Protocol (EGP).
                   ?—Origin of the path is not clear. Usually, this is a route that is
                   redistributed into BGP from an IGP.
Network            Internet address of the network the entry describes.
Next Hop           IP address of the next system that is used when forwarding a packet to the
                   destination network. An entry of 0.0.0.0 indicates that the access server has
                   some non-BGP route to this network.
Metric             If shown, the value of the inter autonomous system metric.
LocPrf             Local preference value as set with the set local-preference route-map
                   configuration command. The default value is 100.
Weight             Weight of the route as set via autonomous system filters.
Path               Autonomous system paths to the destination network. There can be one entry in
                   this field for each autonomous system in the path. At the end of the path is
                   the origin code for the path:
                   i—The entry was originated with the IGP and advertised with a network router
                   configuration command.
                   e—The route originated with EGP.
                   ?—The origin of the path is not clear. Usually this is a path that is
                   redistributed into BGP from an IGP.
show bgp ipv6 community-list
To display routes that are permitted by the IPv6 Border Gateway Protocol (BGP) community list, use the
show bgp ipv6 community-list command in user EXEC or privileged EXEC mode.
show bgp ipv6 unicast community-list {number | name} [exact-match]
Syntax Description
unicast        Specifies IPv6 unicast address prefixes.
number         Community list number in the range from 1 to 199.
name           Community list name.
exact-match    (Optional) Displays only routes that have an exact match.

Command Modes
The following table shows the modes in which you can enter the command:

                            Firewall Mode          Security Context
                                                            Multiple
Command Mode                Routed   Transparent   Single   Context   System
Privileged EXEC, User EXEC  • Yes    • Yes         • Yes    • Yes     • Yes

Command History
Release   Modification
9.3(2)    This command was added
The show bgp ipv6 unicast community-list command provides output similar to the show ip bgp
community-list command, except that it is IPv6-specific.
Examples
The following is sample output of the show bgp ipv6 community-list command for community list
number 3:
ciscoasa# show bgp ipv6 unicast community-list 3
BGP table version is 14, local router ID is 10.2.64.6
Status codes:s suppressed, h history, * valid, > best, i - internal
Origin codes:i - IGP, e - EGP, ? - incomplete
   Network               Next Hop            Metric LocPrf Weight Path
*> 2001:0DB8:0:1::/64    2001:0DB8:0:3::1                       0 1 i
*> 2001:0DB8:0:1:1::/80  2001:0DB8:0:3::1                       0 1 i
*> 2001:0DB8:0:2::1/64   ::                       0         32768 i
*> 2001:0DB8:0:2:1::/80  ::                       0         32768 ?
*  2001:0DB8:0:3::2/64   2001:0DB8:0:3::1                       0 1 ?
*>                       ::                       0         32768 ?
*> 2001:0DB8:0:4::2/64   ::                       0         32768 ?
*> 2001:0DB8:0:5::/64    2001:0DB8:0:3::1                       0 1 ?
*> 2010::/64             2001:0DB8:0:3::1                       0 1 ?
*> 2020::/64             2001:0DB8:0:3::1                       0 1 ?
*> 2030::/64             2001:0DB8:0:3::1                       0 1 ?
*> 2040::/64             2001:0DB8:0:3::1                       0 1 ?
*> 2050::/64             2001:0DB8:0:3::1                       0 1 ?
The table below describes the significant fields shown in the display.
Table 4-13    show bgp ipv6 community-list fields

Field              Description
BGP table version  Internal version number of the table. This number is incremented whenever
                   the table changes.
local router ID    A 32-bit number written as 4 octets separated by periods (dotted-decimal
                   format).
Status codes       Status of the table entry. The status is displayed at the beginning of each
                   line in the table. It can be one of the following values:
                   s—The table entry is suppressed.
                   h—The table entry is history.
                   *—The table entry is valid.
                   >—The table entry is the best entry to use for that network.
                   i—The table entry was learned via an internal BGP (iBGP) session.
Origin codes       Origin of the entry. The origin code is placed at the end of each line in the
                   table. It can be one of the following values:
                   i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised
                   with a network router configuration command.
                   e—Entry originated from an Exterior Gateway Protocol (EGP).
                   ?—Origin of the path is not clear. Usually, this is a route that is
                   redistributed into BGP from an IGP.
Network            Internet address of the network the entry describes.
Next Hop           IP address of the next system that is used when forwarding a packet to the
                   destination network. An entry of 0.0.0.0 indicates that the access server has
                   some non-BGP route to this network.
Metric             If shown, the value of the inter autonomous system metric.
LocPrf             Local preference value as set with the set local-preference route-map
                   configuration command. The default value is 100.
Weight             Weight of the route as set via autonomous system filters.
Path               Autonomous system paths to the destination network. There can be one entry in
                   this field for each autonomous system in the path. At the end of the path is
                   the origin code for the path:
                   i—The entry was originated with the IGP and advertised with a network router
                   configuration command.
                   e—The route originated with EGP.
                   ?—The origin of the path is not clear. Usually this is a path that is
                   redistributed into BGP from an IGP.
show bgp ipv6 filter-list
To display routes that conform to a specified IPv6 filter list, use the show bgp ipv6 filter-list command in
user EXEC or privileged EXEC mode.
show bgp ipv6 unicast filter-list access-list-number
Syntax Description
unicast              Specifies IPv6 unicast address prefixes.
access-list-number   Number of an IPv6 autonomous system path access list. It can be a number
                     from 1 to 199.

Command Modes
The following table shows the modes in which you can enter the command:

                            Firewall Mode          Security Context
                                                            Multiple
Command Mode                Routed   Transparent   Single   Context   System
Privileged EXEC, User EXEC  • Yes    • Yes         • Yes    • Yes     • Yes

Command History
Release   Modification
9.3(2)    This command was added
The show bgp ipv6 filter-list command provides output similar to the show ip bgp filter-list command,
except that it is IPv6-specific.
Examples
The following is sample output from the show bgp ipv6 filter-list command for IPv6 autonomous
system path access list number 1:
ciscoasa# show bgp ipv6 unicast filter-list 1
BGP table version is 26, local router ID is 192.168.0.2
Status codes:s suppressed, h history, * valid, > best, i - internal
Origin codes:i - IGP, e - EGP, ? - incomplete
   Network               Next Hop            Metric LocPrf Weight Path
*> 2001:0DB8:0:1::/64    2001:0DB8:0:4::2                       0 2 1 i
*> 2001:0DB8:0:1:1::/80  2001:0DB8:0:4::2                       0 2 1 i
*> 2001:0DB8:0:2:1::/80  2001:0DB8:0:4::2                       0 2 ?
*> 2001:0DB8:0:3::/64    2001:0DB8:0:4::2                       0 2 ?
*> 2001:0DB8:0:4::/64    ::                                 32768 ?
*                        2001:0DB8:0:4::2                       0 2 ?
*> 2001:0DB8:0:5::/64    ::                                 32768 ?
*                        2001:0DB8:0:4::2                       0 2 1 ?
*> 2001:0DB8:0:6::1/64   ::                                 32768 i
*> 2030::/64             2001:0DB8:0:4::2                       0 1
*> 2040::/64             2001:0DB8:0:4::2                       0 2 1 ?
*> 2050::/64             2001:0DB8:0:4::2                       0 2 1 ?
The table below describes the significant fields shown in the display.
Table 4-14    show bgp ipv6 community-list fields

Field              Description
BGP table version  Internal version number of the table. This number is incremented whenever
                   the table changes.
local router ID    A 32-bit number written as 4 octets separated by periods (dotted-decimal
                   format).
Status codes       Status of the table entry. The status is displayed at the beginning of each
                   line in the table. It can be one of the following values:
                   s—The table entry is suppressed.
                   h—The table entry is history.
                   *—The table entry is valid.
                   >—The table entry is the best entry to use for that network.
                   i—The table entry was learned via an internal BGP (iBGP) session.
Origin codes       Origin of the entry. The origin code is placed at the end of each line in the
                   table. It can be one of the following values:
                   i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised
                   with a network router configuration command.
                   e—Entry originated from an Exterior Gateway Protocol (EGP).
                   ?—Origin of the path is not clear. Usually, this is a route that is
                   redistributed into BGP from an IGP.
Network            Internet address of the network the entry describes.
Next Hop           IP address of the next system that is used when forwarding a packet to the
                   destination network. An entry of 0.0.0.0 indicates that the access server has
                   some non-BGP route to this network.
Metric             If shown, the value of the inter autonomous system metric.
LocPrf             Local preference value as set with the set local-preference route-map
                   configuration command. The default value is 100.
Weight             Weight of the route as set via autonomous system filters.
Path               Autonomous system paths to the destination network. There can be one entry in
                   this field for each autonomous system in the path. At the end of the path is
                   the origin code for the path:
                   i—The entry was originated with the IGP and advertised with a network router
                   configuration command.
                   e—The route originated with EGP.
                   ?—The origin of the path is not clear. Usually this is a path that is
                   redistributed into BGP from an IGP.
show bgp ipv6 inconsistent-as
To display IPv6 Border Gateway Protocol (BGP) routes with inconsistent originating autonomous
systems, use the show bgp ipv6 inconsistent-as command in user EXEC or privileged EXEC mode.
show bgp ipv6 unicast inconsistent-as
Syntax Description
unicast    Specifies IPv6 unicast address prefixes.

Command Modes
The following table shows the modes in which you can enter the command:

                            Firewall Mode          Security Context
                                                            Multiple
Command Mode                Routed   Transparent   Single   Context   System
Privileged EXEC, User EXEC  • Yes    • Yes         • Yes    • Yes     • Yes

Command History
Release   Modification
9.3(2)    This command was added
The show bgp ipv6 unicast inconsistent-as command provides output similar to the show ip bgp
inconsistent-as command, except that it is IPv6-specific.
Examples
The following is sample output from the show bgp ipv6 inconsistent-as command:
ciscoasa# show bgp ipv6 unicast inconsistent-as
BGP table version is 12612, local router ID is 192.168.7.225
Status codes: s suppressed, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*  3FFE:1300::/24   2001:0DB8:0:F004::1                      0 3320 293 6175 ?
*                   3FFE:C00:E:9::2                          0 1251 4270 10318 ?
*                   3FFE:3600::A                             0 3462 6175 ?
*                   3FFE:700:20:1::11                        0 293 6175 ?
Table 4-15 below describes the significant fields shown in the display.

Table 4-15    show bgp ipv6 community-list fields

Field              Description
BGP table version  Internal version number of the table. This number is incremented whenever
                   the table changes.
local router ID    A 32-bit number written as 4 octets separated by periods (dotted-decimal
                   format).
Status codes       Status of the table entry. The status is displayed at the beginning of each
                   line in the table. It can be one of the following values:
                   s—The table entry is suppressed.
                   h—The table entry is history.
                   *—The table entry is valid.
                   >—The table entry is the best entry to use for that network.
                   i—The table entry was learned via an internal BGP (iBGP) session.
Origin codes       Origin of the entry. The origin code is placed at the end of each line in the
                   table. It can be one of the following values:
                   i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised
                   with a network router configuration command.
                   e—Entry originated from an Exterior Gateway Protocol (EGP).
                   ?—Origin of the path is not clear. Usually, this is a route that is
                   redistributed into BGP from an IGP.
Network            Internet address of the network the entry describes.
Next Hop           IP address of the next system that is used when forwarding a packet to the
                   destination network. An entry of 0.0.0.0 indicates that the access server has
                   some non-BGP route to this network.
Metric             If shown, the value of the inter autonomous system metric.
LocPrf             Local preference value as set with the set local-preference route-map
                   configuration command. The default value is 100.
Weight             Weight of the route as set via autonomous system filters.
Path               Autonomous system paths to the destination network. There can be one entry in
                   this field for each autonomous system in the path. At the end of the path is
                   the origin code for the path:
                   i—The entry was originated with the IGP and advertised with a network router
                   configuration command.
                   e—The route originated with EGP.
                   ?—The origin of the path is not clear. Usually this is a path that is
                   redistributed into BGP from an IGP.
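The field tables for all of the show bgp table commands above describe one row format (three status characters, then Network, Next Hop, Metric, LocPrf, Weight and an AS path that ends in an origin code), and show bgp ipv6 inconsistent-as reports prefixes whose paths end in different originating ASes. The following Python is an added example, not Cisco code and not from this reference: it parses that fixed-column output using the header line for column positions, treats a blank Network column as a further path for the preceding prefix, follows the wrapped IPv6 lines seen in the samples, and then applies the inconsistent-origin check. The function and class names (parse_bgp_table, BgpEntry, inconsistent_origins) and the sample table are my own constructions, not captured from a device.

```python
"""Parse fixed-column `show bgp` table output and flag inconsistent origin ASes.

Added example, not Cisco code. Column positions come from the header line;
a blank Network column means a further path for the previous prefix; a long
prefix or next hop wraps onto the next line, as in the IPv6 samples.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

STATUS_CODES = {"s": "suppressed", "d": "damped", "h": "history", "*": "valid",
                ">": "best", "i": "internal", "r": "RIB-failure", "S": "stale"}
ORIGIN_CODES = {"i": "IGP", "e": "EGP", "?": "incomplete"}


@dataclass
class BgpEntry:
    prefix: str
    next_hop: str
    status: set[str]
    metric: int | None
    local_pref: int | None
    weight: int | None
    as_path: list[str]      # AS numbers as printed, left to right
    origin: str


def _num(text: str) -> int | None:
    text = text.strip()
    return int(text) if text.isdigit() else None


def parse_bgp_table(text: str) -> list[BgpEntry]:
    lines = text.splitlines()
    hdr_i = next(i for i, l in enumerate(lines) if "Network" in l and "Path" in l)
    hdr = lines[hdr_i]
    net_start = hdr.index("Network")                   # status chars sit before it
    metric_end = hdr.index("Metric") + len("Metric")   # numeric columns are right-aligned
    locprf_end = hdr.index("LocPrf") + len("LocPrf")
    weight_end = hdr.index("Weight") + len("Weight")   # Path starts after this

    entries: list[BgpEntry] = []
    last_prefix = ""
    i = hdr_i + 1
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.strip():
            continue
        status = {STATUS_CODES[c] for c in line[:net_start] if c in STATUS_CODES}
        pos = net_start
        if line[pos:pos + 1].strip():
            prefix = re.match(r"\S+", line[pos:]).group()
            last_prefix = prefix
            pos += len(prefix)
        else:
            prefix = last_prefix                       # additional path, same prefix
        m = re.match(r"\s*(\S+)", line[pos:])
        if m is None:                                  # prefix filled its column: wrap
            line, i, pos = lines[i], i + 1, 0
            m = re.match(r"\s*(\S+)", line)
        next_hop = m.group(1)
        pos += m.end()
        if not line[pos:].strip():                     # long next hop: attributes wrap
            line, i, pos = lines[i], i + 1, 0
        tail = line[weight_end:].split()               # AS path, then the origin code
        entries.append(BgpEntry(
            prefix, next_hop, status,
            _num(line[pos:metric_end]),
            _num(line[metric_end:locprf_end]),
            _num(line[locprf_end:weight_end]),
            tail[:-1], ORIGIN_CODES.get(tail[-1], "unknown") if tail else "unknown"))
    return entries


def origin_as(entry: BgpEntry) -> str:
    """Last AS in the path; an empty path is a locally originated route."""
    return entry.as_path[-1] if entry.as_path else "local"


def inconsistent_origins(entries: list[BgpEntry]) -> dict[str, list[str]]:
    """Prefixes seen with more than one originating AS: the condition that
    show bgp ipv6 inconsistent-as reports, and an early sign of misorigination."""
    seen: dict[str, set[str]] = {}
    for e in entries:
        seen.setdefault(e.prefix, set()).add(origin_as(e))
    return {p: sorted(o) for p, o in seen.items() if len(o) > 1}


# Constructed sample in the page's layout (not captured from a device).
SAMPLE = """\
BGP table version is 12, local router ID is 10.0.40.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.10.10.0/24    172.16.10.1              0             0 300 i
*  10.10.10.0/24    172.16.20.1              0             0 400 301 i
*>i10.20.0.0/16     ::FFFF:172.11.11.1       0    100      0 ?
* i                 ::FFFF:172.30.30.1       0    100      0 ?
*> 2001:DB8:0:1::/64
                    2001:DB8:0:3::2          0             0 2 3 i
*                   2001:DB8:0:4::2
                                             1             0 2 9 i
*> 2001:DB8:0:5::/64
                    ::                       0         32768 i
"""

if __name__ == "__main__":
    for prefix, origins in inconsistent_origins(parse_bgp_table(SAMPLE)).items():
        print(f"{prefix}: originated by AS {', '.join(origins)}")
```

Feeding the captured text of any of the show bgp commands above into parse_bgp_table gives one BgpEntry per path; inconsistent_origins then reduces that to the prefixes an operator would want to investigate, which is the same set show bgp ipv6 inconsistent-as prints on the device itself.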
show bgp ipv6 neighbors
To display information about IPv6 Border Gateway Protocol (BGP) connections to neighbors, use the
show bgp ipv6 neighbors command in user EXEC or privileged EXEC mode.
show bgp ipv6 unicast neighbors [ipv6-address] [received-routes | routes | advertised-routes | paths regular-expression]
Syntax Description
unicast             Specifies IPv6 unicast address prefixes.
ipv6-address        (Optional) Address of the IPv6 BGP-speaking neighbor. If you omit this
                    argument, all IPv6 neighbors are displayed.
                    This argument must be in the form documented in RFC 2373 where the
                    address is specified in hexadecimal using 16-bit values between colons.
received-routes     (Optional) Displays all received routes (both accepted and rejected) from
                    the specified neighbor.
routes              (Optional) Displays all routes received and accepted. This is a subset of
                    the output from the received-routes keyword.
advertised-routes   (Optional) Displays all the routes the networking device advertised to the
                    neighbor.
paths regular-expression
                    (Optional) Regular expression used to match the paths received.

Command Modes
The following table shows the modes in which you can enter the command:

                            Firewall Mode          Security Context
                                                            Multiple
Command Mode                Routed   Transparent   Single   Context   System
Privileged EXEC, User EXEC  • Yes    • Yes         • Yes    • Yes     • Yes

Command History
Release   Modification
9.3(2)    This command was added.
The show bgp ipv6 unicast neighbors command provides output similar to the show ip bgp neighbors
command, except that it is IPv6-specific.
Examples
The following is sample output from the show bgp ipv6 neighbors command:
ciscoasa# show bgp ipv6 unicast neighbors
BGP neighbor is 3FFE:700:20:1::11, remote AS 65003, external link
BGP version 4, remote router ID 192.168.2.27
BGP state = Established, up for 13:40:17
Last read 00:00:09, hold time is 180, keepalive interval is 60 seconds
Neighbor capabilities:
Route refresh: advertised and received
Address family IPv6 Unicast: advertised and received
Received 31306 messages, 20 notifications, 0 in queue
Sent 14298 messages, 1 notifications, 0 in queue
Default minimum time between advertisement runs is 30 seconds
For address family: IPv6 Unicast
BGP table version 21880, neighbor version 21880
Index 1, Offset 0, Mask 0x2
Route refresh request: received 0, sent 0
Community attribute sent to this neighbor
Outbound path policy configured
Incoming update prefix filter list is bgp-in
Outgoing update prefix filter list is aggregate
Route map for outgoing advertisements is uni-out
77 accepted prefixes consume 4928 bytes
Prefix advertised 4303, suppressed 0, withdrawn 1328
Number of NLRIs in the update sent: max 1, min 0
1 history paths consume 64 bytes
Connections established 22; dropped 21
Last reset 13:47:05, due to BGP Notification sent, hold time expired
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Local host: 3FFE:700:20:1::12, Local port: 55345
Foreign host: 3FFE:700:20:1::11, Foreign port: 179
Enqueued packets for retransmit: 0, input: 0 mis-ordered: 0 (0 bytes)
Event Timers (current time is 0x1A0D543C):
Timer          Starts    Wakeups          Next
Retrans          1218          5           0x0
TimeWait            0          0           0x0
AckHold          3327       3051           0x0
SendWnd             0          0           0x0
KeepAlive           0          0           0x0
GiveUp              0          0           0x0
PmtuAger            0          0           0x0
DeadWait            0          0           0x0
iss: 1805423033  snduna: 1805489354  sndnxt: 1805489354  sndwnd: 15531
irs:  821333727  rcvnxt:  821591465  rcvwnd:  15547  delrcvwnd: 837
SRTT: 300 ms, RTTO: 303 ms, RTV: 3 ms, KRTT: 0 ms
minRTT: 8 ms, maxRTT: 300 ms, ACK hold: 200 ms
Flags: higher precedence, nagle
Datagrams (max data segment is 1420 bytes):
Rcvd: 4252 (out of order: 0), with data: 3328, total data bytes: 257737
Sent: 4445 (retransmit: 5), with data: 4445, total data bytes: 244128
The table below describes the significant fields shown in the display.

Table 4-16  show bgp ipv6 community-list fields

Field                        Description
BGP neighbor                 IP address of the BGP neighbor and its autonomous system number. If the
                             neighbor is in the same autonomous system as the router, then the link
                             between them is internal; otherwise, it is considered external.
remote AS                    Autonomous system of the neighbor.
internal link                Indicates that this peer is an interior Border Gateway Protocol (iBGP) peer.
BGP version                  BGP version being used to communicate with the remote router; the router ID
                             (an IP address) of the neighbor is also specified.
remote router ID             A 32-bit number written as 4 octets separated by periods (dotted-decimal
                             format).
BGP state                    Internal state of this BGP connection.
up for                       Amount of time that the underlying TCP connection has been in existence.
Last read                    Time that BGP last read a message from this neighbor.
hold time                    Maximum amount of time that can elapse between messages from the peer.
keepalive interval           Time period between sending keepalive packets, which help ensure that the
                             TCP connection is up.
Neighbor capabilities        BGP capabilities advertised and received from this neighbor.
Route refresh                Indicates that the neighbor supports dynamic soft reset using the route
                             refresh capability.
Address family IPv6 Unicast  Indicates that BGP peers are exchanging IPv6 reachability information.
Received                     Number of total BGP messages received from this peer, including keepalives.
notifications                Number of error messages received from the peer.
Sent                         Total number of BGP messages that have been sent to this peer, including
                             keepalives.
notifications                Number of error messages the router has sent to this peer.
advertisement runs           Value of the minimum advertisement interval.
For address family           Address family to which the following fields refer.
BGP table version            Internal version number of the table. This number is incremented whenever
                             the table changes.
neighbor version             Number used by the software to track the prefixes that have been sent and
                             those that must be sent to this neighbor.
Route refresh request        Number of route refresh requests sent and received from this neighbor.
Community attribute          Appears if the neighbor send-community command is configured for this
(not shown in sample output) neighbor.
Inbound path policy          Indicates whether an inbound filter list or route map is configured.
(not shown in sample output)
Outbound path policy         Indicates whether an outbound filter list, route map, or unsuppress map is
(not shown in sample output) configured.
bgp-in                       Name of the inbound update prefix filter list for the IPv6 unicast address
(not shown in sample output) family.
aggregate                    Name of the outbound update prefix filter list for the IPv6 unicast address
(not shown in sample output) family.
uni-out                      Name of the outbound route map for the IPv6 unicast address family.
(not shown in sample output)
accepted prefixes            Number of prefixes accepted.
Prefix advertised            Number of prefixes advertised.
suppressed                   Number of prefixes suppressed.
withdrawn                    Number of prefixes withdrawn.
history paths                Number of path entries held to remember history.
(not shown in sample output)
Connections established      Number of times the router has established a TCP connection and the two
                             peers have agreed to speak BGP with each other.
dropped                      Number of times that a good connection has failed or been taken down.
Last reset                   Elapsed time (in hours:minutes:seconds) since this peering session was last
                             reset.
Connection state             State of the BGP peer.
unread input bytes           Number of bytes of packets still to be processed.
Local host, Local port       Peering address of the local router, plus the port.
Foreign host, Foreign port   Peering address of the neighbor.
Event Timers                 Table that displays the number of starts and wakeups for each timer.
snduna                       Last send sequence number for which the local host sent but has not
                             received an acknowledgment.
sndnxt                       Sequence number the local host will send next.
sndwnd                       TCP window size of the remote host.
irs                          Initial receive sequence number.
rcvnxt                       Last receive sequence number the local host has acknowledged.
rcvwnd                       TCP window size of the local host.
delrcvwnd                    Delayed receive window: data the local host has read from the connection,
                             but has not yet subtracted from the receive window the host has advertised
                             to the remote host. The value in this field gradually increases until it is
                             larger than a full-sized packet, at which point it is applied to the rcvwnd
                             field.
SRTT                         A calculated smoothed round-trip timeout (in milliseconds).
RTTO                         Round-trip timeout (in milliseconds).
RTV                          Variance of the round-trip time (in milliseconds).
KRTT                         New round-trip timeout (in milliseconds) using the Karn algorithm. This
                             field separately tracks the round-trip time of packets that have been
                             re-sent.
minRTT                       Smallest recorded round-trip timeout (in milliseconds) with hard wire value
                             used for calculation.
maxRTT                       Largest recorded round-trip timeout (in milliseconds).
ACK hold                     Time (in milliseconds) the local host will delay an acknowledgment in order
                             to "piggyback" data on it.
Flags                        IP precedence of the BGP packets.
Datagrams: Rcvd              Number of update packets received from neighbor.
with data                    Number of update packets received with data.
total data bytes             Total number of bytes of data.
Sent                         Number of update packets sent.
with data                    Number of update packets with data sent.
total data bytes             Total number of data bytes.
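Session counters such as connections dropped, notifications received and the last-reset reason are what a monitoring job would pull from this display. The following Python script is an added example, not part of the Cisco documentation or of the ASA software; it parses the lines of the neighbor display shown above (embedded as constructed sample input) into one record per neighbor and flags a session that is not Established, is flapping, has received many NOTIFICATION messages, or was last reset by hold-time expiry. The thresholds flap_ratio and max_notifications and the helper names are illustrative assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the lines this parser reads, copied from the
# "show bgp ipv6 unicast neighbors" output shown on this page.
SAMPLE_NEIGHBORS = """\
BGP neighbor is 3FFE:700:20:1::11, remote AS 65003, external link
BGP version 4, remote router ID 192.168.2.27
BGP state = Established, up for 13:40:17
Last read 00:00:09, hold time is 180, keepalive interval is 60 seconds
Received 31306 messages, 20 notifications, 0 in queue
Sent 14298 messages, 1 notifications, 0 in queue
For address family: IPv6 Unicast
77 accepted prefixes consume 4928 bytes
Prefix advertised 4303, suppressed 0, withdrawn 1328
Connections established 22; dropped 21
Last reset 13:47:05, due to BGP Notification sent, hold time expired
"""


@dataclass
class Neighbor:
    address: str
    remote_as: int
    link: str                       # "internal" (iBGP) or "external" (eBGP)
    state: Optional[str] = None
    notifications_received: int = 0
    notifications_sent: int = 0
    connections_established: int = 0
    connections_dropped: int = 0
    last_reset_reason: Optional[str] = None
    accepted_prefixes: int = 0


# One regex per line of interest, anchored on the field names used in the display.
HEADER = re.compile(r"^BGP neighbor is ([^,]+), remote AS (\d+), (internal|external) link")
STATE = re.compile(r"^BGP state = (\w+)")
RECEIVED = re.compile(r"^Received (\d+) messages, (\d+) notifications")
SENT = re.compile(r"^Sent (\d+) messages, (\d+) notifications")
CONNECTIONS = re.compile(r"^Connections established (\d+); dropped (\d+)")
LAST_RESET = re.compile(r"^Last reset [\d:]+, due to (.+)$")
ACCEPTED = re.compile(r"^(\d+) accepted prefixes")


def parse_neighbors(text: str) -> List[Neighbor]:
    """Split the show output into one Neighbor record per 'BGP neighbor is' block."""
    neighbors: List[Neighbor] = []
    current: Optional[Neighbor] = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HEADER.match(line)):
            current = Neighbor(m.group(1), int(m.group(2)), m.group(3))
            neighbors.append(current)
        elif current is None:
            continue                # text before the first neighbor block
        elif (m := STATE.match(line)):
            current.state = m.group(1)
        elif (m := RECEIVED.match(line)):
            current.notifications_received = int(m.group(2))
        elif (m := SENT.match(line)):
            current.notifications_sent = int(m.group(2))
        elif (m := CONNECTIONS.match(line)):
            current.connections_established = int(m.group(1))
            current.connections_dropped = int(m.group(2))
        elif (m := LAST_RESET.match(line)):
            current.last_reset_reason = m.group(1)
        elif (m := ACCEPTED.match(line)):
            current.accepted_prefixes = int(m.group(1))
    return neighbors


def session_findings(n: Neighbor, flap_ratio: float = 0.5, max_notifications: int = 5) -> List[str]:
    """Conditions worth alerting on; the thresholds are illustrative, tune them per peering."""
    findings = []
    if n.state != "Established":
        findings.append(f"{n.address}: state is {n.state}, not Established")
    if n.connections_established and n.connections_dropped / n.connections_established >= flap_ratio:
        findings.append(f"{n.address}: flapping, {n.connections_dropped} drops in "
                        f"{n.connections_established} establishments")
    if n.notifications_received > max_notifications:
        findings.append(f"{n.address}: {n.notifications_received} NOTIFICATION messages received")
    if n.last_reset_reason and "hold time expired" in n.last_reset_reason:
        findings.append(f"{n.address}: last reset by hold-time expiry ({n.last_reset_reason})")
    return findings


if __name__ == "__main__":
    for neighbor in parse_neighbors(SAMPLE_NEIGHBORS):
        print(neighbor)
        for finding in session_findings(neighbor):
            print("  !", finding)
```

Run against the page's sample, the peer reports three findings: 21 drops in 22 establishments, 20 notifications received, and a last reset caused by hold-time expiry, even though the session is currently Established.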
The following is sample output from the show bgp ipv6 neighbors command with the advertised-routes
keyword:

ciscoasa# show bgp ipv6 unicast neighbors 3FFE:700:20:1::11 advertised-routes
BGP table version is 21880, local router ID is 192.168.7.225
Status codes: s suppressed, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network            Next Hop               Metric LocPrf Weight Path
*> 2001:200::/35      3FFE:700:20:1::11                         0 293 3425 2500 i
*> 2001:208::/35      3FFE:C00:E:B::2                           0 237 7610 i
*> 2001:218::/35      3FFE:C00:E:C::2                           0 3748 4697 i
The following is sample output from the show bgp ipv6 neighbors command with the routes keyword:

ciscoasa# show bgp ipv6 unicast neighbors 3FFE:700:20:1::11 routes
BGP table version is 21885, local router ID is 192.168.7.225
Status codes: s suppressed, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network            Next Hop               Metric LocPrf Weight Path
*> 2001:200::/35      3FFE:700:20:1::11                         0 293 3425 2500 i
*  2001:208::/35      3FFE:700:20:1::11                         0 293 7610 i
*  2001:218::/35      3FFE:700:20:1::11                         0 293 3425 4697 i
*  2001:230::/35      3FFE:700:20:1::11                         0 293 1275 3748 i
The table below describes the significant fields shown in the display.

Table 4-17  show bgp ipv6 neighbors advertised-routes and routes fields

Field               Description
BGP table version   Internal version number of the table. This number is incremented whenever the
                    table changes.
local router ID     A 32-bit number written as 4 octets separated by periods (dotted-decimal format).
Status codes        Status of the table entry. The status is displayed at the beginning of each line
                    in the table. It can be one of the following values:
                    s—The table entry is suppressed.
                    h—The table entry is history.
                    *—The table entry is valid.
                    >—The table entry is the best entry to use for that network.
                    i—The table entry was learned via an internal BGP (iBGP) session.
Origin codes        Origin of the entry. The origin code is placed at the end of each line in the
                    table. It can be one of the following values:
                    i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised
                    with a network router configuration command.
                    e—Entry originated from an Exterior Gateway Protocol (EGP).
                    ?—Origin of the path is not clear. Usually, this is a router that is
                    redistributed into BGP from an IGP.
Network             Internet address of the network the entry describes.
Next Hop            IP address of the next system that is used when forwarding a packet to the
                    destination network. An entry of 0.0.0.0 indicates that the access server has
                    some non-BGP route to this network.
Metric              If shown, the value of the inter autonomous system metric.
LocPrf              Local preference value as set with the set local-preference route-map
                    configuration command. The default value is 100.
Weight              Weight of the route as set via autonomous system filters.
Path                Autonomous system paths to the destination network. There can be one entry in
                    this field for each autonomous system in the path. At the end of the path is the
                    origin code for the path:
                    i—The entry was originated with the IGP and advertised with a network router
                    configuration command.
                    e—The route originated with EGP.
                    ?—The origin of the path is not clear. Usually this is a path that is
                    redistributed into BGP from an IGP.
The following is sample output from the show bgp ipv6 neighbors command with the paths keyword:

ciscoasa# show bgp ipv6 unicast neighbors 3FFE:700:20:1::11 paths ^293
Address     Refcount Metric Path
0x6131D7DC         2      0 293 3425 2500 i
0x6132861C         2      0 293 7610 i
0x6131AD18         2      0 293 3425 4697 i
0x61324084         2      0 293 1275 3748 i
0x61320E0C         1      0 293 3425 2500 2497 i
0x61326928         1      0 293 3425 2513 i
0x61327BC0         2      0 293 i
0x61321758         1      0 293 145 i
0x61320BEC         1      0 293 3425 6509 i
0x6131AAF8         2      0 293 1849 2914 ?
0x61320FE8         1      0 293 1849 1273 209 i
0x613260A8         2      0 293 1849 i
0x6132586C         1      0 293 1849 5539 i
0x6131BBF8         2      0 293 1849 1103 i
0x6132344C         1      0 293 4554 1103 1849 1752 i
0x61324150         2      0 293 1275 559 i
0x6131E5AC         2      0 293 1849 786 i
0x613235E4         1      0 293 1849 1273 i
0x6131D028         1      0 293 4554 5539 8627 i
0x613279E4         1      0 293 1275 3748 4697 3257 i
0x61320328         1      0 293 1849 1273 790 i
0x6131EC0C         2      0 293 1275 5409 i
The table below describes the significant fields shown in the display.

show bgp ipv6 neighbors paths fields

Field       Description
Address     Internal address where the path is stored.
Refcount    Number of routes using that path.
Metric      The Multi Exit Discriminator (MED) metric for the path. (The name of this metric for
            BGP versions 2 and 3 is INTER_AS.)
Path        The autonomous system path for that route, followed by the origin code for that route.
The following sample output from the show bgp ipv6 neighbors command shows the received routes for
IPv6 address 2000:0:0:4::2:

ciscoasa# show bgp ipv6 unicast neighbors 2000:0:0:4::2 received-routes
BGP table version is 2443, local router ID is 192.168.0.2
Status codes:s suppressed, h history, * valid, > best, i - internal
Origin codes:i - IGP, e - EGP, ? - incomplete
   Network            Next Hop               Metric LocPrf Weight Path
*> 2000:0:0:1::/64    2000:0:0:4::2                             0 2 1 i
*> 2000:0:0:2::/64    2000:0:0:4::2                             0 2 i
*> 2000:0:0:2:1::/80  2000:0:0:4::2                             0 2 ?
*> 2000:0:0:3::/64    2000:0:0:4::2                             0 2 ?
*  2000:0:0:4::1/64   2000:0:0:4::2                             0 2 ?
show bgp ipv6 paths
To display all the IPv6 Border Gateway Protocol (BGP) paths in the database, use the show bgp ipv6 paths
command in user EXEC or privileged EXEC mode.
show bgp ipv6 unicast paths regular-expression
Syntax Description

unicast               Specifies IPv6 unicast address prefixes.
regular-expression    Regular expression that is used to match the received paths in the database.

Command Modes
The following table shows the modes in which you can enter the command:

Command Mode                  Firewall Mode          Security Context
                              Routed   Transparent   Single   Multiple
                                                              Context   System
Privileged EXEC, User EXEC    Yes      Yes           Yes      Yes       Yes

Command History

Release   Modification
9.3(2)    This command was added.
The show bgp ipv6 unicast paths command provides output similar to the show ip bgp paths command,
except that it is IPv6-specific.
Examples
The following is sample output from the show bgp ipv6 paths command:

ciscoasa# show bgp ipv6 unicast paths
Address     Hash Refcount Metric Path
0x61322A78     0        2      0 i
0x6131C214     3        2      0 6346 8664 786 i
0x6131D600    13        1      0 3748 1275 8319 1273 209 i
0x613229F0    17        1      0 3748 1275 8319 12853 i
0x61324AE0    18        1      1 4554 3748 4697 5408 i
0x61326818    32        1      1 4554 5609 i
0x61324728    34        1      0 6346 8664 9009 ?
0x61323804    35        1      0 3748 1275 8319 i
0x61327918    35        1      0 237 2839 8664 ?
0x61320504    38        2      0 3748 4697 1752 i
0x61320988    41        2      0 1849 786 i
0x6132245C    46        1      0 6346 8664 4927 i
The table below describes the significant fields shown in the display.

Field       Description
Address     Internal address where the path is stored.
Refcount    Number of routes using that path.
Metric      The Multi Exit Discriminator (MED) metric for the path. (The name of this metric for
            BGP versions 2 and 3 is INTER_AS.)
Path        The autonomous system path for that route, followed by the origin code for that route.
show bgp ipv6 prefix-list
To display routes that match a prefix list, use the show bgp ipv6 prefix-list command in user EXEC or
privileged EXEC mode.
show bgp ipv6 unicast prefix-list name
Syntax Description

unicast    Specifies IPv6 unicast address prefixes.
name       The specified prefix list.

Command Modes
The following table shows the modes in which you can enter the command:

Command Mode                  Firewall Mode          Security Context
                              Routed   Transparent   Single   Multiple
                                                              Context   System
Privileged EXEC, User EXEC    Yes      Yes           Yes      Yes       Yes

Command History

Release   Modification
9.3(2)    This command was added.
The specified prefix list must be an IPv6 prefix list, which is similar in format to an IPv4 prefix list.
Example
The following is sample output from the show bgp ipv6 prefix-list command:

Router# show bgp ipv6 unicast prefix-list pin
ipv6 prefix-list pin:
count:4, range entries:3, sequences:5 - 20, refcount:2
seq 5 permit 747::/16 (hit count:1, refcount:2)
seq 10 permit 747:1::/32 ge 64 le 64 (hit count:2, refcount:2)
seq 15 permit 747::/32 ge 33 (hit count:1, refcount:1)
seq 20 permit 777::/16 le 124 (hit count:2, refcount:1)

The ipv6 prefix-list matches the following prefixes:
seq 5: matches only the exact prefix 747::/16
seq 10: first 32 bits in prefix must match, with a prefixlen of exactly /64
seq 15: first 32 bits in prefix must match, with any prefixlen from /33 up to /128
seq 20: first 16 bits in prefix must match, with any prefixlen up to /124
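The matching rules described above (exact length when neither ge nor le is given, ge and le as bounds on the candidate's prefix length, and the implicit deny at the end of the list) can be checked offline before a list is applied to a peer. The following Python script is an added example, not part of the Cisco documentation or of the ASA software; it parses the prefix-list display shown above (embedded as sample input), applies the same rules to candidate prefixes, and returns the first matching sequence or the implicit deny. The candidate prefixes in the usage block and the helper names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Prefix list copied from the "show bgp ipv6 unicast prefix-list pin" output on this page.
PIN_OUTPUT = """\
ipv6 prefix-list pin:
count:4, range entries:3, sequences:5 - 20, refcount:2
seq 5 permit 747::/16 (hit count:1, refcount:2)
seq 10 permit 747:1::/32 ge 64 le 64 (hit count:2, refcount:2)
seq 15 permit 747::/32 ge 33 (hit count:1, refcount:1)
seq 20 permit 777::/16 le 124 (hit count:2, refcount:1)
"""


@dataclass
class Entry:
    seq: int
    action: str                      # "permit" or "deny"
    network: ipaddress.IPv6Network
    ge: Optional[int] = None
    le: Optional[int] = None


def parse_prefix_list(text: str) -> List[Entry]:
    """Read the 'seq N permit|deny PREFIX [ge X] [le Y]' lines of the show output."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("seq "):
            continue
        tokens = line.split("(")[0].split()   # drop the "(hit count:…, refcount:…)" counters
        entry = Entry(int(tokens[1]), tokens[2], ipaddress.IPv6Network(tokens[3], strict=False))
        for keyword, value in zip(tokens[4::2], tokens[5::2]):
            if keyword == "ge":
                entry.ge = int(value)
            elif keyword == "le":
                entry.le = int(value)
        entries.append(entry)
    return sorted(entries, key=lambda e: e.seq)


def entry_matches(entry: Entry, prefix: ipaddress.IPv6Network) -> bool:
    net = entry.network
    # The candidate must agree with the entry on the entry's first prefixlen bits ...
    if not prefix.subnet_of(net):
        return False
    # ... and its own length must fall in the range selected by ge/le:
    #   neither  -> exactly the entry length
    #   ge only  -> ge .. 128
    #   le only  -> entry length .. le
    #   both     -> ge .. le
    low = entry.ge if entry.ge is not None else net.prefixlen
    if entry.le is not None:
        high = entry.le
    elif entry.ge is not None:
        high = 128
    else:
        high = net.prefixlen
    return low <= prefix.prefixlen <= high


def lookup(entries: List[Entry], prefix: str) -> Tuple[Optional[int], str]:
    """First matching entry in sequence order, or the implicit deny at the end of the list."""
    candidate = ipaddress.IPv6Network(prefix, strict=False)
    for entry in entries:
        if entry_matches(entry, candidate):
            return entry.seq, entry.action
    return None, "deny"


PIN = parse_prefix_list(PIN_OUTPUT)

if __name__ == "__main__":
    # Constructed candidates: one per entry, plus two that fall through to the implicit deny.
    for candidate in ("747::/16", "747:1:0:1::/64", "747::/48", "777:abcd::/64",
                      "777::/126", "747:1::/80"):
        print(f"{candidate:18} -> {lookup(PIN, candidate)}")
```

Note that 747:1::/80 is denied: seq 10 requires exactly /64, and seq 15 requires the first 32 bits to be 747:0, not 747:1. A mismatch like that is the usual reason a prefix list silently drops a route.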
The table below describes the significant fields shown in the display.

Field               Description
BGP table version   Internal version number of the table. This number is incremented whenever the
                    table changes.
local router ID     A 32-bit number written as 4 octets separated by periods (dotted-decimal format).
Status codes        Status of the table entry. The status is displayed at the beginning of each line
                    in the table. It can be one of the following values:
                    s—The table entry is suppressed.
                    h—The table entry is history.
                    *—The table entry is valid.
                    >—The table entry is the best entry to use for that network.
                    i—The table entry was learned via an internal BGP (iBGP) session.
Origin codes        Origin of the entry. The origin code is placed at the end of each line in the
                    table. It can be one of the following values:
                    i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised
                    with a network router configuration command.
                    e—Entry originated from an Exterior Gateway Protocol (EGP).
                    ?—Origin of the path is not clear. Usually, this is a router that is
                    redistributed into BGP from an IGP.
Network             Internet address of the network the entry describes.
Next Hop            IP address of the next system that is used when forwarding a packet to the
                    destination network. An entry of 0.0.0.0 indicates that the access server has
                    some non-BGP route to this network.
Metric              If shown, the value of the inter autonomous system metric.
LocPrf              Local preference value as set with the set local-preference route-map
                    configuration command. The default value is 100.
Weight              Weight of the route as set via autonomous system filters.
Path                Autonomous system paths to the destination network. There can be one entry in
                    this field for each autonomous system in the path. At the end of the path is the
                    origin code for the path:
                    i—The entry was originated with the IGP and advertised with a network router
                    configuration command.
                    e—The route originated with EGP.
                    ?—The origin of the path is not clear. Usually this is a path that is
                    redistributed into BGP from an IGP.
show bgp ipv6 quote-regexp
To display IPv6 Border Gateway Protocol (BGP) routes matching the autonomous system path regular
expression as a quoted string of characters, use the show bgp ipv6 quote-regexp command in user EXEC or
privileged EXEC mode.
show bgp ipv6 unicast quote-regexp regular expression
Syntax Description

unicast               Specifies IPv6 unicast address prefixes.
regular expression    Regular expression that is used to match the BGP autonomous system paths.

Command Modes
The following table shows the modes in which you can enter the command:

Command Mode                  Firewall Mode          Security Context
                              Routed   Transparent   Single   Multiple
                                                              Context   System
Privileged EXEC, User EXEC    Yes      Yes           Yes      Yes       Yes

Command History

Release   Modification
9.3(2)    This command was added.
The show bgp ipv6 unicast quote-regexp command provides output similar to the show ip bgp
quote-regexp command, except that it is IPv6-specific.
Example
The following is sample output from the show bgp ipv6 quote-regexp command that shows paths
beginning with 33 or containing 293:

Router# show bgp ipv6 unicast quote-regexp ^33|293
BGP table version is 69964, local router ID is 192.31.7.225
Status codes: s suppressed, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network            Next Hop               Metric LocPrf Weight Path
*  2001:200::/35      3FFE:C00:E:4::2             1             0 4554 293 3425 2500 i
*                     2001:0DB8:0:F004::1                       0 3320 293 3425 2500 i
*  2001:208::/35      3FFE:C00:E:4::2             1             0 4554 293 7610 i
*  2001:228::/35      3FFE:C00:E:F::2                           0 6389 1849 293 2713 i
*  3FFE::/24          3FFE:C00:E:5::2                           0 33 1849 4554 i
*  3FFE:100::/24      3FFE:C00:E:5::2                           0 33 1849 3263 i
*  3FFE:300::/24      3FFE:C00:E:5::2                           0 33 293 1275 1717 i
*                     3FFE:C00:E:F::2                           0 6389 1849 293 1275
The table below describes the significant fields shown in the display.

Field               Description
BGP table version   Internal version number of the table. This number is incremented whenever the
                    table changes.
local router ID     A 32-bit number written as 4 octets separated by periods (dotted-decimal format).
Status codes        Status of the table entry. The status is displayed at the beginning of each line
                    in the table. It can be one of the following values:
                    s—The table entry is suppressed.
                    h—The table entry is history.
                    *—The table entry is valid.
                    >—The table entry is the best entry to use for that network.
                    i—The table entry was learned via an internal BGP (iBGP) session.
Origin codes        Origin of the entry. The origin code is placed at the end of each line in the
                    table. It can be one of the following values:
                    i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised
                    with a network router configuration command.
                    e—Entry originated from an Exterior Gateway Protocol (EGP).
                    ?—Origin of the path is not clear. Usually, this is a router that is
                    redistributed into BGP from an IGP.
Network             Internet address of the network the entry describes.
Next Hop            IP address of the next system that is used when forwarding a packet to the
                    destination network. An entry of 0.0.0.0 indicates that the access server has
                    some non-BGP route to this network.
Metric              If shown, the value of the inter autonomous system metric.
LocPrf              Local preference value as set with the set local-preference route-map
                    configuration command. The default value is 100.
Weight              Weight of the route as set via autonomous system filters.
Path                Autonomous system paths to the destination network. There can be one entry in
                    this field for each autonomous system in the path. At the end of the path is the
                    origin code for the path:
                    i—The entry was originated with the IGP and advertised with a network router
                    configuration command.
                    e—The route originated with EGP.
                    ?—The origin of the path is not clear. Usually this is a path that is
                    redistributed into BGP from an IGP.
show bgp ipv6 regexp
To display IPv6 Border Gateway Protocol (BGP) routes matching the autonomous system path regular
expression, use the show bgp ipv6 regexp command in user EXEC or privileged EXEC mode.
show bgp ipv6 unicast regexp regular-expression
Syntax Description

unicast               Specifies IPv6 unicast address prefixes.
regular-expression    Regular expression that is used to match the BGP autonomous system paths.

Command Modes
The following table shows the modes in which you can enter the command:

Command Mode                  Firewall Mode          Security Context
                              Routed   Transparent   Single   Multiple
                                                              Context   System
Privileged EXEC, User EXEC    Yes      Yes           Yes      Yes       Yes

Command History

Release   Modification
9.3(2)    This command was added.
The show bgp ipv6 unicast regexp command provides output similar to the show ip bgp regexp command,
except that it is IPv6-specific.
Example
The following is sample output from the show bgp ipv6 regexp command that shows paths beginning
with 33 or containing 293:

Router# show bgp ipv6 unicast regexp ^33|293
BGP table version is 69964, local router ID is 192.168.7.225
Status codes: s suppressed, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network            Next Hop               Metric LocPrf Weight Path
*  2001:200::/35      3FFE:C00:E:4::2             1             0 4554 293 3425 2500 i
*                     2001:0DB8:0:F004::1                       0 3320 293 3425 2500 i
*  2001:208::/35      3FFE:C00:E:4::2             1             0 4554 293 7610 i
*  2001:228::/35      3FFE:C00:E:F::2                           0 6389 1849 293 2713 i
*  3FFE::/24          3FFE:C00:E:5::2                           0 33 1849 4554 i
*  3FFE:100::/24      3FFE:C00:E:5::2                           0 33 1849 3263 i
*  3FFE:300::/24      3FFE:C00:E:5::2                           0 33 293 1275 1717 i
*                     3FFE:C00:E:F::2                           0 6389 1849 293 1275
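Both show bgp ipv6 unicast quote-regexp and show bgp ipv6 unicast regexp (above) evaluate the same AS-path regular expression, and ^33|293 is a substring expression: ^33 also selects a path that starts with AS 3320 (second row of the sample), and 293 would also select a path that carries AS 12934. The following Python script is an added example, not part of the Cisco documentation or of the ASA software; it translates the Cisco-specific _ token (a boundary between AS numbers) into a Python regular expression and runs the page's pattern and its boundary-anchored form ^33_|_293_ over the AS paths from the sample output above plus two constructed paths. The two constructed paths and the helper names are assumptions of the example.

```python
import re
from typing import List

# AS paths from the "show bgp ipv6 unicast regexp ^33|293" output on this page
# (origin code dropped: the regexp is evaluated against the AS_PATH attribute).
PAGE_PATHS = [
    "4554 293 3425 2500",
    "3320 293 3425 2500",
    "4554 293 7610",
    "6389 1849 293 2713",
    "33 1849 4554",
    "33 1849 3263",
    "33 293 1275 1717",
    "6389 1849 293 1275",
]

# Constructed paths (not on the page) that show where substring matching over-matches.
CONSTRUCTED_PATHS = [
    "3300 12934",   # begins with "33" and contains "293", but neither as a whole AS number
    "1234 33",      # AS 33 present but not first; no 293 anywhere
]


def cisco_as_path_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a Cisco AS-path regular expression into a Python one.

    The one Cisco-specific token is '_', which matches the boundary between
    AS numbers: a space, comma, brace, parenthesis, or the start or end of
    the path. Everything else (^ $ . * + ? | [] ()) is ordinary regex syntax.
    """
    return re.compile(pattern.replace("_", r"(?:^|$|[ ,{}()])"))


def match_as_paths(pattern: str, paths: List[str]) -> List[str]:
    """Return the paths the pattern selects, in their original order."""
    rx = cisco_as_path_regex(pattern)
    return [p for p in paths if rx.search(p)]


if __name__ == "__main__":
    for pattern in ("^33|293", "^33_|_293_"):
        print(pattern, "->", match_as_paths(pattern, PAGE_PATHS + CONSTRUCTED_PATHS))
```

All eight sample paths match both forms, but only the unanchored pattern also selects the constructed path 3300 12934. When a regexp is used to build a policy rather than to browse the table, the _ anchors are what keep it from matching neighbouring AS numbers by accident.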
The table below describes the significant fields shown in the display.

Field               Description
BGP table version   Internal version number of the table. This number is incremented whenever the
                    table changes.
local router ID     A 32-bit number written as 4 octets separated by periods (dotted-decimal format).
Status codes        Status of the table entry. The status is displayed at the beginning of each line
                    in the table. It can be one of the following values:
                    s—The table entry is suppressed.
                    h—The table entry is history.
                    *—The table entry is valid.
                    >—The table entry is the best entry to use for that network.
                    i—The table entry was learned via an internal BGP (iBGP) session.
Origin codes        Origin of the entry. The origin code is placed at the end of each line in the
                    table. It can be one of the following values:
                    i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised
                    with a network router configuration command.
                    e—Entry originated from an Exterior Gateway Protocol (EGP).
                    ?—Origin of the path is not clear. Usually, this is a router that is
                    redistributed into BGP from an IGP.
Network             Internet address of the network the entry describes.
Next Hop            IP address of the next system that is used when forwarding a packet to the
                    destination network. An entry of 0.0.0.0 indicates that the access server has
                    some non-BGP route to this network.
Metric              If shown, the value of the inter autonomous system metric.
LocPrf              Local preference value as set with the set local-preference route-map
                    configuration command. The default value is 100.
Weight              Weight of the route as set via autonomous system filters.
Path                Autonomous system paths to the destination network. There can be one entry in
                    this field for each autonomous system in the path. At the end of the path is the
                    origin code for the path:
                    i—The entry was originated with the IGP and advertised with a network router
                    configuration command.
                    e—The route originated with EGP.
                    ?—The origin of the path is not clear. Usually this is a path that is
                    redistributed into BGP from an IGP.
show bgp ipv6 route-map
To display IPv6 Border Gateway Protocol (BGP) routes that failed to install in the routing table, use the
show bgp ipv6 route-map command in user EXEC or privileged EXEC mode.
show bgp ipv6 unicast route-map name
Syntax Description

unicast    Specifies IPv6 unicast address prefixes.
name       A specified route map to match.

Command Modes
The following table shows the modes in which you can enter the command:

Command Mode                  Firewall Mode          Security Context
                              Routed   Transparent   Single   Multiple
                                                              Context   System
Privileged EXEC, User EXEC    Yes      Yes           Yes      Yes       Yes

Command History

Release   Modification
9.3(2)    This command was added.

Examples
The following is sample output from the show bgp ipv6 route-map command for a route map named
rmap:

Router# show bgp ipv6 unicast route-map rmap
BG table version is 16, local router ID is 172.30.242.1
Status codes:s suppressed, h history, * valid, > best, i - internal,
             r RIB-failure, S Stale
Origin codes:i - IGP, e - EGP, ? - incomplete
   Network            Next Hop               Metric LocPrf Weight Path
*>i12:12::/64         2001:0DB8:101::1            0    100     50 ?
*>i12:13::/64         2001:0DB8:101::1            0    100     50 ?
*>i12:14::/64         2001:0DB8:101::1            0    100     50 ?
*>i543::/64           2001:0DB8:101::1            0    100     50 ?
The table below describes the significant fields shown in the display:

Field               Description
BGP table version   Internal version number of the table. This number is incremented whenever the
                    table changes.
local router ID     A 32-bit number written as 4 octets separated by periods (dotted-decimal format).
Status codes        Status of the table entry. The status is displayed at the beginning of each line
                    in the table. It can be one of the following values:
                    s—The table entry is suppressed.
                    h—The table entry is history.
                    *—The table entry is valid.
                    >—The table entry is the best entry to use for that network.
                    i—The table entry was learned via an internal BGP (iBGP) session.
Origin codes        Origin of the entry. The origin code is placed at the end of each line in the
                    table. It can be one of the following values:
                    i—Entry originated from an Interior Gateway Protocol (IGP) and was advertised
                    with a network router configuration command.
                    e—Entry originated from an Exterior Gateway Protocol (EGP).
                    ?—Origin of the path is not clear. Usually, this is a router that is
                    redistributed into BGP from an IGP.
Network             Internet address of the network the entry describes.
Next Hop            IP address of the next system that is used when forwarding a packet to the
                    destination network. An entry of 0.0.0.0 indicates that the access server has
                    some non-BGP route to this network.
Metric              If shown, the value of the inter autonomous system metric.
LocPrf              Local preference value as set with the set local-preference route-map
                    configuration command. The default value is 100.
Weight              Weight of the route as set via autonomous system filters.
Path                Autonomous system paths to the destination network. There can be one entry in
                    this field for each autonomous system in the path. At the end of the path is the
                    origin code for the path:
                    i—The entry was originated with the IGP and advertised with a network router
                    configuration command.
                    e—The route originated with EGP.
                    ?—The origin of the path is not clear. Usually this is a path that is
                    redistributed into BGP from an IGP.
show bgp ipv6 summary
To display the status of all IPv6 Border Gateway Protocol (BGP) connections, use the show bgp ipv6
summary command in user EXEC or privileged EXEC mode.
show bgp ipv6 unicast summary
Syntax Description

unicast    Specifies IPv6 unicast address prefixes.

Command Modes
The following table shows the modes in which you can enter the command:

Command Mode                  Firewall Mode          Security Context
                              Routed   Transparent   Single   Multiple
                                                              Context   System
Privileged EXEC, User EXEC    Yes      Yes           Yes      Yes       Yes

Command History

Release   Modification
9.3(2)    This command was added.
The show bgp ipv6 unicast summary command provides output similar to the show ip bgp summary
command, except that it is IPv6-specific.
Examples
The following is sample output from the show bgp ipv6 summary command:

ciscoasa# show bgp ipv6 unicast summary
BGP device identifier 172.30.4.4, local AS number 200
BGP table version is 1, main routing table version 1
Neighbor          V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
2001:0DB8:101::2  4   200    6869    6882        0    0    0 06:25:24 Active
The table below describes the significant fields shown in the display.

Field                       Description
BGP device identifier       IP address of the networking device.
BGP table version           Internal version number of the table. This number is incremented whenever
                            the table changes.
main routing table version  Last version of BGP database that was injected into the main routing table.
Neighbor                    IPv6 address of a neighbor.
V                           BGP version number spoken to that neighbor.
AS                          Autonomous System.
MsgRcvd                     BGP messages received from that neighbor.
MsgSent                     BGP messages sent to that neighbor.
TblVer                      Last version of the BGP database that was sent to that neighbor.
InQ                         Number of messages from that neighbor waiting to be processed.
OutQ                        Number of messages waiting to be sent to that neighbor.
Up/Down                     The length of time that the BGP session has been in state Established, or
                            the current state if it is not Established.
State/PfxRcd                Current state of the BGP session/the number of prefixes the device has
                            received from a neighbor. When the maximum number (as set by the neighbor
                            maximum-prefix command) is reached, the string "PfxRcd" appears in the
                            entry, the neighbor is shut down, and the connection is Idle.
                            An (Admin) entry with Idle status indicates that the connection has been
                            shut down using the neighbor shutdown command.
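The State/PfxRcd column holds two kinds of value: a number, meaning the session is Established and that many prefixes were received, or a state name, possibly followed by (Admin). The following Python script is an added example, not part of the Cisco documentation or of the ASA software; it parses the summary table (the page's sample row plus two constructed rows) into one record per neighbor and lists the neighbors that are not Established and were not shut down administratively, which is the check a session-health monitor would run against this command. The two extra rows and the helper names are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the first row is the "show bgp ipv6 unicast summary" output on this
# page; the two extra rows are made up to show a prefix count and an (Admin) Idle entry.
SAMPLE_SUMMARY = """\
BGP device identifier 172.30.4.4, local AS number 200
BGP table version is 1, main routing table version 1
Neighbor          V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
2001:0DB8:101::2  4   200    6869    6882        0    0    0 06:25:24 Active
2001:0DB8:101::3  4   200      12      15        1    0    0 00:03:10 42
2001:0DB8:101::4  4   300       0       0        0    0    0 never    Idle (Admin)
"""


@dataclass
class SummaryRow:
    neighbor: str
    version: int
    remote_as: int
    msg_rcvd: int
    msg_sent: int
    up_down: str
    state: str                         # "Established" when the column holds a prefix count
    prefixes_received: Optional[int]   # None unless the session is Established
    admin_shutdown: bool               # True for an "(Admin)" entry (neighbor shutdown)


# Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
ROW = re.compile(
    r"^(\S+)\s+(\d)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$"
)


def parse_summary(text: str) -> List[SummaryRow]:
    rows: List[SummaryRow] = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue                 # banner lines and the column header do not match
        state_col = m.group(10)
        if state_col.isdigit():
            # A number in State/PfxRcd means Established, with that many prefixes received.
            state, prefixes, admin = "Established", int(state_col), False
        else:
            admin = "(Admin)" in state_col
            state, prefixes = state_col.replace("(Admin)", "").strip(), None
        rows.append(SummaryRow(m.group(1), int(m.group(2)), int(m.group(3)),
                               int(m.group(4)), int(m.group(5)), m.group(9),
                               state, prefixes, admin))
    return rows


def unhealthy_sessions(rows: List[SummaryRow]) -> List[str]:
    """Neighbors that are not exchanging routes and were not shut down on purpose."""
    return [r.neighbor for r in rows if r.state != "Established" and not r.admin_shutdown]


if __name__ == "__main__":
    parsed = parse_summary(SAMPLE_SUMMARY)
    for row in parsed:
        print(row)
    print("needs attention:", unhealthy_sessions(parsed))
```

On the sample, only 2001:0DB8:101::2 is reported: it is in state Active (no session), while the third row is Idle because of an administrative shutdown and is therefore expected.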
show bgp neighbors
To display information about Border Gateway Protocol (BGP) and TCP connections to neighbors, use
the show bgp neighbors command in user or privileged EXEC mode.
show bgp neighbors [slow | ip-address [advertised-routes | | paths [reg-exp] |policy [detail]
| received prefix-filter | received-routes | routes]]
Syntax Description
slow
(Optional) Displays information about dynamically configured slow peers
ip-address
(Optional) Displays information about the IPv4 neighbor. If this argument is
omitted, information about all neighbors is displayed.
advertised-routes
(Optional) Displays all routes that have been advertised to neighbors.
paths reg-exp
(Optional) Displays autonomous system paths learned from the specified
neighbor. An optional regular expression can be used to filter the output.
policy
(Optional) Displays the policies applied to this neighbor per address family.
detail
(Optional) Displays detailed policy information such as route maps, prefix
lists, community lists, access control lists (ACLs), and autonomous system
path filter lists.
received prefix-filter
(Optional) Displays the prefix-list (outbound route filter [ORF]) sent from
the specified neighbor.
received-routes
(Optional) Displays all received routes (both accepted and rejected) from the
specified neighbor.
routes
(Optional) Displays all routes that are received and accepted. The output
displayed when this keyword is entered is a subset of the output displayed by
the received-routes keyword.
Command Default
The output of this command displays information for all neighbors.
Command Modes
The following table shows the modes in which you can enter the command:

Command Mode                Firewall Mode         Security Context
                            Routed  Transparent   Single  Multiple
                                                          Context  System
Privileged EXEC, User EXEC  Yes     Yes           Yes     Yes      Yes

Command History
Release  Modification
9.2(1)   This command was added.
Usage Guidelines
Use the show bgp neighbors command to display BGP and TCP connection information for neighbor
sessions. For BGP, this includes detailed neighbor attribute, capability, path, and prefix information. For
TCP, this includes statistics related to BGP neighbor session establishment and maintenance.
Prefix activity is displayed based on the number of prefixes that are advertised and withdrawn. Policy
denials display the number of routes that were advertised but then ignored based on the function or
attribute that is displayed in the output.
The Cisco implementation of 4-byte autonomous system numbers uses asplain (65538, for example) as the
default regular expression match and output display format for autonomous system numbers, but you can
configure 4-byte autonomous system numbers in both the asplain format and the asdot format as
described in RFC 5396. To change the default regular expression match and output display of 4-byte
autonomous system numbers to asdot format, use the bgp asnotation dot command followed by
the clear bgp * command to perform a hard reset of all current BGP sessions.
Examples
Example output is different for the various keywords available for the show bgp neighbors command.
Examples using the various keywords appear in the following sections:
show bgp neighbors: Example
The following example shows output for the BGP neighbor at 10.108.50.2. This neighbor is an internal
BGP (iBGP) peer. This neighbor supports the route refresh and graceful restart capabilities.
ciscoasa# show bgp neighbors 10.108.50.2
BGP neighbor is 10.108.50.2, remote AS 1, internal link
  BGP version 4, remote router ID 192.168.252.252
  BGP state = Established, up for 00:24:25
  Last read 00:00:24, last write 00:00:24, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(old & new)
    MPLS Label capability: advertised and received
    Graceful Restart Capability: advertised
    Address family IPv4 Unicast: advertised and received
  Message statistics:
    InQ depth is 0
    OutQ depth is 0
                         Sent       Rcvd
    Opens:                  3          3
    Notifications:          0          0
    Updates:                0          0
    Keepalives:           113        112
    Route Refresh:          0          0
    Total:                116        115
  Default minimum time between advertisement runs is 5 seconds

  For address family: IPv4 Unicast
  BGP additional-paths computation is enabled
  BGP advertise-best-external is enabled
  BGP table version 1, neighbor version 1/0
  Output queue size : 0
  Index 1, Offset 0, Mask 0x2
  1 update-group member
                                 Sent       Rcvd
  Prefix activity:               ----       ----
    Prefixes Current:               0          0
    Prefixes Total:                 0          0
    Implicit Withdraw:              0          0
    Explicit Withdraw:              0          0
    Used as bestpath:             n/a          0
    Used as multipath:            n/a          0

                                   Outbound    Inbound
  Local Policy Denied Prefixes:    --------    -------
    Total:                                0          0
  Number of NLRIs in the update sent: max 0, min 0

  Connections established 3; dropped 2
  Last reset 00:24:26, due to Peer closed the session
  External BGP neighbor may be up to 2 hops away.
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled
Local host: 10.108.50.1, Local port: 179
Foreign host: 10.108.50.2, Foreign port: 42698

Enqueued packets for retransmit: 0, input: 0

Event Timers (current time is 0x68B944):
Timer          Starts    Wakeups            Next
Retrans            27          0             0x0
TimeWait            0          0             0x0
AckHold            27         18             0x0
SendWnd             0          0             0x0
KeepAlive           0          0             0x0
GiveUp              0          0             0x0
PmtuAger            0          0             0x0
DeadWait            0          0             0x0

iss: 3915509457  snduna: 3915510016  sndnxt: 3915510016     sndwnd:  15826
irs:  233567076  rcvnxt:  233567616  rcvwnd:      15845  delrcvwnd:    539
mis-ordered: 0 (0 bytes)

SRTT: 292 ms, RTTO: 359 ms, RTV: 67 ms, KRTT: 0 ms
minRTT: 12 ms, maxRTT: 300 ms, ACK hold: 200 ms
Flags: passive open, nagle, gen tcbs
IP Precedence value : 6

Datagrams (max data segment is 1460 bytes):
Rcvd: 38 (out of order: 0), with data: 27, total data bytes: 539
Sent: 45 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0)
Table 4-18 describes the significant fields shown in the display. Fields that are preceded by the
asterisk character (*) are displayed only when the counter has a nonzero value.
Table 4-18      show bgp neighbors Fields
Field                      Description
BGP neighbor               IP address of the BGP neighbor and its autonomous system number.
remote AS                  Autonomous system number of the neighbor.
local AS 300 no-prepend    Verifies that the local autonomous system number is not prepended to received
(not shown in display)     external routes. This output supports the hiding of the local autonomous
                           system when migrating autonomous systems.
internal link              "internal link" is displayed for iBGP neighbors. "external link" is displayed for
                           external BGP (eBGP) neighbors.
BGP version                BGP version being used to communicate with the remote router.
remote router ID           IP address of the neighbor.
BGP state                  Finite state machine (FSM) stage of session negotiation.
up for                     Time, in hh:mm:ss, that the underlying TCP connection has been in existence.
Last read                  Time, in hh:mm:ss, since BGP last received a message from this neighbor.
last write                 Time, in hh:mm:ss, since BGP last sent a message to this neighbor.
hold time                  Time, in seconds, that BGP will maintain the session with this neighbor without
                           receiving a message.
keepalive interval         Time interval, in seconds, at which keepalive messages are transmitted to this
                           neighbor.
Neighbor capabilities      BGP capabilities advertised and received from this neighbor. "advertised and
                           received" is displayed when a capability is successfully exchanged between two
                           routers.
Route Refresh              Status of the route refresh capability.
Graceful Restart           Status of the graceful restart capability.
Capability
Address family IPv4        IP Version 4 unicast-specific properties of this neighbor.
Unicast
Message statistics         Statistics organized by message type.
InQ depth is               Number of messages in the input queue.
OutQ depth is              Number of messages in the output queue.
Sent                       Total number of transmitted messages.
Received                   Total number of received messages.
Opens                      Number of open messages sent and received.
Notifications              Number of notification (error) messages sent and received.
Updates                    Number of update messages sent and received.
Keepalives                 Number of keepalive messages sent and received.
Route Refresh              Number of route refresh request messages sent and received.
Total                      Total number of messages sent and received.
Default minimum time       Time, in seconds, between advertisement transmissions.
between...
For address family:        Address family to which the following fields refer.
BGP table version          Internal version number of the table. This number is incremented whenever the
                           table changes.
neighbor version           Number used by the software to track prefixes that have been sent and those that
                           need to be sent.
update-group               Number of update-group members for this address family.
Prefix activity            Prefix statistics for this address family.
Prefixes current           Number of prefixes accepted for this address family.
Prefixes total             Total number of received prefixes.
Implicit Withdraw          Number of times that a prefix has been withdrawn and readvertised.
Explicit Withdraw          Number of times that a prefix has been withdrawn because it is no longer feasible.
Used as bestpath           Number of received prefixes installed as bestpaths.
Used as multipath          Number of received prefixes installed as multipaths.
* Saved (soft-reconfig)    Number of soft resets performed with a neighbor that supports soft
                           reconfiguration. This field is displayed only if the counter has a nonzero value.
* History paths            Number of history paths. This field is displayed only if the counter has a
                           nonzero value.
* Invalid paths            Number of invalid paths. This field is displayed only if the counter has a
                           nonzero value.
Local Policy Denied        Prefixes denied due to local policy configuration. Counters are updated for
Prefixes                   inbound and outbound policy denials. The fields under this heading are
                           displayed only if the counter has a nonzero value.
* route-map                Displays inbound and outbound route-map policy denials.
* filter-list              Displays inbound and outbound filter-list policy denials.
* prefix-list              Displays inbound and outbound prefix-list policy denials.
* AS_PATH too long         Displays outbound AS-path length policy denials.
* AS_PATH loop             Displays outbound AS-path loop policy denials.
* AS_PATH confed info      Displays outbound confederation policy denials.
* AS_PATH contains AS 0    Displays outbound denials of autonomous system (AS) 0.
* NEXT_HOP Martian         Displays outbound martian denials.
* NEXT_HOP non-local       Displays outbound non-local next-hop denials.
* NEXT_HOP is us           Displays outbound next-hop-self denials.
* CLUSTER_LIST loop        Displays outbound cluster-list loop denials.
* ORIGINATOR loop          Displays outbound denials of locally originated routes.
* unsuppress-map           Displays inbound denials due to an unsuppress-map.
* advertise-map            Displays inbound denials due to an advertise-map.
* Well-known Community     Displays inbound denials of well-known communities.
* SOO loop                 Displays inbound denials due to site-of-origin.
* Bestpath from this peer  Displays inbound denials because the bestpath came from the local router.
* Suppressed due to        Displays inbound denials because the neighbor or link is in a dampening state.
dampening
* Bestpath from iBGP peer  Displays inbound denials because the bestpath came from an iBGP neighbor.
* Incorrect RIB for CE     Displays inbound denials due to RIB errors for a CE router.
* BGP distribute-list      Displays inbound denials due to a distribute list.
Number of NLRIs...         Number of network layer reachability attributes in updates.
Connections established    Number of times a TCP and BGP connection has been successfully established.
dropped                    Number of times that a valid session has failed or been taken down.
Last reset                 Time since this peering session was last reset. The reason for the reset is
                           displayed on this line.
External BGP neighbor      Indicates that the BGP TTL security check is enabled. The maximum number
may be...                  of hops that can separate the local and remote peer is displayed on this line.
Connection state           Connection status of the BGP peer.
Connection is ECN          Explicit congestion notification status (enabled or disabled).
Disabled
Local host: 10.108.50.1,   IP address of the local BGP speaker. BGP port number 179.
Local port: 179
Foreign host: 10.108.50.2, Neighbor address and BGP destination port number.
Foreign port: 42698
Enqueued packets for       Packets queued for retransmission by TCP.
retransmit:
Event Timers               TCP event timers. Counters are provided for starts and wakeups (expired
                           timers).
Retrans                    Number of times a packet has been retransmitted.
TimeWait                   Time waiting for the retransmission timers to expire.
AckHold                    Acknowledgment hold timer.
SendWnd                    Transmission (send) window.
KeepAlive                  Number of keepalive packets.
GiveUp                     Number of times a packet is dropped due to no acknowledgment.
PmtuAger                   Path MTU discovery timer.
DeadWait                   Expiration timer for dead segments.
iss:                       Initial packet transmission sequence number.
snduna:                    Last transmission sequence number that has not been acknowledged.
sndnxt:                    Next packet sequence number to be transmitted.
sndwnd:                    TCP window size of the remote neighbor.
irs:                       Initial packet receive sequence number.
rcvnxt:                    Last receive sequence number that has been locally acknowledged.
rcvwnd:                    TCP window size of the local host.
delrcvwnd:                 Delayed receive window: data the local host has read from the connection, but
                           has not yet subtracted from the receive window the host has advertised to the
                           remote host. The value in this field gradually increases until it is larger than a
                           full-sized packet, at which point it is applied to the rcvwnd field.
SRTT:                      A calculated smoothed round-trip timeout.
RTTO:                      Round-trip timeout.
RTV:                       Variance of the round-trip time.
KRTT:                      New round-trip timeout (using the Karn algorithm). This field separately tracks
                           the round-trip time of packets that have been re-sent.
minRTT:                    Smallest recorded round-trip timeout (hard-wire value used for calculation).
maxRTT:                    Largest recorded round-trip timeout.
ACK hold:                  Length of time the local host will delay an acknowledgment to carry
                           (piggyback) additional data.
IP Precedence value:       IP precedence of the BGP packets.
Datagrams: Rcvd            Number of packets received from the neighbor.
out of order:              Number of packets received out of sequence.
with data                  Number of packets received with data.
total data bytes           Total amount of data received, in bytes.
unread input bytes         Number of bytes of packets still to be processed.
Sent                       Number of packets sent.
retransmit                 Number of packets retransmitted.
fastretransmit             Number of duplicate acknowledgments retransmitted for an out-of-order segment
                           before the retransmission timer expires.
partialack                 Number of retransmissions for partial acknowledgments (transmissions before or
                           without subsequent acknowledgments).
Second Congestion          Number of second retransmissions sent due to congestion.
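The following Python script is an added example and is not part of the Cisco reference: it parses the text of show bgp neighbors for several peers and reports the conditions described in Table 4-18 that an operator should act on (a state other than Established, NOTIFICATION messages received from the peer, dropped sessions together with the Last reset reason, and for eBGP peers the hop limit reported on the "External BGP neighbor may be up to N hops away" line, which the table documents as the TTL security check). The sample output embedded in the script is constructed to follow the format shown above and was not captured from a device; the function names and the regular expressions for each field are the example's own.

```python
import re

# Constructed sample in the show bgp neighbors format documented above (not captured
# from a device). The second peer is given a failed session so the checks have
# something to report.
SAMPLE_OUTPUT = """\
BGP neighbor is 10.108.50.2, remote AS 1, internal link
  BGP state = Established, up for 00:24:25
  Message statistics:
                         Sent       Rcvd
    Opens:                  3          3
    Notifications:          0          2
    Keepalives:           113        112
  Connections established 3; dropped 2
  Last reset 00:24:26, due to Peer closed the session
  Connection state is ESTAB, I/O status: 1, unread input bytes: 0
BGP neighbor is 192.168.3.2, remote AS 50000, external link
  BGP state = Idle
  Message statistics:
                         Sent       Rcvd
    Opens:                  1          1
    Notifications:          1          0
    Keepalives:             5          5
  Connections established 1; dropped 1
  Last reset 00:00:35, due to Router ID changed
  External BGP neighbor may be up to 2 hops away.
  Graceful-Restart is disabled
"""

# One expression per line of interest; the names are this example's own.
NEIGHBOR_RE = re.compile(r"^BGP neighbor is (\S+), remote AS (\d+), (internal|external) link", re.M)
STATE_RE = re.compile(r"BGP state = (\w+)")
NOTIF_RE = re.compile(r"Notifications:\s+(\d+)\s+(\d+)")
CONN_RE = re.compile(r"Connections established (\d+); dropped (\d+)")
RESET_RE = re.compile(r"Last reset ([^,\s]+)(?:, due to (.+))?$", re.M)
HOPS_RE = re.compile(r"External BGP neighbor may be up to (\d+) hops away")
GR_RE = re.compile(r"Graceful-Restart is (enabled|disabled)")


def parse_neighbors(text):
    """Split show bgp neighbors output into one dict per peer."""
    peers = []
    # Every peer block begins with a line starting "BGP neighbor is".
    for block in re.split(r"(?m)^(?=BGP neighbor is )", text):
        head = NEIGHBOR_RE.search(block)
        if not head:
            continue  # whatever precedes the first peer block
        state = STATE_RE.search(block)
        notif = NOTIF_RE.search(block)
        conn = CONN_RE.search(block)
        reset = RESET_RE.search(block)
        hops = HOPS_RE.search(block)
        gr = GR_RE.search(block)
        peers.append({
            "neighbor": head.group(1),
            "remote_as": int(head.group(2)),
            "link": head.group(3),
            "state": state.group(1) if state else None,
            "notifications_sent": int(notif.group(1)) if notif else 0,
            "notifications_rcvd": int(notif.group(2)) if notif else 0,
            "established": int(conn.group(1)) if conn else 0,
            "dropped": int(conn.group(2)) if conn else 0,
            "last_reset_reason": reset.group(2) if reset else None,  # None for "Last reset never"
            "max_hops": int(hops.group(1)) if hops else None,  # only shown with the TTL security check
            "graceful_restart": gr.group(1) if gr else None,
        })
    return peers


def audit(peers):
    """Return {neighbor: [finding, ...]} for the conditions worth an operator's attention."""
    findings = {}
    for p in peers:
        notes = []
        if p["state"] != "Established":
            notes.append(f"session is {p['state']}, not Established")
        if p["notifications_rcvd"]:
            notes.append(f"peer sent {p['notifications_rcvd']} NOTIFICATION message(s)")
        if p["dropped"]:
            notes.append(f"session dropped {p['dropped']} time(s); last reset: {p['last_reset_reason']}")
        if p["link"] == "external":
            if p["max_hops"] is None:
                notes.append("eBGP peer shows no TTL security hop limit")
            elif p["max_hops"] > 1:
                notes.append(f"eBGP peer accepts sessions up to {p['max_hops']} hops away")
        if notes:
            findings[p["neighbor"]] = notes
    return findings


if __name__ == "__main__":
    for neighbor, notes in audit(parse_neighbors(SAMPLE_OUTPUT)).items():
        for note in notes:
            print(f"{neighbor}: {note}")
```

Run it against saved output of show bgp neighbors in place of SAMPLE_OUTPUT. A peer that keeps accumulating dropped sessions, or whose Notifications column shows messages arriving from the far end, is the place to start when prefixes go missing; an eBGP peer that accepts sessions from several hops away has a correspondingly larger set of hosts that can attempt to open a TCP connection to port 179.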
show bgp neighbors advertised-routes: Example
The following example displays routes advertised for only the 172.16.232.178 neighbor:
ciscoasa# show bgp neighbors 172.16.232.178 advertised-routes
BGP table version is 27, local router ID is 172.16.232.181
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*>i10.0.0.0         172.16.232.179           0    100      0 ?
*> 10.20.2.0        10.0.0.0                 0           32768 i
Table 4-19 shows each field description.
Table 4-19      show bgp neighbors advertised-routes Fields
Field              Description
BGP table version  Internal version number of the table. This number is incremented whenever the table changes.
local router ID    IP address of the router.
Status codes       Status of the table entry. The status is displayed at the beginning of each line in the table.
                   It can be one of the following values:
                   s: The table entry is suppressed.
                   d: The table entry is dampened.
                   h: The table entry is a history entry.
                   *: The table entry is valid.
                   >: The table entry is the best entry to use for that network.
                   i: The table entry was learned via an internal BGP (iBGP) session.
Origin codes       Origin of the entry. The origin code is placed at the end of each line in the table. It can be
                   one of the following values:
                   i: Entry originated from an Interior Gateway Protocol (IGP) and was advertised with
                   a network router configuration command.
                   e: Entry originated from an Exterior Gateway Protocol (EGP).
                   ?: Origin of the path is not clear. Usually, this is a route that is redistributed into BGP
                   from an IGP.
Network            Internet address of the network the entry describes.
Next Hop           IP address of the next system that is used when forwarding a packet to the destination
                   network. An entry of 0.0.0.0 indicates that the router has some non-BGP route to
                   this network.
Metric             If shown, the value of the inter-autonomous-system metric.
LocPrf             Local preference value as set with the set local-preference route-map configuration
                   command. The default value is 100.
Weight             Weight of the route as set via autonomous system filters.
Path               Autonomous system paths to the destination network. There can be one entry in this field
                   for each autonomous system in the path. At the end of the path is the origin code for the
                   path:
                   i: The entry was originated with the IGP and advertised with a network router
                   configuration command.
                   e: The route originated with EGP.
                   ?: The origin of the path is not clear. Usually this is a path that is redistributed into BGP
                   from an IGP.
show bgp neighbors paths: Example
The following is example output from the show bgp neighbors command entered with
the paths keyword:
ciscoasa# show bgp neighbors 172.29.232.178 paths ^10
Address     Refcount Metric Path
0x60E577B0         2     40 10 ?
Table 4-20 shows each field description.
Table 4-20      show bgp neighbors paths Fields
Field     Description
Address   Internal address where the path is stored.
Refcount  Number of routes using that path.
Metric    Multi Exit Discriminator (MED) metric for the path. (The name of this metric for BGP
          versions 2 and 3 is INTER_AS.)
Path      Autonomous system path for that route, followed by the origin code for that route.
show bgp neighbors received prefix-filter: Example
The following example shows that a prefix-list that filters all routes in the 10.0.0.0 network has been
received from the 192.168.20.72 neighbor:
ciscoasa# show bgp neighbors 192.168.20.72 received prefix-filter
Address family:IPv4 Unicast
ip prefix-list 192.168.20.72:1 entries
   seq 5 deny 10.0.0.0/8 le 32
Table 4-21 shows each field description.
Table 4-21      show bgp neighbors received prefix-filter Fields
Field           Description
Address family  Address family mode in which the prefix filter is received.
ip prefix-list  Prefix list sent from the specified neighbor.
show bgp neighbors policy: Example
The following sample output shows the policies applied to the neighbor at 192.168.1.2, both the policies
configured directly on the neighbor and those inherited from a template:
ciscoasa# show bgp neighbors 192.168.1.2 policy
 Neighbor: 192.168.1.2, Address-Family: IPv4 Unicast
 Locally configured policies:
  route-map ROUTE in
 Inherited policies:
  prefix-list NO-MARKETING in
  route-map ROUTE in
  weight 300
  maximum-prefix 10000
show bgp neighbors: Example
The following is sample output from the show bgp neighbors command that verifies that BGP TCP path
maximum transmission unit (MTU) discovery is enabled for the BGP neighbor at 172.16.1.2:
ciscoasa# show bgp neighbors 172.16.1.2
BGP neighbor is 172.16.1.2, remote AS 45000, internal link
BGP version 4, remote router ID 172.16.1.99
.
.
.
For address family: IPv4 Unicast
BGP table version 5, neighbor version 5/0
.
.
.
Address tracking is enabled, the RIB does have a route to 172.16.1.2
Address tracking requires at least a /24 route to the peer
Connections established 3; dropped 2
Last reset 00:00:35, due to Router ID changed
Transport(tcp) path-mtu-discovery is enabled
.
.
.
SRTT: 146 ms, RTTO: 1283 ms, RTV: 1137 ms, KRTT: 0 ms
minRTT: 8 ms, maxRTT: 300 ms, ACK hold: 200 ms
Flags: higher precedence, retransmission timeout, nagle, path mtu capable
The following is partial output from the show bgp neighbors command that verifies the status of the
BGP graceful restart capability for the external BGP peer at 192.168.3.2. Graceful restart is shown as
disabled for this BGP peer.
ciscoasa# show bgp neighbors 192.168.3.2
BGP neighbor is 192.168.3.2, remote AS 50000, external link
Inherits from template S2 for session parameters
BGP version 4, remote router ID 192.168.3.2
BGP state = Established, up for 00:01:41
Last read 00:00:45, last write 00:00:45, hold time is 180, keepalive intervals
Neighbor sessions:
1 active, is multisession capable
Neighbor capabilities:
Route refresh: advertised and received(new)
Address family IPv4 Unicast: advertised and received
.
.
.
Address tracking is enabled, the RIB does have a route to 192.168.3.2
Connections established 1; dropped 0
Last reset never
Transport(tcp) path-mtu-discovery is enabled
Graceful-Restart is disabled
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
show bgp paths
To display all the BGP paths in the database, use the show bgp paths command in user or privileged
EXEC mode.
show bgp paths [regexp]
Syntax Description
regexp
(Optional) Regular expression to match the BGP autonomous system paths.
Command Modes
The following table shows the modes in which you can enter the command:

Command Mode                Firewall Mode         Security Context
                            Routed  Transparent   Single  Multiple
                                                          Context  System
Privileged EXEC, User EXEC  Yes     Yes           Yes     Yes      Yes

Command History
Release  Modification
9.2(1)   This command was added.
Examples
The following is sample output from the show bgp paths command in privileged EXEC mode:
ciscoasa# show bgp paths
Address     Hash Refcount Metric Path
0x60E5742C     0        1      0 i
0x60E3D7AC     2        1      0 ?
0x60E5C6C0    11        3      0 10 ?
0x60E577B0    35        2     40 10 ?
Table 4-22 shows each field description.
Table 4-22      show bgp paths Fields
Field     Description
Address   Internal address where the path is stored.
Hash      Hash bucket where the path is stored.
Refcount  Number of routes using that path.
Metric    The Multi Exit Discriminator (MED) metric for the path. (The name of this metric for BGP
          versions 2 and 3 is INTER_AS.)
Path      The autonomous system path for that route, followed by the origin code for that route.
show bgp policy-list
To display information about a configured policy list and policy list entries, use the show bgp policy-list
command in user or privileged EXEC mode.
show bgp policy-list [policy-list-name]
Syntax Description
policy-list-name
(Optional) Displays information about the specified policy list only.
Command Modes
The following table shows the modes in which you can enter the command:

Command Mode                Firewall Mode         Security Context
                            Routed  Transparent   Single  Multiple
                                                          Context  System
Privileged EXEC, User EXEC  Yes     Yes           Yes     Yes      Yes

Command History
Release  Modification
9.2(1)   This command was added.
Examples
The following is sample output from the show bgp policy-list command. The output of this command
will display the policy-list name and configured match clauses. The following sample output is similar
to the output that will be displayed:
ciscoasa# show bgp policy-list
policy-list POLICY-LIST-NAME-1 permit
Match clauses:
metric 20
policy-list POLICY-LIST-NAME-2 permit
Match clauses:
as-path (as-path filter): 1
show bgp prefix-list
To display information about a prefix list or prefix list entries, use the show bgp prefix-list command in user
or privileged EXEC mode.
show bgp prefix-list [detail | summary] [prefix-list-name [seq sequence-number |
network/length [longer | first-match]]]
Syntax Description
detail | summary
(Optional) Displays detailed or summarized information about all prefix
lists.
prefix-list-name
(Optional) Displays the entries in a specific prefix list.
seq sequence-number
(Optional) Displays only the prefix list entry with the specified sequence
number in the specified prefix list.
network/length
(Optional) Displays all entries in the specified prefix list that use this
network address and netmask length (in bits).
longer
(Optional) Displays all entries of the specified prefix list that match or are
more specific than the given network/length.
first-match
(Optional) Displays the first entry of the specified prefix list that matches the
given network/length.
Command Modes
The following table shows the modes in which you can enter the command:

Command Mode                Firewall Mode         Security Context
                            Routed  Transparent   Single  Multiple
                                                          Context  System
Privileged EXEC, User EXEC  Yes     Yes           Yes     Yes      Yes

Command History
Release  Modification
9.2(1)   This command was added.
Examples
The following example shows the output of the show bgp prefix-list command with details about the
prefix list named test:
ciscoasa# show bgp prefix-list detail test
ip prefix-list test:
Description: test-list
count: 1, range entries: 0, sequences: 10 - 10, refcount: 3
seq 10 permit 10.0.0.0/8 (hit count: 0, refcount: 1)
show bgp regexp
To display routes matching the autonomous system path regular expression, use the show bgp
regexp command in EXEC mode.
show bgp regexp regexp
Syntax Description
regexp
Regular expression to match the BGP autonomous system paths. For more details about autonomous
system number formats, see the router bgp command.
Command Modes
The following table shows the modes in which you can enter the command:

Command Mode                Firewall Mode         Security Context
                            Routed  Transparent   Single  Multiple
                                                          Context  System
Privileged EXEC, User EXEC  Yes     Yes           Yes     Yes      Yes

Command History
Release  Modification
9.2(1)   This command was added.
Usage Guidelines
The Cisco implementation of 4-byte autonomous system numbers uses asplain (65538, for example) as the
default regular expression match and output display format for autonomous system numbers, but you can
configure 4-byte autonomous system numbers in both the asplain format and the asdot format as
described in RFC 5396. To change the default regular expression match and output display of 4-byte
autonomous system numbers to asdot format, use the bgp asnotation dot command followed by
the clear bgp * command to perform a hard reset of all current BGP sessions.
To ensure a smooth transition, we recommend that all BGP speakers within an autonomous system that
is identified by a 4-byte autonomous system number be upgraded to support 4-byte autonomous
system numbers.
Examples
The following is sample output from the show bgp regexp command in privileged EXEC mode:
Router# show bgp regexp 108$
BGP table version is 1738, local router ID is 172.16.72.24
Status codes: s suppressed, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*  172.16.0.0       172.16.72.30             0                109 108 ?
*  172.16.1.0       172.16.72.30             0                109 108 ?
*  172.16.11.0      172.16.72.30             0                109 108 ?
*  172.16.14.0      172.16.72.30             0                109 108 ?
*  172.16.15.0      172.16.72.30             0                109 108 ?
*  172.16.16.0      172.16.72.30             0                109 108 ?
*  172.16.17.0      172.16.72.30             0                109 108 ?
*  172.16.18.0      172.16.72.30             0                109 108 ?
*  172.16.19.0      172.16.72.30             0                109 108 ?
*  172.16.24.0      172.16.72.30             0                109 108 ?
*  172.16.29.0      172.16.72.30             0                109 108 ?
*  172.16.30.0      172.16.72.30             0                109 108 ?
*  172.16.33.0      172.16.72.30             0                109 108 ?
*  172.16.35.0      172.16.72.30             0                109 108 ?
*  172.16.36.0      172.16.72.30             0                109 108 ?
*  172.16.37.0      172.16.72.30             0                109 108 ?
*  172.16.38.0      172.16.72.30             0                109 108 ?
*  172.16.39.0      172.16.72.30             0                109 108 ?
After the bgp asnotation dot command is configured, the regular expression match format for 4-byte
autonomous system paths is changed to asdot notation format. Although a 4-byte autonomous system
number can be written in a regular expression using either asplain or asdot format, only 4-byte
autonomous system numbers written in the current default format are matched. In the first
example, the show bgp regexp command is entered with a 4-byte autonomous system number in
asplain format. The match fails because the default format is currently asdot format, so there is no
output. In the second example, using asdot format, the match succeeds and the information about the 4-byte
autonomous system path is shown using asdot notation.
Note
The asdot notation uses a period, which is a special character in Cisco regular expressions. To remove the
special meaning, use a backslash before the period.
Router# show bgp regexp ^65536$
Router# show bgp regexp ^1\.0$
BGP table version is 2, local router ID is 172.17.1.99
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.1.1.0/24      192.168.1.2              0             0 1.0 i
The following is sample output from the show bgp regexp command after the bgp asnotation
dot command has been entered, displaying a 4-byte autonomous system number in asdot notation:
Router# show bgp regexp ^1\.14$
BGP table version is 4, local router ID is 172.17.1.99
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.1.1.0/24      192.168.1.2              0             0 1.14 i
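As an added example that is not part of the Cisco reference, the following Python functions show the asplain/asdot conversion described in the Usage Guidelines above and build the anchored expression for show bgp regexp in whichever notation the router currently displays, escaping the asdot period as the Note requires. Python's re module stands in for the Cisco regular expression engine here; for plain anchored AS_PATH expressions such as the ones on this page the two agree. The function names are the example's own; the AS numbers are the ones from the examples above (65536 is 1.0, 65550 is 1.14).

```python
import re


def asplain_to_asdot(asn):
    """Render a BGP AS number in asdot notation (RFC 5396).
    Numbers below 65536 are unchanged; a 4-byte number becomes <high>.<low>."""
    if not 0 <= asn <= 0xFFFFFFFF:
        raise ValueError(f"AS number out of range: {asn}")
    if asn < 65536:
        return str(asn)
    return f"{asn >> 16}.{asn & 0xFFFF}"


def asdot_to_asplain(text):
    """Parse an AS number written in either notation back to an integer."""
    if "." not in text:
        return int(text)
    high, low = (int(part) for part in text.split(".", 1))
    if not (0 <= high <= 0xFFFF and 0 <= low <= 0xFFFF):
        raise ValueError(f"bad asdot value: {text}")
    return (high << 16) | low


def as_path_regexp(asns, notation="asplain"):
    """Build an anchored AS_PATH expression for show bgp regexp.

    The numbers are rendered in the notation the router is currently displaying
    (the default asplain, or asdot after bgp asnotation dot), and re.escape()
    turns the asdot period into a backslash-period so it matches only a literal
    period rather than any single character."""
    rendered = [asplain_to_asdot(a) if notation == "asdot" else str(a) for a in asns]
    return "^" + " ".join(re.escape(r) for r in rendered) + "$"


def path_matches(regexp, as_path):
    """Test an expression against one AS_PATH string as printed in the Path column."""
    return re.search(regexp, as_path) is not None


if __name__ == "__main__":
    # The two cases from the examples above: an asplain expression does not match a
    # path displayed in asdot, and the unescaped period would also match AS 100.
    print(as_path_regexp([65536]), path_matches(as_path_regexp([65536]), "1.0"))
    print(as_path_regexp([65536], "asdot"), path_matches(as_path_regexp([65536], "asdot"), "1.0"))
    print("^1.0$ matches 100:", path_matches("^1.0$", "100"))
```

The last line of the main block is the reason for the Note: without the backslash, ^1.0$ also matches the 2-byte autonomous system 100, so a filter or a search that was meant to single out AS 1.0 would silently cover a different network.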
show bgp replication
To display update replication statistics for Border Gateway Protocol (BGP) update groups, use the show bgp
replication command in EXEC mode.
show bgp replication [index-group | ip-address]
Syntax Description
index-group
(Optional) Displays update replication statistics for the update group with the
corresponding index number. The range of update-group index numbers is
from 1 to 4294967295.
ip-address
(Optional) Displays update replication statistics for this neighbor.
Command Modes
The following table shows the modes in which you can enter the command:

Command Mode                Firewall Mode         Security Context
                            Routed  Transparent   Single  Multiple
                                                          Context  System
Privileged EXEC, User EXEC  Yes     Yes           Yes     Yes      Yes

Command History
Release  Modification
9.2(1)   This command was added.
Usage Guidelines
The output of this command displays BGP update-group replication statistics.
When a change to outbound policy occurs, the router automatically recalculates update-group
memberships and applies the changes by triggering an outbound soft reset after a 3-minute timer expires.
This behavior is designed to give the network operator time to correct the configuration if a
mistake was made. You can manually trigger an outbound soft reset before the timer expires by entering
the clear bgp ip-address soft out command.
Examples
The following sample output from the show bgp replication command shows update-group replication
information for all neighbors:
ciscoasa# show bgp replication
BGP Total Messages Formatted/Enqueued : 0/0
Index  Type      Members  Leader      MsgFmt  MsgRepl  Csize  Qsize
    1  internal        1  10.4.9.21        0        0      0      0
    2  internal        2  10.4.9.5         0        0      0      0
The following sample output from the show bgp replication command shows update-group
statistics for the 10.4.9.5 neighbor:
Router# show bgp replication 10.4.9.5
Index  Type      Members  Leader      MsgFmt  MsgRepl  Csize  Qsize
    2  internal        2  10.4.9.5         0        0      0      0
Table 4-23 shows each field description.
Table 4-23      show bgp replication Fields
Field    Description
Index    Index number of the update group.
Type     Type of peer (internal or external).
Members  Number of members in the dynamic update peer group.
Leader   First member of the dynamic update peer group.
show bgp rib-failure
To display Border Gateway Protocol (BGP) routes that failed to install in the Routing Information Base (RIB)
table, use the show bgp rib-failure command in privileged EXEC mode.
show bgp rib-failure
Syntax Description
This command has no keywords or arguments.
Command Modes
The following table shows the modes in which you can enter the command:

Command Mode                Firewall Mode         Security Context
                            Routed  Transparent   Single  Multiple
                                                          Context  System
Privileged EXEC, User EXEC  Yes     Yes           Yes     Yes      Yes

Command History
Release  Modification
9.2(1)   This command was added.
Examples
The following is a sample output from the show bgp rib-failure command:
ciscoasa# show bgp rib-failure
Network          Next Hop     RIB-failure             RIB-NH Matches
10.1.15.0/24     10.1.35.5    Higher admin distance   n/a
10.1.16.0/24     10.1.15.1    Higher admin distance   n/a
Table 4-24 shows each field description.

Table 4-24    show bgp rib-failure Fields

Field            Description
Network          IP address of a network entity.
Next Hop         IP address of the next system that is used when forwarding a packet to the destination network.
                 An entry of 0.0.0.0 indicates that the router has some non-BGP routes to this network.
RIB-failure      Cause of RIB failure. Higher admin distance means that a route with a better (lower)
                 administrative distance such as a static route already exists in the IP routing table.
RIB-NH Matches   Route status that applies only when Higher admin distance appears in the RIB-failure column
                 and bgp suppress-inactive is configured for the address family being used. There are three
                 choices:
                 • Yes—Means that the route in the RIB has the same next hop as the BGP route or next
                   hop recurses down to the same adjacency as the BGP nexthop.
                 • No—Means that the next hop in the RIB recurses down differently from the next hop
                   of the BGP route.
                 • n/a—Means that bgp suppress-inactive is not configured for the address family
                   being used.
show bgp summary

To display the status of all Border Gateway Protocol (BGP) connections, use the show bgp
summary command in user EXEC or privileged EXEC mode.

show bgp summary

Command Modes
The following table shows the modes in which you can enter the command:

                             Firewall Mode               Security Context
                                                                  Multiple
Command Mode                 Routed   Transparent   Single   Context   System
Privileged EXEC, User EXEC   • Yes    • Yes         • Yes    • Yes     • Yes

Command History
Release    Modification
9.2(1)     This command was added.

Usage Guidelines
The show bgp summary command is used to display BGP path, prefix, and attribute information for all
connections to BGP neighbors.
A prefix is an IP address and network mask. It can represent an entire network, a subset of a network, or
a single host route. A path is a route to a given destination. By default, BGP will install only a single
path for each destination. If multipath routes are configured, BGP will install a path entry for each
multipath route, and only one multipath route will be marked as the bestpath.
BGP attribute and cache entries are displayed individually and in combinations that affect the bestpath
selection process. The fields for this output are displayed when the related BGP feature is configured or
attribute is received. Memory usage is displayed in bytes.
The Cisco implementation of 4-byte autonomous system numbers uses asplain—65538 for example—as
the default regular expression match and output display format for autonomous system numbers, but you
can configure 4-byte autonomous system numbers in both the asplain format and the asdot format as
described in RFC 5396. To change the default regular expression match and output display of 4-byte
autonomous system numbers to asdot format, use the bgp asnotation dot command followed by
the clear bgp * command to perform a hard reset of all current BGP sessions.
Examples
The following is sample output from the show bgp summary command in privileged EXEC mode:
Router# show bgp summary
BGP router identifier 172.16.1.1, local AS number 100
BGP table version is 199, main routing table version 199
37 network entries using 2850 bytes of memory
59 path entries using 5713 bytes of memory
18 BGP path attribute entries using 936 bytes of memory
2 multipath network entries and 4 multipath paths
10 BGP AS-PATH entries using 240 bytes of memory
7 BGP community entries using 168 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
90 BGP advertise-bit cache entries using 1784 bytes of memory
36 received paths for inbound soft reconfiguration
BGP using 34249 total bytes of memory
Dampening enabled. 4 history paths, 0 dampened paths
BGP activity 37/2849 prefixes, 60/1 paths, scan interval 15 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.100.1.1      4   200      26      22      199    0    0 00:14:23       23
10.200.1.1      4   300      21      51      199    0    0 00:13:40        0
Table 4-25 shows each field description.

Table 4-25    show bgp summary Fields

Field                            Description
BGP router identifier            In order of precedence and availability, the router identifier specified by the bgp
                                 router-id command, a loopback address, or the highest IP address.
BGP table version                Internal version number of BGP database.
main routing table version       Last version of BGP database that was injected into the main routing table.
...network entries               Number of unique prefix entries in the BGP database.
...using ... bytes of memory     Amount of memory, in bytes, that is consumed for the path, prefix, or attribute
                                 entry displayed on the same line.
...path entries using            Number of path entries in the BGP database. Only a single path entry will be
                                 installed for a given destination. If multipath routes are configured, a path entry
                                 will be installed for each multipath route.
...multipath network entries     Number of multipath entries installed for a given destination.
using
* ...BGP path/bestpath           Number of unique BGP attribute combinations for which a path is selected as the
attribute entries using          bestpath.
* ...BGP rrinfo entries using    Number of unique ORIGINATOR and CLUSTER_LIST attribute combinations.
...BGP AS-PATH entries using     Number of unique AS_PATH entries.
...BGP community entries using   Number of unique BGP community attribute combinations.
* ...BGP extended community      Number of unique extended community attribute combinations.
entries using
BGP route-map cache entries      Number of BGP route-map match and set clause combinations. A value of 0
using                            indicates that the route cache is empty.
...BGP filter-list cache         Number of filter-list entries that match AS-path access list permit or deny
entries using                    statements. A value of 0 indicates that the filter-list cache is empty.
BGP advertise-bit cache          (Cisco IOS Release 12.4(11)T and later releases only) Number of advertised
entries using                    bitfield entries and the associated memory usage. A bitfield entry represents a
                                 piece of information (one bit) that is generated when a prefix is advertised to a peer.
                                 The advertised bit cache is built dynamically when required.
...received paths for inbound    Number of paths received and stored for inbound soft reconfiguration.
soft reconfiguration
BGP using...                     Total amount of memory, in bytes, used by the BGP process.
Dampening enabled...             Indicates that BGP dampening is enabled. The number of paths that carry an
                                 accumulated penalty and the number of dampened paths are displayed on this line.
BGP activity...                  Displays the number of times that memory has been allocated or released for a path
                                 or prefix.
Neighbor                         IP address of the neighbor.
V                                BGP version number spoken to the neighbor.
AS                               Autonomous system number.
MsgRcvd                          Number of messages received from the neighbor.
MsgSent                          Number of messages sent to the neighbor.
TblVer                           Last version of the BGP database that was sent to the neighbor.
InQ                              Number of messages queued to be processed from the neighbor.
OutQ                             Number of messages queued to be sent to the neighbor.
Up/Down                          The length of time that the BGP session has been in the Established state, or the
                                 current status if not in the Established state.
State/PfxRcd                     Current state of the BGP session, and the number of prefixes that have been
                                 received from a neighbor or peer group. When the maximum number (as set by
                                 the neighbor maximum-prefix command) is reached, the string "PfxRcd" appears
                                 in the entry, the neighbor is shut down, and the connection is set to Idle.
                                 An (Admin) entry with Idle status indicates that the connection has been shut down
                                 using the neighbor shutdown command.
The following output from the show bgp summary command shows that the BGP neighbor 192.168.3.2
was dynamically created and is a member of the listen range group, group192. The output also shows
that the IP prefix range of 192.168.0.0/16 is defined for the listen range group named group192. In
Cisco IOS Release 12.2(33)SXH and later releases, the BGP dynamic neighbor feature added the ability
to support the dynamic creation of BGP neighbor peers using a subnet range associated with a peer group
(listen range group).
ciscoasa# show bgp summary
BGP router identifier 192.168.3.1, local AS number 45000
BGP table version is 1, main routing table version 1
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
*192.168.3.2    4 50000       2       2        0    0    0 00:00:37        0
* Dynamically created based on a listen range command
Dynamically created neighbors: 1/(200 max), Subnet ranges: 1

BGP peergroup group192 listen range group members:
192.168.0.0/16
The following output from the show bgp summary command shows two BGP neighbors, 192.168.1.2
and 192.168.3.2, in different 4-byte autonomous system numbers, 65536 and 65550. The local
autonomous system 65538 is also a 4-byte autonomous system number and the numbers are displayed
in the default asplain format.
Router# show bgp summary
BGP router identifier 172.17.1.99, local AS number 65538
BGP table version is 1, main routing table version 1
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  Statd
192.168.1.2     4 65536       7       7        1    0    0 00:03:04     0
192.168.3.2     4 65550       4       4        1    0    0 00:00:15     0
The following output from the show bgp summary command shows the same two BGP neighbors, but
the 4-byte autonomous system numbers are displayed in asdot notation format. To change the display
format the bgp asnotation dot command must be configured in router configuration mode.
Router# show bgp summary
BGP router identifier 172.17.1.99, local AS number 1.2
BGP table version is 1, main routing table version 1
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  Statd
192.168.1.2     4   1.0       9       9        1    0    0 00:04:13     0
192.168.3.2     4  1.14       6       6        1    0    0 00:01:24     0
The following example displays sample output of the show bgp summary slow command:
ciscoasa> show bgp summary slow
BGP router identifier 2.2.2.2, local AS number 100
BGP table version is 37, main routing table version 37
36 network entries using 4608 bytes of memory
36 path entries using 1872 bytes of memory
1/1 BGP path/bestpath attribute entries using 124 bytes of memory
1 BGP rrinfo entries using 24 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
1 BGP extended community entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 6700 total bytes of memory
BGP activity 46/0 prefixes, 48/0 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
6.6.6.6 4 100 11 10 1 0 0 00:44:20 0
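As an added example (this is not Cisco's code and not part of the reference), the following Python parses the neighbor table of show bgp summary as laid out above, normalizes 4-byte AS numbers from asdot to asplain as RFC 5396 defines them (X.Y means X*65536 + Y, so 1.2 is 65538 and 1.14 is 65550), and separates Established sessions (a numeric State/PfxRcd) from sessions left in an FSM state or shut down with neighbor shutdown. The column regex, the "needs attention" rule and the sample text are assumptions of this example; the sample is constructed from values that appear in this reference.

```python
"""Parse the neighbor table of `show bgp summary` and classify each session.

Added example: not Cisco's code and not part of this reference. Assumptions:
the neighbor rows use the column order shown in the reference (Neighbor V AS
MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd); the AS column is either
asplain or asdot (RFC 5396: "X.Y" means X*65536 + Y); a leading '*' marks a
dynamically created neighbor; a numeric State/PfxRcd means Established.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample built from values in this reference: one Established peer,
# one shut down with `neighbor shutdown`, one stuck in Active, and one dynamic
# peer whose 4-byte AS is shown in asdot notation.
SAMPLE = """\
BGP router identifier 172.17.1.99, local AS number 1.2
BGP table version is 199, main routing table version 199
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.100.1.1      4   200      26      22      199    0    0 00:14:23       23
10.200.1.1      4   300      21      51      199    0    0 00:13:40 Idle (Admin)
192.168.1.2     4   1.0       7       7        1    0    0 never    Active
*192.168.3.2    4  1.14       4       4        0    0    0 00:00:37        0
"""

ROW_RE = re.compile(
    r"^(?P<dyn>\*?)(?P<neighbor>\S+)\s+(?P<ver>\d+)\s+(?P<asn>[\d.]+)\s+"
    r"(?P<rcvd>\d+)\s+(?P<sent>\d+)\s+(?P<tblver>\d+)\s+(?P<inq>\d+)\s+(?P<outq>\d+)\s+"
    r"(?P<updown>\S+)\s+(?P<state>.+?)\s*$"
)


def asdot_to_asplain(asn: str) -> int:
    """Normalize an AS number: 'X.Y' asdot -> X*65536 + Y; asplain is returned as int."""
    if "." in asn:
        high_s, low_s = asn.split(".", 1)
        high, low = int(high_s), int(low_s)
        if not (0 <= high <= 65535 and 0 <= low <= 65535):
            raise ValueError(f"asdot component out of range: {asn}")
        return high * 65536 + low
    value = int(asn)
    if not 0 <= value <= 4294967295:
        raise ValueError(f"AS number out of range: {asn}")
    return value


@dataclass
class Neighbor:
    address: str
    dynamic: bool            # created from a `listen range` (the '*' marker)
    remote_as: int           # always asplain after normalization
    up_down: str
    state: str               # "Established" or the FSM state / marker the ASA printed
    prefixes: Optional[int]  # prefixes received; None unless Established
    admin_shutdown: bool     # "(Admin)": shut with `neighbor shutdown`
    max_prefix_hit: bool     # "PfxRcd": `neighbor maximum-prefix` limit reached


def parse_bgp_summary(text: str) -> Tuple[Optional[int], List[Neighbor]]:
    """Return (local AS in asplain, neighbors) from `show bgp summary` output."""
    local_as: Optional[int] = None
    neighbors: List[Neighbor] = []
    for line in text.splitlines():
        m = re.search(r"local AS number (\S+)", line)
        if m:
            local_as = asdot_to_asplain(m.group(1))
            continue
        m = ROW_RE.match(line)
        if not m:
            continue  # banner lines and the column header do not match
        state = m.group("state").strip()
        established = state.isdigit()
        neighbors.append(Neighbor(
            address=m.group("neighbor"),
            dynamic=m.group("dyn") == "*",
            remote_as=asdot_to_asplain(m.group("asn")),
            up_down=m.group("updown"),
            state="Established" if established else state,
            prefixes=int(state) if established else None,
            admin_shutdown="(Admin)" in state,
            max_prefix_hit="PfxRcd" in state,
        ))
    return local_as, neighbors


def sessions_needing_attention(neighbors: List[Neighbor]) -> List[str]:
    """Addresses of peers that are not Established (admin-shutdown ones included)."""
    return [n.address for n in neighbors if n.state != "Established"]


if __name__ == "__main__":
    local_as, peers = parse_bgp_summary(SAMPLE)
    print(f"local AS {local_as}")
    for p in peers:
        print(f"{p.address:<16} AS{p.remote_as:<6} {p.state} prefixes={p.prefixes}")
    print("needs attention:", sessions_needing_attention(peers))
```

Normalizing to asplain before comparing is the point of the conversion function: the same peer shows as 65550 or 1.14 depending on whether bgp asnotation dot is configured, so any allow-list of expected peer AS numbers should be compared in one format.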
show bgp system-config

To display the BGP running configuration that the system context enforces on a user context, use the show bgp
system-config command in user EXEC or privileged EXEC mode.

show bgp system-config

Syntax Description
This command has no arguments or keywords.

Command Modes
The following table shows the modes in which you can enter the command:

                             Firewall Mode               Security Context
                                                                  Multiple
Command Mode                 Routed   Transparent   Single   Context   System
Privileged EXEC, User EXEC   • Yes    • Yes         • Yes    —         —

Command History
Release    Modification
9.2(1)     This command was added.
Usage Guidelines
This command can be used only in a user context, without any arguments or keywords. It is useful for
checking the running configuration that the system context enforces on the user context.
Examples
The following sample output is similar to the output that will be displayed when the show bgp
system-config command is entered in user EXEC mode:
ciscoasa/c1(config)# show bgp system-config
router bgp 1
bgp log-neighbor-changes
no bgp always-compare-med
no bgp asnotation dot
no bgp bestpath med
no bgp bestpath compare-routerid
bgp default local-preference 100
no bgp deterministic-med
bgp enforce-first-as
bgp maxas-limit 0
bgp transport path-mtu-discovery
timers bgp 60 180 0
address-family ipv4 unicast
bgp scan-time 0
bgp nexthop trigger enable
bgp nexthop trigger delay 5
exit-address-family
show blocks

To show the packet buffer utilization, use the show blocks command in privileged EXEC mode.

show blocks [{address hex | all | assigned | free | old | pool size [summary]} [diagnostics | dump | header | packet] |
             queue history | [exhaustion snapshot | history [list] [1-MAX_NUM_SNAPSHOT | index] [detail]]
Syntax Description
address hex                  (Optional) Shows a block corresponding to this address, in hexadecimal.
all                          (Optional) Shows all blocks.
assigned                     (Optional) Shows blocks that are assigned and in use by an application.
detail                       (Optional) Shows a portion (128 bytes) of the first block for each unique
                             queue type.
dump                         (Optional) Shows the entire block contents, including the header and
                             packet information. The difference between dump and packet is that
                             dump includes additional information between the header and the
                             packet.
diagnostics                  (Optional) Shows block diagnostics.
exhaustion snapshot          (Optional) Prints the last x number (x is currently 10) of snapshots that
                             were taken and the time stamp of the last snapshot. After a snapshot is
                             taken, another snapshot is not taken if less than 5 minutes has passed.
free                         (Optional) Shows blocks that are available for use.
header                       (Optional) Shows the header of the block.
history                      The history option displays recent and all snapshots in the history.
history 1-MAX_NUM_SNAPSHOT   The history 1-MAX_NUM_SNAPSHOT option displays only one
                             snapshot in the history.
history index                The history index option displays the index of snapshots in the history.
history list                 The history list option displays a summary of snapshots in the history.
old                          (Optional) Shows blocks that were assigned more than a minute ago.
packet                       (Optional) Shows the header of the block as well as the packet contents.
pool size                    (Optional) Shows blocks of a specific size.
queue history                (Optional) Shows where blocks are assigned when the ASA runs out of
                             blocks. Sometimes, a block is allocated from the pool but never assigned
                             to a queue. In that case, the location is the code address that allocated
                             the block.
summary                      (Optional) Shows detailed information about block usage sorted by the
                             program addresses of applications that allocated blocks in this class,
                             program addresses of applications that released blocks in this class, and
                             the queues to which valid blocks in this class belong.

Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                   Firewall Mode               Security Context
                                                        Multiple
Command Mode       Routed   Transparent   Single   Context   System
Privileged EXEC    • Yes    • Yes         • Yes    • Yes     • Yes

Command History
Release    Modification
7.0(1)     The pool summary option was added.
8.0(2)     The dupb block uses 0 length blocks now instead of 4 byte blocks. An
           additional line was added for 0 byte blocks.
9.1(5)     The exhaustion snapshot, history list, history index, and history
           1-MAX_NUM_SNAPSHOT options were added.

Usage Guidelines
The show blocks command helps you determine if the ASA is overloaded. This command lists
preallocated system buffer utilization. A full memory condition is not a problem as long as traffic is
moving through the ASA. You can use the show conn command to see if traffic is moving. If traffic is
not moving and the memory is full, there may be a problem.
You can also view this information using SNMP.
The information shown in a security context includes the system-wide information as well as
context-specific information about the blocks in use and the high water mark for block usage.
See the “Examples” section for a description of the display output.
Examples
The following is sample output from the show blocks command in single mode:
ciscoasa# show blocks
  SIZE    MAX    LOW    CNT
     0    100     99    100
     4   1600   1598   1599
    80    400    398    399
   256   3600   3540   3542
  1550   4716   3177   3184
 16384     10     10     10
  2048   1000   1000   1000
Table 4-26 shows each field description.

Table 4-26    show blocks Fields

Field   Description
SIZE    Size, in bytes, of the block pool. Each size represents a particular type.
0       Used by dupb blocks.
4       Duplicates existing blocks in applications such as DNS, ISAKMP, URL filtering, uauth,
        TFTP, and TCP modules. Also, this sized block can be used normally by code to send
        packets to drivers, etc.
80      Used in TCP intercept to generate acknowledgment packets and for failover hello
        messages.
256     Used for Stateful Failover updates, syslogging, and other TCP functions.
        These blocks are mainly used for Stateful Failover messages. The active ASA generates
        and sends packets to the standby ASA to update the translation and connection table. In
        bursty traffic, where high rates of connections are created or torn down, the number of
        available blocks might drop to 0. This situation indicates that one or more connections
        were not updated to the standby ASA. The Stateful Failover protocol catches the missing
        translation or connection the next time. If the CNT column for 256-byte blocks stays at or
        near 0 for extended periods of time, then the ASA is having trouble keeping the translation
        and connection tables synchronized because of the number of connections per second that
        the ASA is processing.
        Syslog messages sent out from the ASA also use the 256-byte blocks, but they are
        generally not released in such quantity to cause a depletion of the 256-byte block pool. If
        the CNT column shows that the number of 256-byte blocks is near 0, ensure that you are
        not logging at Debugging (level 7) to the syslog server. This is indicated by the logging
        trap line in the ASA configuration. We recommend that you set logging at Notification
        (level 5) or lower, unless you require additional information for debugging purposes.
1550    Used to store Ethernet packets for processing through the ASA.
        When a packet enters an ASA interface, it is placed on the input interface queue, passed
        up to the operating system, and placed in a block. The ASA determines whether the packet
        should be permitted or denied based on the security policy and processes the packet
        through to the output queue on the outbound interface. If the ASA is having trouble
        keeping up with the traffic load, the number of available blocks will hover close to 0 (as
        shown in the CNT column of the command output). When the CNT column is zero, the
        ASA attempts to allocate more blocks. The maximum can be greater than 8192 for
        1550-byte blocks if you issue this command. If no more blocks are available, the ASA
        drops the packet.
16384   Only used for the 64-bit, 66-MHz Gigabit Ethernet cards (i82543).
        See the description for 1550 for more information about Ethernet packets.
2048    Control or guided frames used for control updates.
MAX     Maximum number of blocks available for the specified byte block pool. The maximum
        number of blocks are carved out of memory at bootup. Typically, the maximum number
        of blocks does not change. The exception is for the 256- and 1550-byte blocks, where the
        ASA can dynamically create more when needed. The maximum can be greater than 8192
        for 1550-byte blocks if you issue this command.
LOW     Low-water mark. This number indicates the lowest number of this size blocks available
        since the ASA was powered up, or since the last clearing of the blocks (with the clear
        blocks command). A zero in the LOW column indicates a previous event where memory
        was full.
CNT     Current number of blocks available for that specific size block pool. A zero in the CNT
        column means memory is full now.
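The usage guidelines and the LOW and CNT descriptions above amount to a monitoring rule: CNT of 0 means a pool is full now, LOW of 0 means it was full at some point since boot or the last clear blocks, and a depleted 256-byte pool should prompt a look at the logging trap level. The following Python applies that rule to show blocks output; it is an added example, not Cisco's code and not part of this reference. It assumes the column layouts shown in this section (SIZE MAX LOW CNT, with INUSE and HIGH added in a context), and the 10% headroom threshold and the sample outputs are assumptions of the example, constructed from figures that appear above.

```python
"""Flag packet-buffer pools that are exhausted, from `show blocks` output.

Added example: not Cisco's code and not part of this reference. It assumes
the column layout shown in the reference: SIZE MAX LOW CNT in single mode,
with INUSE and HIGH added inside a security context. The 10% headroom
threshold is an assumption of this example, not an ASA setting.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample based on the figures in this reference, edited so that the
# 256-byte pool shows a past exhaustion (LOW=0) and the 1550-byte pool is
# exhausted right now (CNT=0).
SAMPLE_SINGLE = """\
ciscoasa# show blocks
  SIZE    MAX    LOW    CNT
     0    100     99    100
     4   1600   1598   1599
    80    400    398    399
   256   3600      0   3542
  1550   4716     12      0
 16384     10     10     10
  2048   1000   1000   1000
"""

# Constructed sample of the per-context form (INUSE/HIGH columns present).
SAMPLE_CONTEXT = """\
ciscoasa/contexta# show blocks
  SIZE    MAX    LOW    CNT INUSE  HIGH
     4   1600   1599   1599     0     0
   256   3600   3538   3540     0     1
  1550   4616   3077   3085     0     0
"""


@dataclass
class Pool:
    size: int
    max_blocks: int
    low: int                     # low-water mark since boot / `clear blocks`
    cnt: int                     # blocks free right now
    inuse: Optional[int] = None  # context view only
    high: Optional[int] = None   # context view only


def parse_show_blocks(text: str) -> List[Pool]:
    """Parse the numeric rows; the prompt, the header and any other line are skipped."""
    pools: List[Pool] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) not in (4, 6) or not all(f.isdigit() for f in fields):
            continue
        pools.append(Pool(*[int(f) for f in fields]))
    return pools


def assess_pools(pools: List[Pool], warn_fraction: float = 0.10) -> List[Tuple[int, str, str]]:
    """Return (size, severity, reason) for pools that need attention.

    CNT == 0 : memory for that pool is full now (CNT field).
    LOW == 0 : the pool ran dry at some point since boot or `clear blocks` (LOW field).
    CNT below warn_fraction * MAX : headroom is thin (threshold assumed here).
    """
    findings: List[Tuple[int, str, str]] = []
    for p in pools:
        if p.cnt == 0:
            findings.append((p.size, "critical", "pool exhausted now (CNT=0)"))
        elif p.low == 0:
            findings.append((p.size, "warning", "pool was exhausted earlier (LOW=0)"))
        elif p.max_blocks and p.cnt < warn_fraction * p.max_blocks:
            findings.append((p.size, "warning", f"only {p.cnt} of {p.max_blocks} blocks free"))
    return findings


def logging_trap_too_verbose(config_text: str) -> bool:
    """True when `logging trap` sends level 7 (debugging) to syslog servers, which
    the 256-byte pool description warns against; no `logging trap` line counts as
    not verbose."""
    m = re.search(r"^logging trap (\S+)", config_text, re.MULTILINE)
    return bool(m) and m.group(1).lower() in ("debugging", "7")


if __name__ == "__main__":
    for size, severity, reason in assess_pools(parse_show_blocks(SAMPLE_SINGLE)):
        print(f"{severity:<8} {size:>5}-byte pool: {reason}")
```

Pairing the block check with show conn output, as the usage guidelines suggest, is what turns a "critical" finding into a verdict: a full pool while connections keep moving is tolerable, a full pool with traffic stalled is not.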
The following is sample output from the show blocks all command:
ciscoasa# show blocks all
Class 0, size 4
     Block   allocd_by    freed_by  data size  alloccnt  dup_cnt  oper   location
0x01799940  0x00000000  0x00101603          0         0        0  alloc  not_specified
0x01798e80  0x00000000  0x00101603          0         0        0  alloc  not_specified
0x017983c0  0x00000000  0x00101603          0         0        0  alloc  not_specified
...
Found 1000 of 1000 blocks
Displaying 1000 of 1000 blocks
Table 4-27 shows each field description.

Table 4-27    show blocks all Fields

Field       Description
Block       The block address.
allocd_by   The program address of the application that last used the block (0 if not used).
freed_by    The program address of the application that last released the block.
data size   The size of the application buffer/packet data that is inside the block.
alloccnt    The number of times this block has been used since the block came into existence.
dup_cnt     The current number of references to this block if used: 0 means 1 reference, 1 means 2
            references.
oper        One of the four operations that was last performed on the block: alloc, get, put, or free.
location    The application that uses the block, or the program address of the application that last
            allocated the block (same as the allocd_by field).
The following is sample output from the show blocks command in a context:
ciscoasa/contexta# show blocks
  SIZE    MAX    LOW    CNT INUSE  HIGH
     4   1600   1599   1599     0     0
    80    400    400    400     0     0
   256   3600   3538   3540     0     1
  1550   4616   3077   3085     0     0
The following is sample output from the show blocks queue history command:
ciscoasa# show blocks queue history
Each Summary for User and Queue_type is followed its top 5 individual queues
Block Size: 4
Summary for User "http", Queue "tcp_unp_c_in", Blocks 1595, Queues 1396
 Blk_cnt  Q_cnt  Last_Op  Queue_Type  User      Context
     186      1  put                            contexta
      15      1  put                            contexta
       1      1  put                            contexta
       1      1  put                            contextb
       1      1  put                            contextc
Summary for User "aaa", Queue "tcp_unp_c_in", Blocks 220, Queues 200
 Blk_cnt  Q_cnt  Last_Op  Queue_Type  User      Context
      21      1  put                            contexta
       1      1  put                            contexta
       1      1  put                            contexta
       1      1  put                            contextb
       1      1  put                            contextc
 Blk_cnt  Q_cnt  Last_Op  Queue_Type  User      Context
     200      1  alloc    ip_rx       tcp       contexta
     108      1  get      ip_rx       udp       contexta
      85      1  free     fixup       h323_ras  contextb
      42      1  put      fixup       skinny    contextb
Block Size: 1550
Summary for User "http", Queue "tcp_unp_c_in", Blocks 1595, Queues 1000
 Blk_cnt  Q_cnt  Last_Op  Queue_Type  User      Context
     186      1  put                            contexta
      15      1  put                            contexta
       1      1  put                            contexta
       1      1  put                            contextb
       1      1  put                            contextc
...
The following is sample output from the show blocks queue history detail command:
ciscoasa# show blocks queue history detail
History buffer memory usage: 2136 bytes (default)
Each Summary for User and Queue type is followed its top 5 individual queues
Block Size: 4
Summary for User "http", Queue_Type "tcp_unp_c_in", Blocks 1595, Queues 1396
 Blk_cnt  Q_cnt  Last_Op  Queue_Type  User      Context
     186      1  put                            contexta
      15      1  put                            contexta
       1      1  put                            contexta
       1      1  put                            contextb
       1      1  put                            contextc
First Block information for Block at 0x.....
dup_count 0, flags 0x8000000, alloc_pc 0x43ea2a,
start_addr 0xefb1074, read_addr 0xefb118c, write_addr 0xefb1193
urgent_addr 0xefb118c, end_addr 0xefb17b2
0efb1150: 00 00 00 03 47 c5 61 c5 00 05 9a 38 76 80 a3 00 | ....G.a....8v...
0efb1160: 00 0a 08 00 45 00 05 dc 9b c9 00 00 ff 06 f8 f3 | ....E...........
0efb1170: 0a 07 0d 01 0a 07 00 50 00 17 cb 3d c7 e5 60 62 | .......P...=..`b
0efb1180: 7e 73 55 82 50 18 10 00 45 ca 00 00 2d 2d 20 49 | ~sU.P...E...-- I
0efb1190: 50 20 2d 2d 0d 0a 31 30 2e 37 2e 31 33 2e 31 09 | P --..10.7.13.1.
0efb11a0: 3d 3d 3e 09 31 30 2e 37 2e 30 2e 38 30 0d 0a 0d | ==>.10.7.0.80...
Summary for User "aaa", Queue "tcp_unp_c_in", Blocks 220, Queues 200
 Blk_cnt  Q_cnt  Last_Op  Queue_Type  User      Context
      21      1  put                            contexta
       1      1  put                            contexta
       1      1  put                            contexta
       1      1  put                            contextb
       1      1  put                            contextc
First Block information for Block at 0x.....
dup_count 0, flags 0x8000000, alloc_pc 0x43ea2a,
start_addr 0xefb1074, read_addr 0xefb118c, write_addr 0xefb1193
urgent_addr 0xefb118c, end_addr 0xefb17b2
0efb1150: 00 00 00 03 47 c5 61 c5 00 05 9a 38 76 80 a3 00 | ....G.a....8v...
0efb1160: 00 0a 08 00 45 00 05 dc 9b c9 00 00 ff 06 f8 f3 | ....E...........
0efb1170: 0a 07 0d 01 0a 07 00 50 00 17 cb 3d c7 e5 60 62 | .......P...=..`b
0efb1180: 7e 73 55 82 50 18 10 00 45 ca 00 00 2d 2d 20 49 | ~sU.P...E...-- I
0efb1190: 50 20 2d 2d 0d 0a 31 30 2e 37 2e 31 33 2e 31 09 | P --..10.7.13.1.
0efb11a0: 3d 3d 3e 09 31 30 2e 37 2e 30 2e 38 30 0d 0a 0d | ==>.10.7.0.80...
...
total_count: total buffers in this class
The following is sample output from the show blocks pool summary command:
ciscoasa# show blocks pool 1550 summary
Class 3, size 1550
=================================================
total_count=1531 miss_count=0
Alloc_pc    valid_cnt   invalid_cnt
0x3b0a18     00000256      00000000  0x01ad0760 0x01acfe00 0x01acf4a0 0x01aceb40 00000000 0x00000000
0x3a8f6b     00001275      00000012  0x05006aa0 0x05006140 0x050057e0 0x05004520 00000000 0x00000000
=================================================
total_count=9716 miss_count=0
Freed_pc    valid_cnt   invalid_cnt
0x9a81f3     00000104      00000007  0x05006140 0x05000380 0x04fffa20 0x04ffde00 00000000
0x9a0326     00000053      00000033  0x05006aa0 0x050057e0 0x05004e80 0x05003260 00000000
0x4605a2     00000005      00000000  0x04ff5ac0 0x01e8e2e0 0x01e2eac0 0x01e17d20 00000000
...
=================================================
total_count=1531 miss_count=0
Queue       valid_cnt   invalid_cnt
0x3b0a18     00000256      00000000  Invalid Bad qtype  0x01ad0760 0x01acfe00 0x01acf4a0 0x01aceb40 00000000
0x3a8f6b     00001275      00000000  Invalid Bad qtype  0x05006aa0 0x05006140 0x050057e0 0x05004520 00000000
                                                        0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
=================================================
free_cnt=8185 fails=0 actual_free=8185 hash_miss=0
03a8d3e0 03a8b7c0 03a7fc40 03a6ff20 03a6f5c0 03a6ec60 kao-f1#
The following is sample output from the show blocks exhaustion history list command:
ciscoasa# show blocks exhaustion history list
1 Snapshot created at 18:01:03 UTC Feb 19 2014:
Snapshot created due to 16384 blocks running out
2 Snapshot created at 18:02:03 UTC Feb 19 2014:
Snapshot created due to 16384 blocks running out
3 Snapshot created at 18:03:03 UTC Feb 19 2014:
Snapshot created due to 16384 blocks running out
4 Snapshot created at 18:04:03 UTC Feb 19 2014:
Snapshot created due to 16384 blocks running out
Table 4-28 shows each field description.

Table 4-28    show blocks pool summary Fields

Field                    Description
total_count              The number of blocks for a given class.
miss_count               The number of blocks not reported in the specified category due to technical
                         reasons.
Freed_pc                 The program addresses of applications that released blocks in this class.
Alloc_pc                 The program addresses of applications that allocated blocks in this class.
Queue                    The queues to which valid blocks in this class belong.
valid_cnt                The number of blocks that are currently allocated.
invalid_cnt              The number of blocks that are not currently allocated.
Invalid Bad qtype        Either this queue has been freed and the contents are invalid or this queue was
                         never initialized.
Valid tcp_usr_conn_inp   The queue is valid.

Related Commands
Command        Description
blocks         Increases the memory assigned to block diagnostics.
clear blocks   Clears the system buffer statistics.
show conn      Shows active connections.
show bootvar

To show the boot file and configuration properties, use the show bootvar command in privileged EXEC
mode.

show bootvar

Syntax Description
This command has no arguments or keywords.

Defaults
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:

                   Firewall Mode               Security Context
                                                        Multiple
Command Mode       Routed   Transparent   Single   Context   System
Privileged EXEC    • Yes    • Yes         • Yes    • Yes     • Yes

Command History
Release    Modification
7.2(1)     This command was added.
Usage Guidelines
The BOOT variable specifies a list of bootable images on various devices. The CONFIG_FILE variable
specifies the configuration file used during system initialization. Set these variables with the boot
system command and boot config command, respectively.
Examples
In the following example, the BOOT variable contains disk0:/f1_image, which is the image booted when
the system reloads. The current value of BOOT is disk0:/f1_image; disk0:/f1_backupimage. This value
means that the BOOT variable has been modified with the boot system command, but the running
configuration has not been saved with the write memory command. When the running configuration is
saved, the BOOT variable and current BOOT variable will both be disk0:/f1_image; disk0:/f1_backupimage.
Assuming that the running configuration is saved, the boot loader will try to load the contents of the
BOOT variable, starting with disk0:/f1_image, but if that is not present or invalid, the boot loader will
try to boot disk0:/f1_backupimage.
The CONFIG_FILE variable points to the system startup configuration. In this example it is not set, so
the startup configuration file is the default specified with the boot config command. The current
CONFIG_FILE variable may be modified with the boot config command and saved with the write
memory command.
The following is sample output from the show bootvar command:
ciscoasa# show bootvar
BOOT variable = disk0:/f1_image
Current BOOT variable = disk0:/f1_image; disk0:/f1_backupimage
CONFIG_FILE variable =
Current CONFIG_FILE variable =
ciscoasa#
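The example above describes a mismatch between BOOT variable and Current BOOT variable as the signature of a boot change that has not been saved with write memory. As an added example (not Cisco's code and not part of this reference), the following Python reads show bootvar output, reports that signature for both BOOT and CONFIG_FILE, notes when CONFIG_FILE is unset, and returns the image the boot loader will try first from the saved list. It assumes the four variable lines shown in the output above and that values are separated by ';' in boot order; the sample text is constructed from that output.

```python
"""Check `show bootvar` for boot settings that differ from the saved configuration.

Added example: not Cisco's code and not part of this reference. It assumes the
four variable lines shown in the reference output and that a value list is
';'-separated in boot order.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the same values as the reference output.
SAMPLE = """\
ciscoasa# show bootvar
BOOT variable = disk0:/f1_image
Current BOOT variable = disk0:/f1_image; disk0:/f1_backupimage
CONFIG_FILE variable =
Current CONFIG_FILE variable =
ciscoasa#
"""

LINE_RE = re.compile(r"^((?:Current )?(?:BOOT|CONFIG_FILE) variable)\s*=\s*(.*)$")


def parse_bootvar(text: str) -> Dict[str, List[str]]:
    """Map each variable name to its ordered list of values ([] when unset)."""
    result: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            result[m.group(1)] = [v.strip() for v in m.group(2).split(";") if v.strip()]
    return result


def bootvar_findings(vars_: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (severity, message) pairs.

    warning : the saved and current lists differ, so a `boot system` or `boot config`
              change has not been saved with `write memory`.
    info    : CONFIG_FILE is unset, so the startup configuration is the default
              specified with `boot config`.
    """
    findings: List[Tuple[str, str]] = []
    for name in ("BOOT", "CONFIG_FILE"):
        saved = vars_.get(f"{name} variable", [])
        current = vars_.get(f"Current {name} variable", [])
        if saved != current:
            findings.append(("warning",
                             f"{name} changed but not saved with write memory: "
                             f"saved={saved} current={current}"))
    if not vars_.get("CONFIG_FILE variable"):
        findings.append(("info", "CONFIG_FILE not set: startup config is the boot config default"))
    return findings


def first_boot_image(vars_: Dict[str, List[str]]) -> str:
    """Image the boot loader tries first at the next reload (head of the saved BOOT
    list), or '' when BOOT is unset."""
    saved = vars_.get("BOOT variable", [])
    return saved[0] if saved else ""


if __name__ == "__main__":
    parsed = parse_bootvar(SAMPLE)
    print("first image:", first_boot_image(parsed))
    for severity, message in bootvar_findings(parsed):
        print(f"{severity}: {message}")
```

Comparing the saved list rather than the current one is deliberate: after a reload, only what was written to the startup configuration matters, so a change that looks correct in Current BOOT variable but was never saved is exactly the drift worth flagging.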
Related Commands
Command   Description
boot      Specifies the configuration file or image file used at startup.
show bridge-group

To show bridge group information such as interfaces assigned, MAC addresses, and IP addresses, use
the show bridge-group command in privileged EXEC mode.

show bridge-group bridge-group-number

Syntax Description
bridge-group-number   Specifies the bridge group number as an integer between 1 and 100.

Command Default
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:

                   Firewall Mode               Security Context
                                                        Multiple
Command Mode       Routed   Transparent   Single   Context   System
Privileged EXEC    —        • Yes         • Yes    • Yes     —

Command History
Release    Modification
8.4(1)     This command was added.

Examples
The following is sample output from the show bridge-group command with IPv4 addresses:
ciscoasa# show bridge-group 1
Interfaces: GigabitEthernet0/0.101, GigabitEthernet0/0.201
Management System IP Address: 10.0.1.1 255.255.255.0
Management Current IP Address: 10.0.1.1 255.255.255.0
Management IPv6 Global Unicast Address(es):
N/A
Static mac-address entries: 0
Dynamic mac-address entries: 2
The following is sample output from the show bridge-group command with IPv4 and IPv6 addresses:
ciscoasa# show bridge-group 1
Interfaces: GigabitEthernet0/0.101, GigabitEthernet0/0.201
Management System IP Address: 10.0.1.1 255.255.255.0
Management Current IP Address: 10.0.1.1 255.255.255.0
Management IPv6 Global Unicast Address(es):
2000:100::1, subnet is 2000:100::/64
2000:101::1, subnet is 2000:101::/64
2000:102::1, subnet is 2000:102::/64
Static mac-address entries: 0
Dynamic mac-address entries: 2
Cisco ASA Series Command Reference, S Commands
4-92
Chapter
Related Commands
Command                              Description
bridge-group                         Groups transparent firewall interfaces into a bridge group.
clear configure interface bvi        Clears the bridge group interface configuration.
interface                            Configures an interface.
interface bvi                        Creates a bridge virtual interface.
ip address                           Sets the management IP address for a bridge group.
show running-config interface bvi    Shows the bridge group interface configuration.
show call-home
To display the configured Call Home information, use the show call-home command in privileged
EXEC mode.
[cluster exec] show call-home [alert-group | detail | events | mail-server status | profile {profile_name | all} | statistics]
Syntax Description
alert-group                      (Optional) Displays the available alert groups.
cluster exec                     (Optional) In a clustering environment, enables you to issue the show call-home command in one unit and run the command in all the other units at the same time.
detail                           (Optional) Displays the Call Home configuration in detail.
events                           (Optional) Displays the currently detected events.
mail-server status               (Optional) Displays the Call Home mail server status information.
profile {profile_name | all}     (Optional) Displays configuration information for the named profile, or for all existing profiles.
statistics                       (Optional) Displays the Call Home statistics.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                     Firewall Mode            Security Context
Command Mode         Routed    Transparent    Single    Multiple Context    System
Privileged EXEC      • Yes     • Yes          • Yes     —                   • Yes

Command History
Release    Modification
8.2(2)     This command was added.
9.1(3)     A new type of Smart Call Home message was added that includes the output of the show cluster history and show cluster info commands.
Examples
The following is sample output from the show call-home command and displays the configured Call
Home settings:
ciscoasa# show call-home
Current Smart Call-Home settings:
Smart Call-Home feature : enable
Smart Call-Home message's from address: [email protected]
Smart Call-Home message's reply-to address: [email protected]
contact person's email address: [email protected]
contact person's phone: 111-222-3333
street address: 1234 Any Street, Any city, Any state, 12345
customer ID: ExampleCorp
contract ID: X123456789
site ID: SantaClara
Mail-server[1]: Address: smtp.example.com Priority: 1
Mail-server[2]: Address: 192.168.0.1 Priority: 10
Rate-limit: 60 message(s) per minute
Available alert groups:
Keyword                  State
------------------------ ------
Syslog                   Enable
diagnostic               Enable
environmental            Enable
inventory                Enable
configuration            Enable
firewall                 Enable
troubleshooting          Enable
report                   Enable
Profiles:
Profile Name: CiscoTAC-1
Profile Name: prof1
Profile Name: prof2
The following is sample output from the show call-home detail command and displays detailed Call
Home configuration information:
ciscoasa# show call-home detail
Description: Show smart call-home configuration in detail.
Supported Modes: single mode and system context in multi mode, routed/transparent.
Output:
Current Smart Call-Home settings:
Smart Call-Home feature: enable
Smart Call-Home message's from address: [email protected]
Smart Call-Home message's reply-to address: [email protected]
contact person's email address: [email protected]
contact person's phone: 111-222-3333
street address: 1234 Any Street, Any city, Any state, 12345
customer ID: 111111
contract ID: 123123
site ID: SantaClara
Mail-server[1]: Address: example.example.com Priority: 1
Mail-server[2]: Address: example.example.com Priority: 10
Rate-limit: 60 message(s) per minute
Available alert groups:
Keyword                  State
------------------------ ------
syslog                   Enable
diagnostic               Enable
environmental            Enable
inventory                Enable
configuration            Enable
firewall                 Enable
troubleshooting          Enable
report                   Enable
Profiles:
Profile Name: CiscoTAC-1
Profile status: ACTIVE Preferred Message Format: xml
Message Size Limit: 3145728 Bytes
Email address(es): [email protected]
HTTP address(es): https://tools.cisco.com/its/service/oddce/services/DDCEService
Periodic inventory message is scheduled monthly at 01:00
Alert-group              Severity
------------------------ ------------
inventory                n/a
Profile Name: prof1
Profile status: ACTIVE Preferred Message Format: xml
Message Size Limit: 3145728 Bytes
Email address(es): [email protected]
HTTP address(es): https://kafan-lnx-01.cisco.com:8443/sch/sch.jsp
Periodic configuration message is scheduled daily at 01:00
Periodic inventory message is scheduled every 60 minutes
Alert-group              Severity
------------------------ ------------
configuration            n/a
inventory                n/a
Profile Name: prof2
Profile status: ACTIVE Preferred Message Format: short-text
Message Size Limit: 1048576 Bytes
Email address(es): [email protected]
HTTP address(es): https://example.example.com:8443/sch/sch.jsp
Periodic configuration message is scheduled every 1 minutes
Periodic inventory message is scheduled every 1 minutes
Alert-group              Severity
------------------------ ------------
configuration            n/a
inventory                n/a
The following is sample output from the show call-home events command and displays available Call
Home events:
ciscoasa# show call-home events
Description: Show current detected events.
Supported Modes: single mode and system context in multi mode, routed/transparent.
Output:
Active event list:
Event client               alert-group       severity    active (sec)
--------------------------------------------------------------------
Configuration Client       configuration     none        5
Inventory                  inventory         none        15
The following is sample output from the show call-home mail-server status command and displays
available Call Home mail-server status:
ciscoasa# show call-home mail-server status
Description: Show smart call-home configuration, status, and statistics.
Supported Modes: single mode and system context in multi mode, routed/transparent.
Output:
Mail-server[1]: Address: example.example.com Priority: 1 [Available]
Mail-server[2]: Address: example.example.com Priority: 10 [Not Available]
The following is sample output from the show call-home alert-group command and displays the
available alert groups:
ciscoasa# show call-home alert-group
Description: Show smart call-home alert-group states.
Supported Modes: single mode and system context in multi mode, routed/transparent.
Output:
Available alert groups:
Keyword                  State
------------------------ ------
syslog                   Enable
diagnostic               Enable
environmental            Enable
inventory                Enable
configuration            Enable
firewall                 Enable
troubleshooting          Enable
report                   Enable
The following is sample output from the show call-home profile {profile_name | all} command and displays information for all predefined and user-defined profiles:
ciscoasa# show call-home profile {profile_name | all}
Description: Show smart call-home profile configuration.
Supported Modes: single mode and system context in multi mode, routed/transparent.
Output:
Profiles:
Profile Name: CiscoTAC-1
Profile status: ACTIVE Preferred Message Format: xml
Message Size Limit: 3145728 Bytes
Email address(es): [email protected]
HTTP address(es): https://tools.cisco.com/its/service/oddce/services/DDCEService
Periodic inventory message is scheduled monthly at 01:00
Alert-group              Severity
------------------------ ------------
inventory                n/a
Profile Name: prof1
Profile status: ACTIVE Preferred Message Format: xml
Message Size Limit: 3145728 Bytes
Email address(es): [email protected]
HTTP address(es): https://example.example.com:8443/sch/sch.jsp
Periodic configuration message is scheduled daily at 01:00
Periodic inventory message is scheduled every 60 minutes
Alert-group              Severity
------------------------ ------------
configuration            n/a
inventory                n/a
Profile Name: prof2
Profile status: ACTIVE Preferred Message Format: short-text
Message Size Limit: 1048576 Bytes
Email address(es): [email protected]
HTTP address(es): https://example.example.com:8443/sch/sch.jsp
Periodic configuration message is scheduled every 1 minutes
Periodic inventory message is scheduled every 1 minutes
Alert-group              Severity
------------------------ ------------
configuration            n/a
inventory                n/a
The following is sample output from the show call-home statistics command and displays the call-home
statistics:
ciscoasa# show call-home statistics
Description: Show smart call-home statistics.
Supported Modes: single mode and system context in multi mode, routed/transparent.
Output:
Message Types        Total            Email            HTTP
-------------------- ---------------- ---------------- ----------------
Total Success        0                0                0
Total In-Queue       0                0                0
Total Dropped        5                4                1
  Tx Failed          5                4                1
    inventory        3                2                1
    configuration    2                2                0

Event Types          Total
-------------------- ----------------
Total Detected       2
  inventory          1
  configuration      1
Total In-Queue       0
Total Dropped        0
Last call-home message sent time: 2009-06-17 14:22:09 GMT-07:00
The following is sample output from the cluster exec show call-home statistics command and displays
call-home statistics for a cluster:
ciscoasa(config)# cluster exec show call-home statistics
A(LOCAL):*************************************************************
Message Types                       Total            Email            HTTP
----------------------------------- ---------------- ---------------- ----------------
Total Success                       3                3                0
  test                              3                3                0
Total In-Delivering                 0                0                0
Total In-Queue                      0                0                0
Total Dropped                       8                8                0
  Tx Failed                         8                8                0
    configuration                   2                2                0
    test                            6                6                0

Event Types                         Total
----------------------------------- ----------------
Total Detected                      10
  configuration                     1
  test                              9
Total In-Processing                 0
Total In-Queue                      0
Total Dropped                       0
Last call-home message sent time: 2013-04-15 05:37:16 GMT+00:00
B:********************************************************************
Message Types                       Total            Email            HTTP
----------------------------------- ---------------- ---------------- ----------------
Total Success                       1                1                0
  test                              1                1                0
Total In-Delivering                 0                0                0
Total In-Queue                      0                0                0
Total Dropped                       2                2                0
  Tx Failed                         2                2                0
    configuration                   2                2                0

Event Types                         Total
----------------------------------- ----------------
Total Detected                      2
  configuration                     1
  test                              1
Total In-Processing                 0
Total In-Queue                      0
Total Dropped                       0
Last call-home message sent time: 2013-04-15 05:36:16 GMT+00:00
C:********************************************************************
Message Types                       Total            Email            HTTP
----------------------------------- ---------------- ---------------- ----------------
Total Success                       0                0                0
Total In-Delivering                 0                0                0
Total In-Queue                      0                0                0
Total Dropped                       2                2                0
  Tx Failed                         2                2                0
    configuration                   2                2                0

Event Types                         Total
----------------------------------- ----------------
Total Detected                      1
  configuration                     1
Total In-Processing                 0
Total In-Queue                      0
Total Dropped                       0
Last call-home message sent time: n/a
D:********************************************************************
Message Types                       Total            Email            HTTP
----------------------------------- ---------------- ---------------- ----------------
Total Success                       1                1                0
  test                              1                1                0
Total In-Delivering                 0                0                0
Total In-Queue                      0                0                0
Total Dropped                       2                2                0
  Tx Failed                         2                2                0
    configuration                   2                2                0

Event Types                         Total
----------------------------------- ----------------
Total Detected                      2
  configuration                     1
  test                              1
Total In-Processing                 0
Total In-Queue                      0
Total Dropped                       0
Last call-home message sent time: 2013-04-15 05:35:34 GMT+00:00
ciscoasa(config)#
Related Commands
Command
Description
call-home
Enters call home configuration mode.
call-home send alert-group
Sends a specific alert group message.
service call-home
Enables or disables Call Home.
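The profile listing above is where a Call Home misconfiguration, or tampering, becomes visible: every ACTIVE profile pushes the alert groups it subscribes to, including the running configuration and the inventory, to the e-mail and HTTP destinations it lists. The following Python script is an added example, not Cisco code and not output from this reference. It parses the Profiles section of show call-home detail in the layout shown above and reports active profiles whose destinations are outside an allowlist. The profile names, addresses, the ALLOWED_HOSTS set and all function names are constructed for the example; in practice you would feed it output saved from the device.

```python
"""Audit Smart Call Home destinations from `show call-home detail` output.

Added example, not Cisco code. It parses the Profiles section in the layout
shown in the command reference and reports ACTIVE profiles that send to
e-mail domains or HTTP hosts outside an allowlist. Profile names, addresses
and the allowlist below are constructed for the example.
"""
import re
from urllib.parse import urlsplit

# Constructed sample in the layout of the show call-home detail output.
SAMPLE_OUTPUT = """\
Profiles:
Profile Name: CiscoTAC-1
Profile status: ACTIVE Preferred Message Format: xml
Message Size Limit: 3145728 Bytes
Email address(es): callhome@cisco.com
HTTP address(es): https://tools.cisco.com/its/service/oddce/services/DDCEService
Periodic inventory message is scheduled monthly at 01:00
Alert-group              Severity
------------------------ ------------
inventory                n/a
Profile Name: prof1
Profile status: ACTIVE Preferred Message Format: xml
Message Size Limit: 3145728 Bytes
Email address(es): noc@example.com, soc@example.com
HTTP address(es): https://example.example.com:8443/sch/sch.jsp
Periodic configuration message is scheduled daily at 01:00
Alert-group              Severity
------------------------ ------------
configuration            n/a
Profile Name: prof2
Profile status: ACTIVE Preferred Message Format: short-text
Message Size Limit: 1048576 Bytes
Email address(es): collector@attacker.example.net
HTTP address(es): https://203.0.113.9:8443/sch/sch.jsp
Periodic configuration message is scheduled every 1 minutes
Alert-group              Severity
------------------------ ------------
configuration            n/a
"""

# Hosts this organisation expects Call Home to talk to (constructed allowlist).
ALLOWED_HOSTS = {"tools.cisco.com", "cisco.com", "example.com", "example.example.com"}

PROFILE_RE = re.compile(r"^Profile Name: (?P<name>\S+)\s*$", re.MULTILINE)
STATUS_RE = re.compile(r"Profile status: (?P<status>\S+)\s+Preferred Message Format: (?P<fmt>\S+)")
EMAIL_RE = re.compile(r"^Email address\(es\): (?P<v>.*)$", re.MULTILINE)
HTTP_RE = re.compile(r"^HTTP address\(es\): (?P<v>.*)$", re.MULTILINE)


def _csv(field):
    """Split a comma-separated address list into clean items."""
    return [x.strip() for x in field.split(",") if x.strip()]


def parse_profiles(text):
    """Return one dict per destination profile: name, status, format, emails, http, groups."""
    heads = list(PROFILE_RE.finditer(text))
    profiles = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        block = text[head.start():end]
        status = STATUS_RE.search(block)
        email = EMAIL_RE.search(block)
        http = HTTP_RE.search(block)
        # Alert-group rows follow the dashed separator, one "group severity" pair per line.
        groups, after_sep = [], False
        for line in block.splitlines():
            if line.startswith("----"):
                after_sep = True
            elif after_sep and len(line.split()) == 2:
                groups.append(line.split()[0])
        profiles.append({
            "name": head["name"],
            "status": status["status"] if status else None,
            "format": status["fmt"] if status else None,
            "emails": _csv(email["v"]) if email else [],
            "http": _csv(http["v"]) if http else [],
            "groups": groups,
        })
    return profiles


def destinations(profile):
    """Yield (kind, host) for every e-mail domain and HTTP host the profile sends to."""
    for addr in profile["emails"]:
        yield "email", addr.rpartition("@")[2].lower()
    for url in profile["http"]:
        yield "http", (urlsplit(url).hostname or "").lower()


def audit_profiles(profiles, allowed_hosts):
    """Findings for ACTIVE profiles whose destinations are not in the allowlist.

    Call Home can ship the running configuration and inventory off the device,
    so an unexpected destination is an exfiltration path, not a tuning issue.
    """
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for p in profiles:
        if p["status"] != "ACTIVE":
            continue
        for kind, host in destinations(p):
            if host not in allowed:
                findings.append({"profile": p["name"], "kind": kind,
                                 "host": host, "groups": p["groups"]})
    return findings


if __name__ == "__main__":
    for f in audit_profiles(parse_profiles(SAMPLE_OUTPUT), ALLOWED_HOSTS):
        print(f"{f['profile']}: {f['kind']} destination {f['host']} not allowlisted "
              f"(subscribed alert groups: {', '.join(f['groups']) or 'none'})")
```

Run it against output collected over the management channel, together with show running-config call-home, so that a profile added outside change control is caught before its next periodic configuration message goes out.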
show call-home registered-module status
To display the registered module status, use the show call-home registered-module status command in
privileged EXEC mode.
show call-home registered-module status [all]
Note
The [all] option is only valid in system context mode.
Syntax Description
all    Displays module status based on the device, not per context. In multiple context mode, if a module is enabled in at least one context, it is displayed as enabled when the all option is included.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                     Firewall Mode            Security Context
Command Mode         Routed    Transparent    Single    Multiple Context    System
Privileged EXEC      • Yes     • Yes          • Yes     —                   • Yes

Command History
Release    Modification
8.2(2)     This command was added.
Examples
The following example displays the show call-home registered-module status all output:
ciscoasa# show call-home registered-module status all
Module Name                              Status
---------------------------------------- --------------------
Smart Call-Home                          enabled
Failover                                 Standby/Active
Related Commands
Command
Description
call-home
Enters call-home configuration mode.
call-home send alert-group
Sends a specific alert group message.
service call-home
Enables or disables Call Home.
show capture
To display the capture configuration when no options are specified, or the contents of a capture buffer when a capture name is given, use the show capture command in privileged EXEC mode.
[cluster exec] show capture [capture_name] [access-list access_list_name] [count number] [decode] [detail] [dump] [packet-number number]
Syntax Description
access-list access_list_name    (Optional) Displays information for packets that are based on IP or higher fields for the specified access list.
capture_name                    (Optional) Specifies the name of the packet capture.
cluster exec                    (Optional) In a clustering environment, enables you to issue the show capture command in one unit and run the command in all the other units at the same time.
count number                    (Optional) Displays only the specified number of packets.
decode                          (Optional) Useful when a capture of type isakmp is applied to an interface. All ISAKMP data flowing through that interface is captured after decryption and shown with more information after decoding the fields.
detail                          (Optional) Displays additional protocol information for each packet.
dump                            (Optional) Displays a hexadecimal dump of the packets that are transported over the data link.
packet-number number            (Optional) Starts the display at the specified packet number.
Defaults
This command has no default settings.
Command Modes
The following table shows the modes in which you can enter the command:

                     Firewall Mode            Security Context
Command Mode         Routed    Transparent    Single    Multiple Context    System
Privileged EXEC      • Yes     • Yes          • Yes     • Yes               • Yes

Command History
Release    Modification
7.0(1)     This command was added.
8.4(2)     Detailed information in the output for IDS was added.
9.0(1)     The cluster exec option was added.
9.2(1)     The vpn-user domain name was changed to filter-aaa in the output.
9.3(1)     Output for SGT plus Ethernet Tagging was added.
Usage Guidelines
If you specify the capture_name, then the capture buffer contents for that capture are displayed.
The dump keyword does not display MAC information in the hexadecimal dump.
The decoded output of the packets depends on the protocol of the packet. In Table 4-29, the bracketed output is displayed when you specify the detail keyword.
Table 4-29    Packet Capture Output Formats
Packet Type    Capture Output Format
802.1Q         HH:MM:SS.ms [ether-hdr] VLAN-info encap-ether-packet
ARP            HH:MM:SS.ms [ether-hdr] arp-type arp-info
IP/ICMP        HH:MM:SS.ms [ether-hdr] ip-source > ip-destination: icmp: icmp-type icmp-code [checksum-failure]
IP/UDP         HH:MM:SS.ms [ether-hdr] src-addr.src-port dest-addr.dst-port: [checksum-info] udp payload-len
IP/TCP         HH:MM:SS.ms [ether-hdr] src-addr.src-port dest-addr.dst-port: tcp-flags [header-check] [checksum-info] sequence-number ack-number tcp-window urgent-info tcp-options
IP/Other       HH:MM:SS.ms [ether-hdr] src-addr dest-addr: ip-protocol ip-length
Other          HH:MM:SS.ms ether-hdr: hex-dump
If the ASA receives packets with an incorrectly formatted TCP header and drops them because of the
ASP drop reason invalid-tcp-hdr-length, the show capture command output on the interface where those
packets are received does not show those packets.
Examples
This example shows how to display the capture configuration:
ciscoasa(config)# show capture
capture arp ethernet-type arp interface outside
capture http access-list http packet-length 74 interface inside
This example shows how to display the packets that are captured by an ARP capture:
ciscoasa(config)# show capture arp
2 packets captured
19:12:23.478429 arp who-has 171.69.38.89 tell 171.69.38.10
19:12:26.784294 arp who-has 171.69.38.89 tell 171.69.38.10
2 packets shown
The following example shows how to display the packets that are captured on a single unit in a clustering
environment:
ciscoasa(config)# show capture
capture 1 type raw-data interface primary [Buffer Full - 524187 bytes]
capture 2 type raw-data interface cluster [Capturing - 232354 bytes]
The following example shows how to display the packets that are captured on all units in a clustering environment:
ciscoasa(config)# cluster exec show capture
mycapture (LOCAL):----------------------------------------------------------
capture 1 type raw-data interface primary [Buffer Full - 524187 bytes]
capture 2 type raw-data interface cluster [Capturing - 232354 bytes]
yourcapture:---------------------------------------------------------------
capture 1 type raw-data interface primary [Capturing - 191484 bytes]
capture 2 type raw-data interface cluster [Capturing - 532354 bytes]
The following example shows the packets that are captured on the cluster control link in a clustering
environment after the following commands are entered:
ciscoasa(config)# capture a interface cluster
ciscoasa(config)# capture cp interface cluster match udp any eq 49495 any
ciscoasa(config)# capture cp interface cluster match udp any any eq 49495
ciscoasa(config)# access-list cc1 extended permit udp any any eq 4193
ciscoasa(config)# access-list cc1 extended permit udp any eq 4193 any
ciscoasa(config)# capture dp interface cluster access-list cc1
ciscoasa(config)# capture lacp type lacp interface gigabitEthernet 0/0
ciscoasa(config)# show capture
capture a type raw-data interface cluster [Capturing - 970 bytes]
capture cp type raw-data interface cluster [Capturing - 26236 bytes]
match udp any eq 49495 any
capture dp type raw-data access-list cc1 interface cluster [Capturing - 4545230 bytes]
capture lacp type lacp interface gigabitEthernet0/0 [Capturing - 140 bytes]
The following example shows the packets that are captured when SGT plus Ethernet tagging has been
enabled on an interface:
ciscoasa(config)# show capture my-inside-capture
1: 11:34:42.931012 INLINE-TAG 36 10.0.101.22 > 11.0.101.100: icmp: echo request
2: 11:34:42.931470 INLINE-TAG 48 11.0.101.100 > 10.0.101.22: icmp: echo reply
3: 11:34:43.932553 INLINE-TAG 36 10.0.101.22 > 11.0.101.100: icmp: echo request
4: 11:34:43.933164 INLINE-TAG 48 11.0.101.100 > 10.0.101.22: icmp: echo reply
When SGT plus Ethernet tagging has been enabled on an interface, the interface can still receive tagged or untagged packets. The example shown is for tagged packets, which carry an INLINE-TAG value (36 or 48 here) in the output. When the same interface receives untagged packets, the output is otherwise unchanged, but no INLINE-TAG entry is included.
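The formats in Table 4-29 and the INLINE-TAG example above are regular enough to parse, which matters when a capture has to be reviewed by a script rather than by eye, for instance to find packets that arrived untagged on an interface where SGT plus Ethernet tagging is enabled. The following Python parser is an added example, not Cisco code. It turns show capture lines into records using the ARP, ICMP, TCP and UDP formats above, counts packets per protocol and per tag state, and lists the IP packets that carried no INLINE-TAG. The ARP and INLINE-TAG lines in SAMPLE_CAPTURE are this page's own samples; the untagged ICMP, TCP and UDP lines and every function name are constructed for the example.

```python
"""Parse `show capture` text output into structured records.

Added example, not Cisco code. It follows the line formats in Table 4-29 and
the ARP and INLINE-TAG samples from the command reference; the TCP and UDP
lines in SAMPLE_CAPTURE and all helper names are constructed for this example.
"""
import re
from collections import Counter

# Constructed sample: the ARP line and the two INLINE-TAG ICMP lines copy the
# reference's examples, the remaining lines are made up in Table 4-29 formats.
SAMPLE_CAPTURE = """\
6 packets captured
19:12:23.478429 arp who-has 171.69.38.89 tell 171.69.38.10
1: 11:34:42.931012 INLINE-TAG 36 10.0.101.22 > 11.0.101.100: icmp: echo request
2: 11:34:42.931470 INLINE-TAG 48 11.0.101.100 > 10.0.101.22: icmp: echo reply
3: 11:34:43.101200 10.0.101.22 > 11.0.101.100: icmp: echo request
4: 11:34:44.000100 10.0.101.22.51234 > 198.51.100.7.443: S 1000:1000(0) win 29200 <mss 1460>
5: 11:34:44.000900 10.0.101.22.53124 > 10.0.101.53.53: udp 41
6 packets shown
"""

# Optional "N:" index, timestamp, optional SGT inline tag, then the protocol-specific part.
PREFIX_RE = re.compile(
    r"^\s*(?:(?P<idx>\d+):\s+)?(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:INLINE-TAG\s+(?P<sgt>\d+)\s+)?(?P<rest>.+)$"
)
ARP_RE = re.compile(r"^arp (?P<op>who-has|reply) (?P<a>\S+) (?:tell|is-at) (?P<b>\S+)")
IP_RE = re.compile(
    r"^(?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?: (?P<body>.*)$"
)
TCP_RE = re.compile(
    r"^(?P<flags>[SFRPU.]+)\s+(?:(?P<seq>\d+):\d+\((?P<len>\d+)\))?"
    r"(?:\s*ack (?P<ack>\d+))?(?:\s*win (?P<win>\d+))?"
)


def parse_line(line):
    """Return a packet record for one capture line, or None for non-packet lines."""
    m = PREFIX_RE.match(line)
    if not m:
        return None                               # e.g. "2 packets captured"
    rec = {"idx": int(m["idx"]) if m["idx"] else None, "time": m["time"],
           "sgt": int(m["sgt"]) if m["sgt"] else None, "proto": "other",
           "src": None, "sport": None, "dst": None, "dport": None, "info": m["rest"]}
    arp = ARP_RE.match(m["rest"])
    if arp:
        rec["proto"] = "arp"
        if arp["op"] == "who-has":                # "arp who-has <target> tell <sender>"
            rec["src"], rec["dst"] = arp["b"], arp["a"]
        else:                                     # "arp reply <sender> is-at <mac>"
            rec["src"] = arp["a"]
        return rec
    ip = IP_RE.match(m["rest"])
    if not ip:
        return rec                                # 802.1Q / Other: keep the raw text
    rec.update(src=ip["src"], dst=ip["dst"],
               sport=int(ip["sport"]) if ip["sport"] else None,
               dport=int(ip["dport"]) if ip["dport"] else None)
    body = ip["body"]
    if body.startswith("icmp:"):
        rec["proto"], rec["info"] = "icmp", body[5:].strip()
    elif body.startswith("udp"):
        rec["proto"], rec["info"] = "udp", body
    else:
        tcp = TCP_RE.match(body)
        if tcp:
            rec["proto"], rec["info"], rec["flags"] = "tcp", body, tcp["flags"]
            rec["win"] = int(tcp["win"]) if tcp["win"] else None
        else:
            rec["proto"], rec["info"] = "ip", body
    return rec


def parse_capture(text):
    """Parse every packet line in a show capture <name> dump."""
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def summarize(packets):
    """Count packets per protocol and per SGT tag state (tagged vs untagged)."""
    return {"by_proto": dict(Counter(p["proto"] for p in packets)),
            "tagged": sum(1 for p in packets if p["sgt"] is not None),
            "untagged": sum(1 for p in packets if p["sgt"] is None)}


def untagged_ip_packets(packets):
    """IP packets seen without an INLINE-TAG on an interface where SGT tagging is
    enabled. These carry no security group, so policy keyed on SGT cannot apply."""
    return [p for p in packets if p["proto"] in ("icmp", "tcp", "udp", "ip") and p["sgt"] is None]


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    print(summarize(pkts))
    for p in untagged_ip_packets(pkts):
        print(f"untagged #{p['idx']} {p['proto']} {p['src']} -> {p['dst']} {p['info']}")
```

The parser keeps unrecognised lines as proto "other" with the raw text in info rather than dropping them, so a format the regexes do not cover (802.1Q, ISAKMP decode output, a detail-mode ether-hdr) is still visible in the result.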
Related Commands
Command
Description
capture
Enables packet capture capabilities for packet sniffing and network fault
isolation.
clear capture
Clears the capture buffer.
copy capture
Copies a capture file to a server.
show chardrop
To display the count of characters dropped from the serial console, use the show chardrop command in
privileged EXEC mode.
show chardrop
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                     Firewall Mode            Security Context
Command Mode         Routed    Transparent    Single    Multiple Context    System
Privileged EXEC      • Yes     • Yes          • Yes     • Yes               • Yes

Command History
Release    Modification
7.2(1)     This command was added.
Examples
The following is sample output from the show chardrop command:
ciscoasa# show chardrop
Chars dropped pre-TxTimeouts: 0, post-TxTimeouts: 0
Related Commands
Command
Description
show running-config
Shows the current operating configuration.
show checkheaps
To show the checkheaps statistics, use the show checkheaps command in privileged EXEC mode.
Checkheaps is a periodic process that verifies the sanity of the heap memory buffers (dynamic memory
is allocated from the system heap memory region) and the integrity of the code region.
show checkheaps
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                     Firewall Mode            Security Context
Command Mode         Routed    Transparent    Single    Multiple Context    System
Privileged EXEC      • Yes     • Yes          • Yes     —                   • Yes

Command History
Release    Modification
7.0(1)     This command was added.
Examples
The following is sample output from the show checkheaps command:
ciscoasa# show checkheaps
Checkheaps stats from buffer validation runs
--------------------------------------------
Time elapsed since last run    : 42 secs
Duration of last run           : 0 millisecs
Number of buffers created      : 8082
Number of buffers allocated    : 7808
Number of buffers free         : 274
Total memory in use            : 43570344 bytes
Total memory in free buffers   : 87000 bytes
Total number of runs           : 310
Related Commands
Command       Description
checkheaps    Sets the checkheaps verification intervals.
show checksum
To display the configuration checksum, use the show checksum command in privileged EXEC mode.
show checksum
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
The following table shows the modes in which you can enter the command:

                     Firewall Mode            Security Context
Command Mode         Routed    Transparent    Single    Multiple Context    System
Privileged EXEC      • Yes     • Yes          • Yes     • Yes               —

Command History
Release    Modification
7.2(1)     This command was added.
Usage Guidelines
The show checksum command allows you to display four groups of hexadecimal numbers that act as a
digital summary of the configuration contents. This checksum is calculated only when you store the
configuration in flash memory.
If a dot (“.”) appears before the checksum in the show config or show checksum command output, the
output indicates a normal configuration load or write mode indicator (when loading from or writing to
the ASA flash partition). The “.” shows that the ASA is preoccupied with the operation but is not “hung
up.” This message is similar to a “system processing, please wait” message.
Examples
This example shows how to display the configuration checksum:
ciscoasa(config)# show checksum
Cryptochecksum: 1a2833c0 129ac70b 1a88df85 650dbb81
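Because the Cryptochecksum changes whenever a configuration is written to flash, a record of each device's value is a cheap configuration-integrity baseline. The following Python script is an added example, not Cisco code. It parses the Cryptochecksum line in the format shown above, treats a leading "." as a load or write in progress rather than as a changed value, and compares each device against a stored baseline. Device names, baseline values and the captured outputs are constructed. Note what the check cannot see: the checksum is calculated only when the configuration is stored in flash, so an unsaved change to the running configuration leaves it unchanged, and a drift result says that the stored configuration changed, not what changed; follow it with a diff of the saved configuration.

```python
"""Detect stored-configuration drift from `show checksum` output.

Added example, not Cisco code. The Cryptochecksum line is parsed as shown in
the command reference, including the leading "." that marks a flash load or
write in progress. Device names, baseline values and outputs are constructed.
"""
import re

# Four 8-digit hex groups, optionally preceded by the "." busy indicator.
CHECKSUM_RE = re.compile(
    r"^(?P<busy>\.)?\s*Cryptochecksum:\s*"
    r"(?P<value>[0-9a-fA-F]{8}(?:\s+[0-9a-fA-F]{8}){3})\s*$",
    re.MULTILINE,
)


def parse_checksum(output):
    """Return (checksum, busy) from the text of `show checksum`.

    checksum is normalised to lower case with single spaces. busy is True when
    the line carried the leading ".", meaning the ASA was loading from or
    writing to flash; re-read the value before trusting it in that case.
    Raises ValueError when no Cryptochecksum line is present.
    """
    m = CHECKSUM_RE.search(output)
    if m is None:
        raise ValueError("no Cryptochecksum line in output")
    return " ".join(m["value"].lower().split()), m["busy"] is not None


def check_baseline(outputs, baseline):
    """Compare per-device `show checksum` output against known-good values.

    outputs:  {device: raw show checksum text}
    baseline: {device: expected checksum string}
    Returns {device: "match" | "drift" | "busy" | "unbaselined" | "unparsable"}.
    """
    result = {}
    for device, text in outputs.items():
        try:
            value, busy = parse_checksum(text)
        except ValueError:
            result[device] = "unparsable"
            continue
        if busy:
            result[device] = "busy"            # flash operation in progress; query again later
        elif device not in baseline:
            result[device] = "unbaselined"     # new device: record the value after review
        elif value == " ".join(baseline[device].lower().split()):
            result[device] = "match"
        else:
            result[device] = "drift"           # stored configuration changed since baseline
    return result


# Constructed sample data: one matching device, one drifted, one mid-write,
# one not yet baselined.
BASELINE = {
    "fw-edge-1": "1a2833c0 129ac70b 1a88df85 650dbb81",
    "fw-edge-2": "7d0c44a1 0f3e9b2c 5a61e8d0 9b7c2f13",
}
OUTPUTS = {
    "fw-edge-1": "ciscoasa# show checksum\nCryptochecksum: 1a2833c0 129ac70b 1a88df85 650dbb81\n",
    "fw-edge-2": "ciscoasa# show checksum\nCryptochecksum: 7d0c44a1 0f3e9b2c 5a61e8d0 00000000\n",
    "fw-dc-1": "ciscoasa# show checksum\n.Cryptochecksum: 3c9f1b77 e2a04d58 6b1d9e02 4f8a7c61\n",
    "fw-lab-1": "ciscoasa# show checksum\nCryptochecksum: 9e41aa20 77c1b3d5 0d2e6f98 b5a3c0e7\n",
}

if __name__ == "__main__":
    for device, status in sorted(check_baseline(OUTPUTS, BASELINE).items()):
        print(f"{device:10s} {status}")
```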
show chunkstat
To display the chunk statistics, use the show chunkstat command in privileged EXEC mode.
show chunkstat
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                     Firewall Mode            Security Context
Command Mode         Routed    Transparent    Single    Multiple Context    System
Privileged EXEC      • Yes     • Yes          • Yes     —                   • Yes

Command History
Release    Modification
7.0(1)     This command was added.
Examples
This example shows how to display the chunk statistics:
ciscoasa# show chunkstat
Global chunk statistics: created 181, destroyed 34, siblings created 94, siblings
destroyed 34
Per-chunk statistics: siblings created 0, siblings trimmed 0
Dump of chunk at 01edb4cc, name "Managed Chunk Queue Elements", data start @ 01edbd24, end
@ 01eddc54
next: 01eddc8c, next_sibling: 00000000, prev_sibling: 00000000
flags 00000001
maximum chunk elt's: 499, elt size: 16, index first free 498
# chunks in use: 1, HWM of total used: 1, alignment: 0
Per-chunk statistics: siblings created 0, siblings trimmed 0
Dump of chunk at 01eddc8c, name "Registry Function List", data start @ 01eddea4, end @
01ede348
next: 01ede37c, next_sibling: 00000000, prev_sibling: 00000000
flags 00000001
maximum chunk elt's: 99, elt size: 12, index first free 42
# chunks in use: 57, HWM of total used: 57, alignment: 0
Related Commands
Command
Description
show counters
Displays the protocol stack counters.
show cpu
Displays the CPU utilization information.
show class
To show the contexts assigned to a class, use the show class command in privileged EXEC mode.
show class name
Syntax Description
name    Specifies the name as a string up to 20 characters long. To show the default class, enter default for the name.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                     Firewall Mode            Security Context
Command Mode         Routed    Transparent    Single    Multiple Context    System
Privileged EXEC      • Yes     • Yes          —         —                   • Yes

Command History
Release    Modification
7.2(1)     This command was added.
Examples
The following is sample output from the show class default command:
ciscoasa# show class default
Class Name    Members    ID    Flags
default       All        1     0001
Related Commands
Command
Description
class
Configures a resource class.
clear configure class
Clears the class configuration.
context
Configures a security context.
limit-resource
Sets the resource limit for a class.
member
Assigns a context to a resource class.
show clns
To show Connectionless-mode Network Service (CLNS) information for IS-IS, use the show clns
command in privileged EXEC mode.
show clns {filter-set | interface [interface_name] | is-neighbors [interface_name] [detail] |
neighbors [areas] [interface_name] [detail] | protocol [domain] | traffic [since {bootup |
show}]}
Syntax Description
areas
(Optional) Shows CLNS multiarea adjacencies.
bootup
Shows CLNS protocol statistics since bootup.
detail
(Optional) Shows the areas associated with the intermediate systems.
Otherwise, a summary display is provided.
domain
(Optional) Shows routing protocol process information for a CLNS domain.
filter-set
Shows CLNS filter sets.
interface
Shows CLNS interface status and configuration.
interface_name
(Optional) Specifies the interface name.
is-neighbors
Shows IS neighbor adjacencies. Neighbor entries are sorted according to the
area in which they are located.
neighbors
Displays end system (ES), intermediate system (IS), and multitopology
Integrated Intermediate System-to-Intermediate System (M-ISIS) neighbors
protocol
Shows CLNS routing protocol process information. There will always be at
least two routing processes, a Level 1 and a Level 2, and there can be more.
show
Shows CLNS protocol statistics since the last time you used this show
command.
since
(Optional) Shows CLNS protocol statistics since either bootup or the last
time you used this show command.
traffic
Lists the CLNS packets that this router has seen.
Command Default
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                     Firewall Mode            Security Context
Command Mode         Routed    Transparent    Single    Multiple Context    System
Privileged EXEC      • Yes     —              • Yes     • Yes               —

Command History
Release    Modification
9.6(1)     We introduced this command.
Usage Guidelines
This command shows CLNS information for IS-IS.
Examples
The following display assumes filter sets have been defined with the following commands:
ciscoasa(config)# clns filter-set US-OR-NORDUNET 47.0005...
ciscoasa(config)# clns filter-set US-OR-NORDUNET 47.0023...
ciscoasa(config)# clns filter-set LOCAL 49.0003...
The following is a sample output from the show clns filter-set command:
ciscoasa# show clns filter-set
CLNS filter set US-OR-NORDUNET
permit 47.0005...
permit 47.0023...
CLNS filter set LOCAL
permit 49.0003...
The following is sample output from the show clns interface command:
ciscoasa# show clns interface
GigabitEthernet0/1 is up, line protocol is up
Checksums enabled, MTU 1500
ERPDUs enabled, min. interval 10 msec.
DEC compatibility mode OFF for this interface
Next ESH/ISH in 0 seconds
Routing Protocol: IS-IS
Circuit Type: level-1-2
Interface number 0x0, local circuit ID 0x1
Level-1 Metric: 10, Priority: 64, Circuit ID: c2.01
DR ID: c2.01
Level-1 IPv6 Metric: 10
Number of active level-1 adjacencies: 3
Level-2 Metric: 10, Priority: 64, Circuit ID: c2.01
DR ID: c2.01
Level-2 IPv6 Metric: 10
Number of active level-2 adjacencies: 3
Next IS-IS LAN Level-1 Hello in 1 seconds
Next IS-IS LAN Level-2 Hello in 1 seconds
Table 4-30    show clns interface fields
GigabitEthernet0/1 is up, line protocol is up
    Shown to be up, and the line protocol is up.
Checksums enabled
    Can be enabled or disabled.
MTU
    The number following maximum transmission unit (MTU) is the maximum transmission size for a packet on this interface.
ERPDUs
    Displays information about the generation of error protocol data units (ERPDUs). They can be either enabled or disabled. If they are enabled, they are sent out no more frequently than the specified interval.
RDPDUs
    Provides information about the generation of redirect protocol data units (RDPDUs). They can be either enabled or disabled. If they are enabled, they are sent out no more frequently than the specified interval. If the address mask is enabled, redirects are sent out with an address mask.
Congestion Experienced
    Tells when CLNS will turn on the congestion experienced bit. The default is to turn this bit on when there are more than four packets in a queue.
DEC compatibility mode
    Indicates whether Digital Equipment Corporation (DEC) compatibility has been enabled.
Next ESH/ISH
    Displays when the next end system (ES) hello or intermediate system (IS) hello will be sent on this interface.
Routing Protocol
    Lists the areas that this interface is in. In most cases, an interface will be in only one area.
Circuit Type
    Indicates whether the interface has been configured for local routing (level 1), area routing (level 2), or local and area routing (level 1-2).
Interface number, local circuit ID; Level-1 Metric; DR ID; Level-1 IPv6 Metric; Number of active level-1 adjacencies; Level-2 Metric; DR ID; Level-2 IPv6 Metric; Number of active level-2 adjacencies; Next IS-IS LAN Level-1; Next IS-IS LAN Level-2
    The last series of fields displays information pertaining to Intermediate System-to-Intermediate System (IS-IS). For IS-IS, the Level 1 and Level 2 metrics, priorities, circuit IDs, and number of active Level 1 and Level 2 adjacencies are specified.
BFD enabled
    BFD has been enabled on the interface.
The following is sample output from the show clns is-neighbors command:
ciscoasa# show clns is-neighbors
System Id      Interface   State  Type  Priority  Circuit Id   Format
CSR7001        inside      Up     L1L2  64/64     ciscoasa.01  Phase V
CSR7002        inside      Up     L1L2  64/64     ciscoasa.01  Phase V
Table 4-31
show clns is-neighbors Fields
Field
Description
System Id
Identification value of the system.
Interface
Interface on which the router was discovered.
State
Adjacency state. Up and Init are the states. See the show clns neighbors description.
Type
L1, L2, and L1L2 type adjacencies. See the show clns neighbors description.
Priority
IS-IS priority that the respective neighbor is advertising. The highest priority neighbor is elected the designated IS-IS router for the interface.
Circuit Id
Neighbor's idea of what the designated IS-IS router is for the interface.
Format
Indicates if the neighbor is either a Phase V (OSI) adjacency or Phase IV (DECnet) adjacency.
The following is sample output from the show clns is-neighbors detail command:
ciscoasa# show clns is-neighbors detail
System Id      Interface   State  Type  Priority  Circuit Id   Format
CSR7001        inside      Up     L1L2  64/64     ciscoasa.01  Phase V
  Area Address(es): 49.0001
  IP Address(es): 1.3.3.3*
  Uptime: 00:12:49
  NSF capable
  Interface name: inside
CSR7002        inside      Up     L1L2  64/64     ciscoasa.01  Phase V
  Area Address(es): 49.0001
  IP Address(es): 20.3.3.3*
  Uptime: 00:12:50
  NSF capable
  Interface name: inside
The following is sample output from the show clns neighbors detail command:
ciscoasa# show clns neighbors detail
System Id      Interface   SNPA            State  Holdtime  Type  Protocol
CSR7001        inside      000c.2921.ff44  Up     26        L1L2
  Area Address(es): 49.0001
  IP Address(es): 1.3.3.3*
  Uptime: 01:16:33
  NSF capable
  Interface name: inside
CSR7002        inside      000c.2906.491c  Up     27        L1L2
  Area Address(es): 49.0001
  IP Address(es): 20.3.3.3*
  Uptime: 01:16:33
  NSF capable
  Interface name: inside
The following is sample output from the show clns neighbors command:
ciscoasa# show clns neighbors
System Id      Interface   SNPA            State  Holdtime  Type  Protocol
CSR7001        inside      000c.2921.ff44  Up     29        L1L2
CSR7002        inside      000c.2906.491c  Up     27        L1L2
Table 4-32
show clns neighbors Fields
Field
Description
System Id
Six-byte value that identifies a system in an area.
Interface
Interface name from which the system was learned.
SNPA
Subnetwork Point of Attachment. This is the data-link address.
State
State of the ES, IS, or M-ISIS.
• Init—System is an IS and is waiting for an IS-IS hello message. IS-IS regards the neighbor as not adjacent.
• Up—Believes the ES or IS is reachable.
Holdtime
Number of seconds before this adjacency entry times out.
Type
The adjacency type. Possible values are as follows:
• ES—End-system adjacency either discovered via the ES-IS protocol or statically configured.
• IS—Router adjacency either discovered via the ES-IS protocol or statically configured.
• M-ISIS—Router adjacency discovered via the multitopology IS-IS protocol.
• L1—Router adjacency for Level 1 routing only.
• L1L2—Router adjacency for Level 1 and Level 2 routing.
• L2—Router adjacency for Level 2 only.
Protocol
Protocol through which the adjacency was learned. Valid protocol sources are ES-IS, IS-IS, ISO IGRP, Static, DECnet, and M-ISIS.
The following is sample output from the show clns protocol command:
ciscoasa# show clns protocol
IS-IS Router
System Id: 0050.0500.5008.00 IS-Type: level-1-2
Manual area address(es):
49.0001
Routing for area address(es):
49.0001
Interfaces supported by IS-IS:
outside - IP
Redistribute:
static (on by default)
Distance for L2 CLNS routes: 110
RRR level: none
Generate narrow metrics: level-1-2
Accept narrow metrics:   level-1-2
Generate wide metrics:   none
Accept wide metrics:     none
The following is sample output from the show clns traffic command:
ciscoasa# show clns traffic
CLNS: Time since last clear: never
CLNS & ESIS Output: 0, Input: 8829
CLNS Local: 0, Forward: 0
CLNS Discards:
Hdr Syntax: 0, Checksum: 0, Lifetime: 0, Output cngstn: 0
No Route: 0, Discard Route: 0, Dst Unreachable 0, Encaps. Failed: 0
NLP Unknown: 0, Not an IS: 0
CLNS Options: Packets 0, total 0 , bad 0, GQOS 0, cngstn exprncd 0
CLNS Segments: Segmented: 0, Failed: 0
CLNS Broadcasts: sent: 0, rcvd: 0
Echos: Rcvd 0 requests, 0 replies
       Sent 0 requests, 0 replies
ESIS(sent/rcvd): ESHs: 0/0, ISHs: 0/0, RDs: 0/0, QCF: 0/0
Tunneling (sent/rcvd): IP: 0/0, IPv6: 0/0
Tunneling dropped (rcvd) IP/IPV6: 0
ISO-IGRP: Querys (sent/rcvd): 0/0 Updates (sent/rcvd): 0/0
ISO-IGRP: Router Hellos: (sent/rcvd): 0/0
ISO-IGRP Syntax Errors: 0
IS-IS: Time since last clear: never
IS-IS: Level-1 Hellos (sent/rcvd): 1928/1287
IS-IS: Level-2 Hellos (sent/rcvd): 1918/1283
IS-IS: PTP Hellos     (sent/rcvd): 0/0
IS-IS: Level-1 LSPs sourced (new/refresh): 7/13
IS-IS: Level-2 LSPs sourced (new/refresh): 7/14
IS-IS: Level-1 LSPs flooded (sent/rcvd): 97/2675
IS-IS: Level-2 LSPs flooded (sent/rcvd): 73/2628
IS-IS: LSP Retransmissions: 0
IS-IS: Level-1 CSNPs (sent/rcvd): 642/0
IS-IS: Level-2 CSNPs (sent/rcvd): 639/0
IS-IS: Level-1 PSNPs (sent/rcvd): 0/554
IS-IS: Level-2 PSNPs (sent/rcvd): 0/390
IS-IS: Level-1 DR Elections: 1
IS-IS: Level-2 DR Elections: 1
IS-IS: Level-1 SPF Calculations: 9
IS-IS: Level-2 SPF Calculations: 8
IS-IS: Level-1 Partial Route Calculations: 0
IS-IS: Level-2 Partial Route Calculations: 0
IS-IS: LSP checksum errors received: 0
IS-IS: Update process queue depth: 0/200
IS-IS: Update process packets dropped: 0
Table 4-33
show clns traffic Fields
Field
Description
CLNS & ESIS Output
Total number of packets that this router has sent.
Input
Total number of packets that this router has received.
CLNS Local
Lists the number of packets that were generated by this router.
Forward
Lists the number of packets that this router has forwarded.
CLNS Discards
Lists the packets that CLNS has discarded, along with the reason for the
discard.
CLNS Options
Lists the options seen in CLNS packets.
CLNS Segments
Lists the number of packets segmented and the number of failures that
occurred because a packet could not be segmented.
CLNS Broadcasts
Lists the number of CLNS broadcasts sent and received.
Echos
Lists the number of echo request packets and echo reply packets received.
The line following this field lists the number of echo request packets and
echo reply packets sent.
ESIS (sent/rcvd)
Lists the number of End System Hello (ESH), Intermediate System Hello
(ISH), and redirects sent and received.
ISO IGRP
Lists the number of ISO Interior Gateway Routing Protocol (IGRP) queries
and updates sent and received.
Table 4-33 show clns traffic Fields (continued)
Field
Description
Router Hellos
Lists the number of ISO IGRP router hello packets sent and received.
IS-IS: Level-1 hellos (sent/rcvd)
Lists the number of Level 1 IS-IS hello packets sent and received.
IS-IS: Level-2 hellos (sent/rcvd)
Lists the number of Level 2 IS-IS hello packets sent and received.
IS-IS: PTP hellos (sent/rcvd)
Lists the number of point-to-point IS-IS hello packets sent and received over serial links.
IS-IS: Level-1 LSPs (sent/rcvd)
Lists the number of Level 1 link-state protocol data units (PDUs) sent and received.
IS-IS: Level-2 LSPs (sent/rcvd)
Lists the number of Level 2 link-state PDUs sent and received.
IS-IS: Level-1 CSNPs (sent/rcvd)
Lists the number of Level 1 complete sequence number packets (CSNPs) sent and received.
IS-IS: Level-2 CSNPs (sent/rcvd)
Lists the number of Level 2 CSNPs sent and received.
IS-IS: Level-1 PSNPs (sent/rcvd)
Lists the number of Level 1 partial sequence number packets (PSNPs) sent and received.
IS-IS: Level-2 PSNPs (sent/rcvd)
Lists the number of Level 2 PSNPs sent and received.
IS-IS: Level-1 DR Elections
Lists the number of times a Level 1 designated router election occurred.
IS-IS: Level-2 DR Elections
Lists the number of times a Level 2 designated router election occurred.
IS-IS: Level-1 SPF Calculations
Lists the number of times the Level 1 shortest-path-first (SPF) tree was computed.
IS-IS: Level-2 SPF Calculations
Lists the number of times the Level 2 SPF tree was computed.
Related Commands
Command
Description
advertise passive-only
Configures the ASA to advertise passive interfaces.
area-password
Configures an IS-IS area authentication password.
authentication key
Enables authentication for IS-IS globally.
authentication mode
Specifies the type of authentication mode used in IS-IS packets for the IS-IS
instance globally.
authentication
send-only
Configures the IS-IS instance globally to have authentication performed only
on IS-IS packets being sent (not received).
clear isis
Clears IS-IS data structures.
default-information originate
Generates a default route into an IS-IS routing domain.
distance
Defines the administrative distance assigned to routes discovered by the
IS-IS protocol.
domain-password
Configures an IS-IS domain authentication password.
fast-flood
Configures IS-IS LSPs to be full.
hello padding
Configures IS-IS hellos to the full MTU size.
hostname dynamic
Enables IS-IS dynamic hostname capability.
ignore-lsp-errors
Configures the ASA to ignore IS-IS LSPs that are received with internal
checksum errors rather than purging the LSPs.
isis adjacency-filter
Filters the establishment of IS-IS adjacencies.
isis advertise-prefix
Advertises IS-IS prefixes of connected networks in LSP advertisements on
an IS-IS interface.
isis authentication key
Enables authentication for an interface.
isis authentication mode
Specifies the type of authentication mode used in IS-IS packets for the IS-IS
instance per interface.
isis authentication send-only
Configures the IS-IS instance per interface to have authentication performed
only on IS-IS packets being sent (not received).
isis circuit-type
Configures the type of adjacency used for the IS-IS.
isis csnp-interval
Configures the interval at which periodic CSNP packets are sent on
broadcast interfaces.
isis hello-interval
Specifies the length of time between consecutive hello packets sent by IS-IS.
isis hello-multiplier
Specifies the number of IS-IS hello packets a neighbor must miss before the
ASA declares the adjacency as down.
isis hello padding
Configures IS-IS hellos to the full MTU size per interface.
isis lsp-interval
Configures the time delay between successive IS-IS LSP transmissions per
interface.
isis metric
Configures the value of an IS-IS metric.
isis password
Configures the authentication password for an interface.
isis priority
Configures the priority of designated ASAs on the interface.
isis protocol shutdown Disables the IS-IS protocol per interface.
isis retransmit-interval
Configures the amount of time between retransmission of each IS-IS LSP on
the interface.
isis retransmit-throttle-interval
Configures the amount of time between retransmissions of each IS-IS LSP
on the interface.
isis tag
Sets a tag on the IP address configured for an interface when the IP prefix is
put into an LSP.
is-type
Assigns the routing level for the IS-IS routing process.
log-adjacency-changes Enables the ASA to generate a log message when an NLSP IS-IS adjacency
changes state (up or down).
lsp-full suppress
Configures which routes are suppressed when the PDU becomes full.
lsp-gen-interval
Customizes IS-IS throttling of LSP generation.
lsp-refresh-interval
Sets the LSP refresh interval.
max-area-addresses
Configures additional manual addresses for an IS-IS area.
max-lsp-lifetime
Sets the maximum time that LSPs persist in the ASA's database without
being refreshed.
maximum-paths
Configures multi-path load sharing for IS-IS.
metric
Globally changes the metric value for all IS-IS interfaces.
metric-style
Configures an ASA running IS-IS so that it generates and only accepts
new-style type, length, value objects (TLVs).
net
Specifies the NET for the routing process.
passive-interface
Configures a passive interface.
prc-interval
Customizes IS-IS throttling of PRCs.
protocol shutdown
Disables the IS-IS protocol globally so that it cannot form any adjacency on
any interface and will clear the LSP database.
redistribute isis
Redistributes IS-IS routes specifically from Level 1 into Level 2 or from
Level 2 into Level 1.
route priority high
Assigns a high priority to an IS-IS IP prefix.
router isis
Enables IS-IS routing.
set-attached-bit
Specifies constraints for when a Level 1-Level 2 router should set its
attached bit.
set-overload-bit
Configures the ASA to signal other routers not to use it as an intermediate
hop in their SPF calculations.
show isis
Shows IS-IS information.
show route isis
Shows IS-IS routes.
spf-interval
Customizes IS-IS throttling of SPF calculations.
summary-address
Creates aggregate addresses for IS-IS.
show clock
To view the time on the ASA, use the show clock command in user EXEC mode.
show clock [detail]
Syntax Description
detail
(Optional) Indicates the clock source (NTP or user configuration) and the
current summer-time setting (if any).
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode    Firewall Mode             Security Context
                Routed    Transparent     Single    Multiple
                                                    Context    System
User EXEC       • Yes     • Yes           • Yes     • Yes      • Yes
Command History
Release    Modification
7.0(1)     This command was added.
Examples
The following is sample output from the show clock command:
ciscoasa# show clock
12:35:45.205 EDT Tue Jul 27 2004
The following is sample output from the show clock detail command:
ciscoasa# show clock detail
12:35:45.205 EDT Tue Jul 27 2004
Time source is user configuration
Summer time starts 02:00:00 EST Sun Apr 4 2004
Summer time ends 02:00:00 EDT Sun Oct 31 2004
Related Commands
Command
Description
clock set
Manually sets the clock on the ASA.
clock summer-time
Sets the date range to show daylight saving time.
clock timezone
Sets the time zone.
ntp server
Identifies an NTP server.
show ntp status
Shows the status of the NTP association.
show cluster
To view aggregated data for the entire cluster or other information, use the show cluster command in
privileged EXEC mode.
show cluster [chassis] {access-list [acl_name] | conn [count] | cpu [usage] | history |
interface-mode | memory | resource usage | service-policy | traffic | xlate count}
Syntax Description
access-list [acl_name]
Shows hit counters for access policies. To see the counters for a specific
ACL, enter the acl_name.
chassis
For the Firepower 9300 ASA security module, shows the cluster information
for the chassis.
conn [count]
Shows the aggregated count of in-use connections for all units. If you enter
the count keyword, only the connection count is shown.
cpu [usage]
Shows CPU usage information.
history
Shows cluster switching history.
interface-mode
Shows the cluster interface mode, either spanned or individual.
memory
Shows system memory utilization and other information.
resource usage
Shows system resources and usage.
service-policy
Shows the MPF service policy statistics.
traffic
Shows traffic statistics.
xlate count
Shows current translation information.
Command Default
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode       Firewall Mode             Security Context
                   Routed    Transparent     Single    Multiple
                                                       Context    System
Privileged EXEC    • Yes     • Yes           • Yes     —          • Yes
Command History
Release       Modification
9.0(1)        This command was added.
9.4(1)        The service-policy keyword was added.
9.4(1.152)    The chassis keyword was added.
Usage Guidelines
See also the show cluster info and show cluster user-identity commands.
Examples
The following is sample output from the show cluster access-list command:
ciscoasa# show cluster access-list
hitcnt display order: cluster-wide aggregated result, unit-A, unit-B, unit-C, unit-D
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
access-list 101; 122 elements; name hash: 0xe7d586b5
access-list 101 line 1 extended permit tcp 192.168.143.0 255.255.255.0 any eq www (hitcnt=0, 0, 0, 0, 0) 0x207a2b7d
access-list 101 line 2 extended permit tcp any 192.168.143.0 255.255.255.0 (hitcnt=0, 0, 0, 0, 0) 0xfe4f4947
access-list 101 line 3 extended permit tcp host 192.168.1.183 host 192.168.43.238 (hitcnt=1, 0, 0, 0, 1) 0x7b521307
access-list 101 line 4 extended permit tcp host 192.168.1.116 host 192.168.43.238 (hitcnt=0, 0, 0, 0, 0) 0x5795c069
access-list 101 line 5 extended permit tcp host 192.168.1.177 host 192.168.43.238 (hitcnt=1, 0, 0, 1, 0) 0x51bde7ee
access-list 101 line 6 extended permit tcp host 192.168.1.177 host 192.168.43.13 (hitcnt=0, 0, 0, 0, 0) 0x1e68697c
access-list 101 line 7 extended permit tcp host 192.168.1.177 host 192.168.43.132 (hitcnt=2, 0, 0, 1, 1) 0xc1ce5c49
access-list 101 line 8 extended permit tcp host 192.168.1.177 host 192.168.43.192 (hitcnt=3, 0, 1, 1, 1) 0xb6f59512
access-list 101 line 9 extended permit tcp host 192.168.1.177 host 192.168.43.44 (hitcnt=0, 0, 0, 0, 0) 0xdc104200
access-list 101 line 10 extended permit tcp host 192.168.1.112 host 192.168.43.44 (hitcnt=429, 109, 107, 109, 104) 0xce4f281d
access-list 101 line 11 extended permit tcp host 192.168.1.170 host 192.168.43.238 (hitcnt=3, 1, 0, 0, 2) 0x4143a818
access-list 101 line 12 extended permit tcp host 192.168.1.170 host 192.168.43.169 (hitcnt=2, 0, 1, 0, 1) 0xb18dfea4
access-list 101 line 13 extended permit tcp host 192.168.1.170 host 192.168.43.229 (hitcnt=1, 1, 0, 0, 0) 0x21557d71
access-list 101 line 14 extended permit tcp host 192.168.1.170 host 192.168.43.106 (hitcnt=0, 0, 0, 0, 0) 0x7316e016
access-list 101 line 15 extended permit tcp host 192.168.1.170 host 192.168.43.196 (hitcnt=0, 0, 0, 0, 0) 0x013fd5b8
access-list 101 line 16 extended permit tcp host 192.168.1.170 host 192.168.43.75 (hitcnt=0, 0, 0, 0, 0) 0x2c7dba0d
To display the aggregated count of in-use connections for all units, enter:
ciscoasa# show cluster conn count
Usage Summary In Cluster:*********************************************
200 in use (cluster-wide aggregated)
cl2(LOCAL):***********************************************************
100 in use, 100 most used
cl1:******************************************************************
100 in use, 100 most used
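The "hitcnt display order" line above fixes how every ACE's counters are read: the first value is the cluster-wide aggregate and the rest follow the listed unit order. The following Python is an added example, not Cisco code, that parses such output into per-unit counters, rejects any line whose aggregate does not equal the sum of the unit counters (a sign of a truncated or mis-joined capture), and reports zero-hit ACEs and how each ACE's hits are spread across units; its input is constructed from a subset of the sample lines above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input: a subset of the show cluster access-list output
# shown above, with each "(hitcnt=...)" tuple on the same line as its ACE.
SAMPLE_OUTPUT = """\
hitcnt display order: cluster-wide aggregated result, unit-A, unit-B, unit-C, unit-D
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
access-list 101; 122 elements; name hash: 0xe7d586b5
access-list 101 line 1 extended permit tcp 192.168.143.0 255.255.255.0 any eq www (hitcnt=0, 0, 0, 0, 0) 0x207a2b7d
access-list 101 line 3 extended permit tcp host 192.168.1.183 host 192.168.43.238 (hitcnt=1, 0, 0, 0, 1) 0x7b521307
access-list 101 line 8 extended permit tcp host 192.168.1.177 host 192.168.43.192 (hitcnt=3, 0, 1, 1, 1) 0xb6f59512
access-list 101 line 10 extended permit tcp host 192.168.1.112 host 192.168.43.44 (hitcnt=429, 109, 107, 109, 104) 0xce4f281d
"""

ORDER_RE = re.compile(r"^hitcnt display order: cluster-wide aggregated result, (?P<units>.+)$")
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<ace>.+?) "
    r"\(hitcnt=(?P<counts>[\d, ]+)\) (?P<hash>0x[0-9a-f]+)$"
)


@dataclass
class ClusterAce:
    acl: str
    line: int
    ace: str            # the ACE text between "line N" and "(hitcnt="
    aggregate: int      # cluster-wide aggregated hit count
    per_unit: Dict[str, int]
    hash_id: str


def parse_cluster_access_list(output: str) -> Tuple[List[str], List[ClusterAce]]:
    """Parse show cluster access-list output into (unit names, ACEs).

    The header line fixes the order of the per-unit counters. Every ACE line
    must carry one aggregate value plus one value per unit, and the aggregate
    must equal the sum of the per-unit values; otherwise the line is rejected
    rather than trusted.
    """
    units: List[str] = []
    aces: List[ClusterAce] = []
    for raw in output.splitlines():
        line = raw.strip()
        m = ORDER_RE.match(line)
        if m:
            units = [u.strip() for u in m.group("units").split(",")]
            continue
        m = ACE_RE.match(line)
        if not m:
            continue  # ACL summary line, cached-flow line, and so on
        if not units:
            raise ValueError("ACE line seen before the hitcnt display order header")
        counts = [int(c) for c in m.group("counts").split(",")]
        if len(counts) != len(units) + 1:
            raise ValueError(f"{m.group('acl')} line {m.group('line')}: expected "
                             f"{len(units) + 1} counters, got {len(counts)}")
        aggregate, per_unit = counts[0], dict(zip(units, counts[1:]))
        if aggregate != sum(per_unit.values()):
            raise ValueError(f"{m.group('acl')} line {m.group('line')}: aggregate "
                             f"{aggregate} != sum of unit counters {sum(per_unit.values())}")
        aces.append(ClusterAce(m.group("acl"), int(m.group("line")), m.group("ace"),
                               aggregate, per_unit, m.group("hash")))
    return units, aces


def unused_aces(aces: List[ClusterAce]) -> List[ClusterAce]:
    """ACEs with zero hits cluster-wide: candidates for review before cleanup."""
    return [a for a in aces if a.aggregate == 0]


def unit_share(ace: ClusterAce) -> Dict[str, float]:
    """Fraction of an ACE's hits handled by each unit, to spot uneven distribution."""
    if ace.aggregate == 0:
        return {u: 0.0 for u in ace.per_unit}
    return {u: c / ace.aggregate for u, c in ace.per_unit.items()}


if __name__ == "__main__":
    units, aces = parse_cluster_access_list(SAMPLE_OUTPUT)
    print("units:", units)
    for a in aces:
        print(f"{a.acl} line {a.line}: {a.aggregate} hits, share {unit_share(a)}")
    print("unused ACE lines:", [a.line for a in unused_aces(aces)])
```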
Related Commands
Command
Description
show cluster info
Shows cluster information.
show cluster
user-identity
Shows cluster user identity information and statistics.
show cluster info
To view cluster information, use the show cluster info command in privileged EXEC mode.
show cluster info [clients | conn-distribution | flow-mobility counters | goid [options] | health |
incompatible-config | loadbalance | old-members | packet-distribution | trace [options] |
transport {asp | cp}]
Syntax Description
clients
(Optional) Shows the version of register clients.
conn-distribution
(Optional) Shows the connection distribution in the cluster.
flow-mobility counters (Optional) Shows EID movement and flow owner movement information.
goid [options]
(Optional) Shows the global object ID database. Options include: classmap,
conn-set, hwidb, idfw-domain, idfw-group, interface, policymap, and
virtual-context.
health
(Optional) Shows health monitoring information.
incompatible-config
(Optional) Shows commands that are incompatible with clustering in the
current running configuration. This command is useful before you enable
clustering.
loadbalance
(Optional) Shows load balancing information.
old-members
(Optional) Shows former members of the cluster.
packet-distribution
(Optional) Shows packet distribution in the cluster.
trace [options]
(Optional) Shows the clustering control module event trace. Options include:
• latest [number]—Displays the latest number events, where the number is from 1 to 2147483647. The default is to show all.
• level level—Filters events by level, where the level is one of the following: all, critical, debug, informational, or warning.
• module module—Filters events by module, where the module is one of the following: ccp, datapath, fsm, general, hc, license, rpc, or transport.
• time {[month day] [hh:mm:ss]}—Shows events before the specified time or date.
transport {asp | cp}
(Optional) Shows transport-related statistics for the following:
• asp—Data plane transport statistics.
• cp—Control plane transport statistics.
Command Default
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode       Firewall Mode             Security Context
                   Routed    Transparent     Single    Multiple
                                                       Context    System
Privileged EXEC    • Yes     • Yes           • Yes     —          • Yes
Command History
Release    Modification
9.0(1)     This command was added.
9.3(1)     Improved support for modules in the show cluster info health command was added.
9.5(1)     Site ID information was added to the output.
9.5(2)     The flow-mobility counters keywords were added.
Usage Guidelines
If you do not specify any options, the show cluster info command shows general cluster information
including the cluster name and status, the cluster members, the member states, and so on.
Clear statistics using the clear cluster info command.
See also the show cluster and show cluster user-identity commands.
Examples
The following is sample output from the show cluster info command:
ciscoasa# show cluster info
Cluster stbu: On
    This is "C" in state SLAVE
        ID        : 0
        Site ID   : 1
        Version   : 9.5(1)
        Serial No.: P3000000025
        CCL IP    : 10.0.0.3
        CCL MAC   : 000b.fcf8.c192
        Last join : 17:08:59 UTC Sep 26 2011
        Last leave: N/A
Other members in the cluster:
    Unit "D" in state SLAVE
        ID        : 1
        Site ID   : 1
        Version   : 9.5(1)
        Serial No.: P3000000001
        CCL IP    : 10.0.0.4
        CCL MAC   : 000b.fcf8.c162
        Last join : 19:13:11 UTC Sep 23 2011
        Last leave: N/A
    Unit "A" in state MASTER
        ID        : 2
        Site ID   : 2
        Version   : 9.5(1)
        Serial No.: JAB0815R0JY
        CCL IP    : 10.0.0.1
        CCL MAC   : 000f.f775.541e
        Last join : 19:13:20 UTC Sep 23 2011
        Last leave: N/A
    Unit "B" in state SLAVE
        ID        : 3
        Site ID   : 2
        Version   : 9.5(1)
        Serial No.: P3000000191
        CCL IP    : 10.0.0.2
        CCL MAC   : 000b.fcf8.c61e
        Last join : 19:13:50 UTC Sep 23 2011
        Last leave: 19:13:36 UTC Sep 23 2011
The following is sample output from the show cluster info incompatible-config command:
ciscoasa(cfg-cluster)# show cluster info incompatible-config
INFO: Clustering is not compatible with following commands which given a user's
confirmation upon enabling clustering, can be removed automatically from running-config.
policy-map global_policy
class scansafe-http
inspect scansafe http-map fail-close
policy-map global_policy
class scansafe-https
inspect scansafe https-map fail-close
INFO: No manually-correctable incompatible configuration is found.
The following is sample output from the show cluster info trace command:
ciscoasa# show cluster info trace
Feb 02 14:19:47.456 [DBUG]Receive CCP message: CCP_MSG_LOAD_BALANCE
Feb 02 14:19:47.456 [DBUG]Receive CCP message: CCP_MSG_LOAD_BALANCE
Feb 02 14:19:47.456 [DBUG]Send CCP message to all: CCP_MSG_KEEPALIVE from 80-1 at MASTER
The following is sample output from the show cluster info health command on the ASA 5500-X:
ciscoasa# show cluster info health
Member ID to name mapping:
  0 - A
  1 - B(myself)
                       0          1
GigabitEthernet0/0     up         up
Management0/0          up         up
ips (policy off)       up         None
sfr (policy off)       None       up
Unit overall           healthy    healthy
Cluster overall        healthy
The above output lists both ASA IPS (ips) and ASA FirePOWER (sfr) modules, and for each module the
ASA shows “policy on” or “policy off” to show if you configured the module in the service policy. For
example:
class-map sfr-class
match sfr-traffic
policy-map sfr-policy
class sfr-class
sfr inline fail-close
service-policy sfr interface inside
With the above configuration, the ASA FirePOWER module (“sfr”) will be displayed as “policy on”. If
one cluster member has a module as “up”, and the other member has the module as “down” or “None”,
then the member with the down module will be kicked out of the cluster. However, if the service policy
is not configured, then the cluster member would not be kicked out of the cluster; the module status is
only relevant if the module is running.
The following is sample output from the show cluster info health command on the ASA 5585-X:
ciscoasa# show cluster info health
Member ID to name mapping:
  0 - A(myself)   1 - B
                         0          1
GigabitEthernet0/0       up         up
SSM Card (policy off)    up         up
Unit overall             healthy    healthy
Cluster overall          healthy    healthy
If you configure the module in the service policy, then the output shows “policy on”. If you do not
configure the service policy, then the output shows “policy off”, even if a module is present in the
chassis.
The following is sample output from the show cluster info flow-mobility counters command:
ciscoasa# show cluster info flow-mobility counters
EID movement notification received : 0
EID movement notification processed : 0
Flow owner moving requested         : 0
Related Commands
Command
Description
show cluster
Displays aggregated data for the entire cluster.
show cluster
user-identity
Shows cluster user identity information and statistics.
show cluster user-identity
To view cluster-wide user identity information and statistics, use the show cluster user-identity
command in privileged EXEC mode.
show cluster user-identity {statistics [user name | user-group group_name] |
user [active [domain name] | user name | user-group group_name] [list [detail] | all [list
[detail] | inactive {domain name | user-group group_name] [list [detail]]}
Syntax Description
active
Shows users with active IP-user mappings.
all
Shows all users in the user database.
domain name
Shows user info for a domain.
inactive
Shows users with inactive IP-user mappings.
list [detail]
Shows a list of users.
statistics
Shows cluster user identity statistics.
user
Shows the user database.
user name
Shows information for a specific user.
user-group group_name
Shows information for each user of a specific group.
Command Default
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode       Firewall Mode             Security Context
                   Routed    Transparent     Single    Multiple
                                                       Context    System
Privileged EXEC    • Yes     • Yes           • Yes     —          • Yes
Command History
Release    Modification
9.0(1)     This command was added.
Usage Guidelines
See also the show cluster info and show cluster commands.
Related Commands
Command
Description
show cluster
Displays aggregated data for the entire cluster.
show cluster info
Shows cluster information.
show compression svc
To view compression statistics for SVC connections on the ASA, use the show compression svc
command from privileged EXEC mode.
show compression svc
Defaults
There is no default behavior for this command.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode            Firewall Mode             Security Context
                        Routed    Transparent     Single    Multiple
                                                            Context    System
Global configuration    • Yes     —               • Yes     —          —
Command History
Release    Modification
7.1(1)     This command was added.
Examples
The following example shows the output of the show compression svc command:
ciscoasa# show compression svc
Compression SVC Sessions             1
Compressed Frames                    249756
Compressed Data In (bytes)           0048042
Compressed Data Out (bytes)          4859704
Expanded Frames                      1
Compression Errors                   0
Compression Resets                   0
Compression Output Buf Too Small     0
Compression Ratio                    2.06
Decompressed Frames                  876687
Decompressed Data In                 279300233
Related Commands
Command
Description
compression
Enables compression for all SVC and WebVPN connections.
svc compression
Enables compression of http data over an SVC connection for a specific group
or user.
show configuration
To display the configuration that is saved in flash memory on the ASA, use the show configuration
command in privileged EXEC mode.
show configuration
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode       Firewall Mode             Security Context
                   Routed    Transparent     Single    Multiple
                                                       Context    System
Privileged EXEC    • Yes     • Yes           • Yes     • Yes      • Yes
Command History
Release    Modification
7.0(1)     This command was modified.
Usage Guidelines
The show configuration command displays the saved configuration in flash memory on the ASA.
Unlike the show running-config command, the show configuration command does not use many CPU
resources to run.
To display the active configuration in memory (including saved configuration changes) on the ASA, use
the show running-config command.
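The saved-versus-running distinction above is what a configuration-drift check relies on: anything present in show running-config but absent from show configuration has not been written to flash. The following Python is an added example, not Cisco code, that compares two such captures while keeping sub-mode commands tied to their parent line (ASA indents them by one space) and flags unsaved changes to management-plane access; both configurations are constructed, the saved one from a fragment of the sample output in this section and the running one as a hypothetical capture made after unwritten changes.

```python
from typing import List, Set, Tuple

Entry = Tuple[str, str]  # (enclosing top-level command, command line)

# Constructed sample: a fragment in the shape of the show configuration output
# in this section (the copy in flash) and a hypothetical show running-config
# capture taken after an operator changed things without writing them.
SAVED_CONFIG = """\
: enable password 8Ry2YjIyt7RRXU24 encrypted
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 10.132.12.6 255.255.255.0
!
logging enable
logging buffered debugging
telnet 192.168.2.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
Cryptochecksum:62bf8f5de9466cdb64fe758079594635:
end
"""

RUNNING_CONFIG = """\
: Saved
!
interface Ethernet0/1
 nameif outside
 security-level 50
 ip address 10.132.12.6 255.255.255.0
!
logging enable
telnet 192.168.2.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside
ssh 10.0.0.0 255.0.0.0 outside
ssh timeout 5
Cryptochecksum:00000000000000000000000000000000:
end
"""

# Top-level commands that change who can reach the management plane (a
# hypothetical watch list, not an ASA-defined category).
MGMT_ACCESS_COMMANDS = {"ssh", "telnet", "http", "aaa", "username", "enable"}


def config_entries(config: str) -> Set[Entry]:
    """Turn ASA configuration text into a set of (context, command) entries.

    Sub-mode commands are indented by one space under their parent (interface,
    policy-map, ...), so each one is keyed by the parent line; that keeps
    "security-level 50" on Ethernet0/1 distinct from the same line on another
    interface. Comment lines, "!" separators, the checksum and "end" are not
    compared.
    """
    entries: Set[Entry] = set()
    context = ""
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            entries.add((context, raw.strip()))
            continue
        line = raw.rstrip()
        if line.startswith((":", "!", "Cryptochecksum:")) or line == "end":
            continue
        context = line
        entries.add(("", line))
    return entries


def config_drift(saved: str, running: str) -> Tuple[List[Entry], List[Entry]]:
    """Return (entries only in running, entries only in saved), each sorted."""
    s, r = config_entries(saved), config_entries(running)
    return sorted(r - s), sorted(s - r)


def management_access_changes(entries: List[Entry]) -> List[Entry]:
    """Top-level entries from a drift list that touch management-plane access."""
    return [e for e in entries
            if e[0] == "" and e[1].split()[0] in MGMT_ACCESS_COMMANDS]


if __name__ == "__main__":
    added, removed = config_drift(SAVED_CONFIG, RUNNING_CONFIG)
    print("unsaved additions:", added)
    print("unsaved removals:", removed)
    print("management access changed:", management_access_changes(added))
```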
Examples
The following is sample output from the show configuration command:
ciscoasa# show configuration
: enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.2.5 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 10.132.12.6 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.0.0.5 255.255.0.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/newImage
ftp mode passive
access-list acl1 extended permit ip any any
access-list mgcpacl extended permit udp any any eq 2727
access-list mgcpacl extended permit udp any any eq 2427
access-list mgcpacl extended permit udp any any eq tftp
access-list mgcpacl extended permit udp any any eq 1719
access-list permitIp extended permit ip any any
pager lines 25
logging enable
logging console debugging
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any dmz
asdm image disk0:/pdm
no asdm history enable
arp timeout 14400
global (outside) 1 10.132.12.50-10.132.12.52
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group permitIp in interface inside
access-group permitIp in interface outside
access-group mgcpacl in interface dmz
!
router ospf 1
network 10.0.0.0 255.255.0.0 area 192.168.2.0
network 192.168.2.0 255.255.255.0 area 192.168.2.0
log-adj-changes
redistribute static subnets
default-information originate
!
route outside 0.0.0.0 0.0.0.0 10.132.12.1 1
route outside 10.129.0.0 255.255.0.0 10.132.12.1 1
route outside 88.0.0.0 255.0.0.0 10.132.12.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.132.12.0 255.255.255.0 outside
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.2.0 255.255.255.0 inside
telnet 10.132.12.0 255.255.255.0 outside
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect mgcp
policy-map type inspect mgcp mgcpapp
parameters
call-agent 150.0.0.210 101
gateway 50.0.0.201 101
gateway 100.0.0.201 101
command-queue 150
!
service-policy global_policy global
webvpn
memory-size percent 25
enable inside
internal-password enable
onscreen-keyboard logon
username snoopy password /JcYsjvxHfBHc4ZK encrypted
prompt hostname context
Cryptochecksum:62bf8f5de9466cdb64fe758079594635:
end
Related Commands
Command      Description
configure    Configures the ASA from the terminal.
show configuration session
To display the current configuration sessions and the changes within the sessions, use the show
configuration session command in privileged EXEC mode.
show configuration session [session_name]
Syntax Description
session_name
    The name of an existing configuration session. If you omit this parameter, all existing sessions are shown.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

Command Mode          Firewall Mode          Security Context
                      Routed   Transparent   Single   Multiple
                                                      Context   System
Global configuration  • Yes    • Yes         • Yes    • Yes     —

Command History
Release   Modification
9.3(2)    This command was added.
Usage Guidelines
Use this command in conjunction with the configure session command, which creates isolated sessions
for editing ACLs and their objects. This command shows the names of the sessions, and all of the
configuration changes that have been made in the sessions.
If a session shows as committed, you can open the session and revert the changes if you decide they did
not work as expected.
Examples
The following example shows all available sessions:
ciscoasa# show configuration session
config-session abc (un-committed)
access-list abc permit ip any any
access-list abc permit tcp any any
config-session abc2 (un-committed)
object network test
host 1.1.1.1
object network test2
host 2.2.2.2
ciscoasa#
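Session output like the example above is easy to skim by hand, but on a busy device it is worth checking mechanically that nothing permissive is sitting un-committed. The following Python is an added example written for this page, not Cisco code and not part of the command reference: it parses show configuration session output into sessions, distinguishes committed from un-committed ones, and reports any un-committed access-list entry that permits ip any any. The sample output is constructed after the example above; the dmz_fix session and the "(committed)" status text are assumptions.

```python
"""Audit pending Cisco ASA configuration sessions.

Added example, not code from the Cisco reference. It parses `show
configuration session` output and reports un-committed sessions that carry a
"permit ip any any" access-list entry. SESSION_SAMPLE is constructed after the
reference's example; the dmz_fix session and the "(committed)" status text
are assumptions.
"""
import re

SESSION_RE = re.compile(r"^config-session\s+(?P<name>\S+)\s+\((?P<status>[^)]+)\)$")
PROMPT_RE = re.compile(r"^\S+#")   # "ciscoasa# show configuration session" or a bare "ciscoasa#"
# An ACE that permits ip (or any protocol) from any source to any destination.
ANY_ANY_RE = re.compile(
    r"^access-list\s+\S+\s+(?:extended\s+)?permit\s+(?:ip|any)\s+any[46]?\s+any[46]?\s*$")


def parse_sessions(text):
    """Return a list of (name, status, lines) tuples, one per config-session block."""
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or PROMPT_RE.match(line):
            continue
        m = SESSION_RE.match(line)
        if m:
            sessions.append((m.group("name"), m.group("status"), []))
        elif sessions:
            sessions[-1][2].append(line)   # a change line belongs to the most recent session
    return sessions


def is_committed(status):
    return status.strip().lower() == "committed"


def permissive_pending(sessions):
    """(session name, ACE) for every permit-ip-any-any line in an un-committed session."""
    hits = []
    for name, status, lines in sessions:
        if is_committed(status):
            continue   # already live; review the running configuration for those
        hits.extend((name, l) for l in lines if ANY_ANY_RE.match(l))
    return hits


# Constructed after the reference's example output; not a real capture.
SESSION_SAMPLE = """\
ciscoasa# show configuration session
config-session abc (un-committed)
access-list abc permit ip any any
access-list abc permit tcp any any
config-session abc2 (un-committed)
object network test
host 1.1.1.1
object network test2
host 2.2.2.2
config-session dmz_fix (committed)
access-list dmz_in extended permit tcp host 10.0.0.5 host 10.0.1.9 eq 443
ciscoasa#
"""

if __name__ == "__main__":
    for name, ace in permissive_pending(parse_sessions(SESSION_SAMPLE)):
        print("un-committed session %s still holds: %s" % (name, ace))
```

Feed it the output of show configuration session captured from the device; a committed session is deliberately skipped, because once committed the running configuration, not the session, is what needs review.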
Related Commands
Command                      Description
clear configuration session  Deletes a configuration session and its contents.
clear session                Clears the contents of a configuration session or resets its access flag.
configure session            Creates or opens a session.
show conn
To display the connection state for the designated connection type, use the show conn command in
privileged EXEC mode. This command supports IPv4 and IPv6 addresses.
show conn [count | [all] [detail] [long] [state state_type] [protocol {tcp | udp | sctp}] [scansafe]
[address src_ip[-src_ip] [netmask mask]] [port src_port[-src_port]]
[address dest_ip[-dest_ip] [netmask mask]] [port dest_port[-dest_port]]
[user-identity | user [domain_nickname\]user_name | user-group
[domain_nickname\\]user_group_name] | security-group] [zone zone_name [zone zone_name]
[...]]
Syntax Description
address
    (Optional) Displays connections with the specified source or destination IP address.
all
    (Optional) Displays connections that are to the device or from the device, in addition to through-traffic connections.
count
    (Optional) Displays the number of active connections.
dest_ip
    (Optional) Specifies the destination IP address (IPv4 or IPv6). To specify a range, separate the IP addresses with a dash (-). For example: 10.1.1.1-10.1.1.5
dest_port
    (Optional) Specifies the destination port number. To specify a range, separate the port numbers with a dash (-). For example: 1000-2000
detail
    (Optional) Displays connections in detail, including translation type and interface information.
long
    (Optional) Displays connections in long format.
netmask mask
    (Optional) Specifies a subnet mask for use with the given IP address.
port
    (Optional) Displays connections with the specified source or destination port.
protocol {tcp | udp | sctp}
    (Optional) Specifies the connection protocol.
scansafe
    (Optional) Shows connections being forwarded to the Cloud Web Security server.
security-group
    (Optional) Specifies that all connections displayed belong to the specified security group.
src_ip
    (Optional) Specifies the source IP address (IPv4 or IPv6). To specify a range, separate the IP addresses with a dash (-). For example: 10.1.1.1-10.1.1.5
src_port
    (Optional) Specifies the source port number. To specify a range, separate the port numbers with a dash (-). For example: 1000-2000
state state_type
    (Optional) Specifies the connection state type. See Table 4-34 for a list of the keywords available for connection state types.
user [domain_nickname\]user_name
    (Optional) Specifies that all connections displayed belong to the specified user. When you do not include the domain_nickname argument, the ASA displays information for the user in the default domain.
user-group [domain_nickname\\]user_group_name
    (Optional) Specifies that all connections displayed belong to the specified user group. When you do not include the domain_nickname argument, the ASA displays information for the user group in the default domain.
user-identity
    (Optional) Specifies that the ASA display all connections for the Identity Firewall feature. When displaying the connections, the ASA displays the user name and IP address when it identifies a matching user. Similarly, the ASA displays the host name and an IP address when it identifies a matching host.
zone [zone_name]
    (Optional) Displays connections for a zone. The long and detail keywords show the primary interface on which the connection was built and the current interface used to forward the traffic.
Defaults
All through connections are shown by default. You need to use the all keyword to also view management
connections to the device.
Command Modes
The following table shows the modes in which you can enter the command:

Command Mode      Firewall Mode          Security Context
                  Routed   Transparent   Single   Multiple
                                                  Context   System
Privileged EXEC   • Yes    • Yes         • Yes    • Yes     —

Command History
Release                              Modification
7.0(8)/7.2(4)/8.0(4)                 The syntax was simplified to use source and destination concepts instead of “local” and “foreign.” In the new syntax, the source address is the first address entered and the destination is the second address. The old syntax used keywords like foreign and fport to determine the destination address and port.
7.2(5)/8.0(5)/8.1(2)/8.2(4)/8.3(2)   The tcp_embryonic state type was added. This type shows all TCP connections with the i flag (incomplete connections); i flag connections for UDP are not shown.
8.2(1)                               The b flag was added for TCP state bypass.
8.4(2)                               The user-identity, user, and user-group keywords were added to support the Identity Firewall.
9.0(1)                               Support for clustering was added. We added the scansafe and security-group keywords.
9.3(2)                               The zone keyword was added.
9.5(2)                               The L flag was added for traffic subject to LISP flow-mobility.
9.5(2)                               The Q flag for detailed output was added for Diameter connections. The protocol sctp keyword was added. The o flag for detailed output was added for off-loaded flows.
Usage Guidelines
The show conn command displays the number of active TCP and UDP connections, and provides information about connections of various types. Use the show conn all command to see the entire table of connections.
Note
When the ASA creates a pinhole to allow secondary connections, this is shown as an incomplete conn by the show conn command. To clear this incomplete conn, use the clear conn command.
The connection types that you can specify using the show conn state command are defined in
Table 4-34. When specifying multiple connection types, use commas without spaces to separate the
keywords.
Table 4-34  Connection State Types
Keyword              Connection Type Displayed
up                   Connections in the up state.
conn_inbound         Inbound connections.
ctiqbe               CTIQBE connections.
data_in              Inbound data connections.
data_out             Outbound data connections.
finin                FIN inbound connections.
finout               FIN outbound connections.
h225                 H.225 connections.
h323                 H.323 connections.
http_get             HTTP get connections.
mgcp                 MGCP connections.
nojava               Connections that deny access to Java applets.
rpc                  RPC connections.
service_module       Connections being scanned by an SSM.
sip                  SIP connections.
skinny               SCCP connections.
smtp_data            SMTP mail data connections.
sqlnet_fixup_data    SQL*Net data inspection engine connections.
tcp_embryonic        TCP embryonic connections.
vpn_orphan           Orphaned VPN tunneled flows.
When you use the detail option, the system displays information about the translation type and interface
information using the connection flags defined in Table 4-35.
Table 4-35  Connection Flags
Flag   Description
a      awaiting outside ACK to SYN
A      awaiting inside ACK to SYN
b      TCP state bypass
B      initial SYN from outside
C      Computer Telephony Interface Quick Buffer Encoding (CTIQBE) media connection
d      dump
D      DNS
E      outside back connection. This is a secondary data connection that must be initiated from the outside host. For example, using FTP, after the inside client issues the PORT command and the outside server accepts, the ASA preallocates an outside back connection with this flag set. If the inside client attempts to connect back to the server, then the ASA denies this connection attempt. Only the outside server can use the preallocated secondary connection.
f      inside FIN
F      outside FIN
g      Media Gateway Control Protocol (MGCP) connection
G      connection is part of a group (see note 1)
h      H.225
H      H.323
i      incomplete TCP or UDP connection
I      inbound data
k      Skinny Client Control Protocol (SCCP) media connection
K      GTP t3-response
L      traffic subject to LISP flow-mobility
m      SIP media connection
M      SMTP data
o      off-loaded flow
O      outbound data
p      replicated (unused)
P      inside back connection. This is a secondary data connection that must be initiated from the inside host. For example, using FTP, after the inside client issues the PASV command and the outside server accepts, the ASA preallocates an inside back connection with this flag set. If the outside server attempts to connect back to the client, then the ASA denies this connection attempt. Only the inside client can use the preallocated secondary connection.
q      SQL*Net data
Q      Diameter connection
r      inside acknowledged FIN
R      outside acknowledged FIN for TCP connection
R      UDP RPC (see note 2)
s      awaiting outside SYN
S      awaiting inside SYN
t      SIP transient connection (see note 3)
T      SIP connection (see note 4)
U      up
V      VPN orphan
W      WAAS
X      Inspected by the service module, such as a CSC SSM.
y      For clustering, identifies a backup owner flow.
Y      For clustering, identifies a director flow.
z      For clustering, identifies a forwarder flow.
Z      Cloud Web Security
1. The G flag indicates the connection is part of a group. It is set by the GRE and FTP Strict inspections to designate the control connection and all its associated secondary connections. If the control connection terminates, then all associated secondary connections are also terminated.
2. Because each row of show conn command output represents one connection (TCP or UDP), there will be only one R flag per row.
3. For UDP connections, the value t indicates that the connection will time out after one minute.
4. For UDP connections, the value T indicates that the connection will time out according to the value specified using the timeout sip command.
Note
For connections using a DNS server, the source port of the connection may be replaced by the IP address of the DNS server in the show conn command output.
A single connection is created for multiple DNS sessions, as long as they are between the same two
hosts, and the sessions have the same 5-tuple (source/destination IP address, source/destination port, and
protocol). DNS identification is tracked by app_id, and the idle timer for each app_id runs
independently.
Because the app_id expires independently, a legitimate DNS response can only pass through the ASA
within a limited period of time and there is no resource build-up. However, when you enter the show
conn command, you will see the idle timer of a DNS connection being reset by a new DNS session. This
is due to the nature of the shared DNS connection and is by design.
Note
When there is no TCP traffic for the period of inactivity defined by the timeout conn command (by
default, 1:00:00), the connection is closed and the corresponding conn flag entries are no longer
displayed.
If a LAN-to-LAN/Network-Extension Mode tunnel drops and does not come back, there might be a
number of orphaned tunnel flows. These flows are not torn down as a result of the tunnel going down,
but all the data attempting to flow through them is dropped. The show conn command output shows
these orphaned flows with the V flag.
When the following TCP connection directionality flags are applied to connections between same-security interfaces (see the same-security permit command), the direction in the flag is not relevant because for same-security interfaces, there is no “inside” or “outside.” Because the ASA has to use these flags for same-security connections, the ASA may choose one flag over another (for example, f vs. F) based on other connection characteristics, but you should ignore the directionality chosen.
• B—Initial SYN from outside
• a—Awaiting outside ACK to SYN
• A—Awaiting inside ACK to SYN
• f—Inside FIN
• F—Outside FIN
• s—Awaiting outside SYN
• S—Awaiting inside SYN
To display information for a specific connection, include the security-group keyword and specify a
security group table value or security group name for both the source and destination of the connection.
The ASA displays the connection matching the specific security group table values or security group
names.
When you specify the security-group keyword without specifying a source and destination security
group table value or a source and destination security group name, the ASA displays data for all SXP
connections.
The ASA displays the connection data in the format security_group_name (SGT_value) or just as the
SGT_value when the security group name is unknown.
Note
Security group data is not available for stub connections because stub connections do not go through the slow path. Stub connections maintain only the information necessary to forward packets to the owner of the connection.
You can specify a single security group name to display all connections in a cluster; for example, the
following example displays connections matching security-group mktg in all units of the cluster:
ciscoasa# show cluster conn security-group name mktg
Examples
When specifying multiple connection types, use commas without spaces to separate the keywords. The
following example displays information about RPC, H.323, and SIP connections in the Up state:
ciscoasa# show conn state up,rpc,h323,sip
The following is sample output from the show conn count command:
ciscoasa# show conn count
54 in use, 123 most used
The following is sample output from the show conn command. This example shows a TCP session
connection from inside host 10.1.1.15 to the outside Telnet server at 10.10.49.10. Because there is no B
flag, the connection is initiated from the inside. The “U”, “I”, and “O” flags denote that the connection
is active and has received inbound and outbound data.
ciscoasa# show conn
54 in use, 123 most used
TCP out 10.10.49.10:23 in 10.1.1.15:1026 idle 0:00:22, bytes 1774, flags UIO
UDP out 10.10.49.10:31649 in 10.1.1.15:1028 idle 0:00:14, bytes 0, flags D
TCP dmz 10.10.10.50:50026 inside 192.168.1.22:5060, idle 0:00:24, bytes 1940435, flags UTIOB
TCP dmz 10.10.10.50:49764 inside 192.168.1.21:5060, idle 0:00:42, bytes 2328346, flags UTIOB
TCP dmz 10.10.10.51:50196 inside 192.168.1.22:2000, idle 0:00:04, bytes 31464, flags UIB
TCP dmz 10.10.10.51:52738 inside 192.168.1.21:2000, idle 0:00:09, bytes 129156, flags UIOB
TCP dmz 10.10.10.50:49764 inside 192.168.1.21:0, idle 0:00:42, bytes 0, flags Ti
TCP outside 192.168.1.10(20.20.20.24):49736 inside 192.168.1.21:0, idle 0:01:32, bytes 0, flags Ti
TCP dmz 10.10.10.50:50026 inside 192.168.1.22:0, idle 0:00:24, bytes 0, flags Ti
TCP outside 192.168.1.10(20.20.20.24):50663 inside 192.168.1.22:0, idle 0:01:34, bytes 0, flags Ti
TCP dmz 10.10.10.50:50026 inside 192.168.1.22:0, idle 0:02:24, bytes 0, flags Ti
TCP outside 192.168.1.10(20.20.20.24):50663 inside 192.168.1.22:0, idle 0:03:34, bytes 0, flags Ti
TCP dmz 10.10.10.50:50026 inside 192.168.1.22:0, idle 0:04:24, bytes 0, flags Ti
TCP outside 192.168.1.10(20.20.20.24):50663 inside 192.168.1.22:0, idle 0:05:34, bytes 0, flags Ti
TCP dmz 10.10.10.50:50026 inside 192.168.1.22:0, idle 0:06:24, bytes 0, flags Ti
TCP outside 192.168.1.10(20.20.20.24):50663 inside 192.168.1.22:0, idle 0:07:34, bytes 0, flags Ti
The following is sample output from the show conn command, which includes the “X” flag to indicate that the connection is being scanned by the SSM.
ciscoasa# show conn address 10.0.0.122 state service_module
TCP out 10.1.0.121:22 in 10.0.0.122:34446 idle 0:00:03, bytes 2733, flags UIOX
The following is sample output from the show conn detail command. This example shows a UDP
connection from outside host 10.10.49.10 to inside host 10.1.1.15. The D flag denotes that this is a DNS
connection. The number 1028 is the DNS ID over the connection.
ciscoasa# show conn detail
54 in use, 123 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, b - TCP state-bypass or nailed,
C - CTIQBE media, c - cluster centralized,
D - DNS, d - dump, E - outside back connection, e - semi-distributed,
F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
k - Skinny media, L - LISP triggered flow owner mobility,
M - SMTP data, m - SIP media, n - GUP
O - outbound data, o - offloaded,
P - inside back connection,
Q - Diameter, q - SQL*Net data,
R - outside acknowledged FIN,
R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
V - VPN orphan, W - WAAS,
w - secondary domain backup,
X - inspected by service module,
x - per session, Y - director stub flow, y - backup stub flow,
Z - Scansafe redirection, z - forwarding stub flow
TCP outside:10.10.49.10/23 inside:10.1.1.15/1026,
flags UIO, idle 39s, uptime 1D19h, timeout 1h0m, bytes 1940435
UDP outside:10.10.49.10/31649 inside:10.1.1.15/1028,
flags dD, idle 39s, uptime 1D19h, timeout 1h0m, bytes 1940435
TCP dmz:10.10.10.50/50026 inside:192.168.1.22/5060,
flags UTIOB, idle 39s, uptime 1D19h, timeout 1h0m, bytes 1940435
TCP dmz:10.10.10.50/49764 inside:192.168.1.21/5060,
flags UTIOB, idle 56s, uptime 1D19h, timeout 1h0m, bytes 2328346
TCP dmz:10.10.10.51/50196 inside:192.168.1.22/2000,
flags UIB, idle 18s, uptime 1D19h, timeout 1h0m, bytes 31464
TCP dmz:10.10.10.51/52738 inside:192.168.1.21/2000,
flags UIOB, idle 23s, uptime 1D19h, timeout 1h0m, bytes 129156
TCP outside:10.132.64.166/52510 inside:192.168.1.35/2000,
flags UIOB, idle 3s, uptime 1D21h, timeout 1h0m, bytes 357405
TCP outside:10.132.64.81/5321 inside:192.168.1.22/5060,
flags UTIOB, idle 1m48s, uptime 1D21h, timeout 1h0m, bytes 2083129
TCP outside:10.132.64.81/5320 inside:192.168.1.21/5060,
flags UTIOB, idle 1m46s, uptime 1D21h, timeout 1h0m, bytes 2500529
TCP outside:10.132.64.81/5319 inside:192.168.1.22/2000,
flags UIOB, idle 31s, uptime 1D21h, timeout 1h0m, bytes 32718
TCP outside:10.132.64.81/5315 inside:192.168.1.21/2000,
flags UIOB, idle 14s, uptime 1D21h, timeout 1h0m, bytes 358694
TCP outside:10.132.64.80/52596 inside:192.168.1.22/2000,
flags UIOB, idle 8s, uptime 1D21h, timeout 1h0m, bytes 32742
TCP outside:10.132.64.80/52834 inside:192.168.1.21/2000,
flags UIOB, idle 6s, uptime 1D21h, timeout 1h0m, bytes 358582
TCP outside:10.132.64.167/50250 inside:192.168.1.35/2000,
flags UIOB, idle 26s, uptime 1D21h, timeout 1h0m, bytes 375617
The following is sample output from the show conn command when an orphan flow exists, as indicated
by the V flag:
ciscoasa# show conn
16 in use, 19 most used
TCP out 192.168.110.251:7393 in 192.168.150.252:21 idle 0:00:00, bytes 1048, flags UOVB
TCP out 192.168.110.251:21137 in 192.168.150.252:21 idle 0:00:00, bytes 1048, flags UIOB
To limit the report to those connections that have orphan flows, add the vpn_orphan option to the show
conn state command, as in the following example:
ciscoasa# show conn state vpn_orphan
14 in use, 19 most used
TCP out 192.168.110.251:7393 in 192.168.150.252:5013, idle 0:00:00, bytes 2841019, flags UOVB
For clustering, to troubleshoot the connection flow, first see connections on all units by entering the cluster exec show conn command on the master unit. Look for flows that have the following flags: director (Y), backup (y), and forwarder (z). The following example shows an SSH connection between the inside host 192.168.103.131:44727 and the outside SSH server 172.18.124.187:22 on all three ASAs; ASA1 has the z flag showing it is a forwarder for the connection, ASA3 has the Y flag showing it is the director for the connection, and ASA2 has no special flags showing it is the owner. In the outbound direction, the packets for this connection enter the inside interface on ASA2 and exit the outside interface. In the inbound direction, the packets for this connection enter the outside interface on ASA1 and ASA3, are forwarded over the cluster control link to ASA2, and then exit the inside interface on ASA2.
ciscoasa/ASA1/master# cluster exec show conn
ASA1(LOCAL):**********************************************************
18 in use, 22 most used
Cluster stub connections: 0 in use, 5 most used
TCP outside 172.18.124.187:22 inside 192.168.103.131:44727, idle 0:00:00, bytes 37240828, flags z
ASA2:*****************************************************************
12 in use, 13 most used
Cluster stub connections: 0 in use, 46 most used
TCP outside 172.18.124.187:22 inside 192.168.103.131:44727, idle 0:00:00, bytes 37240828, flags UIO
ASA3:*****************************************************************
10 in use, 12 most used
Cluster stub connections: 2 in use, 29 most used
TCP outside 172.18.124.187:22 inside 192.168.103.131:44727, idle 0:00:03, bytes 0, flags Y
The output of show conn detail on ASA2 shows that the most recent forwarder was ASA1:
ciscoasa/ASA2/slave# show conn detail
12 in use, 13 most used
Cluster stub connections: 0 in use, 46 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, b - TCP state-bypass or nailed,
C - CTIQBE media, c - cluster centralized,
D - DNS, d - dump, E - outside back connection, e - semi-distributed,
F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
k - Skinny media, L - LISP triggered flow owner mobility,
M - SMTP data, m - SIP media, n - GUP
O - outbound data, o - offloaded,
P - inside back connection,
Q - Diameter, q - SQL*Net data,
R - outside acknowledged FIN,
R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
V - VPN orphan, W - WAAS,
w - secondary domain backup,
X - inspected by service module,
x - per session, Y - director stub flow, y - backup stub flow,
Z - Scansafe redirection, z - forwarding stub flow
TCP outside: 172.18.124.187/22 inside: 192.168.103.131/44727,
flags UIO , idle 0s, uptime 25s, timeout 1h0m, bytes 1036044, cluster sent/rcvd bytes 0/1032983, cluster sent/rcvd total bytes 0/1080779, owners (1,255)
Traffic received at interface outside
Locally received: 0 (0 byte/s)
From most recent forwarder ASA1: 1032983 (41319 byte/s)
Traffic received at interface inside
Locally received: 3061 (122 byte/s)
The following examples show how to display connections for the Identity Firewall feature:
ciscoasa# show conn user-identity
1219 in use, 1904 most used
UDP inside (www.yahoo.com)10.0.0.2:1587 outside (user1)192.0.0.2:30000, idle 0:00:00, bytes 10, flags -
UDP inside (www.yahoo.com)10.0.0.2:1586 outside (user2)192.0.0.1:30000, idle 0:00:00, bytes 10, flags -
UDP inside 10.0.0.34:1586 outside 192.0.0.25:30000, idle 0:00:00, bytes 10, flags -
…
ciscoasa# show conn user user1
2 in use
UDP inside (www.yahoo.com)10.0.0.2:1587 outside (user1)192.0.0.2:30000, idle 0:00:00, bytes 10, flags -
See the following output for the show conn long zone command:
ciscoasa# show conn long zone zone-inside zone zone-outside
TCP outside-zone:outside1(outside2): 10.122.122.1:1080 inside-zone:inside1(inside2): 10.121.121.1:34254, idle 0:00:02, bytes 10, flags UO
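Reading flags by eye across a few thousand rows does not scale during an incident. The following Python is an added example written for this page, not Cisco code and not part of the command reference: it parses the IPv4 short-format rows shown in the examples above, expands the flag letters using Table 4-35, and groups the connections an analyst wants first: VPN orphans (V), TCP state-bypass flows (b), incomplete pinholes (i), and TCP connections initiated from outside (B) that never reached the up state (U), counted per target socket. The sample rows are constructed after the examples above; the 203.0.113.7 and 198.51.100.9 hosts, their flag combinations, and the lower-port-is-server heuristic in target() are assumptions.

```python
"""Triage Cisco ASA `show conn` short-format output by connection flag.

Added example, not code from the Cisco reference. SAMPLE is constructed after
the reference's own examples; the 203.0.113.7 and 198.51.100.9 rows and the
lower-port-is-server heuristic in target() are assumptions.
"""
import re
from collections import Counter, namedtuple

# Flag letters and meanings copied from Table 4-35 (the subset used here).
FLAG_MEANINGS = {
    "U": "up", "I": "inbound data", "O": "outbound data", "B": "initial SYN from outside",
    "i": "incomplete TCP or UDP connection", "b": "TCP state bypass", "V": "VPN orphan",
    "T": "SIP connection", "t": "SIP transient connection", "D": "DNS", "d": "dump",
    "a": "awaiting outside ACK to SYN", "A": "awaiting inside ACK to SYN",
    "s": "awaiting outside SYN", "S": "awaiting inside SYN", "f": "inside FIN", "F": "outside FIN",
    "Y": "cluster director flow", "y": "cluster backup owner flow", "z": "cluster forwarder flow",
}

# One IPv4 short-format row in either spelling the reference prints, e.g.
#   TCP out 10.10.49.10:23 in 10.1.1.15:1026 idle 0:00:22, bytes 1774, flags UIO
#   TCP outside 192.168.1.10(20.20.20.24):49736 inside 192.168.1.21:0, idle 0:01:32, bytes 0, flags Ti
# An Identity Firewall "(user)" label before an address is accepted and dropped;
# a "(mapped)" NAT address after the real one is kept.
ROW_RE = re.compile(
    r"^(?P<proto>TCP|UDP|SCTP)\s+"
    r"(?P<left_if>\S+)\s+(?:\([^)]*\))?(?P<left>[0-9.]+)(?:\((?P<left_mapped>[0-9.]+)\))?:(?P<lport>\d+)\s+"
    r"(?P<right_if>\S+)\s+(?:\([^)]*\))?(?P<right>[0-9.]+)(?:\((?P<right_mapped>[0-9.]+)\))?:(?P<rport>\d+),?\s+"
    r"idle\s+(?P<idle>\d+:\d\d:\d\d),\s+bytes\s+(?P<nbytes>\d+),\s+flags\s*(?P<flags>\S*)$"
)

Conn = namedtuple("Conn", "proto left_if left_addr left_mapped left_port "
                          "right_if right_addr right_mapped right_port idle_s nbytes flags")

def _hms_to_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def parse_show_conn(text):
    """One Conn per row matching ROW_RE. The "N in use" header, the detail-format
    flag legend and wrapped continuation fragments do not match and are skipped."""
    conns = []
    for raw in text.splitlines():
        m = ROW_RE.match(raw.strip())
        if not m:
            continue
        flags = frozenset(m.group("flags").replace("-", ""))  # "flags -" means none set
        conns.append(Conn(
            m.group("proto"),
            m.group("left_if"), m.group("left"), m.group("left_mapped"), int(m.group("lport")),
            m.group("right_if"), m.group("right"), m.group("right_mapped"), int(m.group("rport")),
            _hms_to_seconds(m.group("idle")), int(m.group("nbytes")), flags))
    return conns

def describe_flags(flags):
    """Expand a flag set such as {'U','I','O','B'} into Table 4-35 wording."""
    return [FLAG_MEANINGS.get(f, "unknown flag %r" % f) for f in sorted(flags)]

def target(c):
    """Heuristic (assumption): the end with the lower port is the server being reached."""
    return (c.left_addr, c.left_port) if c.left_port <= c.right_port else (c.right_addr, c.right_port)

def triage(conns):
    """Bucket connections by the flags that matter when reading the table under pressure."""
    out = {"vpn_orphan": [], "state_bypass": [], "pinhole": [], "half_open_from_outside": []}
    for c in conns:
        if "V" in c.flags:   # tunnel went away; packets through these flows are dropped
            out["vpn_orphan"].append(c)
        if "b" in c.flags:   # TCP state bypass: no handshake or sequence checks on this flow
            out["state_bypass"].append(c)
        if "i" in c.flags:   # inspection pinhole or unfinished handshake
            out["pinhole"].append(c)
        if c.proto == "TCP" and "B" in c.flags and "U" not in c.flags:
            out["half_open_from_outside"].append(c)   # SYN from outside, never reached up
    # Half-open inbound connections piling up on one socket is what a SYN flood
    # or a port scan looks like in this table.
    out["half_open_targets"] = Counter(target(c) for c in out["half_open_from_outside"])
    return out

# Constructed sample modeled on the reference output; not a real capture.
SAMPLE = """\
54 in use, 123 most used
TCP out 10.10.49.10:23 in 10.1.1.15:1026 idle 0:00:22, bytes 1774, flags UIO
UDP out 10.10.49.10:31649 in 10.1.1.15:1028 idle 0:00:14, bytes 0, flags D
TCP dmz 10.10.10.50:50026 inside 192.168.1.22:5060, idle 0:00:24, bytes 1940435, flags UTIOB
TCP dmz 10.10.10.50:50026 inside 192.168.1.22:0, idle 0:00:24, bytes 0, flags Ti
TCP outside 192.168.1.10(20.20.20.24):49736 inside 192.168.1.21:0, idle 0:01:32, bytes 0, flags Ti
TCP out 192.168.110.251:7393 in 192.168.150.252:21 idle 0:00:00, bytes 1048, flags UOVB
TCP outside 203.0.113.7:40001 inside 192.168.1.40:443, idle 0:00:03, bytes 0, flags aB
TCP outside 203.0.113.7:40002 inside 192.168.1.40:443, idle 0:00:03, bytes 0, flags aB
TCP outside 203.0.113.7:40003 inside 192.168.1.40:443, idle 0:00:02, bytes 0, flags aB
TCP outside 198.51.100.9:5555 inside 192.168.1.50:3389, idle 0:10:00, bytes 9000, flags UIOb
UDP inside (www.yahoo.com)10.0.0.2:1587 outside (user1)192.0.0.2:30000, idle 0:00:00, bytes 10, flags -
"""

if __name__ == "__main__":
    report = triage(parse_show_conn(SAMPLE))
    for bucket in ("vpn_orphan", "state_bypass", "pinhole", "half_open_from_outside"):
        for c in report[bucket]:
            print(bucket, c.proto, "%s:%d -> %s:%d" % (c.left_addr, c.left_port, c.right_addr, c.right_port),
                  "|", ", ".join(describe_flags(c.flags)))
    for (addr, port), n in report["half_open_targets"].most_common():
        print("half-open inbound to %s:%d: %d" % (addr, port, n))
```

Paste the output of show conn (or cluster exec show conn, whose per-unit banners simply fail to match and are skipped) in place of SAMPLE. The SIP pinholes with flags Ti land in the pinhole bucket because that is what the i flag means; they are expected while the signalling connection is up, which is why the half-open bucket is keyed on B without U rather than on i alone.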
Related Commands
Command      Description
clear conn   Clears connections.
show console-output
To display the currently captured console output, use the show console-output command in privileged
EXEC mode.
show console-output
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

Command Mode      Firewall Mode          Security Context
                  Routed   Transparent   Single   Multiple
                                                  Context   System
Privileged EXEC   • Yes    • Yes         • Yes    • Yes     • Yes

Command History
Release   Modification
7.0(1)    This command was added.
Examples
The following is sample output from the show console-output command, which displays the following
message when there is no console output:
ciscoasa# show console-output
Sorry, there are no messages to display
Related Commands
Command                              Description
clear configure console              Restores the default console connection settings.
clear configure timeout              Restores the default idle time durations in the configuration.
console timeout                      Sets the idle timeout for a console connection to the ASA.
show running-config console timeout  Displays the idle timeout for a console connection to the ASA.
show context
To show context information including allocated interfaces and the configuration file URL, the number
of contexts configured, or from the system execution space, a list of all contexts, use the show context
command in privileged EXEC mode.
show context [name | detail | count]
Syntax Description
count
    (Optional) Shows the number of contexts configured.
detail
    (Optional) Shows additional detail about the context(s) including the running state and information for internal use.
name
    (Optional) Sets the context name. If you do not specify a name, the ASA displays all contexts. Within a context, you can only enter the current context name.
Defaults
In the system execution space, the ASA displays all contexts if you do not specify a name.
Command Modes
The following table shows the modes in which you can enter the command:

Command Mode      Firewall Mode          Security Context
                  Routed   Transparent   Single   Multiple
                                                  Context   System
Privileged EXEC   • Yes    • Yes         —        • Yes     • Yes

Command History
Release   Modification
7.0(1)    This command was added.
8.0(2)    Information about assigned IPS virtual sensors was added.
Usage Guidelines
See the “Examples” section for a description of the display output.
Examples
The following is sample output from the show context command. The following sample display shows
three contexts:
ciscoasa# show context
Context Name      Interfaces                  URL
*admin            GigabitEthernet0/1.100      flash:/admin.cfg
                  GigabitEthernet0/1.101
contexta          GigabitEthernet0/1.200      flash:/contexta.cfg
                  GigabitEthernet0/1.201
contextb          GigabitEthernet0/1.300      flash:/contextb.cfg
                  GigabitEthernet0/1.301
Total active Security Contexts: 3
Table 4-36 shows each field description.
Table 4-36  show context Fields
Field          Description
Context Name   Lists all context names. The context name with the asterisk (*) is the admin context.
Interfaces     The interfaces assigned to the context.
URL            The URL from which the ASA loads the context configuration.
The following is sample output from the show context detail command in the system execution space:
ciscoasa# show context detail
Context "admin", has been created, but initial ACL rules not complete
Config URL: flash:/admin.cfg
Real Interfaces: Management0/0
Mapped Interfaces: Management0/0
Real IPS Sensors: ips1, ips2
Mapped IPS Sensors: highsec, lowsec
Flags: 0x00000013, ID: 1
Context "ctx", has been created, but initial ACL rules not complete
Config URL: ctx.cfg
Real Interfaces: GigabitEthernet0/0.10, GigabitEthernet0/1.20,
GigabitEthernet0/2.30
Mapped Interfaces: int1, int2, int3
Real IPS Sensors: ips1, ips3
Mapped IPS Sensors: highsec, lowsec
Flags: 0x00000011, ID: 2
Context "system", is a system resource
Config URL: startup-config
Real Interfaces:
Mapped Interfaces: Control0/0, GigabitEthernet0/0,
GigabitEthernet0/0.10, GigabitEthernet0/1, GigabitEthernet0/1.10,
GigabitEthernet0/1.20, GigabitEthernet0/2, GigabitEthernet0/2.30,
GigabitEthernet0/3, Management0/0, Management0/0.1
Flags: 0x00000019, ID: 257
Context "null", is a system resource
Config URL: ... null ...
Real Interfaces:
Mapped Interfaces:
Flags: 0x00000009, ID: 258
Table 4-37 shows each field description.
Table 4-37  Context States
Context
    The context name. The null context information is for internal use only. The system context represents the system execution space.
State Message
    The context state. The possible messages are:
    Has been created, but initial ACL rules not complete
        The ASA parsed the configuration but has not yet downloaded the default ACLs to establish the default security policy. The default security policy applies to all contexts initially, and includes disallowing traffic from lower security levels to higher security levels, enabling application inspection, and other parameters. This security policy ensures that no traffic can pass through the ASA after the configuration is parsed but before the configuration ACLs are compiled. You are unlikely to see this state because the configuration ACLs are compiled very quickly.
    Has been created, but not initialized
        You entered the context name command, but have not yet entered the config-url command.
    Has been created, but the config hasn’t been parsed
        The default ACLs were downloaded, but the ASA has not parsed the configuration. This state might exist because the configuration download might have failed because of network connectivity issues, or you have not yet entered the config-url command. To reload the configuration, from within the context, enter copy startup-config running-config. From the system, reenter the config-url command. Alternatively, you can start configuring the blank running configuration.
    Is a system resource
        This state applies only to the system execution space and to the null context. The null context is used by the system, and the information is for internal use only.
    Is a zombie
        You deleted the context using the no context or clear context command, but the context information persists in memory until the ASA reuses the context ID for a new context, or you restart.
    Is active
        This context is currently running and can pass traffic according to the context configuration security policy.
    Is ADMIN and active
        This context is the admin context and is currently running.
    Was a former ADMIN, but is now a zombie
        You deleted the admin context using the clear configure context command, but the context information persists in memory until the ASA reuses the context ID for a new context, or you restart.
Real Interfaces
    The interfaces assigned to the context. If you mapped the interface IDs in the allocate-interface command, this display shows the real name of the interface.
Mapped Interfaces
    If you mapped the interface IDs in the allocate-interface command, this display shows the mapped names. If you did not map the interfaces, the display lists the real names again.
Real IPS Sensors
    The IPS virtual sensors assigned to the context if you have an AIP SSM installed. If you mapped the sensor names in the allocate-ips command, this display shows the real name of the sensor.
Mapped IPS Sensors
    If you mapped the sensor names in the allocate-ips command, this display shows the mapped names. If you did not map the sensor names, the display lists the real names again.
Flag
    For internal use only.
ID
    An internal ID for this context.
The following is sample output from the show context count command:
ciscoasa# show context count
Total active contexts: 2
Related Commands
Command              Description
admin-context        Sets the admin context.
allocate-interface   Assigns interfaces to a context.
changeto             Changes between contexts or the system execution space.
config-url           Specifies the location of the context configuration.
context              Creates a security context in the system configuration and enters context configuration mode.
show controller
To view controller-specific information of all interfaces present, use the show controller command in
privileged EXEC mode.
show controller [slot] [physical_interface] [pci [bridge [bridge-id [port-num]]]] [detail]
Syntax Description
bridge               (Optional) Displays PCI bridge-specific information for the ASA 5585-X.
bridge-id            (Optional) Displays each unique PCI bridge identifier for the ASA 5585-X.
detail               (Optional) Shows additional detail about the controller.
pci                  (Optional) Displays a summary of PCI devices along with their first 256 bytes of PCI configuration space for the ASA 5585-X.
physical_interface   (Optional) Identifies the interface ID.
port-num             (Optional) Displays the unique port number within each PCI bridge for the ASA 5585-X.
slot                 (Optional) Displays PCI-e bus and slot information for the ASA 5580 only.
Defaults
If you do not identify an interface, this command shows information for all interfaces.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode      Firewall Mode         Security Context
                  Routed   Transparent  Single   Multiple Context   Multiple System
Privileged EXEC   Yes      Yes          Yes      Yes                Yes
Command History
Release   Modification
7.2(1)    This command was added.
8.0(2)    This command now applies to all platforms, and not just the ASA 5505. The detail keyword was added.
8.1(1)    The slot keyword was added for the ASA 5580.
8.2(5)    The pci, bridge, bridge-id, and port-num options were added for the ASA 5585-X with an IPS SSP installed. In addition, support for sending pause frames to enable flow control on 1 GigabitEthernet interfaces has been added for all ASA models.
8.6(1)    Support was added for the detail keyword for the ASA 5512-X through ASA 5555-X Internal-Control0/0 interface, used for control traffic between the ASA and the software module, and for the Internal-Data0/1 interface used for data traffic to the ASA and the software module.
Usage Guidelines
This command helps Cisco TAC gather debug information about the controller when investigating internal and customer-found defects. The actual output depends on the model and Ethernet controller.
The command also displays information about all the PCI bridges of interest in the ASA 5585-X with an IPS SSP installed. For the ASA Services Module, the show controller command output does not show any PCIe slot information.
Examples
The following is sample output from the show controller command:
ciscoasa# show controller
Ethernet0/0:
Marvell 88E6095 revision 2, switch port 7
PHY Register:
Control:       0x3000 Status:        0x786d
Identifier1:   0x0141 Identifier2:   0x0c85
Auto Neg:      0x01e1 LP Ability:    0x40a1
Auto Neg Ex:   0x0005 PHY Spec Ctrl: 0x0130
PHY Status:    0x4c00 PHY Intr En:   0x0400
Int Port Sum:  0x0000 Rcv Err Cnt:   0x0000
Led select:    0x1a34
Reg 29:        0x0003 Reg 30:        0x0000
Port Registers:
Status:        0x0907 PCS Ctrl:      0x0003
Identifier:    0x0952 Port Ctrl:     0x0074
Port Ctrl-1:   0x0000 Vlan Map:      0x077f
VID and PRI:   0x0001 Port Ctrl-2:   0x0cc8
Rate Ctrl:     0x0000 Rate Ctrl-2:   0x3000
Port Asc Vt:   0x0080
In Discard Lo: 0x0000 In Discard Hi: 0x0000
In Filtered:   0x0000 Out Filtered:  0x0000
Global Registers:
Control:       0x0482
--------------------------------------------------------------------
Number of VLANs: 1
--------------------------------------------------------------------
Vlan[db]\Port| 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
--------------------------------------------------------------------
<0001[01]>   | EUT| EUT| EUT| EUT| EUT| EUT| EUT| EUT| EUM| NM | NM |
--------------------------------------------------------------------
....
Ethernet0/6:
Marvell 88E6095 revision 2, switch port 1
PHY Register:
Control:       0x3000 Status:        0x7849
Identifier1:   0x0141 Identifier2:   0x0c85
Auto Neg:      0x01e1 LP Ability:    0x0000
Auto Neg Ex:   0x0004 PHY Spec Ctrl: 0x8130
PHY Status:    0x0040 PHY Intr En:   0x8400
Int Port Sum:  0x0000 Rcv Err Cnt:   0x0000
Led select:    0x1a34
Reg 29:        0x0003 Reg 30:        0x0000
Port Registers:
Status:        0x0007 PCS Ctrl:      0x0003
Identifier:    0x0952 Port Ctrl:     0x0077
Port Ctrl-1:   0x0000 Vlan Map:      0x07fd
VID and PRI:   0x0001 Port Ctrl-2:   0x0cc8
Rate Ctrl:     0x0000 Rate Ctrl-2:   0x3000
Port Asc Vt:   0x0002
In Discard Lo: 0x0000 In Discard Hi: 0x0000
In Filtered:   0x0000 Out Filtered:  0x0000
----Inline power related counters and registers----
Power on fault: 0 Power off fault: 0
Detect enable fault: 0 Detect disable fault: 0
Faults: 0
Driver counters:
I2C Read Fail: 0
I2C Write Fail: 0
Resets: 1 Initialized: 1
PHY reset error: 0
LTC4259 registers:
INTRPT STATUS = 0x88 INTRPT MASK   = 0x00 POWER EVENT   = 0x00
DETECT EVENT  = 0x03 FAULT EVENT   = 0x00 TSTART EVENT  = 0x00
SUPPLY EVENT  = 0x02 PORT1 STATUS  = 0x06 PORT2 STATUS  = 0x06
PORT3 STATUS  = 0x00 PORT4 STATUS  = 0x00 POWER STATUS  = 0x00
OPERATE MODE  = 0x0f DISC. ENABLE  = 0x30 DT/CLASS ENBL = 0x33
TIMING CONFIG = 0x00 MISC. CONFIG  = 0x00
...
Internal-Data0/0:
Y88ACS06 Register settings:
rap             0xe0004000 = 0x00000000
ctrl_status     0xe0004004 = 0x5501064a
irq_src         0xe0004008 = 0x00000000
irq_msk         0xe000400c = 0x00000000
irq_hw_err_src  0xe0004010 = 0x00000000
irq_hw_err_msk  0xe0004014 = 0x00001000
bmu_cs_rxq      0xe0004060 = 0x002aaa80
bmu_cs_stxq     0xe0004068 = 0x01155540
bmu_cs_atxq     0xe000406c = 0x012aaa80
Bank 2: MAC address registers:
....
The following is sample output from the show controller detail command:
ciscoasa# show controller gigabitethernet0/0 detail
GigabitEthernet0/0:
Intel i82546GB revision 03
Main Registers:
Device Control:            0xf8260000 = 0x003c0249
Device Status:             0xf8260008 = 0x00003347
Extended Control:          0xf8260018 = 0x000000c0
RX Config:                 0xf8260180 = 0x0c000000
TX Config:                 0xf8260178 = 0x000001a0
RX Control:                0xf8260100 = 0x04408002
TX Control:                0xf8260400 = 0x000400fa
TX Inter Packet Gap:       0xf8260410 = 0x00602008
RX Filter Cntlr:           0xf8260150 = 0x00000000
RX Chksum:                 0xf8265000 = 0x00000300
RX Descriptor Registers:
RX Descriptor 0 Cntlr:     0xf8262828 = 0x00010000
RX Descriptor 0 AddrLo:    0xf8262800 = 0x01985000
RX Descriptor 0 AddrHi:    0xf8262804 = 0x00000000
RX Descriptor 0 Length:    0xf8262808 = 0x00001000
RX Descriptor 0 Head:      0xf8262810 = 0x00000000
RX Descriptor 0 Tail:      0xf8262818 = 0x000000ff
RX Descriptor 1 Cntlr:     0xf8262828 = 0x00010000
RX Descriptor 1 AddrLo:    0xf8260138 = 0x00000000
RX Descriptor 1 AddrHi:    0xf826013c = 0x00000000
RX Descriptor 1 Length:    0xf8260140 = 0x00000000
RX Descriptor 1 Head:      0xf8260148 = 0x00000000
RX Descriptor 1 Tail:      0xf8260150 = 0x00000000
TX Descriptor Registers:
TX Descriptor 0 Cntlr:     0xf8263828 = 0x00000000
TX Descriptor 0 AddrLo:    0xf8263800 = 0x01987000
TX Descriptor 0 AddrHi:    0xf8263804 = 0x00000000
TX Descriptor 0 Length:    0xf8263808 = 0x00001000
TX Descriptor 0 Head:      0xf8263810 = 0x00000000
TX Descriptor 0 Tail:      0xf8263818 = 0x00000000
RX Address Array:
Ethernet Address 0: 0012.d948.ef58
Ethernet Address 1: Not Valid!
Ethernet Address 2: Not Valid!
Ethernet Address 3: Not Valid!
Ethernet Address 4: Not Valid!
Ethernet Address 5: Not Valid!
Ethernet Address 6: Not Valid!
Ethernet Address 7: Not Valid!
Ethernet Address 8: Not Valid!
Ethernet Address 9: Not Valid!
Ethernet Address a: Not Valid!
Ethernet Address b: Not Valid!
Ethernet Address c: Not Valid!
Ethernet Address d: Not Valid!
Ethernet Address e: Not Valid!
Ethernet Address f: Not Valid!
PHY Registers:
Phy Control:               0x1140
Phy Status:                0x7969
Phy ID 1:                  0x0141
Phy ID 2:                  0x0c25
Phy Autoneg Advertise:     0x01e1
Phy Link Partner Ability:  0x41e1
Phy Autoneg Expansion:     0x0007
Phy Next Page TX:          0x2801
Phy Link Partnr Next Page: 0x0000
Phy 1000T Control:         0x0200
Phy 1000T Status:          0x4000
Phy Extended Status:       0x3000
Detailed Output - RX Descriptor Ring:
rx_bd[000]: baddr      = 0x019823A2, length = 0x0000, status  = 0x00
            pkt chksum = 0x0000,     errors = 0x00,   special = 0x0000
rx_bd[001]: baddr      = 0x01981A62, length = 0x0000, status  = 0x00
            pkt chksum = 0x0000,     errors = 0x00,   special = 0x0000
........
The following is sample output from the show controller detail command for the Internal interfaces on
the ASA 5512-X through ASA 5555-X:
ciscoasa# show controller detail
Internal-Control0/0:
ASA IPS/VM Back Plane TunTap Interface , port id 9
Major Configuration Parameters
Device Name           : en_vtun
Linux Tun/Tap Device  : /dev/net/tun/tap1
Num of Transmit Rings : 1
Num of Receive Rings  : 1
Ring Size             : 128
Max Frame Length      : 1550
Out of Buffer         : 0
Reset                 : 0
Drop                  : 0
Transmit Ring [0]:
tx_pkts_in_queue      : 0
tx_pkts               : 176
tx_bytes              : 9664
Receive Ring [0]:
rx_pkts_in_queue      : 0
rx_pkts               : 0
rx_bytes              : 0
rx_drops              : 0
Internal-Data0/1:
ASA IPS/VM Management Channel TunTap Interface , port id 9
Major Configuration Parameters
Device Name           : en_vtun
Linux Tun/Tap Device  : /dev/net/tun/tap2
Num of Transmit Rings : 1
Num of Receive Rings  : 1
Ring Size             : 128
Max Frame Length      : 1550
Out of Buffer         : 0
Reset                 : 0
Drop                  : 0
Transmit Ring [0]:
tx_pkts_in_queue      : 0
tx_pkts               : 176
tx_bytes              : 9664
Receive Ring [0]:
rx_pkts_in_queue      : 0
rx_pkts               : 0
rx_bytes              : 0
rx_drops              : 0
The following is sample output from the show controller slot command:
Slot   Card Description                                PCI-e Bandwidth Cap.
---    ----------------                                ---------------------
3.     ASA 5580 2 port 10GE SR Fiber Interface Card    Bus: x4, Card: x8
4.     ASA 5580 4 port GE Copper Interface Card        Bus: x4, Card: x4
5.     ASA 5580 2 port 10GE SR Fiber Interface Card    Bus: x8, Card: x8
6.     ASA 5580 4 port GE Fiber Interface Card         Bus: x4, Card: x4
7.     empty                                           Bus: x8
8.     empty                                           Bus: x8
The following is sample output from the show controller pci command:
ciscoasa# show controller pci
PCI Evaluation Log:
---------------------------------------------------------------------------
Empty
PCI Bus:Device.Function (hex): 00:00.0 Vendor ID: 0x8086 Device ID: 0x3406
---------------------------------------------------------------------------
PCI Configuration Space (hex):
0x00: 86 80 06 34 00 00 10 00 22 00 00 06 10 00 00 00
0x10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x20: 00 00 00 00 00 00 00 00 00 00 00 00 86 80 00 00
0x30: 00 00 00 00 60 00 00 00 00 00 00 00 05 01 00 00
0x40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x60: 05 90 02 01 00 00 00 00 00 00 00 00 00 00 00 00
0x70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x90: 10 e0 42 00 20 80 00 00 00 00 00 00 41 3c 3b 00
0xa0: 00 00 41 30 00 00 00 00 c0 07 00 01 00 00 00 00
0xb0: 00 00 00 00 3e 00 00 00 09 00 00 00 00 00 00 00
0xc0: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0xd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0xe0: 01 00 03 c8 08 00 00 00 00 00 00 00 00 00 00 00
0xf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Link Capabilities: x4, Gen1
Link Status: x4, Gen1
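Reading the 256-byte dump by hand is error-prone: the fields are little-endian, so the leading bytes 86 80 06 34 are Vendor ID 0x8086 and Device ID 0x3406, and the Link Capabilities/Link Status lines come from the PCI Express capability further down. The following Python example, added here and not part of Cisco's documentation or software, parses a dump in the format shown above into a 256-byte image, decodes the Type 0 header, walks the capability list with loop protection, and derives the link width and speed; the sample dump is transcribed from the output above, and the optional expected vendor/device pair is an assumed inventory check so that an unexpected device is flagged rather than silently accepted.

```python
import re

# Sample transcribed from the page's 'show controller pci' output for device 00:00.0.
SAMPLE_DUMP = """\
0x00: 86 80 06 34 00 00 10 00 22 00 00 06 10 00 00 00
0x10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x20: 00 00 00 00 00 00 00 00 00 00 00 00 86 80 00 00
0x30: 00 00 00 00 60 00 00 00 00 00 00 00 05 01 00 00
0x40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x60: 05 90 02 01 00 00 00 00 00 00 00 00 00 00 00 00
0x70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x90: 10 e0 42 00 20 80 00 00 00 00 00 00 41 3c 3b 00
0xa0: 00 00 41 30 00 00 00 00 c0 07 00 01 00 00 00 00
0xb0: 00 00 00 00 3e 00 00 00 09 00 00 00 00 00 00 00
0xc0: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0xd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0xe0: 01 00 03 c8 08 00 00 00 00 00 00 00 00 00 00 00
0xf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

SPEED_NAMES = {1: "Gen1", 2: "Gen2", 3: "Gen3", 4: "Gen4"}
CAP_NAMES = {0x01: "Power Management", 0x05: "MSI", 0x10: "PCI Express", 0x11: "MSI-X"}
_LINE = re.compile(r"^0x([0-9a-fA-F]{2}):((?:\s+[0-9a-fA-F]{2}){16})\s*$")


def parse_dump(text):
    """Turn the 16 'offset: 16 bytes' rows into a 256-byte configuration-space image."""
    cfg = bytearray(256)
    rows = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised dump line: {line!r}")
        off = int(m.group(1), 16)
        if off % 16 or off in rows:
            raise ValueError(f"bad or duplicate row offset 0x{off:02x}")
        rows.add(off)
        cfg[off:off + 16] = bytes.fromhex(m.group(2).replace(" ", ""))
    if len(rows) != 16:
        raise ValueError(f"expected 16 rows of 16 bytes, got {len(rows)}")
    return bytes(cfg)


def le16(cfg, off):
    return int.from_bytes(cfg[off:off + 2], "little")


def le32(cfg, off):
    return int.from_bytes(cfg[off:off + 4], "little")


def decode_header(cfg):
    """Type 0 header fields; status bit 4 says whether a capability list exists at 0x34."""
    return {
        "vendor_id": le16(cfg, 0x00),
        "device_id": le16(cfg, 0x02),
        "revision": cfg[0x08],
        "class_code": int.from_bytes(cfg[0x09:0x0c], "little"),  # prog-if, subclass, base class
        "header_type": cfg[0x0e] & 0x7f,
        "cap_ptr": cfg[0x34] if le16(cfg, 0x06) & 0x10 else 0,
    }


def walk_capabilities(cfg):
    """Follow the capability linked list; stop on a loop or a pointer into the header."""
    caps, visited = [], set()
    ptr = decode_header(cfg)["cap_ptr"] & 0xfc
    while ptr >= 0x40 and ptr not in visited:
        visited.add(ptr)
        caps.append((ptr, cfg[ptr]))
        ptr = cfg[ptr + 1] & 0xfc
    return caps


def decode_pcie_link(cfg, cap_off):
    """Link Capabilities (cap+0x0c) and Link Status (cap+0x12): bits 3:0 speed, 9:4 width."""
    def fmt(v):
        return f"x{(v >> 4) & 0x3f}, {SPEED_NAMES.get(v & 0xf, 'unknown')}"
    return {"link_capabilities": fmt(le32(cfg, cap_off + 0x0c)),
            "link_status": fmt(le16(cfg, cap_off + 0x12))}


def summarize(text, expected=None):
    """Decode one device dump; 'expected' is an assumed (vendor_id, device_id) from inventory."""
    cfg = parse_dump(text)
    info = decode_header(cfg)
    caps = walk_capabilities(cfg)
    info["capabilities"] = [(off, CAP_NAMES.get(cid, f"0x{cid:02x}")) for off, cid in caps]
    for off, cid in caps:
        if cid == 0x10:
            info.update(decode_pcie_link(cfg, off))
    if expected is not None:
        info["inventory_match"] = (info["vendor_id"], info["device_id"]) == tuple(expected)
    return info


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_DUMP, expected=(0x8086, 0x3406)).items():
        print(f"{key}: {value:#x}" if isinstance(value, int) else f"{key}: {value}")
```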
Related Commands
Command             Description
show interface      Shows the interface statistics.
show tech-support   Shows information so Cisco TAC can diagnose problems.
show coredump filesystem
To show the contents of the coredump filesystem, enter the show coredump filesystem command.
show coredump filesystem
Syntax Description
This command has no arguments or keywords.
Defaults
By default, coredumps are not enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode           Firewall Mode         Security Context
                       Routed   Transparent  Single   Multiple Context   Multiple System
Global configuration   Yes      Yes          Yes      Yes                —
Command History
Release   Modification
8.2(1)    This command was added.
Usage Guidelines
This command shows the contents of the coredump filesystem.
Examples
To show the contents of any recent coredumps generated, enter the show coredump filesystem
command.
ciscoasa(config)# show coredump filesystem
Coredump Filesystem Size is 100 MB
Filesystem type is FAT for disk0
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/loop0 102182 75240 26942 74% /mnt/disk0/coredumpfsys
Directory of disk0:/coredumpfsys/
246 -rwx 20205386 19:14:53 Nov 26 2008 core_lina.2008Nov26_191244.203.11.gz
247 -rwx 36707919 19:17:27 Nov 26 2008 core_lina.2008Nov26_191456.203.6.gz
Related Commands
Command                    Description
coredump enable            Enables the coredump feature.
clear configure coredump   Removes any coredumps currently stored on the coredump filesystem and clears the coredump log. Does not touch the coredump filesystem itself and does not change or affect the coredump configuration.
clear coredump             Removes any coredumps currently stored on the coredump filesystem and clears the coredump log. Does not touch the coredump filesystem itself and does not change or affect the coredump configuration.
show coredump log          Shows the coredump log.
show coredump log
To show the contents of the coredump log, newest first, enter the show coredump log command. To
show the contents of the coredump log, oldest first, enter the show coredump log reverse command.
show coredump log
show coredump log [reverse]
Syntax Description
reverse   Shows the coredump log, oldest first.
Defaults
By default, coredumps are not enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode           Firewall Mode         Security Context
                       Routed   Transparent  Single   Multiple Context   Multiple System
Global configuration   Yes      Yes          Yes      Yes                —
Command History
Release   Modification
8.2(1)    This command was added.
Usage Guidelines
This command displays the contents of the coredump log. The logs should reflect what is currently on
the disk.
Examples
The following example shows the output from these commands:
ciscoasa(config)# show coredump log
[ 1 ] Wed Feb 18 22:12:09 2009: Coredump completed for module 'lina', coredump file
'core_lina.2009Feb18_221032.203.6.gz', size 971722752 bytes, compressed size 21293688
[ 2 ] Wed Feb 18 22:11:01 2009: Filesystem full on 'disk0', removing module coredump
record 'core_lina.2009Feb18_213558.203.11.gz'
[ 3 ] Wed Feb 18 22:10:32 2009: Coredump started for module 'lina', generating coredump
file 'core_lina.2009Feb18_221032.203.6.gz' on 'disk0'
[ 4 ] Wed Feb 18 21:37:35 2009: Coredump completed for module 'lina', coredump file
'core_lina.2009Feb18_213558.203.11.gz', size 971722752 bytes, compressed size 21286383
[ 5 ] Wed Feb 18 21:35:58 2009: Coredump started for module 'lina', generating coredump
file 'core_lina.2009Feb18_213558.203.11.gz' on 'disk0'
Note
The older coredump file is deleted to make room for the new coredump. The ASA does this automatically when the coredump filesystem fills and room is needed for the current coredump. This is why it is imperative to archive coredumps as soon as possible, to ensure they are not overwritten in the event of a crash.
ciscoasa(config)# show coredump log reverse
[ 1 ] Wed Feb 18 21:35:58 2009: Coredump started for module 'lina', generating coredump
file 'core_lina.2009Feb18_213558.203.11.gz' on 'disk0'
[ 2 ] Wed Feb 18 21:37:35 2009: Coredump completed for module 'lina', coredump file
'core_lina.2009Feb18_213558.203.11.gz', size 971722752 bytes, compressed size 21286383
[ 3 ] Wed Feb 18 22:10:32 2009: Coredump started for module 'lina', generating coredump
file 'core_lina.2009Feb18_221032.203.6.gz' on 'disk0'
[ 4 ] Wed Feb 18 22:11:01 2009: Filesystem full on 'disk0', removing module coredump
record 'core_lina.2009Feb18_213558.203.11.gz'
[ 5 ] Wed Feb 18 22:12:09 2009: Coredump completed for module 'lina', coredump file
'core_lina.2009Feb18_221032.203.6.gz', size 971722752 bytes, compressed size 21293688
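The rotation the Note describes can be checked from the log itself. The following Python example, added here and not part of Cisco's documentation or software, parses log entries in the format shown above, replays them in time order (so it gives the same answer whether or not reverse was used), and reports which coredump files are still on the disk and need archiving, which the ASA removed, and which were started but never completed; the sample lines are transcribed from the output above with each wrapped entry joined onto one line.

```python
import re
from datetime import datetime

# Sample transcribed from the page's 'show coredump log' output (one entry per line).
SAMPLE_LOG = """\
[ 1 ] Wed Feb 18 22:12:09 2009: Coredump completed for module 'lina', coredump file 'core_lina.2009Feb18_221032.203.6.gz', size 971722752 bytes, compressed size 21293688
[ 2 ] Wed Feb 18 22:11:01 2009: Filesystem full on 'disk0', removing module coredump record 'core_lina.2009Feb18_213558.203.11.gz'
[ 3 ] Wed Feb 18 22:10:32 2009: Coredump started for module 'lina', generating coredump file 'core_lina.2009Feb18_221032.203.6.gz' on 'disk0'
[ 4 ] Wed Feb 18 21:37:35 2009: Coredump completed for module 'lina', coredump file 'core_lina.2009Feb18_213558.203.11.gz', size 971722752 bytes, compressed size 21286383
[ 5 ] Wed Feb 18 21:35:58 2009: Coredump started for module 'lina', generating coredump file 'core_lina.2009Feb18_213558.203.11.gz' on 'disk0'
"""

_ENTRY = re.compile(r"^\[\s*(\d+)\s*\]\s+(\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}):\s+(.*)$")
_STARTED = re.compile(r"Coredump started for module '([^']+)', generating coredump file '([^']+)' on '([^']+)'")
_COMPLETED = re.compile(r"Coredump completed for module '([^']+)', coredump file '([^']+)', "
                        r"size (\d+) bytes, compressed size (\d+)")
_REMOVED = re.compile(r"Filesystem full on '([^']+)', removing module coredump record '([^']+)'")


def parse_log(text):
    """Return one dict per entry, sorted oldest first regardless of the order the CLI printed."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue  # blank line or a wrapped continuation fragment; nothing to parse
        index, stamp, msg = m.groups()
        entry = {"index": int(index), "kind": "other", "file": None,
                 "time": datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")}
        if (hit := _STARTED.search(msg)):
            entry.update(kind="started", module=hit.group(1), file=hit.group(2), disk=hit.group(3))
        elif (hit := _COMPLETED.search(msg)):
            entry.update(kind="completed", module=hit.group(1), file=hit.group(2),
                         size=int(hit.group(3)), compressed_size=int(hit.group(4)))
        elif (hit := _REMOVED.search(msg)):
            entry.update(kind="removed", disk=hit.group(1), file=hit.group(2))
        entries.append(entry)
    return sorted(entries, key=lambda e: e["time"])


def coredump_inventory(text):
    """Replay the log: files still on disk (archive these first), files the ASA removed
    to make room, and files that were started but never completed or removed."""
    on_disk, removed, started = {}, [], set()
    for e in parse_log(text):
        if e["kind"] == "started":
            started.add(e["file"])
        elif e["kind"] == "completed":
            on_disk[e["file"]] = e
        elif e["kind"] == "removed":
            removed.append(e["file"])
            on_disk.pop(e["file"], None)  # the completed record is gone once rotated out
    incomplete = sorted(started - set(on_disk) - set(removed))
    return {"on_disk": sorted(on_disk), "removed": removed, "incomplete": incomplete}


if __name__ == "__main__":
    for key, files in coredump_inventory(SAMPLE_LOG).items():
        print(f"{key}: {files}")
```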
Related Commands
Command                    Description
coredump enable            Enables the coredump feature.
clear configure coredump   Removes any coredumps currently stored on the coredump filesystem and clears the coredump log. Does not touch the coredump filesystem itself and does not change or affect the coredump configuration.
clear coredump             Removes any coredumps currently stored on the coredump filesystem and clears the coredump log. Does not touch the coredump filesystem itself and does not change or affect the coredump configuration.
show coredump filesystem   Shows the contents of the coredump filesystem.
show counters
To display the protocol stack counters, use the show counters command in privileged EXEC mode.
show counters [all | context context-name | summary | top N ] [detail] [protocol protocol_name
[:counter_name]] [ threshold N]
Syntax Description
all                     Displays the filter details.
context context-name    Specifies the context name.
:counter_name           Specifies a counter by name.
detail                  Displays additional counters information.
protocol protocol_name  Displays the counters for the specified protocol.
summary                 Displays a counter summary.
threshold N             Displays only those counters at or above the specified threshold. The range is 1 through 4294967295.
top N                   Displays the counters at or above the specified threshold. The range is 1 through 4294967295.
Defaults
show counters summary detail threshold 1
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode      Firewall Mode         Security Context
                  Routed   Transparent  Single   Multiple Context   Multiple System
Privileged EXEC   Yes      Yes          Yes      Yes                Yes
Command History
Release   Modification
7.2(1)    This command was added.
9.2(1)    Counters for the event manager were added.
Examples
The following example shows how to display all counters:
ciscoasa# show counters all
Protocol   Counter            Value   Context
IOS_IPC    IN_PKTS            2       single_vf
IOS_IPC    OUT_PKTS           2       single_vf
ciscoasa# show counters
Protocol   Counter            Value   Context
NPCP       IN_PKTS            7195    Summary
NPCP       OUT_PKTS           7603    Summary
IOS_IPC    IN_PKTS            869     Summary
IOS_IPC    OUT_PKTS           865     Summary
IP         IN_PKTS            380     Summary
IP         OUT_PKTS           411     Summary
IP         TO_ARP             105     Summary
IP         TO_UDP             9       Summary
UDP        IN_PKTS            9       Summary
UDP        DROP_NO_APP        9       Summary
FIXUP      IN_PKTS            202     Summary
UAUTH      IPV6_UNSUPPORTED   27      Summary
IDFW       HIT_USER_LIMIT     2       Summary
The following example shows how to display a summary of counters:
ciscoasa# show counters summary
Protocol   Counter    Value   Context
IOS_IPC    IN_PKTS    2       Summary
IOS_IPC    OUT_PKTS   2       Summary
The following example shows how to display counters for a context:
ciscoasa# show counters context single_vf
Protocol   Counter    Value   Context
IOS_IPC    IN_PKTS    4       single_vf
IOS_IPC    OUT_PKTS   4       single_vf
The following example shows how to display counters for the event manager:
ciscoasa# show counters protocol eem
Protocol   Counter    Value   Context
EEM        SYSLOG     22      Summary
EEM        COMMANDS   6       Summary
EEM        FILES      3       Summary
Related Commands
Command          Description
clear counters   Clears the protocol stack counters.
show cpu
To display the CPU utilization information, use the show cpu command in privileged EXEC mode.
[cluster exec] show cpu [usage core-id | profile | dump | detailed]
From the system configuration in multiple context mode:
[cluster exec] show cpu [usage] [context {all | context_name}]
Syntax Description
all            Specifies that the display show all contexts.
cluster exec   (Optional) In a clustering environment, enables you to issue the show cpu command in one unit and run the command in all the other units at the same time.
context        Specifies that the display show a context.
context_name   Specifies the name of the context to display.
core-id        Specifies the number of the processor core.
detailed       (Optional) Displays the CPU usage internal details.
dump           (Optional) Displays the dump profiling data to the TTY.
profile        (Optional) Displays the CPU profiling data.
usage          (Optional) Displays the CPU usage.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode      Firewall Mode         Security Context
                  Routed   Transparent  Single   Multiple Context   Multiple System
Privileged EXEC   Yes      Yes          Yes      Yes                Yes
Command History
Release   Modification
7.0(1)    This command was added.
8.6(1)    The core-id option was added to support the ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X.
9.1(2)    The output was updated for the show cpu profile and show cpu profile dump commands.
9.2(1)    Virtual platform CPU usage was added to the output for the ASAv.
Usage Guidelines
The CPU usage is computed by approximating the load every five seconds and then feeding that five-second approximation into two further moving averages, a 1-minute average and a 5-minute average.
You can use the show cpu command to find process related loads (that is, activity on behalf of items
listed by the output of the show process command in both single mode and from the system
configuration in multiple context mode).
Further, you can request, when in multiple context mode, a breakdown of the process related load to CPU
consumed by any configured contexts by changing to each context and entering the show cpu command
or by entering the show cpu context command.
While process related load is rounded to the nearest whole number, context related loads include one
additional decimal digit of precision. For example, entering the show cpu command from the system
context produces a different number than from entering the show cpu context system command. The
former is an approximate summary of everything that appears in the show cpu context all command,
and the latter is only a portion of that summary.
You can use the show cpu profile dump command in conjunction with the cpu profile activate
command to collect information for TAC use in troubleshooting CPU issues. The show cpu profile
dump command output is in hexadecimal format.
If the CPU profiler is waiting for a starting condition to occur, the show cpu profile command displays
the following output:
CPU profiling started: 12:45:57.209 UTC Wed Nov 14 2012
CPU Profiling waiting on starting condition.
Core 0: 0 out of 10 samples collected.
Core 1: 0 out of 10 samples collected.
Core 2: 0 out of 10 samples collected.
Core 3: 0 out of 10 samples collected.
CP      0 out of 10 samples collected.
For the ASAv, note the following licensing guidelines:
•
The number of allowed vCPUs is determined by the vCPU platform license installed.
– If the number of licensed vCPUs matches the number of provisioned vCPUs, the state is
Compliant.
– If the number of licensed vCPUs is less than the number of provisioned vCPUs, the state is
Noncompliant: Over-provisioned.
– If the number of licensed vCPUs is more than the number of provisioned vCPUs, the state is
Compliant: Under-provisioned.
•
The memory limit is determined by the number of vCPUs provisioned.
– If the provisioned memory is at the allowed limit, the state is Compliant.
– If the provisioned memory is above the allowed limit, the state is Noncompliant:
Over-provisioned.
– If the provisioned memory is below the allowed limit, the state is Compliant:
Under-provisioned.
•
The Frequency Reservation limit is determined by the number of vCPUs provisioned.
– If the frequency reservation memory is at or above the required minimum (1000 MHz), the state
is Compliant.
– If the frequency reservation memory is below the required minimum (1000 MHz), the state is
Compliant: Under-provisioned.
For example, the following output shows that no license has been applied. The number of allowed vCPUs refers to the number licensed, and Noncompliant: Over-provisioned indicates that the product is running with more resources than have been licensed.
Virtual platform CPU resources
------------------------------
Number of vCPUs         : 1
Number of allowed vCPUs : 0
vCPU Status             : Noncompliant: Over-provisioned
Examples
The following example shows how to display the CPU utilization:
ciscoasa# show cpu usage
CPU utilization for 5 seconds = 18%; 1 minute: 18%; 5 minutes: 18%
The following example shows how to display detailed CPU utilization information:
ciscoasa# show cpu detailed
Break down of per-core data path versus control point cpu usage:
Core     5 sec             1 min             5 min
Core 0   0.0 (0.0 + 0.0)   3.3 (0.0 + 3.3)   2.4 (0.0 + 2.4)
Current control point elapsed versus the maximum control point elapsed for:
5 seconds = 99.0%; 1 minute: 99.8%; 5 minutes: 95.9%
CPU utilization of external processes for:
5 seconds = 0.2%; 1 minute: 0.0%; 5 minutes: 0.0%
Total CPU utilization for:
5 seconds = 0.2%; 1 minute: 3.3%; 5 minutes: 2.5%
Note
The “Current control point elapsed versus the maximum control point elapsed for” statement means that
the current control point load is compared to the maximum load seen within the defined time period. This
is a ratio instead of an absolute number. The figure of 99% for the 5-second interval means that the
current control point load is at 99% of the maximum load that is visible over this 5-second interval. If
the load continues to increase all the time, then it will always remain at 100%. However, the actual CPU
may still have a lot of free capacity because the maximum absolute value has not been defined.
The following example shows how to display the CPU utilization for the system context in multiple
mode:
ciscoasa# show cpu context system
CPU utilization for 5 seconds = 9.1%; 1 minute: 9.2%; 5 minutes: 9.1%
The following example shows how to display the CPU utilization for all contexts:
ciscoasa# show cpu usage context all
5 sec   1 min   5 min   Context Name
9.1%    9.2%    9.1%    system
0.0%    0.0%    0.0%    admin
5.0%    5.0%    5.0%    one
4.2%    4.3%    4.2%    two
The following example shows how to display the CPU utilization for a context named “one”:
ciscoasa/one# show cpu usage
CPU utilization for 5 seconds = 5.0%; 1 minute: 5.0%; 5 minutes: 5.0%
The following example activates the profiler and instructs it to store 1000 samples.
ciscoasa# cpu profile activate
Activated CPU profiling for 1000 samples.
Use "show cpu profile" to display the progress or "show cpu profile dump" to interrupt
profiling and display the incomplete results.
The following examples show the status of the profiling (in-progress and completed):
ciscoasa# show cpu profile
CPU profiling started: 13:45:10.400 PST Fri Nov 16 2012
CPU profiling currently in progress:
Core 0: 209 out of 1000 samples collected.
Use "show cpu profile dump" to see the results after it is complete or to interrupt
profiling and display the incomplete results.
ciscoasa# show cpu profile dump
Cisco Adaptive Security Appliance Software Version 9.1(2)
Hardware:
ASA5555
CPU profiling started: 09:13:32.079 UTC Wed Jan 30 2013
No CPU profiling process specified.
No CPU profiling trigger specified.
cores: 2
Process virtual address map:
--------------------------…
--------------------------End of process map
Samples for core 0 - stopped
{0x00000000007eadb6,0x000000000211ee7e} ...
The following example shows CPU usage for the ASAv:
ciscoasa# show cpu
CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%
Virtual platform CPU resources
------------------------------
Number of vCPUs            : 2
Number of allowed vCPUs    : 2
vCPU Status                : Compliant
Frequency Reservation      : 1000 MHz
Minimum required           : 1000 MHz
Frequency Limit            : 4000 MHz
Maximum allowed            : 56000 MHz
Frequency Status           : Compliant
Average Usage (30 seconds) : 136 MHz
The following example shows details of CPU usage for the ASAv:
Break down of per-core data path versus control point cpu usage:
Core     5 sec             1 min             5 min
Core 0   0.0 (0.0 + 0.0)   0.0 (0.0 + 0.0)   0.0 (0.0 + 0.0)
Core 1   0.0 (0.0 + 0.0)   0.2 (0.2 + 0.0)   0.0 (0.0 + 0.0)
Core 2   0.0 (0.0 + 0.0)   0.0 (0.0 + 0.0)   0.0 (0.0 + 0.0)
Core 3   0.0 (0.0 + 0.0)   0.1 (0.0 + 0.1)   0.0 (0.0 + 0.0)
Current control point elapsed versus the maximum control point elapsed for:
5 seconds = 0.0%; 1 minute: 0.0%; 5 minutes: 0.0%
CPU utilization of external processes for:
5 seconds = 0.0%; 1 minute: 0.0%; 5 minutes: 0.0%
Total CPU utilization for:
5 seconds = 0.1%; 1 minute: 0.1%; 5 minutes: 0.1%
Virtual platform CPU resources
------------------------------
Number of vCPUs            : 4
Number of allowed vCPUs    : 4
vCPU Status                : Compliant
Frequency Reservation      : 1000 MHz
Minimum required           : 1000 MHz
Frequency Limit            : 20000 MHz
Maximum allowed            : 20000 MHz
Frequency Status           : Compliant
Average Usage (30 seconds) : 99 MHz
Copy this information and provide it to the TAC for decoding.
Related Commands
Command                Description
show counters          Displays the protocol stack counters.
cpu profile activate   Activates CPU profiling.
CHAPTER 5
show crashinfo through show curpriv Commands
show crashinfo
To display the contents of the crash file stored in Flash memory, enter the show crashinfo command in
privileged EXEC mode.
show crashinfo [save]
Syntax Description
save   (Optional) Displays whether the ASA is configured to save crash information to Flash memory.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode      Firewall Mode         Security Context
                  Routed   Transparent  Single   Multiple Context   Multiple System
Privileged EXEC   Yes      Yes          Yes      —                  Yes
Command History
Release   Modification
7.0(1)    This command was added.
9.1(5)    The output displays the thread ID (TID) in the show process command.
9.4(1)    The output displays the most recent 50 lines of generated syslogs. Note that you must enable the logging buffer command to enable these results to appear.
Usage Guidelines
If the crash file is from a test crash (generated from the crashinfo test command), the first string of the crash file is “: Saved_Test_Crash” and the last string is “: End_Test_Crash”. If the crash file is from a real crash, the first string of the crash file is “: Saved_Crash” and the last string is “: End_Crash”. (This includes crashes caused by the crashinfo force page-fault or crashinfo force watchdog commands.)
If there is no crash data saved in flash, or if the crash data has been cleared by entering the clear crashinfo command, the show crashinfo command displays an error message.
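As an added illustration, not part of the Cisco reference, the following Python script applies the marker rules above to a saved crash file: it classifies the file as a test or real crash by its first string, checks that the matching end string is present (a file that stops before its end string is incomplete and should be treated as such when triaging), and pulls out the faulting thread, traceback and register values for a ticket or a fleet-wide crash inventory. The two sample crash texts are constructed for this example (abbreviated from the crashinfo test output shown under Examples); all function names are the example's own.

```python
"""Classify and summarize a saved ASA crash file (the text printed by show crashinfo)."""
import re

# First/last strings documented for show crashinfo: test crashes and real crashes
# are wrapped in different marker pairs.
MARKERS = {
    "test": (": Saved_Test_Crash", ": End_Test_Crash"),
    "real": (": Saved_Crash", ": End_Crash"),
}

THREAD_RE = re.compile(
    r"^Thread Name:\s*(?P<name>\S+)\s*\(Old pc (?P<pc>0x[0-9a-fA-F]+) ebp (?P<ebp>0x[0-9a-fA-F]+)\)"
)
FRAME_RE = re.compile(r"^\s*(\d+):\s*([0-9a-fA-F]{8})\s*$")
REG_RE = re.compile(r"^(edi|esi|ebp|esp|ebx|edx|ecx|eax|eip|cs|eflags|CR2)\s+(0x[0-9a-fA-F]+)\s*$")
STACK_RE = re.compile(r"^Stack dump: base:(0x[0-9a-fA-F]+) size:(\d+), active:(\d+)")


def parse_crashinfo(text):
    """Return a summary dict for one crash file; raise ValueError if it is not one."""
    lines = text.splitlines()
    nonblank = [l.strip() for l in lines if l.strip()]
    if not nonblank:
        raise ValueError("empty crash file")
    kind = end_marker = None
    for name, (start, end) in MARKERS.items():
        if nonblank[0] == start:
            kind, end_marker = name, end
            break
    if kind is None:
        raise ValueError("missing Saved_Crash / Saved_Test_Crash header")

    info = {"kind": kind, "complete": nonblank[-1] == end_marker,
            "thread": None, "old_pc": None, "frames": [], "registers": {}, "stack": None}
    in_traceback = False
    for line in lines:
        m = THREAD_RE.match(line)
        if m:
            info["thread"], info["old_pc"] = m.group("name"), m.group("pc")
            continue
        if line.startswith("Traceback:"):
            in_traceback = True
            continue
        if in_traceback:
            m = FRAME_RE.match(line)
            if m:
                info["frames"].append(m.group(2))
                continue
            in_traceback = False          # first non-frame line ends the traceback
        m = REG_RE.match(line)
        if m:
            info["registers"][m.group(1)] = m.group(2)
            continue
        m = STACK_RE.match(line)
        if m:
            info["stack"] = {"base": m.group(1), "size": int(m.group(2)), "active": int(m.group(3))}
    return info


def summarize(info):
    """One-line verdict suitable for a ticket title or an inventory row."""
    state = "complete" if info["complete"] else "TRUNCATED"
    return (f"{info['kind']} crash in {info['thread']} at pc {info['old_pc']}, "
            f"{len(info['frames'])} frames, {state}")


# Constructed sample: an abbreviated crashinfo test file, shaped like the Examples output.
SAMPLE_TEST_CRASH = """\
: Saved_Test_Crash
Thread Name: ci/console (Old pc 0x001a6ff5 ebp 0x00e88920)
Traceback:
0: 00323143
1: 0032321b
2: 0010885c
3: 0010763c
4: 001078db
5: 00103585
6: 00000000
vector 0x000000ff (user defined)
edi 0x004f20c4
esi 0x00000000
ebp 0x00e88c20
esp 0x00e88bd8
ebx 0x00000001
edx 0x00000074
ecx 0x00322f8b
eax 0x00322f8b
error code n/a
eip 0x0010318c
cs 0x00000008
eflags 0x00000000
CR2 0x00000000
Stack dump: base:0x00e8511c size:16384, active:1476
0x00e89118: 0x004f1bb4
: End_Test_Crash
"""

# Constructed sample: a real-crash file whose end string never reached flash.
SAMPLE_TRUNCATED_REAL = """\
: Saved_Crash
Thread Name: ci/console (Old pc 0x001a6ff5 ebp 0x00e88920)
Traceback:
0: 00323143
"""

if __name__ == "__main__":
    for sample in (SAMPLE_TEST_CRASH, SAMPLE_TRUNCATED_REAL):
        print(summarize(parse_crashinfo(sample)))
```

The traceback addresses and registers are kept as the hexadecimal strings the ASA printed, so they can be handed to the TAC unchanged; the script only adds the classification and completeness check.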
Examples
The following example shows how to display the current crash information configuration:
ciscoasa# show crashinfo save
crashinfo save enable
The following example shows the output for a crash file test. (However, this test does not actually crash
the ASA. It provides a simulated example file.)
ciscoasa(config)# crashinfo test
ciscoasa(config)# exit
ciscoasa# show crashinfo
: Saved_Test_Crash
Thread Name: ci/console (Old pc 0x001a6ff5 ebp 0x00e88920)
Traceback:
0: 00323143
1: 0032321b
2: 0010885c
3: 0010763c
4: 001078db
5: 00103585
6: 00000000
vector 0x000000ff (user defined)
edi 0x004f20c4
esi 0x00000000
ebp 0x00e88c20
esp 0x00e88bd8
ebx 0x00000001
edx 0x00000074
ecx 0x00322f8b
eax 0x00322f8b
error code n/a
eip 0x0010318c
cs 0x00000008
eflags 0x00000000
CR2 0x00000000
F-flags : 0x2
F-flags2 : 0x0
F-flags3 : 0x10000
F-flags4 : 0x0
F-bytes : 0
Stack dump: base:0x00e8511c size:16384, active:1476
0x00e89118: 0x004f1bb4
0x00e89114: 0x001078b4
0x00e89110-0x00e8910c: 0x00000000
0x00e89108-0x00e890ec: 0x12345678
0x00e890e8: 0x004f1bb4
0x00e890e4: 0x00103585
0x00e890e0: 0x00e8910c
0x00e890dc-0x00e890cc: 0x12345678
0x00e890c8: 0x00000000
0x00e890c4-0x00e890bc: 0x12345678
0x00e890b8: 0x004f1bb4
0x00e890b4: 0x001078db
0x00e890b0: 0x00e890e0
0x00e890ac-0x00e890a8: 0x12345678
0x00e890a4: 0x001179b3
0x00e890a0: 0x00e890b0
0x00e8909c-0x00e89064: 0x12345678
0x00e89060: 0x12345600
0x00e8905c: 0x20232970
0x00e89058: 0x616d2d65
0x00e89054: 0x74002023
0x00e89050: 0x29676966
0x00e8904c: 0x6e6f6328
0x00e89048: 0x31636573
0x00e89044: 0x7069636f
0x00e89040: 0x64786970
0x00e8903c-0x00e88e50: 0x00000000
0x00e88e4c: 0x000a7473
0x00e88e48: 0x6574206f
0x00e88e44: 0x666e6968
0x00e88e40: 0x73617263
0x00e88e3c-0x00e88e38: 0x00000000
0x00e88e34: 0x12345600
0x00e88e30-0x00e88dfc: 0x00000000
0x00e88df8: 0x00316761
0x00e88df4: 0x74706100
0x00e88df0: 0x12345600
0x00e88dec-0x00e88ddc: 0x00000000
0x00e88dd8: 0x00000070
0x00e88dd4: 0x616d2d65
0x00e88dd0: 0x74756f00
0x00e88dcc: 0x00000000
0x00e88dc8: 0x00e88e40
0x00e88dc4: 0x004f20c4
0x00e88dc0: 0x12345600
0x00e88dbc: 0x00000000
0x00e88db8: 0x00000035
0x00e88db4: 0x315f656c
0x00e88db0: 0x62616e65
0x00e88dac: 0x0030fcf0
0x00e88da8: 0x3011111f
0x00e88da4: 0x004df43c
0x00e88da0: 0x0053fef0
0x00e88d9c: 0x004f1bb4
0x00e88d98: 0x12345600
0x00e88d94: 0x00000000
0x00e88d90: 0x00000035
0x00e88d8c: 0x315f656c
0x00e88d88: 0x62616e65
0x00e88d84: 0x00000000
0x00e88d80: 0x004f20c4
0x00e88d7c: 0x00000001
0x00e88d78: 0x01345678
0x00e88d74: 0x00f53854
0x00e88d70: 0x00f7f754
0x00e88d6c: 0x00e88db0
0x00e88d68: 0x00e88d7b
0x00e88d64: 0x00f53874
0x00e88d60: 0x00e89040
0x00e88d5c-0x00e88d54: 0x12345678
0x00e88d50-0x00e88d4c: 0x00000000
0x00e88d48: 0x004f1bb4
0x00e88d44: 0x00e88d7c
0x00e88d40: 0x00e88e40
0x00e88d3c: 0x00f53874
0x00e88d38: 0x004f1bb4
0x00e88d34: 0x0010763c
0x00e88d30: 0x00e890b0
0x00e88d2c: 0x00e88db0
0x00e88d28: 0x00e88d88
0x00e88d24: 0x0010761a
0x00e88d20: 0x00e890b0
0x00e88d1c: 0x00e88e40
0x00e88d18: 0x00f53874
0x00e88d14: 0x0010166d
0x00e88d10: 0x0000000e
0x00e88d0c: 0x00f53874
0x00e88d08: 0x00f53854
0x00e88d04: 0x0048b301
0x00e88d00: 0x00e88d30
0x00e88cfc: 0x0000000e
0x00e88cf8: 0x00f53854
0x00e88cf4: 0x0048a401
0x00e88cf0: 0x00f53854
0x00e88cec: 0x00f53874
0x00e88ce8: 0x0000000e
0x00e88ce4: 0x0048a64b
0x00e88ce0: 0x0000000e
0x00e88cdc: 0x00f53874
0x00e88cd8: 0x00f7f96c
0x00e88cd4: 0x0048b4f8
0x00e88cd0: 0x00e88d00
0x00e88ccc: 0x0000000f
0x00e88cc8: 0x00f7f96c
0x00e88cc4-0x00e88cc0: 0x0000000e
0x00e88cbc: 0x00e89040
0x00e88cb8: 0x00000000
0x00e88cb4: 0x00f5387e
0x00e88cb0: 0x00f53874
0x00e88cac: 0x00000002
0x00e88ca8: 0x00000001
0x00e88ca4: 0x00000009
0x00e88ca0-0x00e88c9c: 0x00000001
0x00e88c98: 0x00e88cb0
0x00e88c94: 0x004f20c4
0x00e88c90: 0x0000003a
0x00e88c8c: 0x00000000
0x00e88c88: 0x0000000a
0x00e88c84: 0x00489f3a
0x00e88c80: 0x00e88d88
0x00e88c7c: 0x00e88e40
0x00e88c78: 0x00e88d7c
0x00e88c74: 0x001087ed
0x00e88c70: 0x00000001
0x00e88c6c: 0x00e88cb0
0x00e88c68: 0x00000002
0x00e88c64: 0x0010885c
0x00e88c60: 0x00e88d30
0x00e88c5c: 0x00727334
0x00e88c58: 0xa0ffffff
0x00e88c54: 0x00e88cb0
0x00e88c50: 0x00000001
0x00e88c4c: 0x00e88cb0
0x00e88c48: 0x00000002
0x00e88c44: 0x0032321b
0x00e88c40: 0x00e88c60
0x00e88c3c: 0x00e88c7f
0x00e88c38: 0x00e88c5c
0x00e88c34: 0x004b1ad5
0x00e88c30: 0x00e88c60
0x00e88c2c: 0x00e88e40
0x00e88c28: 0xa0ffffff
0x00e88c24: 0x00323143
0x00e88c20: 0x00e88c40
0x00e88c1c: 0x00000000
0x00e88c18: 0x00000008
0x00e88c14: 0x0010318c
0x00e88c10-0x00e88c0c: 0x00322f8b
0x00e88c08: 0x00000074
0x00e88c04: 0x00000001
0x00e88c00: 0x00e88bd8
0x00e88bfc: 0x00e88c20
0x00e88bf8: 0x00000000
0x00e88bf4: 0x004f20c4
0x00e88bf0: 0x000000ff
0x00e88bec: 0x00322f87
0x00e88be8: 0x00f5387e
0x00e88be4: 0x00323021
0x00e88be0: 0x00e88c10
0x00e88bdc: 0x004f20c4
0x00e88bd8: 0x00000000 *
0x00e88bd4: 0x004eabb0
0x00e88bd0: 0x00000001
0x00e88bcc: 0x00f5387e
0x00e88bc8-0x00e88bc4: 0x00000000
0x00e88bc0: 0x00000008
0x00e88bbc: 0x0010318c
0x00e88bb8-0x00e88bb4: 0x00322f8b
0x00e88bb0: 0x00000074
0x00e88bac: 0x00000001
0x00e88ba8: 0x00e88bd8
0x00e88ba4: 0x00e88c20
0x00e88ba0: 0x00000000
0x00e88b9c: 0x004f20c4
0x00e88b98: 0x000000ff
0x00e88b94: 0x001031f2
0x00e88b90: 0x00e88c20
0x00e88b8c: 0xffffffff
0x00e88b88: 0x00e88cb0
0x00e88b84: 0x00320032
0x00e88b80: 0x37303133
0x00e88b7c: 0x312f6574
0x00e88b78: 0x6972772f
0x00e88b74: 0x342f7665
0x00e88b70: 0x64736666
0x00e88b6c: 0x00020000
0x00e88b68: 0x00000010
0x00e88b64: 0x00000001
0x00e88b60: 0x123456cd
0x00e88b5c: 0x00000000
0x00e88b58: 0x00000008
Cisco XXX Firewall Version X.X
Cisco XXX Device Manager Version X.X
Compiled on Fri 15-Nov-04 14:35 by root
hostname up 10 days 0 hours
Hardware:
XXX-XXX, 64 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB
0: ethernet0: address is 0003.e300.73fd, irq 10
1: ethernet1: address is 0003.e300.73fe, irq 7
2: ethernet2: address is 00d0.b7c8.139e, irq 9
Licensed Features:
Failover:            Disabled
VPN-DES:             Enabled
VPN-3DES-AES:        Disabled
Maximum Interfaces:  3
Cut-through Proxy:   Enabled
Guards:              Enabled
URL-filtering:       Enabled
Inside Hosts:        Unlimited
Throughput:          Unlimited
IKE peers:           Unlimited
This XXX has a Restricted (R) license.
Serial Number: 480430455 (0x1ca2c977)
Running Activation Key: 0xc2e94182 0xc21d8206 0x15353200 0x633f6734
Configuration last modified by enable_15 at 13:49:42.148 UTC Wed Nov 20 2004
------------------ show clock ------------------
15:34:28.129 UTC Sun Nov 24 2004
------------------ show memory ------------------
Free memory:        50444824 bytes
Used memory:        16664040 bytes
-------------     ----------------
Total memory:       67108864 bytes
------------------ show conn count ------------------
0 in use, 0 most used
------------------ show xlate count ------------------
0 in use, 0 most used
------------------ show vpn-sessiondb summary ------------------
Active Session Summary
Sessions:
                         Active : Cumulative : Peak Concurrent : Inactive
  SSL VPN              :      2 :          2 :               2
    Clientless only    :      0 :          0 :               0
    With client        :      2 :          2 :               2 :        0
  Email Proxy          :      0 :          0 :               0
  IPsec LAN-to-LAN     :      1 :          1 :               1
  IPsec Remote Access  :      0 :          0 :               0
  VPN Load Balancing   :      0 :          0 :               0
  Totals               :      3 :          3

License Information:
  Shared VPN License Information:
    SSL VPN                    :  1500
      Allocated to this device :    50
      Allocated in network     :    50
      Device limit             :   750

  IPsec    :   750    Configured :   750    Active :   1    Load :  0%
  SSL VPN  :    52    Configured :    52    Active :   2    Load :  4%

                         Active : Cumulative : Peak Concurrent
  IPsec                :      1 :          1 :               1
  SSL VPN              :      2 :         10 :               2
    AnyConnect Mobile  :      0 :          0 :               0
    Linksys Phone      :      0 :          0 :               0
  Totals               :      3 :         11

Tunnels:
                         Active : Cumulative : Peak Concurrent
  IKE                  :      1 :          1 :               1
  IPsec                :      1 :          1 :
  Clientless           :      2 :          2 :
  SSL-Tunnel           :      2 :          2 :
  DTLS-Tunnel          :      2 :          2 :
  Totals               :      8 :          8
------------------ show blocks ------------------
  SIZE    MAX    LOW    CNT
     4   1600   1600   1600
    80    400    400    400
   256    500    499    500
  1550   1188    795    927
------------------ show interface ------------------
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0003.e300.73fd
IP address 172.23.59.232, subnet mask 255.255.0.0
MTU 1500 bytes, BW 10000 Kbit half duplex
6139 packets input, 830375 bytes, 0 no buffer
Received 5990 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
90 packets output, 6160 bytes, 0 underruns
0 output errors, 13 collisions, 0 interface resets
0 babbles, 0 late collisions, 47 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (5/128) software (0/2)
output queue (curr/max blocks): hardware (0/1) software (0/1)
interface ethernet1 "inside" is up, line protocol is down
Hardware is i82559 ethernet, address is 0003.e300.73fe
IP address 10.1.1.1, subnet mask 255.255.255.0
MTU 1500 bytes, BW 10000 Kbit half duplex
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1 packets output, 60 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
1 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/1) software (0/1)
interface ethernet2 "intf2" is administratively down, line protocol is down
Hardware is i82559 ethernet, address is 00d0.b7c8.139e
IP address 127.0.0.1, subnet mask 255.255.255.255
MTU 1500 bytes, BW 10000 Kbit half duplex
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/0) software (0/0)
------------------ show cpu usage ------------------
CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%
------------------ show process ------------------
    PC       SP       STATE       Runtime SBASE    Stack       Process             TID
Hsi 001e3329 00763e7c 0053e5c8          0 00762ef4 3784/4096   arp_timer           0x000000000000000a
Lsi 001e80e9 00807074 0053e5c8          0 008060fc 3792/4096   FragDBGC            0x000000000000006b
Lwe 00117e3a 009dc2e4 00541d18          0 009db46c 3704/4096   dbgtrace
Lwe 003cee95 009de464 00537718          0 009dc51c 8008/8192   Logger
Hwe 003d2d18 009e155c 005379c8          0 009df5e4 8008/8192   tcp_fast
Hwe 003d2c91 009e360c 005379c8          0 009e1694 8008/8192   tcp_slow
Lsi 002ec97d 00b1a464 0053e5c8          0 00b194dc 3928/4096   xlate clean
Lsi 002ec88b 00b1b504 0053e5c8          0 00b1a58c 3888/4096   uxlate clean
Mrd 002e3a17 00c8f8d4 0053e600          0 00c8d93c 7908/8192   tcp_intercept_times
Lsi 00423dd5 00d3a22c 0053e5c8          0 00d392a4 3900/4096   route_process
Hsi 002d59fc 00d3b2bc 0053e5c8          0 00d3a354 3780/4096   PIX Garbage Collecr
Hwe 0020e301 00d5957c 0053e5c8          0 00d55614 16048/16384 isakmp_time_keepr
Lsi 002d377c 00d7292c 0053e5c8          0 00d719a4 3928/4096   perfm
on
Hwe 0020bd07 00d9c12c 0050bb90          0 00d9b1c4 3944/4096   IPsec
Mwe 00205e25 00d9e1ec 0053e5c8          0 00d9c274 7860/8192   IPsec timer handler
Hwe 003864e3 00db26bc 00557920          0 00db0764 6904/8192   qos_metric_daemon
Mwe 00255a65 00dc9244 0053e5c8          0 00dc8adc 1436/2048   IP Background
Lwe 002e450e 00e7bb94 00552c30          0 00e7ad1c 3704/4096   pix/trace
Lwe 002e471e 00e7cc44 00553368          0 00e7bdcc 3704/4096   pix/tconsole
Hwe 001e5368 00e7ed44 00730674          0 00e7ce9c 7228/8192   pix/intf0
Hwe 001e5368 00e80e14 007305d4          0 00e7ef6c 7228/8192   pix/intf1
Hwe 001e5368 00e82ee4 00730534       2470 00e8103c 4892/8192   pix/intf2
H*  001a6ff5 0009ff2c 0053e5b0       4820 00e8511c 12860/16384 ci/console
Csi 002dd8ab 00e8a124 0053e5c8          0 00e891cc 3396/4096   update_cpu_usage
Hwe 002cb4d1 00f2bfbc 0051e360          0 00f2a134 7692/8192   uauth_in
Hwe 003d17d1 00f2e0bc 00828cf0          0 00f2c1e4 7896/8192   uauth_thread
Hwe 003e71d4 00f2f20c 00537d20          0 00f2e294 3960/4096   udp_timer
Hsi 001db3ca 00f30fc4 0053e5c8          0 00f3004c 3784/4096   557mcfix
Crd 001db37f 00f32084 0053ea40  508286220 00f310fc 3688/4096   557poll
Lsi 001db435 00f33124 0053e5c8          0 00f321ac 3700/4096   557timer
Hwe 001e5398 00f441dc 008121e0          0 00f43294 3912/4096   fover_ip0
Cwe 001dcdad 00f4523c 00872b48        120 00f44344 3528/4096   ip/0:0
Hwe 001e5398 00f4633c 008121bc         10 00f453f4 3532/4096   icmp0
Hwe 001e5398 00f47404 00812198          0 00f464cc 3896/4096   udp_thread/0
Hwe 001e5398 00f4849c 00812174          0 00f475a4 3456/4096   tcp_thread/0
Hwe 001e5398 00f495bc 00812150          0 00f48674 3912/4096   fover_ip1
Cwe 001dcdad 00f4a61c 008ea850          0 00f49724 3832/4096   ip/1:1
Hwe 001e5398 00f4b71c 0081212c          0 00f4a7d4 3912/4096   icmp1
Hwe 001e5398 00f4c7e4 00812108          0 00f4b8ac 3896/4096   udp_thread/1
Hwe 001e5398 00f4d87c 008120e4          0 00f4c984 3832/4096   tcp_thread/1
Hwe 001e5398 00f4e99c 008120c0          0 00f4da54 3912/4096   fover_ip2
Cwe 001e542d 00f4fa6c 00730534          0 00f4eb04 3944/4096   ip/2:2
Hwe 001e5398 00f50afc 0081209c          0 00f4fbb4 3912/4096   icmp2
Hwe 001e5398 00f51bc4 00812078          0 00f50c8c 3896/4096   udp_thread/2
Hwe 001e5398 00f52c5c 00812054          0 00f51d64 3832/4096   tcp_thread/2
Hwe 003d1a65 00f78284 008140f8          0 00f77fdc 300/1024    listen/http1
Mwe 0035cafa 00f7a63c 0053e5c8          0 00f786c4 7640/8192   Crypto CA
------------------ show failover ------------------
No license for Failover
------------------ show traffic ------------------
outside:
        received (in 865565.090 secs):
                6139 packets
                830375 bytes
                0 pkts/sec
                0 bytes/sec
        transmitted (in 865565.090 secs):
                90 packets
                6160 bytes
                0 pkts/sec
                0 bytes/sec
inside:
        received (in 865565.090 secs):
                0 packets
                0 bytes
                0 pkts/sec
                0 bytes/sec
        transmitted (in 865565.090 secs):
                1 packets
                60 bytes
                0 pkts/sec
                0 bytes/sec
intf2:
        received (in 865565.090 secs):
                0 packets
                0 bytes
                0 pkts/sec
                0 bytes/sec
        transmitted (in 865565.090 secs):
                0 packets
                0 bytes
                0 pkts/sec
                0 bytes/sec
------------------ show perfmon ------------------
PERFMON STATS:        Current      Average
Xlates                    0/s          0/s
Connections               0/s          0/s
TCP Conns                 0/s          0/s
UDP Conns                 0/s          0/s
URL Access                0/s          0/s
URL Server Req            0/s          0/s
TCP Fixup                 0/s          0/s
TCPIntercept              0/s          0/s
HTTP Fixup                0/s          0/s
FTP Fixup                 0/s          0/s
AAA Authen                0/s          0/s
AAA Author                0/s          0/s
AAA Account               0/s          0/s
: End_Test_Crash

Related Commands
Command                   Description
clear crashinfo           Deletes the contents of the crash file.
crashinfo force           Forces a crash of the ASA.
crashinfo save disable    Disables crash information from writing to flash memory.
crashinfo test            Tests the ability of the ASA to save crash information to a file in flash memory.
show crashinfo console
To display the configuration setting of the crashinfo console command, enter the show crashinfo
console command.
show crashinfo console

Syntax Description
This command has no arguments or keywords.

Defaults
This command has no default settings.

Command Modes
The following table shows the modes in which you can enter the command:

                         Firewall Mode            Security Context
                                                  Multiple
Command Mode             Routed   Transparent     Single   Context   System
Privileged EXEC          • Yes    • Yes           • Yes    —         • Yes

Command History
Release   Modification
7.0(4)    This command was added.
Usage Guidelines
Compliance with FIPS 140-2 prohibits the distribution of Critical Security Parameters (keys, passwords, and so on) outside of the crypto boundary (chassis). When the device crashes because of an assert or checkheaps failure, the stack or memory regions dumped to the console may contain sensitive data. This output must be suppressed in FIPS mode.
Examples
sw8-5520(config)# show crashinfo console
crashinfo console enable
Related Commands
Command                      Description
clear configure fips         Clears the system or module FIPS configuration information stored in NVRAM.
crashinfo console disable    Disables the reading, writing and configuration of crash write info to flash.
fips enable                  Enables or disables policy-checking to enforce FIPS compliance on the system or module.
show running-config fips     Displays the FIPS configuration that is running on the ASA.
show crypto accelerator statistics
To display the global and accelerator-specific statistics from the hardware crypto accelerator MIB, use
the show crypto accelerator statistics command in global configuration or privileged EXEC mode.
show crypto accelerator statistics

Syntax Description
This command has no keywords or variables.

Defaults
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:

                         Firewall Mode            Security Context
                                                  Multiple
Command Mode             Routed   Transparent     Single   Context   System
Global configuration     • Yes    • Yes           • Yes    • Yes     —
Privileged EXEC          • Yes    • Yes           • Yes    —         —

Command History
Release   Modification
7.0(1)    This command was added.

Usage Guidelines
The output statistics are defined as follows:
Accelerator 0 shows statistics for the software-based crypto engine.
Accelerator 1 shows statistics for the hardware-based crypto engine.
RSA statistics show RSA operations for 2048-bit keys, which are executed in software by default. This
means that when you have a 2048-bit key, IKE/SSL VPN performs RSA operations in software during
the IPsec/SSL negotiation phase. Actual IPsec/SSL traffic is still processed using hardware. This may
cause high CPU if there are many simultaneous sessions starting at the same time, which may result in
multiple RSA key operations and high CPU. If you run into a high CPU condition because of this, then
you should use a 1024-bit key to process RSA key operations in hardware. To do so, you must reenroll
the identity certificate. In releases 8.3(2) or later, you can also use the crypto engine large-mod-accel
command on the 5510-5550 platforms to perform these operations in hardware.
If you are using a 2048-bit RSA key and the RSA processing is performed in software, you can use CPU
profiling to determine which functions are causing high CPU usage. Generally, the bn_* and BN_*
functions are math operations on the large data sets used for RSA, and are the most useful when
examining CPU usage during an RSA operation in software. For example:
@@@@@@@@@@@@@@@@@@................................ 36.50% : _bn_mul_add_words
@@@@@@@@@......................................... 19.75% : _bn_sqr_comba8
Diffie-Hellman statistics show that any crypto operation with a modulus size greater than 1024 is
performed in software (for example, DH5 (Diffie-Hellman group 5 uses 1536)). If so, a 2048-bit key
certificate will be processed in software, which can result in high CPU usage when a lot of sessions are
running.
Note
The ASA 5505 (with a Cavium CN505 processor) only supports Diffie-Hellman Groups 1 and 2 for
hardware-accelerated, 768-bit and 1024-bit key generation. Diffie-Hellman Group 5 (1536-bit key
generation) is performed in software.
A single crypto engine in the adaptive security appliance performs the IPsec and SSL operations. To
display the versions of crypto (Cavium) microcode that are loaded into the hardware crypto accelerator
at boot time, enter the show version command. For example:
ciscoasa(config)# show version
Cisco Adaptive Security Appliance Software Version 8.0(4)8
Device Manager Version 6.1(5)
Compiled on Wed 15-Oct-09 17:27 by builders
System image file is "disk0:/interim/asa804-8-k8.bin"
Config file at boot was "startup-config"
asa up 5 days 17 hours
Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 512MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode    : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
                             IPsec microcode   : CNlite-MC-IPSECm-MAIN-2.05
DSA statistics show key generation in two phases. The first phase is a choice of algorithm parameters,
which may be shared between different users of the system. The second phase computes private and
public keys for a single user.
SSL statistics show records for the processor-intensive public key encryption algorithms involved in SSL
transactions to the hardware crypto accelerator.
RNG statistics show records for a sender and receiver, which can generate the same set of random
numbers automatically to use as keys.
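As an added illustration, not part of the Cisco reference, the following Python script parses show crypto accelerator statistics output into the [Capacity], [Global Statistics] and per-accelerator sections and then applies the rule stated in the Usage Guidelines: public-key work (RSA, Diffie-Hellman, DSA) that is counted against Accelerator 0 is running on the software engine, which is where 2048-bit RSA keys and large-modulus DH groups land and where many simultaneous session setups turn into high CPU. The sample output is constructed for this example (it follows the layout of the Examples section, with non-zero RSA counters on Accelerator 0 added so that the check fires); the function names are the example's own.

```python
"""Parse show crypto accelerator statistics and flag public-key work on the software engine."""
import re

ACCEL_RE = re.compile(r"^\[Accelerator (?P<idx>\d+)\]$")
SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
KV_RE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<val>.*)$")

# Counters that only move when an engine performs public-key math.
PUBKEY_COUNTERS = {
    "RSA statistics": ("Keys generated", "Signatures", "Verifications"),
    "Diffie-Hellman statistics": ("Keys generated", "Secret keys derived"),
    "DSA statistics": ("Keys generated", "Signatures", "Verifications"),
}


def _coerce(val):
    if val in ("True", "False"):
        return val == "True"
    return int(val) if val.isdigit() else val


def parse_accelerator_stats(text):
    """Return {"capacity": {...}, "global": {...}, "accelerators": {index: {...}}}."""
    data = {"capacity": {}, "global": {}, "accelerators": {}}
    target, accel = None, None           # target: dict that receives the next key/value lines
    for raw in text.splitlines():
        line = raw.strip()
        m = ACCEL_RE.match(line)
        if m:                            # "[Accelerator N]" opens a new accelerator block
            accel = data["accelerators"].setdefault(int(m.group("idx")), {})
            target = accel
            continue
        m = SECTION_RE.match(line)
        if m:                            # top-level section, or a sub-section of the current accelerator
            name = m.group("name")
            if accel is None:
                target = data["capacity"] if name == "Capacity" else data["global"]
            else:
                target = accel.setdefault(name, {})
            continue
        m = KV_RE.match(line)
        if m and target is not None:     # lines without a colon (titles, "(revision 0x0)") are skipped
            target[m.group("key")] = _coerce(m.group("val").strip())
    return data


def software_pubkey_ops(stats):
    """Public-key counters of Accelerator 0 (the software engine) that are greater than zero."""
    sw = stats["accelerators"].get(0, {})
    found = {}
    for section, keys in PUBKEY_COUNTERS.items():
        for key in keys:
            val = sw.get(section, {}).get(key, 0)
            if isinstance(val, int) and not isinstance(val, bool) and val > 0:
                found[f"{section}/{key}"] = val
    return found


def assess(stats):
    """Operator-facing findings: failed hardware engines and public-key work done in software."""
    findings = []
    bad = stats["global"].get("Number of non-operational accelerators", 0)
    if bad:
        findings.append(f"{bad} hardware accelerator(s) non-operational")
    for name, count in software_pubkey_ops(stats).items():
        findings.append(f"software engine performed {count} x {name}; review RSA key size and DH groups")
    return findings


# Constructed sample in the layout of the Examples section; Accelerator 0 RSA counters are non-zero
# here on purpose, unlike the reference output.
SAMPLE_OUTPUT = """\
Crypto Accelerator Status
-------------------------
[Capacity]
   Supports hardware crypto: True
   Supports modular hardware crypto: False
   Max accelerators: 1
   Max crypto throughput: 100 Mbps
   Max crypto connections: 750
[Global Statistics]
   Number of active accelerators: 1
   Number of non-operational accelerators: 0
   Input packets: 700
   Output error packets: 0
[Accelerator 0]
   Status: Active
   Software crypto engine
   Slot: 0
   [Diffie-Hellman statistics]
      Keys generated: 0
      Secret keys derived: 0
   [RSA statistics]
      Keys generated: 0
      Signatures: 42
      Verifications: 17
[Accelerator 1]
   Status: Active
   Encryption hardware device : Cisco ASA-55x0 on-board accelerator
                                (revision 0x0)
   Boot microcode : CNlite-MC-Boot-Cisco-1.2
   Slot: 1
   [Diffie-Hellman statistics]
      Keys generated: 97
      Secret keys derived: 1
   [RSA statistics]
      Keys generated: 0
      Signatures: 0
      Verifications: 0
"""

if __name__ == "__main__":
    for finding in assess(parse_accelerator_stats(SAMPLE_OUTPUT)):
        print(finding)
```

Run this against a baseline capture and a capture taken during a busy period; RSA or Diffie-Hellman counters that grow on Accelerator 0 while the hardware engine's stay flat are the condition the Usage Guidelines describe, and the same parse can feed the clear crypto accelerator statistics / re-sample cycle used to measure a change in key size.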
Examples
The following example, entered in global configuration mode, shows global crypto accelerator statistics:
ciscoasa# show crypto accelerator statistics
Crypto Accelerator Status
-------------------------
[Capacity]
Supports hardware crypto: True
Supports modular hardware crypto: False
Max accelerators: 1
Max crypto throughput: 100 Mbps
Max crypto connections: 750
[Global Statistics]
Number of active accelerators: 1
Number of non-operational accelerators: 0
Input packets: 700
Input bytes: 753488
Output packets: 700
Output error packets: 0
Output bytes: 767496
[Accelerator 0]
Status: Active
Software crypto engine
Slot: 0
Active time: 167 seconds
Total crypto transforms: 7
Total dropped packets: 0
[Input statistics]
Input packets: 0
Input bytes: 0
Input hashed packets: 0
Input hashed bytes: 0
Decrypted packets: 0
Decrypted bytes: 0
[Output statistics]
Output packets: 0
Output bad packets: 0
Output bytes: 0
Output hashed packets: 0
Output hashed bytes: 0
Encrypted packets: 0
Encrypted bytes: 0
[Diffie-Hellman statistics]
Keys generated: 0
Secret keys derived: 0
[RSA statistics]
Keys generated: 0
Signatures: 0
Verifications: 0
Encrypted packets: 0
Encrypted bytes: 0
Decrypted packets: 0
Decrypted bytes: 0
[DSA statistics]
Keys generated: 0
Signatures: 0
Verifications: 0
[SSL statistics]
Outbound records: 0
Inbound records: 0
[RNG statistics]
Random number requests: 98
Random number request failures: 0
[Accelerator 1]
Status: Active
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode    : CNlite-MC-Boot-Cisco-1.2
                             SSL/IKE microcode : CNlite-MC-IPSEC-Admin-3.03
                             IPsec microcode   : CNlite-MC-IPSECm-MAIN-2.03
Slot: 1
Active time: 170 seconds
Total crypto transforms: 1534
Total dropped packets: 0
[Input statistics]
Input packets: 700
Input bytes: 753544
Input hashed packets: 700
Input hashed bytes: 736400
Decrypted packets: 700
Decrypted bytes: 719944
[Output statistics]
Output packets: 700
Output bad packets: 0
Output bytes: 767552
Output hashed packets: 700
Output hashed bytes: 744800
Encrypted packets: 700
Encrypted bytes: 728352
[Diffie-Hellman statistics]
Keys generated: 97
Secret keys derived: 1
[RSA statistics]
Keys generated: 0
Signatures: 0
Verifications: 0
Encrypted packets: 0
Encrypted bytes: 0
Decrypted packets: 0
Decrypted bytes: 0
[DSA statistics]
Keys generated: 0
Signatures: 0
Verifications: 0
[SSL statistics]
Outbound records: 0
Inbound records: 0
[RNG statistics]
Random number requests: 1
Random number request failures: 0
The following table describes what the output entries indicate.

Output                                   Description
Capacity                                 This section pertains to the crypto acceleration that the ASA can support.
Supports hardware crypto                 (True/False) The ASA can support hardware crypto acceleration.
Supports modular hardware crypto         (True/False) Any supported hardware crypto accelerator can be inserted as a separate plug-in card or module.
Max accelerators                         The maximum number of hardware crypto accelerators that the ASA supports.
Max crypto throughput                    The maximum rated VPN throughput for the ASA.
Max crypto connections                   The maximum number of supported VPN tunnels for the ASA.
Global Statistics                        This section pertains to the combined hardware crypto accelerators in the ASA.
Number of active accelerators            The number of active hardware accelerators. An active hardware accelerator has been initialized and is available to process crypto commands.
Number of non-operational accelerators   The number of inactive hardware accelerators. An inactive hardware accelerator has been detected, but either has not completed initialization or has failed and is no longer usable.
Input packets                            The number of inbound packets processed by all hardware crypto accelerators.
Input bytes                              The number of bytes of data in the processed inbound packets.
Output packets                           The number of outbound packets processed by all hardware crypto accelerators.
Output error packets                     The number of outbound packets processed by all hardware crypto accelerators in which an error has been detected.
Output bytes                             The number of bytes of data in the processed outbound packets.
Accelerator 0                            Each of these sections pertains to a crypto accelerator. The first one (Accelerator 0) is always the software crypto engine. Although not a hardware accelerator, the ASA uses it to perform specific crypto tasks, and its statistics appear here. Accelerators 1 and higher are always hardware crypto accelerators.
Status                                   The status of the accelerator, which indicates whether the accelerator is being initialized, is active, or has failed.
Software crypto engine                   The type of accelerator and firmware version (if applicable).
Slot                                     The slot number of the accelerator (if applicable).
Active time                              The length of time that the accelerator has been in the active state.
Total crypto transforms                  The total number of crypto commands that were performed by the accelerator.
Total dropped packets                    The total number of packets that were dropped by the accelerator because of errors.
Input statistics                         This section pertains to input traffic that was processed by the accelerator. Input traffic is considered to be ciphertext that must be decrypted and/or authenticated.
Input packets                            The number of input packets that have been processed by the accelerator.
Input bytes                              The number of input bytes that have been processed by the accelerator.
Input hashed packets                     The number of packets for which the accelerator has performed hash operations.
Input hashed bytes                       The number of bytes over which the accelerator has performed hash operations.
Decrypted packets                        The number of packets for which the accelerator has performed symmetric decryption operations.
Decrypted bytes                          The number of bytes over which the accelerator has performed symmetric decryption operations.
Output statistics                        This section pertains to output traffic that has been processed by the accelerator. Output traffic is considered clear text that must be encrypted and/or hashed.
Output packets                           The number of output packets that have been processed by the accelerator.
Output bad packets                       The number of output packets that have been processed by the accelerator in which an error has been detected.
Output bytes                             The number of output bytes that have been processed by the accelerator.
Output hashed packets                    The number of packets for which the accelerator has performed outbound hash operations.
Output hashed bytes                      The number of bytes over which the accelerator has performed outbound hash operations.
Encrypted packets                        The number of packets for which the accelerator has performed symmetric encryption operations.
Encrypted bytes                          The number of bytes over which the accelerator has performed symmetric encryption operations.
Diffie-Hellman statistics                This section pertains to Diffie-Hellman key exchange operations.
Keys generated                           The number of Diffie-Hellman key sets that have been generated by the accelerator.
Secret keys derived                      The number of Diffie-Hellman shared secrets that have been derived by the accelerator.
RSA statistics                           This section pertains to RSA crypto operations.
Keys generated                           The number of RSA key sets that have been generated by the accelerator.
Signatures                               The number of RSA signature operations that have been performed by the accelerator.
Verifications                            The number of RSA signature verifications that have been performed by the accelerator.
Encrypted packets                        The number of packets for which the accelerator has performed RSA encryption operations.
Decrypted packets                        The number of packets for which the accelerator has performed RSA decryption operations.
Decrypted bytes                          The number of bytes of data over which the accelerator has performed RSA decryption operations.
DSA statistics                           This section pertains to DSA operations. Note that DSA is not supported as of Version 8.2, so these statistics are no longer displayed.
Keys generated                           The number of DSA key sets that have been generated by the accelerator.
Signatures                               The number of DSA signature operations that have been performed by the accelerator.
Verifications                            The number of DSA signature verifications that have been performed by the accelerator.
SSL statistics                           This section pertains to SSL record processing operations.
Outbound records                         The number of SSL records that have been encrypted and authenticated by the accelerator.
Inbound records                          The number of SSL records that have been decrypted and authenticated by the accelerator.
RNG statistics                           This section pertains to random number generation.
Random number requests                   The number of requests to the accelerator for a random number.
Random number request failures           The number of random number requests to the accelerator that did not succeed.

Related Commands
Command                               Description
clear crypto accelerator statistics   Clears the global and accelerator-specific statistics in the crypto accelerator MIB.
clear crypto protocol statistics      Clears the protocol-specific statistics in the crypto accelerator MIB.
show crypto protocol statistics       Displays the protocol-specific statistics from the crypto accelerator MIB.
show crypto ca certificates
To display the certificates associated with a specific trustpoint or to display all the certificates installed
on the system, use the show crypto ca certificates command in global configuration or privileged EXEC
mode.
show crypto ca certificates [trustpointname]

Syntax Description
trustpointname    (Optional) The name of a trustpoint. If you do not specify a name, this command displays all certificates installed on the ASA.

Defaults
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:

                         Firewall Mode            Security Context
                                                  Multiple
Command Mode             Routed   Transparent     Single   Context   System
Global configuration     • Yes    • Yes           • Yes    • Yes     —
Privileged EXEC          • Yes    • Yes           • Yes    • Yes     —

Command History
Release   Modification
7.0(1)    This command was added.

Examples
The following is sample output from the show crypto ca certificates command:
ciscoasa(config)# show crypto ca certificates tp1
CA Certificate
Status: Available
Certificate Serial Number 2957A3FF296EF854FD0D6732FE25B45
Certificate Usage: Signature
Issuer:
CN = ms-root-sha-06-2004
OU = rootou
O = cisco
L = franklin
ST - massachusetts
C = US
EA = [email protected]
Subject:
CN = ms-root-sha-06-2004
OU = rootou
O = cisco
L = franklin
ST = massachusetts
C = US
EA = example.com
CRL Distribution Point
ldap://w2kadvancedsrv/CertEnroll/ms-root-sha-06-2004.crl
Validity Date:
start date: 14:11:40 UTC Jun 26 2004
end date: 14:01:30 UTC Jun 4 2022
Associated Trustpoints: tp2 tp1
ciscoasa(config)#
Related Commands
Command
Description
crypto ca authenticate
Obtains a CA certificate for a specified trustpoint.
crypto ca crl request
Requests a CRL based on the configuration parameters of a specified
trustpoint.
crypto ca enroll
Initiates the enrollment process with a CA.
crypto ca import
Imports a certificate to a specified trustpoint.
crypto ca trustpoint
Enters trustpoint configuration mode for a specified trustpoint.
Cisco ASA Series Command Reference, S Commands
5-20
Chapter
show crypto ca crl
To display all cached CRLs or to display all CRLs cached for a specified trustpoint, use the show crypto
ca crl command in global configuration or privileged EXEC mode.
show crypto ca crl [trustpool | trustpoint <trustpointname>]
Syntax Description
trustpoint trustpointname    (Optional) The name of a trustpoint. If you do not specify a name, this
                             command displays all CRLs cached on the ASA.
trustpool                    The name of the trust pool.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                        Firewall Mode           Security Context
                                                         Multiple
Command Mode            Routed   Transparent    Single   Context   System
Global configuration    • Yes    • Yes          • Yes    • Yes     —
Privileged EXEC         • Yes    • Yes          • Yes    • Yes     —

Command History
Release   Modification
7.0(1)    This command was added.

Examples
The following is sample output from the show crypto ca crl command:
ciscoasa(config)# show crypto ca crl tp1
CRL Issuer Name:
cn=ms-sub1-ca-5-2004,ou=Franklin DevTest,o=Cisco
Systems,l=Franklin,st=MA,c=US,[email protected]
LastUpdate: 19:45:53 UTC Dec 24 2004
NextUpdate: 08:05:53 UTC Jan 1 2005
Retrieved from CRL Distribution Point:
http://win2k-ad2.frk-ms-pki.cisco.com/CertEnroll/ms-sub1-ca-5-2004.crl
Associated Trustpoints: tp1
ciscoasa(config)#
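The following Python script is an added example that serves this section and the preceding show crypto ca certificates section; it is not part of the Cisco documentation or of the ASA software. It parses the CRL cache output shown above together with the Validity Date lines of show crypto ca certificates, and reports whether each cached CRL is still current (a trustpoint that keeps using a CRL past its NextUpdate is validating against revocation data the CA no longer stands behind) and whether each CA certificate is inside its validity period. The sample output embedded in the script is constructed from the documented format (the CDP host name is a placeholder), and the script assumes UTC timestamps as printed in the documentation.

```python
"""Added example: parse 'show crypto ca crl' and 'show crypto ca certificates'
output and flag stale CRLs and CA certificates outside their validity period.
Sample output below is constructed from the documented format; the host name in
the CDP URL is a placeholder. Assumes the ASA clock is set to UTC, which is the
timestamp form shown in the documentation."""
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# ASA timestamp form, e.g. "19:45:53 UTC Dec 24 2004"
_ASA_TIME = "%H:%M:%S UTC %b %d %Y"


def parse_asa_time(text: str) -> datetime:
    return datetime.strptime(text.strip(), _ASA_TIME).replace(tzinfo=timezone.utc)


def parse_crl_cache(output: str) -> List[Dict]:
    """One record per cached CRL: issuer, last_update, next_update, cdp, trustpoints."""
    entries: List[Dict] = []
    cur = None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("CRL Issuer Name:"):
            cur = {"issuer": "", "last_update": None, "next_update": None,
                   "cdp": None, "trustpoints": []}
            entries.append(cur)
        elif cur is None:
            continue  # prompt or command echo before the first CRL
        elif line.startswith("LastUpdate:"):
            cur["last_update"] = parse_asa_time(line.split(":", 1)[1])
        elif line.startswith("NextUpdate:"):
            cur["next_update"] = parse_asa_time(line.split(":", 1)[1])
        elif line.startswith("Retrieved from CRL Distribution Point:"):
            cur["cdp"] = ""  # the URL follows on the next line
        elif cur["cdp"] == "":
            cur["cdp"] = line
        elif line.startswith("Associated Trustpoints:"):
            cur["trustpoints"] = line.split(":", 1)[1].split()
        elif cur["last_update"] is None:
            # still inside the issuer DN, which the ASA wraps across lines
            cur["issuer"] = (cur["issuer"] + " " + line).strip()
    return entries


def crl_status(entry: Dict, now: datetime) -> str:
    """STALE once NextUpdate has passed; FUTURE if LastUpdate is ahead of our clock."""
    if entry["next_update"] is None or now > entry["next_update"]:
        return "STALE"
    if now < entry["last_update"]:
        return "FUTURE"
    return "CURRENT"


def parse_cert_validity(output: str) -> List[Tuple[str, datetime, datetime]]:
    """(serial, not_before, not_after) for each certificate in 'show crypto ca certificates'."""
    certs = []
    serial = start = None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Certificate Serial Number"):
            serial = line.split()[-1]  # handles both "Number X" and "Number: X"
        elif line.startswith("start date:"):
            start = parse_asa_time(line.split(":", 1)[1])
        elif line.startswith("end date:"):
            certs.append((serial, start, parse_asa_time(line.split(":", 1)[1])))
    return certs


def cert_status(not_before: datetime, not_after: datetime, now: datetime) -> str:
    if now < not_before:
        return "NOT_YET_VALID"
    if now > not_after:
        return "EXPIRED"
    return "VALID"


# Constructed sample in the documented format (placeholder CDP host).
SAMPLE_CRL = """\
ciscoasa(config)# show crypto ca crl tp1
CRL Issuer Name:
cn=ms-sub1-ca-5-2004,ou=Franklin DevTest,o=Cisco
Systems,l=Franklin,st=MA,c=US
LastUpdate: 19:45:53 UTC Dec 24 2004
NextUpdate: 08:05:53 UTC Jan 1 2005
Retrieved from CRL Distribution Point:
http://crl.example.com/CertEnroll/ms-sub1-ca-5-2004.crl
Associated Trustpoints: tp1
ciscoasa(config)#
"""

# Constructed sample in the documented 'show crypto ca certificates' format.
SAMPLE_CERTS = """\
CA Certificate
Status: Available
Certificate Serial Number 2957A3FF296EF854FD0D6732FE25B45
Certificate Usage: Signature
Validity Date:
start date: 14:11:40 UTC Jun 26 2004
end date: 14:01:30 UTC Jun 4 2022
Associated Trustpoints: tp2 tp1
"""


def report(now: datetime) -> List[str]:
    lines = []
    for e in parse_crl_cache(SAMPLE_CRL):
        lines.append(f"CRL {e['issuer']}: {crl_status(e, now)} "
                     f"(trustpoints {' '.join(e['trustpoints'])})")
    for serial, nb, na in parse_cert_validity(SAMPLE_CERTS):
        lines.append(f"CA cert {serial}: {cert_status(nb, na, now)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(datetime.now(timezone.utc))))
```

Run against live output by replacing the two sample strings with captured command output; the same parser handles several CRLs in one listing because each "CRL Issuer Name:" line starts a new record.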
Related Commands
Command
Description
crypto ca authenticate
Obtains a CA certificate for a specified trustpoint.
crypto ca crl request
Requests a CRL based on the configuration parameters of a specified
trustpoint.
crypto ca enroll
Initiates the enrollment process with a CA.
crypto ca import
Imports a certificate to a specified trustpoint.
crypto ca trustpoint
Enters trustpoint configuration mode for a specified trustpoint.
Cisco ASA Series Command Reference, S Commands
5-22
Chapter
show crypto ca server
To display the status of the local CA configuration on the ASA, use the show crypto ca server command
in ca server configuration, global configuration, or privileged EXEC mode.
show crypto ca server
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                          Firewall Mode           Security Context
                                                           Multiple
Command Mode              Routed   Transparent    Single   Context   System
Ca server configuration   • Yes    —              • Yes    —         —
Global configuration      • Yes    —              • Yes    —         —
Privileged EXEC           • Yes    —              • Yes    —         —

Command History
Release   Modification
8.0(2)    This command was added.

Examples
The following is sample output from the show crypto ca server command:
ciscoasa# show crypto ca server
#Certificate Server LOCAL-CA-SERVER:
Status: disabled
State: disabled
Server's configuration is unlocked (enter "no shutdown" to lock it)
Issuer name: CN=asa1.cisco.com
CA cert fingerprint: -Not found-
Last certificate issued serial number: 0x0
CA certificate expiration timer: 00:00:00 UTC Jan 1 2009
CRL not present.
Current primary storage dir: nvram:
ciscoasa#
Related Commands
Command
Description
crypto ca server
Provides access to the ca server configuration mode CLI command set,
which allows you to configure and manage the local CA.
debug crypto ca server
Shows debugging messages when you configure the local CA server.
show crypto ca server
certificate
Displays the certificate of the local CA in base64 format.
show crypto ca server crl
Displays the lifetime of the local CA CRL.
Cisco ASA Series Command Reference, S Commands
5-24
Chapter
show crypto ca server cert-db
To display all or a subset of local CA server certificates, including those issued to a specific user, use the
show crypto ca server cert-db command in ca server configuration, global configuration, or privileged
EXEC mode.
show crypto ca server cert-db [username username | allowed | enrolled | expired | on-hold]
[serial certificate-serial-number]
Syntax Description
allowed                            Specifies that users who are allowed to enroll appear, regardless of
                                   the status of their certificate.
enrolled                           Specifies that users with valid certificates appear.
expired                            Specifies that users holding expired certificates appear.
on-hold                            Specifies that users who have not yet enrolled appear.
serial certificate-serial-number   Specifies the serial number of a specific certificate that displays.
                                   The serial number must be in hexadecimal format.
username username                  Specifies the certificate owner. The username may be a username or
                                   an e-mail address. For e-mail addresses, it is the e-mail address
                                   used to contact and deliver the one-time password (OTP) to the end
                                   user. An e-mail address is required to enable e-mail notifications
                                   for the end user.
Defaults
By default, if no username or certificate serial number is specified, the entire database of issued
certificates appears.
Command Modes
The following table shows the modes in which you can enter the command:

                          Firewall Mode           Security Context
                                                           Multiple
Command Mode              Routed   Transparent    Single   Context   System
Ca server configuration   • Yes    —              • Yes    —         —
Global configuration      • Yes    —              • Yes    —         —
Privileged EXEC           • Yes    —              • Yes    —         —

Command History
Release   Modification
8.0(2)    This command was added.

Usage Guidelines
The show crypto ca server cert-db command displays a list of the user certificates that are issued by
the local CA server. You can display a subset of the certificate database by specifying a specific
username with one or more of the optional certificate-type keywords, and/or with an optional certificate
serial number.
If you specify a username without a keyword or a serial number, all of the certificates issued for that user
appear. For each user, the output shows the username, e-mail address, domain name, the time period for
which enrollment is allowed, and the number of times that the user has been notified with an enrollment
invitation.
In addition, the following information appears in the output:
• The NOTIFIED field is required to support multiple reminders. It tracks when a user needs to be
  notified of the OTP for enrollment and the reminder notification attempts. This field is set to 0
  initially. It is incremented to 1 when the user entry is marked as being allowed to enroll. At this time,
  the initial OTP notification is generated.
• The NOTIFY field is incremented each time a reminder is sent. Three notifications are sent before
  the OTP is due to expire. A notification is sent when the user is allowed to enroll, at the mid-point
  of the expiration, and when ¾ of the expiration time has passed. This field is used only for
  administrator-initiated enrollments. For automatic certificate renewals, the NOTIFY field in the
  certificate database is used.
Note
While the notification counter in this command is used to track the number of times a user
is notified to renew a certificate before expiration, the notification counter in show crypto ca
server user-db is used to track the number of times a user is notified to enroll for the
certificate. Renewal notifications are tracked under cert-db and not included in user-db.
Each certificate displays the certificate serial number, the issued and expired dates, and the certificate
status (Revoked/Not Revoked).
Examples
The following example requests the display of all of the certificates issued by the local CA server for
the user named asa:
ciscoasa# show crypto ca server cert-db username asa
Username: asa
Renewal allowed until: Not Allowed
Number of times user notified: 0
PKCS12 file stored until: 10:28:05 UTC Wed Sep 25 2013
Certificates Issued:
serial: 0x2
issued: 10:28:04 UTC Tue Sep 24 2013
expired: 10:28:04 UTC Thu Sep 26 2013
status: Not Revoked
The following example requests the display of all the certificates issued by the local CA server with a
serial number of 0x2:
ciscoasa# show crypto ca server cert-db serial 2
Username:asa
Renewal allowed until: Not Allowed
Number of times user notified: 0
PKCS12 file stored until: 10:28:05 UTC Wed Sep 25 2013
Certificates Issued:
serial: 0x2
issued: 10:28:04 UTC Tue Sep 24 2013
expired: 10:28:04 UTC Thu Sep 26 2013
status: Not Revoked
The following example requests the display of all of the certificates issued by the local CA server:
ciscoasa# show crypto ca server cert-db
Username: asa
Renewal allowed until: Not Allowed
Number of times user notified: 0
PKCS12 file stored until: 10:28:05 UTC Wed Sep 25 2013
Certificates Issued:
serial: 0x2
issued: 10:28:04 UTC Tue Sep 24 2013
expired: 10:28:04 UTC Thu Sep 26 2013
status: Not Revoked
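The following Python script is an added example, not part of the Cisco documentation or of the ASA software. It parses the cert-db output above into per-user records and reports revoked certificates and unrevoked certificates that expire within a chosen number of days, which is the check an administrator runs before the renewal notifications described above are exhausted. The embedded sample is constructed from the documented format; the second user, jdoe, and serials 0x3 and 0x4 are invented for illustration, and UTC timestamps are assumed as printed in the documentation.

```python
"""Added example: parse 'show crypto ca server cert-db' output and report
certificates that are revoked or close to expiry. Sample output is constructed
from the documented format; the user 'jdoe' and serials 0x3/0x4 are invented.
Assumes the ASA prints UTC timestamps as in the documentation."""
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# cert-db timestamp form, e.g. "10:28:04 UTC Tue Sep 24 2013"
_CERT_DB_TIME = "%H:%M:%S UTC %a %b %d %Y"


def parse_asa_time(text: str) -> datetime:
    return datetime.strptime(text.strip(), _CERT_DB_TIME).replace(tzinfo=timezone.utc)


def parse_cert_db(output: str) -> List[Dict]:
    """One record per user: username, notification count and the certificates issued."""
    users: List[Dict] = []
    user = cert = None
    for raw in output.splitlines():
        if ":" not in raw:
            continue  # prompt lines and the command echo carry no field
        key, value = (part.strip() for part in raw.split(":", 1))
        if key == "Username":  # the ASA prints both "Username: x" and "Username:x"
            user = {"username": value, "notified": 0, "certs": []}
            users.append(user)
            cert = None
        elif user is None:
            continue
        elif key == "Number of times user notified":
            user["notified"] = int(value)
        elif key == "serial":
            cert = {"serial": int(value, 16), "issued": None, "expires": None, "revoked": False}
            user["certs"].append(cert)
        elif cert is not None and key == "issued":
            cert["issued"] = parse_asa_time(value)
        elif cert is not None and key == "expired":  # the ASA labels the not-after time "expired"
            cert["expires"] = parse_asa_time(value)
        elif cert is not None and key == "status":
            cert["revoked"] = value.lower() == "revoked"
    return users


def expiring_certificates(users: List[Dict], now: datetime,
                          within_days: int) -> List[Tuple[str, int, float]]:
    """(username, serial, days_left) for unrevoked certificates expiring within the window."""
    hits = []
    for u in users:
        for c in u["certs"]:
            if c["revoked"] or c["expires"] is None:
                continue
            days_left = (c["expires"] - now).total_seconds() / 86400
            if days_left <= within_days:
                hits.append((u["username"], c["serial"], round(days_left, 1)))
    return hits


def revoked_certificates(users: List[Dict]) -> List[Tuple[str, int]]:
    return [(u["username"], c["serial"]) for u in users for c in u["certs"] if c["revoked"]]


# Constructed sample: the first user is the documented one, the second is invented.
SAMPLE_CERT_DB = """\
ciscoasa# show crypto ca server cert-db
Username: asa
Renewal allowed until: Not Allowed
Number of times user notified: 0
PKCS12 file stored until: 10:28:05 UTC Wed Sep 25 2013
Certificates Issued:
serial: 0x2
issued: 10:28:04 UTC Tue Sep 24 2013
expired: 10:28:04 UTC Thu Sep 26 2013
status: Not Revoked
Username:jdoe
Renewal allowed until: Not Allowed
Number of times user notified: 2
PKCS12 file stored until: 10:28:05 UTC Wed Sep 25 2013
Certificates Issued:
serial: 0x3
issued: 09:00:00 UTC Mon Sep 23 2013
expired: 09:00:00 UTC Tue Sep 23 2014
status: Revoked
serial: 0x4
issued: 09:05:00 UTC Mon Sep 23 2013
expired: 09:05:00 UTC Tue Sep 23 2014
status: Not Revoked
"""


def report(now: datetime, within_days: int = 7) -> List[str]:
    users = parse_cert_db(SAMPLE_CERT_DB)
    lines = [f"REVOKED  user={u} serial=0x{s:x}" for u, s in revoked_certificates(users)]
    for u, s, days in expiring_certificates(users, now, within_days):
        lines.append(f"EXPIRING user={u} serial=0x{s:x} days_left={days}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(datetime.now(timezone.utc))))
```

The expiry window is measured against the time passed in, so the same function can be run from a scheduled job with the device's current time.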
Related Commands
Command
Description
crypto ca server
Provides access to the ca server configuration mode CLI command set,
which allows you to configure and manage the local CA.
crypto ca server revoke
Marks a certificate issued by the local CA server as revoked in both the
certificate database and CRL.
lifetime crl
Specifies the lifetime of the CRL.
show crypto ca server certificate
To display the certificate for the local CA server in base64 format, use the show crypto ca server
certificate command in ca server configuration, global configuration, or privileged EXEC mode.
show crypto ca server certificate
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                          Firewall Mode           Security Context
                                                           Multiple
Command Mode              Routed   Transparent    Single   Context   System
Ca server configuration   • Yes    —              • Yes    —         —
Global configuration      • Yes    —              • Yes    —         —
Privileged EXEC           • Yes    —              • Yes    —         —

Command History
Release   Modification
8.0(2)    This command was added.
Usage Guidelines
The show crypto ca server certificate command displays the local CA server certificate in base64
format. This display allows you to cut and paste a certificate while exporting it to other devices that need
to trust the local CA server.
Examples
The following is sample output from the show crypto ca server certificate command:
ciscoasa# show crypto ca server certificate
The base64 encoded local CA certificate follows:
MIIXlwIBAzCCF1EGCSqGSIb3DQEHAaCCF0IEghc+
MIIXOjCCFzYGCSqGSIb3DQEHBqCCFycwghcjAgEAM
IIXHAYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQ
Ijph4SxJoyTgCAQGAghbw3v4bFy+GGG2dJnB4OLphs
UM+IG3SDOiDwZG9n1SvtMieoxd7Hxknxbum06JDruj
WKtHBIqkrm+td34qlNE1iGeP2YC94/NQ2z+4kS+uZzw
cRhl1KEZTS1E4L0fSaC3uMTxJq2NUHYWmoc8pi4CIeL
j3h7VVMy6qbx2AC8I+q57+QG5vG5l5Hi5imwtYfaWwP
EdPQxaWZPrzoG1J8BFqdPa1jBGhAzzuSmElm3j/2dQ3
Atro1G9nIsRHgV39fcBgwz4fEabHG7/Vanb+fj81d
5nlOiJjDYYbP86tvbZ2yOVZR6aKFVI0b2AfCr6Pbw
fC9U8Z/aF3BCyM2sN2xPJrXva94CaYrqyotZdAkSYA
5KWScyEcgdqmuBeGDKOncTknfgy0XM+fG5rb3qAXy1
GkjyFI5Bm9Do6RUROoG1DSrQrKeq/hj….
ciscoasa#
Related Commands
Command
Description
crypto ca server
Provides access to the ca server configuration mode CLI command set,
which allows you to configure and manage a local CA.
issuer-name
Specifies the subject-name DN of the certificate authority certificate.
keysize
Specifies the size of the public and private keys generated at user certificate
enrollment.
lifetime
Specifies the lifetime of the CA certificate and issued certificates.
show crypto ca server
Displays the local CA configuration in ASCII text format.
show crypto ca server crl
To display the current CRL of the local CA, use the show crypto ca server crl command in ca server
configuration, global configuration, or privileged EXEC mode.
show crypto ca server crl
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                          Firewall Mode           Security Context
                                                           Multiple
Command Mode              Routed   Transparent    Single   Context   System
Ca server configuration   • Yes    —              • Yes    —         —
Global configuration      • Yes    —              • Yes    —         —
Privileged EXEC           • Yes    —              • Yes    —         —

Command History
Release   Modification
8.0(2)    This command was added.

Examples
The following is sample output from the show crypto ca server crl command:
ciscoasa# show crypto ca server crl
asa5540(config)# sh cry ca ser crl
Certificate Revocation List:
Issuer: cn=asa5540.frqa.cisco.com
This Update: 07:32:27 UTC Oct 16 2006
Next Update: 13:32:27 UTC Oct 16 2006
Number of CRL entries: 0
CRL size: 232 bytes
asa5540(config)#
ciscoasa#
Related Commands
Command
Description
cdp-url
Specifies the CRL distribution point (CDP) to be included in the
certificates issued by the CA.
crypto ca server
Provides access to the ca server configuration mode CLI command set,
which allows you to configure and manage the local CA.
crypto ca server revoke
Marks a certificate issued by the local CA server as revoked in the
certificate database and CRL.
lifetime crl
Specifies the lifetime of the CRL.
show crypto ca server
Displays the status of the CA configuration.
show crypto ca server user-db
To display users included in the local CA server user database, use the show crypto ca server user-db
command in ca server configuration, global configuration, or privileged EXEC mode.
show crypto ca server user-db [ expired | allowed | on-hold | enrolled]
Syntax Description
allowed
(Optional) Specifies that users who are allowed to enroll display, regardless
of the status of their certificate.
enrolled
(Optional) Specifies that users with valid certificates display.
expired
(Optional) Specifies that users holding expired certificates display.
on-hold
(Optional) Specifies that users who have not enrolled yet display.
Defaults
By default, all users in the database display if no keywords are entered.
Command Modes
The following table shows the modes in which you can enter the command:

                          Firewall Mode           Security Context
                                                           Multiple
Command Mode              Routed   Transparent    Single   Context   System
Ca server configuration   • Yes    —              • Yes    —         —
Global configuration      • Yes    —              • Yes    —         —
Privileged EXEC           • Yes    —              • Yes    —         —

Command History
Release   Modification
8.0(2)    This command was added.

Examples
The following example displays currently enrolled users:
ciscoasa# show crypto ca server user-db enrolled
Username      DN                      Certificate issued   Certificate expiration
exampleuser   cn=Example User,o=...   5/31/2009            5/31/2010
ciscoasa#
Usage Guidelines
While the notification counter in this command is used to track the number of times a user is notified to
enroll for the certificate, the notification counter in show crypto ca server cert-db is used to track the
number of times a user is notified to renew a certificate before expiration. Renewal notifications are
tracked under cert-db and not included in user-db.
Related Commands
Command
Description
crypto ca server user-db add
Adds a user to the CA server user database.
crypto ca server user-db allow
Allows a specific user or a subset of users in the CA server
database to enroll with the local CA.
crypto ca server user-db remove Removes a user from the CA server user database.
crypto ca server user-db write
Writes user information configured in the local CA database to
storage.
show crypto ca server cert-db
Displays all certificates issued by the local CA.
show crypto ca trustpool
To display the certificates that constitute the trustpool, use the show crypto ca trustpool command in
privileged EXEC mode.
show crypto ca trustpool [detail]
Syntax Description
This command has no arguments or keywords.
Defaults
This command shows an abbreviated display of all the trustpool certificates. When the “detail” option is
specified, more information is included.
Command Modes
The following table shows the modes in which you can enter the command:

                        Firewall Mode           Security Context
                                                         Multiple
Command Mode            Routed   Transparent    Single   Context   System
Privileged EXEC         • Yes    • Yes          • Yes    —         —

Command History
Release   Modification
9.0(1)    This command was added.
Usage Guidelines
The output of the show crypto ca trustpool command includes the fingerprint value of each certificate.
These values are required for removal operation.
Examples
ciscoasa# show crypto ca trustpool
CA Certificate
Status: Available
Certificate Serial Number: 6c386c409f4ff4944154635da520ed4c
Certificate Usage: Signature
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name: cn=bxb2008-root
dc=bdb2008
dc=mycompany
dc=com
Subject Name:
cn=bxb2008-root
dc=bxb2008
dc=cisco
dc=com
Validity Date:
start date:17:21:06 EST Jan 14 2009
end date:17:31:06 EST Jan 14 2024
CA Certificate
Status: Available
Certificate Serial Number: 58d1c756000000000059
Certificate Usage: Signature
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=bxb2008-root
dc=bxb2008
dc=mycompany
dc=com
Subject Name:
cn=BXB2008SUB1-CA
dc=bxb2008
dc=cisco
dc=com
OCSP AIA:
URL: http://bxb2008-1.bxb2008.mycompany.com/ocsp
CRL Distribution Points:
(1) http://bxb2008-1.bxb2008.mycompany.com/CertEnroll/bxb2008-root.crl
Validity Date:
start date:11:54:34 EST May 18 2009
end date:12:04:34 EST May 18 2011
Related Commands
Command
Description
clear crypto ca trustpool
Removes all certificates from the trustpool.
crypto ca trustpool import
Imports certificates that constitute the PKI trustpool.
crypto ca trustpool remove
Removes a single specified certificate from the trustpool.
show crypto ca trustpool policy
To display the configured trustpool policy and process any applied certificate maps to show how those
impact the policy, use the show crypto ca trustpool policy command in privileged EXEC mode.
show crypto ca trustpool policy
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                        Firewall Mode           Security Context
                                                         Multiple
Command Mode            Routed   Transparent    Single   Context   System
Privileged EXEC         • Yes    • Yes          • Yes    —         —

Command History
Release   Modification
9.0(1)    This command was added.
9.5(2)    The ability to show status and results of automatic import of trustpool
          certificates was added.

Examples
ciscoasa(config)# sh run cry ca cert map
crypto ca certificate map map1 1
issuer-name eq cn = mycompany manufacturing ca
issuer-name eq cn = mycompany ca
crypto ca certificate map map 2 1
issuer-name eq cn = mycompany manufacturing ca
issuer-name eq cn = mycompany ca2
ciscoasa(config)#
ciscoasa(config)# sh run crypto ca trustpool policy
crypto ca trustpool policy
auto-import url http://www.thawte.com
revocation-check none
match certificate map2 allow expired-certificate
match certificate map1 skip revocation-check
crl cache-time 123
crl enforcenextupdate
auto-import
auto-import url http://www.thawte.com
auto-import time 22:00:00
ciscoasa(config)#
ciscoasa# show crypto ca trustpool policy
800 trustpool certificates installed
Trustpool auto import statistics:
Last import result: SUCCESS
Next scheduled import at 22:00:00 Tues Jul 21 2015
Trustpool Policy
Trustpool revocation checking is disabled
CRL cache time: 123 seconds
CRL next update field: required and forced
Automatic import of trustpool certificates is enabled
Automatic import URL: http://www.thawte.com
Download time: 22:00:00
Policy overrides:
map: map1
match:issuer-name eq cn=Mycompany Manufacturing CA
match:issuer-name eq cn=Mycompany CA
action:skip revocation-check
map: map2
match: issuer-name eq cn=mycompany Manufacturing CA
match: issuer-name eq cn=mycompany CA2
action: allowed expired certificates
ciscoasa(config)#
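The following Python script is an added example, not part of the Cisco documentation or of the ASA software. It parses the show crypto ca trustpool policy output above and lists the settings that reduce trustpool validation: revocation checking disabled, certificate-map overrides that skip the revocation check or allow expired certificates, a failed last automatic import, and an auto-import URL that is not HTTPS. Which settings count as findings is the example's own choice; the sample output is constructed from the documented format with a placeholder import URL.

```python
"""Added example: parse 'show crypto ca trustpool policy' output and flag
settings that weaken trustpool validation. Sample output is constructed from
the documented format; the import URL is a placeholder. Which settings count
as findings is this example's own policy, not an ASA rule."""
import re
from typing import Dict, List

# The ASA prints override lines as both "match:x" and "match: x".
_MAP_LINE = re.compile(r"^(map|match|action)\s*:\s*(.*)$")


def parse_trustpool_policy(output: str) -> Dict:
    policy: Dict = {"installed": None, "last_import": None, "revocation_check": None,
                    "crl_cache_seconds": None, "auto_import": False,
                    "import_url": None, "overrides": []}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r"^(\d+) trustpool certificates installed", line)
        if m:
            policy["installed"] = int(m.group(1))
        elif line.startswith("Last import result:"):
            policy["last_import"] = line.split(":", 1)[1].strip()
        elif line.startswith("Trustpool revocation checking is"):
            policy["revocation_check"] = line.rsplit(None, 1)[1]  # "enabled" / "disabled"
        elif line.startswith("CRL cache time:"):
            policy["crl_cache_seconds"] = int(re.search(r"\d+", line).group())
        elif line.startswith("Automatic import of trustpool certificates is"):
            policy["auto_import"] = line.endswith("enabled")
        elif line.startswith("Automatic import URL:"):
            policy["import_url"] = line.split(":", 1)[1].strip()
        else:
            m = _MAP_LINE.match(line)
            if not m:
                continue
            kind, value = m.groups()
            if kind == "map":  # each "map:" line opens a new override block
                current = {"map": value, "match": [], "actions": []}
                policy["overrides"].append(current)
            elif current is not None:
                current["match" if kind == "match" else "actions"].append(value)
    return policy


def audit_trustpool_policy(policy: Dict) -> List[str]:
    findings = []
    if policy["revocation_check"] != "enabled":
        findings.append("revocation checking is disabled for trustpool certificates")
    if policy["auto_import"] and policy["last_import"] not in (None, "SUCCESS"):
        findings.append(f"last automatic import did not succeed: {policy['last_import']}")
    url = policy["import_url"] or ""
    if policy["auto_import"] and not url.lower().startswith("https://"):
        findings.append(f"auto-import URL is not HTTPS ({url}); review how the bundle is authenticated")
    for o in policy["overrides"]:
        matches = "; ".join(o["match"])
        for action in o["actions"]:
            if "skip revocation-check" in action:
                findings.append(f"map {o['map']} skips revocation checking for: {matches}")
            if "expired" in action:
                findings.append(f"map {o['map']} allows expired certificates for: {matches}")
    return findings


# Constructed sample in the documented format (placeholder import URL).
SAMPLE_POLICY = """\
ciscoasa# show crypto ca trustpool policy
800 trustpool certificates installed
Trustpool auto import statistics:
Last import result: SUCCESS
Next scheduled import at 22:00:00 Tues Jul 21 2015
Trustpool Policy
Trustpool revocation checking is disabled
CRL cache time: 123 seconds
CRL next update field: required and forced
Automatic import of trustpool certificates is enabled
Automatic import URL: http://www.example.com
Download time: 22:00:00
Policy overrides:
map: map1
match:issuer-name eq cn=Mycompany Manufacturing CA
match:issuer-name eq cn=Mycompany CA
action:skip revocation-check
map: map2
match: issuer-name eq cn=mycompany Manufacturing CA
match: issuer-name eq cn=mycompany CA2
action: allowed expired certificates
"""


if __name__ == "__main__":
    for finding in audit_trustpool_policy(parse_trustpool_policy(SAMPLE_POLICY)):
        print("FINDING:", finding)
```

Each override is reported together with the issuer-name matches it applies to, so the reviewer can see which CAs are exempted from revocation or expiry checks rather than only that an exemption exists.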
Related Commands
Command
Description
crypto ca trustpool policy
Enters a submode that provides the commands that define the
trustpool policy.
show crypto debug-condition
To display the currently configured filters, the unmatched states, and the error states for IPsec and
ISAKMP debugging messages, use the show crypto debug-condition command in global configuration
mode.
show crypto debug-condition
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                        Firewall Mode           Security Context
                                                         Multiple
Command Mode            Routed   Transparent    Single   Context   System
Global configuration    • Yes    • Yes          • Yes    • Yes     —

Command History
Release   Modification
8.0(2)    This command was added.
9.0(1)    Support for multiple context mode was added.

Examples
The following example shows the filtering conditions:
ciscoasa(config)# show crypto debug-condition
Crypto conditional debug is turned ON
IKE debug context unmatched flag: OFF
IPsec debug context unmatched flag: ON
IKE peer IP address filters:
1.1.1.0/24
2.2.2.2
IKE user name filters:
my_user
Related Commands
Command                            Description
debug crypto condition             Sets filtering conditions for IPsec and ISAKMP debugging messages.
debug crypto condition error       Shows debugging messages whether or not filtering conditions have
                                   been specified.
debug crypto condition unmatched   Shows debugging messages for IPsec and ISAKMP that do not
                                   include sufficient context information for filtering.
show crypto ikev1 sa
To display the IKEv1 runtime SA database, use the show crypto ikev1 sa command in global
configuration mode or privileged EXEC mode.
show crypto ikev1 sa [detail]
Syntax Description
detail    Displays detailed output about the SA database.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                        Firewall Mode           Security Context
                                                         Multiple
Command Mode            Routed   Transparent    Single   Context   System
Global configuration    • Yes    —              • Yes    • Yes     —
Privileged EXEC         • Yes    —              • Yes    —         —

Command History
Release   Modification
8.4(1)    This command was added.
9.0(1)    Support for multiple context mode was added.

Usage Guidelines
The output from this command includes the following fields:

Detail not specified.
IKE Peer          Type   Dir    Rky   State
209.165.200.225   L2L    Init   No    MM_Active

Detail specified.
IKE Peer          Type   Dir    Rky   State       Encrypt   Hash   Auth      Lifetime
209.165.200.225   L2L    Init   No    MM_Active   3des      md5    preshrd   86400
Examples
The following example, entered in global configuration mode, displays detailed information about the
SA database:
ciscoasa(config)# show crypto ikev1 sa detail
    IKE Peer          Type   Dir    Rky   State       Encrypt   Hash   Auth      Lifetime
1   209.165.200.225   User   Resp   No    AM_Active   3des      SHA    preshrd   86400
2   209.165.200.226   User   Resp   No    AM_ACTIVE   3des      SHA    preshrd   86400
3   209.165.200.227   User   Resp   No    AM_ACTIVE   3des      SHA    preshrd   86400
4   209.165.200.228   User   Resp   No    AM_ACTIVE   3des      SHA    preshrd   86400
ciscoasa(config)#
Related Commands
Command                             Description
show crypto ikev2 sa                Displays the IKEv2 runtime SA database.
show running-config crypto isakmp   Displays all the active ISAKMP configuration.
show crypto ikev2 sa
To display the IKEv2 runtime SA database, use the show crypto ikev2 sa command in global
configuration mode or privileged EXEC mode.
show crypto ikev2 sa [detail]
Syntax Description
detail    Displays detailed output about the SA database.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                        Firewall Mode           Security Context
                                                         Multiple
Command Mode            Routed   Transparent    Single   Context   System
Global configuration    • Yes    —              • Yes    • Yes     —
Privileged EXEC         • Yes    —              • Yes    —         —

Command History
Release   Modification
8.4(1)    This command was added.
9.0(1)    Support for multiple context mode was added.

Usage Guidelines
The output from this command includes the following fields:

Detail not specified.
IKE Peer          Type   Dir    Rky   State
209.165.200.225   L2L    Init   No    MM_Active

Detail specified.
IKE Peer          Type   Dir    Rky   State       Encrypt   Hash   Auth      Lifetime
209.165.200.225   L2L    Init   No    MM_Active   3des      md5    preshrd   86400
Examples
The following example, entered in global configuration mode, displays detailed information about the
SA database:
ciscoasa(config)# show crypto ikev2 sa detail
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id    Local          Remote                 Status   Role
671069399    10.0.0.0/500   10.255.255.255/500     READY    INITIATOR
Encr: AES-GCM, keysize: 256, Hash: N/A, DH Grp:20, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/188 sec
Session-id: 1
Status Description: Negotiation done
Local spi: 80173A0373C2D403
Remote spi: AE8AEFA1B97DBB22
Local id: asa
Remote id: asa1
Local req mess id: 8
Remote req mess id: 7
Local next mess id: 8
Remote next mess id: 7
Local req queued: 8
Remote req queued: 7
Local window: 1
Remote window: 1
DPD configured for 10 seconds, retry 2
NAT-T is not detected
Child sa: local selector 0.0.0.0/0 - 255.255.255.255/65535
remote selector 0.0.0.0/0 - 255.255.255.255/65535
ESP spi in/out: 0x242a3da5/0xe6262034
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-GCM, keysize: 128, esp_hmac: N/A
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
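The following Python script is an added example that serves this section and the preceding show crypto ikev1 sa section; it is not part of the Cisco documentation or of the ASA software. It parses the IKEv1 detail rows and the IKEv2 detail output shown above and flags SAs negotiated with weak algorithms (DES or 3DES encryption, MD5 integrity, or a Diffie-Hellman group below 14). The weak-algorithm thresholds are the example's own assumptions, and the embedded samples are constructed from the documented formats: the second IKEv1 row and the second IKEv2 session are invented so that a clean and a weak negotiation appear side by side.

```python
"""Added example: audit IKEv1 and IKEv2 SAs from 'show crypto ikev1 sa detail'
and 'show crypto ikev2 sa detail' output for weak algorithms. The thresholds
below are this example's assumptions; sample output is constructed from the
documented formats, with a second IKEv1 row and a second IKEv2 session invented."""
import re
from typing import Dict, List

WEAK_ENCR = {"des", "3des"}   # assumption: anything weaker than AES is flagged
WEAK_HASH = {"md5"}           # assumption: MD5 integrity is flagged
MIN_DH_GROUP = 14             # assumption: groups below 2048-bit MODP are flagged

# "1   209.165.200.225   User   Resp   No    AM_Active   3des   SHA   preshrd   86400"
_IKEV1_ROW = re.compile(
    r"^\s*\d+\s+(?P<peer>\S+)\s+\S+\s+\S+\s+\S+\s+(?P<state>\S+)\s+"
    r"(?P<encr>\S+)\s+(?P<hash>\S+)\s+(?P<auth>\S+)\s+(?P<lifetime>\d+)\s*$")
# "671069399    10.0.0.0/500   10.255.255.255/500     READY    INITIATOR"
_IKEV2_TUNNEL = re.compile(r"^\s*(?P<tid>\d+)\s+\S+/\d+\s+(?P<peer>\S+)/\d+\s+\S+\s+\S+\s*$")
# "Encr: AES-GCM, keysize: 256, Hash: N/A, DH Grp:20, Auth sign: PSK, ..."
_IKEV2_PROPOSAL = re.compile(
    r"Encr:\s*(?P<encr>\S+),\s*keysize:\s*(?P<keysize>\d+),\s*Hash:\s*(?P<hash>\S+),"
    r"\s*DH Grp:\s*(?P<dh>\d+)")


def parse_ikev1_detail(output: str) -> List[Dict]:
    sas = []
    for line in output.splitlines():
        m = _IKEV1_ROW.match(line)
        if m:
            sas.append({"version": 1, "peer": m["peer"], "encr": m["encr"].lower(),
                        "hash": m["hash"].lower(), "dh": None, "keysize": None,
                        "auth": m["auth"], "state": m["state"]})
    return sas


def parse_ikev2_detail(output: str) -> List[Dict]:
    sas, peer = [], None
    for line in output.splitlines():
        t = _IKEV2_TUNNEL.match(line)
        if t:
            peer = t["peer"]  # the IKE SA proposal line for this tunnel follows
            continue
        p = _IKEV2_PROPOSAL.search(line)
        if p and peer is not None:
            sas.append({"version": 2, "peer": peer, "encr": p["encr"].lower(),
                        "hash": p["hash"].lower(), "dh": int(p["dh"]),
                        "keysize": int(p["keysize"]), "auth": None, "state": None})
            peer = None  # child SA 'Encr:' lines carry no 'Hash:' field and are skipped
    return sas


def audit_ike_sas(sas: List[Dict]) -> List[str]:
    findings = []
    for sa in sas:
        tag = f"IKEv{sa['version']} peer {sa['peer']}"
        if sa["encr"] in WEAK_ENCR:
            findings.append(f"{tag}: weak encryption {sa['encr']}")
        if sa["hash"] in WEAK_HASH:
            findings.append(f"{tag}: weak integrity hash {sa['hash']}")
        if sa["dh"] is not None and sa["dh"] < MIN_DH_GROUP:
            findings.append(f"{tag}: DH group {sa['dh']} is below group {MIN_DH_GROUP}")
    return findings


# Constructed samples: first rows/sessions follow the documentation, the second ones are invented.
SAMPLE_IKEV1 = """\
ciscoasa(config)# show crypto ikev1 sa detail
    IKE Peer          Type   Dir    Rky   State       Encrypt   Hash   Auth      Lifetime
1   209.165.200.225   User   Resp   No    AM_Active   3des      SHA    preshrd   86400
2   209.165.200.226   L2L    Init   No    MM_Active   aes       SHA    preshrd   86400
ciscoasa(config)#
"""

SAMPLE_IKEV2 = """\
ciscoasa(config)# show crypto ikev2 sa detail
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id    Local          Remote                 Status   Role
671069399    10.0.0.0/500   10.255.255.255/500     READY    INITIATOR
Encr: AES-GCM, keysize: 256, Hash: N/A, DH Grp:20, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/188 sec
Child sa: local selector 0.0.0.0/0 - 255.255.255.255/65535
Encr: AES-GCM, keysize: 128, esp_hmac: N/A
Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id    Local          Remote                 Status   Role
671069400    10.0.0.0/500   10.255.255.254/500     READY    RESPONDER
Encr: 3DES, keysize: 192, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/20 sec
"""


if __name__ == "__main__":
    for finding in audit_ike_sas(parse_ikev1_detail(SAMPLE_IKEV1) + parse_ikev2_detail(SAMPLE_IKEV2)):
        print("FINDING:", finding)
```

The IKEv1 detail rows do not print the Diffie-Hellman group, so the group check only applies to IKEv2 SAs; both parsers produce the same record shape so one audit function covers both.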
Related Commands
Command                             Description
show crypto ikev1 sa                Displays the IKEv1 runtime SA database.
show running-config crypto isakmp   Displays all the active ISAKMP configuration.
show crypto ipsec df-bit
To display the IPsec DF-bit policy for IPsec packets for a specified interface, use the show crypto ipsec
df-bit command in global configuration mode and privileged EXEC mode.
show crypto ipsec df-bit interface
Syntax Description
interface    Specifies an interface name.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:

                        Firewall Mode           Security Context
                                                         Multiple
Command Mode            Routed   Transparent    Single   Context   System
Global configuration    • Yes    • Yes          • Yes    —         —
Privileged EXEC         • Yes    • Yes          • Yes    —         —

Command History
Release   Modification
7.0(1)    This command was added.

Examples
The following example displays the IPsec DF-bit policy for interface named inside:
ciscoasa(config)# show crypto ipsec df-bit inside
df-bit inside copy
ciscoasa(config)#
Related Commands
Command
Description
crypto ipsec df-bit
Configures the IPsec DF-bit policy for IPsec packets.
crypto ipsec fragmentation
Configures the fragmentation policy for IPsec packets.
show crypto ipsec fragmentation
Displays the fragmentation policy for IPsec packets.
show crypto ipsec fragmentation
To display the fragmentation policy for IPsec packets, use the show crypto ipsec fragmentation
command in global configuration or privileged EXEC mode.
show crypto ipsec fragmentation interface
Syntax Description
interface    Specifies an interface name.
Command Modes
The following table shows the modes in which you can enter the command:

                        Firewall Mode           Security Context
                                                         Multiple
Command Mode            Routed   Transparent    Single   Context   System
Global configuration    • Yes    • Yes          • Yes    —         —
Privileged EXEC         • Yes    • Yes          • Yes    —         —

Command History
Release   Modification
7.0(1)    This command was added.

Examples
The following example, entered in global configuration mode, displays the IPsec fragmentation policy
for an interface named inside:
ciscoasa(config)# show crypto ipsec fragmentation inside
fragmentation inside before-encryption
ciscoasa(config)#
Related Commands
Command
Description
crypto ipsec fragmentation
Configures the fragmentation policy for IPsec packets.
crypto ipsec df-bit
Configures the DF-bit policy for IPsec packets.
show crypto ipsec df-bit
Displays the DF-bit policy for a specified interface.
show crypto ipsec policy
To display IPsec secure socket API (SS API) security policy information provided by OSPFv3, use the
show crypto ipsec policy command in global configuration or privileged EXEC mode. You can also use
the alternate form of this command: show ipsec policy.
show crypto ipsec policy [name]
Syntax Description
name    Specifies a policy name.
Command Modes
The following table shows the modes in which you can enter the command:

                        Firewall Mode           Security Context
                                                         Multiple
Command Mode            Routed   Transparent    Single   Context   System
Global configuration    • Yes    • Yes          • Yes    —         —
Privileged EXEC         • Yes    • Yes          • Yes    —         —

Command History
Release   Modification
7.0(1)    This command was added.

Examples
The following example, entered in global configuration mode, displays the crypto secure socket API
installed policy information for a policy named CSSU-UTF. The output includes the ESP authentication
keys configured for the policy in clear text:
ciscoasa(config)# show crypto ipsec policy
Crypto IPsec client security policy data
Policy name:               CSSU-UTF
Policy refcount:           0
Inbound ESP SPI:           1031 (0x407)
Outbound ESP SPI:          1031 (0x407)
Inbound ESP Auth Key:      0123456789abcdef
Outbound ESP Auth Key:     0123456789abcdef
Inbound ESP Cipher Key:
Outbound ESP Cipher Key:
Transform set:             esp-sha-hmac
Related Commands
Command                           Description
show crypto ipsec fragmentation   Displays the fragmentation policy for IPsec packets.
show crypto ipsec sa              Displays a list of IPsec SAs.
show crypto ipsec df-bit          Displays the DF-bit policy for a specified interface.
show crypto sockets               Displays crypto secure sockets and the socket state.
show crypto ipsec sa
To display a list of IPsec SAs, use the show crypto ipsec sa command in global configuration mode or
privileged EXEC mode. You can also use the alternate form of this command: show ipsec sa.
show crypto ipsec sa [entry | identity | map map-name | peer peer-addr] [detail]
Syntax Description
detail           (Optional) Displays detailed error information on what is displayed.
entry            (Optional) Displays IPsec SAs sorted by peer address.
identity         (Optional) Displays IPsec SAs sorted by identity, not including ESPs. This is a
                 condensed form.
map map-name     (Optional) Displays IPsec SAs for the specified crypto map.
peer peer-addr   (Optional) Displays IPsec SAs for the specified peer IP addresses.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                        Firewall Mode           Security Context
                                                         Multiple
Command Mode            Routed   Transparent    Single   Context   System
Global configuration    • Yes    • Yes          • Yes    —         —
Privileged EXEC         • Yes    • Yes          • Yes    —         —

Command History
Release   Modification
7.0(1)    This command was added.
9.0(1)    Support for OSPFv3, multiple context mode, Suite B algorithm in the
          transform and IV size portion, and ESPV3 IPsec output were added.

Examples
The following example, entered in global configuration mode, displays IPsec SAs that include a tunnel
identified as OSPFv3.
ciscoasa(config)# show crypto ipsec sa
interface: outside2
Crypto map tag: def, local addr: 10.132.0.17
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.20.0.21/255.255.255.255/0/0)
current_peer: 172.20.0.21
dynamic allocated peer ip: 10.135.1.5
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1145, #pkts decrypt: 1145, #pkts verify: 1145
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 2, #pre-frag failures: 1, #fragments created: 10
#PMTUs sent: 5, #PMTUs rcvd: 2, #decapstulated frags needing reassembly: 1
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.132.0.17, remote crypto endpt.: 172.20.0.21
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: DC15BF68
inbound esp sas:
spi: 0x1E8246FC (511854332)
transform: esp-3des esp-md5-hmac
in use settings ={L2L, Transport, Manual key, (OSPFv3), }
slot: 0, conn_id: 3, crypto-map: def
sa timing: remaining key lifetime (sec): 548
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xDC15BF68 (3692412776)
transform: esp-3des esp-md5-hmac
in use settings ={L2L, Transport, Manual key, (OSPFv3), }
slot: 0, conn_id: 3, crypto-map: def
sa timing: remaining key lifetime (sec): 548
IV size: 8 bytes
replay detection support: Y
Crypto map tag: def, local addr: 10.132.0.17
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
ciscoasa(config)#
Note
Fragmentation statistics are pre-fragmentation statistics if the IPsec SA policy states that fragmentation
occurs before IPsec processing. Post-fragmentation statistics appear if the SA policy states that
fragmentation occurs after IPsec processing.
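The per-SA lines above (transform, in-use settings, remaining key lifetime, replay detection) are what an operator usually wants to check across many peers at once. The following is an added example, not Cisco code and not part of this reference: a small Python parser for a saved show crypto ipsec sa capture that extracts each ESP SA and flags the ones worth attention. The sample capture is constructed from the layout shown above (the second SA is deliberately given a short lifetime and no replay protection); WEAK_TRANSFORMS and LIFETIME_WARN_SEC are assumed local policy, not values from the reference.

```python
"""Audit an ASA `show crypto ipsec sa` capture for SAs that deserve attention.

Added example (not Cisco code). SAMPLE is a constructed excerpt modelled on the
reference output; WEAK_TRANSFORMS and LIFETIME_WARN_SEC are assumed local policy.
"""
import re

# Assumption: transforms this site treats as deprecated (DES/3DES, MD5, NULL).
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
# Assumption: warn when an SA's remaining key lifetime drops below this.
LIFETIME_WARN_SEC = 60

# Constructed sample: the outbound SA deliberately has a short lifetime and no
# replay protection so that the audit below has something to report.
SAMPLE = """\
interface: outside2
    Crypto map tag: def, local addr: 10.132.0.17
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.20.0.21/255.255.255.255/0/0)
      current_peer: 172.20.0.21
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1145, #pkts decrypt: 1145, #pkts verify: 1145
      #send errors: 0, #recv errors: 0
      current outbound spi: DC15BF68
    inbound esp sas:
      spi: 0x1E8246FC (511854332)
        transform: esp-3des esp-md5-hmac
        in use settings ={L2L, Transport, Manual key, (OSPFv3), }
        sa timing: remaining key lifetime (sec): 548
        replay detection support: Y
    outbound esp sas:
      spi: 0xDC15BF68 (3692412776)
        transform: esp-aes-256 esp-sha-hmac
        in use settings ={L2L, Tunnel, }
        sa timing: remaining key lifetime (sec): 30
        replay detection support: N
"""


def parse_ipsec_sa(text):
    """Return one dict per ESP SA found in the capture (inbound and outbound)."""
    sas, peer, direction, cur = [], None, None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("current_peer:"):
            peer = s.split(":", 1)[1].strip()          # applies to the SAs that follow
        elif s in ("inbound esp sas:", "outbound esp sas:"):
            direction = s.split()[0]
        elif s.startswith("spi:"):                      # each SA block begins with its SPI
            cur = {"peer": peer, "direction": direction, "spi": s.split()[1],
                   "transform": [], "settings": [], "lifetime": None, "replay": None}
            sas.append(cur)
        elif cur is not None:
            if s.startswith("transform:"):
                cur["transform"] = s.split(":", 1)[1].split()
            elif s.startswith("in use settings"):
                inner = s[s.index("{") + 1:s.rindex("}")]
                cur["settings"] = [p.strip() for p in inner.split(",") if p.strip()]
            elif "remaining key lifetime (sec):" in s:
                m = re.search(r"\(sec\):\s*(\d+)", s)
                cur["lifetime"] = int(m.group(1)) if m else None
            elif s.startswith("replay detection support:"):
                cur["replay"] = s.split(":", 1)[1].strip() == "Y"
    return sas


def audit_ipsec_sa(sas):
    """Return (spi, reason) pairs for SAs that violate the assumed policy."""
    findings = []
    for sa in sas:
        weak = sorted(set(sa["transform"]) & WEAK_TRANSFORMS)
        if weak:
            findings.append((sa["spi"], "weak transform: " + " ".join(weak)))
        if sa["replay"] is False:
            findings.append((sa["spi"], "replay detection disabled"))
        if sa["lifetime"] is not None and sa["lifetime"] < LIFETIME_WARN_SEC:
            findings.append((sa["spi"], f"key expires in {sa['lifetime']}s"))
        if "Manual key" in sa["settings"]:
            findings.append((sa["spi"], "manually keyed SA (no IKE rekey)"))
    return findings


if __name__ == "__main__":
    for spi, reason in audit_ipsec_sa(parse_ipsec_sa(SAMPLE)):
        print(f"{spi}: {reason}")
```

Feed it the output of show crypto ipsec sa (or the entry, map, or peer forms, which use the same per-SA layout) captured to a file. The parser keys on the line prefixes shown in the reference rather than on indentation, so it tolerates the column spills that terminal captures and PDF extractions introduce.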
The following example, entered in global configuration mode, displays IPsec SAs for a crypto map named def.
ciscoasa(config)# show crypto ipsec sa map def
cryptomap: def
    Crypto map tag: def, local addr: 172.20.0.17
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)
      current_peer: 10.132.0.21
      dynamic allocated peer ip: 90.135.1.5
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1146, #pkts decrypt: 1146, #pkts verify: 1146
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: DC15BF68
    inbound esp sas:
      spi: 0x1E8246FC (511854332)
        transform: esp-3des esp-md5-hmac
        in use settings ={RA, Tunnel, }
        slot: 0, conn_id: 3, crypto-map: def
        sa timing: remaining key lifetime (sec): 480
        IV size: 8 bytes
        replay detection support: Y
    outbound esp sas:
      spi: 0xDC15BF68 (3692412776)
        transform: esp-3des esp-md5-hmac
        in use settings ={RA, Tunnel, }
        slot: 0, conn_id: 3, crypto-map: def
        sa timing: remaining key lifetime (sec): 480
        IV size: 8 bytes
        replay detection support: Y
    Crypto map tag: def, local addr: 172.20.0.17
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)
      current_peer: 10.135.1.8
      dynamic allocated peer ip: 0.0.0.0
      #pkts encaps: 73672, #pkts encrypt: 73672, #pkts digest: 73672
      #pkts decaps: 78824, #pkts decrypt: 78824, #pkts verify: 78824
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 73672, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 3B6F6A35
    inbound esp sas:
      spi: 0xB32CF0BD (3006066877)
        transform: esp-3des esp-md5-hmac
        in use settings ={RA, Tunnel, }
        slot: 0, conn_id: 4, crypto-map: def
        sa timing: remaining key lifetime (sec): 263
        IV size: 8 bytes
        replay detection support: Y
    outbound esp sas:
      spi: 0x3B6F6A35 (997157429)
        transform: esp-3des esp-md5-hmac
        in use settings ={RA, Tunnel, }
        slot: 0, conn_id: 4, crypto-map: def
        sa timing: remaining key lifetime (sec): 263
        IV size: 8 bytes
        replay detection support: Y
ciscoasa(config)#
The following example, entered in global configuration mode, shows IPsec SAs for the keyword entry.
ciscoasa(config)# show crypto ipsec sa entry
peer address: 10.132.0.21
    Crypto map tag: def, local addr: 172.20.0.17
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)
      current_peer: 10.132.0.21
      dynamic allocated peer ip: 90.135.1.5
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1147, #pkts decrypt: 1147, #pkts verify: 1147
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: DC15BF68
    inbound esp sas:
      spi: 0x1E8246FC (511854332)
        transform: esp-3des esp-md5-hmac
        in use settings ={RA, Tunnel, }
        slot: 0, conn_id: 3, crypto-map: def
        sa timing: remaining key lifetime (sec): 429
        IV size: 8 bytes
        replay detection support: Y
    outbound esp sas:
      spi: 0xDC15BF68 (3692412776)
        transform: esp-3des esp-md5-hmac
        in use settings ={RA, Tunnel, }
        slot: 0, conn_id: 3, crypto-map: def
        sa timing: remaining key lifetime (sec): 429
        IV size: 8 bytes
        replay detection support: Y
peer address: 10.135.1.8
    Crypto map tag: def, local addr: 172.20.0.17
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)
      current_peer: 10.135.1.8
      dynamic allocated peer ip: 0.0.0.0
      #pkts encaps: 73723, #pkts encrypt: 73723, #pkts digest: 73723
      #pkts decaps: 78878, #pkts decrypt: 78878, #pkts verify: 78878
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 73723, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 3B6F6A35
    inbound esp sas:
      spi: 0xB32CF0BD (3006066877)
        transform: esp-3des esp-md5-hmac
        in use settings ={RA, Tunnel, }
        slot: 0, conn_id: 4, crypto-map: def
        sa timing: remaining key lifetime (sec): 212
        IV size: 8 bytes
        replay detection support: Y
    outbound esp sas:
      spi: 0x3B6F6A35 (997157429)
        transform: esp-3des esp-md5-hmac
        in use settings ={RA, Tunnel, }
        slot: 0, conn_id: 4, crypto-map: def
        sa timing: remaining key lifetime (sec): 212
        IV size: 8 bytes
        replay detection support: Y
ciscoasa(config)#
The following example, entered in global configuration mode, shows IPsec SAs with the keywords entry detail.
ciscoasa(config)# show crypto ipsec sa entry detail
peer address: 10.132.0.21
    Crypto map tag: def, local addr: 172.20.0.17
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)
      current_peer: 10.132.0.21
      dynamic allocated peer ip: 90.135.1.5
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1148, #pkts decrypt: 1148, #pkts verify: 1148
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0
      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: DC15BF68
    inbound esp sas:
      spi: 0x1E8246FC (511854332)
        transform: esp-3des esp-md5-hmac
        in use settings ={RA, Tunnel, }
        slot: 0, conn_id: 3, crypto-map: def
        sa timing: remaining key lifetime (sec): 322
        IV size: 8 bytes
        replay detection support: Y
    outbound esp sas:
      spi: 0xDC15BF68 (3692412776)
        transform: esp-3des esp-md5-hmac
        in use settings ={RA, Tunnel, }
        slot: 0, conn_id: 3, crypto-map: def
        sa timing: remaining key lifetime (sec): 322
        IV size: 8 bytes
        replay detection support: Y
peer address: 10.135.1.8
    Crypto map tag: def, local addr: 172.20.0.17
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)
      current_peer: 10.135.1.8
      dynamic allocated peer ip: 0.0.0.0
      #pkts encaps: 73831, #pkts encrypt: 73831, #pkts digest: 73831
      #pkts decaps: 78989, #pkts decrypt: 78989, #pkts verify: 78989
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 73831, #pkts comp failed: 0, #pkts decomp failed: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0
      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 3B6F6A35
    inbound esp sas:
      spi: 0xB32CF0BD (3006066877)
        transform: esp-3des esp-md5-hmac
        in use settings ={RA, Tunnel, }
        slot: 0, conn_id: 4, crypto-map: def
        sa timing: remaining key lifetime (sec): 104
        IV size: 8 bytes
        replay detection support: Y
    outbound esp sas:
      spi: 0x3B6F6A35 (997157429)
        transform: esp-3des esp-md5-hmac
        in use settings ={RA, Tunnel, }
        slot: 0, conn_id: 4, crypto-map: def
        sa timing: remaining key lifetime (sec): 104
        IV size: 8 bytes
        replay detection support: Y
ciscoasa(config)#
The following example shows IPsec SAs with the keyword identity.
ciscoasa(config)# show crypto ipsec sa identity
interface: outside2
    Crypto map tag: def, local addr: 172.20.0.17
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)
      current_peer: 10.132.0.21
      dynamic allocated peer ip: 90.135.1.5
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1147, #pkts decrypt: 1147, #pkts verify: 1147
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: DC15BF68
    Crypto map tag: def, local addr: 172.20.0.17
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)
      current_peer: 10.135.1.8
      dynamic allocated peer ip: 0.0.0.0
      #pkts encaps: 73756, #pkts encrypt: 73756, #pkts digest: 73756
      #pkts decaps: 78911, #pkts decrypt: 78911, #pkts verify: 78911
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 73756, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 3B6F6A35
The following example shows IPsec SAs with the keywords identity and detail.
ciscoasa(config)# show crypto ipsec sa identity detail
interface: outside2
    Crypto map tag: def, local addr: 172.20.0.17
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)
      current_peer: 10.132.0.21
      dynamic allocated peer ip: 90.135.1.5
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1147, #pkts decrypt: 1147, #pkts verify: 1147
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0
      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: DC15BF68
    Crypto map tag: def, local addr: 172.20.0.17
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)
      current_peer: 10.135.1.8
      dynamic allocated peer ip: 0.0.0.0
      #pkts encaps: 73771, #pkts encrypt: 73771, #pkts digest: 73771
      #pkts decaps: 78926, #pkts decrypt: 78926, #pkts verify: 78926
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 73771, #pkts comp failed: 0, #pkts decomp failed: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0
      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 3B6F6A35
Related Commands
Command                         Description
clear configure isakmp          Clears all the ISAKMP configuration.
clear configure isakmp policy   Clears all ISAKMP policy configuration.
clear isakmp sa                 Clears the IKE runtime SA database.
isakmp enable                   Enables ISAKMP negotiation on the interface on which the IPsec peer communicates with the ASA.
show running-config isakmp      Displays all the active ISAKMP configuration.
show crypto ipsec stats
To display a list of IPsec statistics, use the show crypto ipsec stats command in global configuration
mode or privileged EXEC mode.
show crypto ipsec stats
Syntax Description
This command has no keywords or variables.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

Command Mode           Firewall Mode            Security Context
                       Routed   Transparent     Single   Multiple
                                                         Context   System
Global configuration   • Yes    • Yes           • Yes    —         —
Privileged EXEC        • Yes    • Yes           • Yes    —         —

Command History
Release   Modification
7.0(1)    This command was added.

Examples
The following example, entered in global configuration mode, displays IPsec statistics:
ciscoasa(config)# show crypto ipsec stats
IPsec Global Statistics
-----------------------
Active tunnels: 2
Previous tunnels: 9
Inbound
    Bytes: 4933013
    Decompressed bytes: 4933013
    Packets: 80348
    Dropped packets: 0
    Replay failures: 0
    Authentications: 80348
    Authentication failures: 0
    Decryptions: 80348
    Decryption failures: 0
    Decapsulated fragments needing reassembly: 0
Outbound
    Bytes: 4441740
    Uncompressed bytes: 4441740
    Packets: 74029
    Dropped packets: 0
    Authentications: 74029
    Authentication failures: 0
    Encryptions: 74029
    Encryption failures: 0
    Fragmentation successes: 3
        Pre-fragmentation successes: 2
        Post-fragmentation successes: 1
    Fragmentation failures: 2
        Pre-fragmentation failures: 1
        Post-fragmentation failures: 1
    Fragments created: 10
    PMTUs sent: 1
    PMTUs recvd: 2
Protocol failures: 0
Missing SA failures: 0
System capacity failures: 0
ciscoasa(config)#
Related Commands
Command                      Description
clear ipsec sa               Clears IPsec SAs or counters based on specified parameters.
crypto ipsec transform-set   Defines a transform set.
show ipsec sa                Displays IPsec SAs based on specified parameters.
show ipsec sa summary        Displays a summary of IPsec SAs.
show crypto isakmp sa
To display the IKE runtime SA database, use the show crypto isakmp sa command in global
configuration mode or privileged EXEC mode.
show crypto isakmp sa [detail]
Syntax Description
detail    Displays detailed output about the SA database.

Defaults
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:

Command Mode           Firewall Mode            Security Context
                       Routed   Transparent     Single   Multiple
                                                         Context   System
Global configuration   • Yes    —               • Yes    —         —
Privileged EXEC        • Yes    —               • Yes    —         —

Command History
Release   Modification
7.0(1)    The show isakmp sa command was added.
7.2(1)    The show isakmp sa command was deprecated. The show crypto isakmp sa command replaced it.
9.0(1)    Support for multiple context mode was added.

Usage Guidelines
The output from this command includes the following fields:
Detail not specified:
IKE Peer 209.165.200.225
Type—L2L or User
Dir—Init
Rky—No or Yes. If yes, a rekey is occurring, and a second matching SA will be in a different state until the rekey completes.
Role—Initiator or Responder
State—Tells the current state of the state machine for the SA. A tunnel up and passing data has a value of either MM_ACTIVE or AM_ACTIVE. Other active states include MM_BLD_MSG4, MM_BLD_MSG6, MM_FREE, MM_SND_MSG6_H, MM_START, MM_TM_INIT_MODECFG_H, MM_TM_PEND_QM, MM_WAIT_DELETE, MM_WAIT_MSG3, MM_WAIT_MSG5, and so on.

Detail specified:
IKE Peer 209.165.200.225
Type—L2L or User
Dir—Init
Rky—No or Yes. If yes, a rekey is occurring, and a second matching SA will be in a different state until the rekey completes.
Role—Initiator or Responder
State—Tells the current state of the state machine for the SA. A tunnel up and passing data has a value of either MM_ACTIVE or AM_ACTIVE. Other active states include MM_BLD_MSG4, MM_BLD_MSG6, MM_FREE, MM_SND_MSG6_H, MM_START, MM_TM_INIT_MODECFG_H, MM_TM_PEND_QM, MM_WAIT_DELETE, MM_WAIT_MSG3, MM_WAIT_MSG5, and so on.
Encrypt—3des
Hash—md5
Auth—preshrd
Lifetime—86400
Examples
The following example, entered in global configuration mode, displays detailed information about the
SA database:
ciscoasa(config)# show crypto isakmp sa detail
   IKE Peer          Type  Dir   Rky  State      Encrypt  Hash  Auth     Lifetime
1  209.165.200.225   User  Resp  No   AM_Active  3des     SHA   preshrd  86400
   IKE Peer          Type  Dir   Rky  State      Encrypt  Hash  Auth     Lifetime
2  209.165.200.226   User  Resp  No   AM_ACTIVE  3des     SHA   preshrd  86400
   IKE Peer          Type  Dir   Rky  State      Encrypt  Hash  Auth     Lifetime
3  209.165.200.227   User  Resp  No   AM_ACTIVE  3des     SHA   preshrd  86400
   IKE Peer          Type  Dir   Rky  State      Encrypt  Hash  Auth     Lifetime
4  209.165.200.228   User  Resp  No   AM_ACTIVE  3des     SHA   preshrd  86400
ciscoasa(config)#
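The Usage Guidelines above define which State values mean a tunnel is up and passing data (MM_ACTIVE or AM_ACTIVE) and that Rky=Yes explains a second SA sitting in another state during a rekey. The following is an added example, not Cisco code and not part of this reference: a Python parser for the row layout shown in the example output that reports SAs not in an active state and SAs whose negotiated IKE algorithms fall outside an allow-list. The sample rows are constructed from the reference's column layout (the aes-256 and MM_WAIT_MSG5 rows are invented to exercise the checks); ALLOWED_ENCRYPT and ALLOWED_HASH are assumed local policy.

```python
"""Parse ASA `show crypto isakmp sa [detail]` rows and report SAs that are not
passing data or that negotiated algorithms outside an assumed allow-list.

Added example (not Cisco code). SAMPLE is constructed from the reference's
column layout; the aes-256 and MM_WAIT_MSG5 rows are invented to exercise the
checks. ALLOWED_ENCRYPT / ALLOWED_HASH are assumed local policy.
"""
import re

# One table row: "<n> <peer> <L2L|User> <Init|Resp> <Yes|No> <state> [<enc> <hash> <auth> <lifetime>]".
# The trailing four fields exist only when the detail keyword was given.
ROW_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<peer>\S+)\s+(?P<type>L2L|User)\s+(?P<dir>Init|Resp)\s+"
    r"(?P<rky>Yes|No)\s+(?P<state>\w+)"
    r"(?:\s+(?P<encrypt>\S+)\s+(?P<hash>\S+)\s+(?P<auth>\S+)\s+(?P<lifetime>\d+))?\s*$"
)

# Assumption: what this site still permits for IKE.
ALLOWED_ENCRYPT = {"aes", "aes-192", "aes-256"}
ALLOWED_HASH = {"sha", "sha256", "sha384", "sha512"}

SAMPLE = """\
ciscoasa(config)# show crypto isakmp sa detail
   IKE Peer          Type  Dir   Rky  State      Encrypt  Hash  Auth     Lifetime
1  209.165.200.225   User  Resp  No   AM_ACTIVE  3des     SHA   preshrd  86400
   IKE Peer          Type  Dir   Rky  State      Encrypt  Hash  Auth     Lifetime
2  209.165.200.226   L2L   Init  Yes  MM_WAIT_MSG5  aes-256  SHA   preshrd  28800
   IKE Peer          Type  Dir   Rky  State      Encrypt  Hash  Auth     Lifetime
3  209.165.200.227   User  Resp  No   MM_ACTIVE  3des     md5   preshrd  86400
ciscoasa(config)#
"""


def parse_isakmp_sa(text):
    """Return one dict per SA row; header lines and prompts are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["idx"] = int(row["idx"])
        row["lifetime"] = int(row["lifetime"]) if row["lifetime"] else None
        row["rekeying"] = row["rky"] == "Yes"
        # Per the reference, a tunnel that is up and passing data is in MM_ACTIVE or AM_ACTIVE.
        row["active"] = row["state"].upper().endswith("_ACTIVE")
        rows.append(row)
    return rows


def audit_isakmp_sa(rows):
    """Return (peer, reason) pairs: non-active SAs and disallowed algorithms."""
    findings = []
    for r in rows:
        if not r["active"]:
            # A second SA in a transient state is expected while Rky is Yes.
            note = " (rekey in progress)" if r["rekeying"] else ""
            findings.append((r["peer"], f"not active: {r['state']}{note}"))
        if r["encrypt"] and r["encrypt"].lower() not in ALLOWED_ENCRYPT:
            findings.append((r["peer"], f"encryption {r['encrypt']} not allowed"))
        if r["hash"] and r["hash"].lower() not in ALLOWED_HASH:
            findings.append((r["peer"], f"hash {r['hash']} not allowed"))
    return findings


if __name__ == "__main__":
    for peer, reason in audit_isakmp_sa(parse_isakmp_sa(SAMPLE)):
        print(f"{peer}: {reason}")
```

The regex accepts both the six-column output (detail not specified) and the ten-column detail form, so the same script can be run against either capture; algorithm findings are only possible from the detail form, where the Encrypt and Hash columns are present.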
Related Commands
Command                                Description
clear configure crypto isakmp          Clears all the ISAKMP configuration.
clear configure crypto isakmp policy   Clears all ISAKMP policy configuration.
clear crypto isakmp sa                 Clears the IKE runtime SA database.
crypto isakmp enable                   Enables ISAKMP negotiation on the interface on which the IPsec peer communicates with the ASA.
show running-config crypto isakmp      Displays all the active ISAKMP configuration.
show crypto isakmp stats
To display runtime statistics, use the show crypto isakmp stats command in global configuration mode
or privileged EXEC mode.
show crypto isakmp stats
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

Command Mode           Firewall Mode            Security Context
                       Routed   Transparent     Single   Multiple
                                                         Context   System
Global configuration   • Yes    —               • Yes    —         —
Privileged EXEC        • Yes    —               • Yes    —         —

Command History
Release   Modification
7.0(1)    The show isakmp stats command was added.
7.2(1)    The show isakmp stats command was deprecated. The show crypto isakmp stats command replaced it.

Usage Guidelines
The output from this command includes the following fields:
• Global IKE Statistics
• Active Tunnels
• In Octets
• In Packets
• In Drop Packets
• In Notifys
• In P2 Exchanges
• In P2 Exchange Invalids
• In P2 Exchange Rejects
• In P2 Sa Delete Requests
• Out Octets
• Out Packets
• Out Drop Packets
• Out Notifys
• Out P2 Exchanges
• Out P2 Exchange Invalids
• Out P2 Exchange Rejects
• Out P2 Sa Delete Requests
• Initiator Tunnels
• Initiator Fails
• Responder Fails
• System Capacity Fails
• Auth Fails
• Decrypt Fails
• Hash Valid Fails
• No Sa Fails

Examples
The following example, issued in global configuration mode, displays ISAKMP statistics:
ciscoasa(config)# show crypto isakmp stats
Global IKE Statistics
Active Tunnels: 132
Previous Tunnels: 132
In Octets: 195471
In Packets: 1854
In Drop Packets: 925
In Notifys: 0
In P2 Exchanges: 132
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 119029
Out Packets: 796
Out Drop Packets: 0
Out Notifys: 264
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
ciscoasa(config)#
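Both show crypto ipsec stats (earlier in this chapter) and show crypto isakmp stats print "label: value" counters, and the values an operator cares about are the failure counters and the ratio of dropped to received packets (the IKE example above shows 925 of 1854 inbound packets dropped). The following is an added example, not Cisco code and not part of this reference: a Python health check that parses either listing into sections and reports non-zero failure counters and drop ratios above a threshold. Both samples are constructed: the IKE sample reuses the figures from the output above, the IPsec sample is abridged and given an invented non-zero Replay failures count; the thresholds are assumptions.

```python
"""Health-check the counters printed by `show crypto ipsec stats` and
`show crypto isakmp stats` (both are "label: value" listings).

Added example (not Cisco code). Both samples are constructed: the IKE one reuses
the figures from the reference output, the IPsec one adds a non-zero replay
failure count so the check has a finding. Thresholds are assumptions.
"""

# Constructed IPsec sample (abridged; "Replay failures: 7" is invented).
SAMPLE_IPSEC = """\
IPsec Global Statistics
-----------------------
Active tunnels: 2
Previous tunnels: 9
Inbound
    Bytes: 4933013
    Packets: 80348
    Dropped packets: 0
    Replay failures: 7
    Authentications: 80348
    Authentication failures: 0
    Decryptions: 80348
    Decryption failures: 0
Outbound
    Bytes: 4441740
    Packets: 74029
    Dropped packets: 0
    Authentications: 74029
    Authentication failures: 0
    Encryptions: 74029
    Encryption failures: 0
"""

# Constructed IKE sample using the reference's figures (note the drop count).
SAMPLE_IKE = """\
Global IKE Statistics
Active Tunnels: 132
Previous Tunnels: 132
In Octets: 195471
In Packets: 1854
In Drop Packets: 925
Out Packets: 796
Out Drop Packets: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
"""


def parse_stats(text):
    """Return {section: {label: value}}. A line without a colon opens a new
    section (e.g. "Inbound"); numeric values are converted to int."""
    stats, section = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-"}:       # blank line or dashed rule
            continue
        if ":" in line:
            label, _, value = line.partition(":")
            value = value.strip()
            stats.setdefault(section, {})[label.strip()] = int(value) if value.isdigit() else value
        else:
            section = line
            stats.setdefault(section, {})
    return stats


def check_ipsec_stats(stats, max_drop_ratio=0.01):
    """Flag any crypto failure counter > 0 and drop ratios above the threshold."""
    findings = []
    for direction in ("Inbound", "Outbound"):
        sec = stats.get(direction, {})
        for label in ("Replay failures", "Authentication failures",
                      "Decryption failures", "Encryption failures"):
            if sec.get(label, 0) > 0:
                findings.append(f"{direction}: {label} = {sec[label]}")
        pkts = sec.get("Packets", 0)
        if pkts and sec.get("Dropped packets", 0) / pkts > max_drop_ratio:
            findings.append(f"{direction}: drop ratio {sec['Dropped packets'] / pkts:.1%}")
    return findings


def check_ike_stats(stats, max_drop_ratio=0.10):
    """Flag IKE failure counters and an inbound drop ratio above the threshold."""
    g = stats.get("Global IKE Statistics", {})
    findings = [f"{label} = {g[label]}" for label in
                ("Auth Fails", "Decrypt Fails", "Hash Valid Fails",
                 "No Sa Fails", "System Capacity Fails") if g.get(label, 0) > 0]
    if g.get("In Packets"):
        ratio = g.get("In Drop Packets", 0) / g["In Packets"]
        if ratio > max_drop_ratio:
            findings.append(f"In Drop Packets ratio {ratio:.1%}")
    return findings


if __name__ == "__main__":
    print(check_ipsec_stats(parse_stats(SAMPLE_IPSEC)))
    print(check_ike_stats(parse_stats(SAMPLE_IKE)))
```

The counters are cumulative since the last clear, so a one-off reading only tells you that failures have happened at some point; sampling the output periodically and comparing successive readings turns these checks into a rate, which is what an alert should be based on.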
Related Commands
Command                                Description
clear configure crypto isakmp          Clears all the ISAKMP configuration.
clear configure crypto isakmp policy   Clears all ISAKMP policy configuration.
clear crypto isakmp sa                 Clears the IKE runtime SA database.
crypto isakmp enable                   Enables ISAKMP negotiation on the interface on which the IPsec peer communicates with the ASA.
show running-config crypto isakmp      Displays all the active ISAKMP configuration.
show crypto key mypubkey
To display the key name, usage, and elliptic curve size for ECDSA keys, use the show crypto key
mypubkey command in global configuration mode or privileged EXEC mode.
show crypto key mypubkey dsa | rsa
Syntax Description
dsa    Specifies the key name.
rsa    Specifies the key name.

Command Modes
The following table shows the modes in which you can enter the command:

Command Mode           Firewall Mode            Security Context
                       Routed   Transparent     Single   Multiple
                                                         Context   System
Global configuration   • Yes    —               • Yes    —         —
Privileged EXEC        • Yes    —               • Yes    —         —

Command History
Release   Modification
7.0(1)    This command was added.
show crypto protocol statistics
To display the protocol-specific statistics in the crypto accelerator MIB, use the show crypto protocol
statistics command in global configuration or privileged EXEC mode.
show crypto protocol statistics protocol
Syntax Description
protocol    Specifies the name of the protocol for which to display statistics. Protocol choices are as follows:
            ikev1—Internet Key Exchange version 1.
            ipsec—IP Security Phase-2 protocols.
            ssl—Secure Sockets Layer.
            other—Reserved for new protocols.
            all—All protocols currently supported.

Defaults
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:

Command Mode           Firewall Mode            Security Context
                       Routed   Transparent     Single   Multiple
                                                         Context   System
Global configuration   • Yes    • Yes           • Yes    —         —
Privileged EXEC        • Yes    • Yes           • Yes    —         —

Command History
Release   Modification
7.0(1)    This command was added.

Examples
The following examples, entered in global configuration mode, display crypto accelerator statistics for the specified protocols:
ciscoasa # show crypto protocol statistics ikev1
[IKEv1 statistics]
Encrypt packet requests: 39
Encapsulate packet requests: 39
Decrypt packet requests: 35
Decapsulate packet requests: 35
HMAC calculation requests: 84
SA creation requests: 1
SA rekey requests: 3
SA deletion requests: 2
Next phase key allocation requests: 2
Random number generation requests: 0
Failed requests: 0
ciscoasa # show crypto protocol statistics ipsec
[IPsec statistics]
Encrypt packet requests: 700
Encapsulate packet requests: 700
Decrypt packet requests: 700
Decapsulate packet requests: 700
HMAC calculation requests: 1400
SA creation requests: 2
SA rekey requests: 0
SA deletion requests: 0
Next phase key allocation requests: 0
Random number generation requests: 0
Failed requests: 0
ciscoasa # show crypto protocol statistics ssl
[SSL statistics]
Encrypt packet requests: 0
Encapsulate packet requests: 0
Decrypt packet requests: 0
Decapsulate packet requests: 0
HMAC calculation requests: 0
SA creation requests: 0
SA rekey requests: 0
SA deletion requests: 0
Next phase key allocation requests: 0
Random number generation requests: 0
Failed requests: 0
ciscoasa # show crypto protocol statistics other
[Other statistics]
Encrypt packet requests: 0
Encapsulate packet requests: 0
Decrypt packet requests: 0
Decapsulate packet requests: 0
HMAC calculation requests: 0
SA creation requests: 0
SA rekey requests: 0
SA deletion requests: 0
Next phase key allocation requests: 0
Random number generation requests: 99
Failed requests: 0
ciscoasa # show crypto protocol statistics all
[IKEv1 statistics]
Encrypt packet requests: 46
Encapsulate packet requests: 46
Decrypt packet requests: 40
Decapsulate packet requests: 40
HMAC calculation requests: 91
SA creation requests: 1
SA rekey requests: 3
SA deletion requests: 3
Next phase key allocation requests: 2
Random number generation requests: 0
Failed requests: 0
[IKEv2 statistics]
Encrypt packet requests: 0
Encapsulate packet requests: 0
Decrypt packet requests: 0
Decapsulate packet requests: 0
HMAC calculation requests: 0
SA creation requests: 0
SA rekey requests: 0
SA deletion requests: 0
Next phase key allocation requests: 0
Random number generation requests: 0
Failed requests: 0
[IPsec statistics]
Encrypt packet requests: 700
Encapsulate packet requests: 700
Decrypt packet requests: 700
Decapsulate packet requests: 700
HMAC calculation requests: 1400
SA creation requests: 2
SA rekey requests: 0
SA deletion requests: 0
Next phase key allocation requests: 0
Random number generation requests: 0
Failed requests: 0
[SSL statistics]
Encrypt packet requests: 0
Encapsulate packet requests: 0
Decrypt packet requests: 0
Decapsulate packet requests: 0
HMAC calculation requests: 0
SA creation requests: 0
SA rekey requests: 0
SA deletion requests: 0
Next phase key allocation requests: 0
Random number generation requests: 0
Failed requests: 0
[SSH statistics are not supported]
[SRTP statistics are not supported]
[Other statistics]
Encrypt packet requests: 0
Encapsulate packet requests: 0
Decrypt packet requests: 0
Decapsulate packet requests: 0
HMAC calculation requests: 0
SA creation requests: 0
SA rekey requests: 0
SA deletion requests: 0
Next phase key allocation requests: 0
Random number generation requests: 99
Failed requests: 0
ciscoasa #
Related Commands
Command                              Description
clear crypto accelerator statistics  Clears the global and accelerator-specific statistics in the crypto accelerator MIB.
clear crypto protocol statistics     Clears the protocol-specific statistics in the crypto accelerator MIB.
show crypto accelerator statistics   Displays the global and accelerator-specific statistics from the crypto accelerator MIB.
show crypto sockets
To display crypto secure socket information, use the show crypto sockets command in global
configuration mode or privileged EXEC mode.
show crypto sockets
Syntax Description
This command has no keywords or variables.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

Command Mode           Firewall Mode            Security Context
                       Routed   Transparent     Single   Multiple
                                                         Context   System
Global configuration   • Yes    • Yes           • Yes    —         —
Privileged EXEC        • Yes    • Yes           • Yes    —         —

Command History
Release   Modification
7.0(1)    This command was added.

Examples
The following example, entered in global configuration mode, displays crypto secure socket information:
ciscoasa(config)# show crypto sockets
Number of Crypto Socket connections 1
Gi0/1
Peers: (local): 2001:1::1
(remote): ::
Local Ident (addr/plen/port/prot): (2001:1::1/64/0/89)
Remote Ident (addr/plen/port/prot): (::/0/0/89)
IPsec Profile: "CSSU-UTF"
Socket State: Open
Client: "CSSU_App(UTF)" (Client State: Active)
Crypto Sockets in Listen state:
The following table describes the fields in the show crypto sockets command output.

Field                                 Description
Number of Crypto Socket connections   Number of crypto sockets in the system.
Socket State                          This state can be Open, which means that active IPsec security associations (SAs) exist, or it can be Closed, which means that no active IPsec SAs exist.
Client                                Application name and its state.
Flags                                 If this field says “shared,” the socket is shared with more than one tunnel interface.
Crypto Sockets in Listen state        Name of the crypto IPsec profile.

Related Commands
Command                    Description
show crypto ipsec policy   Displays the crypto secure socket API installed policy information.
show csc node-count
To display the number of nodes for which the CSC SSM scanned traffic, use the show csc node-count command in privileged EXEC mode.
show csc node-count [yesterday]

Syntax Description
yesterday    (Optional) Shows the number of nodes for which the CSC SSM scanned traffic in the preceding 24-hour period, from midnight to midnight.

Defaults
By default, the node count displayed is the number of nodes scanned since midnight.

Command Modes
The following table shows the modes in which you can enter the command:

Command Mode      Firewall Mode            Security Context
                  Routed   Transparent     Single   Multiple
                                                    Context   System
Privileged EXEC   • Yes    • Yes           • Yes    —         • Yes

Command History
Release   Modification
7.0(1)    This command was added.
Usage Guidelines
A node is any distinct source IP address or the address of a device that is on a network protected by the
ASA. The ASA keeps track of a daily node count and communicates this to the CSC SSM for user license
enforcement.
Examples
The following is sample output of the show csc node-count command, which displays the number of
nodes for which the CSC SSM has scanned traffic since midnight:
ciscoasa# show csc node-count
Current node count is 1
The following is sample output of the show csc node-count command, which displays the number of
nodes for which the CSC SSM scanned traffic in the preceding 24-hour period, from midnight to
midnight:
ciscoasa(config)# show csc node-count yesterday
Yesterday’s node count is 2

Related Commands

Command                              Description
csc                                  Sends network traffic to the CSC SSM for scanning of FTP, HTTP, POP3, and SMTP, as configured on the CSC SSM.
show running-config class-map        Shows the current class map configuration.
show running-config policy-map       Shows the current policy map configuration.
show running-config service-policy   Shows the current service policy configuration.

show ctiqbe
To display information about CTIQBE sessions established across the ASA, use the show ctiqbe
command in privileged EXEC mode.
show ctiqbe
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
                   Firewall Mode             Security Context
                                                       Multiple
Command Mode       Routed   Transparent    Single   Context   System
Privileged EXEC    Yes      Yes            Yes      Yes       Yes

Command History

Release   Modification
7.0(1)    This command was added.

Usage Guidelines

The show ctiqbe command displays information about CTIQBE sessions established across the ASA. Along with debug ctiqbe and show local-host, this command is used for troubleshooting CTIQBE inspection engine issues.

Note    We recommend that you have the pager command configured before using the show ctiqbe command. If there are a lot of CTIQBE sessions and the pager command is not configured, it can take a while for the show ctiqbe command output to reach the end.

Examples

The following is sample output from the show ctiqbe command under the following conditions. There is only one active CTIQBE session set up across the ASA. It is established between an internal CTI device (for example, a Cisco IP SoftPhone) at local address 10.0.0.99 and an external Cisco CallManager at 172.29.1.77, where TCP port 2748 is the Cisco CallManager port. The heartbeat interval for the session is 120 seconds.

ciscoasa# show ctiqbe
Total: 1
        LOCAL           FOREIGN                 STATE   HEARTBEAT
---------------------------------------------------------------
1       10.0.0.99/1117  172.29.1.77/2748        1       120
        ----------------------------------------------
        RTP/RTCP: PAT xlates: mapped to 172.29.1.99(1028 - 1029)
        ----------------------------------------------
        MEDIA: Device ID 27  Call ID 0
        Foreign 172.29.1.99   (1028 - 1029)
        Local   172.29.1.88   (26822 - 26823)
        ----------------------------------------------

The CTI device has already registered with the CallManager. The device internal address and RTP listening port are PATed to 172.29.1.99 UDP port 1028. Its RTCP listening port is PATed to UDP 1029.

The line beginning with RTP/RTCP: PAT xlates: appears only if an internal CTI device has registered with an external CallManager and the CTI device address and ports are PATed to that external interface. This line does not appear if the CallManager is located on an internal interface, or if the internal CTI device address and ports are NATed to the same external interface that is used by the CallManager.

The output indicates that a call has been established between this CTI device and another phone at 172.29.1.88. The RTP and RTCP listening ports of the other phone are UDP 26822 and 26823. The other phone is located on the same interface as the CallManager, because the ASA does not maintain a CTIQBE session record associated with the second phone and CallManager. The active call leg on the CTI device side can be identified by Device ID 27 and Call ID 0.
Related Commands

Command          Description
inspect ctiqbe   Enables CTIQBE application inspection.
service-policy   Applies a policy map to one or more interfaces.
show conn        Displays the connection state for different connection types.
timeout          Sets the maximum idle time duration for different protocols and session types.

show ctl-file
To show the contents of the CTL file used by the phone proxy, use the show ctl-file command in global
configuration mode.
show ctl-file filename [parsed]
Syntax Description

filename   Displays the phones capable of secure mode stored in the database.
parsed     (Optional) Displays detailed information from the CTL file specified.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

                       Firewall Mode             Security Context
                                                           Multiple
Command Mode           Routed   Transparent    Single   Context   System
Global configuration   Yes      —              Yes      —         —

Command History

Release   Modification
8.2(1)    The command was added.

Usage Guidelines
When specifying the filename of the CTL file stored in Flash memory, specify the disk number, filename,
and extension; for example: disk0:/testctl.tlv. Using the show ctl-file command is useful for
debugging when configuring the phone proxy instance.
Examples
The following example shows the use of the show ctl-file command to show general information about
the CTL file:
ciscoasa# show ctl-file disk0:/ctlfile.tlv
Total Number of Records: 1
CTL Record Number 1
  Subject Name:
    serialNumber=JMX1215L2TX+hostname=ciscoasa
  Issuer Name:
    serialNumber=JMX1215L2TX+hostname=ciscoasa
  Function:
    cucm
  IP Address:
    192.168.52.102
  Associated Trustpoint:
    cucm_primary

The following example shows the use of the show ctl-file command to show detailed information
about the CTL file:
ciscoasa# show ctl-file disk0:/ctlfile.tlv parsed
TAG 0x01: Version: Maj 1, Min 2
TAG 0x02: Header Len: Len 288
TAG 0x03: Signer ID: Len 103
TAG 0x04: Signer Name: Len 45 Name: <cn=_internal_myctl_SAST_0,ou=STG,o=Cisco Inc>
TAG 0x05: Cert SN: Len 4 SN: c43c9048
TAG 0x06: CA Name: Len 45 Name: <cn=_internal_myctl_SAST_0,ou=STG,o=Cisco Inc>
TAG 0x07: Signature: Len 15
TAG 0x08: Digest Alg: Len 1 Name: SHA-1
TAG 0x09: Sig Alg Info: Len 8
TAG 0x0A: Sig Alg: Len 1 Name: RSA
TAG 0x0B: Modulus: Len 1 Name: 1024
TAG 0x0C: Sig Block: Len 128 Signature:
521debcf b7a77ea8 94eba5f7 f3c8b0d8 3337a9fa 267ce1a7 202b2c8b 2ac980d3
9608f64d e7cd82df e205e5bf 74a1d9c4 fae20f90 f3d2746a e90f439e ef93fca7
d4925551 72daa414 2c55f249 ef7e6dc2 bcb9f9b5 39be8238 5011eecb ce37e4d1
866e6550 6779c3fd 25c8bab0 6e9be32c 7f79fe34 5575e3af ea039145 45ce3158
TAG 0x0E: File Name: Len 12 Name: <CTLFile.tlv>
TAG 0x0F: Timestamp: Len 4 Timestamp: 48903cc6
### CTL RECORD No. 1 ###
TAG 0x01: Rcd Len: Len 731
TAG 0x03: Sub Name: Len 43 Sub Name: <serialNumber=JMX1215L2TX+hostname=ciscoasa>
TAG 0x04: Function: Len 2 Func: CCM
TAG 0x05: Cert Issuer: Len 43 Issuer Name: <serialNumber=JMX1215L2TX+hostname=ciscoasa>
TAG 0x06: Cert SN: Len 4 Cert SN: 15379048
TAG 0x07: Pub Key: Len 140 Pub Key:
30818902 818100ad a752b4e6 89769a49 13115e52 1209b3ef 96a179af 728c29d7
af7fed4e c759d0ea cebd7587 dd4f7c4c 322da86b 3a677c08 ce39ce60 2525f6d2
50fe87cf 2aea60a5 690ec985 10706e5a 30ad26db e6fdb243 159758ed bb487525
f901ef4a 658445de 29981546 3867d2d1 ce519ee4 62c7be32 51037c3c 751c0ad6
040bedbb 3e984502 03010001
TAG 0x09: Cert: Len 469 X.509v3 Cert:
308201d1 3082013a a0030201 02020415 37904830 0d06092a 864886f7 0d010104
0500302d 312b3012 06035504 05130b4a 4d583132 31354c32 54583015 06092a86
4886f70d 01090216 08636973 636f6173 61301e17 0d303830 37333030 39343033
375a170d 31383037 32383039 34303337 5a302d31 2b301206 03550405 130b4a4d
58313231 354c3254 58301506 092a8648 86f70d01 09021608 63697363 6f617361
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00ada752
b4e68976 9a491311 5e521209 b3ef96a1 79af728c 29d7af7f ed4ec759 d0eacebd
7587dd4f 7c4c322d a86b3a67 7c08ce39 ce602525 f6d250fe 87cf2aea 60a5690e
c9851070 6e5a30ad 26dbe6fd b2431597 58edbb48 7525f901 ef4a6584 45de2998
15463867 d2d1ce51 9ee462c7 be325103 7c3c751c 0ad6040b edbb3e98 45020301
0001300d 06092a86 4886f70d 01010405 00038181 005d82b7 ac45dbf8 bd911d4d
a330454a a2784a4b 5ef898b1 482e0bbf 4a86ed86 9019820b 00e80361 fd7b2518
9efa746c b98b1e23 fcc0793c de48de6d 6b1a4998 cd6f4e66 ba661d3a d200739a
ae679c7c 94f550fb a6381b94 1eae389e a9ec4b11 30ba31f3 33cd184e 25647174
ce00231d 102d5db3 c9c111a6 df37eb43 66f3d2d5 46
TAG 0x0A: IP Addr: Len 4 IP Addr: 192.168.52.102

Related Commands

Command                  Description
ctl-file (global)        Specifies the CTL instance to create for the phone proxy or parses the CTL file stored in Flash memory.
ctl-file (phone-proxy)   Specifies the CTL instance to use when configuring the phone proxy.
phone-proxy              Configures the Phone Proxy instance.

show cts environment-data
To show the health and status of the environment data refresh operation on the ASA for Cisco TrustSec,
use the show cts environment-data command in privileged EXEC mode.
show cts environment-data
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
                   Firewall Mode             Security Context
                                                       Multiple
Command Mode       Routed   Transparent    Single   Context   System
Privileged EXEC    Yes      Yes            Yes      Yes       —

Command History

Release   Modification
9.0(1)    This command was added.

Usage Guidelines
This command is not supported on a standby device in a failover configuration. If you enter this
command on a standby device, the following error message appears:
ERROR: This command is only permitted on the active device.
This command is only supported on the master unit in a clustering configuration. If you enter this
command on a slave unit, the following error message appears:
This command is only permitted on the master device.
Examples
The following is sample output from the show cts environment-data command:

ciscoasa# show cts environment-data
CTS Environment Data
====================
Status:                     Active
Last download attempt:      Successful
Environment Data Lifetime:  1200 secs
Last update time:           18:12:07 EST Feb 27 2012
Env-data expires in:        0:00:12:24 (dd:hr:mm:sec)
Env-data refreshes in:      0:00:02:24 (dd:hr:mm:sec)

Related Commands

Command                   Description
show running-config cts   Shows the SXP connections for the running configuration.
show cts pac              Shows the components on the PAC.

show cts environment-data sg-table
To show the resident security group table on the ASA for Cisco TrustSec, use the show cts
environment-data sg-table command in privileged EXEC mode.
show cts environment-data sg-table
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
                   Firewall Mode             Security Context
                                                       Multiple
Command Mode       Routed   Transparent    Single   Context   System
Privileged EXEC    Yes      Yes            Yes      Yes       —

Command History

Release   Modification
9.0(1)    This command was added.

Usage Guidelines
This command is not supported on a standby device in a failover configuration. If you enter this
command on a standby device, the following error message appears:
ERROR: This command is only permitted on the active device.
This command is only supported on the master unit in a clustering configuration. If you enter this
command on a slave unit, the following error message appears:
This command is only permitted on the master device.
Examples
The following is sample output from the show cts environment-data sg-table command:

ciscoasa# show cts environment-data sg-table
Security Group Table:
Valid until: 18:32:07 EST Feb 27 2012
Showing 9 of 9 entries

SG Name          SG Tag   Type
-----------      ------   -------------
ANY              65535    unicast
ExampleSG1       2        unicast
ExampleSG13      14       unicast
ExampleSG14      15       unicast
ExampleSG15      16       unicast
ExampleSG16      17       unicast
ExampleSG17      18       unicast
ExampleSG18      19       unicast
Unknown          0        unicast

Related Commands

Command                   Description
show running-config cts   Shows the SXP connections for the running configuration.
show cts pac              Shows the components on the PAC.

show cts pac
To show the components of the Protected Access Credential (PAC) on the ASA for Cisco TrustSec, use
the show cts pac command in privileged EXEC mode.
show cts pac
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
                   Firewall Mode             Security Context
                                                       Multiple
Command Mode       Routed   Transparent    Single   Context   System
Privileged EXEC    Yes      Yes            Yes      Yes       —

Command History

Release   Modification
9.0(1)    This command was added.

Usage Guidelines
The show cts pac command displays PAC information, including the expiration time. The expiration
time is important because the ASA cannot retrieve security group table updates after the PAC lifetime
lapses. The administrator must request and install a new PAC before the old one expires to maintain
synchronization with the security group table on the Identity Services Engine.
This command is not supported on a standby device in a failover configuration. If you enter this
command on a standby device, the following error message appears:
ERROR: This command is only permitted on the active device.
This command is only supported on the master unit in a clustering configuration. If you enter this
command on a slave unit, the following error message appears:
This command is only permitted on the master device.
Examples
The following is sample output from the show cts pac command:

ciscoasa# show cts pac
PAC-Info:
  Valid until: Jul 28 2012 08:03:23
  AID:         6499578bc0240a3d8bd6591127ab270c
  I-ID:        BrianASA36
  A-ID-Info:   Identity Services Engine
  PAC-type:    Cisco Trustsec
PAC-Opaque:
000200b000030001000400106499578bc0240a3d8bd6591127ab270c00060094000301
00d75a3f2293ff3b1310803b9967540ff7000000134e2d2deb00093a803d227383e2b9
7db59ed2eeac4e469fcb1eeb0ac2dd84e76e13342a4c2f1081c06d493e192616d43611
8ff93d2af9b9135bb95127e8b9989db36cf1667b4fe6c284e220c11e1f7dbab91721d1
00e9f47231078288dab83a342ce176ed2410f1249780882a147cc087942f52238fc9b4
09100e1758
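The usage guidelines above make two lifetimes the operator's responsibility: the environment data must refresh before it expires, and a new PAC must be installed before the old one lapses. The following is an added example, not Cisco's code, that reads captured copies of the show cts environment-data output earlier on this page and the show cts pac output just above (both sample texts are constructed from those outputs, with the PAC-Opaque blob shortened) and reports either lifetime running out; the warning threshold and the "now" timestamp are assumptions passed in by the caller.

```python
"""Check TrustSec PAC and environment-data lifetimes from ASA show output.

Added example, not Cisco's code, for the `show cts environment-data` output
earlier on this page and the `show cts pac` output just above (both sample
texts are constructed from those outputs). It flags a PAC that expires within
a chosen number of days, because security group table updates stop once the
PAC lifetime lapses, and an environment-data refresh that is not healthy.
"""
import re
from datetime import datetime, timedelta

ENV_DATA_OUTPUT = """\
ciscoasa# show cts environment-data
CTS Environment Data
====================
Status:                     Active
Last download attempt:      Successful
Environment Data Lifetime:  1200 secs
Last update time:           18:12:07 EST Feb 27 2012
Env-data expires in:        0:00:12:24 (dd:hr:mm:sec)
Env-data refreshes in:      0:00:02:24 (dd:hr:mm:sec)
"""

PAC_OUTPUT = """\
ciscoasa# show cts pac
PAC-Info:
  Valid until: Jul 28 2012 08:03:23
  AID:         6499578bc0240a3d8bd6591127ab270c
  I-ID:        BrianASA36
  A-ID-Info:   Identity Services Engine
  PAC-type:    Cisco Trustsec
PAC-Opaque:
  000200b0 (opaque blob shortened in this constructed sample)
"""

# "Name: value" lines; a bare "PAC-Info:" or "PAC-Opaque:" heading has no value and is skipped.
FIELD_RE = re.compile(r"^\s*([A-Za-z][^:]*?):\s+(\S.*?)\s*$")
TIME_FORMAT = "%b %d %Y %H:%M:%S"   # the form the ASA prints after "Valid until:"


def parse_fields(text: str) -> dict[str, str]:
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def dhms_seconds(text: str) -> int:
    """'0:00:12:24 (dd:hr:mm:sec)' -> 744."""
    dd, hh, mm, ss = (int(x) for x in text.split()[0].split(":"))
    return ((dd * 24 + hh) * 60 + mm) * 60 + ss


def env_data_findings(text: str) -> list[str]:
    """Problems with the environment-data refresh; an empty list means healthy."""
    f = parse_fields(text)
    findings = []
    if f.get("Status") != "Active":
        findings.append(f"environment data status is {f.get('Status')!r}")
    if f.get("Last download attempt") != "Successful":
        findings.append(f"last environment-data download: {f.get('Last download attempt')!r}")
    expires = dhms_seconds(f["Env-data expires in"])
    refreshes = dhms_seconds(f["Env-data refreshes in"])
    if refreshes >= expires:   # the next refresh has to land before the data expires
        findings.append(f"refresh in {refreshes}s is not before expiry in {expires}s")
    return findings


def pac_valid_until(text: str) -> datetime:
    return datetime.strptime(parse_fields(text)["Valid until"], TIME_FORMAT)


def pac_findings(text: str, now: str, warn_days: int = 30) -> list[str]:
    """`now` is given in the same 'Mon DD YYYY HH:MM:SS' form the ASA prints."""
    remaining = pac_valid_until(text) - datetime.strptime(now, TIME_FORMAT)
    if remaining <= timedelta(0):
        return ["PAC has expired; the ASA can no longer retrieve security group table updates"]
    if remaining <= timedelta(days=warn_days):
        return [f"PAC expires in {remaining.days} days; request and install a new PAC"]
    return []


if __name__ == "__main__":
    print(env_data_findings(ENV_DATA_OUTPUT) or "environment data: healthy")
    print(pac_findings(PAC_OUTPUT, "Jul 01 2012 00:00:00") or "PAC lifetime: ok")
```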

Related Commands

Command                   Description
show running-config cts   Shows the SXP connections for the running configuration.
show cts environment      Shows the health and status of the environment data refresh operation.

show cts sgt-map
To show the IP address-security group table manager entries in the control path, use the show cts
sgt-map command in privileged EXEC mode.
show cts sgt-map [sgt sgt] [address ipv4[/mask] | address ipv6[/prefix] | ipv4 | ipv6] [name] [brief | detail]

Syntax Description

address {ipv4[/mask] | ipv6[/prefix]}   Shows only the IP address-security group table mapping for the specific IPv4 or IPv6 address. Include an IPv4 subnet mask or IPv6 prefix to see the mapping for a network.
brief                                   Shows the IP address-security group table mapping summary.
detail                                  Shows the IP address-security group table mapping.
ipv4                                    Shows the IPv4 address-security group table mapping. By default, only the IPv4 address-security group table mapping is displayed.
ipv6                                    Shows the IPv6 address-security group table mapping.
name                                    Shows the IP address-security group table mapping with the matched security group name.
sgt sgt                                 Shows only the IP address-security group table mapping with the matched security group table.

Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
                   Firewall Mode             Security Context
                                                       Multiple
Command Mode       Routed   Transparent    Single   Context   System
Privileged EXEC    Yes      Yes            Yes      Yes       —

Command History

Release   Modification
9.0(1)    The command was added.
9.3(1)    The output was updated to include IP-SGT binding information from the “CLI-HI” source, which is populated by the cts role-based sgt-map command.
9.6(1)    The ability to show network mappings was added.

Usage Guidelines

This command displays the IP address-security group table manager entries in the control path.

Examples
The following is sample output from the show cts sgt-map command:

ciscoasa# show cts sgt-map
Active IP-SGT Bindings Information
IP Address              SGT     Source
============================================
1.1.1.1                 7       CLI-HI
10.10.10.1              7       CLI-HI
10.10.10.10             3       LOCAL
10.10.100.1             7       CLI-HI
198.26.208.31           7       SXP
IP-SGT Active Bindings Summary
============================================
Total number of LOCAL    bindings = 1
Total number of CLI-HI   bindings = 3
Total number of SXP      bindings = 1
Total number of active   bindings = 5

The following is sample output from the show cts sgt-map command with some network bindings:

ciscoasa# show cts sgt-map
Active IP-SGT Bindings Information
IP Address              SGT     Source
============================================
10.1.1.1                7       CLI-HI
10.252.10.0/24          7       CLI-HI
10.252.10.10            3       LOCAL
10.252.100.1            7       CLI-HI
172.26.0.0/16           7       SXP
IP-SGT Active Bindings Summary
============================================
Total number of LOCAL    bindings = 1
Total number of CLI-HI   bindings = 3
Total number of SXP      bindings = 1
Total number of active   bindings = 5

The following is sample output from the show cts sgt-map ipv6 command:

ciscoasa# show cts sgt-map ipv6
Active IP-SGT Bindings Information
IP Address                              SGT     Source
============================================================
3330::1                                 17      SXP
FE80::A8BB:CCFF:FE00:110                17      SXP
IP-SGT Active Bindings Summary
============================================
Total number of SXP      bindings = 2
Total number of active   bindings = 2

The following is sample output from the show cts sgt-map ipv6 detail command:

ciscoasa# show cts sgt-map ipv6 detail
Active IP-SGT Bindings Information
IP Address                              Security Group                          Source
=========================================================================
3330::1                                 2345                                    SXP
1280::A8BB:CCFF:FE00:110                Security Tech Business Unit(12345)      SXP
IP-SGT Active Bindings Summary
===================================
Total number of SXP bindings    = 2
Total number of active bindings = 2

The following is sample output from the show cts sgt-map ipv6 brief command:

ciscoasa# show cts sgt-map ipv6 brief
Active IP-SGT Bindings Information
IP-SGT Active Bindings Summary
====================================
Total number of SXP bindings    = 2
Total number of active bindings = 2

The following is sample output from the show cts sgt-map address command:

ciscoasa# show cts sgt-map address 10.10.10.5
Active IP-SGT Bindings Information
IP Address              SGT     Source
============================================================
10.10.10.5              1234    SXP
IP-SGT Active Bindings Summary
============================================
Total number of SXP      bindings = 1
Total number of active   bindings = 1
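The binding table above is what the ASA actually enforces, and the summary block below it is the only self-check the command provides. The following is an added example, not Cisco's code, that parses a captured copy of the network-binding output shown above (the sample text is constructed from it), reconciles the rows against the summary, lists SXP-learned bindings whose tag is outside an operator-supplied allow-list, and resolves which host or network binding covers a given address; the allow-list and the address looked up are assumptions chosen for the demonstration.

```python
"""Parse `show cts sgt-map` output and reconcile it against its summary block.

Added example, not Cisco's code: it works on a captured copy of the command
output shown above (the sample text is constructed from that output) and gives
an operator a repeatable check on the IP-SGT bindings the ASA is enforcing,
including bindings that a remote SXP speaker pushed in.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Union

# Constructed sample in the layout the ASA prints (the example above that
# includes network bindings).
SAMPLE_OUTPUT = """\
ciscoasa# show cts sgt-map
Active IP-SGT Bindings Information
IP Address              SGT     Source
============================================
10.1.1.1                7       CLI-HI
10.252.10.0/24          7       CLI-HI
10.252.10.10            3       LOCAL
10.252.100.1            7       CLI-HI
172.26.0.0/16           7       SXP
IP-SGT Active Bindings Summary
============================================
Total number of LOCAL    bindings = 1
Total number of CLI-HI   bindings = 3
Total number of SXP      bindings = 1
Total number of active   bindings = 5
"""

BINDING_RE = re.compile(r"^(\S+)\s+(\d+)\s+(LOCAL|CLI-HI|SXP)\s*$")
SUMMARY_RE = re.compile(r"^Total number of (\S+)\s+bindings = (\d+)\s*$")
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Binding:
    prefix: Network   # a host binding is stored as a /32 or /128
    sgt: int
    source: str       # LOCAL, CLI-HI or SXP, as printed by the ASA


def parse_sgt_map(text: str) -> tuple[list[Binding], dict[str, int]]:
    """Return (bindings, summary); summary maps a source name to its count."""
    bindings: list[Binding] = []
    summary: dict[str, int] = {}
    for line in text.splitlines():
        m = BINDING_RE.match(line)
        if m:
            net = ipaddress.ip_network(m.group(1), strict=False)
            bindings.append(Binding(net, int(m.group(2)), m.group(3)))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
    return bindings, summary


def reconcile(bindings: list[Binding], summary: dict[str, int]) -> list[str]:
    """Report each summary total that disagrees with the rows actually listed."""
    counts = Counter(b.source for b in bindings)
    problems = []
    for source, total in summary.items():
        seen = len(bindings) if source == "active" else counts.get(source, 0)
        if seen != total:
            problems.append(f"{source}: rows={seen} summary={total}")
    return problems


def unexpected_sxp_bindings(bindings: list[Binding], allowed_sgts: set[int]) -> list[Binding]:
    """SXP-learned bindings whose tag is not on the operator's allow-list.

    Everything an SXP peer speaker advertises lands in this table, so this is
    where to confirm that only the expected tags arrived over SXP.
    """
    return [b for b in bindings if b.source == "SXP" and b.sgt not in allowed_sgts]


def covering_bindings(bindings: list[Binding], address: str) -> list[Binding]:
    """Every host or network binding that covers `address`, most specific first."""
    ip = ipaddress.ip_address(address)
    hits = [b for b in bindings if b.prefix.version == ip.version and ip in b.prefix]
    return sorted(hits, key=lambda b: b.prefix.prefixlen, reverse=True)


if __name__ == "__main__":
    found, totals = parse_sgt_map(SAMPLE_OUTPUT)
    print(f"{len(found)} bindings parsed; summary mismatches: {reconcile(found, totals)}")
    for b in unexpected_sxp_bindings(found, allowed_sgts={3}):
        print(f"unexpected SXP binding: {b.prefix} -> SGT {b.sgt}")
    for b in covering_bindings(found, "10.252.10.10"):
        print(f"10.252.10.10 is covered by {b.prefix} (SGT {b.sgt}, {b.source})")
```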

Related Commands

Command                   Description
show running-config cts   Shows the SXP connections for the running configuration.
show cts environment      Shows the health and status of the environment data refresh operation.

show cts sxp connections
To show the Security eXchange Protocol (SXP) connections on the ASA, use the show cts sxp
connections command in privileged EXEC mode.
show cts sxp connections [peer peer_addr] [local local_addr] [ipv4 | ipv6] [status {on | off | delete-hold-down | pending-on}] [mode {speaker | listener}] [brief]

Syntax Description

brief              (Optional) Shows the SXP connection summary.
delete-hold-down   (Optional) The TCP connection was terminated (TCP is down) when it was in the ON state. Only an ASA configured in listener mode can be in this state.
ipv4               (Optional) Shows SXP connections with IPv4 addresses.
ipv6               (Optional) Shows SXP connections with IPv6 addresses.
listener           (Optional) Shows the ASA configured in listener mode.
local local_addr   (Optional) Shows SXP connections with the matched local IP addresses.
mode               (Optional) Shows SXP connections with the matched mode.
off                (Optional) The TCP connection has not been initiated. The ASA retries the TCP connection only in this state.
on                 (Optional) An SXP OPEN or SXP OPEN RESP message has been received. The SXP connection has been successfully established. The ASA only exchanges SXP messages in this state.
peer peer_addr     (Optional) Shows SXP connections with the matched peer IP addresses.
pending-on         (Optional) An SXP OPEN message has been sent to the peer; the response from the peer is being awaited.
speaker            (Optional) Shows the ASA configured in speaker mode.
status             (Optional) Shows SXP connections with the matched status.

Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
                   Firewall Mode             Security Context
                                                       Multiple
Command Mode       Routed   Transparent    Single   Context   System
Privileged EXEC    Yes      Yes            Yes      Yes       —

Command History

Release   Modification
9.0(1)    The command was added.

Usage Guidelines
The SXP states change under the following conditions:

• If the SXP listener drops its SXP connection because its peer unconfigures SXP or disables SXP, then the SXP listener moves to the OFF state.
• If the SXP listener drops its SXP connection because its peer crashes or has the interface shut down, then the SXP listener moves to the DELETE_HOLD_DOWN state.
• The SXP speaker moves to the OFF state when either of the first two conditions occurs.

This command is not supported on a standby device in a failover configuration. If you enter this
command on a standby device, the following error message appears:
ERROR: This command is only permitted on the active device.
This command is only supported on the master unit in a clustering configuration. If you enter this
command on a slave unit, the following error message appears:
This command is only permitted on the master device.
Examples
The following is sample output from the show cts sxp connections command:
ciscoasa# show cts sxp connections
SXP                 : Enabled
Highest version     : 2
Default password    : Set
Default local IP    : Not Set
Reconcile period    : 120 secs
Retry open period   : 10 secs
Retry open timer    : Not Running
Total number of SXP connections : 3
Total number of SXP connection shown : 3
----------------------------------------------
Peer IP     : 2.2.2.1
Local IP    : 2.2.2.2
Conn status : On
Local mode  : Listener
Ins number  : 1
TCP conn password : Default
Delete hold down timer : Not Running
Reconciliation timer   : Not Running
Duration since last state change: 0:00:01:25 (dd:hr:mm:sec)
----------------------------------------------
Peer IP     : 3.3.3.1
Local IP    : 3.3.3.2
Conn status : On
Local mode  : Listener
Ins number  : 2
TCP conn password : None
Delete hold down timer : Not Running
Reconciliation timer   : Not Running
Duration since last state change: 0:01:02:20 (dd:hr:mm:sec)
----------------------------------------------
Peer IP     : 4.4.4.1
Local IP    : 4.4.4.2
Conn status : On
Local mode  : Speaker
Ins number  : 1
TCP conn password : Set
Delete hold down timer : Not Running
Reconciliation timer   : Not Running
Duration since last state change: 0:03:01:20 (dd:hr:mm:sec)
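In the output above, one listener reports TCP conn password : None, which means bindings from that peer are accepted over an unauthenticated TCP session, and the usage guidelines give the cause of each non-On state. The following is an added example, not Cisco's code, that parses a captured copy of this output (the sample is constructed from it, trimmed to two peers and the fields the checks need) into one record per peer and audits the password, connection state and delete hold down timer; the finding wording and the STATE_MEANING table are this example's own.

```python
"""Audit `show cts sxp connections` output for unauthenticated or unhealthy peers.

Added example, not Cisco's code. It parses a captured copy of the output
shown above (the sample is constructed from it, trimmed to two peers) and
reports connections with no TCP MD5 password, connections not in the On
state, with the cause the usage guidelines give for each state, and a
running delete hold down timer. Field names are the ones the ASA prints.
"""
import re
from dataclasses import dataclass

SAMPLE_OUTPUT = """\
ciscoasa# show cts sxp connections
SXP                 : Enabled
Default password    : Set
Total number of SXP connections : 2
Total number of SXP connection shown : 2
----------------------------------------------
Peer IP     : 2.2.2.1
Conn status : On
Local mode  : Listener
TCP conn password : Default
Delete hold down timer : Not Running
Duration since last state change: 0:00:01:25 (dd:hr:mm:sec)
----------------------------------------------
Peer IP     : 3.3.3.1
Conn status : On
Local mode  : Listener
TCP conn password : None
Delete hold down timer : Not Running
Duration since last state change: 0:01:02:20 (dd:hr:mm:sec)
"""

KV_RE = re.compile(r"^(.+?)\s*:\s*(.*)$")  # "Name : value"; the key ends at the first colon
SEPARATOR_RE = re.compile(r"^-{10,}$")     # dashed rule that starts each peer block
# What each non-On state means, per the usage guidelines above.
STATE_MEANING = {
    "off": "TCP not initiated; the peer unconfigured or disabled SXP",
    "pending-on": "SXP OPEN sent, awaiting the peer's response",
    "delete-hold-down": "TCP dropped while On; the peer crashed or shut its interface",
}


@dataclass
class SxpConnection:
    peer_ip: str
    mode: str              # "Listener" or "Speaker"
    status: str            # "On", "Off", "Pending-On" or "Delete-Hold-Down"
    password: str          # "Default", "Set" or "None"
    hold_down_timer: str   # "Running" or "Not Running"
    seconds_in_state: int


def duration_seconds(text: str) -> int:
    """'0:01:02:20 (dd:hr:mm:sec)' -> 3740."""
    dd, hh, mm, ss = (int(x) for x in text.split()[0].split(":"))
    return ((dd * 24 + hh) * 60 + mm) * 60 + ss


def _fields(lines: list[str]) -> dict[str, str]:
    matches = (KV_RE.match(ln) for ln in lines)
    return {m.group(1).strip(): m.group(2).strip() for m in matches if m}


def parse_sxp_connections(text: str) -> tuple[dict[str, str], list[SxpConnection]]:
    """Return (global settings, one SxpConnection per peer block)."""
    blocks: list[list[str]] = [[]]
    for line in text.splitlines():
        if SEPARATOR_RE.match(line.strip()):
            blocks.append([])
        elif line.strip():
            blocks[-1].append(line)
    conns = [
        SxpConnection(f["Peer IP"], f["Local mode"], f["Conn status"],
                      f["TCP conn password"], f["Delete hold down timer"],
                      duration_seconds(f["Duration since last state change"]))
        for f in map(_fields, blocks[1:]) if "Peer IP" in f
    ]
    return _fields(blocks[0]), conns


def audit(settings: dict[str, str], conns: list[SxpConnection]) -> list[str]:
    """One finding per weakness or unhealthy state; an empty list means all clear."""
    findings = []
    if settings.get("SXP") != "Enabled":
        findings.append("SXP is not enabled on this ASA")
    for c in conns:
        if c.password == "None":
            findings.append(f"{c.peer_ip}: no TCP MD5 password on this SXP connection")
        state = c.status.lower().replace("_", "-")
        if state != "on":
            why = STATE_MEANING.get(state, "unknown state")
            findings.append(f"{c.peer_ip} ({c.mode}): {c.status}; {why}")
        if c.hold_down_timer != "Not Running":
            findings.append(f"{c.peer_ip}: delete hold down timer running")
    return findings


if __name__ == "__main__":
    for finding in audit(*parse_sxp_connections(SAMPLE_OUTPUT)):
        print(finding)
```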

Related Commands

Command                   Description
show running-config cts   Shows the SXP connections for the running configuration.
show cts environment      Shows the health and status of the environment data refresh operation.

show cts sxp sgt-map
To show the current IP address-security group table mapping database entries in the Security eXchange
Protocol (SXP) module on the ASA for Cisco TrustSec, use the show cts sxp sgt-map command in
privileged EXEC mode.
show cts sxp sgt-map [peer peer_addr] [sgt sgt] [address ipv4[/mask] | address ipv6[/prefix] | ipv4 | ipv6] [name] [brief | detail] [status]

Syntax Description

address {ipv4[/mask] | ipv6[/prefix]}   Shows only the IP address-security group table mapping for the specific IPv4 or IPv6 address. Include an IPv4 subnet mask or IPv6 prefix to see the mapping for a network.
brief                                   Shows the IP address-security group table mapping summary.
detail                                  Shows the security group table information. If a security group name is not available, only the security group table value is displayed, without the bracket.
ipv4                                    Shows the IP address-security group table mapping with IPv4 addresses. By default, only the IP address-security group table mapping with IPv4 addresses is displayed.
ipv6                                    Shows the IP address-security group table mapping with IPv6 addresses.
name                                    Shows the IP address-security group table mapping with the matched security group name.
peer peer_addr                          Shows only the IP address-security group table mapping with the matched peer IP address.
sgt sgt                                 Shows only the IP address-security group table mapping with the matched security group table.
status                                  Shows active or inactive mapped entries.

Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
                   Firewall Mode             Security Context
                                                       Multiple
Command Mode       Routed   Transparent    Single   Context   System
Privileged EXEC    Yes      Yes            Yes      Yes       —

Command History

Release   Modification
9.0(1)    The command was added.
9.6(1)    The ability to show network mappings was added.

Usage Guidelines
This command displays the active IP address-security group table mapped entries consolidated from
SXP.
This command is not supported on a standby device in a failover configuration. In a cluster, enter the
command on the master unit.
Examples
The following is sample output from the show cts sxp sgt-map command:
ciscoasa# show cts sxp sgt-map
Total number of IP-SGT mappings : 3
SGT     : 7
IPv4    : 2.2.2.1
Peer IP : 2.2.2.1
Ins Num : 1
SGT     : 7
IPv4    : 2.2.2.0
Peer IP : 3.3.3.1
Ins Num : 1
SGT     : 7
IPv6    : FE80::A8BB:CCFF:FE00:110
Peer IP : 2.2.2.1
Ins Num : 1

The following is sample output from the show cts sxp sgt-map detail command:

ciscoasa# show cts sxp sgt-map detail
Total number of IP-SGT mappings : 3
SGT     : STBU(7)
IPv4    : 2.2.2.1
Peer IP : 2.2.2.1
Ins Num : 1
Status  : Active
SGT     : STBU(7)
IPv4    : 2.2.2.0
Peer IP : 3.3.3.1
Ins Num : 1
Status  : Inactive
SGT     : 6
IPv6    : 1234::A8BB:CCFF:FE00:110
Peer IP : 2.2.2.1
Ins Num : 1
Status  : Active

The following is sample output from the show cts sxp sgt-map brief command. Some mappings are to
networks.
ciscoasa# show cts sxp sgt-map brief
Total number of IP-SGT mappings : 3
SGT, IPv4: 7, 2.2.2.0/24
SGT, IPv4: 7, 3.3.3.3
SGT, IPv6: 7, FE80::0/64

Related Commands

Command                   Description
show running-config cts   Shows the SXP connections for the running configuration.
show cts environment      Shows the health and status of the environment data refresh operation.

show curpriv
To display the current user privileges, use the show curpriv command:
show curpriv
Syntax Description
This command has no arguments or keywords.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
                       Firewall Mode             Security Context
                                                           Multiple
Command Mode           Routed   Transparent    Single   Context   System
Global configuration   Yes      Yes            Yes      —         —
Privileged EXEC        Yes      Yes            Yes      —         —
User EXEC              Yes      Yes            Yes      —         —

Command History

Release   Modification
7.0(1)    Modified to conform to CLI guidelines.

Usage Guidelines
The show curpriv command displays the current privilege level. Lower privilege level numbers indicate
lower privilege levels.
Examples
These examples show output from the show curpriv command when a user named enable_15 is at
different privilege levels. The username indicates the name that the user entered when the user logged
in. P_PRIV indicates that the user has entered the enable command. P_CONF indicates that the user has
entered the config terminal command.
ciscoasa(config)# show curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV P_CONF
ciscoasa(config)# exit
ciscoasa(config)# show curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV
ciscoasa(config)# exit
ciscoasa(config)# show curpriv
Username : enable_1
Current privilege level : 1
Current Mode/s : P_UNPR
ciscoasa(config)#
The following example shows a known behavior. When you are in enable mode, then enter disable mode,
the initial logged-in username is replaced with enable_1:
ciscoasa(config)# show curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV P_CONF
ciscoasa(config)# exit
ciscoasa# show curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV
ciscoasa# exit
Logoff
Type help or '?' for a list of available commands.
ciscoasa# show curpriv
Username : enable_1
Current privilege level : 1
Current Mode/s : P_UNPR
ciscoasa#

Related Commands

Command                         Description
clear configure privilege       Removes privilege command statements from the configuration.
show running-config privilege   Displays privilege levels for commands.

CHAPTER 6
show ddns update interface through show event manager Commands

show ddns update interface
To display the DDNS methods assigned to ASA interfaces, use the show ddns update interface
command in privileged EXEC mode.
show ddns update interface [interface-name]
Syntax Description

interface-name   (Optional) The name of a network interface.

Defaults

Omitting the interface-name string displays the DDNS method assigned to each interface.

Command Modes

The following table shows the modes in which you can enter the command:

                   Firewall Mode             Security Context
                                                       Multiple
Command Mode       Routed   Transparent    Single   Context   System
Privileged EXEC    Yes      —              Yes      Yes       —

Command History

Release   Modification
7.2(1)    This command was added.

Examples

The following example displays the DDNS method assigned to the inside interface:
ciscoasa# show ddns update interface inside
Dynamic DNS Update on inside:
  Update Method Name       Update Destination
  ddns-2                   not available
ciscoasa#

Related Commands

Command                                   Description
ddns (DDNS-update-method mode)            Specifies a DDNS update method type for a created DDNS method.
ddns update (interface config mode)       Associates an ASA interface with a DDNS update method or a DDNS update hostname.
ddns update method (global config mode)   Creates a method for dynamically updating DNS resource records.
show ddns update method                   Displays the type and interval for each configured DDNS method.
                                          a DHCP server to perform DDNS updates.
show running-config ddns                  Displays the type and interval of all configured DDNS methods in the running configuration.

show ddns update method
To display the DDNS update methods in the running configuration, use the show ddns update method
command in privileged EXEC mode.
show ddns update method [method-name]
Syntax Description

method-name   (Optional) The name of a configured DDNS update method.

Defaults

Omitting the method-name string displays all configured DDNS update methods.

Command Modes

The following table shows the modes in which you can enter the command:

                   Firewall Mode             Security Context
                                                       Multiple
Command Mode       Routed   Transparent    Single   Context   System
Privileged EXEC    Yes      —              Yes      Yes       —

Command History

Release   Modification
7.2(1)    This command was added.

Examples

The following example displays the DDNS method named ddns-2:
ciscoasa(config)# show ddns update method ddns-2
Dynamic DNS Update Method: ddns-2
IETF standardized Dynamic DNS 'A' and 'PTR' records update
Maximum update interval: 0 days 0 hours 10 minutes 0 seconds
ciscoasa(config)#
Related Commands
Command                                    Description
ddns (DDNS-update-method mode)             Specifies a DDNS update method type for a created DDNS method.
ddns update (interface config mode)        Associates an ASA interface with a Dynamic DNS (DDNS) update method or a DDNS update hostname.
ddns update method (global config mode)    Creates a method for dynamically updating DNS resource records.
show ddns update interface                 Displays the interfaces associated with each configured DDNS method.
show running-config ddns                   Displays the type and interval of all configured DDNS methods in the running configuration.
show debug
To show the current debugging configuration, use the show debug command.
show debug [command [keywords]]
Syntax Description
command     (Optional) Specifies the debug command whose current configuration you want to view.
keywords    (Optional) For each command, the keywords following the command are identical to the keywords supported by the associated debug command.
Defaults
This command has no default settings.
Command Modes
The following table shows the modes in which you can enter the command.
                    Firewall Mode             Security Context
                                                       Multiple
Command Mode        Routed   Transparent      Single   Context   System
Privileged EXEC     Yes      Yes              Yes      Yes       Yes
Command History
Release    Modification
7.0(1)     This command was added.
8.0(2)     The eigrp keyword was added to the list of possible command values.
8.4(1)     The route keyword was added to the list of possible command values.
9.2(1)     The event manager keyword was added to the list of possible command values.
9.5(2)     The output has been modified to include any debug persistent settings.
9.5(2)     The ability to show debug logs by filtering, based on the filter condition sets, was added.
Usage Guidelines
For each command, the keywords following the command are identical to the keywords supported by the associated debug command. For information about the supported syntax, see the associated debug command.
Note
The availability of each command depends on the command modes that support the applicable debug command.
The valid command values are as follows:
• aaa
• appfw
• arp
• asdm
• context
• crypto
• ctiqbe
• ctm
• cxsc
• dhcpc
• dhcpd
• dhcprelay
• disk
• dns
• eigrp
• email
• entity
• event manager
• fixup
• fover
• fsm
• ftp
• generic
• gtp
• h323
• http
• http-map
• icmp
• igmp
• ils
• imagemgr
• ipsec-over-tcp
• ipv6
• iua-proxy
• kerberos
• ldap
• mfib
• mgcp
• mmp
• mrib
• ntdomain
• ntp
• ospf
• parser
• pim
• pix
• pptp
• radius
• rip
• route
• rtsp
• sdi
• sequence
• sfr
• sip
• skinny
• smtp
• sqlnet
• ssh
• ssl
• sunrpc
• tacacs
• timestamps
• vpn-sessiondb
• webvpn
• xdmcp
• xml
You can use the show debug command to view all debugging configurations, a debugging configuration for a specific feature, and a debugging configuration for a portion of a feature.
Examples
The following commands enable debugging for authentication, accounting, and flash memory:
ciscoasa# debug aaa authentication
debug aaa authentication enabled at level 1
ciscoasa# debug aaa accounting
debug aaa accounting enabled at level 1
ciscoasa# debug disk filesystem
debug disk filesystem enabled at level 1
ciscoasa# show debug
debug aaa authentication enabled at level 1
debug aaa accounting enabled at level 1
debug disk filesystem enabled at level 1
ciscoasa# show debug aaa
debug aaa authentication enabled at level 1
debug aaa authorization is disabled.
debug aaa accounting enabled at level 1
debug aaa internal is disabled.
debug aaa vpn is disabled.
ciscoasa# show debug aaa accounting
debug aaa accounting enabled at level 1
ciscoasa#
Related Commands
Command    Description
debug      Displays all debug commands.
show dhcpd
To view DHCP binding, state, and statistical information, use the show dhcpd command in privileged
EXEC or global configuration mode.
show dhcpd {binding [IP_address] | state | statistics}
Syntax Description
binding
Displays binding information for a given server IP address and its
associated client hardware address and lease length.
IP_address
Shows the binding information for the specified IP address.
state
Displays the state of the DHCP server, such as whether it is enabled in the
current context and whether it is enabled on each of the interfaces.
statistics
Displays statistical information, such as the number of address pools,
bindings, expired bindings, malformed messages, sent messages, and
received messages.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
                    Firewall Mode             Security Context
                                                       Multiple
Command Mode        Routed   Transparent      Single   Context   System
Privileged EXEC     Yes      Yes              Yes      Yes       —
Command History
Release    Modification
7.0(1)     This command was added.
Usage Guidelines
If you include the optional IP address in the show dhcpd binding command, only the binding for that
IP address is shown.
The show dhcpd binding | state | statistics commands are also available in global configuration mode.
Examples
The following is sample output from the show dhcpd binding command:
ciscoasa# show dhcpd binding
IP Address    Client-id           Lease Expiration   Type
10.0.1.100    0100.a0c9.868e.43   84985 seconds      automatic
The following is sample output from the show dhcpd state command:
ciscoasa# show dhcpd state
Context Not Configured for DHCP
Interface outside, Not Configured for DHCP
Interface inside, Not Configured for DHCP
The following is sample output from the show dhcpd statistics command:
ciscoasa# show dhcpd statistics
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0
Address pools        1
Automatic bindings   1
Expired bindings     1
Malformed messages   0
Message              Received
BOOTREQUEST          0
DHCPDISCOVER         1
DHCPREQUEST          2
DHCPDECLINE          0
DHCPRELEASE          0
DHCPINFORM           0
Message              Sent
BOOTREPLY            0
DHCPOFFER            1
DHCPACK              1
DHCPNAK              1
Related Commands
Command                      Description
clear configure dhcpd        Removes all DHCP server settings.
clear dhcpd                  Clears the DHCP server bindings and statistic counters.
dhcpd lease                  Defines the lease length for DHCP information granted to clients.
show running-config dhcpd    Displays the current DHCP server configuration.
show dhcprelay state
To view the state of the DHCP relay agent, use the show dhcprelay state command in privileged EXEC
or global configuration mode.
show dhcprelay state
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
                    Firewall Mode             Security Context
                                                       Multiple
Command Mode        Routed   Transparent      Single   Context   System
Privileged EXEC     Yes      —                Yes      Yes       —
Command History
Release    Modification
7.0(1)     This command was added.
Usage Guidelines
This command displays the DHCP relay agent state information for the current context and each
interface.
Examples
The following is sample output from the show dhcprelay state command:
ciscoasa# show dhcprelay state
Context Configured as DHCP Relay
Interface outside, Not Configured for DHCP
Interface infrastructure, Configured for DHCP RELAY SERVER
Interface inside, Configured for DHCP RELAY
Related Commands
Command                         Description
show dhcpd                      Displays DHCP server statistics and state information.
show dhcprelay statistics       Displays the DHCP relay statistics.
show running-config dhcprelay   Displays the current DHCP relay agent configuration.
show dhcprelay statistics
To display the DHCP relay statistics, use the show dhcprelay statistics command in privileged EXEC
mode.
show dhcprelay statistics
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
                    Firewall Mode             Security Context
                                                       Multiple
Command Mode        Routed   Transparent      Single   Context   System
Privileged EXEC     Yes      —                Yes      Yes       —
Command History
Release    Modification
7.0(1)     This command was added.
Usage Guidelines
The output of the show dhcprelay statistics command increments until you enter the clear dhcprelay
statistics command.
Examples
The following shows sample output for the show dhcprelay statistics command:
ciscoasa# show dhcprelay statistics
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0
Packets Relayed
BOOTREQUEST     0
DHCPDISCOVER    7
DHCPREQUEST     3
DHCPDECLINE     0
DHCPRELEASE     0
DHCPINFORM      0
BOOTREPLY       0
DHCPOFFER       7
DHCPACK         3
DHCPNAK         0
ciscoasa#
Related Commands
Command                         Description
clear configure dhcprelay       Removes all DHCP relay agent settings.
clear dhcprelay statistics      Clears the DHCP relay agent statistic counters.
debug dhcprelay                 Displays debug information for the DHCP relay agent.
show dhcprelay state            Displays the state of the DHCP relay agent.
show running-config dhcprelay   Displays the current DHCP relay agent configuration.
show diameter
To display state information for each Diameter connection, use the show diameter command in
privileged EXEC mode.
show diameter
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
                    Firewall Mode             Security Context
                                                       Multiple
Command Mode        Routed   Transparent      Single   Context   System
Privileged EXEC     Yes      Yes              Yes      Yes       —
Command History
Release    Modification
9.5(2)     This command was added.
Usage Guidelines
To display Diameter connection state information, you must inspect Diameter traffic.
Examples
The following shows sample output for the show diameter command:
ciscoasa# show diameter
Total active diameter sessions: 5
Session 3638
==========
ref_count: 1 val = .; 1096298391; 2461;
Protocol : diameter Context id : 0
From inside:211.1.1.10/45169 to outside:212.1.1.10/3868
...
Related Commands
Command                 Description
clear service-policy    Clears service policy statistics.
inspect diameter        Inspects Diameter traffic.
show disk
To display the contents of the flash memory for the ASA only, use the show disk command in privileged
EXEC mode.
show disk[0 | 1] [filesys | all] controller
Syntax Description
0|1
Specifies the internal flash memory (0, the default) or the external flash
memory (1).
all
Shows the contents of flash memory plus the file system information.
controller
Specifies the flash controller model number.
filesys
Shows information about the compact flash card.
Defaults
By default, this command shows the internal flash memory.
Command Modes
The following table shows the modes in which you can enter the command.
                    Firewall Mode             Security Context
                                                       Multiple
Command Mode        Routed   Transparent      Single   Context   System
Privileged EXEC     Yes      Yes              Yes      —         Yes
Command History
Release    Modification
7.0(1)     This command was added.
Examples
The following is sample output from the show disk command:
ciscoasa# show disk
-#- --length-- -----date/time------ path
 11 1301       Feb 21 2005 18:01:34 test.cfg
 12 1949       Feb 21 2005 20:13:36 test1.cfg
 13 2551       Jan 06 2005 10:07:36 test2.cfg
 14 609223     Jan 21 2005 07:14:18 test3.cfg
 15 1619       Jul 16 2004 16:06:48 test4.cfg
 16 3184       Aug 03 2004 07:07:00 old_running.cfg
 17 4787       Mar 04 2005 12:32:18 test5.cfg
 20 1792       Jan 21 2005 07:29:24 test6.cfg
 21 7765184    Mar 07 2005 19:38:30 test7.cfg
 22 1674       Nov 11 2004 02:47:52 test8.cfg
 23 1863       Jan 21 2005 07:29:18 test9.cfg
 24 1197       Jan 19 2005 08:17:48 test10.cfg
 25 608554     Jan 13 2005 06:20:54 backupconfig.cfg
 26 5124096    Feb 20 2005 08:49:28 cdisk1
 27 5124096    Mar 01 2005 17:59:56 cdisk2
 28 2074       Jan 13 2005 08:13:26 test11.cfg
 29 5124096    Mar 07 2005 19:56:58 cdisk3
 30 1276       Jan 28 2005 08:31:58 lead
 31 7756788    Feb 24 2005 12:59:46 asdmfile.dbg
 32 7579792    Mar 08 2005 11:06:56 asdmfile1.dbg
 33 7764344    Mar 04 2005 12:17:46 asdmfile2.dbg
 34 5124096    Feb 24 2005 11:50:50 cdisk4
 35 15322      Mar 04 2005 12:30:24 hs_err.log
10170368 bytes available (52711424 bytes used)
The following is sample output from the show disk filesys command:
ciscoasa# show disk filesys
******** Flash Card Geometry/Format Info ********
COMPACT FLASH CARD GEOMETRY
   Number of Heads:           4
   Number of Cylinders      978
   Sectors per Cylinder      32
   Sector Size              512
   Total Sectors         125184
COMPACT FLASH CARD FORMAT
   Number of FAT Sectors     61
   Sectors Per Cluster        8
   Number of Clusters     15352
   Number of Data Sectors 122976
   Base Root Sector         123
   Base FAT Sector            1
   Base Data Sector         155
The following is sample output from the show disk controller command:
ciscoasa# show disk:1 controller
Flash Model: TOSHIBA THNCF064MBA
Related Commands
Command
Description
dir
Displays the directory contents.
show dns
To show the current resolved DNS addresses for all or specified fully qualified domain name (FQDN)
hosts, use the show dns command in privileged EXEC mode.
show dns [host fqdn_name]
Syntax Description
fqdn_name
(Optional) Specifies the FQDN of the selected host.
host
(Optional) Indicates the IP address of the specified host.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
                    Firewall Mode             Security Context
                                                       Multiple
Command Mode        Routed   Transparent      Single   Context   System
Privileged EXEC     Yes      Yes              Yes      Yes       —
Command History
Release    Modification
7.0(1)     This command was added.
Examples
The following is sample output from the show dns command:
ciscoasa# show dns
Name: www.example1.com
  Address: 10.1.3.1                   TTL 00:03:01
  Address: 10.1.3.3                   TTL 00:00:36
  Address: 10.4.1.2                   TTL 00:01:01
Name: www.example2.com
  Address: 10.2.4.1                   TTL 00:25:13
  Address: 10.5.2.1                   TTL 00:25:01
Name: server.ddns-exampleuser.com
  Address: fe80::21e:8cff:feb5:4faa   TTL 00:00:41
  Address: 10.10.10.2                 TTL 00:25:01
Note
If the FQDN host has not been activated yet, this command shows no output.
The following is sample output from the show dns host command:
ciscoasa# show dns host www.example.com
Name: www.example.com
  Address: 10.1.3.1 TTL 00:03:01
  Address: 10.1.9.5 TTL 00:00:36
  Address: 10.1.1.2 TTL 00:01:01
Related Commands
Command
Description
clear dns-hosts
Clears the DNS cache.
dns domain-lookup
Enables the ASA to perform a name lookup.
dns name-server
Configures a DNS server address.
show dns-hosts
To show the DNS cache, use the show dns-hosts command in privileged EXEC mode. The DNS cache
includes dynamically learned entries from a DNS server and manually entered names and IP addresses.
show dns-hosts
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
                    Firewall Mode             Security Context
                                                       Multiple
Command Mode        Routed   Transparent      Single   Context   System
Privileged EXEC     Yes      Yes              Yes      Yes       —
Command History
Release    Modification
7.0(1)     This command was added.
Examples
The following is sample output from the show dns-hosts command:
ciscoasa# show dns-hosts
Host                     Flags        Age  Type  Address(es)
ns2.example.com          (temp, OK)     0  IP    10.102.255.44
ns1.example.com          (temp, OK)     0  IP    192.168.241.185
snowmass.example.com     (temp, OK)     0  IP    10.94.146.101
server.example.com       (temp, OK)     0  IP    10.94.146.80
Table 6-1 shows each field description.
Table 6-1    show dns-hosts Fields
Field          Description
Host           Shows the hostname.
Flags          Shows the entry status as a combination of the following:
               • temp—This entry is temporary because it comes from a DNS server. The ASA removes this entry after 72 hours of inactivity.
               • perm—This entry is permanent because it was added with the name command.
               • OK—This entry is valid.
               • ??—This entry is suspect and needs to be revalidated.
               • EX—This entry is expired.
Age            Shows the number of hours since this entry was last referenced.
Type           Shows the type of DNS record; this value is always IP.
Address(es)    The IP addresses.
Related Commands
Command              Description
clear dns-hosts      Clears the DNS cache.
dns domain-lookup    Enables the ASA to perform a name lookup.
dns name-server      Configures a DNS server address.
dns retries          Specifies the number of times to retry the list of DNS servers when the ASA does not receive a response.
dns timeout          Specifies the amount of time to wait before trying the next DNS server.
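The field definitions above are regular enough to parse mechanically, which is useful when the DNS cache feeds access-list object names and an operator wants to spot cache entries that are suspect, expired, or about to be purged. The following is an added example, not code from the Cisco reference: it turns show dns-hosts output into records and picks out entries that need attention. The first four sample rows are the page's own output; the last two rows are constructed to exercise the perm and EX flags, and the 48-hour age threshold is an assumption chosen for illustration, not a value from the page.

```python
"""Parse `show dns-hosts` output and pick out entries that need attention.

Added example, not code from the Cisco reference. The first four SAMPLE rows
are the page's own output; the last two are constructed to exercise the perm
and EX flags described in Table 6-1.
"""
import re
from dataclasses import dataclass

SAMPLE = """\
ciscoasa# show dns-hosts
Host                     Flags        Age  Type  Address(es)
ns2.example.com          (temp, OK)     0  IP    10.102.255.44
ns1.example.com          (temp, OK)     0  IP    192.168.241.185
snowmass.example.com     (temp, OK)     0  IP    10.94.146.101
server.example.com       (temp, OK)     0  IP    10.94.146.80
gateway.example.com      (perm, OK)     5  IP    10.94.146.1
old.example.com          (temp, EX)    80  IP    10.94.146.9 10.94.146.10
"""

# One row: host, "(origin, status)", age in hours, record type, one or more addresses.
ROW_RE = re.compile(
    r"^(?P<host>\S+)\s+\((?P<origin>temp|perm),\s*(?P<status>OK|\?\?|EX)\)"
    r"\s+(?P<age>\d+)\s+(?P<type>\S+)\s+(?P<addrs>.+?)\s*$"
)

# Assumed threshold (not from the page): temp entries are purged after 72 idle
# hours, so flag the ones that are two-thirds of the way there.
STALE_AGE_HOURS = 48


@dataclass
class DnsHostEntry:
    host: str
    origin: str        # "temp" (learned from a DNS server) or "perm" (name command)
    status: str        # "OK", "??" (suspect) or "EX" (expired)
    age: int           # hours since the entry was last referenced
    addresses: tuple


def parse_dns_hosts(text):
    """Return the rows of a show dns-hosts listing as DnsHostEntry records."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue                      # prompt, column header, blank line
        entries.append(DnsHostEntry(
            host=m["host"], origin=m["origin"], status=m["status"],
            age=int(m["age"]), addresses=tuple(m["addrs"].split()),
        ))
    return entries


def needs_attention(entries):
    """Entries whose status is not OK, or temp entries approaching the 72-hour purge."""
    return [e for e in entries
            if e.status != "OK" or (e.origin == "temp" and e.age >= STALE_AGE_HOURS)]


def hosts_for_address(entries, address):
    """Reverse lookup: which cached names currently map to this address."""
    return sorted(e.host for e in entries if address in e.addresses)
```

The parser keys on the `(origin, status)` flag pair rather than on column offsets, so it survives the width changes that long hostnames or multiple addresses produce.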
show dynamic-filter data
To show information about the Botnet Traffic Filter dynamic database, including when the dynamic
database was last downloaded, the version of the database, how many entries the database contains, and
10 sample entries, use the show dynamic-filter data command in privileged EXEC mode.
show dynamic-filter data
Syntax Description
This command has no arguments or keywords.
Command Default
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
                       Firewall Mode             Security Context
                                                          Multiple
Command Mode           Routed   Transparent      Single   Context   System
Global configuration   Yes      Yes              Yes      —         Yes
Command History
Release    Modification
8.2(1)     This command was added.
Usage Guidelines
To view dynamic database information, first enable use and download of the database with the dynamic-filter use-database and dynamic-filter updater-client enable commands.
Examples
The following is sample output from the show dynamic-filter data command:
ciscoasa# show dynamic-filter data
Traffic filter is using downloaded database version '907'
Fetched at 18:00:16 UTC Jan 22 2009, size: 674381
Sample names from downloaded database:
example.com, example.net, example.org,
cisco.example, cisco.invalid, bad.example.com
bad.example.net, bad.example.org, bad.cisco.example
bad.cisco.ivalid
Total entries in Dynamic Filter database:
Dynamic data: 40909 domain names , 1080 IPv4 addresses
Local data: 0 domain names , 0 IPv4 addresses
Active rules in Dynamic Filter asp table:
Dynamic data: 0 domain names , 1080 IPv4 addresses
Local data: 0 domain names , 0 IPv4 addresses
Related Commands
Command                                Description
address                                Adds an IP address to the blacklist or whitelist.
clear configure dynamic-filter         Clears the running Botnet Traffic Filter configuration.
clear dynamic-filter dns-snoop         Clears Botnet Traffic Filter DNS snooping data.
clear dynamic-filter reports           Clears Botnet Traffic filter report data.
clear dynamic-filter statistics        Clears Botnet Traffic filter statistics.
dns domain-lookup                      Enables the ASA to send DNS requests to a DNS server to perform a name lookup for supported commands.
dns server-group                       Identifies a DNS server for the ASA.
dynamic-filter ambiguous-is-black      Treats greylisted traffic as blacklisted traffic for action purposes.
dynamic-filter blacklist               Edits the Botnet Traffic Filter blacklist.
dynamic-filter database fetch          Manually retrieves the Botnet Traffic Filter dynamic database.
dynamic-filter database find           Searches the dynamic database for a domain name or IP address.
dynamic-filter database purge          Manually deletes the Botnet Traffic Filter dynamic database.
dynamic-filter drop blacklist          Automatically drops blacklisted traffic.
dynamic-filter enable                  Enables the Botnet Traffic Filter for a class of traffic or for all traffic if you do not specify an access list.
dynamic-filter updater-client enable   Enables downloading of the dynamic database.
dynamic-filter use-database            Enables use of the dynamic database.
dynamic-filter whitelist               Edits the Botnet Traffic Filter whitelist.
inspect dns dynamic-filter-snoop       Enables DNS inspection with Botnet Traffic Filter snooping.
name                                   Adds a name to the blacklist or whitelist.
show asp table dynamic-filter          Shows the Botnet Traffic Filter rules that are installed in the accelerated security path.
show dynamic-filter data               Shows information about the dynamic database, including when the dynamic database was last downloaded, the version of the database, how many entries the database contains, and 10 sample entries.
show dynamic-filter reports            Generates reports of the top 10 botnet sites, ports, and infected hosts.
show dynamic-filter statistics         Shows how many connections were monitored with the Botnet Traffic Filter, and how many of those connections match the whitelist, blacklist, and greylist.
show dynamic-filter updater-client     Shows information about the updater server, including the server IP address, the next time the ASA will connect with the server, and the database version last installed.
show running-config dynamic-filter     Shows the Botnet Traffic Filter running configuration.
show dynamic-filter dns-snoop
To show the Botnet Traffic Filter DNS snooping summary, or the actual IP addresses and names, use the
show dynamic-filter dns-snoop command in privileged EXEC mode.
show dynamic-filter dns-snoop [detail]
Syntax Description
detail    (Optional) Shows the IP addresses and names snooped from DNS responses.
Command Default
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
                       Firewall Mode             Security Context
                                                          Multiple
Command Mode           Routed   Transparent      Single   Context   System
Global configuration   Yes      Yes              Yes      Yes       —
Command History
Release    Modification
8.2(1)     This command was added.
Usage Guidelines
All inspected DNS data is included in this output, not just the names that match the blacklist. DNS data from static entries is not included.
To clear the DNS snooping data, enter the clear dynamic-filter dns-snoop command.
Examples
The following is sample output from the show dynamic-filter dns-snoop command:
ciscoasa# show dynamic-filter dns-snoop
DNS Reverse Cache Summary Information:
75 addresses, 124 names, 997 dnsrc address buckets
The following is sample output from the show dynamic-filter dns-snoop detail command:
ciscoasa# show dynamic-filter dns-snoop detail
DNS Reverse Cache Summary Information:
75 addresses, 124 names, 997 dnsrc address buckets
DNS reverse Cache Information:
[10.67.22.34] flags=0x22, cat=2, unit=0 b:g:w=3:0:0, cookie=0xda148218
[www3.example.com] cat=2, ttl=3
[www.bad.example.com] cat=2, ttl=3
[www.example.com] cat=2, ttl=3
[10.6.68.133] flags=0x2, cat=2, unit=0 b:g:w=1:0:0, cookie=0xda13ed60
[cisco.example] cat=2, ttl=73
[10.166.226.25] flags=0x2, cat=2, unit=0 b:g:w=1:0:0, cookie=0xda608cb8
[cisco.invalid] cat=2, ttl=2
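The detail output above is the data a defender most often wants to correlate with flow logs: which snooped names resolved to a given address, and how soon the cached mapping ages out. The following is an added example, not code from the Cisco reference; it parses the page's own show dynamic-filter dns-snoop detail output into a reverse-cache map. The page does not define the b:g:w triple, so reading it as per-address counts of blacklisted, greylisted and whitelisted names is an assumption made here and is marked as such in the code.

```python
"""Parse `show dynamic-filter dns-snoop detail` output into a reverse-cache map.

Added example; this is not code from the Cisco reference. SAMPLE is the page's
own output. Reading b:g:w as blacklist:greylist:whitelist name counts is an
assumption; the page does not define the field.
"""
import re

SAMPLE = """\
ciscoasa# show dynamic-filter dns-snoop detail
DNS Reverse Cache Summary Information:
 75 addresses, 124 names, 997 dnsrc address buckets
DNS reverse Cache Information:
 [10.67.22.34] flags=0x22, cat=2, unit=0 b:g:w=3:0:0, cookie=0xda148218
   [www3.example.com] cat=2, ttl=3
   [www.bad.example.com] cat=2, ttl=3
   [www.example.com] cat=2, ttl=3
 [10.6.68.133] flags=0x2, cat=2, unit=0 b:g:w=1:0:0, cookie=0xda13ed60
   [cisco.example] cat=2, ttl=73
 [10.166.226.25] flags=0x2, cat=2, unit=0 b:g:w=1:0:0, cookie=0xda608cb8
   [cisco.invalid] cat=2, ttl=2
"""

# Address line: "[ip] flags=0x.., cat=N, unit=N b:g:w=B:G:W, cookie=0x.."
ADDR_RE = re.compile(
    r"^\s*\[(?P<ip>[0-9A-Fa-f.:]+)\]\s+flags=(?P<flags>0x[0-9A-Fa-f]+),\s*"
    r"cat=(?P<cat>\d+),\s*unit=(?P<unit>\d+)\s+"
    r"b:g:w=(?P<b>\d+):(?P<g>\d+):(?P<w>\d+),\s*cookie=(?P<cookie>0x[0-9A-Fa-f]+)"
)
# Name line nested under an address: "[name] cat=N, ttl=N"
NAME_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s+cat=(?P<cat>\d+),\s*ttl=(?P<ttl>\d+)")
SUMMARY_RE = re.compile(r"(?P<addrs>\d+) addresses, (?P<names>\d+) names")


def parse_dns_snoop(text):
    """Return (summary, cache): the summary counts and a {ip: entry} map."""
    summary = {}
    cache = {}
    current = None
    for line in text.splitlines():
        m = SUMMARY_RE.search(line)
        if m:
            summary = {"addresses": int(m["addrs"]), "names": int(m["names"])}
            continue
        m = ADDR_RE.match(line)
        if m:
            current = {
                "flags": int(m["flags"], 16), "cat": int(m["cat"]),
                "bgw": (int(m["b"]), int(m["g"]), int(m["w"])),   # assumed meaning
                "cookie": m["cookie"], "names": [],
            }
            cache[m["ip"]] = current
            continue
        m = NAME_RE.match(line)
        if m and current is not None:
            current["names"].append((m["name"], int(m["cat"]), int(m["ttl"])))
    return summary, cache


def names_for(cache, ip):
    """Snooped names that resolved to ip (empty list if ip was never snooped)."""
    return [n for n, _cat, _ttl in cache.get(ip, {"names": []})["names"]]


def blacklisted_addresses(cache):
    """Addresses with at least one blacklisted name, under the assumed b:g:w reading."""
    return sorted(ip for ip, e in cache.items() if e["bgw"][0] > 0)


def expiring_soon(cache, ttl_limit):
    """(ip, name, ttl) for snooped mappings whose TTL is at or below ttl_limit."""
    return [(ip, n, ttl) for ip, e in cache.items()
            for n, _cat, ttl in e["names"] if ttl <= ttl_limit]
```

Because name lines are attached to the most recent address line, the parser depends on the nesting order of the output, which is why it tracks `current` rather than matching names independently.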
Related Commands
Command                                Description
address                                Adds an IP address to the blacklist or whitelist.
clear configure dynamic-filter         Clears the running Botnet Traffic Filter configuration.
clear dynamic-filter dns-snoop         Clears Botnet Traffic Filter DNS snooping data.
clear dynamic-filter reports           Clears Botnet Traffic filter report data.
clear dynamic-filter statistics        Clears Botnet Traffic filter statistics.
dns domain-lookup                      Enables the ASA to send DNS requests to a DNS server to perform a name lookup for supported commands.
dns server-group                       Identifies a DNS server for the ASA.
dynamic-filter ambiguous-is-black      Treats greylisted traffic as blacklisted traffic for action purposes.
dynamic-filter blacklist               Edits the Botnet Traffic Filter blacklist.
dynamic-filter database fetch          Manually retrieves the Botnet Traffic Filter dynamic database.
dynamic-filter database find           Searches the dynamic database for a domain name or IP address.
dynamic-filter database purge          Manually deletes the Botnet Traffic Filter dynamic database.
dynamic-filter drop blacklist          Automatically drops blacklisted traffic.
dynamic-filter enable                  Enables the Botnet Traffic Filter for a class of traffic or for all traffic if you do not specify an access list.
dynamic-filter updater-client enable   Enables downloading of the dynamic database.
dynamic-filter use-database            Enables use of the dynamic database.
dynamic-filter whitelist               Edits the Botnet Traffic Filter whitelist.
inspect dns dynamic-filter-snoop       Enables DNS inspection with Botnet Traffic Filter snooping.
name                                   Adds a name to the blacklist or whitelist.
show asp table dynamic-filter          Shows the Botnet Traffic Filter rules that are installed in the accelerated security path.
show dynamic-filter data               Shows information about the dynamic database, including when the dynamic database was last downloaded, the version of the database, how many entries the database contains, and 10 sample entries.
show dynamic-filter reports            Generates reports of the top 10 botnet sites, ports, and infected hosts.
show dynamic-filter statistics         Shows how many connections were monitored with the Botnet Traffic Filter, and how many of those connections match the whitelist, blacklist, and greylist.
show dynamic-filter updater-client     Shows information about the updater server, including the server IP address, the next time the ASA will connect with the server, and the database version last installed.
show running-config dynamic-filter     Shows the Botnet Traffic Filter running configuration.
show dynamic-filter reports infected-hosts
To generate reports about infected hosts classified by the Botnet Traffic Filter, use the show
dynamic-filter reports infected-hosts command in privileged EXEC mode.
show dynamic-filter reports infected-hosts {max-connections | latest-active | highest-threat |
subnet ip_address netmask | all}
Syntax Description
all                          Shows all buffered infected-hosts information. This display might include thousands of entries. You might want to use ASDM to generate a PDF file instead of using the CLI.
highest-threat               Shows the 20 hosts that connected to the malware sites with the highest threat level.
latest-active                Shows the 20 hosts with the most recent activity. For each host, the display shows detailed information about 5 visited malware sites.
max-connections              Shows the 20 infected hosts with the greatest number of connections.
subnet ip_address netmask    Shows up to 20 hosts within the specified subnet.
Command Default
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
                    Firewall Mode             Security Context
                                                       Multiple
Command Mode        Routed   Transparent      Single   Context   System
Privileged EXEC     Yes      Yes              Yes      Yes       —
Command History
Release    Modification
8.2(2)     This command was added.
Usage Guidelines
These reports contain detailed history about infected hosts, showing the correlation between infected hosts, visited malware sites, and malware ports.
To clear the report data, enter the clear dynamic-filter reports infected-hosts command.
Examples
The following is sample output from the show dynamic-filter reports infected-hosts all command:
ciscoasa# show dynamic-filter reports infected-hosts all
Total 2 infected-hosts in buffer
Host (interface)          Latest malicious conn time, filter action   Conn logged, dropped
=======================================================================================================
192.168.1.4 (internal)    15:39:40 UTC Sep 17 2009, dropped           3            3
  Malware-sites connected to (not ordered)
  Site                              Latest conn port, time, filter action   Conn logged, dropped Threat-level Category
  ------------------------------------------------------------------------------------------------------
  10.73.210.27 (bad.example.com)    80, 15:39:31 UTC Sep 17 2009, dropped   2            2       very-high    Malware
  10.65.2.119 (bad2.example.com)    0, 15:39:40 UTC Sep 17 2009, dropped    1            1       very-high    admin-added
=======================================================================================================
192.168.1.2 (internal)    15:39:01 UTC Sep 17 2009, dropped           5            5
  Malware-sites connected to (not ordered)
  Site                              Latest conn port, time, filter action   Conn logged, dropped Threat-level Category
  ------------------------------------------------------------------------------------------------------
  10.131.36.158 (bad.example.com)   0, 15:37:46 UTC Sep 17 2009, dropped    1            1       very-high    admin-added
  10.65.2.119 (bad2.example.com)    0, 15:37:53 UTC Sep 17 2009, dropped    1            1       very-high    admin-added
  20.73.210.27 (bad3.example.com)   80, 15:39:01 UTC Sep 17 2009, dropped   3            3       very-high    Malware
=======================================================================================================
Last clearing of the infected-hosts report: Never
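The all report can run to thousands of entries, and in practice an incident responder wants it as structured records (infected host, interface, each malware site reached, port, threat level, category) that can be fed to a ticketing system or SIEM rather than read on the CLI. The following is an added example, not code from the Cisco reference: it parses the report shown above, checks the parsed host count against the "Total N infected-hosts in buffer" line, and flattens the nested host/site structure into event rows. The embedded sample is the page's own output re-flowed into its column layout; no other values are assumed.

```python
"""Turn `show dynamic-filter reports infected-hosts all` output into records.

Added example; not code from the Cisco reference. SAMPLE is the page's report
output, re-flowed into its original column layout. The parser keys on the
per-host and per-site line shapes rather than column offsets, so it copes with
the width changes that longer hostnames produce.
"""
import re
from dataclasses import dataclass, field

SAMPLE = """\
ciscoasa# show dynamic-filter reports infected-hosts all
Total 2 infected-hosts in buffer
Host (interface)          Latest malicious conn time, filter action   Conn logged, dropped
=======================================================================================================
192.168.1.4 (internal)    15:39:40 UTC Sep 17 2009, dropped           3            3
  Malware-sites connected to (not ordered)
  Site                              Latest conn port, time, filter action   Conn logged, dropped Threat-level Category
  ------------------------------------------------------------------------------------------------------
  10.73.210.27 (bad.example.com)    80, 15:39:31 UTC Sep 17 2009, dropped   2            2       very-high    Malware
  10.65.2.119 (bad2.example.com)    0, 15:39:40 UTC Sep 17 2009, dropped    1            1       very-high    admin-added
=======================================================================================================
192.168.1.2 (internal)    15:39:01 UTC Sep 17 2009, dropped           5            5
  Malware-sites connected to (not ordered)
  Site                              Latest conn port, time, filter action   Conn logged, dropped Threat-level Category
  ------------------------------------------------------------------------------------------------------
  10.131.36.158 (bad.example.com)   0, 15:37:46 UTC Sep 17 2009, dropped    1            1       very-high    admin-added
  10.65.2.119 (bad2.example.com)    0, 15:37:53 UTC Sep 17 2009, dropped    1            1       very-high    admin-added
  20.73.210.27 (bad3.example.com)   80, 15:39:01 UTC Sep 17 2009, dropped   3            3       very-high    Malware
=======================================================================================================
Last clearing of the infected-hosts report: Never
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
TIME = r"\S+ UTC \S+ \d+ \d{4}"            # e.g. 15:39:40 UTC Sep 17 2009
# Host line starts at column 0: "<ip> (<iface>)   <time>, <action>   <logged> <dropped>"
HOST_RE = re.compile(
    rf"^(?P<ip>{IP}) \((?P<iface>[^)]+)\)\s+(?P<time>{TIME}), "
    r"(?P<action>\w+)\s+(?P<logged>\d+)\s+(?P<dropped>\d+)\s*$"
)
# Site line is indented and carries a port before the time plus threat/category.
SITE_RE = re.compile(
    rf"^\s*(?P<ip>{IP}) \((?P<name>[^)]+)\)\s+(?P<port>\d+), (?P<time>{TIME}), "
    r"(?P<action>\w+)\s+(?P<logged>\d+)\s+(?P<dropped>\d+)\s+"
    r"(?P<threat>\S+)\s+(?P<category>\S+)\s*$"
)
TOTAL_RE = re.compile(r"^Total (?P<n>\d+) infected-hosts in buffer")


@dataclass
class Site:
    ip: str
    name: str
    port: int
    last_seen: str
    action: str
    logged: int
    dropped: int
    threat_level: str
    category: str


@dataclass
class InfectedHost:
    ip: str
    interface: str
    last_seen: str
    action: str
    logged: int
    dropped: int
    sites: list = field(default_factory=list)


def parse_infected_hosts(text):
    """Parse the report; raise if the host count disagrees with the Total line."""
    hosts = []
    expected = None
    for line in text.splitlines():
        m = TOTAL_RE.match(line)
        if m:
            expected = int(m["n"])
            continue
        m = SITE_RE.match(line)
        if m and hosts:                     # sites belong to the preceding host
            hosts[-1].sites.append(Site(
                m["ip"], m["name"], int(m["port"]), m["time"], m["action"],
                int(m["logged"]), int(m["dropped"]), m["threat"], m["category"]))
            continue
        m = HOST_RE.match(line)
        if m:
            hosts.append(InfectedHost(
                m["ip"], m["iface"], m["time"], m["action"],
                int(m["logged"]), int(m["dropped"])))
    if expected is not None and expected != len(hosts):
        raise ValueError(f"report says {expected} hosts, parsed {len(hosts)}")
    return hosts


def hosts_by_category(hosts, category):
    """Infected hosts that reached at least one site of the given category."""
    return sorted({h.ip for h in hosts for s in h.sites if s.category == category})


def total_dropped(hosts):
    return sum(h.dropped for h in hosts)


def to_events(hosts):
    """Flatten to (host, iface, site name, site ip, port, threat) rows for a SIEM."""
    return [(h.ip, h.interface, s.name, s.ip, s.port, s.threat_level)
            for h in hosts for s in h.sites]
```

The count check against the Total line is the cheap way to notice a truncated capture (a paged terminal session, for instance) before acting on an incomplete host list.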
Related Commands
Command                                Description
address                                Adds an IP address to the blacklist or whitelist.
clear configure dynamic-filter         Clears the running Botnet Traffic Filter configuration.
clear dynamic-filter dns-snoop         Clears Botnet Traffic Filter DNS snooping data.
clear dynamic-filter reports           Clears Botnet Traffic filter report data.
clear dynamic-filter statistics        Clears Botnet Traffic filter statistics.
dns domain-lookup                      Enables the ASA to send DNS requests to a DNS server to perform a name lookup for supported commands.
dns server-group                       Identifies a DNS server for the ASA.
dynamic-filter ambiguous-is-black      Treats greylisted traffic as blacklisted traffic for action purposes.
dynamic-filter blacklist               Edits the Botnet Traffic Filter blacklist.
dynamic-filter database fetch          Manually retrieves the Botnet Traffic Filter dynamic database.
dynamic-filter database find           Searches the dynamic database for a domain name or IP address.
dynamic-filter database purge          Manually deletes the Botnet Traffic Filter dynamic database.
dynamic-filter drop blacklist          Automatically drops blacklisted traffic.
dynamic-filter enable                  Enables the Botnet Traffic Filter for a class of traffic or for all traffic if you do not specify an access list.
dynamic-filter updater-client enable   Enables downloading of the dynamic database.
dynamic-filter use-database            Enables use of the dynamic database.
dynamic-filter whitelist               Edits the Botnet Traffic Filter whitelist.
inspect dns dynamic-filter-snoop       Enables DNS inspection with Botnet Traffic Filter snooping.
name                                   Adds a name to the blacklist or whitelist.
show asp table dynamic-filter          Shows the Botnet Traffic Filter rules that are installed in the accelerated security path.
show dynamic-filter data               Shows information about the dynamic database, including when the dynamic database was last downloaded, the version of the database, how many entries the database contains, and 10 sample entries.
show dynamic-filter dns-snoop          Shows the Botnet Traffic Filter DNS snooping summary, or with the detail keyword, the actual IP addresses and names.
show dynamic-filter statistics         Shows how many connections were monitored with the Botnet Traffic Filter, and how many of those connections match the whitelist, blacklist, and greylist.
show dynamic-filter updater-client     Shows information about the updater server, including the server IP address, the next time the ASA will connect with the server, and the database version last installed.
show running-config dynamic-filter     Shows the Botnet Traffic Filter running configuration.
show dynamic-filter reports top
To generate reports of the top 10 malware sites, ports, and infected hosts classified by the Botnet Traffic
Filter, use the show dynamic-filter reports top command in privileged EXEC mode.
show dynamic-filter reports top [malware-sites | malware-ports | infected-hosts]
Syntax Description
malware-ports    (Optional) Shows a report for the top 10 malware ports.
malware-sites    (Optional) Shows a report for the top 10 malware sites.
infected-hosts   (Optional) Shows a report for the top 10 infected hosts.
Command Default
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                     Firewall Mode          Security Context
                                                      Multiple
Command Mode         Routed   Transparent  Single   Context  System
Privileged EXEC      • Yes    • Yes        • Yes    • Yes    —

Command History
Release   Modification
8.2(1)    This command was added.
8.2(2)    The botnet-sites and botnet-ports keywords were changed to
          malware-sites and malware-ports. The malware-sites report now includes
          the number of connections dropped, and the threat level and category of
          each site. A last clear timestamp was added. For threat events, the severity
          level was changed from a warning to a notification. Threat events can be
          triggered every five minutes.
Usage Guidelines
This report is a snapshot of the data, and may not match the top 10 items since the statistics started to be
collected.
To clear the report data, enter the clear dynamic-filter reports top command.
Examples
The following is sample output from the show dynamic-filter reports top malware-sites command:
ciscoasa# show dynamic-filter reports top malware-sites
Site                                   Connections logged  dropped  Threat Level  Category
-----------------------------------------------------------------------------------------
bad1.example.com (10.67.22.34)                         11        0             2  Botnet
bad2.example.com (209.165.200.225)                      8        8             3  Virus
bad1.cisco.example(10.131.36.158)                       6        6             3  Virus
bad2.cisco.example(209.165.201.1)                       2        2             3  Trojan
horrible.example.net(10.232.224.2)                      2        2             3  Botnet
nono.example.org(209.165.202.130)                       1        1             3  Virus
Last clearing of the top sites report: at 13:41:06 UTC Jul 15 2009
The following is sample output from the show dynamic-filter reports top malware-ports command:
ciscoasa# show dynamic-filter reports top malware-ports
Port                     Connections logged
----------------------------------------------------------------------
tcp 1000                                617
tcp 2001                                472
tcp 23                                   22
tcp 1001                                 19
udp 2000                                 17
udp 2001                                 17
tcp 8080                                  9
tcp 80                                    3
tcp >8192                                 2
Last clearing of the top ports report: at 13:41:06 UTC Jul 15 2009
The following is sample output from the show dynamic-filter reports top infected-hosts command:
ciscoasa# show dynamic-filter reports top infected-hosts
Host                     Connections logged
----------------------------------------------------------------------
10.10.10.51(inside)                    1190
10.12.10.10(inside)                      10
10.10.11.10(inside)                       5
Last clearing of the top infected-hosts report: at 13:41:06 UTC Jul 15 2009
Related Commands
Command                               Description
address                               Adds an IP address to the blacklist or whitelist.
clear configure dynamic-filter        Clears the running Botnet Traffic Filter configuration.
clear dynamic-filter dns-snoop        Clears Botnet Traffic Filter DNS snooping data.
clear dynamic-filter reports          Clears Botnet Traffic Filter report data.
clear dynamic-filter statistics       Clears Botnet Traffic Filter statistics.
dns domain-lookup                     Enables the ASA to send DNS requests to a DNS server to perform a
                                      name lookup for supported commands.
dns server-group                      Identifies a DNS server for the ASA.
dynamic-filter ambiguous-is-black     Treats greylisted traffic as blacklisted traffic for action purposes.
dynamic-filter blacklist              Edits the Botnet Traffic Filter blacklist.
dynamic-filter database fetch         Manually retrieves the Botnet Traffic Filter dynamic database.
dynamic-filter database find          Searches the dynamic database for a domain name or IP address.
dynamic-filter database purge         Manually deletes the Botnet Traffic Filter dynamic database.
dynamic-filter drop blacklist         Automatically drops blacklisted traffic.
dynamic-filter enable                 Enables the Botnet Traffic Filter for a class of traffic or for all
                                      traffic if you do not specify an access list.
dynamic-filter updater-client enable  Enables downloading of the dynamic database.
dynamic-filter use-database           Enables use of the dynamic database.
dynamic-filter whitelist              Edits the Botnet Traffic Filter whitelist.
inspect dns dynamic-filter-snoop      Enables DNS inspection with Botnet Traffic Filter snooping.
name                                  Adds a name to the blacklist or whitelist.
show asp table dynamic-filter         Shows the Botnet Traffic Filter rules that are installed in the
                                      accelerated security path.
show dynamic-filter data              Shows information about the dynamic database, including when the
                                      dynamic database was last downloaded, the version of the database,
                                      how many entries the database contains, and 10 sample entries.
show dynamic-filter dns-snoop         Shows the Botnet Traffic Filter DNS snooping summary, or with the
                                      detail keyword, the actual IP addresses and names.
show dynamic-filter statistics        Shows how many connections were monitored with the Botnet Traffic
                                      Filter, and how many of those connections match the whitelist,
                                      blacklist, and greylist.
show dynamic-filter updater-client    Shows information about the updater server, including the server IP
                                      address, the next time the ASA will connect with the server, and the
                                      database version last installed.
show running-config dynamic-filter    Shows the Botnet Traffic Filter running configuration.
show dynamic-filter statistics
To show how many connections were classified as whitelist, blacklist, and greylist connections using the
Botnet Traffic Filter, use the show dynamic-filter statistics command in privileged EXEC mode.
show dynamic-filter statistics [interface name] [detail]
Syntax Description
detail           (Optional) Shows how many packets at each threat level were classified or
                 dropped.
interface name   (Optional) Shows statistics for a particular interface.
Command Default
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                     Firewall Mode          Security Context
                                                      Multiple
Command Mode         Routed   Transparent  Single   Context  System
Privileged EXEC      • Yes    • Yes        • Yes    • Yes    —

Command History
Release   Modification
8.2(1)    This command was added.
8.2(2)    The detail keyword was added to show how many packets at each threat
          level were classified or dropped. For threat events, the severity level was
          changed from a warning to a notification. Threat events can be triggered
          every five minutes.
Usage Guidelines
The greylist includes addresses that are associated with multiple domain names, but not all of these
domain names are on the blacklist.
To clear the statistics, enter the clear dynamic-filter statistics command.
Examples
The following is sample output from the show dynamic-filter statistics command:
ciscoasa# show dynamic-filter statistics
Enabled on interface outside
 Total conns classified 11, ingress 11, egress 0
 Total whitelist classified 0, ingress 0, egress 0
 Total greylist classified 0, dropped 0, ingress 0, egress 0
 Total blacklist classified 11, dropped 5, ingress 11, egress 0
Enabled on interface inside
 Total conns classified 1182, ingress 1182, egress 0
 Total whitelist classified 3, ingress 3, egress 0
 Total greylist classified 0, dropped 0, ingress 0, egress 0
 Total blacklist classified 1179, dropped 1000, ingress 1179, egress 0
The following is sample output from the show dynamic-filter statistics interface outside detail
command:
ciscoasa# show dynamic-filter statistics interface outside detail
Enabled on interface outside
 Total conns classified 2108, ingress 2108, egress 0
 Total whitelist classified 0, ingress 0, egress 0
 Total greylist classified 1, dropped 1, ingress 0, egress 0
  Threat level 5 classified 1, dropped 1, ingress 0, egress 0
  Threat level 4 classified 0, dropped 0, ingress 0, egress 0
  ...
 Total blacklist classified 30, dropped 20, ingress 11, egress 2
  Threat level 5 classified 6, dropped 6, ingress 4, egress 2
  Threat level 4 classified 5, dropped 5, ingress 5, egress 0
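The counters above separate connections that were only classified from those that were actually dropped; blacklisted connections are dropped only where dynamic-filter drop blacklist applies, so a classified count larger than the dropped count means blacklisted traffic passed through and was merely logged. The following parser, an added example and not Cisco code, reads both the summary form and the detail form of this output and reports that gap per interface. The sample text is this page's own sample output; the function names and the threshold logic are this example's own choices.

```python
"""Parse 'show dynamic-filter statistics' output and flag blacklisted
connections that were classified but not dropped.

Added example for this reference page (not Cisco code).  SAMPLE_STATS
and SAMPLE_DETAIL are the page's sample output, reproduced so the parser
can be run offline.
"""
import re

SAMPLE_STATS = """\
Enabled on interface outside
 Total conns classified 11, ingress 11, egress 0
 Total whitelist classified 0, ingress 0, egress 0
 Total greylist classified 0, dropped 0, ingress 0, egress 0
 Total blacklist classified 11, dropped 5, ingress 11, egress 0
Enabled on interface inside
 Total conns classified 1182, ingress 1182, egress 0
 Total whitelist classified 3, ingress 3, egress 0
 Total greylist classified 0, dropped 0, ingress 0, egress 0
 Total blacklist classified 1179, dropped 1000, ingress 1179, egress 0
"""

SAMPLE_DETAIL = """\
Enabled on interface outside
 Total conns classified 2108, ingress 2108, egress 0
 Total whitelist classified 0, ingress 0, egress 0
 Total greylist classified 1, dropped 1, ingress 0, egress 0
  Threat level 5 classified 1, dropped 1, ingress 0, egress 0
  Threat level 4 classified 0, dropped 0, ingress 0, egress 0
 Total blacklist classified 30, dropped 20, ingress 11, egress 2
  Threat level 5 classified 6, dropped 6, ingress 4, egress 2
  Threat level 4 classified 5, dropped 5, ingress 5, egress 0
"""

IFACE_RE = re.compile(r"^\s*Enabled on interface (\S+)")
TOTAL_RE = re.compile(
    r"^\s*Total (conns|whitelist|greylist|blacklist) classified (\d+)(?:, dropped (\d+))?"
)
LEVEL_RE = re.compile(r"^\s*Threat level (\d) classified (\d+), dropped (\d+)")


def _new_iface():
    return {
        "conns": 0,
        "whitelist": 0,
        "greylist": {"classified": 0, "dropped": 0, "levels": {}},
        "blacklist": {"classified": 0, "dropped": 0, "levels": {}},
    }


def parse_stats(text):
    """Return {interface: counters}; 'levels' maps threat level -> (classified, dropped)."""
    result = {}
    iface = None          # interface whose block we are inside
    current_list = None   # 'greylist' or 'blacklist' while its threat-level lines follow
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            result[iface] = _new_iface()
            current_list = None
            continue
        if iface is None:
            continue
        m = TOTAL_RE.match(line)
        if m:
            kind, classified, dropped = m.group(1), int(m.group(2)), m.group(3)
            if kind in ("conns", "whitelist"):
                result[iface][kind] = classified
                current_list = None
            else:
                result[iface][kind]["classified"] = classified
                result[iface][kind]["dropped"] = int(dropped or 0)
                current_list = kind
            continue
        m = LEVEL_RE.match(line)
        if m and current_list:
            level, classified, dropped = (int(x) for x in m.groups())
            result[iface][current_list]["levels"][level] = (classified, dropped)
    return result


def undropped_blacklist(stats):
    """List (interface, count) where blacklisted connections were seen but not all dropped."""
    findings = []
    for iface, s in stats.items():
        gap = s["blacklist"]["classified"] - s["blacklist"]["dropped"]
        if gap > 0:
            findings.append((iface, gap))
    return findings


if __name__ == "__main__":
    for name, text in (("summary", SAMPLE_STATS), ("detail", SAMPLE_DETAIL)):
        for iface, gap in undropped_blacklist(parse_stats(text)):
            print(f"{name}: {gap} blacklisted connections not dropped on {iface}")
```

Run the block to see the summary sample report 6 undropped blacklisted connections on outside and 179 on inside; the detail sample reports 10 on outside. Feeding the live output of the command into parse_stats on a schedule, and diffing the gap between runs, gives a simple alert for a policy that classifies but does not drop.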
Related Commands
Command                               Description
address                               Adds an IP address to the blacklist or whitelist.
clear configure dynamic-filter        Clears the running Botnet Traffic Filter configuration.
clear dynamic-filter dns-snoop        Clears Botnet Traffic Filter DNS snooping data.
clear dynamic-filter reports          Clears Botnet Traffic Filter report data.
clear dynamic-filter statistics       Clears Botnet Traffic Filter statistics.
dns domain-lookup                     Enables the ASA to send DNS requests to a DNS server to perform a
                                      name lookup for supported commands.
dns server-group                      Identifies a DNS server for the ASA.
dynamic-filter ambiguous-is-black     Treats greylisted traffic as blacklisted traffic for action purposes.
dynamic-filter blacklist              Edits the Botnet Traffic Filter blacklist.
dynamic-filter database fetch         Manually retrieves the Botnet Traffic Filter dynamic database.
dynamic-filter database find          Searches the dynamic database for a domain name or IP address.
dynamic-filter database purge         Manually deletes the Botnet Traffic Filter dynamic database.
dynamic-filter drop blacklist         Automatically drops blacklisted traffic.
dynamic-filter enable                 Enables the Botnet Traffic Filter for a class of traffic or for all
                                      traffic if you do not specify an access list.
dynamic-filter updater-client enable  Enables downloading of the dynamic database.
dynamic-filter use-database           Enables use of the dynamic database.
dynamic-filter whitelist              Edits the Botnet Traffic Filter whitelist.
inspect dns dynamic-filter-snoop      Enables DNS inspection with Botnet Traffic Filter snooping.
name                                  Adds a name to the blacklist or whitelist.
show asp table dynamic-filter         Shows the Botnet Traffic Filter rules that are installed in the
                                      accelerated security path.
show dynamic-filter data              Shows information about the dynamic database, including when the
                                      dynamic database was last downloaded, the version of the database,
                                      how many entries the database contains, and 10 sample entries.
show dynamic-filter dns-snoop         Shows the Botnet Traffic Filter DNS snooping summary, or with the
                                      detail keyword, the actual IP addresses and names.
show dynamic-filter reports           Generates reports of the top 10 Botnet sites, ports, and infected hosts.
show dynamic-filter updater-client    Shows information about the updater server, including the server IP
                                      address, the next time the ASA will connect with the server, and the
                                      database version last installed.
show running-config dynamic-filter    Shows the Botnet Traffic Filter running configuration.
show dynamic-filter updater-client
To show information about the Botnet Traffic Filter updater server, including the server IP address, the
next time the ASA will connect with the server, and the database version last installed, use the show
dynamic-filter updater-client command in privileged EXEC mode.
show dynamic-filter updater-client
Syntax Description
This command has no arguments or keywords.
Command Default
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                     Firewall Mode          Security Context
                                                      Multiple
Command Mode         Routed   Transparent  Single   Context  System
Global configuration • Yes    • Yes        • Yes    —        • Yes

Command History
Release   Modification
8.2(1)    This command was added.
Examples
The following is sample output from the show dynamic-filter updater-client command:
ciscoasa# show dynamic-filter updater-client
Traffic Filter updater client is enabled
Updater server url is https://10.15.80.240:446
Application name: trafmon, version: 1.0
Encrypted UDI: 0bb93985f42d941e50dc8f022350d1a8de96ba6c1f6d45f4bc0ead02a7d5990be32f483b5715cd80a215cedadd4e5ffe
Next update is in 00:02:00
Database file version is '907' fetched at 22:51:41 UTC Oct 16 2006, size: 521408
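The fetch timestamp and the "Next update" countdown in this output are what tell you whether the ASA is still classifying against a current database. The following added example (not Cisco code) parses the block into a record and applies a staleness check; the sample text is this page's own output with the wrapped UDI line joined, while the 24-hour threshold, the ISO 8601 "now" argument and the function names are this example's assumptions.

```python
"""Parse 'show dynamic-filter updater-client' output and check the age of
the installed dynamic database.

Added example for this reference page (not Cisco code).  SAMPLE_UPDATER is
the page's sample output; the staleness threshold is an assumption.
"""
import re
from datetime import datetime, timedelta, timezone

SAMPLE_UPDATER = """\
Traffic Filter updater client is enabled
Updater server url is https://10.15.80.240:446
Application name: trafmon, version: 1.0
Encrypted UDI: 0bb93985f42d941e50dc8f022350d1a8de96ba6c1f6d45f4bc0ead02a7d5990be32f483b5715cd80a215cedadd4e5ffe
Next update is in 00:02:00
Database file version is '907' fetched at 22:51:41 UTC Oct 16 2006, size: 521408
"""

DB_RE = re.compile(
    r"Database file version is '(\w+)' fetched at "
    r"(\d\d:\d\d:\d\d) UTC (\w{3} \d{1,2} \d{4}), size: (\d+)"
)


def parse_updater(text):
    """Return a dict: enabled, url, next_update, db_version, fetched_at, size."""
    info = {"enabled": False, "url": None}
    m = re.search(r"updater client is (enabled|disabled)", text)
    if m:
        info["enabled"] = m.group(1) == "enabled"
    m = re.search(r"Updater server url is (\S+)", text)
    if m:
        info["url"] = m.group(1)
    m = re.search(r"Next update is in (\d+):(\d\d):(\d\d)", text)
    if m:
        h, mi, s = (int(x) for x in m.groups())
        info["next_update"] = timedelta(hours=h, minutes=mi, seconds=s)
    m = DB_RE.search(text)
    if m:
        info["db_version"] = m.group(1)
        # The ASA prints the fetch time as HH:MM:SS UTC Mon DD YYYY.
        info["fetched_at"] = datetime.strptime(
            f"{m.group(2)} {m.group(3)}", "%H:%M:%S %b %d %Y"
        ).replace(tzinfo=timezone.utc)
        info["size"] = int(m.group(4))
    return info


def database_age(info, now_utc):
    """Age of the installed database at now_utc (ISO 8601 string, UTC assumed if naive)."""
    now = datetime.fromisoformat(now_utc)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    return now - info["fetched_at"]


def is_stale(info, now_utc, max_age=timedelta(hours=24)):
    """True when the client is disabled, no database was fetched, or it is older than max_age."""
    if not info["enabled"] or "fetched_at" not in info:
        return True
    return database_age(info, now_utc) > max_age


if __name__ == "__main__":
    rec = parse_updater(SAMPLE_UPDATER)
    now = datetime.now(timezone.utc).isoformat()
    print(f"database {rec.get('db_version')} age: {database_age(rec, now)}, stale: {is_stale(rec, now)}")
```

A disabled client is treated as stale on purpose: with the updater off, the page's dynamic-filter use-database setting keeps classifying against whatever database was last installed, which is exactly the condition this check is meant to surface.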
Related Commands
Command                               Description
address                               Adds an IP address to the blacklist or whitelist.
clear configure dynamic-filter        Clears the running Botnet Traffic Filter configuration.
clear dynamic-filter dns-snoop        Clears Botnet Traffic Filter DNS snooping data.
clear dynamic-filter reports          Clears Botnet Traffic Filter report data.
clear dynamic-filter statistics       Clears Botnet Traffic Filter statistics.
dns domain-lookup                     Enables the ASA to send DNS requests to a DNS server to perform a
                                      name lookup for supported commands.
dns server-group                      Identifies a DNS server for the ASA.
dynamic-filter ambiguous-is-black     Treats greylisted traffic as blacklisted traffic for action purposes.
dynamic-filter blacklist              Edits the Botnet Traffic Filter blacklist.
dynamic-filter database fetch         Manually retrieves the Botnet Traffic Filter dynamic database.
dynamic-filter database find          Searches the dynamic database for a domain name or IP address.
dynamic-filter database purge         Manually deletes the Botnet Traffic Filter dynamic database.
dynamic-filter drop blacklist         Automatically drops blacklisted traffic.
dynamic-filter enable                 Enables the Botnet Traffic Filter for a class of traffic or for all
                                      traffic if you do not specify an access list.
dynamic-filter updater-client enable  Enables downloading of the dynamic database.
dynamic-filter use-database           Enables use of the dynamic database.
dynamic-filter whitelist              Edits the Botnet Traffic Filter whitelist.
inspect dns dynamic-filter-snoop      Enables DNS inspection with Botnet Traffic Filter snooping.
name                                  Adds a name to the blacklist or whitelist.
show asp table dynamic-filter         Shows the Botnet Traffic Filter rules that are installed in the
                                      accelerated security path.
show dynamic-filter data              Shows information about the dynamic database, including when the
                                      dynamic database was last downloaded, the version of the database,
                                      how many entries the database contains, and 10 sample entries.
show dynamic-filter dns-snoop         Shows the Botnet Traffic Filter DNS snooping summary, or with the
                                      detail keyword, the actual IP addresses and names.
show dynamic-filter reports           Generates reports of the top 10 Botnet sites, ports, and infected hosts.
show dynamic-filter statistics        Shows how many connections were monitored with the Botnet Traffic
                                      Filter, and how many of those connections match the whitelist,
                                      blacklist, and greylist.
show running-config dynamic-filter    Shows the Botnet Traffic Filter running configuration.
show eigrp events
To display the EIGRP event log, use the show eigrp events command in privileged EXEC mode.
show eigrp [as-number] events [{start end} | type]
Syntax Description
as-number   (Optional) Specifies the autonomous system number of the EIGRP process
            for which you are viewing the event log. Because the ASA only supports
            one EIGRP routing process, you do not need to specify the autonomous
            system number.
end         (Optional) Limits the output to the entries starting with the start index
            number and ending with the end index number.
start       (Optional) A number specifying the log entry index number. Specifying a
            start number causes the output to start with the specified event and end
            with the event specified by the end argument. Valid values are from 1 to
            4294967295.
type        (Optional) Displays the events that are being logged.
Defaults
If start and end are not specified, all log entries are shown.
Command Modes
The following table shows the modes in which you can enter the command:

                     Firewall Mode          Security Context
                                                      Multiple
Command Mode         Routed   Transparent  Single   Context  System
Privileged EXEC      • Yes    —            • Yes    • Yes    —

Command History
Release   Modification
8.0(2)    This command was added.
9.0(1)    Support for multiple context mode was added.
Usage Guidelines
The show eigrp events output displays up to 500 events. Once the maximum number of events has been
reached, new events are added to the bottom of the output and old events are removed from the top of
the output.
You can use the clear eigrp events command to clear the EIGRP event log.
The show eigrp events type command displays the logging status of EIGRP events. By default, neighbor
changes, neighbor warning, and DUAL FSM messages are logged. You can disable neighbor change
event logging using the no eigrp log-neighbor-changes command. You can disable neighbor warning
event logging using the no eigrp log-neighbor-warnings command. You cannot disable the logging of
DUAL FSM events.
Examples
The following is sample output from the show eigrp events command:
ciscoasa# show eigrp events
Event information for AS 100:
1    12:11:23.500 Change queue emptied, entries: 4
2    12:11:23.500 Metric set: 10.1.0.0/16 53760
3    12:11:23.500 Update reason, delay: new if 4294967295
4    12:11:23.500 Update sent, RD: 10.1.0.0/16 4294967295
5    12:11:23.500 Update reason, delay: metric chg 4294967295
6    12:11:23.500 Update sent, RD: 10.1.0.0/16 4294967295
7    12:11:23.500 Route install: 10.1.0.0/16 10.130.60.248
8    12:11:23.500 Find FS: 10.1.0.0/16 4294967295
9    12:11:23.500 Rcv update met/succmet: 53760 28160
10   12:11:23.500 Rcv update dest/nh: 10.1.0.0/16 10.130.60.248
11   12:11:23.500 Metric set: 10.1.0.0/16 4294967295
The following is sample output from the show eigrp events command with a start and stop number
defined:
ciscoasa# show eigrp events 3 8
Event information for AS 100:
3    12:11:23.500 Update reason, delay: new if 4294967295
4    12:11:23.500 Update sent, RD: 10.1.0.0/16 4294967295
5    12:11:23.500 Update reason, delay: metric chg 4294967295
6    12:11:23.500 Update sent, RD: 10.1.0.0/16 4294967295
7    12:11:23.500 Route install: 10.1.0.0/16 10.130.60.248
8    12:11:23.500 Find FS: 10.1.0.0/16 4294967295
The following is sample output from the show eigrp events command when there are no entries in the
EIGRP event log:
ciscoasa# show eigrp events
Event information for AS 100:
Event log is empty.
The following is sample output from the show eigrp events type command:
ciscoasa# show eigrp events type
EIGRP-IPv4 Event Logging for AS 100:
  Log Size           500
  Neighbor Changes   Enable
  Neighbor Warnings  Enable
  Dual FSM           Enable
Related Commands
Command                      Description
clear eigrp events           Clears the EIGRP event logging buffer.
eigrp log-neighbor-changes   Enables the logging of neighbor change events.
eigrp log-neighbor-warnings  Enables the logging of neighbor warning events.
show eigrp interfaces
To display the interfaces participating in EIGRP routing, use the show eigrp interfaces command in
privileged EXEC mode.
show eigrp [as-number] interfaces [if-name] [detail]
Syntax Description
as-number   (Optional) Specifies the autonomous system number of the EIGRP process
            for which you are displaying active interfaces. Because the ASA only
            supports one EIGRP routing process, you do not need to specify the
            autonomous system number.
detail      (Optional) Displays detailed information.
if-name     (Optional) The name of an interface as specified by the nameif command.
            Specifying an interface name limits the display to the specified interface.
Defaults
If you do not specify an interface name, information for all EIGRP interfaces is displayed.
Command Modes
The following table shows the modes in which you can enter the command:

                     Firewall Mode          Security Context
                                                      Multiple
Command Mode         Routed   Transparent  Single   Context  System
Privileged EXEC      • Yes    —            • Yes    • Yes    —

Command History
Release   Modification
8.0(2)    This command was added.
9.0(1)    Support for multiple context mode was added.
Usage Guidelines
Use the show eigrp interfaces command to determine on which interfaces EIGRP is active, and to learn
information about EIGRP relating to those interfaces.
If an interface is specified, only that interface is displayed. Otherwise, all interfaces on which EIGRP is
running are displayed.
If an autonomous system is specified, only the routing process for the specified autonomous system is
displayed. Otherwise, all EIGRP processes are displayed.
Examples
The following is sample output from the show eigrp interfaces command:
ciscoasa# show eigrp interfaces
EIGRP-IPv4 interfaces for process 100
                   Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface   Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
mgmt          0       0/0          0     11/434           0          0
outside       1       0/0        337      0/10            0          0
inside        1       0/0         10      1/63          103          0
Table 6-2 describes the significant fields shown in the display.
Table 6-2    show eigrp interfaces Field Descriptions
Field                    Description
process                  Autonomous system number for the EIGRP routing process.
Peers                    Number of directly-connected peers.
Xmit Queue Un/Reliable   Number of packets remaining in the Unreliable and Reliable transmit queues.
Mean SRTT                Mean smooth round-trip time interval (in seconds).
Pacing Time Un/Reliable  Pacing time (in seconds) used to determine when EIGRP packets should be
                         sent out the interface (unreliable and reliable packets).
Multicast Flow Timer     Maximum number of seconds in which the ASA will send multicast EIGRP
                         packets.
Pending Routes           Number of routes in the packets in the transmit queue waiting to be sent.
Related Commands
Command     Description
network     Defines the networks and interfaces that participate in the EIGRP routing
            process.
show eigrp neighbors
To display the EIGRP neighbor table, use the show eigrp neighbors command in privileged EXEC
mode.
show eigrp [as-number] neighbors [detail | static] [if-name]
Syntax Description
as-number   (Optional) Specifies the autonomous system number of the EIGRP process
            for which you are displaying neighbor entries. Because the ASA only
            supports one EIGRP routing process, you do not need to specify the
            autonomous system number.
detail      (Optional) Displays detailed neighbor information.
if-name     (Optional) The name of an interface as specified by the nameif command.
            Specifying an interface name displays all neighbor table entries that were
            learned through that interface.
static      (Optional) Displays EIGRP neighbors that are statically defined using the
            neighbor command.
Defaults
If you do not specify an interface name, the neighbors learned through all interfaces are displayed.
Command Modes
The following table shows the modes in which you can enter the command:

                     Firewall Mode          Security Context
                                                      Multiple
Command Mode         Routed   Transparent  Single   Context  System
Privileged EXEC      • Yes    —            • Yes    • Yes    —

Command History
Release   Modification
8.0(2)    This command was added.
9.0(1)    Support for multiple context mode was added.
Usage Guidelines
You can use the clear eigrp neighbors command to clear the dynamically learned neighbors from the
EIGRP neighbor table.
Static neighbors are not included in the output unless you use the static keyword.
Examples
The following is sample output from the show eigrp neighbors command:
ciscoasa# show eigrp neighbors
EIGRP-IPv4 Neighbors for process 100
Address         Interface   Holdtime  Uptime    Q      Seq  SRTT  RTO
                            (secs)    (h:m:s)   Count  Num  (ms)  (ms)
172.16.81.28    Ethernet1    13       0:00:41   0      11    4    20
172.16.80.28    Ethernet0    14       0:02:01   0      10   12    24
172.16.80.31    Ethernet0    12       0:02:02   0       4    5    20
Table 6-3 describes the significant fields shown in the display.
Table 6-3    show eigrp neighbors Field Descriptions
Field       Description
process     Autonomous system number for the EIGRP routing process.
Address     IP address of the EIGRP neighbor.
Interface   Interface on which the ASA receives hello packets from the neighbor.
Holdtime    Length of time (in seconds) that the ASA waits to hear from the neighbor
            before declaring it down. This hold time is received from the neighbor in the
            hello packet, and begins decreasing until another hello packet is received from
            the neighbor.
            If the neighbor is using the default hold time, this number will be less than 15.
            If the peer configures a non-default hold time, the non-default hold time will
            be displayed.
            If this value reaches 0, the ASA considers the neighbor unreachable.
Uptime      Elapsed time (in hours:minutes:seconds) since the ASA first heard from this
            neighbor.
Q Count     Number of EIGRP packets (update, query, and reply) that the ASA is waiting
            to send.
Seq Num     Sequence number of the last update, query, or reply packet that was received
            from the neighbor.
SRTT        Smooth round-trip time. This is the number of milliseconds required for an
            EIGRP packet to be sent to this neighbor and for the ASA to receive an
            acknowledgment of that packet.
RTO         Retransmission timeout (in milliseconds). This is the amount of time the ASA
            waits before resending a packet from the retransmission queue to a neighbor.
The following is sample output from the show eigrp neighbors static command:
ciscoasa# show eigrp neighbors static
EIGRP-IPv4 neighbors for process 100
Static Address   Interface
192.168.1.5      management
Table 6-4 describes the significant fields shown in the display.
Table 6-4    show ip eigrp neighbors static Field Descriptions
Field            Description
process          Autonomous system number for the EIGRP routing process.
Static Address   IP address of the EIGRP neighbor.
Interface        Interface on which the ASA receives hello packets from the neighbor.
The following is sample output from the show eigrp neighbors detail command:
ciscoasa# show eigrp neighbors detail
EIGRP-IPv4 neighbors for process 100
H   Address         Interface   Hold Uptime   SRTT   RTO  Q  Seq Type
                                (sec)         (ms)       Cnt Num
3   1.1.1.3         Et0/0         12 00:04:48 1832  5000  0  14
    Version 12.2/1.2, Retrans: 0, Retries: 0, Restart time 00:01:05
0   10.4.9.5        Fa0/0         11 00:04:07  768  4608  0  4   S
    Version 12.2/1.2, Retrans: 0, Retries: 0
2   10.4.9.10       Fa0/0         13 1w0d         1  3000  0  6   S
    Version 12.2/1.2, Retrans: 1, Retries: 0
1   10.4.9.6        Fa0/0         12 1w0d         1  3000  0  4   S
    Version 12.2/1.2, Retrans: 1, Retries: 0
Table 6-5 describes the significant fields shown in the display.
Table 6-5    show ip eigrp neighbors details Field Descriptions
Field          Description
process        Autonomous system number for the EIGRP routing process.
H              This column lists the order in which a peering session was established with the
               specified neighbor. The order is specified with sequential numbering starting
               with 0.
Address        IP address of the EIGRP neighbor.
Interface      Interface on which the ASA receives hello packets from the neighbor.
Holdtime       Length of time (in seconds) that the ASA waits to hear from the neighbor before
               declaring it down. This hold time is received from the neighbor in the hello
               packet, and begins decreasing until another hello packet is received from the
               neighbor.
               If the neighbor is using the default hold time, this number will be less than 15.
               If the peer configures a non-default hold time, the non-default hold time will
               be displayed.
               If this value reaches 0, the ASA considers the neighbor unreachable.
Uptime         Elapsed time (in hours:minutes:seconds) since the ASA first heard from this
               neighbor.
SRTT           Smooth round-trip time. This is the number of milliseconds required for an
               EIGRP packet to be sent to this neighbor and for the ASA to receive an
               acknowledgment of that packet.
RTO            Retransmission timeout (in milliseconds). This is the amount of time the ASA
               waits before resending a packet from the retransmission queue to a neighbor.
Q Count        Number of EIGRP packets (update, query, and reply) that the ASA is waiting to
               send.
Seq Num        Sequence number of the last update, query, or reply packet that was received
               from the neighbor.
Version        The software version that the specified peer is running.
Retrans        The number of times that a packet has been retransmitted.
Retries        The number of times an attempt was made to retransmit a packet.
Restart time   Elapsed time (in hours:minutes:seconds) since the specified neighbor has
               restarted.
Related Commands
Command                Description
clear eigrp neighbors  Clears the EIGRP neighbor table.
debug eigrp neighbors  Displays EIGRP neighbor debugging messages.
debug ip eigrp         Displays EIGRP packet debugging messages.
show eigrp topology
To display the EIGRP topology table, use the show eigrp topology command in privileged EXEC mode.
show eigrp [as-number] topology [ip-addr [mask] | active | all-links | pending | summary |
zero-successors]
Syntax Description
active            (Optional) Displays only active entries in the EIGRP topology table.
all-links         (Optional) Displays all routes in the EIGRP topology table, even those that
                  are not feasible successors.
as-number         (Optional) Specifies the autonomous system number of the EIGRP process.
                  Because the ASA only supports one EIGRP routing process, you do not
                  need to specify the autonomous system number.
ip-addr           (Optional) Defines the IP address from the topology table to display. When
                  specified with a mask, a detailed description of the entry is provided.
mask              (Optional) Defines the network mask to apply to the ip-addr argument.
pending           (Optional) Displays all entries in the EIGRP topology table that are waiting
                  for an update from a neighbor or are waiting to reply to a neighbor.
summary           (Optional) Displays a summary of the EIGRP topology table.
zero-successors   (Optional) Displays available routes in the EIGRP topology table.
Defaults
Only routes that are feasible successors are displayed. Use the all-links keyword to display all routes,
including those that are not feasible successors.
Command Modes
The following table shows the modes in which you can enter the command:

                     Firewall Mode          Security Context
                                                      Multiple
Command Mode         Routed   Transparent  Single   Context  System
Privileged EXEC      • Yes    —            • Yes    • Yes    —

Command History
Release   Modification
8.0(2)    This command was added.
9.0(1)    Support for multiple context mode was added.
Usage Guidelines
You can use the clear eigrp topology command to remove the dynamic entries from the topology table.
Examples
The following is sample output from the show eigrp topology command:
ciscoasa# show eigrp topology
EIGRP-IPv4 Topology Table for AS(100)/ID(192.168.1.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - Reply status

P 10.2.1.0 255.255.255.0, 2 successors, FD is 0
        via 10.16.80.28 (46251776/46226176), Ethernet0
        via 10.16.81.28 (46251776/46226176), Ethernet1
P 10.2.1.0 255.255.255.0, 1 successors, FD is 307200
        via Connected, Ethernet1
        via 10.16.81.28 (307200/281600), Ethernet1
        via 10.16.80.28 (307200/281600), Ethernet0
Table 6-6 describes the significant fields shown in the displays.
Table 6-6
show eigrp topology Field Information
Field
Description
Codes
State of this topology table entry. Passive and Active refer to the EIGRP state
with respect to this destination; Update, Query, and Reply refer to the type of
packet that is being sent.
P - Passive
The route is known to be good and no EIGRP computations are being performed
for this destination.
A - Active
EIGRP computations are being performed for this destination.
U - Update
Indicates that an update packet was sent to this destination.
Q - Query
Indicates that a query packet was sent to this destination.
R - Reply
Indicates that a reply packet was sent to this destination.
r - Reply status
Flag that is set after the software has sent a query and is waiting for a reply.
address mask
Destination IP address and mask.
successors
Number of successors. This number corresponds to the number of next hops in
the IP routing table. If “successors” is capitalized, then the route or next hop is
in a transition state.
FD
Feasible distance. The feasible distance is the best metric to reach the destination
or the best metric that was known when the route went active. This value is used
in the feasibility condition check. If the reported distance of the router (the metric
after the slash) is less than the feasible distance, the feasibility condition is met
and that path is a feasible successor. Once the software determines it has a
feasible successor, it need not send a query for that destination.
via
IP address of the peer that told the software about this destination. The first n of
these entries, where n is the number of successors, is the current successors. The
remaining entries on the list are feasible successors.
(cost/adv_cost)
The first number is the EIGRP metric that represents the cost to the destination.
The second number is the EIGRP metric that this peer advertised.
interface
The interface from which the information was learned.
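The feasibility condition described in the FD and via rows above is easy to check mechanically once the topology output is parsed, and a parser of this kind is also the basis for diffing successive snapshots to spot a peer that suddenly advertises a suspiciously low metric for a prefix it should not own. The following is an added example, not part of the Cisco reference: it parses the show eigrp topology format shown above and labels every path as successor, feasible successor, or not feasible. The sample string is constructed for the example (it mirrors the format above but is not a capture from a device), and the metrics are chosen so that all three outcomes appear, including a path whose reported distance equals the FD and therefore fails the strict less-than test.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the show eigrp topology format shown above; it is not
# a capture from a real ASA. The metrics were chosen so that each of the three
# possible outcomes of the feasibility check appears once.
SAMPLE = """\
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - Reply status
P 10.2.1.0 255.255.255.0, 1 successors, FD is 307200
        via Connected, Ethernet1
        via 10.16.81.28 (307200/281600), Ethernet1
        via 10.16.80.28 (409600/307200), Ethernet0
        via 10.16.82.28 (512000/409600), Ethernet2
"""

# "P 10.2.1.0 255.255.255.0, 1 successors, FD is 307200"
ENTRY_RE = re.compile(r"^([PAUQRr]) (\S+) (\S+), (\d+) successors?, FD is (\d+)")
# "via 10.16.81.28 (307200/281600), Ethernet1"  or  "via Connected, Ethernet1"
VIA_RE = re.compile(r"^\s+via (\S+?)(?: \((\d+)/(\d+)\))?, (\S+)")


@dataclass
class Path:
    via: str                 # peer address, or "Connected"
    cost: Optional[int]      # first number: this router's metric to the destination
    adv_cost: Optional[int]  # second number: the metric the peer advertised (reported distance)
    interface: str


@dataclass
class Entry:
    code: str        # P, A, U, Q, R or r
    prefix: str
    mask: str
    successors: int  # the first N paths listed are the current successors
    fd: int          # feasible distance
    paths: List[Path] = field(default_factory=list)


def parse_topology(text: str) -> List[Entry]:
    """Parse show eigrp topology output into Entry objects."""
    entries: List[Entry] = []
    current: Optional[Entry] = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = Entry(m[1], m[2], m[3], int(m[4]), int(m[5]))
            entries.append(current)
            continue
        m = VIA_RE.match(line)
        if m and current is not None:
            cost = int(m[2]) if m[2] else None
            adv = int(m[3]) if m[3] else None
            current.paths.append(Path(m[1], cost, adv, m[4]))
    return entries


def classify_paths(entry: Entry) -> dict:
    """Apply the feasibility condition: a non-successor path is a feasible
    successor only if its reported distance is strictly less than the FD."""
    result = {}
    for i, p in enumerate(entry.paths):
        if i < entry.successors:
            result[p.via] = "successor"
        elif p.adv_cost is not None and p.adv_cost < entry.fd:
            result[p.via] = "feasible successor"
        else:
            result[p.via] = "not feasible"
    return result


if __name__ == "__main__":
    for e in parse_topology(SAMPLE):
        print(f"{e.prefix} {e.mask}  FD={e.fd}")
        for via, verdict in classify_paths(e).items():
            print(f"  {via:<14} {verdict}")
```

Running the block on the constructed sample reports Connected as the successor, 10.16.81.28 as a feasible successor (281600 < 307200), and both 10.16.80.28 (reported distance equal to the FD) and 10.16.82.28 as not feasible. Because only the successors and feasible successors can be installed without a query, a new entry appearing in either category after a topology change is worth correlating with the neighbor table.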
Cisco ASA Series Command Reference, S Commands
6-44
Chapter
The following is sample output from the show eigrp topology used with an IP address. The output shown
is for an internal route.
ciscoasa# show eigrp topology 10.2.1.0 255.255.255.0
EIGRP-IPv4 (AS 100): Topology Default-IP-Routing-Table(0) entry for entry for 10.2.1.0
255.255.255.0
State is Passive, Query origin flag is 1, 1 Successor(s), FD is 281600
Routing Descriptor Blocks:
0.0.0.0 (Ethernet0/0), from Connected, Send flag is 0x0
Composite metric is (281600/0), Route is Internal
Vector metric:
Minimum bandwidth is 10000 Kbit
Total delay is 1000 microseconds
Reliability is 255/255
Load is 1/255
Minimum MTU is 1500
Hop count is 0
The following is sample output from the show eigrp topology used with an IP address. The output shown
is for an external route.
ciscoasa# show eigrp topology 10.4.80.0 255.255.255.0
EIGRP-IPv4 (AS 100): Topology Default-IP-Routing-Table(0) entry for entry for 10.4.80.0
255.255.255.0
State is Passive, Query origin flag is 1, 1 Successor(s), FD is 409600
Routing Descriptor Blocks:
10.2.1.1 (Ethernet0/0), from 10.2.1.1, Send flag is 0x0
Composite metric is (409600/128256), Route is External
Vector metric:
Minimum bandwidth is 10000 Kbit
Total delay is 6000 microseconds
Reliability is 255/255
Load is 1/255
Minimum MTU is 1500
Hop count is 1
External data:
Originating router is 10.89.245.1
AS number of route is 0
External protocol is Connected, external metric is 0
Administrator tag is 0 (0x00000000)
Related Commands
Command
Description
clear eigrp topology
Clears the dynamically discovered entries from the EIGRP topology table.
show eigrp traffic
To display the number of EIGRP packets sent and received, use the show eigrp traffic command in
privileged EXEC mode.
show eigrp [as-number] traffic
Syntax Description
as-number
(Optional) Specifies the autonomous system number of the EIGRP process for which you are viewing the traffic statistics. Because the ASA only supports one EIGRP routing process, you do not need to specify the autonomous system number.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:

Command Mode      Firewall Mode           Security Context
                  Routed   Transparent    Single   Multiple
                                                   Context   System
Privileged EXEC   Yes      —              Yes      Yes       —

Command History
Release   Modification
8.0(2)    This command was added.
9.0(1)    Support for multiple context mode was added.
Usage Guidelines
You can use the clear eigrp traffic command to clear the EIGRP traffic statistics.
Examples
The following is sample output from the show eigrp traffic command:
ciscoasa# show eigrp traffic
EIGRP-IPv4 Traffic Statistics for AS 100
Hellos sent/received: 218/205
Updates sent/received: 7/23
Queries sent/received: 2/0
Replies sent/received: 0/2
Acks sent/received: 21/14
Input queue high water mark 0, 0 drops
SIA-Queries sent/received: 0/0
SIA-Replies sent/received: 0/0
Hello Process ID: 1719439416
PDM Process ID: 1719439824
Table 6-7 describes the significant fields shown in the display.
Table 6-7
show eigrp traffic Field Descriptions
Field
Description
process
Autonomous system number for the EIGRP routing process.
Hellos sent/received
Number of hello packets sent and received.
Updates sent/received
Number of update packets sent and received.
Queries sent/received
Number of query packets sent and received.
Replies sent/received
Number of reply packets sent and received.
Acks sent/received
Number of acknowledgment packets sent and received.
Input queue high water mark/drops
Number of received packets that are approaching the maximum receive threshold and number of dropped packets.
SIA-Queries sent/received
Stuck-in-active queries sent and received.
SIA-Replies sent/received
Stuck-in-active replies sent and received.
Related Commands
Command
Description
debug eigrp packets
Displays debugging information for EIGRP packets sent and received.
debug eigrp transmit
Displays debugging information for EIGRP messages sent.
show environment
To display system environment information for system components, use the show environment
command in privileged EXEC mode.
show environment [driver | fans | power-supply | temperature] [chassis | cpu | voltage]
Syntax Description
chassis
(Optional) Limits the temperature display to the chassis.
cpu
(Optional) Limits the temperature display to the processors. The ASA 5580-40 displays information for 4 processors. The ASA 5580-20 displays information for 2 processors.
driver
(Optional) Displays the environment monitoring (IPMI) driver status. The driver status can be one of the following:
• RUNNING—The driver is operational.
• STOPPED—An error has caused the driver to stop.
fans
(Optional) Displays the operational status of the cooling fans. The status is one of the following:
• OK—The fan is operating normally.
• Failed—The fan has failed and should be replaced.
power-supply
(Optional) Displays the operational status of the power supplies. The status for each power supply is one of the following:
• OK—The power supply is operating normally.
• Failed—The power supply has failed and should be replaced.
• Not Present—The specified power supply is not installed.
The power supply redundancy status also displays. The redundancy status is one of the following:
• OK—The unit is operating normally with full resources.
• Lost—The unit has lost redundancy but is operating normally with minimum resources. Any further failures will result in a system shutdown.
• N/A—The unit is not configured for power supply redundancy.
temperature
(Optional) Displays the temperature and status of the processors and chassis. The temperature is given in Celsius. The status is one of the following:
• OK—The temperature is within normal operating range.
• Critical—The temperature is outside of normal operating range.
Operating ranges are categorized as follows:
• Less than 70 degrees—OK
• 70-80—Warm
• 80-90—Critical
• Greater than 90—Unrecoverable
voltage
(Optional) Displays the values for CPU voltage channels 1-24. Excludes the operational status.
Defaults
All operational information, except for the driver, is displayed if no keywords are specified.
Command Modes
The following table shows the modes in which you can enter the command:

Command Mode      Firewall Mode           Security Context
                  Routed   Transparent    Single   Multiple
                                                   Context   System
Privileged EXEC   Yes      Yes            Yes      —         Yes

Command History
Release    Modification
8.1(1)     This command was added.
8.4(2)     The output for an ASA 5585-X SSP was added. In addition, support for a dual SSP installation was added.
8.4.4(1)   Displayed power supply temperature values for the ASA 5515-X, ASA 5525-X, 5545-X, and ASA 5555-X have been changed in the output.
8.6(1)     The output for CPU voltage regulator thermal events in the ASA 5545-X and ASA 5555-X was added. The output for power supply input status was added. The output for voltage sensors was added.
Usage Guidelines
You can display operating environment information on the ASA 5545-X, 5555-X, 5580 and 5585-X. This information includes the operational status of the fans and power supplies, and temperature and status of the CPUs and chassis. The ASA 5580-40 displays information for 4 CPUs; the ASA 5580-20 displays information for 2 CPUs.
Note
For a dual SSP installation, only the sensors for the chassis master show output for the cooling fans and power supplies.
Examples
The following is sample generic output from the show environment command:
ciscoasa# show environment
Cooling Fans:
-----------------------------------
  Power Supplies:
  --------------------------------
    Left Slot (PS0): 6900 RPM - OK (Power Supply Fan)
    Right Slot (PS1): 7000 RPM - OK (Power Supply Fan)
Power Supplies:
-----------------------------------
  Power Supply Unit Redundancy: OK
  Temperature:
  --------------------------------
    Left Slot (PS0): 26 C - OK (Power Supply Temperature)
    Right Slot (PS1): 27 C - OK (Power Supply Temperature)
  Cooling Fans:
  --------------------------------
    Left Slot (PS0): 6900 RPM - OK (Power Supply Fan)
    Right Slot (PS1): 7000 RPM - OK (Power Supply Fan)
Temperature:
-----------------------------------
  Processors:
  --------------------------------
    Processor 1: 44.0 C - OK (CPU1 Core Temperature)
    Processor 2: 45.0 C - OK (CPU2 Core Temperature)
  Chassis:
  --------------------------------
    Ambient 1: 28.0 C - OK (Chassis Front Temperature)
    Ambient 2: 40.5 C - OK (Chassis Back Temperature)
    Ambient 3: 28.0 C - OK (CPU1 Front Temperature)
    Ambient 4: 36.50 C - OK (CPU1 Back Temperature)
    Ambient 5: 34.50 C - OK (CPU2 Front Temperature)
    Ambient 6: 43.25 C - OK (CPU2 Back Temperature)
  Power Supplies:
  --------------------------------
    Left Slot (PS0): 26 C - OK (Power Supply Temperature)
    Right Slot (PS1): 27 C - OK (Power Supply Temperature)
The following is sample output from the show environment driver command:
ciscoasa# show environment driver
Cooling Fans:
-----------------------------------
  Chassis Fans:
  --------------------------------
    Cooling Fan 1: 5888 RPM - OK
    Cooling Fan 2: 5632 RPM - OK
    Cooling Fan 3: 5888 RPM - OK
  Power Supplies:
  --------------------------------
    Left Slot (PS0): N/A
    Right Slot (PS1): 8448 RPM - OK
Power Supplies:
-----------------------------------
    Left Slot (PS0): Not Present
    Right Slot (PS1): Present
    Left Slot (PS0): N/A
    Right Slot (PS1): 33 C - OK
    Left Slot (PS0): N/A
    Right Slot (PS1): 8448 RPM - OK
Temperature:
-----------------------------------
  Processors:
  --------------------------------
    Processor 1: 70.0 C - OK
  Chassis:
  --------------------------------
    Ambient 1: 36.0 C - OK (Chassis Back Temperature)
    Ambient 2: 31.0 C - OK (Chassis Front Temperature)
    Ambient 3: 39.0 C - OK (Chassis Back Left Temperature)
  Power Supplies:
  --------------------------------
    Left Slot (PS0): N/A
    Right Slot (PS1): 33 C - OK
Voltage:
-----------------------------------
  Channel 1: 1.168 V - (CPU Core 0.46V-1.4V)
  Channel 2: 11.954 V - (12V)
  Channel 3: 4.998 V - (5V)
  Channel 4: 3.296 V - (3.3V)
  Channel 5: 1.496 V - (DDR3 1.5V)
  Channel 6: 1.048 V - (PCH 1.5V)
The following is sample output from the show environment command for an ASA 5555-X:
ciscoasa# show environment
Cooling Fans:
-----------------------------------
  Chassis Fans:
  --------------------------------
  Power Supplies:
  --------------------------------
    Left Slot (PS0): 9728 RPM - OK
    Right Slot (PS1): 0 RPM - OK
Power Supplies:
-----------------------------------
    Left Slot (PS0): Present
    Right Slot (PS1): Present
  Power Input:
  --------------------------------
    Left Slot (PS0): OK
    Right Slot (PS1): Failure Detected
  Temperature:
  --------------------------------
    Left Slot (PS0): 29 C - OK
    Right Slot (PS1): N/A
  Processors:
  --------------------------------
    Processor 1: 81.0 C - OK
  Chassis:
  --------------------------------
    Ambient 1: 39.0 C - OK (Chassis Back Temperature)
    Ambient 2: 32.0 C - OK (Chassis Front Temperature)
    Ambient 3: 47.0 C - OK (Chassis Back Left Temperature)
  Power Supplies:
  --------------------------------
    Left Slot (PS0): 33 C - OK
    Right Slot (PS1): -128 C - OK
The following is sample output from the show environment command for an ASA 5585-X chassis master in a dual SSP installation:
ciscoasa(config)# show environment
Cooling Fans:
-----------------------------------
  Power Supplies:
  --------------------------------
    Left Slot (PS0): 7000 RPM - OK (Fan Module Fan)
    Right Slot (PS1): 6900 RPM - OK (Power Supply Fan)
Power Supplies:
-----------------------------------
  Power Supply Unit Redundancy: N/A
  Power Supplies:
  --------------------------------
    Left Slot (PS0): 64 C - OK (Fan Module Temperature)
    Right Slot (PS1): 64 C - OK (Power Supply Temperature)
  Power Supplies:
  --------------------------------
    Left Slot (PS0): 7000 RPM - OK (Fan Module Fan)
    Right Slot (PS1): 6900 RPM - OK (Power Supply Fan)
Temperature:
-----------------------------------
  Processors:
  --------------------------------
    Processor 1: 48.0 C - OK (CPU1 Core Temperature)
    Processor 2: 47.0 C - OK (CPU2 Core Temperature)
  Chassis:
  --------------------------------
    Ambient 1: 25.5 C - OK (Chassis Front Temperature)
    Ambient 2: 37.5 C - OK (Chassis Back Temperature)
    Ambient 3: 31.50 C - OK (CPU1 Back Temperature)
    Ambient 4: 27.75 C - OK (CPU1 Front Temperature)
    Ambient 5: 38.25 C - OK (CPU2 Back Temperature)
    Ambient 6: 34.0 C - OK (CPU2 Front Temperature)
  Power Supplies:
  --------------------------------
    Left Slot (PS0): 64 C - OK (Fan Module Temperature)
    Right Slot (PS1): 64 C - OK (Power Supply Temperature)
Voltage:
-----------------------------------
  Channel 1: 3.310 V - (3.3V (U142 VX1))
  Channel 2: 1.492 V - (1.5V (U142 VX2))
  Channel 3: 1.053 V - (1.05V (U142 VX3))
  Channel 4: 3.328 V - (3.3V_STDBY (U142 VP1))
  Channel 5: 11.675 V - (12V (U142 VP2))
  Channel 6: 4.921 V - (5.0V (U142 VP3))
  Channel 7: 6.713 V - (7.0V (U142 VP4))
  Channel 8: 9.763 V - (IBV (U142 VH))
  Channel 9: 1.048 V - (1.05VB (U209 VX2))
  Channel 10: 1.209 V - (1.2V (U209 VX3))
  Channel 11: 1.109 V - (1.1V (U209 VX4))
  Channel 12: 0.999 V - (1.0V (U209 VX5))
  Channel 13: 3.324 V - (3.3V STDBY (U209 VP1))
  Channel 14: 2.504 V - (2.5V (U209 VP2))
  Channel 15: 1.799 V - (1.8V (U209 VP3))
  Channel 16: 1.899 V - (1.9V (U209 VP4))
  Channel 17: 9.763 V - (IBV (U209 VH))
  Channel 18: 2.048 V - (VTT CPU0 (U83 VX2))
  Channel 19: 2.048 V - (VTT CPU1 (U83 VX3))
  Channel 20: 2.048 V - (VCC CPU0 (U83 VX4))
  Channel 21: 2.048 V - (VCC CPU1 (U83 VX5))
  Channel 22: 1.516 V - (1.5VA (U83 VP1))
  Channel 23: 1.515 V - (1.5VB (U83 VP2))
  Channel 24: 8.937 V - (IBV (U83 VH))
If the ASA was shut down because of a CPU voltage regulator thermal event, the following warning
message appears:
WARNING: ASA was previously shut down due to a CPU Voltage Regulator running beyond the
max thermal operating temperature. The chassis and CPU need to be inspected immediately
for ventilation issues.
For more information, see syslog message 735024 in the syslog messages guide.
Related Commands
Command
Description
show version
Displays the hardware and software version.
show event manager
To show information about each configured event manager applet, use the show event manager
command in privileged EXEC mode.
show event manager
Syntax Description
This command has no arguments or keywords.
Command Default
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

Command Mode      Firewall Mode           Security Context
                  Routed   Transparent    Single   Multiple
                                                   Context   System
Privileged EXEC   Yes      Yes            Yes      —         Yes

Command History
Release   Modification
9.2(1)    This command was added.
Examples
The following is sample output from the show event manager command:
ciscoasa# show event manager
event manager applet 21, hits 1, last 2014/01/19 06:47:46
last file disk0:/eem-21-20140119-064746.log
event countdown 21 secs, left 0 secs, hits 1, last 2014/01/19 06:47:47
action 1 cli command "sh ver", hits 1, last 2014/01/19 06:47:46
Related Commands
Command
Description
show running-config event
manager
Shows the event manager running configuration.
CHAPTER 7
show failover through show ipsec stats Commands
show failover
To display information about the failover status of the unit, use the show failover command in privileged
EXEC mode.
show failover [group num | history | interface | state | statistics]
Syntax Description
group
Displays the running state of the specified failover group.
history
Displays failover history. The failover history displays past failover state changes and the reason for the state change. History information is cleared when the device is rebooted.
interface
Displays failover and stateful link information.
num
Failover group number.
state
Displays the failover state of both failover units. The information displayed includes the primary or secondary status of the unit, the Active/Standby status of the unit, and the last reported reason for failover. The fail reason remains in the output even when the reason for failure is cleared.
statistics
Displays the transmit and receive packet counts of the failover command interface.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

Command Mode      Firewall Mode           Security Context
                  Routed   Transparent    Single   Multiple
                                                   Context   System
Privileged EXEC   Yes      Yes            Yes      Yes       Yes

Command History
Release   Modification
7.0(1)    This command was modified. The output includes additional information.
8.2(2)    This command was modified. The output includes IPv6 addresses for firewall and failover interfaces. The Stateful Failover statistics output includes information for the IPv6 neighbor discovery table (IPv6 ND tbl) updates.
Usage Guidelines
The show failover command displays the dynamic failover information, interface status, and Stateful Failover statistics.
If both IPv4 and IPv6 addresses are configured on an interface, both addresses appear in the output.
Because an interface can have more than one IPv6 address configured on it, only the link-local address
is displayed. If there is no IPv4 address configured on the interface, the IPv4 address in the output
appears as 0.0.0.0. If there is no IPv6 address configured on an interface, the address is simply omitted
from the output.
The Stateful Failover Logical Update Statistics output appears only when Stateful Failover is enabled.
The “xerr” and “rerr” values do not indicate errors in failover, but rather the number of packet transmit
or receive errors.
Note
Stateful Failover, and therefore Stateful Failover statistics output, is not available on the ASA 5505.
In the show failover command output, the stateful failover fields have the following values:
•
Stateful Obj has these values:
– xmit—Indicates the number of packets transmitted.
– xerr—Indicates the number of transmit errors.
– rcv—Indicates the number of packets received.
– rerr—Indicates the number of receive errors.
•
Each row is for a particular object static count as follows:
– General—Indicates the sum of all stateful objects.
– sys cmd—Refers to the logical update system commands, such as login or stay alive.
– up time—Indicates the value for the ASA up time, which the active ASA passes on to the
standby ASA.
– RPC services—Remote Procedure Call connection information.
– TCP conn—Dynamic TCP connection information.
– UDP conn—Dynamic UDP connection information.
– ARP tbl—Dynamic ARP table information.
– Xlate_Timeout—Indicates connection translation timeout information.
– IPv6 ND tbl—The IPv6 neighbor discovery table information.
– VPN IKE upd—IKE connection information.
– VPN IPSEC upd—IPsec connection information.
– VPN CTCP upd—cTCP tunnel connection information.
– VPN SDI upd—SDI AAA connection information.
– VPN DHCP upd—Tunneled DHCP connection information.
– SIP Session—SIP signalling session information.
– Route Session—LU statistics of the route synchronization updates.
If you do not enter a failover IP address, the show failover command displays 0.0.0.0 for the IP address,
and monitoring of the interfaces remain in a “waiting” state. You must set a failover IP address for
failover to work.
Table 7-1 describes the interface states for failover.
Table 7-1
Failover Interface States
State
Description
Normal
The interface is up and receiving hello packets from the corresponding
interface on the peer unit.
Normal (Waiting)
The interface is up but has not yet received a hello packet from the
corresponding interface on the peer unit. Verify that a standby IP address
has been configured for the interface and that there is connectivity
between the two interfaces.
Normal (Not-Monitored)
The interface is up but is not monitored by the failover process. The
failure of an interface that is not monitored does not trigger failover.
No Link
The physical link is down.
No Link (Waiting)
The physical link is down and the interface has not yet received a hello
packet from the corresponding interface on the peer unit. After restoring
the link, verify that a standby IP address has been configured for the
interface and that there is connectivity between the two interfaces.
No Link (Not-Monitored)
The physical link is down but is not monitored by the failover process.
The failure of an interface that is not monitored does not trigger failover.
Link Down
The physical link is up, but the interface is administratively down.
Link Down (Waiting)
The physical link is up, but the interface is administratively down and
the interface has not yet received a hello packet from the corresponding
interface on the peer unit. After bringing the interface up (using the no
shutdown command in interface configuration mode), verify that a
standby IP address has been configured for the interface and that there
is connectivity between the two interfaces.
Link Down (Not-Monitored)
The physical link is up, but the interface is administratively down and is not monitored by the failover process. The failure of an interface that is not monitored does not trigger failover.
Testing
The interface is in testing mode due to missed hello packets from the
corresponding interface on the peer unit.
Failed
Interface testing has failed and the interface is marked as failed. If the
interface failure causes the failover criteria to be met, then the interface
failure causes a failover to the secondary unit or failover group.
In multiple context mode, only the show failover command is available in a security context; you cannot enter the optional keywords.
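The interface states in Table 7-1 and the xerr/rerr counters described above are the fields an operator polls when checking that a failover pair is actually able to fail over. The following is an added example, not part of the Cisco reference: it parses the Active/Standby form of the show failover output (the format used in the first example below) and turns the interface states, unit states and Stateful Failover error counters into a list of findings. The sample string is constructed for the example rather than captured from a device; one standby interface is deliberately left in the Normal (Waiting) state and one stateful object carries receive errors so that both checks fire.

```python
import re
from typing import List, Tuple

# Constructed sample in the Active/Standby show failover format; it is not a
# capture from a real ASA. "outside" on the standby unit is left Waiting and
# the Route Session object carries rerr=6 so that the checks below produce output.
SAMPLE = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink Ethernet2 (up)
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Last Failover at: 22:44:03 UTC Dec 8 2004
        This host: Primary - Active
                Active time: 13434 (sec)
                  Interface inside (10.130.9.3/FE80::20d:29ff:fe1d:69f0): Normal
                  Interface outside (10.132.9.3): Normal
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface inside (10.130.9.4/FE80::20d:29ff:fe2b:7ba6): Normal
                  Interface outside (10.132.9.4): Normal (Waiting)

Stateful Failover Logical Update Statistics
        Link : fover Ethernet2 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         1733       0          1733       0
        TCP conn        6          0          0          0
        ARP tbl         106        0          0          0
        Route Session   165        0          70         6

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       2       1733
        Xmit Q:         0       2       15225
"""

# "This host: Primary - Active"
HOST_RE = re.compile(r"^\s*(This host|Other host): (Primary|Secondary) - (.+?)\s*$")
# "Interface outside (10.132.9.4): Normal (Waiting)"
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]*)\): (.+?)\s*$")
# "Route Session   165        0          70         6"  (xmit xerr rcv rerr)
STAT_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z_0-9 ]*?)\s{2,}(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_failover(text: str) -> dict:
    """Parse Active/Standby show failover output into a nested dict."""
    info = {"failover_on": None, "hosts": {}, "stateful": {}}
    host = None
    for line in text.splitlines():
        if line.startswith("Failover On"):
            info["failover_on"] = True
            continue
        if line.startswith("Failover Off"):
            info["failover_on"] = False
            continue
        m = HOST_RE.match(line)
        if m:
            host = m[1]
            info["hosts"][host] = {"unit": m[2], "state": m[3], "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and host is not None:
            info["hosts"][host]["interfaces"][m[1]] = m[3]
            continue
        m = STAT_RE.match(line)
        if m:
            info["stateful"][m[1].strip()] = {
                "xmit": int(m[2]), "xerr": int(m[3]), "rcv": int(m[4]), "rerr": int(m[5])}
    return info


def health_findings(info: dict) -> List[Tuple[str, str]]:
    """Return (severity, message) pairs; an empty list means nothing to report."""
    findings = []
    if info["failover_on"] is False:
        findings.append(("warn", "failover is disabled"))
    if not any(h["state"] == "Active" for h in info["hosts"].values()):
        findings.append(("warn", "no unit reports the Active state"))
    for host, h in info["hosts"].items():
        for name, state in h["interfaces"].items():
            if "Not-Monitored" in state:
                findings.append(("info", f"{host} interface {name} is not monitored"))
            elif state != "Normal":
                findings.append(("warn", f"{host} interface {name}: {state}"))
    for obj, s in info["stateful"].items():
        if s["xerr"] or s["rerr"]:
            findings.append(("warn", f"stateful object {obj}: xerr={s['xerr']} rerr={s['rerr']}"))
    return findings


if __name__ == "__main__":
    for severity, message in health_findings(parse_failover(SAMPLE)):
        print(f"[{severity}] {message}")
```

On the constructed sample the checker reports the Waiting interface on the standby unit (Table 7-1 says to verify the standby IP address and connectivity for that interface) and the non-zero rerr counter on Route Session. A Not-Monitored interface is reported at info level only, because, as Table 7-1 notes, its failure never triggers failover; whether that is acceptable is a policy decision, not a fault.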
Examples
The following is sample output from the show failover command for Active/Standby Failover. The
ASAs are ASA 5500 series ASAs, each equipped with a CSC SSM as shown in the details for slot 1 of
each ASA. The security appliances use IPv6 addresses on the failover link (folink) and the inside
interface.
ciscoasa# show failover
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: folink Ethernet2 (up)
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
failover replication http
Last Failover at: 22:44:03 UTC Dec 8 2004
This host: Primary - Active
Active time: 13434 (sec)
slot 0: ASA5520 hw/sw rev (1.0/7.1(0)10) status (Up Sys)
Interface inside (10.130.9.3/FE80::20d:29ff:fe1d:69f0): Normal
Interface outside (10.132.9.3): Normal
Interface folink (0.0.0.0/fe80::2a0:c9ff:fe03:101): Normal
slot 1: ASA-SSM-20 hw/sw rev (1.0/CSC-SSM 5.0 (Build#1176)) status (Up/Up)
Logging port IP: 10.0.0.3/24
CSC-SSM, 5.0 (Build#1176)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5520 hw/sw rev (1.0/7.1(0)10) status (Up Sys)
Interface inside (10.130.9.4/FE80::20d:29ff:fe2b:7ba6): Normal
Interface outside (10.132.9.4): Normal
Interface folink (0.0.0.0/fe80::2e0:b6ff:fe07:3096): Normal
slot 1: ASA-SSM-20 hw/sw rev (1.0/CSC-SSM 5.0 (Build#1176)) status (Up/Up)
Logging port IP: 10.0.0.4/24
CSC-SSM, 5.0 (Build#1176)
Stateful Failover Logical Update Statistics
        Link : fover Ethernet2 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         1733       0          1733       0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        6          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         106        0          0          0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     22         0          0          0
        VPN IKE upd     15         0          0          0
        VPN IPSEC upd   90         0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0
        Route Session   165        0          70         6

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       2       1733
        Xmit Q:         0       2       15225
The following is sample output from the show failover command for Active/Active Failover. In this
example, only the admin context has IPv6 addresses assigned to the interfaces.
ciscoasa# show failover
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 4 seconds
Interface Policy 1
Monitored Interfaces 8 of 250 maximum
failover replication http
Group 1 last failover at: 13:40:18 UTC Dec 9 2004
Group 2 last failover at: 13:40:06 UTC Dec 9 2004

  This host:    Primary
        Group 1       State:          Active
                      Active time:    2896 (sec)
        Group 2       State:          Standby Ready
                      Active time:    0 (sec)

        slot 0: ASA-5530 hw/sw rev (1.0/7.0(0)79) status (Up Sys)
        slot 1: SSM-IDS-20 hw/sw rev (1.0/5.0(0.11)S91(0.11)) status (Up)
        admin Interface outside (10.132.8.5): Normal
        admin Interface folink (10.132.9.5/fe80::2a0:c9ff:fe03:101): Normal
        admin Interface inside (10.130.8.5/fe80::2a0:c9ff:fe01:101): Normal
        admin Interface fourth (10.130.9.5/fe80::3eff:fe11:6670): Normal
        ctx1 Interface outside (10.1.1.1): Normal
        ctx1 Interface inside (10.2.2.1): Normal
        ctx2 Interface outside (10.3.3.2): Normal
        ctx2 Interface inside (10.4.4.2): Normal

  Other host:   Secondary
        Group 1       State:          Standby Ready
                      Active time:    190 (sec)
        Group 2       State:          Active
                      Active time:    3322 (sec)

        slot 0: ASA-5530 hw/sw rev (1.0/7.0(0)79) status (Up Sys)
        slot 1: SSM-IDS-20 hw/sw rev (1.0/5.0(0.1)S91(0.1)) status (Up)
        admin Interface outside (10.132.8.6): Normal
        admin Interface folink (10.132.9.6/fe80::2a0:c9ff:fe03:102): Normal
        admin Interface inside (10.130.8.6/fe80::2a0:c9ff:fe01:102): Normal
        admin Interface fourth (10.130.9.6/fe80::3eff:fe11:6671): Normal
        ctx1 Interface outside (10.1.1.2): Normal
        ctx1 Interface inside (10.2.2.2): Normal
        ctx2 Interface outside (10.3.3.1): Normal
        ctx2 Interface inside (10.4.4.1): Normal

Stateful Failover Logical Update Statistics
        Link : third GigabitEthernet0/2 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         380        0          380        0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        1435       0          1450       0
        UDP conn        0          0          0          0
        ARP tbl         124        0          65         0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     22         0          0          0
        VPN IKE upd     15         0          0          0
        VPN IPSEC upd   90         0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       1895
        Xmit Q:         0       0       1940
The following is sample output from the show failover command on the ASA 5505:
Failover On
Failover unit Primary
Failover LAN Interface: fover Vlan150 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 7.2(0)55, Mate 7.2(0)55
Last Failover at: 19:59:58 PST Apr 6 2006
This host: Primary - Active
Active time: 34 (sec)
slot 0: ASA5505 hw/sw rev (1.0/7.2(0)55) status (Up Sys)
Interface inside (192.168.1.1): Normal
Interface outside (192.168.2.201): Normal
Interface dmz (172.16.0.1): Normal
Interface test (172.23.62.138): Normal
slot 1: empty
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5505 hw/sw rev (1.0/7.2(0)55) status (Up Sys)
Interface inside (192.168.1.2): Normal
Interface outside (192.168.2.211): Normal
Interface dmz (172.16.0.2): Normal
Interface test (172.23.62.137): Normal
slot 1: empty
The following is sample output from the show failover state command for an active-active setup:
ciscoasa(config)# show failover state

                    State          Last Failure Reason      Date/Time
This host  -        Secondary
        Group 1     Failed         Backplane Failure        03:42:29 UTC Apr 17 2009
        Group 2     Failed         Backplane Failure        03:42:29 UTC Apr 17 2009
Other host -        Primary
        Group 1     Active         Comm Failure             03:41:12 UTC Apr 17 2009
        Group 2     Active         Comm Failure             03:41:12 UTC Apr 17 2009

====Configuration State===
        Sync Done
====Communication State===
        Mac set

The following is sample output from the show failover state command for an active-standby setup:
ciscoasa(config)# show failover state

                    State          Last Failure Reason      Date/Time
This host  -        Primary
                    Negotiation    Backplane Failure        15:44:56 UTC Jun 20 2009
Other host -        Secondary
                    Not Detected   Comm Failure             15:36:30 UTC Jun 20 2009

====Configuration State===
        Sync Done
====Communication State===
        Mac set
Table 7-2 describes the output of the show failover state command.
Table 7-2
show failover state Output Description
Field
Description
Configuration State
Displays the state of configuration synchronization.
The following are possible configuration states for the standby unit:
• Config Syncing - STANDBY—Set while the synchronized configuration is being executed.
• Interface Config Syncing - STANDBY
• Sync Done - STANDBY—Set when the standby unit has completed a configuration synchronization from the active unit.
The following are possible configuration states for the active unit:
• Config Syncing—Set on the active unit when it is performing a configuration synchronization to the standby unit.
• Interface Config Syncing
• Sync Done—Set when the active unit has completed a successful configuration synchronization to the standby unit.
• Ready for Config Sync—Set on the active unit when the standby unit signals that it is ready to receive a configuration synchronization.
Communication State
Displays the status of the MAC address synchronization.
• Mac set—The MAC addresses have been synchronized from the peer unit to this unit.
• Updated Mac—Used when a MAC address is updated and needs to be synchronized to the other unit. Also used during the transition period where the unit is updating the local MAC addresses synchronized from the peer unit.
Date/Time
Displays a date and timestamp for the failure.
Last Failure Reason
Displays the reason for the last reported failure. This information is not
cleared, even if the failure condition is cleared. This information changes
only when a failover occurs.
The following are possible fail reasons:
•
Ifc Failure—The number of interfaces that failed met the failover
criteria and caused failover.
•
Comm Failure—The failover link failed or peer is down.
•
Backplane Failure
State
Displays the Primary/Secondary and Active/Standby status for the unit.
This host/Other host
This host indicates information for the device upon which the command
was executed. Other host indicates information for the other device in the
failover pair.
The following is sample output from the show failover history command:
ciscoasa(config)# show failover history
==========================================================================
Group   From State            To State              Reason
==========================================================================
. . .
03:42:29 UTC Apr 17 2009
0       Sync Config           Failed                Backplane failed

03:42:29 UTC Apr 17 2009
1       Standby Ready         Failed                Backplane failed

03:42:29 UTC Apr 17 2009
2       Standby Ready         Failed                Backplane failed

03:44:39 UTC Apr 17 2009
0       Failed                Negotiation           Backplane operational

03:44:40 UTC Apr 17 2009
1       Failed                Negotiation           Backplane operational

03:44:40 UTC Apr 17 2009
2       Failed                Negotiation           Backplane operational
==========================================================================
Each entry provides the time and date the state change occurred, the beginning state, the resulting state,
and the reason for the state change. The newest entries are located at the bottom of the display. Older
entries appear at the top. A maximum of 60 entries can be displayed. Once the maximum number of
entries has been reached, the oldest entries are removed from the top of the output as new entries are
added to the bottom.
Table 7-3 shows the failover states. There are two types of states—stable and transient. Stable states are
states that the unit can remain in until some occurrence, such as a failure, causes a state change. A
transient state is a state that the unit passes through while reaching a stable state.
Table 7-3 Failover States
States                   Description
Disabled
Failover is disabled. This is a stable state.
Failed
The unit is in the failed state. This is a stable state.
Negotiation
The unit establishes the connection with peer and negotiates with peer to
determine software version compatibility and Active/Standby role.
Depending upon the role that is negotiated, the unit will go through the
Standby Unit States or the Active Unit States or enter the failed state. This
is a transient state.
Not Detected
The ASA cannot detect the presence of a peer. This can happen when the
ASA boots up with failover enabled but the peer is not present or is
powered down.
Standby Unit States
Cold Standby
The unit waits for the peer to reach the Active state. When the peer unit
reaches the Active state, this unit progresses to the Standby Config state.
This is a transient state.
Sync Config
The unit requests the running configuration from the peer unit. If an error
occurs during the configuration synchronization, the unit returns to the
Initialization state. This is a transient state.
Sync File System
The unit synchronizes the file system with the peer unit. This is a transient
state.
Bulk Sync
The unit receives state information from the peer. This state only occurs
when Stateful Failover is enabled. This is a transient state.
Standby Ready
The unit is ready to take over if the active unit fails. This is a stable state.
Active Unit States
Just Active
The first state the unit enters when becoming the active unit. During this
state a message is sent to the peer alerting the peer that the unit is
becoming active and the IP and MAC addresses are set for the interfaces.
This is a transient state.
Active Drain
Queued messages from the peer are discarded. This is a transient state.
Active Applying Config
The unit is applying the system configuration. This is a transient state.
Active Config Applied
The unit has finished applying the system configuration. This is a transient
state.
Active
The unit is active and processing traffic. This is a stable state.
Each state change is followed by a reason for the state change. The reason typically remains the same as
the unit progresses through the transient states to the stable state. The following are the possible state
change reasons:
• No Error
• Set by the CI config cmd
• Failover state check
• Failover interface become OK
• HELLO not heard from mate
• Other unit has different software version
• Other unit operating mode is different
• Other unit license is different
• Other unit chassis configuration is different
• Other unit card configuration is different
• Other unit want me Active
• Other unit want me Standby
• Other unit reports that I am failed
• Other unit reports that it is failed
• Configuration mismatch
• Detected an Active mate
• No Active unit found
• Configuration synchronization done
• Recovered from communication failure
• Other unit has different set of vlans configured
• Unable to verify vlan configuration
• Incomplete configuration synchronization
• Configuration synchronization failed
• Interface check
• My communication failed
• ACK not received for failover message
• Other unit got stuck in learn state after sync
• No power detected from peer
• No failover cable
• HA state progression failed
• Detect service card failure
• Service card in other unit has failed
• My service card is as good as peer
• LAN Interface become un-configured
• Peer unit just reloaded
• Switch from Serial Cable to LAN-Based fover
• Unable to verify state of config sync
• Auto-update request
• Unknown reason
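To turn the history entries and reason strings above into something a monitoring script can act on, here is an added example (not Cisco's code and not from this page): it parses the show failover history layout shown earlier, uses the stable-state list from Table 7-3, and reports every transition into Failed with its reason, plus whether each failover group has settled into a stable state. It assumes the multi-context layout with a Group column; the sample text is constructed to match that layout.

```python
"""Parse 'show failover history' output and flag transitions into the Failed state.

Added example, not Cisco code. The sample text is constructed to match the layout
shown on this page (a timestamp line, then group / from state / to state / reason).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Stable states from Table 7-3; every other state the unit passes through is transient.
STABLE_STATES = {"Disabled", "Failed", "Standby Ready", "Active"}
MAX_HISTORY = 60  # the ASA keeps at most 60 entries and drops the oldest first

# e.g. "03:42:29 UTC Apr 17 2009"
TIMESTAMP_RE = re.compile(r"^\d{2}:\d{2}:\d{2} [A-Z]{3,4} [A-Za-z]{3} \d{1,2} \d{4}$")


@dataclass(frozen=True)
class Transition:
    timestamp: str
    group: int
    from_state: str
    to_state: str
    reason: str


# Constructed sample with the same events as the page's multi-context example.
SAMPLE_HISTORY = """\
ciscoasa(config)# show failover history
==========================================================================
Group  From State      To State      Reason
==========================================================================
03:42:29 UTC Apr 17 2009
0      Sync Config     Failed        Backplane failed
03:42:29 UTC Apr 17 2009
1      Standby Ready   Failed        Backplane failed
03:42:29 UTC Apr 17 2009
2      Standby Ready   Failed        Backplane failed
03:44:39 UTC Apr 17 2009
0      Failed          Negotiation   Backplane operational
03:44:40 UTC Apr 17 2009
1      Failed          Negotiation   Backplane operational
03:44:40 UTC Apr 17 2009
2      Failed          Negotiation   Backplane operational
==========================================================================
"""


def is_stable(state: str) -> bool:
    return state in STABLE_STATES


def parse_history(text: str) -> list[Transition]:
    """Return the entries oldest first, in the order the ASA prints them."""
    entries = []
    pending_ts = None
    for raw in text.splitlines():
        line = raw.strip()
        # Skip the prompt, the rulers, the column header and the ". . ." truncation marker.
        if not line or line[0] in "=." or "#" in line or line.startswith("Group"):
            continue
        if TIMESTAMP_RE.match(line):
            pending_ts = line
            continue
        cols = re.split(r"\s{2,}", line)  # columns are separated by runs of spaces
        if pending_ts is None or len(cols) != 4 or not cols[0].isdigit():
            raise ValueError(f"unexpected history line: {raw!r}")
        entries.append(Transition(pending_ts, int(cols[0]), cols[1], cols[2], cols[3]))
        pending_ts = None
    return entries


def failures(entries: list[Transition]) -> list[Transition]:
    """Every transition that ended in the Failed state, with its reason."""
    return [t for t in entries if t.to_state == "Failed"]


def current_state(entries: list[Transition], group: int) -> tuple[str, bool]:
    """Newest state of a failover group and whether it is stable; a transient state
    that persists across two polls is worth an alert."""
    for t in reversed(entries):
        if t.group == group:
            return t.to_state, is_stable(t.to_state)
    raise KeyError(f"no entries for group {group}")


def history_may_be_truncated(entries: list[Transition]) -> bool:
    """At 60 entries the oldest transitions have already scrolled off the top."""
    return len(entries) >= MAX_HISTORY


if __name__ == "__main__":
    history = parse_history(SAMPLE_HISTORY)
    for t in failures(history):
        print(f"{t.timestamp} group {t.group}: {t.from_state} -> Failed ({t.reason})")
    for g in sorted({t.group for t in history}):
        print(f"group {g}: {current_state(history, g)}")
```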
The following is sample output from the show failover interface command. The device has an IPv6
address configured on the failover interface.
ciscoasa(config)# sh fail int
        interface folink GigabitEthernet0/2
                System IP Address: 2001:a0a:b00::a0a:b70/64
                My IP Address    : 2001:a0a:b00::a0a:b70
                Other IP Address : 2001:a0a:b00::a0a:b71
Related Commands
Command
Description
show running-config failover
Displays the failover commands in the current configuration.
show failover exec
To display the failover exec command mode for the specified unit, use the show failover exec command
in privileged EXEC mode.
show failover exec {active | standby | mate}
Syntax Description
active
Displays the failover exec command mode for the active unit.
mate
Displays the failover exec command mode for the peer unit.
standby
Displays the failover exec command mode for the standby unit.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
                  Firewall Mode            Security Context
                                           Multiple
Command Mode      Routed   Transparent     Single   Context   System
Privileged EXEC   • Yes    • Yes           • Yes    • Yes     • Yes
Command History
Release   Modification
8.0(2)    This command was added.
Usage Guidelines
The failover exec command creates a session with the specified device. By default, that session is in
global configuration mode. You can change the command mode of that session by sending the
appropriate command (such as the interface command) using the failover exec command. Changing
failover exec command modes for the specified device does not change the command mode for the
session you are using to access the device. Changing command modes for your current session to the
device does not affect the command mode used by the failover exec command.
The show failover exec command displays the command mode on the specified device in which
commands sent with the failover exec command are executed.
Examples
The following is sample output from the show failover exec command. This example demonstrates that
the command mode for the unit where the failover exec commands are being entered does not have to
be the same as the failover exec command mode where the commands are being executed.
In this example, an administrator logged into the standby unit adds a name to an interface on the active
unit. The second time the show failover exec mate command is entered in this example shows the peer
device in interface configuration mode. Commands sent to the device with the failover exec command
are executed in that mode.
ciscoasa(config)# show failover exec mate
Active unit Failover EXEC is at config mode
! The following command changes the standby unit failover exec mode
! to interface configuration mode.
ciscoasa(config)# failover exec mate interface GigabitEthernet0/1
ciscoasa(config)# show failover exec mate
Active unit Failover EXEC is at interface sub-command mode
! Because the following command is sent to the active unit, it is replicated
! back to the standby unit.
ciscoasa(config)# failover exec mate nameif test
Related Commands
Command
Description
failover exec
Executes the supplied command on the designated unit in a failover pair.
show file
To display information about the file system, use the show file command in privileged EXEC mode.
show file descriptors | system | information filename
Syntax Description
descriptors
Displays all open file descriptors.
filename
Specifies the filename.
information
Displays information about a specific file, including partner application
package files.
system
Displays the size, bytes available, type of media, flags, and prefix information
about the disk file system.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command.
                  Firewall Mode            Security Context
                                           Multiple
Command Mode      Routed   Transparent     Single   Context   System
Privileged EXEC   • Yes    • Yes           • Yes    • Yes     • Yes
Command History
Release   Modification
7.0(1)    This command was added.
8.2(1)    The capability to view information about partner application package files was added.
Examples
The following is sample output from the show file descriptors command:
ciscoasa# show file descriptors
No open file descriptors
ciscoasa# show file system
File Systems:
     Size(b)     Free(b)  Type  Flags  Prefixes
*   60985344   60973056  disk  rw     disk:
The following is sample output from the show file info command:
ciscoasa# show file info disk0:csc_embd1.0.1000.pkg
type is package (csc)
file size is 17204149 bytes version 1
Related Commands
Command
Description
dir
Displays the directory contents.
pwd
Displays the current working directory.
Cisco ASA Series Command Reference, S Commands
7-15
Chapter
show firewall
To show the current firewall mode (routed or transparent), use the show firewall command in privileged
EXEC mode.
show firewall
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
                  Firewall Mode            Security Context
                                           Multiple
Command Mode      Routed   Transparent     Single   Context   System
Privileged EXEC   • Yes    • Yes           • Yes    • Yes     • Yes
Command History
Release   Modification
7.0(1)    This command was added.
Examples
The following is sample output from the show firewall command:
ciscoasa# show firewall
Firewall mode: Router
Related Commands
Command
Description
firewall transparent
Sets the firewall mode.
show mode
Shows the current context mode, either single or multiple.
show flash
To display the contents of the internal Flash memory, use the show flash: command in privileged EXEC
mode.
show flash: all | controller | filesys
Note: In the ASA, the flash keyword is aliased to disk0.
Syntax Description
all
Displays all Flash information.
controller
Displays file system controller information.
filesys
Displays file system information.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command.
                  Firewall Mode            Security Context
                                           Multiple
Command Mode      Routed   Transparent     Single   Context   System
Privileged EXEC   • Yes    • Yes           • Yes    • Yes     • Yes
Command History
Release   Modification
7.0(1)    This command was added.
Examples
The following is sample output from the show flash: command:
ciscoasa# show flash:
-#- --length-- -----date/time------ path
 11       1301 Feb 21 2005 18:01:34 test.cfg
 12       1949 Feb 21 2005 20:13:36 pepsi.cfg
 13       2551 Jan 06 2005 10:07:36 Leo.cfg
 14     609223 Jan 21 2005 07:14:18 rr.cfg
 15       1619 Jul 16 2004 16:06:48 hackers.cfg
 16       3184 Aug 03 2004 07:07:00 old_running.cfg
 17       4787 Mar 04 2005 12:32:18 admin.cfg
 20       1792 Jan 21 2005 07:29:24 Marketing.cfg
 21    7765184 Mar 07 2005 19:38:30 asdmfile-RLK
 22       1674 Nov 11 2004 02:47:52 potts.cfg
 23       1863 Jan 21 2005 07:29:18 r.cfg
 24       1197 Jan 19 2005 08:17:48 tst.cfg
 25     608554 Jan 13 2005 06:20:54 500kconfig
 26    5124096 Feb 20 2005 08:49:28 cdisk70102
 27    5124096 Mar 01 2005 17:59:56 cdisk70104
 28       2074 Jan 13 2005 08:13:26 negateACL
 29    5124096 Mar 07 2005 19:56:58 cdisk70105
 30       1276 Jan 28 2005 08:31:58 steel
 31    7756788 Feb 24 2005 12:59:46 asdmfile.50074.dbg
 32    7579792 Mar 08 2005 11:06:56 asdmfile.gusingh
 33    7764344 Mar 04 2005 12:17:46 asdmfile.50075.dbg
 34    5124096 Feb 24 2005 11:50:50 cdisk70103
 35      15322 Mar 04 2005 12:30:24 hs_err_pid2240.log
10170368 bytes available (52711424 bytes used)
Related Commands
Command
Description
dir
Displays the directory contents.
show disk0:
Displays the contents of the internal Flash memory.
show disk1:
Displays the contents of the external Flash memory card.
show flow-export counters
To display runtime counters associated with NetFlow data, use the show flow-export counters
command in privileged EXEC mode.
show flow-export counters
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command.
                  Firewall Mode            Security Context
                                           Multiple
Command Mode      Routed   Transparent     Single   Context   System
Privileged EXEC   • Yes    • Yes           • Yes    • Yes     —
Command History
Release   Modification
8.1(1)    This command was added.
9.0(1)    A new error counter was added for source port allocation failure.
Usage Guidelines
The runtime counters include statistical data as well as error data.
Examples
The following is sample output from the show flow-export counters command, which shows runtime
counters that are associated with NetFlow data:
ciscoasa# show flow-export counters
destination: inside 209.165.200.224 2055
Statistics:
  packets sent                          1000
Errors:
  block allocation failure              0
  invalid interface                     0
  template send failure                 0
  no route to collector                 0
  source port allocation                0
Related Commands
Commands
Description
clear flow-export counters
Resets all runtime counters in NetFlow to zero.
flow-export destination
Specifies the IP address or hostname of the NetFlow collector, and the
UDP port on which the NetFlow collector is listening.
flow-export template timeout-rate
Controls the interval at which the template information is sent to the
NetFlow collector.
logging flow-export-syslogs enable
Enables syslog messages after you have entered the logging
flow-export-syslogs disable command, and the syslog messages that
are associated with NetFlow data.
show flow-offload
To display information about flow off-loading, use the show flow-offload command in privileged EXEC
mode.
show flow-offload {info [detail] | cpu | flow [count | detail] | statistics}
Syntax Description
info [detail]
Shows basic information about the offload engine. Add the detail keyword
to get additional information such as a summary of port usage.
cpu
Shows the load percentage on offload cores.
flow [count | detail]
Shows information on the active off-loaded flows. You can optionally add
the following keywords:
• count—Shows the number of off-loaded active flows and offloaded flows created.
• detail—Shows the active off-loaded flows and their rewrite rules and data.
statistics
Shows the packet statistics of off-loaded flows.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
                  Firewall Mode            Security Context
                                           Multiple
Command Mode      Routed   Transparent     Single   Context   System
Privileged EXEC   • Yes    • Yes           • Yes    • Yes     —
Command History
Release   Modification
9.5(2)    This command was introduced.
Usage Guidelines
If you enable flow off-loading, use this command to view information about the service and the
off-loaded flows.
Examples
The following is sample output from the show flow-offload statistics command. The output shows
counts for transmitted (Tx), received (Rx) and dropped packets, and statistics for the virtual NIC (VNIC)
used.
ciscoasa# show offload-engine statistics
Packet stats of port : 0
  Tx Packet count           : 785807566
  Rx Packet count           : 785807566
  Dropped Packet count      : 0
  VNIC transmitted packet   : 785807566
  VNIC transmitted bytes    : 103726598712
  VNIC Dropped packets      : 0
  VNIC erroneous received   : 0
  VNIC CRC errors           : 0
  VNIC transmit failed      : 0
  VNIC multicast received   : 0
Packet stats of port : 1
  Tx Packet count           : 0
  Rx Packet count           : 0
  Dropped Packet count      : 0
  VNIC transmitted packet   : 0
  VNIC transmitted bytes    : 0
  VNIC Dropped packets      : 0
  VNIC erroneous received   : 0
  VNIC CRC errors           : 0
  VNIC transmit failed      : 0
  VNIC multicast received   : 0
Related Commands
Command
Description
clear flow-offload
Clears off-load statistics or flows.
flow-offload
Enables flow off-load.
set-connection advanced-options flow-offload
Identifies traffic flows as eligible for off-load.
show fragment
To display the operational data of the IP fragment reassembly module, enter the show fragment
command in privileged EXEC mode.
show fragment [interface]
Syntax Description
interface
(Optional) Specifies the ASA interface.
Defaults
If an interface is not specified, the command applies to all interfaces.
Command Modes
The following table shows the modes in which you can enter the command:
                       Firewall Mode            Security Context
                                                Multiple
Command Mode           Routed   Transparent     Single   Context   System
Privileged EXEC mode   • Yes    • Yes           • Yes    • Yes     • Yes
Command History
Release   Modification
7.0(1)    The command was separated into two commands, show fragment and show
          running-config fragment, to separate the configuration data from the operational
          data.
Examples
This example shows how to display the operational data of the IP fragment reassembly module:
ciscoasa# show fragment
Interface: inside
   Size: 200, Chain: 24, Timeout: 5, Threshold: 133
   Queue: 0, Assembled: 0, Fail: 0, Overflow: 0
Interface: outside1
   Size: 200, Chain: 24, Timeout: 5, Threshold: 133
   Queue: 0, Assembled: 0, Fail: 0, Overflow: 0
Interface: test1
   Size: 200, Chain: 24, Timeout: 5, Threshold: 133
   Queue: 0, Assembled: 0, Fail: 0, Overflow: 0
Interface: test2
   Size: 200, Chain: 24, Timeout: 5, Threshold: 133
   Queue: 0, Assembled: 0, Fail: 0, Overflow: 0
Related Commands
Command
Description
clear configure fragment
Clears the IP fragment reassembly configuration and resets the defaults.
clear fragment
Clears the operational data of the IP fragment reassembly module.
Command
Description
fragment
Provides additional management of packet fragmentation and improves
compatibility with NFS.
show running-config fragment
Displays the IP fragment reassembly configuration.
show gc
To display the garbage collection process statistics, use the show gc command in privileged EXEC mode.
show gc
Syntax Description
This command has no arguments or keywords.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
                  Firewall Mode            Security Context
                                           Multiple
Command Mode      Routed   Transparent     Single   Context   System
Privileged EXEC   • Yes    • Yes           • Yes    • Yes     • Yes
Command History
Release   Modification
7.0(1)    This command was added.
Examples
The following is sample output from the show gc command:
ciscoasa# show gc
Garbage collection process stats:
  Total tcp conn delete response             : 0
  Total udp conn delete response             : 0
  Total number of zombie cleaned             : 0
  Total number of embryonic conn cleaned     : 0
  Total error response                       : 0
  Total queries generated                    : 0
  Total queries with conn present response   : 0
  Total number of sweeps                     : 946
  Total number of invalid vcid               : 0
  Total number of zombie vcid                : 0
Related Commands
Command
Description
clear gc
Removes the garbage collection process statistics.
show h225
To display information for H.225 sessions established across the ASA, use the show h225 command in
privileged EXEC mode.
show h225
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
                  Firewall Mode            Security Context
                                           Multiple
Command Mode      Routed   Transparent     Single   Context   System
Privileged EXEC   • Yes    • Yes           • Yes    • Yes     • Yes
Command History
Release   Modification
7.0(1)    This command was added.
Usage Guidelines
The show h225 command displays information for H.225 sessions established across the ASA.
Before using the show h225, show h245, or show h323 ras commands, we recommend that you
configure the pager command. If there are a lot of session records and the pager command is not
configured, it may take a while for the show output to reach its end.
If there is an abnormally large number of connections, check that the sessions are timing out based on
the default timeout values or the values set by you. If they are not, then there is a problem that needs to
be investigated.
Examples
The following is sample output from the show h225 command:
ciscoasa# show h225
Total H.323 Calls: 1
1 Concurrent Call(s) for
    Local:  10.130.56.3/1040    Foreign: 172.30.254.203/1720
    1. CRV 9861
    Local:  10.130.56.3/1040    Foreign: 172.30.254.203/1720
0 Concurrent Call(s) for
    Local:  10.130.56.4/1050    Foreign: 172.30.254.205/1720
This output indicates that there is currently 1 active H.323 call going through the ASA between the local
endpoint 10.130.56.3 and foreign host 172.30.254.203, and for these particular endpoints, there is 1
concurrent call between them, with a CRV (Call Reference Value) for that call of 9861.
For the local endpoint 10.130.56.4 and foreign host 172.30.254.205, there are 0 concurrent Calls. This
means that there is no active call between the endpoints even though the H.225 session still exists. This
could happen if, at the time of the show h225 command, the call has already ended but the H.225 session
has not yet been deleted. Alternately, it could mean that the two endpoints still have a TCP connection
opened between them because they set “maintainConnection” to TRUE, so the session is kept open until
they set it to FALSE again, or until the session times out based on the H.225 timeout value in your
configuration.
Related Commands
Commands
Description
inspect h323
Enables H.323 application inspection.
show h245
Displays information for H.245 sessions established across the ASA by
endpoints using slow start.
show h323 ras
Displays information for H.323 RAS sessions established across the ASA.
timeout h225 | h323
Configures idle time after which an H.225 signaling connection or an H.323
control connection will be closed.
show h245
To display information for H.245 sessions established across the ASA by endpoints using slow start, use
the show h245 command in privileged EXEC mode.
show h245
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
                  Firewall Mode            Security Context
                                           Multiple
Command Mode      Routed   Transparent     Single   Context   System
Privileged EXEC   • Yes    • Yes           • Yes    • Yes     • Yes
Command History
Release   Modification
7.0(1)    This command was added.
Usage Guidelines
The show h245 command displays information for H.245 sessions established across the ASA by
endpoints using slow start. (Slow start is when the two endpoints of a call open another TCP control
channel for H.245. Fast start is where the H.245 messages are exchanged as part of the H.225 messages
on the H.225 control channel.)
Examples
The following is sample output from the show h245 command:
ciscoasa# show h245
Total: 1
        LOCAL               TPKT    FOREIGN                 TPKT
1       10.130.56.3/1041    0       172.30.254.203/1245     0
        MEDIA: LCN 258 Foreign 172.30.254.203 RTP 49608 RTCP 49609
               Local   10.130.56.3 RTP 49608 RTCP 49609
        MEDIA: LCN 259 Foreign 172.30.254.203 RTP 49606 RTCP 49607
               Local   10.130.56.3 RTP 49606 RTCP 49607
There is currently one H.245 control session active across the ASA. The local endpoint is 10.130.56.3,
and we are expecting the next packet from this endpoint to have a TPKT header because the TPKT value
is 0. (The TPKT header is a 4-byte header preceding each H.225/H.245 message. It gives the length of
the message, including the 4-byte header.) The foreign host endpoint is 172.30.254.203, and we are
expecting the next packet from this endpoint to have a TPKT header because the TPKT value is 0.
The media negotiated between these endpoints have a LCN (logical channel number) of 258 with the
foreign RTP IP address/port pair of 172.30.254.203/49608 and a RTCP IP address/port of
172.30.254.203/49609 with a local RTP IP address/port pair of 10.130.56.3/49608 and a RTCP port of
49609.
The second LCN of 259 has a foreign RTP IP address/port pair of 172.30.254.203/49606 and a RTCP IP
address/port pair of 172.30.254.203/49607 with a local RTP IP address/port pair of 10.130.56.3/49606
and RTCP port of 49607.
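The TPKT framing that the TPKT column above tracks, as an added example (not Cisco's code and not from this page): a per-direction reassembler that keeps the same counter show h245 prints, 0 meaning the next bytes must start with a 4-byte header, otherwise the number of payload bytes still owed. It assumes RFC 1006 framing (version octet 3, 16-bit big-endian length that includes the header) and rejects headers that cannot be valid; the helper names are this example's own, and the sample messages are constructed.

```python
"""Reassemble TPKT-framed H.225/H.245 messages from a TCP byte stream.

Added example, not Cisco code. It models the per-endpoint "TPKT" value that
show h245 prints: 0 means the next bytes must begin with a TPKT header,
otherwise it is the number of payload bytes still owed for the message in flight.
"""
import struct

TPKT_HEADER_LEN = 4
TPKT_VERSION = 3       # RFC 1006 fixes the version octet to 3 (from the RFC, not this page)
TPKT_MAX_LEN = 0xFFFF  # the length field is 16 bits and counts the header too


class TpktError(ValueError):
    """Malformed framing; an inspector drops the connection rather than guessing."""


def tpkt_frame(payload: bytes) -> bytes:
    """Prefix a message with a TPKT header whose length includes the header itself."""
    total = len(payload) + TPKT_HEADER_LEN
    if total > TPKT_MAX_LEN:
        raise TpktError("payload too large for the 16-bit TPKT length")
    return struct.pack("!BBH", TPKT_VERSION, 0, total) + payload


def parse_tpkt_header(header: bytes) -> int:
    """Validate a 4-byte header and return the payload length it announces."""
    if len(header) != TPKT_HEADER_LEN:
        raise TpktError("TPKT header must be exactly 4 bytes")
    version, _reserved, total = struct.unpack("!BBH", header)
    if version != TPKT_VERSION:
        raise TpktError(f"bad TPKT version {version}")
    if total < TPKT_HEADER_LEN:
        raise TpktError(f"TPKT length {total} is smaller than the header itself")
    return total - TPKT_HEADER_LEN


def is_valid_tpkt_header(header: bytes) -> bool:
    try:
        parse_tpkt_header(header)
        return True
    except TpktError:
        return False


class TpktReassembler:
    """One instance per direction, like the LOCAL and FOREIGN columns of show h245."""

    def __init__(self) -> None:
        self._buf = bytearray()      # bytes received but not yet consumed
        self._current = bytearray()  # payload of the message being assembled
        self.remaining = 0           # the "TPKT" value: 0 = a header is expected next

    def feed(self, data: bytes) -> list:
        """Consume one TCP segment and return the messages it completed."""
        completed = []
        self._buf.extend(data)
        while self._buf:
            if self.remaining == 0:
                if len(self._buf) < TPKT_HEADER_LEN:
                    break  # header split across segments; wait for the rest
                self.remaining = parse_tpkt_header(bytes(self._buf[:TPKT_HEADER_LEN]))
                del self._buf[:TPKT_HEADER_LEN]
                self._current = bytearray()
                if self.remaining == 0:  # header-only message (length field == 4)
                    completed.append(b"")
                    continue
            take = min(self.remaining, len(self._buf))
            self._current.extend(self._buf[:take])
            del self._buf[:take]
            self.remaining -= take
            if self.remaining == 0:
                completed.append(bytes(self._current))
        return completed


def split_stream(stream: bytes, chunk_sizes) -> list:
    """Deliver a stream in arbitrary TCP-segment sizes and collect every message."""
    rx = TpktReassembler()
    out, pos = [], 0
    for size in chunk_sizes:
        out.extend(rx.feed(stream[pos:pos + size]))
        pos += size
    out.extend(rx.feed(stream[pos:]))
    return out
```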
Related Commands
Commands
Description
inspect h323
Enables H.323 application inspection.
show h245
Displays information for H.245 sessions established across the ASA by
endpoints using slow start.
show h323 ras
Displays information for H.323 RAS sessions established across the ASA.
timeout h225 | h323
Configures idle time after which an H.225 signaling connection or an H.323
control connection will be closed.
show h323
To display information for H.323 connections, use the show h323 command in privileged EXEC mode.
show h323 {ras | gup}
Syntax Description
ras
Displays the H323 RAS sessions established across the ASA between a
gatekeeper and its H.323 endpoint.
gup
Displays information about the H323 gateway updated protocol
connections.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
                  Firewall Mode            Security Context
                                           Multiple
Command Mode      Routed   Transparent     Single   Context   System
Privileged EXEC   • Yes    • Yes           • Yes    • Yes     • Yes
Command History
Release   Modification
7.0(1)    This command was added.
Usage Guidelines
The show h323 ras command displays information for H.323 RAS sessions established across the ASA
between a gatekeeper and its H.323 endpoint.
Examples
The following is sample output from the show h323 ras command:
ciscoasa# show h323 ras
Total: 1
        GK                Caller
        172.30.254.214    10.130.56.14
ciscoasa#
This output shows that there is one active registration between the gatekeeper 172.30.254.214 and its
client 10.130.56.14.
Related Commands
Commands
Description
inspect h323
Enables H.323 application inspection.
show h245
Displays information for H.245 sessions established across the ASA by
endpoints using slow start.
timeout h225 | h323
Configures idle time after which an H.225 signaling connection or an H.323
control connection will be closed.
show history
To display the previously entered commands, use the show history command in user EXEC mode.
show history
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command.
                  Firewall Mode            Security Context
                                           Multiple
Command Mode      Routed   Transparent     Single   Context   System
User EXEC         • Yes    • Yes           • Yes    • Yes     • Yes
Command History
Release   Modification
7.0(1)    This command was added.
Usage Guidelines
The show history command lets you display previously entered commands. You can examine commands
individually with the up and down arrows, enter ^p to display previously entered lines, or enter ^n to
display the next line.
Examples
The following example shows sample output from the show history command in user EXEC mode:
ciscoasa> show history
show history
help
show history
The following example shows sample output from the show history command in privileged EXEC
mode:
ciscoasa# show history
show history
help
show history
enable
show history
The following example shows sample output from the show history command in global configuration
mode:
ciscoasa(config)# show history
show history
help
show history
enable
show history
config t
show history
Related Commands
Command
Description
help
Displays help information for the command specified.
show icmp
To display the ICMP configuration, use the show icmp command in privileged EXEC mode.
show icmp
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
                  Firewall Mode            Security Context
                                           Multiple
Command Mode      Routed   Transparent     Single   Context   System
Privileged EXEC   • Yes    • Yes           • Yes    • Yes     • Yes
Command History
Release   Modification
7.0(1)    This command already existed.
Usage Guidelines
The show icmp command displays the ICMP configuration.
Examples
The following example shows the ICMP configuration:
ciscoasa# show icmp
Related Commands
clear configure icmp
Clears the ICMP configuration.
debug icmp
Enables the display of debugging information for ICMP.
icmp
Configures access rules for ICMP traffic that terminates at an ASA
interface.
inspect icmp
Enables or disables the ICMP inspection engine.
timeout icmp
Configures the idle timeout for ICMP.
show idb
To display information about the status of interface descriptor blocks, use the show idb command in
privileged EXEC mode.
show idb
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
                  Firewall Mode            Security Context
                                           Multiple
Command Mode      Routed   Transparent     Single   Context   System
User EXEC         • Yes    • Yes           • Yes    —         • Yes
Command History
Release   Modification
7.0(1)    This command was added.
Usage Guidelines
IDBs are the internal data structure representing interface resources. See the “Examples” section for a
description of the display output.
Examples
The following is sample output from the show idb command:
ciscoasa# show idb
Maximum number of Software IDBs 280. In use 23.
          Active   Inactive   Total IDBs   Size each (bytes)   Total bytes
HWIDBs         6          1            7                 116           812
SWIDBs        21          2           23                 212          4876
HWIDB# 1 0xbb68ebc Control0/0
HWIDB# 2 0xcd47d84 GigabitEthernet0/0
HWIDB# 3 0xcd4c1dc GigabitEthernet0/1
HWIDB# 4 0xcd5063c GigabitEthernet0/2
HWIDB# 5 0xcd54a9c GigabitEthernet0/3
HWIDB# 6 0xcd58f04 Management0/0
SWIDB# 1 0x0bb68f54 0x01010001 Control0/0
SWIDB# 2 0x0cd47e1c 0xffffffff GigabitEthernet0/0
SWIDB# 3 0x0cd772b4 0xffffffff GigabitEthernet0/0.1
  PEER IDB# 1 0x0d44109c 0xffffffff 3 GigabitEthernet0/0.1
  PEER IDB# 2 0x0d2c0674 0x00020002 2 GigabitEthernet0/0.1
  PEER IDB# 3 0x0d05a084 0x00010001 1 GigabitEthernet0/0.1
SWIDB# 4 0x0bb7501c 0xffffffff GigabitEthernet0/0.2
SWIDB# 5 0x0cd4c274 0xffffffff GigabitEthernet0/1
SWIDB# 6 0x0bb75704 0xffffffff GigabitEthernet0/1.1
  PEER IDB# 1 0x0cf8686c 0x00020003 2 GigabitEthernet0/1.1
SWIDB# 7 0x0bb75dec 0xffffffff GigabitEthernet0/1.2
  PEER IDB# 1 0x0d2c08ac 0xffffffff 2 GigabitEthernet0/1.2
SWIDB# 8 0x0bb764d4 0xffffffff GigabitEthernet0/1.3
  PEER IDB# 1 0x0d441294 0x00030001 3 GigabitEthernet0/1.3
SWIDB# 9 0x0cd506d4 0x01010002 GigabitEthernet0/2
SWIDB# 10 0x0cd54b34 0xffffffff GigabitEthernet0/3
  PEER IDB# 1 0x0d3291ec 0x00030002 3 GigabitEthernet0/3
  PEER IDB# 2 0x0d2c0aa4 0x00020001 2 GigabitEthernet0/3
  PEER IDB# 3 0x0d05a474 0x00010002 1 GigabitEthernet0/3
SWIDB# 11 0x0cd58f9c 0xffffffff Management0/0
  PEER IDB# 1 0x0d05a65c 0x00010003 1 Management0/0
Table 7-4 shows each field description.
Table 7-4 show idb stats Fields
Field
Description
HWIDBs
Shows the statistics for all HWIDBs. HWIDBs are created for each hardware port
in the system.
SWIDBs
Shows the statistics for all SWIDBs. SWIDBs are created for each main and
subinterface in the system, and for each interface that is allocated to a context.
Some other internal software modules also create IDBs.
HWIDB#
Specifies a hardware interface entry. The IDB sequence number, address, and
interface name are displayed in each line.
SWIDB#
Specifies a software interface entry. The IDB sequence number, address,
corresponding vPif id, and interface name are displayed in each line.
PEER IDB#
Specifies an interface allocated to a context. The IDB sequence number, address,
corresponding vPif id, context id and interface name are displayed in each line.
Related Commands
Command
Description
interface
Configures an interface and enters interface configuration mode.
show interface
Displays the runtime status and statistics of interfaces.
show igmp groups
To display the multicast groups with receivers that are directly connected to the ASA and that were
learned through IGMP, use the show igmp groups command in privileged EXEC mode.
show igmp groups [[reserved | group] [if_name] [detail] | summary]
Syntax Description
detail
(Optional) Provides a detailed description of the sources.
group
(Optional) The address of an IGMP group. Including this optional argument
limits the display to the specified group.
if_name
(Optional) Displays group information for the specified interface.
reserved
(Optional) Displays information about reserved groups.
summary
(Optional) Displays group joins summary information.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                   Firewall Mode          Security Context
                                                   Multiple
Command Mode       Routed   Transparent   Single   Context   System
Privileged EXEC    Yes      —             Yes      —         —

Command History
Release    Modification
7.0(1)     This command was added.

Usage Guidelines
If you omit all optional arguments and keywords, the show igmp groups command displays all directly
connected multicast groups by group address, interface type, and interface number.
Examples
The following is sample output from the show igmp groups command:

ciscoasa# show igmp groups
IGMP Connected Group Membership
Group Address    Interface    Uptime     Expires    Last Reporter
224.1.1.1        inside       00:00:53   00:03:26   192.168.1.6

Related Commands

Command                Description
show igmp interface    Displays multicast information for an interface.
show igmp interface
To display multicast information for an interface, use the show igmp interface command in privileged
EXEC mode.
show igmp interface [if_name]

Syntax Description
if_name    (Optional) Displays IGMP group information for the selected interface.

Defaults
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:

                   Firewall Mode          Security Context
                                                   Multiple
Command Mode       Routed   Transparent   Single   Context   System
Privileged EXEC    Yes      —             Yes      —         —

Command History
Release    Modification
7.0(1)     This command was modified. The detail keyword was removed.

Usage Guidelines
If you omit the optional if_name argument, the show igmp interface command displays information
about all interfaces.
Examples
The following is sample output from the show igmp interface command:
ciscoasa# show igmp interface inside
inside is up, line protocol is up
Internet address is 192.168.37.6, subnet mask is 255.255.255.0
IGMP is enabled on interface
IGMP query interval is 60 seconds
Inbound IGMP access group is not set
Multicast routing is enabled on interface
Multicast TTL threshold is 0
Multicast designated router (DR) is 192.168.37.33
No multicast groups joined
Related Commands
Command
Description
show igmp groups
Displays the multicast groups with receivers that are directly connected to
the ASA and that were learned through IGMP.
show igmp traffic
To display IGMP traffic statistics, use the show igmp traffic command in privileged EXEC mode.
show igmp traffic
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                   Firewall Mode          Security Context
                                                   Multiple
Command Mode       Routed   Transparent   Single   Context   System
Privileged EXEC    Yes      —             Yes      —         —

Command History
Release    Modification
7.0(1)     This command was added.

Examples
The following is sample output from the show igmp traffic command:
ciscoasa# show igmp traffic
IGMP Traffic Counters
Elapsed time since counters cleared: 00:02:30

                       Received   Sent
Valid IGMP Packets     3          6
Queries                2          6
Reports                1          0
Leaves                 0          0
Mtrace packets         0          0
DVMRP packets          0          0
PIM packets            0          0

Errors:
Malformed Packets      0
Martian source         0
Bad Checksums          0

Related Commands

Command                Description
clear igmp counters    Clears all IGMP statistic counters.
clear igmp traffic     Clears the IGMP traffic counters.
show import webvpn
To list the files, customization objects, translation tables, or plug-ins in flash memory that customize and
localize the ASA or the AnyConnect Secure Mobility Client, use the show import webvpn command in
privileged EXEC mode.
show import webvpn {AnyConnect-customization | customization | mst-translation | plug-in |
translation-table | url-list | webcontent}[detailed | xml-output]
Syntax Description
AnyConnect-customization Displays resource files, executable files, and MS transforms in the ASA
flash memory that customize the AnyConnect client GUI.
customization
Displays XML customization objects in the ASA flash memory that
customize the clientless VPN portal (filenames base64 decoded).
mst-translation
Displays MS transforms in the ASA flash memory that translate the
AnyConnect client installer program.
plug-in
Displays plug-in modules in the ASA flash memory (third-party
Java-based client applications, including SSH, VNC, and RDP).
translation-table
Displays translation tables in the ASA flash memory that translate the
language of user messages displayed by the clientless portal, Secure
Desktop, and plug-ins.
url-list
Displays URL lists in the ASA flash memory used by the clientless
portal (filenames base64 decoded).
webcontent
Displays content in ASA flash memory used by the clientless portal,
clientless applications, and plugins for online help visible to end users.
detailed
Displays the path in flash memory of the file(s) and the hash.
xml-output
Displays the XML of the file(s).
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                   Firewall Mode          Security Context
                                                   Multiple
Command Mode       Routed   Transparent   Single   Context   System
Privileged EXEC    Yes      —             Yes      —         —

Command History
Release    Modification
8.0(2)     This command was added.
8.2(1)     The AnyConnect-customization keyword was added.

Usage Guidelines
Use the show import webvpn command to identify the custom data and the Java-based client
applications available to clientless SSL VPN users. The displayed list itemizes all of the requested data
types that are in flash memory on the ASA.
Examples
The following illustrates the WebVPN data displayed by the various forms of the show import webvpn
command:

ciscoasa# show import webvpn plug
ssh
rdp
vnc
ciscoasa#
ciscoasa# show import webvpn plug detail
post GXN2BIGGOAOkBMibDQsMu2GWZ3Q= Tue, 29 Apr 2008 19:57:03 GMT
rdp fHeyReIOUwDCgAL9HdTsPnjdBOo= Tue, 15 Sep 2009 23:23:56 GMT
rdp2 shw8c22T2SsILLk6zyCd6H6VOz8= Wed, 11 Feb 2009 21:17:54 GMT
ciscoasa# show import webvpn customization
Template
DfltCustomization
ciscoasa#
ciscoasa# show import webvpn translation-table
Translation Tables' Templates:
  AnyConnect
  PortForwarder
  banners
  csd
  customization
  url-list
  webvpn
Translation Tables:
  ru    customization
  ua    customization
ciscoasa#
ciscoasa# show import webvpn url-list
Template
No bookmarks are currently defined
ciscoasa#
ciscoasa# show import webvpn webcontent
No custom webcontent is loaded
ciscoasa#
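The detail form lists a hash and a timestamp for every plug-in, which is what makes it useful as an integrity check: plug-ins are third-party Java applications served to every clientless SSL VPN user, so an unexpected, changed or recently added entry is worth investigating. The following script is an added example, not Cisco code or output. It parses the three sample lines above (embedded here as constructed input) and compares them against a baseline allowlist. The page does not name the hash algorithm; the script only checks that the 28-character base64 value decodes to 20 bytes and otherwise treats it as an opaque fingerprint. The BASELINE contents, and the reading of the timestamp as the plug-in's import time, are assumptions made for the example.

```python
"""Baseline check for clientless SSL VPN plug-ins reported by
`show import webvpn plug-in detail` on a Cisco ASA.

Added example, not Cisco code. Each output line is "<name> <hash> <timestamp>";
the hash algorithm is not documented here, so the value is treated as an opaque
fingerprint. BASELINE and the meaning of the timestamp are assumptions.
"""
import base64
import re
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple

# Constructed input: the three lines from the page's own sample output.
SAMPLE_DETAIL = """\
post GXN2BIGGOAOkBMibDQsMu2GWZ3Q= Tue, 29 Apr 2008 19:57:03 GMT
rdp fHeyReIOUwDCgAL9HdTsPnjdBOo= Tue, 15 Sep 2009 23:23:56 GMT
rdp2 shw8c22T2SsILLk6zyCd6H6VOz8= Wed, 11 Feb 2009 21:17:54 GMT
"""

# Assumed operator baseline recorded when the plug-ins were imported. "rdp2" is
# given a deliberately different fingerprint and "ssh" is listed but absent from
# the device, to exercise the "changed" and "missing" verdicts.
BASELINE: Dict[str, str] = {
    "rdp": "fHeyReIOUwDCgAL9HdTsPnjdBOo=",
    "rdp2": "A" * 27 + "=",
    "ssh": "B" * 27 + "=",
}

_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(.+)$")
_TIME_FMT = "%a, %d %b %Y %H:%M:%S GMT"


class PlugIn(NamedTuple):
    name: str
    fingerprint: str
    imported: datetime


def parse_plugin_detail(text: str) -> List[PlugIn]:
    """Parse `show import webvpn plug-in detail` output; lines without a
    parseable timestamp (prompt echoes, blank lines) are skipped."""
    plugins: List[PlugIn] = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        name, fp, ts = m.groups()
        try:
            when = datetime.strptime(ts, _TIME_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
        plugins.append(PlugIn(name, fp, when))
    return plugins


def fingerprint_bytes(fp: str) -> int:
    """Decoded length of the fingerprint (20 bytes is the length of a SHA-1 digest)."""
    return len(base64.b64decode(fp, validate=True))


def compare(installed: List[PlugIn], baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify installed plug-ins against the baseline allowlist."""
    result: Dict[str, List[str]] = {"ok": [], "changed": [], "unexpected": [], "missing": []}
    seen = set()
    for p in installed:
        seen.add(p.name)
        if p.name not in baseline:
            result["unexpected"].append(p.name)   # uploaded outside the change process
        elif baseline[p.name] != p.fingerprint:
            result["changed"].append(p.name)      # same name, different content
        else:
            result["ok"].append(p.name)
    result["missing"] = [n for n in baseline if n not in seen]
    return result


def imported_after(installed: List[PlugIn], cutoff: datetime) -> List[str]:
    """Names of plug-ins whose timestamp is later than the last authorized change."""
    return [p.name for p in installed if p.imported > cutoff]


if __name__ == "__main__":
    plugins = parse_plugin_detail(SAMPLE_DETAIL)
    for p in plugins:
        print(f"{p.name:5} {p.fingerprint} {fingerprint_bytes(p.fingerprint)} bytes {p.imported:%Y-%m-%d}")
    for verdict, names in compare(plugins, BASELINE).items():
        print(f"{verdict:10} {', '.join(names) or '-'}")
    print("imported after 2009-01-01:",
          imported_after(plugins, datetime(2009, 1, 1, tzinfo=timezone.utc)))
```

Run against a saved copy of the command output, the script reports `post` as unexpected (present on the device, not in the baseline), `rdp2` as changed, `ssh` as missing, and only `rdp` as matching. Keeping the baseline outside the ASA matters: an attacker with enable access can replace a plug-in and the device will happily report the new hash as current.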
Related Commands

Command              Description
revert webvpn all    Removes all WebVPN data and plug-ins currently on the ASA.
show interface
To view interface statistics, use the show interface command in privileged EXEC mode.
show interface [{physical_interface | redundant number}[.subinterface] | mapped_name |
interface_name | vlan number | vni id [summary]] [stats | detail]
Syntax Description
detail
(Optional) Shows detailed interface information, including the order in
which the interface was added, the configured state, the actual state, and
asymmetrical routing statistics, if enabled by the asr-group command. If you
show all interfaces, then information about the internal interfaces for SSMs
displays, if installed on the ASA 5500 series adaptive security appliance. The
internal interface is not user-configurable, and the information is for
debugging purposes only.
interface_name
(Optional) Identifies the interface name set with the nameif command.
mapped_name
(Optional) In multiple context mode, identifies the mapped name if it was
assigned using the allocate-interface command.
physical_interface
(Optional) Identifies the interface ID, such as gigabitethernet 0/1. See the
interface command for accepted values.
redundant number
(Optional) Identifies the redundant interface ID, such as redundant1.
stats
(Default) Shows interface information and statistics. This keyword is the
default, so this keyword is optional.
summary
(Optional) For a VNI interface, shows only the VNI interface parameters.
subinterface
(Optional) Identifies an integer between 1 and 4294967293 designating a
logical subinterface.
vlan number
(Optional) For the ASA 5505 or ASASM, specifies the VLAN interface.
vni id
(Optional) Shows the parameters, status and statistics of a VNI interface,
status of its bridged interface (if configured), and NVE interface it is
associated with.
Defaults
If you do not identify any options, this command shows basic statistics for all interfaces.
Command Modes
The following table shows the modes in which you can enter the command:

                   Firewall Mode          Security Context
                                                   Multiple
Command Mode       Routed   Transparent   Single   Context   System
Privileged EXEC    Yes      Yes           Yes      Yes       Yes
Command History
Release    Modification
7.0(1)     This command was modified to include the new interface numbering scheme,
           and to add the stats keyword for clarity, and the detail keyword.
7.0(4)     Support for the 4GE SSM interfaces was added.
7.2(1)     Support for switch interfaces was added.
8.0(2)     Support for redundant interfaces was added. Also, the delay is added for
           subinterfaces. Two new counters were added: input reset drops and output
           reset drops.
8.2(1)     The no buffer number was changed to show the number of failures from block
           allocations.
8.6(1)     Support for the ASA 5512-X through ASA 5555-X shared management
           interface and the control plane interface for the software module were added.
           The management interface is displayed using the show interface detail
           command as Internal-Data0/1; the control plane interface is displayed as
           Internal-Control0/0.
9.4(1)     The vni interface type was added.
9.5(1)     Clustering site-specific MAC addresses were added to the output.

Usage Guidelines
If an interface is shared among contexts, and you enter this command within a context, the ASA shows
only statistics for the current context. When you enter this command in the system execution space for
a physical interface, the ASA shows the combined statistics for all contexts.
The number of statistics shown for subinterfaces is a subset of the number of statistics shown for a
physical interface.
You cannot use the interface name in the system execution space, because the nameif command is only
available within a context. Similarly, if you mapped the interface ID to a mapped name using the
allocate-interface command, you can only use the mapped name in a context. If you set the visible
keyword in the allocate-interface command, the ASA shows the interface ID in the output of the show
interface command.
Note
The number of bytes transmitted or received in the Hardware count and the Traffic Statistics count are
different. The hardware count is retrieved directly from the hardware and reflects the Layer 2 frame
size; the traffic statistics reflect the Layer 3 packet size. The size of the difference depends on the
design of the interface card hardware. For example, on a Fast Ethernet card the Layer 2 count is 14 bytes
per packet greater than the traffic count, because it includes the Ethernet header. On a Gigabit Ethernet
card the Layer 2 count is 18 bytes per packet greater than the traffic count, because it includes both the
Ethernet header and the CRC.
See the “Examples” section for a description of the display output.
Examples
The following is sample output from the show interface command:
ciscoasa# show interface
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 1000 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 000b.fcf8.c44e, MTU 1500
IP address 10.86.194.60, subnet mask 255.255.254.0
1328522 packets input, 124426545 bytes, 0 no buffer
Received 1215464 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
9 L2 decode drops
124606 packets output, 86803402 bytes, 0 underruns
0 output errors, 0 collisions
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (0/7)
output queue (curr/max packets): hardware (0/13)
Traffic Statistics for "outside":
1328509 packets input, 99873203 bytes
124606 packets output, 84502975 bytes
524605 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface GigabitEthernet0/1 "inside", is administratively down, line protocol is down
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 1000 usec
Auto-Duplex, Auto-Speed
MAC address 000b.fcf8.c44f, MTU 1500
IP address 10.10.0.1, subnet mask 255.255.0.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (0/0)
output queue (curr/max packets): hardware (0/0)
Traffic Statistics for "inside":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface GigabitEthernet0/2 "faillink", is administratively down, line protocol is down
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 1000 usec
Auto-Duplex, Auto-Speed
Description: LAN/STATE Failover Interface
MAC address 000b.fcf8.c450, MTU 1500
IP address 192.168.1.1, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (0/0)
output queue (curr/max packets): hardware (0/0)
Traffic Statistics for "faillink":
0 packets input, 0 bytes
1 packets output, 28 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface GigabitEthernet0/3 "", is administratively down, line protocol is down
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 1000 usec
Auto-Duplex, Auto-Speed
Active member of Redundant5
MAC address 000b.fcf8.c451, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (0/0)
output queue (curr/max packets): hardware (0/0)
Interface Management0/0 "", is administratively down, line protocol is down
Hardware is i82557, BW 100 Mbps, DLY 1000 usec
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 000b.fcf8.c44d, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (128/128) software (0/0)
output queue (curr/max packets): hardware (0/0) software (0/0)
Interface Redundant1 "", is down, line protocol is down
Redundancy Information:
Members unassigned
Interface Redundant5 "redundant", is administratively down, line protocol is down
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 1000 usec
Auto-Duplex, Auto-Speed
MAC address 000b.fcf8.c451, MTU 1500
IP address 10.2.3.5, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (0/0) software (0/0)
output queue (curr/max packets): hardware (0/0) software (0/0)
Traffic Statistics for "redundant":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Redundancy Information:
Member GigabitEthernet0/3(Active), GigabitEthernet0/2
Last switchover at 15:15:26 UTC Oct 24 2006
Interface Redundant5.1 "", is down, line protocol is down
VLAN identifier none
Available but not configured with VLAN or via nameif
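The output above has two counter sets per named interface: the hardware (Layer 2) counters straight from the NIC, and the "Traffic Statistics" block counted at Layer 3 after the ASA has processed the packet. The Note in the Usage Guidelines says the two byte counts differ by the Ethernet framing (18 bytes per packet on Gigabit Ethernet), and the fields that matter most when reviewing a firewall are "L2 decode drops" (frames for an interface with no nameif, or with an unknown VLAN tag), "input errors", and the Traffic Statistics "packets dropped" count, which covers drops in the accelerated security path such as access-list denies. The following parser is an added example, not Cisco code: it reads the "outside" and Management0/0 blocks from the sample above (embedded as constructed test input), separates the two counter sets, checks the per-packet Layer 2 overhead against the Note, and flags interfaces whose counters deserve a closer look. The 1% drop-ratio threshold is an arbitrary assumption for the example.

```python
"""Parse Cisco ASA `show interface` output and check the counters.

Added example, not Cisco code. The regexes match the line formats in the page's
sample output and counter names follow Table 7-5. The 1% ASP-drop threshold
in audit() is an arbitrary assumption.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed input: the "outside" and Management0/0 blocks from the page's
# sample output, trimmed to the lines the parser reads.
SAMPLE_OUTPUT = """\
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 1000 usec
        1328522 packets input, 124426545 bytes, 0 no buffer
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        9 L2 decode drops
        124606 packets output, 86803402 bytes, 0 underruns
  Traffic Statistics for "outside":
        1328509 packets input, 99873203 bytes
        124606 packets output, 84502975 bytes
        524605 packets dropped
        1 minute input rate 0 pkts/sec,  0 bytes/sec
Interface Management0/0 "", is administratively down, line protocol is down
  Hardware is i82557, BW 100 Mbps, DLY 1000 usec
        Available but not configured via nameif
        0 packets input, 0 bytes, 0 no buffer
        0 packets output, 0 bytes, 0 underruns
"""

_HEADER = re.compile(r'^Interface (\S+) "([^"]*)", is (.+?), line protocol is (\S+)')
_PKTS = re.compile(r"^(\d+) packets (input|output), (\d+) bytes")
_COUNTER = re.compile(r"^(\d+) (input errors|L2 decode drops|packets dropped)")


@dataclass
class Interface:
    ident: str
    name: str          # nameif value, empty when none is configured
    admin_state: str   # "up" or "administratively down"
    line_state: str    # "up" or "down"
    hw: Dict[str, int] = field(default_factory=dict)       # Layer 2 counters from the NIC
    traffic: Dict[str, int] = field(default_factory=dict)  # Layer 3 "Traffic Statistics"


def parse_show_interface(text: str) -> Dict[str, Interface]:
    """Split the output into per-interface hardware and traffic counter sets."""
    ifaces: Dict[str, Interface] = {}
    cur: Optional[Interface] = None
    in_traffic = False
    for raw in text.splitlines():
        m = _HEADER.match(raw)
        if m:
            cur = Interface(*m.groups())
            ifaces[cur.ident] = cur
            in_traffic = False   # counters before "Traffic Statistics" are hardware
            continue
        if cur is None:
            continue
        line = raw.strip()
        if line.startswith("Traffic Statistics for"):
            in_traffic = True
            continue
        dest = cur.traffic if in_traffic else cur.hw
        m = _PKTS.match(line)
        if m:
            dest[f"{m.group(2)}_pkts"] = int(m.group(1))
            dest[f"{m.group(2)}_bytes"] = int(m.group(3))
            continue
        m = _COUNTER.match(line)
        if m:
            dest[m.group(2).replace(" ", "_")] = int(m.group(1))
    return ifaces


def l2_overhead(iface: Interface, direction: str = "output") -> Optional[float]:
    """Average bytes per packet by which the Layer 2 byte count exceeds the Layer 3
    count; the Note says 18 for Gigabit Ethernet (header plus CRC)."""
    hw_b, ts_b = iface.hw.get(f"{direction}_bytes"), iface.traffic.get(f"{direction}_bytes")
    ts_p = iface.traffic.get(f"{direction}_pkts")
    if hw_b is None or ts_b is None or not ts_p:
        return None   # no Traffic Statistics block, e.g. interface without nameif
    return (hw_b - ts_b) / ts_p


def audit(ifaces: Dict[str, Interface], drop_ratio_limit: float = 0.01) -> List[Tuple[str, str, str]]:
    """Return (interface, check, detail) findings worth a closer look."""
    findings: List[Tuple[str, str, str]] = []
    for i in ifaces.values():
        if not i.name and i.line_state == "up":
            findings.append((i.ident, "unnamed-but-up", "link is up but no nameif is set"))
        if i.hw.get("L2_decode_drops", 0):
            findings.append((i.ident, "l2-decode-drops",
                             f"{i.hw['L2_decode_drops']} frames with a bad VLAN id or for an unnamed interface"))
        if i.hw.get("input_errors", 0):
            findings.append((i.ident, "input-errors", str(i.hw["input_errors"])))
        dropped, rx = i.traffic.get("packets_dropped", 0), i.traffic.get("input_pkts", 0)
        if rx and dropped / rx > drop_ratio_limit:
            findings.append((i.ident, "asp-drops",
                             f"{dropped} of {rx} input packets dropped ({dropped / rx:.1%}); see show asp drop"))
    return findings


if __name__ == "__main__":
    parsed = parse_show_interface(SAMPLE_OUTPUT)
    for ident, iface in parsed.items():
        ovh = l2_overhead(iface)
        print(ident, "L2 overhead" if ovh is not None else "no traffic statistics", ovh)
    for finding in audit(parsed):
        print(*finding)
```

On the sample, the per-packet overhead comes out a little above 18 in both directions (18.46 outbound, 18.48 inbound) rather than exactly 18; the Note does not discuss the remainder, and one ordinary cause, not stated by the page, is short frames being padded to the 64-byte Ethernet minimum. The audit flags the outside interface twice: 9 L2 decode drops, and 524605 of 1328509 input packets dropped in the ASP, which is the figure to chase with show asp drop before assuming it is all intended access-list denies.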
The following output shows the use of the site MAC address when in use:
ciscoasa# show interface port-channel1.3151
Interface Port-channel1.3151 "inside", is up, line protocol is up
Hardware is EtherChannel/LACP, BW 1000 Mbps, DLY 10 usec
VLAN identifier 3151
MAC address aaaa.1111.1234, MTU 1500
Site Specific MAC address aaaa.1111.aaaa
IP address 10.3.1.1, subnet mask 255.255.255.0
Traffic Statistics for "inside":
132269 packets input, 6483425 bytes
1062 packets output, 110448 bytes
98530 packets dropped
Table 7-5 shows each field description.

Table 7-5   show interface Fields

Field                  Description
Interface ID           The interface ID. Within a context, the ASA shows the mapped name (if
                       configured), unless you set the allocate-interface command visible keyword.
“interface_name”       The interface name set with the nameif command. In the system execution space,
                       this field is blank because you cannot set the name in the system. If you do not
                       configure a name, the following message appears after the Hardware line:
                         Available but not configured via nameif
is state               The administrative state, as follows:
                       • up—The interface is not shut down.
                       • administratively down—The interface is shut down with the shutdown
                         command.
Line protocol is       The line status, as follows:
state                  • up—A working cable is plugged into the network interface.
                       • down—Either the cable is incorrect or not plugged into the interface
                         connector.
VLAN identifier        For subinterfaces, the VLAN ID.
Hardware               The interface type, maximum bandwidth, delay, duplex, and speed. When the link
                       is down, the duplex and speed show the configured values. When the link is up,
                       these fields show the configured values with the actual settings in parentheses.
                       The following list describes the common hardware types:
                       • i82542 - Intel PCI Fiber Gigabit card used on PIX platforms
                       • i82543 - Intel PCI-X Fiber Gigabit card used on PIX platforms
                       • i82546GB - Intel PCI-X Copper Gigabit used on ASA platforms
                       • i82547GI - Intel CSA Copper Gigabit used as backplane on ASA platforms
                       • i82557 - Intel PCI Copper Fast Ethernet used on ASA platforms
                       • i82559 - Intel PCI Copper Fast Ethernet used on PIX platforms
                       • VCS7380 - Vitesse Four Port Gigabit Switch used in SSM-4GE
Media-type             (For 4GE SSM interfaces only) Shows if the interface is set as RJ-45 or SFP.
message area           A message might be displayed in some circumstances. See the following
                       examples:
                       • In the system execution space, you might see the following message:
                           Available for allocation to a context
                       • If you do not configure a name, you see the following message:
                           Available but not configured via nameif
                       • If an interface is a member of a redundant interface, you see the following
                         message:
                           Active member of Redundant5
MAC address            The interface MAC address.
Site Specific MAC      For clustering, shows an in-use site-specific MAC address.
address
MTU                    The maximum size, in bytes, of packets allowed on this interface. If you do not
                       set the interface name, this field shows “MTU not set.”
IP address             The interface IP address set using the ip address command or received from a
                       DHCP server. In the system execution space, this field shows “IP address
                       unassigned” because you cannot set the IP address in the system.
Subnet mask            The subnet mask for the IP address.
Packets input          The number of packets received on this interface.
Bytes                  The number of bytes received on this interface.
No buffer              The number of failures from block allocations.
Received:
Broadcasts             The number of broadcasts received.
Input errors           The number of total input errors, including the types listed below. Other
                       input-related errors can also cause the input error count to increase, and some
                       datagrams might have more than one error; therefore, this sum might exceed the
                       number of errors listed for the types below.
Runts                  The number of packets that are discarded because they are smaller than the
                       minimum packet size, which is 64 bytes. Runts are usually caused by collisions.
                       They might also be caused by poor wiring and electrical interference.
Giants                 The number of packets that are discarded because they exceed the maximum
                       packet size. For example, any Ethernet packet that is greater than 1518 bytes is
                       considered a giant.
CRC                    The number of Cyclical Redundancy Check errors. When a station sends a frame,
                       it appends a CRC to the end of the frame. This CRC is generated from an
                       algorithm based on the data in the frame. If the frame is altered between the source
                       and destination, the ASA notes that the CRC does not match. A high number of
                       CRCs is usually the result of collisions or a station transmitting bad data.
Frame                  The number of frame errors. Bad frames include packets with an incorrect length
                       or bad frame checksums. This error is usually the result of collisions or a
                       malfunctioning Ethernet device.
Overrun                The number of times that the ASA was incapable of handing received data to a
                       hardware buffer because the input rate exceeded the ASA capability to handle the
                       data.
Ignored                This field is not used. The value is always 0.
Abort                  This field is not used. The value is always 0.
L2 decode drops        The number of packets dropped because the name is not configured (nameif
                       command) or a frame with an invalid VLAN id is received. On a standby interface
                       in a redundant interface configuration, this counter may increase because this
                       interface has no name (nameif command) configured.
Packets output         The number of packets sent on this interface.
Bytes                  The number of bytes sent on this interface.
Underruns              The number of times that the transmitter ran faster than the ASA could handle.
Output Errors          The number of frames not transmitted because the configured maximum number
                       of collisions was exceeded. This counter should only increment during heavy
                       network traffic.
Collisions             The number of messages retransmitted due to an Ethernet collision (single and
                       multiple collisions). This usually occurs on an overextended LAN (Ethernet or
                       transceiver cable too long, more than two repeaters between stations, or too many
                       cascaded multiport transceivers). A packet that collides is counted only once by
                       the output packets.
Interface resets       The number of times an interface has been reset. If an interface is unable to
                       transmit for three seconds, the ASA resets the interface to restart transmission.
                       During this interval, connection state is maintained. An interface reset can also
                       happen when an interface is looped back or shut down.
Babbles                Unused. (“babble” means that the transmitter has been on the interface longer than
                       the time taken to transmit the largest frame.)
Late collisions        The number of frames that were not transmitted because a collision occurred
                       outside the normal collision window. A late collision is a collision that is detected
                       late in the transmission of the packet. Normally, these should never happen. When
                       two Ethernet hosts try to talk at once, they should collide early in the packet and
                       both back off, or the second host should see that the first one is talking and wait.
                       If you get a late collision, a device is jumping in and trying to send the packet on
                       the Ethernet while the ASA is partly finished sending the packet. The ASA does
                       not resend the packet, because it may have freed the buffers that held the first part
                       of the packet. This is not a real problem because networking protocols are
                       designed to cope with collisions by resending packets. However, late collisions
                       indicate a problem exists in your network. Common problems are large repeated
                       networks and Ethernet networks running beyond the specification.
Deferred               The number of frames that were deferred before transmission due to activity on
                       the link.
input reset drops      Counts the number of packets dropped in the RX ring when a reset occurs.
output reset drops     Counts the number of packets dropped in the TX ring when a reset occurs.
Rate limit drops       (For 4GE SSM interfaces only) The number of packets dropped if you configured
                       the interface at non-Gigabit speeds and attempted to transmit more than 10 Mbps
                       or 100 Mbps, depending on configuration.
Lost carrier           The number of times the carrier signal was lost during transmission.
No carrier             Unused.
Input queue            The number of packets in the input queue, the current and the maximum.
(curr/max packets):
Hardware               The number of packets in the hardware queue.
Software               The number of packets in the software queue. Not available for Gigabit Ethernet
                       interfaces.
Output queue           The number of packets in the output queue, the current and the maximum.
(curr/max packets):
Hardware               The number of packets in the hardware queue.
Software               The number of packets in the software queue.
input queue            The curr/low entry indicates the number of current and all-time-lowest available
(blocks free           slots on the interface's Receive (input) descriptor ring. These are updated by the
curr/low)              main CPU, so the all-time-lowest (until the interface statistics are cleared or the
                       device is reloaded) watermarks are not highly accurate.
output queue           The curr/low entry indicates the number of current and all-time-lowest available
(blocks free           slots on the interface's Transmit (output) descriptor rings. These are updated by
curr/low)              the main CPU, so the all-time-lowest (until the interface statistics are cleared or
                       the device is reloaded) watermarks are not highly accurate.
Traffic Statistics:    The number of packets received, transmitted, or dropped.
Packets input          The number of packets received and the number of bytes.
Packets output         The number of packets transmitted and the number of bytes.
Packets dropped        The number of packets dropped. Typically this counter increments for packets
                       dropped on the accelerated security path (ASP), for example, if a packet is
                       dropped due to an access list deny.
                       See the show asp drop command for reasons for potential drops on an interface.
1 minute input rate    The number of packets received in packets/sec and bytes/sec over the last minute.
1 minute output rate   The number of packets transmitted in packets/sec and bytes/sec over the last
                       minute.
1 minute drop rate     The number of packets dropped in packets/sec over the last minute.
5 minute input rate    The number of packets received in packets/sec and bytes/sec over the last 5
                       minutes.
5 minute output rate   The number of packets transmitted in packets/sec and bytes/sec over the last 5
                       minutes.
5 minute drop rate     The number of packets dropped in packets/sec over the last 5 minutes.
Redundancy             For redundant interfaces, shows the member physical interfaces. The active
Information:           interface has “(Active)” after the interface ID.
                       If you have not yet assigned members, you see the following output:
                         Members unassigned
Last switchover        For redundant interfaces, shows the last time the active interface failed over to the
                       standby interface.
The following is sample output from the show interface command on the ASA 5505, which includes
switch ports:
ciscoasa# show interface
Interface Vlan1 "inside", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
MAC address 00d0.2bff.449f, MTU 1500
IP address 1.1.1.1, subnet mask 255.0.0.0
Traffic Statistics for "inside":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 1000 usec
Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 00d0.2bfd.6ec5, MTU not set
IP address unassigned
407 packets input, 53587 bytes, 0 no buffer
Received 103 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
43 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Table 7-6 shows each field description for the show interface command for switch interfaces, such as
those for the ASA 5505 adaptive security appliance. See the show interface fields table above for fields
that are also shown for the show interface command.
Table 7-6  show interface for Switch Interfaces Fields
Field                          Description
switch ingress policy drops
    This drop is usually seen when a port is not configured correctly. This drop is
    incremented when a packet cannot be successfully forwarded within switch ports
    as a result of the default or user configured switch port settings. The following
    configurations are the likely reasons for this drop:
    • The nameif command was not configured on the VLAN interface.
      Note: For interfaces in the same VLAN, even if the nameif command was not
      configured, switching within the VLAN is successful, and this counter
      does not increment.
    • The VLAN is shut down.
    • An access port received an 802.1Q-tagged packet.
    • A trunk port received a tag that is not allowed or an untagged packet.
    • The ASA is connected to another Cisco device that has Ethernet keepalives.
      For example, Cisco IOS software uses Ethernet loopback packets to ensure
      interface health. This packet is not intended to be received by any other
      device; the health is ensured just by being able to send the packet. These types
      of packets are dropped at the switch port, and the counter increments.
switch egress policy drops
    Not currently in use.
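As an added example (not Cisco code), the following Python script parses show interface text into per-interface counters and turns the switch-port drop counters and the "Available but not configured via nameif" line into review items, following Table 7-6. The embedded sample is the ASA 5505 output shown above, trimmed to the lines the parser reads; the message wording is the example's own.

```python
"""Parse ASA `show interface` text and flag interfaces that need attention.

Added example (not Cisco code). The sample below is the ASA 5505 output shown on
this page, embedded inline so the script runs offline.
"""
import re

SAMPLE = """\
ciscoasa# show interface
Interface Vlan1 "inside", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
  MAC address 00d0.2bff.449f, MTU 1500
  IP address 1.1.1.1, subnet mask 255.0.0.0
  Traffic Statistics for "inside":
    0 packets input, 0 bytes
    0 packets output, 0 bytes
    0 packets dropped
    1 minute input rate 0 pkts/sec, 0 bytes/sec
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 1000 usec
  Available but not configured via nameif
  MAC address 00d0.2bfd.6ec5, MTU not set
  IP address unassigned
  407 packets input, 53587 bytes, 0 no buffer
  Received 103 broadcasts, 0 runts, 0 giants
  0 L2 decode drops
  43 switch ingress policy drops
  0 packets output, 0 bytes, 0 underruns
  0 rate limit drops
  0 switch egress policy drops
"""

# Matches: Interface Ethernet0/0 "", is up, line protocol is up
HEADER = re.compile(r'^Interface (\S+) "([^"]*)", is (\S+), line protocol is (\S+)$')
# Matches the leading counter of a stats line, e.g. "43 switch ingress policy drops"
# or "407 packets input, 53587 bytes, 0 no buffer" (only the first counter is kept).
COUNTER = re.compile(r'^(\d+) ([A-Za-z][^,]*)')
RATE = re.compile(r'^\d+ minute ')  # "1 minute input rate ..." lines are not counters


def parse_show_interface(text):
    """Return one dict per interface block: id, nameif, admin/protocol state, counters."""
    interfaces, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = {"id": m.group(1), "nameif": m.group(2), "admin": m.group(3),
                       "protocol": m.group(4), "no_nameif": False, "counters": {}}
            interfaces.append(current)
            continue
        if current is None or RATE.match(line):
            continue  # prompt line before the first block, or a rate line
        if line == "Available but not configured via nameif":
            current["no_nameif"] = True
            continue
        m = COUNTER.match(line)
        if m:
            current["counters"][m.group(2).strip()] = int(m.group(1))
    return interfaces


def findings(interfaces):
    """Map Table 7-6 drop counters onto review items; returns (interface id, message)."""
    out = []
    for itf in interfaces:
        c = itf["counters"]
        if itf["no_nameif"] and itf["admin"] == "up":
            out.append((itf["id"],
                        "up but not configured via nameif; confirm the port is meant to be in use"))
        drops = c.get("switch ingress policy drops", 0)
        if drops:
            out.append((itf["id"],
                        f"{drops} switch ingress policy drops: check VLAN nameif/shutdown "
                        "and access/trunk tagging (Table 7-6)"))
        if c.get("packets dropped", 0):
            out.append((itf["id"], f"{c['packets dropped']} packets dropped in traffic statistics"))
    return out


if __name__ == "__main__":
    for itf_id, msg in findings(parse_show_interface(SAMPLE)):
        print(f"{itf_id}: {msg}")
```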
The following is sample output from the show interface detail command. The following example shows
detailed interface statistics for all interfaces, including the internal interfaces (if present for your
platform) and asymmetrical routing statistics, if enabled by the asr-group command:
ciscoasa# show interface detail
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 1000 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 000b.fcf8.c44e, MTU 1500
IP address 10.86.194.60, subnet mask 255.255.254.0
1330214 packets input, 124580214 bytes, 0 no buffer
Received 1216917 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
9 L2 decode drops
124863 packets output, 86956597 bytes, 0 underruns
0 output errors, 0 collisions
0 late collisions, 0 deferred
input queue (curr/max packets): hardware (0/7)
output queue (curr/max packets): hardware (0/13)
Traffic Statistics for "outside":
1330201 packets input, 99995120 bytes
124863 packets output, 84651382 bytes
525233 packets dropped
Control Point Interface States:
Interface number is 1
Interface config status is active
Interface state is active
Interface Internal-Data0/0 "", is up, line protocol is up
Hardware is i82547GI rev00, BW 1000 Mbps, DLY 1000 usec
(Full-duplex), (1000 Mbps)
MAC address 0000.0001.0002, MTU not set
IP address unassigned
6 packets input, 1094 bytes, 0 no buffer
Received 6 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops, 0 demux drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions
0 late collisions, 0 deferred
input queue (curr/max packets): hardware (0/2) software (0/0)
output queue (curr/max packets): hardware (0/0) software (0/0)
Control Point Interface States:
Interface number is unassigned
...
Table 7-7 shows each field description for the show interface detail command. See the show interface
fields table above for fields that are also shown for the show interface command.
Table 7-7  show interface detail Fields
Field                          Description
Demux drops
    (On Internal-Data interface only) The number of packets dropped because the
    ASA was unable to demultiplex packets from SSM interfaces. SSM interfaces
    communicate with the native interfaces across the backplane, and packets from all
    SSM interfaces are multiplexed on the backplane.
Control Point Interface States:
  Interface number
    A number used for debugging that indicates in what order this interface was
    created, starting with 0.
  Interface config status
    The administrative state, as follows:
    • active—The interface is not shut down.
    • not active—The interface is shut down with the shutdown command.
  Interface state
    The actual state of the interface. In most cases, this state matches the config status
    above. If you configure high availability, it is possible there can be a mismatch
    because the ASA brings the interfaces up or down as needed.
Asymmetrical Routing Statistics:
  Received X1 packets
    Number of ASR packets received on this interface.
  Transmitted X2 packets
    Number of ASR packets sent on this interface.
  Dropped X3 packets
    Number of ASR packets dropped on this interface. The packets might be dropped
    if the interface is down when trying to forward the packet.
The following is sample output from the show interface detail command on the ASA 5512-X through
ASA 5555-X, which shows combined statistics for the Management 0/0 interface (shown as
“Internal-Data0/1”) for both the ASA and the software module. The output also shows the
Internal-Control0/0 interface, which is used for control traffic between the software module and the
ASA.
Interface Internal-Data0/1 "ipsmgmt", is down, line protocol is up
Hardware is , BW Unknown Speed-Capability, DLY 1000 usec
(Full-duplex), (1000 Mbps)
Input flow control is unsupported, output flow control is unsupported
MAC address 0100.0100.0000, MTU not set
IP address 127.0.1.1, subnet mask 255.255.0.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
182 packets output, 9992 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (0/0)
output queue (blocks free curr/low): hardware (0/0)
Traffic Statistics for "ipsmgmt":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Control Point Interface States:
Interface number is 11
Interface config status is active
Interface state is active
Interface Internal-Control0/0 "cplane", is down, line protocol is up
Hardware is , BW Unknown Speed-Capability, DLY 1000 usec
(Full-duplex), (1000 Mbps)
Input flow control is unsupported, output flow control is unsupported
MAC address 0100.0100.0000, MTU not set
IP address 127.0.1.1, subnet mask 255.255.0.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
182 packets output, 9992 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (0/0)
output queue (blocks free curr/low): hardware (0/0)
Traffic Statistics for "cplane":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Control Point Interface States:
Interface number is 11
Interface config status is active
Interface state is active
See the following output for the show interface vni 1 command:
ciscoasa# show interface vni 1
Interface vni1 "vni-inside", is up, line protocol is up
VTEP-NVE 1
Segment-id 5001
Tag-switching: disabled
MTU: 1500
MAC: aaaa.bbbb.1234
IP address 192.168.0.1, subnet mask 255.255.255.0
Multicast group 239.1.3.3
Traffic Statistics for "vni-inside":
235 packets input, 23606 bytes
524 packets output, 32364 bytes
14 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 2 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
See the following output for the show interface vni 1 summary command:
ciscoasa# show interface vni 1 summary
Interface vni1 "vni-inside", is up, line protocol is up
VTEP-NVE 1
Segment-id 5001
Tag-switching: disabled
MTU: 1500
MAC: aaaa.bbbb.1234
IP address 192.168.0.1, subnet mask 255.255.255.0
Multicast group not configured
Related Commands
Command
Description
allocate-interface
Assigns interfaces and subinterfaces to a security context.
clear interface
Clears counters for the show interface command.
delay
Changes the delay metric for an interface.
interface
Configures an interface and enters interface configuration mode.
nameif
Sets the interface name.
show interface ip brief Shows the interface IP address and status.
show interface ip brief
To view interface IP addresses and status, use the show interface ip brief command in privileged EXEC
mode.
show interface [physical_interface[.subinterface] | mapped_name | interface_name | vlan number] ip brief
Syntax Description
interface_name
(Optional) Identifies the interface name set with the nameif command.
mapped_name
(Optional) In multiple context mode, identifies the mapped name if it was
assigned using the allocate-interface command.
physical_interface
(Optional) Identifies the interface ID, such as gigabitethernet0/1. See the
interface command for accepted values.
subinterface
(Optional) Identifies an integer between 1 and 4294967293 designating a
logical subinterface.
vlan number
(Optional) For models with a built-in switch, such as the ASA 5505 adaptive
security appliance, specifies the VLAN interface.
Defaults
If you do not specify an interface, the ASA shows all interfaces.
Command Modes
The following table shows the modes in which you can enter the command:
                  Firewall Mode           Security Context
                                          Single   Multiple
Command Mode      Routed   Transparent             Context   System
Privileged EXEC   • Yes    • Yes (1)      • Yes    • Yes     —
1. Available for the Management 0/0 interface or subinterface only.
Command History
Release   Modification
7.0(1)    This command was added.
7.2(1)    Support for VLAN interfaces and for the Management 0/0 interface or
          subinterface in transparent mode was added.
Usage Guidelines
In multiple context mode, if you mapped the interface ID in the allocate-interface command, you can
only specify the mapped name or the interface name in a context.
See the “Examples” section for a description of the display output.
Examples
The following is sample output from the show interface ip brief command:
ciscoasa# show interface ip brief
Interface                  IP-Address       OK? Method Status                Protocol
Control0/0                 127.0.1.1        YES CONFIG up                    up
GigabitEthernet0/0         209.165.200.226  YES CONFIG up                    up
GigabitEthernet0/1         unassigned       YES unset  administratively down down
GigabitEthernet0/2         10.1.1.50        YES manual administratively down down
GigabitEthernet0/3         192.168.2.6      YES DHCP   administratively down down
Management0/0              209.165.201.3    YES CONFIG up                    up
Table 7-8 shows each field description.
Table 7-8  show interface ip brief Fields
Field           Description
Interface
    The interface ID or, in multiple context mode, the mapped name if you configured
    it using the allocate-interface command. If you show all interfaces, then
    information about the internal interface for the AIP SSM displays, if installed on
    the ASA. The internal interface is not user-configurable, and the information is for
    debugging purposes only.
IP-Address
    The interface IP address.
OK?
    This column is not currently used, and always shows “Yes.”
Method
    The method by which the interface received the IP address. Values include the
    following:
    • unset—No IP address configured.
    • manual—Configured in the running configuration.
    • CONFIG—Loaded from the startup configuration.
    • DHCP—Received from a DHCP server.
Status
    The administrative state, as follows:
    • up—The interface is not shut down.
    • administratively down—The interface is shut down with the shutdown
      command.
Protocol
    The line status, as follows:
    • up—A working cable is plugged into the network interface.
    • down—Either the cable is incorrect or not plugged into the interface
      connector.
Related Commands
Command
Description
allocate-interface
Assigns interfaces and subinterfaces to a security context.
interface
Configures an interface and enters interface configuration mode.
ip address
Sets the IP address for the interface or sets the management IP address for a
transparent firewall.
nameif
Sets the interface name.
show interface
Displays the runtime status and statistics of interfaces.
show inventory
To display information about all of the Cisco products installed in the networking device that are
assigned a product identifier (PID), version identifier (VID), and serial number (SN), use the show
inventory command in user EXEC or privileged EXEC mode.
show inventory [mod_id]
Syntax Description
mod_id
(Optional) Specifies the module ID or slot number, 0-3.
Defaults
If you do not specify a slot to show inventory for an item, the inventory information of all modules
(including the power supply) is displayed.
Command Modes
The following table shows the modes in which you can enter the command.
                  Firewall Mode           Security Context
                                          Single   Multiple
Command Mode      Routed   Transparent             Context   System
Privileged EXEC   • Yes    • Yes          —        —         • Yes
User EXEC         • Yes    • Yes          —        —         • Yes
Command History
Release   Modification
7.0(1)    Minor editorial changes.
8.4(2)    The output for an SSP was added. In addition, support for a dual SSP
          installation was added.
8.6(1)    The output for the ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X (the
          chassis, redundant power supplies, and I/O expansion card) was added.
9.1(1)    The output for the ASA CX module was added.
Usage Guidelines
The show inventory command retrieves and displays inventory information about each Cisco product in
the form of a UDI, which is a combination of three separate data elements: the product identifier (PID),
the version identifier (VID), and the serial number (SN).
The PID is the name by which the product can be ordered; it has been historically called the “Product
Name” or “Part Number.” This is the identifier that you use to order an exact replacement part.
The VID is the version of the product. Whenever a product has been revised, the VID is incremented
according to a rigorous process derived from Telcordia GR-209-CORE, an industry guideline that
governs product change notices.
The SN is the vendor-unique serialization of the product. Each manufactured product has a unique serial
number assigned at the factory, which cannot be changed in the field. The serial number is the means by
which to identify an individual, specific instance of a product. The serial number can be different lengths
for the various components of the device.
The UDI refers to each product as an entity. Some entities, such as a chassis, have sub-entities like slots.
Each entity appears on a separate line in a logically ordered presentation that is arranged hierarchically
by Cisco entities.
Use the show inventory command without options to display a list of Cisco entities installed in the
networking device that are assigned a PID.
If a Cisco entity is not assigned a PID, that entity is not retrieved or displayed.
Note
When two SSPs are installed in the same chassis, the number of the module indicates the physical
location of the module in the chassis. The chassis master is always the SSP installed in slot 0. Only those
sensors with which the SSP is associated are displayed in the output.
The term module in the output is equivalent to physical slot. In the description of the SSP itself, the
output includes module: 0 when it is installed in physical slot 0, and module: 1 otherwise. When the
target SSP is the chassis master, the show inventory command output includes the power supplies and/or
cooling fans. Otherwise, these components are omitted.
The serial number may not display because of hardware limitations on the ASA 5500-X series. For the
UDI display of the PCI-E I/O (NIC) option cards in these models, there are six possible outputs
according to the chassis type, although there are only two different card types. This is because there are
different PCI-E bracket assemblies used according to the specified chassis. The following examples
show the expected outputs for each PCI-E I/O card assembly. For example, if a Silicom SFP NIC card
is detected, the UDI display is determined by the device on which it is installed. The VID and S/N values
are N/A, because there is no electronic storage of these values.
For a 6-port SFP Ethernet NIC card in an ASA 5512-X or 5515-X:
Name: "module1", DESCR: "ASA 5512-X/5515-X Interface Card 6-port GE SFP, SX/LX"
PID: ASA-IC-6GE-SFP-A, VID: N/A, SN: N/A
For a 6-port SFP Ethernet NIC card in an ASA 5525-X:
Name: "module1", DESCR: "ASA 5525-X Interface Card 6-port GE SFP, SX/LX"
PID: ASA-IC-6GE-SFP-B, VID: N/A, SN: N/A
For a 6-port SFP Ethernet NIC card in an ASA 5545-X or 5555-X:
Name: "module1", DESCR: "ASA 5545-X/5555-X Interface Card 6-port GE SFP, SX/LX"
PID: ASA-IC-6GE-SFP-C, VID: N/A, SN: N/A
For a 6-port Copper Ethernet NIC card in an ASA 5512-X or 5515-X:
Name: "module1", DESCR: "ASA 5512-X/5515-X Interface Card 6-port 10/100/1000, RJ-45"
PID: ASA-IC-6GE-CU-A, VID: N/A, SN: N/A
For a 6-port Copper Ethernet NIC card in an ASA 5525-X:
Name: "module1", DESCR: "ASA 5525-X Interface Card 6-port 10/100/1000, RJ-45"
PID: ASA-IC-6GE-CU-B, VID: N/A, SN: N/A
For a 6-port Copper Ethernet NIC card in an ASA 5545-X or 5555-X:
Name: "module1", DESCR: "ASA 5545-X/5555-X Interface Card 6-port 10/100/1000, RJ-45"
PID: ASA-IC-6GE-CU-C, VID: N/A, SN: N/A
Examples
The following is sample output from the show inventory command without any keywords or arguments.
This sample output displays a list of Cisco entities installed in an ASA that are each assigned a PID,
including a storage device used for an ASA CX module.
ciscoasa> show inventory
Name: "Chassis", DESCR: "ASA 5555-X with SW, 8 GE Data, 1 GE Mgmt"
PID: ASA5555, VID: V01, SN: FGL170441BU
Name: "power supply 1", DESCR: "ASA 5545-X/5555-X AC Power Supply"
PID: ASA-PWR-AC, VID: N/A, SN: 2CS1AX
Name: "Storage Device 1", DESCR: "Micron 128 GB SSD MLC, Model Number: C400-MTFDDAC128MAM"
PID: N/A, VID: N/A, SN: MXA174201RR
The following example shows the output of the show inventory command on a chassis master for a dual
SSP installation:
ciscoasa(config)# show inventory
Name: "module 0", DESCR: "ASA 5585-X Security Services Processor-40 w 6GE,4 SFP+"
PID: ASA5585-SSP-40, VID: V01, SN: JAF1436ACLJ
Name: "Chassis", DESCR: "ASA 5585-X"
PID: ASA5585, VID: V01, SN: 123456789AB
Name: "fan", DESCR: "ASA 5585-X Fan Module"
PID: ASA5585-FAN, VID: V01, SN: POG1434000G
Name: "power supply 0", DESCR: "ASA 5585-X AC Power Supply"
PID: ASA5585-PWR-AC, VID: V01, SN: POG1434002K
Table 7-9 describes the fields shown in the display.
Table 7-9  Field Descriptions for show inventory
Field     Description
Name
    Physical name (text string) assigned to the Cisco entity. For example, console,
    SSP, or a simple component number (port or module number), such as “1,”
    depending on the physical component naming syntax of the device. Equivalent
    to the entPhysicalName MIB variable in RFC 2737.
DESCR
    Physical description of the Cisco entity that characterizes the object. Equivalent
    to the entPhysicalDesc MIB variable in RFC 2737.
PID
    Entity product identifier. Equivalent to the entPhysicalModelName MIB
    variable in RFC 2737.
VID
    Entity version identifier. Equivalent to the entPhysicalHardwareRev MIB
    variable in RFC 2737.
SN
    Entity serial number. Equivalent to the entPhysicalSerialNum MIB variable in
    RFC 2737.
Related Commands
Command             Description
show diag
Displays diagnostic information about the controller, interface processor, and
port adapters for a networking device.
show tech-support
Displays general information about the router when it reports a problem.
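As an added example (not Cisco code), the following Python script parses show inventory UDI records (Name, DESCR, PID, VID, SN) and reconciles them against an asset register, treating the N/A serial of a PCI-E NIC card as expected rather than as a mismatch, as the usage guidelines above describe. The embedded records are from this page's sample output; the EXPECTED register and the second power supply in it are constructed for the example.

```python
"""Parse ASA `show inventory` UDI records and reconcile them against an asset register.

Added example (not Cisco code). The records below are the ones shown on this page
(chassis, power supply, and a 6-port SFP card whose VID/SN report N/A); the
EXPECTED register is constructed for the example.
"""
import re

SAMPLE = """\
ciscoasa> show inventory
Name: "Chassis", DESCR: "ASA 5555-X with SW, 8 GE Data, 1 GE Mgmt"
PID: ASA5555           , VID: V01     , SN: FGL170441BU

Name: "power supply 1", DESCR: "ASA 5545-X/5555-X AC Power Supply"
PID: ASA-PWR-AC        , VID: N/A     , SN: 2CS1AX

Name: "module1", DESCR: "ASA 5545-X/5555-X Interface Card 6-port GE SFP, SX/LX"
PID: ASA-IC-6GE-SFP-C  , VID: N/A     , SN: N/A
"""

# Constructed register: what the asset database says should be in this chassis.
# sn=None means the part has no electronic serial storage, so N/A is expected.
EXPECTED = {
    "Chassis":        {"pid": "ASA5555",          "sn": "FGL170441BU"},
    "power supply 1": {"pid": "ASA-PWR-AC",       "sn": "2CS1AX"},
    "module1":        {"pid": "ASA-IC-6GE-SFP-C", "sn": None},
    "power supply 2": {"pid": "ASA-PWR-AC",       "sn": "2CS1AY"},  # constructed entry
}

NAME_RE = re.compile(r'^Name: "([^"]+)", DESCR: "([^"]*)"$')
# The PID/VID/SN line may be padded with spaces before each comma.
UDI_RE = re.compile(r'^PID: (\S+)\s*, VID: (\S+)\s*, SN: (\S+)$')


def parse_show_inventory(text):
    """Return a list of UDI dicts (name, descr, pid, vid, sn); N/A becomes None."""
    entities, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = NAME_RE.match(line)
        if m:
            pending = {"name": m.group(1), "descr": m.group(2)}
            continue
        m = UDI_RE.match(line)
        if m and pending is not None:
            pid, vid, sn = (None if v == "N/A" else v for v in m.groups())
            entities.append({**pending, "pid": pid, "vid": vid, "sn": sn})
            pending = None
    return entities


def reconcile(entities, expected):
    """Compare live UDIs with the register. Returns a sorted list of (name, issue)."""
    issues = []
    seen = {e["name"]: e for e in entities}
    for name, want in expected.items():
        got = seen.get(name)
        if got is None:
            issues.append((name, "missing from show inventory"))
            continue
        if got["pid"] != want["pid"]:
            issues.append((name, f"PID {got['pid']} != expected {want['pid']}"))
        if want["sn"] is None:
            continue  # no serial to compare for this part type
        if got["sn"] != want["sn"]:
            issues.append((name, f"SN {got['sn']} != expected {want['sn']}"))
    for name in seen.keys() - expected.keys():
        issues.append((name, "present but not in the register"))
    return sorted(issues)


if __name__ == "__main__":
    for name, issue in reconcile(parse_show_inventory(SAMPLE), EXPECTED):
        print(f"{name}: {issue}")
```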
show ip address
To view interface IP addresses or, for transparent mode, the management IP address, use the
show ip address command in privileged EXEC mode.
show ip address [physical_interface[.subinterface] | mapped_name | interface_name | vlan number]
Syntax Description
interface_name
(Optional) Identifies the interface name set with the nameif command.
mapped_name
(Optional) In multiple context mode, identifies the mapped name if it was
assigned using the allocate-interface command.
physical_interface
(Optional) Identifies the interface ID, such as gigabitethernet0/1. See the
interface command for accepted values.
subinterface
(Optional) Identifies an integer between 1 and 4294967293 designating a
logical subinterface.
vlan number
(Optional) For models with a built-in switch, such as the ASA 5505 adaptive
security appliance, specifies the VLAN interface.
Defaults
If you do not specify an interface, the ASA shows all interface IP addresses.
Command Modes
The following table shows the modes in which you can enter the command:
                  Firewall Mode           Security Context
                                          Single   Multiple
Command Mode      Routed   Transparent             Context   System
Privileged EXEC   • Yes    • Yes          • Yes    • Yes     —
Command History
Release   Modification
7.2(1)    Support for VLAN interfaces was added.
Usage Guidelines
This command shows the primary IP addresses (called “System” in the display) for when you configure
high availability as well as the current IP addresses. If the unit is active, then the system and current IP
addresses match. If the unit is standby, then the current IP addresses show the standby addresses.
Examples
The following is sample output from the show ip address command:
ciscoasa# show ip address
System IP Addresses:
Interface              Name     IP address       Subnet mask       Method
GigabitEthernet0/0     mgmt     10.7.12.100      255.255.255.0     CONFIG
GigabitEthernet0/1     inside   10.1.1.100       255.255.255.0     CONFIG
GigabitEthernet0/2.40  outside  209.165.201.2    255.255.255.224   DHCP
GigabitEthernet0/3     dmz      209.165.200.225  255.255.255.224   manual
Current IP Addresses:
Interface              Name     IP address       Subnet mask       Method
GigabitEthernet0/0     mgmt     10.7.12.100      255.255.255.0     CONFIG
GigabitEthernet0/1     inside   10.1.1.100       255.255.255.0     CONFIG
GigabitEthernet0/2.40  outside  209.165.201.2    255.255.255.224   DHCP
GigabitEthernet0/3     dmz      209.165.200.225  255.255.255.224   manual
Table 7-10 shows each field description.
Table 7-10  show ip address Fields
Field           Description
Interface
    The interface ID or, in multiple context mode, the mapped name if you configured
    it using the allocate-interface command.
Name
    The interface name set with the nameif command.
IP address
    The interface IP address.
Subnet mask
    The IP address subnet mask.
Method
    The method by which the interface received the IP address. Values include the
    following:
    • unset—No IP address configured.
    • manual—Configured in the running configuration.
    • CONFIG—Loaded from the startup configuration.
    • DHCP—Received from a DHCP server.
Related Commands
Command             Description
allocate-interface
Assigns interfaces and subinterfaces to a security context.
interface
Configures an interface and enters interface configuration mode.
nameif
Sets the interface name.
show interface
Displays the runtime status and statistics of interfaces.
show interface ip brief Shows the interface IP address and status.
show ip address dhcp
To view detailed information about the DHCP lease or server for an interface, use the show ip address
dhcp command in privileged EXEC mode.
show ip address {physical_interface[.subinterface] | mapped_name | interface_name} dhcp {lease | server}
show ip address {physical_interface[.subinterface] | mapped_name | interface_name} dhcp lease {proxy | server} {summary}
Syntax Description
interface_name
Identifies the interface name set with the nameif command.
lease
Shows information about the DHCP lease.
mapped_name
In multiple context mode, identifies the mapped name if it was assigned using
the allocate-interface command.
physical_interface
Identifies the interface ID, such as gigabitethernet0/1. See the interface
command for accepted values.
proxy
Shows proxy entries in the IPL table.
server
Shows server entries in the IPL table.
subinterface
Identifies an integer between 1 and 4294967293 designating a logical
subinterface.
summary
Shows summary for the entry.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
                  Firewall Mode           Security Context
                                          Single   Multiple
Command Mode      Routed   Transparent             Context   System
Privileged EXEC   • Yes    — (1)          • Yes    • Yes     —
1. Available for the Management 0/0 interface or subinterface only.
Command History
Release
Modification
7.0(1)
The lease and server keywords to accommodate the new server functionality
were added.
7.2(1)
Support for VLAN interfaces and for the Management 0/0 interface or
subinterface in transparent mode was added.
9.1(4)
The proxy and summary keywords to accommodate the new server
functionality were added.
Usage Guidelines
See the “Examples” section for a description of the display output.
Examples
The following is sample output from the show ip address dhcp lease command:
ciscoasa# show ip address outside dhcp lease
Temp IP Addr:209.165.201.57 for peer on interface:outside
Temp sub net mask:255.255.255.224
DHCP Lease server:209.165.200.225, state:3 Bound
DHCP Transaction id:0x4123
Lease:259200 secs, Renewal:129600 secs, Rebind:226800 secs
Temp default-gateway addr:209.165.201.1
Temp ip static route0: dest 10.9.0.0 router 10.7.12.255
Next timer fires after:111797 secs
Retry count:0, Client-ID:cisco-0000.0000.0000-outside
Proxy: TRUE Proxy Network: 10.1.1.1
Hostname: device1
Table 7-11 shows each field description.
Table 7-11  show ip address dhcp lease Fields
Field                      Description
Temp IP Addr
    The IP address assigned to the interface.
Temp sub net mask
    The subnet mask assigned to the interface.
DHCP Lease server
    The DHCP server address.
state
    The state of the DHCP lease, as follows:
    • Initial—The initialization state, where the ASA begins the process
      of acquiring a lease. This state is also shown when a lease ends or
      when a lease negotiation fails.
    • Selecting—The ASA is waiting to receive DHCPOFFER messages
      from one or more DHCP servers, so it can choose one.
    • Requesting—The ASA is waiting to hear back from the server to
      which it sent its request.
    • Purging—The ASA is removing the lease because the client has
      released the IP address or there was some other error.
    • Bound—The ASA has a valid lease and is operating normally.
    • Renewing—The ASA is trying to renew the lease. It regularly sends
      DHCPREQUEST messages to the current DHCP server, and waits
      for a reply.
    • Rebinding—The ASA failed to renew the lease with the original
      server, and now sends DHCPREQUEST messages until it gets a
      reply from any server or the lease ends.
    • Holddown—The ASA started the process to remove the lease.
    • Releasing—The ASA sends release messages to the server
      indicating that the IP address is no longer needed.
DHCP transaction id
    A random number chosen by the client, used by the client and server to
    associate the request messages.
Lease
    The length of time, specified by the DHCP server, that the interface can
    use this IP address.
Renewal
    The length of time until the interface automatically attempts to renew
    this lease.
Rebind
    The length of time until the ASA attempts to rebind to a DHCP server.
    Rebinding occurs if the ASA cannot communicate with the original
    DHCP server, and 87.5 percent of the lease time has expired. The ASA
    then attempts to contact any available DHCP server by broadcasting
    DHCP requests.
Temp default-gateway addr
    The default gateway address supplied by the DHCP server.
Temp ip static route0
    The default static route.
Next timer fires after
    The number of seconds until the internal timer triggers.
Retry count
    If the ASA is attempting to establish a lease, this field shows the number
    of times the ASA tried sending a DHCP message. For example, if the
    ASA is in the Selecting state, this value shows the number of times the
    ASA sent discover messages. If the ASA is in the Requesting state, this
    value shows the number of times the ASA sent request messages.
Client-ID
    The client ID used in all communication with the server.
Proxy
    Specifies if this interface is a proxy DHCP client for VPN clients, True
    or False.
Proxy Network
    The requested network.
Hostname
    The client hostname.
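As an added example (not Cisco code), the following Python script parses the show ip address dhcp lease display into the fields of Table 7-11 and checks the lease for the conditions a reviewer looks for: a state other than Bound, and Renewal and Rebind timers that are not the 50 percent and 87.5 percent of the lease time that the Rebind description above and the RFC 2131 defaults for T1 and T2 imply. The embedded sample is this page's output; the check wording is the example's own.

```python
"""Check a `show ip address <if> dhcp lease` display for timer and state sanity.

Added example (not Cisco code). The sample is the output shown on this page. The
50% / 87.5% ratios are the RFC 2131 defaults for T1 (renewal) and T2 (rebind).
"""
import re

SAMPLE = """\
ciscoasa# show ip address outside dhcp lease
Temp IP Addr:209.165.201.57 for peer on interface:outside
Temp sub net mask:255.255.255.224
DHCP Lease server:209.165.200.225, state:3 Bound
DHCP Transaction id:0x4123
Lease:259200 secs, Renewal:129600 secs, Rebind:226800 secs
Temp default-gateway addr:209.165.201.1
Temp ip static route0: dest 10.9.0.0 router 10.7.12.255
Next timer fires after:111797 secs
Retry count:0, Client-ID:cisco-0000.0000.0000-outside
Proxy: TRUE Proxy Network: 10.1.1.1
Hostname: device1
"""

# One pattern per line of the display that carries a field we check.
PATTERNS = {
    "ip": r"Temp IP Addr:(\S+) for peer on interface:(\S+)",
    "server": r"DHCP Lease server:(\S+), state:(\d+) (\w+)",
    "xid": r"DHCP Transaction id:(0x[0-9a-fA-F]+)",
    "timers": r"Lease:(\d+) secs, Renewal:(\d+) secs, Rebind:(\d+) secs",
    "next": r"Next timer fires after:(\d+) secs",
    "retry": r"Retry count:(\d+), Client-ID:(\S+)",
    "proxy": r"Proxy: (TRUE|FALSE)",
}


def parse_dhcp_lease(text):
    """Extract the Table 7-11 fields into a dict; timers become integers (seconds)."""
    m = {k: re.search(p, text) for k, p in PATTERNS.items()}
    missing = [k for k, v in m.items() if v is None]
    if missing:
        raise ValueError(f"unrecognised lease display, missing: {missing}")
    return {
        "address": m["ip"].group(1), "interface": m["ip"].group(2),
        "server": m["server"].group(1), "state_code": int(m["server"].group(2)),
        "state": m["server"].group(3), "xid": m["xid"].group(1),
        "lease": int(m["timers"].group(1)), "renewal": int(m["timers"].group(2)),
        "rebind": int(m["timers"].group(3)), "next_timer": int(m["next"].group(1)),
        "retry_count": int(m["retry"].group(1)), "client_id": m["retry"].group(2),
        "proxy": m["proxy"].group(1) == "TRUE",
    }


def lease_checks(lease):
    """Return a list of anomalies; an empty list means the lease looks healthy."""
    problems = []
    if lease["state"] != "Bound":
        problems.append(f"state is {lease['state']}, not Bound")
    if lease["renewal"] != lease["lease"] // 2:
        problems.append("Renewal (T1) is not 50% of the lease time")
    if lease["rebind"] != lease["lease"] * 7 // 8:
        problems.append("Rebind (T2) is not 87.5% of the lease time")
    if lease["next_timer"] > lease["lease"]:
        problems.append("next timer fires after the lease itself would expire")
    return problems


if __name__ == "__main__":
    lease = parse_dhcp_lease(SAMPLE)
    print(f"{lease['interface']}: {lease['address']} from {lease['server']} ({lease['state']})")
    print(lease_checks(lease) or "no anomalies")
```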
The following is sample output from the show ip address dhcp server command:
ciscoasa# show ip address outside dhcp server
DHCP server: ANY (255.255.255.255)
  Leases:   0
  Offers:   0       Requests: 0       Acks: 0       Naks: 0
  Declines: 0       Releases: 0       Bad: 0
DHCP server: 40.7.12.6
  Leases:   1
  Offers:   1       Requests: 17      Acks: 17      Naks: 0
  Declines: 0       Releases: 0       Bad: 0
  DNS0: 171.69.161.23, DNS1: 171.69.161.24
  WINS0: 172.69.161.23, WINS1: 172.69.161.23
  Subnet: 255.255.0.0 DNS Domain: cisco.com
Table 7-12 shows each field description.
Table 7-12  show ip address dhcp server Fields
Field           Description
DHCP server
    The DHCP server address from which this interface obtained a lease.
    The top entry (“ANY”) is the default server and is always present.
Leases
    The number of leases obtained from the server. For an interface, the
    number of leases is typically 1. If the server is providing addresses for an
    interface that is running proxy for VPN, there will be several leases.
Offers
    The number of offers from the server.
Requests
    The number of requests sent to the server.
Acks
    The number of acknowledgments received from the server.
Naks
    The number of negative acknowledgments received from the server.
Declines
    The number of declines received from the server.
Releases
    The number of releases sent to the server.
Bad
    The number of bad packets received from the server.
DNS0
    The primary DNS server address obtained from the DHCP server.
DNS1
    The secondary DNS server address obtained from the DHCP server.
WINS0
    The primary WINS server address obtained from the DHCP server.
WINS1
    The secondary WINS server address obtained from the DHCP server.
Subnet
    The subnet address obtained from the DHCP server.
DNS Domain
    The domain obtained from the DHCP server.
Related Commands
Command             Description
interface
Configures an interface and enters interface configuration mode.
ip address dhcp
Sets the interface to obtain an IP address from a DHCP server.
nameif
Sets the interface name.
show interface ip brief Shows the interface IP address and status.
show ip address
Displays the IP addresses of interfaces.
show ip address pppoe
To view detailed information about the PPPoE connection, use the show ip address pppoe command in
privileged EXEC mode.
show ip address {physical_interface[.subinterface] | mapped_name | interface_name | vlan number} pppoe
Syntax Description
interface_name
Identifies the interface name set with the nameif command.
mapped_name
In multiple context mode, identifies the mapped name if it was assigned using
the allocate-interface command.
physical_interface
Identifies the interface ID, such as gigabitethernet0/1. See the interface
command for accepted values.
subinterface
Identifies an integer between 1 and 4294967293 designating a logical
subinterface.
vlan number
(Optional) For models with a built-in switch, such as the ASA 5505 adaptive
security appliance, specifies the VLAN interface.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
                  Firewall Mode           Security Context
                                          Single   Multiple
Command Mode      Routed   Transparent             Context   System
Privileged EXEC   • Yes    • Yes (1)      • Yes    • Yes     —
1. Available for the Management 0/0 interface or subinterface only.
Command History
Release
Modification
7.2(1)
This command was added.
Usage Guidelines
See the “Examples” section for a description of the display output.
Examples
The following is sample output from the show ip address pppoe command:
ciscoasa# show ip address outside pppoe
Related Commands
Command
Description
interface
Configures an interface and enters interface configuration mode.
ip address pppoe
Sets the interface to obtain an IP address from a PPPoE server.
nameif
Sets the interface name.
show interface ip brief
Shows the interface IP address and status.
show ip address
Displays the IP addresses of interfaces.
show ip audit count
To show the number of signature matches when you apply an audit policy to an interface, use the show
ip audit count command in privileged EXEC mode.
show ip audit count [global | interface interface_name]
Syntax Description
global
(Default) Shows the number of matches for all interfaces.
interface
interface_name
(Optional) Shows the number of matches for the specified interface.
Defaults
If you do not specify a keyword, this command shows the matches for all interfaces (global).
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode       Firewall Mode           Security Context
                   Routed   Transparent    Single   Multiple
                                                    Context   System
Privileged EXEC    Yes      Yes            Yes      Yes       —
Command History
Release
Modification
7.0(1)
This command was added.
Usage Guidelines
To create an audit policy, use the ip audit name command, and to apply the policy, use the ip audit
interface command.
Examples
The following is sample output from the show ip audit count command:
ciscoasa# show ip audit count
IP AUDIT GLOBAL COUNTERS
1000  I  Bad IP Options List           0
1001  I  Record Packet Route           0
1002  I  Timestamp                     0
1003  I  Provide s,c,h,tcc             0
1004  I  Loose Source Route            0
1005  I  SATNET ID                     0
1006  I  Strict Source Route           0
1100  A  IP Fragment Attack            0
1102  A  Impossible IP Packet          0
1103  A  IP Teardrop                   0
2000  I  ICMP Echo Reply               0
2001  I  ICMP Unreachable              0
2002  I  ICMP Source Quench            0
2003  I  ICMP Redirect                 0
2004  I  ICMP Echo Request            10
2005  I  ICMP Time Exceed              0
2006  I  ICMP Parameter Problem        0
2007  I  ICMP Time Request             0
2008  I  ICMP Time Reply               0
2009  I  ICMP Info Request             0
2010  I  ICMP Info Reply               0
2011  I  ICMP Address Mask Request     0
2012  I  ICMP Address Mask Reply       0
2150  A  Fragmented ICMP               0
2151  A  Large ICMP                    0
2154  A  Ping of Death                 0
3040  A  TCP No Flags                  0
3041  A  TCP SYN & FIN Flags Only      0
3042  A  TCP FIN Flag Only             0
3153  A  FTP Improper Address          0
3154  A  FTP Improper Port             0
4050  A  Bomb                          0
4051  A  Snork                         0
4052  A  Chargen                       0
6050  I  DNS Host Info                 0
6051  I  DNS Zone Xfer                 0
6052  I  DNS Zone Xfer High Port       0
6053  I  DNS All Records               0
6100  I  RPC Port Registration         0
6101  I  RPC Port Unregistration       0
6102  I  RPC Dump                      0
6103  A  Proxied RPC                   0
6150  I  ypserv Portmap Request        0
6151  I  ypbind Portmap Request        0
6152  I  yppasswdd Portmap Request     0
6153  I  ypupdated Portmap Request     0
6154  I  ypxfrd Portmap Request        0
6155  I  mountd Portmap Request        0
6175  I  rexd Portmap Request          0
6180  I  rexd Attempt                  0
6190  A  statd Buffer Overflow         0
IP AUDIT INTERFACE COUNTERS: inside
...
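As an added example that is not part of the command reference, the following Python parses `show ip audit count` output of the shape shown above into per-scope signature counters and lists the signatures that have actually fired, separating attack-class (A) from informational (I) entries so the counters worth investigating stand out before they are reset with clear ip audit count. The input is a constructed excerpt modelled on the sample output.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of `show ip audit count` output, modelled on the sample
# above: the global counters followed by one per-interface block.
SAMPLE_OUTPUT = """\
IP AUDIT GLOBAL COUNTERS
1000 I Bad IP Options List 0
1100 A IP Fragment Attack 0
2004 I ICMP Echo Request 10
2154 A Ping of Death 0
3041 A TCP SYN & FIN Flags Only 0
6190 A statd Buffer Overflow 0
IP AUDIT INTERFACE COUNTERS: inside
2004 I ICMP Echo Request 7
2154 A Ping of Death 2
"""

# Section headers: the global block, or "INTERFACE COUNTERS: <nameif>".
SCOPE_RE = re.compile(r"^IP AUDIT (?:GLOBAL COUNTERS|INTERFACE COUNTERS: (\S+))$")
# Counter rows: signature id, class (I = informational, A = attack), name, count.
ROW_RE = re.compile(r"^(\d+)\s+([IA])\s+(.+?)\s+(\d+)$")


@dataclass(frozen=True)
class SignatureCount:
    scope: str        # "global" or the interface the audit policy is applied to
    sig_id: int
    kind: str         # "informational" or "attack"
    name: str
    count: int


def parse_audit_count(text):
    """Turn `show ip audit count` output into a flat list of counter rows."""
    rows, scope = [], None
    for line in text.splitlines():
        line = line.strip()
        header = SCOPE_RE.match(line)
        if header:
            scope = header.group(1) or "global"
            continue
        row = ROW_RE.match(line)
        if row and scope is not None:
            sig_id, kind, name, count = row.groups()
            rows.append(SignatureCount(
                scope, int(sig_id),
                "attack" if kind == "A" else "informational",
                name, int(count)))
    return rows


def fired_signatures(rows, attack_only=False):
    """Rows whose counter is non-zero; optionally only attack-class signatures.

    A non-zero attack-class counter means the action configured with
    ip audit name ... attack was taken at least once since the last clear."""
    return [r for r in rows
            if r.count > 0 and (not attack_only or r.kind == "attack")]


def by_interface(rows):
    """Total matches per scope, so a noisy interface stands out."""
    totals = {}
    for r in rows:
        totals[r.scope] = totals.get(r.scope, 0) + r.count
    return totals


if __name__ == "__main__":
    parsed = parse_audit_count(SAMPLE_OUTPUT)
    for r in fired_signatures(parsed):
        print(f"{r.scope:8} {r.sig_id} {r.kind:13} {r.name}: {r.count}")
    print(by_interface(parsed))
```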
Related Commands
Command
Description
clear ip audit count
Clears the count of signature matches for an audit policy.
ip audit interface
Assigns an audit policy to an interface.
ip audit name
Creates a named audit policy that identifies the actions to take when a packet
matches an attack signature or an informational signature.
show running-config ip audit attack
Shows the configuration for the ip audit attack command.
show ip verify statistics
To show the number of packets dropped because of the Unicast RPF feature, use the show ip verify
statistics command in privileged EXEC mode. Use the ip verify reverse-path command to enable
Unicast RPF.
show ip verify statistics [interface interface_name]
Syntax Description
interface interface_name
(Optional) Shows statistics for the specified interface.
Defaults
This command shows statistics for all interfaces.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode       Firewall Mode           Security Context
                   Routed   Transparent    Single   Multiple
                                                    Context   System
Privileged EXEC    Yes      —              Yes      Yes       —
Command History
Release
Modification
7.0(1)
This command was added.
Examples
The following is sample output from the show ip verify statistics command:
ciscoasa# show ip verify statistics
interface outside: 2 unicast rpf drops
interface inside: 1 unicast rpf drops
interface intf2: 3 unicast rpf drops
Related Commands
Command
Description
clear configure ip verify reverse-path
Clears the ip verify reverse-path configuration.
clear ip verify statistics
Clears the Unicast RPF statistics.
ip verify reverse-path
Enables the Unicast Reverse Path Forwarding feature to prevent IP spoofing.
show running-config ip verify reverse-path
Shows the ip verify reverse-path configuration.
show ips
To show all available IPS virtual sensors that are configured on the AIP SSM, use the show ips command
in privileged EXEC mode.
show ips [detail]
Syntax Description
detail
(Optional) Shows the sensor ID number as well as the name.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode       Firewall Mode           Security Context
                   Routed   Transparent    Single   Multiple
                                                    Context   System
Privileged EXEC    Yes      Yes            Yes      Yes       Yes
Command History
Release
Modification
8.0(2)
This command was added.
Usage Guidelines
In multiple context mode, this command shows all virtual sensors when entered in the system execution
space, but only shows the virtual sensors assigned to the context in the context execution space. See the
allocate-ips command to assign virtual sensors to contexts.
Virtual sensors are available in IPS Version 6.0 and above.
Examples
The following is sample output from the show ips command:
ciscoasa# show ips
Sensor name
-----------
ips1
ips2
The following is sample output from the show ips detail command:
ciscoasa# show ips detail
Sensor name    Sensor ID
------------------------
ips1           1
ips2           2
Related Commands
Command
Description
allocate-ips
Assigns a virtual sensor to a security context.
ips
Diverts traffic to the AIP SSM.
show ipsec sa
To display a list of IPsec SAs, use the show ipsec sa command in global configuration mode or
privileged EXEC mode. You can also use the alternate form of this command: show crypto ipsec sa.
show ipsec sa [assigned-address hostname or IP address | entry | identity | inactive | map
map-name | peer peer-addr] [detail]
Syntax Description
assigned-address
(Optional) Displays IPsec SAs for the specified hostname or IP address.
detail
(Optional) Displays detailed error information on what is displayed.
entry
(Optional) Displays IPsec SAs sorted by peer address.
identity
(Optional) Displays IPsec SAs sorted by identity, not including ESPs.
This is a condensed form.
inactive
(Optional) Displays IPsec SAs that are unable to pass traffic.
map map-name
(Optional) Displays IPsec SAs for the specified crypto map.
peer peer-addr
(Optional) Displays IPsec SAs for specified peer IP addresses.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode           Firewall Mode           Security Context
                       Routed   Transparent    Single   Multiple
                                                        Context   System
Global configuration   Yes      Yes            Yes      Yes       —
Privileged EXEC        Yes      Yes            Yes      Yes       —
Command History
Release
Modification
7.0(1)
This command was added.
9.0(1)
Support for OSPFv3 and multiple context mode was added.
9.1(4)
Output has been updated to reflect the assigned IPv6 address and to indicate
the GRE Transport Mode security association when doing IKEv2 dual
traffic.
Examples
The following example, entered in global configuration mode, displays IPsec SAs, including the
assigned IPv6 address and the Transport Mode and GRE encapsulation indication.
ciscoasa(config)# sho ipsec sa
interface: outside
Crypto map tag: def, seq num: 1, local addr: 75.2.1.23
local ident (addr/mask/prot/port): (75.2.1.23/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (75.2.1.60/255.255.255.255/47/0)
current_peer: 75.2.1.60, username: rashmi
dynamic allocated peer ip: 65.2.1.100
dynamic allocated peer ip(ipv6): 2001:1000::10
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 4
local crypto endpt.: 75.2.1.23/4500, remote crypto endpt.: 75.2.1.60/64251
path mtu 1342, ipsec overhead 62(44), override mtu 1280, media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: D9C00FC2
current inbound spi : 4FCB6624
inbound esp sas:
spi: 0x4FCB6624 (1338730020)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Transport, NAT-T-Encaps, GRE, IKEv2, }
slot: 0, conn_id: 8192, crypto-map: def
sa timing: remaining key lifetime (sec): 28387
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x0003FFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xD9C00FC2 (3653242818)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Transport, NAT-T-Encaps, GRE, IKEv2, }
slot: 0, conn_id: 8192, crypto-map: def
sa timing: remaining key lifetime (sec): 28387
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
The following example, entered in global configuration mode, displays IPsec SAs, including an in-use
setting to identify a tunnel as OSPFv3.
ciscoasa(config)# show ipsec sa
interface: outside2
Crypto map tag: def, local addr: 10.132.0.17
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.20.0.21/255.255.255.255/0/0)
current_peer: 172.20.0.21
dynamic allocated peer ip: 10.135.1.5
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1145, #pkts decrypt: 1145, #pkts verify: 1145
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 2, #pre-frag failures: 1, #fragments created: 10
#PMTUs sent: 5, #PMTUs rcvd: 2, #decapstulated frags needing reassembly: 1
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.132.0.17, remote crypto endpt.: 172.20.0.21
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: DC15BF68
inbound esp sas:
spi: 0x1E8246FC (511854332)
transform: esp-3des esp-md5-hmac
in use settings ={L2L, Transport, Manual key (OSPFv3),}
slot: 0, conn_id: 3, crypto-map: def
sa timing: remaining key lifetime (sec): 548
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xDC15BF68 (3692412776)
transform: esp-3des esp-md5-hmac
in use settings ={L2L, Transport, Manual key (OSPFv3), }
slot: 0, conn_id: 3, crypto-map: def
sa timing: remaining key lifetime (sec): 548
IV size: 8 bytes
replay detection support: Y
Crypto map tag: def, local addr: 10.132.0.17
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
ciscoasa(config)#
Note
Fragmentation statistics are pre-fragmentation statistics if the IPsec SA policy states that fragmentation
occurs before IPsec processing. Post-fragmentation statistics appear if the SA policy states that
fragmentation occurs after IPsec processing.
The following example, entered in global configuration mode, displays IPsec SAs for a crypto map
named def.
ciscoasa(config)# show ipsec sa map def
cryptomap: def
Crypto map tag: def, local addr: 172.20.0.17
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)
current_peer: 10.132.0.21
dynamic allocated peer ip: 90.135.1.5
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1146, #pkts decrypt: 1146, #pkts verify: 1146
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: DC15BF68
inbound esp sas:
spi: 0x1E8246FC (511854332)
transform: esp-3des esp-md5-hmac
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 3, crypto-map: def
sa timing: remaining key lifetime (sec): 480
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xDC15BF68 (3692412776)
transform: esp-3des esp-md5-hmac
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 3, crypto-map: def
sa timing: remaining key lifetime (sec): 480
IV size: 8 bytes
replay detection support: Y
Crypto map tag: def, local addr: 172.20.0.17
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)
current_peer: 10.135.1.8
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 73672, #pkts encrypt: 73672, #pkts digest: 73672
#pkts decaps: 78824, #pkts decrypt: 78824, #pkts verify: 78824
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 73672, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: 3B6F6A35
inbound esp sas:
spi: 0xB32CF0BD (3006066877)
transform: esp-3des esp-md5-hmac
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 4, crypto-map: def
sa timing: remaining key lifetime (sec): 263
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x3B6F6A35 (997157429)
transform: esp-3des esp-md5-hmac
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 4, crypto-map: def
sa timing: remaining key lifetime (sec): 263
IV size: 8 bytes
replay detection support: Y
ciscoasa(config)#
The following example, entered in global configuration mode, shows IPsec SAs for the keyword entry.
ciscoasa(config)# show ipsec sa entry
peer address: 10.132.0.21
Crypto map tag: def, local addr: 172.20.0.17
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)
current_peer: 10.132.0.21
dynamic allocated peer ip: 90.135.1.5
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1147, #pkts decrypt: 1147, #pkts verify: 1147
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: DC15BF68
inbound esp sas:
spi: 0x1E8246FC (511854332)
transform: esp-3des esp-md5-hmac
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 3, crypto-map: def
sa timing: remaining key lifetime (sec): 429
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xDC15BF68 (3692412776)
transform: esp-3des esp-md5-hmac
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 3, crypto-map: def
sa timing: remaining key lifetime (sec): 429
IV size: 8 bytes
replay detection support: Y
peer address: 10.135.1.8
Crypto map tag: def, local addr: 172.20.0.17
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)
current_peer: 10.135.1.8
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 73723, #pkts encrypt: 73723, #pkts digest: 73723
#pkts decaps: 78878, #pkts decrypt: 78878, #pkts verify: 78878
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 73723, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: 3B6F6A35
inbound esp sas:
spi: 0xB32CF0BD (3006066877)
transform: esp-3des esp-md5-hmac
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 4, crypto-map: def
sa timing: remaining key lifetime (sec): 212
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x3B6F6A35 (997157429)
transform: esp-3des esp-md5-hmac
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 4, crypto-map: def
sa timing: remaining key lifetime (sec): 212
IV size: 8 bytes
replay detection support: Y
ciscoasa(config)#
The following example, entered in global configuration mode, shows IPsec SAs with the keywords entry
detail.
ciscoasa(config)# show ipsec sa entry detail
peer address: 10.132.0.21
Crypto map tag: def, local addr: 172.20.0.17
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)
current_peer: 10.132.0.21
dynamic allocated peer ip: 90.135.1.5
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1148, #pkts decrypt: 1148, #pkts verify: 1148
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0
local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: DC15BF68
inbound esp sas:
spi: 0x1E8246FC (511854332)
transform: esp-3des esp-md5-hmac
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 3, crypto-map: def
sa timing: remaining key lifetime (sec): 322
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xDC15BF68 (3692412776)
transform: esp-3des esp-md5-hmac
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 3, crypto-map: def
sa timing: remaining key lifetime (sec): 322
IV size: 8 bytes
replay detection support: Y
peer address: 10.135.1.8
Crypto map tag: def, local addr: 172.20.0.17
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)
current_peer: 10.135.1.8
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 73831, #pkts encrypt: 73831, #pkts digest: 73831
#pkts decaps: 78989, #pkts decrypt: 78989, #pkts verify: 78989
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 73831, #pkts comp failed: 0, #pkts decomp failed: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0
local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: 3B6F6A35
inbound esp sas:
spi: 0xB32CF0BD (3006066877)
transform: esp-3des esp-md5-hmac
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 4, crypto-map: def
sa timing: remaining key lifetime (sec): 104
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x3B6F6A35 (997157429)
transform: esp-3des esp-md5-hmac
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 4, crypto-map: def
sa timing: remaining key lifetime (sec): 104
IV size: 8 bytes
replay detection support: Y
ciscoasa(config)#
The following example shows IPsec SAs with the keyword identity.
ciscoasa(config)# show ipsec sa identity
interface: outside2
Crypto map tag: def, local addr: 172.20.0.17
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)
current_peer: 10.132.0.21
dynamic allocated peer ip: 90.135.1.5
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1147, #pkts decrypt: 1147, #pkts verify: 1147
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: DC15BF68
Crypto map tag: def, local addr: 172.20.0.17
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)
current_peer: 10.135.1.8
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 73756, #pkts encrypt: 73756, #pkts digest: 73756
#pkts decaps: 78911, #pkts decrypt: 78911, #pkts verify: 78911
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 73756, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: 3B6F6A35
The following example shows IPsec SAs with the keywords identity and detail.
ciscoasa(config)# show ipsec sa identity detail
interface: outside2
Crypto map tag: def, local addr: 172.20.0.17
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)
current_peer: 10.132.0.21
dynamic allocated peer ip: 90.135.1.5
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1147, #pkts decrypt: 1147, #pkts verify: 1147
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0
local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: DC15BF68
Crypto map tag: def, local addr: 172.20.0.17
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)
current_peer: 10.135.1.8
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 73771, #pkts encrypt: 73771, #pkts digest: 73771
#pkts decaps: 78926, #pkts decrypt: 78926, #pkts verify: 78926
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 73771, #pkts comp failed: 0, #pkts decomp failed: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0
local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: 3B6F6A35
The following example displays IPsec SAs based on the assigned IPv6 address:
ciscoasa(config)# sho ipsec sa assigned-address 2001:1000::10
assigned address: 2001:1000::10
Crypto map tag: def, seq num: 1, local addr: 75.2.1.23
local ident (addr/mask/prot/port): (75.2.1.23/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (75.2.1.60/255.255.255.255/47/0)
current_peer: 75.2.1.60, username: rashmi
dynamic allocated peer ip: 65.2.1.100
dynamic allocated peer ip(ipv6): 2001:1000::10
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 326, #pkts decrypt: 326, #pkts verify: 326
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 35
local crypto endpt.: 75.2.1.23/4500, remote crypto endpt.: 75.2.1.60/64251
path mtu 1342, ipsec overhead 62(44), override mtu 1280, media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: D9C00FC2
current inbound spi : 4FCB6624
inbound esp sas:
spi: 0x4FCB6624 (1338730020)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Transport, NAT-T-Encaps, GRE, IKEv2, }
slot: 0, conn_id: 8192, crypto-map: def
sa timing: remaining key lifetime (sec): 28108
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xD9C00FC2 (3653242818)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Transport, NAT-T-Encaps, GRE, IKEv2, }
slot: 0, conn_id: 8192, crypto-map: def
sa timing: remaining key lifetime (sec): 28108
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
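As an added example (not Cisco's code), the following Python walks `show ipsec sa` output of the shape shown in the examples above, groups it into crypto map entries and their inbound and outbound ESP SAs, and reports what a defender reviews first: entries with receive errors, SAs negotiated with legacy transforms, and SAs running without anti-replay protection. The input is a constructed excerpt trimmed from the sample output, and the set of transforms treated as legacy (DES/3DES, MD5, NULL) is this example's own classification rather than anything the command reference states.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of `show ipsec sa` output, trimmed from the examples
# above: two crypto map entries, each with an inbound and outbound ESP SA.
SAMPLE_OUTPUT = """\
    Crypto map tag: def, seq num: 1, local addr: 75.2.1.23
      current_peer: 75.2.1.60, username: rashmi
      #send errors: 0, #recv errors: 4
    inbound esp sas:
      spi: 0x4FCB6624 (1338730020)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Transport, NAT-T-Encaps, GRE, IKEv2, }
         replay detection support: Y
    outbound esp sas:
      spi: 0xD9C00FC2 (3653242818)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Transport, NAT-T-Encaps, GRE, IKEv2, }
         replay detection support: Y
    Crypto map tag: def, local addr: 10.132.0.17
      current_peer: 172.20.0.21
    inbound esp sas:
      spi: 0x1E8246FC (511854332)
         transform: esp-3des esp-md5-hmac
         in use settings ={L2L, Transport, Manual key (OSPFv3),}
         replay detection support: Y
    outbound esp sas:
      spi: 0xDC15BF68 (3692412776)
         transform: esp-3des esp-md5-hmac
         in use settings ={L2L, Transport, Manual key (OSPFv3), }
         replay detection support: N
"""

PEER_RE = re.compile(r"current_peer:\s*([^\s,]+)")
ERRORS_RE = re.compile(r"#send errors:\s*(\d+),\s*#recv errors:\s*(\d+)")
SPI_RE = re.compile(r"^spi:\s*(0x[0-9A-Fa-f]+)")
TRANSFORM_RE = re.compile(r"^transform:\s*(.+?)\s*$")
SETTINGS_RE = re.compile(r"in use settings\s*=\{(.*)\}")
REPLAY_RE = re.compile(r"^replay detection support:\s*([YN])")
# Transforms this example flags (DES/3DES, MD5, NULL); the choice is the example's own.
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


@dataclass
class EspSa:
    direction: str             # "inbound" or "outbound"
    spi: str
    transform: str = ""
    settings: tuple = ()       # the "in use settings" flags, e.g. RA, Tunnel, IKEv2
    replay_detection: bool = False


@dataclass
class CryptoMapEntry:
    peer: str = "?"
    send_errors: int = 0
    recv_errors: int = 0
    sas: list = field(default_factory=list)


def parse_ipsec_sa(text):
    """Group `show ipsec sa` output into crypto map entries and their ESP SAs."""
    entries, entry, direction, sa = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Crypto map tag:"):
            entry, direction, sa = CryptoMapEntry(), None, None
            entries.append(entry)
        elif entry is None:
            continue
        elif (m := PEER_RE.search(line)):
            entry.peer = m.group(1)
        elif (m := ERRORS_RE.search(line)):
            entry.send_errors, entry.recv_errors = int(m[1]), int(m[2])
        elif line.endswith("esp sas:"):
            direction = line.split()[0]
        elif (m := SPI_RE.match(line)):
            sa = EspSa(direction, m.group(1))
            entry.sas.append(sa)
        elif sa is None:
            continue
        elif (m := TRANSFORM_RE.match(line)):
            sa.transform = m.group(1)
        elif (m := SETTINGS_RE.search(line)):
            sa.settings = tuple(s.strip() for s in m.group(1).split(",") if s.strip())
        elif (m := REPLAY_RE.match(line)):
            sa.replay_detection = m.group(1) == "Y"
    return entries


def audit(entries):
    """Findings to review: receive errors, legacy transforms, SAs without anti-replay."""
    findings = []
    for e in entries:
        if e.recv_errors:
            findings.append(f"{e.peer}: {e.recv_errors} recv errors (show ipsec sa detail breaks them down)")
        for sa in e.sas:
            legacy = sorted(LEGACY_TRANSFORMS & set(sa.transform.split()))
            if legacy:
                findings.append(f"{e.peer} {sa.direction} {sa.spi}: legacy transform {' '.join(legacy)}")
            if not sa.replay_detection:
                findings.append(f"{e.peer} {sa.direction} {sa.spi}: anti-replay disabled")
    return findings
```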
Related Commands
Command
Description
clear configure isakmp
Clears all the ISAKMP configuration.
clear configure isakmp policy
Clears all ISAKMP policy configuration.
clear isakmp sa
Clears the IKE runtime SA database.
isakmp enable
Enables ISAKMP negotiation on the interface on which the IPsec peer
communicates with the ASA.
show running-config isakmp
Displays all the active ISAKMP configuration.
show ipsec sa summary
To display a summary of IPsec SAs, use the show ipsec sa summary command in global configuration
mode or privileged EXEC mode.
show ipsec sa summary
Syntax Description
This command has no arguments or variables.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode           Firewall Mode           Security Context
                       Routed   Transparent    Single   Multiple
                                                        Context   System
Global configuration   Yes      Yes            Yes      Yes       —
Privileged EXEC        Yes      Yes            Yes      Yes       —
Command History
Release
Modification
7.0(1)
This command was added.
9.0(1)
Support for multiple context mode was added.
Examples
The following example, entered in global configuration mode, displays a summary of IPsec SAs by the
following connection types:
• IPsec
• IPsec over UDP
• IPsec over NAT-T
• IPsec over TCP
• IPsec VPN load balancing
ciscoasa(config)# show ipsec sa summary
Current IPsec SA's:
IPsec            :  2
IPsec over UDP   :  2
IPsec over NAT-T :  4
IPsec over TCP   :  6
IPsec VPN LB     :  0
Total            : 14

Peak IPsec SA's:
Peak Concurrent SA  : 14
Peak Concurrent L2L :  0
Peak Concurrent RA  : 14
ciscoasa(config)#
Related Commands
Command
Description
clear ipsec sa
Removes IPsec SAs entirely or based on specific parameters.
show ipsec sa
Displays a list of IPsec SAs.
show ipsec stats
Displays a list of IPsec statistics.
show ipsec stats
To display a list of IPsec statistics, use the show ipsec stats command in global configuration mode or
privileged EXEC mode.
show ipsec stats
Syntax Description
This command has no keywords or variables.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode           Firewall Mode           Security Context
                       Routed   Transparent    Single   Multiple
                                                        Context   System
Global configuration   Yes      Yes            Yes      Yes       —
Privileged EXEC        Yes      Yes            Yes      Yes       —
Command History
Release
Modification
7.0(1)
This command was added.
9.0(1)
ESPv3 statistics are shown with IPsec subsystems, and support for multiple
context mode was added.
Usage Guidelines
The following table describes what the output entries indicate.
Output
Description
IPsec Global Statistics
This section pertains to the total number of IPsec tunnels that
the ASA supports.
Active tunnels
The number of IPsec tunnels that are currently connected.
Previous tunnels
The number of IPsec tunnels that have been connected,
including the active ones.
Inbound
This section pertains to inbound encrypted traffic that is
received through IPsec tunnels.
Bytes
The number of bytes of encrypted traffic that has been
received.
Decompressed bytes
The number of bytes of encrypted traffic that were received
after decompression was performed, if applicable. This
counter should always be equal to the previous one if
compression is not enabled.
Packets
The number of encrypted IPsec packets that were received.
Dropped packets
The number of encrypted IPsec packets that were received and
dropped because of errors.
Replay failures
The number of anti-replay failures that were detected on
received, encrypted IPsec packets.
Authentications
The number of successful authentications performed on
received, encrypted IPsec packets.
Authentication failures
The number of authentication failures detected on received,
encrypted IPsec packets.
Decryptions
The number of successful decryptions performed on received,
encrypted IPsec packets.
Decryption failures
The number of decryption failures detected on received,
encrypted IPsec packets.
Decapsulated fragments needing reassembly
The number of decrypted IPsec packets that include IP
fragments to be reassembled.
Outbound
This section pertains to outbound cleartext traffic to be
transmitted through IPsec tunnels.
Bytes
The number of bytes of cleartext traffic to be encrypted and
transmitted through IPsec tunnels.
Uncompressed bytes
The number of bytes of uncompressed cleartext traffic to be
encrypted and transmitted through IPsec tunnels. The counter
should always be equal to the previous one if compression is
not enabled.
Packets
The number of cleartext packets to be encrypted and
transmitted through IPsec tunnels.
Dropped packets
The number of cleartext packets to be encrypted and
transmitted through IPsec tunnels that have been dropped
because of errors.
Authentications
The number of successful authentications performed on
packets to be transmitted through IPsec tunnels.
Authentication failures
The number of authentication failures that were detected on
packets to be transmitted through IPsec tunnels.
Encryptions
The number of successful encryptions that were performed on
packets to be transmitted through IPsec tunnels.
Encryption failures
The number of encryption failures that were detected on
packets to be transmitted through IPsec tunnels.
Fragmentation successes
The number of successful fragmentation operations that were
performed as part of outbound IPsec packet transformation.
Pre-fragmentation successes
The number of successful prefragmentation operations that
were performed as part of outbound IPsec packet
transformation. Prefragmentation occurs before the cleartext
packet is encrypted and encapsulated as one or more IPsec
packets.
Examples
Post-fragmentation successes
The number of successful post-fragmentation operations that
were performed as part of outbound IPsec packet
transformation. Post-fragmentation occurs after the cleartext
packet is encrypted and encapsulated as an IPsec packet, which
results in multiple IP fragments. These fragments must be
reassembled before decryption.
Fragmentation failures
The number of fragmentation failures that have occurred
during outbound IPsec packet transformation.
Pre-fragmentation failures
The number of prefragmentation failures that have occurred
during outbound IPsec packet transformation.
Prefragmentation occurs before the cleartext packet is
encrypted and encapsulated as one or more IPsec packets.
Post-fragmentation failures
The number of post-fragmentation failures that have occurred
during outbound IPsec packet transformation.
Post-fragmentation occurs after the cleartext packet is
encrypted and encapsulated as an IPsec packet, which results
in multiple IP fragments. These fragments must be
reassembled before decryption.
Fragments created
The number of fragments that were created as part of IPsec
transformation.
PMTUs sent
The number of path MTU messages that were sent by the IPsec
system. IPsec will send a PMTU message to an inside host that
is sending packets that are too large to be transmitted through
an IPsec tunnel after encapsulation. The PMTU message is a
request for the host to lower its MTU and send smaller packets
for transmission through the IPsec tunnel.
PMTUs recvd
The number of path MTU messages that were received by the
IPsec system. IPsec will receive a path MTU message from a
downstream network element if the packets it is sending
through the tunnel are too large to traverse that network
element. IPsec will usually lower its tunnel MTU when a path
MTU message is received.
Protocol failures
The number of malformed IPsec packets that have been
received.
Missing SA failures
The number of IPsec operations that have been requested for
which the specified IPsec security association does not exist.
System capacity failures
The number of IPsec operations that cannot be completed
because the capacity of the IPsec system is not high enough to
support the data rate.
The following example, entered in global configuration mode, displays IPsec statistics:
ciscoasa(config)# show ipsec stats
IPsec Global Statistics
-----------------------
Active tunnels: 2
Previous tunnels: 9
Inbound
Bytes: 4933013
Decompressed bytes: 4933013
Packets: 80348
Dropped packets: 0
Replay failures: 0
Authentications: 80348
Authentication failures: 0
Decryptions: 80348
Decryption failures: 0
Decapsulated fragments needing reassembly: 0
Outbound
Bytes: 4441740
Uncompressed bytes: 4441740
Packets: 74029
Dropped packets: 0
Authentications: 74029
Authentication failures: 0
Encryptions: 74029
Encryption failures: 0
Fragmentation successes: 3
Pre-fragmentation successes:2
Post-fragmentation successes: 1
Fragmentation failures: 2
Pre-fragmentation failures:1
Post-fragmentation failures: 1
Fragments created: 10
PMTUs sent: 1
PMTUs recvd: 2
Protocol failures: 0
Missing SA failures: 0
System capacity failures: 0
ciscoasa(config)#
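An added example, not Cisco code and not part of the reference: a parser for the output above that turns every counter into a keyed integer and then flags the counters a defender cares about when they are non-zero (replay, authentication, decryption, protocol, missing-SA and capacity failures). The sample output is constructed in the layout of the reference's own example, with a few non-zero failure counters inserted so there is something to flag; the section names and the choice of which counters count as failures are this example's own.

```python
"""Parse `show ipsec stats` output and flag the failure counters.

Added example, not Cisco code. SAMPLE_OUTPUT is constructed in the layout of
the reference's own sample (with a few non-zero failure counters inserted so
there is something to flag); which counters count as failures, and the
section names, are this example's own choices.
"""
import re
from typing import Dict

SAMPLE_OUTPUT = """\
ciscoasa(config)# show ipsec stats

IPsec Global Statistics
-----------------------
Active tunnels: 2
Previous tunnels: 9
Inbound
    Bytes: 4933013
    Decompressed bytes: 4933013
    Packets: 80348
    Dropped packets: 0
    Replay failures: 7
    Authentications: 80348
    Authentication failures: 3
    Decryptions: 80348
    Decryption failures: 0
    Decapsulated fragments needing reassembly: 0
Outbound
    Bytes: 4441740
    Uncompressed bytes: 4441740
    Packets: 74029
    Dropped packets: 0
    Authentications: 74029
    Authentication failures: 0
    Encryptions: 74029
    Encryption failures: 0
    Fragmentation successes: 3
    Pre-fragmentation successes:2
    Post-fragmentation successes: 1
    Fragmentation failures: 2
    Pre-fragmentation failures:1
    Post-fragmentation failures: 1
    Fragments created: 10
    PMTUs sent: 1
    PMTUs recvd: 2
Protocol failures: 0
Missing SA failures: 5
System capacity failures: 0
"""

# Counters a defender wants to know about when non-zero, keyed as
# "<section>/<counter name in lower case>".
FAILURE_COUNTERS = {
    "inbound/replay failures": "anti-replay check rejected packets (replayed or badly reordered traffic)",
    "inbound/authentication failures": "integrity check failed on received packets (tampering or SA/key mismatch)",
    "inbound/decryption failures": "received packets could not be decrypted",
    "outbound/encryption failures": "local encryption errors",
    "global/protocol failures": "malformed IPsec packets received",
    "global/missing sa failures": "IPsec operations requested for an SA that does not exist",
    "global/system capacity failures": "IPsec system could not sustain the data rate",
}

# "<name>: <number>"; the name may contain spaces and hyphens, and the CLI
# sometimes omits the space after the colon ("Pre-fragmentation successes:2").
_COUNTER_RE = re.compile(r"^([A-Za-z][A-Za-z \-]*?):\s*(\d+)$")


def parse_ipsec_stats(text: str) -> Dict[str, int]:
    """Return {"<section>/<counter>": value} for every counter line in the output.

    Lines under the "Inbound"/"Outbound" headers are indented in real output;
    any unindented counter line (Active tunnels, Protocol failures, ...) is global.
    """
    section = "global"
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped in ("Inbound", "Outbound"):
            section = stripped.lower()
            continue
        if not line[0].isspace():
            section = "global"
        match = _COUNTER_RE.match(stripped)
        if match:
            counters[f"{section}/{match.group(1).lower()}"] = int(match.group(2))
    return counters


def ipsec_alerts(counters: Dict[str, int]) -> Dict[str, int]:
    """Return only the FAILURE_COUNTERS entries whose value is greater than zero."""
    return {name: value for name, value in counters.items()
            if name in FAILURE_COUNTERS and value > 0}


def inbound_auth_failure_ratio(counters: Dict[str, int]) -> float:
    """Authentication failures as a fraction of inbound packets (0.0 when no packets)."""
    packets = counters.get("inbound/packets", 0)
    if packets == 0:
        return 0.0
    return counters.get("inbound/authentication failures", 0) / packets


if __name__ == "__main__":
    stats = parse_ipsec_stats(SAMPLE_OUTPUT)
    for name, value in ipsec_alerts(stats).items():
        print(f"ALERT {name} = {value}: {FAILURE_COUNTERS[name]}")
    print(f"inbound auth failure ratio: {inbound_auth_failure_ratio(stats):.2e}")
```

Fragmentation failures are deliberately left out of the alert list: the reference describes them as normal outbound transformation errors on oversized packets, which PMTU handling usually resolves, whereas a rising replay or authentication failure count on a quiet tunnel is worth a closer look at the peer.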
Related Commands
Command
Description
clear ipsec sa
Clears IPsec SAs or counters based on specified parameters.
crypto ipsec transform-set
Defines a transform set.
show ipsec sa
Displays IPsec SAs based on specified parameters.
show ipsec sa summary
Displays a summary of IPsec SAs.
CHAPTER 8
show ipv6 access-list through show ipv6 traffic Commands
show ipv6 access-list
To display the IPv6 access list, use the show ipv6 access-list command in privileged EXEC mode. The
IPv6 access list determines what IPv6 traffic can pass through the ASA.
show ipv6 access-list [id [source-ipv6-prefix/prefix-length | any | host source-ipv6-address]]
Syntax Description
any
(Optional) An abbreviation for the IPv6 prefix ::/0.
host source-ipv6-address
(Optional) IPv6 address of a specific host. When provided, only the access
rules for the specified host are displayed.
id
(Optional) The access list name. When provided, only the specified access
list is displayed.
source-ipv6-prefix/prefix-length
(Optional) IPv6 network address and prefix. When provided, only the
access rules for the specified IPv6 network are displayed.
Defaults
Displays all IPv6 access lists.
Command Modes
The following table shows the modes in which you can enter the command:

Command Mode      Firewall Mode            Security Context
                  Routed    Transparent    Single    Multiple
                                                     Context    System
Privileged EXEC   • Yes     —              • Yes     • Yes      —

Command History
Release     Modification
7.0(1)      This command was added.
Usage Guidelines
The show ipv6 access-list command provides output similar to the show ip access-list command, except
that it is IPv6-specific.
Examples
The following is sample output from the show ipv6 access-list command. It shows IPv6 access lists
named inbound, tcptraffic, and outbound.
ciscoasa# show ipv6 access-list
IPv6 access list inbound
permit tcp any any eq bgp reflect tcptraffic (8 matches) sequence 10
permit tcp any any eq telnet reflect tcptraffic (15 matches) sequence 20
permit udp any any reflect udptraffic sequence 30
IPv6 access list tcptraffic (reflexive) (per-user)
permit tcp host 2001:0DB8:1::1 eq bgp host 2001:0DB8:1::2 eq 11000 timeout 300 (time left 243) sequence 1
permit tcp host 2001:0DB8:1::1 eq telnet host 2001:0DB8:1::2 eq 11001 timeout 300 (time left 296) sequence 2
IPv6 access list outbound
evaluate udptraffic
evaluate tcptraffic
Related Commands
Command
Description
ipv6 access-list
Creates an IPv6 access list.
show ipv6 dhcprelay binding
To display the relay binding entries created by the relay agent, use the show ipv6 dhcprelay binding
command in privileged EXEC mode.
show ipv6 dhcprelay binding
Syntax Description
This command has no keywords or variables.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

Command Mode      Firewall Mode            Security Context
                  Routed    Transparent    Single    Multiple
                                                     Context    System
Privileged EXEC   • Yes     —              • Yes     • Yes      —

Command History
Release     Modification
9.0(1)      This command was added.
Usage Guidelines
The show ipv6 dhcprelay binding command allows you to check the relay binding entries that the relay
agent has created.
Examples
The following is sample output from the show ipv6 dhcprelay binding command:
ciscoasa# show ipv6 dhcprelay binding
1 in use, 2 most used
Client: fe80::204:23ff:febb:b094 (inside)
DUID: 000100010f9a59d1000423bbb094, Timeout in 60 seconds
The above binding was created for the client with link-local address fe80::204:23ff:febb:b094 on
the inside interface, using the DHCPv6 ID (DUID) 000100010f9a59d1000423bbb094, and will time out in
60 seconds.
There is a limit of 1000 bindings for each context.
Related Commands
Command
Description
show ipv6 dhcprelay statistics
Shows the IPv6 DHCP relay agent information.
show ipv6 dhcprelay statistics
To display the IPv6 DHCP relay agent statistics, use the show ipv6 dhcprelay statistics command in
privileged EXEC mode.
show ipv6 dhcprelay statistics
Syntax Description
This command has no keywords or variables.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

Command Mode      Firewall Mode            Security Context
                  Routed    Transparent    Single    Multiple
                                                     Context    System
Privileged EXEC   • Yes     —              • Yes     • Yes      —

Command History
Release     Modification
9.0(1)      This command was added.
Usage Guidelines
The show ipv6 dhcprelay statistics command allows you to view IPv6 DHCP relay agent information.
Examples
The following is sample output from the show ipv6 dhcprelay statistics command:
ciscoasa# show ipv6 dhcprelay statistics
Relay Messages:
SOLICIT                 1
ADVERTISE               2
REQUEST                 1
CONFIRM                 1
RENEW                   496
REBIND                  0
REPLY                   498
RELEASE                 0
DECLINE                 0
RECONFIGURE             0
INFORMATION-REQUEST     0
RELAY-FORWARD           499
RELAY-REPLY             500
Relay Errors:
Malformed message:                          0
Block allocation/duplication failures:      0
Hop count limit exceeded:                   0
Forward binding creation failures:          0
Reply binding lookup failures:              0
No output route:                            0
Conflict relay server route:                0
Failed to add server NP rule:               0
Unit or context is not active:              0
Total Relay Bindings Created:               498
Related Commands
Command
Description
show ipv6 dhcprelay binding
Shows the relay binding entries created by the relay agent.
show ipv6 interface
To display the status of interfaces configured for IPv6, use the show ipv6 interface command in
privileged EXEC mode.
show ipv6 interface [brief] [if_name [prefix]]
Syntax Description
brief
Displays a brief summary of IPv6 status and configuration for each
interface.
if_name
(Optional) The internal or external interface name, as designated by the
nameif command. The status and configuration for only the designated
interface is shown.
prefix
(Optional) Prefix generated from a local IPv6 prefix pool. The prefix is the
network portion of the IPv6 address.
Defaults
Displays all IPv6 interfaces.
Command Modes
The following table shows the modes in which you can enter the command:

Command Mode      Firewall Mode            Security Context
                  Routed    Transparent    Single    Multiple
                                                     Context    System
Privileged EXEC   • Yes     —              • Yes     • Yes      —

Command History
Release     Modification
7.0(1)      This command was added.
Usage Guidelines
The show ipv6 interface command provides output similar to the show interface command, except that
it is IPv6-specific. If the interface hardware is usable, the interface is marked up. If the interface can
provide two-way communication, the line protocol is marked up.
When an interface name is not specified, information on all IPv6 interfaces is displayed. Specifying an
interface name displays information about the specified interface.
Examples
The following is sample output from the show ipv6 interface command:
ciscoasa# show ipv6 interface outside
interface ethernet0 “outside” is up, line protocol is up
IPv6 is enabled, link-local address is 2001:0DB8::/29 [TENTATIVE]
Global unicast address(es):
2000::2, subnet is 2000::/64
Joined group address(es):
FF02::1
FF02::1:FF11:6770
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
The following is sample output from the show ipv6 interface command when entered with the brief
keyword:
ciscoasa# show ipv6 interface brief
outside [up/up]
unassigned
inside [up/up]
fe80::20d:29ff:fe1d:69f0
fec0::a:0:0:a0a:a70
vlan101 [up/up]
fe80::20d:29ff:fe1d:69f0
fec0::65:0:0:a0a:6570
dmz-ca [up/up]
unassigned
The following is sample output from the show ipv6 interface command. It shows the characteristics of
an interface which has generated a prefix from an address.
ciscoasa# show ipv6 interface inside prefix
IPv6 Prefix Advertisements inside
Codes: A - Address, P - Prefix-Advertisement, O - Pool
U - Per-user prefix, D - Default
N - Not advertised, C - Calendar
AD  fec0:0:0:a::/64 [LA] Valid lifetime 2592000, preferred lifetime 604800
show ipv6 mld traffic
To display the Multicast Listener Discovery (MLD) traffic counter information, use the show ipv6 mld
traffic command in privileged EXEC mode.
show ipv6 mld traffic
Syntax Description
This command has no keywords or variables.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

Command Mode      Firewall Mode            Security Context
                  Routed    Transparent    Single    Multiple
                                                     Context    System
Privileged EXEC   • Yes     —              • Yes     • Yes      —

Command History
Release     Modification
7.2(4)      This command was added.
Usage Guidelines
The show ipv6 mld traffic command allows you to check if the expected number of MLD messages have
been received and sent.
The following information is provided by the show ipv6 mld traffic command:
• Elapsed time since counters cleared—The amount of time since the counters were cleared.
• Valid MLD Packets—The number of valid MLD packets that are received and sent.
• Queries—The number of valid queries that are received and sent.
• Reports—The number of valid reports that are received and sent.
• Leaves—The number of valid leaves received and sent.
• Mtrace packets—The number of multicast trace packets that are received and sent.
• Errors—The types of errors and the number of errors that have occurred.
Examples
The following is sample output from the show ipv6 mld traffic command:
ciscoasa# show ipv6 mld traffic
MLD Traffic Counters
Elapsed time since counters cleared: 00:01:19
                               Received    Sent
Valid MLD Packets              1           3
Queries                        1           0
Reports                        0           3
Leaves                         0           0
Mtrace packets                 0           0
Errors:
Malformed Packets              0
Martian source                 0
Non link-local source          0
Hop limit is not equal to 1    0
Related Commands
Command
Description
clear ipv6 mld traffic
Resets all MLD traffic counters.
show ipv6 neighbor
To display the IPv6 neighbor discovery cache information, use the show ipv6 neighbor command in
privileged EXEC mode.
show ipv6 neighbor [if_name | address]
Syntax Description
address
(Optional) Displays neighbor discovery cache information for the supplied
IPv6 address only.
if_name
(Optional) Displays cache information for the supplied interface name, as
configured by the nameif command only.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

Command Mode      Firewall Mode            Security Context
                  Routed    Transparent    Single    Multiple
                                                     Context    System
Privileged EXEC   • Yes     —              • Yes     • Yes      —

Command History
Release     Modification
7.0(1)      This command was added.
Usage Guidelines
The following information is provided by the show ipv6 neighbor command:
• IPv6 Address—The IPv6 address of the neighbor or interface.
• Age—The time (in minutes) since the address was confirmed to be reachable. A hyphen (-) indicates
a static entry.
• Link-layer Addr—The MAC address. If the address is unknown, a hyphen (-) is displayed.
• State—The state of the neighbor cache entry.
Note
Reachability detection is not applied to static entries in the IPv6 neighbor discovery cache;
therefore, the descriptions for the INCMP (Incomplete) and REACH (Reachable) states are
different for dynamic and static cache entries.
The following are possible states for dynamic entries in the IPv6 neighbor discovery cache:
– INCMP—(Incomplete) Address resolution is being performed on the entry. A neighbor
solicitation message has been sent to the solicited-node multicast address of the target, but the
corresponding neighbor advertisement message has not yet been received.
– REACH—(Reachable) Positive confirmation was received within the last ReachableTime
milliseconds that the forward path to the neighbor was functioning properly. While in REACH
state, the device takes no special action as packets are sent.
– STALE—More than ReachableTime milliseconds have elapsed since the last positive
confirmation was received that the forward path was functioning properly. While in STALE
state, the device takes no action until a packet is sent.
– DELAY—More than ReachableTime milliseconds have elapsed since the last positive
confirmation was received that the forward path was functioning properly. A packet was sent
within the last DELAY_FIRST_PROBE_TIME seconds. If no reachability confirmation is
received within DELAY_FIRST_PROBE_TIME seconds of entering the DELAY state, send a
neighbor solicitation message and change the state to PROBE.
– PROBE—A reachability confirmation is actively sought by resending neighbor solicitation
messages every RetransTimer milliseconds until a reachability confirmation is received.
– ????—Unknown state.
The following are possible states for static entries in the IPv6 neighbor discovery cache:
– INCMP—(Incomplete) The interface for this entry is down.
– REACH—(Reachable) The interface for this entry is up.
• Interface—The interface from which the address was reachable.
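The state descriptions above are a compact statement of neighbor unreachability detection. The following is an added example, not Cisco code and not part of the reference, that models one neighbor cache entry as a small state machine and replays the transitions listed above (INCMP, REACH, STALE, DELAY, PROBE for dynamic entries; interface-driven INCMP/REACH for static entries), so the timers named in the descriptions can be seen acting on an entry. The ReachableTime of 30000 ms is taken from this page's `show ipv6 interface` sample; DELAY_FIRST_PROBE_TIME, RetransTimer and the solicitation retry limits are assumed RFC 4861 defaults that this page does not state.

```python
"""Dynamic and static IPv6 neighbor cache entries, as a small state machine.

Added example, not Cisco code. Times are milliseconds. ReachableTime 30000 ms
comes from this page's `show ipv6 interface` sample; the other constants are
assumed RFC 4861 defaults and are not stated on this page.
"""
from dataclasses import dataclass, field
from typing import List, Optional

REACHABLE_TIME_MS = 30_000          # "ND reachable time is 30000 milliseconds" (page sample)
DELAY_FIRST_PROBE_TIME_MS = 5_000   # assumed RFC 4861 default
RETRANS_TIMER_MS = 1_000            # assumed RFC 4861 default
MAX_UNICAST_SOLICIT = 3             # assumed RFC 4861 default (PROBE retries before giving up)
MAX_MULTICAST_SOLICIT = 3           # assumed RFC 4861 default (INCMP retries before giving up)


@dataclass
class NeighborEntry:
    address: str
    link_layer: Optional[str] = None      # shown as "-" by the CLI while unknown
    state: str = "INCMP"
    static: bool = False
    last_confirmed_ms: int = 0            # feeds the Age column
    state_entered_ms: int = 0
    solicits: int = 0                     # NS sent in the current INCMP/PROBE round
    ns_sent_at: List[int] = field(default_factory=list)

    @classmethod
    def start_resolution(cls, address: str, now: int) -> "NeighborEntry":
        """New dynamic entry: NS to the solicited-node multicast address, state INCMP."""
        entry = cls(address, state="INCMP", state_entered_ms=now)
        entry._send_ns(now)
        return entry

    def _send_ns(self, now: int) -> None:
        self.ns_sent_at.append(now)       # recorded instead of transmitted
        self.solicits += 1

    def on_confirmation(self, now: int, link_layer: Optional[str] = None) -> None:
        """Positive reachability confirmation (solicited NA, or an upper-layer hint)."""
        if self.static:
            return                        # reachability detection is skipped for static entries
        if link_layer:
            self.link_layer = link_layer
        self.state, self.last_confirmed_ms, self.state_entered_ms = "REACH", now, now
        self.solicits = 0

    def on_interface_change(self, up: bool) -> None:
        """Static entries only track the interface: up -> REACH, down -> INCMP."""
        if self.static:
            self.state = "REACH" if up else "INCMP"

    def on_packet_sent(self, now: int) -> None:
        """Sending to a STALE neighbor starts the DELAY timer; nothing else changes."""
        self.tick(now)
        if self.state == "STALE":
            self.state, self.state_entered_ms = "DELAY", now

    def tick(self, now: int) -> Optional[str]:
        """Apply timer expirations; returns "DELETE" when the entry must be dropped."""
        if self.static:
            return None
        if self.state == "REACH" and now - self.last_confirmed_ms > REACHABLE_TIME_MS:
            self.state, self.state_entered_ms = "STALE", now
        elif self.state == "DELAY" and now - self.state_entered_ms >= DELAY_FIRST_PROBE_TIME_MS:
            self.state, self.state_entered_ms, self.solicits = "PROBE", now, 0
            self._send_ns(now)
        elif (self.state in ("PROBE", "INCMP") and self.ns_sent_at
              and now - self.ns_sent_at[-1] >= RETRANS_TIMER_MS):
            limit = MAX_UNICAST_SOLICIT if self.state == "PROBE" else MAX_MULTICAST_SOLICIT
            if self.solicits >= limit:
                return "DELETE"           # unanswered after the retry limit
            self._send_ns(now)
        return None

    def age(self, now: int) -> str:
        """The Age column: whole minutes since confirmation, or "-" for a static entry."""
        return "-" if self.static else str((now - self.last_confirmed_ms) // 60_000)


def walk_dynamic_entry() -> List[str]:
    """Drive one dynamic entry through every state the reference describes."""
    seen = []
    e = NeighborEntry.start_resolution("2000:0:0:4::2", now=0)
    seen.append(e.state)                                      # INCMP
    e.on_confirmation(10, link_layer="0003.a0d6.141e")
    seen.append(e.state)                                      # REACH
    t = 10 + REACHABLE_TIME_MS + 1
    e.tick(t)
    seen.append(e.state)                                      # STALE
    e.on_packet_sent(t)
    seen.append(e.state)                                      # DELAY
    t += DELAY_FIRST_PROBE_TIME_MS
    e.tick(t)
    seen.append(e.state)                                      # PROBE
    return seen


def probes_before_delete() -> int:
    """A neighbor in PROBE that never answers: NS count before the entry is removed."""
    e = NeighborEntry("2000:0:0:4::2", "0003.a0d6.141e", state="PROBE")
    e._send_ns(0)
    t = 0
    while True:
        t += RETRANS_TIMER_MS
        if e.tick(t) == "DELETE":
            return e.solicits
```

A practical reading of the Age column follows from the model: a dynamic entry that shows a large Age has not been confirmed for that long and is STALE, not broken; it is only re-probed when traffic is sent to it, whereas a static entry is never probed at all, which is why its Age is shown as a hyphen.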
Examples
The following is sample output from the show ipv6 neighbor command when entered with an interface:
ciscoasa# show ipv6 neighbor inside
IPv6 Address                Age  Link-layer Addr  State  Interface
2000:0:0:4::2               0    0003.a0d6.141e   REACH  inside
FE80::203:A0FF:FED6:141E    0    0003.a0d6.141e   REACH  inside
3001:1::45a                 -    0002.7d1a.9472   REACH  inside
The following is sample output from the show ipv6 neighbor command when entered with an IPv6
address:
ciscoasa# show ipv6 neighbor 2000:0:0:4::2
IPv6 Address     Age  Link-layer Addr  State  Interface
2000:0:0:4::2    0    0003.a0d6.141e   REACH  inside
Related Commands
Command
Description
clear ipv6 neighbors
Deletes all entries in the IPv6 neighbor discovery cache, except static
entries.
ipv6 neighbor
Configures a static entry in the IPv6 neighbor discovery cache.
show ipv6 ospf
To display general information about OSPFv3 routing processes, use the show ipv6 ospf command in
user EXEC or privileged EXEC mode.
show ipv6 ospf [process_id] [area_id]
Syntax Description
area_id
(Optional) Shows information about a specified area only.
process_id
(Optional) Specifies an internal ID that is locally assigned and can be any
positive integer. This ID is the number assigned administratively when the
OSPFv3 routing process is enabled.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

Command Mode      Firewall Mode            Security Context
                  Routed    Transparent    Single    Multiple
                                                     Context    System
Privileged EXEC   • Yes     —              • Yes     —          —
User EXEC         • Yes     —              • Yes     —          —

Command History
Release     Modification
9.0(1)      This command was added.
Usage Guidelines
The show ipv6 ospf command lists the following settings:
• Event logging
• Router type
• Redistribution route type
• SPF schedule delay
• Hold time between two consecutive SPFs
• Wait time between two consecutive SPFs
• Minimum LSA interval
• Minimum LSA arrival
Examples
The following is sample output from the show ipv6 ospf command:
ciscoasa# show ipv6 ospf
Routing Process “ospfv3 1” with ID 10.9.4.1
Event-log enabled, Maximum number of events: 1000, Mode: cyclic
It is an autonomous system boundary router
Redistributing External Routes from,
ospf 2
Initial SPF schedule delay 5000 msecs
Minimum hold time between two consecutive SPFs 10000 msecs
Maximum wait time between two consecutive SPFs 10000 msecs
Minimum LSA interval 5 secs
Minimum LSA arrival 1000 msecs
Related Commands
Command
Description
show ipv6 ospf border-routers
Shows the internal OSPFv3 routing table entries to an area border router
(ABR) and an autonomous system boundary router (ASBR).
show ipv6 ospf database
Shows lists of information related to the OSPFv3 database for a specific
router.
show ipv6 ospf border-routers
To display the internal OSPFv3 routing table entries to an area border router (ABR) and an autonomous
system boundary router (ASBR), use the show ipv6 ospf border-routers command in user EXEC or
privileged EXEC mode.
show ipv6 ospf [process_id] border-routers
Syntax Description
process_id
(Optional) Specifies an internal ID that is locally assigned and can be any
positive integer. This ID is the number assigned administratively when the
OSPFv3 routing process is enabled.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

Command Mode      Firewall Mode            Security Context
                  Routed    Transparent    Single    Multiple
                                                     Context    System
Privileged EXEC   • Yes     —              • Yes     —          —
User EXEC         • Yes     —              • Yes     —          —

Command History
Release     Modification
9.0(1)      This command was added.
Usage Guidelines
The show ipv6 ospf border-routers command lists the following settings:
• Intra-area route
• Inter-area route
• IPv6 address
• Interface type
• Area ID
• SPF number
Examples
The following is sample output from the show ipv6 ospf border-routers command:
ciscoasa# show ipv6 ospf border-routers
OSPFv3 Process 1 internal Routing Table
Codes: i - Intra-area route, I - Inter-area route
i 172.16.4.4 [2] via FE80::205:5FFF:FED3:5808, FastEthernet0/0, ABR, Area 1, SPF 13
i 172.16.4.4 [1] via FE80::205:5FFF:FED3:5406, POS4/0, ABR, Area 0, SPF 8
i 172.16.3.3 [1] via FE80::205:5FFF:FED3:5808, FastEthernet0/0, ASBR, Area 1, SPF 3
Related Commands
Command
Description
show ipv6 ospf
Shows all IPv6 settings in the OSPFv3 routing process.
show ipv6 ospf database
Shows lists of information related to the OSPFv3 database for a specific
router.
show ipv6 ospf database
To display lists of information related to the OSPFv3 database for a specific router, use the show ipv6
ospf database command in user EXEC or privileged EXEC mode.
show ipv6 ospf [process_id] [area_id] database [external | inter-area prefix | inter-area-router |
network | nssa-external | router | area | as | ref-lsa | [destination-router-id] [prefix
ipv6-prefix] [link-state-id]] [link [interface interface-name] [adv-router router-id] |
self-originate] [internal] [database-summary]
Syntax Description
adv-router router-id
(Optional) Displays all the LSAs of the advertising router. The router ID
must be in the form documented in RFC 2740, in which the address is
specified in hexadecimal using 16-bit values between colons.
area
(Optional) Displays information only about area LSAs.
area_id
(Optional) Displays information about a specified area only.
as
(Optional) Filters unknown autonomous system (AS) LSAs.
database-summary
(Optional) Displays how many of each type of LSA exists for each area in
the database and the total.
destination-router-id
(Optional) Displays information about a specified destination router only.
external
(Optional) Displays information only about the external LSAs.
interface
(Optional) Displays information about the LSAs filtered by interface
context.
interface-name
(Optional) Specifies the LSA interface name.
internal
(Optional) Displays information only about the internal LSAs.
inter-area prefix
(Optional) Displays information only about LSAs based on inter-area
prefix.
inter-area router
(Optional) Displays information only about LSAs based on inter-area router
LSAs.
link
(Optional) Displays information about link LSAs. When it follows the
unknown keyword, the link keyword filters link-scope LSAs.
link-state-id
(Optional) Specifies an integer used to differentiate LSAs. In network and
link LSAs, the link-state ID matches the interface index.
network
(Optional) Displays information about network LSAs.
nssa-external
(Optional) Displays information only about the not so stubby area (NSSA)
external LSAs.
prefix ipv6-prefix
(Optional) Displays the link-local IPv6 address of the neighbor. The IPv6
prefix must be in the form documented in RFC 2373, in which the address
is specified in hexadecimal using 16-bit values between colons.
process_id
(Optional) Specifies an internal ID that is locally assigned and can be any
positive integer. This ID is the number assigned administratively when the
OSPF routing process is enabled.
ref-lsa
(Optional) Further filters the prefix LSA type.
router
(Optional) Displays information about router LSAs.
self-originate
(Optional) Displays only self-originated LSAs from the local router.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

Command Mode      Firewall Mode            Security Context
                  Routed    Transparent    Single    Multiple
                                                     Context    System
Privileged EXEC   • Yes     —              • Yes     —          —
User EXEC         • Yes     —              • Yes     —          —

Command History
Release     Modification
9.0(1)      This command was added.
Usage Guidelines
The various forms of the command provide information about different OSPFv3 LSAs.
Examples
The following is sample output from the show ipv6 ospf database command:
ciscoasa# show ipv6 ospf database
OSPFv3 Router with ID (172.16.4.4) (Process ID 1)

Router Link States (Area 0)
ADV Router   Age  Seq#        Fragment ID  Link count  Bits
172.16.4.4   239  0x80000003  0            1           B
172.16.6.6   239  0x80000003  0            1           B

Inter Area Prefix Link States (Area 0)
ADV Router   Age  Seq#        Prefix
172.16.4.4   249  0x80000001  FEC0:3344::/32
172.16.4.4   219  0x80000001  FEC0:3366::/32
172.16.6.6   247  0x80000001  FEC0:3366::/32
172.16.6.6   193  0x80000001  FEC0:3344::/32
172.16.6.6   82   0x80000001  FEC0::/32

Inter Area Router Link States (Area 0)
ADV Router   Age  Seq#        Link ID   Dest RtrID
172.16.4.4   219  0x80000001  50529027  172.16.3.3
172.16.6.6   193  0x80000001  50529027  172.16.3.3

Link (Type-8) Link States (Area 0)
ADV Router   Age  Seq#        Link ID  Interface
172.16.4.4   242  0x80000002  14       PO4/0
172.16.6.6   252  0x80000002  14       PO4/0

Intra Area Prefix Link States (Area 0)
ADV Router   Age  Seq#        Link ID  Ref-lstype  Ref-LSID
172.16.4.4   242  0x80000002  0        0x2001      0
172.16.6.6   252  0x80000002  0        0x2001      0
Related Commands
Command
Description
show ipv6 ospf
Shows all IPv6 settings in the OSPFv3 routing process.
show ipv6 ospf border-routers
Shows the internal OSPFv3 routing table entries to an area border router
(ABR) and an autonomous system boundary router (ASBR).
show ipv6 ospf events
To display OSPFv3 internal event information, use the show ipv6 ospf events command in user EXEC
or privileged EXEC mode.
show ipv6 ospf [process_id] events
Syntax Description
process_id
(Optional) Specifies an internal ID that is locally assigned and can be any
positive integer. This ID is the number assigned administratively when the
OSPF routing process is enabled.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

Command Mode      Firewall Mode            Security Context
                  Routed    Transparent    Single    Multiple
                                                     Context    System
Privileged EXEC   • Yes     —              • Yes     —          —
User EXEC         • Yes     —              • Yes     —          —

Command History
Release     Modification
9.0(1)      This command was added.
Usage Guidelines
Use this command to display OSPFv3 event information.
Examples
The following is sample output from the show ipv6 ospf events command:
ciscoasa# show ipv6 ospf events
OSPFv3 Router with ID (10.1.3.2) (Process ID 10)
1 Jul 9 18:49:34.071: Timer Exp: ospfv3_if_ack_delayed 0xda05fad8
2 Jul 9 18:49:31.571: Rcv Unchanged Type-0x2001 LSA, LSID 0.0.0.0, Adv-Rtr 10.1.1.2, Seq# 80000008, Age 1, Area 10
3 Jul 9 18:48:13.241: Generate Changed Type-0x8 LSA, LSID 2.0.0.0, Seq# 80000004, Age 0, Area 10
4 Jul 9 18:48:13.241: Generate Changed Type-0x2001 LSA, LSID 0.0.0.0, Seq# 80000005, Age 0, Area 10
5 Jul 9 18:41:18.901: End of SPF, SPF time 0ms, next wait-interval 10000ms
6 Jul 9 18:41:18.902: Starting External processing in area 10
7 Jul 9 18:41:18.902: Starting External processing
8 Jul 9 18:41:18.902: Starting Inter-Area SPF in area 10
9 Jul 9 18:41:18.902: Generic: post_spf_intra 0x0
10 Jul 9 18:41:18.902: RIB Delete (All Paths), Prefix 2002::/64, type Intra
11 Jul 9 18:41:18.902: RIB Update, Prefix 5005::/64, gw ::, via inside, type Intra
12 Jul 9 18:41:18.902: Starting Intra-Area SPF in Area 10
13 Jul 9 18:41:18.903: Starting SPF, wait-interval 5000ms
14 Jul 9 18:41:16.403: Timer Exp: ospfv3_if_ack_delayed 0xda05fad8
15 Jul 9 18:41:13.903: Schedule SPF, Area 10, Change in LSA type PLSID 0.8.0.0, Adv-Rtr 50.100.168.192
16 Jul 9 18:41:13.903: Rcv Changed Type-0x2009 LSA, LSID 0.8.0.0, Adv-Rtr 10.1.2.3, Seq# 80000003, Age 1, Area 10
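The event log above names LSAs by their raw 16-bit LS type (Type-0x2001, Type-0x8, Type-0x2009), and the show ipv6 ospf database output refers to the same values (Ref-lstype 0x2001). The following is an added example, not Cisco code and not part of the reference, that decodes that field into its RFC 5340 parts (U bit, S2/S1 flooding scope, function code), pulls the type values out of event lines, and checks that an LSA's scope bits agree with the scope its function code is defined with, which is a cheap way to spot an unknown or malformed LSA in a log. The bit layout is from RFC 5340 section A.4.2.1; the event lines used as input are copied from this page's sample output; the consistency check is this example's own addition.

```python
"""Decode OSPFv3 LS type values seen in `show ipv6 ospf events` / `show ipv6 ospf database`.

Added example, not Cisco code. Bit layout per RFC 5340 A.4.2.1: bit 15 is the
U bit (handling of unknown LSA types), bits 14-13 the S2/S1 flooding scope,
bits 12-0 the LSA function code. The scope-consistency check is this example's own.
"""
import re
from typing import List, NamedTuple, Optional

FUNCTION_CODES = {
    1: "Router-LSA", 2: "Network-LSA", 3: "Inter-Area-Prefix-LSA",
    4: "Inter-Area-Router-LSA", 5: "AS-External-LSA", 7: "NSSA-LSA",
    8: "Link-LSA", 9: "Intra-Area-Prefix-LSA",
}
SCOPES = {0: "link-local", 1: "area", 2: "AS", 3: "reserved"}
# The flooding scope each standard function code is defined with in RFC 5340.
EXPECTED_SCOPE = {1: "area", 2: "area", 3: "area", 4: "area", 5: "AS",
                  7: "area", 8: "link-local", 9: "area"}


class LsType(NamedTuple):
    value: int
    u_bit: bool
    scope: str
    function_code: int
    name: str


def decode_ls_type(value: int) -> LsType:
    """Split a 16-bit LS type into U bit, flooding scope and function code."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("LS type is a 16-bit field")
    u_bit = bool((value >> 15) & 1)
    scope = SCOPES[(value >> 13) & 0x3]
    code = value & 0x1FFF
    return LsType(value, u_bit, scope, code, FUNCTION_CODES.get(code, "unknown"))


def scope_is_consistent(value: int) -> Optional[bool]:
    """True/False when the scope bits match the code's defined scope; None for unknown codes."""
    t = decode_ls_type(value)
    expected = EXPECTED_SCOPE.get(t.function_code)
    return None if expected is None else t.scope == expected


_TYPE_RE = re.compile(r"Type-0x([0-9A-Fa-f]+)")


def ls_types_in_events(lines: List[str]) -> List[int]:
    """Extract every 'Type-0x...' value from `show ipv6 ospf events` lines, in order."""
    return [int(m.group(1), 16) for line in lines for m in _TYPE_RE.finditer(line)]


# Event lines copied from the reference's sample output (Process ID 10).
SAMPLE_EVENTS = [
    "2 Jul 9 18:49:31.571: Rcv Unchanged Type-0x2001 LSA, LSID 0.0.0.0, Adv-Rtr 10.1.1.2, Seq# 80000008, Age 1, Area 10",
    "3 Jul 9 18:48:13.241: Generate Changed Type-0x8 LSA, LSID 2.0.0.0, Seq# 80000004, Age 0, Area 10",
    "4 Jul 9 18:48:13.241: Generate Changed Type-0x2001 LSA, LSID 0.0.0.0, Seq# 80000005, Age 0, Area 10",
    "16 Jul 9 18:41:13.903: Rcv Changed Type-0x2009 LSA, LSID 0.8.0.0, Adv-Rtr 10.1.2.3, Seq# 80000003, Age 1, Area 10",
]


def describe(value: int) -> str:
    """One-line human-readable decoding, with a marker when the scope bits look wrong."""
    t = decode_ls_type(value)
    flag = "" if scope_is_consistent(value) in (True, None) else "  <-- scope does not match function code"
    return f"0x{t.value:04x}: {t.name} (code {t.function_code}), {t.scope} scope, U={int(t.u_bit)}{flag}"


if __name__ == "__main__":
    for v in ls_types_in_events(SAMPLE_EVENTS):
        print(describe(v))
    print(describe(0x4005))   # AS-External-LSA with AS scope
    print(describe(0x0001))   # Router-LSA code carried with link-local scope: inconsistent
```

Reading the page's own values through the decoder: 0x2001 is a Router-LSA with area scope, 0x2009 an Intra-Area-Prefix-LSA with area scope, and 0x8 a Link-LSA with link-local scope, which matches the Link (Type-8) section of the database output.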
Related Commands
Command
Description
show ipv6 ospf
Shows all IPv6 settings in the OSPFv3 routing process.
show ipv6 ospf border-routers
Shows the internal OSPFv3 routing table entries to an area border router
(ABR) and an autonomous system boundary router (ASBR).
show ipv6 ospf flood-list
To display a list of OSPFv3 LSAs waiting to be flooded over an interface, use the show ipv6 ospf
flood-list command in user EXEC or privileged EXEC mode.
show ipv6 ospf [process_id] [area_id] flood-list interface-type interface-number
Syntax Description
area_id
(Optional) Displays information about a specified area only.
interface-number
Specifies the interface number over which the LSAs are flooded.
interface-type
Specifies the interface type over which the LSAs are flooded.
process_id
(Optional) Specifies an internal ID that is locally assigned and can be any
positive integer. This ID is the number assigned administratively when the
OSPFv3 routing process is enabled.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

Command Mode      Firewall Mode            Security Context
                  Routed    Transparent    Single    Multiple
                                                     Context    System
Privileged EXEC   • Yes     —              • Yes     —          —
User EXEC         • Yes     —              • Yes     —          —

Command History
Release     Modification
9.0(1)      This command was added.
Usage Guidelines
Use this command to display OSPFv3 packet pacing information.
Examples
The following is sample output from the show ipv6 ospf flood-list command:
ciscoasa# show ipv6 ospf flood-list
OSPFv3 Router with ID (172.16.6.6) (Process ID 1)
Interface POS4/0, Queue length 1
Link state retransmission due in 14 msec
Type    LS ID  ADV RTR     Seq NO      Age  Checksum
0x2001  0      172.16.6.6  0x80000031  0    0x1971
Interface FastEthernet0/0, Queue length 0
Interface ATM3/0, Queue length 0
Related Commands
Command
Description
show ipv6 ospf
Shows all IPv6 settings in the OSPFv3 routing process.
show ipv6 ospf border-routers
Shows the internal OSPFv3 routing table entries to an area border router
(ABR) and an autonomous system boundary router (ASBR).
show ipv6 ospf graceful-restart
To display information about OSPFv3 graceful-restart, use the show ipv6 ospf graceful-restart
command in privileged EXEC mode.
show ipv6 ospf graceful-restart
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

Command Mode      Firewall Mode            Security Context
                  Routed    Transparent    Single    Multiple
                                                     Context    System
Privileged EXEC   • Yes     —              • Yes     • Yes      —

Command History
Release     Modification
9.3(1)      This command was added.
Examples
The following is sample output from the show ipv6 ospf graceful-restart command:
ciscoasa# show ipv6 ospf graceful-restart
Routing Process "ospfv3 10"
Graceful Restart enabled
restart-interval limit: 240 sec
Clustering is not configured in spanned etherchannel mode
Graceful Restart helper support enabled
Number of neighbors performing Graceful Restart is 0
Related Commands
Command
Description
show ipv6 ospf
Shows all IPv6 settings in the OSPFv3 routing process.
show ipv6 ospf interface
To display OSPFv3-related interface information, use the show ipv6 ospf interface command in user
EXEC or privileged EXEC mode.
show ipv6 ospf [process_id] [area_id] interface [type-number] [brief]
Syntax Description
area_id
(Optional) Displays information about a specified area only.
brief
(Optional) Displays brief overview information for OSPFv3 interfaces,
states, addresses and masks, and areas on the router.
process_id
(Optional) Specifies an internal ID that is locally assigned and can be any
positive integer. This ID is the number assigned administratively when the
OSPF routing process is enabled.
type-number
(Optional) Specifies the interface type and number.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                   Firewall Mode          Security Context
                                                   Multiple
Command Mode       Routed   Transparent   Single   Context   System
Privileged EXEC    • Yes    —             • Yes    —         —
User EXEC          • Yes    —             • Yes    —         —

Command History
Release    Modification
9.0(1)     This command was added.
Usage Guidelines
Use this command to display overview information for OSPFv3 interfaces, states, addresses and masks,
and areas on the router.
Examples
The following is sample output from the show ipv6 ospf interface command:
ciscoasa# show ipv6 ospf interface
ATM3/0 is up, line protocol is up
Link Local Address 2001:0DB1:205:5FFF:FED3:5808, Interface ID 13
Area 1, Process ID 1, Instance ID 0, Router ID 172.16.3.3
Network Type POINT_TO_POINT, Cost: 1
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:06
Index 1/2/2, flood queue length 0
Next 0x0(0)/0x0(0)/0x0(0)
Last flood scan length is 12, maximum is 12
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 172.16.4.4
Suppress hello for 0 neighbor(s)
FastEthernet0/0 is up, line protocol is up
Link Local Address 2001:0DB1:205:5FFF:FED3:5808, Interface ID 3
Area 1, Process ID 1, Instance ID 0, Router ID 172.16.3.3
Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 172.16.6.6, local address 2001:0DB1:205:5FFF:FED3:6408
Backup Designated router (ID) 172.16.3.3, local address 2001:0DB1:205:5FFF:FED3:5808
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:05
Index 1/1/1, flood queue length 0
Next 0x0(0)/0x0(0)/0x0(0)
Last flood scan length is 12, maximum is 12
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 172.16.6.6 (Designated Router)
Suppress hello for 0 neighbor(s)
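The per-interface output above is what an operator reads to confirm that every neighbor seen on a link has actually reached adjacency and that Hello/Dead timers are consistent. The following Python example is added here and is not part of the Cisco reference; it parses a constructed sample modelled on the output above (GigabitEthernet0/1, its addresses and its non-default 30/120 timers are invented for the example) and reports interfaces whose neighbor count exceeds the adjacent count or whose timers differ from the values most interfaces use:

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the "show ipv6 ospf interface" output in this
# section. GigabitEthernet0/1 (and its timers and neighbor) is invented to
# show a mismatch; it is not from the Cisco documentation.
SAMPLE_INTERFACE_OUTPUT = """\
ATM3/0 is up, line protocol is up
  Link Local Address 2001:0DB1:205:5FFF:FED3:5808, Interface ID 13
  Area 1, Process ID 1, Instance ID 0, Router ID 172.16.3.3
  Network Type POINT_TO_POINT, Cost: 1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 172.16.4.4
FastEthernet0/0 is up, line protocol is up
  Link Local Address 2001:0DB1:205:5FFF:FED3:5808, Interface ID 3
  Area 1, Process ID 1, Instance ID 0, Router ID 172.16.3.3
  Network Type BROADCAST, Cost: 1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 172.16.6.6 (Designated Router)
GigabitEthernet0/1 is up, line protocol is up
  Link Local Address 2001:0DB1:205:5FFF:FED3:7A01, Interface ID 5
  Area 1, Process ID 1, Instance ID 0, Router ID 172.16.3.3
  Network Type BROADCAST, Cost: 1
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
  Neighbor Count is 2, Adjacent neighbor count is 1
    Adjacent with neighbor 172.16.7.7
"""


@dataclass
class OspfInterface:
    name: str
    line_up: bool
    area: Optional[str] = None
    hello: Optional[int] = None
    dead: Optional[int] = None
    neighbor_count: int = 0
    adjacent_count: int = 0
    adjacent: List[str] = field(default_factory=list)


HEADER_RE = re.compile(r"^(\S+) is (up|down), line protocol is (up|down)")
AREA_RE = re.compile(r"Area (\S+), Process ID")
TIMER_RE = re.compile(r"Hello (\d+), Dead (\d+)")
COUNT_RE = re.compile(r"Neighbor Count is (\d+), Adjacent neighbor count is (\d+)")
ADJ_RE = re.compile(r"Adjacent with neighbor (\S+)")


def parse_interfaces(text: str) -> List[OspfInterface]:
    """Split the show output into one record per interface block."""
    interfaces: List[OspfInterface] = []
    cur: Optional[OspfInterface] = None
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER_RE.match(line)
        if h:
            # A new "<name> is up, line protocol is up" line starts a block.
            cur = OspfInterface(name=h.group(1), line_up=(h.group(3) == "up"))
            interfaces.append(cur)
            continue
        if cur is None:
            continue  # text before the first interface block
        m = AREA_RE.search(line)
        if m:
            cur.area = m.group(1)
        m = TIMER_RE.search(line)
        if m:
            cur.hello, cur.dead = int(m.group(1)), int(m.group(2))
        m = COUNT_RE.search(line)
        if m:
            cur.neighbor_count, cur.adjacent_count = int(m.group(1)), int(m.group(2))
        m = ADJ_RE.search(line)
        if m:
            cur.adjacent.append(m.group(1))
    return interfaces


def timer_groups(interfaces: List[OspfInterface]) -> Dict[Tuple[int, int], List[str]]:
    """Group interface names by their (Hello, Dead) pair."""
    groups: Dict[Tuple[int, int], List[str]] = {}
    for i in interfaces:
        groups.setdefault((i.hello, i.dead), []).append(i.name)
    return groups


def interface_problems(interfaces: List[OspfInterface]) -> List[str]:
    """Flag links with non-adjacent neighbors and timers that differ from the
    most common pair. Differing timers are a hint, not a fault: OSPF only
    requires Hello/Dead to match between the two ends of one link."""
    problems: List[str] = []
    groups = timer_groups(interfaces)
    common = max(groups, key=lambda k: len(groups[k])) if groups else None
    for i in interfaces:
        if i.neighbor_count != i.adjacent_count:
            problems.append(f"{i.name}: {i.neighbor_count} neighbor(s) seen but "
                            f"only {i.adjacent_count} adjacent")
        if common and (i.hello, i.dead) != common:
            problems.append(f"{i.name}: Hello/Dead {i.hello}/{i.dead} differs from "
                            f"the common {common[0]}/{common[1]}")
    return problems


if __name__ == "__main__":
    for p in interface_problems(parse_interfaces(SAMPLE_INTERFACE_OUTPUT)):
        print(p)
```

On a real device the text would come from the command output captured over SSH or from a saved tech-support file; the parser keys only on the fixed phrases visible in the sample output above, so additional lines in the block are ignored rather than mis-parsed.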
Related Commands
Command                          Description
show ipv6 ospf                   Shows all IPv6 settings in the OSPFv3 routing process.
show ipv6 ospf border-routers    Shows the internal OSPFv3 routing table entries to an area border
                                 router (ABR) and an autonomous system boundary router (ASBR).
show ipv6 ospf neighbor
To display OSPFv3 neighbor information on a per-interface basis, use the show ipv6 ospf neighbor
command in user EXEC or privileged EXEC mode.
show ipv6 ospf [process_id] [area_id] neighbor [interface-type interface-number] [neighbor-id]
[detail]
Syntax Description
area_id
(Optional) Displays information about a specified area only.
detail
(Optional) Displays all neighbors information in detail.
interface-type
interface-number
(Optional) Specifies the interface type and number.
neighbor-id
(Optional) Specifies the neighbor ID.
process_id
(Optional) Specifies an internal ID that is locally assigned and can be any
positive integer. This ID is the number assigned administratively when the
OSPF routing process is enabled.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:

                   Firewall Mode          Security Context
                                                   Multiple
Command Mode       Routed   Transparent   Single   Context   System
Privileged EXEC    • Yes    —             • Yes    —         —
User EXEC          • Yes    —             • Yes    —         —

Command History
Release    Modification
9.0(1)     This command was added.
Usage Guidelines
Use this command to display detailed information for OSPFv3 neighbors by interface.
Examples
The following is sample output from the show ipv6 ospf neighbor command:
ciscoasa# show ipv6 ospf neighbor
Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
172.16.4.4        1   FULL/  -        00:00:31    14              POS4/0
172.16.3.3        1   FULL/BDR        00:00:30    3               FastEthernet0/0
172.16.5.5        1   FULL/  -        00:00:33    13              ATM3/0
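The neighbor table is the quickest place to spot an adjacency that is stuck below FULL or a neighbor whose dead timer is running down because hellos are not arriving. The following Python example is added here and is not part of the Cisco reference; it parses a constructed sample in the format of the output above (the two 192.0.2.x rows, their states and interfaces are invented to exercise the checks) and reports any neighbor that is not FULL or whose remaining dead time has fallen below half of the configured dead interval, which is assumed to be the 40 seconds shown in the interface output of this section:

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the layout of "show ipv6 ospf neighbor". The first
# three rows mirror the reference output; the 192.0.2.x rows are invented
# to show a stuck adjacency and an expiring dead timer.
SAMPLE_OUTPUT = """\
Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
172.16.4.4        1   FULL/  -        00:00:31    14              POS4/0
172.16.3.3        1   FULL/BDR        00:00:30    3               FastEthernet0/0
172.16.5.5        1   FULL/  -        00:00:33    13              ATM3/0
192.0.2.9         1   EXSTART/DR      00:00:39    5               GigabitEthernet0/1
192.0.2.17        1   FULL/DR         00:00:06    7               GigabitEthernet0/2
"""


@dataclass
class Neighbor:
    neighbor_id: str
    priority: int
    state: str          # adjacency state: FULL, EXSTART, 2WAY, ...
    role: str           # DR, BDR, DROTHER, or "-" on point-to-point links
    dead_time_sec: int  # seconds left before the neighbor is declared down
    interface_id: int
    interface: str


# One table row: state and role are printed as "STATE/ROLE" with optional
# spaces after the slash (e.g. "FULL/  -").
ROW_RE = re.compile(
    r"^(?P<nid>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<pri>\d+)\s+"
    r"(?P<state>[A-Z0-9]+)/\s*(?P<role>\S+)\s+"
    r"(?P<dead>\d\d:\d\d:\d\d)\s+"
    r"(?P<ifid>\d+)\s+"
    r"(?P<iface>\S+)\s*$"
)


def parse_dead_time(hms: str) -> int:
    """Convert the HH:MM:SS dead-time column to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_neighbors(text: str) -> List[Neighbor]:
    """Return one Neighbor per data row; header and blank lines are skipped."""
    neighbors: List[Neighbor] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        neighbors.append(Neighbor(
            neighbor_id=m["nid"],
            priority=int(m["pri"]),
            state=m["state"],
            role=m["role"],
            dead_time_sec=parse_dead_time(m["dead"]),
            interface_id=int(m["ifid"]),
            interface=m["iface"],
        ))
    return neighbors


def neighbor_problems(neighbors: List[Neighbor],
                      dead_interval: int = 40,
                      warn_fraction: float = 0.5) -> List[str]:
    """Flag neighbors that are not FULL and neighbors whose dead timer has
    dropped below warn_fraction of the configured dead interval (assumed to
    be the 40 s shown in the interface output of this section)."""
    threshold = dead_interval * warn_fraction
    problems: List[str] = []
    for n in neighbors:
        if n.state != "FULL":
            problems.append(f"{n.neighbor_id} on {n.interface}: state "
                            f"{n.state}/{n.role}, adjacency is not FULL")
        if n.dead_time_sec < threshold:
            problems.append(f"{n.neighbor_id} on {n.interface}: dead timer "
                            f"{n.dead_time_sec}s is below {threshold:.0f}s, "
                            f"hellos may be going missing")
    return problems


if __name__ == "__main__":
    for p in neighbor_problems(parse_neighbors(SAMPLE_OUTPUT)):
        print(p)
```

The dead-time threshold is a polling heuristic: a single snapshot taken just before a hello arrives will legitimately show a low value, so in practice the check is run over several samples before raising an alert.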
The following is sample output from the show ipv6 ospf neighbor detail command:
Neighbor 172.16.4.4
In the area 0 via interface POS4/0
Neighbor: interface-id 14, link-local address FE80::205:5FFF:FED3:5406
Neighbor priority is 1, State is FULL, 6 state change
