Command Reference for ASA CX and Cisco Prime Security Manager


Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA USA
Tel: NETS (6387)
Fax:
Text Part Number: OL

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Google, Google Play, Android and certain other marks are trademarks of Google Inc.

Cisco Systems, Inc. All rights reserved.

CONTENTS

Preface  vii
    Audience  vii
    Related Documentation  vii
    Conventions  vii
    Obtaining Documentation and Submitting a Service Request  ix

CHAPTER 1  Using the Command Line Interface (CLI)  1
    Command Context Modes  1
    Syntax Formatting  1
    Entering Commands  2
    Filtering Show Command Output  2
    Command Help  4

CHAPTER 2  a through h commands  5
    clear opdata  6
    config advanced  8
    config backup  10
    config cert-reset  12
    config clear-truststore  14
    config mgmt-interface  15
    config ntp  17
    config passwd  20
    config prune  22
    config reset  24
    config restore  26
    config time  28
    config timezone  30
    delete  32
    exit  34
    format  35
    help  37

CHAPTER 3  i through show ntp commands  39
    nslookup  40
    partition  42
    ping  45
    services  47
    setup  49
    show addomain  55
    show autorestart status  57
    show crashinfo  58
    show diskusage  60
    show dns  62
    show hostname  64
    show hosts  65
    show interfaces  66
    show mgmt-interface  69
    show netstat  71
    show ntp  74

CHAPTER 4  show opdata through show raid commands  79
    show opdata adisessions  80
    show opdata arptable  82
    show opdata blocks  84
    show opdata connections  88
    show opdata flowdrop  91
    show opdata framedrop  104
    show opdata http  128
    show opdata hwregex  134
    show opdata interface  139
    show opdata pdts  144
    show opdata policy  151
    show opdata routingtable  155
    show opdata summary  157
    show opdata tls  159
    show partitions  161
    show platform hardware  163
    show platform software  165
    show raid  167

CHAPTER 5  show route through z commands  171
    show route  172
    show services status  174
    show tech-support  178
    show time  180
    show version  181
    support diagnostic  183
    support fsck  187
    support list  189
    support set-property  191
    support tail logs  193
    support tunnel (9.3(3)+)  196
    support tunnel (pre-9.3(3))  199
    support validatedb  201
    support view logs  203
    system reload  206
    system revert  208
    system shutdown  210
    system upgrade, system install  212
    traceroute  215


Preface

The preface contains the following topics.

    Audience, page vii
    Related Documentation, page vii
    Conventions, page vii
    Obtaining Documentation and Submitting a Service Request, page ix

Audience

This document is for network and security personnel who install, configure, deploy, and manage security infrastructure.

Related Documentation

Use the following documentation road maps to find related documentation.

    Finding ASA CX and Cisco Prime Security Manager Documentation
    Navigating the Cisco ASA 5500 Series Documentation

Conventions

This document uses the following conventions:

    Convention          Indication
    Command             Commands, keywords, buttons, field names, and user-entered text appear in bold font.
    Menu > Menu Item    For menu-based commands, the full path to the command is shown.
    variable            Variables, for which you supply values, are in italic font. Italic font is also used for document titles and for general emphasis.
    [ ]                 Elements in square brackets are optional.
    {x | y | z}         Required alternative keywords are grouped in braces and separated by vertical bars.
    [x | y | z]         Optional alternative keywords are grouped in brackets and separated by vertical bars.
    courier font        Terminal sessions and information that the system displays appear in courier font.
    < >                 Nonprinting characters such as passwords are in angle brackets.
    [ ]                 Default responses to system prompts are in square brackets.
    !, #                An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.

Reader Alert Conventions

This document uses the following conventions for reader alerts:

    Note        Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.
    Tip         Means the following information will help you solve a problem.
    Caution     Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
    Timesaver   Means the described action saves time. You can save time by performing the action described in the paragraph.
    Warning     Means reader be warned. In this situation, you might perform an action that could result in bodily injury.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What's New in Cisco Product Documentation.

To receive new and revised Cisco technical content directly to your desktop, you can subscribe to the What's New in Cisco Product Documentation RSS feed. RSS feeds are a free service.


CHAPTER 1  Using the Command Line Interface (CLI)

The following topics explain how to use the system command line interface (CLI) for CX devices and PRSM and how to interpret the command reference topics. Use the CLI for basic system setup and troubleshooting.

    Command Context Modes, page 1
    Syntax Formatting, page 1
    Entering Commands, page 2
    Filtering Show Command Output, page 2
    Command Help, page 4

Command Context Modes

You can use the CLI commands in the following contexts:

    ASA CX console or SSH session, or a console session opened from the parent ASA using the session cxsc console command.
    PRSM VMware console or SSH session.

In most cases, command behavior is identical for these products. Any differences are noted in the reference section for the commands.

Unlike the ASA, there are no separate command modes, but instead a single mode only. All commands are always available.

Syntax Formatting

Command syntax descriptions use the following conventions:

    Convention      Description
    command         Command text indicates commands and keywords that you enter literally as shown.
    variable        Variable text indicates arguments for which you supply values.
    [x]             Square brackets enclose an optional element (keyword or argument).
    [x | y]         Square brackets enclosing keywords or arguments separated by a vertical bar indicate an optional choice.
    {x | y}         Braces enclosing keywords or arguments separated by a vertical bar indicate a required choice.
    [x {y | z}]     Nested sets of square brackets or braces indicate optional or required choices within optional or required elements. Braces and a vertical bar within square brackets indicate a required choice within an optional element.

Entering Commands

When you log into the console through the Console port or an SSH session, you are presented with a command prompt that shows the name of the device, for example:

    hostname>

You type the command at the prompt and press Enter to execute the command. Following are some additional features:

    Abbreviating commands
        You can abbreviate most commands down to the fewest unique characters for a command; for example, you can enter sho v to view the system version instead of show version.

    Scrolling through command history
        You can use the up and down arrow keys to scroll through the commands that you have already entered. You can reenter or edit and reenter the commands in the history.

    Completing commands
        To complete a command or keyword after entering a partial string, press the Tab key. The partial string must match a single command or keyword only for it to be completed.

Filtering Show Command Output

You can filter the output of show commands by piping the output to filtering commands. Piping output works with all show commands but is most useful when dealing with commands that produce a lot of text. To use the filtering capabilities, use the following format:

    show command | {grep | include | exclude | begin} [options] pattern

Filtering Commands

You can use these filtering commands:

    grep        Display only those lines that match the pattern.
    include     Display only those lines that match the pattern.
    exclude     Exclude all lines that match the pattern, show all other lines.
    begin       Find the first line that includes the pattern, and display that line and all subsequent lines.

Options

You can include any combination of the following options that make sense, although not all options are available on the begin command.

    Option       Description                                                                                    Commands
    -A number    Include the indicated number of lines that follow matching lines in the output. For example: -A 5       grep, include
    -B number    Include the indicated number of lines that precede matching lines in the output. For example: -B 5      grep, include
    -C number    Include the indicated number of lines that surround matching lines in the output. For example: -C 5     grep, include
    -m number    Stop showing output after showing the indicated number of lines. For example: -m 5                       All
    -c           Just print the number of lines that match the pattern. If you include this option, -A, -B, and -C are ignored.   grep, include, exclude
    -i           Ignore case.                                                                                   All

Pattern

This is a simple case-sensitive text string that can include alphanumeric characters and - _ , ; = . To ignore case, include the -i option. You cannot use regular expressions.

The following example shows how these commands change the output of the show ntp command.

    prsm-vm> show ntp
         remote           refid      st t  when poll reach   delay   offset  jitter
    ==============================================================================
    *ntp-rtp1.exampl.gps. 1 u
     ntp-rtp2.exampl.gps. 1 u
    Current NTP Configuration:
    Configuration in ntp.conf:
    server 1.ntp.example.com
    server 2.ntp.example.com
    prsm-vm> show ntp | grep rtp1
    *ntp-rtp1.exampl.gps. 1 u
    prsm-vm> show ntp | include rtp1
    *ntp-rtp1.exampl.gps. 1 u
    prsm-vm> show ntp | exclude rtp1
         remote           refid      st t  when poll reach   delay   offset  jitter
    ==============================================================================
    +ntp-rtp2.exampl.gps. 1 u
    Current NTP Configuration:
    Configuration in ntp.conf:
    server 1.ntp.example.com
    server 2.ntp.example.com
    prsm-vm> show ntp | begin rtp1
    *ntp-rtp1.exampl.gps. 1 u
     ntp-rtp2.exampl.gps. 1 u
    Current NTP Configuration:
    Configuration in ntp.conf:
    server 1.ntp.example.com
    server 2.ntp.example.com
    prsm-vm>

Command Help

Help information is available from the command line by entering the following commands:

    help or ?, to see a list of all commands.
    help command_name, to see the syntax for a command.
    command_name ?, to see the options for a command. For example, show ?.
    string?, to show the commands or keywords that match the string. For example, n?.
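The filter semantics described above (four filtering commands, the -A/-B/-C/-m/-c/-i options and which commands accept them), as an added Python model that is not Cisco code; it runs over a constructed copy of the show ntp output from this chapter so the expected result of a filter can be checked before it is typed on a device. The count returned by -c on exclude (the lines that would have been shown) is an assumption, since the text does not define it.

```python
"""Model of: show command | {grep | include | exclude | begin} [options] pattern."""
import re
from typing import Dict, List, Tuple

# Constructed sample, mirroring the show ntp example in this chapter (numeric columns elided).
SHOW_NTP = "\n".join([
    "     remote           refid      st t  when poll reach   delay   offset  jitter",
    "==============================================================================",
    "*ntp-rtp1.exampl.gps. 1 u",
    " ntp-rtp2.exampl.gps. 1 u",
    "Current NTP Configuration:",
    "Configuration in ntp.conf:",
    "server 1.ntp.example.com",
    "server 2.ntp.example.com",
])

# Which options each filtering command accepts, per the options table above.
ALLOWED = {
    "grep":    {"A", "B", "C", "m", "c", "i"},
    "include": {"A", "B", "C", "m", "c", "i"},
    "exclude": {"m", "c", "i"},
    "begin":   {"m", "i"},
}
# The pattern is a plain string (no regular expressions): alphanumerics and - _ , ; = .
PATTERN_RE = re.compile(r"[A-Za-z0-9._,;=-]+")


def parse_filter(command: str, args: List[str]) -> Tuple[Dict[str, object], str]:
    """Split '[options] pattern' into an options dict and the literal pattern."""
    if command not in ALLOWED:
        raise ValueError(f"unknown filtering command: {command}")
    opts: Dict[str, object] = {"A": 0, "B": 0, "C": 0, "m": None, "c": False, "i": False}
    i = 0
    while i < len(args) and args[i].startswith("-"):
        flag = args[i][1:]
        if flag not in ALLOWED[command]:
            raise ValueError(f"-{flag} is not available on {command}")
        if flag in ("A", "B", "C", "m"):      # options that take a number
            opts[flag] = int(args[i + 1])
            i += 2
        else:                                 # -c and -i are switches
            opts[flag] = True
            i += 1
    if i != len(args) - 1 or not PATTERN_RE.fullmatch(args[i]):
        raise ValueError("exactly one literal pattern is required")
    return opts, args[i]


def filter_output(text: str, command: str, args: List[str]) -> str:
    """Apply 'command [options] pattern' to text the way the CLI filter does."""
    opts, pattern = parse_filter(command, args)
    lines = text.splitlines()

    def matches(line: str) -> bool:
        if opts["i"]:
            return pattern.lower() in line.lower()
        return pattern in line

    hits = [n for n, line in enumerate(lines) if matches(line)]
    if command == "begin":
        out = lines[hits[0]:] if hits else []          # first match and everything after it
    elif command == "exclude":
        out = [line for n, line in enumerate(lines) if n not in set(hits)]
    else:                                              # grep / include: matches plus context
        before = max(int(opts["B"]), int(opts["C"]))
        after = max(int(opts["A"]), int(opts["C"]))
        keep = set()
        for h in hits:
            keep.update(range(max(0, h - before), min(len(lines), h + after + 1)))
        out = [lines[n] for n in sorted(keep)]

    if opts["c"]:
        # -c prints only a count and ignores -A/-B/-C. Assumption: on exclude the
        # count is of the lines that would have been shown.
        return str(len(out) if command == "exclude" else len(hits))
    if opts["m"] is not None:
        out = out[: int(opts["m"])]                    # -m N: stop after N output lines
    return "\n".join(out)
```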

CHAPTER 2  a through h commands

    clear opdata, page 6
    config advanced, page 8
    config backup, page 10
    config cert-reset, page 12
    config clear-truststore, page 14
    config mgmt-interface, page 15
    config ntp, page 17
    config passwd, page 20
    config prune, page 22
    config reset, page 24
    config restore, page 26
    config time, page 28
    config timezone, page 30
    delete, page 32
    exit, page 34
    format, page 35
    help, page 37

clear opdata

To clear a variety of operational and device statistics related to the data plane, use the clear opdata command.

    clear opdata {interface | blocks | connections | framedrop | flowdrop | adisessions | summary | policy | rate-limit}
    clear opdata http {summary | detail | threat | ips_stream | ips_regex}
    clear opdata tls {threat | ips_stream | ips_regex}

Syntax Description

    interface      Clear the network interface card (NIC) counters for each NIC.
    blocks         Clear the statistics about packet buffer blocks.
    connections    Clear the connection information for each TCP and UDP connection.
    framedrop      Clear the statistics about dropped packets.
    flowdrop       Clear the statistics about dropped traffic flows (connections).
    adisessions    Clear the user-to-ip-address connection mappings (ADI sessions) directory.
    summary        Clear contributor summary data from the data plane.
    policy         Clear the policy data from the data plane (the data shown by show opdata policy).
    rate-limit     Clear rate limit counter data.
    http           Clear HTTP Inspector flow information. You must include one of the following keywords to clear the data related to the equivalent show opdata http command: summary, detail, threat, ips_stream, ips_regex.
    tls            Clear TLS Inspector flow information. You must include one of the following keywords to clear the data related to the equivalent show opdata tls command: threat, ips_stream, ips_regex.

Command Modes

You can use this command in the following contexts:

    ASA CX console or SSH session.

Command History

    Release               Modification
    CX Software 9.0(2)    This command was introduced.
    CX Software 9.1(2)    The following keywords were added: summary
    CX Software 9.2(1)    The following keywords were added: http, tls, policy, rate-limit

Examples

The following example presents output for the clear opdata adisessions command; the results are similar for the other clear commands.

    hostname> clear opdata adisessions
    Cleared sessions
    hostname>

Related Commands

    show opdata interface      Display basic statistics for all data-plane interfaces.
    show opdata blocks         Display details for packet buffer blocks.
    show opdata connections    Display details for current TCP and UDP connections.
    show opdata framedrop      Display information about dropped frames (packets).
    show opdata flowdrop       Display information about dropped traffic flows (connections).
    show opdata adisessions    Display all ADI session information (that is, the user-to-ip-address connection directory).
    show opdata http           Display HTTP Inspector flow information.
    show opdata policy         Display policy data from the data plane.

config advanced

To configure CX options that under normal circumstances you should not change, use the config advanced command.

    config advanced {autorestart {on | off} | inspection {on | off} | crashinfo {enable | disable}}

Syntax Description

    autorestart {on | off}          Enable or disable auto restart, which controls how failed system processes are restarted.
    inspection {on | off}           Enable or disable HTTP inspection. HTTP inspection is required for advanced traffic handling such as application filtering.
    crashinfo {enable | disable}    Enable or disable the creation of crashinfo files, which contain condensed versions of core dumps. Use these files when working on system problems with the Cisco Technical Assistance Center (TAC).

Command Default

The default is that services are enabled.

Command Modes

You can use this command in the following contexts:

    ASA CX console or SSH session.

Command History

    Release               Modification
    CX Software 9.0(1)    This command was introduced.
    CX Software 9.3(1)    The crashinfo keyword was added.

Usage Guidelines

Auto Restart

The device will attempt to restart failed system processes regardless of your auto restart setting. What this setting controls is how persistent restart failures are handled, that is, in cases where frequent attempts at restarting a process occur during a short time window (for example, 5 attempts in 3 minutes).

    On    When auto restart is enabled, if the restart of a critical system process persistently fails, the system restarts all processes. Critical system processes include PDTS, Data Plane, or TLS Proxy, for example. For non-critical processes, only the failed process is restarted.

    Off   If you disable auto restart, the system still tries to restart processes. However, if the process fails to restart after a few retries, it is left disabled. If a critical process restarts successfully, the other processes are not also restarted. If the failed process is non-critical, your system might remain functional, but features controlled by that process will not be available.

Using auto restart can provide resiliency to the device. However, if a process cannot be successfully restarted, the device could be placed in an endless loop, constantly attempting to restart a process when a reboot is required to get around a problem. If the device runs into a restart loop situation, disable auto restart, then reboot the system. If that does not resolve the problem, contact Cisco Technical Support.

Inspection

HTTP inspection is required for full-function traffic filtering. If you disable inspection, the device behaves like a traditional firewall and does not filter on attributes obtained through inspection, such as application filtering. If you change the inspection setting, all processes are restarted.

Crashinfo

Crashinfo files can be helpful when diagnosing system problems. The Cisco Technical Assistance Center (TAC) will want them if you call with a problem.

Examples

The following example shows how to turn off auto restart.

    hostname> config advanced autorestart off
    hostname>

Related Commands

    show autorestart status    Shows the current status of autorestart.
    show crashinfo             Shows crashinfo files.
    show services status       Shows the current status of system processes.
    show tech-support          Shows diagnostic information for troubleshooting purposes.

config backup

To back up the configuration database, use the config backup command.

    config backup URL

Syntax Description

    URL    The URL of the location where you want to create the backup. You can use the following types of URL, which should include the path but not a file name: ftp://

Command Default

No default behavior or values.

Command Modes

You can use this command in the following contexts:

    ASA CX console or SSH session.
    PRSM console or SSH session.

Command History

    Release               Modification
    CX Software 9.0(1)    This command was introduced.
    PRSM 9.0(1)

Usage Guidelines

Use the backup command to back up the configuration database. The backup does not include event or reporting data. To restore the backup, use the config restore command.

Include the URL of the folder on an FTP server where the backup should be copied. If the FTP server supports anonymous login, but does not give upload permission to the anonymous user, include a username that has the appropriate permissions and optionally, the password, in the following format: ftp://username[:password]@servername/path.

Backup files are automatically named using the following components, in order, with underscores separating components, with .pkg as the file extension:

    System type    Either prsm or cx.
    Hostname
    Software version number
    Date and time the backup was made in month_day_year_hour_minutes_seconds format, 24-hour clock notation.

For example, prsm_prsm-vm_1.0.0_04_02_2012_16_25_30.pkg is the name of a backup for PRSM Multiple Device mode, for the host using the default host name prsm-vm, for software version 1.0.0, taken on April 2, 2012 at 16:25:30 in 24-hour clock notation.

In Multiple Device mode, do not back up and restore individual managed CX devices. The PRSM backup includes the configurations for managed devices, so redeploying configurations should restore a device to the desired state. If you must restore a managed device from backup for an unusual disaster recovery purpose, ensure that you first switch to Single Device mode.

For PRSM Multiple Device mode, you can also use VMware to create snapshots of the virtual machine, and restore those snapshots instead of restoring a database backup. You can use both techniques to protect against different potential problems.

Caution: During backup, you are asked whether you want to clear passwords. Clear passwords only if you intend to share the backup with others, such as the Cisco Technical Assistance Center. If you recover a backup that has cleared passwords, you will have to delete all devices from the PRSM Multiple Device mode inventory and add them back to reset the passwords. In all modes, you will have to define all of the following passwords: local users (except the admin user), AD/LDAP directory, CDA and AD agent, and signature updater HTTP proxy username. You will be able to log in as the admin user only after recovering a database in which passwords have been cleared.

Examples

The following example shows how to create a backup of the database. Note that the backup message tells you the name of the backup file that will be created.

    hostname> config backup ftp:// /backups
    Starting the database backup process...
    Please note that eventing/reporting data will not be backed up
    If you are creating a backup to share with others for system
    Troubleshooting, you can clear device passwords to maintain security.
    A backup with cleared passwords is not suitable for system recovery.
    Do you want to clear the passwords in the backup database(y/n)?[n]:n
    Uploading file prsm_prsm-vm_1.0.0_04_02_2012_16_25_30.pkg to ftp:// /backups
    You need to authenticate with the server to upload/download file
    Username: ftpusername
    Password: (typing not displayed)
    Uploading the file to /users/admin/backups on the remote server.
    Backup of the database is completed.
    hostname>

Related Commands

    config reset      Resets the database to factory defaults.
    config restore    Restores a database backup.

config cert-reset

To generate a new self-signed management certificate, use the config cert-reset command.

    config cert-reset

Syntax Description

This command has no arguments or keywords.

Command Default

No default behavior or values.

Command Modes

You can use this command in the following contexts:

    ASA CX console or SSH session.
    PRSM console or SSH session.

Command History

    Release               Modification
    CX Software 9.1(1)    This command was introduced.
    PRSM 9.1(1)

Usage Guidelines

The management Certificate Authority (CA) certificate is required to enable secure HTTPS access to the system. The certificate has a valid time range, which might be out-of-bounds if you change the time settings on the device. If you have problems with HTTP access, including problems adding a device to the PRSM inventory, use the config cert-reset command to generate a new self-signed certificate. You might have to regenerate the certificate on the server, the managed device, or both.

When you are logged into the web interface, you can also upload a server certificate signed by a third-party CA, or regenerate the certificate on a managed device from the PRSM inventory page. Note that if you run the setup command and change the hostname, a new certificate is also generated.

If you regenerate the certificate on a PRSM server or a managed device, you must do the following on the device inventory page of the PRSM server's web interface.

    Managed device    You must refresh the certificate of the device.
    PRSM server       You must refresh the certificate of every managed device, because each device has a copy of the PRSM server's certificate.

Examples

The following example shows how to generate a new management certificate.

    hostname> config cert-reset
    This action will overwrite the existing management certificate with a new self-signed certificate and the web server will be restarted.
    Do you want to continue?(y/n) Y
    Generating a 2048 bit RSA private key
    writing new private key to '/var/db/certs/smx_self_signed_cert.pem'
    hostname>

Related Commands

    setup    Configures basic system settings, including DNS servers.

config clear-truststore

To remove all device certificates from the trust store, use the config clear-truststore command.

    config clear-truststore

Syntax Description

This command has no arguments or keywords.

Command Default

No default behavior or values.

Command Modes

You can use this command in the following contexts:

    ASA CX console or SSH session.
    PRSM console or SSH session.

Command History

    Release               Modification
    CX Software 9.2(1)    This command was introduced.
    PRSM 9.2(1)

Usage Guidelines

The management Certificate Authority (CA) certificates required to enable secure HTTPS access between a managed device and the PRSM server are kept in the trust store. You can use this command to remove all certificates. You would do this if you start having certificate-related deployment problems. The command is primarily useful on the PRSM server.

After clearing the certificate store, go to the device inventory in the PRSM web interface and refresh certificates for each device. This updates the trust store on the managed device as well as the server.

Examples

The following example shows how to clear the trust store.

    prsm-vm> config clear-truststore
    prsm-vm>

Related Commands

There are no related commands.

config mgmt-interface

To configure properties for the management interface, use the config mgmt-interface command.

    config mgmt-interface log-drops [enable | disable]
    config mgmt-interface https ciphers {load-defaults | enable cipher_list | disable cipher_list}

Syntax Description

    log-drops [enable | disable]
        Whether to enable or disable the logging of dropped packets on the management interface by the firewall. If you do not include the enable or disable keyword, you are shown the current state of logging and asked if you want to change it.

    https ciphers {load-defaults | enable cipher_list | disable cipher_list}
        Control the ciphers allowed for HTTPS connections. You can load the recommended defaults, or explicitly enable or disable particular ciphers. To find the valid cipher names, and determine which ciphers are currently allowed, use the show mgmt-interface https ciphers command. When enabling or disabling ciphers, you can include more than one cipher; use spaces between the cipher names.

Command Default

The default is that log-drops is disabled.

Command Modes

You can use this command in the following contexts:

    ASA CX console or SSH session.
    PRSM console or SSH session.

Command History

    Release               Modification
    CX Software 9.0(2)    This command was introduced.
    PRSM 9.0(2)
    CX Software 9.3(1)    The https ciphers option was added.
    PRSM 9.3(1)

Usage Guidelines

Use the config mgmt-interface command to enable or disable logging of dropped packets on the management interface. You might want to do this if you are debugging a problem with management access.

You can also configure the ciphers to allow for HTTPS connections to the management interface, that is, for logging into the web interface to configure the device. The default cipher set includes the recommended strong ciphers, but you can add others that you want to allow, or narrow the allowed set. Use the show mgmt-interface https ciphers command to view the currently allowed ciphers and to see the names of the other ciphers you can enable.

Examples

The following example shows how to change the current state of logging.

    hostname> config mgmt-interface log-drops
    Logging of dropped packets on management interface is disabled.
    Would you like to enable it? (y/n) [Y]: Y
    Logging of dropped packets on management interface has been enabled.
    hostname>

The following example enables specific ciphers. Disabling ciphers is similar.

    prsm-vm> config mgmt-interface https ciphers enable RC4-SHA RC4-MD5
    Current ciphers: ECDHE-ECDSA-AES128-SHA256, DHE-RSA-AES128-SHA256, ECDHE-RSA-AES128-SHA256, DHE-RSA-AES128-SHA, DHE-RSA-CAMELLIA128-SHA, AES128-SHA
    Ciphers to add: RC4-SHA, RC4-MD5
    Adding ciphers requires a restart of the web server.
    Are you sure you want to continue? (y/n) [n]: y
    Writing ciphers to the configuration file...
    Restarting the web server...

The following example loads the default HTTPS ciphers. If you are already using the default ciphers, you are told so, and you can avoid restarting the web server.

    prsm-vm> config mgmt-interface https ciphers load-defaults
    Default ciphers:
    1. ECDHE-ECDSA-AES128-SHA
    2. DHE-RSA-AES128-SHA
    3. ECDHE-RSA-AES128-SHA
    4. DHE-RSA-AES128-SHA
    5. DHE-RSA-CAMELLIA128-SHA
    6. AES128-SHA
    Loading default ciphers would require restarting the web server.
    Are you sure you want to continue? (y/n) [n]: y
    Restarting the web server...

Related Commands

    delete                              Removes core dumps, packet captures, or log files.
    show mgmt-interface https ciphers   Shows the currently allowed and available ciphers.
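Because the enable keyword accepts any cipher the device knows, it is worth auditing the resulting list before answering the restart prompt. The following added Python script (not Cisco code) parses the "Current ciphers" and "Ciphers to add" lines exactly as the dialog above prints them, flags ciphers with a known weakness, and builds the matching config mgmt-interface https ciphers disable command; the weakness rules and the constructed sample lines are this editor's, and the cipher names are the OpenSSL-style names shown in this section.

```python
"""Audit the cipher names shown by the config/show mgmt-interface https ciphers dialog."""
import re
from typing import Dict, List, Tuple

# Constructed sample, copied from the dialog shown in this section.
CURRENT_LINE = ("Current ciphers: ECDHE-ECDSA-AES128-SHA256, DHE-RSA-AES128-SHA256, "
                "ECDHE-RSA-AES128-SHA256, DHE-RSA-AES128-SHA, DHE-RSA-CAMELLIA128-SHA, AES128-SHA")
TO_ADD_LINE = "Ciphers to add: RC4-SHA, RC4-MD5"

# Hard weaknesses: (regex on the OpenSSL cipher name, finding).
WEAK_RULES: List[Tuple[str, str]] = [
    (r"^(EXP|NULL|ADH|AECDH)|-NULL-", "export/anonymous/NULL cipher: no confidentiality or authentication"),
    (r"RC4",                            "RC4 stream cipher: keystream biases, prohibited for TLS by RFC 7465"),
    (r"-MD5$",                          "MD5 MAC: deprecated hash"),
    (r"DES-CBC3|^DES-|3DES",            "3DES/DES: 64-bit block, Sweet32-class weakness"),
]
# Informational only: a name without an (EC)DHE prefix uses RSA key exchange, so no forward secrecy.
PFS_PREFIX = re.compile(r"^(ECDHE|DHE|EDH)-")


def parse_cipher_line(line: str) -> List[str]:
    """'Current ciphers: A, B, C' -> ['A', 'B', 'C']."""
    _, _, rest = line.partition(":")
    return [c.strip() for c in rest.split(",") if c.strip()]


def audit(ciphers: List[str]) -> Dict[str, List[str]]:
    """Return {cipher: [findings]} for every cipher that has at least one finding."""
    findings: Dict[str, List[str]] = {}
    for name in ciphers:
        notes = [why for pat, why in WEAK_RULES if re.search(pat, name)]
        if not PFS_PREFIX.match(name):
            notes.append("no forward secrecy: recorded sessions are exposed if the server key leaks")
        if notes:
            findings[name] = notes
    return findings


def disable_command(findings: Dict[str, List[str]]) -> str:
    """CLI line that removes every cipher with a hard weakness (the PFS note alone does not qualify)."""
    hard = [c for c, notes in findings.items() if any("forward secrecy" not in n for n in notes)]
    return "config mgmt-interface https ciphers disable " + " ".join(hard) if hard else ""


def review_dialog(current_line: str, to_add_line: str) -> Dict[str, List[str]]:
    """Audit the set that would be in force if the 'Ciphers to add' are accepted."""
    return audit(parse_cipher_line(current_line) + parse_cipher_line(to_add_line))


if __name__ == "__main__":
    result = review_dialog(CURRENT_LINE, TO_ADD_LINE)
    for cipher, notes in result.items():
        print(cipher, "->", "; ".join(notes))
    print(disable_command(result))
```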

config ntp

To configure the network time protocol (NTP) servers for the system, use the config ntp command.

config ntp

Syntax
  This command has no arguments or keywords.

Command Default
  No default behavior or values.

Command Modes
  You can use this command in the following contexts:
  - ASA CX console or SSH session.
  - PRSM console or SSH session.

Command History
  Release                             Modification
  CX Software 9.0(1), PRSM 9.0(1)     This command was introduced.
  CX Software 9.3(1), PRSM 9.3(1)     Support for authenticated NTP was added.

Usage Guidelines
  Note: You can also configure NTP during system setup using the setup command. Use config ntp to make changes to the NTP setup without going through the entire system setup wizard. Use the config timezone command to set the time zone for the system.

  Use NTP servers to ensure time synchronization among the devices in your network. Time synchronization makes it easier to evaluate system events, because event time stamps from different devices can be compared directly.

  The config ntp command prompts you for the host names or addresses of the NTP servers; enter them in priority order, highest priority first, separated by commas.

  You will be asked whether you want to use NTP symmetric key authentication. Authentication is useful if you want to ensure that your time source is trusted. If you configure authentication, follow the prompts to add the key number (for example, 2), key type, and key, and then assign the keys to your servers by key number. Supported key types include MD, MD2, MD5, SHA, SHA1, MDC2, and RIPEMD160. Because the key must first be defined on the NTP server, obtain the keys from the server administrator. If you own the NTP server, consult the server documentation to learn how to configure authentication.

  Each time you use the config ntp command, you must enter the complete list of servers; you cannot simply add or subtract a single server.

  To disable NTP, use the config time command to set the system time; NTP is automatically disabled. You can re-enable NTP using either the config ntp or setup command.

Examples
  The following example shows how to configure NTP servers for the system. The existing servers are shown in brackets; press Enter to make no changes. Otherwise, enter the complete list of NTP servers, repeating the existing servers if necessary, in priority order.

    hostname> config ntp
    Enter the NTP servers separated by commas [ntp.example.com]: ntp.example.com, ntp2.example.com
    hostname> show ntp
         remote           refid      st t  when poll reach   delay   offset  jitter
    ==============================================================================
     ntp.example.com                 u
     ntp2.example.co  .gps.        1 u

  The following example shows how to enable NTP. This example assumes that you had already configured NTP and then disabled it by setting the system time. The original list of NTP servers is saved, so you do not have to retype the server names.

    hostname> config ntp
    Proceeding with configuration will overwrite any existing NTP configuration.
    Do you want to change the configuration? Press Ctrl+C to quit.
    Enter the NTP servers separated by commas [ntp.example.com, ntp2.example.com]: (press Enter)
    ntp.example.com, ntp2.example.com
    Do you want to enable the NTP symmetric key authentication? [N]: N
    Restarting NTP service...
    Done
    hostname>

  The following example shows how to configure authenticated NTP. This example assumes that the key is already configured on the NTP server. If you are not using a key with one of your NTP servers, leave the Key ID prompt blank for that server.

    prsm-vm> config ntp
    Proceeding with configuration will overwrite any existing NTP configuration.
    Do you want to change the configuration? Press Ctrl+C to quit.
    Enter the NTP servers separated by commas [oldntp1.example.com, oldntp2.example.com]: ntp1.example.com, ntp2.example.com
    Do you want to enable the NTP symmetric key authentication? [N]: y
    Enter NTP symmetric keys details
    Enter the keyid for the key: 2
    Enter the key Type (example: MD5, SHA1) for the key: md5
    Enter the symmetric key (example: VrBGb<LY9ua5F@B): VrBGb<LY9ua5F@B
    Do you want to add another key entry? [N]: n
    Enter the keyid to be used for the server svel-lnx.cisco.com: 2
    Enter the keyid to be used for the server 2.ntp.esl.cisco.com: (press Enter)
    Restarting NTP service...
    Done

Related Commands
  Command           Description
  config time       Configures the local date and time.
  config timezone   Configures the time zone.
  show ntp          Shows the network time protocol (NTP) servers for the system.
  show time         Shows the current system date, time, and time zone.
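The symmetric key authentication that config ntp offers works by appending a trailer to every NTP packet: the 32-bit key ID the prompts ask for, followed by a digest of the shared key concatenated with the packet header (MD5 gives 16 bytes, SHA1 gives 20). The following script is an added example, not Cisco code and not part of this document; it builds a client packet, attaches such a trailer, and verifies it, so a practitioner can see what "the time source is trusted" amounts to on the wire and how a tampered or unauthenticated packet is rejected. The key table is constructed: key ID 2 and the MD5 key are taken from the page's example, the SHA1 key is invented, and packets carrying NTP extension fields are out of scope.

```python
"""Check the symmetric-key MAC on an NTP packet.

Added example; it is not Cisco code. With NTP symmetric key authentication
(the option config ntp offers), each packet carries a trailer of a 32-bit
key ID followed by digest(key || packet header), where the digest is MD5
(16 bytes) or SHA1 (20 bytes), as in RFC 5905 section 7.3 and classic ntpd.
The key table below is constructed; packets with NTP extension fields are
not handled.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48

# Constructed key table in the same shape as the config ntp prompts
# (key ID -> key type, key). Real keys come from the NTP server administrator.
KEYS = {
    2: ("MD5", b"VrBGb<LY9ua5F@B"),              # key ID and key from the page
    3: ("SHA1", b"example-sha1-key-not-real"),   # invented for the SHA1 path
}
DIGESTS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}


def build_header(transmit_seconds=0, transmit_fraction=0):
    """Build a 48-byte NTPv4 client-mode header (LI=0, VN=4, mode=3)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    stratum, poll, precision = 0, 6, -23
    return struct.pack(
        "!BBbb11I",
        li_vn_mode, stratum, poll, precision,
        0, 0, 0,                      # root delay, root dispersion, reference ID
        0, 0, 0, 0, 0, 0,             # reference, originate, receive timestamps
        transmit_seconds, transmit_fraction,
    )


def append_mac(header, keyid):
    """Append the key ID and digest(key || header) trailer."""
    ktype, key = KEYS[keyid]
    return header + struct.pack("!I", keyid) + DIGESTS[ktype](key + header).digest()


def verify_mac(packet):
    """Return (keyid, ok). keyid is None when no MAC trailer is present."""
    trailer_len = len(packet) - NTP_HEADER_LEN
    if trailer_len not in (4 + 16, 4 + 20):
        return None, False                     # bare header or unknown layout
    header = packet[:NTP_HEADER_LEN]
    keyid = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    digest = packet[NTP_HEADER_LEN + 4:]
    if keyid not in KEYS:
        return keyid, False                    # unknown key: unauthenticated
    ktype, key = KEYS[keyid]
    if DIGESTS[ktype]().digest_size != len(digest):
        return keyid, False                    # key type vs. trailer length mismatch
    expected = DIGESTS[ktype](key + header).digest()
    return keyid, hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    pkt = append_mac(build_header(transmit_seconds=0xD8A1B2C3), 2)
    print(len(pkt), verify_mac(pkt))
```

Note that this construction is a keyed digest rather than HMAC, so the strength of the check rests entirely on the key staying secret; the page's advice to obtain keys from the server administrator rather than inventing them on one side is what keeps the two key tables in sync.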

config passwd

To change the password of the admin user, use the config passwd command.

Caution: If you are using PRSM Multiple Device mode to manage a CX device, do not change the password of the admin user on the CX device. Changing the password will prevent PRSM from communicating with the device. You will have to remove the device from the PRSM inventory and add it back to update PRSM with the new admin password.

config passwd

Syntax
  This command has no arguments or keywords.

Command Default
  For CX devices, the default password for the admin user is Admin123.
  For PRSM Multiple Device mode, there is no default password. You are prompted to configure the password when you install and boot the VM for the first time.

Command Modes
  You can use this command in the following contexts:
  - ASA CX console or SSH session.
  - PRSM console or SSH session.

Command History
  Release                             Modification
  CX Software 9.0(1), PRSM 9.0(1)     This command was introduced.

Usage Guidelines
  The config passwd command changes the password of the admin user. You can also change the admin user password through the web interface.

  Good passwords are enforced. If you attempt to change the password to one that does not meet the requirements, or you do not type the same password twice, you are prompted to try again. The password must be at least 8 characters long and must contain at least one uppercase letter (A-Z), at least one lowercase letter (a-z), and at least one digit (0-9).

Examples
  The following example shows how to change the password of the admin user. Typed passwords are not displayed.

    hostname> config passwd
    The password must be at least 8 characters long and must contain at least one uppercase letter (A-Z), at least one lowercase letter (a-z) and at least one digit (0-9).
    Enter password: (type password)
    Confirm password: (retype password)
    SUCCESS: Password changed for user admin
    hostname>

  The following example shows an attempt that failed because the password did not meet the requirements on the first attempt.

    hostname> config passwd
    The password must be at least 8 characters long and must contain at least one uppercase letter (A-Z), at least one lowercase letter (a-z) and at least one digit (0-9).
    Enter password: (type bad password)
    Confirm password: (retype bad password)
    The password must be at least 8 characters long and must contain at least one uppercase letter (A-Z), at least one lowercase letter (a-z) and at least one digit (0-9).
    Press any key to try again [Ctrl+C to quit]:
    Enter password: (type good password)
    Confirm password: (retype good password)
    SUCCESS: Password changed for user admin
    hostname>

Related Commands
  There are no related commands.
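When initial device setup is scripted, it helps to apply the config passwd rules before the interactive prompt rejects the value. The following is an added example, not Cisco code and not part of this document: it encodes the four requirements the page states (length, A-Z, a-z, 0-9) plus the "type it twice" confirmation, using ASCII character classes exactly as the page spells them, so a letter such as "À" does not satisfy the uppercase rule. The rejection of the documented CX default Admin123 is an extra check of this example, not a rule the command enforces.

```python
"""Check a candidate admin password against the config passwd rules.

Added example; it is not Cisco code. It applies the rules the page states
for config passwd (at least 8 characters, at least one A-Z, one a-z, one
0-9, and the password typed twice identically). Character classes are
ASCII only, as the page spells them.
"""
import re

RULES = (
    ("at least 8 characters long", lambda pw: len(pw) >= 8),
    ("at least one uppercase letter (A-Z)", lambda pw: re.search(r"[A-Z]", pw) is not None),
    ("at least one lowercase letter (a-z)", lambda pw: re.search(r"[a-z]", pw) is not None),
    ("at least one digit (0-9)", lambda pw: re.search(r"[0-9]", pw) is not None),
)

# The CX factory default documented on this page. Rejecting it is an extra
# check of this example, not something the command itself does.
DEFAULT_CX_PASSWORD = "Admin123"


def password_failures(password):
    """Return the names of the rules the password does not meet
    (an empty list means the password is acceptable)."""
    return [name for name, ok in RULES if not ok(password)]


def change_password(new_password, confirmation):
    """Mimic the prompt sequence: returns (status message, success)."""
    if new_password != confirmation:
        return "Passwords do not match", False
    failures = password_failures(new_password)
    if failures:
        return "Password rejected: " + "; ".join(failures), False
    if new_password == DEFAULT_CX_PASSWORD:
        return "Password rejected: still the factory default", False
    return "SUCCESS: Password changed for user admin", True


if __name__ == "__main__":
    for candidate in ("Admin123", "admin123", "Abc1", "Str0ngPassw0rd"):
        print(candidate, password_failures(candidate) or "ok")
```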

config prune

To reclaim disk space by pruning the database, use the config prune command.

config prune

Syntax
  This command has no arguments or keywords.

Command Default
  Pruning is done by date.

Command Modes
  You can use this command in the following contexts:
  - ASA CX console or SSH session.
  - PRSM console or SSH session.

Command History
  Release                             Modification
  CX Software 9.2(1), PRSM 9.2(1)     This command was introduced.

Usage Guidelines
  Over time, the size of the configuration database can grow as you continually edit policies and other objects, because each successive version of an object is retained. You can periodically reclaim space by pruning these older versions from the database. During the pruning process, the database is also optimized for performance.

  When pruning the database, you can either remove versions older than a particular date, or you can simply retain a specified number of previous versions (3 or higher). If you elect to prune by date, no current version of a policy or object is deleted, even if it has not been changed since before that date. Pruning never compromises your currently active versions.

  Note: For a managed CX device, the database is automatically pruned to retain only the most recent three versions of any item. Thus, if you prune the database on a managed device, it is optimized only; no data is deleted.

Examples
  The following example shows how to prune the database.

    prsm-vm> config prune
    WARNING: You are about to prune the configuration database which may result in removal of inactive versions of objects.
    To continue, all services will be stopped; once pruning is completed, all services will be restarted.
    Are you sure you want to proceed? [y/n]: y
    Stopping services
    Pruning configuration database...
    Please select which criteria to prune:
    1) Prune records prior to a specified date (default)
    2) Retain the last X number of committed changes
    Choice [1]:
    Prune eligible records prior to date (MM-DD-YYYY):
    There are 117 commit records eligible for removal.
    Do you want to continue? [y/n]: y
    117 commit records were successfully pruned!
    Running vacuum on database...
    Finished vacuuming database...
    Starting services...
    prsm-vm>

Related Commands
  There are no related commands.

config reset

Caution: Resetting the database to factory defaults erases all policies and configuration settings defined through the web interface, and all collected events and report data. You cannot recover from this action. Follow this procedure only if you are certain that you do not want to keep any of your configurations. For Cisco Prime Security Manager, we recommend that you first remove all devices from the inventory before proceeding.

To reset the system to factory defaults, use the config reset command.

config reset

Syntax
  This command has no arguments or keywords.

Command Default
  No default behavior or values.

Command Modes
  You can use this command in the following contexts:
  - ASA CX console or SSH session.
  - PRSM console or SSH session.

Command History
  Release                             Modification
  CX Software 9.0(1), PRSM 9.0(1)     This command was introduced.

Usage Guidelines
  The purpose of the config reset command is to erase the policy database, events, and reports data. Use it only if you are certain you do not want to preserve any of the policies configured in the system or the events and reports collected from network traffic. You will not be able to undo this action.

  Resetting the system to factory defaults does not reset the device settings that you configured through the CLI, for example the management IP address and mask, gateway, DNS configuration, NTP configuration, and time settings. These values are preserved so that the device remains accessible on your network. Use the setup and other config commands if you also want to change these settings.

Examples
  The following example shows how to reset the system to factory defaults. The warning differs slightly based on the system you are resetting.

    hostname> config reset
    WARNING: You are about to erase all policy and device configurations.
    Before proceeding, remove all devices from the inventory.
    Otherwise, you must unmanage each managed ASA CX from its home page.
    The database will be reset to factory defaults.
    System setup configuration will be preserved.
    You cannot undo this action.
    Are you sure you want to proceed? [y/n]: y
    Stopping services...
    Removing settings...
    Initializing database...
    Generating certificates...
    Starting services...
    The system has been successfully reset to factory defaults.
    hostname>

Related Commands
  Command          Description
  system revert    Restores the previously installed package.
  system upgrade   Installs an upgrade package.

config restore

To restore or recover a database backup, use the config restore command.

config restore URL

Syntax
  URL    The URL of the database backup ZIP file that you want to restore. You can use the following types of URL, which must include the path and file name:
         ftp://

Command Default
  No default behavior or values.

Command Modes
  You can use this command in the following contexts:
  - ASA CX console or SSH session.
  - PRSM console or SSH session.

Command History
  Release                             Modification
  CX Software 9.0(1), PRSM 9.0(1)     This command was introduced.

Usage Guidelines
  Use the config restore command to restore a backup of the configuration database. The restore does not include event or reporting data. To create the backup, use the config backup command.

  Include the file name and full path of the backup file in the URL. You can optionally include a username and password in the following format: ftp://username[:password]@servername/path/filename.

  Typically, you can restore a database backup only if the backup was taken from the same software version that is currently running on the system. However, there might be cases where the database from an older backup is compatible with a newer software version.

  When you restore a backup to a PRSM Multiple Device mode server, the policies and configuration defined in the restored database for a managed device might differ from those currently running on the device. That is, you might have deployed changes to a device between the time the backup was taken and the current time. In this case, you will see a Version Mismatch alert in PRSM the first time you log into the restored PRSM server. For each device with a Version Mismatch alert, the recommended action is to log into the device's managed mode home page and click the re-synchronize link. If you want to preserve the currently running configuration instead, delete the device from the PRSM inventory and rediscover it.

  In Multiple Device mode, do not back up and restore individual managed CX devices. The PRSM backup includes the configurations for managed devices, so redeploying configurations should restore a device to the desired state. If you must restore a managed device from backup for an unusual disaster recovery purpose, ensure that you first switch to Single Device mode.

  For PRSM Multiple Device mode, you can also use VMware to create snapshots of the virtual machine and restore those snapshots instead of restoring a database backup. You can use both techniques to protect against different potential problems.

  Caution: If the backup file you are restoring has all passwords cleared in it, you are warned and asked if you want to proceed. You should abort the restore of backups with cleared passwords, because you will have to manually rebuild all password fields. For example, you will have to delete all devices from the PRSM Multiple Device mode inventory and add them back to reset the passwords. In all modes, you will have to define all of the following passwords: local users (except the admin user), AD/LDAP directory, CDA or AD agent, and signature updater HTTP proxy username. You must log in as the admin user after recovering a database in which passwords have been cleared. Recover a database with cleared passwords only if you have no other options for rebuilding your system.

Examples
  The following example shows how to restore a database backup.

    hostname> config restore ftp:// /backups/prsm_prsm-vm_1.0.0_04_02_2012_16_25_30.pkg
    Downloading: ftp:// /backups/prsm_prsm-vm_1.0.0_04_02_2012_16_25_30.pkg
    You need to authenticate with the server to upload/download file
    Username: ftpusername
    Password: (typing not displayed)
    Starting the database restore process...
    Please note that existing eventing and reporting data will not be restored.
    NOTE: The restore process removes the present configuration replacing it with the backed up configuration.
    Do you want to proceed with restore?(y/n)?[n]: y
    Stopping Cisco Services for restoring Database
    The database has been restored to a backup version.
    NOTE: Log into PRSM and check the inventory for Version Mismatch alerts. These alerts indicate that a managed ASA CX is running a different configuration than the one defined in the PRSM database. You must correct the mismatch. Either log into each ASA CX home page and click the resynchronize link to revert to the old configuration, or remove the device from the inventory and rediscover it to preserve the current configuration.
    Restarting Cisco Services after restoring database...
    hostname>

Related Commands
  Command         Description
  config backup   Backs up the database.
  config reset    Resets the database to factory defaults.
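Two things in the guidelines above are easy to check before typing config restore: whether the URL carries an embedded password (FTP sends it in clear text, and the URL lands in the console history; the example instead answers the Password: prompt), and whether the backup's software version matches the running system. The following script is an added example, not Cisco code and not part of this document. It parses the ftp://username[:password]@servername/path/filename form the page gives. The file-name layout (product_host_version_MM_DD_YYYY_HH_MM_SS.pkg) is inferred from the single example on this page and is an assumption, and the host name backup.example.com is constructed because the page's address is elided.

```python
"""Pre-check a config restore URL before running the command.

Added example; it is not Cisco code. It parses the ftp:// URL form the
page documents, reports an embedded password, and compares the version
encoded in the backup file name with the running software version. The
file-name layout is an assumption inferred from the one example on the
page; backup.example.com is a constructed host name.
"""
import re
from urllib.parse import urlsplit, unquote

# Assumed layout: product_host_version_MM_DD_YYYY_HH_MM_SS.pkg
BACKUP_NAME = re.compile(
    r"^(?P<product>[A-Za-z]+)_(?P<host>.+)_(?P<version>\d+(?:\.\d+)+)_"
    r"(?P<stamp>\d{2}_\d{2}_\d{4}_\d{2}_\d{2}_\d{2})\.pkg$"
)


def parse_restore_url(url):
    """Split a restore URL into its parts; raises ValueError if unusable."""
    parts = urlsplit(url)
    if parts.scheme != "ftp":
        raise ValueError(f"unsupported scheme {parts.scheme!r}; the page lists ftp:// only")
    if not parts.hostname or not parts.path or parts.path.endswith("/"):
        raise ValueError("URL must include server, path and file name")
    return {
        "server": parts.hostname,
        "username": unquote(parts.username) if parts.username else None,
        "password_embedded": parts.password is not None,
        "path": parts.path,
        "filename": parts.path.rsplit("/", 1)[-1],
    }


def backup_version(filename):
    """Software version encoded in the backup file name, or None."""
    m = BACKUP_NAME.match(filename)
    return m.group("version") if m else None


def precheck_restore(url, running_version):
    """Return a list of warnings; an empty list means nothing stood out."""
    info = parse_restore_url(url)
    warnings = []
    if info["password_embedded"]:
        warnings.append("password embedded in URL; omit it and answer the Password: prompt instead")
    version = backup_version(info["filename"])
    if version is None:
        warnings.append("file name does not look like a PRSM/CX backup")
    elif version != running_version:
        warnings.append(f"backup version {version} differs from running version {running_version}")
    return warnings


if __name__ == "__main__":
    url = "ftp://ftpusername@backup.example.com/backups/prsm_prsm-vm_1.0.0_04_02_2012_16_25_30.pkg"
    print(parse_restore_url(url))
    print(precheck_restore(url, "1.0.0"))
```

A version mismatch is a warning rather than an error because the page notes that an older backup can sometimes be compatible with a newer release; the decision stays with the operator.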

config time

To configure the local date and time when not using NTP, use the config time command.

config time

Syntax
  This command has no arguments or keywords.

Command Default
  No default behavior or values.

Command Modes
  You can use this command in the following contexts:
  - ASA CX console or SSH session.
  - PRSM console or SSH session.

Command History
  Release                             Modification
  CX Software 9.0(1), PRSM 9.0(1)     This command was introduced.

Usage Guidelines
  Note: Use the config time command only if you do not use the Network Time Protocol (NTP) to set system time. If you use the config time command, it disables NTP and the system starts using the local time you configure.

  The config time command prompts you for the date and time in the format MM/DD/YYYY HH:MM[:SS], where:
  - MM is the month, from 01 to 12.
  - DD is the day.
  - YYYY is the four-digit year.
  - HH is the hour in 24-hour notation.
  - MM is the minutes.
  - SS is the optional seconds.

  Use the config timezone command to set the time zone. Use the config ntp command to configure an NTP server. Using NTP can ensure time synchronization among the devices in your network.

  Tip: If you change the local time and you have time-based access policies, the time change will not affect policies until you restart services or midnight passes. If you do not want to wait until midnight, use services stop and services start to restart processes. Redeploying policies to the devices from the web interface will also work.

Examples
  The following example shows how to change the local system date and time. In this example, NTP was active, so setting the date and time disabled it.

    hostname> config time
    Enter the date and time [01/10/ :51:1]: 01/10/ :53
    Tue Jan 10 23:53:00 UTC :53:00
    NTP service has been disabled.

Related Commands
  Command           Description
  config ntp        Configures network time protocol (NTP) servers to set the time.
  config timezone   Configures the time zone.
  show ntp          Shows the network time protocol (NTP) servers for the system.
  show time         Shows the current system date, time, and time zone.

config timezone

To configure the time zone for the system, use the config timezone command.

config timezone

Syntax
  This command has no arguments or keywords.

Command Default
  The default time zone is UTC.

Command Modes
  You can use this command in the following contexts:
  - ASA CX console or SSH session.
  - PRSM console or SSH session.

Command History
  Release                             Modification
  CX Software 9.0(1), PRSM 9.0(1)     This command was introduced.

Usage Guidelines
  When you configure the time zone, cities or areas in the zones are displayed, and you enter the number of the city or area of the zone that you want. In some cases, the zone names themselves are listed. If an area is shown in [brackets], it is not itself a zone; when you select it, the zones contained in that area are listed. For example, selecting [America] lists cities and areas in North and South America.

Examples
  The following example shows how to change the time zone.

    hostname> config timezone
    The current time zone is: UTC
    1. [Africa]
    2. [America]
    3. [Antarctica]
    4. [Arctic]
    5. [Asia]
    6. [Atlantic]
    7. [Australia]
    8. [Brazil]
    9. [Canada]
    10. [Chile]
    11. [Etc]
    12. [Europe]
    13. [Indian]
    14. [Mexico]
    15. [Mideast]
    16. [Pacific]
    17. [US]
    18. CET
    19. CST6CDT
    20. Cuba
    ... (Some zones removed for publishing purposes)...
    Please enter your choice [Enter 'b' to go back]:
    1. Alaska
    2. Aleutian
    3. Arizona
    4. Central
    5. East-Indiana
    6. Eastern
    7. Hawaii
    8. Indiana-Starke
    9. Michigan
    10. Mountain
    11. Pacific
    12. Samoa
    Please enter your choice [Enter 'b' to go back]:
    You have chosen the Pacific time zone.
    Changing the time zone requires a process manager restart.
    Do you want to restart the process manager now? [Y]: Y
    The time zone has been changed to: PDT
    Restarting process manager...
    hostname>

Related Commands
  Command       Description
  config ntp    Configures network time protocol (NTP) servers to set the time.
  config time   Configures the local date and time.
  show ntp      Shows the network time protocol (NTP) servers for the system.
  show time     Shows the current system date, time, and time zone.

delete

To remove unneeded packet capture, core dump, or log files, use the delete command.

delete

Syntax
  This command has no arguments or keywords.

Command Default
  No default behavior or values.

Command Modes
  You can use this command in the following contexts:
  - ASA CX console or SSH session.
  - PRSM console or SSH session.

Command History
  Release                             Modification
  CX Software 9.0(1), PRSM 9.0(1)     This command was introduced.
  CX Software 9.0(2), PRSM 9.0(2)     The ability to delete log files was added.

Usage Guidelines
  Use the delete command to delete files that you no longer need. You can delete packet captures, core dumps, and system logs. Before deleting the files, you can use the support diagnostic command to upload them to an FTP server.

  If you choose to delete log files, avoid deleting active log files. You can tell the difference between active and inactive log files by looking at the file name. If the extension is simply .log, the file is active; if there is a number at the end, such as .log.4, the log should not be active. If you do need to delete an active log file, first stop services using the services stop command; after deleting the log, restart services using services start.

  Follow the command prompts to locate and delete the appropriate files.

Examples
  The following example shows how to delete a packet capture file. Type a partial name to select more than one similarly named file; all matching file names are echoed back to you for your confirmation. The file name is case-sensitive, so allow does not match Allow.

    asacx> delete
    ===Remove Files===
    1. Cores
    2. Packet Captures
    3. Logs
    Please enter your choice ([Ctrl+C] to exit): 2
    ============================
    Directory: /var/local
    files
      :37:  Allow All.pcap
      :52:  aspdrop.pcap
    Type the partial name of the file to delete ([<] to cancel) > asp
    aspdrop.pcap
    Are you sure you want to delete these files? (y/n) [Y]: y
    Deleted: /var/local/aspdrop.pcap
    Type the partial name of the file to delete ([<] to cancel) > <
    ===Remove Files===
    1. Cores
    2. Packet Captures
    Please enter your choice ([Ctrl+C] to exit): (Ctrl+C)
    asacx>

Related Commands
  Command              Description
  support diagnostic   Creates and uploads a diagnostic file for system logs, core dumps, and packet captures.
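The guidelines above give two rules that are easy to get wrong at the prompt: the partial name is matched case-sensitively against every file in the category, and a log whose name ends in plain .log is active and should stay while services run. The following script is an added example, not Cisco code and not part of this document; it models both rules so a cleanup plan can be reviewed before anything is typed into delete. The directory listings are constructed from the file names on this page plus invented log names; the Logs listing and the .gz suffix are assumptions.

```python
"""Select files for deletion the way the delete command's prompt does.

Added example; it is not Cisco code. It reproduces two rules the page
states for delete: a typed partial name selects every file whose name
contains it, matched case-sensitively (so "allow" does not match
"Allow All.pcap"), and a log file whose name ends in plain .log is active
and should not be deleted while services run, whereas a rotated suffix
such as .log.4 marks an inactive file. The listings are constructed.
"""
import re

# Constructed listings keyed by the menu categories the command shows.
LISTINGS = {
    "Packet Captures": ["Allow All.pcap", "aspdrop.pcap"],
    "Logs": ["cx.log", "cx.log.1", "cx.log.4", "messages.log", "messages.log.2.gz"],
}

ACTIVE_LOG = re.compile(r"\.log$")                    # plain .log: active
ROTATED_LOG = re.compile(r"\.log\.\d+(\.gz)?$")       # .log.N (.gz assumed): inactive


def match_partial(names, partial):
    """Files whose name contains the partial name, case-sensitively."""
    return [n for n in names if partial in n]


def classify_log(name):
    """'active', 'rotated', or 'other' by the naming rule on the page."""
    if ACTIVE_LOG.search(name):
        return "active"
    if ROTATED_LOG.search(name):
        return "rotated"
    return "other"


def plan_delete(category, partial, services_running=True):
    """Return (to_delete, held_back). held_back lists active logs that are
    kept while services run, as the page advises; stop services first
    (services stop) if they really must go."""
    matches = match_partial(LISTINGS.get(category, []), partial)
    if category != "Logs" or not services_running:
        return matches, []
    held = [n for n in matches if classify_log(n) == "active"]
    return [n for n in matches if n not in held], held


if __name__ == "__main__":
    print(plan_delete("Packet Captures", "asp"))
    print(plan_delete("Logs", "cx.log"))
```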

exit

To log out of the console session, use the exit command.

exit

Syntax
  This command has no arguments or keywords.

Command Default
  No default behavior or values.

Command Modes
  You can use this command in the following contexts:
  - ASA CX console or SSH session.
  - PRSM console or SSH session.

Command History
  Release                             Modification
  CX Software 9.0(1), PRSM 9.0(1)     This command was introduced.

Usage Guidelines
  The exit command always logs you out of the console session. There are no configuration modes to exit.

Examples
  The following example shows how to log out of the console session.

    hostname> exit
    Cisco Prime Security Manager
    You can access the Web UI from your browser using the following URL(s):
    hostname login:

Related Commands
  There are no related commands.

format

To format or reformat the system hard drive and embedded USB (eusb) flash drive, use the format command.

format

Syntax
  This command has no arguments or keywords.

Command Default
  No default behavior or values.

Command Modes
  You can use this command only in the following context:
  - ASA CX console, boot image only.

Command History
  Release              Modification
  CX Software 9.0(1)   This command was introduced.

Usage Guidelines
  Use the format command to reformat the device's hard drive and eusb drive; this process can require hours to complete. This command is available only on boot-image devices.

  Caution: Use of this command will erase all data from the drives, which cannot be undone. You will be asked to verify that you want to proceed.

Examples
  The following example shows output from the format command.

    hostname> format
    WARNING: You are about to erase all policy configurations and data.
    You cannot undo this action.
    This command will take HOURS to complete.
    Are you sure you want to proceed? [y/n]: y
    Logical volume "data" successfully removed
    Logical volume "var" successfully removed
    Logical volume "packages" successfully removed
    Logical volume "db" successfully removed
    Logical volume "log" successfully removed
    Logical volume "local" successfully removed
    Logical volume "diag_cores" successfully removed
    0 logical volume(s) in volume group "vg" now active
    Volume group "vg" successfully removed
    mdadm: stopped /dev/md0
    Command (m for help): Partition number (1-4):
    Command (m for help): The partition table has been altered!
    Calling ioctl() to re-read partition table.
    Syncing disks.
    Command (m for help): Partition number (1-4):
    Command (m for help): The partition table has been altered!
    Calling ioctl() to re-read partition table.
    Syncing disks.
    Command (m for help): Partition number (1-4):
    Command (m for help): The partition table has been altered!
    Calling ioctl() to re-read partition table.
    Syncing disks.
    Command (m for help): Selected partition 4
    Command (m for help): The partition table has been altered!
    Calling ioctl() to re-read partition table.
    Syncing disks.
    Formatting the hard drives and eusb
    Formatting first hard drive
    records in
    records out
    bytes (600 GB) copied, seconds, 135 MB/s
    Formatting second hard drive
    records in
    records out
    bytes (600 GB) copied, seconds, 134 MB/s
    Formatting eusb
    records in
    records out
    bytes (8.1 GB) copied, seconds, 26.0 MB/s
    Format Successful

Related Commands
  Command     Description
  partition   Partitions (or repartitions) the system hard drive and eusb flash drive.

help

To get a list of available commands or information on command syntax, use the help command.

{help | ?} [command_name]

Syntax
  command_name   The name of a command for which you want syntax help.

Command Default
  No default behavior or values.

Command Modes
  You can use this command in the following contexts:
  - ASA CX console or SSH session.
  - PRSM console or SSH session.

Command History
  Release                             Modification
  CX Software 9.0(1), PRSM 9.0(1)     This command was introduced.

Usage Guidelines
  Help information is available from the command line by entering the following commands:
  - help or ?, to see a list of all commands.
  - help command_name, to see the syntax for a command.
  - command_name ?, to see the options for a command. For example, show ?.
  - string?, to show the commands or keywords that match the string. For example, n?.

Examples
  The following example shows how to view the available list of commands. The command syntax (or a description) appears on the right. The syntax description for the config command indicates that there are additional options; enter config ? to see them. The list of commands differs depending on which system type and software release you are using.

    hostname> help
    show        => Display system information. Enter show ? for options
    config      => Configure the system. Enter config ? for options
    system      => Control system operation
    setup       => System Setup Wizard
    support     => Support information for TAC
    delete      => Delete files
    ping        => Ping a host to check reachability
    nslookup    => Look up an IP address or host name with the DNS servers
    traceroute  => Trace the route to a remote host
    services    => Control services on the box
    exit        => Exit the session
    help        => Get help on command syntax
    hostname> config ?
    ntp         => Configure NTP servers
    time        => Configure date and time
    timezone    => Configure time zone
    passwd      => Change the admin user password
    reset       => Reset the database to factory defaults
    backup      => Backup of the current DB snapshot is taken
    restore     => Current DB is replaced by prev snapshot of backed up DB
    hostname>

Related Commands
  There are no related commands.

i through show ntp commands

  nslookup, page 40
  partition, page 42
  ping, page 45
  services, page 47
  setup, page 49
  show addomain, page 55
  show autorestart status, page 57
  show crashinfo, page 58
  show diskusage, page 60
  show dns, page 62
  show hostname, page 64
  show hosts, page 65
  show interfaces, page 66
  show mgmt-interface, page 69
  show netstat, page 71
  show ntp, page 74

nslookup

To query the DNS server for the address associated with a host name, or the host name associated with an address, use the nslookup command.

nslookup {hostname | IP_address}

Syntax
  hostname     The DNS host name of the host whose address you are looking up.
  IP_address   The IPv4 or IPv6 address of the host whose name you are looking up.

Command Default
  No default behavior or values.

Command Modes
  You can use this command in the following contexts:
  - ASA CX console or SSH session.
  - PRSM console or SSH session.

Command History
  Release                             Modification
  CX Software 9.0(1), PRSM 9.0(1)     This command was introduced.

Usage Guidelines
  The nslookup command queries the DNS server configured for the system to determine the IP address associated with a host name. If the host has multiple addresses, all are shown. You can also do a reverse lookup, entering an IPv4 or IPv6 address to determine the host name.

  You must configure at least one DNS server using the setup command before you can use nslookup. The nslookup output indicates which DNS server was used to retrieve the information.

Examples
  The following example shows how to look up the addresses associated with a host name. In this example, the DNS server has several addresses associated with the name. The Server and its associated Address field indicate the DNS server that answered the query. The Name and associated Address fields indicate the name or IP address that was looked up and the addresses the DNS server returned for that name. All address lines include the IPv4 or IPv6 address and DNS name.

    hostname> nslookup
    Server:
    Address 1:  dns.example.com
    Name:
    Address 1:  www1.example.com
    Address 2:  www2.example.com
    Address 3:  www3.example.com
    Address 4:  www4.example.com
    Address 5:  www5.example.com
    Address 6:  www6.example.com

Related Commands
  Command    Description
  setup      Configures basic system settings, including DNS servers.
  show dns   Shows the configured DNS servers.

52 partition i through show ntp commands partition To partition (or repartition) the system hard drive and embedded USB (eusb) flash drive, use the partition command. partition Syntax This command has no arguments or keywords. Command Default No default behavior or values. Command Modes You can use this command only in the following context: ASA CX console, boot image only. Command History Release CX Software 9.0(1) Modification This command was introduced. Usage Guidelines Use the partition command to create new partition tables on the device s hard drive and eusb drive for storage of system files. This command is available only on boot-image devices. Caution Use of this command will erase all policy configurations and data, which cannot be undone. You will be asked to verify that you want to proceed. Examples The following example shows output from the partition command. hostname>partition WARNING: You are about to erase all policy configurations and data. You cannot undo this action. Are you sure you want to proceed? [y/n]:y Warning: The partition table looks like it was made for C/H/S=*/39/39 (instead of 1017/124/62). For this listing I'll assume that geometry. start: (c,h,s) expected (2,2,17) found (0,49,50) end: (c,h,s) expected (1023,38,39) found (121,38,39) Warning: The partition table looks like it was made for C/H/S=*/39/39 (instead of 1017/124/62). For this listing I'll assume that geometry. start: (c,h,s) expected (2,2,17) found (0,49,50) end: (c,h,s) expected (1023,38,39) found (121,38,39) Logical volume "data" successfully removed Logical volume "var" successfully removed Logical volume "packages" successfully removed Logical volume "db" successfully removed 42 OL

53 i through show ntp commands partition Logical volume "log" successfully removed Logical volume "local" successfully removed Logical volume "diag_cores" successfully removed 0 logical volume(s) in volume group "vg" now active Volume group "vg" successfully removed mdadm: stopped /dev/md0 Command (m for help): Partition number (1-4): Command (m for help): The partition table has been altered! Calling ioctl() to re-read partition table. Syncing disks. Command (m for help): Partition number (1-4): Command (m for help): The partition table has been altered! Calling ioctl() to re-read partition table. Syncing disks. Command (m for help): Partition number (1-4): Command (m for help): The partition table has been altered! Calling ioctl() to re-read partition table. Syncing disks. Command (m for help): Selected partition 4 Command (m for help): The partition table has been altered! Calling ioctl() to re-read partition table. Syncing disks. Disk /dev/sdb: cylinders, 255 heads, 63 sectors/track Old situation: Units = sectors of 512 bytes, counting from 0 Device Boot Start End #sectors Id System /dev/sdb Linux /dev/sdb Empty /dev/sdb Empty /dev/sdb Empty New situation: Units = sectors of 512 bytes, counting from 0 Device Boot Start End #sectors Id System /dev/sdb Linux /dev/sdb Empty /dev/sdb Empty /dev/sdb Empty Warning: no primary partition is marked bootable (active) This does not matter for LILO, but the DOS MBR will not boot this disk. Successfully wrote the new partition table... (Intervening output removed for publishing purposes)... Re-reading the partition table... If you created or changed a DOS partition, /dev/foo7, say, then use dd(1) to zero the first 512 bytes: dd if=/dev/zero of=/dev/foo7 bs=512 count=1 (See fdisk(8).) 
mke2fs (27-Jan-2009)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
inodes, blocks
blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=
block groups
8192 blocks per group, 8192 fragments per group
2032 inodes per group
Superblock backups stored on blocks:

8193, 24577, 40961, 57345, 73729, , ,
Writing inode tables: done
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 26 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
mke2fs (27-Jan-2009)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
inodes, blocks
blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=
block groups
blocks per group, fragments per group
8192 inodes per group
Superblock backups stored on blocks:
32768, 98304, , ,
(Intervening output removed for publishing purposes)...
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 34 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
Persistent partition doesn't have /etc/network/interfaces so copy it over
Persistent partition doesn't have /etc/resolv.conf so copy it over
Persistent partition doesn't have /etc/passwd so copy it over
Persistent partition doesn't have /etc/shadow so copy it over
Persistent partition doesn't have /etc/ssh/ssh_host_rsa_key so copy it over
Persistent partition doesn't have /etc/hostname so copy it over
Persistent partition doesn't have /etc/ntp.conf so copy it over
Persistent partition doesn't have /etc/hosts so copy it over
Persistent partition is there so create symbolic link /etc/network/interfaces
Persistent partition is there so create symbolic link /etc/resolv.conf
Persistent partition is there so create symbolic link /etc/ssh/
Persistent partition is there so create symbolic link /etc/hostname
Persistent partition is there so create symbolic link /etc/ntp.conf
Persistent partition is there so create symbolic link /etc/hosts
Partition Successfully Completed on the Flash

Related Commands
Command            Description
format             Formats (or reformats) the system hard drive and eusb flash drive.
show partitions    Lists current partition tables on the device's drives.

ping

To check connectivity to a host from the device or management station, use the ping command.

ping {destination_ip | destination_host_name}

Syntax
destination_ip            The IPv4 or IPv6 address of the host you are pinging.
destination_host_name     The DNS host name of the host you are pinging. You must configure DNS servers to use host names.

Command Default
No default behavior or values.

Command Modes
You can use this command in the following contexts:
- ASA CX console or SSH session.
- PRSM console or SSH session.

Command History
Release                              Modification
CX Software 9.0(1), PRSM 9.0(1)      This command was introduced.

Usage Guidelines
The ping command sends ICMP echo requests to the designated host. Unless a node along the way blocks ICMP, you should get a response, which indicates that there is a route between the device or management station and the host. Use the ping and traceroute commands to troubleshoot connectivity issues with a host.

When you enter the ping command, the ping is continuous until you press Ctrl+C. Successful responses are displayed as they happen, but unsuccessful responses are not displayed at all. Thus, if you ping an unavailable host, it might appear that the command is not working, or that it is stuck, because you will see no feedback. However, when you press Ctrl+C, you will get a summary of the ping results that indicates how many packets were sent and lost.

Examples
The following example shows ping output. The ping is stopped after six packets by pressing Ctrl+C, and a summary of the ping results is shown. Time is shown in milliseconds (ms), ttl is the time-to-live value, and the summary includes the minimum (min), average (avg), and maximum (max) round trip response times.

hostname> ping
PING ( ): 56 data bytes
64 bytes from : seq=0 ttl=117 time=7.980 ms
64 bytes from : seq=1 ttl=117 time=7.821 ms

64 bytes from : seq=2 ttl=117 time=7.892 ms
64 bytes from : seq=3 ttl=117 time=8.218 ms
64 bytes from : seq=4 ttl=117 time= ms
64 bytes from : seq=5 ttl=117 time=7.689 ms
(press Ctrl+C)
ping statistics
packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max = 7.689/8.389/ ms
hostname>

The following example shows ping output when you are pinging an unavailable or unreachable host. You would also get this output if ICMP messages are being blocked somewhere in the route to the host.

hostname> ping
PING ( ): 56 data bytes
(press Ctrl+C)
ping statistics
packets transmitted, 0 packets received, 100% packet loss
hostname>

Related Commands

Command       Description
setup         Configures basic system settings, including DNS servers.
show dns      Shows the configured DNS servers.
traceroute    Traces the route to a host.

services

To stop and restart system processes, use the services command.

services {start | stop}

Syntax
start    Start system processes.
stop     Stop system processes.

Command Default
No default behavior or values.

Command Modes
You can use this command in the following contexts:
- ASA CX console or SSH session.
- PRSM console or SSH session.

Command History
Release                              Modification
CX Software 9.0(1), PRSM 9.0(1)      This command was introduced.

Usage Guidelines
The services command is primarily useful as a troubleshooting tool. If you determine that the system is not functioning normally, you can stop processes and then restart them. Stopping and restarting processes is quicker than rebooting the system, although you might need to reboot if restarting processes does not resolve the problem.

When system processes are stopped, you cannot log into the web interface, although you can still log into the CLI console.

Examples
The following example shows how to stop processes, verify that they are stopped, and then restart them.

hostname> services stop
Are you sure you want to stop all services? [N]: y
...
hostname> show services status
Process Manager Not Running
hostname> services start
Process Manager Starting
hostname>

Related Commands

Command                 Description
show services status    Shows the status of all system processes.
system reload           Reboots the system.
system shutdown         Shuts down the system.

setup

To configure the basic properties for the system, use the setup command.

setup

Syntax
This command has no arguments or keywords.

Command Default
Defaults differ based on platform:

ASA CX
  Hostname asacx.
  IP address, mask /
  Gateway

PRSM Multiple Device mode
  Hostname prsm-vm.
  IP address, mask /
  Gateway

There is no default DNS configuration. NTP is disabled until you specify NTP servers.

Command Modes
You can use this command in the following contexts:
- ASA CX console or SSH session.
- PRSM console or SSH session.

Command History
Release                              Modification
CX Software 9.0(1), PRSM 9.0(1)      This command was introduced.
CX Software 9.3(1), PRSM 9.3(1)      Support for authenticated NTP was added.

Usage Guidelines
The setup command is a wizard that prompts you for the required information. Before you start the wizard, be sure you determine the correct input for the following values for PRSM and ASA CX:

- Host name for the system. The hostname must be fewer than 65 characters and can contain letters, numbers, and hyphens only. The first and last character must be a letter or number, and the hostname cannot be all numbers.

- The type of addressing to use for the management IP address. You can configure the following types of address: static IPv4, DHCP for IPv4, static IPv6, IPv6 stateless autoconfiguration. For the ASA CX software module, the address must be on the same subnet as the ASA management address, and the ASA management interface must be up and available. You can configure both IPv4 and IPv6 addressing. Do the following:

  IPv4 static address: Determine the IPv4 management IP address, subnet mask, and gateway.

  DHCP: Ensure there is a DHCP server that will respond on the management network.

  Note: DHCP is not recommended. The system will stop functioning correctly if DHCP changes the assigned address due to lease expiration or other reasons. We suggest you use static addressing instead.

  IPv6 static address: Determine the IPv6 management IP address, prefix length, and gateway.

  IPv6 stateless autoconfiguration: IPv6 stateless autoconfiguration will generate a global IPv6 address only if the link on which the device resides has a router configured to provide IPv6 services, including the advertisement of an IPv6 global prefix for use on the link. If IPv6 routing services are not available on the link, you will get a link-local IPv6 address only, which you cannot access outside of the device's immediate network link.

  Note: IPv6 stateless autoconfiguration assigns a global address based on the network prefix and a device identifier. Although this address is unlikely to change, if it does change, the system will stop functioning correctly. We suggest you use static addressing instead.

- DNS information.
  If you do not use DHCP, you need to specify the IP addresses (IPv4 or IPv6) of the primary and, optionally, secondary DNS servers and the local domain name. If you configure both IPv4 and IPv6 management addresses, you can enter DNS addresses in either or both formats; otherwise, you must match the format of the management address.

  You can also enter a comma-separated list of search domains, which are sequentially appended to host names that are not fully qualified in an attempt to resolve the name to an IP address. For example, a search domain list would allow you to ping www instead of a fully-qualified name such as

- NTP information. You can decide whether to configure Network Time Protocol (NTP) for system time. When using NTP, specify the NTP server names or IPv4 addresses.

  You will be asked if you want to use NTP symmetric key authentication. Authentication is useful if you want to ensure your time source is trusted. If you configure authentication, follow the prompts to add the key number (e.g. 2), key type, and key, and then assign the keys to your servers based on key number. Supported key types include MD, MD2, MD5, SHA, SHA1, MDC2, and RIPEMD160. Because the key must first be defined on the NTP server, obtain the keys from the server administrator. If you own the NTP server, consult the server documentation to learn how to configure authentication.

  Note: It is critical that system time be consistent among the CX device, its parent device, and the PRSM management server. The best solution is to use NTP servers to maintain consistent time; time zones can be different, but the relative time must be equivalent. If there is a significant time mismatch, PRSM might not be able to add a device to the inventory, for example, if the start time of the CX CA certificate generated during the installation process is later than the current time on the PRSM server. Also, event and dashboard data can be skewed.

If you change the host name or management addressing, a new self-signed certificate is generated. This certificate is used to enable HTTPS connections to the management interface.

Note: When using Multiple Device mode, do not change the management IP address without first removing the device from the PRSM inventory. You will have to delete and add the device again anyway to re-establish the management relationship between the two systems; deleting the device first allows PRSM to unmanage the device gracefully (otherwise, you will have to log into the device's web interface and manually switch it to Single Device mode).
If you change the PRSM address, first delete all devices from the inventory.

To remove a DNS server, domain name, or search domains from the configuration, run the setup command and enter N when you are asked if you want to configure the primary or secondary DNS server, domain name, or search domains. When you enter N, any existing configuration for that item is erased.

Note: If you change the host name, the prompt does not show the new name until you log out and log back in.

Example 1, Static IPv4 Management Address, IPv6 Stateless Autoconfiguration

The following example shows a typical path through the wizard, configuring a static IPv4 management address and stateless autoconfiguration for IPv6. If you enter Y instead of N at a prompt, you will be able to configure some of the additional settings mentioned above. Bold text indicates the values that you enter; replace these sample values with your own. In some cases, the entered value is the same as the default value for clarity; you could instead simply press Enter without typing any value.

asacx> setup
Welcome to Cisco Prime Security Manager Setup
[hit Ctrl-C to abort]
Default values are inside []

Enter a hostname [asacx]: asa-cx-host
Do you want to configure IPv4 address on management interface?(y/n) [Y]: Y
Do you want to enable DHCP for IPv4 address assignment on management interface? (y/n) [N]: N
Enter an IPv4 address [ ]:
Enter the netmask [ ]:
Enter the gateway [ ]:
Do you want to configure static IPv6 address on management interface?(y/n) [N]: N
Stateless autoconfiguration will be enabled for IPv6 addresses.
Enter the primary DNS server IP address [ ]:
Do you want to configure Secondary DNS Server? (y/n) [N]: N
Do you want to configure Local Domain Name? (y/n) [N] Y
Enter the local domain name: example.com
Do you want to configure Search domains? (y/n) [N] Y
Enter the comma separated list for search domains: example.com
Do you want to enable the NTP service?(y/n) [N]: Y
Enter the NTP servers separated by commas: 1.ntp.example.com, 2.ntp.example.com
Do you want to enable the NTP symmetric key authentication? [N]: N
Please review the final configuration:
Hostname: asa-cx-host
Management Interface Configuration
IPv4 Configuration: static
  IP Address:
  Netmask:
  Gateway:
IPv6 Configuration: Stateless autoconfiguration
DNS Configuration:
  Domain: example.com
  Search: example.com
  DNS Server:
NTP servers: 1.ntp.example.com 2.ntp.example.com
Apply the changes?(y,n) [Y]: Y
Configuration saved successfully!
Applying...
Restarting network services...
Restarting NTP service...
Done.
Generating self-signed certificate, the web server will be restarted after that...
Done.
Press ENTER to continue...
asacx>

Example 2, IPv4 DHCP and IPv6 Stateless Autoconfiguration

The following example shows how to configure the system to use DHCP to obtain an IPv4 address and IPv6 stateless autoconfiguration. To accept command defaults, press Enter as indicated.
prsm-vm> setup
Welcome to Cisco Prime Security Manager Setup
[hit Ctrl-C to abort]
Default values are inside []
Enter a hostname [prsm-vm]: (press Enter)
Do you want to configure IPv4 address on management interface?(y/n) [Y]: Y
Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n) [N]: Y
Do you want to configure static IPv6 address on management interface?(y/n) [N]: N
Stateless autoconfiguration will be enabled for IPv6 addresses.

Do you want to enable the NTP service?(y/n) [N]: Y
Enter the NTP servers separated by commas: 1.ntp.example.com, 2.ntp.example.com
Do you want to enable the NTP symmetric key authentication? [N]: N
Please review the final configuration:
Hostname: prsm-vm
Management Interface Configuration
IPv4 Configuration: dhcp
IPv6 Configuration: Stateless autoconfiguration
NTP servers: 1.ntp.example.com 2.ntp.example.com
Apply the changes?(y,n) [Y]: (press Enter)
Configuration saved successfully!
Applying...
Restarting network services...
Restarting NTP service...
Done.
Generating self-signed certificate, the web server will be restarted after that...
Done.
Press ENTER to continue...
prsm-vm>

Example 3, Static IPv4 and IPv6 Management Addresses

The following example shows how to configure static management addresses for both IPv4 and IPv6. If you want to configure an IPv6 address only, simply reply N when asked if you want to configure an IPv4 address. Note that you must include the prefix length when specifying the IPv6 management address, for example, 2001:DB8:0:CD30::1234/64. Do not enter the prefix length for the IPv6 gateway.

asacx> setup
Welcome to Cisco Prime Security Manager Setup
[hit Ctrl-C to abort]
Default values are inside []
Enter a hostname [asacx]: asa-cx-host
Do you want to configure IPv4 address on management interface?(y/n) [Y]: Y
Do you want to enable DHCP for IPv4 address assignment on management interface? (y/n) [N]: N
Enter an IPv4 address [ ]:
Enter the netmask [ ]:
Enter the gateway [ ]:
Do you want to configure static IPv6 address on management interface?(y/n) [N]: Y
Enter an IPv6 address: 2001:DB8:0:CD30::1234/64
Enter the gateway: 2001:DB8:0:CD30::1
Enter the primary DNS server IP address [ ]:
Do you want to configure Secondary DNS Server? (y/n) [N]: N
Do you want to configure Local Domain Name? (y/n) [N] Y
Enter the local domain name: example.com
Do you want to configure Search domains?
(y/n) [N] Y
Enter the comma separated list for search domains: example.com
Do you want to enable the NTP service?(y/n) [N]: Y
Enter the NTP servers separated by commas: 1.ntp.example.com, 2.ntp.example.com
Do you want to enable the NTP symmetric key authentication? [N]: N
Please review the final configuration:
Hostname: asa-cx-host
Management Interface Configuration
IPv4 Configuration: static
  IP Address:
  Netmask:
  Gateway:

IPv6 Configuration: static
  IP Address: 2001:DB8:0:CD30::1234/64
  Gateway: 2001:DB8:0:CD30::1
DNS Configuration:
  Domain: example.com
  Search: example.com
  DNS Server:
NTP servers: 1.ntp.example.com 2.ntp.example.com
Apply the changes?(y,n) [Y]: Y
Configuration saved successfully!
Applying...
Restarting network services...
Restarting NTP service...
Done.
Generating self-signed certificate, the web server will be restarted after that...
Done.
Press ENTER to continue...
asacx>

Related Commands

Command            Description
config ntp         Configures network time protocol (NTP) servers to set the time.
config time        Configures the local date and time.
config timezone    Configures the time zone.
show dns           Shows the configured DNS servers.
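The setup wizard applies its answers immediately and regenerates the self-signed certificate, so it pays to check the values before typing them in. The following pre-flight validator is an added example, not Cisco code: it encodes the hostname rules and the IPv6 prefix-length rules stated in the usage guidelines above, and warns where the guidelines advise against DHCP and stateless autoconfiguration. The gateway-in-subnet checks and the plan dictionary format are assumptions introduced here, and the IPv4 sample values are constructed from the 192.0.2.0/24 documentation range because the page does not preserve its own.

```python
import ipaddress
import re

# Hostname rules from the setup guidelines: fewer than 65 characters; letters,
# numbers and hyphens only; first and last a letter or number; not all numbers.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def validate_hostname(name):
    """Return the list of rule violations for a proposed host name (empty = OK)."""
    problems = []
    if len(name) >= 65:
        problems.append("hostname must be fewer than 65 characters")
    if not HOSTNAME_RE.match(name):
        problems.append("hostname may contain only letters, numbers and hyphens "
                        "and must start and end with a letter or number")
    if name.isdigit():
        problems.append("hostname cannot be all numbers")
    return problems


def validate_ipv4_static(address, netmask, gateway):
    """Check the three values the wizard asks for when IPv4 is static."""
    try:
        iface = ipaddress.IPv4Interface("%s/%s" % (address, netmask))
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        return ["invalid IPv4 value: %s" % exc]
    problems = []
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append("management address is the network or broadcast address")
    # Added check (an assumption, not a rule stated in the reference): the
    # gateway must sit in the management subnet or it is unreachable.
    if gw not in net:
        problems.append("gateway %s is outside management subnet %s" % (gw, net))
    elif gw == iface.ip:
        problems.append("gateway must differ from the management address")
    return problems


def validate_ipv6_static(address, gateway):
    """The reference requires a prefix length on the address (e.g. /64) and
    forbids one on the gateway."""
    if "/" not in address:
        return ["IPv6 address must include the prefix length, e.g. "
                "2001:DB8:0:CD30::1234/64"]
    if "/" in gateway:
        return ["IPv6 gateway must be entered without a prefix length"]
    try:
        iface = ipaddress.IPv6Interface(address)
        gw = ipaddress.IPv6Address(gateway)
    except ValueError as exc:
        return ["invalid IPv6 value: %s" % exc]
    problems = []
    if iface.ip.is_link_local:
        problems.append("a link-local management address is not reachable "
                        "beyond the local link")
    # Same added assumption as for IPv4: an off-link gateway cannot be used.
    if gw not in iface.network and not gw.is_link_local:
        problems.append("gateway %s is outside management prefix %s"
                        % (gw, iface.network))
    return problems


def validate_setup(plan):
    """Validate a planned set of wizard answers before typing them in.

    plan (a format constructed for this example):
      hostname: str
      ipv4: None, "dhcp", or {"address", "netmask", "gateway"}
      ipv6: "autoconf" or {"address", "gateway"}
    Returns {"errors": [...], "warnings": [...]}.
    """
    errors = validate_hostname(plan["hostname"])
    warnings = []
    ipv4 = plan.get("ipv4")
    if ipv4 == "dhcp":
        warnings.append("DHCP is not recommended: the system stops working "
                        "if the lease changes the address")
    elif isinstance(ipv4, dict):
        errors += validate_ipv4_static(ipv4["address"], ipv4["netmask"],
                                       ipv4["gateway"])
    ipv6 = plan.get("ipv6", "autoconf")
    if ipv6 == "autoconf":
        warnings.append("stateless autoconfiguration: only a link-local address "
                        "results without a router advertising a global prefix, "
                        "and a changed address breaks the system")
    else:
        errors += validate_ipv6_static(ipv6["address"], ipv6["gateway"])
    return {"errors": errors, "warnings": warnings}
```

For Example 3 above, validate_setup({"hostname": "asa-cx-host", "ipv4": {"address": "192.0.2.10", "netmask": "255.255.255.0", "gateway": "192.0.2.1"}, "ipv6": {"address": "2001:DB8:0:CD30::1234/64", "gateway": "2001:DB8:0:CD30::1"}}) returns no errors and no warnings.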

show addomain

To show the Active Directory (AD) domain to which the CX device is joined, use the show addomain command.

show addomain

Syntax
This command has no arguments or keywords.

Command Default
No default behavior or values.

Command Modes
You can use this command in the following contexts:
- ASA CX console or SSH session.

Command History
Release                 Modification
CX Software 9.1(1)      This command was introduced.

Usage Guidelines
Use the show addomain command to show whether the device has successfully joined an Active Directory (AD) domain. The device joins a domain if you configure an AD directory realm in the web interface. You can use this command to verify that the domain join was successful when debugging your identity policies related to an AD domain.

The output shows the name of the device, the domain, and the distinguished name for the device. If the device has not joined a domain, the domain name is blank and no distinguished name is shown.

Examples
The following example shows the expected output if the device has not joined a domain, followed by what you should see after configuring an AD directory realm in the web interface and committing your changes. You cannot configure the AD directory realm using CLI commands, so the configuration is not shown here.

asacx> show addomain
Name = asacx
Domain =
asacx>

Log into the web interface and configure the directory realm. Commit your changes.

asacx> show addomain
Name = asacx
Domain = DOMAIN.EXAMPLE.COM
Distinguished Name = CN=ASACX,CN=Computers,DC=domain,DC=example,DC=com
asacx>

Related Commands
There are no related commands.

show autorestart status

To show the current autorestart setting for the CX device, use the show autorestart status command.

show autorestart status

Syntax
This command has no arguments or keywords.

Command Default
No default behavior or values.

Command Modes
You can use this command in the following contexts:
- ASA CX console or SSH session.

Command History
Release                 Modification
CX Software 9.0(1)      This command was introduced.

Usage Guidelines
Use the show autorestart status command to show the current status of the autorestart option. If you want to change it, use the config advanced command.

Examples
The following example shows how to display the current status for autorestart.

hostname> show autorestart status
autorestart option is currently set to on
hostname>

Related Commands

Command            Description
config advanced    Configures autorestart.

show crashinfo

To display the crashinfo files generated during a system failure, use the show crashinfo command. The crashinfo files are primarily for use by the Cisco Technical Assistance Center (TAC) when you are working with them to resolve a problem.

show crashinfo

Syntax
This command has no arguments or keywords.

Command Default
No default behavior or values.

Command Modes
You can use this command in the following contexts:
- ASA CX console or SSH session.

Command History
Release                 Modification
CX Software 9.3(1)      This command was introduced.

Usage Guidelines
The generation of crashinfo files is enabled by default. These files are created during system failures and contain condensed versions of core dumps, to help diagnose the problem with the Cisco Technical Assistance Center (TAC). Crashinfo files that are 100 KB or less are also included in the show tech-support output.

These files are not generated if you used the config advanced crashinfo disable command. If you disabled crashinfo generation, use config advanced crashinfo enable, then repeat the actions that led to the problem. You can then display the crashinfo files.

Examples
The following example shows how to display a crashinfo file. Follow the displayed instructions for selecting files and exiting the command.

asacx> show crashinfo
Crashinfo files (/var/data/cores)
:13: crashinfo.dp_smp
:13: crashinfo.dp_smp
:13: crashinfo.monocle
Type the name of the file to view ([Ctrl+C] to exit) > crashinfo.monocle
Process Name: monocle
Signal No.: 6
Thread id:
Register dump from crashing thread
...(diagnostic output removed for publishing purposes)

Related Commands

Command                      Description
config advanced crashinfo    Enables or disables the generation of crashinfo files.
support diagnostic           Creates and uploads a diagnostic file for system logs, core dumps, and packet captures.

show diskusage

To show hard disk usage information, including space allocated and used, use the show diskusage command.

show diskusage

Syntax
This command has no arguments or keywords.

Command Default
No default behavior or values.

Command Modes
You can use this command in the following contexts:
- ASA CX console or SSH session.
- PRSM console or SSH session.

Command History
Release                              Modification
CX Software 9.0(1), PRSM 9.0(1)      This command was introduced.

Usage Guidelines
You can view the current status of the hard disk drives and file systems allocated by the system. When configuring PRSM, use the standard VMware procedures for adding or removing disk space. CX devices automatically manage hard disk space.

For each file system, the information includes the size, the amount of space available, and the percentage used.

Examples
The following example shows how to display disk space usage information for PRSM. Note that the /var/data file system is a secondary disk and is used for event and report data storage. If you add disks to the virtual machine, the additional space is added to this file system.

hostname> show diskusage
FILESYSTEM        SIZE     AVAILABLE   USE%
/                 2.9G     2.2G        21%
/boot             290.1M   261.2M      5%
/var              2.0G     1.8G        2%
/var/db           3.9G     3.7G        1%
/var/packages     7.9G     6.5G        13%
/var/diagnostics  5.9G     5.4G        3%
/var/log          3.9G     3.6G        3%
/var/local        3.9G     3.7G        1%
/var/data         252.0G   237.5G      1%
hostname>

The following example shows how to display disk usage for ASA CX.

hostname> show diskusage
FILESYSTEM       SIZE    AVAILABLE   USE%
/                17.7G   8.2G        51%
/usr/data/xsa    5.9G    5.5G        2%
No secondary disk(s) found. /var/data uses the primary disk.
hostname>

Related Commands

Command                 Description
show raid               Shows RAID status.
show services status    Shows the current status of system processes.

show dns

To show the DNS servers configured for the system, use the show dns command.

show dns

Syntax
This command has no arguments or keywords.

Command Default
No default behavior or values.

Command Modes
You can use this command in the following contexts:
- ASA CX console or SSH session.
- PRSM console or SSH session.

Command History
Release                              Modification
CX Software 9.0(1), PRSM 9.0(1)      This command was introduced.

Usage Guidelines
Use the setup command to configure the DNS servers. The show dns command displays the servers and the search domains defined in the setup.

Examples
The following example shows how to display the DNS servers. The servers are in priority order: the second server is contacted only if the first one is unavailable or cannot resolve a host name. The search domain listing is shown only if you configured one; these domains are added to host names that are not fully-qualified, for example, if you enter a host name on the ping command.

hostname> show dns
Local domain:
domain example.com
Search domain:
search example.com
DNS servers:
nameserver
nameserver
hostname>

Related Commands

Command    Description
setup      Configures basic system settings, including DNS servers.

show hostname

To show the system host name, use the show hostname command.

show hostname

Syntax
This command has no arguments or keywords.

Command Default
No default behavior or values.

Command Modes
You can use this command in the following contexts:
- ASA CX console or SSH session.
- PRSM console or SSH session.

Command History
Release                              Modification
CX Software 9.0(1), PRSM 9.0(1)      This command was introduced.

Usage Guidelines
Use the setup command to configure the host name for the system. The show hostname command displays the host name configured in the setup. Note that the host name is also shown in the CLI prompt.

Examples
The following example shows how to display the host name.

hostname> show hostname
hostname
hostname>

Related Commands

Command    Description
setup      Configures basic system settings, including DNS servers.

show hosts

To display the system host table, use the show hosts command.

show hosts

Syntax
This command has no arguments or keywords.

Command Default
No default behavior or values.

Command Modes
You can use this command in the following contexts:
- ASA CX console or SSH session.
- PRSM console or SSH session.

Command History
Release                              Modification
CX Software 9.0(1), PRSM 9.0(1)      This command was introduced.

Usage Guidelines
Use the show hosts command to display the contents of the system host table. The host table is used to perform address lookups for host names prior to doing a DNS lookup. Although you cannot update the host table yourself, the system creates a host table for you. If an entry in the host table is preventing the system from correctly addressing a host name, contact the Cisco Technical Assistance Center (TAC) for help.

Examples
The following example shows the host table. There is a single entry for the loopback IP address, equating three host names to the address.

hostname> show hosts
asacx.example.com asacx localhost
hostname>

Related Commands

Command          Description
show hostname    Shows the system host name.

show interfaces

To view system interface statistics, use the show interfaces command.

show interfaces

Syntax
This command has no arguments or keywords.

Command Default
No default behavior or values.

Command Modes
You can use this command in the following contexts:
- ASA CX console or SSH session.
- PRSM console or SSH session.

Command History
Release                              Modification
CX Software 9.0(1), PRSM 9.0(1)      This command was introduced.

Usage Guidelines
Use the interface statistics to troubleshoot system problems such as an inability to make a browser connection to the management interface. System interfaces are involved in handling management connections to the system and in general system functioning. There are two system interfaces of interest:
- eth0 is the management interface. Use the setup command to configure the IP address, netmask, and gateway for this interface.
- lo is the loopback interface.

Examples
The following example shows how to display system interface statistics.

hostname> show interfaces
eth0      Link encap:Ethernet  HWaddr 00:50:56:AA:00:7A
          inet addr:  Bcast:  Mask:
          inet6 addr: fe80::250:56ff:feaa:7a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets: errors:1 dropped:1 overruns:0 frame:0
          TX packets: errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes: (155.3 MiB)  TX bytes: (44.9 MiB)
          Interrupt:19 Base address:0x2000

lo        Link encap:Local Loopback
          inet addr:  Mask:
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1

          RX packets:3696 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3696 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes: (453.5 KiB)  TX bytes: (453.5 KiB)
hostname>

The fields are explained in the following table.

Table 1: Show Interfaces Display Fields

Field         Description
Link encap    The type of interface, for example, Ethernet or Local Loopback.
HWaddr        The hardware address (MAC address) for the interface, if any.
inet addr     The IPv4 address of the interface.
Bcast addr    The broadcast address of the interface.
Mask          The subnet mask.
inet6 addr    The IPv6 address of the interface, including the prefix length.
Scope         The scope of the IPv6 address:
              Host: Limited to this host.
              Link: A link-local address, limited to the network link to which the system is connected. The address is not routed outside the link.
              Site: A site-local address, limited to the network at the site. Border routers do not advertise the address outside the site.
              Global: A global address, which can be routed on the Internet. A static IPv6 address is a global address.
(flags)       A series of words in uppercase that indicate characteristics of the interface. For example:
              UP: The interface is administratively active.
              BROADCAST: There is a broadcast address for the interface.
              LOOPBACK: The interface is a loopback interface.
              RUNNING: The interface is operational.
              MULTICAST: The interface can receive and send multicast packets.
MTU           The maximum transmission unit.
Metric        The routing metric, which indicates the relative cost of the route.
RX packets    Statistics for received packets, including the number received error-free, the number of packets with errors, the number dropped, and the number lost due to overruns.

TX packets           Statistics for transmitted packets, including the number sent error-free, the number of packets with errors, the number dropped, the number lost due to overruns, the number of collisions, and the transmit queue length.
RX bytes, TX bytes   The number of bytes sent and received.

Related Commands

Command                 Description
show diskusage          Shows the disks configured on the system.
show netstat            Shows network statistics.
show services status    Shows the current status of system processes.
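When the management interface cannot be reached from a browser, the fields in Table 1 are what you read off the show interfaces output: the UP and RUNNING flags, whether eth0 has an address that is not merely link-local, and the error and drop counters. The parser below is an added example, not Cisco code: it turns the output into a dictionary per interface and reports the conditions just listed. The sample output is constructed in the layout shown above (the addresses and counters are made up, since the page does not preserve its own), and the eth0 default for the management interface name comes from the usage guidelines.

```python
import re

# Constructed sample in the layout of the reference's show interfaces output;
# addresses and counters are made up (the original's were not preserved).
SAMPLE = """\
eth0      Link encap:Ethernet  HWaddr 00:50:56:AA:00:7A
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:feaa:7a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1200543 errors:1 dropped:1 overruns:0 frame:0
          TX packets:884120 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:162871234 (155.3 MiB)  TX bytes:47088640 (44.9 MiB)
          Interrupt:19 Base address:0x2000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:3696 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3696 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:464384 (453.5 KiB)  TX bytes:464384 (453.5 KiB)
"""

RX_RE = re.compile(r"RX packets:(\d+) errors:(\d+) dropped:(\d+) overruns:(\d+) frame:(\d+)")
TX_RE = re.compile(r"TX packets:(\d+) errors:(\d+) dropped:(\d+) overruns:(\d+) carrier:(\d+)")


def _grab(pattern, text):
    """First capture group of pattern in text, or None when absent."""
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_interfaces(text):
    """Turn show interfaces output into {name: fields}, one entry per interface."""
    result = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        name = lines[0].split()[0]          # interface name leads the first line
        rx = RX_RE.search(block)
        tx = TX_RE.search(block)
        flags_line = next((l for l in lines if "MTU:" in l), "")
        result[name] = {
            "encap": _grab(r"Link encap:(.+?)(?:\s{2,}|$)", lines[0]),
            "hwaddr": _grab(r"HWaddr (\S+)", block),
            "inet": _grab(r"inet addr:(\S+)", block),
            "bcast": _grab(r"Bcast:(\S+)", block),
            "mask": _grab(r"Mask:(\S+)", block),
            "inet6": _grab(r"inet6 addr:\s*(\S+)", block),
            "scope": _grab(r"Scope:(\S+)", block),
            # the flag words are the all-uppercase tokens on the MTU line
            "flags": {w for w in flags_line.split() if w.isupper() and ":" not in w},
            "mtu": int(_grab(r"MTU:(\d+)", block) or 0),
            "metric": int(_grab(r"Metric:(\d+)", block) or 0),
            "rx": dict(zip(("packets", "errors", "dropped", "overruns", "frame"),
                           map(int, rx.groups()))) if rx else {},
            "tx": dict(zip(("packets", "errors", "dropped", "overruns", "carrier"),
                           map(int, tx.groups()))) if tx else {},
            "collisions": int(_grab(r"collisions:(\d+)", block) or 0),
            "txqueuelen": int(_grab(r"txqueuelen:(\d+)", block) or 0),
            "rx_bytes": int(_grab(r"RX bytes:(\d+)", block) or 0),
            "tx_bytes": int(_grab(r"TX bytes:(\d+)", block) or 0),
        }
    return result


def findings(ifaces, mgmt="eth0"):
    """Conditions worth reporting when the management interface is unreachable.
    Returns human-readable strings; an empty list means nothing stood out."""
    out = []
    m = ifaces.get(mgmt)
    if m is None:
        return ["%s: management interface missing from output" % mgmt]
    if not {"UP", "RUNNING"} <= m["flags"]:
        out.append("%s: not UP and RUNNING" % mgmt)
    # A link-local IPv6 address alone is not reachable beyond the local link.
    if m["inet"] is None and (m["inet6"] is None or m["scope"] == "Link"):
        out.append("%s: no routable address (none, or link-local IPv6 only)" % mgmt)
    for name, i in ifaces.items():
        for d in ("rx", "tx"):
            for counter in ("errors", "dropped", "overruns"):
                if i[d].get(counter):
                    out.append("%s: %s %s=%d" % (name, d.upper(), counter, i[d][counter]))
        if i["collisions"]:
            out.append("%s: collisions=%d" % (name, i["collisions"]))
    return out
```

On the sample, findings(parse_interfaces(SAMPLE)) reports the one received error and one drop on eth0, the same non-zero counters visible in the page's own output above.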

show mgmt-interface

To view configuration information about the management interface, use the show mgmt-interface command.

show mgmt-interface https ciphers

Syntax

https ciphers   View the list of HTTPS ciphers currently allowed for connections to the management interface (the interface you use to configure the device), and the available ciphers that you could configure instead.

Command Default

No default behavior or values.

Command Modes

You can use this command in the following contexts:
ASA CX console or SSH session.
PRSM console or SSH session.

Command History

Release                            Modification
CX Software 9.3(1), PRSM 9.3(1)    This command was introduced.

Usage Guidelines

Use the show mgmt-interface command to view information about the management interface for the device, which is the interface you connect to with a browser to configure the device. You can configure the interface properties, including the allowed cipher list, using the config mgmt-interface command.

The cipher names are OpenSSL cipher suite names. Entries whose names do not begin with ECDHE or DHE (for example, AES128-SHA) use static RSA key exchange and do not provide forward secrecy, so review the configured list rather than assuming the default set is appropriate for a management interface.

Examples

The following example shows the currently allowed HTTPS ciphers and the list of available ciphers. The available list is truncated here.

prsm-vm> show mgmt-interface https ciphers
Currently-configured ciphers:
1. ECDHE-ECDSA-AES128-SHA
2. DHE-RSA-AES128-SHA
3. ECDHE-RSA-AES128-SHA
4. DHE-RSA-AES128-SHA
5. DHE-RSA-CAMELLIA128-SHA
6. AES128-SHA
All available ciphers:
1. AES128-GCM-SHA
2. AES128-SHA
...
66. SRP-RSA-AES-128-CBC-SHA
67. SRP-RSA-AES-256-CBC-SHA

Related Commands

Command                                Description
config mgmt-interface https ciphers    Configures which ciphers to allow on the management interface.
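The following script is an added example and is not part of the command reference or the product. It parses the numbered cipher lists printed by show mgmt-interface https ciphers (captured output pasted into a string) and flags, for each configured cipher, the properties an operator would normally not want on a management interface: no forward secrecy, SRP password-based key exchange, or a CBC/HMAC construction with no AEAD. The sample output below is constructed for the example; the cipher names follow OpenSSL naming, which is what the command prints.

```python
"""Audit the cipher list printed by 'show mgmt-interface https ciphers'.

Added example, not product code. Parses the captured CLI output and
flags configured ciphers that lack forward secrecy, use SRP, or are
not AEAD. The sample output is constructed for the example.
"""
import re

# Constructed sample output; names are OpenSSL cipher suite names.
SAMPLE_OUTPUT = """\
prsm-vm> show mgmt-interface https ciphers
Currently-configured ciphers:
1. ECDHE-ECDSA-AES128-SHA
2. DHE-RSA-AES128-SHA
3. ECDHE-RSA-AES128-SHA
4. AES128-SHA
5. SRP-RSA-AES-128-CBC-SHA
All available ciphers:
1. AES128-GCM-SHA256
2. AES128-SHA
3. ECDHE-RSA-AES256-GCM-SHA384
"""

# One numbered entry per line, e.g. "3. ECDHE-RSA-AES128-SHA"
_ENTRY = re.compile(r"^\s*\d+\.\s+(?P<name>[A-Z0-9-]+)\s*$")


def parse_cipher_lists(text):
    """Return {'configured': [...], 'available': [...]} from the CLI output."""
    result = {"configured": [], "available": []}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Currently-configured ciphers"):
            section = "configured"
            continue
        if stripped.startswith("All available ciphers"):
            section = "available"
            continue
        m = _ENTRY.match(line)
        if m and section:
            result[section].append(m.group("name"))
    return result


def cipher_issues(name):
    """Reasons an OpenSSL cipher name is weak for a management interface.

    Returns an empty list when no issue is found. The checks rely on the
    OpenSSL naming convention: ECDHE-/DHE- prefixes mean ephemeral key
    exchange, SRP- means password-based key exchange, GCM/CCM/CHACHA20
    mean an AEAD mode, and a trailing -SHA means an HMAC-SHA1 MAC.
    """
    issues = []
    if name.startswith("SRP-"):
        issues.append("SRP password-based key exchange")
    elif not name.startswith(("ECDHE-", "DHE-", "EDH-")):
        issues.append("no forward secrecy (static RSA key exchange)")
    if not any(tag in name for tag in ("GCM", "CCM", "CHACHA20")):
        issues.append("CBC/HMAC cipher, no AEAD")
    if name.endswith("-SHA"):
        issues.append("SHA-1 HMAC")
    return issues


def audit(text):
    """Map each configured cipher to its list of issues ([] means clean)."""
    return {c: cipher_issues(c) for c in parse_cipher_lists(text)["configured"]}


def recommended_subset(text):
    """Available ciphers with no issues: candidates for config mgmt-interface."""
    return [c for c in parse_cipher_lists(text)["available"] if not cipher_issues(c)]


if __name__ == "__main__":
    for cipher, problems in audit(SAMPLE_OUTPUT).items():
        print(f"{cipher:32s} {'OK' if not problems else '; '.join(problems)}")
    print("clean choices from the available list:", recommended_subset(SAMPLE_OUTPUT))
```

Paste the real output into SAMPLE_OUTPUT (or read it from a file) and compare the result of recommended_subset against what you intend to set with config mgmt-interface https ciphers; the audit only reads names, so confirm the final policy from outside the device with an independent TLS scan of the management port.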

show netstat

To view network statistics to help when troubleshooting system problems with the Cisco Technical Assistance Center (TAC), use the show netstat command.

show netstat

Syntax

This command has no arguments or keywords.

Command Default

No default behavior or values.

Command Modes

You can use this command in the following contexts:
ASA CX console or SSH session.
PRSM console or SSH session.

Command History

Release                            Modification
CX Software 9.0(1), PRSM 9.0(1)    This command was introduced.

Usage Guidelines

The show netstat command is an aid for troubleshooting problems with Cisco TAC. It is not a command to use for normal operations or initial troubleshooting. The command output is divided into two sections, which include the following information.

Table 2: Show Netstat Display Fields

Active Internet Connections   A list of network connection sockets. The table includes the following fields:
  Proto             The protocol used in the connection, TCP or UDP.
  Recv-Q            The number of bytes in the receive queue that the local client has not yet copied.
  Send-Q            The number of bytes in the send queue that have not been acknowledged by the remote (foreign) host.
  Local Address     The IP address or host name and port number of the local end of the connection.
  Foreign Address   The IP address or host name and port number of the remote end of the connection.

  State             The current condition of the connection:
                    ESTABLISHED: The socket has an established connection.
                    SYN_SENT: The socket is trying to establish a connection.
                    SYN_RECV: A connection request has been received from the network.
                    FIN_WAIT1: The socket is closed and the connection is shutting down.
                    FIN_WAIT2: The connection is closed and the socket is waiting for a shutdown from the remote end.
                    TIME_WAIT: The socket is closed but is waiting to handle packets that are still in the network.
                    CLOSED: The socket is not being used.
                    CLOSE_WAIT: The remote end has shut down the connection and the socket is waiting for the local application to close it.
                    LAST_ACK: The remote end has shut down the connection, the socket is closed, and it is waiting for the final acknowledgment.
                    CLOSING: Both the local and remote sockets are shutting down, but not all data has been sent yet.
                    UNKNOWN: The state of the connection is not known.

Active UNIX Domain Sockets   A list of UNIX domain sockets. The table includes the following fields:
  Proto    The protocol used by the socket, typically unix.
  RefCnt   The number of processes attached through the socket.
  Flags    The only flag of interest is ACC, which appears on unconnected sockets whose processes are waiting for a connection request.
  Type     The type of socket:
           DGRAM: Datagram (connectionless) socket.
           STREAM: Stream (connection) socket.
           RAW: Raw socket.
           RDM: Reliably-delivered message socket.
           SEQPACKET: Sequential packet socket.
           PACKET: Raw interface access socket.

  State    The state of the socket:
           FREE: The socket is not allocated.
           LISTENING: The socket is listening for a connection request.
           CONNECTING: The socket is in the process of establishing a connection.
           CONNECTED: The socket is connected.
           DISCONNECTED: The socket is disconnecting.
           (Empty, blank): The socket is not connected to another socket.
  I-Node   The inode number of the socket.
  Path     The file system path of the process connected to the socket.

Examples

The following example shows how to display network statistics. The output has been edited for brevity, and the addresses are not shown.

hostname> show netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp                 :                       :4466                   ESTABLISHED
tcp                 :                       :4466                   ESTABLISHED
tcp                 :                       :4466                   ESTABLISHED
tcp                 :                       :4466                   ESTABLISHED
tcp                 :                       :4466                   ESTABLISHED
tcp        0      0 ::ffff: % :4466         ::ffff: :41385          ESTABLISHED
tcp        0      0 ::ffff: % :4466         ::ffff: :41388          ESTABLISHED
tcp        0      0 ::ffff: % :4466         ::ffff: :41387          ESTABLISHED
tcp        0      0 ::ffff: % :4466         ::ffff: :41386          ESTABLISHED
tcp        0      0 ::ffff: % :4466         ::ffff: :41384          ESTABLISHED
tcp                 ::ffff: % :22           ::ffff: :4149           ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  8      [ ]         DGRAM                           /dev/log
unix  2      [ ]         DGRAM
... (Remaining output removed for publishing purposes)
hostname>

Related Commands

Command                Description
show diskusage         Shows the disks configured on the system.
show interfaces        Shows the status of system interfaces.
show services status   Shows the current status of system processes.
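The following script is an added example, not part of the command reference. It parses the Active Internet connections section of show netstat into records and then answers two questions that come up when reviewing a device during an incident: which remote hosts hold established sessions to the SSH port (22) and the port the reference output shows for management sessions (4466), and whether any of them sit outside the subnet that is supposed to reach the management interface. IPv4-mapped IPv6 addresses such as ::ffff:192.0.2.20%2:4466 (the %2 is a scope identifier) are normalized to plain IPv4. The sample output, its addresses and the 192.0.2.0/24 management subnet are constructed for the example; only the port numbers come from the reference.

```python
"""Parse the 'Active Internet connections' section of 'show netstat'.

Added example, not product code. Builds socket records from captured
CLI output and lists remote peers holding admin sessions. The sample
output and the allowed subnet are constructed for the example.
"""
import ipaddress
from collections import Counter

# Constructed sample output (documentation addresses from RFC 5737).
SAMPLE_OUTPUT = """\
hostname> show netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address            Foreign Address          State
udp        0      0 192.0.2.20:123           192.0.2.53:123
tcp        0      0 ::ffff:192.0.2.20%2:4466 ::ffff:192.0.2.10:41385  ESTABLISHED
tcp        0      0 ::ffff:192.0.2.20%2:22   ::ffff:192.0.2.99:4149   ESTABLISHED
tcp        0      0 ::ffff:192.0.2.20%2:22   ::ffff:203.0.113.7:51022 ESTABLISHED
tcp        0      0 192.0.2.20:22            198.51.100.4:50010       TIME_WAIT
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  8      [ ]         DGRAM                    1234   /dev/log
"""

ADMIN_PORTS = (22, 4466)   # SSH and the management port seen in the reference output


def split_endpoint(endpoint):
    """Split 'addr:port' into (ip_address, port).

    Handles IPv4-mapped IPv6 forms such as '::ffff:192.0.2.20%2:4466':
    the scope id after '%' is dropped and the mapped IPv4 address is
    returned so that subnet checks work on a single address family.
    """
    addr, _, port = endpoint.rpartition(":")
    addr = addr.split("%", 1)[0]
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return ip, int(port)


def parse_internet_connections(text):
    """Return one dict per row of the 'Active Internet connections' table."""
    rows = []
    in_section = False
    for line in text.splitlines():
        if line.startswith("Active Internet connections"):
            in_section = True
            continue
        if line.startswith("Active UNIX domain sockets"):
            break
        if not in_section or line.startswith("Proto"):
            continue
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        local_ip, local_port = split_endpoint(parts[3])
        foreign_ip, foreign_port = split_endpoint(parts[4])
        rows.append({
            "proto": parts[0],
            "recv_q": int(parts[1]),
            "send_q": int(parts[2]),
            "local_ip": local_ip, "local_port": local_port,
            "foreign_ip": foreign_ip, "foreign_port": foreign_port,
            "state": parts[5] if len(parts) > 5 else "",   # UDP rows have no state
        })
    return rows


def established_peers(rows, local_ports=ADMIN_PORTS):
    """Count ESTABLISHED sessions per remote host on the given local ports."""
    counts = Counter()
    for r in rows:
        if r["state"] == "ESTABLISHED" and r["local_port"] in local_ports:
            counts[str(r["foreign_ip"])] += 1
    return counts


def peers_outside(rows, allowed_net, local_ports=ADMIN_PORTS):
    """Remote hosts with ESTABLISHED admin sessions from outside allowed_net."""
    net = ipaddress.ip_network(allowed_net)
    return sorted({str(r["foreign_ip"]) for r in rows
                   if r["state"] == "ESTABLISHED"
                   and r["local_port"] in local_ports
                   and r["foreign_ip"] not in net})


if __name__ == "__main__":
    rows = parse_internet_connections(SAMPLE_OUTPUT)
    print("admin sessions per peer:", dict(established_peers(rows)))
    print("peers outside 192.0.2.0/24:", peers_outside(rows, "192.0.2.0/24"))
```

The output of the real command omits listening sockets ("w/o servers"), so this only shows live sessions; a peer reported by peers_outside is worth correlating with the SSH and web login records before assuming it is an administrator.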

show ntp

To view the currently configured network time protocol (NTP) servers and their associations, use the show ntp command.

show ntp

Syntax

This command has no arguments or keywords.

Command Default

No default behavior or values.

Command Modes

You can use this command in the following contexts:
ASA CX console or SSH session.
PRSM console or SSH session.

Command History

Release                            Modification
CX Software 9.0(1), PRSM 9.0(1)    This command was introduced.
CX Software 9.3(1), PRSM 9.3(1)    The contents of the configuration and key files were added to the output.

Usage Guidelines

Use the setup or config ntp command to configure the NTP servers. The show ntp command displays the configured servers along with information about their association to other NTP servers. The output includes a table of NTP servers followed by the contents of the NTP configuration file and, if you use authenticated NTP, the key file.

Because the key file is printed in the clear, the output of show ntp contains the shared NTP authentication key. Restrict who can run the command, and remove the key before pasting the output into a ticket or log.

The NTP table includes the following columns:

Leading character   The first character in a display line (the tally code) is one of the following:
  *         The current time source (the system peer).
  #         The peer is selected, but the distance exceeds the maximum value.
  o         The peer is selected and pulse per second (PPS) is used.
  +         The peer is selected and included in the final set.
  x         The peer is a falseticker.
  .         The peer is selected from the end of the candidate list.

  -         The peer is discarded by the cluster algorithm.
  (blank)   The peer is discarded because of high stratum or because it failed sanity checking.

Remote   The name or address of the remote peer (the configured NTP server).

Refid    The source to which the peer is synchronized, if any. Possible values are:
  IP address   The remote NTP peer or server.
  .LOCL.   This local host, which might occur when there are no remote peers or servers available.
  .PPS.    Pulse Per Second from a time standard.
  .IRIG.   Inter-Range Instrumentation Group time code.
  .ACTS.   American NIST time standard telephone modem.
  .NIST.   American NIST time standard telephone modem.
  .PTB.    German PTB time standard telephone modem.
  .USNO.   American USNO time standard telephone modem.
  .CHU.    CHU (HF, Ottawa, ON, Canada) time standard radio receiver.
  .DCFa.   DCF77 (LF, Mainflingen, Germany) time standard radio receiver.
  .HBG.    HBG (LF, Prangins, Switzerland) time standard radio receiver.
  .JJY.    JJY (LF, Fukushima, Japan) time standard radio receiver.
  .MSF.    MSF (LF, Anthorn, Great Britain) time standard radio receiver.
  .TDF.    TDF (MF, Allouis, France) time standard radio receiver.
  .WWV.    WWV (HF, Ft. Collins, CO, America) time standard radio receiver.
  .WWVB.   WWVB (LF, Ft. Collins, CO, America) time standard radio receiver.
  .WWVH.   WWVH (HF, Kauai, HI, America) time standard radio receiver.
  .GOES.   American Geosynchronous Orbit Environment Satellite.
  .GPS.    American Global Positioning System.
  .GAL.    Galileo European GNSS.
  .ACST.   Manycast server.
  .AUTH.   Authentication error.
  .AUTO.   Autokey sequence error.
  .BCST.   Broadcast server.
  .CRYPT.  Autokey protocol error.
  .DENY.   Access denied by server.
  .INIT.   Association initialized.
  .MCST.   Multicast server.

  .RATE.   Polling rate exceeded.
  .TIME.   Association timeout.
  .STEP.   Step time change; the offset is less than the panic threshold (1000 ms) but greater than the step threshold (125 ms).

ST       The stratum of the peer.
T        The association type: l (local), u (unicast, the most common type), m (multicast), b (broadcast), or - (network address).
When     The time since the last NTP packet was received from the peer, in seconds.
Poll     The polling interval, in seconds.
Reach    An 8-bit shift register, printed in octal, that records whether each of the last eight polls of the peer succeeded. A value of 377 indicates that all eight attempts were successful; 0 means the peer has not answered any of them.
Delay    The round-trip time, in milliseconds, to receive a reply from the peer.
Offset   The offset of the peer clock relative to the local clock, in milliseconds.
Jitter   The estimated variation between samples, in milliseconds.

Examples

The following example shows how to view the NTP server configuration and associations. The numeric columns are not shown.

hostname> show ntp
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+ntp-m.example.c                    u
*ntp-rt.example. .GPS.            1 u

The following example shows what you see if you have not enabled NTP. In this case, local time is being used.

hostname> show ntp
NTP service is disabled
hostname>

The following example shows how the key configuration appears when you configure authenticated NTP. The NTP configuration file shows the key assignments, and the key file shows the keys. Note that the first server has not yet synchronized (refid .INIT., stratum 16).

prsm-vm> show ntp
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 svel-ntp.exampl .INIT.          16 u
 ntp2.example.co .GPS.            1 u
Current NTP Configuration:
Configuration in ntp.conf:
enable auth

trustedkey 2
server svel-ntp.example.com key 2
server ntp2.example.com
Configuration in ntp.keys:
2 md5 VrBGb<LY9ua5F@B
prsm-vm>

Related Commands

Command           Description
config ntp        Configures network time protocol (NTP) servers to set the time.
config time       Configures the local date and time.
config timezone   Configures the time zone.
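The following script is an added example, not part of the command reference. It parses the peer table from show ntp (tally character, remote, refid, st, t, when, poll, reach, delay, offset, jitter), decodes the octal reach register, and reports the conditions the column descriptions call out: no peer selected as the system time source, a peer still in .INIT. or carrying an error refid such as .AUTH. or .DENY., stratum 16, and missed polls. Accurate time on the device matters for log correlation and for certificate validity checks, so these are the first things to look at when timestamps disagree. The sample table is constructed for the example and its values are not from a real device.

```python
"""Sanity-check the NTP peer table printed by 'show ntp'.

Added example, not product code. Parses the ntpq-style association
table, decodes the octal reach register and reports unhealthy peers.
The sample output is constructed for the example.
"""
import re

# Constructed sample table; host names follow the reference's examples.
SAMPLE_OUTPUT = """\
prsm-vm> show ntp
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 svel-ntp.exampl .INIT.          16 u    -   64    0    0.000    0.000   0.000
*ntp2.example.co .GPS.            1 u   34   64  377    0.512   -0.103   0.044
+ntp-m.example.c 192.0.2.5        2 u   12   64  357    1.204    0.451   0.201
 ntp-bad.example .AUTH.          16 u    -   64    0    0.000    0.000   0.000
"""

# Refids that the reference lists as error or not-yet-usable states.
ERROR_REFIDS = {".INIT.", ".AUTH.", ".DENY.", ".RATE.", ".TIME.", ".CRYPT.", ".STEP."}

# One association row: tally code, then the ten columns of the table.
_ROW = re.compile(
    r"^(?P<tally>[ *#o+x.-])(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+"
    r"(?P<t>[lumb-])\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
    r"(?P<delay>-?[\d.]+)\s+(?P<offset>-?[\d.]+)\s+(?P<jitter>-?[\d.]+)\s*$"
)


def parse_peer_table(text):
    """Return one dict per association row, with numeric fields converted."""
    peers = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["st"] = int(d["st"])
        d["poll"] = int(d["poll"])
        d["reach"] = int(d["reach"], 8)          # reach is printed in octal
        for k in ("delay", "offset", "jitter"):
            d[k] = float(d[k])
        peers.append(d)
    return peers


def reach_misses(reach):
    """How many of the last eight polls went unanswered (0o377 means none)."""
    return 8 - bin(reach & 0xFF).count("1")


def ntp_findings(peers):
    """Human-readable problems found in the peer table."""
    findings = []
    if not any(p["tally"] == "*" for p in peers):
        findings.append("no peer selected as system time source (no '*' entry)")
    for p in peers:
        name = p["remote"]
        if p["refid"] in ERROR_REFIDS:
            findings.append(f"{name}: refid {p['refid']}")
        if p["st"] >= 16:
            findings.append(f"{name}: stratum 16, not synchronized")
        misses = reach_misses(p["reach"])
        # Missed polls on a peer already flagged by its refid add nothing new.
        if misses and p["refid"] not in ERROR_REFIDS:
            findings.append(
                f"{name}: {misses} of last 8 polls unanswered (reach {p['reach']:o})")
    return findings


if __name__ == "__main__":
    for finding in ntp_findings(parse_peer_table(SAMPLE_OUTPUT)):
        print(finding)
```

A peer showing .AUTH. with authenticated NTP configured usually means the key number or key string in ntp.keys does not match the server side; .DENY. means the server's access restrictions reject this device. Both leave the device on local time, which the second example above reports as "NTP service is disabled" only when NTP is off entirely, so a healthy-looking table with no '*' entry still needs attention.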


show opdata through show raid commands

show opdata adisessions
show opdata arptable
show opdata blocks
show opdata connections
show opdata flowdrop
show opdata framedrop
show opdata http
show opdata hwregex
show opdata interface
show opdata pdts
show opdata policy
show opdata routingtable
show opdata summary
show opdata tls
show partitions
show platform hardware
show platform software
show raid

show opdata adisessions

To view current Authentication Directory Interface (ADI) session information, use the show opdata adisessions command.

show opdata adisessions

Syntax

This command has no arguments or keywords.

Command Default

No default behavior or values.

Command Modes

You can use this command in the following contexts:
ASA CX console or SSH session.

Command History

Release               Modification
CX Software 9.0(2)    This command was introduced.

Usage Guidelines

Use the show opdata adisessions command to view the directory of current ADI sessions (that is, the user-to-IP-address mappings). The following information is displayed.

Field                     Description
total_sessions            Total number of current sessions in the directory.
contained_op_data {...}   Each session entry consists of the following information:
                          realm: The realm, or authentication server, used to authenticate traffic.
                          username: Name by which the user was authenticated for this session.
                          ip: IP address assigned to this session.
                          identity_type: Type of session-to-flow mapping.
                          auth_type: Type of authentication performed for this session.

Examples

The following example presents output for the show opdata adisessions command. The IP addresses are not shown.

Note: The ADI session directory is also referred to as the VDI (Virtual Directory Interface) session directory in some locations; the abbreviations are used interchangeably.

hostname> show opdata adisessions
Vdi Session Directory:
============================
total_sessions: 4
contained_op_data {
  realm: "my_asacx"
  username: "doe, john"
  ip: " "
  identity_type: IDENTITY_PASSIVE
  auth_type: AUTH_TYPE_NEGOTIATE
}
contained_op_data {
  realm: "my_asacx"
  username: "administrator"
  ip: " "
  identity_type: IDENTITY_PASSIVE
  auth_type: AUTH_TYPE_NEGOTIATE
}
contained_op_data {
  realm: "my_asacx"
  username: "administrator"
  ip: " "
  identity_type: IDENTITY_PASSIVE
  auth_type: AUTH_TYPE_NEGOTIATE
}
contained_op_data {
  realm: "my_asacx"
  username: "smith, john"
  ip: " "
  identity_type: IDENTITY_PASSIVE
  auth_type: AUTH_TYPE_NEGOTIATE
}
hostname>

Related Commands

Command                     Description
clear opdata adisessions    Clears all ADI session information.

show opdata arptable

To view the data plane Address Resolution Protocol (ARP) table, use the show opdata arptable command.

show opdata arptable

Syntax

This command has no arguments or keywords.

Command Default

No default behavior or values.

Command Modes

You can use this command in the following contexts:
ASA CX console or SSH session.

Command History

Release               Modification
CX Software 9.0(1)    This command was introduced.

Usage Guidelines

The following information is displayed for each ARP entry on each interface assigned to each context on the device.

Field                             Description
Context: name, Interface: name    The context and interface that own the entries that follow.
entry                             Each entry consists of a remote peer's IP address, status, MAC address, and number of hits (times the entry was used).

Examples

The following example shows how to display data-plane ARP table statistics. The output has been edited for brevity; IP addresses and most of the MAC address values are not shown.

hostname> show opdata arptable
Data Plane ARP Table:
=====================
Context: NATIVE, Interface: outside
  Active   aa.0022   hits
  Active   aa.0022   hits
  Active             hits 796
Context: NATIVE, Interface: inside
  Active   aa.0022   hits
  Active   aa.0022   hits
  Active             hits
... (Remaining output removed for publishing purposes)

Related Commands

There are no related commands.

show opdata blocks

To view packet buffer block information, use the show opdata blocks command.

show opdata blocks [free [core] | assigned [core] | interface | core]

Syntax

core        (Optional) Show per-core block usage data.
free        (Optional) Show blocks available for use. Append the core keyword (show opdata blocks free core) to show the available blocks on a per-core basis.
assigned    (Optional) Show blocks that are assigned and in use by an application. Append the core keyword (show opdata blocks assigned core) to show the assigned blocks on a per-core basis.
interface   (Optional) Show per-interface block usage data.

Command Modes

You can use this command in the following contexts:
ASA CX console or SSH session.

Command History

Release               Modification
CX Software 9.0(1)    This command was introduced.

Usage Guidelines

Use the show opdata blocks commands to view memory and system-buffer usage statistics. This information is useful for detecting leaks and for determining whether the system is overloaded.

Examples

The show opdata blocks command can be used without any additional keywords. The following is an example of this output; the numeric columns are not shown.

hostname> show opdata blocks
Data Plane Blocks Usage Stats:
===========================
   SIZE    MAX    LOW    CNT

The displayed columns for show opdata blocks are as follows:

SIZE   Size, in bytes, of the block pool. Each size represents a particular type, as follows:
       0      Used for duplicate message (dupb) blocks.
       4      Duplicates existing blocks in applications such as DNS, ISAKMP, URL filtering, uauth, TFTP, and TCP modules. Blocks of this size can also be used to send packets to drivers and similar consumers.
       80     Used in TCP intercept to generate acknowledgment packets and for failover hello messages.
       256    Used for stateful failover updates, syslog messages, and other TCP functions. These blocks are mainly used for stateful failover messages: the active device generates and sends packets to the standby device to update the translation and connection tables. In bursty traffic, where connections are created or torn down at a high rate, the number of available blocks might drop to zero. This situation indicates that one or more connections were not updated to the standby device; the stateful failover protocol catches the missing translation or connection the next time. If the CNT column for 256-byte blocks stays at or near zero for extended periods of time, the device is having trouble keeping the translation and connection tables synchronized because of the number of connections per second being processed.
              Syslog messages sent from the device also use 256-byte blocks, but they are generally not consumed in quantities large enough to deplete the pool. If the CNT column shows that the number of 256-byte blocks is near zero, ensure that you are not logging at Debugging (level 7) to the syslog server. We recommend that you set logging at Notification (level 5) or lower, unless you require additional information for debugging purposes.
       1550   Used to store Ethernet packets for processing. When a packet enters an interface, it is placed on the input interface queue, passed up to the operating system, and placed in a block. The device determines whether the packet should be permitted or denied based on the security policy and processes the packet through to the output queue on the outbound interface. If the device is having trouble keeping up with the traffic load, the number of available blocks hovers close to zero, as shown in the CNT column. When the CNT column is zero, the device attempts to allocate more blocks, up to a maximum. If no more blocks are available, the packet is dropped.
       2048   Control or guided frames used for control updates.
MAX    Maximum number of blocks available for the specified block pool. The maximum block numbers are assigned at boot-up and typically do not change. The exception is the 256- and 1550-byte pools, which the device can grow dynamically when needed, up to a maximum.
LOW    The lowest number of blocks of this size that have been available since the last reboot. A zero in the LOW column indicates a previous event where the pool was exhausted.
CNT    Current number of blocks available in the pool. A zero in the CNT column means the pool is exhausted now.

The following is an example of show opdata blocks assigned output.

hostname> show opdata blocks assigned
Data Plane Blocks Usage Stats:
===========================
Class 0, size 0
Block allocd_by freed_by data size alloccnt dup_cnt oper location
Found 100 of 100 blocks  Displaying 0 of 100 blocks
Class 1, size 4
Block allocd_by freed_by data size alloccnt dup_cnt oper location
Found 100 of 100 blocks  Displaying 0 of 100 blocks
Class 2, size 80
Block allocd_by freed_by data size alloccnt dup_cnt oper location
Found 5400 of 5400 blocks  Displaying 0 of 5400 blocks
Class 3, size 256
Block allocd_by freed_by data size alloccnt dup_cnt oper location
Found 5100 of 5100 blocks  Displaying 0 of 5100 blocks
Class 4, size 1550
Block allocd_by freed_by data size alloccnt dup_cnt oper location
Found  of  blocks  Displaying 0 of  blocks
Class 5, size 2048
Block allocd_by freed_by data size alloccnt dup_cnt oper location
Found 2100 of 2100 blocks  Displaying 0 of 2100 blocks
Class 9, size 9472
Block allocd_by freed_by data size alloccnt dup_cnt oper location
Found 5000 of 5000 blocks  Displaying 0 of 5000 blocks

Table 3: show opdata blocks assigned (assigned core, free, and free core) Display Columns

Column      Description
Block       The block address.
allocd_by   The program address of the application that last used the block (0 if not used).
freed_by    The program address of the application that last released the block.
data size   The size of the application buffer/packet data in the block.
alloccnt    The number of times this block has been used since its creation.
dup_cnt     The current number of references to this block if used: 0 means 1 reference, 1 means 2 references.
oper        The operation last performed on the block: alloc, get, put, or free.

location    The application that uses the block, or the program address of the application that last allocated the block (same as the allocd_by field).

The following is an example of show opdata blocks free output. The output has been edited for brevity.

hostname> show opdata blocks free
Class 5, size 2048
Block           allocd_by  freed_by  data size  alloccnt  dup_cnt  oper  location
0x7f2db8b81080  (nil)      0x6a75b                                 free  freelist
0x7f2db8b80340  (nil)      0x6a75b                                 free  freelist
0x7f2db8b7f600  (nil)      0x6a75b                                 free  freelist
0x7f2db8b7e8c0  (nil)      0x6a75b                                 free  freelist
0x7f2db8b7db80  (nil)      0x6a75b                                 free  freelist
... (Portions of output removed for publishing purposes)
0x7f2db8b3ec80  (nil)      0x6a75b                                 free  freelist
0x7f2db8b3df40  (nil)      0x6a75b                                 free  freelist
Found 2100 of 2100 blocks  Displaying 82 of 2100 blocks

The following is an example of show opdata blocks interface output; the numeric values are not shown.

hostname> show opdata blocks interface
Data Plane Blocks Usage Stats:
===========================
Memory Pool
SIZE  LIMIT/MAX  LOW  CNT  GLB:HELD  GLB:TOTAL
DMA Cache pool statistics:
Queue   LIMIT/MAX  LOW  CNT
Core
Core
Core
Core
Global

Related Commands

Command              Description
clear opdata blocks  Clear block statistics.
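The following script is an added example, not part of the command reference. It parses the SIZE/MAX/LOW/CNT summary printed by show opdata blocks and applies the rules the column descriptions give: CNT of 0 means a pool is exhausted now, LOW of 0 means it was exhausted at some point since boot, a 256-byte pool near zero points at failover replication or debug-level syslog, and a 1550-byte pool near zero points at the device not keeping up with traffic. The sample table and the "near zero" threshold (5% of MAX) are constructed for the example; the reference does not define a threshold.

```python
"""Interpret the 'show opdata blocks' summary table.

Added example, not product code. Parses the SIZE/MAX/LOW/CNT rows and
reports exhausted or nearly exhausted pools with the hint the column
descriptions give for that pool size. The sample table and the
NEAR_ZERO_FRACTION threshold are constructed for the example.
"""

# Constructed sample output; pool sizes match the classes in the reference.
SAMPLE_OUTPUT = """\
hostname> show opdata blocks
Data Plane Blocks Usage Stats:
===========================
   SIZE    MAX    LOW    CNT
      0    100    100    100
      4    100     99    100
     80   5400   5100   5400
    256   5100      0      3
   1550  20000     12     40
   2048   2100   2100   2100
   9472   5000   5000   5000
"""

NEAR_ZERO_FRACTION = 0.05   # assumed threshold, not a value from the reference

# What the reference says a depleted pool of each size indicates.
POOL_HINTS = {
    256: "stateful failover updates and syslog; check the connection rate to the "
         "standby unit and make sure you are not logging at Debugging (level 7)",
    1550: "Ethernet packet buffers; the device is not keeping up with the traffic load",
}


def parse_block_table(text):
    """Return {size: {'max': .., 'low': .., 'cnt': ..}} from the summary rows."""
    pools = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and all(p.isdigit() for p in parts):
            size, mx, low, cnt = (int(p) for p in parts)
            pools[size] = {"max": mx, "low": low, "cnt": cnt}
    return pools


def block_findings(pools, near_zero=NEAR_ZERO_FRACTION):
    """(size, condition, hint) tuples for pools that are or were depleted."""
    findings = []
    for size, p in sorted(pools.items()):
        hint = POOL_HINTS.get(size, "")
        if p["cnt"] == 0:
            findings.append((size, "exhausted now", hint))
        elif p["max"] and p["cnt"] <= p["max"] * near_zero:
            findings.append((size, "near zero", hint))
        if p["low"] == 0:
            findings.append((size, "exhausted at least once since boot", hint))
    return findings


if __name__ == "__main__":
    for size, condition, hint in block_findings(parse_block_table(SAMPLE_OUTPUT)):
        print(f"{size}-byte pool: {condition}" + (f" ({hint})" if hint else ""))
```

Run it against a few samples taken minutes apart: a 256-byte pool whose CNT recovers between samples is consistent with bursty failover traffic, while one that stays near zero matches the sustained-overload case the column description calls out.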

show opdata connections

To view the number of current and peak concurrent TCP and UDP connections, and the list of current connections, use the show opdata connections command.

Note: Prior to version 9.1(2), the data presented by this command are inaccurate and should not be relied upon.

show opdata connections [details session_id]

Syntax

details session_id   (Optional) View details for the connection identified by session_id.

Command Default

No default behavior or values.

Command Modes

You can use this command in the following contexts:
ASA CX console or SSH session.

Command History

Release                 Modification
CX Software 9.0(1)      This command was introduced.
CX Software 9.1(2)      The output of this command was updated to remove redundancies and inaccuracies; it is also presented in a more readable format.
CX Software 9.2(1.2)    The details keyword was added.

Usage Guidelines

The following information is displayed for the device.

Table 4: show opdata connections Display Fields

Field                Description
in use, most used    The number of active TCP and UDP connections, and the peak number of concurrent TCP and UDP connections.

data-plane connections   Details for individual connections, beginning with the most recent. The details include protocol, from and to interface and port information, time data, bytes transferred, and session ID. Connection information is displayed in blocks of 80 lines. Press Enter to display the next block, or Ctrl-C to cancel output.

To see detailed information for a session, use the session ID shown in the show opdata connections output with the details keyword. The details show the basic connection information plus the following:

tcp_full_proxy   Whether the connection has entered TCP full proxy mode. If False, the connection is in lightweight proxy mode. Connections enter full proxy mode when an inspector modifies content, because modifying content changes the TCP sequence numbers on both sides of the connection. All decrypted flows are in full proxy mode. Other flows can enter full proxy mode, for example, when the HTTP inspector modifies the header to send an end-user notification page.
proto            The protocol for the connection.
app              The application matched to the connection.
seg_cnt          The pending segment count in the PDTS ring, that is, the segments that have not yet been read by the consumer of the PDTS ring.
consumer         The component that is consuming the session, where the data plane is the producer: HTTP Engine, TLS Engine, or None (when no inspection is required and the data plane can resolve the connection itself).

Example: Showing Connections

The following is an example of the show opdata connections output. Connection information is displayed in blocks of 80 lines. The IP addresses and session IDs are not shown.

hostname> show opdata connections
Data Plane Connections:
============================
34 in use, 98 most used
TCP inside :1520 outside :80, idle 0:01:13 uptime 0:01:13, idle_timeout 1:01:00, bytes 718, flags, session_id
UDP inside :57392 outside :6881, idle 0:01:31 uptime 0:01:31, idle_timeout 0:02:05, bytes 67, flags, session_id
... (Some output removed for publishing purposes)
<---More---> Press Enter to continue, 'CTRL + C' to exit

Example: Showing Connection Details

The following is an example of the show opdata connections details session_id output. The session ID is truncated here.

asacx> show opdata connections details ca
Data Plane Connection Details
============================
TCP inside :10367 inside :80
tcp_full_proxy False, proto HTTP, app HTTP, seg_cnt 0, consumer HTTP Engine

Related Commands

Command                    Description
clear opdata connections   Clear connection statistics.
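The following script is an added example, not part of the command reference. It parses the per-connection lines described above (protocol, from and to interface and endpoint, idle, uptime, idle_timeout, bytes, flags, session_id), converts the h:mm:ss fields to seconds, and picks out the long-lived, high-volume flows an analyst would examine first; their session IDs are what you would then pass to show opdata connections details. The sample lines, addresses, byte counts and session IDs are constructed for the example, and the 0x-prefixed session_id format and the uptime/byte thresholds are assumptions, not values from the reference.

```python
"""Parse 'show opdata connections' output and rank flows for review.

Added example, not product code. Parses the connection lines, converts
time fields to seconds and selects long-lived, high-volume flows. The
sample output, session_id format and thresholds are constructed.
"""
import re

# Constructed sample output in the line format the reference describes.
SAMPLE_OUTPUT = """\
hostname> show opdata connections
Data Plane Connections:
============================
3 in use, 98 most used
TCP inside 10.1.1.25:1520 outside 198.51.100.20:80, idle 0:01:13 uptime 0:01:13, idle_timeout 1:01:00, bytes 718, flags, session_id 0x1a2b
UDP inside 10.1.1.40:57392 outside 203.0.113.9:6881, idle 0:01:31 uptime 0:01:31, idle_timeout 0:02:05, bytes 67, flags, session_id 0x1a2c
TCP inside 10.1.1.7:50311 outside 203.0.113.77:443, idle 0:00:02 uptime 9:42:10, idle_timeout 1:01:00, bytes 734003200, flags, session_id 0x0c41
"""

# One connection line. 'flags' may be empty, as in the reference output.
_CONN = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<from_if>\S+)\s+(?P<src>\S+)\s+(?P<to_if>\S+)\s+(?P<dst>\S+),"
    r"\s+idle\s+(?P<idle>[\d:]+)\s+uptime\s+(?P<uptime>[\d:]+),"
    r"\s+idle_timeout\s+(?P<idle_timeout>[\d:]+),\s+bytes\s+(?P<bytes>\d+),"
    r"\s+flags\s*(?P<flags>[^,]*),\s+session_id\s+(?P<session_id>\S+)\s*$"
)


def hms_to_seconds(value):
    """Convert 'h:mm:ss' (or 'm:ss') to seconds, e.g. '9:42:10' -> 34930."""
    seconds = 0
    for part in value.split(":"):
        seconds = seconds * 60 + int(part)
    return seconds


def parse_connections(text):
    """Return one dict per connection line, with times in seconds."""
    conns = []
    for line in text.splitlines():
        m = _CONN.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for k in ("idle", "uptime", "idle_timeout"):
            d[k] = hms_to_seconds(d[k])
        d["bytes"] = int(d["bytes"])
        d["flags"] = d["flags"].strip()
        conns.append(d)
    return conns


def suspicious_flows(conns, min_uptime=3600, min_bytes=100 * 1024 * 1024):
    """Flows that are both long-lived and high-volume (thresholds are assumed)."""
    return [c for c in conns if c["uptime"] >= min_uptime and c["bytes"] >= min_bytes]


def top_by_bytes(conns, n=3):
    """The n connections that have transferred the most bytes."""
    return sorted(conns, key=lambda c: c["bytes"], reverse=True)[:n]


if __name__ == "__main__":
    conns = parse_connections(SAMPLE_OUTPUT)
    for c in suspicious_flows(conns):
        hours = c["uptime"] / 3600
        print(f"{c['proto']} {c['src']} -> {c['dst']}: {hours:.1f} h, "
              f"{c['bytes']} bytes, session_id {c['session_id']}")
```

Because the command pages its output 80 lines at a time, capture the full listing from a terminal session before running the script on it; a single long-lived TLS flow to one external host that dwarfs everything else in top_by_bytes is a reasonable candidate for the details view and for a look at the matching decryption policy.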

show opdata flowdrop

To view information about dropped flows (connections) that might help you troubleshoot a problem, use the show opdata flowdrop command.

show opdata flowdrop

Syntax

This command has no arguments or keywords.

Command Default

No default behavior or values.

Command Modes

You can use this command in the following contexts:
ASA CX console or SSH session.

Command History

Release                            Modification
CX Software 9.0(1), PRSM 9.0(1)    This command was introduced.

Usage Guidelines

The following table describes the reasons a flow (connection) might have been dropped.

Note: This information is used for debugging purposes only, and the output is subject to change. Consult Cisco TAC for help debugging your system with this command.

Reason: Tunnel has been torn down (tunnel-torn-down)
This counter is incremented when the appliance receives a packet associated with an established flow whose IPsec security association is in the process of being deleted.
Recommendation: This is a normal condition when the IPsec tunnel is torn down for any reason.

Reason: No memory to complete flow (out-of-memory)
This counter is incremented when the appliance is unable to create a flow because of insufficient memory.
Recommendation: Verify that the appliance is not under attack by checking the current connections. Also verify whether the configured timeout values are too large, causing idle flows to remain in memory longer. Check the free memory; if free memory is low, determine which processes are using most of it.

Reason: Parent flow is closed (parent-closed)
When the parent flow of a subordinate flow is closed, the subordinate flow is also closed. For example, an FTP data flow (subordinate flow) is closed with this reason when its control flow (parent flow) is terminated. This reason is also given when a secondary flow (pinhole) is closed by its controlling application; for example, when the BYE message is received, the SIP inspection engine (controlling application) closes the corresponding SIP RTP flows (secondary flows).
Recommendation: None.

Reason: Flow closed by inspection (closed-by-inspection)
This reason is given for closing a flow due to an error detected during application inspection. For example, if an error is detected while inspecting an H.323 message, the corresponding H.323 flow is closed with this reason.
Recommendation: None.

Reason: Failover primary closed (fo-primary-closed)
The standby unit received a flow delete message from the active unit and terminated the flow.
Recommendation: If the appliance is running stateful failover, this counter should increment for every replicated connection that is torn down on the standby appliance.

Reason: Flow closed by failover standby (fo-standby)
If a through-the-appliance packet arrives at an appliance or context that is in a standby state, and a flow is created, the packet is dropped and the flow removed. This counter is incremented each time a flow is removed in this manner.
Recommendation: This counter should not be incrementing on the active appliance or context. However, it is normal to see it increment on the standby appliance or context.

Reason: Standby flow replication error (fo_rep_err)
The standby unit failed to replicate a flow.
Recommendation: If the appliance is processing VPN traffic, this counter could be constantly increasing on the standby unit because the flow could be replicated before the IKE SA information. No action is required in this case. However, if the appliance is not processing VPN traffic, this indicates a software defect. Turn on debugging on the standby unit, collect the debug output, and report the problem to Cisco TAC.

Reason: Flow is a loopback (loopback)
This reason indicates a flow was closed when: 1) U-turn traffic was present, and 2) same-security-traffic permit intra-interface is not configured.
Recommendation: To allow U-turn traffic on an interface, configure the interface with same-security-traffic permit intra-interface.

Reason: Flow is denied by access rule (acl-drop)
This counter is incremented when a drop rule denies flow creation. This could be a default rule created when the appliance is powered up, when various features are turned on or off, when an ACL is applied to an interface, and so on. Aside from default rule drops, a flow might be denied because of:
  An ACL rule configured on an interface.
  An ACL configured for AAA, where an AAA rule denied the user.
  Through-box traffic arriving at the management-only interface.
  Unencrypted traffic arriving on an IPsec-enabled interface.
  An implicit deny IP any any rule at the end of an ACL.
Recommendation: Determine if any syslogs related to packet drop (106023, ...) were sent. Flow drops result in corresponding packet-drop syslogs.

Reason: Pinhole timeout (pinhole-timeout)
This counter is incremented to report that the appliance opened a secondary flow, but no packets passed through this flow within the timeout interval, so it was removed. An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.
Recommendation: No action required.

Reason: Host is removed (host-removed)
Flow removed in response to a clear local-host command.
Recommendation: None; this is an informational counter.

Reason: Xlate Clear (xlate-removed)
Flow removed in response to a clear xlate or clear local-host command.
Recommendation: None; this is an informational counter.

Reason: Connection timeout (connection-timeout)
This counter is incremented when a flow is closed because its inactivity timeout expired.
Recommendation: No action required.

Reason: Connection limit exceeded (conn-limit-exceeded)
This indicates a flow was closed because the connection limit has been exceeded.
Recommendation: None.

Reason: TCP FINs (tcp-fins)
A TCP flow was closed because TCP FIN packets were received. This counter is incremented for each TCP connection that is terminated normally with FINs.
Recommendation: None.

Reason: SYN Timeout (syn-timeout)
A TCP flow was closed because an embryonic timer expired.
Recommendation: For valid sessions that take longer to establish a connection, increase the embryonic timeout.

FIN Timeout (fin-timeout)
    This reason is given for closing a TCP flow due to expiry of the half-closed timer.
    Recommendation: If these are valid sessions that take longer to close a TCP flow, increase the half-closed timeout.

TCP Reset-I (reset-in)
    This reason is given for closing an outbound flow (from a low-security interface to a same- or high-security interface) when a TCP reset is received on the flow.
    Recommendation: None.

TCP Reset-O (reset-out)
    This reason is given for closing an inbound flow (from a high-security interface to a low-security interface) when a TCP reset is received on the flow.
    Recommendation: None.

TCP Reset-APPLIANCE (reset-appliance)
    This reason is given for closing a flow when a TCP reset is generated by the appliance.
    Recommendation: None.

Close recursive flow (recurse)
    A flow was recursively freed. This reason applies to pair flows, multicast slave flows, and syslog flows, to prevent syslogs being issued for each of these subordinate flows.
    Recommendation: No action required.

TCP intercept, no response from server (tcp-intecept-no-response)
    SYN retransmission timeout after trying three times, once every second. Server unreachable, tearing down connection.
    Recommendation: Check if the server is reachable from the ASA.

TCP intercept unexpected state (tcp-intercept-unexpected)
    Logic error in the TCP intercept module; this should never happen.
    Recommendation: Indicates memory corruption or some other logic error in the TCP intercept module.

TCP bad retransmission (tcpnorm-rexmit-bad)
    This reason is given for closing a TCP flow when the check-retransmission feature is enabled and the TCP endpoint sent a retransmission with different data from the original packet.
    Recommendation: The TCP endpoint may be attacking by sending different data in TCP retransmits. Use the packet capture feature to learn more about the origin of the packet.

TCP unexpected window size variation (tcpnorm-win-variation)
    This reason is given for closing a TCP flow when the window size advertised by the TCP endpoint is drastically changed without accepting that much data.
    Recommendation: In order to allow this connection, use the window-variation configuration under tcp-map.

TCP invalid SYN (tcpnorm-invalid-syn)
    This reason is given for closing a TCP flow when the SYN packet is invalid.
    Recommendation: The SYN packet could be invalid for a number of reasons, such as an invalid checksum or an invalid TCP header. Use the packet capture feature to understand why the SYN packet is invalid. If you would like to allow these connections, use tcp-map configurations to bypass the checks.

Multicast interface removed (mcast-intrf-removed)
    An output interface has been removed from the multicast entry.
    - OR -
    All output interfaces have been removed from the multicast entry.
    Recommendation: No action required.
    - OR -
    Verify that there are no longer any receivers for this group.

Multicast entry removed (mcast-entry-removed)
    A packet has arrived that matches a multicast flow, but the multicast service is no longer enabled, or was re-enabled after the flow was built.
    - OR -
    The multicast entry has been deleted, so the flow is being cleaned up, but the packet will be reinjected into the data path.
    Recommendation: Re-enable multicast if it is disabled.
    - OR -
    No action required.

Flow terminated by TCP Intercept (tcp-intercept-kill)
    TCP intercept tears down a connection if this is the first SYN, a connection is created for the SYN, and TCP intercept replied with a SYN cookie; or, after seeing a valid ACK from the client, when TCP intercept sends a SYN to the server and the server replies with a RST.
    Recommendation: TCP intercept normally does not create a connection for the first SYN, except when there are nailed rules, the packet comes over a VPN tunnel, or the next-hop gateway address to reach the client is not resolved. So for the first SYN this indicates that a connection got created. When TCP intercept receives a RST from the server, it is likely that the corresponding port is closed on the server.

Audit failure (audit-failure)
    A flow was freed after matching an "ip audit" signature that had reset as the associated action.
    Recommendation: If removing the flow is not the desired outcome of matching this signature, then remove the reset action from the "ip audit" command.

Flow terminated by IPS (ips-request)
    This reason is given for terminating a flow as requested by the IPS module.
    Recommendation: Check syslogs and alerts on the IPS module.

IPS fail-close (ips-fail-close)
    This reason is given for terminating a flow because the IPS card is down and the fail-close option was used with IPS inspection.
    Recommendation: Check and bring up the IPS card.

Flow terminated by punt action (reinject-punt)
    This counter is incremented when a packet is punted to the exception path for processing by one of the enhanced services such as inspect, aaa, etc., and the servicing routine, having detected a violation in the traffic flowing on the flow, requests that the flow be dropped. The flow is immediately dropped.
    Recommendation: Watch for syslogs fired by the servicing routine for more information. Flow drop terminates the corresponding connection.

Flow shunned (shunned)
    This counter will increment when a packet is received which has a source IP address that matches a host in the shun database. When a shun command is applied, it will be incremented for each existing flow that matches the shun command.
    Recommendation: No action required.

Host limit exceeded (host-limit)
    This counter is incremented when the licensed host limit is exceeded.

NAT failed (nat-failed)
    Failed to create an xlate to translate an IP or transport header.
    Recommendation: If NAT is not desired, disable "nat-control". Otherwise, use the "static", "nat" or "global" command to configure a NAT policy for the dropped flow. For dynamic NAT, ensure that each "nat" command is paired with at least one "global" command. Use "show nat" and "debug pix process" to verify NAT rules.

NAT reverse path failed (nat-rpf-failed)
    Rejected attempt to connect to a translated host using the translated host's real address.
    Recommendation: When not on the same interface as the host undergoing NAT, use the mapped address instead of the real address to connect to the host. Also, enable the appropriate inspect command if the application embeds IP addresses.

IPSec over IPv6 unsupported (no-ipv6-ipsec)
    This counter will increment when the appliance receives an IPSec ESP packet, IPSec NAT-T ESP packet, or IPSec over UDP ESP packet encapsulated in an IP version 6 header. The appliance does not currently support any IPSec sessions encapsulated in IP version 6.
    Recommendation: None.

Tunnel being brought up or torn down (tunnel-pending)
    This counter will increment when the appliance receives a packet matching an entry in the security policy database (i.e., crypto map) but the security association is in the process of being negotiated; it is not complete yet. This counter will also increment when the appliance receives a packet matching an entry in the security policy database but the security association has been or is in the process of being deleted. The difference between this indication and the 'Tunnel has been torn down' indication is that the 'Tunnel has been torn down' indication is for established flows.
    Recommendation: This is a normal condition when the IPSec tunnel is in the process of being negotiated or deleted.

Need to start IKE negotiation (need-ike)
    This counter will increment when the appliance receives a packet which requires encryption but has no established IPSec security association. This is generally a normal condition for LAN-to-LAN IPSec configurations. This indication will cause the appliance to begin ISAKMP negotiations with the destination peer.
    Recommendation: If you have configured IPSec LAN-to-LAN on your appliance, this indication is normal and does not indicate a problem. However, if this counter increments rapidly it may indicate a crypto configuration error or network error preventing the ISAKMP negotiation from completing. Verify that you can communicate with the destination peer and verify your crypto configuration via the 'show running-config' command.

VPN handle error (vpn-handle-error)
    This counter is incremented when the appliance is unable to create a VPN handle because the VPN handle already exists.
    Recommendation: It is possible to see this counter increment as part of normal operation. However, if the counter is rapidly incrementing and there is a serious malfunction of VPN-based applications, it may be a software defect. Contact Cisco TAC.

VPN handle not found (vpn-handle-not-found)
    This counter is incremented when a datagram hits an encrypt or decrypt rule, and no VPN handle is found for the related flow.
    Recommendation: It is possible to see this counter increment as part of normal operation. However, if the counter is rapidly incrementing and there is a serious malfunction of VPN-based applications, it may be a software defect. Contact Cisco TAC.

Inspection failure (inspect-fail)
    This counter will increment when the appliance fails to enable protocol inspection carried out by the NP for the connection. The cause could be a memory allocation failure or, for an ICMP error message, the appliance not being able to find any established connection related to the frame embedded in the ICMP error message.
    Recommendation: Check system memory usage. For ICMP error messages, if the cause is an attack, you can deny the host using ACLs.

Failed to allocate inspection (no-inspect)
    This counter will increment when the security appliance fails to allocate a run-time inspection data structure upon connection creation. The connection will be dropped.
    Recommendation: This error condition is caused when the security appliance runs out of system memory. Check the current available free memory by executing the "show memory" command.

Flow reset by IPS (reset-by-ips)
    This reason is given for terminating a TCP flow as requested by the IPS module.
    Recommendation: Check syslogs and alerts on the IPS module.

Non-tcp/udp flow reclaimed for new request (flow-reclaimed)
    This counter is incremented when a reclaimable flow is removed to make room for a new flow. This occurs only when the number of flows through the appliance equals the maximum number permitted by the software-imposed limit, and a new flow request is received. When this occurs, if the number of reclaimable flows exceeds the number of VPN tunnels permitted by the appliance, then the oldest reclaimable flow is removed to make room for the new flow. All flows except the following are deemed to be reclaimable:
    1. TCP, UDP, GRE and Failover flows
    2. ICMP flows if ICMP stateful inspection is enabled
    3. ESP flows to the appliance
    Recommendation: No action is required if this counter is incrementing slowly. If this counter is incrementing rapidly, it could mean that the appliance is under attack and the appliance is spending more time reclaiming and rebuilding flows.

non-syn TCP (non_tcp_syn)
    This reason is given for terminating a TCP flow when the first packet is not a SYN packet.
    Recommendation: None.

IPSec spoof packet detected (ipsec-spoof-detect)
    This counter will increment when the appliance receives a packet which should have been encrypted but was not. The packet matched the inner header security policy check of a configured and established IPSec connection on the appliance but was received unencrypted. This is a security issue.
    Recommendation: Analyze your network traffic to determine the source of the spoofed IPSec traffic.

RM xlate limit reached (rm-xlate-limit)
    This counter is incremented when the maximum number of xlates for a context or the system has been reached and a new connection is attempted.
    Recommendation: The device administrator can use the commands 'show resource usage' and 'show resource usage system' to view context and system resource limits and 'Denied' counts, and adjust resource limits if desired.

RM host limit reached (rm-host-limit)
    This counter is incremented when the maximum number of hosts for a context or the system has been reached and a new connection is attempted.
    Recommendation: The device administrator can use the commands 'show resource usage' and 'show resource usage system' to view context and system resource limits and 'Denied' counts, and adjust resource limits if desired.

RM inspect rate limit reached (rm-inspect-rate-limit)
    This counter is incremented when the maximum inspection rate for a context or the system has been reached and a new connection is attempted.
    Recommendation: The device administrator can use the commands 'show resource usage' and 'show resource usage system' to view context and system resource limits and 'Denied' counts, and adjust resource limits if desired.

tcpmod-connect-clash
    A TCP connect socket clashes with an existing listen connection. This is an internal system error. Contact TAC.

SVC spoof packet detected (svc-spoof-detect)
    This counter will increment when the security appliance receives a packet which should have been encrypted but was not. The packet matched the inner header security policy check of a configured and established SVC connection on the security appliance but was received unencrypted. This is a security issue.
    Recommendation: Analyze your network traffic to determine the source of the spoofed SVC traffic.

Flow terminated by service module (ssm-app-request)
    This counter only applies to the ASA 5500 series adaptive security appliance. It is incremented when the application running on the SSM requests the security appliance to terminate a connection.
    Recommendation: You can obtain more information by querying the incident report or system messages generated by the SSM itself. Consult the documentation that comes with the SSM for instructions.

Service module failed (ssm-app-fail)
    This counter only applies to the ASA 5500 series adaptive security appliance. It is incremented when a connection that is being inspected by the SSM is terminated because the SSM has failed.
    Recommendation: The card manager process running in the security appliance control plane issued system messages and a CLI warning to inform you of the failure. Consult the documentation that comes with the SSM to troubleshoot the SSM failure. Contact the Cisco Technical Assistance Center (TAC) if needed.

Service module incompetent (ssm-app-incompetent)
    This counter only applies to the ASA 5500 series adaptive security appliance. It is incremented when a connection is supposed to be inspected by the SSM, but the SSM is not able to inspect it. This counter is reserved for future use. It should always be 0 in the current release.
    Recommendation: None.

SSL bad record detected (ssl-bad-record-detect)
    This counter is incremented for each unknown SSL record type received from the remote peer. Any unknown record type received from the peer is treated as a fatal error, and the SSL connections that encounter this error must be terminated.
    Recommendation: It is not normal to see this counter increment at any time. If this counter is incremented, it usually means that the SSL protocol state is out of sync with the client software. The most likely cause of this problem is a software defect in the client software. Contact the Cisco TAC with the client software or web browser version and provide a network trace of the SSL data exchange to troubleshoot this problem.

SSL handshake failed (ssl-handshake-failed)
    This counter is incremented when the TCP connection is dropped because the SSL handshake failed.
    Recommendation: This indicates that the TCP connection is dropped because the SSL handshake failed. If the problem cannot be resolved based on the syslog information generated by the handshake failure condition, include the related syslog information when contacting the Cisco TAC.

SSL malloc error (ssl-malloc-error)
    This counter is incremented for each malloc failure that occurs in the SSL library. This indicates that SSL encountered a low-memory condition where it cannot allocate a memory buffer or packet block.
    Recommendation: Check the security appliance memory and packet block condition and contact the Cisco TAC with this memory information.

CTM crypto request error (ctm-crypto-request-error)
    This counter is incremented each time CTM cannot accept our crypto request. This usually means the crypto hardware request queue is full.
    Recommendation: Issue the show crypto protocol statistics ssl command and contact the Cisco TAC with this information.

SSL record decryption failed (ssl-record-decrypt-error)
    This counter is incremented when a decryption error occurs during SSL data receive. This usually means that there is a bug in the SSL code of the ASA or peer, or an attacker may be modifying the data stream. The SSL connection has been closed.
    Recommendation: Investigate the SSL data streams to and from your ASA. If there is no attacker, then this indicates a software error that should be reported to the Cisco TAC.

A new socket connection was not accepted (np-socket-conn-not-accepted)
    This counter is incremented for each new socket connection that is not accepted by the security appliance.
    Recommendation: It is possible to see this counter increment as part of normal operation. However, if the counter is rapidly incrementing and there is a major malfunction of socket-based applications, then this may be caused by a software defect. Contact the Cisco TAC to investigate the issue further.

NP socket failure (np-socket-failure)
    This is a general counter for critical socket processing errors.
    Recommendation: This indicates a software error that should be reported to the Cisco TAC.

NP socket relay failure (np-socket-relay-failure)
    This is a general counter for socket relay processing errors.
    Recommendation: It is possible to see this counter increment as part of normal operation. However, if the counter is rapidly incrementing and there is a major malfunction of socket-based applications, then this may be caused by a software defect. Contact the Cisco TAC to investigate the issue further.

NP socket data movement failure (np-socket-data-move-failure)
    This counter is incremented for socket data movement errors.
    Recommendation: This indicates a software error that should be reported to the Cisco TAC.

NP socket new connection failure (np-socket-new-conn-failure)
    This counter is incremented for new socket connection failures.
    Recommendation: This indicates a software error that should be reported to the Cisco TAC.

NP socket transport closed (np-socket-transport-closed)
    This counter is incremented when the transport attached to the socket is abruptly closed.
    Recommendation: It is possible to see this counter increment as part of normal operation. However, if the counter is rapidly incrementing and there is a major malfunction of socket-based applications, then this may be caused by a software defect. Contact the Cisco TAC to investigate the issue further.

NP socket block conversion failure (np-socket-block-conv-failure)
    This counter is incremented for socket block conversion failures.
    Recommendation: This indicates a software error that should be reported to the Cisco TAC.

SSL received close alert (ssl-received-close-alert)
    This counter is incremented each time the security appliance receives a close alert from the remote client. This indicates that the client has notified us that it is going to drop the connection. It is part of the normal disconnect process.
    Recommendation: None.

An SVC socket connection is being disconnected on the standby unit (svc-failover)
    This counter is incremented for each new SVC socket connection that is disconnected when the active unit is transitioning into the standby state as part of a failover transition.
    Recommendation: None. This is part of the normal cleanup of an SVC connection when the current device is transitioning from active to standby. Existing SVC connections on the device are no longer valid and need to be removed.

Max per-flow children limit exceeded (children-limit)
    The number of child flows associated with one parent flow exceeds the internal limit of 200.
    Recommendation: This message indicates either a misbehaving application or an active attempt to exhaust the firewall memory. Use the "set connection per-client-max" command to further fine-tune the limit. For FTP, additionally enable the "strict" option in "inspect ftp".

packet-tracer traced flow drop (tracer-flow)
    This counter is used internally by packet-tracer for a flow freed once tracing is complete.
    Recommendation: None.

looping-address (sp-looping-address)
    This counter is incremented when the source and destination addresses in a flow are the same. SIP flows where address privacy is enabled are excluded, as it is normal for those flows to have the same source and destination address.
    Recommendation: There are two possible conditions when this counter will increment. One is when the appliance receives a packet with the source address equal to the destination. This represents a type of DoS attack. The second is when the NAT configuration of the appliance translates a source address to equal that of the destination. Examine the syslog messages to determine what IP address is causing the counter to increment, then enable packet captures to capture the offending packet and perform additional analysis.

No valid adjacency (no-adjacency)
    This counter will increment when the security appliance receives a packet on an existing flow that no longer has a valid output adjacency. This can occur if the next hop is no longer reachable or if a routing change has occurred, typically in a dynamic routing environment.
    Recommendation: No action required.

IPSec VPN inner policy selector mismatch detected (ipsec-selector-failure)
    This counter is incremented when an IPSec packet is received with an inner IP header that does not match the configured policy for the tunnel.
    Recommendation: Verify that the crypto ACLs for the tunnel are correct and that all acceptable packets are included in the tunnel identity. Verify that the box is not under attack if this message is repeatedly seen.

NP midpath service failure (np-midpath-service-failure)
    This is a general counter for critical midpath service errors.
    Recommendation: This indicates a software error that should be reported to the Cisco TAC.

SVC replacement connection established (svc-replacement-conn)
    This counter is incremented when an SVC connection is replaced by a new connection.
    Recommendation: None. This may indicate that users are having difficulty maintaining connections to the ASA. Users should evaluate the quality of their home network and Internet connection.

NP midpath CP event failure (np-midpath-cp-event-failure)
    This is a counter for critical midpath events that could not be sent to the CP.
    Recommendation: This indicates a software error that should be reported to the Cisco TAC.

NP virtual context removed (np-context-removed)
    This counter is incremented when the virtual context with which the flow is going to be associated has been removed. This could happen in a multi-core environment when one CPU core is in the process of destroying the virtual context, and another CPU core tries to create a flow in the context.
    Recommendation: No action is required.

Expired VPN context (vpn-context-expired)
    This counter will increment when the security appliance receives a packet that requires encryption or decryption, and the ASP VPN context required to perform the operation is no longer valid.
    Recommendation: This indicates a software error that should be reported to the Cisco TAC.

IPSec locking error (vpn-lock-error)
    This counter is incremented when a VPN flow cannot be created due to an internal locking error.
    Recommendation: This condition should never be encountered during normal operation and may indicate a software problem with the appliance. Contact the Cisco Technical Assistance Center (TAC) if this error occurs.

Flow removed from standby unit due to idle timeout (fover-idle-timeout)
    A flow is considered idle if the standby unit no longer receives the periodic update from the active unit, which is supposed to happen at a fixed interval while the flow is alive. This counter is incremented when such a flow is removed from the standby unit.
    Recommendation: This counter is informational.

Flow matched dynamic-filter blacklist (dynamic-filter)
    A flow matched a dynamic-filter blacklist or greylist entry with a threat level higher than the threat-level threshold configured to drop traffic.
    Recommendation: Use the internal IP address to trace the infected host. Take remediation steps to remove the infection.

Examples

The following example shows the output if there are no flow drops:

hostname> show opdata flowdrop
Data Plane Drop Table:
============================
Data Plane Flow Drop

Related Commands

clear opdata flowdrop    Clear dropped flow records.
show opdata framedrop    Displays information about dropped frames (packets).
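The drop tables are most useful when read as deltas over time: the recommendations separate counters that are informational, counters that point at spoofed, looping or malformed traffic, counters that indicate a software error, and counters that are normal at a low rate but suspicious when they increment rapidly (need-ike, flow-reclaimed, the VPN handle counters). The following Python script is an added example and is not part of this command reference or of the ASA CX software. It parses two snapshots of show opdata flowdrop taken some seconds apart (the same parser applies to show opdata framedrop, whose reason ids such as rpf-violated and invalid-ip-header are included in the groupings), computes the per-counter increment, and applies those recommendations. It assumes, since the layout is not documented on this page, that each counter is printed as the reason text, the reason id in parentheses, and the count; the two snapshots in the script are constructed to match that assumed layout.

```python
"""Triage helper for ASA CX data-plane drop counters (added example).

Assumption (not documented on this page): each counter line of
show opdata flowdrop / show opdata framedrop has the form
    <Reason text> (<reason-id>)   <count>
The snapshots below are constructed to match that assumed layout.
"""
import re
from typing import Dict, List, Tuple

# Reason ids grouped by what the drop-reason tables recommend for them.
SECURITY = {            # "analyze your traffic", "trace the source", "under attack"
    "ipsec-spoof-detect", "svc-spoof-detect", "sp-looping-address",
    "ipsec-selector-failure", "tcpnorm-rexmit-bad", "rpf-violated",
    "children-limit", "dynamic-filter", "invalid-ip-header",
    "invalid-tcp-hdr-length", "invalid-udp-length", "punt-rate-limit",
}
SOFTWARE_DEFECT = {     # "should be reported to the Cisco TAC"
    "tcp-intercept-unexpected", "tcpmod-connect-clash", "np-socket-failure",
    "np-socket-data-move-failure", "np-socket-new-conn-failure",
    "np-socket-block-conv-failure", "np-midpath-service-failure",
    "np-midpath-cp-event-failure", "vpn-context-expired", "vpn-lock-error",
}
RATE_SENSITIVE = {      # normal at a low rate, suspicious when incrementing rapidly
    "need-ike", "vpn-handle-error", "vpn-handle-not-found", "flow-reclaimed",
    "np-sp-invalid-spi", "np-socket-conn-not-accepted",
    "np-socket-relay-failure", "np-socket-transport-closed",
}

LINE_RE = re.compile(
    r"^\s*(?P<text>.+?)\s+\((?P<id>[A-Za-z0-9_-]+)\)\s+(?P<count>\d+)\s*$"
)


def parse_drop_table(output: str) -> Dict[str, int]:
    """Map reason-id -> count. Prompt, banner and '====' lines never match."""
    counters: Dict[str, int] = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[m.group("id")] = int(m.group("count"))
    return counters


def triage(before: Dict[str, int], after: Dict[str, int],
           interval_s: float, rate_threshold: float = 10.0) -> List[Tuple[str, int, str]]:
    """Compare two snapshots taken interval_s seconds apart.

    Returns (reason-id, increment, verdict) for every counter that moved,
    largest increment first. rate_threshold (increments per second) is an
    arbitrary starting value, not a figure from the reference.
    """
    if interval_s <= 0:
        raise ValueError("interval_s must be positive")
    findings: List[Tuple[str, int, str]] = []
    for rid, now in after.items():
        delta = now - before.get(rid, 0)
        if delta <= 0:
            continue
        rate = delta / interval_s
        if rid in SECURITY:
            verdict = "investigate: spoofed, looping or malformed traffic"
        elif rid in SOFTWARE_DEFECT:
            verdict = "report to Cisco TAC: internal error"
        elif rid in RATE_SENSITIVE and rate >= rate_threshold:
            verdict = f"rapid increment ({rate:.1f}/s): check configuration and peer reachability"
        else:
            verdict = "informational"
        findings.append((rid, delta, verdict))
    findings.sort(key=lambda f: f[1], reverse=True)
    return findings


# Constructed sample snapshots, 60 seconds apart (not real device output).
SNAPSHOT_T0 = """\
hostname> show opdata flowdrop
Data Plane Drop Table:
============================
Data Plane Flow Drop
  Flow is denied by access rule (acl-drop)                       1200
  Connection timeout (connection-timeout)                        3400
  TCP FINs (tcp-fins)                                            9800
  Need to start IKE negotiation (need-ike)                          5
  IPSec spoof packet detected (ipsec-spoof-detect)                  0
  NP socket failure (np-socket-failure)                             0
"""
SNAPSHOT_T60 = """\
hostname> show opdata flowdrop
Data Plane Drop Table:
============================
Data Plane Flow Drop
  Flow is denied by access rule (acl-drop)                       1250
  Connection timeout (connection-timeout)                        3600
  TCP FINs (tcp-fins)                                            9800
  Need to start IKE negotiation (need-ike)                        905
  IPSec spoof packet detected (ipsec-spoof-detect)                  3
  NP socket failure (np-socket-failure)                             1
"""


def main() -> None:
    before = parse_drop_table(SNAPSHOT_T0)
    after = parse_drop_table(SNAPSHOT_T60)
    for rid, delta, verdict in triage(before, after, interval_s=60):
        print(f"{rid:28s} +{delta:<6d} {verdict}")


if __name__ == "__main__":
    main()
```

On the sample data the script ranks need-ike first (900 increments in 60 seconds, which the reference says may indicate a crypto configuration error or a peer that cannot complete ISAKMP), flags the three ipsec-spoof-detect increments for investigation and the single np-socket-failure increment for a TAC report, and reports acl-drop and connection-timeout as informational. The grouping sets are the part to extend as you read the remaining tables; counters that appear in none of them default to informational.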

show opdata framedrop

To view information about dropped frames, which might help you troubleshoot a problem, use the show opdata framedrop command.

show opdata framedrop

Syntax
    This command has no arguments or keywords.

Command Default
    No default behavior or values.

Command Modes
    You can use this command in the following contexts: ASA CX console or SSH session.

Command History
    Release: CX Software 9.0(1)
    Modification: This command was introduced.

Usage Guidelines
    The reasons a frame (packet) might have been dropped are described below.

    Note: This information is used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Table 5: ASA CX Frame Drop Reasons

Punt rate limit exceeded (punt-rate-limit)
    This counter is incremented when the appliance attempts to forward a Layer-2 packet to a rate-limited control-point service routine and the rate limit (per second) is exceeded. Currently, the only Layer-2 packets destined for a control-point service routine which are rate limited are ARP packets. The ARP packet rate limit is 500 per second per interface.
    Recommendation: Analyze your network traffic to determine the reason behind the high rate of ARP packets.

Punt no memory (punt-no-mem)
    This counter is incremented and the packet dropped when there is no memory to create the data structure for punting a packet to the Control Point.
    Recommendation: No action needs to be taken if this condition is transient. If this condition persists due to low memory, a system upgrade might be necessary.

Punt queue limit exceeded (punt-queue-limit)
    This counter is incremented and the packet is dropped when the punt queue limit is exceeded, an indication that a bottleneck is forming at the Control Point.
    Recommendation: No action needs to be taken. This is a design limitation.

Flow is being freed (flow-being-freed)
    This counter is incremented when the flow is being freed and all packets queued for inspection are dropped.
    Recommendation: No action needs to be taken.

Invalid Encapsulation (invalid-encap)
    This counter is incremented when a frame belonging to an unsupported link-level protocol is received, or if the Layer-3 type specified in the frame is not supported. The packet is dropped.
    Recommendation: Verify that directly connected hosts have proper link-level protocol settings.

Invalid IP header (invalid-ip-header)
    This counter is incremented and the packet dropped when an IP packet is received whose computed checksum for the IP header does not match the recorded checksum in the header.
    Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a peer is sending corrupted packets and an attack is in progress. Use packet capture to learn more about the origin of the packet.

Unsupported IP version (unsupported-ip-version)
    This counter is incremented when an IP packet is received that has an unsupported version in the version field of the IP header; specifically, if the packet does not belong to version 4 or version 6. The packet is dropped.
    Recommendation: Verify that other devices on the connected network are configured to send IP packets belonging to versions 4 or 6 only.

Invalid IP Length (invalid-ip-length)
    This counter is incremented when an IPv4 or IPv6 packet is received in which the header length or total length fields in the IP header are not valid or do not conform to the received packet length.
    Recommendation: None.

Invalid Ethertype (invalid-ethertype)
    This counter is incremented when the fragmentation module receives or tries to send a fragmented packet that does not belong to IP version 4 or version 6. The packet is dropped.
    Recommendation: Verify the MTU of the device and other devices on the connected network to determine why the device is processing such fragments.

Invalid TCP Length (invalid-tcp-hdr-length)
    This counter is incremented when a TCP packet is received whose size is smaller than the minimum-allowed header length, or does not conform to the received packet length.
    Recommendation: The invalid packet could be a bogus packet being sent by an attacker. Investigate the traffic source.

Invalid UDP Length (invalid-udp-length)
    This counter is incremented when a UDP packet is received whose size, as calculated from the fields in the header, is different from the measured size of the packet as received from the network.
    Recommendation: The invalid packet could be a bogus packet being sent by an attacker.

No valid adjacency (no-adjacency)
    This counter is incremented when the device tried to obtain an adjacency and could not obtain a MAC address for the next hop. The packet is dropped.
    Recommendation: Configure a capture for this drop reason and check if a host with the specified destination address exists on the connected network or is routable from the device.

Unexpected packet (unexpected-packet)
    This counter is incremented when the device in transparent mode receives a non-IP packet, destined to its MAC address, but there is no corresponding service running on the appliance to process the packet.
    Recommendation: Verify if the device is under attack. If there are no suspicious packets, or the device is not in transparent mode, this counter is most likely being incremented due to a software error. Attempt to capture the traffic that is causing the counter to increment and contact the Cisco Technical Assistance Center (TAC).

No route to host (no-route)
    This counter is incremented when the device tries to send a packet out of an interface and does not find a route for it in the routing table.
    Recommendation: Verify that a route exists for the destination address.

Reverse-path verify failed (rpf-violated)
    This counter is incremented when IP-verify is configured on an interface and a packet is received for which the route lookup of the source IP did not yield the same interface as the one on which the packet was received.
    Recommendation: Trace the source of the traffic and determine why it is sending spoofed traffic.

Flow is denied by configured rule (acl-drop)
    This counter is incremented when a packet is dropped because of a drop rule. This could be a default rule created when the device is powered up, when various features are turned on or off, when an ACL is applied to an interface, and so on. Aside from default rule drops, a packet might be dropped because of:
    - An ACL rule configured on an interface.
    - An ACL configured for AAA and an AAA rule denied the user.
    - Through-box traffic arriving at the management-only interface.
    - Unencrypted traffic arriving on an IPSec-enabled interface.
    Recommendation: Determine if one of the ACL rules has been matched.

Flow denied due to resource limitation (unable-to-create-flow)
    This counter is incremented and the packet is dropped when flow creation fails due to a system resource limitation. The resource limit may be:
    - System memory low
    - Packet block extension memory low
    - System connection limit
    The first two can occur simultaneously with the flow-drop reason "No memory to complete flow". Recommendation: Determine if free system memory is low. Determine if the flow-drop reason "No memory to complete flow" occurs. Determine if the connection count reaches the system connection limit.

Flow hash full (unable-to-add-flow)
    This counter is incremented when a newly created flow cannot be inserted into the flow hash table because the table is full. The flow and the packet are dropped. (This is not the maximum connection limit counter.) Recommendation: This message signifies a lack of resources on the device to support an operation that should have been successful. Use the show opdata connections command to determine if the number of connections exceeds the configured idle timeout values. If so, contact Cisco TAC.

Invalid SPI (np-sp-invalid-spi)
    This counter is incremented when an IPSec Encapsulating Security Payload (ESP) packet addressed to the device is received which specifies an SPI (security parameter index) not currently known by the device. Recommendation: Occasional invalid SPI indications occur, especially during rekey processing. Many invalid SPI indications may suggest a problem or a DoS attack. If you are experiencing a high rate of invalid SPI indications, analyze your network traffic to determine the source of the ESP traffic.

Unsupported IPv6 header (unsupport-ipv6-hdr)
    This counter is incremented and the packet dropped if an IPv6 packet is received with an unsupported IPv6 extension header. The supported IPv6 extension headers are: TCP, UDP, ICMPv6, ESP, AH, Hop Options, Destination Options, and Fragment. The IPv6 routing extension header is not supported, and any other extension header not listed here is not supported. IPv6 ESP and AH headers are supported only if the packet is through-the-box. To-the-box IPv6 ESP and AH packets are not supported and will be dropped. Recommendation: This error may be due to a misconfigured host. If this error occurs repeatedly or in large numbers, it could also indicate spurious or malicious activity such as an attempted DoS attack.

NAT-T keepalive message (natt-keepalive)
    This counter is incremented when an IPSec NAT-T keep-alive message is received. NAT-T keep-alive messages are sent from the IPSec peer to keep NAT/PAT flow information current in network devices. Recommendation: If you have configured IPSec NAT-T on this device, this indication is normal and doesn't indicate a problem. If NAT-T is not configured on your appliance, analyze your network traffic to determine the source of the NAT-T traffic.

First TCP packet not SYN (tcp-not-syn)
    A non-SYN packet was received as the first packet of a non-intercepted and non-nailed connection. Recommendation: Under normal conditions, this may be seen when the appliance has already closed a connection, while the peer still believes the connection is open, and continues to transmit data. However, if connections have not been recently removed, and the counter is incrementing rapidly, the appliance may be under attack.

Bad TCP checksum (bad-tcp-cksum)
    This counter is incremented and the packet dropped when a TCP packet is received whose computed TCP checksum does not match the recorded checksum in the TCP header. Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a TCP endpoint is sending corrupted packets and an attack is in progress.

Bad TCP flags (bad-tcp-flags)
    This counter is incremented and the packet dropped when a TCP packet is received with invalid TCP flags in the TCP header. For example, a packet with both the SYN and FIN TCP flags set will be dropped. Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a TCP endpoint is sending corrupted packets and an attack is in progress.

TCP reserved flags set (tcp-reserved-set)
    This counter is incremented and the packet dropped when a TCP packet is received with reserved flags set in the TCP header. Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a TCP endpoint is sending corrupted packets and an attack is in progress.

TCP option list invalid (tcp-bad-option-list)
    This counter is incremented and the packet dropped when a TCP packet is received with a non-standard TCP header option. Recommendation: To allow such TCP packets, or to clear the non-standard TCP header options and then allow the packet, reconfigure TCP on the device.

TCP data exceeded MSS (tcp-mss-exceeded)
    This counter is incremented and the packet dropped when a TCP packet is received with a data length greater than the MSS advertised by the peer TCP endpoint. Recommendation: To allow such TCP packets, reconfigure TCP on the device.

TCP SYNACK with data (tcp-synack-data)
    This counter is incremented and the packet dropped when a TCP SYN-ACK packet with data is received. Recommendation: The packet corruption may be caused by a bad cable or noise on the line. It may also be that a TCP endpoint is sending corrupted packets and an attack is in progress.

TCP SYN with data (tcp-syn-data)
    This counter is incremented and the packet dropped when a TCP SYN packet with data is received. Recommendation: To allow such TCP packets, reconfigure TCP on the device.
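The header-level TCP checks above (bad-tcp-flags, tcp-reserved-set, tcp-bad-option-list, tcp-syn-data, tcp-synack-data, tcp-mss-exceeded) can be reproduced offline to classify a captured segment. The following is an added example, not Cisco code; the accepted option kinds, the peer MSS default and the sample ports are assumptions.

```python
import struct

# Flag bits of TCP header byte 13 and the option kinds this check accepts.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# EOL, NOP, MSS, window scale, SACK-permitted, SACK, timestamp (RFC 793/7323/2018).
# Which kinds count as "standard" is an assumption of this example.
KNOWN_OPTIONS = {0, 1, 2, 3, 4, 5, 8}


def build_segment(flags: int, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Construct a sample TCP segment (ports and sequence numbers are made-up values)."""
    options += b"\x00" * (-len(options) % 4)   # pad the option list to a 32-bit boundary
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", 12345, 80, 1, 0, data_offset << 4, flags, 65535, 0, 0)
    return header + options + payload


def tcp_drop_reason(segment: bytes, peer_mss: int = 1460):
    """Return the framedrop counter name a segment would hit, or None if it passes.

    peer_mss is the MSS the peer advertised on this connection (assumption: the
    appliance learns it from the handshake; here it is simply passed in).
    """
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimum TCP header")
    offset_byte, flags = segment[12], segment[13]
    data_offset = (offset_byte >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("data offset does not fit the segment")

    # tcp-reserved-set: bits 1-3 of byte 12 are reserved (bit 0 is the NS flag).
    if offset_byte & 0x0E:
        return "tcp-reserved-set"

    # bad-tcp-flags: the table's example is SYN+FIN; SYN+RST and an empty flag
    # byte are invalid by the same logic.
    syn, fin, rst, ack = flags & TCP_SYN, flags & TCP_FIN, flags & TCP_RST, flags & TCP_ACK
    if (syn and fin) or (syn and rst) or flags == 0:
        return "bad-tcp-flags"

    # tcp-bad-option-list: walk the option list, rejecting unknown kinds and
    # lengths that do not fit inside the header.
    options = segment[20:data_offset]
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # no-operation
            i += 1
            continue
        if kind not in KNOWN_OPTIONS:
            return "tcp-bad-option-list"
        if i + 1 >= len(options):
            return "tcp-bad-option-list"
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return "tcp-bad-option-list"
        i += length

    # Data-carrying checks.
    payload_len = len(segment) - data_offset
    if syn and not ack and payload_len:
        return "tcp-syn-data"
    if syn and ack and payload_len:
        return "tcp-synack-data"
    if payload_len > peer_mss:
        return "tcp-mss-exceeded"
    return None
```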

TCP Dual open denied (tcp-dual-open)
    This counter is incremented and the packet dropped when a TCP SYN packet is received and an embryonic TCP connection is already open. Recommendation: None.

TCP data send after FIN (tcp-data-past-fin)
    This counter is incremented and the packet dropped when a new TCP data packet is received from an endpoint which had previously sent a FIN to close the connection. Recommendation: None.

TCP failed 3 way handshake (tcp-3whs-failed)
    This counter is incremented and the packet dropped when an invalid TCP packet is received during the three-way handshake. Recommendation: None.

TCP RST/FIN out of order (tcp-rstfin-ooo)
    This counter is incremented and the packet dropped when a RST or a FIN packet is received with an incorrect TCP sequence number. Recommendation: None.

TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)
    This counter is incremented and the packet dropped when a SYN or SYN-ACK packet is received during the three-way handshake with an incorrect TCP sequence number. Recommendation: None.

TCP ACK in SYNACK invalid (tcp-ack-syn-diff)
    This counter is incremented and the packet dropped when a SYN-ACK packet is received during the three-way handshake with an incorrect TCP acknowledgment number. Recommendation: None.

TCP SYN on established conn (tcp-syn-ooo)
    This counter is incremented and the packet dropped when a TCP SYN packet is received on an established TCP connection. Recommendation: None.

TCP SYNACK on established conn (tcp-synack-ooo)
    This counter is incremented and the packet dropped when a TCP SYN-ACK packet is received on an established TCP connection. Recommendation: None.

TCP packet SEQ past window (tcp-synack-ooo)
    This counter is incremented and the packet dropped when a TCP data packet is received with a sequence number beyond the window allowed by the peer TCP endpoint. Recommendation: None.

TCP invalid ACK (tcp-invalid-ack)
    This counter is incremented and the packet dropped when a TCP packet is received with an acknowledgment number greater than the data sent by the peer TCP endpoint. Recommendation: None.

TCP replicated flow pak drop (tcp-fo-drop)
    This counter is incremented and the packet dropped when a TCP packet is received with a control flag like SYN, FIN, or RST on an established connection just after the appliance has taken over as the active unit. Recommendation: None.

TCP ACK in 3 way handshake invalid (tcp-discarded-ooo)
    This counter is incremented and the packet dropped when a TCP ACK packet is received during a three-way handshake and the sequence number is not the next expected sequence number. Recommendation: None.

TCP Out-of-Order packet buffer full (tcp-buffer-full)
    This counter is incremented and the packet is dropped when an out-of-order (OoO) TCP packet is received on a connection and there is no remaining buffer space to store this packet. In order to inspect traffic, all TCP packets must be normalized (re-assembled so that they are in order) on connections that transit the module. There is a fixed queue size on the CX module that limits the amount of traffic that can be buffered. When the out-of-order packets are not re-transmitted by the sender before this buffer fills, packets will be dropped. This occurs most commonly in environments where traffic is back-hauled across a WAN link prior to being sent to the CX module and there is either packet loss or packet re-ordering on the WAN link. Recommendation: In general, the OoO traffic condition must be addressed, as there is a limit on how much buffering CX can perform.

TCP global Out-of-Order packet buffer full (tcp-global-buffer-full)
    This counter is incremented and the packet dropped when an out-of-order TCP packet is received on a connection and there are no more global buffers available. Typically, TCP packets are put into order on connections that are inspected by the appliance, or when packets are sent to a module for inspection. Recommendation: This is a temporary condition when all global buffers are full. If this counter is constantly incrementing, check your network for a large amount of out-of-order traffic, which could be caused by traffic of the same flow taking different routes through the network.

TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout)
    This counter is incremented and the packet dropped when a queued out-of-order TCP packet has been held in a buffer too long. Typically, TCP packets are put into order on connections that are inspected by the appliance, or when packets are sent to a module for inspection. If the next expected TCP packet does not arrive within a certain period, the queued out-of-order packet is dropped. Recommendation: The next expected TCP packet may not arrive because of network congestion, which is normal in a busy network. The TCP retransmission mechanism in the end host will retransmit the packet and the session will continue.

TCP RST/SYN in window (tcp-rst-syn-in-win)
    This counter is incremented and the packet dropped when a TCP SYN or TCP RST packet is received on an established connection with a sequence number within the timeout window but not the next expected sequence number. Recommendation: None.

TCP DUP and has been ACKed (tcp-acked)
    This counter is incremented and the packet dropped when a retransmitted data packet is received and the data has already been acknowledged by the peer TCP endpoint. Recommendation: None.

TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue)
    This counter is incremented and the packet dropped when a retransmitted data packet is received that is already in an out-of-order packet queue. Recommendation: None.

TCP packet failed PAWS test (tcp-paws-fail)
    This counter is incremented and the packet dropped when a TCP packet with the timestamp header option fails the PAWS (Protect Against Wrapped Sequences) test. Recommendation: To allow such connections to proceed, reconfigure the TCP options.

TCP connection limit reached (tcp-conn-limit)
    This reason is given for dropping a TCP packet during TCP connection establishment if the connection limit has been exceeded. Recommendation: If this counter is incrementing rapidly, determine which host's connection limit is reached. The connection limit may need to be increased if the traffic is normal, or the host may be under attack.

Connection limit reached (conn-limit)
    This reason is given for dropping a packet when the connection limit or host connection limit has been exceeded. If this is a TCP packet which is dropped during TCP connection establishment due to a connection limit, the drop reason TCP connection limit reached is also reported. Recommendation: If this counter is incrementing rapidly, determine which host's connection limit is reached. The connection limit may need to be increased if the traffic is normal, or the host may be under attack.

TCP retransmission partial (tcp_xmit_partial)
    This counter is incremented and the packet dropped when the check-retransmission feature is enabled and a partial TCP retransmission was received. Recommendation: None.

TCP bad retransmission (tcpnorm-rexmit-bad)
    This counter is incremented and the packet dropped when the check-retransmission feature is enabled and a TCP retransmission with different data from the original packet was received. Recommendation: None.

TCP unexpected window size variation (tcpnorm-win-variation)
    This counter is incremented and the packet dropped when the window size advertised by a TCP endpoint is drastically changed without accepting that much data. Recommendation: In order to allow such packets, change the TCP window-size configuration.

IPSEC/UDP keepalive message (ipsecudp-keepalive)
    This counter is incremented when an IPSec over UDP keepalive message is received. IPSec over UDP keepalive messages are sent from the IPSec peer to keep NAT/PAT flow information current in network devices. These are not industry-standard NAT-T keepalive messages, which are carried over UDP and addressed to the NAT-T UDP port. Recommendation: If you have configured IPSec over UDP, this indication is normal and doesn't indicate a problem. If IPSec over UDP is not configured on your device, analyze your network traffic to determine the source of the IPSec over UDP traffic.

Rate limit exceeded (rate-exceeded)
    This counter is incremented when rate-limiting (policing) is configured on an egress/ingress interface and the egress/ingress traffic rate exceeds the configured burst rate. The counter is incremented for each packet dropped. Recommendation: Determine why the rate of traffic leaving/entering the interface is higher than the configured rate. This may be normal, or could be an indication of a virus or an attempted attack.

Rate-limiter queued packet dropped (queue-removed)
    When the QoS configuration is changed or removed, the packets in the output queues awaiting transmission are dropped and this counter is incremented. Recommendation: Under normal conditions, this may be seen when the QoS configuration is changed. If this occurs when no changes to the QoS configuration were made, please contact the Cisco Technical Assistance Center (TAC).

Bad crypto return in packet (bad-crypto)
    This counter is incremented when the device attempts a crypto operation on a packet and the crypto operation fails. This is not a normal condition and could indicate possible software or hardware problems. Recommendation: If you are receiving many bad crypto indications, your device may need servicing.

IPSec not AH or ESP (bad-ipsec-prot)
    This counter is incremented when a packet is received on an IPSec connection which is not an AH or ESP protocol. This is not a normal condition. Recommendation: If you are receiving many IPSec not AH or ESP indications, analyze your network to determine the source of the traffic.

IPSec via IPV6 (ipsec-ipv6)
    This counter is incremented when an IPSec ESP packet, IPSec NAT-T ESP packet, or an IPSec over UDP ESP packet is received encapsulated in an IPv6 header. IPSec sessions encapsulated in IPv6 are not currently supported. Recommendation: None.

BAD IPSec NATT packet (bad-ipsec-natt)
    This counter is incremented when a packet is received on an IPSec connection which has negotiated NAT-T, but the packet is not addressed to the NAT-T UDP destination port of 4500, or it had an invalid payload length. Recommendation: Analyze your network to determine the source of the NAT-T traffic.

BAD IPSec UDP packet (bad-ipsec-udp)
    This counter is incremented when a packet is received on an IPSec connection that has negotiated IPSec over UDP, but the packet has an invalid payload length. Recommendation: Analyze your network to determine the source of the IPSec traffic.

IPSec SA not negotiated yet (ipsec-need-sa)
    This counter is incremented when a packet is received that requires encryption but has no established IPSec security association. This is generally a normal condition for LAN-to-LAN IPSec configurations. This indication will cause the appliance to begin ISAKMP negotiations with the destination peer. Recommendation: If you have configured IPSec LAN-to-LAN on your device, this indication is normal and doesn't indicate a problem. However, if this counter increments rapidly it may indicate a crypto configuration error, or a network error preventing the ISAKMP negotiation from completing. Verify that you can communicate with the destination peer, and verify your crypto configuration.

CTM returned error (ctm-error)
    This counter is incremented when a crypto operation on a packet is attempted and the crypto operation fails. This is not a normal condition and could indicate software or hardware problems. Recommendation: If you are receiving many bad crypto indications, the device may need servicing.

Send to CTM returned error (send-ctm-error)
    This counter is obsolete and should never be incremented. Recommendation: None.

IPSec spoof detected (ipsec-spoof)
    This counter is incremented when a packet is received that should have been encrypted but was not. The packet matched the inner header security policy check of a configured and established IPSec connection, but was received unencrypted. This is a security issue. Recommendation: Analyze your network to determine the source of the spoofed IPSec traffic.

IPSec Clear Pkt w/no tunnel (ipsec-clearpkt-notun)
    This counter is incremented when an IPSec clear-text packet is received for which there is no tunnel established. The packet is dropped and a tunnel is established for when the packet is resent. Recommendation: None.

IPSec tunnel is down (ipsec-tun-down)
    This counter is incremented when a received packet is associated with an IPSec connection which is in the process of being deleted. Recommendation: This is a normal condition when the IPSec tunnel is torn down for any reason.

Early security checks failed (security-failed)
    This counter is incremented and the packet dropped when:
    - an IPv4 multicast packet is received and the packet's multicast MAC address doesn't match the packet's multicast destination IP address.
    - an IPv6 or IPv4 teardrop fragment is received containing either a small offset or an overlapping fragment.
    - an IPv4 packet is received that matches an IP audit (IPS) signature.
    Recommendation: Contact the remote peer administrator, or escalate this issue according to your security policy.

Slowpath security checks failed (sp-security-failed)
    This counter is incremented and the packet dropped when:
    1. In routed mode, any of the following through-the-box packets are received:
       - a Layer-2 broadcast packet.
       - an IPv4 packet with a destination IP address of
       - an IPv4 packet with a source IP address of
    2. In routed or transparent mode, a through-the-box IPv4 packet is received with any of the following:
       - the first octet of the source IP address is equal to zero.
       - the source IP address is equal to the loopback IP address.
       - the network part of the source IP address is all zeros.
       - the network part of the source IP address is all ones.
       - the source IP address host part is all zeros or all ones.
    3. In routed or transparent mode, an IPv4 or IPv6 packet is received with the same source and destination IP address.
    Recommendation: For items 1 and 2, determine if an external user is trying to compromise the protected network. Check for misconfigured clients. For item 3, if this message counter is incrementing rapidly, an attack may be in progress. Check the packet's source MAC address to determine where the packets are coming from.

IPv6 slowpath security checks failed (ipv6_sp-security-failed)
    This counter is incremented and the packet dropped for any of the following:
    - IPv6 through-the-box packet with identical source and destination addresses.
    - IPv6 through-the-box packet with a link-local source or destination address.
    - IPv6 through-the-box packet with a multicast destination address.
    Recommendation: These packets could indicate malicious activity, or could be the result of a misconfigured IPv6 host. Check the packet's source MAC address to determine where the packets are coming from.

IP option drop (invalid-ip-option)
    This counter is incremented when any unicast packet with IP options, or any multicast packet with IP options that have not been configured for acceptance, is received by the device. The packet is dropped. Recommendation: Determine why a packet with IP options is being sent by the remote host.

Invalid LU packet (lu-invalid-pkt)
    The standby unit received a corrupted Logical Update packet. Recommendation: Packet corruption can be caused by a bad cable, interface card, line noise, or a software defect. If the interface appears to be functioning properly, report the problem to Cisco TAC.
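The address checks behind sp-security-failed and ipv6_sp-security-failed, plus the multicast MAC/IP consistency check of security-failed, can be reproduced with Python's ipaddress module. This is an added example, not Cisco code; it assumes the "network part" is defined by a prefix length supplied by the caller, and it implements only the items whose values survive on this page.

```python
import ipaddress


def slowpath_drop_reason(src: str, dst: str, prefixlen: int):
    """Return 'sp-security-failed', 'ipv6_sp-security-failed' or None for a
    through-the-box packet's source/destination pair.

    prefixlen is assumed to be the mask of the ingress interface's network; the
    table speaks of the address's "network part" without saying where the mask
    comes from. Only checks the table spells out are implemented; the routed-mode
    items whose addresses are missing from this copy of the page are omitted.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("source and destination must be the same address family")
    # Item 3 (IPv4) and the first IPv6 bullet: identical source and destination.
    if s == d:
        return "sp-security-failed" if s.version == 4 else "ipv6_sp-security-failed"
    if s.version == 6:
        # Link-local on either side, or a multicast destination, is dropped.
        if s.is_link_local or d.is_link_local or d.is_multicast:
            return "ipv6_sp-security-failed"
        return None
    # Item 2: IPv4 source-address checks.
    addr = int(s)
    host_bits = 32 - prefixlen
    network_part, host_part = addr >> host_bits, addr & ((1 << host_bits) - 1)
    if (addr >> 24) == 0:                                   # first octet zero
        return "sp-security-failed"
    if s.is_loopback:                                       # 127.0.0.0/8
        return "sp-security-failed"
    if network_part in (0, (1 << prefixlen) - 1):           # network part all 0s / all 1s
        return "sp-security-failed"
    # Host part all zeros or all ones (skipped for /31 and /32, which have no such addresses).
    if host_bits > 1 and host_part in (0, (1 << host_bits) - 1):
        return "sp-security-failed"
    return None


def multicast_mac_for(group: str) -> bytes:
    """RFC 1112 mapping: 01:00:5e followed by the low 23 bits of the IPv4 group."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return bytes([0x01, 0x00, 0x5E]) + low23.to_bytes(3, "big")


def early_check_multicast(dst_mac: bytes, dst_ip: str):
    """First bullet of security-failed: an IPv4 multicast packet whose destination
    MAC does not match its multicast destination IP is dropped."""
    d = ipaddress.IPv4Address(dst_ip)
    if d.is_multicast and dst_mac != multicast_mac_for(dst_ip):
        return "security-failed"
    return None
```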

Dropped by standby unit (fo-standby)
    If a through-the-box packet arrives at a device in standby mode, and a flow is created, the packet is dropped and the flow removed. This counter is incremented each time a packet is dropped for this reason. Recommendation: This counter should never be incremented on the active device or context. However, it is normal to see it incremented on the standby device or context.

Dst MAC L2 Lookup Failed (dst-l2_lookup-fail)
    This counter is incremented when, in transparent mode, the appliance performs a Layer-2 destination MAC address look-up which fails. Upon the look-up failure, the appliance begins the destination MAC discovery process, and attempts to determine the location of the remote host via ARP and/or ICMP messages. Recommendation: This is a normal condition when the appliance is operating in transparent mode.

L2 Src/Dst same LAN port (l2_same-lan-port)
    This counter is incremented when the appliance or context is configured for transparent mode and the appliance determines that the destination interface's Layer-2 MAC address is the same as its ingress interface. Recommendation: This is a normal condition when the appliance or context is operating in transparent mode. Since the appliance interface is operating in promiscuous mode, the appliance/context receives all packets on the local LAN segment.

Expired flow (flow-expired)
    This counter is incremented when the appliance tries to inject a new or cached packet belonging to a flow that has already expired. It is also incremented when the appliance attempts to send an RST on a TCP flow that has already expired, or when a packet returns from an IDS blade but the flow has already expired. The packet is dropped. Recommendation: If valid applications are being pre-empted, determine if a longer time-out is needed.

ICMP Inspect out of App ID (inspect-icmp-out-of-app-id)
    This counter is incremented when the ICMP inspection engine fails to allocate an App ID data structure. This structure is used to store the sequence number of the ICMP packet. Recommendation: Check system-memory usage. This event normally occurs when the system runs short of memory.

ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched)
    This counter is incremented when the sequence number in the ICMP echo reply message does not match any ICMP echo message that passed across the appliance earlier on the same connection. Recommendation: No action required if it is an intermittent event. If the cause is an attack, you can deny the host using the ACLs.

ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn)
    This counter is incremented when the appliance is not able to find any established connection related to the frame embedded in the ICMP error message. Recommendation: No action required if it is an intermittent event. If the cause is an attack, you can deny the host using the ACLs.

ICMP Error Inspect different embedded conn (inspect-icmp-error-different-embedded-conn)
    This counter is incremented when the frame embedded in the ICMP error message does not match the established connection identified when the ICMP connection is created. Recommendation: No action required if it is an intermittent event. If the cause is an attack, you can deny the host using the ACLs.

ICMPv6 Error Inspect invalid packet (inspect-icmpv6-error-invalid-pak)
    This counter is incremented when the appliance detects an invalid frame embedded in the ICMPv6 packet. This check is the same as that on IPv6 packets. Examples: incomplete IPv6 header; malformed IPv6 Next Header; etc. Recommendation: No action required.

ICMPv6 Error Inspect no existing conn (inspect-icmpv6-error-no-existing-conn)
    This counter is incremented when the appliance is not able to find any established connection related to the frame embedded in the ICMPv6 error message. Recommendation: No action required if it is an intermittent event. If the cause is an attack, you can deny the host using the ACLs.

DNS Inspect invalid packet (inspect-dns-invalid-pak)
    This counter is incremented when the appliance detects an invalid DNS packet. Examples: a DNS packet with no DNS header; the number of DNS resource records does not match the counter in the header; etc. Recommendation: No action required.

DNS Inspect invalid domain label (inspect-dns-invalid-domain-label)
    This counter is incremented when the appliance detects an invalid DNS domain name or label. The DNS domain name and label are checked per the RFC. Recommendation: No action required. If the domain name and label checking is not desired, disable the protocol-enforcement parameter in the DNS inspection policy.

DNS Inspect packet too long (inspect-dns-pak-too-long)
    This counter is incremented when the length of the DNS message exceeds the configured maximum allowed value. Recommendation: No action required. If DNS message length checking is not desired, enable DNS inspection without the maximum-length option, or disable the message-length maximum parameter in the DNS inspection policy.

DNS Inspect out of App ID (inspect-dns-out-of-app-id)
    This counter is incremented when the DNS inspection engine fails to allocate a data structure to store the identification of the DNS message. Recommendation: Check system-memory usage. This event normally happens when the system runs short of memory.

DNS Inspect ID not matched (inspect-dns-id-not-matched)
    This counter is incremented when the identification of the DNS response message does not match any DNS queries that passed across the appliance earlier on the same connection. Recommendation: No action required if it is an intermittent event. If the cause is an attack, you can deny the host using the ACLs.

DNS Guard out of App ID (dns-guard-out-of-app-id)
    This counter is incremented when the DNS Guard function fails to allocate a data structure to store the identification of the DNS message. Recommendation: Check the system memory usage. This event normally happens when the system runs short of memory.

DNS Guard ID not matched (dns-guard-id-not-matched)
    This counter is incremented when the identification of the DNS response message does not match any DNS queries that passed across the appliance earlier on the same connection. Recommendation: No action required if it is an intermittent event. If the cause is an attack, you can deny the host using the ACLs.

Invalid RTP Packet length (inspect-rtp-invalid-length)
    This counter is incremented when the UDP packet length is less than the size of the RTP header. Recommendation: No action required. If desired, you can determine which RTP source is sending the incorrect packets and deny the host using the ACLs.

Invalid RTP Version field (inspect-rtp-invalid-version)
    This counter is incremented when the RTP version field contains a version other than 2. Recommendation: The RTP source in your network seems to be sending RTP packets that do not conform to the RFC. The reason for this should be identified, and you can deny the host using ACLs if necessary.

Invalid RTP Payload type field (inspect-rtp-invalid-payload-type)
    This counter is incremented when the RTP payload type field does not contain an audio payload type when the signalling channel negotiated an audio media type for this RTP secondary connection. The counter increments similarly for the video payload type. Recommendation: The RTP source in your network is using the audio RTP secondary connection to send video or vice versa. If you wish to prevent this you can deny the host using ACLs.

Invalid RTP Synchronization Source field (inspect-rtp-ssrc-mismatch)
    This counter will increment when the RTP SSRC field in the packet does not match the SSRC which the inspect has been seeing from this RTP source in all the RTP packets. Recommendation: This could be because the RTP source in your network is rebooting and hence changing the SSRC, or it could be because another host on your network is trying to use the opened secondary RTP connections on the firewall to send RTP packets. This should be investigated further to confirm whether there is a problem.

RTP Sequence number out of range (inspect-rtp-sequence-num-outofrange)
    This counter will increment when the RTP sequence number in the packet is not in the range expected by the inspect. Recommendation: No action is required because the inspect tries to recover and start tracking from a new sequence number after a lapse in the sequence numbers from the RTP source.

RTP out of sequence packets in probation period (inspect-rtp-max-outofseq-paks-probation)
    This counter will increment when the number of out-of-sequence packets received while the RTP source is being validated exceeds 20. During the probation period, the inspect looks for 5 in-sequence packets to consider the source validated. Recommendation: Check the RTP source to see why the first few packets do not come in sequence and correct it.

Invalid RTCP Packet length (inspect-rtcp-invalid-length)
    This counter will increment when the UDP packet length is less than the size of the RTCP header. Recommendation: No action required. A capture can be used to figure out which RTP source is sending the incorrect packets, and you can deny the host using the ACLs.

Invalid RTCP Version field (inspect-rtcp-invalid-version)
    This counter will increment when the RTCP version field contains a version other than 2. Recommendation: The RTP source in your network does not seem to be sending RTCP packets conformant with the RFC. The reason for this has to be identified, and you can deny the host using ACLs if required.

Invalid RTCP Payload type field (inspect-rtcp-invalid-payload-type)
    This counter will increment when the RTCP payload type field does not contain a value from 200 to 204. Recommendation: The RTP source should be validated to see why it is sending payload types outside of the range recommended by the RFC.

Inspect SRTP Encryption failed (inspect-srtp-encrypt-failed)
    This counter will increment when SRTP encryption fails. Recommendation: If the error persists even after a reboot, please call TAC to see why SRTP encryption is failing in the hardware crypto accelerator.

Inspect SRTP Decryption failed (inspect-srtp-decrypt-failed)
    This counter will increment when SRTP decryption fails. Recommendation: If the error persists even after a reboot, please call TAC to see why SRTP decryption is failing in the hardware crypto accelerator.

Inspect SRTP Authentication tag validation failed (inspect-srtp-validate-authtag-failed)
    This counter will increment when SRTP authentication tag validation fails. Recommendation: No action is required. If the error persists, SRTP packets arriving at the firewall are being tampered with and the administrator has to identify the cause.

Inspect SRTP Authentication tag generation failed (inspect-srtp-generate-authtag-failed)
    This counter will increment when SRTP authentication tag generation fails. Recommendation: No action is required.

Inspect SRTP failed to find output flow (inspect-srtp-no-output-flow)
    This counter will increment when the flow from the Phone Proxy could not be created or the flow has been torn down. Recommendation: No action is required. The flow creation could have failed because of low memory conditions.

Inspect SRTP setup in CTM failed (inspect-srtp-setup-srtp-failed)
This counter will increment when SRTP setup in the CTM fails.
Recommendation: No action is required. If the error persists, call TAC to see why the CTM calls are failing.

Inspect SRTP failed to find keys for both parties (inspect-srtp-one-part-no-key)
This counter will increment when Inspect SRTP finds only one party's keys populated in the media session.
Recommendation: No action is required. This counter could increment in the beginning phase of the call, but eventually, when the call signaling exchange completes, both parties should know their respective keys.

Inspect SRTP Media session lookup failed (inspect-srtp-no-media-session)
This counter will increment when SRTP media session lookup fails.
Recommendation: No action is required. The media session is created by Inspect SIP or Skinny when the IP address is parsed as part of the signaling exchange. Debug the signaling messages to figure out the cause.

Inspect SRTP Remote Phone Proxy IP not populated (inspect-srtp-no-remote-phone-proxy-ip)
This counter will increment when the remote phone proxy IP is not populated.
Recommendation: No action is required. The remote phone proxy IP address is populated from the signaling exchange. If the error persists, debug the signaling messages to figure out whether the ASA is seeing all the signaling messages.

Inspect SRTP client port wildcarded in media session (inspect-srtp-client-port-not-present)
This counter will increment when the client port is not populated in the media session.
Recommendation: No action is required. The client port is populated dynamically when the media stream comes in from the client. Capture the media packets to see if the client is sending media packets.

IPS Module requested drop (ips-request)
This counter is incremented and the packet is dropped as requested by the IPS module when the packet matches a signature on the IPS engine.
Recommendation: Check syslogs and alerts on the IPS module.

IPS card is down (ips-fail-close)
This counter is incremented and the packet is dropped when the IPS card is down and the fail-close option was used in IPS inspection.
Recommendation: Check and bring up the IPS card.

IPS config removed for connection (ips-fail)
This counter is incremented and the packet is dropped when IPS configuration is not found for a particular connection.
Recommendation: Check if any configuration changes have been done for IPS.

Executing IPS software does not support IPv6 (ips-no-ipv6)
This counter is incremented when an IPv6 packet, configured to be directed toward the IPS SSM, is discarded because the software executing on the IPS SSM card does not support IPv6.
Recommendation: Upgrade the IPS software to version 6.2 or later.

FP L2 rule drop (l2_acl)
This counter will increment when the appliance denies a packet due to a layer-2 ACL. By default, in routed mode the appliance will PERMIT:
1) IPv4 packets
2) IPv6 packets
3) ARP packets
4) L2 Destination MAC of FFFF:FFFF:FFFF (broadcast)
5) IPv4 MCAST packet with destination L2 of 0100:5E00: :5EFE:FFFF
6) IPv6 MCAST packet with destination L2 of 3333:0000: :FFFF:FFFF
By default, in transparent mode the appliance permits the routed mode ACL and additionally PERMITS:
1) BPDU packets with destination L2 of 0100:0CCC:CCCD
2) Appletalk packets with destination L2 of 0900:0700: :07FF:FFFF
The user can also configure ethertype ACL(s) and apply them to an interface to permit other types of L2 traffic.
Note - Packets permitted by L2 ACLs may still be dropped by L3-L4 ACLs.
Recommendation: If you are running the appliance/context in transparent mode and your non-IP packets are dropped by the appliance, you can configure an ethertype ACL and apply the ACL to an access group.
Note - The appliance ethertype CLI only supports protocol types and not L2 destination MAC addresses.

Intercept unexpected packet (intercept-unexpected)
Either data was received from the client while waiting for the SYNACK from the server, or a packet was received which cannot be handled in a particular state of TCP intercept.
Recommendation: If this drop is causing the connection to fail, please have a sniffer trace of the client and server side of the connection while reporting the issue. The box could be under attack, and the sniffer traces or capture would help narrow down the culprit.

FP no mcast entry (no-mcast-entry)
A packet has arrived that matches a multicast flow, but the multicast service is no longer enabled, or was re-enabled after the flow was built.
- OR -
A multicast entry change has been detected after a packet was punted to the CP, and the NP can no longer forward the packet since no entry is present.
Recommendation: Re-enable multicast if it is disabled.
- OR -
No action required.

FP no mcast output intrf (no-mcast-intrf)
All output interfaces have been removed from the multicast entry.
- OR -
The multicast packet could not be forwarded.
Recommendation: Verify that there are no longer any receivers for this group.
- OR -
Verify that a flow exists for this packet.

Fragment reassembly failed (fragment-reassembly-failed)
This counter is incremented when the appliance fails to reassemble a chain of fragmented packets into a single packet. All the fragment packets in the chain are dropped. This is most probably because of a failure while allocating memory for the reassembled packet.
Recommendation: Use the show blocks command to monitor the current block memory.

Virtual firewall classification failed (ifc-classify)
A packet arrived on a shared interface, but failed to classify to any specific context interface.
Recommendation: For software versions without customizable mac-address support, use the "global" or "static" command to specify the IPv4 addresses that belong to each context interface. For software versions with customizable mac-address support, enable "mac-address auto" in the system context. Alternatively, configure unique MAC addresses for each context interface residing over a shared interface with the "mac-address" command under each context interface submode.

Connection locking failed (connection-lock)
While the packet was waiting for processing, the flow that would be used was destroyed.
Recommendation: The message could occur from a user interface command to remove a connection on a device that is actively processing packets. Otherwise, investigate the flow drop counter. This message may occur if the flows are force dropped due to an error.

Interface is down (interface-down)
This counter will increment for each packet received on an interface that is shut down via the 'shutdown' interface sub-mode command. For ingress traffic, the packet is dropped after security context classification if the interface associated with the context is shut down. For egress traffic, the packet is dropped when the egress interface is shut down.
Recommendation: No action required.

Invalid App length (invalid-app-length)
This counter will increment when the appliance detects an invalid length of the Layer 7 payload in the packet. Currently, it counts the drops by the DNS Guard function only. Example: Incomplete DNS header.
Recommendation: No action required.

Loopback buffer full (loopback-buffer-full)
This counter is incremented and the packet is dropped when packets are sent from one context of the appliance to another context through a shared interface and there is no buffer space in the loopback queue.
Recommendation: Check the system CPU to make sure it is not overloaded.

Non-IP packet received in routed mode (non-ip-pkt-in-routed-mode)
This counter will increment when the appliance receives a packet which is NOT IPv4, IPv6 or ARP and the appliance/context is configured for ROUTED mode. In normal operation such packets should be dropped by the default L2 ACL configuration.
Recommendation: This indicates that a software error should be reported to the Cisco TAC.

FP host move packet (host-move-pkt)
This counter will increment when the appliance/context is configured for transparent mode and the source interface of a known L2 MAC address is detected on a different interface.
Recommendation: This indicates that a host has been moved from one interface (i.e. LAN segment) to another. This condition is normal while in transparent mode if the host has in fact been moved. However, if the host move toggles back and forth between interfaces, a network loop may be present.

No management IP address configured for TFW (tfw-no-mgmt-ip-config)
This counter is incremented when the security appliance receives an IP packet in transparent mode and has no management IP address defined. The packet is dropped.
Recommendation: Configure the device with management IP address and mask values.

Packet shunned (shunned)
This counter will increment when a packet is received which has a source IP address that matches a host in the shun database.
Recommendation: No action required.

RM connection limit reached (rm-conn-limit)
This counter is incremented when the maximum number of connections for a context or the system has been reached and a new connection is attempted.
Recommendation: The device administrator can use the commands 'show resource usage' and 'show resource usage system' to view context and system resource limits and 'Denied' counts and adjust resource limits if desired.

RM connection rate limit reached (rm-conn-rate-limit)
This counter is incremented when the maximum connection rate for a context or the system has been reached and a new connection is attempted.
Recommendation: The device administrator can use the commands 'show resource usage' and 'show resource usage system' to view context and system resource limits and 'Denied' counts and adjust resource limits if desired.

Dropped pending packets in a closed socket (np-socket-closed)
If a socket is abruptly closed, by the user or software, then any pending packets in the pipeline for that socket are also dropped. This counter is incremented for each packet in the pipeline that is dropped.
Recommendation: It is common to see this counter increment as part of normal operation. However, if the counter is rapidly incrementing and there is a major malfunction of socket-based applications, then this may be caused by a software defect. Contact the Cisco TAC to investigate the issue further.

Port Forwarding Queue Is Full (mp-pf-queue-full)
This counter is incremented when the Port Forwarding application's internal queue is full and it receives another packet for transmission.
Recommendation: This indicates that a software error should be reported to the Cisco TAC.

SVC Module received data while connection was being deleted (mp-svc-delete-in-progress)
This counter will increment when the security appliance receives a packet associated with an SVC connection that is in the process of being deleted.
Recommendation: This is a normal condition when the SVC connection is torn down for any reason. If this error occurs repeatedly or in large numbers, it could indicate that clients are having network connectivity issues.

SVC Module received badly framed data (mp-svc-bad-framing)
This counter will increment when the security appliance receives a packet from an SVC or the control software that it is unable to decode.
Recommendation: This indicates that a software error should be reported to the Cisco TAC. The SVC or security appliance could be at fault.

SVC Module received bad data length (mp-svc-bad-length)
This counter will increment when the security appliance receives a packet from an SVC or the control software where the calculated and specified lengths do not match.
Recommendation: This indicates that a software error should be reported to the Cisco TAC. The SVC or security appliance could be at fault.

SVC Module received unknown data frame (mp-svc-unknown-type)
This counter will increment when the security appliance receives a packet from an SVC where the data type is unknown.
Recommendation: Validate that the SVC being used by the client is compatible with the version of security appliance software.

SVC Module received address renew response data frame (mp-svc-addr-renew-response)
This counter will increment when the security appliance receives an Address Renew Response message from an SVC. The SVC should not be sending this message.
Recommendation: This indicates that an SVC software error should be reported to the Cisco TAC.

SVC Module does not have enough space to insert header (mp-svc-no-prepend)
This counter will increment when there is not enough space before the packet data to prepend a MAC header in order to put the packet onto the network.
Recommendation: This indicates that a software error should be reported to the Cisco TAC.

SVC Module does not have a channel for re-injection (mp-svc-no-channel)
This counter will increment when the interface that the encrypted data was received upon cannot be found in order to inject the decrypted data.
Recommendation: If an interface is shut down during a connection, this could happen; re-enable/check the interface. Otherwise, this indicates that a software error should be reported to the Cisco TAC.

SVC Module does not have a session (mp-svc-no-session)
This counter will increment when the security appliance cannot determine the SVC session that this data should be transmitted over.
Recommendation: This indicates that a software error should be reported to the Cisco TAC.

SVC Module decompression error (mp-svc-decompres-error)
This counter will increment when the security appliance encounters an error during decompression of data from an SVC.
Recommendation: This indicates that a software error should be reported to the Cisco TAC. The SVC or security appliance could be at fault.

SVC Module compression error (mp-svc-compress-error)
This counter will increment when the security appliance encounters an error during compression of data to an SVC.
Recommendation: This indicates that a software error should be reported to the Cisco TAC. The SVC or security appliance could be at fault.

SVC Module unable to find L2 data for frame (mp-svc-no-mac)
This counter will increment when the security appliance is unable to find an L2 MAC header for data received from an SVC.
Recommendation: This indicates that a software error should be reported to the Cisco TAC.

SVC Module found invalid L2 data in the frame (mp-svc-invalid-mac)
This counter will increment when the security appliance finds an invalid L2 MAC header attached to data received from an SVC.
Recommendation: This indicates that a software error should be reported to the Cisco TAC.

SVC Module found invalid L2 data length in the frame (mp-svc-invalid-mac-len)
This counter will increment when the security appliance finds an invalid L2 MAC length attached to data received from an SVC.
Recommendation: This indicates that a software error should be reported to the Cisco TAC.

SVC Session is in flow control (mp-svc-flow-control)
This counter will increment when the security appliance needs to drop data because an SVC is temporarily not accepting any more data.
Recommendation: This indicates that the client is unable to accept more data. The client should reduce the amount of traffic it is attempting to receive.

SVC Module unable to fragment packet (mp-svc-no-fragment)
This counter is incremented when a packet to be sent to the SVC is not permitted to be fragmented or when there are not enough data buffers to fragment the packet.
Recommendation: Increase the MTU of the SVC to reduce fragmentation. Avoid using applications that do not permit fragmentation. Decrease the load on the device to increase available data buffers.

Invalid packet received from SSM card (ssm-dpp-invalid)
This counter only applies to the ASA 5500 series adaptive security appliance. It is incremented when the security appliance receives a packet from the internal data plane interface but could not find the proper driver to parse it.
Recommendation: The data plane driver is dynamically registered depending on the type of SSM installed in the system, so this could happen if data plane packets arrive before the security appliance is fully initialized. This counter is usually 0. You should not be concerned if there are a few drops. However, if this counter keeps rising when the system is up and running, it may indicate a problem. Please contact the Cisco Technical Assistance Center (TAC) if you suspect it affects the normal operation of your security appliance.

Invalid ASDP packet received from SSM card (ssm-asdp-invalid)
This counter only applies to the ASA 5500 series adaptive security appliance. It is incremented when the security appliance receives an ASA SSM Dataplane Protocol (ASDP) packet from the internal data plane interface, but the driver encountered a problem when parsing the packet. ASDP is a protocol used by the security appliance to communicate with certain types of SSMs, like the CSC-SSM. This could happen for various reasons: for example, the ASDP protocol version is not compatible between the security appliance and the SSM, in which case the card manager process in the control plane issues system messages and CLI warnings to inform you of the proper version of images that need to be installed; the ASDP packet belongs to a connection that has already been terminated on the security appliance; the security appliance has switched to the standby state (if failover is enabled), in which case it can no longer pass traffic; or an unexpected value was found when parsing the ASDP header and payload.
Recommendation: The counter is usually 0 or a very small number. The user should not be concerned if the counter slowly increases over time, especially when there has been a failover, or when connections have been manually cleared on the security appliance via the CLI. If the counter increases drastically during normal operation, please contact the Cisco Technical Assistance Center (TAC).

Service module requested drop (ssm-app-request)
This counter only applies to the ASA 5500 series adaptive security appliance. It is incremented when the application running on the SSM requests the security appliance to drop a packet.
Recommendation: More information could be obtained by querying the incident report or system messages generated by the SSM itself. Please consult the documentation that comes with your SSM for instructions.

Service module is down (ssm-app-fail)
This counter only applies to the ASA 5500 series adaptive security appliance. It is incremented when a packet to be inspected by the SSM is dropped because the SSM has become unavailable. Some examples of this are: software or hardware failure, software or signature upgrade, or the module being shut down.
Recommendation: The card manager process running in the security appliance control plane would have issued system messages and CLI warnings to inform you of the failure. Please consult the documentation that comes with the SSM to troubleshoot the SSM failure. Contact the Cisco Technical Assistance Center (TAC) if needed.

No route to host for WCCP returned packet (wccp-return-no-route)
This counter is incremented when a packet is returned from the Cache Engine and the security appliance does not find a route for the original source of the packet.
Recommendation: Verify that a route exists for the source IP address of the packet returned from the Cache Engine.

No route to Cache Engine (wccp-redirect-no-route)
This counter is incremented when the security appliance tries to redirect a packet and does not find a route to the Cache Engine.
Recommendation: Verify that a route exists for the Cache Engine.

VPN Handle Error (vpn-handle-error)
This counter is incremented when the appliance is unable to create a VPN handle because the VPN handle already exists.
Recommendation: It is possible to see this counter increment as part of normal operation. However, if the counter is rapidly incrementing and there is a major malfunction of VPN-based applications, then this may be caused by a software defect. Contact the Cisco TAC to investigate the issue further.

Telnet not permitted on least secure interface (telnet-not-permitted)
This counter is incremented and the packet is dropped when the appliance receives a TCP SYN packet attempting to establish a TELNET session to the appliance and that packet was received on the least secure interface.
Recommendation: To establish a TELNET session to the appliance via the least secure interface, first establish an IPSec tunnel to that interface and then connect the TELNET session over that tunnel.

Data path channel closed (channel-closed)
This counter is incremented when the data path channel has been closed before the packet attempts to be sent out through this channel.
Recommendation: This is normal in a multi-processor system when one processor closes the channel (e.g., via the CLI) and another processor tries to send a packet through the channel.

Dispatch decode error (dispatch-decode-err)
This counter is incremented when the packet dispatch module finds an error when decoding the frame. An example is an unsupported packet frame.
Recommendation: Verify the packet format with a capture tool.

IPSec locking error (ipsec-lock-error)
This counter is incremented when an IPSec operation is attempted but fails due to an internal locking error.
Recommendation: This condition should never be encountered during normal operation and may indicate a software problem with the appliance. Contact the Cisco Technical Assistance Center (TAC) if this error occurs.

CP event queue error (cp-event-queue-error)
This counter is incremented when a CP event queue enqueue attempt has failed because the queue length was exceeded. This queue is used by the data path to punt packets to the control point for additional processing. This condition is only possible in a multi-processor environment. The module that attempted to enqueue the packet may issue its own packet-specific drop in response to this error.
Recommendation: While this error does indicate a failure to completely process a packet, it may not adversely affect the connection. If the condition persists or connections are adversely affected, contact the Cisco Technical Assistance Center (TAC).

Host limit exceeded (host-limit)
This counter is incremented when the licensed host limit is exceeded.
Recommendation: None.

CP syslog event queue error (cp-syslog-event-queue-error)
This counter is incremented when a CP syslog event queue enqueue attempt has failed because the queue length was exceeded. This queue is used by the data path to punt logging events to the control point when logging destinations other than a UDP server are configured. This condition is only possible in a multi-processor environment.
Recommendation: While this error does indicate a failure to completely process a logging event, logging to UDP servers should not be affected. If the condition persists, consider lowering the logging level and/or removing logging destinations, or contact the Cisco Technical Assistance Center (TAC).

Dispatch block unavailable (dispatch-block-alloc)
This counter is incremented and the packet is dropped when the appliance could not allocate a core local block to process the packet that was received by the interface driver.
Recommendation: This may be due to packets being queued for later processing or a block leak. Core local blocks may also not be available if they are not replenished on time by the free resource rebalancing logic. Please use "show blocks core" to further diagnose the problem.

VPN Handle Mismatch (vpn-handle-mismatch)
This counter is incremented when the appliance wants to forward a block and the flow referred to by the VPN handle is different from the flow associated with the block.
Recommendation: This is not a normal occurrence. Please perform a "show console-output" and forward that output to Cisco TAC for further analysis.

Async lock queue limit exceeded (async-lock-queue-limit)
Each async lock working queue has a limit of When more SIP packets are attempted to be dispatched to the work queue, the packet will be dropped.
Recommendation: Only SIP traffic may be dropped. When SIP packets have the same parent lock, they can be queued into the same async lock queue, which may result in block depletion, because only a single core is handling all the media. If a SIP packet attempts to be queued when the size of the async lock queue exceeds the limit, the packet will be dropped.

Examples
The following is sample output for the show opdata framedrop command.

hostname>show opdata framedrop
Data Plane Drop Stats:
======================
Flow is being freed (flow-being-freed) 413
TCP failed 3 way handshake (tcp-3whs-failed)
TCP RST/FIN out of order (tcp-rstfin-ooo)
Connection limit reached (conn-limit) 3
Expired flow (flow-expired)
Unable to obtain connection lock (connection-lock) 46
TCP Proxy no inspection (tcp-proxy-no-inspection)

Related Commands
clear opdata framedrop: Clear dropped frame records.
show opdata flowdrop: Displays information about dropped flows (connections).
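Because the table above repeatedly says a counter matters when it is "rapidly incrementing", the useful check is a delta between two captures rather than a single reading. The following Python script is an added example, not part of the Cisco documentation: it parses two constructed show opdata framedrop captures, reports which drop reasons grew and by how much, and attaches a condensed hint taken from the reason table (the hint wording, sample counts and thresholds are ours).

```python
"""Triage helper for 'show opdata framedrop' output.

Added example, not Cisco code: parse two captures of the command output taken
some time apart, compute how much each drop counter grew, and attach a
condensed hint from the drop-reason table.  SNAPSHOT_T0/T1 are constructed
sample captures, not output from a real device."""
import re
from typing import Dict, List, Tuple

# A counter line looks like: "Flow is being freed (flow-being-freed) 413"
_COUNTER_RE = re.compile(
    r"^(?P<name>.+?)\s+\((?P<tag>[A-Za-z0-9_-]+)\)\s+(?P<count>\d+)\s*$"
)

# Hints condensed from the reason table for a few tags (our wording, not Cisco's).
TRIAGE: Dict[str, str] = {
    "shunned": "expected: source matches the shun database, no action required",
    "intercept-unexpected": "TCP intercept anomaly; take client- and server-side captures",
    "inspect-rtcp-invalid-version": "RTCP source not RFC conformant; identify it, deny via ACL if needed",
    "inspect-srtp-validate-authtag-failed": "if persistent, SRTP packets are being tampered with",
    "rm-conn-limit": "check 'show resource usage' / 'show resource usage system' Denied counts",
    "rm-conn-rate-limit": "check 'show resource usage' / 'show resource usage system' Denied counts",
    "ips-request": "check syslogs and alerts on the IPS module",
    "fragment-reassembly-failed": "likely memory pressure; monitor with 'show blocks'",
    "l2_acl": "L2 ACL deny; in transparent mode an ethertype ACL may be needed",
    "mp-svc-bad-framing": "software error; report to Cisco TAC",
}

Counters = Dict[str, Tuple[str, int]]  # tag -> (human-readable name, count)

# Constructed sample captures (hypothetical counter values).
SNAPSHOT_T0 = """\
hostname>show opdata framedrop
Data Plane Drop Stats:
======================
Flow is being freed (flow-being-freed) 413
TCP failed 3 way handshake (tcp-3whs-failed) 1200
Packet shunned (shunned) 10
Intercept unexpected packet (intercept-unexpected) 2
Connection limit reached (conn-limit) 3
FP L2 rule drop (l2_acl) 900
"""

SNAPSHOT_T1 = """\
hostname>show opdata framedrop
Data Plane Drop Stats:
======================
Flow is being freed (flow-being-freed) 420
TCP failed 3 way handshake (tcp-3whs-failed) 1205
Packet shunned (shunned) 58
Intercept unexpected packet (intercept-unexpected) 2
Connection limit reached (conn-limit) 3
FP L2 rule drop (l2_acl) 12
RM connection limit reached (rm-conn-limit) 17
"""


def parse_framedrop(output: str) -> Counters:
    """Extract every counter line from 'show opdata framedrop' output.

    The prompt, the "Data Plane Drop Stats:" title and the ==== rule do not
    match the counter pattern and are skipped."""
    counters: Counters = {}
    for line in output.splitlines():
        match = _COUNTER_RE.match(line.strip())
        if match:
            counters[match["tag"]] = (match["name"], int(match["count"]))
    return counters


def rising_counters(before: Counters, after: Counters,
                    min_delta: int = 1) -> List[Tuple[str, str, int, str]]:
    """Return (tag, name, delta, hint) for counters that grew by >= min_delta.

    A tag missing from the earlier capture is treated as having been 0.  A
    counter that went down was cleared in between (clear opdata framedrop),
    so its whole new value counts as fresh drops.  Largest delta first."""
    rows = []
    for tag, (name, count) in after.items():
        prev = before.get(tag, (name, 0))[1]
        delta = count - prev if count >= prev else count
        if delta >= min_delta:
            rows.append((tag, name, delta, TRIAGE.get(tag, "see the drop-reason table")))
    rows.sort(key=lambda row: (-row[2], row[0]))
    return rows


if __name__ == "__main__":
    report = rising_counters(parse_framedrop(SNAPSHOT_T0),
                             parse_framedrop(SNAPSHOT_T1), min_delta=5)
    for tag, name, delta, hint in report:
        print(f"{delta:6d}  {name} ({tag}): {hint}")
```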

show opdata http

To view statistics about HTTP traffic-flow inspection, use the show opdata http commands.

show opdata http {summary | detail | snapshot | threat | pdts_poller | ips_http | ips_stream | ips_regex}

Syntax
summary: Show all flow statistics collected during HTTP Inspector processing; for example, total flows, denied flows, decrypted TLS (Transport Layer Security) flows, and so on. These are cumulative values since the process started, or was last reset.
detail: Show current values for certain HTTP Inspector counters, such as warnings, safe search, and DMA memory allocation.
snapshot: Show a snapshot of all current flows being inspected. Statistics displayed are:
  Flow ID: The flow identifier.
  Last segment timestamp: Date and time the last segment in the flow was processed.
  Direction of buffer: Direction of travel of the last segment processed, where C represents the client and S represents the server.
  Idle time (sec): The number of seconds since the last flow segment was processed.
  Buffered segments count: The number of pending segments buffered, with the address and the size of each buffered segment.
threat: Show Threat Protection-related information for the HTTP and TCP stream scanners. Each scanner provides a request and a response for both the header and body of a stream. Each returns information on scans sent and responses received.
pdts_poller: Show PDTS poller statistics from the HTTP Inspector.
ips_http: Show IPS HTTP information from the HTTP Inspector.
ips_stream: Show IPS stream information from the HTTP Inspector.
ips_regex: Show IPS information from the regular-expression engine.

Command Modes
You can use this command in the following contexts: ASA CX console or SSH session.

Release 9.2(1) - Modification: This command was introduced.

Usage Guidelines
Use the show opdata http commands to view a variety of HTTP traffic inspection statistics.

Example: Showing the HTTP Summary
The following is an example of show opdata http summary output.

hostname>show opdata http summary
Process HTTP Flow Summary:
============================
totalflow: 61
activeflows: 15
TLSFlow: 0
nontlsflow: 61
authrequiredflow: 0
deniedflow: 0
errorflow: 0
scanerror: 0
parseerror: 0
policyversioningerror: 0

Example: Showing HTTP Details
The following is an example of show opdata http detail output.

hostname>show opdata http detail
Process HTTP Flow Detail:
============================
warning_issued_count: 2
warning_block_count: 0
warning_accepted_count: 2
safe_search_rewrite_count: 0
safe_search_block_count: 0
safe_search_total_count: 0
dma_alloc_count: 0
dma_free_count: 0
dma_alloc_error: 0

Table 6: Show Opdata HTTP Detail Output
warning_issued_count: How many times a user was presented a warning end-user notification page, because the access attempt matched a warning policy.
warning_block_count: The number of flows denied due to an internal error in Monocle. Related to flows that match warning policies.
warning_accepted_count: How many times users accepted a warning and proceeded to the intended web site. Related to flows that match warning policies.
safe_search_rewrite_count: How many times search URLs were re-written to enforce safe search.

safe_search_block_count: How many times searches were blocked while enforcing safe search.
safe_search_total_count: The sum of safe search rewrite count and safe search block count.
dma_alloc_count: How many times DMA (Direct Memory Access) memory was allocated.
dma_free_count: How many times DMA memory was freed.
dma_alloc_error: How many times DMA memory could not be allocated due to internal errors.

Example: Showing the HTTP Snapshot
The following is an example of show opdata http snapshot output.

hostname>show opdata http snapshot
Process HTTP Flow Snapshot:
============================
Flow ID  Last segment timestamp  Direction of buffer  Idle time (sec)  Buffered segments count
Thu May 4 19:16: C->S
Thu May 4 19:16: S->C
Thu May 4 19:16: C->S
Thu May 4 19:16: C->S
Thu May 4 19:16: C->S
Thu May 4 19:16: C->S
Thu May 23 18:49: C->S 9 2
    Segment Address [0x0] Segment Size [1]
    Segment Address [0x0] Segment Size [1]
Thu May 23 18:49: C->S
Thu May 23 18:49: C->S 28 1
    Segment Address [0x0] Segment Size [1]
Thu May 23 18:49: C->S
Thu May 4 19:16: C->S
Thu May 4 19:16: C->S
(Remaining output removed for publishing purposes)...

Example: Showing HTTP Threats
The following is an example of show opdata http threat output, where tp stands for threat protection.

Skipped refers to scan calls that were skipped because the IPS was not interested in the data. No session errors are cases where a result was returned after the session was freed. Search errors are errors within the IPS search functionality. Submission errors indicate a failure to submit scans (for example, jobs are being submitted too rapidly for the regex engine). Bypassed means there was an internal IPS error and the IPS is bypassing that flow. Poll count is the number of times the scanners were polled and data was returned. Result errors indicate general errors in the results.

hostname>show opdata threat
Process Monocle Flow Threat:
============================
tp_http_request_header_scans_sent: 0
tp_http_request_header_scans_recv: 0
tp_http_request_header_scans_nosessionerrors: 0
tp_http_request_header_scans_submissionerrors: 0
tp_http_request_header_scans_searcherrors: 0
tp_http_request_header_scans_skipped: 0
tp_http_response_header_scans_sent: 0
tp_http_response_header_scans_recv: 0
tp_http_response_header_scans_nosessionerrors: 0
tp_http_response_header_scans_submissionerrors: 0
tp_http_response_header_scans_searcherrors: 0
tp_http_response_header_scans_bypassed: 0
tp_http_response_header_scans_skipped: 0
... (Intervening lines removed for publishing purposes)...
tp_tcp_req_header_scans_sent: 0
tp_tcp_req_header_scans_recv: 0
tp_tcp_req_header_scans_nosessionerrors: 0
tp_tcp_req_header_scans_submissionerrors: 0
tp_tcp_req_header_scans_searcherrors: 0
tp_tcp_req_header_scans_bypassed: 0
tp_tcp_req_header_scans_skipped: 0
tp_tcp_req_body_scans_sent: 0
tp_tcp_req_body_scans_recv: 0
tp_tcp_req_body_scans_nosessionerrors: 0
tp_tcp_req_body_scans_submissionerrors: 0
tp_tcp_req_body_scans_searcherrors: 0
tp_tcp_req_body_scans_bypassed: 0
tp_tcp_req_body_scans_skipped: 0
... (Intervening lines removed for publishing purposes)...
tp_poll_count: 0
tp_result_errors: 0

Example: Showing IPS HTTP and IPS Stream
The following is an example of show opdata http ips_http output.

hostname>show opdata http ips_http
Process 5710 Monocle HTTP Intrusion Protection:
============================
HTTP request header submissions [0]
HTTP request header callbacks [0]
HTTP request header bypassed [0]
... (Intervening lines removed for publishing purposes)...
HTTP response body submissions [0]
HTTP response body callbacks [0]
HTTP response body bypassed [0]
HTTP opened transactions [0]
HTTP closed transactions [0]
HTTP poll calls [0]

For both show opdata http ips_http and show opdata http ips_stream, submissions are scan calls, callbacks represent results for a submission, and bypassed can happen for a number of reasons, such as the IPS not being interested in the traffic, or errors in the flow.

The following is an example of show opdata http ips_stream output.

hostname>show opdata http ips_stream
Process HTTP Flow Detail:
============================
Stream TCP submissions [0]
Stream TCP callbacks [0]
Submissions TO_SERVER [0]
Submissions FROM_SERVER [0]
Submissions UNKNOWN_DIRECTION [0]
Submissions bypassed [0]
Results complete [0]
TCP opened connections [0]
TCP closed connections [0]
TCP poll calls [0]

Example: Showing HTTP IPS Regex

The following is an example of show opdata http ips_regex output.

hostname>show opdata http ips_regex
Process Intrusion Protection REGEX:
============================
info: "Search_document =
Search_stream =
Searches_with_match =
Total_pattern_matches =
Client_process_results =
Poll_loop_called =
Client_polls =
Init_search_request =
Free_search_request =
Init Scanner = 2
Free Scanner = 0
Free_results =
Search_virtual_addr = 0
Search_physical_addr =
Init_doc_context =
Free_doc_context =
Init_stream_context =
Free_stream_context =
Search_document_error = 0
Search_stream_error = 0
Start_condition_errors = 0
Search_error_result_buf = 0
Init_doc_context_error = 0
Init_stream_context_error = 0
SLM_enabled_patterns = 0
SLM_fallback_patterns = 0
"
Process Intrusion Protection REGEX:
============================
info: "Search_document =
Search_stream =
Searches_with_match =
Total_pattern_matches =
Client_process_results =
Poll_loop_called =
Client_polls =
Init_search_request =
Free_search_request =
Init Scanner = 2
Free Scanner = 0
Free_results =
Search_virtual_addr = 0
Search_physical_addr =
Init_doc_context =
Free_doc_context =
Init_stream_context =
Free_stream_context =
Search_document_error = 0
Search_stream_error = 0
Start_condition_errors = 0
Search_error_result_buf = 0
Init_doc_context_error = 0
Init_stream_context_error = 0
SLM_enabled_patterns = 0
SLM_fallback_patterns = 0
"
... (Intervening lines removed for publishing purposes)...
Process Intrusion Protection REGEX:
============================
info: "Search_document =
Search_stream =
Searches_with_match =
Total_pattern_matches =
Client_process_results =
Poll_loop_called =
Client_polls =
Init_search_request =
Free_search_request =
Init Scanner = 2
Free Scanner = 0
Free_results =
Search_virtual_addr = 0
Search_physical_addr =
Init_doc_context =
Free_doc_context =
Init_stream_context =
Free_stream_context =
Search_document_error = 0
Search_stream_error = 0
Start_condition_errors = 0
Search_error_result_buf = 0
Init_doc_context_error = 0
Init_stream_context_error = 0
SLM_enabled_patterns = 0
SLM_fallback_patterns = 0
"

Related Commands

clear opdata http
    Clear HTTP statistics.

show opdata hwregex

To view statistics about HTTP flow scans performed by the hardware-based regex engine, use the show opdata hwregex command.

show opdata hwregex

Syntax

This command has no arguments or keywords.

Command Default

No default behavior or values.

Command Modes

You can use this command in the following contexts: ASA CX console or SSH session.

Command History

Release   Modification
9.2(1)    This command was introduced.

Usage Guidelines

The output of this command is copious; it is intended for use when diagnosing system issues.

Examples

The following is an example of show opdata hwregex output.

hostname>show opdata hwregex
Process HW Regex Summary:
============================
[Velocity]
Velocity version = release
Velocity library version = release
[Hardware]
Number of agents = 20 (Regex: 0, Longreach: 20)
Number of regex engines = 60
Number of boards = 2
Number of devices = 2
[Device 0]
Model = LCPX5110 (LCPX5110)
Serial Number = L
Memory Size (KB) =
Host Direct Memory Size (KB) = 0
Board Temperature (C) = 0
CPC Temperature (C) = 61
CPE0 Temperature (C) = 63
CPE1 Temperature (C) = 15
Number of devices = 2
[Device 1]
Model = LCPX5110 (LCPX5110)
Serial Number = SL
Memory Size (KB) =
Host Direct Memory Size (KB) = 0
Board Temperature (C) = 0
CPC Temperature (C) = 53
CPE0 Temperature (C) =
CPE1 Temperature (C) = 15
[Driver]
Version =
In VM = No
System Memory size (KB) =
Submitted jobs =
Completed jobs =
Submitted bytes =
Completed bytes =
[Global]
Current requests in hardware = 0
Current queued requests = 0
Current queued results = 0
Current contexts = 0
Current dead contexts = 0
Current small pool allocations = 0
Current medium pool allocations = 0
Current large pool allocations = 0
Current non-pooled allocations = 0
Peak requests in hardware = 4096
Peak queued requests = 3404
Peak queued results = 6132
Peak contexts = 8811
Peak dead contexts = 0
Peak small pool allocations = 0
Peak medium pool allocations = 0
Peak large pool allocations = 0
Peak non-pooled allocations = 0
Total queued requests =
Total queued results =
Total contexts =
Total dead contexts = 0
Total requests received =
Total requests aborted = 0
Total results sent =
Total unrecoverable search errors = 0
Total LCB allocation exceptions = 0
Total result buffer resize exceptions = 0
Total result buffer resize at offset 0 = 0
Total start condition errors = 0
Total memory alloc successful count =
Total memory alloc fail count = 0
Total memory free count =
Total rgxmalloc success count = 180
Total rgxmalloc fail count = 0
Total rgxfree count = 0
Total rgxallocatestream success count =
Total rgxallocatestream fail count = 0
Total rgxfreestream success count =
Total rgxfreestream fail count = 0
Number of velocity engines = 19
[Engine 0]
Current requests in hardware = 0
Current queued requests = 0
Current queued results = 0
Current contexts = 0
Current dead contexts = 0
Peak requests in hardware = 2059
Peak queued requests = 1161
Peak queued results = 2400
Peak contexts = 487
Peak dead contexts = 0
Total queued requests = 3671
Total queued results =
Total contexts =
Total dead contexts = 0
Total requests received =
Total requests aborted = 0
Total results sent =
Number of velocity scanners = 2
[Scanner 0]
Current requests in hardware = 0
Current queued requests = 0
Current queued results = 0
Current held requests = 0
Current recovered requests = 0
Current contexts = 0
Current dead contexts = 0
Peak requests in hardware = 2059
Peak queued requests = 1161
Peak queued results = 2400
Peak held requests = 0
Peak recovered requests = 0
Peak contexts = 487
Peak dead contexts = 0
Total queued requests = 3671
Total queued results =
Total contexts =
Total dead contexts = 0
Total requests received =
Total requests aborted = 0
Total results sent =
[Scanner 1]
Current requests in hardware = 0
Current queued requests = 0
Current queued results = 0
Current held requests = 0
Current recovered requests = 0
Current contexts = 0
Current dead contexts = 0
Peak requests in hardware = 0
Peak queued requests = 0
Peak queued results = 0
Peak held requests = 0
Peak recovered requests = 0
Peak contexts = 0
Peak dead contexts = 0
Total queued requests = 0
Total queued results = 0
Total contexts = 0
Total dead contexts = 0
Total requests received = 0
Total requests aborted = 0
Total results sent = 0
[Engine 1]
Current requests in hardware = 0
Current queued requests = 0
Current queued results = 0
Current contexts = 0
Current dead contexts = 0
Peak requests in hardware = 3220
Peak queued requests = 3220
Peak queued results = 3220
Peak contexts = 565
Peak dead contexts = 0
Total queued requests = 4216
Total queued results =
Total contexts =
Total dead contexts = 0
Total requests received =
Total requests aborted = 0
Total results sent =
Number of velocity scanners = 2
[Scanner 0]
Current requests in hardware = 0
Current queued requests = 0
Current queued results = 0
Current held requests = 0
Current recovered requests = 0
Current contexts = 0
Current dead contexts = 0
Peak requests in hardware =
Peak queued requests = 3220
Peak queued results = 3220
Peak held requests = 0
Peak recovered requests = 0
Peak contexts = 565
Peak dead contexts = 0
Total queued requests = 4216
Total queued results =
Total contexts =
Total dead contexts = 0
Total requests received =
Total requests aborted = 0
Total results sent =
[Scanner 1]
Current requests in hardware = 0
Current queued requests = 0
Current queued results = 0
Current held requests = 0
Current recovered requests = 0
Current contexts = 0
Current dead contexts = 0
Peak requests in hardware = 0
Peak queued requests = 0
Peak queued results = 0
Peak held requests = 0
Peak recovered requests = 0
Peak contexts = 0
Peak dead contexts = 0
Total queued requests = 0
Total queued results = 0
Total contexts = 0
Total dead contexts = 0
Total requests received = 0
Total requests aborted = 0
Total results sent = 0
... (Intervening lines removed for publishing purposes)...
[Engine 18]
Current requests in hardware = 0
Current queued requests = 0
Current queued results = 0
Current contexts = 0
Current dead contexts = 0
Peak requests in hardware = 0
Peak queued requests = 0
Peak queued results = 0
Peak contexts = 0
Peak dead contexts = 0
Total queued requests = 0
Total queued results = 0
Total contexts = 0
Total dead contexts = 0
Total requests received = 0
Total requests aborted = 0
Total results sent = 0
Number of velocity scanners = 1
[Scanner 0]
Current requests in hardware = 0
Current queued requests = 0
Current queued results = 0
Current held requests = 0
Current recovered requests = 0
Current contexts = 0
Current dead contexts = 0
Peak requests in hardware = 0
Peak queued requests = 0
Peak queued results = 0
Peak held requests = 0
Peak recovered requests = 0
Peak contexts = 0
Peak dead contexts = 0
Total queued requests = 0
Total queued results = 0
Total contexts = 0
Total dead contexts = 0
Total requests received = 0
Total requests aborted = 0
Total results sent = 0
hostname>

show opdata interface

To view basic statistics for all data-plane interfaces, use the show opdata interface command.

show opdata interface [detail]

Syntax

detail
    Shows detailed interface-specific statistics. This detailed information is all the statistics displayed by the show opdata interface command, plus statistics for both the input (RX) and output (TX) queues.

Command Default

No default behavior or values.

Command Modes

You can use this command in the following contexts: ASA CX console or SSH session.

Command History

Release             Modification
CX Software 9.0(1)  This command was introduced.

Usage Guidelines

The following show opdata interface and show opdata interface detail information is displayed for each interface on the device. Note that these are data-plane NIC statistics, whereas show interface displays management interface and card-manager interface information.

Table 7: show opdata interface and show opdata interface detail Display Fields

Interface
    Type, slot and name. For example, GigabitEthernet1 (outside).

NIC Counters and NP Counters

packets input
    The number of packets received on this interface. This line also includes:
    bytes
        The number of bytes received on this interface.
    no buffer
        The number of failures from block allocations.

Received
    Information about broadcasts and packets received, specifically:
    broadcasts
        The number of broadcasts received.
    runts
        The number of packets that are discarded because they are smaller than the minimum packet size, which is 64 bytes. Runts are usually caused by collisions. They might also be caused by poor wiring and electrical interference.
    giants
        The number of packets that are discarded because they exceed the maximum packet size. For example, any Ethernet packet that is greater than 1518 bytes is considered a giant.

input errors
    The number of total input errors, including the types listed below. Other input-related errors can also cause the input error count to increase, and some datagrams might have more than one error; therefore, this sum might exceed the number of errors listed for these types.
    CRC
        The number of Cyclical Redundancy Check errors. When a station sends a frame, it appends a CRC to the end of the frame. This CRC is generated from an algorithm based on the data in the frame. If the frame is altered between the source and destination, the system notes that the CRC does not match. A high number of CRCs is usually the result of collisions or a station transmitting bad data.
    frame
        The number of frame errors. Bad frames include packets with an incorrect length or bad frame checksums. This error is usually the result of collisions or a malfunctioning Ethernet device.
    overrun
        The number of times that the device could not hand received data to a hardware buffer because the input rate exceeded the device's ability to handle the data.
    ignored
        This field is not used. The value is always zero.
    abort
        This field is not used. The value is always zero.

pause input/resume input
    The number of times input was paused on the interface, followed by the number of times input was resumed.

packets output
    The number of packets sent on this interface. Also on this line:
    bytes
        The number of bytes sent on this interface.
    underruns
        The number of times that the transmitter ran faster than the device could handle.

pause output/resume output
    The number of times output was paused on the interface, followed by the number of times output was resumed.

output errors
    The number of frames not transmitted because the configured maximum number of collisions was exceeded. This counter should only increment during heavy network traffic.
collisions
    The number of messages retransmitted due to an Ethernet collision (single and multiple collisions). This usually occurs on an overextended LAN (Ethernet or transceiver cable too long, more than two repeaters between stations, or too many cascaded multiport transceivers). A packet that collides is counted only once.
interface resets
    The number of times an interface has been reset. If an interface is unable to transmit for three seconds, the device resets the interface to restart transmission. During this interval, connection state is maintained. An interface reset can also happen when an interface is looped back or shut down.
late collisions
    The number of frames that were not transmitted because a collision occurred outside the normal collision window. A late collision is a collision that is detected late in the transmission of the packet. Normally, these should not happen. When two Ethernet hosts try to send information at the same time, they will collide early in the packet and both back off, or the second host should recognize that the first is transmitting and wait. With a late collision, another device is jumping in and trying to send a packet on the Ethernet while this device is only partially finished sending a packet. This device does not resend the packet, because it may have freed the buffers that held the first part of the packet. This is generally not a problem because networking protocols are designed to cope with collisions by resending packets. However, late collisions indicate that a problem exists in your network. Common problems are large repeated networks and Ethernet networks running beyond the specification.
deferred
    The number of frames that were deferred before transmission due to activity on the link.
input reset drops
    The number of packets dropped in the RX ring when a reset occurs.
output reset drops
    The number of packets dropped in the TX ring when a reset occurs.

The following statistics are appended to the show opdata interface output when you include the detail keyword.

RX Queue Stats
    The number of packets in the input queue, current and maximum. Also:
    hardware
        The number of packets in the hardware queue.
    software
        The number of packets in the software queue.
TX Queue Stats
    The number of packets in the output queue, current and maximum. Also:
    hardware
        The number of packets in the hardware queue.
    software
        The number of packets in the software queue.

Shared memory stats
    The Shared memory stats present the TX and RX stats for each interface buffer ring:
    Tx Queue Full
        The number of times the transmit queue of a particular ring became full, resulting in packet drops.
    Tx Out of Sync
        The number of times shared memory went out of sync. This is a system error.
    Tx No buffer
        The number of times packet drops occurred because there was no shared memory buffer available while writing.
    Tx Decode error
        Internal system error. Indicates invalid frame contents.

Examples

Here is an example of the show opdata interface detail output:

hostname>show opdata interface detail
Data Plane Interface Stats:
===========================
Interface: GigabitEthernet0 (inside)
===================================
NIC Counters:
    packets input, bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 pause input, 0 resume input
    packets output, bytes, 0 underruns
    0 pause output, 0 resume output
    0 output errors, 0 collisions, 0 interface resets
    0 late collisions, 0 deferred
    0 input reset drops, 0 output reset drops
NP Counters:
    packets input, bytes, 0 dropped, packets output, bytes
RX Queue Stats:
    RX[0]: packets input, bytes, Blocks free curr/low 2687/2493
    RX[1]: packets input, bytes, Blocks free curr/low 2687/2648
    RX[2]: packets input, bytes, Blocks free curr/low 2687/2648
    RX[3]: packets input, bytes, Blocks free curr/low 2687/2648
    RX[4]: packets input, bytes, Blocks free curr/low 2687/2656
    RX[5]: packets input, bytes, Blocks free curr/low 2687/2647
TX Queue Stats:
    TX[0]: packets input, bytes, Blocks free curr/low 2687/2466
    TX[1]: packets input, bytes, Blocks free curr/low 2687/2460
    TX[2]: packets input, bytes, Blocks free curr/low 2687/2465
    TX[3]: packets input, bytes, Blocks free curr/low 2687/2466
    TX[4]: packets input, bytes, Blocks free curr/low 2687/2467
    TX[5]: packets input, bytes, Blocks free curr/low 2687/2461
Shared memory stats:
    Tx Queue Full: 0
    Tx Out of Sync: 0
    Tx No buffer: 0
    Tx Decode error:
hostname>

Related Commands

clear opdata interface
    Clear data-plane interface statistics.
show interfaces
    Display system interface statistics.

show opdata pdts

To view current Packet Data Transport System (PDTS) running statistics, use the show opdata pdts command.

show opdata pdts {data-plane | tls | all | segment [assigned pdts ring name | address segment address] | statistics | summary}

Syntax

data-plane
    Show statistics for the PDTS data-plane ring producer; for example, the number of times data was added to a ring, data was read from a ring, a ring was full, and so on. Under normal conditions, you will see all read and write counters incrementing periodically. Excessive increments to the ring full counter may indicate issues with the communication between the services.
tls
    Show summary statistics for the transport layer security (TLS) ring producer; for example, the number of times data was added to a ring, data was read from a ring, a ring was full, and so on. Under normal conditions, you will see all read and write counters incrementing periodically. Excessive increments to the ring full counter may indicate issues with the communication between the services.
all
    Show summary statistics for all service ring producers.
segment
    Show segment information for each PDTS shared memory (SHM) ring. Segments are of differing sizes (0, 64, 512 ...) and the current available count for each size is shown per ring. Elem on ring is the number of outstanding segments in the ring which need to be read, and Pending segs is the number of outstanding segments in the ring which need to be cleared.
    You can also append the following keywords to the show opdata pdts segment command:
    assigned pdts ring name
        List allocated PDTS segments per PDTS shared memory region, where pdts ring name is the PDTS read-write-read-write (RWRW) region name, in the format pdts_rwrw_#_#_#_#. The RWRW region name can be obtained from the output of the show opdata pdts segment command.
    address segment address
        Show the PDTS segment header information at the given segment address, which is an address listed in the output of the show opdata pdts segment assigned pdts ring name command.
statistics
    Show statistics regarding use of each PDTS SHM ring. Some of these statistics indicate error conditions. For example, seg-alloc-failure is incremented when the producer fails to allocate a segment; ring-full indicates the PDTS ring is full and subsequent segments couldn't be added. Other counters are informational and will increment under normal operations; for example, ntfy-cbuf-empty.
summary
    Show all services registered to the PDTS manager, and the handles for each registration.

Command Modes

You can use this command in the following contexts: ASA CX console or SSH session.

Command History

Release               Modification
CX Software 9.1(1)    This command was introduced.
CX Software 9.2(1)    The following keywords were added: assigned pdts ring name, address segment address.
CX Software 9.2(1.2)  Additional fields were added to the statistics output.

Usage Guidelines

Use the show opdata pdts commands to view various packet transport and operational data, including service, client, peer, and shared-memory usage.

Example: Showing Segments

The following is an example of show opdata pdts segment output.

hostname>show opdata pdts segment
============================
output: "
Client: 0/ARP, Registered: 2
Client 0x7f18e : Producer Peers Data Plane Elem on Ring 0 Pending segs 0
SHM NAME: /pdts_rwrw_9_1_1_0
Seg size    current count
=============================

Example: Showing Assigned Segments

The following is an example of show opdata pdts segment assigned output. It indicates there are a total of three segments not free at this moment in pdts_rwrw_3_5_1_3. The corresponding ring producer and consumer can be obtained from the output of show opdata pdts summary or show opdata pdts segment.

hostname>show opdata pdts segment assigned pdts_rwrw_3_5_1_3
Shm Assigned Pdts Operational Data:
============================
Producer Client: Data Plane, instance: 0
Consumer Client: HTTP Engine, instance: 0
Seg Addr: 0x7f , Seg type: Data, location: Pending, session_id:
Seg Addr: 0x7f be8, Seg type: Data, location: Pending, session_id:
Seg Addr: 0x7f e68, Seg type: Data, location: Pending, session_id:

Example: Showing Segments by Address

The following is an example of show opdata pdts segment address output. It presents segment header values, including metadata or data segment lengths, and the session ID. In the flags field, Pending represents segments being processed by the inspector, on and off the ring.

hostname>show opdata pdts segment address 0x7f
Shm Address Pdts Operational Data:
============================
flags: Pending
peer ids:
raw data start: 0x7f b6
preamble data len: 0
raw data len: 0
meta data len: 117
session id:
session code: none
session flags: bypass-segment
session virtual context tag: 0
session load balance info:

Example: Showing the PDTS Summary

The following is an example of show opdata pdts summary output.

hostname>show opdata pdts summary
Service 0/ARP, Reged: 2
  Client Client 0x7f18e :
    Peer: Data Plane
    SHM NAME: /pdts_rwrw_9_1_1_0
Service 1/Data Plane, Reged: 35
  Client Client 0x7f18ef3a6910:
  Client Client 0x7f18ef385c80:
  Client Client 0x7f18ef364ff0:
  Client Client 0x7f18ef344360:
  Client Client 0x7f18ef3236d0:
  Client Client 0x7f18ef302a40:
  Client Client 0x7f18ef2e1db0:
  Client Client 0x7f18ef2c1120:
  Client Client 0x7f18ef2a0490:
  Client Client 0x7f18ef27f800:
  Client Client 0x7f18ef25eb70:
  Client Client 0x7f18ef21d250:
Service 2/Auth Daemon, Reged: 2
  Client Client 0x7f18e404f010:
    Peer: Data Plane
    SHM NAME: /pdts_rwrw_9_2_1_2
Service 3/HTTP Engine, Reged: 25
  Client Client 0x7f18e3f89010:
    Peer: Data Plane
    SHM NAME: /pdts_rwrw_9_8_1_3
    SHM NAME: /pdts_rwrw_11_8_1_3
    SHM NAME: /pdts_rwrw_12_8_1_3
    SHM NAME: /pdts_rwrw_13_8_1_3
    SHM NAME: /pdts_rwrw_14_8_1_3
    SHM NAME: /pdts_rwrw_15_8_1_3

    SHM NAME: /pdts_rwrw_16_8_1_3
    SHM NAME: /pdts_rwrw_17_8_1_3
    SHM NAME: /pdts_rwrw_18_8_1_3
    SHM NAME: /pdts_rwrw_19_8_1_3
    SHM NAME: /pdts_rwrw_20_8_1_3
    SHM NAME: /pdts_rwrw_21_8_1_3
==========================================

Example: Showing PDTS Statistics

The following is an example of show opdata pdts statistics output.

hostname>show opdata pdts statistics
==========================================
== PDTS SHM Stats /pdts_rwrw_4_7_1_4 ==
general-error : 0
invalid-prod-handle : 0
invalid-cons-handle : 0
no-consumer : 0
no-producer : 0
load-balance-failure : 0
buffer-empty-producer : 0
buffer-empty-consumer : 0
hiwater-limit : 0
ring-full : 0
ring-empty : 1199
ring-put : 125
ring-get : 125
seg-alloc-failure : 0
ntfy-cbuf-full : 0
ntfy-cbuf-empty :
ntfy-cbuf-write : 125
ntfy-cbuf-read : 125
ntfy-cbuf-buf-small : 0
prod-next-loc-search : 0
cons-next-loc-search : 0
ntfy-too-big : 0
shm-not-ready-for-prod : 0
shm-not-ready-for-cons : 0
producer-sent-event : 109
producer-skipped-event : 16
ring-threshold-exceeded : 0
meta-data-segments-written : 29
meta-data-segments-read : 29
metadata-segments-notified : 58
events-segments-written : 12
events-segments-read : 12
events-segments-notified : 12
data-segments-written : 84
data-segments-read : 84
data-segments-notified : 55
ntfy-action-continue : 113
ntfy-packet-consumed : 12
ntfy-ignore-flow : 0
ntfy-kill-flow : 0
ntfy-inform-drop : 0
ntfy-kill-flow-tcp-intercept : 0
ntfy-ignore-flow-no-aaacfg : 0
ntfy-send-pkt-kill-flow : 0
ntfy-pkt-kill-flow : 0
ntfy-restart : 0
ntfy-restart-ignore-flow : 0
ntfy-ack-pkg-no-fwd : 0
ntfy-shut-flow : 0
==========================================

Table 8: Show Opdata PDTS Statistics Output

general-error
    -1 indicates a general error.
invalid-prod-handle
    The number of times the PDTS handle for the producer was invalid.
invalid-cons-handle
    The number of times the PDTS handle for the consumer was invalid.
no-consumer
    There is not a consumer instance with the specified service ID.
no-producer
    There is not a producer instance with the specified service ID.
load-balance-failure
    The number of times the producer failed to apply the load balancing function.
buffer-empty-producer
    The number of times the shared memory buffer has not been allocated for the producer.
buffer-empty-consumer
    The number of times the shared memory buffer has not been allocated for the consumer.
hiwater-limit
    The number of times the descriptor ring reached the high water mark.
ring-full
    The number of times the descriptor ring was full.
ring-empty
    The number of times the descriptor ring was empty.
ring-put
    The number of put attempts to the descriptor ring.
ring-get
    The number of get attempts from the descriptor ring.
seg-alloc-failure
    The number of times the producer failed to allocate a free segment.
ntfy-cbuf-full
    The number of times the notify circular buffer was full.
ntfy-cbuf-empty
    The number of times the notify circular buffer was empty.
ntfy-cbuf-write
    The number of write attempts to the notify circular buffer.
ntfy-cbuf-read
    The number of read attempts from the notify circular buffer.
ntfy-cbuf-buf-small
    The number of times the input buffer size was too small to hold the data read.
prod-next-loc-search
    The number of times the producer failed to find the next shared memory package location.
cons-next-loc-search
    The number of times the consumer failed to find the next shared memory package location.
ntfy-too-big
    The number of times the notify message length exceeded the maximum.
shm-not-ready-for-prod
    The number of times the shared memory was not ready for read/write by the producer.
shm-not-ready-for-cons
    The number of times the shared memory was not ready for read/write by the consumer.
producer-sent-event
    The number of times the producer sent an event along with the packet segment.
producer-skipped-event
    The number of times the producer skipped sending an event with the packet segment.
ring-threshold-exceeded
    The number of times the PDTS ring high threshold has been exceeded.
meta-data-segments-written
    The number of meta data segments written in the PDTS ring by the producer.
meta-data-segments-read
    The number of meta data segments read by the consumer from the PDTS ring.
metadata-segments-notified
    The number of metadata segments notified by the consumer.
events-segments-written
    The number of event segments written by the producer in the PDTS ring.
events-segments-read
    The number of event segments read by the consumer from the PDTS ring.
events-segments-notified
    The number of event segments notified by the consumer.
data-segments-written
    The number of data segments written by the producer in the PDTS ring.
data-segments-read
    The number of data segments read by the consumer from the PDTS ring.
data-segments-notified
    The number of data segments notified by the consumer.
ntfy-action-continue
    The number of action continue notifications sent by the consumer.
ntfy-packet-consumed
    The number of action packet consumed notifications sent by the consumer.
ntfy-ignore-flow
    The number of action ignore flow notifications sent by the consumer.
ntfy-kill-flow
    The number of action kill flow notifications sent by the consumer.
ntfy-inform-drop
    The number of action inform drop notifications sent by the consumer.
ntfy-kill-flow-tcp-intercept
    The number of action kill flow tcp intercept notifications sent by the consumer.
ntfy-ignore-flow-no-aaacfg
    The number of action ignore flow no aaacfg notifications sent by the consumer.
ntfy-send-pkt-kill-flow
    The number of action send pkt kill flow notifications sent by the consumer.
ntfy-pkt-kill-flow
    The number of action pkt kill flow notifications sent by the consumer.
ntfy-restart
    The number of action restart notifications sent by the consumer.
ntfy-restart-ignore-flow
    The number of action restart ignore flow notifications sent by the consumer.
ntfy-ack-pkg-no-fwd
    The number of action ack pkg no fwd notifications sent by the consumer.
ntfy-shut-flow
    The number of action shut flow notifications sent by the consumer.

Related Commands

There are no related commands.
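The statistics keyword description and Table 8 separate counters that signal error conditions (seg-alloc-failure, ring-full, and the like) from informational ones that climb under normal load, and note that what matters is excessive increments over time. The following added example (not part of the Cisco reference, and not ASA CX code) is a small health check that parses two captures of show opdata pdts statistics, reports error counters that increased between them, and flags rings where the producer-side counters have pulled ahead of the consumer-side ones; the two captures are constructed samples modelled on the page's output.

```python
import re

# Counters that the show opdata pdts statistics reference describes as error
# conditions. Any increase between two captures deserves attention.
ERROR_COUNTERS = {
    "general-error", "invalid-prod-handle", "invalid-cons-handle",
    "no-consumer", "no-producer", "load-balance-failure",
    "buffer-empty-producer", "buffer-empty-consumer", "hiwater-limit",
    "ring-full", "seg-alloc-failure", "ntfy-cbuf-full", "ntfy-cbuf-buf-small",
    "prod-next-loc-search", "cons-next-loc-search", "ntfy-too-big",
    "shm-not-ready-for-prod", "shm-not-ready-for-cons",
    "ring-threshold-exceeded",
}

# Producer/consumer counter pairs that stay balanced on a healthy ring; a gap
# in the later capture means the consumer is not keeping up with the producer.
BALANCED_PAIRS = [
    ("ring-put", "ring-get"),
    ("meta-data-segments-written", "meta-data-segments-read"),
    ("events-segments-written", "events-segments-read"),
    ("data-segments-written", "data-segments-read"),
]

RING_HEADER = re.compile(r"^== PDTS SHM Stats (/pdts_rwrw_\S+) ==$")
COUNTER = re.compile(r"^([a-z0-9-]+)\s*:\s*(-?\d+)$")


def parse_pdts_statistics(text):
    """Parse show opdata pdts statistics output into {ring_name: {counter: value}}."""
    rings, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = RING_HEADER.match(line)
        if header:
            current = rings.setdefault(header.group(1), {})
            continue
        counter = COUNTER.match(line)
        if counter and current is not None:
            current[counter.group(1)] = int(counter.group(2))
    return rings


def ring_findings(name, before, after):
    """Return findings for one ring, comparing an earlier and a later capture."""
    findings = []
    for counter in sorted(ERROR_COUNTERS):
        delta = after.get(counter, 0) - before.get(counter, 0)
        if delta > 0:
            findings.append(f"{name}: {counter} increased by {delta}")
    for written, read in BALANCED_PAIRS:
        backlog = after.get(written, 0) - after.get(read, 0)
        if backlog > 0:
            findings.append(f"{name}: {written} leads {read} by {backlog}")
    return findings


def assess(before_text, after_text):
    """Compare two captures of show opdata pdts statistics and list problems."""
    before = parse_pdts_statistics(before_text)
    after = parse_pdts_statistics(after_text)
    findings = []
    for name in sorted(after):
        findings.extend(ring_findings(name, before.get(name, {}), after[name]))
    return findings


# Constructed sample captures, not real device output. The first mirrors the
# healthy ring in the reference; the second shows the same ring later with
# ring-full and seg-alloc-failure climbing and the consumer falling behind.
SNAPSHOT_BEFORE = """\
== PDTS SHM Stats /pdts_rwrw_4_7_1_4 ==
general-error : 0
ring-full : 0
ring-empty : 1199
ring-put : 125
ring-get : 125
seg-alloc-failure : 0
data-segments-written : 84
data-segments-read : 84
==========================================
"""

SNAPSHOT_AFTER = """\
== PDTS SHM Stats /pdts_rwrw_4_7_1_4 ==
general-error : 0
ring-full : 37
ring-empty : 1203
ring-put : 4180
ring-get : 4096
seg-alloc-failure : 2
data-segments-written : 3900
data-segments-read : 3816
==========================================
"""

if __name__ == "__main__":
    for finding in assess(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(finding)
```

The same two-capture comparison applies to the ring full counter that the data-plane and tls keyword descriptions single out; only the set of rings in each capture changes.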

show opdata policy

To view data-plane definitions and statistics for policy elements defined on this device, use the show opdata policy keyword command.

show opdata policy {dest | source | table | tags | rate-limit}

Syntax

dest
    (Optional) List destination IP addresses defined by policies on the device.
rate-limit
    (Optional) List per-policy rate limit statistics.
source
    (Optional) List source IP addresses defined by policies on the device.
table
    (Optional) List overall policy access and hit information.
tags
    (Optional) List available internal policy-tag definitions.

Command Default

No default behavior or values.

Command Modes

You can use this command in the following contexts: ASA CX console or SSH session.

Command History

Release             Modification
CX Software 9.0(1)  This command was introduced.
CX Software 9.2(1)  The rate-limit keyword was added.

Usage Guidelines

These commands present data-plane level listings of policy data, such as security tag definitions and hit statistics. This information is intended for use when troubleshooting an issue with Cisco TAC.

Examples

This section presents output samples for the various show opdata policy keyword commands.

The following is sample show opdata policy rate-limit output. BLT is bandwidth limiter traffic, with each BLT acting as a bucket. Each policy is assigned to a BLT (bucket), and all flows that match a given policy are limited by its bucket. Pdef is the caller address.

asacx> show opdata policy rate-limit
Data Plane Policy Rate Limiting Stats:
============================
Blt=0x7fb09005e8d0 id=920 Flow=0 Rcnt=1 Pdef=0x7fb09005e850
Caller=0x7cb764 0x7cc3e8 0x7cedab 0x78b0dc
Rate Limiter Configuration:
  Rate (bps)
  Burst (bps)              1500
  Max Packets In Queue     0
  Max Bytes In Queue       0
  Priority                 0
  Queue Type               0
  Blt Id                   920
  Flow Id                  0
Rate Limiter Statistics: 0x7fb09005eaa0
  Rate (bps)
  Burst (bps)
  Tx pkts                  0
  Tx bytes                 0
  Drop pkts                0
  Drop bytes               0
  Max Queue Length         0
  Current Queued Length    0
  Max Queued Length        0
  Max Queue Time (ns)
  Current Queue Time (ns)  0
  Replenish Time (ns)      10
  Bucket Size
  Last Empty Time (ns)
  Uptime (ns)

The following is sample show opdata policy tags output.

asacx> show opdata policy tags
Data Plane Policy Stats:
========================
output: "svc dpv table
Running policy version 1919 with bitmap-size 1026, 253 access rules, 2 authn rules
hits 0, uid 32, protocol 2, protocol_mask 0xff, protocol_subtype 0, protocol_subtype_mask 0 dscp 0, dscp_mask 0
hits 0, uid 33, protocol 6, protocol_mask 0xff, protocol_subtype 0, protocol_subtype_mask 0 dscp 0, dscp_mask 0 dport 7, dport_mask 0xffff
hits 0, uid 35, protocol 17, protocol_mask 0xff, protocol_subtype 0, protocol_subtype_mask 0 dscp 0, dscp_mask 0 dport 7, dport_mask 0xffff
hits 0, uid 36, protocol 6, protocol_mask 0xff, protocol_subtype 0, protocol_subtype_mask 0 dscp 0, dscp_mask 0 dport 9, dport_mask 0xffff
... (Intervening lines removed for publishing purposes)...
hits 0, uid 383, protocol 6, protocol_mask 0xff, protocol_subtype 0, protocol_subtype_mask 0 dscp 0, dscp_mask 0 dport 1521, dport_mask 0xffff
"
hostname>

The following is sample show opdata policy table output. The Time Range field indicates whether an access policy that is limited to a time range is currently active or inactive.

asacx> show opdata policy table
Data Plane Policy Stats:
============================
Policy table
Running policy version 24 with bitmap-size 38, 6 access rules, 2 authn rules
Domain: AUTHN
hits 0, uid 1, persisted_policy_id 1128, flags 0x3, decision NP_DPV_USE_IDENTITY_IF_AVAILABLE resolvable
key vector: Start:
mask vector: Start:
Domain: ACCESS
hits 0, uid 1, persisted_policy_id 1112, flags 0x15, decision NP_DPV_DENY resolvable
key vector: Start: 36
mask vector: Start: 36
Domain: ACCESS
hits 0, uid 2, persisted_policy_id 1098, flags 0xa4, decision NP_DPV_PERMIT
Time Range: Inactive
key vector: Start:
mask vector: Start:
Domain: ACCESS
hits 0, uid 3, persisted_policy_id 1117, flags 0x95, decision NP_DPV_DENY resolvable
Time Range: Inactive
key vector: Start:
mask vector: Start:
Domain: ACCESS
hits 0, uid 4, persisted_policy_id 1101, flags 0x84, decision NP_DPV_PERMIT
Time Range: Inactive
key vector: Start:
mask vector: Start:

The following is sample show opdata policy source output.

hostname> show opdata policy source
Data Plane Policy Stats:
========================
output: "src netobj ipv4 dpv table
Running policy version 1919 with bitmap-size 1026, 253 access rules, 2 authn rules
tmatch_hitcnt 0, objgrp_id 39, v4_ip , v4_mask ,
tmatch_hitcnt 0, objgrp_id 40, v4_ip , v4_mask ,
tmatch_hitcnt 0, objgrp_id 44, v4_ip , v4_mask ,
tmatch_hitcnt 0, objgrp_id 45, v4_ip , v4_mask ,
... (Intervening lines removed for publishing purposes)...
"
Data Plane Policy Stats:
========================
output: "src netobj ipv6 dpv table
Running policy version 1919 with bitmap-size 1026, 253 access rules, 2 authn rules
"

The following is sample show opdata policy dest output.

hostname> show opdata policy dest
Data Plane Policy Stats:
========================
output: "dst netobj ipv4 dpv table
Running policy version 1919 with bitmap-size 1026, 253 access rules, 2 authn rules
tmatch_hitcnt 0, objgrp_id 34, v4_ip , v4_mask ,
tmatch_hitcnt 0, objgrp_id 41, v4_ip , v4_mask ,
tmatch_hitcnt 0, objgrp_id 42, v4_ip , v4_mask ,
tmatch_hitcnt 0, objgrp_id 43, v4_ip , v4_mask ,
... (Intervening lines removed for publishing purposes)...
"
Data Plane Policy Stats:
========================
output: "dst netobj ipv6 dpv table
Running policy version 1919 with bitmap-size 1026, 253 access rules, 2 authn rules
"

Related Commands
Command                          Description
clear opdata policy rate-limit   Clears all rate-limit counter data.

show opdata routingtable

To display the routing table from the data plane, use the show opdata routingtable command.

show opdata routingtable

Syntax
This command has no arguments or keywords.

Command Default
No default behavior or values.

Command Modes
You can use this command in the following contexts:
  ASA CX console or SSH session.

Command History
Release               Modification
CX Software 9.0(1)    This command was introduced.

Usage Guidelines
The data plane routing table shows the following information for each route:
  Direction, in or out.
  IP address and mask.
  The name of the interface used in the route.
  The information can also include a gateway address (via).

Examples
The following example shows how to display the data plane routing table.

asacx> show opdata routingtable
Data Plane Routing Table:
============================
in                                                        inside
in                                                        outside
in  c0a8:100:c0a8:100:c0a8:100:c0a8:100  ffff:ff00::     inside
in  c0a8:100:c0a8:100:c0a8:100:c0a8:100  ffff:ff00::     inside
in  ::                                   ::              outside
out                                                       outside
out                                      via ,           outside
out ::  ::  via c0a8:201:c0a8:201:c0a8:201:c0a8:201,     outside
out                                                       inside
out                                      via ,           inside
out ::  ::  via c0a8:103:c0a8:103:c0a8:103:c0a8:103,     inside

Related Commands
Command       Description
show route    Shows the system's routing table.

show opdata summary

To view summary information from the data plane, use the show opdata summary command.

show opdata summary

Syntax
This command has no arguments or keywords.

Command Default
No default behavior or values.

Command Modes
You can use this command in the following contexts:
  ASA CX console or SSH session.

Command History
Release               Modification
CX Software 9.0(1)    This command was introduced.

Usage Guidelines
Use this command to view summary statistics for traffic in the data plane. The following information is displayed.

Field                       Description
active_connections          The number of currently active TCP and UDP connections being handled by the data plane.
total_packets_passed        Total number of packets passed by the device.
acl_deny_packets_dropped    Number of packets denied by an access-control rule and dropped.
total_flows_dropped         Total number of flows (connections) dropped by the device.
total_packets_dropped       Total number of packets dropped for any reason.

Examples
The following is an example of show opdata summary output.

hostname> show opdata summary
Data Plane Summary Data:
========================
active_connections:        5
total_packets_passed:
acl_deny_packets_dropped:  0
total_flows_dropped:       0
total_packets_dropped:     0

Related Commands
Command                Description
clear opdata summary   Clears data-plane summary statistics.

show opdata tls

To view statistics about TLS flow inspection, use the show opdata tls command with one of its keywords.

show opdata tls {threat | ips_stream | ips_regex | sessions_summary | sessions_details | tables | PDTS | status}

Syntax
threat             Show Next Generation IPS-related information for the TLS (Transport Layer Security) stream scanners. Each scanner provides a request and a response scanner for both the header and the body of a stream, and each reports the scans sent and the responses received.
ips_stream         Show IPS stream information from the TLS Inspector.
ips_regex          Show IPS regular-expression information from the TLS Inspector.
sessions_summary   Show basic information for TLS sessions.
sessions_details   Show detailed information for TLS sessions.
tables             Show information on the tables used by the TLS decryption engine: the number of certificates cached for quick access compared to the available cache size, the number of entries in the pass-through cache for allowed transactions, and the verdict map size.
PDTS               Show information about PDTS segments owned by the TLS decryption engine.
status             Show the status of the TLS decryption engine: whether hardware acceleration is enabled, whether the 3DES/AES K9 license is installed, whether threat defense (Next Generation IPS) is enabled, and whether decryption policies are enabled.

Command Default
No default behavior or values.

Command Modes
You can use this command in the following contexts:
  ASA CX console or SSH session.

Command History
Release                 Modification
CX Software 9.2(1)      This command was introduced.
CX Software 9.2(1.2)    The following keywords were added: sessions_summary, sessions_details, tables, PDTS, status.

Usage Guidelines
Use the show opdata tls commands to view a variety of TLS traffic inspection statistics.

Example 1: Show TLS Decryption Engine Status

The following example shows how to display the status of the TLS decryption engine. This output shows that decryption policies are enabled but that Next Generation IPS (threat defense) is disabled. Also note that the 3DES/AES K9 license is not installed, so the engine cannot decrypt sessions with sites that require strong ciphers. Your decryption policies should bypass such sites, or you should enable the decryption setting that bypasses decryption on handshake failures; otherwise those connections fail.

asacx> show opdata tls status
TLS Decryption Engine Status:
============================
Hardware acceleratation:  disabled
K9 license installed:     NO
Threat defense:           disabled
Decryption:               enabled

Example 2: Show TLS Session Data

The following example shows how to view summary and detailed information on TLS decryption engine sessions. The summary shows the total number of sessions under inspection, the number being decrypted, and the number awaiting a decryption decision. The count of sessions being decrypted is broken out between HTTPS and non-HTTPS sessions. The detailed listing includes the session ID, the IP address, port, and cipher for the source and the destination, and the matched destination hostname.

asacx> show opdata tls sessions_summary
Currently Active TLS Sessions Summary:
============================
TLS sessions under inspection:        22
  Sessions being decrypted:           21
    HTTPS sessions being decrypted:   13
    Non-HTTPS sessions being decrypted: 8
  Sessions pending decryption decision: 1

asacx> show opdata tls sessions_details
Currently Active TLS Sessions Details:
============================
Sessions Id   Source IP (Port) /Cipher          Destination IP (Port) /Cipher    Matched Hostname
              (62047) DHE-RSA-CAMELLIA256-SHA   ( 443) ECDHE-RSA-RC4-SHA         *.example.com
(...remaining output redacted...)

Related Commands
Command            Description
clear opdata tls   Clears TLS Inspector statistics.

show partitions

To view a listing of device-partition information, use the show partitions command.

show partitions

Syntax
This command has no arguments or keywords.

Command Default
No default behavior or values.

Command Modes
You can use this command in the following contexts:
  ASA CX console or SSH session.

Command History
Release               Modification
CX Software 9.0(1)    This command was introduced.

Usage Guidelines
Use the show partitions command to view a listing of the partition tables on the device's hard disk and embedded USB (eusb) flash drive. The listing includes disk geometry and cylinder and block sizes.

Examples
The following example shows output for the show partitions command. A + or - sign appended to a value indicates rounding up or down; the actual value is slightly more or less.

asacx> show partitions
Disk /dev/sda:  cylinders, 255 heads, 63 sectors/track
Units = cylinders of  bytes, blocks of 1024 bytes, counting from 0
   Device Boot Start   End   #cyls   #blocks   Id  System
/dev/sda                                           Linux
/dev/sda                                           Empty
/dev/sda                                           Empty
/dev/sda                                           Empty

Disk /dev/sdb:  cylinders, 255 heads, 63 sectors/track
Units = cylinders of  bytes, blocks of 1024 bytes, counting from 0
   Device Boot Start   End   #cyls   #blocks   Id  System
/dev/sdb                                           Linux
/dev/sdb                                           Empty
/dev/sdb                                           Empty
/dev/sdb                                           Empty

Disk /dev/sdc:  cylinders, 255 heads, 63 sectors/track
Units = cylinders of  bytes, blocks of 1024 bytes, counting from 0
   Device Boot Start   End   #cyls   #blocks   Id  System
/dev/sdc                                           Linux
/dev/sdc                                           Empty
/dev/sdc                                           Empty
/dev/sdc                                           Empty

Disk /dev/sdd:  cylinders, 255 heads, 63 sectors/track
Units = cylinders of  bytes, blocks of 1024 bytes, counting from 0
   Device Boot Start   End   #cyls   #blocks   Id  System
/dev/sdd                                           Linux
/dev/sdd                                           Empty
/dev/sdd                                           Empty
/dev/sdd                                           Empty

Disk /dev/sde: 1022 cylinders, 248 heads, 62 sectors/track
Units = cylinders of  bytes, blocks of 1024 bytes, counting from 0
   Device Boot Start   End   #cyls   #blocks   Id  System
/dev/sde1   *                                      Linux
/dev/sde                                           Linux
/dev/sde                                           Linux
/dev/sde                                           Linux

Related Commands
Command     Description
partition   Creates new partitions on the device's hard drive and eusb for storage of system files; overwrites any existing information.

show platform hardware

To view hardware-specific platform information that might help Cisco TAC troubleshoot a problem, use the show platform hardware command with one of its keywords.

show platform hardware {scsi | regex | info | dmidecode}

Syntax
scsi        Displays host information for all SCSI-attached devices, including host bus adapter number, bus address, and target ID.
regex       (CX only.) Displays regex accelerator hardware information.
info        Displays specific hardware-related information, such as motherboard serial number, product ID, and version number.
dmidecode   (PRSM only.) Displays the system's Desktop Management Interface (DMI) table. This information consists primarily of hardware component descriptions. (This table is sometimes referred to as the System Management BIOS, or SMBIOS, table.)

Command Modes
You can use this command in the following contexts:
  ASA CX console or SSH session.
  PRSM console or SSH session.

Command History
Release               Modification
CX Software 9.0(1)    This command was introduced.
PRSM 9.0(1)
CX Software 9.2(1)    The regex keyword was added.

Usage Guidelines
Use the show platform hardware commands to view SCSI-device and hardware-component information that may be useful when working with Cisco TAC to resolve hardware issues.

Examples
The following is sample output for the show platform hardware info command.

hostname> show platform hardware info
[platform_info]
udi desc = "ASA-5515"
pid = ASA-5515
controller_type_name = ASA-5515
controller type = 1879
vid = "V01 "
clei codes = "CMMHA00ARA"
udi desc = "ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC"
chassis mac addr = 50:3D:E5:E5:90:26
top assy p/n rev = " "
pcb 73 level pn =
mac addr_blk sz = 10
pcb sn = "FCH Q"
dig sign = 40C1
rma hist info = 00
hw rev = 1.0
pcb rev =
fw ver = 2.1(9)8
top 68 level pn =
mfg test info =
rma num =
new deviation num =
yeti ecid = "D "

Related Commands
Command                  Description
show platform software   Displays software-specific platform information.

show platform software

To view software-specific platform information that might help Cisco TAC troubleshoot a problem, use the show platform software command with one of its keywords.

show platform software {network | options | components | fstab | lv | pv | rpms | swap | utilization [detail] | grub | iptables}

Syntax
network       Displays current network settings, including whether IP forwarding and spoof protection are enabled.
options
components    Displays a list of installed software packages, according to the device operating system.
fstab         Displays the file-systems table, listing all available disks and partitions.
lv            Displays information about all active logical volumes, including size and path.
pv            Displays physical-volume information.
rpms          Displays a list of installed software packages, according to the RPM Package Manager (RPM).
swap          Displays virtual-memory and swap statistics.
utilization   Displays current system utilization information, including processor utilization, memory usage, and which processes are using the most CPU cycles. You can also append the following keyword:
              detail   (Optional) Displays the system utilization information with some thread details added.
grub          Displays GRand Unified Bootloader (GRUB) boot-up information for the device, including kernel partition, path, and file name.
iptables      Displays the IP packet filter rules (firewall rules) defined on the system, which control access to the management interface or port.

Command Modes
You can use this command in the following contexts:
  ASA CX console or SSH session.
  PRSM console or SSH session.

Command History
Release               Modification
CX Software 9.0(1)    This command was introduced.
PRSM 9.0(1)

Usage Guidelines
Use the show platform software commands to view system-related information that may be useful when working with Cisco TAC to resolve software issues and system bottlenecks.

Related Commands
Command                  Description
show platform hardware   Displays hardware-specific platform information.

show raid

To show device-by-device status information for an attached RAID array, including its current state, use the show raid command.

Note: This command applies to the Cisco ASA 5585-X CX Security Services Processor; it does not apply to the ASA CX software module. To view RAID status for the ASA CX software module, use the show raid command from the ASA command-line interface.

show raid

Syntax
This command has no arguments or keywords.

Command Default
No default behavior or values.

Command Modes
You can use this command in the following contexts:
  ASA CX console or SSH session.

Command History
Release               Modification
CX Software 9.0(1)    This command was introduced.

Usage Guidelines
RAID devices are virtual devices created from two or more actual block devices to provide data protection in the event of disk failure. You can view the current status of each device active in any attached RAID (redundant array of independent disks). Note that ASA CX automatically manages all disk drives, including those in attached RAID arrays.

For each individual RAID component, the information displayed is essentially its Superblock and includes array information, the amount of space available, and its state.

Note: On platforms with only one disk, the output indicates a two-disk RAID array with the second disk listed as removed. This is the normal output on such platforms.

Examples
The following example shows output for the show raid command. The output has been edited for brevity.

hostname> show raid
/dev/md0:
        Version : 0.90
  Creation Time : Tue Nov 15 14:09:
     Raid Level : raid1
     Array Size : (3.00 GiB 3.22 GB)
  Used Dev Size : (3.00 GiB 3.22 GB)
   Raid Devices : 2
  Total Devices : 2
Preferred Minor : 0
    Persistence : Superblock is persistent
    Update Time : Fri Mar 23 13:55:
          State : clean
 Active Devices : 2
Working Devices : 2
 Failed Devices : 0
  Spare Devices : 0
           UUID : 56a43ec8:b06323c5:bfbc7f69:238aba8a
         Events : 0.4

    Number   Major   Minor   RaidDevice State
                                        active sync   /dev/sdb
                                        active sync   /dev/sdd1
/dev/md1:
        Version : 0.90
  Creation Time : Tue Nov 15 14:09:
     Raid Level : raid1
     Array Size : (3.00 GiB 3.22 GB)
  Used Dev Size : (3.00 GiB 3.22 GB)
   Raid Devices : 2
  Total Devices : 2
Preferred Minor : 1
    Persistence : Superblock is persistent
    Update Time : Thu Mar 8 13:26:
          State : clean
 Active Devices : 2
Working Devices : 2
 Failed Devices : 0
  Spare Devices : 0
           UUID : 21ea8606:f982d196:bfbc7f69:238aba8a
         Events : 0.8

    Number   Major   Minor   RaidDevice State
                                        active sync   /dev/sdb
                                        active sync   /dev/sdd2
... (Remaining output removed for publishing purposes)...

These output fields are explained in the following table.

Table 9: show raid Display Fields

Field              Description
identifier         Array component identifier; for example, /dev/md0.
Version            Format of the Superblock (RAID metadata):
                   0.90            Original format; this is the default. Arrays are limited to 28 devices of up to two terabytes each.
                   1.0, 1.1, 1.2   Newer format versions with fewer restrictions. Each 1.n version stores the Superblock at a different location on the devices.
Creation Time      Date and time when this component was configured.
Raid Level         Data-storage scheme used by this array: RAID 0, RAID 1, RAID 5, RAID 6, or RAID 10. RAID 1 is a mirroring scheme.
Array Size         Total storage space available across all component devices, in bytes (as well as gibibytes and gigabytes).
Used Dev Size      Amount of storage space contributed to the total by each device, in bytes (as well as gibibytes and gigabytes). This is determined by the smallest device or partition; there may be unused space on larger devices.
Raid Devices       The total number of member devices in the complete array, including spare, missing, and failed devices.
Total Devices      The number of functional devices available.
Preferred Minor    For auto-assembled devices, the preferred Minor number (specific device identifier) for this RAID component. For example, with /dev/md1 the minor number is 1.
Persistence        A persistent Superblock (the default when an array is created) means the Superblock is written to a specific location on all component devices of the array. The RAID configuration can then be read directly from the disks involved.
Update Time        The time at which the array status last changed. Status changes include activation, failure, and so on.
State              The current state of the array; possible states include:
                   active   Fully operational; input/output and resynchronization can be underway.
                   clean    Active; no pending writes.
                   dirty    Active; writes underway.
Active Devices     The number of currently functioning devices in the array; does not include spare devices.
Working Devices    The total number of operational (non-failed) devices in the array; that is, active devices plus spare devices.
Failed Devices     The number of failed devices in the array.
Spare Devices      The number of spare devices currently assigned to the array.
UUID               The 128-bit hexadecimal universally unique identifier (UUID) stored in the array's Superblock; randomly generated, and used to uniquely tag a RAID. All component devices share this ID.
Events             Event counter for the array; incremented whenever the Superblock is updated.
component-disk     Linux identifies all block devices with two numbers, the Major and the Minor. The Major number usually corresponds to the device type, while the Minor number identifies a specific device in that group. For example, Major 8 indicates a SCSI disk. Each component of the RAID device is listed here.
information

Related Commands
Command           Description
show partitions   Displays a listing of device-partition information.
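The following Python script is an added example; it is not code from this reference or from Cisco. It parses show raid output captured from a console or SSH session (the mdadm-style layout shown above) and applies the health checks the field descriptions imply: failed or faulty members, fewer active devices than the array needs, and an unexpected State. The single_disk flag tolerates the one removed member that the note above says is normal on single-disk platforms. The sample output embedded in the script is constructed for the example; its sizes, minor numbers and member devices are not from a real device.

```python
"""Parse `show raid` output (mdadm --detail style) and flag arrays that need attention.
Added example: not part of the ASA CX command reference. Sample data is constructed."""
import re

ARRAY_RE = re.compile(r"^(/dev/md\d+):\s*$")                                  # "/dev/md0:"
MEMBER_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+|-)\s+(.*\S)\s*$")   # member rows
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*)$")                       # "Name : value"


def parse_show_raid(text):
    """Return {array name: {"name", "fields": {...}, "members": [...]}}."""
    arrays, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ARRAY_RE.match(line)
        if m:
            current = {"name": m.group(1), "fields": {}, "members": []}
            arrays[m.group(1)] = current
            continue
        if current is None:
            continue
        m = MEMBER_RE.match(line)
        if m:  # trailing /dev/... is the member device; a 'removed' slot has none
            parts = m.group(5).split()
            device = parts.pop() if parts and parts[-1].startswith("/dev/") else None
            current["members"].append({"raid_device": m.group(4),
                                       "state": " ".join(parts), "device": device})
            continue
        m = FIELD_RE.match(line)
        if m:
            current["fields"][m.group(1)] = m.group(2).strip()
    return arrays


def check_array(arr, single_disk=False):
    """Return a list of findings; an empty list means the array looks healthy."""
    f, name = arr["fields"], arr["name"]
    raid_devs, active = int(f["Raid Devices"]), int(f["Active Devices"])
    failed = int(f.get("Failed Devices", "0"))
    faulty = [m["device"] for m in arr["members"] if "faulty" in m["state"]]
    missing = raid_devs - active
    tolerated = 1 if single_disk else 0   # one 'removed' member is normal on single-disk platforms
    state = f.get("State", "")
    findings = []
    if failed or faulty:
        findings.append(f"{name}: {failed} failed device(s); faulty members {faulty}")
    if missing > tolerated:
        findings.append(f"{name}: only {active} of {raid_devs} devices active (state '{state}')")
    elif state.split(",")[0].strip() not in ("clean", "active"):
        findings.append(f"{name}: unexpected state '{state}'")
    return findings


def report(text, single_disk=False):
    """Run check_array over every array in the captured output."""
    return {n: check_array(a, single_disk) for n, a in parse_show_raid(text).items()}


# Constructed sample (not from a real device): md0 healthy, md1 missing one member,
# md2 with a failed member.
SAMPLE = """\
/dev/md0:
        Version : 0.90
  Creation Time : Tue Nov 15 14:09:21 2011
     Raid Level : raid1
     Array Size : 3145664 (3.00 GiB 3.22 GB)
   Raid Devices : 2
  Total Devices : 2
          State : clean
 Active Devices : 2
Working Devices : 2
 Failed Devices : 0
  Spare Devices : 0
           UUID : 56a43ec8:b06323c5:bfbc7f69:238aba8a

    Number   Major   Minor   RaidDevice State
       0       8       17        0      active sync   /dev/sdb1
       1       8       49        1      active sync   /dev/sdd1
/dev/md1:
     Raid Level : raid1
   Raid Devices : 2
          State : clean, degraded
 Active Devices : 1
 Failed Devices : 0
    Number   Major   Minor   RaidDevice State
       0       8       18        0      active sync   /dev/sdb2
       1       0        0        1      removed
/dev/md2:
     Raid Level : raid1
   Raid Devices : 2
          State : clean, degraded
 Active Devices : 1
 Failed Devices : 1
    Number   Major   Minor   RaidDevice State
       0       8       19        0      active sync   /dev/sdb3
       2       8       51        -      faulty spare   /dev/sdd3
"""
```

Run report(SAMPLE) for a two-disk 5585-X CX and report(SAMPLE, single_disk=True) for a single-disk platform; only findings that survive the second call need attention on a single-disk system.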

show route through z commands

show route
show services status
show tech-support
show time
show version
support diagnostic
support fsck
support list
support set-property
support tail logs
support tunnel (9.3(3)+)
support tunnel (pre-9.3(3))
support validatedb
support view logs
system reload
system revert
system shutdown
system upgrade, system install
traceroute

show route

To view the routing table, including gateway information, use the show route command.

show route

Syntax
This command has no arguments or keywords.

Command Default
No default behavior or values.

Command Modes
You can use this command in the following contexts:
  ASA CX console or SSH session.
  PRSM console or SSH session.

Command History
Release               Modification
CX Software 9.0(1)    This command was introduced.
PRSM 9.0(1)

Usage Guidelines
Use the show route command to troubleshoot system routing problems.

Examples
The following example shows how to display the routing table.

hostname> show route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                                                U                       eth0
                                                UG                      eth0
Kernel IPv6 routing table
Destination     Next Hop        Flags Metric Ref    Use Iface
::1/128         ::              U                       lo
2001::124/128   ::              U                       lo
2001::/64       ::              U                       eth0
fe80::/64       ::              U                       eth0
ff00::/8        ::              U                       eth0
::/0            2001::124       UG                      eth0
hostname>

The fields are explained in the following table.

Table 10: Show Route Display Fields

Field         Description
Destination   The destination host or network.
Gateway       The gateway used for the destination host or network. An asterisk (*) indicates that no gateway is used.
Genmask       The network mask for this route.
Flags         The flags can include the following characters:
              U   The interface used by the route is up.
              G   The route uses a gateway.
              H   Only a single host is reachable through this route.
              D   The route was dynamically generated.
              M   The route was modified by an ICMP redirect message.
              !   The route is a reject route; datagrams are dropped.
Metric        The relative cost of the route.
Ref           The number of references to this route.
Use           The number of times the route has been used.
Iface         The interface to use with the route.

Related Commands
Command           Description
setup             Configures basic system settings, including DNS servers.
show interfaces   Shows the status of system interfaces.

184 show services status show route through z commands show services status To view the current status of system processes, use the show services status command. show services status [all] Syntax all Show all processes, even those intentionally disabled on the platform, plus the state information for each process. Command Default No default behavior or values. Command Modes You can use this command in the following contexts: ASA CX console or SSH session. PRSM console or SSH session. Command History Release CX Software 9.0(1) PRSM 9.0(1) CX Software 9.1(2) PRSM 9.1(2) Modification This command was introduced. The all keyword was introduced and the output format was changed to show the process state. Usage Guidelines Starting in release 9.1(2), you can use the show services status command to get a quick view of process status. The Up status for all listed processes should be True. The list of processes differs depending on the product; enabled processes only are listed. If the Up status is False, use the show services status all command to see the detailed state of the process. Compare the Enabled, State, and Up columns to identify problems: If the Enabled status is False, the process is intentionally down on this system because it is not needed. The State should be DISABLED, and the Up status should also be False. This is the expected status for intentionally disabled processes. Processes in this state are not shown unless you use the all keyword. If the Enabled status is True, the State should be RUNNING and the Up status should be True for the process to be operating normally. Any other combination represents either a temporary or a systematic problem. See the following table for an explanation of the possible states and recommendations on how to resolve problems. The status output also shows up time. The PID, or process ID number, is of interest to TAC only. 174 OL

185 show route through z commands show services status In systems running releases older than 9.1(2), for the system to function correctly, the Enabled and Up status for all processes must be True. If any of these values is False, and remains False for several minutes (which indicates that the system failed to restart the process on its own), use the services stop command to stop all processes, then the services start command to restart them. If restarting processes does not resolve the problem, use the system reload command to reboot the system. If problems continue, contact the Cisco Technical Assistance Center (TAC). Note Even if all processes are shown as healthy, your system might still be experiencing problems. If system behavior remains abnormal, reboot the system. Table 11: Process States State TRY_START WAIT_INIT START_WAIT_DEPEND RUNNING DISABLED The system is starting the process. If the process depends on other processes, the state goes to START_WAIT_DEPEND. For processes that do not depend on others, the next normal states are WAIT_INIT followed by RUNNING. The process is starting up but has not yet finished starting. The next normal state is RUNNING The process has not started yet and is waiting for processes on which it depends to start and be ready. The process is running normally. One of the following: If the Enabled status is False, this process is disabled on purpose. It is not needed on this platform. If the Enabled status is True, the system has repeatedly tried to restart the process without success. You should stop and then restart processes. If the problem persists, reboot the system. DOWN DOWN_FORCE_LATER DOWN_NO_FORCE DOWN_RESTART_LATER The process is not running because you intentionally stopped services. To restart services, use the services start command. The process is being brought down, but is not down yet. If the process does not stop within a set timeout period, the system will force it down. The next normal state is DOWN. 
The process is being brought down, but is not down yet. The system will wait for normal termination and will not force it down. The next normal state is DOWN. The system is in the process of bringing down the process with the intention of restarting it. The next normal state is DOWN_RESTART_WAIT. OL

186 show services status show route through z commands

State               Description
DOWN_RESTART_WAIT   The system is restarting the process and is waiting a short time before trying to start it again.
RESTART_TIMEOUT     The process has ended unexpectedly. The system will try to restart it. The next normal state is TRY_START. If you repeatedly see RESTART_TIMEOUT states, consider stopping all services and restarting them, or as a last resort, reboot the system.

Examples

The following example shows that the HTTP Inspector process is down. The full process table shows that the process is enabled, but its state is DISABLED, indicating that the system has repeatedly tried to restart the process and failed. Given this output, you should stop services, then restart them. If the problem persists, reboot the system. Note that in this example, the CXSC Client process is also DISABLED, but its Enabled status is False, so in this case the process is intentionally disabled and this status line is normal.

asacx> show services status
============================================================
Process             PID    Up     Up Time
============================================================
HTTP Server         2223   True   00:08:08
Capability Daemon   2411   True   00:07:58
Data Plane          2513   True   00:07:46
AD Interface        2527   True   00:07:45
PDTS                2348   True   00:08:07
Message Nameserver  2264   True   00:08:08
HTTP Auth Daemon    2373   True   00:08:06
Management Plane    2385   True   00:08:05
HTTP Inspector      NA     False  00:00:00
HPM Monitor         2518   True   00:07:46
Support Tunnel      2296   True   00:08:08
Updater             2422   True   00:07:58
Card Manager        2181   True   00:08:08
ARP Daemon          2368   True   00:08:06
Event Server        2404   True   00:07:58
TLS Proxy           2493   True   00:07:49
============================================================
asacx> show services status all
================================================================================
Process             PID    Enabled  State     Up     Up Time
================================================================================
HTTP Server         2223   True     RUNNING   True   00:08:16
Capability Daemon   2411   True     RUNNING   True   00:08:07
Data Plane          2513   True     RUNNING   True   00:07:54
AD Interface        2527   True     RUNNING   True   00:07:54
PDTS                2348   True     RUNNING   True   00:08:16
Message Nameserver  2264   True     RUNNING   True   00:08:16
HTTP Auth Daemon    2373   True     RUNNING   True   00:08:15
Management Plane    2385   True     RUNNING   True   00:08:13
CXSC Client         NA     False    DISABLED  False  00:00:00
HTTP Inspector      NA     True     DISABLED  False  00:00:00
HPM Monitor         2518   True     RUNNING   True   00:07:54
Support Tunnel      2296   True     RUNNING   True   00:08:16
Updater             2422   True     RUNNING   True   00:08:07
Card Manager        2181   True     RUNNING   True   00:08:17
ARP Daemon          2368   True     RUNNING   True   00:08:15
Event Server        2404   True     RUNNING   True   00:08:07
TLS Proxy           2493   True     RUNNING   True   00:07:57
================================================================================
asacx>

For releases older than 9.1(2), the following example shows how to display the status of ASA CX processes. This output indicates that the system processes are functioning normally.

hostname> show services status
============================================================
Process             PID  Enabled  Up    Up Time
============================================================
AD Interface             True     True  02:41:37
Message Nameserver       True     True  02:41:55
HTTP Auth Daemon         True     True  02:41:54
PDTS                     True     True  02:41:55
HTTP Inspector           True     True  02:41:43
HTTP Server              True     True  02:41:55
Data Plane               True     True  02:41:40
Management Plane         True     True  02:41:52
HPM Monitor              True     True  02:41:37
Updater                  True     True  02:41:48
Card Manager             True     True  02:41:39
ARP Daemon               True     True  02:41:54
Event Server             True     True  02:41:48
TLS Proxy                True     True  02:41:43
============================================================
hostname>

Related Commands

Command          Description
show diskusage   Shows the disks configured on the system.
show interfaces  Shows the status of system interfaces.
show netstat     Shows network statistics.
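The Enabled/State decision rule described above (Enabled=False with DISABLED is normal, Enabled=True with DISABLED means the restart attempts were exhausted) is easy to misread in a long table. The following Python checker is an added example, not part of this reference or of the ASA CX software: it parses captured "show services status all" output and applies that rule; the sample text is a shortened copy of the example table above, and the state names are the ones this reference lists.

```python
import re
from dataclasses import dataclass

# Shortened sample of "show services status all" output, built from the
# example in this reference (CXSC Client and HTTP Inspector are the two
# DISABLED rows the text contrasts).
SAMPLE_STATUS_ALL = """\
asacx> show services status all
================================================================================
Process             PID    Enabled  State     Up     Up Time
================================================================================
HTTP Server         2223   True     RUNNING   True   00:08:16
Data Plane          2513   True     RUNNING   True   00:07:54
CXSC Client         NA     False    DISABLED  False  00:00:00
HTTP Inspector      NA     True     DISABLED  False  00:00:00
TLS Proxy           2493   True     RUNNING   True   00:07:57
================================================================================
asacx>
"""

# One data row: a multi-word process name, then PID (number or NA), Enabled,
# State, Up and an hh:mm:ss uptime. The lazy name match lets the fixed
# trailing columns anchor the row; header, separator and prompt lines fail.
ROW_RE = re.compile(
    r"^(?P<name>\S.*?)\s+(?P<pid>\d+|NA)\s+(?P<enabled>True|False)\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<up>True|False)\s+(?P<uptime>\d\d:\d\d:\d\d)\s*$"
)

# States the reference describes as part of the normal restart cycle.
# Seeing one once is not a failure; RESTART_TIMEOUT repeating is.
TRANSIENT_STATES = {"DOWN", "DOWN_RESTART_WAIT", "RESTART_TIMEOUT", "TRY_START"}


@dataclass
class ServiceRow:
    name: str
    pid: str
    enabled: bool
    state: str
    up: bool
    uptime: str


def parse_status_all(text: str) -> list[ServiceRow]:
    """Extract the process rows from captured 'show services status all' text."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(ServiceRow(
                m["name"].strip(), m["pid"], m["enabled"] == "True",
                m["state"], m["up"] == "True", m["uptime"]))
    return rows


def classify(row: ServiceRow) -> str:
    """Apply the rule from the reference: Enabled=False is intentional;
    Enabled=True with DISABLED means restarts were exhausted; the
    restart-cycle states are transient."""
    if not row.enabled:
        return "intentionally-disabled"
    if row.state == "RUNNING" and row.up:
        return "healthy"
    if row.state == "DISABLED":
        return "failed"
    if row.state in TRANSIENT_STATES:
        return "restarting"
    return "unknown"


def health_report(text: str) -> dict[str, list[str]]:
    """Group process names by classification."""
    report: dict[str, list[str]] = {}
    for row in parse_status_all(text):
        report.setdefault(classify(row), []).append(row.name)
    return report


def recommended_action(report: dict[str, list[str]]) -> str:
    """Next step the reference gives for each outcome."""
    if report.get("failed"):
        return "stop and restart services; reboot if the problem persists"
    if report.get("restarting"):
        return "re-run show services status all; restart services if RESTART_TIMEOUT repeats"
    return "no action"


if __name__ == "__main__":
    rep = health_report(SAMPLE_STATUS_ALL)
    for status, names in sorted(rep.items()):
        print(f"{status:24s} {', '.join(names)}")
    print("action:", recommended_action(rep))
```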

show tech-support

To generate information for use by Cisco Technical Assistance Center (TAC) when working with them to resolve a problem, use the show tech-support command. Try to reproduce the problem immediately prior to using the command.

show tech-support

Syntax
This command has no arguments or keywords.

Command Default
No default behavior or values.

Command Modes
You can use this command in the following contexts:
    ASA CX console or SSH session.
    PRSM console or SSH session.

Command History
Release                          Modification
CX Software 9.0(1), PRSM 9.0(1)  This command was introduced.

Usage Guidelines
Use the show tech-support command to view diagnostic information when troubleshooting system problems. The displayed information is also placed in a file named tech_support_report.txt. This command is run automatically when you click the link to download logs from the web interface.

Examples
The following example shows how to display diagnostics for TAC.

hostname> show tech-support
...(diagnostic output removed for publishing purposes)...
hostname>

Related Commands
Command             Description
delete              Removes core dumps or packet captures.
support diagnostic  Creates and uploads diagnostic file for system logs, core dumps, and packet captures.
support list        Shows the files on the system.
support tail logs   Shows log file contents and leaves log open.
support view logs   Shows log file contents.

show time

To show the current date and time on the system, use the show time command.

show time

Syntax
This command has no arguments or keywords.

Command Default
No default behavior or values.

Command Modes
You can use this command in the following contexts:
    ASA CX console or SSH session.
    PRSM console or SSH session.

Command History
Release                          Modification
CX Software 9.0(1), PRSM 9.0(1)  This command was introduced.

Usage Guidelines
Use the config ntp, config timezone, or config time commands to configure the system time. The show time command displays the current time and date on the system.

Examples
The following example shows how to display the current date and time, which includes the time zone.

hostname> show time
Wed Aug 10 15:00:01 PDT 2011
hostname>

Related Commands
Command          Description
config ntp       Configures network time protocol (NTP) servers to set the time.
config time      Configures the local date and time.
config timezone  Configures the time zone.

show version

To show version information for the system, use the show version command.

show version

Syntax
This command has no arguments or keywords.

Command Default
No default behavior or values.

Command Modes
You can use this command in the following contexts:
    ASA CX console or SSH session.
    PRSM console or SSH session.

Command History
Release                          Modification
CX Software 9.0(1), PRSM 9.0(1)  This command was introduced.

Usage Guidelines
The show version command displays information about the software version running on the system. The information includes which product you are running.

Examples
The following example shows how to display the system version for ASA CX. The hostname is included.

asacx> show version
Cisco ASA CX Platform (12)
Cisco Prime Security Manager (12) for asacx firewall
asacx>

The following example shows how to display the system version for PRSM. Multi Device indicates that this platform can manage more than one device. The hostname is included.

prsm-vm> show version
Cisco Prime Security Manager (12) Multi Device
prsm-vm
prsm-vm>

Related Commands
Command  Description
setup    Configures basic system settings, including DNS servers.

support diagnostic

To create a diagnostic file containing system logs, core dumps, or packet captures, use the support diagnostic command. System logs and core dumps are for use by Cisco Technical Assistance Center (TAC) when working with them to resolve a problem.

support diagnostic

Syntax
This command has no arguments or keywords.

Command Default
No default behavior or values.

Command Modes
You can use this command in the following contexts:
    ASA CX console or SSH session.
    PRSM console or SSH session.

Command History
Release                          Modification
CX Software 9.0(1), PRSM 9.0(1)  This command was introduced.
CX Software 9.2(1), PRSM 9.2(1)  The option to create an advanced diagnostic file was added to the wizard.

Usage Guidelines
Use the support diagnostic command to create a ZIP file containing selected files and then upload the file to an FTP server. There are two main uses for this command:

    To create a diagnostic file containing system logs and core dumps for use in troubleshooting problems with the Cisco Technical Assistance Center (TAC). You can create a default diagnostic file, or you can pick the specific logs you want to include. Pick specific log files only if instructed to do so by Cisco Technical Support. Follow the command prompts to navigate the file system and select your files.

    To upload the packet captures you have configured for your analysis.

Tip: File names are case sensitive. For example, if you enter allow, it will not match a file named Allow.

The zip file name includes the date and time you created the file.

You are prompted for the URL of an FTP or RFC-2348-compliant TFTP server to which the ZIP file will be sent. If the server requires authentication, you are prompted for username and password. You must specify a URL during the command execution to get the file off the system. Because the file can be very large, upload to non-compliant TFTP servers might not complete correctly, and TFTP file upload is in general limited to 1 GB; FTP can take larger files.

This command is run automatically when you click the link to download logs from the web interface. Thus, if you need a default diagnostic file and you can log into the system through your browser, use those links instead of this command. You can find the Download Logs link on the page where you configure logging levels. For a managed CX, you can also log into the device and click the link to download logs that appears on the home page.

Example 1, Creating a Default Diagnostic File

The following example shows how to create the default diagnostic archive. This is the archive you would get if you clicked the Download Logs link in the web interface.

asacx> support diagnostic
======= Diagnostic =======
1. Create default diagnostic archive
2. Create diagnostic archive for advanced troubleshooting
3. Manually create diagnostic archive
Please enter your choice (Ctrl+C to exit): 1
Creating archive...
Enter upload url (FTP or TFTP) or [Ctrl+C] to exit
Example: ftp:// /uploads
> ftp:// /diagnostics
Uploading file cx_asacx_02_29_2012_09_12_08.zip [size: ]
You need to authenticate with the server to upload/download file
Username: ftpusername
Password: (typing not displayed)
Uploading file cx_asacx_02_29_2012_09_12_08.zip [size: ]
Uploading the file to /diagnostics on the remote server....
Successfully Uploaded ftp:// /diagnostics/cx_asacx_02_29_2012_09_12_08.zip
asacx>

Example 2, Uploading Packet Captures

The following example shows how to upload packet captures to an FTP server. After completing the upload, you can optionally use the delete command to delete the packet capture files.

asacx> support diagnostic
======= Diagnostic =======
1. Create default diagnostic archive
2. Create diagnostic archive for advanced troubleshooting
3. Manually create diagnostic archive
Please enter your choice (Ctrl+C to exit): 3
=== Manual Diagnostic ===
1. Add files and directories to package
2. View files in package
3. Upload package
Please enter your choice (Ctrl+C to exit): 1
=== Add files and directories to package Manual Diagnostic ===
1. Logs
2. Core dumps
3. Packet captures
4. Reporting data
5. Eventing data
6. Update data
b. Back to main menu
Please enter your choice (Ctrl+C to exit): 3
============================
Directory: /var/local 514 KB
files
 :37:  Allow All.pcap
 :52:  aspdrop.pcap
([b] to go back or [m] for the menu or [s] to select files to add)
Type a sub-dir name to see its contents: s
Type the partial name of the file to add ([*] for all, [<] to cancel) > allow
No file named 'allow'
Type the partial name of the file to add ([*] for all, [<] to cancel) > Allow
Allow All.pcap
Are you sure you want to add these files? (y/n) [Y]: y
=== Package Contents ===
[Added] Allow All.pcap
========================
============================
Directory: /var/local
files
 :37:  Allow All.pcap
 :52:  aspdrop.pcap
([b] to go back or [m] for the menu or [s] to select files to add)
Type a sub-dir name to see its contents: m
=== Manual Diagnostic ===
1. Add files to package
2. View files in package
3. Upload package
Please enter your choice (Ctrl+C to exit): 3
Creating archive
Enter upload url (FTP or TFTP) or [Ctrl+C] to exit
Example: ftp:// /uploads
> ftp:// /diagnostics
Uploading file cx_asacx_03_20_2012_19_12_15.zip [size: ]
You need to authenticate with the server to upload/download file
Username: ftpusername
Password: (typing not displayed)
Uploading file cx_asacx_03_20_2012_19_12_15.zip [size: ]
Uploading the file to /diagnostics on the remote server....
Successfully Uploaded ftp:// /diagnostics/cx_asacx_03_20_2012_19_12_15.zip
asacx>

Related Commands
Command            Description
delete             Removes core dumps or packet captures.
show tech-support  Shows diagnostic information for troubleshooting purposes.
support list       Shows the files on the system.
support tail logs  Shows log file contents and leaves log open.
support view logs  Shows log file contents.

support fsck

To check the status of the file systems when working with the Cisco Technical Assistance Center (TAC) to resolve a problem, use the support fsck command.

support fsck

Syntax
This command has no arguments or keywords.

Command Default
No default behavior or values.

Command Modes
You can use this command in the following contexts:
    ASA CX console or SSH session.
    PRSM console or SSH session.

Command History
Release                          Modification
CX Software 9.0(2), PRSM 9.0(2)  This command was introduced.

Usage Guidelines
The purpose of the support fsck command is to help the Cisco Technical Assistance Center (TAC) verify that the file system is not corrupted during troubleshooting. The command prompts you to select which file system to check. If the file system is mounted, services must first be stopped before the check; services are restarted after the check completes. Press Ctrl+C to exit the command and return to the command prompt.

Examples
The following example shows a file system check on an ASA CX. Notice that by selecting a file system that is parent to other file systems, both the parent and child file systems are checked. Otherwise, only the file system you select is checked.

asacx> support fsck
Partitions:
1. / (Inactive Root)
2. /var/config
3. /var/data
4. /var/data/cores
5. /var/data/diagnostics
6. /var/db
7. /var/local
8. /var/packages
Select Partition (1-8) or press Ctrl+C to exit: 3
Stopping services...
Unmounting /var/data/cores
Unmounting /var/data/diagnostics
Unmounting /var/data
Checking filesystem on /var/data
/dev/mapper/vg-data: clean, 52715/ files, / blocks
Mounting /var/data
Mounting /var/data/diagnostics
Mounting /var/data/cores
Starting services...
Partitions:
1. / (Inactive Root)
2. /var/config
3. /var/data
4. /var/data/cores
5. /var/data/diagnostics
6. /var/db
7. /var/local
8. /var/packages
Select Partition (1-8) or press Ctrl+C to exit: (Ctrl+C)
asacx>

Related Commands
Command             Description
show diskusage      Shows the disks configured on the system.
show raid           Shows RAID status.
support validatedb  Validates database referential integrity.

support list

To view a list of files on the system when working with the Cisco Technical Assistance Center (TAC) to resolve a problem, use the support list command.

support list

Syntax
This command has no arguments or keywords.

Command Default
No default behavior or values.

Command Modes
You can use this command in the following contexts:
    ASA CX console or SSH session.
    PRSM console or SSH session.

Command History
Release                          Modification
CX Software 9.0(1), PRSM 9.0(1)  This command was introduced.

Usage Guidelines
The purpose of the support list command is to help the Cisco Technical Assistance Center (TAC) verify that certain files are on the system to aid troubleshooting. The command prompts you to navigate through the system to view the file list. Use the following commands to navigate the wizard:
    Type in the directory name to view the contents of the directory.
    b to go up one level in the directory structure.
    Ctrl+C to exit the command and return to the command prompt.

Examples
The following example shows the initial view of the file list. You would type the name of a sub-directory to proceed, or Ctrl+C to return to the command prompt.

asacx> support list
============================
Directory: /
sub-dirs
(directory list removed for publishing purposes)
files
(file list removed for publishing purposes)...
([Ctrl+C] to exit)
Type a sub-dir name to list its contents:

Related Commands
Command             Description
support diagnostic  Creates and uploads diagnostic file for system logs, core dumps, and packet captures.
support tail logs   Shows log file contents and leaves log open.
support view logs   Shows log file contents.

support set-property

To enable optional support features when working with the Cisco Technical Assistance Center (TAC), use the support set-property command.

support set-property asa.be.tmp.files

Syntax
asa.be.tmp.files  Write debug files during ASA discovery and deployment.

Command Default
No optional features are enabled.

Command Modes
You can use this command in the following contexts:
    PRSM console or SSH session.

Command History
Release      Modification
PRSM 9.2(1)  This command was introduced.

Usage Guidelines
When working with the Cisco Technical Assistance Center (TAC) to resolve problems, they might ask you to use this command so that additional debugging information is generated.

Examples
Following is an example of enabling asa.be.tmp.files.

prsm-vm> support set-property asa.be.tmp.files
Status: Disabled.
Would you like to enable this property? Note that changing this property will require asa-be to be restarted. (y/n) [Y]: y
Please note that these files will need to be deleted manually.
Changing Property...
Restarting asa-be Process...
prsm-vm>

Related Commands
Command             Description
delete              Removes core dumps or packet captures.
show tech-support   Shows diagnostic information for troubleshooting purposes.
support diagnostic  Creates and uploads diagnostic file for system logs, core dumps, and packet captures.
support list        Shows the files on the system.
support view logs   Shows log file contents.

support tail logs

To open a system log to view messages as they are written when working with the Cisco Technical Assistance Center (TAC) to resolve a problem, use the support tail logs command.

support tail logs

Syntax
This command has no arguments or keywords.

Command Default
No default behavior or values.

Command Modes
You can use this command in the following contexts:
    ASA CX console or SSH session.
    PRSM console or SSH session.

Command History
Release                          Modification
CX Software 9.0(1), PRSM 9.0(1)  This command was introduced.
CX Software 9.1(1), PRSM 9.1(1)  The method for selecting files and navigating in the command was changed.

Usage Guidelines
The support tail logs command opens a system log and leaves it open so that you can view messages as they are created. Use this command while working with the Cisco Technical Assistance Center (TAC) so that they can help you interpret the output and select the appropriate log to view. The command presents a menu listing all available logs. Follow the command prompts to select the log. Press Ctrl+C to return to the command prompt when you are finished viewing the log.

Examples
The following example shows how to view the authentication log. To select the log, or to go into a subdirectory (listed at the top), you must first type s, then type the exact file name (including capitalization) at the prompt. Type b to go back up a level when traversing subdirectories. If the log is long, you will see a More line; press Enter to progress a line at a time, Space to go a page at a time. When you are finished viewing the log, press Ctrl+C to get back to the command prompt.

hostname> support tail logs
===Tail Logs===
============================
Directory: /var/log
sub-dirs
lost+found
cisco
lighttpd
files
 :01:       auth.log
 :48:       daemon.log
 :57:       kern.log
 :59:05  0  lpr.log
 :59:05  0  mail.err
 :59:05  0  mail.info
 :59:05  0  mail.log
 :59:05  0  mail.warn
 :04:       messages
 :59:05  0  news.crit
 :59:05  0  news.err
 :59:05  0  news.notice
 :59:05  0  syslog
 :04:       wtmp
([b] to go back or [s] to select a file to tail, [Ctrl+C] to exit)
Type a sub-dir name to list its contents: s
Type the name of the file to tail ([b] to go back, [Ctrl+C] to exit) > auth.log
Tailing /var/log/auth.log...
Sep 27 00:01:59 prsm-vm login[3436]: pam_unix(login:session): session opened for user admin by LOGIN(uid=0)
^C
hostname>

(Release 9.0 only.) The following example shows how to view the upgrade log. Note that you first select the Upgrade Logs category, which contains several types of logs; you then select the specific log. When you are finished viewing the log, press Ctrl+C to get back to the command prompt.

asacx> support tail logs
Press Ctrl+C to exit
Log Type
1. [Upgrade logs]
2. System messages logs
3. [Syslogs]
4. [Management plane logs]
5. [Eventing logs]
6. [Web server access logs]
7. Backup/Restore logs
8. [Updater logs]
9. CLI logs
10. [HTTP inspector logs]
11. [Data plane logs]
12. [TLS proxy logs]
13. [Monitord logs]
14. [HTTP authentication logs]
Enter the Log Type (1-14) or press Ctrl+C to exit: 1
Enter 0 to go back to the main menu
[Upgrade logs]
1. Upgrade Log
2. Commandd Log
3. STDOUT Commandd Log
Enter the Sub-log Type (1-3) or press Ctrl+C to exit: 1
...(Log output removed for publishing purposes)

Related Commands
Command             Description
delete              Removes core dumps or packet captures.
show tech-support   Shows diagnostic information for troubleshooting purposes.
support diagnostic  Creates and uploads diagnostic file for system logs, core dumps, and packet captures.
support list        Shows the files on the system.
support view logs   Shows log file contents.

support tunnel (9.3(3)+)

To establish an SSH connection with the Cisco Technical Assistance Center (TAC) to allow them access to your device when resolving a problem, use the support tunnel command.

support tunnel {enable | disable | status | info | resetkey}

Syntax
enable    Establish an SSH tunnel to Cisco TAC.
disable   End an existing SSH tunnel.
status    View current tunnel status, including whether the support tunnel service is running.
info      View the serial number and SSH key associated with the tunnel.
resetkey  Create a new SSH key for the tunnel.

Command Default
No default behavior or values.

Command Modes
You can use this command in the following contexts:
    ASA CX console or SSH session.
    PRSM console or SSH session.

Command History
Release                          Modification
CX Software 9.1(1), PRSM 9.1(1)  This command was introduced.
CX Software 9.1(2), PRSM 9.1(2)  The following keywords were introduced: stop, start, restart.
CX Software 9.3(3), PRSM 9.3(3)  The following keywords were introduced: info, resetkey. The following keywords were removed: stop, start, restart, extend.

Usage Guidelines
The support tunnel command opens and manages an SSH tunnel to the Cisco Technical Assistance Center (TAC). Open a tunnel at TAC's request only. The command negotiates a reverse SSH tunnel from a secure Cisco server so that TAC personnel can troubleshoot your situation directly.

The tunnel remains open for three days. You can break the tunnel at any time. Your device's serial number is used to ensure a unique connection, and you must provide the SSH key to the TAC representative to complete the connection. You can regenerate the SSH key.

Examples
The following example shows how to reset the SSH key, get tunnel information, and open and close the tunnel.

asacx> support tunnel resetkey
Are you sure you want to reset ssh-key? [N]> y
SSH-KEY: ssh-rsa AAAA... (remaining SSH key redacted)...
asacx> support tunnel info
S/N: (...serial number redacted...)
SSH-KEY: ssh-rsa AAAA... (remaining SSH key redacted)...
asacx> support tunnel status
Service access currently DISABLED.
Do you want to start the support tunnel now? [N]> y
Enter password: Cisco123
Do you want to set a nickname for the support tunnel (optional)? [N]> y
Enter nickname: Support Tunnel X
asacx> support tunnel status
Service access currently ENABLED (1 current service logins).
Service access will be automatically terminated in 71 hrs, 59 min and 41 sec
asacx> support tunnel disable
Are you sure you want to disable support tunnel? [N]> y
Disabling support tunnel...
Service access currently DISABLED.

The following example shows how to reset the SSH key when the tunnel is active. You will have to open a new tunnel.

asacx> support tunnel resetkey
Service access currently ENABLED.
Service access will be automatically terminated in 71 hrs, 59 min and 51 sec
Are you sure you want to disable the support tunnel in order to reset ssh key? [N]> y
Disabling support tunnel...
Service access currently DISABLED.
SSH-KEY: ssh-rsa AAAA... (remaining SSH key redacted)...

Related Commands
Command             Description
show tech-support   Shows diagnostic information for troubleshooting purposes.
support diagnostic  Creates and uploads diagnostic file for system logs, core dumps, and packet captures.
support list        Shows the files on the system.
support tail logs   Shows log file contents and leaves log open.
support view logs   Shows log file contents.
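Because the tunnel gives an outside party interactive access and stays up for three days unless you disable it, it is worth checking its state routinely rather than only during a case. The following Python is an added example, not part of this reference or of the product: it parses the "support tunnel status" lines shown above and raises findings; the sample transcripts are constructed from the example output, the 72-hour lifetime is the one this reference states, and the tac_case_open flag is an assumed input the operator supplies.

```python
import re

# Constructed from the "support tunnel status" output shown in this reference.
TUNNEL_STATUS_ENABLED = """\
asacx> support tunnel status
Service access currently ENABLED (1 current service logins).
Service access will be automatically terminated in 71 hrs, 59 min and 41 sec
asacx>
"""

TUNNEL_STATUS_DISABLED = """\
asacx> support tunnel status
Service access currently DISABLED.
asacx>
"""

# The reference states that the tunnel remains open for three days.
TUNNEL_LIFETIME_SEC = 3 * 24 * 3600

STATE_RE = re.compile(
    r"Service access currently (?P<state>ENABLED|DISABLED)"
    r"(?: \((?P<logins>\d+) current service logins?\))?"
)
REMAINING_RE = re.compile(
    r"terminated in (?P<h>\d+) hrs?, (?P<m>\d+) min and (?P<s>\d+) sec"
)


def parse_tunnel_status(text: str) -> dict:
    """Return enabled flag, active TAC logins, seconds left, and an estimate
    of how long the tunnel has been open (lifetime minus time left)."""
    result = {"enabled": False, "logins": 0,
              "seconds_remaining": None, "open_for_sec": None}
    m = STATE_RE.search(text)
    if m is None:
        raise ValueError("no 'Service access currently' line found")
    result["enabled"] = m["state"] == "ENABLED"
    if m["logins"]:
        result["logins"] = int(m["logins"])
    r = REMAINING_RE.search(text)
    if r:
        secs = int(r["h"]) * 3600 + int(r["m"]) * 60 + int(r["s"])
        result["seconds_remaining"] = secs
        result["open_for_sec"] = TUNNEL_LIFETIME_SEC - secs
    return result


def audit_tunnel(status: dict, tac_case_open: bool) -> list[str]:
    """Findings for an operator: the reference says to open a tunnel only at
    TAC's request, so an ENABLED tunnel with no open case is the main alert."""
    findings = []
    if status["enabled"] and not tac_case_open:
        findings.append("support tunnel ENABLED with no open TAC case; "
                        "run 'support tunnel disable'")
    if status["enabled"] and status["logins"] > 0:
        findings.append(f"{status['logins']} remote service login(s) currently active")
    remaining = status["seconds_remaining"]
    if status["enabled"] and remaining is not None and remaining < 3600:
        findings.append("tunnel expires within the hour; open a new one only if TAC still needs access")
    return findings


if __name__ == "__main__":
    for sample in (TUNNEL_STATUS_ENABLED, TUNNEL_STATUS_DISABLED):
        st = parse_tunnel_status(sample)
        print(st)
        for f in audit_tunnel(st, tac_case_open=False):
            print("  finding:", f)
```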

support tunnel (pre-9.3(3))

To establish an SSH connection with the Cisco Technical Assistance Center (TAC) to allow them access to your device when resolving a problem, use the support tunnel command.

support tunnel {enable | disable | status | extend | stop | start | restart}

Syntax
enable   Establish an SSH tunnel to Cisco TAC.
disable  End an existing SSH tunnel.
status   View current tunnel status, including whether the support tunnel service is running.
extend   Extend the period in which an existing tunnel is maintained.
stop     Stop the support tunnel service if it is running.
start    Start the support tunnel service if it is not running.
restart  Restart the support tunnel service.

Command Default
No default behavior or values.

Command Modes
You can use this command in the following contexts:
    ASA CX console or SSH session.
    PRSM console or SSH session.

Command History
Release                          Modification
CX Software 9.1(1), PRSM 9.1(1)  This command was introduced.
CX Software 9.1(2), PRSM 9.1(2)  The following keywords were introduced: stop, start, restart.

Usage Guidelines
The support tunnel command opens and manages an SSH tunnel to the Cisco Technical Assistance Center (TAC). Open a tunnel at TAC's request only. The command negotiates a reverse SSH tunnel from a secure Cisco server so that TAC personnel can troubleshoot your situation directly.

The initial tunnel remains open for three days. You can extend the time the tunnel is open, which Cisco TAC might request if necessary for continued problem resolution. You can break the tunnel at any time. Your device's serial number is used to ensure a unique connection, and a one-time password is generated that you must provide to the TAC representative to complete the connection.

Examples
The following example shows how to view status for an existing tunnel.

prsm-vm> support tunnel status
Checking whether Support Tunnel Daemon is running...
Support Tunnel Daemon is running.
Querying Support Tunnel status...
S/N (serial number redacted)
Service access currently ENABLED (1 current service logins).
Session Password: 14MDLIRY
Service access will be automatically terminated in 72 hours.

Related Commands
Command             Description
show tech-support   Shows diagnostic information for troubleshooting purposes.
support diagnostic  Creates and uploads diagnostic file for system logs, core dumps, and packet captures.
support list        Shows the files on the system.
support tail logs   Shows log file contents and leaves log open.
support view logs   Shows log file contents.

support validatedb

To validate database referential integrity, use the support validatedb command.

support validatedb

Syntax
This command has no arguments or keywords.

Command Default
No default behavior or values.

Command Modes
You can use this command in the following contexts:
    ASA CX console or SSH session.
    PRSM console or SSH session.

Command History
Release                          Modification
CX Software 9.0(1), PRSM 9.0(1)  This command was introduced.

Usage Guidelines
The Cisco Technical Assistance Center (TAC) might ask you to validate the database referential integrity when you are working with them to resolve a problem.

Examples
The following example shows that database referential integrity is good. Any other result requires a conversation with the Cisco Technical Assistance Center (TAC).

hostname> support validatedb
Starting the referential integrity check on committed objects...
Number of records in committed object's references table: 160
Number of records in committed blob object table: 319
Successfully completed referential integrity on committed records.
Starting the referential integrity check on user objects...
Total number of records in user reference object table: 0
Total number of records in pending object table: 0
Successfully completed referential integrity on user records.
Starting the non-cx objects uid validation check on committed, pending and historical objects...
Total no of non-cx model objects in ASA-CX: 356
Total no of non-cx objects in committed table: 319
Total no of non-cx objects in pending table: 0
Total no of non-cx objects in historical table: 923
Successfully completed uid validation on non-cx objects.
Successfully completed db validation
hostname>

Related Commands
There are no related commands.

213 show route through z commands support view logs support view logs To view system log contents when working with the Cisco Technical Assistance Center (TAC) to resolve a problem, use the support view logs command. support view logs Syntax This command has no arguments or keywords. Command Default No default behavior or values. Command Modes You can use this command in the following contexts: ASA CX console or SSH session. PRSM console or SSH session. Command History Release CX Software 9.0(1) PRSM 9.0(1) CX Software 9.1(1) PRSM 9.1(1) Modification This command was introduced. The method for selecting files and navigating in the command were changed. Usage Guidelines The support view logs command opens a system log. Use this command while working with the Cisco Technical Assistance Center (TAC) so that they can help you interpret the output and to select the appropriate log to view. The command presents a menu for selecting a log. Use the following commands to navigate the wizard: The method of selecting the log differs depending on your software release, as shown in the examples below. However, when you are prompted for a file name, you must type the complete name, and capitalization matters. The file list shows you the size of the log, which you might consider before opening very large logs. Press the space bar when you see --More-- to see the next page of log entries; press Enter to see just the next log entry. When you reach the end of the log, you are taken to the main menu. The --More-- line shows you the size of the log and how much of it you have viewed. Use Ctrl+C to close the log and exit the command if you do not want to page through the entire log. Type b to go up one level in the structure to the menu. If you want to leave the log open so you can see new messages as they are added, use the support tail logs command instead. OL

214 support view logs show route through z commands Examples The following example shows host to view the messages log. Note that you must type s to get to the prompt for entering the file name. hostname> support view logs ===View Logs=== ============================ Directory: /var/log sub-dirs lost+found cisco lighttpd files :01: auth.log :48: daemon.log :57: kern.log :59:05 0 lpr.log :59:05 0 mail.err :59:05 0 mail.info :59:05 0 mail.log :59:05 0 mail.warn :41: messages :59:05 0 news.crit :59:05 0 news.err :59:05 0 news.notice :59:05 0 syslog :04: wtmp ([b] to go back or [s] to select a file to view, [Ctrl+C] to exit) Type a sub-dir name to list its contents: s Type the name of the file to view ([b] to go back, [Ctrl+C] to exit) > messages Sep 26 23:59:05 prsm-vm syslogd 1.5.0: restart. Sep 26 23:59:09 prsm-vm sshd[2690]: Server listening on :: port (Log output removed for publishing purposes)... --More-- (13% of 9687 bytes) (Release 9.0 only.) The following example shows how to view the upgrade log. hostname> support view logs ===View Files=== 1. Cisco Logs 2. Generic Logs Please enter your choice ([Ctrl+C] to exit): 1 ============================ Directory: /var/log/cisco files (log list pruned for publishing purposes) :53: upgrade.log :27: upgrade_driver.log :43:52 0 view_files.log Type the name of the file to view ([b] to go back, [Ctrl+C] to exit) > upgrade.log...(log output removed for publishing purposes)... --More-- (0% of bytes) 204 OL

Related Commands
show tech-support: Shows diagnostic information for troubleshooting purposes.
support diagnostic: Creates and uploads a diagnostic file for system logs, core dumps, and packet captures.
support list: Shows the files on the system.
support tail logs: Shows log file contents and leaves the log open.

system reload

To reboot the system, use the system reload command.

system reload

Syntax
This command has no arguments or keywords.

Command Default
No default behavior or values.

Command Modes
You can use this command in the following contexts:
- ASA CX console or SSH session.
- PRSM console or SSH session.

Command History
CX Software 9.0(1), PRSM 9.0(1): This command was introduced.

Usage Guidelines
If the system is not functioning correctly, and stopping and restarting processes does not resolve the problem, try rebooting the system. Your console or SSH session is disconnected; you can reconnect after the reboot completes.

Examples
The following example shows how to reboot the system. If you are connected to the console, you see the boot messages and, after the reboot completes, the prompt to log in to the system.

  hostname> system reload
  Are you sure you want to reload the system? [N]: y
  Broadcast message from root (pts/0) (Mon May 14 23:07: ):
  The system is going down for reboot NOW!
  hostname>

Related Commands
services: Starts and stops system processes.
show services status: Shows the status of all system processes.
system shutdown: Shuts down the system.


system revert

To revert to the previously installed software package, use the system revert command.

system revert

Syntax
This command has no arguments or keywords.

Command Default
No default behavior or values.

Command Modes
You can use this command in the following contexts:
- ASA CX console or SSH session.
- PRSM console or SSH session.

Command History
CX Software 9.0(1), PRSM 9.0(1): This command was introduced.

Usage Guidelines
If you upgrade the system to a new package and encounter problems, or for other reasons want to return to the previously installed package, enter the system revert command to undo the upgrade. For revert to work, there must be a previously installed package to revert to. Keep the following points in mind before using this command:
- Once started, the revert process cannot be stopped.
- Any changes you made after installing the upgrade are lost when you revert to the previous package.
- You can revert to the previously installed package only. You cannot use the system revert command multiple times to go back more than one package.

Examples
The following example shows how to revert to a previously installed package.

  hostname> system revert
  Current Version:
  Previous Version:
  Revert requires reboot: No
  Warning: Revert will restore the backup of system configuration and policy data taken at the last upgrade.
  The system setup configuration will be preserved.
  You must revert to or install the same version on all ASA CX managed by this PRSM server or you will not be able to deploy configurations to those devices.
  Do you want to revert to version 9.0.2? [n]: y
  Warning: Please do not interrupt the process or turn off the system. Doing so might leave system in an unusable state.
  Revert completed successfully.
  Revert requires re-login, press Enter to exit from CLI...

Related Commands
config reset: Resets the database to factory defaults.
show services status: Shows the status of all system processes.
system reload: Reboots the system.
system upgrade: Installs an upgrade package.

system shutdown

To shut down the PRSM server or ASA CX hardware module completely, use the system shutdown command.

system shutdown

Syntax
This command has no arguments or keywords.

Command Default
No default behavior or values.

Command Modes
You can use this command in the following contexts:
- ASA CX console or SSH session.
- PRSM console or SSH session.

Command History
CX Software 9.0(1), PRSM 9.0(1): This command was introduced.

Usage Guidelines
The system shutdown command completely shuts down the system. Use it if you need to perform actions such as removing the ASA CX SSP.

Tip: This command works with a PRSM server or an ASA CX hardware module only; it does not permanently shut down an ASA CX software module. For an ASA CX software module, use the sw-module module cxsc shutdown command from the ASA CLI.

If you are troubleshooting a significant system problem, first try restarting processes using the services stop and services start commands, then try rebooting the system using the system reload command.

Examples
The following example shows how to shut down the system.

  hostname> system shutdown
  Are you sure you want to shut down the system? [N]: y
  Broadcast message from root (pts/0) (Mon May 14 23:14: ):
  The system is going down for system halt NOW!

Related Commands
services: Starts and stops system processes.
show services status: Shows the status of all system processes.
system reload: Reboots the system.

system upgrade, system install

To upgrade the system software, use the system upgrade command.

Note: In the CX Boot Image, the command is system install, but otherwise the commands are identical.

system upgrade [noconfirm] URL

Syntax
noconfirm: Install the package without first asking you to confirm the installation. After the package is downloaded and verified, it is installed immediately. This keyword allows a hands-free system upgrade.
URL: The URL of the upgrade package. You can use the following types of URL: ftp://

Command Default
No default behavior or values.

Command Modes
You can use this command in the following contexts:
- ASA CX console or SSH session.
- PRSM console or SSH session.

Command History
CX Software 9.0(1), PRSM 9.0(1): This command was introduced.
CX Software 9.1(1), PRSM 9.1(1): The noconfirm keyword was added.

Usage Guidelines
Before you can use the system upgrade command, you must download the upgrade package and place it on a server from which the system can download it. The server can require authentication; the system upgrade command prompts for credentials when the server requests them. Note, however, that when you use HTTPS the system does not verify the server certificate, so the transport gives you no assurance of the server's identity. Control the download server yourself and confirm the package's integrity before staging it, rather than relying on TLS.

Note: For FTP downloads, the system first tries ftp://anonymous:anonymous@anonymous.com@servername/filename. If the server does not accept this and requires credentials, you are prompted to supply a username and password.

During the download process, the upgrade package is first verified to ensure that it is a valid package before an installation is attempted.

As a general rule, the software version running on the PRSM Multiple Device mode server must be the same version that is running on all CX devices being managed by the server. Upgrade the PRSM server first, then the managed devices (starting in PRSM 9.1(1), this order is enforced if you use the web interface to apply upgrades). If the systems are running incompatible versions, you see Version Mismatch alerts in PRSM Multiple Device mode for the affected devices. While a version mismatch exists, PRSM cannot deploy changes to those devices, so plan on upgrading all systems within a short time window.

If you want to undo an upgrade, use the system revert command to go back to the previously installed package.

Note: If the upgrade process can tell that the newly installed package is not functioning correctly, the system automatically reverts to the previously installed package.

Examples
The following example applies the system upgrade package (prsm-sys pkg) from the upgrades.example.com web server. In this example the web server does not require authentication; you are prompted for a username and password if the server requires it.

  prsm-vm> system upgrade
  Verifying
  Downloading
  Extracting
  Package Detail : Cisco Prime Security Manager System Upgrade
  Requires reboot: Yes
  NOTE: You must upgrade all ASA CX managed by this PRSM server to same version or you will not be able to deploy configurations to those devices.
  Do you want to continue with upgrade? [y]: y
  Warning: Please do not interrupt the process or turn off the system. Doing so might leave system in unusable state.
  Upgrading
  Starting upgrade process...
  Extracting the upgrade image
  Updating the system and network configuration
  Reboot is required to complete the upgrade. Press Enter to reboot the system.
  (press Enter)
  Broadcast message from root (pts/0) (Tue May 15 22:50: ):

  The system is going down for reboot NOW!

Related Commands
show services status: Shows the status of all system processes.
system reload: Reboots the system.
system revert: Restores the previously installed package.
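Because the appliance does not verify the HTTPS server certificate when it fetches the package, the place to establish trust in the upgrade is on the administrator's side, before the package is staged on the download server. The following script is an added example written for this page, not Cisco's code or part of the ASA CX/PRSM software: it computes the SHA-256 digest of a downloaded package, compares it in constant time against the digest you obtained out of band, and only copies a matching file into the server's document root. The file name prsm-sys-example.pkg, the staging directory and the digests in the demo are constructed for illustration; substitute the digest published with the real package.

```python
"""Pre-staging integrity check for an ASA CX / PRSM upgrade package.

Added example, not Cisco's code. The appliance validates the package it
downloads but does not validate the HTTPS server certificate, so the
administrator should confirm the package digest out of band before placing
it on the download server. File names and digests here are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import shutil
import tempfile


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Return the hex SHA-256 of a file, reading it in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_package(path: str, expected_sha256: str) -> bool:
    """True if the package digest matches the expected value.

    The expected value is normalized (case, whitespace) and validated as
    64 hex characters; the comparison itself is constant-time.
    """
    expected = expected_sha256.strip().lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("expected digest is not 64 hex characters")
    return hmac.compare_digest(sha256_file(path), expected)


def stage_package(path: str, expected_sha256: str, staging_dir: str) -> str:
    """Copy a verified package into the web/FTP server's document root.

    Refuses to stage a package whose digest does not match, so a file
    tampered with between download and staging never becomes reachable
    through the appliance's 'system upgrade URL' command.
    """
    if not verify_package(path, expected_sha256):
        raise RuntimeError(f"digest mismatch for {path}; refusing to stage")
    os.makedirs(staging_dir, exist_ok=True)
    dest = os.path.join(staging_dir, os.path.basename(path))
    shutil.copyfile(path, dest)
    return dest


def demo() -> dict:
    """Self-contained run against a constructed file (not a real Cisco package)."""
    contents = b"constructed package contents\n"
    with tempfile.TemporaryDirectory() as tmp:
        pkg = os.path.join(tmp, "prsm-sys-example.pkg")
        with open(pkg, "wb") as fh:
            fh.write(contents)
        good = hashlib.sha256(contents).hexdigest()  # stands in for the vendor digest
        bad = "0" * 64                               # a digest that cannot match
        results = {"good": verify_package(pkg, good), "bad": verify_package(pkg, bad)}
        staged = stage_package(pkg, good, os.path.join(tmp, "htdocs"))
        results["staged_exists"] = os.path.exists(staged)
        try:
            stage_package(pkg, bad, os.path.join(tmp, "htdocs"))
            results["bad_staged"] = True
        except RuntimeError:
            results["bad_staged"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

Run the script on the host that serves the package; once stage_package succeeds, point the appliance at the staged file with system upgrade URL. The check adds nothing to what the appliance's own package validation does, but it closes the window between downloading the package from Cisco and the appliance fetching it over an unverified channel.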

traceroute

To determine the route packets will take to their destination, use the traceroute command.

traceroute {destination_ip | destination_host_name} [-m hops]

Syntax
destination_ip: The IPv4 address of the destination whose route you are tracing. You cannot use this command with IPv6 addresses.
destination_host_name: The DNS host name of the destination whose route you are tracing. You must configure DNS servers to use host names.
-m hops: The maximum number of hops to trace. Use this parameter if you are primarily concerned with the portion of the route near the device and want to limit the time needed to complete the trace. The range is 1 to 255; the default is 30.

Command Default
Traces are limited to 30 hops.

Command Modes
You can use this command in the following contexts:
- ASA CX console or SSH session.
- PRSM console or SSH session.

Command History
CX Software 9.0(1), PRSM 9.0(1): This command was introduced.

Usage Guidelines
The traceroute command is similar to the ping command, except that instead of testing connectivity to the destination alone, traceroute tests each node along the path to the ultimate destination. The command prints the result of each probe sent. Every line of output corresponds to a time-to-live (TTL) value, in increasing order. The following table explains the symbols that might appear in the output.

Tip: If traceroute encounters administratively prohibited nodes, or otherwise cannot get a response, the trace might take a long time to complete. Press Ctrl+C to end the trace if you do not want to wait.

Output Symbol    Description
*                No response was received for the probe within the timeout period.
nn ms            For each node, the round-trip time (in milliseconds) for each probe sent to the node. Each node should return three values. This time represents the latency between the device and each node.
!n               ICMP network unreachable.
!h               ICMP host unreachable.
!p               ICMP protocol unreachable.
!a               ICMP administratively prohibited.
?                Unknown ICMP error.

Examples
The following example shows traceroute output. Note that the first line summarizes the trace, showing the host name (if you used a host name), the IP address, the maximum number of hops (nodes) that will be probed, and the size of the packet sent in the probes. The remaining output shows each node in the traced route.

  hostname> traceroute dest.example.com
  traceroute to dest.example.com ( ), 30 hops max, 46 byte packets
   1 hop1.example.com ( ) ms ms ms
   2 hop2.example.com ( ) ms ms ms
   3 hop3.example.com ( ) ms ms ms
   4 dest.example.com ( ) ms * ms

Related Commands
ping: Checks connectivity to a destination.
setup: Configures basic system settings, including DNS servers.
show dns: Shows the configured DNS servers.
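When a trace is captured from the CLI for a ticket or a change record, it helps to turn the transcript into structured data: which TTLs answered, which timed out, and where probes were administratively prohibited (the case the Tip above warns will slow the trace down). The parser below is an added example written for this page, not part of the Cisco command reference or the appliance software. It follows the output format shown above and the symbol table for this command; the ICMP annotations are matched case-insensitively because this page lists them in lowercase while most traceroute implementations print them in uppercase, and treating both the same is an assumption. The sample transcript, its host names and its documentation-range addresses are constructed for the example.

```python
"""Parser for the traceroute output format documented above.

Added example, not part of the Cisco command reference. Classifies each
probe using the documented output symbols: round-trip time, '*' (timeout),
'!N', '!H', '!P', '!A' (ICMP errors) and '?' (unknown ICMP error).
Case-insensitive matching of the annotations is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Meaning of each ICMP annotation, per the output table for this command.
ICMP_SYMBOLS = {
    "N": "network unreachable",
    "H": "host unreachable",
    "P": "protocol unreachable",
    "A": "administratively prohibited",
}

HEADER_RE = re.compile(
    r"^traceroute to (?P<target>\S+) \((?P<ip>[^)]*)\), (?P<max_hops>\d+) hops max"
)
HOP_RE = re.compile(r"^\s*(?P<ttl>\d+)\s+(?P<rest>.*)$")
HOST_RE = re.compile(r"^(?P<host>\S+) \((?P<ip>[^)]*)\)\s*(?P<rest>.*)$")
# One probe result: an RTT, a timeout, or an ICMP annotation.
PROBE_RE = re.compile(r"(?P<rtt>\d+(?:\.\d+)?) ms|(?P<timeout>\*)|!(?P<icmp>[NHPA?])", re.I)


@dataclass
class Hop:
    ttl: int
    host: str | None = None
    ip: str | None = None
    rtts_ms: list[float] = field(default_factory=list)
    timeouts: int = 0
    icmp_errors: list[str] = field(default_factory=list)

    @property
    def responded(self) -> bool:
        return bool(self.rtts_ms)


@dataclass
class Trace:
    target: str
    ip: str
    max_hops: int
    hops: list[Hop] = field(default_factory=list)

    def reached(self) -> bool:
        """True when the last hop that answered is the target name or address."""
        answered = [h for h in self.hops if h.responded]
        return bool(answered) and (answered[-1].ip == self.ip or answered[-1].host == self.target)

    def blocked_at(self) -> list[int]:
        """TTLs whose probes were administratively prohibited (!A), i.e. filtered."""
        return [h.ttl for h in self.hops if "administratively prohibited" in h.icmp_errors]


def parse_traceroute(text: str) -> Trace:
    """Parse a traceroute transcript into a Trace with one Hop per TTL line."""
    trace = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:
            trace = Trace(m["target"], m["ip"], int(m["max_hops"]))
            continue
        if trace is None:
            raise ValueError("hop line before traceroute header")
        m = HOP_RE.match(line)
        if not m:
            raise ValueError(f"unrecognized line: {line!r}")
        hop = Hop(int(m["ttl"]))
        rest = m["rest"]
        hm = HOST_RE.match(rest)  # absent when every probe timed out ('* * *')
        if hm:
            hop.host, hop.ip, rest = hm["host"], hm["ip"], hm["rest"]
        for pm in PROBE_RE.finditer(rest):
            if pm["rtt"]:
                hop.rtts_ms.append(float(pm["rtt"]))
            elif pm["timeout"]:
                hop.timeouts += 1
            else:
                sym = pm["icmp"].upper()
                hop.icmp_errors.append(ICMP_SYMBOLS.get(sym, "unknown ICMP error"))
        trace.hops.append(hop)
    if trace is None:
        raise ValueError("no traceroute header found")
    return trace


# Constructed sample in the format shown on this page; addresses are documentation ranges.
SAMPLE = """\
traceroute to dest.example.com (203.0.113.10), 30 hops max, 46 byte packets
 1 hop1.example.com (192.0.2.1) 0.412 ms 0.380 ms 0.371 ms
 2 hop2.example.com (198.51.100.1) 1.204 ms 1.150 ms 1.198 ms
 3 hop3.example.com (198.51.100.9) 2.511 ms !A 2.498 ms !A 2.530 ms !A
 4 * * *
 5 dest.example.com (203.0.113.10) 3.912 ms * 3.870 ms
"""

if __name__ == "__main__":
    t = parse_traceroute(SAMPLE)
    for h in t.hops:
        print(h.ttl, h.host or "*", h.rtts_ms, h.timeouts, h.icmp_errors)
    print("reached:", t.reached(), "filtered at:", t.blocked_at())
```

In the sample, hop 3 answers every probe with an administratively prohibited error and hop 4 never answers, yet the destination is still reached at TTL 5; blocked_at() returns [3], which is the hop to name when asking the owner of that node why the trace is being filtered.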



Cisco ASR 9000 Series Aggregation Services Router System Security Command Reference, Release 4.1

Cisco ASR 9000 Series Aggregation Services Router System Security Command Reference, Release 4.1 Cisco ASR 9000 Series Aggregation Services Router System Security Command Reference, Release 4.1 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com

More information

Cisco Prime Network Registrar IPAM 8.3 Quick Start Guide

Cisco Prime Network Registrar IPAM 8.3 Quick Start Guide Cisco Prime Network Registrar IPAM 8.3 Quick Start Guide Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS

More information

Configure WSA to Upload Log Files to CTA System

Configure WSA to Upload Log Files to CTA System Configure WSA to Upload Log Files to CTA System Last updated: January 30, 2018 Contents Conventions Introduction Prerequisites Requirements Components Used Configure Configure the Proxy Connect to Active

More information

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at Document Date: May 16, 2017 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL

More information

Cisco Jabber for Android 10.5 Quick Start Guide

Cisco Jabber for Android 10.5 Quick Start Guide Cisco Jabber for Android 10.5 Quick Start Guide Revised: August 21, 2014, Cisco Jabber Welcome to Cisco Jabber. Use this guide to set up the app and use some key features. After setup, learn more by viewing

More information

Cisco StadiumVision Management Dashboard Monitored Services Guide

Cisco StadiumVision Management Dashboard Monitored Services Guide Cisco StadiumVision Management Dashboard Monitored Services Guide Release 2.3 May 2011 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com

More information

Cisco UCS C-Series IMC Emulator Quick Start Guide. Cisco IMC Emulator 2 Overview 2 Setting up Cisco IMC Emulator 3 Using Cisco IMC Emulator 9

Cisco UCS C-Series IMC Emulator Quick Start Guide. Cisco IMC Emulator 2 Overview 2 Setting up Cisco IMC Emulator 3 Using Cisco IMC Emulator 9 Cisco UCS C-Series IMC Emulator Quick Start Guide Cisco IMC Emulator 2 Overview 2 Setting up Cisco IMC Emulator 3 Using Cisco IMC Emulator 9 Revised: October 6, 2017, Cisco IMC Emulator Overview About

More information

IP Addressing: Fragmentation and Reassembly Configuration Guide

IP Addressing: Fragmentation and Reassembly Configuration Guide First Published: December 05, 2012 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883

More information

OpenStack Group-Based Policy User Guide

OpenStack Group-Based Policy User Guide First Published: November 09, 2015 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883

More information

SAML SSO Okta Identity Provider 2

SAML SSO Okta Identity Provider 2 SAML SSO Okta Identity Provider SAML SSO Okta Identity Provider 2 Introduction 2 Configure Okta as Identity Provider 2 Enable SAML SSO on Unified Communications Applications 4 Test SSO on Okta 4 Revised:

More information

Provisioning an OCH Network Connection

Provisioning an OCH Network Connection Provisioning an OCH Network Connection Cisco EPN Manager 2.0 Job Aid Copyright Page THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,

More information

Cisco ASR 9000 Series Aggregation Services Router Netflow Command Reference, Release 4.3.x

Cisco ASR 9000 Series Aggregation Services Router Netflow Command Reference, Release 4.3.x Cisco ASR 9000 Series Aggregation Services Router Netflow Command Reference, Release 4.3.x First Published: 2012-12-01 Last Modified: 2013-05-01 Americas Headquarters Cisco Systems, Inc. 170 West Tasman

More information

Enterprise Chat and Administrator s Guide to System Console, Release 11.6(1)

Enterprise Chat and  Administrator s Guide to System Console, Release 11.6(1) Enterprise Chat and Email Administrator s Guide to System Console, Release 11.6(1) For Unified Contact Center First Published: August 2016 Last Modified: August 2017 Americas Headquarters Cisco Systems,

More information

Deploying Devices. Cisco Prime Infrastructure 3.1. Job Aid

Deploying Devices. Cisco Prime Infrastructure 3.1. Job Aid Deploying Devices Cisco Prime Infrastructure 3.1 Job Aid Copyright Page THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION,

More information

Cisco Nexus 7000 Series NX-OS Quality of Service Command Reference

Cisco Nexus 7000 Series NX-OS Quality of Service Command Reference Cisco Nexus 7000 Series NX-OS Quality of Service Command Reference August 2011 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408

More information

Media Services Proxy Command Reference

Media Services Proxy Command Reference Media Services Proxy Command Reference Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883

More information

Flow Sensor and Load Balancer Integration Guide. (for Stealthwatch System v6.9.2)

Flow Sensor and Load Balancer Integration Guide. (for Stealthwatch System v6.9.2) Flow Sensor and Load Balancer Integration Guide (for Stealthwatch System v6.9.2) THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,

More information

Method of Procedure for HNB Gateway Configuration on Redundant Serving Nodes

Method of Procedure for HNB Gateway Configuration on Redundant Serving Nodes Method of Procedure for HNB Gateway Configuration on Redundant Serving Nodes First Published: December 19, 2014 This method of procedure (MOP) provides the HNBGW configuration on redundant Serving nodes

More information

Cisco IOS Flexible NetFlow Command Reference

Cisco IOS Flexible NetFlow Command Reference Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION

More information

Tetration Cluster Cloud Deployment Guide

Tetration Cluster Cloud Deployment Guide First Published: 2017-11-16 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE

More information

Creating and Installing SSL Certificates (for Stealthwatch System v6.10)

Creating and Installing SSL Certificates (for Stealthwatch System v6.10) Creating and Installing SSL Certificates (for Stealthwatch System v6.10) Copyrights and Trademarks 2017 Cisco Systems, Inc. All rights reserved. NOTICE THE SPECIFICATIONS AND INFORMATION REGARDING THE

More information

Cisco Meeting Management

Cisco Meeting Management Cisco Meeting Management Cisco Meeting Management 1.0 Release Notes December 07, 2017 Cisco Systems, Inc. www.cisco.com Contents 1 Introduction 4 1.1 The software 4 2 Deploying Meeting Management with

More information

Cisco TelePresence TelePresence Server MSE 8710

Cisco TelePresence TelePresence Server MSE 8710 Cisco TelePresence TelePresence Server MSE 8710 Installation Guide 61-0025-05 August 2013 Contents General information 3 About the Cisco TelePresence Server MSE 8710 3 Port and LED locations 3 LED behavior

More information

Cisco Unified Communications Manager Device Package 10.5(1)( ) Release Notes

Cisco Unified Communications Manager Device Package 10.5(1)( ) Release Notes Cisco Unified Communications Manager Device Package 10.5(1)(11008-1) Release Notes First Published: September 02, 2014 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706

More information

Cisco TelePresence Video Communication Server. Getting started

Cisco TelePresence Video Communication Server. Getting started Cisco TelePresence Video Communication Server Getting started D14350.04 November 2010 Contents Contents Contents 2 General information 3 About the Cisco TelePresence Video Communication Server (Cisco VCS)

More information

Catalyst 2960-X Switch NetFlow Lite Command Reference, Cisco IOS Release 15.0(2)EX

Catalyst 2960-X Switch NetFlow Lite Command Reference, Cisco IOS Release 15.0(2)EX Catalyst 2960-X Switch NetFlow Lite Command Reference, Cisco IOS Release 15.0(2)EX First Published: July 10, 2013 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706

More information

Getting Started Guide for Cisco UCS E-Series Servers, Release 2.x

Getting Started Guide for Cisco UCS E-Series Servers, Release 2.x First Published: August 09, 2013 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883

More information

IP Addressing: IPv4 Addressing Configuration Guide, Cisco IOS Release 15S

IP Addressing: IPv4 Addressing Configuration Guide, Cisco IOS Release 15S IP Addressing: IPv4 Addressing Configuration Guide, Cisco IOS Release 15S Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000

More information

Cisco TelePresence MCU MSE 8510

Cisco TelePresence MCU MSE 8510 Cisco TelePresence MCU MSE 8510 Installation Guide 61-0021-04 August 2013 Contents General information 3 About the Cisco TelePresence MCU MSE 8510 3 Port and LED locations 3 LED behavior 3 Installing the

More information

Cisco WebEx Meetings Server Administration Guide

Cisco WebEx Meetings Server Administration Guide First Published: October 23, 2012 Last Modified: October 23, 2012 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800

More information

Cisco WebEx Meetings Server Administration Guide Release 1.5

Cisco WebEx Meetings Server Administration Guide Release 1.5 First Published: August 16, 2013 Last Modified: April 18, 2014 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS

More information

NetFlow Configuration Guide

NetFlow Configuration Guide Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION

More information

Cisco C880 M4 Server User Interface Operating Instructions for Servers with E v2 and E v3 CPUs

Cisco C880 M4 Server User Interface Operating Instructions for Servers with E v2 and E v3 CPUs Cisco C880 M4 Server User Interface Operating Instructions for Servers with E7-8800 v2 and E7-8800 v3 CPUs November, 2015 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT

More information

Embedded Packet Capture Configuration Guide

Embedded Packet Capture Configuration Guide Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION

More information

Cisco TelePresence MCU MSE 8510

Cisco TelePresence MCU MSE 8510 Cisco TelePresence MCU MSE 8510 Version 4.3 Creating and managing an MCU cluster D14718.05 March 2012 Contents Contents Contents... 2 Introduction... 4 Master blades... 4 Slave blades... 4 System requirements...

More information

Smart Software Manager satellite Installation Guide

Smart Software Manager satellite Installation Guide Smart Software Manager satellite Installation Guide Published: Jul, 2017 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000

More information

Cisco StadiumVision Getting Started with the Management Dashboard

Cisco StadiumVision Getting Started with the Management Dashboard Cisco StadiumVision Getting Started with the Management Dashboard All Releases November 2015 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com

More information

Cisco TelePresence Server 4.2(3.72)

Cisco TelePresence Server 4.2(3.72) Cisco TelePresence Server 4.2(3.72) Release Notes October 2016 Product Documentation The following sites contain documents covering installation, initial configuration, and operation of the product: Release

More information

Cisco UCS Director UCS Central Management Guide, Release 6.5

Cisco UCS Director UCS Central Management Guide, Release 6.5 First Published: 2017-07-11 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE

More information

Cisco UCS Integrated Management Controller Faults Reference Guide

Cisco UCS Integrated Management Controller Faults Reference Guide First Published: 2017-05-05 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE

More information

CiscoWorks Network Compliance Manager Horizontal Scalability User s Guide

CiscoWorks Network Compliance Manager Horizontal Scalability User s Guide CiscoWorks Network Compliance Manager 1.7.03 Horizontal Scalability User s Guide February 13, 2013 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com

More information

Cisco WebEx Best Practices for Secure Meetings for Site Administrators and Hosts

Cisco WebEx Best Practices for Secure Meetings for Site Administrators and Hosts Cisco WebEx Best Practices for Secure Meetings for Site Administrators and Hosts First Published: 2016-04-04 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA

More information

Quantum Policy Suite Subscriber Services Portal 2.9 Interface Guide for Managers

Quantum Policy Suite Subscriber Services Portal 2.9 Interface Guide for Managers Quantum Policy Suite Subscriber Services Portal 2.9 Interface Guide for Managers Version 5.5 August 31, 2013 Cisco Systems, Inc. www.cisco.com Cisco has more than 200 offices worldwide. Addresses, phone

More information