Cisco ASA firewall common troubleshooting commands part 1

Check the system status

myfirewall/pri/act# show firewall
Firewall mode: Router

myfirewall/pri/act# show version

Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 7.1(1)52

Compiled on Wed 28-Nov-12 10:38 by builders
System image file is "disk0:/asa911-k8.bin"
Config file at boot was "startup-config"

myfirewall up 218 days 1 hour
failover cluster up 5 years 10 days

Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz,
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xfff00000, 1024KB

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.08
Number of accelerators: 1

0: Ext: GigabitEthernet0/0 : address is 001f.abcc.a8c6, irq 9
1: Ext: GigabitEthernet0/1 : address is 001f.abcc.a5e7, irq 9
2: Ext: GigabitEthernet0/2 : address is 001f.abcc.a5e8, irq 9
3: Ext: GigabitEthernet0/3 : address is 001f.abcc.a5e9, irq 9
4: Ext: Management0/0 : address is 001f.abcc.a5ea, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual

This platform has an ASA 5520 VPN Plus license.

Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 4 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 4 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 4 perpetual
Total UC Proxy Sessions : 4 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual

This platform has an ASA 5520 VPN Plus license.

Serial Number: xxxxxxxx
Running Permanent Activation Key: 0x0x0x0x 0x0x0x0x 0x0x0x0x 0x0x0x0 0x0x0x0x0
Configuration register is 0x1
Configuration last modified by admin at 10:41:22.791 CEDT Fri Sep 13 2013

Failover state

myfirewall/pri/act(config)# sh failover state

State Last Failure Reason Date/Time
This host - Primary
Active None
Other host - Secondary
Standby Ready Ifc Failure 17:38:56 CEDT Jun 10 2013
dmz5: Failed
inside: Failed

====Configuration State===
Sync Done
Sync Done - STANDBY
====Communication State===
Mac set

To see what the firewall has seen so far, the traffic mix concerning the enabled inspections:

myfirewall/pri/act(config)# sh service-policy

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 6206448, drop 1493, reset-drop 0, v6-fail-close 0
Inspect: ftp, packet 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: netbios, packet 285884, drop 0, reset-drop 0, v6-fail-close 0
Inspect: tftp, packet 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: icmp, packet 14657730, drop 1226951, reset-drop 0, v6-fail-close 0
Inspect: icmp error, packet 10377, drop 0, reset-drop 0, v6-fail-close 0
Inspect: dcerpc, packet 199070, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
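The useful signal in that output is not the raw counters but the ratio of drops to inspected packets per engine: here ICMP inspection dropped about 8.4% of what it saw, while DNS dropped well under 0.1%. The following parser is an added example (not code from the original post) that reads the "show service-policy" text above, computes the drop ratio per inspection engine, and flags engines above a threshold; the sample text, the 1% threshold and the 1000-packet floor are assumptions made for the example.

```python
import re

# Constructed sample, copied from the "show service-policy" output shown on this page.
SHOW_SERVICE_POLICY = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 6206448, drop 1493, reset-drop 0, v6-fail-close 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: netbios, packet 285884, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: icmp, packet 14657730, drop 1226951, reset-drop 0, v6-fail-close 0
      Inspect: icmp error, packet 10377, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: dcerpc, packet 199070, drop 0, reset-drop 0, v6-fail-close 0
      tcp-proxy: bytes in buffer 0, bytes dropped 0
"""

# One "Inspect:" line: engine name (optionally followed by its policy-map name),
# then the packet, drop and reset-drop counters.
INSPECT_RE = re.compile(
    r"Inspect:\s+(?P<name>[^,]+),\s+packet\s+(?P<packet>\d+),"
    r"\s+drop\s+(?P<drop>\d+),\s+reset-drop\s+(?P<reset_drop>\d+)"
)


def parse_inspect_counters(text):
    """Return {engine: (packets, drops, reset_drops)} for every Inspect line.

    "dns preset_dns_map" is reported under the engine name "dns": the attached
    policy-map name is stripped so engines compare across firewalls.
    """
    counters = {}
    for line in text.splitlines():
        m = INSPECT_RE.search(line)
        if not m:
            continue
        name = m.group("name").strip()
        if name.endswith("_map"):  # drop a "preset_dns_map" style suffix
            name = name.rsplit(" ", 1)[0]
        counters[name] = (int(m.group("packet")), int(m.group("drop")),
                          int(m.group("reset_drop")))
    return counters


def drop_ratio(counters, engine):
    """Fraction of inspected packets the engine dropped (drop + reset-drop); 0.0 if idle."""
    packets, drops, reset_drops = counters[engine]
    return (drops + reset_drops) / packets if packets else 0.0


def engines_over_threshold(counters, threshold=0.01, min_packets=1000):
    """Engines whose drop ratio exceeds `threshold`, ignoring engines that saw
    fewer than `min_packets` packets (a ratio over a handful of packets is noise)."""
    return sorted(
        name for name, (packets, _, _) in counters.items()
        if packets >= min_packets and drop_ratio(counters, name) > threshold
    )


if __name__ == "__main__":
    c = parse_inspect_counters(SHOW_SERVICE_POLICY)
    for name in sorted(c):
        print(f"{name:12s} packets={c[name][0]:>10d} drop_ratio={drop_ratio(c, name):.4%}")
    print("over threshold:", engines_over_threshold(c))
```

Run against the page's output the only engine over 1% is icmp. A sustained drop ratio like that is worth correlating with the syslog for the inspection (and with the per-interface drop rates from show traffic further down) before assuming the inspection policy is simply doing its job.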

To see the status of CPU and memory:

myfirewall/pri/act(config)# sh cpu usage
CPU utilization for 5 seconds = 8%; 1 minute: 9%; 5 minutes: 9%
myfirewall/pri/act(config)#
myfirewall/pri/act(config)#
myfirewall/pri/act(config)# sh memory
Free memory: 1722679208 bytes (80%)
Used memory: 424804440 bytes (20%)
------------- ------------------
Total memory: 2147483648 bytes (100%)

myfirewall/pri/act# show processes cpu-usage sorted
PC Thread 5Sec 1Min 5Min Process
0x0827e731 0x6e5d2d8c 8.4% 8.7% 8.5% Dispatch Unit
0x0878d2de 0x6e5bf254 0.2% 0.9% 0.4% ARP Thread
0x090b0155 0x6e5b7fb4 0.2% 0.2% 0.1% ssh
0x08785b0e 0x6e5bf460 0.0% 0.0% 0.0% IP Thread
0x081735b4 0x6e5c56a0 0.0% 0.0% 0.0% CTM message handler
0x08cdd5cc 0x6e5c2580 0.0% 0.0% 0.0% update_cpu_usage
0x084e2936 0x6e5c04c0 0.0% 0.0% 0.0% fover_health_monitoring_thread
0x0935c832 0x6e5bc964 0.0% 0.0% 0.0% vpnfol_thread_timer
0x080596a4 0x6e5d31a4 0.0% 0.0% 0.0% block_diag
0x08854a74 0x6e5d2974 0.0% 0.0% 0.0% WebVPN KCD Process
0x084c6b6d 0x6e5d2768 0.0% 0.0% 0.0% CF OIR
0x08eafaec 0x6e5d255c 0.0% 0.0% 0.0% lina_int
0x0807209d 0x6e5d1f38 0.0% 0.0% 0.0% Reload Control Thread
0x08086369 0x6e5d1d2c 0.0% 0.0% 0.0% aaa
0x0916ad6d 0x6e5d1b20 0.0% 0.0% 0.0% UserFromCert Thread
0x0916ad6d 0x6e5d1914 0.0% 0.0% 0.0% aaa_shim_thread
0x080bae3c 0x6e5d14fc 0.0% 0.0% 0.0% CMGR Server Process
0x080bd4ad 0x6e5d12f0 0.0% 0.0% 0.0% CMGR Timer Process
0x0816d455 0x6e5d049c 0.0% 0.0% 0.0% CTM Daemon
0x081df2c5 0x6e5d0290 0.0% 0.0% 0.0% SXP CORE
0x081d7041 0x6e5d0084 0.0% 0.0% 0.0% RBM CORE
0x081cde3c 0x6e5cfe78 0.0% 0.0% 0.0% cts_task
0x081cf2ed 0x6e5cfc6c 0.0% 0.0% 0.0% cts_timer_task
0x0827c804 0x6e5cf43c 0.0% 0.0% 0.0% dbgtrace
0x0856b194 0x6e5cec0c 0.0% 0.0% 0.0% 557mcfix
0x0856b126 0x6e5cea00 0.0% 0.0% 0.0% 557statspoll

myfirewall/pri/act# show processes internals

Invoked Giveups Max_Runtime Process
1 0 0.025 block_diag
1926681692 1926681692 32.679 Dispatch Unit
3768836 0 0.189 WebVPN KCD Process
1 0 0.012 CF OIR
1 0 0.001 lina_int
1 0 0.003 Reload Control Thread
374305 233705 0.135 aaa
10 4 1.427 UserFromCert Thread
64 63 0.104 aaa_shim_thread
2 0 0.009 CMGR Server Process
2 0 0.008 CMGR Timer Process
1 0 0.001 CTM Daemon
62 0 0.044 SXP CORE

myfirewall/pri/act(config)# sh perfmon

PERFMON STATS: Current Average
Xlates 0/s 0/s
Connections 0/s 0/s
TCP Conns 0/s 0/s
UDP Conns 0/s 0/s
URL Access 0/s 0/s
URL Server Req 0/s 0/s
TCP Fixup 0/s 0/s
TCP Intercept Established Conns 0/s 0/s
TCP Intercept Attempts 0/s 0/s
TCP Embryonic Conns Timeout 0/s 0/s
HTTP Fixup 0/s 0/s
FTP Fixup 0/s 0/s
AAA Authen 0/s 0/s
AAA Author 0/s 0/s
AAA Account 0/s 0/s

VALID CONNS RATE in TCP INTERCEPT: Current Average
N/A 100.00%

To get the high-availability state with the show failover command, first list the available sub-options:

myfirewall/pri/act(config)# show failover ?

exec mode commands/options:
descriptor  Show failover interface descriptors. Two numbers are shown for
            each interface. When exchanging information regarding a
            particular interface, this unit uses the first number in messages
            it sends to its peer. And it expects the second number in
            messages it receives from its peer. For trouble shooting, collect
            the show output from both units and verify that the numbers
            match.
exec        Show failover command execution information
history     Show failover switching history
interface   Show failover command interface information
state       Show failover internal state information
statistics  Show failover command interface statistics information
| Output modifiers

Check the failover state

myfirewall/pri/act(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
Version: Ours 9.1(1), Mate 9.1(1)
Last Failover at: 07:31:49 CEST Feb 12 2013
This host: Primary - Active
Active time: 18841674 (sec)
slot 0: ASA5520 hw/sw rev (2.0/9.1(1)) status (Up Sys)
Interface dmz5 (192.168.36.1): Normal (Monitored)
Interface dmz6 (192.168.47.1): Normal (Not-Monitored)
Interface inside (172.24.3.5): Normal (Monitored)
Interface oob (192.168.99.1): Normal (Monitored)
Interface management (0.0.0.0): No Link (Not-Monitored)
slot 1: empty
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5520 hw/sw rev (2.0/9.1(1)) status (Up Sys)
Interface dmz5 (192.168.36.2): Normal (Monitored)
Interface dmz6 (192.168.47.2): Normal (Not-Monitored)
Interface inside (172.24.3.6): Normal (Monitored)
Interface oob (192.168.99.2): Normal (Monitored)
Interface management (0.0.0.0): Normal (Not-Monitored)
slot 1: empty

Stateful Failover Logical Update Statistics
Link : failover GigabitEthernet0/2 (up)
Stateful Obj xmit xerr rcv rerr
General 372747905 0 2453073 0
sys cmd 2452421 0 2452415 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 1275302 0 0 0
UDP conn 17706401 0 36 0
ARP tbl 351007284 0 621 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 306520 0 0 0
User-Identity 5 0 1 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0

Logical Update Queue Information
Cur Max Total
Recv Q: 0 88 2453116
Xmit Q: 0 29 381560801

myfirewall/pri/act(config)# show failover interface
interface failover GigabitEthernet0/2
System IP Address: 192.168.92.109 255.255.255.252
My IP Address : 192.168.92.109
Other IP Address : 192.168.92.110

myfirewall/pri/act(config)# show failover descriptor
dmz5 send: 000200000e000000 receive: 000200000e000000
dmz6 send: 0002000041000000 receive: 0002000041000000
inside send: 0002010064000000 receive: 0002010064000000
oob send: 00020300ffff0000 receive: 00020300ffff0000
management send: 01010000ffff0000 receive: 01010000ffff0000

myfirewall/pri/act(config)# show failover history
==========================================================================
From State To State Reason
==========================================================================
07:30:59 CEST Feb 12 2013
Not Detected Negotiation No Error

07:31:03 CEST Feb 12 2013
Negotiation Cold Standby Detected an Active mate

07:31:05 CEST Feb 12 2013
Cold Standby Sync Config Detected an Active mate

07:31:15 CEST Feb 12 2013
Sync Config Sync File System Detected an Active mate

07:31:15 CEST Feb 12 2013
Sync File System Bulk Sync Detected an Active mate

07:31:29 CEST Feb 12 2013
Bulk Sync Standby Ready Detected an Active mate

07:31:49 CEST Feb 12 2013
Standby Ready Just Active HELLO not heard from mate

07:31:49 CEST Feb 12 2013
Just Active Active Drain HELLO not heard from mate

07:31:49 CEST Feb 12 2013
Active Drain Active Applying Config HELLO not heard from mate

07:31:49 CEST Feb 12 2013
Active Applying Config Active Config Applied HELLO not heard from mate

07:31:49 CEST Feb 12 2013
Active Config Applied Active HELLO not heard from mate

==========================================================================

myfirewall/pri/act(config)# show failover state

State Last Failure Reason Date/Time
This host - Primary
Active None
Other host - Secondary
Standby Ready Ifc Failure 17:38:56 CEDT Jun 10 2013
dmz5: Failed
inside: Failed

====Configuration State===
Sync Done
Sync Done - STANDBY
====Communication State===
Mac set

myfirewall/pri/act(config)# show failover statistics
tx:384585696
rx:29127977

Check the failover configuration

myfirewall/pri/act(config)# sh run all failover
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/2
failover polltime unit 1 holdtime 15
failover polltime interface 5 holdtime 25
failover interface-policy 1
failover link failover GigabitEthernet0/2
failover interface ip failover 192.168.92.109 255.255.255.252 standby 192.168.92.110

With a class-map and policy-map you can set the maximum number of connections (total and embryonic) for specific traffic, or for all traffic with match any:

myfirewall(config)# class-map CONNS
myfirewall(config-cmap)# match any
myfirewall(config-cmap)# policy-map CONNS
myfirewall(config-pmap)# class CONNS
myfirewall(config-pmap-c)# set connection conn-max 1000 embryonic-conn-max 3000

The values from the connection table of the firewall (current in use against the high-water mark; compare these with conn-max if it is configured):

myfirewall/pri/act(config)# show conn ?

exec mode commands/options:
address         Enter this keyword to specify IP address
all             Enter this keyword to show conns including to-the-box and
                from-the-box
count           Enter this keyword to show conn count only
detail          Enter this keyword to show conn in detail
long            Enter this keyword to show conn in long format
port            Enter this keyword to specify port
protocol        Enter this keyword to specify conn protocol
scansafe        Enter this keyword to show conns being forwarded to scan safe server
security-group  Enter this keyword to show security-group attributes in conns
state           Enter this keyword to specify conn state
user            Enter this keyword to specify conn user
user-group      Enter this keyword to specify conn user group
user-identity   Enter this keyword to show user names
| Output modifiers

myfirewall/pri/act(config)# show conn count
77 in use, 1013 most used

myfirewall/pri/act(config)# show conn state ?

exec mode commands/options:
WORD Enter any number of the following conn states using ',' as separator:
up finin finout http_get smtp_data nojava data_in data_out sunrpc h225
h323 sqlnet_fixup_data conn_inbound sip mgcp ctiqbe skinny
service_module stub tcp_embryonic vpn_orphan
myfirewall/pri/act(config)# show conn state up
80 in use, 1013 most used
TCP dmz5 192.168.38.250:4634 inside 172.24.1.2:54320, idle 0:02:29, bytes 12905, flags UIOB
TCP dmz5 192.168.38.250:4633 inside 172.24.1.2:135, idle 0:02:29, bytes 684, flags UIOB
TCP dmz6 192.168.47.8:80 dmz5 192.168.37.227:55335, idle 0:00:00, bytes 1618307080, flags UIOB
TCP dmz6 192.168.47.10:80 dmz5 192.168.37.227:65521, idle 0:00:00, bytes 61797243, flags UIOB
TCP dmz6 192.168.47.11:80 dmz5 192.168.37.227:55339, idle 0:00:00, bytes 3811666664, flags UIOB
TCP dmz5 192.168.36.251:80 inside 172.31.229.68:62940, idle 0:00:00, bytes 335503, flags UIO
TCP dmz5 192.168.36.251:80 inside 172.24.162.217:57429, idle 0:00:00, bytes 474510, flags UIO
TCP dmz5 192.168.38.250:23757 inside 172.24.3.38:1165, idle 0:00:00, bytes 59747307, flags UIO
TCP dmz5 192.168.38.250:3389 inside 192.168.252.66:4042, idle 0:00:48, bytes 337870, flags UIO
TCP dmz5 192.168.38.250:23757 inside 172.24.3.40:63433, idle 0:00:00, bytes 93168991, flags UIO

You can filter down to the session you are looking for, for example:

myfirewall/pri/act(config)# show conn long address 192.168.47.10
74 in use, 1013 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, b - TCP state-bypass or nailed,
C - CTIQBE media, c - cluster centralized,
D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
k - Skinny media, M - SMTP data, m - SIP media, n - GUP
O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
q - SQL*Net data, R - outside acknowledged FIN,
R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
V - VPN orphan, W - WAAS,
X - inspected by service module,
x - per session, Y - director stub flow, y - backup stub flow,
Z - Scansafe redirection, z - forwarding stub flow
TCP dmz6: 192.168.47.10/80 (192.168.47.10/80) dmz5: 192.168.37.227/65521 (192.168.37.227/65521), flags UIOB , idle 0s, uptime 20D23h, timeout 1h0m, bytes 478172338
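Reading the conn table by eye stops working past a few dozen lines. The script below is an added example (not code from the original post) that parses the short-format "show conn" lines shown above, separates half-open TCP conns (no U flag, so the handshake never completed) from established ones, counts conns per host, and compares the table against the conn-max 1000 / embryonic-conn-max 3000 values from the class-map earlier on this page. The sample is the page's own output with one constructed half-open conn (flags saA) appended so the embryonic check has something to find; the long format printed by "show conn long" is not handled.

```python
import re
from collections import Counter

# Constructed sample: the "show conn state up" header and lines from this page, plus one
# half-open TCP conn (flags without U) added by hand for the example.
SHOW_CONN = """\
80 in use, 1013 most used
TCP dmz5 192.168.38.250:4634 inside 172.24.1.2:54320, idle 0:02:29, bytes 12905, flags UIOB
TCP dmz5 192.168.38.250:4633 inside 172.24.1.2:135, idle 0:02:29, bytes 684, flags UIOB
TCP dmz6 192.168.47.8:80 dmz5 192.168.37.227:55335, idle 0:00:00, bytes 1618307080, flags UIOB
TCP dmz6 192.168.47.10:80 dmz5 192.168.37.227:65521, idle 0:00:00, bytes 61797243, flags UIOB
TCP dmz6 192.168.47.11:80 dmz5 192.168.37.227:55339, idle 0:00:00, bytes 3811666664, flags UIOB
TCP dmz5 192.168.36.251:80 inside 172.31.229.68:62940, idle 0:00:00, bytes 335503, flags UIO
TCP dmz5 192.168.36.251:80 inside 172.24.162.217:57429, idle 0:00:00, bytes 474510, flags UIO
TCP dmz5 192.168.38.250:23757 inside 172.24.3.38:1165, idle 0:00:00, bytes 59747307, flags UIO
TCP dmz5 192.168.38.250:3389 inside 192.168.252.66:4042, idle 0:00:48, bytes 337870, flags UIO
TCP dmz5 192.168.38.250:23757 inside 172.24.3.40:63433, idle 0:00:00, bytes 93168991, flags UIO
TCP dmz5 192.168.38.250:445 inside 172.24.3.41:51000, idle 0:00:03, bytes 0, flags saA
"""

HEADER_RE = re.compile(r"^(?P<in_use>\d+) in use, (?P<most_used>\d+) most used")
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<if_a>\S+)\s+(?P<ip_a>[\d.]+):(?P<port_a>\d+)\s+"
    r"(?P<if_b>\S+)\s+(?P<ip_b>[\d.]+):(?P<port_b>\d+),\s+idle\s+(?P<idle>[\d:]+),"
    r"\s+bytes\s+(?P<bytes>\d+)(?:,\s+flags\s+(?P<flags>\S+))?"
)


def parse_show_conn(text):
    """Return ((in_use, most_used), [conn dicts]) from short-format show conn output."""
    header, conns = (None, None), []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = (int(m.group("in_use")), int(m.group("most_used")))
            continue
        m = CONN_RE.match(line)
        if m:
            c = m.groupdict()
            c["bytes"] = int(c["bytes"])
            c["flags"] = c["flags"] or ""  # UDP conns may print no flags
            conns.append(c)
    return header, conns


def is_embryonic(conn):
    """A TCP conn without the U (up) flag has not completed the three-way handshake."""
    return conn["proto"] == "TCP" and "U" not in conn["flags"]


def conns_per_host(conns):
    """Number of conns each IP address takes part in, on either side of the firewall."""
    counts = Counter()
    for c in conns:
        counts[c["ip_a"]] += 1
        counts[c["ip_b"]] += 1
    return counts


def check_limits(text, conn_max=1000, embryonic_max=3000):
    """Compare the conn table with the limits set via 'set connection'
    (the page configures conn-max 1000 and embryonic-conn-max 3000)."""
    (in_use, most_used), conns = parse_show_conn(text)
    embryonic = sum(1 for c in conns if is_embryonic(c))
    top_host, top_count = conns_per_host(conns).most_common(1)[0]
    return {
        "in_use": in_use,
        "most_used": most_used,
        "embryonic": embryonic,
        "top_host": top_host,
        "top_host_conns": top_count,
        # high-water mark at or above conn-max: the limit has been (or would be) hit
        "conn_max_reached": most_used >= conn_max,
        "embryonic_max_reached": embryonic >= embryonic_max,
    }


if __name__ == "__main__":
    for key, value in check_limits(SHOW_CONN).items():
        print(f"{key:22s} {value}")
```

Note that "most used" (1013) is already above the conn-max of 1000 from the class-map example, so that limit would have dropped new connections at the peak; the counters tell you whether a limit is sized for the real load before you turn it on.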

Check the traffic on interfaces, the packet and byte counters.

myfirewall/pri/act(config)# show traffic
dmz5:
received (in 1661754.406 secs):
14637140684 packets 673671106797 bytes
8001 pkts/sec 405002 bytes/sec
transmitted (in 1661754.406 secs):
38728179279 packets 53732439765301 bytes
23000 pkts/sec 32334000 bytes/sec
1 minute input rate 1382 pkts/sec, 67193 bytes/sec
1 minute output rate 3546 pkts/sec, 4923809 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 1375 pkts/sec, 67887 bytes/sec
5 minute output rate 3589 pkts/sec, 4994000 bytes/sec
5 minute drop rate, 0 pkts/sec
dmz6:
received (in 1661754.416 secs):
38627911784 packets 53724170049557 bytes
23002 pkts/sec 32329000 bytes/sec
transmitted (in 1661754.416 secs):
14299138045 packets 572124451016 bytes
8000 pkts/sec 344002 bytes/sec
1 minute input rate 3535 pkts/sec, 4923119 bytes/sec
1 minute output rate 1354 pkts/sec, 54206 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 3577 pkts/sec, 4993200 bytes/sec
5 minute output rate 1345 pkts/sec, 53821 bytes/sec
5 minute drop rate, 0 pkts/sec
inside:
received (in 1661754.416 secs):
826826503 packets 60669330026 bytes
1 pkts/sec 36000 bytes/sec
transmitted (in 1661754.416 secs):
245271895 packets 109518736779 bytes
0 pkts/sec 65000 bytes/sec
1 minute input rate 44 pkts/sec, 2772 bytes/sec
1 minute output rate 25 pkts/sec, 13180 bytes/sec
1 minute drop rate, 21 pkts/sec
5 minute input rate 45 pkts/sec, 2829 bytes/sec
5 minute output rate 28 pkts/sec, 14443 bytes/sec
5 minute drop rate, 21 pkts/sec
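The drop-rate lines are the ones to read first: dmz5 and dmz6 drop nothing, while the inside interface drops 21 pkts/sec against an input rate of only 45 pkts/sec, nearly half of what arrives. The following is an added example (not code from the original post) that parses "show traffic" output laid out like the section above, keeps the 1-minute and 5-minute rates per interface, and lists the interfaces that are dropping, worst first, with the drop rate expressed as a fraction of the input rate. The sample text is constructed from the page's output (the cumulative received/transmitted lines are kept only for dmz5, to show that the parser skips them).

```python
import re

# Constructed sample: the rate lines of the "show traffic" output on this page.
SHOW_TRAFFIC = """\
dmz5:
        received (in 1661754.406 secs):
                14637140684 packets     673671106797 bytes
                8001 pkts/sec   405002 bytes/sec
        transmitted (in 1661754.406 secs):
                38728179279 packets     53732439765301 bytes
                23000 pkts/sec  32334000 bytes/sec
      1 minute input rate 1382 pkts/sec,  67193 bytes/sec
      1 minute output rate 3546 pkts/sec,  4923809 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 1375 pkts/sec,  67887 bytes/sec
      5 minute output rate 3589 pkts/sec,  4994000 bytes/sec
      5 minute drop rate, 0 pkts/sec
dmz6:
      1 minute input rate 3535 pkts/sec,  4923119 bytes/sec
      1 minute output rate 1354 pkts/sec,  54206 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 3577 pkts/sec,  4993200 bytes/sec
      5 minute output rate 1345 pkts/sec,  53821 bytes/sec
      5 minute drop rate, 0 pkts/sec
inside:
      1 minute input rate 44 pkts/sec,  2772 bytes/sec
      1 minute output rate 25 pkts/sec,  13180 bytes/sec
      1 minute drop rate, 21 pkts/sec
      5 minute input rate 45 pkts/sec,  2829 bytes/sec
      5 minute output rate 28 pkts/sec,  14443 bytes/sec
      5 minute drop rate, 21 pkts/sec
"""

# An interface header is a bare name followed by a colon; "received (in ... secs):"
# contains spaces and so does not match.
IFACE_RE = re.compile(r"^(?P<name>[^\s:]+):\s*$")
RATE_RE = re.compile(
    r"^\s*(?P<win>\d+) minute (?P<dir>input|output) rate (?P<pps>\d+) pkts/sec,"
    r"\s+(?P<bps>\d+) bytes/sec\s*$"
)
DROP_RE = re.compile(r"^\s*(?P<win>\d+) minute drop rate,\s+(?P<pps>\d+) pkts/sec\s*$")


def parse_show_traffic(text):
    """Return {iface: {window_minutes: {input_pps, input_bps, output_pps, output_bps, drop_pps}}}."""
    stats, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group("name")
            stats[current] = {}
            continue
        if current is None:
            continue
        m = RATE_RE.match(line)
        if m:
            win = stats[current].setdefault(int(m.group("win")), {})
            win[m.group("dir") + "_pps"] = int(m.group("pps"))
            win[m.group("dir") + "_bps"] = int(m.group("bps"))
            continue
        m = DROP_RE.match(line)
        if m:
            win = stats[current].setdefault(int(m.group("win")), {})
            win["drop_pps"] = int(m.group("pps"))
    return stats


def dropping_interfaces(stats, window=5):
    """(iface, drop_pps, drop / input_pps) for interfaces with a non-zero drop rate in
    the given window, worst fraction first. Input rate 0 with drops yields inf."""
    rows = []
    for name, windows in stats.items():
        w = windows.get(window, {})
        drop = w.get("drop_pps", 0)
        if drop > 0:
            inp = w.get("input_pps", 0)
            rows.append((name, drop, drop / inp if inp else float("inf")))
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    s = parse_show_traffic(SHOW_TRAFFIC)
    for name, drop, frac in dropping_interfaces(s):
        print(f"{name}: {drop} pkts/sec dropped ({frac:.1%} of input)")
```

A drop fraction this high on a low-volume interface usually points at traffic that is denied by policy or failing inspection rather than at capacity; the inspection drop counters from show service-policy and the syslog for that interface are the next places to look.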

Check the timeout values configured in the firewall:

myfirewall2/pri/act# sh run timeout
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00