Diagnostic Commands and Tools

The importance of the show commands cannot be overemphasized for troubleshooting FWSM. Under some rare circumstances, you may require to run the debug commands. Details about the show and debug commands are discussed in the following sections.

Show Commands

show commands on both the switch side and the FWSM side are important for diagnosing problems with FWSM. As the FWSM is a multi-processor system, much information cannot be viewed on the Control Plane; it can be viewed and interpreted only with the show command. This section shows you how to use some of the show commands on switches and on the FWSM.

show Commands on the Switch

The following list summarizes the use of show commands on a switch:

  • show command for module installation verification

    show module This command is used to verify the installation of the FWSM module on the switch. You can find out if the module is coming online or not, and view the status information. This is a very important first-hand command to diagnose any HW-related issue with the FWSM blade. You can find the slot number, which can be used to session into the blade.

  • show command for firewall VLAN mappings verification on the switch

    show firewall Use this command, with additional arguments, to find VLAN mappings that are configured on the switch to the firewall modules so that the VLANs can be downloaded and used by the FWSM. Example 4-3 shows the VLAN mappings in Native IOS.

Example 4-3. Using the show firewall Command Efficiently

! To Verify the VLAN groups configured in the RP Router# show firewall vlan-group Group vlans -----     ------   2       10,100 ! To verify the VLAN groups associated with a particular module. Router# show firewall module 7 vlan-group Module Vlan-groups   7            2, Router# 

show Commands on the FWSM

There are several important show commands available on the FWSM to verify the configuration and statistics of different components and the features of the FWSM. The following list contains some of those commands:

  • show command for VLAN download verification on the FWSM

    The show vlan command is used on the FWSM side to find out if or what VLANs are downloaded to the module from the switch. If the VLAN mappings from the switch to the FWSM are functioning correctly, the output shown in Example 4-4 should be same as the information reported on the switch in Example 4-3.

    Example 4-4. VLANS Downloaded to the FWSM From the Switch

    FWSM# show vlan 10, 100, FWSM# 

  • show command for statistics on different NPs

    The show np[#] stats command is by far the most important debug command to troubleshoot issues on the NPs. The NP1 and NP2 are fast paths, and NP3 is the Session Management Path.

  • show commands to find out ACL limitations in NP3

    Different ACLs have different maximum size limitations in the NP. To view the ACL limits, use the following commands:

    show np 3 acl stats show np 3 acl count show np 3 acl tree 

  • show commands for connections

    Connections are distributed into different Network Processors on FWSM. To find the details of the connections, execute the following command:

    show conn long x 

    The "x" parameter specifies the amount of the connection information you want to display. Actually the only meaningful values are "0" (default), "1", "2", and "3". More than "3" will give you the same amount of information as "3". Therefore, this is the command you will commonly use:

    Show conn long 3 

    To find the connection information that is made up to the CP complex, execute the following command:

    show pc conn 

  • show commands for checking the Gigabit Ethernet Port Statistics on the CP

    Two Gigabit Ethernet ports (ports 3 and 4 of NP3 processors) are connected to the CP. This information, and additional statistics, can be verified with the following command:

    Show nic 

  • show command for retrieving console message from buffer

    There is no external console port visible on the FWSM. For debugging, there is a console port (inside the blade), which works with a baud rate of 19600. When no Telnet session is available, the output is saved to a buffer. The buffer output can be examined subsequently when a Telnet connection is made using the following command:

    show console-output [mn] 

    Here m-n refers to message numbers. Example 4-5 displays the show console-output command.

    Example 4-5. The show console-output Command

    FWSM(config)# show console-output 6-8 Message #6 : Found PCI card in slot:4 bus:1 dev:5 (vendor:0x1014 deviceid:0x1e8) Message #7 : Ignoring PCI card in slot:4 (vendor:0x1014 deviceid:0x1e8) Message #8 : Found PCI card in slot:5 bus:1 dev:4 (vendor:0x1014 deviceid:0x1e8) FWSM(config)# 


Buffer size is limited to 4K bytes.

Debug Commands

debug commands display only the information of the packets that hit the Control Plane (CP). Information of the packets that are short-circuited in the NPs are not displayed on the CP.

One of the most important debug commands is the following:

FWSM# debug icmp trace 

With this ICMP debug command, FWSM shows only the messages for pings to the FWSM interfaces, and not for pings through the FWSM to other hosts. If you are connected to the FWSM with Telnet/SSH, and want to display the debug messages on the monitor for the connectivity problem from a host to the FWSM interface, use the following commands:

FWSM(config)# debug icmp trace FWSM(config)# logging monitor debug FWSM(config)# terminal monitor FWSM(config)# logging on FWSM(config)# 

Example 4-6 shows a sample output of the debug icmp trace command.

Example 4-6. A Sample ICMP Trace

FWSM(config)# debug icmp trace FWSM(config)# 1: ICMP echo request (len 56 id 26120 seq 0) > 2: ICMP echo reply (len 56 id 26120 seq 0) > 3: ICMP echo request (len 56 id 26120 seq 256) > 4: ICMP echo reply (len 56 id 26120 seq 256) > 5: ICMP echo request (len 56 id 26120 seq 512) > FWSM(config)# 

As shown in this example, you must see the request and reply packets. Pinging to the interface of the FWSM ensures that the FWSM interfaces are active and that the VLAN configuration is correct.

Use the following debug command to see the debug output on the interface of any types of IP packets:

[no] debug packet interface_name [src s_ip [netmask m]] [dst d_ip [netmask m]]   [[proto icmp] | [proto tcp [sport s_p ] [dport d_p]] [proto udp [sport s_p]   [dport d_p]] [rx | tx | both] 


As most of the packets flowing through FWSM are shot-circuited and never reached to the CP, this debug packet command may be ineffective as it will not show you any output. The debug packet command will be effective if you debug output when the packets are handled by the CP (for example, FTP fixup).

Other than specifying the interface name, the other arguments are optional. The following command will throw debug output to the inside interface of the IP packets:

FWSM# debug packet inside 

To know the details of fixup interactions on the FWSM, execute the following command:

FWSM# debug fixup <tcp|udp> 

For the details of a specific protocol, run the following debug command:

FWSM# debug rtsp | sip | skinny | ils | sqlnet | h323 h225 | h245 | ras  asn| event 

Sniffer on the FWSM

The FWSM has built-in sniffer capture capability, which you can use to get the details of the packets flowing through the FWSM in both directions.

To enable packet capturing, attach the capture to an interface with the interface option. Multiple interface statements attach the capture to multiple interfaces.

A packet must pass both the Ethernet and access-list filters before the packet is stored in the capture buffer.


The capture command is not saved to the configuration and the capture command is not replicated to the standby unit during failover.

To capture packets between host A and B traversing both the inside and outside interfaces, work through the following steps to turn on capture:

Step 1.

To enable packet capture traversing the inside interface, use the following commands on the FWSM:

FWSM(config)# access-list capture_in permit <protocol> host A host B FWSM(config)# access-list capture_in permit <protocol> host B host A FWSM(config)# capture inside access-list capture_in buffer 2000000   interface inside packet-length 1500 

With the this configuration, FWSM will capture packets of 1500 bytes or less in size with a maximum file size of 2 MB.

Step 2.

To enable packet capture traversing the outside interface, use the following configuration on the FWSM:

FWSM(config)# access-list capture_out permit <protocol> host A host B FWSM(config)# access-list capture_out permit <protocol> host B host A FWSM(config)# capture outside access-list capture_out buffer 2000000   interface outside packet-length 1500 

Step 3.

Retrieve the pcap format file from the PIX firewall by browsing to the PIX.

On the FWSM, you must have the web server turned on. If it's not turned on, run the setup command and run through the prompts. Next, open a browser and enter https://<pix_ip>/capture/<capture_name/pcap to connect to the web server on the FWSM. After connecting to the PIX, you will be prompted to save the file.

Step 4.

Transfer the pcap file to the TFTP server.

To send a pcap format file from the FWSM to a tftp server, execute the following command:

FWSM# copy capture:<capture_name> tftp://<pix_ip>/temp pcap 

Step 5.

View the capture buffer on the FWSM.

If the capture_name is specified, it displays the capture buffer contents for that capture. Issue show capture <capture_name> to see the capture buffer.

Step 6.

Reset and Remove the capture command.

To clear the capture buffer, enter the following clear capture command:

FWSM# clear capture inside FWSM# clear capture outside 

To remove the capture command

FWSM# no capture inside FWSM# no capture outside 

When you are finished capturing, be sure to remove the capture access-lists.

FWSM# no access-list capture_in FWSM# no access-list capture_out 

Syslog on the FWSM

Syslog implementation on FWSM is very similar to PIX Firewall with a few exceptions. Syslog is processed by the Control Plane (CP), whereas other processors might generate so many syslog messages that it could overwhelm the Control Plane (CP). So FWSM has an option for rate limiting for the Syslog on the FWSM. You can configure up to 16 Syslog servers to forward the syslog messages. There are eight levels of syslog you can configure:

  • Emergencieslevel 0

  • Alertslevel 1

  • Criticallevel 2

  • Errorslevel 3

  • Warningslevel 4

  • Notificationslevel 5

  • Informationallevel 6

  • Debugginglevel 7

The recommended syslog level is 4. Syslog messages generated in the NPs are processed by the CP before being forwarded to the Syslog servers (if any have been configured). Because the NPs can generate many Syslog messages, these Syslog messages can be rate-limited.

[no] logging rate-limit {unlimited | {num [interval]}} message syslog_id [no] logging rate-limit {unlimited | num [interval]} level syslog_level 

The rate-limiting applies for all syslog destinations (console, buffer, monitor). By default, rate limit is disabled. Interval is optional, and default is 1 second. You can disable rate-limiting with the following command:

clear logging rate-limit 

You can configure the rate-limiting configuration with the following command:

show logging rate-limit 

Sniffer Capture

Sometimes you might find that the syslog, after running the debug commands, might not give very conclusive results because other network-related issues could be affecting the packet flow. In this rare circumstance, capturing the sniffer traces simultaneously from incoming and outgoing interface segments might help to isolate the problem (as discussed earlier, the capture command can be used if the packets are reaching to the FWSM, but if the packets are getting dropped in another part of the network, then capture on the FWSM is ineffective). A very popular and freely downloadable sniffer software is Ethereal (www.ethereal.com)

Cisco Network Security Troubleshooting Handbook
Cisco Network Security Troubleshooting Handbook
ISBN: 1587051893
EAN: 2147483647
Year: 2006
Pages: 190
Authors: Mynul Hoda

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net