Cisco Secure Firewall Threat Defense Command Reference - sa - show a [Cisco Secure Firewall Threat Defense] (2024)

sftunnel-status

To view the status of the connection (tunnel) between the device and the managing management center, use the sftunnel-status command.

sftunnel-status

Command History

Release Modification
6.1 This command was introduced.

Usage Guidelines

Use the sftunnel-status command to view the status of the connection between the device and the managing management center. If you are using the local manager (device manager), this command does not provide any information.

Status information includes the following sections:

  • SFTUNNEL Status—When the connection was established and information about management interfaces used in the connection.

  • RUN STATUS—IP address, encryption, and registration status information.

  • PEER INFO—Information about the management center and its connection to this device. This section also includes statistics blocks for several types of messages that might be transmitted between the systems for various services, including Identity, Health Events, RPC, NTP, IDS, Malware Lookup, CSM_CCM (used for configuring the device), EStreamer, UE Channel, and FSTREAM.

  • RPC status.

Examples

The following is sample output from the sftunnel-status command.

> sftunnel-status

SFTUNNEL Start Time: Tue Oct 11 21:44:44 2016
    Both IPv4 and IPv6 connectivity is supported
    Broadcast count = 2
    Reserved SSL connections: 0
    Management Interfaces: 1
    br1 (control events) 10.83.57.37,2001:420:2710:2556:1:0:0:37
*************************RUN STATUS****10.83.57.41*************
    Cipher used = AES256-GCM-SHA384 (strength:256 bits)
    ChannelA Connected: Yes, Interface br1
    Cipher used = AES256-GCM-SHA384 (strength:256 bits)
    ChannelB Connected: Yes, Interface br1
    Registration: Completed.
    IPv4 Connection to peer '10.83.57.41' Start Time: Tue Oct 11 21:46:00 2016
PEER INFO:
    sw_version 6.2.0
    sw_build 2007
    Management Interfaces: 1
    eth0 (control events) 10.83.57.41,2001:420:2710:2556:1:0:0:41
    Peer channel Channel-A is valid type (CONTROL), using 'br1', connected to '10.83.57.41' via '10.83.57.37'
    Peer channel Channel-B is valid type (EVENT), using 'br1', connected to '10.83.57.41' via '10.83.57.37'

    TOTAL TRANSMITTED MESSAGES <3> for Identity service
    RECEIVED MESSAGES <2> for Identity service
    SEND MESSAGES <1> for Identity service
    HALT REQUEST SEND COUNTER <0> for Identity service
    STORED MESSAGES for Identity service (service 0/peer 0)
    STATE <Process messages> for Identity service
    REQUESTED FOR REMOTE <Process messages> for Identity service
    REQUESTED FROM REMOTE <Process messages> for Identity service

    TOTAL TRANSMITTED MESSAGES <2760> for Health Events service
    RECEIVED MESSAGES <1380> for Health Events service
    SEND MESSAGES <1380> for Health Events service
    HALT REQUEST SEND COUNTER <0> for Health Events service
    STORED MESSAGES for Health service (service 0/peer 0)
    STATE <Process messages> for Health Events service
    REQUESTED FOR REMOTE <Process messages> for Health Events service
    REQUESTED FROM REMOTE <Process messages> for Health Events service

    TOTAL TRANSMITTED MESSAGES <656> for RPC service
    RECEIVED MESSAGES <328> for RPC service
    SEND MESSAGES <328> for RPC service
    HALT REQUEST SEND COUNTER <0> for RPC service
    STORED MESSAGES for RPC service (service 0/peer 0)
    STATE <Process messages> for RPC service
    REQUESTED FOR REMOTE <Process messages> for RPC service
    REQUESTED FROM REMOTE <Process messages> for RPC service

    TOTAL TRANSMITTED MESSAGES <25131> for IP(NTP) service
    RECEIVED MESSAGES <13532> for IP(NTP) service
    SEND MESSAGES <11599> for IP(NTP) service
    HALT REQUEST SEND COUNTER <0> for IP(NTP) service
    STORED MESSAGES for IP(NTP) service (service 0/peer 0)
    STATE <Process messages> for IP(NTP) service
    REQUESTED FOR REMOTE <Process messages> for IP(NTP) service
    REQUESTED FROM REMOTE <Process messages> for IP(NTP) service

    TOTAL TRANSMITTED MESSAGES <2890> for IDS Events service
    RECEIVED MESSAGES <1445> for service IDS Events service
    SEND MESSAGES <1445> for IDS Events service
    HALT REQUEST SEND COUNTER <0> for IDS Events service
    STORED MESSAGES for IDS Events service (service 0/peer 0)
    STATE <Process messages> for IDS Events service
    REQUESTED FOR REMOTE <Process messages> for IDS Events service
    REQUESTED FROM REMOTE <Process messages> for IDS Events service

    TOTAL TRANSMITTED MESSAGES <4> for Malware Lookup Service service
    RECEIVED MESSAGES <1> for Malware Lookup Service) service
    SEND MESSAGES <3> for Malware Lookup Service service
    HALT REQUEST SEND COUNTER <0> for Malware Lookup Service service
    STORED MESSAGES for Malware Lookup Service service (service 0/peer 0)
    STATE <Process messages> for Malware Lookup Service service
    REQUESTED FOR REMOTE <Process messages> for Malware Lookup Service) service
    REQUESTED FROM REMOTE <Process messages> for Malware Lookup Service service

    TOTAL TRANSMITTED MESSAGES <372> for CSM_CCM service
    RECEIVED MESSAGES <186> for CSM_CCM service
    SEND MESSAGES <186> for CSM_CCM service
    HALT REQUEST SEND COUNTER <0> for CSM_CCM service
    STORED MESSAGES for CSM_CCM (service 0/peer 0)
    STATE <Process messages> for CSM_CCM service
    REQUESTED FOR REMOTE <Process messages> for CSM_CCM service
    REQUESTED FROM REMOTE <Process messages> for CSM_CCM service

    TOTAL TRANSMITTED MESSAGES <2907> for EStreamer Events service
    RECEIVED MESSAGES <1453> for service EStreamer Events service
    SEND MESSAGES <1454> for EStreamer Events service
    HALT REQUEST SEND COUNTER <0> for EStreamer Events service
    STORED MESSAGES for EStreamer Events service (service 0/peer 0)
    STATE <Process messages> for EStreamer Events service
    REQUESTED FOR REMOTE <Process messages> for EStreamer Events service
    REQUESTED FROM REMOTE <Process messages> for EStreamer Events service

    Priority UE Channel 1 service
    TOTAL TRANSMITTED MESSAGES <2930> for UE Channel service
    RECEIVED MESSAGES <11> for UE Channel service
    SEND MESSAGES <2919> for UE Channel service
    HALT REQUEST SEND COUNTER <0> for UE Channel service
    STORED MESSAGES for UE Channel service (service 0/peer 0)
    STATE <Process messages> for UE Channel service
    REQUESTED FOR REMOTE <Process messages> for UE Channel service
    REQUESTED FROM REMOTE <Process messages> for UE Channel service

    Priority UE Channel 0 service
    TOTAL TRANSMITTED MESSAGES <2942> for UE Channel service
    RECEIVED MESSAGES <11> for UE Channel service
    SEND MESSAGES <2931> for UE Channel service
    HALT REQUEST SEND COUNTER <0> for UE Channel service
    STORED MESSAGES for UE Channel service (service 0/peer 0)
    STATE <Process messages> for UE Channel service
    REQUESTED FOR REMOTE <Process messages> for UE Channel service
    REQUESTED FROM REMOTE <Process messages> for UE Channel service

    TOTAL TRANSMITTED MESSAGES <29286> for FSTREAM service
    RECEIVED MESSAGES <14648> for FSTREAM service
    SEND MESSAGES <14638> for FSTREAM service

    Heartbeat Send Time: Wed Oct 12 21:58:31 2016
    Heartbeat Received Time: Wed Oct 12 21:59:48 2016
*************************RPC STATUS****10.83.57.41*************
    'ip' => '10.83.57.41',
    'uuid' => 'c03cb3c2-8fe2-11e6-bce8-8c278d49b0dd',
    'ipv6' => '2001:420:2710:2556:1:0:0:41',
    'name' => '10.83.57.41',
    'active' => '1',
    'uuid_gw' => '',
    'last_changed' => 'Tue Oct 11 19:32:20 2016'
Check routes:

Related Commands

Command

Description

configure manager add

Adds a remote manager, management center.

sftunnel-status-brief

To view a brief status of the connection (tunnel) between the device and the managing management center, use the sftunnel-status-brief command.

sftunnel-status-brief

Command History

Release Modification
6.7 This command was introduced.

Usage Guidelines

Enter the sftunnel-status-brief command to view the management connection status. You can also use sftunnel-status to view more complete information.

Examples

See the following sample output for a connection that is down; there is no peer channel "connected to" information, nor heartbeat information shown:

> sftunnel-status-brief

PEER:10.10.17.202
Registration: Completed.
Connection to peer '10.10.17.202' Attempted at Mon Jun 15 09:21:57 2020 UTC
Last disconnect time : Mon Jun 15 09:19:09 2020 UTC
Last disconnect reason : Both control and event channel connections with peer went down

See the following sample output for a connection that is up, with peer channel and heartbeat information shown:

> sftunnel-status-brief

PEER:10.10.17.202
Peer channel Channel-A is valid type (CONTROL), using 'eth0', connected to '10.10.17.202' via '10.10.17.222'
Peer channel Channel-B is valid type (EVENT), using 'eth0', connected to '10.10.17.202' via '10.10.17.222'
Registration: Completed.
IPv4 Connection to peer '10.10.17.202' Start Time: Wed Jun 10 14:27:12 2020 UTC
Heartbeat Send Time: Mon Jun 15 09:02:08 2020 UTC
Heartbeat Received Time: Mon Jun 15 09:02:16 2020 UTC
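The difference between the two outputs above can be checked mechanically. The following Python sketch is an added example, not part of the Cisco reference: it classifies sftunnel-status-brief output as up or down from the peer channel and heartbeat lines. The function names and the five-minute heartbeat threshold are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed inputs: the two sample outputs from this page, one field per line.
DOWN = """\
PEER:10.10.17.202
Registration: Completed.
Connection to peer '10.10.17.202' Attempted at Mon Jun 15 09:21:57 2020 UTC
Last disconnect time : Mon Jun 15 09:19:09 2020 UTC
Last disconnect reason : Both control and event channel connections with peer went down
"""
UP = """\
PEER:10.10.17.202
Peer channel Channel-A is valid type (CONTROL), using 'eth0', connected to '10.10.17.202' via '10.10.17.222'
Peer channel Channel-B is valid type (EVENT), using 'eth0', connected to '10.10.17.202' via '10.10.17.222'
Registration: Completed.
IPv4 Connection to peer '10.10.17.202' Start Time: Wed Jun 10 14:27:12 2020 UTC
Heartbeat Send Time: Mon Jun 15 09:02:08 2020 UTC
Heartbeat Received Time: Mon Jun 15 09:02:16 2020 UTC
"""

CHANNEL = re.compile(
    r"Peer channel Channel-([AB]) is valid type \((\w+)\), using '([^']+)', "
    r"connected to '([^']+)' via '([^']+)'")
STAMP = r"\s*:\s*(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) UTC"


def read_stamp(label, text):
    """Return the UTC timestamp that follows `label`, or None if the line is absent."""
    m = re.search(re.escape(label) + STAMP, text)
    if not m:
        return None
    value = " ".join(m.group(1).split())  # collapse padding before a one-digit day
    parsed = datetime.strptime(value, "%a %b %d %H:%M:%S %Y")
    return parsed.replace(tzinfo=timezone.utc)


def tunnel_health(text, now, max_heartbeat_age=timedelta(minutes=5)):
    """Classify the management tunnel; max_heartbeat_age is an assumed threshold."""
    peer = re.search(r"^PEER:(\S+)", text, re.M)
    channels = {m.group(2) for m in CHANNEL.finditer(text)}
    heartbeat = read_stamp("Heartbeat Received Time", text)
    reason = re.search(r"^Last disconnect reason\s*:\s*(.+)$", text, re.M)

    # A down connection shows no "connected to" lines and no heartbeat lines.
    findings = [f"{kind} channel has no 'connected to' line"
                for kind in ("CONTROL", "EVENT") if kind not in channels]
    if heartbeat is None:
        findings.append("no heartbeat received time reported")
    elif now - heartbeat > max_heartbeat_age:
        findings.append(f"last heartbeat received {now - heartbeat} ago")

    return {
        "peer": peer.group(1) if peer else None,
        "up": not findings,
        "last_disconnect": read_stamp("Last disconnect time", text),
        "reason": reason.group(1).strip() if reason else None,
        "findings": findings,
    }


if __name__ == "__main__":
    poll_time = datetime(2020, 6, 15, 9, 3, 0, tzinfo=timezone.utc)
    for name, sample in (("down sample", DOWN), ("up sample", UP)):
        print(name, tunnel_health(sample, poll_time))
```

A device whose tunnel is down cannot receive policy deployments from or send events to the management center, so the "reason" and "last_disconnect" fields are the values worth forwarding to monitoring.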

Related Commands

Command

Description

sftunnel-status

Shows a detailed display of the management tunnel status.

show aaa-server

To display statistics for AAA servers, use the show aaa-server command.

show aaa-server [ LOCAL | groupname [ host hostname] | protocol protocol]

Syntax Description

groupname

(Optional) Show statistics for servers in a group.

host hostname

(Optional) Show statistics for a particular server in the group.

LOCAL

(Optional) Show statistics for the LOCAL user database.

protocol protocol

(Optional) Shows statistics for servers of the specified protocol: ldap or radius.

Command Default

By default, all AAA server statistics display.

Command History

Release Modification
6.2.1 This command was introduced.

Usage Guidelines

The following table shows field descriptions for the output of the show aaa-server command:

Field

Description

Server Group

The server group name.

Server Protocol

The server protocol for the server group.

Server Address

The IP address of the AAA server.

Server port

The communication port used by the system and the AAA server.

Server status

The status of the server. If the status is followed by “(admin initiated),” then the server was manually failed or reactivated using the aaa-server active or aaa-server fail command. Values are:

  • ACTIVE—The system will communicate with this AAA server

  • FAILED—The system cannot communicate with the AAA server. Servers that are put into this state remain there for some period of time, depending on the policy configured, and are then reactivated.

The date and time of the last transaction appears in one of the following forms:

  • Last Transaction success at time timezone date

  • Last Transaction failure at time timezone date

  • Last Transaction at Unknown, if the device has not yet communicated with the server.

Number of pending requests

The number of requests that are still in progress.

Average round trip time

The average time that it takes to complete a transaction with the server.

Number of authentication requests

The number of authentication requests sent by the system. This value does not include retransmissions after a timeout.

Number of authorization requests

The number of authorization requests. This value refers to authorization requests due to command authorization, authorization for through-the-box traffic, or for WebVPN and IPsec authorization functionality enabled for a tunnel group. This value does not include retransmissions after a timeout.

Number of accounting requests

The number of accounting requests. This value does not include retransmissions after a timeout.

Number of retransmissions

The number of times a message was retransmitted after an internal timeout. This value applies only to RADIUS servers (UDP).

Number of accepts

The number of successful authentication requests.

Number of rejects

The number of rejected requests. This value includes error conditions as well as true credential rejections from the AAA server.

Number of challenges

The number of times the AAA server required additional information from the user after receiving the initial username and password information.

Number of malformed responses

This value is not meaningful.

Number of bad authenticators

This value only applies to RADIUS.

The number of times that the “authenticator” string in the RADIUS packet is corrupted (rare), or the shared secret key on the system does not match the one on the RADIUS server. To fix this problem, enter the correct server key.

Number of timeouts

The number of times the system has detected that a AAA server is not responsive or otherwise misbehaving and has declared it offline.

Number of unrecognized responses

The number of times that the system received a response from the AAA server that it could not recognize or support. For example, the RADIUS packet code from the server was an unknown type, something other than the known “access-accept,” “access-reject,” “access-challenge,” or “accounting-response” types. Typically, this means that the RADIUS response packet from the server was corrupted, which is rare.

Examples

The following example shows how to display the AAA statistics for a specific server in a group:

> show aaa-server group1 host 192.68.125.60
Server Group: group1
Server Protocol: RADIUS
Server Address: 192.68.125.60
Server port: 1645
Server status: ACTIVE. Last transaction (success) at 11:10:08 UTC Fri Aug 22
Number of pending requests 20
Average round trip time 4ms
Number of authentication requests 20
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 1
Number of accepts 16
Number of rejects 4
Number of challenges 5
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 0
Number of unrecognized responses 0
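The field descriptions above can be turned into a check that compares two polls of the same server. This Python sketch is an added example, not part of the Cisco reference. The second poll (LATER) is constructed for illustration, and the function names and the 0.5 reject-ratio threshold are assumptions.

```python
import re

# Constructed input: the page's sample output, one field per line.
SAMPLE = """\
Server Group: group1
Server Protocol: RADIUS
Server Address: 192.68.125.60
Server port: 1645
Server status: ACTIVE. Last transaction (success) at 11:10:08 UTC Fri Aug 22
Number of pending requests 20
Average round trip time 4ms
Number of authentication requests 20
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 1
Number of accepts 16
Number of rejects 4
Number of challenges 5
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 0
Number of unrecognized responses 0
"""

# Constructed later poll of the same server (values invented for this example).
LATER = (SAMPLE
         .replace("Server status: ACTIVE. Last transaction (success)",
                  "Server status: FAILED. Last transaction (failure)")
         .replace("authentication requests 20", "authentication requests 30")
         .replace("Number of rejects 4", "Number of rejects 12")
         .replace("bad authenticators 0", "bad authenticators 3")
         .replace("Number of timeouts 0", "Number of timeouts 1"))

# "pending requests" is a gauge, and the page calls "malformed responses" not
# meaningful, so neither takes part in the counter comparison.
NOT_COUNTERS = {"pending requests", "malformed responses"}


def parse_aaa_server(text):
    """Split the output into the server fields and the 'Number of ...' values."""
    fields, counters = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Number of (.+?)\s+(\d+)$", line)
        if m:
            counters[m.group(1)] = int(m.group(2))
            continue
        m = re.match(r"(Server [A-Za-z]+):\s*(.*)$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    status = fields.get("server status", "")
    state = re.match(r"ACTIVE|FAILED", status)
    return {
        "address": fields.get("server address"),
        "protocol": fields.get("server protocol"),
        "state": state.group(0) if state else "UNKNOWN",
        "admin_initiated": "(admin initiated)" in status,
        "counters": counters,
    }


def evaluate(prev, curr, max_reject_ratio=0.5):
    """Return findings for the change between two polls (threshold is assumed)."""
    delta = {k: v - prev["counters"].get(k, 0)
             for k, v in curr["counters"].items() if k not in NOT_COUNTERS}
    if any(v < 0 for v in delta.values()):
        return ["counters decreased: statistics were cleared or reset; re-baseline"]

    findings = []
    if curr["state"] == "FAILED" and not curr["admin_initiated"]:
        findings.append("server is FAILED and the change was not admin initiated")
    if curr["protocol"] == "RADIUS" and delta.get("bad authenticators", 0):
        findings.append(f"{delta['bad authenticators']} bad authenticators: "
                        "verify the server key matches the RADIUS server")
    if delta.get("timeouts", 0):
        findings.append(f"{delta['timeouts']} timeouts: server was declared offline")
    if delta.get("unrecognized responses", 0):
        findings.append("unrecognized responses received from the server")
    requests = delta.get("authentication requests", 0)
    if requests and delta.get("rejects", 0) / requests > max_reject_ratio:
        findings.append("reject ratio above threshold (rejects include error "
                        "conditions as well as credential rejections)")
    return findings


if __name__ == "__main__":
    for finding in evaluate(parse_aaa_server(SAMPLE), parse_aaa_server(LATER)):
        print(finding)
```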

Related Commands

Commands

Description

clear aaa-server statistics

Clears AAA server statistics.

show run aaa-server

View or change the setting to merge dACL or place the dACL before Cisco-AV pair,

show access-control-config

To display summary information about your access control policy, use the show access-control-config command.

show access-control-config

Command History

Release Modification
6.1 This command was introduced.

Usage Guidelines

This command provides a summary explanation of your Access Control Policy, including the characteristics of each access control rule. The output shows the name and description of the Access Control Policy, its default action, Security Intelligence policies, and information about the access control rule sets and each access control rule. It also shows the name of referenced SSL, network analysis, intrusion, and file policies; intrusion variable set data; logging settings; and other advanced settings, including policy-level performance, preprocessing, and general settings.

The information includes policy-related connection information, such as source and destination port data (including type and code for ICMP entries) and the number of connections that matched each access control rule (hit counts).

The information also shows the HTML used for the block and interactive block actions for URL filtering.

If you are using device manager (the local manager), unsupported features will either show their default settings or they will be empty. If you are using management center, you can adjust any of these settings using the manager. You cannot configure any of the rules or options shown in this output using the CLI; you must use the manager.

Examples

The following example shows the access control configuration for a device managed using device manager, the local manager.

> show access-control-config

===============[ NGFW-Access-Policy ]===============
Description :
=================[ Default Action ]=================
Default Action : Block
Logging Configuration
    DC : Enabled
    Beginning : Disabled
    End : Disabled
Rule Hits : 0
Variable Set : Default-Set

===[ Security Intelligence - Network Whitelist ]====
===[ Security Intelligence - Network Blacklist ]====
Logging Configuration : Disabled
    DC : Disabled

=====[ Security Intelligence - URL Whitelist ]======
=====[ Security Intelligence - URL Blacklist ]======
Logging Configuration : Disabled
    DC : Disabled

=======[ Security Intelligence - DNS Policy ]=======
    Name : Default DNS Policy

======[ Rule Set: admin_category (Built-in) ]=======
=====[ Rule Set: standard_category (Built-in) ]=====
------------[ Rule: Inside_Inside_Rule ]------------
    Action : Fast-path
      Source Zones : inside_zone
      Destination Zones : inside_zone
      Users
      URLs
    Logging Configuration
      DC : Enabled
      Beginning : Enabled
      End : Enabled
      Files : Disabled
    Safe Search : No
    Rule Hits : 0
    Variable Set : Default-Set
-----------[ Rule: Inside_Outside_Rule ]------------
    Action : Fast-path
      Source Zones : inside_zone
      Destination Zones : outside_zone
      Users
      URLs
    Logging Configuration
      DC : Enabled
      Beginning : Enabled
      End : Enabled
      Files : Disabled
    Safe Search : No
    Rule Hits : 0
    Variable Set : Default-Set

=======[ Rule Set: root_category (Built-in) ]=======
===============[ Advanced Settings ]================
General Settings
  Maximum URL Length : 1024
  Interactive Block Bypass Timeout : 600
  Do not retry URL cache miss lookup : No
  Inspect Traffic During Apply : Yes
Network Analysis and Intrusion Policies
  Initial Intrusion Policy : Balanced Security and Connectivity
  Initial Variable Set : Default-Set
  Default Network Analysis Policy : Balanced Security and Connectivity
Files and Malware Settings
  File Type Inspect Limit : 1460
  Cloud Lookup Timeout : 2
  Minimum File Capture Size : 6144
  Maximum File Capture Size : 1048576
  Min Dynamic Analysis Size : 15360
  Max Dynamic Analysis Size : 2097152
  Malware Detection Limit : 10485760
Transport/Network Layer Preprocessor Settings
  Detection Settings
    Ignore VLAN Tracking Connections : No
  Maximum Active Responses : No Maximum
  Minimum Response Seconds : No Minimum
  Session Termination Log Threshold : 1048576
Detection Enhancement Settings
  Adaptive Profile : Disabled
Performance Settings
  Event Queue
    Maximum Queued Events : 5
    Disable Reassembled Content Checks: False
  Performance Statistics
    Sample time (seconds) : 300
    Minimum number of packets : 10000
    Summary : False
    Log Session/Protocol Distribution : False
  Regular Expression Limits
    Match Recursion Limit : Default
    Match Limit : Default
  Rule Processing Configuration
    Logged Events : 5
    Maximum Queued Events : 8
    Events Ordered By : Content Length
Intelligent Application Bypass Settings
  State : Off
Latency-Based Performance Settings
  Packet Handling : Disabled

============[ HTTP Block Response HTML ]============
HTTP/1.1 403 Forbidden
Connection: close
Content-Length: 506
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<title>Access Denied</title>
<style type="text/css">body {margin:0;font-family:verdana,sans-serif;} h1 {margin:0;padding:12px 25px;background-color:#343434;color:#ddd} p {margin:12px 25px;} strong {color:#E0042D;}</style>
</head>
<body>
<h1>Access Denied</h1>
<p>
<strong>You are attempting to access a forbidden site.</strong><br/><br/>
Consult your system administrator for details.
</p>
</body>
</html>

Related Commands

Command

Description

show access-list

Shows the contents of Access Control Lists (ACLs).

show access-list

To display the rules and hit counters for an access list, use the show access-list command.

show access-list [ id [ ip_address | brief | numeric ] | element-count ]

Syntax Description

id

(Optional) The name of an existing access list, to limit the view to this one access list.

ip_address

(Optional) The source IPv4 or IPv6 address, to limit the view to rules with this address.

brief

(Optional) Displays the access list identifiers, the hit count, and the time stamp of the last rule hit, all in hexadecimal format.

numeric

(Optional.) If you specify an ACL name, displays ports as numbers instead of names. For example, 80 instead of www.

element-count

(Optional.) Displays the total number of access control entries in all access lists defined on the system.

Command History

Release Modification
6.1 This command was introduced.
6.6 The numeric and element-count keywords were added.
7.1 The element-count output includes the breakdown of object groups if object-group search is enabled.

Usage Guidelines

The system structures some elements of the Access Control Policy as advanced access control list (ACL) entries. When possible, access control rules that block traffic based on layer 3 criteria become deny rules in the ACL. You might also see trust ACL rules that align with trust access control rules.

But if an access control rule requires inspection, even if the rule action is block, the ACL entry actually permits the traffic. This permitted traffic is then passed to the inspection engines, such as snort, which can ultimately block unwanted traffic.

Thus, there is not a one-to-one relationship between the low-level ACL rules shown with show access-list and the Access Control Policy rules for the device. The advanced ACL allows the system to make early drop or trust decisions on traffic, so connections that do not need inspection can be passed or dropped as quickly as possible.

Note

If your goal is to view hit count information for access control and prefilter rules, use the show rule hits command instead of this one.

ACLs can also be used for other things, such as route maps and match criteria for service policies. Standard and extended ACLs are used for these purposes.

You can display multiple access lists at one time by entering the access list identifiers in one command.

You can specify the brief keyword to display access list hit count, identifiers, and timestamp information in hexadecimal format. The configuration identifiers displayed in hexadecimal format are presented in three columns, and they are the same identifiers used in syslogs 106023 and 106100.

If an access list has been changed recently, the list is excluded from the output. A message will indicate when this happens.

Note

The output shows how many elements are in the ACL. This number is not necessarily the same as the number of access control entries (ACE) in the ACL. The system might create extra elements when you use network objects with address ranges, for example, and these extra elements are not included in the output.

Clustering Guidelines

When using clustering, if traffic is received by a single unit, the other units may still show a hit count for the ACL due to the clustering director logic. This is an expected behavior. Because the unit that did not receive any packets directly from the client may receive forwarded packets over the cluster control link for an owner request, the unit may check the ACL before sending the packet back to the receiving unit. As a result, the ACL hit count will be increased even though the unit did not pass the traffic.

Examples

The following is sample output from the show access-list command and shows the advanced access list generated for the Access Control Policy when using device manager (the local or “on box” manager). The remarks are system-generated to help you understand the access control entries (ACEs). Note that the remarks give you the name of the related rule; ACEs generated from the rule follow. These remarks are highlighted in the example below.

> show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
access-list NGFW_ONBOX_ACL; 50 elements; name hash: 0xf5cc3f88
access-list NGFW_ONBOX_ACL line 1 remark rule-id 268435458: ACCESS POLICY:NGFW_Access_Policy
access-list NGFW_ONBOX_ACL line 2 remark rule-id 268435458: L5 RULE: Inside_Inside_Rule
access-list NGFW_ONBOX_ACL line 3 advanced trust ip ifc inside1_2 any ifc inside1_3 any rule-id 268435458 event-log both (hitcnt=0) 0x2c7f5801
access-list NGFW_ONBOX_ACL line 4 advanced trust ip ifc inside1_2 any ifc inside1_4 any rule-id 268435458 event-log both (hitcnt=0) 0xf170c15b
access-list NGFW_ONBOX_ACL line 5 advanced trust ip ifc inside1_2 any ifc inside1_5 any rule-id 268435458 event-log both (hitcnt=0) 0xce627c77
access-list NGFW_ONBOX_ACL line 6 advanced trust ip ifc inside1_2 any ifc inside1_6 any rule-id 268435458 event-log both (hitcnt=0) 0xe37dcdd2
access-list NGFW_ONBOX_ACL line 7 advanced trust ip ifc inside1_2 any ifc inside1_7 any rule-id 268435458 event-log both (hitcnt=0) 0x65347856
access-list NGFW_ONBOX_ACL line 8 advanced trust ip ifc inside1_2 any ifc inside1_8 any rule-id 268435458 event-log both (hitcnt=0) 0x6d622775
access-list NGFW_ONBOX_ACL line 9 advanced trust ip ifc inside1_3 any ifc inside1_2 any rule-id 268435458 event-log both (hitcnt=0) 0xc1579ed7
access-list NGFW_ONBOX_ACL line 10 advanced trust ip ifc inside1_3 any ifc inside1_4 any rule-id 268435458 event-log both (hitcnt=0) 0x40968b8f
access-list NGFW_ONBOX_ACL line 11 advanced trust ip ifc inside1_3 any ifc inside1_5 any rule-id 268435458 event-log both (hitcnt=0) 0xc5a178c1
access-list NGFW_ONBOX_ACL line 12 advanced trust ip ifc inside1_3 any ifc inside1_6 any rule-id 268435458 event-log both (hitcnt=0) 0xdbc1560f
access-list NGFW_ONBOX_ACL line 13 advanced trust ip ifc inside1_3 any ifc inside1_7 any rule-id 268435458 event-log both (hitcnt=0) 0x3571535c
access-list NGFW_ONBOX_ACL line 14 advanced trust ip ifc inside1_3 any ifc inside1_8 any rule-id 268435458 event-log both (hitcnt=0) 0xc4a66c0a
access-list NGFW_ONBOX_ACL line 15 advanced trust ip ifc inside1_4 any ifc inside1_2 any rule-id 268435458 event-log both (hitcnt=0) 0x1d1a8032
access-list NGFW_ONBOX_ACL line 16 advanced trust ip ifc inside1_4 any ifc inside1_3 any rule-id 268435458 event-log both (hitcnt=0) 0x8f7bbcdf
access-list NGFW_ONBOX_ACL line 17 advanced trust ip ifc inside1_4 any ifc inside1_5 any rule-id 268435458 event-log both (hitcnt=0) 0xe616991f
access-list NGFW_ONBOX_ACL line 18 advanced trust ip ifc inside1_4 any ifc inside1_6 any rule-id 268435458 event-log both (hitcnt=0) 0x4db9d2aa
access-list NGFW_ONBOX_ACL line 19 advanced trust ip ifc inside1_4 any ifc inside1_7 any rule-id 268435458 event-log both (hitcnt=0) 0xf8a88db4
access-list NGFW_ONBOX_ACL line 20 advanced trust ip ifc inside1_4 any ifc inside1_8 any rule-id 268435458 event-log both (hitcnt=0) 0x1d3b5b80
access-list NGFW_ONBOX_ACL line 21 advanced trust ip ifc inside1_5 any ifc inside1_2 any rule-id 268435458 event-log both (hitcnt=0) 0xf508bbd8
access-list NGFW_ONBOX_ACL line 22 advanced trust ip ifc inside1_5 any ifc inside1_3 any rule-id 268435458 event-log both (hitcnt=0) 0x7084f3fc
access-list NGFW_ONBOX_ACL line 23 advanced trust ip ifc inside1_5 any ifc inside1_4 any rule-id 268435458 event-log both (hitcnt=0) 0xd989f9aa
access-list NGFW_ONBOX_ACL line 24 advanced trust ip ifc inside1_5 any ifc inside1_6 any rule-id 268435458 event-log both (hitcnt=0) 0xd5aa77f5
access-list NGFW_ONBOX_ACL line 25 advanced trust ip ifc inside1_5 any ifc inside1_7 any rule-id 268435458 event-log both (hitcnt=0) 0x4a7648b2
access-list NGFW_ONBOX_ACL line 26 advanced trust ip ifc inside1_5 any ifc inside1_8 any rule-id 268435458 event-log both (hitcnt=0) 0x118ef4b4
access-list NGFW_ONBOX_ACL line 27 advanced trust ip ifc inside1_6 any ifc inside1_2 any rule-id 268435458 event-log both (hitcnt=0) 0xa6be4e58
access-list NGFW_ONBOX_ACL line 28 advanced trust ip ifc inside1_6 any ifc inside1_3 any rule-id 268435458 event-log both (hitcnt=0) 0xda17cb9e
access-list NGFW_ONBOX_ACL line 29 advanced trust ip ifc inside1_6 any ifc inside1_4 any rule-id 268435458 event-log both (hitcnt=0) 0xc6bfe6b7
access-list NGFW_ONBOX_ACL line 30 advanced trust ip ifc inside1_6 any ifc inside1_5 any rule-id 268435458 event-log both (hitcnt=0) 0x5fe085c3
access-list NGFW_ONBOX_ACL line 31 advanced trust ip ifc inside1_6 any ifc inside1_7 any rule-id 268435458 event-log both (hitcnt=0) 0x4574192b
access-list NGFW_ONBOX_ACL line 32 advanced trust ip ifc inside1_6 any ifc inside1_8 any rule-id 268435458 event-log both (hitcnt=0) 0x36203c1e
access-list NGFW_ONBOX_ACL line 33 advanced trust ip ifc inside1_7 any ifc inside1_2 any rule-id 268435458 event-log both (hitcnt=0) 0x699725ea
access-list NGFW_ONBOX_ACL line 34 advanced trust ip ifc inside1_7 any ifc inside1_3 any rule-id 268435458 event-log both (hitcnt=0) 0x36a1e6a1
access-list NGFW_ONBOX_ACL line 35 advanced trust ip ifc inside1_7 any ifc inside1_4 any rule-id 268435458 event-log both (hitcnt=0) 0xe415bb76
access-list NGFW_ONBOX_ACL line 36 advanced trust ip ifc inside1_7 any ifc inside1_5 any rule-id 268435458 event-log both (hitcnt=0) 0x18ebff70
access-list NGFW_ONBOX_ACL line 37 advanced trust ip ifc inside1_7 any ifc inside1_6 any rule-id 268435458 event-log both (hitcnt=0) 0xf9bfd690
access-list NGFW_ONBOX_ACL line 38 advanced trust ip ifc inside1_7 any ifc inside1_8 any rule-id 268435458 event-log both (hitcnt=0) 0xf08a88b4
access-list NGFW_ONBOX_ACL line 39 advanced trust ip ifc inside1_8 any ifc inside1_2 any rule-id 268435458 event-log both (hitcnt=0) 0xd2014e58
access-list NGFW_ONBOX_ACL line 40 advanced trust ip ifc inside1_8 any ifc inside1_3 any rule-id 268435458 event-log both (hitcnt=0) 0x952c7254
access-list NGFW_ONBOX_ACL line 41 advanced trust ip ifc inside1_8 any ifc inside1_4 any rule-id 268435458 event-log both (hitcnt=0) 0xfc38a46f
access-list NGFW_ONBOX_ACL line 42 advanced trust ip ifc inside1_8 any ifc inside1_5 any rule-id 268435458 event-log both (hitcnt=0) 0x3f878e23
access-list NGFW_ONBOX_ACL line 43 advanced trust ip ifc inside1_8 any ifc inside1_6 any rule-id 268435458 event-log both (hitcnt=0) 0x48e852ce
access-list NGFW_ONBOX_ACL line 44 advanced trust ip ifc inside1_8 any ifc inside1_7 any rule-id 268435458 event-log both (hitcnt=0) 0x83c65e52
access-list NGFW_ONBOX_ACL line 45 remark rule-id 268435457: ACCESS POLICY:NGFW_Access_Policy
access-list NGFW_ONBOX_ACL line 46 remark rule-id 268435457: L5 RULE: Inside_Outside_Rule
access-list NGFW_ONBOX_ACL line 47 advanced trust ip ifc inside1_2 any ifc outside any rule-id 268435457 event-log both (hitcnt=0) 0xea5bdd6e
access-list NGFW_ONBOX_ACL line 48 advanced trust ip ifc inside1_3 any ifc outside any rule-id 268435457 event-log both (hitcnt=0) 0xd7461ffc
access-list NGFW_ONBOX_ACL line 49 advanced trust ip ifc inside1_4 any ifc outside any rule-id 268435457 event-log both (hitcnt=0) 0x6e13508e
access-list NGFW_ONBOX_ACL line 50 advanced trust ip ifc inside1_5 any ifc outside any rule-id 268435457 event-log both (hitcnt=0) 0xfe1fcdd6
access-list NGFW_ONBOX_ACL line 51 advanced trust ip ifc inside1_6 any ifc outside any rule-id 268435457 event-log both (hitcnt=0) 0xa4dba9a8
access-list NGFW_ONBOX_ACL line 52 advanced trust ip ifc inside1_7 any ifc outside any rule-id 268435457 event-log both (hitcnt=0) 0x2cfd43cd
access-list NGFW_ONBOX_ACL line 53 advanced trust ip ifc inside1_8 any ifc outside any rule-id 268435457 event-log both (hitcnt=0) 0xc3c3fafb
access-list NGFW_ONBOX_ACL line 54 remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL line 55 remark rule-id 1: L5 RULE: DefaultActionRule
access-list NGFW_ONBOX_ACL line 56 advanced deny ip any any rule-id 1 (hitcnt=0) 0x84953cae
>

The following examples show brief information about the specified access policy in hexadecimal format (ACEs in which the hitcount is not zero). The first two columns display identifiers in hexadecimal format, the third column lists the hit count, and the fourth column displays the timestamp value, also in hexadecimal format. The hit count value represents the number of times the rule has been hit by traffic. The timestamp value reports the time of the last hit. If the hit count is zero, no information is displayed.

The following is sample output from the show access-list brief command when Telnet traffic is passed:

> show access-list test brief
access-list test; 3 elements; name hash: 0xcb4257a3
7b1c1660 44ae5901 00000001 4a68ab51

The following is sample output from the show access-list brief command when SSH traffic is passed:

> show access-list test brief
access-list test; 3 elements; name hash: 0xcb4257a3
7b1c1660 44ae5901 00000001 4a68ab51
3666f922 44ae5901 00000001 4a68ab66
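The hexadecimal columns of the brief output can be decoded off-box when reviewing which entries are actually matching traffic. The following Python is an added example, not part of the Cisco documentation or software: it parses the sample above, converts the hit count and timestamp, and counts the elements that have no row because their hit count is zero. It assumes the timestamp column is seconds since the Unix epoch, which this page does not state; all function names are illustrative.

```python
import re
from datetime import datetime, timedelta, timezone

# Sample output taken from this page, one output line per row.
SAMPLE = """\
> show access-list test brief
access-list test; 3 elements; name hash: 0xcb4257a3
7b1c1660 44ae5901 00000001 4a68ab51
3666f922 44ae5901 00000001 4a68ab66
"""

HEADER = re.compile(
    r"^access-list (?P<name>\S+); (?P<elements>\d+) elements; "
    r"name hash: (?P<hash>0x[0-9a-fA-F]+)$"
)
HEX8 = r"([0-9a-fA-F]{8})"
ROW = re.compile(rf"^{HEX8}\s+{HEX8}\s+{HEX8}\s+{HEX8}$")


def parse_brief(text):
    """Return one dict per access list found in 'show access-list brief' output."""
    acls = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(">"):
            continue  # blank line or the echoed CLI command
        header = HEADER.match(line)
        if header:
            acls.append({
                "name": header["name"],
                "elements": int(header["elements"]),
                "name_hash": header["hash"],
                "rows": [],
            })
            continue
        row = ROW.match(line)
        if not row or not acls:
            raise ValueError(f"unrecognized line: {line!r}")
        id1, id2, hits, stamp = row.groups()
        acls[-1]["rows"].append({
            "id1": id1,
            "id2": id2,
            "hit_count": int(hits, 16),
            # Assumption: the timestamp is seconds since the Unix epoch (UTC).
            "last_hit": datetime.fromtimestamp(int(stamp, 16), tz=timezone.utc),
        })
    return acls


def unhit_elements(acl):
    """Elements with no row; the page says zero-hit entries are not displayed."""
    return acl["elements"] - len(acl["rows"])


def stale_rows(acl, now, max_age_days):
    """Rows whose last hit is more than max_age_days before 'now'."""
    limit = timedelta(days=max_age_days)
    return [row for row in acl["rows"] if now - row["last_hit"] > limit]


if __name__ == "__main__":
    for acl in parse_brief(SAMPLE):
        print(acl["name"], "elements without hits:", unhit_elements(acl))
        for row in acl["rows"]:
            print(row["id1"], row["id2"], row["hit_count"], row["last_hit"].isoformat())
```

Entries that never appear in the brief output, or whose last hit is old, are candidates for review when tightening the access policy.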

The following example shows the element count, which is the total number of access control entries for all access lists defined on the system. For access lists that are assigned as access groups, to control access globally or on an interface, you can reduce the element count by enabling object group search, which is represented by the object-group-search access-control command in the running configuration. When object group search is enabled, network objects are used in the access control entries; otherwise, the objects are expanded into the individual IP addresses contained in the objects and separate entries are written for each source/destination address pair. Thus, a single rule that uses a source network object with 5 IP addresses, and a destination object with 6 addresses, would expand into 5 * 6 entries, 30 elements rather than one. The higher the element count, the larger the access lists, which can potentially impact performance.

> show access-list element-count
Total number of access-list elements: 33934

Starting with 7.1, if you enable object-group search, additional information is presented about the number of object groups in the rules (OBJGRP), including the split between source (SRC OBJ) and destination (DST OBJ) objects, and the added and deleted groups.

> show access-list element-count
Total number of access-list elements: 892
OBJGRP  SRC OG  DST OG  ADD OG  DEL OG
842     842     842     842     0

Related Commands

Command

Description

clear access-list

Clears an access list counter.

show running-config access-list

Displays the current running access-list configuration.

show alarm settings

To display the configuration for each type of alarm in the ISA 3000, use the show alarm settings command.

show alarm settings

Command History

Release

Modification

6.3

This command was introduced.

Examples

The following is sample output from the show alarm settings command:

> show alarm settings
Power Supply
    Alarm       Disabled
    Relay       Disabled
    Notifies    Disabled
    Syslog      Disabled
Temperature-Primary
    Alarm       Enabled
    Thresholds  MAX: 92C MIN: -40C
    Relay       Enabled
    Notifies    Enabled
    Syslog      Enabled
Temperature-Secondary
    Alarm       Disabled
    Threshold
    Relay       Disabled
    Notifies    Disabled
    Syslog      Disabled
Input-Alarm 1
    Alarm       Enabled
    Relay       Disabled
    Notifies    Disabled
    Syslog      Enabled
Input-Alarm 2
    Alarm       Enabled
    Relay       Disabled
    Notifies    Disabled
    Syslog      Enabled

Related Commands

Command

Description

clear facility-alarm output

De-energizes the output relay and clears the alarm state of the LED.

show environment alarm-contact

Displays the status of the input alarm contacts.

show facility-alarm

Displays status information for triggered alarms.

show allocate-core

To display information about how CPU cores are allocated, use the show allocate-core command.

show allocate-core { lina-cpu-percentage | lina-mem-percentage | profile state }

Syntax Description

lina-cpu-percentage

Shows the percentage of CPU cores allocated to the Lina process. The remaining cores are allocated to the Snort process.

lina-mem-percentage

Shows the percentage of system memory allocated to the Lina process. The remaining memory is allocated to the Snort process.

profile

Shows the core allocation profile currently operating on the device.

state

Shows whether the core allocation process is enabled or disabled.

Command History

Release

Modification

7.3

This command was added.

Usage Guidelines

You can assign CPU core allocation profiles from the management software. Use this command to view and verify the profile running on a device. Possible profiles are:

  • default—The default scheme of core allocation for the Lina and Snort processes. The exact allocation differs based on hardware platform. Use the other options to determine the percentages.

  • ips-heavy—Allocates more CPU to Snort for the IPS-heavy use case. The allocation is 30% Lina, 70% Snort.

  • vpn-heavy-prefilter-fastpath—Allocates more CPU to Lina for the VPN-heavy use case when you also configure a prefilter policy to fastpath VPN traffic. The allocation is 90% Lina, 10% Snort.

  • vpn-heavy-with-inspection—Allocates more CPU to Lina for the VPN-heavy use case when you do not configure a prefilter policy to fastpath VPN traffic, but instead have the traffic inspected in the access-control policy. The allocation is 60% Lina, 40% Snort.

Examples

The following example shows the Lina CPU and memory percentages, the profile, and the core allocation state.

> show allocate-core lina-cpu-percentage
Lina CPU percentage is set to : 48
> show allocate-core lina-mem-percentage
Lina memory percentage is set to : 50
> show allocate-core profile
Core allocation profile is set to : default
> show allocate-core state
Core allocation is disabled

show app-agent heartbeat

To display the status of the app-agent, use the show app-agent heartbeat command.

show app-agent heartbeat

Command History

Release

Modification

6.1

This command was introduced.

Usage Guidelines

The app-agent heartbeat communication channel monitors the health of the link between the FXOS chassis supervisor and the threat defense application agent. It is used if you configure hardware bypass on Firepower 4100 or 9300 series devices. It is not used with other device models running threat defense software.

Use the show app-agent heartbeat command to view status on the app-agent heartbeat communication channel.

Examples

The following example shows the app-agent heartbeat status.

> show app-agent heartbeat
appagent heartbeat timer 1 retry-count 3

Related Commands

Command

Description

app-agent

Configures the app-agent for Hardware Bypass.

show arp

To view the ARP table, use the show arp command.

show arp

Command History

Release

Modification

6.1

This command was introduced.

Usage Guidelines

The display output shows dynamic, static, and proxy ARP entries. Dynamic ARP entries include the age of the ARP entry in seconds. Static ARP entries include a dash (-) instead of the age, and proxy ARP entries state “alias.”

The ARP table can include entries for internal interfaces, such as nlp_int_tap, which are used for system communications.

Examples

The following is sample output from the show arp command. The first entry is a dynamic entry aged 2 seconds. The second entry is a static entry, and the third entry is from proxy ARP.

> show arp
outside 10.86.194.61 0011.2094.1d2b 2
outside 10.86.194.1 001a.300c.8000 -
outside 10.86.195.2 00d0.02a8.440a alias
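The entry types described above can be classified from saved output, and two saved tables can be compared to spot an address whose hardware address has changed. The following Python is an added example, not part of the Cisco documentation or software, and it goes beyond the page by comparing two snapshots. The first snapshot is the sample above; the second snapshot, its MAC address, and all function names are constructed for illustration.

```python
import ipaddress
import re
from collections import namedtuple

ArpEntry = namedtuple("ArpEntry", "interface ip mac kind age")
CISCO_MAC = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.IGNORECASE)

# Sample output taken from this page.
BASELINE = """\
> show arp
outside 10.86.194.61 0011.2094.1d2b 2
outside 10.86.194.1 001a.300c.8000 -
outside 10.86.195.2 00d0.02a8.440a alias
"""

# Constructed later snapshot: the dynamic entry now maps to another MAC.
LATER = """\
> show arp
outside 10.86.194.61 02aa.bbcc.dd01 5
outside 10.86.194.1 001a.300c.8000 -
outside 10.86.195.2 00d0.02a8.440a alias
"""


def parse_arp(text):
    """Parse 'show arp' output into ArpEntry tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(">"):
            continue  # blank line or the echoed CLI command
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"unexpected field count: {line!r}")
        interface, ip, mac, last = fields
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        if not CISCO_MAC.match(mac):
            raise ValueError(f"unexpected MAC format: {mac!r}")
        if last == "-":
            kind, age = "static", None      # static entries show a dash
        elif last == "alias":
            kind, age = "proxy", None       # proxy ARP entries state "alias"
        elif last.isdigit():
            kind, age = "dynamic", int(last)  # age in seconds
        else:
            raise ValueError(f"unexpected last field: {last!r}")
        entries.append(ArpEntry(interface, ip, mac.lower(), kind, age))
    return entries


def changed_bindings(before, after):
    """Dynamic entries whose MAC differs from the earlier snapshot.

    Static and proxy entries are skipped because they are not learned
    from the network.
    """
    known = {(e.interface, e.ip): e.mac for e in before}
    changes = []
    for entry in after:
        old_mac = known.get((entry.interface, entry.ip))
        if entry.kind == "dynamic" and old_mac and old_mac != entry.mac:
            changes.append((entry.interface, entry.ip, old_mac, entry.mac))
    return changes


if __name__ == "__main__":
    for change in changed_bindings(parse_arp(BASELINE), parse_arp(LATER)):
        print("binding changed:", change)
```

A changed binding is not proof of spoofing (a replaced network card produces the same result), but it is a cheap signal to correlate with the ARP inspection setting on that interface.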

Related Commands

Command

Description

clear arp statistics

Clears ARP statistics.

show arp statistics

Shows ARP statistics.

show running-config all arp

Shows the current configuration of the ARP timeout.

show arp-inspection

To view the ARP inspection setting for each interface, use the show arp-inspection command.

show arp-inspection

Command History

Release

Modification

6.1

This command was added.

6.2

Support for routed mode was added.

Examples

The following is sample output from the show arp-inspection command:

> show arp-inspection
interface   arp-inspection   miss
----------------------------------------------------
inside1     enabled          flood
outside     disabled         -

The miss column shows the default action to take for non-matching packets when ARP inspection is enabled, either “flood” or “no-flood.”

Related Commands

Command

Description

clear arp statistics

Clears ARP statistics.

show arp statistics

Shows ARP statistics.

show running-config all arp

Shows the current configuration of the ARP timeout.

show arp statistics

To view ARP statistics, use the show arp statistics command.

show arp statistics

Command History

Release

Modification

6.1

This command was introduced.

Examples

The following is sample output from the show arp statistics command:

> show arp statistics
Number of ARP entries: ASA : 6
Dropped blocks in ARP: 6
Maximum Queued blocks: 3
Queued blocks: 1
Interface collision ARPs Received: 5
ARP-defense Gratuitous ARPS sent: 4
Total ARP retries: 15
Unresolved hosts: 1
Maximum Unresolved hosts: 2

The following table explains each field.

Table 1. show arp statistics Fields

Field

Description

Number of ARP entries

The total number of ARP table entries.

Dropped blocks in ARP

The number of blocks that were dropped while IP addresses were being resolved to their corresponding hardware addresses.

Maximum queued blocks

The maximum number of blocks that were ever queued in the ARP module, while waiting for the IP address to be resolved.

Queued blocks

The number of blocks currently queued in the ARP module.

Interface collision ARPs received

The number of ARP packets received at all interfaces that were from the same IP address as that of an interface.

ARP-defense gratuitous ARPs sent

The number of gratuitous ARPs sent by the device as part of the ARP-Defense mechanism.

Total ARP retries

The total number of ARP requests sent by the ARP module when the address was not resolved in response to the first ARP request.

Unresolved hosts

The number of unresolved hosts for which ARP requests are still being sent out by the ARP module.

Maximum unresolved hosts

The maximum number of unresolved hosts that ever were in the ARP module since it was last cleared or the device booted up.

Related Commands

Command

Description

clear arp statistics

Clears ARP statistics.

show arp

Shows the ARP table.

show running-config all arp

Shows the current configuration of the ARP timeout.

show as-path-access-list

To display the contents of all current autonomous system (AS) path access lists, use the show as-path-access-list command.

show as-path-access-list [ number]

Syntax Description

number

(Optional) Specifies the AS path access list number. Valid values are between 1 and 500.

Command Default

If the number argument is not specified, command output is displayed for all AS path access lists.

Command History

Release

Modification

6.1

This command was introduced.

Examples

The following is sample output from the show as-path-access-list command:

> show as-path-access-list
AS path access list 1
AS path access list 2

show asp cluster counter

To debug global or context-specific information in a clustering environment, use the show asp cluster counter command.

show asp cluster counter

Command History

Release

Modification

6.1

This command was introduced.

Usage Guidelines

The show asp cluster counter command shows the global and context-specific DP counters, which might help you troubleshoot a problem. This information is used for debugging purposes only, and the information output is subject to change. Consult the Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp cluster counter command:

> show asp cluster counter
Global dp-counters:
Context specific dp-counters:
MCAST_FP_TO_SP 361136
MCAST_SP_TOTAL 361136
MCAST_SP_PKTS 143327
MCAST_SP_PKTS_TO_CP 143327
MCAST_FP_CHK_FAIL_NO_HANDLE 217809
MCAST_FP_CHK_FAIL_NO_ACCEPT_IFC 81192
MCAST_FP_CHK_FAIL_NO_FP_FWD 62135

Related Commands

Command

Description

show asp drop

Shows the accelerated security path counters for dropped packets.

show asp dispatch

To display statistics for the device’s load balance ASP dispatcher, which is useful for diagnosing performance issues, use the show asp dispatch command. It is only available for a threat defense virtual device in the hybrid poll/interrupt mode.

show asp dispatch

Command History

Release

Modification

6.1

This command was introduced.

Examples

The following is sample output from the show asp dispatch command.

> show asp dispatch
==== Lina DP thread dispatch stats - CORE 0 ====
Dispatch loop count : 92260212
Dispatch C2C poll count : 2
CP scheduler busy : 14936242
CP scheduler idle : 77323971
RX ring busy : 1513632
Async lock global q busy : 809481
Global timer q busy : 1958684
SNP flow bulk sync busy : 174
Purg process busy : 2838
Block attempts : 44594355
Maximum timeout specified : 10000000
Minimum timeout specified : 1572864
Average timeout specified : 9999994
Waken up with OK status : 2476791
Waken up with timeout : 42117564
Sleep interrupted : 85753
Number of interrupts : 2492566
Number of RX interrupts : 1454442
Number of TX interrupts : 2492566
Enable interrupt ok : 174566236
Disable interrupt ok : 174231423
Maximum elapsed time : 54082257
Minimum elapsed time : 6165
Average elapsed time : 9658532
Message pipe stats :
Last clearing of asp dispatch: Never
==== Lina DP thread home-ring/interface list - CORE 0 ====
Interface Internal-Data0/0: port-id 0 irq 10 fd 37
Interface GigabitEthernet0/0: port-id 256 irq 5 fd 38
Interface GigabitEthernet0/1: port-id 512 irq 9 fd 39
Interface GigabitEthernet0/2: port-id 768 irq 11 fd 40
>

show asp drop

To debug the accelerated security path dropped packets or connections, use the show asp drop command.

show asp drop [ flow [ flow_drop_reason] | frame [ frame_drop_reason]]

Syntax Description

flow [flow_drop_reason]

(Optional) Shows the dropped flows (connections). You can optionally specify a particular reason. Use ? to see a list of possible flow drop reasons.

frame [frame_drop_reason]

(Optional) Shows the dropped packets. You can optionally specify a particular reason. Use ? to see a list of possible frame drop reasons.

Command History

Release

Modification

6.1

This command was introduced.

Usage Guidelines

The show asp drop command shows the packets or connections dropped by the accelerated security path, which might help you troubleshoot a problem. This information is used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

For information on the possible drop reasons, see the Show ASP Drop Command Usage document at http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/show_asp_drop/show_asp_drop.html.

Examples

The following is sample output from the show asp drop command, with the time stamp indicating the last time the counters were cleared:

> show asp drop
Frame drop:
  Flow is denied by configured rule (acl-drop) 3
  Dst MAC L2 Lookup Failed (dst-l2_lookup-fail) 4110
  L2 Src/Dst same LAN port (l2_same-lan-port) 760
  Expired flow (flow-expired) 1
Last clearing: Never
Flow drop:
  Flow is denied by access rule (acl-drop) 24
  NAT failed (nat-failed) 28739
  NAT reverse path failed (nat-rpf-failed) 22266
  Inspection failure (inspect-fail) 19433
Last clearing: 17:02:12 UTC Jan 17 2012 by enable_15
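Because these counters accumulate since the last clearing, a single reading says little; the useful figure is the increase between two readings. The following Python is an added example, not part of the Cisco documentation or software: it parses the sample above, compares it with a second reading, and treats a changed "Last clearing" value as a counter reset. The second reading, its values, and all function names are constructed for illustration, and because the page notes the output format is subject to change, the parser raises an error on any line it does not recognize.

```python
import re

# Sample output taken from this page.
FIRST = """\
> show asp drop
Frame drop:
  Flow is denied by configured rule (acl-drop) 3
  Dst MAC L2 Lookup Failed (dst-l2_lookup-fail) 4110
  L2 Src/Dst same LAN port (l2_same-lan-port) 760
  Expired flow (flow-expired) 1
Last clearing: Never
Flow drop:
  Flow is denied by access rule (acl-drop) 24
  NAT failed (nat-failed) 28739
  NAT reverse path failed (nat-rpf-failed) 22266
  Inspection failure (inspect-fail) 19433
Last clearing: 17:02:12 UTC Jan 17 2012 by enable_15
"""

# Constructed second reading: same reasons, some counters higher.
SECOND = """\
> show asp drop
Frame drop:
  Flow is denied by configured rule (acl-drop) 45
  Dst MAC L2 Lookup Failed (dst-l2_lookup-fail) 4110
  L2 Src/Dst same LAN port (l2_same-lan-port) 765
  Expired flow (flow-expired) 1
Last clearing: Never
Flow drop:
  Flow is denied by access rule (acl-drop) 24
  NAT failed (nat-failed) 28741
  NAT reverse path failed (nat-rpf-failed) 22266
  Inspection failure (inspect-fail) 19933
Last clearing: 17:02:12 UTC Jan 17 2012 by enable_15
"""

SECTION = re.compile(r"^(Frame|Flow) drop:$")
CLEARED = re.compile(r"^Last clearing:\s*(?P<when>.+)$")
# \s* before the count tolerates output where the count follows the ")" directly.
COUNTER = re.compile(r"^(?P<text>.+?)\s*\((?P<reason>[\w-]+)\)\s*(?P<count>\d+)$")


def parse_asp_drop(text):
    """Return {'frame': {reason: n}, 'flow': {reason: n}, 'cleared': {section: when}}."""
    result = {"frame": {}, "flow": {}, "cleared": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(">"):
            continue  # blank line or the echoed CLI command
        match = SECTION.match(line)
        if match:
            section = match.group(1).lower()
            continue
        if section is None:
            raise ValueError(f"counter before any section: {line!r}")
        match = CLEARED.match(line)
        if match:
            result["cleared"][section] = match["when"]
            continue
        match = COUNTER.match(line)
        if not match:
            raise ValueError(f"unrecognized line: {line!r}")
        result[section][match["reason"]] = int(match["count"])
    return result


def increases(before, after):
    """Per-reason growth between two readings, keyed by (section, reason)."""
    grown = {}
    for section in ("frame", "flow"):
        reset = before["cleared"].get(section) != after["cleared"].get(section)
        for reason, count in after[section].items():
            previous = 0 if reset else before[section].get(reason, 0)
            # A lower value than before also means the counter restarted.
            delta = count - previous if count >= previous else count
            if delta:
                grown[(section, reason)] = delta
    return grown


def over_threshold(deltas, limit):
    """Reasons that grew by more than 'limit', largest first."""
    hits = [(key, value) for key, value in deltas.items() if value > limit]
    return sorted(hits, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    deltas = increases(parse_asp_drop(FIRST), parse_asp_drop(SECOND))
    for (section, reason), value in over_threshold(deltas, 10):
        print(f"{section} {reason} +{value}")
```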

show asp event

To debug the data path or control path event queues, use the show asp event command.

show asp event {dp-cp | cp-dp}

Syntax Description

dp-cp

Show events sent from the ASP data-path to the control plane.

cp-dp

Show events sent from the control plane to the ASP data-path.

Command History

Release

Modification

6.1

This command was introduced.

Usage Guidelines

The show asp event command shows the contents of the data path and control path, which might help you troubleshoot a problem. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp event dp-cp command:

> show asp event dp-cp
DP-CP EVENT QUEUE              QUEUE-LEN  HIGH-WATER
Punt Event Queue               0          0
Routing Event Queue            0          0
Identity-Traffic Event Queue   0          1
PTP-Traffic Event Queue        0          0
General Event Queue            0          0
Syslog Event Queue             0          0
Non-Blocking Event Queue       0          8
Midpath High Event Queue       0          0
Midpath Norm Event Queue       0          0
Crypto Event Queue             0          146
HA Event Queue                 0          0
Threat-Detection Event Queue   0          0
SCP Event Queue                0          0
ARP Event Queue                0          1
IDFW Event Queue               0          0
CXSC Event Queue               0          0
BFD Event Queue                0          0
EVENT-TYPE        ALLOC  ALLOC-FAIL  ENQUEUED  ENQ-FAIL  RETIRED  15SEC-RATE
crypto-msg        810    0           810       0         810      0
arp-in            17288  0           17288     0         17288    0
identity-traffic  2      0           2         0         2        0
scheduler         239    0           239       0         239      0

show asp inspect-dp ack-passthrough

To show statistics related to empty ACK packets that bypass Snort inspection, use the show asp inspect-dp ack-passthrough command.

show asp inspect-dp ack-passthrough

Command History

Release

Modification

7.0

This command was introduced.

Usage Guidelines

Use the clear asp inspect-dp ack-passthrough command to reset these statistics.

Examples

The following is example output. Information includes whether ACK passthrough is enabled, and the following statistics:

  • ACK packets bypassed—The number of empty ACK packets that were not forwarded to Snort for inspection.

  • Meta ACK sent—The number of empty ACKs piggybacked on subsequent data packets that were sent to Snort. This number can be less than the number of packets bypassed, because if a subsequent data packet for the same direction has an ACK with a higher sequence number, the empty ACK information that was saved earlier is not needed and is not included.

> show asp inspect-dp ack-passthrough
Current running state: Enabled
Packet Statistics:
  ACK packets bypassed 506
  Meta ACK sent 506
>

show asp inspect-dp egress-optimization

Displays statistics about egress optimization, a feature that enhances performance. Use this command on the advice of Cisco TAC.

show asp inspect-dp egress-optimization

Command History

Release

Modification

6.4

This command was introduced.

Usage Guidelines

The show asp inspect-dp egress-optimization command displays information about flows eligible for egress optimization, a feature that enhances performance. The output displays the following information:

  • Current running state: Whether egress optimization is enabled or disabled.

  • Flow (a flow consists of one or more packets):

    • Current: Number of flows that are currently eligible for egress optimization processing.

    • Maximum: Total number of egress-optimization eligible flows since the last time the inspection engine was restarted or egress optimization statistics were cleared.

  • Packet:

    • Processed: Total number of packets processed.

    • Excepted: Number of packets that were initially determined to be eligible for egress optimization but later determined to be ineligible for egress optimization.

Examples

The following is sample output from the show asp inspect-dp egress-optimization command.

> show asp inspect-dp egress-optimization
Current running state: Enabled
Flow: current: 1, maximum: 3
  snort-unreachable: 0, snort-unsupported-header: 1, snort-unsupported-verdict: 2
Packet: processed: 5 excepted: 0

Related Commands

Commands

Description

clear asp inspect-dp egress-optimization

Clears egress optimization statistics.

show conn state egress_optimization

Displays information about flows eligible for egress optimization. Use this command on the advice of Cisco TAC.

show asp inspect-dp snapshot

To view the snapshot of a PDTS (data plane transmit/receive queues to snort) ring, use the show asp inspect-dp snapshot command.

show asp inspect-dp snapshot { config | instance instance_id queue queue_id}

Syntax Description

config

Displays the global configuration for PDTS snapshots.

instance instance_id

Displays the snapshot for the specified PDTS consumer instance ID. Values are from 0-2147483647.

queue queue_id

Displays the snapshot for the specified data path transmit queue ID of a PDTS ring. Values are from 0-2147483647.

Command History

Release

Modification

6.1

This command was introduced.

Usage Guidelines

The show asp inspect-dp snapshot command displays the global configurations of the PDTS ring snapshot feature. The output displays the following information:

  • Max snapshots: The maximum number of auto snapshots allowed.

  • Current in use: The number of snapshots that have been stored so far.

  • Interval: The time interval value specifies how long two snapshots on the same PDTS ring are allowed

  • Auto Snapshot: Shows whether the auto PDTS snapshot feature is enabled or disabled.

Examples

The following is sample output from the show asp inspect-dp snapshot config command.

> show asp inspect-dp snapshot config
Max snapshots Current in use Interval (min) Auto Snapshot
------------- -------------- -------------- -------------
2             0              5              OFF

The following is sample output from the show asp inspect-dp snapshot instance command.

> show asp inspect-dp snapshot instance 2 queue 1
0 packet captured
0 packet shown

show asp inspect-dp snort

To display the status of all snort instances, use the show asp inspect-dp snort command.

show asp inspect-dp snort [instance instance_id]

Syntax Description

instance instance_id

Displays the status of the specific snort instance. Values are from 0-2147483647.

Command History

Release

Modification

6.1

This command was introduced.

Usage Guidelines

This command displays the status of all snort instances. The output displays the following information:

  • Id: SNORT instance ID.

  • PID: Snort instance process ID.

  • CPU-Usage: CPU usage for the snort instance ID. Printed in total, and user/sys. Note: This field is not shown for the Firepower 2100 series.

  • Conns: Number of connections currently held by the snort instance.

  • Segs/Pkts: Number of segments (packets) currently processed by the snort instance.

  • Status: The status of the snort instance.

Examples

The following is sample output from the show asp inspect-dp snort command.

> show asp inspect-dp snort
SNORT Inspect Instance Status Info
Id Pid   Cpu-Usage        Conns      Segs/Pkts  Status
         tot (usr | sys)
-- ----- ---------------- ---------- ---------- ----------
0  9188  0% ( 0%| 0%)     0          0          READY
1  9187  0% ( 0%| 0%)     0          0          READY
2  9186  0% ( 0%| 0%)     0          0          READY

The following is sample output from the show asp inspect-dp snort command on the Firepower 2100.

> show asp inspect-dp snort
SNORT Inspect Instance Status Info
Id Pid   Conns      Segs/Pkts  Status
-- ----- ---------- ---------- ----------
0  30080 40         0          READY
1  30081 14         0          READY
2  30079 20         0          READY

show asp inspect-dp snort counters

To display the PDTS related raw counters for snort instances, use the show asp inspect-dp snort counters command.

show asp inspect-dp snort counters [instance instance_id] [queues] [rate] [debug] [zeros]

Syntax Description

instance instance_id

Displays the counters for the specific snort instance. Values are from 0-2147483647.

queues

Displays the queues information in detail. Each producer queue for the instance is displayed separately. Queue information of an instance will not be aggregated.

rate

Takes a snapshot of the counters for 5 seconds, averages it to one second, and shows the rate of change of the counters.

debug

Displays certain debug counters that are not otherwise displayed.

zeros

Displays all counters, including counters whose value is zero.

Command Default

If no instance is specified, all instances are displayed.

Command History

Release

Modification

6.1

This command was introduced.

Usage Guidelines

This command displays the PDTS related raw counters for snort instances. The output displays the following information:

  • Id: Snort instance ID. “All” means all snort instances aggregated.

  • QId: Lina transmit queue ID. It corresponds to the number of Lina threads. “All” means all the queues are aggregated.

  • Type: Type of the counter. Data counter, error counter, debug counters, etc.

  • Name: Name of the counter.

  • Value: Human readable value of the counter.

  • Raw-Value: Raw value of the counter.

Counter Names:

  • Tx Bytes: Number of bytes Lina sent to the snort instance.

  • Tx Segs: Number of frames/segments Lina sent to the snort instance.

  • Rx Bytes: Number of bytes Lina received from the snort instance.

  • Rx Segs: Number of frames/segments Lina received from the snort instance.

  • NewConns: Number of connections sent to the snort instance.

  • RxQ-Wakeup

  • TxQ-Wakeup

  • TxQ-LB-Dynamic: Number of times the PDTS dynamic load balancing kicked in.

  • TxQ-Data-Hi-Thresh: Number of times the High threshold limit on Lina’s transmit queue is hit.

  • RxQ-Full: Number of times Lina’s receive queue gets full.

  • TxQ-Full: Number of times Lina’s transmit queue gets full.

  • TxQ-Data-Limit: Number of times the data limit on Lina’s transmit queue is hit.

  • TxQ-LB-Failed: Number of times the PDTS dynamic load balancing failed.

  • TxQ-Unavail: Number of times Lina’s transmit queue is unavailable.

  • TxQ-Not-Ready: Number of times Lina’s transmit queue is not ready.

  • TxQ-Suspended: Number of times Lina’s transmit queue is suspended.

  • RxQ-Unavail: Number of times Lina’s receive queue is unavailable.

  • RxQ-Not-Ready: Number of times Lina’s receive queue is not ready.

  • RxQ-Suspended: Number of times Lina’s receive queue is suspended.

Examples

The following is sample output from the show asp inspect-dp snort counters command.

> show asp inspect-dp snort counters summary instance 5 debug zeros
SNORT Inspect Instance Counters
Id QId  Type  Name                Value   Raw-Value
-- ---- ----  ----                ---------  ----------
5  All  data  Tx Bytes            3.3 GB  (3549197468)
5  All  data  Tx Segs             4.7 M   (4671722)
5  All  data  Rx Bytes            3.3 GB  (3495936190)
5  All  data  Rx Segs             4.7 M   (4677344)
5  All  data  NewConns            11.1 K  (11103)
5  All  debug RxQ-Wakeup          0       (0)
5  All  debug TxQ-Wakeup          4.7 M   (4655982)
5  All  warn  TxQ-LB-Dynamic      0       (0)
5  All  warn  TxQ-Data-Hi-Thresh  0       (0)
5  All  drop  RxQ-Full            0       (0)
5  All  drop  TxQ-Full            0       (0)
5  All  drop  TxQ-Data-Limit      0       (0)
5  All  drop  TxQ-LB-Failed       0       (0)
5  All  err   TxQ-Unavail         0       (0)
5  All  err   TxQ-Not-Ready       0       (0)
5  All  err   TxQ-Suspended       0       (0)
5  All  err   RxQ-Unavail         0       (0)
5  All  err   RxQ-Not-Ready       0       (0)
5  All  err   RxQ-Suspended       0       (0)
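For monitoring, the rows that matter are the drop and err counters, since a nonzero value there means data did not pass cleanly between Lina and the Snort instance. The following Python is an added example, not part of the Cisco documentation or software: it parses the sample above by its Raw-Value column and returns the nonzero drop and err counters. The second input is constructed by editing two rows of the page's sample, and all function names are illustrative.

```python
import re

# Sample output taken from this page, one counter per line.
PAGE_SAMPLE = """\
> show asp inspect-dp snort counters summary instance 5 debug zeros
SNORT Inspect Instance Counters
Id QId Type Name Value Raw-Value
-- ---- ---- ---- --------- ----------
5 All data Tx Bytes 3.3 GB (3549197468)
5 All data Tx Segs 4.7 M (4671722)
5 All data Rx Bytes 3.3 GB (3495936190)
5 All data Rx Segs 4.7 M (4677344)
5 All data NewConns 11.1 K (11103)
5 All debug RxQ-Wakeup 0 (0)
5 All debug TxQ-Wakeup 4.7 M (4655982)
5 All warn TxQ-LB-Dynamic 0 (0)
5 All warn TxQ-Data-Hi-Thresh 0 (0)
5 All drop RxQ-Full 0 (0)
5 All drop TxQ-Full 0 (0)
5 All drop TxQ-Data-Limit 0 (0)
5 All drop TxQ-LB-Failed 0 (0)
5 All err TxQ-Unavail 0 (0)
5 All err TxQ-Not-Ready 0 (0)
5 All err TxQ-Suspended 0 (0)
5 All err RxQ-Unavail 0 (0)
5 All err RxQ-Not-Ready 0 (0)
5 All err RxQ-Suspended 0 (0)
"""

# Constructed variant: two counters edited to nonzero values.
CONSTRUCTED = (
    PAGE_SAMPLE
    .replace("5 All drop TxQ-Full 0 (0)", "5 All drop TxQ-Full 312 (312)")
    .replace("5 All err RxQ-Not-Ready 0 (0)", "5 All err RxQ-Not-Ready 4 (4)")
)

# Title, column header and separator lines that carry no counter.
HEADER_PREFIXES = (">", "SNORT Inspect", "Id ", "--")

# Id, QId, Type, Name (may contain spaces), human-readable Value, (Raw-Value).
ROW = re.compile(
    r"^(?P<id>\S+)\s+(?P<qid>\S+)\s+(?P<type>\S+)\s+(?P<name>\D.*?)\s+"
    r"(?P<value>\d[\d.]*(?:\s+[A-Za-z]+)?)\s+\((?P<raw>\d+)\)$"
)


def parse_counters(text):
    """Return one dict per counter row, using the exact Raw-Value figure."""
    rows = []
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith(HEADER_PREFIXES):
            continue
        match = ROW.match(line)
        if not match:
            raise ValueError(f"unrecognized line: {line!r}")
        rows.append({
            "id": match["id"],
            "qid": match["qid"],
            "type": match["type"],
            "name": match["name"],
            "raw": int(match["raw"]),
        })
    return rows


def problem_counters(rows, types=("drop", "err")):
    """Nonzero counters of the given types, in output order."""
    return [
        (row["id"], row["qid"], row["type"], row["name"], row["raw"])
        for row in rows
        if row["type"] in types and row["raw"] > 0
    ]


if __name__ == "__main__":
    for item in problem_counters(parse_counters(CONSTRUCTED)):
        print("nonzero:", item)
```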

show asp inspect-dp snort counters summary

To display the PDTS related counters for snort instances, use the show asp inspect-dp snort counters summary command. Counters are aggregated to each instance.

show asp inspect-dp snort counters summary [instance instance_id] [queues] [rate]

Syntax Description

instance instance_id

Displays the counters for the specific snort instance. Values are from 0-2147483647.

queues

Displays the queues information in detail. Each producer queue for the instance is displayed separately. Queue information of an instance will not be aggregated.

rate

Displays the one second average increase in the counter. Currently the one sec average is based on the delta increase between the last and current invocation of the command. This will change such that the delta increase is based on a 5 second rolling average, sampled once a second.

Command Default

If no instance is specified, all instances are displayed.

Command History

Release

Modification

6.1

This command was introduced.

Usage Guidelines

This command displays the PDTS related counters for snort instances. The output displays the following information:

  • Id: Snort instance ID. “All” means all snort instances aggregated.

  • QId: Lina transmit queue ID. It corresponds to the number of Lina threads. “All” means all the queues are aggregated.

  • TxBytes: Total number of bytes Lina sent to the snort instance.

  • TxFrames: Total number of frames/segments Lina sent to the snort instance.

  • RxBytes: Total number of bytes Lina received from the snort instance.

  • RxFrames: Total number of frames/segments Lina received from the snort instance.

  • Conns: Total number of connections handled by the snort instance.

Examples

The following is sample output from the show asp inspect-dp snort counters summary command.

> show asp inspect-dp snort counters summary instance 2
SNORT Inspect Instance Counter Summary
Id QId  TxBytes    TxFrames   RxBytes    RxFrames   Conns
-- ---- ---------- ---------- ---------- ---------- -----
2  All  0          0          0          0          0

show asp inspect-dp snort queues

To display the queue information for all snort instances (processes) aggregating all queues to the same instance, use the show asp inspect-dp snort queues command.

show asp inspect-dp snort queues [instance instance_id] [detail] [debug]

Syntax Description

instance instance_id

Displays the queues for the specific snort instance. Values are from 0-2147483647.

detail

Displays the queues information in detail. Each producer queue for the instance is displayed separately. Queue information of an instance will not be aggregated.

debug

Extra debug information will also be displayed.

Command Default

If no instance is specified, all instances are displayed.

Command History

Release

Modification

6.1

This command was introduced.

Usage Guidelines

This command displays the queue information for all snort instances (processes), aggregating all queues to the same instance. The output displays the following information:

  • Id: Snort instance ID. “All” means all snort instances aggregated.

  • QId: Lina transmit queue ID. It corresponds to the number of Lina threads. “All” means all the queues are aggregated.

  • Rx Queue: Lina’s receive queue. “Used” shows amount of data, “util” is the queue utilization rate, and “state” shows the shared memory state.

  • TxQ: Lina’s transmit queue. “Used” shows amount of data, “util” is the queue utilization rate, and “state” shows the shared memory state.

Counters:

  • RxQ-Size: Lina’s receive queue size.

  • TxQ-Size: Lina’s transmit queue size.

  • TxQ-Data-Limit: The data limit of transmit queue. Once beyond this threshold, data packets will be dropped. The percentage shows the threshold value on the transmit queue.

  • TxQ-Data-Hi-Thresh: The High threshold of transmit queue. Once beyond this threshold, PDTS dynamic load balancing will kick in to try balancing the flows to other snort instances.

Examples

The following is sample output from the show asp inspect-dp snort queues command.

    > show asp inspect-dp snort counters summary instance 2
    SNORT Inspect Instance Queue Configuration
    RxQ-Size: 1 MB
    TxQ-Size: 128 KB
    TxQ-Data-Limit: 102.4 KB (80%)
    TxQ-Data-Hi-Thresh: 35.8 KB (28%)

    Id QId  RxQ        RxQ    TxQ        TxQ
            (used)     (util) (used)     (util)
    -- ---- ---------- ------ ---------- ------
    0  All  0          0%     0          0%
    1  All  0          0%     0          0%
    2  All  0          0%     0          0%
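The two thresholds described under Usage Guidelines can be checked mechanically against saved output. The following is an added example, not Cisco code: it reads the TxQ-Data-Limit and TxQ-Data-Hi-Thresh percentages from the header and labels each Snort instance by its TxQ utilization. The function names, the state labels and the non-zero sample values are assumptions made for illustration.

```python
import re

# Constructed sample in the layout of the page's sample output. The non-zero
# "used" and "util" values are invented so that every state is exercised.
SAMPLE = """\
SNORT Inspect Instance Queue Configuration
RxQ-Size: 1 MB
TxQ-Size: 128 KB
TxQ-Data-Limit: 102.4 KB (80%)
TxQ-Data-Hi-Thresh: 35.8 KB (28%)

Id QId  RxQ        RxQ    TxQ        TxQ
        (used)     (util) (used)     (util)
-- ---- ---------- ------ ---------- ------
0  All  0          0%     11796      9%
1  All  2150       0%     45875      35%
2  All  0          0%     112721     86%
"""

THRESHOLD_KEYS = ("TxQ-Data-Limit", "TxQ-Data-Hi-Thresh")
CFG_RE = re.compile(r"^(TxQ-Data-Limit|TxQ-Data-Hi-Thresh):.*\((\d+(?:\.\d+)?)%\)$")
ROW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(.*)$")
PCT_RE = re.compile(r"(\d+(?:\.\d+)?)%")


def parse_queues(text):
    """Return (thresholds in percent, list of per-instance rows)."""
    thresholds, rows = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        cfg = CFG_RE.match(line)
        if cfg:
            thresholds[cfg.group(1)] = float(cfg.group(2))
            continue
        row = ROW_RE.match(line)
        if not row:
            continue  # banner, header and separator lines
        # Only the two percentage columns are used, so the parser does not
        # depend on how the "used" columns are formatted.
        pcts = PCT_RE.findall(row.group(3))
        if len(pcts) == 2:
            rows.append({"id": int(row.group(1)), "qid": row.group(2),
                         "rx_util": float(pcts[0]), "tx_util": float(pcts[1])})
    missing = [k for k in THRESHOLD_KEYS if k not in thresholds]
    if missing:
        raise ValueError("threshold lines not found: " + ", ".join(missing))
    return thresholds, rows


def tx_state(tx_util, thresholds):
    """Label a TxQ utilization using the two thresholds from the header."""
    if tx_util > thresholds["TxQ-Data-Limit"]:
        return "dropping"      # beyond the data limit: data packets are dropped
    if tx_util > thresholds["TxQ-Data-Hi-Thresh"]:
        return "rebalancing"   # beyond the high threshold: PDTS load balancing
    return "ok"


def assess(text):
    """Map (instance id, queue id) to its state label."""
    thresholds, rows = parse_queues(text)
    return {(r["id"], r["qid"]): tx_state(r["tx_util"], thresholds) for r in rows}


if __name__ == "__main__":
    for (inst, qid), state in assess(SAMPLE).items():
        print(f"snort instance {inst} queue {qid}: {state}")
```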

show asp inspect-dp snort queue-exhaustion

To display the automatic snapshots of when a snort queue exhaustion occurs, use the show asp inspect-dp snort queue-exhaustion command.

show asp inspect-dp snort queue-exhaustion [ snapshot snapshot_id] [ export location]

Syntax Description

snapshot snapshot_id

This option specifies a particular snapshot to print the queue exhaustion information. Values are between 1 and 24.

export location

The contents of a snapshot are exported into a pcap file at the specified location, for off-box analysis.

Command History

Release

Modification

6.1

This command was introduced.

Usage Guidelines

The show asp inspect-dp snort queue-exhaustion command displays the contents of the snapshots taken when snort queues are exhausted. It shows the contents of a selected snapshot. The output is similar to the output of show capture command.

Examples

The following is sample output from the show asp inspect-dp snort queue-exhaustion command.

    > show asp inspect-dp snort queue-exhaustion snapshot 1
    102 packets captured
       1: 13:52:36.266343 10.100.26.6.80 > 192.168.26.6.45858: .693143043:693144411(1368) ack 1996534769 win 235 <nop,nop,timestamp 25172833 64977907>
       2: 13:52:36.266343 10.100.26.6.80 > 192.168.26.6.45858: .693144411:693145779(1368) ack 1996534769 win 235 <nop,nop,timestamp 25172833 64977907>
       3: 13:52:36.266343 10.100.26.6.80 > 192.168.26.6.45858: .693145779:693147147(1368) ack 1996534769 win 235 <nop,nop,timestamp 25172838 64977912>
       4: 13:52:36.266343 10.100.26.6.80 > 192.168.26.6.45858: .693147147:693148515(1368) ack 1996534769 win 235 <nop,nop,timestamp 25172838 64977912>
       5: 13:52:36.266343 10.100.26.6.80 > 192.168.26.6.45858: .693153987:693155355(1368) ack 1996534769 win 235 <nop,nop,timestamp 25172858 64977932>
       6: 13:52:36.266343 10.100.26.6.80 > 192.168.26.6.45858: .
    (...output truncated...)

show asp load-balance

To display a histogram of the load balancer queue sizes, use the show asp load-balance command.

show asp load-balance [ detail]

Syntax Description

detail

(Optional) Shows detailed information about hash buckets used in the samples.

Command History

Release

Modification

6.1

This command was introduced.

Usage Guidelines

The show asp load-balance command might help you troubleshoot a problem. Normally a packet will be processed by the same core that pulled it in from the interface receive ring. However, if another core is already processing the same connection as the packet just received, then the packet will be queued to that core. This queuing can cause the load balancer queue to grow while other cores are idle. See the asp load-balance per-packet command for more information.

Examples

The following is sample output from the show asp load-balance command. The X-axis represents the number of packets queued in different queues. The Y-axis represents the number of load balancer hash buckets that have packets queued (not to be confused with the bucket in the histogram title, which refers to the histogram bucket). To know the exact number of hash buckets having the queue, use the detail keyword.

    > show asp load-balance
    Histogram of 'ASP load balancer queue sizes'
      64 buckets sampling from 1 to 65 (1 per bucket)
      6 samples within range (average=23)
    [ASCII histogram "ASP load balancer queue sizes": Y-axis "Samples" marked at 10 and 100; X-axis "# of queued jobs per queue" marked 10 to 60]

Related Commands

Command

Description

asp load-balance per-packet

Changes the core load balancing method for multi-core ASA models.

show asp multiprocessor accelerated-features

To debug the accelerated security path multiprocessor accelerated features, use the show asp multiprocessor accelerated-features command.

show asp multiprocessor accelerated-features

Command History

Release

Modification

6.1

This command was introduced.

Usage Guidelines

The show asp multiprocessor accelerated-features command shows the lists of features accelerated for multiprocessors, which might help you troubleshoot a performance problem.

Examples

The following is sample output from the show asp multiprocessor accelerated-features command:

    > show asp multiprocessor accelerated-features
    MultiProcessor accelerated feature list:
            Access Lists
            DNS Guard
            Failover Stateful Updates
            Flow Operations(create, update, and tear-down)
            Inspect HTTP URL Logging
            Inspect HTTP (AIC)
            Inspect IPSec Pass through
            Inspect ICMP and ICMP error
            Inspect RTP/RTCP
            IP Audit
            IP Fragmentation & Re-assembly
            IPSec data-path
            MPF L2-L4 Classify
            Multicast forwarding
            NAT/PAT
            Netflow using UDP transport
            Non-AIC Inspect DNS
            Packet Capture
            QOS
            Resource Management
            Routing Lookup
            Shun
            SSL data-path
            Syslogging using UDP transport
            TCP Intercept
            TCP Security Engine
            TCP Transport
            Threat Detection
            Unicast RPF
            WCCP Re-direct
    Above list applies to routed, transparent, single and multi mode.

show asp overhead

To track and display spin lock and async loss statistics, use the show asp overhead command.

show asp overhead [ sort-by-average] [ sort-by-file]

Syntax Description

sort-by-average

Sorts the results by average cycles per call.

sort-by-file

Sorts the results by filename.

Command History

Release

Modification

6.1

This command was introduced.

Examples

The following is sample output from the show asp overhead command:

    > show asp overhead
    0.0% of available CPU cycles were lost to Multiprocessor overhead since last the MP overhead statistics were last cleared

    File Name               Line Function               Call  Avg Cycles    %
    ----------------------- ---- ---------------------- ----- ------------- -----

show asp packet-profile

To display the counters for how many packets were fastpathed by a prefilter policy, offloaded as a large flow, and fully evaluated by access control (Snort), use the show asp packet-profile command.

show asp packet-profile [data-path offload snort]

Syntax Description

data-path

Displays the counters for the data plane packet profiles.

offload

Displays the counters for the hardware offload packet profiles.

snort

Displays the counters for the snort packet profiles.

Command Default

If no instance is specified, all instances are displayed.

Command History

Release

Modification

6.5

This command was introduced.

Usage Guidelines

Each packet traversing a threat defense device goes through various stages of processing depending on the access policies configured, the Snort verdicts, and hardware capabilities like flow offload support.

Global counters are used to track these statistics and are updated at the end of each session. These global counters are collected and represented in the form of a histogram. At any given point the histogram displays the cumulative packet counters processed by the system since device boot up time or the last restart.

Examples

The following is sample output from the show asp packet-profile command.

    > show asp packet-profile
    Current config state: Enabled
    Packets Processed
    =================
     hw-dynamic-offload                    : 0
     hw-static-offload                     : 0
     data-path-trust                       : 1419636
     data-path-snort                       : 3522634
     data-path-snort-bypass-allowedlist    : 144496
     data-path-snort-bypass-blockedlist    : 0
     data-path-snort-busy-failopen         : 0
     data-path-snort-down-failopen         : 10

     data-path-snort-pre-allowedlist-distribution
     ---------------------------------------------
     Packets         : Connections
     [0-3]           : 0
     [4-7]           : 6202
     [8-15]          : 10950
     [16-31]         : 2487
     [32-63]         : 85
     [64-127]        : 0
     [128-255]       : 0
     [256-511]       : 0
     [512-1023]      : 0
     [1024 and above]: 0

     data-path-snort-pre-blockedlist-distribution
     ---------------------------------------------
     Packets         : Connections
     [0-3]           : 0
     [4-7]           : 0
     [8-15]          : 0
     [16-31]         : 0
     [32-63]         : 0
     [64-127]        : 0
     [128-255]       : 0
     [256-511]       : 0
     [512-1023]      : 0
     [1024 and above]: 0

     data-path-snort-post-allowedlist-distribution
     ---------------------------------------------
     Packets         : Connections
     [0-3]           : 0
     [4-7]           : 0
     [8-15]          : 0
     [16-31]         : 0
     [32-63]         : 0
     [64-127]        : 0
     [128-255]       : 0
     [256-511]       : 0
     [512-1023]      : 0
     [1024 and above]: 0

     offload-post-allowedlist-distribution
     ---------------------------------------------
     Packets         : Connections
     [0-3]           : 0
     [4-7]           : 0
     [8-15]          : 0
     [16-31]         : 0
     [32-63]         : 0
     [64-127]        : 0
     [128-255]       : 0
     [256-511]       : 0
     [512-1023]      : 0
     [1024 and above]: 0
    >>
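To turn these counters into a statement about how much traffic Snort actually evaluated, the output can be parsed and summarized. The following is an added example, not Cisco code, and its function names are hypothetical. Summing the top-level counters as disjoint packet paths, and reading the two failopen counters as packets passed without a Snort verdict, are assumptions drawn from the counter names.

```python
import re

# Page sample with its line breaks restored, abridged to the counters and
# the one distribution that has non-zero buckets.
SAMPLE = """\
Current config state: Enabled
Packets Processed
=================
 hw-dynamic-offload                    : 0
 hw-static-offload                     : 0
 data-path-trust                       : 1419636
 data-path-snort                       : 3522634
 data-path-snort-bypass-allowedlist    : 144496
 data-path-snort-bypass-blockedlist    : 0
 data-path-snort-busy-failopen         : 0
 data-path-snort-down-failopen         : 10

 data-path-snort-pre-allowedlist-distribution
 ---------------------------------------------
 Packets         : Connections
 [0-3]           : 0
 [4-7]           : 6202
 [8-15]          : 10950
 [16-31]         : 2487
 [32-63]         : 85
 [64-127]        : 0
 [128-255]       : 0
 [256-511]       : 0
 [512-1023]      : 0
 [1024 and above]: 0
"""

COUNTER_RE = re.compile(r"^([a-z][a-z0-9-]*)\s*:\s*(\d+)$")
BUCKET_RE = re.compile(r"^\[(\d+)(?:-(\d+)| and above)\]\s*:\s*(\d+)$")
FAILOPEN = ("data-path-snort-busy-failopen", "data-path-snort-down-failopen")


def parse_packet_profile(text):
    """Return (counters, distributions); buckets are (low, high, connections)."""
    counters, dists, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("-distribution"):
            current = dists.setdefault(line, [])
            continue
        bucket = BUCKET_RE.match(line)
        if bucket and current is not None:
            high = int(bucket.group(2)) if bucket.group(2) else None  # open-ended
            current.append((int(bucket.group(1)), high, int(bucket.group(3))))
            continue
        counter = COUNTER_RE.match(line)
        if counter:
            counters[counter.group(1)] = int(counter.group(2))
    return counters, dists


def path_shares(counters):
    """Fraction of all counted packets on each path (assumes disjoint counters)."""
    total = sum(counters.values())
    return {name: (n / total if total else 0.0) for name, n in counters.items()}


def failopen_packets(counters):
    """Non-zero failopen counters; any entry here deserves a closer look."""
    return {k: counters[k] for k in FAILOPEN if counters.get(k, 0) > 0}


def fraction_within(dist, max_packets):
    """Share of connections whose bucket ends at or below max_packets."""
    total = sum(n for _, _, n in dist)
    hit = sum(n for _, high, n in dist if high is not None and high <= max_packets)
    return hit / total if total else 0.0


if __name__ == "__main__":
    counters, dists = parse_packet_profile(SAMPLE)
    for name, share in path_shares(counters).items():
        print(f"{name:40s} {share:7.2%}")
    print("failopen:", failopen_packets(counters))
    pre = dists["data-path-snort-pre-allowedlist-distribution"]
    print(f"connections in buckets up to 15 packets: {fraction_within(pre, 15):.1%}")
```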

show asp rule-engine

To see the status of the tmatch compilation process, use the show asp rule-engine command.

show asp rule-engine [ table classify { v4 | v6 } ]

Command History

Release

Modification

7.1

This command was introduced.

7.2.5

This command was enhanced to include more detailed information about each table regarding their rule-count and compilation status for IPv4 and IPv6.

Examples

The following example shows whether the compilation of an access list that is used as an access group is in progress or completed. Compilation time depends on the size of the access list. The time status of Start and Completed is common for all rules, because it is a batch process and not specific to modules. Most module element counts will be shown in the table. The status also shows NAT rules, routes, objects, and interface compilation.

    > show asp rule-engine
    Rule compilation Status: Completed
    Duration(ms): 421
    Start Time: 18:58:34 UTC Apr 7 2021
    Last Completed Time: 18:58:44 UTC Apr 7 2021
    ACL Commit Mode: MANUAL
    Object Group Search: DISABLED
    Transitional Commit Model: DISABLED

    Module | Insert | Remove | Current |
    NAT    | 90     | 60     | 30      |
    ROUTE  | 107    | 40     | 67      |
    IFC    | 30     | 22     | 8       |
    ACL    | 1446   | 970    | 476     |

Examples

The following example shows output of the show asp rule-engine table classify v4 command when compilation is yet to begin:

    > show asp rule-engine table classify v4
    ------------------------------------------------------------
    Table name        | Rule-count | Compilation status  |
    ------------------------------------------------------------
    v4 security       | 8565712    | pending for compile |
    ------------------------------------------------------------
    v4 input          | 86         | Completed           |
    ------------------------------------------------------------
    v4 input reverse  | 47         | Completed           |
    ------------------------------------------------------------
    v4 output         | 36         | Completed           |
    ------------------------------------------------------------
    v4 output reverse | 3          | Completed           |
    ------------------------------------------------------------

The following example shows output of the command when compilation is complete:

    > show asp rule-engine table classify v4
    ------------------------------------------------------------
    Table name        | Rule-count | Compilation status  |
    ------------------------------------------------------------
    v4 security       | 8565712    | Completed           |
    ------------------------------------------------------------
    v4 input          | 86         | Completed           |
    ------------------------------------------------------------
    v4 input reverse  | 47         | Completed           |
    ------------------------------------------------------------
    v4 output         | 36         | Completed           |
    ------------------------------------------------------------
    v4 output reverse | 3          | Completed           |
    ------------------------------------------------------------

show asp table arp

To debug the accelerated security path ARP tables, use the show asp table arp command.

show asp table arp [ interface interface_name] [ address ip_address [ netmask mask]]

Syntax Description

address ip_address

(Optional) Identifies an IP address for which you want to view ARP table entries.

interface interface_name

(Optional) Identifies a specific interface for which you want to view the ARP table.

netmask mask

(Optional) Sets the subnet mask for the IP address.

Command History

Release

Modification

6.1

This command was introduced.

Usage Guidelines

The show arp command shows the contents of the control plane, while the show asp table arp command shows the contents of the accelerated security path, which might help you troubleshoot a problem. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp table arp command:

    > show asp table arp
    Context: single_vf, Interface: inside
      10.86.194.50      Active   000f.66ce.5d46 hits 0
      10.86.194.1       Active   00b0.64ea.91a2 hits 638
      10.86.194.172     Active   0001.03cf.9e79 hits 0
      10.86.194.204     Active   000f.66ce.5d3c hits 0
      10.86.194.188     Active   000f.904b.80d7 hits 0
    Context: single_vf, Interface: identity
      ::                Active   0000.0000.0000 hits 0
      0.0.0.0           Active   0000.0000.0000 hits 50208

Related Commands

Command

Description

show arp

Shows the ARP table.

show arp statistics

Shows ARP statistics.

show asp table classify

To debug the accelerated security path classifier tables, use the show asp table classify command.

show asp table classify [ interface interface_name] [ crypto | domain domain_name] [ hits] [ match regexp]

Syntax Description

crypto

(Optional) Shows the encrypt, decrypt, and ipsec tunnel flow domains only.

domain domain_name

(Optional) Shows entries for a specific classifier domain. See the CLI help for a list of the available domains.

hits

(Optional) Shows classifier entries that have non-zero hits values.

interface interface_name

(Optional) Identifies a specific interface for which you want to view the classifier table.

match regexp

(Optional) Shows classifier entries that match the regular expression. Use quotes when regular expressions include spaces.

Command History

Release

Modification

6.1

This command was introduced.

Usage Guidelines

The show asp table classify command shows the classifier contents of the accelerated security path, which might help you troubleshoot a problem. The classifier examines properties of incoming packets, such as protocol, and source and destination address, to match each packet to an appropriate classification rule. Each rule is labeled with a classification domain that determines what types of actions are performed, such as dropping a packet or allowing it through. The information shown is used for debugging purposes only, and the output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp table classify command:

    > show asp table classify
    Interface test:
    No. of aborted compiles for input action table 0x33b3d70: 29
    in  id=0x36f3800, priority=10, domain=punt, deny=false
            hits=0, user_data=0x0, flags=0x0
            src ip=0.0.0.0, mask=0.0.0.0, port=0, tag=any
            dst ip=10.86.194.60, mask=255.255.255.255, port=0, tag=any
    in  id=0x33d3508, priority=99, domain=inspect, deny=false
            hits=0, user_data=0x0, use_real_addr, flags=0x0
            src ip=0.0.0.0, mask=0.0.0.0, port=0, tag=any
            dst ip=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    in  id=0x33d3978, priority=99, domain=inspect, deny=false
            hits=0, user_data=0x0, use_real_addr, flags=0x0
            src ip=0.0.0.0, mask=0.0.0.0, port=53, tag=any
            dst ip=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    ...

The following is sample output from the show asp table classify hits command with a record of the last clearing hits counters:

    Interface mgmt:
    in  id=0x494cd88, priority=210, domain=permit, deny=true
            hits=54, user_data=0x1, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=255.255.255.255, mask=255.255.255.255, port=0, dscp=0x0
    in  id=0x494d1b8, priority=112, domain=permit, deny=false
            hits=1, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Interface inside:
    in  id=0x48f1580, priority=210, domain=permit, deny=true
            hits=54, user_data=0x1, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=255.255.255.255, mask=255.255.255.255, port=0, dscp=0x0
    in  id=0x48f09e0, priority=1, domain=permit, deny=false
            hits=101, user_data=0x0, cs_id=0x0, l3_type=0x608
            src mac=0000.0000.0000, mask=0000.0000.0000
            dst mac=0000.0000.0000, mask=0000.0000.0000
    Interface outside:
    in  id=0x48c0970, priority=210, domain=permit, deny=true
            hits=54, user_data=0x1, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=255.255.255.255, mask=255.255.255.255, port=0, dscp=0x0

The following is sample output from the show asp table classify hits command that includes Layer 2 information:

    Input Table
    in  id=0x7fff2de10ae0, priority=120, domain=permit, deny=false
            hits=4, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
            src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
            input_ifc=LAN-SEGMENT, output_ifc=identity
    in  id=0x7fff2de135c0, priority=0, domain=inspect-ip-options, deny=true
            hits=41, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
            input_ifc=LAN-SEGMENT, output_ifc=any
    ...
    Output Table:
    L2 - Output Table:
    L2 - Input Table:
    in  id=0x7fff2de0e080, priority=1, domain=permit, deny=false
            hits=30, user_data=0x0, cs_id=0x0, l3_type=0x608
            src mac=0000.0000.0000, mask=0000.0000.0000
            dst mac=0000.0000.0000, mask=0000.0000.0000
            input_ifc=LAN-SEGMENT, output_ifc=any
    in  id=0x7fff2de0e580, priority=1, domain=permit, deny=false
            hits=382, user_data=0x0, cs_id=0x0, l3_type=0x8
            src mac=0000.0000.0000, mask=0000.0000.0000
            dst mac=0000.0000.0000, mask=0100.0000.0000
            input_ifc=LAN-SEGMENT, output_ifc=any
    in  id=0x7fff2de0e800, priority=1, domain=permit, deny=false
            hits=312, user_data=0x0, cs_id=0x0, l3_type=0x8
            src mac=0000.0000.0000, mask=0000.0000.0000
            dst mac=ffff.ffff.ffff, mask=ffff.ffff.ffff
            input_ifc=LAN-SEGMENT, output_ifc=any

show asp table cluster chash-table

To debug the accelerated security path cHash tables for clustering, use the show asp table cluster chash-table command.

show asp table cluster chash-table

Command History

Release

Modification

6.1

This command was introduced.

Usage Guidelines

The show asp table cluster chash-table command shows the contents of the accelerated security path, which might help you troubleshoot a problem. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp table cluster chash-table command:

    > show asp table cluster chash-table
    Cluster current chash table:
    000033332100120022000033022222233333111121110000001331032222222330000102112222222322233100002223
    (...output truncated...)

Related Commands

Command

Description

show asp cluster counter

Shows cluster datapath counter information.

show asp table interfaces

To debug the accelerated security path interface tables, use the show asp table interfaces command.

show asp table interfaces

Command History

Release

Modification

6.1

This command was introduced.

Usage Guidelines

The show asp table interfaces command shows the interface table contents of the accelerated security path, which might help you troubleshoot a problem. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp table interfaces command:

    > show asp table interfaces
    ** Flags: 0x0001-DHCP, 0x0002-VMAC, 0x0010-Ident Ifc, 0x0020-HDB Initd, 0x0040-RPF Enabled
    Soft-np interface 'dmz' is up
        context single_vf, nicnum 0, mtu 1500
            vlan 300, Not shared, seclvl 50
            0 packets input, 1 packets output
            flags 0x20
    Soft-np interface 'foo' is down
        context single_vf, nicnum 2, mtu 1500
            vlan <None>, Not shared, seclvl 0
            0 packets input, 0 packets output
            flags 0x20
    Soft-np interface 'outside' is down
        context single_vf, nicnum 1, mtu 1500
            vlan <None>, Not shared, seclvl 50
            0 packets input, 0 packets output
            flags 0x20
    Soft-np interface 'inside' is up
        context single_vf, nicnum 0, mtu 1500
            vlan <None>, Not shared, seclvl 100
            680277 packets input, 92501 packets output
            flags 0x20
    ...

show asp table network-service

To debug the accelerated security path network-service object tables, use the show asp table network-service command.

show asp table network-service

Command History

Release

Modification

7.1

This command was introduced.

Examples

The following example shows how to display the network-service object table:

    > show asp table network-service
    Per-Context Category NSG:
      subnet=0.0.0.0/0, branch_id=214491, branch_name=connect.facebook.net., ip_prot=0, port=0/0x0, source, domain, nsg_id=512, hits=0
      subnet=0.0.0.0/0, branch_id=214491, branch_name=connect.facebook.net., ip_prot=0, port=0/0x0, destination, domain, nsg_id=1, hits=0
      subnet=0.0.0.0/0, branch_id=370809, branch_name=facebook.com., ip_prot=0, port=0/0x0, source, domain, nsg_id=512, hits=0
      subnet=0.0.0.0/0, branch_id=370809, branch_name=facebook.com., ip_prot=0, port=0/0x0, destination, domain, nsg_id=1, hits=0
      subnet=0.0.0.0/0, branch_id=490321, branch_name=fbcdn.net., ip_prot=0, port=0/0x0, source, domain, nsg_id=512, hits=0
      subnet=0.0.0.0/0, branch_id=490321, branch_name=fbcdn.net., ip_prot=0, port=0/0x0, destination, domain, nsg_id=1, hits=0
      subnet=0.0.0.0/0, branch_id=548791, branch_name=fbcdn-photos-a.akamaihd.net., ip_prot=0, port=0/0x0, source, domain, nsg_id=512, hits=0
      subnet=0.0.0.0/0, branch_id=548791, branch_name=fbcdn-photos-a.akamaihd.net., ip_prot=0, port=0/0x0, destination, domain, nsg_id=1, hits=0
      subnet=0.0.0.0/0, branch_id=681143, branch_name=fbcdn-photos-e-a.akamaihd.net., ip_prot=0, port=0/0x0, source, domain, nsg_id=512, hits=0
      subnet=0.0.0.0/0, branch_id=681143, branch_name=fbcdn-photos-e-a.akamaihd.net., ip_prot=0, port=0/0x0, destination, domain, nsg_id=1, hits=0
      subnet=0.0.0.0/0, branch_id=840741, branch_name=fbcdn-photos-b-a.akamaihd.net., ip_prot=0, port=0/0x0, source, domain, nsg_id=512, hits=0
      subnet=0.0.0.0/0, branch_id=840741, branch_name=fbcdn-photos-b-a.akamaihd.net., ip_prot=0, port=0/0x0, destination, domain, nsg_id=1, hits=0
      subnet=0.0.0.0/0, branch_id=1014669, branch_name=fbstatic-a.akamaihd.net., ip_prot=0, port=0/0x0, source, domain, nsg_id=512, hits=0
      subnet=0.0.0.0/0, branch_id=1014669, branch_name=fbstatic-a.akamaihd.net., ip_prot=0, port=0/0x0, destination, domain, nsg_id=1, hits=0
      subnet=0.0.0.0/0, branch_id=1098051, branch_name=fbexternal-a.akamaihd.net., ip_prot=0, port=0/0x0, source, domain, nsg_id=512, hits=0
      subnet=0.0.0.0/0, branch_id=1098051, branch_name=fbexternal-a.akamaihd.net., ip_prot=0, port=0/0x0, destination, domain, nsg_id=1, hits=0
      subnet=0.0.0.0/0, branch_id=1217875, branch_name=fbcdn-profile-a.akamaihd.net., ip_prot=0, port=0/0x0, source, domain, nsg_id=512, hits=0
      subnet=0.0.0.0/0, branch_id=1217875, branch_name=fbcdn-profile-a.akamaihd.net., ip_prot=0, port=0/0x0, destination, domain, nsg_id=1, hits=0
      subnet=0.0.0.0/0, branch_id=1379985, branch_name=fbcdn-creative-a.akamaihd.net., ip_prot=0, port=0/0x0, source, domain, nsg_id=512, hits=0
      subnet=0.0.0.0/0, branch_id=1379985, branch_name=fbcdn-creative-a.akamaihd.net., ip_prot=0, port=0/0x0, destination, domain, nsg_id=1, hits=0
      subnet=0.0.0.0/0, branch_id=1524617, branch_name=channel.facebook.com., ip_prot=0, port=0/0x0, source, domain, nsg_id=512, hits=0
      subnet=0.0.0.0/0, branch_id=1524617, branch_name=channel.facebook.com., ip_prot=0, port=0/0x0, destination, domain, nsg_id=1, hits=0
      subnet=0.0.0.0/0, branch_id=1683343, branch_name=fbcdn-dragon-a.akamaihd.net., ip_prot=0, port=0/0x0, source, domain, nsg_id=512, hits=0
      subnet=0.0.0.0/0, branch_id=1683343, branch_name=fbcdn-dragon-a.akamaihd.net., ip_prot=0, port=0/0x0, destination, domain, nsg_id=1, hits=0
      subnet=0.0.0.0/0, branch_id=1782703, branch_name=contentcache-a.akamaihd.net., ip_prot=0, port=0/0x0, source, domain, nsg_id=512, hits=0
      subnet=0.0.0.0/0, branch_id=1782703, branch_name=contentcache-a.akamaihd.net., ip_prot=0, port=0/0x0, destination, domain, nsg_id=1, hits=0
      subnet=0.0.0.0/0, branch_id=1868733, branch_name=facebook.net., ip_prot=0, port=0/0x0, source, domain, nsg_id=512, hits=0
      subnet=0.0.0.0/0, branch_id=1868733, branch_name=facebook.net., ip_prot=0, port=0/0x0, destination, domain, nsg_id=1, hits=0
      subnet=0.0.0.0/0, branch_id=2068293, branch_name=plus.google.com., ip_prot=0, port=0/0x0, source, domain, nsg_id=512, hits=0
      subnet=0.0.0.0/0, branch_id=2068293, branch_name=plus.google.com., ip_prot=0, port=0/0x0, destination, domain, nsg_id=1, hits=0
      subnet=0.0.0.0/0, branch_id=2176667, branch_name=instagram.com., ip_prot=0, port=0/0x0, source, domain, nsg_id=512, hits=0
      subnet=0.0.0.0/0, branch_id=2176667, branch_name=instagram.com., ip_prot=0, port=0/0x0, destination, domain, nsg_id=1, hits=0
      subnet=0.0.0.0/0, branch_id=2317259, branch_name=linkedin.com., ip_prot=0, port=0/0x0, source, domain, nsg_id=512, hits=0
      subnet=0.0.0.0/0, branch_id=2317259, branch_name=linkedin.com., ip_prot=0, port=0/0x0, destination, domain, nsg_id=1, hits=0

show asp table routing

To debug the accelerated security path routing tables, use the show asp table routing command. This command supports IPv4 and IPv6 addresses.

show asp table routing [ vrf name | all] [ management-only] [ input | output] [ address ip_address [ netmask mask] | interface interface_name]

Syntax Description

address ip_address

Sets the IP address for which you want to view routing entries. For IPv6 addresses, you can include the subnet mask as a slash (/) followed by the prefix (0 to 128). For example, enter fe80::2e0:b6ff:fe01:3b7a/128.

input

Shows the entries from the input route table.

interface interface_name

(Optional) Identifies a specific interface for which you want to view the routing table.

netmask mask

For IPv4 addresses, specifies the subnet mask.

output

Shows the entries from the output route table.

management-only

Shows the number portability routes in the management routing table.

[ vrf name | all]

If you enable virtual routing and forwarding (VRF), also known as virtual routers, you can limit the view to a specific virtual router using the vrf name keyword. If you want to see the routing tables for all virtual routers, include the all keyword. If you include neither of these VRF-related keywords, the command shows the routing table for the global VRF virtual router.

Command History

Release

Modification

6.1

This command was introduced.

6.6

The [ vrf name | all] keywords were added.

Usage Guidelines

The show asp table routing command shows the routing table contents of the accelerated security path, which might help you troubleshoot a problem. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command. The management-only keyword displays the number-portability routes in the management routing table.

Examples

The following is sample output from the show asp table routing command:

    > show asp table routing
    in   255.255.255.255 255.255.255.255 identity
    in   224.0.0.9       255.255.255.255 identity
    in   10.86.194.60    255.255.255.255 identity
    in   10.86.195.255   255.255.255.255 identity
    in   10.86.194.0     255.255.255.255 identity
    in   209.165.202.159 255.255.255.255 identity
    in   209.165.202.255 255.255.255.255 identity
    in   209.165.201.30  255.255.255.255 identity
    in   209.165.201.0   255.255.255.255 identity
    in   10.86.194.0     255.255.254.0   inside
    in   224.0.0.0       240.0.0.0       identity
    in   0.0.0.0         0.0.0.0         inside
    out  255.255.255.255 255.255.255.255 foo
    out  224.0.0.0       240.0.0.0       foo
    out  255.255.255.255 255.255.255.255 test
    out  224.0.0.0       240.0.0.0       test
    out  255.255.255.255 255.255.255.255 inside
    out  10.86.194.0     255.255.254.0   inside
    out  224.0.0.0       240.0.0.0       inside
    out  0.0.0.0         0.0.0.0         via 10.86.194.1, inside
    out  0.0.0.0         0.0.0.0         via 0.0.0.0, identity
    out  ::              ::              via 0.0.0.0, identity

The following example shows the routing table for the virtual router named alpha.

    > show asp table routing vrf alpha
    Routing table for vrf alpha
    route table timestamp: 3916283895
    in   1.1.1.1         255.255.255.255 identity
    in   1.1.1.0         255.255.255.0   i1
    out  255.255.255.255 255.255.255.255 i1
    out  1.1.1.1         255.255.255.255 i1
    out  1.1.1.0         255.255.255.0   i1
    out  224.0.0.0       240.0.0.0       i1

Related Commands

Command

Description

show route

Shows the routing table in the control plane.

show asp table socket

To help debug the accelerated security path socket information, use the show asp table socket command.

show asp table socket [ handle] [ stats]

Syntax Description

handle

Specifies the length of the socket.

stats

Shows the statistics from the accelerated security path socket table.

Command History

Release

Modification

6.1

This command was introduced.

Usage Guidelines

The show asp table socket command shows the accelerated security path socket information, which might help in troubleshooting accelerated security path socket problems. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp table socket command.

    Protocol  Socket    Local Address       Foreign Address       State
    TCP       00012bac  10.86.194.224:23    0.0.0.0:*             LISTEN
    TCP       0001c124  10.86.194.224:22    0.0.0.0:*             LISTEN
    SSL       00023b84  10.86.194.224:443   0.0.0.0:*             LISTEN
    SSL       0002d01c  192.168.1.1:443     0.0.0.0:*             LISTEN
    DTLS      00032b1c  10.86.194.224:443   0.0.0.0:*             LISTEN
    SSL       0003a3d4  0.0.0.0:443         0.0.0.0:*             LISTEN
    DTLS      00046074  0.0.0.0:443         0.0.0.0:*             LISTEN
    TCP       02c08aec  10.86.194.224:22    171.69.137.139:4190   ESTAB

The following is sample output from the show asp table socket stats command.

    TCP Statistics:
      Rcvd:
         total 14794
         checksum errors 0
         no port 0
      Sent:
         total 0
    UDP Statistics:
      Rcvd:
         total 0
         checksum errors 0
      Sent:
         total 0
         copied 0
    NP SSL System Stats:
      Handshake Started: 33
      Handshake Complete: 33
      SSL Open: 4
      SSL Close: 117
      SSL Server: 58
      SSL Server Verify: 0
      SSL Client: 0

TCP/UDP statistics are packet counters representing the number of packets sent or received that are directed to a service that is running or listening on the device, such as Telnet, SSH, or HTTPS. Checksum errors are the number of packets dropped because the calculated packet checksum did not match the checksum value stored in the packet (that is, the packet was corrupted). The NP SSL statistics indicate the number of each type of message received. Most indicate the start and completion of new SSL connections to either the SSL server or SSL client.

Related Commands

Command

Description

show asp table vpn-context

Shows the accelerated security path VPN context tables.

show asp table vpn-context

To debug the accelerated security path VPN context tables, use the show asp table vpn-context command.

show asp table vpn-context [ detail]

Syntax Description

detail

(Optional) Shows additional detail for the VPN context tables.

Command History

Release

Modification

6.1

This command was introduced.

Usage Guidelines

The show asp table vpn-context command shows the VPN context contents of the accelerated security path, which might help you troubleshoot a problem. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp table vpn-context command:

    > show asp table vpn-context
    VPN ID=0058070576, DECR+ESP, UP, pk=0000000000, rk=0000000000, gc=0
    VPN ID=0058193920, ENCR+ESP, UP, pk=0000000000, rk=0000000000, gc=0
    VPN ID=0058168568, DECR+ESP, UP, pk=0000299627, rk=0000000061, gc=2
    VPN ID=0058161168, ENCR+ESP, UP, pk=0000305043, rk=0000000061, gc=1
    VPN ID=0058153728, DECR+ESP, UP, pk=0000271432, rk=0000000061, gc=2
    VPN ID=0058150440, ENCR+ESP, UP, pk=0000285328, rk=0000000061, gc=1
    VPN ID=0058102088, DECR+ESP, UP, pk=0000268550, rk=0000000061, gc=2
    VPN ID=0058134088, ENCR+ESP, UP, pk=0000274673, rk=0000000061, gc=1
    VPN ID=0058103216, DECR+ESP, UP, pk=0000252854, rk=0000000061, gc=2
    ...

The following is sample output from the show asp table vpn-context command when the persistent IPsec tunneled flows feature is enabled, as shown by the PRESERVE flag:

> show asp table vpn-context
VPN CTX=0x0005FF54, Ptr=0x6DE62DA0, DECR+ESP+PRESERVE, UP, pk=0000000000, rk=0000000000, gc=0
VPN CTX=0x0005B234, Ptr=0x6DE635E0, ENCR+ESP+PRESERVE, UP, pk=0000000000, rk=0000000000, gc=0

The following is sample output from the show asp table vpn-context detail command. When the persistent IPsec tunneled flows feature is enabled, the flags will include the PRESERVE flag.

> show asp table vpn-context detail
VPN Ctx = 0058070576 [0x03761630]
State = UP
Flags = DECR+ESP
SA = 0x037928F0
SPI = 0xEA0F21F0
Group = 0
Pkts = 0
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Ctx = 0058193920 [0x0377F800]
State = UP
Flags = ENCR+ESP
SA = 0x037B4B70
SPI = 0x900FDC32
Group = 0
Pkts = 0
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
...

Related Commands

| Command | Description |
|---|---|
| show asp drop | Shows the accelerated security path counters for dropped packets. |

show asp table zone

To debug the accelerated security path zone table, use the show asp table zone command.

show asp table zone

Command History

| Release | Modification |
|---|---|
| 6.1 | This command was introduced. |

Usage Guidelines

The show asp table zone command shows the contents of the accelerated security path, which might help you troubleshoot a problem. These tables are used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command.

Examples

The following is sample output from the show asp table zone command. In this example, the zone named is-154 is actually an inline set, not a traffic zone.

> show asp table zone
Zone: krjones-passive-security-zone id: 48947
    Security-level: 0
    Context : single_vf
    Zone member(s):
      passive GigabitEthernet0/0
Zone: passive_default_context_0 id: 1
    Security-level: 0
    Context : single_vf
    Zone member(s):
Zone: is-154 id: 34309
    Security-level: 0
    Context : single_vf
    Zone member(s):
      out GigabitEthernet0/2
      in GigabitEthernet0/1

Related Commands

| Command | Description |
|---|---|
| show inline-set | Shows the inline sets. |
| show zone | Shows the traffic zones. |

show audit-log

To display the system audit log, use the show audit-log command.

show audit-log

Command History

| Release | Modification |
|---|---|
| 6.1 | This command was introduced. |

Usage Guidelines

This command displays the audit log in reverse chronological order; the most recent audit log events are listed first.

Events can include system updates, permission problems, configuration changes, and policy applications. The information is available for devices remotely managed by management center only. The audit log is empty for locally managed systems.

Examples

The following example shows the audit log.

> show audit-log
Audit Log Output:
time : 1476223151 (Tue Oct 11 21:59:11 2016)
event_type : notify
subsystem : Task Queue
actor : System
message : Successful task completion : Clam update synchronization from firepower
result : Success
action_source_ip : localhost
action_destination_ip : localhost
----------------------------------------------------------
time : 1476222646 (Tue Oct 11 21:50:46 2016)
event_type : notify
subsystem : Task Queue
actor : System
message : Successful task completion : Apply AMP Dynamic Analysis Configuration from firepower
result : Success
action_source_ip : localhost
action_destination_ip : localhost
----------------------------------------------------------
time : 1476222564 (Tue Oct 11 21:49:24 2016)
event_type : notify
subsystem : Task Queue
actor : System
message : Successful task completion : Apply Initial_Health_Policy 2016-10-11 18:54:59 from firepower
result : Success
action_source_ip : localhost
action_destination_ip : localhost
----------------------------------------------------------
time : 1476222563 (Tue Oct 11 21:49:23 2016)
event_type : notify
subsystem : Health > Health Policy > Apply > Initial_Health_Policy 2016-10-11 18:54:59 > firepower
actor : admin
message : Apply
result : Success
action_source_ip : 127.0.0.1
action_destination_ip : localhost
----------------------------------------------------------
time : 1476222508 (Tue Oct 11 21:48:28 2016)
event_type : notify
subsystem : Task Queue
actor : System
message : Successful task completion : Registration '10.83.57.41'
result : Success
action_source_ip : localhost
action_destination_ip : localhost
----------------------------------------------------------
time : 1476222473 (Tue Oct 11 21:47:53 2016)
event_type : Restart
subsystem : NTP Configuration changed
actor : Default User
message : Restart
result : Success
action_source_ip : Default User IP
action_destination_ip : Default Target IP
----------------------------------------------------------
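For review work it helps to turn this output into records, restore chronological order, and pull out the events that a person rather than the system performed. The following is an added example, not part of the Cisco reference: the function names `parse_audit_log` and `needs_review` are hypothetical, the one-field-per-line layout is assumed, and treating `System` as the automated actor is an assumption drawn from the sample output.

```python
import re
from datetime import datetime, timezone

# Two records from the sample `show audit-log` output above, one field per
# line (assumed layout). The device lists the newest event first.
SAMPLE = """\
Audit Log Output:
time : 1476222564 (Tue Oct 11 21:49:24 2016)
event_type : notify
subsystem : Task Queue
actor : System
message : Successful task completion : Apply Initial_Health_Policy 2016-10-11 18:54:59 from firepower
result : Success
action_source_ip : localhost
action_destination_ip : localhost
----------------------------------------------------------
time : 1476222563 (Tue Oct 11 21:49:23 2016)
event_type : notify
subsystem : Health > Health Policy > Apply > Initial_Health_Policy 2016-10-11 18:54:59 > firepower
actor : admin
message : Apply
result : Success
action_source_ip : 127.0.0.1
action_destination_ip : localhost
----------------------------------------------------------
"""

def parse_audit_log(text):
    """Split on the dashed separators and return records oldest first."""
    records = []
    for chunk in re.split(r"^-{10,}\s*$", text, flags=re.M):
        rec = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(" : ")  # message may contain " : "
            if sep:
                rec[key.strip()] = value.strip()
        if "time" in rec:
            rec["epoch"] = int(rec["time"].split()[0])
            rec["utc"] = datetime.fromtimestamp(rec["epoch"], timezone.utc).isoformat()
            records.append(rec)
    return sorted(records, key=lambda r: r["epoch"])

def needs_review(records):
    """Keep events made by a non-System actor or whose result is not Success."""
    return [r for r in records if r.get("actor") != "System" or r.get("result") != "Success"]

if __name__ == "__main__":
    for r in needs_review(parse_audit_log(SAMPLE)):
        print(r["utc"], r["actor"], r["subsystem"], r["result"], sep=" | ")
```

Keying on the epoch value rather than the parenthesised date string keeps the ordering independent of the device's display time zone.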