This post is the second in a three-part series that highlights some of the topics covered in the new Global Knowledge ASA Essentials class, an offering intended to provide the student the key areas of interest for initially provisioning their security appliance. This post focuses on selective useful CLI troubleshooting commands.
Most everyone who has at one time or another configured the ASA is familiar with at least one show command, especially show run, short for show running-config. An additional helpful feature of this command sequence is the functionality unique to the security appliance of being able to “target” its output to a subsection of interest by using show run <keyword>. The <keyword> could be any one of many possibilities such as nat, global, static, or access-list.
The access-list keyword is of particular interest in this case because the output from show run access-list can be markedly different from show access-list. While the first of these merely shows how the configured access-list appears in the running configuration, the second can actually display numerous “extras”. These extras include hit count, expanded object-group entries and dynamically downloaded entries. A sample output of a dynamically downloaded access-list with RADIUS appears below:
access-list #ACSACL#-IP-HTTP-Only-Access-3ac232f8 line 1
extended permit tcp any any eq www (hitcnt=10) 0x2caf9971f
Another little-known helpful argument to use with several show commands is the use of the word all. The output of show run all can be quite lengthy, as the resulting display shows default and preconfigured settings which are hidden by the much more compact output of show run. These settings include command aliases and preconfigured regular expressions along with default logging, failover, and VPN constraints. While most administrators are familiar with the show conn command, the addition of all to this command (show conn all) results in a display of connections through, to, and from the ASA. This can further be embellished as follows: show conn all address <IP_Addr>. The resulting output is limited to merely those connections from the specified IP address.
A final show command worthy of mention here is show asp drop. The middle argument refers to the Accelerated Security Path or “fast path” by which it is sometimes known. A sample output is shown below:
ciscoasa(config)# show asp drop
Flow is denied by configured rule (acl-drop) 10
First TCP packet not SYN (tcp-not-syn) 12
TCP RST/FIN out of order (tcp-rstfin-ooo) 5
Interface is down (interface-down) 2
While the meaning of the first line is clear, positive values in the next two lines relating to TCP could indicate an asymmetric routing issue. For additional useful show, debug and other troubleshooting commands and tools in a simulated real-world environment, you’ll need to attend the Global Knowledge ASA Essentials class!