# ASA troubleshooting commands


Resource use

# show cpu usage detailed
# show memory
# show blocks
Hardware and license information

# show version
# show module all
# show mode
Connections and translations

# show conn
! idle == no packets received for the last x seconds
# show perfmon
# show nat
! idle == last conn created was x seconds ago 
! i-dynamic.timeout == will begin when the last conn is removed (3 hours)
! r-portmap.timeout == will begin when the last conn is removed (30 seconds)
! s-static.timeout == none (static entries have no timeout)
# show xlate
# show local-host
Drops

# show service-policy
# show asp drop
# show logging
High availability

# show failover
Interface information

# show ip
# show nameif
# show traffic
Debug

# terminal monitor ! needed to see log and debug output in SSH sessions
# debug icmp trace
# debug arp
# debug esmtp
# debug http
! debug output adds CPU load on a busy firewall; turn it off with "undebug all" when finished
Logging

(config)# logging enable
(config)# logging timestamp
(config)# logging buffered debugging
(config)# logging buffer-size 65000
# show logging
Packet capture

(config)# access-list capture_acl extended permit ip host 1.1.1.1 host 2.2.2.2
(config)# access-list capture_acl extended permit ip host 2.2.2.2 host 1.1.1.1
# capture capture_name interface interface_name access-list capture_acl
# clear capture capture_name
# show capture capture_name
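! wget -O capture_name.pcap --user=asa_user --password=asa_password https://asa_ip/capture/capture_name/pcap
! --password on the command line ends up in shell history and the process list; wget's --ask-password prompts for it instead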
# no capture capture_name
Packet-tracer

# packet-tracer input interface_name tcp 1.1.1.1 1234 2.2.2.2 5678
VPN

# show crypto isakmp sa
# show crypto ipsec sa
