This article lists troubleshooting commands for Cisco ASA firewalls.

High CPU Issues
ASA# show cpu usage
ASA# show cpu usage context all (Shows CPU usage for all contexts)

ASA# show resource usage
ASA# show resource usage resource ssh (conn | routes | Xlates)

ASA# show processes cpu-usage sorted non-zero (Shows per-process CPU usage for every process using more than 0%)

ASA# show processes cpu-hog (Shows processes that consume a lot of CPU cycles)

ASA# clear processes cpu-hog (This will delete all old CPU-hog entries)

Debug sessions on ASA
ASA# debug ssh 1 (SSH debugging; messages appear on the console)
ASA# show debug (Shows all debug sessions)
ASA# logging debug-trace (Sends debug output to the syslog server)
ASA# no logging debug-trace (Returns debug output to the console)

Running commands on Standby ASA from Active ASA
ASA(Active)# failover exec standby sh version (Prefix any command with “failover exec standby” on the active ASA to get that command's output from the standby ASA)

ASA Packet Drop Issues
ASA# show asp table socket (Shows open listening ports and sessions on the ASA)
ASA# show asp drop (Shows ASA packet drop counters and the reasons)
ASA# clear asp drop (Clears old drop data)
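
An added example (not from the original article): instead of running clear asp drop, save two show asp drop outputs taken a few minutes apart and compare them offline to see which drop reasons are actively growing. The Python below assumes the usual "description (reason-id) count" line layout; the function names and the sample output are constructed for illustration.

```python
import re

# One counter line looks like: "  Description text (reason-id)      1234"
COUNTER = re.compile(r"^\s+(.+?)\s+\(([\w-]+)\)\s+(\d+)\s*$")
SECTION = re.compile(r"^(Frame|Flow) drop:\s*$")

def parse_asp_drop(text):
    """Return {(section, reason_id): count} parsed from 'show asp drop' output."""
    counters, section = {}, None
    for line in text.splitlines():
        head = SECTION.match(line)
        if head:
            section = head.group(1).lower()
            continue
        hit = COUNTER.match(line)
        if hit and section:
            counters[(section, hit.group(2))] = int(hit.group(3))
    return counters

def drop_delta(before, after):
    """Counters that grew between two snapshots, largest increase first."""
    grown = {}
    for key, now in after.items():
        prev = before.get(key, 0)
        # A lower value than before means the counter was cleared in between.
        inc = now - prev if now >= prev else now
        if inc > 0:
            grown[key] = inc
    return sorted(grown.items(), key=lambda kv: kv[1], reverse=True)

# Constructed sample output (not captured from a real device).
SNAPSHOT_1 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                        1200
  First TCP packet not SYN (tcp-not-syn)                                40
Last clearing: Never
Flow drop:
  NAT failed (nat-failed)                                                3
"""
SNAPSHOT_2 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                        1550
  First TCP packet not SYN (tcp-not-syn)                                40
  Slowpath security checks failed (sp-security-failed)                  12
Flow drop:
  NAT failed (nat-failed)                                                3
"""
```

Calling drop_delta(parse_asp_drop(SNAPSHOT_1), parse_asp_drop(SNAPSHOT_2)) lists only the reasons that increased, so unchanged counters such as tcp-not-syn drop out of the picture.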

ASA Active connection Review
ASA# sh conn | in :22
ASA# sh conn | in CLOSE_WAIT
ASA# sh conn all protocol tcp port 22 detail

ASA Interface Errors
ASA# show interface | inc error

Packet Tracer
ASA# packet-tracer input inside tcp 1.1.1.1 1024 2.2.2.2 443 (Packet-tracer can help you identify why the ASA drops a packet)

SYN Flooding attacks
ASA(Context-1)# show perfmon (Check TCP-intercept counts)
ASA(System)# show resource usage details (Resource usage based on context)
ASA(System)# show resource usage summary details (Resources used by whole ASA)

Packet Capture on Cisco ASA
ASA# capture cap1 int INSIDE match ip host 1.1.1.1 host 2.2.2.2
ASA# show cap cap1
ASA# clear capture cap1
ASA# no capture cap1

https://1.1.1.1/admin/capture/cap1/pcap (You can download the capture in pcap format from the ASA for use in Wireshark)
ASA# capture drop type asp-drop all buffer 33554432 (Captures all packets dropped by the ASA)
ASA# show capture drop (Shows the drop capture results)



I hope this article helps you in troubleshooting Cisco ASA issues!
