Feedback
Contents
debug aaa sg-server selection through debug vrrp ha
debug aaa sg-server selection through debug vrrp ha
debug aaa sg-server selection
To obtain information about why the RADIUS and TACACS+ server group system in a router is choosing a particular server, use the debugaaasg-serverselectioncommand in privileged EXEC mode. To disable debugging output, use the no form of this command.
Command History
Release
Modification
12.3(1)
This command was introduced.
12.2(28)SB
This command was extended for RADIUS server load balancing to show which server is selected on the basis of a load balancing algorithm.
12.4(11)T
This command was integrated into Cisco IOS Release 12.4(11)T.
12.2(33)SRC
This command was integrated into Cisco IOS Release 12.2(33)SRC.
Examples
The following example shows that debugging has been set to display information about server selection:
Router# debug aaa sg-server selectionThe following two debug outputs display the behavior of RADIUS transactions within a server group with the server-reorder-on-failure feature configured.
Examples
Debug 1
In the following sample output, the RADIUS server-reorder-on-failure feature is configured. The server retransmits are set to 0 (so each server is attempted only once before failover to the next configured server), and the transmissions per transaction are set to 4 (the transmissions will stop on the third failover). The third server in the server group (192.0.2.118) has accepted the transaction on the third transmission (second failover).
00:38:35: %SYS-5-CONFIG-I: Configured from console by console 00:38:53: RADIUS/ENCODE(OOOOOOOF) : ask "Username: " 00:38:53: RADIUS/ENCODE (0000000F) : send packet; GET-USER 00:38:58: RADIUS/ENCODE (0000000F) : ask "Password: " 00:38:58: RADIUS/ENCODE(0000000F) : send packet; GET-PASSWORD 00:38:59: RADIUS: AAA Unsupported [152] 4 00:38:59: RADIUS: 7474 [tt] 00:38:59: RADIUS (0000000F) : Storing nasport 2 in rad-db 00:38:59: RADIUS/ENCODE(0000000F) : dropping service type, "radius-server attribute 6 on-for-login-auth" is off 00:38:59: RADIUS (0000000F) : Config NAS IP: 192.0.2.4 00:38:59: RADIUS/ENCODE (0000000F) : acct-session-id: 15 00:38:59: RADIUS (0000000F) : sending 00:38:59: RADIUS/ENCODE: Best Local IP-Address 192.0.2.130 for Radius-Server 192.0.2.1 00:38:59: RAPIUS(0000000F) : Send Access-Request to 192.0.2.1:1645 id 21645/11, len 78 00:38:59: RADIUS:: authenticator 4481 E6 65 2D 5F 6F OA -lE F5 81 8F 4E 1478 9C 00:38:59: RADIUS: User-Name [1] 7 "username" 00:38:59: RADIUS: User-Password [2] 18 * 00:38:59: RADIUS: NAS-Port fSl 6 2 00:~8:59: RADIUS: NAS-Port-Type [61] 6 Virtual [5] 00:38:59: RADIUS: Calling-Station-Id [31] 15 "192.0.2.23" 00:39:00: RADIUS: NAS-IP-Address [4] 6 192.0.2.130 00:39:02: RADIUS: Fail-over to (192.0.2.2:1645,1646) for id 21645/11 00:39:02: RADIUS/ENCODE: Best Local IP-Address 192.0.2.130 for Radius-Server 192.0.2.2 00:39:04: RADIUS: Fail-over to (192.0.2.118:1645,1646) for id 21645/11 00:39:04: RADIUS/ENCODE: Best Local IP-Address 192.0.2.130 for Radius-Server 192.0.2.118 00:39:05: RADIUS: Received from id 21645/11 192.0.2.118:1645, Access-Accept, len 26 00:39:05: RADIUS: authenticator 5609 56 F9 64 4E DF 19- F3 A2 DD 73 EE 3F 9826 00:39:05: RADIUS: Service-Type [6] 6 Login [1]Examples
Debug 2
In the following sample output, the RADIUS server-reorder-on-failure feature is configured. The server retransmits are set to 0, and the transmissions per transaction are set to 8. In this transaction, the transmission to server 192.0.2.1 has failed on the eighth transmission.
00:42:30: RADIUS(00000011): Received from id 21645/13 00:43:34: RADIUS/ENCODE(00000012) : ask "Username: " 00:43:34: RADIUS/ENCODE(00000012) : send packet; GET-USER 00:43:39: RADIUS/ENCODE(00000012) : ask "Password: " 00:43:39: RADIUS/ENCODE(00000012) : send packet; GET-PASSWORD 00:43:40: RADIUS: AAA Unsupported [152] 4 00:43:40: RADIUS: 7474 [tt] 00:43:40: RADIUS(00000012) : Storing nasport 2 in rad-db 00:43:40: RADIUS/ENCODE(00000012): dropping service type, "radius-server attribute 6 on-for-login-auth" is off 00:43:40: RADIUS(00000012) : Co~fig NAS IP: 192.0.2.4 00:43:40: RADIUS/ENCODE(00000012) : acct-session-id: 18 00:43:40: RADIUS(00000012) : sending 00:43:40: RADIUS/ENCODE: Best Local IP-Address 192.0.2.130 for Radius-Server 192.0.2.118 00:43:40: RADIUS(00000012) : Send Access-Request to 192.0.2.118:1645 id 21645/14, len 78 00:43:40: RADIUS: authenticator B8 OA 51 3A AF A6 0018 -B3 2E 94 5E 07 OB 2A 00:43:40: RADIUS: User-Name [1] 7 "username" 00:43:40: RADIUS: User-Password [2] 18 * 00:43:40: RADIUS: NAS-Port [5] 6 2 00:43:40: RADIUS: NAS-Port-Type [61] 6 Virtual [5] 00:43:40: RADIUS: Calling-Station-]d [31] 15 "192.0.2.23" 00:43:40: RADIUS: NAS-IP-Address [4] 6 192.0.2.130 00:43:42: RADIUS: Fail-over to (192.0.2,1:1645,1646) for id 21645/14 00:43:42: RADIUS/ENCODE: Best Local IP-Address 192.0.2.130 for Radius-Server 192.0.2.1 00:43:44: RADIUS: Fail-over to (192.0.2.2:1645,1646) for id 21645/14 00:43:44: RADIUS/ENCODE: Best Local IP-Address 192.0.2.130 for Radius-Server 192.0.2.2 00:43:46: RADIUS: Fail-over to (192.0.2.118:1645,1646) for id 21645/14 00:43:46: RADIUS/ENCODE: Best Local IP-Address 192.0.2.130 for Radius-Server 192.0.2.118 00:43:48: RADIUS: Fail-over to (192.0.2.1:1645,1646) for id 21645/14 00:43:48: RADIUS/ENCODE: Best Local IP-Address 192.0.2.130 for Radius-Server 192.0.2.1 00:43:50: RADIUS: Fail-over to (192.0.2.2:1645,1646) for id 21645/14 00:43:50: RADIUS/ENCODE: Best Local IP-Address 192.0.2.130 for Radius-Server 192.0.2.2 00:43:52: RADIUS: Fail-over to (192.0.2.118:1645,1646) for id 21645/14 00:43:52: RADIUS/ENCODE: Best Local IP-Address 192.0.2.130 for Radius-Server 192.0.2.118 00:43:54: RADIUS: Fail-over to (192.0.2.1:1645,1646) for id 21645/14 00:43:54: RADIUS/ENCODE: Best Local IP-Address 192.0.2.130 for Radius-Server 192.0.2.1 00:43:56: RADIUS: No response from (192.0.2.1:1645,1646) for id 21645/14 00:43:56:RADIUS/DECODE: parse response no app start; FAIL 00:43:56: RADIUS/DECODE: parse response;FAILThe field descriptions are self-explanatory.
Examples
Debug 3
In the following sample output, the RADIUS server load balancing feature is enabled with a batch size of 3. The server selection, based on the load balancing algorithm, is shown as five access-requests that are being sent to the server group.
Router# debug aaa sg-server selection Jul 16 03:15:05: AAA/SG/SERVER_SELECT: Obtaining least loaded server. Jul 16 03:15:05: AAA/SG/SERVER_SELECT: [3] transactions remaining in batch. Reusing server. Jul 16 03:15:05: AAA/SG/SERVER_SELECT: Obtaining least loaded server. Jul 16 03:15:05: AAA/SG/SERVER_SELECT: [2] transactions remaining in batch. Reusing server. Jul 16 03:15:05: AAA/SG/SERVER_SELECT: Obtaining least loaded server. Jul 16 03:15:05: AAA/SG/SERVER_SELECT: [1] transactions remaining in batch. Reusing server. Jul 16 03:15:05: AAA/SG/SERVER_SELECT: Obtaining least loaded server. Jul 16 03:15:05: AAA/SG/SERVER_SELECT: No more transactions in batch. Obtaining a new server. Jul 16 03:15:05: AAA/SG/SERVER_SELECT: Obtaining a new least loaded server. Jul 16 03:15:05: AAA/SG/SERVER_SELECT: Server[0] load: 3 Jul 16 03:15:05: AAA/SG/SERVER_SELECT: Server[1] load: 0 Jul 16 03:15:05: AAA/SG/SERVER_SELECT: Server[2] load: 0 Jul 16 03:15:05: AAA/SG/SERVER_SELECT: Selected Server[1] with load 0 Jul 16 03:15:05: AAA/SG/SERVER_SELECT: [3] transactions remaining in batch. Jul 16 03:15:05: AAA/SG/SERVER_SELECT: Obtaining least loaded server.Jul 16 03:15:05: AAA/SG/SERVER_SELECT: [2] transactions remaining in batch. Reusing server.
The field descriptions are self-explanatory.
Related Commands
Command
Description
load-balance
Enables RADIUS server load balancing for named RADIUS server groups.
radius-server load-balance
Enables RADIUS server load balancing for the global RADIUS server group.
radius-server retry method reorder
Specifies the reordering of RADIUS traffic retries among a server group.
radius-server transaction max-tries
Specifies the maximum number of transmissions per transaction that may be retried on a RADIUS server.
test aaa group
Tests RADIUS load balancing server response manually.
debug aaa test
To show when the idle timer or dead timer has expired, when test packets are being sent, server response status, and the server state for RADIUS server load balancing, use the debugaaatestcommand in privileged EXEC mode. To disable debugging output, use the no form of this command.
Examples
In the following sample output, the RADIUS server load balancing feature is enabled. The idle timer has expired.
Router# debug aaa test Router# Jul 16 00:07:01: AAA/SG/TEST: Server (192.0.2.245:1700,1701) quarantined. Jul 16 00:07:01: AAA/SG/TEST: Sending test request(s) to server (192.0.2.245:1700,1701) Jul 16 00:07:01: AAA/SG/TEST: Sending 1 Access-Requests, 1 Accounting-Requests in current batch. Jul 16 00:07:01: AAA/SG/TEST(Req#: 1): Sending test AAA Access-Request. Jul 16 00:07:01: AAA/SG/TEST(Req#: 1): Sending test AAA Accounting-Request. Jul 16 00:07:01: AAA/SG/TEST: Obtained Test response from server (192.0.2.245:1700,1701) Jul 16 00:07:01: AAA/SG/TEST: Obtained Test response from server (192.0.2.245:1700,1701) Jul 16 00:07:01: AAA/SG/TEST: Necessary responses received from server (192.0.2.245:1700,1701) Jul 16 00:07:01: AAA/SG/TEST: Server (192.0.2.245:1700,1701) marked ALIVE. Idle timer set for 60 sec(s). Jul 16 00:07:01: AAA/SG/TEST: Server (192.0.2.245:1700,1701) removed from quarantine.Related Commands
Command
Description
load-balance
Enables RADIUS server load balancing for named RADIUS server groups.
radius-server host
Enables RADIUS automated testing for load balancing.
radius-server load-balance
Enables RADIUS server load balancing for the global RADIUS server group.
test aaa group
Tests RADIUS load balancing server response manually.
debug authentication
To display debugging information about the Authentication Manager, use the debugauthentication command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug authentication { [ feature feature-name ] | { all | detail | errors | events | sync } }
no debug authentication { [ feature feature-name ] | { all | detail | errors | events | sync } }
Syntax Description
feature feature-name
Displays debugging information about specific features. To display the valid feature names, use the question mark (?) online help function.
all
Displays all debugging information about the Authentication Manager and all features.
detail
Displays detailed debugging information.
errors
Displays debugging information about Authentication Manager errors.
events
Displays debugging information about Authentication Manager events.
sync
Displays debugging information about Authentication Manager stateful switchovers (SSOs) or In Service Software Upgrades (ISSUs).
debug eigrp address-family neighbor
To display debugging information about Enhanced Interior Gateway Routing Protocol (EIGRP) address family neighbors, use the debug eigrp address-family neighbor command in privileged EXEC mode. To disable debugging of EIGRP service-family neighbors, use the no form of this command.
debug eigrp address-family [ ipv4 | ipv6 ] neighbor [ip-address]
no debug eigrp address-family [ ipv4 | ipv6 ] neighbor [ip-address]
Syntax Description
ipv4
(Optional) Enables debugging for neighbors formed using the IPv4 protocol family.
ipv6
(Optional) Enables debugging for neighbors formed using the IPv6 protocol family.
ip-address
(Optional) IPv4 or IPv6 address of the neighbor. Specifying an address enables debugging for the service family at this address.
Usage Guidelines
Consult Cisco technical support before using this command.
CautionUse of debug commands can have severe performance penalties and should be used with extreme caution. For this reason, Cisco recommends that you contact Cisco technical support before enabling a debug command.
Examples
The following example shows how to enable debugging of an EIGRP address-family neighbor at 10.0.0.0:
Router# debug eigrp address-family ipv4 neighbor 10.0.0.0 Neighbor target enabled on AS 3 for 10.0.0.0 *Mar 17 15:50:53.244: EIGRP: 10.0.0.0/24 - do advertise out Serial1/2 *Mar 17 15:50:53.244: EIGRP: Int 10.0.0.0/24 metric 20512000 -20000000 512000 *Mar 17 15:50:53.244: EIGRP: 10.0.0.0/24 - do advertise out Serial1/2 *Mar 17 15:50:53.244: EIGRP: Int 10.0.0.0/24 metric 28160 - 256002560 *Mar 17 15:50:53.244: EIGRP: 10.0.0.0/24 - do advertise out Serial1/2 *Mar 17 15:50:53.244: EIGRP: 10.0.0.0/24 - do advertise out Serial1/2 *Mar 17 15:50:53.244: EIGRP: Int 10.0.0.0/24 metric 28160 - 25600256 *Mar 17 15:50:53.668: EIGRP: Processing incoming UPDATE packet *Mar 17 15:50:54.544: EIGRP: 10.0.0.0/24 - do advertise out Serial1/1debug eigrp address-family notifications
To display debugging information about Enhanced Interior Gateway Routing Protocol (EIGRP) address family event notifications, use the debug eigrp address-family notifications command in privileged EXEC mode. To disable EIGRP event notification debugging, use the no form of this command.
debug eigrp address-family { ipv4 [ autonomous-system-number | vrf [vrf-name] | ip-address ] | ipv6 [ autonomous-system-number | ip-address ] } notifications
no debug eigrp address-family { ipv4 [ autonomous-system-number | vrf [vrf-name] | ip-address ] | ipv6 [ autonomous-system-number | ip-address ] } notifications
Syntax Description
ipv4
Enables debugging for neighbors formed using the IPv4 protocol family.
ipv6
Enables debugging for neighbors formed using the IPv6 protocol family.
autonomous-system- number
(Optional) Autonomous system number of the EIGRP routing process. If no autonomous system number is specified, debugging information is displayed for all autonomous systems.
vrf
(Optional) Enables debugging for the specified VRF.
vrf-name
(Optional) Name of the VRF address family to which the command is applied.
ip-address
(Optional) IPv4 or IPv6 address of neighbor. Specifying an address enables debugging for all entries with this address.
Usage Guidelines
Consult Cisco technical support before using this command.
Caution
Use of debug commands can have severe performance penalties and should be used with extreme caution. For this reason, Cisco recommends that you contact Cisco technical support before enabling a debug command.
Examples
The following example shows how to enable EIGRP event notification debugging:
Router# debug eigrp address-family ipv4 notifications *Mar 17 15:58:07.144: IP-EIGRP: Callback: reload_iptable *Mar 17 15:58:08.148: IP-EIGRP: iptable_redistribute into eigrp AS 1 *Mar 17 15:58:12.144: IP-EIGRP: Callback: redist frm static AS 0 10.0.0.0/24 *Mar 17 15:58:12.144: into: eigrp AS 1 event: 1 *Mar 17 15:58:12.144: IP-EIGRP: Callback: redist frm static AS 0 172.16.0.0/24 *Mar 17 15:58:12.144: into: eigrp AS 1 event: 1debug eigrp nsf
To display nonstop forwarding (NSF) events in the console of an NSF-aware or NSF-capable router, use the debug eigrp nsf command in privileged EXEC mode. To disable debugging output, use the no form of this command.
Command History
Release
Modification
12.2(15)T
This command was introduced.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
15.0(1)M
This command was integrated into Cisco IOS Release 15.0(1)M.
Cisco IOS XE Release 3.6S
This command was modified. Support for IPv6 and IPv6 VPN Routing and Forwarding (VRF) was added.
15.2(2)S
This command was modified. Support for IPv6 and IPv6 VRF was added.
Usage Guidelines
The output from the debug eigrp nsf command displays NSF-specific events. The debug eigrp nsf command can be issued on either an NSF-capable or an NSF-aware router.
Examples
The following example shows how to enable the Enhanced Interior Gateway Routing Protocol (EIGRP) NSF debugging and display information about neighbor devices:
Device# debug eigrp nsf EIGRP NSF debugging is on Device# show ip eigrp neighbors detail EIGRP-IPv4 Neighbors for AS(100) H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 0 10.1.2.1 Et1/0 11 00:00:25 10 200 0 5 Version 5.1/3.0, Retrans: 2, Retries: 0, Prefixes: 1 Topology-ids from peer - 0 ! *Sep 23 18:57:19.423: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.1.2.1 (Ethernet1/0) is resync: peer graceful-restart *Sep 23 18:57:19.423: EIGRP: NSF: AS100, NSF or GR initiated by 10.1.2.1, flags 0x4:(RS) *Sep 23 18:57:36.028: EIGRP: NSF: AS100, Receive EOT from 10.1.2.1, Flags 0x8:(EOT) *Sep 23 18:57:36.028: EIGRP: NSF: route hold timer set to flush stale routes *Sep 23 18:57:36.038: EIGRP: NSF: AS100. route hold timer expiry *Sep 23 18:57:36.038: EIGRP: NSF: EIGRP-IPv4: Search for stale routes from 10.1.2.1 ! Device# show ip eigrp neighbors detail EIGRP-IPv4 Neighbors for AS(100) H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 0 10.1.2.1 Et1/0 11 00:02:31 12 200 0 6 Time since Restart 00:01:34 Version 5.1/3.0, Retrans: 2, Retries: 0, Prefixes: 1 Topology-ids from peer - 0The following sample output is displayed when a router is unable to handle an event with NSF-Awareness:
*Jan 23 18:59:56.040: EIGRP: NSF: AS100: Checking if Graceful Restart is possible with neighbor 1.1.2.1, peer_down reason 'peer restarted' *Jan 23 18:59:56.040: EIGRP: NSF: Not possible: 'peer_down was called with a HARD resync flag' *Jan 23 18:59:56.040: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor 10.1.2.1 (Ethernet1/0) is down: peer restarted *Jan 23 19:00:00.170: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor 10.1.2.1 (Ethernet1/0) is up: new adjacency *Jan 23 19:00:00.170: EIGRP: NSF: Enqueuing NULL update to 10.1.2.1, flags 0x1:(INIT)debug events
To display events, use the debug events command in privileged EXEC mode. To disable debugging output, use the no form of this command.
Usage Guidelines
This command displays events that occur on the interface processor and is useful for diagnosing problems in an network. It provides an overall picture of the stability of the network. In a stable network, the debug events command does not return any information. If the command generates numerous messages, the messages can indicate the possible source of problems.
When configuring or making changes to a router or interface for, enable the debug events command. Doing so alerts you to the progress of the changes or to any errors that might result. Also use this command periodically when you suspect network problems.
Examples
The following is sample output from the debug events command:
Router# debug events RESET(4/0): PLIM type is 1, Rate is 100Mbps aip_disable(4/0): state=1 config(4/0) aip_love_note(4/0): asr=0x201 aip_enable(4/0) aip_love_note(4/0): asr=0x4000 aip_enable(4/0): restarting VCs: 7 aip_setup_vc(4/0): vc:1 vpi:1 vci:1 aip_love_note(4/0): asr=0x200 aip_setup_vc(4/0): vc:2 vpi:2 vci:2 aip_love_note(4/0): asr=0x200 aip_setup_vc(4/0): vc:3 vpi:3 vci:3 aip_love_note(4/0): asr=0x200 aip_setup_vc(4/0): vc:4 vpi:4 vci:4 aip_love_note(4/0): asr=0x200 aip_setup_vc(4/0): vc:6 vpi:6 vci:6 aip_love_note(4/0): asr=0x200 aip_setup_vc(4/0): vc:7 vpi:7 vci:7 aip_love_note(4/0): asr=0x200 aip_setup_vc(4/0): vc:11 vpi:11 vci:11 aip_love_note(4/0): asr=0x200The below table describes the significant fields shown in the display.
The following line indicates that the AIP was reset. The PLIM detected was 1, so the maximum rate is set to 100 Mbps.
RESET(4/0): PLIM type is 1, Rate is 100MbpsThe following line indicates that the AIP was given a shutdown command, but the current configuration indicates that the AIP should be up:
aip_disable(4/0): state=1The following line indicates that a configuration command has been completed by the AIP:
aip_love_note(4/0): asr=0x201The following line indicates that the AIP was given a no shutdown command to take it out of the shutdown state:
aip_enable(4/0)The following line indicates that the AIP detected a carrier state change. It does not indicate that the carrier is down or up, only that it has changed.
aip_love_note(4/0): asr=0x4000The following line of output indicates that the AIP enable function is restarting all permanent virtual circuits (PVCs) automatically:
aip_enable(4/0): restarting VCs: 7The following lines of output indicate that PVC 1 was set up and a successful completion code was returned:
aip_setup_vc(4/0): vc:1 vpi:1 vci:1 aip_love_note(4/0): asr=0x200debug ip eigrp notifications
To display Enhanced Interior Gateway Routing Protocol (EIGRP) events and notifications in the console of the router, use the debug ip eigrp notifications command in privileged EXEC mode. To disable debugging output, use the no form of this command.
Command History
Release
Modification
12.2(15)T
This command was introduced.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
15.0(1)M
This command was integrated into Cisco IOS Release 15.0(1)M.
Usage Guidelines
The output of the debug ip eigrp notifications command displays EIGRP events and notifications.
Examples
The following example output shows that the NSF-aware router has received the restart notification. The NSF-aware router will now wait for end of transmission (EOT) to be sent from the restarting neighbor (NSF-capable).
Router# debug ip eigrp notifications *Oct 4 11:39:18.092:EIGRP:NSF:AS2. Rec RS update from 135.100.10.1, 00:00:00. Wait for EOT. *Oct 4 11:39:18.092:%DUAL-5-NBRCHANGE:IP-EIGRP(0) 2:Neighbor 135.100.10.1 (POS3/0) is up:peer NSF restarteddebug ip http all
To enable debugging output for all HTTP processes on the system, use the debug ip http allcommand in privileged EXEC mode. To disable debugging output, use the no form of this command.
Command History
Release
Modification
12.2(15)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.2(33)SRC
This command was integrated into Cisco IOS Release 12.2(33)SRC.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
12.2(33)SB
This command was integrated into Cisco IOS Release 12.2(33)SB.
Usage Guidelines
Use this command to enable debugging messages for all HTTP processes and activity. Issuing this command is equivalent to issuing the following commands:
- debug ip http authentication
- debug ip http ezsetup
- debug ip http ssi
- debug ip http token
- debug ip http transaction
- debug ip http url
Examples
For sample output and field descriptions of this command, see the documentation of the commands listed in the “Usage Guidelines” section.
Related Commands
Command
Description
debug ip http authentication
Enables debugging output for all processes for HTTP server and client access.
debug ip http ezsetup
Displays the configuration changes that occur during the EZ Setup process.
debug ip http ssi
Displays SSI translations and SSI ECHO command execution.
debug ip http token
Displays individual tokens parsed by the HTTP server.
debug ip http transaction
Displays HTTP server transaction processing.
debug ip http url
Displays the URLs accessed from the router.
debug ip http client
To enable debugging output for the HTTP client, use the debug ip http client command in privileged EXEC mode. To disable debugging output for the HTTP client, use the no or undebug form of this command.
debug ip http client { all | api | cache | error | main | msg | socket }
no debug ip http client { all | api | cache | error | main | msg | socket }
undebug ip http client { all | api | cache | error | main | msg | socket }
Syntax Description
all
Enables debugging for all HTTP client elements.
api
Enables debugging output for the HTTP client application interface (API).
cache
Enables debugging output for the HTTP client cache.
error
Enables debugging output for HTTP communication errors.
main
Enables debugging output specific to the Voice XML (VXML) applications interacting with the HTTP client.
msg
Enables debugging output of HTTP client messages.
socket
Enables debugging output specific to the HTTP client socket.
Command History
Release
Modification
12.3(2)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.2(33)SRC
This command was integrated into Cisco IOS Release 12.2(33)SRC.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
12.2(33)SB
This command was integrated into Cisco IOS Release 12.2(33)SB.
Usage Guidelines
Use this command to display transactional information for the HTTP client for debugging purposes.
Examples
The following example shows sample debugging output for a failed copy transfer operation when the host name resolution fails:
Router# debug ip http client all 2w4d: Cache ager called Router# copy http://www.example.com/index.html flash:index.html Destination filename [index.html]? Erase flash: before copying? [confirm] no Translating "www.example.com" % Bad IP address for host www.example.com %Error opening http://www.example.com/index.html (I/O error) Router# 2w4d: http_client_request: 2w4d: httpc_setup_request: 2w4d: http_client_process_request: 2w4d: HTTPC: Host name resolution failed for www.example.com 2w4d: http_transaction_free:2w4d: http_transaction_free: freed httpc_transaction_t
The following example shows sample debugging output for a failed copy transfer operation when the source file is not available:
Router# copy http://example.com/hi/file.html flash:/file.html Destination filename [file.html]? %Error opening http://example.com/hi/file.html (No such file or directory) Router# 2w4d: http_client_request: 2w4d: httpc_setup_request: 2w4d: http_client_process_request: 2w4d: httpc_request:Dont have the credentials Thu, 17 Jul 2003 07:05:25 GMT http://209.168.200.225/hi/file.html ok Protocol = HTTP/1.1 Content-Type = text/html; charset=iso-8859-1 Date = Thu, 17 Jul 2003 14:24:29 GMT 2w4d: http_transaction_free: 2w4d: http_transaction_free:freed httpc_transaction_t 2w4d: http_client_abort_request: 2w4d: http_client_abort_request:Bad Transaction Id Router#The table below describes the significant fields shown in the display.
Related Commands
Command
Description
copy
Copies a file from any supported remote location to a local file system, or from a local file system to a remote location, or from a local file system to a local file system.
ip http client connection
Configures the HTTP client connection.
ip http client password
Configures a password for all HTTP client connections.
ip http client proxy-server
Configures an HTTP proxy server.
ip http client source-interface
Configures a source interface for the HTTP client.
ip http client username
Configures a login name for all HTTP client connections.
service timestamps
Configures the time-stamping format for debugging or system logging messages.
show ip http client connection
Displays a report about HTTP client active connections.
show ip http client history
Displays the URLs accessed by the HTTP client.
show ip http client session-module
Displays a report about sessions that have registered with the HTTP client.
debug ip http ssl error
To enable debugging messages for the secure HTTP (HTTPS) web server and client, use the debug ip http ssl error command in privileged EXEC mode. To disable debugging messages for the HTTPS web server and client, use the no form of this command.
Command History
Release
Modification
12.2(15)T
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
12.2(33)SB
This command was integrated into Cisco IOS Release 12.2(33)SB.
Usage Guidelines
This command displays output for debugging purposes related to the HTTPS server and HTTPS client. HTTPS services use the Secure Socket Layer (SSL) protocol, version 3.0, for encryption.
Examples
The following is sample debugging output from the debug ip http ssl error command:
Router# 000030:00:08:01:%HTTPS:Key pair generation failed Router# 000030:00:08:10:%HTTPS:Failed to generate self-signed cert Router# 000030:00:08:15:%HTTPS:SSL handshake fail Router# 000030:00:08:21:%HTTPS:SSL read fail, uninitialized hndshk ctxt Router# 000030:00:08:25:%HTTPS:SSL write fail, uninitialized hndshk ctxtThe table below describes the debug messages shown above.
Table 3 debug ip http ssl error Field Descriptions Field
Description
%HTTPS:Key pair generation failed
The RSA key pair generation failed.
%HTTPS:Failed to generate self-signed cert
The HTTPS server or client failed to generate a self-signed certificate.
%HTTPS:SSL handshake fail
SSL connection handshake failed.
%HTTPS:SSL read fail, uninitialized hndshk ctxt
A read operation failed for SSL with an unitialized handshake context
debug ip mrouting
To display information about activity in the multicast route (mroute) table, use the debug ip mrouting command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug ip mrouting [ vrf vrf-name ] [ rpf-events | timers ] [group-address]
no debug ip mrouting [ vrf vrf-name ] [ rpf-events | timers ] [group-address]
Command Syntax in Cisco IOS 12.2(33)SXH and Subsequent 12.2SX Releases
debug ip mrouting [ vrf vrf-name ] [ high-availability | rpf-events [group-address] | timers group-address ]
no debug ip mrouting [ vrf vrf-name ] [ high-availability | rpf-events [group-address] | timers group-address ]
Syntax Description
vrf vrf-name
(Optional) Displays debugging information related to mroute activity associated with the Multicast Virtual Private Network (MVPN) routing and forwarding (MVRF) instance specified for the vrf-name argument.
high-availability
(Optional) Displays high availability (HA) events associated with supervisor engine switchovers on Catalyst 6500 series switches, in Cisco IOS Release 12.2(33)SXH and subsequent 12.2SX releases.
rpf-events
(Optional) Displays Reverse Path Forwarding (RPF) events associated with mroutes in the mroute table.
timers
(Optional) Displays timer-related events associated with mroutes in the mroute table.
group-address
(Optional) IP address or Domain Name System (DNS) name of a multicast group. Entering a multicast group address restricts the output to only display mroute activity associated with the multicast group address specified for the optional group-address argument.
Command History
Release
Modification
10.2
This command was introduced.
12.0(22)S
The rpf-events keyword was added.
12.2(13)T
The timers keyword, vrf keyword, and vrf-name argument were added.
12.2(14)S
The timers keyword, vrf keyword, and vrf-name argument were added.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH. The high-availability keyword was added in support of the PIM Triggered Joins feature.
Usage Guidelines
This command indicates when the router has made changes to the mroute table. Use the debug ip pim and debug ip mrouting commands consecutively to obtain additional multicast routing information. In addition, use the debug ip igmp command to learn why an mroute message is being displayed.
This command generates a substantial amount of output. Use the optional group-address argument to limit the output to a single multicast group.
In Cisco IOS 12.2(33)SXH and subsequent 12.2SX releases, the high-availability keyword was added in support of the PIM Triggered Joins feature to monitor HA events in the event of a supervisor engine switchover on a Catalyst 6500 series switch. The PIM Triggered Joins feature is an HA multicast enhancement that improves the reconvergence of mroutes after a supervisor engine switchover on a Catalyst 6500 series switch. After a service engine switchover, all instances of PIM running on the newly active supervisor engine will modify the value of the Generation ID (GenID) that is included in PIM hello messages sent to adjacent PIM neighbors. When an adjacent PIM neighbor receives a PIM hello message on an interface with a new GenID, the PIM neighbor will interpret the modified GenID as an indication that all mroutes states on that interface have been lost. A modified GenID, thus, is utilized as a mechanism to alert all adjacent PIM neighbors that PIM forwarding on that interface has been lost, which then triggers adjacent PIM neighbors to send PIM joins for all (*, G) and (S, G) mroute states that use that interface as an RPF interface.
Examples
The following is sample output from the debug ip mrouting command:
Router# debug ip mrouting 224.2.0.1 MRT: Delete (10.0.0.0/8, 224.2.0.1) MRT: Delete (10.4.0.0/16, 224.2.0.1) MRT: Delete (10.6.0.0/16, 224.2.0.1) MRT: Delete (10.9.0.0/16, 224.2.0.1) MRT: Delete (10.16.0.0/16, 224.2.0.1) MRT: Create (*, 224.2.0.1), if_input NULL MRT: Create (224.69.15.0/24, 225.2.2.4), if_input Ethernet0, RPF nbr 224.69.61.15 MRT: Create (224.69.39.0/24, 225.2.2.4), if_input Ethernet1, RPF nbr 0.0.0.0 MRT: Create (10.0.0.0/8, 224.2.0.1), if_input Ethernet1, RPF nbr 224.0.0.0 MRT: Create (10.4.0.0/16, 224.2.0.1), if_input Ethernet1, RPF nbr 224.0.0.0 MRT: Create (10.6.0.0/16, 224.2.0.1), if_input Ethernet1, RPF nbr 224.0.0.0 MRT: Create (10.9.0.0/16, 224.2.0.1), if_input Ethernet1, RPF nbr 224.0.0.0 MRT: Create (10.16.0.0/16, 224.2.0.1), if_input Ethernet1, RPF nbr 224.0.0.0The following lines show that multicast IP routes were deleted from the routing table:
MRT: Delete (10.0.0.0/8, 224.2.0.1) MRT: Delete (10.4.0.0/16, 224.2.0.1) MRT: Delete (10.6.0.0/16, 224.2.0.1)The (*, G) entries are generally created by receipt of an Internet Group Management Protocol (IGMP) host report from a group member on the directly connected LAN or by a Protocol Independent Multicast (PIM) join message (in sparse mode) that this router receives from a router that is sending joins toward the Route Processor (RP). This router will in turn send a join toward the RP that creates the shared tree (or RP tree).
MRT: Create (*, 224.2.0.1), if_input NULLThe following lines are an example of creating an (S, G) entry that shows that an IP multicast packet (mpacket) was received on Ethernet interface 0. The second line shows a route being created for a source that is on a directly connected LAN. The RPF means “Reverse Path Forwarding,” whereby the router looks up the source address of the multicast packet in the unicast routing table and determines which interface will be used to send a packet to that source.
MRT: Create (224.69.15.0/24, 225.2.2.4), if_input Ethernet0, RPF nbr 224.69.61.15 MRT: Create (224.69.39.0/24, 225.2.2.4), if_input Ethernet1, RPF nbr 0.0.0.0The following lines show that multicast IP routes were added to the routing table. Note the 224.0.0.0 as the RPF, which means the route was created by a source that is directly connected to this router.
MRT: Create (10.9.0.0/16, 224.2.0.1), if_input Ethernet1, RPF nbr 224.0.0.0 MRT: Create (10.16.0.0/16, 224.2.0.1), if_input Ethernet1, RPF nbr 224.0.0.0If the source is not directly connected, the neighbor address shown in these lines will be the address of the router that forwarded the packet to this router.
The shortest path tree state maintained in routers consists of source (S), multicast address (G), outgoing interface (OIF), and incoming interface (IIF). The forwarding information is referred to as the multicast forwarding entry for (S, G).
An entry for a shared tree can match packets from any source for its associated group if the packets come through the proper incoming interface as determined by the RPF lookup. Such an entry is denoted as (*, G). A (*, G) entry keeps the same information a (S, G) entry keeps, except that it saves the rendezvous point address in place of the source address in sparse mode or as 24.0.0.0 in dense mode.
The table below describes the significant fields shown in the display.
Related Commands
Command
Description
debug ip dvmrp
Displays information on DVMRP packets received and sent.
debug ip igmp
Displays IGMP packets received and sent, and IGMP host-related events.
debug ip packet
Displays general IP debugging information and IPSO security transactions.
debug ip pim
Displays all PIM announcements received.
debug ip sd
Displays all SD announcements received.
debug ip msdp
To debug Multicast Source Discovery Protocol (MSDP) activity, use the debug ip msdpcommand in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug ip msdp [ vrf vrf-name ] [ peer-address | name ] [detail] [routes]
no debug ip msdp [ vrf vrf-name ] [ peer-address | name ] [detail] [routes]
Syntax Description
vrf
(Optional) Supports the Multicast Virtual Private Network (VPN) routing and forwarding (VRF) instance.
vrf-name
(Optional) Name assigned to the VRF.
peer-address | name
(Optional) The peer for which debug events are logged.
detail
(Optional) Provides more detailed debugging information.
routes
(Optional) Displays the contents of Source-Active messages.
Command History
Release
Modification
12.0(7)T
This command was introduced.
12.0(23)S
The vrf keyword and vrf-name argument were added.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
12.2(14)S
This command was integrated into Cisco IOS Release 12.2(14)S.
12.2(27)SBC
This command was integrated into Cisco IOS Release 12.2(27)SBC.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Examples
The following is sample output from the debug ip msdp command:
Router# debug ip msdp MSDP debugging is on Router# MSDP: 224.150.44.254: Received 1388-byte message from peer MSDP: 224.150.44.254: SA TLV, len: 1388, ec: 115, RP: 172.31.3.92 MSDP: 224.150.44.254: Peer RPF check passed for 172.31.3.92, used EMBGP peer MSDP: 224.150.44.250: Forward 1388-byte SA to peer MSDP: 224.150.44.254: Received 1028-byte message from peer MSDP: 224.150.44.254: SA TLV, len: 1028, ec: 85, RP: 172.31.3.92 MSDP: 224.150.44.254: Peer RPF check passed for 172.31.3.92, used EMBGP peer MSDP: 224.150.44.250: Forward 1028-byte SA to peer MSDP: 224.150.44.254: Received 1388-byte message from peer MSDP: 224.150.44.254: SA TLV, len: 1388, ec: 115, RP: 172.31.3.111 MSDP: 224.150.44.254: Peer RPF check passed for 172.31.3.111, used EMBGP peer MSDP: 224.150.44.250: Forward 1388-byte SA to peer MSDP: 224.150.44.250: Received 56-byte message from peer MSDP: 224.150.44.250: SA TLV, len: 56, ec: 4, RP: 205.167.76.241 MSDP: 224.150.44.250: Peer RPF check passed for 205.167.76.241, used EMBGP peer MSDP: 224.150.44.254: Forward 56-byte SA to peer MSDP: 224.150.44.254: Received 116-byte message from peer MSDP: 224.150.44.254: SA TLV, len: 116, ec: 9, RP: 172.31.3.111 MSDP: 224.150.44.254: Peer RPF check passed for 172.31.3.111, used EMBGP peer MSDP: 224.150.44.250: Forward 116-byte SA to peer MSDP: 224.150.44.254: Received 32-byte message from peer MSDP: 224.150.44.254: SA TLV, len: 32, ec: 2, RP: 172.31.3.78 MSDP: 224.150.44.254: Peer RPF check passed for 172.31.3.78, used EMBGP peer MSDP: 224.150.44.250: Forward 32-byte SA to peerThe table below describes the significant fields shown in the display.
debug ip msdp resets
To debug Multicast Source Discovery Protocol (MSDP) peer reset reasons, use the debug ip msdp resets command in privileged EXEC mode.
Command History
Release
Modification
12.0(7)T
This command was introduced.
12.0(23)S
The vrf keyword and vrf-name argument were added.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
12.2(14)S
This command was integrated into Cisco IOS Release 12.2(14)S.
12.2(27)SBC
This command was integrated into Cisco IOS Release 12.2(27)SBC.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
debug ip ospf nsf
To display debugging messages about Open Shortest Path First (OSPF) during a Cisco nonstop forwarding (NSF) restart, use the debug ip ospf nsf command in privileged EXEC mode. To disable the display of debugging output, use the no form of this command.
Command History
Release
Modification
12.0(22)S
This command was introduced.
12.2(18)S
This command was integrated into Cisco IOS Release 12.2(18)S.
12.2(20)S
Support for the Cisco 7304 router was added.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
Usage Guidelines
Use the debug ip ospf nsf command to diagnose problems with OSPF link-state database (LSDB) resynchronization and NSF operations.
debug ip pim
To display Protocol Independent Multicast (PIM) packets received and sent, and to display PIM-related events, use the debug ip pimcommand in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug ip pim [ vrf vrf-name ] [ group-address | atm | auto-rp | bsr | df [rp-address] | hello | tag ]
no debug ip pim [ vrf vrf-name ] [ group-address | atm | auto-rp | bsr | df [rp-address] | hello | tag ]
Syntax Description
vrf vrf-name
(Optional) Displays PIM-related events associated with the Multicast Virtual Private Network (MVPN) routing and forwarding (MVRF) instance specified for the vrf-name argument.
group-address
(Optional) IP address or Domain Name System (DNS) name of a multicast group. Entering a multicast group address restricts the output to display only PIM-related events associated with the multicast group address specified for the optional group-address argument.
atm
(Optional) Displays PIM ATM signaling activity.
auto-rp
(Optional) Displays the contents of each PIM packet used in the automatic discovery of group-to-rendezvous point (RP) mapping and the actions taken on the address-to-RP mapping database.
bsr
(Optional) Displays candidate-RPs and Bootstrap Router (BSR) activity.
df
(Optional) When bidirectional PIM is used, displays all designated forwarder (DF) election messages.
rp-address
(Optional) The rendezvous point IP address.
hello
(Optional) Displays events associated with PIM hello messages.
tag
(Optional) Displays tag-switching-related activity.
Command History
Release
Modification
10.2
This command was introduced.
11.1
The auto-rp keyword was added.
11.3
The atm and tag keywords were added.
12.1(2)T
The df keyword was added.
12.1(3)T
The bsr keyword was added.
12.0(22)S
The vrf keyword, vrf-name argument, and hello keyword were added.
12.2(13)T
The vrf keyword and vrf-name argument were added.
12.2(14)S
This command was integrated into Cisco IOS Release 12.2(14)S.
12.2(15)T
The hello keyword was added.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
Usage Guidelines
PIM uses Internet Group Management Protocol (IGMP) packets to communicate with routers and advertise reachability information.
Use this command with the debug ip igmp and debug ip mrouting commands to display additional multicast routing information.
Examples
The following is sample output from the debug ip pim command:
Router# debug ip pim 224.2.0.1 PIM: Received Join/Prune on Ethernet1 from 172.16.37.33 PIM: Received Join/Prune on Ethernet1 from 172.16.37.33 PIM: Received Join/Prune on Tunnel0 from 10.3.84.1 PIM: Received Join/Prune on Ethernet1 from 172.16.37.33 PIM: Received Join/Prune on Ethernet1 from 172.16.37.33 PIM: Received RP-Reachable on Ethernet1 from 172.16.20.31 PIM: Update RP expiration timer for 224.2.0.1 PIM: Forward RP-reachability packet for 224.2.0.1 on Tunnel0 PIM: Received Join/Prune on Ethernet1 from 172.16.37.33 PIM: Prune-list (10.221.196.51/32, 224.2.0.1) PIM: Set join delay timer to 2 seconds for (10.221.0.0/16, 224.2.0.1) on Ethernet1 PIM: Received Join/Prune on Ethernet1 from 172.16.37.6 PIM: Received Join/Prune on Ethernet1 from 172.16.37.33 PIM: Received Join/Prune on Tunnel0 from 10.3.84.1 PIM: Join-list: (*, 224.2.0.1) RP 172.16.20.31 PIM: Add Tunnel0 to (*, 224.2.0.1), Forward state PIM: Join-list: (10.0.0.0/8, 224.2.0.1) PIM: Add Tunnel0 to (10.0.0.0/8, 224.2.0.1), Forward state PIM: Join-list: (10.4.0.0/16, 224.2.0.1) PIM: Prune-list (172.16.84.16/28, 224.2.0.1) RP-bit set RP 172.16.84.16 PIM: Send Prune on Ethernet1 to 172.16.37.6 for (172.16.84.16/28, 224.2.0.1), RP PIM: For RP, Prune-list: 10.9.0.0/16 PIM: For RP, Prune-list: 10.16.0.0/16 PIM: For RP, Prune-list: 10.49.0.0/16 PIM: For RP, Prune-list: 10.84.0.0/16 PIM: For RP, Prune-list: 10.146.0.0/16 PIM: For 10.3.84.1, Join-list: 172.16.84.16/28 PIM: Send periodic Join/Prune to RP via 172.16.37.6 (Ethernet1)The following lines appear periodically when PIM is running in sparse mode and indicate to this router the multicast groups and multicast sources in which other routers are interested:
PIM: Received Join/Prune on Ethernet1 from 172.16.37.33 PIM: Received Join/Prune on Ethernet1 from 172.16.37.33The following lines appear when a rendezvous point (RP) message is received and the RP timer is reset. The expiration timer sets a checkpoint to make sure the RP still exists. Otherwise, a new RP must be discovered.
PIM: Received RP-Reachable on Ethernet1 from 172.16.20.31 PIM: Update RP expiration timer for 224.2.0.1 PIM: Forward RP-reachability packet for 224.2.0.1 on Tunnel0The prune message in the following line states that this router is not interested in the Source-Active (SA) information. This message tells an upstream router to stop forwarding multicast packets from this source. The address 10.221.196.51/32 indicates a host route with 32 bits of mask.
PIM: Prune-list (10.221.196.51/32, 224.2.0.1)In the following line, a second router on the network wants to override the prune message that the upstream router just received. The timer is set at a random value so that if additional routers on the network still want to receive multicast packets for the group, only one will actually send the message. The other routers will receive the join message and then suppress sending their own message.
PIM: Set join delay timer to 2 seconds for (10.221.0.0/16, 224.2.0.1) on Ethernet1In the following line, a join message is sent toward the RP for all sources:
PIM: Join-list: (*, 224.2.0.1) RP 172.16.20.31In the following lines, the interface is being added to the outgoing interface (OIF) of the (*, G) and (S, G) multicast route (mroute) table entry so that packets from the source will be forwarded out that particular interface:
PIM: Add Tunnel0 to (*, 224.2.0.1), Forward state PIM: Add Tunnel0 to (10.0.0.0/8, 224.2.0.1), Forward stateThe following line appears in sparse mode only. There are two trees on which data may be received: the RP tree and the source tree. In dense mode there is no RP. After the source and the receiver have discovered one another at the RP, the first-hop router for the receiver will usually join to the source tree rather than the RP tree.
PIM: Prune-list (172.16.84.16/28, 224.2.0.1) RP-bit set RP 172.16.84.16The send prune message in the next line shows that a router is sending a message to a second router saying that the first router should no longer receive multicast packets for the (S, G). The RP at the end of the message indicates that the router is pruning the RP tree and is most likely joining the source tree, although the router may not have downstream members for the group or downstream routers with members of the group. The output shows the specific sources from which this router no longer wants to receive multicast messages.
PIM: Send Prune on Ethernet1 to 172.16.37.6 for (172.16.84.16/28, 224.2.0.1), RPThe following lines indicate that a prune message is sent toward the RP so that the router can join the source tree rather than the RP tree:
PIM: For RP, Prune-list: 10.9.0.0/16 PIM: For RP, Prune-list: 10.16.0.0/16 PIM: For RP, Prune-list: 10.49.0.0/16In the following line, a periodic message is sent toward the RP. The default period is once per minute. Prune and join messages are sent toward the RP or source rather than directly to the RP or source. It is the responsibility of the next hop router to take proper action with this message, such as continuing to forward it to the next router in the tree.
PIM: Send periodic Join/Prune to RP via 172.16.37.6 (Ethernet1)Related Commands
Command
Description
debug ip dvmrp
Displays information on DVMRP packets received and sent.
debug ip igmp
Displays IGMP packets received and sent, and displays IGMP host-related events.
debug ip igrp transactions
Displays transaction information on IGRP routing transactions.
debug ip mrouting
Displays changes to the IP multicast routing table.
debug ip sd
Displays all SD announcements received.
debug ip rgmp
To log debugging messages sent by a Router-Port Group Management Protocol (RGMP)-enabled router, use the debug ip rgmp command in privileged EXEC mode. To disable debugging outut, use the no form of this command.
Command Default
Debugging for RGMP is not enabled. If the debug ip rgmpcommand is used without arguments, debugging is enabled for all RGMP message types.
Examples
The following shows sample output from the debug ip rgmpcommand:
Router# debug ip rgmp RGMP: Sending a Hello packet on Ethernet1/0 RGMP: Sending a Join packet on Ethernet1/0 for group 224.1.2.3 RGMP: Sending a Leave packet on Ethernet1/0 for group 224.1.2.3 RGMP: Sending a Bye packet on Ethernet1/0debug ip scp
To troubleshoot secure copy (SCP) authentication problems, use the debug ip scp command in privileged EXEC mode. To disable debugging output, use the no form of this command.
Command History
Release
Modification
12.2(2)T
This command was introduced.
12.0(21)S
This command was integrated into Cisco IOS Release 12.0(21)S.
12.2(22)S
This command was integrated into Cisco IOS Release 12.2(22)S.
12.2(25)S
This command was integrated into Cisco IOS Release 12.2(25)S.
12.2(18)SXD
This command was integrated into Cisco IOS Release 12.2(18)SXD.
Examples
The following example is output from the debug ip scp command. In this example, a copy of the file scptest.cfg from a UNIX host running configuration of the router was successful.
Router# debug ip scp 4d06h:SCP:[22 -> 10.11.29.252:1018] send <OK> 4d06h:SCP:[22 <- 10.11.29.252:1018] recv C0644 20 scptest.cfg 4d06h:SCP:[22 -> 10.11.29.252:1018] send <OK> 4d06h:SCP:[22 <- 10.11.29.252:1018] recv 20 bytes 4d06h:SCP:[22 <- 10.11.29.252:1018] recv <OK> 4d06h:SCP:[22 -> 10.11.29.252:1018] send <OK> 4d06h:SCP:[22 <- 10.11.29.252:1018] recv <EOF>The following example is also output from the debug ip scp command, but in this example, the user has privilege 0 and is therefore denied:
Router# debug ip scp 4d06h:SCP:[22 -> 10.11.29.252:1018] send Privilege denied.debug ip ssh
To display debugging messages for Secure Shell (SSH), use the debug ip ssh command in privileged EXEC mode. To disable debugging output, use the no form of this command.
Examples
The following example shows the SSH debugging output:
Router# debug ip ssh 00:53:46: SSH0: starting SSH control process 00:53:46: SSH0: Exchanging versions - SSH-1.5-Cisco-1.25 00:53:46: SSH0: client version is - SSH-1.5-1.2.25 00:53:46: SSH0: SSH_SMSG_PUBLIC_KEY message sent 00:53:46: SSH0: SSH_CMSG_SESSION_KEY message received 00:53:47: SSH0: keys exchanged and encryption on 00:53:47: SSH0: authentication request for userid guest 00:53:47: SSH0: authentication successful for jcisco 00:53:47: SSH0: starting exec shellThe following example shows the SSH detail output:
Router# debug ip ssh detail 00:04:22: SSH0: starting SSH control process 00:04:22: SSH0: sent protocol version id SSH-1.99-Cisco-1.25 00:04:22: SSH0: protocol version id is - SSH-1.99-Cisco-1.25 00:04:22: SSH2 0: SSH2_MSG_KEXINIT sent 00:04:22: SSH2 0: SSH2_MSG_KEXINIT received 00:04:22: SSH2:kex: client->server enc:aes128-cbc mac:hmac-sha1 00:04:22: SSH2:kex: server->client enc:aes128-cbc mac:hmac-sha1 00:04:22: SSH2 0: expecting SSH2_MSG_KEXDH_INIT 00:04:22: SSH2 0: SSH2_MSG_KEXDH_INIT received 00:04:22: SSH2: kex_derive_keys complete 00:04:22: SSH2 0: SSH2_MSG_NEWKEYS sent 00:04:22: SSH2 0: waiting for SSH2_MSG_NEWKEYS 00:04:22: SSH2 0: SSH2_MSG_NEWKEYS received 00:04:24: SSH2 0: authentication successful for lab 00:04:24: SSH2 0: channel open request 00:04:24: SSH2 0: pty-req request 00:04:24: SSH2 0: setting TTY - requested: height 24, width 80; set: height 24, width 80 00:04:24: SSH2 0: shell request 00:04:24: SSH2 0: shell message received 00:04:24: SSH2 0: starting shell for vty 00:04:38: SSH0: Session terminated normallyThe following example shows the SSH packet output:
Router# debug ip ssh packet 00:05:43: SSH2 0: send:packet of length 280 (length also includes padlen of 4) 00:05:43: SSH2 0: ssh_receive: 64 bytes received 00:05:43: SSH2 0: input: total packet length of 280 bytes 00:05:43: SSH2 0: partial packet length(block size)8 bytes,needed 272 bytes, maclen 0 00:05:43: SSH2 0: ssh_receive: 64 bytes received 00:05:43: SSH2 0: partial packet length(block size)8 bytes,needed 272 bytes, maclen 0 00:05:43: SSH2 0: ssh_receive: 64 bytes received 00:05:43: SSH2 0: partial packet length(block size)8 bytes,needed 272 bytes, maclen 0 00:05:43: SSH2 0: ssh_receive: 64 bytes received 00:05:43: SSH2 0: partial packet length(block size)8 bytes,needed 272 bytes, maclen 0 00:05:43: SSH2 0: ssh_receive: 24 bytes received 00:05:43: SSH2 0: partial packet length(block size)8 bytes,needed 272 bytes, maclen 0 00:05:43: SSH2 0: input: padlength 4 bytes 00:05:43: SSH2 0: ssh_receive: 64 bytes received 00:05:43: SSH2 0: input: total packet length of 144 bytes 00:05:43: SSH2 0: partial packet length(block size)8 bytes,needed 136 bytes, maclen 0 00:05:43: SSH2 0: ssh_receive: 64 bytes received 00:05:43: SSH2 0: partial packet length(block size)8 bytes,needed 136 bytes, maclen 0 00:05:43: SSH2 0: ssh_receive: 16 bytes received 00:05:43: SSH2 0: partial packet length(block size)8 bytes,needed 136 bytes, maclen 0 00:05:43: SSH2 0: input: padlength 6 bytes 00:05:43: SSH2 0: signature length 143 00:05:43: SSH2 0: send:packet of length 448 (length also includes padlen of 7) 00:05:43: SSH2 0: send:packet of length 16 (length also includes padlen of 10) 00:05:43: SSH2 0: newkeys: mode 1 00:05:43: SSH2 0: ssh_receive: 16 bytes received 00:05:43: SSH2 0: input: total packet length of 16 bytes 00:05:43: SSH2 0: partial packet length(block size)8 bytes,needed 8 bytes, maclen 0 00:05:43: SSH2 0: input: padlength 10 bytes 00:05:43: SSH2 0: newkeys: mode 0 00:05:43: SSH2 0: ssh_receive: 52 bytes received 00:05:43: SSH2 0: input: total packet length of 32 bytes 00:05:43: SSH2 0: partial packet length(block size)16 bytes,needed 16 bytes, maclen 20 00:05:43: SSH2 0: MAC compared for #3 :okdebug ipv6 snooping
To enable debugging for security snooping information in IPv6, use the debug ipv6 snoopingcommand in privileged EXEC mode.
debug ipv6 snooping [ binding-table | classifier | errors | feature-manager | filter acl | ha | hw-api | interface interface | memory | ndp-inspection | policy | vlan vlanid | switcher | filter acl | interface interface | vlanid ]
no debug ipv6 snooping
Syntax Description
binding-table
(Optional) Displays information about the neighbor binding table.
classifier
(Optional) Displays information about the classifier.
errors
(Optional) Displays information about snooping security errors.
feature-manager
(Optional) Displays feature manager information.
filter acl
(Optional) Allows users to configure an access list to filter debugged traffic.
ha
(Optional) Displays information about high availability (HA) and stateful switchover (SSO).
hw-api
(Optional) Displays information about the hardware API.
interface interface
(Optional) Provides debugging information on a specified interface.
memory
(Optional) Displays information about security snooping memory.
ndp-inspection
(Optional) Displays information about Neighbor Discovery inspection.
policy
(Optional)
switcher
(Optional) Displays packets handled by the switcher.
vlanid
(Optional) Provides debugging information about a specified VLAN ID.
Usage Guidelines
The debug ipv6 snoopingcommand provides debugging output for IPv6 snooping information.
Because debugging output is assigned high priority in the CPU process, you should use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff.
debug ipv6 snooping raguard
To enable debugging for security snooping information in the IPv6 router advertisement (RA) guard feature, use the debug ipv6 snooping raguard command in privileged EXEC mode.
Syntax Description
filter
(Optional) Allows users to configure an access list to filter debugged traffic.
interface
(Optional) Provides debugging information about a specified interface configured with the IPv6 RA guard feature.
vlanid
(Optional) Provides debugging information about a specified VLAN ID configured with the IPv6 RA guard feature.
Usage Guidelines
The debug ipv6 snooping raguard command provides debugging output for IPv6 RA guard events and errors that may occur.
Because debugging output is assigned high priority in the CPU process, you should use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Also, you should use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
debug lacp
To enable debugging of all Link Aggregation Control Protocol (LACP) activity, use the debug lacpcommand in privileged EXEC mode. To disable LACP debugging, use the no form of this command.
debug lacp [ all | event | fsm | misc | multi-chassis [ all | database | lacp-mgr | redundancy-group | user-interface ] | packet ]
no debug lacp [ all | event | fsm | misc | multi-chassis [ all | database | lacp-mgr | redundancy-group | user-interface ] | packet ]
Syntax Description
all
(Optional) Activates debugging for all LACP operations.
event
(Optional) Activates debugging of events that occur within LACP.
fsm
(Optional) Activates debugging for changes within the LACP finite state machine.
misc
(Optional) Activates debugging for various operations that may be useful for monitoring the status of LACP.
multi-chassis
(Optional) Activates multi-chassis LACP (mLACP) debugging.
all
(Optional) Activates all mLACP debugging.
database
(Optional) Activates mLACP database debugging.
lacp-mgr
(Optional) Activates mLACP interface debugging.
redundancy-group
(Optional) Activates mLACP interchassis redundancy group debugging.
user-interface
(Optional) Activates mLACP interchassis user interface debugging.
packet
(Optional) Displays the receiving and transmitting LACP control packets.
Command History
Release
Modification
12.1(13)EW
Support for this command was introduced on the Cisco Catalyst 4500 series switch.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB.
12.2(33)SRB
Support for this command on the Cisco 7600 router was integrated into Cisco IOS Release 12.2(33)SRB.
Cisco IOS XE Release 2.4
This command was integrated into Cisco IOS XE Release 2.4.
12.2(33)SRE
This command was modified. The following keywords were added: multi-chassis, all, database, lacp-mgr, redundancy-group, and user-interface.
Examples
The following sample output from the debug lacp all command shows LACP activity on a port-channel member link Gigabit Ethernet 5/0/0:
Router# debug lacp all Link Aggregation Control Protocol all debugging is on Router1# *Aug 20 17:21:51.685: LACP :lacp_bugpak: Receive LACP-PDU packet via Gi5/0/0 *Aug 20 17:21:51.685: LACP : packet size: 124 *Aug 20 17:21:51.685: LACP: pdu: subtype: 1, version: 1 *Aug 20 17:21:51.685: LACP: Act: tlv:1, tlv-len:20, key:0x1, p-pri:0x8000, p:0x14, p-state:0x3C, s-pri:0xFFFF, s-mac:0011.2026.7300 *Aug 20 17:21:51.685: LACP: Part: tlv:2, tlv-len:20, key:0x5, p-pri:0x8000, p:0x42, p-state:0x3D, s-pri:0x8000, s-mac:0014.a93d.4a00 *Aug 20 17:21:51.685: LACP: col-tlv:3, col-tlv-len:16, col-max-d:0x8000 *Aug 20 17:21:51.685: LACP: term-tlv:0 termr-tlv-len:0 *Aug 20 17:21:51.685: LACP: Gi5/0/0 LACP packet received, processing *Aug 20 17:21:51.685: lacp_rx Gi5: during state CURRENT, got event 5(recv_lacpdu) *Aug 20 17:21:59.869: LACP: lacp_p(Gi5/0/0) timer stopped *Aug 20 17:21:59.869: LACP: lacp_p(Gi5/0/0) expired *Aug 20 17:21:59.869: lacp_ptx Gi5: during state SLOW_PERIODIC, got event 3(pt_expired) *Aug 20 17:21:59.869: @@@ lacp_ptx Gi5: SLOW_PERIODIC -> PERIODIC_TX *Aug 20 17:21:59.869: LACP: Gi5/0/0 lacp_action_ptx_slow_periodic_exit entered *Aug 20 17:21:59.869: LACP: lacp_p(Gi5/0/0) timer stopped *Aug 20 17:22:00.869: LACP: lacp_t(Gi5/0/0) timer stopped *Aug 20 17:22:00.869: LACP: lacp_t(Gi5/0/0) expired *Aug 20 17:22:19.089: LACP :lacp_bugpak: Receive LACP-PDU packet via Gi5/0/0 *Aug 20 17:22:19.089: LACP : packet size: 124 *Aug 20 17:22:19.089: LACP: pdu: subtype: 1, version: 1 *Aug 20 17:22:19.089: LACP: Act: tlv:1, tlv-len:20, key:0x1, p-pri:0x8000, p:0x14, p-state:0x4, s-pri:0xFFFF, s-mac:0011.2026.7300 *Aug 20 17:22:19.089: LACP: Part: tlv:2, tlv-len:20, key:0x5, p-pri:0x8000, p:0x42, p-state:0x34, s-pri:0x8000, s-mac:0014.a93d.4a00 *Aug 20 17:22:19.089: LACP: col-tlv:3, col-tlv-len:16, col-max-d:0x8000 *Aug 20 17:22:19.089: LACP: term-tlv:0 termr-tlv-len:0 *Aug 20 17:22:19.089: LACP: Gi5/0/0 LACP packet received, processing *Aug 20 17:22:19.089: lacp_rx Gi5: during state CURRENT, got event 5(recv_lacpdu) *Aug 20 17:22:19.989: LACP: lacp_t(Gi5/0/0) timer stopped *Aug 20 17:22:19.989: LACP: lacp_t(Gi5/0/0) expired *Aug 20 17:22:19.989: LACP: timer lacp_t(Gi5/0/0) started with interval 1000. *Aug 20 17:22:19.989: LACP: lacp_send_lacpdu: (Gi5/0/0) About to send the 110 LACPDU *Aug 20 17:22:19.989: LACP :lacp_bugpak: Send LACP-PDU packet via Gi5/0/0 *Aug 20 17:22:19.989: LACP : packet size: 124 *Aug 20 17:22:20.957: LACP: lacp_t(Gi5/0/0) timer stopped *Aug 20 17:22:20.957: LACP: lacp_t(Gi5/0/0) expired *Aug 20 17:22:21.205: %LINK-3-UPDOWN: Interface GigabitEthernet5/0/0, changed state to down *Aug 20 17:22:21.205: LACP: lacp_hw_off: Gi5/0/0 is going down *Aug 20 17:22:21.205: LACP: if_down: Gi5/0/0 *Aug 20 17:22:21.205: lacp_ptx Gi5: during state SLOW_PERIODIC, got event 0(no_periodic) *Aug 20 17:22:22.089: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel5, changed state to down *Aug 20 17:22:22.153: %C10K_ALARM-6-INFO: CLEAR CRITICAL GigE 5/0/0 Physical Port Link Down *Aug 20 17:22:23.413: LACP: Gi5/0/0 oper-key: 0x0 *Aug 20 17:22:23.413: LACP: lacp_hw_on: Gi5/0/0 is coming up *Aug 20 17:22:23.413: lacp_ptx Gi5: during state NO_PERIODIC, got event 0(no_periodic) *Aug 20 17:22:23.413: @@@ lacp_ptx Gi5: NO_PERIODIC -> NO_PERIODIC *Aug 20 17:22:23.413: LACP: Gi5/0/0 lacp_action_ptx_no_periodic entered *Aug 20 17:22:23.413: LACP: lacp_p(Gi5/0/0) timer stopped *Aug 20 17:22:24.153: %LINK-3-UPDOWN: Interface GigabitEthernet5/0/0, changed state to up *Aug 20 17:22:24.153: LACP: lacp_hw_on: Gi5/0/0 is coming up *Aug 20 17:22:24.153: lacp_ptx Gi5: during state FAST_PERIODIC, got event 0(no_periodic) *Aug 20 17:22:24.153: @@@ lacp_ptx Gi5: FAST_PERIODIC -> NO_PERIODIC *Aug 20 17:22:24.153: LACP: Gi5/0/0 lacp_action_ptx_fast_periodic_exit entered *Aug 20 17:22:24.153: LACP: lacp_p(Gi5/0/0) timer stopped *Aug 20 17:22:24.153: LACP: *Aug 20 17:22:25.021: LACP: lacp_p(Gi5/0/0) timer stopped *Aug 20 17:22:25.021: LACP: lacp_p(Gi5/0/0) expired *Aug 20 17:22:25.021: lacp_ptx Gi5: during state FAST_PERIODIC, got event 3(pt_expired) *Aug 20 17:22:25.021: @@@ lacp_ptx Gi5: FAST_PERIODIC -> PERIODIC_TX *Aug 20 17:22:25.021: LACP: Gi5/0/0 lacp_action_ptx_fast_periodic_exit entered *Aug 20 17:22:25.021: LACP: lacp_p(Gi5/0/0) timer stopped *Aug 20 17:22:25.917: LACP: lacp_p(Gi5/0/0) timer stopped *Aug 20 17:22:25.917: LACP: lacp_p(Gi5/0/0) expired *Aug 20 17:22:25.917: lacp_ptx Gi5: during state FAST_PERIODIC, got event 3(pt_expired) *Aug 20 17:22:25.917: @@@ lacp_ptx Gi5: FAST_PERIODIC -> PERIODIC_TX *Aug 20 17:22:25.917: LACP: Gi5/0/0 lacp_action_ptx_fast_periodic_exit entered *Aug 20 17:22:25.917: LACP: lacp_p(Gi5/0/0) timer stopped Router1#debug ntp
To display debugging messages for Network Time Protocol (NTP) features, use the debug ntpcommand in prvileged EXEC mode. To disable debugging output, use the no form of this command.
debug ntp { adjust | all | authentication | core | events | loopfilter | packet | params | refclock | select | sync | validity }
no debug ntp { adjust | all | authentication | core | events | loopfilter | packet | params | refclock | select | sync | validity }
Syntax Description
adjust
Displays debugging information on NTP clock adjustments.
all
Displays all debugging information on NTP.
authentication
Displays debugging information on NTP authentication.
core
Displays debugging information on NTP core messages.
events
Displays debugging information on NTP events.
loopfilter
Displays debugging information on NTP loop filters.
packet
Displays debugging information on NTP packets.
params
Displays debugging information on NTP clock parameters.
refclock
Displays debugging information on NTP reference clocks.
select
Displays debugging information on NTP clock selection.
sync
Displays debugging information on NTP clock synchronization.
validity
Displays debugging information on NTP peer clock validity.
Command History
Release
Modification
12.1
This command was introduced in a release prior to Cisco IOS Release 12.1.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.4(20)T
Support for IPv6 and NTP version 4 was added. The all and core keywords were added. The authentication, loopfilter, params, select, sync and validity keywords were removed. The packets keyword was modified as packet.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S.
Cisco IOS Release 15.2(1)S
This command was integrated into Cisco IOS Release 15.2(1)S.
Usage Guidelines
Starting from Cisco IOS Release 12.4(20)T, NTP version 4 is supported. In NTP version 4 the debugging options available are adjust, all, core, events, packet, and refclock. In NTP version 3 the debugging options available were events, authentication, loopfilter, packets, params, select, sync and validity.
debug radius
To enable debugging for Remote Authentication Dial-In User Service (RADIUS) configuration, use the debug radius command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug radius [ accounting | authentication | brief | elog | failover | retransmit | verbose ]
no debug radius [ accounting | authentication | brief | elog | failover | retransmit | verbose ]
Syntax Description
accounting
(Optional) Enables debugging of RADIUS accounting collection.
authentication
(Optional) Enables debugging of RADIUS authentication packets.
brief
(Optional) Displays abbreviated debug output.
elog
(Optional) Enables RADIUS event logging.
failover
(Optional) Enables debugging of packets sent upon failover.
retransmit
(Optional) Enables retransmission of packets.
verbose
(Optional) Displays detailed debug output.
Command History
Release
Modification
11.2(1)T
This command was introduced.
12.0(2)T
The brief keyword was added. The default output format became ASCII from hexadecimal.
12.2(11)T
The verbose keyword was added.
12.3(2)T
The elog keyword was added.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
RADIUS is a distributed security system that secures networks against unauthorized access. Cisco supports RADIUS under the authentication, authorization, and accounting (AAA) security system. When RADIUS is used on the router, you can use the debug radius command to display debugging and troubleshooting information in ASCII format. Use the debug radius brief command for abbreviated output displaying client/server interaction and minimum packet information. Only the input and output transactions are recorded. Use the debug radius verbose command to include non-essential RADIUS debugs.
Examples
The following is sample output from the debug radius command:
Router# debug radius Radius protocol debugging is on Radius packet hex dump debugging is off Router# show debug 00:19:20: RADIUS/ENCODE(00000015):Orig. component type = AUTH_PROXY 00:19:20: RADIUS(00000015): Config NAS IP: 0.0.0.0 00:19:20: RADIUS/ENCODE(00000015): acct_session_id: 21 00:19:20: RADIUS(00000015): sending 00:19:20: RADIUS/ENCODE: Best Local IP-Address 33.0.0.2 for Radius-Server 33.2.0.1 00:19:20: RADIUS(00000015): Send Access-Request to 33.2.0.1:1645 id 1645/21, len 159 00:19:20: RADIUS: authenticator 2D 03 E5 A6 A5 30 1A 32 - F2 C5 EE E2 AC 5E 5D 22 00:19:20: RADIUS: User-Name [1] 11 "authproxy" 00:19:20: RADIUS: User-Password [2] 18 * 00:19:20: RADIUS: Service-Type [6] 6 Outbound [5] 00:19:20: RADIUS: Message-Authenticato[80] 18 00:19:20: RADIUS: 85 EF E8 43 03 88 58 63 78 D2 7B E7 26 61 D3 3C [ CXcx{&a<] 00:19:20: RADIUS: Vendor, Cisco [26] 49 00:19:20: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0D00000200000013001112FD" 00:19:20: RADIUS: NAS-Port-Type [61] 6 Ethernet [15] 00:19:20: RADIUS: NAS-Port [5] 6 16480 00:19:20: RADIUS: NAS-Port-Id [87] 19 "FastEthernet1/0/3" 00:19:20: RADIUS: NAS-IP-Address [4] 6 33.0.0.2 00:19:20: RADIUS(00000015): Started 5 sec timeout 00:19:20: RADIUS: Received from id 1645/21 33.2.0.1:1645, Access-Accept, len 313 00:19:20: RADIUS: authenticator E6 6E 1D 64 5A 15 FD AE - C9 60 C0 68 F5 10 E9 B7 00:19:20: RADIUS: Filter-Id [11] 8 00:19:20: RADIUS: 31 30 30 2E 69 6E [ 100.in] 00:19:20: RADIUS: Vendor, Cisco [26] 19 00:19:20: RADIUS: Cisco AVpair [1] 13 "priv-lvl=15" 00:19:20: RADIUS: Termination-Action [29] 6 1 00:19:20: RADIUS: Vendor, Cisco [26] 45 00:19:20: RADIUS: Cisco AVpair [1] 39 "supplicant-name=Port-description test" 00:19:20: RADIUS: Vendor, Cisco [26] 38 00:19:20: RADIUS: Cisco AVpair [1] 32 "security-group-tag=2468-C0FFEE" 00:19:20: RADIUS: Vendor, Cisco [26] 33 00:19:20: RADIUS: Cisco AVpair [1] 27 "supplicant-group=engineer" 00:19:20: RADIUS: Vendor, Cisco [26] 36 00:19:20: RADIUS: Cisco AVpair [1] 30 "supplicant-group=idf_testing" 00:19:20: RADIUS: Vendor, Cisco [26] 28 00:19:20: RADIUS: Cisco AVpair [1] 22 "authz-directive=open" 00:19:20: RADIUS: Vendor, Cisco [26] 32 00:19:20: RADIUS: Cisco AVpair [1] 26 "supplicant-group=group-9" 00:19:20: RADIUS: Class [25] 30 00:19:20: RADIUS: 43 41 43 53 3A 63 2F 61 37 31 38 38 61 2F 32 31 [CACS:c/a7188a/21] 00:19:20: RADIUS: 30 30 30 30 30 32 2F 31 36 34 38 30 [ 000002/16480] 00:19:20: RADIUS: Message-Authenticato[80] 18 00:19:20: RADIUS: 24 13 29 95 A1 5E 9F D3 CB ED 78 F1 F6 62 2B E3 [ $)^xb+] 00:19:20: RADIUS(00000015): Received from id 1645/21 00:19:20: RADIUS/DECODE: parse unknown cisco vsa "supplicant-group" - IGNORE 00:19:20: RADIUS/DECODE: parse unknown cisco vsa "supplicant-group" - IGNORE 00:19:20: RADIUS/DECODE: parse unknown cisco vsa "authz-directive" - IGNORE 00:19:20: RADIUS/DECODE: parse unknown cisco vsa "supplicant-group" - IGNORE 00:19:20: RADIUS/ENCODE(00000015):Orig. component type = AUTH_PROXY 00:19:20: RADIUS(00000015): Config NAS IP: 0.0.0.0 00:19:20: RADIUS(00000015): sending 00:19:20: RADIUS/ENCODE: Best Local IP-Address 33.0.0.2 for Radius-Server 33.2.0.1 00:19:20: RADIUS(00000015): Send Accounting-Request to 33.2.0.1:1646 id 1646/1, len 204 00:19:20: RADIUS: authenticator A7 6B A0 94 F4 63 30 51 - 8A CE 8C F4 8A 8E 0B CC 00:19:20: RADIUS: Acct-Session-Id [44] 10 "00000015" 00:19:20: RADIUS: Calling-Station-Id [31] 10 "13.1.0.1" 00:19:20: RADIUS: Vendor, Cisco [26] 49 00:19:20: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0D00000200000013001112FD"The following is sample output from the debug radius brief command:
Router# debug radius brief Radius protocol debugging is on Radius packet hex dump debugging is off Radius protocol in brief format debugging is on 00:05:21: RADIUS: Initial Transmit ISDN 0:D:23 id 6 10.0.0.1:1824, Accounting-Request, len 358 00:05:21: %ISDN-6-CONNECT: Interface Serial0:22 is now connected to 4085274206 00:05:26: RADIUS: Retransmit id 6 00:05:31: RADIUS: Tried all servers. 00:05:31: RADIUS: No valid server found. Trying any viable server 00:05:31: RADIUS: Tried all servers. 00:05:31: RADIUS: No response for id 7 00:05:31: RADIUS: Initial Transmit ISDN 0:D:23 id 8 10.0.0.0:1823, Access-Request, len 171 00:05:36: RADIUS: Retransmit id 8 00:05:36: RADIUS: Received from id 8 1.7.157.1:1823, Access-Accept, len 115 00:05:47: %ISDN-6-DISCONNECT: Interface Serial0:22 disconnected from 4085274206, call lasted 26 seconds 00:05:47: RADIUS: Initial Transmit ISDN 0:D:23 id 9 10.0.0.1:1824, Accounting-Request, len 775 00:05:47: RADIUS: Received from id 9 1.7.157.1:1824, Accounting-response, len 20The following example shows how to enable debugging of RADIUS accounting collection:
Router# debug radius accounting Radius protocol debugging is on Radius protocol brief debugging is off Radius protocol verbose debugging is off Radius packet hex dump debugging is off Radius packet protocol (authentication) debugging is off Radius packet protocol (accounting) debugging is on Radius packet retransmission debugging is off Radius server fail-over debugging is off Radius elog debugging is offdebug snmp packet
To display information about every Simple Network Management Protocol (SNMP) packet sent or received by the router, use the debug snmp packet command in privileged EXEC mode. To disable debugging output, use the no form of this command.
Command History
Release
Modification
12.0(24)S
This command was introduced.
12.3(2)T
This command was integrated into Cisco IOS Release 12.3(2)T.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
12.2(33)SB
This command was integrated into Cisco IOS Release 12.2(33)SB.
Cisco IOS XE Release 2.5
This command was implemented on Cisco ASR 1000 series routers.
Examples
The following is sample output from the debug snmp packetcommand. In this example, the router receives a get-next request from the host at 192.10.2.10 and responds with the requested information.
Router# debug snmp packet SNMP: Packet received via UDP from 192.10.2.10 on Ethernet0 SNMP: Get-next request, reqid 23584, errstat 0, erridx 0 sysUpTime = NULL TYPE/VALUE system.1 = NULL TYPE/VALUE system.6 = NULL TYPE/VALUE SNMP: Response, reqid 23584, errstat 0, erridx 0 sysUpTime.0 = 2217027 system.1.0 = Cisco Internetwork Operating System Software system.6.0 = SNMP: Packet sent via UDP to 192.10.2.10Based on the kind of packet sent or received, the output may vary. For get-bulk requests, a line similar to the following is displayed:
SNMP: Get-bulk request, reqid 23584, nonrptr 10, maxreps 20For traps, a line similar to the following is displayed:
SNMP: V1 Trap, ent 1.3.6.1.4.1.9.1.13, gentrap 3, spectrap 0The table below describes the significant fields shown in the display.
Table 6 debug snmp packet Field Descriptions Field
Description
Get-next request
Indicates what type of SNMP protocol data unit (PDU) the packet is. Possible types are as follows:
Depending on the type of PDU, the rest of this line displays different fields. The indented lines following this line list the MIB object names and corresponding values.
reqid
Request identification number. This number is used by the SNMP manager to match responses with requests.
errstat
Error status. All PDU types other than response will have an errstat of 0. If the agent encounters an error while processing the request, it will set errstat in the response PDU to indicate the type of error.
erridx
Error index. This value will always be 0 in all PDUs other than responses. If the agent encounters an error, the erridx will be set to indicate which varbind in the request caused the error. For example, if the agent had an error on the second varbind in the request PDU, the response PDU will have an erridx equal to 2.
nonrptr
Nonrepeater value. This value and the maximum repetition value are used to determine how many varbinds are returned. Refer to RFC 1905 for details.
maxreps
Maximum repetition value. This value and the nonrepeater value are used to determine how many varbinds are returned. Refer to RFC 1905 for details.
ent
Enterprise object identifier. Refer to RFC 1215 for details.
gentrap
Generic trap value. Refer to RFC 1215 for details.
spectrap
Specific trap value. Refer to RFC 1215 for details.
debug track
To display tracking activity for tracked objects, use the debug track command in privileged EXEC mode. To turn off output, use the no form of this command.
Command History
Release
Modification
12.2(15)T
This command was introduced.
12.3(8)T
The output was enhanced to include the track-list objects.
12.2(25)S
This command was integrated into Cisco IOS Release 12.2(25)S.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Cisco IOS XE Release 2.1
This command was integrated into Cisco IOS XE Release 2.1.
Usage Guidelines
Use this command to display activity for objects being tracked by the tracking process. These objects can be the state of IP routing, the line-protocol state of an interface, the IP-route reachability, and the IP-route threshold metric.
Examples
The following example shows that object number 100 is being tracked and that the state of IP routing on Ethernet interface 0/2 is down:
Router# debug track Feb 26 19:56:23.247:Track:100 Adding interface object Feb 26 19:56:23.247:Track:Initialise Feb 26 19:56:23.247:Track:100 New interface Et0/2, ip routing Down Feb 26 19:56:23.247:Track:Starting processThe following example shows that object number 100 is being tracked and that the state of IP routing on Ethernet interface 0/2 has changed and is back up:
Router# debug track Feb 26 19:56:41.247:Track:100 Change #2 interface Et0/2, ip routing Down->Up 00:15:07:%LINK-3-UPDOWN:Interface Ethernet0/2, changed state to up 00:15:08:%LINEPROTO-5-UPDOWN:Line protocol on Interface Ethernet0/2, changed state to updebug vrrp ha
To display debugging messages for Virtual Router Redundancy Protocol (VRRP) high availability, use the debug vrrp hacommand in privileged EXEC mode. To disable debugging output, use the no form of this command.
Examples
The following examples for the debug vrrp hacommand display the syncing of VRRP state information from the Active RP to the Standby RP.
The following sample output displays two VRRP state changes on the Active RP:
Router# debug vrrp ha . . . *Nov 14 11:36:50.272 UTC: VRRP: Gi3/2 Grp 42 RF Encode state Backup into sync buffer *Nov 14 11:36:50.272 UTC: %VRRP-6-STATECHANGE: Gi3/2 Grp 42 state Init -> Backup *Nov 14 11:36:53.884 UTC: VRRP: Gi3/2 Grp 42 RF Encode state Master into sync buffer *Nov 14 11:36:53.884 UTC: %VRRP-6-STATECHANGE: Gi3/2 Grp 42 state Backup -> MasterThe following sample output displays two VRRP state changes on the Standby RP:
Router# debug vrrp ha . . . *Nov 14 11:36:50.392 UTC: STDBY: VRRP: Gi3/2 Grp 42 RF sync state Init -> Backup *Nov 14 11:36:53.984 UTC: STDBY: VRRP: Gi3/2 Grp 42 RF sync state Backup -> Master
