Feedback
Table Of Contents
D through F Commands
debug aaa
To show debug messages for AAA, use the debug aaa command in privileged EXEC mode. To stop showing AAA messages, use the no form of this command.
debug aaa [ accounting | authentication | authorization | internal | vpn [ level ] ]
no debug aaa
Syntax Description
Defaults
The default level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
The debug aaa command displays detailed information about AAA activity. The no debug all or undebug all commands turn off all enabled debugs.
Examples
The following example enables debugging for AAA functions supported by the local database:
hostname(config)# debug aaa internaldebug aaa internal enabled at level 1hostname(config)# uap allocated. remote address: 10.42.15.172, Session_id: 2147483841uap freed for user . remote address: 10.42.15.172, session id: 2147483841Related Commands
debug arp
To show debug messages for ARP, use the debug arp command in privileged EXEC mode. To stop showing debug messages for ARP, use the no form of this command.
debug arp
no debug arp
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for ARP:
hostname# debug arpRelated Commands
arp
Adds a static ARP entry.
show arp statistics
Shows ARP statistics.
show debug
Shows all enabled debuggers.
debug arp-inspection
To show debug messages for ARP inspection, use the debug arp-inspection command in privileged EXEC mode. To stop showing debug messages for ARP inspection, use the no form of this command.
debug arp-inspection
no debug arp-inspection
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
—
•
•
•
—
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for ARP inspection:
hostname# debug arp-inspectionRelated Commands
arp
Adds a static ARP entry.
arp-inspection
For transparent firewall mode, inspects ARP packets to prevent ARP spoofing.
show debug
Shows all enabled debuggers.
debug asdm history
To view debug information for ASDM, use the debug asdm history command in privileged EXEC mode.
debug asdm history level
Syntax Description
Defaults
The default level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
7.0
This command was changed from the debug pdm history command to the debug asdm history command.
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables level 1 debugging of ASDM:
hostname# debug asdm historydebug asdm history enabled at level 1hostname#Related Commands
debug cmgr
To show debug messages about the SSM card manager, use the debug cmgr command in privileged EXEC mode. To stop showing debug messages for the card manager, use the no form of this command.
debug cmgr [level]
no debug cmgr [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for the card manager:
hostname# debug cmgrRelated Commands
debug context
To show debug messages when you add or delete a security context, use the debug context command in privileged EXEC mode. To stop showing debug messages for contexts, use the no form of this command.
debug context [level]
no debug context [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
—
—
•
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for context management:
hostname# debug contextRelated Commands
debug cplane
To show debug messages about the control plane that connects internally to an SSM, use the debug cplane command in privileged EXEC mode. To stop showing debug messages for the control plane, use the no form of this command.
debug cplane [level]
no debug cplane [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for the control plane:
hostname# debug cplaneRelated Commands
debug crypto ca
To show debug messages for PKI activity (used with CAs), use the debug crypto ca command in privileged EXEC mode. To stop showing debug messages for PKI, use the no form of this command.
debug crypto ca [messages | transactions] [level]
no debug crypto ca [messages | transactions] [level]
Syntax Description
Defaults
By default, this command shows all debug messages. The default level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for PKI:
hostname# debug crypto caRelated Commands
debug crypto engine
Shows debug messages for the crypto engine.
debug crypto ipsec
Shows debug messages for IPSec.
debug crypto isakmp
Shows debug messages for ISAKMP.
debug crypto engine
To show debug messages for the crypto engine, use the debug crypto engine command in privileged EXEC mode. To stop showing debug messages for the crypto engine, use the no form of this command.
debug crypto engine [level]
no debug crypto engine [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for the crypto engine:
hostname# debug crypto engineRelated Commands
debug crypto ca
Shows debug messages for the CA.
debug crypto ipsec
Shows debug messages for IPSec.
debug crypto isakmp
Shows debug messages for ISAKMP.
debug crypto ipsec
To show debug messages for IPSec, use the debug crypto ipsec command in privileged EXEC mode. To stop showing debug messages for IPSec, use the no form of this command.
debug crypto ipsec [level]
no debug crypto ipsec [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
—
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for IPSec:
hostname# debug crypto ipsecRelated Commands
debug crypto ca
Shows debug messages for the CA.
debug crypto engine
Shows debug messages for the crypto engine.
debug crypto isakmp
Shows debug messages for ISAKMP.
debug crypto isakmp
To show debug messages for ISAKMP, use the debug crypto isakmp command in privileged EXEC mode. To stop showing debug messages for ISAKMP, use the no form of this command.
debug crypto isakmp [timers] [level]
no debug crypto isakmp [timers] [level]
Syntax Description
Defaults
The default level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
—
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for ISAKMP:
hostname# debug crypto isakmpRelated Commands
debug crypto ca
Shows debug messages for the CA.
debug crypto engine
Shows debug messages for the crypto engine.
debug crypto ipsec
Shows debug messages for IPSec.
debug ctiqbe
To show debug messages for CTIQBE application inspection, use the debug ctiqbe command in privileged EXEC mode. To stop showing debug messages for CTIQBE application inspection, use the no form of this command.
debug ctiqbe [level]
no debug ctiqbe [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.
Note
Examples
The following example enables debug messages at the default level (1) for CTIQBE application inspection:
hostname# debug ctiqbeRelated Commands
debug dhcpc
To enable debugging of the DHCP client, use the debug dhcpc command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug dhcpc {detail | packet | error} [level]
no debug dhcpc {detail | packet | error} [level]
Syntax Description
Defaults
The default debug level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
•
—
Command History
Usage Guidelines
Displays DHCP client debug information.
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example shows how to enable debugging for the DHCP client:
hostname# debug dhcpc detail 5debug dhcpc detail enabled at level 5Related Commands
debug dhcpd
To enable debugging of the DHCP server, use the debug dhcpd command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug dhcpd {event | packet} [level]
no debug dhcpd {event | packet} [level]
Syntax Description
Defaults
The default debug level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
The debug dhcpd event command displays event information about the DHCP server. The debug dhcpd packet command displays packet information about the DHCP server.
Use the no form of the debug dhcpd commands to disable debugging.
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following shows an example of enabling DHCP event debugging:
hostname# debug dhcpd eventdebug dhcpd event enabled at level 1Related Commands
show dhcpd
Displays DHCP binding, statistic, or state information.
show running-config dhcpd
Displays the current DHCP server configuration.
debug dhcprelay
To enable debugging of the DHCP relay server, use the debug dhcpreleay command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug dhcprelay {event | packet | error} [level]
no debug dhcprelay {event | packet | error} [level]
Syntax Description
Defaults
The default debug level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
•
—
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example shows how to enable debugging for DHCP relay agent error messages:
hostname# debug dhcprelay errordebug dhcprelay error enabled at level 1Related Commands
debug disk
To display file system debug information, use the debug disk command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.
debug disk {file | file-verbose | filesystem} [level]
no debug disk {file | file-verbose | filesystem}
Syntax Description
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables file-level disk debug messages. The show debug command reveals that file-level disk debug messages are enabled. The dir command causes several debug messages.
hostname# debug disk filedebug disk file enabled at level 1hostname# show debugdebug vpn-sessiondb enabled at level 1hostname# dirIFS: Opening: file flash:/, flags 1, mode 0IFS: Opened: file flash:/ as fd 3IFS: Getdent: fd 3IFS: Getdent: fd 3IFS: Getdent: fd 3IFS: Getdent: fd 3Directory of flash:/IFS: Close: fd 3IFS: Opening: file flash:/, flags 1, mode 04 -rw- 5124096 14:42:27 Apr 04 2005 cdisk.binIFS: Opened: file flash:/ as fd 39 -rw- 5919340 14:53:39 Apr 04 2005 ASDMIFS: Getdent: fd 311 drw- 0 15:18:56 Apr 21 2005 syslogIFS: Getdent: fd 3IFS: Getdent: fd 3IFS: Getdent: fd 3IFS: Close: fd 316128000 bytes total (5047296 bytes free)Related Commands
debug dns
To show debug messages for DNS, use the debug dns command in privileged EXEC mode. To stop showing debug messages for DNS, use the no form of this command.
debug dns [resolver | all] [level]
no debug dns [resolver | all] [level]
Syntax Description
Defaults
The default level is 1. If you do not specify any keywords, the security appliance shows all mesages.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for DNS:
hostname# debug dnsRelated Commands
debug entity
To display management information base (MIB) debug information, use the debug entity command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.
debug entity [level]
no debug entity
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables MIB debug messages. The show debug command reveals that MIB debug messages are enabled.
hostname# debug entitydebug entity enabled at level 1hostname# show debugdebug entity enabled at level 1hostname#Related Commands
debug fixup
To display detailed information about application inspection, use the debug fixup command in privileged EXEC mode. To disable debugging, Use the no form of this command.
debug fixup
no debug fixup
Defaults
All options are enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
The debug fixup command displays detailed information about application inspection. The no debug all or undebug all commands turn off all enabled debugs.
Examples
The following example enables the display of detailed information about application inspection:
hostname# debug fixupRelated Commands
debug fover
To display failover debug information, use the debug fover command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.
debug fover {cable | fail | fmsg | ifc | open | rx | rxdmp | rxip | switch | sync | tx | txdmp | txip | verify}
no debug fover {cable | fail | fmsg | ifc | open | rx | rxdmp | rxip | switch | sync | tx | txdmp | txip | verify}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example shows how to display debug information for failover command replication:
hostname# debug fover syncfover event trace onRelated Commands
show failover
Displays information about the failover configuration and operational statistics.
debug fsm
To display FSM debug information, use the debug fsm command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.
debug fsm [level]
no debug fsm
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables FSM debug messages. The show debug command reveals that FSM debug messages are enabled.
hostname# debug fsmdebug fsm enabled at level 1hostname# show debugdebug fsm enabled at level 1hostname#Related Commands
debug ftp client
To show debug messages for FTP, use the debug ftp client command in privileged EXEC mode. To stop showing debug messages for FTP, use the no form of this command.
debug ftp client [level]
no debug ftp client [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.
Note
Examples
The following example enables debug messages at the default level (1) for FTP:
hostname# debug ftp clientRelated Commands
debug generic
To display miscellaneous debug information, use the debug generic command in privileged EXEC mode. To disable the display of miscellaneous debug information, use the no form of this command.
debug generic [level]
no debug generic
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables miscellaneous debug messages. The show debug command reveals that miscellaneous debug messages are enabled.
hostname# debug genericdebug generic enabled at level 1hostname# show debugdebug generic enabled at level 1hostname#Related Commands
debug gtp
To display detailed information about GTP inspection, use the debug gtp command in privileged EXEC mode. To disable debugging, Use the no form of this command.
debug gtp [ error | event | ha | parser ]
no debug gtp [ error | event | ha | parser ]
Syntax Description
Defaults
All options are enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
The debug gtp command displays detailed information about GTP inspection. The no debug all or undebug all commands turn off all enabled debugs.
Note
Examples
The following example enables the display of detailed information about GTP inspection:
hostname# debug gtpRelated Commands
debug h323
To show debug messages for H.323, use the debug h323 command in privileged EXEC mode. To stop showing debug messages for H.323, use the no form of this command.
debug h323 {h225 | h245 | ras} [asn | event]
no debug h323 {h225 | h245 | ras} [asn | event]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.
Note
Examples
The following example enables debug messages at the default level (1) for H.225 signaling
hostname# debug h323 h225Related Commands
debug http
To display detailed information about HTTP traffic, use the debug http command in privileged EXEC mode. To disable debugging, Use the no form of this command.
debug http [ level ]
no debug http [ level ]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The defafult for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
The debug http command displays detailed information about HTTP traffic. The no debug all or undebug all commands turn off all enabled debugs.
Examples
The following example enables the display of detailed information about HTTP traffic:
hostname# debug httpRelated Commands
debug http-map
To show debug messages for HTTP application inspection maps, use the debug http-map command in privileged EXEC mode. To stop showing debug messages for HTTP application inspection, use the no form of this command.
debug http-map
no debug http-map
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.
Note
Examples
The following example enables debug messages at the default level (1) for HTTP application inspection:
hostname# debug http-mapRelated Commands
debug icmp
To display detailed information about ICMP inspection, use the debug icmp command in privileged EXEC mode. To disable debugging, Use the no form of this command.
debug icmp trace [ level ]
no debug icmp trace [ level ]
Syntax Description
Defaults
All options are enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
The debug icmp command displays detailed information about ICMP inspection. The no debug all or undebug all commands turn off all enabled debugs.
Examples
The following example enables the display of detailed information about ICMP inspection:
hostname# debug icmpRelated Commands
debug igmp
To display IGMP debug information, use the debug igmp command in privileged EXEC mode. To stop the display of debug information, use the no form of this command.
debug igmp [group group_id | interface if_name]
no debug igmp [group group_id | interface if_name]
Syntax Description
group group_id
Displays IGMP debug information for the specified group.
interface if_name
Display IGMP debug information for the specified interface.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
—
—
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following is sample output from the debug igmp command:
hostname#debug igmpIGMP debugging is onIGMP: Received v2 Query on outside from 192.168.3.2IGMP: Send v2 general Query on dmzIGMP: Received v2 Query on dmz from 192.168.4.1IGMP: Send v2 general Query on outsideIGMP: Received v2 Query on outside from 192.168.3.1IGMP: Send v2 general Query on insideIGMP: Received v2 Query on inside from 192.168.1.1IGMP: Received v2 Report on inside from 192.168.1.6 for 224.1.1.1IGMP: Updating EXCLUDE group timer for 224.1.1.1Related Commands
debug ils
To show debug messages for ILS, use the debug ils command in privileged EXEC mode. To stop showing debug messages for ILS, use the no form of this command.
debug ils [level]
no debug ils [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.
Note
Examples
The following example enables debug messages at the default level (1) for ILS application inspection:
hostname# debug ilsRelated Commands
debug imagemgr
To display Image Manager debug information, use the debug imagemgr command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.
debug imagemgr [level]
no debug imagemgr
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables Image Manager debug messages. The show debug command reveals that Image Manager debug messages are enabled.
hostname# debug imagemgrdebug imagemgr enabled at level 1hostname# show debugdebug imagemgr enabled at level 1hostname#Related Commands
debug ipsec-over-tcp
To display IPSec-over-TCP debug information, use the debug ipsec-over-tcp command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.
debug ipsec-over-tcp [level]
no debug ipsec-over-tcp
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables IPSec-over-TCP debug messages. The show debug command reveals that IPSec-over-TCP debug messages are enabled.
hostname# debug ipsec-over-tcpdebug ipsec-over-tcp enabled at level 1hostname# show debugdebug ipsec-over-tcp enabled at level 1hostname#Related Commands
debug ipsec-pass-thru
To show debug messages for ipsec-pass-thru, use the debug ipsec-pass-thru command in privileged EXEC mode. To stop showing debug messages for DNS, use the no form of this command.
debug ipsec-pass-thru level
no debug ipsec-pass-thru
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default level is 1. If you do not specify any keywords, the security appliance shows all mesages.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for DNS:
hostname# debug ipsec-pass-thruRelated Commands
debug ipv6
To display ipv6 debug messages, use the debug ipv6 command in privileged EXEC mode. To stop the display of debug messages, use the no form of this command.
debug ipv6 {icmp | interface | nd | packet | routing}
no debug ipv6 {icmp | interface | nd | packet | routing}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
•
—
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following is sample output for the debug ipv6 icmp command:
hostname# debug ipv6 icmp13:28:40:ICMPv6:Received ICMPv6 packet from 2000:0:0:3::2, type 13613:28:45:ICMPv6:Received ICMPv6 packet from FE80::203:A0FF:FED6:1400, type 13513:28:50:ICMPv6:Received ICMPv6 packet from FE80::203:A0FF:FED6:1400, type 13613:28:55:ICMPv6:Received ICMPv6 packet from FE80::203:A0FF:FED6:1400, type 135Related Commands
debug iua-proxy
To display individual user authentication (IUA) proxy debug information, use the debug iua-proxy command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.
debug iua-proxy [level]
no debug iua-proxy
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables IUA-proxy debug messages. The show debug command reveals that IUA-proxy debug messages are enabled.
hostname# debug iua-proxydebug iua-proxy enabled at level 1hostname# show debugdebug iua-proxy enabled at level 1hostname#Related Commands
debug kerberos
To display Kerberos authentication debug information, use the debug kerberos command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.
debug kerberos [level]
no debug kerberos
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables Kerberos debug messages. The show debug command reveals that Kerberos debug messages are enabled.
hostname# debug kerberosdebug kerberos enabled at level 1hostname# show debugdebug kerberos enabled at level 1hostname#Related Commands
debug ldap
To display LDAP debug information, use the debug ldap command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.
debug ldap [level]
no debug ldap
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables LDAP debug messages. The show debug command reveals that LDAP debug messages are enabled.
hostname# debug ldapdebug ldap enabled at level 1hostname# show debugdebug ldap enabled at level 1hostname#Related Commands
debug mac-address-table
To show debug messages for the MAC address table, use the debug mac-address-table command in privileged EXEC mode. To stop showing debug messages for the MAC address table, use the no form of this command.
debug mac-address-table [level]
no debug mac-address-table [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
—
•
•
•
—
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for the MAC address table:
hostname# debug mac-address-tableRelated Commands
debug menu
To display detailed debug information for specific features, use the debug menu command in privileged EXEC mode.
debug menu
Caution
Syntax Description
This command should be used only under the supervision of Cisco technical support staff.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
This command should be used only under the supervision of Cisco technical support staff.
Related Commands
debug mfib
To display MFIB debug information, use the debug mfib command in privileged EXEC mode. To stop displaying debug information, use the no form of this command.
debug mfib {db | init | mrib | pak | ps | signal} [group]
no debug mfib {db | init | mrib | pak | ps | signal} [group]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
—
—
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example displays MFIB dabase operation debug information:
hostname# debug mfib dbMFIB IPv4 db debugging enabledRelated Commands
debug mgcp
To display detailed information about MGCP application inspection, use the debug mgcp command in privileged EXEC mode. To disable debugging, Use the no form of this command.
debug mgcp {messages | parser | sessions}
no debug mgcp {messages | parser | sessions}
messages
Displays debug information about MGCP messages.
parser
Displays debug information for parsing MGCP messages.
sessions
Displays debug information about MGCP sessions.
Defaults
All options are enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
The debug mgcp command displays detailed information about mgcp inspection. The no debug all or undebug all commands turn off all enabled debugs.
Examples
The following example enables the display of detailed information about MGCP application inspection:
hostname# debug mgcpRelated Commands
debug module-boot
To show debug messages about the SSM booting process, use the debug module-boot command in privileged EXEC mode. To stop showing debug messages for the SSM booting process, use the no form of this command.
debug module-boot [level]
no debug module-boot [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for the SSM booting process:
hostname# debug module-bootRelated Commands
debug mrib
To display MRIB debug information, use the debug mrib command in privileged EXEC mode. To stop the display of debug information, use the no form of this command.
debug mrib {client | io | route [group] | table}
no debug mrib {client | io | route [group] | table}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
—
—
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example shows how to enable debugging of MRIB I/O events:
hostname# debug mrib ioIPv4 MRIB io debugging is onRelated Commands
show mrib client
Displays information about the MRIB client connections.
show mrib route
Displays MRIB table entries.
debug ntdomain
To display NT domain authentication debug information, use the debug ntdomain command in privileged EXEC mode. To disable the display of NT domain debug information, use the no form of this command.
debug ntdomain [level]
no debug ntdomain
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables NT domain debug messages. The show debug command reveals that NT domain debug messages are enabled.
hostname# debug ntdomaindebug ntdomain enabled at level 1hostname# show debugdebug ntdomain enabled at level 1hostname#Related Commands
debug ntp
To show debug messages for NTP, use the debug ntp command in privileged EXEC mode. To stop showing debug messages for NTP, use the no form of this command.
debug ntp {adjust | authentication | events | loopfilter | packets | params | select | sync | validity}
no debug ntp {adjust | authentication | events | loopfilter | packets | params | select | sync | validity}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for NTP:
hostname# debug ntp eventsRelated Commands
debug ospf
To display debug information about the OSPF routing processes, use the debug ospf command in privileged EXEC mode.
debug ospf [adj | database-timer | events | flood | lsa-generation | packet | retransmission | spf [external | inter | intra] | tree]
no debug ospf [adj | database-timer | events | flood | lsa-generation | packet | retransmission | spf [external | inter | intra] | tree]
Syntax Description
Defaults
Displays all OSPF debug information if no keyword is provided.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
—
—
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following is sample output from the debug ospf events command:
hostname# debug ospf eventsospf event debugging is onOSPF:hello with invalid timers on interface Ethernet0hello interval received 10 configured 10net mask received 255.255.255.0 configured 255.255.255.0dead interval received 40 configured 30Related Commands
debug parser cache
To display CLI parser debug information, use the debug parser cache command in privileged EXEC mode. To disable the display of CLI parser debug information, use the no form of this command.
debug parser cache [level]
no debug parser cache
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables CLI parser debug messages. The show debug command reveals the current debug configuration. The CLI parser debug messages appear before and after the output of the show debug command.
hostname# debug parser cachedebug parser cache enabled at level 1hostname# show debugparser cache: try to match 'show debug' in exec modedebug parser cache enabled at level 1parser cache: hit at index 8hostname#Related Commands
debug pim
To display PI M debug information, use the debug pim command in privileged EXEC mode. To stop displaying debug information, use the no form of this command.
debug pim [df-election [interface if_name | rp rp] | group group | interface if_name | neighbor]
no debug pim [df-election [interface if_name | rp rp] | group group | interface if_name | neighbor]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
—
—
Command History
Usage Guidelines
Logs PIM packets received and transmitted and also PIM-related events.
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following is sample output from the debug pim command:
hostname# debug pimPIM: Received Join/Prune on Ethernet1 from 172.24.37.33PIM: Received Join/Prune on Ethernet1 from 172.24.37.33PIM: Received Join/Prune on Tunnel0 from 10.3.84.1PIM: Received Join/Prune on Ethernet1 from 172.24.37.33PIM: Received Join/Prune on Ethernet1 from 172.24.37.33PIM: Received RP-Reachable on Ethernet1 from 172.16.20.31PIM: Update RP expiration timer for 224.2.0.1PIM: Forward RP-reachability packet for 224.2.0.1 on Tunnel0PIM: Received Join/Prune on Ethernet1 from 172.24.37.33PIM: Prune-list (10.221.196.51/32, 224.2.0.1)PIM: Set join delay timer to 2 seconds for (10.221.0.0/16, 224.2.0.1) on Ethernet1PIM: Received Join/Prune on Ethernet1 from 172.24.37.6PIM: Received Join/Prune on Ethernet1 from 172.24.37.33PIM: Received Join/Prune on Tunnel0 from 10.3.84.1PIM: Join-list: (*, 224.2.0.1) RP 172.16.20.31PIM: Add Tunnel0 to (*, 224.2.0.1), Forward statePIM: Join-list: (10.0.0.0/8, 224.2.0.1)PIM: Add Tunnel0 to (10.0.0.0/8, 224.2.0.1), Forward statePIM: Join-list: (10.4.0.0/16, 224.2.0.1)PIM: Prune-list (172.24.84.16/28, 224.2.0.1) RP-bit set RP 172.24.84.16PIM: Send Prune on Ethernet1 to 172.24.37.6 for (172.24.84.16/28, 224.2.0.1), RPPIM: For RP, Prune-list: 10.9.0.0/16PIM: For RP, Prune-list: 10.16.0.0/16PIM: For RP, Prune-list: 10.49.0.0/16PIM: For RP, Prune-list: 10.84.0.0/16PIM: For RP, Prune-list: 10.146.0.0/16PIM: For 10.3.84.1, Join-list: 172.24.84.16/28PIM: Send periodic Join/Prune to RP via 172.24.37.6 (Ethernet1)Related Commands
debug pix pkt2pc
To show debug messages that trace packets sent to the uauth code and that trace the event where the uauth proxy session is cut through to the data path, use the debug pix pkt2pc command in privileged EXEC mode. To stop showing debug messages, use the no form of this command.
debug pix pkt2pc
no debug pix pkt2pc
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages that trace packets sent to the uauth code and that trace the event where the uauth proxy session is cut through to the data path:
hostname# debug pix pkt2pcRelated Commands
debug pix process
Shows debug messages for xlate and secondary connections processing.
show debug
Shows all enabled debuggers.
debug pix process
To show debug messages for xlate and secondary connections processing, use the debug pix process command in privileged EXEC mode. To stop showing debug messages, use the no form of this command.
debug pix process
no debug pix process
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for xlate and secondary connections processing:
hostname# debug pix processRelated Commands
debug pptp
To show debug messages for PPTP, use the debug pptp command in privileged EXEC mode. To stop showing debug messages for PPTP, use the no form of this command.
debug pptp [level]
no debug pptp [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.
Note
Examples
The following example enables debug messages at the default level (1) for PPTP application inspection:
hostname# debug pptpRelated Commands
debug radius
To show debug messages for AAA, use the debug radius command in privileged EXEC mode. To stop showing RADIUS messages, use the no form of this command.
debug radius [ all | decode | session | user username ] ]
no debug radius
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
The debug radius command displays detailed information about RADIUS messaging between the security appliance and a RADIUS AAA server. The no debug all or undebug all commands turn off all enabled debugs.
Examples
The following example shows decoded RADIUS messages, which happen to be accounting packets:
hostname(config)# debug radius decodehostname(config)# RADIUS packet decode (accounting request)--------------------------------------Raw packet data (length = 216).....iParsed packet data.....Radius: Code = 4 (0x04)Radius: Identifier = 105 (0x69)Radius: Length = 216 (0x00D8)Radius: Vector: 842E0E99F44C00C05A0A19AB88A81312Radius: Type = 40 (0x28) Acct-Status-TypeRadius: Length = 6 (0x06)Radius: Value (Hex) = 0x2Radius: Type = 5 (0x05) NAS-PortRadius: Length = 6 (0x06)Radius: Value (Hex) = 0x1Radius: Type = 4 (0x04) NAS-IP-AddressRadius: Length = 6 (0x06)Radius: Value (IP Address) = 10.1.1.1 (0x0A010101)Radius: Type = 14 (0x0E) Login-IP-HostRadius: Length = 6 (0x06)Radius: Value (IP Address) = 10.2.0.50 (0xD0FE1291)Radius: Type = 16 (0x10) Login-TCP-PortRadius: Length = 6 (0x06)Radius: Value (Hex) = 0x50Radius: Type = 44 (0x2C) Acct-Session-IdRadius: Length = 12 (0x0C)Radius: Value (String) =30 78 31 33 30 31 32 39 66 65 | 0x130129feRadius: Type = 1 (0x01) User-NameRadius: Length = 9 (0x09)Radius: Value (String) =62 72 6f 77 73 65 72 | browserRadius: Type = 46 (0x2E) Acct-Session-TimeRadius: Length = 6 (0x06)Radius: Value (Hex) = 0x0Radius: Type = 42 (0x2A) Acct-Input-OctetsRadius: Length = 6 (0x06)Radius: Value (Hex) = 0x256DRadius: Type = 43 (0x2B) Acct-Output-OctetsRadius: Length = 6 (0x06)Radius: Value (Hex) = 0x3E1Radius: Type = 26 (0x1A) Vendor-SpecificRadius: Length = 30 (0x1E)Radius: Vendor ID = 9 (0x00000009)Radius: Type = 1 (0x01) Cisco-AV-pairRadius: Length = 24 (0x18)Radius: Value (String) =69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 30 2e | ip:source-ip=10.31 2e 31 2e 31 30 | 1.1.10Radius: Type = 26 (0x1A) Vendor-SpecificRadius: Length = 27 (0x1B)Radius: Vendor ID = 9 (0x00000009)Radius: Type = 1 (0x01) Cisco-AV-pairRadius: Length = 21 (0x15)Radius: Value (String) =69 70 3a 73 6f 75 72 63 65 2d 70 6f 72 74 3d 33 | ip:source-port=334 31 33 | 413Radius: Type = 26 (0x1A) Vendor-SpecificRadius: Length = 40 (0x28)Radius: Vendor ID = 9 (0x00000009)Radius: Type = 1 (0x01) Cisco-AV-pairRadius: Length = 34 (0x22)Radius: Value (String) =69 70 3a 64 65 73 74 69 6e 61 74 69 6f 6e 2d 69 | ip:destination-i70 3d 32 30 38 2e 32 35 34 2e 31 38 2e 31 34 35 | p=10.2.0.50Radius: Type = 26 (0x1A) Vendor-SpecificRadius: Length = 30 (0x1E)Radius: Vendor ID = 9 (0x00000009)Radius: Type = 1 (0x01) Cisco-AV-pairRadius: Length = 24 (0x18)Radius: Value (String) =69 70 3a 64 65 73 74 69 6e 61 74 69 6f 6e 2d 70 | ip:destination-p6f 72 74 3d 38 30 | ort=80Related Commands
show running-config
Displays the configuration that is running on the security appliance.
debug rip
To display debug information for RIP, use the debug rip command in privileged EXEC mode. To disable the debug information display, use the no form of this command.
debug rip
no debug rip
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
—
—
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables level 1 debugging of RIP:
hostname# debug ripdebug rip enabled at level 1hostname#Related Commands
debug rtsp
To show debug messages for RTSP application inspection, use the debug rtsp command in privileged EXEC mode. To stop showing debug messages for RTSP application inspection, use the no form of this command.
debug rtsp [level]
no debug rtsp [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.
Note
Examples
The following example enables debug messages at the default level (1) for RTSP application inspection:
hostname# debug rtspRelated Commands
debug sdi
To display SDI authentication debug information, use the debug sdi command in privileged EXEC mode. To disable the display of SDI debug information, use the no form of this command.
debug sdi [level]
no debug sdi
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables SDI debug messages. The show debug command reveals that SDI debug messages are enabled.
hostname# debug sdidebug sdi enabled at level 1hostname# show debugdebug sdi enabled at level 1hostname#Related Commands
debug sequence
To add a sequence number to the beginning of all debug messages, use the debug sequence command in privileged EXEC mode. To disable the use of debug sequence numbers, use the no form of this command.
debug sequence [level]
no debug sequence
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The defaults are as follows:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables sequence numbers in debug messages. The debug parser cache command enables CLI parser debug messages. The show debug command reveals the current debug configuration. The CLI parser debug messages shown include sequence numbers before each message.
hostname# debug sequencedebug sequence enabled at level 1hostname# debug parser cachedebug parser cache enabled at level 1hostname# show debug0: parser cache: try to match 'show debug' in exec modedebug parser cache enabled at level 1debug sequence enabled at level 11: parser cache: hit at index 8hostname#Related Commands
debug session-command
To show debug messages for a session to an SSM, use the debug session-command command in privileged EXEC mode. To stop showing debug messages for sessions, use the no form of this command.
debug session-command [level]
no debug session-command [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for sessions:
hostname# debug session-commandRelated Commands
debug sip
To show debug messages for SIP application inspection, use the debug sip command in privileged EXEC mode. To stop showing debug messages for SIP application inspection, use the no form of this command.
debug sip [level]
no debug sip [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.
Note
Examples
The following example enables debug messages at the default level (1) for SIP application inspection:
hostname# debug sipRelated Commands
debug skinny
To show debug messages for SCCP (Skinny) application inspection, use the debug skinny command in privileged EXEC mode. To stop showing debug messages for SCCP application inspection, use the no form of this command.
debug skinny [level]
no debug skinny [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.
Note
Examples
The following example enables debug messages at the default level (1) for SCCP application inspection:
hostname# debug skinnyRelated Commands
debug smtp
To show debug messages for SMTP/ESMTP application inspection, use the debug smtp command in privileged EXEC mode. To stop showing debug messages for SMTP/ESMTP application inspection, use the no form of this command.
debug smtp [level]
no debug smtp [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.
Note
Examples
The following example enables debug messages at the default level (1) for SMTP/ESMTP application inspection:
hostname# debug smtpRelated Commands
debug sqlnet
To show debug messages for SQL*Net application inspection, use the debug sqlnet command in privileged EXEC mode. To stop showing debug messages for SQL*Net application inspection, use the no form of this command.
debug sqlnet [level]
no debug sqlnet [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.
Note
Examples
The following example enables debug messages at the default level (1) for SQL*Net application inspection:
hostname# debug sqlnetRelated Commands
debug ssh
To display debug information and error messages associated with SSH, use the debug ssh command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.
debug ssh [level]
no debug ssh [level]
Syntax Description
Defaults
The default level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following is sample output from the debug ssh 255 command:
hostname# debug ssh 255debug ssh enabled at level 255SSH2 0: send: len 64 (includes padlen 17)SSH2 0: done calc MAC out #239SSH2 0: send: len 32 (includes padlen 7)SSH2 0: done calc MAC out #240SSH2 0: send: len 64 (includes padlen 15)SSH2 0: done calc MAC out #241SSH2 0: send: len 32 (includes padlen 16)SSH2 0: done calc MAC out #242SSH2 0: send: len 64 (includes padlen 7)SSH2 0: done calc MAC out #243SSH2 0: send: len 64 (includes padlen 18)SSH2 0: done calc MAC out #244SSH2 0: send: len 64 (includes padlen 8)SSH2 0: done calc MAC out #245SSH2 0: send: len 64 (includes padlen 18)SSH2 0: done calc MAC out #246SSH2 0: send: len 64 (includes padlen 7)SSH2 0: done calc MAC out #247SSH2 0: send: len 64 (includes padlen 18)SSH2 0: done calc MAC out #248SSH2 0: send: len 64 (includes padlen 7)SSH2 0: done calc MAC out #249SSH2 0: send: len 64 (includes padlen 18)SSH2 0: done calc MAC out #250SSH2 0: send: len 64 (includes padlen 8)SSH2 0: done calc MAC out #251SSH2 0: send: len 64 (includes padlen 18)SSH2 0: done calc MAC out #252SSH2 0: send: len 64 (includes padlen 7)SSH2 0: done calc MAC out #253SSH2 0: send: len 64 (includes padlen 18)SSH2 0: done calc MAC out #254SSH2 0: send: len 64 (includes padlen 8)SSH2 0: done calc MAC out #255SSH2 0: send: len 64 (includes padlen 18)SSH2 0: done calc MAC out #256SSH2 0: send: len 64 (includes padlen 7)SSH2 0: done calc MAC out #257SSH2 0: send: len 64 (includes padlen 18)SSH2 0: done calc MAC out #258Related Commands
debug ssl
To display SSL debug information, use the debug ssl command in privileged EXEC mode. To disable the display of SSL debug information, use the no form of this command.
debug ssl {cipher | device} [level]
no debug ssl {cipher | device}
Syntax Description
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
—
—
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables SSL debug messages, specifically for cipher negotiation. The show debug command reveals that SSL debug messages are enabled.
hostname# debug ssl cipherdebug ssl cipher enabled at level 1hostname# show debugdebug ssl cipher enabled at level 1hostname#Related Commands
debug sunrpc
To show debug messages for RPC application inspection, use the debug sunrpc command in privileged EXEC mode. To stop showing debug messages for RPC application inspection, use the no form of this command.
debug sunrpc [level]
no debug sunrpc [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.
Note
Examples
The following example enables debug messages at the default level (1) for RPC application inspection:
hostname# debug sunrpcRelated Commands
debug tacacs
To display TACACS+ debug information, use the debug tacacs command in privileged EXEC mode. To disable the display of TACACS+ debug information, use the no form of this command.
debug tacacs [session | user username]
no debug tacacs [session | user username]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables TACACS+ debug messages. The show debug command reveals that TACACS+ debug messages are enabled.
hostname# debug tacacs user admin342hostname# show debugdebug tacacs user admin342hostname#Related Commands
debug tcp-map
To show debug messages for TCP application inspection maps, use the debug tcp-map command in privileged EXEC mode. To stop showing debug messages for TCP application inspection, use the no form of this command.
debug tcp-map
no debug tcp-map
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables debug messages for TCP application inspection maps. The show debug command reveals that debug messages for TCP application inspection maps are enabled.
hostname# debug tcp-mapdebug tcp-map enabled at level 1.hostname# show debugdebug tcp-map enabled at level 1.hostname#Related Commands
debug timestamps
To add timestamp information to the beginning of all debug messages, use the debug timestamps command in privileged EXEC mode. To disable the use of debug timestamps, use the no form of this command.
debug timestamps [level]
no debug timestamps
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The defaults are as follows:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables timestamps in debug messages. The debug parser cache command enables CLI parser debug messages. The show debug command reveals the current debug configuration. The CLI parser debug messages shown include timestamps before each message.
hostname# debug timestampsdebug timestamps enabled at level 1hostname# debug parser cachedebug parser cache enabled at level 1hostname# show debug1982769.770000000: parser cache: try to match 'show debug' in exec mode1982769.770000000: parser cache: hit at index 8hostname#Related Commands
debug vpn-sessiondb
To display VPN-session database debug information, use the debug vpn-sessiondb command in privileged EXEC mode. To disable the display of VPN-session database debug information, use the no form of this command.
debug vpn-sessiondb [level]
no debug vpn-sessiondb
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables VPN-session database debug messages. The show debug command reveals that VPN-session database debug messages are enabled.
hostname# debug vpn-sessiondbdebug vpn-sessiondb enabled at level 1hostname# show debugdebug vpn-sessiondb enabled at level 1hostname#Related Commands
debug xdmcp
To show debug messages for XDMCP application inspection, use the debug xdmcp command in privileged EXEC mode. To stop showing debug messages for XDMCP application inspection, use the no form of this command.
debug xdmcp [level]
no debug xdmcp [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.
Note
Examples
The following example enables debug messages at the default level (1) for XDMCP application inspection:
hostname# debug xdmcpRelated Commands
default
To restore default settings for the time-range command absolute and periodic keywords, use the default command in time-range configuration mode.
default {absolute | periodic days-of-the-week time to [days-of-the-week] time}
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Time-range configuration
•
•
•
•
—
Command History
Usage Guidelines
If the end days-of-the-week value is the same as the start value, you can omit them.
If a time-range command has both absolute and periodic values specified, then the periodic commands are evaluated only after the absolute start time is reached, and are not further evaluated after the absolute end time is reached.
The time-range feature relies on the system clock of the security appliance; however, the feature works best with NTP synchronization.
Examples
The following example shows how to restore the default behavior of the absolute keyword:
hostname(config-time-range)# default absoluteRelated Commands
default (crl configure)
To return all CRL parameters to their system default values, use the default command in crl configure configuration mode. The crl configure configuration mode is accessible from the crypto ca trustpoint configuration mode. These parameters are used only when the LDAP server requires them.
default
Syntax Description
This command has no arguments or keywords.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Crl configure configuration
·
·
Command History
Usage Guidelines
Invocations of this command do not become part of the active configuration.
Examples
The following example enters ca-crl configuration mode, and returns CRL command values to their defaults:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# crl configurehostname(ca-crl)# defaulthostname(ca-crl)#Related Commands
crl configure
Enters crl configure configuration mode.
crypto ca trustpoint
Enters trustpoint configuration mode.
protocol ldap
Specifies LDAP as a retrieval method for CRLs.
default (time-range)
To restore default settings for the absolute and periodic commands, use the default command in time-range configuration mode.
default {absolute | periodic days-of-the-week time to [days-of-the-week] time}
Syntax Description
Defaults
There are no default settings for this command.
Command Modes
The following table shows the modes in which you can enter the command:
Time-range configuration
·
·
·
·
Command History
Usage Guidelines
If the end days-of-the-week value is the same as the start value, you can omit them.
If a time-range command has both absolute and periodic values specified, then the periodic commands are evaluated only after the absolute start time is reached, and are not further evaluated after the absolute end time is reached.
The time-range feature relies on the system clock of the security appliance; however, the feature works best with NTP synchronization.
Examples
The following example shows how to restore the default behavior of the absolute keyword:
hostname(config-time-range)# default absoluteRelated Commands
default enrollment
To return all enrollment parameters to their system default values, use the default enrollment command in crypto ca trustpoint configuration mode.
default enrollment
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Crypto ca trustpoint configuration
·
·
·
·
·
Command History
Usage Guidelines
Invocations of this command do not become part of the active configuration.
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint central, and returns all enrollment parameters to their default values within trustpoint central:
hostname<config># crypto ca trustpoint centralhostname<ca-trustpoint># default enrollmenthostname<ca-trustpoint>#Related Commands
clear configure crypto ca trustpoint
Removes all trustpoints.
crl configure
Enters crl configuration mode.
crypto ca trustpoint
Enters trustpoint configuration mode.
default-domain
To set a default domain name for users of the group policy, use the default-domain command in group-policy configuration mode. To delete a domain name, use the no form of this command.
To prevent users from inheriting a domain name, use the default-domain none command.
The security appliance passes the default domain name to the IPSec client to append to DNS queries that omit the domain field. This domain name applies only to tunneled packets. When there are no default domain names, users inherit the default domain name in the default group policy.
default-domain {value domain-name | none}
no default-domain [domain-name]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy
•
—
•
—
—
Command History
Usage Guidelines
You can use only alphanumeric characters, hyphens (-), and periods (.) in default domain names.
Examples
The following example shows how to set a default domain name of FirstDomain for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# default-domain value FirstDomainRelated Commands
default-group-policy
To specify the set of attributes that the user inherits by default, use the default-group-policy command in tunnel-group general-attributes configuration mode. To eliminate a default group policy name, use the no form of this command.
default-group-policy group-name
no default-group-policy group-name
Syntax Description
Defaults
The default group name is DfltGrpPolicy.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group general attributes configuration
•
•
Command History
Usage Guidelines
The default group policy DfltGrpPolicy comes with the initial configuration of the security appliance. You can apply this attribute to all tunnel-group types.
Examples
The following example entered in config-general configuration mode, specifies a set of attributes for users to inherit by default for an IPSec LAN-to-LAN tunnel group named standard-policy. This set of commands defines the accounting server, the authentication server, the authorization server and the address pools.
hostname(config)# tunnel-group standard-policy type ipsec-rahostname(config)# tunnel-group standard-policy general-attributeshostname(config-general)# default-group-policy first-policyhostname(config-general)# accounting-server-group aaa-server123hostname(config-general)# address-pool (inside) addrpool1 addrpool2 addrpool3hostname(config-general)# authentication-server-group aaa-server456hostname(config-general)# authorization-server-group aaa-server78hostname(config-general)#Related Commands
default-group-policy (webvpn)
To specify the name of the group policy to use when the WebVPN or e-mail proxy configuration does not specify a group policy, use the default-group-policy command. WebVPN, IMAP4S, POP3S, and SMTPS sessions require either a specified or a default group policy. For WebVPN, use this command in webvpn mode. For e-mail proxy, use this command in the applicable e-mail proxy mode. To remove the attribute from the configuration, use the no version of this command.
default-group-policy groupname
no default-group-policy
Syntax Description
groupname
Identifies the previously configured group policy to use as the default group policy. Use the group-policy command in configuration mode to configure a group policy.
Defaults
A default group policy, named DfltGrpPolicy, always exists on the security appliance. This default-group-policy command lets you substitute a group policy that you create as the default group policy for WebVPN and e-mail proxy sessions. An alternative is to edit the DfltGrpPolicy.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn
•
—
•
—
—
Imap4s
•
—
•
—
—
Pop3s
•
—
•
—
—
Smtps
•
—
•
—
—
Command History
Usage Guidelines
You can edit, but not delete the system DefaultGroupPolicy. It has the following AVPs:
Examples
The following example shows how to specify a default group policy called WebVPN7 for WebVPN:
hostname(config)# webvpnhostname(config-webvpn)# default-group-policy WebVPN7
default-idle-timeout
To set a default idle timeout value for WebVPN users, use the default-idle-timeout command in webvpn mode. To remove the default idle timeout value from the configuration and reset the default, use the no form of this command.
The default idle timeout prevents stale sessions.
default-idle-timeout seconds
no default-idle-timeout
Syntax Description
seconds
Specifies the number of seconds for the idle time out. The minimum is 60 seconds, maximum is 1 day (86400 seconds).
Defaults
1800 seconds (30 minutes).
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn
•
—
•
—
—
Command History
Usage Guidelines
The security appliance uses the value you set here if there is no idle timeout defined for a user, if the value is 0, or if the value does not fall into the valid range.
We recommend that you set this command to a short time period. This is because a browser set to disable cookies (or one that prompts for cookies and then denies them) can result in a user not connecting but nevertheless appearing in the sessions database. If the maximum number of connections permitted is set to one (vpn-simultaneous-logins command), the user cannot log back in because the database indicates that the maximum number of connections already exists. Setting a low idle timeout removes such phantom sessions quickly, and lets a user log in again.
Examples
The following example shows how to set the default idle timeout to 1200 seconds (20 minutes):
hostname(config)# webvpnhostname(config-webvpn)# default-idle-timeout 1200Related Commands
vpn-simultaneous-logins
Sets the maximum number of simultaneous VPN sessions permitted. Use in group-policy or username mode.
default-information originate
To generate a default external route into an OSPF routing domain, use the default-information originate command in router configuration mode. To disable this feature, use the no form of this command.
default-information originate [always] [metric value] [metric-type {1 | 2}] [route-map name]
no default-information originate [[always] [metric value] [metric-type {1 | 2}] [route-map name]]
Syntax Description
Defaults
The default values are as follows:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
Using the no form of this command with optional keywords and arguments only removes the optional information from the command. For example, entering no default-information originate metric 3 removes the metric 3 option from the command in the running configuration. To remove the complete command from the running configuration, use the no form of the command without any options: no default-information originate.
Examples
The following example shows how to use the default-information originate command with an optional metric and metric type:
hostname(config-router)# default-information originate always metric 3 metric-type 2hostname(config-router)#Related Commands
router ospf
Enters router configuration mode.
show running-config router
Displays the commands in the global router configuration.
delete
To delete a file in the disk partition, use the delete command in privileged EXEC mode.
delete [/noconfirm] [/recursive] [disk0: | disk1: | flash:]filename
Syntax Description
Defaults
If you do not specify a directory, the directory is the current working directory by default.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
The file is deleted from the current working directory if a path is not specified. Wildcards are supported when deleting files. When deleting files, you are prompted with the filename and you must confirm the deletion.
The following example shows how to delete a file named test.cfg in the current working directory:
hostname# delete test.cfgRelated Commands
cd
Changes the current working directory to the one specified.
rmdir
Removes a file or directory.
show file
Displays the specified file.
deny version
To deny a specific version of SNMP traffic, use the deny version command in SNMP map configuration mode, which is accessible by entering the snmp-map command from global configuration mode. To disable this command, use the no version of the command.
deny version version
deny version version
Syntax Description
version
Specifies the version of SNMP traffic that the security appliance drops. The permitted values are 1, 2, 2c, and 3.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
SNMP map configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the deny version command to restrict SNMP traffic to specific versions of SNMP. Earlier versions of SNMP were less secure so restricting SNMP traffic to Version 2 may be specified by your security policy. You use the deny version command within an SNMP map, which you configure using the snmp-map command. After creating the SNMP map, you enable the map using the inspect snmp command and then apply it to one or more interfaces using the service-policy command.
Examples
The following example shows how to identify SNMP traffic, define a SNMP map, define a policy, and apply the policy to the outside interface:
hostname(config)# access-list snmp-acl permit tcp any any eq 161hostname(config)# access-list snmp-acl permit tcp any any eq 162hostname(config)# class-map snmp-porthostname(config-cmap)# match access-list snmp-aclhostname(config-cmap)# exithostname(config)# snmp-map inbound_snmphostname(config-snmp-map)# deny version 1hostname(config-snmp-map)# exithostname(config)# policy-map inbound_policyhostname(config-pmap)# class snmp-porthostname(config-pmap-c)# inspect snmp inbound_snmphostname(config-pmap-c)# exithostname(config-pmap)# exithostname(config)# service-policy inbound_policy interface outsideRelated Commands
description
To add a description for a named configuration unit (for example, for a context or for an object group), use the description command in various configuration modes. To remove the description, use the no form of this command. The description adds helpful notes in your configuration.
description text
no description
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command History
Examples
The following example adds a description to the "Administration" context configuration:
hostname(config)# context administratorhostname(config-context)# description This is the admin context.hostname(config-context)# allocate-interface gigabitethernet0/0.1hostname(config-context)# allocate-interface gigabitethernet0/1.1hostname(config-context)# config-url flash://admin.cfgRelated Commands
dhcp-network-scope
To specify the range of IP addresses the security appliance DHCP server should use to assign addresses to users of this group policy, use the dhcp-network-scope command in group-policy configuration mode. To remove the attribute from the running configuration, use the no form of this command. This option allows inheritance of a value from another group policy. To prevent inheriting a value, use the dhcp-network-scope none command.
dhcp-network-scope {ip_address} | none
no dhcp-network-scope
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy
•
—
•
—
—
Command History
Examples
The following example shows how to set an IP subnetwork of 10.10.85.0 for the group policy named First Group:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# dhcp-network-scope 10.10.85.0dhcp-server
To configure support for DHCP servers that assign IP addresses to clients as a VPN tunnel is established, use the dhcp-server command in tunnel-group general-attributes configuration mode. To return this command to the default, use the no form of this command.
dhcp-server hostname1 [...hostname10]
no dhcp-server hostname
Syntax Description
hostname1 ...hostname10
Specifies the IP address of the DHCP server. You can specify up to 10 DHCP servers.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group general attributes configuration
•
•
Command History
Usage Guidelines
You can apply this attribute to IPSec remote access tunnel-group types only.
Examples
The following command entered in config-general configuration mode, adds three DHCP servers (dhcp1, dhcp2, and dhcp3) to the IPSec remote-access tunnel group remotegrp:
hostname(config)# tunnel-group remotegrp type ipsec_rahostname(config)# tunnel-group remotegrp generalhostname(config-general)# default-group-policy remotegrphostname(config-general)# dhcp-server dhcp1 dhcp2 dhcp3hostname(config-general)Related Commands
dhcpd address
To define the IP address pool used by the DHCP server, use the dhcpd address command in global configuration mode. To remove an existing DHCP address pool, use the no form of this command.
dhcpd address IP_address1[-IP_address2] interface_name
no dhcpd address interface_name
Syntax Description
interface_name
Interface the address pool is assigned to.
IP_address1
Start address of the DHCP address pool.
IP_address2
End address of the DHCP address pool.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The dhcpd address ip1[-ip2] interface_name command specifies the DHCP server address pool. The address pool of a security appliance DHCP server must be within the same subnet of the security appliance interface on which it is enabled, and you must specify the associated security appliance interface using interface_name.
The size of the address pool is limited to 256 addresses per pool on the security appliance. If the address pool range is larger than 253 addresses, the netmask of the security appliance interface cannot be a Class C address (for example, 255.255.255.0) and needs to be something larger, for example, 255.255.254.0.
DHCP clients must be physically connected to the subnet of the security appliance DCHP server interface.
The dhcpd address command cannot use interface names with a "-" (dash) character because the "-" character is interpreted as a range specifier instead of as part of the object name.
The no dhcpd address interface_name command removes the DHCP server address pool that you configured for the specified interface.
Refer to the Cisco Security Appliance Command Line Configuration Guide for information on how to implement the DHCP server feature into the security appliance.
Examples
The following example shows how to use the dhcpd address, dhcpd dns, and dhcpd enable interface_name commands to configure an address pool and DNS server for the DHCP clients on the dmz interface of the security appliance:
hostname(config)# dhcpd address 10.0.1.100-10.0.1.108 dmzhostname(config)# dhcpd dns 209.165.200.226hostname(config)# dhcpd enable dmzThe following example shows how to configure a DHCP server on the inside interface. It uses the dhcpd address command to assign a pool of 10 IP addresses to the DHCP server on that interface.
hostname(config)# dhcpd address 10.0.1.101-10.0.1.110 insidehostname(config)# dhcpd dns 198.162.1.2 198.162.1.3hostname(config)# dhcpd wins 198.162.1.4hostname(config)# dhcpd lease 3000hostname(config)# dhcpd ping_timeout 1000hostname(config)# dhcpd domain example.comhostname(config)# dhcpd enable insideRelated Commands
dhcpd auto_config
To enable the security appliance to automatically configure DNS, WINS and domain name values for the DHCP server based on the values obtained from an interface running a DHCP client, use the dhcpd auto_config command in global configuration mode. To discontinue the automatic configuration of DHCP parameters, use the no form of this command.
dhcpd auto_config client_if_name
no dhcpd auto_config client_if_name
Syntax Description
client_if_name
Specifies the interface running the DHCP client that supplies the DNS, WINS, and domain name parameters.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
If you specify DNS, WINS, or domain name parameters using the CLI commands, then the CLI-configured parameters overwrite the parameters obtained by automatic configuration.
Examples
The following example shows how to configure DHCP on the inside interface. The dhcpd auto_config command is used to pass DNS, WINS, and domain information obtained from the DHCP client on the outside interface to the DHCP clients on the inside interface.
hostname(config)# dhcpd address 10.0.1.101-10.0.1.110 insidehostname(config)# dhcpd autoconfig outsidehostname(config)# dhcpd enable insideRelated Commands
dhcpd dns
To define the DNS servers for DHCP clients, use the dhcpd dns command in global configuration mode. To clear defined servers, use the no form of this command.
dhcpd dns dnsip1 [dnsip2]
no dhcpd dns [dnsip1 [dnsip2]]
Syntax Description
dnsip1
IP address of the primary DNS server for the DHCP client.
dnsip2
(Optional) IP address of the alternate DNS server for the DHCP client.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The dhcpd dns command lets you specify the IP address or addresses of the DNS server(s) for the DHCP client. You can specify two DNS servers. The no dhcpd dns command lets you remove the DNS IP address(es) from the configuration.
Examples
The following example shows how to use the dhcpd address, dhcpd dns, and dhcpd enable interface_name commands to configure an address pool and DNS server for the DHCP clients on the dmz interface of the security appliance.
hostname(config)# dhcpd address 10.0.1.100-10.0.1.108 dmzhostname(config)# dhcpd dns 192.168.1.2hostname(config)# dhcpd enable dmzRelated Commands
dhcpd domain
To define the DNS domain name for DHCP clients, use the dhcpd domain command in global configuration mode. To clear the DNS domain name, use the no form of this command.
dhcpd domain domain_name
no dhcpd domain [domain_name]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The dhcpd domain command lets you specify the DNS domain name for the DHCP client. The no dhcpd domain command lets you remove the DNS domain server from the configuration.
Examples
The following example shows how to use the dhcpd domain command to configure the domain name supplied to DHCP clients by the DHCP server on the security appliance:
hostname(config)# dhcpd address 10.0.1.101-10.0.1.110 insidehostname(config)# dhcpd dns 198.162.1.2 198.162.1.3hostname(config)# dhcpd wins 198.162.1.4hostname(config)# dhcpd lease 3000hostname(config)# dhcpd ping_timeout 1000hostname(config)# dhcpd domain example.comhostname(config)# dhcpd enable insideRelated Commands
clear configure dhcpd
Removes all DHCP server settings.
show running-config dhcpd
Displays the current DHCP server configuration.
dhcpd enable
To enable the DHCP server, use the dhcpd enable command in global configuration mode. To disable the DHCP server, use the no form of this command. The DHCP server provides network configuration parameters to DHCP clients. Support for the DHCP server within the security appliance means that the security appliance can use DHCP to configure connected clients.
dhcpd enable interface
no dhcpd enable interface
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The dhcpd enable interface command lets you enable the DHCP daemon to listen for the DHCP client requests on the DHCP-enabled interface. The no dhcpd enable command disables the DHCP server feature on the specified interface.
Note
When the security appliance responds to a DHCP client request, it uses the IP address and subnet mask of the interface where the request was received as the IP address and subnet mask of the default gateway in the response.
Note
Refer to the Cisco Security Appliance Command Line Configuration Guide for information on how to implement the DHCP server feature into the security appliance.
Examples
The following example shows how to use the dhcpd enable command to enable the DHCP server on the inside interface:
hostname(config)# dhcpd address 10.0.1.101-10.0.1.110 insidehostname(config)# dhcpd dns 198.162.1.2 198.162.1.3hostname(config)# dhcpd wins 198.162.1.4hostname(config)# dhcpd lease 3000hostname(config)# dhcpd ping_timeout 1000hostname(config)# dhcpd domain example.comhostname(config)# dhcpd enable insideRelated Commands
dhcpd lease
To specify the DHCP lease length, use the dhcpd lease command in global configuration mode. To restore the default value for the lease, use the no form of this command.
dhcpd lease lease_length
no dhcpd lease [lease_length]
Syntax Description
lease_length
Length of the IP address lease, in seconds, granted to the DHCP client from the DHCP server; valid values are from 300 to 1048575 seconds.
Defaults
The default lease_length is 3600 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The dhcpd lease command lets you specify the length of the lease, in seconds, that is granted to the DHCP client. This lease indicates how long the DHCP client can use the assigned IP address that the DHCP server granted.
The no dhcpd lease command lets you remove the lease length that you specified from the configuration and replaces this value with the default value of 3600 seconds.
Examples
The following example shows how to use the dhcpd lease command to specify the length of the lease of DHCP information for DHCP clients:
hostname(config)# dhcpd address 10.0.1.101-10.0.1.110 insidehostname(config)# dhcpd dns 198.162.1.2 198.162.1.3hostname(config)# dhcpd wins 198.162.1.4hostname(config)# dhcpd lease 3000hostname(config)# dhcpd ping_timeout 1000hostname(config)# dhcpd domain example.comhostname(config)# dhcpd enable insideRelated Commands
clear configure dhcpd
Removes all DHCP server settings.
show running-config dhcpd
Displays the current DHCP server configuration.
dhcpd option
To configure DHCP options, use the dhcpd option command in global configuration mode. To clear the option, use the no form of this command. You can use the dhcpd option command to provide TFTP server information to Cisco IP Phones and routers.
dhcpd option code {ascii string} | {ip IP_address [IP_address]} | {hex hex_string}
no dhcpd option code
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
When a DHCP option request arrives at the security appliance DHCP server, the security appliance places the value or values that are specified by the dhcpd option command in the response to the client.
The dhcpd option 66 and dhcpd option 150 commands specify TFTP servers that Cisco IP Phones and routers can use to download configuration files. Use the commands as follows:
•
•
Note
Use the following guidelines when specifying an IP address for the dhcpd option 66 | 150 commands:
•
•
•
For information about other DHCP options, refer to RFC2132.
Examples
The following example shows how to specify a TFTP server for DHCP option 66:
hostname(config)# dhcpd option 66 ascii MyTftpServerRelated Commands
clear configure dhcpd
Removes all DHCP server settings.
show running-config dhcpd
Displays the current DHCP server configuration.
dhcpd ping_timeout
To change the default timeout for DHCP ping, use the dhcpd ping_timeout command in global configuration mode. To return to the default value, use the no form of this command. To avoid address conflicts, the DHCP server sends two ICMP ping packets to an address before assigning that address to a DHCP client. This command specifies the ping timeout in milliseconds.
dhcpd ping_timeout number
no dhcpd ping_timeout
Syntax Description
number
The timeout value of the ping, in milliseconds. The minimum value is 10, the maximum is 10000. The default is 50.
Defaults
The default number of milliseconds for number is 50.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The security appliance waits for both ICMP ping packets to time out before assigning an IP address to a DHCP client. For example, if the default value is used, the security appliance waits for 1500 milliseconds (750 milliseconds for each ICMP ping packet) before assigning an IP address.
A long ping timeout value can adversely affect the performance of the DHCP server.
Examples
The following example shows how to use the dhcpd ping_timeout command to change the ping timeout value for the DHCP server:
hostname(config)# dhcpd address 10.0.1.101-10.0.1.110 insidehostname(config)# dhcpd dns 198.162.1.2 198.162.1.3hostname(config)# dhcpd wins 198.162.1.4hostname(config)# dhcpd lease 3000hostname(config)# dhcpd ping_timeout 1000hostname(config)# dhcpd domain example.comhostname(config)# dhcpd enable insideRelated Commands
clear configure dhcpd
Removes all DHCP server settings.
show running-config dhcpd
Displays the current DHCP server configuration.
dhcpd wins
To define the WINS servers for DHCP clients, use the dhcpd wins command in global configuration mode. To remove the WINS servers from the DHCP server, use the no form of this command.
dhcpd wins server1 [server2]
no dhcpd wins [server1 [server2]]
Syntax Description
server1
Specifies the IP address of the primary Microsoft NetBIOS name server (WINS server).
server2
(Optional) Specifies the IP address of the alternate Microsoft NetBIOS name server (WINS server).
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The dhcpd wins command lets you specify the addresses of the WINS servers for the DHCP client. The no dhcpd wins command removes the WINS server IP addresses from the configuration.
Examples
The following example shows how to use the dhcpd wins command to specify WINS server information that is sent to DHCP clients:
hostname(config)# dhcpd address 10.0.1.101-10.0.1.110 insidehostname(config)# dhcpd dns 198.162.1.2 198.162.1.3hostname(config)# dhcpd wins 198.162.1.4hostname(config)# dhcpd lease 3000hostname(config)# dhcpd ping_timeout 1000hostname(config)# dhcpd domain example.comhostname(config)# dhcpd enable insideRelated Commands
dhcprelay enable
To enable the DHCP relay agent, use the dhcprelay enable command in global configuration mode. To disable DHCP relay agent, use the no form of this command. The DHCP relay agent allows DHCP requests to be forwarded from a specified security appliance interface to a specified DHCP server.
dhcprelay enable interface_name
no dhcprelay enable interface_name
Syntax Description
Defaults
The DHCP relay agent is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
For the security appliance to start the DHCP relay agent with the dhcprelay enable interface_name command, you must have a dhcprelay server command already in the configuration. Otherwise, the security appliance displays an error message similar to the following:
DHCPRA: Warning - There are no DHCP servers configured!No relaying can be done without a server!Use the 'dhcprelay server <server_ip> <server_interface>' commandYou cannot enable DHCP relay under the following conditions:
•
•
•
•
The no dhcprelay enable interface_name command removes the DHCP relay agent configuration for the interface that is specified by interface_name only.
Examples
The following example shows how to configure the DHCP relay agent for a DHCP server with an IP address of 10.1.1.1 on the outside interface of the security appliance, client requests on the inside interface of the security appliance, and a timeout value up to 90 seconds:
hostname(config)# dhcprelay server 10.1.1.1 outsidehostname(config)# dhcprelay timeout 90hostname(config)# dhcprelay enable insidehostname(config)# show running-config dhcprelaydhcprelay server 10.1.1.1 outsidedhcprelay enable insidedhcprelay timeout 90The following example shows how to disable the DHCP relay agent:
hostname(config)# no dhcprelay enable insidehostname(config)# show running-config dhcprelaydhcprelay server 10.1.1.1 outsidedhcprelay timeout 90Related Commands
dhcprelay server
To specify the DHCP server that DHCP requests are forwarded to, use the dhcpreplay server command in global configuration mode. To remove the DHCP server from the DHCP relay configuration, use the no form of this command. The DHCP relay agent allows DHCP requests to be forwarded from a specified security appliance interface to a specified DHCP server.
dhcprelay server IP_address interface_name
no dhcprelay server IP_address [interface_name]
Syntax Description
interface_name
Name of the security appliance interface on which the DHCP server resides.
IP_address
The IP address of the DHCP server to which the DHCP relay agent forwards client DHCP requests.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
You can add up to four DHCP relay servers per interface. You must add at least one dhcprelay server command to the security appliance configuration before you can enter the dhcprelay enable command. You cannot configure a DHCP client on an interface that has a DHCP relay server configured.
The dhcprelay server command opens UDP port 67 on the specified interface and starts the DHCP relay task as soon as the dhcprelay enable command is added to the configuration. If there is no dhcprelay enable command in the configuration, then the sockets are not opened and the DHCP relay task does not start.
When you use the no dhcprelay server IP_address [interface_name] command, the interface stops forwarding DHCP packets to that server.
The no dhcprelay server IP_address [interface_name] command removes the DHCP relay agent configuration for the DHCP server that is specified by IP_address [interface_name] only.
Examples
The following example shows how to configure the DHCP relay agent for a DHCP server with an IP address of 10.1.1.1 on the outside interface of the security appliance, client requests on the inside interface of the security appliance, and a timeout value up to 90 seconds:
hostname(config)# dhcprelay server 10.1.1.1 outsidehostname(config)# dhcprelay timeout 90hostname(config)# dhcprelay enable insidehostname(config)# show running-config dhcprelaydhcprelay server 10.1.1.1 outsidedhcprelay enable insidedhcprelay timeout 90Related Commands
dhcprelay setroute
To set the default gateway address in the DHCP reply, use the dhcprelay setroute command in global configuration mode. To remove the default router, use the no form of this command. This command causes the default IP address of the DHCP reply to be substituted with the address of the specified security appliance interface.
dhcprelay setroute interface
no dhcprelay setroute interface
Syntax Description
interface
Configures the DHCP relay agent to change the first default IP address (in the packet sent from the DHCP server) to the address of interface.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
The dhcprelay setroute interface command lets you enable the DHCP relay agent to change the first default router address (in the packet sent from the DHCP server) to the address of interface.
If there is no default router option in the packet, the security appliance adds one containing the address of interface. This action allows the client to set its default route to point to the security appliance.
When you do not configure the dhcprelay setroute interface command (and there is a default router option in the packet), it passes through the security appliance with the router address unaltered.
Examples
The following example shows how to use the dhcprelay setroute command to set the default gateway in the DHCP reply from the external DHCP server to the inside interface of the security appliance:
hostname(config)# dhcprelay server 10.1.1.1 outsidehostname(config)# dhcprelay timeout 90hostname(config)# dhcprelay setroute insidehostname(config)# dhcprelay enable insideRelated Commands
dhcprelay timeout
To set the DHCP relay agent timeout value, use the dhcprelay timeout command in global configuration mode. To restore the timeout value to its default value, use the no form of this command.
dhcprelay timeout seconds
no dhcprelay timeout
Syntax Description
Defaults
The default value for the dhcprelay timeout is 60 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
The dhcprelay timeout command lets you set the amount of time, in seconds, allowed for responses from the DHCP server to pass to the DHCP client through the relay binding structure.
Examples
The following example shows how to configure the DHCP relay agent for a DHCP server with an IP address of 10.1.1.1 on the outside interface of the security appliance, client requests on the inside interface of the security appliance, and a timeout value up to 90 seconds:
hostname(config)# dhcprelay server 10.1.1.1 outsidehostname(config)# dhcprelay timeout 90hostname(config)# dhcprelay enable insidehostname(config)# show running-config dhcprelaydhcprelay server 10.1.1.1 outsidedhcprelay enable insidedhcprelay timeout 90Related Commands
dir
To display the directory contents, use the dir command in privileged EXEC mode.
dir [/all] [all-filesystems] [/recursive] [disk0: | disk1: | flash: | system:] [path]
Syntax Description
Defaults
If you do not specify a directory, the directory is the current working directory by default.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
The dir command without keywords or arguments displays the directory contents of the current directory.
Examples
The following example shows how to display the directory contents:
hostname# dirDirectory of disk0:/1 -rw- 1519 10:03:50 Jul 14 2003 my_context.cfg2 -rw- 1516 10:04:02 Jul 14 2003 my_context.cfg3 -rw- 1516 10:01:34 Jul 14 2003 admin.cfg60985344 bytes total (60973056 bytes free)This example shows how to display recursively the contents of the entire file system:
hostname# dir /recursive disk0:Directory of disk0:/*1 -rw- 1519 10:03:50 Jul 14 2003 my_context.cfg2 -rw- 1516 10:04:02 Jul 14 2003 my_context.cfg3 -rw- 1516 10:01:34 Jul 14 2003 admin.cfg60985344 bytes total (60973056 bytes free)This example shows how display the contents of the Flash partition:
hostname# dir flash:Directory of disk0:/*1 -rw- 1519 10:03:50 Jul 14 2003 my_context.cfg2 -rw- 1516 10:04:02 Jul 14 2003 my_context.cfg3 -rw- 1516 10:01:34 Jul 14 2003 admin.cfg60985344 bytes total (60973056 bytes free)Related Commands
cd
Changes the current working directory to the one specified.
pwd
Displays the current working directory.
mkdir
Creates a directory.
rmdir
Removes a directory.
disable
To exit privileged EXEC mode and return to unprivileged EXEC mode, use the disable command in privileged EXEC mode.
disable
Syntax Description
This command has no arguments or keywords.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Use the enable command to enter privileged mode. The disable command allows you to exit privileged mode and returns you to unprivileged mode.
Examples
The following example shows how to enter privileged mode:
hostname> enablehostname#The following example shows how to exit privileged mode:
hostname# disablehostname>Related Commands
distance ospf
To define OSPF route administrative distances based on route type, use the distance ospf command in router configuration mode. To restore the default values, use the no form of this command.
distance ospf [intra-area d1] [inter-area d2] [external d3]
no distance ospf
Syntax Description
Defaults
The default values for d1, d2, and d3 are 110.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
You must specify at least one keyword and argument. You can enter the commands for each type of administrative distance separately, however they appear as a single command in the configuration. If you reenter an administrative distance, the administrative distance for only that route type changes; the administrative distances for any other route types remain unaffected.
The no form of the command does not take any keywords or arguments. Using the no form of the command restores the default administrative distance for all of the route types. If you want to restore the default administrative distance for a single route type when you have multiple route types configured, you can do one of the following:
•
•
Examples
The following example sets the administrative distance of external routes to 150:
hostname(config-router)# distance ospf external 105hostname(config-router)#The following example shows how entering separate commands for each route type appears as a single command in the router configuration:
hostname(config-router)# distance ospf intra-area 105 inter-area 105hostname(config-router)# distance ospf intra-area 105hostname(config-router)# distance ospf external 105hostname(config-router)# exithostname(config)# show running-config router ospf 1!router ospf 1distance ospf intra-area 105 inter-area 105 external 105!hostname(config)#The following example shows how to set each administrative distance to 105, and then change only the external administrative distance to 150. The show running-config router ospf command shows how only the external route type value changed, while the other route types retained the value previously set.
hostname(config-router)# distance ospf external 105 intra-area 105 inter-area 105hostname(config-router)# distance ospf external 150hostname(config-router)# exithostname(config)# show running-config router ospf 1!router ospf 1distance ospf intra-area 105 inter-area 105 external 150!hostname(config)#Related Commands
router ospf
Enters router configuration mode.
show running-config router
Displays the commands in the global router configuration.
dns domain-lookup
To enable the security appliance to send DNS requests to a DNS server to perform a name lookup for supported commands, use the dns domain-lookup command in global configuration mode. To disable DNS lookup, use the no form of this command.
dns domain-lookup interface_name
no dns domain-lookup interface_name
Syntax Description
Defaults
DNS lookup is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the dns name-server command to configure the DNS server addresses to which you want to send DNS requests. See the dns name-server command for a list of commands that support DNS lookup.
The security appliance maintains a cache of name resolutions that consists of dynamically learned entries. Instead of making queries to external DNS servers each time an hostname-to-IP-address translation is needed, the security appliance caches information returned from external DNS requests. The security appliance only makes requests for names that are not in the cache. The cache entries time out automatically according to the DNS record expiration, or after 72 hours, whichever comes first.
Examples
The following example enables DNS lookup on the inside interface:
hostname(config)# dns domain-lookup insideRelated Commands
dns-guard
To enable the DNS guard function, use the dns-guard command in global configuration mode. To disable the DNS guard feature, use the no form of this command.
dns-guard
no dns-guard
Defaults
This command is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
DNS guard tears down the DNS session associated with a DNS request as soon as the DNS response is forwarded by the security appliance. DNS guard also monitors the message exchange to ensure that the ID of the DNS response matches the ID of the DNS request.
The dns-guard command provides the capability to turn on or off the DNS guard function when DNS inspection is not enabled (when the inspect dns command is not configured). This command is only effective on the interfaces without DNS inspection. When DNS inspection is effective, the DNS guard function is always performed.
DNS guard is enabled together with the inspect dns command or the fixup protocol dns in earlier versions, and remains active when the inspection is disabled. This is still the default behavior, but now you have the option to disable this function.
Examples
The following example shows how to enable DNS guard:
hostname(config)# dns-guardThe following example shows how to disable DNS guard:
hostname(config)# no dns-guardRelated Commands
dns name-server
To identify one or more DNS servers, use the dns name-server command in global configuration mode. To remove a server, use the no form of this command. The security appliance uses DNS to resolve server names in your WebVPN configuration or certificate configuration (see "Usage Guidelines" for a list of supported commands). Other features that define server names (such as AAA) do not support DNS resolution. You must enter the IP address or manually resolve the name to an IP address by using the name command.
dns name-server ip_address [ip_address2] [...] [ip_address6]
no dns name-server ip_address [ip_address2] [...] [ip_address6]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
To enable DNS lookup, configure the dns domain-lookup command. If you do not enable DNS lookup, the DNS servers are not used.
WebVPN commands that support DNS resolution include the following:
•
•
•
•
•
Certificate commands that support DNS resolution include the following:
•
•
You can manually enter names and IP addresses using the name command.
See the dns retries command to set how many times the security appliance tries the list of DNS servers.
Examples
The following example adds three DNS servers:
hostname(config)# dns name-server 10.1.1.1 10.2.3.4 192.168.5.5The security appliance saves the configuration as separate commands, as follows:
dns name-server 10.1.1.1dns name-server 10.2.3.4dns name-server 192.168.5.5To add two additional servers, you can enter them as one command:
hostname(config)# dns name-server 10.5.1.1 10.8.3.8hostname(config)# show running-config dnsdns name-server 10.1.1.1dns name-server 10.2.3.4dns name-server 192.168.5.5dns name-server 10.5.1.1dns name-server 10.8.3.8...Or you can enter them as two commands:
hostname(config)# dns name-server 10.5.1.1hostname(config)# dns name-server 10.8.3.8To delete multiple servers you can enter them as multiple commands or as one command, as follows:
hostname(config)# no dns name-server 10.5.1.1 10.8.3.8Related Commands
dns retries
To specify the number of times to retry the list of DNS servers when the security appliance does not receive a response, use the dns retries command in global configuration mode. To restore the default setting, use the no form of this command.
dns retries number
no dns retries [number]
Syntax Description
Defaults
The default number of retries is 2.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Add DNS servers using the dns name-server command.
Examples
The following example sets the number of retries to 0. The security appliance only tries each server one time.
hostname(config)# dns retries 0Related Commands
dns timeout
To specify the amount of time to wait before trying the next DNS server, use the dns timeout command in global configuration mode. To restore the default timeout, use the no form of this command.
dns timeout seconds
no dns timeout [seconds]
Syntax Description
Defaults
The default timeout is 2 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Examples
The following example sets the timeout to 1 second:
hostname(config)# dns timeout 1Related Commands
dns-server
To set the IP address of the primary and secondary DNS servers, use the dns-server command in group-policy mode. To remove the attribute from the running configuration, use the no form of this command. This option allows inheritance of a DNS server from another group policy. To prevent inheriting a server, use the dns-server none command.
dns-server {value ip_address [ip_address] | none}
no dns-server
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy
•
—
•
—
—
Command History
Usage Guidelines
Every time you issue the dns-server command you overwrite the existing setting. For example, if you configure DNS server x.x.x.x and then configure DNS server y.y.y.y, the second command overwrites the first, and y.y.y.y becomes the sole DNS server. The same holds true for multiple servers. To add a DNS server rather than overwrite previously configured servers, include the IP addresses of all DNS servers when you enter this command.
Examples
The following example shows how to configure DNS servers with the IP addresses 10.10.10.15, 10.10.10.30, and 10.10.10.45 for the group policy named FirstGroup.
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# dns-server value 10.10.10.15 10.10.10.30 10.10.10.45
domain-name
To set the default domain name, use the domain-name command in global configuration mode. To remove the domain name, use the no form of this command. The security appliance appends the domain name as a suffix to unqualified names. For example, if you set the domain name to "example.com," and specify a syslog server by the unqualified name of "jupiter," then the security appliance qualifies the name to "jupiter.example.com."
domain-name name
no domain-name [name]
Syntax Description
Defaults
The default domain name is default.domain.invalid.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
For multiple context mode, you can set the domain name for each context, as well as within the system execution space.
Examples
The following example sets the domain as example.com:
hostname(config)# domain-name example.comRelated Commands
downgrade
To downgrade to a previous version of the operating system software (software image), use the downgrade command in privileged EXEC mode.
Caution
downgrade image_url [activation-key [flash | 4-part_key | file]] [config start_config_url]
Syntax Description
Defaults
If the activation-key keyword is not specified, the security appliance tries to use the last four-part activation key used. If the security appliance cannot find a four-part activation key in Flash, the command is rejected and an error message displays. In this case, a valid four-part activation-key must be specified at the command line next time. The default activation key or the user specified activation key is compared with the activation key currently in effect. If there is a potential loss of features by using the chosen activation key, a warning displays with the list of features that could be lost after downgrade.
The security appliance uses downgrade.cfg by default if the startup configuration file is not specified.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
Command History
Usage Guidelines
This command is not supported on Cisco ASA 5500 series security appliances.
Caution
Recovering corrupt Flash memory requires direct console access. See the format command for more information.
Examples
The following example downgrades the software to Release 6.3.3:
hostname# downgrade tftp://17.13.2.25//tftpboot/mananthr/cdisk.6.3.3 activation-key 32c261f3 062afe24 c94ef2ea 0e299a3fThis command will reformat the flash and automatically reboot the system.Do you wish to continue? [confirm]Buffering image!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Buffering startup configAll items have been buffered successfully.If the flash reformat is interrupted or fails, data in flash will be lostand the system might drop to monitor mode.Do you wish to continue? [confirm]Installing the correct file system for the image and saving the buffered data!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Flash downgrade succeededRebooting....Enter zero actkey:The following example shows what happens if you enter an invalid activation key:
hostname# downgrade tftp://17.13.2.25//tftpboot/mananthr/cdisk.6.3.3 activation-key0 0 0 0This command will reformat the flash and automatically reboot the system.Do you wish to continue? [confirm]Buffering image!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Error: activation key entered is invalid.Enter the file option when there is no actkey in the source image (happens if the source is in tftp server).The following example shows what happens if you specify the activation key in the source image and it does not exist:
hostname# downgrade tftp://17.13.2.25//tftpboot/mananthr/cdisk.6.3.3 activation-key fileThis command will reformat the flash and automatically reboot the system.Do you wish to continue? [confirm]Buffering image!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Activation key does not exist in the source image.Please use the activation-key option to specify an activation key.The following example shows how to abort the downgrade procedure at the final prompt:
hostname# downgrade tftp://17.13.2.25//tftpboot/mananthr/cdisk.6.3.3This command will reformat the flash and automatically reboot the system.Do you wish to continue? [confirm]Buffering image!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Buffering startup configAll items have been buffered successfully.If the flash reformat is interrupted or fails, data in flash will be lostand the system might drop to monitor mode.Do you wish to continue? [confirm] ===<typed n here>Downgrade process terminated.To downgrade, the software version must be less than 7.0. The following example shows a failed attempt at downgrading the software:
hostname# downgrade tftp://17.13.2.25//scratch/views/test/target/sw/cdiskThis command will reformat the flash and automatically reboot the system.Do you wish to continue? [confirm]Buffering image!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Error: Need to use an image with version less than 7-0-0-0.The following example shows what happens if you specify an image and do not verify the activation key:
hostname# downgrade tftp://17.13.2.25//tftpboot/mananthr/cdisk.4.4.1-relThis command will reformat the flash and automatically reboot the system.Do you wish to continue? [confirm]Buffering image!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Image checksum has not been verified !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Warning: Activation key not verified.Key 32c261f3 633fe24 c94ef2ea e299a3f might be incompatible with the image version4-4-1-0.Do you wish to continue? [confirm]Downgrade process terminated.Please enter an activation-key in the command line.The following example shows what happens if the four-part activation key does not have all the features that the current five-part activation key has:
hostname# downgrade tftp://17.13.2.25//tftpboot/mananthr/cdisk.6.3.3This command will reformat the flash and automatically reboot the system.Do you wish to continue? [confirm]Buffering image!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!The following features available in current activation key in flashare NOT available in 4 tuple activation key in flash:VPN-3DES-AESGTP/GPRS5 Security ContextsFailover is different:current activation key in flash: UR(estricted)4 tuple activation key in flash: R(estricted)Some features might not work in the downgraded image if this key is used.Do you wish to continue? [confirm]Downgrade process terminated.Please enter an activation-key in the command line.Related Commands
copy running-config startup-config
Saves the current running configuration to Flash memory.
drop
To drop specified GTP messages, use the drop command in GTP map configuration mode, which is accessed by using the gtp-map command. Use the no form to remove the command.
drop {apn access_point_name | message message_id | version version}
no drop {apn access_point_name | message message_id | version version}
Syntax Description
Defaults
All messages with valid message IDs, APNs, and version are inspected.
Any APN is allowed.
Command Modes
The following table shows the modes in which you can enter the command:
GTP map configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the drop message command to drop specific GTP messages that you do not want to allow in your network.
Use the drop apn command to drop GTP messages with the specified access point. Use the drop version command to drop GTP messages with the specified version.
Examples
The following example drops traffic to message ID 20:
hostname(config)# gtp-map qtp-policyhostname(config-gtpmap)# drop message 20Related Commands
duplex
To set the duplex of a copper (RJ-45) Ethernet interface, use the duplex command in interface configuration mode. To restore the duplex setting to the default, use the no form of this command.
duplex {auto | full | half}
no duplex
Syntax Description
auto
Auto-detects the duplex mode.
full
Sets the duplex mode to full duplex.
half
Sets the duplex mode to half duplex.
Defaults
The default is auto detect.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
—
•
Command History
7.0
This command was moved from a keyword of the interface command to an interface configuration mode command.
Usage Guidelines
Set the duplex mode on the physical interface only.
The duplex command is not available for fiber media.
If your network does not support auto detection, set the duplex mode to a specific value.
For RJ-45 interfaces on the ASA 5500 series adaptive security appliance, the default auto-negotiation setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled.
Examples
The following example sets the duplex mode to full duplex:
hostname(config)# interface gigabitethernet0/1hostname(config-if)# speed 1000hostname(config-if)# duplex fullhostname(config-if)# nameif insidehostname(config-if)# security-level 100hostname(config-if)# ip address 10.1.1.1 255.255.255.0hostname(config-if)# no shutdownRelated Commands
To include the indicated email address in the Subject Alternative Name extension of the certificate during enrollment, use the email command in crypto ca trustpoint configuration mode. To restore the default setting, use the no form of the command.
email address
no email
Syntax Description
Defaults
The default setting is not set.
Command Modes
The following table shows the modes in which you can enter the
Crypto ca trustpoint configuration
•
•
•
command:
Command History
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint central, and includes the email address jjh@nhf.net in the enrollment request for trustpoint central:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# email jjh@nhf.nethostname(ca-trustpoint)#Related Commands
enable
To enter privileged EXEC mode, use the enable command in user EXEC mode.
enable [level]
Syntax Description
Defaults
Enters privilege level 15 unless you are using command authorization, in which case the default level depends on the level configured for your username.
Command Modes
The following table shows the modes in which you can enter the command:
User EXEC
•
•
•
•
•
Command History
Usage Guidelines
The default enable password is blank. See the enable password command to set the password.
To use privilege levels other than the default of 15, configure local command authorization (see the aaa authorization command command and specify the LOCAL keyword), and set the commands to different privilege levels using the privilege command. If you do not configure local command authorization, the enable levels are ignored, and you have access to level 15 regardless of the level you set. See the show curpriv command to view your current privilege level.
Levels 2 and above enter privileged EXEC mode. Levels 0 and 1 enter user EXEC mode.
Enter the disable command to exit privileged EXEC mode.
Examples
The following example enters privileged EXEC mode:
hostname> enablePassword: Pa$$w0rdhostname#The following example enters privileged EXEC mode for level 10:
hostname> enable 10Password: Pa$$w0rd10hostname#Related Commands
enable (webvpn)
To enable WebVPN or e-mail proxy access on a previously configured interface, use the enable command. For WebVPN, use this command in webvpn mode. For e-mail proxies (IMAP4S. POP3S, SMTPS), use this command in the applicable e-mail proxy mode. To disable WebVPN on an interface, use the no version of the command.
enable ifname
no enable
Syntax Description
ifname
Identifies the previously configured inteface. Use the nameif command to configure interfaces.
Defaults
WebVPN is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn
•
—
•
—
—
Imap4s
•
—
•
—
—
Pop3s
•
—
•
—
—
SMTPS
•
—
•
—
—
Command History
Examples
The following example shows how to enable WebVPN on the interface named Outside:
hostname(config)# webvpnhostname(config-webvpn)# enable OutsideThe following example shows how to configure POP3S e-mail proxy on the interface named Outside:
hostname(config)# pop3shostname(config-pop3s)# enable Outside
enable password
To set the enable password for privileged EXEC mode, use the enable password command in global configuration mode. To remove the password for a level other than 15, use the no form of this command. You cannot remove the level 15 password.
enable password password [level level] [encrypted]
no enable password level level
Syntax Description
Defaults
The default password is blank. The default level is 15.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
The default password for enable level 15 (the default level) is blank. To reset the password to be blank, do not enter any text for the password.
For multiple context mode, you can create an enable password for the system configuration as well as for each context.
To use privilege levels other than the default of 15, configure local command authorization (see the aaa authorization command command and specify the LOCAL keyword), and set the commands to different privilege levels using the privilege command. If you do not configure local command authorization, the enable levels are ignored, and you have access to level 15 regardless of the level you set. See the show curpriv command to view your current privilege level.
Levels 2 and above enter privileged EXEC mode. Levels 0 and 1 enter user EXEC mode.
Examples
The following example sets the enable password to Pa$$w0rd:
hostname(config)# enable password Pa$$w0rdThe following example sets the enable password to Pa$$w0rd10 for level 10:
hostname(config)# enable password Pa$$w0rd10 level 10The following example sets the enable password to an encrypted password that you copied from another security appliance:
hostname(config)# enable password jMorNbK0514fadBh encryptedRelated Commands
enforcenextupdate
To specify how to handle the NextUpdate CRL field, use the enforcenextupdate command in ca-crl configuration mode. If set, this command requires CRLs to have a NextUpdate field that has not yet lapsed. If not used, the security appliance allows a missing or lapsed NextUpdate field in a CRL.
To permit a lapsed or missing NextUpdate field, use the no form of this command.
enforcenextupdate
no enforcenextupdate
Syntax Description
Defaults
The default setting is enforced (on).
Command Modes
The following table shows the modes in which you can enter the command:
CRL configuration
•
•
•
•
•
Command History
Examples
The following example enters ca-crl configuration mode, and requires CRLs to have a NextUpdate field that has not expired for trustpoint central:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# crl configurehostname(ca-crl)# enforcenextupdatehostname(ca-crl)#Related Commands
cache-time
Specifies a cache refresh time in minutes.
crl configure
Enters ca-crl configuration mode.
crypto ca trustpoint
Enters trustpoint configuration mode.
enrollment retry count
To specify a retry count, use the enrollment retry count command in Crypto ca trustpoint configuration mode. After requesting a certificate, the security appliance waits to receive a certificate from the CA. If the security appliance does not receive a certificate within the configured retry period, it sends another certificate request. The security appliance repeats the request until either it receives a response or reaches the end of the configured retry period.
To restore the default setting of the retry count, use the no form of the command.
enrollment retry count number
no enrollment retry count
Syntax Description
number
The maximum number of attempts to send an enrollment request. The valid range is 0, 1-100 retries.
Defaults
The default setting for number is 0 (unlimited).
Command Modes
The following table shows the modes in which you can enter the command:
Crypto ca trustpoint configuration
•
•
•
•
—
Command History
Usage Guidelines
This command is optional and applies only when automatic enrollment is configured.
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint central, and configures an enrollment retry count of 20 retries within trustpoint central:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# enrollment retry count 20hostname(ca-trustpoint)#Related Commands
enrollment retry period
To specify a retry period, use the enrollment retry period command in crypto ca trustpoint configuration mode. After requesting a certificate, the security appliance waits to receive a certificate from the CA. If the security appliance does not receive a certificate within the specified retry period, it sends another certificate request.
To restore the default setting of the retry period, use the no form of the command.
enrollment retry period minutes
no enrollment retry period
Syntax Description
minutes
The number of minutes between attempts to send an enrollment request. the valid range is 1- 60 minutes.
Defaults
The default setting is 1 minute.
Command Modes
The following table shows the modes in which you can enter the command:
Crypto ca trustpoint configuration
•
•
•
•
•
Command History
Usage Guidelines
This command is optional and applies only when automatic enrollment is configured.
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint central, and configures an enrollment retry period of 10 minutes within trustpoint central:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# enrollment retry period 10hostname(ca-trustpoint)#Related Commands
enrollment terminal
To specify cut and paste enrollment with this trustpoint (also known as manual enrollment), use the enrollment terminal command in crypto ca trustpoint configuration mode. To restore the default setting of the command, use the no form of the command.
enrollment terminal
no enrollment terminal
Syntax Description
Defaults
The default setting is off.
Command Modes
The following table shows the modes in which you can enter the command:
Crypto ca trustpoint configuration
•
•
•
•
—
Command History
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint central, and specifies the cut and paste method of CA enrollment for trustpoint central:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# enrollment terminalhostname(ca-trustpoint)#Related Commands
enrollment url
To specify automatic enrollment (SCEP) to enroll with this trustpoint and to configure the enrollment URL, use the enrollment url command in crypto ca trustpoint configuration mode. To restore the default setting of the command, use the no form of the command.
enrollment url url
no enrollment url
Syntax Description
url
Specifies the name of the URL for automatic enrollment. The maximum length is 1K characters (effectively unbounded).
Defaults
The default setting is off.
Command Modes
The following table shows the modes in which you can enter the command:
Crypto ca trustpoint configuration
•
•
•
•
•
Command History
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint central, and specifies SCEP enrollment at the URL https://enrollsite for trustpoint central:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# enrollment url https://enrollsitehostname(ca-trustpoint)#Related Commands
erase
To erase and reformat the file system, use the erase command in privileged EXEC mode. This command overwrites all files and erases the file system, including hidden system files, and then reinstalls the file system.
erase [disk0: | disk1: | flash:]
Syntax Description
Defaults
This command has no default settings.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
The erase command erases all data on the Flash memory using the OxFF pattern and then rewrites an empty file system allocation table to the device.
To delete all visible files (excluding hidden system files), enter the delete /recursive command, instead of the erase command.
Note
Examples
The following example erases and reformats the file system:
hostname# erase flash:Related Commands
delete
Removes all visible files, excluding hidden system files.
format
Erases all files (including hidden system files) and formats the file system.
established
To permit return connections on ports that are based on an established connection, use the established command in global configuration mode. To disable the established feature, use the no form of this command.
established est_protocol dport [sport] [permitto protocol port [-port]] [permitfrom protocol port[-port]]
no established est_protocol dport [sport] [permitto protocol port [-port]] [permitfrom protocol port[-port]]
Syntax Description
Defaults
The defaults are as follows:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
7.0
The keywords to and from were removed from the CLI. Use the keywords permitto and permitfrom instead.
Usage Guidelines
The established command lets you permit return access for outbound connections through the security appliance. This command works with an original connection that is outbound from a network and protected by the security appliance and a return connection that is inbound between the same two devices on an external host. The established command lets you specify the destination port that is used for connection lookups. This addition allows more control over the command and provides support for protocols where the destination port is known, but the source port is unknown. The permitto and permitfrom keywords define the return inbound connection.
Caution
The following potential security violations could occur if you do not use the established command correctly.
This example shows that if an internal system makes a TCP connection to an external host on port 4000, then the external host could come back in on any port using any protocol:
hostname(config)# established tcp 0 4000You can specify the source and destination ports as 0 if the protocol does not specify which ports are used. Use wildcard ports (0) only when necessary.
hostname(config)# established tcp 0 0
Note
You can use the established command with the nat 0 command (where there are no global commands).
Note
The security appliance supports XDMCP with assistance from the established command.
Caution
XDMCP is on by default, but it does not complete the session unless you enter the established command as follows:
hostname(config)# established tcp 0 6000 to tcp 6000 from tcp 1024-65535Entering the established command enables the internal XDMCP-equipped (UNIX or ReflectionX) hosts to access external XDMCP-equipped XWindows servers. UDP/177-based XDMCP negotiates a TCP-based XWindows session, and subsequent TCP back connections are permitted. Because the source port(s) of the return traffic is unknown, specify the sport field as 0 (wildcard). The dport should be 6000 + n, where n represents the local display number. Use this UNIX command to change this value:
hostname(config)# setenv DISPLAY hostname:displaynumber.screennumberThe established command is needed because many TCP connections are generated (based on user interaction) and the source port for these connections is unknown. Only the destination port is static. The security appliance performs XDMCP fixups transparently. No configuration is required, but you must enter the established command to accommodate the TCP session.
Examples
This example shows a connection between two hosts using protocol A from the SRC port B destined for port C. To permit return connections through the security appliance and protocol D (protocol D can be different from protocol A), the source port(s) must correspond to port F and the destination port(s) must correspond to port E.
hostname(config)# established A B C permitto D E permitfrom D FThis example shows how a connection is started by an internal host to an external host using TCP source port 6060 and any destination port. The security appliance permits return traffic between the hosts through TCP destination port 6061 and TCP source port 6059.
hostname(config)# established tcp 6060 0 permitto tcp 6061 permitfrom tcp 6059This example shows how a connection is started by an internal host to an external host using UDP destination port 6060 and any source port. The security appliance permits return traffic between the hosts through TCP destination port 6061 and TCP source port 1024-65535.
hostname(config)# established udp 0 6060 permitto tcp 6061 permitfrom tcp 1024-65535This example shows how a local host 10.1.1.1 starts a TCP connection on port 9999 to a foreign host 209.165.201.1. The example allows packets from the foreign host 209.165.201.1 on port 4242 back to local host 10.1.1.1 on port 5454.
hostname(config)# established tcp 9999 permitto tcp 5454 permitfrom tcp 4242This example shows how to allow packets from foreign host 209.165.201.1 on any port back to local host 10.1.1.1 on port 5454:
hostname(config)# established tcp 9999 permitto tcp 5454Related Commands
clear configure established
Removes all established commands.
show running-config established
Displays the allowed inbound connections that are based on established connections.
exceed-mss
To allow or drop packets whose data length exceedx the TCP maximum segment size set by the peer during a three-way handshake, use the exceed-mss command in tcp-map configuration mode. To remove this specification, use the no form of this command.
exceed-mss {allow | drop}
no exceed-mss {allow | drop}
Syntax Description
Defaults
Packets are dropped by default.
Command Modes
The following table shows the modes in which you can enter the command:
Tcp-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The tcp-map command is used along with the Modular Policy Framework infrastructure. Define the class of traffic using the class-map command and customize the TCP inspection with tcp-map commands. Apply the new TCP map using the policy-map command. Activate TCP inspection with service-policy commands.
Use the tcp-map command to enter tcp-map configuration mode. Use the exceed-mss command in tcp-map configuration mode to drop TCP packets whose data length exceed the TCP maximum segment size set by the peer during a three-way handshake.
Examples
The following example allows flows on port 21 to send packets in excess of MSS:
hostname(config)# tcp-map tmaphostname(config-tcp-map)# exceed-mss allowhostname(config)# class-map cmaphostname(config-cmap)# match port tcp eq ftphostname(config)# policy-map pmaphostname(config-pmap)# class cmaphostname(config-pmap)# set connection advanced-options tmaphostname(config)# service-policy pmap globalRelated Commands
exit
To exit the current configuration mode, or to logout from privileged or user EXEC modes, use the exit command.
exit
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
User EXEC
•
•
•
•
•
Command History
Usage Guidelines
You can also use the key sequence Ctrl Z to exit global configuration (and higher) modes. This key sequence does not work with privileged or user EXEC modes.
When you enter the exit command in privileged or user EXEC modes, you log out from the security appliance. Use the disable command to return to user EXEC mode from privileged EXEC mode.
Examples
The following example shows how to use the exit command to exit global configuration mode, and then logout from the session:
hostname(config)# exithostname# exitLogoffThe following example shows how to use the exit command to exit global configuration mode, and then use the disable command to exit privileged EXEC mode:
hostname(config)# exithostname# disablehostname>Related Commands
failover
To enable failover, use the failover command in global configuration mode. To disable failover, use the no form of this command.
failover
no failover
Syntax Description
This command has no arguments or keywords.
Defaults
Failover is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
7.0
This command was limited to enable or disable failover in the configuration (see the failover active command).
Usage Guidelines
Use the no form of this command to disable failover.
Caution
Examples
The following example disables failover:
hostname(config)# no failoverhostname(config)#Related Commands
failover active
To switch a standby security appliance or failover group to the active state, use the failover active command in privileged EXEC mode. To switch an active security appliance or failover group to standby, use the no form of this command.
failover active [group group_id]
no failover active [group group_id]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
Use the failover active command to initiate a failover switch from the standby unit, or use the no failover active command from the active unit to initiate a failover switch. You can use this feature to return a failed unit to service, or to force an active unit offline for maintenance. If you are not using stateful failover, all active connections are dropped and must be reestablished by the clients after the failover occurs.
Switching for a failover group is available only for Active/Active failover. If you enter the failover active command on an Active/Active failover unit without specifying a failover group, all groups on the unit become active.
Examples
The following example switches the standby group 1 to active:
hostname# failover active group 1Related Commands
failover group
To configure an Active/Active failover group, use the failover group command in global configuration mode. To remove a failover group, use the no form of this command.
failover group num
no failover group num
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
—
—
•
Command History
Usage Guidelines
You can define a maximum of 2 failover groups. The failover group command can only be added to the system context of devices configured for multiple context mode. You can create and remove failover groups only when failover is disabled.
Entering this command puts you in the failover group command mode. The primary, secondary, preempt, replication http, interface-policy, mac address, and polltime interface commands are available in the failover group configuration mode. Use the exit command to return to global configuration mode.
Note
When removing failover groups, you must remove failover group 1 last. Failover group 1 always contains the admin context. Any context not assigned to a failover group defaults to failover group 1. You cannot remove a failover group that has contexts explicitly assigned to it.
Note
Examples
The following partial example shows a possible configuration for two failover groups:
hostname(config)# failover group 1hostname(config-fover-group)# primaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# exithostname(config)# failover group 2hostname(config-fover-group)# secondaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# exithostname(config)#Related Commands
failover interface ip
To specify the IP address and mask for the failover interface and the Stateful Failover interface, use the failover interface ip command in global configuration mode. To remove the IP address, use the no form of this command.
failover interface ip if_name ip_address mask standby ip_address
no failover interface ip if_name ip_address mask standby ip_address
Syntax Description
Defaults
Not configured.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
Failover and stateful failover interfaces are functions of Layer 3, even when the security appliance is operating in transparent firewall mode, and are global to the system.
In multiple context mode, you configure failover in the system context (except for the monitor-interface command).
This command must be part of the configuration when bootstrapping a security appliance for LAN failover.
Examples
The following example shows how to specify the IP address and mask for the failover interface:
hostname(config)# failover interface ip lanlink 172.27.48.1 255.255.255.0 standby 172.27.48.2Related Commands
failover interface-policy
To specify the policy for failover when monitoring detects an interface failure, use the failover interface-policy command in global configuration mode. To restore the default, use the no form of this command.
failover interface-policy num[%]
no failover interface-policy num[%]
Syntax Description
Defaults
The defaults are as follows:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
There is no space between the num argument and the optional % keyword.
If the number of failed interfaces meets the configured policy and the other security appliance is functioning properly, the security appliance will mark itself as failed and a failover may occur (if the active security appliance is the one that fails). Only interfaces that are designated as monitored by the monitor-interface command count towards the policy.
Note
Examples
The following examples show two ways to specify the failover policy:
hostname(config)# failover interface-policy 20%hostname(config)# failover interface-policy 5Related Commands
failover key
To specify the key for encrypted and authenticated communication between units in a failover pair, use the failover key command in global configuration mode. To remove the key, use the no form of this command.
failover key {secret | hex key}
no failover key
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
7.0(1)
This command was modified from failover lan key to failover key.
7.0(4)
This command was modified to include the hex key keyword and argument.
Usage Guidelines
To encrypt and authenticate failover communications between the units, you must configure both units with a shared secret or hexadecimal key. If you do not specify a failover key, failover communication is transmitted in the clear.
Note
Caution
Examples
The following example shows how to specify a shared secret for securing failover communication between units in a failover pair:
hostname(config)# failover key abcdefgThe following example shows how to specify a hexadecimal key for securing failover communication between two units in a failover pair:
hostname(config)# failover key hex 6a1ed228381cf5c68557cb0c32e614dcRelated Commands
show running-config failover
Displays the failover commands in the running configuration.
failover lan enable
To enable lan-based failover on the PIX security appliance, use the failover lan enable command in global configuration mode. To disable LAN-based failover, use the no form of this command.
failover lan enable
no failover lan enable
Syntax Description
This command has no arguments or keywords.
Defaults
Not enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
When LAN-based failover is disabled using the no form of this command, cable-based failover is used if the failover cable is installed. This command is available on the PIX security appliance only.
Caution
Examples
The following example enables LAN-based failover:
hostname(config)# failover lan enableRelated Commands
failover lan interface
To specify the interface used for failover communication, use the failover lan interface command in global configuration mode. To remove the failover interface, use the no form of this command.
failover lan interface if_name phy_if
no failover lan interface if_name phy_if
Syntax Description
if_name
Specifies the name of the security appliance interface dedicated to failover.
phy_if
Specifies the physical or logical interface port.
Defaults
Not configured.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
LAN failover requires a dedicated interface for passing failover traffic. However you can also use the LAN failover interface for the Stateful Failover link.
Note
You can use any unused Ethernet interface on the device as the failover interface. You cannot specify an interface that is currently configured with a name. The failover interface is not configured as a normal networking interface; it exists only for failover communications. This interface should only be used for the failover link (and optionally for the state link). You can connect the LAN-based failover link by using a dedicated switch with no hosts or routers on the link or by using a crossover Ethernet cable to link the units directly.
Note
On systems running in multiple context mode, the failover link resides in the system context. This interface and the state link, if used, are the only interfaces that you can configure in the system context. All other interfaces are allocated to and configured from within security contexts.
Note
The no form of this command also clears the failover interface IP address configuration.
This command must be part of the configuration when bootstrapping a security appliance for LAN failover.
Examples
The following example configures the failover LAN interface:
hostname(config)# failover lan interface folink e4Related Commands
failover lan unit
To configure the security appliance as either the primary or secondary unit in a LAN failover configuration, use the failover lan unit command in global configuration mode. To restore the default setting, use the no form of this command.
failover lan unit {primary | secondary}
no failover lan unit {primary | secondary}
Syntax Description
primary
Specifies the security appliance as a primary unit.
secondary
Specifies the security appliance as a secondary unit.
Defaults
Secondary.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
For Active/Standby failover, the primary and secondary designation for the failover unit refers to which unit becomes active at boot time. The primary unit becomes the active unit at boot time when the following occurs:
•
•
If the secondary unit is already active when the primary unit boots, the primary unit does not take control; it becomes the standby unit. In this case, you need to issue the no failover active command on the secondary (active) unit to force the primary unit back to active status.
For Active/Active failover, each failover group is assigned a primary or secondary unit preference. This preference determines on which unit in the failover pair the contexts in the failover group become active at startup when both units start simultaneously (within the failover polling period).
This command must be part of the configuration when bootstrapping a security appliance for LAN failover.
Examples
The following example sets the security appliance as the primary unit in LAN-based failover:
hostname(config)# failover lan unit primaryRelated Commands
failover lan enable
Enables LAN-based failover on the PIX security appliance.
failover lan interface
Specifies the interface used for failover communication.
failover link
To specify the Stateful Failover interface, use the failover link command in global configuration mode. To remove the Stateful Failover interface, use the no form of this command.
failover link if_name [phy_if]
no failover link
Syntax Description
Defaults
Not configured.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Preexisting
This command was modified to include the phy_if argument.
7.0(4)
This command was modified to accept standard firewall interfaces.
Usage Guidelines
The physical or logical interface argument is required when not sharing the failover communication or a standard firewall interface.
The failover link command enables Stateful Failover. Enter the no failover link command to disable Stateful Failover. If you are using a dedicated Stateful Failover interface, the no failover link command also clears the Stateful Failover interface IP address configuration.
To use Stateful Failover, you must configure a Stateful Failover link to pass all state information. You have three options for configuring a Stateful Failover link:
•
•
•
If you are using a dedicated Ethernet interface for the Stateful Failover link, you can use either a switch or a crossover cable to directly connect the units. If you use a switch, no other hosts or routers should be on this link.
Note
If you are using the failover link as the Stateful Failover link, you should use the fastest Ethernet interface available. If you experience performance problems on that interface, consider dedicating a separate interface for the Stateful Failover interface.
If you use a data interface as the Stateful Failover link, you will receive the following warning when you specify that interface as the Stateful Failover link:
******* WARNING ***** WARNING ******* WARNING ****** WARNING *********Sharing Stateful failover interface with regular data interface is nota recommended configuration due to performance and security concerns.******* WARNING ***** WARNING ******* WARNING ****** WARNING *********Sharing a data interface with the Stateful Failover interface can leave you vulnerable to replay attacks. Additionally, large amounts of Stateful Failover traffic may be sent on the interface, causing performance problems on that network segment.
Note
In multiple context mode, the Stateful Failover link resides in the system context. This interface and the failover interface are the only interfaces in the system context. All other interfaces are allocated to and configured from within security contexts.
In multiple context mode, the Stateful Failover interface resides in the system context. This interface and the failover interface are the only interfaces in the system context. All other interfaces are allocated to and configured from within security contexts.
Note
Caution
Examples
The following example shows how to specify a dedicated interface as the Stateful Failover interface. The interface in the example does not have an existing configuration.
hostname(config)# failover link stateful_if e4INFO: Non-failover interface config is cleared on Ethernet4 and its sub-interfacesRelated Commands
failover mac address
To specify the failover virtual MAC address for a physical interface, use the failover mac address command in global configuration mode. To remove the virtual MAC address, use the no form of this command.
failover mac address phy_if active_mac standby_mac
no failover mac address phy_if active_mac standby_mac
Syntax Description
Defaults
Not configured.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
The failover mac address command lets you configure virtual MAC addresses for an Active/Standby failover pair. If virtual MAC addresses are not defined, then when each failover unit boots it uses the burned-in MAC addresses for its interfaces and exchanges those addresses with its failover peer. The MAC addresses for the interfaces on the primary unit are used for the interfaces on the active unit.
However, if both units are not brought online at the same time and the secondary unit boots first and becomes active, it uses the burned-in MAC addresses for its own interfaces. When the primary unit comes online, the secondary unit will obtain the MAC addresses from the primary unit. This change can disrupt network traffic. Configuring virtual MAC addresses for the interfaces ensures that the secondary unit uses the correct MAC address when it is the active unit, even if it comes online before the primary unit.
The failover mac address command is unnecessary (and therefore cannot be used) on an interface configured for LAN-based failover because the failover lan interface command does not change the IP and MAC addresses when failover occurs. This command has no effect when the security appliance is configured for Active/Active failover.
When adding the failover mac address command to your configuration, it is best to configure the virtual MAC address, save the configuration to Flash memory, and then reload the failover pair. If the virtual MAC address is added when there are active connections, then those connections stop. Also, you must write the complete configuration, including the failover mac address command, to the Flash memory of the secondary security appliance for the virtual MAC addressing to take effect.
If the failover mac address is specified in the configuration of the primary unit, it should also be specified in the bootstrap configuration of the secondary unit.
Note
Examples
The following example configures the active and standby MAC addresses for the interface named intf2:
hostname(config)# failover mac address Ethernet0/2 00a0.c969.87c8 00a0.c918.95d8Related Commands
failover polltime
To specify the failover unit and interface poll times and unit hold time, use the failover polltime command in global configuration mode. To restore the default poll time, use the no form of this command.
failover polltime [unit] [msec] time [holdtime time]
failover polltime interface time
no failover polltime [unit] [msec] time [holdtime time]
no failover polltime interface time
Syntax Description
Defaults
The defaults are as follows:
•
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
7.0
This command was changed from the failover poll command to the failover polltime command and now includes unit, interface, and holdtime keywords.
Usage Guidelines
You cannot enter a holdtime value that is less than 3 times the unit poll time. With a faster poll time, the security appliance can detect failure and trigger failover faster. However, faster detection can cause unnecessary switchovers when the network is temporarily congested.
When the unit or interface keywords are not specified, the poll time configured is for the unit.
You can include both failover polltime unit and failover polltime interface commands in the configuration.
Note
If a hello packet is not heard on the failover communication interface or cable during the hold time, the standby unit switches to active and the peer is considered failed. Five missed consecutive interface hello packets cause interface testing.
Note
Examples
The following example sets the unit poll time frequency to 3 seconds:
hostname(config)# failover polltime 3Related Commands
polltime interface
Specify the interface polltime for Active/Active failover configurations.
show failover
Displays failover configuration information.
failover reload-standby
To force the standby unit to reboot, use the failover reload-standby command in privileged EXEC mode.
failover reload-standby
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
Use this command when your failover units do not synchronize. The standby unit restarts and resynchronizes to the active unit after it finishes booting.
Examples
The following example shows how to use the failover reload-standby command on the active unit to force the standby unit to reboot:
hostname# failover reload-standbyRelated Commands
write standby
Writes the running configuration to the memory on the standby unit.
failover replication http
To enable HTTP (port 80) connection replication, use the failover replication http command in global configuration mode. To disable HTTP connection replication, use the no form of this command.
failover replication http
no failover replication http
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Preexisting
This command was changed from failover replicate http to failover replication http.
Usage Guidelines
By default, the security appliance does not replicate HTTP session information when Stateful Failover is enabled. Because HTTP sessions are typically short-lived, and because HTTP clients typically retry failed connection attempts, not replicating HTTP sessions increases system performance without causing serious data or connection loss. The failover replication http command enables the stateful replication of HTTP sessions in a Stateful Failover environment, but could have a negative effect on system performance.
In Active/Active failover configurations, you control HTTP session replication per failover group using the replication http command in failover group configuration mode.
Examples
The following example shows how to enable HTTP connection replication:
hostname(config)# failover replication httpRelated Commands
replication http
Enables HTTP session replication for a specific failover group.
show running-config failover
Displays the failover commands in the running configuration.
failover reset
To restore a failed security appliance to an unfailed state, use the failover reset command in privileged EXEC mode.
failover reset [group group_id]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
The failover reset command allows you to change the failed unit or group to an unfailed state. The failover reset command can be entered on either unit, but we recommend that you always enter the command on the active unit. Entering the failover reset command at the active unit will "unfail" the standby unit.
You can display the failover status of the unit with the show failover or show failover state commands.
There is no no version of this command.
In Active/Active failover, entering failover reset resets the whole unit. Specifying a failover group with the command resets only the specified group.
Examples
The following example shows how to change a failed unit to an unfailed state:
hostname# failover resetRelated Commands
failover interface-policy
Specifies the policy for failover when monitoring detects interface failures.
show failover
Displays information about the failover status of the unit.
failover timeout
To specify the failover reconnect timeout value for asymmetrically routed sessions, use the failover timeout command in global configuration mode. To restore the default timeout value, use the no form of this command.
failover timeout hh[:mm:[:ss]
no failover timeout [hh[:mm:[:ss]]
Syntax Description
Defaults
By default, hh, mm, and ss are 0, which prevents connections from reconnecting.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
This command is used in conjunction with the static command with the nailed option. The nailed option allows connections to be reestablished in a specified amount of time after bootup or a system goes active. The failover timeout command specifies that amount of time. If not configured, the connections cannot be reestablished. The failover timeout command does not affect the asr-group command.
Note
Enter the no form of this command restores the default value. Entering failover timeout 0 also restores the default value. When set to the default value, this command does not appear in the running configuration.
Examples
The following example switches the standby group 1 to active:
hostname(config)# failover timeout 12:30hostname(config)# show running-config failoverno failoverfailover timeout 12:30:00Related Commands
static
Configures a persistent one-to-one address translation rule by mapping a local IP address to a global IP address.
filter
To specify the name of the access list to use for WebVPN connections for this group policy or username, use the filter command in webvpn mode. To remove the access list, including a null value created by issuing the filter none command, use the no form of this command. The no option allows inheritance of a value from another group policy. To prevent inheriting filter values, use the filter value none command.
You configure ACLs to permit or deny various types of traffic for this user or group policy. You then use the filter command to apply those ACLs for WebVPN traffic.
filter {value ACLname | none}
no filter
Syntax Description
Defaults
WebVPN access lists do not apply until you use the filter command to specify them.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn mode
•
•
—
—
•
Command History
Usage Guidelines
WebVPN does not use ACLs defined in the vpn-filter command.
Examples
The following example shows how to set a filter that invokes an access list named acl_in for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# webvpnhostname(config-group-webvpn)# filter acl_inRelated Commands
filter activex
To remove ActiveX objects in HTTP traffic passing through the security appliance, use the filter activex command in global configuration mode. To remove the configuration, use the no form of this command.
filter activex {[port[-port] | except } local_ip local_mask foreign_ip foreign_mask]
no filter activex {[port[-port] | except } local_ip local_mask foreign_ip foreign_mask]
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
ActiveX objects may pose security risks because they can contain code intended to attack hosts and servers on a protected network. You can disable ActiveX objects with the filter activex command.
ActiveX controls, formerly known as OLE or OCX controls, are components you can insert in a web page or other application. These controls include custom forms, calendars, or any of the extensive third-party forms for gathering or displaying information. As a technology, ActiveX creates many potential problems for network clients including causing workstations to fail, introducing network security problems, or being used to attack servers.
The filter activex command command blocks the HTML <object> commands by commenting them out within the HTML web page. ActiveX filtering of HTML files is performed by selectively replacing the <APPLET> and </APPLET> and <OBJECT CLASSID> and </OBJECT> tags with comments. Filtering of nested tags is supported by converting top-level tags to comments.
Caution
If the <object> or </object> HTML tags split across network packets or if the code in the tags is longer than the number of bytes in the MTU, the security appliance cannot block the tag.
ActiveX blocking does not occur when users access an IP address referenced by the alias command.
Examples
The following example specifies that Activex objects are blocked on all outbound connections:
hostname(config)# filter activex 80 0 0 0 0This command specifies that the ActiveX object blocking applies to web traffic on port 80 from any local host and for connections to any foreign host.
Related Commands
\
filter ftp
To identify the FTP traffic to be filtered by a Websense server, use the filter ftp command in global configuration mode. To remove the configuration, use the no form of this command.
filter ftp {[port[-port] | except } local_ip local_mask foreign_ip foreign_mask] [allow] [interact-block]
no filter ftp {[port[-port] | except } local_ip local_mask foreign_ip foreign_mask] [allow] [interact-block]
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
The filter ftp command lets you identify the FTP traffic to be filtered by a Websense server. FTP filtering is not supported on N2H2 servers.
After enabling this feature, when a user issues an FTP GET request to a server, the security appliance sends the request to the FTP server and to the Websense server at the same time. If the Websense server permits the connection, the security appliance allows the successful FTP return code to reach the user unchanged. For example, a successful return code is "250: CWD command successful."
If the Websense server denies the connection, the security appliance alters the FTP return code to show that the connection was denied. For example, the security appliance would change code 250 to "550 Requested file is prohibited by URL filtering policy." Websense only filters FTP GET commands and not PUT commands).
Use the interactive-block option to prevent interactive FTP sessions that do not provide the entire directory path. An interactive FTP client allows the user to change directories without typing the entire path. For example, the user might enter cd ./files instead of cd /public/files. You must identify and enable the URL filtering server before using these commands.
Examples
The following example shows how to enable FTP filtering:
hostname(config)# url-server (perimeter) host 10.0.1.1hostname(config)# filter ftp 21 0 0 0 0hostname(config)# filter ftp except 10.0.2.54 255.255.255.255 0 0Related Commands
filter https
To identify the HTTPS traffic to be filtered by a Websense server, use the filter https command in global configuration mode. To remove the configuration, use the no form of this command.
filter https {[port[-port] | except } local_ip local_mask foreign_ip foreign_mask] [allow]
no filter https {[port[-port] | except } local_ip local_mask foreign_ip foreign_mask] [allow]
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
The security appliance supports filtering of HTTPS and FTP sites using an external Websense filtering server.
Note
HTTPS filtering works by preventing the completion of SSL connection negotiation if the site is not allowed. The browser displays an error message such as "The Page or the content cannot be displayed."
Because HTTPS content is encrypted, the security appliance sends the URL lookup without directory and filename information.
Examples
The following example filters all outbound HTTPS connections except those from the 10.0.2.54 host:
hostname(config)# url-server (perimeter) host 10.0.1.1hostname(config)# filter https 443 0 0 0 0hostname(config)# filter https except 10.0.2.54 255.255.255.255 0 0Related Commands
filter java
To remove Java applets from HTTP traffic passing through the security appliance, use the filter java command in global configuration mode. To remove the configuration, use the no form of this command.
filter java {[port[-port] | except } local_ip local_mask foreign_ip foreign_mask]
no filter java {[port[-port] | except } local_ip local_mask foreign_ip foreign_mask]
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
Java applets may pose security risks because they can contain code intended to attack hosts and servers on a protected network. You can remove Java applets with the filter java command.
The filter java command filters out Java applets that return to the security appliance from an outbound connection. The user still receives the HTML page, but the web page source for the applet is commented out so that the applet cannot execute.
If the applet or /applet HTML tags split across network packets or if the code in the tags is longer than the number of bytes in the MTU, the security appliance cannot block the tag. If Java applets are known to be in <object> tags, use the filter activex command to remove them.
Examples
The following example specifies that Java applets are blocked on all outbound connections:
hostname(config)# filter java 80 0 0 0 0This command specifies that the Java applet blocking applies to web traffic on port 80 from any local host and for connections to any foreign host.
The following example blocks downloading of Java applets to a host on a protected network:
hostname(config)# filter java http 192.168.3.3 255.255.255.255 0 0This command prevents host 192.168.3.3 from downloading Java applets.
Related Commands
filter url
To direct traffic to a URL filtering server, use the filter url command in global configuration mode. To remove the configuration, use the no form of this command.
filter url {[port[-port] | except } local_ip local_mask foreign_ip foreign_mask] [allow] [cgi-truncate] [longurl-truncate | longurl-deny] [proxy-block]
no filter url {[port[-port] | except } local_ip local_mask foreign_ip foreign_mask] [allow] [cgi-truncate] [longurl-truncate | longurl-deny] [proxy-block]
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
The filter url command lets you prevent outbound users from accessing World Wide Web URLs that you designate using the N2H2 or Websense filtering application.
Note
The allow option to the filter url command determines how the security appliance behaves if the N2H2 or Websense server goes off line. If you use the allow option with the filter url command and the N2H2 or Websense server goes offline, port 80 traffic passes through the security appliance without filtering. Used without the allow option and with the server off line, the security appliance stops outbound port 80 (Web) traffic until the server is back on line, or if another URL server is available, passes control to the next URL server.
Note
The N2H2 or Websense server works with the security appliance to deny users from access to websites based on the company security policy.
Using the Websense Filtering Server
Websense protocol Version 4 enables group and username authentication between a host and a security appliance. The security appliance performs a username lookup, and then Websense server handles URL filtering and username logging.
The N2H2 server must be a Windows workstation (2000, NT, or XP), running an IFP Server, with a recommended minimum of 512 MB of RAM. Also, the long URL support for the N2H2 service is capped at 3 KB, less than the cap for Websense.
Websense protocol Version 4 contains the following enhancements:
•
•
•
Information on Websense is available at the following website:
http://www.websense.com/
Configuration Procedure
Follow these steps to filter URLs:
Step 1
Step 2
Step 3
Step 4
Working with Long URLs
Filtering URLs up to 4 KB is supported for the Websense filtering server, and up to 1159 bytes for the N2H2 filtering server.
Use the longurl-truncate and cgi-truncate options to allow handling of URL requests longer than the maximum permitted size.
If a URL is longer than the maximum, and you do not enable the longurl-truncate or longurl-deny options, the security appliance drops the packet.
The longurl-truncate option causes the security appliance to send only the hostname or IP address portion of the URL for evaluation to the filtering server when the URL is longer than the maximum length permitted. Use the longurl-deny option to deny outbound URL traffic if the URL is longer than the maximum permitted.
Use the cgi-truncate option to truncate CGI URLs to include only the CGI script location and the script name without any parameters. Many long HTTP requests are CGI requests. If the parameters list is very long, waiting and sending the complete CGI request including the parameter list can use up memory resources and affect security appliance performance.
Buffering HTTP Responses
By default, when a user issues a request to connect to a specific website, the security appliance sends the request to the web server and to the filtering server at the same time. If the filtering server does not respond before the web content server, the response from the web server is dropped. This delays the web server response from the point of view of the web client.
By enabling the HTTP response buffer, replies from web content servers are buffered and the responses will be forwarded to the requesting user if the filtering server allows the connection. This prevents the delay that may otherwise occur.
To enable the HTTP response buffer, enter the following command:
url-block block block-buffer-limitReplace block-buffer-limit with the maximum number of blocks that will be buffered. The permitted values are from 0 to 128, which specifies the number of 1550-byte blocks that can be buffered at one time.
Examples
The following example filters all outbound HTTP connections except those from the 10.0.2.54 host:
hostname(config)# url-server (perimeter) host 10.0.1.1hostname(config)# filter url 80 0 0 0 0hostname(config)# filter url except 10.0.2.54 255.255.255.255 0 0The following example blocks all outbound HTTP connections destined to a proxy server that listens on port 8080:
hostname(config)# filter url 8080 0 0 0 0 proxy-blockRelated Commands
fips enable
To enable or disable policy-checking to enforce FIPS compliance on the system or module, use the fips enable command, or [no] fips enable command.
fips enable
[no] fips enable
Syntax Description
Defaults
This command has no default settings.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
—
—
•
—
—
Command History
Usage Guidelines
To run in a FIPS-compliant mode of operation, you must apply both the fips enable command and the proper configuration specified in the Security Policy. The internal API allows the device to migrate towards enforcing proper configuration at run-time.
When "fips enable" is present in the startup-configuration, FIPS POST will run and print the following console message:
Copyright (c) 1996-2005 by Cisco Systems, Inc.Restricted Rights LegendUse, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013.Cisco Systems, Inc.170 West Tasman DriveSan Jose, California 95134-1706....Cryptochecksum (unchanged): 6c6d2f77 ef13898e 682c9f94 9c2d5ba9INFO: FIPS Power-On Self-Test in process. Estimated completion in 90 seconds.......................................................INFO: FIPS Power-On Self-Test complete.Type help or '?' for a list of available commands.sw8-5520>Examples
sw8-ASA(config)# fips enableRelated Commands
fips self-test poweron
To execute power-on self-tests, use the fips self-test powereon command.
fips self-test poweron
Syntax Description
Defaults
This command has no default settings.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
—
—
Command History
Usage Guidelines
Executing this command causes the device to run all self-tests required for FIPS 140-2 compliance. Tests are compreised of: cryptographic algorithm test, software integrity test and critical functions test.
Examples
sw8-5520(config)# fips self-test poweronRelated Commands
firewall transparent
To set the firewall mode to transparent mode, use the firewall transparent command in global configuration mode. To restore routed mode, use the no form of this command. A transparent firewall is a Layer 2 firewall that acts like a "bump in the wire," or a "stealth firewall," and is not seen as a router hop to connected devices.
firewall transparent
no firewall transparent
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
For multiple context mode, you can use only one firewall mode for all contexts. You must set the mode in the system configuration. This command also appears in each context configuration for informational purposes only; you cannot enter this command in a context.
When you change modes, the security appliance clears the configuration because many commands are not supported for both modes. If you already have a populated configuration, be sure to back up your configuration before changing the mode; you can use this backup for reference when creating your new configuration.
If you download a text configuration to the security appliance that changes the mode with the firewall transparent command, be sure to put the command at the top of the configuration; the security appliance changes the mode as soon as it reads the command and then continues reading the configuration you downloaded. If the command is later in the configuration, the security appliance clears all the preceding lines in the configuration.
Examples
The following example changes the firewall mode to transparent:
hostname(config)# firewall transparentRelated Commands
format
To erase all files and format the file system, use the format command in privileged EXEC mode. This command erases all files on the file system, including hidden system files, and reinstalls the file system.
format {disk0: | disk1: | flash:}
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
The format command erases all data on the specified file system and then rewrites the FAT information to the device.
Caution
To delete all visible files (excluding hidden system files), enter the delete /recursive command, instead of the format command.
Note
To repair a corrupt file system, try entering the fsck command before entering the format command.Examples
This example shows how to format the Flash memory:
hostname# format flash:Related Commands
delete
Removes all user-visible files.
erase
Deletes all files and formats the Flash memory.
fsck
Repairs a corrupt file system.
fqdn
To include the indicated FQDN in the Subject Alternative Name extension of the certificate during enrollment, use the fqdn command in crypto ca trustpoint configuration mode. To restore the default setting of the fqdn, use the no form of the command.
fqdn fqdn
no fqdn
Syntax Description
Defaults
The default setting is not to include the FQDN.
Command Modes
The following table shows the modes in which you can enter the
Crypto ca trustpoint configuration
•
•
•
•
•
command:
Command History
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint central, and includes the FQDN engineering in the enrollment request for trustpoint central:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# fqdn engineeringhostname(ca-trustpoint)#Related Commands
fragment
To provide additional management of packet fragmentation and improve compatibility with NFS, use the fragment command in global configuration mode.
fragment {size | chain | reassembly full | timeout limit} [interface]
no fragment {size | chain | reassembly full | timeout limit} interface
Syntax Description
Defaults
The defaults are as follows:
•
•
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
By default, the security appliance accepts up to 24 fragments to reconstruct a full IP packet. Based on your network security policy, you should consider configuring the security appliance to prevent fragmented packets from traversing the security appliance by entering the fragment chain 1 interface command on each interface. Setting the limit to 1 means that all packets must be whole; that is, unfragmented.
If a large percentage of the network traffic through the security appliance is NFS, additional tuning might be necessary to avoid database overflow.
In an environment where the MTU size is small between the NFS server and client, such as a WAN interface, the chain keyword might require additional tuning. In this case, we recommend using NFS over TCP to improve efficiency.
Setting the size limit to a large value can make the security appliance more vulnerable to a DoS attack by fragment flooding. Do not set the size limit equal to or greater than the total number of blocks in the 1550 or 16384 pool.
The default values will limit DoS attacks caused by fragment flooding.
If reassembly full is enabled, fragments in the completed fragment set are merged into one packet. The fragments are then released.
Examples
This example shows how to prevent fragmented packets on the outside and inside interfaces:
hostname(config)# fragment chain 1 outsidehostname(config)# fragment chain 1 insideContinue entering the fragment chain 1 interface command for each additional interface on which you want to prevent fragmented packets.
This example shows how to configure the fragment database on the outside interface to a maximum size of 2000, a maximum chain length of 45, and a wait time of 10 seconds:
hostname(config)# fragment size 2000 outsidehostname(config)# fragment chain 45 outsidehostname(config)# fragment timeout 10 outsideRelated Commands
ftp-map
To identify a specific map for defining the parameters for strict FTP inspection, use the ftp-map command in global configuration mode. To remove the map, use the no form of this command.
ftp-map map_name
no ftp-map map_name
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the ftp-map command to identify a specific map to use for defining the parameters for strict FTP inspection. When you enter this command, the system enters the FTP map configuration mode, which lets you enter the different commands used for defining the specific map. Use the request-command deny command to prevent the FTP client from sending specific commands to the FTP server.
After defining the FTP map, use the inspect ftp strict command to enable the map. Then use the class-map, policy-map, and service-policy commands to define a class of traffic, to apply the inspect command to the class, and to apply the policy to one or more interfaces.
Examples
The following example shows how to identify FTP traffic, define an FTP map, define a policy, and apply the policy to the outside interface:
hostname(config)# class-map ftp-porthostname(config-cmap)# match port tcp eq 21hostname(config-cmap)# exithostname(config)# ftp-map inbound_ftphostname(config-ftp-map)# request-command deny put stou appehostname(config-ftp-map)# exithostname(config)# policy-map inbound_policyhostname(config-pmap)# class ftp-porthostname(config-pmap-c)# inspect ftp strict inbound_ftphostname(config-pmap-c)# exithostname(config-pmap)# exithostname(config)# service-policy inbound_policy interface outsideRelated Commands
ftp mode passive
To set the FTP mode to passive, use the ftp mode passive command in global configuration mode. To reset the FTP client to active mode, use the no form of this command.
ftp mode passive
no ftp mode passive
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
The ftp mode passive command sets the FTP mode to passive.The security appliance can use FTP to upload or download image files or configuration files to or from an FTP server. The ftp mode passive command controls how the FTP client on the security appliance interacts with the FTP server.
In passive FTP, the client initiates both the control connection and the data connection. Passive mode refers to the server state, in that the server is passively accepting both the control connection and the data connection, which are initiated by the client.
In passive mode, both destination and source ports are ephemeral ports (greater than 1023). The mode is set by the client, as the client issues the passive command to initiate the setup of the passive data connection. The server, which is the recipient of the data connection in passive mode, responds with the port number to which it is listening for the specific connection.
Examples
The following example sets the FTP mode to passive:
hostname(config)# ftp mode passiveRelated Commands
functions
To configure file access and file browsing, MAPI Proxy, HTTP Proxy, and URL entry over WebVPN for this user or group policy, use the functions command in webvpn mode, which you enter from group-policy or username mode. To remove a configured function, use the no form of this command.
To remove all configured functions, including a null value created by issuing the functions none command, use the no form of this command without arguments. The no option allows inheritance of a value from another group policy. To prevent inheriting function values, use the functions none command.
functions {file-access | file-browsing | file-entry | filter | http-proxy | url-entry | mapi | port-forward | none}
no functions [file-access | file-browsing | file-entry | filter | url-entry | mapi | port-forward]
Syntax Description
Defaults
Functions are disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn mode
•
—
•
—
—
Command History
Examples
The following example shows how to configure file access, file browsing, and MAPI Proxy for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# webvpnhostname(config-group-webvpn)# functions file-access file-browsing MAPIRelated Commands
