-
Cisco Security Appliance Command Reference, Version 8.0
-
About This Guide
-
Using the Command Line Interface
- A through B Commands
- C Commands
- D through F Commands
- G through I Commands
- J through L Commands
- M through O Commands
- P though R Commands
-
S Commands
-
same-security-traffic -- show asdm sessions
-
show asp drop -- show curpriv
-
show ddns -- show ipv6 traffic
-
show isakmp sa -- show route
-
show running-config -- show running-config isakmp
-
show running-config ldap -- show running-config webvpn auto-signon
-
show service-policy -- show xlate
-
shun -- sysopt radius ignore-secret
-
- T through Z Commands
-
Feedback
Table Of Contents
database path through debug xml Commands
ddns update (interface configuration)
ddns update method (global configuration mode)
debug crypto condition unmatched
database path through debug xml Commands
database path
To specify a path or location for the local CA server database, use the database command in CA server configuration mode. To reset the path to flash memory, the default setting, use the no form of this command.
[no] database path mount-name directory-path
Syntax Description
directory-path
Specifies the path to a directory on the mount point where the CA files are stored.
mount-name
Specifies the mount name.
Defaults
By default, the CA server database is stored in flash memory.
Command Modes
The following table shows the modes in which you can enter the command:
CA server configuration
•
—
•
—
—
Command History
Usage Guidelines
The local CA files stored in the database include the certificate database, user database files, temporary PKCS12 files, and the current CRL file. The mount-name is the same as the name argument for the mount command used to specify a file system for the security appliance.
Note
Examples
The following example defines the mount point for the CA database as cifs_share. It also defines the database files directory on the mount point as ca_dir/files_dir.
hostname(config)# crypto ca serverhostname(config-ca-server)# database path cifs_share ca_dir/files_dir/hostname(config-ca-server)#Related Commands
ddns (DDNS-update-method)
To specify a DDNS update method type, use the ddns command in DDNS-update-method mode. To remove an update method type from the running configuration, use the no form of this command.
ddns [both]
no ddns [both]
Syntax Description
Defaults
Update only A RRs.
Command Modes
The following table shows the modes in which you can enter the command:
DDNS-update-method
•
—
•
•
—
Command History
Usage Guidelines
Dynamic DNS (DDNS) updates the name to address and address to name mappings maintained by DNS. Of the two methods for performing DDNS updates—the IETF standard defined by RFC 2136 and a generic HTTP method—the security appliance supports the IETF method in this release.
Name and address mappings are contained in two types of resource records (RR):
•
•
DDNS updates can be used to maintain consistent information between the A and PTR RR types.
When issued in DDNS-update-method configuration mode, the ddns command defines whether the update is just to A RR, or to both A RR and PTR RR.
Examples
The following example configures updating to both the A and PTR RRs for the DDNS update method named ddns-2:
hostname(config)# ddns update method ddns-2hostname(DDNS-update-method)# ddns bothRelated Commands
ddns update (interface configuration)
To associate a dynamic DNS (DDNS) update method with a security appliance interface or an update hostname, use the ddns update command in interface configuration mode. To remove the association between the DDNS update method and the interface or the hostname from the running configuration, use the no form of this command.
ddns update [method-name | hostname hostname]
no ddns update [method-name | hostname hostname]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
After defining a DDNS update method, you must associate it with a security appliance interface to trigger DDNS updates.
A hostname could be a Fully Qualified Domain Name (FQDN) or just a hostname. If just a hostname, the security appliance appends a domain name to the hostname to create a FQDN.
Examples
The following example associates the interface GigabitEthernet0/2 with the DDNS update method named ddns-2 and the hostname hostname1.example.com:
hostname(config)# interface GigabitEthernet0/2hostname(config-if)# ddns update ddns-2hostname(config-if)# ddns update hostname hostname1.example.comRelated Commands
ddns update method (global configuration mode)
To create a method for dynamically updating a DNS resource records (RRs), use the ddns update method command in global configuration mode. To remove a dynamic DNS (DDNS) update method from the running configuration, use the no form of this command.
ddns update method name
no ddns update method name
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
DDNS updates the name to address and address to name mappings maintained by DNS. The update method configured by the ddns update method command determines what and how often dynamic DNS updates are performed. Of the two methods for performing DDNS updates—the IETF standard defined by RFC 2136 and a generic HTTP method—the security appliance supports the IETF method in this release.
Name and address mappings are contained in two types of resource records (RR):
•
•
DDNS updates can be used to maintain consistent information between the A and PTR RR types.
Note
Examples
The following example configures the DDNS update method named ddns-2:
hostname(config)# ddns update method ddns-2Related Commands
debug aaa
To show debug messages for AAA, use the debug aaa command in privileged EXEC mode. To stop showing AAA messages, use the no form of this command.
debug aaa [ accounting | authentication | authorization | common | internal | vpn [ level ] ]
no debug aaa
Syntax Description
Defaults
The default level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
The debug aaa command displays detailed information about AAA activity. The no debug all or undebug all commands turn off all enabled debugs.
Examples
The following example enables debugging for AAA functions supported by the local database:
hostname(config)# debug aaa internaldebug aaa internal enabled at level 1hostname(config)# uap allocated. remote address: 10.42.15.172, Session_id: 2147483841uap freed for user . remote address: 10.42.15.172, session id: 2147483841Related Commands
debug appfw
To display detailed information about application inspection, use the debug appfw command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug appfw [chunk | event | eventverb | regex]
no debug appfw [chunk | event | eventverb | regex]
Syntax Description
Defaults
All options are enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
The debug appfw command displays detailed information about HTTP application inspection. The no debug all or undebug all commands turn off all enabled debug commands.
Examples
The following example enables the display of detailed information about application inspection:
hostname# debug appfwRelated Commands
http-map
Defines an HTTP map for configuring enhanced HTTP inspection.
inspect http
Applies a specific HTTP map to use for application inspection.
debug arp
To show debug messages for ARP, use the debug arp command in privileged EXEC mode. To stop showing debug messages for ARP, use the no form of this command.
debug arp
no debug arp
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for ARP:
hostname# debug arpRelated Commands
arp
Adds a static ARP entry.
show arp statistics
Shows ARP statistics.
show debug
Shows all enabled debuggers.
debug arp-inspection
To show debug messages for ARP inspection, use the debug arp-inspection command in privileged EXEC mode. To stop showing debug messages for ARP inspection, use the no form of this command.
debug arp-inspection
no debug arp-inspection
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
—
•
•
•
—
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for ARP inspection:
hostname# debug arp-inspectionRelated Commands
arp
Adds a static ARP entry.
arp-inspection
For transparent firewall mode, inspects ARP packets to prevent ARP spoofing.
show debug
Shows all enabled debuggers.
debug asdm history
To view debug information for ASDM, use the debug asdm history command in privileged EXEC mode.
debug asdm history level
Syntax Description
Defaults
The default level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
7.0(1)
This command was changed from the debug pdm history command to the debug asdm history command.
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables level 1 debugging of ASDM:
hostname# debug asdm historydebug asdm history enabled at level 1hostname#Related Commands
debug context
To show debug messages when you add or delete a security context, use the debug context command in privileged EXEC mode. To stop showing debug messages for contexts, use the no form of this command.
debug context [level]
no debug context [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
—
—
•
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for context management:
hostname# debug contextRelated Commands
debug cplane
To show debug messages about the control plane that connects internally to an SSM, use the debug cplane command in privileged EXEC mode. To stop showing debug messages for the control plane, use the no form of this command.
debug cplane [level]
no debug cplane [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for the control plane:
hostname# debug cplaneRelated Commands
debug crypto ca
To show debug messages for PKI activity (used with CAs), use the debug crypto ca command in privileged EXEC mode. To stop showing debug messages for PKI, use the no form of this command.
debug crypto ca [messages | transactions] [level]
no debug crypto ca [messages | transactions] [level]
Syntax Description
Defaults
By default, this command shows all debug messages. The default level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for PKI:
hostname# debug crypto caRelated Commands
debug crypto engine
Shows debug messages for the crypto engine.
debug crypto ipsec
Shows debug messages for IPSec.
debug crypto isakmp
Shows debug messages for ISAKMP.
debug crypto ca server
To set the local CA server debug message level and begin listing associated debug messages, use the debug crypto ca server command in ca server configuration mode. To stop listing all debug messages, use the no form of the command.
debug crypto ca server [level]
no debug crypto ca server [level]
Syntax Description
Defaults
The default debug level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
CA server configuration
•
—
•
—
—
Global configuration
•
—
•
—
—
Privileged EXEC
•
—
•
—
—
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks. Levels 5 and higher are reserved for raw data dumps and should be avoided during normal debugging because of excessive debug output.
Examples
The following example sets the debug level to 3:
hostname(config-ca-server)# debug crypto ca server 3hostname(config-ca-server)#The following example turns off all debugging:
hostname(config-ca-server)# no debug crypto ca serverhostname(config-ca-server)#Related Commands
debug crypto condition
To filter debugging messages for IPSec and ISAKMP based on the specified conditions, use the debug crypto condition command in privileged EXEC mode. To disable a single filtering condition without affecting other conditions, use the no form of this command.
debug crypto condition [[peer [address peer_addr] subnet subnet_mask]] | [user user_name] | [group group_name] | [spi spi] | [reset]
[no] debug crypto condition [[peer [address peer_addr] subnet subnet_mask]] | [user user_name] | [group group_name] | [spi spi] | [reset]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
The debug crypto condition command does not affect the display or logging of syslog messages. This feature is not stored in the configuration, and must be reset after each power cycle.
Examples
The following examples configure a filter for the network, 10.1.1.0 and for the peer, 10.2.2.2:
hostname# debug crypto condition peer address 10.1.1.0 subnet 255.255.255.0hostname# debug crypto condition peer address 10.2.2.2The following example configures a filter for the user, "example_user."
hostname# debug crypto condition user example_userThe following example clears the debugging filters.
hostname# debug crypto condition resetRelated Commands
debug crypto condition error
To show debugging messages for IPSec and ISAKMP whether or not they match any of the configured filters, use the debug crypto condition error command in privileged EXEC mode. To not show debugging messages for IPSec and ISAKMP whether or not they match any of the configured filters, use the no form of this command.
debug crypto condition error [[ipsec | isakmp]
[no] debug crypto condition error [ipsec | isakmp]
Syntax Description
ipsec
Specifies the IPSec debugging messaging system.
isakmp
Specifies the ISAKMP debugging messaging system.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
The debug crypto condition error command does not affect the display or logging of syslog messages. This feature is not stored in the configuration, and must be reset after each power cycle.
Examples
The following example configures IPSec messages to appear whether or not filtering conditions have been specified:
hostname# debug crypto condition error ipsecRelated Commands
debug crypto condition unmatched
To show debugging messages for IPSec and ISAKMP that do not include sufficient context information for filtering, use the debug crypto condition unmatched command in privileged EXEC mode. To filter debugging messages for IPSec and ISAKMP that do not include sufficient context information, use the no form of this command.
debug crypto condition unmatched [[ipsec | isakmp]
[no] debug crypto condition unmatched [ipsec | isakmp]
Syntax Description
ipsec
Specifies the IPSec debugging messaging system.
isakmp
Specifies the ISAKMP debugging messaging system.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
The debug crypto condition unmatched command does not affect the display or logging of syslog messages. This feature is not stored in the configuration, and must be reset after each power cycle.
Examples
The following example configures the filter to allow IPSec messages with insufficient context to appear:
hostname# debug crypto condition unmatched ipsecRelated Commands
debug crypto engine
To show debug messages for the crypto engine, use the debug crypto engine command in privileged EXEC mode. To stop showing debug messages for the crypto engine, use the no form of this command.
debug crypto engine [level]
no debug crypto engine [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for the crypto engine:
hostname# debug crypto engineRelated Commands
debug crypto ca
Shows debug messages for the CA.
debug crypto ipsec
Shows debug messages for IPSec.
debug crypto isakmp
Shows debug messages for ISAKMP.
debug crypto ipsec
To show debug messages for IPSec, use the debug crypto ipsec command in privileged EXEC mode. To stop showing debug messages for IPSec, use the no form of this command.
debug crypto ipsec [level]
no debug crypto ipsec [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
—
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for IPSec:
hostname# debug crypto ipsecRelated Commands
debug crypto ca
Shows debug messages for the CA.
debug crypto engine
Shows debug messages for the crypto engine.
debug crypto isakmp
Shows debug messages for ISAKMP.
debug crypto isakmp
To show debug messages for ISAKMP, use the debug crypto isakmp command in privileged EXEC mode. To stop showing debug messages for ISAKMP, use the no form of this command.
debug crypto isakmp [timers] [level]
no debug crypto isakmp [timers] [level]
Syntax Description
Defaults
The default level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
—
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for ISAKMP:
hostname# debug crypto isakmpRelated Commands
debug crypto ca
Shows debug messages for the CA.
debug crypto engine
Shows debug messages for the crypto engine.
debug crypto ipsec
Shows debug messages for IPSec.
debug ctiqbe
To show debug messages for CTIQBE application inspection, use the debug ctiqbe command in privileged EXEC mode. To stop showing debug messages for CTIQBE application inspection, use the no form of this command.
debug ctiqbe [level]
no debug ctiqbe [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.
Note
Examples
The following example enables debug messages at the default level (1) for CTIQBE application inspection:
hostname# debug ctiqbeRelated Commands
debug ctl-provider
To show debug messages for Certificate Trust List providers, use the debug ctl-provider command in privileged EXEC mode. To stop showing debug messages, use the no form of this command.
debug ctl-provider [errors | events | parser]
no debug ctl-provider [errors | events | parser]
Syntax Description
errors
Specifies CTL provider error debugging.
events
Specifies CTL provider event debugging.
parser
Specifies CTL provider parser debugging.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for CTL provider:
hostname# debug ctl-providerRelated Commands
debug dap
To enable logging of Dynamic Access Policy events, use the debug dap command in privileged EXEC mode. To disable the logging of DAP debug messages, use the no form of this command.
debug dap {errors | trace}
no debug dap [errors | trace]
Syntax Description
Defaults
No default value or behaviors.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
—
Command History
Usage Guidelines
The high priority assigned to debugging output can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example shows how to enable DAP trace debugging:
hostname # debug dap tracehostname #Related Commands
debug ddns
To show debug messages for DDNS, use the debug ddns command in privileged EXEC mode. To disable debug messages, use the no form of this command.
debug ddns
no debug ddns
Syntax Description
This command has no arguments or keywords.
Defaults
The default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
•
—
Command History
Usage Guidelines
The debug ddns command displays detailed information about DDNS. The undebug ddns turns off DDNS debugging information as does the no debug ddns command.
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example shows an example of enabling DDNS debug messages:
hostname# debug ddnsdebug ddns enabled at level 1Related Commands
debug dhcpc
To enable debugging of the DHCP client, use the debug dhcpc command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug dhcpc {detail | packet | error} [level]
no debug dhcpc {detail | packet | error} [level]
Syntax Description
Defaults
The default debug level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
•
—
Command History
Usage Guidelines
Displays DHCP client debug information.
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example shows how to enable debugging for the DHCP client:
hostname# debug dhcpc detail 5debug dhcpc detail enabled at level 5Related Commands
debug dhcpd
To enable debugging of the DHCP server, use the debug dhcpd command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug dhcpd {event | packet} [level]
no debug dhcpd {event | packet} [level]
Syntax Description
Defaults
The default debug level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
The debug dhcpd event command displays event information about the DHCP server. The debug dhcpd packet command displays packet information about the DHCP server.
Use the no form of the debug dhcpd commands to disable debugging.
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example shows an example of enabling DHCP event debugging:
hostname# debug dhcpd eventdebug dhcpd event enabled at level 1Related Commands
show dhcpd
Displays DHCP binding, statistic, or state information.
show running-config dhcpd
Displays the current DHCP server configuration.
debug dhcpd ddns
To enable debugging of the DHCP DDNS, use the debug dhcpd ddns command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug dhcpd ddns [level]
no debug dhcpd ddns [level]
Syntax Description
Defaults
The default debug level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
•
—
Command History
Usage Guidelines
The debug dhcpd ddns command displays detailed information about DHCP and DDNS. The undebug dhcpd ddns command turns off DHCP and DDNS debugging information as does the no debug dhcpd ddns command.
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example shows DHCP DDNS debugging being enabled:
hostname# debug dhcpd ddnsdebug dhcpd ddns enabled at level 1Related Commands
debug dhcprelay
To enable debugging of the DHCP relay server, use the debug dhcpreleay command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug dhcprelay {event | packet | error} [level]
no debug dhcprelay {event | packet | error} [level]
Syntax Description
Defaults
The default debug level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
•
—
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example shows how to enable debugging for DHCP relay agent error messages:
hostname# debug dhcprelay errordebug dhcprelay error enabled at level 1Related Commands
debug disk
To display file system debug information, use the debug disk command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.
debug disk {file | file-verbose | filesystem} [level]
no debug disk {file | file-verbose | filesystem}
Syntax Description
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables file-level disk debug messages. The show debug command reveals that file-level disk debug messages are enabled. The dir command causes several debug messages.
hostname# debug disk filedebug disk file enabled at level 1hostname# show debugdebug vpn-sessiondb enabled at level 1hostname# dirIFS: Opening: file flash:/, flags 1, mode 0IFS: Opened: file flash:/ as fd 3IFS: Getdent: fd 3IFS: Getdent: fd 3IFS: Getdent: fd 3IFS: Getdent: fd 3Directory of flash:/IFS: Close: fd 3IFS: Opening: file flash:/, flags 1, mode 04 -rw- 5124096 14:42:27 Apr 04 2005 cdisk.binIFS: Opened: file flash:/ as fd 39 -rw- 5919340 14:53:39 Apr 04 2005 ASDMIFS: Getdent: fd 311 drw- 0 15:18:56 Apr 21 2005 syslogIFS: Getdent: fd 3IFS: Getdent: fd 3IFS: Getdent: fd 3IFS: Close: fd 316128000 bytes total (5047296 bytes free)Related Commands
debug dns
To show debug messages for DNS, use the debug dns command in privileged EXEC mode. To stop showing debug messages for DNS, use the no form of this command.
debug dns [resolver | all] [level]
no debug dns [resolver | all] [level]
Syntax Description
Defaults
The default level is 1. If you do not specify any keywords, the security appliance shows all mesages.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for DNS:
hostname# debug dnsRelated Commands
debug eap
To enable logging of EAP events to debug NAC messaging, use the debug eap command in privileged EXEC mode. To disable the logging of EAP debug messages, use the no form of this command.
debug eap {all | errors | events | packets | sm}
no debug eap [all | errors | events | packets | sm]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
When you use this command, the security appliance records EAP session state changes and EAP status query events, and generates a complete record of EAP and packet contents in hexadecimal format.
The high priority assigned to debugging output can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables the logging of all EAP session events:
hostname# debug eap eventshostname#The following example enables the logging of all EAP debug messages:
hostname# debug eap allhostname#The following example disables the logging of all EAP debug messages:
hostname# no debug eaphostname#Related Commands
debug eigrp fsm
To display debug information the DUAL finite state machine, use the debug eigrp fsm command in privileged EXEC mode. To disable the debug information display, use the no form of this command.
debug eigrp fsm
no debug eigrp fsm
Syntax Description
This command has no arguments or keywords.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
—
—
Command History
Usage Guidelines
This command lets you observe EIGRP feasible successor activity and to determine whether route updates are being installed and deleted by the routing process.
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following is sample output from the debug eigrp fsm command:
hostname# debug eigrp fsmDUAL: dual_rcvupdate(): 172.25.166.0 255.255.255.0 via 0.0.0.0 metric 750080/0DUAL: Find FS for dest 172.25.166.0 255.255.255.0. FD is 4294967295, RD is 4294967295 foundDUAL: RT installed 172.25.166.0 255.255.255.0 via 0.0.0.0DUAL: dual_rcvupdate(): 192.168.4.0 255.255.255.0 via 0.0.0.0 metric 4294967295/4294967295DUAL: Find FS for dest 192.168.4.0 255.255.255.0. FD is 2249216, RD is 2249216DUAL: 0.0.0.0 metric 4294967295/4294967295not found Dmin is 4294967295DUAL: Dest 192.168.4.0 255.255.255.0 not entering active state.DUAL: Removing dest 192.168.4.0 255.255.255.0, nexthop 0.0.0.0DUAL: No routes. Flushing dest 192.168.4.0 255.255.255.0In the fist line, DUAL stands for diffusing update algorithm. It is the basic mechanism within EIGRP that makes the routing decisions. The next three fields are the Internet address and mask of the destination network and the address through which the update was received. The metric field shows the metric stored in the routing table and the metric advertised by the neighbor sending the information. If shown, the term "Metric... inaccessible" usually means that the neighbor router no longer has a route to the destination, or the destination is in a hold-down state.
In the following output, EIGRP is attempting to find a feasible successor for the destination. Feasible successors are part of the DUAL loop avoidance methods. The FD field contains more loop avoidance state information. The RD field is the reported distance, which is the metric used in update, query, or reply packets.
The indented line with the "not found" message means a feasible successor was not found for 192.168.4.0 and EIGRP must start a diffusing computation. This means it begins to actively probe (sends query packets about destination 192.168.4.0) the network looking for alternate paths to 192.164.4.0.
DUAL: Find FS for dest 192.168.4.0 255.255.255.0. FD is 2249216, RD is 2249216DUAL: 0.0.0.0 metric 4294967295/4294967295not found Dmin is 4294967295The following output indicates the route DUAL successfully installed into the routing table:
DUAL: RT installed 172.25.166.0 255.255.255.0 via 0.0.0.0The following output shows that no routes to the destination were discovered and that the route information is being removed from the topology table:
DUAL: Dest 192.168.4.0 255.255.255.0 not entering active state.DUAL: Removing dest 192.168.4.0 255.255.255.0, nexthop 0.0.0.0DUAL: No routes. Flushing dest 192.168.4.0 255.255.255.0Related Commands
debug eigrp neighbors
To display debug information for neighbors discovered by EIGRP, use the debug eigrp neighbors command in privileged EXEC mode. To disable the debug information display, use the no form of this command.
debug eigrp neighbors [siatimer | static]
no debug eigrp neighbors [siatimer | static]
Syntax Description
siatimer
(Optional) Displays EIGRP stuck in active messages.
static
(Optional) Displays EIGRP static neighbor messages.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
—
—
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following is sample output from the debug eigrp neighbors static command. The example shows a static neighbor being added, and then removed, and the corresponding debug messages.
hostname# debug eigrp neighbors staticEIGRP Static Neighbors debugging is onhostname# configure terminalhostname(config) router eigrp 100hostname(config-router)# neighbor 10.86.194.3 interface outsidehostname(config-router)#EIGRP: Multicast Hello is disabled on Ethernet0/0!EIGRP: Add new static nbr 10.86.194.3 to AS 100 Ethernet0/0hostname(config-router)# no neighbor 10.86.194.3 interface outsidehostname(config-router)#EIGRP: Static nbr 10.86.194.3 not in AS 100 Ethernet0/0 dynamic listEIGRP: Delete static nbr 10.86.194.3 from AS 100 Ethernet0/0EIGRP: Multicast Hello is enabled on Ethernet0/0!hostname(config-router)# no debug eigrp neighbors staticEIGRP Static Neighbors debugging is offRelated Commands
neighbor
Defines an EIGRP neighbor.
show eigrp neighbors
Displays the EIGRP neighbor table.
debug eigrp packets
To display debug information for EIGRP packets, use the debug eigrp packets command in privileged EXEC mode. To disable the debug information display, use the no form of this command.
debug eigrp packets [SIAquery | SIAreply | ack | hello | probe | query | reply | request | retry | stub | terse | update | verbose]
no debug eigrp packets [SIAquery | SIAreply | ack | hello | probe | query | reply | request | retry | stub | terse | update | verbose]
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
—
—
Command History
Usage Guidelines
You can specify more than one packet type in a single command, for example:
debug eigrp packets query replyBecause debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following is sample output from the debug eigrp packets command:
hostname# debug eigrp packetsEIGRP: Sending HELLO on Ethernet0/1AS 109, Flags 0x0, Seq 0, Ack 0EIGRP: Sending HELLO on Ethernet0/1AS 109, Flags 0x0, Seq 0, Ack 0EIGRP: Sending HELLO on Ethernet0/1AS 109, Flags 0x0, Seq 0, Ack 0EIGRP: Received UPDATE on Ethernet0/1 from 192.195.78.24,AS 109, Flags 0x1, Seq 1, Ack 0EIGRP: Sending HELLO/ACK on Ethernet0/1 to 192.195.78.24,AS 109, Flags 0x0, Seq 0, Ack 1EIGRP: Sending HELLO/ACK on Ethernet0/1 to 192.195.78.24,AS 109, Flags 0x0, Seq 0, Ack 1EIGRP: Received UPDATE on Ethernet0/1 from 192.195.78.24,AS 109, Flags 0x0, Seq 2, Ack 0The output shows transmission and receipt of EIGRP packets. The sequence and acknowledgment numbers used by the EIGRP reliable transport algorithm are shown in the output. Where applicable, the network-layer address of the neighboring router is also included.
Related Commands
debug eigrp transmit
To display transmittal messages sent by EIGRP, use the debug eigrp transmit command in privileged EXEC mode. To disable the debug information display, use the no form of this command.
debug eigrp transmit [ack] [build] [detail] [link] [packetize] [peerdown] [sia] [startup] [strange]
no debug eigrp transmit [ack] [build] [detail] [link] [packetize] [peerdown] [sia] [startup] [strange]
Syntax Description
Defaults
If at least one transmittal event is not specified, all transmittal events are shown in the debug output.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
—
—
Command History
Usage Guidelines
You can specify more than one transmittal event in a single command, For example:
hostname# debug eigrp ack build linkBecause debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following is sample output from the debug eigrp transmit command. The example shows a network command being entered and the transmittal event debug message that is generated.
hostname# debug eigrp transmitEIGRP Transmission Events debugging is on(ACK, PACKETIZE, STARTUP, PEERDOWN, LINK, BUILD, STRANGE, SIA, DETAIL)hostname# configure terminalhostname(config)# router eigrp 100hostname(config-router)# network 10.86.194.0 255.255.255.0DNDB UPDATE 10.86.194.0 255.255.255.0, serno 0 to 1, refcount 0hostname(config-router)# no debug eigrp transmitEIGRP Transmission Events debugging is offRelated Commands
debug eigrp user-interface
To display debug information for EIGRP user events, use the debug eigrp user-interface command in privileged EXEC mode. To disable the debug information display, use the no form of this command.
debug eigrp user-interface
no debug eigrp user-interface
Syntax Description
This command has no arguments or keywords.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
—
—
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following is sample output from the debug eigrp user-interface command. The output is caused by an administrator removing a passive-interface command from an EIGRP configuration.
hostname# debug eigrp user-interfaceEIGRP UI Events debugging is onhostname# configure terminalhostname(config) router eigrp 100hostname(config-router)# no passive-interface insideCSB2AF: FOUND (AS=100, Name=, VRF=0, AFI=ipv4)hostname(config-router)# no debug eigrp user-interfaceEIGRP UI Events debugging is offRelated Commands
router eigrp
Enables an EIGRP routing process and enters router configuration mode.
show running-config eigrp
Displays the EIGRP commands in the running configuration.
debug entity
To display MIB debug information, use the debug entity command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.
debug entity [level]
no debug entity
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables MIB debug messages. The show debug command reveals that MIB debug messages are enabled.
hostname# debug entitydebug entity enabled at level 1hostname# show debugdebug entity enabled at level 1hostname#Related Commands
debug eou
To enable logging of EAPoUDP events to debug NAC messaging, use the debug eou command in privileged EXEC mode. To disable the logging of EAPoUDP debug messages, use the no form of this command.
debug eou {all | eap | errors | events | packets | sm}
no debug eou [all | eap | errors | events | packets | sm]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
When you use this command, the security appliance records EAPoUDP session state changes and timer events, and generates a complete record of EAPoUDP header and packet contents in hexadecimal format.
The high priority assigned to debugging output can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables the logging of all EAPoUDP session events:
hostname# debug eou eventshostname#The following example enables the logging of all EAPoUDP debug messages:
hostname# debug eou allhostname#The following example disables the logging of all EAPoUDP debug messages:
hostname# no debug eouhostname#Related Commands
debug esmtp
To show debug messages for SMTP/ESMTP application inspection, use the debug esmtp command in privileged EXEC mode. To stop showing debug messages for SMTP/ESMTP application inspection, use the no form of this command.
debug esmtp [level]
no debug esmtp [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.
Note
Examples
The following example enables debug messages at the default level (1) for SMTP/ESMTP application inspection:
hostname# debug esmtpRelated Commands
debug fixup
To display detailed information about application inspection, use the debug fixup command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug fixup
no debug fixup
Defaults
All options are enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
The debug fixup command displays detailed information about application inspection. The no debug all or undebug all commands turn off all enabled debug commands.
Examples
The following example enables the display of detailed information about application inspection:
hostname# debug fixupRelated Commands
debug fover
To display failover debug information, use the debug fover command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.
debug fover {cable | cmd-exec | fail | fmsg | ifc | open | rx | rxdmp | rxip | switch | sync | tx | txdmp | txip | verify}
no debug fover {cable | fail | fmsg | ifc | open | rx | rxdmp | rxip | switch | sync | tx | txdmp | txip | verify}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following is sample output from the debug fover cmd-exec command. After debugging is enabled, a failover exec command is entered. The results of the failover exec command is shown after the debug output.
hostname(config)# debug fover cmd-execfover event trace onhostname(config)# failover exec mate show running-config failoverci/console: Sending cmd: show runn failovero to peer for execution, seq = 4ci/console: frep_execv_cmd: replicating exec cmd: show runn failover...fover_parse: Fover rexec response: seq=4, size=228, data="fail..."ci/console: Fover rexec waiting at clock tick 2670960fover_parse: Fover rexec ack: seq = 4, ret_val = 0ci/console: Fover rexec conteinuer at clock tick: 2671040ci/console: Fover exec succeeded, seq = 5failoverfailover lan interface failover GigabitEthernet0/3failover polltime unit 1 holdtime 3failover key *****failover link failover GigabitEthernet0/3failover interface ip failover 10.0.5.1 255.255.255.0 standby 10.0.5.2ciscoasa(config)#Related Commands
show failover
Displays information about the failover configuration and operational statistics.
debug fsm
To display FSM debug information, use the debug fsm command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.
debug fsm [level]
no debug fsm
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables FSM debug messages. The show debug command reveals that FSM debug messages are enabled.
hostname# debug fsmdebug fsm enabled at level 1hostname# show debugdebug fsm enabled at level 1hostname#Related Commands
debug ftp client
To show debug messages for FTP, use the debug ftp client command in privileged EXEC mode. To stop showing debug messages for FTP, use the no form of this command.
debug ftp client [level]
no debug ftp client [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.
Note
Examples
The following example enables debug messages at the default level (1) for FTP:
hostname# debug ftp clientRelated Commands
debug generic
To display miscellaneous debug information, use the debug generic command in privileged EXEC mode. To disable the display of miscellaneous debug information, use the no form of this command.
debug generic [level]
no debug generic
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables miscellaneous debug messages. The show debug command reveals that miscellaneous debug messages are enabled.
hostname# debug genericdebug generic enabled at level 1hostname# show debugdebug generic enabled at level 1hostname#Related Commands
debug gtp
To display detailed information about GTP inspection, use the debug gtp command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug gtp {error | event | ha | parser}
no debug gtp {error | event | ha | parser}
Syntax Description
Defaults
All options are enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
The debug gtp command displays detailed information about GTP inspection. The no debug all or undebug all commands turn off all enabled debug commands.
Note
Examples
The following example enables the display of detailed information about GTP inspection:
hostname# debug gtpRelated Commands
debug h323
To show debug messages for H.323, use the debug h323 command in privileged EXEC mode. To stop showing debug messages for H.323, use the no form of this command.
debug h323 {h225 | h245 | ras} [asn | event]
no debug h323 {h225 | h245 | ras} [asn | event]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.
Note
Examples
The following example enables debug messages at the default level (1) for H.225 signaling:
hostname# debug h323 h225Related Commands
debug http
To display detailed information about HTTP traffic, use the debug http command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug http [ level ]
no debug http [ level ]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The defafult for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
The debug http command displays detailed information about HTTP traffic. The no debug all or undebug all commands turn off all enabled debug commands.
Examples
The following example enables the display of detailed information about HTTP traffic:
hostname# debug httpRelated Commands
debug http-map
To show debug messages for HTTP application inspection maps, use the debug http-map command in privileged EXEC mode. To stop showing debug messages for HTTP application inspection, use the no form of this command.
debug http-map
no debug http-map
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.
Note
Examples
The following example enables debug messages at the default level (1) for HTTP application inspection:
hostname# debug http-mapRelated Commands
debug icmp
To display detailed information about ICMP inspection, use the debug icmp command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug icmp trace [ level ]
no debug icmp trace [ level ]
Syntax Description
Defaults
All options are enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
The debug icmp command displays detailed information about ICMP inspection. The no debug all or undebug all commands turn off all enabled debugs.
Examples
The following example enables the display of detailed information about ICMP inspection:
hostname# debug icmpRelated Commands
debug igmp
To display IGMP debug information, use the debug igmp command in privileged EXEC mode. To stop the display of debug information, use the no form of this command.
debug igmp [group group_id | interface if_name]
no debug igmp [group group_id | interface if_name]
Syntax Description
group group_id
Displays IGMP debug information for the specified group.
interface if_name
Display IGMP debug information for the specified interface.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
—
—
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following is sample output from the debug igmp command:
hostname#debug igmpIGMP debugging is onIGMP: Received v2 Query on outside from 192.168.3.2IGMP: Send v2 general Query on dmzIGMP: Received v2 Query on dmz from 192.168.4.1IGMP: Send v2 general Query on outsideIGMP: Received v2 Query on outside from 192.168.3.1IGMP: Send v2 general Query on insideIGMP: Received v2 Query on inside from 192.168.1.1IGMP: Received v2 Report on inside from 192.168.1.6 for 224.1.1.1IGMP: Updating EXCLUDE group timer for 224.1.1.1Related Commands
debug ils
To show debug messages for ILS, use the debug ils command in privileged EXEC mode. To stop showing debug messages for ILS, use the no form of this command.
debug ils [level]
no debug ils [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.
Note
Examples
The following example enables debug messages at the default level (1) for ILS application inspection:
hostname# debug ilsRelated Commands
Related Commands
debug imagemgr
To display Image Manager debug information, use the debug imagemgr command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.
debug imagemgr [level]
no debug imagemgr
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables Image Manager debug messages. The show debug command reveals that Image Manager debug messages are enabled.
hostname# debug imagemgrdebug imagemgr enabled at level 1hostname# show debugdebug imagemgr enabled at level 1hostname#Related Commands
debug inspect tls-proxy
To show debug messages for TLS proxy inspection, use the debug inspect tls-proxy command in privileged EXEC mode. To stop showing debug messages, use the no form of this command.
debug inspect tls-proxy [all | errors | events | packets]
no debug inspect tls-proxy [all | errors | events | packets]
Syntax Description
all
Specifies all TLS proxy debugging.
errors
Specifies TLS proxy error debugging.
events
Specifies TLS proxy event debugging.
packets
Specifies TLS proxy packet debugging.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for TLS proxy:
hostname# debug inspect tls-proxyRelated Commands
debug ip eigrp
To display debug information EIGRP protocol packets, use the debug ip eigrp command in privileged EXEC mode. To disable the debug information display, use the no form of this command.
debug ip eigrp [as-number] [ip-addr mask | neighbor nbr-addr | notifications | summary]
no debug ip eigrp [as-number] [ip-addr mask | neighbor nbr-addr | notifications | summary]
Syntax Description
Defaults
If no keywords or arguments are specified, only debug messages from the IPv4 ASDM are displayed.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
—
—
Command History
Usage Guidelines
This command helps you analyze the packets that are sent and received on an interface.
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following is sample output from the debug ip eigrp command:
hostname# debug ip eigrpIP-EIGRP Route Events debugging is onEIGRP-IPv4(Default-IP-Routing-Table:1): Processing incoming UPDATE packetEIGRP-IPv4(Default-IP-Routing-Table:1): Ext 192.168.3.0 255.255.255.0 M 386560 - 256000 130560 SM 360960 - 256000 104960EIGRP-IPv4(Default-IP-Routing-Table:1): Ext 192.168.0.0 255.255.255.0 M 386560 - 256000 130560 SM 360960 - 256000 104960EIGRP-IPv4(Default-IP-Routing-Table:1): Ext 192.168.3.0 255.255.255.0 M 386560 - 256000 130560 SM 360960 - 256000 104960EIGRP-IPv4(Default-IP-Routing-Table:1): 172.69.43.0 255.255.255.0, - do advertise out Ethernet0/1EIGRP-IPv4(Default-IP-Routing-Table:1): Ext 172.69.43.0 255.255.255.0 metric 371200 - 256000 115200EIGRP-IPv4(Default-IP-Routing-Table:1): 192.135.246.0 255.255.255.0, - do advertise out Ethernet0/1EIGRP-IPv4(Default-IP-Routing-Table:1): Ext 192.135.246.0 255.255.255.0 metric 46310656 - 45714176 596480EIGRP-IPv4(Default-IP-Routing-Table:1): 172.69.40.0 255.255.255.0, - do advertise out Ethernet0/1EIGRP-IPv4(Default-IP-Routing-Table:1): Ext 172.69.40.0 255.255.255.0 metric 2272256 - 1657856 614400EIGRP-IPv4(Default-IP-Routing-Table:1): 192.135.245.0 255.255.255.0, - do advertise out Ethernet0/1EIGRP-IPv4(Default-IP-Routing-Table:1): Ext 192.135.245.0 255.255.255.0 metric 40622080 - 40000000 622080EIGRP-IPv4(Default-IP-Routing-Table:1): 192.135.244.0 255.255.255.0, - do advertise out Ethernet0/1Table 10-1describes the significant fields shown in the display.
Related Commands
debug ipsec-over-tcp
To display IPSec-over-TCP debug information, use the debug ipsec-over-tcp command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.
debug ipsec-over-tcp [level]
no debug ipsec-over-tcp
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables IPSec-over-TCP debug messages. The show debug command reveals that IPSec-over-TCP debug messages are enabled.
hostname# debug ipsec-over-tcpdebug ipsec-over-tcp enabled at level 1hostname# show debugdebug ipsec-over-tcp enabled at level 1hostname#Related Commands
debug ipv6
To display ipv6 debug messages, use the debug ipv6 command in privileged EXEC mode. To stop the display of debug messages, use the no form of this command.
debug ipv6 {icmp | interface | mld | nd | packet | routing}
no debug ipv6 {icmp | interface | nd | packet | routing}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
•
—
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following is sample output for the debug ipv6 icmp command:
hostname# debug ipv6 icmp13:28:40:ICMPv6:Received ICMPv6 packet from 2000:0:0:3::2, type 13613:28:45:ICMPv6:Received ICMPv6 packet from FE80::203:A0FF:FED6:1400, type 13513:28:50:ICMPv6:Received ICMPv6 packet from FE80::203:A0FF:FED6:1400, type 13613:28:55:ICMPv6:Received ICMPv6 packet from FE80::203:A0FF:FED6:1400, type 135Related Commands
debug iua-proxy
To display IUA proxy debug information, use the debug iua-proxy command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.
debug iua-proxy [level]
no debug iua-proxy
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables IUA-proxy debug messages. The show debug command reveals that IUA-proxy debug messages are enabled.
hostname# debug iua-proxydebug iua-proxy enabled at level 1hostname# show debugdebug iua-proxy enabled at level 1hostname#Related Commands
debug kerberos
To display Kerberos authentication debug information, use the debug kerberos command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.
debug kerberos [level]
no debug kerberos
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables Kerberos debug messages. The show debug command reveals that Kerberos debug messages are enabled.
hostname# debug kerberosdebug kerberos enabled at level 1hostname# show debugdebug kerberos enabled at level 1hostname#Related Commands
debug l2tp
To display L2TP debug information, use the debug l2tp command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.
debug l2tp {data | error | event | packet} level
no debug l2tp {data | error | event | packet} level
Syntax Description
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables L2TP debug messages for connection events. The show debug command reveals that L2TP debug messages are enabled.
hostname# debug l2tp event 1hostname# show debugdebug l2tp event enabled at level 1hostname#Related Commands
debug ldap
To display LDAP debug information, use the debug ldap command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.
debug ldap [level]
no debug ldap
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables LDAP debug messages. The show debug command reveals that LDAP debug messages are enabled.
hostname# debug ldapdebug ldap enabled at level 1hostname# show debugdebug ldap enabled at level 1hostname#Related Commands
debug mac-address-table
To show debug messages for the MAC address table, use the debug mac-address-table command in privileged EXEC mode. To stop showing debug messages for the MAC address table, use the no form of this command.
debug mac-address-table [level]
no debug mac-address-table [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
—
•
•
•
—
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for the MAC address table:
hostname# debug mac-address-tableRelated Commands
debug menu
To display detailed debug information for specific features, use the debug menu command in privileged EXEC mode.
debug menu
Caution
Syntax Description
This command should be used only under the supervision of Cisco TAC.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
This command should be used only under the supervision of Cisco TAC.
Related Commands
debug mfib
To display MFIB debug information, use the debug mfib command in privileged EXEC mode. To stop displaying debug information, use the no form of this command.
debug mfib {db | init | mrib | pak | ps | signal} [group]
no debug mfib {db | init | mrib | pak | ps | signal} [group]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
—
—
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example displays MFIB dabase operation debug information:
hostname# debug mfib dbMFIB IPv4 db debugging enabledRelated Commands
debug mgcp
To display detailed information about MGCP application inspection, use the debug mgcp command in privileged EXEC mode. To disable debugging, Use the no form of this command.
debug mgcp {messages | parser | sessions}
no debug mgcp {messages | parser | sessions}
messages
Displays debug information about MGCP messages.
parser
Displays debug information for parsing MGCP messages.
sessions
Displays debug information about MGCP sessions.
Defaults
All options are enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
The debug mgcp command displays detailed information about mgcp inspection. The no debug all or undebug all commands turn off all enabled debugs.
Examples
The following example enables the display of detailed information about MGCP application inspection:
hostname# debug mgcpRelated Commands
debug mmp
To display inspect MMP events, use the debug mmp command in privileged EXEC mode. To stop the display of inspect MMP events, use the no form of this command.
debug mmp
no debug mmp
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Examples
The following example shows the use of the debug mmp command to display inspect MMP events:
hostname# debug mmpciscoasa5520-tfw-cuma/admin(config-pmap)# MMP:: received 28 bytes from outside:172.23.62.204/2494 to inside:10.0.0.42/5443MMP:: version OLWP-2.0MMP status: 0MMP:: forward 28/28 bytes from outside:172.23.62.204/2494 to inside:10.0.0.42/5443MMP:: received 85 bytes from inside:10.0.0.42/5443 to outside:172.23.62.204/2494MMP:: version OLWP-2.0MMP:: session-id: 41A3D410-8B10-4DEB-B15C-B2B4B0D22055MMP status: 201MMP:: forward 85/85 bytes from inside:10.0.0.42/5443 to outside:172.23.62.204/2494MMP:: received 265 bytes from outside:172.23.62.204/2494 to inside:10.0.0.42/5443MMP:: content-length: 196MMP:: content-type: text/oml21+wbxmlMMP:: processing entity body 200/196MMP:: forward 265/265 bytes from outside:172.23.62.204/2494 to inside:10.0.0.42/5443MMP:: received 267 bytes from inside:10.0.0.42/5443 to outside:172.23.62.204/2494MMP:: content-length: 198MMP:: content-type: text/oml21+wbxmlMMP:: processing entity body 202/198MMP:: forward 267/267 bytes from inside:10.0.0.42/5443 to outside:172.23.62.204/2494MMP:: received 135 bytes from outside:172.23.62.204/2494 to inside:10.0.0.42/5443MMP:: content-length: 67MMP:: content-type: text/oml21+wbxmlMMP:: processing entity body 71/67MMP:: forward 135/135 bytes from outside:172.23.62.204/2494 to inside:10.0.0.42/5443MMP:: received 100 bytes from inside:10.0.0.42/5443 to outside:172.23.62.204/2442MMP:: content-length: 32MMP:: content-type: text/oml21+wbxmlMMP:: processing entity body 36/32MMP:: forward 100/100 bytes from inside:10.0.0.42/5443 to outside:172.23.62.204/2442MMP:: received 130 bytes from inside:10.0.0.42/5443 to outside:172.23.62.204/2494MMP:: content-length: 62MMP:: content-type: text/oml21+wbxmlMMP:: processing entity body 66/62MMP:: forward 130/130 bytes from inside:10.0.0.42/5443 to outside:172.23.62.204/2494MMP:: received 220 bytes from outside:172.23.62.204/2494 to inside:10.0.0.42/5443MMP:: content-length: 151MMP:: content-type: text/oml21+wbxmlMMP:: processing entity body 155/151MMP:: forward 220/220 bytes from outside:172.23.62.204/2494 to inside:10.0.0.42/5443MMP:: received 130 bytes from inside:10.0.0.42/5443 to outside:172.23.62.204/2494MMP:: content-length: 62MMP:: content-type: text/oml21+wbxmlMMP:: processing entity body 66/62MMP:: forward 130/130 bytes from inside:10.0.0.42/5443 to outside:172.23.62.204/2494Related Commands
debug module-boot
To show debug messages about the SSM booting process, use the debug module-boot command in privileged EXEC mode. To stop showing debug messages for the SSM booting process, use the no form of this command.
debug module-boot [level]
no debug module-boot [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for the SSM booting process:
hostname# debug module-bootRelated Commands
debug mrib
To display MRIB debug information, use the debug mrib command in privileged EXEC mode. To stop the display of debug information, use the no form of this command.
debug mrib {client | io | route [group] | table}
no debug mrib {client | io | route [group] | table}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
—
—
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example shows how to enable debugging of MRIB I/O events:
hostname# debug mrib ioIPv4 MRIB io debugging is onRelated Commands
show mrib client
Displays information about the MRIB client connections.
show mrib route
Displays MRIB table entries.
debug nac
To enable logging of NAC Framework events, use the debug nac command in privileged EXEC mode. To disable the logging of NAC debug messages, use the no form of this command.
debug nac {all | auth | errors | events}
no debug nac {all | auth | errors | events}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
When you use this command, the security appliance logs the following types of NAC events: initializations, exception list matches, ACS transactions, clientless authentications, default ACL applications, and revalidations.
The high priority assigned to debugging output can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables the logging of all NAC session events:
hostname# debug nac eventshostname#The following example enables the logging of all NAC debug messages:
hostname# debug nac allhostname#The following example disables the logging of all NAC debug messages:
hostname# no debug nachostname#Related Commands
debug ntdomain
To display NT domain authentication debug information, use the debug ntdomain command in privileged EXEC mode. To disable the display of NT domain debug information, use the no form of this command.
debug ntdomain [level]
no debug ntdomain
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables NT domain debug messages. The show debug command reveals that NT domain debug messages are enabled.
hostname# debug ntdomaindebug ntdomain enabled at level 1hostname# show debugdebug ntdomain enabled at level 1hostname#Related Commands
debug ntp
To show debug messages for NTP, use the debug ntp command in privileged EXEC mode. To stop showing debug messages for NTP, use the no form of this command.
debug ntp {adjust | authentication | events | loopfilter | packets | params | select | sync | validity}
no debug ntp {adjust | authentication | events | loopfilter | packets | params | select | sync | validity}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for NTP:
hostname# debug ntp eventsRelated Commands
debug ospf
To display debug information about the OSPF routing processes, use the debug ospf command in privileged EXEC mode. To stop displaying debug information, use the no form of this command.
debug ospf [adj | database-timer | events | flood | lsa-generation | packet | retransmission | spf [external | inter | intra] | tree]
no debug ospf [adj | database-timer | events | flood | lsa-generation | packet | retransmission | spf [external | inter | intra] | tree]
Syntax Description
Defaults
Displays all OSPF debug information if no keyword is provided.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
—
—
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following is sample output from the debug ospf events command:
hostname# debug ospf eventsospf event debugging is onOSPF:hello with invalid timers on interface Ethernet0hello interval received 10 configured 10net mask received 255.255.255.0 configured 255.255.255.0dead interval received 40 configured 30Related Commands
debug parser cache
To display CLI parser debug information, use the debug parser cache command in privileged EXEC mode. To disable the display of CLI parser debug information, use the no form of this command.
debug parser cache [level]
no debug parser cache
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables CLI parser debug messages. The show debug command reveals the current debug configuration. The CLI parser debug messages appear before and after the output of the show debug command.
hostname# debug parser cachedebug parser cache enabled at level 1hostname# show debugparser cache: try to match 'show debug' in exec modedebug parser cache enabled at level 1parser cache: hit at index 8hostname#Related Commands
debug phone-proxy
To show debug messages for the Phone Proxy instance, use the debug phone-proxy command in privileged EXEC mode. To stop displaying Phone Proxy messages, use the no form of this command.
debug phone-proxy [<media | signaling | tftp> [errors | events] ]
no debug phone-proxy [<media | signaling | tftp> [errors | events] ]
Syntax Description
Defaults
If no options are specified with the debug phone-proxy command, all phone-proxy debugging messages are displayed.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
—
—
Command History
Usage Guidelines
The debug phone-proxy command displays detailed information about Phone Proxy activity. The no debug phone-proxy commands turn off all enabled debugs.
Examples
The following example shows the use of the debug phone-proxy command to show successful TFTP transactions for the configuration file request for the Phone Proxy:
hostname(config)# debug phone-proxy tftpPP: 98.208.49.30/1028 requesting SEP00070E364804.cnf.xml.sgnPP: opened 0x33952aa2PP: Received data from 192.168.200.101 to outside:98.208.49.30/1028Received Block 1PP: Acked Block #1 from 98.208.49.30/1028 to 192.168.200.101/39514.... [snip].....PP: Received data from 192.168.200.101 to outside:98.208.49.30/1028Received Block 10PP: Acked Block #10 from 98.208.49.30/1028 to 192.168.200.101/39514PP: Installed application redirect rule from 98.208.49.30 to 192.168.200.101 using redirect port 2000 and secure port 2443PP: Modifying to TLS as the transport layer protocol.PP: Modifying to encrypted mode.PP: Data Block 1 forwarded from 192.168.200.101/39514 to 98.208.49.30/1028PP: Received ACK Block 1 from outside:98.208.49.30/1028 to inside:192.168.200.101...... [snip] ....PP: Data Block 11 forwarded to 98.208.49.30/1028PP: Received ACK Block 11 from outside:98.208.49.30/1028 to inside:192.168.200.101PP: TFTP session complete, all data sentRelated Commands
phone-proxy
Configures the Phone Proxy instance.
show running-config phone-proxy
Displays Phone Proxy specific information.
debug pim
To display PI M debug information, use the debug pim command in privileged EXEC mode. To stop displaying debug information, use the no form of this command.
debug pim [df-election [interface if_name | rp rp] | group group | interface if_name | neighbor]
no debug pim [df-election [interface if_name | rp rp] | group group | interface if_name | neighbor]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
—
—
Command History
Usage Guidelines
Logs PIM packets received and transmitted and also PIM-related events.
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following is sample output from the debug pim command:
hostname# debug pimPIM: Received Join/Prune on Ethernet1 from 172.24.37.33PIM: Received Join/Prune on Ethernet1 from 172.24.37.33PIM: Received Join/Prune on Tunnel0 from 10.3.84.1PIM: Received Join/Prune on Ethernet1 from 172.24.37.33PIM: Received Join/Prune on Ethernet1 from 172.24.37.33PIM: Received RP-Reachable on Ethernet1 from 172.16.20.31PIM: Update RP expiration timer for 224.2.0.1PIM: Forward RP-reachability packet for 224.2.0.1 on Tunnel0PIM: Received Join/Prune on Ethernet1 from 172.24.37.33PIM: Prune-list (10.221.196.51/32, 224.2.0.1)PIM: Set join delay timer to 2 seconds for (10.221.0.0/16, 224.2.0.1) on Ethernet1PIM: Received Join/Prune on Ethernet1 from 172.24.37.6PIM: Received Join/Prune on Ethernet1 from 172.24.37.33PIM: Received Join/Prune on Tunnel0 from 10.3.84.1PIM: Join-list: (*, 224.2.0.1) RP 172.16.20.31PIM: Add Tunnel0 to (*, 224.2.0.1), Forward statePIM: Join-list: (10.0.0.0/8, 224.2.0.1)PIM: Add Tunnel0 to (10.0.0.0/8, 224.2.0.1), Forward statePIM: Join-list: (10.4.0.0/16, 224.2.0.1)PIM: Prune-list (172.24.84.16/28, 224.2.0.1) RP-bit set RP 172.24.84.16PIM: Send Prune on Ethernet1 to 172.24.37.6 for (172.24.84.16/28, 224.2.0.1), RPPIM: For RP, Prune-list: 10.9.0.0/16PIM: For RP, Prune-list: 10.16.0.0/16PIM: For RP, Prune-list: 10.49.0.0/16PIM: For RP, Prune-list: 10.84.0.0/16PIM: For RP, Prune-list: 10.146.0.0/16PIM: For 10.3.84.1, Join-list: 172.24.84.16/28PIM: Send periodic Join/Prune to RP via 172.24.37.6 (Ethernet1)Related Commands
debug pix acl
To show pix acl debug messages, use the debug pix acl command in privileged EXEC mode. To stop showing debug messages, use the no form of this command.
debug pix acl
no debug pix acl
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables debug messages that :
hostname# debug pix aclRelated Commands
debug pix process
Shows debug messages for xlate and secondary connections processing.
show debug
Shows all enabled debuggers.
debug pix cls
To show pix cls debug messages, use the debug pix cls command in privileged EXEC mode. To stop showing debug messages, use the no form of this command.
debug pix cls
no debug pix cls
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables debug messages that :
hostname# debug pix clsRelated Commands
debug pix process
Shows debug messages for xlate and secondary connections processing.
show debug
Shows all enabled debuggers.
debug pix pkt2pc
To show debug messages that trace packets sent to the uauth code and that trace the event where the uauth proxy session is cut through to the data path, use the debug pix pkt2pc command in privileged EXEC mode. To stop showing debug messages, use the no form of this command.
debug pix pkt2pc
no debug pix pkt2pc
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages that trace packets sent to the uauth code and that trace the event where the uauth proxy session is cut through to the data path:
hostname# debug pix pkt2pcRelated Commands
debug pix process
Shows debug messages for xlate and secondary connections processing.
show debug
Shows all enabled debuggers.
debug pix process
To show debug messages for xlate and secondary connections processing, use the debug pix process command in privileged EXEC mode. To stop showing debug messages, use the no form of this command.
debug pix process
no debug pix process
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for xlate and secondary connections processing:
hostname# debug pix processRelated Commands
debug pix uauth
To showpix uauth debug messages, use the debug pix uauth command in privileged EXEC mode. To stop showing debug messages, use the no form of this command.
debug pix uauth
no debug pix uauth
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables debug messages that :
hostname# debug pix uauthRelated Commands
debug pix process
Shows debug messages for xlate and secondary connections processing.
show debug
Shows all enabled debuggers.
debug pptp
To show debug messages for PPTP, use the debug pptp command in privileged EXEC mode. To stop showing debug messages for PPTP, use the no form of this command.
debug pptp [level]
no debug pptp [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.
Note
Examples
The following example enables debug messages at the default level (1) for PPTP application inspection:
hostname# debug pptpRelated Commands
debug radius
To show debug messages for AAA, use the debug radius command in privileged EXEC mode. To stop showing RADIUS messages, use the no form of this command.
debug radius [ all | decode | session | user username ] ]
no debug radius
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
The debug radius command displays detailed information about RADIUS messaging between the security appliance and a RADIUS AAA server. The no debug all or undebug all commands turn off all enabled debugs.
Examples
The following example shows decoded RADIUS messages, which happen to be accounting packets:
hostname(config)# debug radius decodehostname(config)# RADIUS packet decode (accounting request)--------------------------------------Raw packet data (length = 216).....iParsed packet data.....Radius: Code = 4 (0x04)Radius: Identifier = 105 (0x69)Radius: Length = 216 (0x00D8)Radius: Vector: 842E0E99F44C00C05A0A19AB88A81312Radius: Type = 40 (0x28) Acct-Status-TypeRadius: Length = 6 (0x06)Radius: Value (Hex) = 0x2Radius: Type = 5 (0x05) NAS-PortRadius: Length = 6 (0x06)Radius: Value (Hex) = 0x1Radius: Type = 4 (0x04) NAS-IP-AddressRadius: Length = 6 (0x06)Radius: Value (IP Address) = 10.1.1.1 (0x0A010101)Radius: Type = 14 (0x0E) Login-IP-HostRadius: Length = 6 (0x06)Radius: Value (IP Address) = 10.2.0.50 (0xD0FE1291)Radius: Type = 16 (0x10) Login-TCP-PortRadius: Length = 6 (0x06)Radius: Value (Hex) = 0x50Radius: Type = 44 (0x2C) Acct-Session-IdRadius: Length = 12 (0x0C)Radius: Value (String) =30 78 31 33 30 31 32 39 66 65 | 0x130129feRadius: Type = 1 (0x01) User-NameRadius: Length = 9 (0x09)Radius: Value (String) =62 72 6f 77 73 65 72 | browserRadius: Type = 46 (0x2E) Acct-Session-TimeRadius: Length = 6 (0x06)Radius: Value (Hex) = 0x0Radius: Type = 42 (0x2A) Acct-Input-OctetsRadius: Length = 6 (0x06)Radius: Value (Hex) = 0x256DRadius: Type = 43 (0x2B) Acct-Output-OctetsRadius: Length = 6 (0x06)Radius: Value (Hex) = 0x3E1Radius: Type = 26 (0x1A) Vendor-SpecificRadius: Length = 30 (0x1E)Radius: Vendor ID = 9 (0x00000009)Radius: Type = 1 (0x01) Cisco-AV-pairRadius: Length = 24 (0x18)Radius: Value (String) =69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 30 2e | ip:source-ip=10.31 2e 31 2e 31 30 | 1.1.10Radius: Type = 26 (0x1A) Vendor-SpecificRadius: Length = 27 (0x1B)Radius: Vendor ID = 9 (0x00000009)Radius: Type = 1 (0x01) Cisco-AV-pairRadius: Length = 21 (0x15)Radius: Value (String) =69 70 3a 73 6f 75 72 63 65 2d 70 6f 72 74 3d 33 | ip:source-port=334 31 33 | 413Radius: Type = 26 (0x1A) Vendor-SpecificRadius: Length = 40 (0x28)Radius: Vendor ID = 9 (0x00000009)Radius: Type = 1 (0x01) Cisco-AV-pairRadius: Length = 34 (0x22)Radius: Value (String) =69 70 3a 64 65 73 74 69 6e 61 74 69 6f 6e 2d 69 | ip:destination-i70 3d 32 30 38 2e 32 35 34 2e 31 38 2e 31 34 35 | p=10.2.0.50Radius: Type = 26 (0x1A) Vendor-SpecificRadius: Length = 30 (0x1E)Radius: Vendor ID = 9 (0x00000009)Radius: Type = 1 (0x01) Cisco-AV-pairRadius: Length = 24 (0x18)Radius: Value (String) =69 70 3a 64 65 73 74 69 6e 61 74 69 6f 6e 2d 70 | ip:destination-p6f 72 74 3d 38 30 | ort=80Related Commands
show running-config
Displays the configuration that is running on the security appliance.
debug redundant-interface
To show debug messages about redundant interfaces, use the debug redundant-interface command in privileged EXEC mode. To stop showing debug messages for redundant interfaces, use the no form of this command.
debug redundant-interface [level]
no debug redundant-interfac [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for redundant interfaces:
hostname# debug redundant-interfaceRelated Commands
debug rip
To display debug information for RIP, use the debug rip command in privileged EXEC mode. To disable the debug information display, use the no form of this command.
debug rip [database | events]
no debug rip [database | events]
Syntax Description
Defaults
All RIP events are shown in the debug output.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
—
—
Command History
Preexisting
This command was preexisting.
7.2(1)
The database and events keywords were added.
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following is sample output from the debug rip command:
hostname# debug ripRIP: broadcasting general request on GigabitEthernet0/1RIP: broadcasting general request on GigabitEthernet0/2RIP: Received update from 10.89.80.28 on GigabitEthernet0/110.89.95.0 in 1 hops10.89.81.0 in 1 hops10.89.66.0 in 2 hops172.31.0.0 in 16 hops (inaccessible)0.0.0.0 in 7 hopsRIP: Sending update to 255.255.255.255 via GigabitEthernet0/1 (10.89.64.31)subnet 10.89.94.0, metric 1172.31.0.0 in 16 hops (inaccessible)RIP: Sending update to 255.255.255.255 via GigabitEthernet0/2 (10.89.94.31)subnet 10.89.64.0, metric 1subnet 10.89.66.0, metric 3172.31.0.0 in 16 hops (inaccessible)default 0.0.0.0, metric 8RIP: bad version 128 from 192.168.80.43Related Commands
router rip
Configures a RIP process.
show running-config rip
Displays the RIP commands in the running configuration.
debug rtp
To display debug information and error messages for RTP packets associated with H.323 and SIP inspection, use the debug rtp command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.
debug rtp [level]
no debug rtp [level]
Syntax Description
Defaults
The default level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example shows how to enable debugging for RTP packets using the debug rtp command:
hostname# debug rtp 255debug rtp enabled at level 255Related Commands
debug rtsp
To show debug messages for RTSP application inspection, use the debug rtsp command in privileged EXEC mode. To stop showing debug messages for RTSP application inspection, use the no form of this command.
debug rtsp [level]
no debug rtsp [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.
Note
Examples
The following example enables debug messages at the default level (1) for RTSP application inspection:
hostname# debug rtspRelated Commands
debug sdi
To display SDI authentication debug information, use the debug sdi command in privileged EXEC mode. To disable the display of SDI debug information, use the no form of this command.
debug sdi [level]
no debug sdi
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables SDI debug messages. The show debug command reveals that SDI debug messages are enabled.
hostname# debug sdidebug sdi enabled at level 1hostname# show debugdebug sdi enabled at level 1hostname#Related Commands
debug sequence
To add a sequence number to the beginning of all debug messages, use the debug sequence command in privileged EXEC mode. To disable the use of debug sequence numbers, use the no form of this command.
debug sequence [level]
no debug sequence
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The defaults are as follows:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables sequence numbers in debug messages. The debug parser cache command enables CLI parser debug messages. The show debug command reveals the current debug configuration. The CLI parser debug messages shown include sequence numbers before each message.
hostname# debug sequencedebug sequence enabled at level 1hostname# debug parser cachedebug parser cache enabled at level 1hostname# show debug0: parser cache: try to match 'show debug' in exec modedebug parser cache enabled at level 1debug sequence enabled at level 11: parser cache: hit at index 8hostname#Related Commands
debug session-command
To show debug messages for a session to an SSM, use the debug session-command command in privileged EXEC mode. To stop showing debug messages for sessions, use the no form of this command.
debug session-command [level]
no debug session-command [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for sessions:
hostname# debug session-commandRelated Commands
debug sip
To show debug messages for SIP application inspection, use the debug sip command in privileged EXEC mode. To stop showing debug messages for SIP application inspection, use the no form of this command.
debug sip [ha]
no debug sip [ha]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following is sample output from the debug sip command run on the active unit or failover group in a failover pair:
hostname# debug sip haSIP HA: Sending update SESSION message from faddr 10.132.80.120/5060 laddr 10.130.80.4/50295 Call-id: 001201e8-8a36000d-196df7f1-17cfef14@10.130.80.4 From: sip:1004@10.132.80.120:001201e88a3600124a7fad61-640406c0 To: sip:1009@10.132.80.120: State: 1SIP HA: msg sent to peer successful Version: 1 Action: update Object: sessionSIP HA: Sending update TX message from faddr 10.132.80.120/5060 laddr 10.130.80.4/50295 CSeq 101 INVITE State Transaction CallingThe following is sample output from the debug sip command run on the standby unit or failover group in a failover pair:
hostname# debug sip haSIP HA: Message received from peer, Version: 1 Action: add Object: sessionSIP HA: Created SIP session for faddr 10.132.80.120/5060 laddr 10.130.80.4/50295 Call-id: 001201e8-8a36000d-196df7f1-17cfef14@10.130.80.4 From: sip:1004@10.132.80.120:001201e88a3600124a7fad61-640406c0 To: sip:1009@10.132.80.120: 1 totalSIP HA: Message received from peer, Version: 1 Action: add Object: txSIP HA: Found an existing session faddr 10.132.80.120/5060 laddr 10.130.80.4/50295 Call-id: 001201e8-8a36000d-196df7f1-17cfef14@10.130.80.4 From: sip:1004@10.132.80.120:001201e88a3600124a7fad61-640406c0 To: sip:1009@10.132.80.120:SIP HA: Created SIP Transaction for faddr 10.132.80.120/5060 to laddr 10.130.80.4/50295 CSeq 101 INVITE State Transaction CallingRelated Commands
debug skinny
To show debug messages for SCCP (Skinny) application inspection, use the debug skinny command in privileged EXEC mode. To stop showing debug messages for SCCP application inspection, use the no form of this command.
debug skinny [level]
no debug skinny [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.
Note
Examples
The following example enables debug messages at the default level (1) for SCCP application inspection:
hostname# debug skinnyRelated Commands
debug sla monitor
To display debug messages for the SLA monitor operation, use the debug sla monitor command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug sla monitor [error | trace] [sla-id]
no debug sla monitor [sla-id]
Syntax Description
error
(Optional) Output IP SLA Monitor Error Messages.
sla-id
(Optional) The ID of the SLA to debug.
trace
(Optional) Output IP SLA Monitor Trace Messages.
Defaults
Both error and trace messages are shown by default.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
—
—
Command History
Usage Guidelines
Only 32 SLA operations can be debugged at one time.
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables SLA operation error debugging:
hostname(config)# debug sla monitor errorThe following example shows how to display SLA operation trace messages for the specified SLA operation:
hostname(config)# debug sla monitor trace 123Related Commands
debug sqlnet
To show debug messages for SQL*Net application inspection, use the debug sqlnet command in privileged EXEC mode. To stop showing debug messages for SQL*Net application inspection, use the no form of this command.
debug sqlnet [level]
no debug sqlnet [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.
Note
Examples
The following example enables debug messages at the default level (1) for SQL*Net application inspection:
hostname# debug sqlnetRelated Commands
debug ssh
To display debug information and error messages associated with SSH, use the debug ssh command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.
debug ssh [level]
no debug ssh [level]
Syntax Description
Defaults
The default level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following is sample output from the debug ssh 255 command:
hostname# debug ssh 255debug ssh enabled at level 255SSH2 0: send: len 64 (includes padlen 17)SSH2 0: done calc MAC out #239SSH2 0: send: len 32 (includes padlen 7)SSH2 0: done calc MAC out #240SSH2 0: send: len 64 (includes padlen 15)SSH2 0: done calc MAC out #241SSH2 0: send: len 32 (includes padlen 16)SSH2 0: done calc MAC out #242SSH2 0: send: len 64 (includes padlen 7)SSH2 0: done calc MAC out #243SSH2 0: send: len 64 (includes padlen 18)SSH2 0: done calc MAC out #244SSH2 0: send: len 64 (includes padlen 8)SSH2 0: done calc MAC out #245SSH2 0: send: len 64 (includes padlen 18)SSH2 0: done calc MAC out #246SSH2 0: send: len 64 (includes padlen 7)SSH2 0: done calc MAC out #247SSH2 0: send: len 64 (includes padlen 18)SSH2 0: done calc MAC out #248SSH2 0: send: len 64 (includes padlen 7)SSH2 0: done calc MAC out #249SSH2 0: send: len 64 (includes padlen 18)SSH2 0: done calc MAC out #250SSH2 0: send: len 64 (includes padlen 8)SSH2 0: done calc MAC out #251SSH2 0: send: len 64 (includes padlen 18)SSH2 0: done calc MAC out #252SSH2 0: send: len 64 (includes padlen 7)SSH2 0: done calc MAC out #253SSH2 0: send: len 64 (includes padlen 18)SSH2 0: done calc MAC out #254SSH2 0: send: len 64 (includes padlen 8)SSH2 0: done calc MAC out #255SSH2 0: send: len 64 (includes padlen 18)SSH2 0: done calc MAC out #256SSH2 0: send: len 64 (includes padlen 7)SSH2 0: done calc MAC out #257SSH2 0: send: len 64 (includes padlen 18)SSH2 0: done calc MAC out #258Related Commands
debug sunrpc
To show debug messages for RPC application inspection, use the debug sunrpc command in privileged EXEC mode. To stop showing debug messages for RPC application inspection, use the no form of this command.
debug sunrpc [level]
no debug sunrpc [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.
Note
Examples
The following example enables debug messages at the default level (1) for RPC application inspection:
hostname# debug sunrpcRelated Commands
debug switch ilpm
To show debug messages for models with a built-in switch, such as the ASA 5505 adaptive security appliance, show debug messages for PoE, use the debug switch ilpm command in privileged EXEC mode. To stop showing debug messages for PoE, use the no form of this command.
debug switch ilpm [events | errors] [level]
no debug switch ilpm [events | errors] [level]
Syntax Description
Defaults
By default, both events and errors are shown if you do not specify a keyword. The default level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
—
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for PoE ports:
hostname# debug switch ilpmRelated Commands
debug switch manager
To show debug messages for switch port models with a built-in switch, such as the ASA 5505 adaptive security appliance, show debug messages for VLAN assignment, and switchport command-caused events and errors, use the debug switch manager command in privileged EXEC mode. To stop showing debug messages for switch ports, use the no form of this command.
debug switch manager [events | errors] [level]
no debug switch manager [events | errors] [level]
Syntax Description
Defaults
By default, both events and errors are shown if you do not specify a keyword. The default level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
—
Command History
Usage Guidelines
Using debug commands might slow down traffic on busy networks.
Examples
The following example enables debug messages for switch ports:
hostname# debug switch managerRelated Commands
interface vlan
Adds a VLAN interface.
debug switch ilpm
Shows debug messages for PoE.
show debug
Shows all enabled debuggers.
debug tacacs
To display TACACS+ debug information, use the debug tacacs command in privileged EXEC mode. To disable the display of TACACS+ debug information, use the no form of this command.
debug tacacs [session | user username]
no debug tacacs [session | user username]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables TACACS+ debug messages. The show debug command reveals that TACACS+ debug messages are enabled.
hostname# debug tacacs user admin342hostname# show debugdebug tacacs user admin342hostname#Related Commands
debug tcp-map
To show debug messages for TCP application inspection maps, use the debug tcp-map command in privileged EXEC mode. To stop showing debug messages for TCP application inspection, use the no form of this command.
debug tcp-map
no debug tcp-map
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables debug messages for TCP application inspection maps. The show debug command reveals that debug messages for TCP application inspection maps are enabled.
hostname# debug tcp-mapdebug tcp-map enabled at level 1.hostname# show debugdebug tcp-map enabled at level 1.hostname#Related Commands
debug timestamps
To add timestamp information to the beginning of all debug messages, use the debug timestamps command in privileged EXEC mode. To disable the use of debug timestamps, use the no form of this command.
debug timestamps [level]
no debug timestamps
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The defaults are as follows:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables timestamps in debug messages. The debug parser cache command enables CLI parser debug messages. The show debug command reveals the current debug configuration. The CLI parser debug messages shown include timestamps before each message.
hostname# debug timestampsdebug timestamps enabled at level 1hostname# debug parser cachedebug parser cache enabled at level 1hostname# show debug1982769.770000000: parser cache: try to match 'show debug' in exec mode1982769.770000000: parser cache: hit at index 8hostname#Related Commands
debug vpn-sessiondb
To display VPN-session database debug information, use the debug vpn-sessiondb command in privileged EXEC mode. To disable the display of VPN-session database debug information, use the no form of this command.
debug vpn-sessiondb [level]
no debug vpn-sessiondb
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables VPN-session database debug messages. The show debug command reveals that VPN-session database debug messages are enabled.
hostname# debug vpn-sessiondbdebug vpn-sessiondb enabled at level 1hostname# show debugdebug vpn-sessiondb enabled at level 1hostname#Related Commands
debug wccp
To enable logging of WCCP events, use the debug wccp command in privileged EXEC mode. To disable the logging of WCCP debug messages, use the no form of this command.
debug wccp {events | packets | subblocks}
no debug wccp {events | packets | subblocks}
Syntax Description
events
Enables logging of WCCP session events.
packets
Enables logging of debug messages about WCCP packet information.
subblocks
Enables logging of debug messages about WCCP subblocks.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
The high priority assigned to debugging output can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables the logging of all WCCP session events:
hostname# debug wccp eventshostname#The following example enables the logging of WCCP packet debug messages:
hostname# debug wccp packetshostname#The following example disables the logging of WCCP debug messages:
hostname# no debug wccphostname#Related Commands
debug webvpn
To log WebVPN debug messages, use the debug webvpn command in privileged EXEC mode. To disable the logging of WebVPN debug messages, use the no form of this command.
debug webvpn [chunk | cifs | citrix | failover | html | javascript | request | response | svc | transformation | url | util | xml] [level]
no debug webvpn [chunk | cifs | citrix | failover | html | javascript | request | response | svc | transformation | url | util | xml] [level]
Syntax Description
Defaults
The default value for level is 1.
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
The high priority assigned to debugging output can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following example enables WebVPN debug messages, specifically for CIFS. The show debug command reveals that CIFS debug messages are enabled.
hostname# debug webvpn cifsINFO: debug webvpn cifs enabled at level 1.hostname# show debugdebug webvpn cifs enabled at level 1hostname#Related Commands
debug xdmcp
To show debug messages for XDMCP application inspection, use the debug xdmcp command in privileged EXEC mode. To stop showing debug messages for XDMCP application inspection, use the no form of this command.
debug xdmcp [level]
no debug xdmcp [level]
Syntax Description
level
(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
Defaults
The default value for level is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.
Note
Examples
The following example enables debug messages at the default level (1) for XDMCP application inspection:
hostname# debug xdmcpRelated Commands
debug xml
To display debug information for the XML parser, use the debug xml command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.
debug xml [element | event]
no debug xml [element | event]
Syntax Description
element
(Optional) Displays debug events related to processing individual XML elements.
event
(Optional) Displays XML parsing or error events.
Defaults
If no keywords are specified, all XML parser debug messages are shown.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following is sample output from the debug xml element command:
hostname# debug xml elementdebug xml element enabled at level 1XML Executes cmd: hostname hostnameXML Executes cmd: domain-name example.comXML Executes cmd: namesXML Executes cmd: dns-guardXML Executes cmd: !XML Executes cmd: interface Ethernet0XML Executes cmd: nameif outsideXML Executes cmd: security-level 0XML Executes cmd: ip address 192.168.5.151 255.255.255.0 standby 192.168.5.152XML Executes cmd: interface Ethernet1XML Executes cmd: nameif insideXML Executes cmd: security-level 100XML Executes cmd: ip address 192.168.0.151 255.255.255.0 standby 192.168.0.152XML Executes cmd: !XML Executes cmd: boot system flash:/fXML Executes cmd: ftp mode passiveXML Executes cmd: clock timezone jst 9XML Executes cmd: dns server-group DefaultDNSXML Executes cmd: domain-name cisco.com_tcp_listen: could not query index for interface 65535 port 23XML Executes cmd: pager lines 24XML Executes cmd: logging console debuggingXML Executes cmd: logging buffered debuggingXML Executes cmd: mtu outside 1500XML Executes cmd: mtu inside 1500XML Executes cmd: failoverXML Executes cmd: no asdm history enableXML Executes cmd: arp timeout 14000XML Executes cmd: route outside 0.0.0.0 0.0.0.0 192.168.5.1 1XML Executes cmd: timeout xlate 3:00:00XML Executes cmd: timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02XML Executes cmd: timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00XML Executes cmd: timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00XML Executes cmd: timeout uauth 0:05:00 absoluteXML Executes cmd: username user1 password mbO2jYs13AXlIAGa encryptedXML Executes cmd: username sugi password EB3OP7Hu2hSu6x/7 encryptedXML Executes cmd: http server enableXML Executes cmd: http 0.0.0.0 0.0.0.0 outsideXML Executes cmd: no snmp-server locationXML Executes cmd: no snmp-server contactXML Executes cmd: snmp-server enable traps snmp authentication linkup linkdown coldstartXML Executes cmd: telnet timeout 5XML Executes cmd: ssh timeout 5XML Executes cmd: console timeout 0XML Executes cmd: !XML Executes cmd: class-map inspection_defaultXML Executes cmd: match default-inspection-trafficXML Executes cmd: !XML Executes cmd: !XML Executes cmd: policy-map type inspect dns migrated_dns_map_1XML Executes cmd: parametersXML Executes cmd: message-length maximum 512XML Executes cmd: policy-map global_policyXML Executes cmd: class inspection_defaultXML Executes cmd: inspect ftpXML Executes cmd: inspect h323 h225XML Executes cmd: inspect h323 rasXML Executes cmd: inspect netbiosXML Executes cmd: inspect rshXML Executes cmd: inspect rtspXML Executes cmd: inspect skinnyXML Executes cmd: inspect esmtpXML Executes cmd: inspect sqlnetXML Executes cmd: inspect sunrpcXML Executes cmd: inspect tftpXML Executes cmd: inspect sipXML Executes cmd: inspect xdmcpXML Executes cmd: !XML Executes cmd: service-policy global_policy globalXML error info: cmd-id 87 type infoXML Executes cmd: prompt hostname contextXML Executes cmd: crashinfo save disableThe following is sample output from the debug xml event command:
hostname# debug xml eventdebug xml event enabled at level 1XML parsing: data = <con... len = 3176Exit XML parser, ret code = 0Related Commands
