Cisco ASA 5500 Series Command Reference, 8.2
show service-policy -- show xlate
Download this chapter
show service-policy -- show xlateshow service-policy -- show xlate
Download the complete book
Cisco Security Appliance Command Reference Book, Version 8.2--Whole Book PDFCisco Security Appliance Command Reference Book, Version 8.2--Whole Book PDF (PDF - 28 MB)
 Feedback

Table Of Contents

show service-policy through show xlate Commands

show service-policy

show shared license

show shun

show sip

show skinny

show sla monitor configuration

show sla monitor operational-state

show snmp-server engineid

show snmp-server group

show snmp-server statistics

show snmp-server user

show ssh sessions

show startup-config

show sunrpc-server active

show switch mac-address-table

show switch vlan

show tcpstat

show tech-support

show threat-detection rate

show threat-detection scanning-threat

show threat-detection shun

show threat-detection statistics host

show threat-detection statistics port

show threat-detection statistics protocol

show threat-detection statistics top

show tls-proxy

show track

show traffic

show uauth

show url-block

show url-cache statistics

show url-server

show version

show vlan

show vpn load-balancing

show vpn-sessiondb

show vpn-sessiondb ratio

show vpn-sessiondb summary

show wccp

show webvpn csd

show webvpn group-alias

show webvpn group-url

show webvpn sso-server

show webvpn svc

show xlate


show service-policy through show xlate Commands

show service-policy

To display the service policy statistics, use the show service-policy command in privileged EXEC mode.

show service-policy [global | interface intf] [csc | inspect inspection [arguments] | ips | police | priority | set connection [details] | shape]

show service-policy [global | interface intf] [flow protocol {host src_host | src_ip src_mask} [eq src_port] {host dest_host | dest_ip dest_mask} [eq dest_port] [icmp_number | icmp_control_message]]

Syntax Description

csc

(Optional) Shows detailed information about policies that include the csc command.

dest_ip dest_mask

For the flow keyword, the destination IP address and netmask of the traffic flow.

details

(Optional) For the set connection keyword, displays per-client connection information, if a per-client connection limit is enabled.

eq dest_port

(Optional) For the flow keyword, equals the destination port for the flow.

eq src_port

(Optional) For the flow keyword, equals the source port for the flow.

flow protocol

(Optional) Shows policies that match a particular flow identified by the 5-tuple (protocol, source IP address, source port, destination IP address, destination port). You can use this command to check that your service policy configuration will provide the services you want for specific connections.

Because the flow is described as a 5-tuple, not all policies are supported. See the following supported policy matches:

match access-list

match port

match rtp

match default-inspection-traffic

global

(Optional) Limits output to the global policy.

host dest_host

For the flow keyword, the host destination IP address of the traffic flow.

host src_host

For the flow keyword, the host source IP address of the traffic flow.

icmp_control_message

(Optional) For the flow keyword when you specify ICMP as the protocol, specifies an ICMP control message of the traffic flow.

icmp_number

(Optional) For the flow keyword when you specify ICMP as the protocol, specifies the ICMP protocol number of the traffic flow.

inspect inspection [arguments]

(Optional) Shows detailed information about policies that include an inspect command. Not all inspect commands are supported for detailed output. To see all inspections, use the show service-policy command without any arguments. The arguments available for each inspection vary; see the CLI help for more information.

interface intf

(Optional) Displays policies applied to the interface specified by the intf argument, where intf is the interface name given by the nameif command.

ips

(Optional) Shows detailed information about policies that include the ips command.

police

(Optional) Shows detailed information about policies that include the police command.

priority

(Optional) Shows detailed information about policies that include the priority command.

set connection

(Optional) Shows detailed information about policies that include the set connection command.

shape

(Optional) Shows detailed information about policies that include the shape command.

src_ip src_mask

For the flow keyword, the source IP address and netmask used in the traffic flow.


Defaults

If you do not specify any arguments, this command shows all global and interface policies.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was introduced.

7.1(1)

The csc keyword was added.

7.2(4)/8.0(4)

The shape keyword was added.


Usage Guidelines

The number of embryonic connections displayed in the show service-policy command output indicates the current number of embryonic connections to an interface for traffic matching that defined by the class-map command. The "embryonic-conn-max" field shows the maximum embryonic limit configured for the traffic class using the Modular Policy Framework. If the current embryonic connections displayed equals or exceeds the maximum, TCP intercept is applied to new TCP connections that match the traffic type defined by the class-map command.

When you make service policy changes to the configuration, all new connections use the new service policy. Existing connections continue to use the policy that was configured at the time of the connection establishment. show command output will not include data about the old connections. For example, if you remove a QoS service policy from an interface, then re-add a modified version, then the show service-policy command only displays QoS counters associated with new connections that match the new service policy; existing connections on the old policy no longer show in the command output. To ensure that all connections use the new policy, you need to disconnect the current connections so they can reconnect using the new policy. See the clear conn or clear local-host commands.

Note For an inspect icmp and inspect icmp error policies, the packet counts only include the echo request and reply packets.

Examples

The following is sample output from the show service-policy global command: 

hostname# show service-policy global

Global policy:

  Service-policy: inbound_policy

    Class-map: ftp-port

      Inspect: ftp strict inbound_ftp, packet 0, drop 0, reset-drop 0

The following is sample output from the show service-policy priority command: 

hostname# show service-policy priority

Interface outside:

Global policy:

  Service-policy: sa_global_fw_policy

Interface outside:

  Service-policy: ramap

    Class-map: clientmap

      Priority:

        Interface outside: aggregate drop 0, aggregate transmit 5207048

    Class-map: udpmap

      Priority:

        Interface outside: aggregate drop 0,  aggregate transmit 5207048

    Class-map: cmap

The following is sample output from the show service-policy flow command: 

hostname# show service-policy flow udp host 209.165.200.229 host 209.165.202.158 eq 5060

Global policy: 

  Service-policy: f1_global_fw_policy

    Class-map: inspection_default

      Match: default-inspection-traffic

      Action:

        Input flow:  inspect sip 

Interface outside:

  Service-policy: test

    Class-map: test

      Match: access-list test

        Access rule: permit ip 209.165.200.229 255.255.255.224 209.165.202.158 
255.255.255.224

      Action:

        Input flow:  ids inline

        Input flow:  set connection conn-max 10 embryonic-conn-max 20

The following is sample output from the show service-policy inspect http command. This example shows the statistics of each match command in a match-any class map. 

hostname# show service-policy inspect http

Global policy: 

  Service-policy: global_policy

    Class-map: inspection_default

      Inspect: http http, packet 1916, drop 0, reset-drop 0

        protocol violations

          packet 0

        class http_any (match-any) 

          Match: request method get, 638 packets

          Match: request method put, 10 packets

          Match: request method post, 0 packets

          Match: request method connect, 0 packets

          log, packet 648

The following is sample output from the show service-policy inspect waas command. This example shows the waas statistics. 

hostname# show service-policy inspect waas

Global policy: 

  Service-policy: global_policy

    Class-map: WAAS

      Inspect: waas, packet 12, drop 0, reset-drop 0

		SYN with WAAS option 4

		SYN-ACK with WAAS option 4

		Confirmed WAAS connections 4

		Invalid ACKs seen on WAAS connections 0

		Data exceeding window size on WAAS connections 0

The following is sample output from the show gtp requests command: 

hostname# show gtp requests

0 in use, 0 most used, 200 maximum allowed

You can use the vertical bar | to filter the display, as in the following example: 

hostname# show service-policy gtp statistics | grep gsn

This example shows the GTP statistics with the word gsn in the output.

The following command shows the statistics for GTP inspection: 

hostname# show service-policy inspect gtp statistics

GPRS GTP Statistics:

  version_not_support | 0 | msg_too_short | 0

  unknown_msg | 0 | unexpected_sig_msg | 0

  unexpected_data_msg | 0 | ie_duplicated | 0

  mandatory_ie_missing | 0 | mandatory_ie_incorrect | 0

  optional_ie_incorrect | 0 | ie_unknown | 0

  ie_out_of_order | 0 | ie_unexpected | 0

  total_forwarded | 0 | total_dropped | 0

  signalling_msg_dropped | 0 | data_msg_dropped | 0

  signalling_msg_forwarded | 0 | data_msg_forwarded | 0

  total created_pdp | 0 | total deleted_pdp | 0

  total created_pdpmcb | 0 | total deleted_pdpmcb | 0

  pdp_non_existent | 0

Table 29-1 describes each column of the output from the show service-policy inspect gtp statistics command.

Table 29-1 GPRS GTP Statistics

Column Heading
Description

version_not_support

Displays packets with an unsupported GTP version field.

msg_too_short

Displays packets less than 8 bytes in length.

unknown_msg

Displays unknown type messages.

unexpected_data_msg

Displays unexpected data messages.

mandatory_ie_missing

Displays messages missing a mandatory Information Element (IE).

mandatory_ie_incorrect

Displays messages with an incorrectly formatted mandatory Information Element (IE).

optional_ie_incorrect

Displays messages with an incorrectly formatted optional Information Element (IE).

ie_unknown

Displays messages with an unknown Information Element (IE).

ie_out_of_order

Displays messages with out-of-sequence Information Elements (IEs).

ie_unexpected

Displays messages with an unexpected Information Element (IE).

total_forwarded

Displays the total messages forwarded.

total_dropped

Displays the total messages dropped.

signalling_msg_dropped

Displays the signaling messages dropped.

data_msg_dropped

Displays the data messages dropped.

signalling_msg_forwarded

Displays the signaling messages forwarded.

data_msg_forwarded

Displays the data messages forwarded.

total created_pdp

Displays the total Packet Data Protocol (PDP) contexts created.

total deleted_pdp

Displays the total Packet Data Protocol (PDP) contexts deleted.

total created_pdpmcb

Displays the total PDPMCB sessions created.

total deleted_pdpmcb

Displays the total PDPMCB sessions deleted.

pdp_non_existent

Displays the messages received for a non-existent PDP context.


The following command displays information about the PDP contexts: 

hostname# show service-policy inspect gtp pdp-context

1 in use, 1 most used, timeout 0:00:00

Version TID | MS Addr | SGSN Addr | Idle | APN

v1 | 1234567890123425 | 1.1.1.1 | 11.0.0.2 0:00:13  gprs.cisco.com

 | user_name (IMSI): 214365870921435 | MS address: | 1.1.1.1

 | primary pdp: Y | nsapi: 2

 | sgsn_addr_signal: | 11.0.0.2 | sgsn_addr_data: | 11.0.0.2

 | ggsn_addr_signal: | 9.9.9.9 | ggsn_addr_data: | 9.9.9.9

 | sgsn control teid: | 0x000001d1 | sgsn data teid: | 0x000001d3

 | ggsn control teid: | 0x6306ffa0 | ggsn data teid: | 0x6305f9fc

 | seq_tpdu_up: | 0 | seq_tpdu_down: | 0

 | signal_sequence: | 0

 | upstream_signal_flow: | 0 | upstream_data_flow: | 0

 | downstream_signal_flow: | 0 | downstream_data_flow: | 0

 | RAupdate_flow: | 0

Table 29-2 describes each column the output from the show service-policy inspect gtp pdp-context command.

Table 29-2 PDP Contexts

Column Heading
Description

Version

Displays the version of GTP.

TID

Displays the tunnel identifier.

MS Addr

Displays the mobile station address.

SGSN Addr

Displays the serving gateway service node.

Idle

Displays the time for which the PDP context has not been in use.

APN

Displays the access point name.


Related Commands

Command
Description

clear configure service-policy

Clears service policy configurations.

clear service-policy

Clears all service policy configurations.

service-policy

Configures the service policy.

show running-config service-policy

Displays the service policies configured in the running configuration.


show shared license

To show shared license statistics, use the show shared license command in privileged EXEC mode. Optional keywords are available only for the licensing server.

show shared license [detail | client [hostname] | backup]

Syntax Description

backup

(Optional) Shows information about the backup server.

client

(Optional) Limits the display to participants.

detail

(Optional) Shows all statistics, including per participant.

hostname

(Optional) Limits the display to a particular participant.


Command Default

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.2(1)

This command was introduced.


Usage Guidelines

To clear the statistics, enter the clear shared license command.

Examples

The following is sample output from the show shared license command on the license participant: 

hostname>  show shared license

Primary License Server : 10.3.32.20

  Version              : 1

  Status               : Inactive

Shared license utilization:

  SSLVPN:

    Total for network :     5000

    Available         :     5000

    Utilized          :        0

  This device:

    Platform limit    :      250

    Current usage     :        0

    High usage        :        0

  Messages Tx/Rx/Error:

    Registration    : 0 / 0 / 0

    Get             : 0 / 0 / 0

    Release         : 0 / 0 / 0

    Transfer        : 0 / 0 / 0

Client ID           Usage   Hostname

  ASA0926K04D         0       5510-B

Table 29-3 describes the output from the show shared license command.

Table 29-3 show shared license Description

Field
Description

Primary License Server

The IP address of the primary server.

Version

The shared license version.

Status

If the command is issued on the backup server, "Active" means that this device has taken on the role as a Primary Shared Licensing server. "Inactive" means that the device is ready in standby mode, and the device is communicating with the primary server.

If failover is configured on the primary licensing server, the backup server may become "Active" for a brief moment during a failover but should return to "Inactive" after communications have synced up again.

Shared license utilization

SSLVPN

Total for network

Displays the total number of shared sessions available.

Available

Displays the remaining shared sessions available.

Utilized

Displays the shared sessions obtained for the active license server.

This device

Platform limit

Displays the total number of SSL VPN sessions for this device according to the installed license.

Current usage

Displays the number of shared SSL VPN session currently owned by this device from the shared pool.

High usage

Displays the highest number of shared SSL VPN sessions ever owned by this device.

Messages Tx/Rx/Error

Registration
Get
Release
Transfer

Shows the Transmit, Received, and Error packets of each type of connection.

Client ID

A unique client ID.

Usage

Displays the number of sessions in use.

Hostname

Displays the hostname for this device.


The following is sample output from the show shared license detail command on the license server: 

hostname>  show shared license detail

Backup License Server Info:

Device ID           : ABCD

Address             : 10.1.1.2

Registered          : NO

HA peer ID          : EFGH

Registered          : NO

  Messages Tx/Rx/Error:

    Hello           : 0 / 0 / 0

    Sync            : 0 / 0 / 0

    Update          : 0 / 0 / 0

Shared license utilization:

  SSLVPN:

    Total for network :      500

    Available         :      500

    Utilized          :        0

  This device:

    Platform limit    :      250

    Current usage     :        0

    High usage        :        0

  Messages Tx/Rx/Error:

    Registration    : 0 / 0 / 0

    Get             : 0 / 0 / 0

    Release         : 0 / 0 / 0

    Transfer        : 0 / 0 / 0

Client Info:

  Hostname          : 5540-A

  Device ID         : XXXXXXXXXXX

  SSLVPN:

    Current usage   : 0

    High            : 0

  Messages Tx/Rx/Error:

    Registration    : 1 / 1 / 0

    Get             : 0 / 0 / 0

    Release         : 0 / 0 / 0

    Transfer        : 0 / 0 / 0

...

Related Commands

Command
Description

activation-key

Enters a license activation key.

clear configure license-server

Clears the shared licensing server configuration.

clear shared license

Clears shared license statistics.

license-server address

Identifies the shared licensing server IP address and shared secret for a participant.

license-server backup address

Identifies the shared licensing backup server for a participant.

license-server backup backup-id

Identifies the backup server IP address and serial number for the main shared licensing server.

license-server backup enable

Enables a unit to be the shared licensing backup server.

license-server enable

Enables a unit to be the shared licensing server.

license-server port

Sets the port on which the server listens for SSL connections from participants.

license-server refresh-interval

Sets the refresh interval provided to participants to set how often they should communicate with the server.

license-server secret

Sets the shared secret on the shared licensing server.

show activation-key

Shows the current licenses installed.

show running-config license-server

Shows the shared licensing server configuration.

show vpn-sessiondb

Shows license information about VPN sessions.


show shun

To display shun information, use the show shun command in privileged EXEC mode.

show shun [src_ip | statistics]

Syntax Description

src_ip

(Optional) Displays the information for that address.

statistics

(Optional) Displays the interface counters only.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.

8.2(2)

For threat events, the severity level was changed from a warning to a notification. Threat events can be triggered every five minutes.


Examples

The following is sample output from the show shun command: 

hostname# show shun

shun (outside) 10.1.1.27 10.2.2.89 555 666 6

shun (inside1) 10.1.1.27 10.2.2.89 555 666 6

Related Commands

Command
Description

clear shun

Disables all the shuns that are currently enabled and clears the shun statistics.

shun

Enables a dynamic response to an attacking host by preventing new connections and disallowing packets from any existing connection.


show sip

To display SIP sessions, use the show sip command in privileged EXEC mode.

show sip

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The show sip command assists in troubleshooting SIP inspection engine issues and is described with the inspect protocol sip udp 5060 command. The show timeout sip command displays the timeout value of the designated protocol.

The show sip command displays information for SIP sessions established across the adaptive security appliance. Along with the debug sip and show local-host commands, this command is used for troubleshooting SIP inspection engine issues.

Note We recommend that you configure the pager command before using the show sip command. If there are a lot of SIP session records and the pager command is not configured, it will take a while for the show sip command output to reach its end.

Examples

The following is sample output from the show sip command: 

hostname# show sip

Total: 2

call-id c3943000-960ca-2e43-228f@10.130.56.44

 | state Call init, idle 0:00:01

call-id c3943000-860ca-7e1f-11f7@10.130.56.45

 | state Active, idle 0:00:06

This sample shows two active SIP sessions on the adaptive security appliance (as shown in the Total field). Each call-id represents a call.

The first session, with the call-id c3943000-960ca-2e43-228f@10.130.56.44, is in the state Call Init, which means the session is still in call setup. Call setup is complete only when the ACK is seen. This session has been idle for 1 second.

The second session is in the state Active, in which call setup is complete and the endpoints are exchanging media. This session has been idle for 6 seconds.

Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

debug sip

Enables debug information for SIP.

inspect sip

Enables SIP application inspection.

show conn

Displays the connection state for different connection types.

timeout

Sets the maximum idle time duration for different protocols and session types.


show skinny

To troubleshoot SCCP (Skinny) inspection engine issues, use the show skinny command in privileged EXEC mode.

show skinny

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The show skinny command assists in troubleshooting SCCP (Skinny) inspection engine issues.

Examples

The following is sample output from the show skinny command under the following conditions. There are two active Skinny sessions set up across the adaptive security appliance. The first one is established between an internal Cisco IP Phone at local address 10.0.0.11 and an external Cisco CallManager at 172.18.1.33. TCP port 2000 is the CallManager. The second one is established between another internal Cisco IP Phone at local address 10.0.0.22 and the same Cisco CallManager. 

hostname# show skinny

        LOCAL                   FOREIGN                 STATE

---------------------------------------------------------------

1       10.0.0.11/52238         172.18.1.33/2000                1

  MEDIA 10.0.0.11/22948         172.18.1.22/20798

2       10.0.0.22/52232         172.18.1.33/2000                1

  MEDIA 10.0.0.22/20798         172.18.1.11/22948

The output indicates a call has been established between both internal Cisco IP Phones. The RTP listening ports of the first and second phones are UDP 22948 and 20798 respectively.

The following is the xlate information for these Skinny connections: 

hostname# show xlate debug

2 in use, 2 most used

Flags: D | DNS, d | dump, I | identity, i | inside, n | no random,

 | o | outside, r | portmap, s | static

NAT from inside:10.0.0.11 to outside:172.18.1.11 flags si idle 0:00:16 timeout 0:05:00

NAT from inside:10.0.0.22 to outside:172.18.1.22 flags si idle 0:00:14 timeout 0:05:00

Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

debug skinny

Enables SCCP debug information.

inspect skinny

Enables SCCP application inspection.

show conn

Displays the connection state for different connection types.

timeout

Sets the maximum idle time duration for different protocols and session types.


show sla monitor configuration

To display the configuration values, including the defaults, for SLA operations, use the show sla monitor configuration command in user EXEC mode.

show sla monitor configuration [sla-id]

Syntax Description

sla-id

(Optional) The ID number of the SLA operation. Valid values are from 1 to 2147483647.


Defaults

If the sla-id is not specified, the configuration values for all SLA operations are shown.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC


Command History

Release
Modification

7.2(1)

This command was introduced.


Usage Guidelines

Use the show running config sla monitor command to see the SLA operation commands in the running configuration.

Examples

The following is sample output from the show sla monitor command. It displays the configuration values for SLA operation 123. Following the output of the show sla monitor command is the output of the show running-config sla monitor command for the same SLA operation. 

hostname> show sla monitor 124

SA Agent, Infrastructure Engine-II

Entry number: 124

Owner: 

Tag: 

Type of operation to perform: echo

Target address: 10.1.1.1

Interface: outside

Number of packets: 1

Request size (ARR data portion): 28

Operation timeout (milliseconds): 1000

Type Of Service parameters: 0x0

Verify data: No

Operation frequency (seconds): 3

Next Scheduled Start Time: Start Time already passed

Group Scheduled : FALSE

Life (seconds): Forever

Entry Ageout (seconds): never

Recurring (Starting Everyday): FALSE

Status of entry (SNMP RowStatus): Active

Enhanced History:

hostname# show running-config sla monitor 124

sla monitor 124

 type echo protocol ipIcmpEcho 10.1.1.1 interface outside

 timeout 1000

 frequency 3

sla monitor schedule 124 life forever start-time now

Related Commands

Command
Description

show running-config sla monitor

Displays the SLA operation configuration commands in the running configuration.

sla monitor

Defines an SLA monitoring operation.


show sla monitor operational-state

To display the operational state of SLA operations, use the show sla monitor operational-state command in user EXEC mode.

show sla monitor operational-state [sla-id]

Syntax Description

sla-id

(Optional) The ID number of the SLA operation. Valid values are from 1 to 2147483647.


Defaults

If the sla-id is not specified, statistics for all SLA operations are displayed.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC


Command History

Release
Modification

7.2(1)

This command was introduced.


Usage Guidelines

Use the show running-config sla monitor command to display the SLA operation commands in the running configuration.

Examples

The following is sample output from the show sla monitor operational-state command: 

hostname> show sla monitor operationl-state

Entry number: 124

Modification time: 14:42:23.607 EST Wed Mar 22 2006

Number of Octets Used by this Entry: 1480

Number of operations attempted: 4043

Number of operations skipped: 0

Current seconds left in Life: Forever

Operational state of entry: Active

Last time this entry was reset: Never

Connection loss occurred: FALSE

Timeout occurred: TRUE

Over thresholds occurred: FALSE

Latest RTT (milliseconds): NoConnection/Busy/Timeout

Latest operation start time: 18:04:26.609 EST Wed Mar 22 2006

Latest operation return code: Timeout

RTT Values:

RTTAvg: 0       RTTMin: 0       RTTMax: 0

NumOfRTT: 0     RTTSum: 0       RTTSum2: 0

Related Commands

Command
Description

show running-config sla monitor

Displays the SLA operation configuration commands in the running configuration.

sla monitor

Defines an SLA monitoring operation.


show snmp-server engineid

To display the identification of the SNMP engine that has been configured on the adaptive security appliance, use the show snmp-server engineid command in privileged EXEC mode.

show snmp-server engineid

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.2(1)

This command was introduced.


Examples

The following is sample output from the show snmp-server engineid command: 

hostname# show snmp-server engineid

Local SNMP engineID: 80000009fe85f8fd882920834a3af7e4ca79a0a1220fe10685

Usage Guidelines

An SNMP engine is a copy of SNMP that can reside on a local device. The engine ID is a unique value that is assigned for each SNMP agent for each adaptive security appliance context. The engine ID is not configurable on the adaptive security appliance. The engine ID is 25 bytes long, and is used to generate encrypted passwords. The encrypted passwords are then stored in flash memory. The engine ID can be cached. In a failover pair, the engine ID is synchronized with the peer.

Related Commands

Command
Description

clear configure snmp-server

Clears the SNMP server configuration.

show running-config snmp-server

Displays the SNMP server configuration.

snmp-server

Configures the SNMP server.


show snmp-server group

To display the names of configured SNMP groups, the security model being used, the status of different views, and the storage type of each group, use the show snmp-server group command in privileged EXEC mode.

show snmp-server group

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.2(1)

This command was introduced.


Examples

The following is sample output from the show snmp-server group command: 

hostname# show snmp-server group

groupname: public                           security model:v1

readview : <no readview specified>          writeview: <no writeview specified>

notifyview: <no readview specified>

row status: active

groupname: public                           security model:v2c

readview : <no readview specified>          writeview: <no writeview specified>

notifyview: *<no readview specified>

row status: active

groupname: privgroup                   security model:v3 priv

readview : def_read_view               writeview: <no writeview specified>

notifyview: def_notify_view

row status: active

Usage Guidelines

SNMP users and groups are used according to the View-based Access Control Model (VACM) for SNMP. The SNMP group determines the security model to be used. The SNMP user should match the security model of the SNMP group. Each SNMP group name and security level pair must be unique.

Related Commands

Command
Description

clear configure snmp-server

Clears the SNMP server configuration.

show running-config snmp-server

Displays the SNMP server configuration.

snmp-server

Configures the SNMP server.


show snmp-server statistics

To display SNMP server statistics, use the show snmp-server statistics command in privileged EXEC mode.

show snmp-server statistics

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was introduced.


Examples

The following is sample output fromthe show snmp-server statistics command: 

hostname# show snmp-server statistics

0 SNMP packets input

    0 Bad SNMP version errors

    0 Unknown community name

    0 Illegal operation for community name supplied

    0 Encoding errors

    0 Number of requested variables

    0 Number of altered variables

    0 Get-request PDUs

    0 Get-next PDUs

    0 Get-bulk PDUs

    0 Set-request PDUs (Not supported)

0 SNMP packets output

    0 Too big errors (Maximum packet size 512)

    0 No such name errors

    0 Bad values errors

    0 General errors

    0 Response PDUs

    0 Trap PDUs

Related Commands

Command
Description

clear configure snmp-server

Clears the SNMP server configuration.

clear snmp-server statistics

Clears the SNMP packet input and output counters.

show running-config snmp-server

Displays the SNMP server configuration.

snmp-server

Configures the SNMP server.


show snmp-server user

To display information about the configured characteristics of SNMP users, use the show snmp-server user command in privileged EXEC mode.

show snmp-server user [username]

Syntax Description

username

(Optional) Identifies a specific user or users about which to display SNMP information.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.2(1)

This command was introduced.


Examples

The following is sample output from the show snmp-server user command: 

hostname# show snmp-server user authuser

User name: authuser 

Engine ID: 00000009020000000C025808 

storage-type: nonvolatile       active access-list: N/A

Rowstatus: active 

Authentication Protocol: MD5

Privacy protocol: DES 

Group name: VacmGroupName

The output provides the following information:

The username, which is a string that identifies the name of the SNMP user.

The engine ID, which is a string that identifies the copy of SNMP on the adaptive security appliance.

The storage-type, which indicates whether or not the settings have been set in volatile or temporary memory on the adaptive security appliance, or in nonvolatile or persistent memory, in which settings remain after the adaptive security appliance has been turned off and on again.

The active access list, which is the standard IP access list associated with the SNMP user.

The Rowstatus, which indicates whether or not it is active or inactive.

The authentication protocol, which identifies which authentication protocol is being used. Options are MD5, SHA, or none. If authentication is not supported in your software image, this field does not appear.

The privacy protocol, which indicates whether or not DES packet encryption is enabled. If privacy is not supported in your software image, this field does not appear.

The group name, which indicates to which SNMP group the user belongs. SNMP groups are defined according to the View-based Access Control Model (VACM).

Usage Guidelines

An SNMP user must be part of an SNMP group. If you do not enter the username argument, the show snmp-server user command displays information about all configured users. If you enter the username argument and the user exists, the information about that user appears.

Related Commands

Command
Description

clear configure snmp-server

Clears the SNMP server configuration.

show running-config snmp-server

Displays the SNMP server configuration.

snmp-server

Configures the SNMP server.


show ssh sessions

To display information about the active SSH session on the adaptive security appliance, use the show ssh sessions command in privileged EXEC mode.

show ssh sessions [ip_address]

Syntax Description

ip_address

(Optional) Displays session information for only the specified IP address.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The SID is a unique number that identifies the SSH session. The Client IP is the IP address of the system running an SSH client. The Version is the protocol version number that the SSH client supports. If the SSH only supports SSH version 1, then the Version column displays 1.5. If the SSH client supports both SSH version 1 and SSH version 2, then the Version column displays 1.99. If the SSH client only supports SSH version 2, then the Version column displays 2.0. The Encryption column shows the type of encryption that the SSH client is using. The State column shows the progress that the client is making as it interacts with the adaptive security appliance. The Username column lists the login username that has been authenticated for the session. The Mode column describes the direction of the SSH data streams. For SSH version 2, which can use the same or different encryption algorithms, the Mode field displays in and out. For SSH version 1, which uses the same encryption in both directions, the Mode field displays nil (`-') and allows only one entry per connection.

Examples

The following example demonstrates the output of the show ssh sessions command: 

hostname# show ssh sessions

SID Client IP       Version Mode Encryption Hmac     State           Username

0   172.69.39.39    1.99    IN   aes128-cbc md5      SessionStarted  pat

                            OUT  aes128-cbc md5      SessionStarted  pat

1   172.23.56.236   1.5     -    3DES       -        SessionStarted  pat

2   172.69.39.29    1.99    IN   3des-cbc   sha1     SessionStarted  pat

                            OUT  3des-cbc   sha1     SessionStarted  pat

Related Commands

Command
Description

ssh disconnect

Disconnects an active SSH session.

ssh timeout

Sets the timeout value for idle SSH sessions.


show startup-config

To show the startup configuration or to show any errors when the startup configuration loaded, use the show startup-config command in privileged EXEC mode.

show startup-config [errors]

Syntax Description

errors

(Optional) Shows any errors that were generated when the adaptive security appliance loaded the startup configuration.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System1

Privileged EXEC

1 The errors keyword is only available in single mode and the system execution space,


Command History

Release
Modification

7.0(1)

The errors keyword was added.

8.3(1)

Support for password encryption was added.


Usage Guidelines

In multiple context mode, this command shows the startup configuration for your current execution space: the system configuration or the security context.

To clear the startup errors from memory, use the clear startup-config errors command.

The show startup-config command output displays encrypted, masked, or clear text passwords when password encryptionis either enabled or disabled.

Examples

The following is sample output from the show startup-config command: 

hostname# show startup-config

: Saved

: Written by enable_15 at 01:44:55.598 UTC Thu Apr 17 2003

Version 7.X(X)

!

interface GigabitEthernet0/0

 nameif inside

 security-level 100

 ip address 209.165.200.224

 webvpn enable

!

interface GigabitEthernet0/1

 shutdown

 nameif test

 security-level 0

 ip address 209.165.200.225

!

...

!

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname firewall1

domain-name example.com

boot system disk0:/cdisk.bin

ftp mode passive

names

name 10.10.4.200 outside

access-list xyz extended permit ip host 192.168.0.4 host 209.165.200.226

!

ftp-map ftp_map

!

ftp-map inbound_ftp

 deny-request-cmd appe stor stou

!

...

Cryptochecksum:4edf97923899e712ed0da8c338e07e63

The following is sample output from the show startup-config errors command: 

hostname# show startup-config errors

ERROR: 'Mac-addresses': invalid resource name

*** Output from config line 18, "limit-resource Mac-add..."

INFO: Admin context is required to get the interfaces

*** Output from config line 30, "arp timeout 14400"

Creating context 'admin'... WARNING: Invoked the stub function ibm_4gs3_context_

set_max_mgmt_sess

WARNING: Invoked the stub function ibm_4gs3_context_set_max_mgmt_sess

Done. (1)

*** Output from config line 33, "admin-context admin"

WARNING: VLAN *24* is not configured.

*** Output from config line 12, context 'admin', "nameif inside"

.....

*** Output from config line 37, "config-url disk:/admin..."

Related Commands

Command
Description

clear startup-config errors

Clears the startup errors from memory.

show running-config

Shows the running configuration.


show sunrpc-server active

To display the pinholes open for Sun RPC services, use the show sunrpc-server active command in privileged EXEC mode.

show sunrpc-server active

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Use the show sunrpc-server active command to display the pinholes open for Sun RPC services, such as NFS and NIS.

Examples

To display the pinholes open for Sun RPC services, enter the show sunrpc-server active command. The following is sample output from the show sunrpc-server active command: 

hostname# show sunrpc-server active

        LOCAL           FOREIGN                 SERVICE TIMEOUT

        -----------------------------------------------

        192.168.100.2/0 209.165.200.5/32780     100005 00:10:00

Related Commands

Command
Description

clear configure sunrpc-server

Clears the Sun remote processor call services from the adaptive security appliance.

clear sunrpc-server active

Clears the pinholes opened for Sun RPC services, such as NFS or NIS.

inspect sunrpc

Enables or disables Sun RPC application inspection and configures the port used.

show running-config sunrpc-server

Displays information about the SunRPC services configuration.


show switch mac-address-table

For models with a built-in switch, such as the ASA 5505 adaptive security appliance, use the show switch mac-address-table command in privileged EXEC mode to view the switch MAC address table.

show switch mac-address-table

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.2(1)

This command was introduced.


Usage Guidelines

This command is for models with built-in switches only. The switch MAC address table maintains the MAC address-to-switch port mapping for traffic within each VLAN in the switch hardware. If you are in transparent firewall mode, use the show mac-address-table command to view the bridge MAC address table in the ASA software. The bridge MAC address table maintains the MAC address-to-VLAN interface mapping for traffic that passes between VLANs.

MAC address entries age out in 5 minutes.

Examples

The following is sample output from the show switch mac-address-table command. 

hostname# show switch mac-address-table

Legend: Age - entry expiration time in seconds

   Mac Address  | VLAN |       Type       | Age | Port

-------------------------------------------------------

 000e.0c4e.2aa4 | 0001 |     dynamic      | 287 | Et0/0

 0012.d927.fb03 | 0001 |     dynamic      | 287 | Et0/0

 0013.c4ca.8a8c | 0001 |     dynamic      | 287 | Et0/0

 00b0.6486.0c14 | 0001 |     dynamic      | 287 | Et0/0

 00d0.2bff.449f | 0001 |     static       |  -  | In0/1

 0100.5e00.000d | 0001 | static multicast |  -  | In0/1,Et0/0-7

Total Entries: 6

Table 29-4 shows each field description:

Table 29-4 show switch mac-address-table Fields

Field
Description

Mac Address

Shows the MAC address.

VLAN

Shows the VLAN associated with the MAC address.

Type

Shows if the MAC address was learned dynamically, as a static multicast address, or statically. The only static entry is for the internal backplane interface.

Age

Shows the age of a dynamic entry in the MAC address table.

Port

Shows the switch port through which the host with the MAC address can be reached.


Related Commands

Command
Description

show mac-address-table

Shows the MAC address table for models that do not have a built-in switch.

show switch vlan

Shows the VLAN and physical MAC address association.


show switch vlan

For models with a built-in switch, such as the ASA 5505 adaptive security appliance, use the show switch vlan command in privileged EXEC mode to view the VLANs and the associated switch ports.

show switch vlan

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.2(1)

This command was introduced.


Usage Guidelines

This command is for models with built-in switches only. For other models, use the show vlan command.

Examples

The following is sample output from the show switch vlan command. 

hostname# show switch vlan

VLAN Name                             Status    Ports

---- -------------------------------- --------- -------------

100  inside                           up        Et0/0, Et0/1

200  outside                          up        Et0/7

300  -                                down      Et0/1, Et0/2

400  backup                           down      Et0/3

Table 29-4 shows each field description:

Table 29-5 show switch vlan Fields

Field
Description

VLAN

Shows the VLAN number.

Name

Shows the name of the VLAN interface. If no name is set using the nameif command, or if there is no interface vlan command, the display shows a dash (-).

Status

Shows the status, up or down, to receive and send traffic to and from the VLAN in the switch. At least one switch port in the VLAN needs to be in an up state for the VLAN state to be up.

Ports

Shows the switch ports assigned to each VLAN. If a switch port is listed for multiple VLANs, it is a trunk port. The above sample output shows Ethernet 0/1 is a trunk port that carries VLAN 100 and 300.


Related Commands

Command
Description

clear interface

Clears counters for the show interface command.

interface vlan

Creates a VLAN interface and enters interface configuration mode.

show interface

Displays the runtime status and statistics of interfaces.

show vlan

Shows the VLANs for models that do not have built-in switches.

switchport mode

Sets the mode of the switch port to access or trunk mode.


show tcpstat

To display the status of the adaptive security appliance TCP stack and the TCP connections that are terminated on the adaptive security appliance (for debugging), use the show tcpstat command in privileged EXEC mode. This command supports IPv4 and IPv6 addresses.

show tcpstat

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The show tcpstat command allows you to display the status of the TCP stack and TCP connections that are terminated on the adaptive security appliance. The TCP statistics displayed are described in Table 28.

Table 29-6 TCP Statistics in the show tcpstat Command 

Statistic
Description

tcb_cnt

Number of TCP users.

proxy_cnt

Number of TCP proxies. TCP proxies are used by user authorization.

tcp_xmt pkts

Number of packets that were transmitted by the TCP stack.

tcp_rcv good pkts

Number of good packets that were received by the TCP stack.

tcp_rcv drop pkts

Number of received packets that the TCP stack dropped.

tcp bad chksum

Number of received packets that had a bad checksum.

tcp user hash add

Number of TCP users that were added to the hash table.

tcp user hash add dup

Number of times a TCP user was already in the hash table when trying to add a new user.

tcp user srch hash hit

Number of times a TCP user was found in the hash table when searching.

tcp user srch hash miss

Number of times a TCP user was not found in the hash table when searching.

tcp user hash delete

Number of times that a TCP user was deleted from the hash table.

tcp user hash delete miss

Number of times that a TCP user was not found in the hash table when trying to delete the user.

lip

Local IP address of the TCP user.

fip

Foreign IP address of the TCP user.

lp

Local port of the TCP user.

fp

Foreign port of the TCP user.

st

State (see RFC 793) of the TCP user. The possible values are as follows: 

1   CLOSED

2   LISTEN

3   SYN_SENT

4   SYN_RCVD

5   ESTABLISHED

6   FIN_WAIT_1

7   FIN_WAIT_2

8   CLOSE_WAIT

9   CLOSING

10  LAST_ACK

11  TIME_WAIT

rexqlen

Length of the retransmit queue of the TCP user.

inqlen

Length of the input queue of the TCP user.

tw_timer

Value of the time_wait timer (in milliseconds) of the TCP user.

to_timer

Value of the inactivity timeout timer (in milliseconds) of the TCP user.

cl_timer

Value of the close request timer (in milliseconds) of the TCP user.

per_timer

Value of the persist timer (in milliseconds) of the TCP user.

rt_timer

Value of the retransmit timer (in milliseconds) of the TCP user.

tries

Retransmit count of the TCP user.


Examples

This example shows how to display the status of the TCP stack on the adaptive security appliance: 

hostname# show tcpstat

                CURRENT MAX     TOTAL

tcb_cnt         2       12      320

proxy_cnt       0       0       160

tcp_xmt pkts = 540591

tcp_rcv good pkts = 6583

tcp_rcv drop pkts = 2

tcp bad chksum = 0

tcp user hash add = 2028

tcp user hash add dup = 0

tcp user srch hash hit = 316753

tcp user srch hash miss = 6663

tcp user hash delete = 2027

tcp user hash delete miss = 0

lip = 172.23.59.230 fip = 10.21.96.254 lp = 443 fp = 2567 st = 4 rexqlen = 0

in0

  tw_timer = 0 to_timer = 179000 cl_timer = 0 per_timer = 0

rt_timer = 0

tries 0

Related Commands

Command
Description

show conn

Displays the connections used and those that are available.


show tech-support

To display the information that is used for diagnosis by technical support analysts, use the show tech-support command in privileged EXEC mode.

show tech-support [detail | file | no-config]

Syntax Description

detail

(Optional) Lists detailed information.

file

(Optional) Writes the output of the command to a file.

no-config

(Optional) Excludes the output of the running configuration.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(1)

The detail and file keywords were added.

7.2(1)

The output display was enhanced to display more detailed information about processes that hog the CPU.


Usage Guidelines

The show tech-support command lets you list information that technical support analysts need to help you diagnose problems. This command combines the output from the show commands that provide the most information to a technical support analyst.

Examples

The following example shows how to display information that is used for technical support analysis, excluding the output of the running configuration: 

hostname# show tech-support no-config

Cisco XXX Firewall Version X.X(X)

Cisco Device Manager Version X.X(X)

Compiled on Fri 15-Apr-05 14:35 by root

XXX up 2 days 8 hours

Hardware:   XXX, 64 MB RAM, CPU Pentium 200 MHz

Flash i28F640J5 @ 0x300, 16MB

BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0003.e300.73fd, irq 10

1: ethernet1: address is 0003.e300.73fe, irq 7

2: ethernet2: address is 00d0.b7c8.139e, irq 9

Licensed Features:

Failover:           Disabled

VPN-DES:            Enabled

VPN-3DES-AES:       Disabled

Maximum Interfaces: 3

Cut-through Proxy:  Enabled

Guards:             Enabled

URL-filtering:      Enabled

Inside Hosts:       Unlimited

Throughput:         Unlimited

IKE peers:          Unlimited

This XXX has a Restricted (R) license.

Serial Number: 480430455 (0x1ca2c977)

Running Activation Key: 0xc2e94182 0xc21d8206 0x15353200 0x633f6734 

Configuration last modified by enable_15 at 23:05:24.264 UTC Sat Nov 16 2002

------------------ show clock ------------------

00:08:14.911 UTC Sun Apr 17 2005

------------------ show memory ------------------

Free memory:        50708168 bytes

Used memory:        16400696 bytes

-------------     ----------------

Total memory:       67108864 bytes

------------------ show conn count ------------------

0 in use, 0 most used

------------------ show xlate count ------------------

0 in use, 0 most used

------------------ show vpn-sessiondb summary ------------------

Active Session Summary

Sessions:

                           Active : Cumulative : Peak Concurrent : Inactive

  SSL VPN               :       2 :          2 :               2

    Clientless only     :       0 :          0 :               0

    With client         :       2 :          2 :               2 :        0

  Email Proxy           :       0 :          0 :               0

  IPsec LAN-to-LAN      :       1 :          1 :               1

  IPsec Remote Access   :       0 :          0 :               0

  VPN Load Balancing    :       0 :          0 :               0

  Totals                :       3 :          3

License Information:

  Shared VPN License Information:

    SSL VPN                    :     1500

      Allocated to this device :       50

      Allocated in network     :       50

      Device limit             :      750

  IPsec   :    750    Configured :    750    Active :      1    Load :   0%

  SSL VPN :     52    Configured :     52    Active :      2    Load :   4%

                            Active : Cumulative : Peak Concurrent

  IPsec               :          1 :          1 :               1

  SSL VPN             :          2 :         10 :               2

    AnyConnect Mobile :          0 :          0 :               0

    Linksys Phone     :          0 :          0 :               0

  Totals              :          3 :         11

Tunnels:

                    Active : Cumulative : Peak Concurrent

  IKE         :          1 :          1 :               1

  IPsec       :          1 :          1 :               1

  Clientless  :          2 :          2 :               2

  SSL-Tunnel  :          2 :          2 :               2

  DTLS-Tunnel :          2 :          2 :               2

  Totals      :          8 :          8

------------------ show blocks ------------------

  SIZE    MAX    LOW    CNT

     4   1600   1600   1600

    80    400    400    400

   256    500    499    500

  1550   1188    795    919

------------------ show interface ------------------

interface ethernet0 "outside" is up, line protocol is up

  Hardware is i82559 ethernet, address is 0003.e300.73fd

  IP address 172.23.59.232, subnet mask 255.255.0.0

  MTU 1500 bytes, BW 10000 Kbit half duplex

        1267 packets input, 185042 bytes, 0 no buffer

        Received 1248 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        20 packets output, 1352 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 babbles, 0 late collisions, 9 deferred

        0 lost carrier, 0 no carrier

        input queue (curr/max blocks): hardware (13/128) software (0/2)

        output queue (curr/max blocks): hardware (0/1) software (0/1)

interface ethernet1 "inside" is up, line protocol is down

  Hardware is i82559 ethernet, address is 0003.e300.73fe

  IP address 10.1.1.1, subnet mask 255.255.255.0

  MTU 1500 bytes, BW 10000 Kbit half duplex

        0 packets input, 0 bytes, 0 no buffer

        Received 0 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        1 packets output, 60 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 babbles, 0 late collisions, 0 deferred

        1 lost carrier, 0 no carrier

        input queue (curr/max blocks): hardware (128/128) software (0/0)

        output queue (curr/max blocks): hardware (0/1) software (0/1)

interface ethernet2 "intf2" is administratively down, line protocol is down

  Hardware is i82559 ethernet, address is 00d0.b7c8.139e

  IP address 127.0.0.1, subnet mask 255.255.255.255

  MTU 1500 bytes, BW 10000 Kbit half duplex

        0 packets input, 0 bytes, 0 no buffer

        Received 0 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 packets output, 0 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 babbles, 0 late collisions, 0 deferred

        0 lost carrier, 0 no carrier

        input queue (curr/max blocks): hardware (128/128) software (0/0)

        output queue (curr/max blocks): hardware (0/0) software (0/0)

------------------ show cpu usage ------------------

CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%

------------------ show cpu hogging process ------------------

Process:      fover_parse, NUMHOG: 2, MAXHOG: 280, LASTHOG: 140

LASTHOG At:   02:08:24 UTC Jul 24 2005

PC:           11a4d5

Traceback:    12135e  121893  121822  a10d8b  9fd061  114de6 113e56f

              777135  7a3858  7a3f59  700b7f  701fbf  14b984

------------------ show process ------------------

    PC       SP       STATE       Runtime    SBASE     Stack Process

Hsi 001e3329 00763e7c 0053e5c8          0 00762ef4 3784/4096 arp_timer

Lsi 001e80e9 00807074 0053e5c8          0 008060fc 3832/4096 FragDBGC

Lwe 00117e3a 009dc2e4 00541d18          0 009db46c 3704/4096 dbgtrace

Lwe 003cee95 009de464 00537718          0 009dc51c 8008/8192 Logger

Hwe 003d2d18 009e155c 005379c8          0 009df5e4 8008/8192 tcp_fast

Hwe 003d2c91 009e360c 005379c8          0 009e1694 8008/8192 tcp_slow

Lsi 002ec97d 00b1a464 0053e5c8          0 00b194dc 3928/4096 xlate clean

Lsi 002ec88b 00b1b504 0053e5c8          0 00b1a58c 3888/4096 uxlate clean

Mwe 002e3a17 00c8f8d4 0053e5c8          0 00c8d93c 7908/8192 tcp_intercept_times

Lsi 00423dd5 00d3a22c 0053e5c8          0 00d392a4 3900/4096 route_process

Hsi 002d59fc 00d3b2bc 0053e5c8          0 00d3a354 3780/4096 XXX Garbage Collecr

Hwe 0020e301 00d5957c 0053e5c8          0 00d55614 16048/16384 isakmp_time_keepr

Lsi 002d377c 00d7292c 0053e5c8          0 00d719a4 3928/4096 perfmon

Hwe 0020bd07 00d9c12c 0050bb90          0 00d9b1c4 3944/4096 IPSec

Mwe 00205e25 00d9e1ec 0053e5c8          0 00d9c274 7860/8192 IPsec timer handler

Hwe 003864e3 00db26bc 00557920          0 00db0764 6952/8192 qos_metric_daemon

Mwe 00255a65 00dc9244 0053e5c8          0 00dc8adc 1436/2048 IP Background

Lwe 002e450e 00e7bb94 00552c30          0 00e7ad1c 3704/4096 XXX/trace

Lwe 002e471e 00e7cc44 00553368          0 00e7bdcc 3704/4096 XXX/tconsole

Hwe 001e5368 00e7ed44 00730674          0 00e7ce9c 7228/8192 XXX/intf0

Hwe 001e5368 00e80e14 007305d4          0 00e7ef6c 7228/8192 XXX/intf1

Hwe 001e5368 00e82ee4 00730534       2470 00e8103c 4892/8192 XXX/intf2

H*  0011d7f7 0009ff2c 0053e5b0        780 00e8511c 13004/16384 ci/console

Csi 002dd8ab 00e8a124 0053e5c8          0 00e891cc 3396/4096 update_cpu_usage

Hwe 002cb4d1 00f2bfbc 0051e360          0 00f2a134 7692/8192 uauth_in

Hwe 003d17d1 00f2e0bc 00828cf0          0 00f2c1e4 7896/8192 uauth_thread

Hwe 003e71d4 00f2f20c 00537d20          0 00f2e294 3960/4096 udp_timer

Hsi 001db3ca 00f30fc4 0053e5c8          0 00f3004c 3784/4096 557mcfix

Crd 001db37f 00f32084 0053ea40  121094970 00f310fc 3744/4096 557poll

Lsi 001db435 00f33124 0053e5c8          0 00f321ac 3700/4096 557timer

Hwe 001e5398 00f441dc 008121e0          0 00f43294 3912/4096 fover_ip0

Cwe 001dcdad 00f4523c 00872b48         20 00f44344 3528/4096 ip/0:0

Hwe 001e5398 00f4633c 008121bc          0 00f453f4 3532/4096 icmp0

Hwe 001e5398 00f47404 00812198          0 00f464cc 3896/4096 udp_thread/0

Hwe 001e5398 00f4849c 00812174          0 00f475a4 3832/4096 tcp_thread/0

Hwe 001e5398 00f495bc 00812150          0 00f48674 3912/4096 fover_ip1

Cwe 001dcdad 00f4a61c 008ea850          0 00f49724 3832/4096 ip/1:1

Hwe 001e5398 00f4b71c 0081212c          0 00f4a7d4 3912/4096 icmp1

Hwe 001e5398 00f4c7e4 00812108          0 00f4b8ac 3896/4096 udp_thread/1

Hwe 001e5398 00f4d87c 008120e4          0 00f4c984 3832/4096 tcp_thread/1

Hwe 001e5398 00f4e99c 008120c0          0 00f4da54 3912/4096 fover_ip2

Cwe 001e542d 00f4fa6c 00730534          0 00f4eb04 3944/4096 ip/2:2

Hwe 001e5398 00f50afc 0081209c          0 00f4fbb4 3912/4096 icmp2

Hwe 001e5398 00f51bc4 00812078          0 00f50c8c 3896/4096 udp_thread/2

Hwe 001e5398 00f52c5c 00812054          0 00f51d64 3832/4096 tcp_thread/2

Hwe 003d1a65 00f78284 008140f8          0 00f77fdc  300/1024 listen/http1

Mwe 0035cafa 00f7a63c 0053e5c8          0 00f786c4 7640/8192 Crypto CA

------------------ show failover ------------------

No license for Failover

------------------ show traffic ------------------

outside:

        received (in 205213.390 secs):

                1267 packets    185042 bytes

                0 pkts/sec      0 bytes/sec

        transmitted (in 205213.390 secs):

                20 packets      1352 bytes

                0 pkts/sec      0 bytes/sec

inside:

        received (in 205215.800 secs):

                0 packets       0 bytes

                0 pkts/sec      0 bytes/sec

        transmitted (in 205215.800 secs):

                1 packets       60 bytes

                0 pkts/sec      0 bytes/sec

intf2:

        received (in 205215.810 secs):

                0 packets       0 bytes

                0 pkts/sec      0 bytes/sec

        transmitted (in 205215.810 secs):

                0 packets       0 bytes

                0 pkts/sec      0 bytes/sec

------------------ show perfmon ------------------

PERFMON STATS:    Current      Average

Xlates               0/s          0/s

Connections          0/s          0/s

TCP Conns            0/s          0/s

UDP Conns            0/s          0/s

URL Access           0/s          0/s

URL Server Req       0/s          0/s

TCP Fixup            0/s          0/s

TCPIntercept         0/s          0/s

HTTP Fixup           0/s          0/s

FTP Fixup            0/s          0/s

AAA Authen           0/s          0/s

AAA Author           0/s          0/s

AAA Account          0/s          0/s

Related Commands

Command
Description

show clock

Displays the clock for use with the Syslog Server (PFSS) and the Public Key Infrastructure (PKI) protocol.

show conn count

Displays the connections used and available.

show cpu

Display the CPU utilization information.

show failover

Displays the status of a connection and which adaptive security appliance is active

show memory

Displays a summary of the maximum physical memory and current free memory that is available to the operating system.

show perfmon

Displays information about the performance of the adaptive security appliance

show processes

Displays a list of the processes that are running.

show running-config

Displays the configuration that is currently running on the adaptive security appliance.

show xlate

Displays information about the translation slot.


show threat-detection rate

When you enable basic threat detection using the threat-detection basic-threat command, you can view statistics using the show threat-detection rate command in privileged EXEC mode.

show threat-detection rate [min-display-rate min_display_rate] [acl-drop | bad-packet-drop | conn-limit-drop | dos-drop | fw-drop | icmp-drop | inspect-drop | interface-drop | scanning-threat | syn-attack]

Syntax Description

acl-drop

(Optional) Shows the rate for dropped packets caused by denial by access lists.

min-display-rate min_display_rate

(Optional) Limits the display to statistics that exceed the minimum display rate in events per second. You can set the min_display_rate between 0 and 2147483647.

bad-packet-drop

(Optional) Shows the rate for dropped packets caused by denial by a bad packet format (such as invalid-ip-header or invalid-tcp-hdr-length).

conn-limit-drop

(Optional) Shows the rate for dropped packets caused by the connection limits being exceeded (both system-wide resource limits, and limits set in the configuration).

dos-drop

(Optional) Shows the rate for dropped packets caused by a detected DoS attack (such as an invalid SPI, Stateful Firewall check failure).

fw-drop

(Optional) Shows the rate for dropped packets caused by basic firewall check failure. This option is a combined rate that includes all firewall-related packet drops in this command. It does not include non-firewall-related drops such as interface-drop, inspect-drop, and scanning-threat.

icmp-drop

(Optional) Shows the rate for dropped packets caused by denial by suspicious ICMP packets detected.

inspect-drop

(Optional) Shows the rate limit for dropped packets caused by packets failing application inspection.

interface-drop

(Optional) Shows the rate limit for dropped packets caused by an interface overload.

scanning-threat

(Optional) Shows the rate for dropped packets caused by a scanning attack detected. This option monitors scanning attacks; for example, the first TCP packet is not a SYN packet, or the TCP connection failed the 3-way handshake. Full scanning threat detection (see the threat-detection scanning-threat command) takes this scanning attack rate information and acts on it by classifying hosts as attackers and automatically shunning them, for example.

syn-attack

(Optional) Shows the rate for dropped packets caused by an incomplete session, such as TCP SYN attack or no data UDP session attack.


Defaults

If you do not specify an event type, all events are shown.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.0(2)

This command was introduced.

8.2(1)

The burst rate interval changed from 1/60th to 1/30th of the average rate.

8.2(2)

For threat events, the severity level was changed from a warning to a notification. Threat events can be triggered every five minutes.


Usage Guidelines

The display output shows the following:

The average rate in events/sec over fixed time periods.

The current burst rate in events/sec over the last completed burst interval, which is 1/30th of the average rate interval or 10 seconds, whichever is larger

The number of times the rates were exceeded

The total number of events over the fixed time periods.

The adaptive security appliance computes the event counts 30 times over the average rate interval; in other words, the adaptive security appliance checks the rate at the end of each burst period, for a total of 30 completed burst intervals. The unfinshed burst interval presently occurring is not included in the average rate. For example, if the average rate interval is 10 minutes, then the burst interval is 10 seconds. If the last burst interval was from 3:00:00 to 3:00:10, and you use the show command at 3:00:15, then the last 5 seconds are not included in the output.

The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the adaptive security appliance calculates the total events as the last 59 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

Examples

The following is sample output from the show threat-detection rate command: 

hostname# show threat-detection rate

                          Average(eps)    Current(eps) Trigger         Total events

  10-min ACL  drop:                  0               0       0                   16

  1-hour ACL  drop:                  0               0       0                  112

  1-hour SYN attck:                  5               0       2                21438

  10-min  Scanning:                  0               0      29                  193

  1-hour  Scanning:                106               0      10               384776

  1-hour Bad  pkts:                 76               0       2               274690

  10-min  Firewall:                  0               0       3                   22

  1-hour  Firewall:                 76               0       2               274844

  10-min DoS attck:                  0               0       0                    6

  1-hour DoS attck:                  0               0       0                   42

  10-min Interface:                  0               0       0                  204

  1-hour Interface:                 88               0       0               318225

Related Commands

Command
Description

clear threat-detection rate

Clears basic threat detection statistics.

show running-config all threat-detection

Shows the threat detection configuration, including the default rate settings if you did not configure them individually.

threat-detection basic-threat

Enables basic threat detection.

threat-detection rate

Sets the threat detection rate limits per event type.

threat-detection scanning-threat

Enables scanning threat detection.


show threat-detection scanning-threat

If you enable scanning threat detection with the threat-detection scanning-threat command, then view the hosts that are categorized as attackers and targets using the show threat-detection scanning-threat command in privileged EXEC mode.

show threat-detection scanning-threat [attacker | target]

Syntax Description

attacker

(Optional) Shows attacking host IP addresses.

target

(Optional) Shows targetted host IP addresses.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.0(2)

This command was introduced.

8.0(4)

The display was modified to include "& Subnet List" in the heading text.

8.2(2)

For threat events, the severity level was changed from a warning to a notification. Threat events can be triggered every five minutes.


Examples

The following is sample output from the show threat-detection scanning-threat command: 

hostname# show threat-detection scanning-threat

Latest Target Host & Subnet List:

    192.168.1.0

    192.168.1.249

   Latest Attacker Host & Subnet List:

    192.168.10.234

    192.168.10.0

    192.168.10.2

    192.168.10.3

    192.168.10.4

    192.168.10.5

    192.168.10.6

    192.168.10.7

    192.168.10.8

    192.168.10.9

Related Commands

Command
Description

clear threat-detection shun

Releases hosts from being shunned.

show threat-detection shun

Shows the currently shunned hosts.

show threat-detection statistics protocol

Shows the protocol statistics.

show threat-detection statistics top

Shows the top 10 statistics.

threat-detection scanning-threat

Enables scanning threat detection.


show threat-detection shun

If you enable scanning threat detection with the threat-detection scanning-threat command, and you automatically shun attacking hosts, then view the currently shunned hosts using the show threat-detection shun command in privileged EXEC mode.

show threat-detection shun

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.0(2)

This command was introduced.

8.2(2)

For threat events, the severity level was changed from a warning to a notification. Threat events can be triggered every five minutes.


Usage Guidelines

To release a host from being shunned, use the clear threat-detection shun command.

Examples

The following is sample output from the show threat-detection shun command: 

hostname# show threat-detection shun

Shunned Host List:

10.1.1.6

198.1.6.7

Related Commands

Command
Description

clear threat-detection shun

Releases hosts from being shunned.

show threat-detection statistics host

Shows the host statistics.

show threat-detection statistics protocol

Shows the protocol statistics.

show threat-detection statistics top

Shows the top 10 statistics.

threat-detection scanning-threat

Enables scanning threat detection.


show threat-detection statistics host

After you enable threat statistics with the threat-detection statistics host command, view host statistics using the show threat-detection statistics host command in privileged EXEC mode. Threat detection statistics show both allowed and dropped traffic rates.

show threat-detection statistics [min-display-rate min_display_rate] host [ip_address [mask]]

Syntax Description

ip_address

(Optional) Shows statistics for a particular host.

mask

(Optional) Sets the subnet mask for the host IP address.

min-display-rate min_display_rate

(Optional) Limits the display to statistics that exceed the minimum display rate in events per second. You can set the min_display_rate between 0 and 2147483647.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.0(2)

This command was introduced.

8.2(1)

The burst rate interval changed from 1/60th to 1/30th of the average rate.

8.2(2)

For threat events, the severity level was changed from a warning to a notification. Threat events can be triggered every five minutes.


Usage Guidelines

The display output shows the following:

The average rate in events/sec over fixed time periods.

The current burst rate in events/sec over the last completed burst interval, which is 1/30th of the average rate interval or 10 seconds, whichever is larger

The number of times the rates were exceeded (for dropped traffic statistics only)

The total number of events over the fixed time periods.

The adaptive security appliance computes the event counts 30 times over the average rate interval; in other words, the adaptive security appliance checks the rate at the end of each burst period, for a total of 30 completed burst intervals. The unfinshed burst interval presently occurring is not included in the average rate. For example, if the average rate interval is 20 minutes, then the burst interval is 20 seconds. If the last burst interval was from 3:00:00 to 3:00:20, and you use the show command at 3:00:25, then the last 5 seconds are not included in the output.

The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the adaptive security appliance calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

Examples

The following is sample output from the show threat-detection statistics host command: 

hostname# show threat-detection statistics host

                          Average(eps)    Current(eps) Trigger         Total events

Host:10.0.0.1: tot-ses:289235 act-ses:22571 fw-drop:0 insp-drop:0 null-ses:21438 bad-acc:0

  1-hour Sent byte:               2938               0       0             10580308

  8-hour Sent byte:                367               0       0             10580308

 24-hour Sent byte:                122               0       0             10580308

  1-hour Sent pkts:                 28               0       0               104043

  8-hour Sent pkts:                  3               0       0               104043

 24-hour Sent pkts:                  1               0       0               104043

  20-min Sent drop:                  9               0       1                10851

  1-hour Sent drop:                  3               0       1                10851

  1-hour Recv byte:               2697               0       0              9712670

  8-hour Recv byte:                337               0       0              9712670

 24-hour Recv byte:                112               0       0              9712670

  1-hour Recv pkts:                 29               0       0               104846

  8-hour Recv pkts:                  3               0       0               104846

 24-hour Recv pkts:                  1               0       0               104846

  20-min Recv drop:                 42               0       3                50567

  1-hour Recv drop:                 14               0       1                50567

Host:10.0.0.0: tot-ses:1 act-ses:0 fw-drop:0 insp-drop:0 null-ses:0 bad-acc:0

  1-hour Sent byte:                  0               0       0                  614

  8-hour Sent byte:                  0               0       0                  614

 24-hour Sent byte:                  0               0       0                  614

  1-hour Sent pkts:                  0               0       0                    6

  8-hour Sent pkts:                  0               0       0                    6

 24-hour Sent pkts:                  0               0       0                    6

  20-min Sent drop:                  0               0       0                    4

  1-hour Sent drop:                  0               0       0                    4

  1-hour Recv byte:                  0               0       0                  706

  8-hour Recv byte:                  0               0       0                  706

 24-hour Recv byte:                  0               0       0                  706

  1-hour Recv pkts:                  0               0       0                    7

Table 29-7 shows each field description.

Table 29-7 show threat-detection statistics host Fields 

Field
Description

Host

Shows the host IP address.

tot-ses

Shows the total number of sessions for this host since it was added to the database.

act-ses

Shows the total number of active sessions that the host is currently involved in.

fw-drop

Shows the number of firewall drops. Firewall drops is a combined rate that includes all firewall-related packet drops tracked in basic threat detection, including access list denials, bad packets, exceeded connection limits, DoS attack packets, suspicious ICMP packets, TCP SYN attack packets, and no data UDP attack packets. It does not include non-firewall-related drops such as interface overload, packets failed at application inspection, and scanning attack detected.

insp-drop

Shows the number of packets dropped because they failed application inspection.

null-ses

Shows the number of null sessions, which are TCP SYN sessions that did not complete within the 30-second timeout, and UDP sessions that did not have any data sent by its server 3 seconds after the session starts.

bad-acc

Shows the number of bad access attempts to host ports that are in a closed state. When a port is determined to be in a null session (see above), the port state of the host is set to HOST_PORT_CLOSE. Any client accessing the port of the host is immediately classified as a bad access without the need to wait for a timeout.

Average(eps)

Shows the average rate in events/sec over each time period.

The security appliance stores the count at the end of each burst period, for a total of 30 completed burst intervals. The unfinshed burst interval presently occurring is not included in the average rate. For example, if the average rate interval is 20 minutes, then the burst interval is 20 seconds. If the last burst interval was from 3:00:00 to 3:00:20, and you use the show command at 3:00:25, then the last 5 seconds are not included in the output.

The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the adaptive security appliance calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

Current(eps)

Shows the current burst rate in events/sec over the last completed burst interval, which is 1/30th of the average rate interval or 10 seconds, whichever is larger. For the example specified in the Average(eps) description, the current rate is the rate from 3:19:30 to 3:20:00

Trigger

Shows the number of times the dropped packet rate limits were exceeded. For valid traffic identified in the sent and received bytes and packets rows, this value is always 0, because there are no rate limits to trigger for valid traffic.

Total events

Shows the total number of events over each rate interval. The unfinshed burst interval presently occurring is not included in the total events. The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the adaptive security appliance calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

20-min, 1-hour, 8-hour, and 24-hour

By default, there are three rate intervals shown. You can reduce the number of rate intervals using the threat-detection statistics host number-of-rate command. Because host statistics use a lot of memory, reducing the number of rate intervals from the default of 3 reduces the memory usage. If you set this keyword to 1, then only the shortest rate interval statistics are maintained. If you set the value to 2, then the two shortest intervals are maintained.

Sent byte

Shows the number of successful bytes sent from the host.

Sent pkts

Shows the number of successful packets sent from the host.

Sent drop

Shows the number of packets sent from the host that were dropped because they were part of a scanning attack.

Recv byte

Shows the number of successful bytes received by the host.

Recv pkts

Shows the number of successful packets received by the host.

Recv drop

Shows the number of packets received by the host that were dropped because they were part of a scanning attack.


Related Commands

Command
Description

threat-detection scanning-threat

Enables scanning threat detection.

show threat-detection statistics top

Shows the top 10 statistics.

show threat-detection statistics port

Shows the port statistics.

show threat-detection statistics protocol

Shows the protocol statistics.

threat-detection statistics

Enables threat statistics.


show threat-detection statistics port

After you enable threat statistics with the threat-detection statistics port command, view TCP and UDP port statistics using the show threat-detection statistics port command in privileged EXEC mode. Threat detection statistics show both allowed and dropped traffic rates.

show threat-detection statistics [min-display-rate min_display_rate] port [start_port[-end_port]]

Syntax Description

start_port[-end_port]

(Optional) Shows statistics for a particular port or range of ports, between 0 and 65535.

min-display-rate min_display_rate

(Optional) Limits the display to statistics that exceed the minimum display rate in events per second. You can set the min_display_rate between 0 and 2147483647.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.0(2)

This command was introduced.

8.2(1)

The burst rate interval changed from 1/60th to 1/30th of the average rate.

8.2(2)

For threat events, the severity level was changed from a warning to a notification. Threat events can be triggered every five minutes.


Usage Guidelines

The display output shows the following:

The average rate in events/sec over fixed time periods.

The current burst rate in events/sec over the last completed burst interval, which is 1/30th of the average rate interval or 10 seconds, whichever is larger

The number of times the rates were exceeded (for dropped traffic statistics only)

The total number of events over the fixed time periods.

The adaptive security appliance computes the event counts 30 times over the average rate interval; in other words, the adaptive security appliance checks the rate at the end of each burst period, for a total of 30 completed burst intervals. The unfinished burst interval presently occurring is not included in the average rate. For example, if the average rate interval is 20 minutes, then the burst interval is 20 seconds. If the last burst interval was from 3:00:00 to 3:00:20, and you use the show command at 3:00:25, then the last 5 seconds are not included in the output.

The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the adaptive security appliance calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

Examples

The following is sample output from the show threat-detection statistics port command: 

hostname# show threat-detection statistics port

                          Average(eps)    Current(eps) Trigger         Total events

80/HTTP: tot-ses:310971 act-ses:22571

  1-hour Sent byte:               2939               0       0             10580922

  8-hour Sent byte:                367           22043       0             10580922

 24-hour Sent byte:                122            7347       0             10580922

  1-hour Sent pkts:                 28               0       0               104049

  8-hour Sent pkts:                  3             216       0               104049

 24-hour Sent pkts:                  1              72       0               104049

  20-min Sent drop:                  9               0       2                10855

  1-hour Sent drop:                  3               0       2                10855

  1-hour Recv byte:               2698               0       0              9713376

  8-hour Recv byte:                337           20236       0              9713376

 24-hour Recv byte:                112            6745       0              9713376

  1-hour Recv pkts:                 29               0       0               104853

  8-hour Recv pkts:                  3             218       0               104853

 24-hour Recv pkts:                  1              72       0               104853

  20-min Recv drop:                 24               0       2                29134

  1-hour Recv drop:                  8               0       2                29134

Table 29-7 shows each field description.

Table 29-8 show threat-detection statistics port Fields 

Field
Description

Average(eps)

Shows the average rate in events/sec over each time period.

The security appliance stores the count at the end of each burst period, for a total of 30 completed burst intervals. The unfinished burst interval presently occurring is not included in the average rate. For example, if the average rate interval is 20 minutes, then the burst interval is 20 seconds. If the last burst interval was from 3:00:00 to 3:00:20, and you use the show command at 3:00:25, then the last 5 seconds are not included in the output.

The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the adaptive security appliance calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

Current(eps)

Shows the current burst rate in events/sec over the last completed burst interval, which is 1/30th of the average rate interval or 10 seconds, whichever is larger. For the example specified in the Average(eps) description, the current rate is the rate from 3:19:30 to 3:20:00

Trigger

Shows the number of times the dropped packet rate limits were exceeded. For valid traffic identified in the sent and received bytes and packets rows, this value is always 0, because there are no rate limits to trigger for valid traffic.

Total events

Shows the total number of events over each rate interval. The unfinished burst interval presently occurring is not included in the total events. The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the adaptive security appliance calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

port_number/port_name

Shows the port number and name where the packet or byte was sent, received, or droppped.

tot-ses

Shows the total number of sessions for this port.

act-ses

Shows the total number of active sessions that the port is currently involved in.

20-min, 1-hour, 8-hour, and 24-hour

Shows statistics for these fixed rate intervals.

Sent byte

Shows the number of successful bytes sent from the port.

Sent pkts

Shows the number of successful packets sent from the port.

Sent drop

Shows the number of packets sent from the port that were dropped because they were part of a scanning attack.

Recv byte

Shows the number of successful bytes received by the port.

Recv pkts

Shows the number of successful packets received by the port.

Recv drop

Shows the number of packets received by the port that were dropped because they were part of a scanning attack.


Related Commands

Command
Description

threat-detection scanning-threat

Enables scanning threat detection.

show threat-detection statistics top

Shows the top 10 statistics.

show threat-detection statistics host

Shows the host statistics.

show threat-detection statistics protocol

Shows the protocol statistics.

threat-detection statistics

Enables threat statistics.


show threat-detection statistics protocol

After you enable threat statistics with the threat-detection statistics protocol command, view IP protocol statistics using the show threat-detection statistics protocol command in privileged EXEC mode. Threat detection statistics show both allowed and dropped traffic rates.

show threat-detection statistics [min-display-rate min_display_rate] protocol [protocol_number | protocol_name]

Syntax Description

protocol_number

(Optional) Shows statistics for a specific protocol number, between 0 and 255.

min-display-rate min_display_rate

(Optional) Limits the display to statistics that exceed the minimum display rate in events per second. You can set the min_display_rate between 0 and 2147483647.

protocol_name

(Optional) Shows statistics for a specific protocol name:

ah

eigrp

esp

gre

icmp

igmp

igrp

ip

ipinip

ipsec

nos

ospf

pcp

pim

pptp

snp

tcp

udp


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.0(2)

This command was introduced.

8.2(1)

The burst rate interval changed from 1/60th to 1/30th of the average rate.

8.2(2)

For threat events, the severity level was changed from a warning to a notification. Threat events can be triggered every five minutes.


Usage Guidelines

The display output shows the following:

The average rate in events/sec over fixed time periods.

The current burst rate in events/sec over the last completed burst interval, which is 1/30th of the average rate interval or 10 seconds, whichever is larger

The number of times the rates were exceeded (for dropped traffic statistics only)

The total number of events over the fixed time periods.

The adaptive security appliance computes the event counts 30 times over the average rate interval; in other words, the adaptive security appliance checks the rate at the end of each burst period, for a total of 30 completed burst intervals. The unfinished burst interval presently occurring is not included in the average rate. For example, if the average rate interval is 20 minutes, then the burst interval is 20 seconds. If the last burst interval was from 3:00:00 to 3:00:20, and you use the show command at 3:00:25, then the last 5 seconds are not included in the output.

The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the adaptive security appliance calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

Examples

The following is sample output from the show threat-detection statistics protocol command: 

hostname# show threat-detection statistics protocol

                          Average(eps)    Current(eps) Trigger         Total events

ICMP: tot-ses:0 act-ses:0

  1-hour Sent byte:                  0               0       0                 1000

  8-hour Sent byte:                  0               2       0                 1000

 24-hour Sent byte:                  0               0       0                 1000

  1-hour Sent pkts:                  0               0       0                   10

  8-hour Sent pkts:                  0               0       0                   10

 24-hour Sent pkts:                  0               0       0                   10

Table 29-7 shows each field description.

Table 29-9 show threat-detection statistics protocol Fields 

Field
Description

Average(eps)

Shows the average rate in events/sec over each time period.

The security appliance stores the count at the end of each burst period, for a total of 30 completed burst intervals. The unfinished burst interval presently occurring is not included in the average rate. For example, if the average rate interval is 20 minutes, then the burst interval is 20 seconds. If the last burst interval was from 3:00:00 to 3:00:20, and you use the show command at 3:00:25, then the last 5 seconds are not included in the output.

The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the adaptive security appliance calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

Current(eps)

Shows the current burst rate in events/sec over the last completed burst interval, which is 1/30th of the average rate interval or 10 seconds, whichever is larger. For the example specified in the Average(eps) description, the current rate is the rate from 3:19:30 to 3:20:00

Trigger

Shows the number of times the dropped packet rate limits were exceeded. For valid traffic identified in the sent and received bytes and packets rows, this value is always 0, because there are no rate limits to trigger for valid traffic.

Total events

Shows the total number of events over each rate interval. The unfinished burst interval presently occurring is not included in the total events. The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the adaptive security appliance calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

protocol_number/
protocol_name

Shows the protocol number and name where the packet or byte was sent, received, or droppped.

tot-ses

Not currently used.

act-ses

Not currently used.

20-min, 1-hour, 8-hour, and 24-hour

Shows statistics for these fixed rate intervals.

Sent byte

Shows the number of successful bytes sent from the protocol.

Sent pkts

Shows the number of successful packets sent from the protocol.

Sent drop

Shows the number of packets sent from the protocol that were dropped because they were part of a scanning attack.

Recv byte

Shows the number of successful bytes received by the protocol.

Recv pkts

Shows the number of successful packets received by the protocol.

Recv drop

Shows the number of packets received by the protocol that were dropped because they were part of a scanning attack.


Related Commands

Command
Description

threat-detection scanning-threat

Enables scanning threat detection.

show threat-detection statistics top

Shows the top 10 statistics.

show threat-detection statistics port

Shows the port statistics.

show threat-detection statistics host

Shows the host statistics.

threat-detection statistics

Enables threat statistics.


show threat-detection statistics top

After you enable threat statistics with the threat-detection statistics command, view the top 10 statistics using the show threat-detection statistics top command in privileged EXEC mode. If you did not enable the threat detection statistics for a particular type, then you cannot view those statistics with this command. Threat detection statistics show both allowed and dropped traffic rates.

show threat-detection statistics [min-display-rate min_display_rate] top [[access-list | host | port-protocol] [rate-1 | rate-2 | rate-3] | tcp-intercept [all] [detail] [long]]

Syntax Description

access-list

(Optional) Shows the top 10 ACEs that that match packets, including both permit and deny ACEs. Permitted and denied traffic are not differentiated in this display. If you enable basic threat detection using the threat-detection basic-threat command, you can track access list denies using the show threat-detection rate access-list command.

all

(Optional) For TCP Intercept, shows the history data of all the traced servers.

detail

(Optional) For TCP Intercept, shows history sampling data.

host

(Optional) Shows the top 10 host statistics for each fixed time period.

Note Due to the threat detection algorithm, an interface used for a failover link or state link could appear as one of the top 10 hosts. This occurrence is more likely when you use one interface for both the failover and state link. This is expected behavior, and you can ignore this IP address in the display.

long

(Optional) Shows the statistical history in a long format, with the real IP address and the untranslated IP address of the server.

min-display-rate min_display_rate

(Optional) Limits the display to statistics that exceed the minimum display rate in events per second. You can set the min_display_rate between 0 and 2147483647.

port-protocol

(Optional) Shows the top 10 combined statistics of TCP/UDP port and IP protocol types. TCP (protocol 6) and UDP (protocol 17) are not included in the display for IP protocols; TCP and UDP ports are, however, included in the display for ports. If you only enable statistics for one of these types, port or protocol, then you will only view the enabled statistics.

rate-1

(Optional) Shows the statistics for the smallest fixed rate intervals available in the display. For example, if the display shows statistics for the last 1 hour, 8 hours, and 24 hours, then when you use the rate-1 keyword, the adaptive security appliance shows only the 1 hour time interval.

rate-2

(Optional) Shows the statistics for the middle fixed rate intervals available in the display. For example, if the display shows statistics for the last 1 hour, 8 hours, and 24 hours, then when you use the rate-2 keyword, the adaptive security appliance shows only the 8 hour time interval.

rate-3

(Optional) Shows the statistics for the largest fixed rate intervals available in the display. For example, if the display shows statistics for the last 1 hour, 8 hours, and 24 hours, then when you use the rate-3 keyword, the adaptive security appliance shows only the 24 hour time interval.

tcp-intercept

Shows TCP Intercept statistics. The display includes the top 10 protected servers under attack.


Defaults

If you do not specify an event type, all events are shown.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.0(2)

This command was introduced.

8.0(4)

The tcp-intercept keyword was added.

8.2(1)

The burst rate interval changed from 1/60th to 1/30th of the average rate.

8.2(2)

The long keyword was added for tcp-intercept. For threat events, the severity level was changed from a warning to a notification. Threat events can be triggered every five minutes.


Usage Guidelines

The display output shows the following:

The average rate in events/sec over fixed time periods.

The current burst rate in events/sec over the last completed burst interval, which is 1/30th of the average rate interval or 10 seconds, whichever is larger

The number of times the rates were exceeded (for dropped traffic statistics only)

The total number of events over the fixed time periods.

The adaptive security appliance computes the event counts 30 times over the average rate interval; in other words, the adaptive security appliance checks the rate at the end of each burst period, for a total of 30 completed burst intervals. The unfinished burst interval presently occurring is not included in the average rate. For example, if the average rate interval is 20 minutes, then the burst interval is 20 seconds. If the last burst interval was from 3:00:00 to 3:00:20, and you use the show command at 3:00:25, then the last 5 seconds are not included in the output.

The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the adaptive security appliance calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

Examples

The following is sample output from the show threat-detection statistics top access-list command: 

hostname# show threat-detection statistics top access-list

                   Top    Average(eps)    Current(eps) Trigger         Total events

  1-hour ACL hits:

              100/3[0]             173               0       0               623488

              200/2[1]              43               0       0               156786

              100/1[2]              43               0       0               156786

  8-hour ACL hits:

              100/3[0]              21            1298       0               623488

              200/2[1]               5             326       0               156786

              100/1[2]               5             326       0               156786

Table 29-7 shows each field description.

Table 29-10 show threat-detection statistics top access-list Fields 

Field
Description

Top

Shows the ranking of the ACE within the time period, from [0] (highest count) to [9] (lowest count). You might not have enough statistics for all 10 positions, so less then 10 ACEs might be listed.

Average(eps)

Shows the average rate in events/sec over each time period.

The security appliance stores the count at the end of each burst period, for a total of 30 completed burst intervals. The unfinished burst interval presently occurring is not included in the average rate. For example, if the average rate interval is 20 minutes, then the burst interval is 20 seconds. If the last burst interval was from 3:00:00 to 3:00:20, and you use the show command at 3:00:25, then the last 5 seconds are not included in the output.

The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the adaptive security appliance calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

Current(eps)

Shows the current burst rate in events/sec over the last completed burst interval, which is 1/30th of the average rate interval or 10 seconds, whichever is larger. For the example specified in the Average(eps) description, the current rate is the rate from 3:19:30 to 3:20:00.

Trigger

This column is always 0, because there are no rate limits triggered by access list traffic; denied and permitted traffic are not differentiated in this display. If you enable basic threat detection using the threat-detection basic-threat command, you can track access list denies using the show threat-detection rate access-list command.

Total events

Shows the total number of events over each rate interval. The unfinished burst interval presently occurring is not included in the total events. The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the adaptive security appliance calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.

1-hour, 8-hour

Shows statistics for these fixed rate intervals.

acl_name/line_number

Shows the access list name and line number of the ACE that caused the denies.


The following is sample output from the show threat-detection statistics top access-list rate-1 command: 

hostname# show threat-detection statistics top access-list rate-1

                   Top    Average(eps)    Current(eps) Trigger         Total events

  1-hour ACL hits:

              100/3[0]             173               0       0               623488

              200/2[1]              43               0       0               156786

              100/1[2]              43               0       0               156786

The following is sample output from the show threat-detection statistics top port-protocol command: 

hostname# show threat-detection statistics top port-protocol

Top          Name   Id    Average(eps)    Current(eps) Trigger      Total events

  1-hour Recv byte:

 1         gopher   70              71               0       0          32345678

 2  btp-clnt/dhcp   68              68               0       0          27345678

 3         gopher   69              65               0       0          24345678

 4    Protocol-96 * 96              63               0       0          22345678

 5      Port-7314 7314              62               0       0          12845678

 6 BitTorrent/trc 6969              61               0       0          12645678

 7     Port-8191-65535              55               0       0          12345678

 8           SMTP  366              34               0       0           3345678

 9         IPinIP *  4              30               0       0           2345678

10          EIGRP * 88              23               0       0           1345678

  1-hour Recv pkts:

...

...

  8-hour Recv byte:

...

...

  8-hour Recv pkts:

...

...

 24-hour Recv byte:

...

...

 24-hour Recv pkts:

...

...

Note: Id preceded by * denotes the Id is an IP protocol type

Table 29-11 shows each field description.

Table 29-11 show threat-detection statistics top port-protocol Fields 

Field
Description

Top

Shows the ranking of the port or protocol within the time period/type of statistic, from [0] (highest count) to [9] (lowest count). You might not have enough statistics for all 10 positions, so less then 10 ports/protocols might be listed.

Name

Shows the port/protocol name.

Id

Shows the port/protocol ID number. The asterisk (*) means the ID is an IP protocol number.

Average(eps)

See the description in Table 29-7.

Current(eps)

See the description in Table 29-7.

Trigger

Shows the number of times the dropped packet rate limits were exceeded. For valid traffic identified in the sent and received bytes and packets rows, this value is always 0, because there are no rate limits to trigger for valid traffic.

Total events

See the description in Table 29-7.

Time_interval Sent byte

Shows the number of successful bytes sent from the listed ports and protocols for each time period.

Time_interval Sent packet

Shows the number of successful packets sent from the listed ports and protocols for each time period.

Time_interval Sent drop

Shows the number of packets sent for each time period from the listed ports and protocols that were dropped because they were part of a scanning attack.

Time_interval Recv byte

Shows the number of successful bytes received by the listed ports and protocols for each time period.

Time_interval Recv packet

Shows the number of successful packets received by the listed ports and protocols for each time period.

Time_interval Recv drop

Shows the number of packets received for each time period by the listed ports and protocols that were dropped because they were part of a scanning attack.

port_number/port_name

Shows the port number and name where the packet or byte was sent, received, or droppped.

protocol_number/protocol_name

Shows the protocol number and name where the packet or byte was sent, received, or droppped.


The following is sample output from the show threat-detection statistics top host command: 

hostname# show threat-detection statistics top host

                   Top    Average(eps)    Current(eps) Trigger         Total events

  1-hour Sent byte:

          10.0.0.1[0]            2938               0       0             10580308

  1-hour Sent pkts:

          10.0.0.1[0]              28               0       0               104043

  20-min Sent drop:

          10.0.0.1[0]               9               0       1                10851

  1-hour Recv byte:

          10.0.0.1[0]            2697               0       0              9712670

  1-hour Recv pkts:

          10.0.0.1[0]              29               0       0               104846

  20-min Recv drop:

          10.0.0.1[0]              42               0       3                50567

  8-hour Sent byte:

          10.0.0.1[0]             367               0       0             10580308

  8-hour Sent pkts:

          10.0.0.1[0]               3               0       0               104043

  1-hour Sent drop:

          10.0.0.1[0]               3               0       1                10851

  8-hour Recv byte:

          10.0.0.1[0]             337               0       0              9712670

  8-hour Recv pkts:

          10.0.0.1[0]               3               0       0               104846

  1-hour Recv drop:

          10.0.0.1[0]              14               0       1                50567

 24-hour Sent byte:

          10.0.0.1[0]             122               0       0             10580308

 24-hour Sent pkts:

          10.0.0.1[0]               1               0       0               104043

 24-hour Recv byte:

          10.0.0.1[0]             112               0       0              9712670

 24-hour Recv pkts:

          10.0.0.1[0]               1               0       0               104846

Table 29-12 shows each field description.

Table 29-12 show threat-detection statistics top host Fields 

Field
Description

Top

Shows the ranking of the host within the time period/type of statistic, from [0] (highest count) to [9] (lowest count). You might not have enough statistics for all 10 positions, so less then 10 hosts might be listed.

Average(eps)

See the description in Table 29-7.

Current(eps)

See the description in Table 29-7.

Trigger

See the description in Table 29-7.

Total events

See the description in Table 29-7.

Time_interval Sent byte

Shows the number of successful bytes sent to the listed hosts for each time period.

Time_interval Sent packet

Shows the number of successful packets sent to the listed hosts for each time period.

Time_interval Sent drop

Shows the number of packets sent for each time period to the listed hosts that were dropped because they were part of a scanning attack.

Time_interval Recv byte

Shows the number of successful bytes received by the listed hosts for each time period.

Time_interval Recv packet

Shows the number of successful packets received by the listed ports and protocols for each time period.

Time_interval Recv drop

Shows the number of packets received for each time period by the listed ports and protocols that were dropped because they were part of a scanning attack.

host_ip_address

Shows the host IP address where the packet or byte was sent, received, or droppped.


The following is sample output from the show threat-detection statistics top tcp-intercept command: 

hostname# show threat-detection statistics top tcp-intercept

Top 10 protected servers under attack (sorted by average rate)

Monitoring window size: 30 mins    Sampling interval: 30 secs

<Rank> <Server IP:Port> <Interface> <Ave Rate> <Cur Rate> <Total> <Source IP (Last Attack 
Time)>

----------------------------------------------------------------------------------

1    192.168.1.2:5000 inside 1249 9503 2249245 <various> Last: 10.0.0.3 (0 secs ago)

2    192.168.1.3:5000 inside 10 10 6080 10.0.0.200 (0 secs ago)

3    192.168.1.4:5000 inside 2 6 560 10.0.0.200 (59 secs ago)

4    192.168.1.5:5000 inside 1 5 560 10.0.0.200 (59 secs ago)

5    192.168.1.6:5000 inside 1 4 560 10.0.0.200 (59 secs ago)

6    192.168.1.7:5000 inside 0 3 560 10.0.0.200 (59 secs ago)

7    192.168.1.8:5000 inside 0 2 560 10.0.0.200 (59 secs ago)

8    192.168.1.9:5000 inside 0 1 560 10.0.0.200 (59 secs ago)

9    192.168.1.10:5000 inside 0 0 550 10.0.0.200 (2 mins ago)

10   192.168.1.11:5000 inside 0 0 550 10.0.0.200 (5 mins ago)

Table 29-13 shows each field description.

Table 29-13 show threat-detection statistics top tcp-intercept Fields 

Field
Description

Monitoring window size:

Shows the period of time over which the adaptive security appliance samples data for statistics. The default is 30 minutes. You can change this setting using the threat-detection statistics tcp-intercept rate-interval command. The adaptive security appliance samples data 30 times during this interval.

Sampling interval:

Shows the interval between samples. This value is always the rate interval divided by 30.

rank

Shows the ranking, 1 through 10, where 1 is the most attacked server, and 10 is the least attacked server.

server_ip:port

Shows the server IP address and the port on which it is being attacked.

interface

Shows the inerface through which the server is being attacked.

avg_rate

Shows the average rate of attack, in attacks per second over the sampling period

current_rate

Shows the current attack rate, in attacks per second.

total

Shows the total number of attacks.

attacker_ip

Shows the attacker IP address.

(last_attack_time ago)

Shows when the last attack occurred.


The following is sample output from the show threat-detection statistics top tcp-intercept long command with the real source IP address in parentheses: 

hostname# show threat-detection statistics top tcp-intercept long

Top 10 protected servers under attack (sorted by average rate)

Monitoring window size: 30 mins    Sampling interval: 30 secs

<Rank> <Server IP:Port (Real IP:Real Port)> <Interface> <Ave Rate> <Cur Rate> <Total> 
<Source IP (Last Attack Time)>

--------------------------------------------------------------------------------

1    10.1.0.2:6025 (209.165.200.227:6025) inside 18 709 33911 10.0.0.201 (0 secs ago)

2    10.1.0.2:6026 (209.165.200.227:6026) inside 18 709 33911 10.0.0.201 (0 secs ago)

3    10.1.0.2:6027 (209.165.200.227:6027) inside 18 709 33911 10.0.0.201 (0 secs ago)

4    10.1.0.2:6028 (209.165.200.227:6028) inside 18 709 33911 10.0.0.201 (0 secs ago)

5    10.1.0.2:6029 (209.165.200.227:6029) inside 18 709 33911 10.0.0.201 (0 secs ago)

6    10.1.0.2:6030 (209.165.200.227:6030) inside 18 709 33911 10.0.0.201 (0 secs ago)

7    10.1.0.2:6031 (209.165.200.227:6031) inside 18 709 33911 10.0.0.201 (0 secs ago)

8    10.1.0.2:6032 (209.165.200.227:6032) inside 18 709 33911 10.0.0.201 (0 secs ago)

9    10.1.0.2:6033 (209.165.200.227:6033) inside 18 709 33911 10.0.0.201 (0 secs ago)

10   10.1.0.2:6034 (209.165.200.227:6034) inside 18 709 33911 10.0.0.201 (0 secs ago)

The following is sample output from the show threat-detection statistics top tcp-intercept detail command: 

hostname# show threat-detection statistics top tcp-intercept detail

Top 10 Protected Servers under Attack (sorted by average rate)

Monitoring Window Size: 30 mins    Sampling Interval: 30 secs

<Rank> <Server IP:Port> <Interface> <Ave Rate> <Cur Rate> <Total> <Source IP (Last Attack 
Time)> 

----------------------------------------------------------------------------------

1    192.168.1.2:5000 inside 1877 9502 3379276 <various> Last: 10.0.0.45 (0 secs ago)

     Sampling History (30 Samplings):

             95348      95337      95341      95339      95338      95342

             95337      95348      95342      95338      95339      95340

             95339      95337      95342      95348      95338      95342

             95337      95339      95340      95339      95347      95343

             95337      95338      95342      95338      95337      95342

             95348      95338      95342      95338      95337      95343

             95337      95349      95341      95338      95337      95342

             95338      95339      95338      95350      95339      95570

             96351      96351      96119      95337      95349      95341

             95338      95337      95342      95338      95338      95342

......

Table 29-14 shows each field description.

Table 29-14 show threat-detection statistics top tcp-intercept detail Fields 

Field
Description

Monitoring window size:

Shows the period of time over which the adaptive security appliance samples data for statistics. The default is 30 minutes. You can change this setting using the threat-detection statistics tcp-intercept rate-interval command. The adaptive security appliance samples data 30 times during this interval.

Sampling interval:

Shows the interval between samples. This value is always the rate interval divided by 30.

rank

Shows the ranking, 1 through 10, where 1 is the most attacked server, and 10 is the least attacked server.

server_ip:port

Shows the server IP address and the port on which it is being attacked.

interface

Shows the inerface through which the server is being attacked.

avg_rate

Shows the average rate of attack, in attacks per second over the rate interval set by the threat-detection statistics tcp-intercept rate-interval command (by default, the rate interval is 30 minutes). The adaptive security appliance samples the data every 30 seconds over the rate interval.

current_rate

Shows the current attack rate, in attacks per second.

total

Shows the total number of attacks.

attacker_ip or <various> Last: attacker_ip

Shows the attacker IP address. If there is more than one attacker, then "<various>" displays followed by the last attacker IP address.

(last_attack_time ago)

Shows when the last attack occurred.

sampling data

Shows all 30 sampling data values, which show the number of attacks at each inerval.


Related Commands

Command
Description

threat-detection scanning-threat

Enables scanning threat detection.

show threat-detection statistics host

Shows the host statistics.

show threat-detection statistics port

Shows the port statistics.

show threat-detection statistics protocol

Shows the protocol statistics.

threat-detection statistics

Enables threat statistics.


show tls-proxy

To display TLS proxy and session information, use the show tls-proxy command in global configuration mode.

show tls-proxy tls_name [session [host host_addr | detail [cert-dump | count]]

Syntax Description

cert-dump

Dumps the local dynamic certificate. Output is a hex dump of the LDC.

count

Shows only the session counters.

detail

Shows detailed TLS proxy information including the cipher for each SSL leg and the LDC.

host host_addr

Specifies a particular host to show the sessions associated with.

session

Shows active TLS proxy sessions.

tls_name

Name of the TLS proxy to show.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC mode

·

·

·

·

·


Command History

Release
Modification

8.0(2)

This command was introduced.


Examples

The following is sample output from the show tls-proxy command: 

hostname# show tls-proxy

TLS-Proxy `proxy': ref_cnt 1, seq#1

	Server proxy: 

		Trust-point: local_ccm

	Client proxy:

		Local dynamic certificate issuer: ldc_signer

		Local dynamic certificate key-pair: phone_common

		Cipher-suite <unconfigured>

	Run-time proxies:

		Proxy 0x448b468: Class-map: skinny_ssl, Inspect: skinny

			Active sess 1, most sess 4, byte 3244

The following is sample output from the show tls-proxy session command: 

hostname# show tls-proxy session

outside 133.9.0.211:51291 inside 195.168.2.200:2443 P:0x4491a60(proxy)

S:0x482e790 byte 3388

The following is sample output from the show tls-proxy session detail command: 

hostname# show tls-proxy session detail

1 in use, 1 most used

outside 133.9.0.211:50433 inside 195.168.2.200:2443 P:0xcba60b60(proxy) S:0xcbc10748 byte 
1831704

	Client: State SSLOK  Cipher AES128-SHA Ch 0xca55efc8 TxQSize 0 LastTxLeft 0 Flags 0x1

	Server: State SSLOK  Cipher AES128-SHA Ch 0xca55efa8 TxQSize 0 LastTxLeft 0 Flags 0x9

Local Dynamic Certificate

	Status: Available

	Certificate Serial Number: 29

	Certificate Usage: General Purpose

	Public Key Type: RSA (1024 bits)

	Issuer Name: 

		cn=TLS-Proxy-Signer

	Subject Name:

		cn=SEP0002B9EB0AAD

		o=Cisco Systems Inc

		c=US

	Validity Date: 

		start date: 00:47:12 PDT Feb 27 2007

		end   date: 00:47:12 PDT Feb 27 2008

	Associated Trustpoints:

Related Commands

Command
Description

client

Defines a cipher suite and sets the local dynamic certificate issuer or keypair.

ctl-provider

Defines a CTL provider instance and enters provider configuration mode.

show running-config tls-proxy

Shows running configuration of all or specified TLS proxies.

tls-proxy

Defines a TLS proxy instance and sets the maximum sessions.


show track

To display information about object tracked by the tracking process, use the show track command in user EXEC mode.

show track [track-id]

Syntax Description

track-id

A tracking entry object ID. Valid values are from 1 to 500.


Defaults

If the track-id is not provided, then information about all tracking objects is displayed.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC


Command History

Release
Modification

7.2(1)

This command was introduced.


Examples

The following is sample output from the show track command: 

hostname(config)# show track

Track 5

	Response Time Reporter 124 reachability

	Reachability is UP

	2 changes, last change 03:41:16

	Latest operation return code: OK

	Tracked by:

		STATIC-IP-ROUTING 0

Related Commands

Command
Description

show running-config track

Displays the track rtr commands in the running configuration.

track rtr

Creates a tracking entry to poll the SLA.


show traffic

To display interface transmit and receive activity, use the show traffic command in privileged EXEC mode.

show traffic

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.2(1)

Special display for the ASA 5550 adaptive security appliance was added.


Usage Guidelines

The show traffic command lists the number of packets and bytes moving through through each interface since the last show traffic command was entered or since the adaptive adaptive security appliance came online. The number of seconds is the duration the adaptive adaptive security appliance has been online since the last reboot, unless the clear traffic command was entered since the last reboot. If this is the case, then the number of seconds is the duration since that command was entered.

For the ASA 5550 adaptive security appliance, the show traffic command also shows the aggregated throughput per slot. Because the ASA 5550 adaptive security appliance requires traffic to be evenly distributed across slots fro maximum throughput, this display helps you determine if the traffic is distributed evenly.

Examples

The following example shows output from the show traffic command: 

hostname# show traffic

outside: 
        received (in 102.080 secs): 
                2048 packets 204295 bytes 
                20 pkts/sec 2001 bytes/sec 
        transmitted (in 102.080 secs): 
                2048 packets 204056 bytes 
                20 pkts/sec 1998 bytes/sec 
 
Ethernet0: 
        received (in 102.080 secs): 
                2049 packets 233027 bytes 
                20 pkts/sec 2282 bytes/sec 
        transmitted (in 102.080 secs): 
                2048 packets 232750 bytes 
                20 pkts/sec 2280 bytes/sec

For the ASA 5550 adaptive security appliance, the following text is displayed at the end: 

----------------------------------------

        Per Slot Throughput Profile      

----------------------------------------

  Packets-per-second profile:

    Slot 0:       3148  50%|****************

    Slot 1:       3149  50%|****************

  Bytes-per-second profile:

    Slot 0:     427044  50%|****************

    Slot 1:     427094  50%|****************

Related Commands

Command
Description

clear traffic

Resets the counters for transmit and receive activity.


show uauth

To display one or all currently authenticated users, the host IP to which they are bound, and any cached IP and port authorization information, use the show uauth command in privileged EXEC mode.

show uauth [username]

Syntax Description

username

(Optional) Specifies, by username, the user authentication and authorization information to display.


Defaults

Omitting username displays the authorization information for all users.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The show uauth command displays the AAA authorization and authentication caches for one user or for all users.

This command is used with the timeout command.

Each user host IP address has an authorization cache attached to it. The cache allows up to 16 address and service pairs for each user host. If the user attempts to access a service that has been cached from the correct host, the adaptive security appliance considers it preauthorized and immediately proxies the connection. Once you are authorized to access a website, for example, the authorization server is not contacted for each image as it is loaded (assuming the images come from the same IP address). This process significantly increases performance and reduces the load on the authorization server.

The output from the show uauth command displays the username that is provided to the authorization server for authentication and authorization purposes, the IP address to which the username is bound, and whether the user is authenticated only or has cached services.

Note When you enable Xauth, an entry is added to the uauth table (as shown by the show uauth command) for the IP address that is assigned to the client. However, when using Xauth with the Easy VPN Remote feature in Network Extension Mode, the IPSec tunnel is created from network to network, so that the users behind the firewall cannot be associated with a single IP address. For this reason, a uauth entry cannot be created upon completion of Xauth. If AAA authorization or accounting services are required, you can enable the AAA authentication proxy to authenticate users behind the firewall. For more information on AAA authentication proxies, see to the aaa commands.

Use the timeout uauth command to specify how long the cache should be kept after the user connections become idle. Use the clear uauth command to delete all the authorization caches for all the users, which will cause them to have to reauthenticate the next time that they create a connection.

Examples

This example shows sample output from the show uauth command when no users are authenticated and one user authentication is in progress: 

hostname(config)# show uauth     

                        Current    Most Seen

Authenticated Users       0          0

Authen In Progress        0          1

This example shows sample output from the show uauth command when three users are authenticated and authorized to use services through the adaptive security appliance: 

hostname(config)# show uauth

user `pat' from 209.165.201.2 authenticated

user `robin' from 209.165.201.4 authorized to:

                       port 192.168.67.34/telnet                        192.168.67.11/http                                    192.168.67.33/tcp/8001

                                                          192.168.67.56/tcp/25                              192.168.67.42/ftp

user `terry' from 209.165.201.7 authorized to:

                       port 192.168.1.50/http                                     209.165.201.8/http

Related Commands

Command
Description

clear uauth

Remove current user authentication and authorization information.

timeout

Set the maximum idle time duration.


show url-block

To display the number of packets held in the url-block buffer and the number (if any) dropped due to exceeding the buffer limit or retransmission, use the show url-block command in privileged EXEC mode.

show url-block [block statistics]

Syntax Description

block statistics

(Optional) Displays block buffer usage statistics.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The show url-block block statistics command displays the number of packets held in the url block buffer and the number (if any) dropped due to exceeding the buffer limit or retransmission.

Examples

The following is sample output from the show url-block command: 

hostname# show url-block

 | url-block url-mempool 128 | url-block url-size 4 | url-block block 128

This shows the configuration of the URL block buffer.

The following is sample output from the show url-block block statistics command: 

hostname# show url-block block statistics

URL Pending Packet Buffer Stats with max block  128 | 

Cumulative number of packets held: | 896

Maximum number of packets held (per URL): | 3

Current number of packets held (global): | 38

Packets dropped due to

 | exceeding url-block buffer limit: | 7546

 | HTTP server retransmission: | 10

Number of packets released back to client: | 0

Related Commands

Commands
Description

clear url-block block statistics

Clears the block buffer usage counters.

filter url

Directs traffic to a URL filtering server.

url-block

Manage the URL buffers used for web server responses.

url-cache

Enables URL caching while pending responses from an N2H2 or Websense server and sets the size of the cache.

url-server

Identifies an N2H2 or Websense server for use with the filter command.


show url-cache statistics

To display information about the url-cache, which is used for URL responses received from an N2H2 or Websense filtering server, use the show url-cache statistics command in privileged EXEC mode.

show url-cache statistics

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The show url-cache statistics command displays the following entries:

Size—The size of the cache in kilobytes, set with the url-cache size option.

Entries—The maximum number of cache entries based on the cache size.

In Use—The current number of entries in the cache.

Lookups—The number of times the adaptive security appliance has looked for a cache entry.

Hits—The number of times the adaptive security appliance has found an entry in the cache.

You can view additional information about N2H2 Sentian or Websense filtering activity with the show perfmon command.

Examples

The following is sample output from the show url-cache statistics command: 

hostname# show url-cache statistics

URL Filter Cache Stats

----------------------

 | Size :                               1KB

 Entries :                                   36

             In Use :                                   30

 Lookups :                                   300

 | Hits :                                   290

Related Commands

Commands
Description

clear url-cache statistics

Removes url-cache command statements from the configuration.

filter url

Directs traffic to a URL filtering server.

url-block

Manage the URL buffers used for web server responses.

url-cache

Enables URL caching for responses received from an N2H2 or Websense server and sets the size of the cache.

url-server

Identifies an N2H2 or Websense server for use with the filter command.


show url-server

To display information about the URL filtering server, use the show url-server command in privileged EXEC mode.

show url-server statistics

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The show url-server statistics command displays the URL server vendor; number of URLs total, allowed, and denied; number of HTTPS connections total, allowed, and denied; number of TCP connections total, allowed, and denied; and the URL server status.

The show url-server command displays the following information:

For N2H2, url-server (if_name) vendor n2h2 host local_ip port number timeout seconds protocol [{TCP | UDP}{version 1 | 4}]

For Websense, url-server (if_name) vendor websense host local_ip timeout seconds protocol [{TCP | UDP}]

Examples

The following is sample output from the show url-server statistics command: 

hostname## show url-server statistics

Global Statistics:

------------------

URLs total/allowed/denied         994387/155648/838739

URLs allowed by cache/server      70483/85165

URLs denied by cache/server       801920/36819

HTTPSs total/allowed/denied       994387/155648/838739

HTTPs allowed by cache/server     70483/85165

HTTPs denied by cache/server      801920/36819

FTPs total/allowed/denied         994387/155648/838739

FTPs allowed by cache/server      70483/85165

FTPs denied by cache/server       801920/36819

Requests dropped                  28715

Server timeouts/retries           567/1350

Processed rate average 60s/300s   1524/1344 requests/second

Denied rate average 60s/300s      35648/33022 requests/second

Dropped rate average 60s/300s     156/189 requests/second

URL Server Statistics:

----------------------

192.168.0.1                       UP

Vendor                          websense

Port                            17035

Requests total/allowed/denied   366519/255495/110457

Server timeouts/retries         567/1350

Responses received              365952

Response time average 60s/300s  2/1 seconds/request

192.168.0.2                       DOWN

Vendor                          websense

Port                            17035

Requests total/allowed/denied   0/0/0

Server timeouts/retries         0/0

Responses received              0

Response time average 60s/300s  0/0 seconds/request

. . .

URL Packets Sent and Received Stats:

------------------------------------

Message                 Sent    Received

STATUS_REQUEST          411     0

LOOKUP_REQUEST          366519  365952

LOG_REQUEST             0       NA

Errors:

-------

RFC noncompliant GET method     0

URL buffer update failure       0

Semantics:

This command allows the operator to display url-server statistics organized on a global 
and per-server basis.  The output is reformatted to provide: more-detailed information and 
per-server organization.

Supported Modes:

privileged

router || transparent

single || multi/context

Privilege:

ATTR_ES_CHECK_CONTEXT

Debug support:

N/A

Migration Strategy (if any):

N/A

Related Commands

Commands
Description

clear url-server

Clears the URL filtering server statistics.

filter url

Directs traffic to a URL filtering server.

url-block

Manage the URL buffers used for web server responses.

url-cache

Enables URL caching while pending responses from an N2H2 or Websense server and sets the size of the cache.

url-server

Identifies an N2H2 or Websense server for use with the filter command.


show version

To display the software version, hardware configuration, license key, and related uptime data, use the show version command in user EXEC mode.

show version

Syntax Description

This command has no arguments or keywords.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.

7.2(1)

In stateful failover mode, an additional line showing cluster uptime is displayed.


Usage Guidelines

The show version command allows you to display the software version, operating time since the last reboot, processor type, Flash partition type, interface boards, serial number (BIOS ID), activation key value, license type (R or UR), and time stamp for when the configuration was last modified.

The serial number listed with the show version command is for the Flash partition BIOS. This number is different from the serial number on the chassis. When you get a software upgrade, you will need the serial number that appears in the show version command, not the chassis number.

If you downgrade to an earlier release, your key for the current release might allow for more security contexts than the earlier release supports. When the value of the security contexts in the key exceeds the platform limit, the following message appears in the show activation-key output: 

The Running Activation Key feature: 50 security contexts exceeds the limit in the 
platform, reduce to 20 security contexts.

If you downgrade to an earlier release, your key for the current release might enable GTP/GPRS even though it is not allowed in the earlier release. When the key enables GTP/GPRS but the software version does not allow it, the following message appears in the show activation-key output: 

The Running Activation Key feature: GTP/GPRS is not allowed in the platform, disable 
GTP/GPRS.

The failover cluster uptime value indicates how long a failover set has been running. If one unit stops running, the uptime value continues to increase as long as the active unit continues to operate. Therefore, it is possible for the failover cluster uptime to be greater than the individual unit uptime. If you temporarily disable failover, and then reenable it, the failover cluster uptime reports the time the unit was up before failover was disabled plus the time the unit was up while failover was disabled.

Examples

The following example shows how to display the software version, hardware configuration, license key, and related uptime information. Note that in an environment where stateful failover is configured an additional line showing the failover cluster uptime is displayed. If failover is not configured, the line is not displayed: 

hostname# show version

Cisco Adaptive Security Appliance Software Version 8.0(0)

Device Manager Version 6.0(0)

Compiled on Mon 16-April-07 03:29 by root

System image file is "disk0:/cdisk.bin"

Config file at boot was "disk0:/main_backup.cfg"

hostname up 2 days 10 hours

failover cluster up 2 days 11 hours

Hardware:   ASA5520, 1024 MB RAM, CPU Pentium 4 Celeron 2000 MHz

BIOS Flash M50FW016 @ 0xffe00000, 2048KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

                             Boot microcode   : CN1000-MC-BOOT-2.00 

                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.01

                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04

 0: Ext: GigabitEthernet0/0  : address is 000b.fcf8.c44e, irq 9

 1: Ext: GigabitEthernet0/1  : address is 000b.fcf8.c44f, irq 9

 2: Ext: GigabitEthernet0/2  : address is 000b.fcf8.c450, irq 9

 3: Ext: GigabitEthernet0/3  : address is 000b.fcf8.c451, irq 9

 4: Ext: Management0/0       : address is 000b.fcf8.c44d, irq 11

 5: Int: Not used            : irq 11

 6: Int: Not used            : irq 5

Licensed features for this platform:

Maximum Physical Interfaces  : Unlimited 

Maximum VLANs                : 150       

Inside Hosts                 : Unlimited 

Failover                     : Active/Active

VPN-DES                      : Enabled   

VPN-3DES-AES                 : Enabled   

Security Contexts            : 10        

GTP/GPRS                     : Enabled   

VPN Peers                    : 750       

WebVPN Peers                 : 500       

Advanced Endpoint Assessment : Disabled  

This platform has an ASA 5520 VPN Plus license.

Serial Number: P3000000098

Running Activation Key: 0x7c2e394b 0x0c842e53 0x98f3edf0 0x8c1888b0 0x0336f1ac 

Configuration register is 0x1

Configuration last modified by enable_15 at 14:17:59.410 EST Wed April 16 2007 

hostname#

The following message appears if you enter the show version command after the eject command has been executed, but the device has not been physically removed: 

Slot 1: Compact Flash has been ejected!

It may be removed and a new device installed.

Related Commands

Command
Description

eject

Allows shutdown of external compact Flash device before physical removal from the security appliance.

show hardware

Displays detail hardware information.

show serial

Displays the hardware serial information.

show uptime

Displays how long the adaptive security appliance has been up.


show vlan

To display all VLANs configured on the adaptive security appliance, use the show vlan command in privileged EXEC mode.

show vlan

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.2(1)

This command was introduced.


Examples

The following example displays the configured VLANs: 

hostname# show vlan

10-11, 30, 40, 300

Related Commands

Command
Description

clear interface

Clears counters for the show interface command.

interface

Configures an interface and enters interface configuration mode.

show interface

Displays the runtime status and statistics of interfaces.


show vpn load-balancing

To display the runtime statistics for the VPN load-balancing virtual cluster configuration, use the show vpn-load-balancing command in global configuration, privileged EXEC, or VPN load-balancing mode.

show vpn load-balancing

Syntax Description

This command has no variables or arguments.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC

vpn load-balancing


Command History

Release
Modification

7.0(1)

This command was introduced.

7.1(1)

Added separate IPSec and SSL columns for both Load (%) display and Session display in the output example.


Usage Guidelines

The show vpn load-balancing command displays statistical information for the virtual VPN load-balancing cluster. If the local device is not participating in the VPN load-balancing cluster, this command indicates that VPN load balancing has not been configured for this device.

The asterisk (*) in the output indicates the IP address of the adaptive security appliance to which you are connected.

Examples

This example displays show vpn load-balancing command and its output for a situation in which the local device is participating in the VPN load-balancing cluster: 

hostname(config-load-balancing)# show vpn load-balancing

Status: enabled 
Role: Master 
Failover: n/a 
Encryption: enabled 
Cluster IP: 192.168.1.100 
Peers: 1 

												Load (%)					Sessions

Public IP 				 Role 		Pri 		Model 			   IPSec		  SSL 			  IPSec		  SSL 
---------------------------------------------------------------------------- 
* 192.168.1.40				 Master 		10 		PIX-515 				0 		0			0		0 
  192.168.1.110  Backup   5 							PIX-515 					0 		0			0		0 
hostname(config-load-balancing)#

If the local device is not participating in the VPN load-balancing cluster, the show vpn load-balancing command shows a different result: 

hostname(config)# show vpn load-balancing

VPN Load Balancing has not been configured.

Related Commands

Command
Description

clear configure vpn load-balancing

Removes vpn load-balancing command statements from the configuration.

show running-config vpn load-balancing

Displays the the current VPN load-balancing virtual cluster configuration.

vpn load-balancing

Enters vpn load-balancing mode.


show vpn-sessiondb

To display information about VPN sessions, use the show vpn-sessiondb command in privileged EXEC mode.The command includes options for displaying information in full or in detail, lets you specify type of sessions to display, and provides options to filter and sort the information. The syntax table and usage notes organize the choices accordingly.

show vpn-sessiondb [detail] [full] {remote | l2l | index indexnumber | webvpn | email-proxy | svc} [filter {name username | ipaddress IPaddr | a-ipaddress IPaddr | p-ipaddress IPaddr | tunnel-group groupname | protocol protocol-name | encryption encryption-algo | inactive}]
[sort {name | ipaddress | a-ipaddress | p-ip address | tunnel-group | protocol | encryption | inactivity}]

Syntax Description

detail

(Optional) Displays extended details about a session. For example, using the detail option for an IPSec session displays additional details such as the IKE hashing algorithm, authentication mode, and rekey interval.

If you choose detail, and the full option, the adaptive security appliance displays the detailed output in a machine-readable format.

filter filter_criteria

(Optional) Filters the output to display only the information you specify by using one or more of the filter options. For a list of filter_criteria options, see the "Usage Guidelines" section.

full

(Optional) Displays streamed, untruncated output. Output is delineated by | characters and a || string between records.

session_type

(Optional) To show data for a specific session type, enter one of the following keywords:

email-proxy—Displays email-proxy sessions.

index indexnumber—Displays a single session by index number. Specify the index number for the session, 1 - 750.

l2l—Displays VPN LAN-to-LAN session information.

ratio—Displays VPN Session protocol or encryption ratios.

remote—Displays IPsec remote access sessions.

summary—Displays the VPN session summary.

svc—Displays SSL VPN Client sessions.

vpn-lb—Displays VPN Load Balancing management sessions.

webvpn—Displays information about clientless SSL VPN sessions.

sort sort_criteria

(Optional) Sorts the output according to the sort option you specify. For a list of sort_criteria options, see the "Usage Guidelines" section.


s

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.2(1)

This command was introduced.

8.0(2)

Added VLAN field description.

8.0(5)

Added inactive as a filter option and inactivity as a sort option.

8.2(1)

License information was added to the output.


Usage Guidelines

You can use the following options to filter and to sort the session display:

Filter/Sort Option
Description

filter a-ipaddress IPaddr

Filters the output to display information for the specified assigned IP address or addresses only.

sort a-ipaddress

Sorts the display by assigned IP addresses.

filter encryption encryption-algo

Filters the output to display information for sessions using the specified encryption algorithm(s) only.

sort encryption

Sorts the display by encryption algorithm. Encryption algorithms include: aes128, aes192, aes256, des, 3des, rc4

filter inactive

Filters inactive sessions which have lost connectivity. Each session is time stamped with the SSL tunnel drop time. If the session is active, 00:00m:00s is displayed..

sort inactivity

Sorts inactive sessions.

filter ipaddress IPaddr

Filters the output to display information for the specified inside IP address or addresses only.

sort ipaddress

Sorts the display by inside IP addresses.

filter name username

sort name

Filters the output to display sessions for the specified username(s).

Sorts the display by usernames in alphabetical order.

filter p-address IPaddr

Filters the output to display information for the specified outside IP address only.

sort p-address

Sorts the display by the specified outside IP address or addresses.

filter protocol protocol-name

Filters the output to display information for sessions using the specified protocol(s) only.

sort protocol

Sorts the display by protocol. Protocols include: IKE, IMAP4S, IPSec, IPSecLAN2LAN, IPSecLAN2LANOverNatT, IPSecOverNatT, IPSecoverTCP, IPSecOverUDP, SMTPS, userHTTPS, vcaLAN2LAN

filter tunnel-group groupname

Filters the output to display information for the specified tunnel group(s) only.

sort tunnel-group

Sorts the display by tunnel group.

|

Modifies the output, using the following arguments: {begin | include | exclude | grep | [-v]} {reg_exp}


Examples

The following is sample output from the show vpn-sessiondb command: 

hostname# show vpn-sessiondb

Active Session Summary

Sessions:

                              Active : Cumulative : Peak Concurrent

  SSL VPN               :          0 :          0 :               0

    Clientless only     :          0 :          0 :               0

    With client         :          0 :          0 :               0

  Email Proxy           :          0 :          0 :               0

  IPsec LAN-to-LAN      :          0 :          0 :               0

  IPsec Remote Access   :          0 :          0 :               0

  VPN Load Balancing    :          0 :          0 :               0

  Totals                :          0 :          0

License Information:

  Multi-site VPN License Information:

    SSL VPN                    :    10000

      Allocated to this device :        0

      Allocated in network     :        0

      Device limit             :      250

  IPsec   :    250    Configured :    250    Active :      0    Load :   0%

  SSL VPN :     10    Configured :     10    Active :      0    Load :   0%

                            Active : Cumulative : Peak Concurrent

  IPsec               :          0 :          0 :               0

  SSL VPN             :          0 :          0 :               0

    AnyConnect Mobile :          0 :          0 :               0

    Linksys Phone     :          0 :          0 :               0

  Totals              :          0 :          0

Tunnels:

  No tunnels to display

Active NAC Sessions:

  No NAC sessions to display

Active VLAN Mapping Sessions:

  No VLAN Mapping sessions to display

The following is sample output from the show vpn-sessiondb detail l2l command, showing detailed information about LAN-to-LAN sessions: 

hostname# show vpn-sessiondb detail l2l

Session Type: LAN-to-LAN Detailed

Connection   : 172.16.0.1

Index        : 1                      IP Addr      : 172.16.0.1

Protocol     : IPSecLAN2LAN           Encryption   : AES256

Bytes Tx     : 48484156               Bytes Rx     : 875049248

Login Time   : 09:32:03 est Mon Aug 2 2004

Duration     : 6:16:26

Filter Name  :

IKE Sessions: 1 IPSec Sessions: 2

 

IKE:

  Session ID   : 1

  UDP Src Port : 500                    UDP Dst Port : 500

  IKE Neg Mode : Main                   Auth Mode    : preSharedKeys

  Encryption   : AES256                 Hashing      : SHA1

  Rekey Int (T): 86400 Seconds          Rekey Left(T): 63814 Seconds

  D/H Group    : 5

 

IPSec:

  Session ID   : 2

  Local Addr   : 10.0.0.0/255.255.255.0

  Remote Addr  : 209.165.201.30/255.255.255.0

  Encryption   : AES256                 Hashing      : SHA1

  Encapsulation: Tunnel                 PFS Group    : 5

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 10903 Seconds

  Bytes Tx     : 46865224               Bytes Rx     : 2639672

  Pkts Tx      : 1635314                Pkts Rx      : 37526

 

IPSec:

  Session ID   : 3

  Local Addr   : 10.0.0.1/255.255.255.0

  Remote Addr  : 209.165.201.30/255.255.255.0

  Encryption   : AES256                 Hashing      : SHA1

  Encapsulation: Tunnel                 PFS Group    : 5

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 6282 Seconds

  Bytes Tx     : 1619268                Bytes Rx     : 872409912

  Pkts Tx      : 19277                  Pkts Rx      : 1596809

hostname#

The following is sample output from the show vpn-sessiondb detail full index 4 command, showing the details of single session: 

AsaNacDev# show vpn-sessiondb detail full index 4

Session Type: Remote Detailed |

Index: 2 | EasyVPN: 0 | Username: uuuu | Group: DfltGrpPolicy | Tunnel Group: 
regr3000multigroup | IP Addr: 192.168.2.80 | Public IP: 10.44.173.216 | Protocol: 
IPSecOverUDP | Encryption: 3DES | Login Time: 12:51:54 EDT Wed Jun 21 2006 |Duration: 
0h:02m:44s | Bytes Tx: 2134 | Bytes Rx: 8535 | Client Type: WinNT | Client Ver: 4.0.5 
(Rel) | Filter Name:  | NAC Result: N/A | Posture Token: : | VM Result: Static | VLAN: 10 
||

IKE Sessions: 1

 | IPSecOverUDP Sessions: 1

 |

Type: IKE | Session ID: 1 | Authentication Mode: preSharedKeys | UDP Source Port: 500 | 
UDP Destination Port: 500 | IKE Negotiation Mode: Aggressive | Encryption: 3DES | Hashing: 
SHA1 | Diffie-Hellman Group: 2 | Rekey Time Interval: 40000 Seconds| Rekey Left(T): 39836 
Seconds ||

Type: IPSecOverUDP | Session ID: 2 | Local IP Addr: 0.0.0.0/0.0.0.0/0/0 | Remote IP Addr: 
192.168.2.80/255.255.255.255/0/0 | Encryption: 3DES | Hashing: SHA1 | Encapsulation: 
Tunnel | UDP Destination Port: 10000 | Rekey Time Interval: 28800 Seconds | Rekey Left(T): 
28636 Seconds | Idle Time Out: 30 Minutes | Idle TO Left: 30 Minutes | Bytes Tx: 2134 | 
Bytes Rx: 8535 | Packets Tx: 15 | Packets Rx: 2134 | ||

VLAN Mapping: VLAN: 10 |

AsaNacDev# show vpn-sessiondb detail index 1

Session Type: Remote Detailed

Username     : user1

Index        : 1

Assigned IP  : 192.168.2.70           Public IP    : 10.86.5.114

Protocol     : IPSec                  Encryption   : AES128

Hashing      : SHA1                   

Bytes Tx     : 0                      Bytes Rx     : 604533

Client Type  : WinNT                  Client Ver   : 4.6.00.0049

Tunnel Group : bxbvpnlab

Login Time   : 15:22:46 EDT Tue May 10 2005

Duration     : 7h:02m:03s

Filter Name  : 

NAC Result   : Accepted

Posture Token: Healthy

VM Result    : Static

VLAN         : 10

IKE Sessions: 1 IPSec Sessions: 1 NAC Sessions: 1

IKE:

  Session ID   : 1

  UDP Src Port : 500                    UDP Dst Port : 500

  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeysXauth

  Encryption   : 3DES                   Hashing      : MD5

  Rekey Int (T): 86400 Seconds          Rekey Left(T): 61078 Seconds

  D/H Group    : 2

IPSec:

  Session ID   : 2

  Local Addr   : 0.0.0.0

  Remote Addr  : 192.168.2.70

  Encryption   : AES128                 Hashing      : SHA1                   

  Encapsulation: Tunnel                 

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 26531 Seconds          

  Bytes Tx     : 0                      Bytes Rx     : 604533                 

  Pkts Tx      : 0                      Pkts Rx      : 8126                   

NAC:

  Reval Int (T): 3000 Seconds           Reval Left(T): 286 Seconds

  SQ Int (T)   : 600 Seconds            EoU Age (T)  : 2714 Seconds

  Hold Left (T): 0 Seconds              Posture Token: Healthy

  Redirect URL : www.cisco.com

As shown in the examples, the fields displayed in response to the show vpn-sessiondb command vary, depending on the keywords you enter. Table 29-15 explains these fields.

Table 29-15 show vpn-sessiondb Command Fields 

Field
Description

Auth Mode

Protocol or mode used to authenticate this session.

Bytes Rx

Total number of bytes received from the remote peer or client by the adaptive security appliance.

Bytes Tx

Number of bytes transmitted to the remote peer or client by the adaptive security appliance.

Client Type

Client software running on the remote peer, if available.

Client Ver

Version of the client software running on the remote peer.

Connection

Name of the connection or the private IP address.

D/H Group

Diffie-Hellman Group. The algorithm and key size used to generate IPSec SA encryption keys.

Duration

Elapsed time (HH:MM:SS) between the session login time and the last screen refresh.

EAPoUDP Session Age

Number of seconds since the last successful posture validation.

Encapsulation

Mode used to apply IPSec ESP (Encapsulation Security Payload protocol) encryption and authentication (that is, the part of the original IP packet that has ESP applied).

Encryption

Data encryption algorithm this session is using, if any.

Encryption

Data encryption algorithm this session is using.

EoU Age (T)

EAPoUDP Session Age. Number of seconds since the last successful posture validation.

Filter Name

Username specified to restrict the display of session information.

Hashing

Algorithm used to create a hash of the packet, which is used for IPSec data authentication.

Hold Left (T)

Hold-Off Time Remaining. 0 seconds if the last posture validation was successful. Otherwise, the number of seconds remaining before the next posture validation attempt.

Hold-Off Time Remaining

0 seconds if the last posture validation was successful. Otherwise, the number of seconds remaining before the next posture validation attempt.

IKE Neg Mode

IKE (IPSec Phase 1) mode for exchanging key information and setting up SAs: Aggressive or Main.

IKE Sessions

Number of IKE (IPSec Phase 1) sessions; usually 1. These sessions establish the tunnel for IPSec traffic.

Index

Unique identifier for this record.

IP Addr

Private IP address assigned to the remote client for this session. This is also known as the "inner" or "virtual" IP address. It lets the client appear to be a host on the private network.

IPSec Sessions

Number of IPSec (Phase 2) sessions, which are data traffic sessions through the tunnel. Each IPSec remote-access session can have two IPSec sessions: one consisting of the tunnel endpoints, and one consisting of the private networks reachable through the tunnel.

License Information

Shoes information about the shared SSL VPN license.

Local IP Addr

IP address assigned to the local endpoint of the tunnel (that is the interface on the adaptive security appliance).

Login Time

Date and time (MMM DD HH:MM:SS) that the session logged in. Time is displayed in 24-hour notation.

NAC Result

State of Network Admission Control Posture Validation. It can be one of the following:

Accepted—The ACS successfully validated the posture of the remote host.

Rejected—The ACS could not successfully validate the posture of the remote host.

Exempted—The remote host is exempt from posture validation according to the Posture Validation Exception list configured on the adaptive security appliance.

Non-Responsive—The remote host did not respond to the EAPoUDP Hello message.

Hold-off—The adaptive security appliance lost EAPoUDP communication with the remote host after successful posture validation.

N/A—NAC is disabled for the remote host according to the VPN NAC group policy.

Unknown—Posture validation is in progress.

NAC Sessions

Number of Network Admission Control (EAPoUDP) sessions.

Packets Rx

Number of packets received from the remote peer by the adaptive security appliance.

Packets Tx

Number of packets transmitted to the remote peer by the adaptive security appliance.

PFS Group

Perfect Forward Secrecy group number.

Posture Token

Informational text string configurable on the Access Control Server. The ACS downloads the posture token to the adaptive security appliance for informational purposes to aid in system monitoring, reporting, debugging, and logging. A typical posture token is Healthy, Checkup, Quarantine, Infected, or Unknown.

Protocol

Protocol the session is using.

Public IP

Publicly routable IP address assigned to the client.

Redirect URL

Following posture validation or clientless authentication, the ACS downloads the access policy for the session to the adaptive security appliance. The Redirect URL is an optional part of the access policy payload. The adaptive security appliance redirects all HTTP (port 80) and HTTPS (port 443) requests for the remote host to the Redirect URL if it is present. If the access policy does not contain a Redirect URL, the adaptive security appliance does not redirect HTTP and HTTPS requests from the remote host.

Redirect URLs remain in force until either the IPSec session ends or until posture revalidation, for which the ACS downloads a new access policy that can contain a different redirect URL or no redirect URL.

Rekey Int (T)

Lifetime of the IPSec (IKE) SA encryption keys.

Rekey Left (T)

Lifetime remaining of the IPSec (IKE) SA encryption keys.

Rekey Time Interval

Lifetime of the IPSec (IKE) SA encryption keys.

Remote IP Addr

IP address assigned to the remote endpoint of the tunnel (that is the interface on the remote peer).

Reval Int (T)

Revalidation Time Interval. Interval in seconds required between each successful posture validation.

Reval Left (T)

Time Until Next Revalidation. 0 if the last posture validation attempt was unsuccessful. Otherwise, the difference between the Revalidation Time Interval and the number of seconds since the last successful posture validation.

Revalidation Time Interval

Interval in seconds required between each successful posture validation.

Session ID

Identifier for the session component (subsession). Each SA has its own identifier.

Session Type

Type of session: LAN-to-LAN or Remote

SQ Int (T)

Status Query Time Interval. Time in seconds allowed between each successful posture validation or status query response and the next status query response. A status query is a request made by the adaptive security appliance to the remote host to indicate whether the host has experienced any changes in posture since the last posture validation.

Status Query Time Interval

Time in seconds allowed between each successful posture validation or status query response and the next status query response. A status query is a request made by the adaptive security appliance to the remote host to indicate whether the host has experienced any changes in posture since the last posture validation.

Time Until Next Revalidation

0 if the last posture validation attempt was unsuccessful. Otherwise, the difference between the Revalidation Time Interval and the number of seconds since the last successful posture validation.

Tunnel Group

Name of the tunnel group referenced by this tunnel for attribute values.

UDP Dst Port
or
UDP Destination Port

Port number used by the remote peer for UDP.

UDP Src Port
or
UDP Source Port

Port number used by the adaptive security appliance for UDP.

Username

User login name with which the session is established.

VLAN

Egress VLAN interface assigned to this session. The adaptive security appliance forwards all traffic to that VLAN. One of the following elements specifies the value:

Group policy

Inherited group policy


Related Commands

Command
Description

show running-configuration vpn-sessiondb

Displays the VPN session database running configuration.

show vpn-sessiondb ratio

Displays VPN session encryption or protocol ratios.

show vpn-sessiondb summary

Displays a summary of all VPN sessions.


show vpn-sessiondb ratio

To display the ratio of current sessions as a percentage by protocol or encryption algorithm, use the show vpn-sessiondb ratio command in privileged EXEC mode.

show vpn-sessiondb ratio {protocol | encryption} [filter groupname]

Syntax Description

encryption

Identifies the encryption protocols you want to display. Refers to phase 2 encryption. Encryption algorithms include:

 

aes128

aes192

aes256

des

3des

rc4

filter groupname

Filters the output to include session ratios only for the tunnel group you specify.

protocol

Identifies the protocols you want to display. Protocols include:

 

IKE

IMAP4S

IPSec

IPSecLAN2LAN

IPSecLAN2LANOverNatT

IPSecOverNatT

IPSecoverTCP

IPSecOverUDP

SMTPS

userHTTPS

vcaLAN2LAN


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was introduced.


Examples

The following is sample output for the show vpn-sessiondb ratio command, with encryption as the argument: 

hostname# show vpn-sessiondb ratio enc

Filter Group         : All

Total Active Sessions: 5

Cumulative Sessions  : 9

Encryption               Sessions       Percent        

none                     0               0%

DES                      1              20%

3DES                     0               0%

AES128                   4 									80%

AES192                   0               0%

AES256                   0               0%

The following is sample output for the show vpn-sessiondb ratio command with protocol as the argument: 

hostname# show vpn-sessiondb ratio protocol

Filter Group         : All

Total Active Sessions: 6

Cumulative Sessions  : 10

Protocol                 Sessions       Percent        

IKE                      0               0%

IPSec                    1              20%

IPSecLAN2LAN             0               0%

IPSecLAN2LANOverNatT     0               0%

IPSecOverNatT            0               0%

IPSecOverTCP             1 							20%

IPSecOverUDP             0               0%

L2TP                     0               0%

L2TPOverIPSec            0               0%

L2TPOverIPSecOverNatT    0               0%

PPPoE                    0               0%

vpnLoadBalanceMgmt       0               0%

userHTTPS                0               0%

IMAP4S                   3 					30%

POP3S                    0               0%

SMTPS                    3 							30%

Related Commandsshow vpn-sessiondb ratio

Command
Description

show vpn-sessiondb

Displays sessions with or without extended details, optionally filtered and sorted by criteria you specify.

show vpn-sessiondb summary

Displays a session summary, including total current session, current sessions of each type, peak and total cumulative, maximum concurrent sessions


show vpn-sessiondb summary

To display the number of IPSec, Cisco AnyConnect, and NAC sessions, use the show vpn-sessiondb summary command in privileged EXEC mode.

show vpn-sessiondb summary

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.0(5)

Added new output for active, cumulative, peak concurrent, and inactive.

8.0(2)

Added the VLAN Mapping Sessions table.

7.0(7)

This command was introduced.


Examples

The following is sample output for the show vpn-sessiondb summary command on an active device:

Note A device in standby does not differentiate active from inactive sessions. 

hostname# show vpn-sessiondb summary

Active Session Summary

Sessions:

                              Active : Cumulative : Peak Concurrent

					Active :	Cumulative :	Peak Concurrent :	Inactive :

  SSL VPN 			: 			0 :			1 :					1 : 
	Clientless only			 		0 :			1 :					1 : 
	With client					0 :			0 :					0 :			0 
Totals						0 :			1 

License Information:

	Shared VPN License Information:

		SSL VPN								: 12000

			Allocated to this device							:	 0

			Allocated to network							:	 0

			Device limit							: 750

IPsec		:	750 		Configured :	750				Active : 	0			Load : 	0%

SSL VPN		:	750		Configured :	750				Active :		 0		Load :	 0%

						Active : Cumulative : Peak Concurrent

SSL VPN 				:			0 :			1 :				1

Totals				:			0 :			1 :

Tunnels:

                    Active : Cumulative : Peak Concurrent

  Clientless  :          3 :        100 :               5

  SSL-Tunnel  :          2 :        156 :               5

  DTLS-Tunnel :          2 :        119 :               4

  Totals      :          7 :        375

Active NAC Sessions: 

  Accepted               : 0 

  Rejected               : 0 

  Exempted               : 0 

  Non-responsive         : 0 

Hold-off               : 0 

  N/A                    : 0 

Active VLAN Mapping Sessions: 

  Static                 : 0 

  Auth                   : 0 

  Access                 : 0 

  Guest                  : 0 

  Quarantine             : 0 

  N/A                    : 0 

F1-asa1#

A session is a VPN tunnel established with a specific peer. An IPSec LAN-to-LAN tunnel counts as one session, and it allows many host-to-host connections through the tunnel. An IPSec remote access session is one remote access tunnel that supports one user connection.

The Active SSL VPN With Client column shows the number of active connections passing data. The Cumulative SSL VPN With Client column shows the number of active sessions that have been established. It includes those that are inactive and increments only when a new session is added. The Peak Concurrent SSL VPN With Client column shows the peak number of concurrently active sessions that are passing data. The Inactive SSL VPN With Client column shows inactive sessions. These are AnyConnect sessions without an active SSL tunnel associated with them.

Table 29-16 explains the fields in the Active Sessions and Session Information tables.

Table 29-16 show vpn-sessiondb summary Command: Active Sessions and Session Information Fields

Field
Description

Concurrent Limit

Maximum number of concurrently active sessions permitted on this adaptive security appliance.

Cumulative Sessions

Number of sessions of all types since the adaptive security appliance was last booted or reset.

LAN-to-LAN

Number of IPSec LAN-to-LAN sessions that are currently active.

Peak Concurrent

Highest number of sessions of all types that were concurrently active since the adaptive security appliance was last booted or reset.

Percent Session Load

Percentage the vpn session allocation in use. This value equals the Total Active Sessions divided by the maximum number of sessions available, displayed as a percentage. The maximum number of sessions available can be either of the following:

Maximum number of IPSec and SSL VPN sessions licensed.

Maximum number of sessions configured using the following commands:

vpn-sessiondb max-session-limit

vpn-sessiondb max-webvpn-session-limit

Remote Access

Number of PPTP, L2TP, IPSec remote-access user, L2TP over IPSec, and IPSec through NAT sessions that are currently active.

Total Active Sessions

Number of sessions of all types that are currently active.


The Active NAC Sessions table shows general statistics about remote peers that are subject to posture validation.

The Cumulative NAC Sessions table shows general statistics about remote peers that are or have been subject to posture validation.

Table 29-15 explains the fields in the Active NAC Sessions and Total Cumulative NAC Sessions tables.

Table 29-17 show vpn-sessiondb summary Command: Active NAC Sessions and Total Cumulative NAC Sessions Fields 

Field
Description

Accepted

Number of peers that passed posture validation and have been granted an access policy by an Access Control Server.

Exempted

Number of peers that are not subject to posture validation because they match an entry in the Posture Validation Exception list configured on the adaptive security appliance.

Hold-off

Number of peers for which the adaptive security appliance lost EAPoUDP communications after a successful posture validation. The NAC Hold Timer attribute (Configuration > VPN > NAC) determines the delay between this type of event and the next posture validation attempt for each peer.

N/A

Number of peers for which NAC is disabled according to the VPN NAC group policy.

Non-responsive

Number of peers not responsive to Extensible Authentication Protocol (EAP) over UDP requests for posture validation. Peers on which no CTA is running do not respond to these requests. If the adaptive security appliance configuration supports clientless hosts, the Access Control Server downloads the access policy associated with clientless hosts to the adaptive security appliance for these peers. Otherwise, the adaptive security appliance assigns the NAC default policy.

Rejected

Number of peers that failed posture validation or were not granted an access policy by an Access Control Server.


The Active VLAN Mapping Sessions table shows general statistics about remote peers that are subject to posture validation.

The Cumulative VLAN Mapping Sessions table shows general statistics about remote peers that are or have been subject to posture validation.

Table 29-18 explains the fields in the Active VLAN Mapping Sessions and Cumulative VLAN Mapping Sessions tables.

Table 29-18 show vpn-sessiondb summary Command: Active VLAN Mapping Sessions and Cumulative Active VLAN Mapping Sessions Fields 

Field
Description

Access

Reserved for future use.

Auth

Reserved for future use.

Guest

Reserved for future use.

N/A

Reserved for future use.

Quarantine

Reserved for future use.

Static

This field shows the number of VPN sessions assigned to a pre-configured VLAN.


Related Commands Total Active Sessions : 7

Command
Description

show vpn-sessiondb

Displays sessions with or without extended details, optionally filtered and sorted by criteria you specify.

show vpn-sessiondb ratio

Displays VPN session encryption or protocol ratios.


show wccp

To display global statistics related to Web Cache Communication Protocol (WCCP), use the show wccp command in privileged EXEC mode.

show wccp {web-cache | service-number}[detail | view]

Syntax Description

web-cache

Specifies statistics for the web-cache service.

service-number

(Optional) Identification number of the web-cache service group being controlled by the cache. The number can be from 0 to 256. For web caches using Cisco Cache Engines, the reverse proxy service is indicated by a value of 99.

detail

(Optional) Displays information about the router and all web caches.

view

(Optional) Displays other members of a particular service group have or have not been detected.


Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.2(1)

This command was introduced.


Examples

The following example shows how to display WCCP information: 

hostname(config)# show wccp

Global WCCP information:

    Router information:

        Router Identifier:                   -not yet determined-

        Protocol Version:                    2.0

    Service Identifier: web-cache

        Number of Cache Engines:             0

        Number of routers:                   0

        Total Packets Redirected:            0

        Redirect access-list:                foo

        Total Connections Denied Redirect:   0

        Total Packets Unassigned:            0

        Group access-list:                   foobar

        Total Messages Denied to Group:      0

        Total Authentication failures:       0

        Total Bypassed Packets Received:     0

hostname(config)#

Related Commands

Commands
Description

wccp

Enables support of WCCP with service groups.

wccp redirect

Enables support of WCCP redirection.


show webvpn csd

To determine whether CSD is enabled and, if so, display the CSD version in the running configuration, or test a file to see if it is a valid CSD distribution package, use the show webvpn csd command in privileged EXEC mode.

show webvpn csd [image filename]

Syntax Description

filename

Specifies the name of a file to test for validity as a CSD distribution package. It must take the form securedesktop_asa_<n>_<n>*.pkg.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

privileged EXEC mode


Command History

Release
Modification

7.1(1)

This command was introduced.


Usage Guidelines

Use the show webvpn csd command to check the operational status of CSD. The CLI responds with one of the following messages when you enter this command:

hostname#

CSD is in the running configuration, but it is disabled. Go to webvpn configuration mode and enter the csd enable command to enable CSD.

hostname# n.n.n.n is currently installed and enabled.

CSD is enabled. The distribution package read from the flash device determines the version number. You can access Cisco Secure Desktop Manager through the ASDM Configuration > CSD menu path. CSD is accessible to users only if the CSD configuration contains a location.

Use the show webvpn csd image command to test a file to see if it is a valid CSD distribution package. Similarly, the csd image command, when entered in webvpn configuration mode, installs CSD only if the file you name in the command is a valid CSD distribution package. Otherwise, it displays an "ERROR: Unable to use CSD image" message.

The show webvpn csd image command tests a file to see if it is a valid CSD distribution package without installing CSD automatically if the file is valid. The CLI responds with one of the following messages when you enter this command:

0 SNMP packets input

Make sure the filename is in the form the form securedesktop_asa_<n>_<n>*.pkg. If it is, replace the file with a fresh one obtained from the following website:

http://www.cisco.com/cisco/software/navigator.html

Then reenter the show webvpn csd image command. If the image is valid, use the csd image and csd enable commands in webvpn configuration mode to install and enable CSD.

This is a valid Cisco Secure Desktop image:
Version : 3.1.0.25
Built on : Wed 10/19/2005 14:51:23.82

Note that the CLI provides both the version and date stamp if the file is valid.

Examples

The following example indicates CSD is installed in the running configuration and enabled: 

hostname# show webvpn csd

Secure Desktop version 3.1.0.25 is currently installed and enabled.

hostname#

The following example shows the file specified is a valid CSD image: 

hostname#show webvpn csd image securedesktop_asa_3_1_0_25.pkg

This is a valid Cisco Secure Desktop image:

  Version  : 3.1.0.25

  Built on : Wed 10/19/2005 14:51:23.82 

hostname#

Related Commands

Command
Description

csd enable

Enables CSD for management and remote user access.

csd image

Copies the CSD image named in the command, from the flash drive specified in the path to the running configuration.


show webvpn group-alias

To display the aliases for a specific tunnel-group or for all tunnel groups, use the group-alias command in privileged EXEC mode.

show webvpn group-alias [tunnel-group]

Syntax Description

tunnel-group

(Optional) Specifies a particular tunnel group for which to show the group aliases.


Defaults

If you do not enter a tunnel-group name, this command displays all the aliases for all the tunnel groups.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.1

This command was introduced.


Usage Guidelines

WebVPN must be running when you enter the show webvpn group-alias command.

Each tunnel group can have multiple aliases or no alias.

Examples

The following example shows the show webvpn group-alias command that displays the aliases for the tunnel group "devtest" and the output of that command: 

hostname# show webvpn group-alias devtest

QA

Fra-QA

Related Commands

Command
Description

group-alias

Specifies one or more URLs for the group.

tunnel-group webvpn-attributes

Enters the config-webvpn mode for configuring WebVPN tunnel-group attributes.


show webvpn group-url

To display the URLs for a specific tunnel-group or for all tunnel groups, use the group-url command in privileged EXEC mode.

show webvpn group-url [tunnel-group]

Syntax Description

tunnel-group

(Optional) Specifies a particular tunnel group for which to show the URLs.


Defaults

If you do not enter a tunnel-group name, this command displays all the URLs for all the tunnel groups.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.1(1)

This command was introduced.


Usage Guidelines

WebVPN must be running when you enter the show webvpn group-url command. Each group can have multiple URLs or no URL.

Examples

The following example shows the show webvpn group-url command that displays the URLs for the tunnel group "frn-eng1" and the output of that command: 

hostname# show webvpn group-url

http://www.cisco.com

https://fra1.vpn.com

https://fra2.vpn.com

Related Commands

Command
Description

group-url

Specifies one or more URLs for the group.

tunnel-group webvpn-attributes

Enters the config-webvpn mode for configuring WebVPN tunnel-group attributes.


show webvpn sso-server

To display the operating statistics for Webvpn single sign-on servers, use the show webvpn sso-server command in privileged EXEC mode.

show webvpn sso-server [name]

Syntax Description

Syntax DescriptionSyntax Description

name

Optionally specifies the name of the SSO server. The server name must be between four and 31 characters in length.


Defaults

No default values or behavior.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

config-webvpn-sso-saml

config-webvpn-sso-siteminder

Privileged EXEC


Command History

Release
Modification

7.1(1)

This command was introduced.


Usage Guidelines

Single sign-on support, available only for WebVPN, lets users access different secure services on different servers without entering a username and password more than once. The show webvpn sso-server command displays operating statistics for any and all SSO servers configured on the security device.

If no SSO server name argument is entered, statistics for all SSO servers display.

Examples

The following example, entered in privileged EXEC mode, displays statistics for a SiteMinder-type SSO server named example: 

hostname# show webvpn sso-server example

Name: example

Type: SiteMinder

Authentication Scheme Version: 1.0

Web Agent URL: http://www.example.com/webvpn

Number of pending requests:        0

Number of auth requests:           0

Number of retransmissions:         0

Number of accepts:                 0

Number of rejects:                 0

Number of timeouts:                0

Number of unrecognized responses:  0

hostname#

The following example of the command issued without a specific SSO server name, displays statistics 
for all configured SSO servers on the adaptive security appliance:

hostname#(config-webvpn)# show webvpn sso-server

Name: high-security-server

Type: SAML-v1.1-POST

Assertion Consumer URL: 

Issuer:                 

Number of pending requests:        0

Number of auth requests:           0

Number of retransmissions:         0

Number of accepts:                 0

Number of rejects:                 0

Number of timeouts:                0

Number of unrecognized responses:  0

Name: my-server

Type: SAML-v1.1-POST

Assertion Consumer URL: 

Issuer:                 

Number of pending requests:        0

Number of auth requests:           0

Number of retransmissions:         0

Number of accepts:                 0

Number of rejects:                 0

Number of timeouts:                0

Number of unrecognized responses:  0

Name: server

Type: SiteMinder

Authentication Scheme Version: 1.0

Web Agent URL: 

Number of pending requests:        0

Number of auth requests:           0

Number of retransmissions:         0

Number of accepts:                 0

Number of rejects:                 0

Number of timeouts:                0

Number of unrecognized responses:  0

asa1(config-webvpn)#

Related Commands

Command
Description

max-retry-attempts

Configures the number of times the adaptive security appliance retries a failed SSO authentication attempt.

policy-server-secret

Creates a secret key used to encrypt authentication requests to a SiteMinder-type SSO server.

request-timeout

Specifies the number of seconds before a failed SSO authentication attempt times out.

sso-server

Creates a single sign-on server.

web-agent-url

Specifies the SSO server URL to which the adaptive security appliance makes SiteMinder SSO authentication requests.


show webvpn svc

To view information about SSL VPN client images installed on the adaptive security appliance and loaded in cache memory, or to test a file to see if it is a valid client image, use the show webvpn svc command from privileged EXEC mode.

show webvpn svc [image filename]

Syntax Description

image filename

Specifies the name of a file to test as an SSL VPN client image file.


Defaults

This command has no default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.1(1)

This command was introduced.


Usage Guidelines

Use the show webvpn svc command to view information about SSL VPN client images that are loaded in cache memory and available for download to remote PCs. Use the image filename keyword and argument to test a file to see if it is a valid image. If the file is not a valid image, the following message appears: 

ERROR: This is not a valid SSL VPN Client image file.

Examples

The following example shows the output of the show webvpn svc command for currently installed images: 

hostname# show webvpn svc

1. windows.pkg 1

SSL VPN Client

CISCO STC win2k+ 1.1.0

1,1,0,107

Thu 04/14/2005 09:27:54.43

2. window2.pkg 2

CISCO STC win2k+ 1.1.0

1,1,0,107

Thu 04/14/2005 09:27:54.43

The following example shows the output of the show webvpn svc image filename command for a valid image: 

F1(config-webvpn)# show webvpn svc image sslclient-win-1.0.2.127.pkg

This is a valid SSL VPN Client image:

  CISCO STC win2k+ 1.0.0

  1,0,2,127

  Fri 07/22/2005 12:14:45.43

Related Commands

Command
Description

svc enable

Enables the adaptive security appliance to download the SSL VPN client to remote PCs.

svc image

Causes the security appliance to load SSL VPN client files from flash memory to cache memory, and specifies the order in which the security appliance downloads portions of the client image to the remote PC as it attempts to match the client image with the operating system.

vpn-tunnel-protocol

Enables specific VPN tunnel protocols for remote VPN users, including SSL used by an SSL VPN client.


show xlate

To display information about the translation slots, use the show xlate command in privileged EXEC mode.

show xlate [global ip1[-ip2] [netmask mask]] [local ip1[-ip2] [netmask mask]]
[gport port1[-port2]] [lport port1[-port2]] [interface if_name] [state state] [debug] [detail]

show xlate count

Syntax Description

count

Displays the translation count.

debug

(Optional) Displays xlate debug information.

detail

(Optional) Displays detail xlate information.

global ip1[-ip2]

(Optional) Displays the active translations by global IP address or range of addresses.

gport port1[-port2]

Displays the active translations by the global port or range of ports.

interface if_name

(Optional) Displays the active translations by interface.

local ip1[-ip2]

(Optional) Displays the active translations by local IP address or range of addresses.

lport port1[-port2]

Displays the active translations by local port or range of ports.

netmask mask

(Optional) Specifies the network mask to qualify the global or local IP addresses.

state state

(Optional) Displays the active translations by state. You can enter one or more of the following states:

static—specifies static translations.

portmap—specifies PAT global translations.

norandomseq—specifies a nat or static translation with the norondomseq setting.

identity—specifies nat 0 identity address translations.

When specifying more than one state, separate the states with a space.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The show xlate command displays the contents of the translation slots. The show xlate detail command displays the following information:

{ICMP|TCP|UDP} PAT from interface:real-address/real-port to interface:mapped-address/mapped-port flags translation-flags

NAT from interface:real-address/real-port to interface:mapped-address/mapped-port flags translation-flags

The translation flags are defined in Table 29-19.

Table 29-19 Translation Flags

Flag
Description

s

Static translation slot

d

Dump translation slot on next cleaning cycle

r

Port map translation (Port Address Translation)

n

No randomization of TCP sequence number

i

Inside address translation

D

DNS A RR rewrite

I

Identity translation from nat 0


Note When the vpnclient configuration is enabled and the inside host is sending out DNS requests, the show xlate command may list multiple xlates for a static translation.

Examples

The following is sample output from the show xlate command. It shows how translation slot information with three active PATs. 

hostname# show xlate

3 in use, 3 most used

PAT Global 192.150.49.1(0) Local 10.1.1.15 ICMP id 340

PAT Global 192.150.49.1(1024) Local 10.1.1.15(1028)

PAT Global 192.150.49.1(1024) Local 10.1.1.15(516)

The following is sample output from the show xlate detail command.It shows the translation type and interface information with three active PATs.

The first entry is a TCP PAT for host port (10.1.1.15, 1025) on the inside network to host-port (192.150.49.1, 1024) on the outside network. The r flag indicates that the translation is a PAT. The i flag indicates that the translation applies to the inside address port.

The second entry is a UDP PAT for host port (10.1.1.15, 1028) on the inside network to host port (192.150.49.1, 1024) on the outside network. The r flag indicates that the translation is a PAT. The i flag indicates that the translation applies to the inside address port.

The third entry is an ICMP PAT for host-ICMP-id (10.1.1.15, 21505) on the inside network to host-ICMP-id (192.150.49.1, 0) on the outside network. The r flag indicates that the translation is a PAT. The i flag indicates that the translation applies to the inside address ICMP ID.

The inside address fields appear as source addresses on packets traversing from the more secure interface to the less secure interface. They appear as destination addresses on packets traversing from the less secure interface to the more secure interface. 

hostname# show xlate detail

3 in use, 3 most used

Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,

       r - portmap, s - static

TCP PAT from inside:10.1.1.15/1026 to outside:192.150.49.1/1024 flags ri

UDP PAT from inside:10.1.1.15/1028 to outside:192.150.49.1/1024 flags ri

ICMP PAT from inside:10.1.1.15/21505 to outside:192.150.49.1/0 flags ri

The following is sample output from the show xlate command. It shows two static translations. The first translation has one associated connection (called "nconns"), and the second translation has four associated connections. 

hostname# show xlate

Global 209.165.201.10 Local 209.165.201.10 static nconns 1 econns 0 

Global 209.165.201.30 Local 209.165.201.30 static nconns 4 econns 0

Related Commands

Command
Description

clear xlate

Clears current translation and connection information.

show conn

Displays all active connections.

show local-host

Displays the local host network information.

show uauth

Displays the currently authenticated users.