-
Cisco ASA Series Command Reference
-
About this Guide
-
Using the Command Line Interface
- A through B Commands
-
C Commands
-
cache -- clear compression
-
clear configure -- clear configure http
-
clear configure flow-export-- clear configure zonelabs-integrity
-
clear conn -- clear isakmp sa
-
clear local-host -- clear xlate
-
client-access-rule -- crl-configure
-
crypto ca authenticate -- crypto ipsec ikev1 transform-set mode transport
-
crypto isakmp disconnect-notify -- cxsc auth-proxy port
-
-
D through F Commands
-
database path -- debug cxsc
-
debug dap -- debug http-map
-
debug icmp -- debug ospfv3
-
debug parser cache -- debug xml
-
default -- dhcp-server
-
dhcpd address -- distribute-list out
-
dns domain-lookup -- dynamic-filter whitelist
-
eigrp log-neighbor-changes -- export webvpn webcontent
-
failover -- fallback
-
file-bookmarks -- functions
-
- G through I Commands
- J through L Commands
- M through O Commands
- P through R Commands
-
S Commands
-
same-security-traffic -- shape
-
show aaa kerberos -- show asdm sessions
-
show asp cluster counter -- show asp table vpn-context
-
show blocks -- show cpu
-
show crashinfo -- show curpriv
-
show ddns update interface -- show environment
-
show failover -- show ipsec stats traffic
-
show ipv6 access-list -- show ipv6
-
show isakmp ipsec-over-tcp stats -- show ospf virtual-links
-
show nac-policy -- show ospf virtual-links
-
show pager -- show route
-
show running-config -- show running-config ctl-provider
-
show running-config ddns -- show running-config isakmp
-
show running-config ipv6 router -- show running-config router
-
show running-config same-security-traffic -- show running-config xlate
-
show scansafe -- show switch vlan
-
show tcpstat -- show traffic
-
show uauth -- show xlate
-
shun -- snmp-server user
-
software-version -- storage-objects
-
subject-name -- sysopt radius ignore-secret
-
- T through Z Commands
-
Cisco IOS Commands for the ASASM
-
Feedback
Table Of Contents
show tcpstat through show traffic Commands
show threat-detection scanning-threat
show threat-detection statistics host
show threat-detection statistics port
show threat-detection statistics protocol
show threat-detection statistics top
show tcpstat through show traffic Commands
show tcpstat
To display the status of the ASA TCP stack and the TCP connections that are terminated on the ASA (for debugging), use the show tcpstat command in privileged EXEC mode. This command supports IPv4 and IPv6 addresses.
show tcpstat
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
The show tcpstat command allows you to display the status of the TCP stack and TCP connections that are terminated on the ASA. The TCP statistics displayed are described in Table 28.
Examples
This example shows how to display the status of the TCP stack on the ASA:
hostname# show tcpstatCURRENT MAX TOTALtcb_cnt 2 12 320proxy_cnt 0 0 160tcp_xmt pkts = 540591tcp_rcv good pkts = 6583tcp_rcv drop pkts = 2tcp bad chksum = 0tcp user hash add = 2028tcp user hash add dup = 0tcp user srch hash hit = 316753tcp user srch hash miss = 6663tcp user hash delete = 2027tcp user hash delete miss = 0lip = 172.23.59.230 fip = 10.21.96.254 lp = 443 fp = 2567 st = 4 rexqlen = 0in0tw_timer = 0 to_timer = 179000 cl_timer = 0 per_timer = 0rt_timer = 0tries 0Related Commands
show tech-support
To display the information that is used for diagnosis by technical support analysts, use the show tech-support command in privileged EXEC mode.
show tech-support [detail | file | no-config]
Syntax Description
detail
(Optional) Lists detailed information.
file
(Optional) Writes the output of the command to a file.
no-config
(Optional) Excludes the output of the running configuration.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
The show tech-support command lets you list information that technical support analysts need to help you diagnose problems. This command combines the output from the show commands that provide the most information to a technical support analyst.
Examples
The following example shows how to display information that is used for technical support analysis. The output was shortened to begin with output from the show module command.
hostname# show tech-support | beg show module------------------ show module ------------------Mod Card Type Model Serial No.--- -------------------------------------------- ------------------ -----------0 ASA 5585-X Security Services Processor-10 wi ASA5585-SSP-10 JAD1626056JMod MAC Address Range Hw Version Fw Version Sw Version--- --------------------------------- ------------ ------------ ---------------0 a493.4c43.0d68 to a493.4c43.0d73 2.0 2.0(13)0 100.8(0)229Mod SSP Application Name Status SSP Application Version--- ------------------------------ ---------------- --------------------------Mod Status Data Plane Status Compatibility--- ------------------ --------------------- -------------0 Up Sys Not Applicable------------------ show environment ------------------Cooling Fans:-----------------------------------Power Supplies:--------------------------------Left Slot (PS0): 6900 RPM - OK (Power Supply Fan)Right Slot (PS1): 7200 RPM - OK (Fan Module Fan)Power Supplies:-----------------------------------Power Supply Unit Redundancy: N/ATemperature:--------------------------------Left Slot (PS0): 30 C - OK (Power Supply Temperature)Right Slot (PS1): 31 C - OK (Fan Module Temperature)Cooling Fans:--------------------------------Left Slot (PS0): 6900 RPM - OK (Power Supply Fan)Right Slot (PS1): 7100 RPM - OK (Fan Module Fan)Temperature:-----------------------------------Processors:--------------------------------Processor 1: 47.0 C - OK (CPU1 Core Temperature)Chassis:--------------------------------Ambient 1: 31.5 C - OK (Chassis Front Temperature)Ambient 2: 37.5 C - OK (Chassis Back Temperature)Ambient 3: 31.25 C - OK (CPU1 Front Temperature)Ambient 4: 32.0 C - OK (CPU1 Back Temperature)IO Hub:--------------------------------Circuit Die: 49.0 C - OK (Circuit Die Temperature)Power Supplies:--------------------------------Left Slot (PS0): 30 C - OK (Power Supply Temperature)Right Slot (PS1): 31 C - OK (Fan Module Temperature)Voltage:-----------------------------------Channel 1: 3.325 V - (3.3V (U142 VX1))Channel 2: 1.496 V - (1.5V (U142 VX2))Channel 3: 1.048 V - (1.05V (U142 VX3))Channel 4: 3.337 V - (3.3V_STDBY (U142 VP1))Channel 5: 11.665 V - (12V (U142 VP2))Channel 6: 4.950 V - (5.0V (U142 VP3))Channel 7: 6.853 V - (7.0V (U142 VP4))Channel 8: 9.616 V - (IBV (U142 VH))Channel 9: 1.046 V - (1.05VB (U209 VX2))Channel 10: 1.213 V - (1.2V (U209 VX3))Channel 11: 1.110 V - (1.1V (U209 VX4))Channel 12: 1.006 V - (1.0V (U209 VX5))Channel 13: 3.335 V - (3.3V STDBY (U209 VP1))Channel 14: 2.499 V - (2.5V (U209 VP2))Channel 15: 1.803 V - (1.8V (U209 VP3))Channel 16: 1.894 V - (1.9V (U209 VP4))Channel 17: 9.611 V - (IBV (U209 VH))Channel 18: 2.048 V - (VTT CPU0 (U83 VX2))Channel 19: 0.000 V - (VTT CPU1 (U83 VX3))Channel 20: 2.048 V - (VCC CPU0 (U83 VX4))Channel 21: 1.772 V - (VCC CPU1 (U83 VX5))Channel 22: 1.516 V - (1.5VA (U83 VP1))Channel 23: 0.000 V - (1.5VB (U83 VP2))Channel 24: 8.937 V - (IBV (U83 VH))------------------ show memory ------------------Free memory: 4927975152 bytes (76%)Used memory: 1514475792 bytes (24%)------------- ------------------Total memory: 6442450944 bytes (100%)------------------ show conn count ------------------0 in use, 0 most used------------------ show xlate count ------------------0 in use, 0 most used------------------ show vpn-sessiondb summary ------------------No sessions to display.------------------ show blocks ------------------SIZE MAX LOW CNT0 1450 1450 14504 100 99 9980 1000 1000 1000------------------ show memory detail ------------------Free memory: 276580360 bytes (52%)Used memory:Allocated memory in use: 67352568 bytes (13%)Reserved memory: 192937984 bytes (36%)----------------------------- ------------------Total memory: 536870912 bytes (100%)Least free memory: 276397760 bytes (51%)Most used memory: 260473152 bytes (49%)MEMPOOL_DMA POOL STATS:Non-mmapped bytes allocated = 40779776Number of free chunks = 66Number of mmapped regions = 0Mmapped bytes allocated = 0Max memory footprint = 40779776Keepcost = 10852432Max contiguous free mem = 10852432Allocated memory in use = 29908112Free memory = 10871664----- fragmented memory statistics -----fragment size count total(bytes) (bytes)---------------- ---------- --------------48 1 48**256 64 1894410852432 1 10852432** - top most releasable chunk.** - contiguous memory on top of heap.----- allocated memory statistics -----fragment size count total(bytes) (bytes)---------------- ---------- --------------112 1 112232 1 232248 1 248256 1 2561024 64 655362048 3 61448192 1 819216384 3 4915224576 2 4915232768 3 9830449152 1 4915265536 3 19660898304 3 294912131072 1 131072196608 3 589824262144 2 524288393216 1 393216786432 1 7864321048576 2 20971521572864 1 15728642097152 2 41943043145728 1 314572812582912 1 12582912MEMPOOL_GLOBAL_SHARED POOL STATS:Non-mmapped bytes allocated = 343932928Number of free chunks = 119Number of mmapped regions = 0Mmapped bytes allocated = 0Max memory footprint = 343932928Keepcost = 276525880Max contiguous free mem = 276525880Allocated memory in use = 67352568Free memory = 276580360----- fragmented memory statistics -----fragment size count total(bytes) (bytes)---------------- ---------- --------------16 37 59224 37 88832 21 67240 18 72048 1 48**56 1 56184 1 1842048 1 304832768 1 33616276525880 1 276525880** - top most releasable chunk.** - contiguous memory on top of heap.----- allocated memory statistics -----fragment size count total(bytes) (bytes)---------------- ---------- --------------48 544 2611256 2438 13652864 6806 43558472 524 3772880 1071 8568088 242 2129696 240 23040104 2258 234832112 66 7392120 157 18840128 162 20736136 8 1088144 11 1584152 457 69464160 387 61920168 151 25368176 204 35904184 391 71944192 20 3840208 112 23296216 1 216224 27 6048232 12 2784240 44 10560248 41 10168256 321 82176384 451 173184512 253 129536768 86 660481024 97 993281536 35 537602048 367 7516163072 84 2580484096 51 2088966144 13 798728192 35 28672012288 34 41779216384 127 208076824576 16 39321632768 35 114688049152 10 49152065536 126 825753698304 4 393216131072 21 2752512196608 7 1376256262144 7 1835008393216 2 786432524288 14 7340032786432 1 7864321048576 2 20971521572864 1 15728642097152 1 20971523145728 1 31457284194304 1 41943048388608 2 16777216Summary for all pools:Non-mmapped bytes allocated = 384712704Number of free chunks = 185Number of mmapped regions = 0Mmapped bytes allocated = 0Max memory footprint = 384712704Keepcost = 287378312Allocated memory in use = 97260680Free memory = 287452024------------------ show memory top-usage ------------------MEMPOOL_DMA pool binsize allocated byte totals:----- allocated memory statistics -----fragment size count total(bytes) (bytes)---------------- ---------- --------------12582912 1 125829122097152 2 41943043145728 1 31457281048576 2 20971521572864 1 1572864786432 1 786432196608 3 589824262144 2 524288393216 1 39321698304 3 294912----- Binsize PC top usage -----Binsize: 12582912 total (bytes): 12582912pc = 0x805ada0, size = 12960071 , count = 1Binsize: 2097152 total (bytes): 4194304pc = 0x805ada0, size = 5758350 , count = 2Binsize: 3145728 total (bytes): 3145728pc = 0x987071c, size = 3178567 , count = 1Binsize: 1048576 total (bytes): 2097152pc = 0x805ada0, size = 2309774 , count = 2Binsize: 1572864 total (bytes): 1572864pc = 0x805ada0, size = 1740871 , count = 1Binsize: 786432 total (bytes): 786432pc = 0x805ada0, size = 915271 , count = 1Binsize: 196608 total (bytes): 589824pc = 0x805ada0, size = 484622 , count = 2pc = 0x80567f1, size = 259271 , count = 1Binsize: 262144 total (bytes): 524288pc = 0x805ada0, size = 352071 , count = 1pc = 0x80567f1, size = 310471 , count = 1Binsize: 393216 total (bytes): 393216pc = 0x805ada0, size = 505671 , count = 1Binsize: 98304 total (bytes): 294912pc = 0x805ada0, size = 129671 , count = 1pc = 0x80567f1, size = 227342 , count = 2MEMPOOL_GLOBAL_SHARED pool binsize allocated byte totals:----- allocated memory statistics -----fragment size count total(bytes) (bytes)---------------- ---------- --------------8388608 2 1677721665536 126 8257536524288 14 73400324194304 1 41943043145728 1 3145728131072 21 27525121048576 2 20971522097152 1 209715216384 127 2080768262144 7 1835008----- Binsize PC top usage -----Binsize: 8388608 total (bytes): 16777216pc = 0x825b333, size = 16777216 , count = 2Binsize: 65536 total (bytes): 8257536pc = 0x916e48d, size = 7531232 , count = 107pc = 0x982de33, size = 263056 , count = 4pc = 0x982db72, size = 324956 , count = 4pc = 0x82d9092, size = 65536 , count = 1pc = 0x819b8f9, size = 77824 , count = 1pc = 0x819b65e, size = 77824 , count = 1pc = 0x9334871, size = 65536 , count = 1pc = 0x8a01e5a, size = 65536 , count = 1pc = 0x8a109f0, size = 65536 , count = 1pc = 0x9162fb0, size = 163968 , count = 2pc = 0x8f13da8, size = 66048 , count = 1pc = 0x8056c11, size = 66528 , count = 1pc = 0x8056bf5, size = 66528 , count = 1Binsize: 524288 total (bytes): 7340032pc = 0x8a9f8eb, size = 643264 , count = 1pc = 0x982db72, size = 5325112 , count = 8pc = 0x807bcb4, size = 524312 , count = 1pc = 0x821944f, size = 1282600 , count = 2pc = 0x9187575, size = 524312 , count = 1pc = 0x8056a14, size = 524352 , count = 1Binsize: 4194304 total (bytes): 4194304pc = 0x8cc1f27, size = 5242924 , count = 1Binsize: 3145728 total (bytes): 3145728pc = 0x821944f, size = 3698788 , count = 1Binsize: 131072 total (bytes): 2752512pc = 0x9137bc4, size = 163904 , count = 1pc = 0x806e421, size = 393216 , count = 3pc = 0x8f3f649, size = 154136 , count = 1pc = 0x911894b, size = 131072 , count = 1pc = 0x89f3fd0, size = 141212 , count = 1pc = 0x982de33, size = 593580 , count = 4pc = 0x8167e2b, size = 160864 , count = 1pc = 0x982db72, size = 983250 , count = 6pc = 0x9162fb0, size = 327808 , count = 2pc = 0x806e024, size = 184800 , count = 1Binsize: 1048576 total (bytes): 2097152pc = 0x982de33, size = 1081507 , count = 1pc = 0x821944f, size = 1120100 , count = 1Binsize: 2097152 total (bytes): 2097152pc = 0x8aa1252, size = 2097152 , count = 1Binsize: 16384 total (bytes): 2080768pc = 0x806e421, size = 1474560 , count = 90pc = 0x982de33, size = 135545 , count = 7pc = 0x9173a77, size = 36928 , count = 2pc = 0x88a6fec, size = 163840 , count = 10pc = 0x8f3f649, size = 24160 , count = 1pc = 0x982db72, size = 96195 , count = 5pc = 0x8a765c0, size = 17408 , count = 1pc = 0x92cb71b, size = 17388 , count = 1pc = 0x982dbee, size = 119925 , count = 7pc = 0x879defa, size = 19456 , count = 1pc = 0x8ebd433, size = 16432 , count = 1pc = 0x8ebd415, size = 16432 , count = 1Binsize: 262144 total (bytes): 1835008pc = 0x982db72, size = 1573315 , count = 5pc = 0x982de33, size = 580878 , count = 2------------------ show vlan ------------------64, 66, 70-72, 80-82, 142, 151, 950-951, 960-961Related Commands
show threat-detection memory
To show the memory used by advanced threat detection statistics, which are enabled by the threat-detection statistics command, use the show threat-detection memory command in privileged EXEC mode.
show threat-detection memory
Syntax Description
This command has no arguments or keywords.
Command Default
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
—
Command History
Usage Guidelines
Some statistics can use a lot of memory and can affect ASA performance. This command lets you monitor memory usage so you can adjust your configuration if necessary.
Examples
The following is sample output from the show threat-detection memory command:
hostname# show threat-detection memoryCached chunks:CACHE TYPE BYTES USEDTD Host 70245888TD Port 2724TD Protocol 1476TD ACE 728TD Shared counters 14256=============================Subtotal TD Chunks 70265072Regular memory BYTES USEDTD Port 33824TD Control block 162064=============================Subtotal Regular Memory 195888Total TD memory: 70460960Related Commands
show threat-detection rate
When you enable basic threat detection using the threat-detection basic-threat command, you can view statistics using the show threat-detection rate command in privileged EXEC mode.
show threat-detection rate [min-display-rate min_display_rate] [acl-drop | bad-packet-drop | conn-limit-drop | dos-drop | fw-drop | icmp-drop | inspect-drop | interface-drop | scanning-threat | syn-attack]
Syntax Description
Defaults
If you do not specify an event type, all events are shown.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
—
Command History
Usage Guidelines
The display output shows the following:
•
•
•
•
The ASA computes the event counts 30 times over the average rate interval; in other words, the ASA checks the rate at the end of each burst period, for a total of 30 completed burst intervals. The unfinshed burst interval presently occurring is not included in the average rate. For example, if the average rate interval is 10 minutes, then the burst interval is 10 seconds. If the last burst interval was from 3:00:00 to 3:00:10, and you use the show command at 3:00:15, then the last 5 seconds are not included in the output.
The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the ASA calculates the total events as the last 59 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.
Examples
The following is sample output from the show threat-detection rate command:
hostname# show threat-detection rateAverage(eps) Current(eps) Trigger Total events10-min ACL drop: 0 0 0 161-hour ACL drop: 0 0 0 1121-hour SYN attck: 5 0 2 2143810-min Scanning: 0 0 29 1931-hour Scanning: 106 0 10 3847761-hour Bad pkts: 76 0 2 27469010-min Firewall: 0 0 3 221-hour Firewall: 76 0 2 27484410-min DoS attck: 0 0 0 61-hour DoS attck: 0 0 0 4210-min Interface: 0 0 0 2041-hour Interface: 88 0 0 318225Related Commands
show threat-detection scanning-threat
If you enable scanning threat detection with the threat-detection scanning-threat command, then view the hosts that are categorized as attackers and targets using the show threat-detection scanning-threat command in privileged EXEC mode.
show threat-detection scanning-threat [attacker | target]
Syntax Description
attacker
(Optional) Shows attacking host IP addresses.
target
(Optional) Shows targeted host IP addresses.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
—
Command History
Examples
The following is sample output from the show threat-detection scanning-threat command:
hostname# show threat-detection scanning-threatLatest Target Host & Subnet List:192.168.1.0192.168.1.249Latest Attacker Host & Subnet List:192.168.10.234192.168.10.0192.168.10.2192.168.10.3192.168.10.4192.168.10.5192.168.10.6192.168.10.7192.168.10.8192.168.10.9Related Commands
show threat-detection shun
If you enable scanning threat detection with the threat-detection scanning-threat command, and you automatically shun attacking hosts, then view the currently shunned hosts using the show threat-detection shun command in privileged EXEC mode.
show threat-detection shun
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
—
Command History
8.0(2)
This command was introduced.
8.2(2)
For threat events, the severity level was changed from a warning to a notification. Threat events can be triggered every five minutes.
Usage Guidelines
To release a host from being shunned, use the clear threat-detection shun command.
Examples
The following is sample output from the show threat-detection shun command:
hostname# show threat-detection shunShunned Host List:10.1.1.6198.1.6.7Related Commands
show threat-detection statistics host
After you enable threat statistics with the threat-detection statistics host command, view host statistics using the show threat-detection statistics host command in privileged EXEC mode. Threat detection statistics show both allowed and dropped traffic rates.
show threat-detection statistics [min-display-rate min_display_rate] host [ip_address [mask]]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
—
Command History
Usage Guidelines
The display output shows the following:
•
•
•
•
The ASA computes the event counts 30 times over the average rate interval; in other words, the ASA checks the rate at the end of each burst period, for a total of 30 completed burst intervals. The unfinished burst interval presently occurring is not included in the average rate. For example, if the average rate interval is 20 minutes, then the burst interval is 20 seconds. If the last burst interval was from 3:00:00 to 3:00:20, and you use the show command at 3:00:25, then the last 5 seconds are not included in the output.
The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the ASA calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.
Examples
The following is sample output from the show threat-detection statistics host command:
hostname# show threat-detection statistics hostAverage(eps) Current(eps) Trigger Total eventsHost:10.0.0.1: tot-ses:289235 act-ses:22571 fw-drop:0 insp-drop:0 null-ses:21438 bad-acc:01-hour Sent byte: 2938 0 0 105803088-hour Sent byte: 367 0 0 1058030824-hour Sent byte: 122 0 0 105803081-hour Sent pkts: 28 0 0 1040438-hour Sent pkts: 3 0 0 10404324-hour Sent pkts: 1 0 0 10404320-min Sent drop: 9 0 1 108511-hour Sent drop: 3 0 1 108511-hour Recv byte: 2697 0 0 97126708-hour Recv byte: 337 0 0 971267024-hour Recv byte: 112 0 0 97126701-hour Recv pkts: 29 0 0 1048468-hour Recv pkts: 3 0 0 10484624-hour Recv pkts: 1 0 0 10484620-min Recv drop: 42 0 3 505671-hour Recv drop: 14 0 1 50567Host:10.0.0.0: tot-ses:1 act-ses:0 fw-drop:0 insp-drop:0 null-ses:0 bad-acc:01-hour Sent byte: 0 0 0 6148-hour Sent byte: 0 0 0 61424-hour Sent byte: 0 0 0 6141-hour Sent pkts: 0 0 0 68-hour Sent pkts: 0 0 0 624-hour Sent pkts: 0 0 0 620-min Sent drop: 0 0 0 41-hour Sent drop: 0 0 0 41-hour Recv byte: 0 0 0 7068-hour Recv byte: 0 0 0 70624-hour Recv byte: 0 0 0 7061-hour Recv pkts: 0 0 0 7Table 59-2 shows each field description.
Related Commands
show threat-detection statistics port
After you enable threat statistics with the threat-detection statistics port command, view TCP and UDP port statistics using the show threat-detection statistics port command in privileged EXEC mode. Threat detection statistics show both allowed and dropped traffic rates.
show threat-detection statistics [min-display-rate min_display_rate] port [start_port[-end_port]]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
—
Command History
Usage Guidelines
The display output shows the following:
•
•
•
•
The ASA computes the event counts 30 times over the average rate interval; in other words, the ASA checks the rate at the end of each burst period, for a total of 30 completed burst intervals. The unfinished burst interval presently occurring is not included in the average rate. For example, if the average rate interval is 20 minutes, then the burst interval is 20 seconds. If the last burst interval was from 3:00:00 to 3:00:20, and you use the show command at 3:00:25, then the last 5 seconds are not included in the output.
The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the ASA calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.
Examples
The following is sample output from the show threat-detection statistics port command:
hostname# show threat-detection statistics portAverage(eps) Current(eps) Trigger Total events80/HTTP: tot-ses:310971 act-ses:225711-hour Sent byte: 2939 0 0 105809228-hour Sent byte: 367 22043 0 1058092224-hour Sent byte: 122 7347 0 105809221-hour Sent pkts: 28 0 0 1040498-hour Sent pkts: 3 216 0 10404924-hour Sent pkts: 1 72 0 10404920-min Sent drop: 9 0 2 108551-hour Sent drop: 3 0 2 108551-hour Recv byte: 2698 0 0 97133768-hour Recv byte: 337 20236 0 971337624-hour Recv byte: 112 6745 0 97133761-hour Recv pkts: 29 0 0 1048538-hour Recv pkts: 3 218 0 10485324-hour Recv pkts: 1 72 0 10485320-min Recv drop: 24 0 2 291341-hour Recv drop: 8 0 2 29134Table 59-2 shows each field description.
Related Commands
show threat-detection statistics protocol
After you enable threat statistics with the threat-detection statistics protocol command, view IP protocol statistics using the show threat-detection statistics protocol command in privileged EXEC mode. Threat detection statistics show both allowed and dropped traffic rates.
show threat-detection statistics [min-display-rate min_display_rate] protocol [protocol_number | protocol_name]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
—
Command History
Usage Guidelines
The display output shows the following:
•
•
•
•
The ASA computes the event counts 30 times over the average rate interval; in other words, the ASA checks the rate at the end of each burst period, for a total of 30 completed burst intervals. The unfinished burst interval presently occurring is not included in the average rate. For example, if the average rate interval is 20 minutes, then the burst interval is 20 seconds. If the last burst interval was from 3:00:00 to 3:00:20, and you use the show command at 3:00:25, then the last 5 seconds are not included in the output.
The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the ASA calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.
Examples
The following is sample output from the show threat-detection statistics protocol command:
hostname# show threat-detection statistics protocolAverage(eps) Current(eps) Trigger Total eventsICMP: tot-ses:0 act-ses:01-hour Sent byte: 0 0 0 10008-hour Sent byte: 0 2 0 100024-hour Sent byte: 0 0 0 10001-hour Sent pkts: 0 0 0 108-hour Sent pkts: 0 0 0 1024-hour Sent pkts: 0 0 0 10Table 59-2 shows each field description.
Related Commands
show threat-detection statistics top
After you enable threat statistics with the threat-detection statistics command, view the top 10 statistics using the show threat-detection statistics top command in privileged EXEC mode. If you did not enable the threat detection statistics for a particular type, then you cannot view those statistics with this command. Threat detection statistics show both allowed and dropped traffic rates.
show threat-detection statistics [min-display-rate min_display_rate] top [[access-list | host | port-protocol] [rate-1 | rate-2 | rate-3] | tcp-intercept [all] [detail] [long]]
Syntax Description
Defaults
If you do not specify an event type, all events are shown.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
—
Command History
Usage Guidelines
The display output shows the following:
•
•
•
•
The ASA computes the event counts 30 times over the average rate interval; in other words, the ASA checks the rate at the end of each burst period, for a total of 30 completed burst intervals. The unfinished burst interval presently occurring is not included in the average rate. For example, if the average rate interval is 20 minutes, then the burst interval is 20 seconds. If the last burst interval was from 3:00:00 to 3:00:20, and you use the show command at 3:00:25, then the last 5 seconds are not included in the output.
The only exception to this rule is if the number of events in the unfinished burst interval already exceeds the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case, the ASA calculates the total events as the last 29 complete intervals, plus the events so far in the unfinished burst interval. This exception lets you monitor a large increase in events in real time.
Examples
The following is sample output from the show threat-detection statistics top access-list command:
hostname# show threat-detection statistics top access-listTop Average(eps) Current(eps) Trigger Total events1-hour ACL hits:100/3[0] 173 0 0 623488200/2[1] 43 0 0 156786100/1[2] 43 0 0 1567868-hour ACL hits:100/3[0] 21 1298 0 623488200/2[1] 5 326 0 156786100/1[2] 5 326 0 156786Table 59-2 shows each field description.
The following is sample output from the show threat-detection statistics top access-list rate-1 command:
hostname# show threat-detection statistics top access-list rate-1Top Average(eps) Current(eps) Trigger Total events1-hour ACL hits:100/3[0] 173 0 0 623488200/2[1] 43 0 0 156786100/1[2] 43 0 0 156786The following is sample output from the show threat-detection statistics top port-protocol command:
hostname# show threat-detection statistics top port-protocolTop Name Id Average(eps) Current(eps) Trigger Total events1-hour Recv byte:1 gopher 70 71 0 0 323456782 btp-clnt/dhcp 68 68 0 0 273456783 gopher 69 65 0 0 243456784 Protocol-96 * 96 63 0 0 223456785 Port-7314 7314 62 0 0 128456786 BitTorrent/trc 6969 61 0 0 126456787 Port-8191-65535 55 0 0 123456788 SMTP 366 34 0 0 33456789 IPinIP * 4 30 0 0 234567810 EIGRP * 88 23 0 0 13456781-hour Recv pkts:......8-hour Recv byte:......8-hour Recv pkts:......24-hour Recv byte:......24-hour Recv pkts:......Note: Id preceded by * denotes the Id is an IP protocol typeTable 59-6 shows each field description.
Table 59-6 show threat-detection statistics top port-protocol Fields
Top
Shows the ranking of the port or protocol within the time period/type of statistic, from [0] (highest count) to [9] (lowest count). You might not have enough statistics for all 10 positions, so less then 10 ports/protocols might be listed.
Name
Shows the port/protocol name.
Id
Shows the port/protocol ID number. The asterisk (*) means the ID is an IP protocol number.
Average(eps)
See the description in Table 59-2.
Current(eps)
See the description in Table 59-2.
Trigger
Shows the number of times the dropped packet rate limits were exceeded. For valid traffic identified in the sent and received bytes and packets rows, this value is always 0, because there are no rate limits to trigger for valid traffic.
Total events
See the description in Table 59-2.
Time_interval Sent byte
Shows the number of successful bytes sent from the listed ports and protocols for each time period.
Time_interval Sent packet
Shows the number of successful packets sent from the listed ports and protocols for each time period.
Time_interval Sent drop
Shows the number of packets sent for each time period from the listed ports and protocols that were dropped because they were part of a scanning attack.
Time_interval Recv byte
Shows the number of successful bytes received by the listed ports and protocols for each time period.
Time_interval Recv packet
Shows the number of successful packets received by the listed ports and protocols for each time period.
Time_interval Recv drop
Shows the number of packets received for each time period by the listed ports and protocols that were dropped because they were part of a scanning attack.
port_number/
port_nameShows the port number and name where the packet or byte was sent, received, or droppped.
protocol_number/
protocol_nameShows the protocol number and name where the packet or byte was sent, received, or droppped.
The following is sample output from the show threat-detection statistics top host command:
hostname# show threat-detection statistics top hostTop Average(eps) Current(eps) Trigger Total events1-hour Sent byte:10.0.0.1[0] 2938 0 0 105803081-hour Sent pkts:10.0.0.1[0] 28 0 0 10404320-min Sent drop:10.0.0.1[0] 9 0 1 108511-hour Recv byte:10.0.0.1[0] 2697 0 0 97126701-hour Recv pkts:10.0.0.1[0] 29 0 0 10484620-min Recv drop:10.0.0.1[0] 42 0 3 505678-hour Sent byte:10.0.0.1[0] 367 0 0 105803088-hour Sent pkts:10.0.0.1[0] 3 0 0 1040431-hour Sent drop:10.0.0.1[0] 3 0 1 108518-hour Recv byte:10.0.0.1[0] 337 0 0 97126708-hour Recv pkts:10.0.0.1[0] 3 0 0 1048461-hour Recv drop:10.0.0.1[0] 14 0 1 5056724-hour Sent byte:10.0.0.1[0] 122 0 0 1058030824-hour Sent pkts:10.0.0.1[0] 1 0 0 10404324-hour Recv byte:10.0.0.1[0] 112 0 0 971267024-hour Recv pkts:10.0.0.1[0] 1 0 0 104846Table 59-7 shows each field description.
Table 59-7 show threat-detection statistics top host Fields
Top
Shows the ranking of the host within the time period/type of statistic, from [0] (highest count) to [9] (lowest count). You might not have enough statistics for all 10 positions, so less then 10 hosts might be listed.
Average(eps)
See the description in Table 59-2.
Current(eps)
See the description in Table 59-2.
Trigger
See the description in Table 59-2.
Total events
See the description in Table 59-2.
Time_interval Sent byte
Shows the number of successful bytes sent to the listed hosts for each time period.
Time_interval Sent packet
Shows the number of successful packets sent to the listed hosts for each time period.
Time_interval Sent drop
Shows the number of packets sent for each time period to the listed hosts that were dropped because they were part of a scanning attack.
Time_interval Recv byte
Shows the number of successful bytes received by the listed hosts for each time period.
Time_interval Recv packet
Shows the number of successful packets received by the listed ports and protocols for each time period.
Time_interval Recv drop
Shows the number of packets received for each time period by the listed ports and protocols that were dropped because they were part of a scanning attack.
host_ip_address
Shows the host IP address where the packet or byte was sent, received, or droppped.
The following is sample output from the show threat-detection statistics top tcp-intercept command:
hostname# show threat-detection statistics top tcp-interceptTop 10 protected servers under attack (sorted by average rate)Monitoring window size: 30 mins Sampling interval: 30 secs<Rank> <Server IP:Port> <Interface> <Ave Rate> <Cur Rate> <Total> <Source IP (Last Attack Time)>----------------------------------------------------------------------------------1 192.168.1.2:5000 inside 1249 9503 2249245 <various> Last: 10.0.0.3 (0 secs ago)2 192.168.1.3:5000 inside 10 10 6080 10.0.0.200 (0 secs ago)3 192.168.1.4:5000 inside 2 6 560 10.0.0.200 (59 secs ago)4 192.168.1.5:5000 inside 1 5 560 10.0.0.200 (59 secs ago)5 192.168.1.6:5000 inside 1 4 560 10.0.0.200 (59 secs ago)6 192.168.1.7:5000 inside 0 3 560 10.0.0.200 (59 secs ago)7 192.168.1.8:5000 inside 0 2 560 10.0.0.200 (59 secs ago)8 192.168.1.9:5000 inside 0 1 560 10.0.0.200 (59 secs ago)9 192.168.1.10:5000 inside 0 0 550 10.0.0.200 (2 mins ago)10 192.168.1.11:5000 inside 0 0 550 10.0.0.200 (5 mins ago)Table 59-8 shows each field description.
The following is sample output from the show threat-detection statistics top tcp-intercept long command with the real source IP address in parentheses:
hostname# show threat-detection statistics top tcp-intercept longTop 10 protected servers under attack (sorted by average rate)Monitoring window size: 30 mins Sampling interval: 30 secs<Rank> <Server IP:Port (Real IP:Real Port)> <Interface> <Ave Rate> <Cur Rate> <Total> <Source IP (Last Attack Time)>--------------------------------------------------------------------------------1 10.1.0.2:6025 (209.165.200.227:6025) inside 18 709 33911 10.0.0.201 (0 secs ago)2 10.1.0.2:6026 (209.165.200.227:6026) inside 18 709 33911 10.0.0.201 (0 secs ago)3 10.1.0.2:6027 (209.165.200.227:6027) inside 18 709 33911 10.0.0.201 (0 secs ago)4 10.1.0.2:6028 (209.165.200.227:6028) inside 18 709 33911 10.0.0.201 (0 secs ago)5 10.1.0.2:6029 (209.165.200.227:6029) inside 18 709 33911 10.0.0.201 (0 secs ago)6 10.1.0.2:6030 (209.165.200.227:6030) inside 18 709 33911 10.0.0.201 (0 secs ago)7 10.1.0.2:6031 (209.165.200.227:6031) inside 18 709 33911 10.0.0.201 (0 secs ago)8 10.1.0.2:6032 (209.165.200.227:6032) inside 18 709 33911 10.0.0.201 (0 secs ago)9 10.1.0.2:6033 (209.165.200.227:6033) inside 18 709 33911 10.0.0.201 (0 secs ago)10 10.1.0.2:6034 (209.165.200.227:6034) inside 18 709 33911 10.0.0.201 (0 secs ago)The following is sample output from the show threat-detection statistics top tcp-intercept detail command:
hostname# show threat-detection statistics top tcp-intercept detailTop 10 Protected Servers under Attack (sorted by average rate)Monitoring Window Size: 30 mins Sampling Interval: 30 secs<Rank> <Server IP:Port> <Interface> <Ave Rate> <Cur Rate> <Total> <Source IP (Last Attack Time)>----------------------------------------------------------------------------------1 192.168.1.2:5000 inside 1877 9502 3379276 <various> Last: 10.0.0.45 (0 secs ago)Sampling History (30 Samplings):95348 95337 95341 95339 95338 9534295337 95348 95342 95338 95339 9534095339 95337 95342 95348 95338 9534295337 95339 95340 95339 95347 9534395337 95338 95342 95338 95337 9534295348 95338 95342 95338 95337 9534395337 95349 95341 95338 95337 9534295338 95339 95338 95350 95339 9557096351 96351 96119 95337 95349 9534195338 95337 95342 95338 95338 95342......Table 59-9 shows each field description.
Related Commands
show tls-proxy
To display TLS proxy and session information, use the show tls-proxy command in global configuration mode.
show tls-proxy tls_name [session [host host_addr | detail [cert-dump | count] [statistics]]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC mode
·
·
·
·
·
Command History
Examples
The following is sample output from the show tls-proxy command:
hostname# show tls-proxyTLS-Proxy `proxy': ref_cnt 1, seq#1Server proxy:Trust-point: local_ccmClient proxy:Local dynamic certificate issuer: ldc_signerLocal dynamic certificate key-pair: phone_commonCipher-suite <unconfigured>Run-time proxies:Proxy 0x448b468: Class-map: skinny_ssl, Inspect: skinnyActive sess 1, most sess 4, byte 3244The following is sample output from the show tls-proxy session command:
hostname# show tls-proxy sessionoutside 133.9.0.211:51291 inside 195.168.2.200:2443 P:0x4491a60(proxy)S:0x482e790 byte 3388The following is sample output from the show tls-proxy session detail command:
hostname# show tls-proxy session detail1 in use, 1 most usedoutside 133.9.0.211:50433 inside 195.168.2.200:2443 P:0xcba60b60(proxy) S:0xcbc10748 byte 1831704Client: State SSLOK Cipher AES128-SHA Ch 0xca55efc8 TxQSize 0 LastTxLeft 0 Flags 0x1Server: State SSLOK Cipher AES128-SHA Ch 0xca55efa8 TxQSize 0 LastTxLeft 0 Flags 0x9Local Dynamic CertificateStatus: AvailableCertificate Serial Number: 29Certificate Usage: General PurposePublic Key Type: RSA (1024 bits)Issuer Name:cn=TLS-Proxy-SignerSubject Name:cn=SEP0002B9EB0AADo=Cisco Systems Incc=USValidity Date:start date: 00:47:12 PDT Feb 27 2007end date: 00:47:12 PDT Feb 27 2008Associated Trustpoints:The following is sample output from the show tls-proxy session statistics command:
hostname# show tls-proxy session stasticsTLS Proxy Sessions (Established: 600)Mobility: 200UC-IME: 400Per-Session Licensed TLS Proxy Sessions(Established: 222, License Limit: 250)SIP: 2SCCP: 20Phone Proxy: 200Total TLS Proxy SessionsEstablished: 822Platform Limit: 1000Related Commands
show track
To display information about object tracked by the tracking process, use the show track command in user EXEC mode.
show track [track-id]
Syntax Description
Defaults
If the track-id is not provided, then information about all tracking objects is displayed.
Command Modes
The following table shows the modes in which you can enter the command:
User EXEC
•
—
•
—
—
Command History
Examples
The following is sample output from the show track command:
hostname(config)# show trackTrack 5Response Time Reporter 124 reachabilityReachability is UP2 changes, last change 03:41:16Latest operation return code: OKTracked by:STATIC-IP-ROUTING 0Related Commands
show running-config track
Displays the track rtr commands in the running configuration.
track rtr
Creates a tracking entry to poll the SLA.
show traffic
To display interface transmit and receive activity, use the show traffic command in privileged EXEC mode.
show traffic
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
The show traffic command lists the number of packets and bytes moving through each interface since the last show traffic command was entered or since the ASA came online. The number of seconds is the duration the ASA has been online since the last reboot, unless the clear traffic command was entered since the last reboot. If this is the case, then the number of seconds is the duration since that command was entered.
For the ASA 5550, the show traffic command also shows the aggregated throughput per slot. Because the ASA 5550 requires traffic to be evenly distributed across slots for maximum throughput, this output helps you determine if the traffic is distributed evenly.
Examples
The following is sample output from the show traffic command:
hostname# show trafficoutside: received (in 102.080 secs): 2048 packets 204295 bytes 20 pkts/sec 2001 bytes/sec transmitted (in 102.080 secs): 2048 packets 204056 bytes 20 pkts/sec 1998 bytes/sec Ethernet0: received (in 102.080 secs): 2049 packets 233027 bytes 20 pkts/sec 2282 bytes/sec transmitted (in 102.080 secs): 2048 packets 232750 bytes 20 pkts/sec 2280 bytes/secFor the ASA 5550, the following text is displayed at the end:
----------------------------------------Per Slot Throughput Profile----------------------------------------Packets-per-second profile:Slot 0: 3148 50%|****************Slot 1: 3149 50%|****************Bytes-per-second profile:Slot 0: 427044 50%|****************Slot 1: 427094 50%|****************Related Commands