Cisco ASA Series Command Reference - show uauth -- show xlate [Cisco ASA 5500-X Series Next-Generation Firewalls]

Table Of Contents

show uauth through show xlate Commands

show uauth

show url-block

show url-cache statistics

show url-server

show user-identity ad-agent

show user-identity ad-group-members

show user-identity ad-groups

show user-identity ad-users

show user-identity group

show user-identity ip-of-user

show user-identity memory

show user-identity statistics

show user-identity statistics top user

show user-identity user active

show user-identity user all

show user-identity user inactive

show user-identity user-not-found

show user-identity user-of-group

show user-identity user-of-ip

show version

show vlan

show vpn load-balancing

show vpn-sessiondb

show vpn-sessiondb license-summary

show vpn-sessiondb ratio

show vpn-sessiondb summary

show wccp

show webvpn csd

show webvpn group-alias

show webvpn group-url

show webvpn kcd

show webvpn sso-server

show webvpn anyconnect

show xlate

show uauth through show xlate Commands

show uauth

To display one or all currently authenticated users, the host IP to which they are bound, and any cached IP and port authorization information, use the show uauth command in privileged EXEC mode.

show uauth [username]
Syntax Description

username

(Optional) Specifies, by username, the user authentication and authorization information to display.

Defaults

Omitting username displays the authorization information for all users.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

•

•

—

—

•

Command History

Release

Modification

7.0(1)

This command was introduced.

7.2(1)

The idle time was added to the output.

7.2(2)

The idle time was removed from the output.

Usage Guidelines

The show uauth command displays the AAA authorization and authentication caches for one user or for all users.

This command is used with the timeout command.

Each user host IP address has an authorization cache attached to it. The cache allows up to 16 address and service pairs for each user host. If the user attempts to access a service that has been cached from the correct host, the ASA considers it preauthorized and immediately proxies the connection. Once you are authorized to access a website, for example, the authorization server is not contacted for each image as it is loaded (assuming the images come from the same IP address). This process significantly increases performance and reduces the load on the authorization server.

The output from the show uauth command displays the username that is provided to the authorization server for authentication and authorization purposes, the IP address to which the username is bound, and if the user is authenticated only or has cached services.

Note When you enable Xauth, an entry is added to the uauth table (as shown by the show uauth command) for the IP address that is assigned to the client. However, when using Xauth with the Easy VPN Remote feature in Network Extension Mode, the IPsec tunnel is created from network to network, so that the users behind the firewall cannot be associated with a single IP address. For this reason, a uauth entry cannot be created upon completion of Xauth. If AAA authorization or accounting services are required, you can enable the AAA authentication proxy to authenticate users behind the firewall. For more information on AAA authentication proxies, see to the aaa commands.

Use the timeout uauth command to specify how long the cache should be kept after the user connections become idle. Use the clear uauth command to delete all the authorization caches for all the users, which will cause them to have to reauthenticate the next time that they create a connection.

Examples

This example shows sample output from the show uauth command when no users are authenticated and one user authentication is in progress:
hostname(config)# show uauth     
                        Current    Most Seen
Authenticated Users	       1	            1
Authen In Progress 	       0	            1
user 'v039294' at 136.131.178.4, authenticated (idle for 0:00:00)
   access-list #ACSACL#-IP-v039294-521b0b8b (*)
   absolute   timeout: 0:00:00
   inactivity timeout: 0:05:00
This example shows sample output from the show uauth command when three users are authenticated and authorized to use services through the ASA:
hostname(config)# show uauth
user `pat' from 209.165.201.2 authenticated
user `robin' from 209.165.201.4 authorized to:
                       port 192.168.67.34/telnet                        192.168.67.11/http                                    192.168.67.33/tcp/8001
                                                          192.168.67.56/tcp/25                              192.168.67.42/ftp
user `terry' from 209.165.201.7 authorized to:
                       port 192.168.1.50/http                                     209.165.201.8/http
Related Commands

Command

Description

clear uauth

Remove current user authentication and authorization information.

timeout

Set the maximum idle time duration.

show url-block

To display the number of packets held in the url-block buffer and the number (if any) dropped due to exceeding the buffer limit or retransmission, use the show url-block command in privileged EXEC mode.

show url-block [block statistics]
Syntax Description

block statistics

(Optional) Displays block buffer usage statistics.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

•

•

•

•

•

Command History

Release

Modification

7.0(1)

This command was introduced.

Usage Guidelines

The show url-block block statistics command displays the number of packets held in the url block buffer and the number (if any) dropped due to exceeding the buffer limit or retransmission.

Examples

The following is sample output from the show url-block command:
hostname# show url-block
 | url-block url-mempool 128 | url-block url-size 4 | url-block block 128 
This shows the configuration of the URL block buffer.

The following is sample output from the show url-block block statistics command:
hostname# show url-block block statistics
URL Pending Packet Buffer Stats with max block  128 | 
Cumulative number of packets held: | 896
Maximum number of packets held (per URL): | 3
Current number of packets held (global): | 38
Packets dropped due to
 | exceeding url-block buffer limit: | 7546
 | HTTP server retransmission: | 10
Number of packets released back to client: | 0
Related Commands

Commands

Description

clear url-block block statistics

Clears the block buffer usage counters.

filter url

Directs traffic to a URL filtering server.

url-block

Manage the URL buffers used for web server responses.

url-cache

Enables URL caching while pending responses from an N2H2 or Websense server and sets the size of the cache.

url-server

Identifies an N2H2 or Websense server for use with the filter command.

show url-cache statistics

To display information about the url-cache, which is used for URL responses received from an N2H2 or Websense filtering server, use the show url-cache statistics command in privileged EXEC mode.

show url-cache statistics
Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

•

•

•

•

•

Command History

Release

Modification

7.0(1)

This command was introduced.

Usage Guidelines

The show url-cache statistics command displays the following entries:

•Size—The size of the cache in kilobytes, set with the url-cache size option.

•Entries—The maximum number of cache entries based on the cache size.

•In Use—The current number of entries in the cache.

•Lookups—The number of times the ASA has looked for a cache entry.

•Hits—The number of times the ASA has found an entry in the cache.

You can view additional information about N2H2 Sentian or Websense filtering activity with the show perfmon command.

Examples

The following is sample output from the show url-cache statistics command:
hostname# show url-cache statistics
URL Filter Cache Stats
----------------------
 | Size :                               1KB
 Entries :                                   36
             In Use :                                   30
 Lookups :                                   300
 | Hits :                                   290
Related Commands

Commands

Description

clear url-cache statistics

Removes url-cache command statements from the configuration.

filter url

Directs traffic to a URL filtering server.

url-block

Manage the URL buffers used for web server responses.

url-cache

Enables URL caching for responses received from an N2H2 or Websense server and sets the size of the cache.

url-server

Identifies an N2H2 or Websense server for use with the filter command.

show url-server

To display information about the URL filtering server, use the show url-server command in privileged EXEC mode.

show url-server statistics
Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

•

•

•

•

•

Command History

Release

Modification

7.0(1)

This command was introduced.

Usage Guidelines

The show url-server statistics command displays the URL server vendor; number of URLs total, allowed, and denied; number of HTTPS connections total, allowed, and denied; number of TCP connections total, allowed, and denied; and the URL server status.

The show url-server command displays the following information:

•For N2H2, url-server (if_name) vendor n2h2 host local_ip port number timeout seconds protocol [{TCP | UDP}{version 1 | 4}]

•For Websense, url-server (if_name) vendor websense host local_ip timeout seconds protocol [{TCP | UDP}]

Examples

The following is sample output from the show url-server statistics command:
hostname## show url-server statistics
Global Statistics:
------------------
URLs total/allowed/denied         994387/155648/838739
URLs allowed by cache/server      70483/85165
URLs denied by cache/server       801920/36819
HTTPSs total/allowed/denied       994387/155648/838739
HTTPs allowed by cache/server     70483/85165
HTTPs denied by cache/server      801920/36819
FTPs total/allowed/denied         994387/155648/838739
FTPs allowed by cache/server      70483/85165
FTPs denied by cache/server       801920/36819
Requests dropped                  28715
Server timeouts/retries           567/1350
Processed rate average 60s/300s   1524/1344 requests/second
Denied rate average 60s/300s      35648/33022 requests/second
Dropped rate average 60s/300s     156/189 requests/second
URL Server Statistics:
----------------------
192.168.0.1                       UP
Vendor                          websense
Port                            17035
Requests total/allowed/denied   366519/255495/110457
Server timeouts/retries         567/1350
Responses received              365952
Response time average 60s/300s  2/1 seconds/request
192.168.0.2                       DOWN
Vendor                          websense
Port                            17035
Requests total/allowed/denied   0/0/0
Server timeouts/retries         0/0
Responses received              0
Response time average 60s/300s  0/0 seconds/request
. . .
URL Packets Sent and Received Stats:
------------------------------------
Message                 Sent    Received
STATUS_REQUEST          411     0
LOOKUP_REQUEST          366519  365952
LOG_REQUEST             0       NA
Errors:
-------
RFC noncompliant GET method     0
URL buffer update failure       0
Semantics:
This command allows the operator to display url-server statistics organized on a global 
and per-server basis.  The output is reformatted to provide: more-detailed information and 
per-server organization.
Supported Modes:
privileged
router || transparent
single || multi/context
Privilege:
ATTR_ES_CHECK_CONTEXT
Debug support:
N/A
Migration Strategy (if any):
N/A
Related Commands

Commands

Description

clear url-server

Clears the URL filtering server statistics.

filter url

Directs traffic to a URL filtering server.

url-block

Manage the URL buffers used for web server responses.

url-cache

Enables URL caching while pending responses from an N2H2 or Websense server and sets the size of the cache.

url-server

Identifies an N2H2 or Websense server for use with the filter command.

show user-identity ad-agent

To display information about the AD Agent for the Identify Firewall, use the show user-identity ad-agent command in privileged EXEC mode.

show user-identity ad-agent [statistics]
Syntax Description

statistics

(Optional) Displays statistical information about the AD Agent.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

•

•

•

•

—

Command History

Release

Modification

8.4(2)

The command was introduced.

Usage Guidelines

You can monitor the AD Agent component of the Identity Firewall.

Use the show user-identity ad-agent command to obtain troubleshooting information for the AD Agent. This command displays the following information about the primary and secondary AD Agents:

•Status of the AD Agents

•Status of the domains

•Statistics for the AD Agents

Table 60-1 Description of the Command Output

Type

Values

Description

Mode

Configuration mode

Specifies full download or on-demand download.

AD Agent IP Address

IP address

Displays the active AD Agent IP address.

Backup

IP address

Displays the backup AD Agent IP address.

AD Agent Status

•Disabled

•Down

•Up (registered)

•Probing

•The Identity Firewall is disabled.

•The AD Agent is down.

•The AD Agent is up and running.

•The ASA is registered and the AD Agent is up and running.

•The ASA is trying to connect to the AD Agent.

Authentication Port

udp/1645

Displays the AD Agent authentication port.

Accounting Port

udp/1646

Displays the AD Agent accounting port.

ASA Listening Port

udp/3799

Displays the ASA listening port.

Interface

Interface

Displays the interface that the ASA uses to contact the AD Agent.

IP Address

IP address

Displays the IP address that the ASA uses to contact the AD Agent.

Uptime

Time

Displays the AD Agent up time.

Average RTT

Milliseconds

Displays the average round trip time the ASA uses to contact the AD Agent.

Domain

Domain nickname

Status: up

Status: down

Displays the Microsoft Active Directory domain for the AD Agent.

Examples

This example shows how to display information for the AD Agent for the Identify Firewall:
hostname# show user-identity ad-agent
Primary AD Agent:
 Status                    up (registered)
 Mode:                     full-download
 IP address:               172.23.62.125
 Authentication port:      udp/1645
 Accounting port:          udp/1646
 ASA Listening port:       udp/3799
 Interface:                mgmt
 Up time:                  15 mins 41 secs
 Average RTT:              57 msec
Secondary AD Agent:
 Status                    up
 Mode:                     full-download
 IP address:               172.23.62.136
 Authentication port:      udp/1645
 Accounting port:          udp/1646
 ASA Listening port:       udp/3799
 Interface:                mgmt
 Up time:                  7 mins 56 secs
 Avg RTT:                  15 msec
Related Commands

Command

Description

clear user-identity ad-agent statistics

Clears the statistics data of AD Agents maintained by the ASA for the Identity Firewall.

user-identity enable

Creates the Cisco Identify Firewall instance.

show user-identity ad-group-members

Displays the group members in the domain of the AD Agent for the Identify Firewall.

show user-identity ad-group-members

To display the group members in the domain of the AD Agent for the Identify Firewall, use the show user-identity ad-group-members command in privileged EXEC mode.

show user-identity ad-group-members [domain_nickname\]user_group_name [timeout seconds seconds]
Syntax Description

domain_nickname

(Optional) Specifies the domain name for the Identity Firewall.

timeout seconds seconds

(Optional) Sets a timer for retrieving group member statistics and specifies the length of time for the timer.

user_group_name

(Optional) Specifies the group name from which to retrieve statistics.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

•

•

•

•

—

Command History

Release

Modification

8.4(2)

The command was introduced.

Usage Guidelines

The show user-identity ad-group-members command displays the immediate members (the users and groups) of the specified user group.

Note This command does not display information for locally defined groups on the ASA configured with the object-group user command.

The ASA sends an LDAP query for the Active Directory groups configured on the Active Directory server. Running this command is equivalent to running an LDAP browser command that allows you to check members of a specified user group. ASA issues one level of LDAP query to retrieve the immediate members of the specified group in the distinguishedName format. Running this command does not update the ASA internal cache of imported user groups.

When you do not specify domain_nickname, the ASA displays information for the group that has user_group_name in the default domain. The argument domain_nickname can be the real domain nickname or LOCAL.

The group name is the AD group's unique sAMAccountName not the CN name. To display information for a specific group sAMAccountName, use the show user-identity ad-groups filter filter_string command to retrieve group's sAMAccountName.

Examples

This example shows how to display members of the group sample1 for the Identity Firewall:
hostname# show user-identity ad-group-member group.sample1
Domain:CSCO        AAA Server Group:  CISCO_AD_SERVER
Group Member List Retrieved Successfully
Number of Members in AD Group group.schiang: 12
dn: CN=user1,OU=Employees,OU=Cisco Users,DC=cisco,DC=com
dn: CN=user2,OU=Employees,OU=Cisco Users,DC=cisco,DC=com
...
Related Commands

Command

Description

user-identity enable

Creates the Cisco Identify Firewall instance.

show user-identity ad-groups

Displays information about the AD Agent for the Identify Firewall.

show user-identity ad-groups

To display information for a specific group for the Identify Firewall, use the show user-identity ad-groups command in privileged EXEC mode.

show user-identity ad-groups domain_nickname {filter filter_string | import-user-group [count]}
Syntax Description

count

(Optional) Displays the number of activated groups.

domain_nickname

Specifies the domain name for the Identity Firewall.

filter filter_string

Specifies to displays groups that contain the specified filter string in the CN attribute of the domain controller of the Microsoft Active Directory.

import-user-group

Displays only the activated groups for the Identity Firewall.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

•

•

•

•

—

Command History

Release

Modification

8.4(2)

The command was introduced.

Usage Guidelines

When you run the show user-identity ad-groups command, the ASA sends an LDAP query to the Microsoft Active Directory to retrieve all user groups that are part of the specified domain nickname. The argument domain_nickname can be the real domain nickname or LOCAL. The ASA only retrieves groups that have the group objectclass attribute. The ASA displays the retrieved groups in distinguishedName format.

When you specify the filter filter_string keyword and argument, the ASA displays groups that contain the specified filter string in the CN attribute of the domain controller. Because the access-list and object-group commands only take sAMAccountName, you can run the show user-identity ad-users filter filter_string command to retrieve the sAMAccountName for a group. When you do not specify filter filter_string, the ASA displays all Active Directory groups.

When you specify the import-user-group count keywords, the ASA displays all Active Directory groups that are activated (because they are part an access-group, import-user-group, or service-policy configuration) and stored in the local database. The ASA only displays the sAMAccountName for the groups.

Examples

These examples show how to display user groups that are part of the specified domain nickname for the Identity Firewall:
hostname# show user-identity ad-groups CSCO filter sampleuser1
Domain: CSCO        AAA Server Group:       CISCO_AD_SERVER
Group list retrieved successfully
Number of Active Directory Groups       6
dn: CN=group.reg.sampleuser1,OU=Organizational,OU=Cisco Groups,DC=cisco,DC=com
sAMAccountName: group.reg.sampleuser1
dn: CN=group.temp.sampleuser1,OU=Organizational,OU=Cisco Groups,DC=cisco,DC=com
sAMAccountName: group.temp.sampleuser1
...
hostname# show user-identity ad-groups CSCO import-user-group count
Total AD groups in domain CSCO stored in local: 2
hostname# show user-identity ad-groups CSCO import-user-group 
Domain: CSCO
Groups:
        group.SampleGroup1
        group.SampleGroup2
...
This example shows how to run the command to apply a filter string to the results from an access-list and object-group command. Running the show user-identity ad-users CSCO filter SampleGroup1 command obtains the sAMAccountName of specified string:
hostname# show user-identity ad-users CSCO filter SampleGroup1 
Domain:CSCO    AAA Server Group:  CISCO_AD_SERVER
User list retrieved successfully
Number of Active Directory Users: 2
dn: CN=SampleUser1,OU=Employees,OU=Cisco Users,DC=cisco,DC=com
sAMAccountName: SampleUser2
dn: CN=SAMPLEUSER2-WXP05,OU=Workstations,OU=Cisco Computers,DC=cisco,DC=com
sAMAccountName: SAMPLEUSER2-WXP05$
Related Commands

Command

Description

user-identity enable

Creates the Cisco Identify Firewall instance.

show user-identity ad-users

To display Microsoft Active Directory users for the Identify Firewall, use the show user-identity ad-users command in privileged EXEC mode.

show user-identity ad-users domain_nickname [filter filter_string]
Syntax Description

domain_nickname

Specifies the domain name for the Identity Firewall.

filter filter_string

(Optional) Specifies to displays users that contain the specified filter string in the CN attribute of the domain controller of the Microsoft Active Directory.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

•

•

•

•

—

Command History

Release

Modification

8.4(2)

The command was introduced.

Usage Guidelines

When you run the show user-identity ad-users command, the ASA sends an LDAP query to the Microsoft Active Directory to retrieve all users that are part of the specified domain nickname. The argument domain_nickname can be the real domain nickname or LOCAL.

When you specify the filter filter_string keyword and argument, the ASA displays users that contain the specified filter string in the CN attribute of the domain controller. The ASA sends an LDAP query for the Active Directory groups configured on the Active Directory server.

The ASA only retrieves users that have the user objectclass attribute and the samAccountType attribute 805306368. Other objects, such as machine objects, can be included in the user objectclass; however, the samAccountType 805306368 filters out the non-user objects. When you do not specify a filter string, the ASA displays all Active Directory users.

The ASA displays the retrieved users in distinguishedName format.

Examples

This example shows how to display information about Active Directory users for the Identity Firewall:
hostname# show user-identity ad-users CSCO filter user
Domain: CSCO        AAA Server Group:  CISCO_AD_SERVER
User list retrieved successfully
Number of Active Directory Users: 10
dn: CN=sampleuser1,OU=Employees,OU=Cisco Users,DC=cisco,DC=com
sAMAccountName: sampleuser1
dn: CN=sampleuser2,OU=Employees,OU=Cisco Users,DC=cisco,DC=com
sAMAccountName: sampleuser2
dn: CN=user3,OU=Employees,OU=Cisco Users,DC=cisco,DC=com
sAMAccountName: user3
...
Related Commands

Command

Description

user-identity enable

Creates the Cisco Identify Firewall instance.

show user-identity group

To display the user groups configured for the Identify Firewall, use the show user-identity group command in privileged EXEC mode.

show user-identity group
Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

•

•

•

•

—

Command History

Release

Modification

8.4(2)

The command was introduced.

Usage Guidelines

Use the show user-identity group command to obtain troubleshooting information for the user groups configured for the Identity Firewall. The ASA sends an LDAP query for the Active Directory groups configured on the Active Directory server. This command displays the list of activated user groups in the following format:

domain\group_name

The ASA only displays top groups that are applied to a security policy. The maximum number of activated top groups is 256. Groups are activated when they are part an access-group, import-user-group, or service-policy configuration.

Examples

This example shows how to display the activated groups for the Identity Firewall:
hostname# show user-identity group
Group ID        Activated Group Name (Domain\\Group)
--------        ------------------------------------
       1        LOCAL\\og1
       2        LOCAL\\marketing
       3        CISCO\\group.sampleuser1
       4        IDFW\\grp1
...
Related Commands

Command

Description

user-identity enable

Creates the Cisco Identify Firewall instance.

show user-identity ip-of-user

To display the IP address for a specified user for the Identify Firewall, use the show user-identity ip-of-user command in privileged EXEC mode.

show user-identity ip-of-user [domain_nickname\]user-name [detail]
Syntax Description

detail

(Optional) Displays the detailed output about the user and IP address.

domain_nickname

(Optional) Specifies the domain name for the Identity Firewall.

user-name

Specifies the user for which to obtain an IP address.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

•

•

•

•

—

Command History

Release

Modification

8.4(2)

The command was introduced.

Usage Guidelines

This command displays user information and the IP addresses for the specified user. Users can have more than one IP address associated with them.

When you do not specify the domain_nickname argument, the ASA displays information for the user with user_name in default domain. The argument domain_nickname can be the real domain nickname or LOCAL.

When you specify the detail keyword, the ASA displays the total number of active connections, the user-statistics period and the drops, and the input packets and output packets during the period over all IP addresses for the specified user. When you do not specify the detail option, the ASA displays only the domain nickname and status of each IP address.

Note The ASA displays detailed user statistics, such as received packets, sent packets and drops in the specified time period, only when you enable user-statistics scanning or accounting for the Identity Firewall. See the CLI configuration guide for information about configuring the Identity Firewall.

Examples

These examples show how to display IP addresses of specified users for the Identity Firewall:
hostname# show user-identity ip-of-user sampleuser1
CSCO\172.1.1.1 (Login)
CSCO\172.100.3.23 (Login) 
CSCO\10.23.51.3 (Inactive) 
hostname# show user-identity ip-of-user sampleuser1 detail
CSCO\172.1.1.1 (Login) Login time: 1440 mins;  Idle time: 10 mins; 2 active conns
CSCO\172.100.3.23 (Login) Login time: 20 mins;  Idle time: 10 mins; 10 active conns
CSCO\10.23.51.3 (Inactive) Login time: 3000 mins;  Idle time: 2040 mins; 8 active conns
Total number of active connections: 20
1-hour recv packets: 12560
1-hour sent packets: 32560
20-min drops: 560
hostname# show user-identity ip-of-user sampleuser2
ERROR: no such user 
hostname# show user-identity ip-of-user sampleuser3
ERROR: no IP address, user not login now
IPv6 support
hostname# show user-identity ip-of-user sampleuser4
CSCO\172.1.1.1 (Login)
CSCO\8080:1:3::56 (Login) 
CSCO\8080:2:3::34 (Inactive) 
hostname# show user-identity ip-of-user sampleuser4 detail
CSCO\172.1.1.1 (Login) Login time: 1440 mins;  Idle time: 10 mins; 8 active conns
CSCO\8080:1:3::56 (Login) Login time: 20 mins;  Idle time: 10 mins; 12 active conns	
CSCO\8080:2:3::34 (Inactive) Total number of active connections: 20
1-hour recv packets: 12560
1-hour sent packets: 32560
20-min drops: 560
Related Commands

Command

Description

user-identity enable

Creates the Cisco Identify Firewall instance.

show user-identity user-of-ip

Displays the user information associated with the specified IP address

show user-identity memory

To display the memory of various modules of the Identify Firewall, use the show user-identity memory command in privileged EXEC mode.

show user-identity memory
Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

•

•

•

•

—

Command History

Release

Modification

8.4(2)

The command was introduced.

Usage Guidelines

You can monitor the memory usage that the Identity Firewall consumes on the ASA. Running the show user-identity memory command displays the memory for user records, group records, host records, and their associated hash table. The ASA also displays the memory used by the identity-based tmatch table.

The command displays the memory usage in bytes of various modules in the Identity Firewall:

•Users

•Groups

•User Statistics

•LDAP

The ASA sends an LDAP query for the Active Directory groups configured on the Active Directory server. The Active Directory server authenticates users and generates user logon security logs.

•AD Agent

•Miscellaneous

•Total Memory Usage

How you configure the Identity Firewall to retrieve user information from the AD Agent impacts the amount of memory used by the feature. You specify whether the ASA uses on demand retrieval or full download retrieval. Selecting On Demand has the benefit of using less memory as only users of received packets are queried and stored. See "Configuring Identity Options" in the CLI configuration guide for a description of these options.

Examples

This example shows how to display the memory status of the modules of the Identity Firewall:
hostname# show user-identity memory
Users:       22416048 bytes
Groups:           320 bytes
User stats:         0 bytes
LDAP:             300 bytes
AD agent:         500 bytes
Misc:           32428 bytes
Total:       22449596 bytes
Users:       22416048 bytes
Related Commands

Command

Description

user-identity enable

Creates the Cisco Identify Firewall instance.

show user-identity statistics

To display statistics for a user or user group for the Identify Firewall, use the show user-identity statistics command in privileged EXEC mode.

show user-identity statistics [user [domain_nickname\]user_name | user-group [domain_nickname\]user_group_name]
Syntax Description

domain_nickname

(Optional) Specifies the domain name for the Identity Firewall.

user user_name

(Optional) Specifies the user name from which to retrieve statistics.

user-group domain_nickname\
user_group_name

(Optional) Specifies the group name from which to retrieve statistics.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

•

•

•

•

—

Command History

Release

Modification

8.4(2)

The command was introduced.

Usage Guidelines

Run the show user-identity statistics command to display the statistics for a user or user group.

When you do not specify the domain_nickname argument with the user keyword, the ASA displays information for the user with user_name in default domain.

When you do not specify domain_nickname with the user-group keyword, the ASA displays information for the group that has user_group_name in the default domain. The argument domain_nickname can be the real domain nickname or LOCAL.

Examples

These examples show how to display statistics about users for the Identity Firewall:
hostname# show user-identity statistics user 
Current monitored users:11  Total not monitored users:0
                          Average(eps)    Current(eps) Trigger      Total events
User: CSCO\user1 tot-ses:4911 act-ses:1213 fw-drop:0 insp-drop:0 null-ses:4861 bad-acc:0
  20-min Recv attack:                4              10      14              4861
    1-hour Recv pkts:                  1              10        0              4901
User: CSCO\user2 tot-ses:2456 act-ses:607 fw-drop:0 insp-drop:0 null-ses:2431 bad-acc:0
  20-min Sent attack:                 4              10        4              4862
  1-hour Sent pkts:                     0               5         0              2451
...
hostname# show user-identity statistics user user1
Current                          Average(eps)    Current(eps) Trigger      Total events
User: -(user1-) tot-ses:4911 act-ses:1213 fw-drop:0 insp-drop:0 null-ses:4861 bad-acc:0
  20-min Recv attack:                4              10       14              4861
  1-hour Recv pkts:                   1              10       0              4901
Related Commands

Command

Description

user-identity enable

Creates the Cisco Identify Firewall instance.

show user-identity statistics top user

To display statistics for the top 10 users for the Identify Firewall, use the show user-identity statistics top user command in privileged EXEC mode.

show user-identity statistics top user
Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

•

•

•

•

—

Command History

Release

Modification

8.4(2)

The command was introduced.

Usage Guidelines

The show user-identity statistics top user command displays statistics for received EPS packets, sent EPS packets, and sent attacks for the top 10 users. For each user (displayed as domain\user_name), the ASA displays the average EPS packet, the current EPS packet, the trigger, and total events for that user.

Examples

This example shows how to display information about the top 10 users for the Identity Firewall:
hostname# show user-identity statistics top user
Top          Name   Id    Average(eps)    Current(eps) Trigger      Total events
  1-hour Recv pkts:
01    APAC\sampleuser1
                                    0               0       0               391
  1-hour Sent pkts:
01    APAC\sampleuser2
                                    0               0       0               196
02    CSCO\sampleuser3
                                    0               0       0               195
  10-min Sent attack:
01    CSCO\sampleuser4
                                    0               0       0               352
02    CSCO\sampleuser3 
                                    0               0       0               350
Related Commands

Command

Description

user-identity enable

Creates the Cisco Identify Firewall instance.

show user-identity user active

To display the active users for the Identify Firewall, use the show user-identity user active command in privileged EXEC mode.

show user-identity user active [domain domain_nickname | user-group [domain_nickname\]user_group_name | user [domain_nickname\]user_name] [list [detail]]
Syntax Description

detail

(Optional) Displays the detailed output of the active user sessions.

domain domain_nickname

Displays statistics for the active users in a specified domain.

list

(Optional) Displays a list summarizing the active user statistics.

user domain_nickname\user_name

(Optional) Displays statistic for a specified user.

user-group domain_nickname\user_group_name

(Optional) Displays statistics for a specified user group.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

•

•

•

•

—

Command History

Release

Modification

8.4(2)

The command was introduced.

Usage Guidelines

You can display information about all users contained in the IP-user mapping database used by the Identity Firewall.

The show user-identity user active command displays the following information for users:

• domain\user_name

• Active Connections

• Minutes Idle

The default domain name can be the real domain name, a special reserved word, or LOCAL. The Identity Firewall uses the LOCAL domain name for all locally defined user groups or locally defined users (users who log in and authenticate by using a VPN or web portal). When default domain is not specified, the default domain is LOCAL.

A user's name is appended with the number of minutes idle. The login time and idle time are stored on a per user basis instead of per the IP address of a user.

When the user-group keyword is specified, only the activated user-groups are displayed. Groups are activated when they are part an access-group, import-user-group, or service-policy configuration.

When you do not specify domain_nickname with the user-group keyword, the ASA displays information for the group that has user_group_name in the default domain.

Note When the user-identity action domain-controller-down is configured with the disable-user-identity-rule keyword and the specified domain is down, or when user-identity action ad-agent-down command is configured with the disable-user-identity-rule keyword and the AD agent is down, all the logged on users are displayed as disabled in the user statistics.

Note The ASA displays detailed user statistics, such as received packets, sent packets and drops in the specified time period, only when you enable user-statistics scanning or accounting for the Identity Firewall. See the CLI configuration guide for information about configuring the Identity Firewall.

Examples

The following examples show how to display information about active users for the Identity Firewall:
hostname# show user-identity user active 
Total active users: 30  Total IP addresses: 35
  LOCAL: 0 users, 0 IP addresses
  cisco.com: 0 users, 0 IP addresses
  d1: 0 users, 0 IP addresses
  IDFW: 0 users, 0 IP addresses
  idfw.com: 0 users, 0 IP addresses
  IDFWTEST: 30 users, 35 IP addresses
hostname# show user-identity user active domain CSCO 
Total active users: 48020 Total IP addresses:10000
  CSCO: 48020 users, 10000 IP addresses
hostname# show user-identity user active domain CSCO list 
Total active users: 48020 Total IP addresses: 10000
  CSCO: 48020 users, 10000 IP addresses
   CSCO\sampleuser1: 20 active conns; idle 0 mins
   CSCO\member-1: 20 active conns; idle 5 mins
   CSCO\member-2: 20 active conns; idle 20 mins
   CSCO\member-3: 3 active conns; idle 101 mins
   ...
hostname# show user-identity user active list 
Total active users: 48032  Total IP addresses: 10000
   CSCO\sampleuser1: 20 active conns; idle 0 mins
   CSCO\member-1: 20 active conns; idle 6 mins
   APAC\sampleuser2: 20 active conns; idle 0 mins
   CSCO\member-2: 20 active conns; idle 1 mins
   CSCO\member-3: 20 active conns; idle 0 mins
   APAC\member-2: 20 active conns; idle 22 mins
   CSCO\member-4: 3 active conns; idle 101 mins
   ...
hostname# show user-identity user active list detail 
Total active users: 48032 Total IP addresses: 10010
  CSCO: 48020 users, 10000 IP addresses
  APAC: 12 users, 10 IP addresses	
   CSCO\sampleuser1: 20 active conns; idle 0 mins
     172.1.1.1: login 360 mins, idle 0 mins, 15 active conns 
     172.100.3.23: login 200 min, idle 15 mins , 5 active conns
     10.23.51.3: inactive
     1-hour recv packets: 12560
     1-hour sent packets: 32560
     20-min drops: 560
   CSCO\member-1: 4 active connections;  idle 350 mins
   ...
  APAC\sampleuser12: 3 active conns; idle 101 mins
     172.1.1.1: login 360 mins, idle 101 mins, 1 active conns
     172.100.3.23: login 200 min, idle 150 mins, 2 active conns
     10.23.51.3: inactive
     1-hour recv packets: 12560
     1-hour sent packets: 32560
     20-min drops: 560
hostname# show user-identity user active list detail
Total users: 25  Total IP addresses: 5
   LOCAL\idfw: 0 active conns
    6.1.1.1: inactive
  cisco.com\sampleuser1: 0 active conns
  cisco.com\sampleuser2: 0 active conns
  cisco.com\sampleuser3: 0 active conns
    20.0.0.3: login 0 mins, idle 0 mins, 0 active conns (disabled)
  cisco.com\sampleuser4: 0 active conns; idle 0 mins 
    20.0.0.2: login 0 mins, idle 0 mins, 0 active conns (disabled)
  cisco.com\sampleuser5: 0 active conns
  ...
hostname# show user-identity user active user sampleuser1 list detail 
CSCO\sampleuser1: 20 active conns; idle 3 mins
     172.1.1.1: login 360 mins, idle 20 mins, 15 active conns
     172.100.3.23: login 200 mins, idle 3 mins, 5 active conns
     10.23.51.3: inactive
     1-hour recv packets: 12560
     1-hour sent packets: 32560
     20-min drops: 560
hostname# show user-identity user active user APAC\sampleuser2 
APAC\sampleuser2: 20 active conns; idle 2 mins
hostname# show user-identity user active user-group APAC\\marketing list 
   APAC\sampleuser1: 20 active conns; idle 2 mins
   APAC\member-1: 20 active conns; idle 0 mins
   APAC\member-2: 20 active conns; idle 0 mins
   APAC\member-3: 20 active conns; idle 6 mins
...
hostname# show user-identity user active user-group APAC\\inactive list
ERROR: group is not activated
Related Commands

Command

Description

clear user-identity active-user-database

Sets the status of a specified user, all users belong to a specified user group, or all users to logged out for the Identity Firewall.

user-identity enable

Creates the Cisco Identify Firewall instance.

show user-identity user all

To display statistics about users for the Identify Firewall, use the show user-identity user all command in privileged EXEC mode.

show user-identity user all [list] [detail]
Syntax Description

detail

(Optional) Displays the detailed output about all users for the Identity Firewall.

list

(Optional) Displays a list summarizing the statistics for all users for the Identity Firewall.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

•

•

•

•

—

Command History

Release

Modification

8.4(2)

The command was introduced.

Usage Guidelines

Use the show user-identity all command to display information for all users contained in the IP-user mapping database used by the Identity Firewall.

When you include the detail keyword with this command and the command output shows an IP address is inactive, the IP address is not associated with the user. Searching for the user associated with that IP address will return an error.

Note When the user-identity action domain-controller-down is configured with the disable-user-identity-rule keyword and the specified domain is down, or when user-identity action ad-agent-down command is configured with the disable-user-identity-rule keyword and the AD agent is down, all the logged on users are displayed as disabled in the user statistics.

Note The ASA displays detailed user statistics, such as received packets, sent packets and drops in the specified time period, only when you enable user-statistics scanning or accounting for the Identity Firewall. See the CLI configuration guide for information about configuring the Identity Firewall.

Examples

The following examples show how to display statistics about all users for the Identity Firewall:
hostname# show user-identity user all list
Total inactive users: 1201  Total IP addresses: 100
hostname# show user-identity user all list
Total users: 7
  LOCAL\idfw: 0 active conns
  cisco.com\sampleuser1: 0 active conns
  cisco.com\sampleuser2: 0 active conns
  cisco.com\sampleuser3: 0 active conns
  cisco.com\sampleuser4: 0 active conns; idle 300 mins
  cisco.com\sampleuser5: 0 active conns
  cisco.com\sampleuser6: 0 active conns
  cisco.com\sampleuser7: 0 active conns
hostname# show user-identity user all list detail
Total users: 7 Total IP addresses: 3
  LOCAL\idfw: 0 active conns
    10.1.1.1: inactive
  cisco.com\sampleuser1: 0 active conns
  cisco.com\sampleuser2: 0 active conns
  cisco.com\sampleuser3: 0 active conns; idle 300 mins
    171.69.42.8: inactive
    10.0.0.2: login 300 mins, idle 300 mins, 5 active conns
  cisco.com\sampleuser4: 0 active conns
  cisco.com\sampleuser5: 0 active conns
  cisco.com\sampleuser6: 0 active conns
     1-hour recv packets: 12560
     1-hour sent packets: 32560
     20-min drops: 560
Related Commands

Command

Description

user-identity enable

Creates the Cisco Identify Firewall instance.

show user-identity user inactive

To display information about the inactive users for the Identify Firewall, use the show user-identity user inactive command in privileged EXEC mode.

show user-identity user inactive [domain domain_nickname | user-group [domain_nickname\]user_group_name]
Syntax Description

domain domain_nickname

(Optional) Displays statistics for the inactive users in the specified domain name for the Identity Firewall.

user-group domain_nickname\
user_group_name

(Optional) Displays statistics for the inactive users in the specified user group.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

•

•

•

•

—

Command History

Release

Modification

8.4(2)

The command was introduced.

Usage Guidelines

Use the show user-identity user inactive command to display information about users who have no active traffic for longer than the value configured with the user-identity inactive-user-timer command.

When the user-group keyword is specified, only the activated user-groups are displayed. Groups are activated when they are part an access-group, import-user-group, or service-policy configuration.

When you do not specify domain_nickname with the user-group keyword, the ASA displays information for the group that has user_group_name in the default domain. The argument domain_nickname can be the real domain nickname or LOCAL.

Examples

These examples show how to display the status of inactive users for the Identity Firewall:
hostname# show user-identity user inactive
Total inactive users: 1201
   APAC\sampleuser1
   CSCO\sampleuser2
172.1.1.1: inactive     ...
...
hostname# show user-identity user inactive domain CSCO
Total inactive users: 1101
    CSCO: 1101
   CSCO\sampleuser1
   CSCO\sampleuser2
   CSCO\sampleuser3
...
hostname# show user-identity user inactive user-group CSCO\\marketing
Total inactive users: 21
   CSCO\sampleuser1
   CSCO\sampleuser2
...
Related Commands

Command

Description

user-identity enable

Creates the Cisco Identify Firewall instance.

user-identity inactive-user-timer

Specifies the amount of time before a user is considered idle for the Cisco Identify Firewall instance.

show user-identity user-not-found

To display the IP addresses of the Active Directory users not found for the Identify Firewall, use the show user-identity user-not-found command in privileged EXEC mode.

show user-identity user-not-found
Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

•

•

•

•

—

Command History

Release

Modification

8.4(2)

The command was introduced.

Usage Guidelines

Use the show user-identity user-not-found command to display the IP addresses of the users who are not found in Microsoft Active Directory.

The ASA maintains a local user-not-found database of these IP addresses. The ASA keeps only the last 1024 packets (contiguous packets from the same source IP address are treated as one packet) of the user-not-found list and not the entire list in the database.

Examples

This example shows how to display information about not-found users for the Identity Firewall:
hostname# show user-identity user-not-found
172.13.1.2
171.1.45.5
169.1.1.2
172.13.12
...
Related Commands

Command

Description

clear user-identity user-not-found

Clears the ASA local user-not-found database for the Identity Firewall.

user-identity enable

Creates the Cisco Identify Firewall instance.

user-identity user-not-found

Enables user-not-found tracking for the Identify Firewall.

show user-identity user-of-group

To display the users of a specified user group for the Identify Firewall, use the show user-identity user-of-group command in privileged EXEC mode.

show user-identity user-of-group [domain_nickname\]user_group_name
Syntax Description

domain_nickname

Specifies the domain name for the Identity Firewall.

user_group_name

Specifies the user group for which to display statistics.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

•

•

•

•

—

Command History

Release

Modification

8.4(2)

The command was introduced.

Usage Guidelines

Use the show user-identity user-of-group command to display users whose group ID matches the specified user group. (The ASA scans the IP-user hash list for this information and rather than sending an LDAP query to Active Directory. The AD Agent maintains a cache of user ID and IP address mappings and notifies the ASA of changes.)

The user group name you specify must be activated, meaning the group is an import user group (defined as a user group in an access list or service policy configuration) or a local user group (defined in an object-group user).

The group can have more than one user member. The members of the user group are all immediate members (including users and groups) of the specified group.

When you do not specify domain_nickname with the user_group_name argument, the ASA displays information for the group that has user_group_name in the default domain. The argument domain_nickname can be the real domain nickname or LOCAL.

When the command out put indicates a user's status is inactive, the user can be logged out or has never logged in.

Examples

These examples show how to display users of a specified user group for the Identity Firewall:
hostname# show user-identity user-of-group group.samplegroup1
Group: CSCO\\group.user1 Total users: 13
CSCO\user2 10.0.0.10(Login) 20.0.0.10(Inactive) ...
CSCO\user3 10.0.0.11(Inactive)
CSCO\user4 10.0.0.12 (Login)
CSCO\user5 10.0.0.13 (Login)
CSCO\user6 10.0.0.14 (Inactive)
....
hostname# show user-identity user-of-group group.local1
Group: LOCAL\\group.local1    Total users: 2
CSCO\user1 10.0.4.12 (Login)
LOCAL\user2 10.0.3.13 (Login)
Related Commands

Command

Description

user-identity enable

Creates the Cisco Identify Firewall instance.

show user-identity user-of-ip

To display information about a user with a specific IP address for the Identify Firewall, use the show user-identity user-of-ip command in privileged EXEC mode.

show user-identity user-of-ip ip_address [detail]
Syntax Description

detail

(Optional) Displays the detailed output about user with the specified IP address.

ip_address

Indicates the IP address of the user for which to display information.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

•

•

•

•

—

Command History

Release

Modification

8.4(2)

The command was introduced.

Usage Guidelines

Use the show user-identity user-of-ip command to display the user information associated with the specified IP address.

When you specify the detail keyword, the ASA displays user login time, idle time, the number of active connections, the user-statistics period and the drops, and the input packets and output packets during the period. When you do not specify the detail keyword, the ASA only displays the domain nickname, user name, and status.

When user status is inactive, the user can be logged out or has never logged in.

When you include the detail keyword with this command and the command output for an IP address displays an error, the IP address is inactive, meaning that the IP address is not associated with a user.

Note The ASA displays detailed user statistics, such as received packets, sent packets and drops in the specified time period, only when you enable user-statistics scanning or accounting for the Identity Firewall. See the CLI configuration guide for information about configuring the Identity Firewall.

Examples

These examples show how to display the status of the active users for the Identity Firewall:
hostname# show user-identity user-of-ip 172.1.1.1 
CSCO\sampleuser1 (Login)
hostname# show user-identity user-of-ip 172.1.1.1 detail
CSCO\sampleuser1 (Login) Login time: 240 mins;  Idle time: 10 mins
Number of active connections: 20
1-hour sent packets: 3678
1-hour rcvd packets: 1256
20-min sent drops: 60
hostname# show user-identity user-of-ip 172.1.2.2 detail
CSCO\sampleuser2 (Login) Login time: 1440 mins; Idle time: 100 mins
Number of active connections: 0
1-hour sent packets: 3678
1-hour rcvd packets: 1256
20-min sent drops: 60
hostname# show user-identity user-of-ip 172.1.7.7
ERROR: no user with this IP address
IPv6 Support
hostname# show user-identity user-of-ip 8080:1:1::4 
CSCO\sampleuser1 (Login)
hostname# show user-identity user-of-ip 8080:1:1::4 detail
CSCO\sampleuser1 (Login) Login time: 240 mins;  Idle time: 10 mins
Number of active connections: 20
1-hour sent packets: 3678
1-hour rcvd packets: 1256
20-min sent drops: 60
hostname# show user-identity user-of-ip 8080:1:1::6 detail
CSCO\sampleuser2 (Login) Login time: 1440 mins; Idle time: 100 mins
Number of active connections: 0
1-hour sent packets: 3678
1-hour rcvd packets: 1256
20-min sent drops: 60
hostname# show user-identity user-of-ip 8080:1:1::100
ERROR: no user with this IP address
Related Commands

Command

Description

user-identity enable

Creates the Cisco Identify Firewall instance.

show version

To display the software version, hardware configuration, license key, and related uptime data, use the show version command in user EXEC mode.

show version
Syntax Description

This command has no arguments or keywords.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

User EXEC

•

•

•

•

•

Command History

Release

Modification

7.2(1)

In stateful failover mode, an additional line showing cluster uptime is displayed.

8.3(1)

The output now includes whether a feature uses the permanent or time-based key, as well as the duration of the time-based key in use.

8.4(1)

Support for No Payload Encryption models (NPE) was added.

Usage Guidelines

The show version command allows you to display the software version, operating time since the last reboot, processor type, Flash partition type, interface boards, serial number (BIOS ID), activation key value, license type, and time stamp for when the configuration was last modified.

The serial number listed with the show version command is for the flash partition BIOS. This number is different from the serial number on the chassis. When you get a software upgrade, you will need the serial number that appears in the show version command, not the chassis number.

The failover cluster uptime value indicates how long a failover set has been running. If one unit stops running, the uptime value continues to increase as long as the active unit continues to operate. Therefore, it is possible for the failover cluster uptime to be greater than the individual unit uptime. If you temporarily disable failover, and then reenable it, the failover cluster uptime reports the time the unit was up before failover was disabled plus the time the unit was up while failover was disabled.

If you have a No Payload Encryption model, then when you view the license, VPN and Unified Communications licenses will not be listed.

For the Total VPN Peers on the ASA 5505, the total combined number of VPN sessions of all types depends on your licenses. If you enable AnyConnect Essentials, then the total is the model maximum of 25. If you enable AnyConnect Premium, then the total is the AnyConnect Premium value plus the Other VPN value, not to exceed 25 sessions. Unlike other models, where the Other VPN value equals the model limit for all VPN sessions, the ASA 5505 has a lower Other VPN value than the model limit, so the total value can vary depending on the AnyConnect Premium license.

Examples

The following is sample output from the show version command, and shows the software version, hardware configuration, license key, and related uptime information. Note that in an environment where stateful failover is configured an additional line showing the failover cluster uptime is displayed. If failover is not configured, the line is not displayed. This display shows a warning message about minimum memory requirements.
*************************************************************************
**                                                                     **
**   *** WARNING *** WARNING *** WARNING *** WARNING *** WARNING ***   **
**                                                                     **
**          ----> Minimum Memory Requirements NOT Met! <----           **
**                                                                     **
**  Installed RAM:  512 MB                                             **
**  Required  RAM: 2048 MB                                             **
**  Upgrade part#: ASA5520-MEM-2GB=                                    **
**                                                                     **
**  This ASA does not meet the minimum memory requirements needed to   **
**  run this image. Please install additional memory (part number      **
**  listed above) or downgrade to ASA version 8.2 or earlier.          **
**  Continuing to run without a memory upgrade is unsupported, and     **
**  critical system features will not function properly.               **
**                                                                     **
*************************************************************************
Cisco Adaptive Security Appliance Software Version 8.4(1)
Device Manager Version 6.4(1)
Compiled on Thu 20-Jan-12 04:05 by builders
System image file is "disk0:/cdisk.bin"
Config file at boot was "disk0:/tomm_backup.cfg"
asa3 up 3 days 3 hours
Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 64MB
Slot 1: ATA Compact Flash, 128MB
BIOS Flash AT49LW080 @ 0xfff00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00 
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPsec microcode  : CNlite-MC-IPSECm-MAIN-2.06
 0: Ext: GigabitEthernet0/0  : address is 0013.c480.82ce, irq 9
 1: Ext: GigabitEthernet0/1  : address is 0013.c480.82cf, irq 9
 2: Ext: GigabitEthernet0/2  : address is 0013.c480.82d0, irq 9
 3: Ext: GigabitEthernet0/3  : address is 0013.c480.82d1, irq 9
 4: Ext: Management0/0       : address is 0013.c480.82cd, irq 11
 5: Int: Not used            : irq 11
 6: Int: Not used            : irq 5
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 10             perpetual
GTP/GPRS                          : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Enabled        perpetual
  Shared AnyConnect Premium Peers : 12000          perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 12             62 days
Total UC Proxy Sessions           : 12             62 days
Botnet Traffic Filter             : Enabled        646 days
Intercompany Media Engine         : Disabled       perpetual
This platform has a Base license.
The flash permanent activation key is the SAME as the running permanent key.
Active Timebased Activation Key:
0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285
Botnet Traffic Filter        : Enabled    646 days
0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2
Total UC Proxy Sessions      : 10         62 days
Serial Number: JMX0938K0C0
Running Permanent Activation Key: 0xce06dc6b 0x8a7b5ab7 0xa1e21dd4 0xd2c4b8b8 0xc4594f9c 
Running Timebased Activation Key: 0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285 
Configuration register is 0x1
Configuration last modified by docs at 15:23:22.339 EDT Fri Oct 30 2012
The following message appears if you enter the show version command after the eject command has been executed, but the device has not been physically removed:
Slot 1: Compact Flash has been ejected!
It may be removed and a new device installed.
Related Commands

Command

Description

eject

Allows shutdown of external compact flash device before physical removal from the ASA.

show hardware

Displays detail hardware information.

show serial

Displays the hardware serial information.

show uptime

Displays how long the ASA has been up.

show vlan

To display all VLANs configured on the ASA, use the show vlan command in privileged EXEC mode.

show vlan
Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

•

•

•

—

•

Command History

Release

Modification

7.2(1)

This command was introduced.

Examples

The following example displays the configured VLANs:
hostname# show vlan
10-11,30,40,300
Related Commands

Command

Description

clear interface

Clears counters for the show interface command.

interface

Configures an interface and enters interface configuration mode.

show interface

Displays the runtime status and statistics of interfaces.

show vpn load-balancing

To display the runtime statistics for the VPN load-balancing virtual cluster configuration, use the show vpn-load-balancing command in global configuration, privileged EXEC, or VPN load-balancing mode.

show vpn load-balancing
Syntax Description

This command has no variables or arguments.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

•

—

•

—

Privileged EXEC

•

—

•

—

Vpn load-balancing

•

—

•

—

Command History

Release

Modification

7.0(1)

This command was introduced.

7.1(1)

Added separate IPsec and SSL columns for both Load (%) display and Session display in the output example.

8.4(0)

New information was added to the displayed output.

Usage Guidelines

The show vpn load-balancing command displays statistical information for the virtual VPN load-balancing cluster. If the local device is not participating in the VPN load-balancing cluster, this command indicates that VPN load balancing has not been configured for this device.

The asterisk (*) in the output indicates the IP address of the ASA to which you are connected.

Examples

This example displays show vpn load-balancing command and its output for a situation in which the local device is participating in the VPN load-balancing cluster:
hostname# sh vpn load-balancing
--------------------------------------------------------------------------
    Status     Role   Failover   Encryption        Cluster IP   Peers      
--------------------------------------------------------------------------
   Enabled   Master        n/a     Disabled 	192.0.2.255	 		 	 0
Peers:
--------------------------------------------------------------------------
       Public IP     Role  Pri             Model  Load-Balancing Version   
--------------------------------------------------------------------------
		192.0.2.255 		 		Master    5          ASA-5520 			 			 			 		3 
Total License Load:
--------------------------------------------------------------------------
       Public IP    AnyConnect Premium/Essentials          Other VPN      
                   -------------------------------   ---------------------
                        Limit    Used   Load          Limit    Used   Load
--------------------------------------------------------------------------
     192.0.2.255			 			750       0     0%            750       1     0%
Licenses Used By Inactive Sessions :
--------------------------------------------------------------------------
       Public IP    AnyConnect Premium/Essentials     Inactive Load      
--------------------------------------------------------------------------
     192.0.2.255			 							0                0%
On the primary device, the Total License Load output includes information about the primary and backup device; however, the backup device only shows information about itself and not the primary device. Thus, the primary device knows about all licensed members, but the licensed members themselves only know about their own licenses.

The output also contains a License Used by Inactive Session section. When an AnyConnect session goes inactive, the ASA keeps that session as long as the session has not terminated by normal means. That way, AnyConnect sessions can reconnect using the same webvpn cookie and not have to re-authenticate. The inactive sessions will remain in that state until either the AnyConnect client resumes the session or an idle timeout occurs. The licenses for those sessions are maintained for these inactive sessions and are represented in this License Used by Inactive Session section.

If the local device is not participating in the VPN load-balancing cluster, the show vpn load-balancing command shows a different result:
hostname(config)# show vpn load-balancing
VPN Load Balancing has not been configured.
Related Commands

Command

Description

clear configure vpn load-balancing

Removes vpn load-balancing command statements from the configuration.

show running-config vpn load-balancing

Displays the the current VPN load-balancing virtual cluster configuration.

vpn load-balancing

Enters vpn load-balancing mode.

show vpn-sessiondb

To display information about VPN sessions, use the show vpn-sessiondb command in privileged EXEC mode.The command includes options for displaying information in full or in detail, lets you specify type of sessions to display, and provides options to filter and sort the information. The syntax table and usage notes organize the choices accordingly

show vpn-sessiondb [detail] [ospfv3] [failover] [full] [summary] [ratio {encryption | protocol}] [license-summary] {anyconnect | email-proxy | index indexnumber | l2l | ra-ikev1-ipsec | vpn-lb | webvpn} [filter {name username | ipaddress IPaddr | a-ipaddress IPaddr | p-ipaddress IPaddr | tunnel-group groupname | protocol protocol-name | encryption encryption-algo | inactive}] [sort {name | ipaddress | a-ipaddress | p-ip address | tunnel-group | protocol | encryption | inactivity}]
Syntax Description

anyconnect

Displays AnyConnect VPN client sessions, including OSPFv3 session information.

detail

(Optional) Displays extended details about a session. For example, using the detail option for an IPsec session displays additional details such as the IKE hashing algorithm, authentication mode, and rekey interval.

If you choose detail, and the full option, the ASA displays the detailed output in a machine-readable format.

email-proxy

Displays email-proxy sessions.

encryption

Displays the ratio of encryption types as a ratio of the total number of sessions.

failover

Displays the session information for the failover IPsec tunnels.

filter filter_criteria

(Optional) Filters the output to display only the information you specify by using one or more of the filter options. For a list of filter_criteria options, see the "Usage Guidelines" section.

full

(Optional) Displays streamed, untruncated output. Output is delineated by | characters and a || string between records.

index indexnumber

Displays a single session by index number. Specify the index number for the session, 1 - 750.

l2l

Displays VPN LAN-to-LAN session information.

license-summary

Displays a summary of license information about the ASA.

ospfv3

Displays OSPFv3 session information.

protocol

Displays the ratio of protocol types as a ratio of the total number of sessions.

ra-ikev1-ipsec

Displays IPsec IKEv1 sessions.

ratio

Displays the ratio of encryption or protocol types, depending on the keyword you choose, as a ratio of the total number of sessions.

sort sort_criteria

(Optional) Sorts the output according to the sort option you specify. For a list of sort_criteria options, see the "Usage Guidelines" section.

summary

Displays VPN session summary information.

vpn-lb

Displays VPN Load Balancing management sessions.

webvpn

Displays clientless SSL VPN sessions, including OSPFv3 session information.

Defaults

There is no default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

•

—

•

—

Command History

Release

Modification

7.2(1)

This command was introduced.

8.0(2)

Added VLAN field description.

8.0(5)

Added inactive as a filter option and inactivity as a sort option.

8.2(1)

License information was added to the output.

8.4(1)

The svc keyword was changed to anyconnect. The remote keyword was changed to ra-ikev1-ipsec. The ratio keyword was added.

9.0(1)

The ospfv3 keyword was added, and the OSPFv3 session information is now included in the VPN session summary.

The fitler a-ipversion and filter p-ipversion options were added to allow filtering on all AnyConnect, LAN-to-LAN, and Clientless SSL VPN sessions assigned IPv4 or IPv6 addresses.

9.1(2)

We added the failover tunnel type and failover keyword to support failover IPsec tunnels. See the failover ipsec pre-shared-key command.

9.1(4)

Output when using the detail anyconnect options has been updated to reflect the assigned IPv6 address and to indicate the GRE Transport Mode security association when doing IKEv2 dual traffic.

Usage Guidelines

You can use the following options to filter and to sort the session display:

Filter/Sort Option

Description

filter a-ipaddress IPaddr

Filters the output to display information for the specified assigned IP address or addresses only.

sort a-ipaddress

Sorts the display by assigned IP addresses.

filter a-ipversion {v4 | v6}

Filters the output to display information about all AnyConnect sessions assigned IPv4 or IPv6 addresses.

filter encryption encryption-algo

Filters the output to display information for sessions using the specified encryption algorithm(s) only.

sort encryption

Sorts the display by encryption algorithm. Encryption algorithms include: aes128, aes192, aes256, des, 3des, rc4

filter inactive

Filters inactive sessions which have gone idle and have possibly lost connectivity (due to hibernation, mobile device disconnection, and so on). The number of inactive sessions increases when TCP keepalives are sent from the ASA without a response from the AnyConnect client. Each session is time stamped with the SSL tunnel drop time. If the session is actively passing traffic over the SSL tunnel, 00:00m:00s is displayed.

Note The ASA does not send TCP keepalives to some devices (such as the iphone, ipad, and ipod) in order to save battery life, so the failure detection cannot distinguish between a disconnect and a sleep. For this reason, the inactivity counter remains as 00:00:00 by design.

sort inactivity

Sorts inactive sessions.

filter ipaddress IPaddr

Filters the output to display information for the specified inside IP address or addresses only.

sort ipaddress

Sorts the display by inside IP addresses.

filter name username

sort name

Filters the output to display sessions for the specified username(s).

Sorts the display by usernames in alphabetical order.

filter p-address IPaddr

Filters the output to display information for the specified outside IP address only.

sort p-address

Sorts the display by the specified outside IP address or addresses.

filter p-ipversion {v4 | v6}

Filters the output to display information about all AnyConnect sessions originating from endpoints with IPv4 or IPv6 addresses.

filter protocol protocol-name

Filters the output to display information for sessions using the specified protocol(s) only.

sort protocol

Sorts the display by protocol. Protocols include: IKE, IMAP4S, IPsec, IPsecLAN2LAN, IPsecLAN2LANOverNatT, IPsecOverNatT, IPsecoverTCP, IPsecOverUDP, SMTPS, userHTTPS, vcaLAN2LAN

filter tunnel-group groupname

Filters the output to display information for the specified tunnel group(s) only.

sort tunnel-group

Sorts the display by tunnel group.

|

Modifies the output, using the following arguments: {begin | include | exclude | grep | [-v]} {reg_exp}

Examples

The following is sample output from the show vpn-sessiondb command:
hostname# show vpn-sessiondb
---------------------------------------------------------------------------
VPN Session Summary                                                        
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concur : Inactive
                             ----------------------------------------------
AnyConnect Client            :      1 :         78 :           2 :        0
  SSL/TLS/DTLS               :      1 :         72 :           2 :        0
  IKEv2 IPsec                :      0 :          6 :           1 :        0
Clientless VPN               :      0 :          8 :           2
  Browser                    :      0 :          8 :           2
---------------------------------------------------------------------------
Total Active and Inactive    :      1             Total Cumulative :     86
Device Total VPN Capacity    :    750
Device Load                  :     0%
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concurrent   
                             ----------------------------------------------
IKEv2                        :      0 :          6 :               1
IPsecOverNatT                :      0 :          6 :               1
Clientless                   :      0 :         17 :               2
AnyConnect-Parent            :      1 :         69 :               2
SSL-Tunnel                   :      1 :         75 :               2
DTLS-Tunnel                  :      1 :         56 :               2
---------------------------------------------------------------------------
Totals                       :      3 :        229
---------------------------------------------------------------------------
---------------------------------------------------------------------------
IPv6 Usage Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concurrent   
                             ----------------------------------------------
AnyConnect SSL/TLS/DTLS      :        :            :
  IPv6 Peer                  :      1 :         41 :           2
  Tunneled IPv6              :      1 :         70 :           2
AnyConnect IKEv2             :        :            :
  IPv6 Peer                  :      0 :          4 :           1
Clientless                   :        :            :
  IPv6 Peer                  :      0 :          1 :           1
---------------------------------------------------------------------------
The following is sample output from the show vpn-sessiondb detail l2l command, showing detailed information about LAN-to-LAN sessions:
hostname# show vpn-sessiondb detail l2l
Session Type: LAN-to-LAN Detailed
Connection   : 172.16.0.0
Index        : 1
IP Addr      : 172.16.0.0
Protocol     : IKEv2 IPsec
Encryption   : IKEv2: (1)AES256  IPsec: (1)AES256
Hashing      : IKEv2: (1)SHA1  IPsec: (1)SHA1
Bytes Tx     : 240                    Bytes Rx     : 160
Login Time   : 14:50:35 UTC Tue May 1 2012
Duration     : 0h:00m:11s
IKEv2 Tunnels: 1
IPsec Tunnels: 1
IKEv2:
  Tunnel ID    : 1.1
  UDP Src Port : 500                    UDP Dst Port : 500
  Rem Auth Mode: preSharedKeys
  Loc Auth Mode: preSharedKeys
  Encryption   : AES256                 Hashing      : SHA1
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 86389 Seconds
  PRF          : SHA1                   D/H Group    : 5
  Filter Name  :
  IPv6 Filter  :
IPsec:
  Tunnel ID    : 1.2
  Local Addr   : 10.0.0.0/255.255.255.0
  Remote Addr  : 209.165.201.30/255.255.255.0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel                 PFS Group    : 5
  Rekey Int (T): 120 Seconds            Rekey Left(T): 107 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4608000 K-Bytes
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
  Bytes Tx     : 240                    Bytes Rx     : 160
  Pkts Tx      : 3                      Pkts Rx      : 2
NAC:
  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
  SQ Int (T)   : 0 Seconds              EoU Age(T)   : 13 Seconds
  Hold Left (T): 0 Seconds              Posture Token:
  Redirect URL :
The following is sample output from the show vpn-sessiondb detail index 1 command:
AsaNacDev# show vpn-sessiondb detail index 1
Session Type: Remote Detailed
Username     : user1
Index        : 1
Assigned IP  : 192.168.2.70           Public IP    : 10.86.5.114
Protocol     : IPsec                  Encryption   : AES128
Hashing      : SHA1                   
Bytes Tx     : 0                      Bytes Rx     : 604533
Client Type  : WinNT                  Client Ver   : 4.6.00.0049
Tunnel Group : bxbvpnlab
Login Time   : 15:22:46 EDT Tue May 10 2005
Duration     : 7h:02m:03s
Filter Name  : 
NAC Result   : Accepted
Posture Token: Healthy
VM Result    : Static
VLAN         : 10
IKE Sessions: 1 IPsec Sessions: 1 NAC Sessions: 1
IKE:
  Session ID   : 1
  UDP Src Port : 500                    UDP Dst Port : 500
  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeysXauth
  Encryption   : 3DES                   Hashing      : MD5
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 61078 Seconds
  D/H Group    : 2
IPsec:
  Session ID   : 2
  Local Addr   : 0.0.0.0
  Remote Addr  : 192.168.2.70
  Encryption   : AES128                 Hashing      : SHA1                   
  Encapsulation: Tunnel                 
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 26531 Seconds          
  Bytes Tx     : 0                      Bytes Rx     : 604533                 
  Pkts Tx      : 0                      Pkts Rx      : 8126                   
NAC:
  Reval Int (T): 3000 Seconds           Reval Left(T): 286 Seconds
  SQ Int (T)   : 600 Seconds            EoU Age (T)  : 2714 Seconds
  Hold Left (T): 0 Seconds              Posture Token: Healthy
  Redirect URL : www.cisco.com 
The following is sample output from the show vpn-sessiondb ospfv3 command:
asa# show vpn-sessiondb ospfv3 
Session Type: OSPFv3 IPsec
Connection   : 
Index        : 1                      IP Addr      : 0.0.0.0
Protocol     : IPsec
Encryption   : IPsec: (1)none         Hashing      : IPsec: (1)SHA1
Bytes Tx     : 0                      Bytes Rx     : 0
Login Time   : 15:06:41 EST Wed Feb 1 2012
Duration     : 1d 5h:13m:11s
The following is sample output from the show vpn-sessiondb detail ospfv3 command:
asa# show vpn-sessiondb detail ospfv3 
Session Type: OSPFv3 IPsec Detailed
Connection   : 
Index        : 1                      IP Addr      : 0.0.0.0
Protocol     : IPsec
Encryption   : IPsec: (1)none         Hashing      : IPsec: (1)SHA1
Bytes Tx     : 0                      Bytes Rx     : 0
Login Time   : 15:06:41 EST Wed Feb 1 2012
Duration     : 1d 5h:14m:28s
IPsec Tunnels: 1
IPsec:
  Tunnel ID    : 1.1
  Local Addr   : ::/0/89/0
  Remote Addr  : ::/0/89/0
  Encryption   : none                   Hashing      : SHA1                   
  Encapsulation: Transport              
  Idle Time Out: 0 Minutes              Idle TO Left : 0 Minutes              
  Bytes Tx     : 0                      Bytes Rx     : 0                      
  Pkts Tx      : 0                      Pkts Rx      : 0                      
NAC:
  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
  SQ Int (T)   : 0 Seconds              EoU Age(T)   : 105268 Seconds
  Hold Left (T): 0 Seconds              Posture Token: 
  Redirect URL : 
The following is sample output from the show vpn-sessiondb summary command:
asa# show vpn-sessiondb summary 
---------------------------------------------------------------------------
VPN Session Summary                                                        
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concur : Inactive
                             ----------------------------------------------
OSPFv3 IPsec                 :      1 :          1 :           1
---------------------------------------------------------------------------
Total Active and Inactive    :      1             Total Cumulative :      1
Device Total VPN Capacity    :  10000
Device Load                  :     0%
-----------------------------------------------------------------------
The following is sample output from the show vpn-sessiondb det anyconnect command:
asa1# sho vpn-sessiondb det anyconnect
Session Type: AnyConnect Detailed
Username     : rashmi                 Index        : 2
Assigned IP  : 65.2.1.100             Public IP    : 75.2.1.60
Assigned IPv6: 2001:1000::10
Protocol     : IKEv2 IPsecOverNatT AnyConnect-Parent
License      : AnyConnect Premium
Encryption   : IKEv2: (1)3DES  IPsecOverNatT: (1)3DES  AnyConnect-Parent: (1)none
Hashing      : IKEv2: (1)SHA1  IPsecOverNatT: (1)SHA1  AnyConnect-Parent: (1)none
Bytes Tx     : 0                      Bytes Rx     : 21248
Pkts Tx      : 0                      Pkts Rx      : 238
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : DfltGrpPolicy          Tunnel Group : test1
Login Time   : 22:44:59 EST Tue Aug 13 2013
Duration     : 0h:02m:42s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
IKEv2 Tunnels: 1
IPsecOverNatT Tunnels: 1
AnyConnect-Parent Tunnels: 1
AnyConnect-Parent:
  Tunnel ID    : 2.1
  Public IP    : 75.2.1.60
  Encryption   : none                   Hashing      : none
  Auth Mode    : userPassword
  Idle Time Out: 400 Minutes            Idle TO Left : 397 Minutes
  Conn Time Out: 500 Minutes            Conn TO Left : 497 Minutes
  Client OS    : Windows
  Client Type  : AnyConnect
  Client Ver   : 3.1.05050
IKEv2:
  Tunnel ID    : 2.2
  UDP Src Port : 64251                  UDP Dst Port : 4500
  Rem Auth Mode: userPassword
  Loc Auth Mode: rsaCertificate
  Encryption   : 3DES                   Hashing      : SHA1
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 86241 Seconds
  PRF          : SHA1                   D/H Group    : 2
  Filter Name  : mixed1
  Client OS    : Windows
IPsecOverNatT:
  Tunnel ID    : 2.3
  Local Addr   : 75.2.1.23/255.255.255.255/47/0
  Remote Addr  : 75.2.1.60/255.255.255.255/47/0
  Encryption   : 3DES                   Hashing      : SHA1
  Encapsulation: Transport, GRE
  Rekey Int (T): 28400 Seconds          Rekey Left(T): 28241 Seconds
  Idle Time Out: 400 Minutes            Idle TO Left : 400 Minutes
  Conn Time Out: 500 Minutes            Conn TO Left : 497 Minutes
  Bytes Tx     : 0                      Bytes Rx     : 21326
  Pkts Tx      : 0                      Pkts Rx      : 239
NAC:
  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
  SQ Int (T)   : 0 Seconds              EoU Age(T)   : 165 Seconds
  Hold Left (T): 0 Seconds              Posture Token:
  Redirect URL :
As shown in the examples, the fields displayed in response to the show vpn-sessiondb command vary, depending on the keywords you enter. Table 60-2 explains these fields.

Table 60-2 show vpn-sessiondb Command Fields

Field

Description

Auth Mode

Protocol or mode used to authenticate this session.

Bytes Rx

Total number of bytes received from the remote peer or client by the ASA.

Bytes Tx

Number of bytes transmitted to the remote peer or client by the ASA.

Client Type

Client software running on the remote peer, if available.

Client Ver

Version of the client software running on the remote peer.

Connection

Name of the connection or the private IP address.

D/H Group

Diffie-Hellman Group. The algorithm and key size used to generate IPsec SA encryption keys.

Duration

Elapsed time (HH:MM:SS) between the session login time and the last screen refresh.

EAPoUDP Session Age

Number of seconds since the last successful posture validation.

Encapsulation

Mode used to apply IPsec ESP (Encapsulation Security Payload protocol) encryption and authentication (that is, the part of the original IP packet that has ESP applied).

Encryption

Data encryption algorithm this session is using, if any.

EoU Age (T)

EAPoUDP Session Age. Number of seconds since the last successful posture validation.

Filter Name

Username specified to restrict the display of session information.

Hashing

Algorithm used to create a hash of the packet, which is used for IPsec data authentication.

Hold Left (T)

Hold-Off Time Remaining. 0 seconds if the last posture validation was successful. Otherwise, the number of seconds remaining before the next posture validation attempt.

Hold-Off Time Remaining

0 seconds if the last posture validation was successful. Otherwise, the number of seconds remaining before the next posture validation attempt.

IKE Neg Mode

IKE (IPsec Phase 1) mode for exchanging key information and setting up SAs: Aggressive or Main.

IKE Sessions

Number of IKE (IPsec Phase 1) sessions; usually 1. These sessions establish the tunnel for IPsec traffic.

Index

Unique identifier for this record.

IP Addr

Private IP address assigned to the remote client for this session. This is also known as the "inner" or "virtual" IP address. It lets the client appear to be a host on the private network.

IPsec Sessions

Number of IPsec (Phase 2) sessions, which are data traffic sessions through the tunnel. Each IPsec remote-access session can have two IPsec sessions: one consisting of the tunnel endpoints, and one consisting of the private networks reachable through the tunnel.

License Information

Shows information about the shared SSL VPN license.

Local IP Addr

IP address assigned to the local endpoint of the tunnel (that is the interface on the ASA).

Login Time

Date and time (MMM DD HH:MM:SS) that the session logged in. Time is displayed in 24-hour notation.

NAC Result

State of Network Admission Control Posture Validation. It can be one of the following:

•Accepted—The ACS successfully validated the posture of the remote host.

•Rejected—The ACS could not successfully validate the posture of the remote host.

•Exempted—The remote host is exempt from posture validation according to the Posture Validation Exception list configured on the ASA.

•Non-Responsive—The remote host did not respond to the EAPoUDP Hello message.

•Hold-off—The ASA lost EAPoUDP communication with the remote host after successful posture validation.

•N/A—NAC is disabled for the remote host according to the VPN NAC group policy.

•Unknown—Posture validation is in progress.

NAC Sessions

Number of Network Admission Control (EAPoUDP) sessions.

Packets Rx

Number of packets received from the remote peer by the ASA.

Packets Tx

Number of packets transmitted to the remote peer by the ASA.

PFS Group

Perfect Forward Secrecy group number.

Posture Token

Informational text string configurable on the Access Control Server. The ACS downloads the posture token to the ASA for informational purposes to aid in system monitoring, reporting, debugging, and logging. A typical posture token is Healthy, Checkup, Quarantine, Infected, or Unknown.

Protocol

Protocol the session is using.

Public IP

Publicly routable IP address assigned to the client.

Redirect URL

Following posture validation or clientless authentication, the ACS downloads the access policy for the session to the ASA. The Redirect URL is an optional part of the access policy payload. The ASA redirects all HTTP (port 80) and HTTPS (port 443) requests for the remote host to the Redirect URL if it is present. If the access policy does not contain a Redirect URL, the ASA does not redirect HTTP and HTTPS requests from the remote host.

Redirect URLs remain in force until either the IPsec session ends or until posture revalidation, for which the ACS downloads a new access policy that can contain a different redirect URL or no redirect URL.

Rekey Int (T)

Lifetime of the IPsec (IKE) SA encryption keys.

Rekey Left (T)

Lifetime remaining of the IPsec (IKE) SA encryption keys.

Rekey Time Interval

Lifetime of the IPsec (IKE) SA encryption keys.

Remote IP Addr

IP address assigned to the remote endpoint of the tunnel (that is the interface on the remote peer).

Reval Int (T)

Revalidation Time Interval. Interval in seconds required between each successful posture validation.

Reval Left (T)

Time Until Next Revalidation. 0 if the last posture validation attempt was unsuccessful. Otherwise, the difference between the Revalidation Time Interval and the number of seconds since the last successful posture validation.

Revalidation Time Interval

Interval in seconds required between each successful posture validation.

Session ID

Identifier for the session component (subsession). Each SA has its own identifier.

Session Type

Type of session: LAN-to-LAN or Remote

SQ Int (T)

Status Query Time Interval. Time in seconds allowed between each successful posture validation or status query response and the next status query response. A status query is a request made by the ASA to the remote host to indicate whether the host has experienced any changes in posture since the last posture validation.

Status Query Time Interval

Time in seconds allowed between each successful posture validation or status query response and the next status query response. A status query is a request made by the ASA to the remote host to indicate whether the host has experienced any changes in posture since the last posture validation.

Time Until Next Revalidation

0 if the last posture validation attempt was unsuccessful. Otherwise, the difference between the Revalidation Time Interval and the number of seconds since the last successful posture validation.

Tunnel Group

Name of the tunnel group referenced by this tunnel for attribute values.

UDP Dst Port
or
UDP Destination Port

Port number used by the remote peer for UDP.

UDP Src Port
or
UDP Source Port

Port number used by the ASA for UDP.

Username

User login name with which the session is established.

VLAN

Egress VLAN interface assigned to this session. The ASA forwards all traffic to that VLAN. One of the following elements specifies the value:

•Group policy

•Inherited group policy

Related Commands

Command

Description

show running-configuration vpn-sessiondb

Displays the VPN session database running configuration (max-other-vpn-limit, max-anyconnect-premium-or-essentials-limit).

show vpn-sessiondb ratio

Displays VPN session encryption or protocol ratios.

show vpn-sessiondb summary

Displays a summary of all VPN sessions.

show vpn-sessiondb license-summary

To display a summary of VPN license information for the ASA, use the show vpn-sessiondb license-summary command in privileged EXEC mode.

show vpn-sessiondb license-summary
Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

•

•

—

•

•

Command History

Release

Modification

8.4(1)

This command was introduced.

9.0(1)

Support for multiple context mode was added.

Examples

The following is sample output for the show vpn-sessiondb ratio command, with encryption as the argument:
hostname(config)# show vpn-sessiondb license-summary
---------------------------------------------------------------------------
VPN Licenses and Configured Limits Summary                                 
---------------------------------------------------------------------------
                                     Status : Installed : Burst:  Limit
                                  -----------------------------------------
AnyConnect Premium               :  ENABLED :      750 :         20 :   NONE
AnyConnect Essentials            : DISABLED :      750 :         10 :   NONE
Other VPN (Available by Default) :  ENABLED :      750 :       750 :   NONE
Shared License Server            :  DISABLED 
Shared License Participant					: DISABLED
AnyConnect for Mobile            : DISABLED(Requires Premium or Essentials)
Advanced Endpoint Assessment     : DISABLED(Requires Premium)
VPN-3DES-AES                     :  ENABLED
VPN-DES                          :  ENABLED
AnyConnect for Cisco VPN Phone   : DISABLED
---------------------------------------------------------------------------
---------------------------------------------------------------------------
VPN Licenses Usage Summary                                                 
---------------------------------------------------------------------------
                          Local : Shared :   All  :   Peak :  Eff.  :      
                         In Use : In Use : In Use : In Use :  Limit : Usage
                       ----------------------------------------------------
AnyConnect Premium     :      0 :      0 :      0 :      0 :      2 :    0%
  AnyConnect Client    :                 :      0 :      0          :    0%
    AnyConnect Mobile  :                 :      0 :      0          :    0%
  Clientless VPN       :                 :      0 :      0          :    0%
Other VPN              :                 :      0 :      0 :    750 :    0%
  Cisco VPN Client/    :                 :      0 :      0          :    0%
  L2TP Clients
  Site-to-Site VPN     :                 :      0 :      0          :    0%
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Shared License Network Summary                                             
---------------------------------------------------------------------------
AnyConnect Premium                                                         
  Total shared licenses in network                              :     12000
  Shared licenses held by this participant                      :         0
  Shared licenses held by all participants in the network       :         0
---------------------------------------------------------------------------
hostname(config)# 
Related Commandsshow vpn-sessiondb ratio

Command

Description

show vpn-sessiondb

Displays sessions with or without extended details, optionally filtered and sorted by criteria you specify.

show vpn-sessiondb summary

Displays a session summary, including total current session, current sessions of each type, peak and total cumulative, maximum concurrent sessions

show vpn-sessiondb ratio

To display the ratio of current sessions as a percentage by protocol or encryption algorithm, use the show vpn-sessiondb ratio command in privileged EXEC mode.

show vpn-sessiondb ratio {protocol | encryption} [filter groupname]
Syntax Description

encryption

Identifies the encryption protocols you want to display. Refers to phase 2 encryption. Encryption algorithms include:

aes128

aes192

aes256

des

3des

rc4

filter groupname

Filters the output to include session ratios only for the tunnel group you specify.

protocol

Identifies the protocols you want to display. Protocols include:

IKEv1

IKEv2

IPsec

IPsecLAN2LAN

IPsecLAN2LANOverNatT

IPsecOverNatT

IPsecOverTCP

IPsecOverUDP

L2TPOverIPsec

L2TPOverIPsecOverNatT

Clientless

Port-Forwarding

IMAP4S

POP3S

SMTPS

AnyConnect-Parent

SSL-Tunnel

DTLS-Tunnel

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

•

•

—

•

•

Command History

Release

Modification

7.0(1)

This command was introduced.

8.4(1)

The output was enhanced to include IKEv2.

9.0(1)

Support for multiple context mode was added.

Examples

The following is sample output for the show vpn-sessiondb ratio command, with encryption as the argument:
hostname# show vpn-sessiondb ratio encryption
Filter Group         : All
Total Active Sessions: 5
Cumulative Sessions  : 9
Encryption               Sessions       Percent        
none                     0               0%
DES                      1              20%
3DES                     0               0%
AES128                   4 									80%
AES192                   0               0%
AES256                   0               0%
The following is sample output for the show vpn-sessiondb ratio command with protocol as the argument:
hostname# show vpn-sessiondb ratio protocol
Filter Group         : All
Total Active Sessions: 6
Cumulative Sessions  : 10
Protocol                 Sessions       Percent        
IKE                      0               0%
IPsec                    1              20%
IPsecLAN2LAN             0               0%
IPsecLAN2LANOverNatT     0               0%
IPsecOverNatT            0               0%
IPsecOverTCP             1 							20%
IPsecOverUDP             0               0%
L2TP                     0               0%
L2TPOverIPsec            0               0%
L2TPOverIPsecOverNatT    0               0%
PPPoE                    0               0%
vpnLoadBalanceMgmt       0               0%
userHTTPS                0               0%
IMAP4S                   3 					30%
POP3S                    0               0%
SMTPS                    3 							30%
Related Commandsshow vpn-sessiondb ratio

Command

Description

show vpn-sessiondb

Displays sessions with or without extended details, optionally filtered and sorted by criteria you specify.

show vpn-sessiondb summary

Displays a session summary, including total current session, current sessions of each type, peak and total cumulative, maximum concurrent sessions

show vpn-sessiondb summary

To display the number of IPsec, Cisco AnyConnect, and NAC sessions, use the show vpn-sessiondb summary command in privileged EXEC mode.

show vpn-sessiondb summary
Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

•

•

—

•

•

Command History

Release

Modification

7.0(7)

This command was introduced.

8.0(2)

Added the VLAN Mapping Sessions table.

8.0(5)

Added new output for active, cumulative, peak concurrent, and inactive.

9.0(1)

Support for multiple context mode was added.

Examples

The following is sample output for the show vpn-sessiondb summary command with one IPsec IKEv1 and one clientless session:

Note A device in standby does not differentiate active from inactive sessions.
hostname# show vpn-sessiondb summary
VPN Session Summary
Sessions: 
							Active :	Cumulative :	Peak Concurrent :	Inactive :
	Clientless VPN		 					:		1:			2:				1  
	Browser							:		1:			2:				1 
	IKEv1 IPsec/L2TP IPsec					0		:		1:			1:				1 
Total Active and Inactive: 2						 			Total Cumulative: 3
Device Total VPN Capacity: 10000
Device Load						: 0%
License Information:
	Shared VPN License Information:
		SSL VPN								: 12000
			Allocated to this device							:	 0
			Allocated to network							:	 0
			Device limit							: 750
IPsec		:	750 		Configured :	750				Active : 	0			Load : 	0%
SSL VPN		:	750		Configured :	750				Active :		 0		Load :	 0%
						Active : Cumulative : Peak Concurrent
SSL VPN 				:			0 :			1 :				1
Totals				:			0 :			1 :
Active NAC Sessions: 
  Accepted               : 0 
  Rejected               : 0 
  Exempted               : 0 
  Non-responsive         : 0 
Hold-off               : 0 
  N/A                    : 0 
Active VLAN Mapping Sessions: 
  Static                 : 0 
  Auth                   : 0 
  Access                 : 0 
  Guest                  : 0 
  Quarantine             : 0 
  N/A                    : 0 
F1-asa1#
You can use the SSL output to determine the physical device resources in respect to the number of licenses. A single user session may occupy a license but could use multiple tunnels. For example, an AnyConnect user with DTLS often has the parent session, SSL tunnel, and DTLS tunnels associated with it.

Note The parent session represents when the client is not actively connected. It does not represent an encrypted tunnel. If the client shuts down, or sleeps, IPsec, IKE, TLS, and DLTLS tunnels are closed, but the parent session remains until the idle time or maximum connect time limit is reached. This enables the user to reconnect without reauthenticating.

With this example, you would see three tunnels allocated on the device, even if only one user is logged in. An IPsec LAN-to-LAN tunnel counts as one session, and it allows many host-to-host connections through the tunnel. An IPsec remote access session is one remote access tunnel that supports one user connection.

From the output you can see which sessions are active. If a session has no underlying tunnels associated to it, the status is waiting to resume mode (displayed as Clientless in the session output). This mode means that dead peer detection from the head-end device has started, and the head-end device can no longer communicate with the client. When you encounter this condition, you can hold the session to allow the user to roam networks, go to sleep, recover the session, and so on. These sessions count towards the actively connected sessions (from a license standpoint) and are cleared with a user idle timeout, a user logging out, or a resumption of the original session.

The Active SSL VPN With Client column shows the number of active connections passing data. The Cumulative SSL VPN With Client column shows the number of active sessions that have been established. It includes those that are inactive and increments only when a new session is added. The Peak Concurrent SSL VPN With Client column shows the peak number of concurrently active sessions that are passing data. The Inactive SSL VPN With Client column shows how long the AnyConnect client was disconnected. You can use this Inactivity timeout value to determine when licenses are expired. The ASA can then determine whether reconnection is possible. These are AnyConnect sessions without an active SSL tunnel associated with them.

Table 60-3 explains the fields in the Active Sessions and Session Information tables.

Table 60-3 show vpn-sessiondb summary Command: Active Sessions and Session Information Fields

Field

Description

Concurrent Limit

Maximum number of concurrently active sessions permitted on this ASA.

Cumulative Sessions

Number of sessions of all types since the ASA was last booted or reset.

LAN-to-LAN

Number of IPsec LAN-to-LAN sessions that are currently active.

Peak Concurrent

Highest number of sessions of all types that were concurrently active since the ASA was last booted or reset.

Percent Session Load

Percentage of the vpn session allocation in use. This value equals the Total Active Sessions divided by the maximum number of sessions available, displayed as a percentage. The maximum number of sessions available can be either of the following:

•Maximum number of IPsec and SSL VPN sessions licensed

•vpn-sessiondb ? (maximum number of sessions configured)

•max-anyconnect-premium-or-essentials-limit (maximum AnyConnect Premium or Essentials session limit)

•max-other-vpn-limit (maximum other VPN session limit)

Remote Access

ra-ikev1-ipsec—Number of IKEv1 IPsec remote-access user, L2TP over IPsec, and IPsec through NAT sessions that are currently active.

Total Active Sessions

Number of sessions of all types that are currently active.

The Active NAC Sessions table shows general statistics about remote peers that are subject to posture validation.

The Cumulative NAC Sessions table shows general statistics about remote peers that are or have been subject to posture validation.

Table 60-2 explains the fields in the Active NAC Sessions and Total Cumulative NAC Sessions tables.

Table 60-4 show vpn-sessiondb summary Command: Active NAC Sessions and Total Cumulative NAC Sessions Fields

Field

Description

Accepted

Number of peers that passed posture validation and have been granted an access policy by an Access Control Server.

Exempted

Number of peers that are not subject to posture validation because they match an entry in the Posture Validation Exception list configured on the ASA.

Hold-off

Number of peers for which the ASA lost EAPoUDP communications after a successful posture validation. The NAC Hold Timer attribute (Configuration > VPN > NAC) determines the delay between this type of event and the next posture validation attempt for each peer.

N/A

Number of peers for which NAC is disabled according to the VPN NAC group policy.

Non-responsive

Number of peers not responsive to Extensible Authentication Protocol (EAP) over UDP requests for posture validation. Peers on which no CTA is running do not respond to these requests. If the ASA configuration supports clientless hosts, the Access Control Server downloads the access policy associated with clientless hosts to the ASA for these peers. Otherwise, the ASA assigns the NAC default policy.

Rejected

Number of peers that failed posture validation or were not granted an access policy by an Access Control Server.

The Active VLAN Mapping Sessions table shows general statistics about remote peers that are subject to posture validation.

The Cumulative VLAN Mapping Sessions table shows general statistics about remote peers that are or have been subject to posture validation.

Table 60-5 explains the fields in the Active VLAN Mapping Sessions and Cumulative VLAN Mapping Sessions tables.

Table 60-5 show vpn-sessiondb summary Command: Active VLAN Mapping Sessions and Cumulative Active VLAN Mapping Sessions Fields

Field

Description

Access

Reserved for future use.

Auth

Reserved for future use.

Guest

Reserved for future use.

N/A

Reserved for future use.

Quarantine

Reserved for future use.

Static

This field shows the number of VPN sessions assigned to a pre-configured VLAN.

Related Commands Total Active Sessions : 7

Command

Description

show vpn-sessiondb

Displays sessions with or without extended details, optionally filtered and sorted by criteria you specify.

show vpn-sessiondb ratio

Displays VPN session encryption or protocol ratios.

show wccp

To display global statistics related to Web Cache Communication Protocol (WCCP), use the show wccp command in privileged EXEC mode.

show wccp {web-cache | service-number}[detail | view]
Syntax Description

detail

(Optional) Displays information about the router and all web caches.

service-number

(Optional) Identification number of the web-cache service group being controlled by the cache. The number can be from 0 to 256. For web caches using Cisco Cache Engines, the reverse proxy service is indicated by a value of 99.

view

(Optional) Displays other members of a particular service group have or have not been detected.

web-cache

Specifies statistics for the web-cache service.

Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

•

•

•

•

—

Command History

Release

Modification

7.2(1)

This command was introduced.

Examples

The following example shows how to display WCCP information:
hostname(config)# show wccp
Global WCCP information:
    Router information:
        Router Identifier:                   -not yet determined-
        Protocol Version:                    2.0
    Service Identifier: web-cache
        Number of Cache Engines:             0
        Number of routers:                   0
        Total Packets Redirected:            0
        Redirect access-list:                foo
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            0
        Group access-list:                   foobar
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0
hostname(config)# 
Related Commands

Commands

Description

wccp

Enables support of WCCP with service groups.

wccp redirect

Enables support of WCCP redirection.

show webvpn csd

To determine whether CSD is enabled, display the CSD version in the running configuration, determine what image is providing the Host Scan package, and to test a file to see if it is a valid CSD distribution package, use the show webvpn csd command in privileged EXEC mode.

show webvpn csd [image filename]

Syntax Description

filename

Specifies the name of a file to test for validity as a CSD distribution package. It must take the form csd_n.n.n-k9.pkg.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC mode

•

—

•

—

Command History

Release

Modification

7.1(1)

This command was introduced.

Examples

Use the show webvpn csd command to check the operational status of CSD. The CLI responds with a message indicating if CSD is installed and if it is enabled, if Host Scan is installed and if it is enabled, and which image is supplying the Host Scan package if there is both a CSD package and a Host Scan package installed.
hostname# show webvpn csd
These are the messages you could receive:

•user `pat' from 209.165.201.2 authenticated

user `robin' from 209.165.201.4 authorized to:

• port 192.168.67.34/telnet 192.168.67.11/http 192.168.67.33/tcp/8001n.n.n.n is currently installed but not enabled

192.168.67.56/tcp/25 192.168.67.42/ftp

•user `terry' from 209.165.201.7 authorized to:n.n.n.n is currently installed and enabled
Standalone Hostscan package is not installed (Hostscan is currently installed and 
enabled via the CSD package)
The message, "                       port 192.168.1.50/http                                     209.165.201.8/httpn.n.n.n is currently installed ..." means that the image is loaded on the ASA and in the running configuration. The image can be either enabled or not enabled. You can go to webvpn configuration mode and enter the csd enable command to enable CSD.

The messaage, "URL Filter Cache Stats" means that the Host Scan package delivered with the CSD package is the Host Scan package in use.

•----------------------n.n.n.n is currently installed and enabled

Entries :                                   36n.n.n.n is currently installed and enabled

The message, "             In Use :                                   30n.n.n.n is currently installed and enabled Hostscan version n.n.n.n is currently installed and enabled" means that both CSD and a Host Scan package, delivered either as a standalone package or as part of an AnyConnect image, are installed. If Host Scan is enabled and both CSD and an AnyConnect image with Host Scan, or a standalone Host Scan package, are installed and enabled, the Host Scan package delivered as a standalone package or as part of an AnyConnect image takes precedence over the one provided with a CSD package.

•Lookups :                                   300n.n.n.n is currently installed but not enabled

hostname#n.n.n.n is currently installed but not enabled

Use the show webvpn csd image filename command to test a file to determine if a CSD distribution package is valid.

hostname# show webvpn csd image csd_n.n.n-k9.pkg

The CLI responds with one of the following messages when you enter this command:

•hostname#

Make sure the filename is in the form the form csd_n.n.n_k9.pkg. If the csd package does not have this naming convention, replace the file with one obtained from the following website:

http://www.cisco.com/pcgi-bin/tablebuild.pl/securedesktop

Then reenter the show webvpn csd image command. If the image is valid, use the csd image and csd enable commands in webvpn configuration mode to install and enable CSD.

•Secure Desktop is not installed

Hostscan is not installed

Secure Desktop version

Standalone Hostscan package is not installed (Hostscan is currently installed via the CSD package but not enabled)

Note that the CLI provides both the version and date stamp if the file is valid.

Related Commands

Command

Description

csd enable

Enables CSD for management and remote user access.

csd image

Copies the CSD image named in the command, from the flash drive specified in the path to the running configuration.

show webvpn group-alias

To display the aliases for a specific tunnel-group or for all tunnel groups, use the group-alias command in privileged EXEC mode.

show webvpn group-alias [tunnel-group]
Syntax Description

tunnel-group

(Optional) Specifies a particular tunnel group for which to show the group aliases.

Defaults

If you do not enter a tunnel-group name, this command displays all the aliases for all the tunnel groups.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

•

—

•

—

Command History

Release

Modification

7.1

This command was introduced.

Usage Guidelines

WebVPN must be running when you enter the show webvpn group-alias command.

Each tunnel group can have multiple aliases or no alias.

Examples

The following example shows the show webvpn group-alias command that displays the aliases for the tunnel group "devtest" and the output of that command:
hostname# show webvpn group-alias devtest
QA
Fra-QA
Related Commands

Command

Description

group-alias

Specifies one or more URLs for the group.

tunnel-group webvpn-attributes

Enters the config-webvpn mode for configuring WebVPN tunnel-group attributes.

show webvpn group-url

To display the URLs for a specific tunnel-group or for all tunnel groups, use the group-url command in privileged EXEC mode.

show webvpn group-url [tunnel-group]
Syntax Description

tunnel-group

(Optional) Specifies a particular tunnel group for which to show the URLs.

Defaults

If you do not enter a tunnel-group name, this command displays all the URLs for all the tunnel groups.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

•

—

•

—

Command History

Release

Modification

7.1(1)

This command was introduced.

Usage Guidelines

WebVPN must be running when you enter the show webvpn group-url command. Each group can have multiple URLs or no URL.

Examples

The following example shows the show webvpn group-url command that displays the URLs for the tunnel group "frn-eng1" and the output of that command:
hostname# show webvpn group-url
http://www.cisco.com
https://fra1.example.com
https://fra2.example.com
Related Commands

Command

Description

group-url

Specifies one or more URLs for the group.

tunnel-group webvpn-attributes

Enters the config-webvpn mode for configuring WebVPN tunnel-group attributes.

show webvpn kcd

Use the show webvpn kcd command in webvpn configuration mode to display the Domain Controller information and Domain join status on the ASA.

show webvpn kcd
Syntax Description

None.

Defaults

There are no defaults for this command.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

webvpn configuration

•

—

•

—

Command History

Release

Modification

8.4(1)

This command was introduced.

Usage Guidelines

The show webvpn kcd command in webvpn configuration mode displays the Domain Controller information and Domain join status on the ASA.

Examples

The following example shows important details to note from the show webvpn kcd command and the interpretation of the status message.

This example shows that the registration is under way and not finished:

Secure Desktop version show webvpn kcd
Kerberos Realm: CORP.TEST.INTERNAL
Domain Join: In-Progress

This example shows that a registration was successful and that the ASA has joined the domain:
hostname# show webvpn kcd 
Kerberos Realm: CORP.TEST.INTERNAL 
Domain Join: Complete
Related Commands

Command

Description

clear aaa kerberos

Clears all the Kerberos tickets cached on the ASA.

kcd-server

Allows the ASA to join an Active Directory domain.

show aaa kerberos

Displays all the Kerberos tickets cached on the ASA.

show webvpn sso-server

To display the operating statistics for Webvpn single sign-on servers, use the show webvpn sso-server command in privileged EXEC mode.

show webvpn sso-server [name]
Syntax Description

Syntax DescriptionSyntax Description

name

Optionally specifies the name of the SSO server. The server name must be between four and 31 characters in length.

Defaults

No default values or behavior.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Config-webvpn-sso-saml

•

—

•

—

Config-webvpn-sso-siteminder

•

—

•

—

Privileged EXEC

•

—

•

—

Command History

Release

Modification

7.1(1)

This command was introduced.

Usage Guidelines

Single sign-on support, available only for WebVPN, lets users access different secure services on different servers without entering a username and password more than once. The show webvpn sso-server command displays operating statistics for any and all SSO servers configured on the security device.

If no SSO server name argument is entered, statistics for all SSO servers display.

Examples

The following example, entered in privileged EXEC mode, displays statistics for a SiteMinder-type SSO server named example:
hostname# show webvpn sso-server example
Name: example
Type: SiteMinder
Authentication Scheme Version: 1.0
Web Agent URL: http://www.example.com/webvpn
Number of pending requests:        0
Number of auth requests:           0
Number of retransmissions:         0
Number of accepts:                 0
Number of rejects:                 0
Number of timeouts:                0
Number of unrecognized responses:  0
hostname#
The following example of the command issued without a specific SSO server name, displays statistics 
for all configured SSO servers on the ASA:
hostname#(config-webvpn)# show webvpn sso-server
Name: high-security-server
Type: SAML-v1.1-POST
Assertion Consumer URL: 
Issuer:                 
Number of pending requests:        0
Number of auth requests:           0
Number of retransmissions:         0
Number of accepts:                 0
Number of rejects:                 0
Number of timeouts:                0
Number of unrecognized responses:  0
Name: my-server
Type: SAML-v1.1-POST
Assertion Consumer URL: 
Issuer:                 
Number of pending requests:        0
Number of auth requests:           0
Number of retransmissions:         0
Number of accepts:                 0
Number of rejects:                 0
Number of timeouts:                0
Number of unrecognized responses:  0
Name: server
Type: SiteMinder
Authentication Scheme Version: 1.0
Web Agent URL: 
Number of pending requests:        0
Number of auth requests:           0
Number of retransmissions:         0
Number of accepts:                 0
Number of rejects:                 0
Number of timeouts:                0
Number of unrecognized responses:  0
asa1(config-webvpn)# 
Related Commands

Command

Description

max-retry-attempts

Configures the number of times the ASA retries a failed SSO authentication attempt.

policy-server-secret

Creates a secret key used to encrypt authentication requests to a SiteMinder-type SSO server.

request-timeout

Specifies the number of seconds before a failed SSO authentication attempt times out.

sso-server

Creates a single sign-on server.

web-agent-url

Specifies the SSO server URL to which the ASA makes SiteMinder SSO authentication requests.

show webvpn anyconnect

To view information about SSL VPN client images installed on the ASA and loaded in cache memory, or to test a file to see if it is a valid client image, use the show webvpn anyconnect command from privileged EXEC mode.

show webvpn anyconnect [image filename]

Syntax Description

image filename

Specifies the name of a file to test as an SSL VPN client image file.

Defaults

This command has no default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

•

—

•

—

Command History

Release

Modification

7.1(1)

This command was introduced.

8.4(1)

The show webvpn anyconnect form of the command replaced show webvpn svc.

Usage Guidelines

Use the show webvpn anyconnect command to view information about SSL VPN client images that are loaded in cache memory and available for download to remote PCs. Use the image filename keyword and argument to test a file to see if it is a valid image. If the file is not a valid image, the following message appears:
ERROR: This is not a valid SSL VPN Client image file.
Examples

The following example shows the output of the show webvpn anyconnect command for currently installed images:
hostname# show webvpn anyconnect
1. windows.pkg 1
SSL VPN Client
CISCO STC win2k+ 1.1.0
1,1,0,107
Thu 04/14/2005 09:27:54.43
2. window2.pkg 2
CISCO STC win2k+ 1.1.0
1,1,0,107
Thu 04/14/2005 09:27:54.43
The following example shows the output of the show webvpn anyconnect image filename command for a valid image:
hostname(config-webvpn)# show webvpn anyconnect image sslclient-win-1.0.2.127.pkg
This is a valid SSL VPN Client image:
  CISCO STC win2k+ 1.0.0
  1,0,2,127
  Fri 07/22/2005 12:14:45.43
Related Commands

Command

Description

anyconnect enable

Enables the ASA to download the SSL VPN client to remote PCs.

anyconnect image

Causes the security appliance to load SSL VPN client files from flash memory to cache memory, and specifies the order in which the security appliance downloads portions of the client image to the remote PC as it attempts to match the client image with the operating system.

vpn-tunnel-protocol

Enables specific VPN tunnel protocols for remote VPN users, including SSL used by an SSL VPN client.

show xlate

To display information about NAT sessions (xlates), use the show xlate command in privileged EXEC mode.

show xlate [global ip1[-ip2] [netmask mask]] [local ip1[-ip2] [netmask mask]]
[gport port1[-port2]] [lport port1[-port2]] [interface if_name] [type type]
show xlate count
Syntax Description

count

Displays the translation count.

global ip1[-ip2]

(Optional) Displays the active translations by mapped IP address or range of addresses.

gport port1[-port2]

Displays the active translations by the mapped port or range of ports.

interface if_name

(Optional) Displays the active translations by interface.

local ip1[-ip2]

(Optional) Displays the active translations by real IP address or range of addresses.

lport port1[-port2]

Displays the active translations by real port or range of ports.

netmask mask

(Optional) Specifies the network mask to qualify the mapped or real IP addresses.

state state

(Optional) Displays the active translations by type. You can enter one or more of the following types:

•static

•portmap

•dynamic

•twice-nat

When specifying more than one type, separate the types with a space.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

•

•

•

•

—

Command History

Release

Modification

8.3(1)

This command was modified to support the new NAT implementation.

8.4(3)

The e flag was added to show use of extended PAT. In addition, the destination address to which the xlate is extended is shown.

9.0(1)

This command was modified to support IPv6.

Usage Guidelines

The show xlate command displays the contents of the translation slots.

When the vpnclient configuration is enabled and the inside host is sending out DNS requests, the show xlate command may list multiple xlates for a static translation.

In an ASA clustering environment, up to three xlates may be duplicated to different nodes in the cluster to handle a PAT session. One xlate is created on the unit that owns the connection. One xlate is created on a different unit to backup the PAT address. Finally, one xlate exists on the director that replicates the flow. In the case where the backup and director is the same unit, two instead of three xlates may be created.

Examples

The following is sample output from the show xlate command.
hostname# show xlate
5 in use, 5 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
       e - extended
NAT from any:10.90.67.2 to any:10.9.1.0/24
    flags idle 277:05:26 timeout 0:00:00
NAT from any:10.1.1.0/24 to any:172.16.1.0/24
    flags idle 277:05:26 timeout 0:00:00
NAT from any:10.90.67.2 to any:10.86.94.0
    flags idle 277:05:26 timeout 0:00:00
NAT from any:10.9.0.9, 10.9.0.10/31, 10.9.0.12/30, 
    10.9.0.16/28, 10.9.0.32/29, 10.9.0.40/30, 
    10.9.0.44/31 to any:0.0.0.0
    flags idle 277:05:26 timeout 0:00:00
NAT from any:10.1.1.0/24 to any:172.16.1.0/24
    flags idle 277:05:14 timeout 0:00:00
The following is sample output from the show xlate command showing use of the e - extended flag and the destination address to which the xlate is extended.
hostname# show xlate
1 in use, 1 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
       e - extended
ICMP PAT from inside:10.2.1.100/6000 to outside:172.16.2.200/6000(172.16.2.99)
	flags idle 0:00:06 timeout 0:00:30
TCP PAT from inside:10.2.1.99/5 to outside:172.16.2.200/5(172.16.2.90)
	flags idle 0:00:03 timeout 0:00:30
UDP PAT from inside:10.2.1.101/1025 to outside:172.16.2.200/1025(172.16.2.100)
	flags idle 0:00:10 timeout 0:00:30
The following is sample output from the show xlate command showing a translation from IPv4 to IPv6.
hostname# show xlate
1 in use, 2 most used
NAT from outside:0.0.0.0/0 to in:2001::/96
flags sT idle 0:16:16 timeout 0:00:00
Related Commands

Command

Description

clear xlate

Clears current translation and connection information.

show conn

Displays all active connections.

show local-host

Displays the local host network information.

show uauth

Displays the currently authenticated users.