Table Of Contents

show isakmp ipsec-over-tcp stats through show ospf virtual-links Commands

show isakmp ipsec-over-tcp stats

show isakmp sa

show isakmp stats

show kernel

show kernel bridge

show lacp

show lacp cluster

show local-host

show logging

show logging flow-export-syslogs

show logging rate-limit

show mac-address-table

show management-access

show memory

show memory api

show memory app-cache

show memory binsize

show memory delayed-free-poisoner

show memory profile

show memory top-usage

show memory tracking

show memory webvpn

show memory-caller address

show mfib

show mfib active

show mfib count

show mfib interface

show mfib reserved

show mfib status

show mfib summary

show mfib verbose

show mgcp

show mmp

show mode

show module

show monitor-interface

show mrib client

show mrib route

show mroute

show nac-policy

show nameif

show nat

show nat pool

show ntp associations

show ntp status

show object-group

show ospf

show ospf border-routers

show ospf database

show ospf flood-list

show ospf interface

show ospf neighbor

show ospf request-list

show ospf retransmission-list

show ospf summary-address

show ospf traffic

show ospf virtual-links

show isakmp ipsec-over-tcp stats through show ospf virtual-links Commands

---

show isakmp ipsec-over-tcp stats

To display runtime statistics for IPsec over TCP, use the show isakmp ipsec-over tcp stats command in global configuration mode or privileged EXEC mode.

show isakmp ipsec-over-tcp stats

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	—	•	•	—
Privileged EXEC	•	—	•	•	—

Command History

Release	Modification
7.0(1)	The show isakmp ipsec-over-tcp stats command was introduced.
7.2(1)	The show isakmp ipsec-over-tcp stats command was deprecated. The show crypto isakmp ipsec-over-tcp stats command replaces it.
9.0(1)	Support for multiple context mode was added.

Usage Guidelines

The output from this command includes the following fields:

•Embryonic connections

•Active connections

•Previous connections

•Inbound packets

•Inbound dropped packets

•Outbound packets

•Outbound dropped packets

•RST packets

•Received ACK heart-beat packets

•Bad headers

•Bad trailers

•Timer failures

•Checksum errors

•Internal errors

Examples

The following example, issued in global configuration mode, displays ISAKMP statistics:

hostname(config)# show isakmp ipsec-over-tcp stats

Global IPsec over TCP Statistics

--------------------------------

Embryonic connections: 2

Active connections: 132

Previous connections: 146

Inbound packets: 6000

Inbound dropped packets: 30

Outbound packets: 0

Outbound dropped packets: 0

RST packets: 260

Received ACK heart-beat packets: 10

Bad headers: 0

Bad trailers: 0

Timer failures: 0

Checksum errors: 0

Internal errors: 0

hostname(config)# 

Related Commands

Command	Description
clear configure crypto isakmp	Clears all the ISAKMP configuration.
clear configure crypto isakmp policy	Clears all ISAKMP policy configuration.
clear crypto isakmp sa	Clears the IKE runtime SA database.
crypto isakmp enable	Enables ISAKMP negotiation on the interface on which the IPsec peer communicates with the ASA.
show running-config crypto isakmp	Displays all the active ISAKMP configuration.

show isakmp sa

To display the IKE runtime SA database, use the show isakmp sa command in global configuration mode or privileged EXEC mode.

show isakmp sa [detail]

Syntax Description

detail

Displays detailed output about the SA database.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	—	•	•	—
Privileged EXEC	•	—	•	•	—

Command History

Release	Modification
7.0(1)	The show isakmp sa command was introduced.
7.2(1)	This command was deprecated. The show crypto isakmp sa command replaces it.
9.0(1)	Support for multiple context mode was added.

Usage Guidelines

The output from this command includes the following fields:

IKE Peer	Type	Dir	Rky	State
209.165.200.225	L2L	Init	No	MM_Active

Detail not specified.

IKE Peer	Type	Dir	Rky	State	Encrypt	Hash	Auth	Lifetime
209.165.200.225	L2L	Init	No	MM_Active	3des	md5	preshrd	86400

Detail specified.

Examples

The following example, entered in global configuration mode, displays detailed information about the SA database:

hostname(config)# show isakmp sa detail

IKE Peer	  Type  Dir   Rky  State      Encrypt Hash  Auth    Lifetime

1 209.165.200.225 User  Resp  No   AM_Active  3des    SHA   preshrd 86400

IKE Peer	  Type  Dir   Rky  State      Encrypt Hash  Auth    Lifetime

2 209.165.200.226 User  Resp  No   AM_ACTIVE  3des    SHA   preshrd 86400

IKE Peer	  Type  Dir   Rky  State      Encrypt Hash  Auth    Lifetime

3 209.165.200.227 User  Resp  No   AM_ACTIVE  3des    SHA   preshrd 86400

IKE Peer	  Type  Dir   Rky  State      Encrypt Hash  Auth    Lifetime

4 209.165.200.228 User  Resp  No   AM_ACTIVE  3des    SHA   preshrd 86400

hostname(config)# 

Related Commands

Command	Description
clear configure isakmp	Clears all the ISAKMP configuration.
clear configure isakmp policy	Clears all ISAKMP policy configuration.
clear isakmp sa	Clears the IKE runtime SA database.
isakmp enable	Enables ISAKMP negotiation on the interface on which the IPsec peer communicates with the ASA.
show running-config isakmp	Displays all the active ISAKMP configuration.

show isakmp stats

To display runtime statistics, use the show isakmp stats command in global configuration mode or privileged EXEC mode.

show isakmp stats

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	—	•	•	—
Privileged EXEC	•	—	•	•	—

Command History

Release	Modification
7.0(1)	The show isakmp stats command was introduced.
7.2(1)	This command was deprecated. The show crypto isakmp stats command replaces it.
9.0(1)	Support for multiple context mode was added.

Usage Guidelines

Each one of the counters maps to an associated cikePhase1GW counter. For details on each of these counters, refer to CISCO-IPSEC-FLOW-MONITOR-MIB.my.

•Active/Standby Tunnels—cikePhase1GWActiveTunnels

•Previous Tunnels—cikePhase1GWPreviousTunnels

•In Octets—cikePhase1GWInOctets

•In Packets—cikePhase1GWInPkts

•In Drop Packets—cikePhase1GWInDropPkts

•In Notifys—cikePhase1GWInNotifys

•In P2 Exchanges—cikePhase1GWInP2Exchgs

•In P2 Exchange Invalids—cikePhase1GWInP2ExchgInvalids

•In P2 Exchange Rejects—cikePhase1GWInP2ExchgRejects

•In P2 Sa Delete Requests—cikePhase1GWInP2SaDelRequests

•Out Octets—cikePhase1GWOutOctets

•Out Packets—cikePhase1GWOutPkts

• Out Drop Packets—cikePhase1GWOutDropPkts

• Out Notifys—cikePhase1GWOutNotifys

• Out P2 Exchanges—cikePhase1GWOutP2Exchgs

• Out P2 Exchange Invalids—cikePhase1GWOutP2ExchgInvalids

• Out P2 Exchange Rejects—cikePhase1GWOutP2ExchgRejects

• Out P2 Sa Delete Requests—cikePhase1GWOutP2SaDelRequests

• Initiator Tunnels—cikePhase1GWInitTunnels

• Initiator Fails—cikePhase1GWInitTunnelFails

• Responder Fails—cikePhase1GWRespTunnelFails

• System Capacity Fails—cikePhase1GWSysCapFails

• Auth Fails—cikePhase1GWAuthFails

• Decrypt Fails—cikePhase1GWDecryptFails

• Hash Valid Fails—cikePhase1GWHashValidFails

• No Sa Fails—cikePhase1GWNoSaFails

The output from this command includes the following fields:

•Global IKE Statistics

•Active Tunnels

•In Octets

•In Packets

•In Drop Packets

•In Notifys

•In P2 Exchanges

•In P2 Exchange Invalids

•In P2 Exchange Rejects

•In P2 Sa Delete Requests

•Out Octets

•Out Packets

•Out Drop Packets

•Out Notifys

•Out P2 Exchanges

•Out P2 Exchange Invalids

•Out P2 Exchange Rejects

•Out P2 Sa Delete Requests

•Initiator Tunnels

•Initiator Fails

•Responder Fails

•System Capacity Fails

•Auth Fails

•Decrypt Fails

•Hash Valid Fails

•No Sa Fails

Examples

The following example, issued in global configuration mode, displays ISAKMP statistics:

hostname(config)# show isakmp stats

Global IKE Statistics

Active Tunnels: 132

Previous Tunnels: 132

In Octets: 195471

In Packets: 1854

In Drop Packets: 925

In Notifys: 0

In P2 Exchanges: 132

In P2 Exchange Invalids: 0

In P2 Exchange Rejects: 0

In P2 Sa Delete Requests: 0

Out Octets: 119029

Out Packets: 796

Out Drop Packets: 0

Out Notifys: 264

Out P2 Exchanges: 0

Out P2 Exchange Invalids: 0

Out P2 Exchange Rejects: 0

Out P2 Sa Delete Requests: 0

Initiator Tunnels: 0

Initiator Fails: 0

Responder Fails: 0

System Capacity Fails: 0

Auth Fails: 0

Decrypt Fails: 0

Hash Valid Fails: 0

No Sa Fails: 0

hostname(config)# 

Related Commands

Command	Description
clear configure isakmp	Clears all the ISAKMP configuration.
clear configure isakmp policy	Clears all ISAKMP policy configuration.
clear isakmp sa	Clears the IKE runtime SA database.
isakmp enable	Enables ISAKMP negotiation on the interface on which the IPsec peer communicates with the ASA.
show running-config isakmp	Displays all the active ISAKMP configuration.

show kernel

To display information that the Linux brctl utility provides that you can use for debugging, use the show kernel command in privileged EXEC mode.

show kernel [process | bridge | cgroup-controller | ifconfig | module ]

Syntax Description

bridge	Displays tap bridges.
cgroup-controller	Displays the cgroup-controller statistics.
ifconfig	Displays the tap and bridge interface statistics.
module	Displays the modules that are installed and running.
process	Displays the current status of the active kernel processes running on the ASA.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
8.0(2)	This command was introduced.
8.4(1)	The cgroup-controller keyword was added.
8.6(1)	The ifconfig, module, and bridge keywords were added.

Usage Guidelines

This command displays statistics for the various processes running on the kernel.

Examples

The following example displays output from the show kernel process command:

hostname# show kernel process

PID PPID PRI NI      VSIZE      RSS      WCHAN STAT  RUNTIME COMMAND

  1    0  16  0     991232      268 3725684979    S       78 init

  2    1  34 19          0        0 3725694381    S        0 ksoftirqd/0

  3    1  10 -5          0        0 3725736671    S        0 events/0

  4    1  20 -5          0        0 3725736671    S        0 khelper

  5    1  20 -5          0        0 3725736671    S        0 kthread

  7    5  10 -5          0        0 3725736671    S        0 kblockd/0

  8    5  20 -5          0        0 3726794334    S        0 kseriod

 66    5  20  0          0        0 3725811768    S        0 pdflush

 67    5  15  0          0        0 3725811768    S        0 pdflush

 68    1  15  0          0        0 3725824451    S        2 kswapd0

 69    5  20 -5          0        0 3725736671    S        0 aio/0

171    1  16  0     991232       80 3725684979    S        0 init

172  171  19  0     983040      268 3725684979    S        0 rcS

201  172  21  0    1351680      344 3725712932    S        0 lina_monitor

202  201  16  0 1017602048   899932 3725716348    S      212 lina

203  202  16  0 1017602048   899932          0    S        0 lina

204  203  15  0 1017602048   899932          0    S        0 lina

205  203  15  0 1017602048   899932 3725712932    S        6 lina

206  203  25  0 1017602048   899932          0    R 13069390 lina

hostname# 

Table 51-1 shows each field description.

Table 51-1 show kernel process Fields

Field	Description
PID	The process ID.
PPID	The parent process ID.
PRI	The priority of the process.
NI	The nice value, which is used in priority computation. The values range from 19 (nicest) to -19 (not nice to others),
VSIZE	The virtual memory size in bytes.
RSS	The resident set size of the process, in kilobytes.
WCHAN	The channel in which the process is waiting.
STAT	The state of the process: •R—Running •S—Sleeping in an interruptible wait •D—Waiting in an uninterruptible disk sleep •Z—zombie •T—Traced or stopped (on a signal) •P—Paging
RUNTIME	The number of jiffies that the process has been scheduled in user mode and kernel mode. The runtime is the sum of utime and stime.
COMMAND	The process name.

The following example displays output from the show kernel module command:

hostname# show kernel module

Module                  Size  Used by    Tainted: P

cpp_base              861808  2

kvm_intel              44104  8

kvm                   174304  1 kvm_intel

msrif                   4180  0

tscsync                 3852  0

The following example displays output for the show kernel ifconfig commands:

hostname# show kernel ifconfig

br0       Link encap:Ethernet  HWaddr 42:9E:B8:6C:1F:23

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:43 errors:0 dropped:0 overruns:0 frame:0

          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:0

          RX bytes:1708 (1.6 KiB)  TX bytes:0 (0.0 B)

br1       Link encap:Ethernet  HWaddr 6A:03:EC:BA:89:26

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:0 errors:0 dropped:0 overruns:0 frame:0

          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:0

          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback

          inet addr:127.0.0.1  Mask:255.255.255.255

          UP LOOPBACK RUNNING  MTU:16436  Metric:1

          RX packets:0 errors:0 dropped:0 overruns:0 frame:0

          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:0

          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

tap0      Link encap:Ethernet  HWaddr 6A:0C:48:32:FE:F4

          inet addr:127.0.2.2  Bcast:127.255.255.255  Mask:255.0.0.0

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:148 errors:0 dropped:0 overruns:0 frame:0

          TX packets:186 errors:0 dropped:13 overruns:0 carrier:0

          collisions:0 txqueuelen:500

          RX bytes:10320 (10.0 KiB)  TX bytes:12452 (12.1 KiB)

tap1      Link encap:Ethernet  HWaddr 8E:E7:61:CF:E9:BD

          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

          RX packets:259 errors:0 dropped:0 overruns:0 frame:0

          TX packets:187 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:500

          RX bytes:19368 (18.9 KiB)  TX bytes:14638 (14.2 KiB)

tap2      Link encap:Ethernet  HWaddr 6A:03:EC:BA:89:26

          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

          RX packets:0 errors:0 dropped:0 overruns:0 frame:0

          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:500

          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

tap3      Link encap:Ethernet  HWaddr 42:9E:B8:6C:1F:23

          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

          RX packets:187 errors:0 dropped:0 overruns:0 frame:0

          TX packets:256 errors:0 dropped:3 overruns:0 carrier:0

          collisions:0 txqueuelen:500

          RX bytes:14638 (14.2 KiB)  TX bytes:19202 (18.7 KiB)

tap4      Link encap:Ethernet  HWaddr 6A:5C:60:BC:9C:ED

          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

          RX packets:0 errors:0 dropped:0 overruns:0 frame:0

          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:500

          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Related Commands

Command	Description
show module	Shows information about the installed modules in the ASA.

show kernel bridge

To display the Linux bridges, their member ports, and MAC addresses that have been learned at each port that you can use for debugging, use the show kernel bridge command in privileged EXEC mode.

show kernel bridge [mac-address bridge name]

Syntax Description

bridge name	Displays the bridge name.
mac-address	Displays the MAC address associated with each port.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
8.6(1)	This command was introduced.

Usage Guidelines

This command shows the Linux bridges, their member ports, and the MAC addresses that have been learned at each port (including remote MAC addresses) that you can use for debugging.

Examples

The following example displays output from the show kernel bridge command:

hostname# show kernel bridge

bridge name    bridge id        STP enabled interfaces

br0        8000.0e3cd8a8909f    no        tap1

                            tap3

br1       8000.26d29f51a490     no        tap2

                            tap4

                            tap5hostname# 

The following example displays output from the show kernel bridge mac-address command:

hostname# show kernel bridge mac-address br1

port no    mac addr       is local?   ageing timer

 1    00:21:d8:cb:dc:f7    no          12.93

 3    00:22:bd:d8:7d:da    no          12.93

 2    26:d2:9f:51:a4:90    yes          0.00

 1    4e:a4:e0:73:1f:ab    yes          0.00

 3    52:04:38:3d:79:c0    yes          0.00

Related Commands

Command	Description
show kernel	Shows information about the installed modules in the ASA.

show lacp

To display EtherChannel LACP information such as traffic statistics, system identifier, and neighbor details, enter this command in privileged EXEC mode.

show lacp {[channel_group_number] {counters | internal | neighbor} | sys-id}

Syntax Description

channel_group_number	(Optional) Specifies the EtherChannel channel group number, between 1 and 48, and only shows information about this channel group.
counters	Shows counters for the number of LACPDUs and markers sent and received.
internal	Shows internal information.
neighbor	Shows neighbor information.
sys-id	Shows the LACP system ID.

Command Default

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	—	•

Command History

Release	Modification
8.4(1)	We introduced this command.

Examples

The following is sample output from the show lacp sys-id command:

hostname# show lacp sys-id 

32768,001c.c4e5.cfee

The following is sample output from the show lacp counters command:

hostname# show lacp counters

             LACPDUs         Marker      Marker Response    LACPDUs

Port       Sent   Recv     Sent   Recv    Sent    Recv      Pkts Err

---------------------------------------------------------------------

Channel group: 1

Gi3/1      736    728      0      0        0      0         0     

Gi3/2      739    730      0      0        0      0         0     

Gi3/3      739    732      0      0        0      0         0 

The following is sample output from the show lacp internal command:

hostname# show lacp internal

Flags:  S - Device is requesting Slow LACPDUs 

        F - Device is requesting Fast LACPDUs

        A - Device is in Active mode       P - Device is in Passive mode     

Channel group 1 

                             LACP port     Admin     Oper    Port        Port

Port      Flags   State      Priority      Key       Key     Number      State

-----------------------------------------------------------------------------

Gi3/1     SA      bndl       32768         0x1       0x1     0x302       0x3d  

Gi3/2     SA      bndl       32768         0x1       0x1     0x303       0x3d  

Gi3/3     SA      bndl       32768         0x1       0x1     0x304       0x3d  

The following is sample output from the show lacp neighbor command:

hostname# show lacp neighbor

Flags:  S - Device is requesting Slow LACPDUs 

        F - Device is requesting Fast LACPDUs

        A - Device is in Active mode       P - Device is in Passive mode     

Channel group 1 neighbors

Partner's information:

          Partner Partner    LACP Partner  Partner   Partner  Partner     Partner

Port      Flags   State      Port Priority Admin Key Oper Key Port Number Port State

-----------------------------------------------------------------------------------

Gi3/1     SA      bndl       32768         0x0       0x1      0x306       0x3d  

Gi3/2     SA      bndl       32768         0x0       0x1      0x303       0x3d  

Gi3/3     SA      bndl       32768         0x0       0x1      0x302       0x3d  

Related Commands

Command	Description
channel-group	Adds an interface to an EtherChannel.
interface port-channel	Configures an EtherChannel.
lacp max-bundle	Specifies the maximum number of active interfaces allowed in the channel group.
lacp port-priority	Sets the priority for a physical interface in the channel group.
lacp system-priority	Sets the LACP system priority.
port-channel load-balance	Configures the load-balancing algorithm.
port-channel min-bundle	Specifies the minimum number of active interfaces required for the port-channel interface to become active.
show port-channel	Displays EtherChannel information in a detailed and one-line summary form. This command also displays the port and port-channel information.
show port-channel load-balance	Displays port-channel load-balance information along with the hash result and member interface selected for a given set of parameters.

show lacp cluster

To show the cLACP system MAC and ID, use the show lacp cluster command in privileged EXEC mode.

show lacp cluster {system-mac | system-id}

Syntax Description

system-mac	Shows the system ID and whether it was auto-generated or entered manually.
system-id	Shows the system ID and priority.

Command Default

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	—	•

Command History

Release	Modification
9.0(1)	We introduced this command.

Usage Guidelines

Set the cLACP system ID and priority using the clacp system-mac command.

Examples

The following is sample output from the show lacp cluster system-mac command:

hostname(cfg-cluster)# show lacp cluster system-mac

lacp cluster system MAC is automatically generated: a300.010a.010a.

The following is sample output from the show lacp cluster system-id command:

hostname(cfg-cluster)# show lacp cluster system-id

5    ,a300.010a.010a

Related Commands

Command	Description
clacp system-mac	Sets the cLACP system ID and priority.

show local-host

To display the network states of local hosts, use the show local-host command in privileged EXEC mode.

show local-host | include interface [ip_address] [detail] [all][brief] [connection {tcp start[-end] | udp start[-end] | embryonic start[-end]}]

Syntax Description

all	(Optional) Includes local hosts connecting to the ASA and from the ASA.
brief	(Optional) Displays brief information on local hosts.
connection	(Optional) Displays three types of filters based on the number and type of connections: TCP, UDP and embryonic. These filters can be used individually or jointly.
detail	(Optional) Displays the detailed network states of local host information, including more information about active xlates and network connections.
include interface	Specifies the IP addresses being used on each interface.
ip_address	(Optional) Specifies the local host IP address.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	—

Command History

Release	Modification
7.2(1)	For models with host limits, this command now shows which interface is considered to be the outside interface.
7.2(4)	Two new options, connection and brief, were added to the show local-host command so that the output is filtered by the number of connections for the inside hosts.
9.1(2)	The Smart Call Home information sent to Cisco for telemetry-based alerts from the show local-host command has been changed to the show local-host | include interface command.

Usage Guidelines

The show local-host command lets you display the network states of local hosts. A local-host is created for any host that forwards traffic to, or through, the ASA.

This command lets you show the translation and connection slots for the local hosts. This command provides information for hosts that are configured with the nat 0 access-list command when normal translation and connection states may not apply.

This command also displays the connection limit values. If a connection limit is not set, the value displays as 0 and the limit is not applied.

For models with host limits, In routed mode, hosts on the inside (Work and Home zones) count towards the limit only when they communicate with the outside (Internet zone). Internet hosts are not counted towards the limit. Hosts that initiate traffic between Work and Home are also not counted towards the limit. The interface associated with the default route is considered to be the Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit.

In the event of a SYN attack (with TCP intercept configured), the show local-host command output includes the number of intercepted connections in the usage count. This field typically displays only full open connections.

In the show local-host command output, the TCP embryonic count to host counter is used when a maximum embryonic limit (TCP intercept watermark) is configured for a host using a static connection. This counter shows the total embryonic connections to the host from other hosts. If this total exceeds the maximum configured limit, TCP intercept is applied to new connections to the host.

Examples

The following is sample output from the show local-host command:

hostname# show local-host

Interface inside: 0 active, 0 maximum active, 0 denied

Interface outside: 1 active, 2 maximum active, 0 denied

The following is sample output from the show local-host command on an ASA with host limits:

hostname# show local-host

Detected interface 'outside' as the Internet interface. Host limit applies to all other 
interfaces.

Current host count: 3, towards licensed host limit of: 50

Interface inside: 1 active, 1 maximum active, 0 denied

Interface outside: 0 active, 0 maximum active, 0 denied

The following is sample output from the show local-host command on an ASA with host limits. But without a default route, the host limits apply to all interfaces. The default route interface might not be detected if the default route or the interface that the route uses is down.

hostname# show local-host

Unable to determine Internet interface from default route. Host limit applied to all 
interfaces.

Current host count: 3, towards licensed host limit of: 50

Interface c1in: 1 active, 1 maximum active, 0 denied

Interface c1out: 0 active, 0 maximum active, 0 denied

The following is sample output from the show local-host command on an ASA with unlimited hosts:

hostname# show local-host

Licensed host limit: Unlimited

Interface c1in: 1 active, 1 maximum active, 0 denied

Interface c1out: 0 active, 0 maximum active, 0 denied

The following examples show the network states of local hosts:

hostname# show local-host all

Interface outside: 1 active, 2 maximum active, 0 denied

local host: <11.0.0.4>,

TCP flow count/limit = 0/unlimited

TCP embryonic count to host = 0

TCP intercept watermark = unlimited

UDP flow count/limit = 0/unlimited 

Conn:

105 out 11.0.0.4 in 11.0.0.3 idle 0:01:42 bytes 4464

105 out 11.0.0.4 in 11.0.0.3 idle 0:01:44 bytes 4464

Interface inside: 1 active, 2 maximum active, 0 denied

local host: <17.3.8.2>,

TCP flow count/limit = 0/unlimited

TCP embryonic count to host = 0

TCP intercept watermark = unlimited

UDP flow count/limit = 0/unlimited 

Conn:

105 out 17.3.8.2 in 17.3.8.1 idle 0:01:42 bytes 4464

105 out 17.3.8.2 in 17.3.8.1 idle 0:01:44 bytes 4464

Interface NP Identity Ifc: 2 active, 4 maximum active, 0 denied

local host: <11.0.0.3>,

TCP flow count/limit = 0/unlimited

TCP embryonic count to host = 0

TCP intercept watermark = unlimited

UDP flow count/limit = 0/unlimited 

Conn:

105 out 11.0.0.4 in 11.0.0.3 idle 0:01:44 bytes 4464

105 out 11.0.0.4 in 11.0.0.3 idle 0:01:42 bytes 4464

local host: <17.3.8.1>,

TCP flow count/limit = 0/unlimited

TCP embryonic count to host = 0

TCP intercept watermark = unlimited

UDP flow count/limit = 0/unlimited 

Conn:

105 out 17.3.8.2 in 17.3.8.1 idle 0:01:44 bytes 4464

105 out 17.3.8.2 in 17.3.8.1 idle 0:01:42 bytes 4464

hostname# show local-host 10.1.1.91

Interface third: 0 active, 0 maximum active, 0 denied

Interface inside: 1 active, 1 maximum active, 0 denied

local host: <10.1.1.91>,

TCP flow count/limit = 1/unlimited

TCP embryonic count to (from) host = 0 (0)

TCP intercept watermark = unlimited

UDP flow count/limit = 0/unlimited

Xlate:

PAT Global 192.150.49.1(1024) Local 10.1.1.91(4984)

Conn:

TCP out 192.150.49.10:21 in 10.1.1.91:4984 idle 0:00:07 bytes 75 flags UI Interface

outside: 1 active, 1 maximum active, 0 denied

hostname# show local-host 10.1.1.91 detail

Interface third: 0 active, 0 maximum active, 0 denied

Interface inside: 1 active, 1 maximum active, 0 denied

local host: <10.1.1.91>,

TCP flow count/limit = 1/unlimited

TCP embryonic count to (from) host = 0 (0)

TCP intercept watermark = unlimited

UDP flow count/limit = 0/unlimited

Xlate:

TCP PAT from inside:10.1.1.91/4984 to outside:192.150.49.1/1024 flags ri

Conn:

TCP outside:192.150.49.10/21 inside:10.1.1.91/4984 flags UI Interface outside: 1 active, 1 
maximum active, 0 denied

The following example shows all hosts who have at least four UDP connections and have between one 
to 10 TCP connections at the same time:

hostname# show local-host connection udp 4 tcp 1-10 

Interface mng: 0 active, 3 maximum active, 0 denied 

Interface INSIDE: 4 active, 5 maximum active, 0 denied 

local host: <10.1.1.11>, 

TCP flow count/limit = 1/unlimited TCP embryonic count to host = 0 TCP intercept 
watermark = unlimited UDP flow count/limit = 4/unlimited 

Xlate: 

Global 192.168.1.24 Local 10.1.1.11 Conn: UDP out 192.168.1.10:80 in 
10.1.1.11:1730 idle 0:00:21 bytes 0 flags - UDP out 192.168.1.10:80 in 
10.1.1.11:1729 idle 0:00:22 bytes 0 flags - UDP out 192.168.1.10:80 in 
10.1.1.11:1728 idle 0:00:23 bytes 0 flags - UDP out 192.168.1.10:80 in 
10.1.1.11:1727 idle 0:00:24 bytes 0 flags - TCP out 192.168.1.10:22 in 
10.1.1.11:27337 idle 0:01:55 bytes 2641 flags UIO Interface OUTSIDE: 3 active, 5 
maximum active, 0 denied 

The following example shows local-host addresses and connection counters using the brief option:

hostname# show local-host connection udp 2 

Interface mng: 0 active, 3 maximum active, 0 denied 

Interface INSIDE: 4 active, 5 maximum active, 0 denied 

local host: <10.1.1.11>, 

TCP flow count/limit = 1/unlimited 

TCP embryonic count to host = 0 

TCP intercept watermark = unlimited UDP flow count/limit = 4/unlimited 

Interface OUTSIDE: 3 active, 5 maximum active, 0 denied 

The following examples shows the output when using the brief and connection options:

hostname# show local-host brief 

Interface inside: 1 active, 1 maximum active, 0 denied

Interface outside: 1 active, 1 maximum active, 0 denied

Interface mgmt: 5 active, 6 maximum active, 0 denied

hostname# show local-host connection  

Interface inside: 1 active, 1 maximum active, 0 denied

Interface outside: 1 active, 1 maximum active, 0 denied

Interface mgmt: 5 active, 6 maximum active, 0 denied

Related Commands

Command	Description
clear local-host	Releases network connections from local hosts displayed by the show local-host command.
nat	Associates a network with a pool of global IP addresses.

show logging

To show the logs in the buffer or other logging settings, use the show logging command in privileged EXEC mode.

show logging [message [syslog_id | all] | asdm | queue | setting]

Syntax Description

all	(Optional) Displays all syslog message IDs, along with whether they are enabled or disabled.
asdm	(Optional) Displays ASDM logging buffer content.
message	(Optional) Displays messages that are at a non-default level. See the logging message command to set the message level.
queue	(Optional) Displays the syslog message queue.
setting	(Optional) Displays the logging setting, without displaying the logging buffer.
syslog_id	(Optional) Specifies a message number to display.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command.

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
7.0(1)	This command was introduced.
8.0(2)	Indicates whether a syslog server is configured to use an SSL/TLS connection.
8.4(1)	For the show logging command, the output includes an enry for the current state of the audit block.

Usage Guidelines

If the logging buffered command is in use, the show logging command without any keywords shows the current message buffer and the current settings.

The show logging queue command allows you to display the following:

•Number of messages that are in the queue

•Highest number of messages recorded that are in the queue

•Number of messages that are discarded because block memory was not available to process them

•Separate queues for traps and other syslog messages

---

Note Zero is an acceptable number for the configured queue size and represents the maximum queue size allowed. The output for the show logging queue command will display the actual queue size if the the configured queue size is zero.

---

Examples

The following is sample output from the show logging command:

hostname(config)# show logging 

Syslog logging: enabled

    Facility: 20

    Timestamp logging: enabled

    Standby logging:disabled

    Debug-trace logging: disabled

    Console logging: level informational, 3962 messages logged

    Monitor logging: disabled

    Buffer logging: disabled

    Trap logging: level informational, facility 20, 20549 messages logged

        Logging to inside 10.2.5.3 tcp/50001 connected

    Permit-hostdown state 

    History logging: disabled

    Device ID: disabled

    Mail logging: disabled

    ASDM logging: disabled

---

Note Valid values of state are enabled, disabled, disabled-blocking, and disabled-not blocking.

---

The following is sample output from the show logging command with a secure syslog server configured:

hostname(config)# logging host inside 10.0.0.1 TCP/1500 secure

hostname(config)# show logging 

Syslog logging: disabled

	Facility:

	Timestamp logging: disabled

	Deny Conn when Queue Full: disabled

	Console logging: level debugging, 135 messages logged

	Monitor logging: disabled

	Buffer logging: disabled

	Trap logging: list show _syslog, facility, 20, 21 messages logged

		Logging to inside 10.0.0.1 tcp/1500 SECURE

	History logging: disabled

	Device ID: disabled

	Mail logging: disabled

	ASDM logging disabled

The following is sample output from the show logging queue command:

hostname(config)# show logging queue

Logging Queue length limit: 512 msg(s)

0 msg(s) discarded due to queue overflow

0 msg(s) discarded due to memory allocation failure

Current 0 msgs on queue, 0 msgs most on queue

The following is sample output from the show logging message all command:

hostname(config)# show logging message all

syslog 111111: default-level alerts (enabled)

syslog 101001: default-level alerts (enabled)

syslog 101002: default-level alerts (enabled)

syslog 101003: default-level alerts (enabled)

syslog 101004: default-level alerts (enabled)

syslog 101005: default-level alerts (enabled)

syslog 102001: default-level alerts (enabled)

syslog 103001: default-level alerts (enabled)

syslog 103002: default-level alerts (enabled)

syslog 103003: default-level alerts (enabled)

syslog 103004: default-level alerts (enabled)

syslog 103005: default-level alerts (enabled)

syslog 103011: default-level alerts (enabled)

syslog 103012: default-level informational (enabled)

Related Commands

Command	Description
logging asdm	Enables logging to ASDM
logging buffered	Enables logging to the buffer.
logging host	Defines a syslog server.
logging message	Sets the message level or disables messages.
logging queue	Configures the logging queue.

show logging flow-export-syslogs

To display all of the syslog messages whose information is also captured by NetFlow and that will be affected by the logging flow-export-syslogs enable | disable commands, use the show logging flow-export-syslogs command in privileged EXEC mode.

show logging flow-export-syslogs

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	—

Command History

Release	Modification
8.1(1)	This command was introduced.

Usage Guidelines

After you enter the logging flow-export syslogs disable command, make sure that you know which syslog messages have been disabled. The disabled syslog messages are as follows:

Syslog Message	Description
106015	A TCP flow was denied because the first packet was not a SYN packet.
106023	A flow that is denied by an ingress ACL or an egress ACL that is attached to an interface through the access-group command.
106100	A flow that is permitted or denied by an ACL.
302013 and 302014	A TCP connection and deletion.
302015 and 302016	A UDP connection and deletion.
302017 and 302018	A GRE connection and deletion.
302020 and 302021	An ICMP connection and deletion.
313001	An ICMP packet to the ASA was denied.
313008	An ICMPv6 packet to the ASA was denied.
710003	An attempt to connect to the ASA was denied.

Examples

The following is sample output from the show logging flow-export-syslogs command, which lists the syslog messages that will be disabled:

hostname(config)# show logging flow-export-syslogs

Syslog ID          Type	                 Status								

302013	           Flow Created          Enabled 

302015	           Flow Created          Enabled	

302017	           Flow Created          Enabled	

302020	           Flow Created          Enabled	

302014	           Flow Deleted          Enabled	

302016	           Flow Deleted          Enabled	

302018	           Flow Deleted          Enabled	

302021	           Flow Deleted          Enabled	

106015	           Flow Denied           Enabled	

106023	           Flow Denied           Enabled	

313001	           Flow Denied           Enabled	

313008	           Flow Denied           Enabled	

710003	           Flow Denied           Enabled	

106100	           Flow Created/Denied   Enabled	

Related Commands

Commands	Description
flow-export destination interface-name ipv4-address | hostname udp-port	Specifies the IP address or hostname of the NetFlow collector, and the UDP port on which the NetFlow collector is listening.
flow-export template timeout-rate minutes	Controls the interval at which the template information is sent to the NetFlow collector.
logging flow-export-syslogs enable	Enables syslog messages after you have entered the logging flow-export-syslogs disable command, and the syslog messages that are associated with NetFlow data.
show flow-export counters	Displays a set of runtime counters for NetFlow.

show logging rate-limit

To display disallowed syslog messages, use the show logging rate-limit command in privileged EXEC mode.

show logging rate-limit

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

After the information is cleared, nothing more displays until the hosts reestablish their connections.

Examples

The following example shows sample output from the show logging rate-limit command:

hostname(config)# show logging rate-limit

%ASA-7-710005: TCP request discarded from 171.69.39.0/2678 to management:10.89.130.244/443

%ASA-7-711002: Task ran for 27 msec, Process = ssm_mgmt_ifc_poll_thread, PC = 896fcac, 
Traceback = 

%ASA-7-711002: Task ran for 27 msec, Process = ssm_mgmt_ifc_poll_thread, PC = 896fcac, 
Traceback =   0x0807C0FA

%ASA-6-106015: Deny TCP (no connection) from 171.69.39.0/2685 to 10.89.130.244/443 flags 
FIN PSH ACK  on interface management

%ASA-7-710005: TCP request discarded from 171.69.39.0/2685 to management:10.89.130.244/443

%ASA-6-302013: Built inbound TCP connection 2116 for management:171.69.39.0/2689 
(171.69.39.0/2689) to identity:10.89.130.244/443 (10.89.130.244/443)

%ASA-6-725001: Starting SSL handshake with client management:171.69.39.0/2689 for TLSv1 
session.

%ASA-6-725003: SSL client management:171.69.39.0/2689 request to resume previous session.

%ASA-6-725002: Device completed SSL handshake with client management:171.69.39.0/2689

%ASA-6-605005: Login permitted from 171.69.39.0/2689 to management:10.89.130.244/https for 
user "enable_15"

%ASA-5-111007: Begin configuration: 171.69.39.0 reading from http [POST]

Related Commands

Command	Description
show logging	Displays the enabled logging options.

show mac-address-table

To show the MAC address table, use the show mac-address-table command in privileged EXEC mode.

show mac-address-table [interface_name | count | static]

Syntax Description

count	(Optional) Lists the total number of dynamic and static entries.
interface_name	(Optional) Identifies the interface name for which you want to view MAC address table entries.
static	(Optional) Lists only static entries.

Defaults

If you do not specify an interface, all interface MAC address entries are shown.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	—	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Examples

The following is sample output from the show mac-address-table command:

hostname# show mac-address-table

interface				    mac address				       type			      Time Left

-----------------------------------------------------------------------

outside					0009.7cbe.2100				   static				-

inside					0010.7cbe.6101				   static				-

inside					0009.7cbe.5101				   dynamic				10

The following is sample output from the show mac-address-table command for the inside interface:

hostname# show mac-address-table inside

interface				    mac address       type			      Time Left

-----------------------------------------------------------------------

inside					0010.7cbe.6101				   static				-

inside					0009.7cbe.5101				   dynamic				10

The following is sample output from the show mac-address-table count command:

hostname# show mac-address-table count

Static     mac-address bridges (curr/max): 0/65535

Dynamic    mac-address bridges (curr/max): 103/65535

Related Commands

Command	Description
firewall transparent	Sets the firewall mode to transparent.
mac-address-table aging-time	Sets the timeout for dynamic MAC address entries.
mac-address-table static	Adds a static MAC address entry to the MAC address table.
mac-learn	Disables MAC address learning.

show management-access

To display the name of the internal interface configured for management access, use the show management-access command in privileged EXEC mode.

show management-access

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

The management-access command lets you define an internal management interface using the IP address of the firewall interface specified in mgmt_if. (The interface names are defined by the nameif command and displayed in quotes, " ", in the output of the show interface command.)

Examples

The following example shows how to configure a firewall interface named "inside" as the management access interface and display the result:

hostname(config)# management-access inside

hostname(config)# show management-access

management-access inside

Related Commands

Command	Description
clear configure management-access	Removes the configuration of an internal interface for management access of the ASA.
management-access	Configures an internal interface for management access.

show memory

To display a summary of the maximum physical memory and current free memory available to the operating system, use the show memory command in privileged EXEC mode.

[cluster exec] show memory [detail]

Syntax Description

cluster exec	(Optional) In a clustering environment, enables you to issue the show memory command in one unit and run the command in all the other units at the same time.
detail	(Optional) Displays a detailed view of free and allocated system memory.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
7.0(1)	This command was introduced.
9.0(1)	The cluster exec option was added.

Usage Guidelines

The show memory command lets you display a summary of the maximum physical memory and current free memory available to the operating system. Memory is allocated as needed.

You can also display the information from the show memory command using SNMP.

You can use the show memory detail output with the show memory binsize command to debug memory leaks.

The show memory detail command output can be broken down into three sections: Summary, DMA Memory, and HEAP Memory. The summary displays how the total memory is allocated. Memory that is not tied to DMA or reserved is considered the HEAP. The Free Memory value is the unused memory in the HEAP. The Allocated memory in use value is how much of the HEAP has been allocated. The breakdown of HEAP allocation is displayed later in the output. Reserved memory and DMA Reserved memory are used by different system processes and primarily VPN services.

Values displayed in the allocated memory statistics total (bytes) column do not reflect real values (MEMPOOL_GLOBAL_SHARED POOL STATS) in the show memory detail command output.

The output shows that the block of size 49,152 was allocated then returned to the free pool, and another block of size 131,072 was allocated. In this case, you would think that free memory decreased by 131,072-49,152=81,920 bytes, but it actually decreased by 100,000 bytes (see the Free memory line).

hostname# show memory detail

MEMPOOL_GLOBAL_SHARED POOL STATS:            MEMPOOL_GLOBAL_SHARED POOL STATS:

Non-mmapped bytes allocated =   1862270976   Non-mmapped bytes allocated =   1862270976

Number of free chunks       =           99   Number of free chunks       =          100

Number of mmapped regions   =            0   Number of mmapped regions   =            0

Mmapped bytes allocated     =            0   Mmapped bytes allocated     =            0

Max memory footprint        =   1862270976   Max memory footprint        =   1862270976

Keepcost                    =   1762019304   Keepcost                    =   1761869256

Max contiguous free mem     =   1762019304   Max contiguous free mem     =   1761869256

Allocated memory in use     =    100133944   Allocated memory in use     =    100233944

Free memory                 =   1762137032   Free memory                 =   1762037032

----- fragmented memory statistics -----     ----- fragmented memory statistics -----

 fragment size       count          total     fragment size       count          total

    (bytes)                        (bytes)       (bytes)                        (bytes)

----------------  ----------  -------------- ----------------  ----------  --------------

        32768             1          33176           32768             1          33176

                                                     49152             1          50048

   1762019304             1     1762019304*     1761869256             1     1761869256*

----- allocated memory statistics -----      ----- allocated memory statistics -----

 fragment size       count          total     fragment size       count          total

    (bytes)                        (bytes)       (bytes)                        (bytes)

----------------  ----------  -------------- ----------------  ----------  --------------

        49152            10         491520           49152             9         442368

        65536           125        8192000           65536           125        8192000

        98304             3         294912           98304             3         294912

       131072            18        2359296          131072            19        2490368

The following output confirms that a block of size 150,000 was allocated, instead of 131,072:

hostname# show memory binsize 131072

MEMPOOL_DMA pool bin stats:

MEMPOOL_GLOBAL_SHARED pool bin stats:

pc = 0x8eda524, size = 150000   , count = 1   

pc = 0x8f08054, size = 163904   , count = 1   

pc = 0x846e477, size = 139264   , count = 1   

pc = 0x8068691, size = 393216   , count = 3   

pc = 0x8eea09b, size = 131072   , count = 1   

pc = 0x88ca830, size = 141212   , count = 1   

pc = 0x9589e93, size = 593580   , count = 4   

pc = 0x9589bd2, size = 616004   , count = 4   

pc = 0x8f2e060, size = 327808   , count = 2   

pc = 0x8068284, size = 182000   , count = 1   

0x8eda524 <logger_buffer_init_int+148 at syslog/main.c:403>

The approximate number of total bytes shown in the show memory detail command output is by design. There are two reasons for this:

•For each fragment size, if you had to get the sum of all fragments, a performance impact would occur because there can be very large number of allocations for a single fragment size and to get the accurate value, you need to walk over thousands of chunks.

•For each binsize, you need to walk through the doubly linked list of allocations and there could be many allocations. In this case, you cannot hog the CPU for an extended period and would need to suspend allocations periodically. After you resume allocations, other processes may have allocated or deallocated memory and memory states may have changed. As a result, the total bytes column gives an approximate value instead of the real value.

Examples

The following is sample output from the show memory command:

hostname# show memory

Free memory:       845044716 bytes (79%)

Used memory:       228697108 bytes (21%)

-------------     ----------------

Total memory:     1073741824 bytes (100%)

The following is sample output from the show memory detail command:

hostname# show memory detail

Free memory:                   130546920 bytes (49%) 

Used memory:                   137888536 bytes (51%) 

Allocated memory in use:        33030808 bytes (12%) 

Reserved memory:                65454208 bytes (24%) 

DMA Reserved memory:            39403520 bytes (15%) 

---------------------------------------------------- 

Total memory:                  268435456 bytes (100%) 

Dynamic Shared Objects(DSO):           0 bytes 

DMA memory: 

  Unused memory:                3212128 bytes (8%) 

  Crypto reserved memory:       2646136 bytes (7%) 

  Crypto free:                  1605536 bytes (4%) 

  Crypto used:                  1040600 bytes (3%) 

  Block reserved memory:       33366816 bytes (85%) 

  Block free:                  31867488 bytes (81%) 

  Block used:                   1499328 bytes (4%) 

  Used memory:                   178440 bytes (0%) 

----------------------------------------------------

  Total memory:                39403520 bytes (100%) 

  HEAP memory: 

  Free memory:                 130546920 bytes (80%) 

  Used memory:                  33030808 bytes (20%) 

  Init used memory by library:   4218752 bytes (3%) 

  Allocated memory: 	          28812056 bytes (18%) 

---------------------------------------------------- 

  Total memory:                163577728 bytes (100%) 

Least free memory: 122963528 bytes (75%) 

Most used memory:   40614200 bytes (25%) 

----- fragmented memory statistics ----- 

fragment size    count      total 

(bytes)                     (bytes) 

---------------- ---------- -------------- 

16               113        1808 

<More> 

The following is sample output from the show memory command on the ASA 5525 after enabling the jumbo-frame reservation command and issuing the write memory command and the reload command:

hostname# show memory

Free memory:        3008918624 bytes (70%)

Used memory:        1286048672 bytes (30%)

-------------       ----------------------

Total memory:       4294967296 bytes (100%)

The following is sample output from the show memory command on the ASA 5525 without enabling the jumbo-frame reservation command:

hostname# show memory

Free memory:        3318156400 bytes (77%)

Used memory:         976810896 bytes (23%)

-------------       ------------------

Total memory:       4294967296 bytes (100%)

The following is sample output from the show memory command on the ASA 5515 after enabling the jumbo-frame reservation command:

hostname# show memory

Free memory:        3276619472 bytes (76%)

Used memory:        1018347824 bytes (24%)

-------------       ------------------

Total memory:       4294967296 bytes (100%)

The following is sample output from the show memory command on the ASA 5515 without enabling the jumbo-frame reservation command:

hostname# show memory

Free memory:        3481145472 bytes (81%)

Used memory:         813821824 bytes (19%)

-------------       ------------------

Total memory:       4294967296 bytes (100%)

The following is sample output from the show memory command on the ASA 5585 after enabling the jumbo-frame reservation command:

hostname# show memory

Free memory:        8883297824 bytes (69%)

Used memory:        4001604064 bytes (31%)

-------------       ------------------

Total memory:      12884901888 bytes (100%)

The following is sample output from the show memory command on the ASA 5585 without enabling the jumbo-frame reservation command:

hostname# show memory

Free memory:        9872205104 bytes (77%)

Used memory:        3012696784 bytes (23%)

-------------       ------------------

Total memory:      12884901888 bytes (100%)

The following is sample output from the show memory command on the ASA 5520, which does not support the jumbo-frame command:

hostname# show memory

ree memory:         206128232 bytes (38%)

Used memory:         330742680 bytes (62%)

-------------       -----------------

Total memory:        536870912 bytes (100%)

The following is sample output from the show memory command on the ASA 5505, which does not support the jumbo-frame command:

hostname# show memory

Free memory:          48457848 bytes (18%)

Used memory:         219977608 bytes (82%)

-------------        -----------------

Total memory:        268435456 bytes (100%

Related Commands

Command	Description
show memory profile	Displays information about the memory usage (profiling) of the ASA.
show memory binsize	Displays summary information about the chunks allocated for a specific bin size.

show memory api

To display the malloc stack APIs that are registered in the system , use the show memory api command in privileged EXEC mode.

show memory api

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	—	•

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

This command displays the malloc stack APIs that are registered in the system.

If any of the memory debugging features are turned on (that is, delay-free-poisoner, memory tracker, or memory profiler), their APIs appear in the show memory api command output.

Examples

This following is sample output from the show memory api command:

hostname# show memory api

Resource Manager (0) ->

Tracking (0) ->

Delayed-free-poisoner (0) ->

Core malloc package (0) 

Related Commands

Command	Description
show memory profile	Displays information about the memory usage (profiling) of the ASA.
show memory binsize	Displays summary information about the chunks allocated for a specific bin size.

show memory app-cache

To observe memory usage by application, use the show memory app-cache command in privileged EXEC mode.

show memory app-cache [threat-detection | host | flow | tcb | http | access-list] [detail]

Syntax Descriptionshow memory app-cache [threat-detection | host | flow | tcb | http | access-list] [detail]

access-list	(Optional) Shows the application level memory cache for access lists.
detail	(Optional) Shows a detailed view of free and allocated system memory.
flow	(Optional) Shows the application level memory cache for flows.
host	(Optional) Shows application level memory cache for hosts.
http	(Optional) Shows application level memory cache for HTTP.
tcb	(Optional) Shows application level memory cache for TCB.
threat-detection	(Optional) Shows application level memory cache for threat detection.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	—

Command History

Release	Modification
8.0(1)	This command was introduced.
8.1(1)	The access-list and http options were added.

Usage Guidelines

This command enables you to observe memory usage by application.

Examples

The following is sample output from the show memory app-cache threat-detection command:

hostname(config)# show memory app-cache threat-detection 

LIMIT COUNT ALLOC FAILED BYTES USED 

TOTAL 1350 460 115167 0 130926168 

The following is sample output from the show memory app-cache threat-detection detail command:

hostname(config)# show memory app-cache threat-detection detail 

CACHE NAME LIMIT COUNT ALLOC FAILED BYTES USED

TD ACE stats 50 0 2 0 1936 

TD Host/Port counte 100 0 2 0 48 

TD Host/Port counte 100 0 2 0 48 

TD Host/Port counte 100 0 2 0 48 

TD Host/Port counte 100 0 2 0 48 

TD Host stats 50 50 16120 0 116515360

TD Subnet stats 50 2 113 0 207016 

TD Host/Port counte 100 100 24618 0 3544992

TD Host/Port counte 100 100 24618 0 3544992

TD Host/Port counte 100 100 24618 0 3544992

TD Host/Port counte 100 100 24618 0 3544992

TD Host/Port counte 100 2 113 0 5424 

TD Host/Port counte 100 2 113 0 5424

TD Host/Port counte 100 2 113 0 5424

TD Host/Port counte 100 2 113 0 5424

LIMIT COUNT ALLOC FAILED BYTES USED 

TOTAL 1350 460 115167 0 130926168

The following is sample output from the show memory app-cache host detail command:

hostname(config)# show memory app-cache host detail

CACHE NAME LIMIT COUNT ALLOC FAILED BYTES USED

SNP Host Core 0 1000 1000 5116 0 961808

SNP Host Core 1 1000 1000 4968 0 933984 

SNP Host Core 2 1000 1000 5413 0 1017644

SNP Host Core 3 1000 1000 4573 0 859724 

LIMIT COUNT ALLOC FAILED BYTES USED

TOTAL 4000 4000 20070 0 3773160

The following is sample output from the show memory app-cache flow detail command:

hostname(config)# show memory app-cache flow detail 

CACHE NAME LIMIT COUNT ALLOC FAILED BYTES USED

SNP Conn Core 0 1000 1000 893 0 639388

SNP Conn Core 1 1000 948 980 0 701680

SNP Conn Core 2 1000 1000 1175 0 841300

SNP Conn Core 3 1000 1000 901 0 645116

LIMIT COUNT ALLOC FAILED BYTES USED

TOTAL 4000 3948 3949 0 2827484

The following is sample output from the show memory app-cache access-list detail command:

hostname(config)# show memory app-cache access-list detail

CACHE NAME LIMIT COUNT ALLOC FAILED BYTES USED

NP ACL log c Core 0 1000 0 1 0 68

NP ACL log c Core 1 1000 0 6 0 408

NP ACL log c Core 2 1000 0 19 0 1292

NP ACL log c Core 3 1000 0 0 0 0

NP ACL log f Core 0 1000 0 0 0 0

NP ACL log f Core 1 1000 0 0 0 0

NP ACL log f Core 2 1000 0 0 0 0

NP ACL log f Core 3 1000 0 0 0 0

LIMIT COUNT ALLOC FAILED BYTES USED

TOTAL 8000 0 26 0 1768

The following is sample output from the show memory app-cache http detail command:

hostname(config)# show memory app-cache http detail

CACHE NAME LIMIT COUNT ALLOC FAILED BYTES USED

Inspect HTTP Core 0 1000 0 0 0 0

Inspect HTTP Core 1 1000 0 0 0 0

Inspect HTTP Core 2 1000 0 0 0 0

Inspect HTTP Core 3 1000 0 0 0 0

HTTP Result Core 0 1000 0 0 0 0

HTTP Result Core 1 1000 0 0 0 0

HTTP Result Core 2 1000 0 0 0 0

HTTP Result Core 3 1000 0 0 0 0

LIMIT COUNT ALLOC FAILED BYTES USED

TOTAL 8000 0 0 0 0

The following is sample output from the show memory app-cache tcb detail command:

hostname(config)# show memory app-cache tcb detail

CACHE NAME LIMIT COUNT ALLOC FAILED BYTES USED

SNP TCB Core 0 1000 1000 968 0 197472

SNP TCB Core 1 1000 1000 694 0 141576

SNP TCB Core 2 1000 1000 1304 0 266016

SNP TCB Core 3 1000 1000 1034 0 210936

LIMIT COUNT ALLOC FAILED BYTES USED

TOTAL 4000 4000 4000 0 816000

Related Commands

Command	Description
show memory profile	Displays information about the memory usage (profiling) of the ASA.
show memory binsize	Displays summary information about the chunks allocated for a specific bin size.
show memory	Displays a summary of the maximum physical memory and current free memory available to the operating system.

show memory binsize

To display summary information about the chunks allocated for a specific bin size, use the show memory binsize command in privileged EXEC mode.

show memory binsize size

Syntax Description

size	Displays chunks (memory blocks) of a specific bin size. The bin size is from the "fragment size" column of the show memory detail command output.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

This command has no usage guidelines.

Examples

The following example displays summary information about a chunk allocated to a bin size of 500:

hostname# show memory binsize 500

pc = 0x00b33657, size = 460      , count = 1

Related Commands

Command	Description
show memory-caller address	Displays the address ranges configured on the ASA.
show memory profile	Displays information about the memory usage (profiling) of the ASA.
show memory	Displays a summary of the maximum physical memory and current free memory available to the operating system.

show memory delayed-free-poisoner

To display a summary of the memory delayed-free-poisoner queue usage, use the show memory delayed-free-poisoner command in privileged EXEC mode.

show memory delayed-free-poisoner

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	—	•

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

Use the clear memory delayed-free-poisoner command to clear the queue and statistics.

Examples

This following is sample output from the show memory delayed-free-poisoner command:

hostname# show memory delayed-free-poisoner

delayed-free-poisoner statistics:

		 3335600:  memory held in queue

		    6095:  current queue count

		       0:  elements dequeued

		       3:  frees ignored by size

		    1530:  frees ignored by locking

		      27:  successful validate runs

		       0:  aborted validate runs

		01:09:36:  local time of last validate

Table 51-2 describes the significant fields in the show memory delayed-free-poisoner command output.

Table 51-2 show memory delayed-free-poisoner Command Output Descriptions

Field	Description
memory held in queue	The memory that is held in the delayed free-memory poisoner tool queue. Such memory is normally in the "Free" quantity in the show memory output if the delayed free-memory poisoner tool is not enabled.
current queue count	The number of elements in the queue.
elements dequeued	The number of elements that have been removed from the queue. This number begins to increase when most or all of the otherwise free memory in the system ends up in being held in the queue.
frees ignored by size	The number of free requests not placed into the queue because the request was too small to hold required tracking information.
frees ignored by locking	The number of free requests intercepted by the tool not placed into the queue because the memory is in use by more than one application. The last application to free the memory back to the system ends up placing such memory regions into the queue.
successful validate runs	The number of times since monitoring was enabled or cleared using the clear memory delayed-free-poisoner command that the queue contents were validated (either automatically or by the memory delayed-free-poisoner validate command).
aborted validate runs	The number of times since monitoring was enabled or cleared using the clear memory delayed-free-poisoner command that requests to check the queue contents have been aborted because more than one task (either the periodic run or a validate request from the CLI) attempted to use the queue at a time.
local time of last validate	The local system time when the last validate run completed.

Related Commands

Command	Description
clear memory delayed-free-poisoner	Clears the delayed free-memory poisoner tool queue and statistics.
memory delayed-free-poisoner enable	Enables the delayed free-memory poisoner tool.
memory delayed-free-poisoner validate	Forces validation of the elements in the delayed free-memory poisoner tool queue.

show memory profile

To display information about the memory usage (profiling) of the ASA, use the show memory profile command in privileged EXEC mode.

show memory profile [peak] [detail | collated | status]

Syntax Description

collated	(Optional) Collates the memory information displayed.
detail	(Optional) Displays detailed memory information.
peak	(Optional) Displays the peak capture buffer rather than the "in use" buffer.
status	(Optional) Displays the current state of memory profiling and the peak capture buffer.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	—	•	•

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

Use the show memory profile command to troubleshoot memory usage level and memory leaks. You can still see the profile buffer contents even if profiling has been stopped. Starting profiling clears the buffer automatically.

---

Note The ASA might experience a temporary reduction in performance when memory profiling is enabled.

---

Examples

The following is sample output from the show memory profile command:

hostname# show memory profile 

Range: start = 0x004018b4, end = 0x004169d0, increment = 00000004

Total = 0 

The output of the show memory profile detail command is divided into six data columns and one header column, at the far left. The address of the memory bucket corresponding to the first data column is given at the header column (the hexidecimal number). The data itself is the number of bytes that is held by the text/code that falls in the bucket address. A period (.) in the data column means no memory is held by the text at this bucket. Other columns in the row correspond to the bucket address that is greater than the increment amount from the previous column. For example, the address bucket of the first data column in the first row is 0x001069e0. The address bucket of the second data column in the first row is 0x001069e4 and so on. Normally the header column address is the next bucket address; that is, the address of the last data column of the previous row plus the increment. All rows without any usage are suppressed. More than one such contiguous row can be suppressed, indicated with three periods at the header column (...).

The following is sample output from the show memory profile detail command:

hostname# show memory profile detail 

Range: start = 0x00100020, end = 0x00e006e0, increment = 00000004 

Total = 48941152 

...

0x001069e0 . 24462 . . . .

... 

0x00106d88 . 1865870 . . . .

...

0x0010adf0 . 7788 . . . .

... 

0x00113640 . . . . 433152 .

...

0x00116790 2480 . . . . . 

<snip> 

The following is sample output from the show memory profile collated command:

hostname# show memory profile collated

Range: start = 0x00100020, end = 0x00e006e0, increment = 00000004

Total = 48941152

24462 0x001069e4

1865870 0x00106d8c

7788 0x0010adf4

433152 0x00113650

2480 0x00116790

<More> 

The following is sample output from the show memory profile peak command, which shows the peak capture buffer:

hostname# show memory profile peak

Range: start = 0x004018b4, end = 0x004169d0, increment = 00000004  
Total = 102400 

The following is sample output from the show memory profile peak detail command, which shows the peak capture buffer and the number of bytes that is held by the text/code that falls in the corresponding bucket address:

hostname# show memory profile peak detail 

Range: start = 0x004018b4, end = 0x004169d0, increment = 00000004

Total = 102400

... 

0x00404c8c . . 102400 . . . 

The following is sample output from the show memory profile status command, which shows the current state of memory profiling and the peak capture buffer:

hostname# show memory profile status 

InUse profiling: ON

Peak profiling: OFF

Memory used by profile buffers: 11518860 bytes

Profile:

0x00100020-0x00bfc3a8(00000004)

Related Commands

Command	Description
memory profile enable	Enables the monitoring of memory usage (memory profiling).
memory profile text	Configures a program text range of memory to profile.
clear memory profile	Clears the memory buffers held by the memory profiling function.

show memory top-usage

To display the top number of allocated fragment sizes from the show memory detail command, use the show memory top-usage command in privileged EXEC mode.

show memory top-usage [num]

Syntax Description

num	(Optional) Shows the number of bin sizes to list. Valid values are from 1-64.

Defaults

The default for num is 10.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	—	•

Command History

Release	Modification
8.4(6)	This command was introduced.

Usage Guidelines

Use the show memory top-usage command to display the top number of allocated fragment sizes from the show memory detail command.

This command does not use clustering and does not need to be disabled when clustering is enabled.

Examples

The following is sample output from the show memory top-usage command:

hostname# show memory top-usage 3

MEMPOOL_DMA pool binsize allocated byte totals:

----- allocated memory statistics -----

 fragment size       count          total

    (bytes)                        (bytes)

----------------  ----------  --------------

      1572864             9       14155776

     12582912             1       12582912

      6291456             1        6291456

----- Binsize PC top usage -----

Binsize: 1572864                total (bytes): 14155776

pc = 0x805a870, size = 16422399 , count = 9

Binsize: 12582912               total (bytes): 12582912

pc = 0x805a870, size = 12960071 , count = 1

Binsize: 6291456                total (bytes): 6291456

pc = 0x9828a6c, size = 7962695  , count = 1

MEMPOOL_GLOBAL_SHARED pool binsize allocated byte totals:

----- allocated memory statistics -----

 fragment size       count          total

    (bytes)                        (bytes)

----------------  ----------  --------------

     12582912             1       12582912

      2097152             6       12582912

        65536           181       11862016

----- Binsize PC top usage -----

Binsize: 12582912               total (bytes): 12582912

pc = 0x8249763, size = 37748736 , count = 1

Binsize: 2097152                total (bytes): 12582912

pc = 0x8a7ebfb, size = 2560064  , count = 1

pc = 0x8aa4413, size = 2240064  , count = 1

pc = 0x8a9bb13, size = 2240064  , count = 1

pc = 0x8a80542, size = 2097152  , count = 1

pc = 0x97e7172, size = 2097287  , count = 1

pc = 0x8996463, size = 2272832  , count = 1

Binsize: 65536                  total (bytes): 11862016

pc = 0x913db2b, size = 11635232 , count = 161

pc = 0x91421eb, size = 138688   , count = 2

pc = 0x97e7172, size = 339740   , count = 4

pc = 0x97e7433, size = 197229   , count = 3

pc = 0x82c3412, size = 65536    , count = 1

pc = 0x8190e09, size = 155648   , count = 2

pc = 0x8190af6, size = 77824    , count = 1

pc = 0x93016a1, size = 65536    , count = 1

pc = 0x89f1a40, size = 65536    , count = 1

pc = 0x9131140, size = 163968   , count = 2

pc = 0x8ee56c8, size = 66048    , count = 1

pc = 0x8056a01, size = 66528    , count = 1

pc = 0x80569e5, size = 66528    , count = 1

Related Commands

Command	Description
show memory tracking	Shows all currently collected information.

show memory tracking

To display currently allocated memory tracked by the tool, use the show memory tracking command in privileged EXEC mode.

show memory tracking [address | dump | detail]

Syntax Description

address	(Optional) Shows memory tracking by address.
detail	(Optional) Shows the internal memory tracking state.
dump	(Optional) Shows the memory tracking address.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	—	•	•

Command History

Release	Modification
7.0(8)	This command was introduced.

Usage Guidelines

Use the show memory tracking command to show currently allocated memory tracked by the tool.

Examples

The following is sample output from the show memory tracking command:

hostname# show memory tracking

memory tracking by caller: 

17 bytes from 1 allocates by 0x080c50c2 

37 bytes from 1 allocates by 0x080c50f6 

57 bytes from 1 allocates by 0x080c5125 

20481 bytes from 1 allocates by 0x080c5154 

The following is sample output from the show memory tracking address command:

hostname# show memory tracking address

memory tracking by caller: 

17 bytes from 1 allocates by 0x080c50c2 

37 bytes from 1 allocates by 0x080c50f6 

57 bytes from 1 allocates by 0x080c5125 

20481 bytes from 1 allocates by 0x080c5154 

memory tracking by address: 

37 byte region @ 0xa893ae80 allocated by 0x080c50f6 

57 byte region @ 0xa893aed0 allocated by 0x080c5125 

20481 byte region @ 0xa8d7cc50 allocated by 0x080c5154 

17 byte region @ 0xa8a6f370 allocated by 0x080c50c2 

The following is sample output from the show memory tracking dump command:

hostname# show memory tracking dump 

Tracking data for the 57 byte region at 0xa893aed0: 

Timestamp: 05:59:36.309 UTC Sun Jul 29 2007 

Traceback: 

0x080c5125 

0x080b3695 

0x0873f606 

0x08740573 

0x080ab530 

0x080ac788 

0x080ad141 

0x0805df8f 

Dumping 57 bytes of the 57 byte region: 

a893aed0: 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c | ................ 

a893aee0: 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c | ................ 

a893aef0: 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c | ................ 

a893af00: 0c 0c 0c 0c 0c 0c 0c 0c 0c | ......... 

Related Commands

Command	Description
clear memory tracking	Clears all currently collected information.

show memory webvpn

To generate memory usage statistics for WebVPN, use the show memory webvpn command in privileged EXEC mode.

show memory webvpn [allobjects | blocks | dumpstate [cache | disk0 | disk1 | flash | ftp | system | tftp] | pools | profile [clear | dump | start | stop] | usedobjects {{begin | exclude | grep | include} line line}]

Syntax Description

allobjects	Displays WebVPN memory consumption details for pools, blocks , and all used and freed objects.
begin	Begins with the line that matches.
blocks	Displays WebVPN memory consumption details for memory blocks.
cache	Specifies a filename for a WebVPN memory cache state dump.
clear	Clears the WebVPN memory profile.
disk0	Specifies a filename for WebVPN memory disk0 state dump.
disk1	Specifies a filename for WebVPN memory disk1 state dump:.
dump	Puts WebVPN memory profile into a file.
dumpstate	Puts WebVPN memory state into a file.
exclude	Excludes the line(s) that match.
flash	Specifies a filename for the WebVPN memory flash state dump.
ftp	Specifies a filename for the WebVPN memory FTP state dump.
grep	Includes or excludes lines that match.
include	Includes the line(s) that match.
line	Identifies the line(s) to match.
line	Specifies the line(s) to match.
pools	Shows WebVPN memory consumption details for memory pools.
profile	Obtains the WebVPN memory profile and places it in a file.
system	Specifies a filename for the WebVPN memory system state dump.
start	Starts gathering the WebVPN memory profile.
stop	Stops getting the WebVPN memory profile.
tftp	Specifies a filename for a WebVPN memory TFTP state dump.
usedobjects	Displays WebVPN memory consumption details for used objects.

Defaults

No default behavior or value.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	—	—
Global configuration	•	—	•	—	—
Webvpn configuration	•	—	•	—	—

Command History

Release	Modification
7.1(1)	This command was introduced.

Examples

The following is sample output from the show memory webvpn allobjects command:

hostname# show memory webvpn allobjects 

Arena 0x36b14f8 of 4094744 bytes (61 blocks of size 66048), maximum 134195200

130100456 free bytes (97%; 1969 blocks, zone 0)

Arena is dynamically allocated, not contiguous 

Features: GroupMgmt: SET, MemDebugLog: unset 

Pool 0xd719a78 ("cp_entries" => "pool for class cpool entries") (next 0xd6d91d8)

Size: 66040 (1% of current, 0% of limit) 

Object frame size: 32

Load related limits: 70/50/30 

Callbacks: !init/!prep/!f2ca/!dstr/!dump

Blocks in use: 

Block 0xd719ac0..0xd729cb8 (size 66040), pool "cp_entries" 

Watermarks { 0xd7098f8 <= 0xd70bb60 <= 0xd719a60 } = 57088 ready 

Block size 66040 not equal to arena block 66048 (realigned-to-8)

Used objects: 0 

Top allocated count: 275 

Objects dump: 

0. Object 0xd70bb50: FREED (by "jvclass_pool_free") 

Related Commands

Command	Description
memory-size	Sets the amount of memory on the ASA that WebVPN services can use.

show memory-caller address

To display the address ranges configured on the ASA, use the show memory-caller address command in privileged EXEC mode.

show memory-caller address

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	—	•	•

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

You must first configure an address ranges with the memory caller-address command before you can display them with the show memory-caller address command.

Examples

The following examples show how to configure the address ranges with the memory caller-address command, and the resulting output of the show memory-caller address command:

hostname# memory caller-address 0x00109d5c 0x00109e08

hostname# memory caller-address 0x009b0ef0 0x009b0f14

hostname# memory caller-address 0x00cf211c 0x00cf4464 

hostname# show memory-caller address

Move down stack frame for the addresses:

pc = 0x00109d5c-0x00109e08 

pc = 0x009b0ef0-0x009b0f14 

pc = 0x00cf211c-0x00cf4464 

If address ranges are not configured before entering the show memory-caller address command, no addresses display:

hostname# show memory-caller address

Move down stack frame for the addresses:

Related Commands

Command	Description
memory caller-address	Configures a block of memory for the caller PC.

show mfib

To display MFIB in terms of forwarding entries and interfaces, use the show mfib command in user EXEC or privileged EXEC mode.

show mfib [group [source]] [verbose] [cluster]

Syntax Description

cluster	(Optional) Displays the MFIB epoch number and the current timer value.
group	(Optional) Displays the IP address of the multicast group.
source	(Optional) Displays the IP address of the multicast route source. This is a unicast IP address in four-part dotted-decimal notation.
verbose	(Optional) Displays additional information about the entries.

Defaults

Without the optional arguments, information for all groups is shown.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
User EXEC or Privileged EXEC	•	—	•	—	—

Command History

Release	Modification
7.0(1)	This command was introduced.
9.0(1)	The cluster keyword was added. Applies to the ASA 5580 and 5585-X only.

Examples

The following is sample output from the show mfib command:

hostname# show mfib 224.0.2.39

Entry Flags: C - Directly Connected, S - Signal, IA - Inherit A flag,

             AR - Activity Required, D - Drop

Forwarding counts: Pkt Count/Pkts per second/Avg Pkt Size/Kbits per second

Other counts: Total/RPF failed/Other drops

Interface flags: A - Accept, F - Forward, NS - Negate Signalling

             IC - Internal Copy, NP - Not platform switched

             SP - Signal Present

Interface Counts: FS Pkt Count/PS Pkt Count

(*,224.0.1.39) Flags: S K

  Forwarding: 0/0/0/0, Other: 0/0/0

Related Commands

Command	Description
show mfib verbose	Displays detail information about the forwarding entries and interfaces.

show mfib active

To display active multicast sources, use the show mfib active command in user EXEC or privileged EXEC mode.

show mfib [group] active [kbps]

Syntax Description

group	(Optional) IP address of the multicast group.
kbps	(Optional) Limits the display to multicast streams that are greater-than or equal to this value.

This command has no arguments or keywords.

Defaults

The default value for kbps is 4. If a group is not specified, all groups are shown.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
User EXEC or Privileged EXEC	•	—	•	—	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

The output for the show mfib active command displays either positive or negative numbers for the rate PPS. The ASA displays negative numbers when RPF packets fail or when the router observes RPF packets with an interfaces out (OIF) list. This type of activity may indicate a multicast routing problem.

Examples

The following is sample output from the show mfib active command:

hostname# show mfib active

Active IP Multicast Sources - sending >= 4 kbps

Group: 224.2.127.254, (sdr.cisco.com)

   Source: 192.168.28.69 (mbone.ipd.anl.gov)

     Rate: 1 pps/4 kbps(1sec), 4 kbps(last 1 secs), 4 kbps(life avg)

Group: 224.2.201.241, ACM 97

   Source: 192.168.52.160 (webcast3-e1.acm97.interop.net)

     Rate: 9 pps/93 kbps(1sec), 145 kbps(last 20 secs), 85 kbps(life avg)

Group: 224.2.207.215, ACM 97

   Source: 192.168.52.160 (webcast3-e1.acm97.interop.net)

     Rate: 3 pps/31 kbps(1sec), 63 kbps(last 19 secs), 65 kbps(life avg)

Related Commands

Command	Description
show mroute active	Displays active multicast streams.

show mfib count

To display MFIB route and packet count data, use the show mfib count command in user EXEC or privileged EXEC mode.

show mfib [group [source]] count

Syntax Description

group	(Optional) IP address of the multicast group.
source	(Optional) IP address of the multicast route source. This is a unicast IP address in four-part dotted-decimal notation.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
User EXEC or Privileged EXEC	•	—	•	—	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

This command displays packet drop statistics.

Examples

The following sample output from the show mfib count command:

hostname# show mfib count

MFIB global counters are :

* Packets [no input idb] : 0

* Packets [failed route lookup] : 0

* Packets [Failed idb lookup] : 0

* Packets [Mcast disabled on input I/F] : 0

Related Commands

Command	Description
clear mfib counters	Clears MFIB router packet counters.
show mroute count	Displays multicast route counters.

show mfib interface

To display packet statistics for interfaces that are related to the MFIB process, use the show mfib interface command in user EXEC or privileged EXEC mode.

show mfib interface [interface]

Syntax Description

interface

(Optional) Interface name. Limits the display to the specified interface.

Defaults

Information for all MFIB interfaces is shown.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
User EXEC or Privileged EXEC	•	—	•	—	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Examples

The following example is sample output from the show mfib interface command:

hostname# show mfib interface

IP Multicast Forwarding (MFIB) status:

    Configuration Status: enabled

    Operational Status: running

MFIB interface       status    CEF-based output   

                            [configured,available]

           Ethernet0   up   [        no,       no]

           Ethernet1   up   [        no,       no]

           Ethernet2   up   [        no,       no]

Related Commands

Command	Description
show mfib	Displays MFIB information in terms of forwarding entries and interfaces.

show mfib reserved

To display reserved groups, use the show mfib reserved command in user EXEC or privileged EXEC mode.

show mfib reserved [count | verbose | active [kpbs]]

Syntax Description

active	(Optional) Displays active multicast sources.
count	(Optional) Displays packet and route count data.
kpbs	(Optional) Limits the display to active multicast sources greater than or equal to this value.
verbose	(Optional) Displays additional information.

Defaults

The default value for kbps is 4.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
User EXEC or Privileged EXEC	•	—	•	—	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

This command displays MFIB entries in the range 224.0.0.0 through 224.0.0.225.

Examples

The following is sample output from the show mfib reserved command:

hostname# command example

Entry Flags: C - Directly Connected, S - Signal, IA - Inherit A flag,

             AR - Activity Required, D - Drop Forwarding Counts: Pkt Count/Pkts per 
second/Avg Pkt Size/Kbits per second Other counts: Total/RPF failed/Other drops Interface 
Flags: A - Accept, F - Forward, NS - Negate Signalling 

             IC - Internal Copy, NP - Not platform switched

             SP - Signal Present

Interface Counts: FS Pkt Count/PS Pkt Count

(*,224.0.0.0/4) Flags: C K

   Forwarding: 0/0/0/0, Other: 0/0/0

(*,224.0.0.0/24) Flags: K

   Forwarding: 0/0/0/0, Other: 0/0/0

(*,224.0.0.1) Flags:

   Forwarding: 0/0/0/0, Other: 0/0/0

   outside Flags: IC

   dmz Flags: IC

   inside Flags: IC

Related Commands

Command	Description
show mfib active	Displays active multicast streams.

show mfib status

To display the general MFIB configuration and operational status, use the show mfib status command in user EXEC or privileged EXEC mode.

show mfib status

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
User EXEC or Privileged EXEC	•	—	•	—	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Examples

The following is sample output from the show mfib status command:

hostname# show mfib status

IP Multicast Forwarding (MFIB) status:

    Configuration Status: enabled

    Operational Status: running

Related Commands

Command	Description
show mfib	Displays MFIB information in terms of forwarding entries and interfaces.

show mfib summary

To display summary information about the number of MFIB entries and interfaces, use the show mfib summary command in user EXEC or privileged EXEC mode.

show mfib summary

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
User EXEC or Privileged EXEC	•	—	•	—	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Examples

The following is sample output from the show mfib summary command:

hostname# show mfib summary

IPv6 MFIB summary:

  54     total entries [1 (S,G), 7 (*,G), 46 (*,G/m)]

  17     total MFIB interfaces

Related Commands

Command	Description
show mroute summary	Displays multicast routing table summary information.

show mfib verbose

To display detail information about the forwarding entries and interfaces, use the show mfib verbose command in user EXEC or privileged EXEC mode.

show mfib verbose

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
User EXEC or Privileged EXEC	•	—	•	—	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Examples

The following is sample output from the show mfib verbose command:

hostname# show mfib verbose

Entry Flags: C - Directly Connected, S - Signal, IA - Inherit A flag,

             AR - Activity Required, D - Drop

Forwarding counts: Pkt Count/Pkts per second/Avg Pkt Size/Kbits per second

Other counts: Total/RPF failed/Other drops

Interface flags: A - Accept, F - Forward, NS - Negate Signalling

             IC - Internal Copy, NP - Not platform switched

             SP - Signal Present

Interface Counts: FS Pkt Count/PS Pkt Count

(*,224.0.1.39) Flags: S K

  Forwarding: 0/0/0/0, Other: 0/0/0

(*,224.0.1.40) Flags: S K

  Forwarding: 0/0/0/0, Other: 0/0/0

(*,224.0.0.0/8) Flags: K

  Forwarding: 0/0/0/0, Other: 0/0/0

Related Commands

Command	Description
show mfib	Displays MFIB information in terms of forwarding entries and interfaces.
show mfib summary	Displays summary information about the number of MFIB entries and interfaces.

show mgcp

To display MGCP configuration and session information, use the show mgcp command in privileged EXEC mode.

show mgcp {commands | sessions} [detail]

Syntax Description

commands	Lists the number of MGCP commands in the command queue.
detail	(Optional) Lists additional information about each command (or session) in the output.
sessions	Lists the number of existing MGCP sessions.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

The show mgcp commands command lists the number of MGCP commands in the command queue. The show mgcp sessions command lists the number of existing MGCP sessions. The detail option includes additional information about each command (or session) in the output.

Examples

The following are examples of the show mgcp command options:

hostname# show mgcp commands

1 in use, 1 most used, 200 maximum allowed

CRCX, gateway IP: host-pc-2, transaction ID: 2052, idle: 0:00:07

hostname# 

hostname# show mgcp commands detail

1 in use, 1 most used, 200 maximum allowed

CRCX, idle: 0:00:10

Gateway IP | host-pc-2

Transaction ID  2052

Endpoint name | aaln/1

Call ID | 9876543210abcdef

Connection ID | 

Media IP | 192.168.5.7

Media port | 6058

hostname# 

hostname# show mgcp sessions

1 in use, 1 most used

Gateway IP host-pc-2, connection ID 6789af54c9, active 0:00:11

hostname# 

hostname# show mgcp sessions detail

1 in use, 1 most used

Session active 0:00:14

Gateway IP | host-pc-2

Call ID | 9876543210abcdef

Connection ID | 6789af54c9

Endpoint name | aaln/1

Media lcl port  6166

Media rmt IP | 192.168.5.7

Media rmt port  6058

hostname# 

Related Commands

Commands	Description
class-map	Defines the traffic class to which to apply security actions.
debug mgcp	Enables MGCP debug information.
inspect mgcp	Enables MGCP application inspection.
mgcp-map	Defines an MGCP map and enables MGCP map configuration mode.
show conn	Displays the connection state for different connection types.

show mmp

To display information about existing MMP sessions, use the show mmp command in privileged EXEC mode.

show mmp [address]

Syntax Description 

address

Specifies the IP address of an MMP client/server.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	•	—

Command History 

Release	Modification
8.0(4)	The command was introduced.

Examples

The following example shows the use of the show mmp command to display information about existing MMP sessions:

hostname# show mmp 10.0.0.42

MMP session:: inside:10.0.0.42/5443 outside:172.23.62.204/2442

session-id=71AD3EB1-7BE8-42E0-8DC3-E96E41D4ADD5

data:: rx-bytes=1258, tx-bytes=1258

Related Commands 

Command	Description
debug mmp	Displays inspect MMP events.
inspect mmp	Configures the MMP inspection engine.
show debug mmp	Displays current debug settings for the MMP inspection module.

show mode

To show the security context mode for the running software image and for any image in Flash memory, use the show mode command in privileged EXEC mode.

show mode

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
7.0(1)	This command was introduced.

Examples

The following is sample output from the show mode command. The following example shows the current mode and the mode for the non-running image "image.bin":

hostname# show mode flash:/image.bin

Firewall mode: multiple

The mode can be multiple or single.

Related Commands

Command	Description
context	Creates a security context in the system configuration and enters context configuration mode.
mode	Sets the context mode to single or multiple.

show module

To show information about a module installed on the ASA, use the show module command in user EXEC mode.

show module [id | all] [details | recover | log [console]]]

Syntax Description

all	(Default) Shows information for all modules.
console	(Optional) Shows console log information for the module.
details	(Optional) Shows additional information, including remote management configuration for modules.
id	Specifies the module ID. For a hardware module, specify the slot number, which can be 0 (for the ASA) or 1 (for an installed module). For a software module, specify the module name, either ips or cxsc.
ips	(Optional) Shows information for the IPS SSP software module.
log	(Optional) Shows log information for the module.
recover	(Optional) Shows the settings for the hw-module or sw-module module recover command.

Defaults

By default, information for all modules is shown.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context1	System
User EXEC	•	•	•	•	•

1 The show module recover command is only available in the system execution space.

Command History

Release	Modification
7.0(1)	This command was introduced.
7.1(1)	This command was modified to include more detail in the output.
8.2(1)	Information about the SSC is included in the output.
8.2(5)	Information about support for the ASA 5585-X and for the IPS SSP on the ASA 5585-X was added.
8.4(4.1)	We added support for the ASA CX module.
8.6(1)	For the ASA 5512-X through ASA 5555-X: the log and console keywords were added; the ips device ID was added.
9.1(1)	We added support for the ASA CX software module by adding the cxsc module ID.

Usage Guidelines

This command shows information about the modules installed in the ASA. The ASA itself also appears as a module in the display (in slot 0).

Examples

The following is sample output from the show module command. Module 0 is the base device; module 1 is a CSC SSM.

hostname# show module

Mod Card Type                                    Model              Serial No.

--- -------------------------------------------- ------------------ -----------

  0 ASA 5520 Adaptive Security Appliance         ASA5520            P3000000034

  1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         0

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version

--- --------------------------------- ------------ ------------ ---------------

  0 000b.fcf8.c30d to 000b.fcf8.c311  1.0          1.0(10)0     7.1(0)5

  1 000b.fcf8.012c to 000b.fcf8.012c  1.0          1.0(10)0     CSC SSM 5.0 (Build#1187)

Mod SSM Application Name           SSM Application Version

--- ------------------------------ --------------------------

  1 CSC SSM scan services are not

  1 CSC SSM                        5.0 (Build#1187)

Mod Status             Data Plane Status     Compatibility

--- ------------------ --------------------- -------------

  0 Up Sys             Not Applicable

  1 Up                 Up

Table 26-3 describes each field listed in the output.

Table 51-3 show module Output Fields 

Field	Description
Mod	The module number, 0 or 1.
Ports	The number of ports.
Card Type	For the device shown in module 0, the type is the platform model. For the SSM in module 1, the type is the SSM type.
Model	The model number for this module.
Serial No.	The serial number.
MAC Address Range	The MAC address range for interfaces on this SSM or, for the device, the built-in interfaces.
Hw Version	The hardware version.
Fw Version	The firmware version.
Sw Version	The software version.
SSM Application Name	The name of the application running on the SSM.
SSM Application Version	The version of the application running on the SSM.
Status	For the device in module 0, the status is Up Sys. The status of the SSM in module 1 can be any of the following: •Initializing—The SSM is being detected and the control communication is being initialized by the device. •Up—The SSM has completed initialization by the device. •Unresponsive—The device encountered an error while communicating with this SSM. •Reloading—The SSM is reloading. •Shutting Down—The SSM is shutting down. •Down—The SSM is shut down. •Recover—The SSM is attempting to download a recovery image. •No Image Present—The IPS software has not been installed.
Data Plane Status	The current state of the data plane.
Compatibility	The compatibility of the SSM relative to the rest of the device.
Slot	The physical slot number (used only in dual SSP mode).

The output of the show module details command varies according to which module is installed. For example, output for the CSC SSM includes fields about components of the CSC SSM software.

The following is generic sample output from the show module 1 details command:

hostname# show module 1 details

Getting details from the Service Module, please wait...

ASA 5500 Series Security Services Module-20

Model:              ASA-SSM-20

Hardware version:   V1.0

Serial Number:      12345678

Firmware version:   1.0(7)2

Software version:   4.1(1.1)S47(0.1)

MAC Address Range:  000b.fcf8.0156 to 000b.fcf8.0156

Data plane Status:  Up

Status:             Up

Mgmt IP addr:       10.89.147.13

Mgmt web ports:     443

Mgmt TLS enabled:   true

Table 26-4 describes each field listed in the output.

Table 51-4 show module details Output Fields 

Field	Description
Mgmt IP addr	Shows the IP address for the SSM management interface.
Mgmt web ports	Shows the ports configured for the SSM management interface.
Mgmt TLS enabled	Shows whether transport layer security is enabled (true or false) for connections to the management interface of the SSM.

The following is sample output from the show module 1 recover command:

hostname# show module 1 recover

Module 1 recover parameters. . .

Boot Recovery Image: Yes

Image URL:           tftp://10.21.18.1/ids-oldimg

Port IP Address:     10.1.2.10

Port Mask :          255.255.255.0

Gateway IP Address:  10.1.2.254

The following is sample output from the show module 1 details command when an SSC is installed:

hostname# show module 1 details

Getting details from the Service Module, please wait...

ASA 5505 Security Services Card

Model: ASA-SSC

Hardware version: 0.1

Serial Number: JAB11370240

Firmware version: 1.0(14)3

Software version: 6.2(1)E2

MAC Address Range: 001d.45c2.e832 to 001d.45c2.e832

App. Name: IPS

App. Status: Up

App. Status Desc:

App. Version: 6.2(1)E2

Data plane Status: Up

Status: Up

Mgmt IP Addr: 209.165.201.29

Mgmt Network Mask: 255.255.224.0

Mgmt Gateway: 209.165.201.30 

Mgmt Access List: 209.165.201.31/32

					209.165.202.158/32

					209.165.200.254/24

Mgmt Vlan: 20

The following is sample output from the show module 1 details command when an IPS SSP is installed in an ASA 5585-X:

hostname# show module 1 details

Getting details from the Service Module, please wait...

ASA 5500 Series Security Services Module-20

Model: ASA-SSM-20

Hardware version: V1.0

Serial Number: 12345678

Firmware version: 1.0(7)2

Software version: 4.1(1.1)S47(0.1)

MAC Address Range: 000b.fcf8.0156 to 000b.fcf8.0156

Data plane Status: Up

Status: Up

Mgmt IP addr: 10.89.147.13

Mgmt web ports: 443

Mgmt TLS enabled: true

The following is sample output from the show module ips command when the IPS software is installed in an ASA 5525-X:

hostname# show module ips

Mod Card Type                                    Model              Serial No.

--- -------------------------------------------- ------------------ -----------

  0 ASA 5525 Adaptive Security Appliance         ASA5525            FCH1445V00M

  1 IPS 5525 Intrusion Protection System         IPS5525            FCH1445V00M

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version

--- --------------------------------- ------------ ------------ ---------------

  0 588d.0990.8928 to 588d.0990.8931  1.0                       8.6(1)

  1 588d.0990.8926 to 588d.0990.8926  N/A          N/A          7.2(1)

Mod SSM Application Name           Status           SSM Application Version

--- ------------------------------ ---------------- --------------------------

  1 IPS                            Up               7.2(1)

Mod Status             Data Plane Status     Compatibility

--- ------------------ --------------------- -------------

  0 Up Sys             Not Applicable

  1 Up                 Up

The following is sample output from the show module ips command when the IPS software installed in an ASA 5525-X has been licensed:

hostname# show module ips

Mod Card Type                                    Model              Serial No.

--- -------------------------------------------- ------------------ -----------

  1   IPS 5525 Intrusion Protection System       IPS5525            FCH1504V03P

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version

--- --------------------------------- ------------ ------------ ---------------

  1 503d.e59c.6f89 to 503d.e59c.6f89  N/A          N/A          7.2(1)

Mod SSM Application Name           Status           SSM Application  Version

--- ------------------------------ ---------------- ---------------- ----------

  1 IPS                            Up               7.2(1)

Mod Status             Data Plane Status     Compatibility

--- ------------------ --------------------- -------------

  1 Up                 Up

Mod License Name      License Status  Time Remaining

--- ----------------- --------------- ---------------

  1 IPS Module        Enabled         7 days

The following is sample output from the show module all command when a CXSC SSP is installed in an ASA 5585-X:

hostname# show module all

Mod Card Type                                     Model              Serial No. 

--- --------------------------------------------  ------------------ -----------

  0 ASA 5585-X Security Services Processor-10 wi  ASA5585-SSP-10     JAF1504CBRM

  1 ASA 5585-X CXSC Security Services Processor-1 ASA5585-SSP-IPS10  JAF1510BLSE

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version     

--- --------------------------------- ------------ ------------ ---------------

  0 5475.d05b.1d54 to 5475.d05b.1d5f  1.0          2.0(7)0      100.7(14)13

  1 5475.d05b.248c to 5475.d05b.2497  1.0          0.0(0)0      1.0

Mod SSM Application Name           Status           SSM Application Version

--- ------------------------------ ---------------- --------------------------

  1 CXSC Security Module             Up               1.0

Mod Status             Data Plane Status     Compatibility

--- ------------------ --------------------- -------------

  0 Up Sys             Not Applicable 

  1 Up                 Up 

The following is sample output from the show module 1 details command when a CXSC SSP is installed in an ASA 5585-X:

hostname# show module 1 details

Getting details from the Service Module, please wait...

ASA 5500 Series Security Services Module-20

Model: ASA5585-S10C10-K8

Hardware version:   1.0

Serial Number:      123456789

Firmware version:   1.0(9)0

Software version:   CXSC Security Module Version 1.0

App. name:          CXSC Security Module

App. version:       Version 1.0

Data plane Status:  Up

Status:             Up

HTTP Service:       Up

Activated:          Yes

Mgmt IP addr:       100.0.1.4

Mgmt web port:      8443

Related Commands

Command	Description
debug module-boot	Shows debugging messages about the module booting process.
hw-module module recover	Recovers an module by loading a recovery image from a TFTP server.
hw-module module reset	Shuts down an module and performs a hardware reset.
hw-module module reload	Reloads the module software.
hw-module module shutdown	Closes the module software in preparation for being powered off without losing configuration data.

show monitor-interface

To display information about the interfaces monitored for failover, use the show monitor-interface command in privileged EXEC mode.

show monitor-interface

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
7.0(1)	This command was introduced.
8.2(2)	This command was modified. The output includes IPv6 addresses.

Usage Guidelines

Because an interface can have more than one IPv6 address configured on it, only the link-local address is displayed in the show monitor-interface command. If both IPv4 and IPv6 addresses are configured on an interface, both addresses appear in the output. If there is no IPv4 address configured on the interface, the IPv4 address in the output appears as 0.0.0.0. If there is no IPv6 address configured on an interface, the address is simply omitted from the output.

Monitored failover interfaces can have the following status:

•Unknown—Initial status. This status can also mean the status cannot be determined.

•Normal—The interface is receiving traffic.

•Normal (Waiting)—The interface is up but has not yet received a hello packet from the corresponding interface on the peer unit. Verify that a standby IP address has been configured for the interface and that there is connectivity between the two interfaces.

•Testing—Hello messages are not heard on the interface for five poll times.

•Link Down—The interface or VLAN is administratively down.

•No Link—The physical link for the interface is down.

•Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.

Examples

The following is sample output from the show monitor-interface command:

hostname# show monitor-interface

This host: Primary - Active 

                Interface outside (10.86.94.88): Normal (Waiting)

                Interface management (192.168.1.1): Normal (Waiting)

                Interface failif (0.0.0.0/fe80::223:4ff:fe77:fed): Normal (Waiting)

        Other host: Secondary - Failed 

                Interface outside (0.0.0.0): Unknown (Waiting)

                Interface management (0.0.0.0): Unknown (Waiting)

                Interface failif (0.0.0.0): Unknown (Waiting)

Related Commands

Command	Description
monitor-interface	Enables health monitoring on a specific interface

show mrib client

To display information about the MRIB client connections, use the show mrib client command in user EXEC or privileged EXEC mode.

show mrib client [filter] [name client_name]

Syntax Description

filter	(Optional) Displays client filter. Used to view information about the MRIB flags that each client owns and the flags in which each clients is interested.
name client_name	(Optional) Name of a multicast routing protocol that acts as a client of MRIB, such as PIM or IGMP.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
User EXEC or Privileged EXEC	•	—	•	—	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

The filter option is used to display the route and interface level flag changes that various MRIB clients have registered. This command option also shows what flags are owned by the MRIB clients.

Examples

The following sample output from the show mrib client command using the filter keyword:

hostname# show mrib client filter

MFWD:0 (connection id 0)

interest filter:

entry attributes: S C IA D

interface attributes: F A IC NS DP SP

groups:

include 0.0.0.0/0

interfaces:

include All

ownership filter:

groups:

include 0.0.0.0/0

interfaces:

include All

igmp:77964 (connection id 1)

ownership filter:

interface attributes: II ID LI LD

groups:

include 0.0.0.0/0

interfaces:

include All

pim:49287 (connection id 5)

interest filter:

entry attributes: E

interface attributes: SP II ID LI LD

groups:

include 0.0.0.0/0

interfaces:

include All

ownership filter:

entry attributes: L S C IA D

interface attributes: F A IC NS DP

groups:

include 0.0.0.0/0

interfaces:

include All

Related Commands

Command	Description
show mrib route	Displays MRIB table entries.

show mrib route

To display entries in the MRIB table, use the show mrib route command in user EXEC or privileged EXEC mode.

show mrib route [[source | *] [group[/prefix-length]]]

Syntax Description

*	(Optional) Display shared tree entries.
/prefix-length	(Optional) Prefix length of the MRIB route. A decimal value that indicates how many of the high-order contiguous bits of the address comprise the prefix (the network portion of the address). A slash mark must precede the decimal value.
group	(Optional) IP address or name of the group.
source	(Optional) IP address or name of the route source.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
User EXEC or Privileged EXEC	•	—	•	—	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

The MFIB table maintains a subset of entries and flags updated from MRIB. The flags determine the forwarding and signaling behavior according to a set of forwarding rules for multicast packets.

In addition to the list of interfaces and flags, each route entry shows various counters. Byte count is the number of total bytes forwarded. Packet count is the number of packets received for this entry. The show mfib count command displays global counters independent of the routes.

Examples

The following is sample output from the show mrib route command:

hostname# show mrib route

IP Multicast Routing Information Base

Entry flags: L - Domain-Local Source, E - External Source to the Domain,

    C - Directly-Connected Check, S - Signal, IA - Inherit Accept, D - Drop

Interface flags: F - Forward, A - Accept, IC - Internal Copy,

    NS - Negate Signal, DP - Don't Preserve, SP - Signal Present,

    II - Internal Interest, ID - Internal Disinterest, LI - Local Interest,

LD - Local Disinterest

(*,224.0.0.0/4) RPF nbr: 10.11.1.20 Flags: L C

   Decapstunnel0 Flags: NS

(*,224.0.0.0/24) Flags: D

(*,224.0.1.39) Flags: S

(*,224.0.1.40) Flags: S

   POS0/3/0/0 Flags: II LI

(*,238.1.1.1) RPF nbr: 10.11.1.20 Flags: C

   POS0/3/0/0 Flags: F NS LI

   Decapstunnel0 Flags: A

(*,239.1.1.1) RPF nbr: 10.11.1.20 Flags: C

   POS0/3/0/0 Flags: F NS

   Decapstunnel0 Flags: A

Related Commands

Command	Description
show mfib count	Displays route and packet count data for the MFIB table.
show mrib route summary	Displays a summary of the MRIB table entries.

show mroute

To display the IPv4 multicast routing table, use the show mroute command in privileged EXEC mode.

show mroute [group [source] | reserved] [active [rate] | count | pruned | summary]

Syntax Description

active rate	(Optional) Displays only active multicast sources. Active sources are those sending at the specified rate or higher. If the rate is not specified, active sources are those sending at a rate of 4 kbps or higher.
count	(Optional) Displays statistics about the group and source, including number of packets, packets per second, average packet size, and bits per second.
group	(Optional) IP address or name of the multicast group as defined in the DNS hosts table.
pruned	(Optional) Displays pruned routes.
reserved	(Optional) Displays reserved groups.
source	(Optional) Source hostname or IP address.
summary	(Optional) Displays a one-line, abbreviated summary of each entry in the multicast routing table.

Defaults

If not specified, the rate argument defaults to 4 kbps.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	—	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

The show mroute command displays the contents of the multicast routing table. The ASA populates the multicast routing table by creating (S,G) and (*,G) entries based on PIM protocol messages, IGMP reports, and traffic. The asterisk (*) refers to all source addresses, the "S" refers to a single source address, and the "G" is the destination multicast group address. In creating (S, G) entries, the software uses the best path to that destination group found in the unicast routing table (through RPF).

To view the mroute commands in the running configuration, use the show running-config mroute command.

Examples

The following is sample output from the show mroute command:

hostname(config)# show mroute

Multicast Routing Table

Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, 

       C - Connected, L - Local, I - Received Source Specific Host Report,

       P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set,

       J - Join SPT

Timers: Uptime/Expires

Interface state: Interface, State

(*, 239.1.1.40), 08:07:24/never, RP 0.0.0.0, flags: DPC

  Incoming interface: Null

  RPF nbr: 0.0.0.0

  Outgoing interface list:

    inside, Null, 08:05:45/never

    tftp, Null, 08:07:24/never

(*, 239.2.2.1), 08:07:44/never, RP 140.0.0.70, flags: SCJ

  Incoming interface: outside

  RPF nbr: 140.0.0.70

  Outgoing interface list:

    inside, Forward, 08:07:44/never

The following fields are shown in the show mroute output:

•Flags—Provides information about the entry.

–D—Dense. Entry is operating in dense mode.

–S—Sparse. Entry is operating in sparse mode.

–B—Bidir Group. Indicates that a multicast group is operating in bidirectional mode.

–s—SSM Group. Indicates that a multicast group is within the SSM range of IP addresses. This flag is reset if the SSM range changes.

–C—Connected. A member of the multicast group is present on the directly connected interface.

–L—Local. The ASA itself is a member of the multicast group. Groups are joined locally by the igmp join-group command (for the configured group).

–I—Received Source Specific Host Report. Indicates that an (S, G) entry was created by an (S, G) report. This (S, G) report could have been created by IGMP. This flag is set only on the DR.

–P—Pruned. Route has been pruned. The software keeps this information so that a downstream member can join the source.

–R—RP-bit set. Indicates that the (S, G) entry is pointing toward the RP.

–F—Register flag. Indicates that the software is registering for a multicast source.

–T—SPT-bit set. Indicates that packets have been received on the shortest path source tree.

–J—Join SPT. For (*, G) entries, indicates that the rate of traffic flowing down the shared tree is exceeding the SPT-Threshold set for the group. (The default SPT-Threshold setting is 0 kbps.) When the J - Join shortest path tree (SPT) flag is set, the next (S, G) packet received down the shared tree triggers an (S, G) join in the direction of the source, thereby causing the ASA to join the source tree.

For (S, G) entries, indicates that the entry was created because the SPT-Threshold for the group was exceeded. When the J - Join SPT flag is set for (S, G) entries, the ASA monitors the traffic rate on the source tree and attempts to switch back to the shared tree for this source if the traffic rate on the source tree falls below the SPT-Threshold of the group for more than 1 minute.

---

Note The ASA measures the traffic rate on the shared tree and compares the measured rate to the SPT-Threshold of the group once every second. If the traffic rate exceeds the SPT-Threshold, the J - Join SPT flag is set on the (*, G) entry until the next measurement of the traffic rate. The flag is cleared when the next packet arrives on the shared tree and a new measurement interval is started.

---

If the default SPT-Threshold value of 0 kbps is used for the group, the J - Join SPT flag is always set on (*, G) entries and is never cleared. When the default SPT-Threshold value is used, the ASA immediately switches to the shortest path source tree when traffic from a new source is received.

•Timers:Uptime/Expires—Uptime indicates per interface how long (in hours, minutes, and seconds) the entry has been in the IP multicast routing table. Expires indicates per interface how long (in hours, minutes, and seconds) until the entry will be removed from the IP multicast routing table.

•Interface state—Indicates the state of the incoming or outgoing interface.

–Interface—The interface name listed in the incoming or outgoing interface list.

–State—Indicates that packets will either be forwarded, pruned, or null on the interface depending on whether there are restrictions due to access lists or a time-to-live (TTL) threshold.

•(*, 239.1.1.40) and (* , 239.2.2.1)—Entries in the IP multicast routing table. The entry consists of the IP address of the source followed by the IP address of the multicast group. An asterisk (*) in place of the source indicates all sources.

•RP—Address of the RP. For routers and access servers operating in sparse mode, this address is always 224.0.0.0.

•Incoming interface—Expected interface for a multicast packet from the source. If the packet is not received on this interface, it is discarded.

•RPF nbr—IP address of the upstream router to the source.

•Outgoing interface list—Interfaces through which packets will be forwarded.

Related Commands

Command	Description
clear configure mroute	Removes the mroute commands from the running configuration.
mroute	Configures a static multicast route.
show mroute	Displays IPv4 multicast routing table.
show running-config mroute	Displays configured multicast routes.

show nac-policy

To show the NAC policy usage statistics and the assignment of NAC policies to group policies, use the show nac-policy command in privileged EXEC mode.

show nac-policy [nac-policy-name]

Syntax Description

nac-policy-name

(Optional) Name of the NAC policy for which to display usage statistics.

Defaults

If you do not specify a name, the CLI lists all NAC policy names along with their respective statistics.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	—	—	•

Command History

Release	Modification
8.0(2)	This command was introduced.

Examples

The following example shows the data for the NAC policies named framework1 and framework2:

asa2(config)# show nac-policy

nac-policy framework1 nac-framework

  applied session count = 0

  applied group-policy count = 2

  group-policy list:    GroupPolicy2    GroupPolicy1

nac-policy framework2 nac-framework is not in use.

The first line of each NAC policy indicates its name and type (nac-framework). The CLI shows the text "is not in use" next to the policy type if the policy is not assigned to any group policies. Otherwise, the CLI displays the usage data for the group policy. Table 51-5 explains the fields in the show nac-policy command.

Table 51-5 show nac-policy Command Fields 

Field	Description
applied session count	Cumulative number of VPN sessions to which this ASA applied the NAC policy.
applied group-policy count	Cumulative number of group polices to which this ASA applied the NAC policy.
group-policy list	List of group policies to which this NAC policy is assigned. In this case, the usage of a group policy does not determine whether it appears in this list; if the NAC policy is assigned to a group policy in the running configuration, then the group policy appears in this list.

Related Commands

clear nac-policy	Resets the NAC policy usage statistics.
show vpn-session.db	Displays information about VPN sessions, including NAC results.
show vpn-session_summary.db	Displays the number IPsec, Cisco WebVPN, and NAC sessions.

show nameif

To view the interface name set using the nameif command, use the show nameif command in privileged EXEC mode.

show nameif [physical_interface[.subinterface] | mapped_name]

Syntax Description

mapped_name	(Optional) In multiple context mode, identifies the mapped name if it was assigned using the allocate-interface command.
physical_interface	(Optional) Identifies the interface ID, such as gigabitethernet0/1. See the interface command for accepted values.
subinterface	(Optional) Identifies an integer between 1 and 4294967293 designating a logical subinterface.

Defaults

If you do not specify an interface, the ASA shows all interface names.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

In multiple context mode, if you mapped the interface ID in the allocate-interface command, you can only specify the mapped name in a context. The output for this command shows only the mapped name in the Interface column.

Examples

The following is sample output from the show nameif command:

hostname# show nameif

Interface                Name                     Security

GigabitEthernet0/0       outside                  0

GigabitEthernet0/1       inside                   100

GigabitEthernet0/2       test2                    50

Related Commands

Command	Description
allocate-interface	Assigns interfaces and subinterfaces to a security context.
interface	Configures an interface and enters interface configuration mode.
nameif	Sets the interface name.
show interface ip brief	Shows the interface IP address and status.

show nat

To display statistics of NAT policies, use the show nat command in privileged EXEC mode.

show nat [interface name] [ip_addr mask | {object | object-group} name] [translated [interface name] [ip_addr mask | {object | object-group} name]] [detail] [divert-table [ipv6] [interface name]]

Syntax Description

detail	(Optional) Includes more verbose expansion of the object fields.
divert-table	(Optional) Shows the NAT divert table.
interface name	(Optional) Specifies the source interface.
ip_addr mask	(Optional) Specifies an IP address and subnet mask.
ipv6	(Optional) Shows IPv6 entries in the divert table.
object name	(Optional) Specifies a network object or service object.
object-group name	(Optional) Specifies a network object group
translated	(Optional) Specifies the translated parameters.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	—

Command History

Release	Modification
8.3(1)	This command was introduced.
9.0(1)	This command now supports IPv6 traffic, as well as translations between IPv4 and IPv6.

Usage Guidelines

Use the show nat command to show runtime representation of the NAT policy. Use the detail optional keyword to expand the object and view the object values. Use the additional selector fields to limit the show nat command output.

Examples

The following is sample output from the show nat command:

hostname# show nat

   Manual NAT Policies (Section 1)

   1 (any) to (any) source dynamic S S' destination static D' D

       translate_hits = 0, untranslate_hits = 0

   Auto NAT Policies (Section 2)

   1 (inside) to (outside) source dynamic A 2.2.2.2

       translate_hits = 0, untranslate_hits = 0

   Manual NAT Policies (Section 3)

   1 (any) to (any) source dynamic C C' destination static B' B service R R'

       translate_hits = 0, untranslate_hits = 0

hostname# show nat detail

   Manual NAT Policies (Section 1)

   1 (any) to (any) source dynamic S S' destination static D' D

       translate_hits = 0, untranslate_hits = 0

       Source - Real: 1.1.1.2/32, Mapped: 2.2.2.3/32

       Destination - Real: 10.10.10.0/24, Mapped: 20.20.20.0/24

   Auto NAT Policies (Section 2)

   1 (inside) to (outside) source dynamic A 2.2.2.2

       translate_hits = 0, untranslate_hits = 0

       Source - Real: 1.1.1.1/32, Mapped: 2.2.2.2/32

   Manual NAT Policies (Section 3)

	1 (any) to (any) source dynamic C C' destination static B' B service R R'

       translate_hits = 0, untranslate_hits = 0

       Source - Real: 11.11.11.10-11.11.11.11, Mapped: 192.168.10.10/32

       Destination - Real: 192.168.1.0/24, Mapped: 10.75.1.0/24

       Service - Real: tcp source eq 10 destination eq ftp-data , Mapped: tcp source eq 

       100 destination eq 200

The following is sample output from the show nat detail command between IPv6 and IPv4:

hostname# show nat detail

1 (in) to (outside) source dynamic inside_nw outside_map destination static inside_map any

translate_hits = 0, untranslate_hits = 0

Source - Origin: 2001::/96, Translated: 192.168.102.200-192.168.102.210

Destination - Origin: 2001::/96, Translated: 0.0.0.0/0

The following is sample output from the show nat divert ipv6 command:

hostname# show nat divert ipv6

Divert Table

id=0xcb9ea518, domain=divert-route

type=static, hits=0, flags=0x21, protocol=0

src ip/id=2001::/ffff:ffff:ffff:ffff:ffff:ffff::, port=0-0

dst ip/id=2001::/ffff:ffff:ffff:ffff:ffff:ffff::, port=0-0

input_ifc=in, output_ifc=outside

id=0xcf24d4b8, domain=divert-route

type=static, hits=0, flags=0x20, protocol=0

src ip/id=::/::, port=0-0

dst ip/id=2222::/ffff:ffff:ffff:ffff:ffff:ffff::, port=0-0

input_ifc=in, output_ifc=mgmt

Related Commands

Command	Description
clear nat counters	Clears NAT policy counters.
nat	Identifies addresses on one interface that are translated to mapped addresses on another interface.

show nat pool

To display statistics of NAT pool usage, use the show nat pool command in privileged EXEC mode.

show nat pool

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	—

Command History

Release	Modification
8.3(1)	This command was introduced.
8.4(3)	The output was modified to show the destination address for extended PAT. The PAT range was also modified depending on the use of the flat and include-reserve keywords.
9.0(1)	This command now supports IPv6 traffic.

Usage Guidelines

A NAT pool is created for each mapped protocol/IP address/port range, where the port ranges are 1-511, 512-1023, and 1024-65535 by default. If you use the flat keyword for a PAT pool in the nat command, you will see fewer, larger ranges.

Each NAT pool exists for at least 10 minutes after the last usage. The 10 minute hold-down timer is canceled if you clear the translations with clear xlate.

Examples

The following is sample output for the NAT pools created by a dynamic PAT rule shown by the show running-config object network command.

hostname(config)# show running-config object network

object network myhost

 host 10.10.10.10

 nat (pppoe2,inside) dynamic 10.76.11.25

hostname# show nat pool

TCP inside, address 10.76.11.25, range 1-511, allocated 0

TCP inside, address 10.76.11.25, range 512-1023, allocated 0

TCP inside, address 10.76.11.25, range 1024-65535, allocated 1

The following is sample output from the show nat pool command showing use of the PAT pool flat option. Without the include-reserve keyword, two ranges are shown; the lower range is used when a source port below 1024 is mapped to the same port.

hostname# show nat pool

ICMP PAT pool outside:dynamic-pat, address 172.16.2.200, range 1-65535, allocated 2

TCP PAT pool outside:dynamic-pat, address 172.16.2.200, range 1-1024, allocated 0

TCP PAT pool outside:dynamic-pat, address 172.16.2.200, range 1024-65535, allocated 2

UDP PAT pool outside:dynamic-pat, address 172.16.2.200, range 1-1024, allocated 0

UDP PAT pool outside:dynamic-pat, address 172.16.2.200, range 1024-65535, allocated 2

The following is sample output from the show nat pool command showing use of the PAT pool flat include-reserve options.

hostname# show nat pool

ICMP PAT pool outside:dynamic-pat, address 172.16.2.200, range 1-65535, allocated 2

TCP PAT pool outside:dynamic-pat, address 172.16.2.200, range 1-65535, allocated 2

UDP PAT pool outside:dynamic-pat, address 172.16.2.200, range 1-65535, allocated 2

The following is sample output from the show nat pool command showing use of the PAT pool extended flat include-reserve options. The important items are the parenthetical addresses. These are the destination addresses used to extend PAT.

ICMP PAT pool outside:dynamic-pat, address 172.16.2.200, range 1-65535, allocated 0

ICMP PAT pool outside:dynamic-pat, address 172.16.2.200(172.16.2.99), range 1-65535, 
allocated 2

TCP PAT pool outside:dynamic-pat, address 172.16.2.200(172.16.2.100), range 1-65535, 
allocated 1

UDP PAT pool outside:dynamic-pat, address 172.16.2.200(172.16.2.100), range 1-65535, 
allocated 1

TCP PAT pool outside:dynamic-pat, address 172.16.2.200, range 1-65535, allocated 0

ICMP PAT pool outside:dynamic-pat, address 172.16.2.200(172.16.2.100), range 1-65535, 
allocated 1

TCP PAT pool outside:dynamic-pat, address 172.16.2.200(172.16.2.99), range 1-65535, 
allocated 2

UDP PAT pool outside:dynamic-pat, address 172.16.2.200, range 1-65535, allocated 0

Related Commands

Command	Description
nat	Identifies addresses on one interface that are translated to mapped addresses on another interface.
show nat	Displays NAT policy statistics.

show ntp associations

To view NTP association information, use the show ntp associations command in user EXEC mode.

show ntp associations [detail]

Syntax Description

detail

(Optional) Shows additional details about each association.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
User EXEC	•	•	•	—	•

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

See the "Examples" section for a description of the display output.

Examples

The following is sample output from the show ntp associations command:

hostname> show ntp associations

     address         ref clock     st  when  poll  reach  delay  offset    disp

 ~172.31.32.2      172.31.32.1       5    29  1024  377     4.2   -8.59     1.6

+~192.168.13.33    192.168.1.111     3    69   128  377     4.1    3.48     2.3

*~192.168.13.57    192.168.1.111     3    32   128  377     7.9   11.18     3.6

* master (synced), # master (unsynced), + selected, - candidate, ~ configured

Table 51-6 shows each field description.

Table 51-6 show ntp associations Fields

Field	Description
(leading characters in display lines)	The first characters in a display line can be one or more of the following characters: •* —Synchronized to this peer. •# —Almost synchronized to this peer. •+ —Peer selected for possible synchronization. •- —Peer is a candidate for selection. •~ —Peer is statically configured, but not synchronized.
address	The address of the NTP peer.
ref clock	The address of the reference clock of the peer.
st	The stratum of the peer.
when	The time since the last NTP packet was received from the peer.
poll	The polling interval (in seconds).
reach	The peer reachability (as a bit string, in octal).
delay	The round-trip delay to the peer (in milliseconds).
offset	The relative time of the peer clock to the local clock (in milliseconds).
disp	The dispersion value.

The following is sample output from the show ntp associations detail command:

hostname> show ntp associations detail

172.23.56.249 configured, our_master, sane, valid, stratum 4

ref ID 172.23.56.225, time c0212639.2ecfc9e0 (20:19:05.182 UTC Fri Feb 22 2002)

our mode client, peer mode server, our poll intvl 128, peer poll intvl 128

root delay 38.04 msec, root disp 9.55, reach 177, sync dist 156.021

delay 4.47 msec, offset -0.2403 msec, dispersion 125.21

precision 2**19, version 3

org time c02128a9.731f127b (20:29:29.449 UTC Fri Feb 22 2002)

rcv time c02128a9.73c1954b (20:29:29.452 UTC Fri Feb 22 2002)

xmt time c02128a9.6b3f729e (20:29:29.418 UTC Fri Feb 22 2002)

filtdelay =     4.47    4.58    4.97    5.63    4.79    5.52    5.87   0.00

filtoffset =   -0.24   -0.36   -0.37    0.30   -0.17    0.57   -0.74   0.00

filterror =     0.02    0.99    1.71    2.69    3.66    4.64    5.62   16000.0

Table 51-7 shows each field description.

Table 51-7 show ntp associations detail Fields 

Field	Description
IP-address configured	The server (peer) IP address.
(status)	•our_master—The ASA is synchronized to this peer. •selected—Peer is selected for possible synchronization. •candidate—Peer is a candidate for selection.
(sanity)	•sane—The peer passes basic sanity checks. •insane—The peer fails basic sanity checks.
(validity)	•valid—The peer time is believed to be valid. •invalid—The peer time is believed to be invalid. •leap_add—The peer is signalling that a leap second will be added. •leap-sub—The peer is signalling that a leap second will be subtracted.
stratum	The stratum of the peer.
(reference peer)	unsynced—The peer is not synchronized to any other machine. ref ID—The address of the machine that the peer is synchronized to.
time	The last time stamp the peer received from its master.
our mode client	Our mode relative to the peer, which is always client.
peer mode server	The mode of the peer relative to the server.
our poll intvl	Our poll interval to the peer.
peer poll intvl	The peer poll interval to us.
root delay	The delay along the path to the root (ultimate stratum 1 time source).
root disp	The dispersion of the path to the root.
reach	The peer reachability (as a bit string in octal).
sync dist	The peer synchronization distance.
delay	The round-trip delay to the peer.
offset	The offset of the peer clock relative to our clock.
dispersion	The dispersion of the peer clock.
precision	The precision of the peer clock (in hertz).
version	The NTP version number that the peer is using.
org time	The originate time stamp.
rcv time	The receive time stamp.
xmt time	The transmit time stamp.
filtdelay	The round-trip delay (in milliseconds) of each sample.
filtoffset	The clock offset (in milliseconds) of each sample.
filterror	The approximate error of each sample.

Related Commands

Command	Description
ntp authenticate	Enables NTP authentication.
ntp authentication-key	Sets an encrypted authentication key to synchronize with an NTP server.
ntp server	Identifies an NTP server.
ntp trusted-key	Provides a key ID for the ASA to use in packets for authentication with an NTP server.
show ntp status	Shows the status of the NTP association.

show ntp status

To show the status of each NTP association, use the show ntp status command in user EXEC mode.

show ntp status

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
User EXEC	•	•	•	—	•

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

See the "Examples" section for a description of the display output.

Examples

The following is sample output from the show ntp status command:

hostname> show ntp status

Clock is synchronized, stratum 5, reference is 172.23.56.249

nominal freq is 99.9984 Hz, actual freq is 100.0266 Hz, precision is 2**6

reference time is c02128a9.73c1954b (20:29:29.452 UTC Fri Feb 22 2002)

clock offset is -0.2403 msec, root delay is 42.51 msec

root dispersion is 135.01 msec, peer dispersion is 125.21 msec

Table 51-8 shows each field description.

Table 51-8 show ntp status Fields 

Field	Description
Clock	•synchronized—The ASA is synchronized to an NTP server. •unsynchronized—The ASA is not synchronized to an NTP server.
stratum	NTP stratum of this system.
reference	The address of the NTP server to which the ASA is synchronized.
nominal freq	The nominal frequency of the system hardware clock.
actual freq	The measured frequency of the system hardware clock.
precision	The precision of the clock of this system (in hertz).
reference time	The reference time stamp.
clock offset	The offset of the system clock to the synchronized peer.
root delay	The total delay along the path to the root clock.
root dispersion	The dispersion of the root path.
peer dispersion	The dispersion of the synchronized peer.

Related Commands

Command	Description
ntp authenticate	Enables NTP authentication.
ntp authentication-key	Sets an encrypted authentication key to synchronize with an NTP server.
ntp server	Identifies an NTP server.
ntp trusted-key	Provides a key ID for the ASA to use in packets for authentication with an NTP server.
show ntp associations	Shows the NTP servers with which the ASA is associated.

show object-group

To display object group information and the relevant hit count if the object group is of the network object-group type, use the show object-group command in privileged EXEC mode.

show object-group [protocol | service | icmp-type | id object-group name]

Syntax Description

icmp-type	(Optional) An ICMP-type object group.
id	(Optional) Identifies the existing object group.
object-group name	(Optional) Assigns a given name to the object group.
protocol	(Optional) Protocol-type object group.
service	(Optional) Service-type object.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	—

Command History

Release	Modification
8.3(1)	This command was introduced.

Usage Guidelines

A routine attempt to show object groups also shows the object hit count if the object group is of the network object-group type. Hit counts do not display for service, protocol, and icmp-type object groups.

Examples

The following is sample output from the show object-group command and shows information about the network object group named "Anet":

hostname# show object-group id Anet

Object-group network Anet (hitcnt=10)  

   Description OBJ SEARCH ALG APPLIED

   network-object 1.1.1.0 255.255.255.0 (hitcnt=4)

   network-object 2.2.2.0 255.255.255.0 (hitcnt=6)

The following is sample output from the show object-group command and shows information about a service group:

hostname (config)# show object-group service

object-group service B-Serobj

   description its a service group

   service-object tcp eq bgp

   object-group protocol C-grp-proto

   protocol-object ospf

The following is sample output from the show object-group command and shows information about a protocol:

hostname (config)# show object-group protocol

object-group protocol C-grp-proto

   protocol-object ospf

Related Commands

Command	Description
clear object-group	Clears the network objects hit count for a given object group.
show access list	Shows all access lists, relevant expanded access list entries, and hit counts.

show ospf

To display the general information about the OSPF routing processes, use the show ospf command in privileged EXEC mode.

show ospf [pid [area_id]]

Syntax Description

area_id	(Optional) ID of the area that is associated with the OSPF address range.
pid	(Optional) The ID of the OSPF process.

Defaults

Lists all OSPF processes if no pid is specified.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.
9.0(1)	Multiple context mode is supported.

Usage Guidelines

If the pid is included, only information for the specified routing process is included.

Examples

The following is sample output from the show ospf command, showing how to display general information about a specific OSPF routing process:

hostname# show ospf 5

 Routing Process "ospf 5" with ID 127.0.0.1 and Domain ID 0.0.0.5

 Supports only single TOS(TOS0) routes

 Supports opaque LSA

 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs

 Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs

 Number of external LSA 0. Checksum Sum 0x     0

 Number of opaque AS LSA 0. Checksum Sum 0x     0

 Number of DCbitless external and opaque AS LSA 0

 Number of DoNotAge external and opaque AS LSA 0

 Number of areas in this router is 0. 0 normal 0 stub 0 nssa

 External flood list length 0

The following is sample output from the show ospf command, showing how to display general information about all OSPF routing processes:

hostname# show ospf

 Routing Process "ospf 5" with ID 127.0.0.1 and Domain ID 0.0.0.5

 Supports only single TOS(TOS0) routes

 Supports opaque LSA

 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs

 Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs

 Number of external LSA 0. Checksum Sum 0x     0

 Number of opaque AS LSA 0. Checksum Sum 0x     0

 Number of DCbitless external and opaque AS LSA 0

 Number of DoNotAge external and opaque AS LSA 0

 Number of areas in this router is 0. 0 normal 0 stub 0 nssa

 External flood list length 0

 Routing Process "ospf 12" with ID 172.23.59.232 and Domain ID 0.0.0.12

 Supports only single TOS(TOS0) routes

 Supports opaque LSA

 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs

 Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs

 Number of external LSA 0. Checksum Sum 0x     0

 Number of opaque AS LSA 0. Checksum Sum 0x     0

 Number of DCbitless external and opaque AS LSA 0

 Number of DoNotAge external and opaque AS LSA 0

 Number of areas in this router is 0. 0 normal 0 stub 0 nssa

 External flood list length 0

Related Commands

Command	Description
router ospf	Enables OSPF routing and configures global OSPF routing parameters.

show ospf border-routers

To display the internal OSPF routing table entries to ABRs and ASBRs, use the show ospf border-routers command in privileged EXEC mode.

show ospf border-routers

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.
9.0(1)	Multiple context mode is supported.

Examples

The following is sample output from the show ospf border-routers command:

hostname# show ospf border-routers

OSPF Process 109 internal Routing Table

Codes: i - Intra-area route, I - Inter-area route

i 192.168.97.53 [10] via 192.168.1.53, fifth, ABR, Area 0, SPF 20

i 192.168.103.51 [10] via 192.168.96.51, outside, ASBR, Area 192.168.12.0, SPF 14

i 192.168.103.52 [10] via 192.168.96.51, outside, ABR/ASBR, Area 192.168.12.0, SPF 14

Related Commands

Command	Description
router ospf	Enables OSPF routing and configures global OSPF routing parameters.

show ospf database

To display the information contained in the OSPF topological database on the ASA, use the show ospf database command in privileged EXEC mode.

show ospf [pid [area_id]] database [router | network | summary | asbr-summary | external | nssa-external] [lsid] [internal] [self-originate | adv-router addr]

show ospf [pid [area_id]] database database-summary

Syntax Description

addr	(Optional) Router address.
adv-router	(Optional) Advertised router.
area_id	(Optional) ID of the area that is associated with the OSPF address range.
asbr-summary	(Optional) Displays an ASBR list summary.
database	Displays the database information.
database-summary	(Optional) Displays the complete database summary list.
external	(Optional) Displays routes external to a specified autonomous system.
internal	(Optional) Routes that are internal to a specified autonomous system.
lsid	(Optional) LSA ID.
network	(Optional) Displays the OSPF database information about the network.
nssa-external	(Optional) Displays the external not-so-stubby-area list.
pid	(Optional) ID of the OSPF process.
router	(Optional) Displays the router.
self-originate	(Optional) Displays the information for the specified autonomous system.
summary	(Optional) Displays a summary of the list.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.
9.0(1)	Multiple context mode is supported.

Usage Guidelines

The OSPF routing-related show commands are available in privileged mode on the ASA. You do not need to be in an OSPF configuration mode to use the OSPF-related show commands.

Examples

The following is sample output from the show ospf database command:

hostname# show ospf database

OSPF Router with ID(192.168.1.11) (Process ID 1)

                 Router Link States(Area 0)

Link ID   ADV Router   Age   Seq# Checksum Link count

192.168.1.8 192.168.1.8 1381 0x8000010D    0xEF60 2

192.168.1.11 192.168.1.11 1460 0x800002FE    0xEB3D 4

192.168.1.12 192.168.1.12 2027 0x80000090    0x875D 3

192.168.1.27 192.168.1.27 1323 0x800001D6    0x12CC 3

                 Net Link States(Area 0)

Link ID ADV Router   Age   Seq# Checksum

172.16.1.27 192.168.1.27 1323 0x8000005B    0xA8EE

172.17.1.11 192.168.1.11 1461 0x8000005B    0x7AC

                 Type-10 Opaque Link Area Link States (Area 0)

Link ID ADV Router   Age Seq# Checksum Opaque ID

10.0.0.0 192.168.1.11 1461 0x800002C8    0x8483   0

10.0.0.0 192.168.1.12 2027 0x80000080    0xF858   0

10.0.0.0 192.168.1.27 1323 0x800001BC    0x919B   0

10.0.0.1 192.168.1.11 1461 0x8000005E    0x5B43   1

The following is sample output from the show ospf database asbr-summary command:

hostname# show ospf database asbr-summary

OSPF Router with ID(192.168.239.66) (Process ID 300)

Summary ASB Link States(Area 0.0.0.0)

Routing Bit Set on this LSA

LS age: 1463

Options: (No TOS-capability)

LS Type: Summary Links(AS Boundary Router)

Link State ID: 172.16.245.1 (AS Boundary Router address)

Advertising Router: 172.16.241.5

LS Seq Number: 80000072

Checksum: 0x3548

Length: 28

Network Mask: 0.0.0.0 

TOS: 0 Metric: 1 

The following is sample output from the show ospf database router command:

hostname# show ospf database router

OSPF Router with id(192.168.239.66) (Process ID 300)

Router Link States(Area 0.0.0.0)

Routing Bit Set on this LSA

LS age: 1176

Options: (No TOS-capability)

LS Type: Router Links

Link State ID: 10.187.21.6

Advertising Router: 10.187.21.6

LS Seq Number: 80002CF6

Checksum: 0x73B7

Length: 120

AS Boundary Router

Number of Links: 8

Link connected to: another Router (point-to-point)

(link ID) Neighboring Router ID: 10.187.21.5

(Link Data) Router Interface address: 10.187.21.6

Number of TOS metrics: 0

TOS 0 Metrics: 2 

The following is sample output from the show ospf database network command:

hostname# show ospf database network

OSPF Router with id(192.168.239.66) (Process ID 300)

Displaying Net Link States(Area 0.0.0.0)

LS age: 1367

Options: (No TOS-capability)

LS Type: Network Links

Link State ID: 10.187.1.3 (address of Designated Router)

Advertising Router: 192.168.239.66

LS Seq Number: 800000E7

Checksum: 0x1229

Length: 52

Network Mask: 255.255.255.0

Attached Router: 192.168.239.66

Attached Router: 10.187.241.5

Attached Router: 10.187.1.1

Attached Router: 10.187.54.5

Attached Router: 10.187.1.5

The following is sample output from the show ospf database summary command:

hostname# show ospf database summary

OSPF Router with id(192.168.239.66) (Process ID 300)

Displaying Summary Net Link States(Area 0.0.0.0)

LS age: 1401

Options: (No TOS-capability)

LS Type: Summary Links(Network)

Link State ID: 10.187.240.0 (summary Network Number)

Advertising Router: 10.187.241.5

LS Seq Number: 80000072

Checksum: 0x84FF

Length: 28

Network Mask: 255.255.255.0 TOS: 0 Metric: 1

The following is sample output from the show ospf database external command:

hostname# show ospf database external

OSPF Router with id(192.168.239.66) (Autonomous system 300)

                   Displaying AS External Link States

LS age: 280

Options: (No TOS-capability)

LS Type: AS External Link

Link State ID: 172.16.0.0 (External Network Number)

Advertising Router: 10.187.70.6

LS Seq Number: 80000AFD

Checksum: 0xC3A

Length: 36

Network Mask: 255.255.0.0

      Metric Type: 2 (Larger than any link state path)

TOS: 0

Metric: 1

Forward Address: 0.0.0.0

External Route Tag: 0

Related Commands

Command	Description
router ospf	Enables OSPF routing and configures global OSPF routing parameters.

show ospf flood-list

To display a list of OSPF LSAs waiting to be flooded over an interface, use the show ospf flood-list command in privileged EXEC mode.

show ospf flood-list interface_name

Syntax Description

interface_name

The name of the interface for which to display neighbor information.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.
9.0(1)	Multiple context mode is supported.

Usage Guidelines

The OSPF routing-related show commands are available in privileged mode on the ASA. You do not need to be in an OSPF configuration mode to use the OSPF-related show commands.

Examples

The following is sample output from the show ospf flood-list command:

hostname# show ospf flood-list outside

  Interface outside, Queue length 20

  Link state flooding due in 12 msec

  Type  LS ID          ADV RTR          Seq NO       Age   Checksum

     5  10.2.195.0     192.168.0.163    0x80000009   0     0xFB61

     5  10.1.192.0     192.168.0.163    0x80000009   0     0x2938

     5  10.2.194.0     192.168.0.163    0x80000009   0     0x757

     5  10.1.193.0     192.168.0.163    0x80000009   0     0x1E42

     5  10.2.193.0     192.168.0.163    0x80000009   0     0x124D

     5  10.1.194.0     192.168.0.163    0x80000009   0     0x134C

Related Commands

Command	Description
router ospf	Enables OSPF routing and configures global OSPF routing parameters.

show ospf interface

To display the OSPF-related interface information, use the show ospf interface command in privileged EXEC mode.

show ospf interface [interface_name]

Syntax Description

interface_name

(Optional) Name of the interface for which to display the OSPF-related information.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.
9.0(1)	Multiple context mode is supported.

Usage Guidelines

When used without the interface_name argument, the OSPF information for all interfaces is shown.

Examples

The following is sample output from the show ospf interface command:

hostname# show ospf interface inside

inside is up, line protocol is up

Internet Address 192.168.254.202, Mask 255.255.255.0, Area 0.0.0.0

AS 201, Router ID 192.77.99.1, Network Type BROADCAST, Cost: 10

Transmit Delay is 1 sec, State OTHER, Priority 1

Designated Router id 192.168.254.10, Interface address 192.168.254.10

Backup Designated router id 192.168.254.28, Interface addr 192.168.254.28

Timer intervals configured, Hello 10, Dead 60, Wait 40, Retransmit 5

Hello due in 0:00:05

Neighbor Count is 8, Adjacent neighbor count is 2

  Adjacent with neighbor 192.168.254.28 (Backup Designated Router)

  Adjacent with neighbor 192.168.254.10 (Designated Router) 

Related Commands

Command	Description
interface	Enters interface configuration mode.

show ospf neighbor

To display the OSPF-neighbor information on a per-interface basis, use the show ospf neighbor command in privileged EXEC mode.

show ospf neighbor [detail | interface_name [nbr_router_id]]

Syntax Description

detail	(Optional) Lists detail information for the specified router.
interface_name	(Optional) Name of the interface for which to display neighbor information.
nbr_router_id	(Optional) Router ID of the neighbor router.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.
9.0(1)	Multiple context mode is supported.

Examples

The following is sample output from the show ospf neighbor command. It shows how to display the OSPF-neighbor information on a per-interface basis.

hostname# show ospf neighbor outside 

Neighbor 192.168.5.2, interface address 10.225.200.28

    In the area 0 via interface outside

    Neighbor priority is 1, State is FULL, 6 state changes

    DR is 10.225.200.28 BDR is 10.225.200.30

    Options is 0x42

    Dead timer due in 00:00:36

    Neighbor is up for 00:09:46

  Index 1/1, retransmission queue length 0, number of retransmission 1

    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)

    Last retransmission scan length is 1, maximum is 1

    Last retransmission scan time is 0 msec, maximum is 0 msec 

Related Commands

Command	Description
neighbor	Configures OSPF routers interconnecting to non-broadcast networks.
router ospf	Enables OSPF routing and configures global OSPF routing parameters.

show ospf request-list

To display a list of all LSAs that are requested by a router, use the show ospf request-list command in privileged EXEC mode.

show ospf request-list nbr_router_id interface_name

Syntax Description

interface_name	Name of the interface for which to display neighbor information. Displays the list of all LSAs that are requested by the router from this interface.
nbr_router_id	Router ID of the neighbor router. Displays the list of all LSAs that are requested by the router from this neighbor.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.
9.0(1)	Multiple context mode is supported.

Examples

The following is sample output from the show ospf request-list command:

hostname# show ospf request-list 192.168.1.12 inside

          OSPF Router with ID (192.168.1.11) (Process ID 1)

  Neighbor 192.168.1.12, interface inside address 172.16.1.12

  Type   LS ID          ADV RTR        Seq NO       Age   Checksum

     1   192.168.1.12   192.168.1.12   0x8000020D   8     0x6572

Related Commands

Command	Description
show ospf retransmission-list	Displays a list of all LSAs waiting to be resent.

show ospf retransmission-list

To display a list of all LSAs waiting to be resent, use the show ospf retransmission-list command in privileged EXEC mode.

show ospf retransmission-list nbr_router_id interface_name

Syntax Description

interface_name	Name of the interface for which to display neighbor information.
nbr_router_id	Router ID of the neighbor router.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.
9.0(1)	Multiple context mode is supported.

Usage Guidelines

The OSPF routing-related show commands are available in privileged mode on the ASA. You do not need to be in an OSPF configuration mode to use the OSPF-related show commands.

The nbr_router_id argument displays the list of all LSAs that are waiting to be resent for this neighbor.

The interface_name argument displays the list of all LSAs that are waiting to be resent for this interface.

Examples

The following is sample output from the show ospf retransmission-list command, where the nbr_router_id argument is 192.168.1.11 and the if_name argument is outside:

hostname# show ospf retransmission-list 192.168.1.11 outside

          OSPF Router with ID (192.168.1.12) (Process ID 1)

  Neighbor 192.168.1.11, interface outside address 172.16.1.11

  Link state retransmission due in 3764 msec, Queue length 2

  Type   LS ID          ADV RTR        Seq NO       Age   Checksum

     1   192.168.1.12   192.168.1.12   0x80000210   0     0xB196

Related Commands

Command	Description
show ospf request-list	Displays a list of all LSAs that are requested by a router.

show ospf summary-address

To display a list of all summary address redistribution information that is configured under an OSPF process, use the show ospf summary-address command in privileged EXEC mode.

show ospf summary-address

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.
9.0(1)	Multiple context mode is supported.

Examples

The following shows sample output from the show ospf summary-address command. It shows how to display a list of all summary address redistribution information before a summary address has been configured for an OSPF process with the ID of 5.

hostname# show ospf 5 summary-address

OSPF Process 2, Summary-address

10.2.0.0/255.255.0.0 Metric -1, Type 0, Tag 0

10.2.0.0/255.255.0.0 Metric -1, Type 0, Tag 10

Related Commands

Command	Description
summary-address	Creates aggregate addresses for OSPF.

show ospf traffic

To display a list of different types of packets that have been processed (sent or received) by a particular OSPF instance, use the show ospf traffic command in privileged EXEC mode. With this command, you can get a snapshot of the different types of OSPF packets that are being being processed without enabling debugging. If there are two OSPF instances configured, the show ospf traffic command displays the statistics for both instances with the process ID of each instance. You can also display the statistics for a single instance by using the show ospf process_id traffic command.

show ospf traffic

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	•	—

Command History

Release	Modification
9.0(1)	This command was introduced.

Usage Guidelines

With this command, you can get a snapshot of the different types of OSPF packets that are being being processed without enabling debugging. If there are two OSPF instances configured, the show ospf traffic command displays the statistics for both instances with the process ID of each instance. You can also display the statistics for a single instance by using the show ospf process_id traffic command.

Examples

The following shows sample output from the show ospf traffic command.

hostname# show ospf traffic

OSPF statistics (Process ID 70):

       Rcvd: 244 total, 0 checksum errors

             234 hello, 4 database desc, 1 link state req

             3 link state updates, 2 link state acks

       Sent: 485 total

             472 hello, 7 database desc, 1 link state req

             3 link state updates, 2 link state acks

Related Commands

Command	Description
show ospf virtual-links	Displays the parameters and the current state of OSPF virtual links.

show ospf virtual-links

To display the parameters and the current state of OSPF virtual links, use the show ospf virtual-links command in privileged EXEC mode.

show ospf virtual-links

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.
9.0(1)	Multiple context mode is supported.

Examples

The following is sample output from the show ospf virtual-links command:

hostname# show ospf virtual-links

Virtual Link to router 192.168.101.2 is up

Transit area 0.0.0.1, via interface Ethernet0, Cost of using 10

Transmit Delay is 1 sec, State POINT_TO_POINT

Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5

Hello due in 0:00:08

Adjacency State FULL 

Related Commands

Command	Description
area virtual-link	Defines an OSPF virtual link.