Cisco ASA - Troubleshooting Basic Traffic Flow


Raj.6.kumar@bt.com



Let's look at the diagram below. A Cisco ASA has two interfaces, inside and outside.

Problem: PC-A is not able to SSH to PC-B.

How to troubleshoot?

If you do not have live traffic, start from the ASA. The ASA has a packet-tracer tool that can simulate a traffic flow for us:

packet-tracer input <ingress_interface> <protocol> <source_ip> <source_port|icmp_type icmp_code> <destination_ip> <destination_port> detailed

To test our traffic, the exact command will be:

packet-tracer input inside tcp 192.168.1.2 23456 192.168.5.2 22 detailed

It first checks whether there is an existing connection in the connection table. Since this is the first packet of the communication, there is no entry in the conn table, so the ASA then checks the interface ACL. If an ACL entry denies the traffic, packet-tracer shows the result as "Dropped", and we know where the problem is.

But if the ACL allows the traffic and the complete packet flow passes, then everything is good on the ASA and the problem is somewhere else. To figure it out we now need live traffic.

Once live traffic is running, take a capture.

Apply a capture on the ingress interface "inside":

capture <name_of_capture> interface <name_of_interface> match <protocol> <host_1/network> <host_2/network>

To capture the traffic between two hosts, 192.168.1.2 and 192.168.5.2:


capture capin interface inside match ip host 192.168.1.2 host 192.168.5.2

To capture traffic between 192.168.1.2 and 192.168.5.0/24:

capture capin interface inside match ip host 192.168.1.2 192.168.5.0 255.255.255.0

To capture only TCP port 389 traffic between 192.168.1.2 and 192.168.5.2:

capture capin interface inside match tcp host 192.168.1.2 host 192.168.5.2 eq 389

To capture any ICMP traffic:

capture capin interface inside match icmp any any

How to see the capture?

show capture <name_of_the_capture>
show capture capin

This shows all the packets that have been captured in this capture. Let's say you have applied a capture for any any and would like to see whether one particular IP has been captured or not; then:

show capture capin | in 192.1.2.2

It will show any packets for 192.1.2.2.


Where are these captures stored?

These captures are stored in buffer memory. You can also export them and open them in Wireshark.

You can export them using a browser:

https://<ip_address_of_asa>/capture/<capname>/pcap

Example: https://192.168.1.1/capture/capin/pcap

You can also send the capture to a TFTP server or save it to flash:

copy /pcap capture: flash:

ASA# copy /pcap capture: flash:


Source capture name [!capin]? capin
Destination filename [capin]? capin.pcap
!!!!!!!!!!!!
332 packets copied in 0.10 secs

ASA# sh flash: | in capin.pcap


778 45450 Dec 07 2018 07:24:10 capin.pcap

Let's say you have applied two captures, one on the inside interface and the other on the outside interface.

If you can see the traffic in the inside capture but not in the outside capture, the ASA is dropping it for some reason. Now we need to find out why it is being dropped.
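The following Python script is an added illustration, not part of the original notes. It does offline what the "show capture capin | in <ip>" filter and the inside-versus-outside comparison above do by hand: it parses the tcpdump-style lines of show capture output into records, filters them by address (matching the address fields only, so unlike "| in 192.1.2.2" it does not also match 192.1.2.20), and lists the flows present in the inside capture that never appear in the outside capture. It also recognises the trailing "Drop-reason: (...)" that asp-drop capture lines carry. The three captures embedded in it are constructed for the example, and the comparison assumes no NAT between the two interfaces.

```python
"""Parse Cisco ASA 'show capture <name>' output and correlate two captures.

Added example, not from the original notes. The sample captures below are
constructed in the ASA's tcpdump-style listing format, not real device output.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# One packet line: "<n>: <hh:mm:ss.usec> <src>[.<sport>] > <dst>[.<dport>]: <info>"
PKT_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s+(?P<info>.*)$"
)
# asp-drop capture lines end with "Drop-reason: (<code>) <text>"
DROP_RE = re.compile(r"Drop-reason:\s*\((?P<code>[^)]+)\)")

Flow = Tuple[str, Optional[int], str, Optional[int]]


@dataclass(frozen=True)
class Packet:
    idx: int
    time: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    info: str
    drop_reason: Optional[str]  # set only on asp-drop capture lines

    def flow(self) -> Flow:
        return (self.src, self.sport, self.dst, self.dport)


def parse_show_capture(text: str) -> List[Packet]:
    """Turn 'show capture <name>' text into Packet records.
    Header/footer lines ("N packets captured/shown") do not match and are skipped."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        drop = DROP_RE.search(m.group("info"))
        packets.append(Packet(
            idx=int(m.group("idx")),
            time=m.group("time"),
            src=m.group("src"),
            sport=int(m.group("sport")) if m.group("sport") else None,
            dst=m.group("dst"),
            dport=int(m.group("dport")) if m.group("dport") else None,
            info=m.group("info"),
            drop_reason=drop.group("code") if drop else None,
        ))
    return packets


def filter_by_host(packets: List[Packet], ip: str) -> List[Packet]:
    """Like 'show capture capin | in <ip>', but matches whole addresses only."""
    return [p for p in packets if ip in (p.src, p.dst)]


def flows_missing_on_egress(inside: List[Packet], outside: List[Packet]) -> Set[Flow]:
    """Flows seen on the ingress capture that never show up on the egress capture.
    Assumes no NAT between the interfaces; with NAT, compare translated addresses."""
    seen_outside = {p.flow() for p in outside}
    return {p.flow() for p in inside} - seen_outside


# --- constructed sample output (not from a real ASA) ----------------------
INSIDE_CAPTURE = """\
4 packets captured

   1: 07:24:10.118524       192.168.1.2.23456 > 192.168.5.2.22: S 1021340711:1021340711(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
   2: 07:24:10.120000       192.168.1.2.40001 > 192.168.5.3.443: S 558021:558021(0) win 8192 <mss 1460,sackOK>
   3: 07:24:10.121000       192.168.1.2 > 192.168.5.2: icmp: echo request
   4: 07:24:13.118600       192.168.1.2.23456 > 192.168.5.2.22: S 1021340711:1021340711(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
4 packets shown
"""
OUTSIDE_CAPTURE = """\
2 packets captured

   1: 07:24:10.120030       192.168.1.2.40001 > 192.168.5.3.443: S 558021:558021(0) win 8192 <mss 1460,sackOK>
   2: 07:24:10.121020       192.168.1.2 > 192.168.5.2: icmp: echo request
2 packets shown
"""
ASP_DROP_CAPTURE = """\
1 packet captured

   1: 07:24:10.118530       192.168.1.2.23456 > 192.168.5.2.22: S 1021340711:1021340711(0) win 8192 <mss 1460> Drop-reason: (acl-drop) Flow is denied by configured rule
1 packet shown
"""

if __name__ == "__main__":
    inside = parse_show_capture(INSIDE_CAPTURE)
    outside = parse_show_capture(OUTSIDE_CAPTURE)
    for p in filter_by_host(inside, "192.168.5.2"):
        print(f"inside #{p.idx} {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.info[:24]}")
    print("seen inside, never seen outside:", flows_missing_on_egress(inside, outside))
    for p in parse_show_capture(ASP_DROP_CAPTURE):
        print(f"asp-drop #{p.idx} {p.src}:{p.sport} -> {p.dst}:{p.dport} reason={p.drop_reason}")
```

In the constructed data the HTTPS and ICMP flows appear on both interfaces, while the SSH SYN (retransmitted once) is only ever seen on the inside, which is exactly the "inside but not outside" case the notes describe. Paste the real "show capture" text in place of the sample strings to run it against a live device.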

Run "show asp drop" and check which drop counter is increasing. If the numbers are very high and you cannot tell which one is changing, clear the counters with "clear asp drop" and run "show asp drop" again. This gives you an idea of the reason packets are being dropped.

It does not tell you exactly whether your packet was dropped, but looking at the counters gives you an idea.
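The following Python script is an added illustration, not part of the original notes. It parses two "show asp drop" snapshots and reports which counters increased between them, largest increase first, which gives the same answer as the clear-and-rerun approach above without having to clear the counters (and so without losing the history). The two snapshots embedded in it are constructed in the ASA output format (description, reason name in parentheses, count) and are not real device output.

```python
"""Diff two 'show asp drop' snapshots from a Cisco ASA to see which counters moved.

Added example, not from the original notes. The snapshots below are constructed
in the ASA output format, not real device output.
"""
import re
from typing import Dict, List, Tuple

SECTION_RE = re.compile(r"^(?P<section>\w+ drop):\s*$")  # "Frame drop:" / "Flow drop:"
# "  <description> (<reason-name>) <count>"
COUNTER_RE = re.compile(r"^\s+(?P<desc>.+?)\s+\((?P<name>[\w-]+)\)\s+(?P<count>\d+)\s*$")

Key = Tuple[str, str]               # (section, reason name)
Delta = Tuple[str, str, str, int]   # (section, reason name, description, increase)


def parse_asp_drop(text: str) -> Dict[Key, Tuple[str, int]]:
    """Map (section, reason) -> (description, count); 'Last clearing' lines are ignored."""
    counters: Dict[Key, Tuple[str, int]] = {}
    section = "unknown"
    for line in text.splitlines():
        s = SECTION_RE.match(line)
        if s:
            section = s.group("section")
            continue
        m = COUNTER_RE.match(line)
        if m:
            counters[(section, m.group("name"))] = (m.group("desc"), int(m.group("count")))
    return counters


def counter_deltas(before: Dict[Key, Tuple[str, int]],
                   after: Dict[Key, Tuple[str, int]]) -> List[Delta]:
    """Counters that rose between the snapshots, largest increase first.
    The ASA only lists non-zero counters, so one missing from 'before' starts at 0."""
    deltas: List[Delta] = []
    for key, (desc, count) in after.items():
        prev = before.get(key, (desc, 0))[1]
        if count > prev:
            deltas.append((key[0], key[1], desc, count - prev))
    return sorted(deltas, key=lambda d: d[3], reverse=True)


# --- constructed sample output (not from a real ASA) ----------------------
SNAPSHOT_BEFORE = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                           2231
  First TCP packet not SYN (tcp-not-syn)                                   95
  No valid adjacency (no-adjacency)                                         3

Last clearing: 07:20:11 UTC Dec 7 2018 by admin

Flow drop:
  Inspection failure (inspect-fail)                                        12

Last clearing: 07:20:11 UTC Dec 7 2018 by admin
"""
SNAPSHOT_AFTER = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                           2246
  First TCP packet not SYN (tcp-not-syn)                                   95
  No valid adjacency (no-adjacency)                                         3
  Interface is down (interface-down)                                        1

Last clearing: 07:20:11 UTC Dec 7 2018 by admin

Flow drop:
  Inspection failure (inspect-fail)                                        12

Last clearing: 07:20:11 UTC Dec 7 2018 by admin
"""

if __name__ == "__main__":
    before = parse_asp_drop(SNAPSHOT_BEFORE)
    after = parse_asp_drop(SNAPSHOT_AFTER)
    for section, name, desc, inc in counter_deltas(before, after):
        print(f"+{inc:>6}  {section:<10} {name:<20} {desc}")
```

Take the first snapshot, let the user generate the failing traffic, take the second, and only the counters that moved are printed; in the constructed data that is acl-drop (+15) and a counter that did not exist in the first snapshot at all.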

To see whether your packet was dropped, apply an asp-drop capture:

capture asp type asp-drop all circular-buffer

"asp" is the name of the capture.

"circular-buffer" makes sure your latest traffic is captured, with the buffer continuously overwriting older packets. You will need to be really quick to look at this capture, because the ASA drops a lot of traffic.

Say you want to see whether traffic destined to 192.168.5.2 is being dropped or not. You will need live traffic for this: ask the user to keep live traffic running, then check:

sh cap asp | in 192.168.5.2

Run this command several times, quickly. It shows whether your traffic is being dropped or not, with the exact source and destination IP.

Stay tuned for more…..

