Firewall commands - debug
Debug packets or ICMP tracings through the firewall. The debug command provides information which helps troubleshoot protocols operating with and through the firewall. (Configuration mode.)
[no] debug crypto ca [level]
[no] debug crypto ipsec [level]
[no] debug crypto isakmp [level]
[no] debug dhcpc detail | error | packet
[no] debug dhcpd event | packet
[no] debug fover option
[no] debug h323 h225 [asn | event]
[no] debug h323 h245 [asn | event]
[no] debug h323 ras [asn | event]
[no] debug icmp trace
[no] debug packet if_name [src source_ip [netmask mask]] [dst dest_ip [netmask mask]] [[proto icmp] | [proto tcp [sport src_port] [dport dest_port]] | [proto udp [sport src_port] [dport dest_port]]] [rx | tx | both]
[no] debug pdm history
[no] debug ppp error | io | uauth | upap | chap | negotiation
[no] debug rip
[no] debug rtsp
[no] debug sip
[no] debug sqlnet
[no] debug ssh
[no] debug ssl [cypher | device]
[no] debug vpdn event | error | packet
show debug
Syntax Description
crypto ca
Display information about certification authority (CA) traffic.
level
The level of debugging feedback. The higher the level number, the more information is displayed. The default level is 1. The levels correspond to the following events:
- Level 1: Interesting events
- Level 2: Normative and interesting events
- Level 3: Diminutive, normative, and interesting events
Refer to the "Examples" section at the end of this command page for an example of how the debugging level appears within the show debug command.
crypto ipsec
crypto isakmp
dhcpc detail
Display detailed information about the DHCP client packets.
dhcpc error
Display error messages associated with the DHCP client.
dhcpc packet
Display packet information associated with the DHCP client.
dhcpd event
Display event information associated with the DHCP server.
dhcpd packet
Display packet information associated with the DHCP server.
fover option
Display firewall information.
h323
Display information about the packet-based multimedia communications systems standard.
h225 asn
Display the output of the decoded PDUs.
h225 events
Display the events of the H.225 signalling, or turn both traces on.
h245 asn
Display the output of the decoded PDUs.
h245 events
Display the events of the H.245 signalling, or turn both traces on.
ras asn
Display the output of the decoded PDUs.
ras events
Display the events of the RAS signalling, or turn both traces on.
packet
Display packet information.
if_name
Interface name from which the packets are arriving; for example, to monitor packets coming into the firewall from the outside, set if_name to outside.
src source_ip
Source IP address.
netmask mask
Network mask.
dst dest_ip
Destination IP address.
proto icmp
Display ICMP packets only.
proto tcp
Display TCP packets only.
sport src_port
Source port.
dport dest_port
Destination port.
proto udp
Display UDP packets only.
rx
Display only packets received at the firewall.
tx
Display only packets that were transmitted from the firewall.
both
Display both received and transmitted packets.
pdm history
Turns on the PDM history metrics debugging information. The no version of this command disables PDM history metrics debugging.
sqlnet
Debug SQL*Net traffic.
ppp
Debug L2TP or PPTP traffic, which is configured with the vpdn command.
ppp error
ppp io
Display the packet information for L2TP or PPTP PPP virtual interface.
ppp uauth
Display the L2TP or PPTP PPP virtual interface AAA user authentication debugging messages.
upap
Display PAP authentication.
chap
Display CHAP/MS-CHAP authentication.
negotiation
Equivalent of the error, uauth, upap and chap debug command options.
sip
Debug the fixup protocol Session Initiation Protocol (SIP) module.
ssh
Debug information and error messages associated with the ssh command.
ssl
Debug information and error messages associated with the ssl command.
cypher
Display information about the cipher negotiation between the HTTP server and the client.
device
Display information about the SSL device including session initiation and ongoing status.
vpdn event
vpdn error
Usage Guidelines
The debug command lets you view debug information. The show debug command displays the current state of tracing. You can debug the contents of network layer protocol packets with the debug packet command.
When creating the digital certificates, use the debug crypto ca command to ensure that the certificate is created correctly. Important error messages only display when the debug crypto ca command is enabled. For example, if you enter an Entrust fingerprint value incorrectly, the only warning message that indicates the value is incorrect appears in the debug crypto ca command output.
Output from the debug crypto ipsec and debug crypto isakmp commands does not display in a Telnet console session.
The debug dhcpc detail command displays detailed packet information about the DHCP client. The debug dhcpc error command displays DHCP client error messages. The debug dhcpc packet command displays packet information about the DHCP client. Use the no form of the debug dhcpc command to disable debugging.
The debug dhcpd event command displays event information about the DHCP server. The debug dhcpd packet command displays packet information about the DHCP server. Use the no form of the debug dhcpd commands to disable debugging.
The debug h323 command allows you to debug H.323 connections. Use the no form of the command to disable debugging. This command works when the fixup protocol h323 command is enabled.
The debug h323 command, particularly the debug h323 h225 asn, debug h323 h245 asn, and debug h323 ras asn commands, might delay the sending of messages and cause slower performance in a real-time environment.
The debug icmp trace command shows ICMP packet information, the source IP address, and the destination address of packets arriving, departing, and traversing the firewall including pings to the firewall unit's own interfaces.
The debug sqlnet command reports on traffic between Oracle SQL*Net clients and servers through the firewall.
The debug ssh command reports on information and error messages associated with the ssh command.
The debug ppp and debug vpdn commands provide information about PPTP traffic. PPTP is configured with the vpdn command.
Use of the debug commands can slow down busy networks.
debug fover command Options
Option Description
cable
Failover cable status
fail
Failover internal exception
fmsg
Failover message
get
IP network packet received
ifc
Network interface status trace
open
Failover device open
put
IP network packet transmitted
rx
Failover cable receive
rxdmp
Cable recv message dump (serial console only)
rxip
tx
Failover cable transmit
txdmp
Cable xmit message dump (serial console only)
txip
verify
Failover message verify
switch
Failover Switching status
Trace Channel Feature
The debug packet command sends its output to the Trace Channel. All other debug commands do not. Use of Trace Channel changes the way you can view output on the screen during a firewall console or Telnet session.
If a debug command does not use Trace Channel, each session operates independently, which means any commands started in the session only appear in that session. A session not using Trace Channel has output disabled by default.
The location of the Trace Channel depends on whether you have a simultaneous Telnet console session running at the same time as the console session, or if you are using only the firewall serial console:
- If you are only using the firewall serial console, all debug commands display on the serial console.
- If you have both a serial console session and a Telnet console session accessing the console, then no matter where you enter the debug commands, the output displays on the Telnet console session.
- If you have two or more Telnet console sessions, the first session is the Trace Channel. If that session closes, the serial console session becomes the Trace Channel. The next Telnet console session that accesses the console will then become the Trace Channel.
The debug commands, except the debug crypto commands, are shared between all Telnet and serial console sessions.
The downside of the Trace Channel feature is that if one administrator is using the serial console and another administrator starts a Telnet console session, the serial console debug command output will suddenly stop without warning. In addition, the administrator on the Telnet console session will suddenly be viewing debug command output, which may be unexpected. If you are using the serial console and debug command output is not appearing, use the who command to see if a Telnet console session is running.
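To make the session rules above concrete, here is a small Python model (an added illustration, not firewall code) of which session holds the Trace Channel as Telnet sessions open and close. It assumes the serial console is always present and that only a newly opened Telnet session can take the channel back from the serial console.

```python
class TraceChannel:
    """Models which console session receives Trace Channel output under the
    rules described above. Hypothetical helper, not firewall code: the serial
    console is assumed to be always present."""

    SERIAL = "serial"

    def __init__(self):
        self.telnet = []             # open Telnet sessions, in connection order
        self.channel = self.SERIAL   # serial console alone owns the channel

    def open_telnet(self, name):
        """A new Telnet session is recorded; it takes the channel only if the
        serial console currently holds it. Returns the current holder."""
        self.telnet.append(name)
        if self.channel == self.SERIAL:
            self.channel = name      # serial console output stops here
        return self.channel

    def close_telnet(self, name):
        """When the holder closes, output returns to the serial console until
        the next Telnet session accesses the console. Returns the holder."""
        self.telnet.remove(name)
        if self.channel == name:
            self.channel = self.SERIAL
        return self.channel

    def holder(self):
        return self.channel
```

The sequence "serial only, first Telnet, second Telnet, first Telnet closes, third Telnet opens" reproduces the surprise the text describes: the serial console loses and regains output without any action of its own.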
Use of the debug packet command on a firewall experiencing a heavy load may result in the output displaying so fast that it may be impossible to stop the output by entering the no debug packet command from the console. You can enter the no debug packet command from a Telnet session.
To let users ping through the firewall, add the access-list acl_grp permit icmp any any command statement to the configuration and bind it to each interface you want to test with the access-group command. This lets pings go outbound and inbound.
To stop a debug packet trace command, enter the following command:
no debug packet if_name
Replace if_name with the name of the interface; for example, inside, outside, or a perimeter interface name.
To stop a debug icmp trace command, enter the following command:
no debug icmp trace
Examples
The following is partial sample output from the debug dhcpc packet and the debug dhcpc detail commands. The ip address dhcp setroute command was configured after entering the debug dhcpc commands to obtain debugging information.
debug dhcpc packet
debug dhcpc detail
ip address outside dhcp setroute
DHCP:allocate request
DHCP:new entry. add to queue
DHCP:new ip lease str = 0x80ce8a28
DHCP:SDiscover attempt # 1 for entry:
Temp IP addr:0.0.0.0 for peer on Interface:outside
Temp sub net mask:0.0.0.0
DHCP Lease server:0.0.0.0, state:1 Selecting
DHCP transaction id:0x8931
Lease:0 secs, Renewal:0 secs, Rebind:0 secs
Next timer fires after:2 seconds
Retry count:1 Client-ID:cisco-0000.0000.0000-outside
DHCP:SDiscover:sending 265 byte length DHCP packet
DHCP:SDiscover 265 bytes
DHCP Broadcast to 255.255.255.255 from 0.0.0.0
DHCP client msg received, fip=10.3.2.2, fport=67
DHCP:Received a BOOTREP pkt
DHCP:Scan:Message type:DHCP Offer
DHCP:Scan:Server ID Option:10.1.1.69 = 450A44AB
DHCP:Scan:Server ID Option:10.1.1.69 = 450A44AB
DHCP:Scan:Lease Time:259200
DHCP:Scan:Subnet Address Option:255.255.254.0
DHCP:Scan:DNS Name Server Option:10.1.1.70, 10.1.1.140
DHCP:Scan:Domain Name:example.com
DHCP:Scan:NBNS Name Server Option:10.1.2.228, 10.1.2.87
DHCP:Scan:Router Address Option:10.3.2.1
DHCP:rcvd pkt source:10.3.2.2, destination: 255.255.255.255
...
The following example executes the debug icmp trace command:
debug icmp trace
When you ping a host through the firewall from any interface, trace output displays on the console. The following example shows a successful ping from an external host (209.165.201.2) to the firewall unit's outside interface (209.165.201.1).
Inbound ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 512) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 768) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 768) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 1024) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 1024) 209.165.201.1 > 209.165.201.2
no debug icmp trace
ICMP trace off
This example shows that the ICMP packet length is 32 bytes, the ICMP packet identifier is 1, and the ICMP sequence number changes with each request. The ICMP sequence number starts at 0 and is incremented each time a request is sent.
The following is sample output from the show debug command output:
show debug
debug ppp error
debug vpdn event
debug crypto ipsec 1
debug crypto isakmp 1
debug crypto ca 1
debug icmp trace
debug packet outside both
debug sqlnet
The preceding sample output includes the debug crypto commands.
You can debug the contents of packets with the debug packet command:
debug packet inside
--------- PACKET -----------
-- IP --
4.3.2.1 ==> 255.3.2.1
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x60
id = 0x3902 flags = 0x0 frag off=0x0
ttl = 0x20 proto=0x11 chksum = 0x5885
-- UDP --
source port = 0x89 dest port = 0x89
len = 0x4c checksum = 0xa6a0
-- DATA --
00000014: 00 01 00 00| ....
00000024: 00 00 00 01 20 45 49 45 50 45 47 45 47 45 46 46| .... EIEPEGEGEFF
00000034: 43 43 4e 46 41 45 44 43 41 43 41 43 41 43 41 43| CCNFAEDCACACACAC
00000044: 41 43 41 41 41 00 00 20 00 01 c0 0c 00 20 00 01| ACAAA.. ..... ..
00000054: 00 04 93 e0 00 06 60 00 01 02 03 04 00| ......\Q......
--------- END OF PACKET ---------
This display lists the information as it appears in a packet.
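As an added example that is not part of the original reference, this Python parses one debug packet display in the format shown above into its IP and UDP header fields and data bytes, then cross-checks them the way an analyst reads a dump: hlen is in 32-bit words, proto 0x11 is UDP, IP total length minus the IP header must equal the UDP length, and the hex rows should account for the UDP length minus the 8-byte UDP header. The sample is this page's dump re-typed one field group per line; its rows show 65 of the 68 payload bytes the UDP length implies, which the check reports.

```python
import re
# Constructed sample: this page's debug packet dump, re-typed one field group per line.
SAMPLE_DUMP = """\
--------- PACKET -----------
-- IP --
4.3.2.1 ==> 255.3.2.1
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x60
id = 0x3902 flags = 0x0 frag off=0x0
ttl = 0x20 proto=0x11 chksum = 0x5885
-- UDP --
source port = 0x89 dest port = 0x89
len = 0x4c checksum = 0xa6a0
-- DATA --
00000014: 00 01 00 00| ....
00000024: 00 00 00 01 20 45 49 45 50 45 47 45 47 45 46 46| .... EIEPEGEGEFF
00000034: 43 43 4e 46 41 45 44 43 41 43 41 43 41 43 41 43| CCNFAEDCACACACAC
00000044: 41 43 41 41 41 00 00 20 00 01 c0 0c 00 20 00 01| ACAAA.. ..... ..
00000054: 00 04 93 e0 00 06 60 00 01 02 03 04 00| ......\\Q......
--------- END OF PACKET ---------
"""
FIELD_RE = re.compile(r"([a-z ]+?)\s*=\s*(0x[0-9a-f]+)")
HEX_ROW_RE = re.compile(r"^([0-9a-f]{8}):\s*((?:[0-9a-f]{2} ?)+)\|")

def parse_dump(text):
    """Parse the IP/UDP field lines and hex rows of one debug packet display."""
    pkt = {"ip": {}, "udp": {}, "data": b"", "offsets": []}
    section = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("-- ") and line.endswith(" --"):
            section = line.strip("- ").lower()        # "ip", "udp" or "data"
        elif section == "ip" and "==>" in line:
            pkt["ip"]["src"], pkt["ip"]["dst"] = [p.strip() for p in line.split("==>")]
        elif section in ("ip", "udp"):                # e.g. "frag off=0x0" -> frag_off
            for name, val in FIELD_RE.findall(line):
                pkt[section][name.strip().replace(" ", "_")] = int(val, 16)
        elif section == "data" and (m := HEX_ROW_RE.match(line)):
            pkt["offsets"].append(int(m.group(1), 16))
            pkt["data"] += bytes.fromhex(m.group(2).replace(" ", ""))
    return pkt

def check_lengths(pkt):
    """Cross-check the headers: hlen is in 32-bit words, proto 0x11 is UDP, IP
    total length minus the IP header must equal the UDP length, and the hex rows
    should then account for UDP length minus the 8-byte UDP header."""
    ip, udp, hdr = pkt["ip"], pkt["udp"], pkt["ip"]["hlen"] * 4
    return {"ip_header_bytes": hdr, "is_udp": ip["proto"] == 17,
            "udp_len_matches_ip": ip["tlen"] - hdr == udp["len"],
            "payload_bytes_expected": udp["len"] - 8,
            "payload_bytes_shown": len(pkt["data"])}
```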
The following is sample output from the show debug command:
show debug