Cisco ISE: log into the ISE CLI and run
show logging application ise-psc.log
or
show logging application ise-psc.log tail
CCIE23050.com CCIE Network blog
Wireless LAN Controller client debug (AireOS)
debug client <client-mac-address> -> enables the client-specific debugs for that MAC
debug dhcp message enable
debug aaa all enable -> very busy
debug dot1x aaa enable
debug mobility handoff enable
debug disable all -> to turn everything off.
ASA NetFlow (NSEL) export
flow-export destination INSIDE 10.1.1.1 2058
access-list FLOW_EXPORT_ACL extended permit ip any any
class-map FLOW_EXPORT_CLASS
match access-list FLOW_EXPORT_ACL
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 65535
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
class FLOW_EXPORT_CLASS
flow-export event-type all destination 10.1.1.1
ASA syslog
logging enable
logging timestamp
logging buffer-size 100000
logging buffered alerts
logging trap debugging
logging host INSIDE 77.77.77.245
To turn logging off on a per-message basis:
no logging message 305011 <- Built dynamic TCP translation
no logging message 305012 <- Teardown dynamic TCP translation
no logging message 401004 <- shun
no logging message 711001 <- traceback
no logging message 304001 <- Accessed URL
Be careful with 401004 (shun) and 711001 (traceback): they record security and crash events, so only silence them if they are collected some other way.
To change the severity level of a message:
logging message 505013 level informational
logging message 505015 level informational
To rate-limit a message (number of messages, then the interval in seconds):
logging rate-limit 5 30 message 106017
logging rate-limit 10 5 message 305006
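Added example (not from the original post): a small Python model of what the syslog host at 77.77.77.245 actually receives once the config above is applied. It parses the page's logging lines into a policy (trap level, disabled IDs, level overrides, rate limits) and runs constructed ASA syslog lines through it. The sample events and their message texts are made up for the demonstration; only the message IDs come from the page.

```python
import re
from collections import deque
from dataclasses import dataclass, field

# ASA syslog severity names as used by 'logging trap' and 'logging message ... level'.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# The page's logging configuration, minus the inline annotations.
PAGE_CONFIG = """
logging trap debugging
no logging message 305011
no logging message 305012
no logging message 401004
no logging message 711001
no logging message 304001
logging message 505013 level informational
logging message 505015 level informational
logging rate-limit 5 30 message 106017
logging rate-limit 10 5 message 305006
"""

# Constructed sample events as (seconds, syslog line); message texts are illustrative only.
SAMPLE_EVENTS = [
    (0, "%ASA-6-305011: Built dynamic TCP translation from INSIDE:10.1.1.5/51234 to OUTSIDE:203.0.113.1/51234"),
    (0, "%ASA-6-305012: Teardown dynamic TCP translation from INSIDE:10.1.1.5/51234 to OUTSIDE:203.0.113.1/51234"),
    (1, "%ASA-4-401004: Shunned packet: 192.0.2.9 ==> 10.1.1.5 on interface OUTSIDE"),
    (1, "%ASA-5-304001: 10.1.1.5 Accessed URL 198.51.100.7:/index.html"),
    (2, "%ASA-6-302013: Built inbound TCP connection 4711 for OUTSIDE:192.0.2.9/40001 to INSIDE:10.1.1.5/22"),
    (2, "%ASA-3-505013: Module sfr application changed state from Up to Down"),
    (3, "%ASA-7-111009: User 'enable_15' executed cmd: show running-config"),
] + [(10 + i, "%ASA-4-106017: Deny IP due to Land Attack from 10.1.1.1 to 10.1.1.1") for i in range(7)]

LINE_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}): (?P<text>.*)")


@dataclass
class Policy:
    trap_level: int = 7                                     # 'logging trap debugging' by default
    disabled: set = field(default_factory=set)              # 'no logging message <id>'
    level_override: dict = field(default_factory=dict)      # id -> new severity
    rate_limit: dict = field(default_factory=dict)          # id -> (count, interval_seconds)


def parse_policy(config_text):
    """Build a Policy from 'logging ...' lines in ASA running-config syntax."""
    p = Policy()
    for raw in config_text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:3] == ["no", "logging", "message"]:
            p.disabled.add(int(parts[3]))
        elif parts[:2] == ["logging", "message"] and "level" in parts:
            p.level_override[int(parts[2])] = SEVERITY[parts[parts.index("level") + 1]]
        elif parts[:2] == ["logging", "rate-limit"] and parts[4] == "message":
            p.rate_limit[int(parts[5])] = (int(parts[2]), int(parts[3]))
        elif parts[:2] == ["logging", "trap"]:
            p.trap_level = SEVERITY[parts[2]]
    return p


def parse_line(line):
    m = LINE_RE.match(line)
    return (int(m["sev"]), int(m["id"]), m["text"]) if m else None


def apply_policy(events, policy):
    """Return (forwarded, dropped): forwarded is [(severity, id, text)], dropped is [(id, reason)]."""
    windows, forwarded, dropped = {}, [], []
    for ts, line in events:
        parsed = parse_line(line)
        if parsed is None:
            dropped.append((None, "unparsed"))
            continue
        sev, mid, text = parsed
        if mid in policy.disabled:
            dropped.append((mid, "disabled"))
            continue
        sev = policy.level_override.get(mid, sev)       # level override happens before the trap filter
        if sev > policy.trap_level:
            dropped.append((mid, "below trap level"))
            continue
        if mid in policy.rate_limit:                    # sliding window of <count> per <interval> seconds
            count, interval = policy.rate_limit[mid]
            win = windows.setdefault(mid, deque())
            while win and ts - win[0] >= interval:
                win.popleft()
            if len(win) >= count:
                dropped.append((mid, "rate-limited"))
                continue
            win.append(ts)
        forwarded.append((sev, mid, text))
    return forwarded, dropped
```

With the page's config, the four suppressed IDs and two of the seven 106017 floods never reach the collector, while 505013 arrives as informational instead of errors. Appending `logging trap informational` to the config also drops the level-7 command-audit line, which is the usual reason people keep the trap level at debugging for a firewall.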
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server host 1.1.1.1 community1 ipsec isakmp
The trap host above uses a v1/v2c community string sent in the clear; where the receiver supports it, use SNMPv3 with authentication and privacy (snmp-server group ... v3 priv) instead.
show ip sockets detail or show sockets detail will give you a list of open ports.
If that command is not supported, find the process id with show processes and run show sockets <pid> detail:
Rack01R1#sh processes | i DHCP
42 Mwe 61554938 72 4486 16 5496/6000 0 DHCPD Timer
132 Mwe 61D37488 780188 1074772 725 10568/12000 0 DHCPD Receive
151 Msi 6155CC30 464 8975 51 5124/6000 0 DHCPD Database
248 Mwe 6153E90C 93604 537591 174 6424/9000 0 DHCP Client
Rack01R1#show sockets 132 detail
FD LPort FPort Proto Type TransID
0 67 0 UDP DGRAM 0x672F5140
State: SS_ISBOUND
Options: SO_BROADCAST
Total open sockets – TCP:0, UDP:1, SCTP:0
You can also list the listening and established control-plane sockets:
Rack01R1#sh control-plane host open-ports
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:23 *:0 Telnet LISTEN
tcp *:80 *:0 HTTP CORE LISTEN
udp *:67 *:0 DHCPD Receive LISTEN
udp *:68 *:0 BootP client LISTEN
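Added example (not from the original post): a Python parser for the show control-plane host open-ports output above, plus a review that compares the LISTEN sockets against a baseline you expect on the box and flags the well-known cleartext management services. The RISKY table and its remediation hints are this example's assumptions, not output from IOS.

```python
import re

# Constructed copy of the page's 'show control-plane host open-ports' output.
SAMPLE_OUTPUT = """\
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:23 *:0 Telnet LISTEN
tcp *:80 *:0 HTTP CORE LISTEN
udp *:67 *:0 DHCPD Receive LISTEN
udp *:68 *:0 BootP client LISTEN
"""

# One row: protocol, local addr:port, foreign addr:port, service name (may contain spaces), state.
ROW_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+(.+?)\s+(\S+)$")

# Services a control-plane hardening review flags, with the usual IOS remediation (assumed here).
RISKY = {
    ("tcp", 23): ("Telnet: cleartext management", "line vty 0 4 / transport input ssh"),
    ("tcp", 80): ("HTTP: cleartext management", "no ip http server (ip http secure-server if needed)"),
    ("udp", 69): ("TFTP server", "no tftp-server"),
    ("udp", 161): ("SNMP", "restrict with an ACL on the community or move to SNMPv3"),
}


def parse_open_ports(text):
    """Parse the command output into a list of socket dicts; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        proto, laddr, lport, faddr, fport, service, state = m.groups()
        rows.append({
            "proto": proto,
            "local": laddr,
            "port": None if lport == "*" else int(lport),
            "foreign": faddr,
            "service": service,
            "state": state,
        })
    return rows


def review(rows, baseline=frozenset()):
    """Return findings for every LISTEN socket not in the baseline: (key, service, reason, fix)."""
    findings = []
    for r in rows:
        if r["state"] != "LISTEN":
            continue
        key = (r["proto"], r["port"])
        if key in baseline:
            continue
        reason, fix = RISKY.get(key, ("not in baseline", "verify the service and add it to the baseline"))
        findings.append((key, r["service"], reason, fix))
    return findings


if __name__ == "__main__":
    for key, service, reason, fix in review(parse_open_ports(SAMPLE_OUTPUT), baseline={("udp", 67), ("udp", 68)}):
        print(f"{key[0]}/{key[1]} {service}: {reason} -> {fix}")
```

For a DHCP-serving router the baseline is udp/67 and udp/68, so the review on the page's output leaves exactly two findings: Telnet and HTTP, both of which carry device credentials in the clear.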
Generate HTTP traffic
Rack07R1#copy http://33.33.6.3/File1 null:
%Error opening http://33.33.6.3/File1 (No such file or directory)
Generate FTP traffic
Rack07R1#copy ftp://33.33.6.3/File1 null:
Accessing ftp://33.33.6.3/File1…
%Error opening ftp://33.33.6.3/File1 (Undefined error)
Test HTTP, or generate traffic on any TCP port, with telnet:
Rack07R1#telnet 33.33.6.3 80
Trying 33.33.6.3, 80 … Open
get
HTTP/1.1 400 Bad Request
Date: Fri, 15 Mar 2002 21:45:45 GMT
Server: cisco-IOS
Accept-Ranges: none
400 Bad Request
[Connection to 33.33.6.3 closed by foreign host]
ICMP
Rack07R1#debug ip icmp
ICMP packet debugging is on
Rack07R1#ping 33.33.6.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.33.6.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/7/16 ms
Rack07R1#
Jan 13 19:51:50.812: ICMP: echo reply sent, src 33.33.6.3, dst 33.33.6.3
Jan 13 19:51:50.816: ICMP: echo reply rcvd, src 33.33.6.3, dst 33.33.6.3
Jan 13 19:51:50.828: ICMP: echo reply sent, src 33.33.6.3, dst 33.33.6.3
Jan 13 19:51:50.836: ICMP: echo reply rcvd, src 33.33.6.3, dst 33.33.6.3
For other traffic use debug ip packet detail. Restrict it with an access-list (debug ip packet <acl> detail) so the router is not overwhelmed, and remember it only shows process-switched packets, not CEF-switched traffic.
Test RADIUS and TACACS+
Rack07R1#test aaa group tacacs+ cisco cisco new-code
Rack07R1#test aaa group radius cisco cisco new-code
ASA active/standby failover using two interfaces (one LAN failover link, one state link). Configure the primary first.
On the primary
failover
failover lan unit primary
failover lan interface LFAIL GigabitEthernet0/6
failover key cisco1
failover replication http
failover link LSTATE GigabitEthernet0/7
failover interface ip LFAIL 172.20.248.17 255.255.255.252 standby 172.20.248.18
failover interface ip LSTATE 172.20.248.21 255.255.255.252 standby 172.20.248.22
monitor-interface INSIDE <- only needed if the interface is not physical; physical interfaces are monitored by default
On the secondary
failover lan unit secondary
failover lan interface LFAIL GigabitEthernet0/6
failover key cisco1
failover interface ip LFAIL 172.20.248.17 255.255.255.252 standby 172.20.248.18
failover
Use a strong failover key in production: it authenticates and encrypts the failover and state traffic, which otherwise crosses the links in clear text (including the replicated configuration).
Using the management interface with VLANs.
interface Management0/0
!
interface Management0/0.303
description LAN Failover Interface
vlan 303
!
interface Management0/0.304
description STATE Failover Interface
vlan 304
failover
failover lan unit primary
failover lan interface LAN-FO Management0/0.303
failover key cisco1
failover link STATE-FO Management0/0.304
failover interface ip LAN-FO 192.168.2.37 255.255.255.252 standby 192.168.2.38
failover interface ip STATE-FO 192.168.2.41 255.255.255.252 standby 192.168.2.42
On the secondary unit.
failover lan unit secondary
failover lan interface LAN-FO Management0/0.303
failover key cisco1
failover interface ip LAN-FO 192.168.2.37 255.255.255.252 standby 192.168.2.38
failover
On the router this sets the IKE identity to the certificate DN:
crypto isakmp identity dn
On the ASA:
tunnel-group 200.0.23.3 type ipsec-l2l
tunnel-group 200.0.23.3 ipsec-attributes
pre-shared-key cisco
trust-point ROUTER2
peer-id-validate nocheck <- skips validating the peer certificate identity; fine for a lab, not for production
The trustpoint needs to be set in two different places.
In the tunnel-group, for when the ASA is the responder:
tunnel-group 200.0.23.3 type ipsec-l2l
tunnel-group 200.0.23.3 ipsec-attributes
pre-shared-key cisco
trust-point ROUTER2
In the crypto map, for when the ASA initiates the tunnel:
crypto map CRYPTO 10 set trustpoint ROUTER2
ASA and FWSM Capture
Here are some options for doing a capture on the ASA.
asa# access-list CAP1 ext permit ip any any
asa# capture CAPTRAFFIC access-list CAP1 circular-buffer interface outside
These are the options.
asa# capture CAPTRAFFIC ?
access-list Capture packets that match access-list
buffer Configure size of capture buffer, default is 512 KB
circular-buffer Overwrite buffer from beginning when full, default is non-circular
ethernet-type Capture Ethernet packets of a particular type, default is IP
interface Capture packets on a specific interface
match Capture packets matching five-tuple
packet-length Configure maximum length to save from each packet, default is 68 bytes
real-time Display captured packets in real-time. Warning: using this option with a slow console connection may result in an excessive amount of non-displayed packets due to performance limitations.
trace Trace the captured packets
type Capture packets based on a particular type
To view capture output:
show capture CAPTRAFFIC
To see the traffic that the ASA is dropping (with the drop reason):
asa# capture capasp type asp-drop all
If you want the capture as a pcap file, define a raw-data capture; the bracketed text is what show capture reports once it is running:
capture capinout type raw-data interface OUTSIDE match udp host 172.16.1.176 any
asa# show capture
capture capinout type raw-data interface OUTSIDE [Capturing - 2164 bytes]
  match udp host 172.16.1.176 any
Then in a web browser you can download the capture from the ASA:
https://172.16.254.1/capture/capinout/pcap
Then open it in Wireshark to see the traffic in detail. Note the default packet-length of 68 bytes keeps only the headers of each packet; raise it with the packet-length option if you need payloads.
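Added example (not from the original post): a minimal pcap reader in Python for checking a downloaded ASA capture without Wireshark, for instance on a jump host. It decodes the global header, walks the records, pulls the five-tuple out of each Ethernet/IPv4/TCP/UDP frame, and marks packets that the ASA truncated to its packet-length. The frames below are constructed in the script itself; fetch_capture is an assumed helper for the /capture/<name>/pcap URL using HTTP basic authentication against the ASA's HTTPS server and is not exercised here.

```python
import base64
import ssl
import struct
import urllib.request
from ipaddress import ip_address

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap magic; the ASA serves this format
LINKTYPE_ETHERNET = 1


def fetch_capture(asa_host, name, user, password, cafile=None):
    """Download https://<asa>/capture/<name>/pcap (assumption: basic auth with an ASA admin user)."""
    req = urllib.request.Request(f"https://{asa_host}/capture/{name}/pcap")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    ctx = ssl.create_default_context(cafile=cafile)   # pass the ASA's cert here instead of disabling verification
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read()


def make_udp_frame(src, dst, sport, dport, payload_len):
    """Constructed Ethernet/IPv4/UDP frame for the demo (checksums left at zero)."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"
    udp_len = 8 + payload_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                         ip_address(src).packed, ip_address(dst).packed)
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return eth + ip_hdr + udp_hdr + bytes(payload_len)


def make_pcap(frames, snaplen=68):
    """Serialise frames the way the ASA does: only the first packet-length (snaplen) bytes are kept."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1000 + i, 0, min(len(frame), snaplen), len(frame)))
        out.append(frame[:snaplen])
    return b"".join(out)


def decode_frame(frame, ts, truncated):
    """Five-tuple of an Ethernet/IPv4 frame; non-IPv4 or non-TCP/UDP frames get proto None."""
    info = {"ts": ts, "truncated": truncated, "proto": None}
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return info
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    info["src"] = str(ip_address(frame[26:30]))
    info["dst"] = str(ip_address(frame[30:34]))
    l4 = 14 + ihl
    if proto in (6, 17) and len(frame) >= l4 + 4:       # TCP and UDP both start with sport, dport
        info["sport"], info["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
        info["proto"] = "tcp" if proto == 6 else "udp"
    return info


def parse_pcap(data):
    """Decode a classic pcap (either byte order) into a list of per-packet dicts."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a pcap file (did the ASA return an HTML login page instead?)")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off, packets = 24, []
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl, orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        packets.append(decode_frame(data[off:off + incl], ts_sec, incl < orig))
        off += incl
    return packets


def match_udp_host(packets, host):
    """Rough equivalent of the capture's 'match udp host <host> any' over the decoded packets."""
    return [p for p in packets if p["proto"] == "udp" and host in (p.get("src"), p.get("dst"))]


# Constructed demo capture: one SIP-sized datagram (truncated at 68 bytes) and one small reply.
DEMO_PCAP = make_pcap([
    make_udp_frame("172.16.1.176", "10.1.1.5", 5060, 5060, 200),
    make_udp_frame("10.1.1.5", "172.16.1.176", 5060, 5060, 10),
])
```

The truncated flag is the thing to look at before trusting a capture: with the default packet-length of 68 the ASA keeps enough for the headers Wireshark shows, but any payload-level analysis needs the capture re-taken with a larger packet-length. The magic check also catches the common mistake of saving the ASA's login page as a .pcap.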