Troubleshooting Techniques
Omar Santos
os@cisco.com
Cisco PSIRT
Security Research and Operations
Agenda
Q&A
Understanding the problem could be
For problems relating to the Cisco ASA, always:
Determine the flow: Protocol, Source IP, Destination IP, Source Port, Destination Port
Determine the logical (named) interfaces through which the flow passes
[Figure: TCP flow diagram labelled outside, inside and 172.16.164.216:5620]
Example Flow (TCP):
Source IP: 10.1.1.9
Destination IP: 198.133.219.25
Source Port: 11030
Destination Port: 80
Interfaces: Source Inside, Destination Outside
Packet Flow
[Figure: network diagram with the Servers, Eng and Accounting segments behind the ASA; host 10.1.1.9 reaching 198.133.219.25 on the Outside]
[Figure: ASA packet-flow diagram. Stages in order: Ingress Interface -> Existing Conn? -> NAT Untranslate -> ACL Permit? -> Stateful Inspection -> NAT IP Header -> Egress Interface -> L3 Route? -> L2 Addr? -> TX Pkt. "No" at Existing Conn sends the packet through NAT Untranslate and the ACL check; "No" at ACL Permit, Stateful Inspection, L3 Route or L2 Addr is a DROP]
If there is no existing connection and the packet is a TCP SYN or a UDP packet, it is passed to the ACL and the other policy checks in the Session Manager
In ASA 8.2 and below, the incoming packet was subjected to the ACL check prior to un-translation
NAT rules can determine the egress interface at this stage
Packet is virtually forwarded to egress interface (not forwarded to the Ethernet NIC yet)
Egress interface is determined first by translation rules or existing conn entry, only THEN
[Figure: egress-interface example showing the networks 172.16.0.0/16 and 172.16.12.0/24, the host 172.16.12.4 and the Outside interface]
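As an added illustration (not Cisco code and not from the deck), this Python toy models the decision order of the flow diagram and returns the same drop-reason names the frame-drop slide lists (tcp-not-syn, acl-drop, no-route, no-adjacency). The NAT, ACL, route and ARP entries are constructed from addresses that appear on the slides (the RDP static NAT and the 10.1.2.33 ARP host); the interface and route layout is assumed.

```python
import ipaddress

# Toy model of the packet-path order in the flow diagram, written for this page (not
# Cisco code): new flows go SYN check -> NAT untranslate -> ACL; existing conns skip the
# ACL; egress comes from NAT or the conn entry first, then route lookup, then L2 adjacency.
class Asa:
    def __init__(self, nat, acl, routes, arp):
        self.nat = nat        # (mapped_ip, port) -> (real_ip, egress_interface)
        self.acl = acl        # permitted (proto, real_dst_ip, dst_port) tuples
        self.routes = routes  # (network, next_hop or None if connected, interface)
        self.arp = arp        # next-hop IPs that have a resolved MAC
        self.conns = {}       # 5-tuple -> (real_dst, egress_interface)

    def lookup_route(self, dst, egress):
        ip, best = ipaddress.ip_address(dst), None
        for net, next_hop, iface in self.routes:
            n = ipaddress.ip_network(net)
            if ip in n and egress in (None, iface) and (best is None or n.prefixlen > best[0].prefixlen):
                best = (n, next_hop or dst, iface)    # connected route: ARP for dst itself
        return None if best is None else best[1:]

    def forward(self, pkt):
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key in self.conns:                          # existing conn: ACL not re-checked
            real_dst, egress = self.conns[key]
        else:
            if pkt["proto"] == "tcp" and not pkt.get("syn"):
                return ("DROP", "tcp-not-syn")         # first TCP packet not SYN
            real_dst, egress = self.nat.get((pkt["dst"], pkt["dport"]), (pkt["dst"], None))
            if (pkt["proto"], real_dst, pkt["dport"]) not in self.acl:
                return ("DROP", "acl-drop")
            self.conns[key] = (real_dst, egress)       # flow creation
        route = self.lookup_route(real_dst, egress)    # NAT-chosen egress restricts the lookup
        if route is None:
            return ("DROP", "no-route")
        next_hop, out_if = route
        if next_hop not in self.arp:
            return ("DROP", "no-adjacency")            # L2 resolution failed: no syslog
        return ("TX", out_if)

def build_sample_asa():
    """Constructed config reusing the slide's RDP static NAT and the debug arp host."""
    return Asa(
        nat={("172.18.254.139", 3389): ("192.168.103.221", "dmz")},
        acl={("tcp", "192.168.103.221", 3389), ("tcp", "10.1.2.33", 80), ("tcp", "198.133.219.25", 80)},
        routes=[("192.168.103.0/24", None, "dmz"), ("10.1.2.0/24", None, "outside")],
        arp={"192.168.103.221"})                       # 10.1.2.33 never answered ARP

def pkt(src, sport, dst, dport, syn=True, proto="tcp"):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport, "syn": syn}
```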
Once a Layer 3 route has been found and the next-hop IP address identified, Layer 2 resolution is performed
Layer 2 rewrite of the MAC header
If Layer 2 resolution fails, no syslog is generated
show arp will not display an entry for the L3 next hop
debug arp will indicate if we are not receiving an ARP reply:
arp-req: generating request for 10.1.2.33 at interface outside
arp-req: request for 10.1.2.33 still pending
Uses of Syslogs
Primary mechanism for recording connections to and through the firewall
The best troubleshooting tool available
[Figure: logging destinations. Console; Syslog/FTP server (archival purposes); SNMP server (trap); Flash; local buffer; ASDM]
Number of syslog messages per severity level by ASA version (new messages at that level; cumulative total in parentheses). The extracted header lists versions 7.2, 8.0, 8.1, 8.2, 8.3, 8.4 and 9.1, but every row carries eight values, so one version column header was lost in extraction.

Level          Values per version, in the order extracted
Emergencies    0 in each version (the cumulative Alerts total equals the Alerts count)
Alerts         62 (62), 77 (77), 78 (78), 87 (87), 87 (87), 95 (95), 109 (109), 117 (117)
Critical       29 (91), 35 (112), 49 (127), 50 (137), 56 (143), 57 (152), 63 (172), 72 (189)
Errors         274 (365), 334 (446), 361 (488), 363 (500), 384 (527), 408 (560), 448 (620), 521 (710)
Warnings       179 (544), 267 (713), 280 (768), 281 (781), 315 (842), 324 (884), 357 (997), 420 (1130)
Notifications  161 (705), 206 (919), 216 (984), 218 (999), 237 (1079), 246 (1130), 265 (1242), 285 (1415)
Informational  234 (939), 302 (1221), 335 (1319), 337 (1336), 368 (1447), 377 (1507), 395 (1637), 430 (1845)
Debugging      217 (1156), 258 (1479), 266 (1585), 267 (1603), 269 (1716), 269 (1776), 276 (1913), 295 (2140)
Problem:
Logging levels: 0 Emergency, 1 Alert, 2 Critical, 3 Errors, 4 Warnings, 5 Notifications, 6 Informational, 7 Debugging
If you are having problems with abnormal connection termination, temporarily increase your logging level (or change the syslog level) and check the teardown reason:
%ASA-6-302014: Teardown TCP connection 90 for outside:10.1.1.1/80 to inside:192.168.1.101/1107 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 3681 for DMZ:172.16.171.125/21 to inside:192.168.1.110/24245 duration 0:01:03 bytes 12504 TCP Reset-O
Teardown reasons (with the description where the slide table gave one):
Conn-Timeout: Connection Ended Because It Was Idle Longer Than the Configured Idle Timeout
Deny Terminate
FIN Timeout: Force Termination After Ten Minutes Awaiting the Last ACK or After Half-Closed Timeout
Flow Terminated by TCP Intercept
Invalid SYN
Idle Timeout: Connection Timed Out Because It Was Idle Longer than the Timeout Value
IPS Fail-Close
SYN Control
SYN Timeout
TCP Fins
TCP Reset-I
TCP Reset-O
Unauth Deny
Unknown: Catch-All Error
Xlate Clear
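To make the teardown reasons actionable across a whole log, here is an added Python example (not from the deck) that parses %ASA-6-302014 messages, totals the reasons and flags connections that carried zero bytes. The sample log is constructed: the two messages from the slide plus two made-up lines, one of them a 302013 build message the parser must ignore.

```python
import re
from collections import Counter

# Matches the %ASA-6-302014 "Teardown TCP connection" message shown on the slide.
TEARDOWN_RE = re.compile(
    r"%ASA-(?P<sev>\d)-302014: Teardown TCP connection (?P<conn>\d+) "
    r"for (?P<src_if>[^:\s]+):(?P<src_ip>\S+)/(?P<src_port>\d+) "
    r"to (?P<dst_if>[^:\s]+):(?P<dst_ip>\S+)/(?P<dst_port>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>.+?))?\s*$"
)

def parse_teardown(line):
    """Return a dict for a 302014 line, or None for any other syslog."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return {
        "conn": int(g["conn"]),
        "src": f'{g["src_if"]}:{g["src_ip"]}/{g["src_port"]}',
        "dst": f'{g["dst_if"]}:{g["dst_ip"]}/{g["dst_port"]}',
        "duration_s": int(g["h"]) * 3600 + int(g["m"]) * 60 + int(g["s"]),
        "bytes": int(g["bytes"]),
        "reason": g["reason"] or "Unknown",
    }

def teardown_summary(lines):
    """Count teardown reasons and list connections that moved no data.
    A SYN Timeout with bytes 0 means the three-way handshake never completed."""
    reasons = Counter()
    no_data = []
    for line in lines:
        rec = parse_teardown(line)
        if rec is None:
            continue
        reasons[rec["reason"]] += 1
        if rec["bytes"] == 0:
            no_data.append((rec["conn"], rec["dst"], rec["reason"]))
    return reasons, no_data
# Constructed sample: the two messages from the slide plus two made-up lines.
SAMPLE_LOG = [
    "%ASA-6-302014: Teardown TCP connection 90 for outside:10.1.1.1/80 to inside:192.168.1.101/1107 duration 0:00:30 bytes 0 SYN Timeout",
    "%ASA-6-302014: Teardown TCP connection 3681 for DMZ:172.16.171.125/21 to inside:192.168.1.110/24245 duration 0:01:03 bytes 12504 TCP Reset-O",
    "%ASA-6-302014: Teardown TCP connection 3702 for outside:198.133.219.25/80 to inside:10.1.1.9/11030 duration 0:02:10 bytes 4521 TCP FINs",
    "%ASA-6-302013: Built outbound TCP connection 3703 for outside:198.133.219.25/80 (198.133.219.25/80) to inside:10.1.1.9/11031 (10.1.1.9/11031)",
]
if __name__ == "__main__":
    print(teardown_summary(SAMPLE_LOG))
```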
Key syslogs to watch: Flow Creation, Flow Teardown, Flow Denied
logging enable
logging buffered debugging
logging console debugging
logging trap debugging
logging history debugging
logging host inside 192.168.1.10
logging host inside 192.168.1.11
logging host DMZ 192.168.2.121
Console logging is a bottleneck (low rate)
logging enable
logging flow-export-syslogs disable
*NOT RANKED BY IMPORTANCE.
2014 Cisco and/or its affiliates. All rights reserved.
Xlate Table
show xlate displays information about NAT translations through the ASA
Second-biggest memory consumer after the conn table; there is no hard-coded size limit
You can limit the output to just the local or global IP
asa# show xlate local 10.2.1.2
5014 in use, 5772 most used
TCP PAT from inside:192.168.103.220/57762 to outside:10.2.1.2/43756 flags ri
idle 0:00:00 timeout 0:00:30
TCP PAT from inside:192.168.103.220/57761 to outside:10.2.1.2/54464 flags ri
idle 0:00:00 timeout 0:00:30
Depleted NAT/PAT pools may cause connectivity issues
Check specific translation policies in the applied order.
CONNECTION TABLE
Connection Table
asa# show conn detail
2 in use, 64511 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, b - TCP state-bypass or nailed,
C - CTIQBE media, c - cluster centralized,
D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
k - Skinny media, M - SMTP data, m - SIP media, n - GUP
O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
q - SQL*Net data, R - outside acknowledged FIN,
R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
V - VPN orphan, W - WAAS,
X - inspected by service module,
x - per session, Y - director stub flow, y - backup stub flow,
Z - Scansafe redirection, z - forwarding stub flow
TCP outside:198.133.219.25/80 dmz:10.9.9.3/4101,
flags UIO, idle 8s, uptime 10s, timeout 1h, bytes 127
UDP outside:172.18.124.1/123 dmz:10.1.1.9/123,
flags -, idle 15s, uptime 16s, timeout 2m, bytes 1431
Callouts: narrow down the output with show conn address <ip>; the byte count is bidirectional, use NSEL to report each direction separately.
Connection Flags
[Figure: Outbound Connection: inside client through the ASA to an outside server. Inbound Connection: outside client through the ASA to an inside server]
PACKET CAPTURE
Packet Capture
[Figure: captures applied on both sides of the ASA (Inside Capture, Outside Capture)]
Capture OUT on the Outside interface:
4 packets captured
1: 10:51:26.139046 802.1Q vlan#10 P0 icmp: echo request
2: 10:51:26.139503 802.1Q vlan#10 P0 icmp: echo reply
3: 10:51:27.140739 802.1Q vlan#10 P0 icmp: echo request
4: 10:51:27.141182 802.1Q vlan#10 P0 icmp: echo reply
4 packets shown
(the source and destination addresses of each packet were not recovered from the slide)
asa# no capture IN
Packet Capture
Capture buffer maintained in RAM (512KB by default, 30 MB max)
Download the capture as a pcap from https://x.x.x.x/admin/capture/OUT/pcap/outsidecapture.pcap, where OUT is the configured capture name
[Figure: the packet-flow diagram annotated with capture points. Ingress packets are captured right after the Ingress Interface stage, before Existing Conn, NAT Untranslate, ACL Permit and Stateful Inspection; egress packets are captured after L2 Addr, just before TX Pkt]
Packets are captured at the first and last points they can be in the flow
Ingress packets are captured before most packet processing
Egress packets are captured after all processing
Transit packets show the destination MAC address rewritten
Self-sourced packets may show an empty MAC address (0000.0000.0000)
Frame drop counters (in the format of show asp drop; the command line itself was not recovered from the slide):
Invalid encapsulation (invalid-encap)
Invalid tcp length (invalid-tcp-hdr-length)
Invalid udp length (invalid-udp-length)
No valid adjacency (no-adjacency)
No route to host (no-route)
Reverse-path verify failed (rpf-violated)
Flow is denied by access rule (acl-drop)
First TCP packet not SYN (tcp-not-syn)
Bad TCP Checksum (bad-tcp-cksum)
Counter values as extracted from the slide (ten values for nine reasons, so they cannot be matched to the reasons reliably): 10942, 10897, 9382, 10, 5594, 1009, 15, 25247101, 36888, 893
PACKET TRACER
Packet Tracer
Unique capability to record the path of a specially tagged packet through ASA
Best way to understand the packet path in the specific software version
Inject a simulated packet to analyse the behaviour and validate configuration
Callouts on the packet-tracer output: feature order and name; packet information as it enters the ingress interface; include detailed internal flow and policy structure information
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,dmz) source dynamic any interface destination static interface Win7-vm service rdp-outside rdp-outside
Additional Information:
NAT divert to egress interface dmz
Untranslate 172.18.254.139/3389 to 192.168.103.221/3389
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,dmz) source dynamic any interface destination static interface Win7-vm service rdp-outside rdp-outside
Additional Information:
Dynamic translate 172.18.124.66/1234 to 192.168.103.221/1234
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 16538274, packet dispatched to next module
Callout: the Config: line of each phase shows the associated configuration
[Figure: packet capture listing with the TCP flags column (S, S, ., P, ., ack, ack, ack, Ack)]
Event manager applet building blocks: triggering event (Syslog ID, Time based, Crash, Manual), Action, Output Destination (None, Console, File on disk)
Manual events
Gather the output of 10 different commands and save to a file
Callouts on the applet configuration (the configuration lines themselves were not recovered from the slide): applet name, trigger syslogs, action command, output destination
Output files written to disk:
-rwx  161286  eem-loginConfigBackup-0.log
-rwx  161331  eem-loginConfigBackup-1.log
-rwx  161277  eem-loginConfigBackup-2.log
Authentication Problems
debug webvpn <1-255>
Good Authentication
[Figure: packet dump of the authentication exchange; the ASCII column shows user1, 209.165.200.225, 209.165.200.226 and ip:source-ip=209.165.200.226]
Note: In this Example the Administrator Attempts to Authenticate to the Active Directory Server Using the TEST Utility Within ASDM
You can combine the debugs listed above with debug webvpn and debug aaa common when troubleshooting clientless authentication problems.
Keywords of the VPN session show command (the command line itself was not recovered from the slide; by its keywords it is show vpn-sessiondb ?) with their help text:
anyconnect        AnyConnect sessions
detail            Show detailed output
email-proxy       Email-Proxy sessions
full              Output formatted for data management programs
index             Index of session
l2l               IPsec LAN-to-LAN sessions
license-summary   Show VPN License summary
ra-ikev1-ipsec    IKEv1 IPsec/L2TP-IPsec Remote Access sessions
ratio             Show VPN Session protocol or encryption ratios
summary           Show VPN Session summary
vpn-lb            VPN Load Balancing Mgmt sessions
webvpn            WebVPN sessions
|                 Output modifiers
<cr>
debug webvpn
omar-asa# debug webvpn ?
<1-255>
anyconnect
chunk
cifs
citrix
compression
cstp-auth
customization
failover
html
javascript
kcd
listener
mus
nfs
request
response
session
transformation
url
util
xml
<cr>
debug crypto ? keywords: condition, engine, ike-common, ikev1, ikev2, ipsec, ss-api, vpnclient
Debugs IKEv2 timer expiration. Useful when clients are complaining that their connection is being timed out too often.
Note: debug crypto ike-common can be used for both IKEv1 and IKEv2
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xDC15BF68 (3692412776)
To launch DART, go to the Status Overview tab and click on Diagnostics
DART Wizard
Under Bundle Creation Option, select Default or Custom. The Default option includes the typical log files and diagnostic information; DARTBundle.zip is saved to the local desktop. If you choose Custom, the DART wizard allows you to specify where and which files you want to include in the bundle.
DART Wizard (continued)
OS:
OS username:
Upload URL:
DART Mode:
Bundle on client computer:
============================================================================================================
Cisco AnyConnect Secure Mobility Client:
Files Included in Bundle:
ID                  Filename                                                           Description                                                        Truncate?  Final Size  Orig. Size
------------------------------------------------------------------------------------------------------------
ac-install          update_pre3.0.txt                                                  AnyConnect install logs. Includes web and standalone install logs  No         10 bytes    10 bytes
ac-install          anyconnect-win-2.3.0254-web-deploy-k9-install-22203701062010.log   AnyConnect install logs. Includes web and standalone install logs  No         322.35K     322.35K
ac-install          update.txt                                                         AnyConnect install logs. Includes web and standalone install logs  No         10 bytes    10 bytes
ac-install          VPNManifest.dat                                                    AnyConnect install logs. Includes web and standalone install logs  No         181 bytes   181 bytes
ac-install          AnyConnectLocalPolicy.xml                                          AnyConnect install logs. Includes web and standalone install logs  No         589 bytes   589 bytes
ac-install          UpdateHistory_20110405_124400_log.txt                              AnyConnect install logs. Includes web and standalone install logs  No         705 bytes   705 bytes
ac-logs             AnyConnect_pre3.0.txt                                              AnyConnect application logs                                        No         3.62M       3.62M
ac-logs             AnyConnect.txt                                                     AnyConnect application logs                                        No         227.40K     227.40K
ac-logs             AnyConnect.evtx                                                    AnyConnect application logs                                        No         1.06M       1.06M
ac-profile          CALO.xml                                                           AnyConnect Profile                                                 No         1.46K       1.46K
ac-profile          AnyConnectProfile.xsd                                              AnyConnect Profile                                                 No         93.22K      93.22K
global-preferences  preferences_global.xml                                             AnyConnect Global Preferences                                      No         546 bytes   546 bytes
user-preferences    preferences.xml                                                    AnyConnect User Preferences                                        No         590 bytes   590 bytes
va-runtime          setupapi.app.log                                                   Virtual Adapter runtime logs                                       No         320.88K     320.88K
va-runtime          setupapi.dev.log                                                   Virtual Adapter runtime logs                                       No         9.70M       9.70M
Thank you.