how to debug an ACL I've created on a 4404 WLC, specifically I want to monitor what packets are being denied by the ACL as something that should be working isn't
I've created an explicit deny statement at the end of the ACL and verified that the counter increases each time I try the problem software update.
What I can't work out is how to get the WLC to tell me what packets are being denied by the explicit deny statement, all I can find are 'show acl' commands which just give me the counts.
The equivalent on a router would be debug ip packet acl and adding the log keyword onto an ACE. I suppose I could configure a SPAN session on the WLC uplink to the switch but that seems overkill?
I'm trying to sort out someone else's 800 series router config IOS 12.2 that was just added onto for years and never cleaned up. There are about 10 route map statements near the end. As far as I can tell, only two are being used. Doesn't a route map statment have to be called(referenced) in another statement in order to actually be used such as either under an interface or in a nat statement?
I am trying to create a very basic template in compliance manager that checks for interfaces that aren't members of specific VLANs. VLAN 10 being one of them. I want to match interfaces assigned to VLAN 20. According to the documentation I have read, the following range statement should work because 10 falls between 3 and 19:
With the preceeding statement, however, interfaces assigned to both VLAN 10 and VLAN 20 are matching the rule. With this specific rule (not a range), only interfaces w/VLAN 20 are processed by the template, which is expected. We actually have numerous VLANs that we want to exclude/include. I only mentioned VLANs 10 and 20 for brevity.
I am having a problem w/ my PIX501 w/ "Cisco PIX Firewall Version 6.3(4)", upon issuing the command i get this WARNING, is this normal? because it works perfectly fine in version 7.2(2)..
THE ERROR:
PIX1(config)# nat (outside) 1 222.127.244.52 255.255.255.252 WARNING: Binding inside nat statement to outermost interface. WARNING: Keyword "outside" is probably missing.
i have 3 access-list configured IN | Out on my Border router (MARTIAN) ,i have to look which one block some of the traffic passing through ,for that matter i have enabled the below commands on my ISR 2900: with nothing output.
I have been using "debug ip packet" on a Cisco 2921 running IOS 15.1(4)M1. The problem I have is that, although I am using an ACL to limit the output, I am seeing some output that is distracting from what I am trying to see. Specifically, I am seeing the following:
Mar 19 20:22:36.135: IP: s=192.168.20.253, d=224.0.0.2, pak 30DB6D4C consumed in input feature , packet consumed, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE [ code]...
These would appear to be HSRP messages. But I don't understand why they are appearing when I configure "debug ip packet 101". The ACL is pretty simple:
Using 'debug ip packet acl# det on a 2911. On an older Cisco router you could set up an ACL
access-list 150 permit tcp any any eq 1023 and then run debug ip packet 151 det and this would give a good debug output for any traffic matching a TCP port of 1023.Now when I try this on a 29xx ( Version 15.1(4)M3 ) I get the screen filling with a lot of multicats HSRP communications.
I have tried rewriting the acl to have other deny statements after the permit to limit the source or destination hosts and/or the ports but the HSRP data is still there.
like this access-list 150 permit tcp any any eq 1023 access-list 150 deny udp any any eq 1985(code)
Iam fairly new to Cisco IOS and am having trouble getting an IPSEC tunnel to come up between 2 cisco 881-s. I have entered both debug crypto isakmp and debug crypto verbose but when I try to ping an internal IP at the other location through my VLAN1 interface no debugging info comes up.
Also my ACL-s for the crypto maps show no activity. I have tried many things so my configuration files are starting to get really messy.
I'm attempting to debug an ipsec tunnel on an ASA 5510 (8.4(3)) and when I turn on `debug crypto ipsec` and then execute `logging monitor` I get an constant stream of TCP debugging events, is it possible to only view ipsec messages?
Debug is not showing up on the console. I have configured logging console. My older switches, if an interface goes down or is brought up, it shows up on the console, but not on the new 4507s.
WS-C4507R-E cat4500e-ipbase-mz.122-53.SG2.bin TG-4507#sh loggingSyslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled) No Active Message Discriminator. No Inactive Message Discriminator.
I'm troubleshooting one way audio with our anyconnect phones.I think it is a routing issue.typically I wouldnt run debug ip packet detail on a production router, however I just found out that you can use acl's to specify the traffic to be debugged.
R1(config)#access-list 199 permit tcp host 10.1.1.1 host 172.16.1.1 R1(config)#access-list 199 permit tcp host 172.16.1.1 host 10.1.1.1 R1(config)#end R1#debug ip packet 199 detail IP packet debugging is on (detailed) for access list 199
The use of debug commands requires the allocation of system resources like memory and processing power and in extreme situations can cause a heavily-loaded system to stall. Use debug commands with care. Use an ACL in order to selectively define the traffic that needs to be examined to reduce the impact of the debug command. Such a configuration does not filter any packets.
Any way of narrowing down a degub for a peer address only? For example, I currently run 'debug crypto isakmp 127' which captures everything, but can I run the same dVPN debug for peer address 1.1.1.1?I know you can run 'sh crypto ipsec sa peer 1.1.1.1'.We're using an ASA5520 (8.4.2).
I am quite new to wireless side and had a small Q regarding watching debug output while i am ssh to the WLC? I tried the other day and did not see any messages, now this could be for the reason that nothing triggered or perhaps it needs something like terminal monitor?? i couldnt find any such command. my WLC is 5508 running 7.3 version.
I have a 2600 with a PRI card, when I try to do an isdn test call int s1/0:23 ######### the debug constantly comes back with "Cause i = 0x83E020 - Mandatory information element missing" Vendor states he doesn't see the SDN 'flag' coming through. I have both the isdn nsf-service, and the dialer map configured to use a class with the outgoing sdn command.
I use a C892 router with the IOS c890-universalk9-mz.152-1.T.bin. I just ran the command "debug ip packet 151 detail" and then the router stopped to work because it was overloaded. The ACL151 I used is as follow:
Extended IP access list 151 10 permit ip host 10.1.1.1 host 91.1.1.1 In the syslog then I got hundred of messages from IPSec: Jan 11 09:43:35.677: IP: s=10.80.10.254, d=10.64.19.99, pak 8A7453CC consumed in output feature , packet consumed, IPSec: to crypto engine(70), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
[code]....
For me it seems just like that this ACL is not applied and that I have a debug then for the whole traffic.
There is a plenty of tunnels ended and it works.But i have one tunnel, which doesn't work.I tried turn on "debug crypto isakmp" and it show this: RECV PACKET from 10.200.79.161 ISAKMP Header. [code]
So there is problem with IPSEC and with no matching SA, but i don't know which one.Then i try to turn on "debug crypto ipsec 255" but it displays nothing. [code]
I have a Cisco 857 which seems to be dropping connection on its public interface.I would like to see the logs of the ppp or something which may identify the problem of why the device has lots its connection.
I know what you can setup logs for a specific IP, but it is possible to setup logs for debug messages?Also what other logs would identify the problem?
What would cause debug output to not show on a remote session via telnet connection where you've enabled terminal monitor?
The reason I ask is I was working with a client and we were debugging WCCP. I ran the debug ip wccp packets and events commands, then entered terminal monitor. After this, we saw nothing. We should have at least seen particular WCCP-related packets because we saw the necessary cluster view was established which can't be done without the exchange of these packets.
Can having syslog (logging) configured cause the issue? Did I use the command incorrectly?
I've created a BVI2 where I bridged dot11 0.2 and vlan2 in order to have wired and wireless clients in the same vlan.Some wired client are not reachable from the lan. Wireless clients have no pbl in reaching each other.Monitoring a MAC address that is supposed to be behind the FA2 I have noticed that it moves to vlan2 when in fact it should be behind the FA2.Of course when "show mac-address-table" says it is behind Fa2 the ping to that MAC address works whereas when the TCAM reports it is behind vlan2 it doesn't. Once the MAC address is behind the vlan2 if I clear the mac-address-table and that mac-address is still put behinf Fa2 then the pings works again, sometime I have to perform twice the clear command before the MAC address goes back to the right location.I'd like to understand why the router moves that MAC address from Fa2 to vlan2 and that's the reason for my question in the subject.I don't have any problems for port Fa0 and Fa1."Show int fa2" doesn't show any problem/errors or the likes.BTW even if I force that MAC address to be statically behind FA2 the ping works fine but then stops and if I do "show mac-add" the static entry for it is still there... so looks like there us something that overrides that static entry. If clear everything and I have the mac-address be behind Fa2 then everything starts to work again. I used Fa3 instead of Fa2 and I get the same results.
I have strange problem with 1800 router , I can't see any debug messaging , the ping from PC to this router is Ok , but no icmp debug appears , even I enable "debug ip icmp " the version of router is : C181X Software (C181X-ADVENTERPRISEK9-M), Version 12.4(6)T6
We are experiencing intermittent issues with the IPS on our ASA5585 vs 8.4(2). Probably something with the dataplane. So I want to keep debug cplane 255 activated and logged with log debug-trace setting to syslog server. But when session times out the debug command is cleared so the output stops. Since it is a intermittent issue I want to keep debug activated...Totally different behaviour then with routers which keeps it activated. how to keep debug activated on a ASA.
I am currently configuring a Cisco 881 router and am having some vpn connection issues:I can connect with one user (me) and all other connection attempts form other users are denied. When I disconnect, other users can connect - the scenario is that only one user can connect at any given time.
Here is my config:
Building configuration... Current configuration : 11423 bytes ! ! Last configuration change at 13:11:23 PCTime Fri Jul 27 2012 by zephyr1 ! NVRAM config last updated at 13:25:30 PCTime Fri Jul 27 2012 by zephyr1 ! version 15.0
I consider the NAT mechanism to be quite straight forward, but although the firewall ACLs allow the traffic, it is being denied. The ASDM log and packet-tracer indicate the problem being an ACL.
# the internal resource object network mabe-mbp host 10.0.0.36 ! # these are ALL of the rules on the outside/inside interfaces access-list outside_access_in extended permit tcp host 1.2.3.90 any eq 12380 log disabled access-list outside_access_out extended permit ip any any log access-list inside_access_in extended permit ip any any log access-list inside_access_out extended permit ip any any log (code)
I have a cisco 870 router which I'm trying to connect to my ISP all the interfaces are in a up, up state. But I'm unable to ping any IP address on the internet. When I do a debug ppp I can see that the username and password are correct with the dialer 1 interface as there is no errors and I can see success. But when I shutdown the atm0 interface and then do a no shutdown I see a message called authentication failed.How does the atm0 interface work with the dialer,Also I spoke to the ISP and they can't see any connection being made but the debug shows success. I also get a default gateway via the ISP but it is the incorrect default gateway as I can't ping the internet and the ISP confirms that the default gateway is incorrect.
