Step 4 (Optional) To disable the ICMP inspection engine, enter the following command:
hostname(config)# no service-policy ICMP-POLICY
Traceroute
You can trace the route of a packet using the traceroute feature, which is accessed with the traceroute
command. A traceroute works by sending UDP packets to a destination on an invalid port. Because the
port is not valid, the routers along the way to the destination respond with an ICMP Time Exceeded
Message, and report that error to the security appliance.
Packet Tracer
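In addition, you can use the packet tracer tool to trace the lifespan of a packet through the security
appliance and see whether the packet is operating correctly. This tool lets you do the following:
• Debug all packet drops in a production network.
• Verify the configuration is working as intended.
• Show all rules applicable to a packet, along with the CLI commands that caused the rule addition.
• Show a time line of packet changes in a data path.
• Inject tracer packets into the data path.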
The packet-tracer command provides detailed information about the packets and how they are
processed by the security appliance. If a command from the configuration did not cause the packet to
drop, the packet-tracer command will provide information about the cause in an easily readable
manner. For example, when a packet is dropped because of an invalid header validation, the following
message appears: "packet dropped due to bad ip header (reason)."
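As an added example (not part of the Cisco guide), the following Python script reads saved packet-tracer output and reports which phase dropped the packet, the configuration lines listed for that phase, and the drop reason. The sample report is constructed and abbreviated, its field layout is an assumption, and explain_drop and OUTSIDE_IN are hypothetical names.

```python
import re

# Constructed, abbreviated sample laid out like a packet-tracer report. The field
# layout is an assumption; compare it with the output of your software version.
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0   0.0.0.0   outside

Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
access-group OUTSIDE_IN in interface outside
access-list OUTSIDE_IN extended deny tcp any any eq 23
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def explain_drop(text):
    """Return the dropping phase, its config lines and the drop reason, or None."""
    phases, final, cur, section = [], {}, None, None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = re.match(r"([A-Za-z-]+):\s*(.*)$", line)
        key, val = m.groups() if m else (None, line)
        if key == "Phase":                      # start of a new phase block
            cur, section = {"phase": int(val), "config": []}, None
            phases.append(cur)
        elif key == "Result" and not val:       # bare "Result:" opens the verdict
            cur, section = None, "final"
        elif section == "final" and key:
            final[key.lower()] = val
        elif cur is not None and key in ("Type", "Result"):
            cur[key.lower()] = val
        elif cur is not None and (key == "Config" or line == "Additional Information:"):
            section = "config" if key == "Config" else "info"
        elif cur is not None and section == "config":
            cur["config"].append(line)          # CLI commands listed for this phase
    if final.get("action", "").lower() != "drop":
        return None
    hit = next((p for p in phases if p.get("result") == "DROP"), {})
    return {"phase": hit.get("phase"), "type": hit.get("type"),
            "config": hit.get("config", []), "reason": final.get("drop-reason", "")}
```

When no phase is marked DROP, the result carries only the drop reason, which matches the case where no configured command caused the drop.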
Reloading the Security Appliance
In multiple mode, you can only reload from the system execution space. To reload the security appliance,
enter the following command:
hostname# reload
Performing Password Recovery
This section describes how to recover passwords if you have forgotten them or you are locked out
because of AAA settings, and how to disable password recovery for extra security. This section includes
the following topics:
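• Recovering Passwords for the ASA 5500 Series Adaptive Security Appliance
• Recovering Passwords for the PIX 500 Series Security Appliance
• Disabling Password Recovery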
Cisco Security Appliance Command Line Configuration Guide
43-6
Chapter 43
Troubleshooting the Security Appliance
OL-12172-03