Traceroute - Cisco FirePOWER ASA 5500 series Configuration Manual

Security appliance command line

hostname(config)# no access-list ICMPACL
Step 4 (Optional) To disable the ICMP inspection engine, enter the following command:
hostname(config)# no service-map ICMP-POLICY

Traceroute

You can trace the route of a packet using the traceroute feature, which is accessed with the traceroute
command. A traceroute works by sending UDP packets to a destination on an invalid port. Because the
port is not valid, the routers along the way to the destination will respond with an ICMP Time Exceeded
Message, and report that error back to the security appliance.
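The following is an added example, not taken from the Cisco guide, of how the replies to a UDP traceroute are matched to probes: each ICMP error quotes the IPv4 header and first 8 bytes of the probe that caused it, an ICMP Time Exceeded identifies an intermediate hop, and an ICMP Port Unreachable identifies the destination. The base port 33434 with one port per probe follows classic UNIX traceroute and is an assumption, as are the function names and the constructed sample replies; the port numbering the security appliance uses is not described here.

```python
import socket
import struct

TIME_EXCEEDED, DEST_UNREACH, PORT_UNREACH = 11, 3, 3  # RFC 792 type/code values
BASE_PORT = 33434  # assumption: classic UNIX traceroute base port, +1 per probe

def icmp_error(icmp_type, code, dst, dport, src="192.0.2.10", sport=40000):
    """Constructed ICMP error: ICMP header + quoted IPv4 header + 8 bytes of UDP."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 1, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + ip + udp

def classify(icmp, target):
    """Return (probe_number, kind) for a reply to one of our probes, else None."""
    if len(icmp) < 36:
        return None  # too short to quote an IPv4 header plus 8 bytes
    icmp_type, code, quoted = icmp[0], icmp[1], icmp[8:]
    ihl = (quoted[0] & 0x0F) * 4
    if ihl < 20 or len(quoted) < ihl + 8 or quoted[9] != 17:
        return None  # malformed, or the quoted packet is not UDP
    dport = struct.unpack("!H", quoted[ihl + 2:ihl + 4])[0]
    if socket.inet_ntoa(quoted[16:20]) != target or dport < BASE_PORT:
        return None  # error refers to traffic that is not one of our probes
    if (icmp_type, code) == (TIME_EXCEEDED, 0):
        kind = "hop"  # TTL expired at an intermediate router
    elif icmp_type == DEST_UNREACH:
        kind = "destination" if code == PORT_UNREACH else "blocked"
    else:
        return None
    return dport - BASE_PORT + 1, kind

def build_path(replies, target):
    """replies: iterable of (sender_ip, icmp_bytes); returns hops in probe order."""
    path = {}
    for sender, icmp in replies:
        result = classify(icmp, target)
        if result:
            path[result[0]] = (sender, result[1])
    return [(n, *path[n]) for n in sorted(path)]

# Constructed sample replies (documentation address ranges), deliberately out of order.
SAMPLE = [
    ("203.0.113.7", icmp_error(DEST_UNREACH, PORT_UNREACH, "203.0.113.7", BASE_PORT + 2)),
    ("198.51.100.1", icmp_error(TIME_EXCEEDED, 0, "203.0.113.7", BASE_PORT)),
    ("198.51.100.9", icmp_error(TIME_EXCEEDED, 0, "203.0.113.7", BASE_PORT + 1)),
    ("198.51.100.66", icmp_error(TIME_EXCEEDED, 0, "192.0.2.99", BASE_PORT)),  # not ours
]
```

Calling build_path(SAMPLE, "203.0.113.7") orders the three matching replies by probe number and drops the reply that quotes a different destination.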
Packet Tracer
In addition to capturing packets and the traceroute feature, you can use the packet tracer tool to trace
the lifespan of a packet through the security appliance and see whether it is behaving as expected. The
packet tracer tool lets you do the following:
• Debug all packet drops in a production network.
• Verify the configuration is working as intended.
• Show all rules applicable to a packet along with the CLI lines which caused the rule addition.
• Show a timeline of packet changes in a data path.
• Inject tracer packets into the data path.
The packet-tracer command provides detailed information about the packets and how they are
processed by the security appliance. If a command from the configuration did not cause the packet to
drop, the packet-tracer command provides information about the cause in an easily readable
manner. For example, if a packet was dropped because of an invalid header validation, a
message is displayed that says, "packet dropped due to bad ip header (reason)."
Reloading the Security Appliance
In multiple mode, you can only reload from the system execution space. To reload the security appliance,
enter the following command:
hostname# reload
Performing Password Recovery
This section describes how to recover if you forget passwords, or you create a lockout situation because
of AAA settings. You can also disable password recovery for extra security. This section includes the
following topics:
• Performing Password Recovery for the ASA 5500 Series Adaptive Security Appliance, page 43-7
Cisco Security Appliance Command Line Configuration Guide
Chapter 43, Troubleshooting the Security Appliance
OL-10088-01
43-6
