[c-nsp] ASA Debug

Joerg Mayer jmayer at loplof.de
Mon Mar 1 00:37:38 EST 2010


On Mon, Mar 01, 2010 at 03:32:08AM +0000, Jimmy Stewpot wrote:
> I am interested to know if there is some more information relating to the debugging of the Cisco ASA products/software. I have extensive experience with other firewall/security products and have been unable to find how to do flow debugging on the ASAs. What I am trying to diagnose is why we keep getting Deny/Drop packets for SIP on a random basis. I would like to diagnose/debug the flow of the packet through the device so that we can see why it's not being inspected by the SIP ALG and in turn gets dropped. I've set the following options:
> 
> logging monitor debugging
> logging buffered debugging
> logging trap debugging 
> 
> And it still does not really go into any further detail. I've also set up captures so that we can analyse the packets coming in. If I compare one working SIP call to a dropped incoming call then there is no obvious difference. Any additional advice would be greatly appreciated.

Please try packet tracer. It's a built-in tool (CLI and GUI) that simulates
the processing of a specific packet (src and dst IP and port etc). Don't
expect immediate results: Reading and interpreting the results *may*
take some getting used to in the less trivial cases.

Ciao
      Joerg
-- 
Joerg Mayer                                           <jmayer at loplof.de>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.

