Cisco ASA useful commands
There are thousands of commands available on the Cisco ASA. I found some of the commands very useful when troubleshooting.
1. Removing a tunnel-group
Given a site-to-site tunnel-group configured like this:
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key lksdjflksd565glmfb
A single clear configure tunnel-group command removes the tunnel-group together with its attributes (including the pre-shared key), so you don't have to remove the lines one by one:
ASA (config)# clear configure tunnel-group 1.1.1.1
2. Viewing a list of Remote access VPN users
ASA# show vpn-sessiondb anyconnect | incl U
Username : user1 Index : 6787
Username : user2 Index : 8765
3. Display information about a particular user
ASA# show vpn-sessiondb anyconnect filter name user1
Session Type: AnyConnect
Username : user1 Index : 6787
Assigned IP : 10.10.1.10 Public IP : 1.1.1.1
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Essentials
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES256 DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA256 DTLS-Tunnel: (1)SHA1
Bytes Tx : 3894551326 Bytes Rx : 1305056771
Group Policy : GRP-POLICY. Tunnel Group : RA-VPN
Login Time : 16:50:12 BST Tue May 7 2020
Duration : 0d 8h:26m:44s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 00000000019e9025eb16f50
Security Grp : 10:Sales
4. View the IPsec SAs built between peers.
The show crypto ipsec sa command shows the IPsec SAs that are built between the peers. In this example the encrypted tunnel is built between the IP addresses 2.2.2.2 and 1.1.1.1 for the traffic that flows between the networks 10.10.1.0/24 and 10.20.1.0/24. You can also see the two ESP SAs (one SPI each) built for the inbound and outbound traffic.
ASA/act/sec# show crypto ipsec sa peer 1.1.1.1
peer address: 1.1.1.1
Crypto map tag: map, seq num: 10, local addr: 2.2.2.2
access-list VPN-ACL extended permit ip 10.10.1.0 255.255.255.0 10.20.1.0 255.255.255.0
local ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.20.1.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 16905, #pkts encrypt: 16905, #pkts digest: 16905
#pkts decaps: 16906, #pkts decrypt: 16906, #pkts verify: 16906
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 16905, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2/4500, remote crypto endpt.: 1.1.1.1/4500
path mtu 1500, ipsec overhead 82(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: CEFTYUBA
current inbound spi : CTYCBHYJ
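The counters above are what you read to decide whether a tunnel is actually carrying traffic in both directions. The following Python script is an added example, not part of the original post and not a Cisco tool: it parses a saved copy of the show crypto ipsec sa output into a dictionary and reports one-way traffic (encaps without decaps or the reverse), non-zero send/receive errors, a missing SPI, and NAT traversal (UDP/4500 endpoints). The embedded sample is constructed from the output above, trimmed to the lines the script uses; the field names and finding codes are the script's own choices.

```python
import ipaddress
import re

# Constructed sample: the 'show crypto ipsec sa peer 1.1.1.1' output shown above, trimmed.
SAMPLE_SA = """\
peer address: 1.1.1.1
Crypto map tag: map, seq num: 10, local addr: 2.2.2.2
access-list VPN-ACL extended permit ip 10.10.1.0 255.255.255.0 10.20.1.0 255.255.255.0
local ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.20.1.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 16905, #pkts encrypt: 16905, #pkts digest: 16905
#pkts decaps: 16906, #pkts decrypt: 16906, #pkts verify: 16906
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2/4500, remote crypto endpt.: 1.1.1.1/4500
current outbound spi: CEFTYUBA
current inbound spi : CTYCBHYJ
"""


def parse_ipsec_sa(text):
    """Turn one SA block of 'show crypto ipsec sa' output into a dict.

    Counter lines ('#pkts encaps: N, ...') land in sa['counters'] keyed by the
    counter name; the local/remote idents become CIDR strings; the crypto
    endpoints become (ip, port) tuples; the SPIs are kept as printed.
    """
    sa = {"counters": {}}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            for name, val in re.findall(r"#([^:,]+):\s*(\d+)", line):
                sa["counters"][name.strip()] = int(val)
        elif m := re.match(r"peer address:\s*(\S+)", line):
            sa["peer"] = m.group(1)
        elif m := re.match(r"(local|remote) ident .*?:\s*\((\S+?)/(\S+?)/", line):
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            sa[m.group(1) + "_net"] = str(net)
        elif m := re.match(r"local crypto endpt\.:\s*(\S+)/(\d+), remote crypto endpt\.:\s*(\S+)/(\d+)", line):
            sa["local_endpoint"] = (m.group(1), int(m.group(2)))
            sa["remote_endpoint"] = (m.group(3), int(m.group(4)))
        elif m := re.match(r"current (outbound|inbound) spi\s*:\s*(\S+)", line):
            sa[m.group(1) + "_spi"] = m.group(2)
    return sa


def assess_sa(sa):
    """Return (code, detail) findings; an empty list means the SA looks healthy."""
    c = sa["counters"]
    enc, dec = c.get("pkts encaps", 0), c.get("pkts decaps", 0)
    findings = []
    if enc and not dec:
        findings.append(("ONE_WAY", "packets are sent into the tunnel but none come back: "
                                    "check the peer's route, NAT and crypto ACL for the reverse flow"))
    elif dec and not enc:
        findings.append(("ONE_WAY", "packets arrive through the tunnel but none are sent: "
                                    "check the local route, NAT exemption and crypto ACL"))
    for name in ("send errors", "recv errors"):
        if c.get(name, 0):
            findings.append(("ERRORS", f"{name}: {c[name]}"))
    for key in ("inbound_spi", "outbound_spi"):
        if key not in sa:
            findings.append(("NO_SPI", f"{key} missing: the SA has not been negotiated"))
    if sa.get("remote_endpoint", ("", 0))[1] == 4500:
        findings.append(("NAT_T", "UDP/4500 endpoints: NAT traversal is in use, a NAT device sits in the path"))
    return findings


if __name__ == "__main__":
    sa = parse_ipsec_sa(SAMPLE_SA)
    print(sa["peer"], sa["local_net"], "<->", sa["remote_net"])
    for code, detail in assess_sa(sa) or [("OK", "no findings")]:
        print(f"{code}: {detail}")
```

Feed it the output of show crypto ipsec sa peer <ip> captured from the ASA; for a multi-peer dump, split the text on the "peer address:" lines first and run parse_ipsec_sa on each block.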
5. ping tcp
This command lets the ASA send TCP SYN packets from a chosen source IP to any destination IP and port, which makes it very handy for troubleshooting reachability through the firewall. In this example, I'm testing connectivity from 10.10.1.10 to example.net (93.184.216.34) on port 80.
ping tcp $source_interface $dest_ip $dest_port source $src_ip $src_port
ASA# ping tcp inside 93.184.216.34 80 source 10.10.1.10 25000
Type escape sequence to abort.
Sending 5 TCP SYN requests to 93.184.216.34 port 80
from 10.10.1.10 starting port 25000, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 69/70/73 ms
6. Find the name of the object for 10.10.1.1
ASA# show running-config object network in-line | i 10.10.1.1
object network web-server1 host 10.10.1.1
Note - in-line is used to view the output in one line
ASA# show run object network ?
in-line display the output in one line
| Output modifiers
<cr>
7. View the contents of an object
ASA# show run object id web-server1
object network web-server1
host 10.10.1.1
8. View the contents of an object group
ASA# show run object-group id public-servers
object-group network public-servers
network-object host 10.10.1.1
network-object host 10.10.1.2
9. packet-tracer utility
You can use the packet-tracer command to identify whether traffic can traverse the firewall: it simulates the packet through the ASA's processing (routing, ACLs, NAT, VPN, inspection) and reports which phase drops it.
ASA# packet-tracer input $source_interface $traffic_type $src_ip $src_port $dest_ip $dest_port
ASA# packet-tracer input inside tcp 10.10.10.10 25000 8.8.8.8 80
10. View active IP-SGT Bindings
You can use the show cts sgt-map command to find the Security Group Tag (SGT) that ISE has assigned to a specific IP address; the Source column shows how the ASA learned the binding (SXP in this example).
ASA# show cts sgt-map
Active IP-SGT Bindings Information
IP Address SGT Source
================================================================
10.10.1.10 11 SXP
10.10.15.11 13 SXP
10.10.50.12 22 SXP
10.10.12.16 17 SXP
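When the table grows past a screen, it is easier to work with the output as data. The following Python script is an added example, not part of the original post and not a Cisco tool: it parses a saved copy of the show cts sgt-map output into a dictionary, looks up the tag for a host, lists the hosts behind one tag, and compares the live bindings with the tags you expect ISE to assign, so a host that suddenly carries a different tag or loses its binding stands out. The sample is constructed from the output above with the column spacing an ASA prints; the function names and the expected-tag map are this example's own.

```python
import ipaddress

# Constructed sample: the 'show cts sgt-map' output shown above, with the
# column spacing an ASA would print.
SAMPLE_SGT_MAP = """\
Active IP-SGT Bindings Information

IP Address                SGT    Source
================================================================
10.10.1.10                11     SXP
10.10.15.11               13     SXP
10.10.50.12               22     SXP
10.10.12.16               17     SXP
"""


def parse_sgt_map(text):
    """Return {ip_address: (sgt, source)} from 'show cts sgt-map' output.

    Everything up to and including the '====' separator line is header and is skipped;
    each remaining non-empty line is 'ip sgt source'.
    """
    bindings = {}
    in_table = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and set(stripped) == {"="}:
            in_table = True
            continue
        if not in_table or not stripped:
            continue
        ip, sgt, source = stripped.split()[:3]
        bindings[ipaddress.ip_address(ip)] = (int(sgt), source)
    return bindings


def sgt_for(bindings, ip):
    """Look up one host; None when the ASA holds no binding for it."""
    return bindings.get(ipaddress.ip_address(ip))


def hosts_with_sgt(bindings, sgt):
    """All hosts currently carrying a given tag, as dotted strings in address order."""
    return sorted((str(ip) for ip, (tag, _) in bindings.items() if tag == sgt),
                  key=ipaddress.ip_address)


def diff_against_expected(bindings, expected):
    """Compare the live table with the tags you expect (expected: {ip_string: sgt}).

    Returns (ip, expected_sgt, actual_sgt) for every host whose binding differs;
    actual_sgt is None when the ASA has no binding for that host at all.
    """
    drift = []
    for ip, want in expected.items():
        hit = sgt_for(bindings, ip)
        have = hit[0] if hit else None
        if have != want:
            drift.append((ip, want, have))
    return sorted(drift, key=lambda d: ipaddress.ip_address(d[0]))


if __name__ == "__main__":
    bindings = parse_sgt_map(SAMPLE_SGT_MAP)
    print("10.10.15.11 ->", sgt_for(bindings, "10.10.15.11"))
    print("hosts with SGT 22:", hosts_with_sgt(bindings, 22))
    # Assumed expectation map for the demo; in practice this comes from your ISE policy.
    for ip, want, have in diff_against_expected(bindings, {"10.10.1.10": 11, "10.10.15.11": 12}):
        print(f"drift: {ip} expected SGT {want}, ASA has {have}")
```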
11. View detailed information about a remote access VPN user, such as the OS and AnyConnect client version
Note - You can remove the filter to view the entire output; with it, only the lines containing "Client" are shown, one block per sub-tunnel (parent, SSL, DTLS).
ASA# show vpn-sessiondb detail anyconnect filter name user1 | incl Client
Client OS : mac-intel
Client OS Ver: 10.13.6
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Mac OS X 4.7.04056
Client OS : Mac OS X
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Mac OS X 4.7.04056
Client OS : Mac OS X
Client Type : DTLS VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Mac OS X 4.7.04056
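Items 3 and 11 both read show vpn-sessiondb output by eye. The following Python script is an added example, not part of the original post and not a Cisco tool: it parses one session's output into a dictionary (handling the two label/value pairs the ASA prints on some lines and the Client labels that repeat once per sub-tunnel), splits the per-tunnel Encryption/Hashing values, and audits the session for a weak integrity algorithm on a data tunnel and for a client older than a baseline version. The sample is constructed by joining the item 3 output with the Client lines from item 11; the baseline version (4.8.0) is an assumed policy value for the example, not a Cisco recommendation, and the label list and finding codes are the script's own.

```python
import re
from collections import defaultdict

# Constructed sample: the item 3 output joined with the 'Client' lines from item 11.
SAMPLE_SESSION = """\
Session Type: AnyConnect

Username : user1 Index : 6787
Assigned IP : 10.10.1.10 Public IP : 1.1.1.1
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Essentials
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES256 DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA256 DTLS-Tunnel: (1)SHA1
Bytes Tx : 3894551326 Bytes Rx : 1305056771
Group Policy : GRP-POLICY Tunnel Group : RA-VPN
Login Time : 16:50:12 BST Tue May 7 2020
Duration : 0d 8h:26m:44s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 00000000019e9025eb16f50
Security Grp : 10:Sales
Client OS : mac-intel
Client OS Ver: 10.13.6
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Mac OS X 4.7.04056
Client OS : Mac OS X
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Mac OS X 4.7.04056
Client OS : Mac OS X
Client Type : DTLS VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Mac OS X 4.7.04056
"""

# Labels as printed by 'show vpn-sessiondb [detail] anyconnect'. Matched longest-first
# so that 'Client OS Ver' is not read as 'Client OS' and 'VLAN Mapping' not as 'VLAN'.
FIELDS = [
    "Session Type", "Username", "Index", "Assigned IP", "Public IP", "Protocol",
    "License", "Encryption", "Hashing", "Bytes Tx", "Bytes Rx", "Group Policy",
    "Tunnel Group", "Login Time", "Duration", "Inactivity", "VLAN Mapping", "VLAN",
    "Audt Sess ID", "Security Grp", "Client OS Ver", "Client OS", "Client Type", "Client Ver",
]
_FIELD_RE = re.compile(
    r"\b(" + "|".join(re.escape(f) for f in sorted(FIELDS, key=len, reverse=True)) + r")\s*:\s*")


def parse_session(text):
    """Return {label: [values...]} for one session's output.

    Some lines carry two label/value pairs and the Client labels repeat per
    sub-tunnel, so every label maps to a list of values in output order.
    """
    session = defaultdict(list)
    for line in text.splitlines():
        parts = _FIELD_RE.split(line)  # ['', label, value, label, value, ...]
        for label, value in zip(parts[1::2], parts[2::2]):
            session[label].append(value.strip())
    return dict(session)


def parse_sub_tunnels(value):
    """'AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES256' -> {'AnyConnect-Parent': 'none', ...}"""
    return {m.group(1): m.group(2) for m in re.finditer(r"(\S+):\s*\(\d+\)(\S+)", value)}


def client_version(client_ver):
    """'Cisco AnyConnect VPN Agent for Mac OS X 4.7.04056' -> (4, 7, 4056); () if absent."""
    m = re.search(r"(\d+(?:\.\d+)+)\s*$", client_ver)
    return tuple(int(p) for p in m.group(1).split(".")) if m else ()


WEAK_HASHES = {"NONE", "MD5", "SHA1"}


def audit_session(session, min_client=(4, 8, 0)):
    """Flag weak integrity algorithms on data tunnels and clients below a baseline version.

    The parent session legitimately shows 'none', so it is skipped. min_client is an
    assumed policy value for this example.
    """
    findings = []
    for tunnel, algo in parse_sub_tunnels(session.get("Hashing", [""])[0]).items():
        if tunnel != "AnyConnect-Parent" and algo.upper() in WEAK_HASHES:
            findings.append(("WEAK_HASH", f"{tunnel} uses {algo}"))
    user = session.get("Username", ["?"])[0]
    for ver in sorted(set(session.get("Client Ver", []))):
        if client_version(ver) < min_client:
            findings.append(("OLD_CLIENT", f"{user} runs '{ver}'"))
    return findings


if __name__ == "__main__":
    s = parse_session(SAMPLE_SESSION)
    print(s["Username"][0], "from", s["Public IP"][0], "on", s["Client OS"][0], s["Client OS Ver"][0])
    for code, detail in audit_session(s):
        print(f"{code}: {detail}")
```

To audit every connected user, capture show vpn-sessiondb detail anyconnect without the filter, split the text on the "Session Type:" lines and run parse_session and audit_session on each block.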
Thanks for reading
As always, your feedback and comments are more than welcome.