Cisco Troubleshooting commands

Switch troubleshooting:


clear mac address-table dynamic – flushes the dynamically learnt entries; helps determine whether a previously learnt MAC address is relearnt (and on which port)
show mac address-table
show vlan
show interfaces trunk
show interfaces switchport – summary of the Layer 2 configuration of a port (mode, access/native VLAN, trunking state)
traceroute mac source-mac destination-mac – uses CDP to list the switches transited by traffic travelling from the source to the destination MAC (both addresses must already be in the MAC address table)
show interfaces status – link status of the switch ports: VLAN, duplex, speed, description, port type
show interfaces stats – per-interface packet counts by switching path
 
show interfaces interface-id counters – number of input and output unicast, multicast and broadcast packets
show interfaces interface-id counters errors – number of interface errors (FCS/alignment errors, collisions, runts, giants)

show ip cef – the router's Layer 3 forwarding table (FIB), including the multicast, broadcast and local (receive) entries
show adjacency – verifies that valid adjacencies exist (the Layer 3 to Layer 2 rewrite entries CEF uses)
 
Multilayer (Catalyst) switch forwarding check, in order:
show platform
show mls cef
show ip route ip-address
show ip arp ip-address
show interfaces vlan vlan-id
show ip cef ip-address
show adjacency interface-id detail
show platform forward
 
 
show ip route ip-address – is it a routing problem?
show ip arp next-hop-address – if the entry is missing or incomplete, either the next hop/destination is down or there is a Layer 2 problem

show ip cef dest-ip-address
show adjacency [ip-address] [detail] – "detail" shows the frame rewrite information (the complete Ethernet header)
show ip cef adjacency ………
show platform forward ingress-if ingress-vlan source-mac dest-mac protocol-type source-ip dest-ip type-protocol [ICMP-type and code] – simulates the hardware forwarding decision for that packet
show cef not-cef-switched – per-interface counts of packets that could not be CEF switched, broken down by reason (no adjacency, no encapsulation, unsupported, redirect, receive, options, access, fragmentation)
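The Layer 3 to Layer 2 check above (show ip arp, then show mac address-table) is usually done by eye; the following added Python example, not part of the original cheat sheet, joins the two tables and flags the conditions the commands are used to spot: an Incomplete ARP entry, a resolved MAC that the switch has not learnt, and a MAC learnt on several ports. The sample output is constructed to match the IOS column layout, not captured from a device; the regular expressions assume that layout, and hostnames, addresses and ports are invented.

```python
import re
from collections import defaultdict

# Constructed sample output (not captured from a real device), in the column
# layout that "show ip arp" and "show mac address-table" use on IOS.
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.10.1               -   0000.0c9f.f001  ARPA   Vlan10
Internet  10.1.10.20              5   0011.2233.4455  ARPA   Vlan10
Internet  10.1.10.21              0   Incomplete      ARPA
Internet  10.1.10.22             12   0011.2233.4466  ARPA   Vlan10
Internet  10.1.10.23              3   0011.2233.4477  ARPA   Vlan10
"""

SHOW_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0000.0c9f.f001    STATIC      CPU
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4466    DYNAMIC     Gi1/0/2
  10    0011.2233.4466    DYNAMIC     Gi1/0/7
Total Mac Addresses for this criterion: 4
"""

# Assumed IOS layout: "Internet <ip> <age> <mac|Incomplete> ARPA [<interface>]"
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+(\S+)\s+(\S+)\s+ARPA(?:\s+(\S+))?\s*$")
# Assumed IOS layout: "<vlan> <xxxx.xxxx.xxxx> <DYNAMIC|STATIC> <port>"
MAC_RE = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)


def parse_arp(text):
    """Return ({ip: mac} for resolved entries, [ips whose entry is Incomplete])."""
    resolved, incomplete = {}, []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if not m:
            continue
        ip, _age, hw, _iface = m.groups()
        if hw.lower() == "incomplete":
            incomplete.append(ip)
        else:
            resolved[ip] = hw.lower()
    return resolved, incomplete


def parse_mac_table(text):
    """Return {mac: set of ports} from "show mac address-table" output."""
    ports = defaultdict(set)
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            _vlan, mac, _kind, port = m.groups()
            ports[mac.lower()].add(port)
    return ports


def ip_to_ports(arp_text, mac_text):
    """Join the two tables into {ip: sorted list of switch ports the MAC was learnt on}."""
    resolved, _ = parse_arp(arp_text)
    mac_ports = parse_mac_table(mac_text)
    return {ip: sorted(mac_ports.get(mac, ())) for ip, mac in resolved.items()}


def findings(arp_text, mac_text):
    """Flag the three conditions the commands above are used to spot."""
    _, incomplete = parse_arp(arp_text)
    out = [f"{ip}: ARP incomplete (host down or no Layer 2 path)" for ip in incomplete]
    for ip, ports in ip_to_ports(arp_text, mac_text).items():
        if not ports:
            out.append(f"{ip}: ARP resolved but MAC absent from the switch table (aged out or not relearnt)")
        elif len(ports) > 1:
            out.append(f"{ip}: MAC learnt on several ports {ports} (flapping link, loop or duplicated MAC)")
    return out


if __name__ == "__main__":
    for line in findings(SHOW_IP_ARP, SHOW_MAC_TABLE):
        print(line)
```

Feed it the real output of the two commands (one router or SVI for the ARP table, the access switch for the MAC table) and the third finding is the one to look at after a clear mac address-table dynamic: a MAC that keeps coming back on two ports is the relearning problem the first command in this list is meant to expose.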
 
 
 
Routing
 
show ip route ip-address
show ip route ip-address network-mask
show ip route ip-address network-mask longer-prefixes
show ip cef ip-address – searches the FIB for the route
show ip cef ip-address network-mask
show ip cef exact-route source destination – the exact adjacency that will be used to forward packets with that source and destination address. Useful when the RIB and FIB contain two or more equal-cost routes for a prefix and you need to know which one a given flow takes, e.g. show ip cef exact-route 50.50.50.2 192.168.20.1 internal
show adjacency detail – the full frame header that will be used to encapsulate the packet. If the correct route is in the routing table but packets do not arrive at the destination, check the Layer 3 to Layer 2 mapping here.
 
 
 
OSPF
 
show ip ospf – information about the OSPF process and area configuration
show ip ospf interface [brief] – all interfaces that have an IP address covered by one of the network statements under the OSPF process (or an ip ospf area command)
show ip ospf neighbor – all discovered neighbours and their adjacency state
show ip ospf database – contents of the LSA database
show ip ospf statistics – when and how often the SPF algorithm has been executed. Helpful when diagnosing routing instability
show ip route profile – the frequency of routing table changes, sampled in 5-second intervals

debug ip routing – any change to the routing table, such as installing or removing a route. Useful for troubleshooting routing protocol instability
debug ip ospf packet – verifies that hellos are sent and received as expected
debug ip ospf events – reception and transmission of hellos, establishing adjacencies, reception and transmission of LSAs
debug ip ospf adj – the adjacency-building process and neighbour relationship transitions from one state to another
debug ip ospf monitor – shows when the SPF algorithm is scheduled to run and a summary of the results after it has completed. It can show which LSA triggered the SPF, e.g. a flapping link


 
 
BGP



 
show ip bgp summary – router ID and AS number, statistics and memory usage of the BGP process, and an overview of the configured neighbours with their state (a number in the State/PfxRcd column means Established and is the prefix count; Idle or Active means the session is not up)
show ip bgp neighbors [ip-address] – detailed information about all (or one) neighbours
show ip bgp [network [mask]] – the contents of the BGP table, with paths and attributes
show ip bgp neighbors ip-address routes – all routes received from the neighbour that were accepted by the inbound policy
show ip bgp neighbors ip-address advertised-routes – all routes advertised to the neighbour
show ip bgp regexp regular-expression – all routes whose AS path matches the expression
show ip bgp rib-failure – BGP routes that have not been installed in the routing table, with the reason (typically a better administrative distance from another protocol)

clear ip bgp {* | neighbor-address | peer-group-name} [soft [in | out]] – use soft where possible; a hard clear tears the session down and withdraws all prefixes

debug ip bgp – BGP events, mainly establishing peer relationships. Does not display the content of BGP updates and is relatively safe to use
debug ip bgp updates – transmission and reception of BGP updates. Can produce a very large amount of output and can overload the router
debug ip bgp ip-address updates access-list – limits the update debug to one neighbour and to the prefixes matched by the access list
debug ip tcp transactions – TCP connection set-up and teardown; useful when the BGP session (TCP port 179) does not come up
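The first thing read off show ip bgp summary is which peers are not Established and which are up but carrying nothing. As an added example (not from the original cheat sheet), the Python below parses that output and lists the peers worth investigating before any clear ip bgp is issued. The sample output is constructed in the IOS layout, not taken from a real router; the addresses, AS numbers and the column regular expression are assumptions.

```python
import re

# Constructed sample (not from a real router) in the layout of "show ip bgp summary".
SHOW_IP_BGP_SUMMARY = """\
BGP router identifier 192.0.2.1, local AS number 65001
BGP table version is 42, main routing table version 42
12 network entries using 1728 bytes of memory

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.0.2.2       4        65002     120     118       42    0    0 01:55:10       12
192.0.2.3       4        65003       0       0        1    0    0 never    Active
192.0.2.4       4        65001      55      57       42    0    0 00:20:01        0
198.51.100.9    4        65009      10       9       42    0   35 00:03:12 Idle (Admin)
"""

LOCAL_AS_RE = re.compile(r"local AS number (\d+)")
# Assumed column order: Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
PEER_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+(\d)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$")


def parse_bgp_summary(text):
    """Return (local_as, [peer dicts]). A numeric State/PfxRcd column means the
    session is Established and gives the prefix count; anything else is the FSM state."""
    m = LOCAL_AS_RE.search(text)
    local_as = int(m.group(1)) if m else None
    peers = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if not m:
            continue
        nbr, _ver, asn, _rcvd, _sent, _tbl, _inq, outq, updown, state = m.groups()
        established = state.isdigit()
        peers.append({
            "neighbor": nbr, "as": int(asn), "ibgp": int(asn) == local_as,
            "outq": int(outq), "up_down": updown, "established": established,
            "prefixes": int(state) if established else None,
            "state": "Established" if established else state,
        })
    return local_as, peers


def bgp_problems(text):
    """The checks worth running before reaching for clear ip bgp."""
    _, peers = parse_bgp_summary(text)
    out = []
    for p in peers:
        kind = "iBGP" if p["ibgp"] else "eBGP"
        tag = f'{p["neighbor"]} ({kind} AS {p["as"]})'
        if not p["established"]:
            out.append(f'{tag}: {p["state"]} since {p["up_down"]}')
        elif p["prefixes"] == 0:
            out.append(f"{tag}: Established but 0 prefixes received, check inbound policy")
        if p["outq"] > 0:
            out.append(f'{tag}: OutQ {p["outq"]}, updates not draining to the peer')
    return out


if __name__ == "__main__":
    for line in bgp_problems(SHOW_IP_BGP_SUMMARY):
        print(line)
```

A peer reported Established with 0 prefixes is the case for show ip bgp neighbors ip-address routes and show ip bgp rib-failure; a non-zero OutQ on a session that is not Established points at the TCP side, which is what debug ip tcp transactions is for.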
 
 
NAT
 
clear ip nat translation {* | inside global-ip local-ip | outside local-ip global-ip} – specify which translations to clear; clearing them all (*) drops every active translated session
show ip nat translations [verbose]
show ip nat statistics [verbose]

debug ip nat – information about each packet that the router translates
debug ip nat detailed – also displays information about certain error and failure conditions
debug ip packet [access-list] – always restrict it with an access list; unrestricted, it logs every process-switched packet
debug condition interface interface-id – limits debug output to packets entering or leaving the router on the specified interface
 
 
 
IP NetFlow
 
(config-if)#ip flow ingress
(config)#ip flow-export version version-no
(config)#ip flow-export destination ip-address udp-port

or, on older IOS

(config-if)#ip route-cache flow

show ip cache flow – the active flows in the cache (top talkers, protocol distribution)
show ip flow export – export destination, version and packet/error counters
show ip flow interface – on which interfaces NetFlow is enabled

debug ip flow export
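What the collector receives from ip flow-export is a binary datagram, and for incident response it is worth being able to decode one without a full collector. The following added Python example, not from the original cheat sheet, builds a NetFlow version 5 export datagram from constructed flows, decodes it with the documented v5 header and record layout, and runs one simple detection over the records: a source sending single-packet SYN-only flows to many destination ports. The addresses, the flows and the port threshold are invented for the example; the struct layouts are the standard v5 ones.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire format: a 24-byte header followed by up to 30 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")               # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, ifIn, ifOut, pkts, octets, first, last, ...

TCP_SYN = 0x02


def build_v5_packet(flows, uptime=60_000, unix_secs=1_700_000_000, seq=0):
    """Encode flows as one NetFlow v5 export datagram. Used here only to construct
    sample input; in practice the exporter is the router configured with ip flow-export.
    Each flow is (src, dst, sport, dport, proto, packets, octets, tcp_flags)."""
    header = V5_HEADER.pack(5, len(flows), uptime, unix_secs, 0, seq, 0, 0, 0)
    records = b"".join(
        V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0\0\0\0",
                       1, 2,                                # input / output SNMP ifIndex
                       pkts, octets, uptime - 500, uptime,  # counters, first/last seen (sysUptime ms)
                       sport, dport, 0, flags, proto, 0,    # ports, pad, TCP flags, protocol, ToS
                       0, 0, 24, 24, 0)                     # src/dst AS, src/dst mask, pad
        for src, dst, sport, dport, proto, pkts, octets, flags in flows)
    return header + records


def parse_v5(datagram):
    """Decode a NetFlow v5 datagram into a list of flow dicts. Checks the version
    and that the count field does not claim more records than bytes present."""
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field {version})")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated export: count field claims more records than present")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "pkts": f[5], "octets": f[6], "sport": f[9], "dport": f[10],
                      "flags": f[12], "proto": f[13]})
    return flows


def syn_scanners(flows, min_ports=10):
    """Sources whose short TCP flows carry only SYN and touch many distinct
    destination ports: the usual vertical port-scan signature in flow records."""
    ports = defaultdict(set)
    for fl in flows:
        if fl["proto"] == 6 and fl["flags"] == TCP_SYN and fl["pkts"] <= 2:
            ports[fl["src"]].add(fl["dport"])
    return {src: len(p) for src, p in ports.items() if len(p) >= min_ports}


# Constructed sample: one normal SSH session plus 15 single-SYN probes from another host.
SAMPLE_EXPORT = build_v5_packet(
    [("10.1.10.20", "192.0.2.10", 51234, 22, 6, 40, 5800, 0x1b)]
    + [("10.1.10.40", "192.0.2.10", 40000 + p, p, 6, 1, 44, TCP_SYN) for p in range(1, 16)]
)

if __name__ == "__main__":
    print(syn_scanners(parse_v5(SAMPLE_EXPORT)))
```

The same parse_v5 function can be pointed at datagrams read from a UDP socket bound to the port given in ip flow-export destination; the length check matters there because a sampled or truncated export will otherwise raise a struct error deep inside the loop instead of a readable message.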
 
 
IPSec VPN

show crypto isakmp sa – phase 1 (IKE) SAs; QM_IDLE means phase 1 completed
show crypto ipsec sa – phase 2 SAs, with encrypt/decrypt and error counters per peer
show crypto engine connections active – shows each phase 2 SA built and the amount of traffic sent. Since phase 2 SAs are unidirectional, each SA shows traffic in only one direction (encryptions are outbound, decryptions are inbound)
show crypto map

show crypto session [remote x.x.x.x] [detail] – the single most useful summary: IKE and IPsec SA status per peer

To restrict debug output to a particular peer:
debug crypto condition peer ipv4 x.x.x.x
(show crypto debug-condition lists the active filters; debug crypto condition reset clears them)

debug crypto isakmp
debug crypto ipsec

show interfaces tunnel number
debug tunnel




PIX/ASA troubleshooting

show xlate [detail | debug] – the NAT translation slots
show local-host [ip_address] [brief | detail | all] – per host: its translations and the connections to, from and through the ASA; clear local-host ip_address tears them all down
show conn [detail] – the connection table (TCP/UDP sessions through the firewall) with per-connection flags


 
 




Others

terminal monitor – send debug and syslog messages to the current vty session (SSH or Telnet); terminal no monitor stops them
show debugging – lists the debugs currently enabled; undebug all turns them all off
debug ip icmp – ICMP packets sent and received by the router


Security

ACLs and NAT on IOS routers: an inbound ACL is evaluated before NAT, so it sees the addresses as they arrive on the interface; an outbound ACL is evaluated after NAT, so it sees the translated addresses. On the ASA from 8.3 onward, ACLs always reference the real (untranslated) addresses; on PIX and ASA before 8.3, an ACL applied on the lower-security interface had to reference the translated (mapped) address.
On ASA devices: by default, traffic from a higher-security interface to a lower-security interface is permitted, and traffic from lower to higher is denied unless an ACL on the lower-security interface explicitly permits it. Return traffic of an existing connection is allowed by the stateful inspection in either direction.

Packet processing order on a Cisco ASA (simplified):
RoutingTable-> ACL_in-> NAT-> VPN-> QoS-> ACL_out
A packet that matches an existing entry in the connection table (show conn) skips the ACL check, which is why an ACL change does not affect established sessions until they are cleared (clear conn).
 
 
 