🧰 Cisco ASA Troubleshooting Commands

📘 Overview

These commands help troubleshoot system health, VPN (IPsec and AnyConnect), NAT/ACL issues, performance, and high availability on a Cisco ASA firewall.

All examples are sanitized — replace IPs and hostnames with environment-specific values.

🔹 1. Basic System Health

Command	Description
`show version`	Displays ASA software version, license, and uptime.
`show firewall`	Shows ASA operational mode and state.
`show clock`	Displays system date/time (check for NTP sync).
`show cpu usage`	Shows CPU utilization summary.
`show memory`	Displays memory usage.
`show processes cpu-usage sorted`	Lists processes by CPU usage.
`show processes memory`	Lists processes by memory use.
`show perfmon`	Provides performance metrics (throughput, connections).
`show service-policy`	Displays service-policy statistics and inspections.

Tips & Best Practices

Ensure NTP is configured; time mismatches break VPN/cert validation.
Monitor CPU/memory during high load or VPN tunnel spikes.
Use show perfmon to identify packet drops or throughput bottlenecks.

🔹 2. Interface, Routing & Traffic Troubleshooting

Command	Description
`show interface ip brief`	Summarizes interface names, IPs, and link status.
`show interface <name>`	Displays detailed interface statistics.
`show nameif`	Lists security levels and logical interface names.
`show run interface`	Displays interface configuration.
`show arp`	Displays current ARP table.
`show route`	Displays routing table (static and dynamic).
`show conn`	Displays all active connections.
`show conn long address <ip>`	Filters connections for a specific host.
`packet-tracer input <iface> <proto> <src-ip> <src-port> <dst-ip> <dst-port>`	Simulates packet flow through NAT, ACL, and routing logic.

Example

packet-tracer input inside tcp 10.10.10.10 25000 8.8.8.8 443

Purpose Validate path, NAT, and ACL decisions without sending real traffic.

🔹 3. NAT, ACL, and Object Verification

Command	Description
`show run nat`	Displays all NAT rules in order.
`show xlate`	Shows current translation entries.
`show access-list`	Displays access-lists with hit counts.
`show access-group`	Lists ACLs applied to interfaces.
`show run object`	Displays network/service object definitions.
`show run object-group`	Displays object-group contents.

Tip: Use | include <ip> to quickly locate NAT or ACL entries.

🔹 4. VPN Troubleshooting (Site-to-Site & Remote Access)

🟩 4.1 Site-to-Site / IPsec VPN

Command	Description
`show crypto ikev1 sa`	Displays IKEv1 Phase 1 Security Associations.
`show crypto ikev2 sa`	Displays IKEv2 Phase 1 Security Associations.
`show crypto ipsec sa`	Displays IPsec Phase 2 tunnels and counters.
`show crypto ipsec stats`	Displays IPsec traffic statistics.
`show run crypto ikev2`	Displays configured IKEv2 policies.
`show run crypto map`	Displays crypto map assignments and peers.

Phase State Indicators

State	Meaning
`MM_ACTIVE`	IKEv1 Phase 1 completed successfully.
`QM_IDLE`	IKEv2 Phase 2 completed.
`AM_ACTIVE`	Aggressive Mode negotiation complete.

Common Issues

Symptom	Likely Cause	Resolution
Tunnel stuck at `MM_WAIT_MSG4`	PSK or crypto mismatch	Verify PSK and IKE policy parameters.
Tunnel up but no traffic	ACL mismatch or missing NAT exemption	Match subnets correctly, exempt VPN traffic.
One-way traffic	Routing or NAT issue	Check route back to VPN pool, disable double NAT.
Frequent disconnects	DPD or rekey timers	Align lifetimes and keepalive intervals.

Debug & Clear Commands

debug crypto ikev1
debug crypto ikev2 protocol 127
debug crypto ipsec
clear crypto isakmp sa
clear crypto ipsec sa peer <peer-ip>

🟦 4.2 Remote Access (AnyConnect VPN)

Command	Description
`show vpn-sessiondb anyconnect`	Displays active AnyConnect sessions.
`show vpn-sessiondb detail anyconnect filter name <username>`	Shows detailed session info (IP, OS, client version).
`show crypto ca certificates`	Displays installed SSL certificates.
`debug dap trace 255`	Enables Dynamic Access Policy debugging.
`show access-list DAP-ip-user-<session-id>`	Displays final ACL applied to user session.

Common AnyConnect Issues

Problem	Root Cause	Resolution
Connection fails	Invalid certificate or license exhaustion	Validate cert chain and license usage.
Connected, but no access	Split-tunnel or NAT configuration	Ensure proper routes and NAT exemptions.
No Internet after VPN connect	“Tunnel-all” mode active	Allow local LAN access or push DNS/gateway route.
Session drops frequently	MTU or timeout	Lower MTU (1350–1400), adjust idle timers.
Login failure	AAA or SAML mismatch	Verify RADIUS/LDAP/SAML configuration.

🟨 4.3 AnyConnect Client-Side Troubleshooting

Check	Purpose
Confirm version compatibility	Client version must match ASA compatibility.
Use DART tool	Collect diagnostic logs from AnyConnect client.
Check Windows Event Viewer	Look under “Cisco AnyConnect Secure Mobility Client.”

Common Client Errors

Error	Cause	Resolution
“Unable to establish VPN”	SSL/TLS or cert mismatch	Verify ASA cert trust chain.
“Login failed”	Incorrect AAA/SAML attributes	Check AAA server or IDP logs.
“Connection terminated”	Fragmentation or NAT timeout	Lower MTU or adjust NAT timeouts.
“No Internet after connect”	Split-tunnel config	Update split-tunnel ACL/policy.

Useful Cisco References

🔹 5. Logging & Packet Capture

Command	Description
`logging enable`	Enables syslog.
`logging timestamp`	Adds timestamps to logs.
`logging host <interface> <syslog-ip>`	Sends logs to syslog server.
`logging trap errors`	Sets log level to “errors.”
`show logging`	Displays log buffer.
`show run logging`	Displays current logging configuration.

Packet Capture

Command	Description
`capture cap1 interface inside match ip any host <ip>`	Captures packets for a specific host.
`show capture cap1`	Displays capture buffer.
`copy /pcap capture:cap1 tftp:`	Exports capture in `.pcap` format.
`capture cap1 packet-length 1600 match tcp any any eq 443`	Captures payloads for HTTPS.

🔹 6. High Availability (Failover)

Command	Description
`show failover`	Displays failover role (Active/Standby).
`show failover history`	Shows failover events.
`show failover state`	Displays state synchronization status.
`show failover statistics`	Displays failover counters.
`show run all failover`	Displays complete failover configuration.

Notes

Ensure identical versions and licenses on both peers.
Sync NAT, ACL, and VPN configs.
Use failover exec mate for remote file transfer or upgrades.

🔹 7. Performance Monitoring

Command	Description
`show perfmon`	Monitors throughput and connection rate.
`show service-policy`	Monitors L7 policy hits.
`show processes cpu-usage sorted`	Displays CPU-hungry processes.

Best Practices

Avoid long-running debug sessions.
Monitor “block pools” (esp. 256-byte).
Track session table capacity under show perfmon.

🔹 8. Backup & Restore

Command	Description
`copy running-config tftp:`	Saves current config to TFTP server.
`copy tftp: running-config`	Restores config from backup.
`more system:running-config`	Displays full decrypted configuration.

⚙️ 9. Common Troubleshooting Scenarios

🟥 Scenario 1 – VPN Tunnel Down

Symptoms: MM_WAIT_MSG4 or “no proposal chosen.”
Steps:

show crypto ikev2 sa
show crypto ipsec sa
debug crypto ikev2 protocol 127
Verify PSK, policy, and ACLs.

🟨 Scenario 2 – AnyConnect Users Cannot Access Internal Servers

Symptoms: Users connect but cannot reach apps.
Steps:

show vpn-sessiondb anyconnect
show route (check return path)
show xlate (verify NAT exemption)
Review ACLs and split-tunnel list.

🟦 Scenario 3 – High CPU or Memory Usage

Symptoms: ASA sluggish, dropped VPNs.
Steps:

show processes cpu-usage sorted
show memory
show perfmon
Review logging volume (disable debug).

🟩 Scenario 4 – Packet Drop or Inspection Error

Symptoms: Users experience slow or intermittent access.
Steps:

show service-policy
show asp drop frame
show asp drop flow
Disable inspection for the affected protocol temporarily.

🟧 Scenario 5 – Failover Flapping

Symptoms: Active/Standby toggles repeatedly.
Steps:

show failover history
show failover statistics
Check interfaces for link failures or HA heartbeat loss.
Ensure failover link has consistent speed/duplex.

📘 ASA