debug commands

Before getting into the discussion of any debug command, you should understand how a packet flows through the router when CBAC is configured. Figure 5-5 shows the flow chart of the packet flow with CBAC configured.

Figure 5-5. Packet Flow Across a Router with CBAC Configuration


Following is a brief description of the packet flow shown in Figure 5-5 when CBAC is configured.

1. The packet arrives on the input interface.

2. If it is an IPsec packet, the encrypted packet first goes through IDS checking for atomic signatures on the input interface. The authentication proxy is not invoked for an IPsec packet, but the inbound ACL of the input interface is applied to it. IPsec then decrypts the packet, and the decrypted packet is placed back in the input queue.

3. The decrypted packet goes through IDS checking for atomic signatures on the input interface.

4. Authentication proxy processing starts here.

5. The inbound ACL of the input interface is applied. If the packet is a decrypted IPsec packet and the router is running Cisco IOS Software Release 12.3(8)T or later, the ACL check is skipped at this stage (the ACL was already applied to the encrypted packet in step 2). Otherwise, the ACL is evaluated again here.

6. Inbound NAT is applied.

7. Routing occurs.

8. Outbound NAT is applied.

9. IDS checking for atomic signatures occurs on the output interface.

10. The outbound ACL of the output interface is applied.

11. Firewall (CBAC) processing occurs.

12. IDS checking for composite signatures occurs.

13. If IPsec is required, IPsec encrypts the packet.

14. The packet leaves through the output interface.

An important point to note is that the preceding flow applies in both the inbound and outbound directions, on both the outside and inside interfaces.

The debug commands show the details of the sequence of events discussed in the preceding section. The most frequently used debug commands are:

  • debug ip inspect object-creation

  • debug ip inspect object-deletion

  • debug ip inspect events

  • debug ip inspect tcp

  • debug ip inspect application-protocol (for example, debug ip inspect ftp or debug ip inspect http)

The first three commands are used together with one of the last two, depending on what is being inspected. If an Application layer protocol is inspected, use debug ip inspect with that protocol name; otherwise, use debug ip inspect tcp.
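To tie the packet flow above to the debug commands, here is an added configuration and troubleshooting session. It is not from the book (Example 5-14 is the book's own sample output) and it assumes an inside interface FastEthernet0/0 on 10.1.1.0/24, an outside interface FastEthernet0/1 on 192.0.2.0/24, and an inspection rule named CBAC; those names and addresses are placeholders.

```ios
! Added example, not from the book. Interface names, addresses and the
! rule name CBAC are assumed placeholders.
!
! --- Configuration mode ---
! Inspection rule: generic TCP and UDP sessions plus FTP, so that the
! FTP data channel is opened dynamically (Application layer inspection)
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC ftp
!
! Log session creation and deletion through syslog without running debug
ip inspect audit-trail
!
! Inbound ACL on the outside interface (step 5 in the flow). Return
! traffic gets through only via the dynamic entries CBAC inserts ahead
! of these lines; everything else is dropped and logged here.
access-list 101 permit icmp any any echo-reply
access-list 101 deny   ip any any log
!
interface FastEthernet0/0
 description inside
 ip address 10.1.1.1 255.255.255.0
 ! Inspect sessions initiated from the inside (firewall processing,
 ! step 11); CBAC then opens holes in ACL 101 for the return traffic
 ip inspect CBAC in
!
interface FastEthernet0/1
 description outside
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
!
! --- Privileged EXEC mode: troubleshooting session ---
! Verify the rule and where it is applied before touching debug
Router# show ip inspect config
Router# show ip inspect interfaces
!
! Enable the three generic debugs plus the transport or application
! debug that matches the failing session
Router# debug ip inspect object-creation
Router# debug ip inspect object-deletion
Router# debug ip inspect events
Router# debug ip inspect tcp
! For an FTP problem, use the application debug instead of tcp
! Router# debug ip inspect ftp
!
! Reproduce the failing connection from an inside host, then look at
! the session table and at the ACL the dynamic entries are added to
Router# show ip inspect sessions detail
Router# show ip access-lists 101
!
! Always turn debugging off when done
Router# undebug all
```

The packet-level debugs (debug ip inspect tcp and the application-protocol variants) emit a line for every inspected packet, so on a production router start with ip inspect audit-trail and the show commands, enable the debugs only for the duration of the test, and turn them off immediately afterwards.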

Example 5-14 shows sample output of debug ip inspect object-creation, debug ip inspect object-deletion, and debug ip inspect events. This information is extremely important when you are troubleshooting any CBAC issue.