Diagnostic Commands and Tools
The importance of the show commands cannot be overemphasized for troubleshooting FWSM. Under some rare circumstances, you may need to run the debug commands. Details about the show and debug commands are discussed in the following sections.
Show Commands
show commands on both the switch side and the FWSM side are important for diagnosing problems with FWSM. Because the FWSM is a multiprocessor system, much of its information cannot be viewed on the Control Plane; it can be viewed and interpreted only with show commands. This section shows you how to use some of the show commands on switches and on the FWSM.
show Commands on the Switch
The following list summarizes the use of show commands on a switch:
- show command for module installation verification
show module
This command verifies the installation of the FWSM module on the switch. It shows whether the module is coming online and reports its status. It is an important first command for diagnosing any hardware-related issue with the FWSM blade. It also shows the slot number, which can be used to session into the blade.
- show command for firewall VLAN mappings verification on the switch
show firewall
Use this command, with additional arguments, to find the VLAN mappings that are configured on the switch for the firewall modules so that the VLANs can be downloaded and used by the FWSM. Example 4-3 shows the VLAN mappings in Native IOS.
Example 4-3. Using the show firewall Command Efficiently
! To Verify the VLAN groups configured in the RP
show Commands on the FWSM
There are several important show commands available on the FWSM to verify the configuration and statistics of different components and the features of the FWSM. The following list contains some of those commands:
- show command for VLAN download verification on the FWSM
The show vlan command is used on the FWSM side to find out whether, and which, VLANs are downloaded to the module from the switch. If the VLAN mappings from the switch to the FWSM are functioning correctly, the output shown in Example 4-4 should be the same as the information reported on the switch in Example 4-3.
Example 4-4. VLANs Downloaded to the FWSM From the Switch
FWSM# show vlan
10, 100,
FWSM#
- show command for statistics on different NPs
The show np[#] stats command is by far the most important debug command to troubleshoot issues on the NPs. The NP1 and NP2 are fast paths, and NP3 is the Session Management Path.
- show commands to find out ACL limitations in NP3
Different ACLs have different maximum size limitations in the NP. To view the ACL limits, use the following commands:
show np 3 acl stats
show np 3 acl count
show np 3 acl tree
- show commands for connections
Connections are distributed into different Network Processors on FWSM. To find the details of the connections, execute the following command:
show conn long x
The "x" parameter specifies the amount of connection information to display. The only meaningful values are "0" (default), "1", "2", and "3"; a value greater than "3" gives the same amount of information as "3". Therefore, this is the command you will commonly use:
show conn long 3
To find information about the connections that are made up to the CP complex, execute the following command:
show pc conn
- show commands for checking the Gigabit Ethernet Port Statistics on the CP
Two Gigabit Ethernet ports (ports 3 and 4 of NP3 processors) are connected to the CP. This information, and additional statistics, can be verified with the following command:
show nic
- show command for retrieving console messages from the buffer
There is no external console port visible on the FWSM. For debugging, there is a console port (inside the blade), which works with a baud rate of 19600. When no Telnet session is available, the output is saved to a buffer. The buffered output can be examined later, once a Telnet connection is made, with the following command:
show console-output [m-n]
Here m-n refers to message numbers. Example 4-5 displays the show console-output command.
Example 4-5. The show console-output Command
FWSM(config)# show console-output 6-8
Message #6 : Found PCI card in slot:4 bus:1 dev:5 (vendor:0x1014 deviceid:0x1e8)
Message #7 : Ignoring PCI card in slot:4 (vendor:0x1014 deviceid:0x1e8)
Message #8 : Found PCI card in slot:5 bus:1 dev:4 (vendor:0x1014 deviceid:0x1e8)
FWSM(config)#
Note
Buffer size is limited to 4K bytes.
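The comparison described above, between the VLAN mappings on the switch (Example 4-3) and the VLANs downloaded to the FWSM (Example 4-4), can be scripted over captured text. The following is an added example, not part of the original text: the function names, slot number 4, and both sample captures are constructed, and it assumes the switch side is read from the firewall vlan-group and firewall module lines of the running configuration.

```python
import re

# Constructed sample input: switch running-config lines (assumed source of the mappings).
SWITCH_CONFIG = """\
firewall module 4 vlan-group 1,2
firewall vlan-group 1 10,100
firewall vlan-group 2 200-202
"""
# Constructed sample input: a captured "show vlan" session on the FWSM.
FWSM_CAPTURE = """\
FWSM# show vlan
10, 100, 200-201
FWSM#
"""

def parse_vlan_list(text):
    """Expand '10, 100,' or '200-202' into a set of VLAN IDs."""
    vlans = set()
    for token in re.split(r"[,\s]+", text.strip()):
        if not token:
            continue  # tolerate the trailing comma seen in show vlan output
        lo, _, hi = token.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN token: {token!r}")
        vlans.update(range(lo, hi + 1))
    return vlans

def switch_vlans_for_slot(config, slot):
    """VLANs the switch configuration maps to the FWSM in the given slot."""
    groups, assigned = {}, set()
    for line in config.splitlines():
        m = re.match(r"\s*firewall vlan-group (\d+) (\S+)", line)
        if m:
            groups.setdefault(m.group(1), set()).update(parse_vlan_list(m.group(2)))
        m = re.match(r"\s*firewall module (\d+) vlan-group (\S+)", line)
        if m and int(m.group(1)) == slot:
            assigned.update(m.group(2).split(","))
    return set().union(*(groups.get(g, set()) for g in assigned))

def fwsm_downloaded_vlans(capture):
    """VLANs printed by show vlan, ignoring blank lines and prompt lines."""
    body = [l for l in capture.splitlines() if l.strip() and "#" not in l]
    return parse_vlan_list(" ".join(body))

def compare(config, slot, capture):
    want, have = switch_vlans_for_slot(config, slot), fwsm_downloaded_vlans(capture)
    return {"not_downloaded": sorted(want - have), "unexpected": sorted(have - want)}

if __name__ == "__main__":
    print(compare(SWITCH_CONFIG, 4, FWSM_CAPTURE))
```

A non-empty not_downloaded list means a VLAN mapped on the switch is not visible to the FWSM; a non-empty unexpected list means the FWSM reports a VLAN that the switch configuration does not assign to that slot.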