Troubleshooting Commands

The two most important troubleshooting commands on Security Appliance are the
following:
■ debug
■ show
The debug command provides real-time information that helps you troubleshoot protocols operating with and through the Security Appliance. More than three dozen debug commands are available on the Security Appliance.
Like the debug command, the show command has many options available on the Security Appliance. One especially helpful one is the show tech-support command.
Example 4-5 Sample SNMP Configuration on a PIX Firewall
snmp-server host 10.10.1.22
snmp-server location DC-HQ
snmp-server contact Yung Park
snmp-server community SnMpKey
snmp-server enable traps

The debug packet command sends its output to the Trace Channel; all other debug commands do not. Use of the Trace Channel changes the way you can view output on your screen during a Security Appliance console or Telnet session. If a debug command does not use the Trace Channel, each session operates independently, which means output from a debug started in one session appears only in that session, and by default such a session has debug output disabled. The location of the Trace Channel depends on whether you have a Telnet console session running at the same time as the serial console session or you are using only the Security Appliance serial console:
■ If you are using only the Security Appliance serial console, all debug output displays on the serial console.
■ If you have both a serial console session and a Telnet console session accessing the
console, no matter where you enter the debug commands, the output displays on the
Telnet console session.
■ If you have two or more Telnet console sessions, the first session is the Trace Channel. If
that session closes, the serial console session becomes the Trace Channel. The next Telnet
console session that accesses the console will then become the Trace Channel.
The debug commands, except the debug crypto commands, are shared between all Telnet and
serial console sessions.
The following is sample output from the show debug command:
Pixfw#show debug
debug crypto ipsec 1
debug crypto isakmp 1
debug crypto ca 1
debug icmp trace
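The show debug listing above is what an operator checks before handing a firewall back to production, because a debug that is left running keeps consuming CPU and keeps writing to whichever session owns it. The following Python script is an added example, not code from this page or from Cisco: it parses show debug output in the format shown above, lists every enabled debug with its level, and generates the commands that would turn each one off. The sample text is constructed from the page's listing; the assumption that each debug is cleared with the no form of the same keywords (no debug crypto ipsec, and so on) is mine, not something the page states.

```python
import re

# Constructed sample input: the show debug output reproduced from the page.
SAMPLE_SHOW_DEBUG = """\
Pixfw#show debug
debug crypto ipsec 1
debug crypto isakmp 1
debug crypto ca 1
debug icmp trace
"""

# One enabled debug line: the feature keywords, then an optional numeric
# level (the PIX prints a level for the crypto debugs, as in the sample).
_DEBUG_LINE = re.compile(
    r"^debug\s+(?P<feature>[a-z][a-z0-9 -]*?)(?:\s+(?P<level>\d+))?\s*$"
)


def parse_show_debug(output):
    """Return a list of (feature, level) tuples, one per enabled debug.

    Lines that are not 'debug ...' lines (the echoed prompt, blank lines)
    are ignored. level is None when the device printed no level.
    """
    enabled = []
    for line in output.splitlines():
        m = _DEBUG_LINE.match(line.strip())
        if m:
            level = m.group("level")
            enabled.append((m.group("feature"), int(level) if level else None))
    return enabled


def disable_commands(enabled):
    """Build the 'no debug <feature>' command for each enabled debug.

    Assumption (mine, not from the page): each debug is cleared with the
    'no' form of the same keywords, and the level is not repeated.
    """
    return ["no debug %s" % feature for feature, _ in enabled]


def audit(output):
    """Summarise what is still switched on and how to clear it."""
    enabled = parse_show_debug(output)
    return {
        "enabled_count": len(enabled),
        # crypto debugs are called out separately because the page notes
        # they are not shared between console sessions, so another
        # operator's session will not show that they are running.
        "crypto_debugs": [f for f, _ in enabled if f.startswith("crypto")],
        "remediation": disable_commands(enabled),
    }


if __name__ == "__main__":
    for feature, level in parse_show_debug(SAMPLE_SHOW_DEBUG):
        print("enabled: %-20s level=%s" % (feature, level))
    for cmd in audit(SAMPLE_SHOW_DEBUG)["remediation"]:
        print(cmd)
```

Paste the output of show debug from a real session in place of the constructed sample; the regex deliberately ignores the echoed prompt so the whole terminal capture can be fed in unedited.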
The show tech-support command lists information that technical support analysts need to
help you diagnose Security Appliance problems. Using this command is very similar to
running half a dozen show commands at once. The syntax for the command is as follows:
show tech-support [no-config]
The no-config option excludes the output of the running configuration. Example 4-6 shows
a sample output of the show tech-support command with the no-config option.
Example 4-6 Sample Output of the show tech-support no-config Command
Pix_fw# show tech-support no-config
Cisco PIX Firewall Version 6.3(1)
Cisco PIX Device Manager Version 2.1(1)
Compiled on Tue 16-Sept-03 17:49 by morlee
PIXFW01 up 17 days 5 hours
Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
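Because show tech-support opens with the identifying facts an analyst asks for first (software and PDM versions, uptime, platform and memory), the same header lines are a convenient source for an inventory or patch-level check across many firewalls. The Python below is an added example, not part of this page or of any Cisco tool: it parses those header lines in the format shown in Example 4-6 and compares the parsed version against a baseline the caller supplies. The sample text is constructed from the listing above, and the baseline used in the usage note is an arbitrary placeholder, not a statement about any release.

```python
import re

# Constructed sample input: the opening lines of show tech-support no-config
# as reproduced on this page. The real output continues for many screens.
SAMPLE_TECH_SUPPORT = """\
Pix_fw# show tech-support no-config
Cisco PIX Firewall Version 6.3(1)
Cisco PIX Device Manager Version 2.1(1)
Compiled on Tue 16-Sept-03 17:49 by morlee
PIXFW01 up 17 days 5 hours
Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
"""

_VERSION = re.compile(r"^Cisco PIX Firewall Version (\d+)\.(\d+)\((\d+)\)")
_PDM = re.compile(r"^Cisco PIX Device Manager Version (\S+)")
# "<host> up N days N hours N mins"; every unit is optional and may be singular.
_UPTIME = re.compile(
    r"^(?P<host>\S+) up"
    r"(?: (?P<days>\d+) days?)?"
    r"(?: (?P<hours>\d+) hours?)?"
    r"(?: (?P<mins>\d+) mins?)?\s*$"
)
_HARDWARE = re.compile(r"^Hardware: (?P<platform>[^,]+), (?P<ram>\d+) MB RAM")


def parse_tech_support_header(output):
    """Pull the identifying fields out of the top of show tech-support.

    Returns a dict; a field stays None when its line was not present, so a
    caller can tell 'not reported' apart from a parsed value.
    """
    info = {"hostname": None, "version": None, "pdm_version": None,
            "uptime_hours": None, "platform": None, "ram_mb": None}
    for line in output.splitlines():
        line = line.strip()
        m = _VERSION.match(line)
        if m:
            info["version"] = tuple(int(x) for x in m.groups())
            continue
        m = _PDM.match(line)
        if m:
            info["pdm_version"] = m.group(1)
            continue
        m = _UPTIME.match(line)
        if m and info["hostname"] is None:
            info["hostname"] = m.group("host")
            info["uptime_hours"] = (int(m.group("days") or 0) * 24
                                    + int(m.group("hours") or 0))
            continue
        m = _HARDWARE.match(line)
        if m:
            info["platform"] = m.group("platform")
            info["ram_mb"] = int(m.group("ram"))
    return info


def version_at_least(version, baseline):
    """True when the parsed (major, minor, maintenance) tuple meets baseline.

    baseline is whatever release your own patch policy requires; the page
    names no minimum, so none is hard-coded here. An unparsed version
    (None) never passes, so a garbled capture is flagged rather than ignored.
    """
    return version is not None and tuple(version) >= tuple(baseline)


if __name__ == "__main__":
    info = parse_tech_support_header(SAMPLE_TECH_SUPPORT)
    for key, value in info.items():
        print("%-13s %s" % (key, value))
    # Placeholder baseline for illustration only; substitute your own policy.
    print("meets baseline 6.3(4):", version_at_least(info["version"], (6, 3, 4)))
```

The version is kept as a tuple rather than a string so that comparisons order 6.3(10) after 6.3(4); comparing the printed strings would get that wrong.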