Table Of Contents

database path through debug xml Commands

database path

ddns (DDNS-update-method)

ddns update (interface configuration)

ddns update method (global configuration mode)

debug aaa

debug appfw

debug arp

debug arp-inspection

debug asdm history

debug context

debug cplane

debug crypto ca

debug crypto ca server

debug crypto engine

debug crypto ipsec

debug crypto isakmp

debug ctiqbe

debug ctl-provider

debug dap

debug ddns

debug dhcpc

debug dhcpd

debug dhcpd ddns

debug dhcprelay

debug disk

debug dns

debug eap

debug eigrp fsm

debug eigrp neighbors

debug eigrp packets

debug eigrp transmit

debug eigrp user-interface

debug entity

debug eou

debug esmtp

debug fixup

debug fover

debug fsm

debug ftp client

debug generic

debug gtp

debug h323

debug http

debug http-map

debug icmp

debug igmp

debug ils

debug imagemgr

debug inspect tls-proxy

debug ip eigrp

debug ipsec-over-tcp

debug ipv6

debug iua-proxy

debug kerberos

debug l2tp

debug ldap

debug mac-address-table

debug menu

debug mfib

debug mgcp

debug mmp

debug module-boot

debug mrib

debug nac

debug ntdomain

debug ntp

debug ospf

debug parser cache

debug phone-proxy

debug pim

debug pix acl

debug pix cls

debug pix pkt2pc

debug pix process

debug pix uauth

debug pptp

debug radius

debug redundant-interface

debug rip

debug rtp

debug rtsp

debug sdi

debug sequence

debug session-command

debug sip

debug skinny

debug sla monitor

debug sqlnet

debug ssh

debug sunrpc

debug switch ilpm

debug switch manager

debug tacacs

debug tcp-map

debug timestamps

debug vpn-sessiondb

debug wccp

debug webvpn

debug xdmcp

debug xml

database path through debug xml Commands

---

database path

To specify a path or location for the local CA server database, use the database command in CA server configuration mode. To reset the path to flash memory, the default setting, use the no form of this command.

[no] database path mount-name directory-path

Syntax Description

directory-path	Specifies the path to a directory on the mount point where the CA files are stored.
mount-name	Specifies the mount name.

Defaults

By default, the CA server database is stored in flash memory.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
CA server configuration	•	—	•	—	—

Command History

Release	Modification
8.0(2)	This command was introduced.

Usage Guidelines

The local CA files stored in the database include the certificate database, user database files, temporary PKCS12 files, and the current CRL file. The mount-name is the same as the name argument for the mount command used to specify a file system for the adaptive security appliance.

---

Note These CA files are internal stored files and should not be modified.

---

Examples

The following example defines the mount point for the CA database as cifs_share. It also defines the database files directory on the mount point as ca_dir/files_dir.

hostname(config)# crypto ca server

hostname(config-ca-server)# database path cifs_share ca_dir/files_dir/

hostname(config-ca-server)# 

Related Commands

Command	Description
crypto ca server	Provides access to CA Server Configuration mode CLI command set, which allows the user to configure and manage a local CA.
crypto ca server user-db write	Writes the user information configured in the local CA database to disk.
debug crypto ca server	Shows debug messages when the user configures the local CA server.
mount	Makes Common Internet File System (CIFS) and/or File Transfer Protocol (FTPFS) file systems accessible to the security appliance
show crypto ca server	Displays the characteristics of the CA configuration on the adaptive security appliance.
show crypto ca server cert-db	Displays the certificates issued by the CA server.

ddns (DDNS-update-method)

To specify a DDNS update method type, use the ddns command in DDNS-update-method mode. To remove an update method type from the running configuration, use the no form of this command.

ddns [both]

no ddns [both]

Syntax Description

both	(Optional) Specifies updating to both the DNS A and PTR resource records (RRs).

Defaults

Update only A RRs.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
DDNS-update-method	•	—	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

Dynamic DNS (DDNS) updates the name to address and address to name mappings maintained by DNS. Of the two methods for performing DDNS updates—the IETF standard defined by RFC 2136 and a generic HTTP method—the adaptive security appliance supports the IETF method in this release.

Name and address mappings are contained in two types of resource records (RR):

•The A resource record contains domain name to IP address mappings.

•The PTR resource record contains IP address to domain name mappings.

DDNS updates can be used to maintain consistent information between the A and PTR RR types.

When issued in DDNS-update-method configuration mode, the ddns command defines whether the update is just to A RR, or to both A RR and PTR RR.

Examples

The following example configures updating to both the A and PTR RRs for the DDNS update method named ddns-2:

hostname(config)# ddns update method ddns-2

hostname(DDNS-update-method)# ddns both

Related Commands

Command	Description
ddns update (interface config mode)	Associates a dynamic DNS (DDNS) update method with a adaptive security appliance interface or a DDNS update hostname.
ddns update method (global config mode)	Creates a method for dynamically updating DNS resource records.
dhcp-client update dns	Configures the update parameters that the DHCP client passes to the DHCP server.
dhcpd update dns	Enables a DHCP server to perform DDNS updates.
interval maximum	Configures the maximum interval between update attempts by a DDNS update method.

ddns update (interface configuration)

To associate a dynamic DNS (DDNS) update method with a adaptive security appliance interface or an update hostname, use the ddns update command in interface configuration mode. To remove the association between the DDNS update method and the interface or the hostname from the running configuration, use the no form of this command.

ddns update [method-name | hostname hostname]

no ddns update [method-name | hostname hostname]

Syntax Description

hostname	Specifies that the next term in the command string is a hostname.
hostname	Specifies a hostname to be used for updates.
method-name	Specifies a method name for association with the interface being configured.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Interface configuration	•	—	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

After defining a DDNS update method, you must associate it with a adaptive security appliance interface to trigger DDNS updates.

A hostname could be a Fully Qualified Domain Name (FQDN) or just a hostname. If just a hostname, the adaptive security appliance appends a domain name to the hostname to create a FQDN.

Examples

The following example associates the interface GigabitEthernet0/2 with the DDNS update method named ddns-2 and the hostname hostname1.example.com:

hostname(config)# interface GigabitEthernet0/2

hostname(config-if)# ddns update ddns-2

hostname(config-if)# ddns update hostname hostname1.example.com

Related Commands

Command	Description
ddns (DDNS-update- method mode)	Specifies a DDNS update method type for a created DDNS method.
ddns update method (global config mode)	Creates a method for dynamically updating DNS resource records.
dhcp-client update dns	Configures the update parameters that the DHCP client passes to the DHCP server.
dhcpd update dns	Enables a DHCP server to perform DDNS updates.
interval maximum	Configures the maximum interval between update attempts by a DDNS update method.

ddns update method (global configuration mode)

To create a method for dynamically updating a DNS resource records (RRs), use the ddns update method command in global configuration mode. To remove a dynamic DNS (DDNS) update method from the running configuration, use the no form of this command.

ddns update method name

no ddns update method name

Syntax Description

name	Specifies the name of a method for dynamically updating DNS records.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	—	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

DDNS updates the name to address and address to name mappings maintained by DNS. The update method configured by the ddns update method command determines what and how often dynamic DNS updates are performed. Of the two methods for performing DDNS updates—the IETF standard defined by RFC 2136 and a generic HTTP method—the adaptive security appliance supports the IETF method in this release.

Name and address mappings are contained in two types of resource records (RR):

•The A resource record contains domain name to IP address mappings.

•The PTR resource record contains IP address to domain name mappings.

DDNS updates can be used to maintain consistent information between the A and PTR RR types.

---

Note Before ddns update method will work, you must configure a reachable default DNS server using the dns command with domain lookup enabled on the interface.

---

Examples

The following example configures the DDNS update method named ddns-2:

hostname(config)# ddns update method ddns-2

Related Commands

Command	Description
ddns (DDNS-update- method mode)	Specifies a DDNS update method type for a created DDNS method.
ddns update (interface config mode)	Associates a dynamic DNS (DDNS) update method with a adaptive security appliance interface or a DDNS update hostname.
dhcp-client update dns	Configures the update parameters that the DHCP client passes to the DHCP server.
dhcpd update dns	Enables a DHCP server to perform dynamic DNS updates.
interval maximum	Configures the maximum interval between update attempts by a DDNS update method.

debug aaa

To show debug messages for AAA, use the debug aaa command in privileged EXEC mode. To stop showing AAA messages, use the no form of this command.

debug aaa [ accounting | authentication | authorization | common | internal | vpn [ level ] ]

no debug aaa

Syntax Description

accounting	(Optional) Show debug messages for accounting only.
authentication	(Optional) Show debug messages for authentication only.
authorization	(Optional) Show debug messages for authorization only.
common	(Optional) Show debug messages for different states within the AAA feature.
internal	(Optional) Show debug messages for AAA functions supported by the local database only.
level	(Optional) Specifies the debug level. Valid with the vpn keyword only.
vpn	(Optional) Show debug messages for VPN-related AAA functions only.

Defaults

The default level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
7.0(1)	This command was modified to include new keywords.

Usage Guidelines

The debug aaa command displays detailed information about AAA activity. The no debug all or undebug all commands turn off all enabled debugs.

Examples

The following example enables debugging for AAA functions supported by the local database:

hostname(config)# debug aaa internal

debug aaa internal enabled at level 1

hostname(config)# uap allocated. remote address: 10.42.15.172, Session_id: 2147483841 

uap freed for user . remote address: 10.42.15.172, session id: 2147483841

Related Commands

Command	Description
show running-config aaa	Displays running configuration related to AAA.

debug appfw

To display detailed information about application inspection, use the debug appfw command in privileged EXEC mode. To disable debugging, use the no form of this command.

debug appfw [chunk | event | eventverb | regex]

no debug appfw [chunk | event | eventverb | regex]

Syntax Description

chunk	(Optional) Displays runtime information about processing of chunked transfer encoded packets.
event	(Optional) Displays debug information about packet inspection events.
eventverb	(Optional) Displays the action taken by the adaptive security appliance in response to an event.
regex	(Optional) Displays information about matching patterns with predefined signatures.

Defaults

All options are enabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

The debug appfw command displays detailed information about HTTP application inspection. The no debug all or undebug all commands turn off all enabled debug commands.

Examples

The following example enables the display of detailed information about application inspection:

hostname# debug appfw

Related Commands

Commands	Description
http-map	Defines an HTTP map for configuring enhanced HTTP inspection.
inspect http	Applies a specific HTTP map to use for application inspection.

debug arp

To show debug messages for ARP, use the debug arp command in privileged EXEC mode. To stop showing debug messages for ARP, use the no form of this command.

debug arp

no debug arp

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	—

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

Using debug commands might slow down traffic on busy networks.

Examples

The following example enables debug messages for ARP:

hostname# debug arp

Related Commands

Command	Description
arp	Adds a static ARP entry.
show arp statistics	Shows ARP statistics.
show debug	Shows all enabled debuggers.

debug arp-inspection

To show debug messages for ARP inspection, use the debug arp-inspection command in privileged EXEC mode. To stop showing debug messages for ARP inspection, use the no form of this command.

debug arp-inspection

no debug arp-inspection

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	—	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

Using debug commands might slow down traffic on busy networks.

Examples

The following example enables debug messages for ARP inspection:

hostname# debug arp-inspection

Related Commands

Command	Description
arp	Adds a static ARP entry.
arp-inspection	For transparent firewall mode, inspects ARP packets to prevent ARP spoofing.
show debug	Shows all enabled debuggers.

debug asdm history

To view debug information for ASDM, use the debug asdm history command in privileged EXEC mode.

debug asdm history level

Syntax Description

level

(Optional) Specifies the debug level.

Defaults

The default level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
7.0(1)	This command was changed from the debug pdm history command to the debug asdm history command.

Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example enables level 1 debugging of ASDM:

hostname# debug asdm history

debug asdm history enabled at level 1

hostname#

Related Commands

Command	Description
show asdm history	Displays the contents of the ASDM history buffer.

debug context

To show debug messages when you add or delete a security context, use the debug context command in privileged EXEC mode. To stop showing debug messages for contexts, use the no form of this command.

debug context [level]

no debug context [level]

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.

Defaults

The default level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	—	—	•

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

Using debug commands might slow down traffic on busy networks.

Examples

The following example enables debug messages for context management:

hostname# debug context

Related Commands

Command	Description
context	Creates a security context in the system configuration and enters context configuration mode.
show context	Shows context information.
show debug	Shows all enabled debuggers.

debug cplane

To show debug messages about the control plane that connects internally to an SSM, use the debug cplane command in privileged EXEC mode. To stop showing debug messages for the control plane, use the no form of this command.

debug cplane [level]

no debug cplane [level]

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.

Defaults

The default level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	—	•

Command History

Release	Modification
7.0	This command was introduced.

Usage Guidelines

Using debug commands might slow down traffic on busy networks.

Examples

The following example enables debug messages for the control plane:

hostname# debug cplane

Related Commands

Command	Description
hw-module module recover	Recovers an intelligent SSM by loading a recovery image from a TFTP server.
hw-module module reset	Shuts down an SSM and performs a hardware reset.
hw-module module reload	Reloads the intelligent SSM software.
hw-module module shutdown	Shuts down the SSM software in preparation for being powered off without losing configuration data.
show module	Shows SSM information.

debug crypto ca

To show debug messages for PKI activity (used with CAs), use the debug crypto ca command in privileged EXEC mode. To stop showing debug messages for PKI, use the no form of this command.

debug crypto ca [messages | transactions] [level]

no debug crypto ca [messages | transactions] [level]

Syntax Description

messages	(Optional) Shows only debug messages for PKI input and output messages.
transactions	(Optional) Shows only debug messages for PKI transactions.
level	(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number. Level 1 (the default) shows messages only when errors occur. Level 2 shows warnings. Level 3 shows informational messages. Levels 4 and up show additional information for troubleshooting.

Defaults

By default, this command shows all debug messages. The default level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	—

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

Using debug commands might slow down traffic on busy networks.

Examples

The following example enables debug messages for PKI:

hostname# debug crypto ca

Related Commands

Command	Description
debug crypto engine	Shows debug messages for the crypto engine.
debug crypto ipsec	Shows debug messages for IPSec.
debug crypto isakmp	Shows debug messages for ISAKMP.

debug crypto ca server

To set the local CA server debug message level and begin listing associated debug messages, use the debug crypto ca server command in ca server configuration mode. To stop listing all debug messages, use the no form of the command.

debug crypto ca server [level]

no debug crypto ca server [level]

Syntax Description

level

Sets the debug message level to display, the range of values is between 1 and 255.

Defaults

The default debug level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
CA server configuration	•	—	•	—	—
Global configuration	•	—	•	—	—
Privileged EXEC	•	—	•	—	—

Command History

Release	Modification
8.0(2)	This command was introduced.

Usage Guidelines

Using debug commands might slow down traffic on busy networks. Levels 5 and higher are reserved for raw data dumps and should be avoided during normal debugging because of excessive debug output.

Examples

The following example sets the debug level to 3:

hostname(config-ca-server)# debug crypto ca server 3

hostname(config-ca-server)#

The following example turns off all debugging:

hostname(config-ca-server)# no debug crypto ca server

hostname(config-ca-server)#

Related Commands

Command	Description
cdp-url	Specifies the certificate revocation list (CRL) distribution point (CDP) to be include in the certificates issued by the CA.
crypto ca server	Provides access to CA Server Configuration mode CLI command set, which allows you to configure and manage the local CA.
database path	Specifies a path or location for the local CA server database.
show crypto ca server	Displays the characteristics of the certificate authority configuration on the adaptive security appliance in ASCII text format.
show crypto ca server certificate	Displays the local CA configuration in base64 format.
show crypto ca server crl	Displays the current CRL of the local CA.

debug crypto engine

To show debug messages for the crypto engine, use the debug crypto engine command in privileged EXEC mode. To stop showing debug messages for the crypto engine, use the no form of this command.

debug crypto engine [level]

no debug crypto engine [level]

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.

Defaults

The default level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	—

Command History

Release	Modification
7.0	This command was introduced.

Usage Guidelines

Using debug commands might slow down traffic on busy networks.

Examples

The following example enables debug messages for the crypto engine:

hostname# debug crypto engine

Related Commands

Command	Description
debug crypto ca	Shows debug messages for the CA.
debug crypto ipsec	Shows debug messages for IPSec.
debug crypto isakmp	Shows debug messages for ISAKMP.

debug crypto ipsec

To show debug messages for IPSec, use the debug crypto ipsec command in privileged EXEC mode. To stop showing debug messages for IPSec, use the no form of this command.

debug crypto ipsec [level]

no debug crypto ipsec [level]

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.

Defaults

The default level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	—	—

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

Using debug commands might slow down traffic on busy networks.

Examples

The following example enables debug messages for IPSec:

hostname# debug crypto ipsec

Related Commands

Command	Description
debug crypto ca	Shows debug messages for the CA.
debug crypto engine	Shows debug messages for the crypto engine.
debug crypto isakmp	Shows debug messages for ISAKMP.

debug crypto isakmp

To show debug messages for ISAKMP, use the debug crypto isakmp command in privileged EXEC mode. To stop showing debug messages for ISAKMP, use the no form of this command.

debug crypto isakmp [timers] [level]

no debug crypto isakmp [timers] [level]

Syntax Description

timers

(Optional) Shows debug messages for ISAKMP timer expiration.

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number. Level 1 (the default) shows messages only when errors occur. Levels 2 through 7 show additional information. Level 254 shows decrypted ISAKMP packets in a human readable format. Level 255 shows hexadecimal dumps of decrypted ISAKMP packets.

Defaults

The default level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	—	—

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

Using debug commands might slow down traffic on busy networks.

Examples

The following example enables debug messages for ISAKMP:

hostname# debug crypto isakmp

Related Commands

Command	Description
debug crypto ca	Shows debug messages for the CA.
debug crypto engine	Shows debug messages for the crypto engine.
debug crypto ipsec	Shows debug messages for IPSec.

debug ctiqbe

To show debug messages for CTIQBE application inspection, use the debug ctiqbe command in privileged EXEC mode. To stop showing debug messages for CTIQBE application inspection, use the no form of this command.

debug ctiqbe [level]

no debug ctiqbe [level]

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.

Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	—

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.

---

Note Enabling the debug ctiqbe command may slow down traffic on busy networks.

---

Examples

The following example enables debug messages at the default level (1) for CTIQBE application inspection:

hostname# debug ctiqbe

Related Commands

Command	Description
inspect ctiqbe	Enables CTIQBE application inspection.
show ctiqbe	Displays information about CTIQBE sessions established through the adaptive security appliance.
show conn	Displays the connection state for different connection types.
timeout	Sets the maximum idle time duration for different protocols and session types.

debug ctl-provider

To show debug messages for Certificate Trust List providers, use the debug ctl-provider command in privileged EXEC mode. To stop showing debug messages, use the no form of this command.

debug ctl-provider [errors | events | parser]

no debug ctl-provider [errors | events | parser]

Syntax Description

errors	Specifies CTL provider error debugging.
events	Specifies CTL provider event debugging.
parser	Specifies CTL provider parser debugging.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	—

Command History

Release	Modification
8.0(2)	This command was introduced.

Usage Guidelines

Using debug commands might slow down traffic on busy networks.

Examples

The following example enables debug messages for CTL provider:

hostname# debug ctl-provider

Related Commands

Command	Description
ctl	Parses the CTL file from the CTL client and install trustpoints.
ctl-provider	Configures a CTL provider instance in CTL provider mode.
export	Specifies the certificate to be exported to the client
service	Specifies the port to which the CTL provider listens.

debug dap

To enable logging of Dynamic Access Policy events, use the debug dap command in privileged EXEC mode. To disable the logging of DAP debug messages, use the no form of this command.

debug dap {errors | trace}

no debug dap [errors | trace]

Syntax Description

errors	Specifies DAP processing errors.
trace	Specifies a DAP function trace.

Defaults

No default value or behaviors.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	—	—

Command History

Release	Modification
8.0(2)	This command was introduced.

Usage Guidelines

The high priority assigned to debugging output can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example shows how to enable DAP trace debugging:

hostname # debug dap trace

hostname # 

Related Commands

Command	Description
dynamic-access-policy-record	Creates a DAP record.

debug ddns

To show debug messages for DDNS, use the debug ddns command in privileged EXEC mode. To disable debug messages, use the no form of this command.

debug ddns

no debug ddns

Syntax Description

This command has no arguments or keywords.

Defaults

The default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

The debug ddns command displays detailed information about DDNS. The undebug ddns turns off DDNS debugging information as does the no debug ddns command.

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example shows an example of enabling DDNS debug messages:

hostname# debug ddns

debug ddns enabled at level 1

Related Commands

Command	Description
ddns (DDNS-update- method mode)	Specifies a DDNS update method type for a created DDNS method.
ddns update (interface config mode)	Associates a DDNS update method with a adaptive security appliance interface or a DDNS update hostname.
ddns update method (global config mode)	Creates a method for dynamically updating DNS resource records.
show running-config ddns	Displays the type and interval of all configured DDNS methods in the running configuration.

debug dhcpc

To enable debugging of the DHCP client, use the debug dhcpc command in privileged EXEC mode. To disable debugging, use the no form of this command.

debug dhcpc {detail | packet | error} [level]

no debug dhcpc {detail | packet | error} [level]

Syntax Description

detail	Displays detail event information that is associated with the DHCP client.
error	Displays error messages that are associated with the DHCP client.
level	(Optional) Specifies the debug level. Valid valuse range from 1 to 255.
packet	Displays packet information that is associated with the DHCP client.

Defaults

The default debug level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	•	—

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

Displays DHCP client debug information.

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example shows how to enable debugging for the DHCP client:

hostname# debug dhcpc detail 5

debug dhcpc detail enabled at level 5

Related Commands

Command	Description
show ip address dhcp	Displays detailed information about the DHCP lease for an interface.
show running-config interface	Displays the running configuration of the specified interface.

debug dhcpd

To enable debugging of the DHCP server, use the debug dhcpd command in privileged EXEC mode. To disable debugging, use the no form of this command.

debug dhcpd {event | packet} [level]

no debug dhcpd {event | packet} [level]

Syntax Description

event	Displays event information that is associated with the DHCP server.
level	(Optional) Specifies the debug level. Valid valuse range from 1 to 255.
packet	Displays packet information that is associated with the DHCP server.

Defaults

The default debug level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	—

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

The debug dhcpd event command displays event information about the DHCP server. The debug dhcpd packet command displays packet information about the DHCP server.

Use the no form of the debug dhcpd commands to disable debugging.

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example shows an example of enabling DHCP event debugging:

hostname# debug dhcpd event

debug dhcpd event enabled at level 1

Related Commands

Command	Description
show dhcpd	Displays DHCP binding, statistic, or state information.
show running-config dhcpd	Displays the current DHCP server configuration.

debug dhcpd ddns

To enable debugging of the DHCP DDNS, use the debug dhcpd ddns command in privileged EXEC mode. To disable debugging, use the no form of this command.

debug dhcpd ddns [level]

no debug dhcpd ddns [level]

Syntax Description

level

(Optional) Specifies the debug level. Valid values range from 1 to 255.

Defaults

The default debug level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

The debug dhcpd ddns command displays detailed information about DHCP and DDNS. The undebug dhcpd ddns command turns off DHCP and DDNS debugging information as does the no debug dhcpd ddns command.

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example shows DHCP DDNS debugging being enabled:

hostname# debug dhcpd ddns

debug dhcpd ddns enabled at level 1

Related Commands

Command	Description
dhcpd update dns	Enables a DHCP server to perform dynamic DNS updates.
show running-config dhcpd	Displays the current DHCP server configuration.
show running-config ddns	Display the DDNS update methods of the running configuration.

debug dhcprelay

To enable debugging of the DHCP relay server, use the debug dhcpreleay command in privileged EXEC mode. To disable debugging, use the no form of this command.

debug dhcprelay {event | packet | error} [level]

no debug dhcprelay {event | packet | error} [level]

Syntax Description

error	Displays error messages that are associated with the DHCP relay agent.
event	Displays event information that is associated with the DHCP relay agent.
level	(Optional) Specifies the debug level. Valid valuse range from 1 to 255.
packet	Displays packet information that is associated with the DHCP relay agent.

Defaults

The default debug level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	•	—

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example shows how to enable debugging for DHCP relay agent error messages:

hostname# debug dhcprelay error

debug dhcprelay error enabled at level 1

Related Commands

Command	Description
clear configure dhcprelay	Removes all DHCP relay agent settings.
clear dhcprelay statistics	Clears the DHCP relay agent statistic counters.
show dhcprelay statistics	Displays DHCP relay agent statistic information.
show running-config dhcprelay	Displays the current DHCP relay agent configuration.

debug disk

To display file system debug information, use the debug disk command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.

debug disk {file | file-verbose | filesystem} [level]

no debug disk {file | file-verbose | filesystem}

Syntax Description

file	Enables file-level disk debug messages.
file-verbose	Enables verbose file-level disk debug messages.
filesystem	Enables file system debug messages.
level	(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.

Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	—	•

Command History

Release	Modification
7.0	This command was introduced.

Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following is sample output from the debug disk and the show debug commands.

hostname# debug disk file

debug disk file enabled at level 1

hostname# show debug

debug vpn-sessiondb  enabled at level 1

hostname# dir

IFS: Opening: file flash:/, flags 1, mode 0

IFS: Opened: file flash:/ as fd 3

IFS: Getdent: fd 3

IFS: Getdent: fd 3

IFS: Getdent: fd 3

IFS: Getdent: fd 3

Directory of flash:/

IFS: Close: fd 3

IFS: Opening: file flash:/, flags 1, mode 0

4      -rw-  5124096     14:42:27 Apr 04 2005  cdisk.binIFS: Opened: file flash:/ as fd 3

9      -rw-  5919340     14:53:39 Apr 04 2005  ASDMIFS: Getdent: fd 3

11     drw-  0           15:18:56 Apr 21 2005  syslog

IFS: Getdent: fd 3

IFS: Getdent: fd 3

IFS: Getdent: fd 3

IFS: Close: fd 3

16128000 bytes total (5047296 bytes free)

Related Commands

Command	Description
show debug	Displays current debug configuration.

debug dns

To show debug messages for DNS, use the debug dns command in privileged EXEC mode. To stop showing debug messages for DNS, use the no form of this command.

debug dns [resolver | all] [level]

no debug dns [resolver | all] [level]

Syntax Description

all	(Default) Shows all messages, including messages about the DNS cache.
level	(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
resolver	(Optional) Shows only DNS resolver messages.

Defaults

The default level is 1. If you do not specify any keywords, the adaptive security appliance shows all mesages.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

Using debug commands might slow down traffic on busy networks.

Examples

The following example enables debug messages for DNS:

hostname# debug dns

Related Commands

Command	Description
class-map	Defines the traffic class to which to apply security actions.
inspect dns	Enables DNS application inspection.
policy-map	Associates a class map with specific security actions.
service-policy	Applies a policy map to one or more interfaces.

debug eap

To enable logging of EAP events to debug NAC messaging, use the debug eap command in privileged EXEC mode. To disable the logging of EAP debug messages, use the no form of this command.

debug eap {all | errors | events | packets | sm}

no debug eap [all | errors | events | packets | sm]

Syntax Description

all	Enables logging of debug messages about all EAP information.
errors	Enables logging of EAP packet errors.
events	Enables logging of EAP session events.
packets	Enables logging of debug messages about EAP packet information.
sm	Enables logging of debug messages about EAP state machine information.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	—	•

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

When you use this command, the adaptive security appliance records EAP session state changes and EAP status query events, and generates a complete record of EAP and packet contents in hexadecimal format.

The high priority assigned to debugging output can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example enables the logging of all EAP session events:

hostname# debug eap events

hostname# 

The following example enables the logging of all EAP debug messages:

hostname# debug eap all

hostname# 

The following example disables the logging of all EAP debug messages:

hostname# no debug eap

hostname# 

Related Commands

Command	Description
debug eou	Enables logging of EAPoUDP events to debug NAC messaging.
debug nac	Enables logging of NAC events.
eou initialize	Clears the resources assigned to one or more NAC sessions and initiates a new, unconditional posture validation for each of the sessions.
eou revalidate	Forces immediate posture revalidation of one or more NAC sessions.
show debug	Displays current debug configuration.

debug eigrp fsm

To display debug information the DUAL finite state machine, use the debug eigrp fsm command in privileged EXEC mode. To disable the debug information display, use the no form of this command.

debug eigrp fsm

no debug eigrp fsm

Syntax Description

This command has no arguments or keywords.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	—	—

Command History

Release	Modification
8.0(2)	This command was introduced.

Usage Guidelines

This command lets you observe EIGRP feasible successor activity and to determine whether route updates are being installed and deleted by the routing process.

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following is sample output from the debug eigrp fsm command:

hostname# debug eigrp fsm

DUAL: dual_rcvupdate(): 172.25.166.0 255.255.255.0 via 0.0.0.0 metric 750080/0

DUAL: Find FS for dest 172.25.166.0 255.255.255.0. FD is 4294967295, RD is 4294967295 
found

DUAL: RT installed 172.25.166.0 255.255.255.0 via 0.0.0.0

DUAL: dual_rcvupdate(): 192.168.4.0 255.255.255.0 via 0.0.0.0 metric 4294967295/4294967295

DUAL: Find FS for dest 192.168.4.0 255.255.255.0. FD is 2249216, RD is 2249216

DUAL:   0.0.0.0 metric 4294967295/4294967295not found Dmin is 4294967295

DUAL: Dest 192.168.4.0 255.255.255.0 not entering active state.

DUAL: Removing dest 192.168.4.0 255.255.255.0, nexthop 0.0.0.0

DUAL: No routes. Flushing dest 192.168.4.0 255.255.255.0

In the fist line, DUAL stands for diffusing update algorithm. It is the basic mechanism within EIGRP that makes the routing decisions. The next three fields are the Internet address and mask of the destination network and the address through which the update was received. The metric field shows the metric stored in the routing table and the metric advertised by the neighbor sending the information. If shown, the term "Metric... inaccessible" usually means that the neighbor router no longer has a route to the destination, or the destination is in a hold-down state.

In the following output, EIGRP is attempting to find a feasible successor for the destination. Feasible successors are part of the DUAL loop avoidance methods. The FD field contains more loop avoidance state information. The RD field is the reported distance, which is the metric used in update, query, or reply packets.

The indented line with the "not found" message means a feasible successor was not found for 192.168.4.0 and EIGRP must start a diffusing computation. This means it begins to actively probe (sends query packets about destination 192.168.4.0) the network looking for alternate paths to 192.164.4.0.

DUAL: Find FS for dest 192.168.4.0 255.255.255.0. FD is 2249216, RD is 2249216

DUAL:   0.0.0.0 metric 4294967295/4294967295not found Dmin is 4294967295

The following output indicates the route DUAL successfully installed into the routing table:

DUAL: RT installed 172.25.166.0 255.255.255.0 via 0.0.0.0

The following output shows that no routes to the destination were discovered and that the route information is being removed from the topology table:

DUAL: Dest 192.168.4.0 255.255.255.0 not entering active state.

DUAL: Removing dest 192.168.4.0 255.255.255.0, nexthop 0.0.0.0

DUAL: No routes. Flushing dest 192.168.4.0 255.255.255.0

Related Commands

Command	Description
show eigrp topology	Displays the EIGRP topology table.

debug eigrp neighbors

To display debug information for neighbors discovered by EIGRP, use the debug eigrp neighbors command in privileged EXEC mode. To disable the debug information display, use the no form of this command.

debug eigrp neighbors [siatimer | static]

no debug eigrp neighbors [siatimer | static]

Syntax Description

siatimer	(Optional) Displays EIGRP stuck in active messages.
static	(Optional) Displays EIGRP static neighbor messages.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	—	—

Command History

Release	Modification
8.0(2)	This command was introduced.

Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following is sample output from the debug eigrp neighbors static command. The example shows a static neighbor being added, and then removed, and the corresponding debug messages.

hostname# debug eigrp neighbors static

EIGRP Static Neighbors debugging is on

hostname# configure terminal

hostname(config) router eigrp 100

hostname(config-router)# neighbor 10.86.194.3 interface outside

hostname(config-router)# 

EIGRP: Multicast Hello is disabled on Ethernet0/0!

EIGRP: Add new static nbr 10.86.194.3 to AS 100 Ethernet0/0

hostname(config-router)# no neighbor 10.86.194.3 interface outside

hostname(config-router)# 

EIGRP: Static nbr 10.86.194.3 not in AS 100 Ethernet0/0 dynamic list

EIGRP: Delete static nbr 10.86.194.3 from AS 100 Ethernet0/0

EIGRP: Multicast Hello is enabled on Ethernet0/0!

hostname(config-router)# no debug eigrp neighbors static

EIGRP Static Neighbors debugging is off

Related Commands

Command	Description
neighbor	Defines an EIGRP neighbor.
show eigrp neighbors	Displays the EIGRP neighbor table.

debug eigrp packets

To display debug information for EIGRP packets, use the debug eigrp packets command in privileged EXEC mode. To disable the debug information display, use the no form of this command.

debug eigrp packets [SIAquery | SIAreply | ack | hello | probe | query | reply | request | retry | stub | terse | update | verbose]

no debug eigrp packets [SIAquery | SIAreply | ack | hello | probe | query | reply | request | retry | stub | terse | update | verbose]

Syntax Description

ack	(Optional) Limits the debug output to EIGRP ack packets.
hello	(Optional) Limits the debug output to EIGRP hello packets.
probe	(Optional) Limits the debug output to EIGRP probe packets.
query	(Optional) Limits the debug output to EIGRP query packets.
reply	(Optional) Limits the debug output to EIGRP reply packets.
request	(Optional) Limits the debug output to EIGRP request packets.
retry	(Optional) Limits the debug output to EIGRP retry packets.
SIAquery	(Optional) Limits the debug output to EIGRP stuck in active query packets.
SIAreply	(Optional) Limits the debug output to EIGRP stuck in active reply packets.
stub	(Optional) Limits the debug output to EIGRP stub routing packets.
terse	(Optional) Displays all EIGRP packets except hello packets.
update	(Optional) Limits the debug output to EIGRP update packets.
verbose	(Optional) Outputs all packet debug messages.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	—	—

Command History

Release	Modification
8.0(2)	This command was introduced.

Usage Guidelines

You can specify more than one packet type in a single command, for example:

debug eigrp packets query reply

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following is sample output from the debug eigrp packets command:

hostname# debug eigrp packets

EIGRP: Sending HELLO on Ethernet0/1

       AS 109, Flags 0x0, Seq 0, Ack 0

EIGRP: Sending HELLO on Ethernet0/1

       AS 109, Flags 0x0, Seq 0, Ack 0

EIGRP: Sending HELLO on Ethernet0/1

       AS 109, Flags 0x0, Seq 0, Ack 0

EIGRP: Received UPDATE on Ethernet0/1 from 192.195.78.24,

       AS 109, Flags 0x1, Seq 1, Ack 0

EIGRP: Sending HELLO/ACK on Ethernet0/1 to 192.195.78.24,

       AS 109, Flags 0x0, Seq 0, Ack 1

EIGRP: Sending HELLO/ACK on Ethernet0/1 to 192.195.78.24,

       AS 109, Flags 0x0, Seq 0, Ack 1

EIGRP: Received UPDATE on Ethernet0/1 from 192.195.78.24,

       AS 109, Flags 0x0, Seq 2, Ack 0

The output shows transmission and receipt of EIGRP packets. The sequence and acknowledgment numbers used by the EIGRP reliable transport algorithm are shown in the output. Where applicable, the network-layer address of the neighboring router is also included.

Related Commands

Command	Description
show eigrp traffic	Displays the number of EIGRP packets sent and received.

debug eigrp transmit

To display transmittal messages sent by EIGRP, use the debug eigrp transmit command in privileged EXEC mode. To disable the debug information display, use the no form of this command.

debug eigrp transmit [ack] [build] [detail] [link] [packetize] [peerdown] [sia] [startup] [strange]

no debug eigrp transmit [ack] [build] [detail] [link] [packetize] [peerdown] [sia] [startup] [strange]

Syntax Description

ack	(Optional) Information for acknowledgment (ACK) messages sent by the system.
build	(Optional) Build information messages (messages that indicate that a topology table was either successfully built or could not be built).
detail	(Optional) Additional detail for debug output.
link	(Optional) Information regarding topology table linked-list management.
packetize	(Optional) Information regarding packetize events.
peerdown	(Optional) Information regarding the impact on packet generation when a peer is down.
sia	(Optional) Stuck-in-active messages.
startup	(Optional) Information regarding peer startup and initialization packets that have been transmitted.
strange	(Optional) Unusual events relating to packet processing.

Defaults

If at least one transmittal event is not specified, all transmittal events are shown in the debug output.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	—	—

Command History

Release	Modification
8.0(2)	This command was introduced.

Usage Guidelines

You can specify more than one transmittal event in a single command, For example:

hostname# debug eigrp ack build link

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following is sample output from the debug eigrp transmit command. The example shows a network command being entered and the transmittal event debug message that is generated.

hostname# debug eigrp transmit

EIGRP Transmission Events debugging is on

    (ACK, PACKETIZE, STARTUP, PEERDOWN, LINK, BUILD, STRANGE, SIA, DETAIL)

hostname# configure terminal

hostname(config)# router eigrp 100

hostname(config-router)# network 10.86.194.0 255.255.255.0 

DNDB UPDATE 10.86.194.0 255.255.255.0, serno 0 to 1, refcount 0

hostname(config-router)# no debug eigrp transmit 

EIGRP Transmission Events debugging is off

Related Commands

Command	Description
show eigrp traffic	Displays the number of EIGRP packets sent and received.

debug eigrp user-interface

To display debug information for EIGRP user events, use the debug eigrp user-interface command in privileged EXEC mode. To disable the debug information display, use the no form of this command.

debug eigrp user-interface

no debug eigrp user-interface

Syntax Description

This command has no arguments or keywords.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	—	—

Command History

Release	Modification
8.0(2)	This command was introduced.

Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following is sample output from the debug eigrp user-interface command. The output is caused by an administrator removing a passive-interface command from an EIGRP configuration.

hostname# debug eigrp user-interface

EIGRP UI Events debugging is on

hostname# configure terminal

hostname(config) router eigrp 100

hostname(config-router)# no passive-interface inside

CSB2AF: FOUND (AS=100, Name=, VRF=0, AFI=ipv4)

hostname(config-router)# no debug eigrp user-interface

EIGRP UI Events debugging is off

Related Commands

Command	Description
router eigrp	Enables an EIGRP routing process and enters router configuration mode.
show running-config eigrp	Displays the EIGRP commands in the running configuration.

debug entity

To display MIB debug information, use the debug entity command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.

debug entity [level]

no debug entity

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.

Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
7.0	This command was introduced.

Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example enables MIB debug messages. The show debug command reveals that MIB debug messages are enabled.

hostname# debug entity

debug entity  enabled at level 1

hostname# show debug

debug entity  enabled at level 1

hostname#

Related Commands

Command	Description
show debug	Displays current debug configuration.

debug eou

To enable logging of EAPoUDP events to debug NAC messaging, use the debug eou command in privileged EXEC mode. To disable the logging of EAPoUDP debug messages, use the no form of this command.

debug eou {all | eap | errors | events | packets | sm}

no debug eou [all | eap | errors | events | packets | sm]

Syntax Description

all	Enables logging of debug messages about all EAPoUDP information.
eap	Enables logging of debug messages about EAPoUDP packets.
errors	Enables logging of EAPoUDP packet errors.
events	Enables logging of EAPoUDP session events.
packets	Enables logging of debug messages about EAPoUDP packet information.
sm	Enables logging of debug messages about EAPoUDP state machine information.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	—	•

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

When you use this command, the adaptive security appliance records EAPoUDP session state changes and timer events, and generates a complete record of EAPoUDP header and packet contents in hexadecimal format.

The high priority assigned to debugging output can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example enables the logging of all EAPoUDP session events:

hostname# debug eou events

hostname# 

The following example enables the logging of all EAPoUDP debug messages:

hostname# debug eou all

hostname# 

The following example disables the logging of all EAPoUDP debug messages:

hostname# no debug eou

hostname# 

Related Commands

Command	Description
debug eap	Enables logging of EAP events to debug NAC messaging.
debug nac	Enables logging of NAC events.
eou initialize	Clears the resources assigned to one or more NAC sessions and initiates a new, unconditional posture validation for each of the sessions.
eou revalidate	Forces immediate posture revalidation of one or more NAC sessions.
show debug	Displays current debug configuration.

debug esmtp

To show debug messages for SMTP/ESMTP application inspection, use the debug esmtp command in privileged EXEC mode. To stop showing debug messages for SMTP/ESMTP application inspection, use the no form of this command.

debug esmtp [level]

no debug esmtp [level]

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.

Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.

---

Note Enabling the debug esmtp command may slow down traffic on busy networks.

---

Examples

The following example enables debug messages at the default level (1) for SMTP/ESMTP application inspection:

hostname# debug esmtp

Related Commands

Command	Description
class-map	Defines the traffic class to which to apply security actions.
inspect esmtp	Enables ESMTP application inspection.
policy-map	Associates a class map with specific security actions.
service-policy	Applies a policy map to one or more interfaces.
show conn	Displays the connection state for different connection types, including SMTP.

debug fixup

To display detailed information about application inspection, use the debug fixup command in privileged EXEC mode. To disable debugging, use the no form of this command.

debug fixup

no debug fixup

Defaults

All options are enabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	—

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

The debug fixup command displays detailed information about application inspection. The no debug all or undebug all commands turn off all enabled debug commands.

Examples

The following example enables the display of detailed information about application inspection:

hostname# debug fixup

Related Commands

Commands	Description
class-map	Defines the traffic class to which to apply security actions.
inspect protocol	Enables application inspection for specific protocols.
policy-map	Associates a class map with specific security actions.

debug fover

To display failover debug information, use the debug fover command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.

debug fover {cable | cmd-exec | fail | fmsg | ifc | open | rx | rxdmp | rxip | switch | sync | tx | txdmp | txip | verify}

no debug fover {cable | fail | fmsg | ifc | open | rx | rxdmp | rxip | switch | sync | tx | txdmp | txip | verify}

Syntax Description

cable	Failover LAN status or serial cable status.
cmd-exec	failover exec command execution trace.
fail	Failover internal exception.
fmsg	Failover message.
ifc	Network interface status trace.
open	Failover device open.
rx	Failover message receive.
rxdmp	Failover receive message dump (serial console only).
rxip	IP network failover packet receive.
switch	Failover switching status.
sync	Failover configuration/command replication.
tx	Failover message transmit.
txdmp	Failover transmit message dump (serial console only).
txip	IP network failover packet transmit.
verify	Failover message verify.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
7.0(1)	This command was modified. It includes additional debug keywords.

Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following is sample output from the debug fover cmd-exec command. After debugging is enabled, a failover exec command is entered. The results of the failover exec command is shown after the debug output.

hostname(config)# debug fover cmd-exec

fover event trace on

hostname(config)# failover exec mate show running-config failover

ci/console: Sending cmd: show runn failovero to peer for execution, seq = 4

ci/console: frep_execv_cmd: replicating exec cmd: show runn failover...

fover_parse: Fover rexec response: seq=4, size=228, data="fail..."

ci/console: Fover rexec waiting at clock tick 2670960

fover_parse: Fover rexec ack: seq = 4, ret_val = 0

ci/console: Fover rexec conteinuer at clock tick: 2671040

ci/console: Fover exec succeeded, seq = 5

failover

failover lan interface failover GigabitEthernet0/3

failover polltime unit 1 holdtime 3

failover key *****

failover link failover GigabitEthernet0/3

failover interface ip failover 10.0.5.1 255.255.255.0 standby 10.0.5.2

ciscoasa(config)#

Related Commands

Command	Description
show failover	Displays information about the failover configuration and operational statistics.

debug fsm

To display FSM debug information, use the debug fsm command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.

debug fsm [level]

no debug fsm

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.

Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
7.0	This command was introduced.

Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example enables FSM debug messages. The show debug command reveals that FSM debug messages are enabled.

hostname# debug fsm

debug fsm  enabled at level 1

hostname# show debug

debug fsm  enabled at level 1

hostname#

Related Commands

Command	Description
show debug	Displays current debug configuration.

debug ftp client

To show debug messages for FTP, use the debug ftp client command in privileged EXEC mode. To stop showing debug messages for FTP, use the no form of this command.

debug ftp client [level]

no debug ftp client [level]

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.

Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	—

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.

---

Note Enabling the debug ftp client command may slow down traffic on busy networks.

---

Examples

The following example enables debug messages at the default level (1) for FTP:

hostname# debug ftp client

Related Commands

Command	Description
copy	Uploads or downloads image files or configuration files to or from an FTP server.
ftp mode passive	Configures the mode for FTP sessions.
show running-config ftp mode	Displays FTP client configuration.

debug generic

To display miscellaneous debug information, use the debug generic command in privileged EXEC mode. To disable the display of miscellaneous debug information, use the no form of this command.

debug generic [level]

no debug generic

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.

Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example enables miscellaneous debug messages. The show debug command reveals that miscellaneous debug messages are enabled.

hostname# debug generic

debug generic  enabled at level 1

hostname# show debug

debug generic  enabled at level 1

hostname#

Related Commands

Command	Description
show debug	Displays current debug configuration.

debug gtp

To display detailed information about GTP inspection, use the debug gtp command in privileged EXEC mode. To disable debugging, use the no form of this command.

debug gtp {error | event | ha | parser}

no debug gtp {error | event | ha | parser}

Syntax Description

error	Displays debug information on errors encountered while processing the GTP message.
event	Displays debug information on GTP events.
ha option	Debugs information on GTP HA events.
parser	Displays debug information for parsing the GTP messages.

Defaults

All options are enabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

The debug gtp command displays detailed information about GTP inspection. The no debug all or undebug all commands turn off all enabled debug commands.

---

Note GTP inspection requires a special license.

---

Examples

The following example enables the display of detailed information about GTP inspection:

hostname# debug gtp

Related Commands

Commands	Description
clear service-policy inspect gtp	Clears global GTP statistics.
gtp-map	Defines a GTP map and enables GTP map configuration mode.
inspect gtp	Applies a GTP map to use for application inspection.
show service-policy inspect gtp	Displays the GTP configuration.
show running-config gtp-map	Shows the GTP maps that have been configured.

debug h323

To show debug messages for H.323, use the debug h323 command in privileged EXEC mode. To stop showing debug messages for H.323, use the no form of this command.

debug h323 {h225 | h245 | ras} [asn | event]

no debug h323 {h225 | h245 | ras} [asn | event]

Syntax Description

h225	Specifies H.225 signaling.
h245	Specifies H.245 signaling.
ras	Specifies the registration, admission, and status protocol.
asn	(Optional) Displays the output of the decoded protocol data units (PDU)s.
event	(Optional) Displays the signaling events or turns on both traces.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	—

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.

---

Note Enabling the debug h323 command may slow down traffic on busy networks.

---

Examples

The following example enables debug messages at the default level (1) for H.225 signaling:

hostname# debug h323 h225

Related Commands

Command	Description
inspect h323	Enables H.323 application inspection.
show h225	Displays information for H.225 sessions established across the adaptive security appliance.
show h245	Displays information for H.245 sessions established across the adaptive security appliance by endpoints using slow start.
show h323-ras	Displays information for H.323 RAS sessions established across the adaptive security appliance.
timeout h225 | h323	Configures idle time after which an H.225 signalling connection or an H.323 control connection will be closed.

debug http

To display detailed information about HTTP traffic, use the debug http command in privileged EXEC mode. To disable debugging, use the no form of this command.

debug http [ level ]

no debug http [ level ]

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.

Defaults

The defafult for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	—

Command History

Release	Modification
7.0	This command was introduced.

Usage Guidelines

The debug http command displays detailed information about HTTP traffic. The no debug all or undebug all commands turn off all enabled debug commands.

Examples

The following example enables the display of detailed information about HTTP traffic:

hostname# debug http

Related Commands

Commands	Description
http	Specifies hosts that can access the HTTP server internal to the adaptive security appliance.
http-proxy	Configures an HTTP proxy server.
http redirect	Redirects HTTP traffic to HTTPS.
http server enable	Enables the adaptive security appliance HTTP server.

debug http-map

To show debug messages for HTTP application inspection maps, use the debug http-map command in privileged EXEC mode. To stop showing debug messages for HTTP application inspection, use the no form of this command.

debug http-map

no debug http-map

Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.

---

Note Enabling the debug http-map command may slow down traffic on busy networks.

---

Examples

The following example enables debug messages at the default level (1) for HTTP application inspection:

hostname# debug http-map

Related Commands

Command	Description
class-map	Defines the traffic class to which to apply security actions.
debug appfw	Displays detailed information about HTTP application inspection.
http-map	Defines an HTTP map for configuring enhanced HTTP inspection.
inspect http	Applies a specific HTTP map to use for application inspection.
policy-map	Associates a class map with specific security actions.

debug icmp

To display detailed information about ICMP inspection, use the debug icmp command in privileged EXEC mode. To disable debugging, use the no form of this command.

debug icmp trace [ level ]

no debug icmp trace [ level ]

Syntax Description

level	(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.
trace	Displays debug information about ICMP trace activity.

Defaults

All options are enabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	—

Command History

Release	Modification
7.0	This command was introduced.

Usage Guidelines

The debug icmp command displays detailed information about ICMP inspection. The no debug all or undebug all commands turn off all enabled debugs.

Examples

The following example enables the display of detailed information about ICMP inspection:

hostname# debug icmp

Related Commands

Commands	Description
clear configure icmp	Clears the ICMP configuration.
icmp	Configures access rules for ICMP traffic that terminates at a adaptive security appliance interface.
show conn	Displays the state of connections through the adaptive security appliance for different protocols and session types.
show icmp	Displays ICMP configuration.
timeout icmp	Configures idle timeout for ICMP.

debug igmp

To display IGMP debug information, use the debug igmp command in privileged EXEC mode. To stop the display of debug information, use the no form of this command.

debug igmp [group group_id | interface if_name]

no debug igmp [group group_id | interface if_name]

Syntax Description

group group_id	Displays IGMP debug information for the specified group.
interface if_name	Display IGMP debug information for the specified interface.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	—	—

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following is sample output from the debug igmp command:

hostname#debug igmp

IGMP debugging is on

IGMP: Received v2 Query on outside from 192.168.3.2

IGMP: Send v2 general Query on dmz

IGMP: Received v2 Query on dmz from 192.168.4.1

IGMP: Send v2 general Query on outside

IGMP: Received v2 Query on outside from 192.168.3.1

IGMP: Send v2 general Query on inside

IGMP: Received v2 Query on inside from 192.168.1.1

IGMP: Received v2 Report on inside from 192.168.1.6 for 224.1.1.1

IGMP: Updating EXCLUDE group timer for 224.1.1.1

Related Commands

Command	Description
show igmp groups	Displays the multicast groups with receivers that are directly connected to the adaptive security appliance and that were learned through IGMP.
show igmp interface	Displays multicast information for an interface.

debug ils

To show debug messages for ILS, use the debug ils command in privileged EXEC mode. To stop showing debug messages for ILS, use the no form of this command.

debug ils [level]

no debug ils [level]

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.

Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	—

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

To see the current debug command settings, enter the show debug command. To stop the debug output, enter the no debug command. To stop all debug messages from being displayed, enter the no debug all command.

---

Note Enabling the debug ils command may slow down traffic on busy networks.

---

Examples

The following example enables debug messages at the default level (1) for ILS application inspection:

hostname# debug ils

Related Commands

Command	Description
class-map	Defines the traffic class to which to apply security actions.
inspect ils	Enables ILS application inspection.
policy-map	Associates a class map with specific security actions.
service-policy	Applies a policy map to one or more interfaces.

Related Commands

debug imagemgr

To display Image Manager debug information, use the debug imagemgr command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.

debug imagemgr [level]

no debug imagemgr

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.

Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following shows sample output from the debug imagemgr and the show debug commands.

hostname# debug imagemgr

debug imagemgr  enabled at level 1

hostname# show debug

debug imagemgr  enabled at level 1

hostname#

Related Commands

Command	Description
show debug	Displays current debug configuration.

debug inspect tls-proxy

To show debug messages for TLS proxy inspection, use the debug inspect tls-proxy command in privileged EXEC mode. To stop showing debug messages, use the no form of this command.

debug inspect tls-proxy [all | errors | events | packets]

no debug inspect tls-proxy [all | errors | events | packets]

Syntax Description

all	Specifies all TLS proxy debugging.
errors	Specifies TLS proxy error debugging.
events	Specifies TLS proxy event debugging.
packets	Specifies TLS proxy packet debugging.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	—

Command History

Release	Modification
8.0(2)	This command was introduced.

Usage Guidelines

Using debug commands might slow down traffic on busy networks.

Examples

The following example enables debug messages for TLS proxy:

hostname# debug inspect tls-proxy

Related Commands

Command	Description
client	Defines a cipher suite and sets the local dynamic certificate issuer or keypair.
ctl-provider	Defines a CTL provider instance and enters provider configuration mode.
show tls-proxy	Shows the TLS proxies.
tls-proxy	Defines a TLS proxy instance and sets the maximum sessions.

debug ip eigrp

To display debug information EIGRP protocol packets, use the debug ip eigrp command in privileged EXEC mode. To disable the debug information display, use the no form of this command.

debug ip eigrp [as-number] [ip-addr mask | neighbor nbr-addr | notifications | summary]

no debug ip eigrp [as-number] [ip-addr mask | neighbor nbr-addr | notifications | summary]

Syntax Description

as-number	(Optional) Specifies the autonomous system number of the EIGRP process for which you are viewing the event log. Because the adaptive security appliance only supports one EIGRP routing process, you do not need to specify the autonomous system number.
ip-addr mask	(Optional) Limits debug output to messages that fall within the range defined by the IP address and network mask.
neighbor nbr-addr	(Optional) Limits debug output to the specified neighbor.
notifications	(Optional) Limits debug output to EIGRP protocol events and notifications.
summary	(Optional) Limits debug output to summary route processing.
user-interface	(Optional) Limits debug output to user events.

Defaults

If no keywords or arguments are specified, only debug messages from the IPv4 ASDM are displayed.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	—	—

Command History

Release	Modification
8.0(2)	This command was introduced.

Usage Guidelines

This command helps you analyze the packets that are sent and received on an interface.

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following is sample output from the debug ip eigrp command:

hostname# debug ip eigrp

IP-EIGRP Route Events debugging is on

EIGRP-IPv4(Default-IP-Routing-Table:1): Processing incoming UPDATE packet

EIGRP-IPv4(Default-IP-Routing-Table:1): Ext 192.168.3.0 255.255.255.0 M 386560 - 256000 
130560 SM 360960 - 256000 104960

EIGRP-IPv4(Default-IP-Routing-Table:1): Ext 192.168.0.0 255.255.255.0 M 386560 - 256000 
130560 SM 360960 - 256000 104960

EIGRP-IPv4(Default-IP-Routing-Table:1): Ext 192.168.3.0 255.255.255.0 M 386560 - 256000 
130560 SM 360960 - 256000 104960

EIGRP-IPv4(Default-IP-Routing-Table:1): 172.69.43.0 255.255.255.0, - do advertise out 
Ethernet0/1

EIGRP-IPv4(Default-IP-Routing-Table:1): Ext 172.69.43.0 255.255.255.0 metric 371200 - 
256000 115200

EIGRP-IPv4(Default-IP-Routing-Table:1): 192.135.246.0 255.255.255.0, - do advertise out 
Ethernet0/1

EIGRP-IPv4(Default-IP-Routing-Table:1): Ext 192.135.246.0 255.255.255.0 metric 46310656 - 
45714176 596480

EIGRP-IPv4(Default-IP-Routing-Table:1): 172.69.40.0 255.255.255.0, - do advertise out 
Ethernet0/1

EIGRP-IPv4(Default-IP-Routing-Table:1): Ext 172.69.40.0 255.255.255.0 metric 2272256 - 
1657856 614400

EIGRP-IPv4(Default-IP-Routing-Table:1): 192.135.245.0 255.255.255.0, - do advertise out 
Ethernet0/1

EIGRP-IPv4(Default-IP-Routing-Table:1): Ext 192.135.245.0 255.255.255.0 metric 40622080 - 
40000000 622080

EIGRP-IPv4(Default-IP-Routing-Table:1): 192.135.244.0 255.255.255.0, - do advertise out 
Ethernet0/1

Table 9-1describes the significant fields shown in the display.

Table 9-1 debug ip eigrp Field Descriptions

Field	Description
IP-EIGRP:	Indicates IP EIGRP messages.
Ext	Indicates that the following address is an external route rather than an internal route, which would be labeled as Int.
M	Displays the computed metric, which includes the value in the SM field and the cost between this router and the neighbor. The first number is the composite metric. The next two numbers are the inverse bandwidth and the delay, respectively.
SM	Displays the metric as reported by the neighbor.

Related Commands

Command	Description
debug eigrp packets	Displays debug information for EIGRP packets.

debug ipsec-over-tcp

To display IPSec-over-TCP debug information, use the debug ipsec-over-tcp command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.

debug ipsec-over-tcp [level]

no debug ipsec-over-tcp

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.

Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
7.0	This command was introduced.

Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example enables IPSec-over-TCP debug messages. The show debug command reveals that IPSec-over-TCP debug messages are enabled.

hostname# debug ipsec-over-tcp

debug ipsec-over-tcp  enabled at level 1

hostname# show debug

debug ipsec-over-tcp  enabled at level 1

hostname#

Related Commands

Command	Description
show debug	Displays current debug configuration.

debug ipv6

To display ipv6 debug messages, use the debug ipv6 command in privileged EXEC mode. To stop the display of debug messages, use the no form of this command.

debug ipv6 {icmp | interface | mld | nd | packet | routing}

no debug ipv6 {icmp | interface | nd | packet | routing}

Syntax Description

icmp	Displays debug messages for IPv6 ICMP transactions, excluding ICMPv6 neighbor discovery transactions.
interface	Displays debug information for IPv6 interfaces.
mld	Displays debug messages for Multicast Listener Discovery (MLD).
nd	Displays debug messages for ICMPv6 neighbor discovery transactions.
packet	Displays debug messages for IPv6 packets.
routing	Displays debug messages for IPv6 routing table updates and route cache updates.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following is sample output for the debug ipv6 icmp command:

hostname# debug ipv6 icmp

13:28:40:ICMPv6:Received ICMPv6 packet from 2000:0:0:3::2, type 136

13:28:45:ICMPv6:Received ICMPv6 packet from FE80::203:A0FF:FED6:1400, type 135

13:28:50:ICMPv6:Received ICMPv6 packet from FE80::203:A0FF:FED6:1400, type 136

13:28:55:ICMPv6:Received ICMPv6 packet from FE80::203:A0FF:FED6:1400, type 135

Related Commands

Command	Description
ipv6 icmp	Defines access rules for ICMP messages that terminate on a adaptive security appliance interface.
ipv6 address	Configures an interface with an IPv6 address or addresses.
ipv6 nd dad attempts	Defines the number of neighbor discovery attempts performed during duplicate address detection.
ipv6 route	Defines a static entry in the IPv6 routing table.

debug iua-proxy

To display IUA proxy debug information, use the debug iua-proxy command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.

debug iua-proxy [level]

no debug iua-proxy

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.

Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
7.0	This command was introduced.

Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example enables IUA-proxy debug messages. The show debug command reveals that IUA-proxy debug messages are enabled.

hostname# debug iua-proxy

debug iua-proxy  enabled at level 1

hostname# show debug

debug iua-proxy  enabled at level 1

hostname#

Related Commands

Command	Description
show debug	Displays current debug configuration.

debug kerberos

To display Kerberos authentication debug information, use the debug kerberos command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.

debug kerberos [level]

no debug kerberos

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.

Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
7.0	This command was introduced.

Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example enables Kerberos debug messages. The show debug command reveals that Kerberos debug messages are enabled.

hostname# debug kerberos

debug kerberos  enabled at level 1

hostname# show debug

debug kerberos  enabled at level 1

hostname#

Related Commands

Command	Description
show debug	Displays current debug configuration.

debug l2tp

To display L2TP debug information, use the debug l2tp command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.

debug l2tp {data | error | event | packet} level

no debug l2tp {data | error | event | packet} level

Syntax Description

data	displays data packet trace information.
error	Displays error events.
event	Displays L2TP connection events.
packet	Displays packet trace information.
level	(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.

Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example enables L2TP debug messages for connection events. The show debug command reveals that L2TP debug messages are enabled.

hostname# debug l2tp event 1

hostname# show debug

debug l2tp event enabled at level 1

hostname#

Related Commands

Command	Description
show debug	Displays current debug configuration.

debug ldap

To display LDAP debug information, use the debug ldap command in privileged EXEC mode. To disable the display of debug information, use the no form of this command.

debug ldap [level]

no debug ldap

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.

Defaults

The default value for level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example enables LDAP debug messages. The show debug command reveals that LDAP debug messages are enabled.

hostname# debug ldap

debug ldap  enabled at level 1

hostname# show debug

debug ldap  enabled at level 1

hostname#

Related Commands

Command	Description
show debug	Displays current debug configuration.

debug mac-address-table

To show debug messages for the MAC address table, use the debug mac-address-table command in privileged EXEC mode. To stop showing debug messages for the MAC address table, use the no form of this command.

debug mac-address-table [level]

no debug mac-address-table [level]

Syntax Description

level

(Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.

Defaults

The default level is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	—	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

Using debug commands might slow down traffic on busy networks.

Examples

The following example enables debug messages for the MAC address table:

hostname# debug mac-address-table

Related Commands

Command	Description
mac-address-table aging-time	Sets the timeout for dynamic MAC address entries.
mac-address-table static	Adds static MAC address entries to the MAC address table.
mac-learn	Disables MAC address learning.
show debug	Shows all enabled debuggers.
show mac-address-table	Shows MAC address table entries.

debug menu

To display detailed debug information for specific features, use the debug menu command in privileged EXEC mode.

debug menu

---

Caution The debug menu command should be used only under the supervision of Cisco TAC.

---

Syntax Description

This command should be used only under the supervision of Cisco TAC.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	•	•

Command History

Release	Modification
7.0	This command was introduced.

Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

This command should be used only under the supervision of Cisco TAC.

Related Commands

Command	Description
show debug	Displays current debug configuration.

debug mfib

To display MFIB debug information, use the debug mfib command in privileged EXEC mode. To stop displaying debug information, use the no form of this command.

debug mfib {db | init | mrib | pak | ps | signal} [group]

no debug mfib {db | init | mrib | pak | ps | signal} [group]

Syntax Description

db	(Optional) Displays debug information for route database operations.
group	(Optional) IP address of the multicast group.
init	(Optional) Displays system initialization activity.
mrib	(Optional) Displays debug information for communication with MFIB.
pak	(Optional) Displays debug information for packet forwarding operations.
ps	(Optional) Displays debug information for process switching operations.
signal	(Optional) Displays debug information for MFIB signaling to routing protocols.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	—	•	—	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Examples

The following example displays MFIB dabase operation debug information:

hostname# debug mfib db

MFIB IPv4 db debugging enabled

Related Commands

Command	Description
show mfib	Displays MFIB forwarding entries and interfaces.

debug mgcp

To display detailed information about MGCP application inspection, use the debug mgcp command in privileged EXEC mode. To disable debugging, Use the no form of this command.

debug mgcp {messages | parser | sessions}

no debug mgcp {messages | parser | sessions}

messages	Displays debug information about MGCP messages.
parser	Displays debug information for parsing MGCP messages.
sessions	Displays debug information about MGCP sessions.

Defaults

All options are enabled.

Command Modes

The following table shows the modes in which you can enter the command: