Troubleshooting

This chapter describes how to troubleshoot the ASA and ASAv and includes the following sections:

Configuring and Running Captures with the Packet Capture Wizard

You can use the Packet Capture Wizard to configure and run captures for troubleshooting errors. The captures can use ACLs to limit the type of traffic captured, the source and destination addresses and ports, and one or more interfaces. The wizard runs one capture on each of the ingress and egress interfaces. You can save the captures on your PC to examine them in a packet analyzer.

Note This tool does not support clientless SSL VPN capture.

To configure and run captures, perform the following steps:

Step 1 In the main ASDM application window, choose Wizards > Packet Capture Wizard.

The Overview of Packet Capture screen appears, with a list of the tasks through which the wizard will guide you to complete. Those tasks include the following:

    • Selecting an ingress interface.
    • Selecting an egress interface.
    • Setting the buffer parameters.
    • Running the captures.
    • Saving the captures to your PC (optional).

Step 2 Click Next.

In a clustering environment, the Cluster Option screen appears. Go to Step 3.

Note For more information about clustering, see Chapter9, “ASA Cluster”

In a non-clustering environment, the Ingress Traffic Selector screen appears. Go to Step 4.

Step 3 In the Cluster Option screen, choose one of the following options for running a capture: This device only or The whole cluster, then click Next to display the Ingress Selector screen.

Step 4 To capture packets on an interface, click the Select Interface radio button. To capture packets on the ASA CX dataplane, click the Use backplane channel radio button.

Step 5 In the Packet Match Criteria area, do one of the following:

    • To specify the ACL to use for matching packets, click the Specify access-list radio button, then choose the ACL from the Select ACL drop-down list. To add a previously configured ACL to the current drop-down list, click Manage to display the ACL Manager pane. Choose an ACL, and click OK.
    • To specify packets parameters, click the Specify Packet Parameters radio button.

Step 6 To continue, see Ingress Traffic Selector.

Step 7 Click Next to display the Egress Traffic Selector screen. To continue, see Egress Traffic Selector.

Note The source port services, destination port services, and ICMP type are read-only and are based on the choices that you made in the Ingress Traffic Selector screen.

Step 8 Click Next to display the Buffers & Captures screen. To continue, see Buffers.

Step 9 In the Capture Parameters area, to obtain the latest capture every 10 seconds automatically, check the Get capture every 10 seconds check box. By default, this capture uses the circular buffer.

Step 10 In the Buffer Parameters area, you specify the buffer size and packet size. The buffer size is the maximum amount of memory that the capture can use to store packets. The packet size is the longest packet that the capture can hold. We recommend that you use the longest packet size to capture as much information as possible.

a. Enter the packet size. The valid size ranges from 14 - 1522 bytes.

b. Enter the buffer size. The valid size ranges from 1534 - 33554432 bytes.

c. Check the Use circular buffer check box to store captured packets.

Note When you choose this setting, if all the buffer storage is used, the capture starts overwriting the oldest packets.

Step 11 Click Next to display the Summary screen, which shows the cluster options for all units in the cluster (if you are using clustering), traffic selectors, and buffer parameters that you have entered. To continue, see Summary.

Step 12 Click Next to display the Run Captures screen, and then click Start to begin capturing packets. Click Stop to end the capture. To continue, see Run Captures. If you are using clustering, go to Step 14.

Step 13 Click Get Capture Buffer to determine how much buffer space you have remaining. Click Clear Buffer on Device to remove the current content and allow room in the buffer to capture more packets.

Step 14 In a clustering environment, on the Run Captures screen, perform one or more of the following steps:

    • Click Get Cluster Capture Summary to view a summary of packet capture information for all units in the cluster, followed by packet capture information for each unit.
    • Click Get Capture Buffer to determine how much buffer space you have remaining in each unit of the cluster. The Capture Buffer from Device dialog box appears.
    • Click Clear Capture Buffer to remove the current content for one or all of the units in a cluster and allow room in the buffer to capture more packets.

Step 15 Click Save captures to display the Save Capture dialog box. You have the option of saving either the ingress capture, the egress capture, or both. To continue, see Save Captures.

Step 16 To save the ingress packet capture, click Save Ingress Capture to display the Save capture file dialog box. Specify the storage location on your PC, and click Save.

Step 17 Click Launch Network Sniffer Application to start the packet analysis application specified in Tools > Preferences for analyzing the ingress capture.

Step 18 To save the egress packet capture, click Save Egress Capture to display the Save capture file dialog box. Specify the storage location on your PC, and click Save.

Step 19 Click Launch Network Sniffer Application to start the packet analysis application specified in Tools > Preferences for analyzing the egress capture.

Step 20 Click Close, then click Finish to exit the wizard.

 

Ingress Traffic Selector

To configure the ingress interface, source and destination hosts or networks, and the protocol for packet capture, perform the following steps:

Step 1 In the Point of Ingress area, choose the ingress interface name from the drop-down list.

Step 2 Enter the ingress source host and network. To capture packets on the ASA CX dataplane, click the Use backplane channel radio button.

Step 3 Enter the ingress destination host and network.

Step 4 Enter the protocol type to capture. Available protocols are ah, eigrp, esp, gre, icmp, icmp6, igmp, igrp, ip, ipinip, nos, ospf, pcp, pim, snp, tcp, or udp.

a. Enter the ICMP type for ICMP only. Available types include all, alternate address, conversion-error, echo, echo-reply, information-reply, information-request, mask-reply, mask-request, mobile-redirect, parameter-problem, redirect, router-advertisement, router-solicitation, source-quench, time-exceeded, timestamp-reply, timestamp-request, traceroute, or unreachable.

b. Specify the source and destination port services for the TCP and UDP protocols only. Available options include the following:

To include all services, choose All Services.

To include a service group, choose Service Groups.

To include a specific service, choose one of the following: aol, bgp, chargen, cifx, citrix-ica, ctiqbe, daytime, discard, domain, echo, exec, finger, ftp, ftp-data, gopher, h323, hostname, http, https, ident, imap4, irc, kerberos, klogin, kshell, ldap, ldaps, login, lotusnotes, lpd, netbios-ssn, nntp, pcanywhere-data, pim-auto-rp, pop2, pop3, pptp, rsh, rtsp, sip, smtp, sqlnet, ssh, sunrpc, tacacs, talk, telnet, uucp, or whois.

 

Egress Traffic Selector

To configure the egress interface, source and destination hosts/networks, and source and destination port services for packet capture, perform the following steps:

Step 1 To capture packets on an interface, click the Select Interface radio button. To capture packets on the ASA CX dataplane, click the Use backplane channel radio button.

Step 2 In the Point of Egress area, choose the egress interface name from the drop-down list.

Step 3 Enter the egress source host and network.

Step 4 Enter the egress destination host and network.

The protocol type selected during the ingress configuration is already listed.

 

Buffers

To configure the packet size, buffer size, and use of the circular buffer for packet capture, perform the following steps.

Step 1 Enter the longest packet that the capture can hold. Use the longest size available to capture as much information as possible.

Step 2 Enter the maximum amount of memory that the capture can use to store packets.

Step 3 Use the circular buffer to store packets. When the circular buffer has used all of the buffer storage, the capture will overwrite the oldest packets first.

 

Summary

The Summary screen shows the cluster options (if you are using clustering), traffic selectors, and the buffer parameters for the packet capture selected in the previous wizard screens.

Run Captures

To start and stop the capture session, view the capture buffer, launch a network analyzer application, save packet captures, and clear the buffer, perform the following steps:

Step 1 To begin the packet capture session on a selected interface, click Start.

Step 2 To stop the packet capture session on a selected interface, click Stop.

Step 3 To obtain a snapshot of the captured packets on the interface, click Get Capture Buffer.

Step 4 To show the capture buffer on the ingress interface, click Ingress.

Step 5 To show the capture buffer on the egress interface, click Egress.

Step 6 To clear the buffer on the device, click Clear Buffer on Device.

Step 7 To start the packet analysis application for analyzing the ingress capture or the egress capture specified in Tools > Preferences, click Launch Network Sniffer Application.

Step 8 To save the ingress and egress captures in either ASCII or PCAP format, click Save Captures.

 

Save Captures

To save the ingress and egress packet captures to ASCII or PCAP file format for further packet analysis, perform the following steps:

Step 1 To save the capture buffer in ASCII format, click ASCII.

Step 2 To save the capture buffer in PCAP format, click PCAP.

Step 3 To specify a file in which to save the ingress packet capture, click Save ingress capture.

Step 4 To specify a file in which to save the egress packet capture, click Save egress capture.

 

vCPU Usage in the ASAv

The ASAv vCPU usage shows the amount of vCPUs used for the data path, control point, and external processes.

The vSphere reported vCPU usage includes the ASAv usage as described plus:

  • ASAv idle time
  • %SYS overhead used for the ASAv VM
  • Overhead of moving packets between vSwitches, vNICs, and pNICs. This overhead can be quite significant.

CPU Usage Example

The following is an example in which the reported vCPU usage is substantially different:

  • ASAv reports: 40%
  • DP: 35%
  • External Processes: 5%
  • vSphere reports: 95%
  • ASA (as ASAv reports): 40%
  • ASA idle polling: 10%
  • Overhead: 45%

The overhead is used to perform hypervisor functions and to move packets between NICs and vNICs using the vSwitch.

Usage can exceed 100% because the ESXi server can use additional compute resources for overhead on behalf of the ASAv.

VMware CPU Usage Reporting

In vSphere, click the VM Performance tab, then click Advanced to display the Chart Options drop-down list, which shows vCPU usage for each state (%USER, %IDLE, %SYS, and so on) of the VM. This information is useful for understanding VMware’s perspective on where CPU resources are being used.

On the ESXi server shell (you access the shell by using SSH to connect to the host), esxtop is available. Esxtop has a similar look and feel to the Linux top command and provides VM state information for vSphere performance, including the following:

  • Details on vCPU, memory, and network usage
  • vCPU usage for each state of each VM.
  • Memory (type M while running) and network (type N while running), as well as statistics and the number of RX drops

ASAv and vCenter Graphs

There are differences in the CPU % numbers between the ASAv and vCenter:

  • The vCenter graph numbers are always higher than the ASAv numbers.
  • vCenter calls it %CPU usage; the ASAv calls it %CPU utilization.

The terms “%CPU utilization” and “%CPU usage” mean different things:

  • CPU utilization provides statistics for physical CPUs.
  • CPU usage provides statistics for logical CPUs, which is based on CPU hyperthreading. But because only one vCPU is used, hyperthreading is not turned on.

vCenter calculates the CPU % usage as follows:

Amount of actively used virtual CPUs, specified as a percentage of the total available CPUs

This calculation is the host view of the CPU usage, not the guest operating system view, and is the average CPU utilization over all available virtual CPUs in the virtual machine.

For example, if a virtual machine with one virtual CPU is running on a host that has four physical CPUs and the CPU usage is 100%, the virtual machine is using one physical CPU completely. The virtual CPU usage calculation is as follows:

Usage in MHz / number of virtual CPUs x core frequency

When you compare the usage in MHz, both the vCenter and ASAv numbers match. According to the vCenter graph, MHz % CPU usage is calculated as:

60/(2499 x 1 vCPU) = 2.4