C H A P T E R 43 Troubleshooting The Security Appliance - Cisco FirePOWER ASA 5500 series Configuration Manual

Testing Your Configuration
Step 2 To set system messages to be sent to Telnet or SSH sessions, enter the following command:
hostname(config)# logging monitor debug
You can alternately use logging buffer debug to send messages to a buffer, and then view them later
using the show logging command.
Step 3 To send the system messages to your Telnet or SSH session, enter the following command:
hostname(config)# terminal monitor
To enable system messages, enter the following command:
Step 4
hostname(config)# logging on
The following example shows a successful ping from an external host (209.165.201.2) to the security
appliance outside interface (209.165.201.1):
hostname(config)# debug icmp trace
Inbound ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 512) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 768) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 768) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 1024) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 1024) 209.165.201.1 > 209.165.201.2
The preceding example shows the ICMP packet length (32 bytes), the ICMP packet identifier (1), and
the ICMP sequence number (the ICMP sequence number starts at 0 and is incremented each time a
request is sent).
Pinging Security Appliance Interfaces
To test that the security appliance interfaces are up and running and that the security appliance and
connected routers are routing correctly, you can ping the security appliance interfaces. To ping the
security appliance interfaces, perform the following steps:
Step 1 Create a sketch of your single mode security appliance or security context showing the interface names,
security levels, and IP addresses.
Note Although this procedure uses IP addresses, the ping command also supports DNS names and names
assigned to a local IP address with the name command.
The sketch should also include any directly connected routers, and a host on the other side of the router
from which you will ping the security appliance. You will use this information for this procedure as well
as the procedure in the
Cisco Security Appliance Command Line Configuration Guide
43-2
"Pinging Through the Security Appliance" section on page
Chapter 43 Troubleshooting the Security Appliance
43-4. For example:
OL-10088-01