Cisco ASA Series CLI Configuration Guide
Chapter 1 Troubleshooting
Capturing Packets
both include forwarded data traffic and cluster LU messages. The TTL field in the IP address header is
encoded to differentiate between these two types of packets. When forwarded data packets are captured,
their clustering trailers are included in the capture file for debugging purposes.
In multiple context mode, although the cluster interface belongs to the system context, users can see the
interface, so they can configure captures on the cluster link in user contexts. In the system context, both
control plane and data plane packets are available. The data plane captures LU packets and forwarded
data packets that belong only to the system context. In user contexts, control plane packets are not
visible. Only forwarded data packets that belong to a specified user context and LU packets are captured.
For security purposes, each context can only see the packets that belong to it.
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Most of the limitations are the result of the distributed nature of the ASA architecture and the hardware
accelerators that are being used in the ASA.
• You can only capture IP traffic; you cannot capture non-IP packets such as ARPs.
• For cluster control link capture in multiple context mode, only the packet that is associated with the
context sent in the cluster control link is captured.
• In multicontext mode, the copy capture command is available only in the system space. The syntax
is as follows:
    copy /pcap capture:Context-name/in-cap tftp:
where in-cap is the capture configured in the context Context-name.
• The cluster exec capture realtime command is not supported. The following error message
appears:
Error: Real-time capture can not be run in cluster exec mode.
• For a shared VLAN, the following guidelines apply:
  – You can only configure one capture for the VLAN; if you configure a capture in multiple
    contexts on the shared VLAN, then only the last capture that was configured is used.
  – If you remove the last-configured (active) capture, no captures become active, even if you have
    previously configured a capture in another context; you must remove the capture and add it
    again to make it active.
  – All traffic that enters the interface to which the capture is attached is captured, including traffic
    to other contexts on the shared VLAN.
  – Therefore, if you enable a capture in Context A for a VLAN that is also used by Context B, both
    Context A and Context B ingress traffic are captured.
• For egress traffic, only the traffic of the context with the active capture is captured. The only
exception is when you do not enable the ICMP inspection (therefore the ICMP traffic does not have
a session in the accelerated path). In this case, both ingress and egress ICMP traffic for all contexts
on the shared VLAN is captured.
• Configuring a capture typically involves configuring an access list that matches the traffic that needs
to be captured. After an access list that matches the traffic pattern is configured, then you need to
define a capture and associate this access list to the capture, along with the interface on which the
capture needs to be configured.
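The procedure in the last bullet, combined with the multicontext copy syntax given earlier, as an added example that is not taken from the original guide. The context name ctxA, interface name inside, access list name CAP-ACL and the addresses are constructed placeholders; in-cap is the capture name used in the syntax above.

```cisco
! Constructed example: ctxA, inside, CAP-ACL and all addresses are placeholders.
!
! 1. In the user context, configure an access list that matches only the
!    traffic that needs to be captured (both directions of one flow here).
changeto context ctxA
configure terminal
access-list CAP-ACL extended permit ip host 192.0.2.10 host 198.51.100.20
access-list CAP-ACL extended permit ip host 198.51.100.20 host 192.0.2.10
exit
!
! 2. Define the capture and associate the access list and the interface with it.
capture in-cap access-list CAP-ACL interface inside
!
! 3. Confirm that the capture exists and is collecting packets.
show capture
show capture in-cap
!
! 4. In multicontext mode the copy capture command is available only in the
!    system space, so change to it and name the context in the source path.
changeto system
copy /pcap capture:ctxA/in-cap tftp:
!
! 5. Remove the capture when finished. On a shared VLAN only the
!    last-configured capture is active, so a capture left behind here
!    affects captures configured in the other contexts on that VLAN.
changeto context ctxA
no capture in-cap
```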
After you have performed a cluster-wide capture, to copy the same cluster-wide capture file to a TFTP
server, enter the following command on the master unit: