Cisco Network Security Troubleshooting Handbook

The importance of the show and debug commands cannot be overemphasized for IOS firewall troubleshooting. Although show commands are useful to find the actual status of a connection, debug commands provide the details of the connections. Details about the show and debug commands are discussed in the following sections:

show Commands

The show command for CBAC that is available on the Cisco IOS router has the following options:

show ip inspect {name inspection-name | config | interfaces | session [detail] | all}

The most commonly used command is show ip inspect session detail, which shows the status of the session and other meaningful information as shown in Example 5-11:

Example 5-11. Sample Output of show ip inspect session detail

Router# show ip inspect session detail
Established Sessions
! The status SIS_OPEN means the session is established
 Session 817298C4 (10.1.1.2:11005)=>(200.1.1.1:23) tcp SIS_OPEN
  Created 00:00:06, Last heard 00:00:03
  Bytes sent (initiator:responder) [37:83] acl created 1
  Inbound access-list 101 applied to interface FastEthernet0/1
Half-open Sessions
! The status SIS_OPENING means the session is not established. In the case of TCP, the three-
! way handshake is not completed. In the case of UDP, the reply packets have not been seen by
! the inspection engine.
 Session 81729A34 (10.1.1.2:11006)=>(200.1.1.10:23) tcp SIS_OPENING
  Created 00:00:03, Last heard 00:00:01
  Bytes sent (initiator:responder) [0:0] acl created 1
  Inbound access-list 101 applied to interface FastEthernet0/1

The most important information is the connection status. The connection status across CBAC can be in one of the following four states:

  • SIS_OPENING This is the state of the session when a SYN has been received but the complete three-way handshake is not over.

  • SIS_OPEN This is the state of the session when the initial three-way handshake is over and the session has moved to an established state.

  • SIS_CLOSING This is the state of the session when a FIN is received but the entire closing sequence has not been achieved.

  • SIS_CLOSE This is the state of the session when the FIN and FIN ACKs have been received by both sides and the session is closed.

If you want to view the configuration, you can execute show ip inspect all as shown in Example 5-12:

Example 5-12. Sample Output of show ip inspect all

Router# show ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name myfw
    tcp alert is on audit-trail is off timeout 3600
Interface Configuration
 Interface FastEthernet0/0
  Inbound inspection rule is myfw
    tcp alert is on audit-trail is off timeout 3600
  Outgoing inspection rule is not set
  Inbound access list is not set
  Outgoing access list is not set
Router#
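When troubleshooting, the first thing to check in show ip inspect session detail is how many sessions are stuck in SIS_OPENING and whether that count is approaching the max-incomplete thresholds reported by show ip inspect all. The following Python script is an added example, not from the book: it parses the Session and Bytes sent lines, counts sessions per state, lists the destinations whose half-open sessions have never received a responder byte, and compares the half-open count against a threshold you pass in (the 500 default mirrors the [400:500] high-water mark in Example 5-12). The sample output is constructed from Example 5-11 with one extra half-open session added.

```python
import re
from collections import Counter

# Constructed sample, modelled on Example 5-11 (not captured from a real router).
SAMPLE = """\
Router# show ip inspect session detail
Established Sessions
 Session 817298C4 (10.1.1.2:11005)=>(200.1.1.1:23) tcp SIS_OPEN
  Created 00:00:06, Last heard 00:00:03
  Bytes sent (initiator:responder) [37:83] acl created 1
  Inbound access-list 101 applied to interface FastEthernet0/1
Half-open Sessions
 Session 81729A34 (10.1.1.2:11006)=>(200.1.1.10:23) tcp SIS_OPENING
  Created 00:00:03, Last heard 00:00:01
  Bytes sent (initiator:responder) [0:0] acl created 1
  Inbound access-list 101 applied to interface FastEthernet0/1
 Session 81729B10 (10.1.1.2:11007)=>(200.1.1.10:23) tcp SIS_OPENING
  Created 00:00:02, Last heard 00:00:02
  Bytes sent (initiator:responder) [0:0] acl created 1
  Inbound access-list 101 applied to interface FastEthernet0/1
"""

SESSION_RE = re.compile(
    r"Session\s+(?P<sis>[0-9A-F]+)\s+"
    r"\((?P<src>[\d.]+):(?P<sport>\d+)\)=>\((?P<dst>[\d.]+):(?P<dport>\d+)\)\s+"
    r"(?P<proto>\w+)\s+(?P<state>SIS_\w+)")
BYTES_RE = re.compile(r"Bytes sent \(initiator:responder\) \[(\d+):(\d+)\]")

def parse_sessions(text):
    """Return one dict per 'Session' line, with the byte counters of the following line attached."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            sessions.append(d)
            continue
        b = BYTES_RE.search(line)
        if b and sessions:
            sessions[-1]["bytes_init"], sessions[-1]["bytes_resp"] = int(b.group(1)), int(b.group(2))
    return sessions

def half_open_report(sessions, high_threshold=500):
    """Count sessions per SIS_* state and flag when the number of half-open (SIS_OPENING)
    sessions reaches the max-incomplete high threshold, the point at which CBAC starts
    deleting half-open sessions. high_threshold is an assumed parameter; read the real
    value from 'show ip inspect all' on the router being examined."""
    counts = Counter(s["state"] for s in sessions)
    half_open = counts.get("SIS_OPENING", 0)
    # Half-open sessions with no responder bytes at all are the ones to look at first.
    stalled = [s for s in sessions if s["state"] == "SIS_OPENING" and s.get("bytes_resp", 0) == 0]
    return {"counts": dict(counts), "half_open": half_open,
            "stalled_targets": sorted({(s["dst"], s["dport"]) for s in stalled}),
            "over_threshold": half_open >= high_threshold}
```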

show access-list shows whether the access control entry (ACE) has been created for the return traffic in the direction opposite to the inspection rule, as shown in Example 5-13:

Example 5-13. Displaying a Dynamic Access-List Created by CBAC

Router# show access-list 101
! ACL 101 before CBAC created the dynamic ACE
Extended IP access list 101
    10 deny ip any any (1563 matches)
Router# show access-list 101
Extended IP access list 101
! The following ACE is dynamically created by CBAC
    permit tcp host 200.1.1.1 eq telnet host 10.1.1.2 eq 11015 (12 matches)
    10 deny ip any any (1571 matches)
Router#

debug commands

Before getting into the discussion of any debug command, you should understand how the packet flows through the router when CBAC is configured. Figure 5-5 shows the flow chart of the packet flow with CBAC configuration.

Figure 5-5. Packet Flow Across a Router with CBAC Configuration

Following is a brief description of the packet flow based on Figure 5-5 when CBAC is configured.

1. The packet comes into the input interface.

2. If it is an IPsec packet, the IPsec packet goes through IDS checking for atomic signatures on the input interface. The auth-proxy is not called for an IPsec packet, but the inbound ACL of the input interface is applied. IPsec decrypts the packet, and the decrypted packet is put back in the input queue.

3. The decrypted packet goes through IDS checking for atomic signatures for the input interface.

4. Authentication-proxy starts here.

5. The inbound ACL of the input interface is applied. If it is a decrypted IPsec packet and you are running version 12.3.8(T) or later, the ACL check is skipped at this stage. Otherwise, this ACL check is performed.

6. NAT inbound is applied.

7. Routing occurs.

8. NAT outbound is applied.

9. IDS checking for atomic signatures for the output interface occurs.

10. The outbound ACL of the output interface is applied.

11. Firewall processing occurs.

12. IDS checking for composite signatures occurs.

13. If IPsec is required, IPsec encrypts the packet.

14. The packet goes out the output interface.

An important point to note here is that the preceding flow applies in both the inbound and outbound directions on both the outside and inside interfaces.

debug commands are used to see the details of the sequence of events discussed in the preceding section. The most frequently used debug commands are:

  • debug ip inspect object-creation

  • debug ip inspect object-deletion

  • debug ip inspect events

  • debug ip inspect tcp

  • debug ip inspect application_protocol

The first three commands are used in conjunction with either of the last two commands, depending on requirements. If an Application layer protocol is inspected, the last command is used; otherwise, debug ip inspect tcp is used.

Example 5-14 shows sample output of debug ip inspect object-creation, debug ip inspect object-deletion, and debug ip inspect events. This information is extremely important to see when you have any issues with CBAC.

Example 5-14. Sample Output of Object Creation and Deletion

Router#debug ip inspect object-creation
Router#debug ip inspect object-deletion
Router#debug ip inspect events
! The asterisk means it's getting process switched
*Apr 3 01:53:30.707: CBAC Pak 8161F0B0 sis 81729A34 initiator_addr (10.1.1.2:11007) responder_addr (200.1.1.1:23) initiator_alt_addr (10.1.1.2:11007) responder_alt_addr (200.1.1.1:23)
! Session is getting created based on the above Layer 4 information
*Apr 3 01:53:30.711: CBAC OBJ_CREATE: create sis 81729A34
! Access list is getting created for return traffic
*Apr 3 01:53:30.711: CBAC OBJ_CREATE: create acl wrapper 8172EB80 -- acl item 816C8CFC
*Apr 3 01:53:30.711: CBAC Src 200.1.1.1 Port [23:23]
*Apr 3 01:53:30.711: CBAC Dst 10.1.1.2 Port [11007:11007]
*Apr 3 01:53:30.711: CBAC OBJ_CREATE: create host entry 817AC174 addr 200.1.1.1 bucket 201
*Apr 3 01:53:30.847: CBAC OBJ_DELETE: delete host entry 817AC174 addr 200.1.1.1
! Once the connection is done, the following 2 lines will be shown
*Apr 3 01:59:01.907: CBAC OBJ_DELETE: delete sis 81729A34
*Apr 3 01:59:01.907: CBAC OBJ_DELETE: delete create acl wrapper 8172EB80 -- acl item 816C8CFC

Example 5-15 shows sample output of debug ip inspect tcp for a successful TCP connection.

Example 5-15. Sample Output of debug ip inspect tcp

Router#debug ip inspect tcp
! TCP 3-way handshake is getting done
*Apr 3 02:01:35.742: CBAC sis 81729A34 pak 81455E10 TCP SYN SEQ 1004792293 LEN 0 (10.1.1.2:11008) => (200.1.1.1:23)
*Apr 3 02:01:35.746: CBAC* sis 81729A34 pak 81534BC0 TCP SYN ACK 1004792294 SEQ 354756859 LEN 0 (200.1.1.1:23) <= (10.1.1.2:11008)
*Apr 3 02:01:35.750: CBAC* sis 81729A34 pak 814E8284 TCP ACK 354756860 SEQ 1004792294 LEN 0 (10.1.1.2:11008) => (200.1.1.1:23)
*Apr 3 02:01:35.750: CBAC* sis 81729A34 pak 814E8284 TCP PSH ACK 354756860 SEQ 1004792294 LEN 12 (10.1.1.2:11008) => (200.1.1.1:23)
*Apr 3 02:01:35.750: CBAC* sis 81729A34 pak 814E8284 TCP ACK 354756860 SEQ 1004792306 LEN 0 (10.1.1.2:11008) => (200.1.1.1:23)
*Apr 3 02:01:35.750: CBAC* sis 81729A34 pak 81534BC0 TCP PSH ACK 1004792294 SEQ 354756860 LEN 12 (200.1.1.1:23) <= (10.1.1.2:11008)
*Apr 3 02:01:35.754: CBAC* sis 81729A34 pak 814E8284 TCP PSH ACK 354756872 SEQ 1004792306 LEN 3 (10.1.1.2:11008) => (200.1.1.1:23)
....
....
! Upon seeing the FIN, connections are getting torn down.
*Apr 3 02:02:00.378: CBAC* sis 81729A34 pak 81534BC0 TCP FIN PSH ACK 1004792337 SEQ 354756955 LEN 0 (200.1.1.1:23) <= (10.1.1.2:11008)
*Apr 3 02:02:00.382: CBAC* sis 81729A34 pak 814E8284 TCP ACK 354756956 SEQ 1004792337 LEN 0 (10.1.1.2:11008) => (200.1.1.1:23)
*Apr 3 02:02:00.386: CBAC* sis 81729A34 pak 814E8284 TCP FIN PSH ACK 354756956 SEQ 1004792337 LEN 0 (10.1.1.2:11008) => (200.1.1.1:23)
*Apr 3 02:02:00.390: CBAC* sis 81729A34 pak 81534BC0 TCP ACK 1004792338 SEQ 354756956 LEN 0 (200.1.1.1:23) <= (10.1.1.2:11008)
Router#
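To relate the TCP flags in this debug output to the four SIS states listed earlier, here is an added Python example (not from the book) that replays debug ip inspect tcp lines and records the state transitions the inspection engine goes through: the initiator's SYN gives SIS_OPENING, the third packet of the handshake gives SIS_OPEN, the first FIN gives SIS_CLOSING, and the ACK of the second FIN gives SIS_CLOSE. The sample lines are constructed from Example 5-15 with the elided middle of the session left out; a session whose SYN is never answered stays in SIS_OPENING, which is what the half-open list in Example 5-11 shows.

```python
import re

# Constructed sample modelled on Example 5-15 (not captured from a real router).
DEBUG_TCP = """\
*Apr 3 02:01:35.742: CBAC sis 81729A34 pak 81455E10 TCP SYN SEQ 1004792293 LEN 0 (10.1.1.2:11008) => (200.1.1.1:23)
*Apr 3 02:01:35.746: CBAC* sis 81729A34 pak 81534BC0 TCP SYN ACK 1004792294 SEQ 354756859 LEN 0 (200.1.1.1:23) <= (10.1.1.2:11008)
*Apr 3 02:01:35.750: CBAC* sis 81729A34 pak 814E8284 TCP ACK 354756860 SEQ 1004792294 LEN 0 (10.1.1.2:11008) => (200.1.1.1:23)
*Apr 3 02:01:35.750: CBAC* sis 81729A34 pak 814E8284 TCP PSH ACK 354756860 SEQ 1004792294 LEN 12 (10.1.1.2:11008) => (200.1.1.1:23)
*Apr 3 02:02:00.378: CBAC* sis 81729A34 pak 81534BC0 TCP FIN PSH ACK 1004792337 SEQ 354756955 LEN 0 (200.1.1.1:23) <= (10.1.1.2:11008)
*Apr 3 02:02:00.382: CBAC* sis 81729A34 pak 814E8284 TCP ACK 354756956 SEQ 1004792337 LEN 0 (10.1.1.2:11008) => (200.1.1.1:23)
*Apr 3 02:02:00.386: CBAC* sis 81729A34 pak 814E8284 TCP FIN PSH ACK 354756956 SEQ 1004792337 LEN 0 (10.1.1.2:11008) => (200.1.1.1:23)
*Apr 3 02:02:00.390: CBAC* sis 81729A34 pak 81534BC0 TCP ACK 1004792338 SEQ 354756956 LEN 0 (200.1.1.1:23) <= (10.1.1.2:11008)
"""

# "=>" lines go from initiator to responder, "<=" lines from responder to initiator.
LINE_RE = re.compile(
    r"CBAC\*? sis (?P<sis>[0-9A-F]+) pak \w+ TCP (?P<flags>[A-Z ]+?)(?: (?P<ack>\d+))?"
    r" SEQ (?P<seq>\d+) LEN (?P<len>\d+) \([\d.:]+\) (?P<dir><=|=>) \([\d.:]+\)")

def track_states(debug_text):
    """Replay debug ip inspect tcp lines and return, per session id (sis), the ordered
    list of SIS_* states the session passed through."""
    sessions = {}  # sis -> {"state", "synack", "fins", "history"}
    for line in debug_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        flags = set(m["flags"].split())
        s = sessions.setdefault(m["sis"], {"state": None, "synack": False, "fins": set(), "history": []})
        new = None
        if "SYN" in flags and "ACK" not in flags and m["dir"] == "=>":
            new = "SIS_OPENING"                  # initiator's SYN: session is half-open
        elif "SYN" in flags and "ACK" in flags:
            s["synack"] = True                   # responder answered; handshake not over yet
        elif "FIN" in flags:
            s["fins"].add(m["dir"])
            new = "SIS_CLOSING"                  # first FIN starts the teardown
        elif "ACK" in flags and s["state"] == "SIS_OPENING" and s["synack"]:
            new = "SIS_OPEN"                     # third packet of the handshake: established
        elif "ACK" in flags and s["state"] == "SIS_CLOSING" and len(s["fins"]) == 2:
            new = "SIS_CLOSE"                    # both FINs seen and the last one acknowledged
        if new and new != s["state"]:
            s["state"] = new
            s["history"].append(new)
    return {sis: s["history"] for sis, s in sessions.items()}
```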

If you have NAT configured with CBAC, you can run debug ip nat in conjunction with debug ip packet detail ACL. The ACL can be the name or number that defines the source and destination of the traffic that you want to troubleshoot.

Syslog

The debug commands discussed in the preceding section might overwhelm the router if their output is sent to the console or monitor. So, if a syslog server is not available, it is better to send the debug output to the logging buffer and capture it there:

  • Disable the console and monitor logging for debug messages

    router(config)# no logging console debugging

  • Enable buffered logging and increase the buffer size to 1000000

    router(config)# logging buffered 1000000
    router(config)# logging buffered debugging

  • Enable the required CBAC-related debug as discussed earlier.

  • When the problem occurs, collect the debug output in the buffer and examine the output with the following command:

    router# show logging

Packet Capture (Sniffer Traces)

Sometimes you may run into a problem in which syslog, even after running the debug commands, does not give very conclusive results, because other network-related issues may be affecting the packet flow. In this rare circumstance, capturing sniffer traces simultaneously on the incoming and outgoing interface segments may help isolate the problem. A very popular and free downloadable sniffer is Ethereal, www.ethereal.com.
