For better troubleshooting it can be helpful to analyze the TCP traffic passing through a Cisco ASA directly. This can be checked on the ASA itself, via the CLI and a web browser.

Enabling the trace

The contents of a trace must be stored in a dump file. To create a dump file, enter the following line:

capture dumpfile1 interface inside match icmp host 192.168.130.25 any

Displaying the dump file on the CLI

show capture
capture dumpfile1 type raw-data interface Inside [Capturing - 1824 bytes]
  match icmp host 192.168.130.25 any
show capture dumpfile1
16 packets captured
   1: 12:33:37.841463 192.168.130.25 > 192.168.130.3: icmp: echo request
   2: 12:33:37.841692 192.168.130.3 > 192.168.130.25: icmp: echo reply
   3: 12:33:38.845125 192.168.130.25 > 192.168.130.3: icmp: echo request
   4: 12:33:38.845338 192.168.130.3 > 192.168.130.25: icmp: echo reply
   5: 12:33:39.845140 192.168.130.25 > 192.168.130.3: icmp: echo request
   6: 12:33:39.845338 192.168.130.3 > 192.168.130.25: icmp: echo reply
   7: 12:33:40.845171 192.168.130.25 > 192.168.130.3: icmp: echo request
   8: 12:33:40.845384 192.168.130.3 > 192.168.130.25: icmp: echo reply
   9: 12:33:41.845827 192.168.130.25 > 192.168.130.3: icmp: echo request
  10: 12:33:41.846040 192.168.130.3 > 192.168.130.25: icmp: echo reply
  11: 12:33:42.849260 192.168.130.25 > 192.168.130.3: icmp: echo request
  12: 12:33:42.849473 192.168.130.3 > 192.168.130.25: icmp: echo reply
  13: 12:33:43.850114 192.168.130.25 > 192.168.130.3: icmp: echo request
  14: 12:33:43.850328 192.168.130.3 > 192.168.130.25: icmp: echo reply
  15: 12:33:44.857392 192.168.130.25 > 192.168.130.3: icmp: echo request
  16: 12:33:44.857606 192.168.130.3 > 192.168.130.25: icmp: echo reply

 

Detailed display of the dump file:

show capture dumpfile1 detail
6 packets captured
   1: 12:33:37.841463 7ee5.81a4.c453 0023.33bb.86b3 0x0800 98: 192.168.130.25 > 192.168.130.3: icmp: echo request (DF) (ttl 64, id 0)
   2: 12:33:37.841692 0023.33bb.86b3 7ee5.81a4.c453 0x0800 98: 192.168.130.3 > 192.168.130.25: icmp: echo reply (ttl 255, id 29212)
   3: 12:33:38.845125 7ee5.81a4.c453 0023.33bb.86b3 0x0800 98: 192.168.130.25 > 192.168.130.3: icmp: echo request (DF) (ttl 64, id 0)
   4: 12:33:38.845338 0023.33bb.86b3 7ee5.81a4.c453 0x0800 98: 192.168.130.3 > 192.168.130.25: icmp: echo reply (ttl 255, id 18963)
   5: 12:33:39.845140 7ee5.81a4.c453 0023.33bb.86b3 0x0800 98: 192.168.130.25 > 192.168.130.3: icmp: echo request (DF) (ttl 64, id 0)
   6: 12:33:39.845338 0023.33bb.86b3 7ee5.81a4.c453 0x0800 98: 192.168.130.3 > 192.168.130.25: icmp: echo reply (ttl 255, id 10148)
   7: 12:33:40.845171 7ee5.81a4.c453 0023.33bb.86b3 0x0800 98: 192.168.130.25 > 192.168.130.3: icmp: echo request (DF) (ttl 64, id 0)
   8: 12:33:40.845384 0023.33bb.86b3 7ee5.81a4.c453 0x0800 98: 192.168.130.3 > 192.168.130.25: icmp: echo reply (ttl 255, id 28185)
   9: 12:33:41.845827 7ee5.81a4.c453 0023.33bb.86b3 0x0800 98: 192.168.130.25 > 192.168.130.3: icmp: echo request (DF) (ttl 64, id 0)
  10: 12:33:41.846040 0023.33bb.86b3 7ee5.81a4.c453 0x0800 98: 192.168.130.3 > 192.168.130.25: icmp: echo reply (ttl 255, id 5376)
  11: 12:33:42.849260 7ee5.81a4.c453 0023.33bb.86b3 0x0800 98: 192.168.130.25 > 192.168.130.3: icmp: echo request (DF) (ttl 64, id 0)
  12: 12:33:42.849473 0023.33bb.86b3 7ee5.81a4.c453 0x0800 98: 192.168.130.3 > 192.168.130.25: icmp: echo reply (ttl 255, id 24089)
  13: 12:33:43.850114 7ee5.81a4.c453 0023.33bb.86b3 0x0800 98: 192.168.130.25 > 192.168.130.3: icmp: echo request (DF) (ttl 64, id 0)
  14: 12:33:43.850328 0023.33bb.86b3 7ee5.81a4.c453 0x0800 98: 192.168.130.3 > 192.168.130.25: icmp: echo reply (ttl 255, id 31467)
  15: 12:33:44.857392 7ee5.81a4.c453 0023.33bb.86b3 0x0800 98: 192.168.130.25 > 192.168.130.3: icmp: echo request (DF) (ttl 64, id 0)
  16: 12:33:44.857606 0023.33bb.86b3 7ee5.81a4.c453 0x0800 98: 192.168.130.3 > 192.168.130.25: icmp: echo reply (ttl 255, id 25903)

Hex dump output of a dump file

show capture dumpfile1 detail dump
16 packets captured
   1: 12:33:37.841463 7ee5.81a4.c453 0023.33bb.86b3 0x0800 98: 192.168.130.25 > 192.168.130.3: icmp: echo request (DF) (ttl 64, id 0)
0x0000   4500 0054 0000 4000 4001 b53b c0a8 8219        E..T..@.@..;....
0x0010   c0a8 8203 0800 0c9d 8602 0001 1aa3 444a        ..............DJ
0x0020   0e6f 0d00 0809 0a0b 0c0d 0e0f 1011 1213        .o..............
0x0030   1415 1617 1819 1a1b 1c1d 1e1f 2021 2223        ............ !"#
0x0040   2425 2627 2829 2a2b 2c2d 2e2f 3031 3233        $%&'()*+,-./0123
0x0050   3435 3637                                      4567
   2: 12:33:37.841692 0023.33bb.86b3 7ee5.81a4.c453 0x0800 98: 192.168.130.3 > 192.168.130.25: icmp: echo reply (ttl 255, id 29212)
0x0000   4500 0054 721c 0000 ff01 c41e c0a8 8203        E..Tr...........
0x0010   c0a8 8219 0000 149d 8602 0001 1aa3 444a        ..............DJ
0x0020   0e6f 0d00 0809 0a0b 0c0d 0e0f 1011 1213        .o..............
0x0030   1415 1617 1819 1a1b 1c1d 1e1f 2021 2223        ............ !"#
0x0040   2425 2627 2829 2a2b 2c2d 2e2f 3031 3233        $%&'()*+,-./0123
0x0050   3435 3637                                      4567
   3: 12:33:38.845125 7ee5.81a4.c453 0023.33bb.86b3 0x0800 98: 192.168.130.25 > 192.168.130.3: icmp: echo request (DF) (ttl 64, id 0)
0x0000   4500 0054 0000 4000 4001 b53b c0a8 8219        E..T..@.@..;....
0x0010   c0a8 8203 0800 038e 8602 0002 1ba3 444a        ..............DJ
0x0020   167d 0d00 0809 0a0b 0c0d 0e0f 1011 1213        .}..............
0x0030   1415 1617 1819 1a1b 1c1d 1e1f 2021 2223        ............ !"#
0x0040   2425 2627 2829 2a2b 2c2d 2e2f 3031 3233        $%&'()*+,-./0123
0x0050   3435 3637                                      4567
...
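To check a hex dump like the one above offline, the following added example (not part of the original page) rebuilds the packet bytes from the dump text, decodes the fields that "detail" prints, and verifies the IPv4 and ICMP checksums. The function names are hypothetical, and it assumes the dump starts at the IPv4 header, as it does in the output above.

```python
import re
import struct

# Packet 1 of the "show capture dumpfile1 detail dump" output above, verbatim.
SAMPLE = """\
   1: 12:33:37.841463 7ee5.81a4.c453 0023.33bb.86b3 0x0800 98: 192.168.130.25 > 192.168.130.3: icmp: echo request (DF) (ttl 64, id 0)
0x0000   4500 0054 0000 4000 4001 b53b c0a8 8219        E..T..@.@..;....
0x0010   c0a8 8203 0800 0c9d 8602 0001 1aa3 444a        ..............DJ
0x0020   0e6f 0d00 0809 0a0b 0c0d 0e0f 1011 1213        .o..............
0x0030   1415 1617 1819 1a1b 1c1d 1e1f 2021 2223        ............ !"#
0x0040   2425 2627 2829 2a2b 2c2d 2e2f 3031 3233        $%&'()*+,-./0123
0x0050   3435 3637                                      4567
"""

def parse_dump(text):
    """Return {packet number: raw bytes} from 'show capture ... dump' text."""
    packets, current = {}, None
    for line in text.splitlines():
        header = re.match(r"\s*(\d+): \d\d:\d\d:\d\d\.\d+ ", line)
        if header:
            current = int(header.group(1))
            packets[current] = b""
        elif line.startswith("0x") and current is not None:
            # Columns are separated by 2+ spaces. Take only the hex column:
            # the ASCII column can itself look like hex (e.g. "4567").
            hex_col = re.split(r"\s{2,}", line.strip())[1]
            packets[current] += bytes.fromhex(hex_col.replace(" ", ""))
    return packets

def checksum_ok(data):
    """RFC 1071: the one's-complement sum over intact data is 0xFFFF."""
    data += b"\x00" * (len(data) % 2)  # pad odd-length data
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode(raw):
    """Decode the IPv4/ICMP fields shown by 'detail' and check checksums."""
    ihl = (raw[0] & 0x0F) * 4  # IPv4 header length in bytes
    total_len, ident, flags = struct.unpack("!HHH", raw[2:8])
    icmp = raw[ihl:total_len]
    return {
        "src": ".".join(map(str, raw[12:16])), "dst": ".".join(map(str, raw[16:20])),
        "ttl": raw[8], "id": ident, "df": bool(flags & 0x4000),
        "icmp_type": icmp[0], "icmp_seq": struct.unpack("!H", icmp[6:8])[0],
        "ip_checksum_ok": checksum_ok(raw[:ihl]), "icmp_checksum_ok": checksum_ok(icmp),
    }

if __name__ == "__main__":
    print(decode(parse_dump(SAMPLE)[1]))
```

A failed checksum on captured traffic points to corruption or truncation between the sender and the capture point, which narrows down where a fault sits.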

 

Output via web browser

Using a web browser, the active dump file can be viewed at https://IP/capture/dumpfile1.

Cisco ASA dump file in the browser