Troubleshooting Commands

clear ip nat statistics

To clear the NAT datapath map and session information, use the clear ip nat statistics command in privileged EXEC mode.

clear ip nat statistics

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Catalyst SD-WAN Release 17.8.1a

This command is supported for Cisco Catalyst SD-WAN.

Usage Guidelines

Use the clear ip nat statistics command to clear the NAT datapath map and session information.

Example

The following example shows how to clear the NAT datapath map and session information:

Device# clear ip nat statistics

clear sdwan app-fwd cflowd flow-all

To clear the cflowd flows in all VPNs, use the clear sdwan app-fwd cflowd flow-all command in privileged EXEC mode.

clear sdwan app-fwd cflowd flow-all

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Catalyst SD-WAN Release 17.2.1v

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

This command can be used to clear all the cflowd flows from all VPNs in a Cisco IOS XE Catalyst SD-WAN device.

Example

The following example shows how to clear the cflowd flows from all VPNs from a Cisco IOS XE Catalyst SD-WAN device.

Device# clear sdwan app-fwd cflowd flow-all 

clear sdwan app-fwd cflowd statistics

To clear the cflowd packet statistics, use the clear sdwan app-fwd cflowd statistics command in privileged EXEC mode.

clear sdwan app-fwd cflowd statistics

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Catalyst SD-WAN Release 17.2.1v

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

This command can be used to clear the cflowd packet statistics from a Cisco IOS XE Catalyst SD-WAN device.

Example

The following example shows how to clear the cflowd packet statistics from a Cisco IOS XE Catalyst SD-WAN device.

Device# clear sdwan app-fwd cflowd statistics

clear sdwan app-route statistics

To clear the app-route statistics from a Cisco IOS XE Catalyst SD-WAN device, use the clear sdwan app-route statistics command in privileged EXEC mode.

clear sdwan app-route statistics

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Catalyst SD-WAN Release 17.2.1v

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

This command can be used to clear the application aware routing statistics from a Cisco IOS XE Catalyst SD-WAN device.

Example

The following example shows how to clear the app-route statistics from a Cisco IOS XE Catalyst SD-WAN device.

Device# clear sdwan app-route statistics 

clear sdwan appqoe dreopt

To clear the DRE cache (which also restarts the DRE service), clear DRE statistics, or clear the DRE auto-bypass table, use the clear sdwan appqoe dreopt command in privileged EXEC mode.

clear sdwan appqoe dreopt { cache | statistics [ peer ] [ peer-no peer-id ] | auto-bypass [ server server-ip server-port ] }

Syntax Description

cache

Clears DREOPT cache.

statistics

Clears global DRE statistics.

peer

(Optional) Clears DREOPT peer statistics table.

peer-no peer-id

(Optional) Clears DREOPT statistics using peer-no for the specified peer ID.

auto-bypass

Clears DRE auto-bypass table.

server server-ip server-port

Clears DRE auto-bypass entries for the specified server IP address and server port.

Command Default

This command has no default behavior.

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Catalyst SD-WAN Release 17.5.1a

This command can be used in SD-WAN controller mode.

Example

The following example shows how to clear DRE cache.

Device# clear sdwan appqoe dreopt cache
DRE cache successfully cleared

clear sdwan bfd transitions

To clear all Bidirectional Forwarding Detection (BFD) transition counters from a Cisco IOS XE Catalyst SD-WAN device, use the clear sdwan bfd transitions command in privileged EXEC mode.

clear sdwan bfd transitions

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Catalyst SD-WAN Release 17.2.1v

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

The BFD protocol detects link failures as part of the Cisco SD-WAN high availability solution. It is enabled by default on all Cisco IOS XE Catalyst SD-WAN devices and cannot be disabled. BFD provides both path liveness detection and path quality measurement.

This command is used to clear all BFD transition counters from a Cisco IOS XE Catalyst SD-WAN device.

Example

The following example clears all BFD transition counters from a Cisco IOS XE Catalyst SD-WAN device.

Device# clear sdwan bfd transitions

Related Commands

Command Description
show sdwan bfd sessions Displays information about the BFD sessions.
show sdwan bfd history Displays the history of the BFD sessions.

clear sdwan control connection-history

To erase the connection history on a Cisco IOS XE Catalyst SD-WAN device, use the clear sdwan control connection-history command in privileged EXEC mode.

clear sdwan control connection-history

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Catalyst SD-WAN Release 17.2.1v

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

Cisco IOS XE SD-WAN devices establish control plane connections with the Cisco SD-WAN Controllers (Cisco SD-WAN Manager, Cisco Catalyst SD-WAN Controller, and Cisco Catalyst SD-WAN Validator), and maintain these connections with the Cisco Catalyst SD-WAN Controller and Cisco SD-WAN Manager.

This command can be used to erase all the connection history information from the Cisco IOS XE Catalyst SD-WAN devices.

Example

The following example erases the connection history information from a Cisco IOS XE Catalyst SD-WAN device:

Device# clear sdwan control connection-history

clear sdwan control connections

To reset the DTLS connections from a Cisco IOS XE Catalyst SD-WAN device to the SD-WAN controllers, use the clear sdwan control connections command in privileged EXEC mode.

clear sdwan control connections

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Catalyst SD-WAN Release 17.2.1v

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

Cisco IOS XE SD-WAN devices establish control plane connections with the Cisco SD-WAN Controllers (Cisco SD-WAN Manager, Cisco Catalyst SD-WAN Controller, and Cisco Catalyst SD-WAN Validator), and maintain these connections with the Cisco Catalyst SD-WAN Controller and Cisco SD-WAN Manager.

This command can be used to reset the DTLS connections from a Cisco IOS XE Catalyst SD-WAN device to the Cisco SD-WAN Controllers.

Example

The following example shows how to reset the DTLS connections.

Device# clear sdwan control connections 

clear sdwan control port-index

To reset port-hop back to the base port on Cisco IOS XE Catalyst SD-WAN devices, use the clear sdwan control port-index command in privileged EXEC mode.

clear sdwan control port-index

Syntax Description

This command has no keywords or arguments.

Command Default

This command has no default behavior.

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Catalyst SD-WAN Release 17.6.1a

This command was introduced.

Usage Guidelines

Use the clear sdwan control port-index command to reset port hopping back to the base port, 12346, on all WAN interfaces.

Example

The following example shows how to reset the SD-WAN control port index:

Device# clear sdwan control port-index

clear sdwan dns app-fwd cflowd flow-all

To clear the DNS cache for all cflowd flows, use the clear sdwan dns app-fwd cflowd flow-all command in privileged EXEC mode.

clear sdwan dns app-fwd cflowd flow-all

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Catalyst SD-WAN Release 17.2.1v

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

This command can be used to clear the DNS cache for all cflowd flows in a Cisco IOS XE Catalyst SD-WAN device.

Example

The following example shows how to clear the DNS cache for all cflowd flows in a Cisco IOS XE Catalyst SD-WAN device.

Device# clear sdwan dns app-fwd cflowd flow-all

clear sdwan dns app-fwd cflowd statistics

To clear the cflowd statistics from a Cisco IOS XE Catalyst SD-WAN device, use the clear sdwan dns app-fwd cflowd statistics command in privileged EXEC mode.

clear sdwan dns app-fwd cflowd statistics

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Catalyst SD-WAN Release 17.2.1v

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

This command can be used to clear the cflowd statistics from a Cisco IOS XE Catalyst SD-WAN device.

Example

The following example shows how to clear the cflowd statistics from a Cisco IOS XE Catalyst SD-WAN device.

Device# clear sdwan dns app-fwd cflowd statistics

clear sdwan dns app-fwd dpi flow-all

To clear the DNS Deep Packet Inspection (DPI) flows from a Cisco IOS XE Catalyst SD-WAN device, use the clear sdwan dns app-fwd dpi flow-all command in privileged EXEC mode.

clear sdwan dns app-fwd dpi flow-all

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Catalyst SD-WAN Release 17.2.1v

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

This command can be used to clear the DNS DPI flows from a Cisco IOS XE Catalyst SD-WAN device.

Example

The following example shows how to clear the DNS DPI flows from a Cisco IOS XE Catalyst SD-WAN device.

Device# clear sdwan dns app-fwd dpi flow-all 

clear sdwan dns app-fwd dpi summary

To clear all known DPI statistics for all related application information, use the clear sdwan dns app-fwd dpi summary command in privileged EXEC mode. This command does not have a no form.

clear sdwan dns app-fwd dpi summary

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification

Cisco IOS XE Catalyst SD-WAN Release 17.2.1v

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

Use this command to clear all DPI statistics for all related application information.

Example

The following example clears the DPI statistics for all related application information.

Device# clear sdwan dns app-fwd dpi summary

Table 1. Related Commands

Command Description
clear sdwan dns app-fwd dpi flow-all Clears all DPI flows in the entire system.

clear sdwan dns app-route statistics

To clear all app-route statistics, use the clear sdwan dns app-route statistics command in privileged EXEC mode. This command does not have a no form.

clear sdwan dns app-route statistics

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification

Cisco IOS XE Catalyst SD-WAN Release 17.2.1v

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

Use this command to clear all app route related statistics from the system.

Example

The following example clears all app route statistics from the router.

Device# clear sdwan dns app-route statistics

clear sdwan dns cache

To clear the cache of DNS entries on a Cisco IOS XE Catalyst SD-WAN device, use the clear sdwan dns cache command in privileged EXEC mode.

clear sdwan dns cache

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Catalyst SD-WAN Release 17.2.1v

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

The DNS cache is populated when a Cisco IOS XE Catalyst SD-WAN device establishes a connection with the Cisco Catalyst SD-WAN Validator. For a Cisco IOS XE Catalyst SD-WAN device, this connection is transient, and the DNS cache is cleared when the connection to the Cisco Catalyst SD-WAN Validator is closed.

This command can be used to clear the DNS cache from a Cisco IOS XE Catalyst SD-WAN device.

Example

The following example shows how to clear the DNS cache from a Cisco IOS XE Catalyst SD-WAN device.

Device# clear sdwan dns cache

Command

Description
show sdwan control local-properties Displays control plane local properties, including entries in the DNS cache.

clear sdwan installed-certificates

To clear all the installed certificates from a Cisco IOS XE Catalyst SD-WAN device, use the clear sdwan installed-certificates command in privileged EXEC mode.

clear sdwan installed-certificates

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Catalyst SD-WAN Release 17.2.1v

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

This command can be used to clear all the installed certificates from a Cisco IOS XE Catalyst SD-WAN device, including the public and private keys, and the root certificate. After clearing all certificates from a device, the command resets the device to factory default.

Example

The following example shows how to clear all the installed certificates from a Cisco IOS XE Catalyst SD-WAN device.

Device# clear sdwan installed-certificates

clear sdwan notification stream viptela

To clear the SD-WAN notification stream viptela, use the clear sdwan notification stream viptela command in privileged EXEC mode.

clear sdwan notification stream viptela

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification

Cisco IOS XE Catalyst SD-WAN Release 17.2.1v

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

Use this command to clear the sdwan notification stream viptela.

Example

The following example shows how to clear the sdwan notification stream viptela.

Device# clear sdwan notification stream viptela

clear sdwan omp

To clear Cisco SD-WAN Overlay Management Protocol (OMP) peers, routes, and TLOCs, use the clear sdwan omp command in privileged EXEC mode.

clear sdwan omp { all | peer [ ipv4 address ] | routes | tlocs }

Syntax Description

all Clears all OMP peering sessions with all OMP peers.
peer Clears the OMP peering sessions with a specific peer.
ipv4 address (Optional) Specifies an IPv4 address of the OMP peer.
routes Clears OMP routes.
tlocs Clears OMP TLOCs.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Catalyst SD-WAN Release 17.2.1v

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

By default, all Cisco IOS XE Catalyst SD-WAN Edge devices establish OMP peering with the Cisco Catalyst SD-WAN Controllers.

This command can be used to clear the Cisco SD-WAN OMP peers, routes, and TLOCs that the device learns from the Cisco Catalyst SD-WAN Controller.

Example

The following example shows how to reset OMP peering sessions.

Device# clear sdwan omp all 

The following example shows how to clear OMP peering session with a specific peer.

Device# clear sdwan omp peer 10.10.10.10 

The following example shows how to clear OMP routes.

Device# clear sdwan omp routes

clear sdwan policy

To reset the counters for access lists, IPv6 access lists, application-aware routing policies, or data policies, use the clear sdwan policy command in privileged EXEC mode.

clear sdwan policy { access-list [ acl-name ] | app-route-policy [ policy-name ] | ipv6-access-list [ access-list-name ] | data-policy [ policy-name ] }

Syntax Description

access-list acl-name

(Optional) Clears the counters associated with the specified access list.

app-route-policy policy-name

(Optional) Clears the counters associated with the specified application-aware routing policy.

ipv6-access-list access-list-name

(Optional) Clears the counters associated with the specified Cisco SD-WAN policy IPv6 access list.

data-policy policy-name

(Optional) Clears the counters associated with the specified data policy.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Catalyst SD-WAN Release 17.2.1v

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

Centralized SD-WAN policies are pushed from the Cisco Catalyst SD-WAN Controller to Cisco IOS XE Catalyst SD-WAN devices.

This command can be used to clear the counters for access lists, IPv6 access lists, data policies, or application-aware routing policies. It clears counters only; the policies themselves remain configured.

Example

The following example shows how to clear the counters for all access lists.

Device# clear sdwan policy access-list  

The following example shows how to clear the counters for all application-aware routing policies.

Device# clear sdwan policy app-route-policy 

The following example shows how to clear the counters for all IPv6 access lists.

Device# clear sdwan policy ipv6-access-list 

clear sdwan reverse-proxy context

To clear the signed certificate installed for authentication with a reverse proxy device and reset the control connections to the reverse proxy device, use the clear sdwan reverse-proxy context command in privileged EXEC mode.

clear sdwan reverse-proxy context

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Release 17.6.1a

Command introduced.

Example

The following example clears the signed certificate installed for reverse proxy authentication and resets the control connections to the reverse proxy device:

Device# clear sdwan reverse-proxy context

clear sdwan tunnel gre-keepalive

To clear the GRE tunnel keepalives, use the clear sdwan tunnel gre-keepalive command in privileged EXEC mode.

clear sdwan tunnel gre-keepalive

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification

Cisco IOS XE Catalyst SD-WAN Release 17.2.1v

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

Use the clear sdwan tunnel gre-keepalive command to clear the SD-WAN tunnel GRE keepalives.

Example

The following example shows how to clear the SD-WAN tunnel GRE keepalives.

Device# clear sdwan tunnel gre-keepalive
Table 2. Related Commands

Command Description
clear sdwan tunnel statistics Clears SD-WAN tunnel statistics.

clear sdwan tunnel statistics

To reset the information about the packets received on the IPsec connections for the Cisco IOS XE Catalyst SD-WAN devices, use the clear sdwan tunnel statistics command in privileged EXEC mode.

clear sdwan tunnel statistics

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Catalyst SD-WAN Release 17.2.1v

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

This command can be used to reset the information about the packets transmitted and received on the IPsec connections that originate on Cisco IOS XE Catalyst SD-WAN devices.

Example

The following example shows how to reset the information about the packets transmitted and received on the IPsec connections.

Device# clear sdwan tunnel statistics

clear sdwan umbrella dp-stats

To clear the umbrella dp-stats, use the clear sdwan umbrella dp-stats command in privileged EXEC mode. This command does not have a no form.

clear sdwan umbrella dp-stats

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification

Cisco IOS XE Catalyst SD-WAN Release 17.2.1v

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

Use the clear sdwan umbrella dp-stats command to clear the SD-WAN Umbrella datapath statistics.

Example

The following example shows how to clear the SD-WAN Umbrella datapath statistics.

Device# clear sdwan umbrella dp-stats

clear sdwan utd engine standard logging events

To clear SD-WAN UTD engine logging events, use the clear sdwan utd engine standard logging events command in privileged EXEC mode.

clear sdwan utd engine standard logging events

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification

Cisco IOS XE Catalyst SD-WAN Release 17.2.1v

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

Use the clear sdwan utd engine standard logging events command to clear the SD-WAN UTD engine logging events.

Example

The following example shows how to clear the SD-WAN UTD engine logging events.

Device# clear sdwan utd engine standard logging events

clear sdwan utd engine standard statistics daq vrf

To clear SD-WAN UTD engine statistics for all VRFs or a specific VRF, use the clear sdwan utd engine standard statistics daq vrf command in privileged EXEC mode. This command does not have a no form.

clear sdwan utd engine standard statistics daq vrf { global | name }

Syntax Description

global

Clears SD-WAN UTD engine standard statistics for all VRFs.

name

Clears SD-WAN UTD engine standard statistics for a specific VRF.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification

Cisco IOS XE Catalyst SD-WAN Release 17.2.1v

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

Use this command to clear the SD-WAN UTD engine standard statistics for all VRFs or a specific VRF.

Example

The following example shows how to clear the SD-WAN UTD engine statistics for all VRFs.

Device# clear sdwan utd engine standard statistics daq vrf global

clear sdwan utd engine standard statistics url-filtering vrf

To clear SD-WAN UTD engine URL-filtering statistics for all VRFs or for a specific VRF, use the clear sdwan utd engine standard statistics url-filtering vrf command in privileged EXEC mode. This command does not have a no form.

clear sdwan utd engine standard statistics url-filtering vrf { global | name }

Syntax Description

global

Clears SD-WAN UTD engine standard statistics for all VRFs.

name

Clears SD-WAN UTD engine standard statistics for a specific VRF.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification

Cisco IOS XE Catalyst SD-WAN Release 17.2.1v

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

Use this command to clear the SD-WAN UTD engine standard url-filtering statistics for all VRFs or for a specific VRF.

Example

The following example shows how to clear the SD-WAN UTD engine URL-filtering statistics for all VRFs.

Device# clear sdwan utd engine standard statistics url-filtering vrf global

clear sdwan utd statistics

To clear SD-WAN UTD statistics, use the clear sdwan utd statistics command in privileged EXEC mode. This command does not have a no form.

clear sdwan utd statistics { channel [ service | threat-defense ] | default [ channel | context | policy | tls-decrypt | vrf ] | divert | drop | general | policy [ all ] | sn | summary | tls-decrypt | vrf [ default | global | id | name ] }

Syntax Description

channel

Clears channel-specific UTD dataplane statistics.

service

Clears UTD dataplane stats for service channel.

threat-defense

Clears UTD dataplane stats for threat-defense channel.

default

Clears SD-WAN UTD statistics default.

context

Clears SD-WAN UTD statistics default context.

policy

Clears UTD dataplane policy statistics.

tls-decrypt

Clears SD-WAN UTD statistics tls-decrypt.

vrf

Clears SD-WAN UTD statistics VRF.

divert

Clears SD-WAN UTD statistics divert.

drop

Clears SD-WAN UTD statistics drop.

general

Clears SD-WAN UTD statistics general.

policy

Clears UTD dataplane policy statistics.

all

Clears UTD dataplane policy statistics all.

sn

Clears SD-WAN UTD statistics sn.

summary

Clears SD-WAN UTD statistics summary.

vrf

Clears SD-WAN UTD statistics VRF.

default

Clears SD-WAN UTD statistics VRF default.

global

Clears SD-WAN UTD statistics VRF global.

id

Clears SD-WAN UTD statistics VRF ID.

name

Clears SD-WAN UTD statistics VRF name.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification

Cisco IOS XE Catalyst SD-WAN Release 17.2.1v

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

Use this command to clear SD-WAN UTD statistics.

Example

The following example shows how to clear the SD-WAN UTD statistics from the default VRF.

Device# clear sdwan utd statistics vrf default

clear sdwan zbfw statistics drop

To clear SD-WAN ZBFW drop statistics, use the clear sdwan zbfw statistics drop command in privileged EXEC mode. This command does not have a no form.

clear sdwan zbfw statistics drop

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification

Cisco IOS XE Catalyst SD-WAN Release 17.2.1v

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

Use the clear sdwan zbfw statistics drop command to clear the SD-WAN ZBFW drop statistics.

Example

The following example shows how to clear the SD-WAN ZBFW drop statistics.

Device# clear sdwan zbfw statistics drop

debug packet-trace condition

To enable packet tracing on edge devices, use the debug packet-trace condition command in privileged EXEC mode.

debug packet-trace condition [ start | stop ] [ bidirectional ] [ circular ] [ destination-ip ip-address ] [ ingress-if interface ] [ logging ] [ source-ip ip-address ] [ vpn-id vpn-id ]

Syntax Description

bidirectional

(Optional) Enables bidirectional flow debugging for source IP and destination IP.

circular

(Optional) Enables circular packet tracing. In this mode, the trace buffer holds 1024 packets and the oldest entries are continuously overwritten once it is full.

clear

(Optional) Clears all the debug configurations and packet tracer memory.

destination-ip

(Optional) Specifies the destination IPv4 address.

ingress-if

(Optional) Specifies the ingress interface name. Note: A VPN must be specified (vpn-id) before an ingress interface can be configured.

logging

(Optional) Enables the packet tracer debug logging.

source-ip

(Optional) Specifies the source IP address.

start

(Optional) Starts the conditional debugging.

stop

(Optional) Stops the conditional debugging.

vpn-id

(Optional) Enables the packet tracing for the specified VPN.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Catalyst SD-WAN Release 17.8.1a

This command was introduced.

Usage Guidelines

The parameters after the keywords start and stop can be configured in any order.

Example

The following example shows how to configure conditions for packet tracing:

Device# debug packet-trace condition source-ip 10.0.0.1
Device# debug packet-trace condition vpn-id 0
Device# debug packet-trace condition interface ge0/1
Device# debug packet-trace condition stop

debug platform condition match

To filter IPv4 and IPv6 debugging output for certain debug commands on the basis of specified conditions, use the debug platform condition match protocol command in privileged EXEC mode. To remove the specified condition, use the no form of this command.

debug platform condition interface interface-name match [{ ipv4 | ipv6 }] protocol [{ tcp | udp | protocol_id }] [{ src ip | src ip mask | src port | destination ip | destination ip mask | destination port }] [{ both | ingress | egress }] [ bidirectional ]

no debug platform condition match protocol

Syntax Description

interface interface-name

Filters the output on the basis of the interface specified.

match

Enables conditional debugging for matching packets.

ipv4

(Optional) Filters the output on the basis of the specified IPv4 address.

ipv6

(Optional) Filters the output on the basis of the specified IPv6 address.

protocol

Filters the output on the basis of the specified protocol.

tcp

(Optional) Filters the output to TCP packets.

udp

(Optional) Filters the output to UDP packets.

protocol_id

(Optional) Specifies protocol ID to filter the output on the basis of the protocol ID.

src ip

(Optional) Specifies the source IP address to filter the output on the basis of the source IP.

src ip mask

(Optional) Specifies the source IP subnet mask to filter the output on the basis of the source IP subnet mask.

destination ip

(Optional) Specifies the destination IP address to filter output on the basis of the destination IP address.

destination ip mask

(Optional) Specifies the destination IP subnet mask to filter output on the basis of the destination IP subnet.

destination port

(Optional) Specifies the destination port to filter output on the basis of the destination port.

both

(Optional) Filters output on the basis of both incoming and outgoing packets.

ingress

(Optional) Filters output on the basis of incoming packets.

egress

(Optional) Filters output on the basis of outgoing packets.

bidirectional

(Optional) Filters output in both the directions.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Catalyst SD-WAN Release 17.8.1a

This command was introduced.

Example

The following example shows how to create the equivalent of a bidirectional Access Control List (ACL) that matches the packet flow in both directions.

Device# debug packet-trace condition source-ip 10.0.0.1
Device# debug packet-trace condition destination-ip 10.0.0.2
Device# debug platform condition match ipv4 host 10.0.0.1 host 10.0.0.2 both bidirectional
Device# debug packet-trace condition stop

debug platform condition start

To start conditional debugging on a system, use the debug platform condition start command in privileged EXEC mode.

debug platform condition start

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Catalyst SD-WAN Release 17.8.1a

This command was introduced.

Example

The following example shows how to start conditional debugging on a system:

Device# debug platform condition interface Gi0/0/1 efp-id 100 access-list 700 
Device# debug platform feature evc dataplane
Device# debug platform condition start

debug platform condition stop

To stop conditional debugging on a system, use the debug platform condition stop command in privileged EXEC mode.

debug platform condition stop

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Catalyst SD-WAN Release 17.8.1a

This command was introduced.

Example

The following example shows how to stop conditional debugging on a system:

Device# debug platform condition interface Gi0/0/1 efp-id 100 access-list 700 
Device# debug platform feature evc dataplane
Device# debug platform condition start
Device# debug platform condition stop

debug platform condition feature sdwan controlplane bfd

To start conditional debugging on a system for BFD sessions on a control plane, use the debug platform condition feature sdwan controlplane bfd command in privileged EXEC mode.

debug platform condition feature sdwan controlplane bfd

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Catalyst SD-WAN Release 17.15.1a

This command was introduced.

The following example shows how to enable debugging mode for BFD sessions on a control plane:


Device# debug platform condition feature sdwan controlplane bfd 
  ld         BFD LD
  tloc-pair  BFD tloc pair

Device# debug platform condition feature sdwan controlplane bfd ld 20008
Device# debug platform condition
Device# debug platform condition start

Device# debug platform condition feature sdwan controlplane bfd tloc-pair
encap ipsec local-color mpls remote-color mpls system-ip 172.16.255.1
Device# debug platform condition start

debug platform software sdwan fpm

To enable debugging mode for Forwarding Policy Manager, use the debug platform software sdwan fpm command in privileged EXEC mode. To disable debugging mode for Forwarding Policy Manager, use the undebug form of the command.

debug platform software sdwan fpm { all | config | dpi | policy | ttm }

undebug platform software sdwan fpm { all | config | dpi | policy | ttm }

Syntax Description

all

Controls the debugging of events related to the forwarding policy manager, including configuration changes, application-aware routing events, and communication with the tunnel table manager.

config

Controls the debugging of messages that are logged as a result of a policy configuration change made either directly on the router or because the changes have been pushed from the Cisco vSmart controller to the router.

dpi

Controls the debugging of all application-aware routing (deep packet inspection) events.

policy

Controls the debugging of messages that are logged as the result of policy programming events.

ttm

Controls the debugging of communication between the forwarding policy manager and the tunnel table manager.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification

Cisco IOS XE Catalyst SD-WAN Release 17.2.1v

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

Use the debug platform software sdwan fpm command to enable debugging mode for Forwarding Policy Manager. Debug output is placed in the bootflash:/tracelogs folder on the local device.

Examples

The following example shows how to enable debugging mode for Forwarding Policy Manager. After the information is collected, you can disable it, using the undebug form of the command:

Device# debug platform software sdwan fpm all
Device# undebug platform software sdwan fpm all

debug vdaemon

To enable debugging mode for the vdaemon software function on Cisco SD-WAN controllers, use the debug vdaemon command in privileged EXEC mode. To disable debugging mode, use the no form of the command. The debug output is saved to the /var/log/tmplog/vdebug file on the local device.

debug vdaemon { all | cert | confd | error | events | ftm | hello | misc | mt | ncs | packets | peer sess-id logging module verbosity level | rtm | ssl | ttm }

no debug vdaemon { all | cert | confd | error | events | ftm | hello | misc | mt | ncs | packets | peer sess-id logging module verbosity level | rtm | ssl | ttm }

Syntax Description

all

Enables the display of debugging output for all vdaemon processes.

cert

Enables the display of debugging output for vdaemon certificate functions.

confd

Enables the display of debugging output for vdaemon process CLI functions.

error

Enables the display of debugging output errors for vdaemon actions.

events

Enables the display of debugging output for vdaemon process events.

ftm

Enables the display of debugging output for vdaemon ftm actions.

hello

Enables the display of debugging output for vdaemon hello packets.

misc

Enables the display of debugging output for miscellaneous vdaemon process events.

mt

Enables the display of debugging output for vdaemon multi-tenant actions.

ncs

Enables the display of debugging output for vdaemon networked control system (NCS) actions.

packets

Enables the display of debugging output for all vdaemon process packets.

peer sess-id logging module verbosity level

Enables the display of debugging output for communication between peer sessions.

logging module: verifies the logs for the peer.

verbosity level: Enables verbose logs for the specified module, only for the peer whose session ID is provided.

rtm

Enables the display of debugging output for communication between the Cloud OnRamp for SaaS and the route table manager.

ssl

Enables the display of debugging output for vdaemon SSL actions.

ttm

Enables the display of debugging output for communication between the Cloud OnRamp for SaaS and the tunnel table manager.

Command Default

None

Command Modes

Privileged EXEC

Command History

Release Modification

Cisco IOS XE Release 17.3.1a

This command was introduced.

Cisco IOS XE Catalyst SD-WAN Release 17.2.1v

The following new keywords are added:

  • ftm

  • mt

  • ncs

  • rtm

  • ssl

  • ttm

  • peer sess-id logging module verbosity level

The following is a sample output for the debug vdaemon peer command.

Device# debug vdaemon peer sess-ID 22     
Sess ID: 0000000012   
Sess ID: 0000000022   

Device# debug vdaemon ttm ?                                                                                 
Possible completions:          
  debug     Debug logs         
  error     Error logs         
  notice    Notice logs        
  verbose   Verbose logs       
  |         Output modifiers   
  <cr>                            

Device# debug vdaemon ttm verbose

debug platform software sdwan vdaemon

To enable debugging mode for vdaemon peer on Cisco SD-WAN Controllers, use the debug platform software sdwan vdaemon peer command in privileged EXEC mode. To disable debugging mode, use the no form of the command.

debug platform software sdwan vdaemon peer session-id

no debug platform software sdwan vdaemon peer session-id

Syntax Description

peer

Specifies the peer name.

session-id

Specifies the session ID.

Command Default

None

Command Modes

Privileged EXEC

Command History

Release Modification

Cisco IOS XE Catalyst SD-WAN Release 17.2.1v

This command was introduced.

Example

Device# debug platform software sdwan vdaemon peer session-id
Device# no debug platform software sdwan vdaemon peer session-id

set platform software trace

To configure the binary trace level for one or all modules of a Cisco SD-WAN process on a specific hardware slot, use the set platform software trace command in privileged EXEC mode.

set platform software trace process slot module level

Syntax Description

process

Specify a Cisco SD-WAN process.

For the list of Cisco SD-WAN processes for which binary trace is supported, see the table 'Supported Cisco SD-WAN Daemons' under 'Usage Guidelines'.

slot

Hardware slot from which process messages must be logged.

module

Module of the process. Configure the trace level for one or all the modules of the process.

level

Select one of the following trace levels:

  • debug: Debug messages

  • emergency: Emergency possible message

  • error: Error messages

  • info: Informational messages

  • noise: Maximum possible message

  • notice: Notice messages

  • verbose: Verbose debug messages

  • warning: Warning messages

Command Default

Notice level

Command Modes

Privileged EXEC

Command History

Release Modification
Cisco IOS XE Catalyst SD-WAN Release 17.4.1a

Command support introduced for select Cisco SD-WAN processes. See the table 'Supported Cisco SD-WAN Daemons' under 'Usage Guidelines'.

Cisco IOS XE Catalyst SD-WAN Release 17.11.1a

New parameters are introduced for better binary configuration.

Usage Guidelines

Table 3. Supported Cisco SD-WAN Daemons

Cisco SD-WAN Daemons                  Supported from Release

fpmd, ftm, ompd, vdaemon, cfgmgr      Cisco IOS XE Catalyst SD-WAN Release 17.4.1a

Example

In the following example, the binary trace level for the 'config' module of the 'fpmd' process on the 'RP active' FRU is set to 'debug'.

Device# set platform software trace fpmd RP active config debug

set platform software trace vdaemon

To set the trace level for a specific module within a process on Cisco SD-WAN Controllers, use the set platform software trace command in privileged EXEC mode. The tracing functionality logs internal events. Trace files are automatically created and saved to the tracelogs subdirectory.

set platform software trace vdaemon R0 RP verbose

Syntax Description

R0

Specifies the route processor with slot 0.

RP

Specifies the route processor.

verbose

(Optional) Displays verbose information, meaning all information that can be displayed on the console during the process will be displayed.

Command Default

Trace levels are not set.

Command Modes

Privileged EXEC

Command History

Release Modification

Cisco IOS XE Catalyst SD-WAN Release 17.2.1v

This command was introduced.

Cisco IOS XE Release 17.12.1a

The following new modules are added:

  • vdaemon-cert

  • vdaemon-ftm

  • vdaemon-mt

  • vdaemon-ncs

  • vdaemon-rtm

  • vdaemon-ssl

  • vdaemon-ttm

Example

This example shows the trace level verbose for all the modules in the route processor with slot 0:

Device# set platform software trace vdaemon R0 vdaemon verbose
vdaemon-affinity  vdaemon-cert  vdaemon-confd  vdaemon-err
vdaemon-event     vdaemon-ftm   vdaemon-hello  vdaemon-misc
vdaemon-mt        vdaemon-ncs   vdaemon-pkt    vdaemon-pwk
vdaemon-rtm       vdaemon-ssl   vdaemon-ttm 

This example shows the trace level verbose for all the modules in the route processor:


Device#  set platform software trace vdaemon RP active vdaemon verbose                                                   
vdaemon-affinity  vdaemon-cert   vdaemon-cfgdb  vdaemon-confd 
vdaemon-err       vdaemon-event  vdaemon-ftm    vdaemon-hello 
vdaemon-misc      vdaemon-mt     vdaemon-ncs    vdaemon-pkt   
vdaemon-pwk       vdaemon-rtm    vdaemon-ssl    vdaemon-ttm   

show sdwan control connections

To display the information about active control connections and control plane connections on Cisco IOS XE SD-WAN devices, use the show sdwan control connections command in privileged EXEC mode.

show sdwan control connections [detail]

Syntax Description

detail

(Optional) Displays detailed information about active control plane connections.

Command Modes

Privileged EXEC (#)

Command History

Release Modification

Cisco IOS XE Catalyst SD-WAN Release 17.2.1v

This command was introduced.

Cisco IOS XE Catalyst SD-WAN Release 17.12.1a

Added the peer-session-id details in the control connection summary display.

Example

Device# show sdwan control connections detail

--------------------------------------------------------------------
LOCAL-COLOR- lte SYSTEM-IP- 172.16.255.19   PEER-PERSONALITY- vsmart
--------------------------------------------------------------------
site-id             100
domain-id           1
protocol            tls
private-ip          10.0.5.19
private-port        23556
public-ip           10.0.5.19
public-port         23556
org-name            Cisco Systems Regression
state               up [Local Err: NO_ERROR] [Remote Err: NO_ERROR]
uptime              0:00:00:42
hello interval      1000
hello tolerance     12000
controller-grp-id   0
shared-region-id-set N/A
peer-session-id      0x004ff14166
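As an added example, not Cisco's code or output from the page, the following parser reads the block format shown above, returns each control connection's state, local and remote error codes, uptime and peer-session-id, and flags the connections a monitor should raise on (a state other than up, an error code other than NO_ERROR, or a very young session, which can indicate flapping). The second block in the embedded sample is constructed.

```python
"""Parse 'show sdwan control connections detail' output and flag connections that
need attention. Added example, not Cisco code; the sample text is constructed."""
import re
from dataclasses import dataclass, field

# Block header: "LOCAL-COLOR- lte SYSTEM-IP- 172.16.255.19   PEER-PERSONALITY- vsmart"
HEADER_RE = re.compile(r"LOCAL-COLOR-\s+(?P<color>\S+)\s+SYSTEM-IP-\s+(?P<system_ip>\S+)"
                       r"\s+PEER-PERSONALITY-\s+(?P<personality>\S+)")
# State value: "up [Local Err: NO_ERROR] [Remote Err: NO_ERROR]"
STATE_RE = re.compile(r"^(?P<state>\S+)\s+\[Local Err:\s*(?P<local>[^\]]+)\]"
                      r"\s+\[Remote Err:\s*(?P<remote>[^\]]+)\]")
# Rows are padded with 2+ spaces ("hello interval      1000"); a long key such as
# "shared-region-id-set N/A" leaves only one space, handled by the fallback below.
KV_RE = re.compile(r"^(.+?)\s{2,}(.+)$")


@dataclass
class ControlConnection:
    local_color: str
    system_ip: str
    peer_personality: str
    fields: dict = field(default_factory=dict)

    def _state_parts(self) -> tuple:
        raw = self.fields.get("state", "")
        m = STATE_RE.match(raw)
        return (m["state"], m["local"], m["remote"]) if m else (raw, "", "")

    @property
    def state(self) -> str:
        return self._state_parts()[0]

    @property
    def errors(self) -> tuple:
        return self._state_parts()[1:]

    @property
    def uptime_seconds(self) -> int:
        # uptime is rendered as days:hours:minutes:seconds, e.g. 0:00:00:42
        parts = [int(p) for p in self.fields.get("uptime", "0:0:0:0").split(":")]
        days, hours, minutes, seconds = ([0] * 4 + parts)[-4:]
        return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def parse_control_connections(text: str) -> list:
    """One ControlConnection per dashed block; text before the first header is ignored."""
    conns, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue
        hdr = HEADER_RE.search(line)
        if hdr:
            current = ControlConnection(hdr["color"], hdr["system_ip"], hdr["personality"])
            conns.append(current)
        elif current is not None:
            m = KV_RE.match(line)
            # partition()[::2] gives (key, value) for the single-space fallback
            key, value = (m.group(1), m.group(2)) if m else line.partition(" ")[::2]
            current.fields[key.strip()] = value.strip()
    return conns


def unhealthy_connections(conns: list, min_uptime_seconds: int = 300) -> list:
    """(connection, reason) pairs a monitor would raise: state other than 'up', an
    error code other than NO_ERROR, or a session younger than the threshold (a freshly
    re-established control connection can indicate flapping)."""
    findings = []
    for c in conns:
        local_err, remote_err = c.errors
        if c.state != "up":
            findings.append((c, f"state is {c.state!r}"))
        elif local_err != "NO_ERROR" or remote_err != "NO_ERROR":
            findings.append((c, f"errors local={local_err} remote={remote_err}"))
        elif c.uptime_seconds < min_uptime_seconds:
            findings.append((c, f"up for only {c.uptime_seconds}s"))
    return findings


# Constructed sample: the first block mirrors the output shown on this page; the
# second is invented to show a connection that is still negotiating.
SAMPLE_OUTPUT = """\
Device# show sdwan control connections detail
--------------------------------------------------------------------
LOCAL-COLOR- lte SYSTEM-IP- 172.16.255.19   PEER-PERSONALITY- vsmart
--------------------------------------------------------------------
protocol            tls
private-ip          10.0.5.19
state               up [Local Err: NO_ERROR] [Remote Err: NO_ERROR]
uptime              0:00:00:42
hello interval      1000
shared-region-id-set N/A
peer-session-id      0x004ff14166
--------------------------------------------------------------------
LOCAL-COLOR- mpls SYSTEM-IP- 172.16.255.20   PEER-PERSONALITY- vmanage
--------------------------------------------------------------------
protocol            dtls
state               connect [Local Err: NO_ERROR] [Remote Err: NO_ERROR]
uptime              3:02:10:05
peer-session-id      0x0000000000
"""
```

Feed the captured output of the command to parse_control_connections and pass the result to unhealthy_connections; the default 300-second threshold is a starting point, not a Cisco recommendation.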

monitor capture (access list/class map)

To configure a monitor capture specifying an access list or a class map as the core filter for the packet capture, use the monitor capture command in privileged EXEC mode. To disable the monitor capture with the specified access list or class map as the core filter, use the no form of this command.

monitor capture capture-name { access-list access-list-name | class-map class-map-name }

no monitor capture capture-name { access-list access-list-name | class-map class-map-name }

Syntax Description

capture-name

Specify the name of the capture.

access-list access-list-name

Specify an access list with the specified name.

class-map class-map-name

Specify a class map with the specified name.

Command Default

A monitor capture with the specified access list or a class map as the core filter for the packet capture is not configured.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Catalyst SD-WAN Release 17.9.1a

This command was introduced.

Usage Guidelines

Configure the access list using the ip access-list command or the class map using the class-map command before using the monitor capture command. You can specify a class map, or an access list, or an explicit inline filter as the core filter. If you have already specified the filter when you entered the monitor capture match command, the command replaces the existing filter.

The following example shows how to define a core system filter using an existing access control list:

Device> enable
Device# configure terminal
Device(config)# ip access-list standard acl1
Device(config-std-nacl)# permit any
Device(config-std-nacl)# exit
Device(config)# exit
Device# monitor capture mycap access-list acl1
Device# end

The following example shows how to define a core system filter using an existing class map:

Device> enable
Device# configure terminal
Device(config)# ip access-list standard acl1
Device(config-std-nacl)# permit any
Device(config-std-nacl)# exit
Device(config)# class-map match-all cmap
Device(config-cmap)# match access-group name acl1
Device(config-cmap)# exit
Device(config)# exit
Device# monitor capture mycap class-map cmap
Device# end

monitor capture (interface/control plane)

To configure monitor capture specifying an attachment point and the packet flow direction, use the monitor capture command in privileged EXEC mode. To disable the monitor capture with the specified attachment point and the packet flow direction, use the no form of this command.

monitor capture capture-name {interface type number | control-plane} {in | out | both}

no monitor capture capture-name {interface type number | control-plane} {in | out | both}

Syntax Description

capture-name

Specify the name of the capture.

interface type number

Specify an interface with the specified type and number as an attachment point.

control-plane

Specify a control plane as an attachment point.

in

Specifies the inbound traffic direction.

out

Specifies the outbound traffic direction.

both

Specifies both inbound and outbound traffic directions.

Command Default

A monitor capture with the specified attachment point and packet flow direction is not configured.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Catalyst SD-WAN Release 17.9.1a

This command was introduced.

Usage Guidelines

Repeat the monitor capture command as many times as required to add multiple attachment points.

The following example shows how to add an attachment point to an interface:

Device> enable
Device# monitor capture mycap interface GigabitEthernet 2 in
Device# end

The following example shows how to add an attachment point to a control plane:

Device> enable
Device# monitor capture mycap control-plane out
Device# end

monitor capture match ipv4

To define a core filter for monitoring packet capture for IPv4 packets, use the monitor capture match ipv4 command in privileged EXEC mode. To remove this filter, use the no form of this command.

monitor capture capture-name match ipv4 source-prefix/length destination-prefix/length [bidirectional]

no monitor capture capture-name [match]

Syntax Description

capture-name

Name of the capture.

source-prefix/length

Network prefix and length of the IPv4 source address.

destination-prefix/length

Network prefix and length of the IPv4 destination address.

bidirectional

(Optional) Captures bidirectional packets.

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Catalyst SD-WAN Release 17.7.1a

This command is supported for Cisco Catalyst SD-WAN.

Usage Guidelines

For usage guidelines, see the Cisco IOS XE monitor capture match command.

The following example shows how to define a core filter for monitoring packet capture for IPv4 packets:

Device# monitor capture CISCO match ipv4 198.51.100.0/24 192.0.2.0/24 bidirectional

monitor capture match ipv6

To define a core filter for monitoring packet capture for IPv6 packets, use the monitor capture match ipv6 command in privileged EXEC mode. To remove this filter, use the no form of this command.

monitor capture capture_name match ipv6 { { ipv6-source-prefix/length | any | host ipv6-source-address } { ipv6-destination-prefix/length | any | host ipv6-destination-address } | protocol { protocol_num | tcp | udp } { ipv6-source-prefix/length | any | host ipv6-source-address } [ eq | lt | gt | neg | range port-num ] { ipv6-destination-prefix/length | any | host ipv6-destination-address } [ eq | lt | gt | neg | range port-num ] } [bidirectional]

no monitor capture capture_name

Syntax Description

capture_name

Name of the capture.

interface_name

Specify GigabitEthernet IEEE 802.3z interface name.

interface_num

Specify the GigabitEthernet interface number.

Range: 1 to 32.

match

Describes filters inline.

ipv6

IPv6 packets only.

ipv6-prefix/length

IPv6 source or destination prefix.

Range for the Length value: 0 to 128.

host ipv6-address

Specifies a single source or destination IPv6 host.

protocol_num

Specifies an IP protocol number.

any

Specifies the network prefix and length of any IPv4 or IPv6 destination address.

TCP | UDP

Filter by TCP or UDP protocol.

eq

(Optional) Specifies that only packets with a port number that is equal to the port number associated with the IP address are matched.

lt

(Optional) Specifies that only packets with a port number that is lower than the port number associated with the IP address are matched.

gt

(Optional) Specifies that only packets with a port number that is greater than the port number associated with the IP address are matched.

neg

(Optional) Specifies that only packets with a port number that is not equal to the port number associated with the IP address are matched.

range port-num

(Optional) Specifies the range of port numbers.

Range: 0 to 65535.

bidirectional

(Optional) Captures bidirectional packets.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Catalyst SD-WAN Release 17.9.1a

This command was introduced.

Usage Guidelines

Use the monitor capture command to specify the core filter as a class map, access list, or explicit inline filter. Any filter that was already specified before you enter the monitor capture match command is replaced.

The following example shows how to set a filter for IPv6 source and destination traffic:

Device# monitor capture test match ipv6 protocol tcp host 2001:3c0:1::71 host 2001:380:1::71 bidirectional

privilege exec level

To set the privilege level for exec commands, use the privilege exec level command in global configuration mode. To reset the exec command to the default privilege level of 15, use the no form of this command.

privilege exec level level command

no privilege exec level level command

Syntax Description

level

Privilege level 0 - 15.

command

The exec command for which you want to set the privilege level.

Command Default

The default exec privilege level is 15.

Command Modes

Global configuration (config)

Command History

Release Modification

Cisco IOS XE Catalyst SD-WAN Release 17.2.1v

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

Cisco Internetwork Operating System (IOS) currently has 16 privilege levels that range from 0 through 15. Users have access to limited commands at lower privilege levels compared to higher privilege levels. You can use this command to set the privilege level for exec commands.

Example

The following example shows how to set the exec command show logging to privilege level 1.

Device(config)# privilege exec level 1 show logging

request platform software sdwan admin-tech

To collect system status information in a compressed tar file for troubleshooting and diagnostics, use the request platform software sdwan admin-tech command in privileged EXEC mode.

request platform software sdwan admin-tech { exclude-certs | exclude-cores | exclude-logs | exclude-tech | timeout }

Syntax Description

exclude-certs

Minimum supported release: Cisco IOS XE Catalyst SD-WAN Release 17.15.1a

Do not include any certificates in the compressed tar file. Certificates are stored in the /var/crash directory on a local Cisco IOS XE Catalyst SD-WAN device.

exclude-cores

Do not include any core files in the compressed tar file. Core files are stored in the /var/crash directory on a local Cisco IOS XE Catalyst SD-WAN device.

exclude-logs

Do not include any log files in the compressed tar file. Log files are stored in the /var/log directory on a local Cisco IOS XE Catalyst SD-WAN device.

exclude-tech

Do not include any process (daemon) and operational-related files in the compressed tar file. These files are stored in the /var/tech directory on a local Cisco IOS XE Catalyst SD-WAN device.

timeout

Minimum supported release: Cisco IOS XE Catalyst SD-WAN Release 17.15.1a

Timeout value for the admin-tech collection. If the admin-tech output is truncated, you can provide a custom timeout value.

Default: 30 minutes.

Command Modes

Privileged EXEC mode (#)

Command History

Release Modification

Cisco IOS XE SD-WAN 16.10.1

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Cisco IOS XE Catalyst SD-WAN Release 17.15.1a

Added the exclude-certs and timeout keywords.

Usage Guidelines

This command can be used to collect system status information in a compressed tar file for troubleshooting and diagnostics. This tar file, which is saved in the vmanage-admin's home directory, contains the output of various commands and the contents of various files on the local device, including syslog files, files for each process (daemon) running on the device, core files, and configuration rollback files. For aid in troubleshooting, send the file to Cisco SD-WAN customer support.

If your Cisco IOS XE Catalyst SD-WAN device contains a large number of crash log files, it might take a few minutes for the request admin-tech command to complete.

On a Cisco IOS XE Catalyst SD-WAN device, you can run only one request admin-tech command at a time. If a command is in progress, Cisco IOS XE Catalyst SD-WAN device does not let a second one start.

Example

The following example shows how to collect system status information in a compressed tar file for troubleshooting and diagnostics.

Device# request platform software sdwan admin-tech 
Requested admin-tech initiated. 
Created admin-tech file '/home/vmanage-admin/cEdge-20201115-110540-admin-tech.tar.gz' 
IOS filename::  'bootflash:vmanage-admin/cEdge-20201115-110540-admin-tech.tar.gz' 
 

request platform software sdwan auto-suspend reset

To bring all BFD sessions out of suspension, use the request platform software sdwan auto-suspend reset command in privileged EXEC mode.

request platform software sdwan auto-suspend reset { local-sys-ip local-ip-address local-color local-color remote-sys-ip remote-ip-address remote-color remote-color encap encap-type }

Syntax Description

local-sys-ip local-ip-address

Specifies the local system IP address.

local-color local-color

Identifier for the transport tunnel. The color specifies a specific WAN transport provider.

remote-sys-ip remote-ip-address

Specifies the IP address of the remote system.

remote-color remote-color

Specifies a WAN transport provider.

encap encap-type

Specifies the encapsulation type for the BFD session.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Catalyst SD-WAN Release 17.10.1a

This command was introduced.

Usage Guidelines

Use this command to bring all BFD sessions out of suspension.

Example

The following example shows how to reset a local color lte BFD session:

Device# request platform software sdwan auto-suspend reset local-color lte

The following example shows how to reset a BFD session with a local system IP, local color lte, and remote system IP with a remote color:

Device# request platform software sdwan auto-suspend reset local-sys-ip 172.16.12.255 local-color lte remote-sys-ip 10.10.1.1 remote-color 3g

The following example shows how to reset a BFD session with a local system IP, local color lte, remote system IP with a remote color, and an encapsulation type of IPsec:

Device# request platform software sdwan auto-suspend reset local-sys-ip 172.16.12.255 local-color lte remote-sys-ip 10.10.1.1 remote-color 3g encap ipsec

request platform software sdwan certificate install

To install a certificate on the Cisco SD-WAN WAN Edge device, use the request platform software sdwan certificate install command in privileged EXEC mode.

request platform software sdwan certificate install file-path { vpn vpn-id }

Syntax Description

file-path

Path to the certificate file. Installs the certificate contained in the specified file.

file-path can be one of the following:

  • bootflash

  • flash

  • webui

vpn vpn-id

VPN in which the certificate file is located.

When you include this option, one of the interfaces in the specified VPN is used to retrieve the file.

Command Default

None.

Command Modes

Privileged EXEC mode (#)

Command History

Release Modification
Cisco IOS XE SD-WAN 16.10.1

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

This command can be used to install a certificate on a Cisco IOS XE Catalyst SD-WAN device. Certificates are used on Public Key Infrastructure (PKI) deployments.

Example

The following example shows how to install a certificate from a file in bootflash on a Cisco IOS XE Catalyst SD-WAN device.

Device# request platform software sdwan certificate install bootflash:cert.csr 

request platform software sdwan config reset

To clear the SD-WAN configuration from a Cisco IOS XE Catalyst SD-WAN device, use the request platform software sdwan config reset command in privileged EXEC mode.

request platform software sdwan config reset

Command Default

None

Command Modes

Privileged EXEC mode (#)

Command History

Release Modification
Cisco IOS XE SD-WAN 16.10.1

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

This command can be used to clear the SD-WAN configuration from a Cisco IOS XE Catalyst SD-WAN device. This command is disruptive, since all the SD-WAN configurations of the Cisco IOS XE Catalyst SD-WAN device will be wiped out.

This may be needed in order to restart the PnP process.


Note


In releases prior to Cisco IOS XE Catalyst SD-WAN Release 17.7.1a, the request platform software sdwan config reset command displayed a prompt requesting that you reload the Cisco IOS XE Catalyst SD-WAN device.

Starting from Cisco IOS XE Catalyst SD-WAN Release 17.7.1a, you no longer see the prompt requesting you to reload the Cisco IOS XE Catalyst SD-WAN device. The Cisco IOS XE Catalyst SD-WAN device reloads automatically with an appropriate message on the console.

When this command encounters a Virtual Teletype (VTY) line without autoboot, you need to change the config-register value so that the autoboot bit is set as 0xXXX2.

You can check the value of config-register using the show version or show bootvar commands.

Device# show bootvar
BOOT variable = bootflash:packages.conf,1;bootflash:prev_packages.conf,1;
CONFIG_FILE variable does not exist
BOOTLDR variable does not exist
Configuration register is 0x2102
Standby not ready to show bootvar

You can change the value of config-register by pushing the configuration to the device using a CLI add-on template or by using the CLI.

config-transaction
config-register 0x2102
commit

Example

The following example shows how to clear the SD-WAN configuration from a Cisco IOS XE Catalyst SD-WAN device.

Device# request platform software sdwan config reset 

request platform software sdwan csr upload

To upload a Certificate Signing Request (CSR) to a Cisco IOS XE Catalyst SD-WAN device, use the request platform software sdwan csr upload command in privileged EXEC mode.

request platform software sdwan csr upload file-path

Syntax Description

file-path

Path of the certificate file. Upload the CSR in the file at the specified path.

file-path can be one of the following:

  • bootflash

  • flash

  • webui

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE SD-WAN 16.10.1

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

This command can be used to upload a CSR to a Cisco IOS XE Catalyst SD-WAN device. CSRs are used in Public Key Infrastructure (PKI) deployments.

Example

The following example shows how to upload a CSR to a Cisco IOS XE Catalyst SD-WAN device.

Device# request platform software sdwan csr upload bootflash:cert.csr 
Uploading CSR via VPN 0 
Generating CSR on the hardware Router .. 
Enter organization-unit name            : SDWAN-Org 
Re-enter organization-unit name          : SDWAN-Org 
Organization-unit name differs. Certificate will be deleted. Proceed? [yes,NO] Yes 

request platform software sdwan port_hop color

To manually request the port hopping for TLOCs with a specific color, use the request platform software sdwan port_hop color command in privileged EXEC mode.

request platform software sdwan port_hop color color

Syntax Description

color

Color of an individual WAN transport interface.

Values: 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1, private2, private3, private4, private5, private6, public-internet, red, and silver.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE SD-WAN 16.10.1

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

This command can be used when NAT entries become stale.

Manually rotate to the next OMP port in the group of preselected OMP port numbers when a connection cannot be established, and continue the port hopping until a connection can be established. Each connection attempt times out in about 60 seconds.

Example

The following example shows how to rotate to the next OMP port in the group of preselected OMP port numbers for the TLOC with color lte.

Device# request platform software sdwan port_hop color lte 

request platform software sdwan root-cert-chain install

To install a file containing the root certificate key chain, use the request platform software sdwan root-cert-chain install command in privileged EXEC mode.

request platform software sdwan root-cert-chain install file-path { vpn vpn-id }

Syntax Description

file-path

Install the specified file containing the root certificate chain.

file-path can be one of the following:

  • bootflash

  • flash

  • webui

vpn vpn-id

VPN in which the certificate file is located. When you include this option, one of the interfaces in the specified VPN is used to retrieve the file.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE SD-WAN 16.10.1

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

This command can be used to install a file containing the root certificate key chain. It is used on Public Key Infrastructure (PKI) deployments.

Example

The following example shows how to install a file containing the root certificate key chain.

Device# request platform software sdwan root-cert-chain install bootflash:root-chain

request platform software sdwan root-cert-chain uninstall

To uninstall a file containing the root certificate key chain, use the request platform software sdwan root-cert-chain uninstall command in privileged EXEC mode.

request platform software sdwan root-cert-chain uninstall

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE SD-WAN 16.10.1

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

This command can be used to uninstall a file containing the root certificate key chain. It is used on Public Key Infrastructure (PKI) deployments.

Example

The following example shows how to uninstall a file containing the root certificate key chain.

Device# request platform software sdwan root-cert-chain uninstall 

request platform software sdwan software activate

To activate a software image on a local Cisco IOS XE Catalyst SD-WAN device, use the request platform software sdwan software activate command in privileged EXEC mode.

request platform software sdwan software activate build-number { clean | now }

Syntax Description

build-number

Name of the software image to activate on the device.

clean

Activates the specified software image but does not associate the existing configuration file, or any files that store information about the device history, such as log and trace files, with the newly activated software image.

Note: Beginning with Cisco IOS XE Catalyst SD-WAN Release 17.10.1a, this option is no longer supported.

now

Activates the specified software image immediately, with no prompt asking you to confirm that you want to activate.

Note: Beginning with Cisco IOS XE Catalyst SD-WAN Release 17.14.1a, this option is no longer supported.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification

Cisco IOS XE SD-WAN 16.10.1

This command was introduced.

Cisco IOS XE Catalyst SD-WAN Release 17.10.1a

The clean option is no longer supported.

Cisco IOS XE Catalyst SD-WAN Release 17.14.1a

The now option is no longer supported.

Usage Guidelines

This command can be used to activate a software image on a local Cisco IOS XE Catalyst SD-WAN device through CLI. The Cisco IOS XE Catalyst SD-WAN device reloads when the activation is complete.

Example

The following example shows how to activate a software image on a local Cisco IOS XE Catalyst SD-WAN device through CLI.

Device# request platform software sdwan software activate 17.03.01a.0.354

request platform software sdwan software install

To install a software image on a Cisco IOS XE Catalyst SD-WAN device, use the request platform software sdwan software install command in privileged EXEC mode.

request platform software sdwan software install file-path { vpn vpn-id } { reboot { no-sync } } { download-timeout minutes }

Syntax Description

file-path

Installs the software image in the specified file system. The file system must be located on the local device.

file-path can be one of the following:

  • bootflash

  • flash

  • webui

vpn vpn-id

VPN in which the image is located. When you include this option, one of the interfaces in the specified VPN is used to retrieve the software image.

reboot no-sync

Reboots the device after installation of the software image completes. By default, the device's current configuration is copied to the other hard-disk partition and is installed with the new software image. If you include the no-sync option, the software is installed in the other hard-disk partition, and it is installed with the factory-default configuration. The existing configuration and any files that store information about the device history, such as log and trace files, are not copied to the other partition. Effectively, the no-sync option restores the device to its initial factory configuration.

download-timeout minutes

Specifies the installation timeout, that is, how long to wait before cancelling requests to install software. The duration ranges from 1 through 1440 minutes (24 hours). The default is 60 minutes.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE SD-WAN 16.10.1

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

This command can be used to install a software image on a Cisco IOS XE Catalyst SD-WAN device. Before the software is installed, the software image is verified to determine that it is valid and that it has been signed. If the verification process fails, the software image installation is not performed.

Example

The following example shows how to install a software image on a Cisco IOS XE Catalyst SD-WAN device.

Device# request platform software sdwan software install bootflash:isr4300-universalk9.17.03.02.SPA.bin

request platform software sdwan software remove

To remove a software image from a local Cisco IOS XE Catalyst SD-WAN device, use the request platform software sdwan software remove command in privileged EXEC mode.

request platform software sdwan software remove build-number

Syntax Description

build-number

Name of the software image to delete from the device. You cannot delete the active image.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE SD-WAN 16.10.1

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

This command can be used to remove a software image from a local Cisco IOS XE Catalyst SD-WAN device. You cannot delete the active image.

Example

The following example shows how to remove a software image from a local Cisco IOS XE Catalyst SD-WAN device.

Device# request platform software sdwan software remove 17.03.01a.0.354

request platform software sdwan software secure-boot

To check and enforce the secure boot state of the system software images, use the request platform software sdwan software secure-boot command in privileged EXEC mode.

request platform software sdwan software secure-boot [ list | set | status ]

Syntax Description

list

Checks the secure boot state and checks whether the software images on the device are secure or not secure.

set

Removes insecure software images from the device and removes an insecure boot loader.

status

Displays the security status of the software images installed on the device.

Command History

Release Modification

Cisco IOS XE Catalyst SD-WAN Release 17.6.1a

The command is deprecated.

request platform software sdwan software set-default

To set a software image as the default image on a Cisco IOS XE Catalyst SD-WAN device, use the request platform software sdwan software set-default command in privileged EXEC mode.

request platform software sdwan software set-default build-number

Syntax Description

build-number

Name of the software image to designate as the default image on a Cisco IOS XE Catalyst SD-WAN device.

Command Default

None.

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE SD-WAN 16.10.1

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

This command can be used to set a software image to be the default image on a Cisco IOS XE Catalyst SD-WAN device. Performing this operation overwrites the factory-default software image, replacing it with an image of your choosing. It is recommended that you set a software image to be the default only after verifying that the software is operating as desired on a Cisco IOS XE Catalyst SD-WAN device and in your network.

Example

The following example shows how to set a software image to be the default image on a Cisco IOS XE Catalyst SD-WAN device.

Device# request platform software sdwan software set-default 17.03.01a.0.354

request platform software sdwan software upgrade-confirm

To confirm that the upgrade to a new software image is successful, use the request platform software sdwan software upgrade-confirm command in privileged EXEC mode.

request platform software sdwan software upgrade-confirm

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE SD-WAN 16.10.1

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

This command can be used to confirm that the upgrade to a new software image is successful. If the device configuration includes the sdwan system upgrade-confirm command, issuing the request platform software sdwan software upgrade-confirm command within the time limit configured in the upgrade-confirm command confirms that the upgrade to the new software image has been successful. If this command is not issued, the device reverts automatically to the previously running software image.

If you have initiated the software upgrade from Cisco SD-WAN Manager, Cisco SD-WAN Manager automatically issues the request platform software sdwan software upgrade-confirm command when the Cisco IOS XE Catalyst SD-WAN device finishes rebooting. If you have initiated the software upgrade manually from the Cisco IOS XE Catalyst SD-WAN device, you issue the request platform software sdwan software upgrade-confirm command from the CLI.

Example

The following example shows how to confirm that the upgrade to a new software image is successful from the CLI and the device configuration includes the sdwan system upgrade-confirm command.

Device# request platform software sdwan software upgrade-confirm

set platform software trace

To configure the binary trace level for one or all modules of a Cisco SD-WAN process on a specific hardware slot, use the set platform software trace command in privileged EXEC mode.

set platform software trace process slot module trace-level

Syntax Description

process

Specify a Cisco SD-WAN process.

  • all: Specify all the processes

  • backplaneswitch-manager: Backplane Switch Manager Process

  • bt-logger: Binary-Tracing Logger Process

  • btrace-manager: Btrace Manager Process

  • cfgmgr: SDWAN Cfgmgr process

  • chassis-manager: Chassis-Manager

  • cli-agent: CLI Agent

  • cxpd: SDWAN CXP process

  • dbgd: SDWAN DBG process

  • dbm: Database Manager

  • dmiauthd: DMI Authentication Daemon

  • emd: Environmental Monitoring

  • flow-file-export: Flow file export

  • forwarding-manager: Forwarding Manager

  • fpmd: SDWAN FPM process

  • ftmd: SDWAN FTM process

  • host-manager: Host Manager

  • htx: AppQoE HTX Process

  • install-manager: Install Manager Process

  • iomd: IOMD Process

  • ios: IOS Process

  • iox-manager: IOx Manager Process

  • license-manager: License Manager Process

  • logger: Logging Manager

  • mdt-pubd: Model Defined Telemetry Publisher

  • ncsshd_bp: NETCONF SSH Daemon BINOS Proxy Daemon

  • ndbman: Netconf DataBase Manager

  • nginx: Nginx Webserver Process

  • ompd: SDWAN OMP process

  • pluggable-services: Pluggable Services

  • qfp-control-process: QFP Client Control Process

  • qfp-driver: QFP Driver Process

  • qfp-ha-server: QFP HA Server

  • qfp-service-process: QFP Client Service Process

  • replication-mgr: Replication Manager

  • service-mgr: Service Manager Process

  • shell-manager: Shell Manager

  • smd: Session Manager Process

  • system-integrity: system-integrity (pistisd) Process

  • ttmd: SDWAN TTM process

  • vdaemon: SDWAN vDaemon process

  • virt-manager: Virtualization Manager

slot

Hardware slot from which process messages must be logged.

module

Specify the trace level for one or all the modules of the process.

  • all-modules: All trace modules

  • aom: Asynchronous object manager

  • backwalk: Backwalk

  • bcrdu: Crimson Dynamic Update

  • bcrft: Crimson Function Tracking

  • bcrpgc: Crimson Profile Guided Compiling

  • bidb: Interface descriptor blocks

  • bipc: Inter-process communication

  • bipc_tls: BIPC-TLS communication

  • bso: BSO query

  • btrace: Tracing

  • btrace_ra: Tracing RA

  • ccolib-api: CCOLIB_API

  • cdllib: CLI

  • chasfs: Chassis filesystem

  • cond_debug: Conditional debug

  • crimson-oper: Crimson operational data

  • cxpd-analytics: cloudexpress analytics

  • cxpd-app: cloudexpress app

  • cxpd-config: cloudexpress config

  • cxpd-dpi: cloudexpress dpi

  • cxpd-ftm: cloudexpress ftm

  • cxpd-misc: cloudexpress misc

  • cxpd-omp: cloudexpress omp

  • cxpd-oper: cloudexpress oper

  • cxpd-rtm: cloudexpress rtm

  • cxpd-telemetry: cloudexpress telemetry

  • cxpd-ttm: cloudexpress ttm

  • dassist: DB assist access layer

  • dbal: DB access layer

  • dbdm: DB dependency management

  • dfs_user: DFS

  • dns-resolver: DNS Resolver

  • dnsclient: dnsclient library

  • evlib: Event

  • evutil: Event utility

  • green-be: Green backend

  • green-fe: Green frontend

  • httpcon-curl: HTTPCON library, curl

  • httpcon-main: HTTPCON library, main

  • installer-api: INSTALLER_API

  • libmonitor: monitor library

  • mqipc: Message queue

  • oormon: Out of resource monitoring

  • prelib: Preload

  • scooby: Scooby

  • serdes: Serdes

  • service-dir: Service directory

  • services: Services

  • tdldb-assist: DB table assist library

  • tdldbpersist: DB PERSISTENCE

  • tdllib: Type management

  • thpool: Thread Pool

  • tl3_stm: TL3 software transactional memory

  • ublock: Micro blocks

  • uihandler: CLI command handlers

  • uipeer: User interface peer

  • uistatus: User interface peer status

  • uswap: Crimson User land Swap

  • vconfd: vconfd library

  • vipcommon-http: common library, http

  • vipcommon-misc: common library, misc

  • vipcommon-mqipc: common library, mqipc

  • vipcommon-msgq: common library, msgq

  • vipcommon-pwk: common library, pwk

  • vipcommon-rtmsg: common library, rtmsg

  • vipcommon-sql: common library, sql

trace-level

Select one of the following trace levels:

  • debug: Debug messages

  • emergency: Emergency possible message

  • error: Error messages

  • info: Informational messages

  • noise: Maximum possible message

  • notice: Notice messages

  • verbose: Verbose debug messages

  • warning: Warning messages

Command Default

The default tracing level for all modules is notice.

Command Modes

Privileged EXEC

Command History

Release Modification
Cisco IOS XE Catalyst SD-WAN Release 17.11.1a New keywords introduced:
  • cxpd-analytics: cloudexpress analytics

  • cxpd-app: cloudexpress app

  • cxpd-config: cloudexpress config

  • cxpd-dpi: cloudexpress dpi

  • cxpd-ftm: cloudexpress ftm

  • cxpd-misc: cloudexpress misc

  • cxpd-omp: cloudexpress omp

  • cxpd-oper: cloudexpress oper

  • cxpd-rtm: cloudexpress rtm

  • cxpd-telemetry: cloudexpress telemetry

  • cxpd-ttm: cloudexpress ttm

Cisco IOS XE Catalyst SD-WAN Release 17.4.1a

Command support introduced for select Cisco SD-WAN processes. See the table 'Supported Cisco SD-WAN Daemons' under 'Usage Guidelines'.

Usage Guidelines

Table 4. Supported Cisco SD-WAN Daemons

Cisco SD-WAN Daemons

  • fpmd

  • ftm

  • ompd

  • vdaemon

  • cfgmgr

Supported from Release

Cisco IOS XE Catalyst SD-WAN Release 17.4.1a

Example

In the following example, the binary trace level for the 'config' module of the 'fpmd' process on the 'R0' FRU is set to 'debug'.

Device# set platform software trace fpmd R0 config debug

show aaa servers

To display the status and number of packets that are sent to and received from all public and private authentication, authorization, and accounting (AAA) RADIUS servers as interpreted by the AAA Server MIB, use the show aaa servers command in user EXEC or privileged EXEC mode.

Command History

Release

Modification

Cisco IOS XE Catalyst SD-WAN Release 17.5.1a This command was introduced.

Usage Guidelines

For more information about this command, see the Cisco IOS XE show aaa servers command.

The following is sample output from the show aaa servers private command. Only the first four lines of the display pertain to the status of private RADIUS servers, and the output fields in this part of the display are described in the table below.


Device# show aaa server private
RADIUS: id 24, priority 1, host 172.31.164.120, auth-port 1645, acct-port 1646
     State: current UP, duration 375742s, previous duration 0s
     Dead: total time 0s, count 0
     Quarantined: No
     Authen: request 5, timeouts 1, failover 0, retransmission 1
             Response: accept 4, reject 0, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 14ms
             Transaction: success 4, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Author: request 0, timeouts 0, failover 0, retransmission 0
             Response: accept 0, reject 0, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Account: request 5, timeouts 0, failover 0, retransmission 0
             Request: start 3, interim 0, stop 2
             Response: start 3, interim 0, stop 2
             Response: unexpected 0, server error 0, incorrect 0, time 12ms
             Transaction: success 5, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Elapsed time since counters last cleared: 4d8h22m
     Estimated Outstanding Access Transactions: 0
     Estimated Outstanding Accounting Transactions: 0
     Estimated Throttled Access Transactions: 0
     Estimated Throttled Accounting Transactions: 0
     Maximum Throttled Transactions: access 0, accounting 0
     Requests per minute past 24 hours:
             high - 8 hours, 22 minutes ago: 0
             low  - 8 hours, 22 minutes ago: 0
             average: 0
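
The counters above are where a RADIUS server that is silently timing out or failing over first shows up, so they are worth parsing rather than eyeballing. The following Python script is an added example and is not part of the Cisco command reference: it reads show aaa servers output into one record per server and returns the findings a defender would act on (server not UP, quarantined or marked dead, timeouts, failovers, failed transactions). The SAMPLE text is the display shown above, trimmed to fewer lines, and the conditions checked in flag_servers are assumptions for illustration.

```python
"""Parse 'show aaa servers' output and flag RADIUS servers that need attention.
Added example, not part of the Cisco command reference. SAMPLE is the output shown on
the page (trimmed); the conditions checked in flag_servers are assumed thresholds."""
import re

# Sample output from the command reference, used here as constructed test input.
SAMPLE = """\
RADIUS: id 24, priority 1, host 172.31.164.120, auth-port 1645, acct-port 1646
     State: current UP, duration 375742s, previous duration 0s
     Dead: total time 0s, count 0
     Quarantined: No
     Authen: request 5, timeouts 1, failover 0, retransmission 1
             Response: accept 4, reject 0, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 14ms
             Transaction: success 4, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Author: request 0, timeouts 0, failover 0, retransmission 0
             Response: accept 0, reject 0, challenge 0
             Transaction: success 0, failure 0
     Account: request 5, timeouts 0, failover 0, retransmission 0
             Request: start 3, interim 0, stop 2
             Response: start 3, interim 0, stop 2
             Response: unexpected 0, server error 0, incorrect 0, time 12ms
             Transaction: success 5, failure 0
     Elapsed time since counters last cleared: 4d8h22m
"""

HEADER_RE = re.compile(r"^RADIUS: id (?P<id>\d+), priority (?P<priority>\d+), host (?P<host>\S+), "
                       r"auth-port (?P<auth_port>\d+), acct-port (?P<acct_port>\d+)$")
PAIR_RE = re.compile(r"^([a-z][a-z ]*?) (\d+)(?:ms|s)?$")  # "timeouts 1", "server error 0", "time 14ms"
SECTIONS = ("Authen", "Author", "Account")
SUBSECTIONS = ("Request", "Response", "Transaction", "Throttled")

def _pairs(rest):
    """Turn 'request 5, timeouts 1, ...' into {'request': 5, 'timeouts': 1, ...}."""
    out = {}
    for token in rest.split(","):
        m = PAIR_RE.match(token.strip())
        if m:
            out[m.group(1)] = int(m.group(2))
    return out

def parse_aaa_servers(text):
    """Return one dict per server: identity, state, dead count and counters by section."""
    servers, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {"id": int(m["id"]), "priority": int(m["priority"]), "host": m["host"],
                       "auth_port": int(m["auth_port"]), "acct_port": int(m["acct_port"]),
                       "state": None, "quarantined": False, "dead_count": 0, "counters": {}}
            servers.append(current)
            section = None
            continue
        if current is None or ":" not in line:
            continue
        label, _, rest = line.partition(":")
        label, rest = label.strip(), rest.strip()
        if label == "State":
            sm = re.search(r"current (\w+)", rest)
            current["state"] = sm.group(1) if sm else None
        elif label == "Quarantined":
            current["quarantined"] = rest.lower() == "yes"
        elif label == "Dead":
            current["dead_count"] = _pairs(rest).get("count", 0)
        elif label in SECTIONS:
            section = label
            current["counters"][section] = _pairs(rest)
        elif section and label in SUBSECTIONS:
            # Prefix sub-line keys so "Response: accept" and "Request: start" stay distinct.
            for key, val in _pairs(rest).items():
                current["counters"][section][f"{label.lower()} {key}"] = val
        else:
            section = None  # e.g. "Elapsed time since counters last cleared"
    return servers

def flag_servers(servers):
    """(host, reason) findings: not UP, quarantined or dead, timeouts, failovers, failed transactions."""
    findings = []
    for s in servers:
        host = s["host"]
        if s["state"] != "UP":
            findings.append((host, f"state is {s['state']}"))
        if s["quarantined"] or s["dead_count"]:
            findings.append((host, f"quarantined={s['quarantined']}, dead count {s['dead_count']}"))
        for section, c in s["counters"].items():
            if c.get("timeouts"):
                findings.append((host, f"{section}: {c['timeouts']} timeout(s), "
                                       f"{c.get('retransmission', 0)} retransmission(s)"))
            if c.get("failover"):
                findings.append((host, f"{section}: {c['failover']} failover(s)"))
            if c.get("transaction failure"):
                findings.append((host, f"{section}: {c['transaction failure']} failed transaction(s)"))
    return findings
```

Run against the sample it reports the single Authen timeout together with its retransmission. Output listing several servers is handled the same way, because the command prints one RADIUS: block per server and each block starts with its own header line.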

show autoip status

To display the status of automatic IP address detection for a device and display information that is detected, use the show autoip status command in privileged EXEC mode.

show autoip status

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification

Cisco IOS XE Catalyst SD-WAN Release 17.7.1a

This command was introduced.

The following is sample output from the show autoip status command when an available IP address has been detected:

Device# show autoip status

===========================
AutoIP process is stopped
===========================
Last status       :success
Finally in use    :
IP address        : 192.168.0.6
Gateway IP address: 192.168.0.3
Subnet            : 192.168.47.0
Subnet mask       : 255.255.255.0
DNS server1       : 8.8.8.8
DNS server 2      : 8.8.4.4
Interface         : GigabitEthernet0/0/0

The following is sample output from the show autoip status command when detection is in progress:

Device# show autoip status

===========================
AutoIP process is running
===========================
Last status       :fail
Currently in use  :
IP address        : 192.168.1.2
Gateway IP address: 192.168.1.1
Subnet            : 192.168.40.0
Subnet mask       : 255.255.255.0
DNS server1       : 8.8.8.8
DNS server 2      : 8.8.4.4
Interface         : GigabitEthernet0/0/0

show class map type inspect

To display Layer 3 and Layer 4 or Layer 7 (application-specific) inspect type class maps and their matching criteria, use the show class map type inspect command in privileged EXEC mode.

Command Modes

Privileged EXEC (#)

Command History

Release Modification

Cisco IOS XE Catalyst SD-WAN Release 17.11.1a

This command is supported in Cisco Catalyst SD-WAN.

Usage Guidelines

For usage guidelines, see the Cisco IOS XE show class-map type inspect command.

Example

The following example displays the Layer 3 and Layer 4 or Layer 7 (application-specific) inspect type class maps and their matching criteria.

Device# show class-map type inspect
 Class Map type inspect match-all seq_1-seq-11-cm_ (id 2)
   Match access-group name seq_1-seq-Rule_3-acl_

 Class Map type inspect match-all seq_1-seq-1-cm_ (id 1)
   Match access-group name seq_1-seq-rule1-v6-acl_

show cellular

To display information about the Global Navigation Satellite System (GNSS) configuration, use the show cellular command in privileged EXEC (#) mode.

show cellular slot_number gps detail

Syntax Description

gps detail

Shows the GNSS details.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Catalyst SD-WAN Release 17.15.1a

This command is supported in Cisco Catalyst SD-WAN.

The following sample output displays the GNSS details such as feature status, mode, constellation configuration, GPS port selection, current GPS status, location coordinates, timestamp, and details of individual satellites such as GPS, GLONASS, Galileo, and BeiDou.

Device# show cellular 0/3/0 gps detail
GPS Feature = enabled
GPS Mode Configured = standalone
Current Constellation Configured = gnss
GPS Port Selected = Dedicated GPS port
GPS Status = GPS coordinates acquired
Last Location Fix Error = Offline [0x0]
Latitude = 37 Deg 25 Min 6.0448 Sec North
Longitude = 121 Deg 55 Min 9.6295 Sec West
Timestamp (GMT) = Fri Jul 12 16:11:30 2024

Fix type = 2D, Height = 20m
HDOP = 0.7, GPS Mode Used = standalone

Satellite Info
----------------
GPS:
Satellite #5, elevation 60, azimuth 108, SNR 31 *
Satellite #11, elevation 24, azimuth 50, SNR 34 *
Satellite #12, elevation 40, azimuth 163, SNR 33 *
Satellite #15, elevation 1, azimuth 151, SNR 19 *
Satellite #18, elevation 30, azimuth 248, SNR 33 *
Satellite #20, elevation 46, azimuth 59, SNR 36 *
Satellite #25, elevation 64, azimuth 206, SNR 35 *
Satellite #26, elevation 6, azimuth 320, SNR 27 *
Satellite #28, elevation 13, azimuth 274, SNR 33 *
Satellite #29, elevation 59, azimuth 327, SNR 37 *
Satellite #31, elevation 8, azimuth 305, SNR 27 *
Satellite #46, elevation 0, azimuth 0, SNR 34 **
Glonass:
Satellite #74, elevation 35, azimuth 312, SNR 34 *
Satellite #82, elevation 21, azimuth 52, SNR 35 *
Satellite #73, elevation 52, azimuth 248, SNR 41 *
Satellite #80, elevation 20, azimuth 187, SNR 34 *
Satellite #84, elevation 30, azimuth 278, SNR 22
Satellite #83, elevation 51, azimuth 9, SNR 27 *
Satellite #67, elevation 24, azimuth 61, SNR 36 *
Satellite #66, elevation 2, azimuth 16, SNR 0
Satellite #68, elevation 21, azimuth 115, SNR 0
Galileo:
Satellite #13, elevation 33, azimuth 247, SNR 38 *
Satellite #15, elevation 75, azimuth 330, SNR 39 *
Satellite #27, elevation 68, azimuth 271, SNR 37 *
Satellite #3, elevation 2, azimuth 118, SNR 0
Satellite #5, elevation 4, azimuth 71, SNR 0 *
Satellite #21, elevation 21, azimuth 316, SNR 0
Satellite #30, elevation 42, azimuth 164, SNR 0
Beidou:
Satellite #6, elevation 3, azimuth 322, SNR 30
Satellite #12, elevation 15, azimuth 274, SNR 30 *
Satellite #19, elevation 33, azimuth 108, SNR 0
Satellite #20, elevation 21, azimuth 54, SNR 0 *
Satellite #22, elevation 14, azimuth 161, SNR 0
Satellite #24, elevation 28, azimuth 295, SNR 0
Satellite #26, elevation 37, azimuth 232, SNR 0 *
Satellite #29, elevation 25, azimuth 73, SNR 0 *

show clock

To display the system clock on a device, use the show clock command in privileged EXEC mode.

show clock

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Catalyst SD-WAN Release 17.9.1a

This command was introduced.

The following sample output displays the system clock with the date and time.


Device# show clock
*00:42:53.470 UTC Tue Jul 26 2022

show configuration commit list

To display the configuration commit list, use the show configuration commit list command in global configuration mode.

show configuration commit list

Command Default

None

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Catalyst SD-WAN Release 17.9.1a

This command was introduced.

The following sample output displays the configuration commit list.


Device(config)# show configuration commit list
2022-07-26 00:41:21
SNo. ID       User       Client      Time Stamp          Label       Comment
~~~~ ~~       ~~~~       ~~~~~~      ~~~~~~~~~~          ~~~~~       ~~~~~~~
0    10001    vmanage-ad netconf     2022-05-12 10:17:03
1    10014    vmanage-ad netconf     2022-04-04 06:36:45
2    10013    vmanage-ad netconf     2022-04-04 06:20:41
3    10012    vmanage-ad netconf     2022-04-04 06:20:38
4    10011    admin      cli         2022-03-27 21:02:40
5    10010    admin      cli         2022-03-27 20:14:42
6    10009    admin      cli         2022-03-27 20:12:57
7    10008    admin      cli         2022-03-27 20:11:21
8    10007    cfgmgr     system      2022-03-27 20:10:21
9    10006    system     system      2022-03-27 19:57:34
10   10005    system     system      2022-03-27 19:57:32
11   10004    system     system      2022-03-27 19:57:31
12   10003    system     system      2022-03-27 19:57:30
13   10002    system     system      2022-03-27 19:57:30
14   10001    system     system      2022-03-27 19:57:28
15   10000    dmidlib_sy system      2022-03-27 19:57:25

show crypto ipsec sa

To display the settings used by IPsec security associations (SAs), use the show crypto ipsec sa command in privileged EXEC mode.

Supported Parameters

active

(Optional) Displays high availability (HA)-enabled IPsec SAs that are in the active state.

address

(Optional) Displays all existing SAs. The SAs are sorted by the destination address (either the local address or the address of the IPsec remote peer) and then by protocol (Authentication Header [AH] or Encapsulation Security Protocol [ESP]).

detail

(Optional) Displays detailed information of all settings.

identity [detail]

(Optional) Displays only the flow information. The SA information isn’t displayed.

interface type number

(Optional) Displays all SAs created for an interface type. The interface types are: ATM, Dialer, GigabitEthernet, Loopback, Serial, Vlan, VirtualPortGroup.

ipv6

(Optional) Displays IPv6 IPsec SA information.

detailed

(Optional) Displays detailed error counters.

platform

(Optional) Displays platform-specific information about the IPsec flow.

ipv4-address

(Optional) Displays IPsec SAs for an IPv4 peer.

ipv6-address

(Optional) Displays IPsec SAs for an IPv6 peer.

map map-name [detail]

(Optional) Displays any existing SAs that were created for the crypto map set using a value for the map-name argument.

peer [detail | [vrf vrf] [ipv4-address [detail] | ipv6-address [detail | platform]]]

(Optional) Displays all existing SAs with the peer IP address.

standby

(Optional) Displays HA-enabled IPsec SAs that are in the standby state.

Command History

Release

Modification

Cisco IOS XE Catalyst SD-WAN Release 17.6.1a Command qualified for use in Cisco vManage CLI templates; the display of the current outbound SPI and the SPI entries was modified.

Usage Guidelines

For more information about this command, see the Cisco IOS XE show crypto ipsec sa command.

Example 1:

The following sample output from the show crypto ipsec sa command shows that the SPI values are not valid and are not displayed for Cisco SD-WAN IPsec tunnels.


Device# show crypto ipsec sa
interface: Tunnel1
    Crypto map tag: Tunnel1-vesen-head-0, local addr 10.1.15.15
 
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.15.15/255.255.255.255/0/12346)
   remote ident (addr/mask/prot/port): (10.1.16.16/255.255.255.255/0/12366)
   current_peer 10.1.16.16 port 12366
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 449884, #pkts encrypt: 449884, #pkts digest: 449884
    #pkts decaps: 449874, #pkts decrypt: 449874, #pkts verify: 449874
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
 
     local crypto endpt.: 10.1.15.15, remote crypto endpt.: 10.1.16.16
     plaintext mtu 1438, path mtu 1480, ip mtu 1480, ip mtu idb Tunnel1
     current outbound spi:  [Not Available]
     PFS (Y/N): N, DH group: none
 
     inbound esp sas:
      spi: [Not Available]
        transform: esp-gcm 256 ,
        in use settings ={Transport UDP-Encaps, esn}
        conn id: 2003, flow_id: CSR:3, sibling_flags FFFFFFFF80000008, crypto map: Tunnel1-vesen-head-0
        sa timing: remaining key lifetime is not applicable
        Kilobyte Volume Rekey has been disabled
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
 
      inbound ah sas:
 
      inbound pcp sas:
 
      outbound esp sas:
       spi: [Not Available]
        transform: esp-gcm 256 ,
        in use settings ={{Transport UDP-Encaps, esn}
        conn id: 2003, flow_id: CSR:3, sibling_flags FFFFFFFF80000008, crypto map: Tunnel1-vesen-head-0
        sa timing: remaining key lifetime is not applicable
        Kilobyte Volume Rekey has been disabled
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
 
      outbound ah sas:
 
      outbound pcp sas:

Example 2:

The following is sample output from the show crypto ipsec sa command showing an IKE-based IPsec tunnel.

Device# show crypto ipsec sa
interface: Tunnel100
    Crypto map tag: Tunnel100-head-0, local addr 192.168.70.11
 
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.70.11/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.70.12/255.255.255.255/47/0)
   current_peer 192.168.70.12 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2292, #pkts encrypt: 2292, #pkts digest: 2292
    #pkts decaps: 112, #pkts decrypt: 112, #pkts verify: 112
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
 
     local crypto endpt.: 192.168.70.11, remote crypto endpt.: 192.168.70.12
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet2
     current outbound spi: 0x19967EA7(429293223)
     PFS (Y/N): N, DH group: none
 
     inbound esp sas:
      spi: 0xB13A9E4F(2973408847)
       transform: esp-gcm 256 ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: CSR:3, sibling_flags FFFFFFFF80000048, crypto map: Tunnel100-head-0
        sa timing: remaining key lifetime 24 days, 23 hours, 41 mins
        Kilobyte Volume Rekey has been disabled
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
 
     inbound ah sas:
 
     inbound pcp sas:
 
     outbound esp sas:
      spi: 0x19967EA7(429293223)
        transform: esp-gcm 256 ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: CSR:4, sibling_flags FFFFFFFF80000048, crypto map: Tunnel100-head-0
        sa timing: remaining key lifetime 24 days, 23 hours, 41 mins
        Kilobyte Volume Rekey has been disabled
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
 
     outbound ah sas:
 
     outbound pcp sas:

The following table describes the significant fields shown in the displays.

Table 5. show crypto ipsec sa Field Descriptions

Field | Description
--- | ---
interface | Interface on which the SA is created.
Crypto map tag | Policy tag for IPsec.
protected vrf | IVRF name that applies to the IPsec interface.
local ident (addr/mask/prot/port) | Local selector that is used for encryption and decryption.
remote ident (addr/mask/prot/port) | Remote selector that is used for encryption and decryption.
Group | Name of the GDOI group corresponding to the IPsec SA.
current_peer | Peer that communicates with the IPsec tunnel.
PERMIT, flags | Indicates that the IPsec SA is triggered by the access control list (ACL) permit action.
pkts encaps | Number of packets that were successfully encapsulated by IPsec.
pkts encrypt | Number of packets that were successfully encrypted by IPsec.
pkts digest | Number of packets that were successfully hash digested by IPsec.
pkts decaps | Number of packets that were successfully decapsulated by IPsec.
pkts decrypt | Number of packets that were successfully decrypted by IPsec.
pkts verify | Number of received packets that passed the hash digest check.
pkts compressed | Number of packets that were successfully compressed by IPsec.
pkts decompressed | Number of packets that were successfully decompressed by IPsec.
pkts not compressed | Number of outbound packets that weren’t compressed.
pkts compr. failed | Number of packets that failed compression by IPsec.
pkts not decompressed | Number of inbound packets that weren’t compressed.
pkts decompress failed | Number of packets that failed decompression by IPsec.
send errors | Number of outbound packets with errors.
recv errors | Number of inbound packets with errors.
local crypto endpt. | Local endpoint terminated by IPsec.
remote crypto endpt. | Remote endpoint terminated by IPsec.
path mtu | MTU size that is calculated based on the Internet Control Message Protocol (ICMP) unreachable packet, including the IPsec overhead, if any.
ip mtu | Interface MTU size that depends on the IPsec overhead.
ip mtu idb | Interface description block (IDB) that is used to determine the crypto IP MTU.
current outbound spi | Current outbound Security Parameters Index (SPI). This value isn't valid and is set to "Not Available".
inbound esp sas | Encapsulating Security Payload (ESP) for the SA for the inbound traffic.
spi | SPI for classifying the inbound packet. This value isn't valid and is set to "Not Available".
transform | Security algorithm that is used to provide authentication, integrity, and confidentiality.
in use settings | Transform that the SA uses (such as tunnel mode, transport mode, UDP-encapsulated tunnel mode, or UDP-encapsulated transport mode).
conn id | ID that is stored in the crypto engine to identify the IPsec/Internet Key Exchange (IKE) SA.
flow_id | SA identity.
crypto map | Policy for IPsec.
sa timing: remaining key lifetime (k/sec) | Seconds or kilobytes remaining before a rekey occurs.
HA last key lifetime sent (k) | Last stored kilobytes lifetime value for HA.
ike_cookies | ID that identifies the IKE SAs.
IV size | Size of the initialization vector (IV) that is used for the cryptographic synchronization data used to encrypt the payload.
replay detection support | Replay detection feature enabled by a specific SA.
Status | Indicates whether the SA is active.
inbound ah sas | Authentication algorithm for the SA for inbound traffic.
inbound pcp sas | Compression algorithm for the SA for inbound traffic.
outbound esp sas | Encapsulating security payload for the SA for outbound traffic.
outbound ah sas | Authentication algorithm for the SA for outbound traffic.
outbound pcp sas | Compression algorithm for the SA for outbound traffic.
DENY, flags | Indicates that the IPsec SA is triggered by the ACL deny action.
pkts no sa (send) | Outbound packets that couldn’t find the associated IPsec SA.
pkts invalid sa (rcv) | Received packets that failed the IPsec format check.
pkts invalid prot (recv) | Received packets that have the wrong protocol field.
pkts verify failed | Received packets that failed the hash digest check.
pkts invalid identity (recv) | Packets that couldn’t find the associated selector after decryption.
pkts invalid len (rcv) | Inbound packets that have an incorrect pad length for the software crypto engine.
pkts replay rollover (send) | Sent packets that failed the replay test check.
pkts replay rollover (rcv) | Received packets that failed the replay test check.
pkts internal err (send) | Sent packets that failed because of a software or hardware error.
pkts internal err (rcv) | Received packets that failed because of a software or hardware error.
pkts tagged (send) | Packets tagged with a Cisco TrustSec SGT in the outbound direction.
pkts untagged (rcv) | Packets not tagged with a Cisco TrustSec SGT in the inbound direction.
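As an added example (not from the Cisco documentation), the Python below parses show crypto ipsec sa output into per-interface counters and ESP SA records, then flags the conditions a defender would check against the field descriptions above: non-zero send or recv errors, an SA whose Status is not ACTIVE, and an SA without replay detection. The sample input is constructed from the page's Tunnel100 output with two values altered so that the checks fire.

```python
import re

# Constructed sample input (not from the Cisco documentation), abridged from
# the page's Tunnel100 "show crypto ipsec sa" output. Two values are altered
# to exercise the checks: recv errors is 3, outbound replay detection is N.
SAMPLE = """\
interface: Tunnel100
    #pkts encaps: 2292, #pkts encrypt: 2292, #pkts digest: 2292
    #pkts decaps: 112, #pkts decrypt: 112, #pkts verify: 112
    #send errors 0, #recv errors 3
     inbound esp sas:
      spi: 0xB13A9E4F(2973408847)
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     outbound esp sas:
      spi: 0x19967EA7(429293223)
        replay detection support: N
        Status: ACTIVE(ACTIVE)
"""

def parse_ipsec_sa(text):
    """Return {interface: {"counters": {name: int}, "sas": [dict, ...]}}.
    Counter lines start with '#'; each 'inbound/outbound esp sas:' header
    opens a new SA record that collects the 'key: value' lines below it."""
    result, iface, sa = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface:"):
            iface = line.split(":", 1)[1].strip()
            result[iface] = {"counters": {}, "sas": []}
            sa = None
        elif iface is None:
            continue
        elif line.startswith("#"):
            # "#pkts encaps: 2292, ..." and "#send errors 0, #recv errors 3"
            for name, val in re.findall(r"#([\w .]+?):?\s+(\d+)", line):
                result[iface]["counters"][name.strip()] = int(val)
        elif m := re.fullmatch(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            sa = None  # ah/pcp sections are empty in the page's outputs
            if m.group(2) == "esp":
                sa = {"direction": m.group(1)}
                result[iface]["sas"].append(sa)
        elif sa is not None and ":" in line:
            key, val = (part.strip() for part in line.split(":", 1))
            sa[key] = val
    return result

def sa_findings(parsed):
    """Flag the Table 5 fields a defender watches: non-zero send/recv errors,
    an ESP SA whose Status is not ACTIVE, and an SA without replay detection."""
    findings = []
    for iface, data in parsed.items():
        for name in ("send errors", "recv errors"):
            if data["counters"].get(name, 0):
                findings.append(f"{iface}: {name} = {data['counters'][name]}")
        for sa in data["sas"]:
            tag = f"{iface} {sa['direction']} spi {sa.get('spi', '?')}"
            if not sa.get("Status", "").startswith("ACTIVE"):
                findings.append(f"{tag}: status {sa.get('Status')}")
            if sa.get("replay detection support") != "Y":
                findings.append(f"{tag}: replay detection disabled")
    return findings
```

Feed it the full text of show crypto ipsec sa from a device (or a collection job) and an empty findings list means every tunnel interface passed the three checks.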

show cts environment-data

To display the TrustSec environment data, use the show cts environment-data command in user EXEC or privileged EXEC mode.

show cts environment-data

Command Default

None

Command Modes

User EXEC (>)

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Catalyst SD-WAN Release 17.5.1a This command was introduced.

The following sample output displays the environment data.

Device# show cts environment-data

 CTS Environment Data
====================
Current state = START
Last status = In Progress
Environment data is empty
State Machine is running
Retry_timer (60 secs) is not running

show cts pac

To display the Protected Access Credentials (PACs), use the show cts pacs command in user EXEC or privileged EXEC mode.

Command Default

None

Command Modes

User EXEC (>)

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Catalyst SD-WAN Release 17.5.1a This command was introduced.

Usage Guidelines

Use this command to identify the Network Device Admission Control (NDAC) authenticator and to verify NDAC completion.

The following sample output displays the Protected Access Credential (PAC) received from a Cisco ACS with the authenticator ID (A-ID–Info):


Device# show cts pac

 AID: 1100E046659D4275B644BF946EFA49CD
PAC-Info:
PAC-type = Cisco Trustsec
AID: 1100E046659D4275B644BF946EFA49CD
I-ID: device1
A-ID-Info: acs1
Credential Lifetime: 13:59:27 PDT Jun 5 2010
PAC-Opaque: 000200B000030001000400101100E046659D4275B644BF946EFA49CD0006009400
0301008285A14CB259CA096487096D68D5F34D000000014C09A6AA00093A808ACA80B39EB656AF0B
CA91F3564DF540447A11F9ECDFA4AEC3A193769B80066832495B8C40F6B5B46B685A68411B7DF049
A32F2B03F89ECF948AC4BB85CF855CA186BEF8E2A8C69A7C0BE1BDF6EC27D826896A31821A7BA523
C8BD90072CB8A8D0334F004D4B627D33001B0519D41738F7EDDF3A
Refresh timer is set for 00:01:24 

show cts role-based counters

To display Security Group access control list (ACL) enforcement statistics, use the show cts role-based counters command in user EXEC or privileged EXEC mode.

show cts role-based counters [ default [ ipv4 | ipv6 ] ] [ from { sgt_num | unknown } [ ipv4 | ipv6 ] ] [ to { sgt_num | unknown } [ ipv4 | ipv6 ] ] [ ipv4 | ipv6 ]

Syntax Description

default

Specifies default policy counters.

from

Specifies the source security group.

ipv4

Specifies security groups on IPv4 networks.

ipv6

Specifies security groups on IPv6 networks.

to

Specifies the destination security group.

sgt_num

Security Group Tag number. Valid values are from 0 to 65533.

unknown

Specifies all source groups.

Command Modes

User EXEC (>)

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Catalyst SD-WAN Release 17.5.1a This command was introduced.

Usage Guidelines

Use the show cts role-based counters command to display the Security Group ACL (SGACL) enforcement statistics. Use the clear cts role-based counters command to reset all or a range of statistics.

Specify the source SGT with the from keyword and the destination SGT with the to keyword. All statistics are displayed when both the from and to keywords are omitted.

The default keyword displays the statistics of the default unicast policy. When neither ipv4 nor ipv6 is specified, this command displays only IPv4 counters.

The following sample output displays all enforcement statistics for IPv4 and IPv6 events:


Device# show cts role-based counters

 Role-based counters
 
From To SW-Denied HW-Denied SW-Permitted HW_Permitted
2 5 129 89762 421 7564328
3 5 37 123456 1325 12345678
3 7 0 65432 325 2345678 

show cts role-based permissions

To display the Cisco TrustSec role-based access control list (RBACL) permissions, use the show cts role-based permissions command in privileged EXEC mode.

show cts role-based permissions [ default | from | ipv4 | ipv6 | to ] [ details ]

Syntax Description

default

(Optional) Displays the default permission list.

from

(Optional) Displays the source group.

ipv4

(Optional) Displays the IPv4 RBACLs.

ipv6

(Optional) Displays the IPv6 RBACLs.

to

(Optional) Displays the destination group.

details

(Optional) Displays the attached access control list (ACL) details.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Catalyst SD-WAN Release 17.5.1a This command was introduced.

Usage Guidelines

This show command displays the content of the RBACL permission matrix. You can specify the source SGT by using the from keyword and the destination SGT by using the to keyword. When both from and to are specified, the RBACLs of a single cell are displayed. An entire column is displayed when only the to keyword is used. An entire row is displayed when only the from keyword is used.

The entire permission matrix is displayed when both the from and to keywords are omitted.

The command output is sorted by destination SGT as the primary key and source SGT as the secondary key. The RBACLs for each cell are displayed in the same order they are defined in the configuration or acquired from Cisco ACS.

The details keyword is available when a single cell is selected by specifying both the from and to keywords. When the details keyword is specified, the ACEs of the RBACLs of that single cell are displayed.

The following is sample output from the show cts role-based permissions command:


Device# show cts role-based permissions

 Role-based permissions from group 2 to group 5:
srb2
srb5
Role-based permissions from group 3 to group 5:
srb3
srb5
Role-based permissions from group 3 to group 7:
srb4 

The following is sample output from the show cts role-based permissions command:


Device# show cts role-based permissions

 Role-based permissions from group 2 to group 5:
srb2
srb5 

show cts role-based sgt-map

To display the Security Group Tag (SGT) Exchange Protocol (SXP) source IP-to-SGT bindings table, use the show cts role-based sgt-map command in user EXEC or privileged EXEC mode.

show cts role-based sgt-map [ ipv4_dec | ipv4_cidr | ipv6_hex | ipv6_cidr | all [ ipv4 | ipv6 ] | host { ipv4_decimal | ipv6_dec } | summary [ ipv4 | ipv6 ] | vrf instance_name { ipv4_dec | ipv4_cidr | ipv6_dec | ipv6_cidr | all [ ipv4 | ipv6 ] | host { ipv4_decimal | ipv6_dec } | summary [ ipv4 | ipv6 ] } ]

Syntax Description

ipv4_dec

IPv4 address in dot-decimal notation. For example, 208.77.188.166.

ipv4_cidr

IPv4 address range in Classless Inter-Domain Routing (CIDR) notation. For example, 10.0.0.0/8, where the /8 signifies that the 8 most significant bits identify the network and the 24 least significant bits identify the hosts.

ipv6_hex

IPv6 address in hexadecimal separated by colons. For example, 2001:db8:85a3::8a2e:370:7334.

ipv6_cidr

A range of IPv6 addresses in hexadecimal CIDR notation.

host { ipv4_decimal | ipv6_hex }

Specifies mappings for a specific IPv4 or IPv6 host. Use dot-decimal notation for IPv4 and colon-separated hexadecimal notation for IPv6.

all

Specifies all mappings to be displayed.

summary [ ipv4 | ipv6 ]

Summary of IPv4 or IPv6 mappings. Displays both IPv4 and IPv6 if you do not specify a keyword.

vrf instance_name

Specifies a VPN routing and forwarding instance for mappings.

Command Default

None

Command Modes

User EXEC (>)

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Catalyst SD-WAN Release 17.5.1a This command was introduced.

Usage Guidelines

Use this command to verify that the bindings of source IP addresses to Security Group Tags are correct. This command shows information about active IP-SGT bindings for the specified IP host address or subnet.

This command displays a single binding when a host IP address is specified. It displays all the bindings for IP addresses within a given subnet if <network>/<length> is specified.

A summary of the active bindings by source is displayed at the end of the keyword all output and also if the keyword summary is entered.

The following sample output displays the bindings of IP address and SGT source names:


Device# show cts role-based sgt-map vrf 1 all

Active IPv4-SGT Bindings Information
IP Address SGT Source
============================================
10.1.1.1 500 CLI
10.2.2.2 600 SXP
IP-SGT Active Bindings Summary
============================================
Total number of CLI bindings = 1
Total number of SXP bindings = 1
Total number of active bindings = 2

show cts sxp connections

To display Cisco TrustSec Security Group Tag (SGT) Exchange Protocol (CTS-SXP) connection or source IP-to-SGT mapping information, use the show cts sxp connections command in user EXEC or privileged EXEC mode.

Supported Parameters

connections

Displays Cisco TrustSec SXP connections information.

Command History

Release Modification
Cisco IOS XE Catalyst SD-WAN Release 17.5.1a This command was introduced.

Usage Guidelines

For more information about this command, see the Cisco IOS XE show cts sxp

The following example displays the SXP connections using the brief keyword:


Device# show cts sxp connection brief

 SXP              : Enabled
 Default Password : Set
 Default Source IP: Not Set
Connection retry open period: 10 secs
Reconcile period: 120 secs
Retry open timer is not running
-----------------------------------------------------------------------------
Peer_IP          Source_IP        Conn Status       Duration
-----------------------------------------------------------------------------
10.10.10.1          10.10.10.2          On                0:00:02:14 (dd:hr:mm:sec)
10.10.2.1          10.10.2.2          On                0:00:02:14 (dd:hr:mm:sec)
Total num of SXP Connections = 2

The following example displays the CTS-SXP connections:


Device# show cts sxp connections

 SXP              : Enabled
 Default Password : Set
 Default Source IP: Not Set
Connection retry open period: 10 secs
Reconcile period: 120 secs
Retry open timer is not running
----------------------------------------------
Peer IP          : 10.10.10.1
Source IP        : 10.10.10.2
Set up           : Peer
Conn status      : On
Connection mode  : SXP Listener
Connection inst# : 1
TCP conn fd      : 1
TCP conn password: not set (using default SXP password)
Duration since last state change: 0:00:01:25 (dd:hr:mm:sec)
----------------------------------------------
Peer IP          : 10.10.2.1
Source IP        : 10.10.2.2
Set up           : Peer
Conn status      : On
Connection mode  : SXP Listener
TCP conn fd      : 2
TCP conn password: not set (using default SXP password)
Duration since last state change: 0:00:01:25 (dd:hr:mm:sec)
Total num of SXP Connections = 2

The following example displays the CTS-SXP connections for a bi-directional connection when the device is both the speaker and listener:


Device# show cts sxp connections

SXP : Enabled
Highest Version Supported: 4
Default Password : Set
Default Source IP: Not Set
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is running
----------------------------------------------
Peer IP : 2.0.0.2
Source IP : 1.0.0.2
Conn status : On (Speaker) :: On (Listener)
Conn version : 4
Local mode : Both
Connection inst# : 1
TCP conn fd : 1(Speaker) 3(Listener)
TCP conn password: default SXP password
Duration since last state change: 1:03:38:03 (dd:hr:mm:sec) :: 0:00:00:46 (dd:hr:mm:sec)

The following example displays output from a CTS-SXP listener with a torn down connection to the SXP speaker. Source IP-to-SGT mappings are held for 120 seconds, the default value of the Delete Hold Down timer.


Device# show cts sxp connections

 SXP              : Enabled
 Default Password : Set
 Default Source IP: Not Set
Connection retry open period: 10 secs
Reconcile period: 120 secs
Retry open timer is not running
----------------------------------------------
Peer IP          : 10.10.10.1
Source IP        : 10.10.10.2
Set up           : Peer
Conn status      : Delete_Hold_Down
Connection mode  : SXP Listener
Connection inst# : 1
TCP conn fd      : -1
TCP conn password: not set (using default SXP password)
Delete hold down timer is running
Duration since last state change: 0:00:00:16 (dd:hr:mm:sec)
----------------------------------------------
Peer IP          : 10.10.2.1
Source IP        : 10.10.2.2
Set up           : Peer
Conn status      : On
Connection inst# : 1
TCP conn fd      : 2
TCP conn password: not set (using default SXP password)
Duration since last state change: 0:00:05:49 (dd:hr:mm:sec)
Total num of SXP Connections = 2
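As an added example (not from the Cisco documentation), the Python below parses show cts sxp connections output in both layouts shown above (the padded single-role listing and the bi-directional speaker/listener listing) and reports peers that are not in the On state such as Delete_Hold_Down, peers whose socket is closed (fd -1), and peers that rely on the global default SXP password rather than a per-peer one. The sample input is constructed from the outputs above.

```python
import re

# Constructed sample input (not from the Cisco documentation), abridged from
# the page's "show cts sxp connections" outputs: a listener in
# Delete_Hold_Down, a healthy listener, and a bi-directional peer.
SAMPLE = """\
 SXP              : Enabled
 Default Password : Set
----------------------------------------------
Peer IP          : 10.10.10.1
Conn status      : Delete_Hold_Down
Connection mode  : SXP Listener
TCP conn fd      : -1
TCP conn password: not set (using default SXP password)
Delete hold down timer is running
----------------------------------------------
Peer IP          : 10.10.2.1
Conn status      : On
Connection mode  : SXP Listener
TCP conn fd      : 2
TCP conn password: not set (using default SXP password)
----------------------------------------------
Peer IP : 2.0.0.2
Conn status : On (Speaker) :: On (Listener)
Local mode : Both
TCP conn fd : 1(Speaker) 3(Listener)
TCP conn password: default SXP password
"""

def parse_sxp_connections(text):
    """Split on the dashed separators: the first block is the global header,
    each later block is one peer. Keys are stripped of their column padding so
    the single-role and the bi-directional layouts parse the same way."""
    blocks = re.split(r"^-{10,}\s*$", text, flags=re.MULTILINE)
    def kv(block):
        d = {}
        for line in block.splitlines():
            if ":" in line:
                k, v = line.split(":", 1)
                d[k.strip()] = v.strip()
            elif line.strip():  # timer lines without a colon
                d.setdefault("notes", []).append(line.strip())
        return d
    header, *peers = (kv(b) for b in blocks if b.strip())
    return header, peers

def sxp_findings(header, peers):
    """Flag the states the outputs above illustrate: SXP disabled, a peer not
    in the On state (in Delete_Hold_Down the mappings learned from that peer
    are kept until the hold-down timer expires), a closed socket (fd -1), and
    use of the global default password instead of a per-peer one."""
    out = []
    if header.get("SXP") != "Enabled":
        out.append("SXP is not enabled")
    for p in peers:
        peer = p.get("Peer IP", "?")
        statuses = [s.strip() for s in p.get("Conn status", "").split("::")]
        if any(not s.startswith("On") for s in statuses):
            out.append(f"{peer}: conn status {p.get('Conn status')}")
        if p.get("TCP conn fd", "").strip() == "-1":
            out.append(f"{peer}: no TCP connection (fd -1)")
        if "default SXP password" in p.get("TCP conn password", ""):
            out.append(f"{peer}: uses the global default SXP password")
    return out
```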

show crypto key mypubkey rsa

To display the RSA public keys of your router, use the show crypto key mypubkey rsa command in privileged EXEC mode.

Command History

Release Modification
Cisco IOS XE Catalyst SD-WAN Release 17.7.1a This command was introduced.

Usage Guidelines

For more information about this command, see the Cisco IOS XE