Troubleshooting System Issues
This chapter describes the Cisco Virtual Security Gateway (VSG) system and how to identify and correct problems related to the system.
Information About the System
The Cisco VSG provides firewall functionality for the VMs that have vEths with port profiles created by the Virtual Supervisor Module (VSM). For the Cisco VSG to function properly, it should be registered with a Cisco Virtual Network Management Center (VNMC), and the MAC address of the Cisco VSG's data interface should be seen by the VSM.
This example shows how to display information about the system:
vsg# show vsg
Model: VSG
HA ID: 218
VSG Software Version: 4.2(1)VSG1(1) build [4.2(1)VSG1(1)]
VNMC IP: 10.193.77.223
VSG-PERF-1_1#
VSG-PERF-1_1# show vnm-pa status
VNM Policy-Agent status is - Installed Successfully. Version 1.0(1j)-vsg
vsg#
Make sure that the Cisco VSG MAC address is learned by the VSM by entering the show vsn detail command as follows:
vsm# show vsn detail
#VSN VLAN: 754, IP-ADDR: 200.1.1.10
MODULE VSN-MAC-ADDR FAIL-MODE VSN-STATE
3 00:50:56:83:00:01 Close Up
#VSN Ports, Port-Profile, Org and Security-Profile Association:
#VSN VLAN: 754, IP-ADDR: 200.1.1.10
Port-Profile: profile-traffic, Security-Profile: sec-profile-perf, Org: root/Tenant-perf-1.1
Module Vethernet
3 9
vsm#
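The check above can be scripted against captured show vsn detail output. The following Python is an added example, not part of the Cisco documentation; the function names are hypothetical, and the failing sample (all-zero MAC, state Down) is constructed, because the page shows only the healthy case.

```python
import re

# Output copied from the "show vsn detail" example on this page.
PAGE_SAMPLE = """#VSN VLAN: 754, IP-ADDR: 200.1.1.10
MODULE VSN-MAC-ADDR FAIL-MODE VSN-STATE
3 00:50:56:83:00:01 Close Up
#VSN Ports, Port-Profile, Org and Security-Profile Association:
#VSN VLAN: 754, IP-ADDR: 200.1.1.10
Port-Profile: profile-traffic, Security-Profile: sec-profile-perf, Org: root/Tenant-perf-1.1
Module Vethernet
3 9"""
# Constructed failure case; the all-zero MAC and "Down" state are assumptions.
CONSTRUCTED_DOWN = PAGE_SAMPLE.replace(
    "3 00:50:56:83:00:01 Close Up", "3 00:00:00:00:00:00 Close Down")
VSN_RE = re.compile(r"#VSN VLAN:\s*(\d+),\s*IP-ADDR:\s*(\S+)")
ROW_RE = re.compile(r"(\d+)\s+((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+(\S+)\s+(\S+)$")


def parse_vsn_detail(text):
    """Return one dict per row of the MODULE / VSN-MAC-ADDR table."""
    rows, vsn, in_table = [], (None, None), False
    for line in map(str.strip, text.splitlines()):
        m = VSN_RE.match(line)
        if m:
            vsn, in_table = (int(m.group(1)), m.group(2)), False
        elif line.split()[:2] == ["MODULE", "VSN-MAC-ADDR"]:
            in_table = True
        elif in_table and (r := ROW_RE.match(line)):
            rows.append({"vlan": vsn[0], "ip": vsn[1], "module": int(r.group(1)),
                         "mac": r.group(2).lower(), "fail_mode": r.group(3),
                         "state": r.group(4)})
        else:
            in_table = False
    return rows


def findings(rows):
    """List conditions under which the VSM cannot use the Cisco VSG."""
    out = [] if rows else ["no VSG entry: VSM has not learned a VSG MAC"]
    for r in rows:
        where = f"module {r['module']}, VSN {r['ip']} vlan {r['vlan']}"
        if r["mac"] == "00:00:00:00:00:00":
            out.append(f"{where}: VSG MAC not learned")
        if r["state"].lower() != "up":
            out.append(f"{where}: VSN-STATE {r['state']} (fail-mode {r['fail_mode']})")
    return out
```

An empty findings list for every VEM module means the VSM has a learned MAC and an Up state for the Cisco VSG on that module.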
For more information, see the following documents:
•Cisco Virtual Security Gateway, Release 4.2(1)VSG1(1)
•Cisco Virtual Network Management Center, Release 1.0.1 Installation
•Quick Start Guide for Cisco Virtual Security Gateway and Cisco Virtual Network Management Center.
Problems with VM Traffic
When troubleshooting problems with intra-host VM traffic, follow these guidelines:
•Make sure that at least one of the VMware virtual NICs is on the correct DVS port group and is connected.
•If the VMware virtual NIC is down, determine if there is a conflict between the MAC address configured in the OS and the MAC address assigned by VMware. You can see the assigned MAC addresses in the .vmx file.
When troubleshooting problems with inter-host VM traffic, follow these guidelines:
•Determine if there is exactly one uplink sharing a VLAN with the VMware virtual NIC. If there is more than one, they must be in a port channel.
•Ping an SVI on the upstream switch using the show intX counters command.
VEM Troubleshooting Commands
This section includes the following topics:
•Displaying Miscellaneous VEM Details
Displaying VEM Information
Use the following commands to display Virtual Ethernet Module (VEM) information:
•vemlog—Displays and controls VEM kernel logs
•vemcmd—Displays configuration and status information
•vem-support all—Displays support information
•vem status—Displays status information
•vem version—Displays version information
•vemcmd show arp all—Displays the ARP table on the VEM
•vemcmd show vsn config—Displays all the Cisco VSGs configured on the VEM, and the Cisco VSG licensing status (firewall on or off).
•vemcmd show vsn binding—Displays all VM LTL port to Cisco VSG bindings
•vemcmd show learnt—Displays all of the VMs that have been learned by the VEM
Displaying Miscellaneous VEM Details
These commands provide additional VEM details:
•vemlog show last number-of-entries—Displays the circular buffer
This example shows the results of the command:
[root@esx-cos1 ~]# vemlog show last 5
Timestamp Entry CPU Mod Lv Message
Oct 13 13:15:52.615416 1095 1 1 4 Warning vssnet_port_pg_data_ ...
Oct 13 13:15:52.620028 1096 1 1 4 Warning vssnet_port_pg_data_ ...
Oct 13 13:15:52.630377 1097 1 1 4 Warning svs_switch_state ...
Oct 13 13:15:52.633201 1098 1 1 8 Info vssnet new switch ...
Oct 13 13:16:24.990236 1099 1 0 0 Suspending log
•vemlog show info—Displays information about entries in the log
This example shows the results of the command:
[root@esx-cos1 ~]# vemlog show info
Enabled: Yes
Total Entries: 1092
Wrapped Entries: 0
Lost Entries: 0
Skipped Entries: 0
Available Entries: 6898
Stop After Entry: Not Specified
•vemcmd help—Displays the type of information you can display
This example shows the results of the command:
[root@esx-cos1 ~]# vemcmd help
show card Show the card's global info
show vlan [vlan] Show the VLAN/BD table
show bd [bd] Show the VLAN/BD table
show l2 <bd-number> Show the L2 table for a given BD/VLAN
show l2 all Show the L2 table
show port [priv|vsm] Show the port table
show pc Show the port channel table
show portmac Show the port table MAC entries
show trunk [priv|vsm] Show the trunk ports in the port table
show stats Show port stats
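Before relying on vemlog output as a record of VEM events, it helps to confirm that the buffer is complete. The following Python is an added example, not Cisco code: it parses the vemlog show info and vemlog show last outputs shown above and reports nonzero Wrapped, Lost or Skipped counters, gaps in the Entry sequence, and a trailing Suspending log entry. Treating those as signs of an incomplete record is an assumption drawn from the field names, and the function names are hypothetical.

```python
import re

# Both captures are copied from the examples on this page.
SHOW_INFO = """Enabled: Yes
Total Entries: 1092
Wrapped Entries: 0
Lost Entries: 0
Skipped Entries: 0
Available Entries: 6898
Stop After Entry: Not Specified"""
SHOW_LAST = """Timestamp Entry CPU Mod Lv Message
Oct 13 13:15:52.615416 1095 1 1 4 Warning vssnet_port_pg_data_ ...
Oct 13 13:15:52.620028 1096 1 1 4 Warning vssnet_port_pg_data_ ...
Oct 13 13:15:52.630377 1097 1 1 4 Warning svs_switch_state ...
Oct 13 13:15:52.633201 1098 1 1 8 Info vssnet new switch ...
Oct 13 13:16:24.990236 1099 1 0 0 Suspending log"""
ROW = re.compile(r"^(\w{3}\s+\d+\s+[\d:.]+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")


def parse_info(text):
    """'Key: value' lines -> dict; purely numeric values become int."""
    pairs = (l.split(":", 1) for l in text.splitlines() if ":" in l)
    return {k.strip(): int(v) if v.strip().isdigit() else v.strip()
            for k, v in pairs}


def parse_last(text):
    """Log rows -> dicts; the header line does not match ROW and is skipped."""
    rows = []
    for m in filter(None, map(ROW.match, text.splitlines())):
        ts, entry, cpu, mod, lv, msg = m.groups()
        rows.append({"timestamp": ts, "entry": int(entry), "cpu": int(cpu),
                     "mod": int(mod), "lv": int(lv), "message": msg})
    return rows


def completeness_issues(info, rows):
    """Reasons the capture may not be a full record of VEM events."""
    issues = []
    if info.get("Enabled") != "Yes":
        issues.append("logging is not enabled")
    for key in ("Wrapped Entries", "Lost Entries", "Skipped Entries"):
        if info.get(key, 0):
            issues.append(f"{key} = {info[key]}")
    for prev, cur in zip(rows, rows[1:]):
        if cur["entry"] != prev["entry"] + 1:
            issues.append(f"entry gap {prev['entry']} -> {cur['entry']}")
    if rows and rows[-1]["message"].startswith("Suspending log"):
        issues.append(f"log suspended at {rows[-1]['timestamp']}")
    return issues
```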
VEM Log Commands
Use the following commands to control the vemlog:
•vemlog stop—Stops the log
•vemlog clear—Clears the log
•vemlog start number-of-entries—Starts the log and stops it after the specified number of entries
•vemlog stop number-of-entries—Stops the log after the next specified number of entries
•vemlog resume—Starts the log, but does not clear the stop value
Display the list of debug filters by entering the vemlog show debug | grep vpath command.
This example shows the results of the command:
~ # vemlog show debug | grep vpath
vpath ENWID P ( 95) ENW ( 7)
vpathapi ENWID P ( 95) ENW ( 7)
vpathfm ENWID P ( 95) ENW ( 7)
vpathfsm ENWID P ( 95) ENW ( 7)
vpathutils ENWID P ( 95) ENW ( 7)
vpathtun ENWID P ( 95) ENW ( 7)
~ #