This chapter describes the troubleshooting tools that are available for the Cisco Virtual Security Gateway (VSG).
You can use the CLI from a local console or remotely through a Telnet or Secure Shell (SSH) session. The CLI provides a command structure that is similar to that of the Cisco NX-OS software, with context-sensitive help, show commands, multi-user support, and role-based access control.
Each feature has show commands that provide information about the feature configuration, status, and performance. Additionally, you can use the following commands for more information:
vsg# show system error-id 0x401e0008
The ping utility generates a series of echo packets to a destination across a TCP/IP internetwork. When the echo packets arrive at the destination, they are rerouted and sent back to the source. Using ping, you can verify connectivity and latency to a particular destination across an IP routed network.
Ping allows you to ping a port or end device. By specifying the IPv4 address, you can send a series of frames to a target destination. When these frames reach the target, they are looped back to the source and a time stamp is taken. Ping helps you to verify the connectivity and latency to a destination.
Use traceroute to do the following tasks:
The traceroute command identifies the path taken on a hop-by-hop basis and includes a time stamp at each hop in both directions. This command tests the connectivity of ports along the path between the generating switch and the switch closest to the destination.
If the destination cannot be reached, the path discovery starts, which traces the path up to the point of failure.
This section includes the following topics:
The show processes command identifies the running processes and the status of each process as follows:
Process states are as follows:
This example shows how to identify the available options for the show processes command:
vsg# show processes ?
This example shows how to display the complete output from the Cisco VSG:
You can use the show processes cpu command to display CPU usage. The command output includes the following information:
This example shows how to display all CPU processes:
vsg# show processes cpu
You can use the show system resources command to display system-related CPU and memory statistics as follows:
This example shows how to display statistics about available system resources:
vsg# show system resources
The system message logging software saves messages in a log file or directs messages to other devices. This feature provides the following capabilities:
A syslog can store a chronological log of system messages locally or send the messages to a central syslog server. Syslog messages can also be sent to the console for immediate use. These messages can vary in detail depending on the configuration.
Syslog messages are categorized into seven severity levels from debug to critical events. Severity levels that are reported can be limited for specific services within the switch.
Log messages are not saved across system reboots. However, a maximum of 100 log messages with a severity level of critical or more severe (levels 0, 1, and 2) can be logged and saved to a local file or server.
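The severity numbering above (0 is most severe, 7 is debug) is what a log collector has to reason about when it decides which Cisco VSG messages matter. The following Python script is an added example, not part of the Cisco documentation: it parses syslog lines in the NX-OS `%FACILITY-SEVERITY-MNEMONIC:` layout (the timestamp and host layout in the regex is this example's assumption), applies a severity threshold the way a logging level does, and approximates which messages the page says survive in the local file (levels 0 to 2, at most 100). The log lines are constructed for this example; only the `VSHD_SYSLOG_CONFIG_I` mnemonic is a standard NX-OS one, and the choice to keep the most recent 100 is an assumption the page does not state.

```python
import re
from collections import Counter
from dataclasses import dataclass

# NX-OS style line: "<timestamp> <host> %FACILITY-SEVERITY-MNEMONIC: text".
# The timestamp/host layout is this example's assumption about the output.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)

# Severity numbers as the page uses them: 0 is most severe, 7 is debug.
SEVERITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notification", 6: "informational",
                  7: "debugging"}

PERSISTED_MAX_SEVERITY = 2   # page: only levels 0, 1 and 2 are saved locally
PERSISTED_MAX_COUNT = 100    # page: at most 100 such messages are kept


@dataclass
class SyslogMessage:
    timestamp: str
    host: str
    facility: str
    severity: int
    mnemonic: str
    text: str

    @property
    def severity_name(self):
        return SEVERITY_NAMES[self.severity]


# Constructed sample log for this example. Message texts are made up, and one
# line is deliberately not a syslog message to show that it is skipped.
SAMPLE_LOG = """\
2013 Sep 10 11:25:24 vsg %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by admin on 10.1.0.20@pts/0
2013 Sep 10 11:26:01 vsg %KERN-2-SYSTEM_MSG: constructed critical message
2013 Sep 10 11:26:05 vsg %DAEMON-3-SYSTEM_MSG: constructed error message
2013 Sep 10 11:26:09 vsg %AUTHPRIV-6-SYSTEM_MSG: constructed informational message
this line is not a syslog message and is skipped
2013 Sep 10 11:27:00 vsg %PLATFORM-0-SYSTEM_MSG: constructed emergency message
"""


def parse_line(line):
    """Return a SyslogMessage for one line, or None if it does not match."""
    m = SYSLOG_RE.match(line.strip())
    if m is None:
        return None
    return SyslogMessage(m["ts"], m["host"], m["facility"],
                         int(m["severity"]), m["mnemonic"], m["text"])


def parse_lines(lines):
    """Parse many lines, silently dropping the ones that are not messages."""
    return [msg for msg in map(parse_line, lines) if msg is not None]


def at_least_as_severe(messages, level):
    """Messages with numeric severity <= level: the same 'this level and more
    severe' selection that a logging severity threshold applies."""
    return [m for m in messages if m.severity <= level]


def persisted_subset(messages):
    """Approximate what the page says survives in the local file: severity
    0-2 only, capped at 100. Keeping the most recent ones is an assumption."""
    kept = at_least_as_severe(messages, PERSISTED_MAX_SEVERITY)
    return kept[-PERSISTED_MAX_COUNT:]


def count_by_facility(messages):
    """Per-facility message counts, useful for spotting a chatty subsystem."""
    return Counter(m.facility for m in messages)


if __name__ == "__main__":
    msgs = parse_lines(SAMPLE_LOG.splitlines())
    for m in persisted_subset(msgs):
        print(f"{m.timestamp} {m.severity_name:<12} "
              f"%{m.facility}-{m.severity}-{m.mnemonic}: {m.text}")
```

Feed the script the output of a terminal session with `terminal monitor` enabled, or a file pulled from the central syslog server, and raise the threshold passed to `at_least_as_severe` when you only want the messages that would also have survived a reboot.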
This section includes the following topics:
The Cisco VSG supports the following logging levels:
By default, the switch logs normal but significant system messages to a log file and sends these messages to the system console. Users can specify which system messages are saved, based on the type of facility and the severity level. Messages are time stamped to enhance real-time debugging and management.
System logging messages are sent to the console based on the default or configured logging facility and severity values.
Users can disable logging to the console or enable logging to a given Telnet or Secure Shell (SSH) session.
Note When logging to a console session is disabled or enabled, that state is applied to all future console sessions; if you exit and log in again to a new session, the state is preserved. When logging to a Telnet or SSH session is enabled or disabled, that state applies only to that session and is not preserved after you exit the session.
The no logging console command is enabled by default. Use this command to disable console logging.
The terminal monitor command is disabled by default. Use this command to enable logging for Telnet or SSH.
For more information about configuring syslog, see the Cisco Prime Network Services Controller GUI Configuration Guide.
This section includes the following topics:
The configuration is displayed using this format:
You can configure event logs for either the inspection process or one of its modules. For example, you can use the event-log inspect error terminal command to enable error events for the inspection process and to display these messages on the terminal where the command was entered.
You can display the event log configuration by using the show event-log all command. This example shows how to display the event logs for all the processes and their modules:
Event logs are always written to a process-specific message buffer. Logging to the event log buffer does not incur any overhead. In addition to using the show event-log command, you can display messages on a terminal where the event logs are enabled by using the terminal option, which is useful for reproducing a certain behavior.
The show command lists all the processes that are integrated with the Cisco VSG event log infrastructure. You can display inspection event logs using the show system internal event-log inspect command. The Cisco VSG event log infrastructure is a layer on top of the Cisco NX-OS event log infrastructure. Event logs can be redirected to a file and exported.
To display event logs on the terminal, use the terminal option while configuring the event. Different terminals can view different event logs. For example, use the event-log inspect ftp info terminal command to enable the information event logs for the inspection FTP module and to display the logs on the terminal. Use the event-log inspect rsh error terminal command to display only the error logs that are related to the RSH module. This command helps to debug various modules at the same time.
You can save the event log configuration by using the event-log save config command. This command allows you to save all of the currently enabled event logs in a file. This file is read at the time of the module/process initialization with the event log infrastructure. The event log configuration that is relevant to the process is reapplied during initialization, which makes the event log configuration persistent across the process/system reboot. Some important things about the event log configuration are as follows:
Event logs CLIs for the Cisco VSG are classified based on the process and its modules. This section describes event log commands.
Virtual Network Service (VNS) agent-related event logs are maintained on the Virtual Supervisor Module (VSM), not on the Cisco VSG.
Core events are those events that are related to the port attach, port detach, Internet Protocol Database (IPDB), and port-profile CLI.
This example shows how to enable/disable error messages for the vns_agent core module:
This example shows how to enable/disable informational messages for the vns_agent core module:
This example shows how to enable/disable notice event messages for the vns_agent core module:
Because the vPath module works based on core-module events, you should always enable core module event logs before you enable the vPath module events.
This example shows how to enable/disable error messages for the vns_agent vPath module:
This example shows how to enable/disable informational messages for the vns_agent vPath module:
This example shows how to enable/disable notice event messages for the vns_agent vPath module:
Because the license module works based on core-module events, you should always enable the core module event logs before enabling the license module.
This example shows how to enable/disable error messages for the vns_agent license module:
This example shows how to enable/disable informational messages for the vns_agent license module:
Event log commands are available for the inspection process itself and for its File Transfer Protocol (FTP), Remote Shell (RSH), and Trivial File Transfer Protocol (TFTP) modules. These processes are all available on the Cisco VSG.
Use the event-log inspect error command to display configuration errors, process initialization errors, and so forth. This example shows how to enable/disable error messages for the inspection process:
This example shows how to enable/disable informational messages for the inspection process:
Use the event-log inspect ftp error command to display FTP packet processing errors. This example shows how to enable/disable error messages for the inspection FTP module:
The command output is as follows:
This example shows how to enable/disable informational event log messages for the inspection FTP module:
The command output is as follows:
This example shows how to enable/disable warning messages for the inspection FTP module:
The command output is as follows:
This example shows how to enable/disable packet trace messages for the inspection FTP module:
The command output is as follows:
This example shows how to enable/disable error messages for the inspection RSH module:
This example shows how to enable/disable informational messages for the inspection RSH module:
The command output is as follows:
This example shows how to enable/disable packet trace messages for the inspection RSH module:
The command output is as follows:
This example shows how to enable/disable error messages for the inspection TFTP module:
This example shows how to enable/disable informational messages for the inspection TFTP module:
The command output is as follows:
This section includes the following topics:
The service path process exposes event log output for the VSN service path, flow manager, and AC infrastructure modules.
The event-log service-path sp error command can display a failure to initialize the FE, and so forth. This example shows how to enable/disable error messages for the service path module:
Use the event-log service-path sp info command to display FE initialization messages, control path messages, and so forth. This example shows how to enable/disable informational messages for the service path module:
The event-log service-path sp pkt-error command can display failures to read or write a packet, a corrupted packet, and so forth.
This example shows how to enable/disable packet error messages for the service path module:
The event-log service-path sp pkt-info command can display the field description of a packet, where the packet arrived from or is going to, the decisions taken on the packet, and so forth.
This example shows how to enable/disable packet informational messages for the service path module:
The event-log service-path sp pkt-detail command can display the first few hundred bytes of the incoming packets.
This example shows how to enable/disable detailed packet messages for the service path module:
This example shows how to enable/disable the packet messages for the service path flow manager module:
The event-log service-path ac error command can display failures to initialize the AC, timer, FD, pending queue, and so forth.
This example shows how to enable/disable error messages for the AC module:
The event-log service-path ac info command can display AC initialization messages, control path messages, and so forth.
This example shows how to enable/disable informational messages for the AC module:
The event log configuration has the following restrictions:
This section includes the following topics:
You can display the NSC policy agent status by entering the show nsc-pa status command.
This example shows how to display the NSC policy agent installation status:
You can display a consolidated view of all VSNs in use by using the show vservice node mac brief command.
This example shows how to display all VSNs in use:
The MAC address is shown as 0 for L3 mode since the VSG is configured behind a router that can perform proxy ARP.
You can display detailed information for all VSNs in use by using the show vservice node detail command. Information is displayed for each of the associated VEMs. The command output displays the port profile, security profile, organization, and list of Cisco Nexus 1000V Series Switch ports that have inherited this configuration. Also displayed are any configuration mismatches between the VSM and VEM, such as missing ports for a given port profile, ports of a port profile that are not all configured with the same security profile, and so forth.
This example shows how to display all VSNs in use:
VSM-hpv# show vservice node detail
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Type:vsg IPAddr:10.1.0.150 Fail:close L3
You can display information for each virtual Ethernet (vEth) interface by using the show vservice port brief command. By default, all attached vEths are listed. Use the Module option to limit the output to the vEth interfaces of a specific module.
This example shows how to display the vEth interfaces from a specific module:
Ensure that the VM Name value matches the name of the VM associated with this vNIC. For the VSN Data IP shown in brackets in the Node value, and for the Profile Name and Org values, ensure that the values displayed are the correct ones for this VM. The Profile ID value should never be zero. For IP addresses, ensure that the list of IP addresses matches the IP addresses configured for the specific vNIC of that VM.
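The checks listed above for show vservice port brief, and the Fail:close setting visible in the show vservice node detail output earlier in this section, are the kind of thing worth scripting when many VEMs are involved. The following Python script is an added example and not Cisco's code: it parses node lines in the Key:value layout the page shows ("Type:vsg IPAddr:10.1.0.150 Fail:close L3"), flags any VSG node whose Fail value is not close, and then validates port records against an inventory of what each vNIC should carry. The second node line, the Fail:open value, the port records (kept as dictionaries because the real column headers are not on the page), and the inventory are all constructed for this example.

```python
import ipaddress

# Constructed sample. The first line is the layout the page shows; the second
# line and the Fail:open value are constructed to exercise the failing case.
SAMPLE_NODE_DETAIL = """\
--------------------------------------------------------------------------------
Type:vsg IPAddr:10.1.0.150 Fail:close L3
--------------------------------------------------------------------------------
Type:vsg IPAddr:10.1.0.151 Fail:open L3
"""

# Constructed port records in the shape a parsed `show vservice port brief`
# row would give; field names follow the page's prose, not real column
# headers. Veth3 is consistent, Veth5 shows the problems the page warns about.
SAMPLE_PORTS = [
    {"veth": "Veth3", "vm_name": "web-01", "profile_id": 12,
     "node": "10.1.0.150", "profile_name": "sp_web", "org": "root/Tenant-A",
     "ips": ["10.2.0.11"]},
    {"veth": "Veth5", "vm_name": "db-01", "profile_id": 0,
     "node": "10.1.0.150", "profile_name": "sp_db", "org": "root/Tenant-A",
     "ips": ["10.2.0.21", "10.2.0.99"]},
]

# Constructed source of truth: what the virtualization inventory says each
# vNIC (keyed by vEth) should carry.
SAMPLE_INVENTORY = {
    "Veth3": {"vm_name": "web-01", "ips": ["10.2.0.11"]},
    "Veth5": {"vm_name": "db-02", "ips": ["10.2.0.21"]},
}


def parse_kv_line(line):
    """Split 'Type:vsg IPAddr:10.1.0.150 Fail:close L3' into a dict. A bare
    token without ':' (the L3 mode flag) is stored under 'Mode'."""
    rec = {}
    for tok in line.split():
        if ":" in tok:
            key, val = tok.split(":", 1)
            rec[key] = val
        else:
            rec["Mode"] = tok
    return rec


def parse_node_detail(text):
    """Collect the node lines (those starting with 'Type:') from the output."""
    return [parse_kv_line(l) for l in text.splitlines() if l.startswith("Type:")]


def audit_nodes(nodes):
    """Flag nodes whose address does not parse or that are not fail-closed."""
    findings = []
    for n in nodes:
        addr = n.get("IPAddr", "")
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"{addr!r}: IPAddr is not a valid IP address")
        if n.get("Type") == "vsg" and n.get("Fail") != "close":
            findings.append(f"{addr}: Fail:{n.get('Fail')} "
                            "(traffic is not fail-closed if this VSG is unreachable)")
    return findings


def audit_ports(ports, inventory):
    """Apply the page's three checks: Profile ID nonzero, VM Name matches the
    inventory, and the IP list matches the addresses configured for the vNIC."""
    findings = []
    for p in ports:
        veth = p["veth"]
        if p["profile_id"] == 0:
            findings.append(f"{veth}: Profile ID is 0")
        expected = inventory.get(veth)
        if expected is None:
            findings.append(f"{veth}: no inventory record for this vNIC")
            continue
        if p["vm_name"] != expected["vm_name"]:
            findings.append(f"{veth}: VM Name {p['vm_name']} != inventory {expected['vm_name']}")
        if sorted(p["ips"]) != sorted(expected["ips"]):
            findings.append(f"{veth}: IP list {p['ips']} != inventory {expected['ips']}")
    return findings


def audit(node_text=SAMPLE_NODE_DETAIL, ports=SAMPLE_PORTS, inventory=SAMPLE_INVENTORY):
    """Run both audits and return every finding as one list of strings."""
    return audit_nodes(parse_node_detail(node_text)) + audit_ports(ports, inventory)


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

In practice you would replace the constructed inventory with an export from the virtualization platform and feed the script captured command output; an empty findings list is the pass condition, and a Fail:open finding deserves attention first because it changes what happens to traffic while the VSG is down.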
You can display VSN connections by using the show vservice connection command.
This example shows how to display VSN connections:
You can display VSN statistics by using the show vservice statistics command.
This example shows how to display the VSN statistics:
You can clear the VSN statistics by using the clear vservice statistics command.
This example shows how to clear VSN statistics:
The attribute manager maintains a set of tables and does a lookup that is based on the fields in the packet. The VNSP table is the main table. Use the show vsg security-profile command to display runtime information for the VNSP table.
Hash tables are maintained based on IP addresses (IP address to DV port entry) and the VNSP ID (VNSP ID to VNSP entry). An IP address is used to determine which policy set to evaluate for a given traffic type. The VNSP ID carried in the packet header is used to determine which policy set to evaluate.
This section details the following commands:
Enter the show nsc-pa status command to display the Cisco Prime NSC policy agent status.
This example shows how to display the Cisco Prime NSC policy agent status:
You can display the following statistics that pertain to one vPath by using the show service-path statistics command:
Note If no module is given, the command displays the aggregate statistics of all the modules in the given SVS domain.
This command provides the following keyword filters:
This example shows how to display the statistics using the svs-domain-id keyword filter:
You can clear the service path statistics globally by using the clear service-path statistics command when no option is given. When the SVS domain ID and the module are provided, entering the command clears the statistics of the specified module.
This command provides the following keyword filters:
This example shows how to clear the service path statistics:
You can display the connections (flow-table) maintained in the Cisco VSG by using the show service-path connection command. These connections are provided per VEM module per SVS domain.
This command provides the following keyword filters:
This example shows how to display the connections in the Cisco VSG:
You can clear the connections (flow-table) maintained in the Cisco VSG by using the clear service-path connection command.
This example shows how to clear the flow-table connection output:
You can display relevant information for a particular VM by using the show vsg vmuuid command. The attribute manager looks up the VM attributes for the VM based on this association before doing a policy evaluation.
When debugging issues, such as when the wrong VM attributes are fetched, check the output of this command as well as the IP address to DV port mapping.
This example shows how to display the relevant information for a VM:
You can display information for a specific VNSP or all VNSPs by using the show vsg security-profile command. The attribute manager looks up custom attributes for a particular VNSP based on this association before doing a policy evaluation. By default, information is displayed for all VNSPs. You can specify a particular VNSP by using the vnsp-name argument.
When debugging issues such as the wrong policy set, check if the correct policy set is associated with the VNSP. If custom attribute values are not correct, this command displays some details.
The detailed version of this command includes names of the VMs that are using the security profile in addition to their security-profile information. A VNSP name can be specified to get details of a specific security profile.
This example shows how to display detailed information about a specific Cisco VSG security profile with the name sp_deny@root:
You can display the associated VNSP ID and policy for all VNSPs by using the show vsg security-profile command. The attribute manager uses this association when looking up a VNSP and associated policy from the packet that reaches the data0 interface of the Cisco VSG. When vPath redirects the packets to the Cisco VSG, the VNSP ID is added in the packet header.
This example shows how to display brief tabular information for the Cisco VSG security profile:
You can display VM to zone mappings on a Cisco VSG by using the show vsg zone command.
This example shows how to display the VM to zone mappings on a Cisco VSG:
You can display statistics on the policy engine by using the show policy-engine stats command.
This example shows how to display the statistics for the Cisco VSG policy engine:
This example shows how to use the help (?) feature of the command to display command options:
You can clear the policy-engine statistics by using the clear policy-engine command.
This example shows how to see the options for clearing the policy-engine statistics:
When the stats argument is used, the statistics are cleared and the only response for a successful action is a return to the prompt. This example shows how to clear the policy engine statistics:
You can display statistics that are collected in the AC driver module by using the show ac-driver statistics command. These statistics indicate how many packets are received, how many of those received packets are from vPath, how many packets are passed up to the service path, how many packets are passed back as a response to vPath, error counts, and so on.
This example shows how to display the AC driver module statistics:
You can clear the statistics that are collected in the AC driver module by using the clear ac-driver statistics command.
This example shows how to clear the statistics collected in the AC driver module:
You can display internal statistics of the following processes by using the show system internal ac ipc-stats fe command:
This example shows how to display the statistics for the inspection-ftp process:
You can clear the internal statistics for the following processes by using the clear system internal ac ipc-stats fe command:
This example shows how to clear the statistics for the inspection-ftp process:
You can display the following inspect FTP statistics pertaining to one vPath by using the show inspect ftp statistics command:
This example shows how to display FTP statistics:
Use the clear inspect ftp statistics command to clear the inspect FTP statistics globally when no option is given. When the SVS domain ID and the module are provided, the command clears the statistics of the specified module.
This command provides the following keyword filters:
This example shows how to clear the inspect FTP statistics: