|
|
Table Of Contents
debug sss aaa authorization event
debug sss aaa authorization fsm
debug source event
To display information on source-route bridging (SRB) activity, use the debug source event command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug source event
no debug source event
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Usage Guidelines
Some of the output from the debug source bridge and debug source error commands is identical to the output of this command.
Note
In order to use the debug source event command to display traffic source-routed through an interface, you first must disable fast switching of SRB frames with the no source bridge route-cache interface configuration command.
Examples
The following is sample output from the debug source event command:
Router# debug source eventRSRB0: forward (srn 5 bn 1 trn 10), src: 8110.2222.33c1 dst: 1000.5a59.04f9[0800.3201.00A1.0050]RSRB0: forward (srn 5 bn 1 trn 10), src: 8110.2222.33c1 dst: 1000.5a59.04f9[0800.3201.00A1.0050]RSRB0: forward (srn 5 bn 1 trn 10), src: 8110.2222.33c1 dst: 1000.5a59.04f9[0800.3201.00A1.0050]RSRB0: forward (srn 5 bn 1 trn 10), src: 8110.2222.33c1 dst: 1000.5a59.04f9[0800.3201.00A1.0050]RSRB0: forward (srn 5 bn 1 trn 10), src: 8110.2222.33c1 dst: 1000.5a59.04f9[0800.3201.00A1.0050]Table 302 describes the significant fields shown in the display.
In the following example messages, SRBnumber or RSRBnumber denotes a message associated with interface Token Ring number. A number of 99 denotes the remote side of the network.
SRBnumber: no path, s: source-MAC-addr d: dst-MAC-addr rif: rifIn the preceding example, a bridgeable packet came in on interface Token Ring number but there was nowhere to send it. This is most likely a configuration error. For example, an interface has source bridging turned on, but it is not connected to another source bridging interface or a ring group.
In the following example, a bridgeable packet has been forwarded from Token Ring number to the target ring. The two interfaces are directly linked.
SRBnumber: direct forward (srn ring bn bridge trn ring)In the following examples, a proxy explorer reply was not generated because the address could not be reached from this interface. The packet came from the node with the first address.
SRBnumber: br dropped proxy XID, address for address, wrong vring (rem)SRBnumber: br dropped proxy TEST, address for address, wrong vring (rem)SRBnumber: br dropped proxy XID, address for address, wrong vring (local)SRBnumber: br dropped proxy TEST, address for address, wrong vring (local)SRBnumber: br dropped proxy XID, address for address, no pathSRBnumber: br dropped proxy TEST, address for address, no pathIn the following example, an appropriate proxy explorer reply was generated on behalf of the second address. It is sent to the first address.
SRBnumber: br sent proxy XID, address for address[rif]SRBnumber: br sent proxy TEST, address for address[rif]The following example indicates that the broadcast bits were not set, or that the routing information indicator on the packet was not set:
SRBnumber: illegal explorer, s: source-MAC-addr d: dst-MAC-addr rif: rifThe following example indicates that the direction bit in the RIF field was set, or that an odd packet length was encountered. Such packets are dropped.
SRBnumber: bad explorer control, D set or oddThe following example indicates that a spanning explorer was dropped because the spanning option was not configured on the interface:
SRBnumber: span dropped, input off, s: source-MAC-addr d: dst-MAC-addr rif: rifThe following example indicates that a spanning explorer was dropped because it had traversed the ring previously:
SRBnumber: span violation, s: source-MAC-addr d: dst-MAC-addr rif: rifThe following example indicates that an explorer was dropped because the maximum hop count limit was reached on that interface:
SRBnumber: max hops reached - hop-cnt, s: source-MAC-addr d: dst-MAC-addr rif: rifThe following example indicates that the ring exchange request was sent to the indicated peer. This request tells the remote side which rings this node has and asks for a reply indicating which rings that side has.
RSRB: sent RingXreq to ring-group/ip-addrThe following example indicates that a message was sent to the remote peer. The label variable can be AHDR (active header), PHDR (passive header), HDR (normal header), or DATA (data exchange), and op can be Forward, Explorer, Ring Xchg, Req, Ring Xchg, Rep, Unknown Ring Group, Unknown Peer, or Unknown Target Ring.
RSRB: label: sent op to ring-group/ip-addrThe following example indicates that the remote bridge and ring pair were removed from or added to the local ring group table because the remote peer changed:
RSRB: removing bn bridge rn ring from ring-group/ip-addrRSRB: added bridge bridge, ring ring for ring-group/ip-addrThe following example shows miscellaneous remote peer connection establishment messages:
RSRB: peer ring-group/ip-addr closed [last state n]RSRB: passive open ip-addr(remote port) -> local portRSRB: CONN: opening peer ring-group/ip-addr, attempt nRSRB: CONN: Remote closed ring-group/ip-addr on openRSRB: CONN: peer ring-group/ip-addr open failed, reason[code]The following example shows that an explorer packet was propagated onto the local ring from the remote ring group:
RSRBn: sent local explorer, bridge bridge trn ring, [rif]The following messages indicate that the RSRB code found that the packet was in error:
RSRBn: ring group ring-group not foundRSRBn: explorer rif [rif] not long enoughThe following example indicates that a buffer could not be obtained for a ring exchange packet (this is an internal error):
RSRB: couldn't get pak for ringXchgThe following example indicates that a ring exchange packet was received that had an incorrect length (this is an internal error):
RSRB: XCHG: req/reply badly formed, length pak-length, peer peer-idThe following example indicates that a ring entry was removed for the peer; the ring was possibly disconnected from the network, causing the remote router to send an update to all its peers.
RSRB: removing bridge bridge ring ring from peer-id ring-typeThe following example indicates that a ring entry was added for the specified peer; the ring was possibly added to the network, causing the other router to send an update to all its peers.
RSRB: added bridge bridge, ring ring for peer-idThe following example indicates that no memory was available to add a ring number to the ring group specified (this is an internal error):
RSRB: no memory for ring element ring-groupThe following example indicates that memory was corrupted for a connection block (this is an internal error):
RSRB: CONN: corrupt connection blockThe following example indicates that a connector process started, but that there was no packet to process (this is an internal error):
RSRB: CONN: warning, no initial packet, peer: ip-addr peer-pointerThe following example indicates that a packet was received with a version number different from the one pre-sent on the router:
RSRB: IF New version. local=local-version, remote=remote-version,pak-op-code peer-idThe following example indicates that a packet with a bad op code was received for a direct encapsulation peer (this is an internal error):
RSRB: IFin: bad op op-code (op code string) from peer-idThe following example indicates that the virtual ring header will not fit on the packet to be sent to the peer (this is an internal error):
RSRB: vrif_sender, hdr won't fitThe following example indicates that the specified peer is being opened. The retry count specifies the number of times the opening operation is attempted.
RSRB: CONN: opening peer peer-id retry-countThe following example indicates that the router, configured for FST encapsulation, received a version reply to the version request packet it had sent previously:
RSRB: FST Rcvd version reply from peer-id (version version-number)The following example indicates that the router, configured for FST encapsulation, sent a version request packet to the specified peer:
RSRB: FST Version Request. op = opcode, peer-idThe following example indicates that the router received a packet with a bad op code from the specified peer (this is an internal error):
RSRB: FSTin: bad op opcode (op code string) from peer-idThe following example indicates that the TCP connection between the router and the specified peer is being aborted:
RSRB: aborting ring-group/peer-id (vrtcpd_abort called)The following example indicates that an attempt to establish a TCP connection to a remote peer timed out:
RSRB: CONN: attempt timed outThe following example indicates that a packet was dropped because the ring group number in the packet did not correlate with the ring groups configured on the router:
RSRBnumber: ring group ring-group not founddebug span
To display information on changes in the spanning-tree topology when debugging a transparent bridge, use the debug span command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug span
no debug span
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Usage Guidelines
This command is useful for tracking and verifying that the spanning-tree protocol is operating correctly.
Examples
The following is sample output from the debug span command for an IEEE bridge protocol data unit (BPDU) packet:
Router# debug spanST: Ether4 0000000000000A080002A02D6700000000000A080002A02D6780010000140002000F00The following is sample output from the debug span command:
ST: Ether4 0000000000000A080002A02D6700000000000A080002A02D6780010000140002000F00A B C D E F G H I J K L M N OTable 303 describes the significant fields shown in the display.
The following is sample output from the debug span command for a DEC BPDU packet:
Router# debug spanST: Ethernet4 E1190100000200000C01A2C90064008000000C0106CE0A01050F1E6AThe following is sample output from the debug span command:
E1 19 01 00 0002 00000C01A2C9 0064 0080 00000C0106CE 0A 01 05 0F 1E 6AA B C D E F G H I J K L M N OTable 304 describes the significant fields shown in the display.
debug spanning-tree
To debug spanning-tree activities, use the debug spanning-tree command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug spanning-tree {all | backbonefast | bpdu | bpdu-opt | config | etherchannel | events | exceptions | general | pvst+ | root | snmp | uplinkfast}
no debug spanning-tree {all | backbonefast | bpdu | bpdu-opt | config | etherchannel | events | exceptions | general | pvst+ | root | snmp | uplinkfast}
Syntax Description
Defaults
Debugging is disabled.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The undebug spanning-tree command is the same as the no debug spanning-tree command.
Related Commands
show debugging
Displays information about the types of debugging that are enabled.
show spanning-tree
Displays spanning-tree state information.
debug ss7 mtp1
Note
To initiate Signaling System 7 (SS7) Message Transfer Part Level 1 (MTP1) debugging, enter the debug ss7 mtp1 command in global configuration mode during a low-traffic period. To disable debugging output, use the no form of this command.
debug ss7 mtp1 [mtp2 | ipc | link-state | oir | rx | scc-regs | siram | tdm-info | tx]
no debug ss7 mtp1
Syntax Description
Defaults
Debug is disabled.
Command Modes
Global configuration
Command History
12.2(11)T
This command was introduced on the Cisco AS5350 and Cisco AS5400 Signaling Link Terminal (SLT).
Usage Guidelines
The following debug commands are not used in this release:
•
•
•
•
Examples
To turn on message tracing between the host processor and the trunk firmware for each trunk card inserted, use the debug ss7 mtp1 ipc command.
For example, there is a digital link in slot 7, trunk 0, channel-group 0 (therefore, timeslot 1). When you enter show ss7 mtp1 links, the following output is displayed:
Router# show ss7 mtp1 linksSS7 MTP1 Links [num = 1, platform max = 4]:sessioninterface type SCC state channel--------- ----- --- ------- -------7/0:0 digital 7/3 STOPPED 0Notice that the link is stopped in this example. Enter the following commands:
Router# debug ss7 mtp1 ipcRouter# configure terminalRouter(config)# interface serial 7/0:0Router(config-if)# no shutdownRouter(config-if)# endYou would see trace output similar to the following:
00:01:27:from Trunk(7):TRUNK_SERIAL_STOP(3), link_type=200:01:27:from Trunk(7):TRUNK_SERIAL_START(3), link_type=2In this case, the output means that for the SS7 link that is using SCC3 on the trunk card in slot 7 (link 7/0:0), the host processor has told the board firmware to STOP then START.
To show low-level (MTP1) state changes for the internal state-machine implemented for each SS7 link, use the debug ss7 mtp1 link-state command. The following output shows the different MTP1 states link Serial 7/0:0 goes through during shutdown, no shutdown, and debug.
For example, if you stopped the SS7 link 7/0:0 (shutdown), then restarted it (no shutdown), you could see MTP1 state changes by enabling debugging, as follows:
Router# debug ss7 mtp1 link-stateRouter# configure terminalRouter(config)# interface serial 7/0:0Router(config-if)# shutdown01:02:20:%TRUNK_SERIAL-3-STATE_GENERIC:At ../src-7k-as5400/as5400_ss7_link.c:511 [Serial7/0:0]:STOP:STARTED -> STOP_PENDINGss7_link_ll_stop 7/0:0:Tx shadow ring has0 unsent buffers01:02:20:%TRUNK_SERIAL-3-STATE_GENERIC:At ../src-7k-as5400/as5400_ss7_link.c:1010 [Serial7/0:0]: FW_STOPPED:STOP_PENDING -> STOPPEDNow restart the link:
Router(config-if)# no shutdown01:02:26:ss7_link_start:slot=7/SCCport=3 current state is STOPPED01:02:26:%TRUNK_SERIAL-3-STATE_GENERIC:At ../src-7k-as5400/as5400_ss7_link.c:1417 [Serial7/0:0]: START:STOPPED -> START_PENDING01:02:26:%TRUNK_SERIAL-3-STATE_GENERIC:At ../src-7k-as5400/as5400_ss7_link.c:1164 [Serial7/0:0]: STOP_START:START_PENDING -> STOP_START_PENDINGss7_link_ll_stop 7/0:0:Tx shadow ring has 0 unsent buffers01:02:26:%TRUNK_SERIAL-3-STATE_GENERIC:At ../src-7k-as5400/as5400_ss7_link.c:1010 [Serial7/0:0]: FW_STOPPED:STOP_START_PENDING -> START_PENDING01:02:26:%TRUNK_SERIAL-3-STATE_GENERIC:At ../src-7k-as5400/as5400_ss7_link.c:1234 [Serial7/0:0]: FW_STARTED:START_PENDING -> STARTEDTo show detailed information about how TDM timeslots on the DFC trunk card on the host backplane are allocated and deallocated based on link configuration activity, use the debug ss7 mtp1 tdm-info command.
For example, if you wanted to create a digital SS7 link on timeslot 1 of trunk 0 for an 8PRI board in slot 7, and you would like to see traces of the TDM resources allocated, you would enable TDM debugging using the debug ss7 mtp1 tdm-info command then create the new SS7 link as described above, as in the following example:
Router# debug ss7 mtp1 tdm-infoRouter# configure terminalRouter(config)# controller t1 7/0Router(config-controller)# channel-group 0 timeslots 1Router(config-controller)# exitRouter(config)# interface serial 7/0:0Router(config-if)# encapsulation ss7Due to the debug flag, the following information is displayed:
05:26:55: ss7_link_flink_tdm_setup:card type for slot 7 is T1 8PRI05:26:55: ds0-side BEFORE call to tdm_allocate_bp_ts()slot = 7unit = 0 (trunk)channel = 4stream = 0group = 005:26:55: scc-side BEFORE call to tdm_allocate_bp_ts()slot = 7unit = 29channel = 3 (SCC-port)stream = 3group = 005:26:55:05:26:55:TDM(PRI:0x28002000):Close PRI framer st0 ch405:26:55:<<< tdm_allocate_bp_ts(ss7_ch) SUCCEEDED >>>05:26:55:scc-side AFTER call to tdm_allocate_bp_ts()bp_channel = 4bp_stream = 0bp_ts->bp_stream = 0bp_ts->bp_channel = 4bp_ts->vdev_slot = 7bp_ts->vdev_channel = 3bp_ts->vdev_slot = 7 should be same as the CLI slot, and bp_ts->vdev_channel = 3should be *->channel.
When you later remove the SS7 link, other information is displayed showing how resources are cleaned up.
Related Commands
debug ss7 mtp2
To trace backhaul Signaling System 7 (SS7) Message Transfer Part Level 2 (MTP2 ) message signaling units (MSUs), enter the debug ss7 mtp2 command in global configuration mode during a low-traffic period. To disable debugging output, use the no form of this command.
debug ss7 mtp2 [aerm | backhaul | cong | iac | lsc | lssu | msu | packet [all] | rcv | suerm | timer | txc][channel]
no debug ss7 mtp2
Syntax Description
Defaults
Debug is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
If you do not specify a channel number with each keyword, the command displays information for channel 0.
Examples
The following is sample output from the debug ss7 mtp2 aerm command. See the MTP2 specification tables for details:
Router# debug ss7 mtp2 aerm 0*Mar 8 08:59:30.991:itu2AERM_Start chnl=0 MTP2AERM_IDLE*Mar 8 08:59:35.070:itu2AERM_Stop chnl=0 MTP2AERM_MONITORINGThe following is an example of debug ss7 mtp2 backhaul command output for channel 0:
Router# debug ss7 mtp2 backhaul 0*Mar 1 03:08:04.433: MTP2: send Disc Ind ch=0 reason=0x14-T2 expired waiting for SIO*Mar 1 03:08:04.433: MTP2: send LSC Ind ch=0 event=0x8-lost link alignment cause=0x0*Mar 1 03:08:08.721: MTP2: rcvd Conn Req - Normal ch=0*Mar 1 03:08:10.311: MTP2: rcvd Statistics Req-Send&Reset ch=0*Mar 1 03:08:10.311: MTP2: send Stats Cfm ch=0*Mar 1 03:08:20.440: MTP2: send Disc Ind ch=0 reason=0x14-T2 expired waiting for SIO*Mar 1 03:08:20.444: MTP2: send LSC Ind ch=0 event=0x8-lost link alignment cause=0x0*Mar 1 03:08:24.719: MTP2: rcvd Conn Req - Normal ch=0*Mar 1 03:08:36.438: MTP2: send Disc Ind ch=0 reason=0x14-T2 expired waiting for SIO*Mar 1 03:08:36.438: MTP2: send LSC Ind ch=0 event=0x8-lost link alignment cause=0x0*Mar 1 03:08:40.312: MTP2: rcvd Statistics Req-Send&Reset ch=0*Mar 1 03:08:40.312: MTP2: send Stats Cfm ch=0*Mar 1 03:08:40.721: MTP2: rcvd Conn Req - Normal ch=0*Mar 1 03:08:52.444: MTP2: send Disc Ind ch=0 reason=0x14-T2 expired waiting for SIO*Mar 1 03:08:52.444: MTP2: send LSC Ind ch=0 event=0x8-lost link alignment cause=0x0*Mar 1 03:08:56.719: MTP2: rcvd Conn Req - Normal ch=0*Mar 1 03:09:08.438: MTP2: send Disc Ind ch=0 reason=0x14-T2 expired waiting for SIO*Mar 1 03:09:08.438: MTP2: send LSC Ind ch=0 event=0x8-lost link alignment cause=0x0The following is an example of debug ss7 mtp2 cong command output. See the MTP2 specification tables for details:
Router# debug ss7 mtp2 cong 0*Mar 8 09:10:56.219:itu2CongestionOnset chnl=0 MTP2CONGESTION_IDLE*Mar 8 09:10:59.332:itu2CongestionAbatement chnl=0MTP2CONGESTION_ACTIVE*Mar 8 09:11:01.143:itu2CongestionAbatement chnl=0 MTP2CONGESTION_IDLEThe following is an example of debug ss7 mtp2 iac command output. See the MTP2 specification tables for details:
Router# debug ss7 mtp2 iac 0*Mar 8 09:17:58.367:itu2IAC_Start chnl=0 MTP2IAC_IDLE*Mar 8 09:17:58.739:itu2IAC_Rcvd_SIO chnl=0 MTP2IAC_NOT_ALIGNED*Mar 8 09:17:58.739:itu2IAC_Rcvd_SIN chnl=0 MTP2IAC_ALIGNED*Mar 8 09:17:58.739:itu2IAC_Rcvd_SIN chnl=0 MTP2IAC_PROVING*Mar 8 09:18:02.814:itu2IAC_T4_TMO chnl=0 MTP2IAC_PROVINGThe following is an example of debug ss7 mtp2 lsc command output. See the MTP2 specification tables for details:
Router# debug ss7 mtp2 lsc 0*Mar 8 09:20:21.105:itu2LSC_Rcvd_SIOS chnl=0 MTP2LSC_INSERVICE*Mar 8 09:20:21.121:itu2LSC_Retrieve_BSNT chnl=0 MTP2LSC_OOS*Mar 8 09:20:22.058:itu2LSC_SetEmergency chnl=0 MTP2LSC_OOS*Mar 8 09:20:22.058:itu2LSC_Start chnl=0 MTP2LSC_OOS*Mar 8 09:20:33.785:itu2LSC_AlignmentNotPossible chnl=0MTP2LSC_INITIAL_ALIGNMENT*Mar 8 09:20:38.758:itu2LSC_SetEmergency chnl=0 MTP2LSC_OOS*Mar 8 09:20:38.758:itu2LSC_Start chnl=0 MTP2LSC_OOS*Mar 8 09:20:44.315:itu2LSC_Rcvd_SIO chnl=0 MTP2LSC_INITIAL_ALIGNMENT*Mar 8 09:20:44.315:itu2LSC_Rcvd_SIO chnl=0 MTP2LSC_INITIAL_ALIGNMENT*Mar 8 09:20:44.319:itu2LSC_Rcvd_SIE chnl=0 MTP2LSC_INITIAL_ALIGNMENT*Mar 8 09:20:44.319:itu2LSC_Rcvd_SIE chnl=0 MTP2LSC_INITIAL_ALIGNMENT*Mar 8 09:20:48.397:itu2LSC_AlignmentComplete chnl=0MTP2LSC_INITIAL_ALIGNMENTThe following is an example of debug ss7 mtp2 msu command output for channel 2. The output for this command can slow traffic under busy conditions, so enter it when there is low traffic. See the MTP2 specification tables for details about the command output:
Router# debug ss7 mtp2 msu 2*Mar 1 01:01:12.447: MTP2: send MSU Ind ch=2 len=25*Mar 1 01:01:12.455: MTP2: rcvd MSU Req ch=2 len=252
Caution
The following is an example of debug ss7 mtp2 packet command output for channel 0:
Router# debug ss7 mtp2 packet 0*Mar 1 00:53:00.052: MTP2 incoming trace enabled on channel 0.*Mar 1 00:53:00.052: MTP2 outgoing trace enabled on channel 0.*Mar 1 00:53:07.220: ---- Incoming Rudp msg (20 bytes) ----SM_msg_type 0x00008000protocol_type 0x0001msg_ID 0x0001msg_type 0x0044channel_ID 0x0000bearer_ID 0x0000length 0x0004data 0x00000001*Mar 1 00:53:07.224: ---- Outgoing Rudp msg (132 bytes) ----SM_msg_type 0x00008000protocol_type 0x0001msg_ID 0x0001msg_type 0x0045channel_ID 0x0000bearer_ID 0x0000length 0x0074data 0x0000001E 0x00000000 0x00000000 0x000000000x00000000 0x00000000 0x00000000 0x000000000x00000000 0x00000000 0x00000000 0x000000000x00000002 0x00000000 0x00008317 0x000000000x00000002 0x00000000 0x00000008 0x009B5C970x00000000 0x0032A2A7 0x0000061C 0x000000BF0x00000000 0x00000000 0x00000006 0x000000000x000000ED*Mar 1 00:53:11.343: ---- Outgoing Rudp msg (41 bytes) ----SM_msg_type 0x00008000protocol_type 0x0001msg_ID 0x0000msg_type 0x0011channel_ID 0x0000bearer_ID 0x0000length 0x0019data 0x8201190A 0x03190A00 0x11F01122 0x334455660x778899AA 0xBBCCDDEE*Mar 1 00:53:11.351: ---- Incoming Rudp msg (41 bytes) ----SM_msg_type 0x00008000protocol_type 0x0001msg_ID 0x0001msg_type 0x0010channel_ID 0x0000bearer_ID 0x0000length 0x0019data 0xB203190A 0x01190A00 0x21F01122 0x334455660x778899AA 0xBBCCDDEE*Mar 1 00:53:13.739: ---- Incoming Rudp msg (27 bytes) ----SM_msg_type 0x00008000protocol_type 0x0001msg_ID 0x0001msg_type 0x0010channel_ID 0x0000bearer_ID 0x0000length 0x000Bdata 0x9503190A 0x01190A00The following is an example of debug ss7 mtp2 rcv command output. See the MTP2 specification tables for details:
Router# debug ss7 mtp2 rcv 0*Mar 8 09:22:35.160:itu2RC_Stop chnl=0 MTP2RC_INSERVICE*Mar 8 09:22:35.164:itu2RC_Start chnl=0 MTP2RC_IDLE*Mar 8 09:22:52.565:BSNR not in windowbsnr=2 bibr=0x80 fsnr=66 fibr=0x80 fsnf=0 fsnl=127 fsnx=0fsnt=127*Mar 8 09:22:52.569:BSNR not in windowbsnr=2 bibr=0x80 fsnr=66 fibr=0x80 fsnf=0 fsnl=127 fsnx=0fsnt=127*Mar 8 09:22:52.569:AbnormalBSN_flag == TRUE*Mar 8 09:22:52.569:itu2RC_Stop chnl=0 MTP2RC_INSERVICE*Mar 8 09:22:57.561:itu2RC_Start chnl=0 MTP2RC_IDLEThe following is an example of debug ss7 mtp2 suerm command output. See the MTP2 specification tables for details:
Router# debug ss7 mtp2 suerm 0*Mar 8 09:33:51.108:itu2SUERM_Stop chnl=0 MTP2SUERM_MONITORING*Mar 8 09:34:00.155:itu2SUERM_Start chnl=0 MTP2SUERM_IDLE
Caution
The following is an example of debug ss7 mtp2 timer command output for channel 0:
Router# debug ss7 mtp2 timer 0*Mar 1 01:08:13.738: Timer T7 (ex delay) Start chnl=0*Mar 1 01:08:13.762: Timer T7 (ex delay) Stop chnl=0*Mar 1 01:08:13.786: Timer T7 (ex delay) Start chnl=0*Mar 1 01:08:13.810: Timer T7 (ex delay) Stop chnl=0*Mar 1 01:08:43.819: Timer T7 (ex delay) Start chnl=0*Mar 1 01:08:43.843: Timer T7 (ex delay) Stop chnl=0*Mar 1 01:08:48.603: Timer T7 (ex delay) Start chnl=0*Mar 1 01:08:48.627: Timer T7 (ex delay) Stop chnl=0*Mar 1 01:09:13.784: Timer T7 (ex delay) Start chnl=0*Mar 1 01:09:13.808: Timer T7 (ex delay) Stop chnl=0*Mar 1 01:09:13.885: Timer T7 (ex delay) Start chnl=0*Mar 1 01:09:13.909: Timer T7 (ex delay) Stop chnl=0
Caution
The following is an example of debug ss7 mtp2 txc command output for channel 2. The transmission control is functioning and updating backward sequence numbers (BSNs). See the MTP2 specification for details:
Router# debug ss7 mtp2 txc 2*Mar 1 01:10:13.831: itu2TXC_bsn_update chnl=2 MTP2TXC_INSERVICE*Mar 1 01:10:13.831: itu2TXC_bsn_update chnl=2 MTP2TXC_INSERVICE*Mar 1 01:10:13.831: itu2TXC_bsn_update chnl=2 MTP2TXC_INSERVICE*Mar 1 01:10:13.839: itu2TXC_PDU2xmit chnl=2 MTP2TXC_INSERVICE*Mar 1 01:10:13.863: itu2TXC_bsn_update chnl=2 MTP2TXC_INSERVICE*Mar 1 01:10:13.863: itu2TXC_bsn_update chnl=2 MTP2TXC_INSERVICE*Mar 1 01:10:23.603: itu2TXC_PDU2xmit chnl=2 MTP2TXC_INSERVICE*Mar 1 01:10:23.627: itu2TXC_bsn_update chnl=2 MTP2TXC_INSERVICE*Mar 1 01:10:23.627: itu2TXC_bsn_update chnl=2 MTP2TXC_INSERVICE*Mar 1 01:10:23.631: itu2TXC_bsn_update chnl=2 MTP2TXC_INSERVICE*Mar 1 01:10:23.631: itu2TXC_bsn_update chnl=2 MTP2TXC_INSERVICE*Mar 1 01:10:23.635: itu2TXC_bsn_update chnl=2 MTP2TXC_INSERVICE*Mar 1 01:10:43.900: itu2TXC_bsn_update chnl=2 MTP2TXC_INSERVICE*Mar 1 01:10:43.900: itu2TXC_bsn_update chnl=2 MTP2TXC_INSERVICE*Mar 1 01:10:43.900: itu2TXC_bsn_update chnl=2 MTP2TXC_INSERVICE*Mar 1 01:10:43.908: itu2TXC_PDU2xmit chnl=2 MTP2TXC_INSERVICE*Mar 1 01:10:43.928: itu2TXC_bsn_update chnl=2 MTP2TXC_INSERVICE*Mar 1 01:10:43.932: itu2TXC_bsn_update chnl=2 MTP2TXC_INSERVICThe following MTP2 specification tables explain codes that appear in the command output.
0x0
Cause unknown—default
0x1
Management initiated
0x2
Abnormal BSN (backward sequence number)
0x3
Abnormal FIB (Forward Indicator Bit)
0x4
Congestion discard
Related Commands
debug ss7 sm
To display debugging messages for an Signaling System 7 (SS7) Session Manager, use the debug ss7 sm command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug ss7 sm [session session-id | set | timer]
no debug ss7 sm session
Syntax Description
Defaults
Debug is disabled.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to watch the Session Manager and Reliable User Data Protocol (RUDP) sessions. The Session Manager is responsible for establishing the RUDP connectivity to the Virtual Switch Controller (VSC).
Support for up to four Session Manager sessions was added. Session Manager sessions are now numbered 0 to 3. This feature changes the CLI syntax, and adds sessions 2 and 3.
Examples
The following is an example of debug ss7 sm command output using the session keyword. The Session Manager has established the connection (RUDP_CONN_OPEN_SIG) for session 3.
Router# debug ss7 sm session 3*Mar 8 09:37:52.119:SM:rudp signal RUDP_SOFT_RESET_SIG, session = 3*Mar 8 09:37:58.129:SM:rudp signal RUDP_CONN_RESET_SIG, session = 3*Mar 8 09:37:58.129:SM:Opening session[0] to 10.5.0.4:8060*Mar 8 09:37:58.137:SM:rudp signal RUDP_CONN_OPEN_SIG, session = 3The following is an example of debug ss7 sm session command output for session 0. The Session Manager has established the connection (RUDP_CONN_OPEN_SIG):
Router# debug ss7 sm session 0*Mar 8 09:37:52.119:SM:rudp signal RUDP_SOFT_RESET_SIG, session = 0*Mar 8 09:37:58.129:SM:rudp signal RUDP_CONN_RESET_SIG, session = 0*Mar 8 09:37:58.129:SM:Opening session[0] to 10.5.0.4:8060*Mar 8 09:37:58.137:SM:rudp signal RUDP_CONN_OPEN_SIG, session = 0Related Commands
encapsulation ss7
Assigns a channel group and selects the DS0 time slots desired for SS7 links.
debug sse
To display information for the silicon switching engine (SSE) processor, use the debug sse command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug sse
no debug sse
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Usage Guidelines
Use the debug sse command to display statistics and counters maintained by the SSE.
Examples
The following is sample output from the debug sse command:
Router# debug sseSSE: IP number of cache entries changed 273 274SSE: bridging enabledSSE: interface Ethernet0/0 icb 0x30 addr 0x29 status 0x21A040 protos 0x11SSE: interface Ethernet0/1 icb 0x33 addr 0x29 status 0x21A040 protos 0x11SSE: interface Ethernet0/2 icb 0x36 addr 0x29 status 0x21A040 protos 0x10SSE: interface Ethernet0/3 icb 0x39 addr 0x29 status 0x21A040 protos 0x11SSE: interface Ethernet0/4 icb 0x3C addr 0x29 status 0x21A040 protos 0x10SSE: interface Ethernet0/5 icb 0x3F addr 0x29 status 0x21A040 protos 0x11SSE: interface Hssi1/0 icb 0x48 addr 0x122 status 0x421E080 protos 0x11SSE: cache update took 316ms, elapsed 320msThe following line indicates that the SSE cache is being updated due to a change in the IP fast-switching cache:
SSE: IP number of cache entries changed 273 274The following line indicates that bridging functions were enabled on the SSE:
SSE: bridging enabledThe following lines indicate that the SSE is now loaded with information about the interfaces:
SSE: interface Ethernet0/0 icb 0x30 addr 0x29 status 0x21A040 protos 0x11SSE: interface Ethernet0/1 icb 0x33 addr 0x29 status 0x21A040 protos 0x11SSE: interface Ethernet0/2 icb 0x36 addr 0x29 status 0x21A040 protos 0x10SSE: interface Ethernet0/3 icb 0x39 addr 0x29 status 0x21A040 protos 0x11SSE: interface Ethernet0/4 icb 0x3C addr 0x29 status 0x21A040 protos 0x10SSE: interface Ethernet0/5 icb 0x3F addr 0x29 status 0x21A040 protos 0x11SSE: interface Hssi1/0 icb 0x48 addr 0x122 status 0x421E080 protos 0x11The following line indicates that the SSE took 316 ms of processor time to update the SSE cache. The value of 320 ms represents the total time elapsed while the cache updates were performed.
SSE: cache update took 316ms, elapsed 320msdebug ssg ctrl-errors
To display all error messages for control modules, use the debug ssg ctrl-errors command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug ssg ctrl-errors
no debug ssg ctrl-errors
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to show error messages for the control modules. These modules include all those that manage the user authentication and service login and logout (RADIUS, PPP, Subblock, and Accounting). An error message is the result of an error detected during normal execution.
Examples
The following output is generated by using the debug ssg ctrl-errors command when a host logs in to and logs out of a service:
Router# debug ssg ctrl-errorsMar 29 13:51:30 [192.168.5.1.15.21] 59:00:15:38:%VPDN-6-AUTHORERR:L2F NASLowSlot6 cannot locate a AAA server for Vi6 user User1Mar 29 13:51:31 [192.168.5.1.15.21] 60:00:15:39:%LINEPROTO-5-UPDOWN:Lineprotocol on Interface Virtual-Access6, changed state to downRelated Commands
debug ssg ctrl-events
Displays all event messages for control modules.
debug ssg ctrl-packets
Displays packet contents handled by control modules.
debug ssg ctrl-events
To display all event messages for control modules, use the debug ssg ctrl-events command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug ssg ctrl-events
no debug ssg ctrl-events
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Usage Guidelines
This command displays event messages for the control modules, which include all modules that manage the user authentication and service login and logout (RADIUS, PPP, Subblock, and Accounting). An event message is an informational message generated during normal execution.
Examples
The following output is generated by the debug ssg ctrl-events command when a host logs in to a service:
Router# debug ssg ctrl-eventsMar 16 16:20:30 [192.168.6.1.7.141] 799:02:26:51:SSG-CTL-EVN:Service logon is accepted.Mar 16 16:20:30 [192.168.6.1.7.141] 800:02:26:51:SSG-CTL-EVN:Send cmd 11 to host 172.16.6.13. dst=192.168.100.24:36613Related Commands
debug ssg ctrl-packets
Displays packet contents handled by control modules.
ssg local-forwarding
Displays all error messages for control modules.
debug ssg ctrl-packets
To display packet contents handled by control modules, use the debug ssg ctrl-packets command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug ssg ctrl-packets
no debug ssg ctrl-packets
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to show packet messages for the control modules. These modules include all those that manage the user authentication and service login and logout (RADIUS, PPP, Subblock, and Accounting). A packet message displays the contents of a package.
Examples
The following output is generated by using the debug ssg ctrl-packets command when a host logs out of a service:
Router# debug ssg ctrl-packetsMar 16 16:23:38 [192.168.6.1.7.141] 968:02:30:00:SSG-CTL-PAK:Received Packet:Mar 16 16:23:38 [192.168.6.1.7.141] 980:02:30:00:SSG-CTL-PAK:Sent packet:Mar 16 16:23:39 [192.168.6.1.7.141] 991:02:30:00:SSG-CTL-PAK:Mar 16 16:23:39 [192.168.6.1.7.141] 992:Received Packet:Related Commands
debug ssg ctrl-events
Displays all event messages for control modules.
ssg local-forwarding
Enables NRP-SSG to forward packets locally.
debug ssg data
To display all data-path packets, use the debug ssg data command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug ssg data
no debug ssg data
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The debug ssg data command shows packets for the data modules. These modules include all those that forward data packets (Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), tunneling, fast switching, IP stream, and multicast).
Examples
The following output is generated by using the debug ssg data command when a host logs in to and out of a service:
Router# debug ssg dataMar 29 13:45:16 [192.168.5.1.15.21] 45:00:09:24:SSG-DATA:PS-UP-SetPakOutput=1(Vi6:172.16.5.50->199.199.199.199)Mar 29 13:45:16 [192.168.5.1.15.21] 46:00:09:24:SSG-DATA:PS-DN-SetPakOutput=1(Fa0/0/0:171.69.2.132->172.16.5.50)Mar 29 13:45:16 [192.168.5.1.15.21] 47:00:09:24:SSG-DATA:FS-UP-SetPakOutput=1(Vi6:172.16.5.50->171.69.43.34)Mar 29 13:45:16 [192.168.5.1.15.21] 48:00:09:24:Related Commands
debug ssg data-nat
To display all data-path packets for Network Address Translation (NAT) processing, use the debug ssg data-nat command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug ssg data-nat
no debug ssg data-nat
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The debug ssg data-nat command displays packets for the data modules. These modules include all those that forward NAT data packets.
Examples
The following output is generated by using the debug ssg data-nat command when a host logs in to and out of a service:
Router# debug ssg data-natMar 29 13:43:14 [192.168.5.1.15.21] 35:00:07:21:SSG-DATA:TranslateIP Dst199.199.199.199->171.69.2.132Mar 29 13:43:14 [192.168.5.1.15.21] 36:00:07:21:SSG-DATA:TranslateIP Src171.69.2.132->199.199.199.199Mar 29 13:43:30 [192.168.5.1.15.21] 39:00:07:38:SSG-DATA:TranslateIP Dst199.199.199.199->171.69.2.132Mar 29 13:43:30 [192.168.5.1.15.21] 40:00:07:38:SSG-DATA:TranslateIP Src171.69.2.132->199.199.199.199Related Commands
debug ssg dhcp
To enable the display of control errors and events related to Service Selection Gateway (SSG) Dynamic Host Configuration Protocol (DHCP), use the debug ssg dhcp command in privileged EXEC mode. To disable this feature, use the no form of this command.
debug ssg dhcp{error | event} [ip_address]
no debug ssg dhcp{error | event} [ip_address]
Syntax Description
Command Default
Displays SSG-DHCP information for all IP addresses.
Command Modes
Privileged EXEC
Command History
Examples
SSG DHCP Event Messages
The following example shows user login events when DHCP intercept is enabled using the ssg intercept dhcp command.
Router# debug ssg dhcp01:01:03: DHCPD: remote id 020a00000501010110000000000001:01:03: DHCPD: circuit id 0000000001:01:03: SSG-DHCP-EVN: DHCP-DISCOVER event received. SSG-dhcp awareness feature enabled01:01:03: DHCPD: DHCPDISCOVER received from client 0063.6973.636f.2d30.3030.632e.3331.6561.2e61.3963.312d.4661.302f.31 on interface FastEthernet1/0.01:01:03: DHCPD: Seeing if there is an internally specified pool class:01:01:03: DHCPD: htype 1 chaddr 000c.31ea.a9c101:01:03: DHCPD: remote id 020a00000501010110000000000001:01:03: DHCPD: circuit id 0000000001:01:03: SSG-DHCP-EVN: Get pool name called for 000c.31ea.a9c1. No hostobject01:01:03: SSG-DHCP-EVN: Get pool class called, class name =01:01:03: DHCPD: No internally specified class returned01:01:03: DHCPD: Sending DHCPOFFER to client 0063.6973.636f.2d30.3030.632e.3331.6561.2e61.3963.312d.4661.302f.31 (5.1.1.2).01:01:03: DHCPD: child pool: 5.1.1.0 / 255.255.255.0 (Default-pool)01:01:03: DHCPD: pool Default-pool has no parent.01:01:03: DHCPD: child pool: 5.1.1.0 / 255.255.255.0 (Default-pool)01:01:03: DHCPD: pool Default-pool has no parent.01:01:03: DHCPD: child pool: 5.1.1.0 / 255.255.255.0 (Default-pool)01:01:03: DHCPD: pool Default-pool has no parent.01:01:03: DHCPD: broadcasting BOOTREPLY to client 000c.31ea.a9c1.01:01:03: DHCPD: DHCPREQUEST received from client 0063.6973.636f.2d30.3030.632e.3331.6561.2e61.3963.312d.4661.302f.31.01:01:03: DHCPD: Sending notification of ASSIGNMENT:01:01:03: DHCPD: address 5.1.1.2 mask 255.255.255.001:01:03: DHCPD: htype 1 chaddr 000c.31ea.a9c101:01:03: DHCPD: lease time remaining (secs) = 18001:01:03: SSG-DHCP-EVN:5.1.1.2: IP address notification received.01:01:03: SSG-DHCP-EVN:5.1.1.2: HostObject not present01:01:03: DHCPD: No default domain to append - abort update01:01:03: DHCPD: Sending DHCPACK to client 0063.6973.636f.2d30.3030.632e.3331.6561.2e61.3963.312d.4661.302f.31 (5.1.1.2).01:01:03: DHCPD: child pool: 5.1.1.0 / 255.255.255.0 (Default-pool)01:01:03: DHCPD: pool Default-pool has no parent.01:01:03: DHCPD: child pool: 5.1.1.0 / 255.255.255.0 (Default-pool)01:01:03: DHCPD: pool Default-pool has no parent.01:01:03: DHCPD: child pool: 5.1.1.0 / 255.255.255.0 (Default-pool)01:01:03: DHCPD: pool Default-pool has no parent.01:01:03: DHCPD: broadcasting BOOTREPLY to client 000c.31ea.a9c1.SSG DHCP Error Messages
The following example shows user login errors when a user tries to log into two different services that require IP addresses to be assigned from different pools.
Router# debug ssg dhcp error01:21:58: SSG-CTL-EVN: Checking maximum service count.01:21:58: SSG-CTL-EVN: Service logon is accepted.01:21:58: SSG-CTL-EVN: Activating the ConnectionObject.01:21:58: SSG-DHCP-ERR:6.2.1.2: DHCP pool name of this service is different from, users already logged in service DHCP pool name01:21:58: SSG-CTL-EVN: Connection Activation Failed for host 6.2.1.201:21:58: SSG-CTL-EVN: Send cmd 11 to host S6.2.1.2. dst=10.76.86.90:4241201:21:58: SSG-CTL-PAK: Sent packet:01:21:58: RADIUS: id= 0, code= Access-Reject, len= 79Related Commands
debug ssg errors
To display all error messages for the system modules, use the debug ssg errors command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug ssg errors
no debug ssg errors
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The debug ssg errors command displays error messages for the system modules, which include the basic Cisco IOS and other support modules (such as Object Model, Timeout, and Initialization). An error message is the result of an error detected during normal execution.
Examples
The following output is generated by using the debug ssg errors command when a PPP over Ethernet (PPPoE) client logs in with an incorrect password:
Router# debug ssg errorsMar 16 08:46:20 [192.168.6.1.7.141] 225:00:16:06:SSG:SSGDoAccounting:reg_invoke_do_acct returns FALSERelated Commands
debug ssg events
Displays event messages for system modules.
debug ssg packets
Displays packet contents handled by system modules.
debug ssg events
To display event messages for system modules, use the debug ssg events command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug ssg events
no debug ssg events
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The debug ssg events command displays event messages for the system modules, which include the basic Cisco IOS modules and other support modules (such as Object Model, Timeout, and Initialization). An event message is an informational message that appears during normal execution.
Examples
The following output is generated by using the debug ssg events command when a PPP over Ethernet (PPPoE) client logs in with the username "username" and the password "cisco":
Router# debug ssg eventsMar 16 08:39:39 [192.168.6.1.7.141] 167:00:09:24:%LINK-3-UPDOWN:Interface Virtual-Access3, changed state to upMar 16 08:39:39 [192.168.6.1.7.141] 168:00:09:25:%LINEPROTO-5-UPDOWN:Line protocol on Interface Virtual-Access3, changed state to upMar 16 08:39:40 [192.168.6.1.7.141] 169:00:09:26:%VPDN-6-AUTHORERR:L2FNAS LowSlot7 cannot locate a AAA server for Vi3 user usernameMar 16 08:39:40 [192.168.6.1.7.141] 170:HostObject::HostObject:size = 256Mar 16 08:39:40 [192.168.6.1.7.141] 171:HostObject::ResetMar 16 08:39:40 [192.168.6.1.7.141] 172:Service List:Mar 16 08:39:40 [192.168.6.1.7.141] 175:Service = isp-1Related Commands
debug ssg error
Displays all error messages for the system modules.
debug ssg packets
Displays packet contents handled by system modules.
debug ssg packets
Note
To display packet contents handled by system modules, use the debug ssg packets command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug ssg packets
no debug ssg packets
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The debug ssg packets command displays packet messages for the system modules, which include the basic Cisco IOS and other support modules (such as Object Model, Timeout, Initialization). A packet message displays the contents of a package.
Examples
The following output is generated by using the debug ssg packets command when a user is running a Telnet session to 192.168.250.12 and pinging 192.168.250.11:
Router# debug ssg packets19:46:03:SSG-DATA:PS-UP-SetPakOutput=1(Vi2:172.16.17.71->192.168.250.12)19:46:03:SSG-DATA:PS-UP-SetPakOutput=1(Vi2:172.16.17.71->192.168.250.12)19:46:03:SSG-DATA:PS-UP-SetPakOutput=1(Vi3:172.16.17.72->192.168.250.12)19:46:03:SSG-DATA:PS-UP-SetPakOutput=1(Vi2:172.16.17.71->192.168.250.12)19:46:03:SSG-DATA:PS-UP-SetPakOutput=1(Vi2:172.16.17.71->192.168.250.12)19:46:03:SSG-DATA:PS-UP-SetPakOutput=1(Vi2:172.16.17.71->192.168.250.12)19:46:03:SSG-DATA:PS-UP-SetPakOutput=1(Vi3:172.16.17.72->192.168.250.11)Related Commands
debug ssg errors
Displays all error messages for the system modules.
debug ssg events
Displays event messages for system modules.
debug ssg port-map
To display debugging messages for port-mapping, use the debug ssg port-map command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug ssg port-map {events | packets}
no debug ssg port-map {events | packets}
Syntax Description
events
Displays messages for port-map events: create and remove.
packets
Displays port-map packet contents and port address translations.
Defaults
This command is disabled.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
This command displays debugging messages for the creation of port maps.
Examples
Using the debug ssg port-map command generates the following output when a subscriber logs in to a service:
Router# debug ssg port-map eventsSSG port-map events debugging is onRouter# show debugSSG:SSG port-map events debugging is onRouter#00:46:09:SSG-PMAP:Changing state of port-bundle 70.13.60.3:65 from FREE to RESERVED00:46:09:SSG-PMAP:Changing state of port-bundle 70.13.60.3:65 from RESERVED to INUSE00:46:10:%LINEPROTO-5-UPDOWN:Line protocol on Interface Virtual-Access2, changed state to upRouter#00:46:25:SSG-PMAP:Allocating new port-mapping:[4148<->1040] for port-bundle 70.13.60.3:6500:46:29:SSG-PMAP:Allocating new port-mapping:[4149<->1041] for port-bundle 70.13.60.3:6500:46:31:SSG-PMAP:Allocating new port-mapping:[4150<->1042] for port-bundle 70.13.60.3:6500:46:31:SSG-PMAP:Allocating new port-mapping:[4151<->1043] for port-bundle 70.13.60.3:6500:46:31:SSG-PMAP:Allocating new port-mapping:[4152<->1044] for port-bundle 70.13.60.3:65Router# debug ssg port-map packetsSSG port-map packets debugging is onRouter#00:51:55:SSG-PMAP:forwarding non-TCP packet00:51:55:SSG-PMAP:forwarding packet00:51:55:SSG-PMAP:forwarding non-TCP packet00:51:55:SSG-PMAP:forwarding packet00:51:55:SSG-PMAP:forwarding non-TCP packet00:52:06:SSG-PMAP:srcip:70.13.6.100 srcport:8080 dstip:70.13.60.3 dstport:104400:52:06:SSG-PMAP:TCP flags:5011 Seq no:1162897784 Ack no:-123223471500:52:06:SSG-PMAP:received TCP-FIN packet00:52:10:SSG-PMAP:cef:packet bound for default n/w00:52:10:SSG-PMAP:Checking port-map ACLs00:52:10:SSG-PMAP:Port-map ACL check passed00:52:10:SSG-PMAP:cef:punting TCP-SYN packet to process00:52:10:SSG-PMAP:packet bound for default n/w00:52:10:SSG-PMAP:fast:punting TCP-SYN packet to process00:52:10:SSG-PMAP:packet bound for default n/w00:52:10:SSG-PMAP:translating source address from 10.3.6.1 to 70.13.60.300:52:10:SSG-PMAP:translating source port from 4158 to 104000:52:10:SSG-PMAP:srcip:70.13.6.100 srcport:8080 dstip:70.13.60.3 dstport:104000:52:10:SSG-PMAP:TCP flags:6012 Seq no:1186352744 Ack no:-123204770100:52:10:SSG-PMAP:translating destination address from 70.13.60.3 to 10.3.6.100:52:10:SSG-PMAP:translating destination port from 1040 to 4158Related Commands
show ssg port-map ip
Displays information on a particular port bundle.
show ssg port-map status
Displays information on port bundles.
debug ssg tcp-redirect
To turn on debug information for the Service Selection Gateway (SSG) Transport Control Protocol (TCP) Redirect for Services feature, use the debug ssg tcp-redirect command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug ssg tcp-redirect {packet | error | event}
no debug ssg tcp-redirect {packet | error | event}
Syntax Description
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to turn on debug information for the SSG TCP Redirect for Services feature. Use the packet keyword to display redirection information and any changes made to a packet when it is due for redirection. Use the error keyword to display any SSG TCP redirect errors. Use the event keyword to display any major SSG TCP redirect events or state changes.
Examples
The following example shows how to display redirection information and any changes made to a packet when it is due for redirection:
Router# debug ssg tcp-redirect packetDirection of the packet "-Up" indicates upstream packets from an SSG user, while "-Down" indicates downstream packets sent to a user:
07:13:15:SSG-REDIR-PKT:-Up:unauthorised user at 111.0.0.2 redirected to 9.2.36.253,808007:13:15:SSG-REDIR-PKT:-Down:TCP-RST Rxd for user at 111.0.0.2, port 1111407:13:15:SSG-REDIR-PKT:-Down:return remap for user at 111.0.0.2 redirected from 9.2.36.25The following example shows how to display any SSG TCP redirect errors:
Router# debug ssg tcp-redirect error07:15:20:SSG-REDIR-ERR:-Up:Packet from 172.0.0.2:11114 has different destination from stored connectionThe following example shows how to display any major SSG TCP redirect events or state changes:
Router# debug ssg tcp-redirect eventUpstream packets from users are redirected:
06:45:51:SSG-TCP-REDIR:-Up:created new remap entry for unauthorised user at 172.16.0.206:45:51: Redirect server set to 10.2.36.253,808006:45:51: Initial src/dest port mapping 11094<->2306:45:51:SSG-REDIR-EVT: Freeing tcp-remap connections06:46:21:SSG-REDIR-EVT:Host at 111.0.0.2, connection port 11094 timed out06:46:21:SSG-REDIR-EVT: Unauthenticated user remapping for 172.16.0.2 removedA host is being activated:
06:54:09:SSG-REDIR-EVT:- New Host at 172.16.0.2 set for default initial captivation06:54:09:SSG-REDIR-EVT:- New Host at 172.16.0.2 set for default advertising captivationInitial captivation begins:
06:59:32:SSG-REDIR-EVT:-Up:initial captivate got packet at start of connection (from 111.0.0.2)06:59:32:SSG-REDIR-EVT:-Up:user at 111.0.0.2 starting initial captivation06:59:32:SSG-REDIR-EVT:- Up:created new redirect connection and server for user at 111.0.0.206:59:32: Redirect server set to 10.64.131.20,800006:59:32: Initial src/dest port mapping 11109<->8006:59:48:SSG-REDIR-EVT:-Up:initial captivate got packet at start of connection (from 111.0.0.2)06:59:48:SSG-REDIR-EVT:-Up:initial captivate timed out for user at 172.16.0.206:59:48:SSG-REDIR-EVT:Removing server 10.64.131.20:8000 for host 172.16.0.2Advertising captivation begins:
06:59:48:SSG-REDIR-EVT:Removing redirect map for host 172.16.0.206:59:48:SSG-REDIR-EVT:-Up:advert captivate got packet at start of connection (from 111.0.0.2)06:59:48:SSG-REDIR-EVT:-Up:user at 111.0.0.2 starting advertisement captivation06:59:48:SSG-REDIR-EVT:- Up:created new redirect connection and server for user at 111.0.0.206:59:48: Redirect server set to 10.64.131.20,800006:59:48: Initial src/dest port mapping 11110<->80Related Commands
debug ssg transparent login
To display all the Service Selection Gateway (SSG) transparent login control events or errors, use the debug ssg transparent login command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug ssg transparent login {errors | events} [ip-address]
no debug ssg transparent login {errors | events} [ip-address]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command when troubleshooting SSG for problems related to transparent autologon users.
Examples
The following examples show sample output from the debug ssg transparent login command. The output is self-explanatory.
Unidentified (NR) User Example
*Jan 15 12:34:47.847:SSG-TAL-EVN:100.0.0.2 :Added entry successfully*Jan 15 12:34:47.847:SSG-TAL-EVN:100.0.0.2 :Attempting authorization*Jan 15 12:34:47.847:SSG-TAL-EVN:100.0.0.2 :Attempting to send authorization request*Jan 15 12:35:09.711:SSG-TAL-EVN:100.0.0.2 :Authorization response received*Jan 15 12:35:09.711:SSG-TAL-EVN:100.0.0.2 :Authorization timedout. User statechanged to unidentified*Jan 15 12:35:09.711:%SSG-5-SSG_TAL_NR:SSG TAL :No response from AAA server. AAA server might be down or overloaded.*Jan 15 12:35:09.711:SSG-TAL-EVN:100.0.0.2 :Start SP/NR entry timeout timer for 10 minsTransparent Pass-Through (TP) User Example
*Jan 15 12:40:39.875:SSG-TAL-EVN:100.0.0.2 :Added entry successfully*Jan 15 12:40:39.875:SSG-TAL-EVN:100.0.0.2 :Attempting authorization*Jan 15 12:40:39.875:SSG-TAL-EVN:100.0.0.2 :Attempting to send authorization request*Jan 15 12:40:39.879:SSG-TAL-EVN:100.0.0.2 :Authorization response received*Jan 15 12:40:39.879:SSG-TAL-EVN:100.0.0.2 :Parsing profile for TP attribute*Jan 15 12:40:39.879:SSG-TAL-EVN:100.0.0.2 :TP attribute found - Transparent user*Jan 15 12:40:39.879:SSG-TAL-EVN:100.0.0.2 :Stop SP/NR timer*Jan 15 12:40:39.879:SSG-TAL-EVN:100.0.0.2 :Idle timer started for 0 secs*Jan 15 12:40:39.879:SSG-TAL-EVN:100.0.0.2 :Session timer started for 0 secsSuspect User (SP) Example
*Jan 15 12:43:25.363:SSG-TAL-EVN:10.10.10.10 :Added entry successfully*Jan 15 12:43:25.363:SSG-TAL-EVN:10.10.10.10 :Attempting authorization*Jan 15 12:43:25.363:SSG-TAL-EVN:10.10.10.10 :Attempting to send authorization request*Jan 15 12:43:25.939:SSG-TAL-EVN:10.10.10.10 :Authorization response received*Jan 15 12:43:25.939:SSG-TAL-EVN:10.10.10.10 :Access reject from AAA server. Userstate changed to suspect*Jan 15 12:43:25.939:SSG-TAL-EVN:10.10.10.10 :Start SP/NR entry timeout timer for 60 minsClear All Users Example
The following is sample output for the debug ssg transparent login command when used after all transparent autologon users have been cleared by using the clear ssg user transparent all command.
*Jan 15 12:47:08.943:SSG-TAL-EVN:10.10.10.10 :Entry removed*Jan 15 12:47:08.943:SSG-TAL-EVN:10.10.10.10 :Stop SP/NR timer*Jan 15 12:47:08.943:SSG-TAL-EVN:10.10.10.10 :Stop Idle timer*Jan 15 12:47:08.943:SSG-TAL-EVN:10.10.10.10 :Stop session timer*Jan 15 12:47:08.943:SSG-TAL-EVN:10.11.11.11 :Entry removed*Jan 15 12:47:08.943:SSG-TAL-EVN:10.11.11.11 :Stop SP/NR timer*Jan 15 12:47:08.943:SSG-TAL-EVN:10.11.11.11 :Stop Idle timer*Jan 15 12:47:08.943:SSG-TAL-EVN:10.11.11.11 :Stop session timer*Jan 15 12:47:08.943:SSG-TAL-EVN:10.0.0.2 :Entry removed*Jan 15 12:47:08.943:SSG-TAL-EVN:10.0.0.2 :Stop SP/NR timer*Jan 15 12:47:08.943:SSG-TAL-EVN:10.0.0.2 :Stop Idle timer*Jan 15 12:47:08.943:SSG-TAL-EVN:10.0.0.2 :Stop session timerRelated Commands
debug ssm
To display diagnostic information about the Segment Switching Manager (SSM) for switched Layer 2 segments, use the debug ssm command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug ssm {cm errors | cm events | fhm errors | fhm events | sm errors | sm events | sm counters | xdr}
no debug ssm {cm errors | cm events | fhm errors | fhm events | sm errors | sm events | sm counters | xdr}
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The SSM manages the data-plane component of the Layer 2 Virtual Private Network (L2VPN) configuration. The CM tracks the connection-level errors and events that occur on an xconnect. The SM tracks per-segment events and errors on the xconnect.
Use the debug ssm command to troubleshoot problems in bringing up the data plane.
This command is generally used only by Cisco engineers for internal debugging SSM processes.
Examples
The following example shows sample output for the debug ssm xdr command:
Router# debug ssm xdrSSM xdr debugging is on2w5d: SSM XDR: [4096] deallocate segment, len 162w5d: SSM XDR: [8193] deallocate segment, len 162w5d: %LINK-3-UPDOWN: Interface FastEthernet2/1, changed state to down2w5d: %LINK-3-UPDOWN: Interface FastEthernet2/1, changed state to up2w5d: SSM XDR: [4102] provision segment, switch 4101, len 1062w5d: SSM XDR: [4102] update segment status, len 172w5d: SSM XDR: [8199] provision segment, switch 4101, len 2062w5d: SSM XDR: [4102] update segment status, len 172w5d: %SYS-5-CONFIG_I: Configured from console by console2w5d: %LINK-3-UPDOWN: Interface FastEthernet2/1, changed state to down2w5d: SSM XDR: [4102] update segment status, len 172w5d: %LINK-3-UPDOWN: Interface FastEthernet2/1, changed state to up2w5d: SSM XDR: [4102] deallocate segment, len 162w5d: SSM XDR: [8199] deallocate segment, len 162w5d: SSM XDR: [4104] provision segment, switch 4102, len 1062w5d: SSM XDR: [4104] update segment status, len 172w5d: SSM XDR: [8201] provision segment, switch 4102, len 2062w5d: SSM XDR: [4104] update segment status, len 172w5d: SSM XDR: [4104] update segment status, len 172w5d: %SYS-5-CONFIG_I: Configured from console by consoleThe following example shows events that occur on the segment manager when an Any Transport over MPLS (AToM) virtual circuit (VC) configured for Ethernet over MPLS is shut down and then enabled:
Router# debug ssm sm eventsSSM Connection Manager events debugging is onRouter(config)# interface fastethernet 0/1/0.1Router(config-subif)# shutdown09:13:38.159: SSM SM: [SSS:AToM:36928] event Unprovison segment09:13:38.159: SSM SM: [SSS:Ethernet Vlan:4146] event Unbind segment09:13:38.159: SSM SM: [SSS:AToM:36928] free segment class09:13:38.159: SSM SM: [SSS:AToM:36928] free segment09:13:38.159: SSM SM: [SSS:AToM:36928] event Free segment09:13:38.159: SSM SM: last segment class freed09:13:38.159: SSM SM: [SSS:Ethernet Vlan:4146] segment ready09:13:38.159: SSM SM: [SSS:Ethernet Vlan:4146] event Found segment dataRouter(config-subif)# no shutdown09:13:45.815: SSM SM: [SSS:AToM:36929] event Provison segment09:13:45.815: label_oce_get_label_bundle: flags 14 label 1609:13:45.815: SSM SM: [SSS:AToM:36929] segment ready09:13:45.815: SSM SM: [SSS:AToM:36929] event Found segment data09:13:45.815: SSM SM: [SSS:AToM:36929] event Bind segment09:13:45.815: SSM SM: [SSS:Ethernet Vlan:4146] event Bind segmentThe following example shows the events that occur on the CM when an AToM VC configured for Ethernet over MPLS is shut down and then enabled:
Router(config)# interface fastethernet 0/1/0.1Router(config-subif)# shutdown09:17:20.179: SSM CM: [AToM] unprovision segment, id 3692909:17:20.179: SSM CM: CM FSM: state Open - event Free segment09:17:20.179: SSM CM: [SSS:AToM:36929] unprovision segment 109:17:20.179: SSM CM: [SSS:AToM] shQ request send unprovision complete event09:17:20.179: SSM CM: [SSS:Ethernet Vlan:4146] unbind segment 209:17:20.179: SSM CM: [SSS:Ethernet Vlan] shQ request send ready event09:17:20.179: SSM CM: SM msg event send unprovision complete event09:17:20.179: SSM CM: SM msg event send ready eventRouter(config-subif)# no shutdown09:17:35.879: SSM CM: Query AToM to Ethernet Vlan switching, enabled09:17:35.879: SSM CM: [AToM] provision second segment, id 3693009:17:35.879: SSM CM: CM FSM: state Down - event Provision segment09:17:35.879: SSM CM: [SSS:AToM:36930] provision segment 209:17:35.879: SSM CM: [AToM] send client event 6, id 3693009:17:35.879: SSM CM: [SSS:AToM] shQ request send ready event09:17:35.883: SSM CM: SM msg event send ready event09:17:35.883: SSM CM: [AToM] send client event 3, id 36930The following example shows the events that occur on the CM and SM when an AToM VC is provisioned and then unprovisioned:
Router# debug ssm cm eventsSSM Connection Manager events debugging is onRouter# debug ssm sm eventsSSM Segment Manager events debugging is onRouter# configure terminalRouter(config)# interface ethernet1/0Router(config-if)# xconnect 10.55.55.2 101 pw-class mpls16:57:34: SSM CM: provision switch event, switch id 8604016:57:34: SSM CM: [Ethernet] provision first segment, id 1231316:57:34: SSM CM: CM FSM: state Idle - event Provision segment16:57:34: SSM CM: [SSS:Ethernet:12313] provision segment 116:57:34: SSM SM: [SSS:Ethernet:12313] event Provison segment16:57:34: SSM CM: [SSS:Ethernet] shQ request send ready event16:57:34: SSM CM: SM msg event send ready event16:57:34: SSM SM: [SSS:Ethernet:12313] segment ready16:57:34: SSM SM: [SSS:Ethernet:12313] event Found segment data16:57:34: SSM CM: Query AToM to Ethernet switching, enabled16:57:34: SSM CM: [AToM] provision second segment, id 1641016:57:34: SSM CM: CM FSM: state Down - event Provision segment16:57:34: SSM CM: [SSS:AToM:16410] provision segment 216:57:34: SSM SM: [SSS:AToM:16410] event Provison segment16:57:34: SSM CM: [AToM] send client event 6, id 1641016:57:34: label_oce_get_label_bundle: flags 14 label 1916:57:34: SSM CM: [SSS:AToM] shQ request send ready event16:57:34: SSM CM: SM msg event send ready event16:57:34: SSM SM: [SSS:AToM:16410] segment ready16:57:34: SSM SM: [SSS:AToM:16410] event Found segment data16:57:34: SSM SM: [SSS:AToM:16410] event Bind segment16:57:34: SSM SM: [SSS:Ethernet:12313] event Bind segment16:57:34: SSM CM: [AToM] send client event 3, id 16410Router# configure terminalRouter(config)# interface e1/0Router(config-if)# no xconnect16:57:26: SSM CM: [Ethernet] unprovision segment, id 1638716:57:26: SSM CM: CM FSM: state Open - event Free segment16:57:26: SSM CM: [SSS:Ethernet:16387] unprovision segment 116:57:26: SSM SM: [SSS:Ethernet:16387] event Unprovison segment16:57:26: SSM CM: [SSS:Ethernet] shQ request send unprovision complete event16:57:26: SSM CM: [SSS:AToM:86036] unbind segment 216:57:26: SSM SM: [SSS:AToM:86036] event Unbind segment16:57:26: SSM CM: SM msg event send unprovision complete event16:57:26: SSM SM: [SSS:Ethernet:16387] free segment class16:57:26: SSM SM: [SSS:Ethernet:16387] free segment16:57:26: SSM SM: [SSS:Ethernet:16387] event Free segment16:57:26: SSM SM: last segment class freed16:57:26: SSM CM: unprovision switch event, switch id 1229016:57:26: SSM CM: [SSS:AToM] shQ request send unready event16:57:26: SSM CM: SM msg event send unready event16:57:26: SSM SM: [SSS:AToM:86036] event Unbind segment16:57:26: SSM CM: [AToM] unprovision segment, id 8603616:57:26: SSM CM: CM FSM: state Down - event Free segment16:57:26: SSM CM: [SSS:AToM:86036] unprovision segment 216:57:26: SSM SM: [SSS:AToM:86036] event Unprovison segment16:57:26: SSM CM: [SSS:AToM] shQ request send unprovision complete event16:57:26: SSM CM: SM msg event send unprovision complete event16:57:26: SSM SM: [SSS:AToM:86036] free segment class16:57:26: SSM SM: [SSS:AToM:86036] free segment16:57:26: SSM SM: [SSS:AToM:86036] event Free segment16:57:26: SSM SM: last segment class freedRelated Commands
debug sss aaa authorization event
To display messages about authentication, authorization, and accounting (AAA) authorization events that are part of normal call establishment, use the debug sss aaa authorization event command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug sss aaa authorization event
no debug sss aaa authorization event
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Examples
The following is sample output of several Subscriber Service Switch (SSS) debug commands including the debug sss aaa authorization event command. The reports from these commands should be sent to technical personnel at Cisco Systems for evaluation.
Router# debug sss eventRouter# debug sss errorRouter# debug sss stateRouter# debug sss aaa authorization eventRouter# debug sss aaa authorization fsmSSS:SSS events debugging is onSSS error debugging is onSSS fsm debugging is onSSS AAA authorization event debugging is onSSS AAA authorization FSM debugging is on*Mar 4 21:33:18.248: SSS INFO: Element type is Access-Type, long value is 3*Mar 4 21:33:18.248: SSS INFO: Element type is Switch-Id, long value is -1509949436*Mar 4 21:33:18.248: SSS INFO: Element type is Nasport, ptr value is 6396882C*Mar 4 21:33:18.248: SSS INFO: Element type is AAA-Id, long value is 7*Mar 4 21:33:18.248: SSS INFO: Element type is AAA-ACCT_ENBL, long value is 1*Mar 4 21:33:18.248: SSS INFO: Element type is AccIe-Hdl, ptr value is 78000006*Mar 4 21:33:18.248: SSS MGR [uid:7]: Event service-request, state changed from wait-for-req to wait-for-auth*Mar 4 21:33:18.248: SSS MGR [uid:7]: Handling Policy Authorize (1 pending sessions)*Mar 4 21:33:18.248: SSS PM [uid:7]: Need the following key: Unauth-User*Mar 4 21:33:18.248: SSS PM [uid:7]: Received Service Request*Mar 4 21:33:18.248: SSS PM [uid:7]: Event <need keys>, State: initial-req to need-init-keys*Mar 4 21:33:18.248: SSS PM [uid:7]: Policy reply - Need more keys*Mar 4 21:33:18.248: SSS MGR [uid:7]: Got reply Need-More-Keys from PM*Mar 4 21:33:18.248: SSS MGR [uid:7]: Event policy-or-mgr-more-keys, state changed from wait-for-auth to wait-for-req*Mar 4 21:33:18.248: SSS MGR [uid:7]: Handling More-Keys event*Mar 4 21:33:20.256: SSS INFO: Element type is Unauth-User, string value is nobody2@xyz.com*Mar 4 21:33:20.256: SSS INFO: Element type is AccIe-Hdl, ptr value is 78000006*Mar 4 21:33:20.256: SSS INFO: Element type is AAA-Id, long value is 7*Mar 4 21:33:20.256: SSS INFO: Element type is Access-Type, long value is 0*Mar 4 21:33:20.256: SSS MGR [uid:7]: Event service-request, state changed from wait-for-req to wait-for-auth*Mar 4 21:33:20.256: SSS MGR [uid:7]: Handling Policy Authorize (1 pending sessions)*Mar 4 21:33:20.256: SSS PM [uid:7]: Received More Initial Keys*Mar 4 21:33:20.256: SSS PM [uid:7]: Event <rcvd keys>, State: need-init-keys to check-auth-needed*Mar 4 21:33:20.256: SSS PM [uid:7]: Handling Authorization Check*Mar 4 21:33:20.256: SSS PM [uid:7]: Event <send auth>, State: check-auth-needed to authorizing*Mar 4 21:33:20.256: SSS PM [uid:7]: Handling AAA service Authorization*Mar 4 21:33:20.256: SSS PM [uid:7]: Sending authorization request for 'xyz.com'*Mar 4 21:33:20.256: SSS AAA AUTHOR [uid:7]:Event <make request>, state changed from idle to authorizing*Mar 4 21:33:20.256: SSS AAA AUTHOR [uid:7]:Authorizing key xyz.com*Mar 4 21:33:20.260: SSS AAA AUTHOR [uid:7]:AAA request sent for key xyz.com*Mar 4 21:33:20.260: SSS AAA AUTHOR [uid:7]:Received an AAA pass*Mar 4 21:33:20.260: SSS AAA AUTHOR [uid:7]:Event <found service>, state changed from authorizing to complete*Mar 4 21:33:20.260: SSS AAA AUTHOR [uid:7]:Found service info for key xyz.com*Mar 4 21:33:20.260: SSS AAA AUTHOR [uid:7]:Event <free request>, state changed from complete to terminal*Mar 4 21:33:20.260: SSS AAA AUTHOR [uid:7]:Free request*Mar 4 21:33:20.264: SSS PM [uid:7]: Event <found>, State: authorizing to end*Mar 4 21:33:20.264: SSS PM [uid:7]: Handling Service Direction*Mar 4 21:33:20.264: SSS PM [uid:7]: Policy reply - Forwarding*Mar 4 21:33:20.264: SSS MGR [uid:7]: Got reply Forwarding from PM*Mar 4 21:33:20.264: SSS MGR [uid:7]: Event policy-start-service-fsp, state changed from wait-for-auth to wait-for-service*Mar 4 21:33:20.264: SSS MGR [uid:7]: Handling Connect-Forwarding-Service event*Mar 4 21:33:20.272: SSS MGR [uid:7]: Event service-fsp-connected, state changed from wait-for-service to connected*Mar 4 21:33:20.272: SSS MGR [uid:7]: Handling Forwarding-Service-Connected eventRelated Commands
debug sss aaa authorization fsm
To display information about authentication, authorization, and accounting (AAA) authorization state changes, use the debug sss aaa authorization fsm command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug sss aaa authorization fsm
no debug sss aaa authorization fsm
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Examples
The following example shows how to enter this command. See the "Examples" section of the debug ssg transparent login command page for an example of output.
Router# debug sss aaa authorization fsmRelated Commands
debug sss error
To display diagnostic information about errors that may occur during Subscriber Service Switch (SSS) call setup, use the debug sss error command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug sss error
no debug sss error
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Examples
The following example shows how to enter this command. See the "Examples" section of the debug ssg transparent login command page for an example of output.
Router# debug sss errorRelated Commands
debug sss event
To display diagnostic information about Subscriber Service Switch (SSS) call setup events, use the debug sss event command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug sss event
no debug sss event
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Examples
The following example shows how to enter this command. See the "Examples" section of the debug ssg transparent login command page for an example of output.
Router# debug sss eventRelated Commands
debug sss fsm
To display diagnostic information about the Subscriber Service Switch (SSS) call setup state, use the debug sss fsm command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug sss fsm
no debug sss fsm
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Examples
The following example shows how to enter this command. See the "Examples" section of the debug ssg transparent login command page for an example of output.
Router# debug sss fsmdebug standby
To display Hot Standby Router Protocol (HSRP) state changes, use the debug standby command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug standby [terse]
no debug standby [terse]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The debug standby command displays Hot Standby Protocol state changes and debugging information regarding transmission and receipt of Hot Standby Protocol packets. Use this command to determine whether hot standby routers recognize one another and take the proper actions.
Examples
The following is sample output from the debug standby command:
Router# debug standbySB: Ethernet0 state Virgin -> ListenSB: Starting up hot standby processSB:Ethernet0 Hello in 192.168.72.21 Active pri 90 hel 3 hol 10 ip 192.168.72.29SB:Ethernet0 Hello in 192.168.72.21 Active pri 90 hel 3 hol 10 ip 192.168.72.29SB:Ethernet0 Hello in 192.168.72.21 Active pri 90 hel 3 hol 10 ip 192.168.72.29SB:Ethernet0 Hello in 192.168.72.21 Active pri 90 hel 3 hol 10 ip 192.168.72.29SB: Ethernet0 state Listen -> SpeakSB:Ethernet0 Hello out 192.168.72.20 Speak pri 100 hel 3 hol 10 ip 192.168.72.29SB:Ethernet0 Hello in 192.168.72.21 Active pri 90 hel 3 hol 10 ip 192.168.72.29SB:Ethernet0 Hello out 192.168.72.20 Speak pri 100 hel 3 hol 10 ip 192.168.72.29SB:Ethernet0 Hello in 192.168.72.21 Active pri 90 hel 3 hol 10 ip 192.168.72.29SB:Ethernet0 Hello out 192.168.72.20 Speak pri 100 hel 3 hol 10 ip 192.168.72.29SB:Ethernet0 Hello in 192.168.72.21 Active pri 90 hel 3 hol 10 ip 192.168.72.29SB: Ethernet0 state Speak -> StandbySB:Ethernet0 Hello out 192.168.72.20 Standby pri 100 hel 3 hol 10 ip 192.168.72.29SB:Ethernet0 Hello in 192.168.72.21 Active pri 90 hel 3 hol 10 ip 192.168.72.29SB:Ethernet0 Hello out 192.168.72.20 Standby pri 100 hel 3 hol 10 ip 192.168.72.29SB:Ethernet0 Hello in 192.168.72.21 Active pri 90 hel 3 hol 10 ip 192.168.72.29SB:Ethernet0 Hello out 192.168.72.20 Standby pri 100 hel 3 hol 10 ip 192.168.72.29SB:Ethernet0 Hello in 192.168.72.21 Active pri 90 hel 3 hol 10 ip 192.168.72.29SB: Ethernet0 Coup out 192.168.72.20 Standby pri 100 hel 3 hol 10 ip 192.168.72.29SB: Ethernet0 state Standby -> ActiveSB:Ethernet0 Hello out 192.168.72.20 Active pri 100 hel 3 hol 10 ip 192.168.72.29SB:Ethernet0 Hello in 192.168.72.21 Speak pri 90 hel 3 hol 10 ip 192.168.72.29SB:Ethernet0 Hello out 192.168.72.20 Active pri 100 hel 3 hol 10 ip 192.168.72.29SB:Ethernet0 Hello in 192.168.72.21 Speak pri 90 hel 3 hol 10 ip 192.168.72.29SB:Ethernet0 Hello out 192.168.72.20 Active pri 100 hel 3 hol 10 ip 192.168.72.29Table 305 describes the significant fields shown in the display.
The following line indicates that the router is initiating the Hot Standby Protocol. The standby ip interface configuration command enables Hot Standby.
SB: Starting up hot standby processThe following line indicates that a state transition occurred on the interface:
SB: Ethernet0 state Listen -> SpeakRelated Commands
debug standby errors
To display error messages related to Host Standby Router Protocol (HSRP), use the debug standby errors command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug standby errors
no debug standby errors
Syntax Description
This command has no arguments or keywords
Defaults
Debugging is not enabled.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
You can filter the debug output using interface and HSRP group conditional debugging. To enable interface conditional debugging, use the debug condition interface command. To enable HSRP conditional debugging, use the debug condition standby command.
Examples
The following example enables the display of HSRP errors:
Router# debug standby errorsRelated Commands
debug standby events
Displays HSRP events
debug standby events icmp
Displays HSRP errors.
debug standby events
To display events related to Hot Standby Router Protocol (HSRP), use the debug standby events command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug standby events [all | api | ha | internal | protocol | redundancy | terse | track] [detail]
no debug standby events [all | ha | internal | protocol | redundancy | terse | track] [detail]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
You can filter the debug output using interface and HSRP group conditional debugging. To enable interface conditional debugging, use the debug condition interface command. To enable HSRP conditional debugging, use the debug condition standby command.
Examples
The following example shows how to enable the debugging of the active and standby Route Processors (RPs) on an active RP console. The HSRP group is configured on the active RP, and the HSRP state is active.
Router# debug standby events ha!Active RP*Apr 27 04:13:47.755: HSRP: Et0/0/1 Grp 101 RF Encode state Listen into sync buffer*Apr 27 04:13:47.855: HSRP: CF Sync send ok*Apr 27 04:13:57.755: HSRP: Et0/0/1 Grp 101 RF Encode state Speak into sync buffer*Apr 27 04:13:57.855: HSRP: CF Sync send ok*Apr 27 04:14:07.755: HSRP: Et0/0/1 Grp 101 RF Encode state Standby into sync buffer*Apr 27 04:14:07.755: HSRP: Et0/0/1 Grp 101 RF Encode state Active into sync buffer*Apr 27 04:14:07.863: HSRP: CF Sync send ok*Apr 27 04:14:07.867: HSRP: CF Sync send ok!Standby RP*Apr 27 04:11:21.011: HSRP: RF CF client 32, entity 0 got msg len 24*Apr 27 04:11:21.011: HSRP: Et0/0/1 Grp 101 RF sync state Init -> Listen*Apr 27 04:11:31.011: HSRP: RF CF client 32, entity 0 got msg len 24*Apr 27 04:11:31.011: HSRP: Et0/0/1 Grp 101 RF sync state Listen -> Speak*Apr 27 04:11:41.071: HSRP: RF CF client 32, entity 0 got msg len 24*Apr 27 04:11:41.071: HSRP: RF CF client 32, entity 0 got msg len 24*Apr 27 04:11:41.071: HSRP: Et0/0/1 Grp 101 RF sync state Speak -> Standby*Apr 27 04:11:41.071: HSRP: Et0/0/1 Grp 101 RF sync state Standby -> ActiveTable 306 describes the significant fields shown in the display.
Related Commands
debug standby events icmp
To display debugging messages for the Hot Standby Router Protocol (HSRP) Internet Control Message Protocol (ICMP) redirects filter, use the debug standby events icmp command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug standby events icmp
no debug standby events icmp
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
This command helps you determine whether HSRP is filtering an outgoing ICMP redirect message.
Examples
The following is sample output from the debug standby events icmp command:
Router# debug standby events icmp10:35:20: SB: changing ICMP redirect sent to 20.0.0.4 for dest 30.0.0.210:35:20: SB: gw 20.0.0.2 -> 20.0.0.12, src 20.0.0.1110:35:20: SB: Use HSRP virtual address 20.0.0.11 as ICMP srcIf the router being redirected to is passive (HSRP enabled but no active groups), the following debugging message is displayed:
10:41:22: SB: ICMP redirect not sent to 20.0.0.4 for dest 40.0.0.310:41:22: SB: 20.0.0.3 does not contain an active HSRP groupIf HSRP could not uniquely determine the gateway used by the host, then the following message is displayed:
10:43:08: SB: ICMP redirect not sent to 20.0.0.4 for dest 30.0.0.210:43:08: SB: could not uniquely determine IP address for mac 00d0.bbd3.bc22The following messages are also displayed if the debug ip icmp command is enabled, in which case the message prefix is changed:
10:39:09: ICMP: HSRP changing redirect sent to 20.0.0.4 for dest 30.0.0.210:39:09: ICMP: gw 20.0.0.2 -> 20.0.0.12, src 20.0.0.1110:39:09: ICMP: Use HSRP virtual address 20.0.0.11 as ICMP src10:39:09: ICMP: redirect sent to 20.0.0.4 for dest 30.0.0.2, use gw 20.0.0.12Related Commands
debug standby events neighbor
To display Hot Standby Router Protocol (HSRP) Bidirectional Forwarding Detection (BFD) peering events, use the debug standby events neighbor command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug standby events neighbor
no debug standby events neighbor
Syntax Description
This command has no arguments or keywords.
Command Default
HSRP neighbor debugging output is not displayed.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
You can filter the debug output by using interface and HSRP group conditional debugging. To enable interface conditional debugging, use the debug condition interface command. To enable HSRP conditional debugging, use the debug condition standby command.
Examples
In this example, two HSRP routers are configured as neighbors, supporting BFD peering with the debug standby events neighbor command configured. The following example shows the debug output that appears when an additional HSRP group is added to Router A:
Router A
RouterA# debug standby event neighborHSRP Events debugging is on(neighbor)*Oct 3 02:57:48.587: HSRP: Fa2/0 Grp 2 Standby router is local01:03:49: %HSRP-5-STATECHANGE: FastEthernet2/0 Grp 2 state Speak -> Standby*Oct 3 02:57:49.087: HSRP: Fa2/0 Grp 2 Active router is local*Oct 3 02:57:49.087: HSRP: Fa2/0 Grp 2 Standby router is unknown, was local01:03:50: %HSRP-5-STATECHANGE: FastEthernet2/0 Grp 2 state Standby -> ActiveRouter B
RouterB# debug standby event neighborHSRP Events debugging is on(neighbor)*Oct 3 10:00:28.503: HSRP: Fa2/0 Grp 2 Active router is 10.0.0.1 (no local config)*Oct 3 10:00:28.503: HSRP: Fa2/0 Nbr 10.0.0.1 active for group 2The following example shows the debug output when an additional HSRP group is added to Router B:
Router B
*Oct 3 10:02:28.067: HSRP: Fa2/0 Nbr 10.0.0.1 no longer active for group 2 (Disabled)*Oct 3 10:02:28.503: HSRP: Fa2/0 Grp 2 Active router is 10.0.0.1*Oct 3 10:02:28.503: HSRP: Fa2/0 Nbr 10.0.0.1 active for group 2*Oct 3 10:02:48.071: HSRP: Fa2/0 Grp 2 Standby router is local00:44:28: %HSRP-5-STATECHANGE: FastEthernet2/0 Grp 2 state Speak -> StandbyRouter A
*Oct 3 03:00:08.655: HSRP: Fa2/0 Grp 2 Standby router is 10.0.0.2*Oct 3 03:00:08.655: HSRP: Fa2/0 Nbr 10.0.0.2 standby for group 2The following is sample debug output showing a possible network outage (the loss of signal between the ports of Router A and B):
Router B
*Oct 3 10:09:07.651: HSRP: Fa2/0 Grp 1 Active router is local, was 10.0.0.1*Oct 3 10:09:07.651: HSRP: Fa2/0 Nbr 10.0.0.1 no longer active for group 1 (Standby)*Oct 3 10:09:07.651: HSRP: Fa2/0 Grp 1 Standby router is unknown, was local00:50:48: %HSRP-5-STATECHANGE: FastEthernet2/0 Grp 1 state Standby -> Active*Oct 3 10:09:08.959: HSRP: Fa2/0 Grp 2 Active router is local, was 10.0.0.1*Oct 3 10:09:08.959: HSRP: Fa2/0 Nbr 10.0.0.1 no longer active for group 2 (Standby)*Oct 3 10:09:08.959: HSRP: Fa2/0 Nbr 10.0.0.1 Was active or standby - start passive holddown*Oct 3 10:09:08.959: HSRP: Fa2/0 Grp 2 Standby router is unknown, was local00:50:49: %HSRP-5-STATECHANGE: FastEthernet2/0 Grp 2 state Standby -> ActiveRelated Commands
debug standby packets
To display debugging information for packets related to Hot Standby Router Protocol (HSRP), use the debug standby packets command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug standby packets [advertise | all | terse | coup | hello | resign] [detail]
no debug standby packet [advertise | all | terse | coup | hello | resign] [detail]
Syntax Description
Defaults
Debugging is not enabled.
Command Modes
Privileged EXEC
Command History
12.1
This command was introduced.
12.2
The advertise keyword was added.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
You can filter the debug output using interface and HSRP group conditional debugging. To enable interface conditional debugging, use the debug condition interface command. To enable HSRP conditional debugging, use the debug condition standby command.
Note
Examples
The following example show how to enable the display of all HSRP packets:
Router# debug standby packets allHSRP Packets debugging is on.Related Commands
debug stun packet
To display information on packets traveling through the serial tunnel (STUN) links, use the debug stun packet command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug stun packet [group] [address]
no debug stun packet [group] [address]
Syntax Description
Command Modes
Privileged EXEC
Usage Guidelines
Because using this command is processor intensive, it is best to use it after regular business hours, rather than in a production environment. It is also best to turn this command on by itself, rather than use it in conjunction with other debug commands.
Examples
The following is sample output from the debug stun packet command:
The following line describes an X1 type of packet:
STUN sdlc: 0:00:04 Serial3 NDI: (0C2/008) U: SNRM PF:1Table 307 describes the significant fields in this line of debug stun packet output.
The following line of output describes an X2 type of packet:
STUN sdlc: 0:00:00 Serial3 SDI: (0C2/008) S: RR PF:1 NR:000All the fields in the previous line of output match those for an X1 type of packet, except the last field, which is additional. NR:000 indicates a receive count of 0; the range for the receive count is 0 to 7.
The following line of output describes an X3 type of packet:
STUN sdlc: 0:00:00 Serial3 SDI: (0C2/008) S:I PF:1 NR:000 NS:000All fields in the previous line of output match those for an X2 type of packet, except the last field, which is additional. NS:000 indicates a send count of 0; the range for the send count is 0 to 7.
debug sw56
To display debugging information for switched 56K services, use the debug sw56 command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug sw56
no debug sw56
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
debug syscon perfdata
To display messages related to performance data collection, use the debug syscon perfdata command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug syscon perfdata
no debug syscon perfdata
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Usage Guidelines
This command is primarily useful to your technical support representative.
Examples
The following is sample output from the debug syscon perfdata command. In this example, the CallFail poll group is configured and applied to shelf 1111. The system determines when the next polling cycle should occur and polls the shelf at the appropriate time. The data is stored in the file CallFail.891645120, and an older file is deleted.
Router# debug syscon perfdataPERF: Applying 'CallFail' to shelf 1111PERF: Setting up objects for SNMP polling: 'CallFail', shelf 1111PERF: year hours mins secs msecs = 1998 15 11 1 5PERF: Start 'CallFail' timer, next cycle in 0 mins, 59 secsPERF: Timer event: CallFail, 4 minutesPERF: Polling 'CallFail', shelf 1111, pc 60AEFDF0PERF: SNMP resp: Type 6, 'CallFail', shelf 1111, error_st 0PERF: Logged polled data to disk0:/performance/shelf-1111/CallFail.891645120PERF: Deleted disk0:/performance/shelf-1111/CallFail.891637469debug syscon sdp
To display messages related to the Shelf Discovery Protocol (SDP), use the debug syscon sdp command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug syscon sdp
no debug syscon sdp
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Usage Guidelines
Use this command to display information about SDP packets exchanged between the shelf and the system controller.
Examples
The following sample output from the debug syscon sdp command shows the system controller discovering a managed shelf. In the first few lines, the system controller receives a hello packet from shelf 99 at 172.23.66.106. The system controller responds with a hello packet. When the shelf sends another hello packet, the system controller resets the timer and sends another packet.
Syscon# debug syscon sdpSYSCTLR: Hello packet received via UDP from 172.23.66.106%SYSCTLR-6-SHELF_ADD: Shelf 99 discovered located at address 172.23.66.106Hello packet sent to the RS located at 172.23.66.106SYSCTLR: Hello packet received via UDP from 172.23.66.106Timer for shelf 99 updated, shelf is aliveHello packet sent to the RS located at 172.23.66.106The following sample output from the debug syscon sdp command shows the shelf contacting the system controller. The shelf sends a hello packet to the system controller at 172.23.66.111. The system controller responds with the autoconfiguration commands. The remaining lines show the Hello packets were exchanged between the shelf and the system controller.
Shelf# debug syscon sdpSYSCTLR: Hello packet sent to the SYSCTLR at 172.23.66.111SYSCTLR: Command packet received from SYSCTLRFeb 24 17:24:16.713: %SHELF-6-SYSCTLR_ESTABLISHED: Configured via system controller located at 172.23.66.111SYSCTLR: Rcvd HELLO from SYSCTLR at 172.23.66.111SYSCTLR: Hello packet sent to the SYSCTLR at 172.23.66.111SYSCTLR: Rcvd HELLO from SYSCTLR at 172.23.66.111debug syslog-server
To display information about the syslog server process, use the debug syslog-server command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug syslog-server
no debug syslog-server
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Usage Guidelines
This command outputs a message every time the syslog server receives a message. It also displays information about subfile creation, removal, and renaming.
Use this command when subfiles are not being created as configured or data is not being written to subfiles. This command is also useful for detecting syslog file size mismatches.
Examples
The following is sample output from the debug syslog-server command. The sample output shows when the following command has been added to the configuration:
logging syslog-server 10 3 syslogsThis example shows the files being created. Use the dir disk0:/syslogs.dir command to display the contents of the newly created directory.
Router# debug syslog-serverSYSLOG_SERVER:Syslog file syslogsSYSLOG_SERVER:Directory disk0:/syslogs.dir created.SYSLOG_SERVER:Syslog file syslogs created successfully.When a syslog message is received, the router checks to determine if the current file will be too large when the new data is added. In this example, two messages are added to the file.
SYSLOG_SERVER: Configured size : 10240 bytesCurrent size : 0 bytesData size : 68 bytesNew size : 68 bytesSYSLOG_SERVER: Wrote 68 bytes successfully.SYSLOG_SERVER: Configured size : 10240 bytesCurrent size : 68 bytesData size : 61 bytesNew size : 129 bytesSYSLOG_SERVER: Wrote 61 bytes successfully.Table 308 describes the significant fields shown in the display.
The following output indicates that the current file is too full to fit the next syslog message. The oldest subfile is removed, and the remaining files are renamed. A new file is created and opened for writing syslog messages.
SYSLOG_SERVER:Last archive subfile disk0:/syslogs.dir/syslogs.2 removed.SYSLOG_SERVER: Subfile disk0:/syslogs.dir/syslogs.1 renamed as disk0:/syslogs.dir/syslogs.2.SYSLOG_SERVER:subfile disk0:/syslogs.dir/syslogs.cur renamed as disk0:/syslogs.dir/syslogs.1.SYSLOG_SERVER:Current subfile disk0:/syslogs.dir/syslogs.cur has been opened.debug tacacs
To display information associated with TACACS, use the debug tacacs command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug tacacs
no debug tacacs
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Usage Guidelines
TACACS is a distributed security system that secures networks against unauthorized access. Cisco supports TACACS under the authentication, authorization, and accounting (AAA) security system.
Use the debug aaa authentication command to get a high-level view of login activity. When TACACS is used on the router, you can use the debug tacacs command for more detailed debugging information.
Examples
The following is sample output from the debug aaa authentication command for a TACACS login attempt that was successful. The information indicates that TACACS+ is the authentication method used.
Router# debug aaa authentication14:01:17: AAA/AUTHEN (567936829): Method=TACACS+14:01:17: TAC+: send AUTHEN/CONT packet14:01:17: TAC+ (567936829): received authen response status = PASS14:01:17: AAA/AUTHEN (567936829): status = PASSThe following is sample output from the debug tacacs command for a TACACS login attempt that was successful, as indicated by the status PASS:
Router# debug tacacs14:00:09: TAC+: Opening TCP/IP connection to 192.168.60.15 using source 10.116.0.7914:00:09: TAC+: Sending TCP/IP packet number 383258052-1 to 192.168.60.15 (AUTHEN/START)14:00:09: TAC+: Receiving TCP/IP packet number 383258052-2 from 192.168.60.1514:00:09: TAC+ (383258052): received authen response status = GETUSER14:00:10: TAC+: send AUTHEN/CONT packet14:00:10: TAC+: Sending TCP/IP packet number 383258052-3 to 192.168.60.15 (AUTHEN/CONT)14:00:10: TAC+: Receiving TCP/IP packet number 383258052-4 from 192.168.60.1514:00:10: TAC+ (383258052): received authen response status = GETPASS14:00:14: TAC+: send AUTHEN/CONT packet14:00:14: TAC+: Sending TCP/IP packet number 383258052-5 to 192.168.60.15 (AUTHEN/CONT)14:00:14: TAC+: Receiving TCP/IP packet number 383258052-6 from 192.168.60.1514:00:14: TAC+ (383258052): received authen response status = PASS14:00:14: TAC+: Closing TCP/IP connection to 192.168.60.15The following is sample output from the debug tacacs command for a TACACS login attempt that was unsuccessful, as indicated by the status FAIL:
Router# debug tacacs13:53:35: TAC+: Opening TCP/IP connection to 192.168.60.15 using source192.48.0.7913:53:35: TAC+: Sending TCP/IP packet number 416942312-1 to 192.168.60.15(AUTHEN/START)13:53:35: TAC+: Receiving TCP/IP packet number 416942312-2 from 192.168.60.1513:53:35: TAC+ (416942312): received authen response status = GETUSER13:53:37: TAC+: send AUTHEN/CONT packet13:53:37: TAC+: Sending TCP/IP packet number 416942312-3 to 192.168.60.15(AUTHEN/CONT)13:53:37: TAC+: Receiving TCP/IP packet number 416942312-4 from 192.168.60.1513:53:37: TAC+ (416942312): received authen response status = GETPASS13:53:38: TAC+: send AUTHEN/CONT packet13:53:38: TAC+: Sending TCP/IP packet number 416942312-5 to 192.168.60.15(AUTHEN/CONT)13:53:38: TAC+: Receiving TCP/IP packet number 416942312-6 from 192.168.60.1513:53:38: TAC+ (416942312): received authen response status = FAIL13:53:40: TAC+: Closing TCP/IP connection to 192.168.60.15Related Commands
debug aaa accounting
Displays information on accountable events as they occur.
debug aaa authentication
Displays information on AAA/TACACS+ authentication.
debug tacacs accounting
To display information about TACACS+ protocol accounting debugging, use the debug tacacs accounting command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug tacacs accounting
no debug tacacs accounting
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Usage Guidelines
Use the debug tacacs accounting command only in response to a request from service personnel to collect data when a problem has been reported.
Caution
The TACACS protocol is used on routers to assist in managing user accounts. TACACS+ enhances the TACACS functionality by adding security features and cleanly separating the authentication, authorization, and accounting (AAA) functionality.
The TACACS debug messages are intended to be self-explanatory or for consumption by service personnel only.
Examples
The following example enables TACACS+ protocol accounting debugging:
Router# debug tacacs accountingTACACS+ accounting debugging is onRelated Commands
debug tacacs authentication
To display information about TACACS+ protocol authentication debugging, use the debug tacacs authentication command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug tacacs authentication
no debug tacacs authentication
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Usage Guidelines
Use the debug tacacs authentication command only in response to a request from service personnel to collect data when a problem has been reported.
Caution
The TACACS protocol is used on routers to assist in managing user accounts. TACACS+ enhances the TACACS functionality by adding security features and cleanly separating the authentication, authorization, and accounting (AAA) functionality.
The TACACS debug messages are intended to be self-explanatory or for consumption by service personnel only.
Examples
The following example enables TACACS+ protocol authentication debugging:
Router# debug tacacs authenticationTACACS+ authentication debugging is onRelated Commands
debug tacacs authorization
To display information about TACACS+ protocol authorization debugging, use the debug tacacs authorization command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug tacacs authorization
no debug tacacs authorization
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Usage Guidelines
Use the debug tacacs authorization command only in response to a request from service personnel to collect data when a problem has been reported.
Caution
The TACACS protocol is used on routers to assist in managing user accounts. TACACS+ enhances the TACACS functionality by adding security features and cleanly separating the authentication, authorization, and accounting (AAA) functionality.
The TACACS debug messages are intended to be self-explanatory or for consumption by service personnel only.
Examples
The following example enables TACACS+ protocol authorization debugging:
Router# debug tacacs authorizationTACACS+ authorization debugging is onRelated Commands
debug tacacs events
To display information from the TACACS+ helper process, use the debug tacacs events command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug tacacs events
no debug tacacs events
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Usage Guidelines
Use the debug tacacs events command only in response to a request from service personnel to collect data when a problem has been reported.
Caution
The TACACS protocol is used on routers to assist in managing user accounts. TACACS+ enhances the TACACS functionality by adding security features and cleanly separating out the authentication, authorization, and accounting (AAA) functionality.
Examples
The following is sample output from the debug tacacs events command. In this example, the opening and closing of a TCP connection to a TACACS+ server are shown, and the bytes read and written over the connection and the TCP status of the connection:
Router# debug tacacs events%LINK-3-UPDOWN: Interface Async2, changed state to up00:03:16: TAC+: Opening TCP/IP to 192.168.58.104/1049 timeout=1500:03:16: TAC+: Opened TCP/IP handle 0x48A87C to 192.168.58.104/104900:03:16: TAC+: periodic timer started00:03:16: TAC+: 192.168.58.104 req=3BD868 id=-1242409656 ver=193 handle=0x48A87C (ESTAB)expire=14 AUTHEN/START/SENDAUTH/CHAP queued00:03:17: TAC+: 192.168.58.104 ESTAB 3BD868 wrote 46 of 46 bytes00:03:22: TAC+: 192.168.58.104 CLOSEWAIT read=12 wanted=12 alloc=12 got=1200:03:22: TAC+: 192.168.58.104 CLOSEWAIT read=61 wanted=61 alloc=61 got=4900:03:22: TAC+: 192.168.58.104 received 61 byte reply for 3BD86800:03:22: TAC+: req=3BD868 id=-1242409656 ver=193 handle=0x48A87C (CLOSEWAIT) expire=9AUTHEN/START/SENDAUTH/CHAP processed00:03:22: TAC+: periodic timer stopped (queue empty)00:03:22: TAC+: Closing TCP/IP 0x48A87C connection to 192.168.58.104/104900:03:22: TAC+: Opening TCP/IP to 192.168.58.104/1049 timeout=1500:03:22: TAC+: Opened TCP/IP handle 0x489F08 to 192.168.58.104/104900:03:22: TAC+: periodic timer started00:03:22: TAC+: 192.168.58.104 req=3BD868 id=299214410 ver=192 handle=0x489F08 (ESTAB)expire=14 AUTHEN/START/SENDPASS/CHAP queued00:03:23: TAC+: 192.168.58.104 ESTAB 3BD868 wrote 41 of 41 bytes00:03:23: TAC+: 192.168.58.104 CLOSEWAIT read=12 wanted=12 alloc=12 got=1200:03:23: TAC+: 192.168.58.104 CLOSEWAIT read=21 wanted=21 alloc=21 got=900:03:23: TAC+: 192.168.58.104 received 21 byte reply for 3BD86800:03:23: TAC+: req=3BD868 id=299214410 ver=192 handle=0x489F08 (CLOSEWAIT) expire=13AUTHEN/START/SENDPASS/CHAP processed00:03:23: TAC+: periodic timer stopped (queue empty)The TACACS messages are intended to be self-explanatory or for consumption by service personnel only. However, the messages shown are briefly explained in the following text.
The following message indicates that a TCP open request to host 192.168.58.104 on port 1049 will time out in 15 seconds if it gets no response:
00:03:16: TAC+: Opening TCP/IP to 192.168.58.104/1049 timeout=15The following message indicates a successful open operation and provides the address of the internal TCP "handle" for this connection:
00:03:16: TAC+: Opened TCP/IP handle 0x48A87C to 192.168.58.104/1049The following message indicates that a TACACS+ request has been queued:
00:03:16: TAC+: 192.168.58.104 req=3BD868 id=-1242409656 ver=193 handle=0x48A87C (ESTAB) expire=14 AUTHEN/START/SENDAUTH/CHAP queuedThe message identifies the following:
•
•
•
•
•
•
–
–
–
–
–
–
–
–
–
–
–
•
•
The following message indicates that all 46 bytes were written to address 192.168.58.104 for request 3BD868:
00:03:17: TAC+: 192.168.58.104 ESTAB 3BD868 wrote 46 of 46 bytesThe following message indicates that 12 bytes were read in reply to the request:
00:03:22: TAC+: 192.168.58.104 CLOSEWAIT read=12 wanted=12 alloc=12 got=12The following message indicates that 49 more bytes were read, making a total of 61 bytes in all, which is all that was expected:
00:03:22: TAC+: 192.168.58.104 CLOSEWAIT read=61 wanted=61 alloc=61 got=49The following message indicates that a complete 61-byte reply has been read and processed for request 3BD868:
00:03:22: TAC+: 192.168.58.104 received 61 byte reply for 3BD868 00:03:22: TAC+: req=3BD868 id=-1242409656 ver=193 handle=0x48A87C (CLOSEWAIT) expire=9 AUTHEN/START/SENDAUTH/CHAP processedThe following message indicates that the TACACS+ server helper process switched itself off when it had no more work to do:
00:03:22: TAC+: periodic timer stopped (queue empty)Related Commands
debug tacacs packet
To display information about TACACS+ protocol packets debugging, use the debug tacacs packet command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug tacacs packet
no debug tacacs packet
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Usage Guidelines
Use the debug tacacs packet command only in response to a request from service personnel to collect data when a problem has been reported.
Caution
The TACACS protocol is used on routers to assist in managing user accounts. TACACS+ enhances the TACACS functionality by adding security features and cleanly separating the authentication, authorization, and accounting (AAA) functionality.
The TACACS debug messages are intended to be self-explanatory or for consumption by service personnel only.
Examples
The following example enables TACACS+ protocol packets debugging:
Router# debug tacacs packetTACACS+ packets debugging is onRelated Commands
Posted: Mon Aug 20 09:22:59 PDT 2007
All contents are Copyright © 1992--2007 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.
