Cisco Systems ASA 5545-X, ASA 5555-X, ASA 5580, ASA 5585-X, ASA Services Module, ASA 5505 Troubleshooting the ASA CX Module

30-32

Cisco ASA Series Firewall ASDM Configuration Guide

Chapter30 Configuring the ASA CX Module

Troubleshooting the ASA CX Module

To configure and view packet captures for the ASA CX module, enter one of the following commands:

Note Captured packets contain an additional AFBP header that your PCAP viewer might not understand; be

sure to use the appropriate plugin to view these packets.

Troubleshooting the ASA CX Module

•Problems with the Authentication Proxy, page30-32

If you are having a problem using the authentication proxy feature, follow these steps to troubleshoot

your configuration and connections:

1. Check your configurations.

•On the ASA, check the output of the show asp table classify domain cxsc-auth-proxy command

and make sure there are rules installed and that they are correct.

•In PRSM, ensure the directory realm is created with the correct credentials and test the connection

to make sure you can reach the authentication server; also ensure that a policy object or objects are

configured for authentication.

2. Check the output of the show service-policy cxsc command to see if any packets were proxied.

3. Perform a packet capture on the backplane, and check to see if traffic is being redirected on the

correct configured port. See the “Capturing Module Traffic” section on page30-32. You can check

the configured port using the show running-config cxsc command or the show asp table classify

domain cxsc-auth-proxy command.

Note If you have a connection between hosts on two ASA interfaces, and the ASA CX service policy is only

configured for one of the interfaces, then all traffic between these hosts is sent to the ASA CX module,

including traffic orginiating on the non-ASA CX interface (the feature is bidirectional). However, the

ASA only performs the authentication proxy on the interface to which the service policy is applied,

because this feature is ingress-only.

Example3 0-1 Make sure port 2000 is used consistently:

1. Check the authentication proxy port:

Command Purpose

capture name interface asa_dataplane Captures packets between ASA CX module and the ASA on the

backplane.

copy capture Copies the capture file to a server.

show capture Shows the capture at the ASA console.

Cisco Systems Troubleshooting the ASA CX Module