69-15
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 69 Using External Monitoring, Troubleshooting, and Diagnostic Tools
Analyzing Connectivity Issues Using the Ping, Trace Route, or NS Lookup Tools
Applicability
The Ping tool is applicable on the following devices: ASA (7.0 – 8.3), PIX [6.3(1-5) to 8.0(2-4)], FWSM
[2.2(1) – 4.1(1)], and all IOS. It is not applicable to IPS.
The Trace Route tool is applicable on the following devices: ASA [7.2(1) and onward], PIX [6.3(1-5) to
8.0(2-4)], and all IOS. It is not applicable to FWSM or IPS.
The NS Lookup tool is not supported on any of the devices managed by CSM; instead, you run it from the
CSM client using the Windows API.
Analyzing Configuration Using Ping
By default, the ping tool uses ICMP echo request and echo reply messages to test reachability to a
remote system. You can also choose to use TCP to ping. In its simplest form, ping confirms
that an IP packet is capable of getting to and getting back from a destination IP address. A ping is sent
to an IP address and it returns a reply. This process enables network devices to discover, identify, and
test each other. From within Security Manager, you can designate both the network device from which
to issue the ping command, and the target of the echo request. This tool generally returns two pieces of
information: whether the source can reach the destination (and, by inference, vice versa), and the
round-trip time (RTT, typically in milliseconds).
You can use the Ping diagnostic tool in a variety of ways, including:
- Pinging to a security appliance—Ping an interface on another security appliance to verify that it
  is up and responding.
- Loopback testing of two interfaces—Initiate a ping from one interface to another on the same
  security appliance, as an external loopback test to verify basic “up” status and operation of each
  interface.
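The ICMP echo exchange described above, as an added example that is not taken from the Cisco guide or from Security Manager: it builds an echo request and its reply, rejects packets with a bad checksum, and reports an RTT only when the reply's identifier, sequence number and payload match the request. The packet contents and timestamps are constructed sample values.

```python
import struct

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length data
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(msg_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo request (type 8) or echo reply (type 0)."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload

def parse_echo(packet: bytes):
    """Return (type, ident, seq, payload), or None if malformed or corrupted."""
    # A packet with a correct checksum field sums to zero.
    if len(packet) < 8 or inet_checksum(packet) != 0:
        return None
    msg_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if code != 0 or msg_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return None
    return msg_type, ident, seq, packet[8:]

def match_reply(request: bytes, reply: bytes, sent_at: float, received_at: float):
    """Return the RTT in milliseconds if reply answers request, else None."""
    req, rep = parse_echo(request), parse_echo(reply)
    if req is None or rep is None:
        return None
    if req[0] != ICMP_ECHO_REQUEST or rep[0] != ICMP_ECHO_REPLY:
        return None
    if req[1:] != rep[1:]:                   # ident, seq and payload must echo back
        return None
    return (received_at - sent_at) * 1000.0

if __name__ == "__main__":
    payload = b"csm-ping-test"               # constructed sample payload
    request = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, payload)
    reply = build_echo(ICMP_ECHO_REPLY, 0x1234, 1, payload)
    stale = build_echo(ICMP_ECHO_REPLY, 0x1234, 7, payload)
    print("RTT ms:", match_reply(request, reply, 10.0, 10.0125))
    print("stale reply:", match_reply(request, stale, 10.0, 10.0125))
```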
Table 69-3 Profiles of the Ping, Trace Route, and NS Lookup Troubleshooting Commands

Tool         Profile
Ping         Use Ping to test whether a particular host is reachable across an IP
             network and to measure the round-trip time for packets sent from the
             local host to a destination computer. This can include measuring the
             local host’s own interfaces using ICMP messages.
             See Analyzing Configuration Using Ping, page 69-15 for details on
             using this tool.
Trace Route  Use trace route to show the route taken by packets across an IP network.
             The system returns the number of hops taken and the addresses of each
             device traversed.
             See Analyzing Configuration Using TraceRoute, page 69-17 for details
             on using this tool.
NS Lookup    Use NS lookup (namespace lookup) to issue an NS lookup command
             from a device so you can test the contents of the DNS server that the
             queried device uses.
             See Analyzing Configuration Using NS Lookup, page 69-18 for details
             on using this tool.