Cisco Systems ASA Services Module Webcam User Manual


 
30-32
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 30 Configuring the ASA CX Module
Troubleshooting the ASA CX Module
Capturing Module Traffic
To configure and view packet captures for the ASA CX module, enter one of the following commands:

Command                                Purpose
capture name interface asa_dataplane   Captures packets between the ASA CX module and the ASA on the backplane.
copy capture                           Copies the capture file to a server.
show capture                           Shows the capture at the ASA console.

Note: Captured packets contain an additional AFBP header that your PCAP viewer might not understand; be
sure to use the appropriate plugin to view these packets.

Problems with the Authentication Proxy
If you are having a problem using the authentication proxy feature, follow these steps to troubleshoot
your configuration and connections:
1. Check your configurations.
   - On the ASA, check the output of the show asp table classify domain cxsc-auth-proxy command
     and make sure there are rules installed and that they are correct.
   - In PRSM, ensure the directory realm is created with the correct credentials and test the connection
     to make sure you can reach the authentication server; also ensure that a policy object or objects are
     configured for authentication.
2. Check the output of the show service-policy cxsc command to see if any packets were proxied.
3. Perform a packet capture on the backplane, and check to see if traffic is being redirected on the
   correct configured port. See the “Capturing Module Traffic” section on page 30-32. You can check
   the configured port using the show running-config cxsc command or the show asp table classify
   domain cxsc-auth-proxy command.

Note: If you have a connection between hosts on two ASA interfaces, and the ASA CX service policy is only
configured for one of the interfaces, then all traffic between these hosts is sent to the ASA CX module,
including traffic originating on the non-ASA CX interface (the feature is bidirectional). However, the
ASA only performs the authentication proxy on the interface to which the service policy is applied,
because this feature is ingress-only.

Example 30-1 Make sure port 2000 is used consistently:
1. Check the authentication proxy port:
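
The configuration checks in the authentication proxy troubleshooting steps (classify rules are installed, and the same authentication proxy port appears everywhere) can be scripted against saved command output. The following is an added example, not part of the Cisco guide; the sample output is constructed, and its line formats, the function names and the address 192.168.0.100 are assumptions.

```python
import re

# Constructed sample output for the two show commands named in the steps;
# the line formats are assumptions, not captured from a real device.
RUNNING_CONFIG = "cxsc auth-proxy port 2000\n"
ASP_TABLE = """\
Input Table
in  id=0x7ffed86cc470, priority=121, domain=cxsc-auth-proxy, deny=false
        hits=0, user_data=0x7ffed86ca220, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=192.168.0.100, mask=255.255.255.255, port=2000, dscp=0x0
        input_ifc=inside, output_ifc=identity
"""

def configured_port(running_config):
    """Port from a 'cxsc auth-proxy port N' line, or None if no such line."""
    m = re.search(r"^\s*cxsc auth-proxy port (\d+)\s*$", running_config, re.M)
    return int(m.group(1)) if m else None

def rule_ports(asp_table):
    """(input interface, destination port) for each cxsc-auth-proxy rule."""
    rules = []
    # Each rule starts with an 'in id=...' line; split the table on those.
    for block in re.split(r"(?m)^(?=in\s+id=)", asp_table):
        if "domain=cxsc-auth-proxy" not in block:
            continue
        port = re.search(r"dst ip/id=[^,]+, mask=[^,]+, port=(\d+)", block)
        ifc = re.search(r"input_ifc=([^,\s]+)", block)
        if port:
            rules.append((ifc.group(1) if ifc else "?", int(port.group(1))))
    return rules

def check_auth_proxy(running_config, asp_table):
    """Return a list of findings; empty means rules exist and ports agree."""
    findings = []
    port = configured_port(running_config)
    rules = rule_ports(asp_table)
    if port is None:
        findings.append("no 'cxsc auth-proxy port' line in the supplied output")
    if not rules:
        findings.append("no cxsc-auth-proxy classify rules installed")
    for ifc, rport in rules:
        if port is not None and rport != port:
            findings.append(f"rule on {ifc} uses port {rport}, config says {port}")
    return findings

if __name__ == "__main__":
    print(check_auth_proxy(RUNNING_CONFIG, ASP_TABLE) or "consistent")
```

An empty result covers only the ASA-side checks; the PRSM realm test and the backplane capture still have to be done by hand.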