Packet Capture on Cisco ASA
Perform packet captures on a Cisco ASA firewall.
Introduction
I’ve found that people sometimes get nervous running debug commands as well as captures. There are horror stories where you run a debug command and the firewall just locks up. This fear is understandable given the critical nature of firewalls in maintaining network security and uptime. However, with the right knowledge and precautions, these powerful tools can be used safely and effectively. Understanding how to execute these commands properly can help alleviate concerns and ensure that you can troubleshoot issues without compromising system stability.
I have been doing quite a bit of troubleshooting on site-to-site VPN tunnels and have had to get some captures to confirm exactly what is happening.
How to Run the Capture
Below is a sample command that captures traffic matching the host 1.1.1.1, which in my case is the VPN peer IP address.
Once the capture is configured, you can view it by running the following command:
You should see some information similar to this:
After you view the capture and don’t need it anymore, you can clear all the captures on the ASA with the following command:
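The configure, view and clean-up steps described above, as an added example in ASA CLI; it is not the author's original listing. The capture name `VPNPEER`, the interface name `outside` and the buffer size are assumptions, and 1.1.1.1 is the peer address from the text.

```cisco
! Added example: VPNPEER and "outside" are assumed names; 1.1.1.1 is the peer from the text.
! Capture IP traffic to or from the VPN peer on the outside interface.
! The explicit buffer size (in bytes) bounds memory use; without circular-buffer
! the capture stops collecting when the buffer fills.
capture VPNPEER interface outside buffer 1048576 match ip host 1.1.1.1 any

! List the configured captures and how many bytes each one holds.
show capture

! Display the captured packets, then the same packets with more detail.
show capture VPNPEER
show capture VPNPEER detail

! Empty this capture's buffer but leave the capture configured
! (useful between test attempts).
clear capture VPNPEER

! Remove this one capture entirely when finished.
no capture VPNPEER

! Empty the buffers of every capture on the ASA.
clear capture /all
```

Scoping the match to a single peer and setting a fixed buffer keeps the capture small, which addresses the stability concern raised in the introduction.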