Skip to main content



Cisco Defense Orchestrator

Troubleshoot User Access with CDO

Consider the case of users being denied access to a resource that they should have access to. Here is an approach you can take to diagnose and remediate that problem.

  1. Users inform your security team that their access to a resource is blocked. Determine how that resource is typically reached. What is it's IP address? Do you reach it on a specific port? What protocol is used to send information to the resource?
  2. From the Devices & Services page, select the ASA and run packet tracer. See ASA Packet Tracer for more instructions.
  3. Examine the packet trace table for rules that may have denied access to the resource.
  4. After identifying the rule denying access, create a change request label in CDO and enable it. See Change Request Management. This will help you identify in Change Log policy changes you made to allow access to the resource. 
  5. Edit the rule from CDO to correct the behavior. Your ASA is now out of sync with CDO.
  6. Deploy the changes to the ASA from the Devices & Services page. CDO traces packets through the configuration saved on the ASA not a configuration staged on CDO. Be aware, you will also be deploying any other configuration changes staged on CDO to your ASA.
  7. Re-run packet tracer to determine if the policy change provides the desired results. Confirm that your users now have access to the resource. 
  8. Assuming your users now have access, clear the change request label in CDO. This prevents unrelated activity from being associated with this fix. 

Tip: If the change you made doesn't fix the problem or creates some new problems and you want to return to your previous configuration, you can do restore the ASA Configuration. See "Restoring ASA Configurations."

  • Was this article helpful?