Troubleshoot an ASA Device Security Policy

Procedure

Step 1

From the Inventory page, select your ASA, and click Troubleshoot in the Actions pane.

Step 2

In the Values pane, select the interface and packet type you want to send virtually through your ASA.

Step 3

(Optional) If you want to trace a packet where the security group tag value is embedded in the Layer 2 CMD header (Trustsec), check SGT number and enter the security group tag number, 0-65535.

Step 4

Specify the source and destination. You can specify IPv4 or IPv6 addresses, fully-qualified domain names (FQDN), or security group names or tags if you use Cisco Trustsec. For the source address, you can also specify a username in the format Domain\username.

Step 5

Specify other protocol characteristics:

  • ICMP-Enter the ICMP type, ICMP code (0-255), and optionally, the ICMP identifier.

  • TCP/UDP/SCTP-Enter the source and destination ports by selecting them from the list or entering a value in the port combo box.

  • IP-Enter the protocol number, 0-255.

Step 6

Click Run Packet Tracer.

Step 7

Continue with Analyze Packet Tracer Results.