Cisco ASA useful commands


There are thousands of commands available on the Cisco ASA. I found some of the commands very useful when troubleshooting.

1. Removing a tunnel-group

tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
   ikev1 pre-shared-key lksdjflksd565glmfb

ASA (config)# clear configure tunnel-group

2. Viewing a list of Remote access VPN users

ASA# show vpn-sessiondb anyconnect | incl U
Username     : user1              Index        : 6787
Username     : user2              Index        : 8765

3. Display information about a particular user

ASA# show vpn-sessiondb anyconnect filter name user1

Session Type: AnyConnect

Username     : user1                  Index        : 6787
Assigned IP  :             Public IP    :
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Essentials
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES256  DTLS-Tunnel: (1)AES256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA256  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 3894551326             Bytes Rx     : 1305056771
Group Policy : GRP-POLICY.            Tunnel Group : RA-VPN
Login Time   : 16:50:12 BST Tue May 7 2020
Duration     : 0d 8h:26m:44s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : 00000000019e9025eb16f50
Security Grp : 10:Sales        
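
When this output is collected for many users, it helps to turn it into structured data. The following is an added example, not part of the original post: a small Python parser for the non-detail session layout shown above, which also lists tunnels whose hash is on a weak list. The sample addresses and the WEAK_HASHES policy set are assumptions.

```python
import re

# Constructed sample in the layout of the output above. The addresses are
# documentation-range placeholders, not values from the original page.
SAMPLE = """\
Session Type: AnyConnect

Username     : user1                  Index        : 6787
Assigned IP  : 192.0.2.10             Public IP    : 198.51.100.20
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES256  DTLS-Tunnel: (1)AES256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA256  DTLS-Tunnel: (1)SHA1
Group Policy : GRP-POLICY             Tunnel Group : RA-VPN
Login Time   : 16:50:12 BST Tue May 7 2020
"""

# "Key : value" pairs; a row may hold two pairs separated by a run of spaces.
PAIR = re.compile(
    r"([A-Za-z][A-Za-z ]*?)\s*:\s+(.*?)(?=\s{2,}[A-Za-z][A-Za-z ]*?\s+:\s|\s*$)"
)
# Entries such as "DTLS-Tunnel: (1)SHA1" inside the Encryption/Hashing rows.
TUNNEL = re.compile(r"(\S+):\s*\(\d+\)(\S+)")
PER_TUNNEL = {"Encryption", "Hashing"}
WEAK_HASHES = {"SHA1", "MD5"}  # assumption: hashes local policy wants phased out


def parse_session(text):
    """Return {field: value}; Encryption and Hashing become {tunnel: algorithm}."""
    session = {}
    for line in text.splitlines():
        for key, value in PAIR.findall(line):
            session[key] = dict(TUNNEL.findall(value)) if key in PER_TUNNEL else value
    return session


def weak_tunnels(session, weak=WEAK_HASHES):
    """Names of the tunnels in one session whose hash is on the weak list."""
    hashing = session.get("Hashing", {})
    return sorted(t for t, algo in hashing.items() if algo.upper() in weak)


if __name__ == "__main__":
    s = parse_session(SAMPLE)
    print(s["Username"], s["Tunnel Group"], weak_tunnels(s))
```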

4. View the IPsec SAs built between peers.

The show crypto ipsec sa command shows the IPsec SAs that are built between the peers. The encrypted tunnel is built between IP addresses and the traffic that flows between the networks and You can also see the two ESP SAs built for the inbound and outbound traffic.

ASA/act/sec# show crypto ipsec sa peer
peer address:
    Crypto map tag: map, seq num: 10, local addr:

      access-list VPN-ACL extended permit ip 
      local ident (addr/mask/prot/port): (
      remote ident (addr/mask/prot/port): (

      #pkts encaps: 16905, #pkts encrypt: 16905, #pkts digest: 16905
      #pkts decaps: 16906, #pkts decrypt: 16906, #pkts verify: 16906
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 16905, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.:, remote crypto endpt.:
      path mtu 1500, ipsec overhead 82(52), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: CEFTYUBA
      current inbound spi : CTYCBHYJ
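
The counter rows are the part of this output most often compared by eye. As an added example (not part of the original post), this Python sketch parses them per peer and reports one-way traffic or non-zero error counters. The sample addresses and the rules in findings() are assumptions.

```python
import re

# Constructed sample in the layout of the output above, trimmed to the counter
# rows. Addresses are documentation-range placeholders, not the page's values.
SAMPLE = """\
peer address: 203.0.113.1
    Crypto map tag: map, seq num: 10, local addr: 198.51.100.1
      #pkts encaps: 16905, #pkts encrypt: 16905, #pkts digest: 16905
      #pkts decaps: 16906, #pkts decrypt: 16906, #pkts verify: 16906
      #send errors: 0, #recv errors: 0
peer address: 203.0.113.2
    Crypto map tag: map, seq num: 20, local addr: 198.51.100.1
      #pkts encaps: 420, #pkts encrypt: 420, #pkts digest: 420
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 3
"""

PEER = re.compile(r"^\s*peer address:\s*(\S+)")
COUNTER = re.compile(r"#([A-Za-z][\w -]*?):\s*(\d+)")


def parse_ipsec_sa(text):
    """Return {peer: {counter: int}}, summing counters over the peer's SAs."""
    peers, current = {}, None
    for line in text.splitlines():
        m = PEER.match(line)
        if m:
            current = peers.setdefault(m.group(1), {})
        elif current is not None:
            for name, value in COUNTER.findall(line):
                current[name] = current.get(name, 0) + int(value)
    return peers


def findings(c):
    """Heuristic reading of one peer's counters (the rules are assumptions)."""
    out = []
    if c.get("pkts encaps", 0) and not c.get("pkts decaps", 0):
        out.append("encaps without decaps (one-way, outbound only)")
    if c.get("pkts decaps", 0) and not c.get("pkts encaps", 0):
        out.append("decaps without encaps (one-way, inbound only)")
    for name in ("send errors", "recv errors"):
        if c.get(name, 0):
            out.append(f"{name}: {c[name]}")
    return out


if __name__ == "__main__":
    for peer, counters in parse_ipsec_sa(SAMPLE).items():
        print(peer, findings(counters) or "ok")
```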

5. ping tcp

This command allows the ASA device to send any TCP packet (TCP SYN) from any source IP to any destination IP on any port. This is very handy for troubleshooting. In this example, I'm testing connectivity from to ( on port 80

 ping tcp $source_interface $dest_ip $dest_port source $src_ip $src_port
ASA# ping tcp inside 80 source 25000  
Type escape sequence to abort.
Sending 5 TCP SYN requests to port 80
from starting port 25000, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 69/70/73 ms

6. Find the name of an object for

ASA# show running-config object network in-line | i

object network web-server1 host

Note - in-line is used to view the output in one line

ASA# show run object network ?

  in-line  display the output in one line
  |        Output modifiers

7. View the contents of an object

ASA# show run object id web-server1

object network web-server1

8. View the contents of an object group

ASA# show run object-group id public-servers

object-group network public-servers
 network-object host
 network-object host

9. packet-tracer utility

You can use the packet-tracer command to check whether traffic is able to traverse the firewall.

ASA# packet-tracer input $source_interface $traffic_type $src_ip $src_port $dest_ip $dest_port

ASA# packet-tracer input inside tcp 25000 80

10. View active IP-SGT Bindings

You can use the show cts sgt-map command to find the security group tag (SGT) assigned to a specific IP via ISE.

ASA# show cts sgt-map               

Active IP-SGT Bindings Information

IP Address          SGT   Source
================================================================
                    11    SXP
                    13    SXP
                    22    SXP
                    17    SXP

11. View detailed information about a remote access VPN user, such as OS and AnyConnect client version

Note - You can remove the filter to view the entire output.

ASA# show vpn-sessiondb detail anyconnect filter name user1 | incl Client

Client OS    : mac-intel              
Client OS Ver: 10.13.6                
Client Type  : AnyConnect
Client Ver   : Cisco AnyConnect VPN Agent for Mac OS X 4.7.04056
Client OS    : Mac OS X               
Client Type  : SSL VPN Client
Client Ver   : Cisco AnyConnect VPN Agent for Mac OS X 4.7.04056
Client OS    : Mac OS X               
Client Type  : DTLS VPN Client
Client Ver   : Cisco AnyConnect VPN Agent for Mac OS X 4.7.04056

Thanks for reading

As always, your feedback and comments are more than welcome.

Written by
Suresh Vina