本文檔介紹與FXOS平台相關的常見問題。
This document presents the common problems associated with the FXOS platform.
Firepower可擴展作業系統(FXOS)是Firepower或安全防火牆平台上的底層作業系統。根據FXOS用於配置功能、監控機箱狀態和訪問高級故障排除功能的平台。
Firepower Extendable Production System (FXOS) is a bottom working system on Firepower or on a security firewall platform. According to FXOS, the configuration function, the monitor box status, and the interview platform for high-level trouble resolution. & nbsp;
Firepower 4100/9300和Firepower 2100上的FXOS以及平台模式下的自適應安全裝置軟體允許配置更改,而在其他平台中,除特定功能外,FXOS是只讀的。
FXOS on Firepower 4100/9300 and Firepower 2100 and self-adapted security device software under platform mode allow configuration changes, while FXOS is read-only in other platforms except for specific functions.
自2.8.x版起,fprm已棄用。因此,FXOS 2.8.x僅支援機箱和刀片顯示技術。
Since version 2.8.x, fprm has been abandoned. Therefore, FXOS 2.8.x only supports machine boxes and blade display techniques.
KSEC-FPR4115-2-1(local-mgmt)# show tech-support fprm detail WARNING: show tech-support fprm detail command is deprecated. Please use show tech-support chassis 1 detail command instead.
- 機箱:包含機箱、刀鋒、介面卡、基板管理控制器(BMC)和思科整合式管理控制器(CIMC)的記錄檔
- 模組:包含邏輯裝置自適應安全裝置(ASA)或Firepower威脅防禦(FTD)所在刀片/模組的日誌檔案。這包括諸如appAgent等元件的日誌)
在2.8.x之前的版本中,FXOS提供三種不同的show tech輸出。FPRM捆綁包包含管理輸入/輸出(MIO)(管理引擎)和服務管理器)的日誌檔案
In the pre-2.8.x version, FXOS provides three different types of show tech output. The FPRM bundle contains journal files for managing input/output (MIO) (managing engine) and service manager
通常,生成全部3個捆綁。使用show tech-support <option> detail生成用於TAC分析的3個不同日誌捆綁:
Generally, all three bundles are generated. Show tech-support & lt; option> detail generates three different daily bindings for TAC analysis:
FPR4140-A# connect local-mgmt FPR4140-A(local-mgmt)# show tech-support fprm detail FPR4140-A(local-mgmt)# show tech-support chassis 1 detail FPR4140-A(local-mgmt)# show tech-support module 1 detail
- 如果不指定細節選項,則會在螢幕上獲得輸出
- detail選項會建立tar檔案
檢查產生的檔案名稱:
Check generated file name:
FPR4140-A(local-mgmt)# dir techsupport/ 1 15595520 Apr 09 17:29:10 2017 20170409172722_FPR4140_FPRM.tar 1 962560 Apr 09 17:32:20 2017 20170409172916_FPR4140_BC1_all.tar 1 7014400 Apr 09 18:06:25 2017 Firepower-Module1_04_09_2017_18_05_59.tar
若要從CLI匯出套件組合,請執行下列動作:
To export packages from CLI, do the following:
FPR4140-A(local-mgmt)# copy workspace:///techsupport/20170409172722_FPR4140_FPRM.tar ftp|tftp|scp|sftp://username@192.168.0.1/
注意:除了FXOS show tech輸出外,邏輯裝置(例如ASA和/或FTD)還具有他們自己的獨立show tech功能。在多例項(MI)的情形中,每個例項還具有自己的獨立show-tech捆綁包。最後,FCM不支援MI show-techs
Note : In addition to FXOS show tech output, logical devices (e.g. ASA and/or FTD) have their own independent show tech functions. In multiple cases, each case has its own separate show-tech bundle. Finally, FCM does not support MI show-techs.
從FXOS 2.6開始,透過「工具」>「故障排除日誌」下的「Firepower機箱管理器(FCM) UI,可以生成和下載FXOS技術支援
Starting with FXOS 2.6, FXOS technology support can be generated and downloaded through FXOS & gt; Firepower Box Manager (FCM UI) under the FXO Journal
在FP9300上:
On FP9300:
在FP41xx上:
On FP41xx:
驗證管理介面配置的方法有以下幾種:
The methods used to verify the configuration of the management interface are as follows:
FPR4115-2-1# show fabric-interconnect
Fabric Interconnect:
ID OOB IP Addr OOB Gateway OOB Netmask OOB IPv6 Address OOB IPv6 Gateway Prefix Operability Ingress VLAN Group Entry Count (Current/Max) Switch Forwarding Path Entry Count (Current/Max)
---- --------------- --------------- --------------- ---------------- ---------------- ------ ----------- -------------------------------------------- ------------------------------------------------
A 10.62.184.19 10.62.184.1 255.255.255.0 :: :: 64 Operable 0/500 14/1021
或
or
FPR4115-2-1# scope fabric-interconnect a
FPR4115-2-1 /fabric-interconnect # show
Fabric Interconnect:
ID OOB IP Addr OOB Gateway OOB Netmask OOB IPv6 Address OOB IPv6 Gateway Prefix Operability Ingress VLAN Group Entry Count (Current/Max) Switch Forwarding Path Entry Count (Current/Max)
---- --------------- --------------- --------------- ---------------- ---------------- ------ ----------- -------------------------------------------- ------------------------------------------------
A 10.62.184.19 10.62.184.1 255.255.255.0 :: :: 64 Operable 0/500 14/1021
FPR4115-2-1 /fabric-interconnect # show detail
Fabric Interconnect:
ID: A
Product Name: Cisco FPR-4115-SUP
PID: FPR-4115-SUP
VID: V01
Vendor: Cisco Systems, Inc.
Serial (SN): JAD12345NY6
HW Revision: 0
Total Memory (MB): 8074
OOB IP Addr: 10.62.184.19
OOB Gateway: 10.62.184.1
OOB Netmask: 255.255.255.0
OOB IPv6 Address: ::
OOB IPv6 Gateway: ::
Prefix: 64
Operability: Operable
Thermal Status: Ok
Ingress VLAN Group Entry Count (Current/Max): 0/500
Switch Forwarding Path Entry Count (Current/Max): 14/1021
Current Task 1:
Current Task 2:
Current Task 3:
要更改IP設定:
To change IP settings:
FPR4115-2-1# scope fabric-interconnect a FPR4115-2-1 /fabric-interconnect # set out-of-band gw Gw ip Ip netmask Netmask KSEC-FPR4115-2-1 /fabric-interconnect # set out-of-band ip 10.62.184.19 netmask 255.255.255.0 gw 10.62.184.1 KSEC-FPR4115-2-1 /fabric-interconnect* # commit-buffer
關於提交:
About submission:
FPR4115-2-1 /fabric-interconnect # commit-buffer verify-only ! verify the change for error FPR4115-2-1 /fabric-interconnect # commit-buffer ! commit the change FPR4115-2-1 /fabric-interconnect # discard-buffer ! cancel the change
如需詳細資訊,請檢查:
If you need more details, check:
Cisco Firepower 4100/9300 FXOS命令參考
導航到本地管理CLI範圍,然後使用ping命令:
Navigator goes to locally managed CLI, and then uses ping command:
FPR4115-2-1# connect local-mgmt FPR4115-2-1(local-mgmt)# ping 10.62.184.1 PING 10.62.184.1 (10.62.184.1) from 10.62.184.19 eth0: 56(84) bytes of data. 64 bytes from 10.62.184.1: icmp_seq=1 ttl=255 time=0.602 ms 64 bytes from 10.62.184.1: icmp_seq=2 ttl=255 time=0.591 ms 64 bytes from 10.62.184.1: icmp_seq=3 ttl=255 time=0.545 ms 64 bytes from 10.62.184.1: icmp_seq=4 ttl=255 time=0.552 ms
導航到本地管理CLI範圍並使用此命令:
Navigator to manage the CLI area locally and use this command:
FPR4115-2-1# connect local-mgmt
FPR4115-2-1(local-mgmt)# show mgmt-ip-debug | begin eth0
eth0 Link encap:Ethernet HWaddr 78:bc:1a:e7:a4:11
inet addr:10.62.184.19 Bcast:10.62.184.255 Mask:255.255.255.0
inet6 addr: fe80::7abc:1aff:fee7:a411/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3420589 errors:0 dropped:0 overruns:0 frame:0
TX packets:2551231 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:419362704 (399.9 MiB) TX bytes:1530147643 (1.4 GiB)
除了scope fabric-interconnect a > show下的Operational外,您還可以使用此命令:
In addition to scope fabric-intercontract a & gt; show on the Office, you can also use this command:
FPR4115-2-1# connect local-mgmt
FPR4115-2-1(local-mgmt)# show mgmt-port
eth0 Link encap:Ethernet HWaddr 78:bc:1a:e7:a4:11
inet addr:10.62.184.19 Bcast:10.62.184.255 Mask:255.255.255.0
inet6 addr: fe80::7abc:1aff:fee7:a411/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3422158 errors:0 dropped:0 overruns:0 frame:0
TX packets:2552019 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:419611452 (400.1 MiB) TX bytes:1530247862 (1.4 GiB)
或者,您可以使用此指令。Scope部分顯示Link UP。請注意,UP顯示於下一行:
Alternatively, you can use this command. The Snape section shows Link UP. Note that UP is shown in the following row:
FPR4115-2-1# connect local-mgmt
FPR4115-2-1(local-mgmt)# show mgmt-ip-debug | begin eth0
eth0 Link encap:Ethernet HWaddr 78:bc:1a:e7:a4:11
inet addr:10.62.184.19 Bcast:10.62.184.255 Mask:255.255.255.0
inet6 addr: fe80::7abc:1aff:fee7:a411/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3420589 errors:0 dropped:0 overruns:0 frame:0
TX packets:2551231 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:419362704 (399.9 MiB) TX bytes:1530147643 (1.4 GiB)
註: UP狀態是介面的管理狀態。即使拔下物理電纜或SFP模組,狀態仍為UP。 另一個重要點是RUNNING狀態,這意味著鏈路運行正常(線路協定為運行狀態)。
comments : UP status is the management status of the interface. Even if you remove a physical cable or a SFP module, the status is UP. & nbsp; another important point is RUNNING status, which means that the link runs normally.
關閉介面的邏輯狀態:
Disable interface logical status:
FPR4100-3-A(local-mgmt)# mgmt-port shut
FPR4100-3-A(local-mgmt)# show mgmt-ip-debug ifconfig | b eth0
eth0 Link encap:Ethernet HWaddr 58:97:BD:B9:76:EB
inet addr:10.62.148.88 Bcast:10.62.148.127 Mask:255.255.255.128
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:3685870 errors:0 dropped:0 overruns:0 frame:0
TX packets:7068372 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:295216623 (281.5 MiB) TX bytes:1049391193 (1000.7 MiB)
再次提出問題:
Question again:
FPR4100-3-A(local-mgmt)# mgmt-port no-shut
FPR4100-3-A(local-mgmt)# show mgmt-ip-debug ifconfig | b eth0
eth0 Link encap:Ethernet HWaddr 58:97:BD:B9:76:EB
inet addr:10.62.148.88 Bcast:10.62.148.127 Mask:255.255.255.128
inet6 addr: fe80::5a97:bdff:feb9:76eb/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3685885 errors:0 dropped:0 overruns:0 frame:0
TX packets:7068374 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:295218130 (281.5 MiB) TX bytes:1049391353 (1000.7 MiB)
註:fxos模式下的show interface brief和show interface mgmt 0分別顯示mgmt0介面關閉和Admin down。請勿使用此參照它已關閉。
notes : Shows mgmt0 interfaces closed and Admin down at 0 minutes for how interface brief and how interface mgmt in fxos mode. Do not use this reference is disabled.
FPR-4110-A# connect fxos FPR-4110-A(fxos)# show interface brief | include mgmt0 mgmt0 -- down 172.16.171.83 -- 1500
FPR-4110-A(fxos)# show interface mgmt 0 mgmt0 is down (Administratively down) Hardware: GigabitEthernet, address: 5897.bdb9.212d (bia 5897.bdb9.212d) Internet Address is 172.16.171.83/24 MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA auto-duplex, auto-speed EtherType is 0x0000 1 minute input rate 3080 bits/sec 2 packets/sec 1 minute output rate 0 bits/sec 0 packets/sec Rx 977 unicast packets 12571 multicast packets 5229 broadcast packets 18777 input packets 2333662 bytes Tx 0 unicast packets 0 multicast packets 0 broadcast packets 0 output packets 0 bytes
如果您在fxos模式下執行show run interface mgmt0,則在該介面下執行shutdown force。同樣地,請勿使用此參考指出其已關閉:
If you run show run interface mgmt0 in fxos mode, do not use this reference to state that it is disabled:
FPR4115-2-1(fxos)# show run interface mgmt0 !Command: show running-config interface mgmt0 !Time: Tue May 5 14:19:42 2020 version 5.0(3)N2(4.81) interface mgmt0 shutdown force ip address 10.62.184.19/24
帶外管理僅依賴於預設網關集。因此,請確保選擇的預設網關允許連線到需要訪問系統的客戶端。connect fxos下有一個show ip route vrf all命令,但它不用於帶外管理。
Extramural administration depends only on the default network set. Therefore, make sure that the selected default network allows access to the client that needs to be interviewed. Connect fxos has a show iip roote vrf all command, but it does not need to be managed externally.
br>
ARP表在FXOS CLI中不可見。您還可以在fxos模式(ethanalyzer)下使用資料包捕獲來捕獲ARP和/或檢查進出管理層的流量。
The ARP table is not visible in FXOS CLI. You can also capture the ARP and/or check the flow into and out of management under the fxos mode (ethanalyzer).
以下是捕獲ARP資料包的示例。您可以將capture-filter(捕獲過濾器)更改為任何內容。該過濾器類似於tcpdump過濾器:
Here is an example of a captured ARP package. You can change capture-filter to any content. The filter is similar to a tcpdump filter:
fp9300-A# connect fxos
fp9300-A(fxos)# ethanalyzer local interface mgmt capture-filter arp
Capturing on eth0
2016-10-14 18:04:57.551221 00:50:56:85:be:44 -> ff:ff:ff:ff:ff:ff ARP Who has 172.16.171.240? Tell 172.16.171.101
2016-10-14 18:04:57.935562 00:12:80:85:a5:49 -> ff:ff:ff:ff:ff:ff ARP Who has 172.16.171.112? Tell 172.16.171.1
2016-10-14 18:04:58.167029 00:50:56:85:78:4e -> ff:ff:ff:ff:ff:ff ARP Who has 172.16.171.205? Tell 172.16.171.100
2016-10-14 18:04:59.156000 00:50:56:9f:b1:43 -> ff:ff:ff:ff:ff:ff ARP Who has 172.16.171.1? Tell 172.16.171.151
2016-10-14 18:04:59.165701 00:50:56:9f:b1:43 -> ff:ff:ff:ff:ff:ff ARP Who has 172.16.171.1? Tell 172.16.171.151
2016-10-14 18:04:59.166925 00:50:56:85:78:4e -> ff:ff:ff:ff:ff:ff ARP Who has 172.16.171.205? Tell 172.16.171.100
2016-10-14 18:04:59.268168 00:50:56:9f:b1:43 -> ff:ff:ff:ff:ff:ff ARP Who has 172.16.171.151? Tell 0.0.0.0
2016-10-14 18:05:00.150217 00:50:56:85:78:4e -> ff:ff:ff:ff:ff:ff ARP Who has 172.16.171.204? Tell 172.16.171.100
2016-10-14 18:05:00.268369 00:50:56:9f:b1:43 -> ff:ff:ff:ff:ff:ff ARP Who has 172.16.171.151? Tell 0.0.0.0
2016-10-14 18:05:01.150243 00:50:56:85:78:4e -> ff:ff:ff:ff:ff:ff ARP Who has 172.16.171.204? Tell 172.16.171.100
10 packets captured
Program exited with status 0.
fp9300-A(fxos)#
此外,您可以將捕獲儲存到檔案,然後將其導出到遠端伺服器:
In addition, you can save the capture to a file and then direct it to a remote server:
FPR4140-A# connect fxos FPR4140-A(fxos)# ethanalyzer local interface mgmt capture-filter arp limit-captured-frames 0 write workspace:///ARP.pcap FPR4140-A# connect local-mgmt FPR4140-A(local-mgmt)# dir 1 23075 Jan 12 13:13:18 2020 ARP.pcap FPR4140-A(local-mgmt)# copy workspace:///ARP.pcap ftp://anonymous@10.48.40.70/ARP.pcap
使用show fault命令:
Use show fault command:
FPR4115-2-1# show fault Severity Code Last Transition Time ID Description --------- -------- ------------------------ -------- ----------- Major F0909 2020-04-26T21:19:37.520 554924 default Keyring's certificate is invalid, reason: expired. Major F1769 2012-01-19T00:30:02.733 323268 The password encryption key has not been set. Minor F1437 2012-01-19T00:30:02.732 32358 Config backup may be outdated
您還可以根據嚴重性過濾故障:
You can also have a critical filtering failure:
FPR4115-2-1# show fault ? 0-18446744073709551615 ID <CR> > Redirect it to a file >> Redirect it to a file in append mode cause Cause detail Detail severity Severity suppressed Fault Suppressed | Pipe command output to filter FPR4115-2-1# show fault severity major Severity Code Last Transition Time ID Description --------- -------- ------------------------ -------- ----------- Major F0909 2020-04-26T21:19:37.520 554924 default Keyring's certificate is invalid, reason: expired. Major F1769 2012-01-19T00:30:02.733 323268 The password encryption key has not been set.
從FXOS UI Overview > FAULTS控制台也可看到相同的故障:
The same failure can be observed on FXOS UI Overview & gt; FAULTS Console:
在系統範圍下使用set name命令:
Use set name commands in the system context:
KSEC-FPR4115-2-1# scope system KSEC-FPR4115-2-1 /system # set name new-name Warning: System name modification changes FC zone name and redeploys them non-disruptively KSEC-FPR4115-2-1 /system* # commit-buffer KSEC-FPR4115-2-1 /system # exit new-name#
在使用新安裝的安全模組之前,必須對其進行確認和重新初始化。即使透過RMA更換裝置也是如此。
Before using the newly installed security module, it must be validated and re-initiated. Even with RMA conversion devices.
FPR9300# show server status
Server Slot Status Overall Status Discovery
------- --------------------------------- --------------------- ---------
1/1 Mismatch Compute Mismatch Complete
1/2 Equipped Ok Complete
1/3 Empty
FPR9300#
計算不匹配可能導致此故障事件:
Calculating mismatch may cause this failure:
Service profile ssp-sprof-1 configuration failed due to compute-unavailable,insufficient-resources
show service-profile狀態將顯示「Unassociated」,就像模組不存在一樣。
how service-profile status will show "Unassociated" as the module does not exist.
從CLI確認的步驟:
Checked from CLI:
scope chassis 1
acknowledge slot <slot#>
commit-buffer
或者,您可以使用機箱管理器UI來確認模組:
Alternatively, you can use the box manager UI to confirm the module:
這表示在確認安全模組後,尚未重新初始化:
indicates that after confirming the safety module, it has not been re-initiated:
FPR9300# scope ssa FPR9300 /ssa # show slot Slot: Slot ID Log Level Admin State Operational State ---------- --------- ------------ ----------------- 1 Info Ok Token Mismatch 2 Info Ok Online 3 Info Ok Not Available FPR9300 /ssa #
透過CLI重新初始化的步驟:
via CLI's re-introduction:
scope ssa scope slot <#> reinitialize commit-buffer
在Firepower 41xx上,這也意味著SSD丟失或故障。在scope server 1/1下透過show inventory storage檢查SSD是否仍然存在:
On Firepower 41xx, this also means that SSD is missing or malfunctioning. Checks whether SSD still exists under scope server 1/1 through how inventory system:
FPR4140-A# scope ssa
FPR4140-A /ssa # show slot 1
Slot:
Slot ID Log Level Admin State Oper State
---------- --------- ------------ ----------
1 Info Ok Token Mismatch
FPR4140-A /ssa # show fault severity critical
Severity Code Last Transition Time ID Description
--------- -------- ------------------------ -------- -----------
Critical F1548 2018-03-11T01:22:59.916 38768 Blade swap detected on slot 1
FPR4140-A /ssa # scope server 1/1
FPR4140-A /chassis/server # show inventory storage
Server 1/1:
Name:
User Label:
Equipped PID: FPR4K-SM-36
Equipped VID: V01
Equipped Serial (SN): FLM12345KL6
Slot Status: Equipped
Acknowledged Product Name: Cisco Firepower 4100 Series Extreme Performance Security Engine
Acknowledged PID: FPR4K-SM-36
Acknowledged VID: V00
Acknowledged Serial (SN): FLM12345KL6
Acknowledged Memory (MB): 262144
Acknowledged Effective Memory (MB): 262144
Acknowledged Cores: 36
Acknowledged Adapters: 2
Motherboard:
Product Name: Cisco Firepower 4100 Series Extreme Performance Security Engine
PID: FPR4K-SM-36
VID: V01
Vendor: Cisco Systems Inc
Serial (SN): FLM12345KL6
HW Revision: 0
RAID Controller 1:
Type: SATA
Vendor: Cisco Systems Inc
Model: CHORLEYWOOD
Serial: FLM12345KL6
HW Revision:
PCI Addr: 00:31.2
Raid Support:
OOB Interface Supported: No
Rebuild Rate: N/A
Controller Status: Unknown
Local Disk 1:
Vendor:
Model:
Serial:
HW Rev: 0
Operability: N/A
Presence: Missing
Size (MB): Unknown
Drive State: Unknown
Power State: Unknown
Link Speed: Unknown
Device Type: Unspecified
Local Disk Config Definition:
Mode: No RAID
Description:
Protect Configuration: No
這是在FXOS平台設定下配置的。應用本文檔的說明:FXOS平台設定。
This is configured in the context of the FXOS platform settings. The application file description: FXOS platform settings.
驗證機箱時間設定:
Could not close temporary folder: %s
KSEC-FPR4115-2-1# show clock
Tue May 5 21:30:55 CEST 2020
KSEC-FPR4115-2-1# show ntp
NTP Overall Time-Sync Status: Time Synchronized
要從模組引導CLI驗證模組/刀片時間,請使用以下3條命令:
To guide the CLI verification module/blade time from the module, use the following three commands:
Firepower-module1>show ntp peerstatus
remote local st poll reach delay offset disp=======================================================================*203.0.113.126 203.0.113.1 2 64 377 0.00006 0.000018 0.02789
remote 203.0.113.126, local 203.0.113.1
hmode client, pmode mode#255, stratum 2, precision -20
leap 00, refid [192.0.2.1], rootdistance 0.19519, rootdispersion 0.17641
ppoll 6, hpoll 6, keyid 0, version 4, association 43834
reach 377, unreach 0, flash 0x0000, boffset 0.00006, ttl/mode 0
timer 0s, flags system_peer, config, bclient, prefer, burst
reference time: dbef8823.8066c43a Mon, Dec 5 2016 8:30:59.501
originate timestamp: 00000000.00000000 Mon, Jan 1 1900 2:00:00.000
receive timestamp: dbefb27d.f914589d Mon, Dec 5 2016 11:31:41.972
transmit timestamp: dbefb27d.f914589d Mon, Dec 5 2016 11:31:41.972
filter delay: 0.00008 0.00006 0.00008 0.00009
0.00008 0.00008 0.00008 0.00009
filter offset: 0.000028 0.000018 0.000034 0.000036
0.000033 0.000036 0.000034 0.000041
filter order: 1 2 6 0
4 5 3 7
offset 0.000018, delay 0.00006, error bound 0.02789, filter error 0.00412
Firepower-module1>show ntp association
remote refid st t when poll reach delay offset jitter==============================================================================*203.0.113.126 192.0.2.1 2 u 37 64 377 0.062 0.018 0.017
ind assid status conf reach auth condition last_event cnt===========================================================1 43834 961d yes yes none sys.peer 1
associd=43834 status=961d conf, reach, sel_sys.peer, 1 event, popcorn,
srcadr=203.0.113.126, srcport=123, dstadr=203.0.113.1, dstport=123,
leap=00, stratum=2, precision=-20, rootdelay=195.190, rootdisp=176.407,
refid=192.0.2.1,
reftime=dbef8823.8066c43a Mon, Dec 5 2016 8:30:59.501,
rec=dbefb27d.f91541fc Mon, Dec 5 2016 11:31:41.972, reach=377,
unreach=0, hmode=3, pmode=4, hpoll=6, ppoll=6, headway=22, flash=00 ok,
keyid=0, offset=0.018, delay=0.062, dispersion=0.778, jitter=0.017,
xleave=0.011,
filtdelay=0.08 0.06 0.08 0.10 0.08 0.09 0.08 0.10,
filtoffset=0.03 0.02 0.03 0.04 0.03 0.04 0.03 0.04,
filtdisp=0.00 0.03 1.04 1.07 2.06 2.09 3.09 3.12
Firepower-module1>show ntp sysinfo
associd=0 status=0618 leap_none, sync_ntp, 1 event, no_sys_peer,
version="ntpd 4.2.6p5@1.2349-o Fri Oct 7 17:08:03 UTC 2016 (2)",
processor="x86_64", system="Linux/3.10.62-ltsi-WR6.0.0.27_standard",
leap=00, stratum=3, precision=-23, rootdelay=195.271, rootdisp=276.641,
refid=203.0.113.126,
reftime=dbefb238.f914779b Mon, Dec 5 2016 11:30:32.972,
clock=dbefb2a7.575931d7 Mon, Dec 5 2016 11:32:23.341, peer=43834, tc=6,
mintc=3, offset=0.035, frequency=25.476, sys_jitter=0.003,
clk_jitter=0.015, clk_wander=0.011
system peer: 203.0.113.126
system peer mode: client
leap indicator: 00
stratum: 3
precision: -23
root distance: 0.19527 s
root dispersion: 0.27663 s
reference ID: [203.0.113.126]
reference time: dbefb238.f914779b Mon, Dec 5 2016 11:30:32.972
system flags: auth monitor ntp kernel stats
jitter: 0.000000 s
stability: 0.000 ppm
broadcastdelay: 0.000000 s
authdelay: 0.000000 s
time since restart: 1630112
time since reset: 1630112
packets received: 157339
packets processed: 48340
current version: 48346
previous version: 0
declined: 0
access denied: 0
bad length or format: 0
bad authentication: 0
rate exceeded: 0
Firepower-module1>
有關NTP驗證和故障排除的詳細資訊,請查閱本文檔:配置、驗證和排除Firepower FXOS裝置上的網路時間協定(NTP)設定故障
Detailed information on NTP verification and troubleshooting can be found in this document file:
對於ASA邏輯裝置,FXOS機箱需要智慧許可。有關詳細資訊,請參閱本文:ASA許可證管理
For the ASA logical device, the FXOS engine requires intellectual clearance. For more detailed information, please refer to this document: ASA license administration
以下是許可證狀態的輸出示例:
Below are some examples of the status of the license:
FPR4115-2-1# scope license FPR4115-2-1 /license # show license all Smart Licensing Status======================Smart Licensing is ENABLED Registration: Status: REGISTERED Smart Account: BU Production Test Virtual Account: TAC-BETA Export-Controlled Functionality: Not Allowed Initial Registration: SUCCEEDED on Dec 15 14:41:55 2015 PST Last Renewal Attempt: SUCCEEDED on Dec 23 09:26:05 2015 PST Next Renewal Attempt: Jun 21 07:00:21 2016 PST Registration Expires: Dec 23 06:54:19 2016 PST License Authorization: Status: AUTHORIZED on Apr 07 15:44:26 2016 PST Last Communication Attempt: SUCCEEDED on Apr 07 15:44:26 2016 PST Next Communication Attempt: May 07 15:44:25 2016 PST Communication Deadline: Jul 06 15:38:24 2016 PST License Usage==============No licenses in use Product Information===================UDI: PID:FPR9K-SUP,SN:JAD123456AB Agent Version=============Smart Agent for Licensing: 1.4.1_rel/31
或者:
Or:
fp9300-A# connect local-mgmt
fp9300-A(local-mgmt)# show license all
Smart Licensing Status
======================
Smart Licensing is ENABLED
Registration:
Status: REGISTERED
Smart Account: Cisco Internal
Virtual Account: Escalations
Export-Controlled Functionality: Allowed
Initial Registration: SUCCEEDED on Feb 10 18:55:08 2016 CST
Last Renewal Attempt: SUCCEEDED on Oct 09 15:07:25 2016 CST
Next Renewal Attempt: Apr 07 15:16:32 2017 CST
Registration Expires: Oct 09 15:10:31 2017 CST
License Authorization:
Status: AUTHORIZED on Sep 20 07:29:06 2016 CST
Last Communication Attempt: SUCCESS on Sep 20 07:29:06 2016 CST
Next Communication Attempt: None Communication Deadline: None
Licensing HA configuration error:
No Reservation Ha config error
License Usage
==============
No licenses in use
Product Information
===================
UDI: PID:FPR9K-SUP,SN:JAD190800VU
Agent Version
=============
Smart Agent for Licensing: 1.6.7_rel/95
檢查下列檔案:
Check the following files:
檢查此文檔:在Firepower NGFW裝置上配置SNMP
Check this file:
本文檔可以幫助您:安裝FXOS機箱管理器的受信任證書 檢查下列檔案: Check the following files: 對於FP41xx和FP93xx平台,請使用以下任一命令: For FP41xx and FP93xx platforms, use any of the following commands: 使用以下命令: Use the following command: 有關FP41xx和FP9300上的口令恢復過程,請參閱以下文檔:Firepower 9300/4100系列裝置的口令恢復過程 For a return to the password on FP41xx and FP9300, please refer to the following file: Firepower 9300/4100 series of devices 要重置邏輯裝置密碼,需要重新引導裝置。使用Bootstrap災難恢復過程,您可以更改以下任何內容: If you want to reset the logic device password, you need to reguide the device. 註:必須在維護窗口(MW)中執行引導恢復過程,因為它需要重新載入邏輯裝置 Note : The lead recovery must be performed in the maintenance window (MW) because it needs to reload the logic device 範例 1 Example 1 您可以使用FXOS UI編輯邏輯裝置的載入程式設定。導航到Logical Devices(邏輯裝置)頁籤, Edit a device(編輯裝置) You can use FXOS UI to edit the loader settings for the logical device. 設定密碼: Configure password: 一旦您儲存此訊息,就會出現: Once you save this message, you will appear: FPR4115-2-1# connect fxos
FPR4115-2-1(fxos)# show l2-table
Ingress MAC Vlan Class VlanGrp Status Dst
Eth1/1 78bc.1ae7.a45e 101 1 0 present 1
Veth776 78bc.1ae7.a45e 101 1 0 present 1
Po1 0100.5e00.0005 1001 1 0 present 1
Po1 0100.5e00.0006 1001 1 0 present 1
Po1 78bc.1ae7.a44e 1001 1 0 present 1
Po1 ffff.ffff.ffff 1001 63 0 present 1
FPR4115-2-1(fxos)# show mac address-table
Legend:
* - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
age - seconds since first seen,+ - primary entry using vPC Peer-Link
VLAN MAC Address Type age Secure NTFY Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
* 1001 0100.5e00.0005 static 0 F F Eth1/1
* 1001 0100.5e00.0006 static 0 F F Eth1/1
* 1001 78bc.1ae7.a44e static 0 F F Eth1/1
* 1001 ffff.ffff.ffff static 0 F F Eth1/1
* 101 78bc.1ae7.a45e static 0 F F Eth1/1
* 101 78bc.1ae7.a46f static 0 F F Veth776
* 4047 0015.a501.0100 static 0 F F Veth864
* 4047 0015.a501.0101 static 0 F F Veth1015
* 4043 78bc.1ae7.b000 static 0 F F Eth1/10
* 4043 78bc.1ae7.b00c static 0 F F Eth1/9
* 1 0015.a500.001f static 0 F F Veth887
* 1 0015.a500.002f static 0 F F Veth1018
* 1 0015.a500.01bf static 0 F F Veth905
* 1 0015.a500.01ef static 0 F F Veth1019
FPR4115-2-1# connect fxos
FPR4115-2-1(fxos)# show interface mac-address
--------------------------------------------------------------------------------
Interface Mac-Address Burn-in Mac-Address
--------------------------------------------------------------------------------
Ethernet1/1 78bc.1ae7.a417 78bc.1ae7.a418
Ethernet1/2 78bc.1ae7.a417 78bc.1ae7.a419
Ethernet1/3 78bc.1ae7.a417 78bc.1ae7.a41a
Ethernet1/4 78bc.1ae7.a417 78bc.1ae7.a41b
Ethernet1/5 78bc.1ae7.a417 78bc.1ae7.a41c
Ethernet1/6 78bc.1ae7.a417 78bc.1ae7.a41d
Ethernet1/7 78bc.1ae7.a417 78bc.1ae7.a41e
Ethernet1/8 78bc.1ae7.a417 78bc.1ae7.a41f
Ethernet1/9 78bc.1ae7.a417 78bc.1ae7.a420
Ethernet1/10 78bc.1ae7.a417 78bc.1ae7.a421
Ethernet1/11 78bc.1ae7.a417 78bc.1ae7.a422
Ethernet1/12 78bc.1ae7.a417 78bc.1ae7.a423
port-channel1 78bc.1ae7.a417 78bc.1ae7.a41a
port-channel48 78bc.1ae7.a417 0000.0000.0000
mgmt0 78bc.1ae7.a411 78bc.1ae7.a411
Vethernet690 78bc.1ae7.a417 78bc.1ae7.a417
Vethernet691 78bc.1ae7.a417 78bc.1ae7.a417
Vethernet692 78bc.1ae7.a417 78bc.1ae7.a417
Vethernet693 78bc.1ae7.a417 78bc.1ae7.a417
Vethernet694 78bc.1ae7.a417 78bc.1ae7.a417
Vethernet695 78bc.1ae7.a417 78bc.1ae7.a417
Vethernet696 78bc.1ae7.a417 78bc.1ae7.a417
Vethernet697 78bc.1ae7.a417 78bc.1ae7.a417
Vethernet698 78bc.1ae7.a417 78bc.1ae7.a417
Vethernet699 78bc.1ae7.a417 78bc.1ae7.a417
Vethernet700 78bc.1ae7.a417 78bc.1ae7.a417
Vethernet774 78bc.1ae7.a417 78bc.1ae7.a417
Vethernet775 78bc.1ae7.a417 78bc.1ae7.a417
Vethernet776 78bc.1ae7.a417 78bc.1ae7.a417
Vethernet777 78bc.1ae7.a417 78bc.1ae7.a417
Vethernet778 78bc.1ae7.a417 78bc.1ae7.a417
Vethernet779 78bc.1ae7.a417 78bc.1ae7.a417
Vethernet861 78bc.1ae7.a417 78bc.1ae7.a417
Vethernet862 78bc.1ae7.a417 78bc.1ae7.a417
Vethernet863 78bc.1ae7.a417 78bc.1ae7.a417
Vethernet864 78bc.1ae7.a417 78bc.1ae7.a417
Vethernet887 78bc.1ae7.a417 78bc.1ae7.a417
Vethernet905 78bc.1ae7.a417 78bc.1ae7.a417
Vethernet906 78bc.1ae7.a417 78bc.1ae7.a417
Vethernet1015 78bc.1ae7.a417 78bc.1ae7.a417
Vethernet1018 78bc.1ae7.a417 78bc.1ae7.a417
Vethernet1019 78bc.1ae7.a417 78bc.1ae7.a417
Vethernet1020 78bc.1ae7.a417 78bc.1ae7.a417
Vethernet1021 78bc.1ae7.a417 78bc.1ae7.a417
Firepower 4100/9300升級路徑
FXOS images are downgraded without formal support. The only way to lower the FXOS images is to re-enact the full remap of the running device Firepower 4100/9300
透過機箱管理器降級/升級ASA版本:更新邏輯裝置的映像版本
Downgraded/upgraded ASA version:
要透過CLI進行更改,請使用以下配置指南部分:更新邏輯裝置的映像版本
To make changes through CLI, use the following configuration guidance section:
注意:在CLI上提交緩衝區後,它會立即重新啟動模組。與此類似,在機箱管理器上,一旦按一下「確定」,模組就會重新啟動。無需手動重新啟動。
Note : Once a buffer zone has been submitted on CLI, it will restart the module immediately. Like this, the module will restart once the " OK" has been pressed on the case manager. There is no need to restart it manually.
所有元件均進入就緒狀態後,升級即完成:
Upgrade complete when all components are in state of readiness:
FP9300# scope system
FP9300 /system # show firmware monitor
FPRM:
Package-Vers: 2.0(1.37)
Upgrade-Status: Ready
Fabric Interconnect A:
Package-Vers: 2.0(1.23)
Upgrade-Status: Upgrading
Chassis 1:
Server 1:
Package-Vers: 2.0(1.23)
Upgrade-Status: Ready
Server 2:
Package-Vers: 2.0(1.23)
Upgrade-Status: Upgrading
其他有用的命令
Other useful orders
FP9300 /firmware/auto-install # show fsm status FP9300 /firmware/auto-install # show fsm status expand
首選方法是使用FCM UI。如果由於某種原因無法訪問使用者介面,請使用以下命令:
The preferred method is the FCM UI. If, for some reason, the user interface is not available, use the following command:
# scope chassis 1
/chassis # scope server 1/1
/chassis/server # reset ?
hard-reset-immediate Perform an immediate hard reset
hard-reset-wait Wait for the completion of any pending management oper
/chassis/server # commit-buffer
FXOS正常運行時間檢查在存在FXOS回溯時非常有用。您可以從UI (FCM)或CLI看到FXOS:
You can see FXOS from UI (FCM) or CLI:
FPR9K-1-A# connect fxos FPR9K-1-A(fxos)# show system uptime System start time: Sun Sep 25 09:57:19 2016 System uptime: 28 days, 9 hours, 38 minutes, 14 seconds Kernel uptime: 28 days, 9 hours, 38 minutes, 41 seconds Active supervisor uptime: 28 days, 9 hours, 38 minutes, 14 seconds
此外,若要判斷上次重新載入原因,請使用以下命令:
In addition, to determine the reasons for the last reload, use the following order:
FPR9K-1-A(fxos)# show system reset-reason
----- reset reason for Supervisor-module 1 (from Supervisor in slot 1) ---
1) At 212883 usecs after Fri Oct 21 22:34:35 2016
Reason: Kernel Panic
Service:
Version: 5.0(3)N2(3.02)
2) At 106690 usecs after Thu May 26 16:07:38 2016
Reason: Reset Requested by CLI command reload
Service:
Version: 5.0(3)N2(3.02)
對於FPR2100正常運行時間,請執行以下操作:
For normal FP2100 run times, do the following:
1. 獲取「show tech-support fprm detail」捆綁包
1. Obtain the "show tech-support fprm binding package"
2. 提取捆綁包的內容
2. Content of the bundled package
3. 檢視檔案tmp/inventory_manager.xml
3. View filetmp/eventory_manager.xml
有一個條目顯示正常運行時間(以秒為單位):
has an entry showing the normal running time (in seconds):
tmp/inventory_manager.xml:
<uptime>151</uptime>
也稱為「工作區」:
It is also known as the "workspace":
FPR9K-1-A# connect local-mgmt FPR9K-1-A(local-mgmt)# dir 1 29 Sep 25 09:56:22 2016 blade_debug_plugin 1 19 Sep 25 09:56:22 2016 bladelog 1 16 Aug 05 15:41:05 2015 cores 1 2841476 Apr 26 14:13:12 2016 d 2 4096 Dec 01 10:09:11 2015 debug_plugin/ 1 31 Aug 05 15:41:05 2015 diagnostics 1 2842049 Feb 23 03:26:38 2016 dp 1 18053120 Feb 23 11:10:19 2016 fpr9k-1-0-sam_logs_all.tar 1 18176000 Feb 23 11:10:43 2016 fpr9k-1-1-sam_logs_all.tar 1 19302400 Feb 23 11:11:07 2016 fpr9k-1-2-sam_logs_all.tar 1 16312320 Feb 23 11:06:53 2016 fpr9k-1-3-sam_logs_all.tar 1 2841476 Feb 22 18:47:00 2016 fxos-dplug.5.0.3.N2.3.13.67g.gSSA 2 4096 Aug 05 15:38:58 2015 lost+found/ 1 25 Dec 01 11:11:50 2015 packet-capture 1 18493440 Feb 23 10:44:51 2016 sam_logs_all.tar 2 4096 Sep 14 11:23:11 2016 techsupport/ Usage for workspace:// 4032679936 bytes total 324337664 bytes used 3503489024 bytes free
FPR9K-1-A(local-mgmt)# dir volatile:/ 1 66 Oct 27 08:17:48 2016 xmlout_5816 Usage for volatile:// 251658240 bytes total 4096 bytes used 251654144 bytes free
檢查引導快閃記憶體的可用空間。請注意,此輸出也會顯示工作區大小及使用狀況:
Check the available space for leading flash flash memory. Note that this output also shows the size and usage of the workspace:
FPR9K-1-A# scope fabric-interconnect a
FPR9K-1-A /fabric-interconnect # show storage
Storage on local flash drive of fabric interconnect:
Partition Size (MBytes) Used Percentage
---------------- ---------------- ---------------
bootflash 106490 9
opt 3870 2
spare 5767 1
usbdrive Nothing Empty
workspace 3845 9
使用以下命令:
Use the following command:
FPR9K-1-A# connect local-mgmt FPR9K-1-A(local-mgmt)# erase configuration
註:此操作將重新啟動系統並清除整個配置,包括管理IP地址。因此,請確保控制檯已連線。系統重新啟動後,安裝應用程式會執行,您可以重新輸入管理組態資訊。
comments : This operation will restart the system and remove the configuration, including the management of the IP address. Therefore, make sure that the control table is connected. Once the system is restarted, the installation application will be executed and you can re-enter the management group information.
範例
Example
FPR9K-1# connect local-mgmt
FPR9K-1(local-mgmt)# erase configuration
All configurations are erased and system must reboot. Are you sure? (yes/no): yes
Removing all the configuration. Please wait....
/bin/rm: cannot remove directory `/bootflash/sysdebug//tftpd_logs': Device or resource busy
sudo: cannot get working directory
sudo: cannot get working directory
Configurations are cleaned up. Rebooting....
...
System is coming up ... Please wait ...
System is coming up ... Please wait ...
2016 Oct 28 06:31:00 %$ VDC-1 %$ %USER-0-SYSTEM_MSG: Starting bcm_attach - bcm_usd
System is coming up ... Please wait ...
2016 Oct 28 06:31:06 %$ VDC-1 %$ %USER-0-SYSTEM_MSG: Finished bcm_attach... - bcm_usd
2016 Oct 28 06:31:07 %$ VDC-1 %$ %USER-0-SYSTEM_MSG: Enabling Filter on CPU port - bcm_usd
System is coming up ... Please wait ...
2016 Oct 28 06:31:11 switch %$ VDC-1 %$ %VDC_MGR-2-VDC_ONLINE: vdc 1 has come online
System is coming up ... Please wait ...
nohup: appending output to `nohup.out'
---- Basic System Configuration Dialog ----
This setup utility guides you through the basic configuration of
the system. Only minimal configuration including IP connectivity to
the Fabric interconnect and its clustering mode is performed through these steps.
Type Ctrl-C at any time to abort configuration and reboot system.
To back track or make modifications to already entered values,
complete input till end of section and answer no when prompted
to apply configuration.
You have chosen to setup a new Security Appliance. Continue? (y/n):
FPR4100-3-A# scope ssa
FPR4100-3-A /ssa # show configuration
scope ssa
enter logical-device FTD4150-3 ftd 1 standalone
enter external-port-link Ethernet16_ftd Ethernet1/6 ftd
set decorator ""
set description ""
set port-name Ethernet1/6
exit
enter external-port-link Ethernet17_ftd Ethernet1/7 ftd
set decorator ""
set description ""
set port-name Ethernet1/7
exit
enter external-port-link Ethernet18_ftd Ethernet1/8 ftd
set decorator ""
set description ""
set port-name Ethernet1/8
exit
enter mgmt-bootstrap ftd
enter bootstrap-key DNS_SERVERS
set value 192.0.2.100
exit
enter bootstrap-key FIREPOWER_MANAGER_IP
set value 10.62.148.57
exit
enter bootstrap-key FIREWALL_MODE
set value routed
exit
enter bootstrap-key FQDN
set value FTD4150-3.lab.com
exit
enter bootstrap-key SEARCH_DOMAINS
set value lab.com
exit
enter bootstrap-key-secret PASSWORD
! set value
exit
enter bootstrap-key-secret REGISTRATION_KEY
! set value
exit
enter ipv4 1 firepower
set gateway 10.62.148.1
set ip 10.62.148.89 mask 255.255.255.128
exit
exit
set description ""
set res-profile-name ""
exit
scope slot 1
enter app-instance ftd
enable
set startup-version 6.0.1.1213
exit
set log-level info
exit
scope app asa 9.12.4.12
set-default
exit
scope app ftd 6.0.1.1213
accept-license-agreement
set-default
exit
exit
這相當於:
This is equivalent to:
如果要檢視所有FXOS配置,則增加關鍵字「all」(輸出有幾頁長):
If you want to view all FXOS configurations, add the key word "all" (with several page lengths):
FPR4100-3-A /ssa # show configuration all
FPR4100-3-A# scope eth-uplink
FPR4100-3-A /eth-uplink # scope fabric a
FPR4100-3-A /eth-uplink/fabric # show interface Interface: Port Name Port Type Admin State Oper State State Reason --------------- ------------------ ----------- ---------------- ------------ Ethernet1/1 Data Disabled Admin Down Administratively down Ethernet1/2 Data Disabled Admin Down Administratively down Ethernet1/3 Data Disabled Admin Down Administratively down Ethernet1/4 Data Disabled Sfp Not Present Unknown Ethernet1/5 Data Disabled Admin Down Administratively down Ethernet1/6 Data Enabled Up Ethernet1/7 Mgmt Enabled Up Ethernet1/8 Data Enabled Up FPR4100-3-A /eth-uplink/fabric #
這相當於:
This is equivalent to:
FPR9K-2-A# connect fxos FPR9K-2-A(fxos)# show system resources Load average: 1 minute: 1.60 5 minutes: 1.30 15 minutes: 1.15 Processes : 967 total, 1 running CPU states : 1.8% user, 1.1% kernel, 97.1% idle Memory usage: 16326336K total, 4359740K used, 11966596K free
註:即使對於屬於同一型號的2台裝置,輸出中顯示的總數也可能不同。具體來說,總數取自自由命令輸出,而自由命令輸出又取自/proc/meminfo。
Note : Even for two devices of the same type, the total number shown in the output may be different. Specifically, the total number is taken from free command output, while the free command output is taken from/proc/meminfo.
檢查記憶體:
Can not open message
FPR4100-8-A /fabric-interconnect # show detail
Fabric Interconnect:
ID: A
Product Name: Cisco FPR-4140-SUP
PID: FPR-4140-SUP
VID: V02
Vendor: Cisco Systems, Inc.
Serial (SN): FLM12345KL6
HW Revision: 0
Total Memory (MB): 8074
OOB IP Addr: 10.62.148.196
OOB Gateway: 10.62.148.129
OOB Netmask: 255.255.255.128
OOB IPv6 Address: ::
OOB IPv6 Gateway: ::
Prefix: 64
Operability: Operable
Thermal Status: Ok
Current Task 1:
Current Task 2:
Current Task 3:
驗證每個進程的記憶體使用率檢查(RES=實體記憶體):
Verifying memory usage check for each progress (RES = actual memory):
FPR4100-2-A-A# connect local-mgmt FPR4100-2-A-A(local-mgmt)# show processes Cpu(s): 8.0%us, 4.2%sy, 3.9%ni, 83.8%id, 0.0%wa, 0.0%hi, 0.1%si, 0.0%st Mem: 8267648k total, 3866552k used, 4401096k free, 288k buffers Swap: 0k total, 0k used, 0k free, 1870528k cached PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 5024 root -2 0 354m 114m 34m R 43 1.4 7976:51 /isan/bin/bcm_usd 1096 root 20 0 10352 3992 3332 S 0 0.0 0:00.28 sshd: admin@pts/1 1140 root 20 0 117m 78m 53m S 0 1.0 0:00.42 /isan/bin/ucssh --ucs-mgmt -p admin 1856 root 20 0 2404 632 512 S 0 0.0 2:29.32 /nuova/bin/cmcmon -f /etc/cmcmon.conf 1859 root 20 0 23804 1932 1532 S 0 0.0 1427:47 dmserver -F 1860 root 20 0 2244 472 404 S 0 0.0 0:00.01 /sbin/hotplug2 --persistent --set-rules-file /etc/automount.rules --set-worker /lib/worker_single.so 1861 root 20 0 57116 10m 6552 S 0 0.1 7:28.76 /isan/sbin/sysmgr -V 1864 root 20 0 14044 4136 1072 S 0 0.1 1:06.19 rsyslogd -c3 -i/var/run/rsyslogd.pid 4909 root 20 0 3568 1100 876 S 0 0.0 0:00.48 /isan/sbin/xinetd -syslog local7 -loop 250 -stayalive -reuse -dontfork 4911 root 20 0 58232 12m 6152 S 0 0.2 18:39.24 /isan/sbin/syslogd -d -n -m 0 -r 4912 root 20 0 20076 3532 2368 S 0 0.0 0:00.02 /isan/bin/sdwrapd 4913 root 21 1 2756 300 192 S 0 0.0 0:00.04 /usr/sbin/in.tftpd -l -c -s /bootflash 4914 root 20 0 58312 17m 8724 S 0 0.2 13:45.34 /isan/bin/pfm 4937 root 20 0 2208 332 272 S 0 0.0 0:00.01 /sbin/klogd -2 -x -c 1 4939 root 20 0 26692 4656 3620 S 0 0.1 0:24.01 /isan/bin/vshd
...
提示:
1. 收集show process memory輸出
2. 將輸出貼到Linux機器上的檔案中(cat > top.log)
3. 根據RES欄排序檔案
Reminder:
1. Collects how process memory output
2. Sort files according to RES column (cat & gt; top.log)
這會顯示GB、MB等
This will show GB, MB, etc.
mzafeiro@MZAFEIRO-JA2YS:$ cat top.log | sort -V -k 6 1954 root 20 0 1645m 1.6g 1372 S 0.0 20.7 793:32.99 dmserver 7556 root 20 0 207m 9.8m 6184 S 0.0 0.1 73:52.25 udld 5563 root 20 0 333m 9.8m 7032 S 0.0 0.1 5:08.65 cdpd 5523 root 20 0 327m 103m 28m S 0.0 1.3 0:12.38 afm 24040 daemon 23 3 592m 115m 33m S 0.0 1.5 74:56.57 httpd 5329 root -2 0 384m 132m 29m S 9.4 1.7 27130:09 bcm_usd 5317 root 20 0 401m 150m 35m S 0.0 1.9 33:19.05 fwm 5625 root 24 4 450m 179m 35m S 0.0 2.3 275:38.25 svc_sam_statsAG 5614 root 23 3 495m 247m 54m S 0.0 3.2 355:59.95 svc_sam_dme 21688 root 20 0 2672 1080 880 S 0.0 0.0 3:15.29 ntpd 8819 root 35 15 2408 1084 748 R 5.6 0.0 0:00.06 top
在Firepower 4100/9300中,使用此命令:
In Firepower 4100/9300, use this command:
FPR9K-2-A# connect fxos
FPR9K-2-A(fxos)# show interface e1/3 transceiver details
Ethernet1/3
transceiver is present
type is 1000base-T
name is CISCO-METHODE
part number is SP7041-R
revision is
serial number is FLM12345KL6
nominal bitrate is 1300 MBit/sec
Link length supported for copper is 100 m
cisco id is --
cisco extended id number is 4
DOM is not supported
FPR9K-2-A(fxos)#
對於光纖,輸出為:
For luminium, output is:
FPR4100-1-A(fxos)# show interface e1/1 transceiver details
Ethernet1/1
transceiver is present
type is 10Gbase-SR
name is CISCO-JDSU
part number is PLRXPL-SC-S43-CS
revision is 1
serial number is FLM12345KL6
nominal bitrate is 10300 MBit/sec
Link length supported for 50/125um OM2 fiber is 82 m
Link length supported for 62.5/125um fiber is 26 m
Link length supported for 50/125um OM3 fiber is 300 m
cisco id is --
cisco extended id number is 4
Calibration info not available
在Firepower 1000/2100中,使用此命令:
In Firepower 1000/2100, use this command:
FPR2100# scope fabric-interconnect
FPR2100 /fabric-interconnect # show inventory expand detail | egrep ignore-case "Port|Xcvr"
...
Slot 1 Port 13:
Xcvr: 10 Gbase SR
Xcvr Model: PLRXPL-SC-S43-C
Xcvr Vendor: Cisco Systems, Inc.
Xcvr Serial: ABCD1234
Slot 1 Port 14:
Xcvr: 10 Gbase SR
Xcvr Model: PLRXPL-SC-S43-C
Xcvr Vendor: Cisco Systems, Inc.
Xcvr Serial: VWXY1234
Slot 1 Port 15:
Xcvr: Non Present
Xcvr Model:
Xcvr Vendor:
Xcvr Serial:
Slot 1 Port 16:
Xcvr: Non Present
Xcvr Model:
Xcvr Vendor:
Xcvr Serial:
此命令顯示機箱和模組(網路模組)的產品ID (PID)和序列號(SN)
This command shows product ID (PID) and serial number (SN) of the box and module (network module)
FP4110-7-A# connect fxos
FP4110-7-A(fxos)# show inventory NAME: "Chassis", DESCR: "Firepower 41xx Security Appliance" PID: FPR-4110-SUP , VID: V02 , SN: FLM12345KL6 <--- Chassis SN NAME: "Module 1", DESCR: "Firepower 41xx Supervisor" PID: FPR-4110-SUP , VID: V02 , SN: FLM12345KL6 <--- Embedded module on FPR4100 NAME: "Module 3", DESCR: "Firepower 6x10G FTW SFP+ SR NM" PID: FPR-NM-6X10SR-F , VID: V00 , SN: FLM12345KL6 <--- FTW Netmode SN
FPR4110有2個用於網路模組(2和3)的插槽,示例中的裝置在插槽3中安裝有FTW網路模組。
FPR4110 has two slots for network modules (2 and 3) and the device in the example has a FTW network module installed in slot 3.
FPR9K-1-A# scope chassis 1
FPR9K-1-A /chassis # show inventory server
Chassis 1:
Servers:
Server 1/1:
Equipped Product Name: Cisco Firepower 9000 Series High Performance Security Module
Equipped PID: FPR9K-SM-36
Equipped VID: V01
Equipped Serial (SN): FLM12345KL6
Slot Status: Equipped
Acknowledged Product Name: Cisco Firepower 9000 Series High Performance Security Module
Acknowledged PID: FPR9K-SM-36
Acknowledged VID: V01
Acknowledged Serial (SN): FLM12345KL6
Acknowledged Memory (MB): 262144
Acknowledged Effective Memory (MB): 262144
Acknowledged Cores: 36
Acknowledged Adapters: 2
Server 1/2:
Equipped Product Name: Cisco Firepower 9000 Series High Performance Security Module
Equipped PID: FPR9K-SM-36
Equipped VID: V01
Equipped Serial (SN): FLM12345KL6
Slot Status: Equipped
Acknowledged Product Name: Cisco Firepower 9000 Series High Performance Security Module
Acknowledged PID: FPR9K-SM-36
Acknowledged VID: V01
Acknowledged Serial (SN): FLM12345KL6
Acknowledged Memory (MB): 262144
Acknowledged Effective Memory (MB): 262144
Acknowledged Cores: 36
Acknowledged Adapters: 2
Server 1/3:
Equipped Product Name: Cisco Firepower 9000 Series High Performance Security Module
Equipped PID: FPR9K-SM-36
Equipped VID: V01
Equipped Serial (SN): FLM12345KL6
Slot Status: Equipped
Acknowledged Product Name: Cisco Firepower 9000 Series High Performance Security Module
Acknowledged PID: FPR9K-SM-36
Acknowledged VID: V01
Acknowledged Serial (SN): FLM12345KL6
Acknowledged Memory (MB): 262144
Acknowledged Effective Memory (MB): 262144
Acknowledged Cores: 36
Acknowledged Adapters: 2
伺服器1/1=模組/刀片1
Server 1/1 = Module/Knife1
伺服器1/2=模組/刀片2
Server 1/2 = module/knife 2
伺服器1/3=模組/刀片3
Server 1/3 = module/knife 3
FPR41xx型號PID:
FPR41xx Model PID:
- FPR4K-SM-12=FPR4110
- FPR4K-SM-24=FPR4120
- FPR4K-SM-36=FPR4140
- FPR4K-SM-44=FPR4150
- FPR4K-SM-24S=FPR4115
- FPR4K-SM-32S=FPR4125
- FPR4K-SM-44S=FPR4145
您也可以在<機箱ID/刀片ID>範圍內獲取其他資訊:
You can also get additional information within < box ID/Knife ID> range:
FP9300-A# scope server 1/1
FP9300-A /chassis/server # show inventory
<CR>
> Redirect it to a file
>> Redirect it to a file in append mode
adapter Adapter
bios Bios
board Board
cpu Cpu
detail Detail
expand Expand
memory Memory
mgmt Mgmt
storage Storage
| Pipe command output to filter
FP9300-A /chassis/server # show inventory storage
Server 1/1:
Name:
User Label:
Equipped PID: FPR9K-SM-36
Equipped VID: V01
Equipped Serial (SN): FLM12345PBD
Slot Status: Equipped
Acknowledged Product Name: Cisco Firepower 9000 Series High Performance Security Module
Acknowledged PID: FPR9K-SM-36
Acknowledged VID: 01
Acknowledged Serial (SN): FLM67890PBD
Acknowledged Memory (MB): 262144
Acknowledged Effective Memory (MB): 262144
Acknowledged Cores: 36
Acknowledged Adapters: 2
Motherboard:
Product Name: Cisco Firepower 9000 Series High Performance Security Module
PID: FPR9K-SM-36
VID: V01
Vendor: Cisco Systems Inc
Serial (SN): FLM12345KL6
HW Revision: 0
RAID Controller 1:
Type: SAS
Vendor: Cisco Systems Inc
Model: UCSB-MRAID12G
Serial: FLM12345KL6
HW Revision: C0
PCI Addr: 01:00.0
Raid Support: RAID0, RAID1
OOB Interface Supported: Yes
Rebuild Rate: 30
Controller Status: Optimal
Local Disk 1:
Product Name:
PID:
VID:
Vendor: TOSHIBA
Model: PX02SMF080
Vendor Description:
Serial: FLM12345KL6
HW Rev: 0
Block Size: 512
Blocks: 1560545280
Operability: Operable
Oper Qualifier Reason: N/A
Presence: Equipped
Size (MB): 761985
Drive State: Online
Power State: Active
Link Speed: 12 Gbps
Device Type: SSD
Local Disk 2:
Product Name:
PID:
VID:
Vendor: TOSHIBA
Model: PX02SMF080
Vendor Description:
Serial: FLM12345KL6
HW Rev: 0
Block Size: 512
Blocks: 1560545280
Operability: Operable
Oper Qualifier Reason: N/A
Presence: Equipped
Size (MB): 761985
Drive State: Online
Power State: Active
Link Speed: 12 Gbps
Device Type: SSD
Local Disk Config Definition:
Mode: RAID 1 Mirrored
Description:
Protect Configuration: Yes
Virtual Drive 0:
Type: RAID 1 Mirrored
Block Size: 512
Blocks: 1560545280
Operability: Operable
Presence: Equipped
Size (MB): 761985
Lifecycle: Allocated
Drive State: Optimal
Strip Size (KB): 64
Access Policy: Read Write
Read Policy: Normal
Configured Write Cache Policy: Write Through
Actual Write Cache Policy: Write Through
IO Policy: Direct
Drive Cache: No Change
Bootable: True
FP9300-A /chassis/server #
註:在FP41xx平台上,由於未使用RAID,show inventory storage會將「Controller Status」顯示為「Unknown」。它們不是RAID的主要原因是第二個SSD用於FTD邏輯裝置上的MSP(惡意軟體儲存包)等其他功能。
在FCM GUI上:
On FCM GUI:
要從GUI中刪除,請導航到System > Updates並刪除影象:
To delete from GUI, direct to System & gt; Updates and delete the image:
從FXOS CLI
From FXOS CLIbrb
FPR4100# scope ssa
FPR4100 /ssa # show app
Application:
Name Version Description Author Deploy Type CSP Type Is Default App
------ ---------- ----------- ---------- ----------- ----------- --------------
asa 9.6.1 N/A cisco Native Application Yes
ftd 6.0.1.1213 N/A cisco Native Application No
ftd 6.1.0.330 N/A cisco Native Application Yes
FPR4100 /ssa # delete app asa 9.6.1
FPR4100 /ssa* # commit
FPR4100 /ssa # show app
Application:
Name Version Description Author Deploy Type CSP Type Is Default App
---------- ---------- ----------- ---------- ----------- ----------- --------------
ftd 6.0.1.1213 N/A cisco Native Application No
ftd 6.1.0.330 N/A cisco Native Application Yes
有幾種方法可以做到這一點。
There are several ways to do this.
方式1
Mode 1
FPR4100# show fabric-interconnect firmware
Fabric Interconnect A:
Running-Kern-Vers: 5.0(3)N2(4.01.65)
Running-Sys-Vers: 5.0(3)N2(4.01.65)
Package-Vers: 2.0(1.86)
Startup-Kern-Vers: 5.0(3)N2(4.01.65)
Startup-Sys-Vers: 5.0(3)N2(4.01.65)
Act-Kern-Status: Ready
Act-Sys-Status: Ready
Bootloader-Vers:
這與FCM GUI中顯示的相同:
This is the same as shown in FCM GUI:
方式2
Mode 2
FP4145-1# show version
Version: 2.6(1.192)
Startup-Vers: 2.6(1.192)
預設情況下,Firepower 4100/9300機箱支援超巨型幀。您可以使用以下命令檢查介面MTU:
You can check the MTU interface using the following command:
FPR9K-1-A# connect fxos
FPR9K-1-A(fxos)# show hardware internal bcm-usd info phy-info all +-----------------+------------------------------------------------------------+ | port phy info | +-----------------+------------------------------------------------------------+ front-port : 1 asic-port : 125 sfp installed : yes enable : ena speed : 1G autoneg : on interface : (10)XFI duplex: half linkscan : sw pause_tx : 0x0 pause_rx : 0x0 max frame : 9216 local_advert : 0x20 remote_advert : 0x420 port_40g_enable : 0 local_fault : 0x1 remote_fault : 0x0 xcvr sfp type : (1)PHY_SFP_1G_COPPER TSC4 registers: txfir(0xc252):0x0000 txdrv(0xc017):0x0000 lane(0x9003):0x1b1b Asic 56846 Registers signal_detect(1.0x81d0):0x0000 link_status(1.0x81d1):0x0000 rx_link_state(1.0x0):0x0000 pcs_rx_tx_fault(1.0x0008):0x0000 pcs_block_status_0x20(1.0x20) :0x0000 pcs_block_status_0x21(1.0x021) : 0x0000 transmitter_reg(1.0x8000):0x0000 micro_ver(1.0x81f0):0x0000
或者,檢查fxos命令shell中的MTU:
Or, check the MTU in fxos command shell:
KSEC-FPR4112-4# connect fxos
<output is skipped>
KSEC-FPR4112-4(fxos)# show interface ethernet 1/1
Ethernet1/1 is up
Dedicated Interface
Hardware: 1000/10000 Ethernet, address: 14a2.a02f.07c0 (bia 14a2.a02f.07c0)
Description: U: Uplink
MTU 9216 bytes, BW 1000000 Kbit, DLY 10 usec
從機箱CLI使用命令scope ssa,然後使用show slot expand detail。
Use command ssa from the machine box CLI and then show slot expand detail.
可以在機箱show tech bundle內的檔案sam_techsupportinfo上找到相同資訊。
The same information can be found on the file sam_techssupportinfo in the boxhow tech bindle.
`scope ssa`
`show slot expand detail`
Slot:
Slot ID: 1
Log Level: Info
Admin State: Ok
Operational State: Online
Disk State: Ok
Clear Log Data: Available
Application Instance:
Application Name: asa
Admin State: Enabled
Operational State: Online
Running Version: 9.6.2
Startup Version: 9.6.2
Hotfixes:
Externally Upgraded: No
Cluster Oper State: Not Applicable
Current Job Type: Start
Current Job Progress: 100
Current Job State: Succeeded
Clear Log Data: Available
Error Msg:
Current Task:
App Attribute:
App Attribute Key: mgmt-ip
Value: 0.0.0.0
App Attribute Key: mgmt-url
Value: https://0.0.0.0/
Heartbeat:
Last Received Time: 2017-03-15T10:25:02.220
Heartbeat Interval: 1
Max Number of Missed heartbeats Permitted: 3
Resource:
Allocated Core NR: 46
Allocated RAM (KB): 233968896
Allocated Data Disk (KB): 20971528
Allocated Binary Disk (KB): 174964
Allocated Secondary Disk (KB): 0
Heartbeat:
Last Received Time: 2017-03-15T10:25:00.447
Heartbeat Interval: 5
Max Number of Missed heartbeats Permitted: 3
Monitor:
OS Version: 9.6(1.150)
CPU Total Load 1 min Avg: 48.110001
CPU Total Load 5 min Avg: 48.110001
CPU Total Load 15 min Avg: 48.110001
Memory Total (KB): 264377600
Memory Free (KB): 236835112
Memory Used (KB): 27542488
Memory App Total (KB): 233968896
Disk File System Count: 5
Blade Uptime: up 1 day, 6:56
Last Updated Timestamp: 2017-03-15T10:24:10.306
Disk File System:
File System: /dev/sda1
Mount Point: /mnt/boot
Disk Total (KB): 7796848
Disk Free (KB): 7694456
Disk Used (KB): 102392
File System: /dev/sda2
Mount Point: /opt/cisco/config
Disk Total (KB): 1923084
Disk Free (KB): 1734420
Disk Used (KB): 90976
File System: /dev/sda3
Mount Point: /opt/cisco/platform/logs
Disk Total (KB): 4805760
Disk Free (KB): 4412604
Disk Used (KB): 149036
File System: /dev/sda5
Mount Point: /var/data/cores
Disk Total (KB): 48061320
Disk Free (KB): 43713008
Disk Used (KB): 1906892
File System: /dev/sda6
Mount Point: /opt/cisco/csp
Disk Total (KB): 716442836
Disk Free (KB): 714947696
Disk Used (KB): 1495140
埠通道驗證命令
Port Channel Validation Command
檢查 1
Check 1
要驗證機箱上當前配置了哪些埠通道,請執行以下操作:
To verify which ports are currently configured on the engine box, do the following:
FPR9K-1-A# connect fxos
FPR9K-1-A(fxos)# show port-channel summary Flags: D - Down P - Up in port-channel (members) I - Individual H - Hot-standby (LACP only) s - Suspended r - Module-removed S - Switched R - Routed U - Up (port-channel) M - Not in use. Min-links not met -------------------------------------------------------------------------------- Group Port- Type Protocol Member Ports Channel -------------------------------------------------------------------------------- 11 Po11(SU) Eth LACP Eth1/4(P) Eth1/5(P) 15 Po15(SD) Eth LACP Eth1/6(D) 48 Po48(SU) Eth LACP Eth1/2(P) Eth1/3(P)
檢查 2
Check 2
驗證分配給邏輯裝置的埠通道:
Could not close temporary folder: %s
FPR9K-1-A# scope ssa
FPR9K-1-A /ssa # show configuration
scope ssa
enter logical-device ftd_682021968 ftd "1,2,3" clustered
enter cluster-bootstrap
set chassis-id 1
set ipv4 gateway 0.0.0.0
set ipv4 pool 0.0.0.0 0.0.0.0
set ipv6 gateway ::
set ipv6 pool :: ::
set virtual ipv4 0.0.0.0 mask 0.0.0.0
set virtual ipv6 :: prefix-length ""
! set key
set mode spanned-etherchannel
set name 682021968
set site-id 0
exit
enter external-port-link Ethernet11_ftd Ethernet1/1 ftd
set decorator ""
set description ""
set port-name Ethernet1/1
exit
enter external-port-link PC11_ftd Port-channel11 ftd
set decorator ""
set description ""
set port-name Port-channel11
exit
enter external-port-link PC48_ftd Port-channel48 ftd
set decorator ""
set description ""
set port-name Port-channel48
exit
檢查 3
Check 3
檢查每個埠的埠通道流量統計資訊:
Check port traffic statistics for each port:
FPR9K-1-A(fxos)# show port-channel traffic interface port-channel 11
ChanId Port Rx-Ucst Tx-Ucst Rx-Mcst Tx-Mcst Rx-Bcst Tx-Bcst
------ --------- ------- ------- ------- ------- ------- -------
11 Eth1/4 62.91% 0.0% 58.90% 49.99% 100.00% 0.0%
11 Eth1/5 37.08% 0.0% 41.09% 50.00% 0.0% 0.0%
檢查 4
Check 4
檢查特定Port-Channel的詳細資訊:
Check specific Port-Channel details:
FPR9K-1-A(fxos)# show port-channel database interface port-channel 11
port-channel11
Last membership update is successful
2 ports in total, 2 ports up
First operational port is Ethernet1/4
Age of the port-channel is 0d:20h:26m:27s
Time since last bundle is 0d:18h:29m:07s
Last bundled member is Ethernet1/5
Ports: Ethernet1/4 [active ] [up] *
Ethernet1/5 [active ] [up]
檢查 5
Check 5
檢查本地LACP系統ID:
Check local LACP system ID:
FPR9K-1-A(fxos)# show lacp system-identifier 32768,b0-aa-77-2f-81-bb
檢查 6
Check 6
檢查上游裝置的LACP系統ID以及LACP狀態標誌:
Checking LACP system ID and LACP status labels for upstream devices:
FPR9K-1-A(fxos)# show lacp neighbor
Flags: S - Device is sending Slow LACPDUs F - Device is sending Fast LACPDUs
A - Device is in Active mode P - Device is in Passive mode
port-channel11 neighbors
Partner's information
Partner Partner Partner
Port System ID Port Number Age Flags
Eth1/4 32768,4-62-73-d2-65-0 0x118 66828 FA
LACP Partner Partner Partner
Port Priority Oper Key Port State
32768 0xb 0x3d
Partner's information
Partner Partner Partner
Port System ID Port Number Age Flags
Eth1/5 32768,4-62-73-d2-65-0 0x119 66826 FA
LACP Partner Partner Partner
Port Priority Oper Key Port State
32768 0xb 0x3d
檢查 7
Check 7
檢查埠通道事件歷史記錄:
Check the history of the port corridor incident:
FPR9K-1-A(fxos)# show port-channel internal event-history all
Low Priority Pending queue: len(0), max len(1) [Thu Apr 6 11:07:48 2017]
High Priority Pending queue: len(0), max len(16) [Thu Apr 6 11:07:48 2017]
PCM Control Block info:
pcm_max_channels : 4096
pcm_max_channel_in_use : 48
pc count : 3
hif-pc count : 0
Max PC Cnt : 104
Load-defer timeout : 120====================================================PORT CHANNELS:
2LvPC PO in system : 0
port-channel11
channel : 11
bundle : 65535
ifindex : 0x1600000a
admin mode : active
oper mode : active
fop ifindex : 0x1a003000
nports : 2
active : 2
pre cfg : 0
ltl : 0x0 (0)
lif : 0x0
iod : 0x78 (120)
global id : 3
flag : 0
lock count : 0
num. of SIs: 0
ac mbrs : 0 0
lacp graceful conv disable : 0
lacp suspend indiv disable : 1
pc min-links : 1
pc max-bundle : 16
pc max active members : 32
pc is-suspend-minlinks : 0
port load defer enable : 0
lacp fast-select-hot-standby disable : 0
ethpm bundle lock count : 0
bundle res global id : 2
Members:
Ethernet1/4 [bundle_no=0]
Ethernet1/5 [bundle_no=0]
port-channel external lock:
Lock Info: resource [eth-port-channel 11]
type[0] p_gwrap[(nil)]
FREE @ 246108 usecs after Wed Apr 5 14:18:10 2017
type[1] p_gwrap[(nil)]
FREE @ 436471 usecs after Wed Apr 5 16:15:30 2017
type[2] p_gwrap[(nil)]
FREE @ 436367 usecs after Wed Apr 5 16:15:30 2017
0x1600000a
internal (ethpm bundle) lock:
Lock Info: resource [eth-port-channel 11]
type[0] p_gwrap[(nil)]
FREE @ 246083 usecs after Wed Apr 5 14:18:10 2017
type[1] p_gwrap[(nil)]
FREE @ 610546 usecs after Wed Apr 5 16:19:04 2017
type[2] p_gwrap[(nil)]
FREE @ 610437 usecs after Wed Apr 5 16:19:04 2017
0x1600000a
>>>>FSM: <eth-port-channel 11> has 194 logged transitions<<<<<
1) FSM:<eth-port-channel 11> Transition at 557291 usecs after Wed Apr 5 16:04:27 2017
Previous state: [PCM_PC_ST_WAIT_REL_RESRC]
Triggered event: [PCM_PC_EV_REL_RESRC_DONE]
Next state: [PCM_PC_ST_INIT]
2) FSM:<eth-port-channel 11> Transition at 49036 usecs after Wed Apr 5 16:07:18 2017
Previous state: [PCM_PC_ST_INIT]
Triggered event: [PCM_PC_EV_L2_CREATE]
Next state: [PCM_PC_ST_WAIT_CREATE]
3) FSM:<eth-port-channel 11> Transition at 49053 usecs after Wed Apr 5 16:07:18 2017
Previous state: [PCM_PC_ST_WAIT_CREATE]
Triggered event: [PCM_PC_EV_L2_CREATED]
Next state: [PCM_PC_ST_CREATED]
檢查 8
Check 8
Debug lacp all會產生非常大的輸出:
Debug lacp all produces very large output:
FPR9K-1-A(fxos)# debug lacp all
2017 Jul 11 10:42:23.854160 lacp: lacp_pkt_parse_pdu(569): lacp_pkt_parse_pdu: got packet from actorport=220a partnerport=43 2017 Jul 11 10:42:23.854177 lacp: lacp_pkt_compute_port_params(1163): Ethernet1/3(0x1a002000): pa aggregatable state=1 ac aggregatable state=1 pkt sync=1 port_stateactive=1 2017 Jul 11 10:42:23.854190 lacp: lacp_pkt_compute_port_params(1170): p_el=(8000, 2-0-0-0-0-1, 136, 8000, 220a) 2017 Jul 11 10:42:23.854198 lacp: lacp_pkt_compute_port_params(1172): p_el_pkt=(8000, 2-0-0-0-0-1, 136, 8000, 220a) 2017 Jul 11 10:42:23.854207 lacp: lacp_utils_get_obj_type_from_ifidx(390): lacp_utils_get_obj_type_from_ifidx: For if-index 1a002000 , if_type=26 2017 Jul 11 10:42:23.854218 lacp: Malloc in fu_fsm_event_new@https://www.cisco.com/c/zh_tw/support/docs/security/utils/fsmutils/fsm.c[5317]-ty[1]0x9bf719c[124] 2017 Jul 11 10:42:23.854228 lacp: lacp_utils_cr_fsm_event(572): Called from lacp_utils_create_fsm_event_with_params: Create event 0x9bf719c 2017 Jul 11 10:42:23.854237 lacp: Malloc in fu_fsm_event_pair_new@https://www.cisco.com/c/zh_tw/support/docs/security/utils/fsmutils/fsm.c[5327]-ty[2]0x9bf730c[132] 2017 Jul 11 10:42:23.854248 lacp: fu_fsm_execute_all: match_msg_id(0), log_already_open(0) 2017 Jul 11 10:42:23.854257 lacp: Malloc in fu_fsm_event_new@https://www.cisco.com/c/zh_tw/support/docs/security/utils/fsmutils/fsm.c[5317]-ty[1]0x9bf719c[124] 2017 Jul 11 10:42:23.854268 lacp: fu_fsm_execute: (Ethernet1/3) 2017 Jul 11 10:42:23.854275 lacp: current state [LACP_ST_PORT_MEMBER_COLLECTING_AND_DISTRIBUTING_ENABLED] 2017 Jul 11 10:42:23.854283 lacp: current event [LACP_EV_PARTNER_PDU_IN_SYNC_COLLECT_ENABLED_DISTRIBUTING_ENABLED] 2017 Jul 11 10:42:23.854291 lacp: next state [FSM_ST_NO_CHANGE] 2017 Jul 11 10:42:23.854304 lacp: lacp_proto_get_state(969): IF Ethernet1/3(0x1a002000): end PartnerEnd(2): state TimeOut(1): enable_flag False 2017 Jul 11 10:42:23.854314 lacp: lacp_proto_record_pdu(2266): Recording PDU for LACP pkt on IF Ethernet1/3(0x1a002000) 2017 Jul 11 10:42:23.854325 lacp: lacp_proto_set_state(900): IF Ethernet1/3(0x1a002000): Set end ActorEnd(1): state Defaulted(6) from False to False 2017 Jul 11 10:42:23.854335 lacp: lacp_proto_get_state(969): IF Ethernet1/3(0x1a002000): end PartnerEnd(2): state TimeOut(1): enable_flag False 2017 Jul 11 10:42:23.854344 lacp: lacp_proto_update_ntt(2211): updateNTT called for IF Ethernet1/3(0x1a002000) 2017 Jul 11 10:42:23.854355 lacp: lacp_proto_get_state(969): IF Ethernet1/3(0x1a002000): end ActorEnd(1): state TimeOut(1): enable_flag True 2017 Jul 11 10:42:23.854362 lacp: lacp_timer_start_w_chgd_time(681): lacp_timer_start_w_chgd_time: starting timer with time in ms=15000 2017 Jul 11 10:42:23.854377 lacp: lacp_timer_start(637): Timer Started: Timer_Arg ([rid type IF-Rid: ifidx 0x1a002000: ch_num 0: event_id LACP_EV_RECEIVE_PARTNER_PDU_TIMED_OUT(17): timer_id 426092: type PartnerTimedOut: active True: period_in_ms 15000]) 2017 Jul 11 10:42:23.854386 lacp: lacp_timer_start(638): Timer period=15 seconds 2017 Jul 11 10:42:23.854396 lacp: Free ptr in fu_fsm_execute@https://www.cisco.com/c/zh_tw/support/docs/security/utils/fsmutils/fsm.c[1091] for addr 0x9bf719c 2017 Jul 11 10:42:23.854408 lacp: fu_fsm_execute_all: done processing event LACP_EV_PARTNER_PDU_IN_SYNC_COLLECT_ENABLED_DISTRIBUTING_ENABLED 2017 Jul 11 10:42:23.854419 lacp: fu_mts_drop ref 0x9bf7320 opc 90117 2017 Jul 11 10:42:23.854434 lacp: fu_fsm_execute_all: MTS_OPC_NET_L2_RX_DATA_HDR(msg_id 2623696) dropped 2017 Jul 11 10:42:23.854445 lacp: fu_fsm_engine_post_event_processing 2017 Jul 11 10:42:23.854453 lacp: end of while in fu_fsm_engine 2017 Jul 11 10:42:23.854461 lacp: fu_handle_process_hot_plugin_msg: Entered the function line 143 2017 Jul 11 10:42:23.854468 lacp: begin fu_fsm_engine: line[2357] 2017 Jul 11 10:42:24.361501 lacp: lacp_pkt_encode_pdu_helper(770): lacp_pkt_encode_pdu_helper: pkt_len=LACP_PDU_LEN=110 periodic_rate:1 2017 Jul 11 10:42:24.361530 lacp: lacp_pkt_encode_pdu_helper(797): lacp_pkt_encode_pdu_helper: if_idx=Ethernet1/3(0x1a002000) partner-mac=0-a6-ca-f3-c7-83 port_num=43 2017 Jul 11 10:42:24.361542 lacp: lacp_debug_wrapper_tl(1718): Executing [mcecm_api_is_pc_mcec] 2017 Jul 11 10:42:24.361551 lacp: lacp_debug_wrapper_tl(1718): input: if_index=[0x16000000] 2017 Jul 11 10:42:24.361559 lacp: lacp_debug_wrapper_tl(1718): Executing [mcecm_cache_is_pc_mcec] 2017 Jul 11 10:42:24.361568 lacp: lacp_debug_wrapper_tl(1718): output:0 2017 Jul 11 10:42:24.361589 lacp: lacp_pkt_encode_pdu_helper(842): 0x1a002000: Set short_timeout to periodic_rate:1 2017 Jul 11 10:42:24.361599 lacp: lacp_pkt_encode_pdu_helper(879): lacp_pkt_encode_pdu_helper: actor-port-state=3f agg=1 insync=1 coll=1 dis=1 active=1 short_timeout=1 2017 Jul 11 10:42:24.361612 lacp: lacp_pkt_encode_pdu_helper(906): lacp_pkt_encode_pdu_helper: if_idx=Ethernet1/3(0x1a002000) partner-port-state=3d agg=1 insync=1 coll=1 dis=1 active=1 short-timeout=0 2017 Jul 11 10:42:24.361624 lacp: lacp_pkt_encode_pdu_helper(910): lacp_pkt_encode_pdu_helper: if_idx=Ethernet1/3(0x1a002000) partner-mac=2-0-0-0-0-1 port_num=220a 2017 Jul 11 10:42:24.361636 lacp: lacp_net_tx_data(206): lacp_net_tx_data: Sending buffer with length 110 2017 Jul 11 10:42:24.361648 lacp: lacp_net_tx_data(215): 01 01 01 14 ffff 2017 Jul 11 10:42:24.361658 lacp: lacp_net_tx_data(215): ffff 2017 Jul 11 10:42:24.361668 lacp: lacp_net_tx_data(215): 00 00 00 02 14 ffff 2017 Jul 11 10:42:24.361678 lacp: lacp_net_tx_data(215): ffff 2017 Jul 11 10:42:24.361689 lacp: lacp_net_tx_data(215): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2017 Jul 11 10:42:24.361700 lacp: lacp_net_tx_data(215): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2017 Jul 11 10:42:24.361710 lacp: lacp_net_tx_data(215): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2017 Jul 11 10:42:24.361721 lacp: lacp_net_tx_data(247): Ethernet1/3(0x1a002000): Tx LACP PDU len: 110 As:3f, Ps:3d 2017 Jul 11 10:42:24.361753 lacp: lacp_proto_get_state(969): IF Ethernet1/3(0x1a002000): end PartnerEnd(2): state TimeOut(1): enable_flag False 2017 Jul 11 10:42:24.361764 lacp: lacp_proto_restart_tx_timer(1802): lacp_proto_restart_tx_timer: got enable flag=0 before sending on interface Ethernet1/3(0x1a002000) 2017 Jul 11 10:42:24.361773 lacp: lacp_proto_restart_tx_timer(1825): lacp_proto_restart_tx_timer: flag 0 interface Ethernet1/3(0x1a002000) periodic_timer is fast 2017 Jul 11 10:42:24.361782 lacp: lacp_timer_start_w_chgd_time(681): lacp_timer_start_w_chgd_time: starting timer with time in ms=1000 2017 Jul 11 10:42:24.361798 lacp: lacp_timer_start(637): Timer Started: Timer_Arg ([rid type IF-Rid: ifidx 0x1a002000: ch_num 0: event_id LACP_EV_PERIODIC_TRANSMIT_TIMER_EXPIRED(19): timer_id 400214: type PDUSendTime: active True: period_in_ms 1000]) 2017 Jul 11 10:42:24.361807 lacp: lacp_timer_start(638): Timer period=1 seconds 2017 Jul 11 10:42:24.361820 lacp: lacp_pkt_encode_pdu_helper(770): lacp_pkt_encode_pdu_helper: pkt_len=LACP_PDU_LEN=110 periodic_rate:1 2017 Jul 11 10:42:24.361833 lacp: lacp_pkt_encode_pdu_helper(797): lacp_pkt_encode_pdu_helper: if_idx=Ethernet1/4(0x1a003000) partner-mac=0-a6-ca-f3-c7-83 port_num=44 2017 Jul 11 10:42:24.361841 lacp: lacp_debug_wrapper_tl(1718): Executing [mcecm_api_is_pc_mcec] 2017 Jul 11 10:42:24.361849 lacp: lacp_debug_wrapper_tl(1718): input: if_index=[0x16000000] 2017 Jul 11 10:42:24.361857 lacp: lacp_debug_wrapper_tl(1718): Executing [mcecm_cache_is_pc_mcec] 2017 Jul 11 10:42:24.361865 lacp: lacp_debug_wrapper_tl(1718): output:0 2017 Jul 11 10:42:24.361879 lacp: lacp_pkt_encode_pdu_helper(842): 0x1a003000: Set short_timeout to periodic_rate:1 2017 Jul 11 10:42:24.361888 lacp: lacp_pkt_encode_pdu_helper(879): lacp_pkt_encode_pdu_helper: actor-port-state=7f agg=1 insync=1 coll=1 dis=1 active=1 short_timeout=1 2017 Jul 11 10:42:24.361899 lacp: lacp_pkt_encode_pdu_helper(906): lacp_pkt_encode_pdu_helper: if_idx=Ethernet1/4(0x1a003000) partner-port-state=0 agg=0 insync=0 coll=0 dis=0 active=0 short-timeout=0 2017 Jul 11 10:42:24.361910 lacp: lacp_pkt_encode_pdu_helper(910): lacp_pkt_encode_pdu_helper: if_idx=Ethernet1/4(0x1a003000) partner-mac=0-0-0-0-0-0 port_num=0 2017 Jul 11 10:42:24.361920 lacp: lacp_net_tx_data(206): lacp_net_tx_data: Sending buffer with length 110 2017 Jul 11 10:42:24.361930 lacp: lacp_net_tx_data(215): 01 01 01 14 ffff 2017 Jul 11 10:42:24.361940 lacp: lacp_net_tx_data(215): ffff 2017 Jul 11 10:42:24.361950 lacp: lacp_net_tx_data(215): 00 00 00 02 14 00 00 00 00 00 00 00 00 00 00 00 00 2017 Jul 11 10:42:24.361960 lacp: lacp_net_tx_data(215): 00 00 00 00 00 00 03 10 00 00 00 00 00 00 00 00 00 2017 Jul 11 10:42:24.361971 lacp: lacp_net_tx_data(215): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2017 Jul 11 10:42:24.361981 lacp: lacp_net_tx_data(215): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2017 Jul 11 10:42:24.361991 lacp: lacp_net_tx_data(215): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2017 Jul 11 10:42:24.362001 lacp: lacp_net_tx_data(247): Ethernet1/4(0x1a003000): Tx LACP PDU len: 110 As:7f, Ps:00 2017 Jul 11 10:42:24.362022 lacp: lacp_proto_get_state(969): IF Ethernet1/4(0x1a003000): end PartnerEnd(2): state TimeOut(1): enable_flag False 2017 Jul 11 10:42:24.362032 lacp: lacp_proto_restart_tx_timer(1802): lacp_proto_restart_tx_timer: got enable flag=0 before sending on interface Ethernet1/4(0x1a003000) 2017 Jul 11 10:42:24.362042 lacp: lacp_proto_restart_tx_timer(1825): lacp_proto_restart_tx_timer: flag 0 interface Ethernet1/4(0x1a003000) periodic_timer is fast 2017 Jul 11 10:42:24.362050 lacp: lacp_timer_start_w_chgd_time(681): lacp_timer_start_w_chgd_time: starting timer with time in ms=1000 2017 Jul 11 10:42:24.362062 lacp: lacp_timer_start(637): Timer Started: Timer_Arg ([rid type IF-Rid: ifidx 0x1a003000: ch_num 0: event_id LACP_EV_PERIODIC_TRANSMIT_TIMER_EXPIRED(19): timer_id 399340: type PDUSendTime: active True: period_in_ms 1000])
提示
Hint
檢查是否從對等體接收LACP資料包。例如,Ethernet1/3介面接收LACP資料包,但Ethernet1/4否:
Check whether the LACP data package is received from a peer. For example, the Ethernet1/3 interface receives the LACP data package, but Ethernet1/4 does not:
2017 Jul 11 10:42:25.641920 lacp: lacp_net_get_pkt_info(746): Packet received on phy_if_idx Ethernet1/3(0x1a002000): log_if_idx Ethernet1/3(0x1a002000): pkt_len 124 l2 header len 14 2017 Jul 11 10:42:25.641937 lacp: lacp_net_process_rx_data(480): Ethernet1/3(0x1a002000): Rx LACP PDU len: 124 As:3f, Ps:3d
檢查 9
Check 9
在此輸出中,介面Ethernet1/4是Port-Channel的成員,但處於個別模式(在交換器端擱置):
In this output, interface Ethernet 1/4 is a member of Port-Channel, but in a different mode (placed on the switchboard):
ciscofcm01-A(fxos)# show lacp internal event-history interface ethernet 1/4
>>>>FSM: <Ethernet1/4> has 549 logged transitions<<<<<
1) FSM:<Ethernet1/4> Transition at 385779 usecs after Wed Jul 5 13:13:03 2017
Previous state: [LACP_ST_PORT_IS_DOWN_OR_LACP_IS_DISABLED]
Triggered event: [LACP_EV_CLNUP_PHASE_II]
Next state: [LACP_ST_PORT_IS_DOWN_OR_LACP_IS_DISABLED]
2) FSM:<Ethernet1/4> Transition at 955546 usecs after Wed Jul 5 13:13:03 2017
Previous state: [LACP_ST_PORT_IS_DOWN_OR_LACP_IS_DISABLED]
Triggered event: [LACP_EV_LACP_ENABLED_AND_PORT_UP]
Next state: [LACP_ST_DETACHED_LAG_NOT_DETERMINED]
3) FSM:<Ethernet1/4> Transition at 962224 usecs after Wed Jul 5 13:13:10 2017
Previous state: [LACP_ST_DETACHED_LAG_NOT_DETERMINED]
Triggered event: [LACP_EV_RECEIVE_PARTNER_PDU_TIMED_OUT]
Next state: [FSM_ST_NO_CHANGE]
4) FSM:<Ethernet1/4> Transition at 963838 usecs after Wed Jul 5 13:13:13 2017
Previous state: [LACP_ST_DETACHED_LAG_NOT_DETERMINED]
Triggered event: [LACP_EV_RECEIVE_PARTNER_PDU_TIMED_OUT]
Next state: [FSM_ST_NO_CHANGE]
5) FSM:<Ethernet1/4> Transition at 964002 usecs after Wed Jul 5 13:13:13 2017
Previous state: [LACP_ST_DETACHED_LAG_NOT_DETERMINED]
Triggered event: [LACP_EV_RECEIVE_PARTNER_PDU_TIMED_OUT_II_INDIVIDUAL]
Next state: [LACP_ST_INDIVIDUAL_OR_DEFAULT]
6) FSM:<Ethernet1/4> Transition at 735923 usecs after Wed Jul 5 13:13:36 2017
Previous state: [LACP_ST_INDIVIDUAL_OR_DEFAULT]
Triggered event: [LACP_EV_UNGRACEFUL_DOWN]
Next state: [LACP_ST_PORT_IS_DOWN_OR_LACP_IS_DISABLED]
檢查 10
Check 10
在此輸出中,雖然屬於PortChannel1的成員的Ethernet1/4處於獨立模式,但介面Ethernet1/3仍可正常工作並屬於PortChannel1。請注意,Ethernet1/3傳送(tx)和接收(rx)封包,但Ethernet1/4僅傳送(rx) no tx:
In this output, while Ethernet1/4 belonging to Port Channel1 is in stand-alone mode, the interface Ethernet1/3 still works and belongs to Port Channel1. Note that Ethernet1/3 sends (tx) and receives (rx) packages, but Ethernet1/4 only sends (rx) no tx:
ciscofcm01-A(fxos)# debug lacp pkt ciscofcm01-A(fxos)# 2017 Jul 11 11:04:05.278736 lacp: lacp_net_process_rx_data(480): Ethernet1/3(0x1a002000): Rx LACP PDU len: 124 As:3f, Ps:3d 2017 Jul 11 11:04:05.602855 lacp: lacp_net_tx_data(247): Ethernet1/3(0x1a002000): Tx LACP PDU len: 110 As:3f, Ps:3d 2017 Jul 11 11:04:05.983134 lacp: lacp_net_tx_data(247): Ethernet1/4(0x1a003000): Tx LACP PDU len: 110 As:7f, Ps:00 2017 Jul 11 11:04:06.249929 lacp: lacp_net_process_rx_data(480): Ethernet1/3(0x1a002000): Rx LACP PDU len: 124 As:3f, Ps:3d 2017 Jul 11 11:04:06.602815 lacp: lacp_net_tx_data(247): Ethernet1/3(0x1a002000): Tx LACP PDU len: 110 As:3f, Ps:3d 2017 Jul 11 11:04:06.992812 lacp: lacp_net_tx_data(247): Ethernet1/4(0x1a003000): Tx LACP PDU len: 110 As:7f, Ps:00 2017 Jul 11 11:04:07.163780 lacp: lacp_net_process_rx_data(480): Ethernet1/3(0x1a002000): Rx LACP PDU len: 124 As:3f, Ps:3d 2017 Jul 11 11:04:07.602814 lacp: lacp_net_tx_data(247): Ethernet1/3(0x1a002000): Tx LACP PDU len: 110 As:3f, Ps:3d 2017 Jul 11 11:04:08.002817 lacp: lacp_net_tx_data(247): Ethernet1/4(0x1a003000): Tx LACP PDU len: 110 As:7f, Ps:00 2017 Jul 11 11:04:08.102006 lacp: lacp_net_process_rx_data(480): Ethernet1/3(0x1a002000): Rx LACP PDU len: 124 As:3f, Ps:3d 2017 Jul 11 11:04:08.612810 lacp: lacp_net_tx_data(247): Ethernet1/3(0x1a002000): Tx LACP PDU len: 110 As:3f, Ps:3d 2017 Jul 11 11:04:09.002811 lacp: lacp_net_tx_data(247): Ethernet1/4(0x1a003000): Tx LACP PDU len: 110 As:7f, Ps:00 2017 Jul 11 11:04:09.091937 lacp: lacp_net_process_rx_data(480): Ethernet1/3(0x1a002000): Rx LACP PDU len: 124 As:3f, Ps:3d 2017 Jul 11 11:04:09.622810 lacp: lacp_net_tx_data(247): Ethernet1/3(0x1a002000): Tx LACP PDU len: 110 As:3f, Ps:3d 2017 Jul 11 11:04:10.002807 lacp: lacp_net_tx_data(247): Ethernet1/4(0x1a003000): Tx LACP PDU len: 110 As:7f, Ps:00 2017 Jul 11 11:04:10.004411 lacp: lacp_net_process_rx_data(480): Ethernet1/3(0x1a002000): Rx LACP PDU len: 124 As:3f, Ps:3d 2017 Jul 11 11:04:10.632806 lacp: lacp_net_tx_data(247): Ethernet1/3(0x1a002000): Tx LACP PDU len: 110 As:3f, Ps:3d 2017 Jul 11 11:04:10.854094 lacp: lacp_net_process_rx_data(480): Ethernet1/3(0x1a002000): Rx LACP PDU len: 124 As:3f, Ps:3d 2017 Jul 11 11:04:11.002789 lacp: lacp_net_tx_data(247): Ethernet1/4(0x1a003000): Tx LACP PDU len: 110 As:7f, Ps:00 2017 Jul 11 11:04:11.642807 lacp: lacp_net_tx_data(247): Ethernet1/3(0x1a002000): Tx LACP PDU len: 110 As:3f, Ps:3d 2017 Jul 11 11:04:11.714199 lacp: lacp_net_process_rx_data(480): Ethernet1/3(0x1a002000): Rx LACP PDU len: 124 As:3f, Ps:3d
如需其他資訊,請查閱本檔案:
Read this file: & nbsp;
方式1
Mode 1
在FPRM tar檔案中,擷取FPRM_A_TechSupport.tar.gz檔案的內容。然後開啟sam_techsupportinfo檔案並搜尋Package-Verse:
In the FPRM tar file, take the contents of the FPRM_A_TechSupport.tar.gz file. Then open the sam_techssupportinfo file and search the Package-Verse:
FPR4140-A# show fabric-interconnect firmware
Fabric Interconnect A:
Running-Kern-Vers: 5.0(3)N2(4.11.74)
Running-Sys-Vers: 5.0(3)N2(4.11.74)
Package-Vers: 2.1(1.77)
Startup-Kern-Vers: 5.0(3)N2(4.11.74)
Startup-Sys-Vers: 5.0(3)N2(4.11.74)
Act-Kern-Status: Ready
Act-Sys-Status: Ready
Bootloader-Vers:
方式2
Mode 2
在FRPM tar檔案中,擷取FPRM_A_TechSupport.tar.gz檔案的內容。然後開啟/var/sysmgr/sam_logs/svc_sam_dme.log檔案並搜尋aInPlatformVersion關鍵字:
In the FRPM tar file, retrieve the contents of the FPRM_A_TechSupport.tar.gz file. Open/var/sysmgr/sam_logs/svc_sam_dme.log and search for aInPlatformVersion key:
它使用MIO App-Agent元件。
It uses the MIO App-Agent component.
例如,從MIO將新連線埠通道指派給FTD時:
For example, when a new port channel is assigned to the FTD from MIO:
FTD應用程式代理程式偵錯顯示:
FTD application agent error shows:
firepower# debug app-agent 255 appagent : part 0 : ftd_001_JAD19500BAB0Z690F2.interfaceMapping.update appagent : part 1 : ssp-xml:3 appagent : part 2 : 7 appagent : part 3 : appAG appagent : part 4 : <interfaceMappingConfigUpdateRequest><interfaceMapping action="insert"><externalPort><portName>Port-channel11</portName><vlan>1011</vlan><role>data</role><mode>individual</mode><mc_mode>individual</mc_mode><status>down</status><speed>1000</speed><mac type="system">5897.bdb9.367e</mac></externalPort><internalPort><bladeVNIC>9</bladeVNIC>
<bladeVNIC>22</bladeVNIC></internalPort></interfaceMapping></interfaceMappingConfigUpdateRequest> appagent : Process the request message appagent : It is an update request command appagent : Invoke request msg handler for cmd interfaceMapping.update appagent : Processing InterfaceMapping Update Message appagent : Creating Interface Mapping Structure. appagent : Processing the tag externalPort. appagent :================================appagent : PortName=Port-channel11 appagent : ftw capability=0 appagent : no available ftw peers appagent : cleaning external_port_ftw_peers_t appagent : Sending Response message for Interface Mapping update Message appagent : Send response message to appAG appagent : resp_msg->cmdName=appAG.interfaceMapping.update appagent : resp_msg->content_version=ssp-xml:3 appagent : resp_msg->msgId=7 appagent : resp_msg->statuscode=100 appagent : resp_msg->data=<interfaceMappingConfigUpdateResponse> <response> <code>100</code> <message>Request success</message> </response> </interfaceMappingConfigUpdateResponse> appagent : part 0 : ftd_001_JAD19500BAB0Z690F2.interfaceStatus.update appagent : part 1 : ssp-xml:3 appagent : part 2 : 8 appagent : part 3 : appAG appagent : part 4 : <interfaceStatusUpdateRequest><interface><interfaceName>Port-channel11</interfaceName><externalOperationalStatus>down</externalOperationalStatus><internalOperationalStatus>up</internalOperationalStatus></interface></interfaceStatusUpdateRequest> appagent : Process the request message appagent : It is an update request command appagent : Invoke request msg handler for cmd interfaceStatus.update appagent : Processing Interface Status Update Request. appagent : The Fxos version is 2.1.1 or newer appagent : Parsing interface status update request message for FXOS > 211 appagent : Parsing Interface Status Req. appagent : Interface Status Successfully Updated. appagent : Sending Response for Interface Status Update Request appagent : Send response message to appAG appagent : resp_msg->cmdName=appAG.interfaceStatus.update appagent : resp_msg->content_version=ssp-xml:3 appagent : resp_msg->msgId=8 appagent : resp_msg->statuscode=100 appagent : resp_msg->data=<interfaceStatusUpdateResponse> <response> <code>100</code> <message>Request success</message> </response> </interfaceStatusUpdateResponse>
Firepower機箱具有多個SN。RMA請求所用的命令可從以下輸出中獲取:
Wirepower has multiple SNs in the box. The RMA request command can be obtained from the following output:
FP4120-5-A# scope chassis 1
FP4120-5-A /chassis # show inventory
Chassis PID Vendor Serial (SN) HW Revision
---------- --------------- ----------------- ----------- -----------
1 FPR-4120-K9 Cisco Systems Inc FLM12345KL6 0
或:
or:
FP4120-5-A# connect local-mgmt FP4120-5-A(local-mgmt)# show license all Smart Licensing Status======================Smart Licensing is ENABLED Registration: Status: UNREGISTERED Export-Controlled Functionality: Not Allowed License Authorization: Status: No Licenses in Use License Usage==============No licenses in use Product Information===================UDI: PID:FPR-4120-SUP,SN:JAD19500BAB
或:
or:
FP4120-5-A# scope license FP4120-5-A /license # show license all Smart Licensing Status======================Smart Licensing is ENABLED Registration: Status: UNREGISTERED Export-Controlled Functionality: Not Allowed License Authorization: Status: No Licenses in Use License Usage==============No licenses in use Product Information===================UDI: PID:FPR-4120-SUP,SN:JAD19500BAB
簡短的回答是「否」。SSD1包含應用映像(例如FTD或ASA)。如果您將SSD1從機箱中取出,並將其插入不同的機箱,則模組不會出現,並且會顯示以下錯誤:
The short answer is no. SSD1 contains application images (e.g. FTD or ASA). If you remove SSD1 from the box and insert it in a different box, the module will not appear and will show the following errors:
F1548 2017-11-08T11:36:40.095 427280刀鋒交換偵測到插槽1
F1548 2017-11-08T11:36:40.095,427280 FLDS detected in slot 1
安全模組映像不匹配
Security module image does not match
伺服器1/1上缺少本地磁碟1
Missing local disk 1 on server 1/1
從FXOS 2.2.1版本開始,您可以使用命令show environment summary:
Starting with the FXOS version 2.2.1, you can use the commandshow environment submary:
FPR4100-1 /chassis # show environment summary
Chassis INFO :
Total Power Consumption: 440.000000
Inlet Temperature (C): 21.000000
CPU Temperature (C): 39.000000
Last updated Time: 2018-07-01T09:39:55.157
PSU 1:
Type: AC
Input Feed Status: Ok
12v Output Status: Ok
Overall Status: Operable
PSU 2:
Type: AC
Input Feed Status: N/A
12v Output Status: N/A
Overall Status: Removed
FAN 1
Fan Speed RPM (RPM): 12110
Speed Status: Ok
Overall Status: Operable
FAN 2
Fan Speed RPM (RPM): 12110
Speed Status: Ok
Overall Status: Operable
FAN 3
Fan Speed RPM (RPM): 12100
Speed Status: Ok
Overall Status: Operable
有關其他資訊,請檢視:
For additional information please see:
FPR-4110-7-A# scope chassis 1
FPR-4110-7-A /chassis # scope server 1
FPR-4110-7-A /chassis/server # scope adapter 1
FPR-4110-7-A /chassis/server/adapter # show version detail
Adapter 1:
Running-Vers: 5.3(1.91)
Package-Vers: 2.3(1.88)
Update-Status: Ready
Activate-Status: Ready
Bootloader-Update-Status: Ready
Startup-Vers: 5.3(1.91)
Backup-Vers: 5.3(1.48)
Bootloader-Vers: MF-111-234949
安裝FXOS 2.3.1.58或更新版本後,系統可能會顯示您的安全裝置上發生嚴重故障,指示需要升級介面卡韌體:
When installed or updated by FXOS 2.3.1.58, the system may show a serious malfunction on your security device, indicating that an upgrade to the interface will be required:
Critical F1715 2017-05-11T11:43:33.121 339561 Adapter 1 on Security Module 1 requires a critical firmware upgrade. Please see Adapter Bootloader Upgrade instructions in the FXOS Release Notes posted with this release.
開機載入程式升級的程式在此連結中說明:
https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos231/release/notes/fxos231_rn.html#pgfId-173826
A program to load the program upgrades is described in this connection by:
如果在引導載入程式升級期間遇到以下錯誤,可以嘗試使用「force」選項。
Try using the "Force" option if the following error occurs during the upgrade of the pilot loader.
FPR-4110-7-A# scope chassis 1
FPR-4110-7-A /chassis # scope server 1
FPR-4110-7-A /chassis/server # scope adapter 1/1/1
FPR-4110-7-A /chassis/server/adapter # show image
Name Type Version
--------------------------------------------- -------------------- -------
fxos-m83-8p40-cruzboot.4.0.1.62.bin Adapter Boot 4.0(1.62)
fxos-m83-8p40-vic.4.0.1.51.bin Adapter 4.0(1.51)
fxos-m83-8p40-vic.5.3.1.2.bin Adapter 5.3(1.2)
fxos-m83-8p40-vic.5.3.1.48.bin Adapter 5.3(1.48)
fxos-m83-8p40-vic.5.3.1.91.bin Adapter 5.3(1.91)
FPR-4110-7-A /chassis/server/adapter # update boot-loader 4.0(1.62)
Warning: Please DO NOT reboot blade or chassis during uprgade, otherwise, it may cause adapter UNUSABLE
After upgrade completed, blade must be power cycled automatically
FPR-4110-7-A /chassis/server/adapter* # commit-buffer
Error: Update failed: [This adaptor is not applicable for boot-loader upgrade.]
這在實驗室測試和故障排除過程中非常有用。請注意,此絕對超時是一種安全最佳實踐,對於非零值,如果要在使用者環境中暫時完成,請注意這一點。
This is very useful in laboratory testing and troubleshooting. Note that this is an absolute time-out of the best safety practice. For non-zero values, note this if it is to be completed temporarily in the user environment. & nbsp; & nbsp;
FPR-4115-A# scope security
FPR-4115-A /security # scope default-auth
FPR-4115-A /security/default-auth # show detail
Default authentication:
Admin Realm: Local
Operational Realm: Local
Web session refresh period(in secs): 600
Idle Session timeout(in secs) for web, ssh, telnet sessions: 3600
Absolute Session timeout(in secs) for web, ssh, telnet sessions: 3600
Serial Console Idle Session timeout(in secs): 3600
Serial Console Absolute Session timeout(in secs): 3600
Admin Authentication server group:
Operational Authentication server group:
Use of 2nd factor: No
FPR-4115-A /security/default-auth # set absolute-session-timeout 0
FPR-4115-A /security/default-auth* # commit-buffer
FPR-4115-A /security/default-auth # show detail
Default authentication:
Admin Realm: Local
Operational Realm: Local
Web session refresh period(in secs): 600
Idle Session timeout(in secs) for web, ssh, telnet sessions: 3600
Absolute Session timeout(in secs) for web, ssh, telnet sessions: 0
Serial Console Idle Session timeout(in secs): 3600
Serial Console Absolute Session timeout(in secs): 3600
Admin Authentication server group:
Operational Authentication server group:
Use of 2nd factor: No
發往Firepower 4100/9300機箱管理引擎(控制平面)的LACP資料包封裝在特定資料包的資料部分內,並可使用ethanalyzer命令在內部入站- 高介面上捕獲。從值為01 80 C2 00 00 02(IEEE 802.3 Slow_Protocols_Multicast地址)的位元組開始嵌入LACP PDU位元組,直至資料部分結束:
The LACP data package , which is sent to Firepower 4100/9300 engine (control plane), can be sealed in the data section of a particular data package and 使用聯機工具可將十六進位制轉儲轉換為PCAP。 Hexadecimal converts to PCAP using a network tool. 以下是FN72077中步驟1的解決辦法/解決方案部分提到的所有FXOS版本,都提供了機箱管理引擎內部SSD資訊: All the FXOS versions referred to in section of 安全引擎(刀鋒) SSD: SSD: 請參閱文章配置和驗證安全防火牆和Firepower內部交換機捕獲。 See article .firepower# connect fxos
...
firepower(fxos)# ethanalyzer local interface inbound-hi limit-captured-frames 10000 limit-frame-size 9000 detail
Capturing on 'eth4'
Frame 1: 188 bytes on wire (1504 bits), 188 bytes captured (1504 bits) on interface 0
Interface id: 0 (eth4)
Interface name: eth4
Encapsulation type: Ethernet (1)
Arrival Time: Dec 5, 2023 09:16:06.736180828 UTC
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1701767766.736180828 seconds
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 188 bytes (1504 bits)
Capture Length: 188 bytes (1504 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:vlan:ethertype:data]
Ethernet II, Src: 02:10:18:a3:4f:f5 (02:10:18:a3:4f:f5), Dst: 58:97:bd:b9:36:4e (58:97:bd:b9:36:4e)
Destination: 58:97:bd:b9:36:4e (58:97:bd:b9:36:4e)
Address: 58:97:bd:b9:36:4e (58:97:bd:b9:36:4e)
.... ..0. .... .... .... ....=LG bit: Globally unique address (factory default)
.... ...0 .... .... .... ....=IG bit: Individual address (unicast)
Source: 02:10:18:a3:4f:f5 (02:10:18:a3:4f:f5)
Address: 02:10:18:a3:4f:f5 (02:10:18:a3:4f:f5)
.... ..1. .... .... .... ....=LG bit: Locally administered address (this is NOT the factory default)
.... ...0 .... .... .... ....=IG bit: Individual address (unicast)
Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 4048
000. .... .... ....=Priority: Best Effort (default) (0)
...0 .... .... ....=DEI: Ineligible
.... 1111 1101 0000=ID: 4048
Type: Unknown (0xde08)
Data (170 bytes)
0000 b8 50 20 04 00 00 00 00 00 00 00 00 00 00 81 00 .P .............
0010 00 00 00 00 00 04 09 04 cd 00 00 00 00 00 00 00 ................
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 80 ................
0030 c2 00 00 02 58 97 bd b9 36 51 88 09 01 01 01 14 ....X...6Q......
0040 80 00 58 97 bd b9 36 4d 00 28 80 00 00 44 3f 00 ..X...6M.(...D?.
0050 00 00 02 14 80 00 00 17 df d6 ec 00 00 33 80 00 .............3..
0060 02 2c 3d 00 00 00 03 10 00 00 00 00 00 00 00 00 .,=.............
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00a0 00 00 00 00 00 00 00 00 00 00 ..........
Data: b85020040000000000000000000081000000000000040904...KSEC-FPR4112-4 # scope chassis 1
KSEC-FPR4112-4 /chassis # show sup version detail
SUP FIRMWARE:
ROMMON:
Running-Vers: 1.0.15
Package-Vers: 1.0.18
Activate-Status: Ready
Upgrade Status: SUCCESS
FPGA:
Running-Vers: 2.00
Package-Vers: 1.0.18
Activate-Status: Ready
SSD:
Running-Vers: MU03
Model: Micron_M500IT_MTFDDAT128MBDKSEC-FPR4112-4# show server storage detail
Server 1/1:
<output skipped>
RAID Controller 1:
Type: SATA
Vendor: Cisco Systems Inc
Model: FPR4K-PT-01
Serial: JAD260508TZ
HW Revision:
PCI Addr: 00:31.2
Raid Support:
OOB Interface Supported: No
Rebuild Rate: N/A
Controller Status: Unknown
Local Disk 1:
Vendor: INTEL
Model: SSDSC2KG48
Serial: PHYG109603PA480BGN
HW Rev: 0
Operability: Operable
Presence: Equipped
Size (MB): 400000
Drive State: Online
Power State: Active
Link Speed: 6 Gbps
Device Type: SSD
Local Disk 2:
Vendor: INTEL
Model: SSDSC2KG96
Serial: PHYG143301JG960CGN
HW Rev: 0
Operability: Operable
Presence: Equipped
Size (MB): 800000
Drive State: Online
Power State: Active
Link Speed: 6 Gbps
Device Type: SSD
Local Disk Config Definition:
Mode: No RAID
Description:
Protect Configuration: No
注册有任何问题请添加 微信:MVIP619 拉你进入群
打开微信扫一扫
添加客服
进入交流群
发表评论