Below, the 10 Cisco IOS debug methods are introduced one by one.
10. Debug all
Obviously the most dangerous debug command is debug all: it can crash the router outright. Of course, the system asks for confirmation before executing it. To satisfy your curiosity, Listing C shows the output of this command.
9. Debug ISDN and dialer
Debug is useful when troubleshooting Cisco router dial configurations. In practice, a dial configuration rarely works on the first attempt. A better approach when configuring IOS dial is to configure and test one layer at a time (following the OSI layers). When a test fails, debug comes into play:
- debug isdn events debugs all ISDN events. This debug is best used before q921 or q931, as those two are relatively more cumbersome. debug isdn events may give you all the information you want.
- debug isdn q921 targets Layer 2.
- debug isdn q931 targets Layer 3.
- debug dialer events tells you why a dial was initiated or ended. Here is an example:
00:18:52: BRI0/0 DDR: Dialing cause ip (s=.2, d=1.1.1.1)
00:18:52: BRI0/0 DDR: Attempting to dial 8358661
00:19:22: BRI0/0:2 DDR: disconnecting call
- debug dialer packet shows which packets are passing through the dialer interface, their source and destination, and whether the packet is permitted by the dialer-list on the interface. Example:
00:39:24: BRI0/0 DDR: ip (s=.2, d=1.1.1.1), 100 bytes, outgoing interesting (ip PERMIT)
00:39:24: BRI0/0 DDR: ip (s=1.1.1.2, d=1.1.1.1), 100 bytes, outgoing interesting (ip PERMIT)
00:39:24: BRI0/0 DDR: ip (s=1.1.1.2, d=1.1.1.1), 100 bytes, outgoing interesting (ip PERMIT)
00:39:24: BRI0/0 DDR: ip (s=1.1.1.2, d=1.1.1.1), 100 bytes, outgoing interesting (ip PERMIT)
00:41:09: BRI0/0 DDR: cdp, 273 bytes, outgoing uninteresting (no list matched)
8. PPP authentication
If you have configured PPP authentication on a dialup line for security purposes, packets are matched or blocked by username and password. Without debug ppp authentication, problems are hard to find.
This is the output of debug ppp authentication on a router when the password is wrong:
00:32:30: BR0/0:1 CHAP: O CHALLENGE id 13 len 23 from "r2"
00:32:31: BR0/0:1 CHAP: I CHALLENGE id 2 len 23 from "r1"
00:32:31: BR0/0:1 CHAP: O RESPONSE id 2 len 23 from "r2"
00:32:31: BR0/0:1 CHAP: I FAILURE id 2 len 26 msg is "Authentication failure"
This is the output of debug ppp authentication on a router when the username is wrong:
00:47:05: BR0/0:1 CHAP: O CHALLENGE id 25 len 23 from "r2"
00:47:05: BR0/0:1 CHAP: I CHALLENGE id 19 len 23 from "r1"
00:47:05: BR0/0:1 CHAP: O RESPONSE id 19 len 23 from "r2"
00:47:05: BR0/0:1 CHAP: I FAILURE id 19 len 25 msg is "MD/DES compare failed"
7. Debug {topology} packet
This method diagnoses each OSI layer in turn; for reference, see Cisco Certification: Bridges, Routers, and Switches for CCIEs.
Following the OSI model, whatever the network topology, you can, for example, use debug to see what kind of encapsulation Layer 2 is using (assuming your cabling is good). Suppose you are using Frame Relay but cannot receive packets; once you have confirmed the link is up, you can use debug frame-relay packet.
Then, if you try to ping the remote router's interface, you may get the following debug message:
01:03:22: Serial0/0:Encaps failed--no map entry link 7(IP)
This message tells you that Frame Relay encapsulation of an IP packet failed. Moreover, it tells you the error is due to a missing frame-relay map statement. After fixing that, you will find the Frame Relay error is gone. But packets may still not get through, so you also need to debug Layer 3:
debug ip packet
which yields:
01:06:46: IP: s=.2 (local), d=11.11.11.11, len 100, unroutable
This tells you there is no route at Layer 3 for the traffic; adding a route then resolves the problem completely.
Depending on your situation, you can also try the following for debugging:
- debug atm packet
- debug serial packet
- debug ppp packet
- debug dialer packet
- debug fastethernet packet
6. Debug crypto (IPSec and VPN functions)
Of course IPSec and VPN are too broad a topic, with too many failure modes to enumerate. Here are a few commonly used IPSec and VPN debug commands:
- debug crypto isakmp
- debug crypto ipsec
- debug crypto engine
- debug ip security
- debug tunnel
In addition, debug ip packet is also very helpful for diagnosing IPSec.
If you want to know more about IPSec, refer to Cisco's IP Security Protocols section.
5. Debug IP routing
For example, if there is a routing problem in your network, such as a route being added and then quickly removed again (flapping), you can use debug ip routing.
The output may look like this:
01:30:56: RT: add 111.111.111.111/32 vi.11, ospf metric [110/65]
01:31:13: RT: del 111.111.111.111/32 vi.11, ospf metric [110/65]
01:31:13: RT: delete subnet route to 111.111.111.111/32
01:31:13: RT: delete network route to 111.0.0.0
01:32:56: RT: add 111.111.111.111/32 vi.11, ospf metric [110/65]
01:33:13: RT: del 111.111.111.111/32 vi.11, ospf metric [110/65]
01:33:13: RT: delete subnet route to 111.111.111.111/32
01:33:13: RT: delete network route to 111.0.0.0
This indicates a routing loop in your network. Another possibility is a link on a dialer or Frame Relay interface that comes up and immediately goes down again.
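As an added example (not part of the original post), here is a Python script that reads debug ip routing output of the kind shown above and flags prefixes that are repeatedly added and deleted within a short window; the log lines are constructed for the demonstration, with a made-up next hop 1.1.1.11 in place of the truncated one in the post.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the "debug ip routing" lines above
# (next hop 1.1.1.11 and the 10.0.0.0/24 route are invented).
SAMPLE_RT_LOG = """\
01:30:56: RT: add 111.111.111.111/32 via 1.1.1.11, ospf metric [110/65]
01:31:13: RT: del 111.111.111.111/32 via 1.1.1.11, ospf metric [110/65]
01:31:13: RT: delete subnet route to 111.111.111.111/32
01:31:13: RT: delete network route to 111.0.0.0
01:32:56: RT: add 111.111.111.111/32 via 1.1.1.11, ospf metric [110/65]
01:33:13: RT: del 111.111.111.111/32 via 1.1.1.11, ospf metric [110/65]
01:33:13: RT: delete subnet route to 111.111.111.111/32
01:33:13: RT: delete network route to 111.0.0.0
01:34:00: RT: add 10.0.0.0/24 via 1.1.1.12, ospf metric [110/20]
"""

# Only the "RT: add ..." / "RT: del ..." lines carry the prefix, next hop and metric;
# the "delete subnet/network route" follow-ups repeat what the del line already said.
RT_EVENT = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d): RT: (?P<op>add|del) "
    r"(?P<prefix>\S+) via (?P<nexthop>[^,]+), (?P<proto>\w+) metric "
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]"
)


def parse_rt_events(log):
    """Yield (seconds since boot, op, prefix, nexthop, proto) per add/del line."""
    for line in log.splitlines():
        m = RT_EVENT.match(line)
        if not m:
            continue
        ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        yield ts, m["op"], m["prefix"], m["nexthop"], m["proto"]


def find_flapping_routes(log, min_events=4, window=600):
    """Return {prefix: total add/del events} for every prefix that saw at least
    `min_events` add/del transitions inside some `window`-second span."""
    by_prefix = defaultdict(list)
    for ts, op, prefix, *_ in parse_rt_events(log):
        by_prefix[prefix].append((ts, op))
    flapping = {}
    for prefix, events in by_prefix.items():
        events.sort()
        for i in range(len(events)):
            j = i  # extend j as far as the window allows from event i
            while j + 1 < len(events) and events[j + 1][0] - events[i][0] <= window:
                j += 1
            if j - i + 1 >= min_events:
                flapping[prefix] = len(events)
                break
    return flapping
```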
4. Debug ip {routing protocol}
debug ip has many options, which you can list with debug ip ?; see Listing D.
Many routing protocols (e.g., OSPF, EIGRP, IGRP, and BGP) are included in that list. Each protocol in turn has many extended debug options of its own (which you can obtain with debug ip {routing protocol} ?). For example, debug ip ospf adjacency is the only way to find out that two OSPF routers are not forming an adjacency because their authentication types do not match.
Here is the output telling you the authentication types do not match:
01:39:46: OSPF: Rcv pkt from .11, Serial0/0 : Mismatch Authentication type. Input packet specified type 0, we use type 2
In this situation, without debug you might be scratching your head.
3. Debug list
This is a rarely used but rather interesting command. It actually debugs nothing by itself: it sets an access list, on one of your interfaces, for your next debug command. For example:
debug list 1
debug dhcp detail
DHCP client activity debugging is on for access list: 1 (detailed)
2. Logging access lists to the system log or syslog
You can use the log option at the end of an access list entry to log packets that are permitted or denied. This serves, in part, as a firewall or access control function. Examples:
First, suppose you allow only BGP through your network and want to track other traffic that tries to enter a link. Example configuration:
Interface Serial 0/0
Access-group
access-list 100 remark Begin — Allow BGP IN and OUT
access-list 100 permit tcp host .1 host 2.2.2.2 eq bgp
access-list 100 permit udp any host 2.2.2.2 gt 33000
access-list 100 remark End
access-list 100 deny ip any any log
If you have enabled "logging buffered" or configured a syslog server, all traffic passing through your router will be recorded.
In the second example, suppose you want to build an access list to see what type of traffic passes through your dialer interface. Configuration:
Interface BRI 0/0
Access-group
Access-group 100 out
access-list 100 permit ip any any log
If you look at the router's log, you will see that an ICMP packet and a TCP packet passed through your link:
02:03:43: %SEC-6-IPACCESSLOGDP: list 100 permitted icm.2 -> 1.1.1.1 (0/0), 1 packet
02:06:25: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 1.1.1.2(0) -> 1.1.1.1(0), 1 packet
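An added example, not from the original post: a Python parser for the %SEC-6-IPACCESSLOG* lines that the log keyword produces, totalling denied packets per source and listing the destination ports a source was refused on. The sample lines are constructed (the 10.9.9.9 source and its ports are invented) and follow the two formats shown above plus the IPACCESSLOGNP form IOS uses for protocols other than TCP/UDP/ICMP.

```python
import re
from collections import Counter

# Constructed sample log: the first two lines mirror the ones above, the rest are
# invented to show deny hits from a "deny ip any any log" entry.
SAMPLE_ACL_LOG = """\
02:03:43: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 1.1.1.2 -> 1.1.1.1 (0/0), 1 packet
02:06:25: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 1.1.1.2(0) -> 1.1.1.1(0), 1 packet
02:09:10: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.9.9.9(41000) -> 2.2.2.2(23), 1 packet
02:09:12: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.9.9.9(41001) -> 2.2.2.2(22), 1 packet
02:14:30: %SEC-6-IPACCESSLOGNP: list 100 denied 47 10.9.9.9 -> 2.2.2.2, 3 packets
02:15:00: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 1.1.1.1(33000) -> 2.2.2.2(179), 12 packets
"""

# P  = tcp/udp with "(port)" after each address, DP = icmp with "(type/code)",
# NP = other IP protocols, shown by protocol number with no ports.
ACL_LINE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>P|DP|NP): list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)


def parse_acl_log(log):
    """One dict per %SEC-6-IPACCESSLOG* line; unmatched lines are skipped."""
    records = []
    for line in log.splitlines():
        m = ACL_LINE.search(line)
        if m:
            rec = m.groupdict()
            rec["count"] = int(rec["count"])  # IOS prints "1 packet" or "N packets"
            records.append(rec)
    return records


def denied_packets_by_source(log):
    """Packets that hit a deny ... log entry, totalled per source address."""
    totals = Counter()
    for rec in parse_acl_log(log):
        if rec["action"] == "denied":
            totals[rec["src"]] += rec["count"]
    return totals


def denied_destination_ports(log, src):
    """Distinct TCP/UDP destination ports on which `src` was denied."""
    return sorted({int(rec["dport"]) for rec in parse_acl_log(log)
                   if rec["action"] == "denied" and rec["src"] == src and rec["dport"]})
```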
1. Debug IP packet detail XXX (access list number)
This command can act like a basic sniffer/protocol analyzer, using an access list to view traffic from (or to) a given host. Why only a basic one? Because it cannot see the packet header.
You can use the access list to look at specific hosts, protocols, ports, or networks. It is not a protocol analyzer in the true sense, but it is a feature built into IOS and is quicker and more convenient to use than other tools. The following example configures logging of all Telnet packets passing through your router.
access-list 101 permit tcp any any eq telnet
debug ip packet detail 101
IP packet debugging is on (detailed) for access list 101
Listing E summarizes some sample debug output.
From the output you can see the captured IP source and destination (address and port number), interface, sequence number, acknowledgement number, window size, and TCP flags (SYN, ACK, FIN).
This post was written by:
不唠嗑
***Use debug commands with caution when CPU or memory utilization is above 50%***
Appendix: Listing C
Router#deb all
This may severely impact network performance. Continue? (yes/[no]): yes
All possible debugging has been turned on
Router#
Router#show debug
"debug all" is in effect.
Command parser:
Parser ambiguity debugging is off
Help message debugging is off
Parser mode debugging is off
Parser interface range debugging is off
Parser aliases debugging is off
Privilege level debugging is off
Parser HTTP processing debugging is off
Parser Cache debugging is off
Frame Relay switching debug interval is 1 seconds
UDPtn debugging is off
LPD Printer debugging is off (detailed)
IP multicast:
IP multicast fast-switching debugging is on
IP multicast routing debugging is on
IGMP debugging is on
CGMP debugging is on
RGMP debugging is on
DVMRP debugging is on
PIM debugging is on
PIM DF debugging is on
PIM ATM debugging is on
PIM BSR debugging is on
SD debugging is on
PIM Auto-RP debugging is on
MSDP debugging is on
URD debugging is on
Heartbeat debugging is on
IP Multicast tagswitching debugging is on
PIM multicast tagswitching debugging is on
AT/EIGRP:
AT/EIGRP Event Logging debugging is off
AppleTalk Remote Access:
ARAP MNP4 debugging is on
ARAP V.42bis debugging is on
ARAP internal packet debugging is on
ARAP memory debugging is on
LDAP:
connect debbuging is on
bind debbuging is on
ber debbuging is on
receivedata debbuging is on
request debbuging is on
referrals debbuging is on
error debbuging is on
DLSw:
DLSw Core debugging is off
DLSw Reachability debugging is off
DLSw Local Circuit debugging is off
DLSw reachability debugging is on at event level for all protocol traffic
DLSw core message debugging is on
DLSw core state debugging is on
DLSw core flow control debugging is on
DLSw core xid debugging is on
DLSw Local Circuit debugging is on
SNA:
SNA activation debugging is on for all PUs
SNA packet debugging is on for all PUs
SNA state change debugging is on for all PUs
SNA trace debugging is on for all PUs
SNA alert debugging is on for all PUs
NCIA: Debug client all is on
NCIA: Debug server is on
NCIA: Debug circuit all is on
BSTUN:
BSTUN event debugging is on
BSTUN packet debugging is on
BSTUN packet display size for debugging is 20
BSC:
BSC event debugging is on
BSC packet debugging is on
BSC diagnostic debugging is on
BSC packet display size for debugging is 20
ASPP:
ASPP event debugging is on
ASPP packet debugging is on
ASPP packet display size for debugging is 20
MGCP:
Media Gateway Control Protocol input packets in hex value debugging is off
Rudpv1: Application debugging is enabled
Rudpv1: Performance debugging is enabled
Rudpv1: Retransmit/softreset is enabled
Rudpv1: Segment debugging is enabled
Rudpv1: Signal debugging is enabled
Rudpv1: State debugging is enabled
Rudpv1: Timer debugging is enabled
Rudpv1: Transfer state debugging is enabled
BSM:
All debuuging turned on at the session level
ISDN events debug DSLs. (On/Off/No DSL:1/0/-)
DSL 0 --> 31
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ISDN Q921 packets debug DSLs. (On/Off/No DSL:1/0/-)
DSL 0 --> 31
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ISDN L2 Socket Process packets debug DSLs. (On/Off/No DSL:1/0/-)
DSL 0 --> 31
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ISDN Q931 packets debug DSLs. (On/Off/No DSL:1/0/-)
DSL 0 --> 31
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ISDN API event debug DSLs. (On/Off/No DSL:1/0/-)
DSL 0 --> 31
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ISDN backhaul event debug DSLs. (On/Off/No DSL:1/0/-)
DSL 0 --> 31
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
X.25:
X.25 special event debugging is off
X.25 encapsulation debugging is off
X.25 switch debugging is off
X.25 over FR (Annex-G) debugging is off
Always On/Direct ISDN events debugging is off
Radius protocol debugging is off (detailed)
Voice Telephony session debugging is on
Voice Telephony dsp debugging is on
Voice Telephony error debugging is on
Voice Telephony stats debugging is on
Voice Telephony tone generation debugging is on
TSP call debugging is on
TSP port debugging is on
TSP error debugging is on
TSP ROSE ASN debugging is on
CCH323 SPI: H225 State Machine tracing is enabled
CCH323 SPI: H245 State Machine tracing is enabled
CCH323 SPI: RAS State Machine tracing is enabled
CCH323 SPI: RTP packet tracing is enabled
CCH323 SPI: Session tracing is enabled
CCH323 SPI: CCH323 Error debug is enabled
CCH323 SPI: CCH323 Rawmsg debug is enabled
CCH323 SPI: CCH323 H450 debug is enabled
RTP SPI error tracing is enabled.
RTP SPI function in/out tracing is enabled.
RTP SPI Session tracing is enabled
Translation debug detail is on
Translation debug min is on
CCSIP SPI: SIP Call Statistics tracing is enabled
CCSIP SPI: SIP Call Message tracing is enabled
CCSIP SPI: SIP Call State Machine tracing is enabled
CCSIP SPI: SIP Call Events tracing is enabled
SIP : SIP error debug tracing is enabled
QoS Module : Function Trace Debugging is enabled
QoS Module : Events Debugging is enabled
Voice Port Module session debugging is on
Voice Port Module DSP message debugging is on
Voice Port Module error debugging is on
Voice Port Module signaling debugging is on
Voice Port Module voaal2 debugging is on
Voice Port Module trunk conditioning is on
FRF.11 Session tracing is enabled
Local MobileIP: aging arp mobility cac
CCSWVOICE Session tracing is enabled
CCSWVOICE Vofr Session tracing is enabled
CCSWVOICE Vofr Error tracing is enabled
CCSWVOICE Voatm Session tracing is enabled
CCSWVOICE Voatm Error tracing is enabled
settlement:
error conditions tracing is on
enter to functions tracing is on
exit from functions tracing is on
memory tracing is on
transaction tracing is on
network intput/output tracing is on
security tracing is on
miscellaneous tracing is on
ssl interface tracing is on
DSPU:
DSPU activation debugging is on for all PUs
DSPU packet debugging is on for all PUs
DSPU state change debugging is on for all PUs
DSPU trace debugging is on for all PUs
DSPU alert debugging is on for all PUs
ALPS:
ALPS peer event debugging for all peers is on
ALPS peer packet debugging for all peers is on
ALPS circuit event debugging for all circuits is on
ALPS ascu event debugging for all ascus is on
ALPS ascu packet debugging for all ascus is on
ALPS ascu detail debugging for all ascus is on
ALPS ascu router packet format for all ascus is on
Error debugging enabled for RTR responder
Trace debugging enabled for RTR responder
Router#
Router#un all
All possible debugging has been turned off
Router#