IPS Tech Tip - "show tech" command part 2 - IPS dev team webinar

Similar Messages

• Cisco IPS Tech Tips: 2010 Dec. 16 - Show Tech Part 1 Recording

  Hi Cisco IPS Users,
  I've attached the recording from our last Tech Tips regarding the "show tech" command. We hope that you will find this of value in the operation of your Cisco IPS.
  As always feel free to leave comments on the content or future subjects you would like to see us address.
  The continuation of this discussion will take place today (Jan 27th).
  Thanks,
  -Robert
  Robert Albach
  IPS Product Management
  [email protected]

  The recordings and the presentation slides are placed here on the Cisco Support Community. I think if you roll the threads back some you will see the prior month's Tech Tips (then called Tech Talks) posted.
  This one will be posted a few days after the event.
  -Robert

• Cisco IPS Tech Tips: 2010 Dec 16 - show tech commands

  Robert Albach invites you to attend a Web seminar using WebEx. This event requires registration.
  IPS Tech Tips are monthly webinars lasting approximately 30 minutes with question and answer to follow. This month’s event will focus on the “show tech” command and its potential relevance to your IPS operation.
  Topic: Cisco IPS Tech Tip 2010 Dec 16 - Show Tech
  Host: Robert Albach
  Date and Time:
  December 16, 2010 10:00 am, Central Standard Time (Chicago, GMT-06:00)
  To register for the online event
  1. Go to https://cisco.webex.com/ciscosales/onstage/g.php?d=205452108&t=a&EA=ralbach%40cisco.com&ET=72ce549014a807001ae666a6d82dcc7c&ETR=6ff5ff3ebf442ab68017b906c9ead1a7&RT=MiM3&p
  2. Click "Register".
  3. On the registration form, enter your information and then click "Submit".
  Once the host approves your registration, you will receive a confirmation email message with instructions on how to join the event.
  For assistance
  You can contact Robert Albach at:
  [email protected]
  http://www.webex.com
  IMPORTANT NOTICE: This WebEx service includes a feature that allows audio and any documents and other materials exchanged or viewed during the session to be recorded. By joining this session, you automatically consent to such recordings. If you do not consent to the recording, discuss your concerns with the meeting host prior to the start of the recording or do not join the session. Please note that any such recordings may be subject to discovery in the event of litigation.

  The recordings and the presentation slides are placed here on the Cisco Support Community. I think if you roll the threads back some you will see the prior month's Tech Tips (then called Tech Talks) posted.
  This one will be posted a few days after the event.
  -Robert

• IPS Tech Tip - Evasions - TCP/IP examples and handling - Sig team presentation

  Hi Customers,
  Its summer time and nothing evokes cool quite like a discussion into the TCP / IP stack and how creative attacker types try to hide attacks behind it. This presentation will feature a security researcher from our signature team and will be the first of several presentations on evastions and how the Cisco IPS handle them.
  We hope that you can make it.
  Thanks,
  -Robert
  Robert Albach invites you to attend a 30-45 minute Web seminar on the Cisco IPS internal operations using WebEx. This event requires registration.
  Topic: Cisco IPS Tech Tips - Handling Evasions
  Host: Robert Albach
  Date and Time:
  August 25, 2011 9:30 am, Central Daylight Time (Chicago, GMT-05:00)
  To register for the online event
  1. Go to https://ciscosales.webex.com/ciscosales/onstage/g.php?d=201261254&t=a&EA=ralbach%40cisco.com&ET=64ed8e6d81005252203f6671cfeee480&ETR=fb46b8799a6afe989e9a744f0fac0d77&RT=MiM3&p
  2. Click "Register".
  3. On the registration form, enter your information and then click "Submit".
  Once the host approves your registration, you will receive a confirmation email message with instructions on how to join the event.

  Sadly we did not get the recording done. The presentation and the example pcaps  however are on this forum now.
  -Robert

• IPS Tech Tips: IPS Best Practices with Cisco Remote Management Services

  Hi Folks -
  Another IPS Tech Tip coming up and this time we will be hearing from some past and current Cisco Remote Services members on their best practice suggestions. As always these are about 30 minutes of content and then Q&A - a low cost high reward event.
  Hope to see you there.
  -Robert
  Cisco invites you to attend a 30-45 minute Web seminar on IPS Best   Practices delivered via WebEx. This event requires registration.
  Topic: Cisco IPS Tech Tips - IPS Best Practices with Cisco Remote Management   Services
  Host: Robert Albach
  Date and Time:
  Wednesday, October 10, 2012 10:00 am, Central Daylight Time (Chicago,   GMT-05:00)
  To register for the online event
  1. Go to https://cisco.webex.com/ciscosales/onstage/g.php?d=203590900&t=a&EA=ralbach%40cisco.com&ET=28f4bc362d7a05aac60acf105143e2bb&ETR=fdb3148ab8c8762602ea8ded5f2e6300&RT=MiM3&p
  2. Click "Register".
  3. On the registration form, enter your information and then click   "Submit".
  Once the host approves your registration, you will receive a confirmation   email message with instructions on how to join the event.
  For assistance
  http://www.webex.com
  IMPORTANT NOTICE: This WebEx service includes a feature that allows audio and   any documents and other materials exchanged or viewed during the session to   be recorded. By joining this session, you automatically consent to such   recordings. If you do not consent to the recording, discuss your concerns   with the meeting host prior to the start of the recording or do not join the   session. Please note that any such recordings may be subject to discovery in   the event of litigation. If you wish to be excluded from these invitations   then please let me know!

  Hi Marvin, thanks for the quick reply.
  It appears that we don't have Anyconnect Essentials.
  Licensed features for this platform:
  Maximum Physical Interfaces       : Unlimited      perpetual
  Maximum VLANs                     : 100            perpetual
  Inside Hosts                      : Unlimited      perpetual
  Failover                          : Active/Active  perpetual
  VPN-DES                           : Enabled        perpetual
  VPN-3DES-AES                      : Enabled        perpetual
  Security Contexts                 : 2              perpetual
  GTP/GPRS                          : Disabled       perpetual
  AnyConnect Premium Peers          : 2              perpetual
  AnyConnect Essentials             : Disabled       perpetual
  Other VPN Peers                   : 250            perpetual
  Total VPN Peers                   : 250            perpetual
  Shared License                    : Disabled       perpetual
  AnyConnect for Mobile             : Disabled       perpetual
  AnyConnect for Cisco VPN Phone    : Disabled       perpetual
  Advanced Endpoint Assessment      : Disabled       perpetual
  UC Phone Proxy Sessions           : 2              perpetual
  Total UC Proxy Sessions           : 2              perpetual
  Botnet Traffic Filter             : Disabled       perpetual
  Intercompany Media Engine         : Disabled       perpetual
  This platform has an ASA 5510 Security Plus license.
  So then what does this mean for us VPN-wise? Is there any way we can set up multiple VPNs with this license?

• Cisco IPS Tech Tips: Data Center Protections and Platforms

  Hello Cisco Community Forum Members;
  Robert Albach invites you to attend a 30-45 minute Web seminar on the Cisco   IPS internal operations using WebEx. This event requires registration.
  Topic: Cisco IPS Tech Tips - Data Center Protections and Platforms
  Host: Robert Albach
  Date and Time:
  Thursday, July 19, 2012 10:00 am, Central Daylight Time (Chicago, GMT-05:00)
  To register for the online event
  1. Go to https://cisco.webex.com/ciscosales/onstage/g.php?d=206048546&t=a&EA=ralbach%40cisco.com&ET=ade69a0aa29f279471b6a85feae46a71&ETR=5b39cf5f535442c1763f090845d7ddd3&RT=MiM3&p
  2. Click "Register".
  3. On the registration form, enter your information and then click   "Submit".
  Once the host approves your registration, you will receive a confirmation   email message with instructions on how to join the event.
  For assistance
  http://www.webex.com
  IMPORTANT NOTICE: This WebEx service includes a feature that allows audio and   any documents and other materials exchanged or viewed during the session to   be recorded. By joining this session, you automatically consent to such   recordings. If you do not consent to the recording, discuss your concerns   with the meeting host prior to the start of the recording or do not join the   session. Please note that any such recordings may be subject to discovery in   the event of litigation.

  The recordings and the presentation slides are placed here on the Cisco Support Community. I think if you roll the threads back some you will see the prior month's Tech Tips (then called Tech Talks) posted.
  This one will be posted a few days after the event.
  -Robert

• Cisco IPS Tech Tips - Protecting Industrial Environments - Nov. 20 2012

  Robert Albach invites you to attend a 30-45 minute Web seminar on protecting   Industrial Environments with Cisco IPS. This event requires registration.
  Topic: Cisco IPS Tech Tips - Protecting Industrial Environments
  Host: Robert Albach
  Date and Time:
  Tuesday, November 20, 2012 10:00 am, Central Standard Time (Chicago,   GMT-06:00)
  To register for the online event
  1. Go to https://cisco.webex.com/ciscosales/onstage/g.php?d=204100621&t=a&EA=ralbach%40cisco.com&ET=9a66f6e8f36ecbaab4ac37ed47bae5cf&ETR=c55c84ed345001203dd77689eca88777&RT=MiM3&p
  2. Click "Register".
  3. On the registration form, enter your information and then click   "Submit".
  Once the host approves your registration, you will receive a confirmation   email message with instructions on how to join the event.
  For assistance
  http://www.webex.com
  IMPORTANT NOTICE: This WebEx service includes a feature that allows audio and   any documents and other materials exchanged or viewed during the session to   be recorded. By joining this session, you automatically consent to such   recordings. If you do not consent to the recording, discuss your concerns   with the meeting host prior to the start of the recording or do not join the   session. Please note that any such recordings may be subject to discovery in   the event of litigation.

• IPS Tech Tips - Introducing NGFW with IPS

  Robert Albach invites you to attend a 30-45 minute Web seminar on the Cisco new NGFW with IPS and its operations. This event requires registration.
  Topic: Cisco IPS Tech Tips - Introducing NGFW with IPS
  Host: Cisco Security Group
  Date and Time:
  Thursday, December 19, 2013 10:00 am, Central Standard Time (Chicago, GMT-06:00)
  To register for the online event
  1. Go to https://cisco.webex.com/ciscosales/onstage/g.php?d=207672622&t=a&EA=ralbach%40cisco.com&ET=5a30e5f0d7b86e89044459f4fac9065e&ETR=6d878102a33643d67bc6b9d3df08da27&RT=MiM3&p
  2. Click "Register".
  3. On the registration form, enter your information and then click "Submit".
  Once the host approves your registration, you will receive a confirmation email message with instructions on how to join the event.

  The recordings and the presentation slides are placed here on the Cisco Support Community. I think if you roll the threads back some you will see the prior month's Tech Tips (then called Tech Talks) posted.
  This one will be posted a few days after the event.
  -Robert

• About show tech command

  Hi everyone, I'm doing a performance report, I have the output of show tech command, I'm considering the cpu and memory information for my performance report, but Im not sure about the normal operation, there is some parameter for a normal operation?, for example a router 2900, and whitch commands also I have to considering fomr my performance report?, I want a good inform for my lab, any help is welcome.
  Thanks in advance.

  I think that you're talking about the output interpreter
  https://www.cisco.com/pcgi-bin/Support/OutputInterpreter/home.pl
  cheers.

• Cable modem link slowness w ISA570 and CLI "show tech" equivalent

  Hi, I'm helping out a non profit that has a Mediacom 100mbs link, they get 90+ Speed connected directly to the cable modem, but anywhere past the ISA570 they only get 50-60mbs. They have switched cables, added a separate port, tried different PCs, results are the same, 50-60 mbs max.
  Also it's their understanding the ISA570 can't do CLI, so how can they get the equivalent of a 'show tech' command to a file to send offsite for troubleshooting,
  Thanks.
  Jim

  Hello,
  There is something similar to show tech on the ISA.
  Log into the web GUI, go to Device Management >> Cisco Services & Support >> Send Diagnostics.  At the bottom of that page is a Download button that will collect the config file, the logs, and some debug outputs into a zip file.  You can use this to troubleshoot the device, although I usually prefer to be on the live device itself to look at things.
  Before you dig too deep into those however, what kind of security services do you currently have enabled on the ISA?   I was looking over the datasheet and while the SPI is capable of ~500mbps, when you start to enable the various security services those speeds start to drop.
  If we look at the UTM (Unified Threat Management) throughput measures, that is at about 75mbps, which is fairly close to what you are getting.  I would go through and disable the various security services one at a time and test your speed.  My guess would be either A/V or IPS is slowing your connection down.  It may be one or a combination of these services causing the slowdown.  You can disable those options, or just explain that the extra security will cost a bit of speed.
  Hope that helps a bit,
  Christopher Ebert - Advanced Network Support Engineer
  Cisco Small Business Support Center
  *please rate helpful posts*

• Using ACS to deny show tech-support

  I am trying to deny the show tech-support command using Cisco Secure ACS command authorization sets (picture included). All other deny commands are working (is show running-config) but no matter what I do the show tech is un-successful. Any ideas?

  Do you have these authorization commands configured?
  aaa new-model
  aaa authentication login default group tacacs+ local
  aaa authorization exec default group tacacs+ local
  aaa authorization commands 0 default group tacacs+ local
  aaa authorization commands 1 default group tacacs+ local
  aaa authorization commands 15 default group tacacs+ local
  tacacs-server host 10.1.1.1 key cisco123
  Debug aaa author should display:
  AAA/AUTHOR/CMD: tty2 (2846421758) user='switchuser'
  AAA/AUTHOR/CMD (2846421758): send AV service=shell
  AAA/AUTHOR/CMD (2846421758): send AV cmd=show
  AAA/AUTHOR/CMD (2846421758): send AV cmd-arg=tech-support
  AAA/AUTHOR/CMD (2846421758): send AV cmd-arg=
  AAA/AUTHOR/CMD (2846421758): found list "default"
  AAA/AUTHOR/CMD (2846421758): Method=tacacs+ (tacacs+)
  AAA/AUTHOR/TAC+: (2846421758): user=switchuser
  AAA/AUTHOR/TAC+: (2846421758): send AV service=shell
  AAA/AUTHOR/TAC+: (2846421758): send AV cmd=show
  AAA/AUTHOR/TAC+: (2846421758): send AV cmd-arg=tech-support
  AAA/AUTHOR/TAC+: (2846421758): send AV cmd-arg=
  TAC+: Using default tacacs server-group "tacacs+" list.
  TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
  TAC+: Opened TCP/IP handle 0x2E8FEA4 to 10.1.1.1/49
  TAC+: 10.1.1.1 (2846421758) AUTHOR/START queued
  TAC+: (2846421758) AUTHOR/START processed
  TAC+: (-1448545538): received author response status = FAIL
  Make sure to modify the original ACS Shell Command Authorization...
  deny tech-support instead of deny tech.

• ACE 20 Modular - show tech too large

  Hi
  A Client sent me a show tech of this ACE 20, is inserted into a VSS, but this file is very large, the reason is a command "show acl-merge merged-list vlan 93".. Somebody can tell me is this information is normal, or not, I think that is possible attack point to the farm server. the service is up, in the other ace20. the symptom is can not reach the VIP of the service.
  `show acl-merge merge vlan 93 in`
  All ACEs in merged list 5 Total:6377 Non-redundant:5608
  Priority:164, Lineno:0, ACE-id:61470 Action:PERMIT, Path-id:0x81/0x0/0x0:6/0[6/]
  Pmap:0x5, Log:FALSE/FALSE[FALSE][FALSE], Interval:0/0[0][0]
  Hash1:0x0 Hash2:0x0
  Generated:TRUE, need-to-add-in-comp:NO_ACT_NEEDED, redundant:FALSE
  Parent:: feature:SECURITY ace-lineno:8 ACL priority:0[G:0,P:0,C:0,ACL:0]
  Parent:: feature:TO CP ace-lineno:2 ACL priority:16779265[G:0,P:1,C:8,ACL:1]
  Feature:SECURITY Policy:1[1][1] sec-level:0x0 Intratype:SKIP
  Feature:TO CP Policy:1[1][1] sec-level:0x0 Intratype:TERMINATE
  Intertype:TERMINATE     
  IP address SRC:0.0.0.0/0.0.0.0 DST:172.23.98.20/255.255.255.255
  Ports SRC:RANGE 8 8 DST:RANGE 0 0       
  Protocol:1
  Hit Count:0 Active:TRUE Timerange:0
  Priority:326, Lineno:0, ACE-id:61471 Action:PERMIT, Path-id:0x81/0x0/0x0:6/0[6/]
  Pmap:0x5, Log:FALSE/FALSE[FALSE][FALSE], Interval:0/0[0][0]
  Hash1:0x0 Hash2:0x0
  Generated:TRUE, need-to-add-in-comp:NO_ACT_NEEDED, redundant:FALSE
  Parent:: feature:SECURITY ace-lineno:8 ACL priority:0[G:0,P:0,C:0,ACL:0]
  Parent:: feature:TO CP ace-lineno:2 ACL priority:16781313[G:0,P:1,C:16,ACL:1]
  Feature:SECURITY Policy:1[1][1] sec-level:0x0 Intratype:SKIP
  Feature:TO CP Policy:1[1][1] sec-level:0x0 Intratype:TERMINATE
  Intertype:TERMINATE     
  IP address SRC:0.0.0.0/0.0.0.0 DST:165.183.93.51/255.255.255.255        
  Ports SRC:RANGE 8 8 DST:RANGE 0 0       
  Protocol:1
  Hit Count:0 Active:TRUE Timerange:0
  Priority:487, Lineno:0, ACE-id:61472 Action:PERMIT, Path-id:0x81/0x0/0x0:6/0[6/]
  Pmap:0x5, Log:FALSE/FALSE[FALSE][FALSE], Interval:0/0[0][0]
  Hash1:0x0 Hash2:0x0
  Generated:TRUE, need-to-add-in-comp:NO_ACT_NEEDED, redundant:FALSE
  Parent:: feature:SECURITY ace-lineno:8 ACL priority:0[G:0,P:0,C:0,ACL:0]
  Parent:: feature:TO CP ace-lineno:2 ACL priority:16783361[G:0,P:1,C:24,ACL:1]
  Feature:SECURITY Policy:1[1][1] sec-level:0x0 Intratype:SKIP
  Feature:TO CP Policy:1[1][1] sec-level:0x0 Intratype:TERMINATE
  Intertype:TERMINATE     
  IP address SRC:0.0.0.0/0.0.0.0 DST:165.183.93.51/255.255.255.255        
  Ports SRC:RANGE 8 8 DST:RANGE 0 0       
  Protocol:1
  Hit Count:0 Active:TRUE Timerange:0
  Priority:647, Lineno:0, ACE-id:61473 Action:PERMIT, Path-id:0x81/0x0/0x0:6/0[6/]
  Pmap:0x5, Log:FALSE/FALSE[FALSE][FALSE], Interval:0/0[0][0]
  Hash1:0x0 Hash2:0x0
  Generated:TRUE, need-to-add-in-comp:NO_ACT_NEEDED, redundant:FALSE
  Parent:: feature:SECURITY ace-lineno:8 ACL priority:0[G:0,P:0,C:0,ACL:0]
  Parent:: feature:TO CP ace-lineno:2 ACL priority:16785409[G:0,P:1,C:32,ACL:1]
  Feature:SECURITY Policy:1[1][1] sec-level:0x0 Intratype:SKIP
  Feature:TO CP Policy:1[1][1] sec-level:0x0 Intratype:TERMINATE
  Intertype:TERMINATE     
  IP address SRC:0.0.0.0/0.0.0.0 DST:165.183.93.61/255.255.255.255        
  Ports SRC:RANGE 8 8 DST:RANGE 0 0       
  Protocol:1
  Hit Count:0 Active:TRUE Timerange:0

  Hi.
  We reboot the ACE20, and let one contex in this module..  The services is OK now, but my only doub is why the show tech-support is too large and appear the out of command show acl-merge merged-list vlan 93, with a lot of line.. 
  I try to run command "show tech-support" again and submit.

• Show tech and cpu load

  Hello
  we have 2 6500 in VSS , with image 15.1(1)SY1.
  I had to do show tech as there was some issue in our network , when i gave this command immidiately show process cpu output showed usage as 100% and resource was SSH Process and show tech output never got complete session got hanged and I had to open new VTY session
  I want to know does this happen eveytime when we give show tech or there is a issue with our device .

  Amit
  It is not necessarily an issue with your switches. When you are logged in via the vty lines and you issue a command like "sh tech" there is a large amount of data to be displayed and it is normal for the CPU to spike when it does this -
  Q. How can we reduce the process for SSH on 6500?
  A. If it is virtual exec, that is used for servicing vty lines, Vty lines are used for logging into the switch. If we are trying to dump a huge output like "show tech", it is expected to see high CPU and is not a matter for concern.
  full link -
  https://supportforums.cisco.com/docs/DOC-22037
  so what you are seeing is normal. But what is not normal is the display getting hung and having to open a new session.
  So if it happens all the time it would be a problem but it could just be that at that particular time the switch was busy doing other things that also placed a load on the CPU.
  Jon

• Show Tech-support

  I ran the command show tech-support without page and other options on IDS, output is just going on from last 2 hours. I phave pressed ^c many times but it's not coming to prompt and not stopping.
  If any one have solution please update..

  You should be able to stop it using 'CTRL+C'.

• Nexus 7000 show tech-support

  Is there a way to do a show tech-support and pipe it to a file or tftp so that I can send it to a vendor?  If so, what would the command be?
  Thanks.
  Jeff

  You can use the redirect feature
  show tech-support > bootflash:tsupport_file
  http://www.cisco.com/en/US/partner/docs/switches/datacenter/sw/4_2/nx-os/fundamentals/command/reference/fnd_commands.html#wp1136081
  Thanks
  Hatim