Note: Use of the debug packet command on a PIX Firewall experiencing a heavy load may result in the output displaying so fast that it may be impossible to stop the output by entering the no debug packet command from the console. You can enter the no debug packet command from a Telnet session.
Additional Debug Command Notes
The debug icmp trace command now sends output to the Trace Channel. The location of the Trace Channel depends on whether you have a simultaneous Telnet console session running at the same time as the console session, or if you are using only the PIX Firewall serial console.

If you are using only the PIX Firewall serial console, all debug commands display on the serial console.

If you have both a serial console session and a Telnet console session accessing the console, then no matter where you enter the debug icmp trace or the debug sqlnet commands, the output displays on the Telnet console session.

If you have two or more Telnet console sessions, the first session is the Trace Channel. If that session closes, the serial console session becomes the Trace Channel. The next Telnet console session that accesses the console will then become the Trace Channel.

The debug packet command displays only on the serial console. However, you can enable or disable this command from either the serial console or a Telnet console session.

The debug commands are shared between all Telnet and serial console sessions.
Note: The downside of the Trace Channel feature is that if one administrator is using the serial console and another administrator starts a Telnet console session, the serial console debug icmp trace and debug sqlnet output will suddenly stop without warning. In addition, the administrator on the Telnet console session will suddenly be viewing debug output, which may be unexpected. If you are using the serial console and debug output is not appearing, use the who command to see if a Telnet console session is running.
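As an added illustration (not from the original document and not Cisco code), the following Python model encodes the Trace Channel rules described above so you can predict which session will receive debug icmp trace and debug sqlnet output as Telnet sessions open and close, and why debug packet output always stays on the serial console. The session names are constructed for the example.

```python
from dataclasses import dataclass, field

SERIAL = "serial"  # the PIX Firewall serial console
TRACE_CHANNEL_COMMANDS = {"debug icmp trace", "debug sqlnet"}


@dataclass
class TraceChannelModel:
    """Model of the documented Trace Channel behaviour (illustrative, not PIX code).

    Telnet session names such as "telnet-1" are constructed for this example.
    """
    telnet_sessions: list = field(default_factory=list)  # open sessions, in connection order
    trace_channel: str = SERIAL  # serial console holds the channel until a Telnet session opens

    def telnet_open(self, session: str) -> str:
        """A Telnet session accesses the console; it takes the Trace Channel
        only if the serial console currently holds it."""
        self.telnet_sessions.append(session)
        if self.trace_channel == SERIAL:
            self.trace_channel = session
        return self.trace_channel

    def telnet_close(self, session: str) -> str:
        """Closing the Trace Channel session hands the channel back to the serial
        console, not to another Telnet session that is already open."""
        self.telnet_sessions.remove(session)
        if self.trace_channel == session:
            self.trace_channel = SERIAL
        return self.trace_channel

    def output_destination(self, debug_command: str) -> str:
        """Where a debug command's output appears, regardless of where it was entered."""
        if debug_command == "debug packet":
            return SERIAL  # debug packet displays only on the serial console
        if debug_command in TRACE_CHANNEL_COMMANDS:
            return self.trace_channel
        raise ValueError(f"behaviour of {debug_command!r} is not modelled here")

    def who(self) -> list:
        """Mirrors the documented check: run 'who' on the serial console to see
        whether a Telnet session exists that may have taken the Trace Channel."""
        return list(self.telnet_sessions)
```

Walking the model through "serial only", "one Telnet session", "two Telnet sessions", "first session closes", "a new session connects" reproduces the sequence in the note above, including the point that the second already-open session does not inherit the channel.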
Note: To let users ping through the PIX Firewall, add the conduit permit icmp any command to the configuration. This lets pings go outbound and inbound.
Troubleshooting Steps
The first example deals with an internal user who cannot access the Internet. These are recommended troubleshooting steps to follow, but note that these steps may not solve every instance of this problem.

Step 1 Go to the end user's machine and have the user ping the PIX's internal interface. If you get a response, go to the next step. If you do not get a response, check the following for possible solutions:

• User cannot ping any internal address. Check the interface card on the user's system.

• User can ping other systems on the same network but cannot ping the PIX. This assumes that there is a router between the user's system and the PIX. Check the following:

a. The default route on the user's system.