Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Operational Commands to Troubleshoot SSL Sessions

In the CLI, the operational commands provide information that can help with troubleshooting. You can use show commands to determine and analyze the statistical counters and metrics related to any traffic loss and take an appropriate corrective measure. This topic covers information for monitoring, displaying, and verifying of SSL-related issues using the operational mode commands.

Displaying Active SSL Sessions

Purpose

Display information about all the active SSL sessions on the device.

Action

Use the show security flow session ssl command.

Meaning

The output shows all standard flow information including the session ID, timeout value for the session, the direction of the flow, the source address and port, the destination address and port, the IP protocol, and the interface used for the session. Example:

  • The policy name that allowed this traffic is default-permit.

  • The timeout value.

  • Both the source IP and the destination IP are displayed with their respective source/destination ports.

  • Session type.

  • The source interface and the destination interface for this session.

For details about the output fields of the command, see show security flow session ssl.

Displaying Active SSL Sessions Details

Purpose

Display detail information about the active SSL sessions on the device.

Action

From the operational mode, use the show security flow session extensive ssl command.

Meaning

The output of the command displays extensive information about all the active sessions on the device.

Display information includes the session ID, the Network Address Translation (NAT) source pool (if source NAT is used), the configured timeout value for the session and its standard timeout, and the session start time and how long the session has been active, direction of the flow, the source address and port, the destination address and port, the IP protocol, and the interface used for the session.

Example:

  • The policy name that allowed this traffic is default-permit.

  • The maximum timeout and current timeout values.

  • Session type.

  • The source interface and the destination interface for the session

  • The next-hop gateway IP address

  • AppQoS rule set details.

For details about the output fields of the command, see show services ssl session.

Displaying Specific SSL Session Details

Purpose

Display information about the specific SSL session.

Action

Use the show services ssl session 56 command.

Meaning

You can get the detail information about the specific SSL session with this command. Example:

  • Session ID, connection type and SSL profile used for the session.

  • Server certificate subject name and verification status.

  • CRL check status and action.

  • SSL Initiation and termination details.

  • The source interface and the destination interface for this session.

For details about the output fields of the command, see show security flow session ssl.

Display SSL Certificates

Purpose

Display the digital certificates available on the device.

Action

From the operational mode, use the show services ssl certificate all command.

Meaning

Display the list of all SSL certificates active on the device. SSL sessions use these certificates to establish a secure communication between a client and a server.

For details about the output fields of the command, see show services ssl certificate.

Display SSL Certificate Information

Purpose

Display brief information about the SSL certificate.

Action

From the operational mode, use the show services ssl certificate brief certificate-id certificate-identifier command. Following samples show command outputs for CA certificate and local certificates.

Meaning

Displays details about the certificate including certificate ID, type, issuer of the certificate, and encryption algorithm used. The type field displays the type of the certificate—That is—CA-CERT or LOCAL-CERT. CA-Cert certificate is an authorized certificate issued by trusted certificate authority and LOCAL-CERT is a self-signed certificate.

Note that the output of the commands vary depending on the type of certificate.

For details about the output fields of the command, see show services ssl certificate.

Display SSL Certificate Details

Purpose

Display detail information about the SSL certificate.

Action

From the operational mode, use the show services ssl certificate detail certificate-identifier command.

Meaning

Displays details about the certificate including certificate ID, type, last modified date, version, serial number, issuer, subject, validity, and encryption algorithm used.

Example:

  • Type of the certificate. The type field displays the type of the certificate—That is—CA-CERT or LOCAL-CERT. CA-Cert certificate is an authorized certificate issued by trusted certificate authority and LOCAL-CERT is a self-signed certificate.

  • Subject and issuer of the certificate.

  • Certificate validity from-date and to-date.

  • Public key algorithms used.

  • Algorithm used by the certificate authority to sign the certificate.

  • CRL-related updates (CA certificates only)

For details about the output fields of the command, see show services ssl certificate.

SSL Proxy Counters All

Purpose

Display all the statistical counters for the SSL proxy sessions.

Action

From the operational mode, use the show services ssl proxy counters all command.

Meaning

The output display the counters details related to SSL proxy sessions. These counters generally increment whenever there is some activity such as session matched, session created, and so on.

Example:

  • Count of sessions created, matched, ignored or destroyed.

  • Number of sessions allowlisted based on IP address and URL categories.

  • Session counts based on CRL-related information such as new updates done or certificates revoked, no CRL present, or no CA certificate present.

  • Number of sessions matching default SSL proxy profile in unified policy.

  • Number of sessions dropped because of absence of default SSL proxy profile.

For details about the output fields of the command, see show services ssl proxy counters .

SSL Proxy Counters Information

Purpose

Display statistical counters for the SSL proxy session to provide information about the sessions.

Action

From the operational mode, use the show services ssl proxy counters info command.

Meaning

The output display the counters details related SSL proxy session. These counters generally increment whenever there is some activity such as session matched, session created, and so on.

Example:

  • Count of sessions created, matched, ignored or destroyed.

  • Number of sessions allowlisted.

  • Session counts based on CRL-related information such as new updates done, certificates revoked, no CRL present, or no CA certificate present.

  • Number of sessions matching default SSL proxy profile in unified policy.

  • Number of sessions dropped because of absence of default SSL proxy profile.

For details about the output fields of the command, see show services ssl proxy counters .

SSL Proxy Counters Errors

Purpose

Display statistical counters for the errors encountered in SSL proxy session.

Action

From the operational mode, use the show services ssl proxy counters errors command.

Meaning

The output display the counters details for the errors encountered in an SSL proxy session. Example:

  • Number of failed sessions.

  • Number of non-SSL sessions received on the system.

  • Number of dropped sessions.

For details about the output fields of the command, see show services ssl proxy counters .

Display SSL Proxy Profile Details

Purpose

Display information about the SSL proxy profile.

Action

From the operational mode, use the show services ssl proxy profile profile-name command.

Meaning

Output of the command displays the details of the SSL proxy profile. Example:

  • The number of sessions that are allowlisted.

  • Whether the non SSL sessions are allowed.

  • Whether the root certificate is active or expired.

For details about the output fields of the command, see show services ssl proxy profile .

Display SSL Proxy Profiles

Purpose

Display all the SSL proxy profiles configured on the device.

Action

From the operational mode, use the show services ssl proxy profile all command.

Meaning

The output displays the list of SSL proxy profiles available on the device.

For details about the output fields of the command, see show services ssl proxy profile .

Display SSL Proxy Session Cache Statistics

Purpose

Display the data for the SSL proxy session cache.

Action

From the operational mode, use the show services ssl proxy session-cache statistics command.

Meaning

Command output displays SSL proxy session cache statistics. You can get the details such as number of times the information related to an SSL session is found in the cache or the number of times the information related to an SSL session is missing in the cache, and number of times the session cache limit is reached.

For details about the output fields of the command, see show services ssl proxy session-cache statistics.

Display SSL Proxy Session Cache Summary

Purpose

Display brief information about the entries stored in the SSL proxy session cache.

Action

From the operational mode, use the show services ssl proxy session-cache entries summary command.

Meaning

Command output displays SSL proxy session cache entries details such as session information saved in the cache, session status, session ID, and length of the session ID, destination IP address and port details, and SSL initiation and SSL termination profile IDs.

For details about the output fields of the command, see show services ssl proxy session-cache entries.

Display SSL Proxy Session Cache Details

Purpose

Display detail information about the entries stored in the SSL proxy session cache.

Action

From the operational mode, use the show services ssl proxy session-cache entries detail command.

Meaning

Command output displays cached SSL proxy session entries details. Example:

  • Status of the cache entry with time to expire. Because the cache entries are valid only for short interval.

  • Session ID, and length of the session ID.

  • Destination IP address and destination port details.

  • SSL initiation and SSL termination session details.

  • Server certificate validation, interdicted certificate details.

For details about the output fields of the command, see show services ssl proxy session-cache entries.

Display SSL Proxy Certificate Cache Entry Statistics

Purpose

Display data for the SSL proxy certificate cache.

Action

From operational mode, use the show services ssl proxy certificate–cache statistics command.

Meaning

Command output displays SSL proxy certificate cache statistics such as number of times the match is available in cache, number of times an entry is not found in cache, or the number of times that cache was full.

For details about the output fields of the command, see show services ssl proxy certificate–cache statistics.

Display SSL Proxy Certificate Cache Entry Summary

Purpose

Display brief information about the entries stored in the SSL proxy certificate cache.

Action

From operational mode, use the show services ssl proxy certificate-cache entries summary command.

Meaning

Command output displays certificate cache statistics such number of cache entries, serial number, profile ID, and CRL updates.

For details about the output fields of the command, see show services ssl proxy certificate-cache entries.

Display SSL Proxy Certificate Cache Entry Details

Purpose

Display detail information about the entries stored in the SSL proxy certificate cache.

Action

From operational mode, use the show services ssl proxy certificate-cache entries detail command.

Meaning

You can get the detail information about the cached SSL proxy certificate entries with this command. Example:

  • Number of entries present in the certificate-cache.

  • Number of times the CRL updates done till the interdicted certificate was added to the certificate-cache.

  • Cached interdicted certificate and the server certificate verification results.

  • Subject and issuer of the interdicted certificate.

For details about the output fields of the command, see show services ssl proxy certificate-cache entries.

Display SSL Proxy Status

Purpose

Display the status of the SSL proxy session.

Action

From operational mode, use the show services ssl proxy status command.

Meaning

The command displays the overall status of the SSL proxy. Example:

  • Crypto status, proxy activation status.

  • Certificate cache details such as whether certificate cache is activated, CRL configuration, certificate cache size, number of certificates in certificate cache currently used.

  • Session cache details such as whether session cache is activated, size of the session cache, number of sessions in session cache currently used.

For details about the output fields of the command, see show services ssl proxy status.

Display SSL Termination Counter Details

Purpose

Display statistical counter details for the SSL termination sessions.

Action

From operational mode, use the show services ssl termination counters all command.

Meaning

You can get useful information about the SSL termination counters with this command. Example:

  • Number of errors related to memory, handshake, certificate, server protection, proxy and crypto

  • Number of sessions initiated handshake and completed handshake.

  • Number of active sessions.

  • Number of SSL proxy sessions such as sessions created, active sessions, ignored sessions, renegotiated sessions, sessions with different authentication methods and so on.

For details about the output fields of the command, see show services ssl termination counters.

Display SSL Termination Counters Errors

Purpose

Display statistical counters for the errors encountered in SSL termination session.

Action

From operational mode, use the show services ssl termination counters error command.

Meaning

The output of the command displays number of errors related to memory, handshake, certificate, server protection, proxy and crypto, and SSL decryption mirroring functionality.

For details about the output fields of the command, see show services ssl termination counters.

Display SSL Termination Counters Handshake

Purpose

Display statistical counters for the SSL termination handshake.

Action

From operational mode, use the show services ssl termination counters handshake command.

Meaning

You can get useful information about the SSL termination counters with this command. Example:

  • Number of sessions initiated handshake and completed handshake.

  • Number of active sessions

  • Number of SSL proxy sessions such as sessions created, active sessions, ignored sessions, renegotiated sessions, sessions with different authentication methods and so on.

For details about the output fields of the command, see show services ssl termination counters.

Display SSL Termination Profile

Purpose

Display all SSL termination profiles available on the device.

Action

From operational mode, use the show services ssl termination profile all command.

Meaning

The output of the command displays the list of all SSL termination profiles available on the device.

For details about the output fields of the command, see show services ssl termination profile .

Display SSL Termination Profile Summary

Purpose

Display the brief information about the SSL termination profiles.

Action

From operational mode, use the show services ssl termination profile brief profile-name command.

Meaning

Displays the details of the SSL termination profile.

You can get useful information about the SSL initiation profile with this command. Example:

  • Whether the root certificate is active or expired.

  • Preferred SSL cipher with key strength.

  • Whether the non SSL sessions are allowed.

  • Number of URL categories configured.

  • Number of allowlisted sessions.

For details about the output fields of the command, see show services ssl termination profile .

Display SSL Termination Profile Details

Purpose

Display the detail information about the SSL termination profile.

Action

From operational mode, use the show services ssl termination profile detail profile-name command.

Meaning

You can get useful information about the SSL termination profile with this command. Example:

  • Profile name.

  • Whether the non-SSL sessions are allowed.

  • Category of the preferred cipher.

  • Number of URL categories configured.

  • Protocol version.

  • Status of the various functionality such as client and server authentication, certificate revocation actions, session resumption, session renegotiation.

  • Trusted CA and custom cipher details.

  • SSL decryption mirror status.

  • SSL termination per profile statistics or counters.

For details about the output fields of the command, see show services ssl termination profile .

Display SSL Initiation Counter Details

Purpose

Display statistical counters for the SSL initiation session.

Action

From operational mode, use the show services ssl initiation counters all command.

Meaning

You can get useful information about the SSL initiation counters with this command. Example:

  • Number of errors related to memory, handshake, certificate, server protection, proxy and crypto.

  • Number of sessions initiated handshake and completed the handshake.

  • Number of active sessions.

  • Number of SSL proxy sessions such as sessions created, active sessions, ignored sessions, renegotiated sessions, sessions with different authentication methods and so on.

For details about the output fields of the command, see show services ssl initiation counters.

Display SSL initiation Counter Handshake

Purpose

Display statistical counters for the SSL initiation handshake.

Action

From operational mode, use the show services ssl initiation counters handshake command.

Meaning

You can get useful information about the SSL initiation counters with this command. Example:

  • Number of sessions initiated handshake and completed handshake.

  • Number of active sessions.

  • Number of SSL proxy sessions such as sessions created, active sessions, ignored sessions, renegotiated sessions, sessions with different authentication methods and so on.

For details about the output fields of the command, see show services ssl initiation counters.

Display SSL Initiation Counter Errors

Purpose

Display statistical counters for the errors encountered in SSL initiation session.

Action

From operational mode, use the show services ssl initiation counters error command.

Meaning

The output of the command displays number of errors related to memory, handshake, certificate, server protection, proxy and crypto, and SSL decryption mirroring functionality.

For details about the output fields of the command, see show services ssl initiation counters.

Display SSL Initiation Profile

Purpose

Display all SSL initiation profiles available on the device.

Action

From operational mode, use the show services ssl initiation profile all command.

Meaning

The output of the command displays the list of all SSL initiation profiles available on the device.

For details about the output fields of the command, see show services ssl initiation profile .

Display SSL Initiation Profile Summary

Purpose

Display the summary of the SSL initiation profile.

Action

From operational mode, use the show services ssl initiation profile brief profile-name command.

Meaning

Displays the details of the SSL initiation profile such as profile name, whether the non-SSL sessions ar allowed, prefered-ciphers, and number of URL categories configured.

For details about the output fields of the command, see show services ssl initiation profile .

Display SSL Initiation Profile Details

Purpose

Display the detail information about the SSL initiation profile.

Action

From operational mode, use the show services ssl initiation profile detail profile-name command.

Meaning

You can get useful information about the SSL initiation profile with this command. Example:

  • Whether the non SSL sessions are allowed.

  • Preferred SSL cipher

  • Number of URL categories configured.

  • Status of the various functionality such as client and server authentication, certificate revocation actions, session resumption, session renegotiation.

  • Trusted CA, chain certificates details.

  • SSL decryption mirror status

  • SSL initiation session counters

For details about the output fields of the command, see show services ssl initiation profile .

Display SSL Drop Log Details

Purpose

Display information about SSL drop logs.

Action

From operational mode, use the show services ssl droplogs command.

Meaning

Output of the command displays the denied/dropped session details. You can use the command output to understand the issue why session was dropped.