Troubleshoot the Panorama Plugin for Cisco TrustSec

Plugin Status Commands

  • Clear counters:
    clear plugins cisco_trustsec counters
  • Display monitor status:
    show plugins cisco_trustsec status
  • Display counters:
    show plugins cisco_trustsec counters

Debug Commands

  • Check IP addresses in dynamic address groups.
    show object registered-ip tag <tag>
    show object registered-ip all
  • Fetch the tags of an IP address from a server. The fetched IP-tag mappings are logged in plugin_cisco_trustsec.log. No IP-tag mappings are pushed to the notify group associated with the server. No retry if failed.
    debug plugins cisco_trustsec query pxgrid-server $server-name ip $ip-address
  • Force synchronize with a server and push the mappings to the configd process. No retry if failed.
    request plugins cisco_trustsec synchronize-dynamic-objects name $server-name
  • Force synchronize with all servers and push the mappings to the configd process. No retry if failed.
    request plugins cisco_trustsec synchronize-dynamic-objects all
  • Force synchronize the mappings from configd process to VM-Series firewalls. No retry if failed.
    request plugins cisco_trustsec sync

Debug Logs

The logs are in the following locations on the disk:
/opt/plugins/var/log/pan/plugin_cisco_trustsec.log
/opt/plugins/var/log/pan/plugin_cisco_trustsec_sub.log
/opt/plugins/var/log/pan/plugin_cisco_trustsec_ret.log
/opt/plugins/var/log/pan/plugin_cisco_trustsec_proc.log
The size limit for a log file (shared by all plugins installed on your Panorama device) is 10 million bytes. A log file can accept 93,000 session logins. If you configure log rotation, a backup log can support 186,000 session logins.
  • Change the plugin debug level.
    request plugins debug level $level plugin-name cisco_trustsec
    • off: No debug log.
    • low: Dump only basic debug logs.
    • medium: Dump detailed debug logs.
    • high: Dump everything including request/response messages with servers.
  • Merge the logs into a single log file:
    request plugins cisco_trustsec merge-logs
  • Show the debug log in the CLI:
    • Cisco TrustSec plugin version 1.0.2 or later installed on a Panorama version earlier than 10.0.0:
      tail mp-log plugin_cisco_trustsec_merged.log
    • Cisco TrustSec plugin version 1.0.2 or later installed on Panorama version 10.0.0 or later:
      tail follow yes plugins-log