Purpose
Current traceback information saved on the ASA after a crash does not always provide enough information to determine the root cause of the problem. The coredump is a system-wide snapshot of the ASA memory at the time when a crash occurs. Coredumps are saved to disk allowing the administrator to export it later for off-site analysis by Cisco TAC and Development.
Things to know before configuring a coredump
Why should I configure a coredump?
Typically, the coredump feature will be recommended by support when troubleshooting the cause of a new crash. The coredump is meant provide additional information when the contents of the crashinfo are not adequate to fix the crash. Feel free to enable coredump at any point, sometime having the coredump available means the difference between getting an actual fix to the issue and simply having to monitor for the problem again in the future.
Where do coredumps go?
All coredumps are written to the device's flash file system. Currently that means either disk0:, flash:, or disk1: (where disk0: and flash: equate to the same media).
How much disk/flash space is currently available on your system?
Before enabling coredump, it is important to be aware of how much disk space is currently available on the system. If disk space is tight on your ASA, then coredumps are not an option. The amount of disk space allocated for coredumps is currently based on the ASA platform and it's typical memory configuration. When you first enable a coredump, it will indicate the space in Flash that will be reserved for saving the cores. Take this example from an ASAv:
ciscoasa(config)# coredump enable
WARNING: Enabling coredump on an ASAv platform will delay
the reload of the system in the event of software forced reload.
The exact time depends on the size of the coredump generated.
Proceed with coredump filesystem allocation of 819 MB [confirm]
Note: If there is not enough space, check to see if any old files that are no longer in use can be removed. If there is still not enough room, then the above values may be manually configured and reduced. Note: It is unadvised to go below 1/2 of the default values as the chances of truncating the coredump early are greatly increased. A truncated coredump is of no use and will be removed automatically by the ASA code at the time of occurrence.
What happens when the pre-allocated space for coredumps fills up?
When the ASA code detects the pre-allocated space is full, it will go through & remove older accumulated coredumps. It removes the oldest coredump first and will then try and continue writing the current coredump. If more space is required, it will continue removing previous coredumps if necessary.
If the ASA gets to the point that all previous coredumps have been removed and we still cannot fit the current coredump, then the current coredump will be aborted, anything written to disk removed, and the coredump log will be updated with what happened.
Configuration
CLI Commands
The correct method to enable coredumps is from configuration mode on the device:
ciscoasa(config)# coredump enable
When coredumps are enabled the following file elements get created on the specified filesystem (disk0:, disk1:, flash:) and should never be manipulated explicitly by the user:
coredumpfsys – directory containing coredump images
coredumpfsysimage.bin – coredump filesystem image used to manage coredumps
coredumpinfo – directory containing the coredump log
This example is the simplest case. Basically a user just has to enable the feature. Entering the filesystem & size are optional.
ciscoasa(config)# coredump enable
WARNING: Enabling coredump on an ASAv platform will delay
the reload of the system in the event of software forced reload.
The exact time depends on the size of the coredump generated.
Proceed with coredump filesystem allocation of 819 MB
on 'disk0:' (Note this may take a while) ? [confirm]
filesys_image created ok: disk0:coredumpfsysimage.bin
Making coredump file system image!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Coredump file system image created & mounted successfully
/dev/loop1 on /mnt/disk0/coredumpfsys type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)
Changing the default parameters:
Should you need to, you can set the specific size of the coredump filesystem and its location. The size listed below is in MB.
ciscoasa(config)# coredump enable filesystem disk0: size 1000
WARNING: Enabling coredump on an ASAv platform will delay
the reload of the system in the event of software forced reload.
The exact time depends on the size of the coredump generated.
Proceeding with resizing to 1000 MB results in
deletion of current 819 MB coredump filesystem and
its contents on 'disk0:', proceed ? [confirm]
filesys_image created ok: disk0:coredumpfsysimage.bin
Making coredump file system image!!!!!!!!!!!!!!!!!!!!!!!
Coredump file system image created & mounted successfully
/dev/loop1 on /mnt/disk0/coredumpfsys type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)
Note: Be sure to execute "write mem" after enabling or disabling coredump functionality.
You can disable coredumps with the command "no coredump enable"
Troubleshooting/Debugging
Show commands
"show coredump filesystem"
This command displays any files on the coredump filesystem, also giving you a clue as to how full it might be. A word of advice: please archive the coredump files when convenient as it is possible a subsequent coredump could lead to previous coredump(s) being removed to fit the current core.
ciscoasa# show coredump filesystem
Coredump Filesystem Size is 1000 MB
Filesystem type is FAT for disk0
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/loop2 1023728 79136 944592 8% /mnt/disk0/coredumpfsys
Directory of disk0:/coredumpfsys/
175 -rwx 81022457 21:37:08 Apr 25 2022 core_smp.2022Apr25_213627.1904.11.gz
8571076608 bytes total (5832269824 bytes free)
"show coredump log"
When a coredump file is created, messages are added to the coredump.log file in disk0:/coredumpinfo. Use the show coredump log command to display the contents of the log file. The messages should reflect what's currently on the disk. It provides quick feedback on coredumps which have happened. You can also see the compressed/uncompressed size of the coredump, timestamp of when the core happened, as well as how long it took to dump the core image.
ciscoasa# show coredump log
[ 1 ] Mon Apr 25 21:37:08 2022: Coredump completed for module 'lina', coredump file 'core_smp.2022Apr25_213627.1904.11.gz', size 931221504 bytes, compressed size 81022457
[ 2 ] Mon Apr 25 21:36:27 2022: Coredump started for module 'lina', generating coredump file 'core_smp.2022Apr25_213627.1904.11.gz' on 'disk0'
Syslog Messages
- %ASA-6-741000: Coredump filesystem image created on
Physical coredump filesystem has been created/allocated and is now ready for use.
- %ASA-6-741001: “disk: Coredump filesystem image on %s – resized from start_size MB to new_size MB
Physical coredump file system image has been resized.
- %ASA-6-741002: “disk: Coredump log and filesystem contents cleared on %s
Removed all contents in the current coredump file system image directory, while also clearing the log.
- %ASA-6-741003: “disk: Coredump filesystem and it’s contents removed on %s
Removes entire coredump filesystem and it’s contents. Also clears the coredump log.
- %ASA-6-741004: “disk: Coredump configuration reset to default values
Coredump configuration is reset to it’s default values. The coredump filesystem and it’s contents remain untouched. The coredump log is untouched as well.
- %ASA-4-741005: Coredump operation operation failed with error error
Indicates an internal coredump error occurred manipulating the coredump filesystem. If this error is observed please forward to Cisco TAC.
- %ASA-4-741006: Unable to write Coredump Helper configuration, reason reason
An error occurred writing the coredump helper configuration. Indicates either "disk0” is full or memory was not available to write the file. Please check your flash space and available memory.
How do I get a coredump off my box?
You can transfer a coredump as you would any other ASA file, using copy tftp, or copy scp from the CLI. Additionally you can use the File Transfer functionality of the ASDM GUI. Once you have the coredump file, please upload it to your Cisco Support case so the TAC Engineer can continue to diagnose the issue.The coredumps are located, by default, in the disk0:/coredumpfsys/ portion of the filesystem. You can check if there are any coredumps, and their timestamps, from the output of "show coredump filesystem"
Here is an example of transferring via SCP to a Linux box:
ciscoasa# copy disk0:/coredumpfsys/core_smp.2022Apr25_213627.1904.11.gz scp://admin@192.168.100.100:core_smp.2022Apr25_213627.1904.11.gz
Source filename [/coredumpfsys/core_smp.2022Apr25_213627.1904.11.gz]?
Address or name of remote host [192.168.100.100]?
Destination username [admin]?
Destination filename [core_smp.2022Apr25_213627.1904.11.gz]?
Password: ***********
!!!!!!!!!!!!!!!!!!!! ... [truncated]
81022457 bytes copied in 14.80 secs (5787318 bytes/sec)
ciscoasa#
What about Firepower Threat Defense?
Gathering a coredump from an FTD device is a slightly different procedure. Please refer to this guide:
https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/216245-collection-of-core-files-from-a-firepowe.html
