Troubleshoot User Access with Security Cloud Control

Consider the case of users being denied access to a resource that they should have access to. Here is an approach you can take to diagnose and remediate that problem.

Procedure


Step 1

Users inform your security team that their access to a resource is blocked. Determine how that resource is typically reached. What is it's IP address? Do you reach it on a specific port? What protocol is used to send information to the resource?

Step 2

In the left pane, click Security Devices.

Step 3

Click the ASA tab and select the ASA and run packet tracer. See ASA Packet Tracer for more instructions.

Step 4

Examine the packet trace table for rules that may have denied access to the resource.

Step 5

After identifying the rule denying access, create a change request label in Security Cloud Control and enable it. See Change Request Management. This will help you identify in Change Log policy changes you made to allow access to the resource.

Step 6

Edit the rule from Security Cloud Control to correct the behavior. Your ASA is now out of sync with Security Cloud Control.

Step 7

Deploy the changes to the ASA from the Security Devices page. Security Cloud Control traces packets through the configuration saved on the ASA not a configuration staged on Security Cloud Control. Be aware, you will also be deploying any other configuration changes staged on Security Cloud Control to your ASA.

Step 8

Re-run packet tracer to determine if the policy change provides the desired results. Confirm that your users now have access to the resource.

Step 9

Assuming your users now have access, clear the change request label in Security Cloud Control. This prevents unrelated activity from being associated with this fix.

Note

If the change you made doesn't fix the problem or creates some new problems and you want to return to your previous configuration, you can do restore the ASA Configuration. See Restoring ASA Configurations.