Cisco ASA 5510 logging ACL denies without "log" keyword with WARNING severity

Sam Brynes — Mon, 06 Apr 2020 02:22:16 GMT

I've enabled logging (logging enable) on our Cisco ASA 5510. I have an ACL on our outside interface. I see many deny log entries with a warning (level 4) severity, but I don't have the "log" keyword enabled on any of the ACL entries in the referenced ACL. Does anyone know where the warning (level 4) denies are coming from, and how I can stop them?

ASA5510(config)# sh run all | i logging
logging enable
logging timestamp
logging hide username
logging buffer-size 1048576
logging asdm-buffer-size 100
logging monitor notifications
logging buffered notifications
logging flash-minimum-free 3076
logging flash-maximum-allocation 1024
logging rate-limit 1 10 message 747001
logging rate-limit 1 1 message 402116
logging rate-limit 1 10 message 620002
logging rate-limit 1 10 message 717015
logging rate-limit 1 10 message 717018
logging rate-limit 1 10 message 201013
logging rate-limit 1 10 message 201012
logging rate-limit 1 1 message 313009
logging rate-limit 100 1 message 750003
logging rate-limit 100 1 message 750002
logging rate-limit 100 1 message 750004
logging rate-limit 1 10 message 419003
logging rate-limit 1 10 message 405002
logging rate-limit 1 10 message 405003
logging rate-limit 1 10 message 421007
logging rate-limit 1 10 message 405001
logging rate-limit 1 10 message 421001
logging rate-limit 1 10 message 421002
logging rate-limit 1 10 message 337004
logging rate-limit 1 10 message 337005
logging rate-limit 1 10 message 337001
logging rate-limit 1 10 message 337002
logging rate-limit 1 60 message 199020
logging rate-limit 1 10 message 337003
logging rate-limit 2 5 message 199011
logging rate-limit 1 10 message 199010
logging rate-limit 1 10 message 337009
logging rate-limit 2 5 message 199012
logging rate-limit 1 10 message 710002
logging rate-limit 1 10 message 209003
logging rate-limit 1 10 message 209004
logging rate-limit 1 10 message 209005
logging rate-limit 1 10 message 431002
logging rate-limit 1 10 message 431001
logging rate-limit 1 1 message 447001
logging rate-limit 1 10 message 110003
logging rate-limit 1 10 message 110002
logging rate-limit 1 10 message 429007
logging rate-limit 1 10 message 216004
logging rate-limit 1 10 message 450001
ASA5510(config)#
ASA5510(config)#sh logging
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Hide Username logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: level notifications, 891 messages logged
Buffer logging: level notifications, 884 messages logged
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
ASA5510(config)#

Deny examples:

Apr 05 2020 23:25:15: %ASA-4-106023: Deny udp src outside:168.232.213.153/21592 dst inside:172.18.0.4/10682 by access-group "ACL-OUTSIDE-IN" [0xe63c7008, 0x0]
Apr 05 2020 23:25:16: %ASA-4-106023: Deny udp src outside:178.198.131.51/40837 dst inside:172.18.0.4/10682 by access-group "ACL-OUTSIDE-IN" [0xe63c7008, 0x0]
Apr 05 2020 23:25:19: %ASA-4-106023: Deny udp src outside:178.198.131.51/40837 dst inside:172.18.0.4/10682 by access-group "ACL-OUTSIDE-IN" [0xe63c7008, 0x0]

Our ACL:

ASA5510(config)# sh access-list ACL-OUTSIDE-IN
access-list ACL-OUTSIDE-IN; 11 elements; name hash: 0x4c51d238
access-list ACL-OUTSIDE-IN line 1 extended deny ip 10.0.0.0 255.0.0.0 any (hitcnt=15) 0x048a140c
access-list ACL-OUTSIDE-IN line 2 extended deny ip 172.16.0.0 255.240.0.0 any (hitcnt=109) 0xd408f2c1
access-list ACL-OUTSIDE-IN line 3 extended deny ip 192.168.0.0 255.255.0.0 any (hitcnt=0) 0x783f94e3
access-list ACL-OUTSIDE-IN line 4 extended deny ip 224.0.0.0 224.0.0.0 any (hitcnt=0) 0x9a833009
access-list ACL-OUTSIDE-IN line 6 extended permit icmp any any unreachable (hitcnt=100583) 0x6aeef44e
access-list ACL-OUTSIDE-IN line 7 extended permit icmp any any time-exceeded (hitcnt=6983) 0x4242299f
access-list ACL-OUTSIDE-IN line 8 extended deny icmp any any (hitcnt=0) 0x43e8b911
access-list ACL-OUTSIDE-IN line 9 extended deny udp any any (hitcnt=658) 0xe63c7008
access-list ACL-OUTSIDE-IN line 10 extended deny tcp any any (hitcnt=232) 0x783583f8
access-list ACL-OUTSIDE-IN line 11 extended deny ip any any (hitcnt=0) 0x320f194c
ASA5510(config)#

Re: Cisco ASA 5510 logging ACL denies without "log" keyword with WARNING severity

Cristian Matei — Mon, 06 Apr 2020 16:38:12 GMT

Hi,

The ASA firewall, by default, logs anytime there is an ACE match in your ACL for a new flow, with or without the "log" keyword being configured. If you don't specify the log keyword you get a "106023" system message, if you do specify the log keyword you get a "106100" system message. If you don't want the ASA to log at all, configure the ACE with the "log disable" option. Like for example:

access-list ACL-OUTSIDE-IN line 9 extended deny udp any any log disable

Regards,

Cristian Matei.

Re: Cisco ASA 5510 logging ACL denies without "log" keyword with WARNING severity

Sam Brynes — Tue, 07 Apr 2020 00:32:40 GMT

Perfect, that was it. Thanks!

topic Re: Cisco ASA 5510 logging ACL denies without "log" keyword with WARNING severity in Network Security

Cisco ASA 5510 logging ACL denies without "log" keyword with WARNING severity

Re: Cisco ASA 5510 logging ACL denies without "log" keyword with WARNING severity

Re: Cisco ASA 5510 logging ACL denies without "log" keyword with WARNING severity