topic Re: CISCO ASA icmp logs in Network Security

CISCO ASA icmp logs

ihor.nakonecznyj — Wed, 18 Aug 2021 22:08:10 GMT

The ICMP logs (ASA-6-302021) we are currently receiving from the ASA do not contain the byte count for the packet. Is this design intent or a config issue?

With the rise in hackers using icmp for exfil this is a critical piece of data.

TIA

Ihor

Re: CISCO ASA icmp logs

balaji.bandi — Wed, 18 Aug 2021 22:28:57 GMT

Can you post sample Log here to understand the issue ?

Re: CISCO ASA icmp logs

ihor.nakonecznyj — Wed, 18 Aug 2021 22:33:11 GMT

9:07:23.000 PM
Aug 18 16:07:23 10.a.a.a %ASA-6-302021: Teardown ICMP connection for faddr 10.b.b.b/45883 gaddr 10.c.c.c/0 laddr 10.c.c.c/0 type 8 code 0
BTW, what is faddr gaddr and laddr?

Re: CISCO ASA icmp logs

balaji.bandi — Wed, 18 Aug 2021 22:59:26 GMT

02021

Error Message %ASA-6-302021: Teardown ICMP connection for faddr {faddr | icmp_seq_num } [(idfw_user )] gaddr {gaddr | icmp_type } laddr laddr [(idfw_user )] type {type } code {code }

Explanation An ICMP session is removed in the fast-path when stateful ICMP is enabled using the inspect icmp command. The following list describes the message values:

faddr —Specifies the IP address of the foreign host
gaddr —Specifies the IP address of the global host
laddr —Specifies the IP address of the local host
idfw_user —The name of the identity firewall user
user —The username associated with the host from where the connection was initiated
type —Specifies the ICMP type
code —Specifies the ICMP code

Re: CISCO ASA icmp logs

ihor.nakonecznyj — Wed, 18 Aug 2021 23:03:11 GMT

Thank you. So, no byte count for the packet? Is there a different ASA icmp log that would contain the packet byte count?

TIA

Ihor