topic Re: ASA5508 syslog issue - classes session vs auth/webvpn events in Network Security

ASA5508 syslog issue - classes session vs auth/webvpn events

Jerome BERTHIER — Mon, 29 Apr 2024 08:24:54 GMT

Hello

I need to export all events from level informational from an ASA5508 to a syslog server. Basically, I set it as "logging trap informational"

This device provides firewall services as well as remote SSL VPN access and WebVPN.

I noticed that AAA and WebVPN events were not loggued.

After having few tests, I found that events from class session are mutually exclusive from almost all others classes and at least both classes auth and webvpn.

If I set a logging list containing all classes at informational level excluding the class session, it works fine. As soon I add the class session (even limited to level notification), I loose events from classes auth and webvpn.

I checked the default rate limit configuration. Messages I'm expecting are not rate limited.

I also checked default level bound to specific message I expect. It is informational :

asa# sh logging message 113015
syslog 113015: default-level informational (enabled),standby logging (disabled)
asa# sh logging message 716039
syslog 716039: default-level informational (enabled),standby logging (disabled)

I'm interested in logging all events but three classes are really mandatory :

* auth + webvpn to track VPN events

* session to track traffic

I have three platforms ASA5525X with same VPN features where this syslog setup works fine for classes session, auth and webvpn at same time.

By reading ASA syslog documentation, I do not find any information about this issue.

The issue was seen on version 9.16(4)42. The device has been updated to version 9.16(4)57.

Is it a known limitation of this platform 5508 ? or a bug ?

Regards

Re: ASA5508 syslog issue - classes session vs auth/webvpn events

Jerome BERTHIER — Tue, 30 Apr 2024 16:03:54 GMT

Well not much people inspired by my question 🙂

Finally, I think I found a good clue in the syslog documentation of version 9.16 :

When you configure syslog logging on an interface with management-only access enabled, the dataplane related logs (syslog IDs 302015, 302014, 106023, and 304001) are dropped and does not reach the syslog server. The syslog messages are dropped because the datapath routing table does not have the management interface routing. Hence, ensure the interface that you are configuring has management-only access disabled

Those message IDs starting with 302 and 106 are from the class session. In my case, they are exported but not messages from other classes.

As I do use the management interface, I think that even if these logs are not dropped then may move to CPU processing and impact others classes of logs.

My next point will be to try to export logs from a revenue interface.

Re: ASA5508 syslog issue - classes session vs auth/webvpn events

MHM Cisco World — Wed, 01 May 2024 08:00:39 GMT

To be honest I dont get class session you use?

Maybe more elaborate

Thanks alot

MHM

Re: ASA5508 syslog issue - classes session vs auth/webvpn events

Jerome BERTHIER — Thu, 02 May 2024 06:39:17 GMT

To be more accurate, below the typical setup I use on other ASA VPN devices :

logging enable
logging timestamp
no logging hide username
logging list my-events-list level informational class auth
logging list my-events-list level informational class config
logging list my-events-list level informational class ha
logging list my-events-list level informational class ids
logging list my-events-list level notifications class ip
logging list my-events-list level informational class np
logging list my-events-list level informational class rm
logging list my-events-list level notifications class session
logging list my-events-list level informational class snmp
logging list my-events-list level informational class sys
logging list my-events-list level informational class vpdn
logging list my-events-list level informational class vpn
logging list my-events-list level informational class vpnc
logging list my-events-list level informational class vpnfo
logging list my-events-list level informational class vpnlb
logging list my-events-list level informational class webfo
logging list my-events-list level informational class webvpn
logging list my-events-list level informational class ca
logging list my-events-list level informational class svc
logging list my-events-list level informational class csd
logging list my-events-list level notifications class ssl
logging list my-events-list level informational class vm
logging list my-events-list level informational class dap
logging list my-events-list level warnings class ipaa
logging list my-events-list level informational class rule-engine
logging buffer-size 16384
logging buffered debugging
logging trap my-events-list
logging asdm notifications
logging device-id hostname
logging host management x.x.x.x

This setup works as expected on ASA5525X (for more a decade).

The same setup doesn't work on the single ASA5508 I have.

On this ASA5508, if the messages class "session" is used the other classes are not sent to external syslog server.

If I set to send all messages to syslog from level informational (logging trap informational), it doesn't work either. Same issue.

If I keep all classes in the setup except the class "session", it works then as soon I add the class "session", the device stops sending messages from other classes after a delay around 60 secondes (not measured accuratly).

As pointed out in my previous answer, I'm going to investigate on changing the source interface of the syslog export. I'll switch it to a dataplane port.

Regards

Re: ASA5508 syslog issue - classes session vs auth/webvpn events

Jerome BERTHIER — Thu, 02 May 2024 08:25:29 GMT

I solved the issue by moving syslog export from a dataplane interface.

The documentation is not accurate. I faced the opposite effect.

The documentation states :

When you configure syslog logging on an interface with management-only access enabled, the dataplane related logs (syslog IDs 302015, 302014, 106023, and 304001) are dropped and does not reach the syslog server. The syslog messages are dropped because the datapath routing table does not have the management interface routing.

It is the opposite. Messages are dropped except those from dataplane related logs.

By choosing to export logs from a dataplane, you can retreive all types all logs.

Here, the simpliest final setup :

route <dataplane_interface> <syslog_IP> 255.255.255.255 <gw>
logging host <dataplane_interface> <syslog_IP>

logging trap informational

As I said, this issue is seen on ASA5508 version 9.16(4).x but not on ASA5525X version 9.12(4).x.

Regards