topic Re: ASA 5510 Real Time Log Viewer Delay, Slow in Network Security

ASA 5510 Real Time Log Viewer Delay, Slow

simonbilton — Mon, 11 Mar 2019 22:30:58 GMT

Hi All,

I have a new ASA 5510 running 8.3(1) and ASDM 6.4(5)

I am trying to use the real time log viewer to help troubleshoot some access issues, but I am getting delays of up to 30 seconds or more between my client conecting to the ASA and the corresponding events showing in the RT Log viewer. I am using a simple filter for source IP as it's quite a busy device.

I've seen an article that says to turn off certain logging IDs (such as 304001 from memory, but don't quote me!) which I have done, but no different.

Any suggestions please?

Simon

Re: ASA 5510 Real Time Log Viewer Delay, Slow

varrao — Fri, 17 Feb 2012 14:31:56 GMT

Hi Simon,

Can you share an output of show run logging from the ASA?

and

show access-list | include cache

Thanks,

Varun

Re: ASA 5510 Real Time Log Viewer Delay, Slow

simonbilton — Fri, 17 Feb 2012 16:34:19 GMT

Hi Varun,

Thanks for coming back .... here's the two outputs you asked for.

I've previoulsy tried disabling as much logging as possible (e.g. only to ASDM) but nothing seems to have any effect.
You will see the two specific syslog IDs that I disabled after reading another post somewhere, but don't think this is relevant to our situation. (I think I saw another post suggesting a further four or five similar IDs to turn off as well, but not got round to that yet.)

Could really do with getting this sorted as it's causing me loads of stress from the site admins, who keep reminding me that their previous Linux-based firewall "never had all these problems" - I am fighting for credibility here

byasa01# sh run logging
logging enable
logging console informational
logging buffered informational
logging trap informational
logging asdm informational
logging host inside 192.168.20.50
no logging message 304002
no logging message 304001

byasa01# show access-list | include cache
access-list cached ACL log flows: total 100, denied 0 (deny-flow-max 4096)
byasa01#

Re: ASA 5510 Real Time Log Viewer Delay, Slow

varrao — Fri, 17 Feb 2012 16:57:42 GMT

Hi Simon,

I can understand what you are fighting against, but the real time log viewer is a convinient tool but not the best method i would say. The ASA also has to prioritize tasks to manage everything, the priority for it is inspecting traffic and logging is not a pririty task for it. If you're firewall is generating high amount of traffic then I would expect there might e some delay, although we can use bare minimum things to reduce this delay.

I would suggest you disable the following logging first:

logging console informational

logging buffered informational

logging asdm informational

and then, reduce the time interval of the acl log as well, for that lets take an example that, you are logging the following acl:

access-list outside_in deny ip any any log interval 1

make the interval as 1sec, whihc means it would send the log after every 1 sec, default is 300.

and also can you provide this:

show logging queue

show logging message.

Thanks,

Varun

Re: ASA 5510 Real Time Log Viewer Delay, Slow

simonbilton — Fri, 17 Feb 2012 17:07:57 GMT

Disabled logging as suggested, requested outputs below:-

byasa01# sh logging queue

        Logging Queue length limit : 512 msg(s)
        14307737 msg(s) discarded due to queue overflow
        0 msg(s) discarded due to memory allocation failure
        Current 0 msg on queue, 512 msgs most on queue

byasa01# sh logging mess
byasa01# sh logging message
syslog 304002: default-level notifications (disabled)
syslog 304001: default-level notifications (disabled)

Not tried changing the ACL log interval yet as running out of time for today, but will try it over the weekend if I get time.

Appreciate prompt repsonses, thanks

Simon

ASA 5510 Real Time Log Viewer Delay, Slow

varrao — Fri, 17 Feb 2012 17:11:23 GMT

You can see it here:

14307737 msg(s) discarded due to queue overflow

which means its quite a busy firewall

let me know how it goes, i am on the forum this weekend.

Thanks,

Varun

ASA 5510 Real Time Log Viewer Delay, Slow

simonbilton — Fri, 17 Feb 2012 22:35:02 GMT

Thanks once again.

While your statement about a busy firewall and the number of discarded messages makes sense in some respects, I'd appreciate a bit of an insight as to "what" is so busy.

This is a relatively small site - maybe 100 users - but with a proportionately high throughput to be honest - but do these numbers suggest a lot of stuff hitting the firewall and being rejected, hence blocking / delaying real traffic ?

Wouldn't mind a subjective opinion if you can spare some time.

Thanks

Simon