https://community.cisco.com/t5/network-security/firewall-deny-not-getting-logged/m-p/1609515#M591838 <HTML><HEAD></HEAD><BODY><P>Thanks Jennifer</P><P></P><P>We rebooted the FWSM firewall and that solved the issue. If the issue repeats, we are planning to open a TAC case on this.</P><P>Thanks for your suggestion</P><P></P><P>Regards</P><P>S.Balaji</P></BODY></HTML> Thu, 17 Feb 2011 13:57:44 GMT balajis27 2011-02-17T13:57:44Z https://community.cisco.com/t5/network-security/firewall-deny-not-getting-logged/m-p/1609513#M591836 <P>Hi All</P><P></P><P>I am facing a strange issue with FWSM firewall rules and need some help on that.</P><P></P><P>On this firewall, we have logging enabled to a log all denies for blocked ports. . This is covered in the last deny statement with port object-group as shown below.</P><P></P><DIV><DIV><SPAN style="color: #000000; font-family: Arial; ">access-list al_from_labs line 2236 extended deny object-group tcp_udp any any object-group Blocked_Ports log errors interval 300 0x9f5a4bff </SPAN></DIV><DIV> </DIV></DIV><P>In the recent days we found extensive deny logs for the below 6 ports and this was causing the below error message 106101 .</P><P></P><P>tcp SMTP,tcp 135,tcp 445, tcp netbios-ssn, udp netbios-ns, udp snmp</P><P></P><P><SPAN style="color: #000000; font-family: Arial; ">106101 The number of ACL log deny-flows has reached limit (number)</SPAN></P><DIV><DIV><DIV><SPAN style="color: #000000; font-family: Arial; ">106101 The number of ACL log deny-flows has reached limit (4096). </SPAN></DIV></DIV></DIV><P></P><P>Already the max configured limit on device is 4096. So we decided to remove logging only for those specifc 6 ports and wanted to still log rest of the denies. So we modified ACL as below</P><P></P><DIV><DIV><SPAN style="color: #000000; font-family: Arial; ">ddddd# sh access-list al_from_labs | in deny<BR />access-list al_from_labs line 2227 extended deny tcp any any eq smtp (hitcnt=29954) 0xf62aaca9<BR />access-list al_from_labs line 2228 extended deny tcp any any eq 135 (hitcnt=2127) 0xc8773775<BR />access-list al_from_labs line 2229 extended deny tcp any any eq 445 (hitcnt=2617) 0x9ad56a8f<BR />access-list al_from_labs line 2230 extended deny tcp any any eq netbios-ssn (hitcnt=888) 0x9258206<BR />access-list al_from_labs line 2231 extended deny udp any any eq netbios-ns (hitcnt=8670) 0x5fad9aa0<BR />access-list al_from_labs line 2232 extended deny udp any any eq snmp (hitcnt=532) 0xfe3a0d52<BR />access-list al_from_labs line 2236 extended deny object-group tcp_udp any any object-group Blocked_Ports log errors interval 300 0x9f5a4bff </SPAN></DIV></DIV><P></P><P>Please see above where we removed logging for those specific 6 denies and moved it above the last deny rule.</P><P></P><P><STRONG>Issue:</STRONG></P><P><STRONG>====</STRONG></P><P></P><P><STRONG>After we modified the acl entries as above, we see strangely that none of the denies are getting logged to the syslog server. So absolutely logging gets stopped. This is confusing becos we only wanted the firewall not to log for those specific 6 ports but now access attempt to other ports also is not getting logged.</STRONG></P><P></P><P>Please let us know what might be the cause of the issue.</P><P></P><P>Regards</P> Mon, 11 Mar 2019 19:50:11 GMT https://community.cisco.com/t5/network-security/firewall-deny-not-getting-logged/m-p/1609513#M591836 balajis27 2019-03-11T19:50:11Z https://community.cisco.com/t5/network-security/firewall-deny-not-getting-logged/m-p/1609514#M591837 <HTML><HEAD></HEAD><BODY><P>My suggestion would be to reload the FWSM to clear the cached flow.</P><P>However, if you would like to know the reason why it's not working as it should, I would suggest that you open a TAC case so the issue can be investigated further.</P></BODY></HTML> Mon, 14 Feb 2011 06:26:16 GMT https://community.cisco.com/t5/network-security/firewall-deny-not-getting-logged/m-p/1609514#M591837 Jennifer Halim 2011-02-14T06:26:16Z https://community.cisco.com/t5/network-security/firewall-deny-not-getting-logged/m-p/1609515#M591838 <HTML><HEAD></HEAD><BODY><P>Thanks Jennifer</P><P></P><P>We rebooted the FWSM firewall and that solved the issue. If the issue repeats, we are planning to open a TAC case on this.</P><P>Thanks for your suggestion</P><P></P><P>Regards</P><P>S.Balaji</P></BODY></HTML> Thu, 17 Feb 2011 13:57:44 GMT https://community.cisco.com/t5/network-security/firewall-deny-not-getting-logged/m-p/1609515#M591838 balajis27 2011-02-17T13:57:44Z https://community.cisco.com/t5/network-security/firewall-deny-not-getting-logged/m-p/1609516#M591839 <HTML><HEAD></HEAD><BODY><P>Excellent, and it's great to hear.</P><P>Please kindly mark the post answered so others can learn from your post. Thank you.</P></BODY></HTML> Thu, 17 Feb 2011 22:35:56 GMT https://community.cisco.com/t5/network-security/firewall-deny-not-getting-logged/m-p/1609516#M591839 Jennifer Halim 2011-02-17T22:35:56Z