topic Re: Can the ASA 'sla monitor' log state changes to the log buffe in Network Security

Can the ASA 'sla monitor' log state changes to the log buffer?!

j.irwin — Mon, 11 Mar 2019 18:32:04 GMT

Questions: Does anyone know if "sla monitor" can log its state changes? If not now, is it planned in a future release?

Background: Since version 7.2(1), the ASA firewall has a "sla monitor" feature to monitor the availability of remote IP addresses, eg

sla monitor 10
   type echo protocol ipIcmpEcho 10.1.10.1 interface outside
   num-packets 3
   frequency 10
sla monitor schedule 10 life forever start-time now

which can then be applied to make routing changes (using "track" to add/remove) routes, eg:

route outside 0.0.0.0 0.0.0.0 10.1.1.1 1 track 1
route outsid2 0.0.0.0 0.0.0.0 10.2.2.2 250

The running state can be manually seen with:

anyASAfirewall# show sla monitor operational-state
Entry number: 10
...

Latest operation return code: OK
...

Other than debug commands, the state changes are not logged, nor does there appear any respective logging commands.

The ability for sla monitor to log state changes would be a very useful feature, particularly in determining when *all* events occured and action was taken.

Thanks in advance

Jason

Re: Can the ASA 'sla monitor' log state changes to the log buffe

Nagaraja Thanthry — Mon, 30 Aug 2010 04:26:52 GMT

Hello,

You can try syslog message 622001. It notifies whenever there is an

addition/deletion of the tracked route.

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.ht

ml#wp4774896

Hope this helps.

Regards,

Re: Can the ASA 'sla monitor' log state changes to the log buffe

praprama — Mon, 30 Aug 2010 04:33:41 GMT

Hi,

I think the below is what you are looking for:

http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html#wp3741861

You can also look at the below link:

http://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi?action=search&locale=en&index=all&query=ASA-6-622001&counter=0&paging=5&links=reference&sa=Submit

You can look at the below document for all the logs that are produced when tacking succeeds and when it fails:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml#debug

Let me know if this helps. All the best!!

Regards,

Prapanch

Re: Can the ASA 'sla monitor' log state changes to the log buffe

j.irwin — Mon, 30 Aug 2010 05:50:59 GMT

Thanks Nagaraja and Prapanch,

I am already familiar these links; to be clear, none make mention of non-debug logging, nor any specific sla log commands.

However, I can confirm (even on version 8.0) that the Nagaraja's 622001 events do get logged *without debug enabled*.

Aug 30 2010 14:58:27: %ASA-6-622001: Removing tracked route 0.0.0.0 0.0.0.0 10.1.1.1, distance 1, table Default-IP-Routing-Table, on interface outside
...
Aug 30 2010 14:58:27: %ASA-6-622001: Adding tracked route 0.0.0.0 0.0.0.0 10.1.1.1, distance 1, table Default-IP-Routing-Table, on interface outside

Hence these logs are available without any extra commands (from the original post).

The catch is these log events are type 6, which requires the very verbose:

logging buffered informational

So in most production environments these logs will quickly expire when the log wraps, even with a megabyte of local logs:

logging buffer-size 1048576

Regards,

Jason

Re: Can the ASA 'sla monitor' log state changes to the log buffe

praprama — Mon, 30 Aug 2010 06:20:25 GMT

Hi,

Just to clarify a thing here. Any message starting with the format of %PIX/ASA-x-yyyyyy is a syslog message and will not require any debugs to be run on the device. The link with the configuration example for SLA monitoring shows all logs produced when the tracking succeeds and when the tracking fails.

Regarding the syslog like below:

%PIX-6-622001: Removing tracked route 0.0.0.0 0.0.0.0 10.200.159.1,  
               distance 1, table Default-IP-Routing-Table, on interface 
               outside

If you do not want to enable buffered logging at level 6, you can change the default level of this message to something higher using the below command:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/l2_72.html#wp1689570 

So for example, if you would like to enable logging at level 3(errors) but still want the syslog id 622001 to be logged, you can change the level of this 
command to errors using:

logging message 622001 level 3

Once this is done, you should see this message being logged at level 3 in the buffer. Hope this helps:

Regards,
Prapanch

Re: Can the ASA 'sla monitor' log state changes to the log buffe

Nagaraja Thanthry — Mon, 30 Aug 2010 06:21:22 GMT

Hello,

If you do not want to log at level 6, you can change the message level.

logging message 622001 level 3

This command will force the ASA to log 622001 at level 3. You can also

configure SNMP logging or mail logging for this specific event (although

mail logging is not very efficient).

Hope this works for you.

Regards,