ACE logging hassle - GLBP m-cast denies...

mprescher
Level 1

Need some ideas:

Have a pair of ACEs in front of a data center application.  The outside interfaces are properly denying GLBP m-cast traffic from the attached pair of 6509s on the same VLAN.

2/14/2011,10:04:11 AM,10.147.254.2,???,LOCAL4,WARNING,:%ACE-4-106023: Deny udp src vlan2577:165.201.107.195/3222 dst undetermined:224.0.0.102/3222 by access-group "Public" [0xffffffff, 0x0]
2/14/2011,10:04:11 AM,10.147.254.2,???,LOCAL4,WARNING,:%ACE-4-106023: Deny udp src vlan2577:165.201.107.194/3222 dst undetermined:224.0.0.102/3222 by access-group "Public" [0xffffffff, 0x0]

These messages are normal and expected, but the denies fill up the ACE log to the tune of 30MB per day. I've looked at...

To tune out specific syslog messages:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_2_7/configuration/system/message/guide/config.html#wp1069411

ACE Syslog message guide:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/system/message/guide/messags.html#wp1145672

...but it appears that if I tune out this syslog message 106023, I lose all deny reporting - don't want to do that.

Here is the existing access list:

access-list Public remark Inbound Traffic
access-list Public line 1 extended permit icmp any any
access-list Public line 10 extended permit tcp any any eq https
access-list Public line 11 extended permit tcp any any eq www

I really don't want to recommend passing this m-cast traffic through the ACE, no purpose for it behind the ACE. Nor do I want to slow down the GLBP hellos just to solve a log record annoyance.

Any ideas on how I can reduce or eliminate these deny messages from the ACE log without losing all deny visibility?

Thanks,

m.
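Since the ACE only lets you switch message 106023 on or off as a whole, the place where the GLBP denies can be dropped selectively while every other deny stays visible is the syslog collector. The script below is an added example, not configuration from the original poster or from Cisco: it assumes the ACE log is being exported to a host where a script can pre-filter lines before they reach storage or a SIEM. It parses the 106023 message format shown in the thread, suppresses only denies whose protocol and destination match a tight allow-list (here the GLBP hellos to 224.0.0.102/3222 from the post), and replaces the dropped records with a per-flow count so the volume is still accounted for. The two constructed lines in the sample input (a deny to a unicast host and a non-deny message) are there to show that everything not on the list passes through untouched.

```python
import re
from collections import Counter

# Pattern for the ACE-4-106023 deny message as it appears in this thread.
# Fields are named so the filter can key on protocol and destination.
DENY_RE = re.compile(
    r'%ACE-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

# Expected, policy-intended denies to suppress: (proto, dst_ip, dst_port).
# 224.0.0.102/3222 is the GLBP hello traffic from the thread. Keep this set
# tight: anything not listed here is still reported.
EXPECTED_DENIES = {("udp", "224.0.0.102", "3222")}

# Sample input: the two real lines from the post plus two constructed lines
# (a deny to a unicast host that must stay visible, and a non-deny message).
SAMPLE_LINES = [
    '2/14/2011,10:04:11 AM,10.147.254.2,???,LOCAL4,WARNING,:%ACE-4-106023: Deny udp src vlan2577:165.201.107.195/3222 dst undetermined:224.0.0.102/3222 by access-group "Public" [0xffffffff, 0x0]',
    '2/14/2011,10:04:11 AM,10.147.254.2,???,LOCAL4,WARNING,:%ACE-4-106023: Deny udp src vlan2577:165.201.107.194/3222 dst undetermined:224.0.0.102/3222 by access-group "Public" [0xffffffff, 0x0]',
    # constructed: a deny that is NOT expected noise and must be kept
    '2/14/2011,10:04:12 AM,10.147.254.2,???,LOCAL4,WARNING,:%ACE-4-106023: Deny tcp src vlan2577:198.51.100.7/51234 dst vlan2577:10.0.0.10/22 by access-group "Public" [0xffffffff, 0x0]',
    # constructed: not a 106023 message at all, passed through untouched
    '2/14/2011,10:04:13 AM,10.147.254.2,???,LOCAL4,NOTICE,:%ACE-5-111008: User admin executed the show running-config command',
]


def parse_deny(line):
    """Return the named fields of a 106023 deny, or None for any other line."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None


def is_expected_noise(fields, expected=EXPECTED_DENIES):
    """True when the deny matches an entry in the expected-denies allow-list."""
    return (fields["proto"], fields["dst_ip"], fields["dst_port"]) in expected


def filter_denies(lines, expected=EXPECTED_DENIES):
    """Split a batch of syslog lines into (kept_lines, suppressed_counter).

    Non-106023 lines and unexpected denies are kept verbatim. Expected denies
    are dropped from the stream but tallied by (src_ip, dst_ip, dst_port) so a
    single summary line per batch can replace thousands of identical records.
    """
    kept = []
    suppressed = Counter()
    for line in lines:
        fields = parse_deny(line)
        if fields is None or not is_expected_noise(fields, expected):
            kept.append(line)
            continue
        suppressed[(fields["src_ip"], fields["dst_ip"], fields["dst_port"])] += 1
    return kept, suppressed


def summary_lines(suppressed):
    """One human-readable line per suppressed flow, preserving the count."""
    return [
        f"suppressed {n} x 106023 deny {src} -> {dst}/{port}"
        for (src, dst, port), n in sorted(suppressed.items())
    ]


if __name__ == "__main__":
    kept, suppressed = filter_denies(SAMPLE_LINES)
    for line in kept + summary_lines(suppressed):
        print(line)
```

Keying the allow-list on protocol and destination rather than on source keeps the filter honest: if something other than the two 6509s ever sends to that multicast group it is still suppressed as GLBP noise, but the per-source tally in the summary line would show a third source address, which is exactly the kind of change worth a look. Run the filter per batch (for example once a minute) so the summary line gives you a rate as well as a count.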

1 Reply

mprescher
Level 1

Still no joy on this one, but there was some faint hope with the solution below for ASA FWs that I got from engineering inside Cisco (not TAC). Unfortunately, the ACE does not support the required 'shun' command. Thought I would just post the ASA solution in case folks run across this issue in other environments and maybe, just maybe, we can get the shun command on the ACE.

------------------------------------

Shunning allows you to black-hole or refuse particular traffic at an interface based upon source-destination addressing.  This action would also be logged, but with 'shun' you can also assign a unique SYSLOG ID to the shunned traffic and so tune it out completely from the logging. If it doesn't, then there is no elegant solution.

So, check out whether the ACE has the shun command available in it. If it has the command, then the following should apply:

Possible workaround-

shun 10.17.84.2 239.192.2.0 2222 2222

That way you'll get a different syslog message ID for shun traffic and you can disable logging for that traffic by-

no logging message

Reference
http://www.cisco.com/en/US/docs/security/asa/asa71/system/message/logmsgs.html#wp1279897

http://www.cisco.com/en/US/docs/security/asa/asa71/system/message/logconf.html#wp1067974