ASA 5520 - Syslog and Tacacs generate ping response?

gamorr50265_AHM
Level 1

Hi;

I'm trying to configure an ASA firewall (FW2) for syslog and tacacs and am experiencing strange behavior.  Both the syslog and ACS server are on the inside of another firewall (CoreFW).  Whenever a log message is generated on FW2 the request is dropped by CoreFW and message '%ASA-4-313004: Denied ICMP type=0, from laddr FW2 on interface outside-b2b to syslog01: no matching session' is displayed.  The same thing occurs for tacacs.

It appears that the syslog and ACS requests are generating ICMP echo replies, which the core firewall drops since no session exists on a lower security interface.  I have access lists configured on CoreFW to allow the syslog and tacacs requests.

FW2 is running asa825-k8.bin, CoreFW is asa824-k8.bin

I'm baffled!  Please pass along any suggestions.

Thanks, Glenn

1 Reply

mirober2
Cisco Employee

Hi Glenn,

The ASA should not generate echo replies unless there was a corresponding echo request. Likewise, logging and AAA functions do not use ICMP echoes.

I would suggest setting up a capture on FW2's interface that faces the syslog/ACS server and see what that shows:

FW2# capture cap1 interface <nameif> match ip any host <server-ip>

FW2# show capture cap1

You can also check the output of 'debug icmp trace' to see if/why the ASA is generating the echo reply.

-Mike
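While the capture shows what FW2 actually puts on the wire, the 313004 messages CoreFW is already logging can be tallied to see which peers and interfaces the unsolicited echo replies involve. The following is an added example for this thread, not code from the original posts or from Cisco: it parses the %ASA-4-313004 message format quoted above, names the ICMP type (type 0 is echo reply per RFC 792), and counts dropped echo replies per source, interface and destination. The sample log lines are constructed; the timestamps, the ACS host name acs01, the address 10.0.0.9 and the 302015 line are assumptions used only as input.

```python
"""Parse ASA syslog message 313004 and tally ICMP echo replies dropped for
lack of a matching session.

Added example for this thread; not code from the original posts or from
Cisco. The sample lines below are constructed (the host 'acs01', the address
10.0.0.9 and the timestamps are assumptions, not data from the thread).
"""
import re
from collections import Counter

# ICMP type numbers from RFC 792 (only the ones worth naming here).
ICMP_TYPE_NAMES = {
    0: "echo-reply",
    3: "destination-unreachable",
    8: "echo-request",
    11: "time-exceeded",
}

# Message format as it appears in the thread:
#   %ASA-4-313004: Denied ICMP type=0, from laddr FW2 on interface outside-b2b
#   to syslog01: no matching session
# The 'laddr' token is optional so lines written without it still parse.
MSG_313004 = re.compile(
    r"%ASA-(?P<sev>\d)-313004: Denied ICMP type=(?P<icmp_type>\d+), "
    r"from (?:laddr )?(?P<src>\S+) on interface (?P<iface>\S+) "
    r"to (?P<dst>\S+): no matching session"
)


def parse_313004(line):
    """Return the fields of a 313004 message as a dict, or None for any other line."""
    m = MSG_313004.search(line)
    if m is None:
        return None
    icmp_type = int(m.group("icmp_type"))
    return {
        "severity": int(m.group("sev")),
        "icmp_type": icmp_type,
        "icmp_name": ICMP_TYPE_NAMES.get(icmp_type, "type-%d" % icmp_type),
        "src": m.group("src"),
        "iface": m.group("iface"),
        "dst": m.group("dst"),
    }


def unsolicited_echo_replies(lines):
    """Count dropped echo replies (ICMP type 0) per (src, iface, dst).

    An echo reply with no matching session means the firewall never saw the
    echo request that should have preceded it, which is the symptom in the
    thread. Other ICMP types (e.g. type 3 unreachables) are left out of the
    tally so they do not masquerade as the same problem.
    """
    counts = Counter()
    for line in lines:
        rec = parse_313004(line)
        if rec is not None and rec["icmp_type"] == 0:
            counts[(rec["src"], rec["iface"], rec["dst"])] += 1
    return counts


# Constructed sample log lines; only the first line's message text is taken
# from the thread, everything else is assumed.
SAMPLE_LOG = [
    "Jan 10 12:00:01 corefw %ASA-4-313004: Denied ICMP type=0, from laddr FW2 on interface outside-b2b to syslog01: no matching session",
    "Jan 10 12:00:01 corefw %ASA-6-302015: Built inbound UDP connection 1234 for outside-b2b:FW2/514 (FW2/514) to inside:syslog01/514 (syslog01/514)",
    "Jan 10 12:00:02 corefw %ASA-4-313004: Denied ICMP type=0, from laddr FW2 on interface outside-b2b to acs01: no matching session",
    "Jan 10 12:00:03 corefw %ASA-4-313004: Denied ICMP type=0, from laddr FW2 on interface outside-b2b to syslog01: no matching session",
    "Jan 10 12:00:04 corefw %ASA-4-313004: Denied ICMP type=3, from laddr 10.0.0.9 on interface inside to FW2: no matching session",
]

if __name__ == "__main__":
    for (src, iface, dst), n in sorted(unsolicited_echo_replies(SAMPLE_LOG).items()):
        print("%d unsolicited echo reply(s) from %s on %s to %s" % (n, src, iface, dst))
```

Feed it the CoreFW syslog export instead of SAMPLE_LOG; a tally that lines up exactly with the syslog and TACACS+ sessions being built points at the peers whose traffic is triggering the replies, which is where the capture suggested above should be taken.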
