
Why the traffic is only appearing on the packet capture, not “show log” & syslog?

Adam David
Level 1

Hi,

I’m trying to capture traffic from host 10.10.10.10 to host 192.168.1.10.

One thing that I still don’t understand is why the firewall command “show log” and the syslog server don’t capture any packets, but when I did a packet capture, I can see the packets?

"show log" doesn't capture any network traffic from 10.10.10.10 to 192.168.1.10

asafw# sh log | i 10.10.10.10 | i 192.168.1.10

Jun 06 2011 06:05:24 172.27.157.78 : %ASA-5-111008: User 'admin' executed the 'access-list capin permit ip host 10.10.10.10 host 192.168.1.10' command.

Jun 06 2011 06:07:04 172.27.157.78 : %ASA-5-111008: User 'admin' executed the 'access-list cap-fail permit ip host 10.10.10.10 host 192.168.1.10' command.

asafw#

syslog also doesn't capture any network traffic from 10.10.10.10 to 192.168.1.10

syslog{admin}: tail -f logfile | grep asafw | grep 10.10.10.10 | grep 192.168.1.10

But when I do a packet capture, I can see the traffic. Is there any reason why the “sh log” command and syslog are unable to capture specific network traffic from host 10.10.10.10 to host 192.168.1.10?

asafw# sh access-list cap-fail

access-list cap-fail; 2 elements

access-list cap-fail line 1 extended permit ip host 10.10.10.10 host 192.168.1.10 (hitcnt=146) 0x11576850

access-list cap-fail line 2 extended permit ip host 192.168.1.10 host 10.10.10.10 (hitcnt=146) 0x9e07e800

asafw# sh cap
capture cap-fail type raw-data access-list cap-fail packet-length 54 interface dmz [Capturing - 8540 bytes]

asafw# sh cap cap-fail

1043 packets captured
   1: 06:10:10.039472 10.10.10.10 > 192.168.1.10: icmp: echo request
   2: 06:10:10.062389 192.168.1.10 > 10.10.10.10: icmp: echo reply
   3: 06:10:11.039518 10.10.10.10 > 192.168.1.10: icmp: echo request
   4: 06:10:11.061550 192.168.1.10 > 10.10.10.10: icmp: echo reply
   5: 06:10:12.039518 10.10.10.10 > 192.168.1.10: icmp: echo request
   6: 06:10:12.061245 192.168.1.10 > 10.10.10.10: icmp: echo reply
   7: 06:10:13.039533 10.10.10.10 > 192.168.1.10: icmp: echo request
   8: 06:10:13.061657 192.168.1.10 > 10.10.10.10: icmp: echo reply
   9: 06:10:14.039533 10.10.10.10 > 192.168.1.10: icmp: echo request
  10: 06:10:14.061672 192.168.1.10 > 10.10.10.10: icmp: echo reply

4 Replies

Anu M Chacko
Cisco Employee

Hi Adam,

Are any syslog messages turned off on the ASA? At what level have you enabled the syslogging? Could you please post the output of "sh run | i logging" here? There is a known bug regarding this in ASA version 7.2. Take a look:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk30698

Was this working before?

Regards,

Anu

Thanks Anu for your prompt reply. Btw, this is ASA ver 8.0(5). The log messages look ok and it is able to capture other messages, as you can see below.

But I don't know why it can't capture traffic from 10.10.10.10 or 192.168.1.10 while the packet capture is able to capture this traffic.

asafw# sh log | i 192.168.1.10

Jun 06 2011 06:07:04 172.27.157.78 : %ASA-5-111008: User 'admin' executed the 'access-list cap-fail permit ip host 10.10.10.10 host 192.168.1.10' command.

Jun 06 2011 06:07:05 172.27.157.78 : %ASA-5-111008: User 'admin' executed the 'access-list cap-fail permit ip host 192.168.1.10 host 10.10.10.10' command.

asafw#

Here is the show log output

asafw# sh log

Syslog logging: enabled

    Facility: 20

    Timestamp logging: enabled

    Standby logging: disabled

    Debug-trace logging: disabled

    Console logging: disabled

    Monitor logging: disabled

    Buffer logging: level notifications, 1754250 messages logged

    Trap logging: level informational, facility 20, 20772961 messages logged

        Logging to inside 172.16.10.10 errors: 181  dropped: 1007

        Logging to inside 172.16.10.11 errors: 86  dropped: 336

    History logging: level notifications, 1754250 messages logged

    Device ID: 'inside' interface IP address "172.16.100.100"

    Mail logging: disabled

    ASDM logging: level informational, 20772961 messages logged

bound TCP connection denied from host-10.10.180.50/606 to host-10.10.180.49/515 flags SYN  on interface outside

Jun 05 2011 05:07:14 10.10.157.78 : %ASA-2-106001: Inbound TCP connection denied from host-10.10.180.50/606 to host-10.10.180.49/515 flags SYN  on interface outside

Jun 05 2011 05:07:16 10.10.157.78 : %ASA-2-106001: Inbound TCP connection denied from host-10.10.180.50/606 to host-10.10.180.49/515 flags RST  on interface outside

Jun 05 2011 05:08:16 10.10.157.78 : %ASA-2-106001: Inbound TCP connection denied from host-10.10.180.50/605 to host-10.10.180.49/515 flags SYN  on interface outside

Jun 05 2011 05:08:19 10.10.157.78 : %ASA-2-106001: Inbound TCP connection denied from host-10.10.180.50/605 to host-10.10.180.49/515 flags SYN  on interface outside

Jun 05 2011 05:08:21 10.10.157.78 : %ASA-2-106001: Inbound TCP connection denied from host-10.10.180.50/605 to host-10.10.180.49/515 flags RST  on interface outside

Jun 05 2011 05:09:21 10.10.157.78 : %ASA-2-106001: Inbound TCP connection denied from host-10.10.180.50/604 to host-10.10.180.49/515 flags SYN  on interface outside

Jun 05 2011 05:09:24 10.10.157.78 : %ASA-2-106001: Inbound TCP connection denied from host-10.10.180.50/604 to host-10.10.180.49/515 flags SYN  on interface outside

Hi Adam,

I see that the level is set to notifications(level 5) for buffered logging. Could you increase the level to be debugging and test if you see logs in the buffer?

logging buffered 7

logging on

clear logging buffer

sh log

Let me know.

Regards,

Anu

Even if you have debug level syslogs enabled, you won't see logs for your ICMP traffic unless you enable the ICMP inspection.

Thanks,

Brendan
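The two replies above describe two separate filters that sit between a packet crossing the ASA and a line in "show log": the message must exist at all (for ICMP through the box, only with ICMP inspection enabled, as Brendan notes), and its severity must be at or below the level configured for the destination (the buffer here is at notifications, level 5, so informational messages are dropped, as Anu notes). The following Python script is an added example, not code from the thread or from Cisco: it parses ASA syslog lines and the destination levels printed by "show logging", then emulates "sh log | i" against a given destination level. The %ASA-6-302020/302021 ICMP connection lines and the "show logging" excerpt are constructed for the example; the 302020/302021 message texts are an assumption about what ICMP inspection would emit and the exact wording on a real box may differ.

```python
import re
from dataclasses import dataclass

# ASA severity names as printed by "show logging", mapped to their numeric level.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# One ASA syslog line: "Jun 06 2011 06:07:04 172.27.157.78 : %ASA-5-111008: <text>"
MSG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) : "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)

# A destination line in "show logging", e.g. "Buffer logging: level notifications, ..."
DEST_RE = re.compile(r"^\s*(?P<dest>\w+) logging: level (?P<level>\w+)")

# Constructed "show logging" excerpt, modelled on the levels shown in the thread.
SHOW_LOGGING = """\
Syslog logging: enabled
    Console logging: disabled
    Buffer logging: level notifications, 1754250 messages logged
    Trap logging: level informational, facility 20, 20772961 messages logged
"""

# Constructed log lines: the level-5 command-audit line from the thread, two level-6
# ICMP connection lines of the kind ICMP inspection would generate (assumed text),
# and an unrelated level-2 deny.
SAMPLE_LOG = """\
Jun 06 2011 06:07:04 172.27.157.78 : %ASA-5-111008: User 'admin' executed the 'access-list cap-fail permit ip host 10.10.10.10 host 192.168.1.10' command.
Jun 06 2011 06:10:10 172.27.157.78 : %ASA-6-302020: Built outbound ICMP connection for faddr 192.168.1.10/0 gaddr 10.10.10.10/0 laddr 10.10.10.10/0
Jun 06 2011 06:10:12 172.27.157.78 : %ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.10/0 gaddr 10.10.10.10/0 laddr 10.10.10.10/0
Jun 05 2011 05:07:14 10.10.157.78 : %ASA-2-106001: Inbound TCP connection denied from host-10.10.180.50/606 to host-10.10.180.49/515 flags SYN  on interface outside
"""


@dataclass
class AsaMessage:
    timestamp: str
    host: str
    severity: int
    msgid: str
    text: str


def parse_message(line):
    """Parse one ASA syslog line; return None for lines that are not ASA messages."""
    m = MSG_RE.match(line)
    if not m:
        return None
    return AsaMessage(m["ts"], m["host"], int(m["sev"]), m["msgid"], m["text"])


def parse_destinations(show_logging_output):
    """Return {destination: numeric level} for every destination that lists a level."""
    levels = {}
    for line in show_logging_output.splitlines():
        d = DEST_RE.match(line)
        if d:
            levels[d["dest"].lower()] = SEVERITY[d["level"].lower()]
    return levels


def would_log(msg, dest_level):
    """A destination records a message only if the message severity is <= its level."""
    return msg.severity <= dest_level


def filter_log(lines, dest_level, *needles):
    """Emulate 'show logging | include ...' against a destination at dest_level:
    keep messages that destination would have recorded and whose full line
    contains every needle (the ASA 'include' filter matches the whole line)."""
    kept = []
    for line in lines.splitlines():
        msg = parse_message(line)
        if msg and would_log(msg, dest_level) and all(n in line for n in needles):
            kept.append(msg)
    return kept


if __name__ == "__main__":
    levels = parse_destinations(SHOW_LOGGING)
    print("destination levels:", levels)
    for name, level in (("buffer (as configured)", levels["buffer"]),
                        ("buffer after 'logging buffered 7'", 7)):
        hits = filter_log(SAMPLE_LOG, level, "10.10.10.10", "192.168.1.10")
        print(f"{name}: {[m.msgid for m in hits]}")
```

Running it shows that at the configured buffer level only the 111008 command-audit line matches the two hosts, while at level 7 the 302020/302021 connection lines also appear; on a real ASA those connection lines are emitted for ICMP only when ICMP inspection is enabled, which is why raising the buffer level alone may still leave the grep empty.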
