01-28-2019 11:54 AM
Hello,
Hopefully this is in the correct location for this type of question. I am still early in my career and I am hoping that someone can catch my mistake because I am not entirely sure what went wrong with this. We have a Cisco ASA 5505 and I implemented a syslog so that I could start working on a solution to track events for a customer of ours. These are the commands that I used on our ASA at our own shop as a test before trying it on our customer's server. I am attempting to send a TCP syslog message to a host at x.x.x.213 over port 1470 and found this command in some Cisco syslog documentation.
logging enable
logging timestamp
logging console notifications
logging trap informational
logging history errors
logging asdm informational
logging host inside x.x.x.213 6/1470
I implemented the TCP 1470 port for this because I was having errors on my PC that prevented the Kiwi syslog server from working, and when I found a good free one the UDP side of that software was also giving me an error. I tried to enable the TCP side of the syslog server and it worked great and my messages started to come through. Here is where the problems began though. The server ran great overnight for about 15 hours, but then we started to notice minor problems on our network. We had one user who couldn't access web pages at all. Their workstation was dropping connection intermittently and then would come back on. Finally she dropped off permanently and so did about 3 other people. When I got back from lunch I tested a few things on the network and it seemed like some could access the internet and some couldn't. We were seeing strange errors like the DNS servers not resolving hostnames etc. I removed the changes I made to the ASA and the problems instantly stopped and we haven't had an issue since. And now comes the question... what did I miss? Do I have to set up a buffer to limit the amount of data that can be committed to this? The more I turn it over in my head the more it feels like either the syslog server is bogging down the network, or bogging down the ASA, but I don't know enough about the device to know what to do.
Thanks!
Solved! Go to Solution.
01-28-2019 01:02 PM
Hi there,
Since it is a 5505, this could possibly be a licensing issue. Specifically the inside hosts limit. The 5505 supports 10, 50 or unlimited inside hosts.
Can you share the output from sh ver
cheers,
Seb.
01-28-2019 01:23 PM
Here is our version with private information excluded of course. Thanks!
01-28-2019 01:28 PM
OK, so you have a 50 host limit.
Can you provide the output for show host-limit
also show log | inc host limit
...hopefully the above command will show something, but it depends on how big your log buffer is. If you are sending the logs to a syslog server, grep them for the string 'host limit'.
cheers,
Seb.
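A small log check for the grep step above, added to this thread as an example (it is not Cisco's code and not from either poster). It scans ASA syslog lines as exported from a syslog server for the 'host limit' denials Seb mentions and summarises which inside hosts and destination ports were denied. It also flags a separate ASA behaviour worth knowing when the logging destination is TCP, as in the original config: by default the ASA denies new connections while a TCP syslog server is unreachable, unless `logging permit-hostdown` is configured. The sample lines are constructed in ASA syslog format (addresses from documentation ranges; the numeric message IDs are illustrative), so the matcher keys on the message text rather than on IDs.

```python
"""Scan Cisco ASA syslog lines for license host-limit denials and TCP syslog-server outages.

Added example for this thread; not Cisco's code and not from the original posts.
The sample log below is constructed in the ASA syslog format; the message IDs in
it are illustrative, and the matching is done on the message text.
"""
import re
from collections import Counter

# Constructed sample export from a syslog server (not real traffic).
SAMPLE_LOG = """\
Jan 28 2019 09:15:01 asa %ASA-6-302013: Built outbound TCP connection 5120 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:192.0.2.41/51234 (198.51.100.2/51234)
Jan 28 2019 09:15:07 asa %ASA-4-450001: Deny traffic for protocol 17 src inside:192.0.2.57/53211 dst outside:203.0.113.53/53, licensed host limit of 50 exceeded.
Jan 28 2019 09:15:09 asa %ASA-4-450001: Deny traffic for protocol 6 src inside:192.0.2.58/49822 dst outside:203.0.113.10/80, licensed host limit of 50 exceeded.
Jan 28 2019 09:16:02 asa %ASA-3-414003: TCP Syslog Server inside:192.0.2.213/1470 not responding. New connections are denied based on logging permit-hostdown policy
Jan 28 2019 09:16:30 asa %ASA-4-450001: Deny traffic for protocol 17 src inside:192.0.2.57/53212 dst outside:203.0.113.53/53, licensed host limit of 50 exceeded.
"""

# "<timestamp> <hostname> %ASA-<severity>-<msgid>: <text>"
ASA_LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d+): (?P<text>.*)$"
)
# "src <ifc>:<ip>/<port> dst <ifc>:<ip>/<port>" inside a deny message
FLOW = re.compile(r"src \S+:(?P<ip>[\d.]+)/\d+ dst \S+:[\d.]+/(?P<dport>\d+)")


def parse_asa_line(line):
    """Split one ASA syslog line into its fields; return None if it is not ASA format."""
    m = ASA_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    return rec


def scan(log_text):
    """Summarise host-limit denials and TCP syslog-server outages in an ASA log export."""
    denials = []
    syslog_down = []
    for line in log_text.splitlines():
        rec = parse_asa_line(line)
        if rec is None:
            continue
        lowered = rec["text"].lower()
        if "host limit" in lowered:  # the string the thread suggests grepping for
            flow = FLOW.search(rec["text"])
            denials.append({
                "ts": rec["ts"],
                "src": flow.group("ip") if flow else None,
                "dport": flow.group("dport") if flow else None,
            })
        elif "syslog server" in lowered and "not responding" in lowered:
            # TCP logging destination unreachable: with the default policy the ASA
            # denies new connections until the server is back or
            # 'logging permit-hostdown' is configured.
            syslog_down.append({"ts": rec["ts"], "text": rec["text"]})
    return {
        "host_limit_denials": len(denials),
        "denied_hosts": sorted({d["src"] for d in denials if d["src"]}),
        "denied_dports": dict(Counter(d["dport"] for d in denials if d["dport"])),
        "syslog_server_down": syslog_down,
    }


def findings(summary):
    """Turn the summary into plain-language findings for the person running the check."""
    out = []
    if summary["host_limit_denials"]:
        out.append(
            f"{summary['host_limit_denials']} denials from the licensed inside-host limit; "
            f"{len(summary['denied_hosts'])} distinct inside hosts affected, "
            f"destination ports {summary['denied_dports']} (port 53 explains DNS failures)."
        )
    if summary["syslog_server_down"]:
        out.append(
            "TCP syslog server reported unreachable; without 'logging permit-hostdown' "
            "the ASA denies new connections while it is down."
        )
    return out


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for f in findings(result):
        print("-", f)
```

Run it against the real export instead of `SAMPLE_LOG` by reading the file into `scan()`; the two findings map directly to the two symptoms in the first post (hosts intermittently losing connectivity, DNS not resolving).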
01-28-2019 01:36 PM
Show host-limit isn't showing as a command on the ASA. Is that the command as it is supposed to be? I looked through the list of commands using Show ? and the only one even close is hostname. Also the show logging is blank. I had turned it off to alleviate our networking issue. But that does sound like it may be our issue because we do have close to if not over 50 hosts on the inside. So we can only have a max of 50 at any given time? I need to pore through the datasheets some more from the sounds of this. Didn't realize the ASAs had user limits.
01-28-2019 01:55 PM
Sorry, it should be show local-host ...been a while since I've worked on a 5505!
Yes the host limit did seem like a cruel feature at the time! You can get around it by NAT'ing your entire inside network before it reaches the ASA inside interface. This way it will only see the IP/MAC of a single inside device....but adding another router/firewall just to get around this limitation may not suit your deployment.
In fairness the 5505 is getting long in the tooth, perhaps this is a good reason to upgrade to a 5506X.
cheers,
Seb.