I'm in need of some help here. We lost our internet connection. I checked the ASA syslog and found that the ASA was displaying "Disallowing new connections" in the ASDM syslog:
Syslog ID: 201008: Disallowing new connections
I did a Google search, but it didn't yield any good results. Any help would be greatly appreciated.
I need to know why this error occurred, what caused it, and what the fix is. Thanks.
I think we had this problem when we enabled TCP-based Syslog to a Syslog server (instead of the default UDP traffic). Unknown to us at that time was that if, for any reason, the Syslog server could not be reached through that TCP connection, the ASA would stop allowing new connections through it.
I then found out that to avoid this situation you had to have this command enabled:
This command essentially allows the ASA to perform normally even if the Syslog server has become unreachable. Our problem in this case was related to a misunderstanding of what the TCP port should have been.
We added this command after the problem had started on a Security Context in a Multiple Context mode ASA, and we also found out that adding this command later did not help with the situation. We went as far as removing all logging configurations and even the interface through which the Syslog server had originally been configured. None of this helped. In the end we had to remove the whole Security Context and enter it again in the System Context to get connections going through that particular Security Context.
So I kind of wonder whether you have configured TCP-based Syslog messages on the ASA, the server has become unreachable, and you don't have the above-mentioned command enabled?
Hope this helps
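An added check, written for this thread and not code from the thread or from Cisco: it audits a constructed ASA config fragment for TCP logging hosts configured without logging permit-hostdown (the combination described above) and counts 201008 messages in constructed syslog lines. The interface names, addresses and port are assumptions; the config is assumed to be the text of show running-config.

```python
import re

# Constructed sample ASA config fragment (not from the thread); addresses,
# interface name and port are assumptions. One TCP host, one default (UDP) host.
SAMPLE_CONFIG = """\
hostname asa-ctx-a
logging enable
logging trap informational
logging host inside 192.0.2.10 tcp/1470
logging host inside 192.0.2.11
"""

# Constructed sample syslog lines using the message ID quoted in the thread.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/51234 (203.0.113.5/51234) to inside:192.0.2.20/443 (192.0.2.20/443)
%ASA-3-201008: Disallowing new connections.
%ASA-3-201008: Disallowing new connections.
"""

# 'logging host <iface> <addr> [tcp|udp|6|17]/<port> [...]'; show run may print
# the protocol as a number (6 = TCP), so both spellings are accepted.
LOGGING_HOST = re.compile(r"^logging host (\S+) (\S+)(?:\s+(\S+)/(\d+))?(?:\s.*)?$")
DISALLOW = re.compile(r"%ASA-\d-201008:")

def audit_logging_config(config_text):
    """Return (tcp_hosts, permit_hostdown): TCP syslog destinations found as
    (interface, address, port) tuples, and whether 'logging permit-hostdown' is set."""
    tcp_hosts, permit_hostdown = [], False
    for line in config_text.splitlines():
        line = line.strip()
        if line == "logging permit-hostdown":
            permit_hostdown = True
            continue
        m = LOGGING_HOST.match(line)
        if m and m.group(3) in ("tcp", "6"):   # UDP (the default) is not a risk
            tcp_hosts.append((m.group(1), m.group(2), int(m.group(4))))
    return tcp_hosts, permit_hostdown

def is_at_risk(config_text):
    """True when a TCP syslog host exists but permit-hostdown is absent."""
    tcp_hosts, permit = audit_logging_config(config_text)
    return bool(tcp_hosts) and not permit

def count_disallow_events(log_text):
    """Count 201008 'Disallowing new connections' messages in raw syslog text."""
    return sum(1 for line in log_text.splitlines() if DISALLOW.search(line))

if __name__ == "__main__":
    print("TCP syslog hosts / permit-hostdown:", audit_logging_config(SAMPLE_CONFIG))
    print("at risk:", is_at_risk(SAMPLE_CONFIG))
    print("201008 events:", count_disallow_events(SAMPLE_LOG))
```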
Yes, TCP is enabled for syslog server.
I have also enabled "Allow user traffic to pass when TCP syslog server is down". Hoping this will resolve the issue.
Will test the firewall again tomorrow evening to see if this solves the problem.
Jouni Forss, thanks for the post. We lost the link to the syslog server, and the same thing happened.
logging permit-hostdown worked great while we restored the link.
I know it's an older post, but it's still a problem :)
If the command:
doesn't help, you're hitting a bug that is not public. The bug is related to context firewalls.
To fix the problem, the only solution is to re-create the context. A reboot doesn't help.
Here's a short instruction (repeat for every context):
1. Remove the TCP syslog server configuration:
   changeto context XYZ
   no logging host inside x.x.x.x tcp/xxx
2. Save the new configuration:
   wr mem all
3. Check the configuration (optional):
   more xyz.cfg | in logging
4. Check the context file:
   sh run context XYZ
5. Remove the context configuration:
   changeto context XYZ
   clear configure all
6. Use the context file again:
If you have a failover pair, I recommend removing the configuration of the secondary ASA and building up the failover cluster again.