02-16-2012 02:13 PM - edited 03-11-2019 03:30 PM
Hi All,
I have a new ASA 5510 running 8.3(1) and ASDM 6.4(5)
I am trying to use the real time log viewer to help troubleshoot some access issues, but I am getting delays of up to 30 seconds or more between my client connecting to the ASA and the corresponding events showing in the RT Log viewer. I am using a simple filter for source IP as it's quite a busy device.
I've seen an article that says to turn off certain logging IDs (such as 304001 from memory, but don't quote me!) which I have done, but no different.
Any suggestions please?
Simon
02-17-2012 06:31 AM
Hi Simon,
Can you share an output of show run logging from the ASA?
and
show access-list | include cache
Thanks,
Varun
02-17-2012 08:34 AM
Hi Varun,
Thanks for coming back .... here's the two outputs you asked for.
I've previously tried disabling as much logging as possible (e.g. only to ASDM) but nothing seems to have any effect.
You will see the two specific syslog IDs that I disabled after reading another post somewhere, but don't think this is relevant to our situation. (I think I saw another post suggesting a further four or five similar IDs to turn off as well, but not got round to that yet.)
Could really do with getting this sorted as it's causing me loads of stress from the site admins, who keep reminding me that their previous Linux-based firewall "never had all these problems" - I am fighting for credibility here.
byasa01# sh run logging
logging enable
logging console informational
logging buffered informational
logging trap informational
logging asdm informational
logging host inside 192.168.20.50
no logging message 304002
no logging message 304001
byasa01# show access-list | include cache
access-list cached ACL log flows: total 100, denied 0 (deny-flow-max 4096)
byasa01#
02-17-2012 08:57 AM
Hi Simon,
I can understand what you are fighting against, but the real time log viewer is a convenient tool but not the best method I would say. The ASA also has to prioritize tasks to manage everything, the priority for it is inspecting traffic and logging is not a priority task for it. If your firewall is generating a high amount of traffic then I would expect there might be some delay, although we can use bare minimum things to reduce this delay.
I would suggest you disable the following logging first:
logging console informational
logging buffered informational
logging asdm informational
and then, reduce the time interval of the ACL log as well. For that, let's take an example where you are logging the following ACL:
access-list outside_in deny ip any any log interval 1
Make the interval 1 sec, which means it would send the log after every 1 sec; default is 300.
and also can you provide this:
show logging queue
show logging message.
Thanks,
Varun
02-17-2012 09:07 AM
Disabled logging as suggested, requested outputs below:-
byasa01# sh logging queue
Logging Queue length limit : 512 msg(s)
14307737 msg(s) discarded due to queue overflow
0 msg(s) discarded due to memory allocation failure
Current 0 msg on queue, 512 msgs most on queue
byasa01# sh logging mess
byasa01# sh logging message
syslog 304002: default-level notifications (disabled)
syslog 304001: default-level notifications (disabled)
Not tried changing the ACL log interval yet as running out of time for today, but will try it over the weekend if I get time.
Appreciate prompt responses, thanks.
Simon
02-17-2012 09:11 AM
You can see it here:
14307737 msg(s) discarded due to queue overflow
which means it's quite a busy firewall.
Let me know how it goes, I am on the forum this weekend.
Thanks,
Varun
02-17-2012 02:35 PM
Thanks once again.
While your statement about a busy firewall and the number of discarded messages makes sense in some respects, I'd appreciate a bit of an insight as to "what" is so busy.
This is a relatively small site - maybe 100 users - but with a proportionately high throughput to be honest - but do these numbers suggest a lot of stuff hitting the firewall and being rejected, hence blocking / delaying real traffic ?
Wouldn't mind a subjective opinion if you can spare some time.
Thanks
Simon
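An added example, not part of any post in this thread and not Cisco code: a Python check that reads the show run logging and show logging queue outputs posted above and reports discarded messages, a queue that has reached its limit, and how many destinations receive informational-level logging. The function names and the choice of what counts as a finding are assumptions made for this illustration.

```python
import re

# Outputs copied from the thread above, prompt lines removed.
SHOW_RUN_LOGGING = """\
logging enable
logging console informational
logging buffered informational
logging trap informational
logging asdm informational
logging host inside 192.168.20.50
no logging message 304002
no logging message 304001
"""
SHOW_LOGGING_QUEUE = """\
Logging Queue length limit : 512 msg(s)
14307737 msg(s) discarded due to queue overflow
0 msg(s) discarded due to memory allocation failure
Current 0 msg on queue, 512 msgs most on queue
"""

QUEUE_FIELDS = {
    "limit": r"length limit\s*:\s*(\d+)",
    "overflow_drops": r"(\d+) msg\(s\) discarded due to queue overflow",
    "alloc_drops": r"(\d+) msg\(s\) discarded due to memory allocation",
    "high_water": r"(\d+) msgs most on queue",
}
DEST_RE = re.compile(r"^logging (console|buffered|trap|asdm|monitor) (\S+)$", re.M)

def parse_queue(text):
    """Counters from 'show logging queue'; a missing field raises ValueError."""
    out = {}
    for name, pat in QUEUE_FIELDS.items():
        m = re.search(pat, text)
        if m is None:
            raise ValueError(f"field not found: {name}")
        out[name] = int(m.group(1))
    return out

def assess(run_logging, queue):
    """Return (counters, destination->level map, list of findings)."""
    q, dests = parse_queue(queue), dict(DEST_RE.findall(run_logging))
    findings = []
    if q["overflow_drops"] or q["alloc_drops"]:
        findings.append(f"{q['overflow_drops'] + q['alloc_drops']} messages discarded; log record is incomplete")
    if q["limit"] and q["high_water"] >= q["limit"]:  # limit 0 skipped (assumed: no fixed limit)
        findings.append(f"queue has filled to its {q['limit']}-message limit")
    noisy = sorted(d for d, lvl in dests.items() if lvl in ("informational", "debugging"))
    if len(noisy) > 1:
        findings.append("informational or debugging level sent to: " + ", ".join(noisy))
    return q, dests, findings
```

Calling assess(SHOW_RUN_LOGGING, SHOW_LOGGING_QUEUE) returns three findings for the outputs in this thread; the discard count matters beyond the viewer delay because any investigation relying on these syslogs is working from a record with gaps.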