10-18-2012 04:11 AM - edited 03-11-2019 05:11 PM
I have an issue on an ASA 5510 that I have noticed today: when I am using the log viewer, all of the information recorded only shows the high end source and destination ports. For example:
Source IP 10.10.4.69
Source Port 59886
Destination IP 8.8.8.8
Destination Port 59866
So what seems to be happening is that I am seeing only half of the connection in the log viewer. I see the side with the high end ports and not the side with the ports the application uses; this example was done with a ping.
All my services are working correctly and the client sending the ping gets the response expected, it just seems I have lost the logging display?
Any ideas?
Cheers
Kyle
10-18-2012 09:42 AM
Hi,
The Syslog IDs for the log messages that have to do with forming/building TCP/UDP connections should be 302013-302016
The Syslog IDs for the log messages that have to do with forming/building translations should be 305011-305012
By default if you had only configured the logging levels like this
logging buffered informational
logging asdm informational
logging trap informational
You should always see log messages of the formed connections and translations both. I guess in a lot of situations people only use the "notifications" logging level, which generally just shows connections that have been blocked by the firewall.
I can't think of many reasons at the moment why you wouldn't see log messages related to forming the connections if you have the above logging level set.
One possibility is that you (or someone else) have configured the ASA so that those logging messages have been disabled. This should be verifiable by issuing the command "show run logging" and looking for commands that start with the "no" parameter and include the syslog IDs I mentioned earlier.
Another thing could be that you have access-list statements in the interface access-list that have modified logging settings at the end. I guess in this case it might be in some access-list rule that permits all the traffic and the logging level is set to something that is out of the range of the setting you have configured with the above "logging" commands.
I can't think of anything else at the moment
- Jouni
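As an added illustration (not code from the thread or from Cisco), here is a small Python script that sorts ASA syslog lines into connection versus translation messages using the ID ranges named in the answer above, and scans a "show run logging" dump for those IDs having been switched off with "no logging message". The sample log lines and config text are constructed for the example.

```python
import re

# Syslog ID ranges as given in the answer above.
CONNECTION_IDS = set(range(302013, 302017))   # 302013-302016: TCP/UDP connection built/torn down
TRANSLATION_IDS = set(range(305011, 305013))  # 305011-305012: dynamic translation built/torn down

# ASA syslog line shape: %ASA-<severity>-<6-digit id>: <text>
MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<text>.*)")
# Lines in "show run logging" output that disable one message id
NO_LOG_RE = re.compile(r"^\s*no logging message (?P<id>\d{6})\s*$", re.MULTILINE)

def classify(line):
    """Return id, severity, kind ('connection'/'translation'/'other') and text, or None if not an ASA message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    mid = int(m.group("id"))
    if mid in CONNECTION_IDS:
        kind = "connection"
    elif mid in TRANSLATION_IDS:
        kind = "translation"
    else:
        kind = "other"
    return {"id": mid, "severity": int(m.group("sev")), "kind": kind, "text": m.group("text")}

def disabled_ids(show_run_logging):
    """All message ids explicitly disabled with 'no logging message <id>'."""
    return sorted(int(m.group("id")) for m in NO_LOG_RE.finditer(show_run_logging))

def missing_connection_logging(show_run_logging):
    """Connection/translation ids that are disabled; a non-empty result explains a log viewer showing only one side of a flow."""
    return sorted((CONNECTION_IDS | TRANSLATION_IDS) & set(disabled_ids(show_run_logging)))

# Constructed sample data (not taken from the thread); the outside address is from a documentation range.
SAMPLE_LOG = [
    "%ASA-6-305011: Built dynamic TCP translation from inside:10.10.4.69/59886 to outside:203.0.113.5/59886",
    "%ASA-6-302013: Built outbound TCP connection 4711 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.10.4.69/59886 (203.0.113.5/59886)",
    '%ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:10.10.4.69/445 by access-group "outside_in"',
]
SAMPLE_SHOW_RUN = """logging enable
logging buffered informational
logging asdm informational
logging trap informational
no logging message 302013
no logging message 302014
no logging message 302015
no logging message 302016
"""
```

Running `missing_connection_logging` over the real "show run logging" output gives the list of connection-related IDs to re-enable.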
10-18-2012 05:06 AM
Hi,
Can you copy paste example log messages from either the ASDM or the CLI of the ASA?
You sure you have not disabled any syslog messages IDs or made some other changes to logging?
Are you sure you are not watching the log lines about PAT translations? They will have a high end port as the source/destination
They start with the "Built dynamic TCP translation from" etc.
- Jouni
10-18-2012 09:11 AM
Jouni I think you are on to something here. Yes the logging starts with the Built dynamic TCP translation from so I think I am seeing the PAT here.
Is there something that I am missing in the logging to see the NAT instead?
Kyle
10-19-2012 01:39 AM
Jouni
Thank you very much, it was indeed the syslog IDs that were disabled, the exact range you were mentioning. I enabled these again and I can see the logging I need.
Thank you!