Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2257
Views
0
Helpful
4
Replies

ASA 5510 real time logs showing incorrect ports

Go to solution
kyle.heath
Level 1
Level 1

‎10-18-2012 04:11 AM - edited ‎03-11-2019 05:11 PM

I have an issue on an ASA 5510 that I have noticed today, when I am using the log viewer all of the information recorded only shows the high end source and destination ports.  For example

Source IP 10.10.4.69

Source Port 59886

Destination IP 8.8.8.8

Destination Port 59866

So what seems to be happening is that I am seeing only half of the connection in the log viewer, I see the side with the high end ports and not the side with the ports the application uses, this example was done with a ping.

All my services are working correctly and the client sending the ping gets the response expected, it just seems I have lost the logging display?

Any ideas?

Cheers

Kyle

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to kyle.heath

‎10-18-2012 09:42 AM

Hi,

The Syslog IDs for the log messages that have to do with forming/building TCP/UDP connections should be 302013-302016

The Syslog IDs for the log messages that have to do with forming/building translations should be 305011-305012

By default if you had only configured the logging levels like this

logging buffered informational

logging asdm informational

logging trap informational

You should always see log messages of the formed connections and translations both. I guess in alot of situations people only use "notifications" logging level that generally just shows connections that have been blocked by the firewall.

I can't think of many reasons at the moment why you wouldnt see log messages related to forming the connections if you have the above logging level set

One possiblity is that you have (or someone else) has configured the ASA so that those logging messages have been disabled. This should be verifiable by issuing the command "show run logging" and looking for commands that start with "no" parameter and include the syslog IDs I mentioned earlier.

Other thing could be that you have access-list statements in the interface access-list that have modified logging settings at the end. I guess in this it might be in some access-list rule that permits all the traffic and the logging level is set to something that is out of the range of the setting you have configured with the above "logging" commands.

I can't think of anything else at the moment

- Jouni

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎10-18-2012 05:06 AM

Hi,

Can you copy paste example log messages from either the ASDM or the CLI of the ASA?

You sure you have not disabled any syslog messages IDs or made some other changes to logging?

Are you sure you are not watching the log lines about PAT translations? They will have a high end port as the source/destination

They start with the "Built dynamic TCP translation from" etc.

- Jouni

0 Helpful

Go to solution
kyle.heath
Level 1
Level 1
In response to Jouni Forss

‎10-18-2012 09:11 AM

Jouni  I think you are on to something here. Yes the logging starts with the Built dynamic TCP translation from so I think I am seeing the PAT here.

Is there something that I am missing in the logging to see the NAT instead?

Kyle

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to kyle.heath

‎10-18-2012 09:42 AM

Hi,

The Syslog IDs for the log messages that have to do with forming/building TCP/UDP connections should be 302013-302016

The Syslog IDs for the log messages that have to do with forming/building translations should be 305011-305012

By default if you had only configured the logging levels like this

logging buffered informational

logging asdm informational

logging trap informational

You should always see log messages of the formed connections and translations both. I guess in alot of situations people only use "notifications" logging level that generally just shows connections that have been blocked by the firewall.

I can't think of many reasons at the moment why you wouldnt see log messages related to forming the connections if you have the above logging level set

One possiblity is that you have (or someone else) has configured the ASA so that those logging messages have been disabled. This should be verifiable by issuing the command "show run logging" and looking for commands that start with "no" parameter and include the syslog IDs I mentioned earlier.

Other thing could be that you have access-list statements in the interface access-list that have modified logging settings at the end. I guess in this it might be in some access-list rule that permits all the traffic and the logging level is set to something that is out of the range of the setting you have configured with the above "logging" commands.

I can't think of anything else at the moment

- Jouni

0 Helpful

Go to solution
kyle.heath
Level 1
Level 1
In response to Jouni Forss

‎10-19-2012 01:39 AM

Jouni

Thank you very much, it was indeed the syslog ID that were disabled, the exact range you were mentioning.  I enabled these again and I can see the logging I need.

Thank you!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card