asa log

suthomas1
Level 6

Hi,

A few questions on ASA:

1. One of the ASAs has logging enabled for warning & informational messages.

   logging enable

logging buffered warnings

logging asdm informational

When the ASDM logs are viewed, they show normal teardown etc. for traffic, but sh log gives a lot of different logs; below is one of them:

  %ASA-2-106001: Inbound TCP connection denied from 45.34.115.88/3160 to 202.88.179.15/445 flags SYN  on interface outside

Why are these logs appearing separately, & is this the correct way of syslog configuration?

2. The diagram is:

  remote branch - internet - asa - 3845 router - local office

   The remote branch needs data from the local office and vice versa; this is done with IPsec, which is between the remote branch & the router. The plan is to shift this from the router to the ASA, i.e. remote branch to ASA will have the IPsec points & users on both sides will use it for data.

On the router, we feel that IPsec is using a large amount of bandwidth from our internet (5M); the router to local office link has 4M capacity. I know the ASA can be used for the police function.

Will it be a good solution if a set bandwidth of 1M is put on the ASA for it?

Thanks in advance.

1 Accepted Solution

There is no correct way of logging. It is how much information you like to see, which is entirely up to the requirement. These do not have to be the same.

We suggest not sending debug level logs to the console as it is at 9600 bps. As far as monitor, buffer, trap and ASDM are concerned, you can change them to any level.

When we troubleshoot from command line we usually crank up the buffer log to debug

conf t

logging on

logging buffered 7

exit

People also use ftp server to send the buffer-wrap to and also send certain messages or range of messages via e-mail.

Technically you can have

logging on

logging buffered 7

logging console 1

logging monitor 2

logging trap 6

logging host inside 1.1.1.1

logging asdm 5

You can check the command ref. here: http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/l2.html#wp1772754

2. Yes you can configure policing and prioritizing. Pls. refer this QoS link: https://supportforums.cisco.com/docs/DOC-1230

That has step by step instructions.

-KS


7 Replies

padatta
Level 1

1. The level of logging is different for ASDM and buffer. That is why the logging outputs in ASDM and buffer (sho log) will not be the same. One will be a 'subset' of the other.

2. This would depend entirely on your requirement. E.g., if most traffic is through IPsec then more BW should be reserved for this traffic.

HTH

Paps
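To make the subset relationship described above concrete (the buffer at warnings sees only severities 0 to 4, ASDM at informational sees 0 to 6, so %ASA-2-106001 lands in both while a severity-6 teardown lands only in ASDM), here is an added Python example. It is not code from this thread or from Cisco: it parses the %ASA-<severity>-<id> prefix of a syslog line and reports which of the two destinations configured in the question would show each message. The denied-connection line is the one quoted in the question; the severity-6 teardown line, its connection number and its addresses are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Union

# ASA syslog severity keywords and their numeric levels, as accepted by
# "logging buffered <level>", "logging asdm <level>" and friends.
SEVERITY_NAMES = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Destination levels as configured in the question:
#   logging buffered warnings
#   logging asdm informational
LOGGING_CONFIG = {"buffered": "warnings", "asdm": "informational"}

# Shape of an ASA message: %ASA-<severity>-<six-digit message id>: <text>
MSG_RE = re.compile(r"^%ASA-(?P<sev>[0-7])-(?P<id>\d{6}):\s*(?P<text>.*)$")


@dataclass
class AsaMessage:
    severity: int
    msg_id: str
    text: str


def parse_message(line: str) -> AsaMessage:
    """Split an ASA syslog line into severity, message id and text."""
    m = MSG_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an ASA syslog line: {line!r}")
    return AsaMessage(int(m.group("sev")), m.group("id"), m.group("text"))


def level_value(level: Union[int, str]) -> int:
    """Accept either the numeric form ("7") or the keyword form ("warnings")."""
    text = str(level).strip().lower()
    return int(text) if text.isdigit() else SEVERITY_NAMES[text]


def destinations_for(msg: AsaMessage, config: Dict[str, str] = LOGGING_CONFIG) -> List[str]:
    """Destinations whose configured level admits this message.

    A destination set to level N receives every message of severity 0..N,
    so a lower-level destination always sees a subset of a higher one.
    """
    return sorted(d for d, lvl in config.items() if msg.severity <= level_value(lvl))


def split_by_destination(lines: List[str], config: Dict[str, str] = LOGGING_CONFIG) -> Dict[str, List[str]]:
    """Message ids each destination would show for a batch of syslog lines."""
    result: Dict[str, List[str]] = {d: [] for d in config}
    for line in lines:
        msg = parse_message(line)
        for dest in destinations_for(msg, config):
            result[dest].append(msg.msg_id)
    return result


# Constructed sample: the denied-connection line from the question plus a
# made-up severity-6 teardown line using documentation-range addresses.
SAMPLE_LINES = [
    "%ASA-2-106001: Inbound TCP connection denied from 45.34.115.88/3160 "
    "to 202.88.179.15/445 flags SYN  on interface outside",
    "%ASA-6-302014: Teardown TCP connection 4711 for outside:198.51.100.7/443 "
    "to inside:192.168.100.2/51000 duration 0:00:05 bytes 1234 TCP FINs",
]

if __name__ == "__main__":
    for dest, ids in split_by_destination(SAMPLE_LINES).items():
        print(f"{dest:9s} (level {level_value(LOGGING_CONFIG[dest])}): {ids}")
```

Running it shows the buffer (level 4) listing only 106001 while ASDM (level 6) lists both 106001 and 302014, which is exactly the difference between sh log and the ASDM log viewer that the question describes; raising the buffer to informational, or lowering ASDM to warnings, would make the two lists identical.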

1. What should be the correct logging level for both to be the same, or so as not to have 2 different log outputs & only 1 common log?

2. Oracle TCP traffic between 2 hosts on both sites will be the major use on this IPsec. Either can initiate the connection.

Please help.

Thanks


suthomas1
Level 6

Thanks KS. Lastly, on the QoS part, when the policy is put on outside, does it police for both inbound & outbound?

Can I put an ACL like:

   acl oracle line 1 extended permit tcp host 192.168.100.2 host 192.168.200.5 eq 1445

   acl oracle line 2 extended permit tcp host 192.168.200.5 host 192.168.100.2 eq 1445

and then apply this to a class for a limit on traffic both ways.

Thanks.

No. The ACL is just the interesting traffic that you want policed. Police input and/or police output should be used.

The input keyword enables policing of traffic flowing in the input direction.

The output keyword enables policing of traffic flowing in the output direction.

You can refer to this link (step 3): http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_qos.html#wp1071334

-KS

So if the traffic flows from the remote site to the local site & vice versa

( remote branch - internet - asa - 3845 router - local office )

it would be more proper to apply it outbound on the outside of the ASA. Please correct if otherwise.

Thanks

Correct. I agree.

Policy outside - would be appropriate.

-KS
