
ASA logging to syslog server shows errors and drops

mahesh18
Level 6

 

Hi Everyone,

 

On the Cisco ASA I see the config below:

sh logging setting
Syslog logging: enabled
    Facility: 21
    Timestamp logging: enabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: level critical, 7665441 messages logged
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: level informational, facility 21, 449604701 messages logged
Logging to server 192.168.1.50 udp/51410 errors: 13  dropped: 137573588

Need to know why ASA is dropping packets to this syslog server?

What does error mean here?

 

Regards

Mahesh

 


joseoroz
Cisco Employee

Hello Mahesh,

Can you provide the output from the following command:

show logging queue

 

Regards,

Jose Orozco.

 

Hi Jose,

 

Here is the info:

sh logging queue

        Logging Queue length limit : 1024 msg(s)
        13255392 msg(s) discarded due to queue overflow
        0 msg(s) discarded due to memory allocation failure
        Current 0 msg on queue, 512 msgs most on queue

 

Yesterday I changed the queue size to 1024.

Regards

Mahesh

Hello Mahesh,

As you can see there, the discarded logs were caused by log overflows. The firewall will store a maximum amount of logs per type per minute and drop the rest. That rate can be seen with the command:

sh running-config all logging | in rate-limit

You can modify the values. Be aware that any change that you make can affect the performance of the device.

Kind regards,

Jose Orozco.
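
Added example (not part of any post in this thread, and not Cisco code): a short Python check that reads the counters from the "sh logging setting" and "sh logging queue" outputs posted above and reports how much log visibility was lost. The counter labels, the 1% threshold and the reading of dropped/logged as a loss ratio are assumptions of this example.

```python
import re

# Lines copied from the outputs posted in this thread.
SHOW_LOGGING = """\
Trap logging: level informational, facility 21, 449604701 messages logged
Logging to server 192.168.1.50 udp/51410 errors: 13  dropped: 137573588
"""
SHOW_QUEUE = """\
Logging Queue length limit : 1024 msg(s)
13255392 msg(s) discarded due to queue overflow
0 msg(s) discarded due to memory allocation failure
Current 0 msg on queue, 512 msgs most on queue
"""

# Counter names are labels chosen for this example, not ASA terms.
PATTERNS = {
    "trap_logged": r"Trap logging: .*?(\d+) messages logged",
    "send_errors": r"Logging to .*?errors:\s*(\d+)",
    "host_dropped": r"Logging to .*?dropped:\s*(\d+)",
    "queue_limit": r"Queue length limit\s*:\s*(\d+)",
    "overflow": r"(\d+) msg\(s\) discarded due to queue overflow",
    "alloc_fail": r"(\d+) msg\(s\) discarded due to memory allocation failure",
    "queue_peak": r"(\d+) msgs most on queue",
}

def parse_counters(text):
    """Return every counter found in the pasted CLI output as an int."""
    hits = ((name, re.search(p, text)) for name, p in PATTERNS.items())
    return {name: int(m.group(1)) for name, m in hits if m}

def assess(c, max_drop_ratio=0.01):
    """Turn raw counters into findings about lost log visibility."""
    findings = []
    logged, dropped = c.get("trap_logged", 0), c.get("host_dropped", 0)
    # Assumption: the trap counter is the number of messages generated for
    # syslog hosts, so dropped/logged approximates the share never delivered.
    if logged and dropped / logged > max_drop_ratio:
        findings.append(f"syslog host missed {dropped / logged:.1%} of trap messages")
    if c.get("overflow", 0):
        findings.append(f"{c['overflow']} messages discarded by queue overflow")
        peak, limit = c.get("queue_peak", 0), c.get("queue_limit", 0)
        if peak < limit:  # overflow cannot occur below the limit now in force
            findings.append(f"peak {peak} < limit {limit}: counters predate "
                            "the current limit or a counter reset")
    if c.get("alloc_fail", 0):
        findings.append("messages discarded by memory allocation failure")
    return findings

if __name__ == "__main__":
    print("\n".join(assess(parse_counters(SHOW_LOGGING + SHOW_QUEUE))))
```

Run against fresh output after any queue or rate-limit change, since the counters shown here are cumulative.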

 

 

 

 

Hi Jose,

 

I ran the command; here is the output:

 

sh running-config all logging | in rate-limit
logging rate-limit 1 1 message 402116
logging rate-limit 1 10 message 620002
logging rate-limit 1 10 message 717015
logging rate-limit 1 10 message 717018
logging rate-limit 1 10 message 201013
logging rate-limit 1 10 message 201012
logging rate-limit 1 10 message 419003
logging rate-limit 1 10 message 405002
logging rate-limit 1 10 message 421007
logging rate-limit 1 10 message 405001
logging rate-limit 1 10 message 421001
logging rate-limit 1 10 message 421002
logging rate-limit 1 10 message 337004
logging rate-limit 1 10 message 337005
logging rate-limit 1 10 message 337001
logging rate-limit 1 10 message 337002
logging rate-limit 1 10 message 337003
logging rate-limit 2 5 message 199011
logging rate-limit 1 10 message 199010
logging rate-limit 1 10 message 337009
logging rate-limit 2 5 message 199012
logging rate-limit 1 10 message 710002
logging rate-limit 1 10 message 209003
logging rate-limit 1 10 message 209004
logging rate-limit 1 10 message 209005
logging rate-limit 1 10 message 431002
logging rate-limit 1 10 message 431001
logging rate-limit 1 1 message 447001
logging rate-limit 1 10 message 110003
logging rate-limit 1 10 message 110002
logging rate-limit 1 10 message 216004
logging rate-limit 1 10 message 450001
 

Can you please tell me what the numbers 1, 10 and message 450001 mean here?

 

Regards

Mahesh

Hello Mahesh,

The column with the number 1 is seconds and the 10 is the amount allowed per second. The 450001 is the syslog message.

Kind regards,

Jose Orozco.

450001

Error Message ASA-4-450001: Deny traffic for protocol protocol_id src interface_name : IP_address / port dst interface_name : IP_address / port, licensed host limit of num exceeded.

Explanation The licensed host limit was exceeded. This message applies to the ASA 5505 ASA only.

  • protocol_id —The protocol ID number
  • interface_name —The interface associated with the sender or receiver of the packet
  • IP_address —The IP address of the sender/receiver of the packet
  • port —The port number of the packet transmitted
  • num —The maximum host limit value

Recommended Action None required.

 

http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs1.html

Mehrzad Sharifi
Level 1

Hi, I have a problem. My ASA firewall doesn't send traffic to the syslog server for UDP 514. However, it seems it works on other ports, because I can see the Checkpoint firewall showing the flow, as it is the next hop.
I increased the size to 1024 and reloaded the device; it didn't help. Just the drops disappeared. Can somebody help, please?
Here is the config:
logging enable
logging timestamp
no logging hide username
logging buffer-size 1048576
logging asdm-buffer-size 512
logging monitor informational
logging buffered debugging
logging trap informational
logging history informational
logging asdm emergencies
logging queue 1024
logging device-id hostname
logging host management x.x.x.x.
logging host management x.x.x.x.
logging debug-trace
logging flash-minimum-free 3076
logging flash-maximum-allocation 51200

----------

Logging Queue length limit : 1024 msg(s)
0 msg(s) discarded due to queue overflow
0 msg(s) discarded due to memory allocation failure
Current 0 msg on queue, 976 msgs most on queue
---------------
The capture shows the packet is being sent:
1: 14:51:12.826754 0050.56ab.21cd 0050.569c.0624 0x0800 Length: 345
ASA Firewall ip.514 > 1st syslog server.514: [udp sum ok] udp 303 (ttl 255, id 32544)
2: 14:51:12.826754 0050.56ab.21cd 0050.569c.0624 0x0800 Length: 345
ASA Firewall ip.514 > 2st syslog server.514: [udp sum ok] udp 303 (ttl 255, id 4313)

___________________
Cisco Adaptive Security Appliance Software Version 9.16(2)14
SSP Operating System Version 2.10(1.182)
Device Manager Version 7.17(1)152
REST API Agent Version 7.16.1.75

