07-15-2015 12:49 PM - edited 03-11-2019 11:16 PM
Hi Everyone,
On the Cisco ASA I see the config below:
sh logging setting
Syslog logging: enabled
Facility: 21
Timestamp logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: level critical, 7665441 messages logged
Monitor logging: disabled
Buffer logging: disabled
Trap logging: level informational, facility 21, 449604701 messages logged
Logging to server 192.168.1.50 udp/51410 errors: 13 dropped: 137573588
Need to know why ASA is dropping packets to this syslog server?
What does error mean here?
Regards
Mahesh
07-16-2015 01:14 PM
Hello Mahesh,
Can you provide the output from the following command:
show logging queue
Regards,
Jose Orozco.
07-16-2015 02:20 PM
Hi Jose,
Here is the info:
sh logging queue
        Logging Queue length limit : 1024 msg(s)
        13255392 msg(s) discarded due to queue overflow
        0 msg(s) discarded due to memory allocation failure
        Current 0 msg on queue, 512 msgs most on queue
Yesterday I changed the queue size to 1024.
Regards
Mahesh
07-16-2015 06:54 PM
Hello Mahesh,
As you can see there, the discarded logs were caused by log overflows. The firewall will store a maximum amount of logs per type per minute and drop the rest. That rate can be seen with the command:
sh running-config all logging | in rate-limit
You can modify the values. Be aware that any change you make can affect the performance of the device.
Kind regards,
Jose Orozco.
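An added example, not part of the original thread or of any Cisco tooling: a small Python check that reads the `show logging setting` and `show logging queue` text quoted above and reports where syslog messages are being lost, which is worth monitoring because every dropped message is a gap in the audit trail. The sample text is constructed from the counters in the posts; the finding names, the 90% near-limit threshold and the use of dropped divided by trap "messages logged" as a rough loss indicator are assumptions.

```python
import re

# Constructed samples: the counter lines quoted in this thread.
SETTING = """\
Trap logging: level informational, facility 21, 449604701 messages logged
Logging to server 192.168.1.50 udp/51410 errors: 13 dropped: 137573588
"""
QUEUE = """\
Logging Queue length limit : 1024 msg(s)
13255392 msg(s) discarded due to queue overflow
0 msg(s) discarded due to memory allocation failure
Current 0 msg on queue, 512 msgs most on queue
"""

def _num(pattern, text):
    m = re.search(pattern, text)
    return int(m.group(1)) if m else 0

def parse_setting(text):
    """Trap counter and per-server counters from 'show logging setting'."""
    servers = [
        {"host": h, "transport": t, "errors": int(e), "dropped": int(d)}
        for h, t, e, d in re.findall(
            r"Logging to \S+ (\S+) (\S+)\s+errors: (\d+)\s+dropped: (\d+)", text)
    ]
    return {"trap_logged": _num(r"Trap logging:.*?(\d+) messages logged", text),
            "servers": servers}

def parse_queue(text):
    """Queue limit, discard counters and high-water mark from 'show logging queue'."""
    return {
        "limit": _num(r"Queue length limit\s*:\s*(\d+)", text),
        "overflow": _num(r"(\d+) msg\(s\) discarded due to queue overflow", text),
        "alloc_fail": _num(r"(\d+) msg\(s\) discarded due to memory allocation", text),
        "high_water": _num(r"(\d+) msgs most on queue", text),
    }

def assess(setting, queue, near_full=0.9):
    """Return findings; the counters are cumulative, so compare two samples for a rate."""
    findings = []
    for s in setting["servers"]:
        if s["dropped"] and setting["trap_logged"]:
            pct = round(100.0 * s["dropped"] / setting["trap_logged"], 1)
            findings.append(("server-drops", s["host"], pct))
    if queue["overflow"]:
        findings.append(("queue-overflow", queue["overflow"]))
    if queue["alloc_fail"]:
        findings.append(("alloc-failure", queue["alloc_fail"]))
    if queue["limit"] and queue["high_water"] >= near_full * queue["limit"]:
        findings.append(("queue-near-limit", queue["high_water"], queue["limit"]))
    return findings

if __name__ == "__main__":
    for finding in assess(parse_setting(SETTING), parse_queue(QUEUE)):
        print(finding)
```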
07-17-2015 01:08 PM
Hi Jose,
I ran the command; here is the output:
sh running-config all logging | in rate-limit
logging rate-limit 1 1 message 402116
logging rate-limit 1 10 message 620002
logging rate-limit 1 10 message 717015
logging rate-limit 1 10 message 717018
logging rate-limit 1 10 message 201013
logging rate-limit 1 10 message 201012
logging rate-limit 1 10 message 419003
logging rate-limit 1 10 message 405002
logging rate-limit 1 10 message 421007
logging rate-limit 1 10 message 405001
logging rate-limit 1 10 message 421001
logging rate-limit 1 10 message 421002
logging rate-limit 1 10 message 337004
logging rate-limit 1 10 message 337005
logging rate-limit 1 10 message 337001
logging rate-limit 1 10 message 337002
logging rate-limit 1 10 message 337003
logging rate-limit 2 5 message 199011
logging rate-limit 1 10 message 199010
logging rate-limit 1 10 message 337009
logging rate-limit 2 5 message 199012
logging rate-limit 1 10 message 710002
logging rate-limit 1 10 message 209003
logging rate-limit 1 10 message 209004
logging rate-limit 1 10 message 209005
logging rate-limit 1 10 message 431002
logging rate-limit 1 10 message 431001
logging rate-limit 1 1 message 447001
logging rate-limit 1 10 message 110003
logging rate-limit 1 10 message 110002
logging rate-limit 1 10 message 216004
logging rate-limit 1 10 message 450001
 
Can you please tell me what the numbers 1, 10 and message 450001 mean here?
Regards
Mahesh
07-17-2015 03:16 PM
Hello Mahesh,
The column with the number 1 is seconds and the 10 is the amount allowed per second. The 450001 is the syslog message.
Kind regards,
Jose Orozco.
07-17-2015 03:17 PM
Error Message ASA-4-450001: Deny traffic for protocol protocol_id src interface_name : IP_address / port dst interface_name : IP_address / port, licensed host limit of num exceeded.
Explanation The licensed host limit was exceeded. This message applies to the ASA 5505 ASA only.
Recommended Action None required.
http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs1.html
03-11-2023 05:37 AM - edited 03-11-2023 05:58 AM
Hi, I have a problem. My ASA firewall doesn't send traffic to the syslog server on UDP 514. However, it seems it works on other ports because I can see the Check Point firewall showing the flow, as it is the next hop.
I increased the size to 1024 and reloaded the device; it didn't help. Just the drops disappeared. Can somebody help, please?
Here is the config:
logging enable
logging timestamp
no logging hide username
logging buffer-size 1048576
logging asdm-buffer-size 512
logging monitor informational
logging buffered debugging
logging trap informational
logging history informational
logging asdm emergencies
logging queue 1024
logging device-id hostname
logging host management x.x.x.x.
logging host management x.x.x.x.
logging debug-trace
logging flash-minimum-free 3076
logging flash-maximum-allocation 51200
----------
Logging Queue length limit : 1024 msg(s)
0 msg(s) discarded due to queue overflow
0 msg(s) discarded due to memory allocation failure
Current 0 msg on queue, 976 msgs most on queue
---------------
The capture shows the packet is being sent:
1: 14:51:12.826754 0050.56ab.21cd 0050.569c.0624 0x0800 Length: 345
ASA Firewall ip.514 > 1st syslog server.514: [udp sum ok] udp 303 (ttl 255, id 32544)
2: 14:51:12.826754 0050.56ab.21cd 0050.569c.0624 0x0800 Length: 345
ASA Firewall ip.514 > 2st syslog server.514: [udp sum ok] udp 303 (ttl 255, id 4313)
___________________
Cisco Adaptive Security Appliance Software Version 9.16(2)14
SSP Operating System Version 2.10(1.182)
Device Manager Version 7.17(1)152
REST API Agent Version 7.16.1.75