03-02-2015 06:18 AM - edited 03-11-2019 10:34 PM
Hi,
I have an ASA 5520 running ASA Version 8.4(7).
I am working with the real-time logging viewer and there is a situation I don't understand.
I set up an ACL which denies ICMP and HTTPS traffic from an internal client to a destination client in the DMZ. I also enabled logging for this ACL (logging warning). I also set the ASDM logging filter to debugging. In the end, if I start real-time logging, I can't see anything from my internal client, which has a permanent ping running to my DMZ client.
There is also IPS for ICMP enabled in the default service policy rule; I don't know if this matters.
Hope someone can help me out.
Thanks
Rene
03-02-2015 11:59 PM
Hi,
I guess the first thing I would have a look at is the complete "logging" configuration
You could issue the following command on the CLI to show that configuration
show run logging
I would then look if there are any configuration lines that disable certain syslog IDs (commands that start with "no"). Typically I have seen people disable the connection Built and Teardown messages, but I would imagine that the ACL deny messages are also high-volume messages, so maybe they have been disabled at some point.
If there are no disabled syslog message IDs then I would probably confirm that the client is configured correctly and has all other normal connectivity, i.e. that its connections reach the firewall when it is connecting to the Internet, for example.
I would also make sure that there is no other device between the Client and the firewall before the DMZ that could be blocking the connectivity.
If there is nothing in between that could block the connection, you could naturally go through the routing tables of the devices in between to make sure that the destination subnet is not routed somewhere else (for some reason).
Hope this helps :)
- Jouni
03-03-2015 02:54 AM
Hi,
These commands disable the ASA sending/generating log messages of an ACL permitting or denying traffic
no logging message 106100
no logging message 106023
So you would need to issue
logging message 106100
logging message 106023
There are also some other Syslog IDs disabled that contain valuable information in some troubleshooting cases.
These commands disable logging of messages that tell of a TCP connection being Built or Teardown from the ASA
no logging message 302014
no logging message 302013
These commands disable logging of messages that tell of a UDP connection being Built or Teardown from the ASA
no logging message 302015
no logging message 302016
These commands disable logging of messages that tell of an ICMP connection being Built or Teardown from the ASA
no logging message 302020
no logging message 302021
These commands disable logging of messages that tell of a GRE connection being Built or Teardown from the ASA
no logging message 302017
no logging message 302018
The below command disables logging of a message that might indicate either an asymmetric routing problem or a problem with a connection that is timed out from the ASA before the connection is used again (software/application that very rarely sends data but tries to use an old connection that the ASA has already torn down)
no logging message 106015
The below commands seem to disable logging for denied IPv4 and IPv6 ICMP traffic that is destined to one of your ASA interfaces
no logging message 313001
no logging message 313008
The below command seems to disable logging of denied TCP/UDP connections destined to one of your ASA's interfaces
no logging message 710003
You can re-enable any of the above Syslog IDs just by issuing the above commands without the "no" in front of them.
You can refer to the following site if you want to check different Syslog IDs specific information
http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs.html
As you can see from my above listing there are multiple syslog IDs disabled that generate important information through (and to) your ASA firewall. Naturally, if the environment is large and logging levels for different logging destinations are configured to specific levels, this might generate a very large amount of logs. I prefer to keep the devices I manage logging pretty much all of the above information, as it helps with troubleshooting.
Hope this helps :)
- Jouni
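The check described in this answer (read `show run logging`, spot the `no logging message <id>` lines, re-enable the ones that matter) can be scripted against a saved configuration dump. The following is an added example, not code from this thread or from Cisco: it parses the text of `show run logging`, reports which of the message IDs discussed above are suppressed, shows the per-destination severity levels, and prints the `logging message <id>` commands that re-enable them. The short ID descriptions in the table are paraphrased from this answer, and the sample input is the poster's own `sh run logging` output from this thread; nothing here talks to a live ASA.

```python
"""Audit an ASA 'show run logging' dump for suppressed syslog message IDs.

Added example (not from the thread or Cisco). Parses `show run logging`
text, lists suppressed IDs with a short description, and emits the
commands that re-enable them.
"""
import re

# Syslog IDs discussed in the answer above, with paraphrased descriptions.
MESSAGE_IDS = {
    106100: "ACL permit/deny (ACE with 'log' keyword)",
    106023: "ACL deny",
    302013: "TCP connection built",
    302014: "TCP connection teardown",
    302015: "UDP connection built",
    302016: "UDP connection teardown",
    302020: "ICMP connection built",
    302021: "ICMP connection teardown",
    302017: "GRE connection built",
    302018: "GRE connection teardown",
    106015: "TCP packet with no connection (asymmetric routing / stale connection)",
    313001: "ICMP to an ASA interface denied (IPv4)",
    313008: "ICMP to an ASA interface denied (IPv6)",
    710003: "TCP/UDP to an ASA interface denied",
}
# The two IDs whose suppression explains the poster's symptom (no ACL denies).
ACL_IDS = (106023, 106100)

NO_MESSAGE_RE = re.compile(r"^\s*no\s+logging\s+message\s+(\d+)\s*$")
DEST_LEVEL_RE = re.compile(r"^\s*logging\s+(asdm|buffered|monitor|trap|mail)\s+(\S+)\s*$")

# Sample input: the 'sh run logging' output posted in this thread
# (addresses were already masked by the poster).
SAMPLE_CONFIG = """\
logging enable
logging timestamp
logging buffer-size 20480
logging asdm-buffer-size 200
logging monitor errors
logging buffered warnings
logging trap alerts
logging asdm warnings
logging mail critical
logging from-address xxx
logging recipient-address xxx level alerts
logging host Intern 1.2.3.4
logging permit-hostdown
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
"""

def disabled_message_ids(config_text):
    """Return the set of syslog IDs suppressed with 'no logging message <id>'."""
    ids = set()
    for line in config_text.splitlines():
        m = NO_MESSAGE_RE.match(line)
        if m:
            ids.add(int(m.group(1)))
    return ids

def destination_levels(config_text):
    """Map each logging destination (asdm, buffered, ...) to its configured severity."""
    levels = {}
    for line in config_text.splitlines():
        m = DEST_LEVEL_RE.match(line)
        if m:
            levels[m.group(1)] = m.group(2)
    return levels

def reenable_commands(config_text, only=None):
    """Commands that re-enable suppressed IDs: all of them, or only those in `only`."""
    wanted = disabled_message_ids(config_text)
    if only is not None:
        wanted &= set(only)
    return ["logging message %d" % i for i in sorted(wanted)]

def audit(config_text):
    """One finding per suppressed ID; IDs not in the table are still reported."""
    findings = []
    for msg_id in sorted(disabled_message_ids(config_text)):
        desc = MESSAGE_IDS.get(msg_id, "not in the table above; look it up in the syslog guide")
        findings.append("%d suppressed: %s" % (msg_id, desc))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
    print("destination levels:", destination_levels(SAMPLE_CONFIG))
    print("to see ACL denies again, enter:")
    for cmd in reenable_commands(SAMPLE_CONFIG, only=ACL_IDS):
        print("  " + cmd)
```

Run it on the saved output of `show run logging` instead of the embedded sample to get the same report for your own device. The destination levels are printed alongside because a suppressed ID is not the only way a message can vanish: the ACE's log level also has to be at or above the level configured for the destination you are watching (here `logging asdm warnings` matches the `logging warning` on the ACE, so the suppressed 106100/106023 are the cause).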
03-03-2015 12:58 AM
Hi Jouni,
this is the output of sh run logging:
logging enable
logging timestamp
logging buffer-size 20480
logging asdm-buffer-size 200
logging monitor errors
logging buffered warnings
logging trap alerts
logging asdm warnings
logging mail critical
logging from-address xxx
logging recipient-address xxx level alerts
logging host Intern 1.2.3.4
logging permit-hostdown
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
I don't know what all these message IDs are.
I am just pinging from an internal client to a client in the DMZ. Whenever I disable the ACL on the ASA, ping is working, so it seems that there is no problem in between.
Regards
Rene
03-03-2015 02:57 AM
Hi,
Actually, you have all the syslog IDs disabled on the ASA device, and that is the reason why you don't see any logs.
Importantly, 106100, 106023, etc.
You must have NetFlow configured; that is the reason why these syslog IDs have been disabled.
Use this command to re-enable them:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/l2.html#pgfId-1798165
Thanks and Regards,
Vibhor Amrodia