ASA Real-Time Logging Viewer -> not seeing ICMP from ACL

Rene Mueller (Level 5)

Hi,

I have a ASA 5520 running with ASA Version 8.4(7).

I am working with real-time logging viewer and there is a situation i don't understand.

I set up an ACL which denies ICMP and HTTPS traffic from an internal client to a destination client in the DMZ. I also enabled logging for this ACL (logging warning). I also set the ASDM logging filter to debugging. In the end, if I start real-time logging, I can't see anything from my internal client, which has a permanent ping running to my DMZ client.

 

There is also IPS for ICMP enabled in the default service policy rule; I don't know whether this matters.

 

Hope someone can help me out.

 

Thanks

Rene

 


4 Replies

Jouni Forss (VIP Alumni), accepted solution

Hi,

 

I guess the first thing I would have a look at is the complete "logging" configuration.

You could issue the following command on the CLI to show that configuration:

show run logging

I would then look if there are any configuration lines that disable certain syslog IDs (commands that start with "no"). Typically I have seen people disable the connection Built and Teardown messages, but I would imagine that the ACL deny messages are also high-volume messages, so maybe they have been disabled at some point.

If there are no disabled syslog message IDs, then I would probably confirm that the client is configured correctly and has all other normal connectivity: that its connections reach the firewall when it is connecting to the Internet, for example.

I would also make sure that there is no other device between the client and the firewall before the DMZ that could be blocking the connectivity.

If there is nothing in between that could block the connection, you could naturally go through the routing tables of the devices in between to make sure that the destination subnet is not routed somewhere else (for some reason).

 

Hope this helps :)

 

- Jouni

Hi Jouni,

 

This is the output of sh run logging:

 

logging enable
logging timestamp
logging buffer-size 20480
logging asdm-buffer-size 200
logging monitor errors
logging buffered warnings
logging trap alerts
logging asdm warnings
logging mail critical
logging from-address xxx
logging recipient-address xxx level alerts
logging host Intern 1.2.3.4
logging permit-hostdown
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
 

I don't know what all these message IDs are.

 

I am just pinging from an internal client to a client in the DMZ. Whenever I disable the ACL on the ASA, the ping is working, so it seems that there is no problem in between.

 

Regards

Rene

 

Jouni Forss (VIP Alumni), accepted solution

Hi,

 

These commands disable the ASA sending/generating log messages of an ACL permitting or denying traffic:

 

no logging message 106100
no logging message 106023

 

So you would need to issue:

 

logging message 106100
logging message 106023

 

There are also some other Syslog IDs disabled that contain valuable information in some troubleshooting cases.

 

These commands disable logging of messages that tell of a TCP connection being built or torn down from the ASA:

 

no logging message 302014
no logging message 302013

 

These commands disable logging of messages that tell of a UDP connection being built or torn down from the ASA:

 

no logging message 302015
no logging message 302016

 

These commands disable logging of messages that tell of an ICMP connection being built or torn down from the ASA:

 

no logging message 302020
no logging message 302021

 

These commands disable logging of messages that tell of a GRE connection being built or torn down from the ASA:

 

no logging message 302017
no logging message 302018

 

The below command disables logging of a message that might indicate either an asymmetric routing problem or a problem with a connection that has timed out on the ASA before the connection is used again (software/application that very rarely sends data but tries to use an old connection that the ASA has already torn down):

 

no logging message 106015

 

The below commands seem to disable logging for denied IPv4 and IPv6 ICMP traffic that is destined to one of your ASA interfaces:

 

no logging message 313001
no logging message 313008

 

The below command seems to disable logging of denied TCP/UDP connections destined to one of your ASA's interfaces:

 

no logging message 710003

 

 

You can re-enable any of the above Syslog IDs just by issuing the above commands without the "no" in front of them.

 

You can refer to the following site if you want to check the information specific to the different syslog IDs:

 

http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs.html

 

As you can see from my listing above, there are multiple syslog IDs disabled that generate important information through (and to) your ASA firewall. Naturally, if the environment is large and the logging levels for the different logging destinations are configured to specific levels, this might generate a very large amount of logs. I prefer to keep the devices I manage logging pretty much all of the above information, as it helps with troubleshooting.

 

Hope this helps :)

 

- Jouni
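One way to automate the check Jouni describes, run against output like the one Rene posted (an added example, not code from either poster or from Cisco; the message descriptions are the thread's own, and the sample configuration is a constructed abridgement of the output above):

```python
# Added example (not code from the thread or from Cisco): audit an ASA
# "show run logging" dump for the "no logging message <id>" lines Jouni
# describes above and emit the commands that turn those IDs back on.
import re

# Syslog IDs and their meaning, as walked through in the thread above.
MESSAGE_IDS = {
    "106100": "ACL permit/deny (per-ACE logging)",
    "106023": "ACL deny",
    "302013": "TCP connection built", "302014": "TCP connection teardown",
    "302015": "UDP connection built", "302016": "UDP connection teardown",
    "302017": "GRE connection built", "302018": "GRE connection teardown",
    "302020": "ICMP connection built", "302021": "ICMP connection teardown",
    "106015": "possible asymmetric routing or already-torn-down connection",
    "313001": "ICMP to an ASA interface denied",
    "313008": "ICMPv6 to an ASA interface denied",
    "710003": "TCP/UDP to an ASA interface denied",
}
ACL_IDS = ("106100", "106023")  # must be on for ACL hits to reach the viewer

NO_MSG_RE = re.compile(r"^\s*no\s+logging\s+message\s+(\d+)\s*$")

def disabled_message_ids(config_text):
    """Syslog IDs switched off by 'no logging message <id>' lines, in order."""
    return [m.group(1) for m in map(NO_MSG_RE.match, config_text.splitlines()) if m]

def audit(config_text):
    """Map each disabled ID to the thread's description (or a note if unknown)."""
    return {i: MESSAGE_IDS.get(i, "not covered in this thread")
            for i in disabled_message_ids(config_text)}

def reenable_commands(config_text, wanted=ACL_IDS):
    """Commands (the 'no' lines without the 'no') for wanted IDs the config disabled."""
    disabled = set(disabled_message_ids(config_text))
    return [f"logging message {i}" for i in wanted if i in disabled]

# Constructed sample, abridged from the output Rene posted above.
SAMPLE_CONFIG = """\
logging enable
logging asdm warnings
no logging message 106015
no logging message 106023
no logging message 106100
"""

if __name__ == "__main__":
    for msg_id, meaning in audit(SAMPLE_CONFIG).items():
        print(f"disabled {msg_id}: {meaning}")
    print("\n".join(reenable_commands(SAMPLE_CONFIG)))
```

Feed it the full `show run logging` output to get the complete list of disabled IDs; pass a different `wanted` tuple to generate re-enable commands for the connection Built/Teardown messages as well.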

Hi,

Actually, you have all these syslog IDs disabled on the ASA device, and that is the reason why you don't see any logs.

Importantly, 106100, 106023, etc.

You must have NetFlow configured; that is the reason why these syslog IDs have been disabled.

Use this command to re-enable them:

logging flow-export-syslogs enable

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/l2.html#pgfId-1798165

Thanks and Regards,

Vibhor Amrodia
