ASA syslog keeps sending to "old" syslog server and reports spoofing after changing the syslog server

netsec
Level 1

Hello,

We use multiple ASA 5500/5580 cluster systems running 8.3 software versions.

Actually we send all our FW syslog data to a SIEM appliance in a DMZ on a remote firewall (non-asa).

Recently we suffered a strange incident while implementing a new SIEM collection station now situated in a dmz that is located on one of the ASA contexts.

We redirected the syslog streams to the new client for one of the contexts on the ASA cluster that holds the new SIEM agent DMZ...

since we did this and redirected the syslog we see double traffic and spoofing errors on that context

a/ the ASA keeps sending out the syslog traffic to the OLD SIEM agent server ip (there is however no trace of its ip in the config)

b/ the traffic leaving the interconnection interface towards the OLD SIEM agent gets a SPOOFING error on the traffic

c/ strangely the data gets also correctly forwarded to the new SIEM collection stations.

We started out with redirecting traffic on only one of the 5 contexts to the new environment and kept logging the others to the old system

I finally got out of the issue by reconfiguring all the other contexts to forward their syslog towards the same new server. Since that moment we no longer have the double logging and spoofing error; all syslog traffic goes correctly to the new SIEM agent.

I still have to try and reproduce the behaviour in our LAB, but did anyone ever encounter anything like this??? It looked like some remnants of the old syslog config remained on the ASA even after deleting and introducing a new config line (we used the ASDM to execute the action).

as said either it kept the old config or it looked in the other context and "decided" to keep sending to the old server also mentioned in that syslog

I can find the behaviour in any buglists ..

Either way I'm a bit worried now. I'm not going to screw around with the setup as it is nicely operating a.t.m., I'm just anxious to know what did happen to cause this weird behaviour.

greetz,

1 Reply 1

Maykol Rojas
Cisco Employee

At the top of my head, it could have been a UDP session that got stuck there and it never went away, was never torn down by the firewall and since there is no method to acknowledge receive packets, the firewall just kept sending the messages to that station.

Did you remove the syslog entry when you changed the servers around? Something that would really have given you the clue back then would have been a show conn all command; that would show you the session up towards the server, and that way you should have been able to see that the session never was torn down, hence the firewall kept sending the messages.

Odd behavior though, but it could happen.

Let me know if you have plans to recreate this anytime soon.

Mike
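The check Mike describes, turned into a small script as an added example (not code from the thread or from Cisco): it parses constructed `show conn all` lines in the ASA 8.x layout, reads the configured `logging host` entries from a constructed config fragment, and flags any UDP connection to port 514 whose server is no longer a configured syslog host, which is exactly the stuck session to the "old" collector that this thread suspects.

```python
import re

# Constructed sample of `show conn all` output (ASA 8.x style); not taken from the thread.
# The first UDP/514 connection points at 198.51.100.20, an address no longer in the config.
SAMPLE_SHOW_CONN = """\
UDP outside 198.51.100.20:514 inside 10.10.1.1:1025, idle 0:00:01, bytes 52310, flags -
UDP dmz 192.0.2.50:514 inside 10.10.1.1:1026, idle 0:00:00, bytes 48200, flags -
TCP outside 203.0.113.7:443 inside 10.10.1.30:51022, idle 0:00:12, bytes 9120, flags UIO
"""

# Constructed running-config fragment after the change: only the new collector remains.
SAMPLE_CONFIG = """\
logging enable
logging host dmz 192.0.2.50
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<iface_a>\S+)\s+(?P<ip_a>[\d.]+):(?P<port_a>\d+)\s+"
    r"(?P<iface_b>\S+)\s+(?P<ip_b>[\d.]+):(?P<port_b>\d+),\s+idle\s+(?P<idle>[\d:]+),"
    r"\s+bytes\s+(?P<bytes>\d+)"
)
LOGGING_HOST_RE = re.compile(r"^logging host \S+ (?P<ip>[\d.]+)", re.M)


def configured_syslog_hosts(config_text):
    """Set of IPs that appear in `logging host <iface> <ip>` lines."""
    return {m.group("ip") for m in LOGGING_HOST_RE.finditer(config_text)}


def parse_conns(text):
    """Parse `show conn` lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in (CONN_RE.match(l.strip()) for l in text.splitlines()) if m]


def syslog_server_of(conn, port="514"):
    """Return whichever endpoint of the connection listens on the syslog port, else None."""
    if conn["port_a"] == port:
        return conn["ip_a"]
    if conn["port_b"] == port:
        return conn["ip_b"]
    return None


def stale_syslog_conns(show_conn_text, config_text, port="514"):
    """UDP syslog connections whose server is not a currently configured logging host."""
    hosts = configured_syslog_hosts(config_text)
    stale = []
    for c in parse_conns(show_conn_text):
        server = syslog_server_of(c, port)
        if c["proto"] == "UDP" and server and server not in hosts:
            stale.append({"server": server, "idle": c["idle"], "bytes": int(c["bytes"])})
    return stale
```

A connection reported here is a candidate for `clear conn` against that address after confirming it is the retired collector; the spoofing log noted in the thread is the symptom, this is the cause to look for.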
