
ASDM Traffic Logs

Yves Alob
Level 1

I'm fairly new to ASDM so I apologize for this noob question. I need to see what is actually passing through a specific source IP and destination IP; my goal is to identify which specific ports I'm missing on an IP ruleset. My logging is set up to "Debugging" but I can't seem to see what ports are being dropped/allowed whenever I check the Log Buffer & Real-Time Log Viewer. Do I need to set up some sort of packet trace? Need help on setting up filters please.

10 Replies

Jouni Forss
VIP Alumni

Hi,

 

I don't deal with ASDM that much but I do use it mainly for the same thing as you are trying to use it for which is to monitor live some connections/connection attempts.

 

I am not sure what the problem in this situation is. Can you confirm that you can at least see some logs on the ASDM when no filter is applied? Can you see any logs on the "Home" page's "Device Dashboard"?

 

When you are looking at the logs through the actual "Monitoring" section and open the separate logging window you should see a button called "Build Filter" which provides you with different parameters with which you can filter the logs shown in the window.

 

If the traffic is blocked by the interface ACL you can probably even search for the logs with the Syslog ID 106023.

 

You can naturally start by using destination/source IP address and see if you can get anything to show up. It might even be possible that the traffic is not even reaching this firewall?

 

- Jouni

Alright, here is the scenario. I have a request coming from a user to grant access to a CCTV system. I created an IP ruleset for this but unfortunately, the access is still not working. What I'm trying to look up is what specific ports I am missing which causes the problem. I have allowed 'IP' on the ruleset, and traffic went through, which means I'm missing some specific ports. I can see logs on the dashboard & monitoring section, but I can't seem to see what ports are being dropped and from what source & to what destination.

Hi,

 

If you are seeing the logs in the monitoring windows then you should be looking for log messages that (by default) are colored yellow. They should also mention at the end the name of the ACL that blocks the traffic. The log message in itself should show the source/destination IP addresses and ports of this blocked connection attempt.

 

You should be able to build a Filter using the IP addresses alone to catch that traffic. Perhaps use the source IP address first and narrow it down if needed.

 

- Jouni
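As an added example (not code from this thread, and not a Cisco tool), the script below does offline what the Build Filter does in ASDM: it reads ASA syslog lines, keeps only the ones between one source and one destination address, and tallies which protocol/port pairs were denied (106023 interface-ACL drops and 106100 per-ACE "denied" hits) against which were actually built (302013/302015) or "permitted" by an ACE with the log keyword. The difference is the list of ports still missing from the ruleset. The sample log lines, interface names, addresses and the ACL name inside it are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample syslog lines in ASA message format (not taken from the
# thread); interfaces, addresses and the ACL name are made up for illustration.
SAMPLE_LOGS = """\
%ASA-4-106023: Deny tcp src inside:10.1.1.5/51234 dst dmz:10.2.2.9/554 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.1.1.5/51235 dst dmz:10.2.2.9/554 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:10.1.1.5/40000 dst dmz:10.2.2.9/5000 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny icmp src inside:10.1.1.5 dst dmz:10.2.2.9 (type 8, code 0) by access-group "inside_access_in" [0x0, 0x0]
%ASA-6-106100: access-list inside_access_in denied tcp inside/10.1.1.5(51236) -> dmz/10.2.2.9(8000) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-6-302013: Built outbound TCP connection 1001 for inside:10.1.1.5/51240 (10.1.1.5/51240) to dmz:10.2.2.9/80 (10.2.2.9/80)
%ASA-6-302013: Built outbound TCP connection 1002 for inside:10.1.1.7/51241 (10.1.1.7/51241) to dmz:10.2.2.9/554 (10.2.2.9/554)
%ASA-4-106023: Deny tcp src inside:10.1.1.5/51300 dst outside:198.51.100.10/443 by access-group "inside_access_in" [0x0, 0x0]
"""

# 106023: interface-ACL deny; logged even without a "log" keyword on the ACE.
# ICMP entries carry no port, so the /port groups are optional.
DENY_106023 = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>\w+) src \S+?:(?P<src>[\d.]+)(?:/(?P<sport>\d+))?"
    r" dst \S+?:(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
)
# 106100: per-ACE hit logging (ACE with "log"); reports permitted and denied.
ACE_106100 = re.compile(
    r"%ASA-6-106100: access-list \S+ (?P<action>permitted|denied) (?P<proto>\w+)"
    r" \S+?/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> \S+?/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)
# 302013 / 302015: TCP / UDP connection built, i.e. the traffic was permitted.
BUILT_3020xx = re.compile(
    r"%ASA-6-3020(?:13|15): Built (?:inbound|outbound) (?P<proto>TCP|UDP) connection \d+"
    r" for \S+?:(?P<src>[\d.]+)/(?P<sport>\d+) \S+ to \S+?:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def _key(m):
    """(proto, dst_port) for a matched line; ICMP has no port, so None."""
    dport = m.group("dport")
    return (m["proto"].lower(), int(dport) if dport else None)


def summarize_flow(log_text, src, dst):
    """Count denied and allowed (proto, dport) pairs between src and dst."""
    denied, allowed = Counter(), Counter()
    for line in log_text.splitlines():
        m = DENY_106023.search(line)
        if m and m["src"] == src and m["dst"] == dst:
            denied[_key(m)] += 1
            continue
        m = ACE_106100.search(line)
        if m and m["src"] == src and m["dst"] == dst:
            (denied if m["action"] == "denied" else allowed)[_key(m)] += 1
            continue
        m = BUILT_3020xx.search(line)
        if m and m["src"] == src and m["dst"] == dst:
            allowed[_key(m)] += 1
    return {"denied": denied, "allowed": allowed}


def missing_ports(summary):
    """Pairs seen denied but never built/permitted: candidates for the ACL."""
    gaps = [k for k in summary["denied"] if k not in summary["allowed"]]
    return sorted(gaps, key=lambda k: (k[0], -1 if k[1] is None else k[1]))


if __name__ == "__main__":
    s = summarize_flow(SAMPLE_LOGS, "10.1.1.5", "10.2.2.9")
    for proto, port in missing_ports(s):
        shown = "(no port, icmp)" if port is None else port
        print(f"denied {s['denied'][(proto, port)]}x: {proto} port {shown}")
```

Feed it the text exported from ASDM's log viewer or the syslog server's file. Note that a deny for 10.1.1.5 to a different destination (the 198.51.100.10 line) and a connection built from a different source (10.1.1.7) are both ignored by the filter, which is exactly the narrowing Jouni suggests; if nothing at all matches, the traffic may not be reaching this firewall.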

Hello Jouni,

I can only see severity 6 & 7 logs although my logging filters are set to 'debugging'. Please see attached screenshots. I do not see the colored yellow logs, I'm sure I'm just missing something on the setup.

 

Yves

Hi,

 

You could go to the CLI (command line) or use the CLI tool on the ASDM (top menu) to insert the command

 

show run logging

 

With this we should see if you have disabled any log message IDs from showing. You are seeing debugging messages so you should also be seeing the deny messages which to my understanding are Notifications level messages (5).

 

- Jouni

Hi,

Please see show results below:

Firewall# show run logging
logging enable
logging timestamp
logging standby
logging monitor debugging
logging buffered notifications
logging trap debugging
logging asdm debugging
logging host Management 10.X.X.X
logging host Management 10.X.X.X
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020

Hi,

 

If you check my earlier messages you will see that I mentioned the Syslog ID 106023. In your above list it's disabled, so that is why the ASDM is not showing the logs. And if I remember correctly you have also disabled some logs that show when a connection is built and torn down from the ASA. The mentioned log messages are in my opinion pretty important messages to record to a Syslog server. They are great to have when a user reports a problem that might have begun several days ago or you are possibly trying to track and find a computer in your network that is causing spam and possibly blacklisting your public IPs and so on.

 

So you would have to enter this command

 

logging message 106023

 

Also all these disabled IDs are log messages that record TCP/UDP/ICMP connection forming and teardown

 

no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020


Basically it means you are not recording any connections that are formed through your firewall.

 

Also this Syslog ID is related to a situation when ASA blocks some traffic

 

no logging message 106100

 

- Jouni
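The reading Jouni does of that show run logging output by eye can be made repeatable. The script below is an added example, not code from this thread or from Cisco: it parses show run logging output, reports which deny and connection-tracking IDs are switched off with no logging message, emits the logging message commands that re-enable them, and separately flags IDs that a destination's level would filter out even when enabled. The severities are the built-in ones for these IDs from Cisco's ASA syslog message guide; the input is a constructed copy of the posted output with the syslog host addresses left masked as they were.

```python
import re

# Level names the ASA CLI accepts for "logging <destination> <level>".
SEVERITY_NAMES = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Built-in severity of the IDs suppressed in the posted config
# (from Cisco's ASA syslog message guide).
MESSAGE_SEVERITY = {
    106023: 4,  # Deny <proto> src ... dst ... by access-group (interface ACL drop)
    106100: 6,  # access-list <name> permitted|denied ... (ACE with "log" keyword)
    106015: 6,  # Deny TCP (no connection) ...
    313001: 3,  # Denied ICMP to the ASA itself
    313008: 3,  # Denied ICMPv6 to the ASA itself
    710003: 3,  # TCP/UDP access denied by ACL (to-the-box traffic)
    302013: 6, 302014: 6,  # TCP connection built / torn down
    302015: 6, 302016: 6,  # UDP connection built / torn down
    302017: 6, 302018: 6,  # GRE connection built / torn down
    302020: 6, 302021: 6,  # ICMP connection built / torn down
}

# Constructed copy of the "show run logging" output posted in the thread.
SAMPLE_SHOW_RUN = """\
logging enable
logging timestamp
logging standby
logging monitor debugging
logging buffered notifications
logging trap debugging
logging asdm debugging
logging host Management 10.X.X.X
logging host Management 10.X.X.X
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
"""


def parse_level(token):
    """Levels may be given by name or by number on the ASA CLI."""
    return int(token) if token.isdigit() else SEVERITY_NAMES[token.lower()]


def audit_logging(show_run_logging, wanted=MESSAGE_SEVERITY):
    """Which wanted IDs are disabled outright, and which IDs each
    destination's level would hide even once they are enabled."""
    suppressed, dest_levels = set(), {}
    for raw in show_run_logging.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"no logging message (\d+)", line)
        if m:
            suppressed.add(int(m.group(1)))
            continue
        m = re.fullmatch(r"logging (asdm|buffered|monitor|trap|console|mail|history) (\S+)", line)
        if m:
            dest_levels[m.group(1)] = parse_level(m.group(2))
    suppressed_wanted = sorted(i for i in suppressed if i in wanted)
    below_level = {}
    for dest, level in sorted(dest_levels.items()):
        hidden = sorted(i for i, sev in wanted.items() if sev > level)
        if hidden:
            below_level[dest] = hidden
    return {
        "suppressed": suppressed_wanted,
        "below_level": below_level,
        "fix_commands": [f"logging message {i}" for i in suppressed_wanted],
    }


if __name__ == "__main__":
    report = audit_logging(SAMPLE_SHOW_RUN)
    print("\n".join(report["fix_commands"]))
    for dest, ids in report["below_level"].items():
        print(f"{dest}: level too low for {ids}")
```

On the posted config the second report line matters as much as the first: the buffer runs at notifications (5), so even after logging message 106023 the Log Buffer will show that warning-level deny but never the informational 302013/302014 built and teardown messages; those only reach the asdm, monitor and trap destinations, which are at debugging. Re-enable the connection messages deliberately, since they are high-volume, and keep them going to the syslog server as Jouni recommends.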

 

Jouni,

 

Thanks for your help! I am now able to see notification logs & build a filter. Appreciate your inputs.

 

Regards,

Yves

Hi,

 

Glad to hear all is working now. :)

 

Please do remember to rate any helpful answers or mark a reply as the correct answer if it answered your question.

 

- Jouni

Hi

Your reply guided me where to look but the interface is slightly different in ASDM Version 7.6(1), ASA Version 9.6(2)3.

And the Real Time log viewer is located under

Monitoring ->Logging ->Real-Time Log Viewer 

I set the logging level to Informational because debugging could be overwhelming.
