Cisco ASA 5510 logging ACL denies without "log" keyword with WARNING severity

Sam Brynes
Beginner

I've enabled logging (logging enable) on our Cisco ASA 5510. I have an ACL on our outside interface. I see many deny log entries with a warning (level 4) severity, but I don't have the "log" keyword enabled on any of the ACL entries in the referenced ACL. Does anyone know where the warning (level 4) denies are coming from, and how I can stop them?

ASA5510(config)# sh run all | i logging
logging enable
logging timestamp
logging hide username
logging buffer-size 1048576
logging asdm-buffer-size 100
logging monitor notifications
logging buffered notifications
logging flash-minimum-free 3076
logging flash-maximum-allocation 1024
logging rate-limit 1 10 message 747001
logging rate-limit 1 1 message 402116
logging rate-limit 1 10 message 620002
logging rate-limit 1 10 message 717015
logging rate-limit 1 10 message 717018
logging rate-limit 1 10 message 201013
logging rate-limit 1 10 message 201012
logging rate-limit 1 1 message 313009
logging rate-limit 100 1 message 750003
logging rate-limit 100 1 message 750002
logging rate-limit 100 1 message 750004
logging rate-limit 1 10 message 419003
logging rate-limit 1 10 message 405002
logging rate-limit 1 10 message 405003
logging rate-limit 1 10 message 421007
logging rate-limit 1 10 message 405001
logging rate-limit 1 10 message 421001
logging rate-limit 1 10 message 421002
logging rate-limit 1 10 message 337004
logging rate-limit 1 10 message 337005
logging rate-limit 1 10 message 337001
logging rate-limit 1 10 message 337002
logging rate-limit 1 60 message 199020
logging rate-limit 1 10 message 337003
logging rate-limit 2 5 message 199011
logging rate-limit 1 10 message 199010
logging rate-limit 1 10 message 337009
logging rate-limit 2 5 message 199012
logging rate-limit 1 10 message 710002
logging rate-limit 1 10 message 209003
logging rate-limit 1 10 message 209004
logging rate-limit 1 10 message 209005
logging rate-limit 1 10 message 431002
logging rate-limit 1 10 message 431001
logging rate-limit 1 1 message 447001
logging rate-limit 1 10 message 110003
logging rate-limit 1 10 message 110002
logging rate-limit 1 10 message 429007
logging rate-limit 1 10 message 216004
logging rate-limit 1 10 message 450001
ASA5510(config)#
ASA5510(config)#sh logging
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Hide Username logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: level notifications, 891 messages logged
Buffer logging: level notifications, 884 messages logged
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
ASA5510(config)#


Deny examples:

Apr 05 2020 23:25:15: %ASA-4-106023: Deny udp src outside:168.232.213.153/21592 dst inside:172.18.0.4/10682 by access-group "ACL-OUTSIDE-IN" [0xe63c7008, 0x0]
Apr 05 2020 23:25:16: %ASA-4-106023: Deny udp src outside:178.198.131.51/40837 dst inside:172.18.0.4/10682 by access-group "ACL-OUTSIDE-IN" [0xe63c7008, 0x0]
Apr 05 2020 23:25:19: %ASA-4-106023: Deny udp src outside:178.198.131.51/40837 dst inside:172.18.0.4/10682 by access-group "ACL-OUTSIDE-IN" [0xe63c7008, 0x0]

Our ACL:

ASA5510(config)# sh access-list ACL-OUTSIDE-IN
access-list ACL-OUTSIDE-IN; 11 elements; name hash: 0x4c51d238
access-list ACL-OUTSIDE-IN line 1 extended deny ip 10.0.0.0 255.0.0.0 any (hitcnt=15) 0x048a140c
access-list ACL-OUTSIDE-IN line 2 extended deny ip 172.16.0.0 255.240.0.0 any (hitcnt=109) 0xd408f2c1
access-list ACL-OUTSIDE-IN line 3 extended deny ip 192.168.0.0 255.255.0.0 any (hitcnt=0) 0x783f94e3
access-list ACL-OUTSIDE-IN line 4 extended deny ip 224.0.0.0 224.0.0.0 any (hitcnt=0) 0x9a833009
access-list ACL-OUTSIDE-IN line 6 extended permit icmp any any unreachable (hitcnt=100583) 0x6aeef44e
access-list ACL-OUTSIDE-IN line 7 extended permit icmp any any time-exceeded (hitcnt=6983) 0x4242299f
access-list ACL-OUTSIDE-IN line 8 extended deny icmp any any (hitcnt=0) 0x43e8b911
access-list ACL-OUTSIDE-IN line 9 extended deny udp any any (hitcnt=658) 0xe63c7008
access-list ACL-OUTSIDE-IN line 10 extended deny tcp any any (hitcnt=232) 0x783583f8
access-list ACL-OUTSIDE-IN line 11 extended deny ip any any (hitcnt=0) 0x320f194c
ASA5510(config)#

1 ACCEPTED SOLUTION

Accepted Solutions

Cristian Matei
Collaborator

Hi,

The ASA firewall, by default, logs anytime there is an ACE match in your ACL for a new flow, with or without the "log" keyword being configured. If you don't specify the log keyword you get a "106023" system message, if you do specify the log keyword you get a "106100" system message. If you don't want the ASA to log at all, configure the ACE with the "log disable" option. Like for example:

access-list ACL-OUTSIDE-IN line 9 extended deny udp any any log disable

Regards,

Cristian Matei.
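The hash in the square brackets of each %ASA-4-106023 line is the same value printed at the end of the matching line in "show access-list" (0xe63c7008 is line 9, "deny udp any any", in the ACL above), so the noisy ACE can be identified before deciding where to put "log disable". The following Python script is an added example, not code from this thread; it parses the syslog lines and the ACL dump quoted above (embedded as constructed sample input) and counts denies per ACE.

```python
import re
from collections import Counter

# Constructed sample input: the three 106023 lines and two ACL lines quoted in the post.
SYSLOG = """\
Apr 05 2020 23:25:15: %ASA-4-106023: Deny udp src outside:168.232.213.153/21592 dst inside:172.18.0.4/10682 by access-group "ACL-OUTSIDE-IN" [0xe63c7008, 0x0]
Apr 05 2020 23:25:16: %ASA-4-106023: Deny udp src outside:178.198.131.51/40837 dst inside:172.18.0.4/10682 by access-group "ACL-OUTSIDE-IN" [0xe63c7008, 0x0]
Apr 05 2020 23:25:19: %ASA-4-106023: Deny udp src outside:178.198.131.51/40837 dst inside:172.18.0.4/10682 by access-group "ACL-OUTSIDE-IN" [0xe63c7008, 0x0]
"""
ACL_DUMP = """\
access-list ACL-OUTSIDE-IN line 9 extended deny udp any any (hitcnt=658) 0xe63c7008
access-list ACL-OUTSIDE-IN line 10 extended deny tcp any any (hitcnt=232) 0x783583f8
"""

# 106023 format: severity, message id, protocol, src/dst interface:ip/port, ACL name, ACE hash.
DENY_RE = re.compile(
    r'%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): Deny (?P<proto>\w+) '
    r'src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)" \[(?P<ace_hash>0x[0-9a-f]+), 0x[0-9a-f]+\]')

# "show access-list" line: ACL name, line number, rule text, hit count, ACE hash.
ACE_RE = re.compile(
    r'access-list (?P<acl>\S+) line (?P<line>\d+) (?P<rule>extended .+?) '
    r'\(hitcnt=(?P<hits>\d+)\) (?P<hash>0x[0-9a-f]+)$')


def parse_syslog(text):
    """Return one dict per 106023 line; other messages are skipped."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m and m.group("msgid") == "106023":
            events.append(m.groupdict())
    return events


def parse_acl(text):
    """Map each ACE hash from 'show access-list' output to (line number, rule text)."""
    return {m.group("hash"): (int(m.group("line")), m.group("rule"))
            for m in (ACE_RE.match(l.strip()) for l in text.splitlines()) if m}


def correlate(syslog_text, acl_text):
    """Count 106023 denies per ACE, keyed by 'ACL line N: rule'."""
    aces = parse_acl(acl_text)
    counts = Counter()
    for ev in parse_syslog(syslog_text):
        line, rule = aces.get(ev["ace_hash"], (None, "unknown ACE"))
        counts[f'{ev["acl"]} line {line}: {rule}'] += 1
    return counts
```

Running correlate(SYSLOG, ACL_DUMP) attributes all three denies to ACL-OUTSIDE-IN line 9, the ACE the accepted answer suggests configuring with "log disable".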


Perfect, that was it. Thanks!
