
CISCO ASA icmp logs

The ICMP logs (ASA-6-302021) we are currently receiving from the ASA do not contain the byte count for the packet. Is this design intent or a config issue?

With the rise in hackers using icmp for exfil this is a critical piece of data.

 

TIA

 

Ihor


balaji.bandi
Hall of Fame

Can you post a sample log here to understand the issue?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

9:07:23.000 PM
Aug 18 16:07:23 10.a.a.a %ASA-6-302021: Teardown ICMP connection for faddr 10.b.b.b/45883 gaddr 10.c.c.c/0 laddr 10.c.c.c/0 type 8 code 0
BTW, what are faddr, gaddr and laddr?

302021

Error Message %ASA-6-302021: Teardown ICMP connection for faddr {faddr | icmp_seq_num } [(idfw_user )] gaddr {gaddr | icmp_type } laddr laddr [(idfw_user )] type {type } code {code }

Explanation An ICMP session is removed in the fast-path when stateful ICMP is enabled using the inspect icmp command. The following list describes the message values:

  • faddr —Specifies the IP address of the foreign host
  • gaddr —Specifies the IP address of the global host
  • laddr —Specifies the IP address of the local host
  • idfw_user —The name of the identity firewall user
  • user —The username associated with the host from where the connection was initiated
  • type —Specifies the ICMP type
  • code —Specifies the ICMP code

BB
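
A parser for the 302021 format quoted in the reply above, as an added example that is not part of the original thread or of Cisco's documentation. The group names (`faddr_num`, `gaddr_num`, `laddr_num`, `fuser`, `luser`), the placement of the optional user field, and the sample lines are assumptions; since the quoted format lists no size field, the only volume measure this message yields is the number of teardowns per address pair.

```python
import re
from collections import Counter

# Pattern follows the 302021 format quoted in the thread. The optional "(...)"
# groups are idfw_user; the number after each "/" is kept uninterpreted.
ASA_302021 = re.compile(
    r"%ASA-6-302021: Teardown ICMP connection for "
    r"faddr (?P<faddr>[^/\s]+)/(?P<faddr_num>\d+)(?:\s*\((?P<fuser>[^)]*)\))? "
    r"gaddr (?P<gaddr>[^/\s]+)/(?P<gaddr_num>\d+) "
    r"laddr (?P<laddr>[^/\s]+)/(?P<laddr_num>\d+)(?:\s*\((?P<luser>[^)]*)\))? "
    r"type (?P<type>\d+) code (?P<code>\d+)"
)

def parse_302021(line):
    """Return the fields of one 302021 line as a dict, or None if no match."""
    m = ASA_302021.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["type"], rec["code"] = int(rec["type"]), int(rec["code"])
    return rec

def teardowns_per_pair(lines, icmp_type=8):
    """Count 302021 teardowns per (faddr, laddr) for one ICMP type."""
    counts = Counter()
    for line in lines:
        rec = parse_302021(line)
        if rec and rec["type"] == icmp_type:
            counts[(rec["faddr"], rec["laddr"])] += 1
    return counts

# Constructed sample lines (documentation addresses), not real logs.
_HDR = "Aug 18 16:07:23 192.0.2.1 %ASA-6-302021: Teardown ICMP connection for "
SAMPLE = [
    _HDR + "faddr 198.51.100.7/45883 gaddr 203.0.113.10/0 laddr 203.0.113.10/0 type 8 code 0",
    _HDR + "faddr 198.51.100.7/45884 gaddr 203.0.113.10/0 laddr 203.0.113.10/0 type 8 code 0",
    _HDR + "faddr 198.51.100.9/12 gaddr 203.0.113.10/0 laddr 203.0.113.10/0 (LOCAL\\alice) type 3 code 3",
    "Aug 18 16:07:26 192.0.2.1 some unrelated syslog line",
]

if __name__ == "__main__":
    for pair, n in teardowns_per_pair(SAMPLE).items():
        print(pair, n)
    # Field names recovered from the message: none of them is a byte count.
    print(sorted(parse_302021(SAMPLE[0])))
```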


Thank you. So, no byte count for the packet? Is there a different ASA icmp log that would contain the packet byte count?

TIA

Ihor