Cisco ASA multiple context Syslog partial working

barreljan
Level 1

Hi guys,

 

We have a strange issue on our ASA 5555-X cluster (with the 50 context license). We were running on 9.8(3)8 and had a few contexts that did not log towards our syslog server over UDP. Other contexts do log perfectly. We changed the non-functioning contexts to TCP logging and ran into the hostdown apparently, which we fixed in config by adding 'logging permit-hostdown'.

Although we thought it was fixed, a few days later a customer was complaining that no connections could be made. The disallowing of new connections was found in the buffered log, which we did not expect as we had configured the logging permit-hostdown option. The syslog server was reachable; we tested whether TCP logging worked, which it did, so no problems there.

 

After some investigation, we did find some related bugs, but not a 100% match. We deleted a whole context and configured it again, but with no luck.

 

Some links/bugs we found:

https://community.cisco.com/t5/firewalls/asa-5510-disallowing-new-connections/m-p/2525414/highlight/true#M130902

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCut01856

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc14502

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb74249

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuj69650

 

After this search and some workarounds tried, we decided to upgrade the cluster to 9.8(4)12, the current suggested interim release. The problem, however, syslog over UDP in a context, still does not work for one context or another. It seems random, as a number of contexts do log over UDP. We changed one context to TCP syslog for now (with permit-hostdown), but I can't say if this is a permanent solution (does it fail after a few days?). We prefer the UDP option, of course.

 

What is the next step? Any ideas?

 

My suggestion for now is to remove all the TCP logging hosts and permit-hostdown rules from all contexts, reload the standby, and fail over. Is that valid, or will we still encounter a bug somehow? The above bugs have the status Fixed...
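The fail-closed behaviour the post ran into (a TCP syslog host without `logging permit-hostdown` makes the ASA drop new connections when the collector is unreachable) is easy to miss across 50 contexts. Below is an added audit script, not from the poster or from Cisco, that parses per-context `show running-config logging` output and flags contexts with TCP hosts but no permit-hostdown, or with logging enabled but no host at all; it assumes the collector prefixes each context's output with a `changeto context <name>` marker line, and the sample config is constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: "show running-config logging" from four contexts, each
# block prefixed by a "changeto context <name>" marker (assumption: the
# collection script inserts this marker; the ASA itself does not print it).
SAMPLE = """\
changeto context cust-a
logging enable
logging trap informational
logging host inside 10.0.0.5 udp/514
changeto context cust-b
logging enable
logging host inside 10.0.0.5 tcp/1470
changeto context cust-c
logging enable
logging permit-hostdown
logging host inside 10.0.0.5 tcp/1470
changeto context cust-d
logging enable
"""

# logging host <iface> <ip> [tcp/<port>|udp/<port>]; default is udp/514
HOST_RE = re.compile(r"^logging host (\S+) (\S+)(?: (tcp|udp)/(\d+))?", re.I)

@dataclass
class ContextLogging:
    name: str
    enabled: bool = False
    permit_hostdown: bool = False
    hosts: list = field(default_factory=list)  # (iface, ip, proto, port)

def parse_contexts(text: str) -> dict:
    """Split collector output on marker lines and read each context's logging config."""
    ctxs, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("changeto context "):
            cur = ContextLogging(line.split()[-1])
            ctxs[cur.name] = cur
        elif cur is None or not line.startswith("logging "):
            continue
        elif line == "logging enable":
            cur.enabled = True
        elif line == "logging permit-hostdown":
            cur.permit_hostdown = True
        elif m := HOST_RE.match(line):
            iface, ip, proto, port = m.groups()
            cur.hosts.append((iface, ip, (proto or "udp").lower(), int(port or 514)))
    return ctxs

def audit(ctxs: dict) -> dict:
    """Return {context: [findings]}; an empty list means the context is consistent."""
    report = {}
    for name, c in ctxs.items():
        issues = []
        if c.enabled and not c.hosts:
            issues.append("logging enabled but no syslog host")
        if any(h[2] == "tcp" for h in c.hosts) and not c.permit_hostdown:
            issues.append("tcp syslog host without 'logging permit-hostdown' (fail-closed)")
        report[name] = issues
    return report
```

Run `audit(parse_contexts(SAMPLE))` to see cust-b flagged for the fail-closed TCP host and cust-d for having no host, while cust-a (UDP) and cust-c (TCP with permit-hostdown) come back clean.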

1 Reply

Sheraz.Salim
VIP Alumni

Have to open a TAC case? 

please do not forget to rate.