05-04-2017 07:46 AM - edited 03-12-2019 02:19 AM
Cisco ASA 5550
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(9)
System image file is "disk0:/asa825-k8.bin"
===============================================
Such a thing happened today. My ASA uses a remote syslog server; the previous configuration was as follows:
asa# sh run | include logging
logging enable
logging trap warnings
logging host dmz_service 192.168.100.16
I was creating a new syslog server, 192.168.100.17, using TCP port 11001 to accept remote messages, so I made this modification:
asa(config)# logging host dmz_service 192.168.100.17 tcp/11001
WARNING: interface Rdundant1.15 security level is 60.
Why did this warning pop up? After that, all traffic between the zones was forbidden on the ASA.
Unbelievably, it recovered when I ran "no logging host dmz_service 192.168.100.17 tcp/11001".
It caused a severe production incident. I still feel confused. Can anybody help me?
05-04-2017 12:54 PM
Please check whether the host 192.168.100.17 is reachable from the ASA. On the ASA, if the TCP syslog server is unreachable, it will drop all traffic through the device. This is the default behavior on the ASA.
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html
To change the default behavior, configure the option "logging permit-hostdown". This will make sure connections through the ASA are not denied if the syslog server is unreachable from the ASA.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/l2.html
Regards
Akhil
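A safe way to make the same change, as an added example that is not part of the original thread: set "logging permit-hostdown" before the TCP destination exists, so the ASA never enters the fail-closed state during the cutover. The interface name, addresses and port are the ones from the post; keeping the old UDP collector 192.168.100.16 as a second destination is my assumption, not something the poster stated. The "!" lines are annotations, not commands.

```text
! Pre-check from the ASA: ICMP only. It proves the host answers, not that TCP 11001 is listening.
asa# ping dmz_service 192.168.100.17

! 1. Opt out of the fail-closed default BEFORE the TCP destination is configured.
asa# configure terminal
asa(config)# logging permit-hostdown

! 2. Now add the TCP collector. With permit-hostdown set, an unreachable collector
!    no longer causes the ASA to deny new connections through the firewall.
asa(config)# logging host dmz_service 192.168.100.17 tcp/11001

! 3. (Assumption) Keep the existing UDP collector (default udp/514) as a second
!    destination so messages still land somewhere while the TCP server is brought up.
asa(config)# logging host dmz_service 192.168.100.16
asa(config)# end

! 4. Verify the resulting logging configuration before saving it.
asa# show running-config logging
asa# show logging
asa# write memory
```

Two caveats a practitioner should weigh. First, the default is fail-closed on purpose: with TCP syslog and no "logging permit-hostdown", a collector outage stops new connections rather than letting traffic pass unlogged, which is the behavior you want where a complete audit trail is mandatory. If you enable permit-hostdown you are choosing fail-open, so monitor the collector itself (and the UDP fallback above), because messages sent while it is down are simply lost. Second, the ASA ping only checks ICMP; confirm on the collector host that the syslog daemon is actually listening on TCP 11001 (for example with a local socket listing on that host, which depends on its OS) before pointing the firewall at it. To return to the fail-closed default later, use "no logging permit-hostdown".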
05-04-2017 11:02 AM
Could you please attach the output of 'show nameif'?
-AJ
05-04-2017 08:53 PM
Got it.
Thank you for your help!