06-21-2011 05:06 AM - edited 03-11-2019 01:48 PM
Hi,
The syslogs from ASA and FWSM are a nightmare, since source/destination are always different under some circumstances and even the ASDM shows wrong info.
C is client which is the source of all activity
S is server which is always the destination

FWSM (3.2(4))

Source  Destination  Message
icmp
S       C            built outbound icmp connection
S       C            teardown icmp connection
ssh
C       S            built outbound tcp connection
C       S            teardown tcp connection

ASA (8.3(2))

icmp
S       C            teardown icmp connection
C       S            built outbound icmp connection
ssh
C       S            built outbound tcp connection
S       C            teardown tcp connection

So we have here multiple issues:
1) Why can Cisco firewalls never actually really tell which is the source/destination and I really think that teardown should also be for the same connection as when created and not switch the direction.
2) In ASDM the teardown of an icmp connection always comes before the built message?
Cisco please fix the logs
06-22-2011 06:15 AM
1) I don't know why the ASA and FWSMs implemented the logs differently. The differences were documented by doc bug: CSCsi76077. You can read more at www.cisco.com/go/bugs. I know this issue has been brought up before and I believe that the logs haven't been changed due to consistency issues. Basically if they change the syslog output, everyone's log parsers (both Cisco and 3rd party) will need to account for this change and a lot of things will break.
2) I don't experience this with my ASA. Note that by default the Real-Time log viewer in ASDM will show the syslogs in descending order by time. When you issue the 'show logging' command to view the logging buffer on the CLI, the syslogs will be displayed in ascending order by time.
I hope this helps.
Thanks,
Brendan
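
For log parsers that have to cope with the direction differences discussed in this thread, here is an added example (not from either poster and not Cisco code) that pairs built and teardown events without trusting which endpoint is listed first, and flags pairs whose direction disagrees. The line layout is a simplified, constructed stand-in for real ASA/FWSM syslogs, the function names are hypothetical, and it assumes TCP/UDP lines carry a connection ID while ICMP lines do not.

```python
import re

# Constructed sample lines in a simplified, assumed layout (not verbatim device output).
# C = 10.0.0.5 (client), S = 192.0.2.10 (server), as in the tables in the thread.
SAMPLE = [
    "Built outbound TCP connection 1001 for 10.0.0.5/40000 to 192.0.2.10/22",
    "Teardown TCP connection 1001 for 192.0.2.10/22 to 10.0.0.5/40000",
    "Teardown ICMP connection for 192.0.2.10/0 to 10.0.0.5/512",
    "Built outbound ICMP connection for 10.0.0.5/512 to 192.0.2.10/0",
    "Built outbound TCP connection 2002 for 10.0.0.5/40001 to 192.0.2.10/22",
    "Teardown TCP connection 2002 for 10.0.0.5/40001 to 192.0.2.10/22",
]

LINE = re.compile(
    r"(?P<event>Built|Teardown)(?: \w+)? (?P<proto>TCP|UDP|ICMP) connection"
    r"(?: (?P<id>\d+))? for (?P<src>\S+) to (?P<dst>\S+)", re.I)

def parse(line):
    """Return the fields of one connection event, or None for other lines."""
    m = LINE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"event": d["event"].lower(), "proto": d["proto"].upper(),
            "id": d["id"], "src": d["src"], "dst": d["dst"]}

def flow_key(rec):
    """Direction-independent key: connection ID if present, else the endpoint pair."""
    if rec["id"]:
        return (rec["proto"], rec["id"])
    return (rec["proto"], frozenset((rec["src"], rec["dst"])))

def correlate(lines):
    """Pair built/teardown events in any arrival order and flag direction flips."""
    flows = {}
    for line in lines:
        rec = parse(line)
        if rec is not None:
            flows.setdefault(flow_key(rec), {})[rec["event"]] = (rec["src"], rec["dst"])
    report = []
    for key, ev in flows.items():
        built, down = ev.get("built"), ev.get("teardown")
        report.append({"proto": key[0], "complete": bool(built and down),
                       "flipped": bool(built and down and built != down),
                       "endpoints": sorted(built or down)})
    return report

if __name__ == "__main__":
    for row in correlate(SAMPLE):
        print(row)
```

Without a connection ID, two ICMP exchanges between the same endpoint pair collapse into one flow, so a production parser would also window on timestamps.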