Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
527
Views
0
Helpful
1
Replies

Cisco FWSM icmp logs wrong source/destination and nobody cares!

pweichmann
Level 1
Level 1

‎06-21-2011 05:06 AM - edited ‎03-11-2019 01:48 PM

Hi,

The syslogs from ASA and FWSM are a nightmare, since source/destionation are always different under some circumstances and even the ASDM shows wrong info.

C is client which is the source of all activity

S is server which is always the destination

FWSM (3.2(4))

Source      Destination     Message

icmp

S               C                    built outbound icmp connection

S               C                    teardown icmp connection

ssh

C               S                    built outbound tcp connection

C               S                    teardown tcp connection

ASA (8.3(2))

icmp

S               C                    teardown icmp connection

C               S                    built outbound icmp connection

ssh

C               S                    built outbound tcp connection

S               C                    teardown tcp connection

So we have here multiple issues:

1)     Why can cisco firewalls never actuall really tell which is the source/destination and I really think that teardown should also be for the same connection as when created and not switch the direction.

2)     In ASDM the teardown of a icmp connection always comes before the built message?

Cisco please fix the logs

Labels:
0 Helpful
1 Reply 1

brquinn
Level 1
Level 1

‎06-22-2011 06:15 AM

1) I don't know why the ASA and FWSMs implemented the logs differently. The differences were documented by doc bug: CSCsi76077. You can read more at www.cisco.com/go/bugs. I know this issue has been brought up before and I believe that the logs haven't been changed due to consistency issues. Basically if they change the syslog output, everyone's log parsers (both Cisco and 3rd party) will need to account for this change and a lot of things will break.

2) I don't experience this with my ASA. Note that by default the Real-Time log viewer in ASDM will show the syslogs in descending order by time. When you issue the 'show logging' command to view the logging buffer on the CLI, the syslogs will be displayed in ascending order by time.

I hope this helps.

Thanks,

Brendan

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card