Extended ACL logging on ASA v9.4

Mike Pennycook
Level 1

Hi there,

I'm trying to see what traffic is hitting this particular rule:

access-list X line 1 extended permit tcp object-group SRC_X object SRC_X log debugging interval 300 (hitcnt=323) 0xb7788b5f
access-list X line 1 extended permit tcp x.x.x.0 255.255.248.0 host 1.1.1.1 log debugging interval 300 (hitcnt=117) 0xdd1a891c
access-list X line 1 extended permit tcp x.x.x.0 255.255.248.0 host 1.1.1.1 log debugging interval 300 (hitcnt=206) 0x00417bf4

How exactly would I see the debug logs generated for this ACL? I need to see details of the connections allowed through this ACL.

Thanks!

3 Replies

The ASA is not very good at this. The best method would be to set up a syslog server and log informational messages to it. Then filter on the IPs or subnets you are looking for.

--
Please remember to select a correct answer and rate helpful posts

Thanks Marius


I've configured syslog servers on the ASDM, with a severity of informational and the specific class event 'session/user session' set to debugging. The session/user session syslog class should include message 106100, which should log like:

106100

Error Message    %PIX|ASA-6-106100: access-list acl_ID {permitted | denied | 
est-allowed} protocol interface_name/source_address(source_port) -> 
interface_name/dest_address(dest_port) hit-cnt number ({first hit | 
number-second interval}) hash codes

https://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4768518

I have of course set the ACL to log at debug.

The problem with this ACL is that I've done packet captures, used 'show conn' and used the real time log monitor on the ASDM, as well as looking at netstat on the end server, and I simply cannot see those connections.
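A small parser for the 106100 message format quoted above, written here as an added example (it is not code from the thread or from Cisco), that does what Marius suggested: take the informational syslog feed and filter it by ACL name, source subnet and destination host. The log lines are constructed samples, not real device output; the /21 source network mirrors the 255.255.248.0 mask in the ACL, and the hostname and addresses are placeholders.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample syslog lines (not captured from a real ASA). Two are
# 106100 ACL hits for ACL X, one is an unrelated 302013 connection message,
# one is a 106100 hit for a different ACL, and one is a 300-second summary.
SAMPLE_LOG = """\
<182>Jun 10 12:00:01 fw01 %ASA-6-106100: access-list X permitted tcp inside/10.20.1.5(51234) -> outside/1.1.1.1(443) hit-cnt 1 first hit [0xb7788b5f, 0x0]
<182>Jun 10 12:00:02 fw01 %ASA-6-106100: access-list X denied tcp inside/10.20.9.7(40001) -> outside/1.1.1.1(22) hit-cnt 1 first hit [0xdd1a891c, 0x0]
<182>Jun 10 12:00:03 fw01 %ASA-6-302013: Built outbound TCP connection 12345 for outside:1.1.1.1/443 (1.1.1.1/443) to inside:10.20.1.5/51234 (10.20.1.5/51234)
<182>Jun 10 12:05:01 fw01 %ASA-6-106100: access-list X permitted tcp inside/10.20.1.5(51234) -> outside/1.1.1.1(443) hit-cnt 117 300-second interval [0xb7788b5f, 0x0]
<182>Jun 10 12:05:02 fw01 %ASA-6-106100: access-list Y permitted udp inside/192.168.5.5(1024) -> outside/8.8.8.8(53) hit-cnt 1 first hit [0x00417bf4, 0x0]
"""

# Field layout follows the %PIX|ASA-6-106100 format from the Cisco syslog reference.
ACL_LOG_RE = re.compile(
    r"%(?:PIX|ASA)-6-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<src_if>[^/]+)/(?P<src>[^(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+) "
    r"(?P<window>first hit|\d+-second interval)"
)

def parse_106100(line: str) -> Optional[dict]:
    """Return the fields of one 106100 message, or None for any other syslog line."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("hits", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def acl_hits(log_text: str, acl: str, src_net: str, dst_host: Optional[str] = None) -> list:
    """Keep only 106100 hits on one ACL whose source lies in src_net (and, if given, whose destination is dst_host)."""
    net = ipaddress.ip_network(src_net, strict=False)
    matches = []
    for line in log_text.splitlines():
        rec = parse_106100(line)
        if rec is None or rec["acl"] != acl:
            continue
        if ipaddress.ip_address(rec["src"]) not in net:
            continue  # source outside the subnet in the ACL (e.g. 10.20.9.7 is not in 10.20.0.0/21)
        if dst_host and rec["dst"] != dst_host:
            continue
        matches.append(rec)
    return matches

if __name__ == "__main__":
    for rec in acl_hits(SAMPLE_LOG, "X", "10.20.0.0/21", "1.1.1.1"):
        print(f"{rec['action']:9} {rec['proto']} {rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']} hits={rec['hits']} ({rec['window']})")
```

Because the ACL logs at interval 300, the first packet of a flow produces a "first hit" message and later packets are rolled up into one "300-second interval" summary, so a single connection can appear as only two lines in the feed.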

You don't see them in the capture either?

If that is the case then this might be being dropped by an interface ACL. Which in itself is another syslog message.

--
Please remember to select a correct answer and rate helpful posts