Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
529
Views
0
Helpful
4
Replies

Find TCP Connection destination

Go to solution
mcmurphytoo
Level 1
Level 1

‎01-14-2014 01:39 PM - edited ‎03-11-2019 08:29 PM

I recently updated ASA 5510 from V8.0 to V9.1.  In 8.0 I had elevated the severity of event 302013 so ASA sent it to syslog.  It gave me inside and outside IP addresses of every TCP connection.  When the IPS called, said an inside user was infected and trying to send to an evil web server, but IPS knew only ASA's outside address, I used the syslog to track down the offending inside address by its logged TCP connection.  On V9.1 I'm seeing event 305011 building a TCP connection, but I see only the port, not the IP address of the destination.  Will anything in V9.1 log for me both  the inside and outside addresses of every connection?                 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎01-14-2014 03:09 PM

Hi,

All the basic syslog IDs should be there still no matter which software level you are using.

The Syslog ID 305011 seems to be a message for when a translation is built for the actual connection on the ASA. So it doesnt give the information about the actual connection specifically.

On its basic setting it should be able to get the connection Built/Teardown messages to show with the Informational (level 6) logging level or otherwise manipulating the logging levels.

Are you sure that the Syslog ID has not been disabled for some reason by someone?

Does your logging configuration output of "show run logging" indicate that any Syslog ID would have been disabled or any Syslog IDs level would have been changed to something else than its supposed to be?

- Jouni

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎01-14-2014 03:09 PM

Hi,

All the basic syslog IDs should be there still no matter which software level you are using.

The Syslog ID 305011 seems to be a message for when a translation is built for the actual connection on the ASA. So it doesnt give the information about the actual connection specifically.

On its basic setting it should be able to get the connection Built/Teardown messages to show with the Informational (level 6) logging level or otherwise manipulating the logging levels.

Are you sure that the Syslog ID has not been disabled for some reason by someone?

Does your logging configuration output of "show run logging" indicate that any Syslog ID would have been disabled or any Syslog IDs level would have been changed to something else than its supposed to be?

- Jouni

0 Helpful

Go to solution
mcmurphytoo
Level 1
Level 1
In response to Jouni Forss

‎01-15-2014 06:17 AM

The ASDM syslog info showed ID 302013 still set to Errors, not disabled.  But a sho run log showed:

no logging message 106015

no logging message 313001

no logging message 313008

no logging message 106023

no logging message 710003

no logging message 302015

no logging message 302014

no logging message 302013

no logging message 302018

no logging message 302017

no logging message 302016

no logging message 302021

no logging message 302020

logging message 713120 level errors

logging message 722022 level errors

logging message 722023 level errors

logging message 713050 level errors

logging message 302013 level errors

I must guess the 8.0-to-9.1 updater guys did a command line disable that the ASDM somehow did not pick up.

So I did a command-line "logging message 302013" and now i see them again syslogged.  I know it's lots of logging, but it's critically important when I get those calls from the IPS monitors that something is happening inside my network and trying to get out.   Thanks.

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to mcmurphytoo

‎01-15-2014 06:22 AM

Hi,

Great to hear its working

Yeah its an important log that I also like to keep logged to our Syslog servers. Helps with a lot of troubleshooting situations especially in cases where the users report about the problem after its already passed. Usually get somekind of picture about a possible cause from the "Teardown" log messages for example.

Naturally it also helps with confirming if certain connections have been formed through the firewall as you mention.

- Jouni

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Jouni Forss

‎01-15-2014 06:25 AM

Also,

In situations such as yours I tend to always configure traffic capture on the ASA to capture this traffic and go through the capture every now and then in addition to monitoring the logs.

The ASA can hold a 33,5MB buffer of captured data in a single capture. Naturally if you dont capture the actual data contained in the packet you can get more traffic captured and see whats been happening.

If you need any example configurations/commands to take a capture directly on the ASA (and then later open it on your own computer with Wireshark) then let me know.

- Jouni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card