Firewall deny not getting logged

balajis27
Level 1

Hi All

I am facing a strange issue with FWSM firewall rules and need some help on that.

On this firewall, we have logging enabled to log all denies for blocked ports. This is covered in the last deny statement with a port object-group, as shown below.

access-list al_from_labs line 2236 extended deny object-group tcp_udp any any object-group Blocked_Ports log errors interval 300 0x9f5a4bff

In recent days we found extensive deny logs for the 6 ports below, and this was causing the error message 106101 shown below.

tcp smtp, tcp 135, tcp 445, tcp netbios-ssn, udp netbios-ns, udp snmp

106101 The number of ACL log deny-flows has reached limit (number)

106101 The number of ACL log deny-flows has reached limit (4096).

The max configured limit on the device is already 4096. So we decided to remove logging only for those specific 6 ports and still log the rest of the denies. We modified the ACL as below:

ddddd# sh access-list al_from_labs | in deny
access-list al_from_labs line 2227 extended deny tcp any any eq smtp (hitcnt=29954) 0xf62aaca9
access-list al_from_labs line 2228 extended deny tcp any any eq 135 (hitcnt=2127) 0xc8773775
access-list al_from_labs line 2229 extended deny tcp any any eq 445 (hitcnt=2617) 0x9ad56a8f
access-list al_from_labs line 2230 extended deny tcp any any eq netbios-ssn (hitcnt=888) 0x9258206
access-list al_from_labs line 2231 extended deny udp any any eq netbios-ns (hitcnt=8670) 0x5fad9aa0
access-list al_from_labs line 2232 extended deny udp any any eq snmp (hitcnt=532) 0xfe3a0d52
access-list al_from_labs line 2236 extended deny object-group tcp_udp any any object-group Blocked_Ports log errors interval 300 0x9f5a4bff

Please see above, where we removed logging for those specific 6 denies and moved them above the last deny rule.

Issue:

====

After we modified the ACL entries as above, we strangely see that none of the denies are getting logged to the syslog server. So logging stops completely. This is confusing because we only wanted the firewall not to log those specific 6 ports, but now access attempts to other ports are also not getting logged.

Please let us know what might be the cause of the issue.

Regards
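As an added audit aid (not code from the thread or from Cisco), the script below parses the `show access-list ... | in deny` output quoted above and lists the deny entries that carry no `log` keyword (or `log disable`), i.e. the entries that will never produce an ACL syslog no matter what state the device is in. This is the check to run after an edit like the one described, to confirm which denies went silent on purpose; the regexes are written against the FWSM/ASA line format shown in the post.

```python
import re
from typing import Dict, List

# Constructed input: the `show access-list al_from_labs | in deny` output quoted in the post.
SHOW_ACL = """\
access-list al_from_labs line 2227 extended deny tcp any any eq smtp (hitcnt=29954) 0xf62aaca9
access-list al_from_labs line 2228 extended deny tcp any any eq 135 (hitcnt=2127) 0xc8773775
access-list al_from_labs line 2229 extended deny tcp any any eq 445 (hitcnt=2617) 0x9ad56a8f
access-list al_from_labs line 2230 extended deny tcp any any eq netbios-ssn (hitcnt=888) 0x9258206
access-list al_from_labs line 2231 extended deny udp any any eq netbios-ns (hitcnt=8670) 0x5fad9aa0
access-list al_from_labs line 2232 extended deny udp any any eq snmp (hitcnt=532) 0xfe3a0d52
access-list al_from_labs line 2236 extended deny object-group tcp_udp any any object-group Blocked_Ports log errors interval 300 0x9f5a4bff
"""

# One expanded ACE: acl name, line number, action, match body, optional hit counter, trailing hash.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<action>permit|deny) "
    r"(?P<body>.*?)(?: \(hitcnt=(?P<hits>\d+)\))? 0x[0-9a-fA-F]+$"
)
# `log [level] [interval secs]`; the level may be a keyword, a digit, or `disable`.
LOG_RE = re.compile(r"\blog\b(?: (?P<level>(?!interval\b)[a-z0-9]+))?(?: interval (?P<interval>\d+))?")


def parse_aces(show_output: str) -> List[Dict]:
    """Turn `show access-list` lines into dicts; non-ACE lines (headers, counters) are skipped."""
    aces = []
    for raw in show_output.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        log = LOG_RE.search(body)
        aces.append({
            "acl": m.group("acl"),
            "line": int(m.group("line")),
            "action": m.group("action"),
            "match": LOG_RE.sub("", body).strip(),          # the rule without its log options
            "hits": int(m.group("hits")) if m.group("hits") else None,
            "logged": bool(log) and log.group("level") != "disable",
            "log_level": log.group("level") if log else None,   # None = platform default level
            "log_interval": int(log.group("interval")) if log and log.group("interval") else None,
        })
    return aces


def silent_denies(aces: List[Dict]) -> List[int]:
    """Line numbers of deny ACEs that can never emit an ACL deny syslog."""
    return [a["line"] for a in aces if a["action"] == "deny" and not a["logged"]]


if __name__ == "__main__":
    parsed = parse_aces(SHOW_ACL)
    for a in parsed:
        state = f"log level={a['log_level'] or 'default'} interval={a['log_interval'] or 'default'}" if a["logged"] else "NOT LOGGED"
        print(f"line {a['line']:>5} {a['action']:<6} {a['match']:<60} hits={a['hits']}  {state}")
    print("silent deny lines:", silent_denies(parsed))
```

Any deny line reported as NOT LOGGED is expected to stay absent from the syslog server; a logged line that also goes quiet points at the device, not the ACL, which is what the reload in this thread fixed.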


3 Replies

Jennifer Halim
Cisco Employee

My suggestion would be to reload the FWSM to clear the cached flow.

However, if you would like to know the reason why it's not working as it should, I would suggest that you open a TAC case so the issue can be investigated further.

Thanks Jennifer

We rebooted the FWSM firewall and that solved the issue. If the issue repeats, we are planning to open a TAC case on this.

Thanks for your suggestion

Regards

S.Balaji

Excellent, and it's great to hear.

Please kindly mark the post answered so others can learn from your post. Thank you.
